Audit Assertions in the GRC Framework for Risk Control

In an era of increasingly complex corporate governance, organizations are required not only to fulfill financial reporting obligations but also to demonstrate that all internal processes are operating according to established standards. Two concepts that now play a central role in this effort are audit assertions and the GRC framework (Governance, Risk, and Compliance). Both are not merely technical accounting tools, but rather the foundation of public trust in a business entity.

This article will discuss what is meant by assertion in audit, how management assertion works in practice, and why the relevance of assertion for GRC is becoming increasingly crucial in modern enterprise risk management.

What is meant by assertion in auditing?

Assertions in an audit are a series of statements or declarations made by management, either explicitly or implicitly, regarding the classes of transactions, account balances, and presentation and disclosure contained in an entity's financial statements. These statements are not merely administrative in nature, but serve as a reference point for auditors in designing and performing audit procedures.

In other words, when management presents financial statements, they are indirectly “promising” to stakeholders that the figures are accurate, complete, and fairly presented. This promise is then verified by the auditor. independent auditor.

Management Assertions in Auditing

Management assertions in an audit refer to representations expressed or implied by management regarding the classification of transactions, account balances, and relevant disclosures in the financial statements. Under applicable auditing standards, management assertions in an audit generally fall into five main categories:

• Existence or Occurrence: Management certifies that the assets or liabilities listed actually exist, and the recorded transactions occurred in the period reported.
• Completeness: All transactions and balances that should be recorded in the financial statements have been included without any omissions.
• Rights and Obligations: Recorded assets are the legal rights of the company, and recorded liabilities are the actual responsibilities of the entity.
• Valuation and Allocation: The components of assets, liabilities, revenues, and expenses are recorded at the appropriate values ​​in accordance with applicable accounting principles.
• Presentation and Disclosure: All components of the financial statements are classified, explained and disclosed appropriately in accordance with applicable standards.

Audit Assertions and Examples in Practice

To understand further, here are audit assertions and examples in the context of a real company:

• Contoh asersi keberadaan: Manajemen menyatakan bahwa persediaan barang jadi senilai Rp500 juta yang tercantum di neraca benar-benar tersedia secara fisik di gudang perusahaan.
• Contoh asersi kelengkapan: Manajemen mengonfirmasi bahwa seluruh transaksi pembelian bahan baku sepanjang tahun fiskal telah dicatat dan tidak ada yang terlewat.
• Contoh asersi penilaian: Manajemen memastikan bahwa aset tetap dicatat sebesar harga perolehan dikurangi penyusutan yang dihitung secara sistematis sesuai kebijakan akuntansi perusahaan.
• Contoh asersi penyajian dan pengungkapan: Manajemen menegaskan bahwa utang yang diklasifikasikan sebagai kewajiban jangka panjang tidak akan jatuh tempo dalam 12 bulan ke depan.

Konsep Framework GRC dalam Perusahaan

GRC (Governance, Risk, and Compliance) adalah pendekatan terintegrasi yang memungkinkan organisasi mengelola tata kelola, risiko, dan kepatuhan secara selaras dan efisien (admin, 2019). Tiga pilar utama GRC dapat diuraikan sebagai berikut:

• Governance (Tata Kelola): Mencakup struktur kepemimpinan, aturan pengambilan keputusan, dan mekanisme akuntabilitas yang memastikan organisasi beroperasi secara etis dan transparan.
• Risk Management (Manajemen Risiko): Meliputi proses identifikasi, penilaian, dan mitigasi berbagai risiko yang dapat mengancam pencapaian tujuan organisasi.
• Compliance (Kepatuhan): Memastikan organisasi mematuhi regulasi eksternal seperti ketentuan Otoritas Jasa Keuangan (OJK) dan kebijakan internal yang berlaku.

Relevansi Asersi Audit bagi GRC

Relevansi asersi bagi GRC terletak pada fungsinya sebagai instrumen verifikasi yang memperkuat ketiga pilar GRC secara bersamaan. Berikut penjabarannya:

• Terhadap Governance: Asersi manajemen membuktikan bahwa tata kelola keuangan dan operasional berjalan sesuai kebijakan yang ditetapkan dewan komisaris dan direksi.
• Terhadap Risk Management: Auditor menggunakan asersi sebagai basis penilaian risiko salah saji, sehingga area dengan risiko tinggi dapat diprioritaskan dalam proses audit.
• Terhadap Compliance: Asersi penyajian dan pengungkapan secara langsung memastikan bahwa laporan keuangan memenuhi standar akuntansi dan regulasi yang berlaku, termasuk PSAK dan peraturan OJK.

Relevansi asersi bagi GRC semakin nyata ketika organisasi menghadapi tuntutan transparansi yang meningkat dari para investor dan regulator. Tanpa asersi yang terstruktur, proses audit tidak akan mampu memberikan jaminan yang memadai atas keandalan sistem pengendalian internal perusahaan

Integrasi Asersi Audit dalam Framework GRC

Integrasi asersi audit ke dalam framework GRC bukan sekadar pelengkap teknis, melainkan sebuah kebutuhan strategis. Langkah-langkah integrasi yang dapat diterapkan antara lain:

• Pemetaan Asersi ke Risiko GRC: Setiap kategori asersi manajemen dalam audit dipetakan ke risiko spesifik dalam register risiko perusahaan, sehingga internal audit dapat berfokus pada area yang paling rentan.
• Penyelarasan dengan Three Lines of Defense: Asersi audit memperkuat lini pertahanan kedua (manajemen risiko) dan ketiga (audit internal) dalam model pertahanan berlapis.
• GRC Dashboard Usage: The findings of the assertion testing are integrated into GRC reporting to management and the board of commissioners as material for decision-making.
• Continuous Monitoring: Assertions are not only tested during the annual audit, but are used as a reference for routine monitoring through key risk indicators (Key Risk Indicators/BLOOD).

Challenges in Using Assertions in GRC

Despite its great benefits, the use of assertions in the GRC framework is not without challenges, including:

• Data Complexity: Large transaction volumes make it difficult for auditors to test all assertions in depth without adequate audit technology support.
• Management Subjectivity: Implicit assertions are susceptible to management bias or interests, so auditors must have a high level of professional skepticism.
• Competency Gap: Not all GRC practitioners understand the technical dimensions of management assertions in audits, which can hinder the effective integration of these two frameworks.
• Regulatory Changes: Continuous updates to accounting standards and GRC regulations require periodic updates to assertion mapping to remain relevant to current conditions.
• Silorization Function: In many Indonesian organizations, audit, risk management, and compliance functions still work separately, so the potential synergy between audit assertions and GRC has not been maximized.

Conclusion

Integrating audit assertions into the GRC framework strengthens risk control, ensuring Indonesian organizations are responsive to regulations. Holistic implementation will enhance stakeholder trust and sustainable performance.

Therefore, companies need a system that can support audit management, risk control, and compliance monitoring in a more structured and integrated manner. To support this, an audit application is needed. Audithink can be a solution in helping organizations manage audit processes and GRC frameworks more effectively.

This application is designed to be easily integrated with various corporate systems, supports real-time monitoring, and enables data-driven audit and risk management. Submit a demo now and find out how our app works