The Practices of Risk-Based Internal Shariah Auditing Within Malaysian Takaful Operators: A Multiple Case Study

Shariah audit functions within Islamic Financial Institutions were imposed by Bank Negara Malaysia (BNM) with the issuance of the Shariah Governance Framework in 2010. During the early stages of the implementation, the approach for this shariah audit function was only focused on shariah compliance. After ten years, the shariah audit function became mandatory, where this function was expected to be well-developed and able to achieve its primary objective. The role of shariah audit should go beyond Shariah compliance as it should serve as an independent assessment of internal control for any shariah compliance risk. Shariah audit is also one of the crucial elements in the Shariah governance framework. However, the lack of specific guidelines for shariah audit became a challenge for auditors to carry out a comprehensive shariah audit procedure. Therefore, this study aims to provide an in-depth explanation of the process of shariah audit, particularly on planning, executing, reporting and follow up, which emphasises the application of the risk-based internal audit (RBIA) approach. The study adopted a qualitative methodology by using multiple case studies involving Takaful Operators in Malaysia. The detailed explanation of the current shariah audit process is expected to contribute to the provision of valuable detailed information for the Takaful Industry as well as other Islamic financial institutions. The information could benefit Islamic Financial Institutions by assisting in developing a strategy to provide a robust internal control for reducing the occurrence of shariah non-compliance risk.


Introduction
Malaysia can be considered a leading country in the development of Islamic finance. In any context, whether it is research, product development, regulatory frameworks, or practical steps, the Malaysian Islamic finance industry has always been a step ahead of the rest of the world.
Generally, the development of the Islamic financial system in Malaysia started with the establishment of a pilgrimage fund (Tabung Haji) in 1963 as the first Islamic savings institution. After a hiatus of several years, the first full-fledged Islamic bank was established in 1983 with the name Bank Islam Malaysia (Islamic Bank of Malaysia). As for non-banking financial service institutions, the first was the establishment of the first Takaful or Islamic insurance company under the Takaful Act in 1984 known as Syarikat Takaful Malaysia Berhad.
The Takaful sector has become a major contributor to Malaysia's financial system as a whole since the establishment of the first Takaful Operator in Malaysia. To date, there are eleven (11) Takaful Operators in Malaysia. Eight (8) Takaful Operators from the list provide family Takaful and general Takaful services, while another three (3) are involved only in Family Takaful. The takaful market is presently centered in Malaysia and the Middle East, and has experienced significant growth rates (PWC, 2018). The combination of ethical investment strategy, considerable growth potential, and cost competitiveness are among the reasons that attract non-Muslim countries to this business.
Although there is an increase in the number of Takaful operators, the Takaful penetration rate and share of the Malaysian Takaful business is still much lower than the conventional market (Juliana et al., 2013; Md. Husin and Ab. Rahman, 2013). This can be proved by looking at the size of the Takaful industry's market share in Malaysia, which accounted for only 12 percent of the 2015 total conventional insurance and Takaful market (Alajaji et al., 2017). Many issues and challenges have been highlighted, which include human capital shortages, inadequate technology capabilities, ineffective governance practices, and lack of innovation in the business model for new market niches, leading to the small size of Takaful's market shares (Fauzi et al., 2016; Deloitte, 2015).
The issue associated with this study is ineffective governance practices, which subsequently expose the Takaful Operators in their operations and activities to the risk of shariah non-compliance. Effective Shariah governance is crucial in mitigating the risk of shariah non-compliance faced by Takaful operators (Yusof et al., 2015). Accordingly, Bank Negara Malaysia has provided guidelines known as the Shariah governance framework (SGF) in 2011, which introduces the four main functions of shariah compliance organs: shariah audit, shariah review, shariah risk management, and shariah research and development. The new policy document of shariah governance has also been introduced recently in order to strengthen the effectiveness of Shariah governance implementation and enhance the current SGF further.
Shariah audit is one of the significant functions that serve as a governance mechanism for Islamic finance, as it ensures that the IFIs operate according to Shariah (Shafii et al., 2010). There should be an appropriate Shariah auditing framework to provide a quality assurance environment. A specific guideline for Shariah auditing is essential as it acts as a unique added value to Islamic Financial Institutions. However, this function of shariah audit was pronounced very briefly in SGF and caught the attention of researchers, who then requested one specific framework for shariah audit to be developed (Kassim et al., 2013; Ahmad et al., 2013; Yussof, 2015). This lack of specific guidelines made it very challenging for auditors to carry out a comprehensive shariah audit procedure.
From the issues discussed above, the objective of this study is to provide an in-depth analysis of the risk-based audit applied by Takaful Operators in their shariah audit process; planning, executing, reporting, and follow up; by using a multiple case study. This paper is divided into four main sections. The literature review section discusses the risk-based internal audit, empirical studies in shariah audit, and the shariah audit process. Section three features the discussion on study design and methodology. Section four presents substantial findings, and the final section contains the concluding comments.

