
Effective Technique for Internal Audit
WEBINAR IAI & FEBUI
28 – 29 AUGUST 2021
DAY 01
Vidvant Brahmantyo
Partner at RSM

My Journey – Vidvant Brahmantyo

Career timeline (START to Today):
▪ 2004 – Graduated from University and started my career as Financial Auditor at Grant Thornton
▪ 2006 – Joined MAA Insurance as Internal Auditor
▪ 2007 – Joined Deloitte Risk Advisory as Senior Consultant
▪ 2010 – Joined Swiss-Belhotel International as Chief Audit Executive (CAE)
▪ 2011 – Re-joined Deloitte Risk Advisory as Manager
▪ 2018 – Resigned from Deloitte Risk Advisory as Director

Professional Certifications:
• Registered State Accountant No. RNA 9887
• Chartered Accountant (CA) No. 11.D42202
• Certified Internal Auditor (CIA) No. 172916
• Certified Internal Controls Auditor (CICA) No.14075986
• Certified Fraud Examiner (CFE)
• Certified Governance, Risk Management and Compliance Professional (GRCP) No. GRCP-101193
• Certified Governance, Risk Management and Compliance Auditor (GRCA) No. GRCA-101193

Family/others:
- 1 wife
- 2 children

Hobbies/others:
- Basketball
- Futsal & Soccer
- Traveling

https://www.linkedin.com/in/vbrahmantyo/
Agenda
▪ What is Internal Auditing?
▪ The Right Stuff
▪ Internal Audit Roles in Today’s World
▪ Internal Audit Methodology
▪ Risk-Based Internal Audit
▪ Q&A?
What is Internal Auditing?
Audit Means…

Source: https://en.wikipedia.org/wiki/Audit
Internal Audit Definition by IIA
▪ Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization's operations.
▪ It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.*
* Definition by the Institute of Internal Auditors (IIA)
http://www.theiia.org/theiia/about-the-profession/internal-audit-faqs/?i=1077
History of Audit
▪ 5000 years ago, in the Middle Kingdom of the Nile live Mesopotamian Civilization, the Pharaoh's deputy was
overseeing the storage of grains. Auditing was a matter of reperforming the work of others. Auditing meant
observing, counting and double-checking records.
▪ The processes and systems were very simple, and so was auditing.
▪ As the business organizations grew in size and complexity, the practice of Internal Audit also evolved.
History of Audit (Cont’d)
▪ Historically, auditing was concerned with accounting for government activities and reviewing the work done by tax
collectors. In the early years of auditing, the keeping and maintaining of accounting records was done primarily to
detect fraudulent activity.
▪ The industrial revolution in the mid 1700s to the mid 1800s was responsible for the increased demand in auditors
because this period saw an increase in responsibility being passed from owners to managers. This led to an
increased requirement for auditors who were independent of management and who were engaged not only to be
alert for errors within financial records but also errors within the records. In simple terms, deliberate errors in
order to achieve personal financial gain were deemed to be fraudulent activity (as is still the case today) whilst
error was (and still is) unintentional.
▪ During the early 1700s the concept of ‘sampling’ was introduced. Sampling is where auditors select a sample of
items that make up various balances and was used where it is not economically viable to physically examine all the
transactions that have taken place. This practice is still pivotal today.

Source: https://www.oreilly.com/
Evolution of Internal Audit
▪ 1900s: Clerical Work & Theft Auditing
▪ 1950s: Financial Reporting & fraud
▪ 1960s: Operational
▪ 1970s: Internal Control Compliance Oriented
▪ 1990s: Business Orientation
▪ 2000s to Present: Objective Assurance, Consulting Activity, Added Value, Improve an Organization Operation and the Effectiveness of Risk Management, Internal Control, and Governance Process

KEY MILESTONES

IA set to emerge as a Profession
▪ 1941 – Formation of the IIA
▪ 1947 – Issued the Statement of the Responsibilities of the IA (Revised in 1957, 1971, 1976, 1981, and 1990)

IA began as a Profession
▪ 1968 – Issued the Code of Ethics
▪ 1972 – Published the CBOK
▪ 1974 – Created the Professional Certification for IA
▪ 1976 – Formation of the IIA Research Foundation
▪ 1977 – Created a Professional Magazine for IA
▪ 1978 – Issued the IA Standards
▪ 1989 – Establishment of the IIA Indonesia

