AUDIT INTERN PEMERINTAH

INTERNAL CONTROL
Ali Mugiono Inspektorat Jenderal Kementerian Keuangan Gedung Juanda II Lantai 7, Jl. Dr. Wahidin No. 1 Jakarta Telp. 021-385 3855 +62818858716 - e-mail: alimugiono.itjen@gmail.com

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control
Committee of Sponsoring Organizations of the Treadway Commission(COSO) : 1985 The National Commission on Fraudulent Financial Reporting (Treadway Committee) dibentuk oleh 5 organisasi (AICPA, FEI,IIA, IMA dan AAA). Organisasi tersebut kemudian lebih dikenal dengan COSO. Dilatarbelakangi berkembangnya praktek kecurangan (fraud) pada laporan keuangan 1987 Total 49 rekomendasi mencegah dan mendeteksi kecurangan. Menyarankan penerapan pengendalian intern yang efektif, mengatur fungsi internal audit, dan pengawasan oleh Komite Audit 1992 Menerbitkan Internal Control Integrated Framework (COSO Framework I). 2004 Menerbitkan Enterprise Risk Management-Integrated Framework (COSO Framework II)

COSO Internal Control -Integrated Framework (1992):

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control

COSO Internal Control -Integrated Framework (1992): Internal Control is a process effected by
an entitys board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievements of objectives in the following categories: Effectiveness & efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations
Internal control is a process. It is a means to an end, not an end in itself. Internal control is effected by people. Its not merely policy manuals and forms, but people at every level of an organization. Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entitys management and board. Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control
Control Environment

COSO Internal Control -Integrated Framework (1992):

Tone of the TOP

1. Managements Philosophy and Operating Style 2. Integrity and Ethical Values 3. Board of Directors and Audit Committee Direction and Policies 4. Commitment to Competence 5. Organizational Structure 6. Assignment of Authority and Responsibility 7. Human Resource Policies and Procedures

The control environment sets the tone of the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

CONTROL ENVIRONMENT

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control

COSO Internal Control -Integrated Framework (1992):

Risk Assessment
is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. 1. Company-wide Objectives Objectives (i.e. assertions) must be 2. Process-level Objectives established prior to the identification of 3. Risk Identification and Analysis risks to their achievement and to take 4. Managing Change Human necessary actions to manage the risks. Resource Policies and Procedures By setting objectives, both at entity
and activity levels, prior to a risk assessment, a company can determine the critical success factors; then determine the risks to the critical success factors.

RISK ASSESSMENT

A risk assessment usually includes: a. Estimating the significance of a risk b. Assessing the likelihood (or frequency) of the risk occurring c. Consideration of how the risk should be managed

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control

COSO Internal Control -Integrated Framework (1992):

Control Activities
are the policies and procedures that help ensure management directives are carried out. They help to ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. (1) authorization and approval procedures; (2) segregation of duties (authorizing, processing, recording, reviewing); (3) controls over access to resources and records; (4) verifications; (5) reconciliations; (6) reviews of operating performance; (7) reviews of operations, processes and activities; (8) supervision (assigning, reviewing and approving, guidance and training).

CONTROL ACTIVITIES

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control

COSO Internal Control -Integrated Framework (1992):

Authorization and approval procedures

Authorizing and executing transactions and events are only done by persons acting within the scope of their authority. Authorization is the principal means of ensuring that only valid transactions and events are initiated as intended by management. Authorization procedures, which should be documented and clearly communicated to managers and employees, should include the specific conditions and terms under which authorizations are to be made. Conforming to the terms of an authorization means that employees act in accordance with directives and within the limitations established by management or legislation.

CONTROL ACTIVITIES

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control

COSO Internal Control -Integrated Framework (1992):

Segregation of duties (authorizing, processing, recording, reviewing) To reduce the risk of error, waste, or wrongful acts and the risk of not detecting such problems, no single individual or team should control all key stages of a transaction or event. Rather, duties and responsibilities should be assigned systematically to a number of individuals to ensure that effective checks and balances exist. Key duties include authorizing and recording transactions, processing, and reviewing or auditing transactions. Collusion, however, can reduce or destroy the effectiveness of this internal control activity. A small organisation may have too few employees to fully implement this control. In such cases, management must be aware of the risks and compensate with other controls. Rotation of employees may help ensure that one person does not deal with all the key aspects of transactions or events for an undue length of time. Also encouraging or requiring annual holidays may help reduce risk by bringing about a temporary rotation of duties.

CONTROL ACTIVITIES

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control

COSO Internal Control -Integrated Framework (1992):

Controls over access to resources and records Access to resources and records is limited to authorized individuals who are accountable for the custody and/or use of the resources. Accountability for custody is evidenced by the existence of receipts, inventories, or other records assigning custody and recording the transfer of custody. Restricting access to resources reduces the risk of unauthorized use or loss to the government and helps achieve management directives. The degree of restriction depends on the vulnerability of the resource and the perceived risk of loss or improper use, and should be periodically assessed. When determining an asset's vulnerability, its cost, portability and exchangeability should be considered.

CONTROL ACTIVITIES

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control
Reconciliations Records are reconciled with the appropriate documents on a regular basis, e.g. the accounting records relating to bank accounts are reconciled with the corresponding bank statements.

