Ai - PPT 7 (Internal Control)

INTERNAL AUDIT

(SESSION 7)

INTERNAL CONTROL
MAPPING
DEFINITION OF INTERNAL CONTROL

THE COMPONENTS OF INTERNAL CONTROL

INTERNAL CONTROL ROLES AND RESPONSIBILITIES

LIMITATIONS OF INTERNAL CONTROL

VIEWING INTERNAL CONTROL FROM DIFFERENT PERSPECTIVES

TYPES OF CONTROLS

EVALUATING THE SYSTEM OF INTERNAL CONTROLS


DEFINITION OF INTERNAL
CONTROL
Internal Control (COSO): a process,
effected by an entity’s BOD, management,
and other personnel, designed to provide
reasonable assurance regarding the
achievement of objectives in the following
categories:
a. Effectiveness and efficiency of operations
b. Reliability of financial reporting
c. Compliance with applicable laws and
regulations
THE COMPONENTS OF
INTERNAL CONTROL
1. Control Environment
“the integrity, ethical values, and
competence of entity’s people:
a. management’s philosophy and
operating style;
b. the way management assigns authority
and responsibility;
c. organizes and develops its people;
d. and the attention and direction provided
by the BOD.”
THE COMPONENTS OF
INTERNAL CONTROL
2. Risk Assessment
“is the identification and analysis of
relevant risks to achievement of the
objectives, forming a basis for
determining how the risks should be
managed.”
THE COMPONENTS OF
INTERNAL CONTROL
3. Control Activities
“are the actions taken by management, the
board, and other parties to mitigate the
likelihood that established objectives and
goals will be achieved.”

Critical concept → Segregation of duties:
the concept of dividing, or segregating,
control activities related to the authorization
of transactions (division of duties among
authorization, recording, and custody)
THE COMPONENTS OF
INTERNAL CONTROL
Internal control activities include:
a. Performance reviews and follow-up
activities;
b. Authorizations (approvals);
c. IT access control activities;
d. Documentation (rigorous and
comprehensive);
e. Physical access control activities;
f. IT application (input, processing, output)
control activities;
g. Independent verifications and reconciliations.
THE COMPONENTS OF
INTERNAL CONTROL
4. Information and Communication
“Relevant, accurate, and timely information
must be available to individuals at all levels
of an organization who need such
information to run the business effectively.”

“Communication must take place in a
broader sense, dealing with expectations,
responsibilities of individuals and groups,
and other important matters.”
THE COMPONENTS OF
INTERNAL CONTROL
5. Monitoring
“a process that assesses the quality of
the system’s performance over time.
This is accomplished through
ongoing/separate monitoring or a
combination of the two.”
INTERNAL CONTROL ROLES AND
RESPONSIBILITIES
1. Management
The CEO has primary responsibility for
setting the “tone at the top” and
establishing a positive control
environment.

Tone at the top: the entity-wide attitude
of integrity and control consciousness,
as exhibited by the most senior
executives of an organization.
INTERNAL CONTROL ROLES AND
RESPONSIBILITIES
2. BOD
The BOD has ultimate responsibility for
ensuring management has established
an effective system of internal control.
INTERNAL CONTROL ROLES AND
RESPONSIBILITIES
3. Internal Auditors
Internal auditors play a significant role in
verifying that management has met its
responsibility.

Initially, management performs the
primary assessment of the system of
internal control, and then the internal
audit function independently validates
management’s assertions.
INTERNAL CONTROL ROLES AND
RESPONSIBILITIES
4. Other Personnel
All personnel should be responsible for
communicating upward problems in
operations, noncompliance with the
code of conduct, or other policy
violations or illegal actions.
LIMITATIONS OF INTERNAL
CONTROL
Limitations inherent to internal control:
a. Human judgement in decision-making can be
faulty;
b. Breakdowns can occur because of such
human failures as simple error or mistake;
c. Controls can be circumvented by the collusion
of two or more people;
d. Management has the ability to override the
internal control system;
e. Controls must be considered in terms of their
costs compared to their benefit.
LIMITATIONS OF INTERNAL
CONTROL
Inherent Risk : the combination of internal and
external risk factors in their pure, uncontrolled
state or the gross risk that exists assuming
there are no internal controls in place.
Controllable Risk : the portion of inherent risk
that management can reduce through day-to-
day operations and management activities.
Residual Risk : the portion of inherent risk that
remains after management executes its risk
response (net risk).
LIMITATIONS OF INTERNAL CONTROL

