Internal Control, Internal Auditor & Risk Management


INTERNAL CONTROL,

INTERNAL AUDITOR & RISK MANAGEMENT


Corporate Internal Auditor
The internal oversight unit or function assists the Board of Directors in ensuring the achievement of objectives and business continuity by:
1. Evaluating the efficiency and effectiveness of the achievement of company objectives;
2. Monitoring and improving the effectiveness of risk control;
3. Evaluating the company's compliance with company regulations, GCG implementation, and laws and regulations; and
4. Facilitating the smooth conduct of audits by external auditors.

Internal Auditor:
• Tester of the reliability of internal control
• Facilitator and an element of Management that measures and tests the implementation of GCG.
• An auditor is better functioning as a Consultant than merely as an examiner / supervisor.

Internal Audit Role

Internal Auditor:
• A systematic, disciplined approach
• Evaluating & improving the effectiveness of risk management, control, and governance process
• Helping the organization accomplish its objectives: Strategic, Operation, Reporting, Compliance
• Assurance & Consulting activity designed to add value & improve operations
• Independence and objectivity

Internal Auditor Objective

Two roles of the Internal Auditor - IIA
• Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusions regarding … a process, system or other subject matter …
• Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client

Seven Dimensions in the Internal Auditor’s role (Donna 1985)
• Accountant
• Policeman
• Watchdog
• Teacher
• Consultant
• Communicator
• Future Manager

• The objective of IA is to assist all members of management in the effective discharge of their responsibilities, by furnishing them with objective analyses, appraisals, recommendations and pertinent comments concerning the activities reviewed. It involves such activities as:
– Reviewing and appraising the soundness, adequacy and application of accounting, financial and operating controls.
– Ascertaining the extent of compliance with established policies, plans and procedures.
– Ascertaining the extent to which company assets are accounted for, and safeguarded from losses of all kinds.
– Ascertaining the reliability of accounting and other data developed within the organization.
– Appraising the quality of performance in carrying out assigned responsibilities.

Internal Control - COSO

Internal control according to COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a process carried out by the board of directors, management, and staff to provide reasonable assurance regarding:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Components of Internal Control

• Control Environment
• Risk Assessment
• Control Activities
• Information and communication
• Monitoring

Internal Control - COSO
Control Environment :
1. The organization demonstrates a commitment to integrity and ethical values
2. The board of directors demonstrates independence from management and exercises
oversight of the development and performance of internal control
3. Management establishes, with board oversight, structures, reporting lines, appropriate
authorities and responsibility in the pursuit of objectives
4. The organization demonstrates a commitment to attract, develop, and retain
competent individuals in alignment with objectives
5. The organization holds individuals accountable for their internal control responsibilities
in the pursuit of objectives

Risk Assessment :
6. The organization specifies objectives with sufficient clarity to enable the
identification and assessment of risks relating to objectives
7. The organization identifies risks to the achievement of its objectives across the
entity and analyzes risks as a basis for determining how the risks should be
managed
8. The organization considers the potential for fraud in assessing risks to the
achievement of objectives
9. The organization identifies and assesses changes that could significantly impact
the system of internal control
Internal Control - COSO
Control Activities :
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
11. The organization selects and develops general control activities over technology to support the achievement of objectives
12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action

Information and Communication :
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
15. The organization communicates with external parties regarding matters affecting the functioning of internal control

Monitoring Activities :
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain
whether the components of internal control are present and functioning
17. The organization evaluates and communicates internal control deficiencies in a timely manner to
those parties responsible for taking corrective action, including senior management and the board of
directors, as appropriate
Internal Auditor and Governance

Key Governance Element:
• Governance
• Risk Management
• Internal control

Internal Auditor
…helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Value Proposition of Internal Auditing

What should stakeholders expect from the internal auditor?

Assurance = Governance, Risk & Control
Internal auditing provides assurance on the organization’s governance, risk management, and control processes to help the organization achieve its strategic, operational, financial and compliance objectives.

