Role of Internal Audit in Risk Management at PT Reinsurance ABC
Letizia Prima¹ and M. Malik¹
¹Faculty of Economics and Business, Universitas Indonesia, Depok - Indonesia
Keywords: Internal Audit, Internal Control, Risk Based Internal Audit (RBIA), Risk Management
Abstract: This study aims to analyze the role of internal audit in internal control and risk management at PT Reinsurance
ABC, as well as to provide suggestions for improving the role of internal audit in risk management. This
study used a descriptive qualitative method. The role of internal audit in internal control and
risk management is assessed based on ISO 31000:2009, the COSO-ERM Integrated Framework and the
International Standards of Internal Audit Professional Practice (IPPF) by the Institute of Internal Auditors (IIA).
The results of the analysis show that internal audit has carried out its role in helping management
achieve the company’s goals, vision and mission through activities that provide assessment or assurance
and consulting on the internal control and risk management of the company. However, the technical
assessment or assurance and the internal audit consultation of PT Reinsurance ABC currently still need to be
improved, from audit planning through to follow-up of the audit results. The role of internal audit in internal
control also needs to be improved, especially in the operational activities of PT Reinsurance ABC. Internal
audit also carries out its role in corporate risk management: it assesses and provides evaluations and
recommendations on risk management processes, but its role needs to be improved in communication,
consultation and coordination regarding the process and implementation of risk management at PT
Reinsurance ABC. Thus, internal audit will be expected to act as the third line of defense. PT Reinsurance
ABC will only examine significant risks and use the risk management process as the basis for conducting
audits in Risk Based Internal Audit (RBIA).
1 INTRODUCTION
Internal audit is an independent appraisal function
that is intended to carry out checks and evaluations
on organizational activities. According to Moeller
(2007), auditing is a term used for total service levels
from detailed checks to higher level assessments.
Internal auditing refers to the work carried out in a
company by its own employees, not by external
auditors, public accountants, or other parties such as
the government or regulators who indirectly become
part of certain companies. The internal audit plays
an important role which includes independence,
appraisal functions, the formation of a modern
internal audit organization, the implementation of
the functions of inspection and evaluation,
coordination with other functions in service
companies, and benefits for the entire organization,
all to be carefully considered by an internal auditor
(Moeller, 2007).
In order for the internal audit function to provide
added value for the company, this function must
truly understand the company's needs and risks
comprehensively. In addition, in order to obtain
maximum results, the internal auditor must be
someone who is competent and independent. To
carry out its duties to the fullest, internal audit
can no longer hold only to the old paradigm of the
watchdog, but must ensure that all company operations
are carried out to the best standards, by providing
objective and independent assurance functions, as
well as providing advice based on best practice. By
using a systematic approach and various scientific
disciplines, internal audit helps companies achieve
their goals by evaluating and increasing the
effectiveness of risk management, internal controls,
and governance processes.
The scope of audit activities is increasingly
widespread; at present it covers not only financial audits and
compliance audits, but the focus of attention is aimed
at all aspects that affect company performance and
management control, with attention paid to business
risk aspects and risk management. The shift in audit
orientation towards risk-based internal audit (RBIA) will
continue in line with the company's needs in the
future.
Prima, L. and Malik, M.
Role of Internal Audit in Risk Management at PT Reinsurance ABC.
DOI: 10.5220/0009502510431049
In Proceedings of the 1st Unimed International Conference on Economics Education and Social Science (UNICEES 2018), pages 1043-1049
ISBN: 978-989-758-432-9
Copyright © 2020 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
The reinsurance business is a unique business
because this business earns its income from
reinsurance premiums paid by insurance companies
that want to share the risk with reinsurance
companies. The premiums obtained by the company
must be processed properly so that they can fulfill
their obligations and obtain optimal profits. The
reinsurance industry is an industry that is different
from other industries in general, so that more
understanding is needed of this industry. In line with
the development of the economy and the
increasingly unique characteristics of the insurance
business, the accounting base is also expected to be
in line with the insurance company's risk
management concept. The application of good
internal control and risk management is inseparable
from the role of the company's own internal auditor.
