Post on 31-Dec-2016
INTERNAL CONTROL, INTERNAL AUDITOR & RISK MANAGEMENT
Company Internal Auditor
The internal audit unit or function assists the Board of Directors in ensuring the achievement of objectives and business continuity by:
1. Evaluating the efficiency and effectiveness of the achievement of company objectives;
2. Monitoring and improving the effectiveness of risk control;
3. Evaluating the company's compliance with company regulations, GCG implementation, and laws and regulations; and
4. Facilitating the smooth conduct of audits by external auditors.
Internal Auditor:
• Tester of the reliability of internal control
• Facilitator, and a part of Management that measures and tests the implementation of GCG.
• The auditor is better off functioning as a Consultant rather than solely as an examiner / supervisor.
Internal Audit Role
Internal Auditor:
• A systematic, disciplined approach
• Evaluating & improving the effectiveness of risk management, control, and governance processes
• Independence and objectivity
• Assurance & consulting activity designed to add value & improve operations
• Helping the organization accomplish its objectives: Strategic, Operation, Reporting, Compliance
Internal Auditor Objective
• The objective of IA is to assist all members of management in the effective discharge of their responsibilities, by furnishing them with objective analyses, appraisals, recommendations and pertinent comments concerning the activities reviewed. It involves such activities as:
– Reviewing and appraising the soundness, adequacy and application of accounting, financial and operating controls.
– Ascertaining the extent of compliance with established policies, plans and procedures.
– Ascertaining the extent to which company assets are accounted for, and safeguarded from losses of all kinds.
– Ascertaining the reliability of accounting and other data developed within the organization.
– Appraising the quality of performance in carrying out assigned responsibilities.
Seven Dimensions in the Internal Auditor’s role (Donna 1985)
• Accountant
• Policeman
• Watchdog
• Teacher
• Consultant
• Communicator
• Future Manager
Two roles Internal Auditor - IIA
• Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or, conclusions regarding … a process, system or other subject matter …
• Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client
Internal Control - COSO
According to COSO (Committee of Sponsoring Organizations of the Treadway Commission), internal control is a process carried out by the board of directors, management, and staff to provide reasonable assurance regarding:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
Components of Internal Control
• Control Environment
• Risk Assessment
• Control Activities
• Information and communication
• Monitoring
Control Environment:
1. The organization demonstrates a commitment to integrity and ethical values
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
3. Management establishes, with board oversight, structures, reporting lines, appropriate authorities and responsibility in the pursuit of objectives
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
Risk Assessment:
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives
9. The organization identifies and assesses changes that could significantly impact the system of internal control
Control Activities:
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
11. The organization selects and develops general control activities over technology to support the achievement of objectives
12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action
Information and Communication:
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
15. The organization communicates with external parties regarding matters affecting the functioning of internal control
Monitoring Activities:
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
Internal Auditor and Governance
[Diagram labels: Internal control; Risk Management; Governance; Key Governance Element]
Internal Auditor… helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Value Proposition of Internal Auditing
What should stakeholders expect from the internal auditor?
[Diagram: Internal Auditing = Assurance, Insight, Objectivity. Labels: Governance, Risk, Control; Catalyst, Analysis, Assessments; Integrity, Accountability, Independence]
OBJECTIVITY = Integrity, Accountability, & Independence
With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice.
Assurance = Governance, Risk & Control
Internal auditing provides assurance on the organization’s governance, risk management, and control processes to help the organization achieve its strategic, operational, financial and compliance objectives.
COSO ERM FRAMEWORK
• Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
http://www.accaglobal.com/uk/en/student/exam-support-resources/
Enterprise risk management is:
• A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk
• Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
• Able to provide reasonable assurance to an entity’s management and board of directors
• Geared to achievement of objectives in one or more separate but overlapping categories
• This enterprise risk management framework is geared to achieving an entity’s objectives, set forth in four categories:
– Strategic – high-level goals, aligned with and supporting its mission
– Operations – effective and efficient use of its resources
– Reporting – reliability of reporting
– Compliance – compliance with applicable laws and regulations.
• Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process.
