Evaluation of Internal Control System in Cash Disb

Download as pdf or txt
Download as pdf or txt
You are on page 1of 10

See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/335285642

Evaluation of Internal Control System in Cash Disbursement Cycle: Case Study


of Construction Company PT XYZ

Conference Paper · January 2019


DOI: 10.2991/apbec-18.2019.10

CITATIONS READS

0 608

2 authors:

Nindya Farah Dwi Puspitasari Chaerul Djakman


Universitas Terbuka University of Indonesia
4 PUBLICATIONS   1 CITATION    33 PUBLICATIONS   91 CITATIONS   

SEE PROFILE SEE PROFILE

All content following this page was uploaded by Nindya Farah Dwi Puspitasari on 11 January 2022.

The user has requested enhancement of the downloaded file.


Advances in Economics, Business and Management Research, volume 89
1st Asia Pacific Business and Economics Conference (APBEC 2018)

Evaluation of Internal Control System in Cash


Disbursement Cycle: Case Study of Construction
Company PT XYZ
Nindya Farah Dwi Puspitasari Chaerul D. Djakman
Faculty of Economics and Business Lecturer in Faculty of Economics
Universitas Indonesia Universitas Indonesia
Jakarta, Indonesia Jakarta, Indonesia
[email protected] [email protected]

Abstract—Construction Company PT XYZ’s actual situation undervalued in records, unrecorded payment notes, and late
based on an internal audit report shows some unusual cash receipt settlements [3].
transactions related to the cash disbursement cycle. This
indicates that the company needs an adequate internal control These transactions lead to the conclusion that the
system to provide assurance in cash disbursement transactions company’s cash disbursement cycle requires a more adequate
so that reports on cash disbursements can be fairly presented. internal control system to provide assurance in cash
Furthermore, if internal control is properly designed and disbursement transactions so that financial reports can be
implemented, it can prevent and detect fraud that might harm fairly presented. Elder, Beasley, Arens, and Jusuf state that
the company. This research evaluates and proposes improvement companies must develop internal controls which are capable
of internal control over PT XYZ’s cash disbursement cycle by of providing reasonable, not absolute, so that financial
using principles of the COSO framework 2013. This descriptive statements are fairly presented [4]. Furthermore, if properly
qualitative research is a case study observing the object of designed and implemented, internal control can effectively
research and interviewing PT XYZ’s senior personnel. Results prevent and detect fraud. The company requires design and
show that some weaknesses remain in internal control over the evaluation of internal controls to improve reliability of
company’s cash disbursement cycle. In addition, this research financial statements, improve efficiency and effectiveness of
also conducts self-control assessment and fraud analysis to operations, and comply with applicable laws and regulations.
determine appropriate and effective internal control in the cash
disbursement cycle. One method to evaluate internal controls’ effectiveness is
the internal control framework issued by the Committee of
Keywords—fraud, internal control system, cash disbursement Sponsoring Organizations of the Threadway Commission
(COSO) [5]. By using COSO’s five internal control
I. INTRODUCTION components, this case study evaluates the internal control
A. Background system and makes suggestions for the cash disbursement
cycle to improve the reliability of cash accounts in financial
Due to its complex business, costly nature, and involvement
statements at Construction Company PT XYZ.
with a high number of third parties, the construction industry
runs risks of internal fraud [1]. Based on a survey by the B. Statement of Problem
Association of Certified Fraud Examiners the most common Based on the previous description, this research’s
fraud occurred in asset misappropriation, followed by problem is
Corruption and Financial Statement Fraud [2]. Furthermore,
the survey also stated that the most common fraud cases of (1) Has applied to the cash disbursement cycle at PT
asset misappropriation were found on billing schemes in cash XYZ, how good is the internal control system’s
disbursement. evaluation and improvement based on COSO’s
internal control framework?
PT XYZ is an infrastructure company with core
competencies in infrastructure and construction sectors, C. Research Objective
asphalt and liquefied gas (LPG) trade, precast concrete The objective in this research is, based on COSO’s
manufacturing, mechanical and electrical work, and internal control framework, to evaluate and suggest
maintenance services. PT XYZ has an internal audit unit improvements to the internal control system that should be
whose activities provide assurance services and independent, applied to the cash disbursement cycle at PT XYZ.
objective consultations. Results of audit findings by the
internal audit unit for January–September 2016 showed some D. Research Contribution
unusual cash disbursement transactions, such as a payment (1) This research is important because it provides
transaction of as much as 600 million rupiah without a benefits to PT XYZ stakeholders through suggestions
voucher signed by authorized project personnel, cash regarding improvement of the internal control
withdrawals totaling approximately 9 billion rupiah without system of the cash disbursement cycle based on the
complete cash transactions records, unrecognized voucher COSO internal control framework.
documents, duplicate voucher documents, cash-on-hand

Copyright © 2019, the Authors. Published by Atlantis Press.