Objectivity = Integrity, Accountability, & Independence
With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice.

Internal Auditing: Assurance, Insight, Objectivity
• Assurance: Governance, Risk, Control
• Insight: Catalyst, Analysis, Assessments
• Objectivity: Integrity, Accountability, Independent

COSO ERM FRAMEWORK
• Enterprise risk management is a process, effected by an entity’s board of directors,
management and other personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may affect the entity, and manage
risk to be within its risk appetite, to provide reasonable assurance regarding the
achievement of entity objectives.

Enterprise risk management is:


• A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity level
portfolio view of risk
• Designed to identify potential events that, if they occur, will affect the entity and to manage
risk within its risk appetite
• Able to provide reasonable assurance to an entity’s management and board of directors
• Geared to achievement of objectives in one or more separate but overlapping categories

http://www.accaglobal.com/uk/en/student/exam-support-resources/
COSO ERM FRAMEWORK
• This enterprise risk management framework is geared to
achieving an entity’s objectives, set forth in four
categories:
– Strategic – high-level goals, aligned with and
supporting its mission
– Operations – effective and efficient use of its
resources
– Reporting – reliability of reporting
– Compliance – compliance with applicable laws and
regulations.
• Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process.
1. Internal Environment
2. Objective Setting
3. Event Identification
4. Risk Assessment
5. Risk Response
6. Control Activities
7. Information and communication
8. Monitoring
COSO ERM FRAMEWORK
1. Internal Environment – The internal environment encompasses the tone of an
organization, and sets the basis for how risk is viewed and addressed by an
entity’s people, including risk management philosophy and risk appetite,
integrity and ethical values, and the environment in which they operate.
2. Objective Setting – Objectives must exist before management can identify
potential events affecting their achievement. Enterprise risk management
ensures that management has in place a process to set objectives and that the
chosen objectives support and align with the entity’s mission and are consistent
with its risk appetite.
3. Event Identification – Internal and external events affecting achievement of an
entity’s objectives must be identified, distinguishing between risks and
opportunities. Opportunities are channeled back to management’s strategy or
objective-setting processes.
4. Risk Assessment – Risks are analyzed, considering likelihood and impact, as a
basis for determining how they should be managed. Risks are assessed on an
inherent and a residual basis.
COSO ERM FRAMEWORK
5. Risk Response – Management selects risk responses – avoiding,
accepting, reducing, or sharing risk – developing a set of actions to
align risks with the entity’s risk tolerances and risk appetite.
6. Control Activities – Policies and procedures are established and
implemented to help ensure the risk responses are effectively carried
out.
7. Information and Communication – Relevant information is identified,
captured, and communicated in a form and timeframe that enable
people to carry out their responsibilities. Effective communication also
occurs in a broader sense, flowing down, across, and up the entity.
8. Monitoring – The entirety of enterprise risk management is monitored
and modifications made as necessary. Monitoring is accomplished
through ongoing management activities, separate evaluations, or both.

Key Implementation Factors ERM

• Organizational design of business


• Establishing an ERM organization
• Performing risk assessments
• Determining overall risk appetite
• Identifying risk responses
• Communication of risk results
• Monitoring
• Oversight & periodic review
by management
Relationship Internal Auditor and ERM
• Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
• Assist management and the board or audit committee in the process by:
- Monitoring
- Evaluating
- Examining
- Reporting
- Recommending improvements
• Professional Practices & Standard
– 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually.
– 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems.
– 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.
Three Lines of Defense

Role of Internal Auditor on ERM
• Reviewing critical control systems and risk management processes.
• Performing an effectiveness review of management's risk assessments and
the internal controls.
• Providing advice in the design and improvement of control systems and
risk mitigation strategies.
• Implementing a risk-based approach to planning and executing the
internal audit process.
• Ensuring that internal auditing’s resources are directed at those areas
most important to the organization.
• Challenging the basis of management’s risk assessments and evaluating
the adequacy and effectiveness of risk treatment strategies.
• Facilitating ERM workshops.
• Defining risk tolerances where none have been identified, based on
internal auditing's experience, judgment, and consultation with
management.
Management Expectation on Internal Auditor
Internal Auditor & Customer Need

