LBP LEASING AND FINANCE CORPORATION


(A LAND BANK SUBSIDIARY)

MANUAL ON INTERNAL
AUDITING

VERSION 4
November 2018
Title of Manual: MANUAL ON INTERNAL AUDITING
Initial Issue Date: January 22, 2008
Revision No.: 4
Revision Date: November 2018
Page No.: 2 of 54

TABLE OF CONTENTS

1 Introduction 4
1.1 Definition of Internal Auditing 4
1.2 Risk-based Internal Audit 5
1.3 Objectives of the Manual 5
1.4 Scope of the Manual 5
1.5 Instructions on How to Use the Manual 6
1.6 Organization of Internal Audit 6
1.7 Roles and Responsibilities 7
A. Board of Directors 7
B. Audit Committee 7
C. Senior Management 8
D. All Personnel 9
E. Head of the Internal Audit Function 9
2 Policies & Standards of Internal Audit 10
2.1 Internal Audit Charter (Annex A)
2.2 Audit Committee Charter (Annex B)
2.3 Internal Audit Policies & Standards 10
3 Internal Control Framework 11
3.1 Objectives of Internal Control 11
3.2 Components of Internal Control 11
4 Organizing Internal Audit 13
4.1 Types of Audit 13
4.2 Scope of Internal Audit Function 13
5 Performance, Monitoring and Evaluation 15
5.1 Assessing Internal Audit Performance 15
5.2 Internal Audit’s Key Performance Indicators (KPI) 15
6 Strategies & Annual Work Planning 16
6.1 Risk-based Audit Planning Process 16
6.2 Audit Coverage Cycle 17
6.3 Audit Process 17
7 Conducting Internal Audit Assignments 18
7.1 Overview of Audit Assignment 18
8 Audit Planning 19
8.1 General Guidelines 19
9 Executing the Audit Plan 20
9.1 Assurance Services 20
9.2 Consulting Services 20
9.3 General Guidelines 20
A. Assurance & Consulting Services 20
B. Special/Fraud Audits 24
9.4 Detailed Procedures 25
A. Regular Audit 25
B. Applications/PIR Audit 27
C. Special/Fraud Audit 29
9.5 Internal Controls 30
A. Assurance Services 30
B. Consulting Services 30
C. Special/Fraud Audits 30
10 Communicating Results 31
10.1 General Guidelines 31
A. Regular/Application/PIR/Consulting Services 32
B. Special/Fraud Audits 33
10.2 Detailed Procedures 34
A. Assurance and Consulting Services 34
B. Special/Fraud Audits 34
C. Preparation and Submission of Reports 35
10.3 Internal Controls 36
11 Audit Tools and Techniques 37
11.1 Collection of Evidence 37
11.2 Audit Evidence Documentation 37
12 Monitoring of Action Plan 39
12.1 General Guidelines 40
12.2 Internal Controls 41
12.3 Detailed Procedures 41
13 Secretariat Functions 41
13.1 General Guidelines 42
13.2 Detailed Procedures 42
A. Pre-Meeting Activities 42
B. During the Meeting 43
C. Post-Meeting Activities 43
D. Preparation of Accomplishment Report 43
13.3 Internal Controls 43
14 Administrative Functions 44
14.1 Personnel Management 44
14.2 Pre-and Post-Fieldwork Activities 46
14.3 Records Management 46
14.4 Supplies and Inventory Management 46
15 Other Services 47
15.1 General Guidelines 47
16 Operational Risk Management 47
16.1 General Guidelines 48
16.2 Detailed Procedures 50
17 Annexes, Appendices and Exhibits 54

CHAPTER I – INTRODUCTION

The cornerstones of effective governance are the Board of Directors (BOD),
Senior Management (SM), Internal Auditors and External Auditors.

As part of the governance process, LBP Leasing and Finance Corporation
Internal Audit (LLFC-IA) provides an independent and objective evaluation of
management controls and operations performance and the determination of
the degree of compliance with laws, regulations, managerial policies,
accountability measures, ethical standards and contractual obligations. It
involves the appraisal of the plan of the organization and all the coordinated
methods and measures, in order to recommend courses of action on matters
relating to operations and management controls. Moreover, in compliance
with the International Standards, internal auditors also add value to LLFC’s
operations by evaluating the risk management and governance processes of
LLFC.

The purpose, authority and responsibility of LLFC-IA are properly defined in
the Internal Audit Charter which was approved by the Audit Committee, a
board-level committee. The Audit Committee directly supervises the IA’s
functions and activities, as contained in the charter.

IA is required to adhere to the following Hierarchy of Applicable Internal
Auditing Standards and Practices:

1. Constitutional provisions;
2. Laws, rules and regulations on public governance and accountability
and applicable jurisprudence;
3. Government policies, standards, guidelines and regulatory issuances;
4. Relevant applicable standards and best practices in governance,
accountability and operations.

This Manual was developed to ensure that all internal auditors are properly
guided in their work.

1.1 DEFINITION OF INTERNAL AUDITING

The Institute of Internal Auditors (IIA) defines internal auditing as an
independent, objective assurance and consulting function established to
examine, evaluate and improve the effectiveness of internal control, risk
management and governance systems and processes of the organization,
which helps the management and board of directors in protecting the
organization and its reputation. It is designed to add value and improve an
organization’s operations. It helps an organization accomplish its objectives
by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control and governance processes.

The internal control framework shall embody the following:

1. management oversight and control culture;
2. risk recognition and assessment;
3. control activities;
4. information and communication; and
5. monitoring activities and correcting deficiencies.

1.2 RISK-BASED INTERNAL AUDIT

Risk-based auditing is a style of auditing which focuses upon the analysis
and management of risk. A traditional audit would focus upon the
transactions, which would make up financial statements such as the balance
sheet. A risk-based approach will seek to identify risks with the greatest
potential impact. Strategic risk analysis will then include political and social
risks such as the potential effect of legislation and demographic change.

1.3 OBJECTIVES OF THE MANUAL

This Operations Manual was prepared and designed to achieve the following
objectives:

• To help the Internal Auditors maintain a consistent and uniform
approach in applying the audit methodology; hence to deliver high
quality of service;
• To serve as a training and induction tool for new employees;
• To offer extensive and continuous opportunities for improvement; and
• To serve as a reference and guide for other Groups/units of LLFC on
the organization, policies, systems and procedures adopted by the
Internal Audit Group (IAG) in the pursuit of its goals and objectives in
the organization.

1.4 SCOPE OF THE MANUAL

This manual contains the policies, detailed procedures, internal control
measures including tools, templates, and other practice aids.

This shall be supplemented further by the risk-based audit methodology,
guidelines, directives and issuance relevant to internal auditing.

1.5 INSTRUCTIONS ON HOW TO USE THE AUDIT MANUAL

For proper guidance, users and persons responsible for this manual shall
observe the following:

a. Verify if the pages of the manual are the current version before using.
b. Review and update the contents of the manual, if necessary.
c. Revisions, updating and/or improvements shall be initiated by the Internal
Audit Unit of LLFC subject to the review and perusal of the Audit
Committee. Thereafter, the Committee shall endorse the proposed
revision/s to the Board for approval. Upon approval of the Board, the
revisions shall be incorporated in the manual.
d. The Internal Audit Unit shall ensure the printing of adequate copies of the
manual, including additions, amendments, revisions and updates thereon.
e. The Internal Audit Unit shall keep a record of all additions, amendments,
revisions and/or updates on the manual to facilitate review and research.
The unit shall maintain the control copy of the manual.
f. The attachments to the manual shall be in the following forms:

1. Annex – additional procedures, tips, techniques, flowcharts
2. Exhibit – sample forms and reports
3. Appendix – regulatory issuances and orders

g. The manual on Internal Auditing shall be written with the following header
information:

1. Title of the Manual
2. Initial Issue Date – represents the date on which the manual was
first issued
3. Revision No. – represents how many times it was revised
4. Revision Date – represents the date on which revisions on the
manual were approved.
5. Page No. – represents the sequential page number of the sheet as
part of the Manual.

1.6 ORGANIZATION OF INTERNAL AUDIT

To maintain its organizational independence and objectivity, IAG is functionally
under the supervision of the Audit Committee and administratively under the
President and CEO.

