Integrated Results and Risk-Based Audit Manual Forms and Templates
[Figure: IRRBA process diagram. Labels: Planning; Delivery; Agency Audit Planning and Risk Assessment; Execution; Conclusion and Reporting; Monitoring (Quality Control System)]
SEPTEMBER 2011
Integrated Results and Risk-Based Audit Manual
Objective
Part of the Strategic Planning and Risk Identification process of the Integrated Results and
Risk-Based Audit (IRRBA) is the identification of government risks. This activity will be conducted
annually, supervised by the Assistant Commissioners and attended by directors from the
following sectors/offices:
· National Government Sector (NGS)
· Corporate Government Sector (CGS)
· Local Government Sector (LGS)
· Regional Offices
· Fraud and Investigation Office (FAIO)
· Special Audits Office (SAO)
· Information Technology Office (ITO)
· Technical Services Office (TSO)
The Government Risk Model is introduced to guide the participants in the identification of
government risks. The Government Risk Model is a comprehensive list of risks that a
government may encounter which could threaten the achievement of its mandate and
objectives.
This model shall be regularly reviewed, updated and customized to consider changes in the
public sector environment, as well as to consider the impact of new standards, laws, rules and
regulations.
*The COA shall identify the process champion in this activity, who will ensure the maintenance and updating of this
tool.
Risk Listing
- The Risk Listing is a table of government risks divided into the following risk categories:
a. Strategic
b. Operations
c. Compliance
d. Financial
The table lists all potential risks that the government may face. Therefore, there are
risks that may be identified as a risk of the government in the current audit period that were
not identified in the preceding audit period. In either case, the risk listing shall be
maintained regardless of the existence of the risk at the time of the identification. Likewise,
the list shall be regularly updated to include emerging risks that may affect the
achievement of the government’s mandate and objectives.
Risk Definition
- Customize/create the definition of the risks based on the nature of the risk.
a. Risk Title – The label for the risks identified shall be properly chosen to reflect the nature
of the risk even by just looking at the risk title.
b. Risk Description - The risk description shall be clear on the cause and effect of the risk
once it materializes. The risk definition shall be generic in nature and shall avoid including
process-level effects to not limit/restrict the risk descriptions.
NOTE: The items in the succeeding pages are just samples to illustrate the tool. They do not represent any factual
data nor any result of prior audit projects.
Prepared by : Date :
Reviewed by : Date :
Approved by : Date :
Risk Definition
STRATEGIC
OPERATIONS
People
Physical assets
Real estate | Failure to provide physical protection and stewardship over real estate designed to optimize longevity and utilization.
Property, plant and facilities | Failure to provide physical protection and stewardship over long-lived assets (such as buildings, furniture, fixtures, machinery, equipment and other assets) designed to optimize longevity and utilization.
Inventory | Failure to provide physical protection and stewardship over inventories designed to optimize utilization while minimizing obsolescence, contamination, etc.
COMPLIANCE
Mandate
Function | Failure to align process objectives and performance measures with the mandate of the agency, its objectives and strategies may result in conflicting, uncoordinated activities throughout the agency.
Governance
Board performance/Agency management committee | Failure of Board of Directors to discharge their obligations and duties owed to the agency and its stakeholders in good faith; and to possess adequate knowledge to interpret and act on the information provided.
Tone at the top | Senior management fails to establish an environment that encourages integrity, ethical values, and competence of the agency's people through management's philosophy and operating style, assignment of authority and responsibility, and the organization and development of its people.
Authority/limit | Ineffective lines of authority may cause senior management, division heads or employees to do things they should not do or fail to do things they should.
Control environment | Failure to establish and maintain an internal control environment which aligns with stakeholder and regulatory expectations.
Corporate social responsibility | The mismanagement of "socially responsible" activities (e.g., conducting social responsibility training for management of manufacturers, undertaking environmental programs, participating in community initiatives) resulting in an unfavorable agency perception with stakeholders, customers, suppliers, agency partners, employees and the regulatory community.
Reputation | Damage to the Agency’s reputation exposes it to loss of customer/public trust, profits and the ability to grow.
Code of conduct
Ethics | The absence of formal standards of employee behavior that are intended to direct and influence the way agency operation is conducted, above and beyond the letter of the law.
Fraud | Potential unethical acts committed by agency employees or other stakeholders may negatively impact the agency's reputation.
Employee/Third Party Fraud | Fraudulent activities perpetrated by employees, suppliers, agents, or third-party administrators against the agency for personal gain (e.g., misappropriation of physical, financial or information assets) expose the agency to financial loss.
Market
Interest rate | Unfavorable price paid per unit of funds borrowed or the rate of return received on invested assets, or interest rate fluctuations beyond projected range.
Foreign currency | Unfavorable fluctuations in the currency of another market that is needed to carry out international transactions.
Commodity | Unfavorable fluctuations in the price of raw materials or other commodities used in product development/service delivery that are not anticipated and managed.
Financial instrument | Financial market risk can vary depending on the particular segment of the market to which the holder of a financial instrument is exposed, or the way in which the exposure is structured.
Liquidity and credit
Objective
The Government Risk Identification Template (GRIT) is used to document the significant
government risks identified for a particular audit period, as well as the basis of selecting
those particular risks, and the agencies and programs or activities affected. By having all of
this information in one sheet, it facilitates ease of summary and discussion with the
participants during the identification of significant government risks as well as increased
efficiency and effectiveness in tracing the effects of those risks.
This template, if carefully and exhaustively accomplished, will facilitate a unified thrust for the
COA in conducting government auditing.
The GRIT once accomplished shall be cascaded to all audit clusters and concerned offices
through the COA’s Annual Strategic Planning for inclusion in the Agency Audit Planning and
Risk Assessment.
Accomplishing this tool is critical to document the high-level inputs from COA directors
assigned in the audit of agencies representing the three audit sectors, regions, and auditors
performing Government-wide and Sectoral Performance Audit (GWSPA) and Fraud Audit.
Government Objective
- Identify the objectives of the government as identified in the State of the Nation
Address (SONA), Medium-Term Philippine Development Plan (MTPDP), Medium-
Term Public Investment Program (MTPIP) and so on.