What does the customer want?
Customers: Audit Committee, Regulator, External Auditor, Auditee, Supplier

Audit Committee, Board, Operating Management:
• Safeguarding Assets
• Compliance with Laws and Regulations
• Reliability of Data
• Operating Management
• Effectiveness and Efficiency of Operations
• Achievement of Organizatio

QUALITY OF INFORMATION; CHANGE AGENT

BOC Expectation to Internal Audit Function

• Improve SPI staff skills and competencies and their understanding of the business operations
• Provide consulting services
• Improve SPI’s communications with key stakeholders
• Provide a value added internal audit function as well as improve the quality of reports
• Provide risk management and control assurance
• Provide regulatory and corporate compliance assurance
• Act as a mediator with external parties

COSO - Internal Control


• Control Environment
• Risk Assessment
• Control Activities
• Information and communication
• Monitoring

Function
• Operation
• Financial Reporting
• Compliance
How to meet Expectation
• How to meet the management and stakeholder expectation
• Internal auditor role should be established with a charter approved and reviewed annually at
board level.
• The internal audit charter should describe the internal audit role in the organization it serves,
including its purpose, authority, responsibility, and relationships with external organizations.
• The internal audit charter should be promoted across the organization at all levels and as
appropriate across its supply chains and to its stakeholders.
• Internal audit should have measures in place to demonstrate its level of performance to the
organization.
• Expectation gaps at organization and individual customer levels should be identified, and all
performance measures continuously monitored if the full added value of the internal audit role
is to be achieved.
• New dimensions of the internal audit role in an organization should be continuously explored
to ensure that it is at the cutting edge of its professional attributes and in its performance.

• Key improvement to meet the management and stakeholder expectation


• Align Internal Audit with the strategic goals of the organisation.
• Drive efficiency through integration, talent management and use of data analytics.
• Maintain a balance between assurance and advisory reviews.
• Run Internal Audit like a business.

Internal Audit Roles

Risk-Based Audit (RBA) Methodology

PLAN

1. Understanding the expectations of management & the Board of Commissioners
2. Risk Assessment
3. Audit Plan

Documentation of the expectations of management & the Board of Commissioners
Annual Audit Plan
TOP PRIORITY RISK

• GMS (RUPS) decision documents
• Memos/letters from the Board of Commissioners
• BOD/RRD decisions
• BPK & ICM External Audit

• Obtain executive management's commitment to the performance of internal audit services.
• Establish risk assessment criteria
• Understand the areas of concern to management even if those areas are not high risk

Role of SPI to Review Risk

Controllable Risk
• Ensure Internal Control Management
• ICoFR
• System mitigation

Strategic Risk
• Corporate Strategic Plan
• Business Development Unit
• Modeling & Workshop Mitigation

Uncontrollable Risk
• Mitigate Corporate Risk Management
• PIMR Unit
• Prediction & Analysis

FRAMEWORK

WORK PLAN
− Representative
− Responsive
− Constructive

ENGAGEMENT EXECUTION
− Preparation
− Execution
− Preparation of the Audit Report

PROFESSION
Standards Professional Internal Auditor (IIA):
− General Standards
− Field Work Standards
− Reporting Standards

PERIODIC REPORTS: Monthly & Annual
− Timing
− Content
− Including Follow Up

Pertamina Experience
Pertamina Vision, Mission and Values

Vision: To be a world-class national energy company

Mission: To carry out integrated business core in oil, gas, renewable and new energy based on strong commercial principles

Values (6C): Clean; Confident; Commercial; Competitive; Customer Focus; Capable

Pertamina’s Scope of Business

Upstream, Refinery, Shipping/Piping, Depot, Transportation, Gas station

Upstream
• Producer of oil and gas domestically and overseas
• Supplier for geothermal energy
• Gas transporter & trader