Advance & Strengthening of IA Profession
▪ 1999 – Issued Current Definition of OA
▪ 2000 – Revised the Code of Ethics
▪ 2002 – Issued the New IA Standards
▪ 2006 – The Standards has been Recognized Globally
▪ 2007 – Issued a New IA Framework – the IPPF
▪ 2015 – Issued a New Enhancement of the IPPF (latest update was in 2017)
Watch Dog vs Trusted Advisors vs Change Agents

▪ CLASSIC ASSURANCE PROVIDERS (“BEAN COUNTERS”)
▪ TRUSTED ADVISORS (“KNOW HOW TO GROW, HARVEST, AND TAKE BEANS TO THE MARKET”)
▪ CHANGE AGENTS (“BOLD AND CONFIDENT TO ADVOCATE CHANGING THE CROP TO MAXIMIZE RESULTS”)
Does Internal Audit have to Exist?

▪ ±16 T: 1MDB sues Deutsche Bank, JPMorgan, Coutts & Co.
▪ ±23.7 T: the largest corruption case in Indonesia
▪ Window dressing of financial statements (3.6 T) and procurement of Bombardier type CRJ1000 aircraft (419 M)
▪ ±16.81 T: corruption case in financial management and investment funds
Most Notorious Case – Enron (2001)
▪ In April 2001, Fortune Magazine listed ENRON as the 7th largest company in the USA and most Innovative Company.

▪ Six months later, ENRON filed for bankruptcy.

▪ Greatest accounting fraud of 20th century.

▪ 12,000 people directly lost their jobs, retirement benefits and entire life savings.

▪ Pensioners who bought stocks of Enron lost US$70 billion when price of stock collapsed to ZERO.

▪ Caused by “Lax Auditing” by Arthur Andersen accounting firm, one of the “Big 5” (85,000 people and over US$9billion annual revenues) collapsed.

▪ Others to blame: CFO Andrew Fastow (6 years prison sentence), CEO Jeff Skilling (24 years prison sentence), stock analysts who keep pushing Enron stock, senior management for hiding losses in dubious off-balance-sheet partnerships, media exaggeration and frenzy.
The Right Stuff
HTTPS://YOUTU.BE/LJUZDVYEBHU
Organization’s Expectation from Internal Auditor
1. Analytical and Critical Thinking
2. Communication
3. IT General Skills
4. Risk Management
5. Business Acumen*

*Succeeding as a 21st Century Internal Auditor: 7 Attributes of Highly Effective Internal Auditors, page 3
7 Sought-After Qualities of an Internal Auditor

“Soft skills are the new hard skills...”
–Larry Harrington–
Chief Audit Executive
Raytheon Company

*Source: Succeeding as a 21st Century Internal Auditor: 7 Attributes of Highly Effective Internal Auditors, page 1
Business Acumen
• Financial acumen: Understanding and interpreting financial statements.
• Marketplace acumen: Competition, market drivers, consumer needs, marketing.
• Operational acumen: Day-to-day operations and production, supply chain, third-party relationship, quality assurance.
• Technology acumen: Leverage and possessing technology skillsets, understanding basic software program coding.
• Strategic acumen: Understanding systems that define and influence an organization’s goals and direction including risk management, decision-making, long-term planning, culture.
Strategic Acumen
Vision

Framework

Perceptiveness

Assertiveness

Flexibility

Emotional balance

Patience

Source: Forbes article by Paloma Cantero-Gomez


Tactical vs Strategic Thinking
Tactical | Strategic
Keeps opportunities and issues separate so that they are digestible. | Recognizes that the solution may not be to simply correct a problem, one that will enhance value.
Looks at what is happening at face value. | Recognizes that the root cause may be far more complex than is evident on the surface.
Works to fill information holes, answering one question and moving to the next without asking any other questions in between. | Doesn’t wait until an audit engagement is complete before applying critical thinking skills.
Focused on checking items off a list to get it finished. | Audit plans should remain dynamic and implementing agile auditing.
Sequential, focusing on one thing followed another. | Implements holistic examination of operations that transformational change can be envisioned and advised.
Avoids complexity. | Embraces complexity.
Building Blocks of Positive Relationship
• Verbal communication skills
• Nonverbal communication skills
• Listening skills
• Networking skills
• Empathy
• Team-building skills
• Emotional intelligence
Innovative Mindset

