03. Internal Control-COSO Framework

GOVERNMENT INTERNAL AUDIT: INTERNAL CONTROL. Ali Mugiono, Inspektorat Jenderal Kementerian Keuangan (Inspectorate General, Ministry of Finance), Gedung Juanda II, 7th Floor, Jl. Dr. Wahidin No. 1, Jakarta. Tel. 021-385 3855, +62818858716, e-mail: [email protected]

Upload: arunsjain

Post on 14-Oct-2014


Page 2: 03. Internal Control-COSO Framework


COSO Internal Control - Integrated Framework (1992):

Committee of Sponsoring Organizations of the Treadway Commission (COSO):

• 1985: The National Commission on Fraudulent Financial Reporting (Treadway Committee) was formed by 5 organizations (AICPA, FEI, IIA, IMA and AAA). These organizations later became better known as COSO. The background was the growing practice of fraud in financial statements.

• 1987: A total of 49 recommendations for preventing and detecting fraud. They recommended implementing effective internal control, regulating the internal audit function, and oversight by the Audit Committee.

• 1992: Published Internal Control - Integrated Framework (COSO Framework I).

• 2004: Published Enterprise Risk Management - Integrated Framework (COSO Framework II).

Page 3: 03. Internal Control-COSO Framework


Internal Control is a process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Compliance with applicable laws and regulations

• Reliability of financial reporting

• Effectiveness & efficiency of operations

Internal control is a process. It is a means to an end, not an end in itself.

Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.

Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.

Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Page 4: 03. Internal Control-COSO Framework


CONTROL ENVIRONMENT

Tone of the Top

The control environment sets the tone of the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

1. Management’s Philosophy and Operating Style

2. Integrity and Ethical Values

3. Board of Directors and Audit Committee Direction and Policies

4. Commitment to Competence

5. Organizational Structure

6. Assignment of Authority and Responsibility

7. Human Resource Policies and Procedures

Page 5: 03. Internal Control-COSO Framework


RISK ASSESSMENT

Risk Assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.

1. Company-wide Objectives

2. Process-level Objectives

3. Risk Identification and Analysis

4. Managing Change Human Resource Policies and Procedures

Objectives (i.e. assertions) must be established before risks to their achievement are identified and before the necessary actions are taken to manage those risks.

By setting objectives, both at entity and activity levels, prior to a risk assessment, a company can determine the critical success factors; then determine the risks to the critical success factors.

A risk assessment usually includes:

a. Estimating the significance of a risk

b. Assessing the likelihood (or frequency) of the risk occurring

c. Consideration of how the risk should be managed

Page 6: 03. Internal Control-COSO Framework


CONTROL ACTIVITIES

Control Activities are the policies and procedures that help ensure management directives are carried out. They help to ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions.

(1) authorization and approval procedures;

(2) segregation of duties (authorizing, processing, recording, reviewing);

(3) controls over access to resources and records;

(4) verifications;

(5) reconciliations;

(6) reviews of operating performance;

(7) reviews of operations, processes and activities;

(8) supervision (assigning, reviewing and approving, guidance and training).

Page 7: 03. Internal Control-COSO Framework


Authorization and approval procedures

Authorizing and executing transactions and events are only done by persons acting within the scope of their authority. Authorization is the principal means of ensuring that only valid transactions and events are initiated as intended by management. Authorization procedures, which should be documented and clearly communicated to managers and employees, should include the specific conditions and terms under which authorizations are to be made. Conforming to the terms of an authorization means that employees act in accordance with directives and within the limitations established by management or legislation.

Page 8: 03. Internal Control-COSO Framework


Segregation of duties (authorizing, processing, recording, reviewing)

To reduce the risk of error, waste, or wrongful acts and the risk of not detecting such problems, no single individual or team should control all key stages of a transaction or event. Rather, duties and responsibilities should be assigned systematically to a number of individuals to ensure that effective checks and balances exist. Key duties include authorizing and recording transactions, processing, and reviewing or auditing transactions. Collusion, however, can reduce or destroy the effectiveness of this internal control activity. A small organisation may have too few employees to fully implement this control. In such cases, management must be aware of the risks and compensate with other controls. Rotation of employees may help ensure that one person does not deal with all the key aspects of transactions or events for an undue length of time. Also encouraging or requiring annual holidays may help reduce risk by bringing about a temporary rotation of duties.

Page 9: 03. Internal Control-COSO Framework


Controls over access to resources and records

Access to resources and records is limited to authorized individuals who are accountable for the custody and/or use of the resources. Accountability for custody is evidenced by the existence of receipts, inventories, or other records assigning custody and recording the transfer of custody. Restricting access to resources reduces the risk of unauthorized use or loss to the government and helps achieve management directives. The degree of restriction depends on the vulnerability of the resource and the perceived risk of loss or improper use, and should be periodically assessed. When determining an asset's vulnerability, its cost, portability and exchangeability should be considered.

Page 10: 03. Internal Control-COSO Framework


Verifications

Transactions and significant events are verified before and after processing, e.g. when goods are delivered, the number of goods supplied is verified with the number of goods ordered. Afterwards, the number of goods invoiced is verified with the number of goods received. The inventory is verified as well by performing stock-takes.