- Participants may use the Government Risk Model to identify the key government risks
(risk category, risk title and risk definition)
Basis of Selection
- Indicate the basis or reason why the risk was considered as significant.
• SONA
• MTPDP/MTPIP
• Government Risk Model
• Sector risks
• Media releases and media reports
• Fraud and geographic risks
• Government-wide and sectoral programs and activities
• Knowledge of the auditors
Name of Agency
- Indicate the agencies affected by the risks identified. Auditors may also refer to other
outputs of government instrumentalities (e.g., Updated Strategy Planning Matrices for
the MTPDP of NEDA).
Key Risk 2
Key Risk 3
Key Risk 4
Key Risk 5
Key Risk 6
Key Risk 7
Key Risk 8
Key Risk 10
Key Risk 11
Key Risk 12
Auditee __________________________________________________
This template enables us to document our understanding of the agency and its environment and
assist in identifying risks of material misstatement. We document the identified inherent and/or
significant risks in this template.
The Understanding the Agency (UTA) can be used in conjunction with our meeting(s) with the
agency during the planning of the engagement. When we complete the UTA, we:
· Consider the use of available industry or sector knowledge
· Customize the UTA to each engagement
For future engagements, we base our understanding of the agency and its environment on prior
period knowledge. We update our understanding by focusing on the significant changes in the
agency and its environment in the current period and reflect those changes within the UTA
brought forward from the prior period.
Agency Profile
A. Mandate – State the relevant law, rule or regulation mandating the purpose of the
establishment of the agency.
B. Operations – Provide a brief description of the agency’s operations and critical agency
processes.
C. Structure - Describe the Agency’s organizational structure and its relation to other key
government agencies. (Attach the Agency’s organizational structure, as necessary)
D. Objectives and Strategies – State the objectives and strategies of the Agency. Evaluate
if these objectives and strategies are aligned with the mandate of the Agency.
E. Key Stakeholders – List stakeholders, or unified stakeholder groups, whose expectations
or actions (or inactions) can significantly influence management or affect the agency
objectives and strategies (and/or the ability of the agency to meet its objectives and
strategies)
F. Key Environmental Factors – Briefly describe the environment of the agency and how
the operations of the Agency are affected/influenced by environmental factors.
Examples of environment to be reviewed are:
· Political Environment
· Social Environment
· Legal and Regulatory Environment
· Technological Environment
Key Performance Indicators - The key results identified and monitored by management,
generally few in number, that must be achieved to conclude that a strategy has been
implemented successfully. Key performance indicators also refer to the targeted Major
Final Outputs (MFO) as agreed in their Organizational Performance Indicator Framework
(OPIF).
Accounting Policy – Provide brief description of key accounting policies applied, including
financial reporting standards or changes in the agency’s accounting policies and reasons
for such changes. We evaluate whether the agency’s accounting policies are appropriate
and consistent with the applicable financial reporting framework.
Previous Audit Findings – Include significant audit findings from previous audits that may still
exist in the agency.
Recent Developments/ News – Include any pertinent news or publication about the agency and
indicate the possible impact or risk that may arise on the Agency.
A. Financial
· Financial Statement Account – indicate the financial statement accounts of the
Agency
· Current Year – indicate the current account balance of the financial statement
account
· Prior Year – indicate the previous year’s balance of the financial statement account
· Variance (Amount) – the amount of difference between the current year and previous
year balance
Last updated : March 2011
Version : 02-02/2011/v1
Integrated Results and Risk-Based Audit Manual Phase 2 – Agency Audit Planning and Risk Assessment
Form 02-02: Understanding the Agency Template
· Variance (%) – the percentage increase or decrease from previous year’s balance
(Formula is Amount of Variance/Prior Year balance)
· Remarks – indicate the reason for the significant increase or decrease in the account
balance
B. Performance
· Performance indicators – indicate the performance indicator applicable to the
Agency. Examples of performance indicators are Asset Turnover, Inventory
Turnover, Return on Asset and Return on Equity. Should the Agency have an OPIF
structure, we should consider the Major Final Outputs as part of the performance
indicators.
· Actual – refers to the actual achievement of the Agency on its performance indicator
· Budget/Target – pertains to the planned or targeted performance expected from the
Agency.
· Variance (Amount) – the amount of difference between the actual and
budgeted/targeted amounts.
· Variance (%) – the percentage increase or decrease from the budgeted/targeted
amount (Formula is Amount of Variance/Budgeted or Targeted amount)
· Remarks – Indicate the reason for any significant increase or decrease from the
budgeted or targeted amount.
PAPs Review – This is a review of each PAP of the agency by understanding the details and
overview of the PAP including its objectives. An analytic review on the performance of the
PAP is also included to determine specific areas in the PAP that require audit focus.
UTA Summary
A. UTA Reference – States the part/component of the UTA where the information was
taken from.
B. Identified Agency Risk – Indicates the agency risks (risk title and risk statement)
identified while understanding the agency. Audit teams may also use the Agency Risk
Model as a reference in plotting the agency risks identified at this point.
C. Impact on the Agency – States the impact of risk to the agency if it materializes based
on your initial understanding.
AGENCY PROFILE
A. Mandate
B. Operations
C. Structure
Objectives Strategies
E. Key Stakeholders
Political Environment
Social Environment
Technological Environment
ACCOUNTING POLICIES
ANALYTIC REVIEW
Analytical procedures performed may include both financial and non-financial information. Our analytical procedures performed provide a basis for
designing and implementing audit procedures that respond to the assessed risks of material misstatement. However, overall analytical procedures
may use data aggregated at a high level and therefore the results only provide an initial indication about whether a risk of material misstatement
exists.
a. Financial
Financial Statement Accounts | Current Year | Prior Year | Variance (Amount) | Variance (%) | Remarks
b. Performance
Performance Indicators | Actual | Budget/Target | Variance (Amount) | Variance (%) | Remarks
PAPs REVIEW
a. Program/Project Details
Program/ Project:
Objectives:
Total Budget:
Duration:
Project Overview:
b. Performance Indicators
Performance Indicators | Actual | Budget/Target | Variance (Amount) | Variance (%) | Remarks
Financial
Non-financial
UTA SUMMARY
Objective
The Agency Risk Model is a tool to guide the audit team of a particular agency in the
identification of agency risks. The Agency Risk Model is a comprehensive list of risks that an
agency may encounter which could threaten the achievement of its mandate and objectives.
