SME Internal Control: How is compliance with COSO Framework?

: Malang, East Java Indonesia, is a tourist city with natural beauty and a large variety of food and beverage industries, including Coffee Shops. The purpose of this study was to evaluate the compliance of the internal control implementation of the SMEs (Small Medium Enterprises) food and beverage based on the COSO Framework. This research is qualitative research with a case study method that uses components of the COSO Framework as basis analysis of four coffee shops in Malang City. The results show that there are differences between theory and practice in the field. Generally, among five components of the COSO Framework, the Control Activities component has not been considered important in internal control. Hence, there are some cases of irregularities that create or negligence in each coffee shop. It can be concluded that SME still need control over their business to eliminate fraud; therefore, separation of duties is required.


INTRODUCTION
Malang is a tourist city that attracts many tourists because it has the potential for extraordinary natural beauty. In addition, Malang also presents a very diverse culinary tourism whose number continues to grow every year. One of this culinary tourism is a coffee shop (Bandhu, 2021). Coffee shops are now becoming a very popular place because of their unique and comfortable place to relax or hang out. Nowadays, the number of new (modern) coffee shops has increased by 1000 outlets; thus, the total number of coffee shops in Malang has reached 2950 outlets (Ivan, 2020). Most SMEs grow and develop well; however, they have problems related to internal control in carrying out their operational activities. compliance objectives (COSO, 2013). According to the COSO, the components of internal control are Control Environment, Control Activities, Risk Assessment, Information and Communication, and Monitoring (Graham, 2011). The internal control framework has three categories of objectives that allow an organization to focus on imposing different aspects of internal control as follows: The first component of Control Environment covers management and employees' attitudes towards the importance of influencing the environment. The Control Environment is based on five principles: Supervisors must be independent of management while overseeing internal control, and the supervisory board should be independent of management. With the board's support, management establishes structures, reporting lines, authorities, and responsibilities to achieve goals. The company exhibits a commitment to hiring, training, and retaining competent employees and encouraging employees to take on internal control responsibilities.
The second component, Risk Assessment, covers all organizations that have risks in carrying out activities related to the productivity of business activities. This statement means that the company can identify the analysis and evaluation of planning to minimize risk. There are four principles in Risk Assessment: The organization develops objectives that are clear enough to allow for risk identification and assessment; the organization identifies risks to achieve its entity-wide objectives and analyzes risks as a basis for determining how risks should be managed; when analyzing risks to goal achievement, the organization examines the possibility of fraud; and when reviewing changes that could have a substantial impact on the internal control system, the organization analyzes the potential for fraud to occur. The goal of the risk assessment component is to reduce organizational deviations.
The third component, Control Activities, is a control procedure by having standard work operations that aim to prevent and detect perpetrators of irregularities. In this case, Three principles govern control activities: the organization picks and develops activities. These controls help the organization select and develop in general by lowering the risk to an acceptable level. Control activities over information technology to support the achievement of objectives, and the organization implements control activities through policies that determine what is required. Expectations and procedures for implementing the policy. Control Activities within the organization in controlling to develop information technology through policies and procedures.
The fourth component, Information and Communication, is an important component in delivering information to internal and external parties. According to three principles, the Organization gathers, uses quality, and relevant information to support all internal control components. Internally, organization communicates to offer information, such as internal control objectives and responsibilities, that is required to support the function of internal control. The organization communicates with external parties regarding matters relating to various matters that may affect all internal control components. In this component, an organization must provide actual information obtained from internal and external relations.
The fifth component, Monitoring Activities, is a control to monitor and determine employees' performances and the company's condition in increasing the effectiveness of control. Organization decides to grow and evaluate progressively and individually in this component, which includes two concepts. This is to ensures that internal control components function properly in inter-organizational Communication and that internal control is tailored to the decision-making party. Five components in the COSO Framework internal control must be carried out to improve the development and growth of SMEs.

