Internal
Audit
Internal Audit Charter
​
1. MAIN BASIC
1.1. Code of ethics published by The Institute of Internal Auditors dated June 17, 2000.
1.2. Standards for the Professional Practice of Internal Auditing issued by The Institute of Internal Auditors dated October 18, 2001.
1.3. Practices Advisory issued by The Institute of Internal Auditors.
1.4. Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of 1992 ("COSO Report").
1.5. Decision of the Chairman of Bapepam No. Kep-29/PM/2004 dated September 24, 2004 replaces the Decision of the Chairman of Capital Market Supervisory Agency (Bapepam) No. KEP-41/PM/2003 dated December 22, 2003 concerning the rules of Bapepam No. IX.I.5 on "Establishment and Implementation Guidelines Audit Working Committee".
1.6. Statement of Financial Accounting Standard.
​
2. DEFINITION AND OBJECTIVES OF INTERNAL AUDIT
It becomes the policy of the Board of Directors and the Board of Commissioners of PT. Surya Toto Indonesia, Tbk. ("STI" or the "Company") to support the Internal Audit function as a function of internal assurance and independent consulting to assist the Board of Directors and the Board of Commissioners of STI in implementing good corporate governance.
2.1. Internal Audit
2.1.1. As independent division in the STI chart of organization.
2.1.2. Contribute to enhance and improve operations of STI in order to achieve accuracy and truth of STI financial statements and provide an independent consulting and objective.
2.1.3. Using a systematic approach in evaluating and improving the effectiveness of risk internal control management and provisions as well as regulations applicable to the Company's business activities.
2.1.4. Assist management and the Company in achieving its intended purpose.
(Code of Ethics - The Institute of Internal Auditors).
2.2. Internal Audit aims to become strategic business partner of management and the Company to assist the achievement of Company objectives, Internal Audit will assist through:
​
(Internal Control Integrated Framework COSO Report).
2.2.1. Environmental Assessment of STI Control (or Control Environment are: integrity, ethical values, organizational structure and build in controls) that are the basis of the Internal Control STI as a whole.
2.2.2. Control Self Assessment / Risk Assessment
2.2.2.1. Internal Audit facilitates goal setting, identification of risk and risk management conducted by the management. (IIA Practices Advisory 2100 point 3.1).
2.2.2.2. Internal Audit assess the reliability, accuracy and validity of risk assessment undertaken to provide input to management. (IIA Practices Advisory 2100 point 3.5).
2.2.2.3. Internal Audit will give priority to area that consider by management have a high risk and provide input to Management about on effectiveness of Management in managing risk.
2.2.3. Assessment of internal control activities to improve the process of the Company's activities. (IIA Practices
Advisory 2120 and COSO Report – Internal Control Integrated Framework).
2.2.3.1. Effectiveness and Efficiency of Operations
2.2.3.2. Financial Reporting Reliability
2.2.3.3. Safeguarding of Assets
2.2.3.4. Compliance to regulations and legislation
2.2.4. In addition to assessing internal controls related to the reliability of financial reporting, Internal Audit also assess the suitability of accounting principles and policies that adopted by the STI with Statement of Financial Accounting Standard Indonesia. However, Internal Audit did not offer an opinion on the Company Financial Statements, where it is the task of the External Auditor.
2.2.5. Assessment of the adequacy and reporting processes as well as implementation of communication of risk management and internal control STI.
2.2.6. Assessment of the effectiveness of the monitoring function of internal control conducted either through: (Standards of the Professional Practice of Internal Auditing 1110 point 2.5).
2.2.6.1. Continuous supervision by the system of internal controls (embedded internal control) such financial controller, budget controller and operational controller.
2.2.6.2. Continuous assessment conducted by the above division of the department under him.
2.3. Internal Audit should cooperate with the Audit Committee in order to perform its role in accordance with existing regulations. (Bapepam No. Kep.29/PM/2004 point 3).
2.4. Internal audit should communicate and cooperate with the External auditor to ensure both audit plan give improvement to STI performance.
2.5. Internal Audit is responsible to carry out assignments that are ad-hoc and/or special which are given by the President Director or the Audit Committee as long as did not contain a conflict of interest. Assignment from the other Board of Directors members must be submitted through the President Director, the assignment from members of the Board Commissioner delivered through the Audit Committee.
