LECTURE MATERIAL SUMMARY Chapter 6

Internal Control

Internal Control:

1. Frameworks
2. Definition of internal control
3. Objectives, components, and principles of internal control
4. Internal control roles and responsibilities
5. Limitations of internal control
6. Internal control from different perspectives
7. Types of controls
8. Internal control evaluation system

FRAMEWORKS
A framework is a body of guiding principles that form a template
against which organizations can evaluate a multitude of business
practices. Specific to the practice of internal auditing, various
frameworks are used to assess the design adequacy and operating
effectiveness of controls.
Frameworks provide a structure within which a body of knowledge
and guidance fit together. This system facilitates consistent
development, interpretation, and application of concepts,
methodologies, and techniques useful to a discipline or profession.

Internal Control Frameworks


There are no substantive differences between COSO and CoCo. Both
frameworks include definitions of internal control that describe a
process that provides reasonable assurance for achieving the
objectives of an organization in three specific categories: effectiveness
and efficiency of operations, reliability of reporting, and compliance.
The frameworks also agree regarding responsibility for internal
control, specifically putting responsibility not only on the board of
directors, senior management, and internal auditors, but also on each
individual within the organization. Although the frameworks use
different titles for them, the components of each internal control
framework are basically the same and can be examined using the
COSO titles for each component. They are: Control Environment, Risk
Assessment, Control Activities, Information and Communication, and
Monitoring.
Primarily designed to provide guidance to companies of all sizes with
cost-effective means to comply with Section 404 of Sarbanes-Oxley,
the Compendium provides the added benefit of supplying direction to
smaller public companies on the application of the COSO framework
when evaluating the effectiveness of ICFR.
As a result of the increased public scrutiny over ICFR that ensued
from Sarbanes-Oxley, the subject of internal control has been
elevated to the prominence formerly reserved for topics such as sales,
marketing, profits (EPS), and capital adequacy in many organizations.
In addition to using COSO, CoCo, and FRC Internal Control Guidance
as vehicles to assess ICFR, many organizations also are using these
frameworks to more broadly evaluate the entire system of internal
controls.

DEFINITION OF INTERNAL CONTROL


COSO broadly defines internal control as:
. . . a process, effected by an entity’s board of directors, management,
and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives relating to operations,
reporting, and compliance.

THE OBJECTIVES, COMPONENTS, AND PRINCIPLES OF INTERNAL CONTROL
COSO explains, “A direct relationship exists between objectives,
which are what an entity strives to achieve, components [and
principles], which represent what is required to achieve the
objectives, and entity structure (the operating units, legal entities,
and other structures). The relationship can be depicted in the form of
a cube.”

The Components of Internal Control:


— Control Environment
— Risk Assessment
— Control Activities
— Information and Communication
— Monitoring Activities

In addition to the five integrated components, COSO also defines 17
supporting principles representing the fundamental concepts
associated with each component of internal control.

Objectives
The [COSO] [f]ramework sets forth three categories of objectives,
which allow organizations to focus on differing aspects of internal
control:
■ Operations Objectives—These pertain to effectiveness and
efficiency of the entity’s operations, including operational and
financial
performance goals, and safeguarding assets against loss.
■ Reporting Objectives—These pertain to internal and external
financial and non-financial reporting and may encompass reliability,
timeliness, transparency, or other terms as set forth by regulators,
standard setters, or the entity’s policies.
■ Compliance Objectives—These pertain to adherence to laws and
regulations to which the entity is subject.

Components
COSO indicates, “Supporting the organization in its efforts to achieve
objectives are five components of internal control:
■ Control Environment
■ Risk Assessment
■ Control Activities
■ Information and Communication
■ Monitoring Activities

The control environment provides an atmosphere in which people
conduct their activities and carry out their control responsibilities. It
serves as the foundation for the other components. Within this
environment, management assesses risks to the achievement of
specified objectives. Control activities are implemented to help ensure
that management directives to address the risks are carried out.
Meanwhile, relevant information is captured and communicated
throughout the organization. The entire process is monitored and
modified as conditions warrant.

