Effective Technique for Internal Audit
WEBINAR IAI & FEBUI
Day –
28 1 29 AUGUST 2021
DAY 01
Vidvant Brahmantyo
Partner at RSM
https://www.linkedin.com/in/vbrahmantyo/
Professional Certifications:
• Registered State Accountant No. RNA 9887
• Chartered Accountant (CA) No. 11.D42202
• Certified Internal Auditor (CIA) No. 172916
• Certified Internal Controls Auditor (CICA) No.14075986
• Certified Fraud Examiner (CFE)
• Certified Governance, Risk Management and Compliance Professional (GRCP) No. GRCP-101193
• Certified Governance, Risk Management and Compliance Auditor (GRCA) No. GRCA-101193
Career timeline (year markers on the slide: 2004, 2006, 2007, 2010, 2011, 2018, Today):
- Joined Swiss-Belhotel International as Chief Audit Executive (CAE)
- Re-joined Deloitte Risk Advisory as Manager
- Resigned from Deloitte Risk Advisory as Director
Personal:
- 1 wife
- 2 children
Hobbies/others:
- Basketball
- Futsal & Soccer
- Traveling
Agenda
▪ What is Internal Auditing?
▪ The Right Stuff
▪ Internal Audit Roles in Today’s World
▪ Internal Audit Methodology
▪ Risk-Based Internal Audit
▪ Q&A?
What is Internal Auditing?
Audit Means…
Source: https://en.wikipedia.org/wiki/Audit
Internal Audit Definition by IIA
▪ Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization's operations.
▪ It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.*
* Definition by the Institute of Internal Auditors (IIA)
http://www.theiia.org/theiia/about-the-profession/internal-audit-faqs/?i=1077
History of Audit
▪ 5000 years ago, in the Middle Kingdom of the Nile live Mesopotamian Civilization, the Pharaoh's deputy was
overseeing the storage of grains. Auditing was a matter of reperforming the work of others. Auditing meant
observing, counting and double-checking records.
▪ The processes and systems were very simple, and so was auditing.
▪ As the business organizations grew in size and complexity, the practice of Internal Audit also evolved.
History of Audit (Cont’d)
▪ Historically, auditing was concerned with accounting for government activities and reviewing the work done by tax
collectors. In the early years of auditing, the keeping and maintaining of accounting records was done primarily to
detect fraudulent activity.
▪ The industrial revolution in the mid 1700s to the mid 1800s was responsible for the increased demand in auditors
because this period saw an increase in responsibility being passed from owners to managers. This led to an
increased requirement for auditors who were independent of management and who were engaged not only to be
alert for errors within financial records but also errors within the records. In simple terms, deliberate errors in
order to achieve personal financial gain were deemed to be fraudulent activity (as is still the case today) whilst
error was (and still is) unintentional.
▪ During the early 1700s the concept of ‘sampling’ was introduced. Sampling is where auditors select a sample of
items that make up various balances and was used where it is not economically viable to physically examine all the
transactions that have taken place. This practice is still pivotal today.
Source: https://www.oreilly.com/
Evolution of Internal Audit
1900s 1950s 1960s 1970s 1990s 2000s to Present
Clerical Financial
Work & Reporting & Internal Control Objective Assurance, Consulting
Theft fraud Operational Compliance Business Activity, Added Value, Improve an
Auditing Oriented Organization Operation and the
Orientation Effectiveness of Risk Management,
Internal Control, and Governance
Process
KEY MILESTONES
IA set to emerge as a Profession
▪ 1941 – Formation of the IIA
▪ 1947 – Issued the Statement of the Responsibilities of the IA (Revised in 1957, 1971, 1976, 1981, and 1990)
IA began as a Profession
▪ 1968 – Issued the Code of Ethics
▪ 1972 – Published the CBOK
▪ 1974 – Created the Professional Certification for IA
▪ 1976 – Formation of the IIA Research Foundation
▪ 1977 – Created a Professional Magazine for IA
▪ 1978 – Issued the IA Standards
▪ 1989 – Establishment of the IIA Indonesia
Advance & Strengthening of IA Profession
▪ 1999 – Issued Current Definition of OA
▪ 2000 – Revised the Code of Ethics
▪ 2002 – Issued the New IA Standards
▪ 2006 – The Standards has been Recognized Globally
▪ 2007 – Issued a New IA Framework – the IPPF
▪ 2015 – Issued a New Enhancement of the IPPF (latest update was in 2017)
Watch Dog vs Trusted Advisors vs Change Agents
▪ Six months later, ENRON filed for bankruptcy.
▪ Greatest accounting fraud of 20th century.
▪ 12,000 people directly lost their jobs, retirement benefits and entire life savings.
▪ Pensioners who bought stocks of Enron lost US$70 billion when price of stock collapsed to ZERO.
▪ Caused by “Lax Auditing” by Arthur Andersen accounting firm, one of the “Big 5” (85,000 people and over US$9 billion annual revenues) collapsed.
▪ Others to blame: CFO Andrew Fastow (6 years prison sentence), CEO Jeff Skilling (24 years prison sentence), stock analysts who keep pushing Enron stock, senior management for hiding losses in dubious off-balance-sheet partnerships, media exaggeration and frenzy.
The Right Stuff
HTTPS://YOUTU.BE/LJUZDVYEBHU
Organization’s Expectation from Internal Auditor
1. Analytical and Critical Thinking
2. Communication
3. IT General Skills
4. Risk Management
5. Business Acumen*
*Succeeding as a 21st Century Internal Auditor: 7 Attributes of Highly Effective Internal Auditors, page 3
7 Sought-After Qualities of an Internal Auditor
–Larry Harrington–
Chief Audit Executive
Raytheon Company
*Source: Succeeding as a 21st Century Internal Auditor: 7 Attributes of Highly Effective Internal Auditors, page 1
Business Acumen
• Financial acumen: Understanding and interpreting financial statements.
• Marketplace acumen: Competition, market drivers, consumer needs, marketing.
• Operational acumen: Day-to-day operations and production, supply chain, third-party relationship, quality assurance.
• Technology acumen: Leverage and possessing technology skillsets, understanding basic software program coding.
• Strategic acumen: Understanding systems that define and influence an organization’s goals and direction including risk management, decision-making, long-term planning, culture.
Strategic Acumen
Vision
Framework
Perceptiveness
Assertiveness
Flexibility
Emotional balance
Patience
Networking skills
Team-building skills
Empathy
Emotional intelligence
Innovative Mindset
▪ Free yourself from the fear of failure
▪ Create a culture where innovation is rewarded
▪ Make risk-taking a more consistent behaviour
Leveraging Enabling Technology
[Diagram labels: Audit Committee; CEO; Internal Audit; External Audit]
Value Proposition for Key Stakeholders
Internal Auditing:
• Assurance
• Insight
• Objectivity
Governing bodies and senior management rely on Internal Auditing for objective assurance and insight
on the effectiveness and efficiency of governance, risk management and internal control processes.
Internal Audit Activity
Scope of Internal Audit work encompasses a systematic, disciplined approach to evaluating and improving the adequacy and effectiveness
of risk management, control, and governance process and the quality of performance in carrying out assigned responsibilities.
The purpose of evaluating the adequacy of the organization’s existing risk management, control and governance processes is to provide
reasonable assurance that these processes are functioning as intended and will enable the organization’s objectives and goals to be met,
and to provide recommendations for improving the organization’s operations, in terms of both efficient and effective performance
Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:
• Organizational objectives support and align with the organization’s mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board
to carry out their responsibilities.
• Risk management processes are monitored through ongoing management activities, separate evaluations, or both.
During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence
of other significant risks. Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of
the organization’s risk management processes.
When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any
management responsibility by actually managing risks.
Internal Audit Role in Internal Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and
efficiency and by promoting continuous improvement.
IA activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s
governance, operations, and information system regarding the:
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations;
• Safeguarding of assets; and
• Compliance with laws, regulations, and contracts.
Supplemental Guidance provides detailed guidance for carrying out internal audit
activities such as processes and procedures, tools and techniques, programs, approach
steps, and sample deliverables. All Guidance and GTAG Practices become part of the
Supplemental Guidance
Process Risk Approach
Vision Mission Value
Goals
Objectives
Strategies
External Stakeholders
Factors Influences
CSFs Risks
Business Processes
KPIs Controls
Internal Audit Methodology
[Cycle diagram, phases shown: 3 Develop Audit Plan; 4 Design Audit Programs; 5 Execute Audit Project Work Plan. Step labels: Develop Risk Model; Prioritize Risk; Schedule Audits and Plan Resources; Design Internal Audit Program]
• IA performs detailed test work, reviews audit results and holds a formal exit meeting at the conclusion of each audit performed.
• Based on the risk assessment results and Internal Audit plan, IA identifies timing, locations, project teams and determines appropriate use of technology tools.
Risk-Based Internal Audit
Legendary Quotes on Planning
Underlying Standards
▪ 2010 – Planning
▪ 2020 – Communication and Approval
▪ 2030 – Resource Management
▪ 2040 – Policies and Procedures
▪ 2050 – Co-ordination
▪ 2060 – Reporting to Senior Management and the Board
▪ 2070 – External Service provider and Organizational Responsibility for Internal Auditing
Standard 2010 – Planning
The chief audit executive must establish a risk-based plan to determine the
priorities of the internal audit activity, consistent with the organization’s goals.
Interpretation:
To develop the risk-based plan, the chief audit executive consults with senior
management and the board and obtains an understanding of the organization’s
strategies, key business objectives, associated risks, and risk management
processes. The chief audit executive must review and adjust the plan, as necessary,
in response to changes in the organization’s business, risks, operations, programs,
systems, and controls.
Planning – Internal Audit Cycle Phase 1, 2, and 3
People Process Technology
• Gain a thorough understanding of the company’s business objectives and co-develop the expectations
regarding internal audit’s alignment with those business objectives and criteria for assessing the related risks.
• IA develops a mutual understanding of the scope of internal audit among the company’s executive management,
the Audit Committee or the Board of Commissioners.
[Diagram labels: Board of Commissioners; Board of Directors; Audit Committee; Risk Monitoring Committee]
• Identify key aspects of the process to develop a risk model and risk universe.
[ILLUSTRATIVE risk map: Impact of Occurrence (Low to High) against Likelihood of Occurrence (Low to High), with zones for Low Risk, Medium Risk and High Risk]
• Human Resources | 1 - Low | 1 - Low | Have dedicated Human Resources Department. Staff have high morale and adequate training, and turnover is low.
• Complexity of Business Process | 2 - Moderate | 3 - High | Supply chain management has increased complexity of the business process.
• Control Processes | 3 - High | 3 - High | Past audits have found control weaknesses that have caused inefficient financial processes and inaccurate financial information. There are no formalized policies & procedures.
• Asset Management (Exposure to Loss) | 3 - High | 3 - High | There have been few controls in this area and an inappropriate shrinkage amount exists. Physical controls are non-existent and inventory is suspiciously walking out the door.
• Regulatory Environment | 1 - Low | 2 - Moderate | Regulatory issues are related to foreign expansion and they are being addressed.
• Business Environment | 2 - Moderate | 2 - Moderate | Key issues going on in business environment are creating the need to solidify the brand in the market.
• Customer Impact | 2 - Moderate | 3 - High | Customers currently are loyal, but there is a need to keep them there. This is the most important issue of brand apparel and fashion.
Phase 3: Develop Audit Plan
Objective
Phase 3: Develop Audit Plan (Cont’d)
ILLUSTRATIVE
Internal Audit Department: Assurance; Consulting
Q&A?
Key Takeaways
▪ Be comfortable with being uncomfortable
▪ Learn from those around you and above you
DAY 02
Agenda
▪ Design Audit Programs
▪ Execute Audit Project Work Plan
▪ Deliver Results and Insight
▪ Q&A?
Design Audit Programs
SOURCE: HTTPS://YOUTU.BE/WBPX6JMGBYA
7 Deadly Internal Audit Sins (Cont’d)
1) Publish an erroneous report (a mistake could be equally devastating);
2) To intentionally submit incomplete or false work papers (unethical);
3) Lose your temper with a client (don’t act out unprofessionally);
4) Auditing with an agenda (auditing with a conflict of interest);
5) Betraying the bond of confidentiality (inappropriate information exchange);
6) Violating company policy (walking the talk); and
7) Issuing an internal auditor's report that is petty or doesn’t add value
(wasting time on unimportant detail).
Phase 4: Design Audit Programs
4. Design Audit Programs
▪ A successful internal audit engagement should be supported by a well-designed Internal Audit Program
▪ There are two objectives in Design Internal Audit Programs as follows:
  ▪ Develop Internal Audit Program
  ▪ Approve Internal Audit Program
▪ A well-developed audit program will provide the foundation for the control testing being executed efficiently. Specifically, it:
  ▪ Assists in controlling work and assigning responsibility;
  ▪ Provides a record and confirmation of work completed; and
  ▪ Supports the achievement of the internal audit objectives
[Internal Audit Methodology cycle diagram: 1 Co-Develop Expectation; 2 Develop Risk Model and Universe; 3 Develop Audit Plan; 4 Design Audit Programs; 5 Execute Audit Project Work Plan; 6 Deliver Results and Insight]
Develop Internal Audit Program
[Diagram: Develop Internal Audit Program (output: Internal Audit Program Draft); Approve Internal Audit Program (output: Internal Audit Program (Approved))]
What is an Audit Program and its Purpose?
An audit program can be described as follows:
▪ A detailed work plan that stipulates procedural steps required to achieve audit
objectives, including the creation of key working paper deliverables and/or the
final report.
▪ A document that sets forth procedures necessary to complete an efficient and
effective audit; it is suggested that this document be approved by the
engagement/project leader and/or Chief Internal Auditor, as applicable and
dependent on type of audit, prior to start of fieldwork.
▪ A project work plan that can assist in developing and monitoring project budgets.
Why Is an Audit Program Important?
It is important to have a well developed audit program, as it addresses a number of objectives. These objectives
include:
A comprehensive and well-written audit program substantiates the procedures followed, the compliance and
substantive tests performed, the information and evidence obtained, and the audit conclusions reached
Key Internal Audit Program Requirements
Sample size
Overarching Standards
▪ 2300 – Performing the Engagement
Internal Auditors must identify, analyze, evaluate, and document sufficient information to achieve the
engagement’s objectives.
Underlying Standards
▪ 2310 – Identifying Information
Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement’s
objectives.
▪ 2320 – Analysis and Evaluation
Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.
▪ 2330 – Documenting Information
Internal auditors must document sufficient, reliable, relevant, and useful information to support the engagement
results and conclusions.
▪ 2340 – Engagement Supervision
Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is
developed.
Phase 5: Execute Audit Project Work Plan
5. A shift in emphasis to “What must go right” not simply “What can go wrong.” An efficient approach that not only reveals the impact and extent of real issues but assists in mitigating them.
▪ Initial assessment workshop
▪ Integrated testing
▪ Deductive analytics
▪ Clarity over agreed control strategy
▪ Determine training, CSA and CCM needs.
▪ Accelerate solutions development
[Internal Audit Methodology cycle diagram: 1 Co-Develop Expectation; 2 Develop Risk Model and Universe; 3 Develop Audit Plan; 4 Design Audit Programs; 5 Execute Audit Project Work Plan; 6 Deliver Results and Insight]
Execute Audit Project Work Plan
Execution
Reference • Best practices • Walkthrough
• Walkthrough
• Prior years’ working results
• Audit Program results
papers and reports
• Data Analytics • Sample testing
• Integrated database results
Activity: Execution Preparation; Walkthrough (Design Effectiveness Review); Sample Testing (Operating Effectiveness Review); Closure of Fieldwork
Outcome
• Background • Observation
• Audit Program • Risk Control
Information • Exit Meeting
• Risk Control Matrix
• Risk Control Documents
Matrix • Test Sheet
Matrix
Internal Audit Execution Principles
Understand the
business & client
▪ Scope of review
▪ Timeline of project (fieldwork, reporting etc.)
▪ Team members
▪ Background of scope of review
▪ Focus areas
▪ Challenges, strategy and approach
▪ Summary of past audit findings
▪ Request For Information (RFI)
▪ Process owners
What is a Business Cycle?
A business cycle is a collection of:
▪ Transactions
▪ Processes
▪ Controls
Business cycles shown: Financial Accounting; Revenue; Expenditure; Inventory; Payroll & Personnel; Fixed Assets; Treasury
Practical Example – Expenditure Cycle
We should obtain an understanding of the flow of transactions, the processes, and controls.
Example of Expenditure Cycle:
[Diagram: expenditure cycle. Supplier Master File; Purchase Order Sub-System, Inventory Sub-system and Account Payable Sub-system; Purchase Order Data; documents: Purchase Order, Good Received Note, Invoice; General Ledger; Disbursement; Transaction Reports; Ledger Reports. Numbered markers 1 to 3; legend: Control Points]
Audit of Expenditure Cycle
[Diagram: the same expenditure cycle (Supplier Master File; Purchase Order, Inventory and Account Payable sub-systems; Purchase Order Data; Purchase Order, Good Received Note, Invoice; General Ledger; Disbursement; Transaction Reports; Ledger Reports) with numbered markers 1 to 4; legend: Control Points]
▪ List risks related to a business process. Examples: Errors in sales amounts when entering to system, registering false sales, etc.
▪ List controls to remediate those risks (for manual operations and system functions). Examples: Approval by manager, restrictions to prevent entering information of false customers by master data, periodic check for unusual amounts, etc.
Audit Program Component - Scope
Scope of the audit and risk mapping
Fraudulent payments
1. Payments are supported and reviewed prior to payments and recognition
Unauthorised payments
Management Assertion
Transaction Categories
Transaction Structure
Document the Controls
▪ Policies & Procedures: A policy establishing what should be done, and serving as a basis for the second element, procedures to effect the policy.
▪ Authorization: Written consent to proceed with a requested activity, without in any way diminishing the applicant’s obligation to meet the standard or specified requirements.
▪ Verification: Comparison of two or more items, or the use of supplementary tests, to ensure the accuracy, correctness, or truth of the information / Alternative term for acknowledgement
▪ Monitoring: Analysis of actual results versus organizational goals or plans, periodic and regular operational reviews, metrics, and other key performance indicators.
▪ Segregation of Duties: Control policy according to which no person should be given responsibility for more than one related function.
Sample Testing - Tasks
▪ Design test steps based on the controls identified during D&I review
▪ Select samples from the transaction population (e.g. PO listing, payment listing)
▪ Perform testing on samples
▪ Identify operating effectiveness deficiency
Risk:
1. Fraudulent payments
Controls Identified during D&I Review:
1. Purchases are made based on approved Purchase Request (“PR”).
2. 3 quotations are sourced for the purchase
3. Services or goods are received prior to payment
4. Invoice is matched to approved Purchase Order (“PO”), Invoices and evidence of receipt
Operating Effectiveness:
A. For 25 samples of payments selected, verify the following:
   1. Payment is duly supported (i.e. invoice, evidence of receipt, Purchase Order)
   2. Payment is invalidated (stamped paid) upon payment
   3. Payment is approved according to authorization matrix
B. Perform data analytics to identify:
   1. duplicate invoice numbers
   2. duplicate payment voucher numbers
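The data analytics step above (duplicate invoice numbers, duplicate payment voucher numbers) together with the 25-item sample selection, as an added example that is not part of the original slides. The payment listing, its field names and the number-normalisation rule are constructed assumptions.

```python
import random
import re
from collections import defaultdict


def build_constructed_listing():
    """Constructed payment listing: 40 clean rows plus three injected rows."""
    rows = [
        {"voucher": f"PV-{i:04d}", "supplier": f"S{i % 5:03d}",
         "invoice": f"INV-{1000 + i}", "amount": 100.0 * i}
        for i in range(1, 41)
    ]
    # Same supplier invoice as PV-0002, re-keyed with different formatting.
    rows.append({"voucher": "PV-0041", "supplier": "S002",
                 "invoice": "inv 01002", "amount": 200.0})
    # Voucher number PV-0007 used a second time.
    rows.append({"voucher": "PV-0007", "supplier": "S004",
                 "invoice": "INV-2001", "amount": 55.0})
    # Same invoice number from a different supplier: not a duplicate.
    rows.append({"voucher": "PV-0042", "supplier": "S003",
                 "invoice": "INV-1002", "amount": 200.0})
    return rows


def normalize_ref(ref):
    """Canonical document number (assumed rule; adjust to the ERP's format).

    Upper-cases, drops separators and strips leading zeros from digit runs,
    so 'inv 01002' and 'INV-1002' compare equal.
    """
    compact = re.sub(r"[^A-Z0-9]", "", ref.upper())
    return re.sub(r"\d+", lambda m: m.group().lstrip("0") or "0", compact)


def duplicate_invoices(payments):
    """Invoices paid more than once: same supplier and same normalised number."""
    groups = defaultdict(list)
    for row in payments:
        key = (row["supplier"], normalize_ref(row["invoice"]))
        groups[key].append(row["voucher"])
    return {key: sorted(v) for key, v in groups.items() if len(v) > 1}


def duplicate_vouchers(payments):
    """Payment voucher numbers that appear on more than one payment."""
    groups = defaultdict(list)
    for row in payments:
        groups[normalize_ref(row["voucher"])].append(row["invoice"])
    return {key: v for key, v in groups.items() if len(v) > 1}


def select_sample(payments, size=25, seed=2021):
    """Reproducible random sample; a fixed seed lets a reviewer re-draw it.

    If the population is not larger than the sample size, test every item.
    """
    if len(payments) <= size:
        return list(payments)
    rng = random.Random(seed)
    picked = sorted(rng.sample(range(len(payments)), size))
    return [payments[i] for i in picked]


if __name__ == "__main__":
    listing = build_constructed_listing()
    print("Duplicate invoices:", duplicate_invoices(listing))
    print("Duplicate vouchers:", duplicate_vouchers(listing))
    print("Sample vouchers:", [r["voucher"] for r in select_sample(listing)])
```

Duplicates are keyed on supplier plus invoice number because two suppliers can legitimately issue the same number; the analytics run over the full population, while the 25 samples feed the manual document checks.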
[Table columns: Type of Control; Control Frequency; Sample Size]
Source: https://en.wikipedia.org/wiki/Auditor%27s_report
Audit Report Related Standards
2400 – Communicating Results
Internal auditors must communicate the results of engagements.
2410 – Criteria for Communicating
Communications must include the engagement’s objectives, scope, and results.
2410.A1
Final communication of engagement results must include applicable conclusions, as well as applicable recommendations
and/or action plans. Where appropriate, the internal auditors’ opinion should be provided. An opinion must take into
account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient,
reliable, relevant, and useful information.
2410.A2
Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications
2410.A3
When releasing engagement results to parties outside the organization, the communication must include limitations on
distribution and use of the results.
2410.C1
Communication of the progress and results of consulting engagements will vary in form and content depending upon the
nature of the engagement and the needs of the client.
Audit Report Related Standards (Cont’d)
2420 – Quality of Communications
Communications must be accurate, objective, clear, concise, constructive, complete, and timely.
2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal
Auditing”
Indicating that engagements are “conducted in conformance with the International Standards for the Professional Practice of
Internal Auditing” is appropriate only if supported by the results of the quality assurance and improvement program.
Aquaman
Judge
Police Officer
Thor
Pandawa Lima
Things to Consider When Drafting Audit Report
❖ Stakeholders have diverse needs.
❖ Effective audit communication needs to be accurate, objective, clear, concise, constructive, complete and timely to be
relevant.
❖ The audit report must include the objectives, scope, and results of the engagement.
❖ Management’s action plans must be included, as they are often the most referenced segment of the report over time.
❖ It is important to conduct a thorough review of the content to validate factual accuracy, completeness of reporting, and
ensure the engagement results and conclusions are supported by sufficient, reliable, relevant, and useful information.
❖ A concise executive summary may highlight good practices observed during the engagement and any steps taken by
management to improve governance, risk management, and internal controls
❖ The distribution of the report must be validated and approved by the Chief Audit Executive (CAE) to ensure it is directed
to the intended recipients and disseminated to the appropriate parties who can ensure that the results are given due
consideration.
Audit Report Potential Pitfalls
Significant errors and omissions.
▪ Condition: Factual evidence identified during the course of the engagement (what does exist). Condition is the key issue the internal auditor considers, and it can be measurable or observable.
▪ Cause: Underlying reason for the difference between the criteria and condition (why the difference exists). It answers the questions “what allows the condition to exist?” and “why did the condition occur?” It is essential that internal audit work with management to identify the root cause of the gap.
▪ Consequence (Effect): Risk or exposure encountered because the condition is not consistent with the criteria (the consequence of the difference). In determining the degree of risk or exposure, internal auditors consider the effect that the engagement observations may have on the organization’s operations and/or financial reporting process. Effects can be existing or potential.
▪ Corrective Action Plan / Recommendation: Recommendations are internal auditors’ suggestions for correcting conditions and identifying the cause to prevent recurrence (or the creation of new conditions). Recommendations provide an efficient and effective way to address the gaps identified between condition and criteria. Actions that were initiated by management during the internal audit engagement, but before the issuance of the written report, can be acknowledged in the final engagement communication.
Gap, Root Cause Analysis & Recommendation
Observation, Recommendation & Management Acti
Examples of Condition, Effect, Cause, Root Cause,
& Recommendation
Rating of Finding
Rating Description
▪ High: An audit finding is assigned a “High” priority when the underlying internal controls or processes contain material or pervasive weaknesses. Remedial action should be taken immediately to address the audit finding. The condition requires improvements with more than usual management involvement and monitoring until the internal controls are improved.
▪ Medium: An audit finding is assigned a “Medium” priority when there are improvements required in the level of internal controls, effectiveness and efficiency of operations, reliability of financial records, compliance with applicable laws and regulations and supervision or compliance with policies. Positive (but not urgent) action is required from management to address the audit finding within 3 months.
▪ Low: An audit finding is assigned a “Low” priority when the internal controls are generally functioning with some minor exceptions, mostly in terms of efficiency and isolated events of non-compliance. Management can address the audit finding within 3 to 6 months.
Audit Report Template – Executive Summary
Audit Report Template – Executive Summary
(Cont’d)
Observations, Recommendations and
Management Response
Writing an Impactful Audit Report: 6 Tips for
being more Persuasive
▪ Keep It Short
▪ Keep It Simple
▪ Remember the 5 C’s
▪ Make Your Best Ideas Stand Out
▪ Consider the Implications
▪ Don’t Neglect the Basics
Q&A?
Key Takeaways
Know the principles, be resourceful and creative in application
▪ WORKING EXPERIENCES
▪ SENIOR MANAGER IN KAP PURWANTONO, SUNGKORO AND SURJA (ERNST AND YOUNG
INDONESIA)
▪ DIGITAL TRANSFORMATION
▪ INTERNAL AUDIT FUNCTION
▪ INTERNAL AUDIT FUNCTION in DIGITAL TRANSFORMATION
As we have seen, new digital tools are not the only element of digital
transformation, but they still form an integral part of it. The challenge
here is to successfully bridge the gap between new and existing
technologies to produce the best results. To do this and communicated
effectively.
To achieve this:
▪ Fully utilize existing tools
▪ Select the right technology
▪ What Is Internal Auditing?
▪ Internal auditing is an independent, objective, assurance and
consulting activity designed to add value and improve an
organization’s operations.
▪ The organization that performs internal auditing is defined as the
Internal Auditor.
▪ Internal Audit Responsibilities
▪ Offer Insight and Advice
▪ Evaluate Risks
▪ Assess Controls
▪ Ensure Accuracy
▪ Improve Operations
▪ Promote Ethics
▪ Review Processes and Procedures
▪ Monitor Compliance
▪ Assure Safeguards
▪ Investigate Fraud
▪ Communicate Results
▪ Development of Internal Audit
▪ Internal Audit 1.0
▪ Internal Audit 2.0
▪ Internal Audit 3.0
▪ Internal Audit 4.0
▪ Internal Audit 1.0
▪ Internal audit has ramped up in efficiency and focus with improved
standards, guidelines, etc. But the “tools” to perform these tasks
were mostly paper based.
▪ The first major change that leads to internal audit 1.0 is the
introduction of software solutions specifically designed for audit
purposes. These tools were initially “fat clients” hence with the
software and the data installed and residing on someone’s own
machine.
▪ Internal Audit 2.0
▪ Fast forward now to 2002 and the inception of the Sarbanes-Oxley
Act, which put a lot of attention on internal control and audit
tools. At the same time, new technology improvements helped
developers move away from fat clients to full web solutions no
longer hosted on a user’s machine.
▪ This is a breakthrough for information sharing: many people can
now work simultaneously on the same topic and collaborate.
Consolidation of findings and recommendations also becomes
much more efficient and instantaneous.
▪ Internal Audit 3.0
▪ Integrating the information from a variety of sources to present a
single source of truth. The result is a self-correcting framework in
which each line of defense collaborates with the others to
continuously provide complete and reliable information.
▪ Internal Audit 4.0
▪ These detection strategies use Big Data analytics capabilities
to find irregularities in the data being audited.
▪ The challenges resulting from new digital technologies are driven by
five main trends:
▪ Technology/digital disruption
▪ Business transformation aligned with technology transformation
▪ Utilizing big data
▪ Cyber security
▪ Regulatory pressure
▪ Identify Technology Risk:
▪ Data quality risk
▪ IT governance risk
▪ Cyber security risk
▪ Regulatory risk
▪ Business system risk
▪ IT process and asset risk
▪ IT compliance risk
▪ IT resilience and continuance risk
▪ Solution for Internal Audit including IT Audit for digital transformation:
1. Set foundation
Sharpening Internal Audit’s IT focus consists of developing a clear understanding of key
stakeholders’ expectations and then recognizing that those expectations likely evolved and
will continue to evolve in today’s rapidly changing environment.
To stay ahead of the curve on continuously evolving risks, Internal Audit must network both
internally and externally regarding emerging risks and mitigation practices.
Internal Audit’s role in ensuring that technology-related risks get considered properly
becomes especially important when a company is getting ready to roll out a new business
process, product, or information system.
By leveraging the IT risk assessment, Internal Audit can serve as a trusted advisor to the
business by proactively identifying organisation-specific risks and by providing strategic
advice and value-added services when it comes to issues that involve cyber security, privacy,
the cloud, big data, social media, the Internet of Things, and other technology challenges.
2. Assess Risk
Internal Audit should develop an enterprise risk profile and conduct a dynamic and
comprehensive risk assessment that incorporates a company’s risk universe, major
trends and opportunities, and macro risks.
Internal Audit should also use data analytics and visualisation tools to find out where
risks reside in the organization.
3. Execute Audits
Internal Audit can more fully develop the audit plan to drive enterprise value. The plan
should be balanced, taking into account identified risk areas, relevant regulatory
expectations, stakeholder requests, and emerging trends and opportunities.
4. Deliver Report
Deliver a robust set of meaningful recommendations and insights on technology
challenges by expanding from a narrow, fixed approach to an informed, proactive,
big-picture stance that evolves with the organisation’s needs.
Leverage the management to create awareness and education around key technology
trends.
Day 4+Day 5
Effective Technique For
Internal Auditor
Zoom Webinar
AGENDA
I. Internal Audit Standards
II. Engagement Planning
III. Engagement Execution
IV. Communicating the Engagement and Monitoring Corrective Actions
I. Internal Audit Standards
A. INTRODUCTION
MILESTONES OF THE INTERNAL AUDIT PROFESSION
WorldCom’s VP Internal Audit.
Megafraud whistleblower
EVOLUTION OF THE ROLE OF THE INTERNAL AUDIT PROFESSION
▪ Insightful relationships
▪ Critical-thinking skills, business acumen, and
technical expertise
THE THREE LINES MODEL – THE IIA
GOVERNING BODY
1. Is accountable to stakeholders for oversight of the organization.
2. Engages with stakeholders to monitor their interests and communicates
transparently on the achievement of the organization's objectives.
Recommended
MISSION
To protect and enhance organizational value by providing risk-based and
objective assurance, advice and insight.
PRINCIPLES
• Competent and careful - professional.
• Objective and independent.
• Aligned with the organization's strategies, objectives and risks.
• Supported by adequate resources.
• Communicates effectively.
• Provides risk-based assurance.
• Insightful, proactive and future-focused.
• Promotes organizational improvement.
DEFINITION
• Adds value and improves the organization's operations.
• Helps the organization accomplish its objectives.
• Uses a systematic and disciplined approach.
• Evaluates and improves the effectiveness of risk management, control
and governance processes.
Released: 2017
CODE OF ETHICS
Principles:
Integrity, Objectivity, Confidentiality, Competency
MISSION
Assurance, Consulting
CONSULTING ROLE
• Statement of Standards
✓ Attribute Standards
✓ Performance Standards
✓ Implementation Standards
• Interpretations
• Glossary
ATTRIBUTE STANDARDS
1. Purpose, Authority, and Responsibility
2. Independence and Objectivity
3. Proficiency and Due Professional Care
4. Quality Assurance and Improvement Program
PERFORMANCE STANDARDS
1210.A3
• The digit ‘1’ indicates: Attribute Standards
• The digit ‘2’ indicates: Proficiency & Due Professional Care
• The number ‘10’ indicates: Proficiency
• The letter ‘A’ indicates: Assurance
• The digit ‘3’ indicates: the 3rd Implementation Standard
CODE OF ETHICS
INTERNAL AUDIT CODE OF ETHICS
• Principles.
• Rules of Conduct:
✓ Describe the expected norms of behavior.
✓ Serve as an aid in interpreting the ‘Principles’.
✓ Guide ethical behavior.
PRINCIPLES
• Integrity
• Objectivity
• Confidentiality
• Competency
CODE OF ETHICS
1. Integrity:
a. Honest, careful and responsible.
b. Complies with the law and provides objective information when
required by law/the profession.
c. Is not involved in illegal activities and does not discredit the
profession/organization.
• ENGAGEMENT PLANNING
• ENGAGEMENT EXECUTION
• COMMUNICATING ENGAGEMENT RESULTS
• MONITORING CORRECTIVE ACTIONS
• EVALUATING AND REPORTING ACTIVITIES
Stages of an Internal Audit Engagement
ENGAGEMENT PLANNING → ENGAGEMENT EXECUTION → COMMUNICATING RESULTS & MONITORING
Description of Internal Audit Engagement Activities
Engagement Planning
Examples of Engagement Objectives
Etc...
Identifying and Assessing Risks
• High Risk
• High Return
Risk Elements
• Probability
• Event
• Impact
Man, Methods, Money, Machine, Material, etc.
Risk
Risk in Business
Business is:
Seizing Opportunities, Managing Risks
Risk appetite can differ from person to person
The better one manages risk,
the greater the benefit received
Various Risk Models
Risks Are Managed Through ‘Controls’
LIKELIHOOD / PROBABILITY
CONTROL
1. APPROVING.
2. CALCULATING.
3. DOCUMENTING.
4. EXAMINING.
5. MATCHING.
6. MONITORING.
7. RESTRICTING.
8. SEGREGATING.
9. SUPERVISING.
SAMPLE WORKING PAPER
EVALUATING THE ADEQUACY OF THE DESIGN OF ...
Planning
• Risks to be audited → Identify related controls → Assess control adequacy in terms of design
• If something is not balanced → Type A Finding
• Set out in the audit program.
Engagement Execution
• Assess controls in terms of implementation (Result: Type B Finding)
EVALUATING THE ADEQUACY OF THE DESIGN OF ...
Controls that should exist
Existing controls
Is there a gap?
EVALUATING THE ADEQUACY OF THE DESIGN OF ...
Source Document / Physical Evidence → Journal → General Ledger → Financial Statement
VOUCHING: backward
TRACING: forward
SAMPLE WORKING PAPER
CASE EXAMPLE
DEVELOPING THE ENGAGEMENT WORK PROGRAM
1. Provides all team members with information and an understanding of the tasks
to be carried out in the testing stage.
2. Serves as a means of coordination for all team members in sharing tasks and responsibilities.
3. During the engagement execution stage, the work program can provide information on
which tasks have and have not been carried out.
1. In-house auditing.
2. Total out-sourcing.
3. Partial out-sourcing.
4. Co-sourcing.
5. Sub-contracting.
III. ENGAGEMENT EXECUTION
KEY AUDIT STANDARDS
1. Entry Meeting
2. Test Preparation
3. Testing – Gathering Information
4. Evaluating Information
5. Audit Conclusion
TEST PREPARATION
1. Formulating the test objectives
2. Identifying the types of tests
3. Identifying personnel needs
4. Determining the sequence of the testing process
Embedded Audit Modules
• A program that runs alongside the software as it performs its functions.
External Auditor
Internal Auditor
Combined Assurance
Oversight of GRC
COMBINED ASSURANCE METHODS
Functional integration: integrating functions for oversight purposes
Alignment of activities: coordination through the alignment of activities
1. Performing the Tests
a. All of the auditee's risks, or
b. Those with a high Control Score (the difference between inherent risk and
residual risk), or
c. Only the high risks.
2. Testing Criteria
a. Direct: relates to the risk being tested
b. Efficient: relates to the cost and time required
c. Feasible: the auditor's capability to perform the testing technique
3. Test Documentation: Risk-Control Matrix
4. Evaluating information/evidence and drawing conclusions on the audit results
The Internal Auditor's Attitude in Gathering Evidence
• Relevant information is information that supports the observations and recommendations and
is consistent with the engagement objectives.
• Reliable/competent information is the best information attainable through
the use of appropriate engagement techniques.
• Sufficient information is information that is factual, adequate, and convincing so that
a prudent person would reach the same conclusion
as the auditor.
1. Evidence from an independent third party is more reliable than evidence from client personnel.
2. Evidence produced by a system with effective internal controls is more reliable than
evidence produced by a system with weak internal controls.
3. Evidence obtained directly by the internal auditor is more reliable than evidence
conveyed through another party.
4. Documented evidence is more reliable than undocumented evidence.
5. Evidence created in a timely manner is more reliable than evidence not created in a timely manner.
6. Evidence supported by other evidence is stronger than evidence not supported by other
evidence or evidence that is contradictory.
7. Evidence with a large/adequate sample size is more reliable than evidence with a small
sample size.
Risk and Control Evaluation Matrix
Process-Level Risk | Key Control | Testing Approach | Test Result | Conclusion
Risk A | Control Activity 1 | Test x | Control effective | Risk A is still not adequately mitigated • FINDING
Risk A | Control Activity 2 | Test y | Control not effective |
Risk A | Control Activity 3 | Test z | Control not effective |
Risk B | Control Activity 1 | Test x | |
Risk B | Control Activity 4 | Test a | |
Risk B | Control Activity 3 | Test z | |
Risk C | Control Activity 5 | Test m | |
Risk C | Control Activity 6 | Test n | |
ELEMENTS OF A FINDING
Criteria
• Standards/expectations
• Existing or developed
Effect
• Impact or risk if left unaddressed
• Potential or realized
Cause
• Root cause
• Action plan
• Engagement client's response
What Are the Types of Audit Working Papers?
Standard 2340:
“Engagements must be properly supervised to ensure objectives are achieved, quality is assured,
and staff is developed.”
Three Interrelated Factors –
Writing the Report
• Substance/Content of the Findings
• Language Style
• Graphical Design
Communication Content (Report)
1. Executive Summary
2. Body of the Report:
a. Objectives and scope of the engagement
b. General information (optional): information about the client, legal basis of
the engagement, background of the engagement, engagement methodology, etc.
c. Engagement results (findings/observations): condition, criteria, effect, cause
d. Recommendations
e. Corrective action plan
f. Conclusion or opinion (optional)
Quality Requirements for Audit Reports
Findings are written
during the execution
stage
FINDING CATEGORIES
A. Insignificant:
❑ Insignificant magnitude OR
❑ Remote likelihood
B. Significant
❑ More than insignificant magnitude AND
❑ More than remote likelihood
C. Material
❑ Significant with extreme magnitude
Extreme | 5 | MATERIAL
Medium | 3 | SIGNIFICANT
Low (insignificant) | 2 | INSIGNIFICANT
Negligible | 1
Score: 1 = Remote (0 – 10%), 2 = Unlikely (10-25%), 3 = Possible (25-50%), 4 = Probable (50-90%), 5 = Certain (90-100%)
LIKELIHOOD / PROBABILITY
OVERALL CONCLUSION (OVERALL OPINION)
Providing the Auditor's Overall Opinion
• High
• Medium
• Low
• Satisfactory
• Good
• Needs improvement
• Weak
SAMPLE REPORT STRUCTURE
Audit Standards Related to Monitoring Corrective Actions
• Closed
• In progress
• Open
• No longer relevant
Stages of Monitoring and Updating
Corrective Actions
1. Communicate the findings/observations together with their recommendations and action plans
2. Prepare and send the Corrective Action Monitoring letter for the Audit
Findings