INTERNAL Training Root Cause Analysis & Effective Report Writing 10 December 2020 GROUP AUDIT & RISK ADVISORY INTERNAL Agenda: • The Purpose of an Audit Report • 3 Steps of Report Writing o Organizing the Issues o Writing the Issues o Editing the Issues • Audit Grading • Exit Conference INTERNAL • o o • o • o o o • • INTERNAL • • • • • • • • • • INTERNAL INTERNAL • • • → o o o • • • INTERNAL INTERNAL 3 Steps of Report Writing 1. Organizing the Issues INTERNAL • • INTERNAL • INTERNAL • INTERNAL • INTERNAL INTERNAL • • INTERNAL • • • • INTERNAL When looking for root causes the following considerations should be taken into account: INTERNAL INTERNAL Problem W1 Why 1 Why 2 Why 3 W2 Why 1a.2 Why 1b.2 Why 2a.2 Why 2b.2 Why 3a.2 Why 3b.2 W3 Why 1a.3 Why 1b.3 Why 2a.3 Why 2b.3 Why 3a.3 Why 3b.3 W4 Why 1a.4 Why 1b.4 Why 2a.4 Why 2b.4 Why 3a.4 Why 3b.4 W5 Why 1a.5 Why 1b.5 Why 2a.5 Why 2b.5 Why 3a.5 Why 3b.5 INTERNAL INTERNAL INTERNAL INTERNAL • • • • • INTERNAL INTERNAL • • • • • INTERNAL INTERNAL 3 Steps of Report Writing 2. Writing the Issues INTERNAL • • • INTERNAL INTERNAL • • • • • • • INTERNAL • • • • • INTERNAL • • • • • • INTERNAL INTERNAL 3 Steps of Report Writing 3. Editing the Issues INTERNAL INTERNAL INTERNAL INTERNAL INTERNAL INTERNAL Negative Wording Tell the reader what is, not what is not ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ INTERNAL ❑ ❑ ❑ ❑ INTERNAL Audit Grading INTERNAL INTERNAL INTERNAL INTERNAL INTERNAL Kecukupan Kontrol Effective Moderately Effective Deskripsi Controls evaluated are adequate, appropriate, and effective to provide reasonable assurance that risks are being managed and objectives should be met. • There are no major findings, irregularities or losses. There are no significant unmitigated risks to the organization as a whole • Control weaknesses are few, minor, isolated and generally low risk • May also have operational efficiency suggestions • Prior audit findings, if any, have been addressed Controls evaluated effective but there is still a little non-compliance things. • There are no major findings and losses • Management actions are aimed to improve non-compliance related to existing systems or minor improvements through changes in control Improvement Needed A few spesific control weakness were noted; generally however, controls evaluated are adequate, appropriate, and effective to provide reasonable assurance that risks are being managed and objectives should be met. • Management practices and procedures performed are generally in compliance with established policies, procedures, laws and regulations with few and minor exeptions noted • Insignificant prior audit findings, if any, may be open Significant Improvement Needed Numerous spesific control weakness were noted. Controls evaluated are unlikely to provide reasonable assurance that risks are being managed and objectives should be met • Multiple key controls are not operating as design. There are numerous significant control weaknesses in core areas • Moderately significant prior audit findings were not sufficiently addressed Weak Controls evaluated are not adequate, appropriate, or effective to provide reasonable assurance that risks are being managed and objectives should be met. • There are numerous significant control weaknesses or unacceptable trends in core areas • Overall risk exposure is unacceptable and the profitability of serious errors, fraud and non-detection occuring is high • A high risk of material financial loss, impairment of operations, and misrepresentation of financial/ operational results or substantial damage to the reputation of the organization exists • There are critical or prolonged instance of non-compliance with established plocies, procedures, laws and/or regulations. Management must take immediate corrective action • Significant prior audit findings were not sufficiently addressed INTERNAL INTERNAL ✓ ✓ ✓ ✓ ✓ ✓ INTERNAL ✓ ✓ ✓ ✓ ✓ ✓ INTERNAL ✓ ✓ ✓ ✓ ✓ INTERNAL Exit Conference INTERNAL • • • INTERNAL • • • • • INTERNAL • • • • INTERNAL • • • o o o INTERNAL • • • • • • INTERNAL Thank You
