Summary of Meeting 3

Upload: putri-permata-sari

Post on 06-Jan-2016


Internal Control Framework: The COSO Standard

Internal control is a process implemented by an enterprise's management, designed to provide reasonable assurance not only for accounting and finance but for all processes within the enterprise. An enterprise or a process has good internal control if it: (1) accomplishes its mission in an ethical manner; (2) produces accurate and reliable data; (3) complies with applicable laws and enterprise policies; (4) uses resources economically and efficiently; (5) provides appropriate safeguarding of assets. Management is responsible for establishing and managing its internal controls, and internal auditors assess their effectiveness and make appropriate recommendations.

The report published by COSO on internal control (called Internal Control Integrated Framework) introduced a framework for defining internal control together with procedures for evaluating those controls. In that report, internal control is defined as a process, effected by the enterprise's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the following objectives: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

Based on this very general definition of internal control, COSO uses a three-dimensional model to describe an internal control system in an enterprise. The COSO internal control framework is depicted as a three-dimensional model with five levels on the front-facing side and the three major components of internal control on the top of the diagram: financial reporting, compliance, and operations, representing the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. The right-hand side of the exhibit shows segments, but there could be multiples of these depending on the structure of the enterprise. However, in this three-dimensional model, each control is related to all others in the same row, stack, or column.

The point of the COSO internal controls model or framework is that we must always consider each identified internal control in terms of how it relates to other associated internal controls.

All internal auditors must develop an understanding of this COSO internal controls framework. No matter what area is under review, internal auditors always need to look at internal controls in this multilevel and three-dimensional manner. While this is true for all internal audit work, the concept is particularly valuable when assessing and evaluating internal controls using the COSO internal controls framework.

Risk Management: COSO ERM

COSO Enterprise Risk Management Integrated Format (COSO ERM) is an approach that allows an enterprise and internal audit to consider and assess risks at all levels, whether in an individual area, such as for an information technology (IT) development project, or in global risks regarding an international expansion. Released by the same COSO guidance-setting function that has developed and maintains the COSO internal controls framework, COSO ERM sometimes looks like its internal controls brother, but it has a much different feel and approach.

COSO Enterprise Risk Management is a framework to help enterprises to have a consistent definition of their risks. It is also an important tool for understanding and improving SOx internal controls. The COSO ERM framework document starts by defining enterprise risk management:

Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The COSO ERM framework is a three-dimensional cube with the following components:

- Four vertical columns representing the strategic objectives of enterprise risk.
- Eight horizontal rows or risk components.
- Multiple levels to describe any enterprise, from a headquarters entity level to individual subsidiaries. Depending on organization size, there can be many slices of the model here.

By focusing on the COSO ERM framework as well as general good risk management practices, internal audit can help an enterprise by planning and performing reviews of enterprise risk-management processes. Of course, to review COSO ERM practices and implementation procedures, internal auditors, either as internal audit reviewers of controls or consultants to management, need to develop a strong understanding of COSO ERM controls and processes.

Internal audit should review enterprise-wide ERM processes using some of these tools:

- As part of any identified ERM process, process flowcharts can be useful in describing how risk management operates in an enterprise. This requires looking at documentation prepared for risk-related processes, determining whether it reflects current conditions, and describing the overall adequacy of all levels of enterprise risk processes. Internal audit process modeling and process flowcharts are discussed in Chapter 16.
- An ERM process often results in a large volume of guidance materials, documented procedures, report formats, and the like. It may often be valuable for an internal audit to review these risk and control materials.
- Although an often misused term, benchmarking is the process of looking at functions in another environment to assess their operations and to develop improved approaches based on the best practices of others. The Institute of Internal Auditors' (IIA's) "Progress Through Sharing" motto and tradition, as well as benchmarking approaches discussed in Chapter 11, promote the gathering of comparative information. This often can be a useful technique here.
- Questionnaires are a good method for gathering information on ERM effectiveness from a wide range of people. They can be sent out to designated stakeholders with requests for specific information. This is often a valuable internal audit technique.