Kel2 - Internal Audit Process and Methods....


INTERNAL AUDIT

PROCESS AND METHODS

GROUP 2
(TRI WIDODO, RIA ANANDA, JOVI, ZIVANNA, HIKMATURRIZKI ANNISA)
PLANNING AN ASSURANCE ENGAGEMENT
CHAPTER 9
HIGH-LEVEL ASSURANCE ENGAGEMENT RISK MANAGEMENT

• Risk assessment is considered important because it determines the objectives, scope, and approach of the assurance engagement.

Sources of information for identifying and measuring risk:

• Review of Documents
• Management Interviews at Various Levels
• Management’s Risk Assessment
• Performance Measures & Trends
• Financial & Operating Information
• Previous Audit Results
• Internal Auditor outside the Organization
• External Auditor & Consultant
• Regulation & Regulatory Result
• Industry Research & Standard
• Event Reporting
• Ongoing Client Contact
REVIEW OF DOCUMENTS
• Some relevant documents:
– Business Plan
– Organization Charts
– Process Map, Risk/Control matrices or Process Narratives
– Key Technology
– Job Descriptions
– Key Policies

MANAGEMENT INTERVIEWS AT VARIOUS LEVELS
• Additional information:
– Mission/purpose
– Vision for the future
– Primary market/competition
– Key business issues
– Financial conditions & trends
– Recent changes
– Strengths
– Concern or challenges
– Major risk
– Key personnel
– Overview of processes & operating system
• Management’s Risk Assessment: Review the risk assessment performed by management. Ensure that the testing performed is appropriate.
• Performance Measures & Trends: A KPI provides some level of assurance or is an issue to be explored. Where KRIs exist, the internal auditor can take them into consideration as well.
• Financial & Operating Information: Review the effectiveness of financial and operational management.
• Previous Audit Results: Check that the recommendations from previous audit results have been implemented.
• Internal Auditor outside the Organization: Share audit programs with auditors from other entities.
• External Auditor & Consultants: Check that the recommendations from the work of the internal auditor and consultants have been implemented.
• Regulations & Regulatory Results: Identify the regulations that apply to the area being audited.
• Industry Research & Standard: Obtain information on the general risks inherent in a particular industry.
• Event Reporting: Review the records of significant company events.
• Ongoing Client Contact: Maintain contact with the client.
DEVELOPMENT OF AUDIT OBJECTIVES,
SCOPE, AND APPROACH

• Governance
• Risk Management
• Control
GOVERNANCE
• Objectives:
– Promoting appropriate ethics & values within the organization
– Ensuring effective organizational performance management and accountability
– Communicating risk and control information to appropriate areas of the organization
– Coordinating activities of and communicating information among the board, external and internal auditors and management
• The internal audit activity must evaluate the design, implementation and effectiveness of the organization’s ethics-related objectives, programs, and activities
• The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives
RISK MANAGEMENT
• Standard 2120 – Risk Management
• The internal audit activity must evaluate the effectiveness and contribute to the improvement
of risk management process
• Standard 2120.A1
• The internal audit activity must evaluate risk exposures relating to the organization’s
governance, operations, and information systems
• Standard 2120.A2
• The internal audit activity must evaluate the potential for the occurrence of fraud and how the
organization manages fraud risk
CONTROL
• Standard 2130 – Control
• The internal audit activity must assist the organization in maintaining effective controls by
evaluating their effectiveness and efficiency and by promoting continuous improvement
• Standard 2130.A1
• The internal audit activity must evaluate the adequacy and effectiveness of controls in
responding to risks within the organization’s governance, operations, and information systems
PARTNERING WITH MANAGEMENT

• The internal auditor’s single best source of information is the manager of the area being
audited.
• Planning the audit with that manager and thinking issues through together will produce the
most value-added, business-focused results.
PRE-ENGAGEMENT COMMUNICATIONS

• A good rule of thumb is to notify the manager at least six weeks before the planning stage
begins.
• Six weeks gives the manager time to get used to the idea and make any arrangements that will
help the audit go smoothly.
RESOURCE ALLOCATION
• The most important resources are the knowledge, skills, and experience of the audit team.
• Care should be taken when selecting which internal auditors to assign to the engagement to
create the best possible team, given the nature and complexity of the engagement.
PLANNING DOCUMENTATION
• It’s common at some point to send an engagement letter to formalize the engagement.
• This can be done right after the phone call if the audit objectives and scope have been
predetermined.
EVALUATING DESIGN OF CONTROLS AND OTHER RISK MANAGEMENT TECHNIQUES
CHAPTER 10
OPENING MEETING

By:
• Internal Audit Team
• Area Manager
• Manager’s direct reports (if the manager desires)
• Manager’s superior (if the superior desires)

To build credibility with their professionalism and start to build a partnering relationship with the client management team.

Start with introductions; the auditor in charge should then state the purpose of the meeting, the objectives, scope, and approach of the audit process, and other relevant information.
PLANNING A CONSULTING ENGAGEMENT

May be similar to or different from the assurance engagement, depending on the objectives and scope agreed with the client.

