Vous êtes sur la page 1sur 200

Commission on Audit

INTEGRATED RESULTS AND


RISK-BASED AUDIT MANUAL
(Funded by The World Bank IDF Grant No. TF 092158)

Strategic Planning and Risk Identification

Planning Delivery

Agency Audit
Conclusion
Planning and Risk Execution
and Reporting
Assessment

Monitoring
(Quality Control System)

SEPTEMBER 2011
Integrated Results and Risk-Based Audit Manual

TABLE OF CONTENTS

Introduction

Overview of IRRBAM

1. Strategic Planning and Risk Identification

1.1 Perform Government Risk Identification


1.1.1 Develop/Update the Government Risk Model
1.1.2 Identify Government Risks
1.1.3 Report the Results of GRI
1.2 Conduct COA Strategic Planning

2. Agency Audit Planning and Risk Assessment

2.1 Prepare Agency Audit Workstep


2.2 Understand the Agency
2.3 Identify Significant Agency Risks
2.3.1 Update Agency Risk Model
2.3.2 Identify Agency Risks
2.3.3 Prioritize Significant Agency Risks
2.4 Understand and Assess Agency-level Controls
2.5 Understand the Process
2.5.1 Identify Critical Path of the Processes
2.5.2 Identify Process Risks
2.5.3 Identify Impact
2.5.4 Identify Existing Controls
2.6 Conduct Audit Risk Assessment and Planning
2.6.1 Financial and Compliance
2.6.2 Performance
2.6.3 Determine Audit Scope and Timing
2.6.4 Determine need for specialized skills

3A. Execution
3A.1 Design Audit Tests
3A.2 Execute Audit Tests
3A.3 Evaluate Audit Results
3A.4 Communicate Audit Results

Supplemental:
3A-S1 Execution Financial & Compliance
3A-S2 Execution Performance
3A-S3 Sample Test of Control Working Paper

Last updated : March 2011 1|Pa ge


Version : 00-01/2011/v1
Integrated Results and Risk-Based Audit Manual

3A-S4 Sample Substantive Test Audit Program

3B. Conclusion and Reporting


3B.1 Summarize Audit Results
3B.1.1 Prepare summary of audit results and recommendations
3B.1.2 Discuss results of different types of audit conducted
3B.2 Prepare Audit Report
3B.3 Perform Overall Audit Review
3B.3.1 Perform overall review and approval
3B.3.2 Issue report
3B.4 Wrap-up and Archive the Engagement
3B.5 Follow-up Agency Action Plan

4. Monitor quality control on audit services

Last updated : March 2011 2|Pa ge


Version : 00-01/2011/v1
Integrated Results and Risk-Based Audit Manual

FORMS AND TEMPLATES

1. Strategic Planning and Risk Identification


Form 01-01 Government Risk Model (GRM)
Form 01-02 Government Risk Identification Template (GRIT)

2. Agency Audit Planning and Risk Assessment


Form 02-01 Agency Audit Workstep
Form 02-02 Understanding the Agency (UTA) Template
Form 02-03 Agency Risk Model (ARM)
Form 02-04 Agency Risk Identification (AgRI) Matrix
Form 02-05 Agency-level Control Checklist (ALCC)
Form 02-06 Process-Risk-Control (PRC) Matrix
Form 02-07 Audit Risk Assessment and Planning (ARAP) Tool

3A. Delivery: Execution


Form 03A-01 Audit Test Summary (ATS)

3B. Delivery: Conclusion and Reporting


Form 03B-01 Summary of Audit Results and Recommendations (SARR)
Form 03B-02 Quality Inspection Tool (QIT)
Form 03B-03 Agency Action Plan (AAP)
Form 03B-04 Action Plan Monitoring Tool (APMT)

Last updated : March 2011 1|Pa ge


Version : 00-02/2011/v1
Integrated Results and Risk-Based Audit Manual Introduction

Introduction

The services provided by the Commission on Audit, as a Constitutional Body and as the
countrys Supreme Audit Institution are critical to meet the uttermost expectation of the
public. The evolution of audit approaches, revision and emergence of old and new laws,
rules and regulations necessitates a more integrated and holistic approach in the conduct
of COAs audit services.

With this regard, the Philippine Government entered into a contractual agreement with the
International Bank for Reconstruction and Development (World Bank) for a grant (IDF
Grant TF092158) to improve the effectiveness and efficiency of the COA in its audit of
government revenues and expenditures through the development and adoption of a
results-based integrated audit methodology that will focus on the outputs and outcomes of
public expenditures, using a risk-based approach.

As early as 2003, COA has already introduced the risk-based approach in the conduct of
its audit services. Various risk-based manuals have been developed such as the
Government-wide and Sectoral Performance Audit (GWSPA) Manual, Risk-based Audit
Approach (RBAA) Manual and the Risk-based Financial Audit Manual (RBFAM). A
significant addition in this manual is the inclusion of the Organizational Performance
Indicators Framework of the Department of Budget and Management to support the
Governments Public Finance Management (PFM) reform agenda. This will be introduced
in this manual to complement the results-based evaluation of the projected and actual
outputs and outcomes of programs, activities and projects of government agencies that
will focus on the role of public audit in promoting increased accountability and
transparency to improve capacity in the overall governance framework of the Philippines.

This Integrated Results and Risk-based Audit Manual aims to integrate the different COA
audit services such as: Financial and Compliance Audit; Agency-based Performance
Audit; Government-wide and Sectoral Performance Audit; and Fraud Audit into a common
audit approach. The IRRBA approach will provide for a consistent set of processes that
will guide the COA auditors in performing COAs audit services. The silo approach in the
conduct of the audit will be addressed by introducing linkages of each type of audit and its
results for a more effective service delivery.

Last updated : March 2011 1|Pa ge


Version : 00-03/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

Overview

Government auditing plays a vital role in the public sector governance through its
oversight, insight and foresight responsibilities. Government auditors help the government
achieve accountability and integrity, improve operations, and instill confidence among
citizens and stakeholders.

The Commission on Audit, as mandated to be the countrys Supreme Audit Institution by


Article IX-D of the 1987 Philippine Constitution, plays a significant role in the Public Sector
Governance. This mandate gives the COA the responsibility to serve as the check and
balance in the use of public funds; to become part of the development of a sound financial
management; to examine proper execution of administrative activities; and to provide
information to public authorities and the general public through the publication of objective
reports.

This manual will discuss the COAs fulfillment of its role in the countrys public governance
through the delivery of the following audit services:
Comprehensive Audit
- Financial and Compliance
- Agency-based Performance Audit
Government-wide and Sectoral Performance Audit (GWSPA)
Fraud Audit

The need for an Integrated-Results and Risk-based Audit

Integration is defined in this manual as the establishment of a common public sector


audit approach and a consistent set of audit processes that reduces redundant activities,
eliminate duplication in the audit of an agency and drive down resource costs through
identifying opportunities to create efficiencies and streamlining public sector audit
processes to allow the delivery of a comprehensive attestation and advisory audit
services.

The Commission has long been implementing risk-based audit in the conduct of its audit
services. However, to meet the evolving developments in the public governances
expenditure management, the COA shall incorporate the results-based approach in its
audit.

Last updated : March 2011 1|Pa ge


Version : 00-04/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

Organizational Performance Indicator Framework (OPIF)

The Organizational Performance Indicator Framework (OPIF) is one of the two reform
components of the Public Expenditure Management (PEM) being implemented by the
government. The reform is being headed by the Department of Budget and Management
(DBM) in coordination with other oversight agencies such as the COA and the National
Economic and Development Authority (NEDA).

OPIF is an expenditure management approach that links public resources towards results
and accounts for performance. This approach guides agencies to focus their efforts and
public resources on core functions and on delivering high impact activities at reasonable
costs and qualities.

The role of the COA comes in to assess the agencys performance through indicators that
are initially set to account for accomplishments based on pre-determined targets and
measures.

Linkage of COAs audit services

The diagram below shows how COAs audit services are linked to different audit services,
as well as to the countrys Public Expenditure Management reform, the OPIF.

AGENCY INTER-AGENCY
Linkage with other government agencies

Regularity (Financial and Compliance Audit) Government-


wide and
AUDIT

Sectoral
Performance
Agency-based Value For Money Audit
Economy Efficiency Effectiveness
Audit
(GWSPA)
ELEMENTS

Resource Inputs Processes Outputs Outcome Impact

Budget Enacted Programs Major Final Organiza- Sector


Performance
Indicator

Budget Outputs tional Goals


Legislation Activities Outcome
Other Societal
Inputs Projects Goals

Diagram 1: Overview of COAs audit services

Last updated : March 2011 2|Pa ge


Version : 00-04/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

The diagram depicts the different audit services provided by the Commission:

Comprehensive Audit

Financial Audit This type of audit seeks to determine the accuracy of the data
contained in the financial statements and reports of the agency including the
reliable recording and reporting of historical financial information.

Compliance Audit Compliance audit seeks to ensure that public funds are
obtained and used in accordance with law and propriety, as well as to determine
whether the accountable agency has properly discharged its responsibilities in a
legal and ethical manner.

Agency-based Performance Audit This audit examines the economy, efficiency


and effectiveness of an agency in using its public resources.

Government-wide and Sectoral Performance Audit (GWSPA)

This type of audit deals with determining the economy, efficiency and effectiveness
of publicly funded projects, activities and programs among different agencies.

The diagram shows the focus of the different audit services provided by the COA by
differentiating the elements of an agencys process. Each element (resource, input,
process, output, outcome and impact) is interrelated and plays a significant role in an
agency and the government as a whole.

The COAs results-based approach will be used in assessing an agencys performance


indicators indicated in its OPIF. The OPIF element in an agencys logframe can be traced
into its processes which will be taken into account during the conduct of the audit.

Although not mentioned in the diagram, auditors shall be aware of any possible fraud
indications which may arise during the course of the audits conducted. Fraud audit shall
always be embedded in the delivery of the COAs audit services.

Last updated : March 2011 3|Pa ge


Version : 00-04/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

The role of OPIF in public sector performance audit

Introduction

The starting point in the performance audit planning process is selecting the right scope
for audit from the multitude of government activities. This is a multifaceted and demanding
exercise that requires good knowledge of the government agencys business or sector of
action and how it contributes to governments strategic ends. It is, however, one of the
most essential steps in the process. If the breadth and depth of audit fail to address the
governments major final outputs and outcomes, all the audit effort that follows will have
little chance of generating better managed government programs, better state
accountability to the public and an ethical and effective public service.

The Organizational Performance Indicator Framework, or OPIF, sets out a structure that
provides an important compass in deciding the content and substance of performance
audit. As its name suggests, OPIF is a systematic approach to planning that seeks to
align the tasks government agencies are funded to do (i.e., the goods and/or services they
provide to external consumers or end-users) with the desired outcomes, objectives or
goals that the government hopes to achieve or influence in critical societal areas such as
health, education, economic well-being, law and order, and environmental sustainability.

The audit planning process involves several layers of activity that interrelate with OPIF in
a complex manner before an audit begins. These include the recognition of external
trends and strategic risks facing government instrumentalities; the defining of output or
product lines, functional areas and sectors to be reviewed over time; and the choice of
agency programs or activities to be examined. Typically, these are driven by the relevance
of performance audit to the government agencys mandate, the major risks associated
with the agencys mission, and auditability (or inability to carry out the audit, as in the case
of societal outcomes where suitable criteria are not available to assess performance).
Risk-based audit planning is emphasized at the outset because of the crucial role it plays
in ascertaining how well a government agency is responding to key challenges,
opportunities and critical success factors that shape the accomplishment of government
objectives and the discharge of stewardship responsibilities for public resources and
assets.

Last updated : March 2011 1|Pa ge


Version : 00-05/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

Outcome orientation: twinning of performance audit and OPIF

In the past, many audits were driven by control and process concerns rather than added-
value considerations in assessing public sector performance. However, the current trend
is toward a more outcome-based audit. The need of government to achieve more concrete
results in societal goals such as poverty reduction, full employment and education for all is
shifting the emphasis of public sector audit, in recent years, to pay more attention on
results. Regardless of whether the scope of the audit is a program, an operation, a system
or a control, a focus on results is being maintained, if somewhat unsystematically. The
relationship of the agencys agenda to the desired ends is increasingly becoming
indispensable to the auditors learning curve.

Performance auditing by nature is not a regular audit with by the book opinions. The
auditor might not have to confront a traditional, rule-bound situation. Performance audit is
wide-ranging, operating from a quite different knowledge base to that of traditional
auditing. This type of audit looks at the outputs or outcomes first and avoids conducting an
initial scrutiny of the details of the methods or processes. Of course this presumes that
indicators are on hand to gauge the quality, quantity and cost of the outputs. If the auditor
finds the result to be all right, serious flaws in the design or implementation of the activity
or process are discounted, making the entire audit procedure more cost-effective. It is
only when the result is substandard that controls are examined to pinpoint what is
troubling the system.

The greater challenge for performance audit occurs when it has to delve into policy
questions. Auditors must understand policies amenable to audit effectively, and results-
oriented auditing inevitably brings performance auditing closer to policy matters. They
must have the expertise to check (1) whether agency practices comply with policy
expectations (for example, extent of compliance with enacted policy on service
standards); (2) the sufficiency of the agencys cost-benefit analysis on which a policy or
program is based; (3) opportunities to fill policy gaps (for example, the need for a
government-wide policy on emergency preparedness); and (4) the need to update or
improve existing policy (for example, the need for a new directive for national security). A
caveat is that it is generally accepted that performance audit should confine itself to
examining policy and program implementation and not to throwing the development of
policy into doubt (although auditors may evaluate the clarity of the grounds for setting the
objectives). Note too that the risks of mandate concerns proportionately get bigger as
policies get broader. It is easy enough for auditors to deal with departmental
administrative policies (such as service delivery procedures), but the stakes grow to be
larger when auditors tackle program policy goals (such as fisheries conservation policy,
healthcare policy) as well as national policy goals (such as reducing poverty).

Last updated : March 2011 2|Pa ge


Version : 00-05/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

OPIF provides a good platform for auditors not to second-guess the strategic intentions of
government, when government selects a certain policy direction. Departments and
agencies are now required to define results commitments in their corporate plans and to
report goals and actual performance annually. These provide excellent points of reference
for results-oriented auditing. The Department of Budget and Management, the
implementor of OPIF, acts as the agent for government in negotiating performance
contracts with the departments and agencies, to assist them in linking the goods and
services that they deliverthe major final outputs (MFOs)to the results they have
committed to (organizational outcomes, sectoral and societal goals).

Indeed, the key features of OPIF embody a clear crossover between a results-oriented
performance framework and a results-based audit perspective. These include: (1) a shift
of emphasis in department/agency accountability towards outputs and results (outcomes)
measured against performance indicators; (2) clarification of expected performance and
accountability of departments/agencies through these results; (3) focus on the delivery of
outputs relevant to the results/outcomes specified in agency mandates; (4) establishment
of an integrated performance management system in which performance targets zero in
on the efficiency of departments/agencies in delivering their MFOs; and (5) reporting to
the public and to Congress in clear terms the outcomes achieved.

Both OPIF and performance audit deal mainly with questions such as: What has been the
upshot of the agencys performance, and have the requirements or the objectives been
fulfilled? In this approach, the inquiry centers on performance (concerning economy,
efficiency, and effectiveness) and relates observations to the given norms (goals,
objectives, regulations and so on). To be sure, there is a striking parallel between what
they strive for, as indicated in the following table:

Performance Audit OPIF

Economy - minimizing the cost of Fiscal discipline - living within the means
resources used for an activity, having (resources) available to the Government
regard to appropriate quality

Efficiency producing similar results with Allocative efficiency - spending money on


fewer resources or better results with the the right things or right priorities
same resources Operational efficiency - obtaining the best
value for the money or resources available
Effectiveness achieving the stipulated Effectiveness - success of process and
aims or objectives by the means employed outputs in delivering societal and sectoral
and the outputs produced changes

Last updated : March 2011 3|Pa ge


Version : 00-05/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

At the very basic level, performance auditing has been mainly concerned with different
aspects of the economy or the efficiency of operations of agencies. Auditors try to answer
the question Are things being done in the right way?, that is, whether policy decisions
are being carried out properly. This question often partakes of a normative outlook, i.e.,
the auditor wants to know whether government officials have observed the rules or the
requirements.

Audits of economy may provide answers to questions such as: Do the means chosen or
the equipment obtainedthe inputsrepresent the most economical use of public funds,
consistent with the quality needs of the program? Have the human, financial or material
resources been used cost-effectively? Are the management activities performed in
accordance with sound administrative principles, contract requirements, acceptable
standards, and good management policies? In short, has the agency kept the costs low?

Audits of efficiency answer the question whether agency resources have been put to
optimal or suitable use or whether identical results in terms of quality and turn-around time
could have been achieved with fewer resources. Auditors examine productivity, unit cost,
or indicators such as utilization rates, backlogs and service wait times. In short, has the
agency made the most of available resources?

The OPIF approach to performance management displays the same adherence to


efficiency and economy. The focus is on allocative efficiency (in terms of national and
sector goals and organizational outcomes) in the execution of the budget, but also on the
operational efficiency of departments/agencies in the provision of services (and, in some
cases, goods) for the purpose of achieving the desired government goals and outcomes.
Sound OPIF-based management means that the responsible authority will promote the
optimal use of resources to achieve intended outcomes with the lowest possible costs.

The scope for analysis becomes considerably wider when a second-order question
whether the right things are being doneis asked. This line of inquiry refers to
effectiveness or impact on societywhether the adopted policies have been suitably put
into service or whether ample means have been utilized to achieve the predetermined
aims. There are two parts to the issue of effectiveness: if the policy objectives have been
achieved, and if the impacts observed are really the upshot of the policy rather than other
circumstances. It is here where a chosen measure to achieve a certain objective runs the
risk of being contested. Effectiveness audits are also on the lookout for unintended
consequences or spillover effects (such as environmental degradation resulting from
economic policy). The figure below indicates how audit perspectives enter into an
effectiveness model.

Last updated : March 2011 4|Pa ge


Version : 00-05/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

In assessing effectiveness, performance auditing may ask whether (1) government


programs have been effectively designed, whether the means provided (legal,
financialand so on) are proper, consistent, suitable, or relevant; (2) the program
supplements, duplicates, overlaps, or counteracts other related programs; (3) the quality
of the public services meets the publics expectations or the stipulated objectives; (4) the
system for measuring, monitoring and reporting is adequate; (5) the observed direct or
indirect social, economic and environmental impacts of a policy are due to other causes;
and (6) alternative approaches can yield better performance or eliminate factors that
inhibit program effectiveness.

OPIF effectiveness measures rest on the same underpinnings as those of performance


audit. OPIF seeks to measure the effectiveness of the agencys outputs in delivering
societal and sectoral changes. OPIF measures of effectiveness (as well as of efficiency
and economy) begin as part of a budget proposal, and attain official standing or legislative
base once the government budget is passed by Congress. Once they reach this stage,
government agencies can prepare a blueprint of how these criteria will be used when
policy goals, programs and projects are implemented.

Thus the concept of a results-oriented approach applies irrespective of whether it is used


by OPIF or performance audit. Both follow the same input-throughput-output-outcome
cycle illustrated below.

Last updated : March 2011 5|Pa ge


Version : 00-05/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

Finally, both performance audit and OPIF allow for scrutiny and planning across
government departments, which should be the case since public sector activities and
projects often cross agency lines. Inquiring on the activity or project as a whole is in
general more useful than dwelling on a slice of action carried out by a specific agency.
The types of performance audits are (1) agency or program audits, which provide a
substantive review of the whole or part of the operations of a department or agency; (2)
government-wide audits, which focus on cross-sectional issues or functional areas, such
as procurement, in a number of departments; and sectoral audits, which focus on program
areas delivered by a number of agencies, for example, disaster mitigation operations. In a
similar vein, OPIF is carried out singularly in specific agencies, or jointly across sectors
(e.g., education, health, agriculture, science and technology).

Understanding the agency

Each audit should be based on a thorough understanding of the audited agency, and the
environment in which it operates, as it relates to the audit assignment. Performance audit
begins by having a good grasp of department/agency objectives, expected results and
stewardship responsibilities. The audit team then identifies the major threats and
opportunities that may affect the agency or entities within a functional area. Prior to
starting field work, a process of setting priorities, developing strategic and long-range
plans, submitting audit proposals, rationalizing resources and assessing anticipated audit
worth should take place. Regardless of the size and nature of the subject, it is important
for the audit team to understand the big picture. Generating audit conclusions or
reporting failings without this overall familiarity may result in sterile audit work or
ambiguous and confusing findings. A first round knowledge of the agency forms a
reasonable basis for believing that the audit can be completed in accordance with the
performance audit policies.

An agency analysis framework will be required. An environmental scan to identify external


trends and long-term risks and challenges that the agency faces will kick this off. All
agencies operate against a background of broad external forces that influence their

Last updated : March 2011 6|Pa ge


Version : 00-05/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

operations in substantial ways. These forces affect not just the agency, but also the public
and its resources. Some examples are (1) economic trends that include recession,
inflation, unemployment, and unfair trade practices; (2) political and regulatory factors that
involve world trade agreements, government subsidy programs, and political instability; (3)
demographic patterns that dictate the characteristics of the work force and the demand
preferences of the public (e.g., aging population affect demand for healthcare); (4)
technological advances that lead to dramatic changes in the way things are done, such as
computerization and the internet; (5) social/cultural changes that affect the way people
live, work and behave (e.g., more women in the workplace, concerns about drug abuse);
and (6) ecological concerns about acid rain, global warming, recycling and waste
management that can lead to substantial changes in the way agencies operate.

The audit team should have up-to-date knowledge of significant legislative authorities;
organizational arrangements; the bureaucratic environment in which the entity operates;
key personnel; spending levels and revenues; the entitys clients; major operations,
including in the field; the accountability arrangements; the major control systems; major
risks facing the entity; and prior deficiencies/known weaknesses.

How are the OPIF elements incorporated in understanding the agency? First, it is
necessary to check whether the OPIF logical framework will match up with an agency
program structureotherwise known as a program accountability model.

Last updated : March 2011 7|Pa ge


Version : 00-05/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

It is easy to see from the above figure that the OPIF framework elements have
corresponding components in the program accountability model. A comparison of the
building blocks of the two models, shown in the in the table below, illustrates how well-
matched they are. Auditors will not have to search far and wide to understand the
workings of an OPIF-based agency.

OPIF Logical Framework Program Accountability model

Societal goal describes the intended Impacts, or effects refer to all the
desirable impacts of the consequences of the program, whether
department/agencys goods and services intended or unintended
on the country, the environment or the
economy. As end-points to be aimed for,
they represent the high-level vision the
Government has for the country.

Sectoral goals the longer-term benefits


for the sector from organizational changes.

Organizational outcomes benefits to Outcomes intended consequences of


the community that result from the producing or delivering the goods or
department/agencys provision of goods or services; ranked from the immediate to the
services ultimate

Major final outputs the products (goods Outputs refer to the products or
and services) the department/agency services produced or delivered by the
delivers to external clients. program

PAPS programs, activities and projects Activities a collection of activities


that are necessary undertakings pursued directed to achieving the programs
by departments/agencies to be able to objectives.
deliver the goods, products or services.

In performance audit, the audit team checks if there is a logical link between the activities
undertaken, the output and the program objectives and other effects. They also ascertain
whether the agency is clear on what the expected outputs are (the MFOs in OPIF terms)
and whether performance indicators are available for guiding the audit.

Similarly, within OPIF, the building blocks are viewed in a sequence or chain, leading from
activities and processes to long-term goals such as poverty reduction. Each result in the

Last updated : March 2011 8|Pa ge


Version : 00-05/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

chain is a link and is joined to other results in the chain by causality. The chain starts
with projects, activities and programs (PAPs), and moves through MFOs to outcomes and
finally to higher-level goals at the sectoral and societal levels. The Medium-Term
Philippine Development Plan defines the societal goals and sectoral goals, providing an
overarching structure for OPIF logframe. The diagram below shows the linkage between
these different levels. The key level for OPIF is the MFO level. MFOs are tangible and can
be more easily quantified as compared to outcomes and goals. Each of the other levels
can be defined in relation to MFOs: activities are how MFOs are produced; outcomes
and higher-level goals are the reason or why MFOs are produced; and for the MFOs
themselves, there is a need to know what is produced and for whom. Measuring the
marginal contribution that an MFO makes toward improving a societal welfare (reduced
poverty incidence and improved quality of life) is a critical element of strategic budgeting
and the development of the MTPDP.

The OPIF logframe of the Department of Agrarian Reform (shown on next page), is an
example of a well-formulated results-based framework.

The OPIF process can assist performance audit through the following:
1. Review of the department/agency mandates and functions and articulation of the
organizational outcomes or results of the department/agency.
2. Identifying the links between the department/agencys organizational outcomes
and the higher government objectives (sectoral and societal goals) enunciated in
the MTPDP, government priorities, sectoral policies and so on.
3. Documenting the MFOs and organizational outcomes in a framework that shows
the linkages between resource inputs, the programs, activities and projects that the
department/agency implements to produce its MFOs, and the organizational
outcomes for which it is mandated.
4. Identification of performance indicators (PIs) with performance measures (targets)
for each MFO. These PIs are the major means by which the department/agency
can track progress and will be held accountable to the government as a whole, the
Congress, the general public and other stakeholders. There are four classes of
PIs:
Quantity indicates the volume of service (output) delivered during a given
period of time
Quality indicates how well the service (output) is delivered
Timeliness indicates the rate at which service (output) is delivered
Cost indicates the amount of input used to produce the service (output).

Last updated : March 2011 9|Pa ge


Version : 00-05/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

Department of Agrarian Reform

Last updated : March 2011 10 | P a g e


Version : 00-05/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

The following chart would be of immense help to auditors in pinpointing the agencys
extent of control and accountability over each activity/output level.

Under the OPIF process, each agency constructs a corporate plan that details out the
operating environment, business conditions and planned process improvements for
delivering MFOs and sub-outputs.

Since the MFOs are the lynchpin of the OPIF framework, it is essential to say a few more
words about them, in a way that would make clear their critical importance to
understanding the audited agency.

MFOs can be defined relative to the outcomes that they contribute to the client or
community group that they serve and the business lines or functional business unit of the
department/agency. To derive the MFOs, the department/agency should ask: What
outputs are we providing to external clients to achieve our mandate (organizational
outcomes)? MFOs may reflect delivery of saleable products, provision of policy advice or
other advisory services, regulatory services, case management services, and government
provision of services not readily available in the market place. It may include goods and
services delivered through outsourcing. Each MFO should reflect a core output,
deliverable or business line of the department/agency and will typically comprise a
grouping of PAPs undertaken with a common outcome in mind. This grouping of PAPs
should also help the department/agency to assess whether it is providing the right

Last updated : March 2011 11 | P a g e


Version : 00-05/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

services (or mix of services) to achieve the organizational outcomes. It is intended that, in
due course, the department/agency budgets will be appropriated at MFO level.
Following are examples of MFOs:
1. DOF - Fiscal policies (domestic and international), plans and programs; cash and
debt management services; Anti-corruption in public finance management, anti-
smuggling and tax evasion activities and exercise of regulatory power; policies,
plans and programs for domestic financial and capital market development;
policies, plans and programs for public sector debt management as well as risk
management; policies, plans and programs for the government corporate sector as
well as other government assets; policy oversight on LGUs financial operations;
administration of Locally-Sourced and ODA Funds for LGUs.
2. DOH Health, nutrition and population policy and program development; capability
building services for LGUs and other stakeholders; leveraging services for priority
health programs; regulatory services for health products, devices, equipment and
facilities; tertiary and other specialized health care.
3. DOT - Tourism promotional services; tourism development planning services;
standards for tourism facilities and services; development, restoration and
maintenance services, regulatory services.

The background knowledge that the auditors accumulate provides the basis for describing
the agency that is the subject of audit, enabling them to make initial scoping decisions and
defining lines of inquiry, such as those shown in the following figure. This knowledge
includes an understanding of the character of the government agency being audited (role
and function, activities and processes in general, development trends), legislation and
general programs and performance goals, organizational structure and accountability
relationships, internal and external environment and the stakeholders, external constraints
affecting program delivery, and management processes and resources.

Last updated : March 2011 12 | P a g e


Version : 00-05/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

An audit team with considerable experience in auditing the department or agency may
have cumulative knowledge to satisfy these requirements without engaging in a formal
overview stage. An in-depth perspective is required where a government-wide or sectoral
audit is being carried out. In some cases, a survey may be conducted to come up with a
broad-based appraisal of the operations subject to audit, without carrying out detailed
verification. The auditors gather information in order to fine-tune initial decisions about
scope, cost, timing and skills, and to propose audit objectives, areas for in-depth review,
criteria, and examination approach. In finalizing these decisions, the audit team designs
an audit to reduce the risk of making erroneous observations, faulty conclusion and
inappropriate recommendations in the report to correspond with the level of assurance
provided by the audit work. All things considered, the purpose of the scoping exercise is to
allow the concentration of audit resources and effort on the areas that can have a
significant impact on the performance and results of the subject being audited.
Unrelenting attention by the auditor is needed to identify and focus the audit on the critical
operations.

In using OPIF, the auditors must be aware of its limitations: First, it is a work in progress.
In view of the innovative nature of the OPIF system, which requires shifts in
practices/procedures, knowledge/capacity and value-orientation of the implementers,
changes in the current system cannot be done overnight. Second, implementation is done
through learning by doing. While the literature is replete with the available methodology

Last updated : March 2011 13 | P a g e


Version : 00-05/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

and tools for a performance and results-oriented system, capacity building can only be
made more effective if the agency staff go through the actual process of implementing the
system and learning from the lessons of experience. Third, the OPIF system is
homegrown and indigenized. Technical assistance from various sources, have been
provided to the government based on the experiences of countries that have adopted
OPIF in their respective planning and budgeting processes. This technical assistance
provided very valuable inputs in bringing OPIF to its status today. However, the technical
inputs have to be adjusted to suit the domestic institutional conditions.

A word about risk management

An important device used in all phases of the planning process is risk assessment. Risk is
defined as the probability that an event or action may harmfully affect the organization,
such as exposure to financial failure, loss of reputation, or inability to deliver the program
with economy, efficiency, cost-effectiveness or take into account the environmental
implications. Risk estimation requires the auditor to ask the following type of questions:
What can go wrong? What is the probability of it going wrong? What are the
consequences? Can the risk be minimized or controlled?

Can OPIF provide guidance and tools to assist auditors to identify and assess
environmental issues and risks in their performance audit work? OPIF can point to the
inherent risks in dealing with organizational outputs beyond the control of the agency (the
susceptibility of the subject matter by its nature to significant error where there are no
related controls). But an agency which is careless in applying OPIF to its operations may
itself induce failure risk. The fact that OPIF is to be carried out through learning by doing
raises significant risks in terms of timing and adequacy of results. Likewise, risk can attend
the consequences of the publics perception of fairness and equitable treatment of citizens
as agencies carry out MFOs. Changes in mandate occasioned by the introduction of new
MFOs may increase the level of exposure to uncertainties. There is also the matter of
process riskOPIF requires a sometimes painful alignment with operation strategies and
alternative delivery approaches. On the other hand, a circumspectly crafted
department/agency OPIF may prevent failure risk by avoiding redundant activities, non-
essential undertakings, uncoordinated policy/program implementation, poor sector
management, superfluous committees, and the politicization of the bureaucracy.

Last updated : March 2011 14 | P a g e


Version : 00-05/2011/v1
Integrated Results and Risk-Based Audit Manual Overview

Recap: OPIF value-adding contribution to performance audit

OPIF should, where the opportunity arises, add value in a variety of ways, including:

Helping auditors to respond effectively to changes in the way public services are
organized and delivered, including, identifying opportunities for worthwhile
innovation;
Providing new insights into the way an audited body manages its resources,
delivers its programs, achieves its objectives and develops business opportunities,
including how cost-effective improvements might be identified and achieved;
Helping generate the audit framework, by providing a convenient way to ascertain
the audit scope;
Keeping audit costs in balance with the significance of the issues being examined;
Taking account of the management circumstances and operational environment as
well as the governance milieu;
Sustaining an iterative planning process to maintain a focus on matters of
significance and interest to decision-makers and Congress;
Helping auditors to recognize institutional risks and to respond to them effectively;
Contributing to new accounting systems by making clear what the auditors
requirements are; and
Benchmarking and developing yardsticks, collating and distilling information, for
example, on good practice from across ranges of public sector agencies.

