1. State the IIA definition of internal auditing (in English and in translation).
Answer:
Internal auditing is an independent, objective assurance and consulting activity designed to
add value and improve an organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.
In translation: internal audit is an independent and objective assurance and consulting activity
designed to add value and improve an organization's operations. Internal audit helps the
organization achieve its objectives through a systematic, disciplined approach to evaluating
and improving the effectiveness of risk management, control, and governance processes.
2. The figure below relates to the definition of internal auditing. Explain what each 'layer'
in the figure means and how the three layers are related.
Answer:
The purpose of internal auditing is to improve the effectiveness of risk management, control and
governance; its use is to protect the public interest. The board of commissioners and management
direct the organization toward what the shareholders want.
Governance is the outermost layer: it covers all activities in the organization, and risk
management sits within it.
Risk management is carried out to identify and manage the risks that can affect the company's
success. Risk management also pursues the opportunities that can make the company successful;
to deal with these risks and opportunities, management needs internal control.
Internal control is the innermost layer because it represents one part of the risk management
activity.
3. a. What is meant by 'governance'?
Answer:
Governance is the process conducted by the board of directors and the board of commissioners to
authorize, direct and oversee management toward the achievement of the organization's
objectives.
b. Explain the meaning of the figure below in relation to governance.
Answer:
The board of commissioners is responsible for providing strategic direction and guidance for
setting the key objectives, in line with the organization's business model and with the
priorities of its stakeholders.
The board of commissioners can also influence the organization's philosophy and risk-taking.
Day-to-day governance is carried out by management, so mistakes in governance can occur;
management therefore needs direction from the board of directors and the board of commissioners
so that governance is carried out in a way that achieves the company's objectives and also
minimizes risk.
Points in the "Governance Umbrella":
Governance starts with the board of directors and its committees. The board serves as the
"umbrella" that depicts governance oversight.
Governance gives direction to management, empowers them with the authority to take the actions
needed to achieve those objectives, and must oversee the overall results of operations.
ASSIGNMENT 2
1. State the differences between the COSO Internal Control - Integrated Framework and the COSO
Enterprise Risk Management Framework.
Answer:
The COSO ERM Framework is an extension of the COSO Internal Control - Integrated
Framework. COSO Internal Control has 5 components:
a. Control Environment
b. Risk Assessment
c. Control Activities
d. Information and Communication
e. Monitoring
COSO ERM has 8 components, which encompass the COSO Internal Control
components:
a. Internal Environment
b. Objective Setting
c. Event Identification
d. Risk Assessment
e. Risk Response
f. Control Activities
g. Information & Communication
h. Monitoring
2. Comparison of COSO Internal Control and COSO ERM
Answer:
COSO ERM is a process, effected by the board of directors, management and other personnel,
applied in strategy setting and across the enterprise, designed to identify potential events
that may affect the entity and to manage risk to be within the entity's risk appetite, so as to
provide reasonable assurance regarding the achievement of the entity's objectives.
Its benefit is to improve the company's ability to align its risk appetite with its strategy
and policy direction, which results in better-quality decisions.
The COSO ERM figure is divided into three dimensions: the ERM components, the categories of
objectives, and the levels of the entity.
3. Explain the risk management process, including the forms of risk response. Which of the
ERM components relate to risk management?
Answer:
The risk management process:
a. Risk Identification
This step identifies the losses that could occur in an activity. An important aspect of risk
identification is listing as many possible losses as can be found.
Techniques used to identify risks:
- Brainstorming
- Surveys
- Interviews
- Business information
- Working groups
b. Risk Assessment
The next step is to measure the risk by looking at how severe the damage would be (severity)
and how probable it is that the risk occurs. At this stage it is very important to make the
best possible estimate so that the implementation of the risk management plan can be
prioritized properly.
c. Risk Response
This step selects and implements the measures for managing the risk. The challenge for the
risk manager is to determine the right portfolio of responses that forms an integrated
strategy, so that the risk can be dealt with well. Risk responses generally fall into the
following categories:
- Risk Avoidance: deciding not to carry out the risk-bearing activity at all.
- Risk Reduction: a method that reduces the likelihood that a risk occurs or reduces the
damage that the risk would cause.
- Risk Transfer: shifting the risk to another party.
- Risk Deferral: postponing an aspect of a project until a time when the probability of the
risk occurring is small.
- Risk Retention: certain risks can be eliminated by reduction or transfer, but some risks
must be accepted as an essential part of the activity.
d. Implementation
The stage at which the strategy and all the plans are carried out. The most important thing
is to decide which measures will be selected for implementation.
e. Risk Monitoring
Carried out to find out how effective the chosen responses are and to identify any new risks
that may emerge.
c. Providing assurance directly to third parties that the organization's governance processes are effective.
d. Establishing broad boundaries of conduct, outside of which the organization should not operate.
2. Which of the following are typically governance responsibilities of senior management?
I. Delegating risk tolerance levels to risk managers.
II. Monitoring day-to-day performance of specific risk management activities.
III. Establishing a governance committee of the board.
IV. Ensuring that sufficient information is gathered to support reporting to the board.
3. ABC utility company sells electricity to residential customers and is a member of an industry association that provides guidance to electric utilities, lobbies on behalf of the industry and facilitates sharing among its members. From ABC's perspective, what type of stakeholder is the industry association?
a. Directly involved in the operation of the company.
b. Interested in the success of the company.
c. Influences the company.
d. Not a stakeholder.
d. The board and senior management jointly.
