Professional Documents
Culture Documents
Technique for
Internal Audit
28 – 29 AUGUST 2021
DAY01
▪ What is Internal Auditing?
▪ The Right Stuff
▪ Internal Audit Roles in Today’s World
Agenda ▪ Internal Audit Methodology
▪ Risk-Based Internal Audit
▪ Q&A?
What is Internal
Auditing?
Audit Means…
Source: https://en.wikipedia.org/wiki/Audit
Internal Audit Definition byIIA
▪ Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization's operations.
▪ It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.*
* Definition by the Institute of Internal Auditors (IIA)
http://www.theiia.org/theiia/about-the-profession/internal-audit-faqs/?i=1077
History of Audit
▪ 5000 years ago, in the Middle Kingdom of the Nile live Mesopotamian Civilization, the Pharaoh's deputy
was overseeing the storage of grains. Auditing was a matter of reperforming the work of others. Auditing
meant observing, counting and double-checking records.
▪ The processes and systems were very simple, and so was auditing.
▪ As the business organizations grew in size and complexity, the practice of Internal Audit also evolved.
History of Audit(Cont’d)
▪ Historically, auditing was concerned with accounting for government activities and reviewing the work done by tax
collectors. In the early years of auditing, the keeping and maintaining of accounting records was done primarily to
detect fraudulent activity.
▪ The industrial revolution in the mid 1700s tothe mid 1800s was responsible for the increased demand in auditors
because this period saw an increase in responsibility being passed from owners to managers. This led to an
increased requirement for auditors who were independent of management and who were engaged not only to be
alert for errors within financial records but also errors within the records. In simple terms, deliberate errors in
order to achieve personal financial gain were deemed to be fraudulent activity (as is still the case today) whilst
error was (and still is) unintentional.
▪ During the early 1700s the concept of ‘sampling’ was introduced. Sampling is where auditors select a sample of
items that make up various balances and was used where it is not economically viable to physically examine all
the transactions that have taken place. This practice is stillpivotal today.
Source: https://www.oreilly.com/
Evolution of InternalAudit
1900s 1950s 1960s 1970s 1990s 2000s to Present
Clerical Financial
Work & Reporting& InternalControl Objective Assurance, Consulting
Theftfraud Operational Compliance Business Activity, Added Value, Improve an
Auditing Oriented Organization Operation and the
Orientation Effectiveness of Risk Management,
Internal Control, and Governance
Process
KEY MILESTONES
IA set to emerge as a Profession IA began as aProfession Advance& Strengthening of IA Profession
1941 – Formation of theIIA 1968 – Issuedthe Codeof Ethics 1999 – IssuedCurrent Definition of OA
1947 – Issued the Statement of the 1972 – Published theCBOK 2000 – Revised the Code of Ethics
Responsibilities of the IA (Revisedin 1974 – Created the ProfessionalCertification 2002 – Issuedthe New IA Standards
1957, 1971, 1976, 1981, and1990) for IA 2006 – The Standards has beenRecognized
1976 – Formation of theIIA Research Globally
Foundation 2007 – Issued a New IA Framework – the IPPF
1977 – Created a Professional Magazine for IA 2015 – Issueda New Enhancementof the IPPF
1978 – Issued theIA Standards (latest update was in 2017)
1989 – Establishment of the IIA Indonesia
Watch Dog vs Trusted Advisors vs Change Agents
+ - 1 6 T, 1MDB menuntut
Deutsche Bank,
JPMorgan, Coutts & Co.
*Succeeding as a 21st Century Internal Auditor: 7 Attributes of Highly Effective Internal Auditors, page 3
7 Sought-After Qualities of an InternalAuditor
–Larry Harrington–
Chief Audit Executive
Raytheon Company
*Source: Succeeding as a 21st Century Internal Auditor: 7 Attributes of Highly Effective Internal Auditors, page 1
Business Acumen
Financial Marketplace Operational Technology Strategic
acumen acumen acumen acumen acumen
• Understanding • Competition, • Day-to-day • Leverage and • Understanding
and market drivers, operations and possessing systems that
interpreting consumer production, technology define and
financial needs, supply chain, skillsets, influence an
statements. marketing. third-party understanding organization’s
relationship, basic software goals and
quality program direction
assurance. coding. including risk
management,
decision-
making, long-
term planning,
culture.
