Internal Control over

Financial Reporting
(ICFR) Workshop.
February 19 21, 2007
 Workshop Agenda
Session Start End
Day 1
Safety announcement Building Management 08:55 09:00
Opening : 09:00 09:15
a. The IIA Indonesia Chapter : Edwinsjah Iskandar (Vice
President)
b. Deloitte : Osman Sitorus (COO - Deloitte)
Workshop Outline/Introduction 09:15 09:30
Revolutionary Challenges in the Internal Audit Profession 09:30 10:15
Break 10:15 10:30
Sarbanes-Oxley Act Requirements 10:30 11:15
Indonesia Regulations in relation to ICFR 11:15 11:45
Lunch 11:45 13:15
COSO Overview 13:15 14:00
Internal Control over Financial Reporting (ICFR) Overview 14:00 15:00
Break 15:00 15:15
Control Structure 15:15 16:00
Control Environment 16:00 17:00

2 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Workshop Agenda
Session Start End
Day 2
Risk Assessment 09:00 10:15
Break 10:15 10:30
Control Activities 10:30 12:00
Lunch 12:00 13:30
Control Activities 13:30 14:00
Process Level Case Study 14:00 15:15
Break 15:15 15:30
Information and Communication 15:30 17:00
Day 3
Monitoring 09:00 10:15
COSO Benefits 10:15 10:30
Break 10:30 10:45
Hard Controls and Soft Controls 10:45 11:15
Summary 11:15 11:50
Closing 11:50 12:00

3 ICFR Workshop 19-21 February, 2007 2007 Deloitte

 Activity
Directions:
As we start this workshop, think about your learning goal why you are here.
Then, at the end of the program, assess how successful you have been in
achieving this goal.
1. In the space below, identify and record a learning goal that you have for this
training course?
2. Then, in approximately 1 minute, talk to the person beside you and discuss
the following:
Your Name and Company
Thoughts about what is most challenging about internal auditing
Learning goal for this course.
3. Be prepared to share this to the group.

As a result of participating in this workshop, I want to be able to:

4 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Revolutionary
Challenges
Activity
Directions:
1. Form and work in small group of about 8-9 participants.
2. Answer the following questions below.
3. Summarize your group response on the worksheet.
4. Select a group spokesperson and be prepared to share your group
responses to us.
Based on your experience, kindly write down the changes that you have
noticed in field of internal audit profession with respect to the following areas
(pls. include examples):
Areas Past (before) Present (now)
1. Focus of Audit?
2. Preparation of Audit Plan?
3. Role in the Organization?
4. Use of Information Technology (IT)?
5. How people view Auditors?

6 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Revolutionary Challenges
Transforming Internal Audit Internal Audit Maturity Model

Viewpoints Baseline Cumulative or Mainstream Cumulative or Leading Edge

Evolutionary* Evolutionary*
Philosophy
Perspective Focus on the past: Cumulative Focus on the Cumulative Focus on the future:
retrospective present
Proactive approach
Look at what toward risk mitigation
happened and development of
controls
Defining Effectiveness
Focus Audit entity based on Evolutionary Audit entity Evolutionary Focus on strategic,
rotation plan prioritized based business, and process
on inherent risk toward risk
Style Corporate policy Cumulative Supportive Cumulative Advisor
Organization Structure
Responsibility Audit for compliance Evolutionary Auditing and Evolutionary Auditing and
suggesting consulting
Existence of Audit Not likely Evolutionary Occasionally Evolutionary Member if c suite
Executive
Internal Audit Controller Evolutionary CFO/COO Evolutionary Audit committee chair
Reporting Lines

* Cumulative: The past practices of internal audit function are absorbed into and become part of new, expanded practices.
Evolutionary: The past practices of internal audit are discarded as new practices are adopted to take their place.
7 ICFR Workshop 19-21 February, 2007 2007 Deloitte
Revolutionary Challenges
Transforming Internal Audit Internal Audit Maturity Model

Viewpoints Baseline Cumulative or Mainstream Cumulative or Leading Edge

Evolutionary* Evolutionary*
Role of Internal Audit in the Sarbanes-Oxley Era
Objectives and Compliance to Cumulative Assurance on Cumulative Business Assurance
Mandates (financial) policies & financial control,
procedures compliance
Sarbanes-Oxley N/A Evolutionary Participating in the Evolutionary Management ownership/
Ownership Sarbanes-Oxley effort IA validation
Independence and Hopefully Cumulative Generally Cumulative Absolutely
Objectivity
Technology
Toolkit Automated Cumulative Sampling programs & Cumulative Real-time monitoring
workpapers standalone data
analysis
IT Audit Ill-defined Cumulative GCC, Security, Cumulative Consulting to improve
Applications infrastructure
Fraud Detection
Fraud Prevention Generally not Evolutionary Reactive Cumulative Proactive
and Detection addressed
Risk Management
Risk Focus Operational Cumulative Operational & Cumulative All enterprise risks
Financial
* Cumulative: The past practices of internal audit function are absorbed into and become part of new, expanded practices.
Evolutionary: The past practices of internal audit are discarded as new practices are adopted to take their place.
8 ICFR Workshop 19-21 February, 2007 2007 Deloitte
Sarbanes Oxley Act
of 2002
What is Sarbanes Oxley Act?
SOX
Enacted US corporate governance law in
response to major corporate collapses

Board Audit External Audit Controls Whistle-blower Use of non-GAAP

Committee Independence Certification Financial
& Attestation Measures

Its objectives are to:

S302
Disclosure
controls
Protect investors and workers
Deter and punish wrongdoers

10 ICFR Workshop 19-21 February, 2007 2007 Deloitte

 Where did the name come from?
Where did the name come from?

