
(viii) COSO CONTROL ENVIRONMENT IN PERSPECTIVE

As somewhat of a different view, Exhibit 3.2 shows the COSO internal control framework as a pyramid,
with the control environment as its foundation. Here, the information and communications
component is not shown as an individual layer in the model but as a side component that encompasses
the Risk Assessment and Control Activities layers. This view was more common when the COSO
internal control framework was first drafted, but the Exhibit 3.1 version is much more common today.
This view does not show the components broken down entity by entity, as the right-hand side of
Exhibit 3.1 does.

Although not the typical view of the COSO internal controls framework, this concept is
important. Just as a strong foundation is necessary for a multistory building, the control environment
provides the foundation for the other components of internal control. An enterprise that is building a
strong internal control structure should give special attention to placing solid foundation bricks. Of
course, internal auditors should also keep this concept in mind when assessing internal controls.
Internal audit is a key part of this foundation, but the other components are essential as well.

Evaluating the COSO internal control environment does not just require a series of “do the
debits equal the credits?” types of rules or measures; it points to the need for strong overall policies
that are fundamental but may still differ from one enterprise to another. For example, there is no set of rules
defining what is meant by tone at the top; each executive’s message may be different. However,
the CEO and other key managers should adequately communicate these important enterprise
messages, usually following the CEO’s lead.

(b) Risk Assessment

Exhibit 3.1 shows the next level above the control foundation as risk assessment. An
enterprise’s ability to achieve its objectives can be at risk due to a variety of internal and external
factors. Understanding and managing the risk environment is a basic element of the internal control
foundation, and an enterprise should have a process in place to evaluate the potential risks that may
impact attainment of its objectives. The risk assessment component focuses on internal control
within an enterprise and has a much narrower focus than the COSO ERM framework discussed in
Chapter 6.

COSO internal controls risk assessment should be a forward-looking process that is
performed at all levels and for virtually all activities within the enterprise. COSO describes risk
assessment as a three-step process:

1. Estimate the significance of the risk.

2. Assess the likelihood or frequency of the risk occurring.

3. Consider how the risk should be managed and assess what action must be taken.

This COSO risk assessment process places responsibility on management to assess whether a
risk is significant and, if so, to take appropriate actions. COSO internal controls also emphasizes that
risk analysis is not a theoretical process; often it is critical to an entity’s overall success. As part of its
overall assessment of internal control, management should take steps to assess both the risks that may
impact the overall enterprise and those pertaining to various enterprise activities or entities. A variety
of risks, caused by either internal or external sources, may affect the overall enterprise. The COSO
internal controls framework suggests that risk should be considered from three perspectives:

1. Enterprise risks due to external factors. These risks include technological developments that can
affect the nature and timing of new product research and development or lead to changes in
procurement processes. Other external factor risks include changing customer needs or expectations,
pricing, warranties, or service activities. New legislation or regulations can force changes in operating
policies or strategies, and catastrophes, such as the World Trade Center terrorist attack, can lead to
changes in operations and highlight the need for contingency planning.

2. Enterprise risks due to internal factors. As internal auditors often highlight in their ongoing
reviews, there can be many types of enterprise-level risk. For example, a disruption in an enterprise’s
IT server or storage management processing facility can adversely affect overall operations. Also, the
quality of personnel hired, as well as their training or motivation, can influence the level of control
consciousness within the entity. In addition, the extent of employee access to assets can
contribute to misappropriation of resources. Although now better remedied by SOx, the COSO
internal controls report also cited the risk of an unassertive or ineffective board or audit committee
that can provide opportunities for indiscretions.

3. Specific activity-level risks. Besides being viewed at an enterprise-wide level, risk should also be
considered for each significant business unit and key activity. These activity-level concerns contribute to
the enterprise-wide risks and should be identified on an ongoing basis and considered in the various
planning processes throughout the enterprise. Where no such risk-assessment process exists in an
enterprise, internal auditors should consider this lack of a formal process as part of an overall internal
controls assessment.

All too often, management may have processes in place that give the appearance of risk
assessments but lack substance. For example, a new product authorization approval form may
include a selection box for the requester to describe the risk associated with the proposed product.
Local management may consistently describe them as “low”, with no further analysis until there is
some type of massive failure. When performing reviews in these areas, internal auditors should review
this analysis and discuss the reasoning behind these types of low risk assessments.

There has been much misunderstanding and confusion regarding the risk assessment element
of COSO internal controls because of the similarly named COSO ERM framework. The risk
assessment component of the internal controls framework covers risk assessment within an individual enterprise.
The COSO ERM framework covers the entire entity and beyond. These are two separate issues; one is
not a replacement for the other.

(c) Control Activities

The next layer up in the Exhibit 3.1 COSO internal control framework is called control
activities. This layer also appears as a separate horizontal layer above risk assessment in Exhibit 3.2,
but there it is encompassed by the information and communication component. Control activities are the
policies and procedures that help ensure that actions identified to address risks are carried out,
following a wide range of control activity sub-processes. Control activities exist at all levels within
an enterprise and, in many cases, may overlap one another. The concept of control activities is an
essential part of building and establishing effective internal controls in an enterprise. The COSO
internal controls framework identifies a series of these activities by type of process. From an internal
audit perspective, they should together be helpful in building effective overall internal control.

(i) TYPES OF CONTROL ACTIVITIES. Internal controls are generally classified as manual,
IT, or management controls, and they are also described in terms of whether they are preventive,
corrective, or detective control activities. While no one set of internal control definitions is correct for
all situations, COSO internal controls suggests a way to classify these control activities in an
enterprise. Although it certainly is not an all-inclusive list, the following points represent some of the
COSO-recommended internal control activities for an enterprise:

• Top-level reviews. Management and internal auditors, at various levels, should review the
results of their performance, contrasting those results with budgets, competitive statistics, and
other benchmark measurements. Management actions to follow up on the results of these top-
level reviews and to take corrective action represent a control activity.

• Direct functional or activity management. Managers at various levels should review the
operational reports from their control systems and take corrective action as appropriate. Many
management systems have been built to produce exception reports covering these control
activities. The control activity here is the management process of following up on these
reported events and taking appropriate corrective action.

• Information processing. IT systems contain many controls where systems internally check
for compliance in certain areas and then report any internal control exceptions. Those
reported exception items should receive corrective action by automated systems procedures,
by operational personnel, or by management. Other control activities include controls over the
development of new systems or over access to data and program files.

• Physical controls. An enterprise should have appropriate control over its physical assets,
including fixtures, inventories, and negotiable securities. An active program of periodic
physical inventories represents a major control activity here, and internal auditors can play a
major role in monitoring compliance.

• Performance indicators. Management should relate sets of data, both operational and
financial, to one another and take appropriate analytical, investigative, or corrective actions.
This process represents an important enterprise control activity that can also satisfy financial
and operational reporting requirements.

• Segregation of duties. Duties should be segregated among different people to reduce the risk
of error or inappropriate actions. This basic internal control procedure should be on almost
every internal auditor’s radar screen.

These control activities are included in the COSO internal controls report but represent only
a small number of the many control activities performed in the normal course of business; these and
others keep an enterprise on track toward achieving its many objectives. Control activities usually
involve both a policy establishing what should be done and procedures to effect that policy. While
these internal control activities sometimes may be communicated only orally, according to COSO
internal controls, no matter how they are communicated, they should be implemented
“thoughtfully, conscientiously, and consistently”. This is a strong message for internal auditors
reviewing internal control activities. Even though an enterprise may have a published policy covering
a given area, there should be established internal control procedures to support that policy. Procedures
are of little use unless there is a sharp focus on the condition to which they are directed. All too often,
an enterprise may establish a control violations exception report as part of an IT system, yet the reported
control violations receive little more than a cursory review by the report recipients. Depending on
the types of conditions reported, those exceptions should instead receive appropriate follow-up
actions.

(ii) INTEGRATION OF CONTROL ACTIVITIES WITH RISK ASSESSMENT.

Control activities should be closely related to the risks identified by the COSO internal
controls risk assessment component. Internal control is a process, and appropriate control activities
should be installed to address identified risks. Control activities should not be installed just
because they seem to be the right thing to do if there are no significant risks in the area where
the control activities would be installed. Sometimes control activities in place once served some
control-risk concern, although those concerns have since largely gone away. A control activity procedure
should not be discarded just because there have not been control violation incidents in recent years,
but management needs to periodically reevaluate the relative risk. All internal control activities should
contribute to the overall control structure. Internal auditors should keep this concept in mind as they
review internal controls and make recommendations.

(iii) CONTROLS OVER INFORMATION SYSTEMS. The COSO internal controls framework
emphasizes that control procedures are needed over all significant IT or information systems, whether financial,
operational, or compliance related. COSO internal controls breaks down information system
controls into the well-recognized general and application controls. General controls apply to much of the
function of the information systems to help ensure adequate control procedures over all applications. A
physical security lock on the door to the IT server center is such a general control for all applications
running on servers within that facility.

The term application controls refers to controls over specific IT processes. An example is a control in a weekly payroll IT
program that prevents any employee from being paid for over 80 hours in a given week. The COSO
internal controls framework highlights a series of IT control areas for evaluating the overall adequacy
of internal controls. General controls include all centralized server center or data storage management
controls, including job scheduling, database management, and business continuity planning. These
controls typically are the responsibility of specialists in centralized computer server or storage
management centers. However, with newer, more modern systems connected to one another through
telecommunications and network links, these controls can be distributed across a large web of
server-based systems.
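As an added illustration (not code from the chapter or from COSO), here is the weekly payroll application control described above, combined with the exception-report follow-up and the segregation of duties that the control activities discussion calls for. Only the 80-hour limit comes from the text; the timesheet records, field names and disposition values are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Application-control limit from the chapter: no employee is paid for more
# than 80 hours in one weekly payroll run.
MAX_WEEKLY_HOURS = 80.0

# Dispositions that count as real follow-up (constructed values); a bare
# acknowledgement such as "noted" is exactly the cursory review the text warns about.
ACCEPTED_DISPOSITIONS = {"corrected", "override_approved", "false_positive"}

# Constructed sample timesheets for one weekly run (not data from the page).
TIMESHEETS = [
    {"employee_id": "E100", "week_ending": "2024-03-08", "hours": 40.0},
    {"employee_id": "E101", "week_ending": "2024-03-08", "hours": 80.0},  # at the limit: allowed
    {"employee_id": "E102", "week_ending": "2024-03-08", "hours": 96.0},  # over the limit: blocked
    {"employee_id": "E103", "week_ending": "2024-03-08", "hours": -5.0},  # bad input: blocked
]


@dataclass
class ControlException:
    """One line of the exception report; reviewed_by/disposition stay None until follow-up."""
    employee_id: str
    week_ending: str
    hours: float
    reason: str
    reviewed_by: Optional[str] = None
    disposition: Optional[str] = None


def validate_timesheet(ts: dict) -> Optional[str]:
    """Preventive check: return a rejection reason, or None if the timesheet may be paid."""
    hours = ts.get("hours")
    if not isinstance(hours, (int, float)) or isinstance(hours, bool):
        return "hours field is not numeric"
    if hours < 0:
        return "negative hours"
    if hours > MAX_WEEKLY_HOURS:
        return f"{hours} hours exceed the weekly limit of {MAX_WEEKLY_HOURS}"
    return None


def run_payroll(timesheets: List[dict]) -> Tuple[List[str], List[ControlException]]:
    """Pay only timesheets that pass the check; everything else goes to the exception report."""
    paid: List[str] = []
    exceptions: List[ControlException] = []
    for ts in timesheets:
        reason = validate_timesheet(ts)
        if reason is None:
            paid.append(ts["employee_id"])
        else:
            exceptions.append(ControlException(ts["employee_id"], ts["week_ending"],
                                               ts["hours"], reason))
    return paid, exceptions


def record_followup(exc: ControlException, reviewer: str, disposition: str) -> None:
    """Record corrective action; segregation of duties forbids reviewing one's own timesheet."""
    if reviewer == exc.employee_id:
        raise ValueError("reviewer may not follow up on their own timesheet")
    if disposition not in ACCEPTED_DISPOSITIONS:
        raise ValueError(f"disposition must be one of {sorted(ACCEPTED_DISPOSITIONS)}")
    exc.reviewed_by = reviewer
    exc.disposition = disposition


def unresolved_exceptions(exceptions: List[ControlException]) -> List[ControlException]:
    """Detective check an internal auditor can run: exceptions with no recorded follow-up."""
    return [e for e in exceptions if e.reviewed_by is None or e.disposition is None]


if __name__ == "__main__":
    paid, report = run_payroll(TIMESHEETS)
    record_followup(report[0], "payroll_supervisor", "corrected")
    print("paid:", paid)
    for e in unresolved_exceptions(report):
        print("OPEN:", e.employee_id, e.reason)
```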

The COSO internal controls framework document concludes with a discussion on the need to
consider the impact of evolving technologies when evaluating information systems control
activities. Due to the rapid introduction of new technologies, what is new today will soon be replaced
by something else. COSO internal controls has not introduced anything new with regard to IT
controls but has highlighted their importance in the overall internal control environment.

(d) Communications and Information

Exhibit 3.1, the model of the COSO internal controls framework, describes its components as layers,
one on top of another, starting with the internal control environment as the foundation. The pyramid
model in Exhibit 3.2 describes the information and communication component not as a horizontal layer
but as a side element that crosses other components. Information and communications are related but
distinct components of the internal control framework. Appropriate information, supported by IT systems,
must be communicated up and down the enterprise in a manner and time that allows people to carry
out their responsibilities. In addition to formal and informal communication systems, enterprises must
have effective procedures in place to communicate with internal and external parties. These
information and communication flows in the enterprise must be understood for any internal control
evaluation, such as for a SOx Section 404 evaluation.