Risk Management and Internal Auditor

INTERNAL CONTROL, INTERNAL AUDITOR & RISK MANAGEMENT

Transcript of Risk Management and Internal Auditor

Page 1: Risk Management and Internal Auditor

INTERNAL CONTROL, INTERNAL AUDITOR & RISK MANAGEMENT

Page 2: Risk Management and Internal Auditor

Company Internal Auditor

The internal oversight unit or function is tasked with assisting the Board of Directors in ensuring the achievement of objectives and business continuity by:
1. Evaluating the efficiency and effectiveness of the achievement of company objectives;
2. Monitoring and improving the effectiveness of risk control;
3. Evaluating the company's compliance with company regulations, GCG implementation and legislation; and
4. Facilitating the smooth conduct of audits by the external auditor.

Internal Auditor:
• Tester of the reliability of internal control
• Facilitator and, as an element of Management, the party that measures and tests the implementation of GCG
• The auditor serves better when functioning as a Consultant rather than merely as an examiner / supervisor


Page 3: Risk Management and Internal Auditor

Internal Audit Role

Internal Auditor:
• Independent and objective
• Assurance & consulting activity designed to add value & improve operations
• Helping the organization accomplish its objectives: Strategic, Operation, Reporting, Compliance
• A systematic, disciplined approach to evaluating & improving the effectiveness of risk management, control, and governance processes

Page 4: Risk Management and Internal Auditor

• The objective of IA is to assist all members of management in the effective discharge of their responsibilities, by furnishing them with objective analyses, appraisals, recommendations and pertinent comments concerning the activities reviewed. It involves such activities as:
– Reviewing and appraising the soundness, adequacy and application of accounting, financial and operating controls.
– Ascertaining the extent of compliance with established policies, plans and procedures.
– Ascertaining the extent to which company assets are accounted for, and safeguarded from losses of all kinds.
– Ascertaining the reliability of accounting and other data developed within the organization.
– Appraising the quality of performance in carrying out assigned responsibilities.


Internal Auditor Objective

• Seven Dimensions in the Internal Auditor’s role (Donna 1985):
– Accountant
– Policeman
– Watchdog
– Teacher
– Consultant
– Communicator
– Future Manager

Two roles of the Internal Auditor - IIA

• Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusions regarding … a process, system or other subject matter …

• Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client

Page 5: Risk Management and Internal Auditor

Internal Control - COSO

Internal control according to COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a process carried out by the board of directors, management and staff to provide reasonable assurance regarding:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Components of Internal Control
• Control Environment
• Risk Assessment
• Control Activities
• Information and communication
• Monitoring


Page 6: Risk Management and Internal Auditor

Control Environment:
1. The organization demonstrates a commitment to integrity and ethical values
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives


Risk Assessment:
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives
9. The organization identifies and assesses changes that could significantly impact the system of internal control

Internal Control - COSO

Page 7: Risk Management and Internal Auditor


Control Activities:
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
11. The organization selects and develops general control activities over technology to support the achievement of objectives
12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action

Information and Communication:
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
15. The organization communicates with external parties regarding matters affecting the functioning of internal control

Monitoring Activities:
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate

Internal Control - COSO

Page 8: Risk Management and Internal Auditor


Internal Auditor and Governance

Key Governance Elements: Internal control, Risk Management, Governance

Internal Auditor…helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Page 9: Risk Management and Internal Auditor


Value Proposition of Internal Auditing

What should stakeholders expect from the internal auditor?

Internal Auditing = Assurance, Insight, Objectivity
• Assurance: Governance, Risk, Control
• Insight: Catalyst, Analysis, Assessments
• Objectivity: Integrity, Independence, Accountability

OBJECTIVITY = Integrity, Accountability, & Independence
With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice.

ASSURANCE = Governance, Risk & Control
Internal auditing provides assurance on the organization’s governance, risk management, and control processes to help the organization achieve its strategic, operational, financial and compliance objectives.