Senator Congressman
Paul S. Sarbanes (MD) Michael G. Oxley (OH)

11 ICFR Workshop 19-21 February, 2007 2007 Deloitte

 Sarbanes-Oxley Requirements
Key Requirement Implication
Sections of the Act

302 Corporate responsibility for financial Accuracy issues resulting in criminal prosecution of
reports company officers must be identified and removed
404 Management assessment of internal
Requires ongoing documentation, evaluation, and testing,
controls and remediation of financial reporting controls

409 Real time issuer disclosures. Monitoring, prevention, and real-time disclosure of
material changes must be systematic and ongoing

802 Criminal penalties for altering Digital vaulting and ready access to historical records,
documents. including correspondence and e-mails, must be implemented

Other Mandatory Requirements

Section Section

103 Auditing, quality control, and independence standards and rules 403 Disclosures of transactions involving management and principal
109 Funding stockholders

202 Preapproval requirements 406 Code of ethics for senior financial officers

206 Conflicts of interest 407 Disclosure of audit committee financial expert

301 Public company audit committees 408 Enhanced review of periodic disclosures by issuers

303 Improper influence on conduct of audits 501 Treatment of securities analysts by registered securities
associations and national securities exchanges.
304 Forfeiture of certain bonuses and profits
806 Protection for employees of publicly traded companies who
305 Officer and directors and penalties provide evidence of fraud
306 Insider trades during pension fund blackout periods 906 Corporate responsibility for financial reports
401 Disclosures in periodic reports. 1102 Tampering with a record or otherwise impeding an official
402 Enhanced conflict of interest provisions proceeding

12 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Section 404
Under the SEC rules, managements report on internal control over financial
reporting (ICFR) should include the following information:
Statement of managements responsibility for establishing and maintaining adequate
internal control over financial reporting;

Statement identifying the framework used by management to conduct the required

evaluation of the effectiveness the companys internal control over financial reporting;
Managements assessment of the effectiveness of the companys internal control over
financial reporting as of the end of the companys most recent fiscal year, including a
statement as to whether or not the companys internal control is effective. The
assessment must include disclosure of any material weakness in the companys
internal control over financial reporting identified by management. Management is not
permitted to conclude that the companys internal control is effective if there is one or
more material weaknesses in the companys internal control over financial reporting;
and
A statement that the registered public accounting firm that audited the financial
statement included in the annual report has issued an attestation report on
managements assessment of the registrants internal control over financial reporting.

13 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Examples of Management Report in ICFR
The management of [company name] is responsible for establishing and maintaining adequate
internal control over financial reporting. This internal control system was designed to provide
reasonable assurance to the companys management and board of directors regarding the
preparation and fair presentation of published financial statements.
[Company name] management assessed the effectiveness of the companys internal control
over financial reporting as of [year-end]. In making this assessment, it used the criteria set forth
by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in Internal
Control Integrated Framework. Based on our assessment, we believe that, as of [year-end],
the companys internal control over financial reporting is effective based on those criteria.
All internal control system, no matter how well designed, have inherent limitations. Therefore,
even those systems determined to be effective can provide only reasonable assurance with
respect to financial statement preparation and presentation. Because of its inherent limitations,
internal control over financial reporting may not prevent or detect misstatements. Also,
projections of any evaluation of effectiveness to future periods are subject to the risk that controls
may become inadequate because of changes in conditions, or that the degree of compliance with
the policies or procedures may deteriorate.
Our internal control over financial reporting and managements assessment of the effectiveness
of internal control over financial reporting as of [year-end] have been audited by [Name of
External Auditor], as stated in their report which is included on page [xx] of this Annual Report.

Chief Executive Officer Chief Financial Office

[Date]

14 ICFR Workshop 19-21 February, 2007 2007 Deloitte

What is a Material Weakness?
(based on Public Company Accounting Oversight Board or PCAOB)
A material weakness is a significant deficiency, or combination
of significant deficiencies, that results in a more than remote
likelihood that a material misstatement of the annual or interim
financial statements will not be prevented or detected.

A significant deficiency is a control deficiency, or combination of

control deficiencies, that adversely affects the companys ability to
initiate, authorize, record, process or report external data
reliability in accordance with generally accepted accounting
principles such that there is more than a remote likelihood that a
misstatement of the companys annual or interim financial
statements that is more than inconsequential will be prevented or
detected.
remote likelihood when it either reasonable possible or
probable
inconsequential is subject to a reasonable person test

15 ICFR Workshop 19-21 February, 2007 2007 Deloitte

What is a Material Weakness?
(based on Public Company Accounting Oversight Board or PCAOB)

A control deficiency exist when the design or operation of a

control does not allow management or employees, in the normal
course of performing their assigned functions, to prevent or detect
misstatements on a timely basis.
A deficiency in design exist when (a) a control necessary to meet
the control objective is missing or (b) is not properly designed so
that, even if the control operates as designed, the control
objective is not always met.