This model shall be regularly reviewed, updated and customized to consider changes in the
public sector environment as well as to consider the impact of new standards, laws, rules and
regulations.
Risk Listing
- The Risk Listing is a table of agency risks divided into the following risk categories:
a. Strategic
b. Operations
c. Compliance
d. Financial
The table lists all potential risks that the agency may face. Therefore, there are risks
that may be identified as a risk of the agency in the current audit period that were not
identified in the preceding audit period. In either case, the risk listing shall be maintained
regardless of the existence of the risk at the time of the identification. Likewise, the list
shall be regularly updated to include emerging risks that may affect the achievement of
the agency’s mandate and objectives.
Risk Definition
- Customize/create the definition of the risks based on the nature of the risk.
a. Risk Title – The label for the risks identified shall be properly chosen to reflect the nature
of the risk even by just looking at the risk title.
b. Risk Description - The risk description shall be clear as to cause and effect of the risk
once it materializes. The risk definition shall be generic in nature and shall avoid including
process-level effects that limit/restrict the risk descriptions.
NOTE: The items in the succeeding pages are just samples to illustrate the tool. They do not represent any factual
data nor any result of prior audit projects.
Prepared by : Date :
Reviewed by : Date :
Approved by : Date :
Risk Definition
RISK REF. NO. | RISK TITLE | RISK DESCRIPTION
STRATEGIC
S1 | Organizational structure | The overall structure of the agency instrumentalities does not support the achievement of strategic objectives in an efficient manner.
S2 | Strategic planning | This risk refers to the inability to discover, evaluate and select among alternatives to provide direction and allocate resources for effective execution to achieve the strategic objectives of the agency.
S3 | Operational planning | This risk refers to the misalignment of operating plans and execution to strategic planning. Lack of information needed to make the right decisions.
S4 | Budgeting | This risk refers to the inability to effectively budget for new and existing initiatives that support the overall strategic goals and objectives for growth, expansion, acquisition for public welfare. It also refers to the inability to effectively budget for programs and projects that would meet the agency’s Medium Term Philippine Development Plan (MTPDP).
S5 | Forecasting | This risk refers to the inability to forecast financial information to enable the allocation of resources to new and existing initiatives.
S6 | Resource allocation | Unavailability and inappropriateness of resource allocation process prohibits the agency’s ability to provide value for public.
S7 | Capital/fund availability | Insufficient access to fund threatens the agency’s capacity to grow, execute its strategies and achieve its objectives.
S8 | Operational model | The agency has an obsolete operation model and doesn’t recognize it and/or lacks the information needed to make an up-to-date assessment of its current model and build a compelling operational case for modifying that model on a timely basis.
S9 | Operational portfolio | Lack of relevant and reliable information that enables agency management to effectively prioritize its services or balance its operations in a strategic context may preclude a diversified agency from maximizing its overall performance.
S10 | Outsourcing | Outsourcing activities to third parties may result in the third parties not acting within the intended limits of their authority or not performing in a manner consistent with the agency’s strategies and objectives.
Major initiatives
S11 | Vision and direction | This risk refers to the failure to establish a vision and direction for major initiatives, including services, products and programs that will drive future growth. It also refers to the failure to establish project acceptance criteria and adequately measure against the criteria.
S12 | Planning and execution | This risk refers to the failure to plan and execute major initiatives due in a coordinated manner.
S13 | Measurement and monitoring | This risk refers to the failure to identify appropriate metrics and assess performance, quality and adherence to the standards as set forth by the agency.
S14 | Technology implementation | This risk refers to the failure of a major technology implementation to meet the strategic objectives of the organization.
S15 | Project evaluation | Failure to evaluate project proposals may result in problems when the project has been approved.
S16 | Change readiness | The people within the agency are unable to implement process and service improvements quickly enough to keep pace with changes in the public environment.
S17 | Climate change and sustainability initiatives | Failure to foresee changes in the environment and establish initiatives to keep pace with biological changes may result in stop operations and degradation.
Environment Dynamics
S18 | Economic changes | Economic changes, such as lower economic growth, reduce tax revenue and opportunities to provide a wide range of services or limit the availability or quality of existing services.
S19 | Financial market | Movements in prices, rates, indices and the like threaten the value of the agency’s financial assets.
S20 | Sovereign/political | Adverse political actions in a country in which the agency has invested significantly, is dependent on a significant volume of operation or has entered into a significant agreement with a counterparty subject to the laws of that country threaten the agency’s resources and future cash flows.
S21 | Customer/public wants | The agency may not be aware of changing pervasive public needs and wants, e.g. increased demand for faster turnaround on services.
S22 | Technological innovation | The agency is not leveraging advancements in technology in its operations to achieve or sustain advantage or is exposed to the actions of other agencies or substitutes that do not leverage technology or to attain superior quality, cost and/or time performance in their services processes.
S23 | Environment scan | Failure to monitor the external environment or formulation of unrealistic or erroneous assumptions about environment risks may cause the agency to retain operation strategies long after they have become obsolete.
S24 | Agency environment/Industry | This risk refers to the changes in opportunities and threats, and other conditions affecting the agency’s environment.
S25 | Sensitivity | Over commitment of resources and expected future cash flows threatens the agency’s capacity to withstand changes in environment (e.g., interest rates, public demand, changes in regulations) forces.
Market Dynamics
S26 | Macroeconomics factors | This risk refers to factors relating to macroeconomic conditions that affect the ability to maintain or increase revenue and profitability in a specific agency environment.
S27 | Lifestyle trends | This risk refers to the failure to anticipate and respond to changes in overall trends related to lifestyle demands of consumers.
S28 | Sociopolitical | This risk refers to the exposure to social and political factors within a market environment that affect the ability to market, sell and service products and services.