Literature Review

Risk-based Internal Audit
In the traditional approach, the focus of internal auditing is mainly on internal control. In contrast, the focus of risk-based internal auditing is on the maximum potential risks that organizations may experience, and how to address these risks and even turn them into opportunities (Mut and Akyurek, 2016). Risk-based audit (RBA) is a word derived from the USA-based study foundation, the Institute of Internal Auditors (IIA) (IIA, 2004). In 1999, IIA's board of directors voted in favour of approving a new definition of internal audit and a new framework for professional practice (PPF). IIA defines risk-based internal auditing (RBIA) as a methodology that links internal auditing to an organization's overall risk management framework. RBIA allows internal audit to assure the board that risk management processes are managing risks effectively concerning the risk appetite. Table 1.0 below exhibits the emerging development on the functions of internal auditing.

Table 1.0
Period | Aim | Scope
(period not given) | Protection of assets | Controlling of accounting records
1960s | The protection of financial data | Auditing the financial assets and comparison with standards
1970s | Protection of both financial and non-financial data | Auditing for financial and suitability of assets
1980s | Protection of both financial and non-financial data | The auditing of whole activities, processes and control systems
1990s | To support organization for achieving aims | The auditing of whole activities, processes and control systems
2000s | To support organization for achieving aims | Auditing the whole organizational, control, risk management processes and consultancy service for creating added value to the organization
Sources: Mut and Akyurek, 2016

Based on the table, the evolution in the scope and aim of internal audit can be clearly seen, and the most recent scope was auditing the whole organizational, control, risk management processes, and consultancy service for creating added value to the organization.
The simplest way to conceptually consider risk-based auditing is to audit the things that matter to your organizations (Terer and Ngahu, 2017).
On the same ground, Griffiths (2005) describes the development of internal auditing by taking into consideration the following distinct methods, which are shown in Exhibit 1.0 below.
Risk-based internal audit engagement should consist of five steps: establishing audit engagement objectives based on the goals of the activity under review; identifying operational or strategic events within the scope of the audit engagement (including risks that threaten the achievement of the objectives); carrying out risk assessment where the risk is measured in terms of probability (the possibility of the incident occurring) and impact (the outcome or effect of the case); and control activities that should be included in the risk reaction (Coetzee and Lubbe, 2013).
According to Zainal Abidin (2017), most of the previous research concentrated primarily on the risk assessment activities carried out during the planning phase of the audit. There are also studies which examined the factors of adopting risk-based audit in the organization (Allergini and D'Onza, 2003; Koutopis and Tsamis, 2009; Castanheira et al., 2010). Among the identified variables that are significantly related to the implementation are company size, regulations, industry, organizational culture, and management mindsets.
For the area of shariah audit, less exposure has been given to the actual practice of shariah audit, which is related to the risk-based audit area. A recent study conducted by Abd Rahman et al. (2018) provided an in-depth explanation of internal shariah audit for Islamic banking. Other than that, a study by Yahya (2018) also agreed that evolution towards higher levels of risk-based auditing is needed if internal auditors are to play an essential role in risk management.
Exhibit 1.0
Compliance auditing: Limited practice that controls whether the organizations operate according to predetermined procedures or not.
System focus auditing: It considers the organization as a whole and detects which working procedures are incorrectly carried out. It is less procedure-oriented than the compliance stage.
Risk based auditing: It emphasizes the importance of risk assessment in order to achieve objectives.
Value for money auditing: A control process that is operated for determining whether the value for money is achieved or not at an optimum level for attempting to improve profit.
Assurance-based auditing: Guarantees all working procedures to avoid imitation of the products and services by using the risk-based approach.

