CG Summary Session 5

Hayyin Nur Adisa
Lulu Thasya Syahida
Mentari Andini
Yuniar Nawang S.

Internal Auditing Role in Corporate Governance (IIA)

● Internal audit provides assurance by assessing and reporting on the effectiveness of
governance, risk management, and control processes designed to help the
organization achieve strategic, operational, financial, and compliance objectives.

● Internal audit provides insight by acting as a catalyst for management and the board
to have a deeper understanding of governance processes and structures.

● Internal auditing can mature to provide foresight to the organization by identifying
trends and bringing attention to emerging challenges before they become crises.

● Internal audit can add value by providing advisory and consulting services intended
to improve governance, risk management, and control processes, so long as internal
audit assumes no management responsibility.

A corporate governance practice for listed companies – sometimes mandated – is to
use audit committees to provide strengthened oversight of the financial and ethical integrity
of publicly held companies. Ideally, internal audit should report functionally to the board or
audit committee and administratively to management.

Internal audit strengthens corporate governance through risk-based audits that
provide assurance and insights on the processes and structures that drive the organization
toward success. As risks grow and become more complex, internal audit’s role is likely to
expand in areas such as risk governance, culture and behavior, sustainability, and other non-
financial reporting measures.

Institute of Internal Auditors (2013), IIA Position Paper: The Three Lines of Defense in
Effective Risk Management and Control

INTRODUCTION
Internal auditors, enterprise risk management specialists, compliance officers,
internal control specialists, quality inspectors, fraud investigators, and other risk and control
professionals work together to help their organizations manage risk.
Clear responsibilities must be defined so that each group of risk and control
professionals understands the boundaries of their responsibilities and how their positions fit
into the organization’s overall risk and control structure.
Although risk management frameworks can effectively identify the types of risks that
modern businesses must control, these frameworks are largely silent about how specific
duties should be assigned and coordinated within the organization.
The Three Lines of Defense model provides a simple and effective way to enhance
communications on risk management and control by clarifying essential roles and duties. It
provides a fresh look at operations, helping to assure the ongoing success of risk
management initiatives, and it is appropriate for any organization — regardless of size or
complexity. If a formal risk management framework or system does not exist, the Three
Lines of Defense model can enhance clarity regarding risks and controls and help improve
the effectiveness of risk management systems.

BEFORE THE THREE LINES: RISK MANAGEMENT OVERSIGHT AND STRATEGY-SETTING

In the Three Lines of Defense model, management control is the first line of defense in risk
management, the various risk control and compliance oversight functions established by
management are the second line of defense, and independent assurance is the third.

Governing bodies and senior management are the primary stakeholders served by
the “lines,” and they are the parties best positioned to help ensure that the Three Lines of
Defense model is reflected in the organization’s risk management and control processes.
Senior management and governing bodies collectively have responsibility and
accountability for setting the organization’s objectives, defining strategies to achieve those
objectives, and establishing governance structures and processes to best manage the risks
in accomplishing those objectives.

THE FIRST LINE OF DEFENSE: OPERATIONAL MANAGEMENT

The Three Lines of Defense model distinguishes among three groups (or lines)
involved in effective risk management:
● Functions that own and manage risks.
● Functions that oversee risks.
● Functions that provide independent assurance.
As the first line of defense, operational managers own and manage risks. They also are
responsible for implementing corrective actions to address process and control deficiencies.

Operational management is responsible for maintaining effective internal controls and for
executing risk and control procedures on a day-to-day basis. Operational management
identifies, assesses, controls, and mitigates risks, guiding the development and
implementation of internal policies and procedures and ensuring that activities are consistent
with goals and objectives.

Operational management naturally serves as the first line of defense because controls are
designed into systems and processes under the guidance of operational management.

THE SECOND LINE OF DEFENSE: RISK MANAGEMENT AND COMPLIANCE FUNCTIONS

Management establishes various risk management and compliance functions to help build
and/or monitor the first line-of-defense controls. The specific functions will vary by
organization and industry, but typical functions in this second line of defense include:
● A risk management function (and/or committee) that facilitates and monitors the
implementation of effective risk management practices by operational management
and assists risk owners in defining the target risk exposure and reporting adequate
risk-related information throughout the organization.
● A compliance function to monitor various specific risks such as noncompliance with
applicable laws and regulations. In this capacity, the separate function reports directly
to senior management, and in some business sectors, directly to the governing body.
Multiple compliance functions often exist in a single organization, with responsibility
for specific types of compliance monitoring, such as health and safety, supply chain,
environmental, or quality monitoring.
● A controllership function that monitors financial risks and financial reporting issues.