Page 10: Risk Management and Internal Auditor

COSO ERM FRAMEWORK
• Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Source: http://www.accaglobal.com/uk/en/student/exam-support-resources/

Enterprise risk management is:
• A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
• Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
• Able to provide reasonable assurance to an entity’s management and board of directors
• Geared to achievement of objectives in one or more separate but overlapping categories

Page 11: Risk Management and Internal Auditor

COSO ERM FRAMEWORK
• This enterprise risk management framework is geared to achieving an entity’s objectives, set forth in four categories:
– Strategic – high-level goals, aligned with and supporting its mission
– Operations – effective and efficient use of its resources
– Reporting – reliability of reporting
– Compliance – compliance with applicable laws and regulations.
• Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process.

Source: http://www.accaglobal.com/uk/en/student/exam-support-resources/

1. Internal Environment
2. Objective Setting
3. Event Identification
4. Risk Assessment
5. Risk Response
6. Control Activities
7. Information and communication
8. Monitoring

Page 12: Risk Management and Internal Auditor

1. Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

2. Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

3. Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

4. Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.


COSO ERM FRAMEWORK

Page 13: Risk Management and Internal Auditor

5. Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

6. Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

7. Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.

8. Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.


COSO ERM FRAMEWORK

Page 14: Risk Management and Internal Auditor

Key Implementation Factors ERM

• Organizational design of business
• Establishing an ERM organization
• Performing risk assessments
• Determining overall risk appetite
• Identifying risk responses
• Communication of risk results
• Monitoring
• Oversight & periodic review by management

Page 15: Risk Management and Internal Auditor

• Internal auditors play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.

• They assist management and the board or audit committee in the process by:
– Monitoring
– Evaluating
– Examining
– Reporting
– Recommending improvements

• Professional Practices & Standards
– 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually.
– 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems.
– 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.


Relationship Internal Auditor and ERM

Page 16: Risk Management and Internal Auditor


Three Lines of Defense

Page 17: Risk Management and Internal Auditor


Three Lines of Defense

Page 18: Risk Management and Internal Auditor


Three Lines of Defense

Page 19: Risk Management and Internal Auditor

• Reviewing critical control systems and risk management processes.
• Performing an effectiveness review of management's risk assessments and the internal controls.
• Providing advice in the design and improvement of control systems and risk mitigation strategies.
• Implementing a risk-based approach to planning and executing the internal audit process.
• Ensuring that internal auditing’s resources are directed at those areas most important to the organization.
• Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.
• Facilitating ERM workshops.
• Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management.


Role of Internal Auditor on ERM

Page 20: Risk Management and Internal Auditor

Management Expectation on Internal Auditor

Page 21: Risk Management and Internal Auditor


Internal Auditor & Customer Need

Audit Committee / Board:
• Safeguarding Assets
• Compliance with Laws and Regulations
• Reliability of Data
Need: QUALITY OF INFORMATION

Operating Management:
• Effectiveness and Efficiency of Operations
• Achievement of Organization
Need: CHANGE AGENT

What does the customer want? Customers of internal audit:
• Customer
• Regulator
• Supplier
• Auditee
• Audit Committee
• External Auditor

Page 22: Risk Management and Internal Auditor

Function
• Operation
• Financial Reporting
• Compliance

COSO - Internal Control
• Control Environment
• Risk Assessment
• Control Activities
• Information and communication
• Monitoring

BOC Expectation of the Internal Audit Function

• Improve SPI staff skills and competencies and their understanding of the business operations
• Provide consulting services
• Improve SPI’s communications with key stakeholders
• Provide a value-added internal audit function as well as improve the quality of reports
• Provide risk management and control assurance
• Provide regulatory and corporate compliance assurance
• Act as a mediator with external parties

Page 23: Risk Management and Internal Auditor

• Key improvements to meet management and stakeholder expectations:
– Align Internal Audit with the strategic goals of the organisation.
– Drive efficiency through integration, talent management and use of data analytics.
– Maintain a balance between assurance and advisory reviews.
– Run Internal Audit like a business.


