Good Auditor


The Roles (GCG Assurance)

Oversight:
• BoC
• Committee
• BoD

Stewardship:
• Senior Manager
• Operational Manager
• Performance Manager

Assurance:
• Internal Audit
• Risk Management
• Compliance
• ISO
• External Audit
• Others

Shareholder
WHAT IS INTERNAL CONTROL?
 Generally, internal control consists of the methods and procedures used to safeguard assets
and other resources and to assure that those assets and resources are used as
directed by management.

 A more formal definition is that internal control comprises the plan of the organization
and all of the coordinated methods and measures adopted within an organization to
safeguard its assets, check the accuracy and reliability of its accounting data,
promote operational efficiency, and encourage adherence to prescribed managerial
policies and applicable laws.

 The internal control system is a major building block of an effective governance and
accountability structure of the corporation.

 Indonesian state-owned corporations are required to have an adequate internal
control system, following the guidance issued by the regulators (BAPEPAM-LK, for
those that have already gone public, and also Kementerian Negara BUMN).
WHY are we CONCERNED with INTERNAL CONTROL?
 A system of effective internal controls is a critical component of a
company and a foundation for the safe and sound operation of
company organisations.
 A system of strong internal controls can help to ensure that the goals and
objectives of a company organisation will be met:
• Achieve long-term profitability targets,
• Maintain reliable financial and managerial reporting,
• Comply with laws and regulations as well as policies, plans, internal rules and
procedures, and
• Decrease the risk of unexpected losses or damage to the company’s reputation.
 Recent cases at multinational companies (Enron, Parmalat, WorldCom) and at several
BUMN were a strong indication of weaknesses in those companies’ internal
control systems.
 The effectiveness of the internal control system is becoming a focus of regulators’
and stakeholders’ attention (local and global), and it is mandatory for a
company to establish and implement an adequate system.
INTERNAL CONTROL FRAMEWORKS
To evaluate the effectiveness of internal control, we need a framework that meets four criteria:
(a) objectivity; (b) measurability; (c) completeness; and (d) relevance.
A number of evaluative frameworks are available. Among the most prominent are:

A. COSO - Internal Control-Integrated Framework: Developed by the Committee of Sponsoring Organizations
of the Treadway Commission and sponsored by the AICPA, FEI, the IIA, and others, COSO is the dominant
framework in the U.S. The guidelines were first published in 1991, with anticipated revisions and updates
forthcoming. We believe this will be the framework chosen by the vast majority of U.S.-based public
companies.

B. COBIT: While COSO identifies five components of internal control that need to be in place and integrated
to achieve financial reporting and disclosure objectives, COBIT (Control Objectives for Information and
related Technology) provides similar detailed guidance for IT.

C. CoCo - The Control Model: Developed by the Criteria of Control Committee of the Canadian Institute of
Chartered Accountants, CoCo focuses on behavioral values rather than control structure and procedures as
the fundamental basis for internal control in a company.

D. Turnbull Report - Internal Control: Guidance for Directors on the Combined Code: Developed by the
Committee on Corporate Governance of the Institute of Chartered Accountants in England & Wales, in
conjunction with the London Stock Exchange, the guide was published in 1999. Turnbull requires
companies to identify, evaluate, and manage their significant risks and to assess the effectiveness of the
related internal control system.

E. ACC - Australian Criteria of Control: Issued in 1998 by the Institute of Internal Auditors – Australia, the ACC
emphasizes the competency of management and employees to develop and operate the internal control
framework. Self-committed control, which includes such attributes as attitudes, behaviors, and competency,
is promoted as the most cost-effective approach to internal control.

F. The King Report: The King Report, released by the King Committee on Corporate Governance in 1994,
promotes high standards of corporate governance in South Africa. The King Report goes beyond the usual
financial and regulatory aspects of corporate governance by addressing social, ethical, and environmental
concerns.
COSO
(Committee of Sponsoring Organizations)
 Sponsoring organizations – AICPA, AAA, FEI, IIA, IMA (mostly accountancy
and audit related organisations)
 History – several business failures in the 1980s prompted creation of the
Treadway Commission, first formed in 1985 to examine causes of
fraudulent financial reporting.
 Charged with creating a control model.
 Result: a report titled Internal Control – Integrated Framework, published in 1992.
 COSO’s goal is to improve the quality of financial reporting through a
focus on corporate governance, ethical practices, and internal control.
 The COSO model was considered to be best practice, but had no “teeth”.
 Renewed interest today because of recent accounting scandals and the
Sarbanes-Oxley Act of 2002 (SOA). The COSO model is still considered by
many to be the best internal control guidance available.
COSO INTERNAL CONTROL FRAMEWORK
 Internal control is defined (in COSO and US auditing standards – AU 319) as a
process, effected by an entity’s board of directors, management and other
personnel, designed to provide reasonable assurance regarding the achievement
of objectives in the following three objective categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
 Information is needed for all three objective categories: to effectively manage
business operations, prepare financial statements and determine compliance.
 COSO identifies five components of internal control that need to be in place and
integrated to ensure the achievement of each of the objectives. All five
components are applicable and important to achieving operations objectives.
 Internal control is relevant to an entire enterprise, or to any of its units or activities.
COSO DEFINITION OF INTERNAL CONTROL

