Internal Control and Risk Management in Ensuring Good University Governance

: Human resources development has been a crucial issue in the emerging economies of Indonesia. The growth of Universities and other form of Higher Education in Indonesia indicates the raise of public and government awareness of educational quality. This awareness must be followed by higher education management ability for designing strategies and implementing them to produce high quality graduates. This study is expected to have contribution to enhance the management quality of Private Higher Education. This research aims to evaluate the implementation of Internal Control and Risk Management in ensuring Good University Governance. The data were collected from leaders of all Private Higher Education located at Special Province of Yogyakarta, the destination for most prospective students who will pursue further studies. Descriptive qualitative and regression analysis were performed to analyze the data. Research finding revealed that most of Private Higher Education had sufficient information and knowledge in implementing Internal Control, Risk Management, and Good University Governance. Other result showed that Internal Control and Risk Management positively influenced the implementation of Good University Governance. Limitation of this study was the respondents’ comprehension of the risk management terms that were not very well understood by some of the Higher Educational Institution’s Leaders.


Introduction
Young generation is an important investment for a nation. This generation will determine the direction of progress or setbacks of a nation. Education is a means to form young people; therefore the presence of Higher education institution is very important for the future of Indonesia. Besides having a very strategic role, there is also a very tight competition among universities within Indonesia as well as universities overseas. Currently in Indonesia, there were around 3,200 public and private universities with varieties of education quality. To be able to face local and global competition, universities must be able to provide programs that meet the market requirement, excel in the development of science, have an effective internal control, able to manage the potential risks and have good corporate governance. Universities require a system that is capable of ensuring the passage of their accountability process through effective internal control in educational organizations.
Reliable and effective internal control systems are not only necessary and intended for profit-oriented organizations but also for non-profit organizations including universities. Through the implementation of reliable internal control, universities will be able to effectively and efficiently improve the achievement of organizational objectives and to adapt in the organizational operating environment. In general, internal control is defined as a process that is influenced by the board of directors, management and other personnel, designed to provide reasonable assurance of achieving the objectives related to operations, reporting, and compliance (COSO, 2013). The term Internal Control in this study refers to the definition of the Committee of Sponsoring Organizations of Tread way Commission (COSO), which is a joint initiative of five private sector organizations, which was founded in the United States. Since 1992, COSO published an integrated internal control framework that continues to change in accordance with the development of the organization's operating environment. The rapid changes today that demand transparency and greater accountability systems such as the complexity of the environment surrounding the organization, technological advances, globalization, stakeholder engagement, require a reliable internal control to support effective management decision-making (COSO, 2013).
Besides the issue of accountability, universities also face a variety of challenges and risks. Risk is defined here as the likelihood that an event will occur and will affect the achievement of the goals set by the organization (COSO, 2013). Because the risk cannot be eliminated, the organization should design assessment and risk analysis in various fields (teaching and learning, finance, research, student, etc.) in order to minimize or avoid these risks. One study by the University of Sydney (2008) mentions that the educational organization has four risk groups, namely the risks associated with the activities of teaching and learning, innovation and research, student experience, and relationships with external parties. Improper risk management will have a significant impact on the development of educational organizations in the future. All organizations face the risk that comes from within and outside the organization, although not all educational organizations face the same types of risks. It is necessary to identify potential risks that possibly faced by an organization. A research by Vancouver Island University (2013) divided the risk of education organization into four categories: strategic risk, operational risk, risk reporting and compliance risks. IBM (2010), for example, has the concept of risk identification and possible solutions for higher education institution. One of the identified risks is the unavailability of an adequate analysis of the risk management system for educational organization. Educational organization also requires good governance, especially in increasing public confidence to hand over the task of educating the them. Good University Governance becomes an obligation for educational organization. Application of Good University Governance is expected to improve the quality of education.
Yogyakarta is the barometer of the higher education institution governance in Indonesia. A total of six State Universities and 117 private universities and colleges are established in Yogyakarta. The existence of many universities and colleges has implication for Yogyakarta as a gathering place for young people from various regions with which Yogyakarta is also known as mini Indonesia. The conditions that have been described in the previous paragraphs attracted researchers to look at the implementation of internal control, risk management implementation and practice of Good University Governance in private universities and colleges in Yogyakarta. Furthermore, the researchers are also required to identify the relationship between the implementation of internal control and risk management to the implementation of Good University Governance. This research is important to map-out the management of private universities and colleges in the province of the city of education. The results of the research will provide input and contribute to the improvement of the quality management of these universities and colleges.

