Internal Control System

Problems in Auditing

[Figures: "The Cowboy" and "The Cowboy after OSHA (Occupational & Safety Health Act)"]

The COSO Internal Control Integrated Framework

After several significant audit failures occurred during the 1980s, the Committee of Sponsoring Organizations (COSO) formed to redefine internal control and the criteria for determining the effectiveness of an internal control system.

In 1985, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed to sponsor the National Commission on Fraudulent Financial Reporting, whose charge was to study and report on the factors that can lead to fraudulent financial reporting. A significant part of this mission is aimed at developing guidance on internal control.

Defining Risk

To satisfy stakeholders, be successful and gain competitive advantage, organizations need to recognize that the achievement of their business objectives is inextricably linked to risk. Risk is anything, internal or external, that may impede an organization from achieving its objectives. Although the common view of risk is a negative event, risk also encompasses uncertainty and opportunity. So the challenge to management becomes to effectively manage risk by minimizing the negative and maximizing the opportunity to achieve, or exceed, the business objectives.

In 1992, COSO published Internal Control - Integrated Framework, which established a framework for internal control and provided evaluation tools that businesses could use to evaluate their control systems. The 1992 COSO document, Internal Control - Integrated Framework, changed the way internal control is viewed. The COSO Framework considers not only the evaluation of hard controls, like segregation of duties, but also soft controls, such as the competence and professionalism of employees.

The 4 safeguards

1. Values
2. Quality of internal control
3. Role of the internal auditor
4. Role of the external auditor

SAS 78, 1995

Adopts the definition of internal control from the report of COSO (Committee of Sponsoring Organization).

Internal control is a process, carried out by the board of commissioners, management and other personnel of an entity, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

- Reliability of financial reporting
- Compliance with applicable laws and regulations
- Effectiveness and efficiency of operations

Components of Internal Control

COSO says internal control consists of five interrelated components that are derived from the way management runs a business and are integrated into the management process:

- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

Control environment. The tone of the organization influences the control consciousness of its people. Examples include the integrity, ethical values and competence of employees; management's philosophy; and input provided by the board of directors.

Risk assessment. Identification and analysis of risks relevant to achieving corporate goals, determination of how such risks should be managed and implementation of a process to address risks associated with change.

Control activities. Policies, procedures and processes that help ensure a company carries out management directives. Examples include approvals, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and communication. Communication within the company and with external parties such as customers, regulators and shareholders. For example, reports that contain operational, compliance or financial data or that share ideas or events across lines of business are generated from a company's information systems.

Monitoring. Assessing the quality of a company's internal control systems.
This is done through ongoing monitoring of activities within the business unit and an independent evaluation of existing controls by auditors.

[Diagram: Inherent Risk, Control Risk, Detection Risk, Audit Risk]

Scoping – The COSO Framework

Monitoring
- Assessment of a control system's performance over time
- Combination of ongoing and separate evaluation
- Management and supervisory activities
- Internal audit activities

Control Activities
- Policies/procedures that ensure management directives are carried out
- Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties

Information & Communication
- Pertinent information identified, captured and communicated in a timely manner
- Access to internally and externally generated information
- Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action

Risk Assessment
- Risk assessment is the identification and analysis of relevant risks to achieving the entity's objectives – forming the basis for determining control activities

Control Environment
- Sets tone of organization, influencing control consciousness of its people
- Factors include integrity, ethical values, competence, authority, responsibility, organization structure, HR policies and IT control environment
- Foundation for all other components of control

Risk Assessment Process

Step 1
- Goal: Set objectives
- Key question: What are we trying to achieve?
- Example: Produce reliable financial statements

Step 2
- Goal: Identify risks to achieving those objectives
- Key question: What could happen that would affect our objectives?
- Example: A natural disaster could destroy computer systems and data

Step 3
- Goal: Assess risk
- Key questions: What are the consequences of risk? What is the likelihood the event will occur?
- Example: Consequences are severe; likelihood is slight

Step 4
- Goal: Manage risk
- Key question: In light of the assessment, what is the most cost-effective way to manage the risk?
- Examples: Insure against loss. Develop business recovery plan. Self-insure.

CONTROL ACTIVITIES

Step 5
- Goal: Define control objective
- Key question: For risks to be managed through internal control, what are the control objectives?
- Example: Implement recovery plan that reduces the impact of a natural disaster.

Step 6
- Goal: Design control
- Key question: How should the control be designed to prevent or detect identified risk?
- Examples: Design recovery plan. Implement plan. Test on a regular basis.

Anti-Fraud Provisions

The SEC's rules relating to management's reports on internal control include commentary on the background of the rules and insight on how the rules should be interpreted and implemented, including:

- The assessment of a company's internal control over financial reporting must be based on procedures sufficient both to evaluate its design and to test its operating effectiveness. Controls subject to such assessment include, but are not limited to: …controls related to the prevention and detection of fraud.

In addition to the SEC guidance, the PCAOB, in its Auditing Standard #2, has stated the following:

- Management's responsibility when designing a company's internal control over financial reporting is to design and implement programs and controls to prevent, deter, and detect fraud.
- Management, along with those who have responsibility for oversight of the financial reporting process (such as the audit committee), should set the proper tone; create and maintain a culture of honesty and high ethical standards; and establish appropriate controls to prevent, deter, and detect fraud.

Obtaining an Understanding of Internal Control

Audit methodology for meeting the second standard of field work:

- A sufficient understanding of the components of internal control to plan the audit
- Assessment of control risk for each significant assertion in the account balances or classes of transactions and the disclosure components of the financial statements
- Design of substantive tests for each significant assertion of the financial statement elements

Documenting the Understanding

- Questionnaires: a series of yes/no questions about the internal controls needed to prevent material misstatement
- Flowcharts: systematic diagrams using standard symbols, connecting lines and explanations
- Decision tables: matrices used to document the logic of computer programs
- Memoranda: the auditor's written comments on internal control