Lecture 4: Strategic Issues in Audit Risk, 20 May 2023


The Role of Internal Audit in Overseeing Risk Management

LECTURE 4:
Challenges in Auditing Practice over Risk Management (understanding risk management, the factors that give rise to risk, the types of fraud risk, the importance of audit risk identification for the auditor); no organization is immune to fraud.
SATURDAY, 20 MAY 2023
13.00 – 16.30

• Reference:
• Presentation by Kimeu, Jones Jones Musyoki (INTERNAL AUDIT CONFERENCE: INTERNAL AUDIT & RISK ENVIRONMENTS), Mombasa Continental Beach Resort, Wednesday 20th August, 2014
Understanding Risk

The possibility that an event will occur and adversely affect the achievement of objectives.
Ref: Committee of Sponsoring Organizations (COSO) Enterprise Risk Management Framework

The chance of something happening that will have an impact upon objectives.
Ref: AS/NZS 4360:1999, Risk Management

Events that may have a positive impact represent opportunities.

Definition of Risk

• Risks can be defined as real or potential events which reduce the likelihood of achieving an organization's strategic and operational objectives.
• Risk identification is the process of determining risks that could potentially prevent the program, enterprise, or investment from achieving its objectives. It includes documenting and communicating the concerns that must receive management's attention.
Current context: risk is always present
(In today's world, change and uncertainty are constants...)

Examples across all risk types:
• Dynamic IT industry
• Reputation
• Security of confidential information
• Transparency & accountability
• Fire
• Labour strikes
• Bad press reports
Risks can arise from the following factors:

• People – fraud, vandalism, human error, strikes, miscommunication, riots etc.
• Systems – machine breakdown, internal control deficiencies, obsolescence etc.
• External factors – suppliers, customers, natural perils (earthquakes, floods) etc.
The Audit Process Model

Input:
• IA knowledge & skills
• Computers, software & IA standards
• Time & budget support
• Reputation, integrity & honesty

Process:
• IA practices & procedures (the best IA practices & procedures, in accordance with the Professional Standards & upholding the IA Code of Ethics)

Output:
• Analysis, assessment/evaluation, recommendations, consultation and information/attention for management

Outcome:
• Supporting the organization/management in carrying out its responsibilities accountably
• Encouraging effective implementation of internal control & risk management
IIA Standards: Risk Management
2010—Planning
(International Internal Audit Standards Board, September 2012)
The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.
Interpretation:
The CAE is responsible for developing a risk-based plan. The CAE takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the CAE uses his/her own judgment of risks after consideration of input from senior management and the board. The CAE must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

Ref: Bob Rudloff, CIA, CFE, CRMA, Vice President, Internal Audit, MGM Resorts International
IIA Standards: Risk Management
2010—Planning
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
• 2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems.
• 2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud.
• 2120.C1 – During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.
• 2120.C2 – Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.
• 2120.C3 – When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

Ref: Bob Rudloff, CIA, CFE, CRMA, Vice President, Internal Audit, MGM Resorts International
The Role of Internal Audit in Risk Management

• Independent appraisal of the policies, processes, and controls relating to the risk management framework, and reporting to all levels of management.
• The role of internal audit in risk management is important, but one that can also present significant challenges (source: IIA).
Fraud Triangle – Causes of Corruption (Pressure, Opportunity, and Rationalization)
Dennis Gree illustrates the key elements that cause corruption:
1. A perceived pressure (a strong push or incentive) - Disregarding ETHICS
Pressure: the drive that leads a person to commit fraud, for example mounting debts or bills, a lavish lifestyle, drug dependency, domestic problems, or plain greed. Fraud is committed for the benefit of the individual, the organization, or both; the pressures can be grouped into financial problems, bad habits, and work-related pressures.
2. A perceived opportunity
The opening that allows fraud to happen, arising from weak controls and abuse of position. It can be eliminated with better controls and procedures/SOPs, and with early detection of fraud.
3. Rationalization—some way to rationalize the fraud as acceptable
The perpetrator justifies what he does: for example, that he is doing it to make his family and loved ones happy, that hard work deserves a greater reward, that the company is already making big profits so why not take a share of it, that the organization owes it to him, that he is only borrowing the money and will pay it back, that nobody is harmed, and so on.
THE FRAUD TRIANGLE

