
Source Process Details

No. | Enterprise Model (L1) | Process Area (L2) | Business Process (L3)

PU.P.001 | P2P | P2P | Purchase Others
PU.P.002
PU.P.003
PU.P.004 | P2P | P2P | Purchase Others
PU.P.005 | P2P | P2P | Purchase Others
PU.P.006 | P2P | P2P | Purchase Others
PU.P.007 | P2P | P2P | Purchase Others
PU.P.008 | P2P | P2P | Purchase Others
PU.P.009 | P2P | P2P | Purchase Others
PU.P.010 | P2P | P2P | Purchase Others
WH.P.002
AC.P.001 | P2P | P2P | Accounting
TS.P.201 | P2P | P2P | Treasury
TS.P.001
PU.P.011 | P2P | P2P | Purchase Others
PU.P.012 | P2P | P2P | Purchase Others
AC.P.101 | Asset Management | Asset Management | Fixed Asset
AC.P.104 | Asset Management | Asset Management | Fixed Asset
AC.P.106 | Asset Management | Asset Management | Fixed Asset
AC.P.201 | Asset Management | Asset Management | Fixed Asset

Source Process Details / General

Subprocess | Objectives | Item in Financial Statements

Vendor Comparison & Selection | Vendor can provide goods at standard market price with good quality | Balance Sheet: Inventory cash; Income Statement: COGS and expenses
Vendor Agreement | Agreement is valid | N/A
Vendor Master Data | Vendor Master Data is valid | N/A
Material Master Data | Material Master Data is valid | N/A
Purchase Requisition (PR) Approval | Only authorized PR can be processed | N/A
Purchase Order (PO) Approval | PO should be generated from approved PR | N/A
Purchase Order (PO) Return | Return of goods is valid | Balance Sheet: Supplies/FA; Income Statement: expenses
Closing PO | PO closed once goods are completely received | Balance Sheet: Account Payable; Income Statement: Expense
Account Payable (AP) Recording | AP is valid and accurate | Balance Sheet: Account Payable; Income Statement: Expense
AP Payment and bank disbursement | Bank and cash disbursement is valid and accurate | Balance Sheet: Cash; Income Statement: -
Vendor Evaluation | Vendor delivers good quality and price as agreed in the agreement | N/A
Vendor Blacklist | Blacklisted vendors are removed or blocked from vendor master data | N/A
Fixed Asset Acquisition | Fixed asset acquisition is valid | Balance Sheet: Fixed Asset; Income Statement:
Fixed Asset Transfer | Fixed asset transfer is valid | Balance Sheet: Fixed Asset; Income Statement:
Fixed Asset Disposal | Fixed asset disposal is valid and authorized | Balance Sheet: Fixed Asset; Income Statement:
Fixed Asset Opname | Fixed asset balance in system is in line with the result of fixed asset opname | Balance Sheet: Fixed Asset; Income Statement:
Risk Assessment

ID Risks | Risk Category (Financial, Operational or SOD) | Risks | Impact | Probability

| Operational | 1. Overprice and poor quality of goods. 2. Unauthorized vendor | 3 | 2
| Operational | 1. Invalid agreement. 2. Purchasing process does not proceed based on the agreement | 2 | 2
| Operational | 1. Vendor Master Data doesn't exist in system. 2. Vendor is not valid (not approved by Authorized Person) | 2 | 2
| Operational | 1. Material Master Data doesn't exist in system. 2. Invalid Material Master Data | 2 | 2
| Operational | 1. Unauthorized PR. 2. PR sent to different vendor from the Commercial Bid Tabulation | 3 | 2
| Operational | Unauthorized PO | 3 | 2
| Operational | 1. Return of goods is invalid. 2. Overpayment of invoice if no journal posted in system for PO return | 2 | 1
| Operational | Goods received is invalid. Type, quantity, and condition of goods actually received do not agree with supporting document. Over/under paid compared to actual goods received | 3 | 2
| Financial | AP is not valid and accurate | 3 | 2
| Financial | 1. Bank and cash disbursement (internet banking) is invalid/does not agree with the supporting documents. 2. Overpayment | 3 | 2
| Operational | Still using bad quality vendors | 1 | 2
| Operational | Still using blacklisted vendors | 1 | 2
| Financial | 1. Fixed asset acquisition is invalid. 2. Fixed asset balance is not properly stated | 3 | 2
| Financial | 1. Fixed asset transfer is invalid. 2. Fixed asset balance is not properly stated | 3 | 2
| Financial | 1. Fixed asset disposal is invalid and unauthorized. 2. Fixed asset balance is not properly stated | 3 | 2
| Financial | 1. Fixed asset balance in system is not in line with the result of fixed asset opname. 2. Fixed asset balance is not properly stated | 3 | 2
Risk Level Risk

