Integrated Results and Risk-Based Audit Manual Forms and Templates

Commission on Audit
INTEGRATED RESULTS AND

RISK-BASED AUDIT MANUAL
FORMS AND TEMPLATES
(Funded by The World Bank IDF Grant No. TF 092158)
Strategic Planning and Risk Identification
Planning Delivery
Agency Audit
Conclusion
Planning and Risk Execution
and Reporting
Assessment
Monitoring
(Quality Control System)
SEPTEMBER 2011
Integrated Results and Risk-Based Audit Manual
FORMS AND TEMPLATES
1. Strategic Planning and Risk Identification

Form 01-01 Government Risk Model (GRM)
Form 01-02 Government Risk Identification Template (GRIT)
2. Agency Audit Planning and Risk Assessment

Form 02-01 Agency Audit Workstep
Form 02-02 Understanding the Agency (UTA) Template
Form 02-03 Agency Risk Model (ARM)
Form 02-04 Agency Risk Identification (AgRI) Matrix
Form 02-05 Agency-level Control Checklist (ALCC)
Form 02-06 Process-Risk-Control (PRC) Matrix
Form 02-07 Audit Risk Assessment and Planning (ARAP) Tool
3A. Delivery: Execution

Form 03A-01 Audit Test Summary (ATS)
3B. Delivery: Conclusion and Reporting

Form 03B-01 Summary of Audit Results and Recommendations (SARR)
Form 03B-02 Quality Inspection Tool (QIT)
Form 03B-03 Agency Action Plan (AAP)
Form 03B-04 Action Plan Monitoring Tool (APMT)
Last updated : March 2011 1|Pa ge

Version : 00-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 1 – Strategic Planning and Risk Identification
Form 01-01: Government Risk Model
GOVERNMENT RISK MODEL
Objective
Part of the Strategic Planning and Risk Identification process of the Integrated Results and Risk-
based Audit (IRRBA) is the identification of government risks. This activity will be conducted
annually, supervised by the Assistant Commissioners and attended by directors from the
following sectors/offices:
· National Government Sector (NGS)
· Corporate Government Sector (CGS)
· Local Government Sector (LGS)
· Regional Offices
· Fraud and Investigation office (FAIO)
· Special Audits Office (SAO)
· Information Technology Office (ITO)
· Technical Services Office (TSO)
The Government Risk Model is introduced to guide the participants in the identification of
government risks. The Government Risk Model is a comprehensive list of risks that a
government may encounter which could threaten the achievement of its mandate and
objectives.
This model shall be regularly reviewed, updated and customized to consider changes in the
public sector environment, as well as to consider the impact of new standards, laws, rules and
regulations.
*The COA shall identify the process champion in this activity, which will ensure the maintenance and updating of this
tool.
Accomplishing this tool
Risk Listing
- The Risk Listing is a table of government risks divided into the following risk categories:
a. Strategic
b. Operations
c. Compliance
d. Financial
Last updated : March 2011 1|Page

Version : 01-01/2011/v1
The table lists down all potential risks that the government may face. Therefore, there are
risks that may be identified as a risk of the government in the current audit period that was
not identified in the preceding audit period. In either case, the risk listing shall be
maintained regardless of the existence of the risk at the time of the identification. Likewise,
the list shall be regularly updated to include emerging risks that may affect the
achievement of the government’s mandate and objectives.
Risk Definition
- Customize/create the definition of the risks based on the nature of the risk.
a. Risk Title – The label for the risks identified shall be properly chosen to reflect the nature
of the risk even by just looking at the risk title.
b. Risk Description - The risk description shall be clear on the cause and effect of the risk
once it materializes. The risk definition shall be generic in nature and shall avoid including
process-level effects to not limit/restrict the risk descriptions.
NOTE: The items in the succeeding pages are just samples to illustrate the tool. It does not represent any factual
data nor any result of prior audit projects.

Version : 01-01/2011/v1

Version : 01-01/2011/v1
GOVERNMENT RISK MODEL
Prepared by : Date :
Reviewed by : Date :
Approved by : Date :
Strategic Operations Compliance Financial

Planning and resource allocation Public service and operations Mandate Market
§Organizational structure §Customer/public satisfaction §Functions §Interest rate
§Strategic planning §Channel effectiveness §Foreign currency
§Operational planning §Cycle time Governance §Commodity
§Service failure §Board performance/Agency
§Budgeting §Financial instrument
§Forecasting §Efficiency Management Committee
§Public policies
§Resource allocation §Capacity §Tone at the top
§Debt and fiscal policy
§Capital/fund availability §Performance measure/gap §Authority/limit
§Operational model §Partnering/contracting §Control environment Liquidity and credit
§Operational portfolio §Citizen relationship management §Corporate social responsibility §Cash management
§Outsourcing system and organization §Reputation §Opportunity cost
§Corruption and fraud §Funding
Major initiatives Code of conduct
§Hedging
§Vision and direction People §Ethics
§Credit and collections
§Planning and execution §Culture §Fraud
§Insurance
§Measurement and monitoring §Recruiting and retention §Employee/third party fraud
§Foreign assisted loan
§Technology implementation §Development and performance §Illegal acts
§Project evaluation §Succession planning §Management fraud Accounting and reporting
§Change readiness §Knowledge capital §Unauthorized use §Accounting, reporting and disclosure
§Climate change and sustainability initiatives §Compensation and benefits §Internal control
§Education Legal
§Performance incentives §Investment evaluation
§Healthcare services delivery §Contract
§Health and safety §Tax strategy and planning
§Energy and water management §Liability
(supply/distribution) Information technology §Intellectual property Capital structure
§Information management §Anticorruption §Debt
Environment dynamics
§Security/access §Legal §Equity
§Economic changes
§Financial market §Availability/continuity §Pension funds
Regulatory
§Sovereign/political §Integrity §Trade
§Customer/public wants §Infrastructure §Customs
§Technological innovation §Procurement
Hazards
§Environment scan §Road-right of way (RROW )Acquisition
§Natural events
§Agency environment/industry §Labor
§Terror and malicious acts
§Sensitivity §Securities
Market dynamics Physical assets §Environment
§Macroeconomic factors §Real estate §Data protection and privacy
§Lifestyle trends §Property, plant and facilities §International
§Sociopolitical §Maintenance and performance §Product/service quality
§Technology changes §Inventory §Health and safety
Communication and public relations §Competitive practice/antitrust
§Media relations
§Public relations
§Crisis communications
§Employee communication

Version : 01-01/2011/v1
Risk Definition
RISK TITLE RISK DESCRIPTION
STRATEGIC
Planning and Resource Allocation

The overall structure of the government instrumentalities does not
Organizational structure
support the achievement of strategic objectives in an efficient manner.
This risk pertains to the inability to discover, evaluate and select among
Strategic planning alternatives to provide direction and allocate resources for effective
execution to achieve the strategic objectives of the government.
This risk pertains to the misalignment of operating plans and execution
Operational planning to strategic planning. There is also a lack of information needed to make
the right decisions.
This risk pertains to the inability to effectively budget for new and
existing initiatives that support the overall strategic goals and objectives
for growth, expansion, acquisition for public welfare.
Budgeting
It also pertains to the inability to effectively budget for programs and
projects that would meet the government’s Medium Term Philippine
Development Plan (MTPDP).
This risk pertains to the inability to forecast financial information to
Forecasting
enable the allocation of resources to new and existing initiatives.
Unavailability and inappropriateness of resource allocation process
Resource allocation
prohibits the government’s ability to provide value for public.
Insufficient access to fund threatens the government’s capacity to grow,
Capital/fund availability
execute its strategies and achieve its objectives.
The government has an obsolete operation model and does not
recognize it and/or lacks the information needed to make an up-to-date
Operational model
assessment of its current model and build a compelling operational case
form modifying that model in a timely manner.
Lack of relevant and reliable information that enables agency
management to effectively prioritize its services or balance its operations
Operational portfolio
in a strategic context may preclude a diversified agency from maximizing
its overall performance.
Outsourcing activities to third parties may result in the third parties not
Outsourcing acting within the intended limits of their authority or not performing in a
manner consistent with the government’s strategies and objectives.
Major initiatives
This risk pertains to the failure to establish a vision and direction for
major initiatives, including services, products and programs that will
Vision and direction
drive future growth. It also pertains to failure to establish project
acceptance criteria and adequately measure against the criteria.
This risk pertains to the failure to plan and execute major initiatives due
Planning and execution
in a coordinated manner.

Version : 01-01/2011/v1

This risk pertains to the failure to identify appropriate metrics and assess
Measurement and monitoring performance, quality and adherence to the standards as set forth by the
government.
This risk pertains to the failure of a major technology implementation to
Technology implementation
meet the organization’s strategic objectives.
Failure to evaluate project proposals may result in problems when the
Project evaluation
project has been approved.
The people within the government are unable to implement process and
Change readiness service improvements quickly enough to keep pace with changes in the
public environment.
Failure to foresee changes in the environment and establish initiatives to
Climate change and
keep pace with biological changes may result in operations
sustainability initiatives
discontinuance and degradation.
Environment Dynamics
Economic changes such as lower economic growth reduce tax revenue
Economic changes and opportunities to provide a wide range of services or limit the
availability or quality of existing services.
Movements in prices, rates, indices and the like threaten the value of the
Financial market
agency’s financial assets.
Adverse political actions in a country in which the agency has invested
significantly is dependent on a significant volume of operation or has
Sovereign/political entered into a significant agreement with a counterparty subject to the
laws of that country threaten the agency’s resources and future cash
flows.
This risk pertains to the changing pervasive public needs and wants that
Customer/public wants the agency is not aware of, e.g., increased demand for faster turnaround
on services.
The agency is not leveraging advancements in technology in its
operations to achieve or sustain advantage. The agency may also be
Technological innovation exposed to the actions of another agency or substitute that does not
leverage technology to attain superior quality, cost and/or time
performance in their services processes.
Failure to monitor the external environment or formulation of unrealistic
or erroneous assumptions about environment risks may cause the
Environment scan
agency to retain operation strategies long after they have become
obsolete.
This risk pertains to the changes in opportunities and threats, and other
Agency environment/Industry
conditions affecting the agency’s environment.
Overcommitment of resources and expected future cash flows threatens
Sensitivity the agency’s capacity to withstand changes in the environment (e.g.,
interest rates, public demand, changes in regulations and so on) forces.
Market Dynamics
This risk pertains to the factors relating to macroeconomic conditions
Macroeconomics factors that affect the ability to maintain or increase revenue and profitability in a
specific agency environment.
This risk pertains to the failure to anticipate and respond to changes in
Lifestyle trends
overall trends related to lifestyle demands of consumers.

Version : 01-01/2011/v1

This risk pertains to the exposure to social and political factors within a
Sociopolitical market environment that affect the ability to market, sell and deliver
products and services.
This risk pertains to the dramatic changes in current technologies that
Technology changes may impact the market viability or demand of current products and
services offered by the agency.
Communication and public relations
This risk pertains to the inability to anticipate and manage shifts in the
information stakeholders’ wants and the way in which they want it
Media relations
communicated to them. It also pertains to the ineffective ongoing,
transparent communications with the public in order to create goodwill.
A decline in customer/public confidence threatens the agency’s capacity
Public relations
to efficiently raise or collect funds.
This risk pertains to the failure to communicate the right message in an
Crisis communications effective manner to recover and maintain agency operations in the event
of a crisis or disruption due to physical or natural circumstances.
This risk pertains to the inability to understand and respond to the
Employee communications
communication needs of different employees.
OPERATIONS
Public Service and Operations

A lack of focus on the customer/ public threatens the agency’s capacity
Customer/public satisfaction
to meet or exceed the customer’s/ public’s expectations.
Poorly performing or positioned channels access threaten the agency’s
Channel effectiveness
capacity to effectively and efficiently service the customer/ public.
Unnecessary activities threaten the agency’s capacity deliver services in
Cycle time
a timely manner.
Faulty or non-performing services expose the agency to customer/public
Service failure
complaints, litigation, and loss of revenues and agency reputation.
Inefficient operations threaten the agency’s capacity to deliver services
Efficiency
at the lowest cost and shortest time possible.
Insufficient capacity threatens the agency’s ability to meet
Capacity customer/public demands, or excess capacity threatens the agency’s
ability to generate competitive profit margins.
Inability to perform at world-class levels in terms of quality, costs and/or
Performance measure/gap cycle time due to inferior operating practices threatens the demand for
the agency’s services.
Inefficient or ineffective external relationships affect the agency’s
capacity to serve. These uncertainties arise due to choosing the wrong
Partnering/contracting
partner, poor execution, taking more than what is given (resulting in loss
of a partner) and failing to capitalize on partnering opportunities.
People

Version : 01-01/2011/v1

This risk pertains to the failure to establish a culture that is consistent
Culture with management philosophy and that encourages integrity, values, and
ethical competence.
This risk pertains to the failure to attract, hire and retain the qualified
Recruiting and retention
resources to optimize execution of the organization's objectives.
This risk pertains to the inability to develop and enhance employee skills
Development and performance and provide performance management that ensures optimal
achievement of organizational strategies, goals and objectives.
This risk pertains to the failure to create and implement an effective
succession plan for senior executive and other key positions and
Succession planning employees throughout the organization. It also pertains to the failure to
align succession planning with strategic planning and leadership
development objectives).
Processes for capturing and institutionalizing learning across the
agency are either non-existent or ineffective, resulting in slow response
Knowledge capital
time, high costs, repeated mistakes, slow development, constraints on
growth and unmotivated employees.
Failure to provide a total compensation package (base salary,
annual/long-term incentive, benefits/perquisites) that are market
Compensation and benefits
competitive, aligned to agency and compensation strategies and retain
and motivate employees to achieve desired results.
Unrealistic, misunderstood, subjective or non-actionable performance
measures may cause senior management, division heads and
Performance Incentives
employees to act in a manner inconsistent with the agency’s objectives,
strategies, and ethical standards, and with prudent agency practice.
Failure to provide a safe working environment for its workers exposes
Health and safety the agency to compensation liabilities, loss of operational reputation and
other costs.
Information and technology
Failure of Information systems to adequately protect the critical data and
Security/access infrastructure from theft, corruption, unauthorized usage, viruses, or
sabotage.
The inability to recover from, and continue uninterrupted operations in
Availability/continuity
the event of extraordinary events, systems and implementation failures.
Information systems that do not provide reliable information when it is
Integrity
needed or perform so slowly that operations are not efficient.
The computer and telecommunications systems with supporting
software do not capture, retain and transfer data in a secure and reliable
Infrastructure
environment and do not meet the expected requirements of the agency
at a reasonable cost.
Hazards
Threat to disrupt operation and ability of the agency to sustain
operations, provide essential services or recover operating costs or
Natural events
accomplish planned target due to natural events (e.g., fire, earthquake,
tornado).
Threat to disrupt operation and ability of the agency to sustain
operations, provide essential services or recover operating costs or
Terror and malicious acts
accomplish planned target due to terrorist activities or other malicious
acts.