Downstream
• Refining
• Fuel business (kerosene, HSD/Diesel/MFO, etc) for industry
• Special fuel business for retail (PertaminaDex, Pertamax/PertamaxPlus)
• Aviation business
• Lube base business
• LPG business
• Petrochemical business
• Responsible for distributing fuel for Public Service Obligation (PSO), such as kerosene, gasoline, HSD
• Executor for kerosene conversion to LPG

Corporate
Employees
• 15,190 persons
Subsidiaries & Affiliates
• 19 Subsidiaries
• 13 Affiliates

Other
• Insurance
• Hotel
• Medical
• Dana Ventura

Business Process
Performance & Governance

Financial Statement Released:
• 16 November 2010
• 21 April 2011
• 9 March 2012
• 15 February 2013
• 14 February 2014
• 13 February 2015
• 12 February 2016

Good Corporate Governance Score: 94,27; 94,43; 94,50

No / Company (2013):
1 Royal Dutch Shell
75 Petronas
122 Pertamina
135 Unilever

No / Company (2014):
1 Walmart
69 Petronas
123 Pertamina
477 PLN

No / Company (2015):
130 Pertamina
477 PLN

Reference: Pertamina Annual Report & website
Pertamina Transformation

• Before 2009: Audit (Watchdog)
• 2010: Transformation
• 2011: Assurance & Consulting based on RBA

Management Need: Transformation to be World Class Internal Audit

Analysis Current Condition
• Determine Value Driver
• Define Current Condition of IA
• Derive IA Roadmap for performance development and IA function

Area of Improvement / Roadmap
• Organization
• HR Management
• Quality Assurance
• Knowledge Management
• Working practices
• Use of IT Audit Software
• Communication and Reporting
IA Pertamina Transform to Best Practice

• Assurance and Consulting by implementing Risk Based Audit with Audit Management Systems tools
• Stabilization and implementation of Internal auditor reposition by continuing evaluation
• Increasing quantity of human resources by new recruitment
• Increasing quality of human resources by training and certification.

EVALUATION OF GOVERNANCE & RISK; ASSURANCE OF INTERNAL CONTROL EFFECTIVENESS
Step in Reposition IA

2009 – AREA OF IMPROVEMENT
1. Organization
2. Human Resources
3. Working Practice
4. Use of IT
5. Knowledge Management
6. Communication & Reporting
7. Quality Assurance

2009 – CATEGORIZING
• Workstream (Area 1,2)
• Workstream (Area 3,6)
• Workstream (Area 5,7)
• Workstream (Area 4)

2010 – DELIVERABLES
• Vision & Mission Auditor
• Internal Auditor Charter
• Organization Structured
• Working Practice
• IT Audit
• Risk Based Audit
• Audit Management Systems
• Knowledge Management
• Auditor Competence
• Quality Assurance

2011 – RESULT
• Vision & Mission
• Internal Auditor Charter
• Organization structured
• Audit Universe
• Working Practice
• SOP Risk Based Audit
• Knowledge Management Function
• Implementing RBA & AMS
Strategic plan to achieve a world-class IA

Area of Improvement

QUALITY ASSURANCE
• To develop a comprehensive Quality Assurance and Improvement Program

KNOWLEDGE MANAGEMENT
• Leverage technology to synthesize knowledge and make information readily available to both SPI staff and the auditees

COMMUNICATION AND REPORTING
• To communicate with clarity, brevity, accuracy and with

USE OF IT
• Enhance audit processes by integrating technology solutions into multiple aspects of SPI’s operations

WORKING PRACTICES
• Improve SPI’s processes to increase efficiencies and value delivered

HUMAN RESOURCES
• Maintain and bring in the right people to support the needs of Pertamina’s business

ORGANISATION
• To re-align function to business processes and risks and build reputation

Reference: Pertamina Annual Report 2013


Progress in Area of Improvement

[Chart: progress in the areas of improvement (Quality Assurance; Knowledge Management; Communication and Reporting; Use of IT Audit Software; Working practices; HR Management; Organization), with the labels "As March 2009", "as Feb 2011" and "best practice".]
Strategic Internal Audit Planning 2014-2018

