In 2020, IA took several initiatives on a continuous basis.

These initiatives were aimed at supporting the IA in achieving its objective of becoming World Class Internal Audit and a Trusted Business Partner.

Amid the COVID-19 pandemic in 2020, CAE and Audit Management had considered various options that would enable the continuity of audits. IA focused on finding alternatives to the conventional method of face-to-face auditing, replacing it with remote auditing. To this end, IA made several adjustments to adapt with the prevailing conditions, with a focus on the followings:

1. Fulfilling the need for the safety of auditors

Starting from 16 March 2020, IA had fully undertaken the Work from Home protocol for all auditors to ensure the safety of the team. IA endeavored to find ways to carry out effective audits remotely while postponing audits that require travelling and meeting face-to-face with auditees, except for audits that were required by regulators. Currently, IA has adapted to the virtual working environment, relying as much as possible on the use of data and technology, and the application of virtual meeting platforms. To keep the productivity of auditors and protect data confidentiality, every auditor has been equipped with the required infrastructures, such as computer laptops, VPN (to ensure system accessibility for all auditors), and virtual meetings through the Webex application. IA has also succeeded in managing the team remotely and virtually by monitoring their work progress on a daily, weekly and monthly basis.

2. Carrying Out the Audit Plan

All physical visits to the auditees had been barred since 16 March 2020. All audit processes were then taken up through remote viewing, data analytics, telephone and video conference.

3. Renewing the Audit Plan

IA had reviewed its audit plan by evaluating the risk associated with COVID-19. In response to the pandemic, IA undertook a “Crash Program” to review and prioritize audits in critical and high-risk areas three months in advance on a continuous basis during the running year, with the following considerations:

- Risks that arose from COVID-19 and of split operation.

- The potential of irregularities that may contravene with prevailing rules and regulations stemming from COVID-19 related protocols.

- Reviewing whether the risks from “business as usual” are still relevant or even critical in the current condition.

Throughout the COVID-19 pandemic, IA had reviewed its quarterly audit plans to ensure that they remain relevant with the development of the Bank amid COVID-19. This periodical reviews will be submitted to the Audit Committee and Management.

4. Monitoring the Impact on the Bank’s Business Operations

IA continued to discuss with Management as part of its “Business Monitoring” on the impact of COVID-19. The results of business monitoring are used as feedbacks on the evaluation of the audit plan adjustments and to determine the focus on risks that are the main concerns for the audit fieldwork.

Several key initiatives by IA in 2020 included the followings:

1. Development of Data Analytics

IA continued to improve and develop Data Analytics in line with so-called industry 4.0 revolution that is dominated by the rapid development of digital equipment, and the propensity for the individual evolvement to become “3D (Digital, Data, Disruption) Ready.” To achieve this, Data Analytics continued to enhance the knowledge and skills of the auditors through several training programs such as SQL Server, ACL, Tableu, Phyton/R, and Data Science

& Machine Learning. Not only that, Management also supported the enhancement of Data Analytics through investments in both Hardwares and Softwares. Also in 2020, the Data Analytics team provided the opportunity for other members of IA to familiarize themselves with Data Analytics through the Data Analytics attachment program.

The development by Data Analytics is also done through periodical assessments on existing alert/

scenarios in order to more effectively detect sooner any irregularities or indication of irregularities that could arise and take remedial actions. Improvements and enhancements on Data Analytics are also carried out in line with the development of the IA organization as well as the growth of the Bank’s business and operations. From these assessments, the number of parameters that resulted from the Data Analytics increased by 17% from 231 parameters in 2019 to 271 parameters in 2020 as follows:

No. Type of Alert Parameter 2019 Parameter 2020

1 CIF 17 17

2 Deposit 81 96

3 Credit & Collateral 81 109

4 Credit Card 16 18

5 Forex 2 - ^*

6 Fraud Detection 34 31

Total 231 271

*In re-development phase

Throughout 2020, IA had informed Management on a number of operational lapses that had an effect on profitability as well as findings that prevented potential losses from lapses that had been identified early by IA.

2. Visualisation

IA continued to develop its visualisation on the results of data analytics, with the aim of presenting these results to the stakeholders with more clarity, structured and easy to understand format. The data presentation could be in the form of diagrams, maps, charts or other infographics. This data visualisation could present the relations or trends between existing variables/parameters. As such, visualisation can help Management make effective decisions on issues that need expedient follow-ups. This visualization uses the Tableau dashboard. In 2020, improvements had been made on the interface and menu arrangement on IA’s Tableau Dashboard within the Tableau server.

