Analysis of RBA implementation and the preparation of an audit program at Ministry of Villages, Development of Disadvantaged Regions and Transmigration

Risk-Based Audit (RBA) is an audit method that applies a risk approach in its implementation. By applying the RBA method, it is expected that an audit can be performed effectively and efficiently, thus producing maximum audit results. This study aims to analyze the implementation of RBA in audits conducted by The Audit Board of Indonesia (BPK). Furthermore, this study analyzes the preparation of an Audit Program in line with the previously determined RBA. The research framework uses Agency Theory, which emphasizes the relationship between management and principal. To ensure that management does not perform any manipulation, an independent third party must conduct the audit. This study applied a qualitative research methodology with a case study approach at BPK. The author expects to dig deeper into the application and implementation of RBA within BPK by using the case study approach supported by audit documents and interviews with the BPK Audit Team. The results showed that the implementation, performance, and monitoring of RBA by the BPK Audit Team were in line with the instructions and guidelines set by BPK.


INTRODUCTION
State finances encompass all of the rights and obligations of the state that have monetary value and everything in the form of money or goods that can be utilized as state property in connection with the implementation of these rights and obligations (Law Number 17 of 2003). This is consistent with the bureaucratic reforms that have been implemented since the 1997 Indonesian economic crisis. Therefore, state finances are one of the areas targeted for reform. State finances reform is viewed from the management perspective and is supported, among other things, by three laws and regulations, namely Law Number 17

There are currently 34 ministries in Indonesia, with different nomenclatures and business processes according to their respective responsibilities. One of the ministries with a fairly complex business process is the Ministry of Villages, Development of Disadvantaged Regions and Transmigration (Kementerian Desa, Pembangunan Daerah Tertinggal, dan Transmigrasi; Kemendesa PDTT). It was formed by merging several directorate generals from three ministries. Each directorate general has its own business processes, so the merger process requires significant adjustments. In addition, Kemendesa PDTT's work units were sporadic, making the monitoring process difficult. Furthermore, based on Government Regulation Number 60 of 2014 regarding Village Funds sourced from the State Revenue and Expenditure Budget, Article 21 paragraph (1), the Minister in charge of Villages determines priorities for the utilization of Village Funds. This means that Kemendesa PDTT has the authority to set priorities for the utilization of village funds for each fiscal year. Village funds are funds derived from the State Budget (Anggaran Pendapatan dan Belanja Negara, APBN) allocated for villages, which are transferred through the Regional Budget (Anggaran Pendapatan dan Belanja Daerah, APBD). They are used for financing governance, implementing development, community development, and community empowerment (Government Regulation Number 60 of 2014).
Apart from having the authority to set priorities for the use of village funds for each fiscal year, based on Government Regulation Number 43 of 2014 Article 131 paragraph (1), Kemendesa PDTT has the authority to regulate related affairs on village facilitators. Furthermore, matters concerning village facilitators are further regulated in the Regulation of the Minister of Villages, Development of Disadvantaged Regions, and Transmigration Number 3 of 2015. This regulation underlies the budget in the form of incentives for village facilitators at Kemendesa PDTT.
The problem that arises based on the background above is that Kemendesa PDTT has business processes involving several directorate generals from several ministries, so it requires the ability to synergize with one another. In addition to the business processes of each directorate, the process of combining their assets must be adjusted. Each of these merged directorates possesses assets that were previously listed in the previous ministry. As a result, when the directorate joins Kemendesa PDTT, the assets will be removed from the previous ministry and registered in the financial statement of Kemendesa PDTT. The merger of these assets must be executed properly so that the value recorded in the financial statements of Kemendesa PDTT conforms with the actual conditions. In addition, Kemendesa PDTT also has significant expenditure, with a particular characteristic of spending on goods delivered to the public. Expenditures are allocated for the procurement process at the central government, but the entire implementation is executed in the regions. Since the entire procurement process is carried out at the central government at Kemendesa PDTT head office, the person in charge is also located at the head office, but the implementation is conducted at the regional level. As a result, monitoring the procurement's implementation will be difficult. Not all procurements, particularly those completed at the end of the fiscal year, can be directly monitored. Given the high value of the procurement, this is a high-risk activity.
Furthermore, public expectations of accountability for state finances are pretty high. One of the topics discussed is the transparency and accountability of state financial management. Compiling financial statements is one way to demonstrate accountability. As a budget user, a minister or head of the institution is responsible for compiling and submitting financial statements of the state ministries/institutions under their leadership following Law Number 17 of 2003. Likewise, Kemendesa PDTT must be accountable for the budget that has been utilized. One area of accountability is related to the use of funds to assist village funds. However, there are still several problems related to village fund facilitators. Dianto (2018) explained three problematic aspects: the quantity, quality, and division of facilitation work. For the quantity aspect, there are problems with the limited physical ability of professional village facilitators in providing services and a lack of focus on community empowerment activities.
Furthermore, the problem in terms of the quality aspect is that there are professional village facilitators whose background education is not in empowerment and community assistance. Moreover, the issue with the division of facilitation work is the imbalanced workload versus the honorarium received. In addition, the problem of village facilitators was also discussed in research conducted by Lobor, Ogotan, and Londa (2018), who concluded that in the implementation, the role of the village facilitators was not optimal due to their inadequate capacity.
The 1945 Constitution of the Republic of Indonesia delegates the task of auditing state finances to The Audit Board of Indonesia (BPK), as referred to in Article 23 paragraph (5). Therefore, BPK must gain the trust of stakeholders or users of financial statements. BPK needs to improve the quality and benefits of its Audit Reports (Laporan Hasil Pemeriksaan, LHP), including the quality of opinions rendered, to earn this trust. BPK has taken several steps to improve the quality and benefits of the LHP and the opinions provided. One of them is by implementing a Risk-Based Audit (RBA). Therefore, BPK must accordingly ensure that the RBA has been appropriately performed. When BPK has performed RBA properly, an audit program is expected to conform to the mapped risk, allowing audit implementation to run effectively and efficiently.
Based on the background description, the problem formulations in this study are (1) How is the implementation of RBA performed by the auditor at Kemendesa PDTT? (2) How to compile an Audit Program in line with the RBA at Kemendesa PDTT? (3) How will the auditor perform and monitor the implementation of RBA at Kemendesa PDTT? This research aims to find out and analyze the implementation of RBA in Kemendesa PDTT, the Audit Program prepared based on the RBA, and the implementation and monitoring process carried out.