Strategic Acumen
Vision
Framework
Perceptiveness
Assertiveness
Flexibility
Emotional balance
Patience
Emotional
intelligence
Innovative Mindset
Free yourself from the Create a culture where Make risk-taking a more
fear of failure innovation is rewarded consistent behaviour
Leveraging Enabling Technology
Technology Solution that Creates Value
Hasend-to-
Enables
end Enables and
remote
Serves as automated empowers
collaboration
the single workflows integrated
with team
sourceof from risk
members,
truth for all planning to manageme
stakeholders,
audit, risk, testing to nt&
consultants
and reporting combined
and external
controls and issue assurance
auditors
data managemen
t
Internal Audit Roles in
Today’s World
Three Lines Model: Creating & ProtectingValue
Audit
CEO
Committee
Internal External
Audit Audit
Value Proposition for KeyStakeholders
Internal Auditing:
• Assurance
• Insight
• Objectivity
Governing bodies and senior management rely on Internal Auditing for objective assurance and insight
on the effectiveness and efficiency of governance, risk management and internal control processes.
Internal Audit Activity
Scope of Internal Audit work encompasses a systematic, disciplined approach to evaluating and improving the adequacy and
effectiveness of risk management, control, and governance process and the quality of performance in carrying out assigned
responsibilities.
The purpose of evaluating the adequacy of the organization’s existing risk management, control and governance processes is to
provide reasonable assurance that these processes are functioning as intended and will enable the organization’s objectives and goals
to be met, and to provide recommendations for improving the organization’s operations, in terms of both efficient and effective
performance
Governance • Assess and make appropriate recommendations
for improving the governanceprocess Internal AuditRoles
Determining whether risk management processesare effective is a judgment resulting from the internal auditor’sassessment that:
• Organizational objectives support and align with the organization’s mission;
• Significant risks are identifiedand assessed;
• Appropriate risk responsesare selected that align risks with the organization’srisk appetite; and
• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the
board to carry out their responsibilities.
• Risk management processes are monitored through ongoingmanagement activities, separate evaluations, or both.
During consulting engagements, internal auditors must address risk consistent with the engagement’sobjectives and be alert to the
existence of other significant risks. Internal auditors must incorporate knowledge of risks gained from consulting engagements into their
evaluation of theorganization’s risk management processes.
When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming
any management responsibilityby actually managing risks.
Internal Audit Role in InternalControl
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and
efficiency and by promoting continuous improvement.
IA activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s
governance, operations, and information system regarding the:
• Reliability and integrity of financial and operationalinformation;
• Effectiveness and efficiency of operations;
• Safeguarding of assets;and
• Compliance with laws, regulations, and contracts.
Supplemental Guidance provides detailed guidance for carrying out internal audit
activities such as processes and procedures, tools and techniques, programs, approach
steps, and sample deliverables. All Guidance and GTAG Practices become part of the
Supplemental Guidance
Process Risk Approach
Vision Mission Value
Goals
Objectives
Strategies
External Stakeholders
Factors Influences
CSFs Risks
Business Processes
KPIs Controls
Internal Audit
• IA performs detailed test Methodology Based on the risk
work, reviews audit results
assessment results and
and holds a formal exit Execute AuditProject
meeting at the conclusion 5 Develop Internal Audit plan, IA
Work Plan 3 Audit Plan identifies timing,
of each audit performed.
locations, projectteams
and determine
appropriate use of
DesignAudit
4 technology tools.
Programs
ScheduleAudits
DevelopRisk and Plan Resources DesignI nternal
Model AuditProgram
PrioritizeRisk
Risk-Based Internal Audit
Underlying Standards
▪ 2010 – Planning
▪ 2020 – Communication and Approval
▪ 2030 – Resource Management
▪ 2040 – Policies and Procedures
▪ 2050 – Co-ordination
▪ 2060 – Reporting to Senior Management and the Board
▪ 2070 – External Service provider and Organizational Responsibility for Internal Auditing
Standard 2010 – Planning
The chief audit executive must establish a risk-based plan to determine the
priorities of the internal audit activity, consistent with the organization’s goals.
