Professional Documents
Culture Documents
MANUAL ON INTERNAL
AUDITING
VERSION 4
November 2018
TITLE OF MANUAL INITIAL ISSUE DATE
January 22, 2008
MANUAL ON INTERNAL
REVISION NO.
AUDITING 4 PAGE NO.
2 of 54
REVISION DATE
November 2018
TABLE OF CONTENTS
1 Introduction 4
1.1 Definition of Internal Auditing 4
1.2 Risk-based Internal Audit 5
1.3 Objectives of the Manual 5
1.4 Scope of the Manual 5
1.5 Instructions on How to Use the Manual 6
1.6 Organization of Internal Audit 6
1.7 Roles and Responsibilities 7
A. Board of Directors 7
B. Audit Committee 7
C. Senior Management 8
D. All Personnel 9
E. Head of the Internal Audit Function 9
2 Policies & Standards of Internal Audit 10
2.1 Internal Audit Charter (Annex A)
2.2 Audit Committee Charter (Annex B)
2.3 Internal Audit Policies & Standards 10
3 Internal Control Framework 11
3.1 Objectives of Internal Control 11
3.2 Components of Internal Control 11
4 Organizing Internal Audit 13
4.1 Types of Audit 13
4.2 Scope of Internal Audit Function 13
5 Performance, Monitoring and Evaluation 15
5.1 Assessing Internal Audit Performance 15
5.2 Internal Audit’s Key Performance Indicators (KPI) 15
6 Strategies & Annual Work Planning 16
6.1 Risk-based Audit Planning Process 16
6.2 Audit Coverage Cycle 17
6.3 Audit Process 17
7 Conducting Internal Audit Assignments 18
7.1 Overview of Audit Assignment 18
8 Audit Planning 19
8.1 General Guidelines 19
9 Executing the Audit Plan 20
9.1 Assurance Services 20
9.2 Consulting Services 20
9.3 General Guidelines 20
A. Assurance & Consulting Services 20
B. Special/Fraud Audits 24
9.4 Detailed Procedures 25
A. Regular Audit 25
B. Applications/PIR Audit 27
C. Special/Fraud Audit 29
9.5 Internal Controls 30
A. Assurance Services 30
TITLE OF MANUAL INITIAL ISSUE DATE
January 22, 2008
MANUAL ON INTERNAL
REVISION NO.
AUDITING 4 PAGE NO.
3 of 54
REVISION DATE
November 2018
B. Consulting Services 30
C. Special/Fraud Audits 30
10 Communicating Results 31
10.1 General Guidelines 31
A. Regular/Application/PIR/Consulting Services 32
B. Special/Fraud Audits 33
10.2 Detailed Procedures 34
A. Assurance and Consulting Services 34
B. Special/Fraud Audits 34
C. Preparation and Submission of Reports 35
10.3 Internal Controls 36
11 Audit Tools and Techniques 37
11.1 Collection of Evidence 37
11.2 Audit Evidence Documentation 37
12 Monitoring of Action Plan 39
12.1 General Guidelines 40
12.2 Internal Controls 41
12.3 Detailed Procedures 41
13 Secretariat Functions 41
13.1 General Guidelines 42
13.2 Detailed Procedures 42
A. Pre-Meeting Activities 42
B. During the Meeting 43
C. Post-Meeting Activities 43
D. Preparation of Accomplishment Report 43
13.3 Internal Controls 43
14 Administrative Functions 44
14.1 Personnel Management 44
14.2 Pre-and Post-Fieldwork Activities 46
14.3 Records Management 46
14.4 Supplies and Inventory Management 46
15 Other Services 47
15.1 General Guidelines 47
16 Operational Risk Management 47
16.1 General Guidelines 48
16.2 Detailed Procedures 50
17 Annexes, Appendices and Exhibits 54
TITLE OF MANUAL INITIAL ISSUE DATE
January 22, 2008
MANUAL ON INTERNAL
REVISION NO.
AUDITING 4 PAGE NO.
4 of 54
REVISION DATE
November 2018
CHAPTER I – INTRODUCTION
1. Constitutional provisions;
2. Laws, rules and regulations on public governance and accountability
and applicable jurisprudence;
3. Government policies, standards, guidelines and regulatory issuances;
4. Relevant applicable standards and best practices in governance,
accountability and operations.
This Manual was developed to ensure that all internal auditors are properly
guided in their work.
