
Name : Arief Budi Nugroho

NIM : 12030120190075
Class : X-IUP

Week 5

Internal Audit Planning

Before the internal audit function can launch a planned audit, it must have several foundations in place to
build an effective internal audit function or resource:

1. An effective plan or organization and charter for launching internal audit activities.
2. Long term annual audit plan.
3. Standardized and effective approach to conducting all internal audits.

Develop and Prepare an Audit Program

Internal audits must be organized and carried out consistently. To help achieve this goal of audit
consistency, internal auditors must use what is called an audit program to carry out audit procedures
consistently and effectively for similar types of audits. The term program refers to a set of auditor
procedures that are similar to the steps in a computer program, which goes through the same
instructions each time the process is executed.

An audit program is a tool for planning, directing and controlling audit work that determines the steps that
must be taken to meet audit objectives.

Audit Program Planning Objectives:

1. Explain the steps and tests that must be carried out.
2. The program should identify aspects of areas to be examined further and sensitive areas that
require audit emphasis.
3. The program should guide junior internal auditors and more experienced internal auditors.

Depending on the type of audit planned, the program usually follows one of three general formats:

1. A set of general audit procedures
2. Audit procedures with detailed instructions for auditors
3. Checklist for compliance review

Implementation of Internal Audit

1. Initial Procedures for Internal Audit Field Work

- The auditor and audit team members should initiate meetings with members of the auditee's
management to outline the initial plan for the audit, including the areas to be tested, any special
reports or documentation required, and the personnel to be interviewed.
- If key components of a planned audit are missing, such as missing data files, audit management
must develop a revised strategy to address the issue, such as:
1. Revise audit procedures to perform additional testing in other areas
2. Complete audits without missing data files
3. Complete other parts of the audit and reschedule the next visit to perform testing.
- When each step has been completed, the responsible auditor should initial and date the audit
program.
- Documentation gathered from each audit step, as well as any audit analysis, should be compiled
and forwarded to the responsible auditor, who performs an initial review of the audit work.

2. Technical Assistance for Audit Field Work

An important message that audit management must communicate to staff is that all technical audit issues
must be brought to the attention of the responsible auditor for resolution as soon as possible. Any
additional cost and time requirements caused by these technical issues must be documented.

3. Monitoring Audit Management Field Work

If the internal audit includes an extended time period or level of required resources, internal audit
management should review audit progress and provide technical direction through visits and
communications.

4. Potential Audit Findings

Although the content of preliminary audit findings may vary depending on specific internal audit needs,
preliminary audit findings typically have the following elements:

1. Identify findings.
2. The condition of the audit that has been completed.
3. Reference to documented audit work.
4. Auditor's initial recommendation.
5. Results of discussion of findings with management.

Potential audit findings should be reviewed with unit management during the audit to determine whether
they are factual and appear significant. Depending on the scope and size of the audit, these potential
findings should be analyzed at some point during the review.

Internal Audit Practice Standards

Every profession requires a set of standards to provide rules and guidelines to govern their practices,
general procedures, and ethics. The primary standards for internal auditors can be found in the
International Standards for the Professional Practice of Internal Auditing (IIA standards) from the Institute
of Internal Auditors (IIA), which is a set of guidance materials that have been essential to internal auditors
for many years since their inception. In 2015, the IIA's basic standards, code of ethics, and other guidance
materials were combined into what is known as the International Professional Practices Framework
(IPPF).

IPPF Key Components

Figure 9.1 shows its main components, combined into required or recommended elements:

- Internal audit mission statement
- Core principles of internal audit
- Understanding internal audit
- International standards of internal audit professional practice
- Additional implementation and guidance
- Guide to emerging issues

As the world's leading internal audit professional organization, the IIA, through its IPPF, has
developed and published standards that define basic internal audit practices. The International Standards
for the Professional Practice of Internal Auditing are designed to:

- Explain the basic principles of internal audit practice.
- Provide a framework for conducting and promoting a variety of value-added internal audit
activities.
- Establish a basis for measuring internal audit performance.
- Drive improvements in organizational processes and operations.

