Day 1 IAI-Effective Technique For Internal Audit
Technique for
Internal Audit
WEBINAR IAI & FEBUI
28 – 29 AUGUST 2021
DAY 01
Vidvant Brahmantyo
Partner at RSM
https://www.linkedin.com/in/vbrahmantyo/
Professional Certifications:
• Registered State Accountant No. RNA 9887
• Chartered Accountant (CA) No. 11.D42202
• Certified Internal Auditor (CIA) No. 172916
• Certified Internal Controls Auditor (CICA) No.14075986
• Certified Fraud Examiner (CFE)
• Certified Governance, Risk Management and Compliance Professional (GRCP) No. GRCP-101193
• Certified Governance, Risk Management and Compliance Auditor (GRCA) No. GRCA-101193
Career timeline (years shown on the slide: 2004, 2006, 2007, 2010, 2011, 2018, Today):
• Joined Swiss-Belhotel International as Chief Audit Executive (CAE)
• Re-joined Deloitte Risk Advisory as Manager
• Resigned from Deloitte Risk Advisory as Director
Hobbies/others:
- 1 wife
- 2 children
- Basketball
- Futsal & Soccer
- Traveling
Agenda
▪ What is Internal Auditing?
▪ The Right Stuff
▪ Internal Audit Roles in Today’s World
▪ Internal Audit Methodology
▪ Risk-Based Internal Audit
▪ Q&A?
What is Internal Auditing?
Audit Means…
Source: https://en.wikipedia.org/wiki/Audit
Internal Audit Definition by IIA
▪ Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization's operations.
▪ It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.*
* Definition by the Institute of Internal Auditors (IIA)
http://www.theiia.org/theiia/about-the-profession/internal-audit-faqs/?i=1077
History of Audit
▪ 5000 years ago, in the Middle Kingdom of the Nile live Mesopotamian Civilization, the Pharaoh's deputy was
overseeing the storage of grains. Auditing was a matter of reperforming the work of others. Auditing meant
observing, counting and double-checking records.
▪ The processes and systems were very simple, and so was auditing.
▪ As the business organizations grew in size and complexity, the practice of Internal Audit also evolved.
History of Audit (Cont’d)
▪ Historically, auditing was concerned with accounting for government activities and reviewing the work done by tax
collectors. In the early years of auditing, the keeping and maintaining of accounting records was done primarily to
detect fraudulent activity.
▪ The industrial revolution in the mid 1700s to the mid 1800s was responsible for the increased demand in auditors
because this period saw an increase in responsibility being passed from owners to managers. This led to an
increased requirement for auditors who were independent of management and who were engaged not only to be
alert for errors within financial records but also errors within the records. In simple terms, deliberate errors in
order to achieve personal financial gain were deemed to be fraudulent activity (as is still the case today) whilst
error was (and still is) unintentional.
▪ During the early 1700s the concept of ‘sampling’ was introduced. Sampling is where auditors select a sample of
items that make up various balances and was used where it is not economically viable to physically examine all the
transactions that have taken place. This practice is still pivotal today.
Source: https://www.oreilly.com/
Evolution of Internal Audit
[Timeline figure: internal audit orientation across the 1900s, 1950s, 1960s, 1970s, 1990s and 2000s to present, moving from clerical work and theft auditing, through financial reporting and fraud, operational, internal control compliance and business orientations, to objective assurance, consulting activity, added value, and improving an organization's operation and the effectiveness of risk management, internal control, and governance process.]
KEY MILESTONES
IA set to emerge as a Profession
▪ 1941 – Formation of the IIA
▪ 1947 – Issued the Statement of the Responsibilities of the IA (Revised in 1957, 1971, 1976, 1981, and 1990)
IA began as a Profession
▪ 1968 – Issued the Code of Ethics
▪ 1972 – Published the CBOK
▪ 1974 – Created the Professional Certification for IA
▪ 1976 – Formation of the IIA Research Foundation
▪ 1977 – Created a Professional Magazine for IA
▪ 1978 – Issued the IA Standards
▪ 1989 – Establishment of the IIA Indonesia
Advance & Strengthening of IA Profession
▪ 1999 – Issued Current Definition of OA
▪ 2000 – Revised the Code of Ethics
▪ 2002 – Issued the New IA Standards
▪ 2006 – The Standards has been Recognized Globally
▪ 2007 – Issued a New IA Framework – the IPPF
▪ 2015 – Issued a New Enhancement of the IPPF (latest update was in 2017)
Watch Dog vs Trusted Advisors vs Change Agents
▪ Six months later, ENRON filed for bankruptcy.