RESEARCH METHODS
This research is qualitative research with a case study approach. The qualitative research was chosen because this study aims to understand the phenomenon of what is experienced by research subjects related to behavior, perception, motivation, and action (Moleong, 2017). The research focos on four Coffee Shops in Malang City, East Java, Indonesia; includes Niwa Coffee Garden, Homirast.Ind.Ind, Toko Kopi Koopen and Teras Engkong. The selection of these four coffee shops based on the criteria that they have the potential to excel in internal control. This case study is used because it can describe specific events that occur within the company. It focuses on one problem, namely comparing the implementation of internal controls in the field, which allows for a better understanding of the sequence of events. Evaluation of the implementation of internal control is carried out using the COSO framework approach because this approach provides standards tested and applied internationally and is compatible with SME business. This research was conducted for one month in May 2021 to meet the needs of taking observations and interviews with business owners. Informal interviews were suggested based on the spontaneity of the questions (Moleong, 2017), therefore, the usual open-ended interviews were verbal to allow the interviewers to explain freely.

FINDINGS AND DISCUSSION
The analysis is carried out and presented based on each component in the COSO Framework as follows:

Control Environment
Based on the Control Environment component, Table 1 shows that differences occur in applying theory using the COSO Framework. The Niwa Coffee Garden, Homirast.Ind and Toko Kopi Koopen have implemented reasonable internal control in developing their businesses.
However, the Teras Engkong seems not to implement some criteria related to commitment to integrity and ethical values because these Coffee Shops run by three owners without any employees. Therefore, they rely on trust between owners. This policy might work well and do not affect the business operation because it is a new business., However, the owners should set up rules related to integrity and ethical values. The table below shows the differences that occur in the application of theory using the COSO Framework Control Environment component as follows:

Risk Assesment
Based on the components of the Risk Assessment (Table 2), it can be seen that there are differences that occur in the application of theory using the COSO Framework. The four Coffee Shops have implemented good control in developing their businesses. However, their bookkeeping system does not comply with accounting standards. Thus, they need to improve the accounting system to develop a good internal control system. The detail of Risk assessment is presented below:

Control Activities
Based on the Control Activities component in the COSO Framework (Table 3), it can be seen that the four Coffee Shops have implemented reasonable internal control in developing their businesses. However, they do not fulfill the criteria of "Evaluating the type of control that has multiple properties", "Consider the level at which control activities are applied", and "Implement relevant control activity technology infrastructure. Table 3 below shows that there are differences that occur in the application of theory using the COSO Framework with the Control Activities components as follows:  Table 4 shows that the four Coffee Shops have implemented good internal control in developing their business based on the Information and Communication criteria in the COSO Framework. All four coffee shops have implemented all the COSO points of focus. This implies that point of fokus This can suit the needs of business owners and staff in terms of information and Communication.

Monitoring Activities
In the last criteria of the COSO Framework, all the four coffee shops have practiced almost all the points of focus in the monitoring. All four coffee shops have adopted all of the points of focus. This signifies that the focal point is important. This can meet the information and communication needs of business owners and employees:

Information And Communication
All focus points have been put into practice.
All focus points have been put into practice.
All focus points have been put into practice.
All focus points have been put into practice. Monitoring Activities All focus points have been put into practice.
All focus points have been put into practice.
All focus points have been put into practice.
All focus points have been put into practice. Source: Result Interview Data Analysis (2021)