These components are relevant to an entire entity and to the entity
level, its subsidiaries, divisions, or any of its individual operating
units, functions, or other subsets of the entity.”
Principles
In addition to the five integrated components, COSO also defines 17
principles representing the fundamental concepts associated with
each component of internal control. COSO indicates, “[b]ecause these
principles are drawn directly from the components, an entity can
achieve effective internal control by applying all principles. All
principles apply to operations, reporting and compliance objectives.”
The principles supporting the five components of internal control are
outlined in exhibit 6-9.

INTERNAL CONTROL ROLES AND RESPONSIBILITIES


Everyone in an organization has responsibility for internal control:
Management
The CEO assumes primary responsibility for the system of internal
controls. The “tone at the top” (how ethical or how much integrity an
organization has) is set by the CEO and rolls down from there to
senior management, line management, and ultimately to all of the
individuals in an organization. The CEO is more or less visible and
has more or less of a direct impact depending on the size of the
organization. In smaller organizations, the CEO very directly affects
the system of internal controls. In larger organizations, the CEO has
the greatest impact on senior management who in turn influence
their subordinates. In this way, senior and line managers act as
“CEOs” over the areas for which they are responsible.
Board of Directors
The board of directors oversees management, provides direction
regarding internal control, and ultimately has responsibility for
overseeing the system of internal controls. The board of directors’
roles and responsibilities as described by COSO form an effective
governance “umbrella” for an organization.
Internal Auditors
Internal auditors play a significant role in verifying that management
has met its responsibility.
The COSO framework defines the role of the internal auditor
similarly, although in more general terms: “…internal auditors
provide assurance and advisory support to management on internal
control…the internal audit [function] includes evaluating the
adequacy and effectiveness of controls in responding to risks within
the organization’s oversight, operations, and information systems…”
Because of its organizational position and authority in an entity, an
internal audit function often plays a significant monitoring role.
Other Personnel
COSO clearly indicates that everyone in an organization has
responsibility for internal control: “Internal control is the
responsibility of everyone in an entity and therefore constitutes an
explicit or implicit part of everyone’s job description. Front-line
personnel constitute the first line of defense in the performance of
internal control responsibilities.” Virtually all employees produce
information used in the internal control system or take other actions
needed to effect control. COSO also clearly indicates that all associates bear the
responsibility of communicating problems in operations, code of
conduct violations, or other policy infractions or illegal activity to
management or other appropriate bodies.

LIMITATIONS OF INTERNAL CONTROL


Internal control cannot prevent bad judgments or decisions, or
external events that can cause an organization to fail to achieve its
operational goals. In other words, even an effective system of internal
control can experience a failure. Limitations may result from the:
■ Suitability of objectives established as a precondition to internal
control.
■ Reality that human judgment in decision-making can be faulty and
subject to bias.
■ Breakdowns that can occur because of human failures such as
simple errors.
■ Ability of management to override internal control.
■ Ability of management, other personnel, and/or third parties to
circumvent controls through collusion.
■ External events beyond the organization’s control.

Inherent Risk, Controllable Risk, and Residual Risk


An organization’s ability to achieve established entity objectives is
affected by both internal and external risks. The combination of
internal and external risks in their pure, uncontrolled state is referred
to as inherent risk.

With that said, there are many factors management must consider
when determining the specific actions (controls) they should take to
manage inherent risks to an acceptably low level and establish
tolerance parameters. To begin with, management must consider
controllable risk.
Controllable risk is that portion of inherent risk that management can
directly influence and reduce through day-to-day business activities.
Once management has implemented cost-effective controls to address
controllable risks, then and only then can they determine if the
organization is operating within the overall risk appetite established
by senior management and the board of directors. The portion of
inherent risk that remains after mitigating all controllable risks is
defined as residual risk.