▪ Greatest accounting fraud of 20th century.
▪ 12,000 people directly lost their jobs, retirement benefits and entire life savings.
▪ Pensioners who bought stocks of Enron lost US$70 billion when price of stock collapsed to ZERO.
▪ Caused by “Lax Auditing” by Arthur Andersen accounting firm, one of the “Big 5” (85,000 people and over US$9 billion annual revenues) collapsed.
▪ Others to blame: CFO Andrew Fastow (6 years prison sentence), CEO Jeff Skilling (24 years prison sentence), stock analysts who keep pushing Enron stock, senior management for hiding losses in dubious off-balance-sheet partnerships, media exaggeration and frenzy.
The Right Stuff
HTTPS://YOUTU.BE/LJUZDVYEBHU
Organization’s Expectation from Internal Auditor
1. Analytical and Critical Thinking
2. Communication
3. IT General Skills
4. Risk Management
5. Business Acumen*
*Succeeding as a 21st Century Internal Auditor: 7 Attributes of Highly Effective Internal Auditors, page 3
7 Sought-After Qualities of an Internal Auditor
–Larry Harrington–
Chief Audit Executive
Raytheon Company
*Source: Succeeding as a 21st Century Internal Auditor: 7 Attributes of Highly Effective Internal Auditors, page 1
Business Acumen
• Financial acumen: Understanding and interpreting financial statements.
• Marketplace acumen: Competition, market drivers, consumer needs, marketing.
• Operational acumen: Day-to-day operations and production, supply chain, third-party relationship, quality assurance.
• Technology acumen: Leverage and possessing technology skillsets, understanding basic software program coding.
• Strategic acumen: Understanding systems that define and influence an organization’s goals and direction including risk management, decision-making, long-term planning, culture.
Strategic Acumen
Vision
Framework
Perceptiveness
Assertiveness
Flexibility
Emotional balance
Patience
Networking skills
Team-building skills
Empathy
Emotional intelligence
Innovative Mindset
• Free yourself from the fear of failure
• Create a culture where innovation is rewarded
• Make risk-taking a more consistent behaviour
Leveraging Enabling Technology
Technology Solution that Creates Value
• Has end-to-end automated workflows from planning to testing to reporting and issue management
• Enables remote collaboration with team members, stakeholders, consultants and external auditors
• Serves as the single source of truth for all audit, risk, and controls data
• Enables and empowers integrated risk management & combined assurance
Internal Audit Roles in Today’s World
Three Lines Model: Creating & Protecting Value
[Diagram labels: Audit Committee, CEO, Internal Audit, External Audit]
Value Proposition for Key Stakeholders
Internal Auditing:
• Assurance
• Insight
• Objectivity
Governing bodies and senior management rely on Internal Auditing for objective assurance and insight
on the effectiveness and efficiency of governance, risk management and internal control processes.
Internal Audit Activity
Scope of Internal Audit work encompasses a systematic, disciplined approach to evaluating and improving the adequacy and effectiveness
of risk management, control, and governance process and the quality of performance in carrying out assigned responsibilities.
The purpose of evaluating the adequacy of the organization’s existing risk management, control and governance processes is to provide
reasonable assurance that these processes are functioning as intended and will enable the organization’s objectives and goals to be met,
and to provide recommendations for improving the organization’s operations, in terms of both efficient and effective performance.
Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:
• Organizational objectives support and align with the organization’s mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board
to carry out their responsibilities.
• Risk management processes are monitored through ongoing management activities, separate evaluations, or both.
During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence
of other significant risks. Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of
the organization’s risk management processes.
When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any
management responsibility by actually managing risks.