Empirical studies in Shariah Audit
Considering the Islamic market's fast development, the Islamic financial sector must have an appropriate 'check and balance' system in the form of shariah auditing tailored to its establishment's objectives and functions or maqasid al-shariah, which means 'the objectives of Islamic law' (Yaacob & Donglah, 2012). One of the pioneering studies is by Abdul Razak and Omar (2008), which addressed the application of shariah auditing in Islamic financial institutions in Malaysia, and suggested that the shariah audit function be implemented to improve shariah assurance.
There are few studies that were undertaken before the SGF 2011 was issued, which made shariah auditing compulsory. It is noteworthy to mention that studies carried out prior to the issuance of SGF 2011 were more about proposals for one shariah compliance feature in a given IFI (Kassim et al., 2009; Shafii et al., 2010; Muneeza and Hassan, 2010).
A year after the issuance of the SGF, most of the studies conducted were to identify the issues and challenges surrounding the implementation of shariah audit function (Kassim and Sanusi, 2013; Yaacob et al., 2013). Many studies were also conducted to get the perceptions of undergraduate and postgraduate students on their understanding of shariah audit concepts as well as providing recommendations to enhance the knowledge and skills of these target groups.
The study on shariah audit practice was started by Yahya and Mahzan in 2012, which was conducted using a few samples of Islamic financial institutions in Malaysia. The study discovered that the practices are still in the development stage and need further improvement. There are a few other studies which were conducted to further explore the current audit practice (Kassim and Sanusi, 2013; Ab. Ghani and Abdul Rahman, 2015; Yahya et al., 2018).
A study by Ab. Ghani and Abdul Rahman (2015) examined the extent of Shariah audit practices in Islamic banks in Malaysia by using the Exposure Draft of Internal Shariah Audit Framework (ISAF) issued by the International Shariah Research Academy (ISRA) as a benchmark to measure the extent of Shariah audit practices. The results of the study indicated that the majority of Islamic banks have appropriately set audit objectives, governance structure, competency requirements, audit process and reporting requirements, although some have not clearly outlined their audit scope and audit charter. This study, however, focuses on the Islamic banking industry only.
The study conducted by Yahya et al. (2018) can be regarded as the latest study on shariah audit practice which explores present shariah auditing practices among Islamic Financial Institutions (IFIs). The findings of the study showed that the procedures are still evolving, where further developments and improvements are needed with a particular focus on the standardization of the shariah audit framework and guidelines for the design of the shariah audit program.

Shariah Audit Process

Planning
Audit planning includes the decision on the overall audit strategy and the development of an audit plan (Bunjaku, 2019). According to Lahsasna (2016), a good Shariah audit plan should cover the essential requirements and should also be free from anything irrelevant to the auditing process. Therefore, anything that is necessary to ensure compliance with Shariah must be part of it, and at the same time everything that is not useful for this purpose must be eliminated so that the process can be both time- and cost-effective.
The audit process will usually begin with audit planning, which is deemed to be a vital component as it relates to internal control procedures in any organization. The objective of the internal control system is to support the people of the organisation to manage hazards and to achieve the goals set and conveyed by the organizations (Saedi and Dastgir, 2017; Lai et al., 2017). Only with good internal control can the organization have an effective audit program (Sawalqa and Qtish, 2012). The different nature of the business might result in different types of internal control and audit planning. Specialization in the industry would have an impact on the audit risk assessment and audit planning decisions (Low, 2004).
For shariah audit purposes, the auditor should also have a full understanding of all essential elements, pillars and conditions of each Islamic financial contract utilized in the current Islamic finance business. Once the auditor has grasped the business of the IFI, the appropriate techniques, and the audit scope, only then can they design a proper audit plan.
Audit scope is defined as preparation to determine the boundaries within which auditors are supposed to conduct shariah auditing. The scope of the audit will decide the types of required information, timing and human resources. Every audit scope must have an audit program. As highlighted in the SGF 2011, there are a few areas that should be covered by an auditor when conducting a shariah audit. Among the areas are: (i) audit of financial statements of the IFI; (ii) compliance audit on organizational structure, people, process and information technology application systems; and (iii) review of adequacy of the Shariah governance process.
Another important element in audit planning is the audit programme. The purpose of the audit program is to audit a specific area of an audit exercise (Shafii et al., 2015). It is also similar to a checklist to operate with and identify IFI shariah compliance. It is therefore common for a number of audit programs to be audited for the different departments and business activities. The audit programme comprises all the information of the audit work required to perform a skilled task in various internal control circumstances (Sawalqa and Qtish, 2012).