1.7 ROLES AND RESPONSIBILITIES

A. BOARD OF DIRECTORS

• Responsible for ensuring that Senior Management establishes and
maintains an adequate, effective and efficient internal control
framework commensurate with the size, risk profile and complexity of
operations of the company;
• Ensure that the internal audit function has an appropriate stature and
authority within the organization;
• Provide adequate resources to the Internal Auditor to enable it to effectively
carry out its assignments with objectivity.

Further, the Board of Directors shall, on a periodic basis:

i. Conduct discussions with management on the effectiveness of the internal
control system;
ii. Review evaluations made by the audit committee on the assessment
of effectiveness of internal control made by management, internal and
external auditors;
iii. Ensure that management has promptly followed up on
recommendations and concerns expressed by auditors and
supervisory authorities on internal control weaknesses; and
iv. Review and approve the remuneration of the head and personnel of
the internal audit function. Said remunerations shall be in accordance
with the company’s remuneration policies and practices and shall be
structured in such a way that these do not create conflicts of interest or
compromise independence and objectivity.

The board of directors shall likewise commission an assessment team outside
of the organization to conduct an independent quality assurance review of the
internal audit function at least every five (5) years.

B. AUDIT COMMITTEE

• Responsible for overseeing senior management in establishing and
maintaining an adequate, effective and efficient internal control
framework;
• Ensure that systems and processes are designed to provide assurance
in areas including reporting, monitoring, compliance with laws,
regulations and internal policies, efficiency and effectiveness of
operations, and safeguarding of assets.

The audit committee shall oversee the internal audit function and shall be
responsible for:

i. Monitoring and reviewing the effectiveness of the internal audit
function;
ii. Approving the internal audit plan, scope and budget;
iii. Reviewing the internal audit reports and the corresponding
recommendations to address the weaknesses noted, discussing the
same with the head of the internal audit function and reporting
significant matters to the board of directors;
iv. Ensuring that the internal audit function maintains an open
communication with senior management, the audit committee, external
auditors, and the supervisory authority;
v. Reviewing discoveries of fraud and violations of laws and regulations
as raised by the internal audit function;
vi. Reporting to the board of directors the annual performance appraisal of
the head of the internal audit function;
vii. Recommending for approval of the board of directors the annual
remuneration of the head of the internal audit function and key internal
auditors;
viii. Appointing, reappointing or removing the head of the internal audit
function and key internal auditors; and

C. SENIOR MANAGEMENT

• Responsible for maintaining, monitoring and evaluating the adequacy
and effectiveness of the internal control system on an ongoing basis,
and for reporting on the effectiveness of internal controls on a periodic
basis;
• Develop a process that identifies, measures, monitors and controls
risks that are inherent to the operations of the company;
• Maintain an organizational structure that clearly assigns responsibility,
authority and reporting relationships;
• Ensure that delegated responsibilities are effectively carried out;
• Implement internal control policies and ensure that activities are
conducted by qualified personnel with the necessary experience and
competence;
• Ensure that personnel undertake continuing professional development
and that there is appropriate balance in the skills and resources of the
front and back offices and control functions;
• Inform the internal audit function of the significant changes in the
company’s risk management systems, policies and processes.

D. ALL PERSONNEL

• Need to understand their roles and responsibilities in the internal
control processes;
• Accountable for carrying out their responsibilities effectively;
• Communicate to the appropriate level of management any problem in
operations, action or behavior that is inconsistent with documented
internal control processes and code of ethics.

E. HEAD OF THE INTERNAL AUDIT FUNCTION

• Demonstrate appropriate leadership and have the necessary skills to
fulfill responsibilities for maintaining the unit’s independence and
objectivity;
• Accountable to the board of directors or audit committee on all matters
related to the performance of its mandate as provided in the internal
audit charter. The head of the internal audit function shall submit a
report to the audit committee or board of directors on the status of
accomplishments of the internal audit unit, including findings noted
during the conduct of the internal audit as well as the status of
compliance of concerned Groups/units;
• Ensure that the internal audit function complies with sound internal
auditing standards such as the Institute of Internal Auditors’
International Standards for the Professional Practice of Internal
Auditing and other supplemental standards issued by regulatory
authorities/government agencies, as well as with relevant code of
ethics;
• Develop an internal audit plan based on robust risk management,
including inputs from the board of directors, audit committee and senior
management and ensure that such plan is comprehensive and
adequately covers regulatory matters. The head of the internal audit
function shall also ensure that the audit plan, including revisions
thereto, shall be approved by the audit committee;
• Ensure that the internal audit function has adequate human resources
with sufficient qualifications and skills necessary to accomplish its
mandate. In this regard, the head of the internal audit function shall
periodically assess and monitor the skill-set of the internal audit
function and ensure that there is adequate development program for
the internal audit staff that shall enable them to meet the growing
technical complexity of company operations.

CHAPTER 2 - POLICIES AND STANDARDS OF INTERNAL AUDIT

2.1 INTERNAL AUDIT CHARTER (Annex A)

2.2 AUDIT COMMITTEE CHARTER (Annex B)

2.3 INTERNAL AUDIT POLICIES AND STANDARDS

a. International Standards for the Professional Practice of Internal Auditing

Standards are principle-focused and provide a framework for performing and
promoting internal auditing.

The purpose of the Standards:

• Delineate basic principles that represent the practice of internal auditing.
• Provide a framework for performing and promoting a broad range of
value-added internal auditing.
• Establish a basis for the evaluation of internal audit performance.
• Foster improved organizational process and operations.

The Standards are mandatory requirements:

• Statements of basic requirements for the professional practice of internal
auditing and for evaluating the effectiveness of its performance.
• Interpretations, which clarify terms or concepts within the statements.

The structure of the Standards:

1. Attribute Standards – address the attributes of organizations
and individuals performing internal auditing.
2. Performance Standards – describe the nature of internal auditing
activities and criteria for the evaluation of their performance.

b. INTERNAL AUDIT POLICIES AND PROCEDURES

Policies identify key activities and provide a general strategy on how to
handle situations as they arise.
Procedures are the specific methods used to put policy into action in the
daily operations of an organization. Together, written policies and procedures
create efficiency within an organization and are also an important element of
internal control. Audit policies and procedures are to be updated periodically
even if they seem to be working. There will be new audit methodologies and
techniques that will be developed over time that will need to be implemented.

CHAPTER 3 - INTERNAL CONTROL FRAMEWORK

3.1 OBJECTIVES OF INTERNAL CONTROL

Internal control systems are designed to meet three major categories of
objectives that are important to businesses: operational, information and
compliance. Internal controls are a set of procedures that a company follows
continuously to maintain the objectives they are designed for. These systems
must be monitored and evaluated on a regular basis to ensure they are
functioning properly. Internal control uses five different components to
accomplish these goals: control environment, risk assessment, control
activities, information and communication, and monitoring.

3.2 COMPONENTS OF INTERNAL CONTROL

In 1992, COSO published the report Internal Control-Integrated Framework
as a basis for developing business control systems and assessing their
effectiveness. This report provides the five components of internal control:

a. The Control Environment - relates to the control consciousness of
the people within the organization. The control environment is the
basis for all other components of internal control. In BSP Circular 871,
series of 2015, it refers to Management oversight and control with
established appropriate culture that emphasizes, demonstrates and
promotes the importance of internal control.

b. Risk Assessment - refers to the organization's identification, analysis,
and management of the risks that are related to financial statement
preparation, in order to ensure that financial statements are presented
fairly and in compliance with generally accepted accounting principles
(GAAP). Further, the risk assessment shall cover all risks facing the
company, which include, among others, credit; country and transfer;
market, interest rate; liquidity; operational; compliance; legal; and
reputational risks.

c. Control Activities - the organization's policies and procedures which
help ensure that necessary actions are taken to address the potential
risks involved in accomplishing the entity's objectives. They complement
existing policies, procedures and other control systems in place such
as, among others, having clearly defined organizational structure and
reporting lines, delegating authority; adequate accounting policies,
records and processes; robust physical and environmental controls for
tangible assets and access controls to information assets; and
appropriate segregation of conflicting functions.

d. Information and Communication - focuses "on the nature and quality
of information needed for effective control, the systems used to
develop such information, and reports necessary to communicate it
effectively" (Internal Control Issues). An effective internal control
system requires that there are adequate and comprehensive internal
financial, operation and compliance data, as well as external
information about events and conditions that are relevant to decision
making. Information shall be reliable, timely, accessible, and provided
in a consistent format. The company shall have in place a reliable
management information system that covers significant activities and
has the capability to generate relevant and quality information to
support the functioning of internal control. Effective channels of
communication are established to ensure that all personnel fully
understand and adhere to policies and procedures and control
measures relevant to their duties and responsibilities and that relevant
information is reaching the appropriate personnel.

e. Monitoring - involves assessing the quality and effectiveness of the
organization's internal control process over time. It includes assessing
the design and operation of controls, and assessing compliance with
policies and procedures. It also provides for the implementation of
appropriate actions when necessary. Monitoring functions and
activities shall be adequately defined by management, integrated in the
operating environment and should produce regular reports for review.
All levels of review shall be adequately documented and results thereof
reported on a timely basis to the appropriate level of management. The
overall effectiveness of the internal controls is monitored on an
ongoing basis.

