
Day 1

Effective Technique for Internal Audit
WEBINAR IAI & FEBUI
28 – 29 AUGUST 2021

DAY 01
Vidvant Brahmantyo
Partner at RSM

My Journey – Vidvant Brahmantyo

Career timeline:
▪ 2004 (START): Graduated from University and started my career as Financial Auditor at Grant Thornton
▪ 2006: Joined MAA Insurance as Internal Auditor
▪ 2007: Joined Deloitte Risk Advisory as Senior Consultant
▪ 2010: Joined Swiss-Belhotel International as Chief Audit Executive (CAE)
▪ 2011: Re-joined Deloitte Risk Advisory as Manager
▪ 2018: Resigned from Deloitte Risk Advisory as Director
▪ Today

Professional Certifications:
• Registered State Accountant No. RNA 9887
• Chartered Accountant (CA) No. 11.D42202
• Certified Internal Auditor (CIA) No. 172916
• Certified Internal Controls Auditor (CICA) No. 14075986
• Certified Fraud Examiner (CFE)
• Certified Governance, Risk Management and Compliance Professional (GRCP) No. GRCP-101193
• Certified Governance, Risk Management and Compliance Auditor (GRCA) No. GRCA-101193

Family/others:
- 1 wife
- 2 children

Hobbies/others:
- Basketball
- Futsal & Soccer
- Traveling

https://www.linkedin.com/in/vbrahmantyo/
Agenda
▪ What is Internal Auditing?
▪ The Right Stuff
▪ Internal Audit Roles in Today’s World
▪ Internal Audit Methodology
▪ Risk-Based Internal Audit
▪ Q&A?
What is Internal Auditing?
Audit Means…

Source: https://en.wikipedia.org/wiki/Audit
Internal Audit Definition by IIA
▪ Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization's operations.
▪ It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.*
* Definition by the Institute of Internal Auditors (IIA)
http://www.theiia.org/theiia/about-the-profession/internal-audit-faqs/?i=1077
History of Audit
▪ 5000 years ago, in the Middle Kingdom of the Nile live Mesopotamian Civilization, the Pharaoh's deputy was
overseeing the storage of grains. Auditing was a matter of reperforming the work of others. Auditing meant
observing, counting and double-checking records.
▪ The processes and systems were very simple, and so was auditing.
▪ As the business organizations grew in size and complexity, the practice of Internal Audit also evolved.
History of Audit (Cont’d)
▪ Historically, auditing was concerned with accounting for government activities and reviewing the work done by tax
collectors. In the early years of auditing, the keeping and maintaining of accounting records was done primarily to
detect fraudulent activity.
▪ The industrial revolution in the mid 1700s to the mid 1800s was responsible for the increased demand in auditors
because this period saw an increase in responsibility being passed from owners to managers. This led to an
increased requirement for auditors who were independent of management and who were engaged not only to be
alert for errors within financial records but also errors within the records. In simple terms, deliberate errors in
order to achieve personal financial gain were deemed to be fraudulent activity (as is still the case today) whilst
error was (and still is) unintentional.
▪ During the early 1700s the concept of ‘sampling’ was introduced. Sampling is where auditors select a sample of
items that make up various balances and was used where it is not economically viable to physically examine all the
transactions that have taken place. This practice is still pivotal today.

Source: https://www.oreilly.com/
Evolution of Internal Audit
▪ 1900s: Clerical Work & Theft
▪ 1950s: Financial Reporting & fraud
▪ 1960s: Operational Auditing
▪ 1970s: Internal Control Compliance Oriented
▪ 1990s: Business Orientation
▪ 2000s to Present: Objective Assurance, Consulting Activity, Added Value, Improve an Organization Operation and the Effectiveness of Risk Management, Internal Control, and Governance Process

KEY MILESTONES

IA set to emerge as a Profession
▪ 1941 – Formation of the IIA
▪ 1947 – Issued the Statement of the Responsibilities of the IA (Revised in 1957, 1971, 1976, 1981, and 1990)

IA began as a Profession
▪ 1968 – Issued the Code of Ethics
▪ 1972 – Published the CBOK
▪ 1974 – Created the Professional Certification for IA
▪ 1976 – Formation of the IIA Research Foundation
▪ 1977 – Created a Professional Magazine for IA
▪ 1978 – Issued the IA Standards
▪ 1989 – Establishment of the IIA Indonesia

Advance & Strengthening of IA Profession
▪ 1999 – Issued Current Definition of OA
▪ 2000 – Revised the Code of Ethics
▪ 2002 – Issued the New IA Standards
▪ 2006 – The Standards has been Recognized Globally
▪ 2007 – Issued a New IA Framework – the IPPF
▪ 2015 – Issued a New Enhancement of the IPPF (latest update was in 2017)
Watch Dog vs Trusted Advisors vs Change Agents

▪ CLASSIC ASSURANCE PROVIDERS (“BEAN COUNTERS”)
▪ TRUSTED ADVISORS (“KNOW HOW TO GROW, HARVEST, AND TAKE BEANS TO THE MARKET”)
▪ CHANGE AGENTS (“BOLD AND CONFIDENT TO ADVOCATE CHANGING THE CROP TO MAXIMIZE RESULTS”)
Does Internal Audit have to Exist?

▪ ±16 T: 1MDB sues Deutsche Bank, JPMorgan, Coutts & Co.
▪ ±23.7 T: the largest corruption case in Indonesia
▪ ±16.81 T: corruption case involving the management of finances and investment funds
▪ Window dressing of financial statements (3.6 T) and procurement of Bombardier type CRJ1000 aircraft (419 M)
Most Notorious Case – Enron (2001)
▪ In April 2001, Fortune Magazine listed ENRON as the 7th largest company in the USA and most Innovative Company.

▪ Six months later, ENRON filed for bankruptcy.

▪ Greatest accounting fraud of 20th century.

▪ 12,000 people directly lost their jobs, retirement benefits and entire life savings.

▪ Pensioners who bought stocks of Enron lost US$70 billion when price of stock collapsed to ZERO.

▪ Caused by “Lax Auditing” by Arthur Andersen accounting firm, one of the “Big 5” (85,000 people and over US$9 billion annual revenues) collapsed.

▪ Others to blame: CFO Andrew Fastow (6 years prison sentence), CEO Jeff Skilling (24 years prison sentence), stock analysts who keep pushing Enron stock, senior management for hiding losses in dubious off-balance-sheet partnerships, media exaggeration and frenzy.
The Right Stuff
HTTPS://YOUTU.BE/LJUZDVYEBHU
Organization’s Expectation from Internal Auditor
1. Analytical and Critical Thinking
2. Communication
3. IT General Skills
4. Risk Management
5. Business Acumen*

*Succeeding as a 21st Century Internal Auditor: 7 Attributes of Highly Effective Internal Auditors, page 3
7 Sought-After Qualities of an Internal Auditor

“Soft skills are the new hard skills...”
– Larry Harrington, Chief Audit Executive, Raytheon Company


*Source: Succeeding as a 21st Century Internal Auditor: 7 Attributes of Highly Effective Internal Auditors, page 1
Business Acumen
• Financial acumen: Understanding and interpreting financial statements.
• Marketplace acumen: Competition, market drivers, consumer needs, marketing.
• Operational acumen: Day-to-day operations and production, supply chain, third-party relationship, quality assurance.
• Technology acumen: Leverage and possessing technology skillsets, understanding basic software program coding.
• Strategic acumen: Understanding systems that define and influence an organization’s goals and direction including risk management, decision-making, long-term planning, culture.
Strategic Acumen
Vision
Framework

Perceptiveness
Assertiveness

Flexibility

Emotional balance

Patience

Source: Forbes article by Paloma Cantero-Gomez


Tactical vs Strategic Thinking
Tactical: Keeps opportunities and issues separate so that they are digestible.
Strategic: Recognizes that the solution may not be to simply correct a problem, one that will enhance value.

Tactical: Looks at what is happening at face value.
Strategic: Recognizes that the root cause may be far more complex than is evident on the surface.

Tactical: Works to fill information holes, answering one question and moving to the next without asking any other questions in between.
Strategic: Doesn’t wait until an audit engagement is complete before applying critical thinking skills.

Tactical: Focused on checking items off a list to get it finished.
Strategic: Audit plans should remain dynamic and implementing agile auditing.

Tactical: Sequential, focusing on one thing followed another.
Strategic: Implements holistic examination of operations that transformational change can be envisioned and advised.

Tactical: Avoids complexity.
Strategic: Embraces complexity.
Building Blocks of Positive Relationship
▪ Verbal communication skills
▪ Nonverbal communication skills
▪ Listening skills
▪ Networking skills
▪ Empathy
▪ Team-building skills
▪ Emotional intelligence
Innovative Mindset

▪ Free yourself from the fear of failure
▪ Create a culture where innovation is rewarded
▪ Make risk-taking a more consistent behaviour
Leveraging Enabling Technology

Technology Solution that Creates Value


▪ Has end-to-end automated workflows from planning to testing to reporting and issue management
▪ Enables remote collaboration with team members, stakeholders, consultants and external auditors
▪ Enables and empowers integrated risk management & combined assurance
▪ Serves as the single source of truth for all audit, risk, and controls data
Internal Audit Roles in Today’s World
Three Lines Model: Creating & Protecting Value

Enabler: Communication, Cooperation, and Collaboration


Internal Audit’s Role In The Organization

[Organization chart: Board of Directors (BODs); Audit Committee; CEO; Internal Audit; External Audit]
Value Proposition for Key Stakeholders

Internal Auditing:
• Assurance
• Insight
• Objectivity

Governing bodies and senior management rely on Internal Auditing for objective assurance and insight
on the effectiveness and efficiency of governance, risk management and internal control processes.
Internal Audit Activity
Scope of Internal Audit work encompasses a systematic, disciplined approach to evaluating and improving the adequacy and effectiveness
of risk management, control, and governance process and the quality of performance in carrying out assigned responsibilities.

The purpose of evaluating the adequacy of the organization’s existing risk management, control and governance processes is to provide
reasonable assurance that these processes are functioning as intended and will enable the organization’s objectives and goals to be met,
and to provide recommendations for improving the organization’s operations, in terms of both efficient and effective performance

Governance
• Assess and make appropriate recommendations for improving the governance process

Risk Management
• Evaluate the effectiveness and contribute to the improvement of risk management processes

Internal Control
• Maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement

(Diagram labels: Existence, Evaluation, Process)

Internal Audit Roles
• Provide management and the Audit Committee with ongoing assessments of the company’s risk management processes and system of internal control.
• Play an important role in documenting internal controls, testing internal controls and providing input to management with respect to concluding on design and operating effectiveness.
Internal Audit Role in Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its
accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization;
• Ensuring effective organizational performance management and accountability;
• Communicating risk and control information to appropriate areas of the organization; and
• Coordinating the activities of and communicating information among the board, external and internal auditors, and
management.

▪ Evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.
▪ Assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.
▪ Consulting engagement objectives must be consistent with the overall values and goals of the organization.
Internal Audit Role in Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:
• Organizational objectives support and align with the organization’s mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board
to carry out their responsibilities.
• Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

▪ Evaluate risk exposures relating to the organization’s governance, operations, and information systems.
▪ Evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
▪ Evaluate the effectiveness and contribute to the improvement of risk management processes.

During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence
of other significant risks. Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of
the organization’s risk management processes.

When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any
management responsibility by actually managing risks.
Internal Audit Role in Internal Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and
efficiency and by promoting continuous improvement.
IA activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s
governance, operations, and information system regarding the:
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations;
• Safeguarding of assets; and
• Compliance with laws, regulations, and contracts.

▪ Review operations & programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.
▪ Ascertain the extent to which operating, and program goals and objectives have been established and conform to those of the organization.
▪ Must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization’s control processes.
Internal Audit Methodology
International Professional Practices Framework
“To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight”

• Demonstrating professional competence and accuracy
• Objective and free from undue influence (independent)
• Aligned with the organization's strategy, objectives and risks
• Properly positioned and supported by adequate resources
• Demonstrating quality and continuous improvement
• Communicate effectively
• Give risk-based confidence
• Demonstrating integrity
• Insightful, proactive and focused on the future
• Encourage organizational improvement

source: global.theiia.org

Implementation Guidance is more comprehensive than Practice Advisories in guiding practitioners to achieve conformance to standards.

Supplemental Guidance provides detailed guidance for carrying out internal audit activities such as processes and procedures, tools and techniques, programs, approach steps, and sample deliverables. All Guidance and GTAG Practices become part of the Supplemental Guidance.
Process Risk Approach
[Diagram: Vision, Mission, Value; Goals; Objectives; Strategies; External Factors; Stakeholders Influences; CSFs; Risks; Business Processes; KPIs; Controls; Audit Plan; Audit Strategies]


Internal Audit Cycle
People, Process, Technology

Internal Audit Methodology:

1. Co-Develop Expectation
• IA understands the business objectives of company and Develop the expectations regarding IA’s alignment with those business objectives and criteria for assessing the related risks.

2. Develop Risk Model and Universe
• IA identifies business process & develop risk assessment

3. Develop Audit Plan
• Based on the risk assessment results and Internal Audit plan, IA identifies timing, locations, project teams and determine appropriate use of technology tools.

4. Design Audit Programs
• IA develops audit programs of detailed tests.

5. Execute Audit Project Work Plan
• IA performs detailed test work, reviews audit results and holds a formal exit meeting at the conclusion of each audit performed.

6. Deliver Results and Insight
• IA reports audit results to management.
• Periodic reporting of IA activities to senior management & the Audit Committee.


Internal Audit Cycle – Detail Activities
Internal Audit Methodology – Detail Activities

Phases:
▪ Phase 1: Co-Develop Expectations
▪ Phase 2: Develop Risk Model and Universe
▪ Phase 3: Develop Audit Plan
▪ Phase 4: Design Audit Programs
▪ Phase 5: Execute Audit Project Workplan
▪ Phase 6: Deliver Results and Insights

Activities shown in the diagram:
▪ Develop Communication and Reporting Protocols
▪ Understand Client Business
▪ Plan Risk Assessment Project
▪ Communicate Risk Assessment Results
▪ Develop Risk Model
▪ Prioritize Risk
▪ Develop Internal Audit Plan
▪ Schedule Audits and Plan Resources
▪ Plan Audit Project
▪ Assess Business Processes and Systems
▪ Design Internal Audit Program
▪ Execute Internal Audit Program
▪ Communicate Internal Audit Results
Risk-Based Internal Audit
Legendary Quotes on Planning

“By failing to prepare, you are preparing to fail.”
— Benjamin Franklin

“A good plan isn't one where someone wins, it's where nobody thinks they've lost.”
— Terry Pratchett, The Amazing Maurice and His Educated Rodents
SOURCE: HTTPS://YOUTU.BE/W2SI_BUE6L8
Performance Standard 2000: Managing the Internal Audit Activity
Overarching Standards
▪ 2000 – Managing the Internal Audit Activity
The Chief Audit Executive must effectively manage the Internal Audit activity to ensure it adds
value to the organisation.

Underlying Standards
▪ 2010 – Planning
▪ 2020 – Communication and Approval
▪ 2030 – Resource Management
▪ 2040 – Policies and Procedures
▪ 2050 – Co-ordination
▪ 2060 – Reporting to Senior Management and the Board
▪ 2070 – External Service provider and Organizational Responsibility for Internal Auditing
Standard 2010 – Planning
The chief audit executive must establish a risk-based plan to determine the
priorities of the internal audit activity, consistent with the organization’s goals.

Interpretation:

To develop the risk-based plan, the chief audit executive consults with senior
management and the board and obtains an understanding of the organization’s
strategies, key business objectives, associated risks, and risk management
processes. The chief audit executive must review and adjust the plan, as necessary,
in response to changes in the organization’s business, risks, operations, programs,
systems, and controls.
Planning – Internal Audit Cycle Phase 1, 2, and 3


Phase 1: Co-Develop Expectation
Objective

• Gain a thorough understanding of the company’s business objectives and co-develop the expectations
regarding internal audit’s alignment with those business objectives and criteria for assessing the related risks.
• IA develops a mutual understanding of the scope of internal audit among the company’s executive management,
the Audit Committee or the Board of Commissioners.

▪ Board of Commissioners
▪ Board of Directors
▪ Audit Committee
▪ Risk Monitoring Committee
▪ Senior Management
▪ Risk Management Team
▪ Other Assurance Provider
Phase 2: Develop Risk Model & Universe
Objective

• Identify key aspects of the process to develop a risk model and risk universe.
[ILLUSTRATIVE risk map: Impact of Occurrence (Low to High) against Likelihood of Occurrence (Low to High), with Low Risk, Medium Risk and High Risk zones]

Risk Factors | Likelihood | Impact | Supporting Comments
Systems | 3 - High | 3 - High | Lack of computer systems and resources caused control weaknesses (noted in prior audit). Computer issues present numerous potential risks.
Human Resources | 1 - Low | 1 - Low | Have dedicated Human Resources Department. Staff have high morale and adequate training, and turnover is low.
Complexity of Business Process | 2 - Moderate | 3 - High | Supply chain management has increased complexity of the business process.
Control Processes | 3 - High | 3 - High | Past audits have found control weaknesses that have caused inefficient financial processes and inaccurate financial information. There are no formalized policies & procedures.
Asset Management (Exposure to Loss) | 3 - High | 3 - High | There have been few controls in this area and an inappropriate shrinkage amount exists. Physical controls are non-existent and inventory is suspiciously walking out the door.
Regulatory Environment | 1 - Low | 2 - Moderate | Regulatory issues are related to foreign expansion and they are being addressed.
Business Environment | 2 - Moderate | 2 - Moderate | Key issues going on in business environment are creating the need to solidify the brand in the market.
Customer Impact | 2 - Moderate | 3 - High | Customers currently are loyal, but there is a need to keep them there. This is the most important issue of brand apparel and fashion.
Phase 3: Develop Audit Plan
Objective

• Recommend an auditable segment they should pursue in an engagement.


• Identify considerations related to timing of internal audits.
• Identify considerations for reassessment of an IA plan.

Prioritize IA Universe Based on Completed Risk Model - Example (ILLUSTRATIVE)


Phase 3: Develop Audit Plan (Cont’d)
Key risks for the selected business risk areas (Inventory) will be identified using appropriate tools (e.g., Risk & Control
Knowledge Base). Then, it will be tailored based on the Company's unique business organization / activities, to have a
reference risk control matrix for the Company’s inventory functions.

ILLUSTRATIVE

Business Area: Inventory

Business Process | Key Risk
Safeguarding Assets | - Access to Warehouse is not limited to authorized person.
Safeguarding Assets | - Warehouse is not provided with safety tools such as fire extinguisher.
Purchase Request | - Purchase request is not justified with appropriate documentation and approvals.
Purchase Request | - Request is not created based on the most economical calculation which benefit Company (e.g., Economic Order Quantity, Buffer Stock, etc.)
Inventory Balance | - Excessive/Out of stock balance of inventory.
Disposal | - Disposal is not justified with appropriate documentation and approvals.
Disposal | - Improper loss on inventory’s trade in/exchange/sales
Reporting | - Inventory report does not comply with guidelines in place
Reporting | - Inventory report does not include key information for decision making for inventory management (e.g., inventory turnover, aging analysis, etc.).
Phase 3: Develop Audit Plan (Cont’d)
Below is a sample risk control matrix for the Company’s Inventory operation/function. From the result of the Risk
Control Matrix, a graph or summary may be created to indicate each area's/process's criticality.

ILLUSTRATIVE

Risk Control Matrix – Inventory

Functional Area | Audit Area/Process | Sub Process | Business Objectives | Risk for the Process | Inherent Criticality: Impact | Inherent Criticality: Likelihood | Implications
Inventory | Safeguarding Asset | Warehouse Access | Access to Physical inventory is limited only to authorized person. | Physical loss of inventory. | High | Medium | Loss of assets

High High
Phase 3: Develop Audit Plan (Cont’d)
ILLUSTRATIVE

Risk # | Risk | Impact (*) | Vulnerability (*) | MARCI response (**) | Partially addressed in proposed internal audit plan
1 | Government regulations | | | Mitigate |
2 | Privacy and security | | | Mitigate | Yes
3 | Permissible use of data | | | Mitigate | Yes
4 | System availability and reliability | | | Assure | Yes
5 | Economic conditions/Industry trends | | | Assure |
6 | Corporate tone at the top | | | Assure |
7 | Selection and implementation of new technology and services | | | Assure | Yes
8 | Customer consolidation | | | Assure |
9 | Changes in accounting standards | | | Assure | Yes
10 | Board conflict of interest or lack of independence | | | Assure |
11 | Product Integrity | | | Assure | Yes
12 | Transformation of accounting and finance | | | Mitigate | Yes
13 | Off-shoring Activities | | | Assure | Yes
14 | Adequate Internal Audit resources to monitor risks | | | Assure | Yes


Study Case – Create a RBIA for PLN
RBIA Flow of Thinking
Strategic Objective

Key Performance Indicator

Top Risk & Risk Appetite Statement

Annual Audit Plan

Internal Audit Department: Assurance, Consulting
Q&A?
Key Takeaways
▪ Be comfortable with being uncomfortable
▪ Learn from those around you and above you
▪ Find the learning opportunity in every mistake you make
▪ Ask questions!
Thank you
“Do what you love, and success will follow. Passion is the fuel behind a
successful career.”
– Meg Whitman –
Board Member of Procter & Gamble
Day 2
Agenda
▪ Design Audit Programs
▪ Execute Audit Project Work Plan
▪ Deliver Results and Insight
▪ Q&A?
Design Audit Programs
SOURCE: HTTPS://YOUTU.BE/WBPX6JMGBYA
7 Deadly Internal Audit Sins (Cont’d)
1) Publish an erroneous report (a mistake could be equally devastating);
2) To intentionally submit incomplete or false work papers (unethical);
3) Lose your temper with a client (don’t act out unprofessionally);
4) Auditing with an agenda (auditing with a conflict of interest);
5) Betraying the bond of confidentiality (inappropriate information exchange);
6) Violating company policy (walking the talk); and
7) Issuing an internal auditor's report that is petty or doesn’t add value
(wasting time on unimportant detail).
Phase 4: Design Audit Programs
[Internal Audit Methodology cycle diagram: 1 Co-Develop Expectation; 2 Develop Risk Model and Universe; 3 Develop Audit Plan; 4 Design Audit Programs; 5 Execute Audit Project Work Plan; 6 Deliver Results and Insight]

4. Design Audit Programs
▪ A successful internal audit engagement should be supported by a well-designed Internal Audit Program
▪ There are two objectives in Design Internal Audit Programs as follows:
  ▪ Develop Internal Audit Program
  ▪ Approve Internal Audit Program
▪ A well-developed audit program will provide the foundation for the control testing being executed efficiently. Specifically, it:
  ▪ Assists in controlling work and assigning responsibility;
  ▪ Provides a record and confirmation of work completed; and
  ▪ Supports the achievement of the internal audit objectives
Develop Internal Audit Program

▪ Develop Internal Audit Program: Internal Audit Program Draft
▪ Approve Internal Audit Program: Internal Audit Program (Approved)
What is an Audit Program and its Purpose?
An audit program can be described as follows:

▪ A detailed work plan that stipulates procedural steps required to achieve audit
objectives, including the creation of key working paper deliverables and/or the
final report.
▪ A document that sets forth procedures necessary to complete an efficient and
effective audit; it is suggested that this document be approved by the
engagement/project leader and/or Chief Internal Auditor, as applicable and
dependent on type of audit, prior to start of fieldwork.
▪ A project work plan that can assist in developing and monitoring project budgets.
Why is an Audit Program Important?
It is important to have a well-developed audit program, as it addresses a number of objectives. These objectives
include:

▪ Provide an outline of the work to be performed


▪ Encourage a thorough understanding of the audited function or department by listing program steps
aimed at gaining an understanding
▪ Assist project management in controlling work and assigning responsibility
▪ Provide a record of the scope of the audit and work steps completed
▪ Aid in reviewing the audit
▪ Furnish evidence that the work is adequately planned
▪ Provide evidence that the scope of a particular function or department has received separate and
adequate consideration and that important aspects or steps of the audit have been considered and not
omitted
▪ Serve as a directive and guide against which actual performance is ultimately compared
▪ Give order and coherence to the audit undertaking

A comprehensive and well-written audit program substantiates the procedures followed, the compliance and
substantive tests performed, the information and evidence obtained, and the audit conclusions reached
Key Internal Audit Program Requirements
Sample size

Basis for selection

Time period subject to testing

Reports from which samples will be obtained

Names of reports and documents to be reviewed or used for testing

Specific attributes to be tested


Key Steps in Designing an Internal Audit Program
1. Understand the Business
Obtain understanding of the selected business process as indicated in the Internal Audit Planning Memorandum. This can be achieved through the following:
• Review of Standard Operating Procedures for the related business process
• Review of Financial Statements / Management Reports

2. Link and Map the Risks Identified to the Business Process
• Map the risks identified to the business process
• Determine the audit objectives. At minimum, the audit objectives should address the risks identified

3. Design Audit Work to be Performed
Based on the Audit Objectives, design specific audit work to be performed, to address the risks identified

4. Finalise the Internal Audit Program
Determine the following based on our understanding of the business process and the specific audit work designed for the engagement:
• Sample Size;
• Basis of Selection;
• Time period subject to testing;
• Reports from which samples will be obtained;
• Names of reports and documents to be reviewed or used for testing; and
• Specific attributes to be tested
Key Steps in Designing an Internal Audit Program – Sample

Audit Area: Expenditure Payment

Risks Identified:
✓ Unauthorised Payment

Audit Objectives:
Payments are supported and reviewed prior to payment

Proposed Audit Work:
✓ Ascertain that Payment Vouchers (“PV”) are sequentially numbered
✓ Ascertain that there is segregation of duties in the process of payments
✓ Ascertain that the goods/services have been received by reviewing the Suppliers Delivery Order or the Company’s Goods Received Note. Determine whether these documents are acknowledged by the Receiver. Match the Purchase Order / Contract before payment is processed
✓ Ascertain that a Payment Voucher is raised and supported with the relevant supporting documents prior payment
✓ Ascertain that the Payment Voucher is approved in accordance with the Authorised Approval Matrix
Key Steps in Designing an Internal Audit Program
– Sample (Cont’d)
Key Stakeholders
Key Process Owner
▪ To determine if the Audit Team has a correct understanding of business processes; and
▪ To verify feasibility of test programs

Chief Audit Executive (CAE) /Coordinator of the Audit


▪ To ensure that all key risk areas and concerns have been addressed by the Internal Audit Program; and
▪ To manage the expectation of the Chief Audit Executive (CAE)/Coordinator of the Audit in relation to work being
performed. This will facilitate the process of asking for a fee increase should any significant client delays occur.

Internal Audit Engagement Assistant Managers and Managers


▪ To review the Internal Audit Program and determine if it adequately addresses the internal audit scope and does
not require excessive testing; and
▪ To ensure that appropriate control objectives, control activities and risks have been identified. Subsequently, the
documented understanding of the process should adequately relate to risks identified.
Execute Audit
Project Work
Plan
Performance Standard 2300: Performing the Engage

Overarching Standards
▪ 2300 – Performing the Engagement
Internal Auditors must identify, analyze, evaluate, and document sufficient information to achieve the
engagement’s objectives.

Underlying Standards
▪ 2310 – Identifying Information
Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement’s
objectives.
▪ 2320 – Analysis and Evaluation
Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.
▪ 2330 – Documenting Information
Internal auditors must document sufficient, reliable, relevant, and useful information to support the engagement
results and conclusions.
▪ 2340 – Engagement Supervision
Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is
developed.
Phase 5: Execute Audit Project Work Plan
[Diagram: Internal Audit Methodology cycle: 1 Co-Develop Expectation; 2 Develop Risk Model and Universe; 3 Develop Audit Plan; 4 Design Audit Programs; 5 Execute Audit Project Work Plan; 6 Deliver Results and Insight]
5. A shift in emphasis to “What must go right” not simply “What can go wrong.” An efficient approach that not only reveals the impact and extent of real issues but assists in mitigating them.
▪ Initial assessment workshop
▪ Integrated testing
▪ Deductive analytics
▪ Clarity over agreed control strategy
▪ Determine training, CSA and CCM needs.
▪ Accelerate solutions development
Execute Audit Project Work Plan
Activity: Execution Preparation → Walkthrough (Design Effectiveness Review) → Sample Testing (Operating Effectiveness Review) → Closure of Fieldwork
Reference:
▪ Execution Preparation: Best practices; Prior years’ working papers and reports; Data Analytics; Integrated database
▪ Walkthrough: Audit Program
▪ Sample Testing: Walkthrough results
▪ Closure of Fieldwork: Walkthrough results; Sample testing results
Outcome: Background Information; Audit Program; Risk Control Matrix; Test Sheet; Observation; Exit Meeting Documents
Internal Audit Execution Principles
▪ Understand the business & client
▪ Risk management
▪ Know the people
▪ Provide value (root cause & recommendation)
▪ Pre-empt (solve it before it happens)
Examples of Principles in Action
▪ Research past files/internet/client’s information
▪ Know past experience, know the people
▪ Assign team most suited in addressing technical profile and people requirements
▪ Communicate with clients, give them heads-up on possible issues
▪ Follow-up and escalate
▪ Look at any findings objectively, if we can’t articulate the risks or can’t identify the benefit of solving it, then possibly not an issue
▪ Know our scope, know what is the basic we need to do
▪ Focus on thinking more (and adding value) and complete the routine work fast
▪ Formalised and keep documentary for client communication
Audit Planning Memorandum (APM)
Objective is to provide the necessary planning and background information, to be
used by the team and circulated to client (with certain sections removed)
APM should include the following:

▪ Scope of review
▪ Timeline of project (fieldwork, reporting etc.)
▪ Team members
▪ Background of scope of review
▪ Focus areas
▪ Challenges, strategy and approach
▪ Summary of past audit findings
▪ Request For Information (RFI)
▪ Process owners
What is a Business Cycle?
A business cycle is a collection of:
▪ Transactions
▪ Processes
▪ Controls
[Diagram: Financial Accounting, Revenue, Expenditure, Inventory, Payroll & Personnel, Fixed Assets, Treasury]
Practical Example – Expenditure Cycle
We should obtain an understanding of the flow of transactions, the processes, and controls.
Example of Expenditure Cycle:

[Diagram: expenditure cycle showing the Supplier Master File; the Purchase Order, Inventory and Account Payable sub-systems; the Purchase Order, Good Received Note and Invoice documents; Purchase Order Data; the General Ledger; Transaction Reports, Disbursement and Ledger Reports; and numbered control points]
Audit of Expenditure Cycle

Supplier Master File – Example of controls:


1. The ability to create, change, or delete vendor pricing information should be restricted;
2. The ability to create, change, or delete vendor master records should be restricted;
3. The ability to input, change, cancel, or release vendor invoices for payment should be restricted; and
4. Reports of changes to vendor master records are compared to authorized source documents and/or a manual
log of requested changes to ensure that all valid changes were input accurately and timely.
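Control 4 above, as an added example that is not part of the original slides: a reconciliation of a vendor master change report against a log of authorised change requests. All field names, the `max_days` timeliness threshold and the sample records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Change:
    """One row of the system-generated vendor master change report."""
    vendor_id: str
    field: str
    new_value: str
    changed_by: str
    changed_on: date


@dataclass(frozen=True)
class Request:
    """One row of the manual log of requested (authorised) changes."""
    request_id: str
    vendor_id: str
    field: str
    new_value: str
    approved_by: str
    approved_on: date


def reconcile(changes, requests, max_days=5):
    """Return a sorted list of (exception_type, reference) tuples.

    max_days is an assumed timeliness threshold, not a value from the slides.
    """
    by_key = defaultdict(list)
    for req in requests:
        by_key[(req.vendor_id, req.field)].append(req)

    used = set()          # request ids already matched to a change
    exceptions = []
    for chg in changes:
        ref = f"{chg.vendor_id}/{chg.field}"
        unused = [r for r in by_key.get((chg.vendor_id, chg.field), [])
                  if r.request_id not in used]
        if not unused:
            # Validity: a change with no authorised source document.
            exceptions.append(("UNAUTHORISED_CHANGE", ref))
            continue
        match = next((r for r in unused if r.new_value == chg.new_value), None)
        if match is None:
            # Accuracy: a request exists but a different value was keyed in.
            used.add(unused[0].request_id)
            exceptions.append(("VALUE_DIFFERS_FROM_REQUEST", ref))
            continue
        used.add(match.request_id)
        if chg.changed_on < match.approved_on:
            exceptions.append(("INPUT_BEFORE_APPROVAL", ref))
        elif (chg.changed_on - match.approved_on).days > max_days:
            exceptions.append(("LATE_INPUT", ref))      # timeliness
        if chg.changed_by == match.approved_by:
            exceptions.append(("INPUT_BY_APPROVER", ref))  # segregation of duties

    # Completeness: every valid request should appear in the change report.
    for req in requests:
        if req.request_id not in used:
            exceptions.append(("APPROVED_BUT_NOT_INPUT", req.request_id))
    return sorted(exceptions)


# Constructed sample data.
SAMPLE_REQUESTS = [
    Request("R-001", "V100", "bank_account", "111-222", "fin.mgr", date(2021, 8, 2)),
    Request("R-002", "V200", "payment_terms", "NET30", "fin.mgr", date(2021, 8, 3)),
    Request("R-003", "V300", "bank_account", "555-666", "fin.mgr", date(2021, 8, 4)),
    Request("R-004", "V400", "address", "Jl. Sudirman 1", "fin.mgr", date(2021, 8, 5)),
]
SAMPLE_CHANGES = [
    Change("V100", "bank_account", "111-222", "ap.clerk", date(2021, 8, 3)),
    Change("V200", "payment_terms", "NET60", "ap.clerk", date(2021, 8, 4)),
    Change("V300", "bank_account", "555-666", "fin.mgr", date(2021, 8, 20)),
    Change("V500", "bank_account", "999-000", "ap.clerk", date(2021, 8, 6)),
]

if __name__ == "__main__":
    for kind, ref in reconcile(SAMPLE_CHANGES, SAMPLE_REQUESTS):
        print(f"{kind:28s} {ref}")
```

Each exception type maps to one attribute of the control: validity, accuracy, timeliness, segregation of duties or completeness.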
Audit of Expenditure Cycle (Cont’d)

Purchase Order Module – Example of controls:


1. The ability to create, change, or cancel purchase requisitions should be restricted;
2. The ability to create, change, or cancel purchase orders should be restricted; and
3. The application validates purchase orders on-line (automated controls).
Audit of Expenditure Cycle (Cont’d)

Inventory Module – Example of controls:


1. The ability to input, change, or cancel goods received transactions should be restricted; and
2. The ability to input vendor invoices that do not have a purchase order and/or goods receipt as support should be restricted.
Audit of Expenditure Cycle (Cont’d)

Account Payable Module – Example of controls:


1. The ability to modify the payment run parameter specification or to initiate a payment run should be restricted;
2. The ability to release invoices that have been blocked for payment, either for an individual invoice or for a specified vendor, should be restricted; and
3. The system automatically matches vendor invoice transactions to receipts of goods and purchase orders. It then posts the invoices to the
appropriate vendor account in Accounts Payable and to the Accounts Payable control account in the general ledger (automated controls).
Risk Control Matrix (RCM)
Risk Control Matrix (RCM) is a table that compares risks with the corresponding controls in a business
process. Effectiveness of controls shall be assessed based on this RCM.

Risks: List up risks related to a business process
Examples: Errors in sales amounts when entering to system, registering false sales, etc.
Controls: List up controls to remediate the risks listed (for manual operations and system functions)
Examples: Approval by manager, restrictions to prevent entering information of false customers by master data, periodic check for unusual amounts, etc.
Audit Program Component - Scope
Scope of the audit and risk mapping

No: 1
Audit Objectives (as defined in APM): Payments are supported and reviewed prior to payments and recognition
Risk: Fraudulent payments; Unauthorised payments
Management Assertion

Validity: Corresponding transactions actually exist and are authorized.
Completeness: All transactions are recorded as they should be.
Accuracy: Transactions are recorded accurately.
Allocation: Transactions are recorded in the appropriate term.


Management Assertion (Cont’d)
Existence or Occurrence
Existence is an assertion about whether an asset or a liability exists at a certain time. Occurrence
is an assertion about whether a recorded transaction has occurred during a certain period.
Completeness
Completeness is an assertion of whether all transactions and accounts that should be presented in the Financial
Statements are available and recorded.
Valuation or Allocation
Valuation or Allocation is an assertion to ensure that each asset and liability is recorded at an appropriate value.
Rights and Obligations
Rights is an assertion about whether the Company has rights to an asset at a certain time. Obligation is an
assertion about whether the Company has an obligation that is the responsibility of the Company at a certain
time.
Presentation and Disclosure
Presentation is an assertion about whether certain components in the Financial Statements have been
appropriately classified and described. Disclosure is an assertion that describes whether all material information
has been disclosed in the Financial Statements.
Walkthrough - Tasks
▪ Understand the existing business process from process owners
▪ Identify and review existing controls based on risk identified
▪ Identify design effectiveness deficiencies

Risk 1: Fraudulent payments
Design Effectiveness:
1. Review that 3-way match, where applicable, is performed before processing invoice
2. Review that a control (e.g. system control) is in place to prevent an invoice/credit note from being recorded twice
3. Review whether management reviews the aged accounts payable analysis regularly and unusual items are investigated and resolved in a timely manner
Risk 2: Unauthorised payments
Design Effectiveness:
1. Review the authorization matrix on whether it is up to date
2. Understand the urgent payment procedures

Design effectiveness deficiency:


a) a necessary control is missing
b) an existing control doesn’t remediate the risk.
Understand the Process
Transaction Volume

Transaction Categories

Key Statistic Summarised by Category

Transaction Structure
Document the Controls

Check your control documentation:


1. What is the risk being controlled?
2. Who (or what system) performs the control activity?
3. How frequent is the activity performed?
4. What mechanism is used to perform the activity (source documents)?
Conducting Interviews: Tip
Who, What, When, Where, How, Why, What if, Why not
▪ Have them explain their process role from beginning to end
▪ Keep initial questions open-ended
▪ Don’t use a checklist approach
▪ Take detailed notes
▪ Be inquisitive, ask probing questions
▪ Ask them to show you (observe)
▪ Ask them if there are any gaps or opportunities for enhancement
▪ Include discussion on key systems and applications
▪ Ask to receive documentation not already obtained
▪ Be well prepared and make efficient use of their time
Control Category

Policies & Procedures: A policy establishing what should be done, and serving as a basis for the second element, procedures to effect the policy.

Authorization: Written consent to proceed with a requested activity, without in any way diminishing the applicant’s obligation to meet the standard or specified requirements.

Verification: Comparison of two or more items, or the use of supplementary tests, to ensure the accuracy, correctness, or truth of the information / Alternative term for acknowledgement

Regulation Compliance: Compliance with relevant laws and regulations.

Monitoring: Analysis of actual results versus organizational goals or plans, periodic and regular operational reviews, metrics, and other key performance indicators.

Segregation of Duties: Control policy according to which no person should be given responsibility for more than one related function.
Sample Testing - Tasks
▪ Design test steps based on the controls identified during D&I review
▪ Select samples from the transaction population (e.g. PO listing, payment listing)
▪ Perform testing on samples
▪ Identify operating effectiveness deficiency
Risk: 1. Fraudulent payments
Controls Identified during D&I Review:
1. Purchases are made based on approved Purchase Request (“PR”).
2. 3 quotations are sourced for the purchase
3. Services or goods are received prior to payment
4. Invoice is matched to approved Purchase Order (“PO”), Invoices and evidence of receipt
Operating Effectiveness:
A. For 25 samples of payments selected, verify the following:
1. Payment is duly supported (i.e. invoice, evidence of receipt, Purchase Order)
2. Payment is invalidated (stamped paid) upon payment
3. Payment is approved according to authorization matrix
B. Perform data analytics to identify:
1. duplicate invoice numbers
2. duplicate payment voucher numbers

Operating effectiveness deficiency:


a) a control does not operate as designed
b) the person performing the control does not possess the necessary authority or qualifications.
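The operating-effectiveness tests listed above, as an added example that is not part of the original slides: per-payment attribute checks (support, invalidation, approval level) plus the duplicate invoice and duplicate payment voucher analytics. The authorisation matrix limits, role names, field names and payment records are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed authorisation matrix: payments up to each limit need at least this role.
AUTH_MATRIX = [(10_000_000, "supervisor"), (100_000_000, "manager"),
               (float("inf"), "director")]
ROLE_RANK = {"supervisor": 1, "manager": 2, "director": 3}

# Constructed payment listing (the population from which samples are drawn).
PAYMENTS = [
    {"pv_no": "PV-0001", "vendor": "V100", "invoice_no": "INV-1001", "amount": 5_000_000,
     "po_no": "PO-1", "grn_no": "GRN-1", "stamped_paid": True, "approver_role": "supervisor"},
    {"pv_no": "PV-0002", "vendor": "V100", "invoice_no": "inv 1001", "amount": 5_000_000,
     "po_no": "PO-1", "grn_no": "GRN-1", "stamped_paid": True, "approver_role": "supervisor"},
    {"pv_no": "PV-0003", "vendor": "V200", "invoice_no": "INV-77", "amount": 50_000_000,
     "po_no": "PO-2", "grn_no": "", "stamped_paid": True, "approver_role": "manager"},
    {"pv_no": "PV-0004", "vendor": "V300", "invoice_no": "INV-9", "amount": 250_000_000,
     "po_no": "PO-3", "grn_no": "GRN-3", "stamped_paid": False, "approver_role": "manager"},
    {"pv_no": "PV-0004", "vendor": "V400", "invoice_no": "INV-12", "amount": 1_000_000,
     "po_no": "PO-4", "grn_no": "GRN-4", "stamped_paid": True, "approver_role": "supervisor"},
]


def normalise_invoice_no(raw):
    """Drop case, spaces and punctuation so 'INV-1001' and 'inv 1001' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", raw.upper())


def required_role(amount):
    """Lowest role allowed to approve a payment of this amount."""
    for limit, role in AUTH_MATRIX:
        if amount <= limit:
            return role


def check_payment(p):
    """Test step A: attribute checks on one sampled payment."""
    findings = []
    # A1: invoice, evidence of receipt and purchase order must all be present.
    if not all(p[doc] for doc in ("invoice_no", "grn_no", "po_no")):
        findings.append("NOT_SUPPORTED")
    # A2: supporting documents are stamped paid so they cannot be reused.
    if not p["stamped_paid"]:
        findings.append("NOT_INVALIDATED")
    # A3: approver must hold at least the role the matrix requires.
    if ROLE_RANK[p["approver_role"]] < ROLE_RANK[required_role(p["amount"])]:
        findings.append("APPROVAL_BELOW_MATRIX")
    return findings


def duplicate_groups(payments, key):
    """Test step B: group PV numbers by key and keep groups with more than one entry."""
    groups = defaultdict(list)
    for p in payments:
        groups[key(p)].append(p["pv_no"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def run_checks(payments):
    """Run step A on every listed payment and step B on the whole population."""
    return {
        "exceptions": [(p["pv_no"], code) for p in payments for code in check_payment(p)],
        "duplicate_invoices": duplicate_groups(
            payments, lambda p: (p["vendor"], normalise_invoice_no(p["invoice_no"]))),
        "duplicate_pv_numbers": sorted(duplicate_groups(payments, lambda p: p["pv_no"])),
    }


if __name__ == "__main__":
    for name, value in run_checks(PAYMENTS).items():
        print(name, value)
```

Duplicate invoices are grouped per vendor after normalisation, because a re-keyed invoice rarely repeats the original number character for character.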
Sample Test Sheet

Type of Control    Control Frequency       Sample Size
Manual             Many Times per Day      25
                   Daily                   15
                   Weekly                  5
                   Monthly                 2
                   Quarterly / Annually    1
ITAC                                       1

This is just a guideline. Sample size can be based on your professional
judgment.
Key Questions Prior Closure Meeting
▪ How Do You Know When You’re Ready for the Closure Meeting?
▪ What are the Key Elements of a “Successful” Closure Meeting?
▪ Who to Invite to the Closure Meeting?
Closure Meeting Preparation
❑ Workpapers have been completed and reviewed.
❑ Communication of potential issues, findings and/or areas of concerns has been made with the Audit Client prior to the closure meeting (root cause availability is a plus).
❑ Any gap was supported with sufficient evidence.

Inviting the Attendee
❑ The decision of who to invite should be based on
input from the Chief Audit Executive (CAE), Audit
Manager, Audit Staff and the Audit Client.
❑ Invitation should include:
➢ Audit Client’s Head of Division (if available)
➢ Audit Client
➢ Audit Client’s Staff (Staff Worked with During the
Engagement)
➢ Audit Team
A Successful Closure Meeting Tips & Tricks
Aces the Attitude
Deliver Results and
Insight
Auditor's Report Definition
The auditor's report is a formal opinion, or disclaimer thereof, issued by
either an internal auditor or an independent external auditor as a result
of an internal or external audit, as an assurance service in order for the
user to make decisions based on the results of the audit.

Source: https://en.wikipedia.org/wiki/Auditor%27s_report
Audit Report Related Standards
2400 – Communicating Results
Internal auditors must communicate the results of engagements.
2410 – Criteria for Communicating
Communications must include the engagement’s objectives, scope, and results.
2410.A1
Final communication of engagement results must include applicable conclusions, as well as applicable recommendations
and/or action plans. Where appropriate, the internal auditors’ opinion should be provided. An opinion must take into
account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient,
reliable, relevant, and useful information.
2410.A2
Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications
2410.A3
When releasing engagement results to parties outside the organization, the communication must include limitations on
distribution and use of the results.
2410.C1
Communication of the progress and results of consulting engagements will vary in form and content depending upon the
nature of the engagement and the needs of the client.
Audit Report Related Standards (Cont’d)
2420 – Quality of Communications
Communications must be accurate, objective, clear, concise, constructive, complete, and timely.

2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal
Auditing”
Indicating that engagements are “conducted in conformance with the International Standards for the Professional Practice of
Internal Auditing” is appropriate only if supported by the results of the quality assurance and improvement program.

2440 – Disseminating Results


The chief audit executive must communicate results to the appropriate parties.

2450 – Overall Opinions


When an overall opinion is issued, it must take into account the strategies, objectives, and risks of the organization; and the
expectations of senior management, the board, and other stakeholders. The overall opinion must be supported by sufficient,
reliable, relevant, and useful information.
Phase 6: Deliver Results and Insight
People, Process, Technology
[Diagram: Internal Audit Methodology cycle with a description of each phase]
1. Co-Develop Expectation: IA understands the business objectives of company and develops the expectations regarding IA’s alignment with those business objectives and criteria for assessing the related risks.
2. Develop Risk Model and Universe: IA identifies business process & develops risk assessment.
3. Develop Audit Plan: Based on the risk assessment results and Internal Audit plan, IA identifies timing, locations, project teams and determines appropriate use of technology tools.
4. Design Audit Programs: IA develops audit programs of detailed tests.
5. Execute Audit Project Work Plan: IA performs detailed test work, reviews audit results and holds a formal exit meeting at the conclusion of each audit performed.
6. Deliver Results and Insight: IA reports audit results to management. Periodic reporting of IA activities to senior management & the Audit Committee.


Audit Report is an Evidence of Quality Audit

Risk-Based Internal Audit Audit Report


Audit Report Means to Internal Auditor

Aquaman
Judge
Police Officer

Thor
Pandawa Lima
Things to Consider When Drafting Audit Report
❖ Stakeholders have diverse needs.
❖ Effective audit communication needs to be accurate, objective, clear, concise, constructive, complete and timely to be
relevant.

❖ The audit report must include the objectives, scope, and results of the engagement.
❖ Management’s action plans must be included, as they are often the most referenced segment of the report over time.
❖ It is important to conduct a thorough review of the content to validate factual accuracy, completeness of reporting, and
ensure the engagement results and conclusions are supported by sufficient, reliable, relevant, and useful information.
❖ A concise executive summary may highlight good practices observed during the engagement and any steps taken by
management to improve governance, risk management, and internal controls
❖ The distribution of the report must be validated and approved by the Chief Audit Executive (CAE) to ensure it is directed
to the intended recipients and disseminated to the appropriate parties who can ensure that the results are given due
consideration.
Audit Report Potential Pitfalls
Significant errors and omissions.

Language that is too technical or filled with too much jargon.

Observations and recommendations that are not well-formulated.

Failing to acknowledge satisfactory performance.

Omitting or not explaining the scope limitations.

Issuing late reports or issuing them to inappropriate parties.


Audit Report Elements
Five C’s
Criteria: Standards, measures, or expectations used in making an evaluation and/or verification of an observation (what should exist). Criteria are used to compare and evaluate the existing condition(s) and can be written policies, procedures, laws, regulations, and/or guidelines. Criteria can also be established organizational practices, expectations based on the design of the control, and even common-sense procedures that may not be formally documented and may require internal auditors’ professional judgment for their evaluation.

Condition: Factual evidence identified during the course of the engagement (what does exist). Condition is the key issue the internal auditor considers, and it can be measurable or observable.

Cause: Underlying reason for the difference between the criteria and condition (why the difference exists). It answers the questions “what allows the condition to exist?” and “why did the condition occur?” It is essential that internal audit work with management to identify the root cause of the gap.

Consequence (Effect): Risk or exposure encountered because the condition is not consistent with the criteria (the consequence of the difference). In determining the degree of risk or exposure, internal auditors consider the effect that the engagement observations may have on the organization’s operations and/or financial reporting process. Effects can be existing or potential.

Corrective Action Plan / Recommendation: Recommendations are internal auditors’ suggestions for correcting conditions and identifying the cause to prevent recurrence (or the creation of new conditions). Recommendations provide an efficient and effective way to address the gaps identified between condition and criteria. Actions that were initiated by management during the internal audit engagement, but before the issuance of the written report, can be acknowledged in the final engagement communication.
Gap, Root Cause Analysis & Recommendation
Observation, Recommendation & Management Acti
Examples of Condition, Effect, Cause, Root Cause,
& Recommendation
Rating of Finding

Rating: Description
High: An audit finding is assigned a “High” priority when the underlying internal controls or processes contain material or pervasive weaknesses. Remedial action should be taken immediately to address the audit finding. The condition requires improvements with more than usual management involvement and monitoring until the internal controls are improved.

Medium: An audit finding is assigned a “Medium” priority when there are improvements required in the level of internal controls, effectiveness and efficiency of operations, reliability of financial records, compliance with applicable laws and regulations and supervision or compliance with policies. Positive (but not urgent) action is required from management to address the audit finding within 3 months.

Low: An audit finding is assigned a “Low” priority when the internal controls are generally functioning with some minor exceptions, mostly in terms of efficiency and isolated events of non-compliance. Management has 3 to 6 months to address the audit finding.
Audit Report Template – Executive Summary
Audit Report Template – Executive Summary
(Cont’d)
Observations, Recommendations and
Management Response
Writing an Impactful Audit Report: 6 Tips for being more Persuasive
▪ Keep It Short
▪ Keep It Simple
▪ Remember the 5 C’s
▪ Make Your Best Ideas Stand Out
▪ Consider the Implications
▪ Don’t Neglect the Basics
Q&A?
Key Takeaways
Know the principles, be resourceful and creative in application

Work hard but work smarter, 1(effort) + 1(smart) = 3


Thank you
“Risk comes from not knowing what you’re doing.”
– Warren Buffett –
CEO of Berkshire Hathaway
Day 3
By: Fernandez Gultom CPA
▪ EDUCATIONAL BACKGROUND
▪ BACHELOR DEGREE OF ECONOMICS IN UNIVERSITAS SUMATERA UTARA
▪ CERTIFIED PUBLIC ACCOUNTANT ISSUED BY IAPI

▪ WORKING EXPERIENCES
▪ SENIOR MANAGER IN KAP PURWANTONO, SUNGKORO AND SURJA (ERNST AND YOUNG
INDONESIA)
▪ DIGITAL TRANSFORMATION
▪ INTERNAL AUDIT FUNCTION
▪ INTERNAL AUDIT FUNCTION in DIGITAL TRANSFORMATION

▪ IT AUDIT’S ROLE IN DIGITAL TRANSFORMATION


▪ What is Digital Transformation?
▪ Digital transformation (DT or DX) is the use of new, fast and frequently
changing digital technology to solve problems. It is about transforming
processes that were non digital or manual to digital processes.
▪ Digital Transformation examples:
• IT modernization, like cloud computing
• Reskilling employees
• Implementing digital tools like artificial intelligence (AI) to free employees to focus on
tasks requiring creativity, problem-solving, and more human skills
• Using design thinking to discover and resolve pain points in the customer journey
• Revamping processes to adapt to customers’ needs
• Moving to a remote-first workspace
▪ There are 3 pillars of digital transformation
▪ People
▪ Process
▪ Tools
▪ PEOPLE

Investing in new technologies is pointless if no one is capable of
utilizing them. That’s why people should be central to any digital
transformation strategy.
To ensure the successful adoption of technology, follow these steps:
▪ Get the right people in the right roles
▪ Provide training
▪ Measure output
▪ PROCESS

The digital transformation framework provides new, improved ways of doing
things. These could be digital tools that help people collaborate, give insights
into client/customer behavior, automate marketing and sales, or improve
nearly any other business function that used to depend on manual
processes. For people to utilize these tools effectively, the processes need to
be established and communicated effectively.
To achieve this:
▪ Create documentation
▪ Update process frequently
▪ Ensure standardization
▪ TOOLS

As we have seen, new digital tools are not the only element of digital
transformation, but they still form an integral part of it. The challenge
here is to successfully bridge the gap between new and existing
technologies to produce the best results.
To achieve this:
▪ Fully utilize existing tools
▪ Select the right technology
▪ What Is Internal Auditing?
▪ Internal auditing is an independent, objective, assurance and
consulting activity designed to add value and improve an
organization’s operations.
▪ The organization that performs internal auditing is defined as
Internal Auditor.
▪ Internal Audit Responsibilities
▪ Offer Insight and Advice
▪ Evaluate Risks
▪ Assess Controls
▪ Ensure Accuracy
▪ Improve Operations
▪ Promote Ethics
▪ Review Processes and Procedures
▪ Monitor Compliance
▪ Assure Safeguards
▪ Investigate Fraud
▪ Communicate Results
▪ Development of Internal Audit
▪ Internal Audit 1.0
▪ Internal Audit 2.0
▪ Internal Audit 3.0
▪ Internal Audit 4.0
▪ Internal Audit 1.0
▪ Internal audit has ramped up in efficiency and focus with improved
standards, guidelines, etc. But the “tools” to perform these tasks
were mostly paper based.
▪ The first major change that leads to internal audit 1.0 is the
introduction of software solutions specifically designed for audit
purposes. These tools were initially “fat clients” hence with the
software and the data installed and residing on someone’s own
machine.
▪ Internal Audit 2.0
▪ Fast forward now to 2002 and the inception of the Sarbanes-Oxley
Act. The Act focused a lot of attention on internal control and audit
tools. At the same time, introduction of new technology
improvements helped developers move away from fat clients to full
web solutions no longer hosted on a user’s machine.
▪ This is a breakthrough for information sharing: many people can
now work simultaneously on the same topic and collaborate.
Consolidation of findings and recommendations also becomes
much more efficient and instantaneous.
▪ Internal Audit 3.0
▪ Integrating the information from a variety of sources to present a
single source of truth. The result is a self-correcting framework in
which each line of defense collaborates with the others to
continuously provide complete and reliable information.
▪ Internal Audit 4.0
▪ These detection strategies use Big Data analytics capabilities
to find irregularities in the data being audited.
▪ The challenges resulting from new digital technologies are driven by
five main trends:
▪ Technology/digital disruption
▪ Business transformation aligned with technology transformation
▪ Utilizing big data
▪ Cyber security
▪ Regulatory pressure
▪ Identify Technology Risk:
▪ Data quality risk
▪ IT governance risk
▪ Cyber security risk
▪ Regulatory risk
▪ Business system risk
▪ IT process and asset risk
▪ IT compliance risk
▪ IT resilience and continuance risk
▪ Solution for Internal Audit including IT Audit for digital transformation:
1. Set foundation
Sharpening Internal Audit’s IT focus consists of developing a clear understanding of key
stakeholders’ expectations and then recognizing that those expectations likely evolved and
will continue to evolve in today’s rapidly changing environment.
To stay ahead of the curve on continuously evolving risks, Internal Audit must network both
internally and externally regarding emerging risks and mitigation practices.
Internal Audit’s role in ensuring that technology-related risks get considered properly
becomes especially important when a company is getting ready to roll out a new business
process, product, or information system.
By leveraging the IT risk assessment, Internal Audit can serve as a trusted advisor to the
business by proactively identifying organisation-specific risks and by providing strategic
advice and value-added services when it comes to issues that involve cyber security, privacy,
the cloud, big data, social media, the Internet of Things, and other technology challenges.
▪ Solution for Internal Audit including IT Audit for digital
transformation:
2. Assess Risk
Internal Audit should develop an enterprise risk profile and conduct a dynamic and
comprehensive risk assessment that incorporates a company’s risk universe, major
trends and opportunities, and macro risks.
Internal Audit should also use data analytics and visualisation tools to find out where
risks reside in the organization.

3. Execute Audits
Internal Audit can more fully develop the audit plan to drive enterprise value. The plan
should be balanced, taking into account identified risk areas, relevant regulatory
expectations, stakeholder requests, and emerging trends and opportunities.
▪ Solution for Internal Audit including IT Audit for digital transformation:
4. Deliver Report
Deliver a robust set of meaningful recommendations and insights on technology
challenges by expanding from a narrow, fixed approach to an informed, proactive, big-
picture stance that evolves with the organisation’s needs.
Leverage the management to create awareness and education around key technology
trends.
Day 4+Day 5
Effective Technique For
Internal Auditor

Zoom Webinar
AGENDA

I. Internal Audit Standards
II. Engagement Planning
III. Performing the Engagement
IV. Engagement Communication and Monitoring of Corrective Actions
I.
Internal Audit Standards
A.
INTRODUCTION
MILESTONES OF THE INTERNAL AUDIT PROFESSION

Before 1941, 1941, 2002, 2019 onwards

Worldcom’s VP Internal Audit.
Megafraud whistleblower
EVOLUTION OF THE ROLE OF THE INTERNAL AUDIT PROFESSION

▪ Watch Dog - Compliance Audit
▪ Consulting (Insight)
▪ Catalyst
▪ Strategic Business Partner & Trusted Advisor
▪ Next ?
WATCH DOG → CONSULTANT → CATALYST
THE PINNACLE ROLE OF INTERNAL AUDIT TODAY

Attributes of today’s internal auditor:

▪ Ethical resiliency
▪ Results focus
▪ Intellectual curiosity and open-mindedness
▪ Dynamic communication and inspirational leadership
▪ Insightful relationships
▪ Critical-thinking skills, business acumen, and technical expertise
THE THREE LINES MODEL – THE IIA
GOVERNING BODY

1. Is accountable to stakeholders for oversight of the organization.
2. Engages with stakeholders to monitor their interests and transparently communicates the achievement of the organization’s objectives.
3. Nurtures a culture that promotes ethical behavior and accountability.
4. Establishes governance structures and processes, including supporting committees as required.
5. Delegates responsibility and provides resources to management so that it can achieve the organization’s objectives.
6. Determines the organization’s risk appetite and exercises oversight of risk management (including internal control).
7. Maintains oversight of compliance with laws, regulations and ethical values.
8. Establishes and oversees an independent, objective and competent internal audit function.
MANAGEMENT

• First Line Roles

1. Leads and directs actions (including risk management) and the application of resources to achieve the organization's objectives.
2. Maintains a continuous dialogue with the governing body and reports on plans, actual results and expected outcomes linked to the achievement of the organization's objectives and its risks.
3. Develops and maintains adequate structures and processes for managing operations and risk (including internal control).
4. Ensures compliance with laws, regulations and ethical values.
MANAGEMENT

• Second Line Roles

1. Provides complementary expertise, support, monitoring and challenge in the process of managing risk, including:
a) The development, implementation and continuous improvement of risk management practices (including internal control) at the process, system and entity level.
b) The achievement of risk management objectives, such as: compliance with laws, regulations and ethical behaviour; internal control; information and technology security; sustainability; and quality assurance.
2. Provides analysis and reports on the adequacy and effectiveness of risk management (including internal control).
INTERNAL AUDIT

1. Maintains primary accountability to the governing body and independence from the work that is management's responsibility.
2. Communicates independent and objective assurance and advice to management and the governing body on the adequacy and effectiveness of governance and risk management (including internal control) to support the achievement of the organization's objectives, and promotes and facilitates continuous improvement.
3. Reports impairments to independence and objectivity to the governing body and implements safeguards as required.
INTERNAL AUDIT CAPABILITY MODEL
B. IPPF
INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK
Mandatory

Recommended
MISSION
To protect and enhance organizational value by providing risk-based and objective assurance, advice and insight.

PRINCIPLES
• Demonstrates integrity.
• Competent and exercises due professional care.
• Objective and independent.
• Aligned with the strategies, objectives and risks of the organization.
• Adequately resourced.
• Quality and continuous improvement.
• Communicates effectively.
• Provides risk-based assurance.
• Insightful, proactive and future-focused.
• Promotes organizational improvement.

DEFINITION
• An independent and objective assurance and consulting activity,
• Adds value and improves the organization's operations.
• Helps the organization accomplish its objectives
• Uses a systematic and disciplined approach
• Evaluates and improves the effectiveness of risk management, control and governance processes.

Released: 2017

CODE OF ETHICS
Principles: Integrity, Objectivity, Confidentiality, Competency
MISSION

• To protect and enhance organizational value by providing risk-based and objective assurance, advice and insight.
PRINCIPLES

1. Demonstrates integrity.
2. Competent and exercises due professional care.
3. Objective and independent.
4. Aligned with the strategies, objectives and risks of the organization.
5. Adequately resourced.
6. Quality and continuous improvement.
7. Communicates effectively.
8. Provides risk-based assurance.
9. Insightful, proactive and future-focused.
10. Promotes organizational improvement.
DEFINITION

1. An independent and objective assurance and consulting activity,
2. Adds value and improves the organization's operations.
3. Helps the organization accomplish its objectives
4. Uses a systematic and disciplined approach
5. Evaluates and improves the effectiveness of risk management, control and governance processes.
TYPES OF INTERNAL AUDIT SERVICES
Types of Internal Audit Services

Assurance
• Objective examination of evidence
• To provide an assessment
• Of governance, risk management and internal control.

Consulting
• Advisory and related services
• Nature and scope agreed with the client
• Intended to add value
• Improve governance, risk management and control.
THE ASSURANCE ROLE

• Objective examination of evidence
• To provide an assessment
• Of governance, risk management and internal control.
• Examples: audit, review, evaluation, examination, specified procedures, etc.

Parties: User/Mandate Giver, Auditor, Auditee
THE CONSULTING ROLE

• Advisory, insight and related activities
• Scope: mutually agreed
• To add value
• Improve governance, risk management and control.
• Examples: facilitation, technical assistance, advice, training, etc.

Parties: Auditor, Client
Role of Internal Auditors

IIA Position Paper:
The Role of Internal Auditing in Enterprise-wide Risk Management
AUDIT STANDARDS (attached)
AUDIT STANDARDS
PURPOSE OF THE STANDARDS

• Set out the basic principles of internal audit practice.
• Provide guidance for performing and enhancing internal audit services.
• A basis for evaluating internal audit performance.
• Improve organizational processes and operations.
STRUCTURE OF THE STANDARDS

• Statements of the Standards
✓ Attribute Standards
✓ Performance Standards
✓ Implementation Standards
• Interpretations
• Glossary
ATTRIBUTE STANDARDS

1. Purpose, Authority, and Responsibility
2. Independence and Objectivity
3. Proficiency and Due Professional Care
4. Quality Assurance and Improvement Program
PERFORMANCE STANDARDS

1. Managing the Internal Audit Activity
2. Nature of Work of Internal Audit
3. Engagement Planning
4. Performing the Engagement
5. Communicating Engagement Results
6. Monitoring Progress
7. Management's Acceptance of Risks
STANDARD NUMBERING SYSTEM

1210.A3
The digit ‘1’ denotes: Attribute Standard
The digit ‘2’ denotes: Proficiency & Due Professional Care
The digits ‘10’ denote: Proficiency
The letter ‘A’ denotes: Assurance
The digit ‘3’ denotes: the 3rd Implementation Standard
CODE OF ETHICS
INTERNAL AUDIT CODE OF ETHICS

• Principles.
• Rules of Conduct:
✓ Describe the norms of behaviour expected.
✓ Serve as an aid in interpreting the ‘Principles’.
✓ Guide ethical conduct.
PRINCIPLES

• Integrity
• Objectivity
• Confidentiality
• Competency
CODE OF ETHICS
1. Integrity:
a. Honest, diligent and responsible.
b. Observes the law and provides objective statements where required by the law or the profession.
c. Is not involved in illegal activities and does not discredit the profession or the organization.
d. Supports the legitimate and ethical objectives of the organization.

2. Objectivity
a. Avoids conflicts of interest (CoI)
b. Must not accept anything that may influence their professional opinion.
c. Discloses all material facts.

3. Confidentiality
a. Safeguards the information obtained.
b. Does not use information for personal gain.
4. Competency
a. Provides only services that match their knowledge, skills and experience.
b. Works in accordance with the Internal Audit Professional Standards;
c. Continually improves their proficiency.


applying the Standards.
2. Supplemental Guidance (Practice Guides) — provide
detailed processes and procedures for internal audit
practitioners.
IMPLEMENTATION GUIDANCE (attached)
SUPPLEMENTAL GUIDANCE
II.
ENGAGEMENT PLANNING
General Stages of the Internal Audit Process

ANNUAL AUDIT PLANNING → ENGAGEMENT PLANNING → ENGAGEMENT EXECUTION → COMMUNICATION OF ENGAGEMENT RESULTS → MONITORING OF CORRECTIVE ACTIONS → EVALUATION AND REPORTING OF ACTIVITIES
Stages of an Internal Audit Engagement

ENGAGEMENT PLANNING → ENGAGEMENT EXECUTION → COMMUNICATION OF RESULTS & MONITORING
Description of Internal Audit Engagement Activities
Engagement Planning
Examples of Engagement Objectives

1. Evaluate the adequacy of the internal control system
2. Assess the effectiveness of operations
3. Assess compliance
4. Assess the effectiveness and efficiency of operations
5. Review the accuracy of financial statements
6. Assess success in achieving targets
7. Assess operational performance
Engagement Scope – High level flow chart
Engagement Scope

1. States the client (auditee)
2. Boundaries of the business processes audited
3. Locations covered
4. Identification of the time period covered
5. Scope exclusions
Engagement Scope

1. The auditor's responsibilities,
2. Guidance for gathering evidence,
3. Focus of the engagement,
4. Areas covered and not covered.
Understanding the CLIENT

• A very important activity
• Knowing the client's business processes, performance management, etc.
• Failure to understand the client = failure to perform the audit
• Data sources: any source that can be accessed
• Data forms: any form of data that can be accessed
Understanding the Client

Study the documents of previous engagements
Study information about the auditee
Carry out preliminary observation
Study the auditee's business processes (study the flowcharts)
Conduct preliminary interviews
Study information about the auditee from the internet
Etc.
Identifying and Assessing Risks

Understand the auditee → Identify risks → Assess risks → Prioritize/select the risks to be audited
RISK

“An event that may occur, which can reduce the probability of achieving objectives”
Trade-off between Risk and Return

• High Risk
• High Return
Elements of Risk

Probability
Event
Impact
Man, Methods, Money, Machine, Material, etc.
Risk
Risk in Business
Business is:
Seizing opportunities, managing risk
People's risk appetite can differ
The better risk is managed, the greater the benefit received
Various Risk Models
Risk Is Managed with ‘Controls’

Braking technology was not created to slow down F1 cars

IMPACT        Score   Remote      Unlikely    Possible    Probable    Certain
                      (0 – 10%)   (10-25%)    (25-50%)    (50-90%)    (90-100%)
Extreme         5     15 (5)      19 (10)     22 (15)     24 (20)     25 (25)
High            4     10 (4)      14 (8)      18 (12)     21 (16)     23 (20)
Medium          3      6 (3)       9 (6)      13 (9)      17 (12)     20 (15)
Low             2      3 (2)       5 (4)       8 (6)      12 (8)      16 (10)
Negligible      1      1 (1)       2 (2)       4 (3)       7 (4)      11 (5)
Score                  1           2           3           4           5
                      LIKELIHOOD / PROBABILITY
CONTROL

Policies and procedures to mitigate risk to a level acceptable to the organization
CONTROL (GENERAL MEANING)
CONTROL IN BUSINESS
Inherent Risks → Control → Residual Risks
Limitations of Control
IDENTIFYING AND ASSESSING RISKS
IDENTIFYING KEY CONTROLS
EXAMPLES OF KEY CONTROLS

1. APPROVING.
2. CALCULATING.
3. DOCUMENTING.
4. EXAMINING.
5. MATCHING.
6. MONITORING.
7. RESTRICTING.
8. SEGREGATING.
9. SUPERVISING.
EXAMPLE WORKING PAPER
EVALUATING THE ADEQUACY OF THE DESIGN OF CONTR

Planning:
Risks to be audited → Identify related controls → Assess the adequacy of the controls in terms of design (if anything is out of balance → Type A finding)

Engagement execution:
Assess the controls in terms of implementation. Set out in the audit program. (Result: Type B finding)
EVALUATING THE ADEQUACY OF THE DESIGN OF CONTR

Controls that should exist
Controls that exist

Is there a gap?
EVALUATING THE ADEQUACY OF THE DESIGN OF CONTR

Over controlled
Less controlled

EXAMPLES OF HOW A ‘GAP’ ARISES
EXAMPLE WORKING PAPER
PREPARING THE TEST PLAN

❑ Set out in the audit program.
❑ It consists of instructions (audit steps) for the auditor to carry out in the field.
❑ These steps cover:
✓ Assessing whether the control is performed consistently
✓ Assessing whether the control is still effective in mitigating the risk
✓ Assessing whether there are deviations/fraud in the implementation of the control
✓ Assessing whether there is a more effective and efficient control
❑ If a finding arises during the audit, write up the finding straight away (consisting of: condition, criteria, eff
TESTING APPROACHES/TECHNIQUES

a. Questionnaire
b. Interview
c. Analytical procedures
d. Document review, walkthrough
e. Verification: Scanning-Vouching-Tracing
f. Confirmation
g. Observation-Inspection
h. Counting
i. Reperformance
j. Internal control dummy test
k. Clarification
l. Laboratory tests
m. Forensic tests
n. Inquiry, investigation, etc.
Vouching vs Tracing

Vouching: backward
Tracing: forward

Source Document / Physical Evidence → Journal → General Ledger → Financial Statement

VOUCHING ← (backward)
TRACING → (forward)
EXAMPLE WORKING PAPER
EXAMPLE CASE
DEVELOPING THE ENGAGEMENT WORK PROGRAM

1. Informs all team members about, and gives them an understanding of, the tasks to be carried out in the testing stage.
2. A medium of coordination for all team members in sharing tasks and responsibilities.
3. During engagement execution, the work program shows which tasks have and have not been carried out.
4. Facilitates review and supervision by the engagement team's superiors.
EXAMPLE WORKING PAPER
EXAMPLE CASE
ALTERNATIVE ENGAGEMENT WORK PROGRAM
ALLOCATING ENGAGEMENT RESOURCES

• At this stage the audit team is formed.
• The personnel needed are hired
• The budget needed is requested
• The equipment needed is provided
• etc.
ALLOCATING ENGAGEMENT RESOURCES

Various methods of allocating auditor human resources:

1. In-house auditing.
2. Total out-sourcing.
3. Partial out-sourcing.
4. Co-sourcing.
5. Sub-contracting.
III.
ENGAGEMENT EXECUTION
KEY AUDIT STANDARDS

• 2300 - Performing the Engagement
Internal auditors must identify, analyze, evaluate and document sufficient information to achieve the engagement's objectives.

• 2310 - Identifying Information
Internal auditors must identify sufficient, reliable, relevant and useful information to achieve the engagement's objectives.
KEY AUDIT STANDARDS

• 2320 - Analysis and Evaluation
Internal auditors must base their conclusions and engagement results on appropriate analyses and evaluations.

• 2330 - Documenting Information
Internal auditors must document sufficient, reliable, relevant and useful information to support the engagement conclusions and results.
ENGAGEMENT STAGES AND THEIR OUTPUTS

Planning • Audit program
Execution • Information/evidence
Communication of engagement results • Audit results report
STEPS IN ENGAGEMENT EXECUTION

1. Entry meeting
2. Test preparation
3. Testing – gathering information
4. Evaluation of information
5. Audit conclusion
TEST PREPARATION

1. Formulate the test objectives
2. Identify the types of test
3. Identify personnel needs
4. Determine the sequence of the testing process
5. Formulate the standards or criteria
6. Define the population
7. Determine the sampling approach or method
8. Testing
TESTING APPROACHES/TECHNIQUES

a. Questionnaire
b. Interview
c. Analytical procedures
d. Document review, walkthrough
e. Verification: Scanning-Vouching-Tracing
f. Confirmation
g. Observation-Inspection
h. Counting
i. Reperformance
j. Internal control dummy test
k. Clarification
l. Laboratory tests
m. Forensic tests
n. Inquiry, investigation, etc.
CAAT (COMPUTER ASSISTED AUDITING TECHNIQUES)

❖ Audit techniques that use computer programs
❖ Suited to auditee environments that already use information technology
❖ Enable auditing the whole population (all-audit) rather than a sample
❖ Tools:
▪ Microsoft (Excel, Access, SAS),
▪ Database programming (SQL, Oracle, etc.)
▪ General audit software (ACL, IDEA, Teamate, Arbutus, SESAM, Soft CAAT, etc.).
COMPUTERIZED AUDIT TOOLS AND TECHNIQUES

Embedded Audit Modules
• A program that runs alongside the software performing its function.

Generalized Audit Software
• Reads digital files
• Examines records against the auditor's criteria
• Tests calculations
• Analyzes, summarizes and sorts data
• Tests the effectiveness of controls

Automated Work Papers
• Software templates stored on a server and distributed to several desktops.
• Can take the form of CD, DVD, video, etc.
SPREADSHEET

What can a spreadsheet do?

• Store and organize data.
• Perform editing.
• Perform calculations and other basic operations easily.
• Perform analytical operations, such as correlation analysis, regression and break-even analysis.
• Convert data into charts and graphs.
• Open and read other spreadsheets and databases.
• Link spreadsheets to one another and to other programs.

What does the auditor do with spreadsheets?

• Uses them as an audit tool.
• Reviews the spreadsheets used by client management.
CONTINUOUS AUDITING

❖ Auditing continuously (without interruption)
❖ Accesses data on the server in real time
❖ Applies computer programming languages, with requirements set by the auditor
❖ Automatic alerts when there are indications flagged by the auditor
CONTINUOUS AUDIT VS PERIODIC AUDIT
COMBINED ASSURANCE

❖ Assurance provided jointly/in an integrated manner from various sources
❖ To address the problem of assurance fatigue
❖ Benefits:
✓ Efficiency in collecting and reporting information
✓ A shared view of risks and controls
✓ More effective oversight
✓ One voice
ILLUSTRATION OF COMBINED ASSURANCE

Management (first line and second line)
External auditor
Internal auditor
Combined Assurance
Oversight of GRC
COMBINED ASSURANCE METHODS

Functional integration: integrating functions for oversight purposes

Alignment of activities: coordination through aligning activities

Integrated planning and reporting: coordination in planning and reporting

Integrated audits: coordination through audit cooperation
Testing: Gathering Information

1. Performing the tests
a. All of the auditee's risks, or
b. Those with a high Control Score (the difference between inherent risk and residual risk), or
c. Only the high risks.
2. Test criteria
a. Direct: relates to the risk being tested
b. Efficient: relates to the cost and time required
c. Feasible: the auditor's capability to perform the testing technique
3. Test documentation: Risk-Control Matrix
4. Evaluate the information/evidence and draw the audit conclusions
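An added worked example (not part of the original slides) that ties the 5x5 impact/likelihood matrix shown earlier to the three scoping options in item 1 above. The ordering rule in `matrix_rank` is inferred from the matrix cells and checked against them; the risk register and both thresholds are constructed assumptions.

```python
# Added illustration (not part of the original slides).
from dataclasses import dataclass

# The slide's 5x5 matrix copied as rank values: PAGE_RANKS[impact][likelihood - 1].
PAGE_RANKS = {
    5: [15, 19, 22, 24, 25],
    4: [10, 14, 18, 21, 23],
    3: [6, 9, 13, 17, 20],
    2: [3, 5, 8, 12, 16],
    1: [1, 2, 4, 7, 11],
}


def _check(impact, likelihood):
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")


def matrix_score(impact, likelihood):
    """Value shown in parentheses on the slide: impact x likelihood."""
    _check(impact, likelihood)
    return impact * likelihood


def matrix_rank(impact, likelihood):
    """Priority rank 1..25, computed rather than looked up.

    The slide's cells are ordered by impact + likelihood; within the same
    sum, the cell with the higher impact gets the higher rank.
    """
    _check(impact, likelihood)
    total = impact + likelihood
    # Number of cells on all diagonals with a smaller impact + likelihood sum.
    before = sum(min(t - 1, 5) - max(1, t - 5) + 1 for t in range(2, total))
    lowest_impact_on_diagonal = max(1, total - 5)
    return before + (impact - lowest_impact_on_diagonal) + 1


@dataclass(frozen=True)
class Risk:
    name: str
    inherent: tuple  # (impact, likelihood) before controls
    residual: tuple  # (impact, likelihood) after controls

    @property
    def control_score(self):
        """Inherent risk minus residual risk, both as matrix scores."""
        return matrix_score(*self.inherent) - matrix_score(*self.residual)


def select_for_testing(risks, approach, min_control_score=8, min_rank=20):
    """Apply one of the three scoping options from the slide.

    Both thresholds are assumptions; the slides give no cut-off values.
    """
    if approach == "all":
        chosen = list(risks)
    elif approach == "high_control_score":
        chosen = [r for r in risks if r.control_score >= min_control_score]
    elif approach == "high_risk_only":
        chosen = [r for r in risks if matrix_rank(*r.inherent) >= min_rank]
    else:
        raise ValueError(f"unknown approach: {approach!r}")
    # Highest inherent rank first, so the work program starts with it.
    return sorted(chosen, key=lambda r: matrix_rank(*r.inherent), reverse=True)


# Constructed sample risk register (not from the slides).
REGISTER = [
    Risk("Vendor master data changed without approval", (4, 4), (4, 2)),
    Risk("Privileged access not revoked for leavers", (5, 3), (5, 2)),
    Risk("Bank reconciliation performed late", (3, 3), (2, 2)),
    Risk("Petty cash miscounted", (2, 2), (1, 2)),
]

if __name__ == "__main__":
    for approach in ("all", "high_control_score", "high_risk_only"):
        print(approach)
        for r in select_for_testing(REGISTER, approach):
            print(f"  rank {matrix_rank(*r.inherent):>2}  "
                  f"control score {r.control_score:>2}  {r.name}")
```

A high control score means most of the risk reduction depends on the controls working, which is why option (b) sends those risks to testing even when the residual rating looks comfortable.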
The Internal Auditor's Attitude in Gathering Evidence

1. Exercise professional care
2. Be alert to errors, omissions, inefficiency, waste and ineffective operations
3. Test to a reasonable extent
4. Inform management if there are indications of fraud
5. Consider: the audit objectives and scope, the materiality and significance of the matter, the adequacy and effectiveness of controls, costs and benefits
6. Understand operating standards
7. Provide assurance to the level of reasonable assurance
Matters to Consider

1. Audit objectives and scope.
2. The materiality/significance of the matter tested.
3. The adequacy and effectiveness of controls.
4. Comparison of costs and benefits.
5. Understanding of operating standards and assessing compliance with them.
6. If the existing standards/criteria are judged inadequate, the auditor needs to discuss with the client to find alternatives or determine agreed standards.
7. Testing does not produce absolute assurance, only reasonable assurance.
Evaluation of Information & Audit Conclusions

• Evaluation of information is the basis for the audit observations and conclusions.
• Based on the evaluation, the auditor assesses and concludes on the adequacy of design and the effectiveness of implementation of the activity's controls.

Guiding questions for drawing conclusions:

a. Are the key controls adequately designed?
b. Are the key controls operating effectively?
c. Are the risks mitigated to an acceptable level?
d. Overall, do the controls as designed support the achievement of the objectives of the area under review?

The results of the evaluation and the conclusions can be documented in the “Risk and Control Evaluation Matrix”.
Audit Evidence Criteria

Sufficient
• Factual, adequate and convincing, so that a prudent, informed person would reach the same conclusion.
• ‘Sufficient’ is measured from the body of evidence.
• Professional judgment.

Reliable
• The best evidence obtainable using appropriate audit techniques.
• Credible source, of the right type.

Relevant
• Supports the observations and recommendations, and is consistent with the audit objectives.
• Evidence that is not relevant to the audit objectives increases audit risk.

Useful
• Important for the achievement of the organization's objectives.
• Up-to-date evidence can underpin sound decision-making.
Audit Evidence Criteria

• Relevant information is information that supports the observations and recommendations and is consistent with the engagement objectives.
• Reliable/competent information is the best information obtainable through the use of appropriate engagement techniques.
• Sufficient information is factual, adequate and convincing, so that a prudent person would reach the same conclusions as the auditor.
• Useful information helps the organization achieve its objectives.
Types of Audit Evidence

Documentary evidence
• Internal and external documentation.
• Examples: contracts, reports, records, invoices.

Physical evidence
• From observation, inspection and physical counts by the auditor.
• Can be presented as photographs, graphs, charts.

Testimonial evidence
• Written or oral statements from the client or related parties.
• Weak legal force; cannot stand on its own.

Analytical evidence
• Obtained through analysis and verification techniques (comparisons and relationships between data), leading to a particular interpretation or conclusion.
Guidelines for Gathering Audit Evidence

1. Evidence from an independent third party is more reliable than evidence from client personnel.
2. Evidence produced by a system with effective internal control is more reliable than evidence produced by a system with weak internal control.
3. Evidence obtained directly by the internal auditor is more reliable than evidence conveyed through another party.
4. Documented evidence is more reliable than undocumented evidence.
5. Evidence prepared on a timely basis is more reliable than evidence not prepared on a timely basis
6. Evidence corroborated by other evidence is stronger than evidence that is not corroborated by other evidence, or evidence that is contradictory
7. Evidence with a large/adequate sample size is more reliable than evidence with a small sample size.
Risk and Control Evaluation Matrix

Process-Level Risk   Key Control          Testing Approach   Test Result             Conclusion
Risk A               Control Activity 1   Test x             Control effective       Risk A is still not adequately mitigated
                     Control Activity 2   Test y             Control not effective   • FINDING
                     Control Activity 3   Test z             Control not effective
Risk B               Control Activity 1   Test x
                     Control Activity 4   Test a
                     Control Activity 3   Test z
Risk C               Control Activity 5   Test m
                     Control Activity 6   Test n
ELEMENTS OF A FINDING

Condition
• The facts found
• Agreed by the auditee

Criteria
• Standard/expectation
• Existing or developed

Effect
• Impact or risk if left unaddressed
• Potential or realized

Cause
• Root cause

Recommendation
• Suggested improvement that eliminates the cause
• Do not restate the criteria

• Action plan
• Engagement client's response
Example Finding (Short Mode)
AUDIT WORKING PAPERS
Standards Relating to Audit Working Papers

International Professional Practices Framework (IPPF):

• Standard 2330: “Documenting Information”: Internal auditors must document sufficient, reliable, relevant, and useful information to support the engagement results and conclusions.
• Standard 2330.A1 – The chief audit executive must control access to engagement records. The chief audit executive must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.
• Standard 2330.A2 – The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.
What Is the Purpose of Working Papers? (related to the audit objectives)

• Help in planning, performing and reviewing audit work.
• The principal support for the audit results.
• Document whether the audit objectives were achieved.
• Support the accuracy and completeness of the audit work.
• A basis for assurance and for improving internal audit quality.

Other Benefits of Working Papers

• Facilitate third-party reviews; reflect the professionalism of internal audit.
• Material for future internal audits.
• A basis for self-assessment of performance and for reviewing internal auditors' performance.
• Support discussions with operational personnel; enhance the auditor's credibility.
• Help document the organization's compliance with provisions and with laws and regulations.
What Are the Types of Audit Working Papers?

Current Files
• Information relating to the engagement currently being performed.

Permanent Files
• Information that can be used across several engagements.

What measures the adequacy of audit working papers?

Working papers document the audit objectives and methods completely, so that an auditor who was not involved in the audit can understand the audit work by looking at the working papers and be led to the same conclusions.
WHAT KINDS OF AUDIT WORKING PAPERS ARE THERE?

• Work program: nature, objectives, scope and audit procedures
• Budget, time and allocation of audit resources
• Questionnaires to obtain information about the client: the client's objectives, risks, controls and operational activities.
• Maps, flowcharts, graphs and diagrams relating to activities, processes, risks and controls.
• Agendas of internal audit team meetings and of meetings between the audit team and the client.
• Narrative memoranda documenting the results of interviews or other meetings with the client.
• Information relating to the client, such as: organization structure, job descriptions, operating and financial policies and procedures.
• Copies of original documents.
• Accounting records, such as: financial statements, journals and ledgers
• Evidence obtained from third parties: confirmation letters and representation letters from lawyers and law firms.
• Worksheets prepared by the auditor during the audit process.
• The client's implementation of compliance with controls, as tested by the auditor, such as: bank reconciliations.
• Audit observations, conclusions and recommendations
• Final engagement communications and management's responses.
What Is the General Format of Working Papers?

• Explain the audit concerned and the content or purpose of the working paper.
• Signed (or initialled) and dated by the internal auditor who performed the work.
• Contain an index or cross-references.
• Verification symbols used in the audit (such as tick marks) must be explained and made uniform.
• Data sources must be stated clearly.

Standardization of Working Papers

• Cross-referencing system.
• Consistency in working paper layout.
• Standardized tick marks.
• Permanent files or current files.
Supervision of the Audit Engagement

Standard 2340:
“Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.”

Practice Advisory 2340-1

• Ensure that the auditors collectively possess the knowledge, skills and competencies needed to perform the audit.
• Provide appropriate instructions during planning and approve the audit program.
• Ensure that the audit program is completed properly.
• Determine that the audit working papers support the observations, conclusions and recommendations.
• Ensure that audit communications are accurate, objective, concise, constructive and timely.
• Ensure that the audit objectives are achieved.
• Provide opportunities to develop the internal auditors' knowledge, skills and competencies.
EXAMPLE AUDIT WORKING PAPER
IV.
Engagement Communication & Monitoring of Corrective Actions
Audit Standards Relating to Communication of Engagement Results
2400 - Communication of Engagement Results
Internal auditors must communicate the results of their engagements

2410 - Criteria for Communicating
Communications must include the engagement's objectives, scope and results.
INTERNAL AUDIT REPORT

Three Interrelated Factors – Writing the Report
Essence/substance of the findings
Writing style
Graphical design

Communication (Report) Content

1. Executive summary
2. Report body:
a. Engagement objectives and scope
b. General information (optional): information about the client, the legal basis of the engagement, the background of the engagement, the engagement methodology, etc.
c. Engagement results (findings/observations): condition, criteria, effect, cause
d. Recommendations
e. Corrective action plan
f. Conclusion or opinion (optional)
Quality Requirements for the Audit Report

Accurate • Free from error, factual
Objective • Objective, fair, unbiased
Clear • Clear: easily understood and logical, avoiding unnecessary technical terms
Concise • “To the point”, not long-winded
Complete • Includes all relevant and significant information
Constructive • Helps and encourages the client to make improvements
Timely • Enables effective follow-up

is based on facts.
• Objective means fair, impartial, unbiased, and the result of a fair-minded and balanced assessment of all relevant facts.
QUALITY OF COMMUNICATIONS

• Clear means easily understood and logical, avoiding unnecessary technical terms and presenting all significant and relevant information.
• Concise means going straight to the point and avoiding unnecessary elaboration, excessive detail, repetition and wordiness.
QUALITY OF COMMUNICATIONS

• Constructive means being helpful to the engagement client and the organization, and directed at the improvements needed.
• Complete means leaving out nothing that is essential to the users of the engagement results, and covering all significant and relevant information and observations to support the conclusions and recommendations.
QUALITY OF COMMUNICATIONS

• Timely means still useful and judicious, taking into account the significance of the issue, so that management can take appropriate corrective action.
Stages of Report Finalization/Writing

Findings written during the execution stage → Categorize the findings → Evaluate the results (scoring, etc.) → Conclusion (overall opinion)
FINDING CATEGORIES

A. Insignificant:
❑ Insignificant magnitude OR
❑ Remote likelihood
B. Significant
❑ More than insignificant magnitude AND
❑ More than remote likelihood
C. Material
❑ Significant with extreme magnitude
[Matrix: IMPACT / MAGNITUDE (Negligible 1, Low (insignificant) 2, Medium 3, High 4, Extreme 5) against LIKELIHOOD / PROBABILITY (Remote 1 (0 – 10%), Unlikely 2 (10-25%), Possible 3 (25-50%), Probable 4 (50-90%), Certain 5 (90-100%)), divided into three zones: INSIGNIFICANT, SIGNIFICANT and MATERIAL]
OVERALL CONCLUSION (OVERALL OPINION)
Giving the Auditor's Overall Opinion

OPINION/RATING ON FINDINGS
• Each finding is given a rating/priority as follows:
• High
• Medium
• Low

OVERALL OPINION ON THE AUDITEE
From the assessment of all the findings, the auditor concludes an opinion/rating on the auditee:
• Satisfactory
• Good
• Needs improvement
• Weak
EXAMPLE REPORT STRUCTURE
Audit Standards Relating to Monitoring of Corrective Actions

2500 – Monitoring Progress
• The chief audit executive must establish and maintain a system to monitor the disposition of engagement results communicated to management
2600 - Communicating the Acceptance of Risks
• When the chief audit executive concludes that management has accepted a risk that the organization cannot bear, the chief audit executive must discuss the matter with senior management. If the chief audit executive believes that the matter has not been resolved, the chief audit executive must communicate it to the board.
Status of Findings after Corrective Action

• Closed
• In progress
• Open
• No longer relevant
Stages of Monitoring and Updating Corrective Actions
1. Communicate the findings/observations together with their recommendations and action plans
2. Prepare and send the letter on Monitoring of Corrective Actions on Audit Findings
3. Receive and administer the responses and corrective actions
4. Review, verify and assess the effectiveness of the responses
5. Maintain the database of the corrective action monitoring and updating system
6. Submit periodic reports on the status of corrective actions
Report on the Results of Monitoring and Updating Actio

• Current status of the findings/observations
• Corrective actions taken by management
• Balance of findings/observations still open
• Minutes of the Corrective Action Update
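An added worked example (not part of the original slides) that combines three slides: the five elements of a finding, the Insignificant / Significant / Material categories, and the follow-up statuses, to produce the figures a monitoring report needs. The 1-5 score cut-offs, the choice of which statuses count as outstanding, and the sample findings are assumptions.

```python
# Added illustration (not part of the original slides).
from collections import Counter
from dataclasses import dataclass, field

ELEMENTS = ("condition", "criteria", "effect", "cause", "recommendation")
STATUSES = ("Open", "In progress", "Closed", "No longer relevant")
OUTSTANDING = ("Open", "In progress")  # assumption: these form the open balance


def categorize(magnitude, likelihood):
    """Finding category per the slide's three rules (scores 1..5 per axis).

    Assumptions: magnitude 1-2 is 'insignificant' (the matrix labels Low as
    insignificant), likelihood 1 is 'remote', magnitude 5 is 'extreme'.
    """
    for value in (magnitude, likelihood):
        if value not in range(1, 6):
            raise ValueError("scores must be integers from 1 to 5")
    if magnitude <= 2 or likelihood == 1:   # rule A: either condition is enough
        return "Insignificant"
    if magnitude == 5:                      # rule C: significant AND extreme
        return "Material"
    return "Significant"                    # rule B: both conditions hold


@dataclass
class Finding:
    ref: str
    magnitude: int
    likelihood: int
    status: str = "Open"
    elements: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.status not in STATUSES:
            raise ValueError(f"unknown status: {self.status!r}")

    @property
    def category(self):
        return categorize(self.magnitude, self.likelihood)

    def missing_elements(self):
        """Elements of the finding that are absent or blank."""
        return [e for e in ELEMENTS if not str(self.elements.get(e, "")).strip()]


def follow_up_report(findings):
    """Status counts, outstanding balance by category, and incomplete findings."""
    outstanding = [f for f in findings if f.status in OUTSTANDING]
    return {
        "by_status": dict(Counter(f.status for f in findings)),
        "outstanding_by_category": dict(Counter(f.category for f in outstanding)),
        "outstanding_material": sorted(
            f.ref for f in outstanding if f.category == "Material"),
        "incomplete": {f.ref: f.missing_elements()
                       for f in findings if f.missing_elements()},
    }


def _elements(*names):
    """Constructed placeholder text for the named elements."""
    return {n: f"sample {n} text" for n in names}


# Constructed sample findings (not from the slides).
SAMPLE = [
    Finding("F-01", 5, 3, "Open", _elements(*ELEMENTS)),
    Finding("F-02", 3, 4, "In progress", _elements(*ELEMENTS)),
    Finding("F-03", 4, 1, "Closed", _elements(*ELEMENTS)),
    Finding("F-04", 2, 5, "Open", _elements("condition", "criteria", "effect")),
    Finding("F-05", 5, 1, "No longer relevant", _elements(*ELEMENTS)),
]

if __name__ == "__main__":
    for key, value in follow_up_report(SAMPLE).items():
        print(f"{key}: {value}")
```

Note that an extreme-magnitude finding with remote likelihood (F-05) lands in Insignificant, because rule A on the slide is an OR.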
Q&A
Day 6
Video
The speed of digital transformation is heightening cyber
risks for companies as they embrace new technologies
Organization exposing customer data via digital channels
Adopt open platforms
Tap ecosystems of partners and suppliers (extended
supply chain) – cyber criminals focus on weakest link
Increased erosion of perimeter from third parties, social
media, mobile and personal devices
Growing regulatory focus
Rising level and sophistication of external threat
Cyber risk is outpacing organisations’ ability to keep up