
INTERNAL AUDIT

(MODULE FOR MEETING 7)


Dr. Rita Yuniarti, S.E., M.M., Ak., CA
MAPPING

DEFINITION OF INTERNAL CONTROL
THE COMPONENTS OF INTERNAL CONTROL
INTERNAL CONTROL ROLES AND RESPONSIBILITIES
LIMITATIONS OF INTERNAL CONTROL
VIEWING INTERNAL CONTROL FROM DIFFERENT PERSPECTIVES
TYPES OF CONTROLS
EVALUATING THE SYSTEM OF INTERNAL CONTROLS

DEFINITION OF INTERNAL CONTROL
 Internal Control (COSO) : a process,
effected by an entity’s BOD, management,
and other personnel, designed to provide
reasonable assurance regarding the
achievement of objectives in the following
categories:
a. Effectiveness and efficiency of operations
b. Reliability of financial reporting
c. Compliance with applicable laws and
regulations
THE COMPONENTS OF INTERNAL CONTROL
1. Control Environment
“the integrity, ethical values, and
competence of entity’s people:
a. management’s philosophy and
operating style;
b. the way management assigns authority
and responsibility;
c. organizes and develops its people;
d. and the attention and direction provided
by the BOD.”
2. Risk Assessment
“is the identification and analysis of
relevant risks to achievement of the
objectives, forming a basis for
determining how the risks should be
managed.”
3. Control Activities
“are the actions taken by management,
the board, and other parties to mitigate the
likelihood that established objectives and
goals will be achieved.”

Critical concept: Segregation of duties
is the concept of dividing, or segregating,
control activities related to the
authorization of transactions (division of
duties among authorization, recording, and
custody).
Internal control activities include:
a. Performance reviews and follow-up
activities;
b. Authorizations (approvals);
c. IT access control activities;
d. Documentation (rigorous and
comprehensive);
e. Physical access control activities;
f. IT application (input, processing, output)
control activities;
g. Independent verifications and
reconciliations.
4. Information and Communication
“Relevant, accurate, and timely
information must be available to
individuals at all levels of an organization
who need such information to run the
business effectively.”

“Communication must take place in a
broader sense, dealing with expectations,
responsibilities of individuals and groups,
and other important matters.”
5. Monitoring
“a process that assesses the quality of
the system’s performance over time.
This is accomplished through
ongoing/separate monitoring or
a combination of the two.”
INTERNAL CONTROL ROLES AND RESPONSIBILITIES
1. Management
The CEO has primary responsibility for
setting the “tone at the top” and
establishing a positive control
environment.

Tone at the top: the entity-wide attitude
of integrity and control consciousness, as
exhibited by the most senior executives of
an organization.
2. BOD
The BOD has ultimate responsibility for
ensuring management has established
an effective system of internal control.
3. Internal Auditors
Internal auditors play a significant role
in verifying that management has met
its responsibility.

Initially management performs the
primary assessment of the system of
internal control, and then the internal
audit function independently validates
management’s assertions.
4. Other Personnel
All personnel should be responsible for
communicating upward problems in
operations, noncompliance with the
code of conduct, or other policy
violations or illegal actions.
LIMITATIONS OF INTERNAL CONTROL
Limitations inherent to internal control:
a. Human judgement in decision-making can
be faulty;
b. Breakdowns can occur because of such
human failures as simple error or mistake;
c. Controls can be circumvented by the
collusion of two or more people;
d. Management has the ability to override
the internal control system;
e. Controls must be considered in terms of
their costs compared to their benefit.
Inherent Risk : the combination of internal
and external risk factors in their pure,
uncontrolled state or the gross risk that
exists assuming there are no internal
controls in place.
Controllable Risk : the portion of inherent
risk that management can reduce through
day-to-day operations and management
activities.
Residual Risk : the portion of inherent risk
that remains after management executes
its risk response (net risk).
| Consequences of Accepting Excessive Risk | Consequences of Implementing Excessive Internal Control |
| --- | --- |
| Potential for fraud to occur | Increased bureaucracy |
| Potential noncompliance with laws and regulations | Excess cost |
| Poor or ineffective business decision-making | Unnecessary complexity of controls |
| Potential loss of assets | Increased cycle time |

VIEWING INTERNAL CONTROL FROM DIFFERENT PERSPECTIVES
1. Management
Internal control includes a number of
activities designed to mitigate risks or
enable opportunities that affect the
achievement of an organization’s
objectives
2. Internal Auditors
are charged with independently
verifying that the organization’s controls
are designed adequately and operating
effectively as management intends.
3. Independent Outside Auditors
are focused on internal control relative
to how it affects the organization’s
financial reporting.
4. Other External Parties
have an interest in an organization’s
internal control; because their interests
vary, so too will their perspectives of
internal control.
TYPES OF CONTROLS
1. Entity-Level, Process-Level, and Transaction-Level
Controls
Entity-Level Controls include:
a. Controls related to the control environment;
b. Controls over management override;
c. The company’s risk assessment process;
d. Centralized processing and controls; including shared
service environments;
e. Controls to monitor results of operations;
f. Controls to monitor other controls (activities of internal
audit function, audit committee, and self assessment
programs);
g. Controls over the period-end financial reporting process;
h. Policies that address significant business control and risk
management practices.
Process-Level Controls include:
a. Reconciliations of key accounts;
b. Physical verifications of assets;
c. Process employee supervision and
performance evaluations;
d. Process-level risk assessments;
e. Monitoring/oversight of specific
transactions.
Transaction-Level Controls include:
a. Authorizations;
b. Documentation;
c. Segregation of duties;
d. IT application control (input, processing,
output).
2. Key Controls and Secondary Controls
Key Control (Primary Control) is designed to reduce key
risks associated with business objectives.

Secondary Control is designed to either (1) mitigate risks
that are not key to business objectives; (2) partially reduce
the level of risk when a key control does not operate
effectively.
3. Compensating Controls
are designed to supplement key controls that are either
ineffective or cannot fully mitigate a risk or group of risks by
themselves to an acceptable level within the risk appetite
established by management and the board.
4. Complementary Controls
is a necessary control that is not sufficient by itself to fully
mitigate the risk. When combined with one or more other
controls, a complementary control does help reduce the
underlying risk to an acceptable level. Ex: segregation of
duties.
5. Preventive, Detective, Corrective, and Directive Controls
Preventive Control is designed to deter unintended events from
occurring in the first place.

Detective Control is designed to discover undesirable events
that have already occurred.

Corrective Control is one in which detected omissions and
errors are corrected.

Directive Control gives explicit direction regarding what actions
need to take place to cause or encourage a desirable event to
occur.
6. Information System Control
Have 2 types that can be used to mitigate risk
a. General Computing Controls
“apply to many if not all application systems and help
ensure their continued, proper operation”
b. Application Controls
“include computerized steps within the application
software and related manual procedures to control the
processing of various types of transactions”

These 2 types work together “to ensure completeness,
accuracy, and validity of the financial and other information
in the system.”
7. Simultaneous Categorization of Controls
specific controls can fit into several categories at the same
time.
Ex: a control can be an entity-level control at the same time
that it is a key control.
EVALUATING THE SYSTEM OF INTERNAL CONTROLS
In evaluating the control process, the CAE
considers:
a. Significant discrepancies or weaknesses
were discovered;
b. Corrections or improvements were made
after the discoveries;
c. The discoveries and their potential
consequences lead to a conclusion that a
pervasive condition exists resulting in an
unacceptable level of risk.