Discussion
The analysis of the first criteria in the COSO Framework shows that all four coffee shops have established a good management and control environment. However, because the Teras Engkong business owners do not yet have rules that can be applied and rely on confidence between owners of this coffee shop, it seems that they have not maximized devotion to ethical values. This is acceptable in the early business establishment, but since the business grows up, they should prepare to develop written rules to ensure that good ethics are implemented.
In general, the four coffee shops have implemented risk assessment criteria as the second analysis of the COSO Framework. However, the accounting standard has not been fully implemented because only income and expenses are recorded. As a result, financial statements are incorrectly recorded. As a result, they must begin to construct an accounting information system under the scope of business to guarantee that all transactions have been properly documented and according to accounting rules.
The results of the examination of the Control Activities as the third component show that the four coffee shops did a good job of implementing these activities. However, they do not meet the criteria for evaluating controls, have not examined control actions, and have not made use of information technology. This occurs because they apply manual bookkeeping. As a result, they should begin to consider using technology to better record transactions.
According to the Information and Communication components examination, the framework has been applied well for both internal and external parties in establishing their businesses. As small businesses have limited number employees, these coffee shops could develop a close, friendly working environment based on good Communication. This type of Communication enable them to build up detailed and efficient Communication between owners and employees. This internal control illustrates how efficient communication allows all parties to communicate clearly.
In terms of the COSO Framework's final requirements, all four coffee shops have implemented nearly all of the monitoring points. They conduct formal monitoring to provide incentives in the form of bonuses. The COSO Framework dictates that work quality be assessed over time and on a regular basis. This means that business owners keep a close eye on their operations closely.
Related to internal control, the Niwa Coffee Garden does both monitorings of cash received and cash disbursement. This Coffee Shop does a very careful direct daily monitoring of income receipt and the amount of cash received. This monitoring is conducted because there are often some differences in the amount of cash received and income receipt based on the online cashier application. To fix this case, the difference is recorded in the daily income form. In particular, to cash disbursement, when purchasing raw materials and items, you must have confirmation of purchase from the provider. This is done to guarantee that there are no cash disbursement irregularities. In overcoming it, always emphasize doing routine records in conducting transactions.
The Homirast.Ind Coffee Shop conducts simple cash received internal control by completing daily income recapitulation by calculating the total amount of income received. In this process, there are high possibility of calculation error due to the manual process. The calculation is carried out carefully to overcome this issue, and the results are recorded and submitted to the business owner. When it comes to cash disbursement, it is required to check the payment receipt to confirm a purchase from the suppliers and keeping routine records. This is done to ensure that there are no discrepancies in cash disbursement.
The Toko Kopi Koopen has created a simple internal cash receipts control system that recapitulates daily income by computing the total amount of money received. A mathematical inaccuracy in this step is most likely due to manual processing. The calculations are accurately carried out to avoid this, with the results being recorded and reported to the business owner. When purchasing raw materials and commodities for cash distribution, proper planning is required. They've also stocked up on raw materials in preparation for future purchases. This is done to ensure that monies are distributed carefully. When conducting transactions or planning the procurement of raw materials, routine recording should always come first.
By recapitulating daily income and computing the overall amount of income received, the Teras Engkong performs simple internal cash receipt control. The computation inaccuracy in this step is most likely due to human processing. Therefore, the calculations should be carried out carefully and reported to the owners promptly. When buying raw materials and commodities with cash, a purchase confirmation from the vendor is required. This is done to avoid inconsistencies when it comes to opening funds. When conquering transactions, it is always suggested to prioritize recording to report daily results and expenses to the business owners.
Regarding internal control based on the COSO Framework, Niwa Coffee Garden has a better system than the four coffee shops above. This is because Niwa Coffee Garden has paid attention to users' needs in delivering information. This coffee shop has done separation of duties and always conducting regular evaluations. Furthermore, this coffee shop has applied an online cashier application to better control the cash received. Another three coffee shops seem to be less in applying internal control. To support each coffee shop development and growth, the deviation that often appeared in the cash transaction should be avoided.
Based on the case above, it is necessary to evaluate the coffee shop's internal control system to determine the potential for fraud. It is required that managers/company owners increase personal responsibility, self-efficacy, confidence in reliable day-to-day business operations, focused and self-disciplined, focused on the goals set, and building confidence in business owners (Mibey et al., 2020). Success in business shows how important they are in the business competition. SME owners with available funds might develop their businesses faster than non-availability; determination and discipline also help achieve business growth (Ojedele, 2021). According to Asikhia (2014), a thorough understanding of management and planning is a critical step toward enhancing employee engagement in a business. Re-examination of physical evidence is important to improve internal control to avoid risks and create internal controls that can improve overall revenue and expenditure efficiency (Hernawaty & Synthia, 2019). When evaluating a transaction, be prepared to take steps to reduce risk and offer solutions in order to ensure success in a sale or acquisition (Suleman et al., 2020).

CONCLUSION AND RECOMMENDATION
It could be concluded from the review of the COSO Framework theory and practice above, the four Coffee Shops have made attempts to improve internal control. However, some components have not been implemented well, which include: Control Environment particularly related to commitment to integrity and ethical values; the Risk Assessment in expanding the specified appropriate objectives by documenting accounting requirements; Control Activities related to infrastructure technology.
It is suggested that SMEs need to control every step of business to minimize acts of fraud and misconduct. They should pay higher attention in managing business and accounting processes that comply with internal control principles. Besides, they should have a separation in duties and responsibilities to enable better internal control. A business organization's internal controls must be implemented consistently to be a strong SME with good future sustainability. Internal controls should include checks on cash distribution and entry, as well as evidence of supporting documentation. This can help the coffee shop overcome overall internal control and cash receipts by avoiding inconsistencies and hazards that could hurt it.