Last updated : March 2011 15 | P a g e


Version : 00-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification

STRATEGIC PLANNING AND RISK IDENTIFICATION

Integrated Results and Risk-Based Audit Framework

Strategic Planning and Risk Identification

Planning Delivery

Agency Audit
Conclusion
Planning and Risk Execution
and Reporting
Assessment

Monitoring
(Quality Control System)

Introduction

The complexity of todays public environment necessitates for a more systematic,


integrated and holistic approach to plan for the detection and management of the risks
faced by government institutions. Thus, the mandate of COA to safeguard the
transparency and accountability of the transactions of the government is getting more
complicated.

This phase covers the first integration point wherein all COA audit services namely:
Financial and Compliance Audit, Agency-based Performance Audit, Government-wide and
Sectoral Performance Audit and Fraud Audit, will meet through a common strategic
planning and risk identification process. The succeeding topics will describe the strategic
planning and risk identification processes and outputs of COA in relation to the conduct of
its audit services. However, for purposes of illustration and functional relation, some items
on COAs Annual Strategic Planning process will be referred. Nevertheless, the steps
provided in this manual will not supersede the processes defined in the Operations
Manual of the Planning, Financial and Management Office (PFMO).

Last updated : March 2011 1|Pa ge


Version : 01-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification

The following are the activities involved in this phase:

1.1 Perform Government Risk Identification (GRI)


1.1.1 Develop/Update the Government Risk Model (GRM)
1.1.2 Identify Government Risks
1.1.3 Report the results of Government Risk Identification (GRI)

1.2 Conduct COA Strategic Planning

Procedures

1.1 Perform Government Risk Identification

Risk is defined as the threat that an event, action or inaction will adversely
affect the agencys ability to successfully achieve its mandate and objectives
and execute its strategies.

The Government is always faced with internal and external factors that may
influence and make it uncertain whether and when it will achieve its objectives
stated in the Medium-Term Philippine Development Plan (MTPDP) and State of
the Nation Address (SONA) among others.

The Commission on Audit (COA) as the countrys Supreme Audit Institution shall
independently identify the risks that the Government as a whole may face in
achieving its objectives. This is to determine the focus areas which need to be
prioritized given the limited resources. The results will also be an input in the
determination of the appropriate audit strategies needed to be applied by COA for
the allocation of resources appropriate for the audit services such as the people,
skills, competence, processes and procedures.

The objectives of this activity are: to obtain high-level inputs from COA directors
assigned in the audit of agencies representing the three audit sectors, regions and
auditors performing Government-wide and Sectoral Performance Audit (GWSPA)
and Fraud Audit; to have a common language of risk; and to have a unified thrust
in government auditing.

This activity shall be conducted annually, supervised by the Assistant


Commissioners and attended by directors from the following sectors/offices:
o National Government Sector (NGS)
o Corporate Government Sector (CGS)
o Local Government Sector (LGS)

Last updated : March 2011 2|Pa ge


Version : 01-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification

o Regional Offices
o Special Audits Office (SAO)
o Information Technology Office (ITO)
o Technical Services Office (TSO)
o Fraud and Investigation Office (FAIO)

1.1.1 Develop/update the Government Risk Model

The Government Risk Model (GRM) is a framework consisting of risks categorized


into groups that could threaten the government as a whole or the specific
processes of the government. The GRM includes a definition of each risk to have a
common understanding of risks.

The GRM, populated with a list of government risks, is the foundation for
conducting Government Risk Identification. It shall be developed to facilitate the
identification of risks faced by the government as a whole.

Risks are categorized as follows:


Strategic risk arises when forces in the environment could significantly
change the fundamentals that drive governments overall social and/or
operating objectives, strategies and, in the extreme, result in failure of the
Governments operations.

Operation risk risks that operations are inefficient and ineffective in executing
the governments operating model, satisfying the public, and achieving the
governments quality, cost and time performance objectives. This arises when
operation processes:
o Are not clearly defined
o Are poorly aligned with agencys strategies, goals and objectives
o Are not performed effectively and efficiently in satisfying the public
o Expose significant financial, physical and intellectual resources to
unacceptable losses, risk taking, misappropriation or misuse

Financial risk risk that cash flows and financial risks are not managed cost-
effectively to: (a) maximize cash availability; (b) reduce uncertainty of currency,
interest rate, and other financial risks; or (c) move cash funds quickly and
without loss of value to wherever they are needed most. It also includes risks
that government agencies face when misleading financial information becomes
the basis for decision making by the governing management.

Compliance risk non-compliance with prescribed policies and procedures or


laws and regulations resulting in lower quality, higher execution costs, lost
revenues, unnecessary delays, penalties, fines and so on.

Last updated : March 2011 3|Pa ge


Version : 01-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification

Government Risk Model


COA directors representing the three audit sectors, regions, SAO, TSO, ITO, and
FAIO shall identify and define risks inherent to their sector/region to develop a
comprehensive list of government risks and have a common understanding of risks
within the COA. Presented below (Diagram 1.1) is a sample of the GRM.

Strategic Operations Compliance Financial


Planning and resource Public service and operations Mandate Market
allocation Customer/public satisfaction Functions Interest rate
Organizational structure Channel effectiveness Foreign currency
Strategic planning Cycle time Governance Commodity
Operational planning Service failure Board performance/Agency Financial instrument
Budgeting Efficiency Management Committee Public policies
Forecasting Capacity Tone at the top Debt and fiscal policy
Resource allocation Performance measure/gap Authority/limit
Capital/fund availability Partnering/contracting Control environment Liquidity and credit
Operational model Citizen relationship Corporate social responsibility Cash management
Operational portfolio management system and Reputation Opportunity cost
Outsourcing organization Funding
Code of conduct Hedging
Corruption and fraud
Major initiatives Ethics Credit and collections
Vision and direction People Fraud Insurance
Planning and execution Culture Employee/third party fraud Foreign assisted loan
Measurement and monitoring Recruiting and retention Illegal acts
Technology implementation Development and performance Management fraud Accounting and reporting
Project evaluation Succession planning Unauthorized use Accounting, reporting and
Change readiness Knowledge capital disclosure
Climate change and Compensation and benefits Legal Internal control
Performance incentives Contract Investment evaluation
sustainability initiatives
Education Health and safety Liability Tax strategy and planning
Intellectual property
Healthcare services delivery
Energy and water management Information technology Anticorruption
(supply/distribution) Information management Legal
Security/access
Availability/continuity
Integrity
Infrastructure

Diagram 1.1 Sample GRM

The GRM shall be revisited at least annually and updated/revised regularly or as


required to reflect changes in government risks brought about by the changing
environment and current events.

The GRM shall be used as one of the inputs in identifying government risks.

Documentation

Form 01-01 Government Risk Model (GRM) documents all the identified
government risks and its corresponding definition.

Last updated : March 2011 4|Pa ge


Version : 01-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification

1.1.2 Identify government risks

Risk identification is the process of finding, recognizing, and describing risks. It


involves the identification of risk sources, events, their causes and their
potential consequences.

The fundamental principle of a risk-based audit is to identify risks and focus the
audit on those areas which may have a significant effect on the achievement of the
governments objectives.

As the countrys Supreme Audit Institution, it is imperative for the Commission to


identify risks which may hinder the government as a whole to achieve its
objectives. Identification of government risks shall be conducted by the COA to
determine the areas needed to be focused in their audit activities. This is an input
to the development of the Commissions overall audit focus areas during the
Annual Strategic Planning.

Identification of government risks is done by the COA as an auditor and is


independent from the management of the government and its agencies. Any risk
assessment as part of the risk management process which will be carried out by
the COA as an agency is distinct and separate from this activity. At the same
time, the results of the COAs risk identification cannot be considered as a
substitute for the governments or agency managements own risk assessment
process.

Identification of government risks shall be conducted annually. This activity can be


done through workshops, surveys or interviews. In any case, this activity shall be
supervised by the Assistant Commissioners and attended by directors from the
following sectors/offices:
o National Government Sector (NGS)
o Corporate Government Sector (CGS)
o Local Government Sector (LGS)
o Regional Offices
o Special Audits Office (SAO)
o Information Technology Office (ITO)
o Technical Services Office (TSO)
o Fraud and Investigation Office (FAIO)

This activity is conducted to have an over-all consideration of risks of the


government as a whole. As an agency that is mandated to look at the transparency
and accountability as well as to recommend measures to improve the efficiency
and effectiveness of government operations, the COA shall have a unified
approach and same risk language in identifying the exposures of the government.
This is the first integration point of different audit services performed by the COA.

Last updated : March 2011 5|Pa ge


Version : 01-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification

Identification of government risks should not be done on a silo approach. This


activity will be conducted in order to identify risks or potential issues that may cut
across different government agencies. Inputs of each audit sector are therefore
relevant to capture the real risk scenarios of the government as a whole.

Linkage of government objectives and initiatives, risks and agencies

Diagram 1.2 - Linkage of objectives and initiatives, risks and agencies

Identifying risks in government objectives and initiatives

Understanding the objectives of the government is the first step in this process.
After the objectives have been substantiated, risks that may hinder the
achievement of the set objectives shall be identified.

In identifying government risks, the COA should identify sources of risks, areas of
impacts, events, causes and potential consequences. This is to generate a list of
risks based on those events that might create, enhance, prevent, degrade,
accelerate or delay the achievement of objectives.

The following shall be used as inputs in identifying government risks:


o SONA
o MTPDP

Last updated : March 2011 6|Pa ge


Version : 01-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification

o Medium-Term Public Investment Program (MTPIP)


o GRM
o Previous AARs
o Sector risks
o Media releases and media reports
o Fraud and geographic risks
o Government-wide and sectoral programs and activities
o Knowledge of the auditors

Risk analysis involves considering the causes and sources of risk, their positive
and negative consequences, and the likelihood that those consequences can
occur. Factors that affect consequences and likelihood should be identified. Risk is
analyzed by determining consequences and their likelihood, and other attributes of
the risk. An event can have multiple consequences and can affect multiple
objectives.

Risks are evaluated and prioritized based on the outcomes of risk analysis.

Identify Government Link risks to


Inputs
Risks Agency/Programs/Activities

Department of Public
COA Fraud and Works and Highways
Knowledge and prior audit reports

Direction/ geographic
SSAP risks
Metropolitan Waterworks
and Sewerage System

SONA, Media
MTPDP and releases and City Government of Navotas
MTPIP reporting

Hunger mitigation
program
Industry/
GRM sector risks Health sector
development project

Diagram 1.3 Risk Identification Process Flow

Risks on fraud covered by FAIO and government programs/activities under the


scope of Government-wide and Sectoral Performance Audit (GWSPA) covered by
SAO shall also be considered in this activity. Government Risk Identification,
based on the results, may result directly in the identification of fraud audits and/or
GWSPAs.

Last updated : March 2011 7|Pa ge


Version : 01-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification

In this activity, the participants may identify potential GWSPAs. SAO shall also
recommend government programs and activities to be subjected to GWSPA.
Potential GWSPAs shall be analyzed and evaluated.

Locate identified government risks to affected agency and its programs/activities

After the risks have been identified for a particular government objective, the COA
shall now locate these risks with the concerned agencies and the related
processes, programs, activities or projects.

Form 01-02 Government Risk Identification Template (GRIT) is prepared to plot


the key government risks and the affected agencies including processes,
programs, activities or projects.

Diagram 1.8 below illustrates the linking of risks to processes.

Government processes/
Key Government Risks Government Agency
programs/activities

Link key government risks to government


Legal
government agencies within the cluster

processes/programs/activities
Intellectual property
Link key government risks to

Department of
Liability Public Works and
Compliance

Highways
Contract Procurement
Process
Anticorruption Department of
Transportation
Legal and
Communication

Diagram 1.4 Linkage of risks to processes

Fraud audit and GWSPA

For key government risks that resulted directly to the identification of fraud audits
and GWSPAs (as risk response or planned action), FAIO and SAO shall perform
the audits following the guidelines set forth in their respective manuals (Fraud
Audit Manual and GWSPA Manual).

Documentation

The results of this activity shall be documented in Form 01-02 Government Risk
Identification Template (GRIT).

Last updated : March 2011 8|Pa ge


Version : 01-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification

1.1.3 Report the results of Government Risk Identification

The COA shall ensure that the results of the government risk identification will be
presented to and approved by the Assistant Commissioners and Commission
Proper, and distributed to concerned sectors/offices who participated in this
activity.

The report on the results of GRI contains/documents the GRIT and the minutes of
the GRI activity.

The results of this activity shall be cascaded down to the concerned sectors,
clusters, audit groups through the COA Strategic Planning process. The results
will also be an input to the Agency Audit Planning and Risk Assessment Phase
(refer to phase 2 of the manual).

1.2 Conduct COA Strategic Planning

This section covers the COA Strategic Planning conducted annually. The elements
and processes described here are captured from the PFMO manual to show the
linkage of Strategic Planning of the COA as an agency to the IRRBAs Strategic
Planning and Risk Identification of the COA as an auditor. The IRRBA Manual
does not supersede any activity presented in the PFMO Operations Manual.

Strategic planning is an essential element in the development of an IRRBA


approach. A long-term perspective for the audit services may be provided by this
process. Likewise, it provides efforts to allocate resource properly and drives the
implementation of the COAs audit objectives and priorities.

Strategic Planning process

Strategic planning is an iterative and never-ending process. The COA shall


continuously set goals, values and objectives aligned to its mandate and monitor
its progress all throughout the year. Each element of the planning process cannot
stand alone and is necessary to be linked with other elements to fully achieve its
objective.

The following are some of the Strategic Planning models used by other
organizations. There is however no perfect strategic planning model for a specific
Supreme Audit Institution. It is still the managements responsibility to select and
ensure a model that is tailor-fitted to the needs and culture of the COA.

Last updated : March 2011 9|Pa ge


Version : 01-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification

Basic Strategic Planning


Basic strategic planning starts with the identification of the organizations
purpose or mission statement. Goals will then be established to define what an
organization needs to accomplish to meet its purpose or mission, and address
major issues facing the organization. After the mission statement and goals
have been identified, specific approaches or strategies will be set. Strategies
often change the most as the organization eventually conducts more robust
strategic planning. Specific action plans will then be based on the strategies
identified. This is the specific activities set out for each major sector or
department. Then, regular monitoring and update of the plans are performed as
the year progresses.

Goal-based/Issue-based Planning
The processes are almost the same with the Basic Strategic Planning model
except that the organization conducts an assessment of its Strengths,
Weaknesses, Opportunities and Threats (SWOT).

Scenario Planning
This model, as the title implies, relates factors which might influence the
organization such as: new standards; laws, rules and regulations; economic
downturns; and natural disasters. Each possible change in circumstance or
scenarios will be provided with strategies.

Alignment Planning
The alignment model ensures strong alignment among the organizations
mission and resources to effectively deliver the services. This model focuses on
the adjustments to be made to fine-tune the strategies needed to align with the
organizations mission, programs, resources and needed support.

Self-Organizing/Traditional Planning
These are often liner in nature, e.g. general-to-specific, cause-and-effect.
Typically, the organization starts the planning process with the SWOT Analysis,
then prioritizing issues which will be provided with specific strategies.

Seeking consultation and interaction among the participants during the planning
process is significant. Concurrence shall be obtained not just on the outcomes of
development but also on the strategies and tradeoffs needed in establishing the
level of the COA audit services to be provided.

Last updated : March 2011 10 | P a g e


Version : 01-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification

Reasons for Planning


The following are some of the reasons for the strategic planning process:
It is a requirement of the auditing standards
It is a guide for the achievement of the audit objectives
It is a tool used to monitor an organizations progress
It measures accomplishment
It provides control over activities
It assigns responsibility and accountability

Benefits of Strategic Planning


Strategic planning provides benefits such as:
Clearly define the purpose of the organization and to establish realistic goals
and objectives consistent with that mission in a defined time frame within the
organizations capacity for implementation.
Serves as a communication tool to disseminate the organizations goals and
objectives
Assigns ownership of action plans and strategies
Utilizes resources by focusing on the key priorities
Provides a measuring tool for the performance and progress of each segment

Elements of a strategic plan


Development of strategic plan requires consideration of values and priorities. The
plan should reflect the needs of the COA as a whole in response to its mandated
functions.
Key message from the Commission Proper
Mission
Vision
Goals
Strategic thrusts
Key national programs and the entities responsible
Monitoring process
Review and communication

In any case, plans must be adaptable and flexible in response to a changing


environment. Assessment on the capacity and resources shall also be regularly
done to determine any needs for adjustment on the plans set.

Last updated : March 2011 11 | P a g e


Version : 01-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification

Timing
Ideally, the strategic planning process should be conducted at least once a year in
order to be ready for the coming year. This includes identification of the
organizational goals to be achieved at least over the coming fiscal year, resources
needed to achieve those goals, and funding needed to obtain the resources.

Linkage of COAs Annual Strategic Planning process with IRRBA

The diagram below shows the linkage of the COAs Annual Strategic Planning
Process with the Strategic Planning and Risk Identification phase of the IRRBA
approach.

The previous activity, Government Risk Identification will be an input in the


Annual Strategic Planning of COA to determine the focus areas of the audit
sectors. The GRIT, as accomplished by the COA Directors and approved by the
Assistant Commissioners will be cascaded as an attachment to the Sector
Strategic Action Plan (SSAP) and Cluster/Regional Operation Plan (COP/ROP) of
the audit sectors.

The results of the COAs Annual Strategic Planning process specific to the conduct
of the audit services will be an input in the Phase 2 of the IRRBA methodology
Agency Audit Planning and Risk Assessment.

Diagram 1.5 Linkage of COAs Annual Strategic Planning process with IRR

Last updated : March 2011 12 | P a g e


Version : 01-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification

Policy and Standard

Policy/Standard Description
ISSAI 100 Basis principles in Government Auditing
ISSAI 200 General standards in government auditing and
standards with ethical significance

ISSAI 300 Field standards in government auditing


ISSAI 1300 Financial audit guideline Planning an audit of
financial statements
INTOSAI GOV 9130 Guidelines for internal control standards for the public
sector Further information on entity risk
management
ISO/FDIS 31000:2009 Risk management Principles and guidelines
COA Memorandum No. 79-205 Reiteration of unnumbered COA Memorandum dated
May 8, 1978 re: Alignment/Coordination of all
Projects/Programs of COA offices/Committees by the
Planning, Financial & Management Office
July 6, 1979

COA Memorandum No. 95-051 Preparation of a Consolidated Annual Report (CAAR)


by Region and by Department

COA Resolution No. 2008-012 2008 COA Organization Restructuring


COA Memorandum No. 2009-028 Implementing guidelines on audit operations under the
2008 COA organizational restructuring

Documentation

Procedure Sub-procedure Output/Tools


1.1 Perform
Develop/Update the Government Form 01-01 Government
Government Risk
Risk Model Risk Model (GRM)
Identification
Form 01-02 Government
Identify Government Risks Risk Identification Template
(GRIT)
Report the Results of Government
Report on the results of GRI
Risk Identification
1.2 Conduct COA
Strategic Planning

Last updated : March 2011 13 | P a g e


Version : 01-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification
Form 01-01: Government Risk Model

GOVERNMENT RISK MODEL

Objective

Part of the Strategic Planning and Risk Identification process of the Integrated Results and Risk-
based Audit (IRRBA) is the identification of government risks. This activity will be conducted
annually, supervised by the Assistant Commissioners and attended by directors from the
following sectors/offices:
National Government Sector (NGS)
Corporate Government Sector (CGS)
Local Government Sector (LGS)
Regional Offices
Fraud and Investigation office (FAIO)
Special Audits Office (SAO)
Information Technology Office (ITO)
Technical Services Office (TSO)

The Government Risk Model is introduced to guide the participants in the identification of
government risks. The Government Risk Model is a comprehensive list of risks that a
government may encounter which could threaten the achievement of its mandate and
objectives.

This model shall be regularly reviewed, updated and customized to consider changes in the
public sector environment, as well as to consider the impact of new standards, laws, rules and
regulations.

*The COA shall identify the process champion in this activity, which will ensure the maintenance and updating of this
tool.

Accomplishing this tool

Risk Listing

- The Risk Listing is a table of government risks divided into the following risk categories:
a. Strategic
b. Operations
c. Compliance
d. Financial

Last updated : March 2011 1|Page


Version : 01-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification
Form 01-01: Government Risk Model

The table lists down all potential risks that the government may face. Therefore, there are
risks that may be identified as a risk of the government in the current audit period that was
not identified in the preceding audit period. In either case, the risk listing shall be
maintained regardless of the existence of the risk at the time of the identification. Likewise,
the list shall be regularly updated to include emerging risks that may affect the
achievement of the governments mandate and objectives.

Risk Definition

- Customize/create the definition of the risks based on the nature of the risk.

a. Risk Title The label for the risks identified shall be properly chosen to reflect the nature
of the risk even by just looking at the risk title.

b. Risk Description - The risk description shall be clear on the cause and effect of the risk
once it materializes. The risk definition shall be generic in nature and shall avoid including
process-level effects to not limit/restrict the risk descriptions.

NOTE: The items in the succeeding pages are just samples to illustrate the tool. It does not represent any factual
data nor any result of prior audit projects.

Last updated : March 2011 2|Page


Version : 01-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification
Form 01-01: Government Risk Model

Last updated : March 2011 3|Page


Version : 01-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification
Form 01-01: Government Risk Model

GOVERNMENT RISK MODEL

Prepared by : Date :

Reviewed by : Date :

Approved by : Date :

Strategic Operations Compliance Financial


Planning and resource allocation Public service and operations Mandate Market
Organizational structure Customer/public satisfaction Functions Interest rate
Strategic planning Channel effectiveness Foreign currency
Operational planning Cycle time Governance Commodity
Service failure Board performance/Agency
Budgeting Financial instrument
Forecasting Efficiency Management Committee
Public policies
Resource allocation Capacity Tone at the top
Debt and fiscal policy
Capital/fund availability Performance measure/gap Authority/limit
Operational model Partnering/contracting Control environment Liquidity and credit
Operational portfolio Citizen relationship management Corporate social responsibility Cash management
Outsourcing system and organization Reputation Opportunity cost
Corruption and fraud Funding
Major initiatives Code of conduct
Hedging
Vision and direction People Ethics
Credit and collections
Planning and execution Culture Fraud
Insurance
Measurement and monitoring Recruiting and retention Employee/third party fraud
Foreign assisted loan
Technology implementation Development and performance Illegal acts
Project evaluation Succession planning Management fraud Accounting and reporting
Change readiness Knowledge capital Unauthorized use Accounting, reporting and disclosure
Climate change and sustainability initiatives Compensation and benefits Internal control
Education Legal
Performance incentives Investment evaluation
Healthcare services delivery Contract
Health and safety Tax strategy and planning
Energy and water management Liability
(supply/distribution) Information technology Intellectual property Capital structure
Information management Anticorruption Debt
Environment dynamics
Security/access Legal Equity
Economic changes
Financial market Availability/continuity Pension funds
Regulatory
Sovereign/political Integrity Trade
Customer/public wants Infrastructure Customs
Technological innovation Procurement
Hazards
Environment scan Road-right of way (RROW )Acquisition
Natural events
Agency environment/industry Labor
Terror and malicious acts
Sensitivity Securities
Market dynamics Physical assets Environment
Macroeconomic factors Real estate Data protection and privacy
Lifestyle trends Property, plant and facilities International
Sociopolitical Maintenance and performance Product/service quality
Technology changes Inventory Health and safety
Communication and public relations Competitive practice/antitrust
Media relations
Public relations
Crisis communications
Employee communication

Last updated : March 2011 4|Page


Version : 01-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification
Form 01-01: Government Risk Model

Risk Definition

RISK TITLE RISK DESCRIPTION

STRATEGIC

Planning and Resource Allocation


The overall structure of the government instrumentalities does not
Organizational structure
support the achievement of strategic objectives in an efficient manner.
This risk pertains to the inability to discover, evaluate and select among
Strategic planning alternatives to provide direction and allocate resources for effective
execution to achieve the strategic objectives of the government.
This risk pertains to the misalignment of operating plans and execution
Operational planning to strategic planning. There is also a lack of information needed to make
the right decisions.
This risk pertains to the inability to effectively budget for new and
existing initiatives that support the overall strategic goals and objectives
for growth, expansion, acquisition for public welfare.
Budgeting
It also pertains to the inability to effectively budget for programs and
projects that would meet the governments Medium Term Philippine
Development Plan (MTPDP).
This risk pertains to the inability to forecast financial information to
Forecasting
enable the allocation of resources to new and existing initiatives.
Unavailability and inappropriateness of resource allocation process
Resource allocation
prohibits the governments ability to provide value for public.
Insufficient access to fund threatens the governments capacity to grow,
Capital/fund availability
execute its strategies and achieve its objectives.
The government has an obsolete operation model and does not
recognize it and/or lacks the information needed to make an up-to-date
Operational model
assessment of its current model and build a compelling operational case
form modifying that model in a timely manner.
Lack of relevant and reliable information that enables agency
management to effectively prioritize its services or balance its operations
Operational portfolio
in a strategic context may preclude a diversified agency from maximizing
its overall performance.
Outsourcing activities to third parties may result in the third parties not
Outsourcing acting within the intended limits of their authority or not performing in a
manner consistent with the governments strategies and objectives.
Major initiatives
This risk pertains to the failure to establish a vision and direction for
major initiatives, including services, products and programs that will
Vision and direction
drive future growth. It also pertains to failure to establish project
acceptance criteria and adequately measure against the criteria.
This risk pertains to the failure to plan and execute major initiatives due
Planning and execution
in a coordinated manner.

Last updated : March 2011 5|Page


Version : 01-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification
Form 01-01: Government Risk Model

RISK TITLE RISK DESCRIPTION


This risk pertains to the failure to identify appropriate metrics and assess
Measurement and monitoring performance, quality and adherence to the standards as set forth by the
government.
This risk pertains to the failure of a major technology implementation to
Technology implementation
meet the organizations strategic objectives.
Failure to evaluate project proposals may result in problems when the
Project evaluation
project has been approved.
The people within the government are unable to implement process and
Change readiness service improvements quickly enough to keep pace with changes in the
public environment.
Failure to foresee changes in the environment and establish initiatives to
Climate change and
keep pace with biological changes may result in operations
sustainability initiatives
discontinuance and degradation.
Environment Dynamics
Economic changes such as lower economic growth reduce tax revenue
Economic changes and opportunities to provide a wide range of services or limit the
availability or quality of existing services.
Movements in prices, rates, indices and the like threaten the value of the
Financial market
agencys financial assets.
Adverse political actions in a country in which the agency has invested
significantly is dependent on a significant volume of operation or has
Sovereign/political entered into a significant agreement with a counterparty subject to the
laws of that country threaten the agencys resources and future cash
flows.
This risk pertains to the changing pervasive public needs and wants that
Customer/public wants the agency is not aware of, e.g., increased demand for faster turnaround
on services.
The agency is not leveraging advancements in technology in its
operations to achieve or sustain advantage. The agency may also be
Technological innovation exposed to the actions of another agency or substitute that does not
leverage technology to attain superior quality, cost and/or time
performance in their services processes.
Failure to monitor the external environment or formulation of unrealistic
or erroneous assumptions about environment risks may cause the
Environment scan
agency to retain operation strategies long after they have become
obsolete.
This risk pertains to the changes in opportunities and threats, and other
Agency environment/Industry
conditions affecting the agencys environment.
Overcommitment of resources and expected future cash flows threatens
Sensitivity the agencys capacity to withstand changes in the environment (e.g.,
interest rates, public demand, changes in regulations and so on) forces.
Market Dynamics
This risk pertains to the factors relating to macroeconomic conditions
Macroeconomics factors that affect the ability to maintain or increase revenue and profitability in a
specific agency environment.
This risk pertains to the failure to anticipate and respond to changes in
Lifestyle trends
overall trends related to lifestyle demands of consumers.

Last updated : March 2011 6|Page


Version : 01-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification
Form 01-01: Government Risk Model

RISK TITLE RISK DESCRIPTION


This risk pertains to the exposure to social and political factors within a
Sociopolitical market environment that affect the ability to market, sell and deliver
products and services.
This risk pertains to the dramatic changes in current technologies that
Technology changes may impact the market viability or demand of current products and
services offered by the agency.
Communication and public relations
This risk pertains to the inability to anticipate and manage shifts in the
information stakeholders wants and the way in which they want it
Media relations
communicated to them. It also pertains to the ineffective ongoing,
transparent communications with the public in order to create goodwill.
A decline in customer/public confidence threatens the agencys capacity
Public relations
to efficiently raise or collect funds.
This risk pertains to the failure to communicate the right message in an
Crisis communications effective manner to recover and maintain agency operations in the event
of a crisis or disruption due to physical or natural circumstances.
This risk pertains to the inability to understand and respond to the
Employee communications
communication needs of different employees.

OPERATIONS

Public Service and Operations


A lack of focus on the customer/ public threatens the agencys capacity
Customer/public satisfaction
to meet or exceed the customers/ publics expectations.
Poorly performing or positioned channels access threaten the agencys
Channel effectiveness
capacity to effectively and efficiently service the customer/ public.
Unnecessary activities threaten the agencys capacity deliver services in
Cycle time
a timely manner.
Faulty or non-performing services expose the agency to customer/public
Service failure
complaints, litigation, and loss of revenues and agency reputation.
Inefficient operations threaten the agencys capacity to deliver services
Efficiency
at the lowest cost and shortest time possible.
Insufficient capacity threatens the agencys ability to meet
Capacity customer/public demands, or excess capacity threatens the agencys
ability to generate competitive profit margins.
Inability to perform at world-class levels in terms of quality, costs and/or
Performance measure/gap cycle time due to inferior operating practices threatens the demand for
the agencys services.
Inefficient or ineffective external relationships affect the agencys
capacity to serve. These uncertainties arise due to choosing the wrong
Partnering/contracting
partner, poor execution, taking more than what is given (resulting in loss
of a partner) and failing to capitalize on partnering opportunities.

People

Last updated : March 2011 7|Page


Version : 01-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification
Form 01-01: Government Risk Model

RISK TITLE RISK DESCRIPTION


This risk pertains to the failure to establish a culture that is consistent
Culture with management philosophy and that encourages integrity, values, and
ethical competence.
This risk pertains to the failure to attract, hire and retain the qualified
Recruiting and retention
resources to optimize execution of the organization's objectives.
This risk pertains to the inability to develop and enhance employee skills
Development and performance and provide performance management that ensures optimal
achievement of organizational strategies, goals and objectives.
This risk pertains to the failure to create and implement an effective
succession plan for senior executive and other key positions and
Succession planning employees throughout the organization. It also pertains to the failure to
align succession planning with strategic planning and leadership
development objectives).
Processes for capturing and institutionalizing learning across the
agency are either non-existent or ineffective, resulting in slow response
Knowledge capital
time, high costs, repeated mistakes, slow development, constraints on
growth and unmotivated employees.
Failure to provide a total compensation package (base salary,
annual/long-term incentive, benefits/perquisites) that are market
Compensation and benefits
competitive, aligned to agency and compensation strategies and retain
and motivate employees to achieve desired results.
Unrealistic, misunderstood, subjective or non-actionable performance
measures may cause senior management, division heads and
Performance Incentives
employees to act in a manner inconsistent with the agencys objectives,
strategies, and ethical standards, and with prudent agency practice.
Failure to provide a safe working environment for its workers exposes
Health and safety the agency to compensation liabilities, loss of operational reputation and
other costs.
Information and technology
Failure of Information systems to adequately protect the critical data and
Security/access infrastructure from theft, corruption, unauthorized usage, viruses, or
sabotage.
The inability to recover from, and continue uninterrupted operations in
Availability/continuity
the event of extraordinary events, systems and implementation failures.
Information systems that do not provide reliable information when it is
Integrity
needed or perform so slowly that operations are not efficient.
The computer and telecommunications systems with supporting
software do not capture, retain and transfer data in a secure and reliable
Infrastructure
environment and do not meet the expected requirements of the agency
at a reasonable cost.
Hazards
Threat to disrupt operation and ability of the agency to sustain
operations, provide essential services or recover operating costs or
Natural events
accomplish planned target due to natural events (e.g., fire, earthquake,
tornado).
Threat to disrupt operation and ability of the agency to sustain
operations, provide essential services or recover operating costs or
Terror and malicious acts
accomplish planned target due to terrorist activities or other malicious
acts.

