
RISK BASED AUDIT

Risk-Based Audit (Audit Berpeduli Resiko, ABR)

AGENDA
- Background of risk-based audit (ABR)
- ABR process and stages
- Options for implementing ABR
- Continuous audit cycle
- Example of ABR planning

BACKGROUND OF ABR

Background to the change

The ABR approach arose because of the following:
- demand and pressure for reform in corporate governance (good corporate governance);
- the desire of stakeholders that the company be managed more effectively;
- the desire of management to obtain suggestions for improving its operations.

Why Risk-Based Internal Audit

An organisation that understands its risks understands its opportunities. However:
- If it doesn't know its risks, it doesn't know the risks it can accept.
- If it doesn't know the risks it can accept, it doesn't know the risks to take.
- If it doesn't know the risks to take, it doesn't know how to grow.
- If it doesn't know how to grow, it will wither away.

Why Risk-Based Internal Audit (continued)

If an organisation does not understand its risks, events will knock it back and missed opportunities will hold it back. So how does any organisation control events and seize opportunities? By understanding:
- the risks it faces, both ongoing and in new projects;
- the risks it is prepared to accept;
- the action necessary to manage those risks it is not prepared to accept.

Definition of RBIA

Risk-based internal auditing (RBIA) is the methodology which provides assurance that risks are being managed to within the organisation's risk appetite. In other words: the processes that manage risks to a level considered acceptable by the board are working effectively and efficiently.

The Logic

If the internal auditor's objective is to support achievement of the objectives the company has set, then in every audit engagement the internal auditor must also attend to all the risks the organisation may face in pursuing those objectives. It is by recognising these risks that the internal auditor can advise the auditee, so that the auditee can minimise their impact.


Change in Focus of Internal Audit

From the traditional focus:
- Compliance audits
- Audits of financial risk
- Fraud investigations
- Evaluations of internal controls

To a wider focus:
- Operational audits
- Corporate governance
- Enterprise risk management
- Strategic reviews
- Ethics audits
- Migration to IFRS

Traditional vs. Risk-Based Audit Approach


1. Conventional audit: the auditor's attention is focused on management risk in relation to achieving the audit objectives. The auditor analyses the management risks that affect the audit objectives. The more adequate the internal control, the less audit testing and evidence (sample size) has to be gathered.

   Risk-based audit (ABR): the auditor's attention goes further, to risk assessment. The auditor assesses risk not merely for the purposes of the audit but focuses on the risks to the continuity and development of the activities that serve management's objectives.

2. Conventional audit: the auditor focuses on past events and conditions that bear on the predetermined audit objectives, in order to assess their reasonableness.

   Risk-based audit (ABR): the auditor tries to build scenarios of present and future risks that will affect achievement of the organisation's objectives. Audit recommendations therefore emphasise risk management as well as management control.

3. Conventional audit: the audit report is information delivered to interested parties and report users in line with the predetermined audit objectives, chiefly on whether or not controls are functioning.

   Risk-based audit (ABR): in the audit report the auditor emphasises disclosure of the processes that carry risk rather than whether or not a particular control is functioning.

4. Conventional audit: the audit process is system-based. A system-based audit is carried out on the basis of a system that actually exists and the controls operated for that system; the existing system is therefore assumed to be able to address all risks. Testing is usually done with an internal control questionnaire, a standard document used in every audit engagement.

   Risk-based audit (ABR): the audit process is risk-based. A risk-based audit is carried out on the basis of the risks, and reports to management whether or not those risks are being managed well. Here the ABR process groups a set of risks, and the process describes what is logically expected rather than the actual condition. If a risk exists but is not covered by a mapped process, it must be addressed through a new process.

Benefits of Risk-Based Internal Audits

Risk-based auditing is a simple concept.
- It improves audit effectiveness and efficiency by shifting the function from a policing activity to one that contributes effectively to managing risk and achieving wider organisational goals.
- It involves high-level risk profiling of the audit portfolio over time.
- It facilitates strategic use of scarce audit resources, aligns audit effort with management objectives, and reduces risk exposure by focusing attention on areas of weakness.
- The auditor performs a MORE EFFECTIVE and EFFICIENT audit, focused on HIGHER-RISK AREAS.
- Business units are involved at all stages of the audit.
- Risk-based auditing is more efficient because it directs audits at the high-risk areas.
- RBIA can also highlight risks that are over-controlled, where controls themselves decrease efficiency.

Risk-Based Audit

Risk-based audit is the contemporary expression of the transition from auditing focused on past activities to managing the future.

Risk-based audit rests on these assumptions:
- audit resources are not infinite;
- the unit activities to be audited are subject to different risks;
- the unit activities to be audited have relatively differing degrees of importance.

How does RBIA work?

Attention!
Within the context of RBIA, internal audit can only provide assurance where a risk management framework is in place; all other work is consultancy.

ABR PROCESS

3 Stages of an audit

Processes involved in stage 2

- Start from the risk register (audited).
- Filter risks, setting aside:
  - risks on which assurance is provided by others;
  - risks within the risk appetite;
  - risks not requiring an audit in this period;
  - risks which will be tolerated.
- What remains are the risks on which assurance is required.
- Categorise the risks and link them to audits in the Audit Universe; together these form the Risk and Audit Universe.
- Select the risks to be covered.
- Allocate resources to audits; the result is the audit plan.
- Report to the Audit Committee.
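The stage-2 steps above, from risk register to allocated audit hours, are mechanical enough to be worth seeing as code. The following is an added example written for this page, not code from the original deck or from any audit tool. The register entries are constructed, the score-to-rating mapping and the proportional hour allocation are assumptions of this example, and the audit cycle lengths (high-risk areas annually, medium and low over 18 to 24 months) are taken from the sample bank plan later in the deck.

```python
"""Stage-2 planning: filter an audited risk register down to the risks on which
assurance is required this period, link them to audits (the Risk and Audit
Universe) and allocate hours.  Added example, not the deck's own material."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

RISK_APPETITE = 4              # residual scores at or below this are within appetite
AS_OF = date(2024, 6, 1)       # planning date for the constructed register below


@dataclass
class Risk:
    id: str
    title: str
    score: int                        # residual score, 1-25 from the exposure matrix
    audit_area: str                   # the audit in the Audit Universe that examines it
    assured_by_others: bool = False   # e.g. covered by external audit or a regulator
    tolerated: bool = False           # the board has decided to tolerate this risk
    last_audited: Optional[date] = None


def cycle_months(score):
    """Audit frequency from the rating: 15+ treated as high (annual), 9-14 as
    medium (18 months), below that low (24 months).  Mapping score to
    high/medium/low at these cut-offs is an assumption of this example."""
    if score >= 15:
        return 12
    if score >= 9:
        return 18
    return 24


def months_since(then, now):
    """Whole months between two dates; day-of-month is ignored for planning."""
    return (now.year - then.year) * 12 + (now.month - then.month)


def filter_risks(register, as_of):
    """Apply the four stage-2 filters in the deck's order.  Returns the risks
    needing assurance and a dict of excluded risk id -> reason, which is what
    the Audit Committee report needs to show for the risks not being audited."""
    needing, excluded = [], {}
    for r in register:
        if r.assured_by_others:
            excluded[r.id] = "assurance provided by others"
        elif r.score <= RISK_APPETITE:
            excluded[r.id] = "within risk appetite"
        elif r.last_audited and months_since(r.last_audited, as_of) < cycle_months(r.score):
            excluded[r.id] = "not requiring an audit in this period"
        elif r.tolerated:
            excluded[r.id] = "tolerated"
        else:
            needing.append(r)
    return needing, excluded


def link_to_audits(risks):
    """Group the remaining risks by the audit that will examine them."""
    audits = {}
    for r in risks:
        audits.setdefault(r.audit_area, []).append(r)
    return audits


def allocate_hours(audits, total_hours):
    """Split the hours across audits in proportion to the residual scores they
    cover; the rounding remainder goes to the heaviest audits so the plan sums
    exactly to the budget."""
    weight = {area: sum(r.score for r in rs) for area, rs in audits.items()}
    total_weight = sum(weight.values())
    hours = {area: total_hours * w // total_weight for area, w in weight.items()}
    for area in sorted(weight, key=weight.get, reverse=True)[: total_hours - sum(hours.values())]:
        hours[area] += 1
    return hours


# Constructed register (illustrative only; the scores are not from the deck).
REGISTER = [
    Risk("R1", "Wire initiated without dual control", 20, "Branch Network", last_audited=date(2023, 6, 1)),
    Risk("R2", "Unreviewed internet-facing firewall rule base", 16, "Internet Connectivity/Firewall"),
    Risk("R3", "Financial statement misstatement", 15, "Finance/Accounting", assured_by_others=True),
    Risk("R4", "Stale disaster recovery plan", 12, "Disaster Recovery Planning", last_audited=date(2023, 9, 1)),
    Risk("R5", "Software licence over-deployment", 4, "Software Licensing"),
    Risk("R6", "Key-person dependency in treasury", 10, "Treasury/Investments/ALM", tolerated=True),
    Risk("R7", "Flat LAN without segmentation", 9, "Local Area Networks", last_audited=date(2024, 3, 1)),
    Risk("R8", "Privileged access reviews not performed", 12, "Logical Security & Security Admin"),
]

if __name__ == "__main__":
    needing, excluded = filter_risks(REGISTER, AS_OF)
    for area, h in allocate_hours(link_to_audits(needing), 480).items():
        print(f"{h:4d}h  {area}")
    for rid, why in excluded.items():
        print(f"skip {rid}: {why}")
```

The order of the filters matters: a risk that external audit already covers is dropped before its cycle is considered, and a tolerated risk is only reported as tolerated if it was otherwise due, which is the distinction the committee report has to make visible.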

Processes involved in stage 3

- Start from the audit plan.
- Define the draft audit scope.
- Examine the risk management process for the area audited.
- Conclude on risk maturity for the area audited.
- Decide on the audit approach.
- Hold meetings to determine objectives and risks and to agree the scope; the result is the agreed scope.
- Obtain relevant documentation on the processes (from the Risk and Audit Universe).
- Set up an audit database to record the audit details, or update the Risk and Audit Universe.
- Test the monitoring and proper operation of controls.
- Draw preliminary conclusions and discuss them.
- Issue the audit report.
- Feed the results back into the Risk and Audit Universe and the audit database.

RBIA documentation

- Risk and Audit Universe: objectives, risks, scores, controls, last audits.
- Audit databases: objectives, risks, scores, controls, tests, audit reports.
- Both feed the Audit Committee report.

Risk-based internal audit

Risk identification. Risks can be identified as:
- Financial (credit, market, liquidity risk, etc.).
- Operational (loss of key employee risk, loss of data risk, etc.).
- Compliance (breach of laws and regulations risk).
- Reputational (quality control, customer service risks).

Prioritisation of audit areas. Magnitude of the loss, likelihood of occurrence, regulatory and management concerns, and the controls in place should be considered.

Allocation of resources. Audit resources are to be allocated on the basis of overall risk. Where necessary, training should be imparted to the officers and other staff of the internal audit function.

Risk-Based Audit Process

Preparation of a risk-based annual audit plan (macro risk analysis) aims at:
- determination of audit priorities;
- mobilisation of audit resources, starting from the most risky activities.

Risk analysis in individual audits (micro risk analysis) covers definition of the risks related to the audited activity, assessment of the current internal controls, and development of internal control practices to eliminate the risks.

The Risk-Based Audit Process in 3 steps

- Risk assessment: What can go wrong? Perform risk assessment procedures to identify and assess the risks.
- Risk response: Did it go wrong? Perform further procedures to respond to the assessed risks and determine whether significant events have occurred.
- Reporting and recommendation (feedback): What is the appropriate wording of the recommendation based on the work performed?

Stages of RBIA

1. Assess the risk maturity of the organisation:
   - the auditee's business risk;
   - how management reduces or minimises risk;
   - areas that carry risk but have not been adequately identified by management, or are not known to management at all.
2. Assign the risks to an audit that will examine their management. Set up the Risk and Audit Universe (RAU) and draw up a plan for carrying out audits, usually annual.
3. Carry out individual risk-based audits and feed the audit results back into the RAU.

OPTIONS FOR IMPLEMENTING RISK-BASED AUDIT (ABR)

Internal Audit Capability Model Matrix

Risk Maturity Level

| Risk maturity | Key characteristics |
|---|---|
| Risk Naive | No formal approach developed for risk management. |
| Risk Aware | Scattered, silo-based approach to risk management. Risks identified within functions and not across processes; risks not communicated across the enterprise. |
| Risk Defined | Strategy and policy in place and communicated. Risk appetite defined. |
| Risk Managed | Enterprise-wide approach to risk management developed and communicated. Risk register in place. |
| Risk Enabled | Risk management and internal control fully embedded into operations. Organisation ready to convert market uncertainties into opportunities. |

Audit Strategy for Different Levels of Risk Maturity

| Area | Risk Naive | Risk Aware | Risk Defined | Risk Managed | Risk Enabled |
|---|---|---|---|---|---|
| Risk maturity report on the enterprise-wide risk management process (RMP) | No formal RMP | Poor RMP | RMP deficiencies | RMP-managed organisation | RMP-enabled organisation |
| Consulting objectives in risk management (RM) | Promote, guide and facilitate RM (PGF) | Promote, guide and facilitate RM (PGF) | Embed RM | Improve RM | Need-based improvement |
| Audit plan based on | Traditional audit plan (TAP) | Traditional audit plan (TAP) | Management's view on risk (RBIA), supplemented with TAP | Management's view on risk drives the audit plan (RBIA) | Management's view on risk drives the audit plan (RBIA) |
| Assurance on | Control process | Control process | RMP and control process | RMP | RMP |

Decide Audit Approach

Frequency of Audits and Consultancy

CONTINUOUS AUDIT CYCLE

Audit Process (figure: the audit process cycle, with risk assessment at its centre and four phases around it)

- Planning: auditee selection; engagement preparation; preliminary survey.
- Fieldwork: description and evaluation of documents; field testing; development of findings.
- Reporting: reporting of audit results.
- Follow-up: monitoring of follow-up actions; evaluation.
Continuous Audit Planning Cycle

- More efficient annual planning cycle, synchronised with ERM.
- Responsive to a changing risk environment.
- A 6-month project planning cycle allows for more flexibility.
- 18-month view.

(Figure: an 18-month timeline with planning checkpoints in January, April, May, June, September and December, on-going work in January to June and July to December, and the audit plan as output.)

Risk may be identified in the following terms: risk is defined as a particular event or circumstance that, if it were to occur, would impact achievement of a business objective.

Risk Assessment Framework

1. Gain understanding of the control environment: understand entity objectives and identify significant changes to operations or the control environment.
2. Identify relevant risks.
3. Assess relevant risks: rate and prioritise business, financial, operational, and compliance risks.
4. Develop a risk-based audit strategy: develop audit scope and objectives based on the risk assessment results.

Understand the Control Environment

- Understand business objectives.
- Understand strategy, goals, objectives and organisational structure.
- Review prior audit reports, issues and deficiencies.
- Identify significant changes to operations or the control environment.
- Impact on the audit plan: top down and bottom up.

Rating Scale

| Scale | Impact | Likelihood |
|---|---|---|
| HIGH | An incident of noncompliance and/or the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on operations, assets, or people. | Without regard to the effects of compliance controls or mitigation strategy, it is highly likely (over 75%) and capable of happening in the next 24 months. |
| MEDIUM | An incident of noncompliance and/or the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on operations, assets, or people. | Without regard to the effects of compliance controls or mitigation strategy, it is likely (25% to 75%) and capable of happening in the next 24 months. |
| LOW | An incident of noncompliance and/or the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on operations, assets, or people. | Without regard to the effects of compliance controls or mitigation strategy, it is remotely possible (less than 25%) or may not be capable of happening in the next 24 months. |

Risk Heat Map (figure: a 3 x 3 grid of Impact, scored Negligible (1), Significant (3), Severe (5), against Likelihood, scored Remote (1), Probable (3), Almost Definite (5); each cell holds the product of the two scores, e.g. 15 and 25 in the top row.)

Risk Exposure Matrix

Rows are the likelihood of the residual risk, columns its consequence; each cell is likelihood x consequence and the resulting category.

| Likelihood \ Consequence | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Almost certain (5) | 5 Supplementary Issue | 10 Issue | 15 Unacceptable | 20 Unacceptable | 25 Unacceptable |
| Probable (4) | 4 Acceptable | 8 Supplementary Issue | 12 Issue | 16 Unacceptable | 20 Unacceptable |
| Possible (3) | 3 Acceptable | 6 Supplementary Issue | 9 Issue | 12 Issue | 15 Unacceptable |
| Unlikely (2) | 2 Acceptable | 4 Acceptable | 6 Supplementary Issue | 8 Supplementary Issue | 10 Issue |
| Rare (1) | 1 Acceptable | 2 Acceptable | 3 Acceptable | 4 Acceptable | 5 Supplementary Issue |

- Unacceptable: immediate action required to control the risk.
- Issue: action required to control the risk.
- Supplementary issue: action is advisable if it is cost-effective.
- Acceptable: no action required.

Risk appetite, as defined by the board (drawn on the matrix as the boundary of the Acceptable cells).

Impact and Likelihood

Risk categories and responses for residual risk, by impact against likelihood:

| | Low likelihood | High likelihood |
|---|---|---|
| High impact | Medium risk: SHARE RISK | High risk: MITIGATE & CONTROL |
| Low impact | Low risk: ACCEPT RISK | Medium risk: CONTROL RISK |
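The rating scale, the 5 x 5 exposure matrix and the impact/likelihood quadrant above are all scoring rules, so here they are as code. This is an added example for this page, not code from the original deck or from any audit product. The band cut-offs are the ones read off the matrix as printed (4 or below Acceptable, 5 to 8 Supplementary Issue, 9 to 12 Issue, 15 and above Unacceptable); treating 4 and above on the 1 to 5 scales as "high" for the quadrant, and the sample register, are assumptions of this example.

```python
"""Residual-risk scoring against the deck's rating scale, 5x5 exposure matrix
and impact/likelihood response quadrant.  Added example, not part of the deck;
in practice the Acceptable boundary is the board's risk appetite."""
from dataclasses import dataclass

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Probable": 4, "Almost certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Score bands as they fall out of the printed matrix.  (upper bound, category, action)
BANDS = (
    (4, "Acceptable", "No action required"),
    (8, "Supplementary Issue", "Action is advisable if it is cost-effective"),
    (12, "Issue", "Action required to control the risk"),
    (25, "Unacceptable", "Immediate action required to control the risk"),
)


def likelihood_band(probability, capable_within_24_months=True):
    """HIGH/MEDIUM/LOW per the rating scale: over 75% is HIGH, 25-75% MEDIUM,
    otherwise LOW.  An event that cannot happen within 24 months is LOW whatever
    its probability.  This is the inherent view: controls are deliberately ignored."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if not capable_within_24_months:
        return "LOW"
    if probability > 0.75:
        return "HIGH"
    if probability >= 0.25:
        return "MEDIUM"
    return "LOW"


def categorise(score):
    """Map a 1-25 score to (category, required action) using the matrix bands."""
    for upper, category, action in BANDS:
        if score <= upper:
            return category, action
    raise ValueError(f"score {score} is outside the 1-25 matrix")


def response(likelihood, consequence, high_from=4):
    """The four responses of the impact/likelihood quadrant.  Scoring 4 or more
    on a 1-5 scale as 'high' is an assumption of this example."""
    high_impact, high_likelihood = consequence >= high_from, likelihood >= high_from
    if high_impact and high_likelihood:
        return "MITIGATE & CONTROL"
    if high_impact:
        return "SHARE RISK"
    if high_likelihood:
        return "CONTROL RISK"
    return "ACCEPT RISK"


@dataclass(frozen=True)
class Exposure:
    risk: str
    likelihood: int      # 1-5, likelihood of the residual risk
    consequence: int     # 1-5, consequence of the residual risk

    def __post_init__(self):
        for v in (self.likelihood, self.consequence):
            if v not in range(1, 6):
                raise ValueError("likelihood and consequence are scored 1-5")

    @property
    def score(self):
        return self.likelihood * self.consequence

    @property
    def category(self):
        return categorise(self.score)[0]

    @property
    def action(self):
        return categorise(self.score)[1]


def exposure_matrix():
    """Rebuild the whole 5x5 matrix as {(likelihood, consequence): category}."""
    return {(lk, c): categorise(lk * c)[0] for lk in range(1, 6) for c in range(1, 6)}


def rank_register(exposures):
    """Highest residual exposure first: the order in which audit attention goes.
    Ties on score are broken towards the larger consequence."""
    return sorted(exposures, key=lambda e: (e.score, e.consequence), reverse=True)


# Constructed sample register (illustrative only).
SAMPLE = [
    Exposure("Wire transfer initiated without dual control", 4, 5),
    Exposure("Firewall rule base not reviewed", 3, 4),
    Exposure("Stale disaster recovery plan", 2, 5),
    Exposure("Software licence over-deployment", 2, 2),
]

if __name__ == "__main__":
    for e in rank_register(SAMPLE):
        print(f"{e.score:2d} {e.category:20s} {response(e.likelihood, e.consequence):19s} {e.risk}")
```

Note that the matrix is not symmetric in meaning even though the scores are: a score of 5 is Supplementary Issue whether it comes from a rare catastrophe or an almost certain trivial loss, but the quadrant sends the first to "share risk" (insurance, contract) and the second to "control risk", which is why both views are kept.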

EXAMPLE OF RISK-BASED AUDIT (ABR) PLANNING

Table of Contents

I. Introduction of Internal and External Audit Teams
II. Audit Risk Assessment Process and Audit Plan
III. Summary Comparison of Audit Effort in Prior Year versus Plan for the Current Year
IV. Internal Audit Schedule
V. Sample Audit Committee Deliverable
VI. Matrix for Evaluation of Audit Independence

Internal Audit Plan - Overview

The audit plan was developed using a risk-based audit approach. Utilising experience and understanding of the bank's operations as well as industry knowledge, internal audit identified auditable areas, performed a risk assessment for each of these areas, and assigned each a risk rating of high, medium or low.

Internal Audit considered the following factors, as well as knowledge of the Bank, in determining the risk rating for each auditable area:
- discussions with Bank management, which provided insight regarding issues and risks in the auditable areas;
- the potential impact that the auditable area may have on the financial position of the Bank;
- other environmental factors, such as past audit results, changes in personnel and operations, past and current emphasis by regulators, and future business strategies.

This risk assessment process will be performed on an ongoing (at least annual) basis to ensure that changing risk factors, including losses, operational changes or turnover, are continually monitored.

A cycling approach to the internal audit plan was used, whereby high-risk areas are audited annually and medium- to low-risk areas are audited over an 18 to 24 month cycle.

Risk Map - ABC Bank (figure: auditable areas plotted by significance against likelihood in four quadrants, I to IV; pink = high risk, yellow = medium risk, green = low risk. Areas plotted: Disaster Recovery; Logical Security/Security Admin.; Commercial Lending; Local Area Network; Treasury/Investments/ALM; Community Reinvestment Act; Centralized Doc. Unit; Central Services; Commercial Business Lending; IT Telecommunications; Finance; Software Licensing; Internet Conn./Firewall; Operations Support; SBA Center; New Product Development; ITI Applications; Small Business Lending; Branch Network; Real Estate Lending; Human Resources/Payroll; Loan Administration Dept.; Credit Administration; Financial Products; Appraisal Department; Marketing/Promotions; Facilities. The resulting ratings are in the summary audit plan that follows.)

Summary Audit Plan

| Audit Area | Risk Assessment | Budgeted Hours |
|---|---|---|
| Treasury/Investments/ALM | High | 300 |
| Real Estate Lending | High | 250 |
| Central Services | High | 450 |
| Commercial Business Lending | High | 250 |
| SBA Center | High | 250 |
| New Product Development | High | 160 |
| Internet Connectivity/Firewall | High | 80 |
| Centralized Documentation Unit | Medium | 450 |
| Logical Security & Security Admin | Medium | 100 |
| Local Area Networks | Medium | 80 |
| IT Telecommunications | Medium | 100 |
| Disaster Recovery Planning | Medium | 60 |
| Software Licensing | Medium | 50 |
| Finance/Accounting/Accts Payable | Medium | 250 |
| Operations Support | Medium | 200 |
| Community Reinvestment Act | Medium | 150 |
| Branch Network | Low | 450 |
| Human Resources/Payroll | Low | 150 |
| Discretionary | N/A | 400 |
| Planning, Admin & Reporting to AC | N/A | 260 |
| Follow-up on prior year audit plan | N/A | 80 |
| Total Budgeted Audit Hours | | 4,520 |

Summary Focus of Audit Effort During Prior and Current Years (figure: comparison of hours by area, prior year versus current plan.)

Significant Changes in Audit Plan from Prior to Current Year

As depicted on the preceding page, the following summarises the most significant changes in the audit plan for this year versus last:
- greater emphasis on lending activities, including the centralized documentation unit, based on the risk assessment process;
- significant re-allocation of time from the branch network to centralized/back office operational activities based on our risk assessment process; for the branch network, the focus will be on high-risk activities, including branch losses and wire initiation, among others;
- increased discretionary time for special projects;
- reduced administration time, as well as no allocation for training, vacation, or sick leave.

Internal Audit Schedule (figure: Gantt chart by month, January to December, in four quarters; legend: Planned, In Process, Completed; discretionary work to be determined.)

Branch Network: Branch 1 to Branch 8.

Business Processes/Operations: Treasury/Investments/ALM; Real Estate Lending; Central Services; Commercial Business Lending; SBA Center; Human Resources/Payroll; Centralized Documentation Unit; Finance/Accounting/Accounts Payable; Operations Support; Community Reinvestment Act; New Product Development; Follow-up on Significant Issues; Discretionary (to be determined).

Internal Audit Schedule, continued (figure: Gantt chart by month, January to December, in four quarters; legend: Planned, In Process, Completed.)

Information Technology, General: Logical Security & Security Admin.; Local Area Networks; Internet Connectivity/Firewall; Disaster Recovery Planning; Software Licensing; IT Telecommunications.

Other: Special Management Projects (to be determined); Follow-up on Significant Issues.

Internal Audit Schedule - Regulatory Compliance

Regulations Reviewed as Part of the Audit Plan

As part of our review of the identified business processes and retail branches, Internal Audit will integrate compliance testing of the following regulations: Reg B, Reg CC, Reg D, Reg DD, Reg E, Reg X, Reg Z, CRA, OFAC, HMDA and BSA. (The matrix in the original marks, for each area below, which of these regulations are tested.)

- Branch Network
- Business Processes/Operations: Real Estate Lending; Commercial Business Lending; SBA Center; Centralized Documentation Unit; Small Business Lending; Central Services; Community Reinvestment Act

Internal Audit will coordinate with ABC Bank's Compliance Officer when determining the scope and degree of work to be performed for compliance-related issues.

Questions?