By Process owner By CIA

6 Medium

4 Low

4 Low
4 Low

6 Medium

6 Medium

2 Low

6 Medium
6 Medium

6 Medium

2 Low

2 Low

6 Medium
6 Medium

6 Medium

6 Medium
Control Description

Description of Control Activity | Type of COSO Component

Description of Control Activity:
1. For certain purchasing activity, Purchasing Staff should receive a minimum of 3 quotations from vendors to compare and get the best quality and price
2. Purchasing Staff summarizes the quotations from vendors in the Commercial Bid Tabulation and chooses the best vendor
3. Commercial Bid Tabulation and the chosen vendor are reviewed by Purchasing Dept. Head and User Manager, then approved by Functional Director/Finance Director/President Director (based on authorization matrix)
Type of COSO Component: Control Activities

Description of Control Activity:
1. Purchasing receives the agreement from the vendor and gives it to Legal or Accounting/Tax for review
2. After being reviewed, the agreement should be approved by Authorized Person or Functional Director/Finance Director/President Director (based on authorization matrix)
Type of COSO Component: Control Activities

Description of Control Activity:
1. GA Administrator inputs vendor master data (based on Commercial Bid Tabulation's result) along with the PR
2. PR should be reviewed and approved by Functional Director/Finance Director/President Director (based on authorization matrix)
Type of COSO Component:

Description of Control Activity:
1. GA Administrator inputs material master data (based on Commercial Bid Tabulation's result) along with the PR
2. PR should be reviewed and approved by Functional Director/Finance Director/President Director (based on authorization matrix)
Type of COSO Component:

Description of Control Activity:
1. GA Administrator inputs PR to the system (based on the information from Commercial Bid Tabulation)
2. Printed PR should be reviewed and approved by Functional Director/Finance Director/President Director (based on authorization matrix)
Type of COSO Component: Control Activities

Description of Control Activity:
1. After PR is approved by Functional Director/Finance Director/President Director (based on authorization matrix), GA Administrator generates PO from the system
2. Printed PO should be reviewed by Purchasing Staff and User Manager before sending it to vendor
Type of COSO Component: Control Activities

Description of Control Activity:
Purchase Order return is created by Purchasing Staff, reviewed by Purchasing Dept. Head, and authorized as per the agreed matrix. Authorized person should check the return request form (form pengajuan return), which should agree with the PO return.
Type of COSO Component: Control Activities

Description of Control Activity:
1. User/GA checks the goods received and makes sure the goods received are complete and in line with the PO, DO, and invoice
2. User/GA fills in the Bukti Pengeluaran Uang (BPU, proof of cash disbursement) form and attaches it with copy PO, DO, and invoice, then gives it to Accounting for AP recording
Type of COSO Component: Control Activities

Description of Control Activity:
1. Accounting receives completed supporting documents (BPU, copy PO, DO, and invoice) for AP recording
2. Make sure all the supporting documents agree and are valid
3. Post AP journal in the system
4. Give all the supporting documents to Treasury for payment
Type of COSO Component: Control Activities

Description of Control Activity:
1. Treasury receives supporting documents from Accounting and inputs payment journal to system using settlement function
2. Treasury General Manager/Finance Director will approve payment journal in system, then payment journal will be automatically posted. Supporting documents are archived by Accounting
Type of COSO Component: Control Activities

Description of Control Activity:
User and Purchasing Department assess the vendor on delivery date and quantity (User), and unit price and service level (Purchasing), using the vendor evaluation sheet. If the vendor has bad quality, it should be blacklisted in vendor master data.
Type of COSO Component: Control Activities

Vendor evaluation sheet (Performance and Competence Assessment Form, "Form Penilaian Kinerja dan Kompetensi") created by Purchasing Department

Description of Control Activity:
User asks Purchasing Staff and IT team to "hold" the blacklisted vendor in Vendor Master Data, and Purchasing Staff informs the other users about the blacklisted vendor
Type of COSO Component: Control Activities

Description of Control Activity:
1. Accounting fills in Fixed Asset Acquisition form and asks for approval from Authorized Person
2. After the form is approved, Accounting inputs and validates fixed asset journal in system, then asks for review from Authorized Person
3. After the journal is reviewed, Accounting posts the fixed asset journal in system
Type of COSO Component: Control Activities

Description of Control Activity:
1. User Dept. prepares and fills in Fixed Asset Transfer form request and asks for approval from Authorized Person
2. After being approved, User Dept. prepares for the asset transfer and signs the BAST, then gives the supporting documents to Accounting
3. Accounting reviews the supporting documents and inputs the fixed asset transfer in system
Type of COSO Component: Control Activities