Version : 01-01/2011/v1
Physical assets
Failure to provide physical protection and stewardship over real estate
Real estate
designed to optimize longevity and utilization.
Failure to provide physical protection and stewardship over long-lived
Property, plant and facilities assets (such as buildings, furniture, fixtures, machinery, equipment and
other assets) designed to optimize longevity and utilization.
Failure to provide physical protection and stewardship over inventories
Inventory designed to optimize utilization while minimizing obsolescence,
contamination, etc.
COMPLIANCE
Mandate
Failure to align process objectives and performance measures with the
Function mandate of the agency, its objectives and strategies may result in
conflicting, uncoordinated activities throughout the agency.
Governance
Failure of Board of Directors to discharge their obligations and duties
Board performance/Agency
owed to the agency and its stakeholders in good faith; and to possess
management committee
adequate knowledge to interpret and act on the information provided.
Senior management fails to establish an environment that encourages
integrity, ethical values, and competence of the agency's people through
Tone at the top
management's philosophy and operating style, assignment of authority
and responsibility, and the organization and development of its people.
Ineffective lines of authority may cause senior management, division
Authority/limit heads or employees to do things they should not do or fail to do things
they should.
Failure to establish and maintain an internal control environment which
Control environment
aligns with stakeholder and regulatory expectations.
The mismanagement of "socially responsible" activities (e.g., conducting
social responsibility training for management of manufacturers,
undertaking environmental programs, participating in community
Corporate social responsibility
initiatives) resulting in an unfavorable agency perception with
stakeholders, customers, suppliers, agency partners, employees and the
regulatory community.
Damage to the Agency’s reputation exposes it to loss of customer/
Reputation
public trust, profits and the ability to grow.
Code of conduct
The absence of formal standards of employee behavior that are
Ethics intended to direct and influence the way agency operation is conducted,
above and beyond the letter of the law.
Potential unethical acts committed by agency employees or other
Fraud
stakeholders may negatively impact the agency's reputation.
Fraudulent activities perpetrated by employees, suppliers, agents, or
third-party administrators against the agency for personal gain (e.g.,
Employee/Third Party Fraud
misappropriation of physical, financial or information assets) expose the
agency to financial loss.

Version : 01-01/2011/v1

Illegal acts committed by senior management, division heads or
Illegal Acts employees expose the agency to fines, sanctions, and loss of public
trust, profits and reputation, etc.
Management Fraud (e.g., intentional misstatement of financial
Management Fraud statements or critical reports) may adversely affect stakeholders’
decisions.
Unauthorized use of the agency’s physical, financial or information
Unauthorized Use assets by employees or others exposes the agency to unnecessary
waste of resources and financial loss.
Legal
Entering into contracts that are unfavorable to the agency; and the
Contract failure to comply with and monitor contract terms to protect the agency
from financial losses.
A responsibility, duty or obligation that may result in lawful consideration
Liability
to provide satisfaction, compensation or other form of restitution.
Failure to create, capture, enhance, leverage and protect the collective
Intellectual property knowledge, expertise and ideas of agency employees valued as non-
physical assets.
Failure to create an agency environment which is opposed to corruption,
Anticorruption
and instill agency practices which prevent corruption.
Changing laws threaten the agency’s capacity to consummate important
Legal transactions, enforce contractual agreements or implement specific
strategies and activities.
Regulatory
Failure to identify and prevent legal risks posed by noncompliance with
Trade governmental and International regulatory requirements for Trade
Practices e.g., anti-dumping and trade policy.
Failure to identify and prevent legal risks posed by noncompliance
Customs With governmental and International regulatory requirements for
Customs.
Procurement
the government procurement reform act.
Failure to implement infrastructure projects due to RROW problems and
Road-right of way (RROW)
risks posed by non-compliance with Comprehensive and Continuing
acquisition
Urban development and Housing Program (RA 7279)
governmental and International regulatory requirements for Labor rules
Labor
and regulations, including taxes, wages, antidiscrimination, Family and
Medical Leave, workplace violence etc.
Securities
governmental and International Securities regulatory requirements.
Environment governmental and International Environmental regulations e.g.,
noncompliance with ISO 4001 standards.
Failures to identify and prevent legal risks posed by, and prevent non-
Data protection and privacy compliance with privacy rules and regulations standards resulting in
improper disclosure of confidential customer information.
Last updated : March 2011 10 | P a g e

Version : 01-01/2011/v1
Exposure to geo-political, regulatory and fraud risks via international

International
business dealings.
Product/service quality governmental and International regulatory requirements for
product/service quality and safety.
Health and safety governmental and International rules and regulations for health and
safety.
Failures to identify and prevent legal risks posed by, and prevent non-
compliance with, government and international rules and regulations for
Competitive practice/antitrust
competitive practices/ anti-trade. Lack of awareness of statutory and
regulatory application of export & customs policies and requirements.
FINANCIAL
Market
Unfavorable price paid per unit of funds borrowed or the rate of return
Interest rate received on invested assets, or interest rate fluctuations beyond
projected range.
Unfavorable fluctuations in the currency of another market that is
Foreign currency
needed to carry out international transactions.
Unfavorable fluctuations in the price of raw materials or other
Commodity commodities used in product development/service delivery that are not
anticipated and managed.
Financial market risk can vary depending on the particular segment of
Financial instrument the market to which the holder of a financial instrument is exposed, or
the way in which the exposure is structured.
Liquidity and credit
Failure to efficiently and effectively administer and manage cash flows to

Cash management
maintain adequate liquidity to meet obligations.
The use of funds in a manner that leads to the loss of economic value,
Opportunity cost including time value losses, transaction costs and other causes of loss of
value.
Failure to meet the requirements of a portfolio of capital investments and
obligations based on specified commitments or in accordance with terms
Funding of an agreement (i.e. retirement and capital accounts).
Failure to receive appropriate funds to finance programs and projects.

Failure to purchase or undertake sale transactions that effectively
Hedging
minimize profits or losses arising from price fluctuations.
Inability to obtain the optimal level of payment received as a result of a
Credit and collections
prior agency transaction.
Insurance coverage fails to protect the agency from significant financial
Insurance
losses due to incidents and claims.
Accounting and reporting

Version : 01-01/2011/v1

Incomplete, inaccurate and/or untimely reporting of required financial
and operating information to other regulatory agencies may expose the
agency to fines, penalties and sanctions.
Accounting, reporting and
disclosure Over-emphasis on financial accounting and other information to
manage the operations may result in the manipulation of outcomes to
achieve targets at the expense of not meeting public expectation, quality
and efficiency objectives.
Significant or material weaknesses resulting from inadequate financial
Internal control internal controls impacting management's assessment and reporting
under country regulations.
Lack of relevant and/or reliable information supporting investment
Investment evaluation decisions and linking the financial risks accepted to the capital at risk,
may result in poor short- or long-term investments.
Failure to properly evaluate and execute tax planning strategies.
Tax strategy and planning Misalignment of tax objectives and strategies with overall agency
objectives, strategies and initiatives.
Capital structure
Potential over reliance on borrowing from creditors to provide adequate
Debt working capital for agency objectives and/or to cover current operating
obligations resulting in an unfavorable debt to equity ratios.
Inability to offer marketable securities appropriately priced for the
Equity
enterprise's value.
Inability to identify, establish and maintain the optimal structure for
Pension funds
pension funds.

Version : 01-01/2011/v1
Phase 1 – Strategic Planning and Risk Identification
Form 01-02 Government Risk Identification Template
GOVERNMENT RISK IDENTIFICATION TEMPLATE
Objective
The Government Risk Identification Template (GRIT) is used to document the significant
government risks identified for a particular audit period, as well as the basis of selecting
those particular risks, and the agencies and programs or activities affected. By having all of
this information in one sheet, it facilitates ease of summary and discussion with the
participants during the identification of significant government risks as well as increased
efficiency and effectiveness in tracing the effects of those risks.
This template if carefully and exhaustively accomplished will facilitate a unified thrust for the
COA in conducting government auditing.
The GRIT once accomplished shall be cascaded to all audit clusters and concerned offices
through the COA’s Annual Strategic Planning for inclusion in the Agency Audit Planning and
Risk Assessment.
Accomplishing this tool is critical to document the high-level inputs from COA directors
assigned in the audit of agencies representing the three audit sector, regions, and auditors
performing Government-wide and Sectoral Performance Audit (GWSPA) and Fraud Audit.
Government Objective
- Identify the objectives of the government as identified in the State of the Nation
Address (SONA), Medium-Term Philippine Development Plan (MTPDP), Medium-
Term Public Investment Program (MTPIP) and so on.
Key Government Risk
- Participants may use the Government Risk Model to identify the key government risks
(risk category, risk title and risk definition)
Basis of Selection
- Indicate the basis or reason why the risk was considered as significant.
Relevant data may also be obtained from the following:

• COA direction
• Sector Strategic Action Plan
ast updated : March 2011 1|Page

Version : 01-02/2011/v1
Phase 1 – Strategic Planning and Risk Identification
• SONA
• MTPDP/MTPIP
• Government Risk Model
• Sector risks
• Media releases and media reports
• Fraud and geographic risks
• Government-wide and sectoral programs and activities
• Knowledge of the auditors
Name of Agency
- Indicate the agencies affected by the risks identified. Auditors may also refer to other
outputs of government instrumentalities (e.g., Updated Strategy Planning Matrices for
the MTPDP of NEDA).
Government Program, Activity or Project
- Relate the government program/activity affected by the risk identified. It could be a

program of one agency or inter-agency project.
ast updated : March 2011 2|Page

Version : 01-02/2011/v1
GOVERNMENT RISK IDENTIFICATION TEMPLATE

For the Audit Period 20XX
Prepared by : __________________________________________________ Date :
Reviewed by : __________________________________________________ Date :
Approved by : __________________________________________________ Date :
Key Government Risk

Government
Government Objective Basis of Selection Name of Agency
Risk Program, Activity or Project
Risk Title Risk Definition
Category
Key Risk 1
Key Risk 2
Key Risk 3
Key Risk 4
Key Risk 5
Key Risk 6
Key Risk 7
Key Risk 8
Key Risk 10
Key Risk 11
Key Risk 12

Version : 01-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 – Agency Audit Planning and Risk Assessment
Form 02-01: Agency Audit Workstep
AGENCY AUDIT WORKSTEP
Auditee __________________________________________________
Audit Period __________________________________________________
Prepared By __________________________________________________ Date Prepared: ___________________
Reviewed By __________________________________________________ Date Reviewed: ___________________
Approved By __________________________________________________ Date Approved: ___________________
Target Date to Accomplish

WP Person
Activity Output Year Remarks
Ref. Responsible
J F M A M J J A S O N D
Last updated : March 2011 1|P a ge

Version : 02-01/2011/v1
Form 02-02: Understanding the Agency Template
UNDERSTANDING THE AGENCY TEMPLATE

Objective
We obtain our understanding by performing review, inquiry, analytical procedures, observation

and inspection.
This template enables us to document our understanding of the agency and its environment and
assist in identifying risks of material misstatement. We document the identified inherent and/or
significant risks in this template.
The Understanding the Agency (UTA) can be used in conjunction with our meeting(s) with the
agency during the planning of the engagement. When we complete the UTA, we:
· Consider the use of available industry or sector knowledge
· Customize the UTA to each engagement
For future engagements, we base our understanding of the agency and its environment on prior
period knowledge. We update our understanding by focusing on the significant changes in the
agency and its environment in the current period and reflect those changes within the UTA
brought forward from the prior period.
Agency Profile
A. Mandate – State the relevant law, rule or regulation mandating the purpose of the
establishment of the agency.
B. Operations – Provide a brief description of the agency’s operations and critical agency
processes.
C. Structure - Describe the Agency’s organizational structure and its relation to other key
government agencies. (Attach the Agency’s organizational structure, as necessary)
D. Objectives and Strategies – State the objectives and strategies of the Agency. Evaluate
if these objectives and strategies are aligned with the mandate of the Agency.
E. Key Stakeholders – List stakeholders, or unified stakeholder groups, whose expectations
or actions (or inactions) can significantly influence management or affect the agency
objectives and strategies (and/or the ability of the agency to meet its objectives and
strategies)
F. Key Environmental Factors – Briefly describe the environment of the agency and how
the operations of the Agency are affected/influenced by environmental factors.
Examples of environment to be reviewed are:

Version : 02-02/2011/v1
· Political Environment
· Social Environment
· Legal and Regulatory Environment
· Technological Environment
OPIF/Program Accountability Model – Show the Organizational Performance Indicator

Framework of the agency if there is any or the Program Accountability Model developed.
Key Performance Indicators - The key results identified and monitored by management,
generally few in number, that must be achieved to conclude that a strategy has been
implemented successfully. Key performance indicators also refer to the targeted Major
Final Outputs (MFO) as agreed in their Organizational Performance Indicator Framework
(OPIF).
Accounting Policy – Provide brief description of key accounting policies applied, including
financial reporting standards or changes in the agency’s accounting policies and reasons
for such changes. We evaluate whether the agency’s accounting policies are appropriate
and consistent with the applicable financial reporting framework.
Previous Audit Findings – Include significant audit findings from previous audits that may still
exist in the agency.
Recent Developments/ News – Include any pertinent news or publication about the agency and
indicate the possible impact or risk that may arise on the Agency.
Analytic Review – Evaluations of financial and non-financial information through analysis of

plausible relationships among both financial and non-financial data. Analytical procedures
also encompass such investigation as is necessary of identified fluctuations or relationships
that are inconsistent with other relevant information or that differ from expected values by a
significant amount.
A. Financial
· Financial Statement Account – indicate the financial statement accounts of the
Agency
· Current Year – indicate the current account balance of the financial statement
account
· Prior Year – indicate the previous year’s balance of the financial statement account
· Variance (Amount) – the amount of difference between the current year and previous
year balance
Version : 02-02/2011/v1
· Variance (%) – the percentage increase or decrease from previous year’s balance
(Formula is Amount of Variance/Prior Year balance)
· Remarks – indicate the reason for the significant increase or decrease in the account
balance
B. Performance
· Performance indicators – indicate the performance indicator applicable to the
Agency. Examples of performance indicators are Asset Turnover, Inventory
Turnover, Return on Asset and Return on Equity. Should the Agency have an OPIF
structure, we should consider the Major Final Outputs as part of the performance
indicators.
· Actual – refers to the actual achievement of the Agency on its performance indicator
· Budget/Target – pertains to the planned or targeted performance expected from the
Agency.
· Variance (Amount) – the amount of difference between the actual and
budgeted/targeted amounts.
· Variance (%) – the percentage increase or decrease from the budgeted/targeted
amount (Formula is Amount of Variance/Budgeted or Targeted amount)
· Remarks – Indicate the reason for any significant increase or decrease from the
budgeted or targeted amount.
PAPs Review – This is a review of each PAP of the agency by understanding the details and
overview of the PAP including its objectives. An analytic review on the performance of the
PAP is also included to determine specific areas in the PAP that require audit focus.
UTA Summary
A. UTA Reference – States the part/component of the UTA where the information was
taken from.
B. Identified Agency Risk – Indicates the agency risks (risk title and risk statement)
identified while understanding the agency. Audit teams may also use the Agency Risk
Model as a reference in plotting the agency risks identified at this point.
C. Impact on the Agency – States the impact of risk to the agency if it materializes based
on your initial understanding.

