
Control & AIS (Accounting Information Systems)

Main topics:
CONTROL CONCEPTS

COBIT

COSO & COSO-ERM

1577.ws

Background: Why Control Matters in AIS

Driven by:
Massive use of computers
Ever-wider availability of data
Data & information confidentiality issues

The State of Control >>> today

In practice:

Minimal knowledge of networks & systems

Failure to recognise the importance of data and information, and of controlling them (in terms of time & cost)

The Importance of Control in AIS

How companies respond to the importance of control:

Dedicated staff for control & security
Raising knowledge of how to measure controls (educating)
Protect capabilities & risk
Establishing security policies
Control as part of application development
Extra protection for critical data

Note:
As accountants we are expected to assess the effectiveness of the system and to handle problems (eliminating, detecting, correcting, recovering)

Internal Control

Objective >>> to provide assurance on:

Safeguarding of assets (including data & information)
Adequacy of disclosure
Availability of accurate and reliable information
Compliance with regulations & management policy
Improved efficiency

Functions of Internal Control

Preventive: prevent problems before they occur
Detective: find problems promptly
Corrective: fix problems that have been found

Classification of Internal Control

General Control
Provides assurance that the company and its environment are operating properly

Application Control
Prevent, detect, and correct transaction errors and fraud
Focus: accuracy, completeness, validity, and authorization of data

Note:
Effective internal control helps achieve objectives and minimize surprises

Sarbanes-Oxley Act (SOX 2002)

Objectives:

Prevent fraud in financial reporting
Transparency of financial reporting
Protect investors
Improve internal control

Implications of SOX

SOX brought about:

PCAOB (Public Company Accounting Oversight Board) to oversee the audit profession
New rules for the audit profession
New rules for audit committees
New rules for management
Emphasis on the importance of internal control

Levers of Control

According to Robert Simons there are 4 kinds:

Concise System (a simple system)
Boundary System
Diagnostic Control System
Interactive Control System

Control Frameworks >>> types

COBIT FRAMEWORK
Control Objectives for Information and Related Technology
Developed by the Information Systems Audit and Control Foundation (ISACF)

COSO FRAMEWORK
Committee of Sponsoring Organizations, made up of: American Accounting Association, AICPA, Institute of Internal Auditors, Institute of Management Accountants, Financial Executives Institute
COSO issued the Internal Control Integrated Framework

COSO-ERM FRAMEWORK
COSO Enterprise Risk Management (ERM)

COBIT FRAMEWORK
Control is viewed from 3 sides:

COMPANY OBJECTIVES (OBJECTIVE)
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance with legal requirements
Reliability

INFORMATION TECHNOLOGY RESOURCES (RESOURCES)
People, Applications, Technology, Facilities, and Data

INFORMATION TECHNOLOGY PROCESSES (PROCESS)
Planning and organization
Acquisition and implementation
Delivery and support
Monitoring

COSO FRAMEWORK
Control consists of 5 components:

Control Environment
Focus: people (integrity, ethics, competence)

Control Activities
Focus: policies and procedures

Risk Assessment
Focus: risk identification, analysis, and risk management

Information & Communication
Focus: exchange of information within the company's operating activities

Monitoring
Focus: ongoing, built-in supervision

COSO ERM FRAMEWORK

ERM helps a company to:

Gain assurance that the company achieves its objectives
Meet financial and performance targets
Manage risk
Safeguard the company's credibility

Definition of Risk Management
Risk management is defined as:

A process, carried out by all of a company's people in formulating strategy, to identify potential events that may affect the entity and to manage risk so as to provide reasonable assurance regarding the achievement of the entity's objectives.

Basic Principles of ERM

The basic principles underlying ERM:

A company is established to provide benefit to its owners
Management faces uncertainty
Uncertainty takes two forms:
Risk: the possibility of a negative effect
Opportunity: the possibility of a positive effect

COSO ERM FRAMEWORK

The 4 categories of company objectives:

Strategic objectives: vision and mission
Operations objectives: effectiveness & efficiency
Reporting objectives: reliable & objective
Compliance objectives: regulations & competition

COSO ERM FRAMEWORK

Units within the company:

Entity level
Division
Business unit
Subsidiary

COSO ERM FRAMEWORK

Risk & control components:

Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring

INTERNAL ENVIRONMENT
Consists of:
Management and operating style
Leadership
Integrity, ethics, commitment, and competence
Organizational structure
Authority & responsibility
HRM (human resources management)
External influences (regulation)

Management and Operating Style

The organization's understanding of risk
Affects the company's operating activities (short & long term)
Risk appetite: the amount of risk the company is willing to accept in pursuing its objectives
Management style must be communicated clearly
The importance of the example set by management

Sample questions for assessing management style:

Does management assess potential risk before undertaking company activities?
Does management manipulate performance results?
Does management push employees to put results first without regard to methods or rules?

Leadership
Consists of:

Board of directors
Duties:
1. Reviewing management (plans, performance, activities)
2. Setting company strategy
3. Reviewing the financial statements and the company in general
4. Interacting with internal & external auditors

Audit committee

Duties:
1. Reviewing internal control
2. Overseeing the financial reporting process against the applicable regulations
3. Interacting with internal & external auditors (appointing, reviewing, and receiving their reports)

Human Resources Management

HR management covers:

Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality insurance and fidelity bonds

OBJECTIVE SETTING
Criteria:
Easy to understand and measure
Prioritised
Aligned with risk appetite
Objective-setting process:
Set strategic objectives
Identify alternative ways of achieving them
Assess the risk of each alternative
Set the company strategy
Set operations, compliance and reporting objectives

EVENT IDENTIFICATION
Influenced by
Internal factors
Infrastructure
People
Processes
Technology
External factors
Economic
Natural
Political
Social
Technological

EVENT IDENTIFICATION

Ways to identify events:

Compile a comprehensive list of potential events
Perform internal analysis
Monitor events and their causes
Hold interviews & workshops
Collect and analyse data
Perform process analysis

RISK ASSESSMENT AND RISK RESPONSE
Types of risk according to COSO:
Inherent risk
Residual risk
Responses to risk:
Reduce
Accept
Share
Avoid

RISK ASSESSMENT AND RISK RESPONSE

1. Identify the events or threats that confront the company
2. Estimate the likelihood or probability of each event occurring
3. Estimate the impact of potential loss from each threat
4. Identify set of controls to guard against threat
5. Estimate costs and benefits from instituting controls
6. Is it cost-beneficial to protect the system?
   Yes: Reduce risk by implementing set of controls to guard against threat
   No: Avoid, share, or accept risk

RISK ASSESSMENT AND RISK RESPONSE

Let's go through an example:

Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.
A catastrophic theft could result in losses of $800,000.
Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%.
Companies with motion detectors only have about a 0.5% probability of catastrophic theft.
The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000.
Should Hobby Hole install the motion detectors?

Expected loss without control procedure = $800,000 x 12% = $96,000.
Expected loss with control procedure = $800,000 x 0.5% = $4,000.
Estimated value of control procedure = $96,000 - $4,000 = $92,000.
Estimated cost of control procedure = $43,000 (given).
Benefits exceed costs by $92,000 - $43,000 = $49,000.
In this case, Hobby Hole should probably install the motion detectors.
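The cost-benefit test above, generalised into a reusable function as an added example that is not part of the original slides: it computes both expected losses, the value of the control and the net benefit for any threat, and returns which branch of the risk-response flowchart applies. The function and field names are my own; the Hobby Hole figures are used as the sample input.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class ControlDecision:
    expected_loss_without: float   # impact x probability with no control
    expected_loss_with: float      # impact x probability with the control
    value_of_control: float        # reduction in expected loss
    net_benefit: float             # value of control minus its cost
    response: str                  # "reduce" or "avoid, share, or accept"


def evaluate_control(impact: float, p_without: float, p_with: float,
                     control_cost: float) -> ControlDecision:
    """Expected-loss cost/benefit test from the risk assessment flowchart.

    impact       - loss if the event occurs (Hobby Hole: $800,000 theft)
    p_without    - probability of the event with no control (0.12)
    p_with       - probability of the event with the control in place (0.005)
    control_cost - present value of buying, installing and running the control
    """
    if not (0.0 <= p_with <= p_without <= 1.0):
        raise ValueError("need 0 <= p_with <= p_without <= 1")
    if impact < 0 or control_cost < 0:
        raise ValueError("impact and control_cost must be non-negative")

    loss_without = impact * p_without
    loss_with = impact * p_with
    value = loss_without - loss_with
    net = value - control_cost
    # Flowchart branch: cost-beneficial -> reduce the risk with the control;
    # otherwise the remaining options are to avoid, share, or accept it.
    response = "reduce" if net > 0 else "avoid, share, or accept"
    return ControlDecision(loss_without, loss_with, value, net, response)


if __name__ == "__main__":
    # Hobby Hole: expected losses $96,000 vs $4,000, net benefit $49,000 -> reduce
    print(evaluate_control(impact=800_000, p_without=0.12,
                           p_with=0.005, control_cost=43_000))
```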

CONTROL ACTIVITIES
Control activities include:
Proper authorization
Segregation of duties
Project development controls
Change management controls
Document & record design
Safeguarding of assets (including data)
Independent checks

Proper Authorization

Typically at least two levels of authorization:

General authorization
Routine transactions

Special authorization
Non-routine transactions
Significant effect
Requires management review

Segregation of Duties

To learn a little about segregation of duties, let's first meet Mr. X

CONTROL ACTIVITIES

Mr. X is responsible for safeguarding the company's cash, say $1,000

CONTROL ACTIVITIES

Ledger: $1,000

Mr. X also keeps the books for that money.

CONTROL ACTIVITIES

Ledger: $1,000

Mr. X has a date tonight, and he's a little desperate to impress that special someone, so he takes $100 of the cash. (Thinks he's only borrowing it, you know.)

CONTROL ACTIVITIES

Ledger: $900

Mr. X also records an entry in the books to show that $100 was spent for some legitimate purpose. Now the balance in the books is $900.

CONTROL ACTIVITIES

Ledger: $900

How will Mr. X ever get caught at his theft?

CONTROL ACTIVITIES

Now let's change the story. Mr. X is in charge of the pile of cash.

CONTROL ACTIVITIES

Ledger: $1,000

But Mrs. Y keeps the books.
This arrangement is a form of segregation of duties.

CONTROL ACTIVITIES

Ledger: $1,000

Mr. X gets in a pinch again and takes $100 of the organization's cash.

CONTROL ACTIVITIES

Ledger: $1,000

How will Mr. X get caught?

If this happens . . . (Mr. X and Mrs. Y act together)

Ledger: $1,000

Then segregation of duties is out the window
Collusion defeats segregation of duties

Segregation of Accounting Duties

Separate at least the following functions:

Authorization: approving transactions and decisions.
Recording: preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.
Custody: handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization's bank account.

Segregation of Duties within the Systems Function

Separate at least the following functions:

Systems administration
Network management
Security management
Change management
Users
Systems analysts
Programming
Computer operations
Information systems library
Data control
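A segregation-of-duties check over role assignments, as an added example that is not from the original slides: it treats any two of the three accounting functions (authorization, recording, custody) held by one person as a conflict, which is exactly the Mr. X arrangement above. The function names and the sample assignments are my own construction.

```python
from __future__ import annotations
from itertools import combinations

# The three accounting functions the slide says must be kept apart.
ACCOUNTING_DUTIES = {"authorization", "recording", "custody"}

# Any two of the three held by one person is incompatible; custody + recording
# is the Mr. X case (he holds the cash and keeps the books for it).
INCOMPATIBLE = {frozenset(p) for p in combinations(sorted(ACCOUNTING_DUTIES), 2)}


def sod_violations(assignments: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Return (person, duty_a, duty_b) for each incompatible pair one person holds.

    assignments maps a person to the set of accounting duties they perform.
    Unknown duty names are rejected rather than silently ignored, so a typo
    cannot make a conflicting assignment look clean.
    """
    found = []
    for person, duties in assignments.items():
        unknown = duties - ACCOUNTING_DUTIES
        if unknown:
            raise ValueError(f"{person}: unknown duties {sorted(unknown)}")
        for a, b in combinations(sorted(duties), 2):
            if frozenset((a, b)) in INCOMPATIBLE:
                found.append((person, a, b))
    return found


def is_segregated(assignments: dict[str, set[str]]) -> bool:
    """True when no single person holds two incompatible duties."""
    return not sod_violations(assignments)


if __name__ == "__main__":
    # Constructed sample: the two arrangements from the Mr. X story.
    before = {"Mr. X": {"custody", "recording"}}
    after = {"Mr. X": {"custody"}, "Mrs. Y": {"recording"}}
    print(sod_violations(before))   # [('Mr. X', 'custody', 'recording')]
    print(is_segregated(after))     # True
```

The check only sees what one person is assigned; collusion between Mr. X and Mrs. Y is invisible to it, which is why the slides pair segregation of duties with independent checks such as a cash count reconciled to the ledger.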


Project Development

Project development controls should at least be supported by:

Strategic master plan
Project controls
Data processing schedule
Steering committee
System performance measurements
Post-implementation review

Objective of project development controls:
Reduce cost and the risk of failure

Change Management Controls

Applied so that management changes do not have a negative impact on:

Systems reliability
Security
Confidentiality
Integrity
Availability

Independent Check

Ledger: $1,000

Let's look at Mr. X and Mrs. Y again. Assume that Mr. X stole cash but Mrs. Y did NOT alter the books.

CONTROL ACTIVITIES

Ledger: $1,000

Can Mr. X's theft be discovered if an independent party doesn't compare a count of the cash to what's recorded on the books?

CONTROL ACTIVITIES

Ledger: $1,000

Segregation of duties only has value when supplemented by independent checks.

Independent Check

Types of independent check:

Top-level reviews (actual vs plan)
Analytical reviews
Reconciliations
Physical checks
Double-entry accounting
Independent review

INFORMATION AND COMMUNICATION

Information controls:
Implementing policies and procedures for communicating information
Improving the accuracy of information
Restricting access to information
Protecting records and documents

MONITORING
Includes:
Evaluating ERM
Supervision
Responsibility accounting
Monitoring system activities
Tracking purchased software
Scheduled audits
Employing a computer security officer, a Chief Compliance Officer, and security consultants
Engaging forensic specialists
Installing fraud detection software
Implementing a fraud hotline

Thank You

Jakarta, 8 November 2011

