
PT LMI C&C – Internal Audit Training
2nd & 3rd June

With You Today

Jonathan Ho, Director, Risk Consulting, KPMG Services Pte Ltd
Tan Chee Keng, Director, Risk Consulting, KPMG Services Pte Ltd
Victor Chan, Assistant Manager, Risk Consulting, KPMG Services Pte Ltd
Training Objectives

By the end of this training, the Control and Compliance team will:

• Understand their roles and responsibilities
• Be able to appreciate the concept of risks and internal controls
• Understand and be able to conduct audits in accordance with the C&C Internal Audit Manual
Training Objectives

What would you like to achieve these two days?
Training Agenda – Day 1

Training Agenda – Day 2

Training Agenda – Day 2 (continued)
Internal Audit Charter and IA Manual

C&C's Organisation Structure

Head of C&C: Arthur Felix Kalesaran
  Senior Manager: Deddy Taufik Hidayat
    Assistant Managers: Noventywan H, Maria Lusiana
      Supervisors: Seprian Anggasari, Greggy Alvin Leander
IA Charter and IA Manual

What is the objective of an IA Charter and IA Manual?

IA Charter: The internal audit charter is a formal document that defines the internal audit activity's purpose, authority, and responsibility.

IA Manual: The objective of the Internal Audit Manual is to serve as a guide to new staff and a reference for existing staff of Control and Compliance ("C&C"), PT Lippo Malls Indonesia ("PT LMI"). It documents the policies, procedures and standards for the efficient and effective functioning of the C&C unit.
Knowing your IA Charter

Contents of IA Charter
1. Introduction
2. Mission
3. Scope of Internal Audit Work
4. Accountability
5. Independence and Reporting
6. Code of Ethics
7. Responsibility
8. Authority
9. Communication with the Auditees
10. Relationship with External Auditors
11. Operating Budget / Expenses
12. Quality Assurance
Knowing your IA Manual

1. Introduction: Objective of the manual
2. Skill, Professional Development and Conduct: Skill sets and professional development; Professional conduct
3. Risk Based Internal Audit Plan: Independent risk assessment; Identify audit universe; Develop internal audit plan and resources
4. Audit Execution and Reporting: Planning the audit, audit program development; Audit fieldwork; Reporting and fieldwork
Risk and Control Concepts

Risk, Control and Process

What is Risk? What is Internal Control? What is a Process?
What is Risk?

RISK = The possibility of an organization NOT:

• Achieving its goals
• Operating effectively and efficiently
• Protecting itself from loss
• Providing reliable financial data
• Complying with regulations and defined policies
What is Internal Control? (Source: COSO Framework)

A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

COSO Cube (figure)
Types of Internal Controls

Controls should be applied to both manual and computerized systems.

Preventive controls
• Attempt to deter or prevent undesirable events from occurring.
• Proactive controls that help to prevent a loss.

Detective controls
• Attempt to detect undesirable acts.
• Provide evidence that a loss has occurred but do not prevent a loss from occurring.

Manual controls
• Internal controls that require staff operation and monitoring outside of any system or application.
• Rely on humans for the effectiveness of the control.

System controls
• Internal controls that are incorporated into computerized systems.
• Fully automated using application algorithm/logic.
Types of Internal Controls (Cont'd)

• Automated controls are generally more effective
• Preventive controls are typically more efficient

Effectiveness (vertical axis, low to high) against efficiency (horizontal axis, low to high):
• Manual detective: lower effectiveness, lower efficiency
• Manual preventive: lower effectiveness, higher efficiency
• Automated detective: higher effectiveness, lower efficiency
• Automated preventive: higher effectiveness, higher efficiency
Examples of Control Activities

Authorization
Description: Approval of transactions executed and of access to assets and records.
Examples:
• Limits and delegation of financial authority for purchase orders, waiver of the competitive quotes requirement, write-off of bad debts, fixed assets, cancellation/reversal of course fees collection.
• Bank signatories for payments.

Exception / Edit report
Description: Reports are generated to monitor something and exceptions are followed up to resolution. (Exception: a violation of a set standard. Edit: a change to a master file.)
Examples:
• Log of system access after working hours.
• Expense overrun reports (actual vs. budget).
Examples of Control Activities (Cont'd)

IT Controls: Access Rights
Description: The permissions that are granted to a user to read, write and erase files in the system.
Examples:
• Access rights are assigned based on roles and responsibilities, e.g. only cashiers are granted access to the cash receipts module.

Segregation of duties
Description: Separation of the duties and responsibilities of authorizing, recording and checking transactions and maintaining custody, to prevent individuals from undetected theft of cash. Conflicting functions are segregated.
Examples:
• The person who prepares bank reconciliations is not involved in the purchasing and payment function.
• Competitive quotes evaluation for vendor selection is reviewed and approved by the delegated authority.
Examples of Control Activities (Cont'd)

Key Performance Indicators
Description: Financial and non-financial quantitative measurements that are collected by the entity and used to evaluate progress towards meeting objectives.
Examples:
• Accounts Receivables turnover ratio.
• Leasing rates above budget.
• Vacant units.

Reconciliation
Description: Check whether data from different sources are consistent.
Examples:
• Bank reconciliation between general ledger and bank statements.
• Reconciliation of Accounts Receivables ageing to General Ledger.
• Reconciliation of Accounts Payable balance to the supplier's statement of accounts.
Examples of Control Activities (Cont'd)

Document Control
Description: Pertinent documents are properly filed for easy reference and tracking, and safeguarded for retention.
Examples:
• Receipt vouchers are filed in sequential order.
• Billings are sequentially numbered.

Physical Security
Description: Pertinent assets such as cash are adequately safeguarded, with access restricted.
Examples:
• Cash and blank cheque books are placed under lock and key with dual control.
• Physical access to offices is restricted to personnel of the department, especially the Leasing, Finance, Payroll and IT departments.

Review and Monitoring
Description: A person different from the preparer analyses and performs oversight of the activities performed.
Examples:
• Manager's review of reconciliations.
• Co-workers verifying each other's work.
Difference between a Control Activity and a Process Activity

Process / activity: Reconciliation
Control activity: Review of the reconciliation

Process / activity: An edit report is generated
Control activity: The edit report is reviewed and items are followed up

Process / activity: An analyst prepares a report that compares returns to sales by product
Control activity: The report is reviewed by the Manager for accuracy and for negative trends

Process / activity: Inventory count
Control activity: Inventory count discrepancies are identified and followed up
Pointers to Document Controls: 5Ws + H and 12 Questions

When?
1. How often is the control activity performed? (daily, weekly..)
2. When is the control performed? (before, after, upon..)

Who?
3. Who performs the control activity? (function, title)

What?
4. What reports/documents are involved in performing the control activity?
5. What systems support the control activity?
6. What is performed to ensure the control objective?
7. What follow up procedures are performed if errors are detected?
8. What system controls are in place to mitigate the financial risk?

Why?
9. What is the purpose of the control activity (e.g. to ensure that…)?

Where?
10. Where is the control performed (site, department, warehouse, refinery, etc.)?

How?
11. How does the control link to the next control steps?
12. How is the performance of the control evidenced?
Quiz 1

Developing Risk Based Internal Audit Plan

Steps to develop an Internal Audit Plan (IA Manual Chapter 3)

Business Understanding → Risk Assessment → Internal Audit Plan
Business Understanding (IA Manual Chapter 3.1)

• Review and analyse industry information
• Identify auditable business processes
Risk Assessment (IA Manual Chapter 3.2)

Identify and Assess
• Establish risk rating criteria and parameters
• Identify risk universe
• Prioritise / rank risks
• Plot heat map

Analyse and Measure
• Establish risk categories (e.g. financial, operational, compliance)
• Identify and map top risks to business processes

Review
• Consider past findings, emerging risks, engage stakeholders
Risk Assessment - Concepts and Terminologies

Likelihood: Probability that a particular risk will occur, evaluated against a set time period.
Impact: In the event that a risk occurs, the potential impact to an organization.

Heat map (figure): likelihood of occurrence (Unlikely / Possible/Moderate / Likely) plotted against magnitude of impact (Low / Moderate / Major).
Defining your thresholds of impact… (monetary loss)

Magnitude of Impact
Scale 1, Low: potential monetary loss (net profit) < 5% of net cash flow
Scale 2, Moderate: potential monetary loss (net profit) 5% to 10% of net cash flow
Scale 3, Major: potential monetary loss (net profit) > 10% of net cash flow
Defining your thresholds of impact… (non-monetary loss)

Magnitude of Impact

Damage to reputation
Scale 1, Low: several small incidents in a single location; loss of confidence in service capabilities
Scale 2, Moderate: major incident/s in a single location; loss of confidence in service capabilities
Scale 3, Major: major incidents in several locations; loss of confidence in service capabilities

Operational disruption
Scale 1, Low: 3 days of total work days in a year of unscheduled disruption to operations
Scale 2, Moderate: 3 to 5 days of total work days in a year of unscheduled disruption to operations
Scale 3, Major: greater than 5 days of total work days in a year of unscheduled disruption to operations
…and likelihood

Likelihood of occurrence
Scale 1, Unlikely: Event could occur at some time. Probability: < 25% chance of occurring. Time-to-failure: risk event will occur beyond the next 2 years.
Scale 2, Possible/Moderate: Event will occur at some time. Probability: 25% - 50% chance of occurring. Time-to-failure: risk event will occur between the next 12 – 24 months.
Scale 3, Likely: Event will probably occur in most circumstances. Probability: > 50% chance of occurring. Time-to-failure: risk event will occur within the next 12 months.
Dashboard report on LMIRT's Top 10 Risks Profile (2013)

Consolidated Corporate Risk Dashboard (figure): risks R1 to R10 plotted by likelihood of occurrence (Unlikely / Possible/Moderate / Likely) against magnitude of impact (Low / Moderate / Major).

Risk No.  Risk identified
R1   Country risk (political / economic / FX risk, by product)
R2   Adverse hazardous events (earthquakes, flood)
R3   Financial market risk (shortage of funding)
R4   Property manager risk (poor performance and fraud risk)
R5   Fraud risk (internal)
R6   Financial counterparty risk (banks / insurance companies)
R7   Key man / personnel risk
R8   Regulatory risk (changes in SGX rules / MAS L&R)
R9   New acquisition risk
R10  Changing business trends
Mapping of Key Risks to Processes – Tier 1 Processes (2013)

Processes (columns): Strategic Planning & Control Environment; Leasing & Billing; Collection & Safeguarding of Cash; Financial Reporting; Procurement / IPT; Treasury & Cash Planning; HR & Payroll; Business Continuity; Investment Management

Risk No.  Identified Risk               Risk Value  Processes in which the risk manifests
R1        Country risk                  Medium      3
R2        Adverse hazardous events      Low         2
R3        Financial market risk         Medium      4
R4        Property manager risk         High        5
R5        Fraud risk                    Medium      7
R6        Financial counterparty risk   Medium      1
R7        Key man / personnel risk      Medium      5
R8        Regulatory risk               Low         4
R9        New acquisition risk          Low         2
R10       Changing business trends      Low         3

Number of risks which manifest in each process: Strategic Planning & Control Environment 8; Leasing & Billing 4; Collection & Safeguarding of Cash 3; Financial Reporting 2; Procurement / IPT 5; Treasury & Cash Planning 1; HR & Payroll 2; Business Continuity 6; Investment Management 5

Shaded columns in the slide: processes that were covered in the FY2011/2012 IA Plan
Mapping of Key Risks to Processes – Tier 1 Processes (2013), aggregated risk scores

Processes (columns): Strategic Planning & Control Environment; Leasing & Billing; Collection & Safeguarding of Cash; Financial Reporting; Procurement / IPT; Treasury & Cash Planning; HR & Payroll; Business Continuity; Investment Management

Risk No.  Identified Risk               Risk Value  Score per process  Processes in which the risk manifests
R1        Country risk                  Medium      2                  3
R2        Adverse hazardous events      Low         1                  2
R3        Financial market risk         Medium      6                  4
R4        Property manager risk         High        5                  5
R5        Fraud risk                    Medium      2                  7
R6        Financial counterparty risk   Medium      2                  1
R7        Key man / personnel risk      Medium      4                  5
R8        Regulatory risk               Low         1                  4
R9        New acquisition risk          Low         1                  2
R10       Changing business trends      Low         1                  3

Aggregated risk score where risks manifest in each process: Strategic Planning & Control Environment 18; Leasing & Billing 9; Collection & Safeguarding of Cash 11; Financial Reporting 7; Procurement / IPT 18; Treasury & Cash Planning 2; HR & Payroll 6; Business Continuity 15; Investment Management 13

Shaded columns in the slide: processes that were covered in the FY2011/2012 IA Plan
Develop Internal Audit Plan (IA Manual Chapter 3.3)

Determine business processes to be included in the plan → Determine timing and resources → Develop IA plan → Present to Board for approval
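The rating criteria, the risk-to-process mapping and the plan selection above are one procedure, so here is an added worked example of it in Python. It is not code from the IA Manual or from KPMG: the impact and likelihood thresholds are the ones defined on the preceding slides, while the risk register values, the processes each risk maps to, the scoring rule (likelihood scale value times impact scale value) and the rule for deferring processes reviewed in the previous plan are assumptions made for illustration.

```python
"""Risk-based audit prioritisation, following the deck's rating criteria.

Added example (not from the IA Manual). The impact and likelihood thresholds
are the deck's; the risk register values, the risk-to-process mapping, the
scoring rule (likelihood scale x impact scale) and the plan selection rule
are assumptions made for illustration.
"""
from dataclasses import dataclass

IMPACT_SCALE = {"Low": 1, "Moderate": 2, "Major": 3}
LIKELIHOOD_SCALE = {"Unlikely": 1, "Possible/Moderate": 2, "Likely": 3}


def rate_impact(loss_pct_of_net_cash_flow):
    """Deck thresholds: < 5% Low, 5% to 10% Moderate, > 10% Major."""
    if loss_pct_of_net_cash_flow < 5:
        return "Low"
    if loss_pct_of_net_cash_flow <= 10:
        return "Moderate"
    return "Major"


def rate_likelihood(probability_pct):
    """Deck thresholds: < 25% Unlikely, 25% - 50% Possible/Moderate, > 50% Likely."""
    if probability_pct < 25:
        return "Unlikely"
    if probability_pct <= 50:
        return "Possible/Moderate"
    return "Likely"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    name: str
    probability_pct: float          # chance of occurring in the assessment period
    loss_pct_net_cash_flow: float   # potential monetary loss
    processes: tuple                # processes in which the risk manifests

    def heat_map_cell(self):
        return (rate_likelihood(self.probability_pct),
                rate_impact(self.loss_pct_net_cash_flow))

    @property
    def score(self):
        # Assumed scoring rule: likelihood scale value x impact scale value (1 to 9).
        likelihood, impact = self.heat_map_cell()
        return LIKELIHOOD_SCALE[likelihood] * IMPACT_SCALE[impact]


# Constructed register: the risk names are the deck's, every number is hypothetical.
SAMPLE_RISKS = (
    Risk("R2", "Adverse hazardous events", 10, 15,
         ("Business Continuity", "Investment Management")),
    Risk("R4", "Property manager risk", 60, 12,
         ("Leasing & Billing", "Collection & Safeguarding of Cash",
          "Procurement / IPT", "Financial Reporting")),
    Risk("R5", "Fraud risk (internal)", 30, 6,
         ("Leasing & Billing", "Collection & Safeguarding of Cash",
          "Procurement / IPT", "HR & Payroll", "Treasury & Cash Planning")),
    Risk("R7", "Key man / personnel risk", 40, 4,
         ("Strategic Planning & Control Environment", "HR & Payroll",
          "Business Continuity")),
    Risk("R8", "Regulatory risk", 20, 3,
         ("Financial Reporting", "Strategic Planning & Control Environment")),
)


def aggregate_by_process(risks):
    """Sum each risk's score into every process it maps to, and count the
    risks per process (the deck's two mapping tables)."""
    totals, counts = {}, {}
    for risk in risks:
        for process in risk.processes:
            totals[process] = totals.get(process, 0) + risk.score
            counts[process] = counts.get(process, 0) + 1
    return totals, counts


def rank_processes(risks):
    """Processes ordered by aggregated score, then by number of risks, then name."""
    totals, counts = aggregate_by_process(risks)
    return sorted(totals.items(),
                  key=lambda item: (-item[1], -counts[item[0]], item[0]))


def propose_plan(risks, capacity, covered_recently):
    """Assumed multi-year rule: fill the plan from the ranked list, taking
    processes not reviewed in the previous plan first, then the rest."""
    ranked = [process for process, _ in rank_processes(risks)]
    first = [p for p in ranked if p not in covered_recently]
    rest = [p for p in ranked if p in covered_recently]
    return (first + rest)[:capacity]


if __name__ == "__main__":
    for risk in SAMPLE_RISKS:
        print(risk.risk_id, risk.heat_map_cell(), risk.score)
    for process, total in rank_processes(SAMPLE_RISKS):
        print(f"{total:2d}  {process}")
    print(propose_plan(SAMPLE_RISKS, 4, {"Leasing & Billing", "Financial Reporting"}))
```

The boundary cases follow the slide wording: a loss of exactly 5% or 10% of net cash flow is Moderate, a 25% or 50% probability is Possible/Moderate. Ties in the ranking are broken by the number of risks that manifest in the process, which keeps a process that many medium risks touch ahead of one hit by a single risk of the same aggregate.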
Internal Audit Plan – Sample for Illustration

The IA Plan should include details of the IA objectives relating to the processes selected for review.
Internal Audit Plan – Timing and Resources of Audit

Timing of audit
• Internal audit reviews of malls can be allocated over a number of years due to budgetary, resource or other restrictions, resulting in the need for a multi-year plan.
• Malls may be prioritised based on the factors illustrated in the next slide.
Prioritising Malls

Criteria: New mall? Large mall (by floor/revenue size)? Recent turnover of key staff? High number of adverse events? Many complaints from tenants? Previous significant findings? Total = number of criteria met.

Mall (15)                  Criteria met   Total
Gajah Mada Plaza           X              1
Cibubur Junction           -              -
The Plaza Semanggi         X X X          3
Mall Lippo Cikarang        -              -
Eka Lokasari Plaza         X X            2
Bandung Indah Plaza        X X            2
Istana Plaza               X X            2
Sun Plaza                  X X*           2
Pluit Village              X X X X*       4
Plaza Medan Fair           X X            2
Palembang Square & PSX     X X            2
Tamini Square              X              1
Lippo Plaza Kramat Jati    X X            2
Pejaten Village            X              1
Binjai Supermall           X              1

* Adverse events: Sun Plaza – fire incident in a tenant's premises due to mishandling of a flammable substance; Pluit Village – travelator incident which resulted in negative publicity on social media.
Break Out 1

End of Day 1
Quiz 2

Audit Planning (IA Manual Chapter 4.1)

Pre-Fieldwork Planning

• Notify the Auditee (one month in advance)
• Schedule meetings / timing
• Send a Document Request List
• Engage the Auditee where possible (e.g. via phone calls, emails)
During Fieldwork (IA Manual Chapter 4.1)

Perform process understanding
• Process understanding is commonly performed through interviews and discussions
• Conducted with those individuals who are intimately familiar with the process
• Should be documented in narrative form and/or through the use of flowcharts

Perform risk and control analysis
• Based on the process understanding, identify and assess process risks and how controls are in place to manage those risks
• Documented in the Risk and Control Matrix (RCM)
Process Narratives - Sample for Illustration

The Process Narratives document shall record all the pertinent information relating to that major process.

Generally, the information that you need in order to plan and design the audit procedures for this process may be included here.
Risk Control Matrix - Sample for Illustration

A Risk Control Matrix (RCM) lists the controls that mitigate, as far as possible, the risks that arise from transactions.

Creating an RCM allows the current operating status to be visualised and compared against the requisite controls, helping you discover deficiencies in the actual business flow and standardise work operations.
Interview Techniques

Interviews during the audit (IA Manual Chapter 4.4.4)

Planning the interview
• An appointment for the interview should be made at a mutually agreeable time.
• Prepare an agenda and interview questions (ask 5W1H questions).
• Be punctual, polite and tactful.

Conducting the interview
• The interviewer is to introduce himself / herself and give the objective of the audit and the purpose of the interview.
• Reserve judgement and keep an open mind during the interview. Leading questions should not be asked.

Concluding the interview
• Matters discussed should be summarised with the interviewee to allow for affirmation of the input given.
• The interviewer should provide orientation about the next step after the interview.
• The interviewee should then be thanked for his time and the information given.

Documenting the interview
• The results should be documented as soon as possible after the interview has ended.
• The interview records (i.e. walkthroughs) are to be used as supporting evidence in the working papers.
Audit Fieldwork and Working Papers

Purpose of Working Papers (IA Manual Chapter 4.5)

• A permanent record of the work performed during the audit
• Audit evidence
• Provide the means for review of audit work
• Provide the basis for the Audit Report
• Reference for subsequent audits and planning
Steps to complete Working Papers (IA Manual Chapter 4.5)

Plan
• Plan and prepare working papers

Execute
• Carry out tests and document findings

Review
• All work papers must be subject to review
• Submit to manager / Head of C&C for review

Store
• Working papers are confidential
• Securely store and file working papers
Working Paper

• Supporting work papers may be used to document the test results.
• Include enough information for the reviewer to re-perform the audit procedure. The information presented needs to be targeted at the audit procedures only.
• Audit procedures need to agree with the RCM.
• All exceptions must be clarified and concluded.
• Find out the root cause of each exception.
Testing Techniques

How do we assess Control Effectiveness?

Design Effectiveness
a. Conduct interviews with process owners to understand the workflows. (Enquiry)
b. Assess the knowledge of the staff performing the control activities through enquiry. (Knowledge Assessment)
c. Walkthrough of the control to validate that it exists according to our documentation. (Inspection)

Operational Effectiveness
Testing should cover:
a. Evidence of the operation of the control (e.g. sign-offs, tick-marks, email);
b. Steps to ascertain that the control has been performed as intended (e.g. check mathematical accuracy, authorization compliance, timely follow up on outstanding items).

Walkthrough → Test of Design → Control Gap / Adequacy
Testing → Test of Operational Effectiveness → Deficiency / Effectiveness
Test of Design - considerations (IA Manual Chapter 4.2)

Design effectiveness refers to whether a control is suitably designed to prevent or detect the stated risk. Consider the following:

Does the control achieve its objective?

How is the control performed?

What is the frequency of the control?

How competent and experienced is the person performing the control?

Is the control the only (key) control? Are there any compensating control(s)?
Test of Design – Performing Walkthrough (IA Manual Chapter 4.2)

Procedures:
• Trace a transaction from origination, through the company's accounting and information systems, to financial report preparation.
• Use the following methods to verify the documentation: inquiry and observation of the person performing the control, documentation review, and inspection by comparing the supporting documents to the accounting records (e.g. lease agreements, billings, etc.).
Test of Operational Effectiveness (IA Manual Chapter 4.2)

• The purpose of the Test of Operational Effectiveness is to gather sufficient documented evidence on whether or not the controls as documented are operating in practice.
• Testing involves acquiring evidence on the effectiveness of the prescribed controls.
Test of Operational Effectiveness techniques (IA Manual Chapter 4.2)

Technique: Example
Inquiry: "Do you reconcile your activity or do you review a certain report each month?"
Observation: Observing a reconciliation occur.
Inspection: Invoices are examined to assure that receiving documents and proof of delivery are attached when they are presented for payment.
Re-performance: Re-calculating the amortisation of lease revenue.
Knowledge Assessment: Interview the person performing the 3 way match; assess if the person has sufficient understanding to carry out the control activities.
Corroborative Inquiry: Interview a second person to confirm the control activity.
System Query: Perform an inquiry in the system to validate the control activities.
Sample Method (IA Manual Chapter 4.2)

Sampling gives information about a population characteristic without testing the entire population. A selection of items from the population that is representative of the whole population is therefore generally the most efficient testing technique. Sampling involves making decisions about the following:
• Identification of the population of items;
• How to select items from the population (selection technique);
• Which items to select (time period);
• How many items to select (size of sample).
Sample Criteria (IA Manual Chapter 4.2)

Sampling focus:
• Higher risk situations
• Key part of process
• Unusual or non-routine transactions
• Focus on the most effective control available
How to identify the correct source for sampling

Test Objective: Source
1. Completeness of recording (e.g. ascertain that all manual POs are posted to the books): Initiating documentation (e.g. register / log book that lists all the manual POs issued for the period under review).
2. Management review (e.g. ascertain that the monthly debtors listing is being reviewed): The document that is being reviewed (e.g. Monthly Debtors Listing for the period under review).
3. Authorization (e.g. ascertain that all manual POs are duly authorised): System reports that list the total population (e.g. system listing of POs posted for the period under review).
4. Access controls: System generated user access matrix.
5. Segregation of duties: Organisation chart / job description.
Sampling Size (IA Manual Chapter 4.2)

Frequency of Manual Control: Description: Sample Size
Annual: Control performed once per annum: 1
Quarterly: Control performed every 3 months: 2
Monthly: Control performed once a month: 2
Weekly: Control performed once or more times within a week: 5
Daily: Control performed once a day: 15
Recurring Manual Control: Control performed several times every day: 25
IT Application Controls: Fully automated system controls: 1
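The three sampling slides (Sample Method, identifying the correct source, and the sample size table) describe one procedure, so here is an added worked example of it in Python. It is not code from the IA Manual or from KPMG: the sample sizes are the ones in the table above, and the completeness test follows test objective 1 on the source slide (initiating register versus the books), but the manual PO register, the system listing of posted POs, the recorded random seed used so a reviewer can re-perform the selection, and the working paper fields are assumptions made for illustration.

```python
"""Sample selection for a test of operating effectiveness.

Added example (not from the IA Manual). The sample sizes are the deck's table
for manual controls by frequency, with 1 for a fully automated application
control; the manual PO register, the system listing and the recorded seed for
a reproducible random selection are assumptions made for illustration.
"""
import random

# Deck table: frequency of the manual control -> sample size.
SAMPLE_SIZE_BY_FREQUENCY = {
    "annual": 1,
    "quarterly": 2,
    "monthly": 2,
    "weekly": 5,
    "daily": 15,
    "recurring": 25,        # manual control performed several times a day
    "it_application": 1,    # fully automated system control
}


def sample_size(frequency, population_size):
    """Sample size from the deck's table, capped at the population size."""
    if population_size <= 0:
        return 0
    return min(SAMPLE_SIZE_BY_FREQUENCY[frequency], population_size)


def select_sample(population, frequency, seed):
    """Random selection from the identified population. The seed is recorded
    in the working paper so a reviewer can re-perform the same selection."""
    items = sorted(set(population))          # de-duplicate and fix the order
    size = sample_size(frequency, len(items))
    chosen = random.Random(seed).sample(items, size)
    return sorted(chosen)


def completeness_exceptions(initiating_register, system_listing):
    """Test objective 1 in the deck: every PO in the initiating register (log
    book) must be posted to the books. Items found only in the register are
    exceptions to be clarified and concluded in the working paper."""
    return sorted(set(initiating_register) - set(system_listing))


def working_paper(control, frequency, population, seed):
    """Record what a reviewer needs in order to re-perform the selection."""
    unique = set(population)
    return {
        "control": control,
        "frequency": frequency,
        "population_size": len(unique),
        "sample_size": sample_size(frequency, len(unique)),
        "seed": seed,
        "sample": select_sample(population, frequency, seed),
    }


# Constructed data: a manual PO log book and the system's listing of posted POs
# (two register entries are deliberately missing from the system).
MANUAL_PO_REGISTER = [f"MPO-2013-{n:03d}" for n in range(1, 41)]
SYSTEM_PO_LISTING = [po for po in MANUAL_PO_REGISTER
                     if po not in ("MPO-2013-017", "MPO-2013-033")]

if __name__ == "__main__":
    print(completeness_exceptions(MANUAL_PO_REGISTER, SYSTEM_PO_LISTING))
    print(working_paper("Manual POs approved by delegated authority", "weekly",
                        SYSTEM_PO_LISTING, seed=20130602))
```

Note that the population for the authorization test is the system listing (the deck's source 3), while the completeness test starts from the initiating register (source 1); the two exceptions surface only because the register, not the system, defines the population. Recording the seed with the population size makes the selection reproducible by the reviewer, which is the re-performance requirement for working papers.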
Quiz 3

Break Out 2

Internal Audit Report

Documenting Audit Findings (IA Manual Chapter 4.4.3)

Deficiency from testing result → Ascertain the root cause → Validate finding accuracy → Make a practical recommendation
Draft Report (IA Manual Chapter 4.7)

Quality review by the IA Manager of the draft report (and supporting working paper) → Send draft report to auditee / process owner for response → Obtain confirmation and action plan from auditee / process owner; closing meeting
How to rate findings (IA Manual Chapter 4.4.3)

High
• Issue could result in financial or operational losses within this area in the near term if left unresolved.

Medium
• Issue is either recurring in nature or could result in financial or operational losses within this area over the next 12 months if left unresolved.

Low
• Issue is unlikely to result in financial or operational losses, but may include opportunities to improve the effectiveness or the efficiency of controls or processes. Corrective action is encouraged but not required.
Audit Report - Sample for Illustration

The Audit Report would clearly state the Finding (i.e. the Issue), the Possible Impact, as well as Recommendations to address the issue.
What is the nature of an effective Audit Report? (IA Manual Chapter 4.9.2)

Objectivity
• The contents of the report should be accurate and based on facts documented in the working papers.

Clarity
• The report should be written to communicate clearly, be understood by the reader, and be properly structured.

Conciseness
• The contents of the report should be specific and relevant.

Constructive
• It should present the material in a fair and impartial manner, courteous and tactful. As a rule, no one should be mentioned by name.

Timeliness
• The report should be issued as soon as possible after the completion of the review.
Content of Audit Report (IA Manual Chapter 4.9.3)

Objectives, Scope, Findings, Impact, Action Plan
Audit Conclusions (IA Manual Chapter 4.9.5)
Break Out 3

Follow Up

Response to audit reports (IA Manual Chapter 4.11)

• The Auditees are responsible for the implementation of the audit recommendations as per the timelines indicated in the audit report.
• If any extension of time is required, the Auditees must give the Head of C&C a written explanation for the delay.
• The Auditor in charge should bring to the attention of the Head of C&C any case where the above is not complied with.
Follow Up (IA Manual Chapter 4.12)

Monitor action plan → Report progress → Determine the status of corrective action → Escalate unresolved issues → Clear findings
Break Out 4

Questions?

Contact Details

Richard Tan
Partner, Risk Consulting Services
KPMG Services Pte Ltd – Singapore
Tel: +65 6411 8181
Email: richardtan@kpmg.com.sg

Jonathan Ho
Director, Risk Consulting Services
KPMG Services Pte Ltd – Singapore
Tel: +65 6411 8336
Email: jho1@kpmg.com.sg

Tan Chee Keng
Director, Risk Consulting Services
KPMG Services Pte Ltd – Singapore
Tel: +65 6411 8109
Email: cheekengtan@kpmg.com.sg