Version : 02-02/2011/v1
UNDERSTANDING THE AGENCY TEMPLATE
Agency: Prepared by:

Date
Audit Period: Reviewed by:
Date
Approved by:
Date
AGENCY PROFILE
A. Mandate
B. Operations
C. Structure
D. Objectives and Strategies
Objectives Strategies

Version : 02-02/2011/v1
E. Key Stakeholders
F. Key Environmental Factors
Political Environment
Social Environment
Legal and Regulatory Environment
Technological Environment
OPIF/ PROGRAM ACCOUNTABILITY MODEL
MFOs/ KEY PERFORMANCE INDICATORS

Version : 02-02/2011/v1
ACCOUNTING POLICIES
PREVIOUS AUDIT FINDINGS
RECENT DEVELOPMENTS/ NEWS
Recent Developments/ News Impact on the Agency

Version : 02-02/2011/v1
Form 02-02 Understanding the Agency Template
ANALYTIC REVIEW
Analytical procedures performed may include both financial and non-financial information Our analytical procedures performed provide a basis for
designing and implementing audit procedures that respond to the assessed risks of material misstatement. However, overall analytical procedures
may use data aggregated at a high level and therefore the results only provide an initial indication about whether a risk of material misstatement
exists.
a. Financial
Variance
Financial Statement Accounts Current Year Prior Year Remarks
Amount %

Version : 02-02/2011/v1
Form 02-02 Understanding the Agency Template
b. Performance
Variance
Performance Indicators Actual Budget/ Target Remarks
Amount %
Major Final Outputs

Version : 02-02/2011/v1
PAPs REVIEW
a. Program/Project Details
Program/ Project:
Objectives:
Total Budget:
Duration:
Project Overview:
b. Performance Indicators
Performance Variance
Actual Budget/Target Remarks
Indicators Amount %
Financial
Non-financial

Version : 02-02/2011/v1
UTA SUMMARY
Identified Agency Risk

UTA Ref. Impact on the Agency
Risk Title Risk Statement

Version : 02-02/2011/v1
Form 02-03: Agency Risk Model
AGENCY RISK MODEL
Objective
The Agency Risk Model is a tool to guide the audit team of a particular agency in the
identification of agency risks. The Agency Risk Model is a comprehensive list of risks that an
agency may encounter which could threaten the achievement of its mandate and objectives.
This model shall be regularly reviewed, updated and customized to consider changes in the
public sector environment as well as to consider the impact of new standards, laws, rules and
regulations.
Accomplishing this Tool
Risk Reference Number

- Assign a risk reference number for each agency risk identified. The risk reference number
would serve as a reference for the auditors to easily identify agency risks. Develop a risk
reference for the identified risk per risk category (strategic, operations, compliance,
financial).
Risk Listing
- The Risk Listing is a table of agency risks divided into the following risk categories:
a. Strategic
b. Operations
c. Compliance
d. Financial
The table lists down all potential risks that the agency may face. Therefore, there are risks
that may be identified as a risk of the agency in the current audit period that was not
identified in the preceding audit period. In either case, the risk listing shall be maintained
regardless of the existence of the risk at the time of the identification. Likewise, the list
shall be regularly updated to include emerging risks that may affect the achievement of
the agency’s mandate and objectives.

Version : 02-03/2011/v1
Risk Definition
- Customize/create the definition of the risks based on the nature of the risk.
a. Risk Title – The label for the risks identified shall be properly chosen to reflect the nature
of the risk even by just looking at the risk title.
b. Risk Description - The risk description shall be clear as to cause and effect of the risk
once it materializes. The risk definition shall be generic in nature and shall avoid including
process-level effects that limits/restricts the risk descriptions.
NOTE: The items in the succeeding pages are just samples to illustrate the tool. It does not represent any factual
data nor any result of prior audit projects.

Version : 02-03/2011/v1
AGENCY RISK MODEL
Strategic Operations Compliance Financial

Planning and resource allocation Public service and operations Mandate Market
§Organizational structure §Customer/public satisfaction §Functions §Interest rate
§Strategic planning §Channel effectiveness §Foreign currency
§Operational planning §Cycle time Governance §Commodity
§Service failure §Board performance/Agency
§Budgeting §Financial instrument
§Forecasting §Efficiency Management Committee
§Public policies
§Resource allocation §Capacity §Tone at the top
§Debt and fiscal policy
§Capital/fund availability §Performance measure/gap §Authority/limit
§Operational model §Partnering/contracting §Control environment Liquidity and credit
§Operational portfolio §Citizen relationship management §Corporate social responsibility §Cash management
§Outsourcing system and organization §Reputation §Opportunity cost
§Corruption and fraud §Funding
Major initiatives Code of conduct
§Hedging
§Vision and direction People §Ethics
§Credit and collections
§Planning and execution §Culture §Fraud
§Insurance
§Measurement and monitoring §Recruiting and retention §Employee/third party fraud
§Foreign assisted loan
§Technology implementation §Development and performance §Illegal acts
§Project evaluation §Succession planning §Management fraud Accounting and reporting
§Change readiness §Knowledge capital §Unauthorized use §Accounting, reporting and disclosure
§Climate change and sustainability initiatives §Compensation and benefits §Internal control
§Education Legal
§Performance incentives §Investment evaluation
§Healthcare services delivery §Contract
§Health and safety §Tax strategy and planning
§Energy and water management §Liability
(supply/distribution) Information technology §Intellectual property Capital structure
§Information management §Anticorruption §Debt
Environment dynamics
§Security/access §Legal §Equity
§Economic changes
§Financial market §Availability/continuity §Pension funds
Regulatory
§Sovereign/political §Integrity §Trade
§Customer/public wants §Infrastructure §Customs
§Technological innovation §Procurement
Hazards
§Environment scan §Road-right of way (RROW )Acquisition
§Natural events
§Agency environment/industry §Labor
§Terror and malicious acts
§Sensitivity §Securities
Market dynamics Physical assets §Environment
§Macroeconomic factors §Real estate §Data protection and privacy
§Lifestyle trends §Property, plant and facilities §International
§Sociopolitical §Maintenance and performance §Product/service quality
§Technology changes §Inventory §Health and safety
Communication and public relations §Competitive practice/antitrust
§Media relations
§Public relations
§Crisis communications
§Employee communication

Version : 02-03/2011/v1
Risk Definition
RISK
REF. NO. RISK TITLE RISK DESCRIPTION
STRATEGIC
Planning and Resource Allocation
Organizational The overall structure of the agency instrumentalities does not support the
S1
structure achievement of strategic objectives in an efficient manner.
This risk refers to the inability to discover, evaluate and select among
S2 Strategic planning alternatives to provide direction and allocate resources for effective
execution to achieve the strategic objectives of the agency
This risk refers to the misalignment of operating plans and execution to
S3 Operational planning
strategic planning. Lack of information needed to make the right decisions.
This risk refers to the inability to effectively budget for new and existing
initiatives that support the overall strategic goals and objectives for growth,
expansion, acquisition for public welfare.
S4 Budgeting
It also refers to the inability to effectively budget for programs and projects
that would meet the agency’s Medium Term Philippine Development Plan
(MTPDP).
This risk refers to the inability to forecast financial information to enable the
S5 Forecasting
allocation of resources to new and existing initiatives
Unavailability and inappropriateness of resource allocation process
S6 Resource allocation
prohibits the agency’s ability to provide value for public.
Insufficient access to fund threatens the agency’s capacity to grow, execute
S7 Capital/fund availability
its strategies and achieve its objectives.
The agency has an obsolete operation model and doesn’t recognize it
and/or lacks the information needed to make an up-to-date assessment of
S8 Operational model
its current model and build a compelling operational case form modifying
that model on timely basis.
Lack of relevant and reliable information that enables agency management
to effectively prioritize its services or balance its operations in a strategic
S9 Operational portfolio
context may preclude a diversified agency from maximizing its overall
performance.
Outsourcing activities to third parties may result in the third parties not
S10 Outsourcing acting within the intended limits of their authority or not performing in a
manner consistent with the agency’s strategies and objectives.
Major initiatives
This risk refers to the failure to establish a vision and direction for major
initiatives, including services, products and programs that will drive future
S11 Vision and direction
growth. It also refers to the failure to establish project acceptance criteria
and adequately measure against the criteria.
Planning and This risk refers to the failure to plan and execute major initiatives due in a
S12
execution coordinated manner.
This risk refers to the failure to identify appropriate metrics and assess
Measurement and
S13 performance, quality and adherence to the standards as set forth by the
monitoring
agency.

Version : 02-03/2011/v1
RISK
Technology This risk refers to the failure of a major technology implementation to meet
S14
implementation the strategic objectives of the organization.
Failure to evaluate project proposals may result in problems when the
S15 Project evaluation
project has been approved.
The people within the agency are unable to implement process and service
S16 Change readiness improvements quickly enough to keep pace with changes in the public
environment.
Failure to foresee changes in the environment and establish initiatives to
Climate change and
S17 keep pace with biological changes may result in stop operations and
sustainability initiatives
degradation
Environment Dynamics
Economic changes, such as lower economic growth, reduce tax revenue
S18 Economic changes and opportunities to provide a wide range of services or limit the availability
or quality of existing services.
Movements in prices, rates, indices and the like threaten the value of the
S19 Financial market
agency’s financial assets.
Adverse political actions in a country in which the agency has invested
significantly, is dependent on a significant volume of operation or has
S20 Sovereign/political
entered into a significant agreement with a counterparty subject to the laws
of that country threaten the agency’s resources and future cash flows.
The agency may not be aware of changing pervasive public needs and
S21 Customer/public wants
wants, e.g. increased demand for faster turnaround on services.
The agency is not leveraging advancements in technology in its operations
Technological to achieve or sustain advantage or is exposed to the actions of other
S22
innovation agency’s or substitutes that do not leverage technology or to attain superior
quality, cost and/or time performance in their services processes.
Failure to monitor the external environment or formulation of unrealistic or
S23 Environment scan erroneous assumptions about environment risks may cause the agency to
retain operation strategies long after they have become obsolete.
Agency This risk refers to the changes in opportunities and threats, and other
S24
environment/Industry conditions affecting the agency’s environment.
Over commitment of resources and expected future cash flows threatens
S25 Sensitivity the agency’s capacity to withstand changes in environment (e.g., interest
rates, public demand, changes in regulations) forces.
Market Dynamics
This risk refers to factors relating to macroeconomic conditions that affect
Macroeconomics
S26 the ability to maintain or increase revenue and profitability in a specific
factors
agency environment.
This risk refers to the failure to anticipate and respond to changes in overall
S27 Lifestyle trends
trends related to lifestyle demands of consumers.
This risk refers to the exposure to social and political factors within a market
S28 Sociopolitical environment that affect the ability to market, sell and service products and
services.
This risk refers to the dramatic changes in current technologies that may
S29 Technology changes impact the market viability or demand of current products and services
offered by the agency.

Version : 02-03/2011/v1
RISK
Communication and public relations

This risk refers to the inability to anticipate and manage shifts in the
information stakeholders want, and the way in which they want it
S30 Media relations
communicated to them and ineffective ongoing, transparent
communications with the public to create goodwill.
A decline in customer/public confidence threatens the agency’s capacity to
S31 Public relations
efficiently raise or collect funds.
This risk refers to the failure to communicate the right message effectively
S32 Crisis communications to recover and maintain agency operations in the event of a crisis or
disruption due to physical or natural circumstances.
Employee This risk refers to the inability to understand, and respond to, the
S33
communications communication needs of different employees.
OPERATIONS
Public Service and Operations

Customer/public A lack of focus on the customer/ public threatens the agency’s capacity to
O1
satisfaction meet or exceed the customer’s/ public’s expectations.
Poorly performing or positioned channel access threaten the agency’s
O2 Channel effectiveness
capacity to effectively and efficiently service the customer/ public.
Unnecessary activities threaten the agency’s capacity deliver services on a
O3 Cycle time
timely manner.
Faulty or nonperforming services expose the agency to customer/public
O4 Service failure
complaints, litigation, and loss of revenues, and agency reputation.
Inefficient operations threaten the agency’s capacity to deliver services at
O5 Efficiency
the lowest cost and shortest time possible.
Insufficient capacity threatens the agency’s ability to meet customer/public
O6 Capacity demands, or excess capacity threatens the agency’s ability to generate
competitive profit margins.
Inability to perform at world-class levels in terms of quality, costs and/or
Performance
O7 cycle time due to inferior operating practices threatens the demand for the
measure/gap
agency’s services.
Inefficient or ineffective external relationships affect the agency’s capacity to
serve; these uncertainties arise due to choosing the wrong partner, poor
O8 Partnering/contracting
execution, taking more than is given (resulting in loss of a partner) and
failing to capitalize on partnering opportunities.
People
This risk refers to the failure to establish a culture that is consistent with
O9 Culture management philosophy and that encourages integrity, values, and ethical
competence.
Recruiting and This risk refers to the failure to attract, hire and retain the qualified
O10
retention resources to optimize execution of the organization's objectives.
Inability to develop and enhance employee skills and provide performance
Development and
O11 management that ensures optimal achievement of organizational strategies,
performance
goals and objectives.

