The Risk Evaluation in Sharia Rural Banks: A Practices and Role Strengthening of Internal Auditor

This study examines internal auditor’s role in the business's risk valuation in Indonesia sharia rural banking. A qualitative approach used with the following three steps analysis. The first is the exploration of internal auditor function's existence, second focused on obtaining a depth conversation analysis, and, last, a confirmation to get the result's credibility. The results showed that internal auditors divided into two different important roles, included in directors' function. The other was a supervisory role of the separated internal control unit, which both are controlling business risks in the operational, financial reporting, and compliance management. Internal auditors' role in the divide internal control force is more sustainable, consistent in all business aspects, and therefore focused on the potential business risks. Another part took comprehensive control, but it restricted by capacity and operational complexities.


INTRODUCTION
In recent decades, banking industries have been identified as a risk-based industry, whether finance, operational, management, and legal liabilities aspects (Hryckiewicz & Kozłowski, 2017). Each bank has to change the policies, systems, and procedures of industrial risk control and transform all rules into risk-based, adapting them to business disruption (Maudos, 2017;Surbakti, 2004). Risk management had received serious attention from the banking industry and was introduced in 1988 by the Bank Indonesia Settlements (Hadinata, 2017). It applied risk management by calculating capital adequacy requirements (CAR), which in 1998 was expanded into market risk aspects, and Bank Indonesia (BI) gradually applied this provision to begin in 1993 (Hadinata, 2017;Hamza, 2013;Sato, 2017) Islamic banking or sharia banking's growth is the same term, still dependent on conventional banking operational rules. Although it has different characteristics, it realized that Islamic banking differs systemically, including legal practices, operations, specific product features, and, indeed, the inherent risk (Sood, 2017;Suta & Musa, 2003). Sharia banking rapidly growing in Indonesia is also inseparable from international Islamic banking (Idat, 2005). Behind all of that, there are critical concerns that the development of Islamic banking is just a euphoria, pseudo and dangerous if it is not based on an adequate institutional and regulatory framework from the aspect of Islamic banking best practices (Darmadi, 2013;Surbakti, 2004). The inadequate regulatory framework is most susceptible to various crime and fraud that has always threaten the national banking industry (Ferry, Zakaria, Zakaria, & Slack, 2017;Surbakti, 2004) Institutionally, there are sharia banks in the form of a full sharia bank (fullfledged) and some types of sharia business unit (Unit Usaha Syariah-UUS) within conventional banks, and sharia rural bank (Bank Perkreditan Rakyat Syariah-BPRS). Specifically, the research was focused on sharia rural banks, suggesting an exciting phenomenon; first, it represents small sharia banks in Indonesia, limited by size, capital, and location (Adnan & Muhammad, 2007). Second, the trend indicates that the sharia rural bank avoided more extended contracts due to limited funds available for financing. The sharia rural bank is classified as small to medium-size banks, and that the banks followed or socio-cultural habits or in general business practices (Yuliana, Suhel, & Bashir, 2017). Otoritas Jasa Keuangan (OJK), the authorized financial supervisory board in Indonesia, described for 2018 that the amount of sharia rural banks would grow into 116 entities and increase in the open line with the growth of the sharia industry awareness (Bank Indonesia, 2002).
This increasing bank business risk resulted requires sufficient internal control (Idat, 2005). Sutrisno, Amin, & Marsius (2000) Reported that internal supervision at sharia rural banks has a different role, according to the organizational structures. Some bank places internal auditors under functionally at the director while others directly placed under the commissioners. The results concluded how they could understand the directors' or commissioners' operational function's internal control. The conclusion implies that there is no problem regarding internal auditor positions in sharia rural banks. However, this conclusion contradicted the research by Pratt & Beaulieu (1992), Rahmat (2017), Sinurani (2017), which stated that the company's function distinguished between financial and non-financial control has a strong influence on corporate control's cultures. The results revealed that differences influence corporate culture differences in functional areas within a bank (Suprayogi, 2007). Referring to the cases that have occurred, the banking business's risk is still high, while internal auditors' functional role has not been constrained optimally (Rini, 2014).
It still has inconclusive results comparing the study of Sutrisno et al. (2000) and Hadinata (2017), Pratt & Beaulieu (1992), Sinurani (2017) report. It was interesting to explain and compare how the internal auditor's role in risk management between internal auditors who have different positions in the organizational structure of sharia rural bank. This study would discuss the relationship between internal auditors' roles and risk management, which is expected to provide additional information on the empirical research of Bank Indonesia and mostly to sharia rural banks. Specifically, this research intensively explains and compares how the internal auditor's role in risk management between internal auditors who have different positions in the organizational structure of sharia rural bank.

