
Commission on Audit

INTEGRATED RESULTS AND RISK-BASED AUDIT MANUAL


(Funded by The World Bank IDF Grant No. TF 092158)

Planning
  Strategic Planning and Risk Identification
  Agency Audit Planning and Risk Assessment

Delivery
  Execution
  Conclusion and Reporting

Monitoring (Quality Control System)

SEPTEMBER 2011

TABLE OF CONTENTS

Introduction
Overview of IRRBAM

1. Strategic Planning and Risk Identification
  1.1 Perform Government Risk Identification
    1.1.1 Develop/Update the Government Risk Model
    1.1.2 Identify Government Risks
    1.1.3 Report the Results of GRI
  1.2 Conduct COA Strategic Planning

2. Agency Audit Planning and Risk Assessment
  2.1 Prepare Agency Audit Workstep
  2.2 Understand the Agency
  2.3 Identify Significant Agency Risks
    2.3.1 Update Agency Risk Model
    2.3.2 Identify Agency Risks
    2.3.3 Prioritize Significant Agency Risks
  2.4 Understand and Assess Agency-level Controls
  2.5 Understand the Process
    2.5.1 Identify Critical Path of the Processes
    2.5.2 Identify Process Risks
    2.5.3 Identify Impact
    2.5.4 Identify Existing Controls
  2.6 Conduct Audit Risk Assessment and Planning
    2.6.1 Financial and Compliance
    2.6.2 Performance
    2.6.3 Determine Audit Scope and Timing
    2.6.4 Determine need for specialized skills

3A. Execution
  3A.1 Design Audit Tests
  3A.2 Execute Audit Tests
  3A.3 Evaluate Audit Results
  3A.4 Communicate Audit Results
  Supplemental:
    3A-S1 Execution Financial & Compliance
    3A-S2 Execution Performance
    3A-S3 Sample Test of Control Working Paper
    3A-S4 Sample Substantive Test Audit Program

3B. Conclusion and Reporting
  3B.1 Summarize Audit Results
    3B.1.1 Prepare summary of audit results and recommendations
    3B.1.2 Discuss results of different types of audit conducted
  3B.2 Prepare Audit Report
  3B.3 Perform Overall Audit Review
    3B.3.1 Perform overall review and approval
    3B.3.2 Issue report
  3B.4 Wrap-up and Archive the Engagement
  3B.5 Follow-up Agency Action Plan

4. Monitor quality control on audit services

Last updated: March 2011
Version: 00-01/2011/v1

FORMS AND TEMPLATES

1. Strategic Planning and Risk Identification
  Form 01-01 Government Risk Model (GRM)
  Form 01-02 Government Risk Identification Template (GRIT)

2. Agency Audit Planning and Risk Assessment
  Form 02-01 Agency Audit Workstep
  Form 02-02 Understanding the Agency (UTA) Template
  Form 02-03 Agency Risk Model (ARM)
  Form 02-04 Agency Risk Identification (AgRI) Matrix
  Form 02-05 Agency-level Control Checklist (ALCC)
  Form 02-06 Process-Risk-Control (PRC) Matrix
  Form 02-07 Audit Risk Assessment and Planning (ARAP) Tool

3A. Delivery: Execution
  Form 03A-01 Audit Test Summary (ATS)

3B. Delivery: Conclusion and Reporting
  Form 03B-01 Summary of Audit Results and Recommendations (SARR)
  Form 03B-02 Quality Inspection Tool (QIT)
  Form 03B-03 Agency Action Plan (AAP)
  Form 03B-04 Action Plan Monitoring Tool (APMT)

Last updated: March 2011
Version: 00-02/2011/v1

Introduction

The services provided by the Commission on Audit, as a Constitutional Body and as the country's Supreme Audit Institution, are critical to meeting the utmost expectations of the public. The evolution of audit approaches and the revision and emergence of old and new laws, rules and regulations necessitate a more integrated and holistic approach in the conduct of COA's audit services.

In this regard, the Philippine Government entered into a contractual agreement with the International Bank for Reconstruction and Development (World Bank) for a grant (IDF Grant TF092158) to improve the effectiveness and efficiency of the COA in its audit of government revenues and expenditures through the development and adoption of a results-based integrated audit methodology that will focus on the outputs and outcomes of public expenditures, using a risk-based approach.

As early as 2003, COA had already introduced the risk-based approach in the conduct of its audit services. Various risk-based manuals have been developed, such as the Government-wide and Sectoral Performance Audit (GWSPA) Manual, the Risk-based Audit Approach (RBAA) Manual and the Risk-based Financial Audit Manual (RBFAM).

A significant addition in this manual is the inclusion of the Organizational Performance Indicators Framework of the Department of Budget and Management to support the Government's Public Finance Management (PFM) reform agenda. This will be introduced in this manual to complement the results-based evaluation of the projected and actual outputs and outcomes of programs, activities and projects of government agencies that will focus on the role of public audit in promoting increased accountability and transparency to improve capacity in the overall governance framework of the Philippines.

This Integrated Results and Risk-based Audit Manual aims to integrate the different COA audit services, such as Financial and Compliance Audit; Agency-based Performance Audit; Government-wide and Sectoral Performance Audit; and Fraud Audit, into a common audit approach. The IRRBA approach will provide a consistent set of processes that will guide the COA auditors in performing COA's audit services. The "silo" approach in the conduct of the audit will be addressed by introducing linkages between each type of audit and its results for more effective service delivery.

Last updated: March 2011
Version: 00-03/2011/v1


Overview

Government auditing plays a vital role in public sector governance through its oversight, insight and foresight responsibilities. Government auditors help the government achieve accountability and integrity, improve operations, and instill confidence among citizens and stakeholders.

The Commission on Audit, mandated to be the country's Supreme Audit Institution by Article IX-D of the 1987 Philippine Constitution, plays a significant role in public sector governance. This mandate gives the COA the responsibility to serve as the check and balance in the use of public funds; to become part of the development of sound financial management; to examine the proper execution of administrative activities; and to provide information to public authorities and the general public through the publication of objective reports.

This manual will discuss the COA's fulfillment of its role in the country's public governance through the delivery of the following audit services:

Comprehensive Audit
  - Financial and Compliance
  - Agency-based Performance Audit
Government-wide and Sectoral Performance Audit (GWSPA)
Fraud Audit

The need for an Integrated-Results and Risk-based Audit

Integration is defined in this manual as the establishment of a common public sector audit approach and a consistent set of audit processes that reduce redundant activities, eliminate duplication in the audit of an agency and drive down resource costs by identifying opportunities to create efficiencies and by streamlining public sector audit processes, to allow the delivery of comprehensive attestation and advisory audit services.

The Commission has long been implementing risk-based audit in the conduct of its audit services. However, to meet the evolving developments in public governance's expenditure management, the COA shall incorporate the results-based approach in its audit.

Last updated: March 2011
Version: 00-04/2011/v1


Organizational Performance Indicator Framework (OPIF)

The Organizational Performance Indicator Framework (OPIF) is one of the two reform components of the Public Expenditure Management (PEM) being implemented by the government. The reform is being headed by the Department of Budget and Management (DBM) in coordination with other oversight agencies such as the COA and the National Economic and Development Authority (NEDA).

OPIF is an expenditure management approach that links public resources to results and accounts for performance. This approach guides agencies to focus their efforts and public resources on core functions and on delivering high-impact activities at reasonable cost and quality. The role of the COA is to assess the agency's performance through indicators that are initially set to account for accomplishments based on pre-determined targets and measures.

Linkage of COA's audit services

The diagram below shows how COA's audit services are linked to the different audit services, as well as to the country's Public Expenditure Management reform, the OPIF.

[Diagram 1: Overview of COA's audit services. Agency level: Regularity (Financial and Compliance Audit); Agency-based Value For Money Audit (Economy, Efficiency, Effectiveness). Inter-agency level (linkage with other government agencies): Government-wide and Sectoral Performance Audit (GWSPA) (Impact). Elements: Resource, Inputs, Processes, Outputs, Outcome. Performance Indicator: Budget Legislation; Enacted Budget, Other Inputs; Programs, Activities, Projects; Major Final Outputs; Organizational Outcome; Sector Goals, Societal Goals.]


The diagram depicts the different audit services provided by the Commission:

Comprehensive Audit

  Financial Audit: This type of audit seeks to determine the accuracy of the data contained in the financial statements and reports of the agency, including the reliable recording and reporting of historical financial information.

  Compliance Audit: Compliance audit seeks to ensure that public funds are obtained and used in accordance with law and propriety, as well as to determine whether the accountable agency has properly discharged its responsibilities in a legal and ethical manner.

  Agency-based Performance Audit: This audit examines the economy, efficiency and effectiveness of an agency in using its public resources.

Government-wide and Sectoral Performance Audit (GWSPA): This type of audit deals with determining the economy, efficiency and effectiveness of publicly funded projects, activities and programs among different agencies.

The diagram shows the focus of the different audit services provided by the COA by differentiating the elements of an agency's process. Each element (resource, input, process, output, outcome and impact) is interrelated and plays a significant role in an agency and the government as a whole.

The COA's results-based approach will be used in assessing an agency's performance indicators indicated in its OPIF. The OPIF element in an agency's logframe can be traced to its processes, which will be taken into account during the conduct of the audit.

Although not mentioned in the diagram, auditors shall be aware of any possible fraud indications which may arise during the course of the audits conducted. Fraud audit shall always be embedded in the delivery of the COA's audit services.


The role of OPIF in public sector performance audit


Introduction

The starting point in the performance audit planning process is selecting the right scope for audit from the multitude of government activities. This is a multifaceted and demanding exercise that requires good knowledge of the government agency's business or sector of action and how it contributes to government's strategic ends. It is, however, one of the most essential steps in the process. If the breadth and depth of audit fail to address the government's major final outputs and outcomes, all the audit effort that follows will have little chance of generating better managed government programs, better state accountability to the public and an ethical and effective public service.

The Organizational Performance Indicator Framework, or OPIF, sets out a structure that provides an important compass in deciding the content and substance of performance audit. As its name suggests, OPIF is a systematic approach to planning that seeks to align the tasks government agencies are funded to do (i.e., the goods and/or services they provide to external consumers or end-users) with the desired outcomes, objectives or goals that the government hopes to achieve or influence in critical societal areas such as health, education, economic well-being, law and order, and environmental sustainability.

The audit planning process involves several layers of activity that interrelate with OPIF in a complex manner before an audit begins. These include the recognition of external trends and strategic risks facing government instrumentalities; the defining of output or product lines, functional areas and sectors to be reviewed over time; and the choice of agency programs or activities to be examined. Typically, these are driven by the relevance of performance audit to the government agency's mandate, the major risks associated with the agency's mission, and auditability (or inability to carry out the audit, as in the case of societal outcomes where suitable criteria are not available to assess performance).

Risk-based audit planning is emphasized at the outset because of the crucial role it plays in ascertaining how well a government agency is responding to key challenges, opportunities and critical success factors that shape the accomplishment of government objectives and the discharge of stewardship responsibilities for public resources and assets.

Last updated: March 2011
Version: 00-05/2011/v1


Outcome orientation: twinning of performance audit and OPIF

In the past, many audits were driven by control and process concerns rather than added-value considerations in assessing public sector performance. However, the current trend is toward a more outcome-based audit. The need of government to achieve more concrete results in societal goals such as poverty reduction, full employment and education for all has, in recent years, shifted the emphasis of public sector audit toward paying more attention to results. Regardless of whether the scope of the audit is a program, an operation, a system or a control, a focus on results is being maintained, if somewhat unsystematically. The relationship of the agency's agenda to the desired ends is increasingly becoming indispensable to the auditor's learning curve.

Performance auditing by nature is not a regular audit with "by the book" opinions. The auditor might not have to confront a traditional, rule-bound situation. Performance audit is wide-ranging, operating from a quite different knowledge base to that of traditional auditing. This type of audit looks at the outputs or outcomes first and avoids conducting an initial scrutiny of the details of the methods or processes. Of course, this presumes that indicators are on hand to gauge the quality, quantity and cost of the outputs. If the auditor finds the result to be all right, serious flaws in the design or implementation of the activity or process are discounted, making the entire audit procedure more cost-effective. It is only when the result is substandard that controls are examined to pinpoint what is troubling the system.

The greater challenge for performance audit occurs when it has to delve into policy questions. Auditors must understand policies amenable to audit effectively, and results-oriented auditing inevitably brings performance auditing closer to policy matters. They must have the expertise to check (1) whether agency practices comply with policy expectations (for example, extent of compliance with enacted policy on service standards); (2) the sufficiency of the agency's cost-benefit analysis on which a policy or program is based; (3) opportunities to fill policy gaps (for example, the need for a government-wide policy on emergency preparedness); and (4) the need to update or improve existing policy (for example, the need for a new directive for national security).

A caveat is that it is generally accepted that performance audit should confine itself to examining policy and program implementation and not to throwing the development of policy into doubt (although auditors may evaluate the clarity of the grounds for setting the objectives). Note too that the risks of mandate concerns proportionately get bigger as policies get broader. It is easy enough for auditors to deal with departmental administrative policies (such as service delivery procedures), but the stakes grow larger when auditors tackle program policy goals (such as fisheries conservation policy, healthcare policy) as well as national policy goals (such as reducing poverty).

OPIF provides a good platform for auditors not to second-guess the strategic intentions of government when government selects a certain policy direction. Departments and agencies are now required to define results commitments in their corporate plans and to report goals and actual performance annually. These provide excellent points of reference for results-oriented auditing. The Department of Budget and Management, the implementor of OPIF, acts as the agent for government in negotiating performance contracts with the departments and agencies, to assist them in linking the goods and services that they deliver (the major final outputs, or MFOs) to the results they have committed to (organizational outcomes, sectoral and societal goals).

Indeed, the key features of OPIF embody a clear crossover between a results-oriented performance framework and a results-based audit perspective. These include: (1) a shift of emphasis in department/agency accountability towards outputs and results (outcomes) measured against performance indicators; (2) clarification of expected performance and accountability of departments/agencies through these results; (3) focus on the delivery of outputs relevant to the results/outcomes specified in agency mandates; (4) establishment of an integrated performance management system in which performance targets zero in on the efficiency of departments/agencies in delivering their MFOs; and (5) reporting to the public and to Congress in clear terms the outcomes achieved.

Both OPIF and performance audit deal mainly with questions such as: What has been the upshot of the agency's performance, and have the requirements or the objectives been fulfilled? In this approach, the inquiry centers on performance (concerning economy, efficiency, and effectiveness) and relates observations to the given norms (goals, objectives, regulations and so on). To be sure, there is a striking parallel between what they strive for, as indicated in the following table:

Performance Audit
  Economy - minimizing the cost of resources used for an activity, having regard to appropriate quality
  Efficiency - producing similar results with fewer resources or better results with the same resources
  Effectiveness - achieving the stipulated aims or objectives by the means employed and the outputs produced

OPIF
  Fiscal discipline - living within the means (resources) available to the Government
  Allocative efficiency - spending money on the right things or right priorities
  Operational efficiency - obtaining the best value for the money or resources available
  Effectiveness - success of process and outputs in delivering societal and sectoral changes


At the very basic level, performance auditing has been mainly concerned with different aspects of the economy or the efficiency of operations of agencies. Auditors try to answer the question "Are things being done in the right way?", that is, whether policy decisions are being carried out properly. This question often partakes of a normative outlook, i.e., the auditor wants to know whether government officials have observed the rules or the requirements.

Audits of economy may provide answers to questions such as: Do the means chosen or the equipment obtained (the inputs) represent the most economical use of public funds, consistent with the quality needs of the program? Have the human, financial or material resources been used cost-effectively? Are the management activities performed in accordance with sound administrative principles, contract requirements, acceptable standards, and good management policies? In short, has the agency kept the costs low?

Audits of efficiency answer the question whether agency resources have been put to optimal or suitable use or whether identical results in terms of quality and turn-around time could have been achieved with fewer resources. Auditors examine productivity, unit cost, or indicators such as utilization rates, backlogs and service wait times. In short, has the agency made the most of available resources?

The OPIF approach to performance management displays the same adherence to efficiency and economy. The focus is on allocative efficiency (in terms of national and sector goals and organizational outcomes) in the execution of the budget, but also on the operational efficiency of departments/agencies in the provision of services (and, in some cases, goods) for the purpose of achieving the desired government goals and outcomes. Sound OPIF-based management means that the responsible authority will promote the optimal use of resources to achieve intended outcomes with the lowest possible costs.

The scope for analysis becomes considerably wider when a second-order question, whether the right things are being done, is asked. This line of inquiry refers to effectiveness or impact on society: whether the adopted policies have been suitably put into service or whether ample means have been utilized to achieve the predetermined aims. There are two parts to the issue of effectiveness: whether the policy objectives have been achieved, and whether the impacts observed are really the upshot of the policy rather than other circumstances. It is here where a chosen measure to achieve a certain objective runs the risk of being contested. Effectiveness audits are also on the lookout for unintended consequences or spillover effects (such as environmental degradation resulting from economic policy). The figure below indicates how audit perspectives enter into an effectiveness model.


In assessing effectiveness, performance auditing may ask whether (1) government programs have been effectively designed, and whether the means provided (legal, financial and so on) are proper, consistent, suitable, or relevant; (2) the program supplements, duplicates, overlaps, or counteracts other related programs; (3) the quality of the public services meets the public's expectations or the stipulated objectives; (4) the system for measuring, monitoring and reporting is adequate; (5) the observed direct or indirect social, economic and environmental impacts of a policy are due to other causes; and (6) alternative approaches can yield better performance or eliminate factors that inhibit program effectiveness.

OPIF effectiveness measures rest on the same underpinnings as those of performance audit. OPIF seeks to measure the effectiveness of the agency's outputs in delivering societal and sectoral changes. OPIF measures of effectiveness (as well as of efficiency and economy) begin as part of a budget proposal, and attain official standing or legislative base once the government budget is passed by Congress. Once they reach this stage, government agencies can prepare a blueprint of how these criteria will be used when policy goals, programs and projects are implemented.

Thus the concept of a results-oriented approach applies irrespective of whether it is used by OPIF or performance audit. Both follow the same input-throughput-output-outcome cycle illustrated below.


Finally, both performance audit and OPIF allow for scrutiny and planning across government departments, which should be the case since public sector activities and projects often cross agency lines. Inquiring into the activity or project as a whole is in general more useful than dwelling on a slice of action carried out by a specific agency. The types of performance audits are (1) agency or program audits, which provide a substantive review of the whole or part of the operations of a department or agency; (2) government-wide audits, which focus on cross-sectional issues or functional areas, such as procurement, in a number of departments; and (3) sectoral audits, which focus on program areas delivered by a number of agencies, for example, disaster mitigation operations. In a similar vein, OPIF is carried out singularly in specific agencies, or jointly across sectors (e.g., education, health, agriculture, science and technology).

Understanding the agency

Each audit should be based on a thorough understanding of the audited agency, and the environment in which it operates, as it relates to the audit assignment. Performance audit begins by having a good grasp of department/agency objectives, expected results and stewardship responsibilities. The audit team then identifies the major threats and opportunities that may affect the agency or entities within a functional area. Prior to starting field work, a process of setting priorities, developing strategic and long-range plans, submitting audit proposals, rationalizing resources and assessing anticipated audit worth should take place.

Regardless of the size and nature of the subject, it is important for the audit team to understand the big picture. Generating audit conclusions or reporting failings without this overall familiarity may result in sterile audit work or ambiguous and confusing findings. A first-round knowledge of the agency forms a reasonable basis for believing that the audit can be completed in accordance with the performance audit policies.

An agency analysis framework will be required. An environmental scan to identify external trends and long-term risks and challenges that the agency faces will kick this off. All agencies operate against a background of broad external forces that influence their operations in substantial ways. These forces affect not just the agency, but also the public and its resources. Some examples are (1) economic trends that include recession, inflation, unemployment, and unfair trade practices; (2) political and regulatory factors that involve world trade agreements, government subsidy programs, and political instability; (3) demographic patterns that dictate the characteristics of the work force and the demand preferences of the public (e.g., an aging population affects demand for healthcare); (4) technological advances that lead to dramatic changes in the way things are done, such as computerization and the internet; (5) social/cultural changes that affect the way people live, work and behave (e.g., more women in the workplace, concerns about drug abuse); and (6) ecological concerns about acid rain, global warming, recycling and waste management that can lead to substantial changes in the way agencies operate.

The audit team should have up-to-date knowledge of significant legislative authorities; organizational arrangements; the bureaucratic environment in which the entity operates; key personnel; spending levels and revenues; the entity's clients; major operations, including in the field; the accountability arrangements; the major control systems; major risks facing the entity; and prior deficiencies/known weaknesses.

How are the OPIF elements incorporated in understanding the agency? First, it is necessary to check whether the OPIF logical framework will match up with an agency program structure, otherwise known as a program accountability model.


It is easy to see from the above figure that the OPIF framework elements have corresponding components in the program accountability model. A comparison of the building blocks of the two models, shown in the table below, illustrates how well-matched they are. Auditors will not have to search far and wide to understand the workings of an OPIF-based agency.

OPIF Logical Framework
  Societal goal: describes the intended desirable impacts of the department/agency's goods and services on the country, the environment or the economy. As end-points to be aimed for, they represent the high-level vision the Government has for the country.
  Sectoral goals: the longer-term benefits for the sector from organizational changes.
  Organizational outcomes: benefits to the community that result from the department/agency's provision of goods or services.
  Major final outputs: the products (goods and services) the department/agency delivers to external clients.
  PAPs: programs, activities and projects that are necessary undertakings pursued by departments/agencies to be able to deliver the goods, products or services.

Program Accountability Model
  Impacts, or effects: refer to all the consequences of the program, whether intended or unintended.
  Outcomes: intended consequences of producing or delivering the goods or services; ranked from the immediate to the ultimate.
  Outputs: refer to the products or services produced or delivered by the program.
  Activities: a collection of activities directed to achieving the program's objectives.

In performance audit, the audit team checks if there is a logical link between the activities undertaken, the output and the program objectives and other effects. They also ascertain whether the agency is clear on what the expected outputs are (the MFOs in OPIF terms) and whether performance indicators are available for guiding the audit.

Similarly, within OPIF, the building blocks are viewed in a sequence or chain, leading from activities and processes to long-term goals such as poverty reduction. Each result in the chain is a link and is joined to other results in the chain by causality. The chain starts with projects, activities and programs (PAPs), and moves through MFOs to outcomes and finally to higher-level goals at the sectoral and societal levels. The Medium-Term Philippine Development Plan (MTPDP) defines the societal goals and sectoral goals, providing an overarching structure for the OPIF logframe. The diagram below shows the linkage between these different levels.

The key level for OPIF is the MFO level. MFOs are tangible and can be more easily quantified as compared to outcomes and goals. Each of the other levels can be defined in relation to MFOs: activities are how MFOs are produced; outcomes and higher-level goals are the reason or why MFOs are produced; and for the MFOs themselves, there is a need to know what is produced and for whom. Measuring the marginal contribution that an MFO makes toward improving societal welfare (reduced poverty incidence and improved quality of life) is a critical element of strategic budgeting and the development of the MTPDP. The OPIF logframe of the Department of Agrarian Reform (shown on next page) is an example of a well-formulated results-based framework.

The OPIF process can assist performance audit through the following:

1. Review of the department/agency mandates and functions and articulation of the organizational outcomes or results of the department/agency.
2. Identifying the links between the department/agency's organizational outcomes and the higher government objectives (sectoral and societal goals) enunciated in the MTPDP, government priorities, sectoral policies and so on.
3. Documenting the MFOs and organizational outcomes in a framework that shows the linkages between resource inputs, the programs, activities and projects that the department/agency implements to produce its MFOs, and the organizational outcomes for which it is mandated.
4. Identification of performance indicators (PIs) with performance measures (targets) for each MFO. These PIs are the major means by which the department/agency can track progress and will be held accountable to the government as a whole, the Congress, the general public and other stakeholders. There are four classes of PIs:
   Quantity: indicates the volume of service (output) delivered during a given period of time
   Quality: indicates how well the service (output) is delivered
   Timeliness: indicates the rate at which service (output) is delivered
   Cost: indicates the amount of input used to produce the service (output)


[Figure: OPIF logframe of the Department of Agrarian Reform]


The following chart would be of immense help to auditors in pinpointing the agency's extent of control and accountability over each activity/output level.

Under the OPIF process, each agency constructs a corporate plan that details the operating environment, business conditions and planned process improvements for delivering MFOs and sub-outputs.

Since the MFOs are the lynchpin of the OPIF framework, it is essential to say a few more words about them, in a way that would make clear their critical importance to understanding the audited agency. MFOs can be defined relative to the outcomes that they contribute to the client or community group that they serve and the business lines or functional business unit of the department/agency. To derive the MFOs, the department/agency should ask: What outputs are we providing to external clients to achieve our mandate (organizational outcomes)?

MFOs may reflect delivery of saleable products, provision of policy advice or other advisory services, regulatory services, case management services, and government provision of services not readily available in the market place. They may include goods and services delivered through outsourcing.

Each MFO should reflect a core output, deliverable or business line of the department/agency and will typically comprise a grouping of PAPs undertaken with a common outcome in mind. This grouping of PAPs should also help the department/agency to assess whether it is providing the right
services (or mix of services) to achieve the organizational outcomes. It is intended that, in due course, the department/agency budgets will be appropriated at MFO level.

Following are examples of MFOs:
1. DOF - Fiscal policies (domestic and international), plans and programs; cash and debt management services; anti-corruption in public finance management, anti-smuggling and tax evasion activities and exercise of regulatory power; policies, plans and programs for domestic financial and capital market development; policies, plans and programs for public sector debt management as well as risk management; policies, plans and programs for the government corporate sector as well as other government assets; policy oversight on LGUs' financial operations; administration of Locally-Sourced and ODA Funds for LGUs.
2. DOH - Health, nutrition and population policy and program development; capability building services for LGUs and other stakeholders; leveraging services for priority health programs; regulatory services for health products, devices, equipment and facilities; tertiary and other specialized health care.
3. DOT - Tourism promotional services; tourism development planning services; standards for tourism facilities and services; development, restoration and maintenance services, regulatory services.

The background knowledge that the auditors accumulate provides the basis for describing the agency that is the subject of audit, enabling them to make initial scoping decisions and defining lines of inquiry, such as those shown in the following figure.

This knowledge includes an understanding of the character of the government agency being audited (role and function, activities and processes in general, development trends), legislation and general programs and performance goals, organizational structure and accountability relationships, internal and external environment and the stakeholders, external constraints affecting program delivery, and management processes and resources.


An audit team with considerable experience in auditing the department or agency may have cumulative knowledge to satisfy these requirements without engaging in a formal overview stage. An in-depth perspective is required where a government-wide or sectoral audit is being carried out. In some cases, a survey may be conducted to come up with a broad-based appraisal of the operations subject to audit, without carrying out detailed verification.

The auditors gather information in order to fine-tune initial decisions about scope, cost, timing and skills, and to propose audit objectives, areas for in-depth review, criteria, and examination approach. In finalizing these decisions, the audit team designs an audit to reduce the risk of making erroneous observations, faulty conclusions and inappropriate recommendations in the report to correspond with the level of assurance provided by the audit work.

All things considered, the purpose of the scoping exercise is to allow the concentration of audit resources and effort on the areas that can have a significant impact on the performance and results of the subject being audited. Unrelenting attention by the auditor is needed to identify and focus the audit on the critical operations.

In using OPIF, the auditors must be aware of its limitations:

First, it is a work in progress. In view of the innovative nature of the OPIF system, which requires shifts in practices/procedures, knowledge/capacity and value-orientation of the implementers, changes in the current system cannot be done overnight.

Second, implementation is done through learning by doing. While the literature is replete with the available methodology
and tools for a performance and results-oriented system, capacity building can only be made more effective if the agency staff go through the actual process of implementing the system and learning from the lessons of experience.

Third, the OPIF system is homegrown and indigenized. Technical assistance from various sources has been provided to the government based on the experiences of countries that have adopted OPIF in their respective planning and budgeting processes. This technical assistance provided very valuable inputs in bringing OPIF to its status today. However, the technical inputs have to be adjusted to suit the domestic institutional conditions.

A word about risk management

An important device used in all phases of the planning process is risk assessment. Risk is defined as the probability that an event or action may harmfully affect the organization, such as exposure to financial failure, loss of reputation, or inability to deliver the program with economy, efficiency, cost-effectiveness or take into account the environmental implications.

Risk estimation requires the auditor to ask the following types of questions:
- What can go wrong?
- What is the probability of it going wrong?
- What are the consequences?
- Can the risk be minimized or controlled?

Can OPIF provide guidance and tools to assist auditors to identify and assess environmental issues and risks in their performance audit work? OPIF can point to the inherent risks in dealing with organizational outputs beyond the control of the agency (the susceptibility of the subject matter by its nature to significant error where there are no related controls). But an agency which is careless in applying OPIF to its operations may itself induce failure risk. The fact that OPIF is to be carried out through learning by doing raises significant risks in terms of timing and adequacy of results. Likewise, risk can attend the consequences of the public's perception of fairness and equitable treatment of citizens as agencies carry out MFOs. Changes in mandate occasioned by the introduction of new MFOs may increase the level of exposure to uncertainties. There is also the matter of process risk: OPIF requires a sometimes painful alignment with operation strategies and alternative delivery approaches.

On the other hand, a circumspectly crafted department/agency OPIF may prevent failure risk by avoiding redundant activities, nonessential undertakings, uncoordinated policy/program implementation, poor sector management, superfluous committees, and the politicization of the bureaucracy.


Recap: OPIF value-adding contribution to performance audit

OPIF should, where the opportunity arises, add value in a variety of ways, including:
- Helping auditors to respond effectively to changes in the way public services are organized and delivered, including identifying opportunities for worthwhile innovation;
- Providing new insights into the way an audited body manages its resources, delivers its programs, achieves its objectives and develops business opportunities, including how cost-effective improvements might be identified and achieved;
- Helping generate the audit framework, by providing a convenient way to ascertain the audit scope;
- Keeping audit costs in balance with the significance of the issues being examined;
- Taking account of the management circumstances and operational environment as well as the governance milieu;
- Sustaining an iterative planning process to maintain a focus on matters of significance and interest to decision-makers and Congress;
- Helping auditors to recognize institutional risks and to respond to them effectively;
- Contributing to new accounting systems by making clear what the auditors' requirements are; and
- Benchmarking and developing yardsticks, collating and distilling information, for example, on good practice from across ranges of public sector agencies.


Phase 1 Strategic Planning and Risk Identification

STRATEGIC PLANNING AND RISK IDENTIFICATION


[Diagram: Integrated Results and Risk-Based Audit Framework. Planning: Strategic Planning and Risk Identification; Agency Audit Planning and Risk Assessment. Delivery: Execution; Conclusion and Reporting. Monitoring (Quality Control System).]

Introduction

The complexity of today's public environment necessitates a more systematic, integrated and holistic approach to plan for the detection and management of the risks faced by government institutions. Thus, the mandate of COA to safeguard the transparency and accountability of the transactions of the government is getting more complicated.

This phase covers the first integration point wherein all COA audit services, namely Financial and Compliance Audit, Agency-based Performance Audit, Government-wide and Sectoral Performance Audit and Fraud Audit, will meet through a common strategic planning and risk identification process.

The succeeding topics will describe the strategic planning and risk identification processes and outputs of COA in relation to the conduct of its audit services. However, for purposes of illustration and functional relation, some items on COA's Annual Strategic Planning process will be referred to. Nevertheless, the steps provided in this manual will not supersede the processes defined in the Operations Manual of the Planning, Financial and Management Office (PFMO).

Last updated: March 2011; Version: 01-00/2011/v1


The following are the activities involved in this phase:
1.1 Perform Government Risk Identification (GRI)
1.1.1 Develop/Update the Government Risk Model (GRM)
1.1.2 Identify Government Risks
1.1.3 Report the results of Government Risk Identification (GRI)
1.2 Conduct COA Strategic Planning

Procedures

1.1 Perform Government Risk Identification


Risk is defined as the threat that an event, action or inaction will adversely affect the agency's ability to successfully achieve its mandate and objectives and execute its strategies. The Government is always faced with internal and external factors that may influence and make it uncertain whether and when it will achieve its objectives stated in the Medium-Term Philippine Development Plan (MTPDP) and State of the Nation Address (SONA) among others.

The Commission on Audit (COA), as the country's Supreme Audit Institution, shall independently identify the risks that the Government as a whole may face in achieving its objectives. This is to determine the focus areas which need to be prioritized given the limited resources. The results will also be an input in the determination of the appropriate audit strategies needed to be applied by COA for the allocation of resources appropriate for the audit services such as the people, skills, competence, processes and procedures.

The objectives of this activity are:
- to obtain high-level inputs from COA directors assigned in the audit of agencies representing the three audit sectors, regions and auditors performing Government-wide and Sectoral Performance Audit (GWSPA) and Fraud Audit;
- to have a common language of risk; and
- to have a unified thrust in government auditing.

This activity shall be conducted annually, supervised by the Assistant Commissioners and attended by directors from the following sectors/offices:
o National Government Sector (NGS)
o Corporate Government Sector (CGS)
o Local Government Sector (LGS)
o Regional Offices
o Special Audits Office (SAO)
o Information Technology Office (ITO)
o Technical Services Office (TSO)
o Fraud and Investigation Office (FAIO)

1.1.1 Develop/update the Government Risk Model

The Government Risk Model (GRM) is a framework consisting of risks categorized into groups that could threaten the government as a whole or the specific processes of the government. The GRM includes a definition of each risk to have a common understanding of risks. The GRM, populated with a list of government risks, is the foundation for conducting Government Risk Identification. It shall be developed to facilitate the identification of risks faced by the government as a whole.

Risks are categorized as follows:
- Strategic risk: arises when forces in the environment could significantly change the fundamentals that drive the government's overall social and/or operating objectives, strategies and, in the extreme, result in failure of the Government's operations.
- Operation risk: risks that operations are inefficient and ineffective in executing the government's operating model, satisfying the public, and achieving the government's quality, cost and time performance objectives. This arises when operation processes:
  o Are not clearly defined
  o Are poorly aligned with the agency's strategies, goals and objectives
  o Are not performed effectively and efficiently in satisfying the public
  o Expose significant financial, physical and intellectual resources to unacceptable losses, risk taking, misappropriation or misuse
- Financial risk: risk that cash flows and financial risks are not managed cost-effectively to: (a) maximize cash availability; (b) reduce uncertainty of currency, interest rate, and other financial risks; or (c) move cash funds quickly and without loss of value to wherever they are needed most. It also includes risks that government agencies face when misleading financial information becomes the basis for decision making by the governing management.
- Compliance risk: non-compliance with prescribed policies and procedures or laws and regulations resulting in lower quality, higher execution costs, lost revenues, unnecessary delays, penalties, fines and so on.


Government Risk Model

COA directors representing the three audit sectors, regions, SAO, TSO, ITO, and FAIO shall identify and define risks inherent to their sector/region to develop a comprehensive list of government risks and have a common understanding of risks within the COA. Presented below (Diagram 1.1) is a sample of the GRM.

Strategic: Planning and resource allocation; Organizational structure; Strategic planning; Operational planning; Budgeting; Forecasting; Resource allocation; Capital/fund availability; Operational model; Operational portfolio; Outsourcing; Major initiatives; Vision and direction; Planning and execution; Measurement and monitoring; Technology implementation; Project evaluation; Change readiness; Climate change and sustainability initiatives; Education; Healthcare services delivery; Energy and water management (supply/distribution)

Operations: Public service and operations; Customer/public satisfaction; Channel effectiveness; Cycle time; Service failure; Efficiency; Capacity; Performance measure/gap; Partnering/contracting; Citizen relationship management system and organization; Corruption and fraud; People; Culture; Recruiting and retention; Development and performance; Succession planning; Knowledge capital; Compensation and benefits; Performance incentives; Health and safety; Information technology; Information management; Security/access; Availability/continuity; Integrity; Infrastructure

Compliance: Mandate; Functions; Governance; Board performance/Agency Management Committee; Tone at the top; Authority/limit; Control environment; Corporate social responsibility; Reputation; Code of conduct; Ethics; Fraud; Employee/third party fraud; Illegal acts; Management fraud; Unauthorized use; Legal; Contract; Liability; Intellectual property; Anticorruption; Legal

Financial: Market; Interest rate; Foreign currency; Commodity; Financial instrument; Public policies; Debt and fiscal policy; Liquidity and credit; Cash management; Opportunity cost; Funding; Hedging; Credit and collections; Insurance; Foreign assisted loan; Accounting and reporting; Accounting, reporting and disclosure; Internal control; Investment evaluation; Tax strategy and planning

Diagram 1.1 Sample GRM

The GRM shall be revisited at least annually and updated/revised regularly or as required to reflect changes in government risks brought about by the changing environment and current events. The GRM shall be used as one of the inputs in identifying government risks.

Documentation

Form 01-01 Government Risk Model (GRM) documents all the identified government risks and their corresponding definitions.


1.1.2 Identify government risks

Risk identification is the process of finding, recognizing, and describing risks. It involves the identification of risk sources, events, their causes and their potential consequences. The fundamental principle of a risk-based audit is to identify risks and focus the audit on those areas which may have a significant effect on the achievement of the government's objectives.

As the country's Supreme Audit Institution, it is imperative for the Commission to identify risks which may hinder the government as a whole to achieve its objectives. Identification of government risks shall be conducted by the COA to determine the areas needed to be focused in their audit activities. This is an input to the development of the Commission's overall audit focus areas during the Annual Strategic Planning.

Identification of government risks is done by the COA as an auditor and is independent from the management of the government and its agencies. Any risk assessment as part of the risk management process which will be carried out by the COA as an agency is distinct and separate from this activity. At the same time, the results of the COA's risk identification cannot be considered as a substitute for the government's or agency management's own risk assessment process.

Identification of government risks shall be conducted annually. This activity can be done through workshops, surveys or interviews. In any case, this activity shall be supervised by the Assistant Commissioners and attended by directors from the following sectors/offices:
o National Government Sector (NGS)
o Corporate Government Sector (CGS)
o Local Government Sector (LGS)
o Regional Offices
o Special Audits Office (SAO)
o Information Technology Office (ITO)
o Technical Services Office (TSO)
o Fraud and Investigation Office (FAIO)

This activity is conducted to have an over-all consideration of risks of the government as a whole. As an agency that is mandated to look at the transparency and accountability as well as to recommend measures to improve the efficiency and effectiveness of government operations, the COA shall have a unified approach and same risk language in identifying the exposures of the government. This is the first integration point of different audit services performed by the COA.


Identification of government risks should not be done on a silo approach. This activity will be conducted in order to identify risks or potential issues that may cut across different government agencies. Inputs of each audit sector are therefore relevant to capture the real risk scenarios of the government as a whole.

Linkage of government objectives and initiatives, risks and agencies

Diagram 1.2 - Linkage of objectives and initiatives, risks and agencies

Identifying risks in government objectives and initiatives

Understanding the objectives of the government is the first step in this process. After the objectives have been substantiated, risks that may hinder the achievement of the set objectives shall be identified. In identifying government risks, the COA should identify sources of risks, areas of impacts, events, causes and potential consequences. This is to generate a list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives.

The following shall be used as inputs in identifying government risks:
o SONA
o MTPDP
o Medium-Term Public Investment Program (MTPIP)
o GRM
o Previous AARs
o Sector risks
o Media releases and media reports
o Fraud and geographic risks
o Government-wide and sectoral programs and activities
o Knowledge of the auditors

Risk analysis involves considering the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur. Factors that affect consequences and likelihood should be identified. Risk is analyzed by determining consequences and their likelihood, and other attributes of the risk. An event can have multiple consequences and can affect multiple objectives. Risks are evaluated and prioritized based on the outcomes of risk analysis.
[Diagram 1.3 Risk Identification Process Flow. Inputs (SONA, MTPDP and MTPIP; media releases and reporting; knowledge and prior audit reports; COA direction/SSAP; fraud and geographic risks; GRM; industry/sector risks) feed the step "Identify Government Risks", after which risks are linked to agencies/programs/activities. Examples shown: Department of Public Works and Highways; Metropolitan Waterworks and Sewerage System; City Government of Navotas; hunger mitigation program; health sector development project.]

Risks on fraud covered by FAIO and government programs/activities under the scope of Government-wide and Sectoral Performance Audit (GWSPA) covered by SAO shall also be considered in this activity. Government Risk Identification, based on the results, may result directly in the identification of fraud audits and/or GWSPAs.


In this activity, the participants may identify potential GWSPAs. SAO shall also recommend government programs and activities to be subjected to GWSPA. Potential GWSPAs shall be analyzed and evaluated.

Locate identified government risks to affected agency and its programs/activities

After the risks have been identified for a particular government objective, the COA shall now locate these risks with the concerned agencies and the related processes, programs, activities or projects. Form 01-02 Government Risk Identification Template (GRIT) is prepared to plot the key government risks and the affected agencies including processes, programs, activities or projects. Diagram 1.8 below illustrates the linking of risks to processes.
[Diagram 1.4 Linkage of risks to processes. Key government risks (example: Compliance, with Legal, Intellectual property, Liability, Contract, Anticorruption, Legal) are linked to government agencies within the cluster (examples: Department of Public Works and Highways; Department of Transportation and Communication), which are in turn linked to government processes/programs/activities (example: Procurement Process).]

Fraud audit and GWSPA

For key government risks that resulted directly in the identification of fraud audits and GWSPAs (as risk response or planned action), FAIO and SAO shall perform the audits following the guidelines set forth in their respective manuals (Fraud Audit Manual and GWSPA Manual).

Documentation

The results of this activity shall be documented in Form 01-02 Government Risk Identification Template (GRIT).


1.1.3 Report the results of Government Risk Identification

The COA shall ensure that the results of the government risk identification will be presented to and approved by the Assistant Commissioners and Commission Proper, and distributed to concerned sectors/offices who participated in this activity. The report on the results of GRI contains/documents the GRIT and the minutes of the GRI activity.

The results of this activity shall be cascaded down to the concerned sectors, clusters, audit groups through the COA Strategic Planning process. The results will also be an input to the Agency Audit Planning and Risk Assessment Phase (refer to phase 2 of the manual).

1.2 Conduct COA Strategic Planning


This section covers the COA Strategic Planning conducted annually. The elements and processes described here are captured from the PFMO manual to show the linkage of Strategic Planning of the COA as an agency to the IRRBA's Strategic Planning and Risk Identification of the COA as an auditor. The IRRBA Manual does not supersede any activity presented in the PFMO Operations Manual.

Strategic planning is an essential element in the development of an IRRBA approach. A long-term perspective for the audit services may be provided by this process. Likewise, it supports efforts to allocate resources properly and drives the implementation of the COA's audit objectives and priorities.

Strategic Planning process

Strategic planning is an iterative and never-ending process. The COA shall continuously set goals, values and objectives aligned to its mandate and monitor its progress all throughout the year. Each element of the planning process cannot stand alone and must be linked with other elements to fully achieve its objective.

The following are some of the Strategic Planning models used by other organizations. There is however no perfect strategic planning model for a specific Supreme Audit Institution. It is still the management's responsibility to select and ensure a model that is tailor-fitted to the needs and culture of the COA.


Basic Strategic Planning

Basic strategic planning starts with the identification of the organization's purpose or mission statement. Goals will then be established to define what an organization needs to accomplish to meet its purpose or mission, and address major issues facing the organization. After the mission statement and goals have been identified, specific approaches or strategies will be set. Strategies often change the most as the organization eventually conducts more robust strategic planning. Specific action plans will then be based on the strategies identified. These are the specific activities set out for each major sector or department. Then, regular monitoring and update of the plans are performed as the year progresses.

Goal-based/Issue-based Planning

The processes are almost the same as in the Basic Strategic Planning model except that the organization conducts an assessment of its Strengths, Weaknesses, Opportunities and Threats (SWOT).

Scenario Planning

This model, as the title implies, relates factors which might influence the organization such as: new standards; laws, rules and regulations; economic downturns; and natural disasters. Each possible change in circumstance or scenario will be provided with strategies.

Alignment Planning

The alignment model ensures strong alignment among the organization's mission and resources to effectively deliver the services. This model focuses on the adjustments to be made to fine-tune the strategies needed to align with the organization's mission, programs, resources and needed support.

Self-Organizing/Traditional Planning

These are often linear in nature, e.g. general-to-specific, cause-and-effect. Typically, the organization starts the planning process with the SWOT Analysis, then prioritizes issues which will be provided with specific strategies.

Seeking consultation and interaction among the participants during the planning process is significant. Concurrence shall be obtained not just on the outcomes of development but also on the strategies and tradeoffs needed in establishing the level of the COA audit services to be provided.


Reasons for Planning

The following are some of the reasons for the strategic planning process:
- It is a requirement of the auditing standards
- It is a guide for the achievement of the audit objectives
- It is a tool used to monitor an organization's progress
- It measures accomplishment
- It provides control over activities
- It assigns responsibility and accountability

Benefits of Strategic Planning

Strategic planning provides benefits such as:
- Clearly define the purpose of the organization and to establish realistic goals and objectives consistent with that mission in a defined time frame within the organization's capacity for implementation.
- Serves as a communication tool to disseminate the organization's goals and objectives
- Assigns ownership of action plans and strategies
- Utilizes resources by focusing on the key priorities
- Provides a measuring tool for the performance and progress of each segment

Elements of a strategic plan

Development of strategic plan requires consideration of values and priorities. The plan should reflect the needs of the COA as a whole in response to its mandated functions.
- Key message from the Commission Proper
- Mission
- Vision
- Goals
- Strategic thrusts
- Key national programs and the entities responsible
- Monitoring process
- Review and communication

In any case, plans must be adaptable and flexible in response to a changing environment. Assessment on the capacity and resources shall also be regularly done to determine any needs for adjustment on the plans set.


Timing

Ideally, the strategic planning process should be conducted at least once a year in order to be ready for the coming year. This includes identification of the organizational goals to be achieved at least over the coming fiscal year, resources needed to achieve those goals, and funding needed to obtain the resources.

Linkage of COA's Annual Strategic Planning process with IRRBA

The diagram below shows the linkage of the COA's Annual Strategic Planning Process with the Strategic Planning and Risk Identification phase of the IRRBA approach. The previous activity, Government Risk Identification, will be an input in the Annual Strategic Planning of COA to determine the focus areas of the audit sectors. The GRIT, as accomplished by the COA Directors and approved by the Assistant Commissioners, will be cascaded as an attachment to the Sector Strategic Action Plan (SSAP) and Cluster/Regional Operation Plan (COP/ROP) of the audit sectors. The results of the COA's Annual Strategic Planning process specific to the conduct of the audit services will be an input in Phase 2 of the IRRBA methodology, Agency Audit Planning and Risk Assessment.

Diagram 1.5 Linkage of COA's Annual Strategic Planning process with IRR


Policy and Standard

| Policy/Standard | Description |
|---|---|
| ISSAI 100 | Basic principles in Government Auditing |
| ISSAI 200 | General standards in government auditing and standards with ethical significance |
| ISSAI 300 | Field standards in government auditing |
| ISSAI 1300 | Financial audit guideline - Planning an audit of financial statements |
| INTOSAI GOV 9130 | Guidelines for internal control standards for the public sector - Further information on entity risk management |
| ISO/FDIS 31000:2009 | Risk management - Principles and guidelines |
| COA Memorandum No. 79-205 | Reiteration of unnumbered COA Memorandum dated May 8, 1978 re: Alignment/Coordination of all Projects/Programs of COA offices/Committees by the Planning, Financial & Management Office July 6, 1979 |
| COA Memorandum No. 95-051 | Preparation of a Consolidated Annual Report (CAAR) by Region and by Department |
| COA Resolution No. 2008-012 | 2008 COA Organization Restructuring |
| COA Memorandum No. 2009-028 | Implementing guidelines on audit operations under the 2008 COA organizational restructuring |

Documentation

| Procedure | Sub-procedure | Output/Tools |
|---|---|---|
| 1.1 Perform Government Risk Identification | Develop/Update the Government Risk Model | Form 01-01 Government Risk Model (GRM) |
| | Identify Government Risks | Form 01-02 Government Risk Identification Template (GRIT) |
| | Report the Results of Government Risk Identification | Report on the results of GRI |
| 1.2 Conduct COA Strategic Planning | | |


Phase 1 Strategic Planning and Risk Identification Form 01-01: Government Risk Model

GOVERNMENT RISK MODEL

Objective

Part of the Strategic Planning and Risk Identification process of the Integrated Results and Risk-based Audit (IRRBA) is the identification of government risks. This activity will be conducted annually, supervised by the Assistant Commissioners and attended by directors from the following sectors/offices:
- National Government Sector (NGS)
- Corporate Government Sector (CGS)
- Local Government Sector (LGS)
- Regional Offices
- Fraud and Investigation office (FAIO)
- Special Audits Office (SAO)
- Information Technology Office (ITO)
- Technical Services Office (TSO)

The Government Risk Model is introduced to guide the participants in the identification of government risks. The Government Risk Model is a comprehensive list of risks that a government may encounter which could threaten the achievement of its mandate and objectives. This model shall be regularly reviewed, updated and customized to consider changes in the public sector environment, as well as to consider the impact of new standards, laws, rules and regulations.
*The COA shall identify the process champion in this activity, which will ensure the maintenance and updating of this tool.

Accomplishing this tool

Risk Listing - The Risk Listing is a table of government risks divided into the following risk categories:
a. Strategic
b. Operations
c. Compliance
d. Financial
Last updated: March 2011; Version: 01-01/2011/v1


The table lists all potential risks that the government may face. Therefore, there are risks that may be identified as risks of the government in the current audit period that were not identified in the preceding audit period. In either case, the risk listing shall be maintained regardless of the existence of the risk at the time of the identification. Likewise, the list shall be regularly updated to include emerging risks that may affect the achievement of the government's mandate and objectives.

Risk Definition - Customize/create the definition of the risks based on the nature of the risk.
a. Risk Title - The label for the risks identified shall be properly chosen so that the nature of the risk is evident from the risk title alone.
b. Risk Description - The risk description shall be clear on the cause and effect of the risk once it materializes. The risk definition shall be generic in nature and shall avoid including process-level effects, so as not to limit/restrict the risk descriptions.

NOTE: The items in the succeeding pages are just samples to illustrate the tool. They do not represent any factual data or any result of prior audit projects.


GOVERNMENT RISK MODEL


Prepared by:        Date:
Reviewed by:        Date:
Approved by:        Date:

Strategic
Planning and resource allocation; Organizational structure; Strategic planning; Operational planning; Budgeting; Forecasting; Resource allocation; Capital/fund availability; Operational model; Operational portfolio; Outsourcing; Major initiatives; Vision and direction; Planning and execution; Measurement and monitoring; Technology implementation; Project evaluation; Change readiness; Climate change and sustainability initiatives; Education; Healthcare services delivery; Energy and water management (supply/distribution); Environment dynamics; Economic changes; Financial market; Sovereign/political; Customer/public wants; Technological innovation; Environment scan; Agency environment/industry; Sensitivity; Market dynamics; Macroeconomic factors; Lifestyle trends; Sociopolitical; Technology changes; Communication and public relations; Media relations; Public relations; Crisis communications; Employee communication

Operations
Public service and operations; Customer/public satisfaction; Channel effectiveness; Cycle time; Service failure; Efficiency; Capacity; Performance measure/gap; Partnering/contracting; Citizen relationship management system and organization; Corruption and fraud; People; Culture; Recruiting and retention; Development and performance; Succession planning; Knowledge capital; Compensation and benefits; Performance incentives; Health and safety; Information technology; Information management; Security/access; Availability/continuity; Integrity; Infrastructure; Hazards; Natural events; Terror and malicious acts; Physical assets; Real estate; Property, plant and facilities; Maintenance and performance; Inventory

Compliance
Mandate; Functions; Governance; Board performance/Agency Management Committee; Tone at the top; Authority/limit; Control environment; Corporate social responsibility; Reputation; Code of conduct; Ethics; Fraud; Employee/third party fraud; Illegal acts; Management fraud; Unauthorized use; Legal; Contract; Liability; Intellectual property; Anticorruption; Legal; Regulatory; Trade; Customs; Procurement; Road-right of way (RROW) acquisition; Labor; Securities; Environment; Data protection and privacy; International; Product/service quality; Health and safety; Competitive practice/antitrust

Financial
Market; Interest rate; Foreign currency; Commodity; Financial instrument; Public policies; Debt and fiscal policy; Liquidity and credit; Cash management; Opportunity cost; Funding; Hedging; Credit and collections; Insurance; Foreign assisted loan; Accounting and reporting; Accounting, reporting and disclosure; Internal control; Investment evaluation; Tax strategy and planning; Capital structure; Debt; Equity; Pension funds


Risk Definition
| RISK TITLE | RISK DESCRIPTION |
|---|---|
| STRATEGIC | |
| Planning and Resource Allocation | |
| Organizational structure | The overall structure of the government instrumentalities does not support the achievement of strategic objectives in an efficient manner. |
| Strategic planning | This risk pertains to the inability to discover, evaluate and select among alternatives to provide direction and allocate resources for effective execution to achieve the strategic objectives of the government. |
| Operational planning | This risk pertains to the misalignment of operating plans and execution to strategic planning. There is also a lack of information needed to make the right decisions. |
| Budgeting | This risk pertains to the inability to effectively budget for new and existing initiatives that support the overall strategic goals and objectives for growth, expansion, acquisition for public welfare. It also pertains to the inability to effectively budget for programs and projects that would meet the government's Medium Term Philippine Development Plan (MTPDP). |
| Forecasting | This risk pertains to the inability to forecast financial information to enable the allocation of resources to new and existing initiatives. |
| Resource allocation | Unavailability and inappropriateness of the resource allocation process prohibits the government's ability to provide value for the public. |
| Capital/fund availability | Insufficient access to funds threatens the government's capacity to grow, execute its strategies and achieve its objectives. |
| Operational model | The government has an obsolete operation model and does not recognize it and/or lacks the information needed to make an up-to-date assessment of its current model and build a compelling operational case for modifying that model in a timely manner. |
| Operational portfolio | Lack of relevant and reliable information that enables agency management to effectively prioritize its services or balance its operations in a strategic context may preclude a diversified agency from maximizing its overall performance. |
| Outsourcing | Outsourcing activities to third parties may result in the third parties not acting within the intended limits of their authority or not performing in a manner consistent with the government's strategies and objectives. |
| Major initiatives | |
| Vision and direction | This risk pertains to the failure to establish a vision and direction for major initiatives, including services, products and programs that will drive future growth. It also pertains to failure to establish project acceptance criteria and adequately measure against the criteria. |
| Planning and execution | This risk pertains to the failure to plan and execute major initiatives in a coordinated manner. |


| RISK TITLE | RISK DESCRIPTION |
|---|---|
| Measurement and monitoring | This risk pertains to the failure to identify appropriate metrics and assess performance, quality and adherence to the standards as set forth by the government. |
| Technology implementation | This risk pertains to the failure of a major technology implementation to meet the organization's strategic objectives. |
| Project evaluation | Failure to evaluate project proposals may result in problems when the project has been approved. |
| Change readiness | The people within the government are unable to implement process and service improvements quickly enough to keep pace with changes in the public environment. |
| Climate change and sustainability initiatives | Failure to foresee changes in the environment and establish initiatives to keep pace with biological changes may result in operations discontinuance and degradation. |
| Environment Dynamics | |
| Economic changes | Economic changes such as lower economic growth reduce tax revenue and opportunities to provide a wide range of services or limit the availability or quality of existing services. |
| Financial market | Movements in prices, rates, indices and the like threaten the value of the agency's financial assets. |
| Sovereign/political | Adverse political actions in a country in which the agency has invested significantly, is dependent on a significant volume of operation, or has entered into a significant agreement with a counterparty subject to the laws of that country threaten the agency's resources and future cash flows. |
| Customer/public wants | This risk pertains to the changing pervasive public needs and wants that the agency is not aware of, e.g., increased demand for faster turnaround on services. |
| Technological innovation | The agency is not leveraging advancements in technology in its operations to achieve or sustain advantage. The agency may also be exposed to the actions of another agency or substitute that does not leverage technology to attain superior quality, cost and/or time performance in their services processes. |
| Environment scan | Failure to monitor the external environment or formulation of unrealistic or erroneous assumptions about environment risks may cause the agency to retain operation strategies long after they have become obsolete. |
| Agency environment/Industry | This risk pertains to the changes in opportunities and threats, and other conditions affecting the agency's environment. |
| Sensitivity | Overcommitment of resources and expected future cash flows threatens the agency's capacity to withstand changes in environment forces (e.g., interest rates, public demand, changes in regulations and so on). |
| Market Dynamics | |
| Macroeconomics factors | This risk pertains to the factors relating to macroeconomic conditions that affect the ability to maintain or increase revenue and profitability in a specific agency environment. |
| Lifestyle trends | This risk pertains to the failure to anticipate and respond to changes in overall trends related to lifestyle demands of consumers. |


| RISK TITLE | RISK DESCRIPTION |
|---|---|
| Sociopolitical | This risk pertains to the exposure to social and political factors within a market environment that affect the ability to market, sell and deliver products and services. |
| Technology changes | This risk pertains to the dramatic changes in current technologies that may impact the market viability or demand of current products and services offered by the agency. |
| Communication and public relations | |
| Media relations | This risk pertains to the inability to anticipate and manage shifts in the information stakeholders want and the way in which they want it communicated to them. It also pertains to ineffective ongoing, transparent communications with the public in order to create goodwill. |
| Public relations | A decline in customer/public confidence threatens the agency's capacity to efficiently raise or collect funds. |
| Crisis communications | This risk pertains to the failure to communicate the right message in an effective manner to recover and maintain agency operations in the event of a crisis or disruption due to physical or natural circumstances. |
| Employee communications | This risk pertains to the inability to understand and respond to the communication needs of different employees. |
| OPERATIONS | |
| Public Service and Operations | |
| Customer/public satisfaction | A lack of focus on the customer/public threatens the agency's capacity to meet or exceed the customer's/public's expectations. |
| Channel effectiveness | Poorly performing or positioned channels access threaten the agency's capacity to effectively and efficiently service the customer/public. |
| Cycle time | Unnecessary activities threaten the agency's capacity to deliver services in a timely manner. |
| Service failure | Faulty or non-performing services expose the agency to customer/public complaints, litigation, and loss of revenues and agency reputation. |
| Efficiency | Inefficient operations threaten the agency's capacity to deliver services at the lowest cost and shortest time possible. |
| Capacity | Insufficient capacity threatens the agency's ability to meet customer/public demands, or excess capacity threatens the agency's ability to generate competitive profit margins. |
| Performance measure/gap | Inability to perform at world-class levels in terms of quality, costs and/or cycle time due to inferior operating practices threatens the demand for the agency's services. |
| Partnering/contracting | Inefficient or ineffective external relationships affect the agency's capacity to serve. These uncertainties arise due to choosing the wrong partner, poor execution, taking more than what is given (resulting in loss of a partner) and failing to capitalize on partnering opportunities. |
| People | |


| RISK TITLE | RISK DESCRIPTION |
|---|---|
| Culture | This risk pertains to the failure to establish a culture that is consistent with management philosophy and that encourages integrity, values, and ethical competence. |
| Recruiting and retention | This risk pertains to the failure to attract, hire and retain the qualified resources to optimize execution of the organization's objectives. |
| Development and performance | This risk pertains to the inability to develop and enhance employee skills and provide performance management that ensures optimal achievement of organizational strategies, goals and objectives. |
| Succession planning | This risk pertains to the failure to create and implement an effective succession plan for senior executive and other key positions and employees throughout the organization. It also pertains to the failure to align succession planning with strategic planning and leadership development objectives. |
| Knowledge capital | Processes for capturing and institutionalizing learning across the agency are either non-existent or ineffective, resulting in slow response time, high costs, repeated mistakes, slow development, constraints on growth and unmotivated employees. |
| Compensation and benefits | Failure to provide a total compensation package (base salary, annual/long-term incentive, benefits/perquisites) that is market competitive, is aligned to agency and compensation strategies, and retains and motivates employees to achieve desired results. |
| Performance Incentives | Unrealistic, misunderstood, subjective or non-actionable performance measures may cause senior management, division heads and employees to act in a manner inconsistent with the agency's objectives, strategies, and ethical standards, and with prudent agency practice. |
| Health and safety | Failure to provide a safe working environment for its workers exposes the agency to compensation liabilities, loss of operational reputation and other costs. |
| Information and technology | |
| Security/access | Failure of information systems to adequately protect the critical data and infrastructure from theft, corruption, unauthorized usage, viruses, or sabotage. |
| Availability/continuity | The inability to recover from, and continue uninterrupted operations in the event of, extraordinary events, systems and implementation failures. |
| Integrity | Information systems that do not provide reliable information when it is needed or perform so slowly that operations are not efficient. |
| Infrastructure | The computer and telecommunications systems with supporting software do not capture, retain and transfer data in a secure and reliable environment and do not meet the expected requirements of the agency at a reasonable cost. |
| Hazards | |
| Natural events | Threat to disrupt operation and ability of the agency to sustain operations, provide essential services or recover operating costs or accomplish planned target due to natural events (e.g., fire, earthquake, tornado). |
| Terror and malicious acts | Threat to disrupt operation and ability of the agency to sustain operations, provide essential services or recover operating costs or accomplish planned target due to terrorist activities or other malicious acts. |


| RISK TITLE | RISK DESCRIPTION |
|---|---|
| Physical assets | |
| Real estate | Failure to provide physical protection and stewardship over real estate designed to optimize longevity and utilization. |
| Property, plant and facilities | Failure to provide physical protection and stewardship over long-lived assets (such as buildings, furniture, fixtures, machinery, equipment and other assets) designed to optimize longevity and utilization. |
| Inventory | Failure to provide physical protection and stewardship over inventories designed to optimize utilization while minimizing obsolescence, contamination, etc. |
| COMPLIANCE | |
| Mandate | |
| Function | Failure to align process objectives and performance measures with the mandate of the agency, its objectives and strategies may result in conflicting, uncoordinated activities throughout the agency. |
| Governance | |
| Board performance/Agency management committee | Failure of the Board of Directors to discharge their obligations and duties owed to the agency and its stakeholders in good faith; and to possess adequate knowledge to interpret and act on the information provided. |
| Tone at the top | Senior management fails to establish an environment that encourages integrity, ethical values, and competence of the agency's people through management's philosophy and operating style, assignment of authority and responsibility, and the organization and development of its people. |
| Authority/limit | Ineffective lines of authority may cause senior management, division heads or employees to do things they should not do or fail to do things they should. |
| Control environment | Failure to establish and maintain an internal control environment which aligns with stakeholder and regulatory expectations. |
| Corporate social responsibility | The mismanagement of "socially responsible" activities (e.g., conducting social responsibility training for management of manufacturers, undertaking environmental programs, participating in community initiatives) resulting in an unfavorable agency perception with stakeholders, customers, suppliers, agency partners, employees and the regulatory community. |
| Reputation | Damage to the Agency's reputation exposes it to loss of customer/public trust, profits and the ability to grow. |
| Code of conduct | The absence of formal standards of employee behavior that are intended to direct and influence the way agency operation is conducted, above and beyond the letter of the law. |
| Ethics | Potential unethical acts committed by agency employees or other stakeholders may negatively impact the agency's reputation. |
| Fraud | |
| Employee/Third Party Fraud | Fraudulent activities perpetrated by employees, suppliers, agents, or third-party administrators against the agency for personal gain (e.g., misappropriation of physical, financial or information assets) expose the agency to financial loss. |


| RISK TITLE | RISK DESCRIPTION |
|---|---|
| Illegal Acts | Illegal acts committed by senior management, division heads or employees expose the agency to fines, sanctions, and loss of public trust, profits and reputation, etc. |
| Management Fraud | Management fraud (e.g., intentional misstatement of financial statements or critical reports) may adversely affect stakeholders' decisions. |
| Unauthorized Use | Unauthorized use of the agency's physical, financial or information assets by employees or others exposes the agency to unnecessary waste of resources and financial loss. |
| Legal | |
| Contract | Entering into contracts that are unfavorable to the agency; and the failure to comply with and monitor contract terms to protect the agency from financial losses. |
| Liability | A responsibility, duty or obligation that may result in lawful consideration to provide satisfaction, compensation or other form of restitution. |
| Intellectual property | Failure to create, capture, enhance, leverage and protect the collective knowledge, expertise and ideas of agency employees valued as nonphysical assets. |
| Anticorruption | Failure to create an agency environment which is opposed to corruption, and instill agency practices which prevent corruption. |
| Legal | Changing laws threaten the agency's capacity to consummate important transactions, enforce contractual agreements or implement specific strategies and activities. |
| Regulatory | |
| Trade | Failure to identify and prevent legal risks posed by noncompliance with governmental and international regulatory requirements for trade practices, e.g., anti-dumping and trade policy. |
| Customs | Failure to identify and prevent legal risks posed by noncompliance with governmental and international regulatory requirements for customs. |
| Procurement | Failure to identify and prevent legal risks posed by noncompliance with the government procurement reform act. |
| Road-right of way (RROW) acquisition | Failure to implement infrastructure projects due to RROW problems and risks posed by non-compliance with Comprehensive and Continuing Urban Development and Housing Program (RA 7279). |
| Labor | Failure to identify and prevent legal risks posed by noncompliance with governmental and international regulatory requirements for labor rules and regulations, including taxes, wages, antidiscrimination, Family and Medical Leave, workplace violence, etc. |
| Securities | Failure to identify and prevent legal risks posed by noncompliance with governmental and international securities regulatory requirements. |
| Environment | Failure to identify and prevent legal risks posed by noncompliance with governmental and international environmental regulations, e.g., noncompliance with ISO 4001 standards. |
| Data protection and privacy | Failure to identify and prevent legal risks posed by, and prevent noncompliance with, privacy rules and regulations standards resulting in improper disclosure of confidential customer information. |


| RISK TITLE | RISK DESCRIPTION |
|---|---|
| International | Exposure to geo-political, regulatory and fraud risks via international business dealings. |
| Product/service quality | Failure to identify and prevent legal risks posed by noncompliance with governmental and international regulatory requirements for product/service quality and safety. |
| Health and safety | Failure to identify and prevent legal risks posed by noncompliance with governmental and international rules and regulations for health and safety. |
| Competitive practice/antitrust | Failure to identify and prevent legal risks posed by, and prevent noncompliance with, government and international rules and regulations for competitive practices/anti-trade. |
| | Lack of awareness of statutory and regulatory application of export & customs policies and requirements. |
| FINANCIAL | |
| Market | |
| Interest rate | Unfavorable price paid per unit of funds borrowed or the rate of return received on invested assets, or interest rate fluctuations beyond projected range. |
| Foreign currency | Unfavorable fluctuations in the currency of another market that is needed to carry out international transactions. |
| Commodity | Unfavorable fluctuations in the price of raw materials or other commodities used in product development/service delivery that are not anticipated and managed. |
| Financial instrument | Financial market risk can vary depending on the particular segment of the market to which the holder of a financial instrument is exposed, or the way in which the exposure is structured. |
| Liquidity and credit | |
| Cash management | Failure to efficiently and effectively administer and manage cash flows to maintain adequate liquidity to meet obligations. |
| Opportunity cost | The use of funds in a manner that leads to the loss of economic value, including time value losses, transaction costs and other causes of loss of value. |
| Funding | Failure to meet the requirements of a portfolio of capital investments and obligations based on specified commitments or in accordance with terms of an agreement (i.e. retirement and capital accounts). Failure to receive appropriate funds to finance programs and projects. |
| Hedging | Failure to purchase or undertake sale transactions that effectively minimize profits or losses arising from price fluctuations. |
| Credit and collections | Inability to obtain the optimal level of payment received as a result of a prior agency transaction. |
| Insurance | Insurance coverage fails to protect the agency from significant financial losses due to incidents and claims. |
| Accounting and reporting | |


| RISK TITLE | RISK DESCRIPTION |
|---|---|
| Accounting, reporting and disclosure | Incomplete, inaccurate and/or untimely reporting of required financial and operating information to other regulatory agencies may expose the agency to fines, penalties and sanctions. Over-emphasis on financial accounting and other information to manage the operations may result in the manipulation of outcomes to achieve targets at the expense of not meeting public expectation, quality and efficiency objectives. |
| Internal control | Significant or material weaknesses resulting from inadequate financial internal controls impacting management's assessment and reporting under country regulations. |
| Investment evaluation | Lack of relevant and/or reliable information supporting investment decisions and linking the financial risks accepted to the capital at risk, may result in poor short- or long-term investments. |
| Tax strategy and planning | Failure to properly evaluate and execute tax planning strategies. Misalignment of tax objectives and strategies with overall agency objectives, strategies and initiatives. |
| Capital structure | |
| Debt | Potential over reliance on borrowing from creditors to provide adequate working capital for agency objectives and/or to cover current operating obligations resulting in an unfavorable debt to equity ratios. |
| Equity | Inability to offer marketable securities appropriately priced for the enterprise's value. |
| Pension funds | Inability to identify, establish and maintain the optimal structure for pension funds. |


Phase 1 Strategic Planning and Risk Identification Form 01-02 Government Risk Identification Template

GOVERNMENT RISK IDENTIFICATION TEMPLATE


Objective

The Government Risk Identification Template (GRIT) is used to document the significant government risks identified for a particular audit period, as well as the basis of selecting those particular risks, and the agencies and programs or activities affected. Having all of this information in one sheet facilitates ease of summary and discussion with the participants during the identification of significant government risks, and increases efficiency and effectiveness in tracing the effects of those risks. This template, if carefully and exhaustively accomplished, will facilitate a unified thrust for the COA in conducting government auditing. The GRIT, once accomplished, shall be cascaded to all audit clusters and concerned offices through the COA's Annual Strategic Planning for inclusion in the Agency Audit Planning and Risk Assessment.

Accomplishing this tool

Accomplishing this tool is critical to document the high-level inputs from COA directors assigned in the audit of agencies representing the three audit sectors, regions, and auditors performing Government-wide and Sectoral Performance Audit (GWSPA) and Fraud Audit.

Government Objective - Identify the objectives of the government as identified in the State of the Nation Address (SONA), Medium-Term Philippine Development Plan (MTPDP), Medium-Term Public Investment Program (MTPIP) and so on.

Key Government Risk - Participants may use the Government Risk Model to identify the key government risks (risk category, risk title and risk definition).

Basis of Selection - Indicate the basis or reason why the risk was considered as significant. Relevant data may also be obtained from the following:
- COA direction
- Sector Strategic Action Plan
- SONA
- MTPDP/MTPIP
- Government Risk Model
- Sector risks
- Media releases and media reports
- Fraud and geographic risks
- Government-wide and sectoral programs and activities
- Knowledge of the auditors

Name of Agency - Indicate the agencies affected by the risks identified. Auditors may also refer to other outputs of government instrumentalities (e.g., Updated Strategy Planning Matrices for the MTPDP of NEDA).

Government Program, Activity or Project - Relate the government program/activity affected by the risk identified. It could be a program of one agency or an inter-agency project.

Last updated: March 2011; Version: 01-02/2011/v1


GOVERNMENT RISK IDENTIFICATION TEMPLATE


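For the Audit Period 20XX

Prepared by : __________________________________________________ Date :
Reviewed by : __________________________________________________ Date :
Approved by : __________________________________________________ Date :

| | Government Objective | Key Government Risk: Risk Category | Key Government Risk: Risk Title | Key Government Risk: Risk Definition | Basis of Selection | Name of Agency | Government Program, Activity or Project |
|---|---|---|---|---|---|---|---|
| Key Risk 1 | | | | | | | |
| Key Risk 2 | | | | | | | |
| Key Risk 3 | | | | | | | |
| Key Risk 4 | | | | | | | |
| Key Risk 5 | | | | | | | |
| Key Risk 6 | | | | | | | |
| Key Risk 7 | | | | | | | |
| Key Risk 8 | | | | | | | |
| Key Risk 10 | | | | | | | |
| Key Risk 11 | | | | | | | |
| Key Risk 12 | | | | | | | |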


Phase 2 Agency Audit Planning and Risk Assessment

AGENCY AUDIT PLANNING AND RISK ASSESSMENT

[Figure: Integrated Results and Risk-Based Audit Framework. Planning: Strategic Planning and Risk Identification; Agency Audit Planning and Risk Assessment. Delivery: Execution; Conclusion and Reporting. Monitoring (Quality Control System).]

Introduction

The scope of state audit under our Constitution and the implementing laws and regulations includes financial, compliance and performance audits. These three main classifications of state audit, when conducted together, are known as comprehensive audit. Comprehensive audit starts with planning the engagement at the agency level.

Activity 2, Agency Audit Planning and Risk Assessment, is designed to promote the consistent implementation of the IRRBA methodology and standard documentation in comprehensive auditing. Activity 2 employs a disciplined, team-based approach to audit planning, emphasizing the early development of risk assessments and the audit strategy.

Agency Audit Planning and Risk Assessment occurs early in the audit cycle to provide time to appropriately plan and customize the audit strategy, thereby allowing COA auditors to effectively execute the audit and, at the same time, perform other duties and responsibilities. This activity is ideally done in the first 3 months of the audit cycle.


The following are the activities involved in this phase:

2.1. Prepare Agency Audit Workstep
2.2. Understand the Agency
2.3. Identify Significant Agency Risks
  2.3.1 Update Agency Risk Model
  2.3.2 Assess Agency Risks
  2.3.3 Prioritize Significant Agency Risks
2.4. Understand and Assess Agency-Level Controls
2.5. Understand the Process
  2.5.1. Identify Critical Path of the Processes
  2.5.2. Identify Process Risks
  2.5.3. Identify Impact
  2.5.4. Identify Existing Controls
2.6. Conduct Audit Risk Assessment and Planning
  2.6.1. Financial and Compliance
  2.6.2. Performance
  2.6.3. Determine Audit Scope and Timing
  2.6.4. Determine need for specialized skills

Procedures

2.1. Prepare Agency Audit Workstep

The Agency Audit Workstep contains a phase-by-phase detail of the IRRBAM showing the estimated time to complete each phase and the audit team member assigned to complete each activity. This should be accomplished by the ATL and approved by the SA. A copy should be submitted to the CD.

The audit team should prepare the Audit Worksteps for each agency being audited, showing the estimated time to be incurred for the current year audit. Regional auditors assigned to a regional office or branch of a National or Corporate agency shall prepare the worksteps that will be done only by regional auditors.

Documentation

Form 02-01 Agency Audit Workstep Template


2.2. Understand the Agency

An important aspect of the Comprehensive audit process is the identification of risks applicable to the agency. Agency risks have various sources such as new legislation/law, environmental factors, control environment, nature of the agency's operations and market forces. In identifying the agency's risks, it is important to gain sufficient understanding of the agency, including its purpose, operations and environment.

The key to effective planning of an audit is gaining a thorough understanding of the agency. By understanding how the agency operates and how key environmental factors affect its goals, objectives, and strategies, we can better identify and consider its agency risks during our audit.

The knowledge we gain about the agency's operations provides the basis for making more comprehensive risk evaluations. That is, by gaining an understanding of the agency's principal risks and their relationship to the inherent and control risk components of audit risk, we can:
- Develop more effective and efficient audit strategies.
- Increase the value we deliver by providing timely communications on internal control observations and emerging issues of importance to the agency.
- Better manage COA's risk by using the more comprehensive view of the agency's risks in making engagement decisions.

In understanding the agency, we comprehend the agency itself and the environment in which it operates. This assists us in identifying risk factors. We determine whether these risk factors are inherent risks (i.e., risk factors that may give rise to risks of material misstatement or risk of not achieving the objectives of the Agency's PAPs) and consider the effect in our risk assessment and in the design of our audit test procedures.

We exercise professional judgment in determining the extent of understanding that is required. Our primary consideration is whether we have obtained a sufficient understanding of the agency and its environment to identify and assess the risks of material misstatement, whether due to fraud or error, or risk of not achieving the objectives of the Agency's PAPs, thereby providing a basis for designing and implementing audit procedures to respond to the assessed risks.

Components

Accordingly, the audit team should have an understanding of each of the following and their interrelationships:
- Relevant industry, regulatory, and other external factors, including the applicable financial reporting framework


- The nature of the agency, including:
  - Its operations
  - Its ownership and governance structures
  - The types of investments that the agency is making and plans to make
  - The way that the agency is structured and how it is financed
  to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the agency
- The agency's selection and application of accounting policies, including the reasons for changes thereto
  The auditor shall evaluate whether the agency's accounting policies are appropriate and consistent with the applicable financial reporting framework and accounting policies.
- The agency's objectives and strategies, and those related agency risks that may result in risks of material misstatement or risks of not achieving the objectives of the Agency's PAPs
- The measurement and review of the agency's financial and operational performance
- The mandates of an agency given by the Philippine Government or any other law or legislation establishing such agency
- An understanding of the Agency's PAPs to determine if the objectives of such PAPs are aligned with the Agency's mandate
  Transactions outside the Agency's mandate that are significant give rise to Mandate risk.
- Key results identified and monitored by management that must be achieved to conclude that a strategy has been implemented successfully
  Key performance indicators also refer to the targeted Major Final Outputs (MFO) as stated in the agency's Organizational Performance Indicator Framework (OPIF).

We share with management our understanding of the agency and its environment to confirm our understanding of the agency, to determine management's awareness of the effects of the agency's environment on the operations and to understand management's attitude and strategies towards managing its risks.

Audit Techniques

A wide variety of procedures and techniques are used to gather the necessary information for understanding the agency. These may include:

Review of information

Review of relevant information of the agency and its environment assists us in obtaining an understanding of the agency and its environment and in identifying risk factors.

Inquiry of agency management and others within the agency


Inquiries of management and those responsible for financial reporting and operations enhance our understanding of the nature of the agency's operations. We may also inquire of others within the agency with different levels of authority to obtain additional information or a different perspective as we identify risk factors.

Analytical procedures on financial and non-financial information

Analytical procedures performed as risk assessment procedures may include both financial and non-financial information. This will include our analysis of the agency's actual performance against the targeted performance Major Final Outputs in its OPIF. Our analytical procedures assist us in identifying risk factors that may require added attention in the audit.

Our analytical procedures performed as risk assessment procedures provide a basis for designing and implementing audit procedures that respond to the assessed risks of material misstatement and risks of not achieving the objectives of an agency's PAPs. However, overall analytical procedures may use data aggregated at a high level, and therefore the results only provide an initial indication about whether a risk exists.

Documentation

We document our understanding of the Agency using the Form 02-02 Understanding the Agency template.

2.3. Identify Significant Agency Risks

After gathering information to understand the agency, the auditors of a particular agency (both Head Office and Regions) shall convene to update the Agency Risk Model and identify and prioritize agency risks.

At this stage, auditors may identify Key Fraud Risks (KFR). KFRs identified during this phase of the IRRBAM shall be evaluated and assessed through the Fraud Brainstorming and Fraud Risk Assessment. Auditors shall use the methodology in the Fraud Audit Manual in assessing and evaluating KFRs identified in IRRBAM to come up with proactive and detective testing.


2.3.1 Update Agency Risk Model

The Agency Risk Model (ARM) is a framework consisting of a list of agency-level risks that may hinder the achievement of the agency's objectives. The ARM will be the guide of the auditors in identifying agency risks.

The ARM should be updated annually to consider changes in the agency environment and new policies, laws, rules and regulations. The agency auditors shall provide input on the additions or modifications that need to be reflected in the ARM after conducting the Understanding the Agency process.

Risks are categorized as follows:

- Strategic risk - arises when forces in the agency environment could significantly change the fundamentals that drive the agency's overall social and/or operating objectives and strategies and, in the extreme, result in failure of the agency's operations.
- Operation risk - risks that operations are inefficient and ineffective in executing the agency's operating model, satisfying the public, and achieving the agency's quality, cost and time performance objectives. This arises when operation processes:
  o Are not clearly defined
  o Are poorly aligned with the agency's strategies, goals and objectives
  o Are not performed effectively and efficiently in satisfying the public
  o Expose significant financial, physical and intellectual resources to unacceptable losses, risk taking, misappropriation or misuse
- Financial risk - risk that cash flows and financial risks are not managed cost-effectively to (a) maximize cash availability; (b) reduce uncertainty of currency, interest rate, and other financial risks; or (c) move cash funds quickly and without loss of value to wherever they are needed most. It also includes risks that government agencies face when misleading financial information becomes the basis for decision making by the governing management.
- Compliance risk - non-compliance with prescribed policies and procedures or laws and regulations resulting in lower quality, higher execution costs, lost revenues, unnecessary delays, penalties, fines and so on.

The ARM is somewhat similar to the GRM, except that the risks in the former are Agency-specific while the latter relates to the risk of the government as a whole. The ARM shall be customized per Agency by obtaining information from the UTA template and through inputs from head office and regional auditors.


2.3.2 Assess Agency Risks

Based on the data gathered from the UTA and the results from the GRIT, the audit team shall identify Agency Risks. Different modes may be used in identifying agency risks. It could be in the form of a workshop, survey, questionnaire or interview. In any case, it shall be ensured that the essence of identifying agency risks is followed.

The participants are to identify the following and document them in the Agency Risk Identification (AgRI) Matrix:
- Identified Agency Risks
- Basis of Selection
- Risk Rating (Impact, Likelihood and Overall Rating)
- Risk Location
- Initial Audit Response
- Remarks

Documentation

We document our identification and assessment of Agency Risks using Form 02-05 Agency Risk Identification Matrix.

2.3.3 Prioritize Significant Agency Risks

After all the risks of an agency have been identified, the agency auditors shall prioritize those risks which are significant based on the risk rating provided. The risks identified as significant will be the audit team's focus for their audit. The identified significant agency processes affected by the significant agency risks will be the focus of our Understanding the Process in the succeeding activities.

2.4. Understand and Assess Agency-level Controls

Understanding agency-level controls is an important step in our planning process. Our understanding assists us in identifying and assessing risk, as well as in determining the most appropriate audit strategy.

The nature, timing and extent of procedures to obtain an understanding of agency-level controls vary depending on the size and complexity of the agency, previous experience with the agency and the nature of the agency's controls.

We often obtain our understanding of agency-level controls through inquiry and observation due to the nature of agency-level controls and because audit evidence may not exist or be available in documentary form. This may be even more apparent in less complex agencies when communication between agency management and other personnel may be informal. In other instances, we may be able to corroborate agency management's statements by inspecting documents and reports (e.g., quarterly reports, interim financial statements and minutes of meetings).

Internal Control

Agency management is responsible for the design, implementation and maintenance of effective internal control to address identified agency risks that threaten the achievement of the agency's objectives. These objectives relate to the reliability of the agency's financial reporting, the effectiveness and efficiency of its operations and its compliance with applicable laws and regulations. The way in which internal control is designed, implemented and maintained will vary with an agency's size and complexity.

Internal control, no matter how effective, can provide an agency with only reasonable assurance about achieving the agency's financial reporting and operational objectives. The likelihood of their achievement is affected by the inherent limitations of internal control. These inherent limitations include the realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human error.

Internal control may be divided into five interrelated components. Although this does not necessarily reflect how an agency considers and implements internal control, these components provide a useful framework for us to consider the agency's internal control and to assess the effect on our audit strategy. The five components of internal control are:
- Control environment
- Risk assessment
- Monitoring
- Information and communication
- Control activities

Documenting and evaluating agency-level controls does not by itself provide a complete perspective of internal controls of an agency. However, it is an important starting point because the assessment of agency-level controls, particularly when weaknesses are identified, can have a significant effect on the overall assessment of the effectiveness of internal controls and procedures.

Documentation

We document our understanding of agency-level controls using Form 02-03 Agency-Level Controls Checklist.


2.5. Understand the Process

Significant processes where significant agency risks reside that were identified in the AgRI Matrix are the subject of our Understanding the Process. Our understanding of significant processes, including risks and controls, assists us in:
- Performing risk assessments for each relevant assertion for each significant account and disclosure
- Customizing the nature, timing and extent of our audit procedures to address the identified risks

2.5.1 Identify Critical Path of the Processes

We obtain our understanding by performing inquiry, observation and inspection procedures. Obtaining our understanding of significant processes is a continuous process. When we perform audit procedures and we identify changes in significant processes, we update our understanding. When we identify a new significant process during our audit, we perform the procedures as outlined in this objective.

We obtain an understanding of the critical path of significant processes by obtaining an understanding of each of the following stages:
- Initiation: the point where the transaction first enters the agency's process and is prepared and submitted for recording
- Recording: the point where the transaction is first recorded in the books and records of the agency
- Processing: any changes, manipulation or transfers of data in the books and records of the agency
- Reporting: the point where the transaction is reported (i.e., posted) in the general ledger

2.5.2 Identify Process Risks

Process risks refer to points where risks of material misstatement or risks to the Agency PAPs' objectives, due to error or fraud, can occur in the significant process. We do not attempt to identify all process risks, but focus on those process risks that could have a material effect on objectives of the process or PAPs. We use our professional judgment to identify the appropriate level of detail.


2.5.3 Identify Impact

We determine the impact of the process risk by identifying the affected accounts, including assertions, and its impact on the attainment of the objectives of an agency's PAPs.

2.5.4 Identify Existing Controls

We identify existing controls that address our identified process risks. We determine whether the design of these controls mitigates our identified process risks. Information that will be obtained from our walkthrough (discussed in succeeding paragraphs) shall become one of our bases for our preliminary assessment of control risk.

Further, we also evaluate whether the design of the existing controls identified is adequate to address the identified process risks. Any identified process risk with no controls in place or with inadequate controls should be communicated to management to provide them time to address and resolve the control deficiency.

Confirmation of our understanding

We perform a walkthrough to confirm that our understanding of the significant process is as we have documented and to confirm the points where data is, or should be, captured, transferred or modified, as these are the points where misstatements are most likely to occur.

We also perform a walkthrough to obtain a preliminary assessment of the effectiveness of controls. The result of our walkthrough will be one of our bases for our preliminary assessment of control risk (discussed further in 2.5 Conduct Audit Risk Assessment).

Documentation

Our documentation of process flow may be in narrative format or in graphical form through the use of process mapping flowcharts. Our documentation of our Understanding the Process is determined by the size and complexity of the processes subject to review. The process mapping flowchart, including the identification of process risks, controls and impact, is documented using Form 02-06 Process-Risk-Control (PRC) Matrix.

2.6. Conduct Audit Risk Assessment

The information we have obtained in our UTA, ALC and PRC will be our basis in evaluating and quantifying risks in our audit. The resulting assessments will provide us our basis for prioritization in our audit.


In order to develop an audit strategy that is responsive to the agency's risks, we assess risk for financial, compliance and agency-based performance audit.

2.6.1. Financial and Compliance

In conducting Financial and Compliance Audit Risk Assessment, we assess risk for each relevant assertion for each significant account.

a. Identify significant and material financial statement accounts

We identify significant financial statement accounts based on the affected accounts identified in our Understanding the Process using the PRC Tool. Financial statement accounts that will be assessed are those that are significant and material.

As a general rule, an account is considered material when the account balance as of cutoff date is equal to or more than the planning materiality (as computed using COA's computation of materiality). Aside from account balance as of cutoff date, we should also consider the movement in the accounts in determining whether the account is material or not.

b. Assess Inherent Risk

Definition: Inherent risk: The susceptibility of an assertion about a class of transactions, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

We consider the information we gathered in our UTA, ALC and PRC and use our professional judgment in making our inherent risk assessment for each relevant assertion.

In deciding whether to assess inherent risk as either High or Low, we consider whether we identified inherent risk factors that cause us to believe that there is a higher likelihood that a material misstatement could occur. If we believe there is a higher likelihood that a material misstatement could occur, we assess inherent risk for the relevant assertions as High. If we identify inherent risk factors that cause us to believe that it is less likely that a material misstatement could occur, assuming no controls, we assess inherent risk as Low.

Factors that may affect our inherent risk assessment are as follows:
- Susceptibility to material misstatement
- Size and composition
- Variations from expected amounts
- Effects of external factors
- Competence and experience of agency personnel
- Degree of subjectivity
- Completion of unusual/complex transactions at or near period-end
- Transactions not subjected to routine processing

c. Preliminarily Assess Control Risk

Definition: Control risk: The risk that a misstatement that could occur in an assertion about a class of transactions, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, in a timely manner by the agency's internal control.

Our preliminary assessment of control risk at this point is based on the following:
- Evaluation of the design of controls done in the Understanding the Process activity
- Information we obtained from prior periods' engagements, if available
- Information we obtained from the results of walkthrough procedures in the Understanding the Process activity

Our preliminary evaluation is typically made after we understand the significant processes, risks and controls in Understanding the Process, and after we perform walkthroughs, but before any test of controls is performed. In other words, our preliminary control risk evaluation is based on the design of controls and our determination whether controls have been implemented. We make a preliminary assessment so that we can develop our audit strategy and plan our resources. As the evaluation is preliminary, it is subject to change based on the results of our tests of control effectiveness in the Execution phase.


We assess control risk for each relevant assertion as either:

1. Low - Rely on Controls

We assess whether controls have been designed and are operating effectively throughout the period of reliance. Our assessment to rely on controls at this stage in the audit is a preliminary assessment only. A final assessment shall be made after the conduct of Tests of Controls to determine the operating effectiveness of the controls.

2. High - Not Rely on Controls

After gaining the necessary understanding of the agency's significant processes or significant disclosure processes:
- We believe that controls have not been designed appropriately, implemented effectively, or are unlikely to operate effectively throughout the period of reliance, and therefore we have decided not to test controls;
- We have identified substantive procedures that we believe provide the evidence necessary to support the related account balances or disclosure; or
- We believe that testing controls would be inefficient.

d. Make Combined Risk Assessment (CRA)

The table below shows how we combine our assessments on inherent and control risks into one CRA for financial and compliance risk assessment:

| Inherent Risk Assessment | Control Risk Assessment: Low | Control Risk Assessment: High |
|---|---|---|
| High | Low | High |
| Low | Minimal | Moderate |


The following chart summarizes the risk conclusion and effect on our audit procedures:

| Overall Risk Assessment | Risk Conclusion | Effect on Substantive Tests Audit Procedures |
|---|---|---|
| Minimal | We have sufficient evidence that controls are effective at preventing or detecting and correcting risks of material misstatement from occurring | Designed to confirm that material misstatements have not occurred |
| Low | We have sufficient evidence that controls are effective at preventing or detecting and correcting risks of material misstatement from occurring | Designed to confirm that the risks that have created a higher likelihood of misstatements occurring have not resulted in a material misstatement |
| Moderate | We have insufficient evidence to conclude that controls operated effectively and will prevent or detect and correct misstatements from occurring | Designed to detect and evaluate misstatements that may not have been prevented or detected and corrected by controls |
| High | We have insufficient evidence to conclude that controls operate effectively and will prevent or detect and correct misstatements from occurring and we assess there is a higher likelihood that risks of material misstatements will occur | Designed to detect whether risks of material misstatement have resulted in a material misstatement |

e. Other Material Accounts

Other Material Accounts (OMA) refer to material financial statement accounts that were not considered as significant based on the results of Agency Risk Assessment and Understanding the Process. We use high precision analytical procedures for OMAs. This procedure should not be redundant with the Analytic Review procedures done in the Understanding the Agency Template.

2.6.2. Performance

In conducting assessment for Performance audit, we consider the following factors in evaluating each of the agency's PAPs.


Quantitative Factor Budget Selection of agencys programs/ projects for performance audit is based on an assessment of the total value of government assets, annual expenditure and/or annual revenue of the audit area. The more funds used for a program/project, the higher is its priority for selection as an audit project. Qualitative Factors a. Risk to good management The auditor should assess the risk that the management of the activity to be audited is deficient in economy, efficiency and effectiveness. Evidence of risk to good management includes: Management inaction in response to identified weakness; Adverse comment in the legislature or media; Non-achievement of stated objectives such as revenue raised or clients assisted; High staff turnover; Significant underspending or overspending; Control deficiencies in PAPs processes; Sudden program expansion; and Overlapping or confused responsibility relationships. An agencys program or activity that is more complex to manage and operates in an uncertain environment is more likely to have problems associated with performance. Some possible indicators of high complexity and uncertainty are: Highly decentralized operations with devolved management decision-making responsibilities; A multiplicity of interested parties; Use of rapidly changing and sophisticated technology; A dynamic and competitive environment; and Controversial social and political debate surrounding the issue. The stage of the agencys program development should also be kept in mind when assessing management performance. For example, in the development stage it will be particularly important for the agencys management to set measurable operation objectives that clearly identify how the program will contribute to the organizations objectives. 
During program implementation, it will be important to see whether appropriate performance measures are maintained and analyzed to assess performance, and whether there is a clear identification of roles and responsibilities for each level of program. If the program has been in place for some time, it will be important to assess whether a formal evaluation has been undertaken to ascertain whether the program is continuing to meet relevant needs and the extent to which those needs still exist or are being met by other programs.

b. Significance

The significance of an audit project should have bearing on the magnitude of its organizational impacts. It will depend on whether the activity is comparatively minor or whether shortcomings in the area concerned could flow on to other activities within the agency. Significance will rate highly where the audit project is considered to be of particular importance to the agency and where improvement would have a significant impact on its operations. A low ranking in relation to significance would be expected where the project is of a routine nature and the impact of poor performance would be restricted to a small area or be likely to have minimal impact.

c. Visibility

This factor is similar to significance but is more concerned with the external impact of the program. It is related to the social, economic and environmental aspects of the program/project and the importance of its operations to the government and the public. In considering this factor some weight would be attached to the impact of an error, weakness, or irregularity on public accountability. It would also have regard to the degree of interest by the legislature and public in the outcome of the audit. Projects that have been identified with the audit thrust by the Commission would generally warrant a high rank in terms of visibility.

d. Previous Audit Coverage

Coverage refers not only to previous COA audits undertaken but also to other independent reviews of the project. Such reviews may have been conducted by internal audit, external consultants or government committees, or the project could have been subjected to program evaluation. As a general rule, a low ranking would occur when there has been a substantial review of the activity within the past two years. A higher ranking would be warranted where a follow-up review has been requested by the President, Congress or other authorities or the previous review indicated that such follow-up should be made. The materiality, risk, significance and visibility of a project will also influence the ranking for coverage. If a program has ranked highly on all or most of these elements it would be expected that the coverage cycle would be at fairly frequent intervals.


The factors that we have described above are the basis for a systematic approach to assisting the auditor in applying judgment in selecting PAPs for performance audit. Using these factors, when supported by valid information and data, will help auditors in allocating scarce resources for the audit of projects.

Documentation

We document our audit risk assessments using the Form 02-07 Audit Risk Assessment and Planning Tool.

2.6.3. Determine Audit Scope and Timing

Our audit scope defines the boundaries and limitations of our audit. We document our audit scope based on the results of our risk assessment. In determining the timing of our audit tests (tests of controls and details), we shall consider COA auditors' other responsibilities such as, but not limited to:

- Cash examinations to accountable officers
- Request for relief of accountabilities
- Issuance of disallowances
- Pre-audit activities

2.6.4. Determine need for specialized skills

We are not expected to have the expertise of a person qualified to engage in the practice of another profession or occupation (e.g., an actuary, engineer, fraud investigator). When such expertise is required in order to obtain sufficient appropriate audit evidence, we consider whether to use the work of an appropriate expert.

We may use the work of an expert to:

- Value complex financial instruments, land and buildings, plant and machinery, jewelry, works of art, antiques, intangible assets, assets acquired and liabilities assumed in business combinations and assets that may have been impaired
- Understand the technical aspects of the agency's operations
- Calculate the liabilities associated with insurance contracts or employee benefit plans
- Value environmental liabilities and site clean-up costs
- Analyze complex or unusual tax compliance issues
- Measure work completed and to be completed on contracts in progress
- Interpret technical requirements, statutes, regulations or agreements (e.g., the significance of contracts or other legal documents or legal title to property)
- Review the work of another expert (e.g., to corroborate the findings of a management's expert)

Documentation

We document details of our work plan (i.e., scope, audit strategy, timing) as part of the Audit Risk Assessment and Planning Tool.


Policy and Standard

Policy/Standard - Description

ISSAI 1230 - Audit Documentation
ISSAI 1265 - Communicating Deficiencies in Internal Control to Those Charged with Governance and Management
ISSAI 1300 - Financial audit guideline: Planning an audit of financial statements
ISSAI 1315 - Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Environment
ISSAI 1320 - Materiality in Planning and Performing an Audit
ISSAI 1330 - The Auditor's Responses to Assessed Risks
ISSAI 1520 - Analytical Procedures

Documentation

Procedure | Sub-procedure | Output/Tools

2.1 Prepare Agency Audit Workstep
  Output/Tools: Form 02-01 Agency Audit Workstep

2.2 Understand the Agency
  Sub-procedure: Understand the Agency Profile
  Output/Tools: Form 02-02 Understand the Agency (UTA) Template

2.3 Identify Significant Agency Risks
  Sub-procedures: Update Agency Risk Model; Identify Agency Risks; Prioritize Significant Agency Risks
  Output/Tools: Form 02-03 Agency Risk Model (ARM); Form 02-04 Agency Risk Identification (AgRI) Matrix

2.4 Understand and Assess Agency-Level Controls
  Output/Tools: Form 02-05 Agency-level Control Checklist (ALCC)

2.5 Understand the Process
  Sub-procedures: Identify critical path of the processes; Identify Process Risks; Identify Existing Controls; Identify Impact
  Output/Tools: Form 02-06 Process-Risk-Control (PRC) Matrix

2.6 Conduct Audit Risk Assessment and Planning
  Sub-procedures: Financial and Compliance; Performance; Determine Audit Scope and Timing; Determine need for specialized skills
  Output/Tools: Form 02-07 Audit Risk Assessment and Planning (ARAP) Tool

Form 02-01: Agency Audit Workstep

AGENCY AUDIT WORKSTEP

Auditee: __________________________________________________
Audit Period: __________________________________________________
Prepared By: __________________________________________________ Date Prepared: ___________________
Reviewed By: __________________________________________________ Date Reviewed: ___________________
Approved By: __________________________________________________ Date Approved: ___________________

Activity | WP Ref. | Person Responsible | Output | Target Date to Accomplish, Year (J F M A M J J A S O N D) | Remarks

Last updated: March 2011
Version: 02-01/2011/v1

Form 02-02: Understanding the Agency Template

UNDERSTANDING THE AGENCY TEMPLATE


Last updated: March 2011
Version: 02-02/2011/v1

Objective

We obtain our understanding by performing review, inquiry, analytical procedures, observation and inspection. This template enables us to document our understanding of the agency and its environment and assists in identifying risks of material misstatement. We document the identified inherent and/or significant risks in this template. The Understanding the Agency (UTA) template can be used in conjunction with our meeting(s) with the agency during the planning of the engagement.

When we complete the UTA, we:

- Consider the use of available industry or sector knowledge
- Customize the UTA to each engagement

For future engagements, we base our understanding of the agency and its environment on prior period knowledge. We update our understanding by focusing on the significant changes in the agency and its environment in the current period and reflect those changes within the UTA brought forward from the prior period.

Accomplishing this tool

Agency Profile

A. Mandate - State the relevant law, rule or regulation mandating the purpose of the establishment of the agency.

B. Operations - Provide a brief description of the agency's operations and critical agency processes.

C. Structure - Describe the Agency's organizational structure and its relation to other key government agencies. (Attach the Agency's organizational structure, as necessary.)

D. Objectives and Strategies - State the objectives and strategies of the Agency. Evaluate if these objectives and strategies are aligned with the mandate of the Agency.

E. Key Stakeholders - List stakeholders, or unified stakeholder groups, whose expectations or actions (or inactions) can significantly influence management or affect the agency objectives and strategies (and/or the ability of the agency to meet its objectives and strategies).

F. Key Environmental Factors - Briefly describe the environment of the agency and how the operations of the Agency are affected/influenced by environmental factors. Examples of environment to be reviewed are:

- Political Environment
- Social Environment
- Legal and Regulatory Environment
- Technological Environment

OPIF/Program Accountability Model - Show the Organizational Performance Indicator Framework of the agency, if there is any, or the Program Accountability Model developed.

Key Performance Indicators - The key results identified and monitored by management, generally few in number, that must be achieved to conclude that a strategy has been implemented successfully. Key performance indicators also refer to the targeted Major Final Outputs (MFO) as agreed in their Organizational Performance Indicator Framework (OPIF).

Accounting Policy - Provide a brief description of key accounting policies applied, including financial reporting standards or changes in the agency's accounting policies and reasons for such changes. We evaluate whether the agency's accounting policies are appropriate and consistent with the applicable financial reporting framework.

Previous Audit Findings - Include significant audit findings from previous audits that may still exist in the agency.

Recent Developments/News - Include any pertinent news or publication about the agency and indicate the possible impact or risk that may arise on the Agency.

Analytic Review - Evaluations of financial and non-financial information through analysis of plausible relationships among both financial and non-financial data. Analytical procedures also encompass such investigation as is necessary of identified fluctuations or relationships that are inconsistent with other relevant information or that differ from expected values by a significant amount.

A. Financial

- Financial Statement Account - indicate the financial statement accounts of the Agency
- Current Year - indicate the current account balance of the financial statement account
- Prior Year - indicate the previous year's balance of the financial statement account
- Variance (Amount) - the amount of difference between the current year and previous year balance
- Variance (%) - the percentage increase or decrease from the previous year's balance (Formula is Amount of Variance/Prior Year balance)
- Remarks - indicate the reason for the significant increase or decrease in the account balance

B. Performance

- Performance indicators - indicate the performance indicator applicable to the Agency. Examples of performance indicators are Asset Turnover, Inventory Turnover, Return on Asset and Return on Equity. Should the Agency have an OPIF structure, we should consider the Major Final Outputs as part of the performance indicators.
- Actual - refers to the actual achievement of the Agency on its performance indicator
- Budget/Target - pertains to the planned or targeted performance expected from the Agency
- Variance (Amount) - the amount of difference between the actual and budgeted/targeted amounts
- Variance (%) - the percentage increase or decrease from the budgeted/targeted amount (Formula is Amount of Variance/Budgeted or Targeted amount)
- Remarks - indicate the reason for any significant increase or decrease from the budgeted or targeted amount

PAPs Review - This is a review of each PAP of the agency by understanding the details and overview of the PAP, including its objectives. An analytic review on the performance of the PAP is also included to determine specific areas in the PAP that require audit focus.

UTA Summary

A. UTA Reference - States the part/component of the UTA where the information was taken from.

B. Identified Agency Risk - Indicates the agency risks (risk title and risk statement) identified while understanding the agency. Audit teams may also use the Agency Risk Model as a reference in plotting the agency risks identified at this point.

C. Impact on the Agency - States the impact of the risk to the agency if it materializes, based on your initial understanding.


UNDERSTANDING THE AGENCY TEMPLATE


Agency:
Audit Period:
Prepared by:                Date:
Reviewed by:                Date:
Approved by:                Date:

AGENCY PROFILE

A. Mandate

B. Operations

C. Structure

D. Objectives and Strategies

Objectives | Strategies

E. Key Stakeholders

F. Key Environmental Factors


Political Environment
Social Environment
Legal and Regulatory Environment
Technological Environment

OPIF/ PROGRAM ACCOUNTABILITY MODEL

MFOs/ KEY PERFORMANCE INDICATORS


ACCOUNTING POLICIES

PREVIOUS AUDIT FINDINGS

RECENT DEVELOPMENTS/ NEWS

Recent Developments/ News | Impact on the Agency

ANALYTIC REVIEW

Analytical procedures performed may include both financial and non-financial information. Our analytical procedures performed provide a basis for designing and implementing audit procedures that respond to the assessed risks of material misstatement. However, overall analytical procedures may use data aggregated at a high level and therefore the results only provide an initial indication about whether a risk of material misstatement exists.

a. Financial

Financial Statement Accounts | Current Year | Prior Year | Variance (Amount) | Variance (%) | Remarks

b. Performance

Performance Indicators | Actual | Budget/Target | Variance (Amount) | Variance (%) | Remarks

Major Final Outputs

PAPs REVIEW

a. Program/Project Details

Program/Project:
Objectives:
Total Budget:
Duration:
Project Overview:

b. Performance Indicators

Performance Indicators | Actual | Budget/Target | Variance (Amount) | Variance (%) | Remarks

Financial

Non-financial

UTA SUMMARY

UTA Ref. | Identified Agency Risk (Risk Title) | Identified Agency Risk (Risk Statement) | Impact on the Agency

Form 02-03: Agency Risk Model

AGENCY RISK MODEL

Last updated: March 2011
Version: 02-03/2011/v1

Objective

The Agency Risk Model is a tool to guide the audit team of a particular agency in the identification of agency risks. The Agency Risk Model is a comprehensive list of risks that an agency may encounter which could threaten the achievement of its mandate and objectives. This model shall be regularly reviewed, updated and customized to consider changes in the public sector environment as well as to consider the impact of new standards, laws, rules and regulations.

Accomplishing this Tool

Risk Reference Number - Assign a risk reference number for each agency risk identified. The risk reference number would serve as a reference for the auditors to easily identify agency risks. Develop a risk reference for the identified risk per risk category (strategic, operations, compliance, financial).

Risk Listing - The Risk Listing is a table of agency risks divided into the following risk categories:

a. Strategic
b. Operations
c. Compliance
d. Financial

The table lists all potential risks that the agency may face. Therefore, there are risks that may be identified as a risk of the agency in the current audit period that were not identified in the preceding audit period. In either case, the risk listing shall be maintained regardless of the existence of the risk at the time of the identification. Likewise, the list shall be regularly updated to include emerging risks that may affect the achievement of the agency's mandate and objectives.

Risk Definition - Customize/create the definition of the risks based on the nature of the risk.

a. Risk Title - The label for the risks identified shall be properly chosen to reflect the nature of the risk even by just looking at the risk title.
b. Risk Description - The risk description shall be clear as to cause and effect of the risk once it materializes. The risk definition shall be generic in nature and shall avoid including process-level effects that limit/restrict the risk descriptions.

NOTE: The items in the succeeding pages are just samples to illustrate the tool. They do not represent any factual data or any result of prior audit projects.


AGENCY RISK MODEL


Prepared by:                Date:
Reviewed by:                Date:
Approved by:                Date:

Strategic
Planning and resource allocation Organizational structure Strategic planning Operational planning Budgeting Forecasting Resource allocation Capital/fund availability Operational model Operational portfolio Outsourcing Major initiatives Vision and direction Planning and execution Measurement and monitoring Technology implementation Project evaluation Change readiness

Operations
Public service and operations Customer/public satisfaction Channel effectiveness Cycle time Service failure Efficiency Capacity Performance measure/gap Partnering/contracting Citizen relationship management system and organization Corruption and fraud People Culture Recruiting and retention Development and performance Succession planning Knowledge capital Compensation and benefits Performance incentives Health and safety Information technology Information management Security/access Availability/continuity Integrity Infrastructure Hazards Natural events Terror and malicious acts Physical assets Real estate Property, plant and facilities Maintenance and performance Inventory

Compliance
Mandate Functions Governance Board performance/Agency Management Committee Tone at the top Authority/limit Control environment Corporate social responsibility Reputation Code of conduct Ethics Fraud Employee/third party fraud Illegal acts Management fraud Unauthorized use Legal Contract Liability Intellectual property Anticorruption Legal Regulatory Trade Customs Procurement Road-right of way (RROW) Acquisition Labor Securities Environment Data protection and privacy International Product/service quality Health and safety Competitive practice/antitrust

Financial
Market Interest rate Foreign currency Commodity Financial instrument Public policies Debt and fiscal policy Liquidity and credit Cash management Opportunity cost Funding Hedging Credit and collections Insurance Foreign assisted loan Accounting and reporting Accounting, reporting and disclosure Internal control Investment evaluation Tax strategy and planning Capital structure Debt Equity Pension funds

Climate change and sustainability initiatives

Education Healthcare services delivery Energy and water management (supply/distribution) Environment dynamics Economic changes Financial market Sovereign/political Customer/public wants Technological innovation Environment scan Agency environment/industry Sensitivity Market dynamics Macroeconomic factors Lifestyle trends Sociopolitical Technology changes Communication and public relations Media relations Public relations Crisis communications Employee communication


Risk Definition

RISK REF. NO. | RISK TITLE | RISK DESCRIPTION

STRATEGIC

Planning and Resource Allocation

S1 Organizational structure - The overall structure of the agency instrumentalities does not support the achievement of strategic objectives in an efficient manner.

S2 Strategic planning - This risk refers to the inability to discover, evaluate and select among alternatives to provide direction and allocate resources for effective execution to achieve the strategic objectives of the agency.

S3 Operational planning - This risk refers to the misalignment of operating plans and execution to strategic planning. Lack of information needed to make the right decisions.

S4 Budgeting - This risk refers to the inability to effectively budget for new and existing initiatives that support the overall strategic goals and objectives for growth, expansion, acquisition for public welfare. It also refers to the inability to effectively budget for programs and projects that would meet the agency's Medium Term Philippine Development Plan (MTPDP).

S5 Forecasting - This risk refers to the inability to forecast financial information to enable the allocation of resources to new and existing initiatives.

S6 Resource allocation - Unavailability and inappropriateness of the resource allocation process prohibits the agency's ability to provide value for the public.

S7 Capital/fund availability - Insufficient access to funds threatens the agency's capacity to grow, execute its strategies and achieve its objectives.

S8 Operational model - The agency has an obsolete operation model and does not recognize it and/or lacks the information needed to make an up-to-date assessment of its current model and build a compelling operational case for modifying that model on a timely basis.

S9 Operational portfolio - Lack of relevant and reliable information that enables agency management to effectively prioritize its services or balance its operations in a strategic context may preclude a diversified agency from maximizing its overall performance.

S10 Outsourcing - Outsourcing activities to third parties may result in the third parties not acting within the intended limits of their authority or not performing in a manner consistent with the agency's strategies and objectives.

Major initiatives

S11 Vision and direction - This risk refers to the failure to establish a vision and direction for major initiatives, including services, products and programs that will drive future growth. It also refers to the failure to establish project acceptance criteria and adequately measure against the criteria.

S12 Planning and execution - This risk refers to the failure to plan and execute major initiatives in a coordinated manner.

S13 Measurement and monitoring - This risk refers to the failure to identify appropriate metrics and assess performance, quality and adherence to the standards as set forth by the agency.

S14 Technology implementation - This risk refers to the failure of a major technology implementation to meet the strategic objectives of the organization.

S15 Project evaluation - Failure to evaluate project proposals may result in problems when the project has been approved.

S16 Change readiness - The people within the agency are unable to implement process and service improvements quickly enough to keep pace with changes in the public environment.

S17 Climate change and sustainability initiatives - Failure to foresee changes in the environment and establish initiatives to keep pace with biological changes may result in stoppage of operations and degradation.

Environment Dynamics

S18 Economic changes - Economic changes, such as lower economic growth, reduce tax revenue and opportunities to provide a wide range of services or limit the availability or quality of existing services.

S19 Financial market - Movements in prices, rates, indices and the like threaten the value of the agency's financial assets.

S20 Sovereign/political - Adverse political actions in a country in which the agency has invested significantly, is dependent on a significant volume of operation or has entered into a significant agreement with a counterparty subject to the laws of that country threaten the agency's resources and future cash flows.

S21 Customer/public wants - The agency may not be aware of changing pervasive public needs and wants, e.g. increased demand for faster turnaround on services.

S22 Technological innovation - The agency is not leveraging advancements in technology in its operations to achieve or sustain advantage or is exposed to the actions of other agencies or substitutes that do not leverage technology or to attain superior quality, cost and/or time performance in their services processes.

S23 Environment scan - Failure to monitor the external environment or formulation of unrealistic or erroneous assumptions about environment risks may cause the agency to retain operation strategies long after they have become obsolete.

S24 Agency environment/Industry - This risk refers to the changes in opportunities and threats, and other conditions affecting the agency's environment.

S25 Sensitivity - Overcommitment of resources and expected future cash flows threatens the agency's capacity to withstand changes in environment forces (e.g., interest rates, public demand, changes in regulations).

Market Dynamics

S26 Macroeconomics factors - This risk refers to factors relating to macroeconomic conditions that affect the ability to maintain or increase revenue and profitability in a specific agency environment.

S27 Lifestyle trends - This risk refers to the failure to anticipate and respond to changes in overall trends related to lifestyle demands of consumers.

S28 Sociopolitical - This risk refers to the exposure to social and political factors within a market environment that affect the ability to market, sell and service products and services.

S29 Technology changes - This risk refers to the dramatic changes in current technologies that may impact the market viability or demand of current products and services offered by the agency.

Communication and public relations

S30 Media relations - This risk refers to the inability to anticipate and manage shifts in the information stakeholders want, and the way in which they want it communicated to them, and ineffective ongoing, transparent communications with the public to create goodwill.

S31 Public relations - A decline in customer/public confidence threatens the agency's capacity to efficiently raise or collect funds.

S32 Crisis communications - This risk refers to the failure to communicate the right message effectively to recover and maintain agency operations in the event of a crisis or disruption due to physical or natural circumstances.

S33 Employee communications - This risk refers to the inability to understand, and respond to, the communication needs of different employees.

OPERATIONS

Public Service and Operations

O1 Customer/public satisfaction - A lack of focus on the customer/public threatens the agency's capacity to meet or exceed the customer's/public's expectations.

O2 Channel effectiveness - Poorly performing or positioned channel access threatens the agency's capacity to effectively and efficiently service the customer/public.

O3 Cycle time - Unnecessary activities threaten the agency's capacity to deliver services in a timely manner.

O4 Service failure - Faulty or nonperforming services expose the agency to customer/public complaints, litigation, and loss of revenues and agency reputation.

O5 Efficiency - Inefficient operations threaten the agency's capacity to deliver services at the lowest cost and shortest time possible.

O6 Capacity - Insufficient capacity threatens the agency's ability to meet customer/public demands, or excess capacity threatens the agency's ability to generate competitive profit margins.

O7 Performance measure/gap - Inability to perform at world-class levels in terms of quality, costs and/or cycle time due to inferior operating practices threatens the demand for the agency's services.

O8 Partnering/contracting - Inefficient or ineffective external relationships affect the agency's capacity to serve; these uncertainties arise due to choosing the wrong partner, poor execution, taking more than is given (resulting in loss of a partner) and failing to capitalize on partnering opportunities.

People

O9 Culture - This risk refers to the failure to establish a culture that is consistent with management philosophy and that encourages integrity, values, and ethical competence.

O10 Recruiting and retention - This risk refers to the failure to attract, hire and retain the qualified resources to optimize execution of the organization's objectives.

O11 Development and performance - Inability to develop and enhance employee skills and provide performance management that ensures optimal achievement of organizational strategies, goals and objectives.

O12 Succession planning - This risk refers to the failure to create and implement an effective succession plan for senior executive and other key positions and employees throughout the organization. It also refers to failure to align succession planning with strategic planning and leadership development objectives.

O13 Knowledge capital - Processes for capturing and institutionalizing learning across the agency are either non-existent or ineffective, resulting in slow response time, high costs, repeated mistakes, slow development, constraints on growth and unmotivated employees.

O14 Compensation and benefits - This risk refers to the failure to provide a total compensation package (base salary, annual/long-term incentive, benefits/perquisites) that is market competitive, is aligned to agency and compensation strategies, and retains and motivates employees to achieve desired results.

O15 Performance Incentives - Unrealistic, misunderstood, subjective or non-actionable performance measures may cause senior management, division heads and employees to act in a manner inconsistent with the agency's objectives, strategies, and ethical standards, and with prudent agency practice.

O16 Health and safety - Failure to provide a safe working environment for its workers exposes the agency to compensation liabilities, loss of operational reputation and other costs.

Information and technology

O17 Security/access - Failure of information systems to adequately protect the critical data and infrastructure from theft, corruption, unauthorized usage, viruses, or sabotage.

O18 Availability/continuity - This risk refers to the inability to recover from, and continue uninterrupted operations in the event of, extraordinary events, systems and implementation failures.

O19 Integrity - This risk refers to information systems that do not provide reliable information when it is needed or perform so slowly that operations are not efficient.

O20 Infrastructure - The computer and telecommunications systems with supporting software do not capture, retain and transfer data in a secure and reliable environment and do not meet the expected requirements of the agency at a reasonable cost.

Hazards

O21 Natural events - This risk refers to the threat to disrupt operation and ability of the agency to sustain operations, provide essential services or recover operating costs or accomplish planned target due to natural events (e.g., fire, earthquake, tornado).

O22 Terror and malicious acts - This risk refers to the threat to disrupt operation and ability of the agency to sustain operations, provide essential services or recover operating costs or accomplish planned target due to terrorist activities or other malicious acts.

Physical assets

O23 Real estate - This risk refers to the failure to provide physical protection and stewardship over real estate designed to optimize longevity and utilization.

O24 Property, plant and facilities - This risk refers to the failure to provide physical protection and stewardship over long-lived assets (such as buildings, furniture, fixtures, machinery, equipment and other assets) designed to optimize longevity and utilization.

Last updated Version

: March 2011 : 02-03/2011/v1


O25 | Inventory | This risk refers to the failure to provide physical protection and stewardship over inventories designed to optimize utilization while minimizing obsolescence, contamination and so on.

COMPLIANCE

Mandate
C1 | Function | Failure to align process objectives and performance measures with the mandate of the agency, its objectives and strategies may result in conflicting, uncoordinated activities throughout the agency.

Governance
C2 | Board performance/Agency management committee | This risk refers to the failure of the Board of Directors to discharge their obligations and duties owed to the agency and its stakeholders in good faith and to possess adequate knowledge to interpret and act on the information provided.
C3 | Tone at the top | Senior management fails to establish an environment that encourages integrity, ethical values, and competence of the agency's people through management's philosophy and operating style, assignment of authority and responsibility, and the organization and development of its people.
C4 | Authority/limit | Ineffective lines of authority may cause senior management, division heads or employees to do things they should not do or fail to do things they should.
C5 | Control environment | This risk refers to the failure to establish and maintain an internal control environment which aligns with stakeholder and regulatory expectations.
C6 | Corporate social responsibility | This risk refers to the mismanagement of "socially responsible" activities (e.g., conducting social responsibility training for management of manufacturers, undertaking environmental programs, participating in community initiatives) resulting in an unfavorable agency perception with stakeholders, customers, suppliers, agency partners, employees and the regulatory community.
C7 | Reputation | Damage to the Agency's reputation exposes it to loss of customer/public trust, profits and the ability to grow.
C8 | Code of conduct | This risk refers to the absence of formal standards of employee behavior that are intended to direct and influence the way agency operation is conducted, above and beyond the letter of the law.
C9 | Ethics | Potential unethical acts committed by agency employees or other stakeholders may negatively impact the agency's reputation.

Fraud
C10 | Employee/Third Party Fraud | This risk refers to fraudulent activities perpetrated by employees, suppliers, agents, or third-party administrators against the agency for personal gain (e.g., misappropriation of physical, financial or information assets) that expose the agency to financial loss.
C11 | Illegal Acts | Illegal acts committed by senior management, division heads or employees expose the agency to fines, sanctions, and loss of public trust, profits and reputation and the like.
C12 | Management Fraud | Management Fraud (e.g., intentional misstatement of financial statements or critical reports) may adversely affect stakeholders' decisions.


C13 | Unauthorized Use | Unauthorized use of the agency's physical, financial or information assets by employees or others exposes the agency to unnecessary waste of resources and financial loss.

Legal
C14 | Contract | This risk refers to entering into contracts that are unfavorable to the agency and the failure to comply with and monitor contract terms to protect the agency from financial losses.
C15 | Liability | This risk refers to a responsibility, duty or obligation that may result in lawful consideration to provide satisfaction, compensation or other form of restitution.
C16 | Intellectual property | This risk refers to the failure to create, capture, enhance, leverage and protect the collective knowledge, expertise and ideas of agency employees valued as non-physical assets.
C17 | Anticorruption | This risk refers to the failure to create an agency environment which is opposed to corruption, and instill agency practices that prevent corruption.
C18 | Legal | Changing laws threaten the agency's capacity to consummate important transactions, enforce contractual agreements or implement specific strategies and activities.

Regulatory
C19 | Trade | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and international regulatory requirements for trade practices, e.g., anti-dumping and trade policy.
C20 | Customs | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and international regulatory requirements for Customs.
C21 | Procurement | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with the agency procurement reform act.
C22 | Road-right of way (RROW) acquisition | This risk refers to the failure to implement infrastructure projects due to RROW problems and risks posed by non-compliance with Comprehensive and Continuing Urban development and Housing Program (RA 7279).
C23 | Labor | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and International regulatory requirements for Labor rules and regulations, including taxes, wages, anti-discrimination, Family and Medical Leave, workplace violence and so on.
C24 | Securities | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and International Securities regulatory requirements.
C25 | Environment | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and International Environmental regulations, e.g., noncompliance with ISO 4001 standards.
C26 | Data protection and privacy | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with privacy rules and regulations standards resulting in improper disclosure of confidential customer information.
C27 | International | This risk refers to the exposure to geo-political, regulatory and fraud risks via international business dealings.
C28 | Product/service quality | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and International regulatory requirements for product/service quality and safety.


C29 | Health and safety | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and International rules and regulations for health and safety.
C30 | Competitive practice/antitrust | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and international rules and regulations for competitive practices/anti-trade. Lack of awareness of statutory and regulatory application of export and customs policies and requirements.

FINANCIAL

Market
F1 | Interest rate | This risk refers to the unfavorable price paid per unit of funds borrowed or the rate of return received on invested assets, or interest rate fluctuations beyond projected range.
F2 | Foreign currency | This risk refers to the unfavorable fluctuations in the currency of another market that is needed to carry out international transactions.
F3 | Commodity | This risk refers to the unfavorable fluctuations in the price of raw materials or other commodities used in product development/service delivery that are not anticipated and managed.
F4 | Financial instrument | Financial market risk can vary depending on the particular segment of the market to which the holder of a financial instrument is exposed, or the way in which the exposure is structured.

Liquidity and credit
F5 | Cash management | This risk refers to the failure to efficiently and effectively administer and manage cash flows to maintain adequate liquidity to meet obligations.
F6 | Opportunity cost | This risk refers to the use of funds in a manner that leads to the loss of economic value, including time value losses, transaction costs and other causes of loss of value.
F7 | Funding | This risk refers to the failure to meet the requirements of a portfolio of capital investments and obligations based on specified commitments or in accordance with terms of an agreement (i.e., retirement and capital accounts). It also refers to the failure to receive appropriate funds to finance programs and projects.
F8 | Hedging | This risk refers to the failure to purchase or undertake sale transactions that effectively minimize profits or losses arising from price fluctuations.
F9 | Credit and collections | This risk refers to the inability to obtain the optimal level of payment received as a result of a prior agency transaction.
F10 | Insurance | Insurance coverage fails to protect the agency from significant financial losses due to incidents and claims.

Accounting and reporting
F11 | Accounting, reporting and disclosure | Incomplete, inaccurate and/or untimely reporting of required financial and operating information to other regulatory agencies may expose the agency to fines, penalties and sanctions. Over-emphasis on financial accounting and other information to manage the operations may result in the manipulation of outcomes to achieve targets at the expense of not meeting public expectation, quality and efficiency objectives.

F12 | Internal control | This risk refers to the significant or material weaknesses resulting from inadequate financial internal controls impacting management's assessment and reporting under country regulations.
F13 | Investment evaluation | This risk refers to the lack of relevant and/or reliable information supporting investment decisions and linking the financial risks accepted to the capital at risk, which may result in poor short- or long-term investments.
F14 | Tax strategy and planning | This risk refers to the failure to properly evaluate and execute tax planning strategies. It also refers to the misalignment of tax objectives and strategies with overall agency objectives, strategies and initiatives.

Capital structure
F15 | Debt | This risk refers to the potential over-reliance on borrowing from creditors to provide adequate working capital for agency objectives and/or to cover current operating obligations, resulting in an unfavorable debt-to-equity ratio.
F16 | Equity | This risk refers to the inability to offer marketable securities appropriately priced for the enterprise's value.
F17 | Pension funds | This risk refers to the inability to identify, establish and maintain the optimal structure for pension funds.


Phase 2 Agency Audit Planning and Risk Assessment Form 02-04 Agency Risk Identification Matrix

AGENCY RISK IDENTIFICATION MATRIX


Objective

The Agency Risk Identification (AgRI) Matrix is used to document the agency risks identified for a particular audit period. As a tool that will facilitate the risk assessment process, this document shall be used by audit teams when assessing the impact and likelihood, identifying the locations affected and determining the initial audit response.

Accomplishing this tool

Accomplishing this tool is critical for the audit team to have a common risk language when understanding the risk profile of the agency being audited.

a. Risk Reference Number - Obtain the risk reference number from the risk reference number assigned in the Agency Risk Model.

b. Agency Risk Title/Risk Statement - For each audit period, identify the risks of the agency being audited. The team shall concur and agree on the risks that they perceive will affect the achievement of the agency objectives and operations.

c. Risk Rating

Impact - Assess the impact of the agency risk as high, moderate or low, including the justification for the assessment. In assessing the impact of an agency risk, COA auditors should consider the following factors:
- Potential financial loss or lost opportunity for the agency
- Damage to reputation or relationship with stakeholders or public
- Potential business interruption/reduction of agency operations
- Degree of agency failure to achieve mandate
- Noncompliance with laws, rules and regulations

Likelihood - Assess the likelihood of the risk as high, moderate or low, including the justification for the assessment. In assessing the likelihood of an agency risk, COA auditors should assess the probability/frequency of the risk occurring over a predefined time period. In most instances, the time period is set at one year. It can be adjusted to be aligned with the agency's operating cycle.

Overall Rating - The overall rating is the combination of the assessment made on the impact and likelihood of the agency risk identified.

The overall rating shall be determined using the following matrix:

IMPACT \ LIKELIHOOD | Low      | Moderate | High
High                | Moderate | High     | High
Moderate            | Low      | Moderate | High
Low                 | Low      | Low      | Moderate

d. Risk Location

Process/PAPs - Identify the process or PAP affected by the agency risk.

Office - Identify the offices (departments or units) responsible for the process affected by the agency risk.

e. Initial Audit Response - Indicate the initial audit response for the agency risk identified using the auditor's judgment and past experiences. The team is not limited to the audit response identified in this tool since further evaluations will be made to determine the appropriate audit strategies to be used.

Last updated: March 2011
Version: 02-04/2011/v1


AGENCY RISK IDENTIFICATION MATRIX


Agency: ____________________________ Prepared by: ____________________________ Date: ________________
Audit Period: ____________________________ Reviewed by: ____________________________ Date: ________________
Office: ____________________________ Approved by: ____________________________ Date: ________________

Risk Ref. No. | Agency Risk Title/Risk Statement | Risk Rating: Impact | Risk Rating: Likelihood | Risk Rating: Overall Rating | Risk Location: Process/PAPs | Risk Location: Office | Initial Audit Response
 | | High / Moderate / Low; Justification: | High / Moderate / Low; Justification: | High / Moderate / Low | | | Financial / Compliance / Performance / FRA
 | | High / Moderate / Low; Justification: | High / Moderate / Low; Justification: | High / Moderate / Low | | | Financial / Compliance / Performance / FRA


Phase 2 Agency Audit Planning and Risk Assessment Form 02-05: Agency-level Controls Checklist

AGENCY-LEVEL CONTROLS CHECKLIST


Objective

After understanding the agency objectives and risks, auditors shall identify the top-level controls that the agency has established. Auditors shall obtain an understanding of agency-level controls to plan their audit and determine the most appropriate audit strategy. The Agency-level Controls Checklist contains a set of questions for each internal control component. The questions provided herein will guide auditors in obtaining an initial understanding of the agency-level controls set by the agency management. However, auditors shall consider that documenting and evaluating agency-level controls does not by itself provide a complete perspective of internal controls of an agency. It is an important starting point because the assessment of agency-level controls, particularly when weaknesses are identified, can have a significant effect on the overall assessment of the effectiveness of internal controls and procedures. The internal control concepts of the National Guidelines on Internal Control Systems (NGICS) and the International Standards of Supreme Audit Institutions (ISSAI) are incorporated in this tool.

Accomplishing this tool

I. ALCC Probing Questions

Internal Control Component - Probing questions are initially provided for the following internal control components:
- Control Environment
- Risk Assessment
- Information and communication
- Monitoring
- Control Activities

NOTE: Auditors are not limited to the probing questions provided in this questionnaire. Additional questions may be developed by the team, if deemed necessary.

Yes / No / Not applicable - Answer each probing question with the appropriate response as a result of the auditor's validation of each internal control component.
Last updated : March 2011 Version : 02-05/2011/v1


Remarks - Provide any remark or comment that the auditor may have on the related probing question as a result of its validation. Examples of remarks may include identification of areas that need to be focused on for the audit engagement or possible fraud indicators.

Initial Assessment - Make an initial assessment as to the design and operating effectiveness of each sub-component of the agency's internal control using the probing questions supplied. Indicate the reasons for giving such an assessment in the reason column. The operating effectiveness of some components of the agency's internal control is hard to determine. In this case, audit teams shall document the reasons why and focus their assessment on the design of the internal control. Auditors shall use their professional judgment during this assessment.

II. ALCC Summary

Observations - Document the observations obtained during the understanding of the agency-level controls. Observations may include deficiencies noted on the design of agency-level controls or red flags that we may note on the process that may indicate source of fraud risks. Incidentally, audit teams may need to issue an Audit Observation Memorandum (AOM) to call the attention of the agency to the observations noted.

Recommendations - Provide a recommendation (if applicable) for each key observation noted.

AOM Reference - Indicate the AOM reference number for those observations issued with an Audit Observation Memorandum.


AGENCY-LEVEL CONTROLS CHECKLIST


Agency:
Audit Period:
Prepared: Date:
Reviewed: Date:
Approved: Date:

I. ALCC Probing Questions


Internal Control Component | Yes | No | NA | Remarks

Control Environment

Integrity, Ethical Values, and behavior of key executives
A.1. The agency has a code of conduct or equivalent policy that is communicated and monitored.
A.2. The agency's culture emphasizes the importance of integrity and ethical behavior. Senior management holds itself to the highest standards and leads by example.
A.3. The agency's communications reinforce a consistent message regarding policies and culture.
A.4. Agency management takes appropriate action in response to departures from approved policies and procedures or the code of conduct.
A.5. There are appropriate policies for such matters as conflicts of interest, and security practices that are adequately communicated throughout the agency.
A.6. Agency management maintains, monitors and appropriately responds to a fraud hotline.
A.7. The agency has a whistleblower policy and related whistleblower or ethics hotline, which are appropriately communicated throughout the agency, and include procedures for handling complaints and for accepting confidential submissions of concerns about questionable transactions.
A.8. Agency management's control consciousness and operating style are _________.
A.9. Agency management gives appropriate attention to internal control, including information technology controls.
A.10. Agency management corrects identified internal control deficiencies in a timely manner.
A.11. Agency management tends to be conservative with respect to selecting accounting principles and determining accounting estimates.
A.12. Agency management consults with us on significant matters relating to accounting and financial reporting issues.

Initial Assessment: Effective / Ineffective
Reason:

Agency management's commitment to competence
A.13. The agency personnel have the competence and training needed to deal with the nature and complexity of the agency's operations.
A.14. Agency management has other processes in place for handling complaints about agency operational issues.

Initial Assessment: Effective / Ineffective
Reason:

Participation in governance and oversight by those charged with governance
A.15. Those charged with governance provide effective oversight of the agency's operations.
A.16. There is an open line of communication among those charged with governance and COA auditors, and the nature and frequency of communication is appropriate given the size and complexity of the agency.
A.17. Those charged with governance have sufficient knowledge, experience and time to perform their role effectively.
A.18. Those charged with governance are appropriately independent of agency management given the size and complexity of the agency.

Initial Assessment: Effective / Ineffective
Reason:

The organizational structure and assignment of authority and responsibility
A.19. The agency organizational structure is appropriate given the nature, size and complexity of the agency.
A.20. Agency management engages in communications so that members of personnel understand the agency's objectives, their role in relation to these objectives, and how they are held accountable for the achievement of these objectives.
A.21. There are appropriate methods for establishing authority, responsibility and lines of reporting.
A.22. There are written job descriptions, reference manuals and other communications to inform personnel of their duties.

Initial Assessment: Effective / Ineffective
Reason:

Human resource policies and practices
A.23. The agency has adequate standards and procedures for hiring, training, motivating, evaluating, promoting, compensating, transferring, or terminating personnel.
A.24. Job performance is periodically evaluated and reviewed with each employee.

Initial Assessment: Effective / Ineffective
Reason:


Risk Assessment

B.1. Agency objectives are established, communicated, and monitored. Key elements of the agency's strategic plan are communicated throughout the agency so all employees have a basic understanding of the agency's overall strategy.
B.2. A process is in place to periodically review and update agency-wide strategic plans. The strategic plan is reviewed and approved by the agency's board of directors.
B.3. The agency-wide strategic plan includes IT or there is a separate IT strategic plan that addresses the technology needs of the agency to effectively and efficiently meet its strategic plan.
B.4. There is an adequate mechanism for identifying agency risks, including those resulting from:
- Entering new markets or lines of business
- Offering new products and services
- Privacy and data protection compliance requirements
- Other changes in the operations, economic, and regulatory environment
B.5. The internal audit (or another group within the company) performs a periodic (at least annual) risk assessment. Senior management reviews the risk assessment and considers actions to mitigate the significant risks identified.
B.6. Management considers how much risk it is willing to accept when setting strategic direction or entering new markets, and strives to maintain risk within those levels.
B.7. The board of directors and/or the audit committee oversees and monitors the risk assessment process and takes action to address the significant risks identified.
B.8. There are groups or individuals who are responsible for anticipating or identifying changes with possible significant effects on the agency. Processes are in place to inform appropriate levels of management about changes with possible significant effects on the agency.
B.9. Budgets/forecasts are updated during the year to reflect changing conditions.
B.10. Periodic reviews are performed or other processes are in place to, among other things, anticipate and identify routine events or activities that may affect the agency's ability to achieve its objectives and address them.
B.11. Management reports to the board of directors and/or the audit committee on changes that may have a significant effect on the agency.
B.12. The board of directors and/or the audit committee review and approve significant changes in the agency's accounting practices.
B.13. There are processes to ensure the accounting department is made aware of changes in the operating environment so they can review the changes and determine what, if any, effect the change may have on the agency's accounting practices.
B.14. There are channels of communication between the accounting department and/or individual(s) in charge of monitoring regulatory rules so the accounting department is aware of regulatory changes that could affect the agency's accounting practices.

Initial Assessment: Effective / Ineffective
Reason:

Information and Communication

Information
C.1. The agency is able to prepare accurate and timely financial reports, including interim reports.
C.2. The board of directors and management receive sufficient and timely information to allow them to fulfill their responsibilities.
C.3. Management's objectives in terms of budget, profit, and other financial and operating goals are defined and measurable. Actual results are measured against these objectives.
C.4. There is a high level of user satisfaction with information systems processing, including reliability and timeliness of reports.
C.5. There is a sufficient level of coordination between the accounting and information systems processing functions/departments.
C.6. There are appropriate policies for developing and modifying accounting systems and controls (including changes to and use of computer programs and/or data files).
C.7. Management's efforts to develop or revise information systems (including accounting systems) are responsive to its strategic plans.
C.8. There are significant applications or transactions that are executed/processed by service organizations. Management has documented the relevant controls at the service organization, the company, or both that mitigate the risk of errors. There are policies for periodic monitoring of controls either at the service organization or the company and taking appropriate action to mitigate potential new risks.
C.9. The board of directors or audit committee is involved in monitoring information systems projects and resource priorities.
C.10. The IT organization chart clearly reflects areas of responsibility and lines of reporting and communication.
C.11. There are defined responsibilities for individuals responsible for implementing, documenting, testing and approving changes to computer programs that are purchased or developed by information systems personnel or users.
C.12. Systems conversions are well controlled (e.g., completed pursuant to written procedures or plans).
C.13. Financial management ensures and monitors user involvement in the development of programs, including the design of internal control checks and balances.
C.14. There is a high degree of cooperation and interaction between users and the IT department (e.g., procedures to ensure ongoing monitoring by the IT department of user satisfaction with IT processing and policies for the development, modification, and use of programs and data files).
C.15. Application programs and data files are backed up regularly.
C.16. There is a current disaster recovery plan for the significant components of the IT infrastructure.
C.17. There is a business continuity plan that incorporates the disaster recovery plan and end-user department needs for timely recovery of critical functions, systems, processes and data.
C.18. The disaster recovery and business continuity plans are tested periodically (at least annually).
C.19. The disaster recovery and business continuity plans are updated for changing conditions.

Initial Assessment: Effective / Ineffective
Reason:

Communication
C.20. Lines of authority and responsibility (including lines of reporting) within the company are clearly defined and communicated.
C.21. There are written job descriptions and reference manuals that describe the duties of personnel.
C.22. Policies and procedures are established for and communicated to personnel at decentralized locations (including regional operations).
C.23. There is a training/orientation for new employees, or employees when starting a new position, to discuss the nature and scope of their duties and responsibilities. Such training/orientation includes a discussion of specific internal controls they are responsible for.
C.24. There is a process for employees to communicate improprieties. The process is well communicated throughout the agency. The process allows for anonymity for individuals who report possible improprieties. There is a process for reporting improprieties, and actions taken to address them, to senior management, the board of directors, or the audit committee.
C.25. All reported potential improprieties are reviewed, investigated, and resolved in a timely manner.
C.26. Employees believe they have adequate information to complete their job responsibilities.
C.27. There is a process to quickly disseminate critical information throughout the agency when necessary.
C.28. There is a process for tracking communications from customers, vendors, regulators, and other external parties.
C.29. Ownership is assigned to a member of management to help ensure that the agency responds appropriately, promptly, and accurately to communications from customers, vendors, regulators, and other external parties.

Initial Assessment: Effective / Ineffective
Reason:

Monitoring

Internal Audit function

D.1. The agency has an effective internal audit function.
D.2. The internal audit function is independent of the activities it audits and is prohibited from having operating responsibilities.
D.3. The internal audit function adheres to professional standards (e.g., International Standards for the Professional Practice of Internal Auditing).
D.4. The scope of internal audit activities is appropriate given the nature, size and structure of the agency.
D.5. The internal audit department develops an annual plan that considers risk in determining the allocation of resources.
D.6. The results of the internal audit activities are reported to senior management and COA auditors.

Initial Assessment: Effective / Ineffective

Reason:
Other monitoring activities

D.7. Periodic evaluations of internal control are reported to agency management and those charged with governance.
D.8. Personnel, in carrying out their regular duties, obtain evidence as to whether the system of internal control continues to function.
D.9. Policies and procedures are in place to ensure that corrective action is taken in a timely manner when control exceptions occur.
D.10. Agency management takes adequate and timely actions to correct deficiencies reported by the internal audit function or the independent auditors.
D.11. Internal audit or another department performs periodic reviews of internal control.
D.12. Agency management or those charged with governance review communications from external parties that highlight areas of internal control in need of improvement.

Initial Assessment: Effective / Ineffective

Reason:
Control Activities

E.1. Are accounting and closing practices followed consistently at interim dates (e.g., quarterly, monthly) throughout the year?
E.2. Is there appropriate involvement by management in reviewing significant accounting estimates and support for significant unusual transactions and nonstandard journal entries?
E.3. Is there timely and appropriate documentation for transactions?
E.4. Does the agency review its policies and procedures periodically to determine if they continue to be appropriate for the agency's activities?
E.5. Do members of management have ownership of the policies and procedures? Does the ownership include ensuring the policies and procedures are appropriate for the agency's activities?
E.6. Is there a budgetary system?
E.7. Does management review key performance indicators (e.g., budget, profit, financial goals, operating goals) regularly (e.g., monthly, quarterly) and identify significant variances? Does management then investigate the significant variances and is appropriate corrective action taken?
E.8. Are variances in planned performance communicated and discussed with the board of directors and/or audit committee at least quarterly?
E.9. Are financial statements submitted to operating management? Are they accompanied by analytical comments?
E.10. Is there an appropriate segregation of incompatible activities (e.g., separation of accounting for and access to assets, IT operations function separate from systems and programming, database administration function separate from application programming and systems programming)? Are organizational charts reviewed to ensure proper segregation of duties exist?
E.11. Are appropriate approvals from management required prior to allowing an individual access to specific applications and databases?
E.12. Are IT personnel prohibited from having incompatible responsibilities or duties in user departments?
E.13. Are there processes to periodically (e.g., quarterly, semi-annually) review system privileges and access controls to the different applications and databases within the IT infrastructure to determine if system privileges and access controls are appropriate?
E.14. Has management established procedures to periodically reconcile physical assets (e.g., cash, receivables, inventories, property and equipment) with related accounting records?
E.15. Are physical inventories/cycle counts taken on a periodic basis and the perpetual inventory system adjusted accordingly? Are significant or recurring adjustments investigated to determine the reason for the adjustment and are appropriate actions taken to address the reasons for the adjustments?
E.16. Has management established procedures to prevent unauthorized access to, or destruction of, documents, records (including computer programs and data files), and assets?
E.17. Is data processing access to non-data processing assets restricted (e.g., blank checks)?
E.18. Are access security software, operating systems software, and application software used to control both centralized and decentralized access to:
- Data
- Functional capabilities of programs (e.g., execute, update, modify parameters, read only)?
E.19. Is physical security over information technology assets (both IT department and users) reasonable given the nature of the agency's operations?
E.20. Is critical computer data backed up daily and stored off-site?
E.21. Are controls in place over dial-up access to the agency's computer resources (e.g., firewalls; centralized directories to store and manage user identities and resource privileges; automated policy-based request, approval, and fulfillment process for enterprise access)?
E.22. Is there a dedicated security officer function that monitors IT processing activities and are there periodic reports to the board of directors and/or audit committee on the current state of IT security at the agency?
E.23. Are there systems to monitor and respond to potential interruptions in agency operations due to incidents stemming from malicious intrusions, and to update security protocols to prevent them? Are security violations and other incidents automatically logged and reviewed?
E.24. Does the agency conduct periodic reviews/audits of IT security? If yes, are the results of the review/audit reported to the board of directors and/or audit committee?

Initial Assessment: Effective / Ineffective

Reason:


II. ALCC Summary

Columns: Observations | Recommendations | AOM Ref.


Phase 2 Agency Audit Planning and Risk Assessment Form 02-06: Process-Risk-Control Matrix

PROCESS-RISK-CONTROL MATRIX

Objective

The Process-Risk-Control Matrix facilitates the understanding of processes as well as the process-level risks and controls affected by the agency-level risks identified. This tool will guide the agency audit team in identifying their focus areas for a specific audit period by obtaining an initial view of the processes.

Accomplishing this Tool

a. Critical Path of the Process - Document the understanding of the significant process identified which is affected by the agency-level risks as reflected in the Agency Risk Identification Matrix. Auditors may use the narrative or flowchart form in documenting the process understanding. The level of detail needed for the documentation depends on the objective of the auditors. In any case, the documentation shall be sufficient to identify the process-level risks and controls, including the impact to the accounts and PAPs of the agency. The documented process should reflect the actual process being done by the agency. This should be validated by conducting process walkthroughs.

b. Process risks and existing controls

Process Risks - Identify the risks (what could go wrong) in the process through a risk statement. A process-level risk is any event or circumstance that could affect the achievement of the process objectives.

Impact: Accounts Affected (including assertions) - Identify the extent to which the risk, if realized, would impact the agency's financial statement accounts. This is critical for planning the financial audit aspect.

Impact: Risk to PAPs - Identify the impact of process-level risks to the achievement of the objectives of the agency's PAPs. Examples are damage to assets, reputation impacts and ability to achieve key objectives.

Existing Controls - Indicate the controls identified during the process understanding. The controls that should be documented are those that are being carried out at the time of the audit. Controls that have been presented in operations manual or procedures shall be validated through walkthrough procedures.

Control Design Assessment - Develop an initial assessment on the design of the controls based on the results of the walkthrough procedures conducted. Tick the appropriate box if the control design is adequate or inadequate.

Reason if inadequate - Provide the reason or the observation noted if the control design assessment is inadequate.

c. Summary

Key Observation - Document the observations obtained during the understanding of the processes, risks and controls. Observations may include deficiencies noted on the design of process-level controls or red flags that we may note on the process that may indicate source of fraud risks, among others. Incidentally, audit teams may need to issue an Audit Observation Memorandum (AOM) to call the attention of the agency for the observations noted.

Recommendation - Provide a recommendation (if applicable) for each key observation noted.

AOM Ref. No. - Indicate the AOM reference number for those observations issued with an Audit Observation Memorandum.

Last updated : March 2011 Version : 02-06/2011/v1


PROCESS-RISK-CONTROL MATRIX

Agency: ______________________________________
Audit Period: ______________________________________
Significant Process: ______________________________________
Significant Agency Risks: ______________________________________

Prepared: _______________________ Date: _______________________
Reviewed: _______________________ Date: _______________________
Approved: _______________________ Date: _______________________

a. Critical path of the process:


Our documentation of the flow of the process may be in narrative form or graphical form through the use of process mapping flowcharts. The form of documentation depends on the size and complexity of the process.


b. Identify Process Risks and Existing Controls


Columns: Process Risks | Impact: Accounts Affected (including assertions) | Impact: Risk to PAPs | Existing Controls | Control Design Assessment (Adequate / Inadequate) | Reason if inadequate

Summary

Columns: Key Observation | Recommendation | AOM Ref. No.


Phase 2 Agency Audit Planning and Risk Assessment Form 02-07: Audit Risk Assessment and Planning Tool

AUDIT RISK ASSESSMENT AND PLANNING TOOL

Objective

In order to develop an audit strategy that is responsive to the agency's risks, we make an audit risk assessment for relevant assertions of significant material accounts and the Agency's PAPs. The Audit Risk Assessment and Planning Tool will facilitate our documentation of our audit risk assessment for financial, compliance and performance audits. In addition, it also documents our audit strategy, scope and estimated timing, which will guide the development of our audit test procedures.

Accomplishing this tool:

A. Financial and Compliance

Significant Account - The significant and material financial statement account identified in the PRC Tool.

Assertion - Check the related assertion/s of the financial statement account identified in the PRC Tool.

Inherent Risk - Assess the inherent risk of the financial statement account and assertion. Our assessment of inherent risk may be higher or lower. Factors that may affect our inherent risk assessment are as follows:
- Susceptibility to material misstatement
- Size and composition
- Variations from expected amounts
- Effects of external factors
- Competence and experience of agency personnel
- Degree of subjectivity
- Completion of unusual/complex transactions at or near period-end
- Transactions not subjected to routine processing

Include in the justification the reason why we assessed inherent risk as higher or lower.

Control Assessment - Assess the control based on the adequacy of design. At this point, we also assess the effectiveness of the controls based on the results of walkthrough procedures conducted in Understanding the Process and based on testing results we obtained from the prior year's audit. Our assessment of the controls on the related financial statement account will be whether we are intending to rely or not rely on the controls. Include in the justification the reason why we intend to rely or not rely on the controls.

Last updated : March 2011 Version : 02-07/2011/v1


Note that this assessment is preliminary only. A final assessment shall be made after testing the controls in the execution phase (in case we intend to rely at this point).

Risk Assessment - This refers to our combined risk assessment by considering our inherent risk and control assessment. Combined risk assessment is determined by using the following diagram:

                        Inherent Risk Assessment
Control Assessment      Low          High
High                    Moderate     High
Low                     Minimal      Low

The above diagram can also be interpreted as follows:

Inherent Risk Assessment & Control Risk Assessment = Combined Risk Assessment
Low & Low = Minimal
High & Low = Low
Low & High = Moderate
High & High = High

Audit Strategy - Indicate whether our main strategy would be testing the controls or substantive tests. Test of controls will be the audit strategy for accounts assessed as Minimal or Low (we are intending to rely on the controls), whereas substantive procedures will be the audit strategy for accounts assessed as Moderate or High.

Timing - Indicate the estimated date when the audit test procedures for the financial statement account will commence.

Person Days - Indicate the amount of time or duration for the completion of the audit test procedures.

B. Performance

Column Headings (Selection Factors) - Assign risk weights for each selection factor. Risk weights are expressed as percentages and, when summed up, should equal 100%. The assignment of risk weights is based on the auditor's judgment. To minimize bias/subjectivity, the assignment of risk weights should be discussed among the audit team members and should be reviewed by the Supervising Auditor/Director. Illustrated below are examples of how to assign risk weights:

Example 1: If the auditors would like to give equal risk weights on selection factors and lesser weight on visibility, auditability and previous audit coverage:
Selection Factors: Materiality (20%) | Impact (20%) | Visibility (10%) | Significance (20%) | Risk to Good Management (20%) | Auditability (5%) | Previous Audit Coverage (5%)

Example 2: If the auditors would like to focus more on the budget allocated for the PAPs:
Selection Factors: Materiality (50%) | Impact (10%) | Visibility (10%) | Significance (10%) | Risk to Good Management (10%) | Auditability (5%) | Previous Audit Coverage (5%)

Example 3: If the auditors would like to focus only on the Budget allocation and the Significance of the PAPs on the Agency's Mandate:
Selection Factors: Materiality (50%) | Significance (50%)

Note that the auditors may remove selection factors that they wish not to consider in their evaluation of the agency's PAPs. Larger risk weights may be allocated to those selection factors that the auditors wish to focus on more. As illustrated in the 3 examples, the total of risk weights allocated to the selection factors is always equal to 100%. Detailed definitions of the selection factors are contained in the IRRBA Manual.

PAPs - List down the Agency's Significant PAPs.

Selection Factors - For each PAP, assign points for each selection factor. The points to be given for each selection factor should not exceed the risk weight assigned on the column heading of that selection factor. See illustration below:

PAPs | Materiality (20%) | Impact (20%) | Visibility (10%) | Significance (20%) | Risk to Good Management (20%) | Auditability (5%) | Previous Audit Coverage (5%) | Total
Program A | 20 | 15 | 8 | 20 | 10 | 5 | 5 |
Program B | 18 | 15 | 5 | 15 | 15 | 5 | 5 |


Note that the maximum amount of points to be given for each selection factor is the risk weight assigned in the column heading. Assignment of points is based on the auditor's judgment. To minimize bias/subjectivity, the assignment of risk weights should be discussed among the audit team members and should be reviewed by the Supervising Auditor/Director.

Total - Sum up all the points given in the selection factors for the particular PAP.

Basis for Assessment - Indicate the auditor's remarks/bases why such points were given for each particular PAP.

PAPs to be subjected for performance audit - This table summarizes the PAPs selected to be subjected for performance audit during the audit period. Selection of PAPs will be based on the result of the assessment performed in the preceding table (PAPs with higher total points will be selected). The number of PAPs to be subjected for performance audit will depend on the auditor by considering their workload for the audit period and their available resources, i.e., manpower, competencies and so on.

Significant PAPs - List down the PAPs to be subjected for performance audit for the audit period.

Audit Focus Area - Identify the specific areas of the PAPs to be focused on for the performance audit (e.g., procurement, delivery of services, efficiency of operations).

Audit Aspect - Check whether the objective of the performance audit is to check the economy, efficiency or effectiveness of the PAP. The auditor may select one or more audit aspects depending on the scope of the performance audit.

Timing - Indicate the estimated date when the performance audit will commence.

Person Days - Indicate the amount of time or duration for the completion of the performance audit.

C. Specialized Skills Needed

This part identifies professionals with specialized skills needed for the audit and defines their scope of work and timing.

Specialized Skills Needed - Identify the professional with specialized skills to be needed in our audit. (Professionals with specialized skills may pertain to engineers, IT auditors, actuaries and the like who would be of help in the execution of audit procedures that require technical skills.)

Office - Identify the office of the Specialized Skills Needed (e.g., TSO for Engineers, ITO for IT Auditors).

Scope - Identify their scope of work (e.g., infrastructure projects to be reviewed by engineers, computer programs to be evaluated by IT Auditors).

Timing - Indicate the estimated date when the conduct of audit procedures will commence.

Person Days - Indicate the amount of time or duration for the completion of the audit procedures.

D. Other Material Accounts

These were formerly termed LORMA or Low Risk Material Account. These are material accounts that were not considered in the audit risk assessment for financial and compliance audit. Other Material Accounts will be subjected to High-level precision analytics or test of details, if necessary.

Other Material Accounts - List down the account titles of Other Material Accounts.

Timing - Indicate the estimated date when the conduct of High-level precision analytics would commence.

Person Days - Indicate the amount of time or duration for the completion of the analytic procedures.

Person/s Responsible - Indicate the audit staff who will perform the procedures for Other Material Accounts.


AUDIT RISK ASSESSMENT TOOL


Agency:
Region:
Audit Period:
Prepared by: Date:
Reviewed by: Date:
Approved by: Date:

In order to develop an audit strategy that is responsive to an agency's risk of material misstatement, we make a risk assessment for financial and compliance, and performance audits.

A. Financial and Compliance

For financial and compliance, we make our risk assessment by assessing the inherent risk, preliminary control risk and combining both assessments to arrive at an overall risk assessment for each relevant assertion for each significant account.

Columns: Significant Account/Critical Process | Assertion | Inherent Risk (IR) | Control Risk (CR) | Risk Assessment | Audit Strategy | Timing | Person Days | ATS Ref.

Options to tick for each Significant Account/Critical Process:
Assertion: Existence/Occurrence, Completeness, Accuracy, Rights and Obligations, Presentation & Disclosure, Compliance
Inherent Risk (IR): Low / High, with Justification
Control Risk (CR): Low-Rely on Controls / High-Not Rely on Controls, with Justification
Risk Assessment: Minimal / Low / Moderate / High
Audit Strategy: TOC / Substantive Test

B. Performance

Columns: PAPs | Selection Factors: Materiality (__%), Visibility (__%), Significance (__%), Risk to Good Management (__%), Auditability (__%), Previous Audit Coverage (__%) | Total | Bases for Assessment

PAPs to be subjected for performance audit:

Columns: Significant PAPs | Audit Focus Area | Audit Aspect (Economy / Efficiency / Effectiveness) | Timing | Person Days

C. SPECIALIZED SKILLS NEEDED

Columns: Specialized Skills Needed | Office | Scope | Timing | Person Days

D. OTHER MATERIAL ACCOUNTS


Identify Other Material Accounts that were not considered in the Financial and Compliance Audit Risk Assessment. Audit procedures for Other Material Accounts include High-level precision analytics and Tests of Details, if necessary.

Other Material Accounts: Timing: __________________. Person Days: _______ . Person/s Responsible: ____ .


Phase 3A Execution

DELIVERY: EXECUTION
[Figure: Integrated Results and Risk-Based Framework. Planning: Strategic Planning and Risk Identification; Agency Audit Planning and Risk Assessment. Delivery: Execution; Conclusion and Reporting. Monitoring (Quality Control System).]

Introduction

The Execution activity covers our procedures in designing and executing our audit tests, evaluation of results and communicating the same to the agency management.

Our audit tests should be designed to obtain audit evidence regarding the completeness, accuracy, validity of data, and reasonableness of the estimates and other information. They should also be designed to identify errors, non-compliance, inefficiency, and ineffectiveness that could be indicative of weaknesses in the agency's operations. Audit results are communicated to the agency management in a timely manner for them to take necessary action to prevent its recurrence.

The following are the activities involved in this phase:
3A.1. Design Audit Tests
3A.2. Execute Audit Tests
3A.3. Evaluate Audit Results
3A.4. Communicate Audit Results

Last updated : March 2011 Version : 03-00/2011/v1


Supplemental:
3A-S1 Execution Financial & Compliance
3A-S2 Execution Performance
3A-S3 Sample Test of Control Working Paper
3A-S4 Sample Substantive Test Audit Program

Procedures

3A.1. Design Audit Tests

We design our audit tests through the preparation of the Audit Test Summary (Form 03-01) that lists our audit procedures to obtain sufficient appropriate audit evidence. This enables us to draw reasonable conclusions on which to base our opinion. Our audit procedures should be designed in accordance with the nature, extent and timing of audit approach identified in our Audit Assessment and Planning Memorandum.

The table below describes the nature of audit procedures we may use to obtain audit evidence in executing audit tests, together with examples on how to apply such procedures:

Procedures | Application

Inquiry | Seeking information from knowledgeable persons, both financial and non-financial, throughout the agency or outside the agency. Inquiries can be either written or oral. Evaluating responses is an important part of the inquiry process, as it may provide information not previously obtained or will corroborate audit evidence already obtained. Responses to inquiries may provide a basis for us to modify or perform additional audit procedures. In certain circumstances, we may consider obtaining written representations from agency management, to confirm responses to oral inquiries.

Observation | Watching processes or procedures being performed by the agency's personnel. Observation provides audit evidence about the performance of a process or procedure, but is limited to the particular point in time at which the observation takes place. In addition, the act of being observed may affect how the process or procedure is performed.

Inspection | Examine records or documents, whether internal or external, in paper or electronic form, or other media. Inspection of records and documents provides audit evidence of varying degrees of reliability, depending on their nature and source and, in the case of internal records and documents, on the effectiveness of the controls over their production. Inspection includes physical examination (e.g., inspection of individual fixed assets), which provides audit evidence with respect to their existence, but not necessarily about the agency's rights and obligations or the valuation of the assets.

Recalculation | Checking the mathematical accuracy of documents or records. Recalculation may be performed manually or electronically.

Reperformance | Our independent execution of the relevant control procedures that were originally performed as part of the agency's internal control, either manually. We re-perform the control procedures to obtain audit evidence that the procedures were appropriately performed as designed.

Data Analysis | In certain situations, we may be able to use data analysis techniques, principally through the use of automated tools, to obtain evidence about the operating effectiveness of control.

Supplemental Audit Guidelines

Refer to the following supplemental audit guidelines for designing of audit tests in the context of each audit:
Financial and Compliance Audit: F3.1
Performance Audit: P3.1

3A.2. Execute Audit Tests

We execute audit tests throughout the audit period in accordance with the nature, extent and timing of the audit procedures as designed in the previous sub-activity.

Audit Evidence Considerations

The quality of audit evidence is affected by the relevance and reliability of the information upon which it is based. Relevance deals with the logical connection with, or bearing upon, the purpose of the audit procedure or the assertion being tested. The reliability of information to be used as audit evidence is influenced by its source and nature and the circumstance under which the evidence is obtained. The following factors influence the reliability of audit evidence:
- The reliability of audit evidence is increased when it is obtained from independent sources outside the agency.
- The reliability of audit evidence that is generated internally is increased when the related controls imposed by the agency are effective.
- Audit evidence obtained directly is more reliable than audit evidence obtained indirectly or by inference.
- Audit evidence in documentary form, whether paper, electronic, or other medium, is more reliable than evidence obtained orally.
- Audit evidence provided by original documents is more reliable than audit evidence provided by photocopies or fax, or documents that have been filmed, digitized or otherwise transformed into electronic form, the reliability of which may depend on the controls over their preparation and maintenance.

Accounting Estimates

If our planned procedures include testing how management determined the accounting estimate, we evaluate whether:
- The method of measurement used is appropriate in the circumstances (e.g., in relation to the agency's operations, sector and environment), including agency management's rationale for selecting the method.
- The assumptions used by agency management are reasonable in light of the measurement requirements of the applicable financial reporting framework, including the consistency of the assumptions with our understanding of management's intent and ability to carry out certain courses of action.

Our evaluation of the assumptions used by agency management is based only on information available to us at the time of the audit. In evaluating the reasonableness of the assumptions used by agency management we may consider whether:
- Individual assumptions appear reasonable
- The assumptions are interdependent and internally consistent
- The assumptions appear reasonable when considered collectively or in conjunction with other assumptions, either for that accounting estimate or for other accounting estimates
- In the case of fair value accounting estimates, the assumptions appropriately reflect observable marketplace assumptions

External Confirmation Procedures

a. Evaluation Confirmation Responses

Confirmation exceptions may be given to the agency for investigation after we establish control by making a copy or other record of the confirmation reply. If agency personnel are used to investigate exceptions, we inspect, at least on a test basis, evidence explaining and reconciling the exceptions. We determine whether significant and/or frequently recurring exceptions may be indicative of a pattern of errors in the unconfirmed accounts.
Last updated: March 2011. Version: 03-00/2011/v1


We also exercise professional skepticism when dealing with unusual or unexpected responses to confirmation requests (e.g., a significant change in the number or timeliness of responses to confirmation requests relative to prior audits), or a non-response when a response would be expected. These circumstances may indicate previously unidentified risks of material misstatement due to fraud. In such cases, we reconsider the judgments we made in planning our audit approach and our CRA, and the effect on our planned procedures.

a. Alternative Procedures

When we do not receive replies to positive confirmation requests, we apply alternative procedures to the non-responses to obtain the evidence necessary to reduce audit risk to an acceptably low level. The nature of alternative procedures to be performed varies according to the account and assertion. We apply our alternative procedures to each item making up the balance for which we have not received confirmations.

Substantive Analytical Procedures

We execute our substantive analytical procedures and compare the recorded amount, trend or ratio with our expectation. When the difference between the recorded amount, trend or ratio and our expectation is less than our variance threshold, no further investigation is required. If we identify differences that exceed our variance threshold, or fluctuations or relationships that are inconsistent with other relevant information, we investigate them by:
- Inquiring of management to provide an explanation
- Obtaining audit evidence to support agency management's responses

3A.3. Evaluate Audit Results

When we execute our audit test procedures, we may identify findings or misstatements. The identification and accumulation of misstatements is one of our most important audit responsibilities and is critical in enabling us to formulate our audit opinion. A misstatement may also result from fraud, such as:
- Manipulation, falsification or alteration of accounting records or supporting documentation from which the financial statements are prepared
- Misrepresentation in, or intentional omission from, the financial statements of events, transactions or other significant information
- Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation or disclosure
- Misappropriation of assets that has not been detected and recorded

If we identify an intentional misstatement in the financial statements, we determine if this is an incident of suspected fraud or represents non-compliance with applicable laws and regulations. We report the matter to the Supervising Auditor of the engagement and communicate it to the appropriate level of agency management. In this case, the appropriate level of agency management is at least one level above the person(s) who appear to be involved with the misstatement.

3A.4. Communicate Audit Results

We conclude on the results of our audit procedures and assess whether we have obtained sufficient appropriate audit evidence for each significant account, disclosure and assertion. We document a conclusion statement for each significant account and disclosure that addresses the execution of the designed procedures, the adequacy of those procedures, and, when identified, significant findings. For significant findings and issues, our conclusions include a summary of the procedures performed, the results of our procedures, including significant professional judgments and consultations made, and any misstatements identified.

Communication of Audit Findings

Agency Management does not like surprises, and they are generally more willing to correct identified audit findings when they are notified early. Early notification gives the agency time to investigate the cause of the misstatement, evaluate it and perform additional work, if necessary, to quantify it.

We discuss each audit finding with the appropriate level of agency management to confirm that our understanding of the nature and cause of the audit finding is factually correct. We also discuss what actions the agency can take to prevent an error's recurrence. The appropriate level of agency management is the one that has responsibility and authority to evaluate the audit finding and take the necessary action to prevent its recurrence. Generally, this depends on the agency's organization structure and the nature and significance of the audit finding.

If the agency disagrees that there is an audit finding, or disputes the amount involved, we ask the agency to support its position by providing additional audit evidence. We exercise professional skepticism when auditing the additional evidence to verify whether it supports the agency's position. If, in our opinion, the evidence provided by the agency does not support the agency's position, we determine the effect on our audit opinion, which may include consulting with the Supervising Auditor or Cluster Director.

Documentation

We communicate our audit findings to the agency's management through the issuance of the following documents in accordance with COA Circular No. 2009-006:
- Audit Observation Memorandum (AOM)
- Notice of Suspension (NS)
- Notice of Disallowance (ND)
- Notice of Charge (NC)

Note that AOM/NS/ND/NCs can be issued at any point in or stage of the audit process.

Policy and Standard

Policy/Standard    Description
ISSAI 1230         Audit Documentation
ISSAI 1330         The Auditor's Responses to Assessed Risks
ISSAI 1450         Evaluation of Misstatement Identified during the Audit
ISSAI 1500         Audit Evidence
ISSAI 1505         External Confirmations
ISSAI 1520         Analytical Procedures
ISSAI 1530         Audit Sampling
ISSAI 1540         Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures


Documentation

Procedure and Sub-procedure:
- 3.1 Design Audit Tests
- 3.2 Execute Audit Tests
- 3.3 Evaluate Audit Results
- 3.4 Communicate Audit Results

Output/Tools:
- Form 03A-01 Audit Test Summary
- Audit Observation Memorandum
- Notice of Suspension
- Notice of Disallowance
- Notice of Charge


Supplemental 3A-S1 Execution Financial & Compliance

DESIGN AUDIT TESTS FINANCIAL AND COMPLIANCE


This supplement provides additional considerations in the design of audit tests for our Financial and Compliance Audit. We use this supplement in conjunction with the Design Audit Tests sub-activity in Execution.

Procedures

F3.1 Design Audit Tests

F3.1.1 Design Tests of Controls

a. Determine the appropriate controls to select and test

We use our professional judgment in determining the appropriate controls to select and test, recognizing that it may be more effective and efficient to select and test controls that address multiple process risks and assertions. If a process risk is addressed by more than one control, we are not required to select and test every control. We also consider selecting controls tested by internal audit and others that we are able to rely on, as this may be an effective and efficient approach to obtain sufficient appropriate audit evidence about the operating effectiveness of those controls.

b. Confirm that controls to test are relevant to the audit

We identify and document controls that are relevant to the audit when we understand the processes. However, to avoid selecting inappropriate controls to test, we confirm that the controls selected to test are relevant to the audit, considering the following:
- The nature of the control.
- The control appropriately addresses the risk scenario(s) for the relevant assertion(s) to prevent or detect and correct misstatements.
- The relevance and reliability of evidence we expect to be available to support the operating effectiveness of the control.
- The objectivity and competency of the person performing the control.
- The control is applied to a complete and reliable set of data.


Subsequent Audits

In subsequent years, we use our understanding of the operating effectiveness of controls tested in prior periods to determine whether to select the same controls to test, considering:
- The results or findings of procedures performed and conclusions reached from prior periods. We determine if these controls are still relevant for the purpose of our audit.
- Changes that have occurred in significant processes since the prior period that may affect the relevance of the controls to respond to existing or additional risk scenarios identified. We determine the effects of these changes over the controls that we plan to rely on and evaluate if the controls are still effective to address the process risks for the relevant assertions.

F3.1.2 Design Substantive Tests

a. Customize substantive tests for significant accounts in accordance with our audit strategy outlined in the Audit Assessment and Planning Memorandum

b. Plan the timing of substantive tests

The timing of our substantive tests is primarily driven by our Risk Assessment conducted in Phase 2. We may design our substantive tests to be performed at an interim date(s). These interim tests of details provide benefits such as:
- Enabling earlier identification of significant findings and issues
- Allowing more time to address and resolve significant findings and issues
- Reducing work performed during year end
- Helping to manage tight reporting deadlines

Timing of Substantive Tests

We may design the timing of our interim substantive tests as follows:
- Earlier in the reporting period (e.g., up to six months before the balance sheet date) if the Risk Assessment is minimal
- During the later portion of the reporting period (e.g., up to three months before the balance sheet date) if the Risk Assessment is low
- At or near the period end (e.g., up to one month before the balance sheet date) if the Risk Assessment is moderate or high

When Interim Tests may not be effective

Interim tests of details may not be effective or efficient in the following circumstances:
- Significant changes are expected to the agency, because more extensive rollforward procedures will be needed as a result of the changes
- The agency does not prepare or analyze financial statements at the interim date, as this affects our ability to perform interim audit procedures
- The agency's accounting system does not provide details of transactions for the period between the interim date and the balance sheet date, as this affects our ability to perform rollforward procedures
- There are significant risks that affect the significant account, disclosure or relevant assertion which may require more extensive rollforward procedures

Rollforward Considerations

When we design interim procedures, we also design rollforward procedures to obtain sufficient audit evidence that provides a reasonable basis for extending our audit conclusions at the date of our interim procedures to the year end. The extent of rollforward procedures shall be customized depending on the rollforward period and risk assessment as follows:


RISK ASSESSMENT

Rollforward period: Less than 1 month
- Minimal: Update lead schedule and extend substantive analytical procedures to the balance sheet date.
- Low: Update lead schedule and extend substantive analytical procedures to the balance sheet date.
- Moderate: Update lead schedule and extend substantive analytical procedures to the balance sheet date. Design additional procedures during the rollforward period to address higher inherent risks. Analyze and understand movements during rollforward period, which may include preparing or obtaining a detailed rollforward schedule. Test a sample of transactions in the rollforward period.
- High: Update lead schedule and extend substantive analytical procedures to the balance sheet date. Analyze and understand movements during rollforward period, which may include preparing or obtaining a detailed rollforward. Test a sample of transactions in the rollforward period. Design additional procedures during the rollforward period to address higher inherent risks.

1 to 3 months

Same as above

3 to 6 months

Same as above

Same as above. Consider testing a sample of transactions made during the rollforward period. N/A

N/A

N/A

N/A

N/A


c. Design procedures for Other Material accounts

Our procedures for Other Material accounts are limited to substantive analytical procedures and limited tests of details, when appropriate, that are designed to confirm the basis of assessing the account as not significant.

F3.2 Execute Audit Tests

Execute Tests of Controls and Substantive Tests

Refer to the attached Diagram for the Execution of Tests of Controls and Substantive Tests.


FINANCIAL AUDIT EXECUTION

[Diagram for the Execution of Financial Audit. Flowchart elements: Risk Assessment (Minimal, Low, Moderate, High); Design Tests of Controls (Audit Work Program); Execute Tests of Controls; Control Exceptions noted? (No / Yes); Determine and Evaluate Audit Response; Conclude on operating effectiveness; Rely on Controls; Not Rely on Controls; Reassess; Design Tests of Details: Less extensive tests of details (Audit Work Program); Design Tests of Details: More extensive Tests of Details (Audit Work Program); Execute Tests of Details.]


3A-S2 Execution Performance

DESIGN AUDIT TESTS PERFORMANCE


This supplement provides additional considerations in the design of audit tests for Performance Audit.

Procedures

P3.1 Design Audit Tests

P3.1.1. Define Audit Objectives

The audit objectives should articulate what the audit is to accomplish. This means phrasing the objectives to identify the audit subject and the performance aspect to be included. Because it is rare for one to audit all aspects of value for money, it is important to know, in planning, what aspect or aspects are going to be included. This is critical in establishing the audit boundaries or scope, criteria and approach.

P3.1.2. Develop Audit Criteria

Types of Performance Audit Criteria

There are two types of criteria in Performance Audit: the general criteria and the specific criteria.

General Criteria

General Criteria are broad statements of acceptable and reasonable performance. They are often derived from common sense or general rationality. For example, the procedures in an organization may be too cumbersome to be effective. Even a general review of its procedures may suggest potential areas for simplification. Thus the auditors would need to acquaint themselves with generally accepted management practices of different areas. These practices can be adopted as general audit criteria for an audit assignment.

Specific Criteria

Specific criteria are more closely related to the agency's legislation, objectives, programs, controls and systems. Specific criteria are mostly derived from the objectives laid down for a particular project or program and their related standards and practices. For example, a malaria eradication program may have laid down a target of eradicating the disease over a certain period, or a mass literacy program may have laid down a target literacy ratio over the plan period. These program objectives can be adopted as specific criteria for the project or program. Auditors face difficulties in this area as well. In most cases, the objectives are not given in a specific quantified form, which is always a challenge to the auditors.

Specific criteria are closely related to the particular operations in specific areas. Auditors need to know the details of those operations. For example, when auditing an energy project, the specific audit criteria could include standards for such activities as fuel inputs for electricity generation, range of cost per unit for power generation, close-down time for routine maintenance of the power house, ratio of average maintenance cost to total capital cost of the plant and expected output of energy. Until auditors familiarize themselves with the operations, they cannot establish a reasonable specific audit criterion. In highly specialized or technical areas auditors may require the assistance of technical experts. In fact, one of the auditing standards prescribes that the auditors should collectively possess the qualification and competence to audit an organization or a project. For technical projects, this competence can be achieved through a team of auditors that consists of professional auditors and technical experts.

Sources of Audit Criteria

In order to avoid always creating audit criteria from the basic principles for each audit, auditors should investigate existing sources of criteria. Audit criteria can be derived from a number of sources. However, the judgment of the auditor plays an important role in identifying relevant and reliable sources. The following can often be used as sources of criteria:
- Basic planning documents such as feasibility study and approved plan
- Financial reports of the agency
- Expenditure reports
- Budget documents
- Project reports
- Criteria published by other audit agencies
- Similar audit agencies
- Standards set by International bodies
- Government policies and directions
- Laws, rules, regulations
- Literature on the subject matter
- Pronouncements by professional bodies and standard bodies
- Past performance
- Performance standards set by management
- Interviews with professionals

Auditors should seek guidance from all such sources and then formulate realistic audit criteria. While doing so, they must appreciate the local conditions. For example, it would be unfair to apply quality of drinking water standards issued by the World Health Organization in a developing country where simple availability of potable water is a problem. When adopting generally accepted management practices of developed countries, suitable adjustments should be made in consultation with experienced people.

P3.1.3. Develop Audit Work Program

Audit programs are guidelines for actions during the execution phase of the audit. Audit programs set out the detailed audit procedures for cost effective collection of evidence.

Purpose of Audit Program

Developing a program for carrying out audits is a key link between the development of audit objectives and the conduct of an audit leading to a defensible report. In this respect, audit programs serve as:
- A guide for gathering competent, relevant, sufficient evidence during the execution phase of audit in a cost-effective way;
- A framework for assigning work amongst the members of the audit team;
- A means of transferring knowledge to junior staff; and
- A basis for documenting the work done and the exercise of due care.

Developing an Audit Program

The audit objective and criteria will normally be tested by an audit program of audit procedures/techniques that include:
- Physical observation (which may include photography and video)
- Interview
- Questionnaire
- Documents review
- Data analysis

In developing an audit program, it is important that the procedures:
- Relate to the audit objectives and criteria which will enable the collection of relevant evidence on issues which will maximize the impact of the audit;
- Are clearly stated and include sufficient details to enable them to be readily understood by those carrying out the audit;
- Are organized in a logical manner so that the audit examination can be conducted as efficiently as possible;
- Form an efficient method of gathering sufficient evidence without superfluous testing; and
- Take account of any earlier related audit work/published research on the topic.

Performance Audit Work Programs will need to be customized for each audit. Furthermore, factors to be considered when developing the programs include:
- Size: Audit programs generally increase in size and complexity (more detailed procedures, questionnaires and checklists) with increases in the size of the audit;
- Geographic dispersion: The dispersion and location of sites to be visited will affect the audit program. Detailed procedures may be required to ensure consistency when different personnel are carrying out the same audit at different locations;
- Audit environment: Management's receptiveness to being audited, whether it is the first audit of the area, and the sensitivity of the area in the organization will affect the way in which procedures are developed and applied;
- Components of the system to be audited, e.g. its inputs, processing, activities and outputs; and
- Whether broad issues only have been identified, or specific criteria are available.

P3.2. Execute Audit Tests

Refer to the attached Diagram for the Execution of Performance Audit.


3A-S3 Sample Test of Control Working Paper


NOTE: The items in this document are just samples to illustrate the template. They do not represent any factual data or any result of prior audit projects.

Process: Cash Disbursement
Sub-process: Payment for goods
Accounts Affected: Cash, Accounts Payable

Prepared by: J. Dela Cruz    Date: 08-31-2010
Reviewed by: A. Santos       Date: 09-02-2010

TEST OF CONTROLS WP# _CD-01_

Process Risk:
- Cash payments may be made for goods not delivered
- Cash payments may be made for goods not ordered
- Duplicate processing of cash disbursements may be made
- Cash payments may not be recorded in the proper amount
- Duplicate posting of cash disbursement may be made on the ledger

Controls and Control Testing Procedures:
- Control (Control Ref. 1): Accounting staff performs three-way match by comparing vendor's invoice with receiving reports and purchase orders.
  Control Testing Procedure: Examine whether vendor's invoices, receiving reports and purchase orders are attached to the cash disbursement vouchers.
- Control: Accounting staff stamps "Paid" on processed cash disbursement vouchers including supporting documents.
  Control Testing Procedure: Examine whether processed cash disbursement vouchers and supporting documents are duly stamped "Paid."
- Control: Accounting Head reviews cash disbursement vouchers and supporting documents prepared by accounting staff before posting to the ledger.
  Control Testing Procedure: Examine whether cash disbursement vouchers are reviewed and signed by the Accounting Head.
- Control: Accounting staff stamps "Posted" on posted cash disbursement vouchers.
  Control Testing Procedure: Examine whether posted cash disbursement vouchers are duly stamped "Posted."


Item #   Cash Disbursement Voucher   Date        Payee                      Remarks
1        CD - 00545                  5/22/2010   ABC Company                No signature of Accounting Head on the CD Voucher
2        CD - 01345                  7/12/2010   XYZ Corp.
3        CD - 00112                  2/26/2010   XXX Mfg., Inc.
4        CD - 00050                  1/31/2010   AAA Medical Laboratories
5        CD - 00358                  3/25/2010   ABC Company

[Control Ref. columns: per-item tick marks for each control tested.]


3A-S4 Sample Substantive Test Audit Program

Agency:              Prepared:        Date:
Audit Period:        Reviewed:        Date:

Significant Account: Cash

Audit Objectives

Audit Assertions: E/O, C, R&O, V, P&D, Comp (each marked ✓)

Audit Procedures to Consider

Columns: Audit Procedures; Assertions Addressed; W/P Ref.; Assigned to; Prepared by; Reviewed by; Mandays

1.
2.
3.
4.
5.
6.
7.
8.


Phase 3A - Execution Form 03A-01: Audit Test Summary

AUDIT TEST SUMMARY


Objective

The Audit Test Summary is used to document our approach in executing financial and compliance audit tests for each significant account. We also document the results of our audit tests performed and conclusions reached based on such results.

Accomplishing this tool:

Significant Account: Indicate the account title of the significant account. Significant accounts are taken from the significant accounts identified in Part A of the Audit Assessment and Planning Memorandum.
Account Balance: Indicate the balance of the account.
Audit Risk Assessment: Check the audit risk assessment based on Part A of Audit Assessment and Planning Memorandum. The Risk Assessment will determine our audit strategy in the execution phase.

Part I: Test of Controls (TOC)

Note: TOC is performed only for accounts assessed as Minimal or Low (wherein we rated control risk as Low - we are intending to rely on controls). If our audit risk assessment is either Moderate or High, we will only accomplish Part II of this template.

Process: Indicate the process/es where TOC for the significant account will be done.
Controls to be Tested: List down specific controls to be tested.
Person/s Assigned: Indicate the person/s who will execute the TOC for the significant account.
Due Date: Indicate the estimated date when the TOC is expected to be completed.
TOC Working Paper Reference: Indicate the working paper reference where the execution of the TOC is documented.

Summary of Test Results

Findings: Indicate the findings or exceptions noted during the conduct of TOC.

Last updated: March 2011. Version: 03-01/2011/v1


Recommendation: Indicate recommendations to correct the findings or other comments for the improvement of the Agency's controls on the process.
TOC W/P Ref.: Indicate the working paper reference where the findings/exceptions were noted.
AOM Ref.: Indicate the AOM reference number (if any).
Conclusion: Indicate our conclusion statement on the operating effectiveness of the controls tested.
Final Assessment of Control Risk: Based on the results of the TOC conducted, make a final assessment of Control Risk:
- Low: Controls are operating effectively
- High: Controls are not operating effectively

In case our final control risk assessment is High, we need to reassess the overall audit risk. The reassessed audit risk will be Moderate or High depending on the inherent risk assessment, as illustrated in the diagram below:

                             Control Risk Assessment
Inherent Risk Assessment     Low          High
High                         Low          High
Low                          Minimal      Moderate

Part II: Substantive Tests

Extent of Testing: Check the appropriate box for the extent of testing (i.e., Extensive for Moderate or High; Less Extensive for Minimal or Low).
ST Work Program Reference: Indicate the working paper reference where the execution of the ST is documented.

Summary of Test Results

Findings: Indicate the findings or exceptions noted during the conduct of ST.
Recommendation: Indicate recommendations to correct the findings.
ST W/P Ref.: Indicate the working paper reference where the findings/exceptions were noted.
AOM Ref.: Indicate the AOM reference number (if any).
Conclusion: Indicate our conclusion statement whether the account is fairly presented in the Agency's financial statements (considering unbooked adjusting journal entries, if any).


AUDIT TEST SUMMARY


Agency:
Audit Period:
Prepared by:          Date:
Reviewed by:          Date:
Approved by:          Date:

Significant Account:
Account Balance:

Audit Risk Assessment: [ ] Minimal   [ ] Low   [ ] Moderate   [ ] High

Part I: TEST OF CONTROLS

Note: TOC is not performed if audit risk assessment is High or Moderate since our preliminary assessment of Control Risk is High - Not Rely on Controls

Process: _______________________
Controls to be Tested:
Person/s Assigned: ____________________________
Due Date: ___________________________________
TOC Working Paper Reference: __________________

Summary of Test Results

Columns: Findings; Recommendation; TOC W/P Ref.; AOM Ref.

Conclusion

Final Assessment of Control Risk

[ ] Low - Rely on Controls (Controls are operating effectively)
[ ] High - Not Rely (Controls are not operating effectively)
    Re-assess audit risk: [ ] Moderate   [ ] High


Part II: SUBSTANTIVE TEST

Extent of Testing: [ ] Extensive (For Moderate or High)   [ ] Less Extensive (For Minimal or Low)
ST Work Program Reference:

Summary of Test Results

Columns: Findings; Recommendation; ST W/P Ref.; AOM Ref.

Conclusion


Phase 3B Conclusion and Reporting

DELIVERY: CONCLUSION AND REPORTING


[Diagram: Integrated Results and Risk-Based Audit Framework. Elements: Planning (Strategic Planning and Risk Identification; Agency Audit Planning and Risk Assessment); Delivery (Execution; Conclusion and Reporting); Monitoring (Quality Control System).]

Introduction

The Delivery phase is divided into two parts: (1) Execution and (2) Conclusion and Reporting. Conclusion and Reporting is the last step of the audit, wherein the results of the audits conducted are communicated to the agency and oversight bodies. This section provides guidelines in preparing audit conclusions and audit reports. In this section, other types of audits [e.g., Fraud Audit and Government-wide and Sectoral Performance Audit (GWSPA)] conducted are considered in the preparation of reports on financial, compliance, and performance audits.

This part covers:
- summarizing audit results;
- preparing audit report;
- performing final overall audit review;
- wrapping-up and archiving the engagement; and
- following-up agency action plans.


The following are the activities involved in this phase:

3B.1. Summarize Audit Results
    3B.1.1 Prepare summary of audit results and recommendations
    3B.1.2 Discuss results of other types of audit conducted
3B.2. Prepare Audit Report
3B.3. Perform Overall Audit Review
    3B.3.1 Perform overall review and approval
    3B.3.2 Issue report
3B.4. Wrap-up and Archive the Engagement
3B.5. Follow-up Agency Action Plan

Procedures

3B.1. Summarize Audit Results

Accumulated results of financial, compliance, and performance audits are summarized at the end of the audit. Significant findings, issues and observations, including misstatements, are summarized and discussed with the agency. The conclusion for each misstatement, finding, issue, and observation is documented. This serves as the basis for formulating an audit opinion in the audit report. Results of Fraud audit and GWSPA conducted by other audit teams are also considered in this section.

3B.1.1 Prepare summary of audit results and recommendations

The identification and accumulation of misstatements are performed in the Execution phase of the audit. It is one of the most important audit responsibilities and is critical in enabling the auditors to formulate an audit opinion. After the audit exit conference with the agency, the auditor shall prepare the audit summary and conclusion. It is documented in the Summary of Audit Results and Recommendations (SARR) containing the following:

A. Matrix of Audit Findings and Recommendations
B. Results/status of other audits (e.g., fraud audit and GWSPA)
C. Summary of unrecorded adjusting/reclassifying journal entries


D. Conclusion: The overall conclusion of the audit, after considering the effects of identified misstatements, other findings, issues, and observations.

Documentation

Form 03B-01: SARR. This template provides the audit team with a summary of the audit results and conclusion, and a description of the important matters and significant findings and issues arising during the execution of the audit.

3B.1.2 Discuss results of different types of audit conducted

The agency may have been subjected not only to comprehensive audit but also to other types of audit like fraud audit and GWSPA. In this case, the audit team, together with the Cluster Director (CD), shall discuss with the counterpart audit team the results or status of the audit, if ongoing, for disclosure or inclusion in the AAR. The findings, observations, and issues that may have significant impact on the financial statements shall be considered before finalizing the conclusion of the audit. This shall be documented in SARR and disclosed as Other Matters of the Audit Certificate in the AAR. Minutes of discussions with the counterpart audit team [e.g., Fraud Audit and Investigation Office (FAIO) and/or Special Audits Office (SAO)] shall form part of the working papers.

Forensic/Fraud Audit

It is the responsibility of FAIO to initiate, monitor, assess performance, and continuously improve the conduct of fraud audits. Also, it is their responsibility to prepare fraud audit reports. The guidelines in the performance and reporting of fraud audit conducted by FAIO are documented in the Fraud Audit Manual.

GWSPA

SAO conducts the GWSPA. SAO, when necessary, coordinates with the audit sectors for more concerted efforts in the conduct of performance audits in the agencies implementing government programs and/or projects. The guidelines in the performance and reporting of GWSPA are documented in the GWSPA Manual.


3B.2. Prepare Audit Report

At the end of the audit, a written auditor's report to the agency, containing an opinion on the agency's financial statements, is prepared. In addition, regardless of the agency's governance structure or size, the auditor:

- Communicates with management the observations arising from the audit, to clarify facts and issues and to give management the opportunity to provide further information.
- Communicates with those charged with governance the observations arising from the audit that are significant and relevant to their responsibility to oversee the financial reporting process.

This is achieved by communicating to those charged with governance and management the significant and relevant observations identified within the audit, through the issuance of Audit Observation Memorandum (AOM). The timing of communications is dependent on the communication protocols agreed with management and those charged with governance at the start of the audit. These protocols are used to communicate significant and relevant observations in a timely manner. As the audit progresses, the status of the significant and relevant observations communicated may change and new significant and relevant observations may arise as audit procedures are performed and facts and circumstances change. Updated or additional communications to management and those charged with governance of new information are provided on a timely basis.

Financial and Compliance Audits

COA Memorandum No. 2002-047 dated August 13, 2002, provides the guidelines on the preparation, submission and transmittal of the AAR.

Performance Audit

Performance audit may take more than a year and the report may not be released at the same time as financial and compliance audits. However, the concerned auditor shall mention in his AAR the fact that a performance audit has been undertaken during the year and include in the AAR the gist of significant findings, observations and recommendations of the audit under the Observations and Recommendations section.

Fraud Audit

Fraud audit conducted by the Audit sectors shall be mentioned in the AAR. The summary of the results or the status of the audit, if the audit is still ongoing, and its impact or possible impact to the financial statements shall be disclosed as Other Matters in the Audit Certificate of the AAR. The guidelines in the performance and reporting of fraud audit conducted by the Audit sectors are documented in the Fraud Audit Manual.

Annual Audit Report

In reporting the results of comprehensive audit, the auditors shall prepare the following audit reports:

a) Annual Audit Report (AAR) for the year-end financial audit of agencies with complete books of accounts and listed in the General Appropriations Act; and
b) Management Letter (ML) for the year-end financial audit of the regional offices and operating units with and without complete books of accounts. The ML shall also be issued at the conclusion of an interim audit, if warranted.

Contents of the AAR

The AAR shall contain the following:

a) Executive Summary
b) Audit Certificate
c) Financial Statements
   o Balance Sheet
   o Statement of Income and Expenses
   o Statement of Cash Flows
   o Notes to the Financial Statements
d) Observations and Recommendations
e) Status of Implementation of Prior Years' Audit Recommendations

Executive Summary

The Executive Summary presents in brief the contents of the AAR. It includes the financial highlights of the agency, a statement on the scope of audit and the auditor's opinion on the financial statements and the synopsis of the significant observations, recommendations and the implementation of prior years' recommendations.

Audit Certificate

The Audit Certificate contains the overall conclusion of the auditor on the financial statements. Its basic elements are:

a) Addressee: The Audit Certificate shall be addressed to the board of directors or to the head of office, department, agency or local government unit.

b) Introductory Paragraph: This shall include statements on:
   o The name of the agency and its financial statements that have been audited, including the date of and period covered by the financial statements
   o The financial statements and the notes thereon are the responsibility and representation of the agency's management and that the auditor's responsibility is to express an opinion on the financial statements based on the audit.

c) Scope Paragraph: This paragraph contains statements on the basis and scope of the audit conducted, as follows:
   o That the audit was conducted in accordance with the generally accepted auditing standards and the laws, rules and regulations, as applicable.
   o That the audit was planned and performed to obtain reasonable assurance about whether the financial statements are free of material misstatements.
   o That the audit performed includes: (1) examining, on a test basis, evidence to support the financial statements amounts and disclosures; (2) assessing the accounting principles used and the significant estimates made by management on the preparation of the financial statements; and (3) evaluating the overall financial statements presentation.
   o That the auditor believes his audit provides a reasonable basis for the opinion.

d) Opinion Paragraph: This paragraph contains the auditor's opinion on the fair presentation of the financial statements and their compliance with other requirements of relevant laws or statutes. The types of opinion that the auditor may express are discussed under sub-caption Types of Audit Opinion.

e) Other Matters: This paragraph contains other relevant matters that have or may have impact on the auditor's opinion. It may include the results of other types of audit (e.g., fraud audit and GWSPA) conducted that have or may have significant impact on the financial statements or on the conclusions of the audit.

f) Date of Report: The date of the Audit Certificate shall be as of completion date of the audit fieldwork. The date is generally considered as the end of the auditor's responsibility for subsequent events that may affect the financial statements and which may require adjustments or disclosures. Also, it should not be earlier than the date on which the financial statements are signed or approved by management.

g) Auditor's Signature: The report shall be signed pursuant to COA Memorandum No. 2010-015.

Financial Statements


The financial statements to be submitted to the auditor should have a covering Statement of Management Responsibility for Financial Statements to be signed by the official who has direct supervision and control over the agency's accounting and financial transactions and the Head of Agency or his authorized representative. It shall include the following statements:

o Balance Sheet: This shows the financial position/condition of the agency as of a certain date. It provides information on the agency's resources, obligations and the government equity in the agency.
o Income and Expenses: This shows the results of operation of the agency at the end of a particular period. It explains the changes in the agency's equity resulting from operations and economic activities during the period.
o Cash Flows: This summarizes all the cash activities of the agency classified into operating, investing and financing activities. It informs about the inflows and outflows of cash in the agency during the year.
o Notes to financial statements: This is an integral part of the financial statements to provide additional information or disclosure necessary for their fair presentation in conformity with the generally accepted accounting principles.

The audited financial statements shall be attached to the audit certificate in the AAR.

Observations and Recommendations

This portion discusses the observations noted by the auditor and his recommendations. The agency's explanation or reply to the observations shall also be presented as well as the auditor's rejoinder, as necessary or appropriate. The gist of the significant findings, observations, and recommendations in the performance audit conducted shall also be included in this section.

Status of Implementation of Prior Years' Audit Recommendations

This portion summarizes the actions taken by management to implement the previous years' audit recommendations and the results of the auditor's validation of the same.

Specific Guidelines

COA Memorandum No. 2010-015 provides permanent and uniform guidelines in the preparation and submission of the audit reports for CY 2009 and onwards for National Government Sector (NGS) and Local Government Sector (LGS), as follows:


1. The Regional Directors (RDs) shall ensure that:
   (a) all the elements of an audit observation are present to facilitate consolidation and prevent guesswork on the part of the consolidator;
   (b) the status of implementation of prior years' recommendations is updated and validated; and
   (c) the financial statements and the notes submitted for regional consolidation are in order;

2. The signatories to the audit reports shall be as follows:

Local Government Units (LGUs)/ National Government Agencies (NGAs) Provinces and Cities Municipalities and Barangays Municipalities and Cities in Metro Manila Barangays in Metro Manila NGAs with complete set of books (including specialized agencies, Foreign-Assisted Projects, and Official Development Assistance) and with consolidation NGAs with incomplete set of books NGAs with incomplete set of books and with regional consolidation NGAs with field offices with no accounting books and accounts are centrally recorded in the Head Office (HO)/ Regional Office (RO) Type of Report/ Document AAR AAR AAR AAR AAR /CAAR Audit Certificate Signatory/ Transmittal of Report SA/RD ATL/SA SA/CD ATL/SA SA/CD or RD SA/CD

MLs Regional MLs Simplified ML Matrix of Observations and Recommendations with Management's Comments and Auditor's Rejoinder

SA RD ATL Concerned ATL to submit to the HO/ RO ATL

3. The RDs shall state categorically in the transmittal of the audit report to the CDs whether a particular account/specific sub-account covered by the latter's audit guide was audited or not, with or without significant findings;

4. The RDs shall ensure the timely submission of the transmitted MLs to the CDs;

5. The SAs and ATLs in the central and regional offices, respectively, may communicate directly with each other on matters pertaining to consolidation of reports.


For Corporate Government Sector, COA Memorandum No. 2010-020 states that pending approval of the guidelines on the preparation, consolidation, and transmittal of AARs and Annual Operations Audit Reports for the audit sectors, the signing and transmittal of the AARs, Consolidated AARs, and MLs for CY 2009 shall be in conformity with that of the NGS, pursuant to COA Memorandum No. 2010-015 dated May 18, 2010.

Types of Audit Opinion

The audit opinion is the heart of the financial audit report. It features the Auditor's overall conclusion as to the reliability of the audited financial statements. Without the opinion, the report would be meaningless and the users of the statements would have no way of knowing the extent of reliance they should place on these statements.

Depending on the circumstances of each audit, the Auditor shall express any of the following opinions on the financial statements:

1) Unqualified Opinion
2) Qualified Opinion
3) Adverse Opinion
4) Disclaimer / Denial of Opinion

These are explained as follows:

1) Unqualified Opinion

An unqualified opinion states that the financial statements present fairly, in all material respects, the financial position, results of operations, and (when applicable) cash flows of the agency in accordance with applicable laws, rules and regulations and in conformity with generally accepted state accounting principles. However, certain circumstances, while not affecting the auditor's unqualified opinion on the financial statements, may require that the auditor add an explanatory paragraph to his report. These circumstances include:

o Opinion based in part on report of another auditor;
o Existence of unusual uncertainties;
o Emphasis of a matter included in the financial statements; and
o Inconsistency in the application of accounting principles/methods of their application.

2) Qualified Opinion

A qualified opinion is rendered when the auditor has objection to certain matters which are material in relation to the financial statements being reported on, but not sufficiently material to warrant an adverse or denial of opinion depending on the nature and materiality of the qualification(s). This type of opinion is expressed through the use of the phrase "except for" or "with the exception on" in the opinion paragraph.

o Lack of sufficient competent evidential matter
o Scope limitations
o Departure from generally accepted auditing principles (GAAP)
o Inadequate disclosure

3) Adverse Opinion

An adverse opinion is rendered when the effect of certain matters, to which the auditor does not concur, is highly material to make the financial statements misleading. In this type of opinion, the auditor uses the phrase "do not present fairly".

4) Disclaimer/Denial of Opinion

The auditor disclaims/denies an opinion when an audit scope limitation or a pervasive probability of a material loss has a highly material effect on the financial statements. Under these circumstances, the auditor states that he is unable to express, and he does not express, an opinion on the financial statements.

The issuance of split or piecemeal opinion has long been discontinued and is no longer acceptable for purposes of COA audit reports.

Hereunder is a summary of the conditions which would warrant the expression of each type of opinion:

Type of Audit Opinion, Conditions, and Effect on the Financial Statements

1. Unqualified
   Without explanatory paragraph
   - Conditions: None
     Effect on the Financial Statements: None
   With explanatory paragraph
   - Conditions: Inconsistent application of accounting principles to which the auditor:
       a. Concurs with the change
       b. Objects to the change because the newly-adopted principle does not meet conditions for change
     Effect on the Financial Statements: None
   - Conditions: Uncertainties with probable change or reasonable possibility of material loss
     Effect on the Financial Statements: None

2. Qualified
   - Conditions: Audit scope limitation wherein the Auditor was unable to employ alternative audit procedures
     Effect on the Financial Statements: Moderately material
   - Conditions: Departure from GAAP
     Effect on the Financial Statements: Moderately material
   - Conditions: Non-compliance with laws and regulations
     Effect on the Financial Statements: Moderately material
   - Conditions: Inconsistent application of accounting principles to which the auditor objects to the change because the newly-adopted principle does not meet conditions for change
     Effect on the Financial Statements: Moderately material

3. Adverse
   - Conditions: Departure from GAAP
     Effect on the Financial Statements: Highly material
   - Conditions: Non-compliance with laws and regulations
     Effect on the Financial Statements: Highly material
   - Conditions: Inconsistent application of accounting principles to which the auditor objects to the change because the newly-adopted principle does not meet conditions for change
     Effect on the Financial Statements: Highly material

4. Disclaimer
   - Conditions: Audit scope limitation wherein the auditor was unable to employ alternative audit procedures
     Effect on the Financial Statements: Highly material
   - Conditions: Uncertainties with pervasive probability of material loss
     Effect on the Financial Statements: Highly material

The effect of an item on the financial statements is based on its materiality.


For samples of the different audit opinions, please refer to Philippine Audit Standard 2009 edition.

3B.3. Perform Overall Audit Review

Pursuant to COA Memorandum No. 2009-028, the CD supervises the audit groups under the cluster in the conduct of audits and the preparation of audit reports considering the audit thrusts and significant findings, in coordination with the Regional Directors (RD) for issues affecting regional and/or field office. The Supervising Auditors (SA), prior to the issuance of audit reports, shall conduct a review on the outputs prepared by the Audit Team Leaders (ATL).

3B.3.1 Perform overall review and approval

At this point, the Supervising Auditor shall complete an overall review and approval of the engagement to document and confirm that:

- Engagement has been completed in accordance with IRRBAM
- Sufficient appropriate audit evidence has been obtained
- Audit documentation provides a basis for audit opinion

The overall review and approval of the audit engagement will be documented in Form 3B-02: Quality Inspection Tool (QIT). The QIT, at a minimum, confirms the opinions of the audit teams involved in the engagement including other related offices (e.g., FAIO, SAO) that:

- The audit team members with supervisory responsibilities have fulfilled their duties
- The review of the audit work for the engagement has been completed in accordance with COA policies for reviews as well as with other relevant auditing standards.
- The planned audit work has been completed and that important matters and significant accounting and auditing issues have been addressed.
- Sufficient appropriate audit evidence has been obtained to support the audit opinion
- The auditor's report is appropriate
- The audit work has been performed in accordance with the IRRBAM, COA policies and standards, as well as other professional standards, laws, rules and regulations

The appropriate members of the audit team shall sign and date the QIT at the conclusion of the audit.

3B.3.2 Issue report


After the reports have been prepared and reviewed by the appropriate officers, the reports will be issued to the appropriate report recipients.

Annual Audit Report (AAR)

Signing of Annual Audit Report

Pursuant to COA Memorandum No. 2009-028, the SAs shall sign the audit reports prepared by the ATLs, while the CDs transmit said reports to the agency.

Number of copies and distribution of reports

There shall be as many copies of the AAR as necessary to be reproduced. In addition to copies for the agency, the AAR shall be furnished to the oversight bodies. The AAR shall be submitted to the COA Chairman on or before the last working day of February every year. The COA Chairman shall transmit the AAR to the following heads of oversight bodies:

o President
o Vice-President
o President of the Senate
o Chairman, Senate Finance Committee
o Speaker of the House of Representatives
o Chairman, Appropriations Committee, and the
o Secretary of the Budget and Management

The final report shall be transmitted to the Head of the Agency for National Government Agencies, to the Chief Executive Officer for Local Government Units, or to the Board of Directors for Government-Owned or Controlled Corporations under signature of the COA Chairman or his duly authorized representative. As may be found necessary, other government officials, such as the Speaker of the House of Representatives, the Senate President, and the President of the Republic of the Philippines, shall also be furnished copies thereof.

The transmittal letter is a simple communication transmitting the report and acknowledging the assistance and support extended by the officials and staff of the agency. It shall also include a request to implement the recommendations contained in the report and to be informed of the actions taken thereon within 30 working days from receipt thereof.

In order to facilitate communication of the agency's action to be taken on the AAR, COA auditors shall provide the agency Form 03B-03: Agency Action Plan upon issuing the AAR. The Agency Action Plan should be returned by the agency within 30 working days from receipt of the AAR.

3B.4. Wrap-up and archive the engagement

Working papers document the procedures performed and the evidence obtained and evaluated to support a conclusion rendered by the auditors. As required by the professional standards, audit documentation shall be sufficient for an experienced auditor with no previous association with the audit to be able to understand the nature, timing and extent, and results of procedures performed, evidence obtained and conclusions reached.

Auditors shall use professional judgment in determining the nature and extent of the audit documentation. However, it shall be ensured that it is consistent with COA policies, professional standards and other legal and regulatory requirements.

Working papers/documentation is an integral part of the auditor's responsibilities. Thus, there is a need for a systematic archiving of electronic and hard copy working papers/documentation. Archiving of workpapers (electronic and/or hardcopy) should be done in a timely manner after the date of our auditor's report when the procedures and documentation are complete.

At the completion of the audit, the Audit Team Leader is responsible for authorizing the final archive process for determining that workpapers are archived in accordance with COA policies, professional standards, and legal and regulatory requirements.

Auditors shall retain records which are relevant to the audit that:

- Are created, sent or received in connection with the audit
- Contain conclusions, opinion, analyses or financial data related to the audit

The following items are examples of those documents that are not necessarily retained as they do not support the conclusions reached in the audit:

- Superseded drafts of memoranda, financial statements or regulatory filings
- Notes on superseded drafts of memoranda, financial statements or regulatory filings that reflect incomplete or preliminary thinking
- Previous copies of workpapers that have been corrected for typographical errors or errors due to training of new employees
- Duplicates of documents
- Superseded agency-prepared schedules and analyses
- E-mails that do not contain conclusions, opinions, analyses or financial data related to the audit
- Voice-mail or instant messages
- Electronic data files (including files in the team's discussion database) other than those described below

In any case, auditors shall use their professional judgment in determining which documents shall form part of the team's working papers/documentation.

Timing of the archive process

The documentation completion date is no later than 60 days after the date of our auditor's report.

Carryforward documentation guidelines

When workpapers are carried forward to the current period, the original current workpapers are carried forward while prior period's workpapers are maintained unchanged. This practice should be followed to make sure that each period's workpapers provide support for the conclusions reached and the procedures performed and are separate and distinct from any other period's workpapers.

Confidentiality

The audit team is responsible for adopting appropriate procedures for maintaining the confidentiality and safe custody of the workpapers to comply with the COA's and professional standards' archiving requirements.

Lost or destroyed workpapers

If the workpapers (either electronic or hard copy) needed to support our audit opinion have been corrupted, lost, stolen or destroyed subsequent to the documentation completion date, the audit team shall report the loss to the team leader/supervisor. The following factors shall be considered in determining if there is a need to create/replace the lost workpapers:

- Significance of the lost or destroyed workpapers in the audit project
- Length of time that has passed since the AAR was issued
- Ability to easily obtain copies of the documents from the agency

3B.5. Follow-up Agency Action Plan

Part of the Commission's mandate is to recommend measures to improve the efficiency and effectiveness of government operations (Sec. 4, Art. IX-D of the 1987 Philippine Constitution). The full completion of this mandate can only be satisfied once agencies have implemented or acted on the recommendations made by the auditors through action plans.

Audit follow-up/monitoring of recommendations is an integral part of good management and a responsibility shared by the auditor and the agency. Corrective actions taken to implement audit recommendations enable the agency to improve the effectiveness and efficiency of their operations. An effective monitoring system not only ensures the prompt and proper resolution of audit observations and recommendations and the implementation of corrective action, but also ensures that a complete record of actions taken on observations and recommendations is maintained.

Benefits of Monitoring

- Assures the auditor that the benefit of audit work is realized
- Validates that the recommendations as implemented are truly advantageous to the auditee.
- Assists the auditor in re-evaluating his analytical techniques and evidence that aid in the formulation of the recommendation.

This activity will be conducted all throughout the year for the audit projects handled by the following Sectors/Offices:

Audit Sectors:
- National Government Sector (NGS)
- Corporate Government Sector (CGS)
- Local Government Sector (LGS)

Regional Offices

Special Offices:
- Fraud and Investigation Office (FAIO)
- Special Audit Office (SAO)
- Technical Services Office (TSO)

Monitor Progress

Part of the auditor's role is to determine that the audited agencies take corrective actions (as documented in the Form 04-04: Agency Action Plan) on the recommendations provided, as a result of the audit observations, in a timely manner. The auditor shall accomplish the Form 04-05 Action Plan Monitoring Tool to monitor the status of the agency's action plan.


The Commission, as the country's Supreme Audit Institution, handles voluminous transactions and documents. Therefore, maintaining a database may support in monitoring all issues and the subsequent action taken by the auditors and agencies during the audit. Also, a database adds value by storing history of issues of a certain auditable agency. The historical issues and recommendations maintained in the database may guide COA during the assessment of the key risks of an agency or a sector as a whole. The database may also serve as a reference in conducting an in-depth analysis on the relationships of issues among different agencies (e.g., conduct of the government-wide and sectoral performance audit).

Conduct Follow-up procedures

Being an integral part of the audit process, follow-up should be scheduled along with other steps necessary to perform the review. However, specific follow-up activity depends on the results of the audit and can be carried out at the time the report draft is reviewed with concerned agency personnel or after the issuance of the report. Perform the following:

Classify Audit Issues According to Follow-up Procedures to be done

The risk assessment done in the second phase, Agency Audit Planning and Risk Assessment, plays an important role in the follow-up procedures to be performed. Normally, follow-up procedures are based on the impact of the risk. Follow-up activities may be broken down into three areas:

- Casual
  This is the most basic form of follow-up and may be satisfied by review of the process owner's/client's procedures or an informal telephone conversation. Memo correspondence may also be used. This is usually applicable to the less critical findings.

- Limited
  Limited follow-up typically involves more process owner/client interaction. This may include actually verifying procedures or transactions and in most cases, is not accomplished through memos or telephone conversations with the process owner/client.

- Detailed
  Detailed follow-up is usually more time-consuming and can include substantial process owner/client involvement. Verifying procedures and audit trails as well as substantiating account balances and computerized records are examples. The more critical review findings usually require detailed follow-up.

Follow-up scheduling can begin when corrective action is confirmed by acceptance of an audit recommendation or when management elects to accept the risk of not implementing the recommendation. Based on the risk and exposure involved, as well as the degree of difficulty in achieving the recommended action, follow-up activity should be scheduled to monitor the situation or confirm completion of the changes that were planned. These same factors establish whether a simple telephone call would suffice or whether further review procedures would be required.

Enumerated below are general procedures in conducting a detailed follow-up:

- Analyze the response of the unit involved and verify if it is aligned with the strategy previously agreed upon.
- Assess action taken against recommendation
- Seek evidence to verify implementation of the action and seek clarification if necessary.
- In case the response of the process owner/client is different from the recommendation, assess if the response is effectively mitigating the risk and is more efficient than the recommendation.
- In case the response of the management is different from the recommendation and is assessed to be ineffective or inefficient, reiterate recommendations and evaluate management response to COA reiteration.
- In case management decided not to act on issues raised or elected to accept the risks, prepare a Management Acceptance of Risk.
- Prepare to communicate results of the follow up procedures.

Policy and Standard

Policy/Standard: Description

- ISSAI 400: Reporting standards in government auditing
- ISSAI 1220: Quality Control for Audits of Historical Financial Information
- ISSAI 1230: Audit Documentation
- ISSAI 1700: Forming an Opinion and Reporting on Financial Statements
- COA Memorandum No. 2002-047: Guidelines on the preparation, submission and transmittal of the Annual Audit Report
- COA Resolution No. 2006-002: Conduct of comprehensive audits by the offices of this Commission
- COA Resolution No. 2008-012: 2008 COA organization restructuring
- COA Memorandum No. 2009-028: Implementing guidelines on audit operations under the 2008 COA organizational restructuring
- COA Memorandum No. 2010-015: Uniform guidelines for the signing and transmittal of the Annual Audit Reports (AARs), Consolidated Annual Audit Reports (CAARs), and Management Letters (MLs) of the National Government Sector and Local Government Sector, for CY 2009 and onwards.
- COA Memorandum No. 2010-020: Signing and transmittal of the Annual Audit Reports (AARs), Consolidated Annual Audit Reports (CAARs), and Management Letters (MLs) of the Corporate Government Sector for 2009

Documentation

Procedure | Sub-procedure | Output/Tools
3B.1 Summarize Audit Results | Prepare summary of audit results and recommendations; Discuss results of other types of audit conducted | Form 03B-01 Summary of Audit Results and Recommendations
3B.2 Prepare Annual Audit Report | Prepare Annual Audit Report | Draft Annual Audit Report
3B.3 Perform Overall Audit Review | Perform overall review and approval; Issue Report | Form 03B-02 Quality Inspection Tool; Transmittal Letter; Form 03B-03: Agency Action Plan
3B.4 Wrap-up and archive the engagement | Archive working papers/documentation of audit |
3B.5 Follow-up Agency Action Plan | | Form 03B-03: Agency Action Plan; Form 03B-04: Action Plan Monitoring Tool


Phase 3B Conclusion and Reporting Form 03B-01: Summary of Audit Results and Recommendations

SUMMARY OF AUDIT RESULTS AND RECOMMENDATIONS


Objective

This form is used to summarize and evaluate the results of comprehensive audit and other types of audits conducted. It has three parts as follows:

Part I: Introduction
Part II: Summary of Audit Results and Recommendations
Part III: Evaluation Factors

After the exit conference with the agency, the audit team shall accumulate the findings/observations and recommendations, as documented in the Audit Observation Memorandum (AOM), together with management comments, using the Summary of Audit Results and Recommendations provided in Part II of this Form. The completed template should be initialed by the ATL and SA, and approved by the CD prior to audit report sign-off. The completed template, together with other relevant documentation, should be filed in the working papers.

Accomplishing this Tool

The audit team should perform the following steps in relation to audit findings and observations and their disposition:

A. Matrix of Audit Findings and Recommendations
- Summarize the findings and recommendations as documented in AOMs. This includes the findings and recommendations from financial, compliance, and performance audits conducted.
- Document management's comments on each finding and recommendation. This includes the disposition of proposed adjusting journal entries, disclosures, and comments on performance audit findings.
- Document the audit team's response to management's comments on the findings and recommendations.

B. Summary of Unbooked Adjusting/Reclassifying Journal Entries
- Summarize the unrecorded proposed adjusting/reclassifying journal entries and determine their effect on the Assets, Liabilities, Current Period Income or Prior Year Income, as applicable.

C. Results/Status of Other Audits (e.g., Fraud and GWSPA)
- Summarize the findings/issues of other audits conducted.
- Document the reference of the findings/issues.
- State the status of audit(s). The audit(s) may be ongoing or completed.
- Document the possible effect/impact of the audit on the agency's financial statements.
- Document other information deemed relevant by the audit team in the remarks column.

Please refer to Phase 3 - Delivery: Conclusion and Reporting of the IRRBAM for further details.
Last updated: March 2011. Version: 04-01/2011/v1


Agency: ____________________________
Audit Period: ____________________________

Prepared by: _________________ Date: ________________
Reviewed by: _________________ Date: ________________
Approved by: _________________ Date: ________________

A. Matrix of Audit Findings and Recommendations

A.1. Financial and Compliance Audit
No. | AOM No./Date | Observation | Recommendation | Management Comment | Rejoinder

A.2. Performance Audit
No. | AOM No./Date | Observation | Recommendation | Management Comment | Rejoinder


B. Summary of Unrecorded Adjusting/Reclassifying Journal Entries

AOM Ref. | Accounts and Description | Amount: Debit | Amount: Credit | Financial Statement Effects of Unbooked Entries: Assets (Current) | Assets (Non-Current) | Liabilities (Current) | Liabilities (Non-Current) | Current Income | Prior Period Income
Total

C. Results/Status of Other Audits (e.g., Fraud and GWSPA)

No. | Significant findings/issues | Reference | Status of Audit | Conclusion | Remarks


D. Conclusion

In our opinion (answer Yes or No for each):
1. Considering quantitative factors as well as non-quantitative factors (refer to Evaluation Factors of this Template), the effects of unrecorded proposed entries, either individually or in the aggregate, are not material to the financial statements taken as a whole and therefore do not require modification of our auditor's report.
2. The proposed entries, whether or not recorded, are not the result of a significant weakness in internal control over financial reporting.
3. The proposed entries, whether or not recorded, are not indications of possible fraud or illegal acts.
4. For any "No" responses above, indicate the steps taken or to be taken:
   - Opinion modified
   - Audit scopes reassessed
   - Others: _____________________________________

Comments:


EVALUATION FACTORS

A. Materiality Factors

The following factors may be relevant to the evaluation of the materiality of passed entries, recognizing that some may be more important than others.

1. Quantitative factors:
   a. Earnings/Surplus
   b. Other financial statement captions
   c. Segment information
2. Meeting earnings/budget goals
3. Compliance with contracts and regulations
4. Impact on other periods
5. Trends
6. Possible undetected errors
7. Certainty of amount
8. Interpretations of ISSAI
9. Establishing accounting precedent
10. Large offsetting items
11. Nonrecurring items
12. Carryovers from prior periods

Additional factors to be considered by the audit team:

13. Current user needs. We may need to reassess our original materiality judgment in light of changed circumstances or knowledge gained during the audit. For example, there may be significant changes in economic trends, budgeted earnings/surplus or negotiations for a line of credit.
14. Special circumstances. The materiality threshold may be reduced when it is reasonably possible that third parties will closely scrutinize the agency's accounting practices and question why even small errors were not corrected. This might apply to, for example:
   - Maximum-risk assignments,
   - Agencies with weakening financial condition,
   - Agencies that may soon have new management (within a year or shortly thereafter),
   - Management that need to significantly improve their accounting and control practices,
   - Potentially sensitive areas, such as revenue recognition.
15. Agency management's past practices. When entries are passed, it is usually assumed that agency management will (a) subsequently correct the errors, and (b) improve its controls to prevent a recurrence of the problem. However, when agency management appears to be unable or unwilling to do either, the errors may take on greater significance. This is especially true when the accounting system is capable, without significant additional cost or effort, of correctly processing transactions.
16. Special purposes of the audit. The impact of proposed entries could be magnified if the financial statements will be used for special purposes. For example, if a buy-sell agreement bases the sale price on a multiple of earnings, an otherwise minor adjustment could have a significant immediate effect on the price.

B. Indications of significant weakness in internal control

Even when misstatements are not material, we need to consider whether their root causes are due to inadequacies in internal control, particularly when the errors are more widespread or significantly larger than anticipated. We may need to expand our audit testing to compensate for an unexpected control weakness. We also may need to communicate the weakness to senior agency management and the Oversight Body if it is deemed to be a "reportable condition."

C. Indications of possible fraud or illegal acts

Proposed entries may be indications of fraud or illegal acts (possibly the "tip of the iceberg"). Examples are:
- A significant increase over the prior year in the number or size of proposed adjustments.
- "Last minute" entries that significantly increase earnings.
- Misstatements that appear to have been made with the intent of achieving targeted earnings or similar goals.
- Unsupported or unauthorized transactions, balances and reconciling items.
- Entries apparently made to conceal illegal acts.


Phase 3B Conclusion and Reporting Form 03B-02: Quality Inspection Tool

QUALITY INSPECTION TOOL


Objectives

The Quality Inspection Tool will guide the audit team in performing overall review and approval of the audit engagement prior to the release of the audit report. The tool is divided into two parts:

Part I: IRRBA Workstep Checklist
Part II: Quality Assurance Checklist

This tool is not all-inclusive; audit teams shall customize it as appropriate.

Accomplishing this Tool

Part I: IRRBA Workstep Checklist

This part consists of the activities/processes as reflected in the IRRBA Manual. As part of the quality assurance, audit teams shall ensure conformance to the prescribed methodology in the conduct of their audits.

IRRBA Activities - Identify the IRRBA Activities as prescribed in the methodology.
Working Paper Reference - Indicate the Working Paper tag/label for easier reference of documents.
Performed by - Staff member who completed the procedure/activity shall indicate his/her initials to confirm his/her performance.
Reviewed by - Reviewer shall append his/her initials as a proof of the evaluation.

Part II: Quality Assurance Checklist

This part consists of the minimum requirements in conducting audit engagements as reflected in relevant standards, laws, rules and regulations.

General Audit Procedures - Identify the minimum requirement of the relevant standards, laws, rules and regulations.
Working Paper Reference - Indicate the Working Paper tag/label for easier reference of documents.
Performed by - Staff who completed the procedure/activity shall indicate his/her initials to confirm his/her performance.
Reviewed by - Reviewer shall append his/her initials as a proof of the evaluation.

Last updated: March 2011. Version: 03B-02/2011/v1



Prepared by: _________________ Date: ________________
Reviewed by: _________________ Date: ________________
Approved by: _________________ Date: ________________

Agency: _____________________________________________________
Period: _____________________________________________________

PART I: IRRBA Workstep Checklist

Columns: IRRBA Activities | WP Ref. | Performed by | Reviewed by

1. Strategic Planning and Risk Identification
   1.1 Perform Government Risk Identification
       1.1.1 Develop/Update the Government Risk Model
       1.1.2 Identify Government Risks
       1.1.3 Report the Results of GRI
   1.2 Conduct COA Strategic Planning

2. Agency Audit Planning and Risk Assessment
   2.1 Prepare Agency Audit Workstep
   2.2 Understand the Agency
   2.3 Identify Significant Agency Risks
       2.3.1 Update Agency Risk Model
       2.3.2 Identify Agency Risks
       2.3.3 Prioritize Significant Agency Risks
   2.4 Understand the Agency-level Controls
   2.5 Understand the Process
       2.5.1 Identify Critical Path of the Processes
       2.5.2 Identify Process Risks
       2.5.3 Identify Impact
       2.5.4 Identify Existing Process-level Controls
   2.6 Conduct Audit Risk Assessment and Planning
       2.6.1 Financial and Compliance
       2.6.2 Performance
       2.6.3 Determine Audit Scope and Timing
       2.6.4 Determine need for specialized skills

3. Execution
   3.1 Design Audit Tests
   3.2 Execute Audit Tests
   3.3 Evaluate Audit Results
   3.4 Communicate Audit Results

4. Conclusion and Reporting
   4.1 Summarize Audit Results
       4.1.1 Prepare summary of audit results and recommendations
       4.1.2 Discuss results of different types of audit conducted
   4.2 Prepare Audit Report
       4.2.1 Prepare Annual Audit Report
   4.3 Perform Overall Audit Review
       4.3.1 Perform overall review and approval
       4.3.2 Issue report
   4.4 Wrap-up and Archive the Engagement
   4.5 Follow-up Agency Action Plan

5. Monitor quality control on audit services


PART II: Quality Assurance Checklist


Columns: General Audit Procedures | WP Ref. | Performed by | Reviewed by

1. Terms of Audit Engagements

An engagement letter has been prepared in accordance with COA policies and professional standards.

2. Independence

Members of the audit team are independent with respect to this audit client and its affiliates.

3. Initial Engagements - Opening Balances

For initial audits, perform procedures to obtain sufficient appropriate audit evidence that:
a. The opening balances do not contain misstatements that materially affect the current period's financial statements.
b. The prior period's closing balances have been correctly brought forward to the current period or, when appropriate, have been restated.
c. Appropriate accounting policies are consistently applied or changes in accounting policies have been properly accounted for and adequately disclosed.

4. Consultation

Identify areas and specialized situations where consultation is required and consult with others or use authoritative sources on other complex or unusual matters.

Areas identified: ____________________ Consulted: _________________
Areas identified: ____________________ Consulted: _________________
Areas identified: ____________________ Consulted: _________________
Areas identified: ____________________ Consulted: _________________

- Appropriate consultation has occurred in areas and special situations where required by COA policies and where the audit team otherwise deemed necessary.
- Appropriate documentation has been prepared and reviewed for all consultation on significant issues and those consulted were informed of all the relevant facts and circumstances and the conclusions are reasonable and consistent with professional standards.
- Memoranda that address all significant issues on which consultation occurred are associated with, or are attached to, the Audit Observation Memorandum (AOM) with an indication of the consultant's approval.
- If consultation memoranda have not yet been completed or approved in writing, oral approvals have been obtained from the individuals consulted and noted in the AOM or an attachment to it.
- Copies of the memoranda have been provided to the individuals consulted.
- Conclusions resulting from the consultations have been implemented.

5. Minutes and Contracts

Obtain information regarding meetings of the management, board of directors, shareholders and important committees up to the report date.
a. Read minutes. Obtain copies of the signed minutes or prepare excerpts. (If the copies are not signed, compare them with the original signed minutes.)
b. If minutes have not been prepared for recent meetings, obtain a summary of what was discussed.
c. Compare significant matters identified above with information obtained during the audit and cross-reference significant matters affecting the financial statements to the appropriate workpapers.

Obtain information about important contracts, agreements and similar documents and consider their accounting or auditing implications. Cross-reference significant matters affecting the financial statements and other agency-issued reports to the appropriate workpapers.

6. Consideration of Laws and Regulations in an Audit of Financial Statements

When planning and performing audit procedures and evaluating and reporting the results thereof, consider the risk of non-compliance by the agency with laws and regulations that may materially affect the financial statements.

Obtain a general understanding of the legal and regulatory framework applicable to the agency and how the agency is complying with that framework. The procedures ordinarily include:
a. Use of existing understanding of the agency's industry and operation
b. Inquiry of management concerning the agency's policies and procedures regarding compliance with laws and regulations
c. Inquiry of agency as to the laws or regulations that may be expected to have a fundamental effect on the operations of the agency
d. Discussion with management about the policies or procedures adopted for identifying, evaluating and accounting for litigation, claims and assessments

Met with: ____________________ Findings: _________________
Met with: ____________________ Findings: _________________
Met with: ____________________ Findings: _________________

Perform procedures to help identify instances of noncompliance with those laws and regulations where noncompliance should be considered when preparing financial statements, specifically:
a. Inquire with management as to whether the agency is in compliance with such laws and regulations

Met with: ____________________ Findings: _________________
Met with: ____________________ Findings: _________________
Met with: ____________________ Findings: _________________

b. Inspect correspondence with the relevant licensing or regulatory authorities

Obtain sufficient appropriate evidence about compliance with those laws and regulations generally recognized to have an effect on:
- The determination of material amounts and disclosures in financial statements by considering them when auditing the assertions related to the determination of the amounts to be recorded and the disclosures to be made
- Programs, activities and projects of the agency

Sign one of the following statements, as applicable:
- Performance of the above procedures has not indicated any noncompliance by the agency with laws and regulations that may materially affect the financial statements.
- A possible non-compliance by the agency with laws and regulations was suspected or detected and we have obtained an understanding of the nature of the act and circumstances in which it has occurred, and sufficient other information to evaluate the possible effect on the financial statements, and appropriate documentation, evaluation and notification of management and others has been performed.

7. Related parties

Review information provided by the directors and agency management identifying the names of all known related parties and perform procedures in respect of the completeness of this information including the following:
a. Review prior year workpapers for names of known related parties.
b. Review the agency's procedures for identification of related parties.
c. Inquire as to the affiliation of directors and officers with other entities. Inquired of: ______________________________________
d. Review agency management minutes of the meetings.
e. Inquire of other auditors currently involved in the audit, or predecessor auditors, as to their knowledge of additional related parties.

8. Inquiry regarding Litigation and Claims

Carry out procedures in order to become aware of any litigation and claim involving the agency that may have a material effect on the financial statements.

9. Considering the Work of Internal Audit

Obtain a sufficient understanding of internal audit activities to assist in planning the audit and developing an effective audit approach.

Perform a preliminary assessment of the internal audit function when it appears that internal audit is relevant to the external audit of the financial statements in specific audit areas. Such assessment includes evaluating the competence and objectivity of the internal auditors.

When the audit team intends to use specific work of internal audit, evaluate and test that work to confirm its adequacy for our purposes.

10. Subsequent events

Perform procedures designed to obtain sufficient appropriate audit evidence that all events up to the date of the auditor's report that may require adjustment of, or disclosure in, the financial statements have been identified.

11. Going concern

The engagement team has considered and evaluated the appropriateness of management's use of the going concern assumption underlying the preparation of the financial statements both in the planning phase and throughout the performance of the audit procedures.

12. Management Representations

Obtain a letter of representations that is tailored to the particular circumstances, dated the same date as our auditor's report, and signed by the members of management who have primary responsibility for the agency and its financial aspects.

13. Financial Statements Review

- Apply analytical procedures at or near the end of the audit when forming an overall conclusion as to whether the financial statements as a whole are consistent with our understanding of the agency.
- Verify opening balances on the basis of the prior year's audit report and/or workpapers.
- Cross-reference year-end amounts on the general ledger trial balance to the related audit workpapers.
- Examine supporting documents and/or inquire of agency personnel to determine that significant entries made solely to prepare the financial statement, other than entries covered by other audit procedures, were properly authorized and accounted for.
- Agree or reconcile the financial statement amounts and the financial data in the footnotes to the general ledger trial balance or other workpapers.
- Determine that the financial statements and the financial data in the footnotes are clerically accurate.

14. Communication of Audit Matters with Management and those Charged with Governance

Inform management as soon as practicable:
- If a fraud has been identified or if information obtained indicates that a fraud may exist
- Of the existence of material weaknesses in the design or implementation of internal control, including material weaknesses in the design or implementation of internal control to prevent and detect fraud, that have come to our attention

The audit team has determined the relevant persons who are charged with governance and with whom audit matters of governance interest are to be communicated.

The audit team has considered all audit matters of governance interest that arose from the audit of financial statements and communicated them to those charged with governance. Ordinarily such matters include:
a. General audit approach and overall scope of the audit
b. Selection of, or changes in, significant accounting policies
c. Potential effect of any significant risk and exposure that is required to be disclosed
d. Audit adjustments that could have a significant effect on the agency's financial statements
e. Material uncertainties relating to going concern
f. Disagreements with management that could have a significant impact on the financial statements or the audit report
g. Expected modifications to the audit report
h. Internal control issues
i. Issues with respect to agency's integrity and/or fraud within the agency

Determine whether any identified risk of material misstatements due to fraud has continuing control implications. Consider whether any control deficiency related to these risks, or whether the absence of or deficiencies in programs or controls to mitigate specific risks of fraud or to otherwise help prevent, deter, and detect fraud, represent matters (including potential material weaknesses) that should be communicated to agency management or any relevant regulatory body.

Inform those charged with governance about those uncorrected misstatements aggregated by us during the current audit that were determined by management to be immaterial, both individually and in the aggregate, to the financial statements as a whole.

Inform those charged with governance if a fraud has been identified involving management, employees who have significant roles in internal control, or others where the fraud results in a material misstatement in the financial statements.

Inform those charged with governance of material weakness in the design or implementation of internal control, including material weaknesses in the design or implementation of internal control to prevent and detect fraud, that have come to the auditor's attention.

Inform those charged with governance of the agency's noncompliance with laws and regulations that have come to our attention. If we have reason to believe that members of agency management are involved in noncompliance, report the matter at the next higher level of authority.

The audit team has communicated the above matters in a timely manner.

The engagement team has communicated the matters in a way which is appropriate depending on the nature and significance of the matter as well as on the size and legal structure of the agency being audited.

I have reviewed this Quality Inspection Tool and the results of the procedures for this engagement and am satisfied that all applicable general audit procedures have been completed, the conclusions are reasonable and consistent with professional standards, and the AAR properly reflects the issues addressed.

Signature: ________________________ Date: __________________


Phase 3B Conclusion and Reporting Form 03B-03: Agency Action Plan

AGENCY ACTION PLAN

Objective

Agency management has the responsibility to act upon the audit observation and recommendation provided by COA during the conduct of audit. To facilitate the process, the COA shall provide a mechanism to enforce compliance of the activity. Hence, the Agency Action Plan document is provided and included as part of the IRRBAM.

The Agency Action Plan is a tool for the agency to signify its action plans on the observations and recommendations provided by the auditors. This document will serve as the basis for auditors when monitoring agency action plans. Agency management shall submit their action plans within 30 days from the date of receipt of the report.

A significant part of this tool is the space provided for the sign-off of the agency officer. Concurrence of the agency, as evidenced by their sign-off, supports the fact that the agency accepts responsibility as to the ownership of the action plans provided as well as their implementation.

Accomplishing this Tool

Reference - The reference will serve as a guide for auditors to trace the audit observations and recommendations indicated in the prior year's working papers or reports.

Audit Observation and Recommendation - The audit observations and the corresponding recommendations of the prior year's audit shall be reflected by the auditors in this column to guide the auditors' and agencies' monitoring process.

Agency Action Plan

Action Plan/Remarks - Action plan is the response of the audited agency on the recommendations provided by the auditors during the course of the audit. This column shall be filled out by the agency, detailing the appropriate resolution on the audit observation identified by the auditors. In any case, auditors shall challenge the appropriateness of the agencies' action plans with the audit observations noted. Any comments that the auditors may have on the Agency Action Plans shall be communicated and resolved with the appropriate authorities.

Person/Department Responsible - The Agency shall specifically identify the person or department responsible for implementing the action plan provided. If it is not possible to identify the specific person (e.g., due to job rotation), the position or rank shall suffice. Identification of a specific person or department responsible for implementing the action plan will guide the auditors during the conduct of their monitoring procedures.

Target Implementation Date - The action plan provided by an agency shall be time-bound. This holds true especially for major audit observations that require immediate action.

Last updated: March 2011. Version: 03B-03/2011/v1


AGENCY ACTION PLAN


Sector: __________________________________
Agency Audited: __________________________
Audit Period: ________________
AAR date: ___________________

Columns:
- Ref.
- Audit Observation and Recommendation
- Agency Action Plan: Action Plan / Remarks
- Agency Action Plan: Person/Dept. Responsible
- Agency Action Plan: Target Implem. Date

Agency sign-off:
_______________________________________ Agency Officer
_________________ Date


Phase 3B Conclusion and Reporting Form 03B-04 Action Plan Monitoring Tool

ACTION PLAN MONITORING TOOL


Objective

As discussed in the IRRBA Manual, the existence of the monitoring process for the prior years' recommendations serves as an additional control that motivates the audited agencies to act upon the recommendations provided by the auditors. Likewise, monitoring serves as a feedback mechanism for auditors to determine the value that the agencies obtain from the findings and suggestions that they provide.

The Action Plan Monitoring Tool serves as a guide for the auditors and agencies in conducting a structured monitoring process of the prior years' recommendations on the audit observations noted. Note that the Agency Action Plan element will be provided by the audited agency.

Accomplishing this Tool

The following elements are to be lifted from the Agency Action Plan provided by the agency management:
- Reference
- Audit Observation and Recommendation
- Agency Action Plan
  - Action Plan / Remarks
  - Person/Department Responsible
  - Target Implementation Date

The columns provided under the COA Monitoring portion are developed to guide the auditors during the conduct of their monitoring procedures. These elements are essential since they are the focus of the monitoring function of the auditors.

Date of follow-up - Indicate the date when the follow-up is made.

Implementation Status - This column shall be filled in by the auditor during the execution of the monitoring procedures.

Last updated : March 2011 Version : 03B-04/2011/v1


The following are the selections for the status of the implementation of agency action plans:
- Full - Action plans as provided by the agency management in the Agency Action Plan document have been fully implemented in all scope mentioned.
- Partial - Action plans as provided by the agency management in the Agency Action Plan document have been partially implemented in some areas.
- Ongoing - Implementation of the action plans provided by the agency management in the Agency Action Plan is still ongoing.
- Non-implementation - Agency management did not implement the action plans provided in the Agency Action Plan within the target completion period. This is the area that auditors should examine carefully. Auditors shall examine and assess the reasons for non-implementation of previously stated action plans.

Actual Implementation Date - Part of the auditors' examination is the determination of the actual implementation date of the action plan set by an agency. Comparison of the actual date against the target date for the implementation of action plans is significant, particularly for interrelated audit observations and action plans.

Reason for Delay/Non-implementation - Auditors shall uncover the reasons for the delay or non-implementation of action plans. If the circumstances permit, auditors shall inquire with several agency personnel or officers on the causes of the delay or non-implementation.

Comments/Action Taken - This column is for the auditors' comments or actions to be taken as a result of the monitoring procedures conducted. The remarks provided in this column can also be a basis for the next year's audit project.


ACTION PLAN MONITORING TOOL


Sector :
Team :
Agency Audited :
Audit Period :
AAR Date :

Columns:
- Ref.
- Audit Observation and Recommendation
- Agency Action Plan: Action Plan/Remarks
- Agency Action Plan: Person/Dept. Responsible
- Agency Action Plan: Target Implem. Date
- COA Monitoring: Date of follow-up
- COA Monitoring: Implem. Status (Full, Partial, Ongoing, Non-implementation)
- COA Monitoring: Actual implem. Date
- COA Monitoring: Reason for Delay/Non-Implementation (if applicable)
- COA Monitoring: Comments/Action Taken

Prepared by:          Date:
Reviewed by:          Date:
Approved by:          Date:

Prepared by:
________________________________________ Audit Team Leader
_________________ Date

Approved by:
________________________________________ Supervisor
_________________ Date

Phase 4 Monitoring

MONITORING
[Figure: Integrated Results and Risk-Based Audit Framework. Planning: Strategic Planning and Risk Identification; Agency Audit Planning and Risk Assessment. Delivery: Execution; Conclusion and Reporting. Monitoring (Quality Control System).]

Introduction

The Monitoring phase of the IRRBA approach is a roadmap for the COA to maintain the delivery of quality audit service to the public. The Commission shall establish a quality control system that will promote an internal culture recognizing that quality is essential in performing all of its audit work.

The COA shall ensure that appropriate quality control policies and procedures are in place (e.g., engagement quality control reviews) in respect of each major product of the type of engagement, such as Comprehensive Audit (Financial, Compliance and Agency-based Performance Audits), Government-wide and Sectoral Performance Audit, and Fraud Audit.

Last updated : March 2011 Version : 05-00/2011/v1


Monitor Quality Control on Audit Services


The COA, as the country's auditor of all government agencies, government-owned and controlled corporations, and government financial institutions, shall establish and maintain a system of quality control to provide reasonable assurance that:
- The organization and its personnel comply with professional standards and applicable legal and regulatory requirements in the delivery of its audit services.
- The reports issued by the Commission are appropriate in the circumstances.

It is the responsibility of the Commission Proper to establish a strategic direction for the establishment of a Quality Control System. If deemed necessary, the Commission as a whole or each audit sector shall establish a Quality Control Committee that will assist the auditors in the initial and continuous implementation of the Quality Control System.

Likewise, it is the responsibility of the Cluster Directors to ensure that a monitoring process comprising an ongoing consideration and evaluation of the COA's system of quality control, including a periodic inspection of a selection of completed engagements, is in place. Each audit team is responsible for implementing the quality control procedures that are applicable to its audit engagement.

Elements of a Quality Control System

The following are the elements of a Quality Control System as taken from ISSAI 40 - Quality Control for Supreme Audit Institutions:

a. Leadership responsibilities for quality within the firm

An SAI should establish policies and procedures designed to promote an internal culture recognizing that quality is essential in performing all of its work. Such policies and procedures should be set by the head of the SAI, who retains overall responsibility for the system of quality control.

b. Relevant ethical requirements

An SAI should establish policies and procedures designed to provide it with reasonable assurance that the SAI, including all personnel and all parties contracted to conduct work for the SAI, complies with the relevant ethical requirements (e.g., integrity, independence, objectivity and impartiality, professional secrecy and competence).

c. Acceptance and continuance of client relationships and specific engagements

An SAI should establish policies and procedures designed to provide the SAI with reasonable assurance that it will only undertake audit tasks and other work where the SAI:
(a) Is competent to perform the audit task or other work and has the capabilities, including time and resources, to do so;
(b) Can comply with relevant ethical requirements; and
(c) Has considered the integrity of the organization being audited and has considered how to treat the risk to quality which arises.

The policies and procedures should reflect the range of work carried out by each SAI. SAIs broadly carry out work in three categories:
- Tasks that are required of them by their mandate and statute and which they have no option but to carry out;
- Tasks that they can choose to carry out;
- Tasks that are required by their mandate, but where they have discretion as to the timing, scope or nature of each task.

d. Human resources

An SAI should establish policies and procedures designed to provide it with reasonable assurance that it has sufficient resources (personnel and, where relevant, parties contracted to conduct work for the SAI) with the competence, capabilities and commitment to ethical principles necessary to:
(a) Perform its tasks in accordance with relevant standards and applicable legal and regulatory requirements; and
(b) Enable the SAI to issue reports that are appropriate in the circumstances.

e. Engagement performance

An SAI should establish policies and procedures designed to provide it with reasonable assurance that its tasks are performed in accordance with relevant standards and applicable legal and regulatory requirements, and that the SAI issues reports that are appropriate in the circumstances. Such policies and procedures should include:
(a) Matters relevant to promoting consistency in the quality of the work performed;
(b) Supervision responsibilities;
(c) Review responsibilities.

f. Monitoring

An SAI should establish a monitoring process designed to provide it with reasonable assurance that the policies and procedures relating to the system of quality control are relevant, adequate and operating effectively. The monitoring process should:
(a) Include an ongoing consideration and evaluation of the SAI's system of quality control, including review of a sample of completed tasks across the range of work performed by the SAI;
(b) Require responsibility for the monitoring process to be assigned to an individual or individuals with sufficient and appropriate experience and authority in the SAI to assume that responsibility;
(c) Require that those performing the review have not taken part in the task or any quality control review of the task.

Quality control policies and procedures

The Quality Control System shall be incorporated in the Commission's strategy, culture, policies and procedures. For the system to be effective, it shall be customized according to the COA's own structure, audit assignment risks and the tasks it performs. COA management shall ensure that the quality control procedures are being followed by the auditors not only for compliance but as an embedded process in ensuring delivery of quality audit services.

Quality risk

The COA shall ensure that the Quality Control System addresses the risks to the quality of its auditing and other work. The risks to quality will be dependent on the mandate and functions of the COA and the conditions and environment under which it operates. Quality risks may concern the professional judgments and performance of procedures in the conduct of auditing and other work, as well as the communication of the results and the appropriate understanding of these by intended users.

Other considerations to be included in the Quality Control System

- The COA shall ensure that applicable standards are followed in all work performed, and that any deviations are appropriately documented.
- The COA should consider its work program and whether, at an organizational level, it has the resources to deliver the range of tasks to the desired level of quality.
- All work performed should be subject to review as a means of contributing to quality and also to promote learning and staff development.
- Timely documentation of all work performed (e.g., audit work papers) following completion of each engagement shall be complied with.
- Auditors shall ensure that appropriate principles of natural justice are followed in respect of finalizing report findings to ensure those parties affected by the COA's reports have an opportunity to comment prior to the report being finalized.
- Auditors should balance the confidentiality of documentation with the need for transparency and accountability.
- Ensure that the results of quality control reviews are reported to the Commission Proper in a timely manner and that appropriate action is taken.

Quality Assurance Activities

Quality assurance refers to policies, systems and procedures established by SAIs to maintain a high standard of audit activity. It also refers to the requirements applicable to the day-to-day management of audit assignments. Quality assurance activities include:
- Securing the quality of the planning; the planning of selected tasks should be reviewed to ensure that adequate consideration has been given to all matters considered essential.
- Securing the quality of the ongoing work; the ongoing work should be subject to continual review. This review is essential to maintain the quality of audit work and to promote learning and feedback.
- Securing the quality of the finalized audit; all completed tasks should be reviewed prior to signing any reports.

The objectives of quality assurance procedures should incorporate:
- Professional competency and integrity
- Supervision and assignment of personnel to engagements
- Guidance and assistance
- Client evaluation
- Allocation of administrative and technical responsibilities.

Quality Assurance Review Program

The COA shall establish a Quality Assurance Review Program that is flexible to the needs and mandate of the auditors. The results of the program should be reported to COA management at least annually.

A quality assurance review program is a series of reviews of activities undertaken by the SAI to assess the overall quality of the work performed and covers various issues and perspectives. A quality assurance review may examine adherence to audit policy and procedures and identify areas where there is any opportunity for improvements in these policies and procedures, or it may assess the quality of audit work performed to meet specified objectives or specific stakeholders' perspectives. Quality assurance reviews will generally address both adherence to specified processes and the quality of the work performed.

The following are some of the activities which may be undertaken by the COA in performing its Quality Assurance Review Program:
- Independent academic review
- Stakeholder surveys
- Peer review
- Follow-up reviews of recommendations
- Citizen review
- Feedback from audited organizations.


Policy and Standard

Policy/Standard - Description
ISSAI 40 - Quality Control for Supreme Audit Institutions
ISSAI 1000 - General Introduction to the INTOSAI Financial Audit Guidelines
ISSAI 1220 - Financial Audit Guideline Quality Control for an Audit of Financial Statements
Appendix 4 to ISSAI 3000 - Communication and Quality Assurance
ISSAI 3100 - Performance Audit Guidelines: Key Principles Appendix
ISSAI 4100 - Compliance Audit Guidelines for Audits Performed Separately from the Audit of Financial Statements
ISSAI 4200 - Compliance Audit Guidelines Related to Audit of Financial Statements
