A mining company's internal audit is an independent assurance and consulting function that ensures mining operations comply with regulations, manages risks measurably, and upholds good governance. In a sector with inherently high risks like mining—from occupational safety and environmental impacts to asset management and high-value procurement—the role of internal audit is not simply a compliance formality, but a strategic line of defense for business sustainability.
This article comprehensively discusses the definition, legal basis, scope, types of risks, and stages of implementing an effective internal mining audit. This guide is designed for Heads of Internal Audit Units (SPI), Inspectorates, Heads of Mining Engineering (KTT), internal auditors, and decision-makers in mining companies—including state-owned and regionally-owned enterprises (BUMN) in the natural resource sector that are subject to regulatory requirements. Good Corporate Governance (GCG).
What is an Internal Audit of a Mining Company?
Internal auditing is an independent and objective activity designed to add value and improve the effectiveness of an organization's risk management, internal control, and governance processes. This definition refers to the Institute of Internal Auditors (IIA) standards, which serve as a benchmark for internal audit practice globally and in Indonesia.
In the mining context, a mining company's internal audit assesses whether all business processes—from exploration and production to processing and commodity sales—are carried out in accordance with internal policies, industry standards, and laws and regulations. Its scope is cross-functional, including:
- Financial Audit: accuracy of reporting, cash management, royalties, and state revenue.
- Operational Audit: production efficiency, heavy equipment utilization, and supply chain management.
- Compliance Audit: compliance with permits, environmental obligations, and mining safety.
- Information Systems Audit: operational data reliability and system security.
Unlike external audits, which focus on providing an opinion on financial statements, internal mining audits are continuous and process-improvement oriented. Internal auditors act as strategic partners with management and the board of commissioners in overseeing the effectiveness of internal controls and risk management.
Legal Basis and Obligations for Mining Compliance Audits
One of the key differences between internal audits in the mining sector is the mandatory state-mandated mining compliance audits. Companies holding Mining Business Licenses (IUP), Special Mining Business Licenses (IUPK), Special Production Operation Mining Licenses (IUP) for processing/refining, Contracts of Work (CoW), Contracts of Work (PKP2B), and mining service companies (IUJP) are required to implement a Mineral and Coal Mining Safety Management System (SMKP).
Some of the main regulatory foundations that the audit team needs to understand:
- ESDM Ministerial Regulation No. 26 of 2018 concerning the Implementation of Good Mining Principles (Article 18 requires the implementation and audit of SMKP).
- Minister of Energy and Mineral Resources Decree No. 1827.K/30/MEM/2018 regarding Guidelines for the Implementation of Good Mining Engineering Principles.
- Decree of the Director General of Mineral and Coal No. 185.K/37.04/DJB/2019 regarding technical guidelines for the implementation of SMKP.
Under these provisions, every mining company is required to conduct an internal audit of SMKP implementation at least once a year, and the results must be reported to the Minister through the Director General of Mineral and Coal. SMKP internal auditors must also possess competency, as evidenced by an audit training certificate registered with the Chief Mining Inspector (KAIT).
It's worth noting that the oversight trend continues to strengthen. In 2025, the Directorate General of Mineral and Coal issued a directive requiring SMKP internal audits to be based on data, risk, and performance on an ongoing basis—a clear signal that regulators expect a more analytical audit approach, beyond simply document fulfillment.
For mining SOEs/BUMDs, this obligation overlaps with the demands for GCG implementation and internal control that are of concern to BPKP, so that the quality of internal audits has a direct impact on the assessment of corporate governance.
Scope of Mining Internal Audit
The scope of internal audits in mining is much broader than in the service or manufacturing sectors in general due to the dispersed, asset-intensive, and highly regulated nature of operations. Typical audit areas include:
- Occupational safety and health (K3) and operational safety, according to the elements of SMKP.
- Environmental compliance: reclamation, post-mining, waste management, and environmental permits.
- Production and reserve management: reconciliation of production, levels and stock movements.
- Procurement and contract management: high risk of fraud and conflict of interest.
- Management of fixed assets and heavy equipment: maintenance, utilization, and security of assets.
- Financial obligations to the state: royalties, PNBP, and production fees.
- Operational information and data systems: data integrity which is the basis for reporting.
Due to this broad scope, it is impossible for an internal audit team to thoroughly examine all areas annually. This is where a risk-based approach becomes crucial for setting priorities.
Mining Company Audit Risks That Must Be Considered
Understand audit risk Mining companies help SPI teams allocate limited resources to the most material areas. There are two layers of risk discussion that are important to separate.