Management establishes these functions to ensure the first line of defense is properly
designed, in place, and operating as intended. Each of these functions has some degree of
independence from the first line of defense, but they are by nature management functions.
Management functions may intervene directly in modifying and developing the internal
control and risk systems.

The responsibilities of these functions vary on their specific nature, but can include:
● Supporting management policies, defining roles and responsibilities, and setting
goals for implementation.
● Providing risk management frameworks.
● Identifying known and emerging issues.
● Identifying shifts in the organization’s implicit risk appetite.
● Assisting management in developing processes and controls to manage risks and
issues.
● Providing guidance and training on risk management processes.
● Facilitating and monitoring implementation of effective risk management practices
by operational management.
● Alerting operational management to emerging issues and changing regulatory and
risk scenarios.
● Monitoring the adequacy and effectiveness of internal control, accuracy and
completeness of reporting, compliance with laws and regulations, and timely
remediation of deficiencies.

THE THIRD LINE OF DEFENSE: INTERNAL AUDIT

Internal auditors provide the governing body and senior management with
comprehensive assurance based on the highest level of independence and objectivity within
the organization.
Internal audit provides assurance on the effectiveness of governance, risk
management, and internal controls, including the manner in which the first and second lines
of defense achieve risk management and control objectives. The scope of this assurance
usually covers:
● A broad range of objectives, including efficiency and effectiveness of operations;
safeguarding of assets; reliability and integrity of reporting processes; and
compliance with laws, regulations, policies, procedures, and contracts.
● All elements of the risk management and internal control framework, which includes:
internal control environment; all elements of an organization’s risk management
framework (i.e., risk identification, risk assessment, and response); information and
communication; and monitoring.
● The overall entity, divisions, subsidiaries, operating units, and functions — including
business processes, such as sales, production, marketing, safety, customer
functions, and operations — as well as supporting functions (e.g., revenue and
expenditure accounting, human resources, purchasing, payroll, budgeting,
infrastructure and asset management, inventory, and information technology).

Establishing a professional internal audit activity should be a governance requirement for all
organizations. This is important for smaller entities, as they may face equally complex
environments with a less formal, robust organizational structure to ensure the effectiveness
of their governance and risk management processes. Internal audit actively contributes to
effective organizational governance providing certain conditions — fostering its
independence and professionalism — are met. Best practice is to establish and maintain an
independent, adequately and competently staffed internal audit function, which includes:

● Acting in accordance with recognized international standards for the practice of
internal auditing.
● Reporting to a sufficiently high level in the organization to be able to perform its
duties independently.
● Having an active and effective reporting line to the governing body.

EXTERNAL AUDITORS, REGULATORS, AND OTHER EXTERNAL BODIES

External auditors, regulators, and other external bodies reside outside the organization’s
structure, but they can have an important role in the organization’s overall governance and
control structure. Regulators sometimes set requirements intended to strengthen the
controls in an organization and on other occasions perform an independent and objective
function to assess the whole or some part of the first, second, or third line of defense with
regard to those requirements. External auditors, regulators, and other groups outside the
organization can be considered as additional lines of defense, providing assurance to the
organization’s shareholders, including the governing body and senior management.

COORDINATING THE THREE LINES OF DEFENSE

When assigning specific duties and coordinating among risk management functions,
however, it can be helpful to keep in mind the underlying role of each group in the risk
management process.

Risk management normally is strongest when there are three separate and clearly identified
lines of defense. However, in exceptional situations that develop, especially in small
organizations, certain lines of defense may be combined.

Senior management and governing bodies should clearly communicate the expectation that
information be shared and activities coordinated among each of the groups responsible for
managing the organization’s risks and controls. Under the ​International Standards for the
Professional Practice of Internal Auditing,​ chief audit executives are specifically required to
“share information and coordinate activities with other internal and external providers of
assurance and consulting services to ensure proper coverage and minimize duplication of
efforts.”