The implementation of an effective and maximal
audit function can provide benefits and
added value for the company (Sawyer, 2006). In
addition, regulation and supervision in the insurance
business is absolutely necessary because the
insurance business is a fiduciary business. In the
insurance business, the funds entrusted by the public
to the insurance business are risk financing
transferred from individuals to the business world.
Therefore, the regulation and supervision of the
company's operations must also be well maintained
because it covers the interests of the community
(Sensi, 2006). To deal with these conditions, the
OJK (Financial Services Authority) as the
supervisory board and regulator of the financial
industry strongly supports risk management
activities to provide assurance and trust to the
public. The application of good internal control and
risk management will benefit reinsurance companies
in developing their business in Indonesia.
Based on this description, the author is interested
in writing the final work on PT. Reinsurance ABC,
which is one of the reinsurance companies in
Jakarta. In carrying out its functions, PT.
Reinsurance ABC has internal audit activities that
have not been well structured and have not been
effective in controlling business risks. There is still a
lot of overlap in the implementation of tasks
between the internal audit and the risk management
section. Therefore, the researcher conducted an
analysis of the role of the internal auditor in
carrying out internal control and risk management of
PT. Reinsurance ABC.
2 THEORETICAL FRAMEWORK
Planning, testing information in audit activities,
reporting, and follow-up of audit results are the main
technical implementation of internal audit. Based on
IPPF 2200 regarding planning assignments,
internal auditors must be able to make and develop
planning documents for assignments that include the
objectives of the audits to be carried out, in order to
provide assurance efficiently. Then, internal audit
must be able to collect and evaluate various
competent information that is useful in audit
activities and is used as audit findings, and internal
audit can provide recommendations on the audit
findings. Based on IPPF 2400 by IIA about
performance standards, internal audit must be able to
communicate the results of the assignment in the
form of an audit report. In addition, the audit
findings contained in the audit report must be
followed up, so that management can take corrective
action.
COSO (Committee of Sponsoring
Organizations) created an Internal Control -
Integrated Framework that contains the formulation
of an internal control system. The five components
of internal control are control environment, risk
assessment, control activities, information and
communication, and monitoring activities (COSO,
2009).
The risk management process according to ISO
31000: 2009 consists of five activities, namely:
1. Communication and consultation
Communication and consultation with
stakeholders must always be considered and
take place in all stages of the risk management
process.
2. Establish context
In context setting, the company describes the
company's objectives, defines internal and
external parameters that must be considered
when managing risk, and sets the scope and risk
criteria for the remaining processes.
3. Risk assessment
Risk assessment consists of risk identification,
risk analysis, and risk evaluation.
4. Risk treatment
This process looks for methods to manage risk
that are effective in accordance with the
capabilities of the company.
5. Monitoring and review
This monitoring and review process can be
carried out with regular monitoring by risk
owners, supervisors and third parties through
verification of internal and external audits.
There are eight components of risk management
according to COSO, namely:
1. Internal Environment
This assesses the company in managing risk,
determining the risks faced, and the company's
philosophy related to business ethics, value, and
integrity.
2. Objective Setting
Setting goals is done to achieve company goals.
Ensure things that can threaten the achievement
of the goals of the company and evaluate or
assess alternative options tailored to the
company's risk appetite so as not to interfere
with the objectives to be achieved.
3. Event Identification
The company needs to identify events that
contain risks or contain opportunities and those
identifications must be managed or achieved.
4. Risk Assessment
Identified events need to be analyzed to
determine the impact that will be generated and
this becomes the basis for managing these risks.
5. Risk Response
After conducting risk assessments, the company
must determine the response that will be made
to deal with these risks. Determine the risk to
assess the suitability of the company. Risk
treatment is carried out by accepting risks,
avoiding risks, transferring risk, or minimizing
the impact. Risk response is related to
determining risk appetite and risk tolerance.