Version : 02-03/2011/v1
RISK
This risk refers to the failure to create and implement an effective
succession plan for senior executive and other key positions and
O12 Succession planning employees throughout the organization. It also refers to failure to align
succession planning with strategic planning and leadership development
objectives).
Processes for capturing and institutionalizing learning across the agency
are either non-existent or ineffective, resulting in slow response time, high
O13 Knowledge capital
costs, repeated mistakes, slow development, constraints on growth and
unmotivated employees.
This risk refers to the failure to provide a total compensation package (base
Compensation and salary, annual/long-term incentive, benefits/perquisites) that are market
O14
benefits competitive, aligned to agency and compensation strategies and retain and
motivate employees to achieve desired results.
Unrealistic, misunderstood, subjective or non-actionable performance
Performance measures may cause senior management, division heads and employees
O15
Incentives to act in a manner inconsistent with the agency’s objectives, strategies, and
ethical standards, and with prudent agency practice.
Failure to provide a safe working environment for its workers exposes the
O16 Health and safety agency to compensation liabilities, loss of operational reputation and other
costs.
Information and technology
Failure of Information systems to adequately protect the critical data and
O17 Security/access infrastructure from theft, corruption, unauthorized usage, viruses, or
sabotage.
This risk refers to the inability to recover from, and continue uninterrupted
O18 Availability/continuity operations in the event of extraordinary events, systems and
implementation failures.
This risk refers to information systems that do not provide reliable
O19 Integrity information when it is needed or perform so slowly that operations are not
efficient.
The computer and telecommunications systems with supporting software do
not capture, retain and transfer data in a secure and reliable environment
O20 Infrastructure
and do not meet the expected requirements of the agency at a reasonable
cost.
Hazards
This risk refers to the threat to disrupt operation and ability of the agency to
sustain operations, provide essential services or recover operating costs or
O21 Natural events
accomplish planned target due to natural events (e.g., fire, earthquake,
tornado).
This risk refers to the threat to disrupt operation and ability of the agency to
Terror and malicious
O22 sustain operations, provide essential services or recover operating costs or
acts
accomplish planned target due to terrorist activities or other malicious acts.
Physical assets
This risk refers to the failure to provide physical protection and stewardship
O23 Real estate
over real estate designed to optimize longevity and utilization.
Property, plant and
O24 over long-lived assets (such as buildings, furniture, fixtures, machinery,
facilities
equipment and other assets) designed to optimize longevity and utilization.

Version : 02-03/2011/v1
RISK
O25 Inventory over inventories designed to optimize utilization while minimizing
obsolescence, contamination and so on.
COMPLIANCE
Mandate
Failure to align process objectives and performance measures with the
C1 Function mandate of the agency, its objectives and strategies may result in
conflicting, uncoordinated activities throughout the agency.
Governance
Board This risk refers to the failure of the Board of Directors to discharge their
performance/Agency obligations and duties owed to the agency and its stakeholders in good faith
C2
management and to possess adequate knowledge to interpret and act on the information
committee provided.
Senior management fails to establish an environment that encourages
integrity, ethical values, and competence of the agency's people through
C3 Tone at the top
management's philosophy and operating style, assignment of authority and
responsibility, and the organization and development of its people.
Ineffective lines of authority may cause senior management, division heads
C4 Authority/limit or employees to do things they should not do or fail to do things they
should.
This risk refers to the failure to establish and maintain an internal control
C5 Control environment
environment which aligns with stakeholder and regulatory expectations.
This risk refers to the mismanagement of "socially responsible" activities
(e.g., conducting social responsibility training for management of
Corporate social manufacturers, undertaking environmental programs, participating in
C6
responsibility community initiatives) resulting in an unfavorable agency perception with
stakeholders, customers, suppliers, agency partners, employees and the
regulatory community.
Damage to the Agency’s reputation exposes it to loss of customer/public
C7 Reputation
trust, profits and the ability to grow.
Code of conduct
This risk refers to the absence of formal standards of employee behavior
C8 Ethics that are intended to direct and influence the way agency operation is
conducted, above and beyond the letter of the law.
Potential unethical acts committed by agency employees or other
C9 Fraud
stakeholders may negatively impact the agency's reputation.
This risk refers to the fraudulent activities perpetrated by employees,
Employee/Third Party suppliers, agents, or third-party administrators against the agency for
C10
Fraud personal gain (e.g., misappropriation of physical, financial or information
assets) expose the agency to financial loss.
Illegal acts committed by senior management, division heads or employees
C11 Illegal Acts expose the agency to fines, sanctions, and loss of public trust, profits and
reputation and the like.
Management Fraud (e.g., intentional misstatement of financial statements
C12 Management Fraud
or critical reports) may adversely affect stakeholders’ decisions.

Version : 02-03/2011/v1
RISK
Unauthorized use of the agency’s physical, financial or information assets
C13 Unauthorized Use by employees or others exposes the agency to unnecessary waste of
resources and financial loss.
Legal
This risk refers to entering into contracts that are unfavorable to the agency
C14 Contract and the failure to comply with and monitor contract terms to protect the
agency from financial losses.
This risk refers to a responsibility, duty or obligation that may result in lawful
C15 Liability consideration to provide satisfaction, compensation or other form of
restitution.
This risk refers to the failure to create, capture, enhance, leverage and
C16 Intellectual property protect the collective knowledge, expertise and ideas of agency employees
valued as non-physical assets.
This risk refers to the failure to create an agency environment which is
C17 Anticorruption
opposed to corruption, and instill agency practices that prevent corruption.
Changing laws threaten the agency’s capacity to consummate important
C18 Legal transactions, enforce contractual agreements or implement specific
strategies and activities.
Regulatory
This risk refers to the failure to identify and prevent legal risks posed by
C19 Trade non-compliance with agency and international regulatory requirements for
trade practices, e.g., anti-dumping and trade policy.
C20 Customs non-compliance with agency and international regulatory requirements for
Customs.
C21 Procurement
non-compliance with the agency procurement reform act.
This risk refers to the failure to implement infrastructure projects due to
Road-right of way
C22 RROW problems and risks posed by non-compliance with Comprehensive
(RROW) acquisition
and Continuing Urban development and Housing Program (RA 7279)
non-compliance with agency and International regulatory requirements for
C23 Labor
Labor rules and regulations, including taxes, wages, anti-discrimination,
Family and Medical Leave, workplace violence and so on.
C24 Securities non-compliance with agency and International Securities regulatory
requirements.
C25 Environment non-compliance with agency and International Environmental regulations,
e.g., noncompliance with ISO 4001 standards.
Data protection and
C26 non-compliance with privacy rules and regulations standards resulting in
privacy
improper disclosure of confidential customer information.
This risk refers to the exposure to geo-political, regulatory and fraud risks
C27 International
via international business dealings.
C28 Product/service quality non-compliance with agency and International regulatory requirements for
product/service quality and safety.

Version : 02-03/2011/v1
RISK
C29 Health and safety non-compliance with agency and International rules and regulations for
health and safety.
Competitive non-compliance with agency and international rules and regulations for
C30
practice/antitrust competitive practices/anti-trade. Lack of awareness of statutory and
regulatory application of export and customs policies and requirements.
FINANCIAL
Market
This risk refers to the unfavorable price paid per unit of funds borrowed or
F1 Interest rate the rate of return received on invested assets, or interest rate fluctuations
beyond projected range.
This risk refers to the unfavorable fluctuations in the currency of another
F2 Foreign currency
market that is needed to carry out international transactions.
This risk refers to the unfavorable fluctuations in the price of raw materials
F3 Commodity or other commodities used in product development/service delivery that are
not anticipated and managed.
Financial market risk can vary depending on the particular segment of the
F4 Financial instrument market to which the holder of a financial instrument is exposed, or the way
in which the exposure is structured.
Liquidity and credit
This risk refers to the failure to efficiently and effectively administer and
F5 Cash management
manage cash flows to maintain adequate liquidity to meet obligations.
This risk refers to the the use of funds in a manner that leads to the loss of
F6 Opportunity cost economic value, including time value losses, transaction costs and other
causes of loss of value.
This risk refers to the failure to meet the requirements of a portfolio of
capital investments and obligations based on specified commitments or in
accordance with terms of an agreement (i.e., retirement and capital
F7 Funding accounts).
It also refers to the failure to receive appropriate funds to finance programs

and projects.
This risk refers to the failure to purchase or undertake sale transactions that
F8 Hedging
effectively minimize profits or losses arising from price fluctuations.
This risk refers to the inability to obtain the optimal level of payment
F9 Credit and collections
received as a result of a prior agency transaction.
Insurance coverage fails to protect the agency from significant financial
F10 Insurance
losses due to incidents and claims.
Accounting and reporting
Incomplete, inaccurate and/or untimely reporting of required financial and
operating information to other regulatory agencies may expose the agency
Accounting, reporting to fines, penalties and sanctions.
F11
and disclosure
Over-emphasis on financial accounting and other information to manage the
operations may result in the manipulation of outcomes to achieve targets at

Version : 02-03/2011/v1
RISK
the expense of not meeting public expectation, quality and efficiency
objectives.
This risk refers to the significant or material weaknesses resulting from
F12 Internal control inadequate financial internal controls impacting management's assessment
and reporting under country regulations.
This risk refers to the lack of relevant and/or reliable information supporting
F13 Investment evaluation investment decisions and linking the financial risks accepted to the capital
at risk, may result in poor short- or long-term investments.
This risk refers to the failure to properly evaluate and execute tax planning
Tax strategy and
F14 strategies. It also refers to the misalignment of tax objectives and strategies
planning
with overall agency objectives, strategies and initiatives.
Capital structure
This risk refers to the potential over-reliance on borrowing from creditors to
provide adequate working capital for agency objectives and/or to cover
F15 Debt
current operating obligations resulting in an unfavorable debt to equity
ratios.
This risk refers to the inability to offer marketable securities appropriately
F16 Equity
priced for the enterprise's value.
This risk refers to the inability to identify, establish and maintain the optimal
F17 Pension funds
structure for pension funds.

Version : 02-03/2011/v1
Form 02-04 Agency Risk Identification Matrix
AGENCY RISK IDENTIFICATION MATRIX
Objective
The Agency Risk Identification (AgRI) Matrix is used to document the agency risks identified
for a particular audit period. As a tool that will facilitate the risk assessment process, this
document shall be used by audit teams when assessing the impact and likelihood,
identifying the locations affected and determining the initial audit response.
Accomplishing this tool is critical to for the audit team to have a common risk language when
understanding the risk profile of the agency being audited.
a. Risk Reference Number

- Obtain the risk reference number from the risk reference number assigned in
the Agency Risk Model.
b. Agency Risk Title/Risk Statement

- For each audit period, identify the risks of the agency being audited. The team
shall concur and agree on the risks that they perceive will affect the
achievement of the agency objectives and operations.
c. Risk Rating
Impact – Assess the impact of the agency risk as to high, moderate and low
including the justification for the assessment
In assessing the impact of an agency risk, COA auditors should consider

the following factors:
· Potential financial loss or lost opportunity for the agency
· Damage to reputation or relationship with stakeholders or public
· Potential business interruption/ reduction of agency operations
· Degree of agency failure to achieve mandate
· Noncompliance with laws, rules and regulations
Likelihood – Assess the likelihood of the risk as to high, moderate and low
including the justification for the assessment.
In assessing the likelihood of an agency risk, COA auditors should

assess the probability/frequency of the risk occurring over a predefined

Version : 02-04/2011/v1
time period. In most instances, the time period is set at one year. It can
be adjusted to be aligned with the agency’s operating cycle.
Overall Rating – The overall rating is the combination of the assessment

made on the impact and likelihood of the agency risk identified.
The overall rating shall be determined using the following matrix:
High Moderate High High
Moderate Low Moderate High

IMPACT
Low Low Low Moderate
Low Moderate High

LIKELIHOOD
d. Risk Location
Process/PAPs – Identify the process or PAP affected by the agency risk.
Office – Identify the offices (departments or units) responsible the process

affected by the agency risk.
e. Initial Audit Response

- Indicate the initial audit response for the agency risk identified using the
auditor’s judgment and past experiences. The team is not limited to the audit
response identified in this tool since further evaluations will be made to
determine the appropriate audit strategies to be used.

Version : 02-04/2011/v1
AGENCY RISK IDENTIFICATION MATRIX
Agency ____________________________ Prepared by : ____________________________ Date : ________________
Audit Period ____________________________ Reviewed by : ____________________________ Date : ________________
Office ____________________________ Approved by : ____________________________ Date : ________________
Risk Risk Rating Risk Location

Agency Risk Title/ Initial Audit
Ref. Overall Rating
Risk Statement Impact Likelihood Process/ PAPs Office Response
No.
High High High Financial
Moderate Moderate Compliance

Moderate
Low Low Perf ormance
Low FRA
Justification: Justification:
High High High Financial
Moderate Moderate Compliance

Moderate
Low Low Perf ormance
Low FRA

Version : 02-04/2011/v1
Form 02-05: Agency-level Controls Checklist
AGENCY-LEVEL CONTROLS CHECKLIST
Objective
After understanding the agency objectives and risks, auditors shall identify the top-level controls
that the agency has established. Auditors shall obtain an understanding of agency-level controls
to plan their audit and determine the most appropriate audit strategy.
The Agency-level Controls Checklist contains a set of questions for each internal control
component: The questions provided herein will guide auditors in obtaining an initial
understanding of the agency-level controls set by the agency management. However, auditors
shall consider that documenting and evaluating agency-level controls does not by itself provide
a complete perspective of internal controls of an agency. It is an important starting point
because the assessment of agency-level controls – particularly when weaknesses are identified
– can have a significant effect on the overall assessment of the effectiveness of internal controls
and procedures.
The internal control concepts of the National Guidelines on Internal Control Systems (NGICS)
and the International Standards of Supreme Audit Institutions (ISSAI) are incorporated in this
tool.
I. ALCC Probing Questions
Internal Control Component – Probing questions are initially provided for the following internal
control component:
- Control Environment
- Risk Assessment
- Information and communication
- Monitoring
- Control Activities
NOTE:
Auditors are not only limited to the probing questions provided in this questionnaire.
Additional questions may be developed by the team, if deemed necessary.
Yes / No / Not applicable – Answer each probing question with the appropriate response as a
result of the auditor’s validation of each internal control component.

Version : 02-05/2011/v1
Remarks – Provide any remark or comment that the auditor may have during on the related
probing question as a result of its validation. Examples of remarks may include identification
of areas needed to be focused for the audit engagement or possible fraud indicators.
Initial Assessment – Make an initial assessment as to the design and operating effectiveness of
each sub-component of the agency’s internal control using the probing questions supplied.
Indicate the reasons for giving such an assessment in the “reason” column.
The operating effectiveness of some components of the agency’s internal control is hard to
determine. In this case, audit teams shall document the reasons why and focus its
assessment on the design of the internal control. Auditor shall use their professional
judgment during this assessment.
II. ALCC Summary
Observations – Document the observations obtained during the understanding of the agency
level controls. Observations may include deficiencies noted on the design of agency-level
controls or red flags that we may note on the process that may indicate source of fraud
risks. Incidentally, audit teams may need to issue an Audit Observation Memorandum
(AOM) to call the attention of the agency for the observations noted.
Recommendations - Provide a recommendation (if applicable) for each key observation noted.
AOM Reference – Indicate the AOM reference number for those observations issued with an
Audit Observation Memorandum.