A deficiency in operation exist when a properly designed control

objective does not operate as designed, or when the person
performing the control does not possess the necessary authority
or qualifications to perform the control effectively.

16 ICFR Workshop 19-21 February, 2007 2007 Deloitte

What is a Material Weakness?
(based on Public Company Accounting Oversight Board or PCAOB)

PCAOBs framework for evaluating deficiencies in internal control

over financial reporting is therefore based on an assessment of the
magnitude of the potential misstatement and the likelihood of
occurrence.
17 ICFR Workshop 19-21 February, 2007 2007 Deloitte
List of deficiencies that are considered at least significant
deficiencies in ICFR (based on PCAOB guidelines)

Deficiencies in:
Controls over the selection and application policies that
are inconformity with GAAP;
Antifraud programs and controls;
Controls over routine and non-systematic transactions;
and
Controls over the period-end financial reporting, including
controls over procedures used to enter transaction totals
into general ledger; initiate, authorize, record and process
journal entries into general ledger; and record recurring and
nonrecurring adjustments to the financial statements.

18 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Listed circumstances representing de facto significant
deficiencies as well as a strong indicator that a material
weakness in ICFR exists (based on PCAOB guidelines)
Restatement of previously issued financial statement to reflect the correction
of a misstatement
Identification by the auditor of a material misstatement in financial statement
in the current period that was not initially identified by the companys internal
control over financial reporting
Oversight of the companys external financial reporting and internal control
over financial reporting by the companys audit committee is ineffective
The internal audit function or the risk assessment function is ineffective at a
company needing such a function to have effective monitoring and risk
assessment
An ineffective regulatory compliance function for complex entities in high
regulated industries
Identification of fraud any magnitude on the part of senior management
Significant deficiencies, previously communicated to management and the
audit committee, remain uncorrected after some reasonable time
An ineffective control environment

19 ICFR Workshop 19-21 February, 2007 2007 Deloitte

The independent Auditors Report
The content of the auditors report is prescribed by Public Company
Accounting Oversight Board (PCAOB) standard, and there are many
nuances to the auditors reporting. The most common opinions on the
effectiveness of internal control over financial reporting will be:

Unqualified Opinion. An opinion that internal control over financial

reporting is effective: no material weaknesses in internal control over
financial reporting exist as of the financial year-end assessment date.
Adverse Opinion. An opinion that internal control over financial reporting
is not effective: one or more material weaknesses exist as of the financial
year-end assessment date.
Disclaimer Opinion. A report stating that restrictions on the scope of
the auditors work prevent the auditor from expressing an opinion on
the companys internal control over financial reporting.

20 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Report of Independent Registered Public Accounting
Firm on ICFR
We have audited managements assessment, included in the Because of its inherent limitations, internal control over financial
accompanying [title of managements report] that [name of company, reporting may not prevent or detect misstatements. Also, projects
for example W Company] maintained effective internal control over of any evaluation of effectiveness to future periods are subject to
financial reporting as of [year-end], base on [Identify control criteria, the risk that controls may become inadequate because of
for example, criteria established in Internal Control-Integrated changes in conditions, or that the degree of compliance with the
Framework issued by the Committee of Sponsoring Organizations of policies or procedures may deteriorate.
the Treadway Commission (COSO)]. W Companys management
is responsible for maintaining effective internal control over financial In our opinion, managements assessment that W Company
reporting and for its assessment of the effectiveness of internal maintain effective internal control over financial reporting as [year-
control over financial reporting. Our responsibility is to express an end], is fairly stated, in all material respects, based on [Identify
opinion on the effectiveness of the companys internal control over control criteria, for example, criteria established in Internal
financial reporting based on our audit report. Control-Integrated Framework issued by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO)].
A companys internal control over financial reporting is a process Also, in our opinion, W Company maintained, in all material
designed to provide reasonable assurance regarding the reliability of respects, effective internal control over financial reporting as of
financial reporting and the preparation of financial statements for [year-end], based on [Identify control criteria, for example,
external purposes in accordance with generally accepted accounting criteria established in Internal Control-Integrated Framework
principles. A companys internal control over financial reporting issued by the Committee of Sponsoring Organizations of the
include those policies and procedures that (1) pertain to the Treadway Commission (COSO)].
maintenance of records that, in reasonable detail, accurately and We have also audited, in accordance with the standards of the
fairly reflect the transactions and dispositions of the assets of the Public Company Accounting Oversight Board (United State), the
company; (2) provide reasonable assurance that transactions are [Identify the financial statements] of W Company and our report
recorded as necessary to permit preparation of financial statements in dated [date of report, which should be the same as the date of the
accordance with generally accepted accounting principles, and that report on the effectiveness of internal control over financial
receipts and expenditures of the company are being made only in reporting] expressed [include nature of opinion].
accordance with authorizations of management and directors of the
company; and (3) provide reasonable assurance regarding prevention
or timely detection of unauthorized acquisition, use or disposition of [Signature]
the companys assets that could have a material effect on the
financial statements. [City and State or Country]
[Date]

21 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Indonesia Regulations
in relation to ICFR
Indonesia Regulations
BAPEPAM Regulation No. X.K.6 concerning Obligation to
Submit Annual Report for Listed Companies, dated
December 7, 2006
Article 2 : Form and Content of Annual Report
Sub-article (g) : Corporate Governance

Point 6:
Explanation on internal control implemented by the company and
performance of internal control and internal audit function
Point 7:
Explanation on risks faced and actions taken by the company to manage
those risks, e.g.: risks from exchange rate or interest rate fluctuation,
competition, supplies, other countries or international regulations and
government policies

23 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Indonesia Regulations (contd)

PSA 62 Compliance Audit on Government Entities and

Other Government Aids Recipients

Paragraph 8:
Auditor should design the audit to give reasonable assurance that the financial
statements are free of material misstatements caused by breach of applicable
laws that has direct and material impact on financial statement figures.