S29 | Technology changes | This risk refers to the dramatic changes in current technologies that may impact the market viability or demand of current products and services offered by the agency.
OPERATIONS
O12 | Succession planning | This risk refers to the failure to create and implement an effective succession plan for senior executive and other key positions and employees throughout the organization. It also refers to failure to align succession planning with strategic planning and leadership development objectives.
O13 | Knowledge capital | Processes for capturing and institutionalizing learning across the agency are either non-existent or ineffective, resulting in slow response time, high costs, repeated mistakes, slow development, constraints on growth and unmotivated employees.
O14 | Compensation and benefits | This risk refers to the failure to provide a total compensation package (base salary, annual/long-term incentive, benefits/perquisites) that are market competitive, aligned to agency and compensation strategies and retain and motivate employees to achieve desired results.
O15 | Performance Incentives | Unrealistic, misunderstood, subjective or non-actionable performance measures may cause senior management, division heads and employees to act in a manner inconsistent with the agency’s objectives, strategies, and ethical standards, and with prudent agency practice.
O16 | Health and safety | Failure to provide a safe working environment for its workers exposes the agency to compensation liabilities, loss of operational reputation and other costs.
Information and technology
O17 | Security/access | Failure of Information systems to adequately protect the critical data and infrastructure from theft, corruption, unauthorized usage, viruses, or sabotage.
O18 | Availability/continuity | This risk refers to the inability to recover from, and continue uninterrupted operations in the event of extraordinary events, systems and implementation failures.
O19 | Integrity | This risk refers to information systems that do not provide reliable information when it is needed or perform so slowly that operations are not efficient.
O20 | Infrastructure | The computer and telecommunications systems with supporting software do not capture, retain and transfer data in a secure and reliable environment and do not meet the expected requirements of the agency at a reasonable cost.
Hazards
O21 | Natural events | This risk refers to the threat to disrupt operation and ability of the agency to sustain operations, provide essential services or recover operating costs or accomplish planned target due to natural events (e.g., fire, earthquake, tornado).
O22 | Terror and malicious acts | This risk refers to the threat to disrupt operation and ability of the agency to sustain operations, provide essential services or recover operating costs or accomplish planned target due to terrorist activities or other malicious acts.
Physical assets
O23 | Real estate | This risk refers to the failure to provide physical protection and stewardship over real estate designed to optimize longevity and utilization.
O24 | Property, plant and facilities | This risk refers to the failure to provide physical protection and stewardship over long-lived assets (such as buildings, furniture, fixtures, machinery, equipment and other assets) designed to optimize longevity and utilization.
O25 | Inventory | This risk refers to the failure to provide physical protection and stewardship over inventories designed to optimize utilization while minimizing obsolescence, contamination and so on.
COMPLIANCE
Mandate
C1 | Function | Failure to align process objectives and performance measures with the mandate of the agency, its objectives and strategies may result in conflicting, uncoordinated activities throughout the agency.
Governance
C2 | Board performance/Agency management committee | This risk refers to the failure of the Board of Directors to discharge their obligations and duties owed to the agency and its stakeholders in good faith and to possess adequate knowledge to interpret and act on the information provided.
C3 | Tone at the top | Senior management fails to establish an environment that encourages integrity, ethical values, and competence of the agency's people through management's philosophy and operating style, assignment of authority and responsibility, and the organization and development of its people.
C4 | Authority/limit | Ineffective lines of authority may cause senior management, division heads or employees to do things they should not do or fail to do things they should.
C5 | Control environment | This risk refers to the failure to establish and maintain an internal control environment which aligns with stakeholder and regulatory expectations.
C6 | Corporate social responsibility | This risk refers to the mismanagement of "socially responsible" activities (e.g., conducting social responsibility training for management of manufacturers, undertaking environmental programs, participating in community initiatives) resulting in an unfavorable agency perception with stakeholders, customers, suppliers, agency partners, employees and the regulatory community.
C7 | Reputation | Damage to the Agency’s reputation exposes it to loss of customer/public trust, profits and the ability to grow.
Code of conduct
C8 | Ethics | This risk refers to the absence of formal standards of employee behavior that are intended to direct and influence the way agency operation is conducted, above and beyond the letter of the law.
C9 | Fraud | Potential unethical acts committed by agency employees or other stakeholders may negatively impact the agency's reputation.
C10 | Employee/Third Party Fraud | This risk refers to the fraudulent activities perpetrated by employees, suppliers, agents, or third-party administrators against the agency for personal gain (e.g., misappropriation of physical, financial or information assets) that expose the agency to financial loss.
C11 | Illegal Acts | Illegal acts committed by senior management, division heads or employees expose the agency to fines, sanctions, and loss of public trust, profits and reputation and the like.
C12 | Management Fraud | Management Fraud (e.g., intentional misstatement of financial statements or critical reports) may adversely affect stakeholders’ decisions.
C13 | Unauthorized Use | Unauthorized use of the agency’s physical, financial or information assets by employees or others exposes the agency to unnecessary waste of resources and financial loss.
Legal
C14 | Contract | This risk refers to entering into contracts that are unfavorable to the agency and the failure to comply with and monitor contract terms to protect the agency from financial losses.
C15 | Liability | This risk refers to a responsibility, duty or obligation that may result in lawful consideration to provide satisfaction, compensation or other form of restitution.
C16 | Intellectual property | This risk refers to the failure to create, capture, enhance, leverage and protect the collective knowledge, expertise and ideas of agency employees valued as non-physical assets.
C17 | Anticorruption | This risk refers to the failure to create an agency environment which is opposed to corruption, and instill agency practices that prevent corruption.
C18 | Legal | Changing laws threaten the agency’s capacity to consummate important transactions, enforce contractual agreements or implement specific strategies and activities.
Regulatory
C19 | Trade | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and international regulatory requirements for trade practices, e.g., anti-dumping and trade policy.
C20 | Customs | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and international regulatory requirements for Customs.
C21 | Procurement | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with the agency procurement reform act.