Description of Control Activity:
1. User Dept. prepares and fills in Fixed Asset Disposal form request and asks for approval from Authorized Person
2. After being approved, Accounting inputs and validates fixed asset disposal journal in system, then asks for approval from Authorized Person and posts the journal
Type of COSO Component: Control Activities

Description of Control Activity:
1. Accounting and GA perform fixed asset opname (at least once a year).
2. Accounting compares the result of fixed asset opname with the balance of fixed asset in system
Type of COSO Component: Control Activities
Control Description

Control Type (Prevent/Detect) | Control Method (Auto, Manual, Semi) | Frequency of Control Activity | Control Officer | Control Owner

Prevent | Manual | Occurrence | Purchasing Staff | Purchasing Dept. Head
Prevent | Manual | Occurrence | Purchasing Staff | Purchasing Dept. Head
Prevent | Manual | Occurrence | Purchasing Staff | Purchasing Dept. Head
Prevent | Manual | Occurrence | Purchasing Staff | Purchasing Dept. Head
Prevent | Manual | Occurrence | GA/IT Staff | GA Spv/IT Head
Prevent | Manual | Occurrence | User/GA Admin | User Manager/GA Supervisor
Prevent | Manual | Occurrence | Accounting AP Staff | Accounting AP Staff
Prevent | Manual | Occurrence | Treasury Staff | Treasury General Manager/Finance Director
Prevent | Manual | Occurrence | Purchasing Staff | Purchase Dept. Head
Prevent | Manual | Occurrence | Purchasing Staff | Purchase Dept. Head
Prevent | Manual | Occurrence | Accounting Staff | Accounting Dept. Head
Prevent | Manual | Occurrence | Accounting Staff | Accounting Dept. Head
Prevent | Manual | Occurrence | Accounting Staff | Accounting Dept. Head
Prevent | Manual | Occurrence | Accounting Staff, GA Staff | Accounting Dept. Head
Testing steps | Storage Location of Base Data and Evidence of Control | Extent of Testing (Sample Size) / Test frequency

Testing steps:
1. Obtain population of Purchase Requisition
2. Select 30 samples (based on Frequency of Control Performance)
3. Obtain and check the selected samples' supporting documents
4. Check the completeness (there is Commercial Bid Tabulation for certain purchasing process)
5. Check the authorization (there is evidence of approval from authorized person on every Commercial Bid Tabulation)
Storage location of base data and evidence of control: Hardcopy (Commercial Bid Tabulation)
Extent of testing (sample size) / test frequency: 30

Testing steps:
1. Obtain population of Purchase Requisition
2. Select 30 samples (based on Frequency of Control Performance)
3. Obtain and check the selected samples' supporting documents
4. Check the completeness (there is Vendor Agreement for certain purchasing process)
5. Check the authorization (there is evidence of approval from authorized person on every Commercial Bid Tabulation)
Storage location of base data and evidence of control: Hardcopy (Agreement)
Extent of testing (sample size) / test frequency: 30

Testing steps:
1. Obtain population of Purchase Requisition
2. Select 30 samples (based on Frequency of Control Performance)
3. Obtain and check the selected samples' supporting documents
4. Check the completeness (there is Vendor Master Data form for every purchasing process)
5. Check the authorization (there is evidence of approval from authorized person on every Vendor Master Data form)
Storage location of base data and evidence of control: Database
Extent of testing (sample size) / test frequency: 30

Testing steps:
1. Obtain population of Purchase Requisition
2. Select 30 samples (based on Frequency of Control Performance)
3. Obtain and check the selected samples' supporting documents
4. Check the completeness (there is Material Master Data form for every purchasing process)
5. Check the authorization (there is evidence of approval from authorized person on every Material Master Data form)
Storage location of base data and evidence of control: Database
Extent of testing (sample size) / test frequency: 30

Testing steps:
1. Obtain population of Purchase Requisition
2. Select 30 samples (based on Frequency of Control Performance)
3. Obtain and check the selected samples' supporting documents
4. Check the completeness (there is approved Purchase Requisition form for every purchasing process)
5. Check the authorization (there is evidence of approval from authorized person on every Purchase Requisition form)
Storage location of base data and evidence of control: Hardcopy (Purchase Requisition)
Extent of testing (sample size) / test frequency: 30

Testing steps:
1. Obtain population of Purchase Requisition
2. Select 30 samples (based on Frequency of Control Performance)
3. Obtain and check the selected samples' supporting documents
4. Check the completeness (there is approved Purchase Order form for every purchasing process)
5. Check the authorization (there is evidence of approval from authorized person on every Purchase Order form)
Storage location of base data and evidence of control: Hardcopy (Purchase Order)
Extent of testing (sample size) / test frequency: 30