1. Internal Environment
2. Objective Setting
3. Event Identification
4. Risk Assessment
5. Risk Response
6. Control Activities
7. Information and communication
8. Monitoring
1. Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
2. Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
3. Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
4. Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
5. Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
6. Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
7. Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
8. Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Key Implementation Factors ERM
• Organizational design of business
• Establishing an ERM organization
• Performing risk assessments
• Determining overall risk appetite
• Identifying risk responses
• Communication of risk results
• Monitoring
• Oversight & periodic review by management
Relationship Internal Auditor and ERM
• Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
• Assist management and the board or audit committee in the process by:
- Monitoring
- Evaluating
- Examining
- Reporting
- Recommending improvements
• Professional Practices & Standard
– 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually.
– 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems.
– 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.
Three Lines of Defense
Role of Internal Auditor on ERM
• Reviewing critical control systems and risk management processes.
• Performing an effectiveness review of management's risk assessments and the internal controls.
• Providing advice in the design and improvement of control systems and risk mitigation strategies.
• Implementing a risk-based approach to planning and executing the internal audit process.
• Ensuring that internal auditing’s resources are directed at those areas most important to the organization.
• Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.
• Facilitating ERM workshops.
• Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management.
Management Expectation on Internal Auditor
Internal Auditor & Customer Need
Audit Committee Board
• Safeguarding Assets
• Compliance with Laws and Regulations
• Reliability of Data
QUALITY OF INFORMATION
Operating Management
• Operating Management
• Effectiveness and Efficiency of Operations
• Achievement of Organizatio
CHANGE AGENT
What does the customer want?
Customers: Regulator, Supplier, Auditee, Audit Committee, External Auditor
Function
• Operation
• Financial Reporting
• Compliance
COSO - Internal Control
• Control Environment
• Risk Assessment
• Control Activities
• Information and communication
• Monitoring
BOC Expectation of the Internal Audit Function
• Improve SPI staff skills and competencies and their understanding of the business operations
• Provide consulting services
• Improve SPI’s communications with key stakeholders
• Provide a value added internal audit function as well as improve the quality of reports
• Provide risk management and control assurance
• Provide regulatory and corporate compliance assurance
• Act as a mediator with external parties
Key improvement to meet the management and stakeholder expectation
• Align Internal Audit with the strategic goals of the organisation.
• Drive efficiency through integration, talent management and use of data analytics.
• Maintain a balance between assurance and advisory reviews.
• Run Internal Audit like a business.
How to meet Expectation
How to meet the management and stakeholder expectation
• Internal auditor role should be established with a charter approved and reviewed annually at board level.
• The internal audit charter should describe the internal audit role in the organization it serves, including its purpose, authority, responsibility, and relationships with external organizations.
• The internal audit charter should be promoted across the organization at all levels and as appropriate across its supply chains and to its stakeholders.
• Internal audit should have measures in place to demonstrate its level of performance to the organization.
• Expectation gaps at organization and individual customer levels should be identified, and all performance measures continuously monitored if the full added value of the internal audit role is to be achieved.
• New dimensions of the internal audit role in an organization should be continuously explored to ensure that it is at the cutting edge of its professional attributes and in its performance.
Internal Audit Roles
Risk-Based Audit (RBA) Methodology
PLAN
[Diagram labels, numbered 1 2 3 on the slide: Understanding the expectations of management & the Board of Commissioners; Audit Plan; Risk Assessment]
• Obtain executive management's commitment to the delivery of internal audit services.
