7/28/2019 Sesi 4 - Samuel Triswandi.pdf
Event Management Training & Conferences
Knowledge Development Center
we develop people to be more
Internal Control Management
Jakarta, 13 June 2012
Definition
In accounting and auditing, internal control is defined as a
process affected by an organization's structure, work and
authority flows, people and management information systems,
designed to help the organization accomplish specific goals or
objectives. It is a means by which an organization's resources are directed, monitored, and measured. It plays an important
role in preventing and detecting fraud and protecting the
organization's resources, both physical (e.g., machinery and
property) and intangible (e.g., reputation or intellectual
property such as trademarks).
Definition
At the organizational level, internal control objectives relate to the
reliability of financial reporting, timely feedback on the
achievement of operational or strategic goals, and compliance with
laws and regulations. At the specific transaction level, internal
control refers to the actions taken to achieve a specific objective
(e.g., how to ensure the organization's payments to third parties
are for valid services rendered.) Internal control procedures reduce
process variation, leading to more predictable outcomes. Internal
controls within business entities are also referred to as operational controls.
Definition
Under the COSO Internal Control-Integrated Framework, a widely used framework not only in the United States but around the world, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
a) Effectiveness and efficiency of operations;
b) Reliability of financial reporting; and
c) Compliance with laws and regulations.
Key concepts
The COSO framework involves several key concepts:
Internal control is a process. It is a means to an end, not an end in itself.
Internal control is affected by people. It's not merely policy, manuals, and forms, but people at every level of an organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
5 Component Internal Control
1. Control Environment - sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
2. Risk Assessment - the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
3. Information and Communication - systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
4. Control Activities - the policies and procedures that help ensure management directives are carried out.
5. Monitoring - processes used to assess the quality of internal control performance over time.
A SOUND CONTROL ENVIRONMENT
Managers and employees who possess integrity, ethical values and competence;
Management's philosophy and operating style;
Proper assignment of authority and responsibility;
Proper organization of available resources;
Proper training and development of people; and
Proper attention and direction from senior management.
A SOUND RISK ASSESSMENT PROCESS
An awareness of and ability to deal with the risks and obstacles to successful achievement of business objectives;
Establishment by management of a set of objectives that integrate all the organization's resources so that the organization operates in concert; and
Identification, analysis and management of the risks and obstacles to successful achievement of the three primary business objectives.
A SOUND OPERATIONAL CONTROL ACTIVITIES
The establishment and execution of policies and procedures to help ensure effective implementation of the actions identified by management as being necessary to address risks and obstacles to achievement of business objectives.
(These control activities help ensure that management's directives are carried out; occur at all levels of the organization; and in all activities, units and functions. Examples include authorizations, reviews of operating performance, security of assets, and segregation of duties.)
A SOUND INFORMATION AND COMMUNICATIONS SYSTEM
Information systems produce reports, containing operational, financial and compliance related information, that make it possible to run and control a business. They deal with internally generated data as well as the external activities, conditions and events necessary to informed business decision making and external reporting.
The organization's people must be able to capture and exchange the information needed to conduct, manage and control operations.
Pertinent information must be identified, captured and communicated in a form and time frame that enables people to carry out their responsibilities.
Effective communication must flow down, up and across the organization. (This includes a clear message from top management to all personnel that control responsibilities must be taken seriously.)
All personnel must understand their own role in the internal control system, as well as how their individual activities relate to the work of others.
All personnel must have a means of communicating significant information upstream.
There must be effective communication with external parties.
EFFECTIVE MONITORING
The entire control system must be monitored to assess the quality of the system's performance over time. (Ongoing monitoring, which should occur in the normal course of operations, includes such things as regular management and supervisory activities; and actions personnel take in performing their duties.)
Internal deficiencies should be reported upstream, with serious matters reported to top management.
There should also be separate, independent evaluations of the internal control system. The scope and frequency of these independent evaluations depend primarily on the assessment of risks and obstacles, and the effectiveness of ongoing monitoring procedures.
Collectively, the three primary business objectives and the five components needed to achieve those objectives constitute the internal control framework.
The New Paradigm in Internal Control
Internal audits can use the Framework to focus on three different levels of control:
1. Strategic - planning, organizing and directing activities that address achieving the long range mission and objectives of the entity under review.
2. Tactical - planning, organizing and directing activities that address achieving short term (annual) objectives and goals of the entity under review that lead to success in achieving the entity's strategic mission and objectives.
3. Operational - planning, organizing and directing controls that address the day-to-day operations of the entity.
Using a survey tool based upon the five components, internal audits can be conducted at a strategic, rather than operational, level. These strategic internal audits can be designed to gather testimonial and documentary evidence to either support achievement of the standard for effective internal control; or to identify to senior managers deficiencies and improvement opportunities for achieving effective internal control. Essentially, this means assessing planning activities; the means of measuring accomplishment; the reliability of data used to benchmark, report and measure; and the resources used to achieve outcomes. The Framework approach provides an ideal vehicle for adding value to the organization.