The key things to remember:
• CAE must consider the engagement’s potential to improve management.
• Internal auditors may provide consulting services.
• Internal auditors must ensure that the scope is sufficient.
• Internal auditors must be sure the client understands that they will be alert
to significant control observations.
ADEQUACY AND EFFECTIVENESS

Adequate Control
Present if management has planned and organized in a manner that provides
reasonable assurance that the organization’s risks have been managed
effectively and that the organization’s goals and objectives will be achieved
efficiently and economically.

In practice, internal audit activities might choose to evaluate design adequacy at any of several points, for example:
• Some have a distinct stage of the engagement devoted to evaluating design.
• Some do the same, but include design evaluation in the planning phase.
• Some evaluate design while performing tests of effectiveness.
• Some evaluate design at the entity level and effectiveness during audits of
locations.
DETAILED ASSURANCE ENGAGEMENT RISK ASSESSMENT

Internal auditors can complete the matrix themselves, but the results will be
better if they can engage the manager of the area in the analysis.
DETAILED ASSURANCE ENGAGEMENT RISK ASSESSMENT

IDENTIFY OBJECTIVE

IDENTIFY INHERENT RISKS

ASSESS RISK IMPACT AND LIKELIHOOD

IDENTIFY CONTROLS AND OTHER RISK MANAGEMENT TECHNIQUES

EVALUATE DESIGN OF CONTROLS AND OTHER RISK MANAGEMENT TECHNIQUES
IDENTIFY OBJECTIVES AND INHERENT RISKS

• Identify Objectives
After completing the objectives column, it is good practice to compare the
objectives with those of the entire area being audited and, if applicable, the
organization as a whole.

• Identify Inherent Risks
Inherent risks are the risks to an objective that could prevent it from being
achieved; they can arise when the objectives are decided and in pursuit of the
objectives.

Ideally, this step of the analysis will identify inherent risk, that is, what could go
wrong if there were no controls or other risk management techniques.
ASSESS RISK IMPACT AND LIKELIHOOD
• Every risk must be assessed.
• Management should assess each risk (at a minimum through intuition) to decide how many resources to devote to managing that risk.
• The internal auditor should assess each risk to decide how much audit effort to devote to that risk.
• The two key factors in assessing a risk are the impact of the risk if it occurs and its likelihood (impact and likelihood).
• Assessing impact and likelihood separately usually helps management decide on the best risk management technique, and helps the internal auditor decide whether management's decision to apply that technique was the best decision or whether it would be better to analyze the risk further.
• The risk responses described in COSO’s ERM provide examples of management techniques for dealing with specific risks.

• Avoidance: exiting the activities that give rise to the risk. Risk avoidance may involve exiting a product line, reducing expansion into a new geographic market, or selling a division.
• Reduction: action is taken to reduce the likelihood or impact of the risk, or both. This typically involves a variety of everyday business decisions.
• Sharing: reducing the likelihood or impact of the risk by transferring or sharing a portion of the risk. Common techniques include purchasing insurance products, engaging in hedging transactions, or outsourcing an activity.
• Acceptance: no action is taken to affect the likelihood of the risk or its impact.
IDENTIFY CONTROLS AND OTHER RISK MANAGEMENT
TECHNIQUES
• If a risk does need to be analyzed further, the next step is to identify the controls over that risk, or other risk management techniques used to manage it.
• Whatever the source, the internal auditor must single out the controls from among the many steps performed in the business process.
• The internal auditor must also distinguish key or primary controls (controls that must operate effectively to reduce the risk to an acceptable level) from secondary controls (controls whose function is to support the operation of the controls, but which are not essential).
• It is very helpful to identify the primary controls because secondary controls usually do not need to be tested for effectiveness. At times secondary controls are worth testing because they contribute to efficiency, but that is not essential.
EVALUATE DESIGN OF CONTROLS AND OTHER RISK
MANAGEMENT TECHNIQUES
• When identifying controls through management or documents, it is better if the identification is also done with the employees who perform those controls.
• This is worthwhile because employees can walk the auditor step by step through how they perform a procedure or task, and the auditor can see whether the control is included in the procedure as performed.
• If it is not, there are two possible reasons:
A. The employee is not following the correct procedure
B. The procedure was designed by people who do not do the work; it is theoretically sound but does not work well in the real world (or it worked well when designed, but was not updated when the environment changed)
TOOLS FOR DOCUMENTING AND
EVALUATING CONTROL DESIGN
Risk/Control Matrix

Flowchart

Narrative
CONTROL CONCEPTS AND
PRINCIPLES
Some of the most commonly used concepts of control are:

• Preventive or detective
• Directive
• Compensating
• Manual or automated
• Entity-level, activity-level, or transaction-level
IT CONTROL CONCEPTS AND
PRINCIPLES
• The same concepts of controls (e.g., preventive versus
detective, or entity-level versus transaction-level)
apply to IT as well.
• Entity-level controls → Shared IT services → IT general controls
• Activity-level controls → Application controls
RELEVANT STANDARDS AND
PROFESSIONAL GUIDANCE
Standards
• 2300: Performing the Engagement
• 2310: Identifying Information
• 2320: Analysis and Evaluation

Practice Advisories
• PA 2120-2: Managing the Risk of the Internal Audit Activity
THANK YOU
QUESTION-AND-ANSWER SESSION.