Internal control is a process…designed to provide reasonable
assurance regarding the achievement of objectives in the
following categories:
 Effectiveness and efficiency of operations
 Reliability of financial reporting
 Compliance with applicable laws and regulations

COSO Components:
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring
PROVIDE ASSURANCE OF EFFECTIVENESS & EFFICIENCY IN ACHIEVING
CORPORATE OBJECTIVES:
• OPERATIONS
• FINANCIAL REPORTING
• COMPLIANCE
WHAT CHARACTERISES AN EFFECTIVE
SYSTEM OF INTERNAL CONTROL?

 All 5 components working together

 Control Environment
 Risk Assessment
 Control Activities
 Information & Communication
 Monitoring
 Everyone in the organization playing an active role

Internal Controls are Everyone’s Business!


WHO is RESPONSIBLE for Internal Control?

 The organization’s leadership is ultimately responsible.
 Everyone in an organization plays some role in
effecting control. All personnel should be responsible for
communicating problems in operations, deviations from
established standards, and violations of policy or law.
 Auditors contribute to the effectiveness of controls, but
they are not responsible for establishing or maintaining them.
WHO WILL BE AFFECTED AND HOW?
Supervisory Board (BoC):
• Enhanced oversight
• Strengthening supervision through the board’s committees
(Audit Committee, and other committees)
Management:
• Responsibility for financial reporting and keeping the
markets informed
• Certifications through the disclosure process and procedures
• Implementing a Code of Ethics
Employee:
• Effecting control across the organization
• Communicating problems in operations, deviations
from established standards, and violations of policy or law.
Auditor:
• Maintaining independence
• Assertion on internal controls
LIMITATIONS OF INTERNAL CONTROL
 Judgement - decisions are made by humans, often under
pressure and time constraints, based on information at hand.
 Breakdowns - Employees may not understand instructions or
may simply make mistakes. Errors may result from new
systems and processes.
 Management Override - high level personnel may be able to
override prescribed policies and procedures.
 Collusion - two or more individuals, working together, may be
able to circumvent controls.
 Cost vs. Benefit - The risk of failure and the potential effects
must be weighed against the cost of establishing controls.
Components of Internal Control on Various Regulatory Schemes
(each COSO component with its counterpart in Basel II, Kementerian BUMN and Bank Indonesia guidance)

 Control Environment
• Basel II: Management Oversight and the Control Culture
• Kementerian BUMN: A disciplined and structured internal control environment within the company
• Bank Indonesia: Management oversight and control culture

 Risk Assessment
• Basel II: Risk Recognition and Assessment
• Kementerian BUMN: Assessment and management of business risk
• Bank Indonesia: Risk identification and assessment

 Control Activities
• Basel II: Control Activities and Segregation of Duties
• Kementerian BUMN: Control activities and segregation of functions
• Bank Indonesia: Control activities

 Information & Communication
• Basel II: Information and Communication
• Kementerian BUMN: Information and communication system
• Bank Indonesia: Accounting, information and communication system

 Monitoring
• Basel II: Monitoring Activities and Correcting Deficiencies
• Kementerian BUMN: Monitoring
• Bank Indonesia: Monitoring activities and corrective action on deviations/weaknesses
INTERNAL CONTROL CAPABILITY MATURITY CONTINUUM:
Where Are We?
(for each capability level: capability description, capability attributes, implications)

Level 5 – Optimizing: CONTINUOUS IMPROVEMENT
Description: Continuously improving controls enterprisewide; “Chain of accountability” sustained.
Attributes:
• Best practices identified and shared
• World-class financial reporting process
• Organized efforts to remove inefficiency
• External and internal change monitored for impact on control structure
• Controls preventive and systems-based
Implications:
• Internal controls – integrated framework fully implemented
• Entity-level analytics and monitoring fully operational
• Faster decisions on improving controls

Level 4 – Managed: QUANTITATIVE
Description: Risk managed quantitatively enterprisewide; “Chain of accountability” is in place.
Attributes:
• Control process performance standards established and managed
• Rigorous estimation methodologies and analysis
• Risks are managed quantitatively and aggregated at corporate level
• Process-based solution
Implications:
• Controls effectiveness continuously assessed and validated
• Process owners report to management
• Internal audit plans aligned
• Entity-level analytics and monitoring emerging