VIEWING INTERNAL CONTROL FROM DIFFERENT PERSPECTIVES
Management
From management’s perspective, internal control includes a number
of activities designed to mitigate risks or enable opportunities that
affect the achievement of an organization’s objectives.
Internal Auditors
Internal auditors are charged with independently verifying that the
organization’s controls are designed adequately and operating
effectively as management intends. Additionally, internal auditors are
well positioned to offer their perspective on the costs versus the
benefits of specific control activities and can provide insight to
management on internal controls that can be considered for
elimination because they are redundant or because the benefits they
provide do not exceed the costs of implementing them.
Independent Outside Auditors
The primary responsibility of an organization’s independent outside
auditors is to attest to the fairness of the financial statements and, in
certain countries, the effectiveness of internal control over financial
reporting. For this reason, their perspective is focused on internal
control relative to how it affects the organization’s financial
reporting.
Other External Parties
External parties that have an interest in an organization’s internal
control include legislators, regulators, investors, and creditors.
Because their interests vary, so too will their perspective of internal
control. Consequently, various internal control definitions have been
developed by legislators and regulatory agencies to correspond with
their specific responsibilities relative to the types of activities they
monitor. Investors and creditors, on the other hand, primarily need
the kind of financial information that the organization’s independent
outside auditors validate.

TYPES OF CONTROLS
There are many types of controls that are used by an organization to
increase the likelihood that objectives will be met. It is important to
note that specific controls can be referred to by different
organizations (and even different individuals within an organization)
by different names. More significant than the name used to describe a
particular control is the type of control it is. This can create confusion
because many controls fit into more than one category
simultaneously. This is addressed in more detail later in the chapter.
Depending on the specific application of these controls, they can be
classified any number of ways and may take on multiple
classifications simultaneously. The following sections outline the
various types of controls and their individual purposes.
Entity-Level, Process-Level, and Transaction-Level Controls
Entity-Level Control: A control that operates across an entire entity
and, as such, is not bound by, or associated with, individual
processes. Entity-level controls can be divided into two categories:
governance controls and management-oversight controls.
Process-Level Control: An activity that operates within a specific process for the
purpose of achieving process-level objectives. Process-level controls are more
detailed in their focus than entity-level controls. They are established
by process owners to reduce the risk that threatens the achievement
of process objectives.
Transaction-Level Control: An activity that reduces risk relative to a group or variety
of operational-level tasks or transactions within an organization. Transaction-level
controls are even more detailed in their focus than process-level
controls and reduce risk relative to a group or variety of operational-level
activities (tasks) or transactions within an organization.

Key Controls and Secondary Controls


Controls also can be categorized in terms of their importance. As
such, a control can be categorized either as a key control or as a
secondary control. A key control (often referred to as the “primary”
control) is designed to reduce key risks associated with business
objectives. Failure to implement adequately designed and effectively
operating key controls can result in the failure of the organization not
only to achieve critical business objectives but to survive.
A secondary control is one that is designed to either 1) mitigate risks
that are not key to business objectives, or 2) partially reduce the level
of risk when a key control does not operate effectively. Secondary
controls reduce the level of residual risk when key controls do not
operate effectively, but they are not adequate, by themselves, to
mitigate a particular key risk to an acceptable level. They are
typically a subset of compensating controls.

Compensating Controls
Compensating controls are designed to supplement key controls that
are either ineffective or cannot fully mitigate a risk or group of risks
by themselves to an acceptable level within the risk appetite
established by management and the board.

Preventive and Detective Controls


A preventive control is designed to deter unintended events from
occurring in the first place. Because of the dynamic nature and
complexity of day-to-day business operations, it is difficult to design a
preventive control that is both economical and efficient. As a result,
most organizations use a combination of preventive controls and
detective controls when designing both an effective and efficient
system of internal controls. Conversely, a detective control is designed
to discover undesirable events that have already occurred. A
detective control must occur timely (before the undesirable event has
had an unacceptably negative impact on the organization) to be
considered effective.