This Operations Manual was prepared and designed to achieve the following
objectives:
For proper guidance, users and persons responsible for this manual shall
observe the following:
a. Verify if the pages of the manual are the current version before using.
b. Review and update the contents of the manual, if necessary.
c. Revisions, updating and/or improvements shall be initiated by the Internal
Audit Unit of LLFC subject to the review and perusal of the Audit
Committee. Thereafter, the Committee shall endorse the proposed
revision/s to the Board for approval. Upon approval of the Board, the
revisions shall be incorporated in the manual.
d. The Internal Audit Unit shall ensure the printing of adequate copies of the
manual, including additions, amendments, revisions and updates thereon.
e. The Internal Audit Unit shall keep a record of all additions, amendments,
revisions and/or updates on the manual to facilitate review and research.
The unit shall maintain the control copy of the manual.
f. The attachment of the manual shall be in the following forms:
A. BOARD OF DIRECTORS
B. AUDIT COMMITTEE
The audit committee shall oversee the internal audit function and shall be
responsible for:
C. SENIOR MANAGEMENT
D. ALL PERSONNEL
The internal audit function shall both assess and complement operational
management, risk management, compliance and other control functions.
Internal audit shall be conducted in frequencies commensurate with the
assessed levels of risk in specific areas/units/processes.
TITLE OF MANUAL INITIAL ISSUE DATE
January 22, 2008
MANUAL ON INTERNAL
REVISION NO.
AUDITING 4 PAGE NO.
14 of 54
REVISION DATE
November 2018
The internal audit functions shall either be established in each of the BSP-
supervised financial institution or centrally by the parent bank, in case of
group structures involving a parent bank and subsidiary or affiliate BSP-
supervised financial institutions.
In compliance to BSP Circular 871, the parent bank, Land Bank (LBP) has the
option to audit LLFC2. LLFC can send the following reports to LBP-IAG for
notation of LBP’s Audit and Compliance Committee:
The scope of internal audit shall cover, among others, the following:
1
BSP Circular No. 871, series of 2015: Internal Control and Internal Audit
2
email of Ms. Nerissa Noma, Senior Management Associate of LBP Quality Assurance and Support – IAG
dated October 24, 2018
TITLE OF MANUAL INITIAL ISSUE DATE
January 22, 2008
MANUAL ON INTERNAL
REVISION NO.
AUDITING 4 PAGE NO.
15 of 54
REVISION DATE
November 2018
Audit Planning is the first stage of audit methodology. The development of the
audit plan is based on the analysis of data and information gathered from:
For internal audit, risk assessment is a key element in the development of the
annual risk-based internal audit plan. The identification, prioritization and
sourcing of key organizational risks is critical to ensuring that internal audit
resources are allocated to the areas that matter most. A risk based audit
planning helps auditors to plan the audit process so that it makes a dynamic
contribution to better governance, robust risk management, and more reliable
controls.
In order to meet the above the risk based audit planning can be divided into
two steps:
1. Establish and communicate the scope and objectives for the audit to
appropriate management.
2. Develop an understanding of the business area under review. This
includes objectives, measurements, and key transaction types. This
involves review of documents and interviews. Flowcharts and narratives
may be created if necessary.
3. Describe the key risks facing the business activities within the scope of the
audit.
4. Identify management practices in the five components of control used to
ensure each key risk is properly controlled and monitored. Internal Audit
Checklist can be a helpful tool to identify common risks and desired
controls in the specific process or industry being audited.
5. Develop and execute a risk-based sampling and testing approach to
determine whether the most important management controls are operating
as intended.
6. Report issues and challenges identified and negotiate action plans with
management to address the problems.
7. Follow-up on reported findings at appropriate intervals. Internal audit
Groups maintain a follow-up database for this purpose.
8. Audit assignment length varies based on the complexity of the activity
being audited and Internal Audit resources available.
TITLE OF MANUAL INITIAL ISSUE DATE
January 22, 2008
MANUAL ON INTERNAL
REVISION NO.
AUDITING 4 PAGE NO.
19 of 54
REVISION DATE
November 2018
9. Many of the above steps are iterative and may not all occur in the
sequence indicated.
1. Senior Management
2. Management goals and objectives
3. Entity resources of types including financial, asset-based,
human, information and intangibles.
4. Products and services, markets, customers and competition
5. Regulatory forces
6. Core processes and operating cycle
7. Investing and financing cycle
3. The Annual Audit Plan shall be presented to the Audit Committee for
approval on the last quarter prior to the succeeding year. Any significant
changes (i.e., special/urgent audit requests) to the plan will be presented
to the Audit Committee for approval within a month prior to
implementation.