ROADMAP PERTAMINA
STAKEHOLDER EXPECTATION
VISION & MISSION
SWOT ANALYSIS

WATCHDOG, TO STRATEGIC BUSINESS PARTNER, TO BE STRATEGIC ADVISOR
2013, 2014, 2015

Strategic Plan (No; Strategic Plan; Model 7S; Timelines):
1. Refining the vision and IA Charter; Strategy; 2014
2. Optimality of quality assurance role, including evaluation on the implementation of IA Code of Ethics; System, Shared Value; 2014-2018
3. Improvement on the methodology of Risk Based Audit (RBA), including planning, implementation, and reporting; System, Style; 2014-2018
4. Implementation of Continuous Auditing methodology; System; 2014-2018
5. Reorganization of IA Structure
a. Group Control Function
b. BG M&T IA Function
c. Upstream IA Function
6. KPI of Integrated Audit/Secondment; System; 2014-2018
7. Implementation of auditor competency development system in a continuous manner; Staff, Skill; 2014-2018
8. ICoFR Testing; System; 2014-2018
9. Implementation of RBA in Subsidiaries; System; 2014-2018


Key Achievement

The Implementation of Assurance and Consulting
• conducted on 59 areas/activities of the company

Initiatives of the Internal Audit
• Internal Control Framework
• Developing Continuous Controlling System (CCS);
• Implementation of Internal Control Over Financial Reporting (ICoFR)
• Fraud Prevention Program

Internal Audit Image
• Performance Improvement Programme

Professionalism Improvement
• by pursuing the international & national certification program and training program.

Coordinates with External Auditors
• Government Auditor (BPK), Government Internal Auditor (BPKP) and External Auditor


Internal Audit Organizational Structure
Internal Audit Charter
Vision
To become a professional and trusted Internal Audit by applying the best practices of world-class energy companies.

Mission
To add value for the Company through independent and objective assurance and consulting activities in accordance with internationally applicable professional standards.

Objectives
1. To help the Company achieve its objectives effectively and efficiently by evaluating and recommending improvements to the effectiveness of corporate governance, risk management and internal control.
2. To help the Company's management and other stakeholders by providing advice, considerations and recommendations that are useful for improving the Company's effectiveness and efficiency.

Scope
Internal Audit engagements cover all operational and business areas and activities of the company, together with its subsidiaries, affiliates and other relevant parties, in order to evaluate and improve the effectiveness of corporate governance, risk management and internal control.

Internal Audit Charter
Independence
Internal Audit is led by a CAE who reports to the President Director; the CAE is appointed and dismissed by the President Director with the approval of the Board of Commissioners; is prohibited from involvement in operational activities that could impair independence; etc.
Authority
Has unrestricted access to all Company data, functions, activities and resources; coordination with external auditors, other oversight institutions & the Audit Committee; oversight of subsidiaries in accordance with the corporate relations charter; etc.
Duties & Responsibilities
Carrying out oversight activities; reporting the results to the President Director & the competent parties; carrying out investigative audits; reporting the results of oversight activities to the Board of Commissioners, specifically the Audit Committee; etc.
Auditor Requirements
Having integrity, being professional, independent, honest & objective, with technical audit knowledge; complying with professional standards & the code of ethics; understanding the principles of good corporate governance; etc.
Internal Audit Implementation Standards
The Internal Audit Work Procedure System and Code of Ethics, which refer to the International Standards for the Professional Practice of Internal Auditing issued by the IIA.

Code of Ethics
Integrity
• Honesty, objectivity, and diligence in performing duties and fulfilling professional responsibilities.
• Loyalty to the organization, but must not be involved in activities that are improper or unlawful.
• Must not knowingly be involved in acts or activities that could discredit the profession or the organization.