How to meet Expectation

• How to meet management and stakeholder expectations:
– The internal auditor role should be established with a charter approved and reviewed annually at board level.
– The internal audit charter should describe the internal audit role in the organization it serves, including its purpose, authority, responsibility, and relationships with external organizations.
– The internal audit charter should be promoted across the organization at all levels and, as appropriate, across its supply chains and to its stakeholders.
– Internal audit should have measures in place to demonstrate its level of performance to the organization.
– Expectation gaps at organization and individual customer levels should be identified, and all performance measures continuously monitored, if the full added value of the internal audit role is to be achieved.
– New dimensions of the internal audit role in an organization should be continuously explored to ensure that it is at the cutting edge of its professional attributes and in its performance.

Page 24: Risk Management and Internal Auditor


Internal Audit Roles

Page 25: Risk Management and Internal Auditor


Risk-Based Audit (RBA) Methodology: PLAN

1. Understand the expectations of management & the Board of Commissioners
2. Risk Assessment
3. Audit Plan

Documentation of management & Board of Commissioners expectations:
• GMS (RUPS) resolution documents
• Board of Commissioners memos/letters
• BOD/RRD resolutions
• BPK & ICM (External Audit)

TOP PRIORITY RISK:
• Obtain executive management's commitment to the delivery of internal audit services
• Set the risk assessment criteria
• Understand the areas of management concern, even where those areas are not high-risk

Annual Audit Plan

Page 26: Risk Management and Internal Auditor


Role of SPI to Review Risk

Controllable Risk:
• Ensure Internal Control Management
• ICoFR
• System mitigation

Strategic Risk:
• Corporate Strategic Plan
• Business Development Unit
• Modeling & Workshop Mitigation

Uncontrollable Risk:
• Mitigate Corporate Risk Management
• PIMR Unit
• Prediction & Analysis

Page 27: Risk Management and Internal Auditor


WORK FRAMEWORK
− Preparation
− Execution
− Preparation of the Audit Results Report

WORK PLAN
− Representative
− Responsive
− Constructive

PROFESSIONAL ENGAGEMENT EXECUTION

Professional Standards for Internal Auditors (IIA):
− General Standards
− Field Work Standards
− Reporting Standards

PERIODIC REPORTS: Monthly & Annual
− Timing
− Content
− Including Follow Up

Page 28: Risk Management and Internal Auditor

Pertamina Experience

Page 29: Risk Management and Internal Auditor

Vision: To be a world-class national energy company

Mission: To carry out an integrated core business in oil, gas, renewable and new energy based on strong commercial principles

Values (6 C): Clean; Confident; Commercial; Competitive; Customer Focus; Capable

Pertamina Vision, Mission and Values

Page 30: Risk Management and Internal Auditor

Upstream
• Producer of oil and gas domestically and overseas
• Supplier for geothermal energy
• Gas transporter & trader

Downstream
• Refining
• Fuel business (kerosene, HSD/Diesel/MFO, etc) for industry
• Special fuel business for retail (PertaminaDex, Pertamax/PertamaxPlus)
• Aviation business
• Lube base business
• LPG business
• Petrochemical business
• Responsible for distributing fuel for Public Service Obligation (PSO), such as kerosene, gasoline, HSD
• Executor for kerosene conversion to LPG

Value chain: Upstream, Refinery, Shipping/Piping, Depot, Transportation, Gas station

Corporate
• Employees: 15,190 persons
• Subsidiaries & Affiliates: 19 Subsidiaries, 13 Affiliates

Other
• Insurance
• Hotel
• Medical
• Dana Ventura

Pertamina’s Scope of Business

Page 31: Risk Management and Internal Auditor

Business Process

Page 32: Risk Management and Internal Auditor

Performance & Governance

Company ranking (No. / Company):
2013: 1 Royal Dutch Shell; 75 Petronas; 122 Pertamina; 135 Unilever
2014: 1 Walmart; 69 Petronas; 123 Pertamina; 477 PLN
2015: 130 Pertamina; 477 PLN

Financial Statement Released: 16 November 2010; 21 April 2011; 9 March 2012; 15 February 2013; 14 February 2014; 13 February 2015; 12 February 2016