6. Control Activities
Making procedures or policies in response to
risk. Response is done by accepting risks,
avoiding risks, transferring risk, or minimizing
the impact. Then, determine the procedure that
must be taken and the person responsible for the
risk. A good and structured procedure will make
it easier for the company to achieve its
objectives.
7. Information and Communication
Related information is collected and
communicated within the organization. So that
every part of the organization or company can
play a good role in accordance with their
respective responsibilities.
8. Monitoring
Monitoring is carried out on an ongoing basis
and adjustments are made if needed to deal with
changes in the company's environment.
Based on IIA, internal audit has the role of being
able to manage and assess the audit function so that
the company's internal control can run effectively
and efficiently. The management and assessment will
be stated in audit recommendations or suggestions,
starting from audit planning, testing information,
and reporting, through to follow-up of audit results.
Based on IPPF by IIA 2120, internal audit has a
role to evaluate effectiveness and make
improvements to the risk management process. The
assessment of the effectiveness of the risk
management process will take the form of an
opinion based on an internal audit evaluation which
explains the following:
1. The purpose of the organization has been
supportive and related to the mission of the
organization
2. Significant risks have been identified and assessed
3. The appropriate risk response has been chosen
and in accordance with the organization's risk
appetite
4. Relevant information about risk has been obtained
and communicated in a timely manner to all
organizational units, allowing staff, councils and
management to carry out their duties and
responsibilities.
According to Setiawati (2015), the internal audit
functions as an advisor in the risk
management process in the company. IIA (Institute
of Internal Auditors) regulates the roles that cannot
be performed by internal auditors in organizational
risk management, namely determining risk appetite,
imposing risk management processes, managing risk
insurance, making decisions in response to risks,
applying risk responses on behalf of management,
and being responsible for the risk management
process.
According to IIA (Institute of Internal Auditors),
risk-based internal audit connects internal audit with
overall risk management. Risk-based internal
auditing is a methodology used by internal auditors
to provide confidence that risk is managed to the
extent of risk that can be accepted by the company
(risk appetite).
Three Lines of Defense is a method used to
improve effective communication and coordination
in risk management, and to divide defense lines into
three parts. The first line of defense is the entire
department, the second line of defense is the
risk management department, and the third is the internal
audit department (Institute of Internal Auditors,
2009).
3 RESEARCH METHOD
In this study, researchers chose to use qualitative
descriptive research. The qualitative process is
carried out in the process of finding, collecting, and
describing the processing data obtained. This type of
research is to explain data, information, and facts
obtained from the unit of analysis, then analyze and
measure internal controls and the risk management
process based on the COSO-ERM Integrated
Framework and ISO 31000:2009 to understand the
company’s control and risk management in general.
The role of internal audit in internal control
and risk management at PT. Reinsurance ABC is then
analyzed and assessed based on the International Standards of
Internal Audit Professional Practice (IPPF) by the
Institute of Internal Auditors (IIA). The author uses a
lot of data from the company’s audit work program,
internal audit reports, and literature studies by
collecting books, scientific journals, articles, rules,
and professional standards related to internal audit and
risk management.
The unit of analysis in this study is PT.
Reinsurance ABC as a single unit of analysis. PT.
Reinsurance ABC is located in Jakarta. The scope of
this analysis is the role of internal audit in carrying
out internal control and management of PT.
Reinsurance ABC. This study provides
recommendations and improvements to the role of
internal audit in internal control and management of
PT. Reinsurance ABC. Data collection is done by
observation and interview. Direct
observation covers activities related to internal
audit activities, internal control, and also internal
audit’s role in risk management of PT. Reinsurance
ABC. The interviews were carried out with
parties who had a direct connection with the
research conducted, namely the internal audit
department and the risk management department.
