The influence of internal control on fraud prevention (Case study at Bank BRI of Cimahi City)

Article History Received on 8 June 2020 1 Revision on 23 June 2020 2 Revision on 30 June 2020 3 Revision on 16 July 2020 4 Revision on 18 July 2020 5 Revision on 24 July 2020 6 Revision on 27 July 2020 7 Revision on 11 August 2020 8 Revision on 18 August 2020 9 Revision on 19 August 2020 10 Revision on 24 August 2020 11 Revision on 25 August 2020 12 Revision on 27 August 2020 Accepted on 28 August 2020 Abstract


Introduction
A Company has internal control in an effort to supervise their business activities to create secure and successful entity-winning practices. In the field of banking, in addition to the other regulations laid down by the financial service authority as a State Institution which oversees financial institutions in Indonesia, internal controls are certainly essential. (Financial Service Authority, 2016). According to Law No. 10 of 1998 on the Amendments of Law no. 7 of 1992 on banking that "Bank is a business entity that collects funds from the community in the form of savings and distributes it to the public in the form of credit and/or other forms in order to improve the standard of living of the community at large." Obeying the rules and not making mistakes that can lead to irregularities and fraud is one way to get sympathy from both customers and non-customers (Sukadwilinda and R. Aryanti, 2013). The implementation of anti-fraud strategies undertaken by commercial banks is in the form of a control fraud system by means of detection, prevention, investigation and monitoring in controlling fraud (Karyono, 2017: 4-5).
Poor Internal control which is one cause of fraud (Siregar and tenoyo 2015); Zakari, Nawawi and Salin 2016). Company must run effective internal controls (KPMG 2004) to prevent fraud that can cause large losses. Internal control can be described as supervision and procedures which are arranged to ensure that a certain goal will be achieved. Fraud can be termed as fraud which contains the meaning of deviation and act against the law (Illegal act) which is done on purpose, for example, deceiving or giving a mislead picture to other parties which is done by people both from inside and outside the organization. A fraud is designed to take advantage of opportunities dishonestly, which directly or indirectly harm other parties (Karyono, 2017: 4-5).
Fraud is categorized into four groups, those are fraudulent statements, misuse of assets (Assets Misappropriation), corruption and fraud related to computers (Karyono, 2017: 8-17). In the case of Bank Rakyat Indonesia (BRI), there was an act of theft of electronic data or skimming. A customer of PT Bank Rakyat Indonesia Persero Tbk (BRI) lost a balance of IDR 14 million . This was happened due to the data breach (the skimming mode). Responding to this, BRI Corporate Secretary, Hari Purnomo said that he and his men were currently investigating the case of losing customer balances casuistically. "If the case is due to banking crimes, then we will resolve customer complaints," as cited from Antara, Friday (13/9/2019) Teguh (2019). In addition, there was another skimming victim, Tresna Pamungkas (37), who felt very sorry about the bank's security system services. His savings balance suddenly decreased after receiving an SMS from BRI. As a result, he lost Rp5,000,000. According to him, there is no more reason for the bank to not follow up this skimming case. The reason is not only he who became the victim of skimming. In fact, with this skimming incident, he considers that BRI technology system is easy to hack. So that, it resulted the loss for many people. Meanwhile, Bank BRI of Cimahi City was unable to provide information on this. They only directed for more information of confirmation to the head office due to all policy in providing information (Azam, 2018).
The cause of electronic fraud in the form of data theft or skimming is due to the lack of internal controls which is not in accordance with the (COBIT) Objective control framework For Information and Related Technology framework, namely: Planning & Organization (PO), Acquisition and Implementation (AI), Delivery Support (DS), Monitoring and Evaluate (ME), and the most violated component of work equipment in the fraud cases of electronic data theft or Skiming is Delivery Support (DS), because this work tool is related to data security systems (Simonson & Johnson 2013). The Failure of fraud prevention is caused by internal and external factors of the organization, as it has explained that the main action for fraud prevention is to create and implement a reliable control system on organizational activities (Karyono, 2017: 85-86). Several studies have been conducted to examine the effect of internal control on fraud prevention, including Suginam (2016) who argued that internal control has a positive effect on fraud but the results are not significant. Meanwhile, Sukadwilinda and R. Aryanti Ratnawati stated that the Internal Control had a significant effect on Fraud Prevention.

