TUGAS 1

1. Sebutkan definisi internal auditing menurut IIA (dalam Bahasa Inggris dan terjemahannya) !
Jawab :
Internal auditing is an independent, objective assurance and consulting activity designed to
add value and improve an organization’s operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.
Audit internal adalah suatu aktivitas penjaminan dan konsultasi secara independent dan objektif
yang dirancang untuk menambah nilai dan meningkatkan operasi organisasi.
Audit Internal membantu organisasi mencapai tujuannya dengan pendekatan yang sistematis,
disiplin untuk mengevaluasi dan meningkatkan efektivitas manajemen risiko, kontrol, serta
proses tata kelola.
2. Gambar di bawah ini ada hubungannya dengan definisi internal auditing. Jelaskan maksud
masing-masing ‘layer’ dalam gambar dan hubungan ketiga layer !

Jawab :
Tujuan
dilakukannya audit internal adalah untuk meningkatkan efektifitas manajemen risiko,
pengendalian dan tata kelola. Gunanya yaitu untuk melindungi kepentingan publik. Dewan
Komisaris dan manajemen yang mengarahkan apa yang diinginkan oleh pemegang saham.
Tata Kelola (Governance) mencakup semua aktivitas dalam suatu organisasi, yang
didalamnya terdapat manajemen risiko.
Manajemen Risiko dilakukan untuk mengidentifikasi dan mengelola risiko yang dapat
mempengaruhi keberhasilan perusahaan. Manajemen Risiko juga mengeksploitasi peluang –
peluang yang memungkinkan kesuksesan perusahaan, maka manajemen membutuhkan
pengendalian internal untuk mengatasi hal tersebut.
 Internal Control ada di bagian paling dalam karena mewakili suatu bagian dari aktivitas
manajemen risiko.
3. a. Apa yang dimaksud dengan ‘governance’ ?
Jawab :
Governance / Tata Kelola adalah proses yang dilakukan oleh dewan direksi dan komisaris untuk
mengotorisasi, mengarahkan, mengelola dan mengawasi manajemen untuk mencapai tujuan
organisasi.
b. Jelaskan maksud gambar di bawah ini terait dengan governance ?

Jawab :

 Dewan komisaris bertanggung jawab memberikan arahan strategis dan pedoman untuk
menetapkan sasaran utama sejalan dengan model bisnis organisasi serta selaras dengan prioritas
pemangku kepentingan.
 Dewan komisaris juga dapat mempengaruhi filosofi dan pengambilan risiko organisasi.
 Pelaksanaan tata kelola sehari – hari dikerjakan oleh manajemen sehingga mungkin terjadi
kekeliruan dalam melakukan tata kelola, maka dari itu manajemen perlu arahan dari dewan
direksi dan komisaris agar pelaksanaan tata kelola dapat sesuai untuk mencapai tujuan
perusahaan dan juga dapat meminimalkan risiko.
Poin-poin dalam “Governance Umbrella” :

 Tata kelola dimulai dengan dewan direksi dan komitenya. Dewan direksi berfungsi sebagai
“payung” untuk menggambarkan pengawasan tata kelola.
 Tata kelola memberi arahan kepada manajemen, memberdayakan mereka dengan wewenang
untuk mengambil tindakan yang diperlukan untuk mencapai tujuan tersebut, serta harus
mengawasi keseluruhan hasil dari opersional.
 TUGAS 2
1. Sebutkan perbedaan antara COSO Internal Control Integrated Framework dan COSO
Enterprise Risk Management Framework !
Jawab :
 COSO ERM Framework merupakan pengembangan dari COSO Internal Integrated
Framework. Dalam COSO Internal ada 5 komponen, yaitu :
a. Lingkungan Pengendalian
b. Risk Assesment
c. Control Activities
d. Komunikasi dan Informasi
e. Monitoring
 Sedangkan dalam COSO ERM ada 8 komponen yang sudah mencakup COSO Internal
Control yaitu :
a. Lingkungan Internal
b. Penetapan Tujuan
c. Identifikasi Kejadian
d. Risk Assesment
e. Risk Response
f. Control Activities
g. Information & Communication
h. Monitoring
Perbandingan COSO Internal Control dan COSO ERM