Good Corporate Governance Score: 94,27; 94,43; 94,50

Reference: Pertamina Annual Report & website

Page 33: Risk Management and Internal Auditor

Pertamina Transformation

Transformation to be World Class Internal Audit: Management Need, Analysis of Current Condition, Roadmap
• Determine Value Driver
• Define Current Condition of IA
• Derive IA Roadmap for performance development and IA function

Area of Improvement
• Organization
• HR Management
• Working practices
• Communication and Reporting
• Quality Assurance
• Knowledge Management
• Use of IT Audit Software

Timeline: Before 2009: AUDIT (Watchdog); 2010: Transformation; 2011: Assurance & Consulting based on RBA

Page 34: Risk Management and Internal Auditor

IA Pertamina Transformation to Best Practice

• Assurance and Consulting by implementing Risk Based Audit with Audit Management Systems tools

• Stabilization and implementation of the Internal Auditor repositioning through continuing evaluation

• Increasing the quantity of human resources through new recruitment

• Increasing the quality of human resources through training and certification.

EVALUATION OF GOVERNANCE & RISK; ASSURANCE OF INTERNAL CONTROL EFFECTIVENESS

Page 35: Risk Management and Internal Auditor

Steps in Repositioning IA

2009 – AREA OF IMPROVEMENT
1. Organization
2. Human Resources
3. Working Practice
4. Use of IT
5. Knowledge Management
6. Communication & Reporting
7. Quality Assurance

2009 – CATEGORIZING
• Workstream (Area 1,2)
• Workstream (Area 3,6)
• Workstream (Area 5,7)
• Workstream (Area 4)

2010 – DELIVERABLES
• Vision & Mission
• Internal Auditor Charter
• Organization Structure
• Working Practice
• IT Audit
• Risk Based Audit
• Audit Management Systems
• Knowledge Management
• Auditor Competence
• Quality Assurance

2011 – RESULT
• Auditor Vision & Mission
• Internal Auditor Charter
• Organization structured
• Audit Universe
• Working Practice
• SOP Risk Based Audit
• Knowledge Management Function
• Implementing RBA & AMS

Page 36: Risk Management and Internal Auditor

Strategic plan to achieve a world-class IA

Area of Improvement:
• QUALITY ASSURANCE: To develop a comprehensive Quality Assurance and Improvement Program
• KNOWLEDGE MANAGEMENT: Leverage technology to synthesize knowledge and make information readily available to both SPI staff and the auditees
• COMMUNICATION AND REPORTING: To communicate with clarity, brevity, accuracy and with
• USE OF IT: Enhance audit processes by integrating technology solutions into multiple aspects of SPI’s operations
• WORKING PRACTICES: Improve SPI’s processes to increase efficiencies and value delivered
• HUMAN RESOURCES: Maintain and bring in the right people to support the needs of Pertamina’s business
• ORGANISATION: To re-align the function to business processes and risks and build reputation

Reference: Pertamina Annual Report 2013

Page 37: Risk Management and Internal Auditor

Progress in Area of Improvement (chart; each area rated as of March 2009, as of February 2011, and against best practice):
• Quality Assurance
• Knowledge Management
• Communication and Reporting
• Use of IT Audit Software
• Working practices
• HR Management
• Organization

Page 38: Risk Management and Internal Auditor

Strategic Internal Audit Planning 2014-2018

Inputs: PERTAMINA ROADMAP; STAKEHOLDER EXPECTATION; VISION & MISSION; SWOT ANALYSIS

No | Strategic Plan | 7S Model | Timelines
1 | Refining the vision and IA Charter | Strategy | 2014
2 | Optimality of the quality assurance role, including evaluation of the implementation of the IA Code of Ethics | System, Shared Value | 2014-2018
3 | Improvement of the Risk Based Audit (RBA) methodology, including planning, implementation and reporting | System, Style | 2014-2018
4 | Implementation of Continuous Auditing methodology | System | 2014-2018
5 | Reorganization of IA: a. Group Control Function; b. BG M&T IA Function; c. Upstream IA Function | Structure |
6 | KPI of Integrated Audit/Secondment | System | 2014-2018
7 | Implementation of an auditor competency development system in a continuous manner | Staff, Skill | 2014-2018
8 | ICoFR Testing | System | 2014-2018
9 | Implementation of RBA in Subsidiaries | System | 2014-2018

