Standar Pekerjaan Lapangan: Pemahaman Memadai atas Pengendalian Intern Pertemuan 5 Learning Objectives 1. 2. 3. 4. 5. 6. Management’s need for internal control vs. the Auditor’s need to consider internal control in designing an audit How IT affects internal control Explain the five components of internal control Explain methods used to obtain an understanding of internal control Assess control risk Describe the process of designing and performing tests of controls Client and Auditor Concern about Internal Control System Internal Control consists of policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals 3 key concepts underlie the study of IC and assessment control risk 1. Management Responsibility 2. Reasonable Assurance 3. Inherent Limitations Client Concerns about Internal Control (COSO Report) 3 (three) concerns of management in designing an effective control system 1. 2. 3. Reliability of Financial Reporting Efficiency and Effectiveness of Operation Compliance with Applicable Laws and Regulation Auditor Concerns about Internal Control 1. Controls related to the Reliability of Financial Reporting 2. Control over Classes of Transactions Effect of IT on Internal Control Advantages Able to process large volume of transactions Processes transactions with highly accuracy No human judgment. Disadvantages Program error - GIGO Unauthorized persons accessing the system (data and program) System (data or program) corruption because of virus. Components of Internal Control 5 Categories of Controls (=PSA69 – SA Seksi 319 = COSO) The control environment Risk assessment Control activities Information and Communication Monitoring Control Environment Integrity and ethical Value Commitment to Competence Board of Directors or Audit Committee Management’s Philosophy and Operating Style Organization Structure Assignment of Authority and Responsibility Human Resource a Policies and Practices Risk Assessment All entities regardless of size, structure, nature, or industry, face a variety of risks from external and internal sources that must be managed, as they are constantly change The important first step is to identify factors that may increase risks. Mgt assesses risks as a part of designing and operating internal control to minimize errors and fraud Risk Assessment Risk occur because of : Changes in Operating Environment New Personnel New or Repaired Information System New Technology New Product Lines, Products, or Activities Corporate Restructuring Foreign Operation New Accounting standard Control Activities (1) Control Activities (SAS 94 and COSO Report) – generally relate to policies and procedures; 1. Segregation of Duties 2. Information Processing 3. Physical Control 4. Performance Review Control Activities (2) 5 Specific Control Activities related to policies and procedures; 1. Adequate separation of Duties 2. Proper authorization of transactions and activities 3. Adequate documents and records 4. Physical Control over assets and records 5. Independent check on performance Information and Communication Information system relevant with the objective of Financial Reporting consisted of the methods and records established to record, process, summarize, and report the transactions of the entity, and also to maintain the accountability of assets, liabilities and equities of the entity Communication consists of providing understanding about individual’s roles and responsibilities related to internal control on financial reporting Information and Communication (2) Auditor should get reasonable understanding about: Group of transactions significant in the financial statements How does a transaction begin ? Accounting record, supporting information, and certain accounts in the financial statements Accounting process from transaction till financial reports. Monitoring Management is responsible to establish and maintain internal control. For that management should monitor to consider whether the IC works properly and what needed to be justified (updated) as the environment changes Adequate Documents and Records Relevant principles dictate the proper design and use of documents and Records 1. Pre-numbered 2. Prepare at the time a transaction takes place 3. Sufficiently simple 4. Designed for multiple use 5. Constructed in a manner that encourage correct preparation Procedures to Obtain an Understanding of Internal Control Reasons: 1. 2. 3. 4. Auditability Potential Material misstatement Detection Risk Design of tests Procedures to Determine Design and Placement in Operation (see p.284) Documentation of the Understanding (see p. 285) Assess Control Risk Four specific assessments must be made: Assess whether the Financial Statements are auditable Determine assessed control risks supported by understanding obtained Assess whether it likely that a lower assessed control risk could be supported Determine the appropriate assessed control risk Assess Control Risk (2) Identify Transaction-Related Audit Objectives Identify Specific Controls Identify and evaluate Weaknesses (see Figure 10 – 4 on p. 290) The Control Risk Matrix (see Figure 10 – 5 on p. 291) Assess Control Risk Communicate Reportable Conditions and Related Matters Test of Control Procedures for Test of Controls Make inquires of appropriate client personnel Examine documents, records, and reports Observe Control-Related activities Reperform Client Procedures