Keterangan COSO Internal Control COSO ERM

Mempertimbangkan seluruh
Menekankan pada efektivitas
aktivitas pada semua level
Tujuan dan efisiensi organisasi pada
organisasi pada pengelolaan
unit aktivitas.
risiko.
Fokus Pada pengelolaan keuangan Pada pengelolaan risiko
Memberikan pemikiran Untuk meningkatkan
kepempinan melalui kemampuan sebuah
pengembangan kerangka perusahaan unuk
kerja & pedoman yg menyelaraskan risk appetite
komprehensif tentang dengan strategi dan arah
Fungsi COSO manajemen risiko kebijakan perusahaan
perusahaan, pengendalian sehingga dapat
internal dan pencegahan meningkatkan kualitas
kecurangan yang dirancang keputusan yang diambil
untuk meningkatkan kinerja manajemen.
organisasi.
2. Kerangka kerja (framework) COSO Enterprise Risk Management digambarkan seperti
di bawah ini. Sebutkan definisi COSO Enterprise Risk Management dan jelaskan
maksud gambar tersebut !

Jawab :
COSO ERM merupakan suatu proses yang dipengaruhi oleh dewan direksi, manajemen
perusahaan dan pemangku kepentingan lain diterapkan dalam penetapan strategi dan
keseluruhan perusahaan, dan didesain untuk mengidentifikasi kejadian potensial yang
mungkin mempengaruhi entitas dan mengelola risiko yang bisa dikendalikan untuk
menyediakan penjaminan yang layak sehubungan dengan pencapaian tujuan entitas.
Manfaat  meningkatkan kemampuan perusahaan untuk dapat menyelaraskan risk
appetite dengan strategi dan arah kebijakan perusahaan sehingga menghasilkan keputusan
yang berkualitas.
Maksud Gambar  ERM COSO dibagi ke dalam 3 dimensi yaitu komponen ERM
COSO, tipe tujuan dan tingkatan perusahaan.

 8 Komponen ERM COSO

1. Lingkungan Internal  sangat menentukan warna dari sebuah organisasi dan
memberi dasar bagi cara pandang terhadap risiko dari setiap orang dalam organisasi
tersebut. Di dalam lingkungan internal ini termasuk, filosofi manajemen risiko dan
risk appetite, nilai-nilai etika dan integritas, dan lingkungan di mana kesemuanya
tersebut berjalan.
2. Penentuan Tujuan  Tujuan perusahaan harus ada terlebih dahulu sebelum
manajemen dapat menidentifikasi kejadian-kejadian yang berpotensi mempengaruhi
pencapaian tujuan tersebut. ERM memastikan bahwa manajemen memiliki sebuah
proses untuk menetapkan tujuan ddan bahwa tujuan yang dipilih atau ditetapkan
 tersebut terkait dan mendukung misi perusahaan dan konsisten dengan risk appetite-
nya.
3. Identifikasi Kejadian  Kejadian internal dan eksternal yang mempengaruhi
pencapaian tujuan perusahaan harus diidentifikasi, dan dibedakan antara risiko dan
peluang. Peluang dikembalikan (channeled back) kepada proses penetapan strategi
atau tujuan manajemen.
4. Penilaian Risiko  Risiko dianalisis dengan memperhitungkan kemungkinan
terjadi (likelihood) dan dampaknya (impact), sebagai dasar bagi penentuan
bagaimana seharusnya risiko tersebut dikelola.
5. Respons Risiko  Manajemen memilih respons risiko –menghindar (avoiding),
menerima (accepting), mengurangi (reducing), atau mengalihkan (sharing risk) –
dan mengembangkan satu set kegiatan agar risiko tersebut sesuai dengan toleransi
(risk tolerance) dan risk appetite.
6. Kegiatan Pengendalian  Kebijakan dan prosedur yang ditetapkan dan
diimplementasikan untuk membantu memastikan respons risiko berjalan dengan
efektif.
7. Informasi dan Komunikasi  Informasi yang relevan diidentifikasi, ditangkap,
dan dikomunikasikan dalam bentuk dan waktu yang memungkinkan setiap orang
menjalankan tanggung jawabnya.
8. Pengawasan  Keseluruhan proses ERM dimonitor dan modifikasi dilakukan
apabila perlu. Pengawasan dilakukan secara melekat pada kegiatan manajemen yang
berjalan terus-menerus, melalui eveluasi secara khusus, atau dengan keduanya.

