Sesi 4 - Samuel Triswandi.pdf

7/28/2019 Sesi 4 - Samuel Triswandi.pdf

1/12

1

Event Management Training & Conferences

Knowledge Development Centerwe develop people to be more

Internal Control Management

Jakarta, 13 June 2012

Definition

In accounting and auditing, internal control is defined as a

process affected by an organization's structure, work and

authority flows, people and management information systems,

designed to help the organization accomplish specific goals or

objectives. It is a means by which an organization's resourcesare directed, monitored, and measured. It plays an important

role in preventing and detecting fraud and protecting the

organization's resources, both physical (e.g., machinery and

property) and intangible (e.g., reputation or intellectual

property such as trademarks).


2/12

2



Definition At the organizational level, internal control objectives relate to the

reliability of financial reporting, timely feedback on the

achievement of operational or strategic goals, and compliance with

laws and regulations. At the specific transaction level, internal

control refers to the actions taken to achieve a specific objective

(e.g., how to ensure the organization's payments to third parties

are for valid services rendered.) Internal control procedures reduce

process variation, leading to more predictable outcomes. Internal

controls within business entities are also referred to as operationalcontrols.

Definition

Under the COSO Internal Control-Integrated Framework,a widely-used framework in not only the United Statesbut around the world, internal control is broadlydefined as a process, effected by an entity's board of

directors, management, and other personnel, designedto provide reasonable assurance regarding theachievement of objectives in the following categories:

a) Effectiveness and efficiency of operations;

b) Reliability of financial reporting; and

c) Compliance with laws and regulations.


3/12

3



Key conceptsThe COSO framework involves several key concepts:

Internal control is a process. It is a means to an end, not anend in itself.

Internal control is affected by people. Its not merely policy,manuals, and forms, but people at every level of anorganization.

Internal control can be expected to provide only reasonable

assurance, not absolute assurance, to an entitysmanagement and board.

Internal control is geared to the achievement of objectivesin one or more separate but overlapping categories.

5 Component Internal Control

1. Control Environment-sets the tone for the organization, influencing the controlconsciousness of its people. It is the foundation for all other components ofinternal control.

2. Risk Assessment-the identification and analysis of relevant risks to the

achievement of objectives, forming a basis for how the risks should be managed

3. Information and Communication-systems or processes that support the

identification, capture, and exchange of information in a form and time framethat enable people to carry out their responsibilities

4. Control Activities-the policies and procedures that help ensure management

directives are carried out.

5. Monitoring-processes used to assess the quality of internal control performanceover time.


4/12

4



A SOUND CONTROL ENVIRONMENT

Managers and employees who possess integrity,

ethical values and competence;

Management's philosophy and operating style;

Proper assignment of authority and responsibility;

Proper organization of available resources;

Proper training and development of people; and Proper attention and direction from senior

management.

A SOUND RISK ASSESSMENT PROCESS

An awareness of and ability to deal with the risks and

obstacles to successful achievement of business

objectives;

Establishment by management of a set of objectivesthat integrate all the organization's resources so that

the organization operates in concert; and

Identification, analysis and management of the risks

and obstacles to successful achievement of the three

primary business objectives.


5/12

5



A SOUND OPERATIONAL CONTROL

ACTIVITIES

The establishment and execution of policies andprocedures to help ensure effective implementationof the actions identified by management as beingnecessary to address risks and obstacles toachievement of business objectives.

(These control activities help ensure thatmanagement's directives are carried out; occur at alllevels of the organization; and in all activities, units

and functions. Examples include authorizations,reviews of operating performance, security of assets,and segregation of duties.)

A SOUND INFORMATION AND

COMMUNICATIONS SYSTEM Information systems produce reports, containing operational, financial and compliance

related information, that make it possible to run and control a business. They deal withinternally generated data as well as the external activities, conditions and eventsnecessary to informed business decision making and external reporting.

The organization's people must be able to capture and exchange the information neededto conduct, manage and control operations.

Pertinent information must be identified, captured and communicated in a form and time

frame that enables people to carry out their responsibilities. Effective communication must flow down, up and across the organization. (This includes a

clear message from top management to all personnel that control responsibilities must betaken seriously.)

All personnel must understand their own role in the internal control system, as well ashow their individual activities relate to the work of others.

All personnel must have a means of communicating significant information upstream.

There must be effective communication with external parties.


6/12

6



EFFECTIVE MONITORING The entire control system must be monitored to assess the quality of the

system's performance over time.(Ongoing monitoring, which should occur in the normal course ofoperations, includes such things as regular management and supervisoryactivities; and actions personnel take in performing their duties.)

Internal deficiencies should be reported upstream, with serious mattersreported to top management.

There should also be separate, independent evaluations of the internalcontrol system. The scope and frequency of these independentevaluations depend primarily on the assessment of risks and obstacles,and the effectiveness of ongoing monitoring procedures.

Collectively, the three primary business objectives and the fivecomponents needed to achieve those objectives constitute the internalcontrol framework

The New Paradigm in Internal ControlInternal audits can use the Framework to focus on three different levels of control:

1. Strategicplanning, organizing and directing activities that address achieving the long rangemission and objectives of the entity under review.

2. Tacticalplanning, organizing and directing activities that address achieving short term (annual)objectives and goals of the entity under review that lead to success in achieving theentity's strategic mission and objectives.

3. Operational

planning, organizing and directing controls that address the day- to-day operations ofthe entity.

Using a survey tool based upon the five components, internal audits can be conducted at astrategic, rather than operational, level. These strategic internal audits can be designed togather testimonial and documentary evidence to either support achievement of the standardfor effective internal control; or to identify to senior managers deficiencies and improvementopportunities for achieving effective internal control. Essentially, this means assessingplanning activities; the means of measuring accomplishment; the reliability of data used tobenchmark, report and measure; and the resources used to achieve outcomes. TheFramework approach provides an ideal vehicle for adding value to the organization.