Objectivity
• Must refrain from activities that could give rise to conflicts of interest and prejudice, thereby casting doubt on the ability to perform duties and fulfil professional responsibilities objectively.
• Must not accept anything in any form that could, or could reasonably be presumed to, influence professional judgment.
• Must disclose all material facts known to them in the report on the performance of their duties, and/or is prohibited from distorting reports and concealing unlawful practices.

Confidentiality
• Must not use information obtained in the performance of duties for personal gain, in violation of the law, or in a way that could cause harm to the organization.

Competence
• Must make every effort to always meet the International Standards for the Professional Practice of Internal Auditing.
• Must continually improve competence through continuing professional education, for the effectiveness and improved quality of their work.
• Perform only those services that can be completed using the professional competence they possess.

Annual Audit Plan
What We Do

Prioritizing Audit Objects

The objective is to rate the business processes in Audit Universe in relation to the level of risk based on the results of risk assessment:

Before Raker/Rakor (Updated Risk Profile; Audit Universe; Relevant Key Processes; Auditable Areas):
• Review available information and Identify Relevant Processes
• Mapped Updated Risk Profile with Audit Universe
• Documented Audit Object / Auditable Areas relevant to the Updated Risk Profile
• Prioritize Auditable Areas considering:
– Last audit finding and opinion
– Company’s loss event in current/previous year
– Internal Audit Long Term Planning

Raker/Rakor (Finalizing Documentations):
• Bring Draft Auditable Area to Raker/Rakor to consider:
– Input from Audit Committee
– Input from SVP/VP/Mgr Operational Function
– Law/regulatory opinion
– Objective opinion from IA members regarding high risk area

Knowledge Sharing
Project Management

IA Process
Risk Based Audit Approach

Quality Assurance

Quality Assurance & Improvement Program (QAIP)
QAIP provides reasonable assurance to stakeholders regarding Internal Audit activities.

Carried out through the Auditee Feedback Survey and the Stakeholders Satisfaction Survey
Stakeholder Satisfaction Survey

• Improving the image of Internal Audit
• Raising the Internal Audit Maturity Level – assessment by an external party

Quality Assurance & Improvement Program
Internal and External Assessment
“THE CHIEF AUDIT EXECUTIVE MUST DEVELOP AND MAINTAIN A QUALITY ASSURANCE AND IMPROVEMENT PROGRAM THAT COVERS ALL ASPECTS OF THE INTERNAL AUDIT ACTIVITY” (IIA AS 1300)

Quality Assurance & Improvement Program
The quality assurance and improvement program must include both internal and external assessment

Internal Assessment (IIA AS 1311)
• Ongoing Monitoring: Team supervision, KPI Monitoring, Survey Feedback Auditee (Stakeholder Satisfaction Survey)
• Periodic Reviews: Performed by QA Team within the IA organization with sufficient knowledge of IA practices

External Assessment (IIA AS 1312)
• Periodic Reviews: The external review was performed in 2013

Consulting Services
Participant in interdepartmental working teams

Internal Audit Department provides support to other departments in various activities

Participates in the work group in charge of mapping the User Access Matrix (mySAP Application)

Participates in the Fraud Awareness Program

Participates in the work group in charge of Internal Control over Financial Reporting (ICoFR) development

Other Activities
Key Strategic Initiatives

Developing Continuous Audit Monitoring System

Competency Development and Certification

Coordination with External Auditor

IA's Added Value for the Company
1. IA's added value accelerates the process of achieving → the company's objectives → the ultimate goal
2. IA's added value can be created at the audit process stage, in the final results of the examination, and in its role in exercising control within an organization.
3. SPI delivers added value in four domains:
• Strategic
• Operation
• Reporting
• Compliance
4. Examination results must deliver added value in those four domains, not merely an examination activity that has been completed and an audit report that has been handed to the auditee and the board of directors.