Reconciliations

Records are reconciled with the appropriate documents on a regular basis, e.g. the accounting records relating to bank accounts are reconciled with the corresponding bank statements.

Reviews of operating performance

Operating performance is reviewed against a set of standards on a regular basis, assessing effectiveness and efficiency. If performance reviews determine that actual accomplishments do not meet established objectives or standards, the processes and activities established to achieve the objectives should be reviewed to determine if improvements are needed.

Page 11: 03. Internal Control-COSO Framework


Reviews of operations, processes and activities

Operations, processes and activities should be periodically reviewed to ensure that they are in compliance with current regulations, policies, procedures, or other requirements. This type of review of the actual operations of an organisation should be clearly distinguished from the monitoring of internal control.

Supervision (assigning, reviewing and approving, guidance and training)

Competent supervision helps to ensure that internal control objectives are achieved. Assigning, reviewing, and approving an employee's work encompasses:

• clearly communicating the duties, responsibilities, and accountabilities assigned to each staff member;

• systematically reviewing each member's work to the extent necessary;

• approving work at critical points to ensure that it flows as intended.

Page 12: 03. Internal Control-COSO Framework


Control Activities can be classified as either Preventive or Detective.

Preventive controls focus on preventing errors or exceptions. Such preventive controls are:

– Standard policies and procedures

– Proper segregation of duties

– Authorization levels/approvals

Detective controls are designed to identify an error or exception after it has occurred. Such detective controls are:

– Exception reports

– Reconciliations

– Periodic audits

Entities should reach an adequate balance between detective and preventive control activities. Corrective actions are a necessary complement to control activities in order to achieve the objectives.

Page 13: 03. Internal Control-COSO Framework


INFORMATION AND COMMUNICATION

Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities.

Information systems produce reports, containing operational, financial and compliance related information, that make it possible to run and control the business.

Information – Information is needed at all levels of an organization to run the business, and move toward achievement of the entity’s objectives in all categories. This will include:

• Operational reports to management to ensure effective and efficient use of resources.

• Financial reports detailing the performance of the company, used by company management and external parties.

• Obtaining external and internal information and providing management with necessary reports on the entity’s performance relative to established objectives.

• Providing information to the right people in sufficient detail and on time to enable them to carry out their responsibilities effectively and efficiently.

Communication – Communication must take place, dealing with expectations, responsibilities and other important matters.

• Adequacy of communication across the organization and the completeness and timeliness of information.

• Openness and effectiveness of channels with customers, suppliers and other external parties for communicating information.

Page 14: 03. Internal Control-COSO Framework


MONITORING

Monitoring is the process of assessment by appropriate personnel of the design and operation of controls on a suitably timely basis, and taking necessary actions.

It applies to all activities within an organization, and sometimes to outside contractors as well. This may include outsourced cash collections (lockbox), outsourced payment processing (A/P through Shared Services Center) or waste management (compliance with EPA regulations).

Monitoring can be done in two ways:

1. Ongoing Activities

2. Separate Evaluations

1. Ongoing Activities – Activities to monitor the effectiveness of internal controls in the ordinary course of operations. These include regular management and supervisory activities, comparisons, reconciliations and other routine actions.

Example - Data recorded by information systems are compared with physical assets. Finished product inventories are examined periodically; counts are then compared with accounting records and differences are reported.

2. Separate Evaluations – Evaluations of internal controls performed by people within the organization and/or internal audit. Controls addressing higher-priority risks and those most critical to reducing a given risk will tend to be evaluated more often.

Page 15: 03. Internal Control-COSO Framework


Internal Control Purpose

• Help in achieving performance and profitability targets, and prevent loss of resources.

• Help to ensure reliable financial reporting.

• Help to ensure that the enterprise complies with laws and regulations, avoiding damage to its reputation and other consequences.

Reasonable manner, not absolute

Cost of Control

Internal Control Evaluation

• Evaluation Objectives

• Criteria

• Steps and Check List

Page 16: 03. Internal Control-COSO Framework


Internal Control Evaluation

Evaluation Objective: To observe the establishment of a code of conduct and other policies to implement ethical and moral behavioral standards and values

Evaluation Criteria:

• Formal document

• Formal communication

• 100% of the sample is well done

• Day-to-day activity represents implementation of the policies

• Sound appearance of people

Evaluation Criteria and Check list:

• Formal policies exist

• The policies are communicated promptly to all people across the organization

• Customers and/or stakeholders are made aware of the policies

• People voluntarily (eagerly) apply the policies to themselves

Page 17: 03. Internal Control-COSO Framework


Assignment #03 (Group)

1. The COSO Internal Control - Integrated Framework (COSO-ICIF) has 5 components. Each group is required to analyze one of the components, covering: its sub-components, the reasons why it is a must, its roles and development process in the organization, how it contributes to the achievement of the 3 categories of internal control objectives, and how it relates to the other components. Also state in your explanation how Internal Audit (IA) affects the component (assurance and consultation roles).

2. Assume that your group is assigned to perform an IA evaluation in a tax office. For this assignment you are required to create an evaluation program which includes: evaluation objectives/targets, measurement criteria, and program steps or check list (each group covers its own component).

3. There is an opinion that ‘control’ is contrary to ‘comfort’ and/or ‘the speed of services’. Form your group's opinion using the COSO-ICIF approach, and explain how IA reconciles them.