Group 4
Bob Aldi (1706089721)
Dewa Wiyoga (1706998353)
Evan Soesanto (1706089803)
Chapter 2 Internal Audit's Common Body of Knowledge
History of CBOK
Start with a question: "What do I need to know to become an experienced, qualified, and well-respected internal auditor?"
Victor Brink introduced a book that described internal audit knowledge areas.
Other authors have tried to define internal auditor knowledge requirements over the years, but without a clear result.
There is still no recognized minimal set of internal audit knowledge requirements.
William G. Bishop, President of the Institute of Internal Auditors, proposed a CBOK.
No CBOK was created before his passing in 2004.
What is a Common Body of Knowledge?
A CBOK for any profession defines the minimum level of proficiency needed for effective performance within that profession.
For example, the Bank Administration Institute (BAI; www.bai.org) has released a CBOK for banking industry risk professionals, risk management being an important knowledge area in banking.
Internal Audit's CBOK
is a concept that treats Internal Audit as a profession within a framework of knowledge.
As a profession, it is governed by a standard, the Internal Audit Professional Standards (SPAI), which consist of a Code of Ethics, Attribute Standards, and Performance Standards.
That knowledge framework forms the conceptual foundations and serves as the standard for education, training, recruitment, and competency testing for anyone who wants to work in the Internal Audit profession.
A CBOK will help us:
More clearly understand how internal auditing is being practiced around the world
Update our professional Standards
Look closely at the framework of the profession
The IIA Research Foundation (IIARF) launched a major effort in 2006 to develop such a CBOK for the internal audit profession. Its preliminary result, dated 2008, was published in a mid-2007 research study.
Although called a CBOK, the IIARF's approach was not to define any set of internal audit common knowledge best practices but to survey what internal auditors were doing at the time of the study's publication, country by country, in the practice of internal auditing.
The study had the following objectives, to document:
The knowledge and skills that internal auditors possess
The skill and organizational levels used for the practice of internal auditing work
The actual duties performed by internal auditors
The structure of internal audit organizations
The types of industries that practice internal audit
The regulatory environment of various countries
The IIA has stated that it plans to use the results of this 2007 study to improve future standards, procedures, and other offerings, including revised internal audit certifications and examinations, revised standards, and other internal audit publications.
Survey Demographics
The IIARF CBOK surveys were assembled like a consumer-type survey, where participants were asked to respond to each question with a score ranging from 1 to 5.
The results were published as a single mean value of the various responses; no standard deviation values showed the ranges of those responses.
Example Result
Based on the result…
The IIA has stated that it plans to update the IIARF CBOK study every three years and has expressed general plans to develop and release other products and offerings to enhance and build on this internal audit CBOK.
The IIARF's CBOK is not a guide to internal auditor best practices. Rather, it describes a wide range of internal audit activities and how they are practiced.
CHAPTER 6 Risk Management: COSO ERM
Enterprises need to identify all the business risks they face and to manage these risks to an acceptable level.
Risk is a frequently used term in internal control standards and procedures. It has become a term that many internal auditors agree to consider but fail to define. One professional's concept and understanding of risk may be very different from another's.
COSO ERM is an approach that allows an enterprise and internal audit to consider and assess risks at all levels, whether in an individual area, such as an information technology (IT) development project, or in global risks, such as those surrounding an international expansion.
The emphasis is on why COSO ERM can be an important internal audit tool for better understanding and evaluating the risks surrounding internal controls at all levels.
6.1 Risk Management Fundamentals
Every enterprise exists to provide value for its stakeholders, but that value can be eroded through unexpected events at all levels of the enterprise and in all activities, ranging from day-to-day regular operations to setting strategy for some future but uncertain endeavor.
Risk management began as an insurance-related concept, where an individual or enterprise uses insurance mechanisms to obtain protection from those risks.
Enterprises today face a wide variety of risks and need tools to sort through all of them in order to make rational cost- and risk-related decisions.
An effective risk management process requires four steps: (1) risk identification, (2) quantitative or qualitative assessment of the documented risks, (3) risk prioritization and response planning, and (4) risk monitoring.
a) Risk Identification
Management should endeavor to identify all possible risks that may impact the success of the enterprise, ranging from the larger or more significant overall business risks down to the less important risks associated with individual projects or smaller business units.
The idea here is not just to list every possible risk but for an enterprise to identify those that might have a major impact on operations within a reasonable time period.
A good way to start the risk identification process is with a high-level organization chart listing corporate-level as well as operating units.
A better approach is to identify people at all levels of the enterprise to serve as risk assessors. Their goal would be to identify and then help assess risks in their units, built around a risk identification model framework.
An enterprise management team should then start with this more complete list of potential enterprise risks and ask themselves questions along the lines of:
Key Points
• ERM is a process.
• The ERM process is implemented by people in the enterprise.
• ERM is applied through the setting of strategy across the overall enterprise.
• Concept of risk appetite must be considered.
• ERM is designed to help the enterprise achieve its objectives.
• ERM-related goals and objectives are of little value unless they can be organized
6.3 COSO ERM Key Elements
a) Internal Environment Component
The COSO ERM internal environment component consists of these elements:
Risk management philosophy
Risk appetite
Board of directors attitudes
Integrity and ethical values
Commitment to competence
Organizational structure
Assignments of authority and responsibility
Human resource standards
Reporting
Reporting objectives cover the reliability of the enterprise's reporting of internal and external financial and nonfinancial data.
ERM is concerned with the risk of authorizing and releasing inaccurate reports.