Execution
The execution stage is the stage where the auditors will perform the actual audit according to what they have planned in the planning stage. Audit execution involves audit fieldwork. In accordance with the proposal for an audit, fieldwork is defined as the technique of gathering evidence, evaluating and reviewing that evidence. The objective of the fieldwork is to collect sufficient and relevant evidence to arrive at a conclusion or a finding and to support the recommendations. Studies conducted on audit fieldwork are usually associated with the auditor's judgement when conducting the audit (Smith et al., 2001; Wedemeyer, 2010; Alteer et al., 2013; Yang et al., 2017; Fatmawati et al., 2018).
According to Hanefah et al. (2014), there are two types of tests that can be used in conducting audit fieldwork, which are known as the test of control and the substantive test. The test of control is done to check the effectiveness of the internal control system on shariah compliance as well as if the operational systems of the IFIs comply with the laws and regulations. On the other hand, the substantive test is used to detect material money misstatement in transactions, account balances and disclosure in the financial statements.
The most important decision at the executing stage is the selection of an appropriate technique that can be deployed for gathering audit evidence (Lahsasna, 2016). The techniques include reviewing documents, interviewing, observation, benchmarking, surveys, case studies, flow charting, statistical analysis, walkthrough and questionnaires. Many factors lead to the selection of the techniques. Among the factors are the objectives of an audit, the nature of the business and also the availability of the techniques.
On the same ground, Htay et al. (2013) have come up with several shariah audit techniques that can be used in conducting shariah audit, which include the halal and haram code approach, aqad approach, legal documentation approach, maqasid al-shariah approach or business techniques approach. The maqasid al-shariah approach is observed as the best technique as it portrays the objectives of the establishment of Takaful Operators itself. In maqasid shariah techniques, innovation and all endeavours to test the legality of a new product must readily comply with the objectives of Shariah.

Reporting
According to Htay et al. (2013), after audit fieldwork, the formal reporting will be prepared and referred to as the preliminary report. The written report then will be submitted to the management of Takaful. The report will be discussed openly and transparently where the auditee has the right to accept or dismiss the results. Any points of rejection will be further examined and additional evidence gathered. Finally, the final report will be furnished by the auditee on the auditor's results after they have reached the appropriate conclusion.
The report should be submitted, checked and supported by the Board Audit Committee to ensure that the internal audit report is presented independently (Abd Rahman et al., 2018). It is important to issue and publish an audit report which should include the objective of shariah audit, the process and procedures used in carrying out shariah audit, the opinion on the scope of shariah compliance, the results, i.e. the thorough violation of Shariah's value by IFIs, the consequences and suggestions for enhancement.
On the other hand, Shafii et al. (2017) highlighted that shariah audit findings should be reported directly to the Shariah Committee in order to ensure independence of the shariah audit work. At the same time, IPPF (2013) also emphasised the reporting aspect of internal audit work that should include communication, monitoring of audit progress and the communication of the acceptance of the risk found during the audit to the top management and BOD.

Follow Up
The purpose of follow up is to ensure that management has implemented the action and addressed all the issues. This follow up stage also serves as a monitoring function for the management level (Kenessy, 2014). Monitoring is close surveillance of internal audit processes that can lead to success. It is important to follow and assure that the entire audit process has been followed and is in line with the objectives of the organization (Gurama and Mansor, 2018).
The most important part in this follow up stage is to ensure that management is able to meet the deadline and that the rectification has been made accordingly. It is essential to study how IFIs conduct their follow up, as this is also a part of the monitoring function. In fact, the International Standards for the Professional Practice of Internal Auditing as provided by the Institute of Internal Auditors (IIA) has generated guidance in this area in Standard 2500 - Monitoring Progress and Standard 2600 - Communicating Risk Acceptance. The follow-up process also makes it possible to determine the efficiency of the risk reaction of management (CIIA, 2018).

Research Methodology
The purpose of this study is to gain in-depth understanding on the shariah audit approach practiced by Takaful Operators in Malaysia. This study was based on a multiple case study, which compared the shariah audit processes of four Takaful Operators and employed a qualitative approach using in-depth interviews. This research strategy allowed the researcher to gather information about the participants' experiences, views and beliefs concerning a specific research question or phenomenon of interest (Ryan et al., 2009).
For the sampling of cases, four (4) Takaful Operators were selected by using purposive sampling. Purposive sampling is a technique widely used in qualitative research to identify and select information-rich cases for the most efficient use of limited resources (Patton, 2002). Four Takaful Operators were chosen due to the fact that these Takaful Operators had the distinction and experience of becoming the top four (4) Family Takaful providers in Malaysia. The table below exhibits the demographic details of the chosen Takaful Operators:

The selection of respondents was also done using purposive sampling, and among the criteria was to choose respondents who were directly involved in the process of shariah audit and have more than three (3) years' experience. A total of 8 interviews were conducted using semi-structured interview questions. The semi-structured interviews addressed the current process on shariah audit as conducted by the practitioners in their organizations. The respondents consisted of shariah auditors and Shariah Officers of the Takaful Operators. The details of respondents are shown in Table 3.0 below.