LITERATURE REVIEW
There have been several previous studies on risk assessment and RBA implementation. However, most of the studies are quantitative in nature, they are not conducted in the public sector, and the findings do not include the development of an audit program. One of the previous studies related to RBA was conducted in the public sector. It applied a qualitative approach, i.e., a study in one of the regencies in East Java for the 2013 fiscal year. This study concluded that RBA had been applied at the audit planning stage, and the factors that influenced auditor behavior did not affect the implementation of RBA (Sastra, Yuhertiana, & Budiwitjaksono, 2018).
Another case study on RBA was conducted at BRI Bank in Bandung Regency by Rozali and Mohammad (2015). The study was quantitative and applied a saturated sampling method. The study discussed the effect of Risk-Based Internal Auditing implementation in terms of fraud prevention in BRI Bank Bandung Region internal audit. According to the findings of this study, BRI Bank has implemented Risk-Based Internal Auditing. This had a positive impact on fraud prevention as well. Other research has found a strong but not statistically significant link between risk-based auditing on the annual audit plan and private entities in the financial sector. Planning an audit with a risk-based approach positively correlates to the size of the audited entity. Internal audit is more proactive in implementing Enterprise Risk Management (ERM) in smaller organizations and, more importantly, in the financial and private sectors (Castanheira, Rodrigues, & Craig, 2009). Another study on Risk-Based Internal Audit suggests that it may produce more audit findings to be disclosed compared to conventional auditing. These audit findings can be formal findings that should be reported in audit reports, business aspects that must attract the attention of management for decision making on whether each should be handled or not, and finally informal findings that are prepared and presented but not included in the final audit report (Coetzee & Lubbe, 2014).
Another previous study was a case study in Uasin Gishu Regency. This study discussed the effect of an RBA approach on the application of the internal control system. This study concluded that the RBA approach had a positive effect on the application of the internal control system. The challenges faced in implementing RBA in the application of the internal control system were the lack of relevant knowledge, lack of experience, lack of late tools to identify risks, and lack of relevant principles or guidelines in implementing RBA (Nyarombe, Musau, Kavai, & Kipyegon, 2015). Meanwhile, another study conducted by Young (2020) discussed the identification of determinants for an operational risk management framework that could serve as a guide towards an RBA approach.
RBA is a concept assuming that the higher the risk from an area, the higher the attention in the given audit area. Therefore, an auditor must understand business processes before identifying business risks. Understanding business processes includes understanding risk and systems control to achieve the goals and objectives of an organization. A risk-based approach assists auditors in planning the audit process to contribute to better governance, robust risk management, and more reliable control (Pickett, 2015). In addition, RBA is also defined as a paradigm shift, from the traditional approach to system auditing, and finally to RBA (Nyarombe et al., 2015).
RBA will be effective in terms of strategic objectives, which will indicate targets, making it possible to perform efficient audits. It also links risk to business objectives, smarter facilitations, and faster and sharper risk mitigation (Bechara & Kapoor, 2012). In comparison, Messier Jr. (2014) stated that the definition of RBA is the primary framework that guides the audit of financial statements. Meanwhile, Zacchea (2003) states that the RBA process is a systematic, rational, and defensible technique used to identify potential risks. It is also a factor-based process for quantitatively estimating the risks involved in the audit universe. In addition, it focuses attention on the audit areas most vulnerable to risk and allocates limited audit resources to the most productive audit target. Based on some of the identifications, it is possible to conclude that RBA is a method of auditing that involves performing an audit while considering the risks ahead. One of the purposes of using this method is to perform an effective and efficient audit by selecting the appropriate audit target. Thus, it is necessary to conduct an analysis related to the implementation of RBA in an audit, its effect on the preparation of an audit program, and the implementation and monitoring of RBA in an audit.