This is an open access article under the CC BY-NC license (http://creativecommons.org/licenses/by-nc/4.0/). 63
(2) This research provides knowledge for academics The entity’s risk assessment is a process to identify and
and for similar subsequent research, as well as a respond to business risks. Organizations typically face a
reference for academics and non-academics variety of threatening external and internal risks to achieving
conducting further research. objectives of operation, financial reporting, and legal
compliance.
II. LITERATURE REVIEW
Control activities are policies and procedures help to
A. Internal Control ensure that management directives can be implemented to
Several definitions explain internal control’s purpose. In address risks identified in the risk assessment process.
the early 1990s, many people interpreted internal controls as Control activities include various activities, including
steps taken by a business to prevent fraud, both asset approval, authorization, verification, reconciliation, review of
misappropriation and fraudulent financial reporting. Another operating performance, and segregation of duties.
opinion, in addition to recognizing internal controls’ Information relevant to financial reporting’s purpose
importance in fraud prevention, people believe that internal includes the accounting system and consists of records and
control plays the same role of ensuring control over procedures to initiate and authorize records, process and
manufacturing and other processes [6]. After establishing an report entities’ transactions, and maintain accountability of
effective internal control system, the company can more related assets and liabilities. Meanwhile, communication
scientifically and effectively control management of cost involves providing understanding of individuals’ roles and
expenditures and can improve its entire economic profit that responsibilities relating to internal control over financial
has huge strategic significance [7]. reporting.
COSO defines internal control as a process, affected by Monitoring activity assesses internal control’s performance
the board of directors, management, and other personnel, quality over time. In providing reasonable assurance that the
designed to provide reasonable assurance regarding entity’s objectives are achieved, management must monitor
achievement of objectives relating to operations, reporting, controls to determine whether they operate effectively.
and compliance [5]. Internal control by COSO Internal
Control—Integrated Framework 2013 consists of five internal B. Internal Control over Cash Disbursement
control components: Control Environment, Risk Assessment, Cash is a means of exchange owned by the company and
Control Activities, Information and Communication, and ready for use in corporate transactions at any desired time
Monitoring Activities [8]. [9]. Cash is the most liquid asset, and it undergoes the most
Control environment determines an organization’s nature frequent change because it is affected by almost every
and influences organizational members’ awareness of control. transaction with external parties. Romney and Steinbart
The control environment is the basis for all other internal describe internal controls over cash disbursement cycles that
control components that provide discipline and structure. can be applied to each threat (TableI) [10].
TABLEI.THREATS AND CONTROLS IN THE CASH DISBURSEMENTSYSTEM
No Threats Controls
1 Failure to take advantage of discounts - Invoice filled by due date for discounts
- Cash flow budgets
2 Paying for items not received - Matching all supplier invoices to supporting documents acknowledged by both receiving and
inventory control
- Budgets (for service)
- Receipts for travel expenses
- Corporate credit cards for travel expenses
3 Duplicate payments - A complete voucher package for all payments
- Paying only from original copies of supplier invoices
- Cancelling all supporting documents when payment is made
4 Cash theft - Physical security of blank checks and check-signing machine
- Periodic accounting of all sequentially numbered checks by cashier
- Access control to EFT terminals
- Use of a dedicated computer and browser for online banking
- ACH (Automated Clearing House) blocks on accounts not used for payments
- Separation of check-writing function from accounts payable
- Dual signatures on checks for specific amounts
- Regular reconciliation of bank account by someone independent of cash disbursement procedures
- Access restriction to supplier master file
- Limiting the number of employees with ability to create one-time suppliers and to process invoices
from one-time suppliers
- Running an impress fund for petty cash
- Surprise audits of the petty cash fund
5 Check alteration - Check protection
- Use of special inks and papers
- “Positive Pay” arrangement with banks
6 Cash flow problems - Cash flow budget
Source: Romney and Steinbart (2015)

