
Corporate code of Good Governance

By: Securities and Exchange Commission

Companies should have:

1) At least two (2) independent directors; or
2) Such a number of independent directors that constitutes 20% of the members of the Board,
whichever is lesser but not less than two

BOARD: Audit committee

1) At least three (3) directors where:
a. One shall be an independent director (Chair)
b. Others: audit experience
2) Preferably have an accounting and finance background

The Code requires the Chief Audit Executive to report directly to the Board of Directors, the Audit
Committee or other appropriate governing authority instead of to the President or CEO, who is in charge of
day-to-day operations and is the subject of the examination.

Internal auditing as defined by the Institute of Internal Auditors (IIA)

– Is an independent, objective assurance and consulting activity designed to add value and
improve an organization’s operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control and governance processes.

Primary purpose: To assist members of the organization in the effective discharge of their
responsibilities (Proper segregation of duties and responsibilities)

Three (3) Main objectives of Internal Audit

1) Helping the organization achieve its objectives

Categories of business objectives

a. Strategic objectives – to provide value creation choices which management makes on behalf
of the organization’s stakeholders.
b. Operations objectives – to provide effectiveness and efficiency (to give efficacy and
proficiency) of the organization’s operations
c. Compliance objectives – to adhere to applicable laws and regulations
d. Reporting objectives – to have reliable internal and external reports of financial and
nonfinancial information.

2) Assurance and consulting activity designed to add value and improve operations
3) Evaluating and improving the effectiveness of risk management, control and governance
processes

Types of audit

1) Management audit – is an audit performed by internal auditors to identify management
weaknesses and to recommend ways to rectify them.

2) Performance audit – also known as operational audit or value for money audit. It is an audit
performed by internal auditors to evaluate the performance of an organizational or business unit.

3) Systems-based audit – this approach concentrates on the functioning of the accounting system,
rather than the accuracy of accounting records and the evaluation of controls and control
systems.

4) Financial audit – is an audit performed by external auditors to provide an opinion on whether
the financial statements presented are true and comply with applicable accounting standards.

5) Risk-based audit – this approach reviews the risk management process: how the organization
manages risk and takes action to mitigate risks, including the use of controls.

6) Environmental audit – this is a systematic, documented, periodic and objective evaluation of
how well an organization, its management and equipment are performing, with the aim of
helping to safeguard the environment by facilitating management control of environmental
practices; and assessing compliance with company policies and external regulation.

7) Compliance audit – is an audit performed by external auditors to determine whether
performance is in conformity with laws and regulations.

Independence – For what reason? To have freedom from conditions that threaten the ability of the
internal audit activity to carry out internal audit responsibilities in an unbiased manner.

Through:

a. Organizational independence

It is achieved when the Chief Audit Executive reports directly to the Board and senior
management (CEO) – Dual reporting

Threat arises – Scope limitation

Scope limitation – is a restriction placed upon the internal audit activity that precludes
(shuts out) the audit activity from accomplishing its objectives and plans.

Under Practice Advisory 1130-1, a scope limitation, among other things, may restrict the:
i. Scope defined in the internal audit charter
Internal audit charter – is a formal document that defines internal audit’s purpose,
authority, responsibility and position within an organization.
ii. Internal audit activity’s access to records, personnel and physical properties
relevant to the performance of the engagements
iii. Approved engagement work schedule
iv. performance of necessary engagement procedures
v. approved staffing plan and financial budget

Where a threat to independence arises, such as a scope limitation, the limitation, along with its
potential effect, needs to be communicated, preferably in writing, to the Board.

Threat arises – Self-interest threat

Internal auditors are not to accept fees, gifts or entertainment from an employee, client, customer,
supplier or business associate that may create the appearance that the auditor’s objectivity has been
impaired, except for receipt of promotional items (such as pens, calendars or samples) having minimal
value. Internal auditors are to report immediately the offer of all material fees or gifts to their
supervisors.

Reporting line (functional reporting) – is the ultimate source of its independence and authority.

Administrative line – is the relationship within the organization’s management structure that facilitates
day-to-day operations of the internal audit activity and provides appropriate interface and support for
effectiveness (coordination)

Administrative reporting typically includes:

1) budgeting and management accounting
2) human resource administration
3) internal communications and information flows
4) administration of the organization’s internal policies and procedures (expense approval, leave
approvals)

b. Individual objectivity of the auditors

Objectivity – an unbiased mental attitude that allows internal auditors to perform
engagements in such manner that they believe in their work product and that no quality
compromises are made.

Individual objectivity – means the internal auditors perform engagements in such a manner
that they have an honest belief in their work product and that no significant quality
compromises are made.

Conflict of interest – is a situation in which an internal auditor, who is in a position of trust, has a
competing professional or personal interest. It exists even if no unethical or improper act results.