Audit opinions are an assessment of the fairness of an entity's financial statements rather than an assessment of the truth of such statements. An audit opinion is a fair conclusion based on the audited information. An opinion is reasonable if it is free from bias and dishonesty and is based on the full disclosure of information. However, a reasonable opinion can only be issued when financial statements are correct and free from material misstatements (Chen, Cumming, Hou, & Lee, 2013). Law Number 15 of 2004 states that audit opinions in the public sector are based on conformity with government accounting standards, adequate disclosure, compliance with laws and regulations, and the effectiveness of the internal control system. Audits of ministerial and institutional financial statements may result in unqualified, qualified, or adverse opinions or a disclaimer (Tsipouridou & Spathis, 2015).
Recommendations in an audit outline the remedial actions to be taken by the audited entity's management (Kyei, 2016); they are based on the auditor's opinions concerning a particular situation and must reflect the auditor's knowledge and judgment (Sawyer, 2006). The recommendations given by BPK are divided into various groups, which are weaknesses in the internal control system, potential for state losses, and administrative findings. However, audit recommendations do not always relate to violations of the law or fraud. Audit recommendations in the form of administrative findings are made to improve administration within a public entity. They can be resolved with administrative sanctions in the form of reimbursement of money to the state treasury as outlined in BPK Regulation Number 2 of 2017 concerning the Monitoring of the Follow-Up of Recommendations of BPK's Audit Results.
This study also refers to agency theory explaining the importance of transparency and accountability in the public sector. Agency Theory explains the existence of an agency relationship, where a company is a collection of agreements or contracts between parties having economic resources (the principals) and management (agents) having a task in managing the use and control of resources. Agents receive the delegation of authority from the principals to make decisions, but these decisions are not necessarily in line with the principals' wishes (Jensen & Meckling, 2009). The agency relationship, on the other hand, creates problems. There are two problems: (1) the existence of information asymmetry, which occurs when management as an agent has more information than the principals, both in terms of information on the company's financial position and operating position; and (2) the emergence of a conflict of interest because the agent does not always have the same goal as the principals (Messier, Glover, & Prawitt, 2014).
A company may intentionally deceive or mislead users of financial statements, especially investors, by preparing and disseminating material misstatements of financial statements. Fraud in financial statements is committed by top executives, for example. Manipulation of financial records, misreporting, intentional misinterpretation, inadequate disclosure, and manipulation of aggressive accounting practices are all examples of fraud. Management does this to conceal their performance (Rezaee, 2002). As a result, there is a conflict of interest between company management and company management stakeholders. As a result, management will attempt to maintain its performance in front of stakeholders through various means, one of which is financial report fraud.
In the public sector, government officials, as the party in charge of administering public services, have access to more information, allowing them to make decisions or policies that are solely for their benefit, ignoring the interests and welfare of the people. To address this issue, the government must strive to present financial statements that are transparent and accountable (Setyaningrum & Syafitri, 2001). Therefore, an independent third-party audit is required to ensure that the presented financial statements are accountable. RBA is one of the audit methods available. However, due to the broad scope of the audit, an audit method capable of producing an effective and efficient audit is needed, namely the RBA, where an audit is carried out by considering risks. Meanwhile, for internal control, this research framework uses the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. Control based on COSO is a framework that contains a description of professional practice that establishes efficient business systems and processes and effective internal controls. COSO framework has proven to provide an excellent result. The COSO framework defines risk as a process carried out by an entity, management, or other personnel designed to provide assurance related to the achievement of objectives with categories such as operating effectiveness and efficiency, reliability of financial statements, and compliance with the prevailing laws and regulations. Apart from using Agency Theory, this study also uses the COSO

