Hal itu tidaklah salah total. Sebab, masyarakat awam selama ini sering menganggap bahwa kegiatan auditor hanyalah membandingkan antara apa yang diimplementasikan di lapangan dengan apa yang seharusnya. Kegiatan audit ini biasanya dikenal sebagai compliance audit yang sebenarnya hanyalah salah satu peran yang dapat diberikan oleh internal auditor sebagai bagian dari jasa assurance. Padahal, sebenarnya banyak kegiatan jasa assurance lainnya yang dapat diberikan auditor. Artinya, tidak hanya audit dan tidak hanya compliance audit saja.
Menurut standar IIA, assurance services adalah “An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.”
Jika mengacu kepada PP 60/2008, manfaat jasa assurance yang diberikan internal auditor adalah “untuk memberikan keyakinan yang memadai bahwa kegiatan telah dilaksanakan sesuai dengan tolok ukur yang telah ditetapkan secara efektif dan efisien untuk kepentingan pimpinan dalam mewujudkan tata kepemerintahan yang baik.” Menurut Pasal 47 PP tersebut, kegiatan yang dilakukan dalam rangka memberikan keyakinan itu adalah “pengawasan intern atas penyelenggaraan tugas dan fungsi Instansi Pemerintah termasuk akuntabilitas keuangan negara.” Menurut Pasal 48 PP tersebut, bentuk dari pengawasan intern adalah “audit, reviu, evaluasi, pemantauan, dan kegiatan pengawasan lainnya.”
Kedua, dalam hal peran BPKP dalam pemberantasan korupsi. Selama ini, terdapat salah persepsi bahwa BPKP adalah bagian dari aparat penegakan hukum. Padahal, dalam fungsi dukungan audit BPKP terhadap KPK, BPKP hanya bertugas untuk menjadi tenaga ahli dalam penghitungan kerugian negara. Hal ini sebenarnya bisa juga dijalankan oleh pihak lain, selain BPKP. Misalnya, dari akademisi. Namun, dalam praktiknya yang lebih sering diandalkan dan dijadikan tenaga ahli dalam penghitungan kerugian negara adalah aparat BPKP. Namun, dalam pelaksanaannya, BPKP tentu tidak melaksanakan fungsi penyidikan. Sebab, BPKP bukan aparat hukum. Posisinya adalah sebagai tenaga ahli. BPKP dalam posisinya tersebut tidak boleh melakukan penyidikan, seperti surveilance, penyadapan, intrograsi, dan sejenisnya.
Ketiga, selama ini terjadi salah pandang dalam melihat posisi BPKP sebagai internal auditor Presiden/Pemerintah. Masyarakat memandang bahwa BPKP mestinya independen terhadap Presiden/Pemerintah. Padahal, sebagai bagian dari manajemen Presiden/Pemerintah, BPKP tidaklah bisa independen dari Presiden/Pemerintah. Karena itu, tugas BPKP tidak lepas dari menopang keberhasilan Presiden/Pemerintah dalam menjalankan manajemen pemerintahan.
Sebenarnya dalam standar IIA sudah jelas bahwa salah satu tugas dari internal auditor adalah memberikan jasa consulting, yaitu “advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.”
Jika mengacu ke PP 60/2008, kegiatan jasa consulting dari internal auditor juga telah ditegaskan, yaitu dalam bentuk pembinaan penyelenggaraan SPIP, sedangkan penyelenggaraan SPIP itu sendiri tetap menjadi tanggung-jawab manajemen (Pasal 47). Bentuk pembinaan penyelenggaraan SPIP menurut PP tersebut adalah penyusunan pedoman teknis penyelenggaraan SPIP, sosialisasi SPIP, pendidikan dan pelatihan SPIP, pembimbingan dan konsultansi SPIP, dan peningkatan kompetensi auditor aparat pengawasan intern pemerintah.
Standar IIA telah membedakan dengan jelas pihak-pihak yang terkait dengan jasa assurance dan consulting yang diberikan oleh internal auditor, yaitu sebagai berikut:
“Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, an operation, a function, a process, system, or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. There are generally three parties involved in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter the process owner, (2) the person or group making the assessment the internal auditor, and (3) the person or group using the assessment the user.”
“Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice the internal auditor, and (2) the person or group seeking and receiving the advice the engagement client. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.”
Beberapa hal terkait dengan jasa consulting yang dilakukan oleh internal auditor menurut standar IIA adalah sebagai berikut:
1000.C1 The nature of consulting services must be defined in the internal audit charter.
1130.C1 Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.
1130.C2 If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.
1210.C1 The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
1220.C1 Internal auditors must exercise due professional care during a consulting engagement by considering the:
- Needs and expectations of clients, including the nature, timing, and communication of engagement results;
- Relative complexity and extent of work needed to achieve the engagement’s objectives; and
- Cost of the consulting engagement in relation to potential benefits.
2010.C1 The chief audit executive should consider accepting proposed consulting engagements based on the engagement s potential to improve management of risks, add value, and improve the organization s operations. Accepted engagements must be included in the plan.
2050 The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.
2110.C1 Consulting engagement objectives must be consistent with the overall values and goals of the organization.
2120.C1 During consulting engagements, internal auditors must address risk consistent with the engagement s objectives and be alert to the existence of other significant risks.
2120.C2 Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization s risk management processes.
2130.C1 During consulting engagements, internal auditors must address controls consistent with the engagement’s objectives and be alert to significant control issues.
2130.C2 Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization s control processes.
2201.C1 Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.
2210.C1 Consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client.
2220.A2 If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.
2220.C1 In performing consulting engagements, internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether to continue with the engagement.
2240.C1 Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.
2330.C1 The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties. These policies must be consistent with the organization s guidelines and any pertinent regulatory or other requirements.
2410.C1 Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.
2440.C1 The chief audit executive is responsible for communicating the final results of consulting engagements to clients.
2440.C2 During consulting engagements, governance, risk management, and control issues may be identified. Whenever these issues are significant to the organization, they must be communicated to senior management and the board.
2500.C1 The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client.
Komentar