How SPI delivers added value - 1
1. Role
• Creating a culture of control in the organization so that all members of the organization are made aware to always be compliant and to strive for efficiency and effectiveness in carrying out activities, because their activities will be evaluated by SPI.
• A character of compliance, working efficiently & effectively, discipline and upholding ethics are the basic prerequisites of an internal auditor. The examining party must be more compliant and better than the party being examined. This condition will create individuals who continually carry out continuous improvement, so that the internal audit unit will produce Pertamina people who can serve as role models at work.
• The SPI organization must be able to be an example / role model in managing an organization, in terms of compliance, governance, efficient and effective organizational management, and its ability to formulate strategic goals that are in line with the organization's objectives.
• SPI's role requires people who learn continuously and keep up with developments in the company and its environment so that they can understand problems in the field when conducting examinations.

How SPI delivers added value - 2
2. Audit process
• The audit process is carried out in a spirit of improvement, not merely looking for faults.
• Providing integrative improvements, not merely assigning blame.
• Listening to the auditee, including their reasons; the root of the problem may lie within those reasons.
• Focusing on the root cause so as to provide an integrative solution, because often the problem is not the error itself but rather the cause of an error/deviation. → For example, in the case of oil theft, not merely identifying the loss to the company but analysing comprehensively the weaknesses in the company's internal control, weaknesses in regulation, law enforcement, and the sociological aspects of why the theft could occur.
• Making the audit process a medium for dialogue and for consulting with the auditee on what should be done, and giving advice on the errors that occurred.

How SPI delivers added value - 3
3. Audit Report
• The internal audit report must be communicated well to the auditee without reducing the independence and objectivity of internal audit.
• The internal audit report must be integrative in setting out the problems. Often a problem in one unit is caused by problems/errors in another unit, regulatory errors, and so on.
• The solution given must be comprehensive. If the solution has to be resolved at a higher organizational unit because it concerns relationships between units, it must be discussed and resolved at the higher organizational unit.
• Avoiding audit results merely becoming a pile of documents, because added value is created when audit results are able to bring about change for the better.
• Communication with the board of directors and the chair of the audit committee is important for following up on strategic problems that have a significant impact on the organization as a whole.

Added value - strategic
1. Internal audit does not only evaluate processes but can also evaluate the strategy chosen by the company, based on the results of the audits performed.
2. The results of evaluating internal control, organizational efficiency and effectiveness, and compliance can provide input that changes the company's strategy, objectives, vision or mission.
3. SPI actively provides input to the business planning and development function based on the results of the audits performed.
4. The annual evaluation of SPI's examination results must produce input to the Board of Directors on the strategic matters that must be carried out.
5. SPI provides input to the corporate business planning unit in order to develop the annual plan and the long-term plan based on the evaluation of the examination results.

Added value - operation
1. IA's role is not only to assess whether the object examined is efficient and effective, but also to be able to advise on what must be done to improve the efficiency and effectiveness of the object studied.
2. IA must be able to internalize a culture of efficiency and effectiveness in the organization through the evaluation process it performs.
3. The audit focus must be selected from the least efficient units, which are then continuously monitored until they reach a level of efficiency equal to that of other organizational units. Meanwhile, organizational units considered already efficient are still sampled to ensure that they remain efficient and that their efficiency keeps improving.
4. Examinations must be able to create change and deliver improvements in efficiency and effectiveness. When a unit is examined, the expectation is that the unit changes for the better as a result of the examination performed.

Added value - reporting
1. The reliability of financial statements comes from an accountable recording process.
2. IA must ensure that internal control over financial reporting operates well so that every transaction document is processed in accordance with procedure.
3. IA's role as the tester of ICoFR must be carried out by testing the certification performed by the control owner.
4. In corporate reporting, IA must ensure that management does not engage in earnings management, which could lead to inaccurate financial statements that could harm the public.

Added value - compliance
1. Internal audit must be able to create a culture of compliance, meaning that the presence of SPI makes all members of the organization not dare to commit non-compliance.
2. When conducting an audit and finding non-compliance, it does not merely give an assessment but looks for the root cause of the non-compliance, because non-compliance often occurs because procedures are inappropriate or internal control is unreliable. The recommendations given thereby add value by improving the procedures and internal controls already in operation.

THANK YOU