The objective of this IAG activity is to provide guidance in the execution of the
audit plan that will enable the internal auditors to understand the unit and its
processes, identify and assess the key risks and controls, identify
performance and control gaps on the key processes, and provide
improvement opportunities that will add value in the overall improvement of
the risk management, control and governance processes of the auditee.
This chapter embodies the policies and procedures on how to conduct the
services from engagement planning up to the issuance of pre-exit (i.e.,
regular audit, applications audit and post Implementation review), consulting
services and special/fraud audits.
Regular audits are conducted at the Group/unit’s level based on IAG’s risk
scoring to provide reasonable assurance to the LLFC BOD and Senior
Management that the internal controls are working effectively and efficiently.
A. Consulting services performed by the IAG may vary in nature, type and level
of its preparation in every engagement. The role of IAG in every consulting
service is defined so as not to impair its independence and objectivity.
1. Formal Engagement
2. Informal/Special Engagement
1. The approved annual audit plan and the results of the risk scoring shall
be the bases for assigning assurance and consulting engagements.
2. The Engagement Plan shall be developed and documented for every
engagement with the following considerations, whenever applicable:
a. Project Team
TITLE OF MANUAL INITIAL ISSUE DATE
January 22, 2008
MANUAL ON INTERNAL
REVISION NO.
AUDITING 4 PAGE NO.
23 of 54
REVISION DATE
November 2018
b. Project Schedule
c. Audit Objectives
d. Nature and extent of testing required;
e. Audit procedures for collecting, analysing, interpreting, and
documenting information during the audit; and
B. SPECIAL/FRAUD AUDITS
ASSURANCE SERVICES:
A. REGULAR AUDIT
Pre-Fieldwork Activities:
Fieldwork Activities:
Pre-Fieldwork Activities:
Fieldwork Activities:
Post-Fieldwork Activities:
C. Special/Fraud Audits:
A. ASSURANCE SERVICES
B. CONSULTING SERVICES
C. SPECIAL/FRAUD AUDITS
e. Instructions
f. Date of final report
3. If during the conduct of Special/Fraud Audit, additional information
gathered suggests the need to change the Audit Program, the same
shall be reported and approved by the concerned Group/unit head.
4. Documentation of information and handling of audit evidences shall be
in accordance with the IAG’s working paper/evidence handling policy.
5. In case of extension for the conduct and reporting of Special/Fraud
Audit, the concerned Dept/Unit Head shall seek approval of the
Internal Auditor.
The audit report is the key deliverable of IAG. It reflects the quality of the
audit work performed, judgment and integrity of the role of the internal
auditors of LLFC. Maximum impact can be achieved only if the results of the
audit are communicated clearly and effectively to the intended parties.
Accurate – free from errors and distortions and are faithful to the
underlying facts
Objective – fair, impartial, and unbiased and are the result of fair-
minded and balanced assessment of all relevant facts and
circumstances
Clear – easily understood and logical, avoiding unnecessary technical
language and providing all significant and relevant information
Concise – direct to the point and avoid unnecessary elaboration,
superfluous detail, redundancy, and wordiness
TITLE OF MANUAL INITIAL ISSUE DATE
January 22, 2008
MANUAL ON INTERNAL
REVISION NO.
AUDITING 4 PAGE NO.
32 of 54
REVISION DATE
November 2018
B. SPECIAL/FRAUD AUDITS:
3. Provide a copy of the report for file and update the Special/Fraud
Audit database.
Internal auditors typically issue reports at the end of each audit that
summarize their findings, recommendations, and any responses or
action plans from management. An audit report may have an executive
summary; a body that includes the specific issues or findings identified
and related recommendations or action plans; and appendix
information such as detailed graphs and charts or process information.
Each audit finding within the body of the report may contain five
elements, sometimes called the "5 C's":
1. Objective and background: Why was the area selected for audit?
Was it due to inherent or perceived high risk, known problems,
history of past issues, and a management change, materiality of the
area or other factors? What are the key aspects, risks and
objectives of the area reviewed? Was it part of the original plan
arising from the risk- assessment process?
2. Scope: – What was the scope of the work and when was it
performed? What time period and business units did it cover, and
which facets of operations were included? What key risks did the
work try to address?
3. Findings: What were the overall findings? How severe were they?
Are there only minor issues to be addressed, or are there
significant deficiencies in internal controls or the process being
reviewed?