RECOMMENDED PRACTICES:
• Risk and control processes should be structured in accordance with the Three Lines of
Defense model.
• Each line of defense should be supported by appropriate policies and role definitions.
• There should be proper coordination among the separate lines of defense to foster
efficiency and effectiveness.
• Risk and control functions operating at the different lines should appropriately share
knowledge and information to assist all functions in better accomplishing their roles in an
efficient manner.
• Lines of defense should not be combined or coordinated in a manner that compromises
their effectiveness.
• In situations where functions at different lines are combined, the governing body should be
advised of the structure and its impact. For organizations that have not established an
internal audit activity, management and/or the governing body should be required to explain
and disclose to their stakeholders that they have considered how adequate assurance on
the effectiveness of the organization’s governance, risk management, and control structure
will be obtained.

POJK No. 56/POJK.04/2015

Definition
Internal Audit is an independent and objective assurance and consulting activity, intended
to add value and improve the company’s operations, through a systematic approach, by
evaluating and improving the effectiveness of risk management, control, and corporate
governance processes.
Position
● The Head of the Internal Audit Unit is appointed and dismissed by the president director
with the approval of the Board of Commissioners.
● The Head of the Internal Audit Unit is responsible to the president director.
● Internal auditors within the Internal Audit Unit are directly responsible to the head of the
Internal Audit Unit.
Duties, Responsibilities, and Authority
● The Internal Audit Unit has at least the following duties and responsibilities:
a. prepare and carry out the annual Internal Audit plan;
b. test and evaluate the implementation of internal control and the risk management
system in accordance with company policy;
c. examine and assess efficiency and effectiveness in the areas of finance, accounting,
operations, human resources, marketing, information technology, and other activities;
d. provide suggestions for improvement and objective information about the activities
examined to all levels of management;
e. prepare audit reports and submit them to the president director and the Board of
Commissioners;
f. monitor, analyze, and report on the implementation of the corrective follow-up that
has been recommended;
g. cooperate with the Audit Committee;
h. develop a program to evaluate the quality of the internal audit activities it performs;
and
i. conduct special examinations when needed.
● The Internal Audit Unit has at least the following authority:
a. access all relevant information about the company related to its duties and functions;
b. communicate directly with the Board of Directors, the Board of Commissioners, and/or
the Audit Committee, as well as with members of the Board of Directors, the Board of
Commissioners, and/or the Audit Committee;
c. hold regular and ad hoc meetings with the Board of Directors, the Board of
Commissioners, and/or the Audit Committee; and
d. coordinate its activities with those of the external auditor.
Internal Audit Charter
Issuers or Public Companies must have an Internal Audit charter that contains at least:
a. the structure and position of the Internal Audit Unit;
b. the duties and responsibilities of the Internal Audit Unit;
c. the authority of the Internal Audit Unit;
d. the code of ethics of the Internal Audit Unit, which refers to the code of ethics established
by the Internal Audit association in Indonesia or the Internal Audit code of ethics generally
applicable internationally;
e. the requirements for internal auditors in the Internal Audit Unit;
f. the accountability of the Internal Audit Unit; and
g. a prohibition on internal auditors and staff of the Internal Audit Unit concurrently holding
duties and positions in the execution of the company’s operational activities, whether at
the Issuer or Public Company or at its subsidiaries.

CHAPTER 1 “FINANCIAL REPORTING AND DISCLOSURE”

1. Understanding the business

2. Staying focused – complex, difficult, and riskier areas

A company generally has certain business units or areas that are much more complex
and challenging to understand than routine areas such as payroll. Management should
highlight such complex or risky areas for the audit committee. Those areas may include
hedging operations or off-balance-sheet arrangements and related information.

3. Materiality

Materiality is central to financial reporting. Management uses materiality when
evaluating whether to disclose an item, assessing whether to make a proposed
adjustment, determining the magnitude of an internal control deficiency, and deciding
whether to restate previously issued financial statements. Establishing materiality can
be quite complex. For example, some point to a “rule of thumb” quantitative threshold
(e.g., a percentage of net income or net loss) to establish materiality.

4. Accounting policies

It is critical that audit committees understand the significant accounting policies the
company uses and whether they are reasonable and appropriate. Because of the volume
and complexity of accounting standards, leading audit committees are devoting time at
meetings to ensure they understand existing accounting policies.

5. Accounting estimates

Accounting estimates represent higher financial reporting risk and require significant
judgement by management. Accordingly, the audit committee should understand which
areas involve estimates, given their effect on reported results. Management commonly
makes estimations for uncollectible accounts receivable, slow-moving or obsolete
inventory, asset impairment, pension and other postemployment benefit obligations,
income tax exposures, derivatives valuations, warranty liabilities, litigation reserves,
environmental liabilities, stock option expenses, and restructuring costs.

