Effective

Technique for
Internal Audit

28 – 29 AUGUST 2021
DAY01
 ▪ What is Internal Auditing?
▪ The Right Stuff
▪ Internal Audit Roles in Today’s World
Agenda ▪ Internal Audit Methodology
▪ Risk-Based Internal Audit
▪ Q&A?
What is Internal
Auditing?
Audit Means…

Source: https://en.wikipedia.org/wiki/Audit
Internal Audit Definition byIIA
▪ Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization's operations.
▪ It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.*
* Definition by the Institute of Internal Auditors (IIA)
http://www.theiia.org/theiia/about-the-profession/internal-audit-faqs/?i=1077
History of Audit
▪ 5000 years ago, in the Middle Kingdom of the Nile live Mesopotamian Civilization, the Pharaoh's deputy
was overseeing the storage of grains. Auditing was a matter of reperforming the work of others. Auditing
meant observing, counting and double-checking records.

▪ The processes and systems were very simple, and so was auditing.
▪ As the business organizations grew in size and complexity, the practice of Internal Audit also evolved.
History of Audit(Cont’d)
▪ Historically, auditing was concerned with accounting for government activities and reviewing the work done by tax
collectors. In the early years of auditing, the keeping and maintaining of accounting records was done primarily to
detect fraudulent activity.
▪ The industrial revolution in the mid 1700s tothe mid 1800s was responsible for the increased demand in auditors
because this period saw an increase in responsibility being passed from owners to managers. This led to an
increased requirement for auditors who were independent of management and who were engaged not only to be
alert for errors within financial records but also errors within the records. In simple terms, deliberate errors in
order to achieve personal financial gain were deemed to be fraudulent activity (as is still the case today) whilst
error was (and still is) unintentional.
▪ During the early 1700s the concept of ‘sampling’ was introduced. Sampling is where auditors select a sample of
items that make up various balances and was used where it is not economically viable to physically examine all
the transactions that have taken place. This practice is stillpivotal today.

Source: https://www.oreilly.com/
Evolution of InternalAudit
1900s 1950s 1960s 1970s 1990s 2000s to Present

Clerical Financial
Work & Reporting& InternalControl Objective Assurance, Consulting
Theftfraud Operational Compliance Business Activity, Added Value, Improve an
Auditing Oriented Organization Operation and the
Orientation Effectiveness of Risk Management,
Internal Control, and Governance
Process
KEY MILESTONES
IA set to emerge as a Profession IA began as aProfession Advance& Strengthening of IA Profession

1941 – Formation of theIIA
1947 – Issued the Statement of the
Responsibilities of the IA (Revisedin
1957, 1971, 1976, 1981, and1990)
1968 – Issuedthe Codeof Ethics
1972 – Published theCBOK
1974 – Created the ProfessionalCertification
for IA
1976 – Formation of theIIA Research
Foundation
1977 – Created a Professional Magazine for IA
1978 – Issued theIA Standards
1989 – Establishment of the IIA Indonesia
1999 – IssuedCurrent Definition of OA
2000 – Revised the Code of Ethics
2002 – Issuedthe New IA Standards
2006 – The Standards has beenRecognized
Globally
2007 – Issued a New IA Framework – the IPPF
2015 – Issueda New Enhancementof the IPPF
(latest update was in 2017)
Watch Dog vs Trusted Advisors vs Change Agents

CLASSIC ASSURANCE PROVIDERS TRUSTED ADVISORS CHANGE AGENTS

(“BEAN COUNTERS”) (“KNOW HOW TO GROW, HARVEST, (“BOLD AND CONFIDENT TO
AND TAKE BEANS TO THE MARKET”) ADVOCATE CHANGING THE CROP TO
MAXIMIZE RESULTS”)
 Does Internal Audit have to Exist?

+ - 1 6 T, 1MDB menuntut
Deutsche Bank,
JPMorgan, Coutts & Co.