Pressure (motivation to commit fraud):
Financial
• Greed
• Living beyond one’s means
• High bills or personal debt
• Poor credit
• Personal financial losses
• Unexpected financial needs
• Continuation/viability of business relationship
Vices
• Gambling
• Drugs
• Alcohol
• Extra-marital
Work related
• Insufficient recognition for job performance
• Dissatisfaction with job
• Fear of losing job
• Being overlooked for promotion
• Feeling undervalued
Others
• Creating the appearance of success
• Ego, power and control
• Influence of others

Opportunity (to commit and conceal fraud) – perceived opportunities:
• Lack of or circumvention of controls that prevent and/or detect fraudulent behaviour
• Inability to judge the quality of performance
• Failure to discipline fraud perpetrators
• Lack of access to information
• Ignorance, apathy, or an incapacity to detect fraud
• Lack of audit trail

Rationalisation (reasoning that justifies behaviour and eases misgivings) – common rationalisations:
• The organisation owes it to me
• I am only borrowing the money – I will pay it back
• Nobody will get hurt / this is a victimless crime
• I deserved more / deserve the perks as reasonable compensation
• It’s for a good purpose/cause
• We’ll fix the books
• Something has to be sacrificed – my integrity or my reputation
• Everyone is getting rich, so why shouldn’t I?
• The company can afford it
• It’s not really a serious matter
• There were no internal controls, so I wanted to show them how easy it was
• I wanted to improve my standard of living
• They did not treat me with respect, morale was low, so I wanted to get even
FRAUD RISK?

• The vulnerability an organization has to overcoming the interrelated elements that enable someone to commit fraud.
• The fraud triangle: the potential for fraud risk is seen in terms of pressure (a non-sharable financial need or lifestyle), opportunity, and the ability to rationalize (Fraud Theory—GONE Theory).
UNDERSTANDING RISK IN PRACTICE
• Every activity or decision carries risk, because every activity or decision we take has an objective to be achieved. Risk must be controllable so that the objective can be reached.
• Risk management is oriented toward anticipation, not reaction; it is not firefighting.
• Risk management is needed because of uncertainty. If an event is certain to occur, it is not a risk; conversely, an event that cannot possibly occur is not a risk either. But in real life nothing is certain, least of all the future; the only certainty is change, so we always face risks that may materialize if they are not anticipated properly (risk mitigation).
• A deliberate act that should not have happened is also not a risk. For example, work left unfinished out of laziness: the laziness is not a risk. Likewise, frequently arriving late at the office because one deliberately leaves late is not a risk; it is intentional.
WHAT IS RISK MANAGEMENT – DEFINITION OF ERM (ENTERPRISE RISK MANAGEMENT)
ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of the entity’s objectives.
KEY ELEMENTS OF THE DEFINITION OF RISK MANAGEMENT
1. Process: risk management is a process, not a department/division or element of the organization; it involves top management and every work unit.
2. Applied in formulating the organization's strategy or policy: every policy made must take risk management into account.
3. Identification of potential events: the risk management process must be able to recognize or identify the potential risks that may occur.
4. Managing the level of risk within what the organization can tolerate (risk appetite): risk management must ensure that the risks that may occur are kept at a level the organization can tolerate, within the agreed risk limits (not eliminating risk, because risk, however small, will occur).
5. Reasonable assurance: risk management must provide reasonable assurance, or reasonable/fair outcomes, for the strategies and policies management adopts after taking those risks into consideration.
NOTES FROM THE MALTA FORUM FOR INTERNAL AUDITORS
THE ROLE OF THE INTERNAL AUDITOR IN RISK MANAGEMENT

Core roles:
• Reviewing the management of key risks
• Evaluating the reporting of key risks
• Evaluating risk management processes
• Giving assurance that risks are correctly evaluated
• Giving assurance on the risk management process