Roadmap 2013-2015: WATCHDOG, to STRATEGIC BUSINESS PARTNER, to be STRATEGIC ADVISOR

Reference: Pertamina Annual Report 2013

Page 39: Risk Management and Internal Auditor

Key Achievement

• The Implementation of Assurance and Consulting: conducted on 59 areas/activities of the company
• Initiatives of the Internal Audit: Internal Control Framework; Developing Continuous Controlling System (CCS); Implementation of Internal Control Over Financial Reporting (ICoFR); Fraud Prevention Program
• Internal Audit Image: Performance Improvement Programme
• Professionalism Improvement: by pursuing international & national certification programs and training programs
• Coordination with External Auditors: Government Auditor (BPK), Government Internal Auditor (BPKP) and External Auditor

Reference: Pertamina Annual Report 2013

Page 40: Risk Management and Internal Auditor

Reference: Pertamina Annual Report 2013

Internal Audit Organization Structure

Page 41: Risk Management and Internal Auditor

Reference: Pertamina Annual Report 2013

Internal Audit Charter

Vision: To be a professional and trusted Internal Audit function by applying the best practices of world-class energy companies.

Mission: To add value to the Company through independent and objective assurance and consulting activities, in accordance with internationally applicable professional standards.

Objectives:
1. To help the Company achieve its objectives effectively and efficiently by evaluating and recommending improvements to the effectiveness of corporate governance, risk management and internal control.
2. To assist Company management and other stakeholders by providing advice, considerations and recommendations that are useful for improving the effectiveness and efficiency of the Company.

Scope: Internal Audit engagements cover all areas and operational activities and businesses of the company, together with its subsidiaries, affiliates and other relevant parties, in order to evaluate and improve the effectiveness of corporate governance, risk management and internal control.

Page 42: Risk Management and Internal Auditor

Reference: Pertamina Annual Report 2013

Internal Audit Charter

Independence: Internal Audit is led by a CAE who reports to the President Director (Dirut); the CAE is appointed and dismissed by the President Director with the approval of the Board of Commissioners (Dekom); Internal Audit is prohibited from being involved in operational activities that could impair its independence; etc.

Authority: Unrestricted access to all data, functions, activities and resources of the Company; coordination with the external auditor, other oversight institutions and the Audit Committee; oversight of subsidiaries in accordance with the corporate relationship charter; etc.

Duties & Responsibilities: Carry out oversight activities; report the results to the President Director and the competent parties; carry out investigative audits; report the results of oversight activities to the Board of Commissioners through the Audit Committee; etc.

Auditor Requirements: Possess integrity, professionalism, independence, honesty and objectivity, and technical audit knowledge; comply with professional standards and the code of ethics; understand the principles of good corporate governance; etc.

Internal Audit Execution Standards: An Internal Audit Work System and Code of Ethics that refer to the International Standards for the Professional Practice of Internal Auditing issued by the IIA.

Page 43: Risk Management and Internal Auditor

Reference: Pertamina Annual Report 2013

Code of Ethics

Integrity: Honesty, objectivity and diligence in performing duties and fulfilling professional responsibilities. Loyalty to the organization, but without involvement in activities that are improper or unlawful. The auditor must not knowingly engage in any act or activity that could discredit the profession or the organization.

Objectivity: The auditor must refrain from activities that could create conflicts of interest or bias such that the auditor's ability to perform duties and fulfil professional responsibilities objectively is called into question. The auditor must not accept anything, in any form, that could influence, or could reasonably be suspected of influencing, professional judgment. The auditor must disclose all material facts known in the report on the engagement, and must not distort reports or conceal unlawful practices.

Confidentiality: The auditor must not use information obtained in the course of duties for personal gain, in a manner contrary to law, or in a way that could cause harm to the organization.