3. Thematic Audit

IA continued to carry out audit using Thematic approach, focusing on certain areas/processes/

products. Through this Thematic Audit, auditors can identify the root of the problem and provide comprehensive and effective recommendations that can be implemented bankwide.

4. Guest Auditor Program

In 2020, IA had included two guest auditors in this program. The aim of the program is to facilitate the sharing of best practises, providing greater understanding to the guest auditors on the audit process and control framework, which could eventually be used and implemented in the respective business unit/supporting unit and to provide the guest auditors an understanding of the internal control framework, risk identification and control definition, as well as an understanding of the importance of the auditor’s work in helping Management to carry out the strategy and achieving the objectives of the Bank.

5. Business Monitoring

Business Monitoring constitutes a non-audit activity by IA by engaging in continuous communication with Management. The activity is carried out routinely and not involving audit. Business Monitoring benefits both sides, whether IA or Management, among other things as follows:

• Fostering strong working relations with business unit/supporting unit

• Having a greater understanding on the activities and operations of the business units/supporting units

• Obtaining latest information on changes in business strategy, process, risk and controls

• A medium for sharing key audit issues and changes in audit methods

• A medium for networking between auditor and Head of business/support unit.

In 2020, IA undertook 307 meetings with Management.

2019 2020

547 hours 433 hours

meetings184 307 meetings

6. Combine Assurance Audit

In 2020, IA carried out the combined assurance with other assurance functions, such as the Compliance and Risk Management team with the aim that the various assurance functions can work together to schedule their audits collectively so as not to disrupt the operations of the auditees with repetitive audits, while still ensuring that the functions of assurances can proceed effectively and efficiently. In 2020, IA had carried out several assignments on combined assurances with the teams of Compliance and RCU.

7. Attachment Program

The Attachment Program is where an auditor is attached to an on the job assignment in a business unit/supporting unit/operations with the aim of equipping the auditor with a greater understanding of the business process including the risk and control elements. Throughout 2020, IA had enlisted 10 auditors in this program.

The benefits of the attachment program are as follows:

• Increasing the auditor’s understanding of the business process as well as risk and control elements of the unit in question.

• Increasing the auditor’s understanding of the role of a certain job including the challenges faced by the job.

• Providing feedbacks to Management on how to improve controls, mitigation and increase work and business efficiency and effectiveness.

8. Demerit Audit Rating

Since 2017, IA has developed the framework for Demerit from the results of audit implemented on the evaluation of Management performance. The use of Demerit is aimed at increasing the awareness of all parties at CIMB Niaga to collectively improve the Bank’s internal controls in order to achieve the Bank’s objectives. The Demerit Audit is applied in two parameters, namely the Audit Rating and Late Remediation Rate.

Since the implementation of Demerit Audit, the ratio of Late Remediation has improved, with a decrease from 15% (in 2016) to 0.5% (in 2017), 0.1% (in 2018) and 0% in both 2019 and 2020. This decreasing indicate the significant improvements being made in the control environment and the timely remediation of the audit recommendation.

Late Remediation

(%) 14

0.5 0.1 0.0 0.0

2016 2017 2018 2019 2020

9. High Risk Validation

IA has also continued with its high-risk validation, in order to ensure that all of the audit recommendations have been remediated on a timely and continuous basis, so as not to incur repeat audit findings in the future. If in the validation process a repeated finding does occur, the recommendation will be

“Re-open” and Management has to follow through again on the “Re-open” recommendation. From the results of validation undertaken in 2020, the ratio of sustainable audit remediation indicated an improving trend, wherein the 2020 ratio was 0%, down from 3%

in both 2018 and 2019.

Re-Open Rate

(%) 5

3 3

0

2017 2018 2019 2020

10. Competency Framework and Learning Journey As part of the commitment to enhance the quality

of auditors, IA undertook a comprehensive review on the existing competency model in order to align it with the evolvement of the organization and profession, including the core competency of CIMB Niaga, while also designing the learning journey for auditors. In this digital era, IA also gives its support to all of its members to acquire the Digital-Data-Design (3D) Talent. With its competency model and learning journey, IA can devise a more structured and targeted development programs for auditors, improving their quality and accountability of their assignments.