Roles that IA should not undertake:
• Setting the risk appetite
• Imposing risk management processes
• Management assurance on risks
• Taking decisions on risk responses
• Implementing risk responses on management’s behalf
• Accountability for risk management
PROBLEM VS RISK?
Problem or crisis?
Something happening now as a consequence of past decisions or activities in the organization (for example, a previous audit finding that has not been followed up). The action taken to resolve it is called crisis or problem management, not risk management.
Risk?
A potential problem that may arise as the impact or consequence of today's decisions/activities. The action taken is to manage the risk (risk management), so that when a risk materializes it does not take the organization by surprise (no surprises, because it was anticipated) and the organization's objectives can still be achieved.
Risk management aims to ensure that risks that may occur in the future are anticipated when the decision is taken, so that the likelihood of their occurrence or the impact they cause can be reduced and the objective of the decision can reasonably be achieved.
WHY BE CONCERNED ABOUT FRAUD RISK?

• No organization is immune to fraud risk.
• Awareness of weaknesses is one key to establishing mechanisms to reduce risk.
• Risks can be internal or external.
FACTORS THAT INFLUENCE FRAUD RISK

• The nature of the business or the organization's activities (including the government sector)
• The operating environment of the business or organization
• The effectiveness of internal control
• The ethics and values of the company/organization and the people within it
WHAT IS A FRAUD RISK ASSESSMENT?

• A fraud risk assessment is a process aimed at proactively identifying and addressing an organization’s vulnerabilities to internal and external fraud.
• Its purpose is to help an organization recognize what makes it most vulnerable to fraud so that it can take proactive measures to reduce its exposure.
WHY SHOULD ORGANIZATIONS CONDUCT A FRAUD RISK ASSESSMENT?

• Improve communication about and awareness of fraud.
• Identify which activities are the most vulnerable to fraud.
• Know who (which person/work unit) puts the organization at the greatest risk of fraud.
• Develop plans/programs to mitigate fraud risk.
• Develop techniques to determine if fraud has occurred in high-risk areas.
WHY SHOULD ORGANIZATIONS CONDUCT A FRAUD RISK ASSESSMENT (cont.)
Assessing internal control:
a. Controls eliminated during restructuring
b. Controls eroded over time
c. Lack of controls in a vulnerable area
d. Nonperformance of control procedures
e. Inherent limitations of controls
The aim is to ascertain whether the control system complies with the regulations or standard operating procedures in force in the organization (for example, whether it complies with SPIP in the government sector, and also with best practices in government governance).
FRAUD RISK ASSESSMENT & THE AUDIT PROCESS

1. Prepare & deliver a report covering the results of testing the management of medium- & high-level risks, as well as the results of testing the internal control system.
What must the internal auditor do in the audit process with the results of that fraud risk assessment?
1) The auditor must validate that the organization manages medium- & high-level fraud risks (that is, the company has anticipated the impact of fraud risks whose effect is classified as medium & high).
2) Evaluate or assess whether the internal control system has been implemented effectively & efficiently.
3) Identify whether any medium- & high-level risk is being managed in a way that overrides or ignores the internal control system.
AUDIT RISK ASSESSMENT

• Audit risk assessment is a stage in the audit planning process.
• Audit risk assessment is part of the series of controls which are used to manage the integrity of an audit, and to determine when and how audits should be conducted, and by whom.

Ref: Bob Rudloff, CIA, CFE, CRMA, Vice President, Internal Audit, MGM Resorts International
AUDIT RISK
Audit risk consists of several components:
1. The first is the likelihood that a material misstatement will be made (by the auditee).
2. The risk that the misstatement will not be caught by internal controls, and
3. The risk that the misstatement will not be caught by an auditor.

Ref: Bob Rudloff, CIA, CFE, CRMA, Vice President, Internal Audit, MGM Resorts International
AUDIT RISK ASSESSMENT

• Risk assessments performed by internal auditors are entirely different from risk assessments performed by independent auditors.
• Risk assessments use various elements:
  • Changes in volume, management, technology and other factors
  • Knowledge of the business and experience
  • Time since the last audit and known issues
  • Potential of loss
  • Requests of management
  • Financial exposure (financial reporting/budget realization)

Ref: Bob Rudloff, CIA, CFE, CRMA, Vice President, Internal Audit, MGM Resorts International
Examples of issues from 9 aspects
for brainstorming the identification of fraud risk/audit risk – best practices