​
3. ORGANIZATON OF INTERNAL AUDIT
3.1. Internal Audit is independent Division of the Company's organizational structure which is under and responsible to the President Director and report to the Audit Committee functionally (IIA Practice Advisory 1110-1 point 3).
3.2. Internal Audit Division, led by the Head of Internal Audit (Chief Internal Audit) as the Internal Audit Division which is responsible for making the Internal Audit Plan and implement internal audit function as a whole.
​
4. INTERNAL AUDIT PRINCIPLES
In carrying out their duties and responsibilities, Internal Audit Division must adhere to the principles as follows: (IIA Code of Ethics)
4.1. Integrity
Maintain high professional values and the value of specific and general ethics.
​
4.2. Independency
In conducting its duties Internal Audit do for the best interests of the Company which supports the achievement of the vision, mission and strategy STI.
4.3. Objectivity
Internal audit not allowed to have a relationship with the potential conflict of interest with the audited party, shall not engage in operational activities of the audit object and not a subordinate of the audited party.
4.4. Confidentiality
Internal Audit maintains all received any information and will not disclose information to parties who are not interested.
4.5. Competency
Internal Audit must continually improve the knowledge and skills to be able to perform the task well.
​
5. DUTIES AND RESPONSIBILITIES
Internal Audit as one of the functions of the Control and Monitoring of the Company has a duty and responsibility:
5.1. Assessing the adequacy of the Company's internal control mechanisms, risk management policies and governance systems that can help achieve the business objectives of the Company. (IIA Code of Ethics and COSO Report – Internal Control Integrated Framework).
5.2. Assessing the effectiveness of the control procedures that executed by the control system (Embedded Internal Control) in each relevant department has carried out in accordance with Corporate Policy Manual STI and Standard Operating Procedures. (COSO Report – Internal Control Integrated Framework).
5.3. Assessing the efficiency based on the Business Process Approach. (COSO Report – Internal Control Integrated
Framework) .
5.4. Assessing the reliability of financial internal controls and internal control in the process of financial reporting (financial reporting controls). (COSO Report – Internal Control Integrated Framework).
5.5. Assessing compliance of Company with prevailing laws and regulations. (COSO Report – Internal Control Integrated Framework).
5.6. Provide input to management on internal controls and Standard Operating Procedures are needed which refers to best practices.
5.7. Chief Internal Audit is responsible for making the Annual Audit Plan based on risk (Risk Based Internal Audit Plan), plans and annual staff needs (man power planning) and the Internal Audit Division budget to be submitted to the Board of Directors and Audit Committee. (Standards for the Professional Practice of Internal Auditing 1110 point 2.2).
5.8. Chief Internal Audit should conduct assessment skills, comprehension, and knowledge of audit staff in related with the audit. If the Internal Audit Division did not have the skills, understanding and knowledge sufficient for certain things then Chief Internal Audit should report to the Board of Directors and Audit Committee to appoint an independent third party. (Standards for the Professional Practice of Internal Auditing 1200).
5.9. If there is a significant change in the plans that have been submitted, the Chief Internal Audit should communicate these changes along with a revised plan to the President Director and the Audit Committee.
5.10. Chief Internal Audit is responsible to submit a report on audit activities and findings to the Board of Directors and Audit Committee. (Standards for the Professional Practice of Internal Auditing 1200).
5.11. Chief Internal Audit is responsible for monitoring plan, follow up as well as assess the adequacy of management follow-up of the suggestions and recommendations made by Internal Audit.
5.12. Chief Internal Audit is responsible to carry out assignments that are ad-hoc given either by the President Director or the Audit Committee as long as did not contain a conflict of interest. On such special assignment, Internal Audit prepared assignment letter that explains the purpose, scope and responsibilities of assignments of Internal Audit that must be signed by the assignor.
5.13. Chief Internal Audit is responsible for reporting to the President Director and the Audit Committee if the assignments are potential conflicts of interest or the Internal Audit can no longer be considered independent. In such a situation, the President Director or the Audit Committee is entitled to appoint an independent third party to perform these tasks at the expense of the Company. (IIA Practice Advisory 1130.C2).