Literature Review
Governance can be defined as a process when organizations take important decisions, determine the parties involved in the process, and how the responsibility thereof (Graham et al., 2003). Thus, Good University Governance can be defined as a process conducted by the College for decision-making.There is various opinions on the Good University Governance. Some of them are transparancy and disclosure; accountability; responsibility; independency; and fairness. Benefits of Good Governance for Universities. In general, the application of Good University Governance has benefits for universities and colleges. First, the institution's internal communication patterns are more qualified as to lead to openness. Second, Good University Governance is rising college's image as an institution of professional kind. Third, it is obtaining the trust from outsiders as a credible institution. Internal Control is defined as a process that is influenced by the board of directors, management and other personnel, designed to provide reasonable assurance of achieving the objectives related to operations, reporting, and compliance (COSO, 2013). With reference to the internal control integrated framework issued by COSO, the organization is expected to be able to develop a system of internal control that can adapt to changes in the operating environment and business, to reduce the risk to some extent and to support decision-making and management of a good organization.
Meanwhile, the organizations that implement the COSO Internal Control system will get benefit in the form of, among others: the direction to the achievement of organizational goals in the areas of operations, reporting, and compliance (laws and regulations referred to); availability of manual procedures and policies, systems, and documents simultaneously affects people who are involved in the management of the organization to act according to its capacity; the flexibility of the system that adapt to the organizational structure. (COSO, 2013). According to the COSO, there are five Internal Control Components (2013). First component is environmental control. It is a set of standards, processes, and structures as the basis for control within the organization. Second component is risk assessment. Risk is defined as the chances of events that will affect the achievement of objectives. Risk assessment aims to identify and assess risks through a series of dynamic processes. Third, control activity. These activities are defined as actions that help management to control risk through a series of activities in accordance with policies and procedures. Information and Communication are the fourth component. They are very important as controlling measures because good information must be supported by proper communication. The last component is Monitoring. This monitoring activity is used to ensure that the components of other control goes well.
Risk is defined as the likelihood that an event will occur and will affect the achievement of the goals set by the organization (COSO, 2013). Furthermore, COSO describes risk management as a process, which is influenced by the board of directors, managers, and other personnel, applied at strategic level and throughout the organization, which is designed to identify potential events that may have an impact on society together, and manage risk within a certain tolerance limit so that the organization still able to achieve organizational goals. The National Association of College and University Business Officers (NACUBO) published a report on risk management in the universities in 2003 (Tufano, 2011) which encourages university leaders to implement and improve the effective management programs. This study found that there are five levels of how institutions manage the risks (Tufano, 2011). Good Governance is an issue that is widely discussed in various studies. In general, research on good governance focuses on good corporate governance. Research from Suyono and Hariyanto (2012) found that the internal control, internal audit, and organizational commitment positively influenced good corporate governance practices. The study states that the Internal Control is able to assure the reliability of financial reporting, operations are efficient and effective, as well as compliance with applicable rules and policies. In other words, if the Internal Control goes well, then good corporate governance can be applied with good anyway. Companies and universities have the same thing in common, that is, managing the funds. Improper management of funds will lead to ineffective use of funds. This can be caused by the long procedure of services and open the posibility of fraud. Good Internal Control will provide the basis for the formation of a good management of higher education institution. Based on these reviews, it can be formulated hypotheses as follows:

H1: Implementation of Internal Control has a positive effect on the implementation of Good University Governance
Research associates with the good university governance is not many, especially in Indonesia. Adamov et al. (2010) conducted a study that discussed the relationship between good governance with Management Information System of Higher education institution. This study is based on the understanding that the technology will support the implementation of Good Governance in higher education institution. The conclusion of this study indicates that a good management information system will support the implementation of Good Governance in higher education institution. Research discusses the implementation of good governance in universities and institutions in Pakistan. The study tried to determine the relationship between management and good governance. The results showed there was a positive relationship between them. Based on the findings above, the hypothesis can be formulated as follows.