Paragraph 19:
Auditor should consider to obtain additional representation from management
stating:
management is responsible for the entitys compliance with applicable laws;
and
management has identified and disclosed to auditor all applicable laws that
has direct and material impact on financial statement figures.

24 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Indonesia Regulations (contd)

PSA 62 Compliance Audit on Government Entities and

Other Government Aids Recipients (Contd)
Paragraph 24:

Referring to Government Audit Reporting Standard, report of financial audit

should:
explain the audit scope of compliance with applicable laws and internal
controls and disclose the audit result; or
refer to separate report containing the information.

25 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Indonesia Regulations (contd)

PSA 62 Compliance Audit on Government Entities and

Other Government Aids Recipients (Contd)
Paragraph 33:
Referring to Government Audit Standard, the auditor should:
report, in writing, on the entitys internal control;
describe every reportable condition found, including identification of
condition considered as material weakness; and
communicate the following matters:
identification of internal control categorizations (control
environment, security control, control of compliance with applicable
laws, control risk assessment);
description of audit scope in gaining understanding of internal
control and assessing control risks; and
description of internal control weaknesses considered as not
significant enough to be considered as reportable condition.
26 ICFR Workshop 19-21 February, 2007 2007 Deloitte
Overview of COSO
Overview of COSO Framework
Internal control means different things to different people
This causes confusion among businesspeople, legislators,
regulators and others
As a result, miscommunication and different expectations may
arise and cause problems within an organization
With this regards, there is a need for a set of standards that:
- Establish a common definition serving the needs of different parties
- Provide a standard against which organizations - large or small, in the
public or private sector, for profit or not - can assess their control system and
determine how to improve them
This is achieved by the introduction of COSO Internal Controls
Framework (1992)

28 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Overview of COSO Framework (contd)
What COSO stand for?

What is COSO?
It is a voluntary private sector organization dedicated to improving the quality
of financial reporting through business ethics, effective internal controls, and
corporate governance. It consist of five (5) major professional organizations
in the United States, namely:
American Accounting Association

Financial Executives Institute

Institute of Internal Auditors

Institute of Management Accountants

American Institute of Certified Public Accountants

29 ICFR Workshop 19-21 February, 2007 2007 Deloitte
Activity

Directions:
1.In the space below, write down your own definition or
understanding of Internal Control?
2.Then, compare and share your answer with the person
beside you.
3.Also, be prepared to share your answer with us and to
take notes as other participants share their ideas.

What is Internal Control?

30 ICFR Workshop 19-21 February, 2007 2007 Deloitte

COSO Internal Control Integrated
Framework
Internal Control is a process, affected by an entitys board of
directors, management and other personnel, designed to provide
reasonable assurance regarding the achievement of business
objectives.
Key objectives of internal control:

Operations Financial

Preparation of Reliable
Effective and Efficient Use Financial Statements
of Resources

Compliance

Compliance with laws and

regulations

31 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Internal control - Process

Not one event or circumstance, but a series of actions

that are pervasive and spread across an entitys
activities
Part of the business processes that are managed
through the basic management processes of planning,
executing and monitoring
Is integrated with the business processes and enables
them to function and monitors the performance and
relevancy
Should be built in not built on an organizations
processes and infrastructure

32 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Internal Control - People

Is effected by a board of directors, management and

other personnel in an organization each is
important
Control mechanism is put in place by people to
achieve objectives they establish
Recognizes that people do not always understand,
communicate and perform consistently
Controls are affected and affect people in order that:
People know their responsibilities
A clear linkage exists between peoples duties
and the way they are carried out

33 ICFR Workshop 19-21 February, 2007 2007 Deloitte

 Internal Control Reasonable Assurance

No matter how well designed and operated, can provide only

reasonable assurance

Likelihood of achievement is affected by inherent limitations:

Human judgment in decision making can be faulty
Balance between costs and benefits
Breakdowns can occur due to human failures such as error
or mistake
Controls can be circumvented by collusion
Management can override the internal control system

34 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Internal Controls - Objective
Every organization sets out a mission, establishing objectives it
wants to achieve and strategies for achieving them
Objectives may be broad or specific
Objectives generally fall under:
Operations relating to effective and efficient use of
entitys resources, including safeguarding of assets
Financial reporting relating to preparation of reliable
published financial statements
Compliance relating to an organizations compliance with
applicable laws and regulations
Internal controls contribute to achievement of objectives, but cannot
guarantee
Controls provide reasonable assurance that management and BOD
are made aware in a timely manner about whether the organization
is moving toward its objectives
35 ICFR Workshop 19-21 February, 2007 2007 Deloitte
COSO Internal Control Integrated
Framework
The process to determine
whether internal control is
The process adequately designed, executed,
that ensures effective and adaptive
that relevant
information is
identified and
communicated The policies and procedures
in a timely that help ensure that actions
manner identified to manage risk are
executed