These Audit Management Guidelines are the reference for conducting audits of the management of state finances and state financial responsibility. The stages discussed in these guidelines are the audit planning stage, audit implementation stage, and audit reporting stage. Thus, it is expected that the audit is in line with the standard.
These Audit Management Guidelines govern the overall management of audits, whether in Financial Audit, Performance Audit, or Special Purpose Audit. The Audit Management Guidelines emphasize the existence of quality control and quality assurance. Quality control is performed to ensure that audits are performed in compliance with applicable standards and regulations. In addition, quality control will ensure that all audit stages have been performed on time, are comprehensive, documented, implemented, and have been reviewed in stages (BPK RI, 2015). As a result, the auditor must consider performing the audit in high-risk areas. The Technical Guidance for Financial Audit Risk Assessment aims to guide financial audit risk assessment and ensure consistency in applying risk assessment methods. The Technical Guidelines for the Financial Audit Risk Assessment discusses the risks in the audit, i.e., audit risk, inherent risk, control risk, detection risk, and fraud risk (BPK RI, 2017).

Technical Guidelines for Risk Assessment
In addition, BPK also stipulates Technical Guidelines for Understanding and Testing the Internal Control System through Audit Board of the Republic of Indonesia (BPK RI) Decree Number 2/K/I-XIII.2/7/2012 dated July 6, 2012. In performing the audit, the auditor is required to assess the effectiveness of the Internal Control System. This assessment reflects the auditor's expectations on internal control's ability to prevent or detect material misstatements and if they do occur, they will be corrected. This internal control system assessment serves as a consideration in planning an audit, concerning the nature of an audit, the timing and scope of an audit (BPK RI, 2012).
Auditors implement an Audit Risk Model to obtain audit evidence by considering risks in preparing audit procedures (Arens, Elder, Beasley, & Hogan, 2017). This Audit Risk Model will help the auditors to decide the amount and type of evidence needed. The Audit Risk Model describes the relationship between Acceptable Audit Risk (AAR), Planned Detection Risk (PDR), Inherent Risk (IR), and Control Risk (CR). The Audit Risk Model is described as follows:

AAR = PDR × IR × CR

Planned Detection Risk is the risk of audit evidence failing to detect material misstatements. Meanwhile, Inherent Risk is used to measure the auditor's assessment of the susceptibility of an assertion of material misstatement before considering the effectiveness of internal control. Furthermore, Control Risk is related to the auditor's assessment of the risks of material misstatement that can occur and cannot be prevented or detected promptly based on the company's internal control. However, Acceptable Audit Risk is a measure of the risk that the auditor accepts related to the possibility of material misstatement in the financial statements after the audit is completed and an unmodified opinion has been issued (Arens et al., 2017). Furthermore, four types of tests represent audit procedures in response to identified risks in the audit risk model. The four tests are control tests, substantive tests of transactions, substantive analytical procedures, and balance-details tests. The four tests are expected to generate enough appropriate audit evidence.

RESEARCH METHOD
This study applies the case study method since it aims to explore the phenomenon of actual occurring problems, and researchers must be directly involved to understand the problem. The method is expected to yield an understanding of how risk assessment is carried out at Kemendesa PDTT. Therefore, an appropriate audit program can then be arranged. The sampling technique used is purposive sampling, with criteria for the business process, the entity's risks, and the problem regarding the entity. Case studies were conducted at BPK, especially the unit that handled Kemendesa PDTT for the fiscal year 2018. Subsequently, communication was performed with the financial statement review team of Kemendesa PDTT for the fiscal year 2018 to explore further the implementation of RBA conducted by BPK auditors.
The research method used is qualitative. According to Satori and Komariah (2011), qualitative research is a type of research that focuses on social phenomena/events/symptoms and then reveals the existing meaning of these events to be used as valuable lessons for the development of a theoretical concept. This is similar to this study, in which the results are expected to provide benefits in the form of an in-depth overview of the RBA implementation by BPK auditors for auditing the financial statements of Kemendesa PDTT. The study was conducted by collecting relevant information through open interviews with the audit team and analyzing the audit working papers.
Sources of data for this study were from BPK and Kemendesa PDTT, both primary and secondary data. The secondary data included the 2018 Audited Financial Statements and audit working papers. An audit working paper is a note or documentation made by an auditor concerning the procedure taken, tests performed, information obtained, and audit conclusion. This audit working paper can be documented in the form of paper and/or electronic media. This audit working paper is prepared at the planning stage, during the implementation of the audit, and when reporting the audit results. Meanwhile, the primary data used were interview results with the BPK audit team.
The first problem formulation is RBA implementation in the financial statement audit of Kemendesa PDTT fiscal year 2018 and its compliance with the guidelines set by BPK. This study analyzes BPK guidelines concerning the Audit Risk Model based on secondary data in the audit working papers and primary data in interviews with the Audit Team Leader, Audit Sub-Team Leader, and Technical Controller. The second problem is analyzing the preparation of an audit program.

[Figure: Agency Theory (Agent / management, Principal)]

The preparation of this audit program is based on previously identified risks and their compliance with the guidelines set by BPK. The third problem is related to the implementation and monitoring of RBA with the guidelines set by BPK.

RESULT AND DISCUSSION
The audit of Kemendesa PDTT's 2018 financial statements implemented RBA, as shown in its audit working paper. There are two sections related to the audit working paper: Internal Control System and Business Process Comprehension, and Risk Comprehension and Assessment. This understanding is based on the results of the internal control system audit conducted by the previous audit team and then complemented by an ongoing analysis of internal control conditions of Kemendesa PDTT. One method of understanding the ongoing internal control system is by distributing questionnaires and conducting walkthroughs. Based on the audit working paper, the internal control system and business process comprehension comprises three parts: comprehension of the financial statement system; comprehension and inventory of Kemendesa PDTT internal regulations, programs, and activities; and Internal Control System comprehension applying the COSO approach.
As mentioned earlier, the Audit Team's steps in performing an internal control system and business process comprehension conform with the Technical Guidelines for Understanding and Testing the Internal Control System published by BPK. In addition, based on interview results with the Audit Team Leader regarding the steps in the internal control system and business process comprehension of the entity, those steps provided a complete illustration of the audited entity's internal control system and business process. Meanwhile, for risk comprehension and assessment, the auditor identified IR, CR and CR assessment, Busi-