6. Significant changes during the reporting period

Audit committees should review significant period-to-period changes in the financial
statements. Management will need to provide substantive explanations for such changes
and for major variations between actual results and budgets or forecasts.

7. Related party transactions

A challenge for audit committees is that they may be unaware the company has entered
into transactions involving related parties, and so don’t have a good basis for
determining whether the disclosures are adequate.

8. Special items, including non-GAAP disclosures

Companies sometimes separate out particular transactions or events when reporting to
shareholders. Judgement is needed to determine what constitutes a “special” item that
should be separately communicated to financial statement users. Generally accepted
accounting principles don’t address this concept, and so such disclosures are often
outside the confines of established accounting standards. Effective audit committees
discuss unusual items with management and the external auditors.

9. Interim Financial Statements

Astute committees perform their review before the company issues the interim financial
information, rather than after the fact. During its review of interim results, an audit
committee should ask management about significant judgements and issues faced in the
period end closing and whether the interim statements were prepared on a basis
consistent with the annual financial statements. The audit committee also should discuss
the results of any external auditor review of an interim report.

10. Management disclosure committees

Management needs to ensure the financial information reported to shareholders includes
all the transactions and disclosures it should and is recorded, processed, and
summarized accurately. Audit committees should understand what processes
management uses to ensure its financial reports capture all relevant data.

11. Narrative reporting and transparency

Public companies in a number of countries must provide additional disclosure of risks
and results. External auditors are also required to communicate whether the narrative
reporting accompanying financial statements is consistent with the financial statements
and the auditors’ knowledge of the company’s results. Assessing whether the
information in narrative reports is accurate is really only part of a committee’s role.
Audit committees also should consider whether the reporting is complete.

12. Earnings guidance

Audit committees should ideally be part of the review process for such financial
information. The NYSE rules require audit committees to discuss earnings press
releases, as well as the financial information and earnings guidance provided to analysts
and rating agencies. The rules allow audit committees to have a general discussion and
do not require that the discussion be held in advance of each release.

13. Correspondence with securities regulators

It is common for securities regulators to review a company’s financial filings and to
question certain accounting or disclosures. Regulators then provide a document often
referred to as a “comment letter”, and the company typically has to respond within a
relatively short time frame. If regulators don’t consider the response to be satisfactory,
the company may have to answer additional questions. It’s important for audit
committees to understand the nature of such inquiries and be familiar with the
company’s responses. Astute audit committees review the comment letter as well as a
draft of management’s proposed responses, which generally have been discussed with
the external auditors.

14. Timing issues

Audit committees should ask management about whether any such significant events
occurred and what effect they had. The possibility that these types of events could occur
may even cause the company to reconsider the timing of the earnings release or the
filing date.

CHAPTER 2 “RISK MANAGEMENT AND THE SYSTEM OF INTERNAL CONTROL”

1. Risk Management processes

Internal control systems are designed to help companies mitigate known risks, and so audit
committees’ oversight of internal control and risk management is often intertwined.
Overseeing how management addresses risk for financial reporting is clearly in an audit
committee’s domain (and discussed later in this chapter); however, some audit committees
take broader responsibility for overseeing risk management.

With audit committees already having significant responsibilities, many audit committee
chairs and other observers are deeply concerned about charging audit committees with full
responsibility for overseeing risk management. They argue that audit committees already
have overly full plates. But while audit committees generally are not charged with overseeing
all the risks that a company faces, many do take on responsibility to oversee the process
that management uses. Those audit committees that have responsibility for overseeing the
risk management process likely will want to:

- Understand how the process works in the company
- Understand the top risks management has identified and ensure these are
communicated to the entire board as well
- Understand internal audit’s role in risk management and the extent to which its audit
plan covers the key risks
- Work with the other board committees to allocate oversight of key risks among board
committees or to the full board – to ensure that all key risks are subject to board-level
oversight.

2. Internal Control

The Sarbanes-Oxley Act requires U.S. public companies to report on internal control over
financial reporting. Companies must document, test, and evaluate these controls and
provide a report that acknowledges management’s responsibility for establishing and
maintaining adequate internal control over financial reporting, identifies the framework
management used to evaluate controls, indicates management’s conclusion regarding the
effectiveness of those controls, and describes any material weaknesses that exist.