+-23,7 T, kasus korupsi terbesar di

W indow Dressing Laporan Keuangan
+-16,81 T, kasus korupsi Indonesia
(3,6 T) dan Pengadaan Pesawat
pengelolaan keuangan
Bombardier type CRJ1000 (419 M)
dan dana investasi
 Most Notorious Case – Enron (2001)
▪ I n A p r i l 2 0 0 1 , Fo rtune M a ga z i n e li s ted E N RO N a s t he 7 t h l a rgest co m p a ny i n
t h e U SA a n d m o s t In novative Co m p any.

▪ S i x m o nt h s l ater, E N RO N f i l ed fo r ba n kru ptcy.

▪ G re ates t a c co u nt i n g f rau d o f 2 0 t h c e nt u ry.

▪ 1 2 , 0 0 0 p e o ple d i rec t l y l o s t t h e i r j o b s , ret i reme nt b e n ef i t s a n d e nt i re l i fe s

av i n gs .

▪ Pe n s i one rs wh o b o u ght s to c ks o f E n ron l o s t U S $ 7 0 b i l l i on wh e n p r i c e o f

s to c k co l l a p s ed to ZE RO.

▪ C au s e d b y “ Lax A u di t in g ” b y A r t hur A n d ers en a c co u nt i n g f i r m , o n e o f t h e

“ B i g 5 ” ( 8 5 , 0 0 0 p e o p l e a n d o ve r U S $ 9 b i l l i on an nu a l reven ues ) co l l a p sed .

▪ O t h e rs to b l a m e : C FO A n d rew Fa s to w ( 6 ye a rs p r i s on s e nten ce) , C EO J eff

S k i l l in g ( 2 4 ye a rs pr i s o n s e nten ce ) , s to c k a n a l yst s wh o ke e p p ush i n g E n ro n sto
c k , s e n i o r m a n a ge ment fo r h i d ing l o s s e s i n d u bio us o f f - balanc e - she et
p a r t ners h i ps, m e d i a exa g ge rat i on a n d f ren zy.
 Organization’s Expectation from Internal Auditor
1. Analytical and Critical
Thinking
2. Communication
3. IT General Skills
4. Risk Management
5. BusinessAcumen*

*Succeeding as a 21st Century Internal Auditor: 7 Attributes of Highly Effective Internal Auditors, page 3
 7 Sought-After Qualities of an InternalAuditor

“Soft skills are the new

hard skills...”

–Larry Harrington–
Chief Audit Executive
Raytheon Company

*Source: Succeeding as a 21st Century Internal Auditor: 7 Attributes of Highly Effective Internal Auditors, page 1
Business Acumen
Financial Marketplace Operational Technology Strategic
acumen acumen acumen acumen acumen
• Understanding • Competition, • Day-to-day • Leverage and • Understanding
and market drivers, operations and possessing systems that
interpreting consumer production, technology define and
financial needs, supply chain, skillsets, influence an
statements. marketing. third-party understanding organization’s
relationship, basic software goals and
quality program direction
assurance. coding. including risk
management,
decision-
making, long-
term planning,
culture.
Strategic Acumen
Vision
Framework

Perceptiveness
Assertiveness

Flexibility

Emotional balance

Patience

Source: Forbes article by PalomaCantero-Gomez

Tactical vs Strategic Thinking
Tactical
Keeps opportunities and issues separate so that they
are digestible.
Looks at what is happening at facevalue.
Works to fill information holes, answering one
question and moving to the next without asking
any other questions in between.
Focused on checking items off a list to get itfinished.
Sequential, focusing on one thing followedanother.
Avoids complexity.
Strategic
Recognizes that the solution may not be to simply
correct a problem, one that will enhance value.
Recognizes that the root cause may be far more
complex than is evident on the surface.
Doesn’t wait until an audit engagement iscomplete
before applying critical thinking skills.
Audit plans should remain dynamic and
implementing agile auditing.
Implements holistic examination of operations that
transformational change can be envisioned and
advised.
Embraces complexity.
Building Blocks of PositiveRelationship
Verbal Nonverbal
communication communication Listening skills
skills skills