64
from internal control principles. Questions then developed
C. Fraud
from the prepared questionnaire.
Elder, Beasley, Arens, and Jusuf describe at least three
conditions that may cause a type of fraud called “triangle (2) Secondary data is processed primary data, that is,
fraud” [4]: documents used in the cash disbursement cycle, such as
standard operating procedures (SOPs) and other documents.
(1) Pressure
C. Research Instrument
Management or employees are under pressure to commit
fraud. In this research, data collection and information
techniques included:
(2) Opportunity
(1) Literature study
Management or employees are in a position or situation
to commit fraud. Literature study is —Conducted by reviewing legal
literature, along with rules, textbooks, articles, journals, and
(3) Rationalization other related documents.
Management or employees mentally justify the act of (2) Field Research
fraud. Mentally justifying means there is an attitude,
Field research is —Conducted by directly collecting data
characteristic, or set of ethical value that allows management and conducting research on the research object through:
or employees to justify such dishonest behavior.
a. Observation
III. RESEARCH METHODOLOGY
Through observation, research data was collected for 2
A. Overview months (January–February 2017). Author involvement in the
This descriptive qualitative research is a case study using process of implementing internal control was as an intern
an evaluation method. Stages of evaluation are to assess staff member in the internal audit unit which allowed authors
implementation of each control principle based on the to gather information for answering this study’s research
Integrated Internal Control Framework COSO 2013. The question.
assessment was expected to reveal weaknesses in internal b. Interviews
controls’ implementation and suggest improvements to the
To obtain deeper understanding of the internal control
internal control system in the cash disbursements cycle.
system’s implementation in the cash disbursement cycle at
B. Types of Data PT XYZ, the author conducted interviews with the following
This research includes both primary and secondary data. staff members deemed capable and authorized to provide
necessary information: the head of the financial department,
(1) Primary data is raw data obtained through direct senior staff of the internal audit unit, debt staff, and projected
observation and interview techniques for information about cash staff.
the internal control system’s implementation in the cash
D. Research Variables
disbursement cycle. Interviews were conducted using semi-
structured methods with a prepared questionnaire derived Variables in this research are control principles based on
the integrated internal control framework COSO (TableII).

TABLEII.RESEARCH VARIABLES
Component Control Principles
Control Principle 1: Commitment to integrity and ethical values
Environment Principle 2: Independence from management and exercises oversight of the development and performance of internal control
Principle 3: Establishment of structures, reporting lines, and appropriate authorities and responsibilities in pursuit of the objective
Principle 4: Commitment to attract, develop, and retain competent individuals in alignment with objectives
Principle 5: Individuals accountable for their internal control responsibilities in pursuit of objectives
Risk Assessment Principle 6: Objectives with sufficient clarity to enable identification and assessment of risk relating to objectives
Principle 7: Risk identification to achievement of the entity’s objectives and risk analysis to determine how risks should be managed
Principle 8: Potential for fraud in assessing risks to achievement of objectives
Principle 9: Identification and assessment of changes that could significantly impact the system of internal control
Control Activities Principle 10: Development of control activities that contribute to mitigation of risks to achievement of objectives to acceptable levels
Principle 11: Development of general control activities over technology to support achievement of objectives
Principle 12: Deployment of control activities through policies that establish what is expected and procedures that put policies into action
Information and Principle 13: Relevant, quality information to support the functioning of internal control
Communication Principle 14: Internal communication, including objectives and responsibilities for internal control, necessary to support the
functioning of internal control
Principle 15: Communication with external parties regarding matters affecting the functioning of internal control
Monitoring Principle 16: Ongoing and/or separate evaluations to ascertain whether components of internal control are present and functioning
Activities Principle 17: Evaluation and communication of internal control deficiencies in a timely manner to those parties responsible for
taking corrective action, including senior management and the board of directors, where appropriate
a.
Source: COSO’s Internal Control—Integrated Framework 2013