Competence:
• Must make every effort to continually meet the International Standards for the Professional Practice of Internal Auditing.
• Must continually improve competence through continuing professional education, for the effectiveness and improved quality of the performance of duties.
• Must perform only those services that can be completed using the professional competence possessed.

Page 44: Risk Management and Internal Auditor

Annual Audit Plan: What We Do

Review available information and identify relevant processes: Relevant Key Processes; Audit Universe; Auditable Areas; Updated Risk Profile.

Prioritizing Audit Objects (before Raker/Rakor). The objective is to rate the business processes in the Audit Universe in relation to the level of risk, based on the results of the risk assessment:
• Map the Updated Risk Profile to the Audit Universe
• Document Audit Objects / Auditable Areas relevant to the Updated Risk Profile
• Prioritize Auditable Areas considering: the last audit finding and opinion; the Company’s loss events in the current/previous year; Internal Audit long-term planning

Raker/Rakor: Bring the draft Auditable Areas to Raker/Rakor to consider:
• Input from the Audit Committee
• Input from SVP/VP/Mgr of the operational functions
• Law/regulatory opinion
• Objective opinion from IA members regarding high-risk areas

Then: Finalizing Documentation; Knowledge Sharing; Project Management.

Page 45: Risk Management and Internal Auditor


IA Process: Risk Based Audit Approach

Page 46: Risk Management and Internal Auditor

Quality Assurance & Improvement Program (QAIP)

The QAIP provides reasonable assurance to stakeholders over the Internal Audit activity.

Stakeholder Satisfaction Survey: conducted through the Auditee Feedback Survey and the Stakeholders Satisfaction Survey.

Improving the image of Internal Audit: improving the Internal Audit Maturity Level, as assessed by an External Quality Assurance review.

Page 47: Risk Management and Internal Auditor

Quality Assurance & Improvement Program

Internal and External Assessment

“THE CHIEF AUDIT EXECUTIVE MUST DEVELOP AND MAINTAIN A QUALITY ASSURANCE AND IMPROVEMENT PROGRAM THAT COVERS ALL ASPECTS OF THE INTERNAL AUDIT ACTIVITY” (IIA AS 1300)

Quality Assurance & Improvement Program: The quality assurance and improvement program must include both internal and external assessment.

Internal Assessment (IIA AS 1311)
• Ongoing Monitoring: team supervision, KPI monitoring, Auditee Feedback Survey
• Periodic Reviews: performed by the QA Team within the IA organization, with sufficient knowledge of IA practices (Stakeholder Satisfaction Survey)

External Assessment (IIA AS 1312)
• Periodic Reviews: the external review was performed in 2013

Page 48: Risk Management and Internal Auditor

Consulting Services

Participant in interdepartmental working teams

The Internal Audit Department provides support to other departments in various activities:
• Participates in the work group in charge of mapping the User Access Matrix (mySAP Application)
• Participates in the Fraud Awareness Program
• Participates in the work group in charge of Internal Control over Financial Reporting (ICoFR) development

Page 49: Risk Management and Internal Auditor

Other Activities

Key Strategic Initiatives


Developing Continuous Audit Monitoring System

Competency Development and Certification

Coordination with External Auditor

Page 50: Risk Management and Internal Auditor

IA's added value for the Company

1. IA's added value accelerates the process of achieving the company's ultimate goal.

2. IA's added value can be created in the audit process itself, in the final audit results, and in IA's role in exercising control within an organization.

3. SPI provides added value in four domains:

• Strategic

• Operation

• Reporting

• Compliance

4. The audit results must provide added value in those four domains, not merely a completed audit activity and an audit report handed over to the auditee and the board of directors.

Page 51: Risk Management and Internal Auditor

How SPI delivers added value - 1


1. Role

• Create a culture of control in the organization, so that every member of the organization stays aware of the need to comply and to pursue efficiency and effectiveness in carrying out their activities, because those activities will be evaluated by SPI.

• Compliance, working efficiently and effectively, discipline and upholding ethics are basic prerequisites for an internal auditor. The examining party must be more compliant and better than the party being examined. This condition creates individuals who continuously improve, so that the internal audit unit produces Pertamina people who can serve as role models in their work.