Fraud prevention
Fraud has been existing from generation to generation (Prabowo 2013). Since Before the industrial revolution, financial scandals have disrupted the economy world (Pearson and Singleton 2008). According to Karyono (2017: 59-61), the prevention of fraud is by describing various means of control. The means of control is by creating policies, procedures, organization, control techniques, and employee participation. Written procedures must be established to prevent fraud and to support policy.

Procedure Policy
Written procedures must be established to prevent fraud and to support the policy of the Procedures, among others: a. Containing function of separation to create conditions for mutual checks between functions. b. Containing a review system in order to detect fraud early in existing activities. c. Containing a reporting system and provisions for cracking down the fraud perpetrator.

Organization Policy
In an organization, there are independent committees and internal auditors who have the responsibility of knowing all organizational activities and analyzing internal control. To be effective, internal audit must have an access to both audit committee and top management.

Control Technique
Unreliable control structure designs and weaknesses in implementation will be a source or opportunity for fraud to occur. The following shows effective control tactics to reduce the possibility of fraud, those are: a. Adequate documentation and recording. b. Adequate control over access to computer terminals, data processed in processing, as well as programs and other supporting media. c. There is a manual control of files used in computer processing or disposal that is no longer used. d. There is a system of direct physical control over treasure or assets. e. There is Regular and regular internal reviews of all activities and transactions.

Employee Participation
The organization should have staff or members who are experienced and have a high curiosity, suspicious and sensitive to signals of fraud. The things that need to be considered in order to develop these traits include: a. The quality of prospective employees must receive special attention. b. Adoption of effective procedures for employees to raise complaints or dissatisfaction. c. Provisions that govern employees who are willing to report all other suspicious employee activities. d. There is a rule that employees are not allowed to routinely overtime without adequate supervision. e. Employees are required to take annual leave every month.
According to Karyono (2013: 46) effective fraud prevention has 5 (five) objectives, namely: 1. Prevention, that is preventing the occurrence of real fraud in all organizations. 2. Deference, that is warding off the potential actors, 3. Description, which complicates the steps of the fraud perpetrator . 4. Reverification, that is identifying high-risk activities and weaknesses in internal control, 5. Civil action prosecution, namely charges against the perpetrator".

Internal control
The definition of Internal Control by (COSO, 2013) is: "A process, which is influenced by the board of directors, management, and other personnel of an entity, which is designed to provide reasonable assurance regarding the objective achievement related to operations, reporting and compliance. "According to COBIT in Simonson & Johnson (2016), Internal control is a set of best practices for IT management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992, to provide the information that company needs to achieve its objectives. Meanwhile, according to Tuannakota (2014: 127), internal control is management's response to counteracting known risks, or in other words, to achieve control objectives. Based on the definition of internal control, it can be understood that internal control is a process, which is carried out by the board of management, directors and other personnel, designed to provide confidence in the achievement of certain interrelated goals within the organization.

Quality control purposes
The objectives of internal control according to the Internal Audit Education Foundation (YPIA) (2015) are: 1. The objective of operation is the goals achievement of operational effectiveness and efficiency. 2. The purpose of reporting is that the reports produced by the company can be trusted. 3. The Objectives of compliance is that the company's activities is in line with the applicable laws and regulations.
Meanwhile, the objectives of internal control according to Arens and James K Loebbecke (2016) are as follows: 1. The Effectiveness and Efficiency of Operation The Internal control is intended to avoid repetition of unnecessary cooperation and the waste of all aspects of the business as well as to prevent inefficient use of resources.

The Reliability of Financial Statements
In order to carry out its business operations, the management requires accurate information. Therefore, the existence of internal control is expected to provide reliable data, because the existence of data or records allows reliable financial reports to be prepared.

The Compliance with Laws and Regulations
The Internal control is intended to ensure that all rules and policies established by the management to achieve the company goals obeyed by the employees. 4. Internal control leads to a process because internal control is integrated into the organization's operation activities and it is an integral part of the management's main activities, namely planning, implementation and supervision.
From the description above, it can be seen that internal control has a broad meaning that does not only cover accounting issues, but also includes all managerial aspects related to company management. Internal control is not an independent part of the company but it is a functioning system.