65
E. Company Profile documents, receipts, transfer receipts) and properly
record it in the expenditure table and ledgers.
PT XYZ, a company listed in the Indonesia Stock
Exchange (IDX), operates in infrastructure and building (3) Every week, GA performs the project’s finance
construction sectors, asphalt and liquid gas fuel (LPG) trade, opname and cash settlement. GA closes the entire
precast concrete manufacturing, mechanical and electrical project’s estimated cash book and records its final
work, and maintenance services. It was founded in 1982, balance of cash book, bank book and temporary
after operating for two decades as a contracting department cash receipt book. GA also reconciles the project
in the parent company. bank book and project cash book, transfers the giro
service fee, and, monthly, sends proof of transfer to
As of December 31, 2016, total assets of PT XYZ reached the head office. The project head examines minutes
4 trillion rupiah, with total net assets of 1.8 trillion rupiah [11]. of the finance opname and supporting documents.
Cash Disbursement Cycle GA then submits a project cash settlement form and
supporting documents to the finance department.
Cash disbursement for construction projects is divided into
two, cash disbursement at the head office and at project sites. (4) The finance department receives a cash settlement
At the head office, cash is disbursed through a bank account form and supporting documents and checks their
on behalf of the company, is used for replenishing cash in the completeness and validity. Eligible voucher and
project bank account, paying debts to third parties (suppliers) payment documents are submitted to the head of
based on agreements/contracts, and making direct voucher general finance and the personnel directorate, along
payments. with the cash settlement form to be signed.
Ineligible voucher and payment documents are sent
(1) The project cash balance is based on standard cash back to the project to be revised as required.
requests from the project. Cash project replenishment
uses the impress fund system according to the cash (5) The finance department prepares a check for cash
settlement value approved by the finance department. replenishment based on the cash settlement value
approved by the head of general finance and the
(2) Transactions which are based on agreements/ personnel directorate.
contracts paid by the finance department at the head
office. Supplier’s invoice and billing documents can IV. FINDINGS AND DISCUSSION
be sent to the head office or a project site. The
A. Findings
cashier immediately prepares a billing receipt form
for completed and correct billing documents. Evaluation of Internal Control Based on the COSO
General Affairs (GA) makes a voucher document Framework
after receiving a billing receipt form. The voucher Evaluation of the internal control system includes 17
and any supporting documents (e.g., invoice, billing principles based on the COSO framework, using observation
documents, and internal documents) are sent to the and interview methods. Each principle is discussed in the
debt officer in the finance department to be section below.
processed for payment [12].
The company’s integrity and ethical principles have been
(3) Direct voucher payment is usually made when the defined in the Code of Conduct approved by the Company’s
cash balance in the project bank account is not Board of Commissioners (BoC) and Board of Directors
sufficient for payment. (BoD). Management periodically evaluates individual and
Project cash is the amount transferred by the department team performance according to the Code of Conduct.
of finance to the project’s bank account through the Violations are processed according to level (minor, moderate,
company’s bank account used for routine payment, or severe). However, the Company does not have integrity
accounted for weekly by the project, and replenished by the pact signed by employees, particularly those involved in the
impress fund system. The cash balance in the project’s bank cash disbursement cycle.
account can reach 2 billion rupiah. Procedures for project Research found that BoCs and BoDs show independence
cash disbursement are as follows [13]: from management by supporting audits conducted by internal
(1) GA requests a project cash standard based on a cash auditors. BoCs regularly review the company’s internal
flow budget plan made once in 3 months. GA control system and often communicated with BoDs and
prepares a project cash request form and submits it internal audit units in the internal control system’s
to the finance department at the head office for implementation. BoCs and BoDs have independent members
further processing. Upon request, with eligible to ensure objectivity in the decision-making process
documents approved by the head of general finance regarding the company’s internal control.
and the personnel directorate, finance prepares a In the third principle, research found that reporting lines
check to transfer funds to the project bank account. are described in SOPs. However, SOPs related to the cash
(2) Payments using project cash can be made in cash or disbursement cycle have not been updated. In the event of a
non-cash. GA is responsible for managing financial change in key personnel’s responsibilities related to the cash
activities at the PT XYZ project site. Thus, GA disbursement cycle, the change is subject to approval by
must prepare a voucher for each payment based on directors and senior management and is then communicated
supporting documents (e.g., invoices, internal to interested units.