Last updated : March 2011 8|Page


Version : 01-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification
Form 01-01: Government Risk Model

RISK TITLE RISK DESCRIPTION

Physical assets
Failure to provide physical protection and stewardship over real estate
Real estate
designed to optimize longevity and utilization.
Failure to provide physical protection and stewardship over long-lived
Property, plant and facilities assets (such as buildings, furniture, fixtures, machinery, equipment and
other assets) designed to optimize longevity and utilization.
Failure to provide physical protection and stewardship over inventories
Inventory designed to optimize utilization while minimizing obsolescence,
contamination, etc.
COMPLIANCE

Mandate
Failure to align process objectives and performance measures with the
Function mandate of the agency, its objectives and strategies may result in
conflicting, uncoordinated activities throughout the agency.
Governance
Failure of Board of Directors to discharge their obligations and duties
Board performance/Agency
owed to the agency and its stakeholders in good faith; and to possess
management committee
adequate knowledge to interpret and act on the information provided.
Senior management fails to establish an environment that encourages
integrity, ethical values, and competence of the agency's people through
Tone at the top
management's philosophy and operating style, assignment of authority
and responsibility, and the organization and development of its people.
Ineffective lines of authority may cause senior management, division
Authority/limit heads or employees to do things they should not do or fail to do things
they should.
Failure to establish and maintain an internal control environment which
Control environment
aligns with stakeholder and regulatory expectations.
The mismanagement of "socially responsible" activities (e.g., conducting
social responsibility training for management of manufacturers,
undertaking environmental programs, participating in community
Corporate social responsibility
initiatives) resulting in an unfavorable agency perception with
stakeholders, customers, suppliers, agency partners, employees and the
regulatory community.
Damage to the Agencys reputation exposes it to loss of customer/
Reputation
public trust, profits and the ability to grow.
Code of conduct
The absence of formal standards of employee behavior that are
Ethics intended to direct and influence the way agency operation is conducted,
above and beyond the letter of the law.
Potential unethical acts committed by agency employees or other
Fraud
stakeholders may negatively impact the agency's reputation.
Fraudulent activities perpetrated by employees, suppliers, agents, or
third-party administrators against the agency for personal gain (e.g.,
Employee/Third Party Fraud
misappropriation of physical, financial or information assets) expose the
agency to financial loss.

Last updated : March 2011 9|Page


Version : 01-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification
Form 01-01: Government Risk Model

RISK TITLE RISK DESCRIPTION


Illegal acts committed by senior management, division heads or
Illegal Acts employees expose the agency to fines, sanctions, and loss of public
trust, profits and reputation, etc.
Management Fraud (e.g., intentional misstatement of financial
Management Fraud statements or critical reports) may adversely affect stakeholders
decisions.
Unauthorized use of the agencys physical, financial or information
Unauthorized Use assets by employees or others exposes the agency to unnecessary
waste of resources and financial loss.
Legal
Entering into contracts that are unfavorable to the agency; and the
Contract failure to comply with and monitor contract terms to protect the agency
from financial losses.
A responsibility, duty or obligation that may result in lawful consideration
Liability
to provide satisfaction, compensation or other form of restitution.
Failure to create, capture, enhance, leverage and protect the collective
Intellectual property knowledge, expertise and ideas of agency employees valued as non-
physical assets.
Failure to create an agency environment which is opposed to corruption,
Anticorruption
and instill agency practices which prevent corruption.
Changing laws threaten the agencys capacity to consummate important
Legal transactions, enforce contractual agreements or implement specific
strategies and activities.
Regulatory
Failure to identify and prevent legal risks posed by noncompliance with
Trade governmental and International regulatory requirements for Trade
Practices e.g., anti-dumping and trade policy.
Failure to identify and prevent legal risks posed by noncompliance
Customs With governmental and International regulatory requirements for
Customs.
Failure to identify and prevent legal risks posed by noncompliance with
Procurement
the government procurement reform act.
Failure to implement infrastructure projects due to RROW problems and
Road-right of way (RROW)
risks posed by non-compliance with Comprehensive and Continuing
acquisition
Urban development and Housing Program (RA 7279)
Failure to identify and prevent legal risks posed by noncompliance with
governmental and International regulatory requirements for Labor rules
Labor
and regulations, including taxes, wages, antidiscrimination, Family and
Medical Leave, workplace violence etc.
Failure to identify and prevent legal risks posed by noncompliance with
Securities
governmental and International Securities regulatory requirements.
Failure to identify and prevent legal risks posed by noncompliance with
Environment governmental and International Environmental regulations e.g.,
noncompliance with ISO 4001 standards.
Failures to identify and prevent legal risks posed by, and prevent non-
Data protection and privacy compliance with privacy rules and regulations standards resulting in
improper disclosure of confidential customer information.

Last updated : March 2011 10 | P a g e


Version : 01-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification
Form 01-01: Government Risk Model

RISK TITLE RISK DESCRIPTION

Exposure to geo-political, regulatory and fraud risks via international


International
business dealings.
Failure to identify and prevent legal risks posed by noncompliance with
Product/service quality governmental and International regulatory requirements for
product/service quality and safety.
Failure to identify and prevent legal risks posed by noncompliance with
Health and safety governmental and International rules and regulations for health and
safety.
Failures to identify and prevent legal risks posed by, and prevent non-
compliance with, government and international rules and regulations for
Competitive practice/antitrust
competitive practices/ anti-trade. Lack of awareness of statutory and
regulatory application of export & customs policies and requirements.
FINANCIAL

Market
Unfavorable price paid per unit of funds borrowed or the rate of return
Interest rate received on invested assets, or interest rate fluctuations beyond
projected range.
Unfavorable fluctuations in the currency of another market that is
Foreign currency
needed to carry out international transactions.
Unfavorable fluctuations in the price of raw materials or other
Commodity commodities used in product development/service delivery that are not
anticipated and managed.
Financial market risk can vary depending on the particular segment of
Financial instrument the market to which the holder of a financial instrument is exposed, or
the way in which the exposure is structured.
Liquidity and credit

Failure to efficiently and effectively administer and manage cash flows to


Cash management
maintain adequate liquidity to meet obligations.
The use of funds in a manner that leads to the loss of economic value,
Opportunity cost including time value losses, transaction costs and other causes of loss of
value.
Failure to meet the requirements of a portfolio of capital investments and
obligations based on specified commitments or in accordance with terms
Funding of an agreement (i.e. retirement and capital accounts).

Failure to receive appropriate funds to finance programs and projects.


Failure to purchase or undertake sale transactions that effectively
Hedging
minimize profits or losses arising from price fluctuations.
Inability to obtain the optimal level of payment received as a result of a
Credit and collections
prior agency transaction.
Insurance coverage fails to protect the agency from significant financial
Insurance
losses due to incidents and claims.

Accounting and reporting

Last updated : March 2011 11 | P a g e


Version : 01-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification
Form 01-01: Government Risk Model

RISK TITLE RISK DESCRIPTION


Incomplete, inaccurate and/or untimely reporting of required financial
and operating information to other regulatory agencies may expose the
agency to fines, penalties and sanctions.
Accounting, reporting and
disclosure Over-emphasis on financial accounting and other information to
manage the operations may result in the manipulation of outcomes to
achieve targets at the expense of not meeting public expectation, quality
and efficiency objectives.
Significant or material weaknesses resulting from inadequate financial
Internal control internal controls impacting management's assessment and reporting
under country regulations.
Lack of relevant and/or reliable information supporting investment
Investment evaluation decisions and linking the financial risks accepted to the capital at risk,
may result in poor short- or long-term investments.
Failure to properly evaluate and execute tax planning strategies.
Tax strategy and planning Misalignment of tax objectives and strategies with overall agency
objectives, strategies and initiatives.
Capital structure
Potential over reliance on borrowing from creditors to provide adequate
Debt working capital for agency objectives and/or to cover current operating
obligations resulting in an unfavorable debt to equity ratios.
Inability to offer marketable securities appropriately priced for the
Equity
enterprise's value.
Inability to identify, establish and maintain the optimal structure for
Pension funds
pension funds.

Last updated : March 2011 12 | P a g e


Version : 01-01/2011/v1
Phase 1 Strategic Planning and Risk Identification
Form 01-02 Government Risk Identification Template

GOVERNMENT RISK IDENTIFICATION TEMPLATE

Objective

The Government Risk Identification Template (GRIT) is used to document the significant
government risks identified for a particular audit period, as well as the basis of selecting
those particular risks, and the agencies and programs or activities affected. By having all of
this information in one sheet, it facilitates ease of summary and discussion with the
participants during the identification of significant government risks as well as increased
efficiency and effectiveness in tracing the effects of those risks.

This template if carefully and exhaustively accomplished will facilitate a unified thrust for the
COA in conducting government auditing.

The GRIT once accomplished shall be cascaded to all audit clusters and concerned offices
through the COAs Annual Strategic Planning for inclusion in the Agency Audit Planning and
Risk Assessment.

Accomplishing this tool

Accomplishing this tool is critical to document the high-level inputs from COA directors
assigned in the audit of agencies representing the three audit sector, regions, and auditors
performing Government-wide and Sectoral Performance Audit (GWSPA) and Fraud Audit.

Government Objective

- Identify the objectives of the government as identified in the State of the Nation
Address (SONA), Medium-Term Philippine Development Plan (MTPDP), Medium-
Term Public Investment Program (MTPIP) and so on.

Key Government Risk

- Participants may use the Government Risk Model to identify the key government risks
(risk category, risk title and risk definition)

Basis of Selection

- Indicate the basis or reason why the risk was considered as significant.

Relevant data may also be obtained from the following:


COA direction
Sector Strategic Action Plan

ast updated : March 2011 1|Page


Version : 01-02/2011/v1
Phase 1 Strategic Planning and Risk Identification
Form 01-02 Government Risk Identification Template

SONA
MTPDP/MTPIP
Government Risk Model
Sector risks
Media releases and media reports
Fraud and geographic risks
Government-wide and sectoral programs and activities
Knowledge of the auditors

Name of Agency

- Indicate the agencies affected by the risks identified. Auditors may also refer to other
outputs of government instrumentalities (e.g., Updated Strategy Planning Matrices for
the MTPDP of NEDA).

Government Program, Activity or Project

- Relate the government program/activity affected by the risk identified. It could be a


program of one agency or inter-agency project.

ast updated : March 2011 2|Page


Version : 01-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 Strategic Planning and Risk Identification
Form 01-02 Government Risk Identification Template

GOVERNMENT RISK IDENTIFICATION TEMPLATE


For the Audit Period 20XX

Prepared by : __________________________________________________ Date :

Reviewed by : __________________________________________________ Date :

Approved by : __________________________________________________ Date :

Key Government Risk


Government
Government Objective Basis of Selection Name of Agency
Risk Program, Activity or Project
Risk Title Risk Definition
Category
Key Risk 1

Key Risk 2

Key Risk 3

Key Risk 4

Key Risk 5

Key Risk 6

Key Risk 7

Key Risk 8

Key Risk 10

Key Risk 11

Key Risk 12

Last updated : March 2011 3|Page


Version : 01-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

AGENCY AUDIT PLANNING AND RISK ASSESSMENT

Integrated Results and Risk-Based Audit Framework

Strategic Planning and Risk Identification

Planning Delivery

Agency Audit
Conclusion
Planning and Risk Execution
and Reporting
Assessment

Monitoring
(Quality Control System)

Introduction

The scope of state audit under our Constitution and the implementing laws and
regulations include financial, compliance and performance audits. These three main
classifications of state audit, when conducted together, are known as comprehensive
audit. Comprehensive audit starts with planning the engagement at the agency level.

Activity 2, Agency Audit Planning and Risk Assessment, is designed to promote the
consistent implementation of the IRRBA methodology and standard documentation in
comprehensive auditing. Activity 2 employs a disciplined, team-based approach to audit
planning, emphasizing the early development of risk assessments and the audit strategy.

Agency Audit Planning and Risk Assessment occur early in the audit cycle to provide time
to appropriately plan and customize the audit strategy, thereby allowing COA auditors to
effectively execute the audit and at the same time, perform other duties and
responsibilities. This activity is ideally done in the first 3 months of the audit cycle.

1|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

The following are the activities involved in this phase:

2.1. Prepare Agency Audit Workstep

2.2. Understand the Agency

2.3. Identify Significant Agency Risks


2.3.1 Update Agency Risk Model
2.3.2 Assess Agency Risks
2.3.3 Prioritize Significant Agency Risks

2.4. Understand and Assess Agency-Level Controls

2.5. Understand the Process


2.5.1. Identify Critical Path of the Processes
2.5.2. Identify Process Risks
2.5.3. Identify Impact
2.5.4. Identify Existing Controls

2.6. Conduct Audit Risk Assessment and Planning


2.6.1. Financial and Compliance
2.6.2. Performance
2.6.3. Determine Audit Scope and Timing
2.6.4. Determine need for specialized skills

Procedures

2.1. Prepare Agency Audit Workstep

The Agency Audit Workstep contains a phase by phase detail of the IRRBAM
showing the estimated time to complete each phase and the audit team member
assigned to complete each activity. This should be accomplished by the ATL and
approved by the SA. A copy should be submitted to the CD.

The audit team should prepare the Audit Worksteps for each agency being audited
showing the estimated time to be incurred for the current year audit. For regional
auditors assigned to a regional office or branch of a National or Corporate agency,
they shall prepare the worksteps that will be done by only by regional auditors.

Documentation
Form 02-01 Agency Audit Workstep Template

2|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

2.2. Understand the Agency

An important aspect of the Comprehensive audit process is the identification of


risks applicable to the agency. Agency risks have various sources such as new
legislation/law, environmental factors, control environment, nature of agencys
operations and market forces. In identifying the agencys risks, it is important to
gain sufficient understanding of the agency including its purpose, operations and
environment.

The key to an effective planning of an audit is gaining a thorough understanding of


the agency. By understanding how the agency operates and how key
environmental factors affect its goals, objectives, and strategies, we can better
identify and consider its agency risks during our audit.

The knowledge we gain about the agencys operations provides the basis for
making more comprehensive risk evaluations. That is, by gaining an understanding
of the agencys principal risks and their relationship to the inherent and control risk
components of audit risk, we can:
Develop more effective and efficient audit strategies.
Increase the value we deliver by providing timely communications on internal
control observations and emerging issues of importance to the agency.
Better manage COAs risk by using the more comprehensive view of the
agencys risks in making engagement decisions.

In understanding the agency, we comprehend the agency itself and the


environment in which it operates. This assists us in identifying risk factors. We
determine whether these risk factors are inherent risks (i.e., risk factors that may
give rise to risks of material misstatement or risk of not achieving the objectives of
the Agencys PAPs) and consider the effect in our risk assessment and in the
design of our audit test procedures.

We exercise professional judgment in determining the extent of understanding that


is required. Our primary consideration is whether we have obtained a sufficient
understanding of the agency and its environment to identify and assess the risks of
material misstatement, whether due to fraud or error, or risk of not achieving the
objectives of the Agencys PAPs and thereby providing a basis for designing and
implementing audit procedures to respond to the assessed risks.

Components
Accordingly, the audit team should have an understanding of each of the following
and their interrelationships:

Relevant industry, regulatory, and other external factors including the applicable
financial reporting framework

3|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

The nature of the agency, including:


- Its operations
- Its ownership and governance structures
- The types of investments that the agency is making and plans to make
- The way that the agency is structured and how it is financed to enable the
auditor to understand the classes of transactions, account balances, and
disclosures to be expected in the agency
The agencys selection and application of accounting policies, including the
reasons for changes thereto The auditor shall evaluate whether the agencys
accounting policies are appropriate and consistent with the applicable financial
reporting framework and accounting policies.
The agencys objectives and strategies, and those related agency risks that
may result in risks of material misstatement or risks of not achieving the
objectives of the Agencys PAPs
The measurement and review of the agencys financial and operational
performance
The mandates of an agency given by the Philippine Government or any other
law or legislation establishing such agency
An understanding of the Agencys PAPs to determine if the objectives of such
PAPs are aligned with the Agencys mandate Transactions outside the
Agencys mandate that are significant give rise to Mandate risk.
Key results identified and monitored by management that must be achieved to
conclude that a strategy has been implemented successfully

Key performance indicators also refer to the targeted Major Final Outputs
(MFO) as stated in the agencys Organizational Performance Indicator
Framework (OPIF).

We share with management our understanding of the agency and its environment
to confirm our understanding of the agency, to determine managements
awareness of the effects of the agencys environment on the operations and to
understand managements attitude and strategies towards managing its risks.

Audit Techniques
A wide variety of procedures and techniques are used to gather the necessary
information for understanding the agency. These may include:

Review of information

Review of relevant information of the agency and its environment assists us in


obtaining an understanding of the agency and its environment and in identifying
risk factors.

Inquiry of agency management and others within the agency

4|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

Inquiries of management and those responsible for financial reporting and


operations enhance our understanding of the nature of the agencys operations.
We may also inquire of others within the agency with different levels of authority
to obtain additional information or a different perspective as we identify risk
factors.

Analytical procedures on financial and non-financial information

Analytical procedures performed as risk assessment procedures may include


both financial and non-financial information. This will include our analysis of the
agencys actual performance against the targeted performance Major Final
Outputs in its OPIF.

Our analytical procedures assist us in identifying risk factors that may require
added attention in the audit.

Our analytical procedures performed as risk assessment procedures provide a


basis for designing and implementing audit procedures that respond to the
assessed risks of material misstatement and risks of not achieving the
objectives of an agencys PAPs. However, overall analytical procedures may
use data aggregated at a high level and therefore the results only provide an
initial indication about whether a risk exists.

Documentation
We document our understanding of the Agency using the Form 02-02
Understanding the Agency template.

2.3. Identify Significant Agency Risks

After gathering information to understand the agency, the auditors of a particular


agency (both Head Office and Regions) shall convene to update the Agency Risk
Model and identify and prioritize agency risks.

At this stage, auditors may identify Key Fraud Risks (KFR). KFRs identified during
this phase of the IRRBAM shall be evaluated and assessed through the Fraud
Brainstorming and Fraud Risk Assessment. Auditors shall use the methodology in
Fraud Audit Manual in assessing and evaluation KFRs identified in IRRBAM to
come up with proactive and detective testing.

5|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

2.3.1 Update Agency Risk Model

The Agency Risk Model (ARM) is a framework consisting of a list of agency-level


risks that may hinder the achievement of the agencys objectives.

The ARM will be the guide of the auditors in identifying agency risks. The ARM
should be updated annually to consider changes in the agency environment and
new policies, laws, rules and regulations. The agency auditors shall provide input
on the additions or modifications that needs to be reflected in the ARM after
conducting the Understanding the Agency process.

Risks are categorized as follows:


Strategic risk arises when forces in the agency environment could
significantly change the fundamentals that drive agencys overall social and/or
operating objectives and strategies and, in the extreme, result in failure of the
agencys operations.

Operation risk risks that operations are inefficient and ineffective in executing
the agencys operating model, satisfying the public, and achieving the agencys
quality, cost and time performance objectives. This arises when operation
processes:
o Are not clearly defined
o Are poorly aligned with agencys strategies, goals and objectives
o Are not performed effectively and efficiently in satisfying public
o Expose significant financial, physical and intellectual resources to
unacceptable losses, risk taking, misappropriation or misuse

Financial risk risk that cash flows and financial risks are not managed cost-
effectively to (a) maximize cash availability; (b) reduce uncertainty of currency,
interest rate, and other financial risks; or (c) move cash funds quickly and
without loss of value to wherever they are needed most. It also includes risks
that government agencies face when misleading financial information becomes
the basis for decision making by the governing management.

Compliance risk non-compliance with prescribed policies and procedures or


laws and regulations resulting in lower quality, higher execution costs, lost
revenues, unnecessary delays, penalties, fines and so on.

The ARM is somewhat similar with the GRM except that the risks in former are
Agency-specific while the latter relates to the risk of the government as a whole.
ARM shall be customized per Agency by obtaining information from the UTA
template and through inputs from head office and regional auditors.

6|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

2.3.2 Assess Agency Risks

Based on the data gathered from the UTA and the results from the GRIT, the audit
team shall identify Agency Risks.

Different modes may be used in identifying agency risks. It could be in the form of
a workshop, survey, questionnaire or interview. In any case, it shall be ensured
that the essence of identifying agency risks is followed.

The participants are to identify the following and document in the Agency Risk
Identification (AgRI) Matrix:
Identified Agency Risks
Basis of Selection
Risk Rating (Impact, Likelihood and Overall Rating)
Risk Location
Initial Audit Response
Remarks

Documentation
We document our identification and assessment of Agency Risks using Form 02-
05 Agency Risk Identification Matrix.

2.3.3 Prioritize Significant Agency Risks

After all the risks of an agency have been identified, the agency auditors shall
prioritize those risks which are significant based on the risk rating provided.

The risks identified as significant will be the audit teams focus for their audit. The
identified significant agency processes affected by the significant agency risks will
be the focus of our Understanding the Process in the succeeding activities.

2.4. Understand and Assess Agency-level Controls

Understanding agency-level controls is an important step in our planning process.


Our understanding assists us in identifying and assessing risk, as well as in
determining the most appropriate audit strategy.

The nature, timing and extent of procedures to obtain an understanding of agency-


level controls varies depending on the size and complexity of the agency, previous
experience with the agency and the nature of the agencys controls.

We often obtain our understanding of agency-level controls through inquiry and


observation due to the nature of agency-level controls and because audit evidence

7|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

may not exist or be available in documentary form. This may be even more
apparent in less complex agencies when communication between agency
management and other personnel may be informal. In other instances, we may be
able to corroborate agency managements statements by inspecting documents
and reports (e.g., quarterly reports, interim financial statements and minutes of
meetings).

Internal Control
Agency management is responsible for the design, implementation and
maintenance of effective internal control to address identified agency risks that
threaten the achievement of the agencys objectives. These objectives relate to
the reliability of the agencys financial reporting, the effectiveness and efficiency of
its operations and its compliance with applicable laws and regulations.

The way in which internal control is designed, implemented and maintained will
vary with an agencys size and complexity. Internal control, no matter how
effective, can provide an agency with only reasonable assurance about achieving
the agencys financial reporting and operational objectives. The likelihood of their
achievement is affected by the inherent limitations of internal control. These
inherent limitations include the realities that human judgment in decision-making
can be faulty and that breakdowns in internal control can occur because of human
error.

Internal control may be divided into five interrelated components. Although this
does not necessarily reflect how an agency considers and implements internal
control, these components provide a useful framework for us to consider the
agencys internal control and to assess the effect on our audit strategy. The five
components of internal control are:

Control environment
Risk assessment
Monitoring
Information and communication
Control activities

Documenting and evaluating agency-level controls does not by itself provide a


complete perspective of internal controls of an agency. However, it is an important
starting point because the assessment of agency-level controls particularly when
weaknesses are identified can have a significant effect on the overall
assessment of the effectiveness of internal controls and procedures.

Documentation
We document our understanding of agency-level controls using Form 02-03
Agency-Level Controls Checklist.

8|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

2.5. Understand the Process

Significant processes where significant agency risks reside that were identified in
the AgRI Matrix are the subject of our Understanding the Process.

Our understanding of significant processes, including risks and controls assist us


in:
Performing risk assessments for each relevant assertion for each significant
account and disclosure
Customizing the nature, timing and extent of our audit procedures to address
the identified risks

2.5.1 Identify critical path of the processes

We obtain our understanding by performing inquiry, observation and inspection


procedures.

Obtaining our understanding of significant processes is a continuous process.


When we perform audit procedures and we identify changes in significant
processes, we update our understanding. When we identify a new significant
process during our audit, we perform the procedures as outlined in this objective.

We obtain an understanding of the critical path of significant processes by


obtaining an understanding of each of the following stages:
Initiation: the point where the transaction first enters the agencys process and
is prepared and submitted for recording
Recording: the point where the transaction is first recorded in the books and
records of the agency
Processing: any changes, manipulation or transfers of data in the books and
records of the agency
Reporting: the point where the transaction is reported (i.e., posted) in the
general ledger

2.5.2 Identify Process Risks

Process risks refer to points where risks of material misstatement or risks to the
Agency PAPs objectives, due to error or fraud, can occur in the significant
process. We do not attempt to identify all process risks, but focus on those
process risks that could have a material effect on objectives of the process or
PAPs.

We use our professional judgment to identify the appropriate level of detail.

9|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

2.5.3 Identify Impact

We determine the impact of the process risk by identifying the affected accounts,
including assertions, and its impact on the attainment of the objectives of an
agencys PAPs.

2.5.4 Identify Existing Controls

We identify existing controls that address our identified process risks. We


determine whether the design of these controls mitigate our identified process
risks. Information that will be obtained from our walkthrough (discussed in
succeeding paragraphs) shall become one of our bases for our preliminary
assessment of control risk.

Further, we also evaluate whether the design of the existing controls identified is
adequate to address the identified process risks. Any identified process risk with
no controls in place or with inadequate controls should be communicated to
management to provide them time to address and resolve the control deficiency.

Confirmation of our understanding


We perform a walkthrough to confirm that our understanding of the significant
process is as we have documented and to confirm the points where data is, or
should be, captured, transferred or modified as these are the points where
misstatements are most likely to occur.

We also perform walkthrough to obtain a preliminary assessment of the


effectiveness of controls. The result of our walkthrough will be one of our bases for
our preliminary assessment of control risk (discussed further in 2.5 Conduct Audit
Risk Assessment).

Documentation
Our documentation of process flow may be in narrative format or in graphical form
through the use of process mapping flowcharts. Our documentation of our
Understanding the Process is determined by the size and complexity of the
processes subject for review. The process mapping flowchart including the
identification of process risks, controls and impact are documented using Form 02-
06 Process-Risk-Control (PRC) Matrix.

2.6. Conduct Audit Risk Assessment

The information we have obtained in our UTA, ALC and PRC will be our basis in
evaluating and quantifying risks in our audit. The resulting assessments will
provide us our basis for prioritization in our audit.

10 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

In order to develop an audit strategy that is responsive to the agencys risks, we


assess risk for financial, compliance and agency-based performance audit.

2.6.1. Financial and Compliance

In conducting Financial and Compliance Audit Risk Assessment, we assess risk for
each relevant assertion for each significant account.

a. Identify significant and material financial statement accounts

We identify significant financial statement accounts based on the affected


accounts identified in our Understanding the Process using the PRC Tool.
Financial statement accounts that will be assessed are those that are
significant and material.

As a general rule, an account is considered material when the account


balance as of cutoff date is equal to or more than the planning materiality (as
computed using COAs computation of materiality).

Aside from account balance as of cutoff date, we should also consider the
movement in the accounts in determining whether the account is material or
not.

b. Assess Inherent Risk

Definition: Inherent risk: The susceptibility of an assertion about a


class of transactions, account balance or disclosure to a misstatement
that could be material, either individually or when aggregated with other
misstatements, before consideration of any related controls.

We consider the information we gathered in our UTA, ALC and PRC and use
our professional judgment in making our inherent risk assessment for each
relevant assertion.

In deciding whether to assess inherent risk as either High or Low, we


consider whether we identified inherent risk factors that cause us to believe
that there is a higher likelihood that a material misstatement could occur. If we
believe there is a higher likelihood that a material misstatement could occur,
we assess inherent risk for the relevant assertions as High. If we identify
inherent risk factors that cause us to believe that it is less likely that a material

11 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

misstatement could occur, assuming no controls, we assess inherent risk as


Low.

Factors that may affect our inherent risk assessment are as follows:
Susceptibility to material misstatement
Size and composition
Variations from expected amounts
Effects of external factors
Competence and experience of agency personnel
Degree of subjectivity
Completion of unusual/complex transactions at or near period-end
Transactions not subjected to routine processing

c. Preliminary Assess Control Risk

Definition: Control risk: The risk that a misstatement that could occur in
an assertion about a class of transactions, account balance or
disclosure and that could be material, either individually or when
aggregated with other misstatements, will not be prevented, or detected
and corrected, in a timely manner by the agencys internal control.

Our preliminary assessment of control risk at this point is based on the


following:
Evaluation of the design of controls done in Understanding the Process
activity
Information we obtained from prior periods engagements, if available
Information we obtained from the results of walkthrough procedures in
Understanding the Process activity

Our preliminary evaluation is typically made after we understand the significant


processes, risks and controls in Understanding the Process, and after we
perform walkthroughs, but before any test of controls is performed. In other
words, our preliminary control risk evaluation is based on the design of
controls and our determination whether controls have been implemented. We
make a preliminary assessment so that we can develop our audit strategy and
plan our resources. As the evaluation is preliminary, it is subject to change
based on the results of our tests of control effectiveness in the Execution
phase.

12 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

We assess control risk for each relevant assertion as either:


1. Low - Rely on Controls

We assess whether controls have been designed and are operating


effectively throughout the period of reliance. Our assessment to rely on
controls at this stage in the audit is a preliminary assessment only. A final
assessment shall be made after the conduct of Tests of Controls to
determine the operating effectiveness of the controls.

2. High - Not Rely on Controls

After gaining the necessary understanding of the agencys significant


processes or significant disclosure processes:
We believe that controls have not been designed appropriately,
implemented effectively, or are unlikely to operate effectively
throughout the period of reliance, and therefore we have decided not to
test controls;
We have identified substantive procedures that we believe provide the
evidence necessary to support the related account balances or
disclosure; or
We believe that testing controls would be inefficient.

d. Make Combined Risk Assessment (CRA)

The table below shows how we combine our assessments on inherent and
control risks into one CRA for financial and compliance risk assessment:

High Low High


Inherent Risk
Assessment

Low Minimal Moderate

Low High

Control Risk Assessment

13 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

The following chart summarizes the risk conclusion and effect on our audit
procedures:

Overall Risk Risk Conclusion Effect on Substantive


Assessment Tests Audit Procedures
Minimal We have sufficient evidence Designed to confirm that
that controls are effective at material misstatements
preventing or detecting and have not occurred
correcting risks of material
misstatement from occurring
Low We have sufficient evidence Designed to confirm that
that controls are effective at the risks that have created
preventing or detecting and a higher likelihood of
correcting risks of material misstatements occurring
misstatement from occurring have not resulted in a
material misstatement
Moderate We have insufficient evidence Designed to detect and
to conclude that controls evaluate misstatements
operated effectively and will that may not have been
prevent or detect and correct prevented or detected and
misstatements from occurring corrected by controls
High We have insufficient evidence Designed to detect
to conclude that controls whether risks of material
operate effectively and will misstatement have
prevent or detect and correct resulted in a material
misstatements from occurring misstatement
and we assess there is a
higher likelihood that risks of
material misstatements will
occur

e. Other Material Accounts

Other Material Accounts (OMA) refer to material financial statement accounts


that were not considered as significant based on the results of Agency Risk
Assessment and Understanding the Process.

We use high precision analytical procedures for OMAs. This procedure should
not be redundant with the Analytic Review procedures done in the
Understanding the Agency Template.

2.6.2. Performance

In conducting assessment for Performance audit, we consider the following factors


in evaluating each of the agencys PAPs.

14 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

Quantitative Factor

Budget
Selection of agencys programs/ projects for performance audit is based on an
assessment of the total value of government assets, annual expenditure and/or
annual revenue of the audit area. The more funds used for a program/project, the
higher is its priority for selection as an audit project.

Qualitative Factors

a. Risk to good management


The auditor should assess the risk that the management of the activity to be
audited is deficient in economy, efficiency and effectiveness.

Evidence of risk to good management includes:


Management inaction in response to identified weakness;
Adverse comment in the legislature or media;
Non-achievement of stated objectives such as revenue raised or clients
assisted;
High staff turnover;
Significant underspending or overspending;
Control deficiencies in PAPs processes;
Sudden program expansion; and
Overlapping or confused responsibility relationships.

An agencys program or activity that is more complex to manage and operates


in an uncertain environment is more likely to have problems associated with
performance. Some possible indicators of high complexity and uncertainty are:
Highly decentralized operations with devolved management decision-making
responsibilities;
A multiplicity of interested parties;
Use of rapidly changing and sophisticated technology;
A dynamic and competitive environment; and
Controversial social and political debate surrounding the issue.