• Establish risk assessment criteria
• Understand the areas of concern to management even if those areas are not high risk
Documentation of the expectations of management & the Board of Commissioners
• GMS (RUPS) resolution documents
• Board of Commissioners memos/letters
• BOD/RRD resolutions
• BPK & ICM External Audit
Annual Audit Plan
TOP PRIORITY RISK
Role of SPI to Review Risk
Controllable Risk
• Ensure Internal Control Management
• ICoFR
• System mitigation
Strategic Risk
• Corporate Strategic Plan
• Business Development Unit
• Modeling & Workshop Mitigation
Uncontrollable Risk
• Mitigate Corporate Risk Management
• PIMR Unit
• Prediction & Analysis
FRAMEWORK
− Preparation
− Execution
− Preparation of the Audit Report
WORK PLAN
− Representative
− Responsive
− Constructive
PROFESSIONAL ENGAGEMENT PERFORMANCE
Standards Professional Internal Auditor (IIA):
− General Standards
− Field Work Standards
− Reporting Standards
PERIODIC REPORTS: Monthly & Annual
− Timing
− Content
− Including Follow Up
Pertamina Experience
Pertamina Vision, Mission and Values
Vision: To be a world-class national energy company
Mission: To carry out integrated business core in oil, gas, renewable and new energy based on strong commercial principles
Values (6 C): Clean; Confident; Commercial; Competitive; Customer Focus; Capable
Pertamina’s Scope of Business
Upstream
• Producer of oil and gas domestically and overseas
• Supplier for geothermal energy
• Gas transporter & trader
Downstream
• Refining
• Fuel business (kerosene, HSD/Diesel/MFO, etc) for industry
• Special fuel business for retail (PertaminaDex, Pertamax/PertamaxPlus)
• Aviation business
• Lube base business
• LPG business
• Petrochemical business
• Responsible for distributing fuel for Public Service Obligation (PSO), such as kerosene, gasoline, HSD
• Executor for kerosene conversion to LPG
Other
• Insurance
• Hotel
• Medical
• Venture Fund (Dana Ventura)
Corporate
Employees
• 15,190 persons
Subsidiaries & Affiliates
• 19 Subsidiaries
• 13 Affiliates
[Diagram labels: Upstream; Refinery; Shipping/Piping; Depot; Transportation; Gas station]
Business Process
Performance & Governance
2013 (No, Company): 1 Royal Dutch Shell; 75 Petronas; 122 Pertamina; 135 Unilever
2014 (No, Company): 1 Walmart; 69 Petronas; 123 Pertamina; 477 PLN
2015 (No, Company): 130 Pertamina; 477 PLN
Financial Statement Released: 16 November 2010; 21 April 2011; 9 March 2012; 15 February 2013; 14 February 2014; 13 February 2015; 12 February 2016
Good Corporate Governance Score: 94,27; 94,43; 94,50
Reference: Pertamina Annual Report & website
Pertamina Transformation
Transformation to be World Class Internal Audit
[Diagram labels: Management Need; Analysis of Current Condition; Roadmap]
• Determine Value Driver
• Define Current Condition of IA
• Derive IA Roadmap for performance development and IA function
Area of Improvement
• Organization
• HR Management
• Working practices
• Communication and Reporting
• Quality Assurance
• Knowledge Management
• Use of IT Audit Software
IA Pertamina Transform to Best Practice
[Timeline: AUDIT (Watchdog), before 2009; Transformation, 2010; Assurance & Consulting based on RBA, 2011]
• Assurance and Consulting by implementing Risk Based Audit with Audit Management Systems tools
• Stabilization and implementation of Internal auditor reposition by continuing evaluation
• Increasing quantity of human resources by new recruitment
• Increasing quality of human resources by training and certification.
EVALUATION OF GOVERNANCE & RISK; ASSURANCE OF INTERNAL CONTROL EFFECTIVENESS
Step in Reposition IA
2009 – AREA OF IMPROVEMENT
1. Organization
2. Human Resources
3. Working Practice
4. Use of IT
5. Knowledge Management
6. Communication & Reporting
7. Quality Assurance
2009 – CATEGORIZING
• Workstream (Area 1,2)
• Workstream (Area 3,6)
• Workstream (Area 5,7)
• Workstream (Area 4)
2010 – DELIVERABLES
• Vision & Mission
• Internal Auditor Charter
• Organization Structure
• Working Practice
• IT Audit
• Risk Based Audit
• Audit Management Systems
• Knowledge Management
• Auditor Competence
• Quality Assurance
2011 – RESULT
• Vision & Mission Auditor
• Internal Auditor Charter
• Organization structure
• Audit Universe
• Working Practice
• SOP Risk Based Audit
• Knowledge Management Function
• Implementing RBA & AMS
Strategic plan to achieve a world-class IA
Area of Improvement
• QUALITY ASSURANCE: To develop a comprehensive Quality Assurance and Improvement Program
• KNOWLEDGE MANAGEMENT: Leverage technology to synthesize knowledge and make information readily available to both SPI staff and the auditees
• COMMUNICATION AND REPORTING: To communicate with clarity, brevity, accuracy and with