4. Recommendations: What actions must management take to
adequately address the audit findings? Recommendations in the
audit report should state precisely what needs to be changed or
fixed.
5. Management action plans – Is there a clear plan to correct the
deficiencies noted? Who will take responsibility for the corrective
action? When will the issues be corrected?
6. Follow-up and tracking: How is internal audit monitoring
management’s progress in addressing noted deficiencies?
Quarterly and annual internal audit reporting to the audit committee
should include tracking and confirmed resolution of management
action plans resulting from audit findings.
From the initial client interview all the way down to issuing the audit report,
the Internal Auditor should keep a record of all the work done. This
information is kept in the audit file and shows the basis for the conclusions
TITLE OF MANUAL INITIAL ISSUE DATE
January 22, 2008
MANUAL ON INTERNAL
REVISION NO.
AUDITING 4 PAGE NO.
38 of 54
REVISION DATE
November 2018
reach. The audit file comes in many shapes and forms, all of which will be
classified as either permanent or current.
The Internal Auditor carries forward documents in the permanent file from
year to year. The auditor forms the base for planning the subsequent year’s
audit. Most of the information in the permanent file doesn’t change from one
year to the next.
Documents kept in the client’s permanent file:
a) Copies of the company’s incorporation documents: Businesses
have to file articles of incorporation, which cover the basics
about the company such as its name, address, the stock it
issues (what type and how many shares), and the registered
agent.
b) Chart of accounts: The numerical listing of all the company’s
asset, liability, equity, revenue, and expense accounts as a sort
of road map to figure out where certain accounts should be
showing up in company’s general ledger. The general ledger
shows all the accounts in the chart of accounts and lists what
transactions affect them during the year under audit.
c) Organization chart: This document shows the levels of
management from the head all the way down to the lowest
member of the staff.
d) Accounting manual: The manual provides an overview of how
the accounting functions of a company work. It provides a guide
to the responsibilities of each accounting Group and how
accounting employees should do their jobs.
e) Copies of important leases or contracts: You should have a
copy of the contracts for any property, plant, or equipment the
company leases. You use this information to verify rent expense
on the financial statements. Any major contracts with suppliers,
customers, or unions are also kept in the permanent file.
f) Internal control documentation: Any records the Internal Auditor
keep or write-ups done during the evaluation of the company’s
internal controls are kept in the permanent file.
g) Stock and bond issuances: These documents list the number of
shares outstanding and give information on the terms of any
bonds.
h) Prior years' analytical procedures: Use these documents to see
whether plausible and expected relationships exist in both
financial and nonfinancial data from year to year.
TITLE OF MANUAL INITIAL ISSUE DATE
January 22, 2008
MANUAL ON INTERNAL
REVISION NO.
AUDITING 4 PAGE NO.
39 of 54
REVISION DATE
November 2018
The current file contains all the work of the Internal Auditor on current year’s
audit.
a) Audit Plan: Road map for conducting the current year audit is
definitely included in the current file. This plan includes
understanding of the client, the allocation of firm resources, and
risk assessments.
The value of the audit must be assessed to assure that the findings and
recommendations, reflecting cost-conscious, workable and timely solutions,
have been achieved to some quantifiable degree and provide value to the
organization.
The monitoring of action plan, one of the major components of the Audit
Methodology, is designed to ensure the adequacy, effectiveness, and
timeliness of audited unit’s corrective actions to address audit
findings/observations and recommendations.
Monitoring of action plan wraps up the whole internal audit process. This IAG
activity is as important as the other activities of the internal audit process
because it measures the effectiveness of IAG in providing value in improving
the corporation’s operation through client acceptance/rejection of
recommendations. IAG should establish and maintain a system to monitor
the disposition of the audit results, and a follow-up process for the effective
implementation of the approved audit recommendations. The procedure
should include the assessment of action plans taken on the report and the
status thereof.
TITLE OF MANUAL INITIAL ISSUE DATE
January 22, 2008
MANUAL ON INTERNAL
REVISION NO.
AUDITING 4 PAGE NO.
40 of 54
REVISION DATE
November 2018
1. The Internal Audit group should have a system that provides the
structure and discipline to promote action on audit recommendations. It
should ensure that recommendations are aggressively pursued until
they have been resolved and successfully implemented. A follow up
system should adequately meet the basic responsibility for resolving
and implementing audit recommendations.
2. The Internal Auditor should establish and maintain a system to monitor
and follow-up disposition of results communicated to Management.