Consequences of Accepting Excessive Risk:
a. Potential for fraud to occur
b. Potential noncompliance with laws and regulations
c. Poor or ineffective business decision-making
d. Potential loss of assets

Consequences of Implementing Excessive Internal Control:
a. Increased bureaucracy
b. Excess cost
c. Unnecessary complexity of controls
d. Increased cycle time


VIEWING INTERNAL CONTROL
FROM DIFFERENT PERSPECTIVES

1. Management
Internal control includes a number of
activities designed to mitigate risks or
enable opportunities that affect the
achievement of an organization’s
objectives
VIEWING INTERNAL CONTROL
FROM DIFFERENT PERSPECTIVES

2. Internal Auditors
are charged with independently
verifying that the organization’s controls
are designed adequately and operating
effectively as management intends.
VIEWING INTERNAL CONTROL
FROM DIFFERENT PERSPECTIVES

3. Independent Outside Auditors
are focused on internal control relative
to how it affects the organization’s
financial reporting.
VIEWING INTERNAL CONTROL
FROM DIFFERENT PERSPECTIVES

4. Other External Parties
have an interest in an organization’s
internal control; because their interests
vary, so too will their perspectives of
internal control.
TYPES OF CONTROLS
1. Entity-Level, Process-Level, and Transaction-Level Controls
Entity-Level Controls include:
a. Controls related to the control environment;
b. Controls over management override;
c. The company’s risk assessment process;
d. Centralized processing and controls; including shared service
environments;
e. Controls to monitor results of operations;
f. Controls to monitor other controls (activities of internal audit
function, audit committee, and self assessment programs);
g. Controls over the period-end financial reporting process;
h. Policies that address significant business control and risk
management practices.
TYPES OF CONTROLS
Process-Level Controls include:
a. Reconciliations of key accounts;
b. Physical verifications of assets;
c. Process employee supervision and
performance evaluations;
d. Process-level risk assessments;
e. Monitoring/oversight of specific
transactions.
TYPES OF CONTROLS
Transaction-Level Controls include:
a. Authorizations;
b. Documentation;
c. Segregation of duties;
d. IT application control (input, processing,
output);
TYPES OF CONTROLS
2. Key Controls and Secondary Controls
Key Control (Primary Control) is designed
to reduce key risks associated with business
objectives.

Secondary Control is designed to either (1)
mitigate risks that are not key to business
objectives; or (2) partially reduce the level of risk
when a key control does not operate
effectively.
TYPES OF CONTROLS
3. Compensating Controls
are designed to supplement key controls that
are either ineffective or cannot fully mitigate a
risk or group of risks by themselves to an
acceptable level within the risk appetite
established by management and the board.
TYPES OF CONTROLS
4. Complementary Controls
is a necessary control that is not sufficient by
itself to fully mitigate the risk. When combined
with one or more other controls, a
complementary control does help reduce the
underlying risk to an acceptable level. Ex:
segregation of duties.
TYPES OF CONTROLS
5. Preventive, Detective, Corrective, and Directive Controls
Preventive Control is designed to deter unintended events from
occurring in the first place.

Detective Control is designed to discover undesirable events that
have already occurred.

Corrective Control is one in which detected omissions and errors
are corrected.

Directive Control gives explicit direction regarding what actions
need to take place to cause or encourage a desirable event to
occur.
TYPES OF CONTROLS
6. Information System Control
There are 2 types that can be used to mitigate risk:
a. General Computing Controls
“apply to many if not all application systems and help ensure
their continued, proper operation”
b. Application Controls
“include computerized steps within the application software and
related manual procedures to control the processing of various
types of transactions”

These 2 types work together “to ensure completeness,
accuracy, and validity of the financial and other information in the
system.”
TYPES OF CONTROLS
7. Simultaneous Categorization of Controls
Specific controls can fit into several
categories at the same time.
Ex: a control can be an entity-level control at
the same time that it is a key control.
EVALUATING THE SYSTEM OF
INTERNAL CONTROLS
In evaluating the control process, the CAE
considers whether:
a. Significant discrepancies or weaknesses
were discovered;
b. Corrections or improvements were made
after the discoveries;
c. The discoveries and their potential
consequences lead to a conclusion that a
pervasive condition exists resulting in an
unacceptable level of risk.