5.14. Provide early warning to the Board of Directors and Audit Committee about the problems found in audit work has the potential to significantly affect the achievement of STI.
​
​
6. RIGHTS AND AUTHORITY
6.1. Internal Audit has the right and authority to get access to all functions within the organization, access to all documents / records, access to assets owned by STI.
6.2. Internal Audit has the right and authority to ask questions and seek clarification from the employees and management on issues related to the audit assignment.
6.3. Chief Internal Audit has a right and responsibility to assess operational and non-operational performance of company
through visits, audits and other relevant activities.
6.4. Internal Audit has the right and responsibility for communicating and discussing with the Audit Committee of significant issues that require an opinion on these inputs of the Audit Committee.
6.5. With the approval of President Director, Internal Audit is authorized to ask for help from specialists (specialized services) from outside the organization STI if resources in the Internal Audit are not sufficient to meet the audit objectives.
6.6. Internal Audit does not have the authority to:
6.6.1. Carry out the operational duties for the organization and affiliation of STI.
6.6.2. Initiate or approve accounting transactions outside of Internal Audit Division.
6.6.3. Directing the activities of employees who are not employees of Internal Audit Division of STI, except in the case of employees who have been referred to specifically refer assigned to the audit team members or to help the audit team.
​
7. TARGET AND WORKING MEASUREMENT
7.1. Internal Audit made targets, long-term and annual plans (Road Map) based on the inputs for the performance of Internal Audit Division either made by the internal (the Audit Committee and Board of Directors) and external parties who appointed by the company.
7.2. Employment target is to include but not limited to:
7.2.1. Repair of Internal Audit Working Framework (preparation of audit methodology, manuals, standardizing
paperwork, making quality assurance program and the preparation of knowledge management database.
7.2.2. Compliance with the standards issued by the IIA (manufacturing risk profile, a risk based audit plan, etc).
7.2.3. Suitability of the Internal Control - Integrated Framework issued by COSO (the understanding of business processes, identifying risks and controls as well as evaluating the adequacy of control and company standard operating procedures.
7.2.4. Development of Internal Audit resources.
7.2.5. Risk-based audit activities.
7.3. Internal Audit makes Key Performance of indicators that covering:
7.3.1. Results/conclusion.
7.3.2. An agreed standard. (IIA Standard, COSO, best practices, etc)
7.3.3. Work schedule.
​
8. RISK-BASED AUDIT APPROACH (RISK BASED AUDIT)
8.1. Internal Audit aims to become strategic business partners of the management and the Company to assist the achievement of Company goals. Internal Audit therefore must understand the objectives, business processes and the risk (what could go wrong) that can affect the efficiency and effectiveness of the Company's business processes and the achievement of Company goals.
8.2. Risk Based Audit Approach is a process by which the Internal Audit must understand the objectives, control environment business processes and associated risks to prepare the Audit Plan and conduct audits based on risk profile that has been identified and analyzed. (COSO Report - Internal Control Integrated Framework).
8.3. Identification and risk assessment/analysis conducted through Control Self Assessment (CSA) which is conducted by the Department related to the facilitated by Internal Audit. (COSO Report – Internal Control Integrated Framework).
8.4. Risk profile has becomes the basis for setting the scope, frequency of audits and the necessary resources to better focus on areas considered high risk.
8.5. Risk profile and risk assessment is something always change by the Company's internal factors (Corporate action, Plan, etc) as well as external factors (economic conditions, regulations and laws, competition, etc). Internal Audit therefore must constantly communicate with management to ensure the risk profile that is used as the basis for the audit work and plan are valid and relevant. (COSO Report – Internal Audit Integrated Framework).
8.6. Active and continuous communication with the auditee made by Internal Audit to discuss audit schedule, audit approach, scope of work and audit findings.
8.7. Application of Risk-Based Audit does not mean eliminating the compliance of audit activities. With Risk Based Audit approach, compliance audits of the Standard Operating Procedures and applicable laws and regulations focused on areas that have high risk.
​
9. ANNUAL AUDIT ACTIVITY MANAGEMENT
9.1. Planning
9.1.1. Annual Audit Plan at least including:
9.1.1.1. The area that became the focus of audit activity that is determined based on the risk profile
9.1.1.2. The scope of the audit
9.1.1.3. The frequency and schedule of audit
9.1.1.4. Resources required
9.1.2. Annual Audit Plan submitted to the Board of Directors and Audit Committee for approval.
9.1.3. Board of Directors and Audit Committee is responsible for reviewing, advising and giving approval for the Annual Audit Plan.
