INTERNAL CONTROL SYSTEM

ADHI ALFIAN
UNIVERSITAS PADJADJARAN

Bandung, 2017
THREATS, ERROR, FRAUD
• THREATS ??
• ERROR ??
• FRAUD ??
THREATS

• Unintentional/Error:
1. Accidents caused by human carelessness.
2. Innocent errors of omissions.
3. Lost or misplaced data.
• Intentional/Fraud:
1. Sabotage.
2. Computer fraud.
3. Embezzlement.
THE INCREASE IN IS THREATS

IS threats have increased because of:

• The number of system users.
• The network framework and communication methods.
• Electronic links with suppliers, customers, etc.
FRAUD TRIANGLE

The fraud triangle has three elements: pressure, opportunity, and rationalization.
INTERNAL CONTROL DEFINITION

• Internal control is the plan of organization and the methods a
business uses to safeguard assets, provide accurate and
reliable information, promote and improve operational
efficiency, and encourage adherence to prescribed managerial
policies.
• The internal control system comprises policies, practices, and
procedures employed by the organization to safeguard assets
of the firm, ensure the accuracy and reliability of accounting
records and information, promote efficiency in the firm’s
operations, and measure compliance with management’s
prescribed policies and procedures.
RISKS AND OPPORTUNITIES

Events can have positive or negative effects. Positive events are opportunities
(achieving the goals, value creation, increased benefit, etc.); negative events are
risks, which must be managed.
MANAGEMENT CONTROL
Management control:
• An integral part of management responsibilities.
• Designed to reduce threats, irregularities, and achieve
organizational goals.
• Personnel-oriented and seeks to help employees attain
company goals.
INTERNAL CONTROL FORM
• Preventive, detective, and corrective controls.
• General and application controls.
• Input, processing, and output controls.
COSO’s INTERNAL CONTROL MODEL
CONTROL ENVIRONMENT

• The control environment consists of the actions, policies, and
procedures that reflect the overall attitudes of top management,
directors, and owners of an entity about internal control and its
importance to the entity.
• Control environment aspects:
1. Commitment to integrity and ethical values
2. Management’s philosophy and operating style
3. Organizational structure
4. Human Resource Policies and Practices
CONTROL ENVIRONMENT

• Control environment aspects (continued):
5. The audit committee of the board of directors.
6. Methods of assigning authority and responsibility.
7. External influences.
RISK ASSESSMENT
• Risk assessment is management’s identification and
analysis of risks relevant to the achievement of goals.
• Risks/threats which need to be assessed:
1. strategic — doing the wrong thing
2. financial — having financial resources lost, wasted,
or stolen
3. information — faulty or irrelevant information, or
unreliable systems
CONTROL ACTIVITIES

• Control activities are the policies and procedures, in addition to
those included in the other four control components, that help
ensure that necessary actions are taken to address risks to the
achievement of the entity’s objectives.
• Control activities fall into one of five categories:
1. Proper authorization of transactions and activities.
2. Segregation of duties.
3. Design and use of adequate documents and records.
4. Adequate safeguards of assets and records.
5. Independent checks on performance.
INFORMATION AND COMMUNICATION

• The purpose of an entity’s accounting information and
communication system is to initiate, record, process,
and report the entity’s transactions and to maintain
accountability for the related assets.
• The information and communication system as a whole makes
it possible for the system to have an audit trail.
• An audit trail exists when individual company
transactions can be traced through the system.
MONITORING PERFORMANCE
• The key methods of monitoring performance:
1. effective supervision.
2. responsibility accounting.
3. internal auditing.
MODIFYING ASSUMPTIONS

• Management responsibility – establishment and maintenance of
the internal control system is a management responsibility.
• Reasonable assurance – the internal control system should provide
reasonable assurance, not absolute assurance.
• Methods of data processing – internal control should achieve the
IC objectives regardless of the data processing method used.
• Limitations – it is assumed that no system is perfect.
COSO’s INTERNAL CONTROL MODEL
LEVELS OF CONTROL
ERM DEFINITION