CHAPTER 4 - ORGANIZING INTERNAL AUDIT

4.1 TYPES OF AUDIT

There are six general categories of internal audit reviews:

1. Internal Control Reviews - are the most limited form of audit
performed. We will assess the adequacy of internal controls
through completing questionnaires and flow charts. Limited audit
testing will be performed.
2. Financial Audits - address questions of accounting, recording, and
reporting of financial transactions. Reviewing the adequacy of
internal controls also falls within the scope of financial audits.
3. Compliance Audits - seek to determine if Groups are adhering to
government statutory rules and regulations and company policies,
and procedures.
4. Operational Audits - examine the use of company resources to
evaluate whether those resources are being utilized in the most
efficient and effective way to fulfill the company's mission and
objectives. An operational audit may include elements of a
compliance audit, a financial audit, and an information systems
audit.
5. Investigative Audits - are performed when appropriate. These
audits focus on alleged violations of state laws, policies and
regulations. This may result in prosecution or disciplinary action.
Audits precipitated by internal theft, misuse of assets, and conflicts
of interest are examples of investigative audits.
6. Information System (IS) Audits - address the internal control
environment of automated information processing systems and how
these systems are used. IS audits typically evaluate system input,
output and processing controls, backup and recovery plans, and
system security, as well as computer facility reviews.

4.2 SCOPE OF INTERNAL AUDIT FUNCTION

The internal audit function shall both assess and complement operational
management, risk management, compliance and other control functions.
Internal audit shall be conducted in frequencies commensurate with the
assessed levels of risk in specific areas/units/processes.

Permanency of the Internal Audit Function [1]

The internal audit function shall either be established in each of the
BSP-supervised financial institutions or centrally by the parent bank, in case of
group structures involving a parent bank and subsidiary or affiliate
BSP-supervised financial institutions.

Internal audit function in group structures [1]

In case each BSP-supervised financial institution belonging to group
structures has its own internal audit function, said internal audit function shall
be accountable to the financial institution’s own board of directors and shall
likewise report to the head of the internal audit function of the parent bank.

In compliance with BSP Circular 871, the parent bank, Land Bank (LBP), has the
option to audit LLFC [2]. LLFC can send the following reports to LBP-IAG for
notation of LBP’s Audit and Compliance Committee:

1. Annual Audit Plan
2. Quarterly Accomplishment Report

Scope of Internal Audit Function [1]

All processes, systems, units, and activities, including outsourced services,
shall fall within the overall scope of the internal audit function.

The scope of internal audit shall cover, among others, the following:

• Evaluation of the adequacy, efficiency and effectiveness of internal
control, risk management and governance systems in the context of
current and potential future risks;
• Review of the systems and procedures of safeguarding the company’s
physical and information assets;
• Review compliance of activities with relevant laws, rules and
regulations;
• Review the compliance system and the implementation of established
policies and procedures;

[1] BSP Circular No. 871, series of 2015: Internal Control and Internal Audit
[2] Email of Ms. Nerissa Noma, Senior Management Associate of LBP Quality Assurance and Support – IAG, dated October 24, 2018

• Review of areas of interest to regulators such as, among others,
monitoring of compliance with relevant laws, rules and regulations,
including but not limited to the assessment of the adequacy of and
provisions; liquidity level; and regulatory and internal reporting;
• Provides independent, objective assurance and support services
designed to add value and improve the internal control systems, risk
management and governance processes of the organization.

The Internal Auditor should be able to determine the following:

• Risks are appropriately identified and managed;
• Interaction with the various governance groups occurs as needed;
• Significant financial, managerial and operating information is accurate,
reliable, and timely;
• Employees’ actions are in compliance with policies, standards,
procedures and applicable laws and regulations;
• Resources are acquired economically, used efficiently, and adequately
protected;
• Programs, plans, and objectives are achieved;
• Quality and continuous improvement are fostered in the organization’s
control process; and
• Significant legislative or regulatory issues affecting the organization are
recognized and addressed appropriately.

CHAPTER 5 - PERFORMANCE, MONITORING & EVALUATION


5.1 Assessing Internal Audit Performance

Key performance measurement benchmarks outlined by leading research
institutes and a few regulators include:

• Effectiveness of audit in covering key areas
• Feedback of audit findings during audit
• Duration & Timeliness of the audit
• Accuracy of audit findings
• Value of the audit recommendation
• Value added by the internal audit function

5.2 Internal Audit’s Key Performance Indicators (KPI)

A performance indicator or key performance indicator (KPI) is a type of
performance measurement. An organization may use KPIs to evaluate its
success, or to evaluate the success of a particular activity in which it is
engaged. Sometimes success is defined in terms of making progress toward
strategic goals, but often success is simply the repeated, periodic
achievement of some level of operational goal (e.g. zero defects, 10/10
customer satisfaction, etc.). Accordingly, choosing the right KPIs relies upon a
good understanding of what is important to the organization. 'What is
important' often depends on the Group measuring the performance - e.g. the
KPIs useful to finance will be quite different from the KPIs assigned to sales.
Since there is a need to understand well what is important (to an
organization), various techniques to assess the present state of the business,
and its key activities, are associated with the selection of performance
indicators. These assessments often lead to the identification of potential
improvements, so performance indicators are routinely associated with
'performance improvement' initiatives. A very common way to choose KPIs is
to apply a management framework such as the balanced scorecard.

CHAPTER 6 - STRATEGIES & ANNUAL WORK PLANNING

6.1 RISK-BASED ANNUAL PLANNING PROCESS

Audit Planning is the first stage of audit methodology. The development of the
audit plan is based on the analysis of data and information gathered from:

a) Set expectations meeting;
b) Understanding the company and its processes;
c) Identification and prioritization of risks.

For internal audit, risk assessment is a key element in the development of the
annual risk-based internal audit plan. The identification, prioritization and
sourcing of key organizational risks is critical to ensuring that internal audit
resources are allocated to the areas that matter most. Risk-based audit
planning helps auditors to plan the audit process so that it makes a dynamic
contribution to better governance, robust risk management, and more reliable
controls.

In order to meet the above, risk-based audit planning can be divided into
two steps:

• Risk assessment process
• Execution of risk-based audit plan

Risk Assessment Process:

A risk assessment is an effort to identify, measure and prioritize risks facing an
organization in order to focus the internal audit activities in auditable areas
with higher significance.

