Course: F0204 / Accounting Systems
Year: 2007
Internal Control
Session 07 - 08
Why do we need controls?
• (1) to provide reasonable assurance that the
goals of each business process are being
achieved
• (2) to mitigate the risk that the enterprise will
be exposed to some type of harm, danger, or
loss (including loss caused by fraud or other
intentional and unintentional acts)
• (3) to provide reasonable assurance that the
company is in compliance with applicable
legal and regulatory obligations.
Bina Nusantara
Common Business Exposures
1. Erroneous recordkeeping
2. Unacceptable accounting
3. Business interruption
4. Erroneous management decisions
5. Fraud and embezzlement
6. Statutory sanctions
7. Excessive costs
8. Loss or destruction of resources
9. Competitive disadvantage
Recent Internal Control Legislation
• Sarbanes-Oxley Act (SOA) of 2002
– Created public company accounting oversight
board
– Increased accountability for company officers
and board of directors
– Increased white collar crime penalties
– Prohibits audit firms from providing design
and implementation of financial information
systems
Sarbanes-Oxley Act of 2002 (SOA)
• Section 302—CEOs and CFOs must
certify quarterly and annual financial
statements
• Section 404—Mandates the annual report
filed with the SEC include an internal
control report
Outline of
SOA 2002
Fraud and its Relationship to Control
• Fraud: deliberate act or untruth intended
to obtain unfair or unlawful gain.
– Management charged with responsibility to prevent and/or
disclose fraud
– Control systems enable management to do this job
– Management responsible to provide internal control system
per the Foreign Corrupt Practices Act of 1977
– Section 1102 of the Sarbanes-Oxley Act specifically
addresses corporate fraud
– Instances of fraud undermine management’s ability to
convince various authorities that it is upholding its
stewardship responsibility
SAS 99
• The accounting profession too has been proactive in
dealing with corporate fraud, as it has launched an
anti-fraud program.
• One of the manifestations of this initiative is
Statement on Auditing Standards (SAS) Number 99,
entitled Consideration of Fraud in a Financial
Statement Audit.
– SAS 99 has the same title as its predecessor, SAS 82, but
the new standard is much more encompassing than the old.
– For instance, SAS 99 emphasizes brainstorming fraud risks,
increasing professional skepticism, using unpredictable audit
test patterns, and detecting management override of internal
controls.
E&Y Fraud Survey
• About 85% of fraud committed by company insiders
• About 55% of perpetrators were management employees
• More fraud in less-developed countries
• Only about 20% of fraud comes to the public knowledge
• About 40% of frauds are known to the public, 20% are kept
confidential, and the other 40% are not yet discovered
• Best prevention is internal control, management reviews,
and internal audits
• The #1 fraud worry to executives is asset misappropriation
• The #2 fraud worry to executives is computer crime
• Most organizations now have formal fraud prevention
policies including codes of corporate governance and
employee conduct
• Most useful fraud prevention techniques are internal
controls, management reviews, and internal audits
Definition of Internal Control
• From SAS 78 (1995) - adopted COSO definition:
– INTERNAL CONTROL is a process, effected by an entity’s board of
directors, management, and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in the
following categories:
• Effectiveness & efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws & regulations.
Five Interrelated Components of
Internal Control
1. Control environment - tone at the top
2. Risk assessment - identification/analysis of risks
3. Control activities - policies and procedures
4. Information & communication - processing of
info in a form and time frame to enable people to
do their jobs
5. Monitoring - process that assesses quality of
internal control over time
COSO Report, SOA, and SAS 94
• In the section addressing implementation of Sarbanes-Oxley
Act Section 404, the SEC used the COSO description
of internal control.
– It went on to say that management must base its evaluation of the
effectiveness of its internal control system on a framework such as
COSO
– COSO report stresses internal control is a process
• A complementary perspective on internal control is found in
Statement on Auditing Standards (SAS) 94, entitled “The
Effect of Information Technology on the Auditor’s
Consideration of Internal Control in a Financial Statement
Audit.”
– This standard guides auditors in understanding the impact of IT on
internal control and assessing IT-related control risks
– Further, SAS 94 highlights how IT can be used to strengthen internal
control, while at the same time emphasizing how IT can actually
weaken some controls
Gelinas, Sutton & Hunton’s Working Definition
of IC: Key Points
• A system of internal control is not an end in itself. Rather, it is a means to
an end—the end of attaining process objectives
• Internal control itself is a system. Therefore, like any system it must
– (1) have clearly defined goals and
– (2) consist of interrelated components that act in concert to achieve those
goals.
– We can also say that internal control is a process
• Establishing a viable internal control system is management’s
responsibility.
• The strength of any internal control system is largely a function of the
people who operate it.
• Internal control cannot be expected to provide absolute, 100% assurance
that the organization will reach its objectives. Rather, the operative phrase
is that it should provide reasonable assurance
• Internal control is not free; controls should be built in and cost effective
Gelinas, Sutton & Hunton’s Working
Definition of IC
• …a system of integrated elements - people,
structure, processes, and procedures - acting in
concert to provide reasonable assurance that an
organization achieves business process goals.
The design and operation of the internal control
system is the responsibility of top management
and therefore should:
(Text definition of IC cont.)
• Reflect management’s careful
assessment of risks.
• Be based on management’s evaluation
of costs versus benefits.
• Be built on management’s strong sense
of business ethics and personal
integrity.
General Control Model: Figure 7.1
Ethics and Controls
• COSO report stresses ethics as part of control
environment (tone at the top)
• AICPA has built ethics issues into CPA exam
• The Institute of Management Accountants has a code of
ethics which is also tested on both the CMA and CFM
exams
• Internal Auditing has ethics articles
• Many corporations have developed Codes of Conduct
Causeway Company Systems Flowchart
Business Process Control Goals
• Control Goals - ends to be obtained
– Control goals of operations processes
– Control goals of information processes
– See Table 7.1 Control Goals (page 244)
Control Goals of the Operations
Process
• Ensure effectiveness of operations
• Ensure efficient employment of
resources
• Ensure security of resources
Control Goals of Operations Process
• Ensure effectiveness of operations
– A measure of success in meeting one or more operations process goals
which reflect the criteria used to judge the effectiveness of various business
processes
– Ex. Deposit cash receipts on the day received
• Ensure efficient employment of resources
– A measure of the productivity of the resources applied to achieve a set of
goals
– Ex. What is the cost of people, computers, and other resources to deposit
cash on the day received
• Ensure security of resources
– Protecting an organization’s resources from loss, destruction, disclosure,
copying, sale, or other misuse
– Ex. Are cash and information resources available when required?
– Are they put to authorized use?
Control Goals of the Information Process
• For business event inputs, ensure
– Input validity
– Input completeness
– Input accuracy
• For master data, ensure
– update completeness
– update accuracy
Control Goals of Information Process
• Input validity
– Input data are approved and represent actual economic events and objects
– Ex. Are all cash receipts input into the process and supported by customer
payments?
• Input completeness
– Requires that all valid events or objects be captured and entered into the
system
– Ex. Are all valid customer payments captured on a customer remittance advice
(RA) and entered into the process?
• Input accuracy (correct data entered correctly)
– Requires that events be correctly captured and entered into the system
– Ex. Is the correct payment amount and customer number on the RA?
– Ex. Is the correct payment amount and customer number keyed into the
system?
Control Goals of Information Process
• Update completeness
– Requires that all events entered into the computer be reflected in their
respective master data
– Ex. Are all input cash receipts recorded in the AR master data?
• Update accuracy
– Requires that data entered into a computer are reflected correctly in
their respective master data
– Ex. Are all input cash receipts correctly recorded in the AR master
data?
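Added example (not part of the original slides): a reconciliation that tests the five information process control goals against the cash receipts questions above. The data sets, field names and the function name are hypothetical and constructed for illustration; RA numbers are assumed to be unique.

```python
# Constructed sample data. Amounts are in cents to avoid rounding issues.
# Source documents: remittance advices (RAs) received with customer payments.
REMITTANCE_ADVICES = {
    "RA-001": {"customer": "C100", "amount": 25000},
    "RA-002": {"customer": "C200", "amount": 7550},
    "RA-003": {"customer": "C300", "amount": 12000},   # never keyed in
}
# Cash receipts as keyed into the system.
KEYED_INPUTS = [
    {"ra": "RA-001", "customer": "C100", "amount": 25000},
    {"ra": "RA-002", "customer": "C200", "amount": 5750},   # digits transposed
    {"ra": "RA-999", "customer": "C400", "amount": 50000},  # no supporting RA
]
# Postings that reached the AR master data.
AR_POSTINGS = [
    {"ra": "RA-001", "customer": "C100", "amount": 25000},
    {"ra": "RA-999", "customer": "C400", "amount": 5000},   # posted incorrectly
]

def _same(a, b):
    """True when customer number and amount agree between two records."""
    return (a["customer"], a["amount"]) == (b["customer"], b["amount"])

def check_control_goals(ras, inputs, postings):
    """Return (violated control goal, RA number) pairs, in the order found."""
    findings = []
    keyed = {rec["ra"]: rec for rec in inputs}
    posted = {rec["ra"]: rec for rec in postings}
    for ra_id, rec in keyed.items():
        src = ras.get(ra_id)
        if src is None:                  # input not backed by an actual event
            findings.append(("input validity", ra_id))
        elif not _same(src, rec):        # event captured, but keyed incorrectly
            findings.append(("input accuracy", ra_id))
    for ra_id in ras:
        if ra_id not in keyed:           # valid event never entered
            findings.append(("input completeness", ra_id))
    for ra_id, rec in keyed.items():
        post = posted.get(ra_id)
        if post is None:                 # input never reached master data
            findings.append(("update completeness", ra_id))
        elif not _same(post, rec):       # master data differs from the input
            findings.append(("update accuracy", ra_id))
    return findings

if __name__ == "__main__":
    for goal, ra_id in check_control_goals(REMITTANCE_ADVICES, KEYED_INPUTS, AR_POSTINGS):
        print(f"{ra_id}: {goal} exception")
```

Run periodically, a check like this acts as a detective control: it reports exceptions after the fact and does not stop the bad input from being keyed.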
Business Process Control Plans
• Business Process Control Plans - reflect information
processing policies and procedures that assist in
accomplishing control goals
– The Control Environment: the fact that the control environment
appears at the top of the hierarchy illustrates that the control
environment comprises a multitude of factors that can either reinforce
or mitigate the effectiveness of the pervasive and application control
plans.
– Pervasive control plans also relate to a multitude of goals and
processes
• Like the control environment, they provide a climate or set of
surrounding conditions in which the various business processes
operate.
• They are broad in scope and apply equally to all business
processes, hence they pervade all systems.
– Business process control plans relate to those controls particular to
a specific process or subsystem, such as billing or cash receipts, or to
a particular technology used to process the data.
Other Classifications of Control Plans
• Preventive Controls: Issue is prevented from occurring –
cash receipts are immediately deposited to avoid loss
• Detective Controls: Issue is discovered – unauthorized
disbursement is discovered during reconciliation
• Corrective Controls: Issue is corrected – erroneous data
is entered in the system and reported on an error and
summary report; a clerk re-enters the data