The stage of the agencys program development should also be kept in mind
when assessing management performance. For example, in the development
stage it will be particularly important for the agencys management to set
measurable operation objectives that clearly identify how the program will
contribute to the organizations objectives. During program implementation, it
will be important to see whether appropriate performance measures are
maintained and analyzed to assess performance, and whether there is a clear
identification of roles and responsibilities for each level of program. If the
program has been in place for some time, it will be important to assess whether

15 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

a formal evaluation has been undertaken to ascertain whether the program is


continuing to meet relevant needs and the extent to which those needs still exist
or are being met by other programs.

b. Significance
The significance of an audit project should have bearing on the magnitude of its
organizational impacts. It will depend on whether the activity is comparatively
minor or whether shortcomings in the area concerned could flow on to other
activities within the agency.

Significance will rate highly where the audit project is considered to be of


particular importance to the agency and where improvement would have a
significant impact on its operations. A low ranking in relation to significance
would be expected where the project is of a routine nature and the impact of
poor performance would be restricted to a small area or be likely to have
minimal impact.

c. Visibility
This factor is similar in significance but is more concerned with the external
impact of the program. It is related to the social, economic and environmental
aspects of the program/project and the importance of its operations to the
government and the public. In considering this factor some weight would be
attached to the impact of an error, weakness, or irregularity on public
accountability. It would also have regard to the degree of interest by the
legislature and public in the outcome of the audit. Projects that have been
identified with the audit thrust by the Commission would generally warrant a
high rank in terms of visibility.

d. Previous Audit Coverage


Coverage refers not only to previous COA audits undertaken but also to other
independent reviews of the project. Such reviews may have been conducted by
internal audit, external consultants or government committees or the project
could have been subjected to program evaluation. As a general rule, a low
ranking would occur when there has been a substantial review of the activity
within the past two years. A higher ranking would be warranted where a follow-
up review has been requested by the President, Congress or other authorities
or the previous review indicated that such follow-up should be made.

The materiality, risk, significance and visibility of a project will also influence the
ranking for coverage. If a program has ranked highly on all or most of these
elements it would be expected that the coverage cycle would be at fairly
frequent intervals.

16 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

The factors that we have described above are the basis for a systematic
approach to assisting the auditor in applying judgment in selecting PAPs for
performance audit. Using these factors when supported by valid information
and data will help auditors in allocating scarce resources for the audit of
projects.

Documentation
We document our audit risk assessments using the Form 02-07 Audit Risk
Assessment and Planning Tool.

2.6.3. Determine Audit Scope and Timing

Our audit scope defines the boundaries and limitations of our audit. We document
our audit scope based on the results of our risk assessment.

In determining the timing of our audit tests (tests of controls and details), we shall
consider COA auditors other responsibilities such as, but not limited to:
Cash examinations to accountable officers
Request for relief of accountabilities
Issuance of disallowances
Pre-audit activities

2.6.4. Determine need for specialized skills

We are not expected to have the expertise of a person qualified to engage in the
practice of another profession or occupation (e.g., an actuary, engineer, fraud
investigator). When such expertise is required in order to obtain sufficient
appropriate audit evidence, we consider whether to use the work of an appropriate
expert. We may use the work of an expert to:

Value complex financial instruments, land and buildings, plant and machinery,
jewelry, works of art, antiques, intangible assets, assets acquired and liabilities
assumed in business combinations and assets that may have been impaired
Understand the technical aspects of the agencys operations
Calculate the liabilities associated with insurance contracts or employee benefit
plans
Value environmental liabilities and site clean-up costs
Analyze complex or unusual tax compliance issues
Measure work completed and to be completed on contracts in progress
Interpret technical requirements, statutes, regulations or agreements (e.g., the
significance of contracts or other legal documents or legal title to property)

17 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

Review the work of another expert (e.g., to corroborate the findings of a


managements expert)

Documentation
We document details of our work plan (i.e., scope, audit strategy, timing) as part of
the Audit Risk Assessment and Planning Tool.

18 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment

Policy and Standard

Policy/Standard Description
ISSAI 1230 Audit Documentation
ISSAI 1265 Communicating Deficiencies in Internal Control to
Those Charged with Governance and Management
ISSAI 1300 Financial audit guideline Planning an audit of
financial statements
ISSAI 1315 Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and
Environment
ISSAI 1320 Materiality in Planning and Performing an Audit
ISSAI 1330 The Auditors Responses to Assessed Risks
ISSAI 1520 Analytical Procedures

Documentation

Procedure Sub-procedure Output/Tools


2.1 Prepare Agency Form 02-01 Agency Audit
Audit Workstep Workstep
2.2 Understand the Form 02-02 Understand the
Understand the Agency Profile
Agency Agency (UTA) Template
2.3 Identify Significant Form 02-03 Agency Risk
Update Agency Risk Model
Agency Risks Model (ARM)
Identify Agency Risks Form 02-04 Agency Risk
Prioritize Significant Agency Risks Identification (AgRI) Matrix
2.4 Understand and
Form 02-05 Agency-level
Assess Agency-Level
Control Checklist (ALCC)
Controls
2.5 Understand the Identify critical path of the
Process processes
Identify Process Risks Form 02-06 Process-Risk-
Control (PRC) Matrix
Identify Existing Controls
Identify Impact
2.6 Conduct Audit Risk
Assessment and Financial and Compliance
Planning
Form 02-07 Audit Risk
Performance
Assessment and Planning
Determine Audit Scope and (ARAP) Tool
Timing
Determine need for specialized
skills

19 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-01: Agency Audit Workstep

AGENCY AUDIT WORKSTEP

Auditee __________________________________________________

Audit Period __________________________________________________

Prepared By __________________________________________________ Date Prepared: ___________________

Reviewed By __________________________________________________ Date Reviewed: ___________________

Approved By __________________________________________________ Date Approved: ___________________

Target Date to Accomplish


WP Person
Activity Output Year Remarks
Ref. Responsible
J F M A M J J A S O N D

Last updated : March 2011 1|P a ge


Version : 02-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-02: Understanding the Agency Template

UNDERSTANDING THE AGENCY TEMPLATE


Objective

We obtain our understanding by performing review, inquiry, analytical procedures, observation


and inspection.

This template enables us to document our understanding of the agency and its environment and
assist in identifying risks of material misstatement. We document the identified inherent and/or
significant risks in this template.

The Understanding the Agency (UTA) can be used in conjunction with our meeting(s) with the
agency during the planning of the engagement. When we complete the UTA, we:
Consider the use of available industry or sector knowledge
Customize the UTA to each engagement

For future engagements, we base our understanding of the agency and its environment on prior
period knowledge. We update our understanding by focusing on the significant changes in the
agency and its environment in the current period and reflect those changes within the UTA
brought forward from the prior period.

Accomplishing this tool

Agency Profile

A. Mandate State the relevant law, rule or regulation mandating the purpose of the
establishment of the agency.
B. Operations Provide a brief description of the agencys operations and critical agency
processes.
C. Structure - Describe the Agencys organizational structure and its relation to other key
government agencies. (Attach the Agencys organizational structure, as necessary)
D. Objectives and Strategies State the objectives and strategies of the Agency. Evaluate
if these objectives and strategies are aligned with the mandate of the Agency.
E. Key Stakeholders List stakeholders, or unified stakeholder groups, whose expectations
or actions (or inactions) can significantly influence management or affect the agency
objectives and strategies (and/or the ability of the agency to meet its objectives and
strategies)
F. Key Environmental Factors Briefly describe the environment of the agency and how
the operations of the Agency are affected/influenced by environmental factors.
Examples of environment to be reviewed are:

Last updated : March 2011 1|Pa ge


Version : 02-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-02: Understanding the Agency Template

Political Environment
Social Environment
Legal and Regulatory Environment
Technological Environment

OPIF/Program Accountability Model Show the Organizational Performance Indicator


Framework of the agency if there is any or the Program Accountability Model developed.

Key Performance Indicators - The key results identified and monitored by management,
generally few in number, that must be achieved to conclude that a strategy has been
implemented successfully. Key performance indicators also refer to the targeted Major
Final Outputs (MFO) as agreed in their Organizational Performance Indicator Framework
(OPIF).

Accounting Policy Provide brief description of key accounting policies applied, including
financial reporting standards or changes in the agencys accounting policies and reasons
for such changes. We evaluate whether the agencys accounting policies are appropriate
and consistent with the applicable financial reporting framework.

Previous Audit Findings Include significant audit findings from previous audits that may still
exist in the agency.

Recent Developments/ News Include any pertinent news or publication about the agency and
indicate the possible impact or risk that may arise on the Agency.

Analytic Review Evaluations of financial and non-financial information through analysis of


plausible relationships among both financial and non-financial data. Analytical procedures
also encompass such investigation as is necessary of identified fluctuations or relationships
that are inconsistent with other relevant information or that differ from expected values by a
significant amount.

A. Financial
Financial Statement Account indicate the financial statement accounts of the
Agency
Current Year indicate the current account balance of the financial statement
account
Prior Year indicate the previous years balance of the financial statement account
Variance (Amount) the amount of difference between the current year and previous
year balance
Last updated : March 2011 2|Pa ge
Version : 02-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-02: Understanding the Agency Template

Variance (%) the percentage increase or decrease from previous years balance
(Formula is Amount of Variance/Prior Year balance)
Remarks indicate the reason for the significant increase or decrease in the account
balance

B. Performance
Performance indicators indicate the performance indicator applicable to the
Agency. Examples of performance indicators are Asset Turnover, Inventory
Turnover, Return on Asset and Return on Equity. Should the Agency have an OPIF
structure, we should consider the Major Final Outputs as part of the performance
indicators.
Actual refers to the actual achievement of the Agency on its performance indicator
Budget/Target pertains to the planned or targeted performance expected from the
Agency.
Variance (Amount) the amount of difference between the actual and
budgeted/targeted amounts.
Variance (%) the percentage increase or decrease from the budgeted/targeted
amount (Formula is Amount of Variance/Budgeted or Targeted amount)
Remarks Indicate the reason for any significant increase or decrease from the
budgeted or targeted amount.

PAPs Review This is a review of each PAP of the agency by understanding the details and
overview of the PAP including its objectives. An analytic review on the performance of the
PAP is also included to determine specific areas in the PAP that require audit focus.

UTA Summary
A. UTA Reference States the part/component of the UTA where the information was
taken from.
B. Identified Agency Risk Indicates the agency risks (risk title and risk statement)
identified while understanding the agency. Audit teams may also use the Agency Risk
Model as a reference in plotting the agency risks identified at this point.
C. Impact on the Agency States the impact of risk to the agency if it materializes based
on your initial understanding.

Last updated : March 2011 3|Pa ge


Version : 02-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-02: Understanding the Agency Template

UNDERSTANDING THE AGENCY TEMPLATE

Agency: Prepared by:


Date
Audit Period: Reviewed by:
Date
Approved by:
Date

AGENCY PROFILE

A. Mandate

B. Operations

C. Structure

D. Objectives and Strategies

Objectives Strategies

Last updated : March 2011 4|Pa ge


Version : 02-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-02: Understanding the Agency Template

E. Key Stakeholders

F. Key Environmental Factors

Political Environment

Social Environment

Legal and Regulatory Environment

Technological Environment

OPIF/ PROGRAM ACCOUNTABILITY MODEL

MFOs/ KEY PERFORMANCE INDICATORS

Last updated : March 2011 5|Pa ge


Version : 02-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-02: Understanding the Agency Template

ACCOUNTING POLICIES

PREVIOUS AUDIT FINDINGS

RECENT DEVELOPMENTS/ NEWS

Recent Developments/ News Impact on the Agency

Last updated : March 2011 6|Pa ge


Version : 02-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-02 Understanding the Agency Template

ANALYTIC REVIEW

Analytical procedures performed may include both financial and non-financial information Our analytical procedures performed provide a basis for
designing and implementing audit procedures that respond to the assessed risks of material misstatement. However, overall analytical procedures
may use data aggregated at a high level and therefore the results only provide an initial indication about whether a risk of material misstatement
exists.

a. Financial

Variance
Financial Statement Accounts Current Year Prior Year Remarks
Amount %

Last updated : March 2011 7|Pa ge


Version : 02-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-02 Understanding the Agency Template

b. Performance

Variance
Performance Indicators Actual Budget/ Target Remarks
Amount %

Major Final Outputs

Last updated : March 2011 8|Pa ge


Version : 02-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-02: Understanding the Agency Template

PAPs REVIEW

a. Program/Project Details

Program/ Project:
Objectives:
Total Budget:
Duration:
Project Overview:

b. Performance Indicators

Performance Variance
Actual Budget/Target Remarks
Indicators Amount %
Financial

Non-financial

Last updated : March 2011 9|Pa ge


Version : 02-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-02: Understanding the Agency Template

UTA SUMMARY

Identified Agency Risk


UTA Ref. Impact on the Agency
Risk Title Risk Statement

Last updated : March 2011 10 | P a g e


Version : 02-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-03: Agency Risk Model

AGENCY RISK MODEL

Objective

The Agency Risk Model is a tool to guide the audit team of a particular agency in the
identification of agency risks. The Agency Risk Model is a comprehensive list of risks that an
agency may encounter which could threaten the achievement of its mandate and objectives.

This model shall be regularly reviewed, updated and customized to consider changes in the
public sector environment as well as to consider the impact of new standards, laws, rules and
regulations.

Accomplishing this Tool

Risk Reference Number


- Assign a risk reference number for each agency risk identified. The risk reference number
would serve as a reference for the auditors to easily identify agency risks. Develop a risk
reference for the identified risk per risk category (strategic, operations, compliance,
financial).

Risk Listing

- The Risk Listing is a table of agency risks divided into the following risk categories:
a. Strategic
b. Operations
c. Compliance
d. Financial

The table lists down all potential risks that the agency may face. Therefore, there are risks
that may be identified as a risk of the agency in the current audit period that was not
identified in the preceding audit period. In either case, the risk listing shall be maintained
regardless of the existence of the risk at the time of the identification. Likewise, the list
shall be regularly updated to include emerging risks that may affect the achievement of
the agencys mandate and objectives.

Last updated : March 2011 1|Page


Version : 02-03/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-03: Agency Risk Model

Risk Definition

- Customize/create the definition of the risks based on the nature of the risk.

a. Risk Title The label for the risks identified shall be properly chosen to reflect the nature
of the risk even by just looking at the risk title.

b. Risk Description - The risk description shall be clear as to cause and effect of the risk
once it materializes. The risk definition shall be generic in nature and shall avoid including
process-level effects that limits/restricts the risk descriptions.

NOTE: The items in the succeeding pages are just samples to illustrate the tool. It does not represent any factual
data nor any result of prior audit projects.

Last updated : March 2011 2|Page


Version : 02-03/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-03: Agency Risk Model

AGENCY RISK MODEL

Prepared by : Date :

Reviewed by : Date :

Approved by : Date :

Strategic Operations Compliance Financial


Planning and resource allocation Public service and operations Mandate Market
Organizational structure Customer/public satisfaction Functions Interest rate
Strategic planning Channel effectiveness Foreign currency
Operational planning Cycle time Governance Commodity
Service failure Board performance/Agency
Budgeting Financial instrument
Forecasting Efficiency Management Committee
Public policies
Resource allocation Capacity Tone at the top
Debt and fiscal policy
Capital/fund availability Performance measure/gap Authority/limit
Operational model Partnering/contracting Control environment Liquidity and credit
Operational portfolio Citizen relationship management Corporate social responsibility Cash management
Outsourcing system and organization Reputation Opportunity cost
Corruption and fraud Funding
Major initiatives Code of conduct
Hedging
Vision and direction People Ethics
Credit and collections
Planning and execution Culture Fraud
Insurance
Measurement and monitoring Recruiting and retention Employee/third party fraud
Foreign assisted loan
Technology implementation Development and performance Illegal acts
Project evaluation Succession planning Management fraud Accounting and reporting
Change readiness Knowledge capital Unauthorized use Accounting, reporting and disclosure
Climate change and sustainability initiatives Compensation and benefits Internal control
Education Legal
Performance incentives Investment evaluation
Healthcare services delivery Contract
Health and safety Tax strategy and planning
Energy and water management Liability
(supply/distribution) Information technology Intellectual property Capital structure
Information management Anticorruption Debt
Environment dynamics
Security/access Legal Equity
Economic changes
Financial market Availability/continuity Pension funds
Regulatory
Sovereign/political Integrity Trade
Customer/public wants Infrastructure Customs
Technological innovation Procurement
Hazards
Environment scan Road-right of way (RROW )Acquisition
Natural events
Agency environment/industry Labor
Terror and malicious acts
Sensitivity Securities
Market dynamics Physical assets Environment
Macroeconomic factors Real estate Data protection and privacy
Lifestyle trends Property, plant and facilities International
Sociopolitical Maintenance and performance Product/service quality
Technology changes Inventory Health and safety
Communication and public relations Competitive practice/antitrust
Media relations
Public relations
Crisis communications
Employee communication

Last updated : March 2011 3|Page


Version : 02-03/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-03: Agency Risk Model

Risk Definition
RISK
REF. NO. RISK TITLE RISK DESCRIPTION

STRATEGIC

Planning and Resource Allocation

Organizational The overall structure of the agency instrumentalities does not support the
S1
structure achievement of strategic objectives in an efficient manner.
This risk refers to the inability to discover, evaluate and select among
S2 Strategic planning alternatives to provide direction and allocate resources for effective
execution to achieve the strategic objectives of the agency
This risk refers to the misalignment of operating plans and execution to
S3 Operational planning
strategic planning. Lack of information needed to make the right decisions.
This risk refers to the inability to effectively budget for new and existing
initiatives that support the overall strategic goals and objectives for growth,
expansion, acquisition for public welfare.
S4 Budgeting
It also refers to the inability to effectively budget for programs and projects
that would meet the agencys Medium Term Philippine Development Plan
(MTPDP).
This risk refers to the inability to forecast financial information to enable the
S5 Forecasting
allocation of resources to new and existing initiatives
Unavailability and inappropriateness of resource allocation process
S6 Resource allocation
prohibits the agencys ability to provide value for public.
Insufficient access to fund threatens the agencys capacity to grow, execute
S7 Capital/fund availability
its strategies and achieve its objectives.
The agency has an obsolete operation model and doesnt recognize it
and/or lacks the information needed to make an up-to-date assessment of
S8 Operational model
its current model and build a compelling operational case form modifying
that model on timely basis.
Lack of relevant and reliable information that enables agency management
to effectively prioritize its services or balance its operations in a strategic
S9 Operational portfolio
context may preclude a diversified agency from maximizing its overall
performance.
Outsourcing activities to third parties may result in the third parties not
S10 Outsourcing acting within the intended limits of their authority or not performing in a
manner consistent with the agencys strategies and objectives.
Major initiatives
This risk refers to the failure to establish a vision and direction for major
initiatives, including services, products and programs that will drive future
S11 Vision and direction
growth. It also refers to the failure to establish project acceptance criteria
and adequately measure against the criteria.
Planning and This risk refers to the failure to plan and execute major initiatives due in a
S12
execution coordinated manner.
This risk refers to the failure to identify appropriate metrics and assess
Measurement and
S13 performance, quality and adherence to the standards as set forth by the
monitoring
agency.

Last updated : March 2011 4|Page


Version : 02-03/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-03: Agency Risk Model

RISK
REF. NO. RISK TITLE RISK DESCRIPTION

Technology This risk refers to the failure of a major technology implementation to meet
S14
implementation the strategic objectives of the organization.
Failure to evaluate project proposals may result in problems when the
S15 Project evaluation
project has been approved.
The people within the agency are unable to implement process and service
S16 Change readiness improvements quickly enough to keep pace with changes in the public
environment.
Failure to foresee changes in the environment and establish initiatives to
Climate change and
S17 keep pace with biological changes may result in stop operations and
sustainability initiatives
degradation
Environment Dynamics
Economic changes, such as lower economic growth, reduce tax revenue
S18 Economic changes and opportunities to provide a wide range of services or limit the availability
or quality of existing services.
Movements in prices, rates, indices and the like threaten the value of the
S19 Financial market
agencys financial assets.
Adverse political actions in a country in which the agency has invested
significantly, is dependent on a significant volume of operation or has
S20 Sovereign/political
entered into a significant agreement with a counterparty subject to the laws
of that country threaten the agencys resources and future cash flows.
The agency may not be aware of changing pervasive public needs and
S21 Customer/public wants
wants, e.g. increased demand for faster turnaround on services.
The agency is not leveraging advancements in technology in its operations
Technological to achieve or sustain advantage or is exposed to the actions of other
S22
innovation agencys or substitutes that do not leverage technology or to attain superior
quality, cost and/or time performance in their services processes.
Failure to monitor the external environment or formulation of unrealistic or
S23 Environment scan erroneous assumptions about environment risks may cause the agency to
retain operation strategies long after they have become obsolete.
Agency This risk refers to the changes in opportunities and threats, and other
S24
environment/Industry conditions affecting the agencys environment.
Over commitment of resources and expected future cash flows threatens
S25 Sensitivity the agencys capacity to withstand changes in environment (e.g., interest
rates, public demand, changes in regulations) forces.
Market Dynamics
This risk refers to factors relating to macroeconomic conditions that affect
Macroeconomics
S26 the ability to maintain or increase revenue and profitability in a specific
factors
agency environment.
This risk refers to the failure to anticipate and respond to changes in overall
S27 Lifestyle trends
trends related to lifestyle demands of consumers.
This risk refers to the exposure to social and political factors within a market
S28 Sociopolitical environment that affect the ability to market, sell and service products and
services.
This risk refers to the dramatic changes in current technologies that may
S29 Technology changes impact the market viability or demand of current products and services
offered by the agency.

Last updated : March 2011 5|Page


Version : 02-03/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-03: Agency Risk Model

RISK
REF. NO. RISK TITLE RISK DESCRIPTION

Communication and public relations


This risk refers to the inability to anticipate and manage shifts in the
information stakeholders want, and the way in which they want it
S30 Media relations
communicated to them and ineffective ongoing, transparent
communications with the public to create goodwill.
A decline in customer/public confidence threatens the agencys capacity to
S31 Public relations
efficiently raise or collect funds.
This risk refers to the failure to communicate the right message effectively
S32 Crisis communications to recover and maintain agency operations in the event of a crisis or
disruption due to physical or natural circumstances.
Employee This risk refers to the inability to understand, and respond to, the
S33
communications communication needs of different employees.

OPERATIONS

Public Service and Operations


Customer/public A lack of focus on the customer/ public threatens the agencys capacity to
O1
satisfaction meet or exceed the customers/ publics expectations.
Poorly performing or positioned channel access threaten the agencys
O2 Channel effectiveness
capacity to effectively and efficiently service the customer/ public.
Unnecessary activities threaten the agencys capacity deliver services on a
O3 Cycle time
timely manner.
Faulty or nonperforming services expose the agency to customer/public
O4 Service failure
complaints, litigation, and loss of revenues, and agency reputation.
Inefficient operations threaten the agencys capacity to deliver services at
O5 Efficiency
the lowest cost and shortest time possible.
Insufficient capacity threatens the agencys ability to meet customer/public
O6 Capacity demands, or excess capacity threatens the agencys ability to generate
competitive profit margins.
Inability to perform at world-class levels in terms of quality, costs and/or
Performance
O7 cycle time due to inferior operating practices threatens the demand for the
measure/gap
agencys services.
Inefficient or ineffective external relationships affect the agencys capacity to
serve; these uncertainties arise due to choosing the wrong partner, poor
O8 Partnering/contracting
execution, taking more than is given (resulting in loss of a partner) and
failing to capitalize on partnering opportunities.
People
This risk refers to the failure to establish a culture that is consistent with
O9 Culture management philosophy and that encourages integrity, values, and ethical
competence.
Recruiting and This risk refers to the failure to attract, hire and retain the qualified
O10
retention resources to optimize execution of the organization's objectives.
Inability to develop and enhance employee skills and provide performance
Development and
O11 management that ensures optimal achievement of organizational strategies,
performance
goals and objectives.

Last updated : March 2011 6|Page


Version : 02-03/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-03: Agency Risk Model

RISK
REF. NO. RISK TITLE RISK DESCRIPTION
This risk refers to the failure to create and implement an effective
succession plan for senior executive and other key positions and
O12 Succession planning employees throughout the organization. It also refers to failure to align
succession planning with strategic planning and leadership development
objectives).
Processes for capturing and institutionalizing learning across the agency
are either non-existent or ineffective, resulting in slow response time, high
O13 Knowledge capital
costs, repeated mistakes, slow development, constraints on growth and
unmotivated employees.
This risk refers to the failure to provide a total compensation package (base
Compensation and salary, annual/long-term incentive, benefits/perquisites) that are market
O14
benefits competitive, aligned to agency and compensation strategies and retain and
motivate employees to achieve desired results.
Unrealistic, misunderstood, subjective or non-actionable performance
Performance measures may cause senior management, division heads and employees
O15
Incentives to act in a manner inconsistent with the agencys objectives, strategies, and
ethical standards, and with prudent agency practice.
Failure to provide a safe working environment for its workers exposes the
O16 Health and safety agency to compensation liabilities, loss of operational reputation and other
costs.
Information and technology
Failure of Information systems to adequately protect the critical data and
O17 Security/access infrastructure from theft, corruption, unauthorized usage, viruses, or
sabotage.
This risk refers to the inability to recover from, and continue uninterrupted
O18 Availability/continuity operations in the event of extraordinary events, systems and
implementation failures.
This risk refers to information systems that do not provide reliable
O19 Integrity information when it is needed or perform so slowly that operations are not
efficient.
The computer and telecommunications systems with supporting software do
not capture, retain and transfer data in a secure and reliable environment
O20 Infrastructure
and do not meet the expected requirements of the agency at a reasonable
cost.
Hazards
This risk refers to the threat to disrupt operation and ability of the agency to
sustain operations, provide essential services or recover operating costs or
O21 Natural events
accomplish planned target due to natural events (e.g., fire, earthquake,
tornado).
This risk refers to the threat to disrupt operation and ability of the agency to
Terror and malicious
O22 sustain operations, provide essential services or recover operating costs or
acts
accomplish planned target due to terrorist activities or other malicious acts.
Physical assets

This risk refers to the failure to provide physical protection and stewardship
O23 Real estate
over real estate designed to optimize longevity and utilization.
This risk refers to the failure to provide physical protection and stewardship
Property, plant and
O24 over long-lived assets (such as buildings, furniture, fixtures, machinery,
facilities
equipment and other assets) designed to optimize longevity and utilization.

Last updated : March 2011 7|Page


Version : 02-03/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-03: Agency Risk Model

RISK
REF. NO. RISK TITLE RISK DESCRIPTION
This risk refers to the failure to provide physical protection and stewardship
O25 Inventory over inventories designed to optimize utilization while minimizing
obsolescence, contamination and so on.
COMPLIANCE

Mandate
Failure to align process objectives and performance measures with the
C1 Function mandate of the agency, its objectives and strategies may result in
conflicting, uncoordinated activities throughout the agency.
Governance
Board This risk refers to the failure of the Board of Directors to discharge their
performance/Agency obligations and duties owed to the agency and its stakeholders in good faith
C2
management and to possess adequate knowledge to interpret and act on the information
committee provided.
Senior management fails to establish an environment that encourages
integrity, ethical values, and competence of the agency's people through
C3 Tone at the top
management's philosophy and operating style, assignment of authority and
responsibility, and the organization and development of its people.
Ineffective lines of authority may cause senior management, division heads
C4 Authority/limit or employees to do things they should not do or fail to do things they
should.
This risk refers to the failure to establish and maintain an internal control
C5 Control environment
environment which aligns with stakeholder and regulatory expectations.
This risk refers to the mismanagement of "socially responsible" activities
(e.g., conducting social responsibility training for management of
Corporate social manufacturers, undertaking environmental programs, participating in
C6
responsibility community initiatives) resulting in an unfavorable agency perception with
stakeholders, customers, suppliers, agency partners, employees and the
regulatory community.
Damage to the Agencys reputation exposes it to loss of customer/public
C7 Reputation
trust, profits and the ability to grow.

Code of conduct
This risk refers to the absence of formal standards of employee behavior
C8 Ethics that are intended to direct and influence the way agency operation is
conducted, above and beyond the letter of the law.
Potential unethical acts committed by agency employees or other
C9 Fraud
stakeholders may negatively impact the agency's reputation.
This risk refers to the fraudulent activities perpetrated by employees,
Employee/Third Party suppliers, agents, or third-party administrators against the agency for
C10
Fraud personal gain (e.g., misappropriation of physical, financial or information
assets) expose the agency to financial loss.
Illegal acts committed by senior management, division heads or employees
C11 Illegal Acts expose the agency to fines, sanctions, and loss of public trust, profits and
reputation and the like.
Management Fraud (e.g., intentional misstatement of financial statements
C12 Management Fraud
or critical reports) may adversely affect stakeholders decisions.

Last updated : March 2011 8|Page


Version : 02-03/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-03: Agency Risk Model

RISK
REF. NO. RISK TITLE RISK DESCRIPTION
Unauthorized use of the agencys physical, financial or information assets
C13 Unauthorized Use by employees or others exposes the agency to unnecessary waste of
resources and financial loss.
Legal
This risk refers to entering into contracts that are unfavorable to the agency
C14 Contract and the failure to comply with and monitor contract terms to protect the
agency from financial losses.
This risk refers to a responsibility, duty or obligation that may result in lawful
C15 Liability consideration to provide satisfaction, compensation or other form of
restitution.
This risk refers to the failure to create, capture, enhance, leverage and
C16 Intellectual property protect the collective knowledge, expertise and ideas of agency employees
valued as non-physical assets.
This risk refers to the failure to create an agency environment which is
C17 Anticorruption
opposed to corruption, and instill agency practices that prevent corruption.
Changing laws threaten the agencys capacity to consummate important
C18 Legal transactions, enforce contractual agreements or implement specific
strategies and activities.
Regulatory
This risk refers to the failure to identify and prevent legal risks posed by
C19 Trade non-compliance with agency and international regulatory requirements for
trade practices, e.g., anti-dumping and trade policy.
This risk refers to the failure to identify and prevent legal risks posed by
C20 Customs non-compliance with agency and international regulatory requirements for
Customs.
This risk refers to the failure to identify and prevent legal risks posed by
C21 Procurement
non-compliance with the agency procurement reform act.
This risk refers to the failure to implement infrastructure projects due to
Road-right of way
C22 RROW problems and risks posed by non-compliance with Comprehensive
(RROW) acquisition
and Continuing Urban development and Housing Program (RA 7279)
This risk refers to the failure to identify and prevent legal risks posed by
non-compliance with agency and International regulatory requirements for
C23 Labor
Labor rules and regulations, including taxes, wages, anti-discrimination,
Family and Medical Leave, workplace violence and so on.
This risk refers to the failure to identify and prevent legal risks posed by
C24 Securities non-compliance with agency and International Securities regulatory
requirements.
This risk refers to the failure to identify and prevent legal risks posed by
C25 Environment non-compliance with agency and International Environmental regulations,
e.g., noncompliance with ISO 4001 standards.
This risk refers to the failure to identify and prevent legal risks posed by
Data protection and
C26 non-compliance with privacy rules and regulations standards resulting in
privacy
improper disclosure of confidential customer information.
This risk refers to the exposure to geo-political, regulatory and fraud risks
C27 International
via international business dealings.
This risk refers to the failure to identify and prevent legal risks posed by
C28 Product/service quality non-compliance with agency and International regulatory requirements for
product/service quality and safety.

Last updated : March 2011 9|Page


Version : 02-03/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-03: Agency Risk Model

RISK
REF. NO. RISK TITLE RISK DESCRIPTION
This risk refers to the failure to identify and prevent legal risks posed by
C29 Health and safety non-compliance with agency and International rules and regulations for
health and safety.
This risk refers to the failure to identify and prevent legal risks posed by
Competitive non-compliance with agency and international rules and regulations for
C30
practice/antitrust competitive practices/anti-trade. Lack of awareness of statutory and
regulatory application of export and customs policies and requirements.
FINANCIAL

Market
This risk refers to the unfavorable price paid per unit of funds borrowed or
F1 Interest rate the rate of return received on invested assets, or interest rate fluctuations
beyond projected range.
This risk refers to the unfavorable fluctuations in the currency of another
F2 Foreign currency
market that is needed to carry out international transactions.
This risk refers to the unfavorable fluctuations in the price of raw materials
F3 Commodity or other commodities used in product development/service delivery that are
not anticipated and managed.
Financial market risk can vary depending on the particular segment of the
F4 Financial instrument market to which the holder of a financial instrument is exposed, or the way
in which the exposure is structured.
Liquidity and credit
This risk refers to the failure to efficiently and effectively administer and
F5 Cash management
manage cash flows to maintain adequate liquidity to meet obligations.
This risk refers to the the use of funds in a manner that leads to the loss of
F6 Opportunity cost economic value, including time value losses, transaction costs and other
causes of loss of value.
This risk refers to the failure to meet the requirements of a portfolio of
capital investments and obligations based on specified commitments or in
accordance with terms of an agreement (i.e., retirement and capital
F7 Funding accounts).