LITERATURE REVIEW
Based on epistemology, risk has the meaning of unpleasant, detrimental, dangerous effects of any behavior or action (Hadinata, 2017). Many studies of McNamee & Selim (1998), McNamee (2000, and McNamee, Partridge, & Anderson (2015) defines risk as a concept used to explain potential uncertainty about events and or their outcomes that could have a material effect on the goals of the organization. Risk understanding is the most crucial aspect because it could affect organizational objectives (Maudos, 2017;McNamee & Selim, 1998). The possibility of risk should be identified, measured, and received priority attention (risk assessment) are further managed (risk management) and then can be avoided or reduced by management (McNamee & Selim, 1998). McNamee & Selim (1998) proposed three elements that must be taken to ensure understanding of the risk environment and manage it effectively, namely: operational, financial reporting, and compliance with business risk. The processes opened the imagination about significant risk potential to thoroughly understand the business process and framework and language for discussing risk between managers and auditors. Those researches showed that the risk understanding impacted the effectiveness of the internal auditor function. A survey conducted by KPMG (Sarens & De Beelde, 2006) explores in eight countries in Europe that over 60% of respondents believe risk management systems and internal controls can add value to its organization. Raiborn, Butler, Martin, & Pizzini (2017) support these findings and emphasize the importance of the internal auditor's role in creating good corporate governance. Similar findings in Indonesia show that results are not different for this cultural context, for example, the central role of internal auditors in formulating and assessing business process risk to determine the overall performance and responsibility of public sector services (Pangeran, Pribadi, Wirahadikusumah, & Notodarmojo, 2012).
Furthermore, Sarens & De Beelde (2006) revealed different internal auditors' perceptions about their specific role in risk management valuation. Several prior studies compared the internal auditors' role in developed countries (Sarens, Abdolmohammadi, & Lenz, 2012). These qualitative research results showed that internal auditors focused more on severe weaknesses in the risk management system and could demonstrate the value of their role (O'Leary, 2005). Different organizational structure positions will get different results (Raiborn, Butler, Martin, & Pizzini, 2017). Pratt & Beaulieu (1992) and Sato (2017) found evidence that corporate functions distinguished between financial and non-financial have a strong influence on corporate culture. These results revealed that functional areas that existed in a company impact different corporate cultures. These studies raise the suspicion that with differences in the position of internal auditors. It can also lead to differences in handling aspects of risk in sharia rural bank's internal control (Montgomery, Beasley, Menelaides, & Palmrose, 2002) Conceptual framework development has derived from most models of McNamee & Selim (1998), name recognition, and appreciation of business risk, combined with the concept proposed by Porter (2004), which includes operations, financial reporting, and compliance aspects. The three business aspects of the Porter (2004) elements implicitly emphasize the scope of business risk: the repetitive operating internal processes, the process of controlling compliance with rules, policies and work procedures, and financial reporting that shows the company's performance.

Figure 1. Conceptual Framework
The framework is based on two sides of observation, both theoretically and empirically, as a gap. First, theoretical comments that identify theoretical concepts, including role conflict in organizational theory, the role of conduct from internal auditors, audit paradigm from McNamee et al. (2015), consideration of risk management aspects, understanding of internal control of the COSO model, and management of good corporate governance. The second observation, empirical on various events related to other surveys conducted by Bank Indonesia (2002), the results of the perception of the management of people's credit banks about business risks from operational aspects, compliance, and financial reports and Sarens et al., (2012) and Sarens & De Beelde (2006) survey report on risk management. That is increasing and increasing. Both observational gaps, referring to Porter's (2004) criteria, namely: operational, financial statements, and compliance as aspects of business risk, will investigate internal auditors' role in minimizing business risk.