• USE OF IT: Enhance audit processes by integrating technology solutions into multiple aspects of SPI’s operations
• WORKING PRACTICES: Improve SPI’s processes to increase efficiencies and value delivered
• HUMAN RESOURCES: Maintain and bring in the right people to support the needs of Pertamina’s business
• ORGANISATION: To re-align function to business processes and risks and build reputation
Reference: Pertamina Annual Report 2013
Progress in Area of Improvement
[Chart: progress in each area of improvement (Quality Assurance; Knowledge Management; Communication and Reporting; Use of IT Audit Software; Working practices; HR Management; Organization), as of March 2009 and as of Feb 2011, against best practice]
Strategic Internal Audit Planning 2014-2018
ROADMAP PERTAMINA
STAKEHOLDER EXPECTATION
VISION & MISSION
SWOT ANALYSIS
No | Strategic Plan | 7S Model | Timelines
1 | Refining the vision and IA Charter | Strategy | 2014
2 | Optimality of quality assurance role, including evaluation on the implementation of IA Code of Ethics | System, Shared Value | 2014-2018
3 | Improvement on the methodology of Risk Based Audit (RBA), including planning, implementation, and reporting | System, Style | 2014-2018
4 | Implementation of Continuous Auditing methodology | System | 2014-2018
5 | Reorganization of IA: a. Group Control Function; b. BG M&T IA Function; c. Upstream IA Function | Structure |
6 | KPI of Integrated Audit/Secondment | System | 2014-2018
7 | Implementation of auditor competency development system in a continuous manner | Staff, Skill | 2014-2018
8 | ICoFR Testing | System | 2014-2018
9 | Implementation of RBA in Subsidiaries | System | 2014-2018
[Roadmap: WATCHDOG to STRATEGIC BUSINESS PARTNER to be STRATEGIC ADVISOR; timeline labels 2013, 2014, 2015]
Key Achievement
The Implementation of Assurance and Consulting
• conducted on 59 areas/activities of the company
Initiatives of the Internal Audit
• Internal Control Framework
• Developing Continuous Controlling System (CCS)
• Implementation of Internal Control Over Financial Reporting (ICoFR)
• Fraud Prevention Program
Internal Audit Image
• Performance Improvement Programme
Professionalism Improvement
• by pursuing the international & national certification program and training program.
Coordinates with External Auditors
• Government Auditor (BPK), Government Internal Auditor (BPKP) and External Auditor
Internal Audit Organizational Structure
Internal Audit Charter
Vision
To become a professional and trusted Internal Audit by applying the best practices of world-class energy companies.
Mission
To provide added value to the Company through independent and objective assurance and consulting activities in accordance with internationally applicable professional standards.
Objectives
1. To help the Company achieve its objectives effectively and efficiently by evaluating and recommending improvements to the effectiveness of corporate governance, risk management and internal control.
2. To help the Company's management and other stakeholders by providing advice, considerations and recommendations that are useful for improving the Company's effectiveness and efficiency.
Scope
Internal Audit engagements cover all areas and operational and business activities of the company, along with its subsidiaries, affiliates and other relevant parties, in order to evaluate and improve the effectiveness of corporate governance, risk management and internal control.
Independence
Internal Audit is led by a CAE who reports to the President Director; the CAE is appointed & dismissed by the President Director with the approval of the Board of Commissioners; it is prohibited from involvement in operational activities that could impair independence; etc.
Authority
Has unrestricted access to all data, functions, activities and resources of the Company; coordination with external auditors, other oversight institutions & the Audit Committee; oversight of subsidiaries in accordance with the corporate relationship charter; etc.
Duties & Responsibilities
Carrying out oversight activities; reporting the results to the President Director & competent parties; conducting investigative audits; reporting the results of oversight activities to the Board of Commissioners, in this case the Audit Committee; etc.
Auditor Requirements
Integrity, professionalism, independence, honesty & objectivity, technical audit knowledge; compliance with professional standards & the code of ethics; understanding of the principles of good corporate governance; etc.
Internal Audit Performance Standards
The Internal Audit Working Procedures System and Code of Ethics, which refer to the International Standards for the Professional Practice of Internal Auditing established by the IIA.