It also refers to the failure to receive appropriate funds to finance programs


and projects.
This risk refers to the failure to purchase or undertake sale transactions that
F8 Hedging
effectively minimize profits or losses arising from price fluctuations.
This risk refers to the inability to obtain the optimal level of payment
F9 Credit and collections
received as a result of a prior agency transaction.
Insurance coverage fails to protect the agency from significant financial
F10 Insurance
losses due to incidents and claims.
Accounting and reporting
Incomplete, inaccurate and/or untimely reporting of required financial and
operating information to other regulatory agencies may expose the agency
Accounting, reporting to fines, penalties and sanctions.
F11
and disclosure
Over-emphasis on financial accounting and other information to manage the
operations may result in the manipulation of outcomes to achieve targets at

Last updated : March 2011 10 | P a g e


Version : 02-03/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-03: Agency Risk Model

RISK
REF. NO. RISK TITLE RISK DESCRIPTION
the expense of not meeting public expectation, quality and efficiency
objectives.
This risk refers to the significant or material weaknesses resulting from
F12 Internal control inadequate financial internal controls impacting management's assessment
and reporting under country regulations.
This risk refers to the lack of relevant and/or reliable information supporting
F13 Investment evaluation investment decisions and linking the financial risks accepted to the capital
at risk, may result in poor short- or long-term investments.
This risk refers to the failure to properly evaluate and execute tax planning
Tax strategy and
F14 strategies. It also refers to the misalignment of tax objectives and strategies
planning
with overall agency objectives, strategies and initiatives.
Capital structure
This risk refers to the potential over-reliance on borrowing from creditors to
provide adequate working capital for agency objectives and/or to cover
F15 Debt
current operating obligations resulting in an unfavorable debt to equity
ratios.
This risk refers to the inability to offer marketable securities appropriately
F16 Equity
priced for the enterprise's value.
This risk refers to the inability to identify, establish and maintain the optimal
F17 Pension funds
structure for pension funds.

Last updated : March 2011 11 | P a g e


Version : 02-03/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-04 Agency Risk Identification Matrix

AGENCY RISK IDENTIFICATION MATRIX

Objective

The Agency Risk Identification (AgRI) Matrix is used to document the agency risks identified
for a particular audit period. As a tool that will facilitate the risk assessment process, this
document shall be used by audit teams when assessing the impact and likelihood,
identifying the locations affected and determining the initial audit response.

Accomplishing this tool

Accomplishing this tool is critical to for the audit team to have a common risk language when
understanding the risk profile of the agency being audited.

a. Risk Reference Number


- Obtain the risk reference number from the risk reference number assigned in
the Agency Risk Model.

b. Agency Risk Title/Risk Statement


- For each audit period, identify the risks of the agency being audited. The team
shall concur and agree on the risks that they perceive will affect the
achievement of the agency objectives and operations.

c. Risk Rating

Impact Assess the impact of the agency risk as to high, moderate and low
including the justification for the assessment

In assessing the impact of an agency risk, COA auditors should consider


the following factors:
Potential financial loss or lost opportunity for the agency
Damage to reputation or relationship with stakeholders or public
Potential business interruption/ reduction of agency operations
Degree of agency failure to achieve mandate
Noncompliance with laws, rules and regulations

Likelihood Assess the likelihood of the risk as to high, moderate and low
including the justification for the assessment.

In assessing the likelihood of an agency risk, COA auditors should


assess the probability/frequency of the risk occurring over a predefined

Last updated : March 2011 1|Page


Version : 02-04/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-04 Agency Risk Identification Matrix

time period. In most instances, the time period is set at one year. It can
be adjusted to be aligned with the agencys operating cycle.

Overall Rating The overall rating is the combination of the assessment


made on the impact and likelihood of the agency risk identified.

The overall rating shall be determined using the following matrix:

High Moderate High High

Moderate Low Moderate High


IMPACT

Low Low Low Moderate

Low Moderate High


LIKELIHOOD

d. Risk Location

Process/PAPs Identify the process or PAP affected by the agency risk.

Office Identify the offices (departments or units) responsible the process


affected by the agency risk.

e. Initial Audit Response


- Indicate the initial audit response for the agency risk identified using the
auditors judgment and past experiences. The team is not limited to the audit
response identified in this tool since further evaluations will be made to
determine the appropriate audit strategies to be used.

Last updated : March 2011 2|Page


Version : 02-04/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05 Agency Risk Identification Matrix

AGENCY RISK IDENTIFICATION MATRIX

Agency ____________________________ Prepared by : ____________________________ Date : ________________

Audit Period ____________________________ Reviewed by : ____________________________ Date : ________________

Office ____________________________ Approved by : ____________________________ Date : ________________

Risk Risk Rating Risk Location


Agency Risk Title/ Initial Audit
Ref. Overall Rating
Risk Statement Impact Likelihood Process/ PAPs Office Response
No.

High High High Financial

Moderate Moderate Compliance


Moderate
Low Low Perf ormance

Low FRA
Justification: Justification:

High High High Financial

Moderate Moderate Compliance


Moderate
Low Low Perf ormance

Low FRA
Justification: Justification:

Last updated : March 2011 3|Page


Version : 02-04/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05: Agency-level Controls Checklist

AGENCY-LEVEL CONTROLS CHECKLIST

Objective

After understanding the agency objectives and risks, auditors shall identify the top-level controls
that the agency has established. Auditors shall obtain an understanding of agency-level controls
to plan their audit and determine the most appropriate audit strategy.

The Agency-level Controls Checklist contains a set of questions for each internal control
component: The questions provided herein will guide auditors in obtaining an initial
understanding of the agency-level controls set by the agency management. However, auditors
shall consider that documenting and evaluating agency-level controls does not by itself provide
a complete perspective of internal controls of an agency. It is an important starting point
because the assessment of agency-level controls particularly when weaknesses are identified
can have a significant effect on the overall assessment of the effectiveness of internal controls
and procedures.

The internal control concepts of the National Guidelines on Internal Control Systems (NGICS)
and the International Standards of Supreme Audit Institutions (ISSAI) are incorporated in this
tool.

Accomplishing this tool

I. ALCC Probing Questions

Internal Control Component Probing questions are initially provided for the following internal
control component:
- Control Environment
- Risk Assessment
- Information and communication
- Monitoring
- Control Activities

NOTE:
Auditors are not only limited to the probing questions provided in this questionnaire.
Additional questions may be developed by the team, if deemed necessary.

Yes / No / Not applicable Answer each probing question with the appropriate response as a
result of the auditors validation of each internal control component.

Last updated : March 2011 1|Pa ge


Version : 02-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05: Agency-level Controls Checklist

Remarks Provide any remark or comment that the auditor may have during on the related
probing question as a result of its validation. Examples of remarks may include identification
of areas needed to be focused for the audit engagement or possible fraud indicators.

Initial Assessment Make an initial assessment as to the design and operating effectiveness of
each sub-component of the agencys internal control using the probing questions supplied.
Indicate the reasons for giving such an assessment in the reason column.

The operating effectiveness of some components of the agencys internal control is hard to
determine. In this case, audit teams shall document the reasons why and focus its
assessment on the design of the internal control. Auditor shall use their professional
judgment during this assessment.

II. ALCC Summary

Observations Document the observations obtained during the understanding of the agency
level controls. Observations may include deficiencies noted on the design of agency-level
controls or red flags that we may note on the process that may indicate source of fraud
risks. Incidentally, audit teams may need to issue an Audit Observation Memorandum
(AOM) to call the attention of the agency for the observations noted.

Recommendations - Provide a recommendation (if applicable) for each key observation noted.

AOM Reference Indicate the AOM reference number for those observations issued with an
Audit Observation Memorandum.

Last updated : March 2011 2|Pa ge


Version : 02-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05: Agency-level Controls Checklist

AGENCY-LEVEL CONTROLS CHECKLIST

Agency: Prepared:
Date
Reviewed:
Audit Period: Date
Approved
Date

I. ALCC Probing Questions

Internal Control Component Yes No NA Remarks


Control Environment

Integrity, Ethical Values, and behavior of key executives


A.1. The agency has a code of conduct or
equivalent policy that is communicated and
monitored.

A.2. The agencys culture emphasizes the


importance of integrity and ethical behavior.
Senior management holds itself to the highest
standards and leads by example.

A.3. The agencys communications reinforce a


consistent message regarding policies and
culture.

A.4. Agency management takes appropriate


action in response to departures from
approved policies and procedures or the code
of conduct.

A.5. There are appropriate policies for such


matters as conflicts of interest, and security
practices that are adequately communicated
throughout the agency.

A.6. Agency management maintains, monitors and


appropriately responds to a fraud hotline.

A.7. The agency has a whistleblower policy and


related whistleblower or ethics hotline, which
are appropriately communicated throughout
the agency, and include procedures for
handling complaints and for accepting
confidential submissions of concerns about
questionable transactions.

A.8. Agency managements control consciousness

Last updated : March 2011 3|Pa ge


Version : 02-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05: Agency-level Controls Checklist

Internal Control Component Yes No NA Remarks


and operating style are _________.

A.9. Agency management gives appropriate


attention to internal control, including
information technology controls.

A.10. Agency management corrects identified


internal control deficiencies in a timely
manner.

A.11. Agency management tends to be


conservative with respect to selecting
accounting principles and determining
accounting estimates.

A.12. Agency management consults with us on


significant matters relating to accounting and
financial reporting issues.

Initial Assessment: Reason:


Effective
Ineffective

Agency managements commitment to competence


A.13. The agency personnel have the competence
and training needed to deal with the nature
and complexity of the agencys operations.

A.14. Agency management has other processes in


place for handling complaints about agency
operational issues.

Initial Assessment: Reason:


Effective
Ineffective

Participation in governance and oversight by those charged with governance


A.15. Those charged with governance provide
effective oversight of the agencys operations.

A.16. There is an open line of communication


among those charged with governance and
COA auditors, and the nature and frequency
of communication is appropriate given the
size and complexity of the agency.

A.17. Those charged with governance have


sufficient knowledge, experience and time to
perform their role effectively.

Last updated : March 2011 4|Pa ge


Version : 02-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05: Agency-level Controls Checklist

Internal Control Component Yes No NA Remarks


A.18. Those charged with governance are
appropriately independent of agency
management given the size and complexity of
the agency.

Initial Assessment: Reason:


Effective
Ineffective

The organizational structure and assignment of authority and responsibility


A.19. The agency organizational structure is
appropriate given the nature, size and
complexity of the agency

A.20. Agency management engages in


communications so that members of
personnel understand the agencys
objectives, their role in relation to these
objectives, and how they are held
accountable for the achievement of these
objectives.

A.21. There are appropriate methods for


establishing authority, responsibility and lines
of reporting.

A.22. There are written job descriptions, reference


manuals and other communications to inform
personnel of their duties.

Initial Assessment: Reason:


Effective
Ineffective

Human resource policies and practices


A.23. The agency has adequate standards and
procedures for hiring, training, motivating,
evaluating, promoting, compensating,
transferring, or terminating personnel

A.24. Job performance is periodically evaluated and


reviewed with each employee.

Initial Assessment: Reason:


Effective
Ineffective

Last updated : March 2011 5|Pa ge


Version : 02-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05: Agency-level Controls Checklist

Internal Control Component Yes No NA Remarks


Risk Assessment

B.1. Agency objectives are established,


communicated, and monitored. Key elements
of the agencys strategic plan are
communicated throughout the agency so all
employees have a basic understanding of the
agencys overall strategy.

B.2. A process is in place to periodically review


and update agency-wide strategic plans. The
strategic plan is reviewed and approved by
the agencys board of directors.

B.3. The agency-wide strategic plan includes IT or


there is a separate IT strategic plan that
addresses the technology needs of the
agency to effectively and efficiently meet its
strategic plan.

B.4. There is an adequate mechanism for


identifying agency risks, including those
resulting from:

Entering new markets or lines of


business
Offering new products and services
Privacy and data protection compliance
requirements
Other changes in the operations,
economic, and regulatory environment
B.5. The internal audit (or another group within the
company) performs a periodic (at least
annual) risk assessment. Senior management
reviews the risk assessment and considers
actions to mitigate the significant risks
identified.

B.6. Management considers how much risk it is


willing to accept when setting strategic
direction or entering new markets, and does it
strive to maintain risk within those levels.

B.7. The board of directors and/or the audit


committee oversees and monitors the risk
assessment process and takes action to
address the significant risks identified.

B.8. There are groups or individuals who are


responsible for anticipating or identifying
changes with possible significant effects on
the agency. Processes are in place to inform
appropriate levels of management about

Last updated : March 2011 6|Pa ge


Version : 02-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05: Agency-level Controls Checklist

Internal Control Component Yes No NA Remarks


changes with possible significant effects on
the agency.

B.9. Budgets/forecasts are updated during the


year to reflect changing conditions.

B.10. Periodic reviews are performed or other


processes in place to, among other things,
anticipate and identify routine events or
activities that may affect the agencys ability
to achieve its objectives and address them.

B.11. Management reports to the board of directors


and/or the audit committee on changes that
may have a significant effect on the agency.

B.12. The board of directors and/or the audit


committee review and approve significant
changes in the agencys accounting
practices.

B.13. There are processes to ensure the


accounting department is made aware of
changes in the operating environment so they
can review the changes and determine what,
if any, effect the change may have on the
agencys accounting practices.

B.14. There are channels of communication


between the accounting department and/or
individual(s) in charge of monitoring
regulatory rules so the accounting department
is aware of regulatory changes that could
affect the agencys accounting practices.

Initial Assessment: Reason:


Effective
Ineffective

Information and Communication

Information
C.1. The agency is able to prepare accurate and
timely financial reports, including interim
reports.

C.2. The board of directors and management


receive sufficient and timely information to
allow them to fulfill their responsibilities.

Last updated : March 2011 7|Pa ge


Version : 02-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05: Agency-level Controls Checklist

Internal Control Component Yes No NA Remarks


C.3. Managements objectives in terms of budget,
profit, and other financial and operating goals
are defined and measurable. Actual results
are measured against these objectives.

C.4. There is a high level of user satisfaction with


information systems processing, including
reliability and timeliness of reports.

C.5. There is a sufficient level of coordination


between the accounting and information
systems processing functions/departments.

C.6. There are appropriate policies for developing


and modifying accounting systems and
controls (including changes to and use of
computer programs and/or data files).

C.7. Managements efforts to develop or revise


information systems (including accounting
systems) are responsive to its strategic plans.

C.8. There are significant applications or


transactions that are executed /processed by
service organizations. Management has
documented the relevant controls at the
service organization, the company, or both
that mitigate the risk of errors. There are
policies for periodic monitoring of controls
either at the service organization or the
company and taking appropriate action to
mitigate potential new risks.

C.9. The board of directors or audit committee is


involved in monitoring information systems
projects and resource priorities.

C.10. The IT organization chart clearly reflects


areas of responsibility and lines of reporting
and communication.

C.11. There are defined responsibilities for


individuals responsible for implementing,
documenting, testing and approving changes
to computer programs that are purchased or
developed by information systems personnel
or users.

C.12. Systems conversions are well controlled (e.g.,


completed pursuant to written procedures or
plans).

C.13. Financial management ensures and monitors

Last updated : March 2011 8|Pa ge


Version : 02-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05: Agency-level Controls Checklist

Internal Control Component Yes No NA Remarks


user involvement in the development of
programs, including the design of internal
control checks and balances.

C.14. There is a high degree of cooperation and


interaction between users and the IT
department (e.g., procedures to ensure
ongoing monitoring by the IT department of
user satisfaction with IT processing and
policies for the development, modification,
and use of programs and data files).

C.15. Application programs and data files are


backed up regularly.

C.16. There is a current disaster recovery plan for


the significant components of the IT
infrastructure.

C.17. There is a business continuity plan that


incorporates the disaster recovery plan and
end-user department needs for timely
recovery of critical functions, systems,
processes and data.

C.18. The disaster recovery and business continuity


plans are tested periodically (at least
annually).

C.19. The disaster recovery and business continuity


plans are updated for changing conditions.

Initial Assessment: Reason:


Effective
Ineffective

Communication
C.20. Lines of authority and responsibility (including
lines of reporting) within the company are
clearly defined and communicated.

C.21. There are written job descriptions and


reference manuals that describe the duties of
personnel.

C.22. Policies and procedures are established for


and communicated to personnel at
decentralized locations (including regional
operations).

C.23. There is a training/orientation for new

Last updated : March 2011 9|Pa ge


Version : 02-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05: Agency-level Controls Checklist

Internal Control Component Yes No NA Remarks


employees, or employees when starting a
new position, to discuss the nature and scope
of their duties and responsibilities. Such
training/orientation includes a discussion of
specific internal controls they are responsible
for.

C.24. There is a process for employees to


communicate improprieties. The process is
well communicated throughout the agency.
The process allows for anonymity for
individuals who report possible improprieties.
There is a process for reporting improprieties,
and actions taken to address them, to senior
management, the board of directors, or the
audit committee.

C.25. All reported potential improprieties are


reviewed, investigated, and resolved in a
timely manner.

C.26. Employees believe they have adequate


information to complete their job
responsibilities.

C.27. There is a process to quickly disseminate


critical information throughout the agency
when necessary.

C.28. There is a process for tracking


communications from customers, vendors,
regulators, and other external parties.

C.29. Ownership is assigned to a member of


management to help ensure that the agency
responds appropriately, promptly, and
accurately to communications from
customers, vendors, regulators, and other
external parties.

Initial Assessment: Reason:


Effective
Ineffective

Monitoring

Internal Audit function

D.1. The agency has an effective internal audit

Last updated : March 2011 10 | P a g e


Version : 02-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05: Agency-level Controls Checklist

Internal Control Component Yes No NA Remarks


function.

D.2. The internal audit function is independent of


the activities they audit and are prohibited
from having operating responsibilities.

D.3. The internal audit function adheres to


professional standards (e.g., International
Standards for the Professional Practice of
Internal Auditing).

D.4. The scope of internal audit activities is


appropriate given the nature, size and
structure of the agency.

D.5. The internal audit department develops an


annual plan that considers risk in determining
the allocation of resources.

D.6. The results of the internal audit activities are


reported to senior management and COA
auditors.

Initial Assessment: Reason:


Effective
Ineffective

Other monitoring activities


D.7. Periodic evaluations of internal control are
reported to agency management and those
charged with governance.

D.8. Personnel, in carrying out their regular duties,


obtain evidence as to whether the system of
internal control continues to function.

D.9. Policies and procedures are in place to


ensure that corrective action is taken in a
timely manner when control exceptions occur.

D.10. Agency management takes adequate and


timely actions to correct deficiencies reported
by the internal audit function or the
independent auditors.

D.11. Internal audit or another department performs


periodic reviews of internal control

D.12. Agency management or those charged with


governance review communications from
external parties that highlight areas of internal

Last updated : March 2011 11 | P a g e


Version : 02-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05: Agency-level Controls Checklist

Internal Control Component Yes No NA Remarks


control in need of improvement.

Initial Assessment: Reason:


Effective
Ineffective

Control Activities
E.1. Are accounting and closing practices followed
consistently at interim dates (e.g., quarterly,
monthly) throughout the year?

E.2. Is there appropriate involvement by


management in reviewing significant
accounting estimates and support for
significant unusual transactions and non-
standard journal entries?

E.3. Is there timely and appropriate documentation


for transactions?

E.4. Does the agency review its policies and


procedures periodically to determine if they
continue to be appropriate for the agencys
activities?

E.5. Do members of management have ownership


of the policies and procedures? Does the
ownership include ensuring the policies and
procedures are appropriate for the agencys
activities?

E.6. Is there a budgetary system?

E.7. Does management review key performance


indicators (e.g., budget, profit, financial goals,
operating goals) regularly (e.g., monthly,
quarterly) and identify significant variances?

Does management then investigate the


significant variances and is appropriate
corrective action taken?

E.8. Are variances in planned performance


communicated and discussed with the board
of directors and/or audit committee at least
quarterly?

E.9. Are financial statements submitted to


operating management? Are they
accompanied by analytical comments?

Last updated : March 2011 12 | P a g e


Version : 02-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05: Agency-level Controls Checklist

Internal Control Component Yes No NA Remarks


E.10. Is there an appropriate segregation of
incompatible activities (e.g., separation of
accounting for and access to assets, IT
operations function separate from systems
and programming, database administration
function separate from application
programming and systems programming)?

Are organizational charts reviewed to ensure


proper segregation of duties exist?

E.11. Are appropriate approvals from management


required prior to allowing an individual access
to specific applications and databases?

E.12. Are IT personnel prohibited from having


incompatible responsibilities or duties in user
departments?

E.13. Are there processes to periodically (e.g.,


quarterly, semi-annually) review system
privileges and access controls to the different
applications and databases within the IT
infrastructure to determine if system privileges
and access controls are appropriate?

E.14. Has management established procedures to


periodically reconcile physical assets (e.g.,
cash, receivables, inventories, property and
equipment) with related accounting records?

E.15. Are physical inventories/cycle counts taken


on a periodic basis and the perpetual
inventory system adjusted accordingly? Are
significant or recurring adjustments
investigated to determine the reason for the
adjustment and are appropriate actions taken
to address the reasons for the adjustments?

E.16. Has management established procedures to


prevent unauthorized access to, or
destruction of, documents, records (including
computer programs and data files), and
assets?

E.17. Is data processing access to non-data


processing assets restricted (e.g., blank
checks)?

E.18. Are access security software, operating


systems software, and application software
used to control both centralized and
decentralized access to:

Last updated : March 2011 13 | P a g e


Version : 02-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05: Agency-level Controls Checklist

Internal Control Component Yes No NA Remarks

Data
Functional capabilities of programs (e.g.,
execute, update, modify parameters, read
only)?

E.19. Is physical security over information


technology assets (both IT department and
users) reasonable given the nature of the
agencys operations?

E.20. Is critical computer data backed up daily and


stored off-site?

E.21. Are controls in place over dial-up access to


the agencys computer resources (e.g.,
firewalls; centralized directories to store and
manage user identities and resource
privileges; automated policy-based request,
approval, and fulfillment process for
enterprise access)?

E.22. Is there a dedicated security officer function


that monitors IT processing activities and are
there periodic reports to the board of directors
and/or audit committee on the current state of
IT security at the agency?

E.23. Are there systems to monitor and respond to


potential interruptions in agency operations
due to incidents stemming from malicious
intrusions, and to update security protocols to
prevent them? Are security violations and
other incidents automatically logged and
reviewed?

E.24. Does the agency conduct periodic


reviews/audits of IT security? If yes, are the
results of the review/audit reported to the
board of directors and/or audit committee?

Initial Assessment: Reason:


Effective
Ineffective

Last updated : March 2011 14 | P a g e


Version : 02-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-05: Agency-level Controls Checklist

II. ALCC Summary

Observations Recommendations AOM Ref.

Last updated : March 2011 15 | P a g e


Version : 02-05/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-06: Process-Risk-Control Matrix

PROCESS-RISK-CONTROL MATRIX

Objective

The Process-Risk-Control Matrix facilitates the understanding of processes as well as the


process-level risks and controls affected by agency-levels risks identified. This tool will guide
the agency audit team in identifying their focus areas for a specific audit period by obtaining
an initial view of the processes.

Accomplishing this Tool

a. Critical Path of the Process


- Document the understanding of the significant process identified which is affected by
the agency-level risks as reflected in the Agency Risk Identification Matrix. Auditors
may use the narrative or flowchart form in documenting the process understanding.
The level of detail needed for the documentation depends on the objective of the
auditors. In any case, the documentation shall be sufficient enough to identify the
process-level risks and controls including the impact to the accounts and PAPs of the
agency. The documented process should reflect the actual process being done by
the agency. This should be validated by conducting process walkthroughs.

b. Process risks and existing controls

Process Risks Identify the risks/what could go wrongs in the process through a risk
statement. Process-level risk is any event or circumstance that could affect the
achievement of the process objectives.

Impact: Accounts Affected (including assertions) Identify the extent to which the risk
if realized would impact the agencys financial statement accounts. This is
critical for planning the financial audit aspect.

Impact: Risk to PAPs Identify the impact of process-level risks to the achievement
of the objectives of the agencys PAPs. Examples are damage to assets,
reputation impacts and ability to achieve key objectives.

Existing Controls Indicate the controls identified during the process understanding.
The controls that should be documented are those that are being carried out at
the time of the audit. Controls that have been presented in operations manual
or procedures shall be validated through walkthrough procedures.

Control Design Assessment Develop an initial assessment on the design of the


controls based on the results of the walkthrough procedures conducted. Tick
the appropriate box if the control design is adequate or inadequate.

Last updated : March 2011 1|P a ge


Version : 02-06/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-06: Process-Risk-Control Matrix

Reason if inadequate Provide reason or the observation noted if the control design
assessment is inadequate

c. Summary

Key Observation Document the observations obtained during the understanding of


the processes, risks and controls. Observations may include deficiencies noted
on the design of process-level controls or red flags that we may note on the
process that may indicate source of fraud risks among others. Incidentally,
audit teams may need to issue an Audit Observation Memorandum (AOM) to
call the attention of the agency for the observations noted.

Recommendation Provide a recommendation (if applicable) for each key


observation noted.

AOM Ref. No. Indicate the AOM reference number for those observations issued
with an Audit Observation Memorandum.

Last updated : March 2011 2|P a ge


Version : 02-06/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-06: Process-Risk-Control Matrix

PROCESS-RISK-CONTROL MATRIX

Agency : ______________________________________ Prepared: : _______________________ Date : _______________________

Audit Period : ______________________________________ Reviewed: : _______________________ Date : _______________________

Significant Process : ______________________________________ Approved : _______________________ Date : _______________________

Significant Agency Risks : ______________________________________

a. Critical path of the process:


Our documentation of the flow of the process may be in narrative form or graphical form through the use of process mapping flowcharts. The form of documentation depends on the size and complexity of the process.

Last updated : March 2011 3|P a ge


Version : 02-06/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-06: Process-Risk-Control Matrix

b. Identify Process Risks and Existing Controls

Impact
Accounts Affected Control Design
Process Risks Existing Controls Reason if inadequate
(including Risk to PAPs Assessment
assertions)

Adequate

Inadequate

Adequate

Inadequate

Adequate

Inadequate

Summary

Key Observation Recommendation AOM Ref. No.

Last updated : March 2011 4|P a ge


Version : 02-06/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-07: Audit Risk Assessment and Planning Tool

AUDIT RISK ASSESSMENT AND PLANNING TOOL

Objective

In order to develop an audit strategy that is responsive to the agencys risks we make an
audit risk assessment for relevant assertions of significant material accounts and the
Agencys PAPs.

The Audit Risk Assessment and Planning Tool will facilitate our documentation of our audit
risk assessment for financial, compliance and performance audits. In addition, it also
documents our audit strategy, scope and estimated timing which will guide the development
of our audit test procedures.

Accomplishing this tool:

A. Financial and Compliance

Significant Account The significant and material financial statement account


identified in the PRC Tool.

Assertion Check the related assertion/s of the financial statement account


identified in the PRC Tool

Inherent Risk Assess the inherent risk of the financial statement account and
assertion. Our assessment of inherent risk may be higher or lower. Factors
that may affect our inherent risk assessment are as follows:

Susceptibility to material misstatement


Size and composition
Variations from expected amounts
Effects of external factors
Competence and experience of agency personnel
Degree of subjectivity
Completion of unusual/complex transactions at or near period-end
Transactions not subjected to routine processing

Include in the justification the reason why we assessed inherent risk as


higher or lower.

Control Assessment Assess the control based on the adequacy of design. At


this point, we also assess the effectiveness of the controls based on the
results of walkthrough procedures conducted in Understanding the Process
and based on testing results we obtained from prior years audit. Our
assessment of the controls on the related financial statement account will be
whether we are intending to rely or not rely on the controls.

Include in the justification the reason why we intend to rely or not rely on the
controls.

Last updated : March 2011 1|P a ge


Version : 02-07/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-07: Audit Risk Assessment and Planning Tool

Note that this assessment is preliminary only. A final assessment shall be


made after testing the controls in the execution phase (in case we intend to
rely at this point).

Risk Assessment This refers to our combined risk assessment by considering


our inherent risk and control assessment. Combined risk assessment is
determined by using the following diagram:

Inherent Risk High Low High


Assessment

Low Minimal Moderate

Low High

Control Assessment

The above diagram can also be interpreted as follows:

Inherent Risk Control Risk Combined Risk


Assessment Assessment Assessment
Low & Low = Minimal
High & Low = Low
Low & High = Moderate
High & High = High

Audit Strategy Indicate whether our main strategy would be testing the controls
or substantive tests. Test of controls will be the audit strategy for accounts
assessed as Minimal or Low (we are intending to rely on the controls),
whereas, substantive procedures will be the audit strategy for accounts
assessed as Moderate or High.

Timing Indicate the estimated date when the audit test procedures for the
financial statement account will commence.

Person Days Indicate the amount of time or duration for the completion of the
audit test procedures.

B. Performance

Column Headings (Selection Factors) Assign risk weights for each selection
factor. Risk weights are expressed as percentages and when summed up,
should equal to 100%. The assignment of risk weights is based on the
auditors judgment. To minimize bias/subjectivity, the assignment of risk
weights should be discussed among the audit team members and should be

Last updated : March 2011 2|P a ge


Version : 02-07/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-07: Audit Risk Assessment and Planning Tool

reviewed by the Supervising Auditor/ Director. Illustrated below are


examples on how to assign risk weights:

Example 1: If the auditors would like to give equal risk weights on selection
factors and lesser weight on visibility, auditability and previous audit
coverage:

Selection Factors
Previous
Risk to Good
Materiality Impact Visibility Significance Auditability Audit
Management
(20%) (20%) (10%) (20%) (5%) Coverage
(20%)
(5%)

Example 2: If the auditors would like to focus more on the budget allocated
for the PAPs:

Selection Factors
Previous
Risk to Good
Materiality Impact Visibility Significance Auditability Audit
Management
(50%) (10%) (10%) (10%) (5%) Coverage
(10%)
(5%)

Example 3: If the auditors would like to focus more only on the Budget
allocation, Significance of the PAPs on the Agencys Mandate:

Selection Factors

Materiality Significance
(50%) (50%)

Note that the auditors may remove selection factors that they wish not to
consider in their evaluation of the agencys PAPs. Larger risk weights may
be allocated to those selection factors that the auditors wish to focus more.

As illustrated in the 3 examples, the total of risk weights allocated to the


selection factors is always equal to 100%.

Detailed definition of the selection factors are contained in the IRRBA


Manual.

PAPs List down the Agencys Significant PAPs.

Selection Factors For each PAP, assign points for each selection factors. The
points to be given for each selection factor should not exceed the risk weight
assigned on the column heading of that selection factor. See illustration
below:

Selection Factors
Risk to Previous
PAPs Total
Materiality Impact Visibility Significance Good Auditability Audit
(20%) (20%) (10%) (20%) Management (5%) Coverage
(20%) (5%)
Program A 20 15 8 20 10 5 5
Program B 18 15 5 15 15 5 5

Last updated : March 2011 3|P a ge


Version : 02-07/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-07: Audit Risk Assessment and Planning Tool

Note that the maximum amount of points to be given for each selection factor
is the risk weight assigned in the column heading. Assignment of points is
based on auditors judgment. To minimize bias/subjectivity, the assignment
of risk weights should be discussed among the audit team members and
should be reviewed by the Supervising Auditor/ Director.

Total Sum up all the points given in the selection factors for the particular PAP.

Basis for Assessment Indicate the auditors remarks/bases why such points
were given for each particular PAP.

PAPs to be subjected for performance audit


- This table summarizes the PAPs selected to be subjected for performance audit
during the audit period. Selection of PAPs will be based on the result of the
assessment performed in the preceding table (PAPs with higher total points will
be selected). The number of PAPs to be subjected for performance audit will
depend on the auditor by considering their workload for the audit period and
their available resources, i.e., manpower, competencies and so on.

Significant PAPs List down the PAPs to be subjected for performance audit
for the audit period.