Code of ethics and principles of internal auditing

- For internal auditors, the code of ethics is intended to give the auditor sound principles that
keep audit activity on course. The principles established are integrity, objectivity,
confidentiality, and competency. The rules of conduct for each principle mostly concern staying
honest, being responsible, following the rules, protecting information, and developing skills.
- The internal audit principles
o The IIA’s goal for these principles is to make it easier for internal audit professionals to
understand and focus on the things that are most important. These principles should
facilitate more effective communications with key stakeholders, including regulators,
regarding the priorities that define internal audit effectiveness.

IPPF future directions.

- The overall IPPF seems to be a very good concept for internal auditors, improving internal
definitions and emphasizing key principles along with an emphasis on the IIA’s code of ethics and the
International Standards for the Professional Practice of Internal Auditing. An overall
understanding of all components of the IPPF should be a strong CBOK requirement.

Various audit approaches.

As the business landscape evolves, internal audit approaches also adapt to ensure the effective functioning
of systems and the fulfillment of control objectives. Several audit approaches are employed, including
workshops, surveys, interviews, and evidence evaluation:

1. Workshops: Workshops serve as a powerful means for teams to collaborate and explore ways to
enhance performance. They are particularly beneficial when addressing high-risk areas, such as
new projects or ventures, where collective input and brainstorming can lead to effective solutions.

2. Surveys: Surveys are valuable tools for gathering information and understanding the perspectives
of individuals on specific issues. They can be used to assess compliance levels, awareness of
controls, and other critical aspects by collecting input from a broad cross-section of staff
members.

3. Interviews: Conducting interviews allows auditors to gain insights into relevant issues and their
impact on systems. Interviews are especially useful when dealing with critical concerns that
require specific decisions. They involve conversations with individuals who possess the most
knowledge about the matter, enabling a deeper understanding.
4. Evidence Evaluation: The evaluation of available evidence related to control implementation is
essential for effective audits. Auditors must assess how controls are functioning and mitigating
risks by examining tangible evidence. This process ensures that controls are not just in place but
are also effective in achieving their intended objectives.

These various audit approaches provide a comprehensive toolkit for auditors to assess and improve
organizational systems and controls, ultimately contributing to better risk management and operational
effectiveness.

Investigation of circumstances.

- Investigation is one of the ways to find mistakes in the organization's activities that could be
related to the audit field. One of these mistakes is fraud.
- CIPFA divides fraud into three categories:
o Those which are known and recorded publicly
o Those which are known only within organizations and which will not be brought into the
public arena; and
o Those which are, as yet, undiscovered.
- The definition of Fraud from IIA:
o Any illegal act characterized by deceit, concealment, or violation of trust. These acts are
not dependent upon the threat of violence or physical force. Frauds are perpetrated by
parties and organizations to obtain money, property, or services; to avoid payment or
loss of services; or to secure personal or business advantage.
- ACFE definition of Fraud
o The use of one’s occupation for personal enrichment through the deliberate misuse or
misapplication of the employing organization’s resources or assets.
- Fraud can occur when an innocent error goes undetected and exposes a weakness in the system
that makes fraud possible. The equation is:
o Motive + Means + Opportunity = Fraud
o Fraud is an act of deceit to gain advantage or the property of another; its components
are:
▪ Motive
▪ Attraction
▪ Opportunity
▪ Concealment
- Fraud may be perpetrated internally by employees and/or externally by third parties.
Fraud may:
o Be complicated
o Be simple
o Be one-off or continuous
o Be carefully planned
o Involve regular amounts
o Be perpetrated by senior officers
o Involve large amounts
- Types of Fraud
o Theft
o Bribery and corruption
o Forgery
▪ Makes a false instrument with the intention that he or another shall use it to
induce someone to accept it as genuine and by reason of so accepting it, to do, or
not to do some act to his own or some other person’s prejudice.
o Conspiracy
▪ This involves the unlawful agreement by two or more persons to carry out an
unlawful common purpose or a lawful common purpose by unlawful means.
- When a fraud or irregularity comes to the attention of the auditor, there are various options to
keep under review, such as:
o Call the police
o Commence a management enquiry
o Commence an audit investigation
o Commence a joint management/internal audit investigation
o Interview the officer in question
o Suspend the suspect
o Instruct disciplinary proceedings
o Check the system of internal control
o Issue a formal instruction to staff
o Do nothing.