While management is responsible for implementing effective internal control over financial
reporting, audit committees should meet periodically with individuals who are primarily
responsible for internal control over financial reporting, understand and help set the tone at
the top, discuss with management the controls in place to mitigate key financial reporting
risks, including fraud risks, focus discussions on areas of greatest potential risk, understand
how management plans to assess internal control and what role internal audit and other
related resources will play, understand the external auditors’ scope and plan to test the
controls, and meet regularly with management, internal audit, and the external auditors to
discuss status and findings (particularly significant deficiencies and material weaknesses) as
well as management’s action plan to respond appropriately.

3. Incentives and Fraud Risk

Ideally, compensation committees design compensation packages that promote ethical
behavior without compromising long-term shareholder value. Astute audit committees
question the extent to which incentives could create risk for financial reporting. And they
understand the need to consider the risk associated with compensation plans by developing
a robust understanding of compensation programs and understanding financial targets
incorporated in compensation programs and the degree to which compensation changes if
the targets are met.

4. Financial Reporting Fraud Risk

Weaknesses in internal control can make companies more susceptible to fraud. There are
many types of fraud, including misappropriation of company assets, insider trading, and
bribery. But the type of fraud that is of greatest concern for audit committees is financial
reporting fraud.

5. Bribery and Corruption Risk

Additionally, audit committees may wish to ask management whether compliance programs
specifically address the FCPA and other anti-bribery legislation and whether programs are
tailored to incorporate risk analysis, training, sanctions, monitoring, auditing, and assistance.

CHAPTER 4 “OVERSIGHT OF MANAGEMENT AND INTERNAL AUDIT”

1. Overall relationship with management

Management has deep insight into the company and its challenges, and therefore is best
positioned to recommend what information the audit committee needs.

2. Management bench strength

How does an effective committee assess the strengths and performance of key finance
managers and the broader finance team?

- First, it discusses with the CFO how he or she ensures the finance team is
appropriately qualified – and how the staff stays current with changing accounting
standards.
- Second, the committee assesses how well senior finance personnel perform based
on what it witnesses at committee meetings and how these employees respond to
queries between meetings.
- Third, it considers the confidential feedback from internal and external auditors.

3. Meeting with management

Members of management such as the chief financial officer, chief accounting officer, and
controller should attend audit committee meetings.

4. Defining internal audit’s role

Internal auditors can perform a wide variety of work.

Internal audit’s role should be reflected in its charter. A charter sets out internal audit’s
purpose, authority, reporting structure, and responsibilities and should specify the group
cannot perform responsibilities that could hinder its objectivity.

5. Internal audit plans

Internal audit bases its annual plan on its risk assessment, which ideally should match up to
key risks identified in the company’s overall risk management program.

6. Understanding internal audit resources

Some companies have their internal audit departments fully “in house”. Others outsource
most or all of the work. Many take a hybrid approach – using outside resources in selected
circumstances to make the overall function stronger.

7. Communicating audit results

Effective reports typically incorporate:

- An executive summary that concisely describes the overall state of the company’s
control environment and sets the context for the rest of the report and for the
discussion in the meeting. It should highlight any areas of significant concern
- A description of internal audit’s most significant findings, with business implications
and indication of management’s remediation plans
- A listing of the results of all audits conducted since the last report, with the current
rating and the prior rating for each audit and an indication of whether the control
environment for that area or function is improving, deteriorating, or stable
- The status of past significant audit recommendations, to allow the committee to
monitor management’s commitment to needed remediation and to understand if
repeat issues exist, which can be a sign of an ineffective process.

8. Internal audit reporting lines

The internal audit reporting line should demonstrate the highest support for internal audit’s
mandate and support its objectivity. Often internal audit reports both to executive management
and to the audit committee.

9. Internal audit leadership

The internal audit director drives the function’s effectiveness and perception in the company.
This person’s background, experience, and executive presence play a key role in whether
other executives view him or her as part of the management team and whether they hold
internal audit in high regard. The internal audit director walks a fine line, as a member of
management and as the leader of an internal group that is expected to be objective about
management.

10. Private sessions

The audit committee should hold regular private meetings with the internal audit director,
ideally at each in-person audit committee meeting. These private sessions allow more open
and candid discussion than might otherwise occur with management present.

11. Evaluating internal audit’s performance

Committees should understand how internal audit monitors its own quality. Check that audits
are conducted in accordance with the department’s standards and professional internal
auditing standards. Committees can also seek input from external auditors.