Based on the details of the respondents, it can be considered that all of them are very highly knowledgeable, have vast experience and play a dominant role in their organizations. The interviews were conducted by the researcher via face-to-face sessions in the Klang Valley area, where the length of the interviews was between 45 and 90 minutes.
The audio recordings from the interview sessions were transcribed in detail and verbatim. To ensure validity and reliability, the transcriptions were reviewed against original recordings by the interviewers. A thematic content analysis was performed on all transcripts. Data are presented in words and themes in qualitative content analysis which allows some interpretation of the results to be drawn. The findings of this study provide explanation on Shariah audit process, which consists of planning, execution, reporting and follow up audit.

Findings and Analysis
Since this study is a multiple case study, the findings of this study will be analysed according to selected cases starting from Case Study A, Case Study B, Case Study C and Case Study D. Each of the Takaful Operators has developed its own shariah audit process based on the available guidelines, which include the International Professional Practices Framework (IPPF) issued by the Institute of Internal Auditors (IIA), the Shariah Governance Framework (SGF) issued by Bank Negara Malaysia (BNM) and Committee of Sponsoring Organizations (COSO). It is notable that Takaful Operators use RBIA as a methodology for conducting their shariah audit function. Further details on the shariah audit process are discussed below, divided into two subsections: i) shariah audit planning and executing and ii) Shariah audit reporting and follow up. The respondents of this study are referred to as R1, R2, R3 and so on accordingly.

Shariah Audit Planning and Execution

Case Study A
Takaful Operator A has two approaches for their shariah audit. The first approach is known as full shariah audit and the second approach is integrated audit. Integrated audit combines operational audit with an audit of shariah internal controls. This is among the descriptions provided by R1: "There are two types of approach for audit. The first one is full shariah audit, and the other one is integrated audit. Means that in mandatory audit, we also have one scope for Shariah. It is not stand alone audit…" (R1)
In general, there are two types of planning. The first one is annual audit planning and the other one is audit assignment planning. Annual audit planning will be prepared by the auditors every year before the execution stage. Normally, preparation of shariah audit planning will be started with risk assessment process. Risk assessment is at the root of every audit which aims to identify, assess and respond to risk of material misstatements that drive for every audit procedure.
For Takaful Operator A, they use a formal risk assessment template from the Group Head Office, where the auditor will adapt from the template for the shariah part. All the processes for internal audit have been determined by their Group Head Office and the auditor adds the shariah part in the process. R1 admitted that since the introduction of SGF in 2011, the organization only performed a full audit scope of shariah audit in 2015. He also mentioned that: "We use shariah audit profiling for the first full scope shariah audit that have been conducted in 2015. We map the risk with the level of risk and the area which have not been covered yet". (R1)
The level of risk was divided into three categories: low, medium or high. For every risk determined, there must be a justification and they will determine the audit scope based on the risk identification. Sampling would also be based on risk level. High risk levels would usually require a large number of samples.
On the same ground, R1 also mentioned that their audit program consists of key risk areas. The key risk areas will then be checked for whether they comply or not with the Takaful framework. He also added that auditors should not check one by one to determine the audit cycle, as it is a traditional practice, and the important part is to identify the key risk areas for business operations.
After completing the audit program, the auditor will conduct the audit fieldwork. This is the stage for auditors to accumulate the evidence for audit purposes. Some techniques that might be used by the auditors include interview, observation, document examination, data mining, walkthrough or questionnaire. This is the normal SOP practiced by most operators when they perform shariah audit exercises. Some of them also used specific software such as CATS. As mentioned by R1: "For techniques, we used interview, observation and documents. We also have data analytics and we adopt CATS software…" (R1)