66
Training and development are conducted to ensure that receipt date and destruction of unnecessary documents) or
employees involved in the business cycle have the necessary softcopy (control of information security transmitted from
knowledge, skills, and capabilities. Management routinely the project site to the head office and vice versa, and security
conducts competency evaluations of employee and non- on computer screens).
employee (outsourcing, interns) performance according to
predetermined policies. For senior management, the Physical control over projects’ cash-on-hand includes
company also has a competency standard that reflects the securing (locking up) cash savings and controlling access to
technical competencies required. The fourth principle also cash-on-hand and GA and project heads conducting weekly
describes contingency plans for assignment of responsibility cash opnames. Physical control over project cash in the bank
for internal control. However, based on interviews, includes serial numbers on vouchers and physical security;
management does not have a contingency plan for important recording project bankbooks daily; reconciling monthly the
assignment responsibilities related to voucher preparation. balance in the project bankbook with the bank statement;
Prepared vouchers need to be signed sequentially by recording as yet unrecorded transactions in the bankbook
authorized personnel using the established system. But (e.g., giro service revenue, remittance fee, administration fee
documents on personnel’s responsibilities in creating of checking account, charging of check/giro book fee);
vouchers have not been updated. reporting bank reconciliation to the treasurer in the finance
department; physically protecting checks/giro at the project
In principle 5, individual performance indicators are site, directly confirming the relevant bank before issuing a
determined in each unit, while the HR Department determines check/giro, validating check/giro with the authorized project
incentives and rewards based on performance evaluation officer’s signature, and confirming with the bank cashier the
results. There are guidelines on performance measures, funds’ availability in project bank accounts. Physical control
incentives, and rewards for each position level. at the head office includes physical protection of check/giro
and controls access for validating check/giro. The treasury,
For evaluation results in principle 6, company objectives the head of the finance department, and the director must
are implied in the Vision and Mission statement and in approve the check/giro. Other controls include access to
individual values in the Code of Conduct. With Vision- buildings and facilities by guards both during and outside
Mission, the company sets financial and non-financial goals. working hours; physically securing vouchers received and
In addition, Vision-Mission illustrates the main competitive invoice receipt forms based on their dates; the Chief
advantage and becomes a reference in formulation of the Financial Officer ensuring funds’ availability in corporate
company’s strategic management. Objectives prepared at the bank accounts; use of electronic security access (fingerprints)
activity level are based on the company’s strategic to record employees’ presence at the head office and Closed-
management and involve all senior management in the Circuit Television (CCTV) in the building; and restrictions
relevant unit. on access to critical device areas.
Risk identification associated with the cash disbursement Research found that at PK XYZ, segregation of duties is
cycle has never been performed. As a result, the company still weak. This is due to the limited number of finance
never conducts a risk assessment (principle 7). The company personnel at the project site, so some personnel still perform
has also never performed fraud risk identification (principle two or more different functions. For example, the project
8). As a result, the company does not have a mechanism to finance officer under GA has responsibility for recording and
anticipate, identify, and act on risks arising from changes in reconciling bank accounts so that these overlapping duties
the environment (principle 9). allow him to commit fraud in recording and reconciling
In principle 10, as a result of having no risk identification project cash.
and risk assessment, control activities still do not contribute Control activities involving use of the SIMPro (ERP
to risk mitigation. Control activities consist of performance system) are not described in SOPs even though they play an
review, information processing controls, physical controls, important role in delivering information for the cash
and segregation of duties [8]. BoDs determine and evaluate disbursement cycle (principle 11).
key performance indicators to conduct appropriate
performance assessment. Employee performance assessment Principle 12, regarding development of control activity
indicators are based on employees’ work performance, and through policy, shows that SOPs do not explain the role of
scores are given based on their activities. Information technology and information systems in the cash disbursement
processing control consists of general and application cycle. Problems include lack of revision since initiation; the
controls. General controls in the cash disbursement cycle SOP has not considered possible risks; and timeliness of
include: access control and system security with restrictions control still needs improvement through employee training.
on access rights to computer and SIMPro systems, including Results of control evaluation determine its continued
user identification such as accounts and passwords; relevance, for instance control’s socialization and
authorization controls that restrict access to official improvement. Control improvements are always
information only; and data control such as data encryption. communicated via internal letter and SIMPro.
Application controls include: input control including
validation of billing documents, completeness of documents, SIMPro has integrated data related to the cash
and verification of documents manually by the bill’s disbursement cycle, such as project achievements, contracts,
recipient; processing control is performed against the expenditure records, invoice receipt forms, Project Profit and
possibility of errors by personnel in the Information Loss reports, and other financial and tax support documents
Technology unit occurring in a computer program; and for several departments (e.g., finance, accounting, Internal
output controls in hardcopy (document filing based on Audit Unit) to process into relevant information. Information
inputted into the system considers timeliness, completeness,