C22 | Road-right of way (RROW) acquisition | This risk refers to the failure to implement infrastructure projects due to RROW problems and risks posed by non-compliance with Comprehensive and Continuing Urban development and Housing Program (RA 7279)
C23 | Labor | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and International regulatory requirements for Labor rules and regulations, including taxes, wages, anti-discrimination, Family and Medical Leave, workplace violence and so on.
C24 | Securities | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and International Securities regulatory requirements.
C25 | Environment | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and International Environmental regulations, e.g., noncompliance with ISO 4001 standards.
C26 | Data protection and privacy | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with privacy rules and regulations standards resulting in improper disclosure of confidential customer information.
C27 | International | This risk refers to the exposure to geo-political, regulatory and fraud risks via international business dealings.
C28 | Product/service quality | This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and International regulatory requirements for product/service quality and safety.
RISK REF. NO.   RISK TITLE   RISK DESCRIPTION
C29 Health and safety – This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and International rules and regulations for health and safety.
C30 Competitive practice/antitrust – This risk refers to the failure to identify and prevent legal risks posed by non-compliance with agency and international rules and regulations for competitive practices/anti-trade. Lack of awareness of statutory and regulatory application of export and customs policies and requirements.
FINANCIAL
Market
F1 Interest rate – This risk refers to the unfavorable price paid per unit of funds borrowed or the rate of return received on invested assets, or interest rate fluctuations beyond projected range.
F2 Foreign currency – This risk refers to the unfavorable fluctuations in the currency of another market that is needed to carry out international transactions.
F3 Commodity – This risk refers to the unfavorable fluctuations in the price of raw materials or other commodities used in product development/service delivery that are not anticipated and managed.
F4 Financial instrument – Financial market risk can vary depending on the particular segment of the market to which the holder of a financial instrument is exposed, or the way in which the exposure is structured.
Liquidity and credit
F5 Cash management – This risk refers to the failure to efficiently and effectively administer and manage cash flows to maintain adequate liquidity to meet obligations.
F6 Opportunity cost – This risk refers to the use of funds in a manner that leads to the loss of economic value, including time value losses, transaction costs and other causes of loss of value.
F7 Funding – This risk refers to the failure to meet the requirements of a portfolio of capital investments and obligations based on specified commitments or in accordance with terms of an agreement (i.e., retirement and capital accounts).
RISK REF. NO.   RISK TITLE   RISK DESCRIPTION
the expense of not meeting public expectation, quality and efficiency
objectives.
F12 Internal control – This risk refers to the significant or material weaknesses resulting from inadequate financial internal controls impacting management's assessment and reporting under country regulations.
F13 Investment evaluation – This risk refers to the lack of relevant and/or reliable information supporting investment decisions and linking the financial risks accepted to the capital at risk, which may result in poor short- or long-term investments.
F14 Tax strategy and planning – This risk refers to the failure to properly evaluate and execute tax planning strategies. It also refers to the misalignment of tax objectives and strategies with overall agency objectives, strategies and initiatives.
Capital structure
F15 Debt – This risk refers to the potential over-reliance on borrowing from creditors to provide adequate working capital for agency objectives and/or to cover current operating obligations, resulting in unfavorable debt-to-equity ratios.
F16 Equity – This risk refers to the inability to offer marketable securities appropriately priced for the enterprise's value.
F17 Pension funds – This risk refers to the inability to identify, establish and maintain the optimal structure for pension funds.
Objective
The Agency Risk Identification (AgRI) Matrix is used to document the agency risks identified
for a particular audit period. As a tool that will facilitate the risk assessment process, this
document shall be used by audit teams when assessing the impact and likelihood,
identifying the locations affected and determining the initial audit response.
Accomplishing this tool is critical for the audit team to have a common risk language when
understanding the risk profile of the agency being audited.
c. Risk Rating
Impact – Assess the impact of the agency risk as to high, moderate and low
including the justification for the assessment
Likelihood – Assess the likelihood of the risk as to high, moderate and low
including the justification for the assessment.
time period. In most instances, the time period is set at one year. It can
be adjusted to be aligned with the agency’s operating cycle.
d. Risk Location
Low FRA
Justification: Justification:
Low FRA
Justification: Justification:
Objective
After understanding the agency objectives and risks, auditors shall identify the top-level controls
that the agency has established. Auditors shall obtain an understanding of agency-level controls
to plan their audit and determine the most appropriate audit strategy.
The Agency-level Controls Checklist contains a set of questions for each internal control
component. The questions provided herein will guide auditors in obtaining an initial
understanding of the agency-level controls set by the agency management. However, auditors
shall consider that documenting and evaluating agency-level controls does not by itself provide
a complete perspective of internal controls of an agency. It is an important starting point
because the assessment of agency-level controls – particularly when weaknesses are identified
– can have a significant effect on the overall assessment of the effectiveness of internal controls
and procedures.
The internal control concepts of the National Guidelines on Internal Control Systems (NGICS)
and the International Standards of Supreme Audit Institutions (ISSAI) are incorporated in this
tool.
Internal Control Component – Probing questions are initially provided for the following internal
control components:
- Control Environment
- Risk Assessment
- Information and communication
- Monitoring
- Control Activities
NOTE:
Auditors are not limited to the probing questions provided in this questionnaire.
Additional questions may be developed by the team, if deemed necessary.
Yes / No / Not applicable – Answer each probing question with the appropriate response as a
result of the auditor’s validation of each internal control component.
Remarks – Provide any remark or comment that the auditor may have on the related
probing question as a result of its validation. Examples of remarks may include identification
of areas that need to be focused on for the audit engagement or possible fraud indicators.
Initial Assessment – Make an initial assessment as to the design and operating effectiveness of
each sub-component of the agency’s internal control using the probing questions supplied.
Indicate the reasons for giving such an assessment in the “reason” column.
The operating effectiveness of some components of the agency’s internal control is hard to
determine. In this case, audit teams shall document the reasons why and focus their
assessment on the design of the internal control. Auditors shall use their professional
judgment during this assessment.
Observations – Document the observations obtained during the understanding of the agency-
level controls. Observations may include deficiencies noted in the design of agency-level
controls or red flags noted in the process that may indicate sources of fraud
risks. Incidentally, audit teams may need to issue an Audit Observation Memorandum
(AOM) to call the attention of the agency to the observations noted.
