
Assessing Control Risk and Reporting on Internal Control: PT Telekomunikasi Indonesia Tbk

By:

Jonathan David 18/422958/EK/21636
Citra Aulia Ramadhanty 18/425432/EK/21818
Hendrawan Dhanes S. 18/429238/EK/21998

UNDERGRADUATE ACCOUNTING STUDY PROGRAM
FACULTY OF ECONOMICS AND BUSINESS
UNIVERSITAS GADJAH MADA
YOGYAKARTA
2019

Obtain and document understanding of internal control

Auditors need to understand controls that are relevant to financial statement audits in order
to identify and assess the risk of material misstatement. There are four steps in the process of
understanding controls: obtain and document an understanding of internal control; assess control
risk; design, perform, and evaluate tests of controls; and decide planned detection risk and
substantive tests. To obtain and document an understanding of internal control, auditors use
three techniques or procedures: the narrative, the flowchart, and the internal control questionnaire.

A narrative is a written description of a client’s internal controls. A proper narrative of an
accounting system and related controls describes four things: the origin of every document and
record in the system, all processing that takes place, the disposition of every document and
record in the system, and an indication of the controls relevant to the assessment of control risk.

A flowchart is a diagram of the client’s documents and their sequential flow in the organization.
Well-prepared flowcharts are advantageous primarily because they provide a concise overview
of the client’s system, including separation of duties, which helps auditors identify controls and
deficiencies in the client’s system. Flowcharts have two advantages over narratives: typically,
they are easier to read and easier to update. It is unusual to use both a narrative and a flowchart
to describe the same system because both present the same information.

An internal control questionnaire asks a series of questions about the controls in each audit area
as a means of identifying internal control deficiencies. Most questionnaires require a “yes” or a
“no” response, with “no” responses indicating potential internal control deficiencies. By using a
questionnaire, auditors cover each audit area reasonably quickly. The two main disadvantages of
questionnaires are their inability to provide an overview of the system and their inapplicability
for some audits, especially smaller ones.

In addition to understanding the design of the internal controls, the auditor must also evaluate
whether the designed controls are implemented. Auditors use several methods to evaluate
implementation: update and evaluate the auditor’s previous experience with the entity, make
inquiries of client personnel, examine documents and records, observe entity activities and
operations, and perform walkthroughs of the accounting system.

Assess control risk

After obtaining an understanding of internal control, the auditor makes a preliminary
assessment of control risk as part of the auditor’s overall assessment of the risk of material
misstatement. This assessment is a measure of the auditor’s expectation that internal controls will
prevent material misstatements from occurring or detect and correct them if they have occurred.
The starting point for most auditors is the assessment of entity-level controls. By their nature,
entity-level controls, such as many of the elements contained in the control environment, risk
assessment, and monitoring components, have an overarching impact on most major types of
transactions in each transaction cycle. Similarly, auditors should evaluate the effectiveness of IT
general controls before evaluating automated application controls or manual controls dependent
on IT output. Ineffective general controls create the potential for material misstatements across
all system applications, regardless of the quality of individual application controls. Once auditors
determine that entity-level controls, including general controls, are designed and placed in
operation, they next make a preliminary assessment for each transaction-related audit objective
for each major type of transaction in each transaction cycle.

Many auditors use a control risk matrix to assist in the control risk assessment process
at the transaction level. Its purpose is to provide a convenient way to organize the assessment of
control risk for each audit objective. The components of the control risk matrix are: identify
audit objectives, identify existing controls, and associate controls with related audit objectives.
Auditors must evaluate whether key controls are absent in the design of internal control over
financial reporting as a part of evaluating control risk and the likelihood of financial statement
misstatements. Auditing standards define three levels of the absence of internal controls: control
deficiency, significant deficiency, and material weakness. A control deficiency exists if the design
and implementation or operation of controls does not permit company personnel to prevent or
detect misstatements on a timely basis in the normal course of performing their assigned
functions. A significant deficiency exists if one or more control deficiencies exist that are less
severe than a material weakness (defined next), but are important enough to merit attention by
those responsible for oversight of the company’s financial reporting. A material weakness
exists if a significant deficiency, by itself or in combination with other significant deficiencies,
results in a reasonable possibility that internal control will not prevent or detect material financial
statement misstatements on a timely basis. To identify all deficiencies, auditors use a
five-step approach: identify existing controls, identify the absence of key controls, consider
the possibility of compensating controls, decide whether there is a significant deficiency or
material weakness, and determine the potential misstatements that could result. The control risk
matrix is useful both for associating control deficiencies with related audit objectives and for
assessing control risk for each related audit objective.

Tests of controls

The purpose of tests of controls is to test the effectiveness of controls in support of a
reduced control risk for the audit. Auditors use four types of procedures
to test controls: make inquiries of appropriate client personnel; examine documents,
records, and reports; observe control-related activities; and reperform client procedures. The
extent to which tests of controls are applied depends on the preliminary assessed control risk. If
the auditor wants a lower assessed control risk, more extensive tests of controls are applied, both
in terms of the number of controls tested and the extent of the tests for each control. The extent
of tests of controls also depends on reliance on evidence from the prior year’s audit, testing
of controls related to significant risks, and testing less than the entire audit period. Tests of
controls differ from procedures to obtain an understanding in two ways: tests of controls are
applied only when the assessed control risk has not been satisfied, and tests of controls are
performed on larger samples. When the client uses a service center for processing transactions,
the auditor may need to obtain an understanding of the controls of the service center.

Decide planned detection risk and design substantive tests

The completion of these activities is sufficient for the audit of internal control over
financial reporting, even though the report will not be finalized until the auditor completes the
audit of financial statements. The auditor uses the control risk assessment and results of tests of
controls to determine planned detection risk and related substantive tests for the audit of financial
statements. The auditor does this by linking the control risk assessments to the balance-related
audit objectives for the accounts affected by the major transaction types and to the four
presentation and disclosure audit objectives. The appropriate level of detection risk for each
balance-related audit objective is then decided using the audit risk model.

Auditor reporting on internal control

The auditor must communicate significant deficiencies and material weaknesses in
writing to those charged with governance as soon as the auditor becomes aware of their
existence. The communication is usually addressed to the audit committee and to management.
Auditors often identify less significant internal control–related issues, as well as opportunities for
the client to make operational improvements. These should also be communicated to the client.
The form of communication is often a separate letter for that purpose, called a management
letter. Although management letters are not required by auditing standards, auditors generally
prepare them as a value-added service of the audit. The types of opinion on internal control are
similar to those for a financial statement audit. An unqualified opinion is issued when there are
no identified material weaknesses as of the end of the fiscal year and there have been no
restrictions on the scope of the auditor’s work. An adverse opinion is issued when one or more
material weaknesses exist; in that case the auditor must express an adverse opinion on the
effectiveness of internal control. A qualified opinion or disclaimer of opinion is issued when a
scope limitation requires the auditor to express a qualified opinion or a disclaimer of opinion on
internal control over financial reporting.

Evaluating, reporting, and testing internal control for nonpublic and smaller companies

The differences for smaller companies that are not subject to Section 404(b) are in reporting
requirements, the extent of required internal controls, the extent of understanding needed,
assessing control risk, and the extent of tests of controls needed.

Impact of IT environment on control risk assessment and testing

When traditional source documents such as invoices, purchase orders, and billing records, and
accounting records such as sales journals, inventory listings, and accounts receivable subsidiary
records, exist only electronically, auditors must change their approach to auditing. This approach
is often called auditing through the computer. Auditors use three approaches to test the
effectiveness of automated controls when auditing through the computer: the test data approach,
parallel simulation, and the embedded audit module approach. In the test data approach,
auditors process their own test data using the client’s computer system and application program
to determine whether the automated controls correctly process the test data. When using the test
data approach, auditors have three main considerations: test data should include all relevant
conditions that the auditor wants tested, application programs tested by auditors’ test data
must be the same as those the client used throughout the year, and test data must be
eliminated from the client’s records. Parallel simulation testing is the use of auditor-controlled
software to do the same operations that the client’s software does, using the same data files.
The embedded audit module approach is when auditors insert an audit module into the client’s
application system to identify specific types of transactions.
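
The test data approach and its three considerations can be sketched in code. This is an added Python example, not part of the original paper; the credit-limit control (`client_post_sale`), its altered variant (`weak_post_sale`), the master file and all transactions are hypothetical and constructed for illustration.

```python
import hashlib

# Constructed master file and a hypothetical client application control.
CREDIT_LIMITS = {"C001": 5000, "C002": 1000}

def client_post_sale(ledger, txn):
    """Production program: post a sale only if every edit check passes."""
    if txn["customer"] not in CREDIT_LIMITS:
        return "rejected: unknown customer"
    if txn["amount"] <= 0:
        return "rejected: invalid amount"
    if txn["amount"] > CREDIT_LIMITS[txn["customer"]]:
        return "rejected: over credit limit"
    ledger.append(txn)
    return "posted"

def weak_post_sale(ledger, txn):
    """Hypothetical altered version in which the credit-limit check is missing."""
    if txn["customer"] not in CREDIT_LIMITS:
        return "rejected: unknown customer"
    if txn["amount"] <= 0:
        return "rejected: invalid amount"
    ledger.append(txn)
    return "posted"

def program_fingerprint(func):
    """Consideration 2: fingerprint the program so tested and production versions can be compared."""
    code = func.__code__
    return hashlib.sha256(code.co_code + repr(code.co_consts).encode()).hexdigest()

def _t(txn_id, customer, amount):
    return {"id": txn_id, "customer": customer, "amount": amount, "audit_test": True}

# Consideration 1: cover each relevant condition, including boundary values.
TEST_DATA = [
    (_t("T1", "C001", 4999), "posted"),
    (_t("T2", "C001", 5000), "posted"),
    (_t("T3", "C001", 5001), "rejected: over credit limit"),
    (_t("T4", "C999", 10), "rejected: unknown customer"),
    (_t("T5", "C002", -5), "rejected: invalid amount"),
]

def run_test_data(post_sale, ledger):
    """Process the test data and return (id, expected, actual) for each deviation."""
    deviations = []
    for txn, expected in TEST_DATA:
        actual = post_sale(ledger, txn)
        if actual != expected:
            deviations.append((txn["id"], expected, actual))
    return deviations

def purge_test_data(ledger):
    """Consideration 3: remove auditor test records; return how many were removed."""
    before = len(ledger)
    ledger[:] = [t for t in ledger if not t.get("audit_test")]
    return before - len(ledger)

def audit_run(post_sale, production_fingerprint):
    ledger = [{"id": "S1", "customer": "C002", "amount": 250}]  # constructed live record
    same = program_fingerprint(post_sale) == production_fingerprint
    deviations = run_test_data(post_sale, ledger)
    return {"same_program": same, "deviations": deviations,
            "removed": purge_test_data(ledger), "ledger": ledger}
```

Running `audit_run` against the altered program reports both the fingerprint mismatch and the over-limit sale that was posted instead of rejected, and in both runs the ledger ends with only the live record.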

Case Study: PT Telekomunikasi Indonesia Tbk

PT Telekomunikasi Indonesia, Tbk. (PT Telkom) is an independent business entity that has the
status of a public company. This means that the company is obliged to issue an annual
report each year containing information on the state and course of the Company's business
activities for the year concerned. Telkom is also obliged to submit its annual financial reports to
the US SEC because its shares are traded on the New York Stock Exchange. In April 2003, PT
Telkom proceeded with its consolidated financial report for the year 2002.

The CPA firm Eddy Pianto, a partner of Grant Thornton (GT), was the auditor of PT Telkom's 2002
financial statements, while the CPA firm Hadi Sutanto was the auditor of PT Telkom's subsidiary,
PT Telkomsel. Hadi Sutanto, which is a partner of PricewaterhouseCoopers (PwC), was then
appointed by Telkom to re-audit Telkom's 2002 financial statements after the report was rejected
by the US Securities and Exchange Commission (SEC).

Eddy Pianto Simon of KAP Eddy Pianto felt disadvantaged by KAP Hadi Sutanto, because
KAP Hadi Sutanto did not allow KAP Eddy Pianto to use KAP Hadi Sutanto's opinion from its
audit of PT Telkomsel (a subsidiary) in PT Telkom's (consolidated) audit report. Eddy Pianto
considers this one of the reasons the SEC rejected Telkom's 2002 financial statements audited by
KAP Eddy Pianto.

On July 16, 2008, Eddy sent a letter to the Chairman of IAI, Achmadi Hadibroto. The letter
complained about the unhealthy treatment received by the CPA firm Drs Eddy Pianto (EP) from
the CPA firm Drs Hadi Sutanto (HS). In the letter, Eddy explained the chronology of the case that
made his firm look bad. EP was the party that felt the loss, both moral and material, caused
directly and indirectly by the US SEC's rejection of Telkom's 2002 financial report.

Initially, when EP received the assignment as auditor of PT Telkom (2002), it experienced no
problems, including with HS, which at the same time became the auditor of PT
Telkomsel. In January and February 2003, the two parties exchanged communications and
documents. EP sent Audit Instructions to HS. In return, HS sent the reports
requested by EP according to the Audit Instructions. HS also sent documents stating that, as
Telkomsel's auditor, HS was independent.

On March 17, 2003, EP notified HS that Telkom's audit report would be issued on March 25,
2003. EP stated that it would make a reference to the Telkomsel audit results. Answering EP’s
letter, HS stated that it did not give EP permission to refer to the results of its audit of Telkomsel.
Surprisingly, on March 25, 2003, HS sent a copy of Telkomsel's audit report to be consolidated
into Telkom’s financial report. In its cover letter, HS did not include any wording that
disallowed EP from using the results of its audit of Telkomsel as a reference in the consolidated
financial report.

However, on March 31, HS reiterated the letter dated March 24. HS also sent a letter with the
same note to the President Commissioner and the Chairman of Telkomsel's Audit Committee on
April 9. According to HS's interpretation of AU 543, EP must obtain permission from HS
before referring to PT Telkomsel's audit results in PT Telkom's audit results. According to
EP, however, AU 543 actually allows EP to refer to HS’s opinion without permission. EP is
confident that HS interpreted AU 543 incorrectly, resulting in an SEC decision that
disadvantaged Telkom. AU 543, like the Auditing Standards for Public Accountants (PSA 543),
does not require EP to ask for permission, but only to communicate the reference. Permission
from the subsidiary's auditor is needed only if the name of that auditor is included in the
consolidated financial report.

Secondly, HS in its letter dated March 31 confuses the permission for EP to refer to HS's work
with the permission for Telkom to include HS's opinion in the Form 20-F report. In the letter
dated March 31, HS stated that the permission was related to the Form 20-F report. In fact,
permission for Form 20-F should be directed to Telkom's management, not to its auditor, EP.
However, because of HS’s letter dated March 24 that refused to give permission, on June 5 the
SEC sent a letter to Telkom's management. The letter stated, among other things, that because
there was no permission from HS, EP should have qualified or disclaimed the financial report of
2002. It also stated that EP did not demonstrate its competence in implementing US GAAS. For
this reason, the SEC rejected the Form 20-F report.

The SEC's decision left Eddy and his partner Grant Thornton Indonesia confused, because before
sending the letter to Telkom's management, the SEC had already requested a credential review
of EP on May 22. Heinz & Associates LLP of Denver, Colorado, USA was appointed to carry it
out.

On June 21, 2003, Eddy sent a letter to the SEC to explain the correct interpretation of AU 543.
On June 25, Eddy held a teleconference with the SEC. In the teleconference, there was no
refutation from the SEC regarding Eddy's interpretation of AU 543. But the SEC had already
rejected Telkom's Form 20-F report, and Telkom's management had already declared (on June 11)
Telkom’s 2002 financial report to be unaudited and appointed PwC (HS) as the auditor for the
review of Telkom’s 2002 financial report.

For Eddy, the unhealthy treatment by the CPA firm Hadi Sutanto (HS) not only harms Telkom
and his name, but also threatens the business continuity of the CPA firm Eddy Pianto (EP). This
is also what Eddy demanded of the professional organization, IAI: to clear his name, not
only with Bapepam, the Directorate General of Financial Institutions and the companies that will
use his firm's audit services, but also with the general public.

Case Analysis: PT Telekomunikasi Indonesia Tbk

The violations in this case go back to the dispute between Eddy Pianto’s Public
Accounting Firm and Hadi Sutanto’s Public Accounting Firm, abbreviated here to KAP
EP and KAP HS. KAP HS was appointed to create an audit report for PT Telkom after KAP
EP’s audit report was rejected by the SEC. This was caused by a misunderstanding of AU 543:
KAP HS interpreted the rule as requiring KAP EP to report to and gain permission from
KAP HS in order to refer to PT Telkomsel’s audit report in PT Telkom’s. Since PT Telkomsel
is a subsidiary of PT Telkom, KAP HS felt that KAP EP needed to gain permission first. However,
KAP EP interpreted AU 543 to mean that it did not need to gain
permission from KAP HS to refer to its opinion. According to the actual AU 543, KAP EP did
not require permission, but did need to inform KAP HS of its actions; permission would be
needed if the name of the auditor of the subsidiary company were stated in the consolidated
financial statements.

KAP HS refused permission to act as the first layer of the audit, meaning that it did not
want to act as a guiding standard for the second layer, which was KAP EP. This refusal caused
KAP EP difficulty in obtaining an opinion on both PT Telekomunikasi Indonesia Tbk’s
and PT Telekomunikasi Selular’s financial statements. KAP HS also put
KAP EP at a disadvantage, since it prolonged the completion of the audit even though the results
were already needed by the SEC and the Indonesian Financial Services Authority. Because of
this, KAP EP received a sanction that froze its business permissions in the stock market.

KAP HS also made PT Telkom’s stock price drop and harmed the country’s economy.
The aforementioned refusal of permission arose because KAP HS did not permit the viewing of
PT Telkom’s 20-F, even though it was not relevant for KAP HS to review the entirety of the
20-F without proper authorization. KAP HS thought that it was relevant since it was affiliated with
PwC, an internationally recognized accounting firm; yet it was founded under
Indonesian rules and regulations, rendering it irrelevant to the matter. Because of this, KAP
HS was forced to abide by the Indonesian rules and regulations regarding the specifications of
the capital market.

Although KAP EP was not to blame, it still received the sanctions that froze its
business in the Indonesian stock market. It was affected by the violation of UU no.8 of
1995, which concerns the capital market. This law sets out rules and
regulations for the capital market and for every firm or body that has a role in it. Specifically,
KAP EP became a victim of the violation of article 107, which regulates against any party that
might cause harm to other firms or mislead the Indonesian Financial Services Authority. Any
party that withholds, eliminates or falsifies information in a way that might lead to harm will be
sanctioned with a maximum of 3 years in federal prison or up to Rp.5 billion in fines. KAP EP
was the victim of KAP HS’s violation and lost its clientele, which consisted of 59
companies that it audited.

When KAP HS was proven guilty, it was fined Rp.20 billion, and the money was
deposited into the country’s cash account as the country’s income. The fine had to be paid within
30 days, or else a late fee of Rp.10 million would be charged for each day past the due date. This
was issued on June 21, 2004. KAP HS also violated the Sarbanes-Oxley Act of 2002 section 404,
which concerns management assessment of internal control. This section states that the
management of public companies has to assess the effectiveness of the internal control of issuers
for financial reporting. This section requires management to state its responsibility for
establishing and maintaining an adequate internal control structure and procedures for financial
reporting, and to provide an assessment, as of the end of the most recent fiscal year of the issuer,
of the effectiveness of the internal control structure and procedures of the issuer for financial
reporting. The decision to reject the permission requested by KAP EP was ineffective for
financial reporting, since it prevented KAP EP from completing its report on time. Because
of this, it could be concluded that KAP HS violated this section of the Sarbanes-Oxley Act of
2002.

REFERENCES

Arens et al. (2016), Auditing and Assurance Services: An Integrated Approach, England:
Pearson.

Roza, Husna; Pratami, Ambun Putri Beniv (2013), THE REVIEW OF AUDIT IN PT TELKOM
INDONESIA TBK IN COMPLIANCE WITH THE SARBANES OXLEY ACT OF 2002
SECTION 302, 404, AND 906
<http://repo.polinpdg.ac.id/487/1/828-788-1-PB.pdf>

UNDANG-UNDANG REPUBLIK INDONESIA NOMOR 8 TAHUN 1995
<https://www.ojk.go.id/en/kanal/pasar-modal/regulasi/undang-undang/Documents/959.pdf>

SOX Section 404: Management Assessment of Internal Controls
<https://www.sarbanes-oxley-101.com/SOX-404.htm>

Kronologis Singkat Kasus PT. Telkom pada Tahun 2002
<https://dokumen.tips/download/link/kronologis-singkat-kasus-pt-tlkom>
