Good Auditor
The Roles of GCG Assurance (figure)
Shareholder
Oversight: •BoC •Committee •BoD
Stewardship: •Senior Manager •Operational Manager
Assurance: •Internal Audit •Risk Management •Compliance •ISO Performance •External Audit •Others
WHAT IS INTERNAL CONTROL?
Generally, internal control is the set of methods and procedures used to safeguard assets
and other resources and to assure that those assets and resources are used as
directed by management.
A more formal definition is that internal control comprises the plan of the organization
and all of the coordinated methods and measures adopted within an organization to
safeguard its assets, check the accuracy and reliability of its accounting data,
promote operational efficiency, and encourage adherence to prescribed managerial
policies and applicable laws.
B. COBIT: While COSO identifies five components of internal control that need to be in place and integrated
to achieve financial reporting and disclosure objectives, COBIT (Control Objectives for Information and
related Technology) provides similar detailed guidance for IT.
C. CoCo - The Control Model: Developed by the Criteria of Control Committee of the Canadian Institute of
Chartered Accountants, CoCo focuses on behavioral values rather than control structure and procedures as
the fundamental basis for internal control in a company.
D. Turnbull Report - Internal Control: Guidance for Directors on the Combined Code: Developed by the
Committee on Corporate Governance of the Institute of Chartered Accountants in England & Wales, in
conjunction with the London Stock Exchange, the guide was published in 1999. Turnbull requires
companies to identify, evaluate, and manage their significant risks and to assess the effectiveness of the
related internal control system.
E. ACC - Australian Criteria of Control: Issued in 1998 by the Institute of Internal Auditors – Australia, the ACC
emphasizes the competency of management and employees to develop and operate the internal control
framework. Self-committed control, which includes such attributes as attitudes, behaviors, and competency,
is promoted as the most cost-effective approach to internal control.
F. The King Report: The King Report, released by the King Committee on Corporate Governance in 1994,
promotes high standards of corporate governance in South Africa. The King Report goes beyond the usual
financial and regulatory aspects of corporate governance by addressing social, ethical, and environmental
concerns.
COSO
(Committee of Sponsoring Organizations)
Sponsoring organizations – AICPA, AAA, FEI, IIA, IMA (mostly accountancy
and audit related organisations)
History – several business failures in the 1980s prompted creation of the
Treadway Commission, first formed in 1985 to examine the causes of
fraudulent financial reporting.
Charged with creating a control model.
Result: Report titled Internal Control – Integrated Framework, published in 1992.
COSO’s goal is to improve the quality of financial reporting through a
focus on corporate governance, ethical practices, and internal control.
COSO model was considered to be best practices, but had no “teeth”.
Renewed interest today because of recent accounting scandals and
Sarbanes-Oxley Act of 2002 (SOA). The COSO model is still considered by
many to be the best internal control guidance available.
COSO INTERNAL CONTROL
FRAMEWORK
Information is needed for all three objective categories - to effectively manage
business operations, prepare financial statements and determine compliance.
(Figure: COSO cube - Three Objectives Categories, Five Components)
Internal Control is defined (in COSO and US auditing standards – AU 319) as a process,
effected by an entity’s board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the
following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
COSO identifies five components of internal control that need to be in place and
integrated to ensure the achievement of each of the objectives. All five components are
applicable and important to achieve operations objectives. Internal control is relevant to an
entire enterprise, or to any units or activities.
COSO DEFINITION OF INTERNAL CONTROL
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring
Everyone in the organization playing an active role
Mapping of control components across frameworks (COSO | Basel II | Bank Indonesia | Ministry of SOEs (Kementerian BUMN)):
Control Environment | Management Oversight and the Control Culture | Internal Control Environment within the Company | Oversight by Management and a Disciplined, Structured Control Culture
Risk Assessment | Risk Recognition and Assessment | Assessment and Management of Business Risk | Risk Identification and Assessment
Capability Level | Capability Description | Attributes | Implications

Optimizing - CONTINUOUS IMPROVEMENT
Description: Continuously improving controls enterprisewide; “Chain of accountability” sustained
Attributes:
• Best practices identified and shared
• World-class financial reporting process
• Organized efforts to remove inefficiency
• External and internal change monitored for impact on control structure
• Controls preventive and systems-based
Implications:
• Internal controls – integrated framework fully implemented
• Entity-level analytics and monitoring fully operational
• Faster decisions on improving controls

Defined - QUALITATIVE/QUANTITATIVE
Description: Policies, processes and standards defined and institutionalized; Controls documented and accountability emerging
Attributes:
• Internal control uniform across the entity
• Transaction flows documented
• Risks of errors and omissions sourced
• Control processes for mitigating risks better documented and integrated
Implications:
• All groups accountable to use organization’s control standards
• Remaining known gaps closed
• Control reports not very robust
• Assurance lacking that all deviations from control standards are detected

Initial - AD HOC/CHAOTIC
Description: Control is not a priority; Unstable control environment leads to dependency on heroics
Attributes:
• Reliance on individual initiative
• “Just do it”
• Ad hoc disclosure activities
• Policies not articulated
• Few processes are defined
• Institutional capability lacking
Implications:
• Key controls are not in place
• Controls are not periodically evaluated for deficiencies
• Success depends on manual efforts and validation by seasoned managers
• Gaps result when key people leave
MAJOR IMPLEMENTATION CHALLENGE
CULTURE
• Different performance orientation (Social Harmony rather than shareholder
return)
• Limited individual accountability for results
• Absence of open friction/challenge in internal interactions (focus on
preserving harmony)
DECISION MAKING
• Lack of clarity around accountability and authority levels
• Complex, slow and bureaucratic decision making
• Insufficiently supported by facts, due to lack of data transparency
ORGANIZATION
• Functional silos (not enough cross-functionality of corporate perspective)
• Multilayered structure, impeding empowerment
• Antiquated, unproductive administrative support (HRD, IT, etc.)
Internal Control vs ERM - 1
“Enterprise Risk Management” is a process for identifying, analyzing and
managing risk across the entire enterprise
ERM defines risk and risk management and provides key principles and
concepts, a common language and other elements of a comprehensive
risk management framework.
ERM provides criteria for companies’ use in determining whether their risk
management is effective, and if not, what is needed to make it so.
(Figure: Internal control and ERM components - Objective Setting, Event Identification, Control Environment, Information and Communication, Risk Identification, Risk Measurement, Risk Analysis, Response and Mitigation, Monitoring)
Actually, ISO 31000 is getting more popular because it has more practical guidance,
while COSO looks to be only starting to complete its guidance.