7/12

7



Roles and Responsibility1. Management: The Chief Executive Officer (the top manager) of

the organization has overall responsibility for designing andimplementing effective internal control.

2. Board of Directors: Management is accountable to the board ofdirectors, which provides governance, guidance and oversight.

3. Auditors: The internal auditors and external auditors of theorganization also measure the effectiveness of internal controlthrough their efforts.

4. Managers and Staffs may be involved in evaluating the controls

within their own organisational unit using a control self-assessment.

Describing Internal Control

1. Objective Categorization (designed to providereasonable assurance that particular objective areachieved, or related progress understood ex A/Pfunction)

2. Activity Categorization (explained by type ornature of activity)

3. Control Precision (the alignment or correlationbetween a particular control procedure and agiven control objective or risk)


8/12

8



Objective Categorization Existence (Validity): Only valid or authorized transactions are processed

(i.e., no invalid transactions)

Occurrence (Cutoff): Transactions occurred during the correct period orwere processed timely.

Completeness: All transactions are processed that should be (i.e., noomissions)

Valuation: Transactions are calculated using an appropriate methodologyor are computationally accurate.

Rights & Obligations: Assets represent the rights of the company, andliabilities its obligations, as of a given date.

Presentation & Disclosure (Classification): Components of financialstatements (or other reporting) are properly classified (by type oraccount) and described.

Reasonableness-transactions or results appears reasonable relative toother data or trends.

Activity Categorization Control activities may also be explained by the type or nature of activity. These include

(but are not limited to):

Segregation of duties - separating authorization, custody, and record keeping roles offraud or error by one person.

Authorization of transactions - review of particular transactions by an appropriate person.

Retention of records - maintaining documentation to substantiate transactions.

Supervision or monitoring of operations - observation or review of ongoing operationalactivity.

Physical safeguards - usage of cameras, locks, physical barriers, etc. to protect property,

such as merchandise inventory. Top-level reviews-analysis of actual results versus organizational goals or plans, periodic

and regular operational reviews, metrics, and other key performance indicators (KPIs).

IT Security - usage of passwords, access logs, etc. to ensure access restricted to authorizedpersonnel.

Top level reviews-Management review of reports comparing actual performance versusplans, goals, and established objectives.

Controls over information processing-A variety of control activities are used in informationprocessing. Examples include edit checks of data entered, accounting for transactions innumerical sequences, comparing file totals with control accounts, and controlling accessto data, files and programs.


9/12

9



Control Precision

A control with direct impact on the achievement

of an objective (or mitigation of a risk) is said to be

more precise than one with indirect impact on the

objective or risk. Precision is distinct from

sufficiency; that is, multiple controls with varying

degrees of precision may be involved in achieving

a control objective or mitigating a risk.

Fraud and Internal Control

Internal control plays an important role in theprevention and detection of fraud. Under theSarbanes-Oxley Act, companies are required toperform a fraud risk assessment and assess relatedcontrols.

This typically involves identifying scenarios in whichtheft or loss could occur and determining if existingcontrol procedures effectively manage the risk to anacceptable level.

The risk that senior management might overrideimportant financial controls to manipulate financialreporting is also a key area of focus in fraud riskassessment.


10/12

10



Internal Control and Improvement If the internal control system is implemented only to prevent

fraud and comply with laws and regulations, then an importantopportunity is missed. The same internal controls can also beused to systematically improve businesses, particularly in regardto effectiveness and efficiency

Advances in technology and data analysis have led to thedevelopment of numerous tools which can automaticallyevaluate the effectiveness of internal controls. Used in

conjunction with continuous auditing, continuous controlsmonitoring provides assurance on financial information flowingthrough the business processes.

Cost Management System1. Display past, present, and future expenditures.

2. Mirror the organizations cost structure and behaviors to support ongoing

improvement and control.

3. Support realistic, reliable strategic planning and explicit management intention.

4. Influence individual and team behaviors toward goal accomplishment.

5. Monitor and control resource use against mission and strategic intentions.

6. Provide warning when unhealthy financial thresholds are imminent.7. Facilitate the repositioning of resources.

8. Hold specific individuals and groups accountable for standards of performance.

9. Assist in analyzing key discrete points of profitability: customer , process,

product, and region.

10.Display a 360-degree unbiased view of the organizations cost structure, one that

is understood and actually used in decision making by all executives and

managers.


11/12

11



Barriers in Internal Control

People

Value & Culture

Process

System

Some specific Issues

Management Plans

Management Objectives

Communication of Desired Outcomes and the Policies and Procedures toachieve outcomes

Written Standards to Measure Achievement of Desired Outcomes

Assignment of Responsibility and Granting of Authority Budget vs Workloads

Staffing Efficiency

Communications

Process Measurement

Corrective Actions Taken and Measures of Success

Outcome Measurement and Reporting Systems


12/12

12


Knowledge Development Center

Important elements in Internal Control Establishing a foundation for monitoring, including (a) a proper tone at

the top; (b) an effective organizational structure that assigns monitoringroles to people with appropriate capabilities, objectivity and authority;and (c) a starting point or baseline of known effective internal controlfrom which ongoing monitoring and separate evaluations can beimplemented

Designing and executing monitoring procedures focused on persuasiveinformation about the operation ofkey controls that address meaningfulrisks to organizational objectives; and

Assessing and reporting results, which includes evaluating the severity ofany identified deficiencies and reporting the monitoring results to theappropriate personnel and the board for timely action and follow-up ifneeded.

Thank you

Sesi 4 - Samuel Triswandi.pdf

Documents

Transcript of Sesi 4 - Samuel Triswandi.pdf