Audit Focus Area Identify the specific areas of the PAPs to be focused for the
performance audit (e.g., procurement, delivery of services, efficiency of
operations)

Audit Aspect Check whether to objective of the performance audit is to check


the economy, efficiency or effectiveness of the PAP. The auditor may
select one or more audit aspect depending on the scope of the
performance audit.

Timing Indicate the estimated date when the performance audit will
commence.

Person Days Indicate the amount of time or duration for the completion of the
performance audit.

C. Specialized Skills Needed

- This part identifies professionals with specialized skills needed for the audit and
defines their scope of work and timing.

Specialized Skills Needed Identify the professional with specialized skills to be


needed in our audit. (Professionals with specialized skills may pertain to
engineers, IT auditors, actuaries and the like who would be of help in the
execution of audit procedures that require technical skills)

Office Identify the office of the Specialized Skills Needed (e.g., TSO for
Engineers, ITO for IT Auditors).

Scope Identify their scope of work (e.g., infrastructure projects to be reviewed by


engineers, computer programs to be evaluated by IT Auditors).

Last updated : March 2011 4|P a ge


Version : 02-07/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-07: Audit Risk Assessment and Planning Tool

Timing Indicate the estimated date when the conduct of audit procedures will
commence.

Person Days Indicate the amount of time or duration for the completion of the
audit procedures.

D. Other Material Accounts

- These are formerly termed as LORMA or Low Risk Material Account.


- These are material accounts that were not considered in the audit risk
assessment for financial and compliance audit. Other Material accounts will be
subjected for High-level precision analytics or test of details, if necessary.

Other Material Accounts List down the account titles of Other Material Accounts

Timing Indicate the estimated date when the conduct of High-level precision
analytics would commence.

Person Days Indicate the amount of time or duration for the completion of the
analytic procedures.

Person/s Responsible Indicate the audit staff who will perform the procedures for
Other Material Accounts.

Last updated : March 2011 5|P a ge


Version : 02-07/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-07: Audit Risk Assessment and Planning Tool

AUDIT RISK ASSESSMENT TOOL

Agency: Prepared by: Date:


Region: Reviewed by: Date:
Audit Period: Approved by: Date:

In order to develop an audit strategy that is responsive to an agencys risk of material misstatement, we make a risk assessment for financial and compliance, performance
audits.

A. Financial and Compliance

For financial and compliance, we make our risk assessment by assessing the inherent risk, preliminary control risk and combining both assessments to arrive at an overall
risk assessment for each relevant assertion for each significant account.

Significant Account/ Inherent Risk Control Risk Person


Assertion Risk Assessment Audit Strategy Timing ATS Ref.
Critical Process (IR) (CR) Days

Existence/ Occurence Low Low-Rely on Controls Minimal TOC Click here to enter
a date.
Completeness High High-Not Rely on Controls Low Substantive
Test
Accuracy Moderate
Justification: Justification:
Rights and Obligations High

Presentation & Disclosure

Compliance

Existence/ Occurence Low Low-Rely on Controls Minimal TOC Click here to enter
a date.
Completeness High High-Not Rely on Controls Low Substantive
Test
Accuracy Moderate
Justification: Justification:
Rights and Obligations High

6|P a ge
Integrated Results and Risk-Based Audit Manual Phase 2 Agency Audit Planning and Risk Assessment
Form 02-07: Audit Risk Assessment and Planning Tool

Significant Account/ Inherent Risk Control Risk Person


Assertion Risk Assessment Audit Strategy Timing ATS Ref.
Critical Process (IR) (CR) Days
Presentation & Disclosure

Compliance

B. Performance

Selection Factors Total Bases for Assessment


PAPs Risk to Good Previous Audit
Materiality Visibility Significance Auditability
Management Coverage
(__%) (__%) (__%) (__%)
(__%) (__%)

7|P a ge
Phase 2 Agency Audit Planning and Risk Assessment
Form 02-07: Audit Risk Assessment and Planning Tool

PAPs to be subjected for performance audit:

Significant PAPs Audit Focus Area Audit Aspect Timing Person Days
Economy
Efficiency
Effectiveness

C. SPECIALIZED SKILLS NEEDED

Specialized Skills Needed Office Scope Timing Person Days

D. OTHER MATERIAL ACCOUNTS


Identify Other Material Accounts that were not considered in the Financial and Compliance Audit Risk Assessment. Audit procedures for Other
Material Accounts include High-level precision analytics and Tests of Details, if necessary.

Other Material Accounts:




Timing: __________________.
Person Days: _______ .
Person/s Responsible: ____ .

8|P a ge
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

DELIVERY:
EXECUTION

Integrated Results and Risk-Based Framework

Strategic Planning and Risk Identification

Planning Delivery

Agency Audit
Conclusion
Planning and Risk Execution
and Reporting
Assessment

Monitoring
(Quality Control System)

Introduction

The Execution activity covers our procedures in designing and executing our audit
tests, evaluation of results and communicating the same to the agency management.

Our audit tests should be designed to obtain audit evidence regarding the
completeness, accuracy, validity of data, and reasonableness of the estimates and
other information. They should also be designed to identify errors, non-compliance,
inefficiency, ineffectiveness that could be indicative of weaknesses in the agencys
operations.

Audit results are communicated to the agency management in a timely manner for
them to take necessary action to prevent its recurrence.

The following are the activities involved in this phase:

3A.1. Design Audit Tests


3A.2. Execute Audit Tests
3A.3. Evaluate Audit Results
3A.4. Communicate Audit Results

Last updated : March 2011 1|Page


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

Supplemental:
3A-S1 Execution Financial & Compliance
3A-S2 Execution Performance
3A-S3 Sample Test of Control Working Paper
3A-S4 Sample Substantive Test Audit Program

Procedures

3A.1. Design Audit Tests

We design our audit tests through the preparation of the Audit Test Summary
(Form 03-01) that lists our audit procedures to obtain sufficient appropriate audit
evidence. This enables us to draw reasonable conclusions on which to base our
opinion.

Our audit procedures should be designed in accordance with the nature, extent
and timing of audit approach identified in our Audit Assessment and Planning
Memorandum.

The table below describes the nature of audit procedures we may use to obtain
audit evidence in executing audit tests, together with examples on how to apply
such procedures:

Procedures Application
Inquiry Seeking information from knowledgeable persons, both
financial and non-financial, throughout the agency or outside
the agency. Inquiries can be either written or oral.

Evaluating responses is an important part of the inquiry


process, as it may provide information not previously obtained
or will corroborate audit evidence already obtained. Responses
to inquiries may provide a basis for us to modify or perform
additional audit procedures.

In certain circumstances, we may consider obtaining written


representations from agency management, to confirm
responses to oral inquiries.

Observation Watching processes or procedures being performed by the


agencys personnel. Observation provides audit evidence about
the performance of a process or procedure, but is limited to the
particular point in time at which the observation takes place. In
addition, the act of being observed may affect how the process
or procedure is performed.

Inspection Examine records or documents, whether internal or external, in


paper or electronic form, or other media. Inspection of records
and documents provides audit evidence of varying degrees of
Last updated : March 2011 2|Page
Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

Procedures Application
reliability, depending on their nature and source and, in the
case of internal records and documents, on the effectiveness of
the controls over their production.

Inspection includes physical examination (e.g., inspection of


individual fixed assets), which provides audit evidence with
respect to their existence, but not necessarily about the
agencys rights and obligations or the valuation of the assets.

Recalculation Checking the mathematical accuracy of documents or records.


Recalculation may be performed manually or electronically.

Reperformance Our independent execution of the relevant control procedures


that were originally performed as part of the agencys internal
control, either manually. We re-perform the control procedures
to obtain audit evidence that the procedures were appropriately
performed as designed.

Data Analysis In certain situations, we may be able to use data analysis


techniques, principally through the use of automated tools, to
obtain evidence about the operating effectiveness of control.

Supplemental Audit Guidelines


Refer to the following supplemental audit guidelines for designing of audit tests in
the context of each audit:
Financial and Compliance Audit F3.1
Performance Audit P3.1

3A.2. Execute Audit Tests

We execute audit tests throughout the audit period in accordance with the
nature, extent and timing of the audit procedures as designed in the previous
sub-activity.

Audit Evidence Considerations

The quality of audit evidence is affected by the relevance and reliability of the
information upon which it is based. Relevance deals with the logical connection
with, or bearing upon, the purpose of the audit procedure or the assertion being
tested.

The reliability of information to be used as audit evidence is influenced by its


source and nature and the circumstance under which the evidence is obtained.
The following factors influence the reliability of audit evidence:
The reliability of audit evidence is increased when it is obtained from
independent sources outside the agency.

Last updated : March 2011 3|Page


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

The reliability of audit evidence that is generated internally is increased when


the related controls imposed by the agency are effective.
Audit evidence obtained directly is more reliable than audit evidence obtained
indirectly or by inference.
Audit evidence in documentary form, whether paper, electronic, or other
medium, is more reliable than evidence obtained orally.
Audit evidence provided by original documents is more reliable than audit
evidence provided by photocopies or fax, or documents that have been
filmed, digitized or otherwise transformed into electronic form, the reliability of
which may depend on the controls over their preparation and maintenance,

Accounting Estimates

If our planned procedures include testing how management determined the


accounting estimate, we evaluate whether:
The method of measurement used is appropriate in the circumstances, (e.g.,
in relation to the agencys operations, sector and environment), including
agency managements rationale for selecting the method.
The assumptions used by agency management are reasonable in light of the
measurement requirements of the applicable financial reporting framework,
including the consistency of the assumptions with our understanding of
managements intent and ability to carry out certain courses of action.

Our evaluation of the assumptions used by agency management is based only


on information available to us at the time of the audit. In evaluating the
reasonableness of the assumptions used by agency management we may
consider whether:
Individual assumptions appear reasonable
The assumptions are interdependent and internally consistent
The assumptions appear reasonable when considered collectively or in
conjunction with other assumptions, either for that accounting estimate or for
other accounting estimates
In the case of fair value accounting estimates, the assumptions appropriately
reflect observable marketplace assumptions

External Confirmation Procedures

a. Evaluation Confirmation Responses

Confirmation exceptions may be given to the agency for investigation after we


establish control by making a copy or other record of the confirmation reply. If
agency personnel are used to investigate exceptions, we inspect, at least on a
test basis, evidence explaining and reconciling the exceptions.

We determine whether significant and/or frequently recurring exceptions may be


indicative of a pattern of errors in the unconfirmed accounts.

Last updated : March 2011 4|Page


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

We also exercise professional skepticism when dealing with unusual or


unexpected responses to confirmation requests (e.g., a significant change in the
number or timeliness of responses to confirmation requests relative to prior
audits), or a non-response when a response would be expected. These
circumstances may indicate previously unidentified risks of material
misstatement due to fraud.

In such cases, we reconsider the judgments we made in planning our audit


approach and our CRA, and the effect on our planned procedures.

a. Alternative Procedures

When we do not receive replies to positive confirmation requests, we apply


alternative procedures to the non-responses to obtain the evidence necessary to
reduce audit risk to an acceptably low level. The nature of alternative
procedures to be performed varies according to the account and assertion.

We apply our alternative procedures to each item that make up the entire
balance that we have not received confirmations for.

Substantive Analytical Procedures

We execute our substantive analytical procedures and compare the recorded


amount, trend or ratio with our expectation. When the difference between the
recorded amount, trend or ratio and our expectation is less than our variance
threshold, no further investigation is required.

If we identify differences that exceed our variance threshold or fluctuations or


relationships that are inconsistent with other relevant information, we investigate
them by:
Inquiring of management to provide an explanation
Obtaining audit evidence to support agency managements responses

3A.3. Evaluate Audit Results

When we execute our audit test procedures, we may identify findings or


misstatements. The identification and accumulation of misstatements is one of
our most important audit responsibilities and is critical in enabling us to formulate
our audit opinion.

A misstatement may also result from fraud, such as:


Manipulation, falsification or alteration of accounting records or supporting
documentation from which the financial statements are prepared
Misrepresentation in, or intentional omission from, the financial statements of
events, transactions or other significant information
Intentional misapplication of accounting principles relating to amounts,
classification, manner of presentation or disclosure
Last updated : March 2011 5|Page
Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

Misappropriation of assets that has not been detected and recorded

If we identify an intentional misstatement in the financial statements, we


determine if this is an incident of suspected fraud or represents non-compliance
with applicable laws and regulations.

We report the matter to the Supervising Auditor of the engagement and


communicate it to the appropriate level of agency management. In this case, the
appropriate level of agency management is at least one level above the
person(s) who appears to be involved with the misstatement.

3A.4. Communicate Audit Results

We conclude on the results of our audit procedures and assess whether we have
obtained sufficient appropriate audit evidence for each significant account,
disclosure and assertion.

We document a conclusion statement for each significant account and


disclosure, that addresses the execution of the designed procedures, the
adequacy of those procedures, and when identified, significant findings.

For significant findings and issues, our conclusions include a summary of the
procedures performed, the results of our procedures, including significant
professional judgments and consultations made, and any misstatements
identified.

Communication of Audit Findings

Agency Management does not like surprises, and they are generally more willing
to correct identified audit findings when they are notified early. Early notification
gives the agency time to investigate the cause of the misstatement, evaluate it
and perform additional work, if necessary, to quantify it.

We discuss each audit finding with the appropriate level of agency management
to confirm that our understanding of the nature and cause of the audit finding is
factually correct. We also discuss what actions the agency can take to prevent
an errors recurrence.

The appropriate level of agency management is the one that has responsibility
and authority to evaluate the audit finding and take the necessary action to
prevent its recurrence. Generally, this depends on the agencys organization
structure and the nature and significance of the audit finding.

If the agency disagrees that there is an audit finding, or disputes the amount
involved, we ask the agency to support its position by providing additional audit
evidence. We exercise professional skepticism when auditing the additional
evidence to verify whether it supports the agencys position.
Last updated : March 2011 6|Page
Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

If, in our opinion, the evidence provided by the agency does not support the
agencys position, we determine the effect on our audit opinion, which may
include consulting with the Supervising Auditor or Cluster Director.

Documentation

We communicate our audit findings to the agencys management through the


issuance of the following documents in accordance with COA Circular No.
2009-006:
Audit Observation Memorandum (AOM)
Notice of Suspension (NS)
Notice of Disallowance (ND)
Notice of Charge (NC)

Note that AOM/NS/ND/NCs can be issued at any point in or stage of the audit
process.

Policy and Standard

Policy/Standard Description
ISSAI 1230 Audit Documentation

ISSAI 1330 The Auditors Responses to Assessed Risks

ISSAI 1450 Evaluation of Misstatement Identified during the Audit


ISSAI 1500
Audit Evidence

ISSAI 1505
External Confirmations

ISSAI 1520
Analytical Procedures

ISSAI 1530 Audit Sampling


Auditing Accounting Estimates, Including Fair Value
ISSAI 1540
Accounting Estimates, and Related Disclosures
ISSAI 1520,
Analytical Procedures

Last updated : March 2011 7|Page


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

Documentation

Procedure Sub-procedure Output/Tools

Form 03A-01 Audit Test


3.1 Design Audit Tests
Summary

3.2 Execute Audit


Tests
3.3 Evaluate Audit
Results

Audit Observation
Memorandum
3.4 Communicate
Notice of Suspension
Audit Results
Notice of Disallowance
Notice of Charge

Last updated : March 2011 8|Page


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

Supplemental

3A-S1 Execution Financial & Compliance

DESIGN AUDIT TESTS FINANCIAL AND COMPLIANCE

This supplement provides additional considerations in the design of audit tests our Financial
and Compliance Audit. We use this supplement in conjunction with the Design Audit Tests
sub-activity in Execution.

Procedures

F3.1Design Audit Tests

F3.1.1 Design Tests of Controls

a. Determine the appropriate controls to select and test

We use our professional judgment in determining the appropriate controls to


select and test, recognizing that we may be more effective and efficient to
select and test controls that address multiple process risks and assertions.

If a process risk is addressed by more than one control, we are not required
to select and test every control.

We also consider selecting controls tested by internal audit and others that
we are able to rely on, as this may be an effective and efficient approach to
obtain sufficient appropriate audit evidence about the operating effectiveness
of those controls.

b. Confirm that controls to test are relevant to the audit

We identify and document controls that are relevant to the audit when we
understand the processes. However, to avoid selecting inappropriate
controls to test, we confirm that the controls selected to test are relevant to
the audit, considering the following:

The nature of the control. The control appropriately addresses the risk
scenario(s) for the relevant assertion(s) to prevent or detect and correct
misstatements.
The relevance and reliability of evidence we expect to be available to
support the operating effectiveness of the control.
The objectivity and competency of the person performing the control.
The control is applied to a complete and reliable set of data.

Last updated : March 2011 9|Page


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

Subsequent Audits
In subsequent years, we use our understanding of the operating effectiveness of
controls tested in prior periods to determine whether to select the same controls
to test, considering:

The results or findings of procedures performed and conclusions reached


from prior periods. We determine if these controls are still relevant for the
purpose of our audit.

Changes that have occurred in significant processes since the prior period
that may affect the relevance of the controls to respond to existing or
additional risk scenarios identified. We determine the effects of these
changes over the controls that we plan to rely on and evaluate if the controls
are still effective to address the process risks for the relevant assertions.

F3.1.2 Design Substantive Tests

a. Customize substantive tests for significant accounts in accordance with our


audit strategy outlined in the Audit Assessment and Planning Memorandum

b. Plan the timing of substantive tests

The timing of our substantive tests is primarily driven by our Risk


Assessment conducted in Phase 2. We may design our substantive tests to
be performed at an interim date(s). These interim tests of details provide
benefits such as:
Enabling earlier identification of significant findings and issues
Allowing more time to address and resolve significant findings and issues
Reducing work performed during year end
Helping to manage tight reporting deadlines

Timing of Substantive Tests


We may design the timing of our interim substantive tests as follows:
Earlier in the reporting period (e.g., up to six months before the balance
sheet date) if the Risk Assessment is minimal
During the later portion of the reporting period (e.g., up to three months
before the balance sheet date) if the Risk Assessment is low
At or near the period end (e.g., up to one month before the balance sheet
date) if the Risk Assessment is moderate or high

When Interim Tests may not be effective


Interim tests of details may not be effective or efficient in the following
circumstances:
Significant changes are expected to the agency because more extensive
rollforward procedures will be needed as a result of the changes

Last updated : March 2011 10 | P a g e


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

The agency does not prepare or analyze financial statements at the


interim date, as this affects our ability to perform interim audit procedures
The agencys accounting system does not provide details of transactions
for the period between the interim to the balance sheet dates, as this
affects our ability to perform rollforward procedures
There are significant risks that affect the significant account, disclosure
or relevant assertion which may require more extensive rollforward
procedures

Rollforward Considerations
When we design interim procedures, we also design rollforward procedures
to obtain sufficient audit evidence that provides a reasonable basis for
extending our audit conclusions at the date of our interim procedures to the
year end.

The extent of rollforward procedures shall be customized depending on the rollforward


period and risk assessment as follows:

Last updated : March 2011 11 | P a g e


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

RISK ASSESSMENT
Rollforward period
Minimal Low Moderate High
Less than 1 month Update lead schedule and Update lead schedule and Update lead schedule and Update lead schedule and
extend substantive extend substantive extend substantive extend substantive
analytical procedures to analytical procedures to analytical procedures to analytical procedures to
the balance sheet date. the balance sheet date. the balance sheet date. the balance sheet date.

Design additional Analyze and understand Analyze and understand


procedures during the movements during movements during
rollforward period to rollforward period, which rollforward period, which
address higher inherent may include preparing or may include preparing or
risks. obtaining a detailed obtaining a detailed
rollforward schedule. rollforward.

Test a sample of Test a sample of


transactions in the transactions in the
rollforward period. rollforward period.

Design additional
procedures during the
rollforward period to
address higher inherent
risks.

1 to 3 months Same as above Same as above. N/A N/A


Consider testing a sample
of transactions made
during the rollforward
period.
3 to 6 months Same as above N/A N/A N/A

Last updated : March 2011 12 | P a g e


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

c. Design procedures for Other Material accounts

Our procedures for Other Material accounts are limited to substantive


analytical procedures and limited tests of details, when appropriate, that are
designed to confirm the basis of assessing the account as not significant.

F3.2 Execute Audit Tests

Execute Tests of Controls and Substantive Tests

Refer to the attached Diagram for the Execution of Tests of Controls and Substantive
Tests.

Last updated : March 2011 13 | P a g e


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

FINANCIAL AUDIT
EXECUTION

Risk Assessment

Minimal Low Moderate High

Design Tests of Controls


Audit Work
Program

Execute Tests of Controls

Control Exceptions noted?

Yes
No

Determine and Evaluate


Audit Response

Conclude on operating
effectiveness

Rely on Controls Not Rely on Controls

Reassess

Design Tests of Details: Design Tests of Details:


Less extensive tests of details Audit Work More extensive Tests of Details Audit Work
Program Program

Execute Tests of Details

Diagram for the Execution of Financial Audit

Last updated : March 2011 14 | P a g e


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

3A-S2 Execution Performance

DESIGN AUDIT TESTS PERFORMANCE

This supplement provides additional considerations in the design of audit tests for
Performance Audit.

Procedures

P3.1Design Audit Tests

P3.1.1.Define Audit Objectives

The audit objectives should articulate what the audit is to accomplish. This
means phrasing the objectives to identify the audit subject and the performance
aspect to be included. Because it is rare for one to audit all aspects of value for
money, it is important to know, in planning what aspect or aspects are going to
be included. This is critical in establishing the audit boundaries or scope, criteria
and approach.

P3.1.2.Develop Audit Criteria

Types of Performance Audit Criteria


There are two types of criteria in Performance Audit: the general criteria and the
specific criteria

General Criteria
General Criteria are broad statements of acceptable and reasonable
performance. They are often derived from common sense or general rationality.
For example, the procedures in an organization may be too cumbersome to be
effective. Even a general review of its procedures may suggest potential areas
for simplification. Thus the auditors would need to acquaint themselves with
generally accepted management practices of different areas. These practices
can be adopted as general audit criteria for an audit assignment.

Specific Criteria
Specific criteria are more closely related to the agencys legislation, objectives,
programs, controls and systems. Specific criteria are mostly derived from the
objectives laid down for a particular project or program and their related
standards and practices. For example, a malaria eradication of disease over
certain period or a mass literacy program may have laid down a target literacy
ratio over the plan period. These program objectives can be adopted as specific
criteria for the project or program.

Auditors face difficulties in this area as well. In most cases, the objectives are
not given in a specific quantified form, which is always a challenge to the
auditors.
Last updated : March 2011 15 | P a g e
Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

Specific criteria are closely related to the particular operations in specific areas.
Auditors need to know the details of those operations. For example, when
auditing an energy project, the specific audit criteria could include standards for
such activities as fuel inputs for electricity generation, range of cost per unit for
power generation, close-down time for routine maintenance of the power house,
ratio of average maintenance cost of total capital cost of the plant and expected
output of energy. Until auditors familiarize themselves with the operations, they
cannot establish a reasonable specific audit criterion. In highly specialized or
technical areas auditors may require the assistance of technical experts. In fact,
one of the auditing standards prescribes that the auditors should collectively
possess the qualification and competence to audit an organization or a project.
For technical projects, this competence can be achieved through a team of
auditors that consists of professional auditors and technical experts.

Sources of Audit Criteria

In order to avoid always creating audit criteria from the basic principles for each
audit, auditors should investigate existing sources of criteria. Audit criteria can
be derived from a number of sources. However, the judgment of the auditor
plays an important role in identifying relevant and reliable sources. The following
can often be used as sources of criteria:

Basic planning documents such as feasibility study and approved plan


Financial reports of the agency
Expenditure reports
Budget documents
Project reports
Criteria published by other audit agencies
Similar audit agencies
Standards set by International bodies
Government policies and directions
Laws, rules, regulations
Literature on the subject matter
Pronouncements by professional bodies and standard bodies
Past performance
Performance standards set by management
Interviews with professionals

Auditors should seek guidance from all such sources and then formulate realistic
audit criteria. While doing so, they must appreciate the local conditions. For
example, it would be unfair to apply quality of drinking water standards issued by
the World Health Organization in a developing country where simple availability
of potable water is a problem. When adopting generally accepted management
practices of developed countries, suitable adjustments should be made in
consultation with experienced people.

Last updated : March 2011 16 | P a g e


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

P3.1.3.Develop Audit Work Program

Audit programs are guidelines for actions during the execution phase of the
audit. Audit programs set out the detailed audit procedures for cost effective
collection of evidence.

Purpose of Audit Program


Developing a program for carrying out audits is a key link between the
development of audit objectives and the conduct of an audit leading to a
defensible report. In this respect, audit programs serve as:
A guide for gathering competent, relevant, sufficient evidence during the
execution phase of audit in a cost-effective way;
A framework for assigning work amongst the members of the audit team;
A means of transferring knowledge to junior staff; and
A basis for documenting the work done and the exercise of due care.

Developing an Audit Program


The audit objective and criteria will normally be tested by an audit program of
audit procedures/techniques that include:
Physical observation (which may include photography and video)
Interview
Questionnaire
Documents review
Data analysis

In developing an audit program, it is important that the procedures:


Relate to the audit objectives and criteria which will enable the collection
of relevant evidence on issues which will maximize the impact of the
audit;
Are clearly stated and include sufficient details to enable them to be
readily understood by those carrying out the audit;
Are organized in a logical manner so that the audit examination can be
conducted as efficiently as possible;
Form an efficient method of gathering sufficient evidence without
superfluous testing; and
Take account of any earlier related audit work/ published research on the
topic.

Performance Audit Work Programs will need to be customized for each audit.
Furthermore, factors to be considered when developing the programs include:
Size Audit programs generally increase in size and complexity (more
detailed procedures, questionnaires and checklists) with increases in the
size of the audit;
Geographic dispersion The dispersion and location of sites to be visited
will affect the audit program. Detailed procedures may be required to
ensure consistency when different personnel are carrying out the same
audit at different locations;
Last updated : March 2011 17 | P a g e
Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

Audit environment Managements receptiveness to being audited,


whether it is the first audit of the area, and the sensitivity of the area in
the organization will affect the way in which procedures are developed
and applied;
Components of the system to be audited, e.g. its inputs, processing,
activities and outputs; and
Whether broad issues only have been identified, or specific criteria are
available.

P3.2. Execute Audit Tests

Refer to the attached Diagram for the Execution of Performance Audit.

Last updated : March 2011 18 | P a g e


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

3A-S3 Sample Test of Control Working Paper

NOTE: The items in this document are just samples to illustrate the template. It does not represent any factual data nor any
result of prior audit projects.

Process: Cash Disbursement Prepared by: J. Dela Cruz 08-31-2010


Sub-process: Payment for goods Date
Accounts Affected: Cash, Accounts Payable Reviewed by: A. Santos 09-02-2010
Date

TEST OF CONTROLS WP# _CD-01_

Control
Process Risk Controls Control Testing Procedure
Ref.

Cash payments Accounting staff performs Examine whether vendor's 1


may be made for three-way match by invoices, receiving reports and
goods not delivered comparing vendor's invoice purchase orders are attached to
with receiving reports and the cash disbursement vouchers.
Cash payments purchase orders.
may be made for
goods not ordered

Duplicate Accounting staff stamps Examine whether processed cash 2


processing of cash "Paid" on processed cash disbursement vouchers and
disbursements may disbursement vouchers supporting documents are duly
be made including supporting stamped "Paid."
documents.

Cash payments Accounting Head reviews Examine whether cash 3


may not be cash disbursement vouchers disbursement vouchers are
recorded in the and supporting documents reviewed and signed by the
proper amount prepared by accounting staff Accounting Head.
before posting to the ledger.

Duplicate posting of Accounting staff stamps Examine whether posted cash 4


cash disbursement "Posted" on posted cash disbursement vouchers are duly
may be made on disbursement vouchers. stamped "Posted."
the ledger

Last updated : March 2011 19 | P a g e


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

Cash Control Ref.


Item # Disbursement Date Payee Remarks
Voucher 1 2 3 4

1 CD - 00545 5/22/2010 ABC Company 3 3 3 5 No signature of


Accounting Head
on the CD Voucher

2 CD - 01345 7/12/2010 XYZ Corp. 3 3 3 3

3 CD - 00112 2/26/2010 XXX Mfg., Inc. 3 3 3 3

4 CD - 00050 1/31/2010 AAA Medical 3 3 3 3


Laboratories

5 CD - 00358 3/25/2010 ABC Company 3 3 3 3

Last updated : March 2011 20 | P a g e


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A Execution

3A-S4 Sample Substantive Test Audit Program

Agency: Prepared:

Date

Audit Reviewed:
Period:

Date

Significant Cash
Account:

Audit Objectives Audit Assertions


E/O C R&O V P&D Comp
3
3
3
3
3
3

Audit Procedures to Consider

Assertions W/P Assigned Prepared Reviewed


Audit Procedures Mandays
Addressed Ref. to by by

1.

2.

3.

4.

5.

6.

7.

8.

Last updated : March 2011 21 | P a g e


Version : 03-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A - Execution
Form 03A-01: Audit Test Summary

AUDIT TEST SUMMARY

Objective

The Audit Test Summary is used to document our approach in executing financial and
compliance audit tests for each significant account. We also document the results of our audit
tests performed and conclusions reached based on such results.

Accomplishing this tool:

Significant Account Indicate the account title of the significant account. Significant accounts
are taken from the significant accounts identified in Part A of the Audit Assessment and
Planning Memorandum.

Account Balance Indicate the balance of the account.

Audit Risk Assessment Check the audit risk assessment based on Part A of Audit
Assessment and Planning Memorandum. The Risk Assessment will determine our audit
strategy in the execution phase.

Part I: Test of Controls (TOC)

Note: TOC is performed only for accounts assessed as Minimal or Low (wherein we rated
control risk as Low we are intending to rely on controls). If our audit risk assessment is either
Moderate or High, we will only accomplish Part II of this template.

Process Indicate the process/es where TOC for the significant account will be done

Controls to be Tested List down specific controls to be tested.

Person/s Assigned Indicate the person/s who will execute the TOC for the significant
account.

Due Date Indicate the estimated date when the TOC is expected to be completed.

TOC Working Paper Reference Indicate the working paper reference where the execution of
the TOC is documented.

Summary of Test Results


Findings Indicate the findings or exceptions noted during the conduct of TOC.

Last updated : March 2011 1|Pa ge


Version : 03-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A - Execution
Form 03A-01: Audit Test Summary

Recommendation Indicate recommendations to correct the findings or other comments


for the improvement of the Agencys controls on the process.
TOC W/P Ref. Indicate the working paper reference where the findings/exceptions were
noted.
AOM Ref. Indicate the AOM reference number (if any).

Conclusion Indicate our conclusion statement on the operating effectiveness of the controls
tested.

Final Assessment of Control Risk Based on the results of the TOC conducted, make a final
assessment of Control Risk:
Low Controls are operating effectively
High Controls are not operating effectively

In case our final control risk assessment is High, we need to reassess the overall audit risk,
reassessed audit risk will fall as Moderate or High depending on the inherent risk
assessment, as illustrated in the diagram below:
Inherent Risk Assessment

High Low High

Low Minimal Moderate

Low High
Control Risk Assessment

Part II Substantive Tests

Extent of Testing Check the appropriate box for the extent of testing (i.e., Extensive for
Moderate or High; Less Extensive for Minimal or Low)

ST Work Program Reference Indicate the working paper reference where the execution of
the ST is documented.

Summary of Test Results


Findings Indicate the findings or exceptions noted during the conduct of ST.

Last updated : March 2011 2|Pa ge


Version : 03-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A - Execution
Form 03A-01: Audit Test Summary

Recommendation Indicate recommendations to correct the findings.


ST W/P Ref. Indicate the working paper reference where the findings/exceptions were
noted.
AOM Ref. Indicate the AOM reference number (if any).

Conclusion Indicate our conclusion statement whether the account is fairly presented in the
Agencys financial statements (considering unbooked adjusting journal entries, if any).

Last updated : March 2011 3|Pa ge


Version : 03-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A - Execution
Form 03A-01: Audit Test Summary

AUDIT TEST SUMMARY


Agency: Prepared by: Date:
Reviewed by: Date:
Audit Period: Approved by: Date:

Significant Account: Audit Risk Minimal Moderate

Account Balance: Assessment Low High

Part I: TEST OF CONTROLS


Note: TOC is not performed if audit risk assessment is High or Moderate since our preliminary
assessment of Control Risk is High - Not Rely on Controls

Process: _______________________
Controls to be Tested:


Person/s Assigned: ____________________________


Due Date: ___________________________________
TOC Working Paper Reference: __________________

Summary of Test Results

TOC W/P
Findings Recommendation AOM Ref.
Ref.