Enterprise risk management is a process, effected by an entity’s
board of directors, management and other personnel, applied in
strategy setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage risk to be
within its risk appetite, to provide reasonable assurance regarding
the achievement of entity objectives.
ERM SCOPE

• Aligning risk appetite and strategy – Management considers the
entity’s risk appetite in evaluating strategic alternatives, setting
related objectives, and developing mechanisms to manage
related risks.
• Enhancing risk response decisions – Enterprise risk
management provides the rigor to identify and select among
alternative risk responses – risk avoidance, reduction, sharing,
and acceptance.
• Reducing operational surprises and losses – Entities gain
enhanced capability to identify potential events and establish
responses, reducing surprises and associated costs or losses.
ERM SCOPE (continued)

• Identifying and managing multiple and cross-enterprise risks –
Every enterprise faces a myriad of risks affecting different parts
of the organization, and enterprise risk management facilitates
effective response to the interrelated impacts, and integrated
responses to multiple risks.
• Seizing opportunities – By considering a full range of potential
events, management is positioned to identify and proactively
realize opportunities.
• Improving deployment of capital – Obtaining robust risk
information allows management to effectively assess overall
capital needs and enhance capital allocation.
COSO’s ERM MODEL

Enterprise Risk Management is not strictly a serial process,
where one component affects only the next.
ACHIEVEMENT OF OBJECTIVES
• Strategic – high-level goals, aligned with and
supporting its mission
• Operations – effective and efficient use of its resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and
regulations.
INTERNAL ENVIRONMENT
The internal environment encompasses the tone of an
organization, and sets the basis for how risk is viewed
and addressed by an entity’s people, including risk
management philosophy and risk appetite, integrity
and ethical values, and the environment in which
they operate.
OBJECTIVE SETTING
Objectives must exist before management can identify
potential events affecting their achievement. Enterprise
risk management ensures that management has in place
a process to set objectives and that the chosen
objectives support and align with the entity’s mission and
are consistent with its risk appetite.
EVENT IDENTIFICATION
Internal and external events affecting achievement of an
entity’s objectives must be identified, distinguishing
between risks and opportunities. Opportunities are
channeled back to management’s strategy or objective-
setting processes.
RISK ASSESSMENT
Risks are analyzed, considering likelihood and impact,
as a basis for determining how they should be managed.
Risks are assessed on an inherent and a residual basis.
RISK ASSESSMENT MATRIX
RISK RESPONSE
Management selects risk responses – avoiding,
accepting, reducing, or sharing risk – developing a set of
actions to align risks with the entity’s risk tolerances and
risk appetite.
RISK MITIGATION
CONTROL ACTIVITIES
Policies and procedures are established and
implemented to help ensure the risk responses are
effectively carried out.
INFORMATION AND COMMUNICATION

Relevant information is identified, captured, and
communicated in a form and timeframe that enable
people to carry out their responsibilities. Effective
communication also occurs in a broader sense, flowing
down, across, and up the entity.
MONITORING
The entirety of enterprise risk management is monitored
and modifications made as necessary. Monitoring is
accomplished through ongoing management activities,
separate evaluations, or both.
COBIT 5 FRAMEWORK
• COBIT 5 helps enterprises create optimal value from
IT by maintaining a balance between realising
benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology
to be governed and managed in a holistic manner for
the entire enterprise, taking in the full end-to-end
business and functional areas of responsibility,
considering the IT-related interests of internal and
external stakeholders.
• The COBIT 5 principles and enablers are generic and
useful for enterprises of all sizes, whether commercial,
not-for-profit or in the public sector.
COBIT 5 PRINCIPLES
COBIT 5 ENABLERS
COBIT DEVELOPMENT PHASE

Versions and years:
• COBIT 1 (1996)
• COBIT 2 (1998)
• COBIT 3 (2000)
• COBIT 4.0/4.1 (2005/7)
• COBIT 5 (2012)

Evolution of scope across the versions: Audit, Control, Management,
IT Governance, Governance of Enterprise IT.

Related ISACA frameworks incorporated along the way: Val IT 2.0 (2008)
and Risk IT (2009).


THANK YOU