Recommendations - Provide a recommendation (if applicable) for each key observation noted.
AOM Reference – Indicate the AOM reference number for those observations issued with an
Audit Observation Memorandum.
Agency: Prepared:
Date
Reviewed:
Audit Period: Date
Approved
Date
Information
C.1. The agency is able to prepare accurate and
timely financial reports, including interim
reports.
Communication
C.20. Lines of authority and responsibility (including
lines of reporting) within the company are
clearly defined and communicated.
Monitoring
Control Activities
E.1. Are accounting and closing practices followed
consistently at interim dates (e.g., quarterly,
monthly) throughout the year?
— Data
— Functional capabilities of programs (e.g.,
execute, update, modify parameters, read
only)?
PROCESS-RISK-CONTROL MATRIX
Objective
Process Risks – Identify the risks (what could go wrong) in the process through a risk
statement. Process-level risk is any event or circumstance that could affect the
achievement of the process’ objectives.
Impact: Accounts Affected (including assertions) – Identify the extent to which the risk
if realized would impact the agency’s financial statement accounts. This is
critical for planning the financial audit aspect.
Impact: Risk to PAPs – Identify the impact of process-level risks to the achievement
of the objectives of the agency’s PAPs. Examples are damage to assets,
reputation impacts and ability to achieve key objectives.
Existing Controls – Indicate the controls identified during the process understanding.
The controls that should be documented are those that are being carried out at
the time of the audit. Controls that have been presented in operations manual
or procedures shall be validated through walkthrough procedures.
Reason if inadequate – Provide the reason or the observation noted if the control design
assessment is inadequate.
c. Summary
AOM Ref. No. – Indicate the AOM reference number for those observations issued
with an Audit Observation Memorandum.
PROCESS-RISK-CONTROL MATRIX
Columns: Process Risks | Impact: Accounts Affected (including assertions) | Impact: Risk to PAPs | Existing Controls | Control Design Assessment (Adequate / Inadequate) | Reason if inadequate
Summary
Objective
In order to develop an audit strategy that is responsive to the agency’s risks we make an
audit risk assessment for relevant assertions of significant material accounts and the
Agency’s PAPs.
The Audit Risk Assessment and Planning Tool will facilitate our documentation of our audit
risk assessment for financial, compliance and performance audits. In addition, it also
documents our audit strategy, scope and estimated timing which will guide the development
of our audit test procedures.
Inherent Risk – Assess the inherent risk of the financial statement account and
assertion. Our assessment of inherent risk may be higher or lower. Factors
that may affect our inherent risk assessment are as follows:
Include in the justification the reason why we intend to rely or not rely on the
controls.
Low High
Control Assessment
Audit Strategy – Indicate whether our main strategy would be testing the controls
or substantive tests. Test of controls will be the audit strategy for accounts
assessed as ‘Minimal’ or ‘Low’ (we are intending to rely on the controls),
whereas, substantive procedures will be the audit strategy for accounts
assessed as ‘Moderate’ or ‘High’.
Timing – Indicate the estimated date when the audit test procedures for the
financial statement account will commence.
Person Days – Indicate the amount of time or duration for the completion of the
audit test procedures.
B. Performance
Column Headings (Selection Factors) – Assign risk weights for each selection
factor. Risk weights are expressed as percentages and, when summed up,
should equal 100%. The assignment of risk weights is based on the
auditor’s judgment. To minimize bias/subjectivity, the assignment of risk
weights should be discussed among the audit team members and should be
Example 1: If the auditors would like to give equal risk weights on selection
factors and lesser weight on visibility, auditability and previous audit
coverage:
Selection Factors
Materiality  Impact  Visibility  Significance  Risk to Good Management  Auditability  Previous Audit Coverage
(20%)        (20%)   (10%)       (20%)         (20%)                    (5%)          (5%)
Example 2: If the auditors would like to focus more on the budget allocated
for the PAPs:
Selection Factors
Materiality  Impact  Visibility  Significance  Risk to Good Management  Auditability  Previous Audit Coverage
(50%)        (10%)   (10%)       (10%)         (10%)                    (5%)          (5%)
Example 3: If the auditors would like to focus only on the Budget
allocation and the Significance of the PAPs to the Agency’s Mandate:
Selection Factors
Materiality  Significance
(50%)        (50%)
Note that the auditors may remove selection factors that they do not wish to
consider in their evaluation of the agency’s PAPs. Larger risk weights may
be allocated to those selection factors on which the auditors wish to focus more.
Selection Factors – For each PAP, assign points for each selection factor. The
points to be given for each selection factor should not exceed the risk weight
assigned in the column heading of that selection factor. See illustration
below:
Selection Factors
PAPs       Materiality  Impact  Visibility  Significance  Risk to Good Management  Auditability  Previous Audit Coverage  Total
           (20%)        (20%)   (10%)       (20%)         (20%)                    (5%)          (5%)
Program A  20           15      8           20            10                       5             5
Program B  18           15      5           15            15                       5             5
Note that the maximum amount of points to be given for each selection factor
is the risk weight assigned in the column heading. Assignment of points is
based on auditor’s judgment. To minimize bias/subjectivity, the assignment
of risk weights should be discussed among the audit team members and
should be reviewed by the Supervising Auditor/ Director.
Total – Sum up all the points given in the selection factors for the particular PAP.
Basis for Assessment – Indicate the auditor’s remarks/bases why such points
were given for each particular PAP.
Significant PAPs – List down the PAPs to be subjected to performance audit
for the audit period.
Audit Focus Area – Identify the specific areas of the PAPs to be focused for the
performance audit (e.g., procurement, delivery of services, efficiency of
operations)
Timing – Indicate the estimated date when the performance audit will
commence.
Person Days – Indicate the amount of time or duration for the completion of the
performance audit.
- This part identifies professionals with specialized skills needed for the audit and
defines their scope of work and timing.
Office – Identify the office of the Specialized Skills Needed (e.g., TSO for
Engineers, ITO for IT Auditors).