H2: Risk Management has a positive effect on the implementation of Good University Governance
Both of these hypotheses can be described as follows:

Methodology
The population of this research is all universities and colleges in Yogyakarta Special Region Province. The entire population will be made as respondents in this study. Data was collected by distributing questionnaires to all universities and colleges located at in Yogyakarta Special Region Province. The questionnaire was addressed to the head of higher education institutions (Rector / Director / Chairman, or vice-chairman). Internal control is a process that is influenced by the board of directors, management and other personnel, designed to provide reasonable assurance of achieving the objectives related to operations, reporting, and compliance (COSO, 2013). Internal Control variables will be measured using the instrument according to COSO (2013), that consisted of the control environment, risk assessment, control activities, information and communication, and monitoring activities. Risk Management is defined as a process, which is influenced by the board of directors, managers, and other personnel, applied at strategic level and throughout the organization, which is designed to identify potential events that may have an INTERNAL CONTROL RISK MANAGEMENT GOOD UNIVERSITY GOVERNANCE impact on organization, and manage risks within certain tolerance limits so that the organization is still able to achieve organizational goals (COSO, 2013). Risk management variables will be measured using the instrument according to the National Association of College and University Business Officers (NACUBO) related to students, education and teaching, research, governance, financial, health, safety, and security, human resources, asset management, information technology, environment. Good University Governance can be defined as a process conducted by the university for decision-making. Good University Governance variables were measured using instruments transparency, accountability, responsibility, independency, equality and fairness. First, the data will be analysed to describe the respondent profiles and explain the implementation of internal control, risk management and the implementation of Good University Governance. Further, the data will be analysed/examined in the form of testing the effect of the implementation of the Internal Control to the implementation of Good University Governance and examine the effect of the implementation of the Risk Management to the implementation of Good University Governance. Tests are carried out using simple linear regression and multiple linear regression.

Results and Discussion
The number of private universities in Yogyakarta Special Region as listed in the Directory of Higher education institution in Yogyakarta in 2013 (Dikpora, 2013) were 117 universities and colleges with the following details: From Table 1, it is noted that the population were 117 universities and colleges located at Yogyakarta Special Region. There were 96 respondents (82%) who completed and returned their questionnaire and only 83 respondents (71%) who responded with completed data that can be processed further. With a response rate of 71%, it can be concluded that the data may represent the the population. Respondents in this study include the leaders of higher education institutions comprising of 68 respondents (81.93%) who were chairman or vice-chairman, three respondents (3.61%) who were the heads of the bureau and 12 respondents (14.46%) who did not mention their position (see Table 2).  University  5  3  1  3  Institute  27  8  1  6  Colleges  20  5  1  3  TOTAl  52  16  3  12 According to the respondents, their stakeholders'levels of satisfaction to their service are as follows. It was stated that 70 respondents/84.33% were satisfied), 3 respondents/3, 61% were very satisfied, and only3 respondents /3.61%were not satisfied. There were 6 respondents (7.23%) who did not provide their answers. Implementation of Internal Control in higher education institution was divided into five components: Internal Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. The results of the study in general and for each component can be described below. In general, the respondents stated that they have 79% of all statements relating to the five components of the COSO internal control (see Table 3). The 79.1% yes answer means that the Higher Education Institution has had 79.1% of the requirements documents, designs, as well as good organizational management procedures that will encourage the organization to achieve its goals in a healthy, effective and accountable manner. Universities have more complete documents and procedures when compared with those of institute and colleges. To provide further details of the implementation of each component of internal control-,the first component is the Internal Control Environment that includes a code of conduct, performance appraisal system, the design of recruitment and career development, organizational structure, clarity of function and authority, as well as the quality manual and procedures activity. The results of the research for this component showed that 84.17% of the respondents claimed to have and implement various policies that will provide a good foundation for the management of higher education institution. This means that 84.17% of respondents have already designed the work and the governance system of their organizations. The second component of internal control is a risk assessment that indicates the extent to which the organization has a process of identifying risks, the design process reduces the incidence of risk, as well as its risk management documents. The results of the study have shown that only about 53% of respondents had a planning and designing risk management. The initial design of risk management is an important issue because of the emergence or the risk will affect the achievement of the organizational goals. When the potential risk are not being prepared and anticipated well, this organization will unlikely be able to achieve the goals of the organization as it has been formulated in the vision and mission statements.
The third component of internal control is the control activities. Control activities comprise a separation of duties and authority within organization. Next, the higher educational institution must present controlling function. It must also record, document, and manage assets as well as determinate the value of assets.Finally, the higher educational institution has good system which constantly update employee data and organize cash spending well. The results showed that on average, 80.22% statements that describes good internal control has been implemented, and only 14% of the components of internal control are not yet implemented. The next component of internal control is information and communication that is reflected on the protection and data security systems, the use of a password to access certain applications (such as finance), backing up data regularly, and maintaining the security of documents from fire and flood. The results showed that 82.83% of respondents said that they had those components. The last component is monitoring. Management periodically reviews the ongoing projects, the follow-up lead on the recommendations of the internal and external audit results. The results showed that 83.13% of respondents have already conductedmonitoring activities, especially at universities (97, 22%). However, there were 20% of Institution and Colleges thatdidnot conduct monitoring of ongoing projects and/ or did not follow the recommendations of the internal and external audit reports.
The potensial risks listed in this reseach were students, education and teaching, research, governance, finance, health and safety and security, human resources, asset management, information technology, and the environment. The average score of the risk management obtained was 129.1 out of 198. The higher this score, the better the risk management was applied. This score is associated with the handling of a variety of potential problems that would arise. The 129.1 was equivalent to the value of 3.39 according to the Likert scale (between value enough (3) and good (4). Further fundings showed that the lowest score was the financial condition and research. This showed that the financial problems was still one of the risks that not yet be managed properly. The mean score of it was 2.67. It indicates in the value of lack (2) and sufficient (3). Financial component covers the diversity of sources of operational funds, loans from external parties, control budgeting and financial management, abuse/manipulation, monitoring and financial audit. The second lowest risk score was research. The average score was 2.83. This suggests that the amount, quality, funding and research cooperation with other parties (industry, universities, government) were still low (under sufficient). In the meantime, it is well understood that research is the heart of any educational institution. Further analysis on the impact of this various risks to the achievement of the vision and mission has the value of 3.32 (between moderate impact value (3) and large (4). The results of testing the impact of the potential risks to the achievement of Vision Mission showed a significant positive impact. (see Table 4). Good organization's governance will certainly provide a significant difference to the progress of the organization, whether it is a for-profit organization or a non-profit one,. (Society of Corporate Secretaries and Governance Professionals, 2008). In this study, GUG was measured using the statements that must be answered with alternative (1) if the higher education institution does not yet have any document of provisions/regulations and good practices have not been implemented, while alternative (5) when the higher education institution has document of provisions/regulations completely, and the implementation has been going well. Based on the respondents' answers, the results showed that the average value obtained from all respondents was 3.7. It means that the answer was between alternative (3)document of provisions/regulations provided partially and implementation is not fully completed and alternative (4) document of provisions/ regulations was complete but the implementation has not conducted completely.
In general, it means that the Higher education institutions have already had most of the documents but the implementation thereof has been partially done. The Indonesian institutional accreditation bodies have demanded and encouraged education institutions in Indonesia to prepare and implement various documented rules/regulations as a reference for good university governance. This research also found that there was influence of internal control to good university governance (GUG). The results showed that there was a significant positive effect of internal control to GUG (see Table 5). Analysis of the influence of Risk Management Implementation to GUG showed a significant positive effect of the risk management to GUG. It means that when the risk management shows a high value (which means that the Higher Education Institution has been well prepared in managing potential risks), the better the implementation of GUG will be.