COSO Internal Control -Integrated Framework (1992):

Verifications Transactions and significant events are verified before and after processing, e.g. when goods are delivered, the number of goods supplied is verified with the number of goods ordered. Afterwards, the number of goods invoiced is verified with the number of goods received. The inventory is verified as well by performing stock-takes. Reviews of operating performance Operating performance is reviewed against a set of standards on a regular basis, assessing effectiveness and efficiency. If performance reviews determine that actual accomplishments do not meet established objectives or standards, the processes and activities established to achieve the objectives should be reviewed to determine if improvements are needed.

CONTROL ACTIVITIES

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control

COSO Internal Control -Integrated Framework (1992):

Reviews of operations, processes and activities

Operations, processes and activities should be periodically reviewed to ensure that they are in compliance with current regulations, policies, procedures, or other requirements. This type of review of the actual operations of an organisation should be clearly distinguished from the monitoring of internal control.

supervision (assigning, reviewing and approving, guidance and training) Competent supervision helps to ensure that internal control objectives are achieved. Assigning, reviewing, and approving an employee's work encompasses: clearly communicating the duties, responsibilities, and accountabilities assigned each staff member; systematically reviewing each member's work to the extent necessary; approving work at critical points to ensure that it flows as intended.

CONTROL ACTIVITIES

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control

COSO Internal Control -Integrated Framework (1992):

Control Activities can be classified as either Preventive or Detective. Preventive controls focus on preventing errors or exceptions. Such preventive controls are
Standard policies and procedures Proper segregation of duties Authorization levels/approvals

Detective controls are designed to identify an error or exception after it has occurred. Such detective controls are:
Exception reports Reconciliations Periodic audits

Entities should reach an adequate balance between detective and preventive control activities. Corrective actions are a necessary complement to control activities in order to achieve the objectives.

CONTROL ACTIVITIES

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control
INFORMATION AND COMMUNICATION

COSO Internal Control -Integrated Framework (1992):

Information and Communication

Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance related information, that make it possible to run and control the business.

Information Information is needed at all levels of an organization to run the business, and move toward achievement of the entitys objectives in all categories. This will include: Operational reports to management to ensure effective and efficient use of resources Financial reports detailing the performance of the company used by company management and external parties. Obtaining external and internal information and provide management with necessary reports on the entitys performance relative to established objectives. Provide information to the right people in sufficient detail and on time to enable them to carry out their responsibilities effectively and efficiently Communication Communication must take place, dealing with expectations, responsibilities and other important matters. Adequacy of communication across the organization and the completeness and timeliness of information. Openness and effectiveness of channels with customers, suppliers and other external parties for communicating information.

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control

COSO Internal Control -Integrated Framework (1992):

Monitoring
Monitoring is the process of assessment by appropriate personnel of the design and operation of controls on a suitably timely basis, and taking necessary actions. It applies to all activities within an organization, and sometimes to outside contractors as well. This may include outsourced cash collections (lockbox), outsourced payment processing (A/P through Shared Services Center) or waste management (compliance with EPA regulations). Monitoring can be done in two ways: 1.Ongoing Activities 2.Separate Evaluations 1. Ongoing Activities Activities to monitor the effectiveness of internal controls in the ordinary course of operations. These include regular management and supervisory activities, comparisons, reconciliations and other routine actions. Example - Data recorded by information systems are compared with physical assets. Finished product inventories are examined periodically and counts are then compared with accounting records and differences reports.

2.

Separate Evaluations Evaluations of internal controls performed by

people within the organization and/or internal audit. Controls addressing higher-priority risks and those most critical to reducing a given risk will tend to be evaluated more often.

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control
Reasonable manner Not Absolute

COSO Internal Control -Integrated Framework (1992):

Internal Control Purpose

Help in achieving performance and profitability targets, and prevent loss of resources. Help to ensure reliable financial reporting. Help to ensure that the enterprise complies with laws and regulations, avoiding damage to its reputation and other consequences.

Cost of Control

Internal Control Evaluation

Evaluation Objectives Criteria Steps and Check List

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control

Internal Control Evaluation

Evaluation Objective:
To observe the establishment of code of conduct and other policies to implement ethical and moral behavioral standard and values

Evaluation Criteria:
Formal document Formal communication 100% of sample are welldone Day to day activity represent implementation the policies Sound appearance of people

Evaluation Criteria and Check list:

Formal policies are exist The policies communicated promptly to all people among organization Customer and/or stakeholder are aknowledged upon the policies People are voluntarily (eager) to implement to themselves

AUDIT INTERN PEMERINTAH

alimugiono.itjen@gmail.com

Internal Control
(Group)

Assignment # 03
1. Regarding the COSO-Internal Control Integrated Framework (COSO-ICIF) there are 5 components. Each group of you are demanded to make analysis about one of the components, which includes: its sub-components, reasons why it is a must, its roles and development process in organization, how it contributes in the achievement of 3 categories of internal control objectives, and how it relates to the other components. Also state in your explaination how Internal Audit (IA) affects the component (assurance and consultation roles). Assume that your group is assigned to perform IA evaluation in a tax office. For this assignment you are demanded to create evaluation program which include: evaluation objectives/targets, measurement criteria, and program steps or check list (each group make its own component ). There is an opinion that control is contrary with the comfortability and/or the speed of services. Make your group opinion by using COSO-ICIF approach and how does IA reconciliate them.

2.

3.