Follow-up by Internal Auditors is defined as a process by which they
determine the adequacy, effectiveness and timeliness of actions taken
by Management on reported audit observations and recommendations.
3. The Internal Auditor should establish procedures to include the
following:
A. Pre-Meeting Activities:
C. Post-Meeting Activities:
This chapter discusses in detail the policies and procedures adopted by IAG
in the following areas:
3. Trainings/Seminars
4. Performance Management
5. Personnel Policies
6. Communication Policies
IAG shall adhere to the existing policies on records retention and disposition.
In addition, the following shall be observed:
As an integral part of LLFC’s Risk Management System, IAG shall identify the
risks involved in its operations, assess the impact and probability of
occurrence of the identified risks, suggest parameters for measurement of
said risks, and recommend mitigating measures to control risk occurrence.
TITLE OF MANUAL INITIAL ISSUE DATE
January 22, 2008
MANUAL ON INTERNAL
REVISION NO.
AUDITING 4 PAGE NO.
48 of 54
REVISION DATE
November 2018
This chapter was prepared and designed to achieve the following objectives:
a. Identification
The Group/Unit shall determine the origin of risks, weaknesses
in business process of the corporation and the relevant services
executed by third parties whether existing or emerging.
b. Measurement
The Group/Unit shall assess the magnitude of risks. It shall
quantitatively and qualitatively determine the consequences,
including the financial impact of possible worst-case scenario
risk events.
c. Control
The Group/Unit shall implement measures to reduce risks or to
maintain risks within the corporation’s risk appetite. It shall
implement at all times the policies, systems, and procedures
approved by Risk Committee or LLFC’s BOD to address risks.
d. Monitoring
The Group/Unit shall track and evaluate the effectiveness and
status of risk management controls. The Group/Unit shall
monitor risk to determine if:
The business unit shall opt for risk avoidance if the potential
gain is lower than the expected risk cost, taking into
consideration several aspects such as time horizon, available
specialized expertise, compliance, strategies and reputation
risks.
The business unit shall aim to reduce loss frequency and loss
severity which can both be achieved by adhering to the
corporation’s internal control measures. These controls may be
preventive, detective or recovery.
TITLE OF MANUAL INITIAL ISSUE DATE
January 22, 2008
MANUAL ON INTERNAL
REVISION NO.
AUDITING 4 PAGE NO.
50 of 54
REVISION DATE
November 2018
d. Risk Acceptance – The business unit shall take this option if after
a cost-benefit analysis, the expected loss is lower than the cost of
risk management activities to mitigate the risks (e.g., reprice, self-
insure, offset or plan).
A. RCSA Matrix
Hard Loss:
Soft Loss:
Control
Description Adequacy Definition
Score
Completely 1 Existing policy and
under control procedures are in place
Effectively implemented
No BSP or IAG exception
related to the risk
Zero historical risk event
Tight Control in 2 Existing policy and
place procedures are in place
Effectively implemented
With minor BSP or IAG
exception related to the
risk
One historical risk event
in a year
Moderate 3 Existing policy and
Control in procedures are in place
Place With some flaws on the
implementation
With moderate BSP or
IAG exception related to
the risk
More than twice in
historical risk event in a
year
Some Control 4 Some existing policy and
in Place procedures are in place
Not effectively
implemented
With major BSP or IAG
exception related to the
risk
More than five times
historical risk event in a
year
TITLE OF MANUAL INITIAL ISSUE DATE
January 22, 2008
MANUAL ON INTERNAL
REVISION NO.
AUDITING 4 PAGE NO.
53 of 54
REVISION DATE
November 2018
11. Select the applicable frequency of occurrence from the following in the
dropdown menu:
12. Under Risk Mitigation section, fill-out the “Risk Treatment” column with
appropriate risk treatment strategy from the dropdown menu.
13. List down the tangible or specific action plan/s to implement or
materialize the selected risk treatment strategy.
14. Indicate or select from the drop-down menu the target time or
completion of the committed action plan/s.
15. Affix signature on the “Prepared by” portion and forward to the Head
for review.
16. The Group/Unit Head shall review and affix on the “Reviewed by”
portion if in order. Otherwise, return to the designated personnel for
revision.
17. If signed, submit the same to the units concerned.
TITLE OF MANUAL INITIAL ISSUE DATE
January 22, 2008
MANUAL ON INTERNAL
REVISION NO.
AUDITING 4 PAGE NO.
54 of 54
REVISION DATE
November 2018
CHAPTER 17
ANNEXES, APPENDICES AND EXHIBITS