This RBA began in the audit planning stage. However, there was an opportunity to perform an evaluation based on RBA during the following steps based on the ongoing development. Based on the document and interview analysis, the first step was comprehending the Internal Control System and the entity's business process. One of the tools used in this step was a questionnaire which was distributed to relevant authorities. Each of the results of the questionnaire was given a weighted value. However, the weight of this score does not directly reflect the internal control system; rather, the auditor's professional judgment is still needed to adjust the score. In the audit of Kemendesa PDTT's financial statement, the audit team also applied professional judgment to adjust the initial score. Professional judgment is exercised by considering the things that affect the assessment score of each element. In the audit of Kemendesa PDTT's financial statement, things that affect professional judgment include communication of policies and rules regarding sanctions to all employees, identification of risks that can hinder the preparation of the financial statement, work realization that is not under an agreement or contract, valid or not proof of transaction, and follow-up on recommendations of previous BPK audits.
The next step was risk comprehension and assessment by setting the IR and CR level for each business process and account, which was continued by business process risk assessment and fraud risk assessment. Those various assessments would result in a general risk assessment matrix. In the audit working papers, it can be seen that the Audit Team conducted an IR assessment. It is also supported by interview results saying that IR assessment is conducted. The assessment value was conducted on accounts in financial statements by considering four criteria: transaction types, subjectivity level on consideration required by accounting standards, vulnerability level on misuse or theft, and factors related to misrepresentation due to fraud.
In addition to the four criteria mentioned earlier, the auditors also applied BRM and FRAM considerations. BRM illustrates an entity condition with significant risks resulting in the inability of the entity to reach its goals. This inability to reach the goals will affect the accountability of the financial statement, efficiency, effectiveness, and obedience towards regulations. Meanwhile, FRAM functions to identify and detect fraud risks resulting in misrepresentation in the financial statements. There are three types of fraud: corruption, asset abuse, and misleading presentation. Auditors then analyzed fraud type, classification, impact, possibilities, and causes and performed additional alternative procedures to ensure that fraud could be detected. Eventually, IR assessment at each account was conducted by considering the four mentioned factors, BRM and FRAM. Then, the IR percentage scale and IR level of the account were determined.
Furthermore, based on audit working papers and supported by interview results with the Audit Team Leader, it was identified that Auditors had conducted an assessment on CR of the entity's business process and CR of relevant accounts. The CR was a result of internal control system comprehension and IR assessment. For further internal control system comprehension, auditors referred to technical instructions of internal control system comprehension and testing. In identifying the CR, auditors went through two stages: control risk assessment at the transaction cycle level and at the account level.
Based on interview results with Audit Team Leader and document analysis, it could be identified that after identifying the AR, IR, and CR, auditors would determine the Detection Risk (DR). This DR illustrates a risk in which auditors cannot detect material misrepresentation while conducting a substantive procedure. The aim of identifying this DR is to enable auditors to determine audit procedures and audit evidence that should be collected. If auditors identify DR as low, in-depth substantive testing will be performed with extensive audit evidence in audit working papers. On the contrary, if DR is identified as high, auditors will perform limited substantive testing with relatively less audit evidence.

ANALYSIS OF THE RBA IMPLEMENTATION AND THE PREPARATION ... Nur Meilani Tri Nugraheni, Bambang Pamungkas