Business risks (inherent) of the mining sector
These are threats to the achievement of company objectives that auditors must assess, including:
- Safety and operational risks due to hazardous activities that have the potential to cause accidents and production losses.
- Environmental and social risks which can result in administrative sanctions up to the revocation of mining business permits.
- Regulatory compliance risks which is dynamic and layered in the mineral and coal sector.
- Fraud and integrity risks, especially in procurement, commodity sales, and production measurement.
- Risk of commodity price fluctuations which affects cash flow and reserve valuation.
Audit risk concept
Technically, audit risk is the possibility that the auditor will reach an erroneous conclusion. This risk consists of inherent risk, control risk, and detection risk. The higher the inherent risk and control weaknesses in an area—for example, a large-value procurement in a remote location—the greater the amount of testing that needs to be performed.
To address this complexity, many companies are adopting Risk-Based Internal Audit (RBIA)This approach focuses audit activities on the risks that most threaten organizational objectives, so scheduling, resource allocation, and testing depth are determined by the risk map—not just the calendar cycle. RBIA aligns the audit program with the company's risk register and management's agreed-upon risk tolerance levels.
Stages of Implementing Internal Mining Audits
Effective internal auditing follows a structured and documented cycle. Here are some general steps that can be adapted:
- Risk-based planning — Prepare an annual audit plan by mapping the risks of all units and processes, then setting assignment priorities.
- Program preparation and audit working papers — Formulate the objectives, scope, audit criteria, and testing procedures that will be documented in the working papers.
- Fieldwork — Collect evidence through document reviews, field observations, interviews, and data analysis. For SMKP audits, sampling techniques and source triangulation are essential components of the testing.
- Formulation of findings and recommendations — Analyze the gap between conditions and criteria, then compile findings along with practical recommendations for improvement.
- Reporting — Submit audit results reports to management, the audit committee, and—for SMKP audits—to regulators as required.
- Follow-up monitoring — Verifying the implementation of recommendations. This step is often overlooked, even though the value of an audit is only realized when findings are actually acted upon.
The regulator itself emphasizes that companies must immediately follow up on every audit recommendation as part of a culture of ongoing compliance.
Common Challenges and Solutions for Audit Digitalization
Despite the clear framework, mining internal audit practices face typical obstacles: scattered operations across islands, fragmented data across various units, manual paperwork documentation, and difficulty monitoring follow-up status in real-time.
These challenges slow the audit cycle and increase the risk of findings not being closed in a timely manner. The solution is to move to a centralized audit information system, which allows:
- Documented and traceable risk-based audit planning.
- Digital and collaborative management of audit working papers.
- Monitoring of findings status and follow-up in one dashboard.
- Consistent reporting for the needs of management, audit committees, and regulators.
Digitalization is also in line with the direction of data- and risk-based supervisory policies currently being pushed by regulators.
Frequently Asked Questions
Are all mining companies required to conduct internal audits?
Yes. Companies holding Mining Business Licenses (IUP), Special Mining Business Licenses (IUPK), Contracts of Work (KWork), Contract of Work (PKP2B), and Mining Business Licenses (IUJP) are required to implement SMKP and conduct an internal audit of its implementation at least once a year, in accordance with ESDM Ministerial Regulation No. 26 of 2018 and its derivative regulations.
What is the difference between internal audit and external audit in mining companies?
Internal audits are continuous and process-improvement oriented, covering operational, compliance, and risk aspects. External audits generally focus on independent opinions on financial statements or compliance verification by external parties, including SMKP verification by the Directorate General of Mineral and Coal.
Who can be an internal auditor of SMKP?
SMKP internal auditors are required to have relevant technical audit knowledge and experience, proven by an SMKP audit training certificate registered by the Chief Mining Inspector (KAIT).
What is risk-based internal audit (RBIA) in mining?
RBIA is an approach that focuses audit activities on the risks that most threaten a company's objectives. Audit priorities and depth are determined by the risk map and risk register, not just the calendar schedule.
What are the sanctions if a company does not carry out its SMKP audit obligations?
The sanctions are tiered, ranging from administrative warnings, temporary suspension of activities, to revocation of mining business permits, depending on the level of violation and applicable provisions.
Manage Your Mine Internal Audit Cycle More Scalably
The complexity of regulations, the breadth of scope, and the demands of risk-based oversight make manual management of internal audits increasingly inadequate. Audithink is here as an internal audit management platform which helps mining companies plan risk-based audits, manage working papers digitally, and monitor findings and follow-up in one centralized system—aligning with the compliance and governance demands of the mining sector.
Schedule a consultation with our team to see how Audithink can strengthen the internal audit function in your company. Or, explore platform features to understand how it works first.