The component of internal control
The internal control component according to the Control Objective For Information and Related Technology (COBIT) a collection of general guidelines developed by the Information System Audit and Control Association (ISACA) and by the IT Governance Institute (ITGI) 1992, for the provision of information required for the organization to achieve its objectives.. The basic principles of COBIT include (Simmonson & Johnson, 2013): 1. Business Information Requirement, is in the form of information, in which the information must have elements of effectiveness (effective), efficiency (efficient), confidentiality (confidence), integrity (integrity), availability (available), compliance (fulfillment), and reliability (trustworthiness).
2. IT Resource, consists of users (people), features (application), technology, insfrastructure, information, Database Management system, Software and multimedia 3. High level IT Process consists of IT Process (Planning and Organization (PO), Acquisition and implementation (AI), Delivery Support (DS), and monitoring and Evaluation (ME); IT Process (IT Strategy, Computer Operation, incident Handling, acceptance testing, Change management, Contingency planning, and Problem Management): Activities (Record new Problem, Analysis, propose solution, monitoring solution, and Record known Problem).
COBIT's main purpose is to provide IT governance with clear policies and best practices that allow organizations around the world to recognize and manage the risk associated with internal control. (Simmonson & Johnson, 2013).

The Cobit' s Framework
Cobit divides the information technology management process into four main domains with the total of each domain in Cobit having the following details (Simmonson & Johnson, 2013).

Planning & Organization (PO)
The Domain emphasizes on the planning process and strategy alignment of IT that in line with the company's strategy including strategy issue, tactic and the best IT identification on the table 2.1.

A11
Identifying Automatic Solutions A12 Acquiring and maintaining software application A13 Acquiring and maintaining infrastructure technology A14 Allowing operation and use A15 Fulfilling IT resources. A16 Managing Changes A17 Installing a solution of accreditation with its change.

Delivery and Support (DS)
This domain includes IT service fulfillment processes, system security, service continuity, training and education for users, and compliance with ongoing data processes. The DS domain consists of 13 (thirteen) information technology processes in the table 2.3.

DS 1
Defining and managing service levels DS 2 Managing third party services DS 3 Managing performance and capacity DS 4 Ensuring continuous service DS 5 Ensuring security system DS 6 Identifying and allocating the costs DS 7 Educating and training the users DS 8 Managing service desk and incidents DS 9 Managing configuration DS10 Managing problems

DS 11
Managing data DS 12 Managing the physical environment DS 13 Managing the operation

Monitoring and Evaluation
This domain focuses on the problem of controls that are applied in the organization, internal and external checks and independent assurance of the checking process that are carried out, this domain consists of four information technology processes as shown in table 2.4  (2013), Internal control is a set of general guidelines (best practices) for IT management created by (ISACA) the Information System Audit and Control Association, and the (ITGI) IT Governance Institute in 1992, to provide useful information needed by the company in achieving its goals. In realizing effective fraud prevention, existing internal controls must be in accordance with Cobit's work tools, those are; Planning and Organization (PO), Acquisition Implementation (AI), Delivery Support (DS), Monitoring Evaluation (ME) (Suryo Setiyo Kardono. 2018). Fraud Prevention describes various means of control. The means of control referred to creating policies, procedures, organization, control techniques, and employees' participation Karyono (2013: 59-61).
The prevention pillar is part of the fraud control system that contains steps in order to reduce the potential risk of fraud, which includes anti-fraud awareness, identification of vulnerabilities and know your employee. Effective internal control can minimize the loopholes for the perpetrators of fraud, the more effective internal control is, the more it can prevent fraud. Internal control implies that all policies and procedures must be created and implemented to help ensure that the actions identified by management to address the risk of achieving organizational goals are effectively implemented (Lisa, 2008).
Internal Control needs to be implemented in various companies including banks that have various risks that may occur. The Role of Internal Control on Fraud Prevention as expressed by Karyono (2013: 85-86) is that the Failure to prevent fraud (fraud) is caused by internal and external factors in the organization. The main action for fraud prevention is to create and implement a reliable internal control system on the organizational activities. The Failure to prevent fraud also occurs due to capital and ethical factors within the organization and outside the organization in addition to the capital and ethical issues. The failure to prevent fraud is also caused by the weak internal control.
Several studies have been conducted to examine the effect of internal control on fraud prevention, including research conducted by Suryo Setiyo Kardono (2018) which stated that Internal Control had a significant effect on fraud prevention. The internal control had a positive effect on preventing information fraud (the higher/stronger internal control, the more increase the prevention of information fraud). Meanwhile, Tessamonica (2015) states that internal control affects the prevention of fraud, accounting scandals and corporate fraud in the form of manipulation of financial statements due to operating style that has not been running optimally with the responsibilities and philosophies that exist and lack of monitoring employees' performance.