From that analysis, the author concludes that the application of RBA by BPK auditors has complied with the technical instructions on internal control system comprehension and testing and technical instructions on risk assessment published by BPK. The risk assessment technical guidelines on financial audit and technical guidelines on understanding and testing internal control systems by BPK are in line with the COSO framework. One of the tools used to collect data and information on an entity's internal control system is a questionnaire. There are two questionnaires involved: the internal control system questionnaire at the entity level and the internal control system questionnaire at the transaction and activity levels. The first questionnaire at the entity level comprises five control components: control environment, risk assessment, control activity, information and communication, and monitoring. These five components are based on components developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
The internal control system questionnaire will then be delivered to the entity's head or other authorities at this entity level. Auditors will also conduct interviews to confirm the delivered answers. Then, considering results or conclusions on five internal control system components in the first questionnaire (at the entity level), the second questionnaire at the transaction cycle level is prepared. Within the questionnaire at the transaction cycle level, the auditor seeks information related to assertions. However, in the LKPP LKLL LKBUN guidance, with regard to control risk, it is mentioned that auditors can document a control system to identify controls determined by the entity to mitigate the identified inherent risks during the first audit. This means that the auditor can skip this step for the next audit, and the assessment can use documentation from the previous audit. The risk arises when entity controls change but auditors have used the previous audit document. In such a condition, auditors must perform a re-identification.
The application of RBA by BPK auditors has matched with the technical guidelines for understanding and testing the internal control system, technical guidelines of risk assessment, technical guidelines of financial audit risk, and technical guidelines for understanding and testing internal control system by BPK suited with Audit Risk Model stated by Arens et al. (2017). Thus, the audit of the fiscal year 2018 Kemendesa PDTT's financial statement conforms with the Audit Risk Model. Therefore, the audit of Kemendesa PDTT's financial statement fiscal year 2018 has implemented the fundamental steps of the Audit Risk Model.
Next, the auditors prepared an Audit Program based on the RBA. Based on the working paper document analysis and interview results with the Audit Team, the preparation of the audit program began with gaining an understanding of the research object; the audit program was then prepared by the Audit Team Leader and handed over to the Technical Controller for review. The Technical Controller's review aims to ensure that the Audit Program has been prepared based on the relevant implementation guidelines and technical guidelines. Then, based on the audit working paper analysis, it is identified that the auditors, in designing the audit program, have considered the results of understanding and testing the entity's internal control system as well as the results of the risk assessment. After auditors identify the DR level, they decide on an audit strategy. For example, if auditors identify DR as low, the effectiveness of the implemented substantive procedures will be high. Meanwhile, for low detection risk, auditors consider conducting in-depth substantive testing.
The analysis results of audit working papers and interviews with the Audit Team Leader indicate that auditors have compiled an audit program based on the RBA and the guidelines set by BPK. However, the correlation between audit time and the prepared audit program is not explicitly explained in these guidelines. The audit of Kemendesa PDTT's financial statements for fiscal year 2018 required eight additional audit days. The additional assignment letter was issued to complete the report and write the audit worksheet.
The guidelines for audit program preparation, which BPK determines, are also in line with the preparation of audit procedures, which is a continuation of the Audit Risk Model. In preparing an audit procedure, four types of tests are conducted. These four tests are expected to result in adequate and appropriate audit evidence. The first test is a test of controls, where auditors perform control tests to gain adequate and precise evidence in assessing control effectiveness. The second test is a substantive test of transactions to determine whether the transactions have been recorded correctly. The third test is substantive analytical procedures, whose main aim is to detect possible misstatements in financial statements and provide substantive evidence. Finally, the fourth test is the test of details of balances, which focuses on the final account balance (BPK RI, 2016). Based on the audit working paper analysis, the audit procedures prepared by the audit team have followed the audit procedures as a continuation of the Audit Risk Model.
After preparing an audit program by applying RBA, auditors would then implement and monitor the RBA. The implementation of this RBA runs concurrently with the implementation of the audit. This is a realization of the previously prepared audit planning. Based on the audit working paper analysis, the audit team implemented an audit strategy based on the determined DR result in implementing the RBA. On accounts with low DR, the audit team conducted in-depth substantive tests, relying little on control. In practice, the audit team, apart from conducting in-depth substantive tests, also performed limited control tests. Meanwhile, in its implementation, although it is not the focus of the audit, medium DR is still considered. Accounts with medium DR are subject to tests of controls in practice, with limited substantive tests. In the audit of Kemendesa PDTT's financial statements, no accounts were considered to have high DR.
Based on the audit working paper analysis and interviews with the Audit Team Leader, Audit Sub-team Leader, and Technical Controller, the entire implementation of this audit program would be reported in stages in the form of a weekly report for review. First, each team member would provide a weekly report containing the work done that week, the progress, and the problems faced in the audit. Then the team members' weekly reports would be compiled by the audit sub-team leader. Furthermore, the Audit Team Leader would compile a weekly report from each audit sub-team leader and submit it to the Technical Controller. This weekly report is a form of monitoring the implementation of RBA.
The entire process of implementing this audit program will be documented in the audit working paper. Audit working papers are documentation that contains the audit procedures and tests that have been carried out, the information or data obtained, and the conclusions. The audit working paper is prepared based on the audit program. Furthermore, the auditor will compile the cover sheet and complete it with the result of performing audit procedures. The cover sheet and the result of performing audit procedures in the audit of financial statements of Kemendesa PDTT have been prepared based on an individual working program. The cover sheet and the results of the implementation of audit procedures monitor an audit to ensure that every step in the audit program has been carried out. Based on the audit working paper analysis, the cover sheet and the results of the implementation of audit procedures are prepared by members of the audit team, reviewed by the Audit Team Leader, and approved by the Technical Controller.
The analysis and interview results show that the implementation of RBA and the audit are carried out simultaneously. Thus, all steps of the audit implementation have followed the guidelines set by BPK. However, in the composition of the audit team, there was no quality controller, so the role that the quality controller should have played was not optimal. A quality controller's role is to ensure that the audit's objectives, expectations, and scope are met and that the audit runs smoothly (BPK RI, 2015). In addition, a quality controller also has a role in ensuring that the audit findings comply with the audit standard and audit guidelines.