Timing – Indicate the estimated date when the conduct of audit procedures will
commence.
Person Days – Indicate the amount of time or duration for the completion of the
audit procedures.
Other Material Accounts – List down the account titles of Other Material Accounts.
Timing – Indicate the estimated date when the conduct of High-level precision
analytics would commence.
Person Days – Indicate the amount of time or duration for the completion of the
analytic procedures.
Person/s Responsible – Indicate the audit staff who will perform the procedures for
Other Material Accounts.
In order to develop an audit strategy that is responsive to an agency’s risk of material misstatement, we make a risk assessment for financial, compliance and performance
audits.
For financial and compliance audits, we make our risk assessment by assessing the inherent risk and the preliminary control risk, and combining both assessments to arrive at an overall
risk assessment for each relevant assertion for each significant account.
Existence/Occurrence Low Low-Rely on Controls Minimal TOC
Completeness High High-Not Rely on Controls Low Substantive
Test
Accuracy Moderate
Justification: Justification:
Rights and Obligations High
Compliance
Existence/Occurrence Low Low-Rely on Controls Minimal TOC
Completeness High High-Not Rely on Controls Low Substantive
Test
Accuracy Moderate
Justification: Justification:
Rights and Obligations High
Integrated Results and Risk-Based Audit Manual Phase 2 – Agency Audit Planning and Risk Assessment
Form 02-07: Audit Risk Assessment and Planning Tool
Compliance
B. Performance
Significant PAPs Audit Focus Area Audit Aspect Timing Person Days
o Economy
o Efficiency
o Effectiveness
Timing: __________________.
Person Days: _______ .
Person/s Responsible: ____ .
Integrated Results and Risk-Based Audit Manual Phase 3A - Execution
Form 03A-01: Audit Test Summary
Objective
The Audit Test Summary is used to document our approach in executing financial and
compliance audit tests for each significant account. We also document the results of our audit
tests performed and conclusions reached based on such results.
Significant Account – Indicate the account title of the significant account. Significant accounts
are taken from the significant accounts identified in Part A of the Audit Assessment and
Planning Memorandum.
Audit Risk Assessment – Check the audit risk assessment based on Part A of Audit
Assessment and Planning Memorandum. The Risk Assessment will determine our audit
strategy in the execution phase.
Note: TOC is performed only for accounts assessed as “Minimal” or “Low” (wherein we rated
control risk as Low – we are intending to rely on controls). If our audit risk assessment is either
“Moderate” or “High,” we will only accomplish Part II of this template.
Process – Indicate the process/es where TOC for the significant account will be done.
Person/s Assigned – Indicate the person/s who will execute the TOC for the significant
account.
Due Date – Indicate the estimated date when the TOC is expected to be completed.
TOC Working Paper Reference – Indicate the working paper reference where the execution of
the TOC is documented.
Conclusion – Indicate our conclusion statement on the operating effectiveness of the controls
tested.
Final Assessment of Control Risk – Based on the results of the TOC conducted, make a final
assessment of Control Risk:
· Low – Controls are operating effectively
· High – Controls are not operating effectively
In case our final control risk assessment is High, we need to reassess the overall audit risk.
The reassessed audit risk will be Moderate or High depending on the inherent risk
assessment, as illustrated in the diagram below:
Inherent Risk Assessment
Low High
Control Risk Assessment
Extent of Testing – Check the appropriate box for the extent of testing (i.e., Extensive – for
Moderate or High; Less Extensive – for Minimal or Low).
ST Work Program Reference – Indicate the working paper reference where the execution of
the ST is documented.
Conclusion – Indicate our conclusion statement whether the account is fairly presented in the
Agency’s financial statements (considering unbooked adjusting journal entries, if any).
Process: _______________________
Controls to be Tested:
·
·
·
TOC W/P Ref.   Findings   Recommendation   AOM Ref.
High
Conclusion
Objective
This form is used to summarize and evaluate the results of comprehensive audit and other
types of audits conducted. It has three parts as follows:
• Part I - Introduction
• Part II - Summary of Audit Results and Recommendations
• Part III - Evaluation Factors
After the exit conference with the agency, the audit team shall accumulate the
findings/observations and recommendations, as documented in Audit Observation
Memorandum (AOM), together with management comments using the Summary of Audit
Results and Recommendations provided in Part II of this Form.
The completed template should be initialed by the ATL and SA, and approved by the CD prior to
audit report sign-off. This completed template, together with other relevant documentation,
should be filed in the working papers.
The audit team should perform the following steps in relation to audit findings and observations
and their disposition:
Please refer to Phase 3 - Delivery: Conclusion and Reporting of the IRRBAM for further details.
Total
D. Conclusion
In our opinion:
Yes No
2. The proposed entries, whether or not recorded, are not the result
of a significant weakness in internal control over financial reporting. □ □
3. The proposed entries, whether or not recorded, are not indications
of possible fraud or illegal acts. □ □
4. For any “No” responses above, indicate the steps taken or to be
taken:
□ Opinion modified
□ Audit scopes reassessed
□ Others: _____________________________________
Comments:
EVALUATION FACTORS
A. Materiality Factors
The following factors may be relevant to the evaluation of the materiality of passed entries,
recognizing that some may be more important than others.
1. Quantitative factors:
a. Earnings/Surplus
b. Other financial statement captions
c. Segment information
2. Meeting earnings/budget goals
3. Compliance with contracts and regulations
4. Impact on other periods
5. Trends
6. Possible undetected errors
7. Certainty of amount
8. Interpretations of ISSAI
9. Establishing accounting precedent
10. Large offsetting items
11. Nonrecurring items
12. Carryovers from prior periods
o Maximum-risk assignments,
o Agencies with weakening financial condition,
o Agencies that may soon have new management (within a year or shortly
thereafter),
o Management that need to significantly improve their accounting and control
practices,
o Potentially sensitive areas, such as revenue recognition
Even when misstatements are not material, we need to consider whether their root
causes are due to inadequacies in internal control, particularly when the errors are
more widespread or significantly larger than anticipated. We may need to expand our
audit testing to compensate for an unexpected control weakness. We also may need to
communicate the weakness to senior agency management and the Oversight Body if it
is deemed to be a “reportable condition.”