6.2 AUDIT COVERAGE CYCLE

An auditor should be able to do the following:

• Determine which aspects of current work are to be considered
• Describe and measure present performance
• Develop explicit standards
• Decide what needs to be changed
• Negotiate change
• Mobilize resources for change
• Review and renew the process

6.3 AUDIT PROCESS

The 10 steps of the audit process are enumerated as follows:

1. Notification - The notification process alerts the party to be audited of the
date and time of the process. The notification also will list the documents
that the auditor wishes to review in order to understand the organization of
the company.
2. Planning - Before the audit, the auditor should identify key areas of risk
and areas of concern.
3. Opening meeting - Meeting between audit and senior management, as
well as the staff to be audited. The auditors will describe the process they
will undertake. Management will describe areas of concern to them and
the schedule of the employees that will be consulted.
4. Fieldwork- Begins after the results of the meetings are used to adjust the
final audit plans. Employees are notified of the audit, schedules are drawn
up regarding the activities of the auditor, and initial investigation begins
after learning of business procedures, interviewing key staff, testing
current business practices by sampling, reviewing the law and testing
internal rules and practices for reasonableness.
5. Communication - The auditor should consistently be in contact with the
audited unit to clarify processes, gain access to documents and clarify
procedures.
6. Draft audit is prepared after the completion of the audit. The draft audit will
detail what has been done and what was found, a distribution list of parties
to receive preliminary results, and a list of concerns. The draft is given to
management to review, edit and suggest changes, probe areas of concern
and correct errors.
7. Management response - Management is requested to answer the report by
stating whether they agree with the problems cited, the plan to correct
noted problems and the expected date by which all issues will have been
addressed.
8. Final meeting is designed to close loose ends, discuss the management
response and address the scope of the audit.
9. Report distribution, where the final audit report is sent to appropriate
officials inside and outside the audit area.
10. Audit feedback whereby the audited unit implements the recommended
changes and the auditors review and test the quality, adherence and
effects of the adopted changes. This continues until all issues are adopted
and the next audit cycle begins.

CHAPTER 7 - CONDUCTING INTERNAL AUDIT ASSIGNMENTS

7.1 OVERVIEW OF AUDIT ASSIGNMENT

A typical internal audit assignment involves the following steps:

1. Establish and communicate the scope and objectives for the audit to
appropriate management.
2. Develop an understanding of the business area under review. This
includes objectives, measurements, and key transaction types. This
involves review of documents and interviews. Flowcharts and narratives
may be created if necessary.
3. Describe the key risks facing the business activities within the scope of the
audit.
4. Identify management practices in the five components of control used to
ensure each key risk is properly controlled and monitored. Internal Audit
Checklist can be a helpful tool to identify common risks and desired
controls in the specific process or industry being audited.
5. Develop and execute a risk-based sampling and testing approach to
determine whether the most important management controls are operating
as intended.
6. Report issues and challenges identified and negotiate action plans with
management to address the problems.
7. Follow up on reported findings at appropriate intervals. Internal Audit
groups maintain a follow-up database for this purpose.
8. Audit assignment length varies based on the complexity of the activity
being audited and Internal Audit resources available.
9. Many of the above steps are iterative and may not all occur in the
sequence indicated.

CHAPTER 8 - AUDIT PLANNING

8.1 GENERAL GUIDELINES

Audit Planning is the first stage of audit methodology.

1. The Annual Audit Plan shall consider the following:

a. Data gathered from understanding the organization’s strategies, goals,
objectives, processes, associated business risks and initiatives to
manage risks;
b. Results of set expectations meeting with management and
stakeholders; and
c. Risk assessment or risk scoring undertaken at least annually.

2. The following steps are involved in audit planning:

a. Obtaining an understanding of the company’s business and industry.
Key issues to focus on:

1. Senior Management
2. Management goals and objectives
3. Entity resources of various types, including financial, asset-based,
human, information and intangibles.
4. Products and services, markets, customers and competition
5. Regulatory forces
6. Core processes and operating cycle
7. Investing and financing cycle

b. Develop expectations. An expectation is an estimate of an account
balance based on the auditor’s analysis of the trend of the account.
The three broad types of analytical procedures used to form expectations are:

• Trend Analysis – comparison of a current balance or item with a
trend in two or more prior periods’ balances
• Ratio Analysis – the comparison of a ratio calculated for the
current year with a related ratio for a prior year.
• Model-based procedures – the use of company’s operating data
and relevant external data to develop an expectation for the
account balance, in addition to financial data.

c. Do the computations, analyse the data and pick out significant
differences.

3. The Annual Audit Plan shall be presented to the Audit Committee for
approval in the last quarter prior to the succeeding year. Any significant
changes (i.e., special/urgent audit requests) to the plan will be presented
to the Audit Committee for approval within a month prior to
implementation.

CHAPTER 9 - EXECUTING THE AUDIT PLAN

The objective of this IAG activity is to provide guidance in the execution of the
audit plan that will enable the internal auditors to understand the unit and its
processes, identify and assess the key risks and controls, identify
performance and control gaps on the key processes, and provide
improvement opportunities that will add value in the overall improvement of
the risk management, control and governance processes of the auditee.

This chapter embodies the policies and procedures on how to conduct the
services from engagement planning up to the issuance of pre-exit (i.e.,
regular audit, applications audit and Post Implementation Review), consulting
services and special/fraud audits.

9.1 ASSURANCE SERVICES

Regular audits are conducted at the Group/unit’s level based on IAG’s risk
scoring to provide reasonable assurance to the LLFC BOD and Senior
Management that the internal controls are working effectively and efficiently.

Meanwhile, the Applications Audit of the organization’s system aids Senior
Management in deciding whether the system needs to be enhanced,
terminated, replaced or retained.

On the other hand, the Post Implementation Review (PIR) is typically
performed after the application system has been running live for at least six
months from its implementation.

9.2 CONSULTING SERVICES

A. Consulting services performed by the IAG may vary in nature, type and level
of its preparation in every engagement. The role of IAG in every consulting
service is defined so as not to impair its independence and objectivity.

B. Consulting services may be categorized as to:

1. Formal Engagement

a. Advisory services during development of IT projects of the
Corporation;
b. As observer on various committees and special projects of the
Company.

2. Informal/Special Engagement

a. As a subject matter expert of internal controls relative to the review
of new policies and procedures;
b. As a resource person to various meetings to provide advice/inputs;
and
c. As resource speaker on trainings, seminars and workshops.

9.3 GENERAL GUIDELINES

A. ASSURANCE AND CONSULTING SERVICES

1. The approved annual audit plan and the results of the risk scoring shall
be the bases for assigning assurance and consulting engagements.
2. The Engagement Plan shall be developed and documented for every
engagement with the following considerations, whenever applicable:

a. The objectives of the process/unit being reviewed and the means
by which the process/unit manages its performance;
b. The significant risks to the process/unit and the means by which the
potential impact of risks is kept to an acceptable level;
c. The adequacy and effectiveness of the process/unit’s control, risk
management, and governance vis-à-vis relevant control framework
or model; and
d. The opportunities for making significant improvements to the
process/unit’s control, risk management and governance.

For IT consulting engagements, the objectives, scope, respective
responsibilities, and other expectations shall be agreed with the
client, such as, but not limited to the following:

• Collaborating with project team in establishing and defining
business requirements for computerization project pertaining
to system controls and security requirements;
• Providing advice on the design of systems pertaining to
system controls and security requirements of the application
to be developed;
• Conducting independent testing of the presence of
established controls and security parameters of the
developed application system;
• Reviewing project’s adherence to the System Development
Life Cycle (SDLC) methodologies; and
• Reviewing project management methodologies concerning
issues on security and controls of the application system
being developed.

3. The engagement objectives shall consider the following whenever
applicable:

a. Preliminary assessment of the risks relevant to the activity under
review;
b. Possibility of significant errors, fraud, noncompliance, and other
exposures;
c. Adequacy of established policies and procedures as basis to
evaluate internal controls.

For IT consulting engagements, engagement objectives shall address
governance, risk management, and control processes to the extent
agreed upon with the client.

4. The engagement scope shall be sufficient to meet the engagement
objectives.
5. The appropriateness and sufficiency of resources shall be determined
to achieve engagement objectives based on evaluation of the nature
and complexity of each engagement, time constraints, and available
resources.
6. The engagement work program shall be developed, documented, and
approved before commencing the fieldwork activity with the following
considerations, whenever applicable:

a. Project Team
b. Project Schedule
c. Audit Objectives
d. Nature and extent of testing required;
e. Audit procedures for collecting, analysing, interpreting, and
documenting information during the audit; and

For IT consulting engagement, work program may vary in earlier than
six months from the implementation of the IT system to:

a. Ascertain if the project objectives have been attained
b. Identify processing errors and other unsatisfactory conditions that
were not detected during the development phase.
c. Examine the effectiveness of all elements of the business
application system and identify possible improvements to optimize
the benefit/s
d. Compare actual cost incurred with the estimated project cost
e. Verify if the financial and management reports generated by the IT
solution are in accordance with the requirements
f. Identify potential risks and weaknesses in controls, and recommend
solutions
g. Ensure that IT application system is properly supported and
maintained by concerned units.