Three (3) General approaches

a. avoidance
Case B. Fermin, the Chief Audit Executive (CAE) of XYZ Company, has been appointed to a
committee to evaluate the appointment of the company’s external auditors. Patricia, the
engagement partner of one of the potential external accounting firms, wants Fermin to join her
for a week of hunting at her private lodge in Batangas. Should Fermin accept Patricia’s
invitation?
- Answer: No, on the grounds of conflict of interest.

b. disclosure to those stakeholders relying upon the decision

c. management of the conflict of interest so that the benefits of the judgment made outweigh the
costs

Value is provided by improving opportunities to achieve organizational objectives, identifying
operational improvement, and/or reducing risk exposure through both assurance and
consulting → Add Value

Engagement - a specific internal audit assignment or project that includes multiple tasks or
activities designed to accomplish a specific set of objectives

SERVICES RENDERED BY AN INTERNAL AUDITOR/S

I. Assurance services – is one involving an internal auditor’s objective (since they gather
evidence on outside parties such as suppliers) assessment of evidence to provide an
independent opinion or conclusions regarding the entity, operation, function, process,
system or other subject matter.
- an objective examination of evidence for the purpose of providing an independent
assessment on governance, risk management, and control processes for the
organization.
F/S have six (6) classifications

To be audited by an internal auditor

Internal auditing: Assurance services (if the amounts presented are reliable)

Add value through objective assessment of evidence to provide objective and independent
opinions/conclusions

Interested users (investors, creditors, government, public)

Assurance engagements - assess evidence regarding a particular issue and draw a conclusion

Assurance activities include:


1) Performance or operational audit
2) Evaluating risk management processes
3) Evaluating the reporting on the status of key risks and controls
4) Reviewing the management of key risks, including the effectiveness of the controls and
other responses to them.
5) Providing assurance that risks are correctly evaluated
6) Providing assurance on the design and effectiveness of risk management processes
7) Financial audit, other than the traditional financial audit performed by external
auditors (i.e. audit of cash, audit of expenditures)

Note: the nature and scope of the assurance engagement are determined by the internal auditor as
defined in the internal audit charter

Party responsible for determining the scope and nature of an assurance engagement

Parties involved in assurance engagement

1) Process owner – the person or group directly involved with the entity, operation, function,
process, system or other subject matter. In external audit, the process owner is also known as
the “responsible party” or the “auditee”
2) Internal auditor – the person or group making the assessment
3) User – the person or group using the assessment

II. Consulting services – advisory and related client service activities, the nature and scope of
which are agreed with the client and which are intended to add value and improve an
organization’s governance, risk management and control processes without the internal
auditor assuming management responsibility.

Categories of consulting engagement

1) Formal consulting engagements – planned and subject to written agreement such as assessment
of controls in a system
2) Informal consulting engagements – routine activities, such as, participation on standing
committees, limited-life projects, adhoc meetings, routine information exchange, serving on
task forces to analyze operations and make recommendations.
3) Special consulting engagements – such as participation on a merger and acquisition team or
system conversion team, study and evaluation of the proposed restructure of the organization to
reflect the most practical, economical and logical alignment
4) Emergency consulting engagement – participation on a team established for recovery or
maintenance of operations after a disaster or other extraordinary business event or a team
assembled to supply temporary help to meet a special request or unusual deadline.

Consulting engagement - provide advice and assistance to a specific customer.
(Consultation within the engagement)

Parties involved in consulting engagement

1) Engagement client – may be a person, group, business unit or department seeking and receiving
the advice.
2) Internal auditor – the person or group offering the advice

Note: When performing consulting services, the internal auditor should maintain objectivity and not
assume management responsibility.

Note: The client and internal auditor are parties responsible for determining the scope and nature of a
consulting engagement

Note: Independence and objectivity may be impaired if assurance services are provided within one year
after a formal consulting activity

Impairment to Independence and Objectivity

- details of impairment must be disclosed to appropriate parties
- nature of disclosure will depend upon the impairment

Systematic and Disciplined approach (DDAURIR)

Elements of the systematic and disciplined approach

1) defined audit objectives
2) defined audit procedures
3) audit work plan
4) use of technology
5) risk analysis
6) independent review of audit work
7) review of conclusions with management

Enterprise risk management (ERM) – is a process to identify, assess, manage and control potential
events or situations to provide reasonable assurance regarding the achievement of the organization’s
objective.

– Process conducted by management to understand and deal with difficulties that could affect
ability to achieve.

Control – any action taken by the Board, management and other parties to manage risk and increase
the likelihood that the established objectives and goals will be achieved. “PERC”

– Process by management to mitigate (lighten) risks to acceptable levels.

Internal audit areas

1) Proper safeguarding of assets
2) Effectiveness and efficiency of operations
3) Reliability, accuracy (being dependable because of accuracy) and timing of financial
reporting
4) Compliance with Company’s objective, applicable laws and regulations

Classifications of control

1) Preventive control – to deter (stop) undesirable events from occurring
2) Detective control – to detect and correct undesirable events which have occurred
3) Directive control – to cause or encourage a desirable event to occur.

Governance – the act of governing by the board to inform, direct, manage and monitor the activities of
the organization through a combination of processes and structures.

– The process conducted by a board of directors to authorize, direct, and oversee management
toward the achievements of the organization.