Interpretation:
To develop the risk-based plan, the chief audit executive consults with senior
management and the board and obtains an understanding of the organization’s
strategies, key business objectives, associated risks, and risk management
processes. The chief audit executive must review and adjust the plan, as necessary,
in response to changes in the organization’s business, risks, operations, programs,
systems, and controls.
Planning – Internal Audit Cycle Phase 1, 2, and 3
People Process Technology
Internal Audit
• IA performs detailed test Methodology Based on the risk
work, reviews audit results
assessment results and
and holds a formal exit Execute AuditProject
meeting at the conclusion 5 Develop Internal Audit plan, IA
Work Plan 3 Audit Plan identifies timing,
of each audit performed.
locations, projectteams
and determine
appropriate use of
DesignAudit
4 technology tools.
Programs
• Gain a thorough understanding of the company’s business objectives and co-develop the expectations
regarding internal audit’s alignment with those business objectives and criteria for assessing the related risks.
• IA develop a mutual understanding of the scope of internal audit among the company’s executive management,
the Audit Committee or the Board ofCommissioners.
Komite Pemantau
Dewan Komisaris Direksi KomiteAudit
Risiko
• Identify key aspects of the process to develop a risk model and riskuniverse.
High
High
Risk
Impact of
Occurrence Medium
Risk
Low
ILLUSTRATIVE Risk
Low High
Likelihood of Occurrence
Human Resources 1 - Low 1 - Low Have dedicated Human Resources Department. Staff have high morale and
adequate training, and turnover is low.
Complexity 2 - Moderate 3 - High Supply chain management has increased complexity of the business process.
of Business
Process
Control Processes 3 - High 3 - High Past audits have found control weaknesses that have caused inefficient financial
processes and inaccurate financial information. There are no formalized policies &
procedures.
Asset Management 3 - High 3 - High There have been few controls in this area and an inappropriate shrinkage
(Exposure to Loss) amount exists. Physical controls are non-existent and inventory is
suspiciously walking out the door.
Regulatory Environment 1 - Low 2 - Moderate Regulatory issues are related to foreign expansion and they are being addressed.
Business Environment 2 - Moderate 2 - Moderate Key issues going on in business environment are creating the need to solidify the
brand in the market.
Customer Impact 2 - Moderate 3 - High Customers currently are loyal, but there is a need to keep them there. This is the most
important issue of brand apparel and fashion.
Phase 3: Develop AuditPlan
Objective
ILLUSTRATIVE
ILLUSTRATIVE
Functional Area Audit Area/Process Sub Process Business Objectives Riskforthe Process Inherent Impact Criticality Likelihood Implications
Safeguarding Asset
Inventory W arehous Access to Physical High Medium Loss of
e Access assets
Physical inventory is loss of inventory.
person.
High High
Phase 3: Develop Audit Plan(Cont’d)
ILLUSTRATIVE
Internal
Audit Assurance Consulting
Department
The Assurance Engagement Process
Risk and Control Matrix
Process-Level Risk Key Control Test Plan
Risk A • Control 1 • Test A
• Control 2 • Test B
• Control 3
Risk B • Control 4 • Test C
• Control 5
… … …
Identifying Information
Sufficient
Relevant
Reliable
Useful
• Nature, Extent, Timing
• Manual Audit Procedures:
1) Analytical procedures
2) Inquiry
3) Observation
4) Inspection
5) Vouching
Audit 6) Tracing
Procedures 7) Reperformance
8) Confirmation
• Computer-Assisted Audit Procedures
1) Generalized Audit Software
2) Continuous Auditing
Analytical Procedures
BENCHMARKING:
EXTERNAL AND
INTERNAL
Generalized Audit Software
Examining files and Recalculating recorded Selecting and printing
records for validity, values and calculating samples and
completeness, and other values of audit calculating sample
accuracy interest results
Cause
Effect
Recommendation
❖ Mandatory elements:
✓ engagement’s objectives
✓ scope and
✓ results (conclusion, recommendation, action plan)
Communicating ❖ Quality:
✓ Accurate
Audit ✓ Objective
Engagement ✓ Clear
Result ✓ Concise
✓ Constructive
✓ Complete
✓ Timely
Q&A?
Key Takeaways
Be comfortable Learn from those
with being around you and
uncomfortable above you