Level 3 – Defined: QUALITATIVE/QUANTITATIVE
Description: Policies, processes and standards defined and institutionalized; controls documented and accountability emerging.
Attributes:
• Internal control uniform across the entity
• Transaction flows documented
• Risks of errors and omissions sourced
• Control processes for mitigating risks better documented and integrated
Implications:
• All groups accountable to use the organization’s control standards
• Remaining known gaps closed
• Control reports not very robust
• Assurance lacking that all deviations from control standards are detected

Level 2 – Repeatable: INTUITIVE
Description: Process established and repeating; reliance on people continues; controls documentation lacking.
Attributes:
• Common control framework
• Increased controls awareness
• Basic policies and control processes established
• Processes are repeating but not necessarily documented
Implications:
• Quality people assigned to support control activities
• Some control gaps identified and fixed
• Communication is lacking
• Limited monitoring activities

Level 1 – Initial: AD HOC/CHAOTIC
Description: Control is not a priority; unstable control environment leads to dependency on heroics.
Attributes:
• Reliance on individual initiative
• “Just do it”
• Ad hoc disclosure activities
• Policies not articulated
• Few processes are defined
• Institutional capability lacking
Implications:
• Key controls are not in place
• Controls are not periodically evaluated for deficiencies
• Success depends on manual efforts and validation by seasoned managers
• Gaps result when key people leave
MAJOR IMPLEMENTATION CHALLENGES
 CULTURE
• Different performance orientation (social harmony rather than shareholder
return)
• Limited individual accountability for results
• Absence of open friction/challenge in internal interactions (focus on
preserving harmony)
 DECISION MAKING
• Lack of clarity around accountability and authority levels
• Complex, slow and bureaucratic decision making
• Insufficiently supported by facts, due to lack of data transparency
 ORGANIZATION
• Functional silos (not enough cross-functionality of corporate perspective)
• Multilayered structure, impeding empowerment
• Antiquated, unproductive administrative support (HRD, IT, etc.)
Internal Control vs ERM - 1
 “Enterprise Risk Management” is a process for identifying, analyzing and
managing risk across the entire enterprise.
 ERM defines risk and risk management and provides key principles and
concepts, a common language and other elements of a comprehensive
risk management framework.
 ERM provides criteria for companies’ use in determining whether their risk
management is effective, and if not, what is needed to make it so.

 “ERM is much broader than the Internal Control – Integrated Framework.
 ERM expands on internal control and provides a more robust and
extensive focus on the broader subject of enterprise risk
management.
 ERM does NOT replace the internal control framework; rather, it
incorporates elements of the internal control framework within it.
 The Internal Control – Integrated Framework remains in place as the
definition of and framework for internal control.
Internal Control vs ERM - 2

 Expands and elaborates on elements of internal control as set out in
COSO’s control framework.”

 Includes objective setting as a separate component. Objectives are
a “prerequisite” for internal control.

 Expands the control framework’s “Financial Reporting” and “Risk
Assessment.”
ERM framework broader than IC framework
Enterprise Risk Management (ERM) is defined as a process, effected by an
entity’s board of directors, management and other personnel, applied in
strategy setting and across the enterprise, designed to identify potential
events that may affect the entity, and manage risks to be within its risk
appetite, to provide reasonable assurance regarding the achievement of
entity objectives.

The ERM Framework is geared to achieving an entity’s objectives, set forth
in 4 categories:
Strategic – related to the high-level goals and mission of the entity
Operations – related to efficiency, performance and profitability
Reporting – related to internal and external reporting
Compliance – related to compliance with laws and regulations

The ERM Framework has eight components. The cube depicts the
interrelationship of the 8 components with the entity’s objectives and with
the entity’s units.

The COSO ERM framework defines essential components, suggests a common
language, and provides clear direction and guidance for enterprise risk
management.
ERM expands on internal control and provides a more robust and
extensive focus on the broader subject of enterprise risk management.
AS/NZS:ISO-31000 vs COSO

(Figure: the ISO 31000 risk management process steps placed alongside the COSO ERM components)

ISO 31000:
• Establishing the context
• Risk identification
• Risk analysis
• Risk evaluation
• Risk treatment
• Communication and consultation (shown alongside the steps)
• Monitoring (shown alongside the steps)

COSO ERM:
• Control environment
• Objective setting
• Event identification
• Risk identification
• Risk measurement
• Response and mitigation
• Determining controls
• Control activities
• Information and communication
• Monitoring

ISO 31000 is gaining popularity because it offers more practical guidance,
while COSO appears to be only starting to complete its guidance.