The evaluation
of internal and
external factors The control conscience of the
that impact an organization the tone at the
organizations top
performance

36 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Scope Covered by Section 404
SOA 404 focus on reliability of financial reporting

e
g
ns

nc
l i n
tio

ia ort

ia
c

pl
ra

n ep
om
pe

n a
Fi R - BUs included in the evaluation scope
O

Unit B
C

Process 2
Monitoring Process 1 - Processes identified as significant
Information & regarding financial reporting
Communication
Unit A

Control Activities
Risk Assessment
Control Environment

- Determination of controls to address financial reporting risks

- Documentation of controls : policies and procedures
- Evaluation of the operating effectiveness of controls

37 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Overview of Internal
Control over Financial
Reporting (ICFR)
What is ICFR? (as defined by SEC)
A process designed by, or under the supervision of, the registrants
principal executive and principal financial officers, or persons performing
similar functions, and effected by the registrants board of directors,
management and other personnel, to provide reasonable assurance
regarding the reliability of financial reporting and the preparation of financial
statements for external purposes in accordance with generally accepted
accounting principles and includes those policies and procedures related to:
Pertain to the maintenance of records that in reasonable detail
accurately and fairly reflect the transactions and disposition of the
assets of the registrant;
Provide reasonable assurance that transactions are recorded as
necessary to permit preparation of financial statements in accordance
with generally accepted accounting principles, and receipts and
expenditures of the registrant are being made only in accordance
with authorizations of management and directors of the registrant;
and
Provide reasonable assurance regarding prevention or timely
detection of unauthorized acquisition, use or disposition of the
registrant assets that could have a material effect on the financial
statements.
39 ICFR Workshop 19-21 February, 2007 2007 Deloitte
Key Concept
The gist of the definition is contained in the SECs interpretation that
internal control over financial reporting covers the applicable laws
and regulations directly related to preparation of financial statements.

The SECs definition of internal control over financial reporting

includes policies and procedures that:
1. Maintenance of records
9Retention of appropriate records
2. Transactions are executed in accordance with authorizations of
management and directors
9Authorization
9Completeness and Accuracy
9Evaluation of balances
3. Misappropriate of assets
9Access to assets

40 ICFR Workshop 19-21 February, 2007 2007 Deloitte

What is Financial Reporting?

Annual financial statements

Balance Sheets
Income Statement
Statement of Cash Flow
Notes to Financial Statements

41 ICFR Workshop 19-21 February, 2007 2007 Deloitte

What makes a Financial Report Reliable?
It should address the 5 assertions under Financial Statements:

1. Existence or Occurrence Assets, liabilities, and ownership interest exist are a specific
date, and recorded transactions represent that actually
occurred during a period

2. Completeness All transactions and other events and circumstances that

occurred during a specific period, and should have been
recognized in that period, have, in fact, been recorded

3. Valuation or Allocation Assets, liabilities, revenue, and expense components are

recorded at appropriate amounts in conformity with relevant
and appropriate accounting principles
4. Rights & Obligations Assets are the rights, and liabilities are the obligations, of a
the entity at a given date

5. Presentation & Disclosure Items in the statements are properly classified, described,
and disclosed

42 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Examples of ICFR
Business Process: Cash Receipt

Financial Control Objective Risk Control Activities

Assertion
Valuation or Cash receipts are Cash receipts are inaccurately Correct recordings are confirmed
Allocation accurately or incompletely recorded by independent personnel
recorded
Inappropriate access to cash Access levels are pre-defined
receipts and related record based on specific job responsibility
Existence or Recorded cash Cash is subject to theft Periodic internal audit of cash are
Occurrence amount exist conducted
Cash receipts are not recorded Cash sales are recorded using a
in the period in which they are cash register. Customers are
received provided with the register receipt
and total daily receipts per register
balanced to cash deposited to the
bank
Presentation Cash related Disclosure data is not Responsibility for gathering the
and Disclosure information is identified by each department required data is assigned to
properly specific individuals
disclosed in the
financial
statements
43 ICFR Workshop 19-21 February, 2007 2007 Deloitte
Examples of ICFR (contd)
Business Process: Invoicing
Financial Control Objective Risk Control Activities
Assertion
Completeness A sales invoice is Delivery slips or work Bill of landing/delivery slips are
generated for every orders are lost or missing pre-numbered and sequential
shipment or order monitored
completed work
Deliveries are made but Comparisons are made of actual
order.
not recorded results with budgets and analyses
of variances
Valuation Prices used in Selling Price is inaccurate Prices are verified to authorized
recorded sales are price lists or standing data before
accurate invoice is
Discounts, incentives, etc. Discounts, incentives, etc. are
are calculated incorrectly recalculated and/or confirmed
before invoice is issued
Existence or Invoices are Invoices are not recorded Good shipped at, before or after
Occurrence recorded in the in the appropriate period the end of accounting periods are
appropriate period scrutinized and/or reconciled to
ensure complete and consistent
recording in the appropriate
accounting period including the
raising and recording of related
invoices
44 ICFR Workshop 19-21 February, 2007 2007 Deloitte
Examples of ICFR (contd)
Business Process: Shipments
Financial Control Objective Risk Control Activities
Assertion
Valuation or Correct goods Incorrect items are included or Order is verified against customer
Allocation are shipped and substituted in the order, which request before shipment
accurately may be returned by the
recorded customer
Existence, Sales are Deliveries data are not Shipment activities are reconciled
Completeness recorded in the captured or processed timely, to sales on a regular and frequent
proper period due, for example, to basis
incomplete or missing work Work orders are pre-numbered
orders and the sequence is monitored.
Valuation Posting to cost of Human error in coding or entry Independent reconciliation of
sales and accounts
inventory general
ledger accounts
are correct
Existence Deliveries are Backlog orders are not Unfulfilled orders are monitored on
recorded in the properly monitored a regular basis
proper period