67
verifiability, and preservation. Only information regarding part of their regular duties. In addition, although according to
inventory data is not accurate, so further supervision is the internal audit unit, evaluations consider existing business
required (principle 13). risks, documents related to risk-based monitoring plans and
evaluation frequency are still not available.
In principle 14, the company typically uses internal letters
and SIMPro to communicate changes in control or other According to the last principle, internal control’s
policies. In practice, however, some employees still ignore evaluation results are written into Audit Reports and
information on SIMPro. Therefore, socialization—from the communicated to the president director. Through periodic
division head to employees—related to changes in control and incidental directors’ meetings, direct communication
and policy still needs improvement through training. Good with directors is conducted. After writing audit results, the
internal communication is also built through coordination internal audit unit requests responses and corrective action
meetings between BoDs and senior management, at least plans from the auditee. Furthermore, the internal audit unit
every 3 months, to discuss progress toward the company’s monitors implementation of corrective action plans, as
strategic objectives and coordinate all business units and agreed upon by the auditee.
divisions’ activities. The internal communication mechanism
for employees is open; no separate communication line yet B. Discussion
serves as a fail-safe mechanism to enable employees to Proposed Improvement of Internal Control System
communicate anonymously or confidentially.
 Control Environment
Principle 15 discusses communication with external
Improvements in the control environment can be hard or
parties. Any external problem report can be sent to the head
soft, as shown in Table III.
office for processing and will be reported to the directors for
solutions. However, the company currently does not have a  Risk Assessment
separate communication line that allows anonymous or
confidential communications from external parties. In the risk assessment component, improvements include
conducting a risk assessment and fraud risk analysis. Risk
In principle 16, ongoing evaluations are conducted Assessment in this research is based on Implementation of
through adequate supervision, bank reconciliation, Control Self-Assessment (CSA) guidelines issued by the
monitoring of contract value, project cash reconciliation, Badan Pengawasan Keuangan dan Pembangunan (BPKP).
monitoring of settlement of project cash documents, weekly With the CSA method, staffs are expected to participate
project cash opname, and monitoring of cash-on-hand. In actively in risk prevention, so that risk is a true risk [14].
practice, however, monitoring activities have not been
effective due to weaknesses in segregation of duties. Risk assessment includes identification, analysis, priority,
Meanwhile, separate evaluations are conducted through self- and response. Risk identification techniques are interviews
assessment, review, and audit of internal control system with the internal audit unit. Results of risk identification are
effectiveness as conducted by the internal audit unit. listed in Table IV.
However, a baseline for ongoing and separate evaluations is Risk analysis is achieved through interviews and is a step
currently not available. This means that no monitoring to determine an identified risk’s score by measuring the
strategy includes methods to emphasize to in-charge likely score and the impact score. Then risk priority is
operational personnel that they are responsible for internal calculated by multiplying the likely score by the impact
control and for monitoring control activities’ effectiveness as score. Results for obtained risk status are displayed in Table V.
TABLE III.CONTROL ENVIRONMENT IMPROVEMENT

Hard control Soft control


- Create an integrity pact to be signed annually by employees. - Management practices the Code of Conduct in daily actions and behavior.
- Make a description ofWrite job descriptions and employee - Management socializes all employees to the Code of Conduct and ensures
responsibilities related to implementation of internal controls. they understand its application.
- Describe internal control changes in SOPs according to the
theory, criteria, and indicators of control and related laws.
Source: Research Result
TABLE IV.RISK IDENTIFICATION

Risk Statement Cause Impact


Failure to take advantage of discounts - The Cash Flow Plan and Weekly Disbursement Plan are still weak. - Costs incurred are higher.
Payment for goods not received - Payment without authorization - Costs incurred are higher.
- Payment is not accompanied by supporting documents. - Payment is not for obtained goods
and/or services.
Duplicate payments - The project cannot distinguish between paid and unpaid vouchers. - Costs incurred are higher.
- Duplicate vouchers
Cash theft - Project bank account reconciliation is performed by someone who - Costs incurred are higher.
follows the cash disbursement procedure.
- The cash book is not recorded in an orderly way.
Cash flow problems - Cash in the head office bank account is simultaneously managed and - Costs incurred are higher due to
used for all projects. bank loan interest,
- Project budget planning and cash flow plans are weak. - Cross-subsidy burden of income
between projects.

68
Source: Research Result
Risk response is an organizational plan derived from  Control Activities
results of risk assessment. Larry Hubbard categorizes risk
response into four: avoiding, mitigating, transferring, and Categories listed in Table VII are commonly used in
accepting the risk [14]. control activities.

Fraud risk can be categorized into three conditions


termed the “fraud triangle,” as shown in Table VI.

TABLE V. RISK STATUS ASSESSMENT


No Risk Statement Likely Score Impact Score Total (3x4) Risk Status
1 2 3 4 5
1 Failure to take advantage of discounts 2 2 4 Low
2 Payment for goods not received 2 2 4 Low
3 Duplicate payments 2 2 4 Low
4 Cash theft 2 2 4 Low
5 Cash flow problems 3 3 9 High
Source: Research Result