Proposed entries may be indications of fraud or illegal acts (possibly the "tip of the
iceberg"). Examples are:
o A significant increase over the prior year in the number or size of proposed
adjustments.
o "Last minute" entries that significantly increase earnings.
o Misstatements that appear to have been made with the intent of achieving targeted
earnings or similar goals.
o Unsupported or unauthorized transactions, balances and reconciling items.
o Entries apparently made to conceal illegal acts.
The Quality Inspection Tool will guide the audit team in performing overall review and
approval of the audit engagement prior to the release of the audit report.
This part consists of the activities/processes as reflected in the IRRBA Manual. As part of
the quality assurance, audit teams shall ensure conformance to the prescribed
methodology in the conduct of their audits.
IRRBA Activities
- Identify the IRRBA Activities as prescribed in the methodology.
Performed by
- Staff member who completed the procedure/activity shall indicate his/her initials to
confirm his/her performance.
Reviewed by
- Reviewer shall append his/her initials as a proof of the evaluation.
Performed by
- Staff who completed the procedure/activity shall indicate his/her initials to confirm
his/her performance.
Reviewed by
- Reviewer shall append his/her initials as a proof of the evaluation.
Prepared by : Date :
Reviewed by : Date :
Approved by : Date :
Agency: _____________________________________________________
Period: _____________________________________________________
2.6.2 Performance
3. Execution
General Audit Procedures   WP Ref.   Performed by   Reviewed by
1. Terms of Audit Engagements
2. Independence
4. Consultation
Perform procedures to help identify instances of
noncompliance with those laws and regulations
where noncompliance should be considered when
preparing financial statements, specifically:
evaluate the possible effect on the financial
statements and appropriate documentation,
evaluation and notification of management and
others has been performed.
7. Related parties
Inquired of:
______________________________________
accounted for.
g. Expected modifications to the audit report
h. Internal control issues
i. Issues with respect to agency’s integrity and or
fraud within the agency
matters in a way, which is appropriate depending
on the nature and significance of the matter as
well as on the size and legal structure of the
agency being audited.
I have reviewed this Quality Inspection Tool and the results of the procedures for
this engagement and am satisfied that all applicable general audit procedures
have been completed, the conclusions are reasonable and consistent with
professional standards, and the AAR properly reflects the issues addressed.
Objective
Agency management has the responsibility to act upon the audit observation and
recommendation provided by COA during the conduct of audit. To facilitate the process, the
COA shall provide a mechanism to enforce compliance of the activity. Hence, the Agency Action
Plan document is provided and included as part of the IRRBAM.
The Agency Action Plan is a tool for the agency to signify its action plans on the observations
and recommendations provided by the auditors. This document will serve as the basis for
auditors when monitoring agency action plans.
Agency management shall submit their action plans within 30 days from the date of receipt of
the report.
A significant part of this tool is the space provided for the sign-off of the agency officer. Concurrence
of the agency, as evidenced by their sign-off, supports the fact that the agency accepts
responsibility for the ownership of the action plans provided as well as their implementation.
Reference
- The reference will serve as a guide for auditors to trace the audit observations and
recommendations indicated in the prior years’ working papers or reports.
- The audit observations and the corresponding recommendations of prior years’ audit
shall be reflected by the auditors on this column to guide the auditors and agencies’
monitoring process.
Action Plan/Remarks - Action plan is the response of the audited agency on the
recommendations provided by the auditors during the course of the audit. This
column shall be filled-out by the agency, detailing the appropriate resolution on the
audit observation identified by the auditors.
In any case, auditors shall challenge the appropriateness of the agencies’ action
plans with the audit observations noted. Any comments that the auditors may have
on the Agency Action Plans shall be communicated and resolved with the
appropriate authorities.
Target Implementation Date - The action plan provided by an agency shall be
time-bound. This holds true especially for major audit observations that require
immediate action.
Sector: __________________________________
Agency Audited: __________________________
Audit Period: ________________
AAR date: ___________________
Agency sign-off:
_______________________________________ _________________
Agency Officer Date
Objective
As discussed in the IRRBA Manual, the existence of the monitoring process for the prior
years’ recommendations serves as an additional control for the audited agencies to be
motivated in acting upon the recommendations provided by the auditors. Likewise,
monitoring serves as a feedback mechanism for auditors to determine the value that the
agencies obtain from the findings and suggestions that they provide.
The Action Plan Monitoring tool serves as a guide for the auditors and agencies in
conducting a structured monitoring process of prior years’ recommendations on the audit
observations noted.
Take note that the “Agency Action Plan” element will be provided by the audited agency.
The following elements are to be lifted from the Agency Action Plan provided by the agency
management:
Reference
The columns provided under the COA Monitoring portion are developed to guide the auditors
during the conduct of their monitoring procedures. These elements are essential since this is
the focus of the monitoring function of the auditors.
Date of follow-up
Implementation Status
- This column shall be answered by the auditor during the execution of the monitoring
procedures.
The following are the selections for the status of the implementation of agency
action plans:
✓ Full – Action plans as provided by the agency management in the Agency
Action Plan document have been fully implemented in all scope mentioned.
✓ Partial – Action plans as provided by the agency management in the Agency
Action Plan document have been partially implemented in some areas.
✓ Ongoing – Implementation of the action plans provided by the agency
management in the Agency Action Plan is still ongoing.
✓ Non-implementation – Agency management did not implement the action
plans provided in the Agency Action Plan within the target completion period.
This is the area where auditors should carefully take a look. Auditors shall
examine and assess the reasons for non-implementation of previously stated
action plans.
- Auditors shall uncover the reasons for the delay or non-implementation of action
plans. If the circumstances permit, auditors shall inquire with several agency personnel or
officers on the causes of the delay or non-implementation.
Comments/Action Taken
- This column is for the auditors’ comments or actions to be taken as a result of the
monitoring procedures conducted. The remarks that will be provided on this column
can also be a basis for the next year’s audit project.
Audit Period :
AAR Date :