Conclusion Final Assessment of Control Risk

Low - Rely on Controls


(Controls are operating effectively)

High - Not Rely


(Controls are not operating effectively)

Re-assess audit risk


Moderate

High

Last updated : March 2011 4|Pa ge


Version : 03-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3A - Execution
Form 03A-01: Audit Test Summary

Part II: SUBSTANTIVE TEST


Extent of Testing ST Work Program Reference
Extensive (For Moderate or High)

Less Extensive (For Minimal or Low)

Summary of Test Results

Findings Recommendation ST W/P Ref. AOM Ref.

Conclusion

Last updated : March 2011 5|Pa ge


Version : 03-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

DELIVERY:
CONCLUSION AND REPORTING

Integrated Results and Risk-Based Audit Framework

Strategic Planning and Risk Identification

Planning Delivery

Agency Audit
Conclusion
Planning and Risk Execution
and Reporting
Assessment

Monitoring
(Quality Control System)

Introduction

Delivery phase is divided into two parts: (1) Execution and (2) Conclusion and Reporting.
Conclusion and Reporting is the last step of the audit wherein the results of the audits
conducted are communicated to the agency and oversight bodies. This section provides
guidelines in preparing audit conclusions and audit reports.

In this section, other types of audits [e.g., Fraud Audit and Government-wide and Sectoral
Performance Audit (GWSPA)] conducted are considered in the preparation of reports on
financial, compliance, and performance audits.

This part covers: summarizing audit results; preparing audit report; performing final overall
audit review; wrapping-up and archiving the engagement; and following-up agency action
plans.

1|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

The following are the activities involved in this phase:

3B.1. Summarize Audit Results


3B.1.1 Prepare summary of audit results and recommendations
3B.1.2 Discuss results of other types of audit conducted

3B.2. Prepare Audit Report


3B.3. Perform Overall Audit Review
3B.3.1 Perform overall review and approval
3B.3.2 Issue report
3B.4. Wrap-up and Archive the Engagement
3B.5. Follow-up Agency Action Plan

Procedures

3B.1. Summarize Audit Results

Accumulated results of financial, compliance, and performance audits are


summarized at the end of the audit.

Significant findings, issues and observations, including misstatements, are


summarized and discussed with the agency. Conclusion for each misstatement,
finding, issue, and observation is documented. This serves as basis in formulating
an audit opinion in the audit report.

Results of Fraud audit and GWSPA conducted by other audit teams are also
considered in this section.

3B.1.1 Prepare summary of audit results and recommendations


The identification and accumulation of misstatements are performed in the
Execution phase of the audit. It is one of the most important audit responsibilities
and is critical in enabling the auditors in formulating audit opinion.

After the audit exit conference with the agency, the auditor shall prepare the audit
summary and conclusion. It is documented in the Summary of Audit Results and
Recommendations (SARR) containing the following:

A. Matrix of Audit Findings and Recommendations


B. Results/status of other audits (e.g., fraud audit and GWSPA)
C. Summary of unrecorded adjusting/reclassifying journal entries

2|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

D. Conclusion The overall conclusion of the audit, after considering the effects
of identified misstatements, other findings, issues, and observations.

Documentation
Form 03B-01: SARR. This template provides the audit team with a summary of the
audit results and conclusion, and a description of the important matters and
significant findings and issues arising during the execution of the audit.

3B.1.2 Discuss results of different types of audit conducted


The agency may have been subjected not only to comprehensive audit but also to
other types of audit like fraud audit and GWSPA. In this case, the audit team,
together with the Cluster Director (CD), shall discuss with the counterpart audit
team the results or status of the audit, if ongoing, for disclosure or inclusion in the
AAR.

The findings, observations, and issues that may have significant impact on the
financial statements shall be considered before finalizing the conclusion of the
audit. This shall be documented in SARR and disclosed as Other Matters of the
Audit Certificate in the AAR.

Minutes of discussions with the counterpart audit team [e.g., Fraud Audit and
Investigation Office (FAIO) and/or Special Audits Office (SAO)] shall form part of
the working papers.

Forensic/Fraud Audit
It is the responsibility of FAIO to initiate, monitor, assess performance, and
continuously improve the conduct of fraud audits. Also, it is their responsibility to
prepare fraud audit reports.

The guidelines in the performance and reporting of fraud audit conducted by FAIO
are documented in the Fraud Audit Manual.

GWSPA
SAO conducts the GWSPA. SAO, when necessary, coordinates with the audit
sectors for more concerted efforts in the conduct of performance audits in the
agencies implementing government programs and/or projects.

The guidelines in the performance and reporting of GWSPA are documented in the
GWSPA Manual.

3|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

3B.2. Prepare Audit Report

At the end of the audit, a written auditors report to the agency, containing opinion
on the agencys financial statements, is prepared.

In addition, regardless of the agencys governance structure or size, the auditor:


Communicates with management the observations arising from the audit, to
clarify facts and issues and to give management the opportunity to provide
further information.
Communicates with those charged with governance the observations arising
from the audit that are significant and relevant to their responsibility to oversee
the financial reporting process.

This is achieved by communicating to those charged with governance and


management the significant and relevant observations identified within the audit,
through the issuance of Audit Observation Memorandum (AOM).

The timing of communications is dependent on the communication protocols


agreed with management and those charged with governance at the start of the
audit. These protocols are used to communicate significant and relevant
observations in a timely manner.

As the audit progresses, the status of the significant and relevant observations
communicated may change and new significant and relevant observations may
arise as audit procedures are performed and facts and circumstance change.
Updated or additional communications to management and those charged with
governance of new information are provided on a timely basis.

Financial and Compliance Audits


COA Memorandum No. 2002-047 dated August 13, 2002, provides the guidelines
on the preparation, submission and transmittal of the AAR.

Performance Audit
Performance audit may take more than a year and the report may not be released
at the same time as financial and compliance audits. However, the concerned
auditor shall mention in his AAR the fact that a performance audit has been
undertaken during the year and include in the AAR the gist of significant findings,
observations and recommendations of the audit under the Observations and
Recommendations section.

Fraud Audit
Fraud audit conducted by the Audit sectors shall be mentioned in the AAR. The
summary of the results or the status of the audit, if the audit is still ongoing, and its

4|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

impact or possible impact to the financial statements shall be disclosed as Other


Matters in the Audit Certificate of the AAR.

The guidelines in the performance and reporting of fraud audit conducted by the
Audit sectors are documented in the Fraud Audit Manual

Annual Audit Report


In reporting the results of comprehensive audit, the auditors shall prepare the
following audit reports:

a) Annual Audit Report (AAR) for the year-end financial audit of agencies with
complete books of accounts and listed in the General Appropriations Act and;

b) Management Letter (ML) for the year-end financial audit of the regional offices
and operating units with and without complete books of accounts. The ML
shall also be issued at the conclusion of an interim audit, if warranted.

Contents of the AAR

The AAR shall contain the following:


a) Executive Summary
b) Audit Certificate
c) Financial Statements
o Balance Sheet
o Statement of Income and Expenses
o Statement of Cash Flows
o Notes to the Financial Statements
d) Observations and Recommendations
e) Status of Implementation of Prior Years Audit Recommendations

Executive Summary
The Executive Summary presents in brief the contents of the AAR. It includes the
financial highlights of the agency, a statement on the scope of audit and the
auditors opinion on the financial statements and the synopsis of the significant
observations, recommendations and the implementation of prior years
recommendations.

Audit Certificate
The Audit Certificate contains the overall conclusion of the auditor on the financial
statements. Its basic elements are:

a) Addressee The Audit Certificate shall be addressed to the board of directors


or to the head of office, department, agency or local government unit.

5|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

b) Introductory Paragraph This shall include statements on:


o The name of the agency and its financial statements that have been
audited, including the date of and period covered by the financial
statements
The financial statements and the notes thereon are the responsibility and
representation of the agencys management and that the auditors
responsibility is to express an opinion on the financial statements based on the
audit.
c) Scope Paragraph This paragraph contains statements on the basis and
scope of the audit conducted, as follows:
o That the audit was conducted in accordance with the generally
accepted auditing standards and the laws, rules and regulations, as
applicable.
o That the audit was planned and performed to obtain reasonable
assurance about whether the financial statements are free of material
misstatements.
o That the audit performed includes: (1) examining, on a test basis,
evidence to support the financial statements amounts and
disclosures; (2) assessing the accounting principles used and the
significant estimates made by management on the preparation of the
financial statements; and (3) evaluating the overall financial
statements presentation.
o That the auditor believes his audit provides a reasonable basis for the
opinion.
d) Opinion Paragraph This paragraph contains the auditors opinion on the fair
presentation of the financial statements and their compliance with other
requirements of relevant laws or statutes. The types of opinion that the auditor
may express are discussed under sub-caption Types of Audit Opinion.
e) Other Matters this paragraph contains other relevant matters that have or
may have impact on the auditors opinion. It may include the results of other
types of audit (e.g., fraud audit and GWSPA) conducted that have or may
have significant impact on the financial statements or on the conclusions of the
audit.
f) Date of Report The date of the Audit Certificate shall be as of completion
date of the audit fieldwork. The date is generally considered as the end of the
auditors responsibility for subsequent events that may affect the financial
statements and which may require adjustments or disclosures. Also, it should
not be earlier than the date on which the financial statements are signed or
approved by management.
g) Auditors Signature The report shall be signed pursuant to COA
Memorandum No. 2010-015.

Financial Statements

6|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

The financial statements to be submitted to the auditor should have a covering


Statement of Management Responsibility for Financial Statements to be signed
by the official who has direct supervision and control over the agencys accounting
and financial transactions and the Head of Agency or his authorized
representative. It shall include the following statements:

o Balance Sheet This shows the financial position/condition of the


agency as of a certain date. It provides information on the agencys
resources, obligations and the government equity in the agency.
o Income and Expenses This shows the results of operation of the
agency at the end of a particular period. It explains the changes in
the agencys equity resulting from operations and economic activities
during the period.
o Cash Flows This summarizes all the cash activities of the agency
classified into operating, investing and financing activities. It informs
about the inflows and outflows of cash in the agency during the year.
o Notes to financial statements This is an integral part of the financial
statements to provide additional information or disclosure necessary
for their fair presentation in conformity with the generally accepted
accounting principles.

The audited financial statements shall be attached to the audit certificate in the
AAR.

Observations and Recommendations


This portion discusses the observations noted by the auditor and his
recommendations. The agencys explanation or reply to the observations shall
also be presented as well as the auditors rejoinder, as necessary or appropriate.

The gist of the significant findings, observations, and recommendations in the


performance audit conducted shall also be included in this section.

Status of Implementation of Prior Years Audit Recommendations


This portion summarizes the actions taken by management to implement the
previous years audit recommendations and the results of the auditors validation of
the same.

Specific Guidelines
COA Memorandum No. 2010-015 provides permanent and uniform guidelines in
the preparation and submission of the audit reports for CY 2009 and onwards for
National Government Sector (NGS) and Local Government Sector (LGS), as
follows:

7|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

1. The Regional Directors (RDs) shall ensure that: (a) all the elements of an audit
observation are present to facilitate consolidation and prevent guesswork on the
part of the consolidator; (b) the status of implementation of prior years
recommendations is updated and validated; and (c) the financial statements and
the notes submitted for regional consolidation are in order;

2. The signatories to the audit reports shall be as follows:

Local Government Units Type of Report/ Signatory/


(LGUs)/ National Government Document Transmittal of
Agencies (NGAs) Report
Provinces and Cities AAR SA/RD
Municipalities and Barangays AAR ATL/SA
Municipalities and Cities in Metro AAR SA/CD
Manila
Barangays in Metro Manila AAR ATL/SA
NGAs with complete set of books AAR /CAAR SA/CD or RD
(including specialized agencies, Audit Certificate SA/CD
Foreign-Assisted Projects, and
Official Development Assistance)
and with consolidation
NGAs with incomplete set of MLs SA
books
NGAs with incomplete set of Regional MLs RD
books and with regional
consolidation
NGAs with field offices with no Simplified ML ATL
accounting books and accounts Concerned ATL to
are centrally recorded in the Head Matrix of submit to the HO/
Office (HO)/ Regional Office (RO) Observations and RO ATL
Recommendations
with Managements
Comments and
Auditor's Rejoinder

3. The RDs shall state categorically in the transmittal of the audit report to the CDs
whether a particular account/specific sub-account covered by the latters audit
guide was audited or not, with or without significant findings;

4. The RDs shall ensure the timely submission of the transmitted MLs to the CDs;

5. The SAs and ATLs in the central and regional offices, respectively, may
communicate directly with each other on matters pertaining to consolidation of
reports.

8|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

For Corporate Government Sector, COA Memorandum No. 2010-020 states that
pending approval of the guidelines on the preparation, consolidation, and
transmittal of AARs and Annual Operations Audit Reports for the audit sectors, the
signing and transmittal of the AARs, Consolidated AARs, and MLs for CY 2009
shall be in conformity with that of the NGS, pursuant to COA Memorandum No.
2010-015 dated May 18, 2010.

Types of Audit Opinion


The audit opinion is the heart of the financial audit report. It features the Auditors
overall conclusion as to the reliability of the audited financial statements. Without
the opinion, the report would be meaningless and the users of the statements
would have no way of knowing the extent of reliance they should place on these
statements.

Depending on the circumstances of each audit, the Auditor shall express any of the
following opinions on the financial statements:

1) Unqualified Opinion
2) Qualified Opinion
3) Adverse Opinion
4) Disclaimer / Denial of Opinion

These are explained as follows:


1) Unqualified Opinion
An unqualified opinion states that the financial statements present fairly, in all
material respects, the financial position, results of operations, and (when
applicable) cash flows of the agency in accordance with applicable laws, rules
and regulations and in conformity with generally accepted state accounting
principles.

However, certain circumstances while not affecting the auditors unqualified


opinion on the financial statements may require that the auditor add an
explanatory paragraph to his report. These circumstances include:

o Opinion based in part on report of another auditor;


o Existence of unusual uncertainties;
o Emphasis of a matter included in the financial statements; and
o Inconsistency in the application of accounting principles/methods of
their application.

2) Qualified Opinion
A qualified opinion is rendered when the auditor has objection to certain
matters which are material in relation to the financial statements being
reported on, but not sufficiently material to warrant an adverse or denial of

9|Pa ge
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

opinion depending on the nature and materiality of the qualification(s). This


type of opinion is expressed through the use of the phrase except for or with
the exception on in the opinion paragraph.

o Lack of sufficient competent evidential matter


o Scope limitations
o Departure from generally accepted auditing principles (GAAP)
o Inadequate disclosure

3) Adverse Opinion
An adverse opinion is rendered when the effect of certain matters, to which the
auditor does not concur, is highly material to make the financial statements
misleading. In this type of opinion, the auditor uses the phrase do not present
fairly.

4) Disclaimer/Denial of Opinion
The auditor disclaims/denies an opinion when an audit scope limitation or a
pervasive probability of a material loss has a highly material effect on the
financial statements. Under these circumstances, the auditor states that he is
unable to express, and he does not express, an opinion on the financial
statements.

The issuance of split or piecemeal opinion has long been discontinued and is
no longer acceptable for purposes of COA audit reports.

Hereunder is a summary of the conditions which would warrant the expression


of each type of opinion:

Effect on the
Financial
Type of Audit Opinion Conditions Statements

1. Unqualified

- Without explanatory - None - None


paragraph

- With explanatory - Inconsistent application of


paragraph accounting principles to
which the auditor:
a. Concurs with the - None
change
b. Objects to the change - None
because the newly-
adopted principle does
not meet conditions for
change

10 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

Effect on the
Financial
Type of Audit Opinion Conditions Statements

- Uncertainties with - None


probable change or
reasonable possibility of
material loss

2. Qualified - Audit scope limitation - Moderately material


wherein the Auditor was
unable to employ
alternative audit
procedures

- Departure from GAAP - Moderately material

- Non-compliance with laws - Moderately material


and regulations

- Inconsistent application of - Moderately material


accounting principles to
which the auditor objects
to the change because the
newly-adopted principle
does not meet conditions
for change

3. Adverse - Departure from GAAP - Highly material

- Non-compliance with laws - Highly material


and regulations

- Inconsistent application of - Highly material


accounting principles to
which the auditor objects
to the change because the
newly-adopted principle
does not meet conditions
for change

4. Disclaimer - Audit scope limitation - Highly material


wherein the auditor was
unable to employ
alternative audit
procedures

- Uncertainties with - Highly material


pervasive probability of
material loss

The effect of an item on the financial statements is based on its materiality.

11 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

For samples of the different audit opinion, please refer to Philippine Audit
Standard 2009 edition.

3B.3. Perform Overall Audit Review

Pursuant to COA Memorandum No. 2009-028 the CD supervises the audit groups
under the cluster in the conduct of audits and the preparation of audit reports
considering the audit thrusts and significant findings, in coordination with the
Regional Directors (RD) for issues affecting regional and/or field office. The
Supervising Auditors (SA), prior to the issuance of audit reports shall conduct a
review on the outputs prepared by the Audit Team Leaders (ATL).

3B.3.1 Perform overall review and approval


At this point, the Supervising Auditor shall complete an overall review and approval
of the engagement to document and confirm that:
Engagement has been completed in accordance with IRRBAM
Sufficient appropriate audit evidence has been obtained
Audit documentation provides a basis for audit opinion

The overall review and approval of the audit engagement will be documented in
Form 3B-02: Quality Inspection Tool (QIT).

The QIT, at a minimum, confirms the opinions of the audit teams involved in the
engagement including other related offices (e.g., FAIO, SAO) that:
The audit team members with supervisory responsibilities have fulfilled their
duties
The review of the audit work for the engagement has been completed in
accordance with COA policies for reviews as well as with other relevant
auditing standards.
The planned audit work has been completed and that important matters and
significant accounting and auditing issues have been addressed.
Sufficient appropriate audit evidence has been obtained to support the audit
opinion
The auditors report is appropriate
The audit work has been performed in accordance with the IRRBAM, COA
policies and standards, as well as other professional standards, laws, rules
and regulations

The appropriate members of the audit team shall sign and date the QIT at the
conclusion of the audit.

3B.3.2 Issue report

12 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

After the reports have been prepared and reviewed by the appropriate officers, the
reports will be issued to the appropriate report recipients.

Annual Audit Report (AAR)

Signing of Annual Audit Report

Pursuant to COA Memorandum No. 2009-028, the SAs shall sign the audit reports
prepared by the ATLs, while the CDs transmit said reports to the agency.

Number of copies and distribution of reports

There shall be as many copies of the AAR as necessary to be reproduced. In


addition to copies for the agency, the AAR shall be furnished to the oversight
bodies.

The AAR shall be submitted to the COA Chairman on or before the last working
day of February every year. The COA Chairman shall transmit the AAR to the
following heads of oversight bodies:
o President
o Vice- President
o President of the Senate
o Chairman- Senate Finance Committee
o Speaker of the House of Representatives
o Chairman-Appropriations Committee, and the
o Secretary of the Budget and Management

The final report shall be transmitted to the Head of the Agency for National
Government Agencies, to the Chief Executive Officer for Local Government Units,
or to the Board of Directors for Government-Owned or Controlled Corporations
under signature of the COA Chairman or his duly authorized representative. As
may be found necessary, other government officials, such as the Speaker of the
House of Representatives, the Senate President, and the President of the Republic
of the Philippines, shall also be furnished copies thereof.

The transmittal letter is a simple communication transmitting the report and


acknowledging the assistance and support extended by the officials and staff of
the agency. It shall also include a request to implement the recommendations
contained in the report and to be informed of the actions taken thereon within 30
working days from receipt thereof.

In order to facilitate communication of the agencys action to be taken on the AAR,


COA auditors shall provide the agency Form 03B-03: Agency Action Plan upon

13 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

issuing the AAR. The Agency Action Plan should be returned by the agency within
30 working days from receipt of the AAR.

3B.4. Wrap-up and archive the engagement

Working papers document the procedures performed and the evidence obtained
and evaluated to support a conclusion rendered by the auditors. As required by the
professional standards, audit documentation shall be sufficient for an experienced
auditor with no previous association with the audit to be able to understand the
nature, timing and extent, and results of procedures performed, evidence obtained
and conclusions reached.

Auditors shall use professional judgment in determining the nature and extent of
the audit documentation. However, it shall be ensured that it is consistent with
COA policies, professional standards and other legal and regulatory requirements.

Working papers/documentation is an integral part of the auditors responsibilities.


Thus, there is a need for a systematic archiving of electronic and hard copy
working papers/documentation.

Archiving of workpapers (electronic and/or hardcopy) should be done in a timely


manner after the date of our auditors report when the procedures and
documentation are complete.

At the completion of the audit, the Audit Team Leader is responsible for authorizing
the final archive process for determining that workpapers are archived in
accordance with COA policies, professional standards, and legal and regulatory
requirements.

Auditors shall retain records which are relevant to the audit that:
Are created, sent or received in connection with the audit
Contain conclusions, opinion, analyses or financial data related to the audit

The following items are examples of those documents that are not necessarily
retained as they do not support the conclusions reached in the audit:
Superseded drafts of memoranda, financial statements or regulatory filings
Notes on superseded drafts of memoranda, financial statements of
regulatory filings that reflect incomplete or preliminary thinking
Previous copies of workpapers that have been corrected for typographical
errors or errors due to training of new employees
Duplicates of documents
Superseded agency-prepared schedules and analyses

14 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

E-mails that do not contain conclusions, opinions, analyses or financial data


related to the audit
Voice-mail or instant messages
Electronic data files (including files in the teams discussion database) other
than those described below

In any case, auditors shall use their professional judgment in determining which
documents shall form part of the teams working papers/documentation.

Timing of the archive process


The documentation completion date is no later than 60 days after the date of our
auditors report.

Carryforward documentation guidelines


When workpapers are carried forward to the current period, the original current
workpapers are carried forward while prior periods workpapers are maintained
unchanged. This practice should be followed to make sure that each periods
workpapers provide support for the conclusions reached and the procedures
performed and are separate and distinct from any other periods workpapers.

Confidentiality
The audit team is responsible for adopting appropriate procedures for maintaining
the confidentiality and safe custody of the workpapers to comply with the COAs
and professional standards archiving requirements.

Lost or destroyed workpapers


If the workpapers (either electronic or hard copy) needed to support our audit
opinion have been corrupted, lost, stolen or destroyed subsequent to the
documentation completion date, the audit team shall report the loss to the team
leader/supervisor.

The following factors shall be considered in determining if there is a need to


create/replace the lost workpapers:
Significance of the lost or destroyed workpapers in the audit project
Length of time that has passed since the AAR was issued
Ability to easily obtain copies of the documents from the agency

3B.5. Follow-up Agency Action Plan

Part of the Commissions mandate is to recommend measures to improve the


efficiency and effectiveness of government operations (Sec. 4, Art. IX-D of the

15 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

1987 Philippine Constitution). This full completion of this mandate can only be
satisfied once agencies have implemented or acted on the recommendations
made by the auditors through action plans.

Audit follow-up/monitoring of recommendations is an integral part of good


management and a responsibility shared by the auditor and the agency. Corrective
actions taken to implement audit recommendations enable the agency to improve
the effectiveness and efficiency of their operations. An effective monitoring system
not only ensures the prompt and proper resolution of audit observations and
recommendations and the implementation of corrective action, but also ensures
that a complete record of actions taken on observations and recommendations is
maintained.

Benefits of Monitoring
Assures the auditor that the benefit of audit work is realized
Validates that the recommendations as implemented are truly advantageous to
the auditee.
Assists the auditor in re-evaluating his analytical techniques and evidence that
aid in the formulation of the recommendation.

This activity will be conducted all throughout the year for the audit projects handled
by the following Sectors/Offices:
Audit Sectors:
- National Government Sector (NGS)
- Corporate Government Sector (CGS)
- Local Government Sector (LGS)
Regional Offices
Special Offices:
- Fraud and Investigation Office (FAIO)
- Special Audit Office (SAO)
- Technical Services Office (TSO)

Monitor Progress
Part of the auditors role is to determine that the audited agencies take corrective
actions (as documented in the Form 04-04: Agency Action Plan) on the
recommendations provided, as a result of the audit observations, in a timely
manner.

The auditor shall accomplish the Form 04-05 Action Plan Monitoring Tool to
monitor the status of the agencys action plan.

16 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

The Commission, as the countrys Supreme Audit Institution, handles


voluminous transactions and documents. Therefore, maintaining a database
may support in monitoring all issues and the subsequent action taken by the
auditors and agencies during the audit. Also, a database adds value by storing
history of issues of a certain auditable agency. The historical issues and
recommendations maintained in the database may guide COA during the
assessment of the key risks of an agency or a sector as a whole. The database
may also serve as a reference in conducting an in-depth analysis on the
relationships of issues among different agencies (e.g., conduct of the
government-wide and sectoral performance audit).

Conduct Follow-up procedures


Being an integral part of the audit process, follow-up should be scheduled along
with other steps necessary to perform the review. However, specific follow-up
activity depends on the results of the audit and can be carried out at the time the
report draft is reviewed with concerned agency personnel or after the issuance of
the report.

Perform the following:

Classify Audit Issues According to Follow-up Procedures to be done

The risk assessment done in the second phase, Agency Audit Planning and Risk
Assessment plays an important role in the follow-up procedures to be performed.
Normally, follow-up procedures are based on the impact of the risk. Follow-up
activities may be broken down into three areas:

- Casual
This is the most basic form of follow-up and may be satisfied by review of the
process owners/clients procedures or an informal telephone conversation.
Memo correspondence may also be used. This is usually applicable to the
less critical findings.

- Limited
Limited follow-up typically involves more process owner/client interaction.
This may include actually verifying procedures or transactions and in most
cases, is not accomplished through memos or telephone conversations with
the process owner/client.

- Detailed

17 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

Detailed follow-up is usually more time-consuming and can include


substantial process owner/client involvement. Verifying procedures and audit
trails as well as substantiating account balances and computerized records
are examples. The more critical review findings usually require detailed
follow-up.

Follow-up scheduling can begin when corrective action is confirmed by acceptance


of an audit recommendation or when management elects to accept the risk of not
implementing the recommendation. Based on the risk and exposure involved, as
well as the degree of difficulty in achieving the recommended action, follow-up
activity should be scheduled to monitor the situation or confirm completion of the
changes that were planned. These same factors establish whether a simple
telephone call would suffice or whether further review procedures would be
required. Enumerated below are general procedures in conducting a detailed
follow-up:
- Analyze the response of the unit involved and verify if it is aligned with the
strategy previously agreed upon.
- Assess action taken against recommendation
- Seek evidence to verify implementation of the action and seek clarification if
necessary.
- In case the response of the process owner/client is different from the
recommendation, assess if the response is effectively mitigating the risk and
is more efficient than the recommendation.
- In case the response of the management is different from the
recommendation and is assessed to be ineffective or inefficient, reiterate
recommendations and evaluate management response to COA reiteration.
- In case management decided not to act on issues raised or elected to accept
the risks, prepare a Management Acceptance of Risk.
- Prepare to communicate results of the follow up procedures.
Policy and Standard

Policy/Standard Description
ISSAI 400 Reporting standards in government auditing
ISSAI 1220 Quality Control for Audits of Historical Financial
Information
ISSAI 1230 Audit Documentation

ISSAI 1700 Forming an Opinion and Reporting on Financial


Statements
COA Memorandum No. 2002-047 Guidelines on the preparation, submission and
transmittal of the Annual Audit Report
COA Resolution No. 2006-002 Conduct of comprehensive audits by the offices of this

18 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting

Commission
COA Resolution No. 2008-012 2008 COA organization restructuring
COA Memorandum No. 2009-028 Implementing guidelines on audit operations under the
2008 COA organizational restructuring
COA Memorandum No. 2010-015 Uniform guidelines for the signing and transmittal of
the Annual Audit Reports (AARs), Consolidated
Annual Audit Reports (CAARs), and Management
Letters (MLs) of the National Government Sector and
Local Government Sector, for CY 2009 and onwards.
COA Memorandum No. 2010-020 Signing and transmittal of the Annual Audit Reports
(AARs), Consolidated Annual Audit Reports (CAARs),
and Management Letters (MLs) of the Corporate
Government Sector for 2009

Documentation

Procedure Sub-procedure Output/Tools


Form 03B-01 Summary of
3B.1 Summarize Audit Prepare summary of audit results
Audit Results and
Results and recommendations Recommendations
Discuss results of other types of
audit conducted
3B.2 Prepare Annual Prepare Annual Audit Report
Audit Report Draft Annual Audit Report

3B.3 Perform Overall Perform overall review and Form 03B-02 Quality
Audit Review Inspection Tool
approval

Transmittal Letter
Form 03B-03: Agency
Issue Report Action Plan

3B.4 Wrap-up and Archive working


archive the
papers/documentation of audit
engagement
3B.5 Follow-up Agency Form 03B-03: Agency
Action Plan Action Plan

Form 03B-04: Action Plan


Monitoring Tool

19 | P a g e
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-01: Summary of Audit Results and Recommendations

SUMMARY OF AUDIT RESULTS AND RECOMMENDATIONS

Objective

This form is used to summarize and evaluate the results of comprehensive audit and other
types of audits conducted. It has three parts as follows:

Part I - Introduction
Part II - Summary of Audit Results and Recommendations
Part III - Evaluation Factors

After the exit conference with the agency, the audit team shall accumulate the
findings/observations and recommendations, as documented in Audit Observation
Memorandum (AOM), together with management comments using the Summary of Audit
Results and Recommendations provided in Part II of this Form.

The completed template should be initialed by the ATL and SA, and approved by the CD prior to
audit report sign-off. This completed template altogether with other relevant documentation
should be filed in the working papers.

Accomplishing this Tool

The audit team should perform the following steps in relation to audit findings and observations
and their disposition:

A. Matrix of Audit Findings and Recommendations


Summarize the findings and recommendations as documented in AOMs. This includes
the findings and recommendation from financial, compliance, and performance audits
conducted.
Document managements comments on each findings and recommendations. This
includes the disposition of proposed adjusting journal entries, disclosures, and
comments on performance audit findings.
Document the audit teams response to managements comments on the findings and
recommendations.

B. Summary of Unbooked Adjusting/ Reclassifying Journal Entries


Summarize the unrecorded proposed adjusting/reclassifying journal entries and
determine its effect on the Asset, Liabilities, Current Period Income or Prior Year
Income, as applicable

C. Results/Status of Other Audits (e.g., Fraud and GWSPA)


Summarize the findings/issues of other audits conducted.
Document the reference of the findings/issues.
State the status of audit(s). The audit(s) may be ongoing or completed.
Document the possible effect/impact of the audit in the agencys financial statements.
Document other information deemed relevant by the audit team in the remarks column.

Please refer to Phase 3 - Delivery: Conclusion and Reporting of the IRRBAM for further details.

Last updated : March 2011 1|Page


Version : 04-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-01: Summary of Audit Results and Recommendations

SUMMARY OF AUDIT RESULTS AND RECOMMENDATIONS

Agency ____________________________ Prepared by : _________________ Date : ________________

____________________________ Reviewed by : _________________ Date : ________________

Audit Period ____________________________ Approved by : _________________ Date : ________________

A. Matrix of Audit Findings and Recommendations

A.1. Financial and Compliance Audit

No. AOM No./Date Observation Recommendation Management Comment Rejoinder

A.2. Performance Audit

No. AOM No./Date Observation Recommendation Management Comment Rejoinder

Last updated : March 2011 2|Page


Version : 04-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-01: Summary of Audit Results and Recommendations

B. Summary of Unrecorded Adjusting/ Reclassifying Journal Entries

Amount Financial Statement Effects of Unbooked Entries


AOM
Accounts and Description Assets Liabilities Current Prior Period
Ref. Debit Credit Current Non-Current Current Non-Current Income Income

Total

C. Results/Status of Other Audits (e.g., Fraud and GWSPA)

No. Significant findings/issues Reference Status of Audit Conclusion Remarks

Last updated : March 2011 3|Page


Version : 04-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-01: Summary of Audit Results and Recommendations

D. Conclusion

In our opinion:

Yes No

1. Considering quantitative factors as well as non-quantitative factors


(refer to Evaluation Factors of this Template), the effects of
unrecorded proposed entries, either individually or in the
aggregate, is not material to the financial statements taken as a
whole and therefore does not require modification of our auditors
report.