CONCLUSION
The 2018  In its application, one of the approaches uses instruments in the form of questionnaires and interviews to describe the five components. However, in the LKPP LKKL LKBUN guidelines established by BPK, in terms of control risk, it is stated that the audit team documents the control system during the first audit and then identifies the controls that the entity has implemented to mitigate the identifiable inherent risk. This means that for further audits, this step can be skipped by the audit team. For the assessment, the following audit team can use documentation of the control system from the previous audit. The risk arises when there is a change in the control system and the audit team is still using the previous audit document. Therefore, the audit team must re-identify it.
In preparing an audit program based on previously identified risks, the audit team refers to guidelines set by BPK. One component of the audit program is the audit procedures. In detail, the preparation of the audit procedure is outlined in the LKPP LKKL LKBUN guidelines. Several tests are performed in its preparation, namely, testing balances, analytical tests, tests of controls, substantive tests of the transaction, and substantive tests of balances. Each of these tests contains details of the steps that must be taken during the audit. The tests in the BPK guidelines conform with the tests on audit procedures that continue the Audit Risk Model. In preparing audit procedures as a follow-up to the Audit Risk Model, there are four tests: the test of controls, substantive tests of transactions, substantive analytical procedures, and tests of details of balances. However, the guidelines set by BPK do not explain in detail the relationship between the audit period/time and the preparation of the audit program. Therefore, the audit program implementation still requires additional assignments as the period in the primary assignment has been completed. There is an additional letter of assignment for eight days in the audit of Kemendesa PDTT's financial statements for the year 2018.
Furthermore, in implementing and monitoring RBA, BPK auditors have referred to BPK guidelines. One of the approaches used for this monitoring is through weekly reports. In addition, weekly reports will be arranged in stages for further review, and feedback will be provided. However, in the composition of the audit team on the audit of Kemendesa PDTT's financial statements, there was no Quality Controller. As a result, the Quality Controller's role was not well represented. In the Audit Management Guidelines, a Quality Controller's role is to ensure that the objectives, expectations, and scope of the audits are met and ensure the smooth running of the audit process. In addition, a Quality Controller also has a role in ensuring that the audit findings comply with the audit standard and guidelines. By applying RBA methods in this audit, the implementation is more focused on the risks that have been previously mapped, and leads to a better monitoring process.
Based on the study results, it is identified that in conducting a financial statement audit, BPK should also consider the characteristics of the entity being audited during the audit planning stage, in addition to applying the RBA method. Therefore, a specified audit period can be set to address the needs of the auditor.