Information Systems (Technology) Controls


Types of information systems controls that can be used to mitigate
these risks:
1. General computing controls. These “apply to many if not all
application systems and help ensure their continued, proper
operation.”
2. Application controls. These “include computerized steps within the
application software and related manual procedures to control the
processing of various types of transactions.”

Simultaneous Categorization of Controls


Specific controls can fit into several categories at the same time. For
example, a control can be an entity-level control at the same time
that it is a key control. While these nuances can be confusing in the
beginning, time spent working with controls will lead to a better
understanding of how the various categories can exist in a single
control.

EVALUATING THE SYSTEM OF INTERNAL CONTROLS: AN OVERVIEW
Entitywide and business process control activities specifically
designed to provide reasonable assurance that external reporting
objectives are achieved and support management’s related assertions
possess certain common elements. To be designed adequately and
operating effectively, these controls should address the concepts of
initiation, authorization, recording, processing, and reporting. As
mentioned earlier in the chapter, these controls are collectively
referred to as ICFR. The PCAOB was created to establish guidelines to
which independent outside auditors and, indirectly, management
must adhere in order to comply with these reporting requirements. In
response, on June 12, 2007, the PCAOB issued Auditing Standard No.
5, An Audit of Internal Control Over Financial Reporting That is
Integrated with an Audit of Financial Statements. For additional
specific guidelines, refer to Auditing Standard No. 5 itself.

Effects of reporting relationship and type of internal control deficiency on internal auditors’ internal control evaluations
Audrey Gramling & Arnold Schneider

Abstract
Purpose – This paper aims to explore whether an internal auditor’s evaluation of internal
control deficiencies is influenced by the party with primary influence over the internal audit
function and by the type of internal control deficiency.
Design/methodology/approach – A behavioral experiment is conducted with internal
auditors as participants in a 2 x 2 between-subjects factorial design.
Findings – Results indicate that internal auditors are less likely to evaluate a pervasive
control deficiency related to “tone at the top” as a material weakness than a process-specific
control deficiency. Furthermore, internal auditors are somewhat less likely to evaluate a
process-specific internal control deficiency as a material weakness when management has
primary influence over the internal audit function than when the audit committee has primary
influence. It is also found that the best practice of internal audit oversight (i.e., primary
oversight of internal auditors by the audit committee) may lead to potential internal
under-reporting of instances where the audit committee represents a material weakness in
internal control.
Research limitations/implications – Limitations of this research include lack of economic
consequences (e.g. future pay and job loss) associated with the internal control decisions
made by the participants; less concise information provided to the participants than would
generally be available to them; and lack of generalizability of the findings beyond the specific
company setting and internal control scenario portrayed in the case materials.
Practical implications – Not evaluating a pervasive control deficiency related to “tone at the
top” as a material weakness seems to not fully align with relevant professional guidance and
can possibly result in inaccurate internal information about the quality of internal controls.
Furthermore, having an internal auditor’s evaluation of a process-specific internal control
deficiency influenced by the party with primary influence over the internal audit function
would not appear to align with relevant professional guidance. Finally, primary oversight by
the audit committee of the internal auditors may lead to potential internal under-reporting of
instances where the audit committee represents a material weakness in internal controls
and, thus, possible communication of inaccurate internal control information.
Originality/value – This study is the first to address whether the party with primary influence
over the internal audit function influences an internal auditor’s evaluation of internal control
deficiencies.