7. Issuance of comment sheets and summary of findings (SOF) Pre-exit

a. Audit results shall be initially documented through a Comment
Sheet (Exhibit 7). Each finding shall contain the following
attributes:
1. Criteria
2. Statement of adverse condition including supporting facts and
test results;
3. Effect/implication of the condition;
4. Root cause of the condition;
5. Recommendation for corrective action
b. A comment sheet shall be immediately issued after completion of
each activity/process to give the auditee reasonable time to review
and prepare its response.
c. All audit findings shall be consolidated thru the SOF Pre-Exit which
shall be used in the pre-exit conference.

8. Working Papers Documentation

a. Information shall be gathered, analysed, and documented as
evidence to support audit findings/exceptions. Such evidence shall
be sufficient, competent, relevant and useful as basis for audit
opinions, judgments, conclusions and recommendations.
b. The process of gathering, analyzing and documenting information
shall be supervised and checked to ensure the quality of data.
c. The organization, design, and content of the working papers shall
depend on the nature of services provided (i.e., assurance,
consulting, special/fraud audits).
d. The working papers prepared shall meet the following
characteristics of an effective documentation:

1. Complete and accurate - Working papers shall show the nature
and scope of the work performed, and support the
observations, testing, conclusions, and recommendations.
2. Relevant - Working papers shall contain important and
necessary information that support the scope and objectives of
the audit assignment.
3. Comprehensible - Working papers should be readable.
4. Properly Indexed - Working papers shall be properly indexed.

B. SPECIAL/FRAUD AUDITS

1. Special/Fraud Audit shall be conducted on covered complaints and
fraud incidents as requested by Management and/or LLFC BOD.
2. Special/Fraud audit shall be based on requests, management
instruction, and cases discovered by IAG during regular audits. The
request for special/fraud audit shall be supported by an incident report
and related information/documents.
3. All special/fraud audit requests, even if addressed to IAG unit shall be
submitted to or coursed thru the IAG Head for information and proper
disposition. Discovered cases by the auditor shall be reported to the
IAG Head.
4. Special/fraud audit shall be conducted by the IAG which discovered
such incident during the performance of regular audits.

9.4 DETAILED PROCEDURES

ASSURANCE SERVICES:
A. REGULAR AUDIT
Pre-Fieldwork Activities:

1. Gather initial data/preliminary information of the auditee for the
engagement planning.
2. Organize, analyse and evaluate the following information/data to
acquire sufficient understanding of the unit and its processes,
whenever applicable:
• Group/unit key objectives
• Key result areas and their accomplishment
• Nature of business, products/services and processes/activities
• Risk assessment, strategies and business risk plans to manage
risks
• Manpower complement and personnel movement/competencies
• Results of audit/review by internal auditors and regulatory
bodies (BSP and COA)
• Applicable internal policies and control procedures, laws and
regulations
• Business profile/data analytics (financial statements, loans,
ancillary products)
• Automation/IT system used
• Such other relevant information/data
3. Document the evaluated data/information on the engagement plan
4. Based on the data/information gathered, conduct risk assessment:
• Identify the strengths and weaknesses of COSO components
• Perform assessment of risks residing in sub-processes under
the control activities and identify the controls to be tested.
• Accomplish the risk assessment/scoring matrix (Exhibit 15).
5. Based on the results of risk assessment, complete the engagement
plan and prepare the engagement work program (Exhibit 2/2.1) and
the introduction letter.
6. These planning documents shall be attached or filed in the appropriate
folder or cabinet of the electronic working paper, if any.

Fieldwork Activities:

1. The Internal Auditor/IAG Head shall conduct an opening conference
with the auditee covering the following:
• Audit approach and objectives
• Processes to be covered
• Audit rating system
• Duration, engagement protocols and expectations
• Responsibilities of the auditee and the Internal Auditor on audit
requirements, findings, observations, submission of management
actions taken and plans
• Dates of pre-exit and final exit conferences, whenever applicable
• Other concerns
2. Validate the overall processes, risks and controls of the auditee by:
• Conducting meetings and interviews with key process owners
• Documenting process understanding through SIPOC (Exhibit 5)
• Requiring the process owner to confirm/sign off the updated
SIPOC; for re-audit, a walk-through is undertaken with the unit.
3. Perform test of controls:
• Validate control gaps through the use of applicable audit techniques
(e.g., review, observations, inquiry, inspections, vouching,
recalculations, confirmation and reconciliation). This includes the
validation of actions taken on the previous/open audit findings.
• Test compliance with internal policies, procedures, and
guidelines, and relevant laws, and rules and regulations of
regulatory bodies
4. Document results as follows:
• Prepare the working papers and ensure that these are:
a. Labelled to describe the engagement and period covered;
b. Cross-referenced, whenever applicable;
c. Symbols used are explained;
d. Conclusions are indicated; and
e. For hard copy, documents are signed and dated by the
preparer and reviewer; for electronic working paper,
procedures in the user manual are observed.
• Secure relevant documents (i.e., photocopy, scan, etc.) to support
audit findings, if necessary.
5. Validate with the process owner the identified control
gap/finding/issue.
6. Identify the root causes and effects and provide
recommendations/improvements.
7. Prepare the comment sheet.
8. Issue and discuss the Comment Sheet with the auditee; request the
unit head or representative to acknowledge its receipt.
9. Generate the summary of findings (SOF) Pre-exit to the auditee;
copy furnished the supervising unit; request unit head or
representative to acknowledge receipt.

Post-Fieldwork Activities (Working Paper Indexing)

1. Index working papers accomplished/gathered during fieldwork
2. Affix signature on the appropriate column of the index file
3. File the working papers in accordance with the index number
4. Check working papers as to proper filing and completeness, and
initial on the appropriate portion of the index file
5. For electronic working papers, sign off all audit findings and
accomplish all necessary activities, if any
6. Save the report/files (soft and hard copy) for proper record
keeping.

B. APPLICATIONS AUDIT AND PIR:

Pre-Fieldwork Activities:

1. The Internal Auditor shall prepare the Notice of Audit (Exhibit 4)
containing the following information together with the list of audit
requirements for Applications Audit/PIR addressed to the
Management of the application system to be audited:
• Audit Objectives
• Audit Processes
2. Transmit the notice of audit to the President/CEO.
3. Obtain sufficient understanding of the following areas of the
application system to be audited:

a. For Applications Audit:
• Size and complexity
• Extent of user’s dependency on the system based on the list
of audit requirements
b. For PIR:
• General overview based on the system development report,
policies and procedures, application manual and other
applicable information.

4. Prepare the Engagement Plan (Exhibit 1/1.1/1.2), Engagement
Work Plan (Exhibit 2/2.1) and introduction letter, depending on the
audit activity to be done.

Fieldwork Activities:

1. Conduct opening conference to discuss the following:
• Audit objectives and scope
• Application audit rating
• Timeliness on significant engagement milestones
• Protocols, expectations and other concerns
• Assessment criteria (for PIR only)
2. Distribute survey forms/questionnaires to the system users to be
audited to obtain their understanding/comments regarding the
system.
3. Collect the same at the scheduled date of submission.

For Applications Audit:

4. Obtain understanding of system functionalities/processes through
focus group discussion and process walkthrough. Confirm
understanding of processes and existing controls.
5. Evaluate the effectiveness of the application system
implementation based on the system incident report, results of
user’s survey and feedback from stakeholders.

For Post Implementation Review (PIR):

6. Review project documents, reports, files, policies and guidelines,
and other sources of information to ascertain if the:
• Project met its objectives, delivered desired benefits, and
addressed the requirement cited in the business case and
requirement documents.
• Projected return on investment was achieved.
7. Evaluate the effectiveness of the application system and its
implementation based on systems incident reports prepared by the
System Administrator.

For Applications Audit and PIR:

8. Verify action taken on outstanding issues during PIR (for
applications audit)/System Development Audit (for PIR), if any.
9. Prepare the comment sheet and discuss the finding, impact, root
cause and recommendation with concerned auditee.
10. Assign a control number to every comment sheet and send it to the
auditee for response and action plan.
11. Consolidate the comment sheets with the auditee’s reply in the
summary of findings.
12. Finalize and issue the SOF to the auditee. Request the auditee to
acknowledge its receipt.