5. Who is ultimately responsible for identifying new or emerging key risk areas that should be covered by the organization's governance process?
a. the board of directors
b. senior management
c. risk owners
d. the internal audit function
6. The Internal Audit function should not:
a. Assess the organization's governance and risk management processes.
b. Provide advice about how to improve the organization's governance and risk management processes.
7. Which of the following would not be considered a first line of defense in the Three Lines of Defense model?
a. A divisional controller conducts a peer review of compliance with financial control standards.
b. An accounts payable clerk reviews supporting documents before processing an invoice for payment.
c. An accounting supervisor conducts a monthly review to ensure all reconciliations were completed properly.
d. A production line worker inspects finished goods to ensure the company's quality standards are met.
8. Which of the following would be considered a first line of defense in the Three Lines of Defense model?
a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date.
b. A divisional compliance and ethics officer conducting a review of employee training records to ensure that all marketing and sales staff have completed the required FCPA training.
c. The external audit team observes the counting of inventory on December 31.
d. An internal audit team conducting an engagement to provide assurance on the company's Sarbanes-Oxley compliance with internal controls over financial reporting.
9. Which of the following would be considered a second line of defense in the Three Lines of Defense Model?
a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date.
b. A divisional compliance and ethics officer conducting a review of employee training records to ensure that all marketing and sales staff have completed the required FCPA training.
c. Review the integrity of financial and operating information and the methods used to accumulate and report information.
d. Determine whether the company's system of internal controls provides reasonable assurance that information is effectively and efficiently communicated to management.
11. Which of the following is not a role of the internal audit function in best practice governance activities?
a. support the board in enterprise-wide risk assessment
b. ensure the timely implementation of audit recommendations
c. monitor compliance with the corporate code of conduct
d. discuss areas of significant risks
12. Which of the following statements regarding corporate governance is not correct?
a. corporate control mechanisms include internal and external mechanisms
b. the compensation scheme for management is part of the corporate control mechanisms
c. the dilution of shareholders' wealth resulting from employee stock options or employee stock bonuses is an accounting issue rather than a corporate governance issue
d. the internal audit function of a company has more responsibility than the board for the company's corporate governance.
13. What types of business events tend to drive new legislation and guidance?
a. economic downturns
11. Which of the following is a framework that can help individual internal auditors and internal audit functions assess their current competency levels and identify areas for improvement?
A) Internal Control - Integrated Framework
B) International Professional Practices Framework
C) The Global Internal Auditor Competency Framework
9. The Internal Audit Foundation exists to help audit leaders, practitioners, students and academics experience continuous growth in their careers to propel them to become:
A) Strong assurance providers
B) Trusted advisors
c. make constructive suggestions to management concerning internal control improvements.
d. evaluate whether misstatements in the auditee's performance reports should be communicated to senior management and the audit committee.
14. Which of the following is the premier certification sponsored by The IIA?
A) Certification in Control Self-assessment
3. An internal auditor provides income tax services during the tax season. Which activity would the auditor most likely be considered in violation of the IIA's Code of Ethics?
A) Preparing, for a fee, a division manager's personal tax returns
B) Appearing on a local radio show to discuss retirement planning and tax issues.
C) Receiving a stipend for teaching an evening tax class at the local junior college
D) Working on weekends for a friend who has a small CPA firm
4. An internal auditor is auditing a division in which the division's CFO is a close personal friend. The auditor learns that the friend is to be replaced after a series of critical contract negotiations with the Department of Defense. The auditor relays this information to the friend. Which principle of The IIA's Code of Ethics has been violated?
a. Integrity
b. Objectivity
c. Confidentiality
d. Privacy
a. A payroll accounting employee assists an internal auditor in verifying the physical inventory of small motors
b. An internal auditor discusses a significant issue with the vice president to whom the auditee reports prior to drafting the audit report
c. A former purchasing assistant performs a review of internal controls over purchasing four months after being transferred to the internal audit department
d. An internal auditor recommends standards of control and performance measures for a contract with a service organization for the processing of payroll and employee benefits.
7. Which of the following is/are components of the Standards?
I. Statements
II. Interpretations
III. The glossary
a. I only
b. I and II
c. I and III
d. I, II, and III
8. According to the Standards, which of the following must the internal audit manager think about when considering appropriate due care while planning an assurance engagement?
a. the opportunity to cross-train internal audit staff
b. the cost of assurance in relationship to potential benefits
c. job openings in the area that may be of interest to internal auditors assigned to the engagement
d. the potential to deliver consulting services to the auditee
9. Which of the following types of IPPF guidance require(s) an exposure?
I. A new Implementation Guide
II. A new Standard
III. A new Supplemental Guidance for auditing cybersecurity
IV. A new definition in the Standards Glossary
a. III only
b. II and IV
c. II, III, and IV
d. I, II, III, and IV
12. To determine what needs to be done regarding follow-up on an assurance engagement the internal audit staff just completed, one would consult:
a. the attribute standards: assurance services implementation standards
b. the performance standards: consulting services implementation standards
c. the attribute standards: consulting services
d. the performance standards: assurance services implementation standards
13. In addition to the Standards, some internal audit departments follow other standards in conducting their work, either because of regulatory requirements or by choice. When these other standards are inconsistent with IIA Standards, what should the audit department do?
a. follow IIA standards
b. follow the other standards
c. follow the standard that is least restrictive
d. follow the standard that is most restrictive
a. Maintain Confidentiality