IIAC - Risk Based Internal Audit


Indonesia Internal Audit Community

Developing a Risk-Based Internal Audit plan


Donny Sadono
Agenda

Introduction to RBIA: 45 mins
Workshop: 45 mins
Q&A: 30 mins
Total: 120 mins


INTRODUCTION
Online Survey - IIAC

[Chart: Survey on RBIA preparation - IIAC. Values shown: 40%, 49%, 11%. Legend: Already, Unsure, Not yet]


Why RBIA ?

Comprehensive risk-based planning enables the internal audit activity to properly align and focus its limited resources to produce insightful, proactive, and future-focused assurance and advice on the organization’s most pressing issues.
IIA – Developing a risk based Internal Audit Plan
Standards

2010 – Planning
The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity,
consistent with the organization’s goals.

Interpretation:
To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an
understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes.
The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s
business, risks, operations, programs, systems, and controls.

2010.A1 – The internal audit activity’s plan of engagements must be based on a documented risk assessment,
undertaken at least annually. The input of senior management and the board must be considered in this process.

2010.A2 – The chief audit executive must identify and consider the expectations of senior management, the board, and
other stakeholders for internal audit opinions and other conclusions.

2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the
engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted
engagements must be included in the plan.

IPPF 2017
Internal Audit Plan Development Cycle
1. Understand the organization
2. Identify, assess and prioritize risk
3. Coordination
4. Estimate resources
5. Proposed plan
6. Feedback
7. Finalize plan
8. Communicate for approval
9. Implement plan
10. Assess risk continuously
11. Respond to changes (Update Plan)
RBIA PLAN example
The guidance is general enough to apply to the circumstances, needs, and requirements of individual organizations. When
applying the guidance, internal auditors should take into account their organization’s level of maturity, especially the
degree of integration of governance and risk management. Auditors may need to adapt the guidance to the specifics of
the industries, geographic locations, and political jurisdictions in which their organizations operate.
AUDIT UNIVERSE
[Organization chart: NATURAL RESOURCE INDONESIA]

Business lines: Shipping, Logistic, Port Service, Property, Corporate function

Units shown in the chart: Container Shipping, NVOCC, Tanker, Bulk Carrier and Offshore, Ship Management, Agencies, Project Logistic, Forwarding, Inland Transport, Container Depot, Warehouse and Distribution Center, Port, Stevedore, Port Service, Travel Agent, Finance, Procurement, Information Technology, Risk Management, IT, Human Resources, Human Capital, Insurance
AUDIT UNIVERSE

Auditable units may be any “topic, subject, project, department, process, entity, function, or other area that, due to the presence of risk, may justify an audit engagement”
RISK ASSESSMENTS

| Group | Risk factor | Measures | Weight |
|---|---|---|---|
| Impact related | Loss / Material exposure | Value at risk: total annual revenue; total cost and expenses | 40% |
| Impact related | Complexity | Degree of automations; complexity of structures (numbers of employees); number of transactions | 20% |
| Likelihood related | Assurance coverage | Audit result (opinion); risk management assurance; other reviews (external, regulatory) | 35% |
| Likelihood related | Management awareness | Concern from management | 5% - 35%* |

*Depend on the level of the concern
RISK ASSESSMENTS
MEASURING RISKS

| Risk factor | 4 | 3 | 2 | 1 |
|---|---|---|---|---|
| **Material exposure** | | | | |
| Total revenue | > 220 billion | 110 to 220 billion | 20 to 110 billion | <= 20 billion |
| Total Cost | > 187 billion | 93.5 to 187 billion | 17 to 93.5 billion | <= 17 billion |
| **Complexity** | | | | |
| Degree of automations | > 3 systems | Up to 3 systems | Up to 2 systems | 1 system |
| Numbers of employees | > 101 employees | 51 to 100 employees | 21 to < 50 employees | < 21 employees |
| Number of transactions | > 1,001 inv / days | > 501 to < 1,000 inv / days | > 101 – < 500 inv / days | < 101 inv / days |
| **Assurance coverages** | | | | |
| Audit result | Weak | Need improvement | Moderate | Good |
| Risk management | 3 Crisis | > 3 high risks | 2 – 3 high risks | 1 - 2 high risks |
| Other assessments | No assessments | 1 assessments | 2 assessments | 3 assessments |
| **Assurance coverages** | | | | |
| Concerns from mgt | has specific issue and reason. | has general concerns. | No specific concerns | Demonstrate effective control |
MEASURING RISKS
RISK ASSESSMENTS
FREQUENCY AND TIMING

This value is assessed by IA


FREQUENCY AND TIMING
Audit Man-days Detail

Audit Man-days summary

TOTAL TIME CONSUMPTION: 1026 Days
AUDIT MAN-DAYS: 806 Days (79%)
OTHER ACTIVITIES: 220 Days (21%)

Available Man-days

TOTAL AVAILABLE MAN-DAYS: 1055 Days

29 DAYS
Annual Audit Plan
Schedule 2022
[Schedule columns Jan to Dec: timing marks not preserved in the text]

| No. | Audit Area – Activity | Entity |
|---|---|---|
| 1 | 1. Procurement Activities; 2. Fixed assets management | PT Simulasi Indonesia |
| 2 | 1. Revenue and procurement cycle; 2. IT SAP Application Control | PT Jaya Agencies Indonesia |
| 3 | 1. IT General Control; 2. Vendor Management | PT Bentangan Luas Logistic |
| 4 | Fuel Management | PT Lautan Biru Ship Management |
| 5 | 1. DG Cargo handling; 2. Ship Bunker (Purchase & consumption) | PT Lautan Shipping Line Ltd |
| 6 | Revenue, procurement, ops, finance | Prima Panjang Jaya |
| 7 | Parakan Gold Project | PBM Tangkas Lautan Jaya |
| 8 | Order to Cash | PT Travel Indonesia |
| 9 | Revenue, procurement, ops, finance | PT Lautan Perdana |
| 10 | General Operation review | PT Pancaran Dingin Logistik |
| 11 | Warehouse management | PT Kargo Utama |
| 12 | Finance and taxes | Lautan Shipping Line Pvt Ltd (India) |

WORKSHOP
Q&A
THANK YOU