Conclusion and Recommendations
The research found that the majority (79.1%) Higher Education Institutions in Yogyakarta Special Region have implemented internal control system which is related to internal control environment, risk assessment, control activities, information and communicaton, and monitoring. Control environment consists of a code of conduct, performance appraisal, career development, organizational structure, quality manual and procedures. Risk assessment includes identification of organizational risk, the design process to reduce the risk and risk management documents. Control activities involves the separation of powers and duties between functions within the organization, asset management, accountable of registration and payment system, and financial accountability. Information and communication includes computer-based data security. Monitoring includes a review of ongoing projects as well as the follow-up on the recommendations of internal auditors. We can understand that the Higher Education Institutions' condition relating to the implementation of risk management in general is still at sufficient category. Risk management that need special attention was related with finance and research.
Next, we can conclude that implementation of Good University Governance is quite comprehensive but its implementation has not been engaged completely. However, there is a positive effect of internal control to the implementation of Good University Governance. In addition, there is a positive influence on the implementation of risk management implementation to Good University Governance. Hence, this research is expected to encourage higher education leaders to continue their exploration of modern management for higher education institution especially related to the risk management. This research has limitations with regard to the understanding of the respondents that varied especially related to risk management that could possibly influence the results. Therefore, Association of Higher Education Institutions and the Directorate of Educational and Culture should pay special attention to small private colleges and institutions as well as provide adequate assistance to them due to their limited resources. Proper assistance to them is expected to enhance their education quality. It becomes the responsibility of the faculty members, educators and their leaders to promote qualified researchs and partnership with industry, government or other universities. Further research can be done by taking different samples from different regions in Indonesia or abroad.