Testing steps:
1. Obtain population of Purchase Requisition
2. Select 30 samples (based on Frequency of Control Performance)
3. Obtain and check the selected samples' supporting documents
4. Check the completeness (there is approved Purchase Return form for every purchase return process)
5. Check the authorization (there is evidence of approval from authorized person on every Purchase Return form)
Storage location of base data and evidence of control: Hardcopy (Purchase Order Return)
Extent of testing (sample size) / test frequency: 30

Testing steps:
1. Obtain population of Purchase Requisition
2. Select 30 samples (based on Frequency of Control Performance)
3. Obtain and check the selected samples' supporting documents
4. Check the completeness (copy PO, signed DO, and invoice are in line for every closed PO)
5. Check the authorization (there is User's signature on every DO form)
Storage location of base data and evidence of control: Hardcopy (Invoice)
Extent of testing (sample size) / test frequency: 30

Testing steps:
1. Obtain population of Purchase Requisition
2. Select 30 samples (based on Frequency of Control Performance)
3. Obtain and check the selected samples' supporting documents
4. Check the completeness (copy PO, signed DO, and invoice are in line for every closed PO)
5. Check the authorization of posted AP journal (there is Accounting Dept Head's approval in AP journal)
Storage location of base data and evidence of control: Database
Extent of testing (sample size) / test frequency: 30

Testing steps:
1. Obtain population of Purchase Requisition
2. Select 30 samples (based on Frequency of Control Performance)
3. Obtain and check the selected samples' supporting documents
4. Check the completeness (copy PO, signed DO, and invoice are in line for every closed PO)
5. Check the authorization of posted AP journal (there is Accounting Dept Head's approval in AP journal)
Storage location of base data and evidence of control: Database
Extent of testing (sample size) / test frequency: 30

Testing steps:
1. Obtain population of Closed PO
2. Select 30 samples for certain purchase (based on Frequency of Control Performance)
3. Obtain and check the selected samples' vendor evaluation form
4. Check the result from vendor evaluation and the vendor rating
Storage location of base data and evidence of control: Hardcopy (Vendor Evaluation)
Extent of testing (sample size) / test frequency: 1

Testing steps:
1. Obtain population of Closed PO
2. Select 30 samples for certain purchase (based on Frequency of Control Performance)
3. Obtain and check the selected samples' vendor evaluation form
4. Check the result from vendor evaluation and the vendor rating
5. Check the blacklisted vendors' status in system (hold or not)
Storage location of base data and evidence of control: Database
Extent of testing (sample size) / test frequency: 1

Testing steps:
1. Obtain fixed asset listing
2. Analyze the acquisition transaction during the year and obtain the population
3. Select samples from the population
4. Obtain and check the completeness of selected samples' supporting documents and their authorization
5. Check the authorization of asset journal posted
Storage location of base data and evidence of control: Database (Fixed Asset Listing), Hardcopy
Extent of testing (sample size) / test frequency: population

Testing steps:
1. Obtain fixed asset listing
2. Analyze the asset transfer transaction during the year and obtain the population
3. Select samples from the population
4. Obtain and check the completeness of selected samples' supporting documents and their authorization
5. Check the authorization of asset journal posted
Storage location of base data and evidence of control: Database (Fixed Asset Listing)
Extent of testing (sample size) / test frequency: population

Testing steps:
1. Obtain fixed asset listing
2. Analyze the asset disposal transaction during the year and obtain the population
3. Select samples from the population
4. Obtain and check the completeness of selected samples' supporting documents and their authorization
5. Check the authorization of asset journal posted
Storage location of base data and evidence of control: Database (Fixed Asset Listing)
Extent of testing (sample size) / test frequency: population

Testing steps:
1. Obtain BA fixed asset opname and fixed asset listing for one certain period
2. Analyze the fixed asset opname's result with the fixed asset balance
Storage location of base data and evidence of control: Database (Fixed Asset Listing), Hardcopy (BA Fixed Asset Opname)
Extent of testing (sample size) / test frequency: population
Test of Control

Testing Date / Performed by

Whether (Test of Design):
Does the control performed directly address the root of the cause/impact?
Has the current control been documented and formally communicated?
Does the current control cover 5W + 1H (What, Where, When, Who, Why, How)?

Testing Result: Effective (E) or Ineffective (I)

Rationale for Conclusion (Test of Design)

Rationale for Conclusion (Test of Design)

Whether (Test of Operating Effectiveness):
Is the current control in operation and applied consistently?

Effectiveness control score

Control Deficiency

Remediation (if control is ineffective)