Networking Team-building Empathy

skills skills

Emotional
intelligence
Innovative Mindset

Free yourself from the Create a culture where Make risk-taking a more
fear of failure innovation is rewarded consistent behaviour
Leveraging Enabling Technology
Technology Solution that Creates Value

Hasend-to-
Enables
end Enables and
remote
Serves as automated empowers
collaboration
the single workflows integrated
with team
sourceof from risk
members,
truth for all planning to manageme
stakeholders,
audit, risk, testing to nt&
consultants
and reporting combined
and external
controls and issue assurance
auditors
data managemen
t
Internal Audit Roles in
Today’s World
Three Lines Model: Creating & ProtectingValue

Enabler: Communication, Cooperation, and Collaboration

Internal Audit’s Role In TheOrganization

Board of Directors (BODs)

Audit
CEO
Committee

Internal External
Audit Audit
 Value Proposition for KeyStakeholders

Internal Auditing:
• Assurance
• Insight
• Objectivity

Governing bodies and senior management rely on Internal Auditing for objective assurance and insight
on the effectiveness and efficiency of governance, risk management and internal control processes.
Internal Audit Activity
Scope of Internal Audit work encompasses a systematic, disciplined approach to evaluating and improving the adequacy and
effectiveness of risk management, control, and governance process and the quality of performance in carrying out assigned
responsibilities.

The purpose of evaluating the adequacy of the organization’s existing risk management, control and governance processes is to
provide reasonable assurance that these processes are functioning as intended and will enable the organization’s objectives and goals
to be met, and to provide recommendations for improving the organization’s operations, in terms of both efficient and effective
performance
Governance • Assess and make appropriate recommendations
for improving the governanceprocess Internal AuditRoles

Existence • Provide management and the Audit

Committee with ongoing assessments of
Risk • Evaluate the effectiveness and contribute to the the company’s risk management processes
Management improvement of risk management processes and system of internalcontrol.
Evaluation • Play an important role in documenting
Process internal controls, testing internal controls
• Maintaining effective controls by evaluating their and providing input to managementwith
InternalControl effectiveness and efficiency and by promoting respect to concluding on design and
continuous improvement operating effectiveness.
Internal Audit Role inGovernance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its
accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization;
• Ensuring effective organizational performance management and accountability;
• Communicating risk and control information to appropriate areas of the organization; and
• Coordinating the activities of and communicating information among the board, external and internal auditors, and
management.

Evaluate the design, Assess whether the

implementation, and
effectiveness of the
organization’s ethics-related
objectives, programs, and
activities.
information technology
governance of the
organization sustains and
supports the organization’s
strategies and objectives
Consulting engagement
objectives must be consistent
with the overall values and
goals of the organization.
Internal Audit Role in RiskManagement
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Determining whether risk management processesare effective is a judgment resulting from the internal auditor’sassessment that:
• Organizational objectives support and align with the organization’s mission;
• Significant risks are identifiedand assessed;
• Appropriate risk responsesare selected that align risks with the organization’srisk appetite; and
• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the
board to carry out their responsibilities.
• Risk management processes are monitored through ongoingmanagement activities, separate evaluations, or both.

Evaluate risk exposures relating Evaluate the potential for the

Evaluate the effectiveness and
to the organization’s occurrence of fraud and how
contribute to the improvement
governance, operations, and the organization manages fraud
of risk management processes.
information systems. risk.

During consulting engagements, internal auditors must address risk consistent with the engagement’sobjectives and be alert to the
existence of other significant risks. Internal auditors must incorporate knowledge of risks gained from consulting engagements into their
evaluation of theorganization’s risk management processes.

When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming
any management responsibilityby actually managing risks.
Internal Audit Role in InternalControl
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and
efficiency and by promoting continuous improvement.
IA activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s
governance, operations, and information system regarding the:
• Reliability and integrity of financial and operationalinformation;
• Effectiveness and efficiency of operations;
• Safeguarding of assets;and
• Compliance with laws, regulations, and contracts.