 Kedelapan komponen ini diperlukan untuk mencapai tujuan-tujuan perusahaan,

baik tujuan strategis, operasional, pelaporan keuangan, maupun kepatuhan
terhadap ketentuan perundang-undangan.
 Penerapan komponen dalam berbagai tujuan tersebut dapat dilakukan pada tingkat
entitas, divisi, unit bisnis, dan/atau cabang (subsidiary).

3. Jelaskan proses manajemen risiko termasuk bentuk-bentuk respon risiko. Manakah dari
komponen-komponen ERM yang terkait manajemen risiko !

Jawab :
Proses Manajemen Risiko :
a. Risk Identification
Proses ini meliputi identifikasi kerugian yang mungkin terjadi dalam suatu aktivitas.
Aspek penting dalam identifikasi risiko adalah mendaftar kemungkinan kerugian
yang mungkin terjadi sebanyak mungkin.
Teknik yang digunakan untuk mengidentifikasi risiko yaitu :
- Brainstorming - Informasi Bisnis
- Survey - Kelompok Kerja
- Wawancara
b. Risk Assessment
Tahap selanjutnya adalah mengukur risiko (measurement) dengan cara melihat
sebarapa besar terjadinya severity (kerusakan) dan probabilitas terjadinya risiko
tersebut. Pada tahap ini sangat penting untuk menentukan dugaan yang terbaik agar
nantinya dapat memprioritaskan dengan baik dalam implementasi perencanaan
manajemen risiko.
c. Risk Response
Proses ini dilakukan untuk memilih dan menerapkan langkah – langkah pengelolaan
risiko. Tantangan bagi manajer risiko adalah untuk menentukan portofolio yang
tepat untuk membentuk sebuah strategi yang terintegrasi sehingga risiko dapat
dihadapi dengan baik. Tanggapan risiko umumnya terbagi dalam kategori seperti
berikut:
- Risk Avoidance : Memutuskan untuk tidak melakukan aktivitas yang
mengandung risiko sama sekali
- Risk Reduction : Merupakan metode yang mengurangi kemungkinan terjadinya
suatu risiko atau mengurangi dampak kerusakan yang dihasilkan oleh suatu risiko
- Risk Transfer : Memindahkan risiko kepada pihak lain.
- Risk Deferral : Meliputi menunda aspek suatu proyek sehingga saat dimana
probabilitas terjadinya risiko tersbut kecil.
- Risk Retention : Risiko tertentu dapat dihilangkan dengan cara mengurangi
maupun mentransfer, namun beberapa risiko harus tetap diterima sebagai baigan
penting dari aktivitas.
d. Implementation
Tahap dimana strategi dan semua perencanaan dilaksanakan. Yang terpenting adalah
harus memberikan keputusan untuk memilih mana yang akan ditetapkan untuk
diimplementasi.
e. Risk Monitoring
Untuk mengetahui keefektifan respon yang telah dipilih serta untuk mengidentifikasi
adanya risiko baru yang mungkin akan muncul.