Information audit system, compliance.

- The IIA performance standard 2120.A1 states that the internal audit activity must evaluate risk
exposures relating to the organization’s governance, operations, and information systems
regarding the:
o Reliability and integrity of financial and operational information
o Effectiveness and efficiency of operations
o Safeguarding of assets
o Compliance with laws, regulations and contracts
- The IS auditor has a particular interest in the first item – the reliability and integrity of financial
and operational information. Meanwhile, Practice Advisory 2130.A1-22 goes on to say as
follows:
o The failure to protect personal information with appropriate controls can have significant
consequences for an organization
o Privacy definitions vary widely depending upon the culture, political environment and
legislative framework of the countries in which the organization operates.
o Effective control over the protection of personal information is an essential component of
the governance, risk management, and control processes of an organization.
o The internal audit activity can contribute to good governance and risk management by
assessing the adequacy of management’s identification of risks related to its privacy
objectives and the adequacy of the controls established to mitigate those risks to an
acceptable level.
- Information Systems Risk
o The risk of poor information systems and unreliable security and backup arrangements
leads to possible fraud, error, non-compliance with data protection rules, customer
dissatisfaction and security breaches.

o The IIA.UK&Ireland’s Information Technology Briefing Note Three covers Internet
Security (A Guide for Internal Auditors) and suggests a number of IS risk areas.
- The role of the IS Auditor
o The IS auditor may review a system, for example, creditors, and must be able to bring into
play important operational matters such as setting out terms of reference for the audit clearly:
▪ Start with the business objectives
▪ Recognize that many controls are operational and interface with automated
controls
▪ Plan computer auditor’s work with this in mind
o IIA standard 1210.A3 makes it clear that not all auditors will have specialist computing
skills:
▪ Internal auditors must have sufficient knowledge of key information technology
risks and controls and available technology-based audit techniques to perform
their assigned work. However, not all internal auditors are expected to have the
expertise of an internal auditor whose primary responsibility is information
technology auditing.
- IS Audit Planning
o An IS Auditing Guideline suggests that risk assessment is used to plan the use of IS audit
resources by considering the following:
▪ The integrity of IS management and IS management experience and knowledge.
▪ Changes in IS management.
▪ Pressures on IS management which may predispose them to conceal or misstate
information (e.g. large business-critical project over-runs, and hacker activities).
▪ The nature of the organization’s business and systems (e.g. plans for
e-commerce, the complexity of the systems and the lack of integrated systems).
▪ Factors affecting the organization’s industry as a whole (e.g. changes in
technology, and IS staff availability).
▪ The level of third party influences on the control of the systems being audited.
▪ Findings from and date of previous audits.
o All the details are explained further in the books.
- Compliance
o Compliance is an issue for the internal auditor and during the audit, an assessment will be
made of the extent to which the business is adhering to laws, regulations and control
standards.
o While compliance and issues relating to regularity and probity are generally incidental to
the main audit objective in assessing significant risk and controls, there are times when
internal audit may need to launch into an investigation into specific associated problems.
In many developed countries, a failure to demonstrate compliance with anti-money
laundering can lead to the possible closure of the business, the seizure of assets or the
revocation of operating licenses. Some audit teams have compliance reviews built into
their official terms of reference.

Role as a consultant

- There are 6 types of consulting work:
o Formal engagements – planned and written agreement
o Informal engagements – routine information exchange and participation in projects,
meetings and so on.
o Emergency services – temporary help and special requests
o Assessment services – information to management to help them make decisions, for
example, proposed new system or contractor
o Facilitation services – for improvement, for example, CSA, benchmarking, planning
support
o Remedial services – to assume a direct role to prevent or remediate a problem, for
example, training in risk management, internal control, compliance issues, drafting
policies.
- The model of consulting investigations:
o Initial terms of reference for the work
o Preliminary survey
o Establish suppositions
o Audit planning and work programme
o Detailed field work
o Determine underlying causes of problems
o Define and evaluate available options
o Test selected options
o Discuss with management
o Report