Summary and Conclusion

The results we discuss below are, of course, subject to the limitations
common to most experimental behavioral studies [14]. Notwithstanding these
typical limitations, our results strongly indicate that internal auditors
will tend to evaluate a pervasive control deficiency related to tone at the
top as a material weakness rather than a process-specific control deficiency.
Our pervasive control deficiency – reflecting the tone set by top
management – can have significant implications for ICFR across the company.
Not evaluating this deficiency as a material weakness can result in the
provision of inaccurate internal information about the quality of internal
controls. In reviewing the results related to the pervasive internal control
deficiency, it is important to keep in mind that we selected one specific
pervasive internal control deficiency – management’s tone at the top related
to the importance of internal control. The results may be driven by our
choice of pervasive internal control deficiency. Potentially, internal
auditors may view internal control related to tone at the top as less
important than other pervasive controls (e.g., management override of
controls, an effective whistleblower program, hiring practices related to
employing competent financial reporting employees). Thus, if we had selected
an alternative pervasive control, our results might have differed. We
recognize that this is an empirical question and therefore suggest future
research related to this issue.

Our results, coupled with archival analysis, lead us to question whether
pervasive material weaknesses related to tone at the top are not being
reported. Analyses provided by Audit Analytics (2016a, 2016b) note that it is
rare for a pervasive tone at the top deficiency to be reported as a material
weakness. Is this finding due to the fact that such material weaknesses
rarely occur, or is there a bias against reporting such material weaknesses?
Do standard setters and regulators not expect an inappropriate tone about the
importance of controls to be classified as a material weakness?

Our results provide some support that internal auditors are inclined to
evaluate a process-specific internal control deficiency as a material
weakness when top management has primary influence over the IAF rather than
when the audit committee has primary influence. This result should be noted,
because it indicates that, for at least one process-specific control,
internal auditors may lack objectivity in their evaluations depending on
which party has primary influence over the IAF. Given this finding, what
guidance can the IIA provide to internal auditors, or to those with primary
oversight of the IAF, to help address this bias?

Finally, we find an unintended consequence of the audit committee having
primary influence over the IAF. That is, internal auditors assign a lower
likelihood of concluding that there is a material weakness related to the
audit committee when the audit committee has primary influence over the IAF
than when top management has greater primary influence over the IAF. Our
findings lead us to question whether the best practice of IAF oversight by
the audit committee leads to internal under-reporting of instances where the
audit committee represents a material weakness in ICFR. If internal or
external misreporting occurs, can researchers and practitioners identify
mechanisms that could mitigate this unintended consequence?

Our results provide broader insights into internal control evaluations
performed by internal auditors. Given the important role of internal auditors
in evaluating internal control, this understanding is important and provides
opportunities for further consideration by regulators, standard setters,
those with primary oversight of the IAF, and researchers. Our hypotheses are
driven by the underlying argument that the perceived level of responsibility
for the effectiveness of internal control (by the audit committee and top
management) is an important factor in internal auditors’ evaluations. We did
not obtain a direct measure of participants’ perceptions of the relevant
parties’ (audit committee, top management) level of responsibility for
effective internal control. Further, participants may have perceived that
internal auditors have responsibility for effective internal control. We did
not measure this perception, because internal auditors do not design or
implement controls as part of their normal responsibilities and are not
responsible for the organization’s operations, including its internal control
(COSO, 2015). Typically, the internal auditor’s responsibility in this area
is to provide independent assurance about the effectiveness of internal
control to the board and top management (COSO, 2015, 2013), and advice on
internal control to the board and top management. Therefore, the
effectiveness of internal control should not be seen as directly reflecting
the quality of the internal auditors, whether for pervasive or
process-specific internal controls. However, we recognize that this is an
empirical question and therefore suggest future research related to this
issue.

Overall, our findings suggest the possible existence of bias in internal
auditors’ evaluations of internal control deficiencies. We note that for
larger public companies, external auditors are also required to report on the
effectiveness of ICFR, and thus have a role in ICFR reporting. While external
auditors may be able to serve as an additional set of eyes related to
internal control reporting, we question whether external auditors may also be
biased, for example, against evaluating a pervasive top management tone
deficiency as a material weakness, given the external auditors’ relationship
with top management and the audit committee. We encourage future research to
examine the usefulness of the role of external auditors, and of other parties
responsible for corporate governance, in mitigating the bias suggested by our
study.