Review operations & programs to

ascertain the extent to which results Must incorporate knowledgeof
Ascertain the extent to which
are consistent with established goals controls gained from consulting
operating, and program goals and
and objectives to determine whether engagements into evaluation of
objectives have been established and
operations and programs are being the organization’s control
conform to those of theorganization.
implemented or performed as processes.
intended.
Internal Audit
Methodology
 International Professional Practices Framework
“To enhanceand protect
• Demonstratingprofessional organizational value by providing
competence and accuracy risk-basedand objective
• Objective and free fromundue assurance, advice, andinsight”
influence (independent)
• Aligned with the organization's
strategy, objectives andrisks
• Properly positioned andsupported
by adequate resources
• Demonstrating qualityand
continuous improvement
ImplementationGuidance
• Communicateeffectively
is more comprehensivethan
• Give risk-based confidence
Practice Advisories in
• Demonstrating integrity
guiding practitioners to
• Insightful, proactive and focusedon
achieve conformanceto
the future
standards.
• Encourage organizational
improvement source:global.theiia.org

Supplemental Guidance provides detailed guidance for carrying out internal audit
activities such as processes and procedures, tools and techniques, programs, approach
steps, and sample deliverables. All Guidance and GTAG Practices become part of the
Supplemental Guidance
Process Risk Approach
Vision Mission Value
Goals

Objectives

Strategies
External Stakeholders
Factors Influences
CSFs Risks
Business Processes
KPIs Controls

Audit Plan Audit Strategies

Internal Audit Cycle
People Process Technology

• IA understands the business objectives of company and Develop the expectations

regarding IA’s alignment with those business objectives and criteria for assessing
the related risks.
Co-Develop
1
Expectation
• IA reports audit resultsto • IA identifies
management. business process
• Periodic reporting of IA Deliver Results 2 Develop Risk & develop risk
6
activities to senior and Insight Model and Universe assessment
management & theAudit
Committee.

• IA performs detailed test
work, reviews audit results
and holds a formal exit
meeting at the conclusion
of each audit performed.
Internal Audit
Methodology Based on the risk
assessment results and
Execute AuditProject
5 Develop Internal Audit plan, IA
Work Plan 3 Audit Plan identifies timing,
locations, projectteams
and determine
appropriate use of
DesignAudit
4 technology tools.
Programs

IA develops audit programs of detailed tests.

 Internal Audit Cycle – DetailActivities
Internal Audit Methodology – Detail Activities

Phase1:Co-Develop Phase2:Develop Risk Phase3:Develop Phase4:Design Phase5:Execute Phase6: Deliver

Expectations Model and Universe AuditPlan AuditPrograms Audit Project Results andInsights
Workplan
Develop Communication Plan Risk
and ReportingProtocols Assessment DevelopInternal Plan AuditProject ExecuteI nternal Communicate Internal
Project AuditPlan AuditProgram Audit Results

UnderstandClient CommunicateRisk AssessBusiness

Business Assessment Results Processes and
Systems

ScheduleAudits
DevelopRisk and Plan Resources DesignI nternal
Model AuditProgram

PrioritizeRisk
Risk-Based Internal Audit

This Photo by Unknown Author is licensed under CC BY-NC

Performance Standard 2000: Managing the
Internal Audit Activity
Overarching Standards
▪ 2000 – Managing the Internal Audit Activity
The Chief Audit Executive must effectively manage the Internal Audit activity to ensure it adds
value to the organisation.

Underlying Standards
▪ 2010 – Planning
▪ 2020 – Communication and Approval
▪ 2030 – Resource Management
▪ 2040 – Policies and Procedures
▪ 2050 – Co-ordination
▪ 2060 – Reporting to Senior Management and the Board
▪ 2070 – External Service provider and Organizational Responsibility for Internal Auditing
Standard 2010 – Planning
The chief audit executive must establish a risk-based plan to determine the
priorities of the internal audit activity, consistent with the organization’s goals.

