1019 - ERM Audit Integration Material


Watermark on every slide: TIDAK UNTUK DISEBARLUASKAN (Not for distribution)

ERM & Audit Integration

Please introduce yourselves.

What is your concern regarding ERM and Audit integration?

Are you facing any problem through the integration process?

For Auditors: have you learned about risk management?

For Risk staff: have you learned about auditing?
In order to achieve our objectives:
• Limited access to gadgets
• Interactive unless needed
Workshop Agenda

Day 1
1. What is happening right now, how the business responds, and what RM and IA can do
2. Integration with reference to objectives (the evolving roles of IA and RM)
3. Integration with reference to each function's activities (planning, process, reporting)
4. Integration by people (competencies)

Day 2
1. Integration through tools and technology
2. Current practice of integration (based on RIMS and IIA research)
3 & 4. What's next (discussion and presentation): assessment of our RM/IA practices
Current business condition, how the business responds, and what RM and IA can do
World of Disruption – Volatility, Uncertainty, Complexity, Ambiguity (D-VUCA)

Demography:
• Talent war vs bonus
• Millennials
• Changing consumer behavior

• Unseen competitor
• Global economic impact – trade war

Natural disaster:
• Earthquake
• Volcanic eruption
• Flood
• Forest fire

Pandemic illness

Man-made disaster:
• Internet of Things
• Big Data analytics
• Hoax
• Cyber threat
• Artificial intelligence
• Tight regulation
• Unfavorable government policy
• Presidential election 2019
• Pilkada (regional head elections) 2020
CHANGES MADE BY COVID…

• Online shopping widening – from wants to needs
• Food delivery – from indulgence to utility
• Do It Yourself @Home (home cooking, hair treatment, home appliance maintenance and repair)
• Work from home – flexible working hours
• Constantly fearful customers – social distrust
• Going virtual (e-concerts, telemedicine, e-sports, online meetings, online schooling, online religious services)
• The rise of empathy and solidarity
• More religious
• Happy parenting vs physical abuse?

Source: 30 Customer Behavior Shifts After Covid-19, Invent.ure Knowledge, 2020
PROSPERING IN THE PANDEMIC…
From the equity-added perspective:
• Pharmaceutical
• Chemical
• Technology, gaming
• Online education
• Telecommunication
• E-commerce
• Logistics

The gold price is up 13% since Jan 2020, its highest level since 2012.

Source: Financial Times, Prospering in the pandemic – The top 100 companies, June 2020
Keyence develops and manufactures automation sensors, vision systems, barcode readers and laser markers. In early June, Keyence shares hit an all-time high and the automation specialist became Japan's second most valuable company after Toyota.

A company offering online consultation with doctors has soared 130% since Jan 2020, as people have sought to avoid hospitals.
Barings Bank
Industry: Banking
Fate: Collapsed (purchased for £1 by ING)
Successor: ING Group; Baring Asset Management
Founded: 1762
Defunct: February 26, 1995
Headquarters: London

• The world's second oldest merchant bank.
• The bank collapsed in 1995 after suffering losses of £827 million ($1.3 billion) resulting from poor speculative investments, primarily in futures contracts.
• The trades were conducted by an employee named Nick Leeson working at its office in Singapore.
What went wrong:
• Appointment of competent persons to perform their duties
• Management teams have a duty to fully understand the businesses they manage
• Clear segregation of duties is fundamental to any effective control system
• Relevant internal controls, including independent risk management, have to be established for all business activities
• Top management and the Audit Committee have to ensure that significant weaknesses, identified to them by internal audit or otherwise, are resolved quickly
Risk & Control – What is Risk?

Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. – IIA Standards (Glossary)

Risk is all about uncertainty or, more importantly, the effect of uncertainty on the achievement of objectives. – ISO 31000
Risk & Control – What is Control?

Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of reporting
• Compliance with applicable laws and regulations
Based on COSO.

Control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. – IIA Standards (Glossary)
The Three Lines of Defense Model (diagram)
Source: IIA
An update of the Three Lines of Defense – July 2020 (diagram of the IIA Three Lines Model)
THE THREE LINES MODEL
An update of the Three Lines of Defense – July 2020

Principle 1: Governance
• Accountability (integrity, leadership, transparency)
• Action → risk-based decision making
• Assurance and advice

Principle 2: Governing body roles
• Appropriate structures and processes in place
• Organizational objectives and activities are aligned
• In order to achieve that, the governing body delegates responsibility, provides resources, ensures legal, regulatory and ethical compliance, and establishes a reliable internal audit function

Principle 3: Management, 1st and 2nd line roles
• 1st line – delivers products to customers, including supporting functions. Responsible for managing risk.
• 2nd line – provides assistance with managing risk. Focuses on specific objectives of risk management (e.g. compliance, ERM implementation, sustainability).
• 1st and 2nd line may be blended or separate functions.
THE THREE LINES MODEL
An update of the Three Lines of Defense – July 2020

Principle 4: 3rd line roles
Independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management.

Principle 5: 3rd line independence
Established through:
• Accountability to the governing body
• Unfettered access to people, resources, and data needed to complete its work
• Freedom from bias or interference in the planning and delivery of audit services

Principle 6: Creating and protecting value
All lines working together through communication, cooperation, and collaboration.
Organization structure – example

General Meeting of Shareholders
• Board of Directors: Investment Committee; Insurance Product Development Committee; Compliance; Risk Management; Internal Audit
• Board of Commissioners: Risk Oversight Committee; Audit Committee

Source: POJK 02/POJK.5/2014 on Good Corporate Governance for Insurance Companies
Overview – Internal Audit's Positioning in RM

Organizations with Internal Audit and ERM separate, by industry (chart)
• Internal audit and ERM are separate in 80% of the organizations.
• There may be some blurring between the second and third lines of defense.
• Regional, industry, and size differences are also seen with this question.

Source: CBOK 2015 research, "Who Owns Risk?"


ARCHITECTURE – SNI ISO 31000:2018 (diagram): risk management principles, risk management framework, risk management process

RISK MANAGEMENT PRINCIPLES (diagram)

RISK MANAGEMENT FRAMEWORK (diagram)

RISK MANAGEMENT PROCESS (diagram)
Risk & Control – COSO ERM Components & Principles

COSO ERM 2016: The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.

Source: COSO Public Exposure, ERM – Aligning Risk with Strategy and Performance, June 2016 edition
Risk & Control – Limitations of Internal Control

• Provides no assurance that objectives will be met, only reasonable assurance that management will know the level of achievement
• Provides reasonable, not absolute, assurance that financial reporting and compliance objectives will be achieved

Limiting factors:
• Judgement
• Breakdowns
• Overrides
• Collusion
• Cost versus benefits
Integration #1 – With reference to each function's objective
Timeline of risk management and governance milestones

1914 – Robert Martin Association (Philadelphia), consisting of credit and lending officers
1966 – The Insurance Institute of America introduces the Associate in Risk Management, the first risk management certification
1986 – The Institute of Risk Management introduces a general international RM certification known as Fellow of the Institute of Risk Management
1990 – The United Nations starts the International Decade for Natural Disaster Reduction (IDNDR), focused on the impact and mitigation plans of natural disasters
1992 – The Cadbury Committee recommends that the BOD should be in charge of the company's RM; the Bank for International Settlements (BIS) introduces Basel I for the banking industry
1995 – AS/NZS 4360:1995 Risk Management Standard, the first RM standard
2001 – Terrorist attack on the Twin Towers (11 Sept); Enron bankruptcy due to bad governance
2002 – Sarbanes-Oxley Act (SOX), as a response to the Enron case, applies to companies listed on the NYSE
2005 – The Basel Committee on Banking Supervision releases Basel II
2009 – The International Organization for Standardization (ISO) releases ISO 31000:2009 Risk Management – Principles and Guidelines

Source: Pedoman Manajemen Risiko berbasis GCG (GCG-based Risk Management Guidelines) – KNKG; taken from Felix Kloman, "Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives" (2010)
Source: Risk Management and Internal Audit: Forging a Collaborative Alliance, The Institute of Internal Auditors, Inc. and the Risk and Insurance Management Society, Inc., 2012
Source: RIMS – the Risk Management Society


Source: Deloitte
Has the cause of a risk been given adequate treatment so that the risk does not recur?
Boeing 737 MAX 8 – consequence map

• Temporary flight ban in 22 countries (as of 13 March 2019), including bans on crossing certain airspace
• Is the business starting to sunset?
• Penalties from the regulator?
• Delayed launch of new products**
• Claims from airlines over several aircraft not being operational*
• Declining company image and customer trust
• Financial loss?
• Market share down?
• Share price fell 11% within one week; market value down USD 26 billion
• Order cancellations: Lion Air cancelled an order for 220 units

* Norwegian Air Shuttle owns 18 Boeing 737 MAX 8 units
** The aircraft manufacturer has also postponed the debut of the 777X
Internal Audit "Value Proposition"

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

• Assurance: Internal audit must be able to provide assurance that the organization/company operates in accordance with what management has set out in the organization's objectives.
• Insight: Internal audit must have broad insight in order to help management (by giving advice) to improve internal control, work processes, procedures, performance and risk management; and to achieve efficiency, increase revenue, productivity and profit, see new opportunities and ensure business continuity.
• Objectivity: Internal audit carries out assessment/evaluation and consulting objectively.
Internal Audit Role

Watchdog – We watch and warn
• To ensure that operations comply with the laws, regulations and policies of the organization
• The compliance audit focuses on system variation (errors, omissions, delays and fraud)
• Compliance auditing is a way of identifying variation in the system so an improvement can be put in place

Consultant – We advise and participate
• Partner to management
• Scope of work: Economy, Efficiency, Effectiveness (3 E's audit)
• The focus of the consultant is on the conservation of the organization's resources and helping managers manage.
Internal Audit Role – cont'd

Catalyst – We lead and move others within the policy set by senior management
• The catalyst seeks long-term impact on the organization by focusing the audit on the long-term values of the organization
Internal Audit Value Enhancement Opportunities

Value Protection:
• Assess the current state of governance, risk management and control, covering aspects such as: law and compliance; business processes and systems; major projects and contracts; financial processes and systems; safeguarding of assets; corporate governance
• Assess the future state of governance, risk management and control, covering aspects such as: emerging risks; due diligence

Value Enhancement:
• Propose improvements to raise business performance, including: process improvement; efficiency gains; investment decisions
• Be involved in strategic activities as an advisor

Source: How and when you should leverage Internal Audit – PwC, March 2017
Overview – Audit Philosophy

Traditional (where we are) vs preferred practice (ideal):
• The realm of the traditional internal audit: the past (history, strengths, control)
• Room for improvement: the future (goals, opportunities, risk)
• Helping factors (+): strengths and opportunities; hindering factors (–): weaknesses and threats

Traditional internal audits have value, but it is the value of "lessons learned" from the historical operation of controls.

The realm of value-added internal auditing includes all three dimensions of internal assurance:
1. Assurance that past transactions and historical records are reasonably accurate.
2. Assurance that present controls are working as intended.
3. Assurance that likely future risks are recognized in management's plans.
Internal Audit Maturity

Roles build up along the staircase: Watchdog at the early stages, Consulting added at the middle stages, Catalyst added at the leading stage.

• Initial – ad hoc (compliance oriented)
• Developing (risk based): alignment with the company's business processes and risks exists
• Intermediate (process effectiveness): the process stages strengthen the department's excellence
• Advanced: recognized as a significant contributor to the company (Business Partner)
• Leading: recognized as a key agent of change for business improvement and innovation (Agent of Change)
(chart) * Survey of 311 respondents (executives and Chief Audit Executives) in European countries
Source: IIA – Risk in Focus 2019, Hot Topics for Internal Auditors
(two charts) Source: Varonis – Cyber security statistics 2019
Case examples

• Company: Bank Mandiri
• Event: 10% of customers' (approx. 1.5 million) account balances were invalid, 20 July 2019
• Cause: unsuccessful regular IT maintenance (backup procedure)
• Impact: company reputation; financial loss
• Corrective action: back to normal within 2-3 hours after the incident

• Company: RS Dharmais, RS Harapan Kita (hospitals)
• Event: WannaCry – ransomware that encrypts the victim's data and blocks access to it unless a ransom is paid, May 2017
• Cause: phishing and low cyber security awareness (e.g. lack of cyber security training for users, antivirus not regularly updated). Note that WannaCry spread mainly by exploiting unpatched SMBv1 on Windows hosts, so missing patches were as much a cause as user behaviour.
• Impact: company reputation; operational disruption; financial loss – up to USD 17K (US data)

Even big companies such as … and … experienced cyber attacks in 2016.
(chart) Source: Marsh & McLennan Companies – Cyber risk in Asia Pacific, 2017
From the survey results there is a notable mismatch between what auditors perceive to be the biggest risks to their organizations and where internal audit spends its time. People competencies may be one of the reasons.

Source: IIA – Risk in Focus 2019, Hot Topics for Internal Auditors
TRAIN FIRE IN PAKISTAN – 74 PASSENGERS KILLED
Multan – Thursday, 31 October 2019

Facts:
• The worst accident in the last 15 years; two other accidents had occurred in the previous 3 months
• The train stopped 20 minutes after the incident
• Most of those who died were passengers who jumped from the train
• A rule prohibiting carrying stoves already existed, but nobody checked passengers' luggage

Discussion: what should Risk Management and Internal Audit have been able to do?

Source: Kompas, 1 Nov 2019
Please remember…

To start the integration between the two functions, do simple things, for example:

For Risk Management:
• If the same risk event has happened many times, it is time to check whether those events have been analyzed properly, e.g. whether the root causes of those risks were well identified and whether advice on proper internal controls has been given. Consider discussing them with Internal Audit.

For Internal Auditors:
• IA objectives should align with company objectives. When setting up the annual plan, consider the company's top risks as candidates for audit projects and audit programs.
Integration #2 – With reference to each function's activities (planning – process – reporting)
IA role in Risk Management
• Risk Based Internal Audit
• Risk and Control Self Assessment
• Combined Assurance
(diagram) Source: IIA – The Role of Internal Audit in Enterprise-wide Risk Management


IA role in Risk Management

Core roles:
a) Giving assurance on the RM program
b) Giving assurance that risks are correctly evaluated
c) Evaluating risk management processes
d) Evaluating the reporting of key risks
e) Reviewing the management of key risks

Legitimate roles (with safeguards):
a) Facilitating identification and evaluation of risks
b) Coaching management in responding to risks
c) Coordinating ERM activities
d) Consolidated reporting on risks
e) Maintaining and developing the ERM framework
f) Championing establishment of ERM
g) Developing ERM strategy for board approval

Should not undertake:
a) Setting the risk appetite
b) Imposing risk management processes
c) Assurance by management on controls and risks
d) Taking decisions on risk responses
e) Managing risks on management's behalf
f) Accountability for risks and controls

Source: IIA IPPF Guide, Assessing the Adequacy of Risk Management using ISO 31000, 2010.
Risk Based Internal Audit
Evolution of the Internal Audit Model (diagram): cyclical or routine audit plans → risk-based internal audit plan → value-driven audit plan
Source: PwC
Risk Based Internal Audit
Common audit cycle and risk integration

Audit cycle: Annual Planning → Audit Plan per Project → Execution → Reporting → Monitoring (and back to Annual Planning)

Areas where a risk-based approach is normally used:
• Annual plan → macro risk assessment (general risk assessment of a process or unit)
• Audit execution → micro risk assessment (using the risk register as a reference)
• Reporting / audit opinion → using the risk level to set a calculated opinion
RBIA – RBIA in the Annual Planning Process

Company (the audit universe): corporate functions; branches; subsidiaries (if any); processes

Risk factors: financial (revenue, net profit, opex); company strategic objectives; operational risk (fraud loss amount and frequency, branch class); auditor's view (1); project management; control environment (2); other concerns; stakeholder concerns

Internal Audit SWOT*: manpower (number and competencies); tools and methodology (3); budget constraints

→ Annual Audit Plan (4) → discussion with and approval by the Board of Directors → periodic review

* Strengths, Weaknesses, Opportunities, Threats
Risk Based Internal Audit – Audit Plan Area (Example) (chart)
Source: CEB Audit Hot Spots 2018
Risk Based Internal Audit – Audit Plan Area (Example)

Then… how do you perform an audit on reputation, change management, competition, business practices, etc.?
Risk Control Self Assessment – What can auditors do? (diagram)
Risk Control Self Assessment – Risk and Control Accountability – Ownership

Golden rule: the RCSA method emphasizes collaboration and interaction among top management, risk owners, and risk management and auditors.

Risk management and auditors should understand the distinction between:
1. ownership of RCSA processes, and
2. the promotion of the actual RCSA approach.

It is common for risk management and auditors to promote the RCSA concept, facilitate its implementation, and support its use. However, they need to be cognizant of their role and ensure that it does not cross over into the realm of ownership.
Risk Control Self Assessment – Risk and Control Accountability – Ownership

Risk management and auditors can focus on:
1. validating the evaluation conclusions produced by the RCSA process,
2. synthesizing the information gathered from components of the organization, and
3. expressing an overall judgment about the effectiveness of risk management and controls to top management and the risk oversight/audit committee.

They can also enhance the RCSA process by:
1. Continually monitoring business activities and keeping abreast of significant business issues by regularly meeting with management and risk owners
2. Incorporating risk factors into the development of audit plans (rather than just scheduling routine audits to assess the control environment)
3. Proactively reviewing information system development activities and other technology-based system development processes, since technological advancements change the risk and control structure.
Risk reporting (diagram)
Audit Opinion – common practice

Three-level scales used in practice:
• Adequate (internal control) / Satisfactory / Generally conforms with the Standard
• Adequate, but some improvement needed / Partially conforms with the Standard
• Urgent attention is required / Unsatisfactory / Non-conformance (to the Standard)
Are you facing this reporting problem?

The risk is low, however there are many audit findings, or vice versa (e.g. risk "green", audit grading "red"). How to mitigate?
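The reporting mismatch above sits at the reporting end of the RBIA cycle described on the earlier slide (macro risk assessment for the annual plan, calculated opinion from findings). The Python below is an added worked example, not material from the workshop or from the IIA/RIMS sources: it ranks a constructed audit universe by inherent risk score, derives the three-level calculated opinion from finding severities, and flags units where the risk register band and the audit grading band disagree. The 5x5 scoring scale, the opinion rule, the band thresholds and the sample units are assumptions made for the illustration.

```python
"""Added example: risk-based audit planning and a calculated audit opinion
with a register-vs-audit reconciliation check. Scales and rules are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List

GREEN, AMBER, RED = "green", "amber", "red"
BAND_ORDER = {GREEN: 0, AMBER: 1, RED: 2}


def risk_rating(impact: int, likelihood: int) -> str:
    """Macro risk rating on an assumed 5x5 scale (score = impact x likelihood)."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be within 1..5")
    score = impact * likelihood
    if score >= 15:
        return RED
    if score >= 8:
        return AMBER
    return GREEN


@dataclass
class AuditableUnit:
    name: str
    impact: int
    likelihood: int
    years_since_audit: int
    findings: List[str] = field(default_factory=list)  # "high" / "medium" / "low"


def rank_audit_universe(units: List[AuditableUnit]) -> List[str]:
    """Annual plan: order units by inherent risk score, ties broken by audit age,
    so a long-unaudited unit rises above an equally risky, recently audited one."""
    ordered = sorted(units,
                     key=lambda u: (u.impact * u.likelihood, u.years_since_audit),
                     reverse=True)
    return [u.name for u in ordered]


def calculated_opinion(findings: List[str]) -> str:
    """Three-level opinion from the slide; the rule is assumed: one high finding
    or three mediums is urgent, any medium needs improvement, otherwise adequate."""
    highs = findings.count("high")
    mediums = findings.count("medium")
    if highs >= 1 or mediums >= 3:
        return "urgent attention required"
    if mediums >= 1:
        return "adequate, but some improvement needed"
    return "adequate"


OPINION_BAND = {
    "adequate": GREEN,
    "adequate, but some improvement needed": AMBER,
    "urgent attention required": RED,
}


def reconcile(unit: AuditableUnit) -> Dict[str, str]:
    """Compare the risk register band with the audit grading band and say
    which function has to look again when they disagree."""
    risk_band = risk_rating(unit.impact, unit.likelihood)
    audit_band = OPINION_BAND[calculated_opinion(unit.findings)]
    if risk_band == audit_band:
        status = "aligned"
    elif BAND_ORDER[risk_band] < BAND_ORDER[audit_band]:
        status = "register understates risk: revisit risk assessment and root causes"
    else:
        status = "audit found fewer issues than register implies: check audit scope"
    return {"unit": unit.name, "risk": risk_band, "audit": audit_band, "status": status}


# Constructed sample audit universe; not from any real organisation.
SAMPLE_UNITS = [
    AuditableUnit("Treasury", 5, 4, 2, ["high", "medium"]),
    AuditableUnit("Branch operations", 3, 3, 3, ["low"]),
    AuditableUnit("IT backup and recovery", 4, 4, 1, ["high", "high", "low"]),
    AuditableUnit("Procurement", 2, 2, 4, ["medium", "medium", "medium"]),
]


def run(units: List[AuditableUnit] = SAMPLE_UNITS) -> Dict[str, object]:
    """Produce the annual plan order and the reconciliation table in one pass."""
    return {"plan_order": rank_audit_universe(units),
            "reconciliation": [reconcile(u) for u in units]}


if __name__ == "__main__":
    result = run()
    print("Annual plan order:", result["plan_order"])
    for row in result["reconciliation"]:
        print(row)
```

A two-band gap in either direction is the signal the slide asks about: register green with audit red (Procurement in the sample) points at a root-cause or risk-assessment failure on the risk management side, while register red with a clean audit usually means the audit scope did not cover the controls the register relies on.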
Many risks vs many assurance providers
Combined assurance is the key

What is Combined Assurance?
Integrating and aligning assurance processes to obtain a comprehensive, holistic view of the effectiveness of the organization's governance, risks, and controls, to enable senior management to set priorities and take any necessary actions.

Source: IIA
Considerations for ways of coordinating combined assurance (diagram)
Source: IIA 2015 – Combined Assurance: One Language, One Voice, One View
Integration #3 – With reference to people competency
FIRE AT THE ATTORNEY GENERAL'S OFFICE BUILDING
Jakarta – Saturday, 22 August 2020

▪ Burned for 11 hours; handled by 40 fire engines and 200 personnel
▪ Hydrants did not work; difficulty obtaining a water source
▪ Caused by …..
▪ Routine reporting on the maintenance of the building's facilities and infrastructure was not carried out
▪ As many as 70% of government buildings do not meet fire safety standards*
▪ Building security is generally handled by the general affairs division, which does not understand safety issues*

* Source: Kompas, 29 Sept 2020
What is competency?

Professional standards (technical competencies) describe the 'what': the knowledge and skills needed to do the job.

Behavioural competencies describe the 'how': the personal qualities and behaviours needed to do the job well.

So, if you have to advocate risk management as a central part of an organisation's strategic management (a professional standard), then developing skills in influence and impact (a behavioural competency) would help you achieve this.

To meet an outcome, each standard competency will require activities to be completed.
Why do we have to improve our competencies?

• To perform our professional services: compliance with professional standards; market competition
• Not to be replaced by machines

Code of Ethics Rule 4.1 states "Internal auditors shall engage only in those services for which they have the necessary knowledge, skills, and experience."

Code of Ethics Rule 4.3 states "Internal auditors shall continually improve their proficiency and the effectiveness and quality of their services."

Source: Kompas, 3 May 2018
Before we set standard competencies, please remember…

• Different levels of maturity within organisations, depending on size, sector and geographical region.
• The wide range of variation in job roles between sectors and organisations.
• Aspirations of organisations that wish to raise their risk management / internal audit standards and capabilities and, where appropriate, develop a risk management – internal audit function.
• The need for individuals and employers to adapt standards to roles and responsibilities as organisational strategy and priorities evolve.
#1 – Career level (chart)
Source: Professional Standards in Risk Management – Institute of Risk Management.
#2 – Technical Competencies for Risk Professionals

Insights and context:
• Risk management principles and practice
• Organisational environment
• External operating environment

Strategy and performance:
• Risk management strategy and architecture
• Risk management policy and procedures
• Risk culture and appetite
• Risk performance and reporting

Risk management process:
• Risk assessment
• Risk treatment

Organisational capability:
• Communication and consultation
• Change management
• People management

Source: Professional Standards in Risk Management – Institute of Risk Management.
#2 – Technical Competencies for Auditors (chart)
Source: Core competencies for today's Internal Auditor – IIA, 2010
#2 – Technical Competencies for Auditors
Competencies needed by auditors for assessing risk management (chart)
Source: IIA Research Foundation – March 2011, Internal Auditing's Role in Risk Management
#2 – Overall Competencies for Auditors (chart)
Source: The Institute of Internal Auditors, 2013
#2 – Behavioural Competencies

• Empathy
• Creativity
• Communication
• Collaboration
• Drive to learn and achieve something (strive for excellence)
#3 – Competency Development – The PDCA process

Standard Competency: describes the career levels (junior, middle, senior) together with the competencies required at each level and the relevant training programs for reaching those competencies.

Competency Assessment: the first step of a structured, continuous competency development program. Generally carried out once a year, or as needed. The method can be an assessment by the direct supervisor, the department head of another function, and Human Capital.

Development Plan: prepared at least once a year; it records the competency gaps identified after the assessment together with the plan for closing them. Besides training, the plan can include job assignments, job enlargement or other methods. The plan is an agreement between the direct supervisor and the staff member.

Periodic Monitoring: monitoring of development results, carried out twice a year. If the results match the expected competency level, a re-assessment for the next career level can be done. Otherwise, if the development results have not yet reached the target, the Development Plan can be continued into the next period.
Are you facing this competency problem?

Auditors and Risk Management should give advice to business units, however they are:
• Newbies
• Lacking business understanding
• Lacking confidence
• For auditors – too detailed, not seeing the big picture
• For risk management – siding with the process owner, not giving proper challenge on risk reports and decisions made by management

How to mitigate?
Integration #4 – Through tools and technology
How Technology could help GRC

• Risk Information Management System (risk universe – assessment results – monitoring of treatment plans; could be linked to the Audit Information Management System)
• Key Risk Indicators (monitoring the causes of risk)
• Continuous auditing / monitoring (monitoring the implementation of particular controls)
• Performance management dashboard (KPI achievement linked to the top-risk assessment)
• Audit Information Management System (risk-based audit – reporting – follow-up of recommendations; could be linked to the Risk Information Management System)
• Document management system (procedure and policy warehouse)
• GRC system (linking the risk, compliance and audit information systems)
Data Analytics Maturity

• Descriptive: Data Analytics in this model describes an event, trend, pattern or relationship among several data sets, including producing the variance of that data. This model more or less answers the question "What condition is occurring right now?"
• Diagnostic: this model is generally developed to surface information on the cause of an event. This model produces insight that can answer "Why did this happen?". Examples: Key Risk Indicator, Fraud Risk Indicator
• Predictive: this model is developed to predict the value of a dependent variable against independent variables. This model requires historical data on what has already happened in order to predict new events in the future. This model answers the question "What will happen?". Example: based on historical data on fraud events, once the cause has been identified, then when the trend of that cause appears, this model can give information on when further fraud will occur.
• Prescriptive: this model can offer response options / recommendations for the condition that is occurring or will occur.

Source: Best Practices in Analytics: Integrating Analytical Capabilities and Process Flows, Gartner, March 2012

85
Type of Audit Information Management System

Document Management System
• Repository of audit working papers, policies, reports, etc.
• User : Auditor

Pure Audit Management Solution
• Audit universe
• Audit workflow
• Issue tracking and remediation
• Audit committee reporting
• Dashboard KPI
• User : Auditors

Compliance Solution with Audit management capability
• Audit Management Solution
• Tracking compliance to certain regulations
• User : Auditors, Risk, Compliance, Process Owner

Integrated Management Solution & Advisory Services
• Compliance solution with Audit Management capability
• Integrated to Risk Register
• Maintain, report and track advisory services
• User : Auditors, Risk, Compliance, Process Owner

Data Analytics for business
• Continuous Auditing/Monitoring
• Key Risk Indicator
• Fraud Vulnerability
• User : Auditors, Risk, Compliance, Process Owner

Source : Gartner - Market Guide for Audit Management Solutions – Feb 2019

86
"Voice command technology that can provide information on what is happening right now and its cause, what its impact will be in the future, and offer options on what the user can do"

Sharing from the CEO

87
Source : Key Risk Indicator – RIMS, 2014

88
Continuous Auditing – Continuous Monitoring

89
Risk Management Information System

90
91

92
Machine Learning : Know How

Frequent usage of technology in several areas …:
1. Fraud Detection
2. Compliance Management
3. Risk Assessment

Risk Assessment, normally used for:
• Determining creditworthiness
• Identifying cybersecurity threats
• Detecting money laundering attempts
• Customer complaints
• Removing subjective risk scoring

Source: Machine Learning for governance - Galvanize

93
Machine Learning : Know How – prerequisite

Source: Machine Learning for governance - Galvanize

94
Current practices of integration

95
Source : RIMS and IIA executive report – 2012, Forging a Collaborative Alliance

96
• Prepare organisation-wide pandemic preparedness and response plans to deal with the different stages of an outbreak, with goals and objectives clearly spelt out;
• Establish and test business continuity strategies and plans for critical business functions¹;
• Deploy multiple business continuity strategies to cope with high staff absenteeism rates;
• Review information technology infrastructure needs so as to anticipate higher network demand due to changes in customer behaviour and preferences (e.g. greater use of internet banking) and to facilitate implementation of various business continuity strategies (e.g. work-from-home);

Supporting Culture
• Provide senior management support and oversight of the planning activities
• Educate and raise the awareness of staff on the pandemic

Source : Monetary Authority of Singapore, Preparedness for Avian Influenza Pandemic and Security Threats, July 2007

97
• Establish a cross-functional taskforce involving relevant business and support units to develop, implement and maintain readiness and response capability;
• Establish a surveillance and escalation framework to keep abreast of the latest developments;
• Establish and test immediate response and escalation plans for the management of staff with symptoms suggestive of pandemic;
• Establish procedures for contact tracing and staff quarantine;
• Put in place logistical arrangements required to cope with a pandemic that could last for months (e.g. making arrangements for enhanced cleaning procedures and increased frequencies at higher alert levels, and stocking up of personal protective equipment);
• Establish a framework to assess, monitor and assure that critical suppliers and service providers have implemented appropriate business continuity measures to deal with the pandemic.
• Review and enhance communication strategies (e.g. what key messages to convey, as well as when and how to convey the messages) for a pandemic situation for relevant stakeholders, including staff, authorities, clients/customers, media and service providers/suppliers; and

Source : Monetary Authority of Singapore, Preparedness for Avian Influenza Pandemic and Security Threats, July 2007

98
Intra-function separation during normal business operations
An infected staff member could potentially result in a quarantine order being served to all personnel within the same office, which in turn can affect an entire function within the organisation. Some institutions mitigate such concentration risk by setting up more than one operating site for each critical business function in different locations for normal business operations.

'Work-from-home' strategy
As most institutions encounter difficulty in employing a WFH strategy for their critical operational activities because of infrastructure constraints and internal control issues, such a strategy may be more suited to managerial functions. Many institutions have enhanced their remote computing capabilities, such as enabling remote access to office applications and emails, and increasing network bandwidth.

Service providers' readiness
a comprehensive risk management framework and procedures to assess service providers' business continuity readiness. A combination of on-site visits and surveys is used to assess these providers, depending on their importance.

Crisis communication strategy
Crisis communication generally refers to the management and exchange of information within an organisation and between the organisation and external parties such as the media, authorities and the general public during a crisis. Some institutions have taken it a step further by pre-drafting key messages for key stakeholders (e.g. staff, media, investors, customers and authorities) for various scenarios (e.g. staff is infected, customer is infected, loss of access to offices, change of operating location and disruption in services). In addition, the mode of communication and timeline for such messages and statements to be communicated at various alert levels have also been predetermined.

Source : Monetary Authority of Singapore, Preparedness for Avian Influenza Pandemic and Security Threats, July 2007

99
Workplace infection control measures
Established adequate workplace infection control measures. Response plans to manage staff with symptoms suggestive of avian influenza. The plans cover the roles and responsibilities of the personnel involved and the designated route for moving affected staff. Institutions also validate and test their response plans to ensure that staff are conversant with the procedures and will react appropriately given the scenario. Some institutions have distributed, or planned to record and distribute, videos on how to handle staff and customers with flu-like symptoms.

Transportation and evacuation plan
Some institutions have developed transport and evacuation plans to move recovery staff efficiently from affected areas to recovery sites. Some institutions have private vehicles on standby at a separate location to transport recovery staff.

Source : Monetary Authority of Singapore, Preparedness for Avian Influenza Pandemic and Security Threats, July 2007

100
• Changes in the IA plan (discontinued, reduced scope, new engagements added), due to changes in emerging risk, for example:
  • The massive number of employees working from home for extended periods of time also gives rise to several risks. Cybersecurity breaches and fraud have become a more prominent concern at many organizations.
  • Credit risk has become a much greater concern, as the organization is granting some deferrals and working with members who have run into financial difficulties.
  • People and processes can be another source of increased risk. As organizations furlough employees, they need to ensure workers' access to the corporate network is terminated.
• Perform advisories, for example:
  • A business might decide to factor its accounts receivable, taking a discount in exchange for quicker access to cash. The alternative, which can further stress the supply chain, is to stretch payments.
• Increase the usage of data analytics
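The Continuous Auditing / Monitoring and Key Risk Indicator items from the "How Technology could help GRC" slide, applied to the access-termination point above, as an added example that is not part of the original deck: a control test joins constructed HR status records to constructed directory accounts, flags enabled accounts whose owner is furloughed or terminated beyond a grace period (or has no HR owner at all), and turns the exception rate into a thresholded KRI. The record layout, the two-day grace period and the amber/red thresholds are assumptions.

```python
"""Continuous-monitoring test of the 'access is revoked when staff are furloughed or
terminated' control, with the exception rate reported as a Key Risk Indicator."""
from dataclasses import dataclass
from datetime import date

# Constructed sample extracts (not from any real HR system or directory).
HR_RECORDS = [
    {"emp_id": "E001", "status": "active",     "effective": date(2020, 1, 6)},
    {"emp_id": "E002", "status": "furloughed", "effective": date(2020, 4, 1)},
    {"emp_id": "E003", "status": "terminated", "effective": date(2020, 4, 3)},
    {"emp_id": "E004", "status": "furloughed", "effective": date(2020, 4, 20)},
]
ACCOUNTS = [
    {"account": "e001", "emp_id": "E001", "enabled": True},
    {"account": "e002", "emp_id": "E002", "enabled": True},      # should be disabled
    {"account": "e003", "emp_id": "E003", "enabled": False},     # control worked
    {"account": "e004", "emp_id": "E004", "enabled": True},      # still inside grace
    {"account": "svc-backup", "emp_id": None, "enabled": True},  # no HR owner at all
]
AS_OF = date(2020, 4, 21)  # assumed run date of the monitoring job

@dataclass(frozen=True)
class Finding:
    account: str
    reason: str        # "furloughed", "terminated" or "no HR owner"
    days_overdue: int  # days past the grace period (0 for ownerless accounts)

def find_access_exceptions(hr, accounts, as_of, grace_days=2):
    """Join enabled directory accounts to HR status; return those that fail the control."""
    status_by_emp = {r["emp_id"]: r for r in hr}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # already revoked, nothing to flag
        rec = status_by_emp.get(acct["emp_id"])
        if rec is None:                   # orphan account: nobody in HR owns it
            findings.append(Finding(acct["account"], "no HR owner", 0))
        elif rec["status"] in ("furloughed", "terminated"):
            overdue = (as_of - rec["effective"]).days - grace_days
            if overdue > 0:               # grace period for IT to action the change
                findings.append(Finding(acct["account"], rec["status"], overdue))
    return findings

def access_kri(findings, accounts, amber=0.05, red=0.10):
    """KRI: share of enabled accounts failing the control, rated against thresholds."""
    enabled = sum(1 for a in accounts if a["enabled"])
    ratio = len(findings) / enabled if enabled else 0.0
    rating = "red" if ratio >= red else "amber" if ratio >= amber else "green"
    return ratio, rating
```

Run daily against fresh HR and directory extracts, the findings list is the continuous-monitoring output and the rating is the KRI fed to the risk dashboard.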
101
"We need to be innovative to respond to disruption, which takes courage and capacity"

Jim Hunt, Audit Committee Chair, Penn Mutual, Brown & Brown, Nemours Health System

Prepared and presented by
yenny.koestijani@gmail.com

102