2. The proposed entries, whether or not recorded, are not the result
of a significant weakness in internal control over financial reporting.
3. The proposed entries, whether or not recorded, are not indications
of possible fraud or illegal acts.
4. For any No responses above, indicate the steps taken or to be
taken:

Opinion modified
Audit scopes reassessed
Others: _____________________________________

Comments:

Last updated : March 2011 4|Page


Version : 04-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-01: Summary of Audit Results and Recommendations

EVALUATION FACTORS

A. Materiality Factors

The following factors may be relevant to the evaluation of the materiality of passed entries,
recognizing that some may be more important than others.

1. Quantitative factors:
a. Earnings/Surplus
b. Other financial statement captions
c. Segment information
2. Meeting earnings/budget goals
3. Compliance with contracts and regulations
4. Impact on other periods
5. Trends
6. Possible undetected errors
7. Certainty of amount
8. Interpretations of ISSAI
9. Establishing accounting precedent
10. Large offsetting items
11. Nonrecurring items
12. Carryovers from prior periods

Additional factors to be considered by the audit team:


13. Current user needs
We may need to reassess our original materiality judgment in light of changed
circumstances or knowledge gained during the audit. For example, there may be
significant changes in economic trends, budgeted earnings/surplus or negotiations for
a line of credit.

14. Special circumstances.


The materiality threshold may be reduced when it is reasonably possible that third
parties will closely scrutinize the agencys accounting practices and question why even
small errors were not corrected. This might apply to, for example:

o Maximum-risk assignments,
o Agencies with weakening financial condition,
o Agencies that may soon have new management (within a year or shortly
thereafter),
o Management that need to significantly improve their accounting and control
practices,
o Potentially sensitive areas, such as revenue recognition

15. Agency managements past practices.


When entries are passed, it is usually assumed that agency management will
(a) subsequently correct the errors, and (b) improve its controls to prevent a
recurrence of the problem. However, when agency management appears to be unable
or unwilling to do either, the errors may take on greater significance. This is especially
true when the accounting system is capable, without significant additional cost or
effort, of correctly processing transactions.
Last updated : March 2011 5|Page
Version : 04-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-01: Summary of Audit Results and Recommendations

16. Special purposes of the audit.


The impact of proposed entries could be magnified if the financial statements will be
used for special purposes. For example, if a buy-sell agreement bases the sale price
on a multiple of earnings, an otherwise minor adjustment could have a significant
immediate effect on the price.

B. Indications of significant weakness in internal control

Even when misstatements are not material, we need to consider whether their root
causes are due to inadequacies in internal control, particularly when the errors are
more widespread or significantly larger than anticipated. We may need to expand our
audit testing to compensate for an unexpected control weakness. We also may need to
communicate the weakness to senior agency management and the Oversight Body if it
is deemed to be a "reportable condition.

C. Indications of possible fraud or illegal acts

Proposed entries may be indications of fraud or illegal acts (possibly the "tip of the
iceberg"). Examples are:

o A significant increase over the prior year in the number or size of proposed
adjustments.
o "Last minute" entries that significantly increase earnings.
o Misstatements that appear to have been made with the intent of achieving targeted
earnings or similar goals.
o Unsupported or unauthorized transactions, balances and reconciling items.
o Entries apparently made to conceal illegal acts.

Last updated : March 2011 6|Page


Version : 04-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-02: Quality Inspection Tool

QUALITY INSPECTION TOOL


Objectives

The Quality Inspection Tool will guide the audit team in performing overall review and
approval of the audit engagement prior to the release of the audit report.

The tool is divided into two parts:


Part I : IRRBA Workstep Checklist
Part II : Quality Assurance Checklist

This tool is not all-inclusive; audit teams shall customize it as appropriate.

Accomplishing this Tool

Part I: IRRBA Workstep Checklist

This part consists of the activities/processes as reflected in the IRRBA Manual. As part of
the quality assurance, audit teams shall ensure conformance to the prescribed
methodology in the conduct of their audits.

IRRBA Activities
- Identify the IRRBA Activities as prescribed in the methodology.

Working Paper Reference


- Indicate the Working Paper tag/label for easier reference of documents.

Performed by
- Staff member who completed the procedure/activity shall indicate his/her initials to
confirm his/her performance.

Reviewed by
- Reviewer shall append his/her initials as a proof of the evaluation.

Part II: Quality Assurance Checklist

This part consists of the minimum requirements in conducting audit engagements


as reflected in relevant standards, laws, rules and regulations.

General Audit Procedures


- Identify the minimum requirement of the relevant standards, laws, rules and
regulations.

Working Paper Reference


- Indicate the Working Paper tag/label for easier reference of documents.

Last updated : March 2011 1|Page


Version : 03B-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-02: Quality Inspection Tool

Performed by
- Staff who completed the procedure/activity shall indicate his/her initials to confirm
his/her performance.

Reviewed by
- Reviewer shall append his/her initials as a proof of the evaluation.

Last updated : March 2011 2|Page


Version : 03B-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-02: Quality Inspection Tool

QUALITY INSPECTION TOOL

Prepared by : Date :

Reviewed by : Date :

Approved by : Date :

Agency: _____________________________________________________

Period: _____________________________________________________

PART I: IRRBA Workstep Checklist

IRRBA Activities WP Ref. Performed by Reviewed by

1. Strategic Planning and Risk


Identification

1.1 Perform Government Risk


Identification

1.1.1 Develop/Update the


Government Risk Model

1.1.2 Identify Government Risks

1.1.3 Report the Results of GRI

1.2 Conduct COA Strategic Planning

2. Agency Audit Planning and Risk


Assessment

2.1 Prepare Agency Audit Workstep

2.2 Understand the Agency

2.3 Identify Significant Agency Risks

Last updated : March 2011 3|Page


Version : 03B-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-02: Quality Inspection Tool

IRRBA Activities WP Ref. Performed by Reviewed by

2.3.1 Update Agency Risk Model

2.3.2 Identify Agency Risks

2.3.3 Prioritize Significant Agency


Risks

2.4 Understand the Agency-level


Controls

2.5 Understand the Process

2.5.1 Identify Critical Path of the


Processes

2.5.2 Identify Process Risks

2.5.3 Identify Impact

2.5.4 Identify Existing Process-


level Controls

2.6 Conduct Audit Risk Assessment and


Planning

2.6.1 Financial and Compliance

2.6.2 Performance

2.6.3 Determine Audit Scope and


Timing

2.6.4 Determine need for


specialized skills

3. Execution

3.1 Design Audit Tests

3.2 Execute Audit Tests

3.3 Evaluate Audit Results

3.4 Communicate Audit Results

Last updated : March 2011 4|Page


Version : 03B-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-02: Quality Inspection Tool

IRRBA Activities WP Ref. Performed by Reviewed by

4. Conclusion and Reporting

4.1 Summarize Audit Results

4.1.1 Prepare summary of audit


results and
recommendations

4.1.2 Discuss results of different


types of audit conducted

4.2 Prepare Audit Report

4.2.1 Prepare Annual Audit Report

4.3 Perform Overall Audit Review

4.3.1 Perform overall review and


approval

4.3.2 Issue report

4.4 Wrap-up and Archive the


Engagement

4.5 Follow-up Agency Action Plan

5. Monitor quality control on audit services

Last updated : March 2011 5|Page


Version : 03B-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-02: Quality Inspection Tool

PART II: Quality Assurance Checklist

Performed Reviewed
General Audit Procedures WP Ref.
by by
1. Terms of Audit Engagements

An engagement letter has been prepared in


accordance with COA policies and professional
standards.

2. Independence

Members of the audit team are independent with


respect to this audit client and its affiliates

3. Initial Engagements Opening Balances

For initial audits, perform procedures to obtain


sufficient appropriate audit evidence that:
a. The opening balances do not contain
misstatements that materially affect the current
periods financial statements.
b. The prior periods closing balances have been
correctly brought forward to the current period
or, when appropriate have been restated.
c. Appropriate accounting policies are consistently
applied or changes in accounting policies have
been properly accounted for and adequately
disclosed.

4. Consultation

Identify areas and specialized situations where


consultation is required and consult with others or
use authoritative sources on other complex or
unusual matters.

Areas identified: Consulted:

____________________
_________________

____________________
_________________

____________________
_________________

____________________

Last updated : March 2011 6|Page


Version : 03B-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-02: Quality Inspection Tool

Performed Reviewed
General Audit Procedures WP Ref.
by by
_________________

Appropriate consultation has occurred in areas and


special situations where required by COA policies
and where the audit team otherwise deemed
necessary.

Appropriate documentation has been prepared and


reviewed for all consultation on significant issues
and those consulted were informed of all the
relevant facts and circumstances and the
conclusions are reasonable and consistent with
professional standards.

Memoranda that address all significant issues on


which consultation occurred are associated with, or
are attached to, the Audit Observation
Memorandum (AOM) with an indication of the
consultants approval. If consultation memoranda
have not yet been completed or approved in
writing, oral approvals have been obtained from the
individuals consulted and noted in the AOM or an
attachment to it.

Copies of the memoranda have been provided to


the individuals consulted.

Conclusions resulting from the consultations have


been implemented.

5. Minutes and Contracts

Obtain information regarding meetings of the


management, board of directors, shareholders and
important committees up to the report date.
a. Read minutes. Obtain copies of the signed
minutes or prepare excerpts. (If the copies are
not signed, compare them with the original
signed minutes.)
b. If minutes have not been prepared for recent
meetings, obtain a summary of what was
discussed.
c. Compare significant matters identified above
with information obtained during the audit and
cross-reference significant matters affecting the
financial statements to the appropriate
workpapers.

Last updated : March 2011 7|Page


Version : 03B-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-02: Quality Inspection Tool

Performed Reviewed
General Audit Procedures WP Ref.
by by

Obtain information about important contracts,


agreements and similar documents and consider
their accounting or auditing implications. Cross-
reference significant matters affecting the financial
statements and other agency-issued reports to the
appropriate workpapers.

6. Consideration of Laws and Regulations in an


Audit of Financial Statements

When planning and performing audit procedures


and evaluating and reporting the results thereof,
consider the risk of non-compliance by the agency
with laws and regulations that may materially affect
the financial statements.

Obtain a general understanding of the legal and


regulatory framework applicable to the agency and
how the agency is complying with that framework.
The procedures ordinarily include:
a. Use of existing understanding of the agencys
industry and operation
b. Inquiry of management concerning the
agencys policies and procedures regarding
compliance with laws and regulations
c. Inquiry of agency as to the laws or regulations
that may be expected to have a fundamental
effect on the operations of the agency
d. Discussion with management about the policies
or procedures adopted for identifying,
evaluating and accounting for litigation, claims
and assessments

Met with: Findings:

____________________
_________________

____________________
_________________

____________________
_________________

Last updated : March 2011 8|Page


Version : 03B-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-02: Quality Inspection Tool

Performed Reviewed
General Audit Procedures WP Ref.
by by
Perform procedures to help identify instances of
noncompliance with those laws and regulations
where noncompliance should be considered when
preparing financial statements, specifically:

a. Inquire with management as to whether the


agency is in compliance with such laws and
regulations

Met with: Findings:

____________________
_________________

____________________
_________________

____________________
_________________

b. Inspect correspondence with the relevant


licensing or regulatory authorities

Obtain sufficient appropriate evidence about


compliance with those laws and regulations
generally recognized to have an effect on:
- The determination of material amounts and
disclosures in financial statements by
considering them when auditing the assertions
related to the determination of the amounts to
be recorded and the disclosures to be made
- Programs, activities and projects of the agency

Sign one of the following statements, as applicable:

Performance of the above procedures has not


indicated any noncompliance by the agency with
laws and regulations that may materially affect the
financial statements.

A possible non-compliance by the agency with


laws and regulations was suspected or detected
and we have obtained an understanding of the
nature of the act and circumstances in which it has
occurred, and sufficient other information to

Last updated : March 2011 9|Page


Version : 03B-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-02: Quality Inspection Tool

Performed Reviewed
General Audit Procedures WP Ref.
by by
evaluate the possible effect on the financial
statements and appropriate documentation ,
evaluation and notification of management and
others has been performed.

7. Related parties

Review information provided by the directors and


agency management identifying the names of all
known related parties and perform procedures in
respect of the completeness of this information
including the following:
a. Review prior year workpapers for names of
known related parties.
b. Review the agencys procedures for
identification of related parties
c. Inquire as to the affiliation of directors and
officers with other entities

Inquired of:
______________________________________

d. Review agency management minutes of the


meetings
e. Inquire of other auditors currently involved in
the audit, or predecessor auditors, as to their
knowledge of additional related parties.

8. Inquiry regarding Litigation and Claims

Carry out procedures in order to become aware of


any litigation and claim involving the agency that
may have a material effect on the financial
statements.

9. Considering the Work of Internal Audit

Obtain a sufficient understanding of internal audit


activities to assist in planning the audit and
developing an effective audit approach.

Perform a preliminary assessment of the internal


audit function when it appears that internal audit is
relevant to the external audit of the financial
statements in specific audit areas. Such
assessment includes evaluating the competence
and objectivity of the internal auditors.

Last updated : March 2011 10 | P a g e


Version : 03B-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-02: Quality Inspection Tool

Performed Reviewed
General Audit Procedures WP Ref.
by by

When the audit team intends to use specific work


of internal audit, evaluate and test that work to
confirm its adequacy for our purposes.

10. Subsequent events

Perform procedures designed to obtain sufficient


appropriate audit evidence that all events up to the
date of the auditors report that may require
adjustment of, or disclosure In, the financial
statements have been identified.
11. Going concern

The engagement team has considered and


evaluated the appropriateness of managements
use of the going concern assumption underlying
the preparation of the financial statements both in
the planning phase and throughout the
performance of the audit procedures.

12. Management Representations

Obtain a letter of representations that is tailored to


the particular circumstances, dated the same date
as our auditors report, and signed by the members
of management who have primary responsibility for
the agency and its financial aspects

13. Financial Statements Review

Apply analytical procedures at or near the end of


the audit when forming an overall conclusion as to
whether the financial statements as a whole are
consistent with our understanding of the agency.

Verify opening balances on the basis of the prior


years audit report and/or workpapers.

Cross-reference year-end amounts on the general


ledger trial balance to the related audit workpapers.

Examine supporting documents and/or inquire of


agency personnel to determine that significant
entries made solely to prepare the financial
statement, other than entries covered by other
audit procedures, were properly authorized and

Last updated : March 2011 11 | P a g e


Version : 03B-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-02: Quality Inspection Tool

Performed Reviewed
General Audit Procedures WP Ref.
by by
accounted for.

Agree or reconcile the financial statement amounts


and the financial data in the footnotes to the
general ledger trial balance or other workpapers.

Determine that the financial statements and the


financial data in the footnotes are clerically
accurate

14. Communication of Audit Matters with


Management and those Charged with
Governance

Inform management as soon as practicable:


- If a fraud has been identified or if
information obtained indicates that a fraud
may exist
- Of the existence of material weaknesses in
the design or implementation of internal
control, including material weaknesses in
the design or implementation of internal
control to prevent and detect fraud, that
have come to our attention

The audit team has determined the relevant


persons who are charged with governance and
with whom audit matters of governance interest are
to be communicated.

The audit team has considered all audit matters of


governance interest that arose from the audit of
financial statements and communicated them to
those charged with governance. Ordinarily such
matters include:
a. General audit approach and overall scope of
the audit
b. Selection of, or changes in , significant
accounting policies
c. Potential effect of any significant risk and
exposure that is required to be disclosed
d. Audit adjustments that could have a significant
effect on the agencys financial statements
e. Material uncertainties relating to going concern
f. Disagreements with management that could
have a significant impact on the financial
statements or the audit report

Last updated : March 2011 12 | P a g e


Version : 03B-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-02: Quality Inspection Tool

Performed Reviewed
General Audit Procedures WP Ref.
by by
g. Expected modifications to the audit report
h. Internal control issues
i. Issues with respect to agencys integrity and or
fraud within the agency

Determine whether any identified risk of materials


misstatements due to fraud has continuing control
implications. Consider whether any control
deficiency related to these risks, or whether the
absence of or deficiencies in programs or controls
to mitigate specific risks of fraud or to otherwise
help prevent, deter, and detect fraud, represent
matters (including potential material weaknesses)
that should be communicated to agency
management or any relevant regulatory body.

Inform those charged with governance about those


uncorrected misstatements aggregated by us
during the current audit that were determined by
management to be immaterial, both individually
and in the aggregate, to the financial statements as
a whole.

Inform those charged with governance if a fraud


has been identified involving management,
employees who have significant roles in internal
control, or others where the fraud results in a
material misstatement in the financial statements.

Inform those charged with governance of material


weakness in the design or implementation of
internal control, including material weaknesses in
the design or implementation of internal control to
prevent and detect fraud, that have come to the
auditors attention.

Inform those charged with governance of the


agencys noncompliance with laws and regulations
that have come to our attention. If we have reason
to believe that members of agency management
are involved in noncompliance, report the matter at
the next higher level of authority.

The audit team has communicated the above


matters in a timely manner.

The engagement team has communicated the

Last updated : March 2011 13 | P a g e


Version : 03B-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-02: Quality Inspection Tool

Performed Reviewed
General Audit Procedures WP Ref.
by by
matters in a way, which is appropriate depending
on the nature and significance o f the matter as
well as on the size and legal structure of the
agency being audited.

I have reviewed this Quality Inspection Tool and the results of the procedures for
this engagement and am satisfied that all applicable general audit procedures
have been completed, the conclusions are reasonable and consistent with
professional standards, and the AAR properly reflect the issues addressed.

Signature: ________________________ Date: __________________

Last updated : March 2011 14 | P a g e


Version : 03B-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-03: Agency Action Plan

AGENCY ACTION PLAN

Objective

Agency management has the responsibility to act upon the audit observation and
recommendation provided by COA during the conduct of audit. To facilitate the process, the
COA shall provide a mechanism to enforce compliance of the activity. Hence, the Agency Action
Plan document is provided and included as part of the IRRBAM.

The Agency Action Plan is a tool for the agency to signify its action plans on the observations
and recommendations provided by the auditors. This document will serve as the basis for
auditors when monitoring agency action plans.

Agency management shall submit their action plans within 30 days from the date of receipt of
the report.

A significant part of this tool is the space provided for the sign-off of agency officer. Concurrence
of the agency, as evidenced by their sign-off, supports the fact that the agency accepts
responsibility as to the ownership of the action plans provided as well as its implementation.

Accomplishing this Tool

Reference

- The reference will serve as a guide for auditors to trace the audit observations and
recommendations indicated in the prior years working papers or reports.

Audit Observation and Recommendation

- The audit observations and the corresponding recommendations of prior years audit
shall be reflected by the auditors on this column to guide the auditors and agencies
monitoring process.

Last updated : March 2011 1|Pa ge


Version : 03B-03/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-03: Agency Action Plan

Agency Action Plan

Action Plan/Remarks - Action plan is the response of the audited agency on the
recommendations provided by the auditors during the course of the audit. This
column shall be filled-out by the agency, detailing the appropriate resolution on the
audit observation identified by the auditors.

In any case, auditors shall challenge the appropriateness of the agencies action
plans with the audit observations noted. Any comments that the auditors may have
on the Agency Action Plans shall be communicated and resolved with the
appropriate authorities.

Person/Department Responsible - The Agency shall specifically identify the person or


department responsible in implementing the action plan provided. If it is not possible
to identify the specific person (e.g., due to job rotation), the position or rank shall
suffice.

Identification of a specific person or department responsible for implementing the


action plan will guide the auditors during the conduct of their monitoring procedures.

Target Implementation Date - The action plan provided by an agency shall be time-
bound. This holds true exceptionally for major audit observations that require
immediate action.

Last updated : March 2011 2|Pa ge


Version : 03B-03/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-03: Agency Action Plan

AGENCY ACTION PLAN

Sector: __________________________________
Agency Audited: __________________________
Audit Period: ________________
AAR date: ___________________

Agency Action Plan


Audit Observation and
Ref.
Recommendation Target
Person/Dept.
Action Plan / Remarks Implem.
Responsible
Date

Agency sign-off:

_______________________________________ _________________
Agency Officer Date

Last updated : March 2011 3|Pa ge


Version : 03B-03/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-04 Action Plan Monitoring Tool

ACTION PLAN MONITORING TOOL

Objective

As discussed in the IRRBA Manual, the existence of the monitoring process for the prior
years recommendations serves as an additional control for the audited agencies to be
motivated in acting upon the recommendations provided by the auditors. Likewise,
monitoring serves as a feedback mechanism for auditors to determine the value that the
agencies obtain from the findings and suggestions that they provide.

The Action Plan Monitoring tool serves as a guide for the auditors and agencies in
conducting a structured monitoring process of prior years recommendations on the audit
observations noted.

Take note that the Agency Action Plan element will be provided by the audited agency.

Accomplishing this Tool

The following elements are to be lifted from the Agency Action Plan provided by the agency
management:

Reference

Audit Observation and Recommendation

Agency Action Plan

Action Plan / Remarks


Person/Department Responsible
Target Implementation Date

The columns provided under the COA Monitoring portion are developed to guide the auditors
during the conduct of their monitoring procedures. These elements are essential since this is
the focus of the monitoring function of the auditors.

Date of follow-up

- Indicate the date when the follow-up is made.

Implementation Status

- This column shall be answered by the auditor during the execution of the monitoring
procedures.

Last updated : March 2011 1|P age


Version : 03B-04/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-04 Action Plan Monitoring Tool

The following are the selections for the status of the implementation of agency
action plans:
Full Action plans as provided by the agency management in the Agency
Action Plan document have been fully implemented in all scope mentioned.
Partial Action plans as provided by the agency management in the Agency
Action Plan document have been partially implemented in some areas.
Ongoing Implementation of the action plans provided the agency
management in the Agency Action Plan is still ongoing.
Non-implementation Agency management did not implement the action
plans provided in the Agency Action Plan within the target completion period.
This is the area where auditors should carefully take a look. Auditors shall
examine and assess the reasons for non-implementation of previously stated
action plans.

Actual Implementation Date

- Part of the auditors examination is the determination of the actual implementation


date of the action plan set by an agency. Comparison of the actual against the target
date for the implementation of action plans is significant particularly on interrelated
audit observations and action plans.

Reason for Delay/Non-implementation

- Auditors shall uncover the reasons for the delay or non-implementation of action
plans. If the circumstances permit, auditors shall inquire several agency personnel or
officer on the causes of the delay or non-implementation.

Comments/Action Taken

- This column is for the auditors comments or actions to be taken as a result of the
monitoring procedures conducted. The remarks that will be provided on this column
can also be a basis for the next years audit project.

Last updated : March 2011 2|P age


Version : 03B-04/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B Conclusion and Reporting
Form 03B-04 Action Plan Monitoring Tool

ACTION PLAN MONITORING TOOL

Sector : Prepared by: Date:

Team : Reviewed by: Date:

Agency Audited : Approved by: Date:

Audit Period :

AAR Date :

Agency Action Plan COA Monitoring


Audit Observation Implem. Status Reason for
Ref. and Action Plan/ Person/Dept. Target Implem. (Full, Partial, Actual implem. Delay/Non- Comments/Action
Date of follow-up
Recommendation Remarks Responsible Date Ongoing, Non- Date Implementation Taken
implementation) (if applicable)

Prepared by: Approved by:

________________________________________ _________________ ________________________________________ _________________


Audit Team Leader Date Supervisor Date

Last updated : March 2011 3|P age


Version : 03B-04/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 4 Monitoring

MONITORING

Integrated Results and Risk-Based Audit Framework

Strategic Planning and Risk Identification

Planning Delivery

Agency Audit
Conclusion
Planning and Risk Execution
and Reporting
Assessment

Monitoring
(Quality Control System)

Introduction

The Monitoring phase of the IRRBA approach is a roadmap for the COA to maintain the
delivery of quality audit service to the Public. The Commission shall establish a quality
control system that will promote an internal culture recognizing that quality is essential in
performing all of its audit work.

The COA shall ensure that appropriate quality control policies and procedures are in place
(e.g., engagement quality control reviews) in respect of each major product of the type of
engagement such as Comprehensive Audit (Financial, Compliance and Agency-based
Performance Audits) Government-wide and Sectoral Performance Audit and Fraud Audit.

Last updated : March 2011 1|Pa ge


Version : 05-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 4 Monitoring

Monitor Quality Control on Audit Services

The COA, as the countrys auditor of all government agencies, government-owned


and controlled corporations, and government financial institutions, shall establish
and maintain a system of quality control to provide reasonable assurance that:
The organization and its personnel comply with professional standards and
applicable legal and regulatory requirements in the delivery of its audit
services.
The reports issued by the Commission are appropriate in the
circumstances.

It is the responsibility of the Commission Proper to establish a strategic direction


for the establishment of a Quality Control System.

If deemed necessary, the Commission as a whole or each audit sector shall


establish a Quality Control Committee that will assist the auditors in the initial and
continuous implementation of the Quality Control System.

Likewise, it is the responsibility of the Cluster Directors to ensure that a monitoring


process comprising an ongoing consideration and evaluation of the COAs system
of quality of control, including a periodic inspection of a selection of completed
engagements, is in place.

Each audit team is responsible to implement the quality control procedures that are
applicable to their audit engagement.

Elements of a Quality Control System

The following are the elements of a Quality Control System as taken from ISSAI 40
- Quality Control for Supreme Audit Institutions:

a. Leadership responsibilities for quality within the firm

An SAI should establish policies and procedures designed to promote an


internal culture recognizing that quality is essential in performing all of its work.
Such policies and procedures should be set by the head of the SAI, who
retains overall responsibility for the system of quality control.

b. Relevant ethical requirements

An SAI should establish policies and procedures designed to provide it with


reasonable assurance that the SAI, including all personnel and all parties

Last updated : March 2011 2|Pa ge


Version : 05-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 4 Monitoring

contracted to conduct work for the SAI, complies with the relevant ethical
requirements (e.g., integrity, independence, objectivity and impartiality,
professional secrecy and competence).

c. Acceptance and continuance of client relationships and specific engagements

An SAI should establish policies and procedures designed to provide the SAI
with reasonable assurance that it will only undertake audit tasks and other work
where the SAI:

(a) Is competent to perform the audit task or other work and has the
capabilities, including time and resources, to do so;

(b) Can comply with relevant ethical requirements; and

(c) Has considered the integrity of the organization being audited and has
considered how to treat the risk to quality which arises.

The policies and procedures should reflect the range of work carried out by
each SAI. SAIs broadly carry out work in three categories:

- Tasks that are required of them by their mandate and statute and which
they have no option but to carry out;

- Tasks that they can choose to carry out;

- Tasks that are required by their mandate, but where they have discretion as
to the timing, scope or nature of each task.

d. Human resources

An SAI should establish policies and procedures designed to provide it with


reasonable assurance that it has sufficient resources (personnel and, where
relevant, parties contracted to conduct work for the SAI) with the competence,
capabilities and commitment to ethical principles necessary to:

(a) Perform its tasks in accordance with relevant standards and applicable and
legal and regulatory requirements; and

(b) Enable the SAI to issue reports that are appropriate in the circumstances.

Last updated : March 2011 3|Pa ge


Version : 05-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 4 Monitoring

e. Engagement performance

An SAI should establish policies and procedures designed to provide it with


reasonable assurance that its tasks are performed in accordance with relevant
standards and applicable legal and regulatory requirements, and that the SAI
issues reports that are appropriate in the circumstances. Such policies and
procedures should include:

a) Matters relevant to promoting consistency in the quality of the work


performed;

b) Supervision responsibilities;

c) Review responsibilities.

f. Monitoring

An SAI should establish a monitoring process designed to provide it with


reasonable assurance that the policies and procedures relating to the system
of quality control are relevant, adequate and operating effectively. The
monitoring process should:

(a) Include an ongoing consideration and evaluation of the SAIs system of


quality control, including review of a sample of completed tasks across the
range of work performed by the SAI;

(b) Require responsibility for the monitoring process to be assigned to an


individual or individuals with sufficient and appropriate experience and authority
in the SAI to assume that responsibility;

(c) Require that those performing the review have not taken part in the task or
any quality control review of the task.

Quality control policies and procedures

The Quality Control System shall be incorporated in the Commissions strategy,


culture, policies and procedures. For the system to be effective, it shall be
customized according to the COAs own structure, audit assignment risks and the
tasks it performs

COA management shall ensure that the quality control procedures are being
followed by the auditors not only for compliance but as an embedded process in
ensuring delivery of quality audit services.

Last updated : March 2011 4|Pa ge


Version : 05-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 4 Monitoring

Quality risk

The COA shall ensure that the Quality Control System addresses the risks to the
quality of its auditing and other work. The risks to quality will be dependent on the
mandate and functions of the COA and the conditions and environment under
which it operates.

Quality risks may concern the professional judgments and performance of


procedures in the conduct of auditing and other work, as well as the
communication of the results and the appropriate understanding of these by
intended users.

Other consideration that needs to be included in the Quality Control System


The COA shall ensure that applicable standards are followed in all work
performed, and that any deviations are appropriately documented.
The COA should consider their work program and whether, at an organizational
level they have the resources to deliver the range of tasks to the desired level of
quality.
All work performed should be subject to review as a means to contributing to
quality and also to promote learning and staff development.
Timely documentation of all work performed (e.g., audit work papers) following
completion of each engagement shall be complied with.
Auditors shall ensure that appropriate principles of natural justice are followed in
respect of finalizing report findings to ensure those parties affected by the
COAs reports have an opportunity to comment prior to the report being
finalized.
Auditors should balance the confidentiality of documentation with the need for
transparency and accountability.
Ensure that the results of quality control reviews are reported to the
Commission Proper in a timely manner and that appropriate action is taken.

Quality Assurance Activities

Quality assurance refers to policies, systems and procedures established by SAIs


to maintain a high standard of audit activity. It also refers to the requirements
applicable to the day-to-day management of audit assignments.

Quality assurance activities include:


- Securing the quality of the planning; the planning of selected tasks should be
reviewed to ensure that adequate consideration has been given to all matters
considered essential.

Last updated : March 2011 5|Pa ge


Version : 05-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 4 Monitoring

- Securing the quality of the ongoing work; the ongoing work should be subject
to continual review. This review is essential to maintain the quality of audit work
and to promote learning and feedback.
- Securing the quality of the finalized audit; all completed tasks should be
reviewed prior to signing any reports.

The objectives of quality assurance procedures should incorporate:


- Professional competency and integrity
- Supervision and assignment of personnel to engagements
- Guidance and assistance
- Client evaluation
- Allocation of administrative and technical responsibilities.

Quality Assurance Review Program

The COA shall establish a Quality Assurance Review Program that is flexible to the
needs and mandate of the auditors. The results of the program should be reported
to COA management at least annually.

A quality assurance review program is a series of reviews of activities undertaken


by the SAI to assess the overall quality of the work performed and covers various
issues and perspectives. A quality assurance review may examine adherence to
audit policy and procedures and identify areas where there is any opportunity for
improvements in these policies and procedures, or it may assess the quality of
audit work performed to meet specified objectives or specific stakeholders
perspectives. Quality assurance reviews will generally address both adherence to
specified processes and the quality of the work performed

The following are some of the activities which may be undertaken by the COA in
performing its Quality Assurance Review Program:
- Independent academic review
- Stakeholder surveys
- Peer review
- Follow-up reviews of recommendations
- Citizen review
- Feedback from audited organizations.

Last updated : March 2011 6|Pa ge


Version : 05-00/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 4 Monitoring

Policy and Standard

Policy/Standard Description
ISSAI 40 Quality Control for Supreme Audit Institutions
ISSAI 1000 General Introduction to the INTOSAI Financial Audit
Guidelines
ISSAI 1220 Financial Audit Guideline Quality Control for an
Audit of Financial Statements
Appendix 4 to ISSAI 3000 Communication and Quality Assurance
ISSAI 3100 Performance Audit Guidelines: Key Principles
Appendix
ISSAI 4100 Compliance Audit Guidelines for Audits Performed
Separately from the Audit if Financial Statements
ISSAI 4200 Compliance Audit Guidelines Related to Audit of
Financial Statements

Last updated : March 2011 7|Pa ge


Version : 05-00/2011/v1