• Free yourself from the fear of failure
• Create a culture where innovation is rewarded
• Make risk-taking a more consistent behaviour
Leveraging Enabling Technology
Technology Solution that Creates Value
• Has end-to-end automated workflows from planning to testing to reporting and issue management
• Enables remote collaboration with team members, stakeholders, consultants and external auditors
• Enables and empowers integrated risk management & combined assurance
• Serves as the single source of truth for all audit, risk, and controls data
Internal Audit Roles in Today’s World
Three Lines Model: Creating & Protecting Value

Enabler: Communication, Cooperation, and Collaboration


Internal Audit’s Role In The Organization

Board of Directors (BODs)
Audit Committee
CEO
Internal Audit
External Audit
Value Proposition for Key Stakeholders
Internal Auditing:
• Assurance
• Insight
• Objectivity

Governing bodies and senior management rely on Internal Auditing for objective assurance and insight
on the effectiveness and efficiency of governance, risk management and internal control processes.
Internal Audit Activity
Scope of Internal Audit work encompasses a systematic, disciplined approach to evaluating and improving the adequacy and effectiveness
of risk management, control, and governance process and the quality of performance in carrying out assigned responsibilities.
The purpose of evaluating the adequacy of the organization’s existing risk management, control and governance processes is to provide
reasonable assurance that these processes are functioning as intended and will enable the organization’s objectives and goals to be met,
and to provide recommendations for improving the organization’s operations, in terms of both efficient and effective performance.

▪ Governance Existence: Assess and make appropriate recommendations for improving the governance process
▪ Risk Management Evaluation Process: Evaluate the effectiveness and contribute to the improvement of risk management processes
▪ Internal Control: Maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement

Internal Audit Roles
• Provide management and the Audit Committee with ongoing assessments of the company’s risk management processes and system of internal control.
• Play an important role in documenting internal controls, testing internal controls and providing input to management with respect to concluding on design and operating effectiveness.
Internal Audit Role in Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its
accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization;
• Ensuring effective organizational performance management and accountability;
• Communicating risk and control information to appropriate areas of the organization; and
• Coordinating the activities of and communicating information among the board, external and internal auditors, and
management.

▪ Evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.
▪ Assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives
▪ Consulting engagement objectives must be consistent with the overall values and goals of the organization.
Internal Audit Role in Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:
• Organizational objectives support and align with the organization’s mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board
to carry out their responsibilities.
• Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

▪ Evaluate risk exposures relating to the organization’s governance, operations, and information systems.
▪ Evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
▪ Evaluate the effectiveness and contribute to the improvement of risk management processes.

During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence
of other significant risks. Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of
the organization’s risk management processes.

When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any
management responsibility by actually managing risks.
Internal Audit Role in Internal Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and
efficiency and by promoting continuous improvement.
IA activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s
governance, operations, and information system regarding the:
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations;
• Safeguarding of assets; and
• Compliance with laws, regulations, and contracts.

▪ Review operations & programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.
▪ Ascertain the extent to which operating, and program goals and objectives have been established and conform to those of the organization.
▪ Must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization’s control processes.
Internal Audit Methodology
International Professional Practices Framework
“To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight”

• Demonstrating professional competence and accuracy
• Objective and free from undue influence (independent)
• Aligned with the organization's strategy, objectives and risks
• Properly positioned and supported by adequate resources
• Demonstrating quality and continuous improvement
• Communicate effectively
• Give risk-based confidence
• Demonstrating integrity
• Insightful, proactive and focused on the future
• Encourage organizational improvement

Implementation Guidance is more comprehensive than Practice Advisories in guiding practitioners to achieve conformance to standards.

source: global.theiia.org

Supplemental Guidance provides detailed guidance for carrying out internal audit activities such as processes and procedures, tools and techniques, programs, approach steps, and sample deliverables. All Guidance and GTAG Practices become part of the Supplemental Guidance
Process Risk Approach
Vision Mission Value
Goals

Objectives

Strategies
External Stakeholders
Factors Influences
CSFs Risks
Business Processes
KPIs Controls

Audit Plan Audit Strategies


Internal Audit Cycle
People Process Technology

Internal Audit Methodology

1. Co-Develop Expectation
• IA understands the business objectives of company and Develop the expectations regarding IA’s alignment with those business objectives and criteria for assessing the related risks.