Business Operations
• Complexity of the operation
• Changes in the operation
• Changes in financial projections
• Nonstandard practices

Procedures
• Process breakdowns
• Segregation of duties
• Appropriateness of corrective action
• Departure from standards

Regulations
• Compliance standards
• Changes
• Monitoring and enforcement
• Relationship with regulators

Management
• Structure change
• Management’s risk appetite
• Attitude toward controls and procedures
• Tone at the top

People
• Competency
• Sufficient numbers
• Delegation of authority
• Extensive use of consultants

Financial Performance
• Pressure to meet expectations
• Debt covenants
• Changes in operating margins
• Accounting standards

Technology
• Stability
• Reliability
• Back up and recovery
• Access controls

Previous Issues
• Identified by internal audit
• Identified by independent auditors
• Identified by regulators
• Self-reported issues
BEST PRACTICE – Risk Based Internal Audits (RBIA)

RISK UNIVERSE: INTERNAL AND EXTERNAL RISKS

Definition: All risk types and categories across all business lines, functions, geographical locations and legal entities that could affect an organization.

ESTABLISH THE CONTEXT
(Figure: External Environment)

RISK UNIVERSE (Cont.)
(Figure)
RISKS AT 3 LEVELS

1. Strategic/Corporate Level Risk - Strategic alignment, Governance, Culture, Funding, etc.
2. Business Level - Organization (structure / Segregation of duties), Infrastructure, Competence, Staff attitudes, etc.
3. Transaction Level - P2P, Treasury Management, Financial Reporting, etc.
STRATEGIC / CORPORATE RISKS

• Organization structure
• Resource Allocation
• Governance
• Reputation

STRATEGIC RISKS (Cont.)

Organization structure
• Organization charts and reporting lines
• Authority and Responsibility
• Segregation of duties (SOD)

STRATEGIC RISKS (Cont.)

Resource Allocation
• Budgeting and planning
• Goal / Objective setting
• Timelines
• Metrics & Measurement

STRATEGIC RISKS (Cont.)

Governance
• Culture
• Ethical behavior
• Board effectiveness
• Succession planning
• Tone at the top

STRATEGIC RISKS (Cont.)

Reputation
• Image and Branding
• Stakeholder Relations

FINANCE RISK

• Finance/Budget Management
• Financial Reporting
• Internal Controls
• Accounting
Examples of Finance Risk
(FINANCE RISK)

Finance/Budget Management
• Cash forecast
• Liquidity
• Cash flow Management
• Analytics
Financial Reporting
• Financial Statement close process

FINANCE RISK (Cont.)

Internal Controls
• Transaction management (Initiation, approval, recording and custody)
Accounting
• Application of accounting regulations, rules and procedures
EXAMPLES OF OPERATIONAL RISK

• Infrastructure
• People
• Process
• Technology

OPERATIONAL RISK (Cont.)

Infrastructure
• Capability
• Office Space
• Assets
• Tools
• Physical Security
• Business Continuity
OPERATIONAL RISK (Cont.)

People
• Leadership – board/management expertise
• HR – responsibility & accountability
• Health & Safety
• Risk-reward alignment
• Performance Management
• Empowerment
• Mindset
• Buy-in – consensus
• Balance between revenue-driven and control-driven
• Competitor pressure
• Communication
• Sustaining vigilance

OPERATIONAL RISKS - PEOPLE

People risk supports or undermines strategy:
• alignment <within/out> of attitude, goals
• strong ERM
• within risk appetite
• scandals and collapses
OPERATIONAL RISK (Process risks)

Process
• Fraud
• Policies and Procedures
• Outsourcing
• Third Party Fraud
• Business processes

OPERATIONAL RISK (Technology risks)

Technology
• Integrity
• Accuracy
• Availability / Timeliness
• Relevance
• Restricted Access

COMPLIANCE RISKS

• Regulatory risks
• Contractual commitments (contract)
• Policies and procedures
• Code of Business Conduct
ENVIRONMENTAL RISKS

• Economic: such as donor support, skilled labor supply, forex fluctuations
• Natural Environment:
• Political: will, priorities & political stability
• Social: demographics, attitudes, tastes and preferences
• Technological (IT Risk): e.g. innovations