Version : 02-05/2011/v1
AGENCY-LEVEL CONTROLS CHECKLIST
Agency: Prepared:
Date
Reviewed:
Audit Period: Date
Approved
Date
I. ALCC Probing Questions
Internal Control Component Yes No NA Remarks

Control Environment
Integrity, Ethical Values, and behavior of key executives

A.1. The agency has a code of conduct or
equivalent policy that is communicated and
monitored.
A.2. The agency’s culture emphasizes the

importance of integrity and ethical behavior.
Senior management holds itself to the highest
standards and leads by example.
A.3. The agency’s communications reinforce a

consistent message regarding policies and
culture.
A.4. Agency management takes appropriate

action in response to departures from
approved policies and procedures or the code
of conduct.
A.5. There are appropriate policies for such

matters as conflicts of interest, and security
practices that are adequately communicated
throughout the agency.
A.6. Agency management maintains, monitors and

appropriately responds to a fraud hotline.
A.7. The agency has a whistleblower policy and

related whistleblower or ethics hotline, which
are appropriately communicated throughout
the agency, and include procedures for
handling complaints and for accepting
confidential submissions of concerns about
questionable transactions.
A.8. Agency management’s control consciousness

Version : 02-05/2011/v1

and operating style are _________.
A.9. Agency management gives appropriate

attention to internal control, including
information technology controls.
A.10. Agency management corrects identified

internal control deficiencies in a timely
manner.
A.11. Agency management tends to be

conservative with respect to selecting
accounting principles and determining
accounting estimates.
A.12. Agency management consults with us on

significant matters relating to accounting and
financial reporting issues.
Initial Assessment: Reason:

Effective
Ineffective
Agency management’s commitment to competence

A.13. The agency personnel have the competence
and training needed to deal with the nature
and complexity of the agency’s operations.
A.14. Agency management has other processes in

place for handling complaints about agency
operational issues.

Effective
Ineffective
Participation in governance and oversight by those charged with governance

A.15. Those charged with governance provide
effective oversight of the agency’s operations.
A.16. There is an open line of communication

among those charged with governance and
COA auditors, and the nature and frequency
of communication is appropriate given the
size and complexity of the agency.
A.17. Those charged with governance have

sufficient knowledge, experience and time to
perform their role effectively.

Version : 02-05/2011/v1

A.18. Those charged with governance are
appropriately independent of agency
management given the size and complexity of
the agency.

Effective
Ineffective
The organizational structure and assignment of authority and responsibility

A.19. The agency organizational structure is
appropriate given the nature, size and
complexity of the agency
A.20. Agency management engages in

communications so that members of
personnel understand the agency’s
objectives, their role in relation to these
objectives, and how they are held
accountable for the achievement of these
objectives.
A.21. There are appropriate methods for

establishing authority, responsibility and lines
of reporting.
A.22. There are written job descriptions, reference

manuals and other communications to inform
personnel of their duties.

Effective
Ineffective
Human resource policies and practices

A.23. The agency has adequate standards and
procedures for hiring, training, motivating,
evaluating, promoting, compensating,
transferring, or terminating personnel
A.24. Job performance is periodically evaluated and

reviewed with each employee.

Effective
Ineffective

Version : 02-05/2011/v1

Risk Assessment
B.1. Agency objectives are established,

communicated, and monitored. Key elements
of the agency’s strategic plan are
communicated throughout the agency so all
employees have a basic understanding of the
agency’s overall strategy.
B.2. A process is in place to periodically review

and update agency-wide strategic plans. The
strategic plan is reviewed and approved by
the agency’s board of directors.
B.3. The agency-wide strategic plan includes IT or

there is a separate IT strategic plan that
addresses the technology needs of the
agency to effectively and efficiently meet its
strategic plan.
B.4. There is an adequate mechanism for

identifying agency risks, including those
resulting from:
— Entering new markets or lines of

business
— Offering new products and services
— Privacy and data protection compliance
requirements
— Other changes in the operations,
economic, and regulatory environment
B.5. The internal audit (or another group within the
company) performs a periodic (at least
annual) risk assessment. Senior management
reviews the risk assessment and considers
actions to mitigate the significant risks
identified.
B.6. Management considers how much risk it is

willing to accept when setting strategic
direction or entering new markets, and does it
strive to maintain risk within those levels.
B.7. The board of directors and/or the audit

committee oversees and monitors the risk
assessment process and takes action to
address the significant risks identified.
B.8. There are groups or individuals who are

responsible for anticipating or identifying
changes with possible significant effects on
the agency. Processes are in place to inform
appropriate levels of management about

Version : 02-05/2011/v1

changes with possible significant effects on
the agency.
B.9. Budgets/forecasts are updated during the

year to reflect changing conditions.
B.10. Periodic reviews are performed or other

processes in place to, among other things,
anticipate and identify routine events or
activities that may affect the agency’s ability
to achieve its objectives and address them.
B.11. Management reports to the board of directors

and/or the audit committee on changes that
may have a significant effect on the agency.
B.12. The board of directors and/or the audit

committee review and approve significant
changes in the agency’s accounting
practices.
B.13. There are processes to ensure the

accounting department is made aware of
changes in the operating environment so they
can review the changes and determine what,
if any, effect the change may have on the
agency’s accounting practices.
B.14. There are channels of communication

between the accounting department and/or
individual(s) in charge of monitoring
regulatory rules so the accounting department
is aware of regulatory changes that could
affect the agency’s accounting practices.

Effective
Ineffective
Information and Communication
Information
C.1. The agency is able to prepare accurate and
timely financial reports, including interim
reports.
C.2. The board of directors and management

receive sufficient and timely information to
allow them to fulfill their responsibilities.

Version : 02-05/2011/v1

C.3. Management’s objectives in terms of budget,
profit, and other financial and operating goals
are defined and measurable. Actual results
are measured against these objectives.
C.4. There is a high level of user satisfaction with

information systems processing, including
reliability and timeliness of reports.
C.5. There is a sufficient level of coordination

between the accounting and information
systems processing functions/departments.
C.6. There are appropriate policies for developing

and modifying accounting systems and
controls (including changes to and use of
computer programs and/or data files).
C.7. Management’s efforts to develop or revise

information systems (including accounting
systems) are responsive to its strategic plans.
C.8. There are significant applications or

transactions that are executed /processed by
service organizations. Management has
documented the relevant controls at the
service organization, the company, or both
that mitigate the risk of errors. There are
policies for periodic monitoring of controls
either at the service organization or the
company and taking appropriate action to
mitigate potential new risks.
C.9. The board of directors or audit committee is

involved in monitoring information systems
projects and resource priorities.
C.10. The IT organization chart clearly reflects

areas of responsibility and lines of reporting
and communication.
C.11. There are defined responsibilities for

individuals responsible for implementing,
documenting, testing and approving changes
to computer programs that are purchased or
developed by information systems personnel
or users.
C.12. Systems conversions are well controlled (e.g.,

completed pursuant to written procedures or
plans).
C.13. Financial management ensures and monitors

Version : 02-05/2011/v1

user involvement in the development of
programs, including the design of internal
control checks and balances.
C.14. There is a high degree of cooperation and

interaction between users and the IT
department (e.g., procedures to ensure
ongoing monitoring by the IT department of
user satisfaction with IT processing and
policies for the development, modification,
and use of programs and data files).
C.15. Application programs and data files are

backed up regularly.
C.16. There is a current disaster recovery plan for

the significant components of the IT
infrastructure.
C.17. There is a business continuity plan that

incorporates the disaster recovery plan and
end-user department needs for timely
recovery of critical functions, systems,
processes and data.
C.18. The disaster recovery and business continuity

plans are tested periodically (at least
annually).
C.19. The disaster recovery and business continuity

plans are updated for changing conditions.

Effective
Ineffective
Communication
C.20. Lines of authority and responsibility (including
lines of reporting) within the company are
clearly defined and communicated.
C.21. There are written job descriptions and

reference manuals that describe the duties of
personnel.
C.22. Policies and procedures are established for

and communicated to personnel at
decentralized locations (including regional
operations).
C.23. There is a training/orientation for new

Version : 02-05/2011/v1

employees, or employees when starting a
new position, to discuss the nature and scope
of their duties and responsibilities. Such
training/orientation includes a discussion of
specific internal controls they are responsible
for.
C.24. There is a process for employees to

communicate improprieties. The process is
well communicated throughout the agency.
The process allows for anonymity for
individuals who report possible improprieties.
There is a process for reporting improprieties,
and actions taken to address them, to senior
management, the board of directors, or the
audit committee.
C.25. All reported potential improprieties are

reviewed, investigated, and resolved in a
timely manner.
C.26. Employees believe they have adequate

information to complete their job
responsibilities.
C.27. There is a process to quickly disseminate

critical information throughout the agency
when necessary.
C.28. There is a process for tracking

communications from customers, vendors,
regulators, and other external parties.
C.29. Ownership is assigned to a member of

management to help ensure that the agency
responds appropriately, promptly, and
accurately to communications from
customers, vendors, regulators, and other
external parties.

Effective
Ineffective
Monitoring
Internal Audit function
D.1. The agency has an effective internal audit

Version : 02-05/2011/v1

function.
D.2. The internal audit function is independent of

the activities they audit and are prohibited
from having operating responsibilities.
D.3. The internal audit function adheres to

professional standards (e.g., International
Standards for the Professional Practice of
Internal Auditing).
D.4. The scope of internal audit activities is

appropriate given the nature, size and
structure of the agency.
D.5. The internal audit department develops an

annual plan that considers risk in determining
the allocation of resources.
D.6. The results of the internal audit activities are

reported to senior management and COA
auditors.

Effective
Ineffective
Other monitoring activities

D.7. Periodic evaluations of internal control are
reported to agency management and those
charged with governance.
D.8. Personnel, in carrying out their regular duties,

obtain evidence as to whether the system of
internal control continues to function.
D.9. Policies and procedures are in place to

ensure that corrective action is taken in a
timely manner when control exceptions occur.
D.10. Agency management takes adequate and

timely actions to correct deficiencies reported
by the internal audit function or the
independent auditors.
D.11. Internal audit or another department performs

periodic reviews of internal control
D.12. Agency management or those charged with

governance review communications from
external parties that highlight areas of internal

Version : 02-05/2011/v1

control in need of improvement.

Effective
Ineffective
Control Activities
E.1. Are accounting and closing practices followed
consistently at interim dates (e.g., quarterly,
monthly) throughout the year?
E.2. Is there appropriate involvement by

management in reviewing significant
accounting estimates and support for
significant unusual transactions and non-
standard journal entries?
E.3. Is there timely and appropriate documentation

for transactions?
E.4. Does the agency review its policies and

procedures periodically to determine if they
continue to be appropriate for the agency’s
activities?
E.5. Do members of management have ownership

of the policies and procedures? Does the
ownership include ensuring the policies and
procedures are appropriate for the agency’s
activities?
E.6. Is there a budgetary system?
E.7. Does management review key performance

indicators (e.g., budget, profit, financial goals,
operating goals) regularly (e.g., monthly,
quarterly) and identify significant variances?
Does management then investigate the

significant variances and is appropriate
corrective action taken?
E.8. Are variances in planned performance

communicated and discussed with the board
of directors and/or audit committee at least
quarterly?
E.9. Are financial statements submitted to

operating management? Are they
accompanied by analytical comments?

Version : 02-05/2011/v1

E.10. Is there an appropriate segregation of
incompatible activities (e.g., separation of
accounting for and access to assets, IT
operations function separate from systems
and programming, database administration
function separate from application
programming and systems programming)?
Are organizational charts reviewed to ensure

proper segregation of duties exist?
E.11. Are appropriate approvals from management

required prior to allowing an individual access
to specific applications and databases?
E.12. Are IT personnel prohibited from having

incompatible responsibilities or duties in user
departments?
E.13. Are there processes to periodically (e.g.,

quarterly, semi-annually) review system
privileges and access controls to the different
applications and databases within the IT
infrastructure to determine if system privileges
and access controls are appropriate?
E.14. Has management established procedures to

periodically reconcile physical assets (e.g.,
cash, receivables, inventories, property and
equipment) with related accounting records?
E.15. Are physical inventories/cycle counts taken

on a periodic basis and the perpetual
inventory system adjusted accordingly? Are
significant or recurring adjustments
investigated to determine the reason for the
adjustment and are appropriate actions taken
to address the reasons for the adjustments?
E.16. Has management established procedures to

prevent unauthorized access to, or
destruction of, documents, records (including
computer programs and data files), and
assets?
E.17. Is data processing access to non-data

processing assets restricted (e.g., blank
checks)?
E.18. Are access security software, operating

systems software, and application software
used to control both centralized and
decentralized access to:

Version : 02-05/2011/v1
— Data
— Functional capabilities of programs (e.g.,
execute, update, modify parameters, read
only)?
E.19. Is physical security over information

technology assets (both IT department and
users) reasonable given the nature of the
agency’s operations?
E.20. Is critical computer data backed up daily and

stored off-site?
E.21. Are controls in place over dial-up access to

the agency’s computer resources (e.g.,
firewalls; centralized directories to store and
manage user identities and resource
privileges; automated policy-based request,
approval, and fulfillment process for
enterprise access)?
E.22. Is there a dedicated security officer function

that monitors IT processing activities and are
there periodic reports to the board of directors
and/or audit committee on the current state of
IT security at the agency?
E.23. Are there systems to monitor and respond to

potential interruptions in agency operations
due to incidents stemming from malicious
intrusions, and to update security protocols to
prevent them? Are security violations and
other incidents automatically logged and
reviewed?
E.24. Does the agency conduct periodic

reviews/audits of IT security? If yes, are the
results of the review/audit reported to the
board of directors and/or audit committee?

Effective
Ineffective

Version : 02-05/2011/v1
II. ALCC Summary
Observations Recommendations AOM Ref.

Version : 02-05/2011/v1
Form 02-06: Process-Risk-Control Matrix
PROCESS-RISK-CONTROL MATRIX
Objective
The Process-Risk-Control Matrix facilitates the understanding of processes as well as the

process-level risks and controls affected by agency-levels risks identified. This tool will guide
the agency audit team in identifying their focus areas for a specific audit period by obtaining
an initial view of the processes.
a. Critical Path of the Process

- Document the understanding of the significant process identified which is affected by
the agency-level risks as reflected in the Agency Risk Identification Matrix. Auditors
may use the narrative or flowchart form in documenting the process understanding.
The level of detail needed for the documentation depends on the objective of the
auditors. In any case, the documentation shall be sufficient enough to identify the
process-level risks and controls including the impact to the accounts and PAPs of the
agency. The documented process should reflect the actual process being done by
the agency. This should be validated by conducting process walkthroughs.
b. Process risks and existing controls
Process Risks – Identify the risks/what could go wrongs in the process through a risk
statement. Process-level risk is any event or circumstance that could affect the
achievement of the process’ objectives.
Impact: Accounts Affected (including assertions) – Identify the extent to which the risk
if realized would impact the agency’s financial statement accounts. This is
critical for planning the financial audit aspect.
Impact: Risk to PAPs – Identify the impact of process-level risks to the achievement
of the objectives of the agency’s PAPs. Examples are damage to assets,
reputation impacts and ability to achieve key objectives.
Existing Controls – Indicate the controls identified during the process understanding.
The controls that should be documented are those that are being carried out at
the time of the audit. Controls that have been presented in operations manual
or procedures shall be validated through walkthrough procedures.
Control Design Assessment – Develop an initial assessment on the design of the

controls based on the results of the walkthrough procedures conducted. Tick
the appropriate box if the control design is adequate or inadequate.