- Komponen ERM yang terkait dengan Proses Manajemen Risiko adalah :

a. Penetapan Tujuan
b. Event Identification
c. Risk Assesment
d. Risk Response
 MULTIPLE CHOICE
CHAPTER 3
1. Which of the following is not an appropriate
governance role for an organization’s board of
directors?
a. Evaluating and approving strategic objectives.
b.Infuencing the organization’s risk-taking
philosophy.
c. Providing assurance directly to third
parties that the organization’s governance
processes are effective.
d. Establishing broad boundaries of conduct,
outside of which the organization should not
operate.
2. Which of the following are typically governance
responsibilities of senior management?
I. Delegating risk tolerance levels to risk
managers.
II. Monitoring day-to-day performance of
specific risk management activities
III. Establishing a governance committee of the
board.
IV. Ensuring that sufficient information is
gathered to support reporting to the board.
a. I and IV
b. II and III
c. I, II, and IV
d. I, II, III and IV
3. ABC utility company sells electricity to
residential customers and is a member of an
industry association that provides guidance to
electric utilities, lobbies on behalf for the
industry and facilitates sharing among its
members. From ABC's perspective, what type of
stakeholder is the industry association?
a. Directly involved the operation of the
company.
b. Interested in the success of the company.
c. Influences the company
d. Not a stakeholder
4. Who is responsible for establishing the strategic
objectives of an organization ?
a. The board of directors
b. Senior management
c. Consensus among all levels of management
d. The board and senior management jointly
5. Who is ultimately responsible for identifying new
or emerging key risk areas that should be
covered by the organization's governance
process?
a. the board of directors
b. senior management
c. risk owners
d. the internal audit function
6. The Internal Audit function should not:
a. Assess the organization's governance and risk
management processes
b. Provide advice about how to improve the
organization's governance and risk management
processes.
c. Oversee the organization's governance and
risk management processes
d. Coordinate its governance and risk
management-related activities with those of the
independent outside auditor.
7. Which of the following would not be considered
a First line of defense in the Three Lines of
Defense model?
a. A divisional controller conducts a peer
review of compliance with financial control
standards.
b. An accounts payable clerk reviews supporting
documents before processing an invoice for
payment.
c. An accounting supervisor conducts a monthly
review to ensure all reconciliations were
completed properly.
d. A production line worker inspects finished
goods to ensure the company's quality standards
are met.
8. Which of the following would be considered a
first line of defense in the Three Lines of Defense
model?
a. An accounts payable supervisor conducting
a weekly review to ensure all payments were
issued by the required payment date
b. A divisional compliance and ethics officer
conducting a review of employee training
records to ensure that all marketing and sales
staff have completed the required FCPA training
c. The external audit team observes the counting
of inventory on December 31
d. An internal audit team conducting an
engagement to provide assurance on the
company's Sarbanes-Oxley compliance with
internal controls over financial reporting
9. Which of the following would be considered a
second line of defense in the Three Lines of
Defense Model?
a. An accounts payable supervisor conducting a
weekly review to ensure all payments were
issued by the required payment date
b. A divisional compliance and ethics officer
conducting a review of employee training
records to ensure that all marketing and sales
staff have completed the required FCPA
training
c. A shift supervisor inspecting a sample of
finished goods to ensure quality standards are
met
d. An internal audit team conducting an
engagement to provide assurance on the
company's Sarbanes-Oxely compliance with
internal controls over financial reporting.
10. Companies in industries that are heavily
regulated may be subject to audits by the
regulators auditors. while not specifically
covered in the tree lines of defense model, such
auditors would most likely be considered:
a. part of the first line of defense
b. part of the second line of defense
c. part of the third line of defense
d. not a line of defense
11. Which of the following is not a role of the
internal audit function in best practice
governance activities ?
a. support the board in enterprise wide risk
assessment
b. ensure the timely implementation of audit
recommendations
c. monitor compliance with the corporate code
of conduct
d. discuss areas of significant risks
12. Which of the following statements regarding
corporate governance is not correct?
a. corporate control mechanisms include
internal and external mechanisms
b. the compensation scheme for management is
part of the corporate control mechanisms
c. the dilution of shareholders' wealth resulting
from employee stock options or employee
stock bonuses is an accounting issue rather
than a corporate governance issue
d. the internal audit function of a company
has more responsibility than the board for
company's corporate governance.
13. What types of business events tend to drive new
legislation and guidance?
a. economic downturns
b. fraud or other corporate wrongdoing
c. elections or other political changes
d. economic growth
14. Which of the following represents the best
governance structure ?
Operating Executive Internal
Management Management Auditing
a. responsibility for risk; oversight role;
advisory role
b. oversight role; responsibility for risk;
advisory role
c. responsibility role; advisory role; oversight
role
d. oversight role; advisory role; responsibility
for risk
CHAPTER 1
1. Which of the following are components of the
definition of internal auditing?
A) Independent, and objective
B) Systematic & Disciplined approach
C) Helping the organization accomplish its
objectives
D) All of the above
2. Assurance, Insight, and Objectivity comprise?
A) The Mission of internal audit
B) The three lines of defense model
C) The objectivity of internal auditing
D) The value proposition
3. Independent outside auditors provide financial
reporting assurance services, primarily for:
A) The benefit of third parties
B) Manangement
C) Board of Directors
D) The CEO
4. AVF Company's new CFO has asked the
company's CAE to meet with him to discuss the
role of the internal audit function. The CAE should
inform the CFO that the overall responsibility of
internal auditing is to:
a. Serve as an independent assurance and
consulting activity designed to add value and