Internal Audit Role in Internal Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and
efficiency and by promoting continuous improvement.
IA activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s
governance, operations, and information system regarding the:
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations;
• Safeguarding of assets; and
• Compliance with laws, regulations, and contracts.
Supplemental Guidance provides detailed guidance for carrying out internal audit
activities such as processes and procedures, tools and techniques, programs, approach
steps, and sample deliverables. All Guidance and GTAG Practices become part of the
Supplemental Guidance.
Process Risk Approach
Vision Mission Value
Goals
Objectives
Strategies
External Factors
Stakeholders Influences
CSFs Risks
Business Processes
KPIs Controls
Internal Audit Methodology
[Cycle diagram labels: Develop Risk Model; Prioritize Risk; Schedule Audits and Plan Resources; Design Internal Audit Program; 3 Develop Audit Plan; 4 Design Audit Programs; 5 Execute Audit Project Work Plan]
• Based on the risk assessment results and Internal Audit plan, IA identifies timing, locations, project teams and determines appropriate use of technology tools.
• IA performs detailed test work, reviews audit results and holds a formal exit meeting at the conclusion of each audit performed.
Risk-Based Internal Audit
Legendary Quotes on Planning
“By failing to prepare, you are preparing to fail.”
― Benjamin Franklin
Underlying Standards
▪ 2010 – Planning
▪ 2020 – Communication and Approval
▪ 2030 – Resource Management
▪ 2040 – Policies and Procedures
▪ 2050 – Co-ordination
▪ 2060 – Reporting to Senior Management and the Board
▪ 2070 – External Service provider and Organizational Responsibility for Internal Auditing
Standard 2010 – Planning
The chief audit executive must establish a risk-based plan to determine the
priorities of the internal audit activity, consistent with the organization’s goals.
Interpretation:
To develop the risk-based plan, the chief audit executive consults with senior
management and the board and obtains an understanding of the organization’s
strategies, key business objectives, associated risks, and risk management
processes. The chief audit executive must review and adjust the plan, as necessary,
in response to changes in the organization’s business, risks, operations, programs,
systems, and controls.
Planning – Internal Audit Cycle Phase 1, 2, and 3
People Process Technology
• Gain a thorough understanding of the company’s business objectives and co-develop the expectations
regarding internal audit’s alignment with those business objectives and criteria for assessing the related risks.
• IA develops a mutual understanding of the scope of internal audit among the company’s executive management,
the Audit Committee or the Board of Commissioners.
[Diagram labels: Board of Commissioners, Board of Directors, Audit Committee, Risk Monitoring Committee]
• Identify key aspects of the process to develop a risk model and risk universe.
[Illustrative risk map: Impact of Occurrence (Low to High) plotted against Likelihood of Occurrence (Low to High), with High Risk, Medium Risk and Low Risk zones]
Human Resources | 1 - Low | 1 - Low | Have dedicated Human Resources Department. Staff have high morale and adequate training, and turnover is low.
Complexity of Business Process | 2 - Moderate | 3 - High | Supply chain management has increased complexity of the business process.
Control Processes | 3 - High | 3 - High | Past audits have found control weaknesses that have caused inefficient financial processes and inaccurate financial information. There are no formalized policies & procedures.
Asset Management (Exposure to Loss) | 3 - High | 3 - High | There have been few controls in this area and an inappropriate shrinkage amount exists. Physical controls are non-existent and inventory is suspiciously walking out the door.
Regulatory Environment | 1 - Low | 2 - Moderate | Regulatory issues are related to foreign expansion and they are being addressed.
Business Environment | 2 - Moderate | 2 - Moderate | Key issues going on in business environment are creating the need to solidify the brand in the market.
Customer Impact | 2 - Moderate | 3 - High | Customers currently are loyal, but there is a need to keep them there. This is the most important issue of brand apparel and fashion.
Phase 3: Develop Audit Plan
Objective
Phase 3: Develop Audit Plan (Cont’d)
Internal Audit Department: Assurance, Consulting
Q&A?
Key Takeaways
• Be comfortable with being uncomfortable
• Learn from those around you and above you