Case Study B
Takaful Operator B is a full-fledged Takaful operator. As described by the auditor, before the planning stage, the auditors will meet the Head of every department to ask for the details on their operation. This is a part of understanding the function of the department and their risk profile. This is among the statements from R2: "Before planning, we will meet Head of Department and ask for information…and then we will refer to shariah review department….at this stage we will identify the risk..." (R2)
Takaful Operator B's method of shariah risk assessment is by getting input from the shariah department. In this case, the shariah department has to identify the potential shariah non-compliance risk from their shariah review activity. The findings from the shariah review activity will be passed over to the auditor, and the auditor will conduct a shariah audit based on the scope determined by the shariah reviewer. Normally, the shariah audit will be conducted together with the operational audit.
Since Takaful Operator B conducts integrated shariah audits, their audit programme is not specifically a shariah audit programme, but is the integration of the operational audit programme and the shariah audit programme. This is the response on the audit programme: "Our audit programme is pretty standard. Normally we just carry forward the previous assignment planning except if there is any new risk or new procedures. If there is any, we will incorporate back. There are also a part of shariah issue highlighted in the operations…." (R3)
The reason for Takaful Operator B conducting integrated shariah audit is because they feel there is a redundancy between the job scope of the shariah reviewer and shariah auditor. Hence, they let the shariah department determine the shariah risk area for every department, and the auditors will test the controls based on the shariah review report. Another reason for adopting an integrated audit is due to the challenges in hiring competent Shariah auditors, and they claim that they themselves are not competent enough in shariah knowledge.

Case Study C
For Takaful Operator C, there are two stages of planning which are conducted. The first one is annual audit planning and the other one is audit assignment planning as expressed by R4: "We have two planning. The first one is for the whole year. For example, next year, what we want to audit, this is called as annual planning. Another one is when we have identified what we want to audit, we have audit engagement planning. So for each of audit assignment, we have control plan and we have identify the objectives, the scope, the procedure, audit testing…and then manpower allocated for that project. Then, we will identify the risk based on COSO framework". (R4)
Before coming out with an annual audit plan, the internal audit department will conduct their own research by looking at the market outlook, any new related guidelines or any circulation that is effective to their organization. The appointment to the respective head will be made afterwards, such as risk management, operation, risk business and any other line of defense to discuss new developments that they are embarking on or if there is any product in the pipeline. Only then will they conduct further discussions on risk identification. According to R4: "We will sit down at our department level and map the risk given of the information. And the risk will be mapped based on audit universe." (R4)
The risk mapping strategy also known as "bottom up" comprises evaluating the operational risks and controls associated with each identified process in a thorough and systematic manner (Zahra and Said, 2013). The auditor then further clarified that planning is the combination of both top-down and bottom-up. All the issues arising from the audit review and compliance review will be communicated to their group office.
At the group level, they will assess the rectification of the organization as a whole because they need to determine the area that should be prioritized and improvised. Then only the group level will come out with the risk universe, and they will identify the areas that need to be audited. After that, the audit department level will try to allocate based on their available resources. The auditors also mentioned that they are usually involved in the audit planning assignment, but annual audit planning is determined by group level.
In terms of execution, this is the description from the auditor: "During execution, because in planning stage we already planned what to do, so we will request for data and start to do data analytic. So we have the big picture already and the emerging themes that we wish to put further. So during execution we will perform based on what we have. We will conduct introduction meeting, we will share and we will start the interview to look into their control design, the effective of the control and then we will show them our preliminary finding to verify whether it is okay or not and then we will check all the document and walkthrough with them". (R4)

Case Study D
For Takaful Operator D, as clarified by the auditor, their audit planning is conducted in general and the mapping is based on the requirement of SGF. This is among the responses from the auditor: "Shariah audit planning is a bit different here. If operational audit, we will detailed out the core audit and non-core audit. Core audit is audit which related to operation and finance which we need to cover every year. But non-core audit is the area that we don't have to cover every year. Maybe we have to cover once in three years. So shariah audit is actually we categorized as core audit in operational audit because is the regulatory requirement... So in planning, we totally refer to SGF. So, basically we will look back at the three elements highlighted in SGF. Number one is financial statements, operation process which relate to the system and people and the third one is relating to governance." (R7) Based on the above explanation, for Takaful Operator D, shariah audit is categorized under core audit in operational audit; it is notable that this takaful operator practices integrated audit. Shariah audit is not treated as a stand-alone audit; however it is conducted under operational audit.
In terms of risk assessment, the auditor will get input from the risk management department and shariah department, as mentioned by R7: "In audit universe, there are shariah scope and in risk assessment, there also shariah part that we have to look, and for this we will integrate with risk department and shariah department". (R7) On the same ground, the auditor also claimed that he always engaged in informal communication with the risk management department and will start to have official engagements with it to improve their risk assessment practice. This is the statement from R7: "Most of the time we will communicate with risk management to get their opinion on the level of risk…but it is informal engagement…we are about to start the official engagement…" (R7) In terms of their audit program, R7 revealed that it would be based on their internal audit discretion, and they are the ones who will do the risk identification. R7 also shared their process of sampling as follows: "We will request sample for every audit cover, we will have entrance meeting. During entrance meeting, we will prepare the entire document that we need. Sampling basis would be based on the risk area. If high risk, sampling would be more than 10%. So 10% would be the normal percentage for sampling. More sample number would be better but we have limited resources". (R7)