improve the company's operations.
b. Assess the company's methods for safeguarding
its assets and, as appropriate, verify the existence
of the assets.
c. Review the integrity of financial and operating
information and the methods used to accumulate
and report information.
d. Determine whether the company's system of
internal controls provides reasonable assurance
that information is effectively and efficiently
communicated to management.
5. Which of the following statements is not true
about business objectives?
a. Business objectives represent targets of
performance.
b. Establishing meaningful business objectives is a
prerequisite to effective internal control
c. Establishing meaningful business objectives is a
key component of the management process.
d. Business objectives are management's means
of employing resources and assigning
responsibilities.
6. Within the context of internal auditing, assurance
services are best defined as:
a. objective examinations of evidence for the
purpose of providing independent assessments.
b. advisory service intended to add value and
improve an organization's operations.
c. professional activities that measure and
communicate financial and business data.
d. objective evaluations of compliance with
policies, plans, procedures, laws and regulations.
7.Which of the following is mandatory guidance
within the IPPF?
A) Implementation guidance
B) supplemental guidance
C) The value proposition
D) The core principles
8. Which of the following is recommended guidance
within the IPPF?
A) The Definition of Internal Auditing
B) The Standards
C) Supplemental Guidance
D) None of the above
9. The Internal Audit Foundation exists to help audit
leaders, practitioners, students and academics
experience continuous growth in their careers to
propel them to become:
A) Strong assurance providers
B) Trusted advisors
C) Independent outside auditions
D) CAEs
10. Which of the following is one of the 5 Cs
essential to success as an internal auditor?
A) Courage
B) Consistency
C) Collaboration
D) Candidness
11. Which of the following is a framework that can
help individual internal auditors and internal
audit functions assess their current competency
levels and identify areas for improvement?
A) Internal Control - Integrated Framework
B)International Professional Practices
Framework
C) The Global Internal Auditor Competency
Framework
D) Entreprise Risk Management Framework
12.Internal auditors must have competent
interpersonal skills. Which of the following does
not represent skills. Which of the following does
not represent attributes of interpersonal skills?
A) Communication
B) Leadership
C) Project Management
D) Team Capabilities
13. While planning an internal audit, the internal
auditor obtains knowledge about the auditee to,
among other things:
a. develop an attitude of professional skepticism
about management's assertions
b. develop an understanding of the auditee's
objectives and risks.
c. make constructive suggestions to management
concerning internal control improvements.
d. evaluate whether misstatements in the
auditee's performance reports should be
communicated to senior management and the
audit committee.
14.Which of the following is the premier
certification sponsored by The IIA?
A) Certification in Control Self-assessment
B) Certified Internal Auditor
C)Certification in Risk Management Assessment
D) Certified Information System Auditor
15. Which of the following is the ultimate position
of a career internal auditor?
A) CEO
B) CFO
C) CRO
D) CAE
CHAPTER 2
1. A primary purpose of the standards is to:
a. Promote coordination of internal and external
audit efforts
b. Establish a basis for evaluating internal audit
performance
c. Develop consistency in internal audit practices
d. Provided a codification of existing practices
2. Which of the following are "mandatory guidance"
in The IIA's IPPE?
I. Implementation Guides
II. The code of ethics
III. The definition of internal auditing
IV. The Standards
a. I, II, and IV
b. II and IV
c. II, III, and IV
d. I, II, III, and IV
3. An internal auditor provides income tax services
during the tax season. Which activity would the
auditor most likely be considered in violation of
the IIA's Code of Ethics?
A) Preparing, for a fee, a division manager's
personal tax returns
B) Appearing on a local radio show to discuss
retirement planning and tax issues.
C) Receiving a stipend for teaching an evening tax
class at the local junior college
D) Working on weekends for friend who has a
small CPA firm
4. An internal auditor is auditing a division in which
the division's CFO is a close personal friend. The
auditor learns that the friend is to be replaced after
a series of critical contract negotiations with the
Department of Defense. The auditor relays this
information to the friend. Which principle of The
IIA's Code of Ethics has been violated?
a. Integrity
b. Objectivity
c. Confidentiality
d. Privacy
5. The IIA's Standards require internal auditors to
exercise due professional care while conducting
assurance engagements. Which of the following is
not something an internal auditor is required to
consider in determining what constitutes the
exercise of due care in an assurance engagement of
treasury operations?
a. the audit committee has requested assurance on
the treasury function's compliance with a new policy
on use of financial instruments
b. treasury management has not instituted any risk
management policies
c. the independent outside auditors have
requested to see the engagement report and
working papers.
d. the treasury function just completed
implementation of a new real-time investment
tracking system
6. In which of the following situations does the
internal auditor potentially lack objectivity?
a. A payroll accounting employee assists an
internal auditor in verifying the physical inventory
of small motors
b. An internal auditor discusses a significant issue
with the vice president to whom the auditee reports
prior to drafting the audit report
c. A former purchasing assistant performs a review
of internal controls over purchasing four months
after being transferred to the internal audit
department
d. An internal auditor recommends standards
of control and performance measures for a
contract with a service organization for the
processing of payroll and employee benefits.
7. Which of the following is/are components of the
Standards?
I. Statements
II. Interpretations
III.The glossary
a. I only
b. I and II
c. I and III
d. I, II, and III
8. According to the standards, which of the 12. To determine what needs to be done regarding
following must the internal audit manager think follow-up on an assurance engagement the
about when considering appropriate due care while internal audit staff just completed, one would
planning an assurance engagement? consult:

a. the opportunity to cross-train internal audit staff
b. the cost of assurance in relationship to
potential benefits
c. job openings in the area that may be of interest
to internal auditors assigned to the engagement
a. the attribute standards: assurance services
implementation standards
b. the performance standards: consulting
services implementation standards
c. the attribute standards: consulting services

d. the potential to deliver consulting services to the d. the performance standards: assurance
auditee services implementation standards

9. Which of the following types of IPPF guidance 13. In addition to the Standards, some internal audit
require(s) an exposure? departments follow other standards in
conducting their work, either because of
I. A new Implementation Guide regulatory requirements or by choice. When
II. A new Standard these other standards are inconsistent with IIA
III. A new supplemental Guidance for auditing Standards, what should the audit department do?
cbyersecurity
IV. A new definition in the Standards Glossary a. follow IIA standards
a. III only
b. follow the other standards
b. II and IV
c. follow the standard that is least restrictive
c. II, III, and IV
d. follow the standard that is most restrictive
d. I, II, III, and IV

10. Which of the following are required of the

internal audit function per the Standards?

a.Evaluate the effectiveness of the audit committee

annually?

b. Issue an overall opinion on the adequacy of

the organization's system, of internal controls
annually

c.Obtain an annual representation from

management acknowledging management's
responsibility for the design and implementation
of internal controls to prevent illegal acts.

d.Assess whether the IT governance of the

organization sustains and supports the
organization's strategies and objectives

11. Which of the following is a core principle for the

professional practice of internal auditing?

a. Maintain Confidentiality

b. Promote an ethical culture in the internal audit

profession

c. Develop consistency in internal audit practices

d. Is appropriately positioned and adequately

resourced