METHOD
A qualitative approach used in this study by considering the study's context, emphasizing understanding, thinking, and perception of researchers, who produce practical solutions, included ensuring that study or other thoughts. The unit research analyzes the internal auditor's activities at the sharia rural bank in Central Java. According to data from the Association of Indonesian Sharia Rural Banks in Central Java, 12 Sharia Rural Banks spread throughout Central Java. The sample is recorded  (2002) report, namely ASB and BUS. This study's data types are primary data obtained through open-ended questionnaires and in-depth interviews with internal auditors and directors as research objects. The subject matters of the interview included operational issues (effectiveness and efficiency of operations, securing assets), financial statement issues (reliability and integrity of financial information and operational), and compliance issues (compliance with laws, especially BI regulations, internal policies).
This study used a Multiple Case Study approach with Single Unit Analysis (Baxter & Jack, 2008), conducted on the internal auditor in ASB and BUS. Two stages of data analysis will be conducted, namely the data field analysis phase simultaneously with the data collection and after the field of research stages. Data field analysis results using to clarify the criteria and conditions obtained from each sharia rural bank entity. When comparing data used to explain the differences that occur where they meet the requirements, the internal auditor position's distinction is not significant. The research's stages described as follows: 1. Comprehensive exploration, in which the researcher confirms all sharia rural bank management regarding the latest internal auditor's presence. The survey conducted by Bank Indonesia did not mention which sharia rural bank had internal auditors. 2. Focused exploration, which processed research, began to be handled in detail to get in-depth about the unit of analysis understudy focusing that has been tentatively established in the proposition. 3. Confirmation, which is carried out to obtain research credibility and will be carried out throughout the study. The method used is member check by confirming the research findings to the sharia rural bank's internal auditor triangulation by checking the validity of data uses the opinions and statements of directors and heads of operations for checking or comparing data.

RESULT AND DISCUSSION
The research stages included comprehensive exploration, focused exploration, and confirmation carried out on ASB and BUS simultaneously, with the following description: The overall exploration phase of the internal auditor function existence at ASB and BUS is carried out by in-depth interviewing about the role of supervision and evaluation of operational, financial, and compliance with banking regulations. The role of the internal auditor at ASB revealed in the answers below:

indeed, there is a job distribution between us by a separate division. The Managing Director is more focused on product development and operationalization of the bank, while the Deputy Director focuses on controlling, observing, and supervising operations on the provisions. Also, both directors need to understand clearly and in detail the various operational aspects rather directly, only if the function of oversight and supervision carried out by the board of directors is still not available specialized personnel auditor. The more efficient and effective factor regarding auditor recruitment is our primary consideration as long as the risk can be avoided even if it is not compliant, not to violate the authorized supervisory bodies' provisions or requirements.
These descriptions concluded that the Vice Director's internal control roles continually evaluate the operational system's implementation and internal control. It could be because of such factors, e.g., separate responsibilities, lack of human resources, and efficient and effective processes consideration. According to supervision principles (Mollah & Zaman, 2015;Socol, 2011;Suprayogi, 2007). Interestingly, they are aware of formalizing an internal auditor as a separate unit to perform control, which is revealed in answers below effectively: Indeed, BI requirements and the FSA require its role, ... but need a more extended adjustment, but maybe next time it should be formed ... let alone operational still reachable by direct supervision ...
Limited resources become an obstacle to strengthening the role of internal auditors. Although it is reasonable and possible, there is a discrepancy in good governance. This condition has the potential weakness of control in line with the increase and complexity of bank operations (Darmadi, 2013;Sarens & De Beelde, 2006). Otherwise, the supervision department carries out the internal auditor roles in the BUS. The supervision and evaluation function focused on financing and credit operations at the cash service, branch, and head office. In contrast, the directors are carried out the financial aspects and rules intensively. That fact is revealed by the answers below: We need a supervisory role to ensure that the director bank's operations are expected every time a report is required. Many branches even to the cash office with a variety of services offered, necessary supervision against fraud and irregularities.... less effective when relying on personnel from the central operational control. We have experienced irregularities detected late instalment payments due to a lack of oversight ... The report of the auditors was accommodating managers, and directors understand faster on branch operations...
Internal auditors at the BUS are critical, in line with increased operational capacity. The number of branches indicates this, and cash services offices spread throughout most of Central Java. The lesson of fraud in the form of loss of cash deposits is a strong basis for internal auditors' role and existence on BUS. Therefore, directors required adequate preventive supervision through the role of the internal auditor. This result is consistent with research by Hamza (2013) and Rahman & Dean (2013).
Vice Director performs the internal auditors' function at ASB for operational, financial, and compliance supervision. The rating of financial aspects from Bank Indonesia shows a score of 92.54 (very good). This finding explained the existence of effective planning, control, and evaluation process of financial performance. It is presented from an assessment of capital, profitability, liquidity, and business efficiency, although earning assets, especially nonperforming loan financing, are relatively large. The evaluation of operational aspects can be described, including findings that are (1) violations; (2) neglect; (3) inaccuracy in the implementation of standard procedures, financing procedures, financing collection, and reporting. Based on interviews, it was revealed that there were 2-3 out of 100 documents on average. These are because of negligent and inaccurate, but it was not in violation. The internal auditor's function also carried out so that each document is examined and evaluated by the Vice Director before being approved by the director. The Bank Indonesia regulations compliance identified by applying each regulation and circular to banking's financial and operational aspects. Every three months, the bank must present published financial statements as an initial indicator of compliance. Assessment of management compliance with prudential principles is the priority of its application. Other, ASB applied it as a key to developing financing and withdrawing funds.
Separate units carry out the function of internal auditors at BUS because of the large number of branches and cash services, around 45 units resulting in the need for select units. Rating of financial aspects shows a score of 93.17 (very good). This finding explains the existence of an effective process of control and evaluation of financial performance. It is presented in evaluating both capital, productive assets, profitability, liquidity, and business efficiency. Based on interviews, it was revealed that in 2009 there was an average of 4-5 out of 100 documents. These are negligent and inaccurate, but it was not in violation, mainly because the auditor's work range with an expansive work area resulted in less effective document control details. The Directors also always instil a work culture, ethos, and service ethics following Islamic banks' principles (Adnan, 1996). It is done every week through routine briefing meetings for direction, performance determination, and activity performance (Darmadi, 2013;Li, Huang, & Lin, 2007). Every three months, the bank must present published financial statements as an initial indicator of compliance. Assessment of management compliance with prudential principles is the priority of its application (Wardiwiyono, 2012). BUS also applies it as a key to developing financing and withdrawing public funds.
The confirmation stage is carried out primarily to determine the internal auditor's function and obstacles in its work performance effectiveness. It emphasized the current challenges of exploring internal control weaknesses in the financial, operational, and banking compliance aspects carried out confirmation. Confirmation results with ASB revealed that the role of the Vice Director for supervision and control was limited. Those effective's supervision declined in line with the complexity and operational capacity of the bank (Ferry et al., 2017) Internal auditors' pattern in Islamic banks can be divided into two positions: supervisory directors' role and the role of separate internal control units. Both practices have the same role in controlling business risk in operational dimensions, financial statements, and management compliance, but with different intensities. Internal auditors' role in specialized units is more consistent in all aspects on an ongoing basis, but it is focused on potential business risks (Rini, 2014). While the role inherent in the board of directors can comprehensively control all aspects, but the operational capacity and complexity are hampered (Montgomery et al., 2002).
Internal auditors' functional role model in controlling and evaluating business risk is inherent in operational, financial, and compliance activities with existing regulations (Gramling, Maletta, Schneider, & Church, 2004). Internal control is intended to effectively and efficiently carry out its operational and financial policies, and the legislation could be obeyed. Internal auditors' function in certain levels of capacity and complexity can be inherent in the directors' supervisory role (Rini, 2014;Socol, 2011). Otherwise, that is in line with operational improvements, the role of internal auditors as a separate entity from the operating section will support the effectiveness and efficiency of management (Idat, 2005).

CONCLUSION
The results are used as a basic model for effective ways to improve internal auditor control's function and role in banking risk management, especially Sharia Rural Banks. Research results can improve banking governance practices based on controlling business risk towards a healthy banking system. This study has limitations: the study sample has a different organizational culture, even with the same banking rules and regulations. Future research can re-examine auditors' role in the same corporate culture to see its effects intensively on different controlling business risk.