45 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Examples of ICFR (contd)
Business Process: Financial Statement Preparation
Financial Control Objective Risk Control Activities
Assertion
All assertions Accounting polices Accounting policies are All accounting policies are
are appropriate to developed by personnel who approved by Corporate controller
the companys lack sufficient understanding of and CFO, and critical accounting
circumstances and the companys circumstances policies are approved by the audit
conform with GAAP or expertise to interpret committee. Accounting policies
complex GAAP are updated as needed based on
changes in accounting practices
Accounting policies Management does not Accounting policies for significant
are relevant to and evaluate the impact of transactions are reviewed annually
kept current in changes to the companys by the Controller for changes in
response to business or the overall circumstances and updated as
changes in the economic environment in the necessary and approved by the
companys context of companys Controller and CFO
business operation accounting policies
All entries are Personnel do not understand All accounting policies and policy
consistent with or are unaware of the changes are communicated to all
established companys accounting policies division in a timely manner
accounting policies resulting in deviations from
company policy, which may
lead to misapplications of
policies
46 ICFR Workshop 19-21 February, 2007 2007 Deloitte
Activity
Directions:
1. Form and work in small group of about 8 participants.
2. Answer the following questions below.
3. Summarize your group response.
4. Select a group spokesperson and be prepared to share your group
responses to us.

Please list down examples of Internal Control procedures over Financial Report for
the following areas:

47 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Activity
Business Financial Control Objective Risk Control Activities
Process Assertion

Sales Existence or Process only valid Customer orders may not be

Occurrence customer orders authorized

Completeness All goods shipped are Missing documents or

accurately billed in the incorrect information
proper period
Improper cut-off of shipments
at the end of a period

Rights and Safeguard account Unauthorized access to

Obligation receivable records account receivable records
and data

Purchase Completeness Accurately record invoices Missing documents or

and Existence on a timely basis for incorrect information
accepted purchases that
have been authorized and
only for such purchases Invalid accounts payable
fraudulently created for
unauthorized or nonexistent
purchases

48 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Control Structure
 The top down approach for Review of
ICFR

Require-
ments

Identify Significant
Accounts

Identify Material Entities

Identify Relevant Business Processes

Identify Risks and Control Activities

Company-wide usage of Risk / Control Matrix

Walkthrough

Test operating effectiveness of controls

50 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Identify Business Processes
Require-
ments
Identify Signi-
ficant Accounts

Identify Material Entities

Identify Relevant Business Processes

Objective Create Key Controls Master Template

Company-wide usage of Key Controls Master Template

The identification of the relevant business processes impacting the Evaluate design of Key Controls

Test operating effectiveness of controls

siginficant accounts

Steps:
Significant Accounts B/S Significant Accounts P&L

Requirements Accounts Accounts VAT Wages &

Processes Cash receivable Inventory Payable Rec/Pay Sales Salaries

Sales generation X X X X X

Purchasing X X X

Fixed Assets

Inventory X

GL Closing and Financial Reporting X X X X X X

HR, Payroll and Employee benefits

Trade deals / customer promotions X X

Cash Management X

IT X X X X X X X

51 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Identifying Significant Accounts
Two-fold process:
First at the financial statement level. Significant
Accounts
Then at the account or disclosure component level.
Evaluation should include quantitative and qualitative factors.
Significant account is one with more than a remote likelihood
that the account could contain misstatements that individually or
when aggregated with others could have a material effect on the
financial statements.
Materiality considerations:
Concept of materiality in an audit of internal controls over
financial. reporting should be applied at both the financial
statement level and at the individual account balance level.
Includes quantitative and qualitative considerations.

52 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Identifying Relevant Financial Statement
Assertions
Determine the relevance of each financial statement assertion for
each significant account:
Existence or occurrence.
Completeness.
2006
Financial
Valuation or allocation. Statements

Rights and obligations.

Presentation and disclosure. Financial
Statements

Relevant assertions are assertions that have a meaningful

bearing on whether the account is fairly stated.

53 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Identifying Significant Processes
Identify each significant process over each major class of
transactions affecting significant accounts or groups of
accounts. Significant
Processes

For each significant process, the auditor should:

Understand the flow of transactions, including how transactions
are initiated, recorded, processed, and reported.
Identify the points within the process where a misstatement
including a misstatement due to fraud related to each
relevant financial statement assertion could arise.
Identify the controls that management has implemented to
address these potential misstatements.
Identify the controls that management has implemented over
the prevention or timely detection of unauthorized acquisition,
use, or disposition of the company's assets.
54 ICFR Workshop 19-21 February, 2007 2007 Deloitte
StructureOne Approach
Entity Level
Each Entity
Control Environment Top Down
Risk Assessment Bottom Up Process Level
Control Activities
Information and Each Significant Process,
Communication Account Balance, Class of
Monitoring Transactions or Disclosure
Risk Assessment
Control Activities
Information and Communication
Monitoring

55 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Entity Level
What are entity-level controls?