2. Develop Risk Model and Universe
• IA identifies business process & develop risk assessment

3. Develop Internal Audit Plan
• Based on the risk assessment results and Audit plan, IA identifies timing, locations, project teams and determine appropriate use of technology tools.

4. Design Audit Programs
• IA develops audit programs of detailed tests.

5. Execute Audit Project Work Plan
• IA performs detailed test work, reviews audit results and holds a formal exit meeting at the conclusion of each audit performed.

6. Deliver Results and Insight
• IA reports audit results to management.
• Periodic reporting of IA activities to senior management & the Audit Committee.

Internal Audit Cycle – Detail Activities
Internal Audit Methodology – Detail Activities

Phase 1: Co-Develop Expectations
• Develop Communication and Reporting Protocols
• Understand Client Business

Phase 2: Develop Risk Model and Universe
• Plan Risk Assessment Project
• Communicate Risk Assessment Results
• Develop Risk Model
• Prioritize Risk

Phase 3: Develop Audit Plan
• Develop Internal Audit Plan
• Schedule Audits and Plan Resources

Phase 4: Design Audit Programs
• Plan Audit Project
• Assess Business Processes and Systems
• Design Internal Audit Program

Phase 5: Execute Audit Project Workplan
• Execute Internal Audit Program

Phase 6: Deliver Results and Insights
• Communicate Internal Audit Results
Risk-Based Internal Audit
Legendary Quotes on Planning
“By failing to prepare, you are preparing to fail.”
― Benjamin Franklin

“A good plan isn't one where someone wins, it's where nobody thinks they've lost.”
― Terry Pratchett, The Amazing Maurice and His Educated Rodents
SOURCE: HTTPS://YOUTU.BE/W2SI_BUE6L8
Performance Standard 2000: Managing the
Internal Audit Activity
Overarching Standards
▪ 2000 – Managing the Internal Audit Activity
The Chief Audit Executive must effectively manage the Internal Audit activity to ensure it adds
value to the organisation.

Underlying Standards
▪ 2010 – Planning
▪ 2020 – Communication and Approval
▪ 2030 – Resource Management
▪ 2040 – Policies and Procedures
▪ 2050 – Co-ordination
▪ 2060 – Reporting to Senior Management and the Board
▪ 2070 – External Service provider and Organizational Responsibility for Internal Auditing
Standard 2010 – Planning
The chief audit executive must establish a risk-based plan to determine the
priorities of the internal audit activity, consistent with the organization’s goals.

Interpretation:

To develop the risk-based plan, the chief audit executive consults with senior
management and the board and obtains an understanding of the organization’s
strategies, key business objectives, associated risks, and risk management
processes. The chief audit executive must review and adjust the plan, as necessary,
in response to changes in the organization’s business, risks, operations, programs,
systems, and controls.
Planning – Internal Audit Cycle Phase 1, 2, and 3

Phase 1: Co-Develop Expectation
Objective

• Gain a thorough understanding of the company’s business objectives and co-develop the expectations
regarding internal audit’s alignment with those business objectives and criteria for assessing the related risks.
• IA develops a mutual understanding of the scope of internal audit among the company’s executive management, the Audit Committee or the Board of Commissioners.

Stakeholders:
▪ Board of Commissioners (Dewan Komisaris)
▪ Board of Directors (Direksi)
▪ Audit Committee (Komite Audit)
▪ Risk Monitoring Committee (Komite Pemantau Risiko)
▪ Senior Management
▪ Risk Management Team
▪ Other Assurance Provider
Phase 2: Develop Risk Model & Universe
Objective

• Identify key aspects of the process to develop a risk model and risk universe.
[Figure, ILLUSTRATIVE: risk heat map plotting Impact of Occurrence against Likelihood of Occurrence (Low to High), with Low Risk, Medium Risk and High Risk zones]

Risk Factors | Likelihood | Impact | Supporting Comments
Systems | 3 - High | 3 - High | Lack of computer systems and resources caused control weaknesses (noted in prior audit). Computer issues present numerous potential risks.
Human Resources | 1 - Low | 1 - Low | Have dedicated Human Resources Department. Staff have high morale and adequate training, and turnover is low.
Complexity of Business Process | 2 - Moderate | 3 - High | Supply chain management has increased complexity of the business process.
Control Processes | 3 - High | 3 - High | Past audits have found control weaknesses that have caused inefficient financial processes and inaccurate financial information. There are no formalized policies & procedures.
Asset Management (Exposure to Loss) | 3 - High | 3 - High | There have been few controls in this area and an inappropriate shrinkage amount exists. Physical controls are non-existent and inventory is suspiciously walking out the door.
Regulatory Environment | 1 - Low | 2 - Moderate | Regulatory issues are related to foreign expansion and they are being addressed.
Business Environment | 2 - Moderate | 2 - Moderate | Key issues going on in business environment are creating the need to solidify the brand in the market.
Customer Impact | 2 - Moderate | 3 - High | Customers currently are loyal, but there is a need to keep them there. This is the most important issue of brand apparel and fashion.
Phase 3: Develop Audit Plan
Objective