Version : 02-06/2011/v1
Reason if inadequate – Provide reason or the observation noted if the control design
assessment is inadequate
c. Summary
Key Observation – Document the observations obtained during the understanding of

the processes, risks and controls. Observations may include deficiencies noted
on the design of process-level controls or red flags that we may note on the
process that may indicate source of fraud risks among others. Incidentally,
audit teams may need to issue an Audit Observation Memorandum (AOM) to
call the attention of the agency for the observations noted.
Recommendation – Provide a recommendation (if applicable) for each key

observation noted.
AOM Ref. No. – Indicate the AOM reference number for those observations issued
with an Audit Observation Memorandum.

Version : 02-06/2011/v1
PROCESS-RISK-CONTROL MATRIX
Agency : ______________________________________ Prepared: : _______________________ Date : _______________________
Audit Period : ______________________________________ Reviewed: : _______________________ Date : _______________________
Significant Process : ______________________________________ Approved : _______________________ Date : _______________________
Significant Agency Risks : ______________________________________
a. Critical path of the process:

Our documentation of the flow of the process may be in narrative form or graphical form through the use of process mapping flowcharts. The form of documentation depends on the size and complexity of the process.

Version : 02-06/2011/v1
b. Identify Process Risks and Existing Controls
Impact
Accounts Affected Control Design
Process Risks Existing Controls Reason if inadequate
(including Risk to PAPs Assessment
assertions)
Adequate
Inadequate
Adequate
Inadequate
Adequate
Inadequate
Summary
Key Observation Recommendation AOM Ref. No.

Version : 02-06/2011/v1
Form 02-07: Audit Risk Assessment and Planning Tool
AUDIT RISK ASSESSMENT AND PLANNING TOOL
Objective
In order to develop an audit strategy that is responsive to the agency’s risks we make an
audit risk assessment for relevant assertions of significant material accounts and the
Agency’s PAPs.
The Audit Risk Assessment and Planning Tool will facilitate our documentation of our audit
risk assessment for financial, compliance and performance audits. In addition, it also
documents our audit strategy, scope and estimated timing which will guide the development
of our audit test procedures.
Accomplishing this tool:
A. Financial and Compliance
Significant Account – The significant and material financial statement account

identified in the PRC Tool.
Assertion – Check the related assertion/s of the financial statement account

identified in the PRC Tool
Inherent Risk – Assess the inherent risk of the financial statement account and
assertion. Our assessment of inherent risk may be higher or lower. Factors
that may affect our inherent risk assessment are as follows:
· Susceptibility to material misstatement

· Size and composition
· Variations from expected amounts
· Effects of external factors
· Competence and experience of agency personnel
· Degree of subjectivity
· Completion of unusual/complex transactions at or near period-end
· Transactions not subjected to routine processing
Include in the justification the reason why we assessed inherent risk as

higher or lower.
Control Assessment – Assess the control based on the adequacy of design. At

this point, we also assess the effectiveness of the controls based on the
results of walkthrough procedures conducted in Understanding the Process
and based on testing results we obtained from prior year’s audit. Our
assessment of the controls on the related financial statement account will be
whether we are intending to rely or not rely on the controls.
Include in the justification the reason why we intend to rely or not rely on the
controls.

Version : 02-07/2011/v1
Note that this assessment is preliminary only. A final assessment shall be

made after testing the controls in the execution phase (in case we intend to
rely at this point).
Risk Assessment – This refers to our combined risk assessment by considering

our inherent risk and control assessment. Combined risk assessment is
determined by using the following diagram:
Inherent Risk High Low High

Assessment
Low Minimal Moderate
Low High
Control Assessment
The above diagram can also be interpreted as follows:
Inherent Risk Control Risk Combined Risk

Assessment Assessment Assessment
Low & Low = Minimal
High & Low = Low
Low & High = Moderate
High & High = High
Audit Strategy – Indicate whether our main strategy would be testing the controls
or substantive tests. Test of controls will be the audit strategy for accounts
assessed as ‘Minimal’ or ‘Low’ (we are intending to rely on the controls),
whereas, substantive procedures will be the audit strategy for accounts
assessed as ‘Moderate’ or ‘High’.
Timing – Indicate the estimated date when the audit test procedures for the
financial statement account will commence.
Person Days – Indicate the amount of time or duration for the completion of the
audit test procedures.
B. Performance
Column Headings (Selection Factors) – Assign risk weights for each selection
factor. Risk weights are expressed as percentages and when summed up,
should equal to 100%. The assignment of risk weights is based on the
auditor’s judgment. To minimize bias/subjectivity, the assignment of risk
weights should be discussed among the audit team members and should be

Version : 02-07/2011/v1
reviewed by the Supervising Auditor/ Director. Illustrated below are

examples on how to assign risk weights:
Example 1: If the auditors would like to give equal risk weights on selection
factors and lesser weight on visibility, auditability and previous audit
coverage:
Selection Factors
Previous
Risk to Good
Materiality Impact Visibility Significance Auditability Audit
Management
(20%) (20%) (10%) (20%) (5%) Coverage
(20%)
(5%)
Example 2: If the auditors would like to focus more on the budget allocated
for the PAPs:
Selection Factors
Previous
Risk to Good
Materiality Impact Visibility Significance Auditability Audit
Management
(50%) (10%) (10%) (10%) (5%) Coverage
(10%)
(5%)
Example 3: If the auditors would like to focus more only on the Budget
allocation, Significance of the PAPs on the Agency’s Mandate:
Selection Factors
Materiality Significance
(50%) (50%)
Note that the auditors may remove selection factors that they wish not to
consider in their evaluation of the agency’s PAPs. Larger risk weights may
be allocated to those selection factors that the auditors wish to focus more.
As illustrated in the 3 examples, the total of risk weights allocated to the

selection factors is always equal to 100%.
Detailed definition of the selection factors are contained in the IRRBA

Manual.
PAPs – List down the Agency’s Significant PAPs.
Selection Factors – For each PAP, assign points for each selection factors. The
points to be given for each selection factor should not exceed the risk weight
assigned on the column heading of that selection factor. See illustration
below:
Selection Factors
Risk to Previous
PAPs Total
Materiality Impact Visibility Significance Good Auditability Audit
(20%) (20%) (10%) (20%) Management (5%) Coverage
(20%) (5%)
Program A 20 15 8 20 10 5 5
Program B 18 15 5 15 15 5 5

Version : 02-07/2011/v1
Note that the maximum amount of points to be given for each selection factor
is the risk weight assigned in the column heading. Assignment of points is
based on auditor’s judgment. To minimize bias/subjectivity, the assignment
of risk weights should be discussed among the audit team members and
should be reviewed by the Supervising Auditor/ Director.
Total – Sum up all the points given in the selection factors for the particular PAP.
Basis for Assessment – Indicate the auditor’s remarks/bases why such points
were given for each particular PAP.
PAPs to be subjected for performance audit

- This table summarizes the PAPs selected to be subjected for performance audit
during the audit period. Selection of PAPs will be based on the result of the
assessment performed in the preceding table (PAPs with higher total points will
be selected). The number of PAPs to be subjected for performance audit will
depend on the auditor by considering their workload for the audit period and
their available resources, i.e., manpower, competencies and so on.
Significant PAPs – List down the PAPs to be subjected for performance audit
for the audit period.
Audit Focus Area – Identify the specific areas of the PAPs to be focused for the
performance audit (e.g., procurement, delivery of services, efficiency of
operations)
Audit Aspect – Check whether to objective of the performance audit is to check

the economy, efficiency or effectiveness of the PAP. The auditor may
select one or more audit aspect depending on the scope of the
performance audit.
Timing – Indicate the estimated date when the performance audit will
commence.
performance audit.
C. Specialized Skills Needed
- This part identifies professionals with specialized skills needed for the audit and
defines their scope of work and timing.
Specialized Skills Needed – Identify the professional with specialized skills to be

needed in our audit. (Professionals with specialized skills may pertain to
engineers, IT auditors, actuaries and the like who would be of help in the
execution of audit procedures that require technical skills)
Office – Identify the office of the Specialized Skills Needed (e.g., TSO for
Engineers, ITO for IT Auditors).
Scope – Identify their scope of work (e.g., infrastructure projects to be reviewed by

engineers, computer programs to be evaluated by IT Auditors).

Version : 02-07/2011/v1
Timing – Indicate the estimated date when the conduct of audit procedures will
commence.
audit procedures.
D. Other Material Accounts
- These are formerly termed as LORMA or “Low Risk Material Account.”

- These are material accounts that were not considered in the audit risk
assessment for financial and compliance audit. Other Material accounts will be
subjected for High-level precision analytics or test of details, if necessary.
Other Material Accounts – List down the account titles of Other Material Accounts
Timing – Indicate the estimated date when the conduct of High-level precision
analytics would commence.
analytic procedures.
Person/s Responsible – Indicate the audit staff who will perform the procedures for
Other Material Accounts.

Version : 02-07/2011/v1
AUDIT RISK ASSESSMENT TOOL
Agency: Prepared by: Date:

Region: Reviewed by: Date:
Audit Period: Approved by: Date:
In order to develop an audit strategy that is responsive to an agency’s risk of material misstatement, we make a risk assessment for financial and compliance, performance
audits.
A. Financial and Compliance
For financial and compliance, we make our risk assessment by assessing the inherent risk, preliminary control risk and combining both assessments to arrive at an overall
risk assessment for each relevant assertion for each significant account.
Significant Account/ Inherent Risk Control Risk Person

Assertion Risk Assessment Audit Strategy Timing ATS Ref.
Critical Process (IR) (CR) Days
Existence/ Occurence Low Low-Rely on Controls Minimal TOC Click here to enter
a date.
Completeness High High-Not Rely on Controls Low Substantive
Test
Accuracy Moderate
Rights and Obligations High
Presentation & Disclosure
Compliance
Existence/ Occurence Low Low-Rely on Controls Minimal TOC Click here to enter
a date.
Completeness High High-Not Rely on Controls Low Substantive
Test
Accuracy Moderate
Rights and Obligations High
6|P a ge
Significant Account/ Inherent Risk Control Risk Person

Assertion Risk Assessment Audit Strategy Timing ATS Ref.
Critical Process (IR) (CR) Days
Presentation & Disclosure
Compliance
B. Performance
Selection Factors Total Bases for Assessment

PAPs Risk to Good Previous Audit
Materiality Visibility Significance Auditability
Management Coverage
(__%) (__%) (__%) (__%)
(__%) (__%)
7|P a ge
Phase 2 – Agency Audit Planning and Risk Assessment
PAPs to be subjected for performance audit:
Significant PAPs Audit Focus Area Audit Aspect Timing Person Days
¡ Economy
¡ Efficiency
¡ Effectiveness
C. SPECIALIZED SKILLS NEEDED
Specialized Skills Needed Office Scope Timing Person Days
D. OTHER MATERIAL ACCOUNTS

Identify Other Material Accounts that were not considered in the Financial and Compliance Audit Risk Assessment. Audit procedures for Other
Material Accounts include High-level precision analytics and Tests of Details, if necessary.
Other Material Accounts:

·
·
·
Timing: __________________.
Person Days: _______ .
Person/s Responsible: ____ .
8|P a ge
Integrated Results and Risk-Based Audit Manual Phase 3A - Execution
Form 03A-01: Audit Test Summary
AUDIT TEST SUMMARY
Objective
The Audit Test Summary is used to document our approach in executing financial and
compliance audit tests for each significant account. We also document the results of our audit
tests performed and conclusions reached based on such results.
Accomplishing this tool:
Significant Account – Indicate the account title of the significant account. Significant accounts
are taken from the significant accounts identified in Part A of the Audit Assessment and
Planning Memorandum.
Account Balance – Indicate the balance of the account.
Audit Risk Assessment – Check the audit risk assessment based on Part A of Audit
Assessment and Planning Memorandum. The Risk Assessment will determine our audit
strategy in the execution phase.
Part I: Test of Controls (TOC)
Note: TOC is performed only for accounts assessed as “Minimal” or “Low” (wherein we rated
control risk as Low – we are intending to rely on controls). If our audit risk assessment is either
“Moderate” or “High,” we will only accomplish Part II of this template.
Process – Indicate the process/es where TOC for the significant account will be done
Controls to be Tested – List down specific controls to be tested.
Person/s Assigned – Indicate the person/s who will execute the TOC for the significant
account.
Due Date – Indicate the estimated date when the TOC is expected to be completed.
TOC Working Paper Reference – Indicate the working paper reference where the execution of
the TOC is documented.
Summary of Test Results

Findings – Indicate the findings or exceptions noted during the conduct of TOC.

Version : 03-01/2011/v1
Recommendation – Indicate recommendations to correct the findings or other comments

for the improvement of the Agency’s controls on the process.
TOC W/P Ref. – Indicate the working paper reference where the findings/exceptions were
noted.
AOM Ref. – Indicate the AOM reference number (if any).
Conclusion – Indicate our conclusion statement on the operating effectiveness of the controls
tested.
Final Assessment of Control Risk – Based on the results of the TOC conducted, make a final
assessment of Control Risk:
· Low – Controls are operating effectively
· High – Controls are not operating effectively
In case our final control risk assessment is High, we need to reassess the overall audit risk,
reassessed audit risk will fall as Moderate or High depending on the inherent risk
assessment, as illustrated in the diagram below:
Inherent Risk Assessment
High Low High
Low Minimal Moderate
Low High
Control Risk Assessment
Part II – Substantive Tests
Extent of Testing – Check the appropriate box for the extent of testing (i.e., Extensive – for
Moderate or High; Less Extensive – for Minimal or Low)
ST Work Program Reference – Indicate the working paper reference where the execution of
the ST is documented.

Findings – Indicate the findings or exceptions noted during the conduct of ST.

Version : 03-01/2011/v1
Recommendation – Indicate recommendations to correct the findings.

ST W/P Ref. – Indicate the working paper reference where the findings/exceptions were
noted.
AOM Ref. – Indicate the AOM reference number (if any).
Conclusion – Indicate our conclusion statement whether the account is fairly presented in the
Agency’s financial statements (considering unbooked adjusting journal entries, if any).