Softer side of COSO

Conceptually, all five COSO components could be evaluated at
each process or activity level. However, certain controls are
common across more than one location, unit, or process and thus,
to avoid redundancy, certain controls are evaluated at the entity
level.
For practical considerations, it is generally more efficient to identify
these common components and refer to them as entity-level
controls. Entity-level controls include control environment, risk
assessment, information and communication, and monitoring.

56 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Entity Level
COSO Component Entity Level Process Level

Control Environment Generally at the entity-level. Not at the process level.

Risk Assessment High-level business risk Account balance and assertions.

assessment.

Monitoring Internal audit, self- Embedded monitoring into process-

assessment. level controls.

Information and IT systems, communication of Within a process as part of the control.

Communications roles and responsibilities
throughout the entity.

Control Activities Exists mostly at the process approvals, authorizations, verifications,

level. reconciliations, security of assets,
segregation of duties

57 ICFR Workshop 19-21 February, 2007 2007 Deloitte

Entity Level
How does the assessment of entity-level controls differ among
organizations?
A company with a single business, one location, and one
executive management team will likely have a single entity-
level assessment to complete.
However, a company with many decentralized and/or varied
business subsidiaries may have a number of different entity-
level controls at different subsidiaries to address.
The extent of the entity-level assessment will depend on how
homogeneous the controls are throughout the organization.

58 ICFR Workshop 19-21 February, 2007 2007 Deloitte

I. Control Environment
Entity Level Control Environment
Overview
The control environment provides an atmosphere in which people
conduct their activities and carry out their control responsibilities. The
control environment sets the tone of an organization by influencing the
control consciousness of its people. It is the foundation for all other
components of internal control, providing discipline and structure.
Do people within the organisation want to control their business risk? Are they
capable to do so?
Managements integrity and ethical values (Principle 1)
Managements philosophy and operating style (Principle 2)
Board of Director (Principle 3)
Organisational structure (Principle 4)
Financial Reporting Competencies (Principle 5)
Methods of assignment and communication of responsibility and authority
(Principle 6)
Human resources policies and practices (Principle 7)
60 ICFR Workshop 19-21 February, 2007 2007 Deloitte
Entity Level Control Environment
Criteria to Consider

Board of
Directors Commitment to
Organizational Competence
Structure

Control
Environment HR Policies &
Assignment of
Practice
Authority and
Responsibility

Management Integrity and

Philosophy Ethical Values

61 ICFR Workshop 19-21 February, 2007 2007 Deloitte

 E
S

G
L

C
N

IA

N
O

TI

IA
C
I
AT

AN

PL
O
Principle 1 - Integrity and Ethical Values

M
EP
PE

FI

O
R

C
O
CONTROL ENVIRONMENT

Attributes Approaches Examples

Top management develops Articulating and Company Newsletter
a clearly articulated Demonstrating Integrity and Reinforcing Integrity and
statement of ethical values Ethics Ethics
that is understood at all
levels of the organizations Informing Employees about Promoting Awareness of
Integrity and Ethics Ethical Behavior
Processes are in place to Demonstrating Commitment Aligning Incentives with
monitor adherence to to Integrity and Ethics
principles of sound integrity Ethics and Values
and ethical values
Promoting a Commitment to
Deviations from sound Ethics
integrity and ethical values
are identified in a timely Promoting Employee
manner and appropriately Participation in Identifying
addressed and remedied at Misconduct
appropriate levels within the Taking Actions When
company Deviations Occur

62 ICFR Workshop 19-21 February, 2007 2007 Deloitte

 E
S

G
L

C
N

IA

N
O

TI

IA
C
I
AT

AN

PL
O
Principle 2 Board of Directors

M
EP
PE

FI

O
R

C
O
CONTROL ENVIRONMENT

Attributes Approaches Examples

The board defines and communicates Establishing Content for Board Meetings Reviewing and
authorities retained at the board level Documenting Key Activities
and those delegated to management Identifying Independent Board Members of the Board
The board has a critical mass of Establishing Boards Roles and Responsibilities Audit Committees
members who are independent directors Independence and
Audit Committee Considering Effectiveness of Financial reporting
The audit committee actively evaluates Internal Control
and monitor risks of management Expertise
override provides oversight to the Audit Committee Meeting with Auditors Reviewing Financial
effectiveness of internal control over Statement Estimates
financial reporting and financial Audit Committee Reviewing Policies and
statement preparation Procedures Audit Committee
One or more audit committee members Audit Committee Maintaining Skepticism Interacting with External
has financial reporting expertise Auditors
Audit Committee Considering Whistle-blower
The audit committee provides oversight Information Audit Committee
to the effectiveness of internal control Considering the Potential of
over financial reporting and financial Board Reviewing Audit Committee Candidates Management Override
statement preparation
Audit Committee Certifying Compliance Changing Board
The audit committee oversees the work Composition of Closely-
of both internal and external auditors, Board and Audit Committee Meeting with Held Company
and interacts with regulatory auditors if Management
necessary.