4 ANALYSIS
The authority, responsibility and objectives of the
internal audit function of PT. Reinsurance ABC have
been formally defined in the IA charter or internal
audit charter, but PT. Reinsurance
ABC distributes the audit charter for its own internal
audit, and there has been no significant change to the
previous internal audit charter. There is therefore a
need for periodic updates and for the charter to be distributed to all
management organizations, tailored to the objectives
of the company. However, the tone at the top
currently supports the internal audit function and
role. Internal audit helps management achieve its
goals, vision, and mission with its activities. Internal
audit conducts assessment or assurance and
consulting on the internal control and risk management
of the company. The technical assessment or assurance
and internal audit consultation of PT. Reinsurance
ABC currently still have some shortcomings:
the audit plan of PT. Reinsurance ABC is less
systematic, and not all of the audit planning that
has been made is realized. That is because the
internal audit staff is very small, while PT.
Reinsurance ABC always plans to audit all of the
company’s departments. The head of internal audit of
PT. Reinsurance ABC is a person who is quite
experienced in his field, but the heavy workload of
auditing all departments means that he is not
effective in doing his work. Risk assessment is not
compiled based on the priority values of each
component or department, but based on previous
audit findings, and audit findings are often repeated,
so that internal audit cannot provide appropriate
recommendations that have a significant impact.
Therefore, it is necessary to add competent
internal auditors, and PT. Reinsurance ABC needs to
implement risk management in every audit plan
carried out by the company, so that internal audit’s
work becomes more effective. The audit by the
company's internal audit also needs to be based on a
good and systematic risk-based audit (RBIA), which
uses the entire risk management process, so that the
audit process is more structured. In the next stage,
transaction testing has been carried out by referring
to the audit program, but there is a lack of communication and
no documentation of the results of
clarification with the auditee. Internal audit at PT.
ABC Reinsurance is now able to communicate the
results of audit assignments in the form of audit
reports. However, at this time the auditee has not
clarified the issues for any of the things reported in
the conflict regarding matters not approved by the
auditee. As a result, the recommendations for improvement
often only go in one direction and there is no good
discussion, so the company's internal audit
must increase its consultative role. After reporting,
the internal auditor follows up on the audit
results. Follow-up of audit results has been done quite
well, but there are still corrective actions that
should have been carried out and have not been
carried out by the next audit report period.
Based on IIA performance standard 2130, the
activities carried out by internal audit, which can also be
called the role of internal audit in internal control,
must be able to evaluate the adequacy and
effectiveness of:
a. Information on Company Financial Statements
Internal audit has conducted an audit or
assessment of the accounting system and
reviews of financial statements contained in the
company. Internal audit has also made a report
on the audit. For example, internal audit checks
the recording and disclosure of investments in
the company's financial statements, and there are
a number of things that are of concern to be
improved. Internal audit also checks
taxation, treasury, and the company's
finances.
b. Company Operations
Internal audit has been able to evaluate the
adequacy of the company's operational activities
and provide recommendations for
improvements that should be made. Internal
audit reviews the SOP (Standard Operational
Procedure) by studying the applicable SOP in
the company and studying the company's
organizational structure first and mapping the
SOP which are the responsibility of each group
or department head.
c. Security of Company Assets
Internal audit has evaluated the company's
assets and carried out physical checks on the
company's assets. Internal audit also conducts
stock-taking and checks inventory items
against the company’s notes.
d. Compliance with laws, regulations, and applicable
provisions
Internal audit has evaluated compliance with
laws, regulations, and provisions applicable to
companies by obtaining copies of the
government regulations, POJK, PSAK, and
SEOJK to be examined, then comparing the
regulations with the actual conditions of PT.
Reinsurance ABC. The conclusions and
suggestions indicate that the internal audit has
carried out IIA performance
standard 2130.
Internal audit has the following roles in corporate risk
management:
1. Provide communication about risks in audit
activities
Audit findings generated in audit activities by
internal audit have been submitted to the directors.
Internal audit has also provided recommendations
for improvements that should be made on audit
findings that carry potential risks in the future. For
example, at present there is a delay in the issuance of
notes due to difficulties in obtaining accurate data
from ceding companies, which causes delays in receipt
of premiums or sessions. The internal audit provides
recommendations to reduce the number of pending
borders and speed up the time of issuing notes by
improving the engineering procedures of the
engineering department.
