1019-Materi ERM Audit Integration

ERM & Audit Integration
Please introduce yourselves.
What is your concern regarding ERM and Audit integration?
Are you facing any problem through the integration process?
For auditors: have you learned about risk management? For risk managers: about auditing?
In order to achieve our objectives:
• Limited access to gadgets
• Interactive unless needed
Workshop Agenda

Day 1
1. What is happening right now, how the business responds, and what RM and IA can do
2. Integration referring to objectives (the evolving role of IA and RM)
3. Integration referring to each function's activities (planning, process, reporting)
4. Integration by people (competencies)

Day 2
1. Integration through tools and technology
2. Current practice of integration (based on RIMS and IIA research)
Current business condition, how the business responds, and what RM and IA can do
World of Disruption – Volatility, Uncertainty, Complexity, Ambiguity (D-VUCA)

• Talent war vs demographic dividend ("bonus demografi")
• Millennials
• Changing consumer behavior
• Unseen competitor
• Global economic impact – trade war

Natural disaster:
• Earthquake
• Volcanic eruption
• Flood
• Forest fire
• Pandemic illness

• Internet of Things
• Big Data analytics
• Hoax
• Cyber threat
• Artificial Intelligence
• Tight regulation
• Unfavorable government policy
• Presidential election 2019
• Pilkada (regional head elections) 2020

Man-made disaster
CHANGES MADE BY COVID…
• Online shopping widening – from wants to needs
• Food delivery – from indulgence to utility
• Do It Yourself @Home (home cooking, hair treatment, home appliance maintenance / repair)
• Work from home – flexible working hours
• Constantly fearful customers – social distrust
• Go virtual (e-concert, telemedicine, e-sport, online meetings, online schooling, online religious services)
• The rise of empathy and solidarity
• More religious
Source: 30 Customer Behavior Shifting After Covid 19, by Invent.ure Knowledge, 2020
PROSPERING IN THE PANDEMIC…
From the equity added perspective:
• Pharmaceutical
• Chemical
• Technology, gaming
• Online education
• Telecommunication
• E-commerce
• Logistics
Gold price is up 13% since Jan 2020, its highest level since 2012.
Source: Financial Times, Prospering in the pandemic – The top 100 companies, June 2020
Keyence develops and manufactures automation sensors, vision systems, barcode readers and laser markers. In early June, Keyence shares hit an all-time high and the automation specialist became Japan's second most valuable company after Toyota.
Offers online consultation with doctors; its shares have soared.
Barings Bank
Industry: Banking
Fate: Collapsed (purchased for £1 by ING)
Successor: ING Group; Baring Asset Management
Founded: 1762
Defunct: February 26, 1995
Headquarters: London
• The world's second oldest merchant bank
• The bank collapsed in 1995 after suffering losses of £827 million ($1.3 billion) resulting from poor speculative investments, primarily in futures contracts, in Singapore.
What went wrong:
• Appointment of competent persons to perform their duties
• Management teams have a duty to understand fully the businesses they manage
• Clear segregation of duties is fundamental to any effective control system
• Relevant internal controls, including independent risk management, have to be established for all business activities
• Top management and the Audit Committee have to ensure that significant weaknesses, identified to them by internal audit or otherwise, are resolved quickly
Risk & Control – What is Risk?
Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. – IIA Standards (Glossary)
Risk is all about uncertainty, or more importantly, the effect of uncertainty on the achievement of objectives. – ISO 31000
Risk & Control – What is Control?
Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of reporting
• Compliance with applicable laws and regulations
Based on COSO.
Control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. – IIA
Source: IIA

An update of the Three Lines of Defense – July 2020
THE THREE LINES MODEL
An update of the Three Lines of Defense – July 2020
Principle 1: Governance
• Accountability (integrity, leadership, transparency)
• Action → risk-based decision making
• Assurance and advice
Principle 2: Governing body roles
• Appropriate structures and processes in place
• Organizational objectives and activities are aligned
• In order to achieve that: delegates responsibility; provides resources; ensures legal, regulatory and ethical compliance
Principle 3: Management, 1st and 2nd line roles
• 1st line – delivery of products to customers, including supporting functions. Responsible for managing risk.
• 2nd line – provides assistance with managing risk. Focuses on specific objectives of risk management (e.g. compliance, ERM implementation, sustainability).
• 1st and 2nd line roles may be blended or separated.
THE THREE LINES MODEL
An update of the Three Lines of Defense – July 2020
Principle 4: 3rd line roles
• Independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management
Principle 5: 3rd line independence, established through:
• Accountability to the governing body
• Unfettered access to people, resources, and data needed to complete its work
• Freedom from bias or interference in the planning and delivery of audit services
Principle 6: Creating and protecting value
• All lines working together through communication, cooperation, and collaboration
Organization structure – example
General Meeting of Shareholders
Board of Directors and Board of Commissioners
Committees: Investment Committee; Insurance Product Development Committee; Risk Oversight Committee; Audit Committee
Functions: Compliance; Risk Management; Internal Audit
Source: POJK 02/POJK.5/2014 on Good Corporate Governance for Insurance Companies
Overview – Internal Audit's Positioning in RM
Chart: Organizations with Internal Audit and ERM Separate, by Industry
• Internal audit and ERM are separate in 80% of the organizations.
• There may be some blurring between the second and third lines of defense.
• Regional, industry, and size differences are also seen with this question.
SNI ISO 31000:2018
Figures: Risk management framework; Risk management process

RISK MANAGEMENT PRINCIPLES

RISK MANAGEMENT FRAMEWORK

RISK MANAGEMENT PROCESS
Risk & Control – COSO ERM Components & Principles
COSO ERM 2016: The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.
Risk & Control – Limitations of Internal Control
• Provides no assurance that objectives will be met, only reasonable assurance that management will know the level of achievement
• Provides reasonable, not absolute, assurance that financial reporting and compliance objectives will be achieved
Limiting factors:
• Judgement
• Breakdowns
• Overrides
• Collusion
Integration #1 – Refer to each function's objective
History of risk management
1966: The Insurance Institute of America – Associate in Risk Management, the first risk management certification.
1986: The Institute of Risk Management – introduces a general international RM certification known as Fellow of the IRM.
1990: The United Nations starts the International Decade for Natural Disaster Reduction (IDNDR), focused on the impact and mitigation plans of natural disasters. The Bank for International Settlements (BIS) introduces Basel I for the banking industry.
1992: Cadbury Committee – recommends that the board of directors should be in charge of the company's risk management.
1995: AS/NZS 4360:1995 Risk Management Standard – the first RM standard.
2001: Terrorist attack on the Twin Towers (11 September); Enron bankruptcy due to bad governance.
2002: Sarbanes-Oxley Act (SOA), as a response to the Enron case, applying to companies listed on the NYSE.
2005: The Basel Committee on Banking Supervision releases Basel II.
2009: The International Organization for Standardization (ISO) releases ISO 31000:2009 Risk Management – Principles and Guidelines.

Has the cause of a risk been given adequate treatment so that the risk does not recur?
Boeing 737 MAX 8
• Temporary flight ban in 22 countries (as of 13 March 2019), including bans on crossing certain airspace
• Is the business starting to sunset?
• Penalty from the regulator?
• Delay of new product launch**
• Claims from airlines for several aircraft not being operated*
• Declining company image and customer trust
• Financial loss?
• Market share down?
• Share price fell 11% within 1 week; market value …
• Order cancellations: Lion Air cancelled …
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
• Assurance: internal audit must be able to provide assurance that the organization / company operates according to what management has set out in the organization's / company's objectives.
• Insight: internal audit must have broad insight in order to help management (by giving advice) to improve internal control, work processes, procedures, performance and risk management; and to achieve efficiency, increase revenue, productivity and profit, see new opportunities, and ensure business continuity.
• Objectivity – … objectively
Internal Audit Role
Watchdog – we watch and warn
• To ensure that operations comply with the laws, regulations and policies of the organization
• The compliance audit focuses on system variation (errors, omissions, delays and fraud)
• Compliance auditing is a way of identifying variation in the system so that an improvement can be put in place
Consultant – we advise
• Partner to management
• Scope of work: economy, efficiency, effectiveness (3 E's audit)
Internal Audit Role – cont'd
Catalyst – we lead and move others within the policy set by senior management
• The catalyst seeks long-term impact on the organization by focusing the audit on the long-term values of the organization
Internal Audit Value Enhancement Opportunities
Value Protection:
• Assess the current condition of governance, risk management and control, including: law and compliance; business processes and systems; major projects and contracts; financial processes and systems; safeguarding assets; corporate governance.
• Assess the future condition of governance, risk management and control, including: emerging risks.
Value Enhancement:
• Propose improvements to increase business performance, including: process improvement; efficiency gains; investment decisions; due diligence.
• Involvement in strategic activities as an advisor.
Source: How and when you should leverage Internal Audit – PwC, March 2017
Overview – Audit Philosophy
TRADITIONAL (where we are) vs PREFERRED PRACTICE (ideal)
Diagram: The Realm of the Traditional Internal Audit – the past, history, strengths, control (helping factor +); Room for Improvement – opportunities, risk, the future, goals, weaknesses, threats (hindering factor -); "Now" sits between them.
Traditional internal audits have value, but it is the value of "lessons learned" from the historical operation of controls.
The realm of value-added internal auditing includes all three dimensions of internal assurance:
1. Assurance that past transactions and historical … intended
2. …
3. Assurance that likely future risks are recognized in management's plans
Internal Audit Maturity
• Developing – Watchdog: compliance oriented
• Intermediate – Watchdog / Consulting: aligned with the company's processes (process based)
• Advance – Consulting: recognized as a significant contributor to the company's excellence (Business Partner; process effectiveness)
• Leading – Catalyst: recognized as a key agent of change and business innovation (Agent of Change)
Source: IIA – Risk in Focus 2019, Hot Topics for Internal Auditors

Source: Varonis – Cyber security statistics 2019
• Company: Bank Mandiri
  • Event: 10% of customers' (±1.5 million) account balances invalid, 20 July 2019
  • Cause: unsuccessful regular IT maintenance (backup procedure)
  • Impact: company reputation; financial loss
  • Corrective action: back to normal within 2 …
• Company: RS Dharmais, RS Harapan Kita (hospitals)
  • Event: WannaCry – a type of malware (ransomware) that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid, May 2017
  • Cause: phishing, low cyber security awareness (e.g. lack of cyber security training for users, antivirus not regularly updated, etc.). Note that WannaCry itself spread between machines through the SMBv1 vulnerability fixed by Microsoft's MS17-010 update, so unpatched hosts were the main exposure alongside user awareness.
  • Impact: company reputation; operational disruption; financial loss – up to USD 17K (US data)
Source: Marsh and McLennan Companies – Cyber risk in Asia Pacific, 2017
From the survey results, there is a notable mismatch between what auditors perceive to be the biggest risks to their organizations and where internal audit spends its time. People competencies may be one of the reasons.
Source: IIA – Risk in Focus 2019, Hot Topics for Internal Auditors
TRAIN FIRE IN PAKISTAN – 74 PASSENGERS DIED
MULTAN – THURSDAY, 31 OCTOBER 2019
Facts:
• The worst accident in the last 15 years; two other accidents had occurred in the previous 3 months
• The train stopped 20 minutes after the incident
• Most of those who died were passengers who jumped from the train
• A "no stoves allowed" rule already existed, but nobody checked passengers' luggage
To start the integration between the two functions, do simple things, for example:
For Risk Management:
• If the same risk event happens many times, it is time to check whether those events have been analyzed properly, e.g.:
  • the root cause of those risks is well identified
  • advice regarding proper internal control has been given; consider discussing this with Internal Audit
For Internal Auditors:
• IA objectives should align with company objectives.
Integration #2 – Refer to each function's activity (planning – process – reporting)

• IA role in Risk Management
• Risk Based Internal Audit
• Risk and Control Self Assessment
• Combined Assurance
CORE ROLES
a) Giving assurance on the RM program
b) Giving assurance that risks are correctly evaluated
c) Evaluating risk management processes
d) Evaluating the reporting of key risks
e) Reviewing the management of key risks
LEGITIMATE ROLES (with safeguards)
a) Facilitating identification & evaluation of risks
b) Coaching management in responding to risks
c) Coordinating ERM activities
d) Consolidated reporting on risks
e) Maintaining and developing the ERM framework
f) Championing establishment of ERM
g) Developing ERM strategy for board approval
SHOULD NOT UNDERTAKE
a) Setting the risk appetite
b) Imposing risk management processes
c) Assurance by management on controls and risks
d) Taking decisions on risk responses
e) Managing risks on management's behalf
f) Accountability for risks and controls
Source: IIA IPPF Guide, Assessing the adequacy of risk management using ISO 31000, 2010.
Risk Based Internal Audit
Figure: Evolution of the Internal Audit Model
Risk Based Internal Audit
Common audit cycle and risk integration
Cycle: Annual Audit Planning → Audit Plan per Project → Execution → Reporting → Monitoring
Areas normally used on a risk basis:
• Annual plan → macro risk assessment (general risk assessment of a process / unit)
• Audit execution → micro risk assessment (uses the risk register as a reference)
• Reporting / audit opinion → uses the risk level to set a calculated opinion
RBIA – RBIA in the Annual Planning Process
Company → Audit Universe: corporate functions, branches, subsidiaries (if any), projects, processes.
Risk factors (1, 2): financial (revenue, net profit, opex); company strategic objectives; operational risk (fraud – amount of loss and frequency; branch class); auditor's view; other concerns; stakeholder concerns; control environment.
Internal Audit SWOT* (3): manpower (headcount and competency); tools and methodology; budget constraint.
Annual Audit Plan → discussion with and approval by the Board of Directors (4) → periodic review.
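A worked example of the macro risk assessment behind the annual plan: this is an added illustration, not code from the workshop material or from any of the cited sources. The factor weights, the 1–5 scoring scale, the coverage-age uplift, the risk-band thresholds and the audit universe entries are all assumptions constructed for the example. The slide's own factors (financial, strategic objectives, operational risk, auditor's view, control environment, stakeholder and other concerns) map to the keys of WEIGHTS, and the budget constraint from the IA SWOT box is the auditor-day cap.

```python
"""Risk-based annual audit planning: score an audit universe with weighted
risk factors and select engagements under an auditor-day budget.

Added illustration; not code from the workshop material. Entity names, factor
weights and scores below are constructed for the example.
"""
from dataclasses import dataclass, field

# Factor weights (assumption: they sum to 1.0). Keys mirror the slide's risk factors.
WEIGHTS = {
    "financial": 0.25,        # revenue / net profit / opex exposure
    "strategic": 0.20,        # link to company strategic objectives
    "operational": 0.25,      # fraud loss amount and frequency, branch class
    "auditor_view": 0.10,     # the auditor's own judgement
    "control_env": 0.10,      # weakness of the control environment
    "stakeholder": 0.10,      # stakeholder / other concerns
}


@dataclass
class AuditableEntity:
    name: str
    scores: dict               # factor -> 1 (low) .. 5 (high)
    auditor_days: int          # effort estimate for a full engagement
    years_since_last_audit: int = 0
    composite: float = field(default=0.0, init=False)


def composite_score(entity, weights=WEIGHTS):
    """Weighted average of factor scores on the 1..5 scale, plus a small
    uplift for coverage age so long-unaudited units do not starve."""
    missing = set(weights) - set(entity.scores)
    if missing:
        raise ValueError(f"{entity.name}: missing factors {sorted(missing)}")
    base = sum(weights[f] * entity.scores[f] for f in weights)
    # Assumption: +0.25 per year since the last audit, capped at +1.0
    uplift = min(entity.years_since_last_audit * 0.25, 1.0)
    return round(base + uplift, 2)


def risk_band(score):
    """Macro risk band used at annual-plan level (thresholds are assumptions)."""
    if score >= 4.0:
        return "high"
    if score >= 2.5:
        return "medium"
    return "low"


def build_annual_plan(universe, budget_days):
    """Rank by composite score, then take engagements greedily until the
    auditor-day budget is exhausted. Returns (selected, deferred)."""
    for e in universe:
        e.composite = composite_score(e)
    ranked = sorted(universe, key=lambda e: (-e.composite, e.name))
    selected, deferred, used = [], [], 0
    for e in ranked:
        if used + e.auditor_days <= budget_days:
            selected.append(e)
            used += e.auditor_days
        else:
            deferred.append(e)
    return selected, deferred


# Constructed audit universe for the example.
UNIVERSE = [
    AuditableEntity("Treasury", {"financial": 5, "strategic": 4, "operational": 4,
                                 "auditor_view": 4, "control_env": 3, "stakeholder": 5}, 40, 1),
    AuditableEntity("Branch class A", {"financial": 3, "strategic": 2, "operational": 5,
                                       "auditor_view": 3, "control_env": 4, "stakeholder": 2}, 25, 0),
    AuditableEntity("Subsidiary X", {"financial": 2, "strategic": 3, "operational": 2,
                                     "auditor_view": 2, "control_env": 2, "stakeholder": 1}, 30, 3),
    AuditableEntity("Procurement", {"financial": 4, "strategic": 3, "operational": 4,
                                    "auditor_view": 4, "control_env": 4, "stakeholder": 3}, 35, 2),
    AuditableEntity("Payroll", {"financial": 2, "strategic": 1, "operational": 2,
                                "auditor_view": 2, "control_env": 2, "stakeholder": 2}, 15, 0),
]

if __name__ == "__main__":
    plan, later = build_annual_plan(UNIVERSE, budget_days=100)
    for e in plan:
        print(f"{e.name:15s} {e.composite:4.2f} {risk_band(e.composite):6s} {e.auditor_days}d")
    print("deferred:", [e.name for e in later])
```

Greedy selection by score is the simplest form of the capacity trade-off. In practice a practitioner pins mandatory engagements (regulatory audits) before ranking the rest, and records the deferred list so that the next cycle's years_since_last_audit keeps pushing those units up the ranking.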
Risk Based Internal Audit – Audit Plan Area (Example)
Source: CEB Audit Hot Spot 2018

Risk Based Internal Audit – Audit Plan Area (Example)
Then… how do you perform an audit on reputation, change management, competition, business practices, etc.?
Risk Control Self Assessment – What can the auditor do?
Risk Control Self Assessment – Risk and Control Accountability – Ownership
Golden rule: the RCSA method emphasizes collaboration and interaction among top management, risk owners, and risk management & auditors.
Risk management & auditors should understand the distinction between:
1. ownership of RCSA processes, and
2. the promotion of the actual RCSA approach.
It is common for risk management & auditors to promote the RCSA concept, facilitate its implementation, and support its use. However, risk management & auditors need to be cognizant of their role and ensure that it does not cross over into the realm of ownership.
Risk Control Self Assessment – Risk and Control Accountability – Ownership
Risk management & auditors can focus on:
1. validating the evaluation conclusions produced by the RCSA process,
2. synthesizing the information gathered from components of the organization, and
3. expressing their overall judgment about the effectiveness of risk management and controls to top management and the risk oversight / audit committee.
They can also enhance the RCSA process by:
1. Continually monitoring business activities and keeping abreast of significant business issues by regularly meeting with management / risk owners
2. Incorporating risk factors into the development of audit plans (rather than just scheduling routine audits to assess the control environment)
3. Proactively reviewing processes (since technological advancements impact the risk and control structure)

Risk reporting
Audit Opinion – common practice
• Adequate (internal control) / Satisfactory / Generally conforms with the standard
• Adequate, but some improvement needed / Partially conforms with the standard
• Urgent attention is required / Unsatisfactory / Non-conformance (to the standard)
Are you facing this reporting problem?
The risk is low, however there are many audit findings, or vice versa? (e.g. risk "green" – audit grading "red")
How to mitigate?
Many risks vs many assurance providers: combined assurance is the key
What is Combined Assurance? Integrating and aligning assurance processes to obtain a comprehensive, holistic view of the effectiveness of the organization's governance, risks, and controls, to enable senior management to set priorities and take any necessary actions.
Source: IIA

Considerations for ways of coordinating combined assurance
Source: IIA 2015 – Combined Assurance: One Language, One Voice, One View
Integration #3 – Refer to people competency
ATTORNEY GENERAL'S OFFICE BUILDING FIRE
Jakarta – Saturday, 22 August 2020
▪ Burned for 11 hours, handled by 40 fire engines and 200 personnel
▪ Hydrants did not work; difficulty obtaining a water source
▪ Routine reporting on the maintenance of the building's facilities and infrastructure was not functioning
▪ As many as 70% of government buildings do not meet fire safety standards*
What is competency?
Technical competencies – these describe the 'what' – the knowledge and skills needed to do the job.
Behavioural competencies – these describe the 'how' – the personal qualities and behaviours needed to do the job.
So, if you have to advocate risk management as a central part of an organisation's strategic management (a professional standard), then developing skills in influence and impact (a behavioural competency) would help you to achieve this.
• Perform our professional services
• Compliance with professional standards
• Market competition
• Not to be replaced by machines
Code of Ethics Rule 4.1 states "Internal auditors shall engage only in those services for which they have the necessary knowledge, skills, and experience."
Code of Ethics Rule 4.3 states "Internal auditors shall continually improve their proficiency and the effectiveness and quality of their services."
Source: Kompas, 3 May 2018
Before we set standard competencies, please remember…
• Different levels of maturity within organisations, depending on size, sector and geographical region.
• The wide range of variations in job roles between sectors and organisations.
• Aspirations of organisations that wish to raise their risk management / internal audit standards and capabilities and, where appropriate, develop a risk management – internal audit function.
• The need for individuals and employers to adapt standards to roles.
#1 – Career level
Source: Professional Standards in Risk Management – Institute of Risk Management.
#2 – Technical Competencies for Risk Persons
Insights and context:
• Risk management principles and practice
• Organisational environment
• External operating environment
Organisational capability:
• Communication and consultation
• Change management
• People management
Strategy and performance:
• Risk management strategy and architecture
• Risk management policy and procedures
• Risk culture and appetite
• Risk performance and reporting
Risk management process:
• Risk assessment
• Risk treatment
Source: Professional Standards in Risk Management – Institute of Risk Management.
#2 – Technical Competencies for Auditors
Source: Core competencies for today's Internal Auditor – IIA, 2010

#2 – Technical Competencies for Auditors
Competencies needed by auditors for assessing risk management
Source: IIA Research Foundation – March 2011, Internal Auditing's Role in Risk Management

#2 – Overall Competencies for Auditors
#2 – Behavioural Competencies
• Empathy
• Creativity
• Communication
• Collaboration
• Drive to learn and achieve something (strive for excellence)
#3 – Competency Development – The PDCA process
Standard Competency: the competency standard covers each career level (junior, middle, senior) together with: • the competencies required at each level • the training programmes relevant to attaining those competencies.
Competency Assessment: • the first step of a structured, continuous competency development programme • competency assessment is generally carried out once a year, or as needed • the method used may be an assessment that …
Development Plan: • the development plan is produced at least once a year and contains the gaps identified after the assessment together with the plan for closing them • besides training, the competency development plan may add job assignments, job enlargement, or other methods.
Periodic Monitoring: • monitoring of development results, carried out at least twice a year • if the development result already matches the expected competency level, a re-assessment can be done for the next career level • conversely, if the development result still does not …
Are you facing this problem?
Auditors and risk management should give advice to business units, however they are:
• Newbies
• Lacking business understanding
• Lacking confidence
• For auditors – too detailed, not seeing the big picture
• For risk management – standing on behalf of the process owner, not giving a proper challenge to risk reports and decisions made by management
How to mitigate?
Integration #4 – Through tools and technology
How Technology could help GRC
• Risk Information Management System (risk universe – assessment results – monitoring of treatment plans; could be linked to the Audit Information Management System)
• Key Risk Indicators (monitoring the cause of risk)
• Continuous Auditing / Monitoring (monitoring the implementation of certain controls)
• Performance Management dashboard (KPI achievement linked to the top risk assessment)
• Audit Information Management System (risk based audit – reporting – follow-up of recommendations; could be linked to the Risk Information Management System)
• Document management system (procedure and policy warehouse)
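The list above distinguishes a Key Risk Indicator (watching the cause of a risk) from continuous auditing / monitoring (watching whether a control actually operated). The block below is an added illustration of both, not code from the workshop material or from any vendor product the deck cites; the failed-login KRI with its amber / red thresholds, the two payment controls (segregation of duties, and dual approval above a limit), and the log and payment records are constructed assumptions.

```python
"""Key Risk Indicators and continuous control monitoring over constructed
transaction data. Added illustration, not code from the workshop material;
the KRI thresholds, control rules and sample records are assumptions.
"""
from collections import Counter

# --- Key Risk Indicator: monitors the *cause* of a risk ---------------------
# Assumed KRI: failed logins per user per day, an early signal of credential
# stuffing or brute force before an account actually falls.
KRI_THRESHOLDS = {"amber": 5, "red": 20}   # failures per user per day

# Constructed authentication log: (day, user, outcome)
AUTH_LOG = (
    [("2020-09-01", "alice", "fail"), ("2020-09-01", "alice", "success")]
    + [("2020-09-01", "bob", "fail")] * 6
    + [("2020-09-02", "svc-batch", "fail")] * 25
)


def kri_failed_logins(auth_log, thresholds=KRI_THRESHOLDS):
    """Return {(day, user): (failure_count, status)} for every user-day that
    had at least one failed login; status is green / amber / red."""
    counts = Counter((day, user) for day, user, outcome in auth_log if outcome == "fail")
    result = {}
    for key, n in counts.items():
        if n >= thresholds["red"]:
            status = "red"
        elif n >= thresholds["amber"]:
            status = "amber"
        else:
            status = "green"
        result[key] = (n, status)
    return result


# --- Continuous control monitoring: tests that a *control* operated ---------
# Assumed controls: (1) segregation of duties, preparer must not approve;
# (2) payments above APPROVAL_LIMIT need two distinct approvers.
APPROVAL_LIMIT = 100_000

# Constructed payment records
PAYMENTS = [
    {"id": "P-001", "amount": 50_000,  "prepared_by": "dina",  "approved_by": ["eko"]},
    {"id": "P-002", "amount": 75_000,  "prepared_by": "dina",  "approved_by": ["dina"]},
    {"id": "P-003", "amount": 250_000, "prepared_by": "fajar", "approved_by": ["eko"]},
    {"id": "P-004", "amount": 300_000, "prepared_by": "fajar", "approved_by": ["eko", "gita"]},
]


def control_exceptions(payments, limit=APPROVAL_LIMIT):
    """Return [(payment id, control name, detail)] for every control breach.
    Each record is tested against every rule, so one payment can raise both."""
    findings = []
    for p in payments:
        if p["prepared_by"] in p["approved_by"]:
            findings.append((p["id"], "SoD", f"{p['prepared_by']} both prepared and approved"))
        if p["amount"] > limit and len(set(p["approved_by"])) < 2:
            findings.append((p["id"], "dual-approval", f"{p['amount']} approved by one person"))
    return findings


if __name__ == "__main__":
    for (day, user), (n, status) in sorted(kri_failed_logins(AUTH_LOG).items()):
        print(f"{day} {user:10s} failed={n:3d} {status}")
    for finding in control_exceptions(PAYMENTS):
        print("exception:", finding)
```

In practice both checks run on a schedule against the real source systems (the identity provider's sign-in log, the payment workflow database) and feed the risk and audit information systems listed on the slide. The value is that an exception surfaces while the transaction is still reversible, rather than in a sample tested months later.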
Data Analytics Maturity
• Descriptive: data analytics in this model describes an event, trend, pattern or relationship among several data sets, including producing the variance in that data. This model more or less answers the question "What is happening right now?"
• Diagnostic: this model is generally developed to surface information on the cause of an event. It produces insight that can answer "Why did this happen?". Examples: Key Risk Indicator, Fraud Risk Indicator.
• Predictive: this model is developed to predict the value of a dependent variable from independent variables. It needs historical data on events that have already occurred in order to predict new events in the future, and answers the question "What will happen?". Example: based on historical fraud events, once the causes have been identified, the model can indicate when the next fraud is likely to occur as soon as the trend in those causes appears.
• Prescriptive: this model can offer response options / recommendations for conditions that are occurring or will occur.
Source: Best Practices in Analytics: Integrating Analytical Capabilities and Process Flows, Gartner, March 2012
Types of Audit Information Management System
1. Document Management System – repository of audit working papers, policies, reports, etc. Users: auditors.
2. Pure Audit Management Solution – audit universe; audit workflow; issue tracking and remediation; audit committee reporting; KPI dashboard. Users: auditors.
3. Compliance Solution with Audit Management capability – audit management solution; tracking compliance with certain regulations. Users: auditors, risk, compliance, process owners.
4. Integrated Management & Advisory Services – compliance solution with audit management capability; integrated with the risk register; maintaining, reporting and tracking advisory services. Users: auditors, risk, compliance, process owners.
5. Data Analytics for Business – continuous auditing / monitoring; key risk indicators; fraud vulnerability. Users: auditors, risk, compliance, process owners.
Source: Gartner – Market Guide for Audit Management Solutions, Feb 2019
"Voice-command technology that can tell the user what is happening right now and why, what its impact will be in the future, and offer options for what the user can do."
Sharing from the CEO
Source: Key Risk Indicator – RIMS, 2014
Continuous Auditing – Continuous Monitoring

Risk Management Information System
Machine Learning: Know How
Frequent usage of the technology in several areas:
1. Fraud detection
2. Compliance management
3. Risk assessment
Risk assessment, normally used for:
• Determining creditworthiness
• Identifying cybersecurity threats
• Detecting money laundering attempts
• Customer complaints
• Removing subjective risk scoring
Current practice of integration

Source: RIMS and IIA executive report – 2012, Forging a Collaborative Alliance
• Prepare organisation-wide pandemic preparedness and response plans to deal with the different stages of an outbreak, with goals and objectives clearly spelled out;
• Establish and test business continuity strategies and plans for critical business functions;
• Deploy multiple business continuity strategies to cope with high staff absenteeism rates;
• Review information technology infrastructure needs so as to anticipate higher network demand due to changes in customer behaviour and preferences (e.g. greater use of internet banking) and to facilitate implementation of various business continuity strategies (e.g. work-from-home);
Supporting culture
• Provide senior management support and oversight of the planning activities
Source: Monetary Authority of Singapore, Preparedness for Avian Influenza Pandemic and Security Threats, July 2007
• Establish a cross-functional taskforce involving relevant business and support units to develop, implement and maintain readiness and response capability;
• Establish a surveillance and escalation framework to keep abreast of the latest developments;
• Establish and test immediate response and escalation plans for the management of staff with symptoms suggestive of pandemic;
• Establish procedures for contact tracing and staff quarantine;
• Put in place the logistical arrangements required to cope with a pandemic that could last for months (e.g. making arrangements for enhanced cleaning procedures and increased frequencies at higher alert levels, and stocking up on personal protective equipment);
• Establish a framework to assess, monitor and assure that critical suppliers and service providers have implemented appropriate business continuity measures to deal with a pandemic;
• Review and enhance communication strategies (e.g. what key messages to convey, as well as when and how to convey the messages) for a pandemic.

Source : Monetary Authority of Singapore, Preparedness for Avian Influenza Pandemic and Security Threats, July 2007
Intra-function separation during normal business operations
A staff member who is infected could potentially result in a quarantine order being served on all personnel within the same office, which in turn can affect an entire function within the organisation. Some institutions mitigate such concentration risk by setting up more than one operating site for each critical business function, in different locations, for normal business operations.

'Work-from-home' strategy
As most institutions encounter difficulty in employing a WFH strategy for their critical operational activities because of infrastructure constraints and internal control issues, such a strategy may be more suited to managerial functions.
capabilities such as enabling remote access to office applications and emails, and increasing network bandwidth.

Service providers' readiness
a comprehensive risk management framework and procedures to assess service providers' business continuity readiness. A combination of on-site visits and surveys is used to assess these providers, depending on their importance.

Crisis communication strategy
Crisis communication generally refers to the management and exchange of information within an organisation, and between the organisation and external parties such as the media, authorities and the general public, during a crisis. Some institutions have taken it a step further by pre-drafting key messages for key stakeholders (e.g. staff, media, investors, customers and authorities) for various scenarios (e.g. staff is infected, customer is infected, loss of access to offices, change of operating location and disruption in
In addition, the mode of communication and timeline for such messages and statements to be communicated at various

Source : Monetary Authority of Singapore, Preparedness for Avian Influenza Pandemic and Security Threats, July 2007
Workplace infection control measures
Established adequate workplace infection control measures. Response plans to manage staff with symptoms suggestive of avian influenza. The plans cover the roles and responsibilities of the personnel involved and the designated route for moving affected staff. Institutions also validate and test their response plans to ensure that staff are conversant with the procedures and will react appropriately given the scenario. Some institutions have distributed, or planned to record and distribute, videos on how to handle staff and customers with flu-like symptoms.

Transportation and evacuation plan
Some institutions have developed transport and evacuation plans to move recovery staff efficiently from affected areas to recovery sites. Some institutions have private vehicles on standby at a separate location to transport recovery staff.

Source : Monetary Authority of Singapore, Preparedness for Avian Influenza Pandemic and Security Threats, July 2007
• Changing the IA plan (discontinuing engagements, reducing scope, adding new engagements) due to changes in emerging risk, for example:
  • The massive number of employees working from home for extended periods of time also gives rise to several risks. Cybersecurity breaches and fraud have become a more prominent concern at many organizations.
  • Credit risk has become a much greater concern, as the organization is granting some deferrals and working with members who have run into financial difficulties.
  • People and processes can be another source of increased risk. As organizations furlough employees, they need to ensure that those workers' access to the corporate network is actually terminated, including secondary and privileged accounts, not just the primary login.
• Perform advisories, for example:
  • A business might decide to factor its accounts receivable, taking a discount in exchange for quicker access to cash. Another option, one that can further stress the supply chain, is to stretch payments.
• Increase the usage of data analytics
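Added example, not taken from the slides or from any of the cited sources: one data analytic an internal audit or risk function could run as a continuous-monitoring check for the furlough point above. It reconciles a constructed HR furlough list against a constructed IAM account export and reports accounts that are still enabled after an offboarding grace period, accounts that were used after the furlough started (even if they have since been disabled), and furloughed employees with no account record at all, then reduces the result to a single key risk indicator. The record fields, names, dates and the 24-hour grace period are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Furlough:
    """One HR furlough record (field names are assumptions for this example)."""
    employee_id: str
    start: datetime  # when the furlough began (UTC)


@dataclass(frozen=True)
class Account:
    """One IAM account record, e.g. a directory export (assumed shape)."""
    employee_id: str
    username: str
    enabled: bool
    last_login: Optional[datetime]


def _utc(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


# Constructed sample data: an HR furlough list and an IAM account export.
HR_FURLOUGHS: List[Furlough] = [
    Furlough("E001", _utc(2020, 4, 1)),
    Furlough("E002", _utc(2020, 4, 10)),
    Furlough("E003", _utc(2020, 4, 19, 12)),  # very recent: still inside the grace period
    Furlough("E004", _utc(2020, 4, 5)),
]
IAM_ACCOUNTS: List[Account] = [
    Account("E001", "alice", False, _utc(2020, 3, 31)),  # offboarded correctly
    Account("E002", "bob", True, _utc(2020, 4, 12)),     # still enabled, used after furlough
    Account("E002", "bob-adm", True, None),              # second, privileged account missed by offboarding
    Account("E003", "carol", True, _utc(2020, 4, 18)),   # furloughed yesterday, workflow still has time
    Account("E004", "dave", False, _utc(2020, 4, 7)),    # disabled eventually, but used after furlough start
    Account("E999", "svc-backup", True, None),           # not furloughed, out of scope for this check
]
AS_OF = _utc(2020, 4, 20)


def index_by_employee(accounts: List[Account]) -> Dict[str, List[Account]]:
    """Group accounts by employee id, since one person may hold several accounts."""
    by_emp: Dict[str, List[Account]] = {}
    for acct in accounts:
        by_emp.setdefault(acct.employee_id, []).append(acct)
    return by_emp


def find_exceptions(furloughs: List[Furlough], accounts: List[Account],
                    as_of: datetime, grace_hours: int = 24) -> List[Tuple[str, str]]:
    """Return (username, reason) pairs for accounts that contradict the control.

    Two tests per account: is it still enabled once the offboarding grace period
    has elapsed, and was it used at all after the furlough started (a late
    disable still means access existed when it should not have). A furloughed
    employee with no IAM record is reported too: the reconciliation itself is broken.
    """
    by_emp = index_by_employee(accounts)
    findings: List[Tuple[str, str]] = []
    for f in furloughs:
        deadline = f.start + timedelta(hours=grace_hours)
        if f.employee_id not in by_emp:
            findings.append((f.employee_id, "no IAM record for furloughed employee"))
            continue
        for acct in by_emp[f.employee_id]:
            if acct.enabled and as_of > deadline:
                findings.append((acct.username, "still enabled after grace period"))
            if acct.last_login is not None and acct.last_login > f.start:
                findings.append((acct.username, "login after furlough start"))
    return findings


def kri_offboarding_rate(furloughs: List[Furlough], accounts: List[Account],
                         as_of: datetime, grace_hours: int = 24) -> float:
    """Key risk indicator: share of furloughed employees past the grace period
    whose accounts are all disabled. 1.0 means the control is fully effective."""
    by_emp = index_by_employee(accounts)
    due = [f for f in furloughs if as_of > f.start + timedelta(hours=grace_hours)]
    if not due:
        return 1.0
    clean = 0
    for f in due:
        accts = by_emp.get(f.employee_id, [])
        if accts and all(not a.enabled for a in accts):  # missing record is not "clean"
            clean += 1
    return clean / len(due)


if __name__ == "__main__":
    for user, reason in find_exceptions(HR_FURLOUGHS, IAM_ACCOUNTS, AS_OF):
        print(f"{user}: {reason}")
    print(f"offboarding KRI: {kri_offboarding_rate(HR_FURLOUGHS, IAM_ACCOUNTS, AS_OF):.1%}")
```

Run on a schedule against real exports, the exception list becomes an audit work paper and the rate becomes a KRI that both the risk function and internal audit can track on the same dashboard; the last-login test is the one that catches offboarding that was done, but done late.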
"We need to be innovative to respond to disruption, which takes courage and capacity"

Jim Hunt, Audit Committee Chair, Penn Mutual, Brown & Brown, Nemours Health System