Code of Ethics
Integrity
• Honesty, objectivity, and diligence in performing duties and fulfilling professional responsibilities.
• Loyalty to the organization, but must not be involved in activities that are improper or unlawful.
• Must not knowingly be involved in acts or activities that could discredit the profession or the organization.
Objectivity
• Must refrain from activities that could give rise to conflicts of interest and prejudice, casting doubt on the ability to perform duties and fulfil professional responsibilities objectively.
• Must not accept anything in any form that could, or could reasonably be presumed to, influence professional judgment.
• Must disclose all material facts known to them in the report on the performance of their duties, and/or is prohibited from distorting reports and concealing unlawful practices.
Confidentiality
• Must not use information obtained in the course of duties for personal gain, to break the law, or in a way that could cause harm to the organization.
Competence
• Must make every effort to always meet the International Standards for the Professional Practice of Internal Auditing.
• Must continually improve competence through continuing professional education, for the effectiveness and improved quality of the performance of duties.
• Only perform services that can be completed using the professional competence possessed.
Annual Audit Plan: What We Do
Prioritizing Audit Objects
The objective is to rate the business processes in Audit Universe in relation to the level of risk based on the results of risk assessment:
• Review available information and identify relevant processes
• Mapped Updated Risk Profile with Audit Universe
• Documented Audit Object / Auditable Areas relevant to the Updated Risk Profile
• Prioritize Auditable Areas considering:
– Last audit finding and opinion
– Company’s loss event in current/previous year
– Internal Audit Long Term Planning
• Bring Draft Auditable Area to Raker/Rakor (work meeting / coordination meeting) to consider:
– Input from Audit Committee
– Input from SVP/VP/Mgr Operational Function
– Law/regulatory opinion
– Objective opinion from IA members regarding high risk area
[Diagram labels: Before Raker/Rakor; Raker/Rakor; Relevant Key Processes; Audit Universe; Auditable Areas; Updated Risk Profile; Finalizing Documentations; Knowledge Sharing; Project Management]
IA Process
Risk Based Audit Approach
Quality Assurance & Improvement Program (QAIP)
The QAIP provides reasonable assurance to stakeholders regarding Internal Audit activities
Stakeholder Satisfaction Survey
Conducted through the Auditee Feedback Survey and the Stakeholders Satisfaction Survey
Improving the Image of Internal Audit
Raising the Internal Audit Maturity Level – assessment from External Quality Assurance
Quality Assurance & Improvement Program
Internal and External Assessment
“THE CHIEF AUDIT EXECUTIVE MUST DEVELOP AND MAINTAIN A QUALITY ASSURANCE AND IMPROVEMENT PROGRAM THAT COVERS ALL ASPECTS OF THE INTERNAL AUDIT ACTIVITY” (IIA AS 1300)
The quality assurance and improvement program must include both internal and external assessment
Internal Assessment (IIA AS 1311)
• Ongoing Monitoring: Team supervision, KPI Monitoring, Survey Feedback Auditee
• Periodic Reviews: Performed by QA Team within the IA organization with sufficient knowledge of IA practices (Stakeholder Satisfaction Survey)
External Assessment (IIA AS 1312)
• Periodic Reviews: The external review was performed in 2013
Consulting Services
Internal Audit Department provides support to other departments in various activities
Participant in interdepartmental working teams
• Participate in the work group in charge of mapping the User Access Matrix (mySAP Application)
• Participate in the Fraud Awareness Program
• Participate in the work group in charge of Internal Control over Financial Reporting (ICoFR) development
Other Activities
Key Strategic Initiatives
Developing Continuous Audit Monitoring System
Competency Development and Certification
Coordination with External Auditor
Added value of IA for the Company
1. IA's added value accelerates the process of achieving the company's objectives (ultimate goal).
2. IA's added value can be created in the audit process, in the final results of the examination, and in its role in exercising control within an organization.
3. SPI delivers added value in four domains:
• Strategic
• Operation
• Reporting
• Compliance
4. Audit results must deliver added value in these four domains, not merely be an examination activity that has been completed and an audit report that has been handed to the auditee and the board of directors.