2. Internal audit involvement in determining the
company's risk profile in line with the company's
appetite (risk appetite)
At this time the internal audit is involved in
identifying risks for determining the risk profile
when making a risk register. But at this time, the risk
register has not been done well because there are no
facilities for making the risk register. Internal audit,
together with risk management, should be able to provide
a place for discussion or a workshop for the control self-
assessment of each department and make a risk
register that follows guidelines from risk management
so that it is more structured. Risk
appetite is sometimes determined by internal audit,
which shows an error in the role of internal audit in
the risk management process.
3. Under performance standard 2120.A1, internal
audit must be able to evaluate risk exposures related
to operations and information systems. Internal
audit has conducted risk evaluations of the
activities carried out, namely financial risk,
information technology risk, risk of assets and
liabilities, operational risk, capital risk, and
management risk. However, currently the internal
audit has not evaluated the key risk reporting
process and has not yet conducted a key risk
management review. When conducting risk
identification, internal audit often determines risk
assurance and makes decisions in response to existing
risks.
4. Under performance standard 2120.C1, internal
audit during consulting assignments should pay
attention to risks related to the purpose of the
assignment and be alert to other significant risks.
At present, the risk management process has not
been thoroughly carried out, but internal audit has
carried out consultation and insurance activities
according to IIA guidelines. Internal audit activities
always refer to the annual supervision program that
is in place in the company.
Internal control has been assessed by internal
audit, but an assessment of the effectiveness of the
company's operations has not been carried out by the
company, while there are still some shortcomings in
operational procedures, for example for receiving session
activities. PT. Reinsurance ABC needs
to improve the information technology systems that
affect the overall operations of the company. At
present, the internal control of PT. Reinsurance ABC is
not yet effective. The role of internal audit in risk
management of PT. Reinsurance ABC already
exists. The company's internal audit analyzes or
evaluates the risk management process based on ISO
31000: 2009 and the COSO framework. Internal audit
also performs its role in assessing risk, but communication and coordination
regarding risk management with all departments and
internal audit in determining and identifying key
risks need to be improved. Key risk evaluations have not been
formally disclosed in the form of documentation, so
there is a need for an evaluation of key risks that is also reviewed by
management, and for final documentation regarding the
key risks. Internal audit can actually provide
facilities for risk identification: risk management
along with internal audit should provide a discussion
or workshop space for the self-assessment of each
department and make a risk register that follows
guidelines from risk management and facilitates key
risk searches, but that has not been done. Internal
audit should also provide teaching about risk response
and not assign it to one side.
The risk management process based on ISO
31000: 2009 has seven components. The roles of staff at
PT. Reinsurance ABC in each of the company’s
risk management processes can be assigned as follows:
1. Communication and consultation: Director,
Internal Audit and Risk Management
2. Determine the context: Risk Management
3. Risk Identification: All Departments
4. Risk Analysis: Internal Audit and Risk
Management
5. Risk Evaluation: Internal Audit and Risk
Management
6. Risk Treatment: Risk Management, Internal
Audit and All Departments
7. Supervision and Review: Internal Audit
Based on the COSO-ERM framework,
there are eight components of assessment, each
carried out by an actor or executor so that the
responsibilities given are clear and structured. PT.
Reinsurance ABC can map the executor or actor of
each risk management process in COSO-ERM as
follows:
1. Internal Environment: Director (management)
2. Objective Setting: Director (management)
3. Event Identification: All Departments
4. Risk Assessment: Risk Management and
Internal Audit
5. Risk Response: Risk Management and Internal
Audit
6. Control Activities: Risk Management and All
Departments
7. Information and Communication: Director,
Internal Audit and Risk Management
8. Monitoring: Internal Audit
5 RESULTS
Good or effective internal audit can be reflected in
its role in conducting audit activities,
starting from making the internal audit (IA) charter, through audit
planning, to reporting of audit results. There are still
some shortcomings in the internal audit activities of
PT. Reinsurance ABC.
