Internal Control - SIA Kelompok 3
By:
Kurniasari Mauludina Putriani (1706059095)
Marvella (1706058880)
Michelle Zevania (1706059164)
Anggita Agustina (1706972581)
Luvyta (1706972833)
Shelly Maryani (1706973060)
Vanessa Marsya K (1706973092)
Outline
Framework
1. Definition of Internal Control
2. Objectives, Components, and Principles
3. Effective Internal Control
4. Additional Considerations
5. Control Environment
6. Risk Assessment
7. Control Activities
8. Information and Communication
9. Monitoring Activities
10. Limitations of Internal Control
Appendices
A. Glossary
B. Roles and Responsibilities
C. Specific Considerations for Smaller Entities
D. Methodology for Revising the Framework
E. Public Comment Letters
F. Summary of Changes to the Internal Control - Integrated Framework Issued in 1992
G. Comparison with COSO Enterprise Risk Management
1. Definition of Internal Control
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
2. Objectives, Components, and Principles
An organization adopts a mission and vision, sets strategies, establishes objectives it wants to achieve, and formulates plans for achieving them. Objectives may be set for an entity as a whole, or be targeted to specific activities within the entity.
Components of Internal Control
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring Activities
Relationship of Objectives, Components, and the Entity
A direct relationship exists between objectives, which are what an entity strives to achieve, components, which represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and other structures).
[COSO cube: the five components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring Activities) set against the objectives and the entity structure]
Internal Control and the Management Process
◂ Having a board that comprises directors with sufficient independence from management and that carries out its oversight role is part of internal control.
◂ Making strategic decisions impacting the entity’s objectives is not part of internal control.
◂ Setting the overall level of acceptable risk and associated risk appetite is part of strategic planning and enterprise risk management, not part of internal control.
◂ Selecting and developing control activities designed to mitigate risks based on
Internal Control and Objective-Setting
As part of internal control, an organization specifies objectives by:
◂ Articulating and codifying specific, measurable or observable, attainable, relevant, and time-based objectives.
◂ Assessing the suitability of objectives and sub-objectives for internal control based on facts, circumstances, and established laws, rules, regulations, and standards.
◂ Communicating objectives and sub-objectives throughout the entity and its sub-units.
Limitations of Internal Control
◂ Suitability of the objectives established as a precondition to internal control
◂ The reality that human judgment in decision making can be faulty
◂ Breakdowns that can occur because of human failures such as errors
◂ The ability of management to override internal control
◂ The ability of management, other personnel, and/or third parties to circumvent controls through collusion
3. Effective Internal Control
An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives.
● Present and functioning
● Role of components
● Role of principles
● Deficiencies in internal control
4. Additional Considerations
Judgement
Point of focus
Advantages:
● Bigger economies of scale
● Broader range of experienced in-house personnel
● Smaller relative cost
Effective internal control:
● Wider span of control
● Greater interpersonal relations
Benefits and Costs of Internal Control
Benefits
➔ Provides management and boards of directors with:
➔ A basis for decision-making
➔ Feedback on the business functions
➔ Increased efficiency
➔ Fewer surprises
➔ Improved business relationships
Costs
➔ Trade-offs between competency and compensation costs of labor
➔ Effort from selecting through maintaining and updating the control activities needed
➔ Reliance on technology
➔ Establishing an information system
Other Considerations in Determining Benefits and Costs
Purpose:
1) Planning: creates standards and expectations of performance and conduct
2) Organizing: captures the design of internal control; provides clarity around roles and responsibilities and consistency in management
3) Leading: assists in training new personnel; communicates the 5W (who, what, when, where, why) of execution; provides a means to retain organizational knowledge and mitigate risk
4) Monitoring: provides evidence of the performance of activities
Documentation
The level and nature of documentation can also vary by the size of the organization and the complexity of the controls, through:
● In-depth policy and procedure manuals
● Flowcharts of processes
● Organizational charts
● Job descriptions
● Direct observation
5. Control Environment
Introduction
The control environment is the set of
standards, processes, and structures
that provide the basis for carrying out
internal control across the organization.
Principle 1: “The organization demonstrates a commitment to integrity and ethical values.”
Tone at the Top and throughout the Organization
The board of directors and management at all levels of the entity demonstrate, through their directives, actions, and behavior, the importance of integrity and ethical values in supporting the functioning of the system of internal control.
Demonstrated through:
● the operating style and personal conduct of management and the board of directors, attitudes toward risk, and positions taken
The tone affects:
❖ Awareness of risk
❖ Responses to risks
❖ Control activities
❖ Information and communication
❖ Feedback from monitoring activities
Establishes Standards of Conduct
The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners.
Variables that can affect this:
➢ The nature of services outsourced
➢ Extent of alignment of the service provider
➢ Quality and frequency of the service provider’s reinforcement and oversight
➢ Magnitude and level of complexity of the entity’s supply chain and business model
Evaluates Adherence to Standards of Conduct
Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct.
The process requires that management:
1. Define a set of indicators
2. Establish continual and periodic compliance procedures
3. Identify, analyze, and report business conduct issues and trends
4. Consider the strength of leadership demonstrated
5. Compile allegations centrally
6. Conduct and document investigations
7. Follow through on implementation
8. Periodically analyze issues
Addresses Deviations in a Timely Manner
Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.
Principle 2: “The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.”
Establishes Oversight Responsibilities
The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
Specialized board committees are needed:
1. Nomination committees
2. Compensation committees
3. Audit committees
4. etc.
While the BOD retains oversight responsibility, the chief executive officer and senior management bear direct responsibility for developing and implementing the internal control system.
Applies Relevant Expertise
The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions.
Operates Independently
The board of directors has sufficient members who are independent from management and objective in evaluations and decision making.
Provides Oversight for the System of Internal Control
The board of directors retains oversight responsibility for management’s design, implementation, and conduct of internal control.
Principle 3: “Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.”
Considers All Structures of the Entity
Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
Variables to consider:
• Nature, size, and geographic distribution of the entity’s business
• Risks related to the entity’s objectives and business processes
• Nature of the assignment of authority and responsibility to top, operating unit, functional, and geographic management
• Definition of reporting lines and communication channels
• Financial, tax, regulatory, and other reporting requirements of the relevant jurisdictions
Establishes Reporting Lines
Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and the flow of information to manage the activities of the entity.
• The board of directors stays informed and challenges senior management.
• Senior management is ultimately responsible for establishing directives, guidance, and control.
• Management, which includes supervisors and decision-makers, executes senior management directives at the entity and its subunits.
• Personnel have direct responsibility for outsourced processes conducted by service providers.
Defines, Assigns, and Limits Authorities and Responsibilities
Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility.
6. Risk Assessment
Operations Objectives
Points of focus:
• Reflect management’s choices
• Consider tolerances for risk
• Include operations and financial performance goals
• Form a basis for committing resources
External Financial Reporting Objectives
- Comply with applicable accounting standards
- Consider materiality
- Reflect entity activities
External Non-Financial Reporting Objectives
- Comply with externally established standards and frameworks
- Consider the required level of precision
- Reflect entity activities
Internal Reporting Objectives
- Reflect management’s choices
- Consider the required level of precision
- Reflect entity activities
Compliance Objectives
- Reflect external laws and regulations
- Consider tolerance for risk
Identifies and Analyzes Risk
Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Points of focus:
- Includes entity, subsidiary, division, operating unit, and functional levels.
- Analyzes internal and external factors.
- Involves appropriate levels of management.
- Estimates significance of risks identified.
- Determines how to respond to risks.
Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
Analyzes Internal and External Factors
Estimates Significance of Risks
A risk that does not have a significant impact on the entity and that is unlikely to occur generally does not require a detailed risk response. A risk with a higher likelihood of occurrence and a potentially significant impact receives considerable attention.
Risk Response
Assesses Fraud Risk
Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Points of focus:
- Considers various types of fraud.
- Assesses incentives and pressures.
- Assesses opportunities.
- Assesses attitudes and rationalizations.
Types of Fraud
Factors Impacting Fraud Risk
External Environment
Leadership Changes
7. Control Activities
Introduction
Selects and Develops Control Activities
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Points of focus:
- Integrates with risk assessment.
- Considers entity-specific factors.
- Determines relevant business processes.
- Evaluates a mix of control activity types.
- Considers at what level activities are applied.
- Addresses segregation of duties.
Integrate with Risk Assessment
Entity-Specific Factors
Business Process Control Activities
Types of Transaction Control Activities
Control Activities at Different Levels
8. Information & Communication
Communication Beyond Normal Channels
The organization provides separate communication channels for customers, suppliers, outsourced service providers, and other external parties so that they can communicate directly with management and/or other personnel about concerns over how business is conducted between the parties. Such concerns usually arise from the complexity of the business relationship between the entity and the external party.
E.g.: customer service
Methods of Communication
● Management considers which method to use, taking into account the audience, the nature of the communication, timeliness, and any legal or regulatory requirements.
● Methods that are often effective and used by management to reach a broad audience of external parties are:
○ Issuing press and news releases through investor/public relations channels
○ Using blogs, social media, electronic billboards, and e-mail
9. Monitoring Activities
Monitoring Activities
➔ Activities to ascertain whether the five components of internal control are present and functioning effectively.
➔ Selected, developed, and performed to ascertain whether each component continues to be present and functioning or whether changes are needed.
➔ To make that determination, the organization can use ongoing evaluations, separate evaluations, or a combination of both.
Distinguishing Control Activities & Monitoring Activities
Conducts Ongoing and/or Separate Evaluations
Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Separate Evaluations
● Include observation, review, and other examination to ascertain whether controls to effect principles across the entity and its subunits are designed, implemented, and conducted.
● Vary in scope and frequency, depending on the significance of risks, risk responses, results of ongoing evaluations, and expected impact on control.
● Evaluation scope is determined by one of the three objective categories: operations, reporting, or compliance.
◂ Conducted periodically by objective management and personnel, internal audit, or external parties.
◂ Scope and frequency are a matter of management judgment.
Separate Evaluations
● Knowledgeable personnel
● Separate evaluation approach and objectivity
○ Internal audit evaluations
○ Other objective evaluations
○ Cross operating unit or functional evaluations
○ Benchmarking/peer evaluations
○ Self-assessments
● Outsourced service providers
Evaluates and Communicates Deficiencies
Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Assess Results
Deficiencies can become known through:
◂ Monitoring activities
◂ Other components
◂ External parties
Communicating Internal Control Deficiencies
Reporting depends on:
◂ Criteria established by regulators, standard-setting bodies, management, and the BOD
Scope depends on:
◂ How the deficiency is evaluated against established criteria
10. Limitations of Internal Control
Limitations of Internal Control
● Preconditions of internal control
Areas that are part of management but not part of internal control
● Judgment
Human judgment can be faulty
● Breakdowns
There is always the possibility of breakdowns, no matter how well designed a system of internal control is
● Management override
Setting aside established policies/procedures for illegitimate purposes, such as personal gain or enhancing the entity’s presentation of performance
● Collusion
Individuals acting collectively to commit and conceal fraud can cause deficiencies in internal control
Appendices
B. Roles and Responsibilities
Responsible Parties
Board of Directors and its Committees
● Audit Committee
● Compensation Committee
● Nomination/Governance Committee
● Other Committees
Chief Executive Officer
Responsibilities for internal control include:
● Providing leadership and direction to senior management
● Maintaining control over the risks facing the entity
● Guiding the development and performance of control at the entity level, and delegating it to various levels
● Communicating expectations
● Evaluating deficiencies in control
Chief Financial Officer
● Supports the CEO in front-line responsibilities
○ E.g.: internal control over financial reporting
● Provides valuable input and direction
● Is positioned to focus on evaluating and following up on management’s actions
● Narrowing the CFO’s role to only treasury and financial reporting can limit the entity’s ability to succeed
● In some jurisdictions, required by law to certify the effectiveness of internal control over financial reporting alongside the CEO
Other Members of Senior Management
● E.g.: Chief Administrative Officer, Chief Audit Executive/Chief Compliance Officer, Chief Information Officer, etc.
● Guide the development and implementation of internal control policies and procedures that address the objectives of their functional/operating unit
● Assign more specific internal control responsibilities to personnel within their unit
Business-Enabling Functions
● Risk and Control Personnel
○ Provide specialized skills and guidance to front-line management and other personnel, and evaluate internal control
● Legal and Compliance Personnel
○ Make sure that legal, regulatory, and similar requirements are understood and communicated to those responsible for compliance
Other Personnel
● Control Environment: reading, understanding, and applying the standards
● Risk Assessment: identifying and evaluating risks to the achievement of objectives
● Control Activities: performing reconciliations, following up on exception reports, performing physical inspections, investigating reasons for cost variances, etc.
● Information and Communication: generating and sharing the information used by the internal control system
● Monitoring Activities: identifying and communicating violations to higher-level management
Internal Auditor
● Provides assurance and advisory support to management on internal control
● Evaluates the sufficiency and effectiveness of controls in responding to risks that can arise within the organization’s oversight, operations, and information systems
○ E.g.: reliability and integrity of financial and operational information, effectiveness and efficiency of operations and programs, safeguarding of assets, etc.
● Can be required or optional, depending on jurisdiction, size of the entity, and nature of the business
Other Parties Interacting with the Entity
1. Independent auditors
2. External reviewers
3. Legislators and regulators
4. Financial analysts, bond rating agencies, news media
C. Specific Considerations for Smaller Entities
Characteristics of smaller entities:
• Fewer lines of business and fewer products within lines
• Concentration of marketing focus by channel or geography
• Leadership by management with significant ownership interest or rights
• Fewer levels of management with wider spans of control
• Less complex transaction processing systems
• Fewer personnel, many having a wider range of duties
• Limited ability to maintain deep resources in line as well as support staff positions such as legal, HR, accounting, and internal auditing
Meeting Challenges in Attaining Cost-Effective Internal Control
• Obtaining sufficient resources to achieve adequate segregation of duties
• Balancing management’s ability to dominate activities
• Recruiting individuals with requisite expertise to serve effectively on the board of directors and committees
• Recruiting and retaining personnel with sufficient experience and skill in operations, reporting, compliance, and other disciplines
• Taking critical management attention from running the business in order to provide sufficient focus on internal control
• Controlling information technology and maintaining appropriate general and application controls over computer information systems with limited technical resources
Segregation of Duties
Compensating management reviews where segregation of duties is limited:
• Review reports of detailed transactions: managers review system reports of detailed transactions on a regular and timely basis.
• Review selected transactions: managers select transactions for detailed review of supporting documents.
• Take periodic asset counts: managers periodically conduct counts of physical inventory, equipment, or other assets and compare them with the accounting records.
• Check reconciliations: managers from time to time review reconciliations of account balances, such as cash, or perform them independently.
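The two checks behind the first row of that table, written out as an added example (this is not code from the original slides or from COSO): a small Python script that first finds users whose combined role assignments grant both halves of a conflicting duty pair, and then scans a detailed-transaction report for postings entered and approved by the same person, which is the exception a manager's review of such reports is meant to surface. The conflict policy, roles, users and transactions are all constructed for the illustration.

```python
"""Segregation-of-duties (SoD) checks, added as an illustration.

Two checks a manager in a small entity can automate instead of reading
reports by hand (all data below is constructed for the example):
 1. static check: which users hold a pair of duties the policy says must
    not sit with one person (e.g. create a vendor AND approve payment to it);
 2. transaction check: which postings were entered and approved by the same
    person, the exception a review of detailed transaction reports looks for.
"""
from collections import defaultdict

# Constructed SoD policy: unordered pairs of duties one person must not hold.
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "approve_journal"}),
    frozenset({"custody_of_cash", "reconcile_bank"}),
}

# Constructed role definitions and user-to-role assignments.
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "enter_journal"},
    "ap_manager": {"approve_payment", "approve_journal"},
    "cashier": {"custody_of_cash"},
    "accountant": {"reconcile_bank", "enter_journal"},
}
USER_ROLES = {
    "alice": {"ap_clerk", "ap_manager"},   # holds both sides of two conflicts
    "bob": {"ap_clerk"},
    "carol": {"cashier", "accountant"},     # custody plus reconciliation
    "dave": {"ap_manager"},
}


def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of the duties granted through all of the user's roles."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties


def sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                   conflicts=CONFLICTING_DUTIES):
    """Return {user: sorted list of conflicting duty pairs} for every user
    who holds both duties of at least one conflicting pair."""
    found = {}
    for user in user_roles:
        held = effective_duties(user, user_roles, role_duties)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= held]
        if hits:
            found[user] = sorted(hits)
    return found


# Constructed detailed-transaction report: (id, entered_by, approved_by, amount).
TRANSACTIONS = [
    ("T1", "bob", "dave", 1200.00),
    ("T2", "alice", "alice", 9800.00),  # same person entered and approved
    ("T3", "bob", "alice", 450.00),
    ("T4", "alice", "alice", 75.00),
]


def self_approved(transactions=TRANSACTIONS):
    """Transactions where the preparer also approved: the exception a
    manager's review of detailed transaction reports is meant to surface."""
    return [t for t in transactions if t[1] == t[2]]


def summarize_self_approvals(transactions=TRANSACTIONS):
    """Per-user count and total amount of self-approved postings, so the
    reviewer can prioritise by exposure rather than by row count."""
    summary = defaultdict(lambda: [0, 0.0])
    for _, entered_by, _, amount in self_approved(transactions):
        summary[entered_by][0] += 1
        summary[entered_by][1] += amount
    return {user: (count, total) for user, (count, total) in summary.items()}


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        print(f"SoD conflict: {user} holds {pairs}")
    for tx in self_approved():
        print(f"Self-approved: {tx}")
    print(summarize_self_approvals())
```

The static check runs against role definitions and catches conflicts before any transaction is posted; the transaction check is the detective control that still matters when, as in a small entity, the same person must legitimately hold both roles and the manager's review is the compensating control.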
Mitigating Management Override
D. Methodology for Revising the Framework
[Process figure: Assess and Envision → Build and Design → Preparation for Public Exposure → Public Exposure → Finalization]
Principles
The Framework carries forward the seventeen principles. It retains the principles that focus on the use of technology and the assessment of fraud risks, recognizing their important role in achieving effective internal control. Some principles were also enhanced or clarified based on respondents’ comments.
Assessing Effectiveness
Attributes
Classification of Internal Control Deficiencies
Objective-Setting
The Framework retains the five components and the concept that establishing objectives is a precondition to internal control. It clarifies the distinction between establishing objectives (outside the system of internal control) and specifying objectives (within the system of internal control). The Framework expands discussion on suitability of objectives and explains how management should respond when specified objectives are viewed as unsuitable.
Objectives
Safeguarding of Assets
Strategic Objectives
Technology
The Framework includes enhanced discussion on technology in the points of focus. The Framework does not include extensive discussion on specific current technology initiatives or the risks associated with them because of the evolving nature of technology and concerns that the Framework may become dated. The Framework does not explicitly reference other technology-focused frameworks by name.
F. Summary of Changes to the Internal Control - Integrated Framework Issued in 1992
Broad-based changes:
• Applies a principles-based approach
• Expands the reporting category of objectives
• Clarifies the role of objective-setting in internal control
• Enhances governance concepts
• Considers globalization of markets and operations
• Considers different business models and organizational structures
• Considers demands and complexities in laws, rules, regulations, and standards
• Considers expectations for competencies and accountabilities
• Reflects the increased relevance of technology
• Enhances consideration of anti-fraud expectations
Key Changes to Internal Control Components
Control Environment
• Combining into five principles the discussions relating to integrity and ethical values, commitment to competence, board of directors or audit committee, management’s philosophy and operating style, organizational structure, assignment of authority and responsibility, and human resource policies and practices
• Explaining linkages between the various components of internal control to demonstrate the foundational aspects of the control environment for a sound system of internal control
• Expanding the discussion of governance roles in an organization, recognizing differences in structures, requirements, and challenges across different jurisdictions, sectors, and types of entities
• Clarifying the expectations of integrity and ethical values to reflect lessons learned and developments in ethics and compliance
• Expanding the notion of risk oversight and strengthening the linkages between risk and performance to help allocate resources to support internal control in the achievement of the entity’s objectives
• Emphasizing the need to consider internal control across the complexities in organizational structure resulting from different business models and the use of
• Aligning roles and responsibilities discussed in organizational structure with the information presented in Appendix B so that major roles are used consistently within the Framework
Risk Assessment
• Repositioning much of the discussion on objective-setting
• Reflecting the view that non-financial reporting is conducted in relation to an external requirement or standard
• Clarifying that risk assessment includes processes for risk identification, risk analysis, and risk response
• Considering fraud risk relating to material misstatement of reporting, inadequate safeguarding of assets, and corruption as part of the risk assessment process
Control Activities
• Broadening the discussion to reflect the evolution in technology since 1992
• Expanding the discussion of the relationship between automated control activities and general controls over
• Expanding the discussion that control activities constitute a range of control techniques while providing a more detailed description of these types and techniques, and a way to categorize them
• Updating the discussion on general technology controls to focus on the more universal concepts of what needs to be controlled in this area rather than specifics applicable to the 1992 technology
G. Comparison with COSO Enterprise Risk Management
● A broader concept
● Categories of objectives
● Risk appetite and risk tolerances
● Portfolio view
● Components
● Summary:
○ Common to both Internal Control (IC) and Enterprise Risk Management (ERM): Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring Activities
○ Included in IC and expanded upon in ERM: Control Environment (as Internal Environment), Risk Assessment, Information and Communication
○ Incremental to ERM and not part of IC: Objective Setting, Event Identification, Risk Response