The research methodology
The Determination of the research methods is needed in a research process in order to facilitate research procedures in answering research questions. It is generally divided into two types, applied research and basic research (fundamental research). Applied research is intended to produce a solution aimed at solving problems related to events that are directly on the organization. Basic research is aimed at understanding the content of problems faced by the organizations in general and finding methods to solve problems that occur (Acep Edison, 2018: 13-14).
This research is a basic/fundamental research using explanatory studies and survey analysis. Explanatory research is research that aims to obtain answers about "how" and "why" a case occurs. It is aimed to explain or prove how the relationship between the research variables. The relationship can be in the form of correlation or causality (cause and effect) (Nuryaman and Veronica, 2015: 6). An explanatory study is a study aimed at describing the relationship, the effect between a predictive variable or predictor of a variable that is predictable or commonly expressed as a cause variable and an effect variable. The nature of explanatory studies is associative studies. It means that research with associative nature consists of at least two variables (Acep Edison, 2018: 85). Survey analysis is research that intends to collect information in the form of relatively large data or research based on phenomena with very broad symptoms. Surveys are used to measure, investigate, of why symptoms occur, and what causes them (Acep Edison, 2018: 86).
The company chosen for this research was Bank Rakyat Indonesia (BRI) of Cimahi City.

Population and sample
The Definition of Population according to Edison (2018: 112) is a collection of individuals or elements in a unit of measurement attached to their characteristics in a certain area. Research is a collection of individuals who have the same characteristics that function as sources of research information.
Based on the definition above, the population in this study is all employees who work at Bank Rakyat Indonesia (BRI) of Cimahi City. The total population was 46 employees from the Operational Section with details of department as follows. Samples are representatives of a population that can explain the nature and characteristics of a population. Sampling which does not meet the rules will cause the target of the study to be biased because inadequate number of samples will not describe the population measured (Acep Edison, 2018: 102). The number of samples in this research was 46 employees. .502

The results and discussions
The Figure above shows that the value of Kolmogorov Smirrnov is 0.827 with a significance value of 0.502. The significance value produced by Kolmogorov Smirnov is more than 5% (significant level of research). It can be concluded that Ho is accepted or the residual data are normally distributed. In other words, the regression model was feasible to use because it met the assumption of normality or normally distributed data.

The Heteroscedasticity test
Heteroscedasticity test is used to determine whether there are any deviations in a regression. The variance of residual inequality for all results of the regression model is heteroscedasticity. A good regression model is homoscedasticity or the heteroscedasticity does not occur. One way to detect the presence or absence of heteroscedasticity is to make a scatter graph. The results of heteroscedasticity testing using the scatter plot graph is presented below: Based on the scatter plot test results in Figure, it can be seen that there are no clear patterns and points spread between below 0 to above 0 on the Y axis. It can be concluded that there is no heteroscedasticity in this regression model. 2. If the regression coefficient value of internal control variable shows 0.694, it means that if the internal control variable has increased by 1 (one) unit, then the dependent variable, which is fraud prevention variable, will decrease by 0.694.

The hypothesis test
This test basically aims to show how far the influence of one independent variable individually in defining the dependent variable. This can be seen from the indicating significance value of t from the calculation results. If the probability value is less than significant level (0.05), then the independent variable individually influences the dependent variable. On the contrary, if the probability value is more than significant level (0.05), then the independent variables have no individual effect on the dependent variable. Based on the results of the T-test (partial) in the regression model, the significance value of the internal control variable obtained at 0.000 (less than the significance level). Furthermore, it can also be seen from the results of the comparison between tcount and ttable which shows that the tcount value is 5.309, while ttable is 2.045. From here it can be seen that tcount > ttable (5.309 > 2.045), it can be concluded that Ha is accepted, meaning that partially the internal control variable has a significant effect on fraud prevention. Internal control positively affects fraud prevention, as the theory and results in this study support the hypothesis, hereby internal control is one way for companies to prevent fraud.