How SPI delivers added value - 1
1. Role
• Creating a culture of control in the organization, making all members of the organization aware that they must always be compliant and strive for efficiency and effectiveness in carrying out activities, because their activities will be evaluated by SPI.
• A character of compliance, working efficiently & effectively, discipline and upholding ethics are basic prerequisites for an internal auditor. The auditing party must be more compliant and better than the party being audited. This condition will create individuals who continually pursue continuous improvement, so that the internal audit unit will produce Pertamina people who can serve as role models at work.
• The SPI organization must be able to serve as an example / role model in managing an organization, in terms of compliance, governance, efficient and effective organizational management, and its ability to formulate strategic goals in line with the organization's objectives.
• SPI's role requires people who continually learn and keep up with developments in the company and its environment, so that they can understand problems in the field when conducting audits.
How SPI delivers added value - 2
2. Audit process
• The audit process is carried out in a spirit of improvement, not merely of finding fault.
• Provide integrative improvements, not merely assign blame.
• Listen to the auditee, including their reasons; the root of the problem may well lie within those reasons.
• Focus on the root cause so as to provide an integrative solution, because often the problem is not the error itself but rather the cause of an error/deviation. For example, in the case of oil theft, the point is not merely to find the impact of the loss on the company, but to analyze comprehensively why the theft could occur, from the perspectives of weaknesses in the company's internal control, regulatory weaknesses, law enforcement, and sociological aspects.
• Make the audit process a medium for dialogue and for advising the auditee on what should be done, and for giving suggestions on errors that have occurred.
How SPI delivers added value - 3
3. Audit Report
• The internal audit report must be communicated well to the auditee without reducing the independence and objectivity of internal audit.
• The internal audit report must be integrative in describing problems. Often a problem in one unit is caused by problems/errors in another unit, regulatory errors, and so on.
• The solutions offered must be comprehensive. If a solution has to be resolved at a higher organizational unit because it concerns relationships between units, it must be discussed and resolved at that higher organizational unit.
• Avoid audit results becoming a mere pile of documents, because added value is created when audit results are able to bring about change for the better.
• Communication with the board of directors and the chair of the audit committee is important for following up on strategic issues that have a significant impact on the organization as a whole.
Added value - strategic
1. Internal audit does not only evaluate processes but can also evaluate the strategy chosen by the company, based on the results of the audits performed.
2. The results of evaluating internal control, organizational efficiency and effectiveness, and compliance can provide input that changes the company's strategy, objectives, vision or mission.
3. SPI actively provides input to the business planning and development function based on the results of the audits performed.
4. The annual evaluation of SPI's audit results must produce input to the Board of Directors on the strategic matters that must be undertaken.
5. SPI provides input to the corporate business planning unit for developing the annual plan and the long-term plan, based on the evaluation of the audit results.
Added value - operation
1. IA's role is not only to assess whether the object examined is efficient and effective, but also to be able to advise on what must be done to improve the efficiency and effectiveness of the object examined.
2. IA must be able to internalize a culture of efficiency and effectiveness in the organization through the evaluation process it performs.
3. The audit focus must be selected from the least efficient units, which are monitored continuously until they reach a level of efficiency equal to that of other organizational units. Meanwhile, organizational units considered already efficient are still sampled to ensure they remain efficient and keep improving their efficiency.
4. Audits must be able to create change and deliver improvements in efficiency and effectiveness. When a unit is audited, the expectation is that the unit changes for the better as a result of the audit.
Added value - reporting
1. The reliability of financial statements is obtained from an accountable recording process.
2. IA must ensure that internal control over financial reporting functions properly, so that every transaction document is processed in accordance with procedure.
3. IA's role as ICoFR tester must be carried out by testing the certification performed by the control owner.
4. In corporate reporting, IA must ensure that management does not engage in earnings management, which could lead to inaccurate financial statements that may harm the public.
Added value - compliance
1. Internal audit must be able to create a culture of compliance, meaning that SPI's presence makes all members of the organization not dare to commit non-compliance.
2. When an audit finds non-compliance, it should not merely give an assessment but look for the root cause of the non-compliance, because non-compliance often occurs because of inappropriate procedures or unreliable internal control. The recommendations given thereby add value by improving the procedures and internal controls already in operation.
THANK YOU