• The SPI organization must be able to serve as an example or role model in managing an organization, in terms of compliance, governance, efficient and effective organizational management, and its ability to formulate strategic goals aligned with the organization's objectives.

• SPI's role requires people who continuously learn and keep up with the development of the company and its environment, so that they can understand the problems in the field when conducting an audit.

Page 52: Risk Management and Internal Auditor

How SPI delivers added value - 2


2. Audit process

• The audit process is carried out in the spirit of improvement, not merely of finding fault.

• Provide integrative improvements rather than merely assigning blame.

• Listen to the auditee, including their reasons; the root of the problem may well lie in those reasons.

• Focus on the root cause so that an integrative solution can be given, because often the problem is not the error itself but the cause of the error or deviation. For example, in a case of oil theft, do not merely establish the loss to the company; analyze comprehensively the weaknesses in the company's internal control, the weaknesses in regulation, law enforcement, and the sociological aspects of why the theft could occur.

• Make the audit process a medium for dialogue and for consulting the auditee on what should be done, giving advice on the errors that occurred.

Page 53: Risk Management and Internal Auditor

How SPI delivers added value - 3


3. Audit report

• The internal audit report must be communicated well with the auditee, without reducing internal audit's independence and objectivity.

• The internal audit report must be integrative in describing problems. Often a problem in one unit is caused by problems or errors in another unit, by regulatory errors, and so on.

• The solutions given must be comprehensive. If a solution has to be resolved at a higher organizational level because it involves relationships between units, it must be discussed and resolved at that higher level.

• Avoid audit results becoming merely a pile of documents, because added value is created only when audit results bring about change for the better.

• Communication with the board of directors and the chair of the audit committee is important for following up strategic problems that have a significant impact on the organization as a whole.

Page 54: Risk Management and Internal Auditor

Added value - strategic


1. Internal audit's role is not only to evaluate processes; based on the audits it performs, it can also evaluate the strategy the company has chosen.

2. The results of evaluating internal control, organizational efficiency and effectiveness, and compliance can provide input that changes the company's strategy, objectives, vision or mission.

3. SPI actively provides input to the planning and business development function based on the audits it performs.

4. The annual evaluation of SPI's audit results must produce input to the board of directors on the strategic matters that need to be addressed.

5. SPI provides input to the corporate business planning unit for developing the annual plan and the long-term plan, based on the evaluation of the audits performed.

Page 55: Risk Management and Internal Auditor

Added value - operation


1. IA's role is not only to assess whether the audited object is efficient and effective, but also to advise on what must be done to improve the efficiency and effectiveness of the object examined.

2. IA must be able to internalize a culture of efficiency and effectiveness in the organization through the evaluations it performs.

3. The focus of audits should be chosen from the least efficient units, with continuous monitoring until they reach a level of efficiency equal to that of the other organizational units. Meanwhile, units considered efficient are still sampled to make sure they remain efficient and keep improving their efficiency.

4. Audits must create change and deliver improvements in efficiency and effectiveness. When a unit is audited, the expectation is that the unit changes for the better as a result of the audit performed.

Page 56: Risk Management and Internal Auditor

Added value - reporting


1. The reliability of financial statements comes from an accountable recording process.

2. IA must ensure that internal control over financial reporting operates well, so that every transaction document is processed according to procedure.

3. IA's role as the tester of ICoFR must be carried out by testing the certifications made by the control owners.

4. In corporate reporting, IA must ensure that management does not engage in earnings management, which could lead to inaccurate financial statements that harm the public.

Page 57: Risk Management and Internal Auditor

Added value - compliance


1. Internal audit must be able to create a culture of compliance, meaning that the existence of SPI makes every member of the organization unwilling to commit non-compliance.

2. When an audit finds non-compliance, do not merely assess it; look for the root cause of why the non-compliance occurred. Non-compliance often arises because procedures are inappropriate or internal controls are unreliable, so the recommendations given should add value by improving the procedures and internal controls already in place.

Page 58: Risk Management and Internal Auditor


THANK YOU