• Recommend an auditable segment they should pursue in an engagement.
• Identify considerations related to timing of internal audits.
• Identify considerations for reassessment of an IA plan.

Prioritize IA Universe Based on Completed Risk Model - Example ILLUSTRATIVE


Phase 3: Develop Audit Plan (Cont’d)
Key risks for the selected business risk areas (Inventory) will be identified using appropriate tools (e.g., Risk & Control
Knowledge Base). Then, it will be tailored based on the Company's unique business organization / activities, to have a
reference risk control matrix for the Company’s inventory functions.

ILLUSTRATIVE

Business Area | Business Process | Key Risk
Inventory | Safeguarding Assets | - Access to Warehouse is not limited to authorized person.
Inventory | Safeguarding Assets | - Warehouse is not provided with safety tools such as fire extinguisher.
Inventory | Purchase Request | - Purchase request is not justified with appropriate documentation and approvals.
Inventory | Purchase Request | - Request is not created based on the most economical calculation which benefit Company (e.g., Economic Order Quantity, Buffer Stock, etc.)
Inventory | Inventory Balance | - Excessive/Out of stock balance of inventory.
Inventory | Disposal | - Disposal is not justified with appropriate documentation and approvals.
Inventory | Disposal | - Improper loss on inventory’s trade in/exchange/sales
Inventory | Reporting | - Inventory report does not comply with guidelines in place
Inventory | Reporting | - Inventory report does not include key information for decision making for inventory management (e.g., inventory turnover, aging analysis, etc.).
Phase 3: Develop Audit Plan (Cont’d)
Below is a sample risk control matrix for the Company’s Inventory operation/function. From the result of the Risk
Control Matrix, a graph or summary may be created to indicate the criticality of each area/process.

ILLUSTRATIVE

Risk Control Matrix – Inventory

Functional Area | Audit Area/Process | Sub Process | Business Objectives | Risk for the Process | Inherent Impact | Inherent Likelihood | Criticality | Implications
Inventory | Safeguarding Asset | Warehouse Access | Access to Physical inventory is limited only to authorized person. | Physical loss of inventory. | High | Medium | | Loss of assets

High High
Phase 3: Develop Audit Plan (Cont’d)
ILLUSTRATIVE

Risk # (**) | Risk (**) | Impact (*) | Vulnerability (*) | MARCI response | Partially addressed in proposed internal audit plan
1 | Government regulations | | | Mitigate |
2 | Privacy and security | | | Mitigate | Yes
3 | Permissible use of data | | | Mitigate | Yes
4 | System availability and reliability | | | Assure | Yes
5 | Economic conditions/Industry trends | | | Assure |
6 | Corporate tone at the top | | | Assure |
7 | Selection and implementation of new technology and services | | | Assure | Yes
8 | Customer consolidation | | | Assure |
9 | Changes in accounting standards | | | Assure | Yes
10 | Board conflict of interest or lack of independence | | | Assure |
11 | Product Integrity | | | Assure | Yes
12 | Transformation of accounting and finance | | | Mitigate | Yes
13 | Off-shoring Activities | | | Assure | Yes
14 | Adequate Internal Audit resources to monitor risks | | | Assure | Yes


Study Case – Create a RBIA for PLN
RBIA Flow of Thinking
Strategic Objective

Key Performance Indicator

Top Risk & Risk Appetite Statement

Annual Audit Plan

Internal Audit Department: Assurance, Consulting
Q&A?
Key Takeaways
• Be comfortable with being uncomfortable
• Learn from those around you and above you
• Find the learning opportunity in every mistake you make
• Ask questions!
Thank you
“Do what you love, and success will follow. Passion is the fuel behind a
successful career.”
– Meg Whitman –
Board Member of Procter & Gamble