Interpretation:

To develop the risk-based plan, the chief audit executive consults with senior
management and the board and obtains an understanding of the organization’s
strategies, key business objectives, associated risks, and risk management
processes. The chief audit executive must review and adjust the plan, as necessary,
in response to changes in the organization’s business, risks, operations, programs,
systems, and controls.
Planning – Internal Audit Cycle Phase 1, 2, and 3
People Process Technology

• IA understands the business objectives of company and Develop the expectations

regarding IA’s alignment with those business objectives and criteria for assessing
the related risks.
Co-Develop
1
Expectation
• IA reports audit resultsto • IA identifies
management. business process
• Periodic reporting of IA Deliver Results 2 Develop Risk & develop risk
6
activities to senior and Insight Model and Universe assessment
management & theAudit
Committee.

• IA performs detailed test
work, reviews audit results
and holds a formal exit
meeting at the conclusion
of each audit performed.
Internal Audit
Methodology Based on the risk
assessment results and
Execute AuditProject
5 Develop Internal Audit plan, IA
Work Plan 3 Audit Plan identifies timing,
locations, projectteams
and determine
appropriate use of
DesignAudit
4 technology tools.
Programs

IA develops audit programs of detailed tests.

Phase 1: Co-Develop Expectation
Objective

• Gain a thorough understanding of the company’s business objectives and co-develop the expectations
regarding internal audit’s alignment with those business objectives and criteria for assessing the related risks.
• IA develop a mutual understanding of the scope of internal audit among the company’s executive management,
the Audit Committee or the Board ofCommissioners.

Komite Pemantau
Dewan Komisaris Direksi KomiteAudit
Risiko

Senior Risk Management Other Assurance

Management Team Provider
Phase 2: Develop Risk Model &Universe
Objective

• Identify key aspects of the process to develop a risk model and riskuniverse.
High

High
Risk

Impact of
Occurrence Medium
Risk

Low

ILLUSTRATIVE Risk

Low High
Likelihood of Occurrence

Risk Factors Likelihood Impact SupportingComments

Systems 3 - High 3 - High Lack of computer systems and resources caused control weaknesses (noted in
prior audit). Computer issues present numerous potential risks.

Human Resources 1 - Low 1 - Low Have dedicated Human Resources Department. Staff have high morale and
adequate training, and turnover is low.

Complexity 2 - Moderate 3 - High Supply chain management has increased complexity of the business process.
of Business
Process
Control Processes 3 - High 3 - High Past audits have found control weaknesses that have caused inefficient financial
processes and inaccurate financial information. There are no formalized policies &
procedures.
Asset Management 3 - High 3 - High There have been few controls in this area and an inappropriate shrinkage
(Exposure to Loss) amount exists. Physical controls are non-existent and inventory is
suspiciously walking out the door.
Regulatory Environment 1 - Low 2 - Moderate Regulatory issues are related to foreign expansion and they are being addressed.

Business Environment 2 - Moderate 2 - Moderate Key issues going on in business environment are creating the need to solidify the
brand in the market.

Customer Impact 2 - Moderate 3 - High Customers currently are loyal, but there is a need to keep them there. This is the most
important issue of brand apparel and fashion.
Phase 3: Develop AuditPlan
Objective

• Recommend an auditable segment they should pursue in an engagement.

• Identify considerations related to timing of internal audits.
• Identify considerations for reassessment of an IAplan.

Prioritize IA Universe Based on Completed Risk Model - Example ILLUSTRATIVE

Phase 3: Develop Audit Plan(Cont’d)
Key risks for the selected business risk areas (Inventory) will be identified using appropriate tools (e.g., Risk & Control
Knowledge Base). Then, it will be tailored based on the Company's unique business organization / activities, to have a
reference risk control matrix for the Company’s inventory functions.

ILLUSTRATIVE

Business Area Business Process Key Risk

- Access to Warehouse is not limited to authorizedperson.
Safeguarding Assets - Warehouse is not provided with safety tools such as fire extinguisher.

- Purchase request is not justified with appropriate documentation and approvals.

PurchaseRequest - Request is not created based on the most economical calculation which benefit
Company (e.g., Economic Order Quantity, Buffer Stock, etc.)

Inventory InventoryBalance - Excessive/Out of stock balance of inventory.