63 ICFR Workshop 19-21 February, 2007 2007 Deloitte

 E
S

G
L

C
N

IA

N
O

TI

IA
C
I
AT

AN

PL
O
Principle 3 Managements Philosophy

M
EP
PE

FI

O
R

C
O
CONTROL ENVIRONMENT

and Operating Style

Attributes Approaches Examples
Managements philosophy Emphasizing Risk Mitigation Reinforcing the Tone for
and operating style Effectiveness Financial
emphasize reliable financial Emphasizing Processing Reporting
reporting Requirement
Soliciting Suggestions for
Managements attitude Emphasizing Importance of Enhanced Internal Control
supports a disciplined, Diligence
objective process in Emphasizing Philosophy
selecting accounting Establishing and with External Parties
principles and developing Articulating Financial
accounting estimates Reporting Objectives

Management establishes
and clearly articulates
financial reporting
objectives, including the role
of internal control over
financial reporting

64 ICFR Workshop 19-21 February, 2007 2007 Deloitte

 E
S

G
L

C
N

IA

N
O

TI

IA
C
I
AT

AN

PL
O
Principle 4 Organizational Structure

M
EP
PE

FI

O
R

C
O
CONTROL ENVIRONMENT

Attributes Approaches Examples

Management Developing Establishing Job
establishes appropriate Organizational Charts Descriptions and
lines of financial reporting Responsibilities
for each functional area Aligning roles to
and business unit in the Processes Reorganizing to Support
organization Control Structure
Maintaining Job
Management maintains Descriptions
organizational structure
that facilitates effective Establishing
reporting and other Organizational Structures
communications about
internal control over Establishing Structure
financial reporting for Internal Audit

65 ICFR Workshop 19-21 February, 2007 2007 Deloitte

 E
S

G
L

C
N

IA

N
O

TI

IA
C
I
AT

AN

PL
O
Principle 5 - Financial Reporting

M
EP
PE

FI

O
R

C
O
CONTROL ENVIRONMENT

Competencies
Attributes Approaches Examples
Competencies that Establishing Required Utilizing Outside Service
support reliable financial Knowledge, Skills and Provider
reporting are identified Abilities
Aligning Competencies
The company employs Supplementing with Key Financial
or otherwise retains Competencies Reporting Positions
individuals who process
the required Providing Training Retaining External Tax
competencies related to Assistance
financial reporting Evaluating
Competencies in Key Assessing Key Financial
Needed competencies Financial Reporting reporting Personnel
are regularly evaluated Roles
and maintained
Reviewing and
Evaluating Competencies

66 ICFR Workshop 19-21 February, 2007 2007 Deloitte

 E
S

G
L

C
N

IA

N
O

TI

IA
C
I
AT

AN

PL
O
Principle 6 Authority and Responsibility

M
EP
PE

FI

O
R

C
O
CONTROL ENVIRONMENT

Attributes Approaches Examples

Assignment of responsibility and delegation Defining Objectives and
of authority are clearly defined for all Responsibilities
employees, including:
Audit Committee Reviewing
- Board : The audit committee overseas Key Positions
managements process for defining
responsibilities for key financial reporting Assigning Authorities and
roles Responsibilities

-Top Management The CEO and top

management are responsible for sound
internal control over financial reporting,
including both initiating and maintaining the
internal control system

-Senior and Functional Management

Senior and functional management are
responsible for ensuring understand their
responsibilities for achieving financial
reporting objectives through adherence to
internal control policies and procedures

Assignment of authority and responsibility

includes appropriate limitations

67 ICFR Workshop 19-21 February, 2007 2007 Deloitte

 E
S

G
L

C
N

IA

N
O

TI

IA
C
I
AT

AN

PL
O
Principle 7 Human Resources

M
EP
PE

FI

O
R

C
O
CONTROL ENVIRONMENT

Attributes Approaches Examples

Management Developing and Developing Human
establishes human Maintaining Position Resources Practices
resource practices that Descriptions
demonstrate its Periodically Reviewing
commitment to integrity, Developing and Policies
ethical behavior, and Maintaining Human
competencies resources Policies and Recruiting and Retaining
Procedures Key Financial Reporting
Employee recruitment Positions
and retention for key Reviewing Resumes and
financial reporting Performing Reference Evaluating Integrity and
positions are guided by Checks Ethics in the Hiring
principles of integrity and Process
by necessary Providing Training and
Awareness Providing Adequate
competencies associated Technical Training
with the positions Establishing a Review
and Appraisal Process Implementing Complex
Accounting Standard
68 ICFR Workshop 19-21 February, 2007 2007 Deloitte
Principle 7 Human Resources (contd)

Attributes Approaches Examples

Management supports Performing Exit Training Trough
employees by providing Interviews Professional
tools and training needed Organizations
to perform their financial Designing
reporting roles Compensation Plans Periodically Assessing
Performance
Employee performance Reviewing
evaluations and the Compensations Plans
companys compensation
practices, including those Evaluating Competency
affecting management, of Personnel
support achievement of
financial reporting
objectives

69 ICFR Workshop 19-21 February, 2007 2007 Deloitte

ABOUT DELOITTE:
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective
subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its
member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and
independent legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu,"
or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the
Member of
Deloitte Touche Tohmatsu Verein. In Indonesia, services are provided by Osman Ramli Satrio & Rekan, or Deloitte Touche Tohmatsu
Deloitte Tax Solutions, or PT Deloitte Konsultan Indonesia.