3 The Cowboy after OSHA (Occupational & Safety Health Act)
4 The COSO Internal Control Integrated Framework
After several significant audit failures occurred during the 1980s, the Committee of Sponsoring Organizations (COSO) formed to redefine internal control and the criteria for determining the effectiveness of an internal control system. In 1985, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed to sponsor the National Commission on Fraudulent Financial Reporting, whose charge was to study and report on the factors that can lead to fraudulent financial reporting. A significant part of this mission is aimed at developing guidance on internal control.
5 Defining Risk
To satisfy stakeholders, be successful and gain competitive advantage, organizations need to recognize that the achievement of their business objectives is inextricably linked to risk. Risk is anything - internal or external - that may impede an organization from achieving its objectives. Although the common view of risk is a negative event, risk also encompasses uncertainty and opportunity. So the challenge to management becomes to effectively manage risk by minimizing the negative and maximizing the opportunity to achieve, or exceed, the business objectives.
6 In 1992, COSO published Internal Control - Integrated Framework, which established a framework for internal control and provided evaluation tools that businesses could use to evaluate their control systems. The 1992 COSO document, Internal Control - Integrated Framework, changed the way internal control is viewed. The COSO Framework considers not only the evaluation of hard controls, like segregation of duties, but also soft controls, such as the competence and professionalism of employees.
8 SAS 78, 1995
Adopts the definition of internal control from the COSO (Committee of Sponsoring Organization) report.
Internal control is a process, carried out by the board of commissioners, management, and other personnel of an entity, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Reliability of financial reporting
- Compliance with applicable laws and regulations
- Effectiveness and efficiency of operations
9 Components of Internal Control
COSO says internal control consists of five interrelated components that are derived from the way management runs a business and are integrated into the management process:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
10 Control environment. The tone of the organization influences the control consciousness of its people. Examples include the integrity, ethical values and competence of employees; management’s philosophy; and input provided by the board of directors.
Risk assessment. Identification and analysis of risks relevant to achieving corporate goals, determination of how such risks should be managed and implementation of a process to address risks associated with change.
11 Control activities. Policies, procedures and processes that help ensure a company carries out management directives. Examples include approvals, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Information and communication. Communication within the company and with external parties such as customers, regulators and shareholders. For example, reports that contain operational, compliance or financial data or that share ideas or events across lines of business are generated from a company’s information systems.
Monitoring. Assessing the quality of a company’s internal control systems. This is done through ongoing monitoring of activities within the business unit and an independent evaluation of existing controls by auditors.
13 Scoping – The COSO Framework
Monitoring
- Assessment of a control system’s performance over time
- Combination of ongoing and separate evaluation
- Management and supervisory activities
- Internal audit activities
Control Activities
- Policies/procedures that ensure management directives are carried out
- Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties
Information & Communication
- Pertinent information identified, captured and communicated in a timely manner
- Access to internally and externally generated information
- Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action
Risk Assessment
- Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives – forming the basis for determining control activities
Control Environment
- Sets tone of organization, influencing control consciousness of its people
- Factors include integrity, ethical values, competence, authority, responsibility, organization structure, HR policies and IT control environment
- Foundation for all other components of control
14 Risk Assessment Process
Each step is listed with its goal, key questions and examples.
Step 1
- Goal: Set objectives
- Key questions: What are we trying to achieve?
- Examples: Produce reliable financial statements
Step 2
- Goal: Identify risks to achieving those objectives
- Key questions: What could happen that would affect our objectives?
- Examples: A natural disaster could destroy computer systems and data
Step 3
- Goal: Assess risk
- Key questions: What are the consequences of risk? What is the likelihood the event will occur?
- Examples: Consequences are severe; likelihood is slight
Step 4
- Goal: Manage risk
- Key questions: In light of the assessment, what is the most cost-effective way to manage the risk?
- Examples: Insure against loss. Develop business recovery plan. Self-insure
Step 5
- Goal: Define control objective
- Key questions: For risks to be managed through internal control, what are the control objectives?
- Examples: Implement recovery plan that reduces the impact of a natural disaster.
Step 6
- Goal: Design control
- Key questions: How should the control be designed to prevent or detect identified risk?
- Examples: Design recovery plan. Implement plan. Test on a regular basis.
CONTROL ACTIVITIES
15 Anti-Fraud Provisions
The SEC’s rules relating to management’s reports on internal control include commentary on the background of the rules and insight on how the rules should be interpreted and implemented, including:
- The assessment of a company’s internal control over financial reporting must be based on procedures sufficient both to evaluate its design and to test its operating effectiveness. Controls subject to such assessment include, but are not limited to: …controls related to the prevention and detection of fraud.
In addition to the SEC guidance, the PCAOB, in its Auditing Standards #2, has stated the following:
- That management's responsibility when designing a company's internal control over financial reporting is to design and implement programs and controls to prevent, deter, and detect fraud.
- Management, along with those who have responsibility for oversight of the financial reporting process (such as the audit committee), should set the proper tone; create and maintain a culture of honesty and high ethical standards; and establish appropriate controls to prevent, deter, and detect fraud.
17 Obtaining an Understanding of Internal Control
Audit methodology for meeting the second standard of field work:
- Sufficient understanding of the components of internal control to plan the audit
- Assessment of control risk for each significant assertion in the account balances or transaction classes and the disclosure components of the financial statements
- Design of substantive tests for each significant assertion of the financial statement elements
18 Documenting the Understanding
- Questionnaires: A series of yes/no questions about the internal controls needed to prevent material misstatement
- Flowcharts: Systematic diagrams using standard symbols, connecting lines and explanations
- Decision tables: Matrices used to document the logic of computer programs
- Memoranda: The auditor's written comments on internal control