Roles and Responsibility
1. Management: The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control.
2. Board of Directors: Management is accountable to the board of directors, which provides governance, guidance and oversight.
3. Auditors: The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts.
4. Managers and Staff: may be involved in evaluating the controls within their own organisational unit using a control self-assessment.
Describing Internal Control
1. Objective Categorization (designed to provide reasonable assurance that particular objectives are achieved, or related progress understood, e.g., A/P function)
2. Activity Categorization (explained by type or nature of activity)
3. Control Precision (the alignment or correlation between a particular control procedure and a given control objective or risk)
Objective Categorization
Existence (Validity): Only valid or authorized transactions are processed (i.e., no invalid transactions).
Occurrence (Cutoff): Transactions occurred during the correct period or were processed timely.
Completeness: All transactions are processed that should be (i.e., no omissions).
Valuation: Transactions are calculated using an appropriate methodology or are computationally accurate.
Rights & Obligations: Assets represent the rights of the company, and liabilities its obligations, as of a given date.
Presentation & Disclosure (Classification): Components of financial statements (or other reporting) are properly classified (by type or account) and described.
Reasonableness: Transactions or results appear reasonable relative to other data or trends.
Activity Categorization
Control activities may also be explained by the type or nature of activity. These include (but are not limited to):
Segregation of duties - separating authorization, custody, and record keeping roles to prevent fraud or error by one person.
Authorization of transactions - review of particular transactions by an appropriate person.
Retention of records - maintaining documentation to substantiate transactions.
Supervision or monitoring of operations - observation or review of ongoing operational activity.
Physical safeguards - usage of cameras, locks, physical barriers, etc. to protect property, such as merchandise inventory.
Top-level reviews - analysis of actual results versus organizational goals or plans, periodic and regular operational reviews, metrics, and other key performance indicators (KPIs).
IT Security - usage of passwords, access logs, etc. to ensure access is restricted to authorized personnel.
Top-level reviews - management review of reports comparing actual performance versus plans, goals, and established objectives.
Controls over information processing - a variety of control activities are used in information processing. Examples include edit checks of data entered, accounting for transactions in numerical sequences, comparing file totals with control accounts, and controlling access to data, files and programs.
Control Precision
A control with direct impact on the achievement
of an objective (or mitigation of a risk) is said to be
more precise than one with indirect impact on the
objective or risk. Precision is distinct from
sufficiency; that is, multiple controls with varying
degrees of precision may be involved in achieving
a control objective or mitigating a risk.
Fraud and Internal Control
Internal control plays an important role in the prevention and detection of fraud. Under the Sarbanes-Oxley Act, companies are required to perform a fraud risk assessment and assess related controls.
This typically involves identifying scenarios in which theft or loss could occur and determining if existing control procedures effectively manage the risk to an acceptable level.
The risk that senior management might override important financial controls to manipulate financial reporting is also a key area of focus in fraud risk assessment.
Internal Control and Improvement
If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed. The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.
Advances in technology and data analysis have led to the development of numerous tools which can automatically evaluate the effectiveness of internal controls. Used in conjunction with continuous auditing, continuous controls monitoring provides assurance on financial information flowing through the business processes.
Cost Management System
1. Display past, present, and future expenditures.
2. Mirror the organization's cost structure and behaviors to support ongoing improvement and control.
3. Support realistic, reliable strategic planning and explicit management intention.
4. Influence individual and team behaviors toward goal accomplishment.
5. Monitor and control resource use against mission and strategic intentions.
6. Provide warning when unhealthy financial thresholds are imminent.
7. Facilitate the repositioning of resources.
8. Hold specific individuals and groups accountable for standards of performance.
9. Assist in analyzing key discrete points of profitability: customer, process, product, and region.
10. Display a 360-degree unbiased view of the organization's cost structure, one that is understood and actually used in decision making by all executives and managers.
Barriers in Internal Control
People
Value & Culture
Process
System
Some specific Issues
Management Plans
Management Objectives
Communication of Desired Outcomes and the Policies and Procedures to achieve outcomes
Written Standards to Measure Achievement of Desired Outcomes
Assignment of Responsibility and Granting of Authority
Budget vs Workloads
Staffing Efficiency
Communications
Process Measurement
Corrective Actions Taken and Measures of Success
Outcome Measurement and Reporting Systems
Important elements in Internal Control
Establishing a foundation for monitoring, including (a) a proper tone at the top; (b) an effective organizational structure that assigns monitoring roles to people with appropriate capabilities, objectivity and authority; and (c) a starting point or baseline of known effective internal control from which ongoing monitoring and separate evaluations can be implemented.
Designing and executing monitoring procedures focused on persuasive information about the operation of key controls that address meaningful risks to organizational objectives; and
Assessing and reporting results, which includes evaluating the severity of any identified deficiencies and reporting the monitoring results to the appropriate personnel and the board for timely action and follow-up if needed.
Thank you