TABLE VI. IDENTIFICATION OF FRAUD RISK


Risk Factors
Pressure
- Alignment between work pressure and incentives and bonuses does not meet employees’ expectations.
- Employees receive pressure from their families about lifestyle, medical expenses, and personal debt.
- Relationships between employees and management are not harmonious, thus motivating employees to commit fraud.
Opportunity
- Conflict between personal/family interests and company interests (family relations or similar business).
- Inadequate control in the cash disbursement cycle provides opportunities for employees to commit fraud.
Rationalization
- Ignoring the importance of risk identification and assessment in the cash disbursement cycle.
- Not reviewing and updating the cash disbursement cycle’s SOPs.
- Management and employees lack understanding of the Code of Conduct.
- Management and employees do not understand their duties and responsibilities in the internal control system of the cash disbursement cycle.
Source: Research Results
TABLE VII. CONTROL ACTIVITIES IMPROVEMENT
Categories
1 Establishment of Responsibility (Authorization and Approval)
- Establishment of responsibility toward cash in the company’s bank account at the head office to prevent cash flow problems. Currently, the staff
member in-charge of ensuring availability of funds in the company’s bank account is the Chief Financial Officer. However, if necessary, the Chief
Financial Officer may be accompanied by other personnel, considering PT XYZ is involved in a multibillion-dollar project with dense daily cash
inflows and outflows every week.
- Companies should have a written document describing its personnel composition under General Affairs, along with details of tasks and
responsibilities at the project site.
2 Verification
- Management determines what activities need to be verified, based on the underlying process’s inherent risk. Management also needs to
communicate clearly and document these decisions in the procedure. The employee responsible for verification should be required to document
that this activity did occur.
3 Documentation
- Management needs to review old or not updated SOPs in accordance with the company’s (current) activities.
- Archiving vendor invoices in accordance with the due date so that the company can obtain discount benefits from vendors.
4 Supervision
- Those responsible for supervision should:
a. Delegate tasks and ask staff responsible for major control activities,
b. Establish written procedures for completing tasks,
c. Systematically review and evaluate each staff member’s work,
d. Approve work on key points to ensure quality and accuracy,
e. Provide guidance and training when necessary,
f. Supervise review of documents (e.g., preliminary work).
5 Segregation of duties
- In a project site with a limited number of financial personnel, personnel at the head office need to be involved in reviewing and approving
transactions, reports, and reconciliations.
6 Access Security
- Management must secure departmental equipment, information, cash storage, checks, documents, and other resources that might be misused,
damaged, or stolen.
- Management needs to review periodically access to the SIMPro system to ensure appropriate employee access based on their duties.
7 Reporting
- Management needs to ensure that reporting staff understand reporting tasks and procedures.

69
Source: Research Result
TABLE VIII. INFORMATION AND COMMUNICATION RELATIONSHIPS
Information Communication

Control Document of Code of Conduct and integrity pact Management communicates integrity and ethics values in meetings,
Environment discussions, and by example in everyday activities. Employees also sign an
integrity pact to ensure that they understand their duties and responsibilities.
Written documents regarding employee responsibilities Management provides understanding to employees regarding responsibility of
related to implementation of internal controls and implementation of internal control through discussions and corporate
contingency plans for assignment information systems.
Standard procedure of cash disbursement Management conducts socialization and training for employees regarding
cash disbursement.
Risk Assessment Guidelines for identification and risk assessment ManagementIn meetings, management conducts discussions of risk
identification and assessment.
Control Written guidelines on standard procedures of cash Management conducts socialization and training for employees regarding
Activities disbursement and the amendments standard procedures of cash disbursement and amendments.
Written document on employee duties and Management socializes employees involved in the cycle.
responsibilities in the cash disbursement cycle
Monitoring Written document on monitoring method Interviews with personnel in-charge of the internal control evaluation process.

Written document on coverage plan and frequency of Interviews with staff involved in the cash disbursement cycle when
evaluation based on risk conducting the evaluation process.

Source: Research Result

TABLE IX.MONITORING IMPROVEMENT


Monitoring
- Establishing a monitoring strategy that includes methods to emphasize to operational and program personnel in-charge that they are responsible for
internal control and monitoring control activities’ effectiveness.

- Examination of monitoring activities by comparing activity information with information obtained from the information system and following up all
inaccuracies or other issues.

- Designing and implementing monitoring procedures that focus on persuasive information such as risk significance, timeframe since the last control
was evaluated, controls in areas with high personnel change rates, and effectiveness of the follow-up process.

Source: Research Result

 Information and Communication  In the risk assessment component, identified weaknesses