Post-Fieldwork Activities:

Refer to the detailed procedures under the regular audit. Refer to
Communicating Results for the detailed procedures for the conduct of
pre-exit and final conference and preparation and issuance of Final
Audit Reports.

C. Special/Fraud Audits:

Special/Fraud Audit Initiation:

1. Upon receipt of the memo-request or report of discovery, the
Internal Auditor shall determine if the request is within the scope of
authority of IAG.

Special/Fraud Audit Planning:

1. Prepare introduction letter
2. Gather information through the following sources:
a. HRIS data of employee involved;
b. Report of crime and losses;
c. Incident report and updates;
d. Investigation reports;
e. Interview with the Unit Head (for updates and clarification);
f. Other relevant information (e.g., latest pay slip of suspected
personnel involved, advance copies of documents, related
policies and guidelines on processes affected by the case)
3. Develop a case theory based on the Fraud Examinations
Methodology (Annex 4)
4. Formulate the audit program based on the case theory developed.
5. Prepare the Introduction Letter and Audit Program.
6. The Group/Unit Head reviews and approves the Audit Program, signs
the Introduction Letter and returns them to the IAG.
7. IAG to coordinate with the unit concerned on the requirements for
the conduct of the special/fraud audit.
8. Schedule the conduct of fieldwork.

Executing the Audit Program:

1. Present the introduction letter to the concerned unit Head and
discuss the requirements of the special/fraud audit.
2. Based on the approved audit program, conduct the special/fraud
audit.

For communicating results, refer to procedures in reporting
special/fraud audit (Exhibit 11).

9.5 INTERNAL CONTROLS

A. ASSURANCE SERVICES

1. All units shall conduct audit engagements (i.e., regular, applications
and PIR audits) only within the approved IAG Annual Audit Plan. Any
change in the plan shall be approved by the Audit Committee.
2. The Internal Auditor shall ensure that the fieldwork is within the
engagement plan/work program. Any deviations thereto (e.g., change
in the engagement period, scope, etc.) shall be subject to approval of
the Group/unit head.
3. The Internal Auditor shall practice adherence to the IAG rules of
conduct, policies and procedures in the performance of their duties and
responsibilities.
4. The Internal Auditor assigned during the development period of the IT
system should not be assigned to perform an application system audit of
that IT system.

B. CONSULTING SERVICES

1. Any participation of Internal Auditor in every IT project shall be covered
by a Special Order (SO).
2. The Internal Auditor assigned to a particular IT project/system shall not
perform any future audit engagement (e.g., PIR, application audit, etc.)
involving the same IT project/system to preclude impairment to
independence.
3. The Internal Auditor’s competency shall be considered in assigning
any consultancy services.
4. IAG shall make full disclosure to the concerned unit pertaining to its role in
every type of consultancy service it will perform.

C. SPECIAL/FRAUD AUDITS

1. The Internal Auditor must possess competency, expertise, and
objectivity in the assigned Special/Fraud Audit engagement.
2. For monitoring purposes, all requests for Special/Fraud Audit/report of
discovery shall be recorded with the following minimum information:
a. Date received
b. Requesting/reporting unit
c. Subject
d. Assigned to
e. Instructions
f. Date of final report
3. If during the conduct of Special/Fraud Audit, additional information
gathered suggests the need to change the Audit Program, the same
shall be reported and approved by the concerned Group/unit head.
4. Documentation of information and handling of audit evidences shall be
in accordance with the IAG’s working paper/evidence handling policy.
5. In case of extension for the conduct and reporting of Special/Fraud
Audit, the concerned Dept/Unit Head shall seek approval of the
Internal Auditor.

CHAPTER 10 - COMMUNICATING RESULTS

The audit report is the key deliverable of IAG. It reflects the quality of the
audit work performed, judgment and integrity of the role of the internal
auditors of LLFC. Maximum impact can be achieved only if the results of the
audit are communicated clearly and effectively to the intended parties.

Through reports, internal auditors have an opportunity to get management’s
attention. Reporting can be regarded as an effective medium to show
management how the internal audit function can help and add value to the
Corporation.

This chapter establishes the guidelines and procedures for communicating
audit results in compliance with the requirements of the International Standards
for the Professional Practice of Internal Auditing (ISPPIA). The reporting
standards relate to the form of the report, its content, and manner of issuance
and distribution.

10.1 GENERAL GUIDELINES

Audit Reports shall have the following characteristics:

• Accurate – free from errors and distortions and are faithful to the
underlying facts
• Objective – fair, impartial, and unbiased and are the result of fair-minded
and balanced assessment of all relevant facts and
circumstances
• Clear – easily understood and logical, avoiding unnecessary technical
language and providing all significant and relevant information
• Concise – direct to the point and avoid unnecessary elaboration,
superfluous detail, redundancy, and wordiness
• Constructive – emphasis is on improvement and not on criticism of
people or past action/event
• Complete – lack nothing that is essential to the target audience and
include all significant and relevant information and observations to
support recommendations and conclusions
• Timely – opportune and expedient, depending on the significance of
the issue, allowing management to take appropriate corrective action.

A. REGULAR/APPLICATION AUDIT/PIR/CONSULTING SERVICES

1. A pre-exit conference with the auditee shall be held at the end
of the fieldwork to discuss the findings, recommendations, and
content of the audit report. This activity shall ensure that there
are no misunderstandings or misinterpretations of facts by
providing the opportunity for the auditee to clarify specific items
and to express views on the findings and recommendations.
2. For regular audit, an overall control assessment summary shall
be prepared to serve as reference/guide in rating the
unit/process. For Applications Audit and PIR, Summary of
Findings (SOF) shall be the basis for rating/assessment.
3. A final exit conference shall be conducted (except for consulting
services) to discuss the audit results with the Unit Head
concerned. It is not normally conducted for PIR but may be done
upon request of the auditee.
4. After the final exit conference, a final rating of the unit/process
audited in accordance with the Audit Rating System shall be
presented (except for PIR and Consulting Services). PIR shall
be assessed based on the objective of the project and defined
criteria (i.e., Acceptability, Usability, and Sustainability).
5. The Final Audit Report consisting of the covering memorandum
and Executive Summary for Regular Audit (Exhibit 8); for
Applications Audit (Exhibit 10); for PIR (Exhibit 9) shall be:

a) Signed by the Group/Unit Head concerned and duly
endorsed by the IAG Head.
b) Addressed to the President and CEO and the
Chairman of the Audit Committee, copy furnished the
units concerned and audited.
c) Issued within 30 calendar days from the date of final
exit conference.

The Covering Memorandum of the Final Audit Report shall
include:

i. Date of the report, the addressee, the subject of
the audit, and the cut-off date (last day of
fieldwork);
ii. Audit objectives, audit period, scope and any audit
limitation;
iii. Disclosure that the audit was conducted in
accordance with ISPPIA;
iv. Overall assessment/rating (such as exemplary,
acceptable, below acceptable or unsatisfactory)
except for PIR and Consulting Services;
v. Significant findings or issues noted or
acknowledgement of satisfactory performance.
vi. Disclosure that the audit results are summarized in
the Executive Summary and the detailed findings,
recommendations, management responses and
action plans are in the SOF provided to the
audited and supervising units.
vii. The position title of personnel/attendees and date
of preliminary and/or final exit conferences.

On an annual basis, IAG shall report significant audit findings to the
President and CEO within 45 calendar days after the end of the year.
These reports shall summarize the major findings noted during each
period and indicate the corrective actions already implemented or
management’s plan for corrective action.

B. FOR SPECIAL/FRAUD AUDITS

a. Special/fraud audit report shall be prepared in accordance with IAG
Special Report format (Exhibit 11).
b. The Special/Fraud Audit Report shall be addressed to the President
and CEO, the Audit Committee Chairman and copy furnished the
Legal Dept., Group Head concerned and the IAG unit.

In addition to the submission of audit reports, IAG shall communicate
results/status of its accomplishments to the Audit Committee every
semester including the summary of major findings mentioned in Item
2.g.

10.2 DETAILED PROCEDURES

A. ASSURANCE AND CONSULTING SERVICES


Preliminary Exit Conference:

1. Meet with the unit head/personnel of the auditee to discuss the
audit findings, recommendations and action plans using the SOF
Pre-Exit.
2. If necessary, perform additional procedures to validate new
information presented.
3. Co-develop with the auditee the action plans to address the
issues/exceptions.
4. Decide if the particular audit finding will be considered as “out”,
closed, or will remain outstanding.