Version : 03-01/2011/v1
AUDIT TEST SUMMARY

Agency: Prepared by: Date:
Reviewed by: Date:
Audit Period: Approved by: Date:
Significant Account: Audit Risk ¡ Minimal ¡ Moderate
Account Balance: Assessment ¡ Low ¡ High
Part I: TEST OF CONTROLS

Note: TOC is not performed if audit risk assessment is High or Moderate since our preliminary
assessment of Control Risk is “High - Not Rely on Controls”
Process: _______________________
Controls to be Tested:
·
·
·
Person/s Assigned: ____________________________

Due Date: ___________________________________
TOC Working Paper Reference: __________________
TOC W/P
Findings Recommendation AOM Ref.
Ref.
Conclusion Final Assessment of Control Risk
Low - Rely on Controls

(Controls are operating effectively)
High - Not Rely

(Controls are not operating effectively)
Re-assess audit risk

Moderate
High

Version : 03-01/2011/v1
Part II: SUBSTANTIVE TEST

Extent of Testing ST Work Program Reference
¨ Extensive (For Moderate or High)
¨ Less Extensive (For Minimal or Low)
Findings Recommendation ST W/P Ref. AOM Ref.
Conclusion

Version : 03-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B– Conclusion and Reporting
Form 03B-01: Summary of Audit Results and Recommendations
SUMMARY OF AUDIT RESULTS AND RECOMMENDATIONS
Objective
This form is used to summarize and evaluate the results of comprehensive audit and other
types of audits conducted. It has three parts as follows:
• Part I - Introduction
• Part II - Summary of Audit Results and Recommendations
• Part III - Evaluation Factors
After the exit conference with the agency, the audit team shall accumulate the
findings/observations and recommendations, as documented in Audit Observation
Memorandum (AOM), together with management comments using the Summary of Audit
Results and Recommendations provided in Part II of this Form.
The completed template should be initialed by the ATL and SA, and approved by the CD prior to
audit report sign-off. This completed template altogether with other relevant documentation
should be filed in the working papers.
The audit team should perform the following steps in relation to audit findings and observations
and their disposition:
A. Matrix of Audit Findings and Recommendations

§ Summarize the findings and recommendations as documented in AOMs. This includes
the findings and recommendation from financial, compliance, and performance audits
conducted.
§ Document management’s comments on each findings and recommendations. This
includes the disposition of proposed adjusting journal entries, disclosures, and
comments on performance audit findings.
§ Document the audit team’s response to management’s comments on the findings and
recommendations.
B. Summary of Unbooked Adjusting/ Reclassifying Journal Entries

§ Summarize the unrecorded proposed adjusting/reclassifying journal entries and
determine its effect on the Asset, Liabilities, Current Period Income or Prior Year
Income, as applicable
C. Results/Status of Other Audits (e.g., Fraud and GWSPA)

§ Summarize the findings/issues of other audits conducted.
§ Document the reference of the findings/issues.
§ State the status of audit(s). The audit(s) may be ongoing or completed.
§ Document the possible effect/impact of the audit in the agency’s financial statements.
§ Document other information deemed relevant by the audit team in the remarks column.
Please refer to Phase 3 - Delivery: Conclusion and Reporting of the IRRBAM for further details.

Version : 04-01/2011/v1
SUMMARY OF AUDIT RESULTS AND RECOMMENDATIONS
Agency ____________________________ Prepared by : _________________ Date : ________________
____________________________ Reviewed by : _________________ Date : ________________
Audit Period ____________________________ Approved by : _________________ Date : ________________
A. Matrix of Audit Findings and Recommendations
A.1. Financial and Compliance Audit
No. AOM No./Date Observation Recommendation Management Comment Rejoinder
A.2. Performance Audit
No. AOM No./Date Observation Recommendation Management Comment Rejoinder

Version : 04-01/2011/v1
B. Summary of Unrecorded Adjusting/ Reclassifying Journal Entries
Amount Financial Statement Effects of Unbooked Entries

AOM
Accounts and Description Assets Liabilities Current Prior Period
Ref. Debit Credit Current Non-Current Current Non-Current Income Income
Total
C. Results/Status of Other Audits (e.g., Fraud and GWSPA)
No. Significant findings/issues Reference Status of Audit Conclusion Remarks

Version : 04-01/2011/v1
D. Conclusion
In our opinion:
Yes No
1. Considering quantitative factors as well as non-quantitative factors

(refer to “Evaluation Factors” of this Template), the effects of □ □
unrecorded proposed entries, either individually or in the
aggregate, is not material to the financial statements taken as a
whole and therefore does not require modification of our auditors’
report.
2. The proposed entries, whether or not recorded, are not the result
of a significant weakness in internal control over financial reporting. □ □
3. The proposed entries, whether or not recorded, are not indications
of possible fraud or illegal acts. □ □
4. For any “No” responses above, indicate the steps taken or to be
taken:
□ Opinion modified
□ Audit scopes reassessed
□ Others: _____________________________________
Comments:

Version : 04-01/2011/v1
EVALUATION FACTORS
A. Materiality Factors
The following factors may be relevant to the evaluation of the materiality of passed entries,
recognizing that some may be more important than others.
1. Quantitative factors:
a. Earnings/Surplus
b. Other financial statement captions
c. Segment information
2. Meeting earnings/budget goals
3. Compliance with contracts and regulations
4. Impact on other periods
5. Trends
6. Possible undetected errors
7. Certainty of amount
8. Interpretations of ISSAI
9. Establishing accounting precedent
10. Large offsetting items
11. Nonrecurring items
12. Carryovers from prior periods
Additional factors to be considered by the audit team:

13. Current user needs
We may need to reassess our original materiality judgment in light of changed
circumstances or knowledge gained during the audit. For example, there may be
significant changes in economic trends, budgeted earnings/surplus or negotiations for
a line of credit.
14. Special circumstances.

The materiality threshold may be reduced when it is reasonably possible that third
parties will closely scrutinize the agency’s accounting practices and question why even
small errors were not corrected. This might apply to, for example:
o Maximum-risk assignments,
o Agencies with weakening financial condition,
o Agencies that may soon have new management (within a year or shortly
thereafter),
o Management that need to significantly improve their accounting and control
practices,
o Potentially sensitive areas, such as revenue recognition
15. Agency management’s past practices.

When entries are passed, it is usually assumed that agency management will
(a) subsequently correct the errors, and (b) improve its controls to prevent a
recurrence of the problem. However, when agency management appears to be unable
or unwilling to do either, the errors may take on greater significance. This is especially
true when the accounting system is capable, without significant additional cost or
effort, of correctly processing transactions.
Version : 04-01/2011/v1
16. Special purposes of the audit.

The impact of proposed entries could be magnified if the financial statements will be
used for special purposes. For example, if a buy-sell agreement bases the sale price
on a multiple of earnings, an otherwise minor adjustment could have a significant
immediate effect on the price.
B. Indications of significant weakness in internal control
Even when misstatements are not material, we need to consider whether their root
causes are due to inadequacies in internal control, particularly when the errors are
more widespread or significantly larger than anticipated. We may need to expand our
audit testing to compensate for an unexpected control weakness. We also may need to
communicate the weakness to senior agency management and the Oversight Body if it
is deemed to be a "reportable condition.”
C. Indications of possible fraud or illegal acts
Proposed entries may be indications of fraud or illegal acts (possibly the "tip of the
iceberg"). Examples are:
o A significant increase over the prior year in the number or size of proposed
adjustments.
o "Last minute" entries that significantly increase earnings.
o Misstatements that appear to have been made with the intent of achieving targeted
earnings or similar goals.
o Unsupported or unauthorized transactions, balances and reconciling items.
o Entries apparently made to conceal illegal acts.

Version : 04-01/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 3B – Conclusion and Reporting
Form 03B-02: Quality Inspection Tool
QUALITY INSPECTION TOOL

Objectives
The Quality Inspection Tool will guide the audit team in performing overall review and
approval of the audit engagement prior to the release of the audit report.
The tool is divided into two parts:

Part I : IRRBA Workstep Checklist
Part II : Quality Assurance Checklist
This tool is not all-inclusive; audit teams shall customize it as appropriate.
Part I: IRRBA Workstep Checklist
This part consists of the activities/processes as reflected in the IRRBA Manual. As part of
the quality assurance, audit teams shall ensure conformance to the prescribed
methodology in the conduct of their audits.
IRRBA Activities
- Identify the IRRBA Activities as prescribed in the methodology.
Working Paper Reference

- Indicate the Working Paper tag/label for easier reference of documents.
Performed by
- Staff member who completed the procedure/activity shall indicate his/her initials to
confirm his/her performance.
Reviewed by
- Reviewer shall append his/her initials as a proof of the evaluation.
Part II: Quality Assurance Checklist
This part consists of the minimum requirements in conducting audit engagements

as reflected in relevant standards, laws, rules and regulations.
General Audit Procedures

- Identify the minimum requirement of the relevant standards, laws, rules and
regulations.
Working Paper Reference

- Indicate the Working Paper tag/label for easier reference of documents.

Version : 03B-02/2011/v1
Performed by
- Staff who completed the procedure/activity shall indicate his/her initials to confirm
his/her performance.
Reviewed by
- Reviewer shall append his/her initials as a proof of the evaluation.

Version : 03B-02/2011/v1
QUALITY INSPECTION TOOL
Agency: _____________________________________________________
Period: _____________________________________________________
PART I: IRRBA Workstep Checklist
IRRBA Activities WP Ref. Performed by Reviewed by
1. Strategic Planning and Risk

Identification
1.1 Perform Government Risk

Identification
1.1.1 Develop/Update the

Government Risk Model
1.1.2 Identify Government Risks
1.1.3 Report the Results of GRI
1.2 Conduct COA Strategic Planning
2. Agency Audit Planning and Risk

Assessment
2.1 Prepare Agency Audit Workstep
2.2 Understand the Agency
2.3 Identify Significant Agency Risks

Version : 03B-02/2011/v1
2.3.1 Update Agency Risk Model
2.3.2 Identify Agency Risks
2.3.3 Prioritize Significant Agency

Risks
2.4 Understand the Agency-level

Controls
2.5 Understand the Process
2.5.1 Identify Critical Path of the

Processes
2.5.2 Identify Process Risks
2.5.3 Identify Impact
2.5.4 Identify Existing Process-

level Controls
2.6 Conduct Audit Risk Assessment and

Planning
2.6.1 Financial and Compliance
2.6.2 Performance
2.6.3 Determine Audit Scope and

Timing
2.6.4 Determine need for

specialized skills
3. Execution
3.1 Design Audit Tests
3.2 Execute Audit Tests
3.3 Evaluate Audit Results
3.4 Communicate Audit Results

Version : 03B-02/2011/v1
4. Conclusion and Reporting
4.1 Summarize Audit Results
4.1.1 Prepare summary of audit

results and
recommendations
4.1.2 Discuss results of different

types of audit conducted
4.2 Prepare Audit Report
4.2.1 Prepare Annual Audit Report
4.3 Perform Overall Audit Review
4.3.1 Perform overall review and

approval
4.3.2 Issue report
4.4 Wrap-up and Archive the

Engagement
4.5 Follow-up Agency Action Plan
5. Monitor quality control on audit services

Version : 03B-02/2011/v1
PART II: Quality Assurance Checklist
Performed Reviewed
General Audit Procedures WP Ref.
by by
1. Terms of Audit Engagements
An engagement letter has been prepared in

accordance with COA policies and professional
standards.
2. Independence
Members of the audit team are independent with

respect to this audit client and its affiliates
3. Initial Engagements – Opening Balances
For initial audits, perform procedures to obtain

sufficient appropriate audit evidence that:
a. The opening balances do not contain
misstatements that materially affect the current
period’s financial statements.
b. The prior period’s closing balances have been
correctly brought forward to the current period
or, when appropriate have been restated.
c. Appropriate accounting policies are consistently
applied or changes in accounting policies have
been properly accounted for and adequately
disclosed.
4. Consultation
Identify areas and specialized situations where

consultation is required and consult with others or
use authoritative sources on other complex or
unusual matters.
Areas identified: Consulted:
____________________
_________________
____________________
_________________
____________________
_________________
____________________

Version : 03B-02/2011/v1
Performed Reviewed
by by
_________________
Appropriate consultation has occurred in areas and

special situations where required by COA policies
and where the audit team otherwise deemed
necessary.
Appropriate documentation has been prepared and

reviewed for all consultation on significant issues
and those consulted were informed of all the
relevant facts and circumstances and the
conclusions are reasonable and consistent with
professional standards.
Memoranda that address all significant issues on

which consultation occurred are associated with, or
are attached to, the Audit Observation
Memorandum (AOM) with an indication of the
consultant’s approval. If consultation memoranda
have not yet been completed or approved in
writing, oral approvals have been obtained from the
individuals consulted and noted in the AOM or an
attachment to it.
Copies of the memoranda have been provided to

the individuals consulted.
Conclusions resulting from the consultations have

been implemented.
5. Minutes and Contracts
Obtain information regarding meetings of the

management, board of directors, shareholders and
important committees up to the report date.
a. Read minutes. Obtain copies of the signed
minutes or prepare excerpts. (If the copies are
not signed, compare them with the original
signed minutes.)
b. If minutes have not been prepared for recent
meetings, obtain a summary of what was
discussed.
c. Compare significant matters identified above
with information obtained during the audit and
cross-reference significant matters affecting the
financial statements to the appropriate
workpapers.