- Disposal is not justified with appropriate documentation and approvals.
Disposal
- Improper loss on inventory’s tradein/exchange/sales
- inventory report does not comply with guidelines in place
Reporting - Inventory report does not include key information for decision making for inventory
management (e.g., inventory turnover, aging analysis, etc.).
 Phase 3: Develop Audit Plan(Cont’d)
Below is the sample of risk control matrix for The Company’s Inventory operation/function. From the result of Risk
Control Matrix, a graph or summary may be created to indicate each areas/processes criticality.

ILLUSTRATIVE

Risk Control Matrix– Inventory

Functional Area Audit Area/Process Sub Process Business Objectives Riskforthe Process Inherent Impact Criticality Likelihood Implications

Safeguarding Asset
Inventory W arehous Access to Physical High Medium Loss of
e Access assets
Physical inventory is loss of inventory.

limited onlyto authorized

person.

High High
 Phase 3: Develop Audit Plan(Cont’d)
ILLUSTRATIVE

Risk# (**) Partially addressed inproposed

Ri Impa Vulnerability(*) MARCI response internal auditplan
sk ct (*)
(**)
1 Government regulations Mitigate
2 Privacy and security Mitigate Yes
3 Permissible use of data Mitigate Yes
4 System availability and reliability Assure Yes
5 Economic conditions/Industrytrends Assure
6 Corporate tone at the top Assure
7 Selection and implementation of new technology and services Assure Yes
8 Customer consolidation Assure
9 Changes in accounting standards Assure Yes
10 Board conflict of interest or lack of independence Assure
11 Product Integrity Assure Yes
12 Transformation of accounting and finance Mitigate Yes
13 Off-shoring Activities Assure Yes
14 Adequate Internal Audit resources to monitor risks Assure Yes
Study Case – Create a RBIA for PLN
RBIA Flow ofThinking
Strategic Objective

Key Performance Indicator

Top Risk & Risk Appetite Statement

Audit Plan Tahunan

Internal
Audit Assurance Consulting
Department
The Assurance Engagement Process
 Risk and Control Matrix
Process-Level Risk Key Control Test Plan
Risk A • Control 1 • Test A
• Control 2 • Test B
• Control 3
Risk B • Control 4 • Test C
• Control 5
… … …
Identifying Information

Sufficient

Relevant

Reliable

Useful
 • Nature, Extent, Timing
• Manual Audit Procedures:
1) Analytical procedures
2) Inquiry
3) Observation
4) Inspection
5) Vouching
Audit 6) Tracing
Procedures 7) Reperformance
8) Confirmation
• Computer-Assisted Audit Procedures
1) Generalized Audit Software
2) Continuous Auditing
 Analytical Procedures

VERTICAL ANALYSIS HORIZONTAL RATIO ANALYSIS ANALYSIS OF

ANALYSIS FUTURE-ORIENTED
INFORMATION

BENCHMARKING:
EXTERNAL AND
INTERNAL
Generalized Audit Software
Examining files and Recalculating recorded Selecting and printing
records for validity, values and calculating samples and
completeness, and other values of audit calculating sample
accuracy interest results

Summarizing, Creating pivot tables

Comparing information
resequencing, and for multidimensional
in separate files
reformatting data analysis

Searching for Automatically

anomalies in data that Preparing and printing generating a historical
may indicate errors or reports log of data analyses
fraud performed
 Condition
Audit Observation
Criteria

Cause

Effect

Recommendation
 ❖ Mandatory elements:
✓ engagement’s objectives
✓ scope and
✓ results (conclusion, recommendation, action plan)

Communicating ❖ Quality:
✓ Accurate
Audit ✓ Objective
Engagement ✓ Clear
Result ✓ Concise
✓ Constructive
✓ Complete
✓ Timely
Q&A?
Key Takeaways
Be comfortable Learn from those
with being around you and
uncomfortable above you

Find the learning

opportunity in
Ask questions!
every mistake you
make
Thankyou
“Do what you love, and success will follow. Passion is the fuel behind a
successful career.”
– Meg Whitman –
Board Member of Procter & Gamble