The overview of internal control at Bank Rakyat Indonesia (BRI) of Cimahi City
Based on the results obtained from respondents, it showed that the total actual score obtained from all statements that made up the internal control variable was 2138 (67.87%) and the ideal score was 3150, with mean score of 3.39 which was included in the decent category. This shows that the implementation of internal control conducted by Bank Rakyat Indonesia (BRI) of Cimahi City was quite good over all but still need to be evaluated regularly and periodically for many deficiencies in the system. Along with technology advances, Bank Rakyat Indonesia (BRI) of Cimahi City must be attentive to increase the security of the system. The indicators for implementing Internal Control consist of: a. The Plan and Organize indicator are known that the percentage of the total score of respondents' responses obtained from the statements that make up the Plan and Organize indicator was 70.27% with an average score of 3.51 included in good category. This happened because the company already has guidelines/policies governing the company's plans (planning and aligning IT strategies with corporate strategies, strategical issues, and tactics). b. The Acquire and Implement indicator was 68.67% with a mean score of 3.43 included in the good category. This happened because the company already has the implementation of IT solutions and its integration in the organization's business processes. It also includes changes and maintenance needed by the system. c. Delivery Support indicator was 66.86% with a mean score of 3.34 included in the quite decent category. This happened because the company has fulfilled IT services, system security, service continuity, training and education for users, and compliance of ongoing data processes. d. The Monitor and Evaluate indicator was 69.11% with a mean score of 3.46 included in the good category. This occurred because the company has carried out the controls in the organization, internal and external checks and independent guarantees of the process.

The overview of fraud prevention at Bank Rakyat Indonesia (BRI) of Cimahi City
Based on the results of research on Fraud Prevention, it showed that the total value of the actual score obtained from all statements that make up the fraud prevention variable was 1623 and the ideal score was 2400, while the total percentage value obtained was 67.63% and the mean score of 3.38 was included in the quite good category. This shows that the prevention of fraud experienced at Bank Rakyat Indonesia (BRI) of Cimahi City was included in the quite good category. However, it must be monitored and evaluated regularly because with the rapid advancement of information systems, the level of fraud will be even higher.
Indicators of application of fraud prevention consist of: a. The indicator of creating a written procedural policy was 70.83% with a mean score of 3.54 included in the good category.

Effect of internal control toward fraud prevention
Based on the results of this study, it showed that internal control had a significant effect on fraud prevention. Meanwhile, the amount of influence of internal control in contributing influence to the prevention of fraud was 50.2%. This result is also supported by several theories. According to Agoes Sukrisno (2012: 212), if the internal control of a business entity is weak, then the possibility of mistakes and fraud is even greater. Conversely, if an internal control is a strong business entity, then the possibility of errors and fraud can be minimized. Some studies have been conducted to examine the effect of internal control on fraud prevention, including Sukadwilindadan R. Aryanti Ratnawati (2013) which stated that Internal Control had the effect significant effect on fraud prevention, internal control positively influences the prevention of cash fraud (the higher/stronger internal control, the more increasing the prevention of cash fraud). Teuku Ferryza Kurniawan (2017) stated that internal control had a significant effect on fraud prevention. Furthermore, the magnitude of the influence of internal control in contributing to the prevention of fraud was 68.4%. So, the higher the internal control, the higher the prevention of fraud.

Conclusion
Internal Control at BRI of Cimahi City has been carried out with indicators of Plan and Organize, Acquire and Implement, Delivery Support, Monitor and Evaluate, which means that, the Internal Control is included in the category of quite well. This means that overall, it has been going pretty well but it still needs to be improved again and evaluated regularly and periodically, because there are still many shortcomings in the implementation of the system, because the system continues to experience growth, making Bank Bri Cimahi City must be aware to increase the system security. Application of Fraud Prevention at Bank BRI City Cimahi has been accordingly applying the principles of fraud prevention that have been carried out with indicators of Creating written procedures policies, Creating organizational policies, Creating effective control techniques. It means that even though the application of fraud prevention is very good, there are still a number of things that still need to be improved. Based on research results, it shows that the better the implementation of internal control, the better the application of cheating prevention. In other words, internal control influences the application of fraud prevention.
Based on the results of the study, the authors intend to submit several suggestions that are expected to be useful input for the parties concerned as follows: 1. Improving the internal control by increasing the identification of every possible risk to avoid the risk that will occur. Increasing the review of the performance of each division in carrying out the company's operational activities as a form of performance appraisal, separating the authorization authority between the assets section with the operational part, closing direct access to the assets section for those who are not interested, increasing documentation activities for each transaction carried out, increasing system maintenance activities periodically, always verifying strictly on each transaction operational activities, improving communication between parts in an organized manner, as well as increasing routine and separate evaluation of the performance of each section of the work unit, and improve management follow-up actions on recommendations and findings . 2. Increasing fraud prevention by increasing supervision and a good system in every activity and activities carried out by Bank Rakyat Indonesia (BRI) of Cimahi City.