Version : 03B-02/2011/v1
Performed Reviewed
by by
Obtain information about important contracts,

agreements and similar documents and consider
their accounting or auditing implications. Cross-
reference significant matters affecting the financial
statements and other agency-issued reports to the
appropriate workpapers.
6. Consideration of Laws and Regulations in an

Audit of Financial Statements
When planning and performing audit procedures

and evaluating and reporting the results thereof,
consider the risk of non-compliance by the agency
with laws and regulations that may materially affect
the financial statements.
Obtain a general understanding of the legal and

regulatory framework applicable to the agency and
how the agency is complying with that framework.
The procedures ordinarily include:
a. Use of existing understanding of the agency’s
industry and operation
b. Inquiry of management concerning the
agency’s policies and procedures regarding
compliance with laws and regulations
c. Inquiry of agency as to the laws or regulations
that may be expected to have a fundamental
effect on the operations of the agency
d. Discussion with management about the policies
or procedures adopted for identifying,
evaluating and accounting for litigation, claims
and assessments
Met with: Findings:
____________________
_________________
____________________
_________________
____________________
_________________

Version : 03B-02/2011/v1
Performed Reviewed
by by
Perform procedures to help identify instances of
noncompliance with those laws and regulations
where noncompliance should be considered when
preparing financial statements, specifically:
a. Inquire with management as to whether the

agency is in compliance with such laws and
regulations
Met with: Findings:
____________________
_________________
____________________
_________________
____________________
_________________
b. Inspect correspondence with the relevant

licensing or regulatory authorities
Obtain sufficient appropriate evidence about

compliance with those laws and regulations
generally recognized to have an effect on:
- The determination of material amounts and
disclosures in financial statements by
considering them when auditing the assertions
related to the determination of the amounts to
be recorded and the disclosures to be made
- Programs, activities and projects of the agency
Sign one of the following statements, as applicable:
Performance of the above procedures has not

indicated any noncompliance by the agency with
laws and regulations that may materially affect the
financial statements.
A possible non-compliance by the agency with

laws and regulations was suspected or detected
and we have obtained an understanding of the
nature of the act and circumstances in which it has
occurred, and sufficient other information to

Version : 03B-02/2011/v1
Performed Reviewed
by by
evaluate the possible effect on the financial
statements and appropriate documentation ,
evaluation and notification of management and
others has been performed.
7. Related parties
Review information provided by the directors and

agency management identifying the names of all
known related parties and perform procedures in
respect of the completeness of this information
including the following:
a. Review prior year workpapers for names of
known related parties.
b. Review the agency’s procedures for
identification of related parties
c. Inquire as to the affiliation of directors and
officers with other entities
Inquired of:
______________________________________
d. Review agency management minutes of the

meetings
e. Inquire of other auditors currently involved in
the audit, or predecessor auditors, as to their
knowledge of additional related parties.
8. Inquiry regarding Litigation and Claims
Carry out procedures in order to become aware of

any litigation and claim involving the agency that
may have a material effect on the financial
statements.
9. Considering the Work of Internal Audit
Obtain a sufficient understanding of internal audit

activities to assist in planning the audit and
developing an effective audit approach.
Perform a preliminary assessment of the internal

audit function when it appears that internal audit is
relevant to the external audit of the financial
statements in specific audit areas. Such
assessment includes evaluating the competence
and objectivity of the internal auditors.

Version : 03B-02/2011/v1
Performed Reviewed
by by
When the audit team intends to use specific work

of internal audit, evaluate and test that work to
confirm its adequacy for our purposes.
10. Subsequent events
Perform procedures designed to obtain sufficient

appropriate audit evidence that all events up to the
date of the auditors’ report that may require
adjustment of, or disclosure In, the financial
statements have been identified.
11. Going concern
The engagement team has considered and

evaluated the appropriateness of management’s
use of the going concern assumption underlying
the preparation of the financial statements both in
the planning phase and throughout the
performance of the audit procedures.
12. Management Representations
Obtain a letter of representations that is tailored to

the particular circumstances, dated the same date
as our auditors’ report, and signed by the members
of management who have primary responsibility for
the agency and its financial aspects
13. Financial Statements Review
Apply analytical procedures at or near the end of

the audit when forming an overall conclusion as to
whether the financial statements as a whole are
consistent with our understanding of the agency.
Verify opening balances on the basis of the prior

year’s audit report and/or workpapers.
Cross-reference year-end amounts on the general

ledger trial balance to the related audit workpapers.
Examine supporting documents and/or inquire of

agency personnel to determine that significant
entries made solely to prepare the financial
statement, other than entries covered by other
audit procedures, were properly authorized and

Version : 03B-02/2011/v1
Performed Reviewed
by by
accounted for.
Agree or reconcile the financial statement amounts

and the financial data in the footnotes to the
general ledger trial balance or other workpapers.
Determine that the financial statements and the

financial data in the footnotes are clerically
accurate
14. Communication of Audit Matters with

Management and those Charged with
Governance
Inform management as soon as practicable:

- If a fraud has been identified or if
information obtained indicates that a fraud
may exist
- Of the existence of material weaknesses in
the design or implementation of internal
control, including material weaknesses in
the design or implementation of internal
control to prevent and detect fraud, that
have come to our attention
The audit team has determined the relevant

persons who are charged with governance and
with whom audit matters of governance interest are
to be communicated.
The audit team has considered all audit matters of

governance interest that arose from the audit of
financial statements and communicated them to
those charged with governance. Ordinarily such
matters include:
a. General audit approach and overall scope of
the audit
b. Selection of, or changes in , significant
accounting policies
c. Potential effect of any significant risk and
exposure that is required to be disclosed
d. Audit adjustments that could have a significant
effect on the agency’s financial statements
e. Material uncertainties relating to going concern
f. Disagreements with management that could
have a significant impact on the financial
statements or the audit report

Version : 03B-02/2011/v1
Performed Reviewed
by by
g. Expected modifications to the audit report
h. Internal control issues
i. Issues with respect to agency’s integrity and or
fraud within the agency
Determine whether any identified risk of materials

misstatements due to fraud has continuing control
implications. Consider whether any control
deficiency related to these risks, or whether the
absence of or deficiencies in programs or controls
to mitigate specific risks of fraud or to otherwise
help prevent, deter, and detect fraud, represent
matters (including potential material weaknesses)
that should be communicated to agency
management or any relevant regulatory body.
Inform those charged with governance about those

uncorrected misstatements aggregated by us
during the current audit that were determined by
management to be immaterial, both individually
and in the aggregate, to the financial statements as
a whole.
Inform those charged with governance if a fraud

has been identified involving management,
employees who have significant roles in internal
control, or others where the fraud results in a
material misstatement in the financial statements.
Inform those charged with governance of material

weakness in the design or implementation of
internal control, including material weaknesses in
the design or implementation of internal control to
prevent and detect fraud, that have come to the
auditors attention.
Inform those charged with governance of the

agency’s noncompliance with laws and regulations
that have come to our attention. If we have reason
to believe that members of agency management
are involved in noncompliance, report the matter at
the next higher level of authority.
The audit team has communicated the above

matters in a timely manner.
The engagement team has communicated the

Version : 03B-02/2011/v1
Performed Reviewed
by by
matters in a way, which is appropriate depending
on the nature and significance o f the matter as
well as on the size and legal structure of the
agency being audited.
I have reviewed this Quality Inspection Tool and the results of the procedures for
this engagement and am satisfied that all applicable general audit procedures
have been completed, the conclusions are reasonable and consistent with
professional standards, and the AAR properly reflect the issues addressed.
Signature: ________________________ Date: __________________

Version : 03B-02/2011/v1
Form 03B-03: Agency Action Plan
AGENCY ACTION PLAN
Objective
Agency management has the responsibility to act upon the audit observation and
recommendation provided by COA during the conduct of audit. To facilitate the process, the
COA shall provide a mechanism to enforce compliance of the activity. Hence, the Agency Action
Plan document is provided and included as part of the IRRBAM.
The Agency Action Plan is a tool for the agency to signify its action plans on the observations
and recommendations provided by the auditors. This document will serve as the basis for
auditors when monitoring agency action plans.
Agency management shall submit their action plans within 30 days from the date of receipt of
the report.
A significant part of this tool is the space provided for the sign-off of agency officer. Concurrence
of the agency, as evidenced by their sign-off, supports the fact that the agency accepts
responsibility as to the ownership of the action plans provided as well as its implementation.
Reference
- The reference will serve as a guide for auditors to trace the audit observations and
recommendations indicated in the prior years’ working papers or reports.
Audit Observation and Recommendation
- The audit observations and the corresponding recommendations of prior years’ audit
shall be reflected by the auditors on this column to guide the auditors and agencies’
monitoring process.

Version : 03B-03/2011/v1
Agency Action Plan
Action Plan/Remarks - Action plan is the response of the audited agency on the
recommendations provided by the auditors during the course of the audit. This
column shall be filled-out by the agency, detailing the appropriate resolution on the
audit observation identified by the auditors.
In any case, auditors shall challenge the appropriateness of the agencies’ action
plans with the audit observations noted. Any comments that the auditors may have
on the Agency Action Plans shall be communicated and resolved with the
appropriate authorities.
Person/Department Responsible - The Agency shall specifically identify the person or

department responsible in implementing the action plan provided. If it is not possible
to identify the specific person (e.g., due to job rotation), the position or rank shall
suffice.
Identification of a specific person or department responsible for implementing the

action plan will guide the auditors during the conduct of their monitoring procedures.
Target Implementation Date - The action plan provided by an agency shall be time-
bound. This holds true exceptionally for major audit observations that require
immediate action.

Version : 03B-03/2011/v1
AGENCY ACTION PLAN
Sector: __________________________________
Agency Audited: __________________________
Audit Period: ________________
AAR date: ___________________
Agency Action Plan

Audit Observation and
Ref.
Recommendation Target
Person/Dept.
Action Plan / Remarks Implem.
Responsible
Date
Agency sign-off:
_______________________________________ _________________
Agency Officer Date

Version : 03B-03/2011/v1
Form 03B-04 Action Plan Monitoring Tool
ACTION PLAN MONITORING TOOL
Objective
As discussed in the IRRBA Manual, the existence of the monitoring process for the prior
years’ recommendations serves as an additional control for the audited agencies to be
motivated in acting upon the recommendations provided by the auditors. Likewise,
monitoring serves as a feedback mechanism for auditors to determine the value that the
agencies obtain from the findings and suggestions that they provide.
The Action Plan Monitoring tool serves as a guide for the auditors and agencies in
conducting a structured monitoring process of prior years’ recommendations on the audit
observations noted.
Take note that the “Agency Action Plan” element will be provided by the audited agency.
The following elements are to be lifted from the Agency Action Plan provided by the agency
management:
Reference
Audit Observation and Recommendation
Agency Action Plan
Action Plan / Remarks

Person/Department Responsible
Target Implementation Date
The columns provided under the COA Monitoring portion are developed to guide the auditors
during the conduct of their monitoring procedures. These elements are essential since this is
the focus of the monitoring function of the auditors.
Date of follow-up
- Indicate the date when the follow-up is made.
Implementation Status
- This column shall be answered by the auditor during the execution of the monitoring
procedures.

Version : 03B-04/2011/v1
The following are the selections for the status of the implementation of agency
action plans:
ü Full – Action plans as provided by the agency management in the Agency
Action Plan document have been fully implemented in all scope mentioned.
ü Partial – Action plans as provided by the agency management in the Agency
Action Plan document have been partially implemented in some areas.
ü Ongoing – Implementation of the action plans provided the agency
management in the Agency Action Plan is still ongoing.
ü Non-implementation – Agency management did not implement the action
plans provided in the Agency Action Plan within the target completion period.
This is the area where auditors should carefully take a look. Auditors shall
examine and assess the reasons for non-implementation of previously stated
action plans.
Actual Implementation Date
- Part of the auditor’s examination is the determination of the actual implementation

date of the action plan set by an agency. Comparison of the actual against the target
date for the implementation of action plans is significant particularly on interrelated
audit observations and action plans.
Reason for Delay/Non-implementation
- Auditors shall uncover the reasons for the delay or non-implementation of action
plans. If the circumstances permit, auditors shall inquire several agency personnel or
officer on the causes of the delay or non-implementation.
Comments/Action Taken
- This column is for the auditors’ comments or actions to be taken as a result of the
monitoring procedures conducted. The remarks that will be provided on this column
can also be a basis for the next year’s audit project.

Version : 03B-04/2011/v1
ACTION PLAN MONITORING TOOL
Sector : Prepared by: Date:
Team : Reviewed by: Date:
Agency Audited : Approved by: Date:
Audit Period :
AAR Date :
Agency Action Plan COA Monitoring

Audit Observation Implem. Status Reason for
Ref. and Action Plan/ Person/Dept. Target Implem. (Full, Partial, Actual implem. Delay/Non- Comments/Action
Date of follow-up
Recommendation Remarks Responsible Date Ongoing, Non- Date Implementation Taken
implementation) (if applicable)
Prepared by: Approved by:
________________________________________ _________________ ________________________________________ _________________

Audit Team Leader Date Supervisor Date
Last updated : March 2011 3|P age

Version : 03B-04/2011/v1

Integrated Results and Risk-Based Audit Manual Forms and Templates

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Integrated Results and Risk-Based Audit Manual Forms and Templates

Uploaded by

Copyright:

Available Formats

Commission on Audit

INTEGRATED RESULTS AND

Strategic Planning and Risk Identification

FORMS AND TEMPLATES

1. Strategic Planning and Risk Identification

2. Agency Audit Planning and Risk Assessment

3A. Delivery: Execution

3B. Delivery: Conclusion and Reporting

Last updated : March 2011 1|Pa ge

GOVERNMENT RISK MODEL

Accomplishing this tool

Last updated : March 2011 1|Page

Last updated : March 2011 2|Page

Last updated : March 2011 3|Page

GOVERNMENT RISK MODEL

Strategic Operations Compliance Financial

Last updated : March 2011 4|Page

RISK TITLE RISK DESCRIPTION

Planning and Resource Allocation

Last updated : March 2011 5|Page

RISK TITLE RISK DESCRIPTION

Last updated : March 2011 6|Page

RISK TITLE RISK DESCRIPTION

Public Service and Operations

Last updated : March 2011 7|Page

RISK TITLE RISK DESCRIPTION

Last updated : March 2011 8|Page

RISK TITLE RISK DESCRIPTION

Last updated : March 2011 9|Page

RISK TITLE RISK DESCRIPTION

Last updated : March 2011 10 | P a g e

RISK TITLE RISK DESCRIPTION

Exposure to geo-political, regulatory and fraud risks via international

Failure to efficiently and effectively administer and manage cash flows to

Failure to receive appropriate funds to finance programs and projects.

Accounting and reporting

Last updated : March 2011 11 | P a g e

RISK TITLE RISK DESCRIPTION

Last updated : March 2011 12 | P a g e

GOVERNMENT RISK IDENTIFICATION TEMPLATE

Accomplishing this tool

Key Government Risk

Relevant data may also be obtained from the following:

ast updated : March 2011 1|Page

Government Program, Activity or Project

- Relate the government program/activity affected by the risk identified. It could be a

ast updated : March 2011 2|Page

GOVERNMENT RISK IDENTIFICATION TEMPLATE

Prepared by : __________________________________________________ Date :

Reviewed by : __________________________________________________ Date :

Approved by : __________________________________________________ Date :

Key Government Risk

Last updated : March 2011 3|Page

AGENCY AUDIT WORKSTEP

Audit Period __________________________________________________

Prepared By __________________________________________________ Date Prepared: ___________________

Reviewed By __________________________________________________ Date Reviewed: ___________________

Approved By __________________________________________________ Date Approved: ___________________

Target Date to Accomplish

Last updated : March 2011 1|P a ge

UNDERSTANDING THE AGENCY TEMPLATE

We obtain our understanding by performing review, inquiry, analytical procedures, observation

Accomplishing this tool

Prepared By ________________________________ Date Prepared: _

Reviewed By ________________________________ Date Reviewed: _

Approved By ________________________________ Date Approved: _

Agency ____________ Prepared by : Date :

Audit Period ____________ Reviewed by : Date :

Office ____________ Approved by : Date :