Materi Sharing RBA (RBA Sharing Material)

Uploaded by

Yunina Mardiana

RISK BASED AUDIT - INTRO AND GUIDELINES

Lucky Hatreztyo, SE. MBA, CRA, GRCP, GRCA
Experience:
◦ Current Pos: VP of Risk Management AP2 Group and Adjunct lecturer at SGU (Swiss German University)

Previous Pos:
◦ PT Jalin Pembayaran Nusantara- Head Of Risk And Compliance
◦ Indosat-Head Of PMO ERM Implementation
◦ Mahadasha-Head Of ERM
◦ ASEI-Head Of Risk Management
◦ Tokio Marine (auditor)
◦ Jasindo-Staff Risk Management and GCG

Consulting:
◦ Group Ethos Kreatif Indonesia (manufacturing, digital marketing and retail)
◦ Semen Indonesia
◦ Telkom
◦ Elnusa
◦ PT IKT (Indonesia Kendaraan terminal)
◦ PT PII
A quote
Risk is everywhere……

Risk is an intrinsic part of a business!!!!

Without Risk!! NO opportunities!!

Have we measured it precisely??


A definition of risk

Risk - “effect of uncertainty on objectives” (ISO 31000)

NOTE 1 An effect is a deviation from the expected — positive and/or negative (with respect to achieving objectives).
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized (i.e. named, e.g. credit risk) by reference to potential events (2.17) and consequences (2.18), or a combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence.
What Is Your Definition?

LOSS?? OR Gain???
Risk And Perceptions
◦ Result from actual and technical analysis of risk
◦ How risk is perceived by its stakeholders
Perception will drive risk appetite!!!! and thus the decision made.
What Drives Perceptions

Sender → Filters → Receiver

Filters:
•Culture, norms, beliefs, values, literacy, language
•Heuristic bias, psychological programming
•Skills and interest in adopting new behavior
•Infrastructure/ partners/ resources
•Other competing messages
Risk Analysis
How can we do a Risk Analysis? Question for us?

Qualitative:
• Risk identification
• Risk rankings
• Risk maps
• Risk maps with impact and likelihood
• Risks mapped to objectives or divisions
• Identification of risk correlations

Qualitative and quantitative:
• Validation of risk impact
• Validation of risk likelihood
• Validation of correlations
• Risk-corrected revenues
• Tornado charts
• Scenario analysis
• Benchmarking
• Net present value
• Traditional measures

Quantitative:
• Probabilistic techniques
• Cash flow at risk
• Earnings at risk
• Earnings distributions
• EPS distributions
• Gain/loss curves
Risk And Decision Making
Should I look around before crossing the street??
◦ Yes: incoming cars / no cars
◦ No: incoming cars / no cars

WHICH ONE ARE YOU?
Why Risk Management??
An inspiring quote….

"It's only when the tide goes out that you know who's been swimming naked."

Prepare ourselves….

A downturn event will expose those who had been taking on excessive risk when times were good.

Prepare ourselves with belt and suspenders in the form of financial strength and quality operating businesses…….
Preparing our ship
The world is changing fast
◦ Globalization and tight industry competition
◦ Rapid change in resources and environment
◦ Stakeholder high expectation
◦ High increase in intangible assets (especially in money market)
◦ Rapid change in technology and knowledge
◦ Regulatory explosion and political impact
◦ etc.
Do we have enough ability and resources to adapt and face the rapid changes??
Example..
◦ Globalization and tight industry competition (e.g. MEA)
◦ Rapid change in resources and environment (e.g. financial and non-financial needs and availability in the market to grow)
◦ Stakeholder high expectation (e.g. shareholder expectation, media perception, regulator demand, employee demand, etc.)
◦ High increase in intangible assets (especially in money market) (e.g. speculative energy prices, volatility on stock market, foreign exchange movement)
◦ Rapid change in technology and knowledge (e.g. technology growth to serve the community, easier ways to do and gather information)
◦ Regulatory explosion and political impact (e.g. OJK and other regulator expectations, regional political regulation and political behavior)
Managing so many stakeholder expectations
◦ Shareholder: decision to invest or hold shares
◦ Media: media coverage and pressure groups' willingness to give benefit of the doubt when crisis occurs
◦ Clients: willingness to buy/use
◦ Partners: willingness to partner
◦ Lenders: decision to lend and giving rational rate
◦ Competitors: determination to enter and take over market
◦ Employee: eagerness of new employee and loyalty of existing employee
◦ Regulators: regulator attitude and change
(Management sits at the centre of all of these expectations)
Question for us??
◦ Do we really know our strategic position today?
◦ Do we have a proper business process to keep up with all changes and adapt?
◦ Do we have sufficient resources to grow and adapt to any of the changes?
◦ Have we done prudent investment preparation and analysis for any incoming project?
◦ Have we complied with all existing regulations?
◦ Do we understand what our strategic obstacles are?
◦ etc.
Implementation drivers..
◦ Assurance in strategic implementation and business target achievement
◦ One way to avoid big surprises like a “BLACK SWAN”
◦ Assurance that costs are managed effectively and efficiently
◦ Long term business sustainability assurance
◦ Increasing corporate and shareholder value
◦ Avoiding “expected loss”
◦ And others…
Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value and
improve an organization's operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and
governance processes.
Assurance

Assurance activities certainly include the traditional internal audit, but also include other services. The glossary to the Standards defines an assurance engagement as an objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples of the types of engagements that would be considered assurance engagements include financial, performance, compliance, system security, and due diligence audits.
Consultancy

The glossary defines consulting activities as advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization’s operations. Consulting activities, though new to the definition and the Professional Standards, include activities that have long been performed as part of the internal audit function’s work. This includes such activities as conducting internal control training, providing advice to management about the control concerns in new systems, drafting policies, and participating in quality teams.
Role Of Internal Audit In Risk Management

Standard 2120 – Risk Management states that “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.” Specifically, the standard requires the internal audit activity to assess whether:
◦ The organization’s objectives align with its mission.
◦ Management assesses significant risks.
◦ Management’s risk responses align risks with the organization’s risk appetite.
◦ Relevant risk information is captured and communicated timely throughout the organization, including to the board.
Risk-based Internal Audit
IIA defines risk based internal auditing (RBIA) as a methodology that links internal auditing to an organisation's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.

A dynamic process. RBIA is at the cutting edge of internal audit practice. As a result, it is an area that is evolving rapidly and where there is still little consensus about the best way to implement it.

It is more difficult to manage than traditional methodologies. Monitoring progress against an annual plan that is constantly changing is a challenge. Setting targets and appraising staff may become more complex.
Risk-based Internal Audit
Stage 1: Assessing risk maturity
Obtaining an overview of the extent to which the board and management determine, assess, manage and monitor risks. This
provides an indication of the reliability of the risk register for audit planning purposes.
Stage 2: Periodic audit planning
Identifying the assurance and consulting assignments for a specific period, usually annual, by identifying and prioritising all those
areas on which the board requires objective assurance, including the risk management processes, the management of key risks,
and the recording and reporting of risks.
Stage 3: Individual audit assignments
Carrying out individual risk based assignments to provide assurance on part of the risk management framework, including on the
mitigation of individual or groups of risks.
Risk-based Internal Audit
Advantages: By following RBIA, internal audit should be able to conclude that:
1. Management has identified, assessed and responded to risks above and below the risk appetite
2. The responses to risks are effective but not excessive in managing inherent risks within the risk appetite
3. Where residual risks are not in line with the risk appetite, action is being taken to remedy that
4. Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively
5. Risks, responses and actions are being properly classified and reported.

This enables internal audit to provide the board with the assurance it needs on three areas:
1. Risk management processes, both their design and how well they are working
2. Management of those risks classified as 'key', including the effectiveness of the controls and other responses to them
3. Complete, accurate and appropriate reporting and classification of risks
Risk-Based Internal Audit-Risk Maturity

Risk Maturity: Characteristic
◦ Risk Naïve: No formal approach developed for risk management
◦ Risk Aware: Scattered silo based approach to risk management
◦ Risk Defined: Strategy and policies in place and communicated
◦ Risk Managed: Council wide approach to risk management developed and communicated
◦ Risk Enabled: Risk management and internal control fully embedded in the operations of the Council
Risk-Based Internal Audit-Audit Approach
(Risk maturity: characteristic / monitoring / control)

Risk Naïve
◦ Characteristic: Can't conduct RBA; improve to Defined, then an audit related to risk factors can be developed
◦ Monitoring: Low monitoring of risk activity
◦ Control: Existence of limited control in activities

Risk Aware
◦ Characteristic: Can't conduct RBA; improve to Defined, then an audit related to risk factors can be developed
◦ Monitoring: Monitoring of risk activity conducted in limited areas
◦ Control: Control in place but not integrated with risk issues

Risk Defined
◦ Characteristic: Assurance and consulting approach
◦ Monitoring: Monitoring of risk activity in some areas, supported by quick response
◦ Control: Partial risk already identified and measured and being reviewed timely

Risk Managed
◦ Characteristic: Assurance approach
◦ Monitoring: Almost all areas have been monitored and risk is part of KPI; the effectiveness of implementation is already defined and achieved
◦ Control: All risk already identified and measured and consistently being reviewed

Risk Enabled
◦ Characteristic: Assurance approach
◦ Monitoring: All areas have been monitored and risk is part of KPI; the effectiveness of implementation is already defined and achieved
◦ Control: All risk already identified and measured and consistently being reviewed
Maturity Level RIMS
Development based on RIMS with 5 levels of maturity: Non existence, Ad hoc, Initial, Repeatable, Managed, Leadership.

RIMS (Risk Management Society) Maturity Model Assessments

All risk management programs will be developed to match the ERM maturity target.

*25 ERM success components and 71 competency drivers that are mapped and benchmarked to ISO 31000: 2009; OCEG ”Red Book” 2.0: 2009; BS 31000: 2008; COSO: 2004; FERMA: 2002; and Solvency II: 2012 risk standards.
Attributes
(1) Adoption of ERM-Based Approach. Description: Degree of executive support for an ERM-based approach within the corporate culture. This goes beyond regulatory compliance across all processes, functions, business lines, roles and geographies. Degree of integration, communication and coordination of internal audit, information technology, compliance, control and risk management.
(2) Uncovering Risks. Description: Degree of quality and penetration coverage of risk assessment activities in documenting risks and opportunities. Degree of collecting knowledge from employee expertise, databases and other electronic files (such as Microsoft® Word, Excel®, etc) to uncover dependencies and correlation across the enterprise.
(3) ERM-Process Management. Description: Degree of weaving the ERM Process into business processes and using ERM Process steps to identify, assess, evaluate, mitigate and monitor. Degree of incorporating qualitative methods supported by quantitative methods, analysis, tools and models.
(4) Risk Appetite Management. Description: Degree of understanding the risk-reward tradeoffs within the business. Accountability within leadership and policy to guide decision-making and attack gaps between perceived and actual risk. Risk appetite defines the boundary of acceptable risk and risk tolerance defines the variation of measuring risk appetite that management deems acceptable.
(5) Root Cause Discipline. Description: Degree of discipline applied to measuring a problem’s root cause and binding events with their process sources to drive the reduction of uncertainty, collection of information and measurement of the controls’ effectiveness. The degree of risk from people, external environment, systems, processes and relationships is explored.
(6) Business Resilience and Sustainability. Description: Extent to which the ERM Process’s sustainability aspects are integrated into operational planning. This includes evaluating how planning supports resiliency and value. The degree of ownership and planning beyond recovering technology platforms. Examples include vendor and distribution dependencies, supply chain disruptions, dramatic market pricing changes, cash flow volatility, liquidity, etc.
(7) Performance Management. Description: Degree of executing vision and strategy, working from financial, customer, business process and learning and growth perspectives, such as Kaplan’s balanced scorecard, or similar approach. Degree of exposure to uncertainty, or potential deviations from plans or expectations.
Nonexistent
No recognized need for an ERM Process and no formal responsibility for ERM. Internal audit, risk management, compliance and financial activities might exist but aren’t
integrated. Business processes and risk ownership aren’t well defined.
Level 1: Ad Hoc
Corporate culture has little risk management accountability. Risk management is not interpreted consistently. Policies and activities are improvised. Programs for compliance,
internal audit, process improvement and IT operate independently and have no common framework, causing overlapping risk assessment activities and inconsistencies. Controls
are based on departments and finances. Business processes and process owners aren’t well defined or communicated. Risk management focuses on past events. Qualitative risk
assessments are unused or informal. Risk management is considered a quantitative analysis exercise.
Level 2: Initial
Risk culture is enforced by policy interpreted as compliance. An executive champions ERM management to develop an ERM Process. One area has used the ERM Process, as
shown by the department head and team activities. Business processes are identified and ownership is defined. Risk management is used to consider risks in a far-sighted
manner.
Level 3: Repeatable
ERM risk plans are understood by management and the organization. Senior management expects that a risk management plan includes a qualitative risk assessment for
significant projects, new products, business practice changes, acquisitions, etc. Most areas use the ERM Process and report on risk issues. Process owners take responsibility for
managing their risks and opportunities. Risk management creates and evaluates far-sighted scenarios.
Level 4: Managed
Risk culture is associated with career advancement. The organization is self-governed with shared ethics and trust; promise-makers are held accountable. Risk management issues
are understood at all levels and risk plans are conducted in all business process areas. The Board of Directors, CEO and Chief Risk Officer expect a risk management plan to include
a qualitative risk assessment for significant projects, new products, business practice changes, acquisitions, etc. with reporting to the Board on priorities. All areas use the ERM
Process to enhance their functions via the ERM framework, with frequent and effective communication on risk issues. Process owners incorporate managing their risks and
opportunities within regular planning cycles. All areas create and evaluate far-sighted scenarios and follow-up activities.
Level 5: Leadership
Risk culture is analyzed and reported as a systematic view of evaluating risk. Executive sponsorship is strong and the tone from the top has sewn an ERM Process into the
corporate culture. Board of Directors, senior management and the Chief Risk Officer communicate risk management’s importance in daily decisions. Risk management is
embedded in each business function. Internal audit, information technology, compliance, control and risk management are highly integrated and coordinate and report risk
issues. All areas use risk-based best practices. The risk management lifecycle for each business process area is routinely improved.
Systematic Approach To Creating And Maintaining A Risk-based Internal Audit Plan

◦ Understand the organization.
◦ Identify, assess, and prioritize risks.
◦ Coordinate with other providers.
◦ Estimate resources.
◦ Propose plan and solicit feedback.
◦ Finalize and communicate plan.
◦ Assess risks continuously.
◦ Update plan and communicate updates.

Internal auditors should take into account their organization’s level of maturity, especially the degree of integration of governance and risk management. Auditors may need to adapt the guidance to the specifics of the industries, geographic locations, and political jurisdictions in which their organizations operate.

*Developing the Risk-based Internal Audit Plan - The IIA
Internal Audit Plan Dev Cycle
Understanding the Organization
Identifying Objectives, Strategies, and Structure
◦ Understanding the organization’s risk management processes requires identifying how the roles and responsibilities of risk management and governance are coordinated
Involves:
◦ The implementation of systems of control by operational and line management.
◦ The provision of assurance that systems of risk management and control have been designed effectively and are operating as designed. Risk management, compliance, quality control, and similar functions provide such assurance.
◦ The provision of independent assurance and advice over governance, risk management, and control processes by the internal audit activity.
Understanding the Organization
Reviewing Key Documents
◦ Reviewing key documents to gain insight into the organization’s business processes and potential risks and control points
◦ To identify if the company has implemented any tools for continuous risk
◦ Internal auditors may gather information from the risk reports or other assurance reports
◦ Supplemental information may be drawn from assessments and reports previously produced by internal and external auditors.
◦ Other information could be gathered from internal regulation documents such as policy and standard operating procedures

What documents to identify, not limited to:
◦ RKAP/RJPP (annual work plan and budget / long-term corporate plan)
◦ Vision and mission
◦ Organizational structure
◦ Risk register and risk profile
◦ Completeness of corporate governance and its instruments
◦ Internal regulation documents
◦ Meeting minutes
Understanding the Organization
Consulting with Key Stakeholders
Ongoing communication helps ensure that senior management, the board, and the internal audit activity share a common understanding of the organization’s risks and assurance priorities.

What to do:
◦ Meetings with Board and Governance Committees (Internal Audit may learn about the latest developments in the organization and be alert to potential risks that could result from the changes discussed with the committee)
◦ Meetings with Management (Internal auditors may meet with key members of operational or line management, such as vice presidents and directors in each business area, as well as employees performing operational tasks)
◦ Doing Informal Communication (Internal Audit must understand that information obtained informally may complete internal audit’s understanding of the organization, providing realistic details that are not disclosed formally)
◦ Surveys, Interviews, Brainstorming, Research (Internal audit can assess and understand the organization by doing some activities which are especially useful for identifying emerging risks and fraud risks.)

Stakeholders, not limited to:
◦ Regulator
◦ Board: audit committee, risk committee, governance committees, individual board members.
◦ Senior management
◦ Second line functions.
◦ Operational/line management.
◦ Employees performing key operational tasks.
◦ External auditors/regulators, as indicated (industry-specific).

How to communicate:
◦ Face-to-face meetings.
◦ Online
◦ Meeting/Conferences
◦ Workshop/Group
◦ Brainstorming
◦ Survey and interview
◦ Informal communication
Understanding the Organization
Sources of Emerging Risk Information, not limited to:
◦ Changes in management priorities, business processes, technology (IT), and operations.
◦ Ethics/whistleblower system for fraud risks.
◦ Geopolitical developments.
◦ Legal and regulatory changes.
◦ Requests from senior management and the board.
◦ New projects and change programs.
◦ Prior risk assessments from management and internal audit activity (including fraud, IT, and financial controls).

Tools Hint:
◦ PESTEL
◦ SWOT
◦ Brainstorming
Understanding the Organization
Creating or Revising the Audit Universe
An audit universe is a list or catalog of all potentially auditable units within an organization.
An audit universe simplifies the identification and assessment of risks throughout the organization. It is a step toward discovering which auditable units have levels of risk that warrant further review in dedicated internal audit engagements. Ensuring the audit universe will capture all risks is challenging because some risks exist in the interface between organizational units or between the organization and the external environment.
Internal Audit could consider the following sources of risk information:
◦ Organization’s strategy and chain of value creation.
◦ All major areas, units, departments, and projects and their strategies, objectives, and processes (at high level, from the organizational chart, legal, and/or ERM framework).
◦ Third-party vendors (from legal, procurement, or contract management functions).
◦ Processes and subprocesses of all major functions (from process mapping activities such as those required by ISO).
◦ Major IT applications and information systems assets, including hardware, software, and the information they contain (from IT management).
◦ Regulatory and legal compliance requirements that apply to the organization.
◦ Nonfinancial performance indicators (e.g., environmental, health and safety, social, governance).
Understanding the Organization
Internal Audit Documentation
◦ Internal audit charter noting expectations of management and the board and requirements for internal audit
conformance with the IPPF as well as compliance with laws, regulations, and other industry requirements.
◦ Organization’s risk management framework (risk categories and individual risks with descriptions).
◦ Comprehensive, consolidated risk register (risk universe).
Internal Audit Risk Assessment
Understanding the Significance of Independent Assessment
Risk assessment enables Internal Audit to focus on those risks that rate among the most significant and to identify manageable, timely, and value-adding engagements that reflect the organization’s priorities.
Internal auditors should do their own work to validate that all key risks have been documented and that the relative significance of risks is reflected accurately.
Internal Audit Risk Assessment
Understanding Business Objectives, Strategies, and Risks
Some organizations may categorize business objectives as strategic, functional, or process-level.
COSO’s ERM framework defines opportunity as an “action or potential action that creates or alters goals or
approaches for creating, preserving, and realizing value.”
Internal auditors should consider that “risks represent the barriers to successfully achieving … objectives as well as the opportunities that may help achieve those objectives.” Indeed, “risks may relate to preventing bad things from happening (risk mitigation) or failing to ensure good things happen (that is, exploiting or pursuing opportunities).”
Basic Information:
Risks Related to Business Objectives
Risks Include Opportunities
Internal Audit Risk Assessment
Documenting Risks-Risk Categories
Each business unit or function in the organization may have a different way of viewing and measuring business objectives, processes, and risks. Creating risk categories introduces reliability and consistency throughout an organization when identifying, communicating about, and analyzing risks and risk management processes.
Specific frameworks, approaches, and industries may recommend or require the use of certain risk categories. If the organization uses a risk management framework, the internal audit activity should align its categories to those of the framework. If no framework or risk categories exist, internal auditors can brainstorm with management about risks relevant to the organization by starting with a taxonomy of risk categories common to most organizations, such as strategic, operational, compliance, and financial risks.

Types of risk categories, not limited to:
◦ COSO: Risk category (financial, operational, strategic, compliance) and sub-category (market, credit, liquidity, etc.) for business units, corporate functions, and capital projects.
◦ Regulated policies (POJK)-Banking/Insurance/Multifinance/Financial Group: Operational risk, Strategic risk, Credit risk, Market risk, Liquidity risk, Reputational risk, Legal risk, Compliance risk, Intragroup risk.
Internal Audit Risk Assessment
Environmental, Social, and Governance Risks
Investors, consumers, and the public have come to expect organizations to measure and report on their environmental, social, and governance (ESG) efforts.
Internal auditors should participate in their organization’s ESG dialogue and understand their organization’s ESG efforts, particularly how those efforts align with stakeholder expectations.

Types of risk events, not limited to:
◦ Environmental requirements and compliance risks apply to the supply chain, products, and services. Environmental fraud, such as cheating on emissions standards, is receiving not just regulatory attention but also greater public scrutiny.
◦ Social risks involve the impact an organization has on employees, customers, suppliers, and communities. Maintaining positive relationships with these stakeholders sustains public trust in the organization.
◦ Governance risks are related to strategies, policies, and oversight regarding sustainability, board structure and composition, executive compensation, political lobbying, bribery, corruption, and fraud.
Internal Audit Risk Assessment
Risk Assessment Approaches

Some common methods for identifying, documenting, and assessing risks are the “specific-risk approach,” “risk-by-process approach,” and “risk factor approach.” Internal auditors may customize their approach to the organization wide risk assessment, and many use a hybrid (i.e., a combination of approaches). The feedback of senior management and the board (and relevant committees of each) should be taken into account when selecting an approach and criteria for the comprehensive risk assessment.

Risk assessments typically include both quantitative and qualitative methodologies. An abundant selection of software is available to help the internal audit activity perform risk assessments that result in both quantitative and qualitative data.

Types of risk assessment, not limited to:
◦ A specific-risk approach may be considered bottom-up because it involves identifying risks associated with each specific auditable unit in the audit universe. This approach is frequently used for risk assessments related to individual audit engagements but may become cumbersome when extended to the organizational level, where the number of auditable units and risks becomes quite large.
◦ A risk-by-process approach is similar to a specific risk approach. Internal auditors and management start by considering business processes throughout the organization as the auditable units. Key risks are mapped to each process.
◦ A risk-factor approach is considered top-down because it looks at high-level conditions that are common across most auditable units. This approach is commonly used when performing a comprehensive, organization wide risk assessment because it provides a macro-level view.
Internal Audit Risk Assessment
A risk-factor approach is considered top-down because it looks at high-level conditions that are common across most auditable units. This approach is commonly used when performing a comprehensive, organization wide risk assessment because it provides a macro-level view.

Examples of risk factors and risk factor categories include:
◦ Relative level of activity (e.g., number of transactions).
◦ Materiality (magnitude of revenue or expense).
◦ Liquidity of assets involved.
◦ Impact on brand (public perception, reputation).
◦ Failure to meet goals.
◦ Management competency, performance, turnover.
◦ Known deficiencies (previous unsatisfactory engagement results).
◦ Degree of change in systems, policies, procedures, contracts, relationships.
◦ Susceptibility to fraud.
◦ Complexity of operations.
◦ Degree of third-party reliance.
◦ Strength of internal controls, control environment.
◦ Degree of regulatory involvement, compliance concerns.
◦ Time since last assessment or audit.
Internal Audit Risk Assessment
Measuring Risk

In their risk assessments, internal auditors should estimate both inherent risk — the risk that exists if no controls were in place — and residual risk.
Internal auditors need to be able to consider whether risk mitigation techniques are effectively designed and operating.
Internal audit’s risk assessments start by considering inherent risk, the combination of internal and external risks in their pure, uncontrolled state.

◦ Risk Management Strategies and Residual Risk (Residual risk, or net risk, is the portion of inherent risk that remains after management executes its risk management strategies)
◦ Impact and Likelihood Ratings (Impact and likelihood are two measures recognized in The IIA’s definition of risk)
◦ Risk Factors and Total Risk Score (Risk factors are elements that generally increase the impact or likelihood of risk to the related auditable unit, and in the risk-factor approach, risk ratings are assigned to the risk factors themselves, rather than to the level of impact or likelihood)
◦ Heat Map (Risk assessment results with levels of risk for each auditable unit may be depicted graphically in a heat map or similar chart to help show the ranking of priorities. Heat maps are especially useful when certain criteria are weighted more heavily than others and in visual presentations to the board and senior management.)
Internal Audit Risk Assessment
Validating Risk Assessment with Management
The internal audit activity considers stakeholder input throughout the process of developing the internal audit
plan, and this feedback informs the internal audit activity’s risk assessment. At the same time, the internal audit
activity must remain independent and objective — unbiased by management — including in its risk assessment.
Internal Audit Risk Assessment
Internal Audit Documentation
◦ Audit universe listing auditable units.
◦ Notes on brainstorming and assessing emerging risks and fraud risks.
◦ Risk assessment including analysis of risk significance.
◦ List and description of risk factors and measures.
◦ Risk-and-control chart/matrix showing risk ratings.
◦ Heat map.
◦ Rankings of auditable units for inclusion in plan.
◦ Criteria for priority and frequency of review based on level of residual risk.
Internal Audit Risk Assessment Specific Risk Approach
Impact Description | Impact Score | Regulatory Criteria | Operational Criteria | Financial Criteria
Catastrophic | 5 | Complex, highly regulated environment with strict enforcement; consequences for noncompliance likely to cause legal liabilities and penalties that may result in partial or complete shutdown. Significant financial and reputational impacts. | One or more business units or entire organization may be unable to operate. Impact on reputation. | Greater than $25 million
Highly Significant | 4 | Complex regulatory environment; legal liabilities and penalties for noncompliance may receive public attention and have lasting impact financially and reputationally. | Multiple business units may be significantly affected. Organization’s ability to operate or serve customers may be severely reduced. Impact on reputation. | $10 million to $25 million
Significant | 3 | Laws and regulations are consistently enforced. Legal liabilities and penalties for noncompliance are material. | One or more business units may be materially affected. Organization’s ability to operate or serve customers may be significantly reduced. | $5 million to $10 million (material)
Moderate | 2 | Active regulatory environment with small to moderate penalties for noncompliance. | Operational effectiveness and efficiency are moderately damaged. | $1 million to $5 million
Low | 1 | Regulatory environment is lax or penalty for noncompliance is small. | Operational effectiveness or efficiency could be improved, but operations proceed uninterrupted. | Less than $1 million
Internal Audit Risk Assessment Specific Risk Approach
Score effectiveness of risk management and controls
Determine residual risk.
Internal Audit Risk Assessment Risk Factor Approach
Additional Planning Consideration-Coordination
Accommodating Management and Board Requests
Senior management and/or the board may request assurance and consulting services, and Internal Auditor should accommodate these requests at some point.
Consulting/advisory services may be requested in areas or processes that have not appeared among the top
priorities in the risk assessment; often, they are opportunities for the internal audit activity to provide advice
that will lower the likelihood of risk occurrences in the future.
Additional Planning Consideration-Coordination
Engagement Frequency and Timing
Not all auditable areas can be reviewed in every audit cycle, nor should they. Ideally, audit frequency is based on the risk assessment.
Internal Auditor should consider which engagements will most enhance the organization’s ability to achieve its objectives and which have the potential to add the most value.
To ensure the internal audit plan covers all mandatory and risk-based engagements, internal auditors should consider:
◦ Engagements required by law or regulation.
◦ Mission-critical engagements.
◦ The time and resources required for compulsory engagements and risk-based priorities.
◦ Whether all significant risks have sufficient coverage by assurance providers.
◦ The percentage of the plan that should be reserved for special projects, consulting, or ad hoc requests.
Determining Frequency Based on Risk
In a purely risk-based internal audit plan, Internal Auditor may apply one of two strategies to arrive at the ideal frequency of planned engagements.
1. The audit plan may be based on a continuous risk assessment without a predefined frequency for engagements.
2. The audit frequency is based upon the level of residual risk determined in the risk assessment.
 Assurance map
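The specific-risk approach scoring steps (impact score from the financial criteria of the impact table, scored control effectiveness, residual risk) together with the second frequency strategy above, as an added Python example that is not part of the original slides. The likelihood scale (1-5), the formulas inherent = impact x likelihood and residual = inherent x (1 - control effectiveness), the frequency bands, and the sample auditable units are assumptions made for the example.

```python
"""Residual-risk scoring, ranking and audit frequency for auditable units (added example)."""
from __future__ import annotations
from dataclasses import dataclass


def impact_score(financial_impact_usd: float) -> tuple[int, str]:
    """Map an estimated financial impact to the impact table's 1-5 score.

    Thresholds come from the table's Financial Criteria column; a value sitting
    exactly on a boundary is assigned the lower score, matching "Greater than
    $25 million" for Catastrophic.
    """
    if financial_impact_usd < 1_000_000:
        return 1, "Low"
    if financial_impact_usd <= 5_000_000:
        return 2, "Moderate"
    if financial_impact_usd <= 10_000_000:
        return 3, "Significant"
    if financial_impact_usd <= 25_000_000:
        return 4, "Highly Significant"
    return 5, "Catastrophic"


@dataclass
class AuditableUnit:
    name: str
    financial_impact_usd: float
    likelihood: int               # assumed 1 (rare) .. 5 (almost certain)
    control_effectiveness: float  # assumed 0.0 (no effective controls) .. 1.0 (fully effective)

    def inherent_risk(self) -> int:
        """Inherent risk = impact x likelihood, before any controls (assumed formula)."""
        return impact_score(self.financial_impact_usd)[0] * self.likelihood

    def residual_risk(self) -> float:
        """Residual risk = the part of inherent risk that controls do not remove (assumed formula)."""
        return round(self.inherent_risk() * (1 - self.control_effectiveness), 2)


def audit_frequency(residual: float) -> str:
    """Strategy 2 on the slide: frequency follows the residual risk level (bands assumed)."""
    if residual >= 12:
        return "annual"
    if residual >= 6:
        return "every two years"
    return "every three years"


def rank_units(units: list[AuditableUnit]) -> list[dict]:
    """Rank units by residual risk, highest first, with the figures behind each rank."""
    ranked = sorted(units, key=lambda u: u.residual_risk(), reverse=True)
    return [{"rank": i, "unit": u.name, "impact": impact_score(u.financial_impact_usd)[0],
             "likelihood": u.likelihood, "inherent": u.inherent_risk(),
             "residual": u.residual_risk(), "frequency": audit_frequency(u.residual_risk())}
            for i, u in enumerate(ranked, start=1)]


# Constructed sample units (names taken from the example slide; figures are made up).
SAMPLE_UNITS = [
    AuditableUnit("Operations", 30_000_000, 4, 0.5),
    AuditableUnit("Marketing", 3_000_000, 3, 0.4),
    AuditableUnit("Procurement", 8_000_000, 5, 0.2),
    AuditableUnit("Finance", 12_000_000, 2, 0.75),
]

if __name__ == "__main__":
    for row in rank_units(SAMPLE_UNITS):
        print(row)
```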
Additional Planning Consideration-Coordination
Assurance Maps:
• An assurance map documents the coordination of assurance coverage.
• It lists all significant risk categories and links them with relevant sources of assurance.
• Based on the compiled information, the degree, or level, of assurance coverage provided can be rated as adequate or inadequate, and gaps and duplications become clear.
• The map also provides clear evidence of gaps in assurance, where additional resources may be needed.
Internal Audit Documentation
 Assurance map
Estimating Resources
Internal Auditor must determine the resources needed to implement the plan.
Resources may include people (e.g., labor hours and skills), technology (e.g., audit tools and techniques),
timing/schedule (availability of resources), and funding.
Internal Auditor must estimate the scope of engagements and the skills, time, and budget that will be needed to
perform those engagements.
Internal Auditor may reflect on the nature and complexity of each engagement, the resources spent on comparable engagements performed previously, and the date of the most recent audit of the area or process.
Estimating Resources
Assessing Skills
As part of internal audit planning, Internal Auditor must know the team’s competencies.
Internal audit team members may have specialized skills and knowledge; these are inventoried along with a benchmark of the skills necessary to fulfill the expectations, needs, and demands of the organization and the industry.
Estimating Resources
Coordinating with Other Providers of Assurance and Consulting Services
To make the best use of valuable resources, Internal Auditor could coordinate activities, share information, and consider relying upon the work of other internal and external assurance and consulting service providers.
Relying upon the work of other providers instead of repeating the coverage minimizes the duplication of work and maximizes the efficiency with which assurance is provided.
Estimating Resources
Meeting Need for Additional Skills
If the internal audit activity lacks the knowledge or skills needed to complete a particular assurance engagement, options include cosourcing, where experts from outside the organization perform specialized work under the supervision of an experienced internal auditor, and outsourcing, where the work is performed entirely by an outside firm.
Estimating Resources
Calculating Hours in Plan
Internal Auditor must calculate “available” internal audit resource hours. The IA Leader calculates the total number of hours each internal audit team member is able to contribute to the completion of the audit plan in a given period (typically one year). Total available hours take into consideration the results of the skills assessment, the use of external resources and support staff, and the tasks that do not contribute to plan completion.
Estimating Resources
Internal Audit Documentation
◦ Internal audit staffing plan, including
◦ Inventory of staff skills.
◦ Calculation of skills needed to complete the plan.
◦ Notes on assumptions and calculations.
◦ Summary of person-hours dedicated to nonaudit responsibilities and tasks.
Drafting The Plan
Accommodating Management and Board Requests
All the preparatory work culminates in a draft version of the internal audit plan to be presented, discussed, revised, and finalized for approval.
The proposed internal audit plan may include the following sections:
 Executive summary – This short overview of key points typically includes a one-page summary of the most significant risks, the planned
engagements and basic schedule, and the staffing plan.
 Policies and processes – This overview gives the board an understanding of the due diligence and thoroughness of internal audit’s planning
policies and approach, with basic descriptions of the processes used to establish the audit universe, perform the risk assessment, coordinate
assurance coverage, and staff the plan.
 Risk assessment summary – A description of the risk assessment process and results enhances the board’s understanding of internal audit’s
priorities. Information may include:
 Organizational strategy, key areas of focus, key risks, and associated assurance strategies in the audit plan.
 Summary of risks.
 Analyses (or summary) of inherent and/or residual risk levels of auditable units.
 Risk scores/ratings for auditable units.
 Heat map for entire audit universe indicating priorities, inclusions, and exclusions.
Drafting The Plan-Cont
 Overview of engagements in plan –
 A list of proposed audit engagements (and specification regarding whether the engagements are assurance or consulting in nature).
 Tentative scopes and objectives of engagements.
 Tentative timing and duration (timeline showing the quarter during which the engagement will be performed and how long it will
take to complete).
 Rationale for inclusions and exclusions – This explanation is important, especially if risk ratings or frequency determinations are overridden.
Reasons may include change in risk rating, length of time since last audit, change in management, and more.
 Resource plan – This section identifies the type and quantity of resources that will be needed to execute the plan. The description may
include the number of staff required to complete the audit plan (capacity), the number of support staff needed, a summary of the results
of the skills assessment, and a plan of action to address skill gaps.
 Financial budget requirements – The plan includes a financial budget to cover payroll of internal audit staff, as well as the cost of cosourced
and/or outsourced services, tools (i.e., technology), training, and other expenses.
 IPPF and relevant standards – References to conformance with relevant IPPF standards and guidance support a discussion with senior management and the board about the importance of internal audit’s risk-based plan as well as other aspects of planning (e.g., communication, coordination, and reliance).
Drafting The Plan-Cont
Approval sign-off area – Senior management and the board must approve the plan.
Subsections, or subplans – Within the overall plan, the risks from all auditable areas may be consolidated into
risk categories, with assurance coverage relevant to each key risk area specified.
◦ Operational.
◦ Financial.
◦ Compliance.
◦ IT/cybersecurity.
◦ Culture.
◦ Consulting services (e.g., strategic initiatives; preliminary evaluation of new system).
◦ Requested special assignments (e.g., investigations).
◦ Follow-up (i.e., tracking implementation of recommendations).
Drafting The Plan-Example
Column groups: Risk Assessment (Residual Risk Rank, Priority); Audit Execution (Three Years Ago, Two Years Ago, Last Year); Staff Allocation in Staff Hours (Internal, External, Total); Audit Plan This Year (Q1, Q2, Q3, Q4).
Rank | Auditable Unit | Residual Risk Rank | Priority | Three Years Ago | Two Years Ago | Last Year | Internal | External | Total | Q1 | Q2 | Q3 | Q4
1 | Operations | | | | | | | | | | | |
2 | Marketing | | | | | | | | | | | |
3 | Procurement | | | | | | | | | | | |
4 | Finance | | | | | | | | | | | |
5 | Auditable Unit | | | | | | | | | | | |
Proposing the Plan and Soliciting Feedback
Internal audit typically discusses the plan with senior management before formalizing it for presentation to the audit committee and/or full board.
In discussions, Internal Auditor should communicate the results of the risk assessment, how the significant risks could affect the organization’s objectives, and how the results help determine the plan of audit engagements.
The plan may be altered based on discussions of risk appetite and the scope and/or timing of assurance coverage (based on coordination with other providers).
Reflect on questions such as:
 Have all risks and auditable units been considered exhaustively?
 Are there any upcoming changes that we have not considered methodically – e.g., acquisitions, mergers, system upgrades, third-party suppliers, or software implementation?
 How do the engagements in the plan link to the organization’s objectives and top risks?
 How do the engagements add value for senior management and the organization?
 Does the coordination of assurance coverage and the schedule/timing of engagements make sense?
 If any requests have not been honored, why not?
Proposing the Plan and Soliciting Feedback
Assurance Coverage Limitations Related to Budget
When communicating the internal audit activity’s plans and resource requirements, Internal Auditor should
express the relationship between the risks facing the organization and the budget available for assurance
coverage.
The IA Leader should bring attention to high-risk areas that will not have sufficient assurance coverage and
should be prepared to request additional resources if needed.
Proposing the Plan and Soliciting Feedback
Internal Audit Documentation
◦ Agendas and minutes of meetings.
◦ Memoranda documenting informal meetings.
◦ Surveys.
Communicating to Finalize the Plan
Presentation to Audit Committee
Internal Auditor evaluates senior management feedback and incorporates relevant information to ensure that the
plan appropriately reflects the organization’s priorities and that management supports the plan’s implementation.
The revised plan is presented to the audit committee for additional review.
The audit committee may suggest adjustments to the plan based on its view of the organization’s risk appetite.
The meeting also gives Internal Auditor an opportunity to explain the budget and its relationship to assurance
coverage, noting any significant gaps in coverage.
Communicating to Finalize the Plan
Presentation to Full Board
To communicate to the board, the Internal Auditor typically creates a presentation that summarizes the
engagements in the plan, explains the risk assessment behind the selections, and expresses the value of the
independent and objective assurance and advice provided by the internal audit activity.
The audit committee chairperson may present the information summary to the full board for final approval.
Once senior management and the board have approved the plan formally, all affected business areas in the
organization typically receive a copy.
Communicating to Finalize the Plan
Ongoing Communication
In some organizations, the Internal Auditor communicates quarterly, through a formal report.
The timing of presentations to the senior management and the board (audit committee) may affect how both
stakeholder groups perceive the internal audit activity. Too much information provided all at one time (e.g., the
end of the quarter) could reduce stakeholder receptivity to the internal audit activity.
Internal auditors should take care to communicate regularly with senior management and prepare any changes to the internal audit plan with sufficient advance notice to allow opportunities for discussion.
Communicating to Finalize the Plan
Communicating Proposed Changes
If the internal audit plan and/or resource requirements change significantly, Internal Audit must communicate those changes to senior management and the board and obtain their approval.
Organizational changes that may change the organization’s risk profile, and so require the audit plan to be adjusted, include (but are not limited to):
◦ Acquisition or sale of a business unit or asset.
◦ Change in board membership, organizational ownership, or leadership.
◦ Changes to laws, regulations, or industry standards, which may introduce new compliance risks.
◦ Changes to strategic initiatives, including the pursuit of new opportunities.
◦ Discovery of unforeseen risk indicators during internal or external audit engagements.
◦ External changes, such as political or environmental developments.
◦ Implementation of new systems.
Communicating to Finalize the Plan
Audit Documentation
• Auditable units in the audit universe.
• Inherent and residual risk ratings of each unit.
• Descriptor indicating engagement priority of each unit.
• Schedule of engagements (multiyear and short-term calendar).
• Proposed scope and objectives of engagement.
• Person-hours and resources needed for each engagement.
• Staff assignments.
Simulation