Analysis of Shariah Audit Planning and Executing
Based on the above findings, it can be highlighted that there are a few elements in shariah audit planning and executing, as illustrated in Table 4.0 below according to the case study.
There are a few risk assessment methods practiced by Takaful Operators. Each risk assessment method described by the auditors has its own uniqueness. It has been observed that most of the Takaful Operators applied self-risk assessment, which is also associated with control and known as Control Risk Self-Assessment. Only one Takaful Operator got the input on risk from the risk management department, which can be considered good practice to avoid redundancy of the function with other functions. In terms of the audit program, since they are applying risk-based audit, the audit program consisted of audit key risk areas.
There is presently no agreement on which sampling technique is the best, as each method has its distinctive benefits and disadvantages (Van Der Nest et al., 2015). In fact, the International Standards on Auditing (ISAs) do not prescribe the usage of either a statistical or non-statistical sampling technique for auditors, but they do provide guidance on the appropriate use of audit sampling in the collection of audit evidence for testing and substantive testing.
Takaful Operator A conducted two types of approach for their shariah audit; full shariah audit and integrated shariah audit. However, Takaful Operator B and D conducted integrated shariah audits, which meant that they were combining the operational audit and shariah audit, whereas Takaful Operator C went for a full shariah audit.

Shariah Audit Reporting and Follow Up

Case Study A
For Takaful Operator A, they have two phases of reporting. First, they will draft a report of potential audit findings to the SC to share their concerns together with shariah department. For this purpose, they will set up an informal meeting with SC. From the meeting, they will select the issues to be reported in the audit report, and then only will they report to the Board of Audit Committee. After everything is agreed to by the Board of Audit Committee, they will notify the SC once again.
So, here we can see that they will table to SC twice; the potential findings and then the final report of findings. Takaful Operator A is the only operator that practices this way. In addition, R1 mentioned that in SGF, there is no detailed description on when and how the reporting should be done to SC.
On the other hand, Takaful Operator A practices differently in their follow up stages as mentioned by R1: "Here the follow up process is quite different from others. Normally follow up will be like we check whether the auditee has taken the action or not. But here follow up is like you do audit all over again. Take a new sample, reassess the process and documented everything. If the rating is low or medium, then they have to get approval first from head of department. If high rated risk, must be approved by Chief of Internal audit. So the follow up process here is not easy as the normal practice of follow up. And we have our own formula on determining the sample based on daily frequency or monthly frequency". (R1) The follow up process practiced by Takaful Operator A is tedious and time-consuming as it requires the process of re-audit. However, this is the best follow up process as it provides the best monitoring system for the whole management. This type of follow up also requires enough resources in terms of time and staff.

Case Study B
For Takaful Operator B, the reporting would depend on the issues of audit findings since they do integrated audits. If there are potential findings for shariah issues, then the auditor will table to SC first, and then only report to BOAC. However, the authority of approval is in the hands of the BOAC. If they present to SC, it would be out of courtesy, and just to fulfil the requirement of the dotted line in SGF.
In terms of follow up, it would be on a monthly basis. For example, if they issue the report in August, it would be agreed in the plan that the auditees have to submit in November. The procedure is the auditor will ask for their progress every month until the month of November. This is the normal practice of follow up which is practiced by most organizations.