9.2. Implementation of Audit and Supervision (Standards for the Professional Practice of Internal Auditing in 2300)
9.2.1. Chief Internal Audit should ensure that all audit and review programs have been implemented. For each deviation (exception). If there is, must get approval from the Chief Internal Audit.
9.2.2. Chief Internal Audit should ensure that supervision and monitoring implementation of audit has been carried out by the managers and coordinators.
9.2.3. Each audit conclusions and recommendations are made based on adequate analysis, as well as examined and evaluated carefully.
9.2.4. The information obtained and used to analyze must be reliable, relevant and sufficient to make conclusions.
9.3. Reporting Audit Results (Standards for the Professional Practice of Internal Auditing in 2400)
In preparing the audit report, the Chief Internal Audit should ensure that:
9.3.1. Audit Report has been covering all the material things which if removed may affect the effectiveness and
efficiency of internal controls, risk management and good corporate governance. (Standards for the Professional Practice of Internal Auditing in 2421).
9.3.2. Except in cases of fraud, all audit findings have been discussed with the auditee to allow the auditee to respond to these findings.
9.3.3. Audit Report at least include:
9.3.3.1. Conclusions and findings of audits and other related material information. (Standards for the Professional Practice of Internal Auditing in 2410).
9.3.3.2. Recommendations and observations.
9.3.3.3. Analysis of the difficulties and obstacles as well as resources needed to implement management
recommendations made.
9.3.3.4. Results if corrective action is not taken.
9.3.3.5. The estimated period in implementing corrective measures.
9.3.4. Audit reports submitted to management 1 (one) week after the date of the audit work completed in order to get response.
9.3.5. Management responses received no later than 1 (one) week after the audit report received by the management.
9.3.6. Final audit report submitted to the Board of Directors and Audit Committee no later than 1 (one) week after the management response is received.
9.4. Monitoring of implementation progress of audit recommendations by management (COSO Report - Internal Control
Integrated Framework and Standards for the Professional of Internal Auditing in 2500)
9.4.1. For follow-up findings and recommendations, Internal Audit to register any findings and recommendations submitted to management (Standards for the Professional Practice of Internal Auditing 2500 C.1)
9.4.1.1. Made an order of priority based on the level of risk and the consequences if the recommendations are not implemented then divided into high, medium and low.
9.4.1.2. Created deadline for implementation of the recommendations.
9.4.1.3. Identified critical success factor implementation of the recommendations.
9.4.2. Delivering these registers to the Board of Directors and Audit Committee to receive input and approval.
9.4.3. Monitoring the progress towards implementation of the recommendations and submit progress reports to the Board of Directors and Audit Committee.
​
10. QUALITY/ASSURANCE PROGRAM (STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING 1300)
10.1. Internal Audit continuously improves its role to meet the needs and expectations of the auditee and related stakeholders. Therefore continuation of evaluate on an ongoing basis to ensure that in conducting internal audits in accordance with his role agreed targets, code of ethics and the Internal Audit Charter to produce and process quality audit results.
10.2. Evaluate the quality of Internal Audit performed the audit results and audit process.
10.3. Evaluation of quality can be done in the form of:
10.3.1. Internal Assessment (Standards for the Professional Practice of Internal Auditing in 1311)
10.3.1.1. Self Assessment
Evaluation conducted by the Internal Audit itself is usually done at the end of the audit process to assess compliance with management standards for audits (audits of compliance with the manual, the standard working papers, the effectiveness of audit, etc) as well as reporting the audit results. This is in addition to maintaining audit quality as well as inputs to improve the effectiveness and efficiency audits.
10.3.1.2. Internal Independent Assessment
Conducted through customer / auditee surveys to get feedback on the performance of Internal Audit. Performance is measured based on the expectations that have been agreed by management and Internal Audit.
10.3.2. External Independent Assessment (Standards for the Professional of Internal Auditing)
Evaluation conducted by external independent and competent shall done at - least one time within 5 (five) years as recommended by the Standard Practice Framework - IIA