are lack of the following: written documents on risk
Information and communication components within the identification and assessment; a method for conducting
COSO framework are not independent, but are related to risk assessments; fraud risk identification; and
other components, as described in Table VII. documentation of mechanisms to manage risk during
One weakness identified in the information and change. Results of risk analysis in the risk assessment
communication component is lack of a fail-safe mechanism reveals one “high” risk—a cash flow problem; others are
to allow for anonymous or confidential communication. “low” risks—failure to take advantage of discounts due to
Suggestions for improvement are to create a whistleblower delayed payments, payments on unacceptable items,
hotline for use by internal and external parties, along with duplicate payments, and cash theft.
guidelines on the whistleblowing system. o Control activities’ weaknesses: Risk mitigation has
 Monitoring Activities not been considered; the SOP has not been updated;
the SOP has not explained the roles of technology
Table VIII displays improvements to the monitoring and the information system.
component.
o Information and communication weaknesses:
V. CONCLUSION AND SUGGESTIONS Socialization related to internal controls still needs
improvement; no separate communication lines
A. Conclusion
exist for anonymous/confidential communication.
The following conclusions were obtained in this research.
o Monitoring weaknesses: No monitoring strategies
 Weaknesses in the control environment include lack of an include methods emphasizing to in-charge
integrity pact related to the employee code of ethics; the operational personnel that they are responsible for
SOP has not been updated; and the contingency plan for internal control and for monitoring the control
assigning important responsibilities related to internal activities’ effectiveness; no written document exists
control’s implementation has not been documented. on plans and frequency of evaluation based on risk.

70
B. Research Limitations The suggestion for academics and future researchers is
This research has limitations not covered in the that this study research can exemplify evaluation of the
evaluation, listed below: internal control system by using COSO guidelines. Internal
Control Systems owned by the company may vary so that
 Evaluation of internal control focused only on the development of evaluation methods should be flexible and
cash disbursement cycle for construction projects at might be adopted by other, similar companies. In addition,
PT XYZ. further research is expected to extend the scope of this
research, not only for the cash disbursement cycle, but also
 Since this research uses the interview method, there for other business cycles.
is subjectivity.
 The risk assessment process in this study is based REFERENCES
on BPKP CSA guidelines established under the
five-element COSO framework. In addition, CSA [1] M. Gunduz and O. Onder, "Corruption and internal Fraud in the
was not accompanied by certified facilitators. Turkish construction industry," Sci. Eng. Ethics, 2013, vol. 19, pp.
505-528.
C. Suggestions [2] ACFE, Report to the Nations on Occupational Fraud and Abuse.
Austin: Association of Certified Fraud Examiners, 2016.
Suggestions to interested PT XYZ parties include:
[3] PT XYZ, Internal Audit Report. Jakarta, 2016.
 Improvements in aspects of hard and soft control [4] R. Elder, M. S. Beasley, A. Arens, and A.A. Jusuf, "Jasa Audit dan
Assurance: Pendekatan Terpadu," Jakarta: Salemba Empat, 2011.
 Writing a guideline for risk assessment, conducting [5] COSO, Internal Control - Integrated Framework Executive Summary.
risk assessment accompanied by a certified New York: The Committee of Sponsoring Organizations of the
facilitator, and updating guidelines in case of the Threadway Commission, 2013.
company’s significant internal and external changes [6] O.R. Whittington and K. Pany, Principles of Auditing & Other
Assurance Service, New York: McGraw Hill, 2014.
 Establishing responsibility, determining types of [7] H. Zhou, H. Zhou, and Z. Tian, "An analysis of internal control
activities to be verified and documented in the SOP; problem of State-Owned Highway Construction Enterprise-Take
documentation, supervision, improving segregation Huanyu Highway Construction & Development Co., Ltd. as an
of duties, periodically reviewing access security, Example,"Procedia Computer Science, 2013, vol. 17 , pp. 314-323.
and ensuring effective reporting. [8] W. F. Messier, S. M., Glover and D. F. Prawitt, "Jasa Audit dan
Assurance Pendekatan Sistematis," Jakarta: Salemba Empat, 2014.
 Improving socialization regarding changes to the [9] Rudianto, Pengantar Akuntansi Konsep dan Teknik Penyusunan
internal control system; considering initiation of a Laporan Keuangan. Jakarta: Erlangga, 2012.
fail-safe communication mechanism to enable [10] M. B. Romney and P. J. Steinbart, P. J. Accounting Information
anonymous or confidential communications, for Systems 13th Edition. Edinburgh: Pearson Education , 2015.
example, a whistleblower hotline. [11] PT XYZ, 2016 Annual Report. Jakarta: PT XYZ, 2017.
[12] PT XYZ, Instruksi Kerja Pembayaran Hutang. Jakarta, 2005.
 Establishing monitoring strategies; monitoring [13] PT XYZ, Instruksi Kerja Pengelolaan Kas Kecil Luar Kota. Jakarta,
control activities by comparing activity information 2007.
with information obtained from information [14] BPKP, Pedoman Pelaksanaan Control Self Assessment untuk
systems; and designing and implementing Penilaian Risiko. Jakarta: Badan Pengawasan Keuangan dan
monitoring focused on persuasive information. Pembangunan, 2013.

71
View publication stats

You might also like