Final Exit Conference:

1. The Internal Auditor prepares the Audit Report including the
CAS/SOF/General Assessment.
2. Conducts the final exit conference with the Auditee’s
management/stakeholders to discuss the audit results.
3. Evaluates responses and documents presented by the auditee’s
management.
4. Conduct re-assessment, if necessary, and discuss the audit rating.

Issuance of Final Audit Report to the Audit Committee and Senior
Management:

1. Prepare the Final Audit Report.
2. Forward the Final Audit Report to the Group/Unit Head concerned
for signature.
3. Unit Head receives and signs the duplicate copy of the Final Audit
Report and forwards the signed copy to the Internal Auditor as file
copy.

B. SPECIAL/FRAUD AUDITS:

1. Prepares Special/Fraud Audit report addressed to the appropriate
bodies/units such as the President, CEO, Audit Committee and
Legal.
2. Transmits the Special/Fraud Audit Report to the appropriate
bodies/units.
3. Provide a copy of the report for file and update the Special/Fraud
Audit database.

C. PREPARATION AND SUBMISSION OF AUDIT REPORTS

Internal auditors typically issue reports at the end of each audit that
summarize their findings, recommendations, and any responses or
action plans from management. An audit report may have an executive
summary; a body that includes the specific issues or findings identified
and related recommendations or action plans; and appendix
information such as detailed graphs and charts or process information.
Each audit finding within the body of the report may contain five
elements, sometimes called the "5 C's":

1. Condition: What is the particular problem identified?
2. Criteria: What is the standard that was not met? The standard may
be a company policy or other benchmark.
3. Cause: Why did the problem occur?
4. Consequence: What is the risk/negative outcome (or opportunity
foregone) because of the finding?
5. Corrective action: What should management do about the finding?
What have they agreed to do and by when?

The recommendations in an internal audit report are designed to help
the organization achieve effective and efficient governance, risk and
control processes associated with operations objectives, financial and
management reporting objectives; and legal/regulatory compliance
objectives.

Audit findings and recommendations may also relate to particular
assertions about transactions, such as whether the transactions
audited were valid or authorized, completely processed, accurately
valued, processed in the correct time period, and properly disclosed in
financial or operational reporting, among other elements.

Under the IIA standards, a critical component of the audit process is
the preparation of a balanced report that provides executives and the
board with the opportunity to evaluate and weigh the issues being
reported in the proper context and perspective. In providing
perspective, analysis and workable recommendations for business
improvements in critical areas, auditors help the organization meet its
objectives.

A well-written internal audit report is an effective tool for management,
the audit committee and the process owners affected by the report to
bring about positive change and to improve controls, accuracy of
information and the underlying process reviewed.

The report should consider the following questions:

1. Objective and background: Why was the area selected for audit?
Was it due to inherent or perceived high risk, known problems,
history of past issues, a management change, materiality of the
area or other factors? What are the key aspects, risks and
objectives of the area reviewed? Was it part of the original plan
arising from the risk-assessment process?
2. Scope: What was the scope of the work and when was it
performed? What time period and business units did it cover, and
which facets of operations were included? What key risks did the
work try to address?
3. Findings: What were the overall findings? How severe were they?
Are there only minor issues to be addressed, or are there
significant deficiencies in internal controls or the process being
reviewed?
4. Recommendations: What actions must management take to
adequately address the audit findings? Recommendations in the
audit report should state precisely what needs to be changed or
fixed.
5. Management action plans: Is there a clear plan to correct the
deficiencies noted? Who will take responsibility for the corrective
action? When will the issues be corrected?
6. Follow-up and tracking: How is internal audit monitoring
management’s progress in addressing noted deficiencies?
Quarterly and annual internal audit reporting to the audit committee
should include tracking and confirmed resolution of management
action plans resulting from audit findings.

10.3 INTERNAL CONTROLS

1. Audit reports shall be reviewed to determine whether the facts logically lead to
the conclusions and recommendations and whether these are supported by
documents/evidence before the same are issued to the recipients.
2. Conduct of Final Exit Conference beyond the allowable period shall be
subject to the approval of the IAG Head.
3. Internal Audit Reports are confidential and shall not be distributed to
parties other than the intended recipients without the approval of the
IAG Head.

CHAPTER 11 - AUDIT TOOLS AND TECHNIQUES

11.1 Collection of Audit Evidence

Auditors use different methods of audit evidence collection such as:

1. Inspections - This involves physical examination of supporting
accounting documentation, contracts, records and board of directors'
minutes. It also includes physical examination of the assets. This
enables the auditor to verify the existence but not necessarily
ownership and valuation of assets.
2. Observation - This involves looking at a process or procedure being
performed by others. For instance, observation of payment of wages
and salaries, physical count of inventory or opening of mail. This helps
the auditor to have an assurance whether official procedures are
followed.
3. Inquiry and confirmation - Inquiry consists of seeking information from
knowledgeable persons inside or outside the entity. It may range from
formal written inquiry to oral inquiries. Confirmation consists of
corroborating evidence from third parties with the internal evidence.
For instance, the auditor may verify accounts receivable by
circularizing the debtors.
4. Computations - This involves verifying the arithmetical accuracy of
accounting records or account balances. The auditor does this by
independently recalculating account balances to establish how they
were arrived at.
5. Analytical review procedures - This involves analysis of significant
accounting ratios and trend performance, including investigation of
fluctuations that occur between the current financial performance and
the previous one, and checking whether other information is consistent
with such relationship.
6. Computer assisted audit techniques - This is audit software that
enables the auditor to perform significant audit tasks that may include:

• Computation of tax liabilities.
• Performance of regression analysis to determine slow moving
items.
• Preparation of debtors listing and age analysis of debtors.

11.2 Audit Evidence Documentation

From the initial client interview all the way down to issuing the audit report,
the Internal Auditor should keep a record of all the work done. This
information is kept in the audit file and shows the basis for the conclusions
reached. The audit file comes in many shapes and forms, all of which will be
classified as either permanent or current.

The permanent audit file

The Internal Auditor carries forward documents in the permanent file from
year to year. The file forms the base for planning the subsequent year’s
audit. Most of the information in the permanent file doesn’t change from one
year to the next.
Documents kept in the client’s permanent file:
a) Copies of the company’s incorporation documents: Businesses
have to file articles of incorporation, which cover the basics
about the company such as its name, address, the stock it
issues (what type and how many shares), and the registered
agent.
b) Chart of accounts: The numerical listing of all the company’s
asset, liability, equity, revenue, and expense accounts serves as a sort
of road map to figure out where certain accounts should be
showing up in the company’s general ledger. The general ledger
shows all the accounts in the chart of accounts and lists what
transactions affect them during the year under audit.
c) Organization chart: This document shows the levels of
management from the head all the way down to the lowest
member of the staff.
d) Accounting manual: The manual provides an overview of how
the accounting functions of a company work. It provides a guide
to the responsibilities of each accounting Group and how
accounting employees should do their jobs.
e) Copies of important leases or contracts: You should have a
copy of the contracts for any property, plant, or equipment the
company leases. You use this information to verify rent expense
on the financial statements. Any major contracts with suppliers,
customers, or unions are also kept in the permanent file.
f) Internal control documentation: Any records the Internal Auditor
keeps or write-ups done during the evaluation of the company’s
internal controls are kept in the permanent file.
g) Stock and bond issuances: These documents list the number of
shares outstanding and give information on the terms of any
bonds.
h) Prior years' analytical procedures: Use these documents to see
whether plausible and expected relationships exist in both
financial and nonfinancial data from year to year.

The current audit file

The current file contains all the work of the Internal Auditor on the current year’s
audit.

Some examples in the current file:

a) Audit Plan: The road map for conducting the current year’s audit is
definitely included in the current file. This plan includes an
understanding of the client, the allocation of firm resources, and
risk assessments.

b) Working trial balance and work papers: A really simple
explanation of a trial balance is that it’s a chart of accounts with
ending balances for each account. The purpose of the trial
balance is to show that the fundamental accounting equation
(assets = liabilities + owners’ equity) is satisfied.

c) Journal entries: All adjusting and reclassification entries
recorded and booked.