Case Study C
For Takaful Operator C, they have to report to the subsidiary level and group level. Both have their own SC and BOAC. The chief of internal auditors will table to SC, then only to BOAC as mentioned by R4: "If there is SNC, we will draft a report, finalize the report and get the group sign, force for internal audit committee, shariah audit committee and then to BOAC. If we go directly to BOAC, they surely will ask whether SC has gone through this report or not although in our audit manual we have to report directly to BOAC". (R4) In terms of follow up, the frequency would depend on the level of the risk. Here is what was mentioned by R5: "If we rated the finding as high risk, the auditees have to an action one month after exit meeting and then they have to rectify. If it is rated as medium, audit committee decided after three months after the exit meeting, they have to reply. And finally for low risk, it should be given for 6 months. That would be tracked under follow up". (R5) She then added that: "Under follow up, we will follow up the issues. We have to validate back whatever supported document given by auditees. If we see that all controls are in place, then only we will close the issues. All the follow up progress will be notified to audit committee". (R5)

Case Study D
For Takaful Operator D, they have a different practice as the shariah auditor does not have to report for shariah audit part in the draft report. The Shariah team is the one who is eligible for that, and they have to submit to the SC, and then to the BOAC for approval and rectification. The shariah auditor will just detect the potential shariah non-compliance risk, and for their part, they only have to report in terms of assessment. The details of assessment would be on what the auditors have found during their audit and what are the auditee's rectification plans in terms of shariah control.
For the final report, the auditor will table to SC and ask for any recommendation and finally table to BOAC.
Normally, the auditor will have to do a follow up if there is any finding. But if there is no finding, the auditor still will be informing the respective business. This is what was shared by R7 regarding their follow up process: "If there is any finding, we will inform the respective business and the auditee have to do action plan. Then we will check every quarter because we have to table back as a matter arising. We will table back whatever updates or actions taken. If there is pending issues, we will still reported on the pending issues and provide reasonable reason for that pending issues. We will do the follow up process until the auditee settle their task and then only we will close the file. This one also relates to their key Performance Indicator". (R7)

Analysis for shariah audit reporting and follow up
Normally, audit findings will be discussed with the respective department. At this stage, auditees are given the opportunity to make justifications or clarifications, if any. The reporting of the final report will be made afterwards. Based on the table, there are differences in the practice. For Takaful Operator A, there are two phases of reporting. The first phase would be to table the draft to SC to get the input from SC before tabling to BOAC as BOAC is the ultimate decision maker. Then, the auditor will notify the SC again based on the final report. Takaful Operator B on the other hand has a different practice as the auditors will only table the report of findings to SC if there are any shariah issues since they are practicing integrated audit. Finally, for Takaful Operators C and D, they are practicing the same method of reporting. The final report will be tabled to SC first, then only to BOAC.
For the follow up stages, by using RBIA, normally the frequency of follow up will be based on the risk level as practiced by Takaful Operator C. The follow up practiced by Takaful Operator A is different from the others as the auditor will take the new sample and conduct another audit for follow up purposes. For Takaful Operator B, the follow up will be conducted on monthly basis.

Conclusions
The findings of this study indicate that the preparation of the audit plan and audit program for Takaful Operators is justified by a risk-based approach. The process of auditing practiced for shariah audit is also similar to the operational audit process. Obviously, the differences can be seen in the types of risk as the shariah audit is conducted to mitigate shariah non-compliance risk. Adopting risk-based audit in shariah audit function is the best decision for any Islamic Financial Institution. There is a positive and significant relationship between effective risk management and adoption of risk-based internal audit, which shows that the use of risk-based internal audit not only gives added value to the shariah audit process, but to risk management as a whole (Drogalas et al., 2017).
By using a risk-based approach, focus is placed more on higher risk areas. COSO's internal control components also take into account elements such as control environment, risk assessment, control activities, information and communication, and monitoring.
Other than that, by examining the practices of the shariah audit process for each of the Takaful Operators, it is found that the Takaful Operators are very optimistic about their performance on shariah audit and still seek to improve their practices from time to time. The Takaful Operators also try to comply with all the available requirements and regulations at their best, although there is no detailed specification on the shariah audit process. However, issues arise in terms of identifying the shariah risk, which requires auditors to have shariah knowledge or active engagement with the shariah department and shariah committee. Takaful Operators should also strive to improve the quality of audit function and focus on achieving maqasid Shariah. By analysing the multiple case studies, it is found that there is no uniformity in the practice in terms of risk assessment, engagement with shariah committee, reporting process and follow up process. The lack of uniformity may result in inconsistencies in providing the shariah compliance report for decision-making purposes. Thus, there is a need to develop a specific shariah audit framework to enhance the current practices and provide consistency.
The analysis of the study is important for takaful players in enhancing current shariah audit practice by making comparisons to other practices. At the same time, it can boost stakeholders' knowledge in understanding the process of shariah audit in further detail. Future research could also evaluate the effectiveness of audit practice given the currently available guidelines in the finance industry, especially the Takaful industry.