The role of internal audit of PT. Reinsurance
ABC in internal control is assessed based on the
international standards of internal audit professional
practice (IPPF) by IIA. It can be concluded that
internal audit plays a role in assessing and
improving the internal control of PT. ABC
Reinsurance to achieve company goals, as well as
providing consultations and recommendations on
weaknesses in internal controls. But until
now, internal audit has not provided a general
written assessment of the effectiveness or failure of
the company's internal controls.
The company's internal audit analyzes or
evaluates the risk management process based on ISO
31000: 2009 and the COSO-ERM Integrated
Framework, and the role of internal audit in risk
management is assessed against the international
standards of internal audit professional practice
(IPPF) by IIA. From the author's assessment and
research, the company's risk management policies
exist and are socialized within the company. But
until now the application of risk management is still
limited to a formality, with the existence of a risk
management department. Then, when there is an
error in the role of internal audit in determining risk
response, internal audit should assess the overall risk
management process and provide an assessment to
be disclosed in the internal audit report periodically.
Internal audit may not set the risk response for inherent
risk in PT. ABC Reinsurance. The role of internal
audit in risk management of PT. Reinsurance
already exists. Internal audit also performs its role in
assessing risk, but communication and coordination
need to be improved regarding the process and
implementation of risk management with all
departments and internal audit in determining and
identifying key risks.
6 CONCLUSIONS
The internal audit of PT. Reinsurance ABC is less
effective, as reflected in its role in conducting
audit activities. Audit planning is less
systematic, recommendations are inappropriate
because of less systematic risk assessment, and there is a lack of
communication and no documentation of
the results of clarification with the auditees. The
internal audit role of PT. Reinsurance ABC in
internal control is still less effective, and internal audit
has not provided a general written assessment of the
effectiveness of the company’s internal control.
The company's internal audit has been able to
conduct an analysis or assessment of the company's
risk management process based on ISO 31000: 2009
and the COSO-ERM Integrated Framework.
The role of internal audit in risk management of
PT. Reinsurance ABC is assessed based on the
international standards of internal audit professional
practice (IPPF) by IIA. From the author's assessment
and research, the company's risk management
policies exist and are socialized within the company.
But until now the implementation of risk
management is still limited to a formality, with the
existence of a risk management department. Then, at
this time there is a mistake in the role of internal
audit in determining the risk response, so
company audits need to be based
on risk-based audits (RBIA), which use the entire
risk management process, so that the audit process is
more structured and systematic. It is expected that
good risk management will form three lines of
defense for the company. Internal audit acts as the
third line of defense. Internal audit will only check
significant risks.
REFERENCES
COSO, Committee of Sponsoring Organizations of the
Treadway Commission. (2009). Internal Control
Integrated Framework: Guidance on Monitoring
Internal Control Systems Introduction. New York:
The Committee of Sponsoring Organizations of
the Treadway Commission.
ISO 31000:2009 Risk Management Principles and
Guidelines.
Moeller, Robert R. (2007). Brink’s Modern Internal
Auditing, Fifth Edition. New Jersey: John Wiley &
Sons, Inc.
Sensi, L. W. (2006). Memahami Akuntansi Asuransi
Kerugian. Jakarta: PT Prima Mitra Edukarya.
Sawyer, Lawrence B., Mortimer A. Dittenhofer, and
James H. Scheiner. (2006). Sawyer’s Internal
Auditing. Translated by Ali Akbar. 5th edition.
Book 3. Jakarta: Salemba Empat.
Setiawati, Lina. (2015). Analisis Peran Audit Internal
terhadap Good Corporate Governance, Pengendalian
Internal, dan Manajemen Risiko (Studi Kasus pada
PT. ABC). Depok: Fakultas Ekonomi Universitas
Indonesia.
The Institute of Internal Auditors (IIA). (2009).
International Standards for the Professional Practice
of Internal Auditing. www.theiia.org.