Perencanaan Internal Audit PERTEMUAN IVV Dr Rilla Gantino

Perencanaan Internal Audit PERTEMUAN IV-V Dr Rilla Gantino, SE. , AK. , MM MAKSI-FEB

KEMAMPUAN AKHIR YANG DIHARAPKAN - Memahami 7 tahap dasar perencanaan internal audit - Memahami tahapan penyusunan audit program • Memahami Control Self Assessment

• • In cooperation with the senior management, perform the following: Conduct a preliminary risk assessment by utilizing a group interview. Gather top management input on the preliminary risk assessment. Prepare a Draft Annual Audit Plan based upon the results of the risk assessment process. Obtain the formal approval of the Audit Committee or the board. This plan will be subject to reviews during the course of audit work to ensure that the focus continues to be on the higher risk areas. In addition, the need to conduct special assignments requested from the Audit Committee and senior management may also require the deferral of planned audit work. Additional work may require additional staff and the help of specialist or consultant coming from outside the company. • N. B. : The approval of audit committee is suffice, however, where no audit committee is existing, approval of the board should be taken.

COMMUNICATION OF I/A PLAN Distribute annual audit plan to senior management. Keep senior management informed of all changes made to annual audit plan. Ensure that management is informed about the internal audit work at least a month prior to starting the work. Note that special assignments may require different procedures involving little or no notification to management. If there is any special assignment going parallel with the normal audit work, intimation should be made about the time frame for the completion of the additional assignment to audit committee and management. If there is need for additional persons in the team because of additional work, raise the requisition at most appropriate time.

CONTOH

CONTOH-CONTOH

No. Main Areas of Audit Interest – 2011 Plan 1 3 1 5 2 Major 1 1 8 Risk 1 1 0 7 3 9 Moderate 4 1 4 8 5 6 1 4 6 5 1 2 1 3 7 1 0 Insignificant Adequate Fair Poor 3 Research Management Failure of processes to effectively and efficiently coordinate the University’s research activity to meet strategic and compliance objectives. 4 Business Continuity Failure of Emergency Response, Crisis Management and Business Continuity strategies to appropriately respond to a major event 5 Budget Division Governance Failure of management, processes and systems to meet corporate objectives and compliance obligations within the RDM environment. 6 Records Management Failure to maintain corporate records to meeting compliance and reporting obligations, and corporate memory. 7 Themis Renewal Failure of the various related projects to deliver the promised business benefits. 8 ISIS (Student System) Failure of ISIS to deliver the promised business benefits. 9 IT Security & DRP Failure of IT systems. Risk Level Moderate Significant Failure of procurement activity to be effectively Procurement and efficiently implemented increasing the risk 10 Cost of wastage, fraud and non achievement of cost Containment containment targets. Failure of systems to provide appropriate coordination of maintenance, minor works and 11 P&CS Scheduling construction activity and for meeting contractual reporting obligations. Control Low High Training 2 Minor Excellent 2 Failure to provide appropriate training framework and programs increasing the risk of inappropriate staff behaviour , break of compliance obligations, and exposure to litigation. 1 2 1 5 1 1 Failure of project governance and management processes to deliver projects on time and on budget. 4 9 Primary Risk Capital Projects 1 Severe Auditable Area Ris k (1) Inherent (1) Risk (2) 12 Marketing & Communications Failure of marketing and communications strategies to achieve key objectives. 13 Financial Assurance Failure of financial systems to process transactions and enable accurate reporting. Residual registers (2) Management assessment Failure to meet key compliance obligations

Audit Planning § Audit Resource Management System (ARMS) Ø Audit universe Ø Prioritised based on five risk factors using 1 – 5 score: - Inherent risk - Residual risk - Materiality - Prior audit results (assurance) - Audit judgement (gut feel informed by business intelligence) Ø 15 % annual weighting Ø Time budget and recording Ø Report tracking

Audit Planning Audit Assurance With a devolved organisational structure “assurance” is important. Divisional Audit § Risk based § Performed at the Budget Division level § Analytical review of finance, HR and other systems data (Profiling) § Review processes and controls for efficiency and effectiveness § Business objectives being met? Where all the cultural issues play out - Consultative approach

Audit Planning Financial and Administrative Systems § Risk based § Confirm effectiveness and efficiency of key controls and processes; Finance, Purchasing Card, HR/Payroll, Students, Advance. Information Technology (IT) Audit § § § Risk based Database security controls reviews IT general controls reviews Pre- and post-implementation systems reviews Computer security reviews

Audit Planning Performance and System Reviews § Risk based § Focus on efficiency and effectiveness of what and how activities are performed § Confirm the overall focus of the operations is in line with the University's strategic and operational plans. Other Audits On request from management performance /management audits, special investigations or act in a consulting role.

Audit Planning Audit Consulting – (Knowledge Transfer / Engagement) Greater opportunity to be proactive! Where we need to move if we want to address cultural issues. New audit paradigm - meet stakeholder expectations - meet professional standards

Audit Planning Audit Consulting – (Knowledge Transfer / Engagement) cont Challenges § How to better engage / partner with stakeholders / managers? § Manage people and their egos § Maintain the fine balance between being a colleague/consultant and policeman § Remaining independent and objective § Not assuming management responsibility but educating, cajoling and what ever else it may take to get managers and all staff to take responsibility to improve the effectiveness of risk management, control and governance processes.

Audit Planning Audit Consulting – (Knowledge Transfer / Engagement) Mindset Shift § Leader & facilitator § Coach § Extrovert § Creative / innovative and energetic Overriding caveat – independence cont

Audit Planning Audit Consulting – (Knowledge Transfer / Engagement) cont Establish relationships § Get their attention § Appeal to their personnel reputational risk Face to face discussions § What are their issues? § How can audit add value for them? § Training / information deficits? § What do they need to do to achieve their goals and those of their department?

Audit Planning Consulting – Knowledge Transfer / Engagement (Cont) Planned Outcomes § Managers and staff better placed to perform their roles and meet their responsibilities § Proactively work with managers to address local issues § Take learning and apply to University wide § Communicate assurance to key stakeholders

Audit Planning Summary - Operational Emphasis § Alignment of audit plan with stakeholder expectations and the University’s strategic and operational risk profiles § Identify and incorporate key risks and the value add proposition into each audit plan § Establishing a resourcing model which incorporates staffing flexibility: cosourcing, agency staff, specialist expertise § Increased use of data extraction and manipulation for analysis to establish business profiles and areas of interest § Stakeholder engagement with emphasis on face to face interaction § Consulting, coaching and supporting § Stakeholder satisfaction

Deakin University Internal Audit Planning Process Overview

Audit Universe

Audit and Risk Planning Meeting Discuss the following: • What Internal Audit has done up to this point. • New audits/Merged audits/Removed audits to the Audit Universe. • High Residual Risk audits not planned to be covered in forthcoming year. • Proposed draft Plan forthcoming year. • Assurance map (High Residual Risks based on Risk Registers).

Example of Audits Added/New

Draft IA Plan for Forthcoming Year

Assurance Map

Master Audit Plan Submitted to ARC for Approval • Master Audit Plan is submitted at the November ARC meeting for approval. • Includes: – – – Overview of Planning methodology Overview on resources Draft Plan forthcoming year Audit Universe Assurance Map