CHAPTER 12 - MONITORING OF ACTION PLAN

The value of the audit must be assessed to assure that the findings and
recommendations, reflecting cost-conscious, workable and timely solutions,
have been achieved to some quantifiable degree and provide value to the
organization.

The monitoring of action plan, one of the major components of the Audit
Methodology, is designed to ensure the adequacy, effectiveness, and
timeliness of audited unit’s corrective actions to address audit
findings/observations and recommendations.

Monitoring of action plan wraps up the whole internal audit process. This IAG
activity is as important as the other activities of the internal audit process
because it measures the effectiveness of IAG in providing value in improving
the corporation’s operation through client acceptance/rejection of
recommendations. IAG should establish and maintain a system to monitor
the disposition of the audit results, and a follow-up process for the effective
implementation of the approved audit recommendations. The procedure
should include the assessment of action plans taken on the report and the
status thereof.

12.1 GENERAL GUIDELINES

1. The Internal Audit group should have a system that provides the
structure and discipline to promote action on audit recommendations. It
should ensure that recommendations are aggressively pursued until
they have been resolved and successfully implemented. A follow up
system should adequately meet the basic responsibility for resolving
and implementing audit recommendations.
2. The Internal Auditor should establish and maintain a system to monitor
and follow-up disposition of results communicated to Management.
Follow-up by Internal Auditors is defined as a process by which they
determine the adequacy, effectiveness and timeliness of actions taken
by Management on reported audit observations and recommendations.
3. The Internal Auditor should establish procedures to include the
following:

a. A time frame within which management’s response to the audit
recommendations is required.
b. Evaluation of management’s response.
c. Verification of action plan. Documentation to carry out action plans
should be examined.
d. Follow-up audit. Implementation of the action plans should be
tested. If action is satisfactory, the recommendation should be
closed.

4. Action Plans submitted shall be evaluated as to whether they are aligned with the audit
findings and recommendations. Their implementation shall be validated as to
its truthfulness. Clarification shall be made, if necessary.
5. Open findings/issues shall be monitored and validated/reviewed in the
next audit engagements as part of the standard audit procedure.
6. The results of evaluation of the Action Plan shall be communicated to the
concerned unit not later than a month before the cut-off date of the next
quarterly update.
7. Unacted major findings shall be elevated to the supervising unit.
8. If the audited unit opts to accept the risk on any noted major findings, it
shall be communicated to the appropriate level via the Management
Acceptance Risk Report (MARR) with a copy furnished to IAG. The same
shall be consolidated and presented to the Management Committee
before presentation to the Audit Committee.
9. After every audit engagement, a summary of policy issues, if any, shall be
forwarded to the concerned unit for appropriate action.

12.2 INTERNAL CONTROLS

1. Incoming documents shall be duly acknowledged, dated and initialed by
the Internal Auditor.
2. The Internal Auditor shall be responsible for the proper safekeeping of
records.
3. Back-up of records shall be maintained offsite or in a fire-proof records
vault.
4. All boxes for storage shall be properly labelled and sealed prior to
safekeeping.

12.3 DETAILED PROCEDURES

Monitoring Progress and Follow-Up Activity:

1. Prepare a summary of open findings/issues.
2. Monitor auditee's submission of action plans (Exhibit 13), to wit:
a. Initial Action Plan – 15 days after issuance of the Final Audit
Report
b. Quarterly Action Plan – not later than one month after the end of
the calendar quarter (first quarter update shall be due on the
succeeding quarter after the initial action plan submission).
3. Prepare follow-up letter to the Auditee, if the auditee fails to submit the
action plan on dates specified in no. 2.
4. Upon receipt of the action plan/action taken by the auditee, IAG will evaluate and
assess the action plan submitted and close those resolved
findings/issues if acceptable.
5. Prepare transmittal memo addressed to the auditee for the remaining
open findings/issues.
6. Send the approved documents to the auditee.

CHAPTER 13 - SECRETARIAT FUNCTIONS


Aside from providing assurance and consulting services, IAG plays a vital role
in the corporation by providing secretariat services to the Audit Committee.
The Audit Committee is a Board-level committee that assists the BOD in
fulfilling its oversight responsibilities over the LLFC’s financial reporting
policies, practices and control, internal and external audit functions, and
compliance function.

This chapter discusses the policies and procedures adopted by IAG in
performing its functions as secretariat.

13.1 GENERAL GUIDELINES

1. IAG shall provide secretariat services to the Audit Committee in the
following areas:

a. Schedule and logistics of Committee meetings;
b. Maintenance and custody of records;
c. Preparation and distribution/dissemination of Minutes of Meetings,
Notices of Resolutions/Directives/Instructions; and
d. Preparation of accomplishment report.

2. Issuances of notices/directives of the Audit Committee shall be within the
prescribed period.

13.2 DETAILED PROCEDURES

A. Pre-Meeting Activities:

1. Preparation of Annual Schedule of Meetings

a. At the start of the year, prepare a memo detailing the tentative
annual schedule of meetings. Any changes to the scheduled
meetings shall be coordinated with the Committee members.
b. Transmit the approved memo to the Committee members.

2. Receipt of Audit, Investigation Reports and related documents

a. Record the receipt of the documents in the logbook.
b. Assign a reference number for each case.
c. Within two days, prepare a memo requiring the functionally
involved personnel to submit explanations not later than ten
days from receipt and transmit the same to the recipient thru
personal delivery or thru courier.
3. Determination of Attendees and Preparation and Distribution of
Materials
a. Confirm the availability of the Committee members.
b. Prepare proposed agenda and secure clearance from the
Chairman of the Audit Committee.
c. Based on the proposed agenda, photocopy related documents
and ensure completeness.
d. Coordinate with concerned unit/Group on the submission of
presentation materials, if any.
e. Distribute materials to the Committee members and resource
persons/observers at least two days before the scheduled
meetings.
f. Prepare action sheets detailing the names of the cited
personnel, findings attributable to the personnel based on IAG,
responses of personnel, policies violated.

B. During the Meeting:

1. Present the action sheet on the case/matter being deliberated.
2. Indicate the resolutions/instructions of the Committee on the action
sheet.
3. Route the Action sheet to the Committee members for approval.
4. Record discussions of the Committee.

C. Post-Meeting Activities:

1. Transcribe the recorded discussions and prepare the Minutes of the
meeting.
2. Review the Minutes of the Meeting within two working days.
3. Include the Minutes of the Meeting in the agenda of the next
meeting for the approval of the Committee.
4. Submit the approved Minutes of the Meeting to the Chairman and
members for their signatures.
5. Transmit the approved Minutes of the Meeting as follows:

• Audit Committee – for BOD notation/confirmation
• Management Committee – for information

D. Preparation of Accomplishment Report

1. Prepare an annual Accomplishment Report for the Audit
Committee.
2. Present and submit the report to the Audit Committee for BOD.

13.3 INTERNAL CONTROLS

1. Minutes of meeting of the Audit Committee shall be presented to the LLFC
BOD and to the Audit Committee, respectively for notation/confirmation.
2. Minutes of meeting and related files/documents shall be handled and
secured by the IAG.
3. The recorded discussion in audio form shall be maintained in accordance
with record disposition schedule.
4. A folder shall be maintained for all incoming and outgoing communication
for the committees.
5. All pages of the Minutes of Meeting shall be signed by the Internal Auditor.

CHAPTER 14 - ADMINISTRATIVE FUNCTIONS

This chapter discusses in detail the policies and procedures adopted by IAG
in the following areas:

1. Personnel Management – covers the determination of manpower
requirement, hiring, promotion, retirement, resignation or transfer of
IAG personnel, training/seminars, performance management,
personnel policies, communication policies, conduct of managers/staff
meetings, and orientation of newly-hired internal auditors;
2. Pre and Post-Fieldwork Activities – covers the preparation of cash
advances, travel orders, liquidation of cash advances;
3. Records Management – covers the handling, filing, retention and
disposition of files and records including the maintenance of back-up
files; and
4. Supplies and Property Management – covers the handling of
requisition, receipt, issuances and inventory of office supplies.

14.1 PERSONNEL MANAGEMENT

1. Determination of Manpower Requirement


The manpower complement of IAG shall complement the Annual Audit
Plan.

2. Hiring, Promotion, and Retirement/Resignation/Transfer of IAG Personnel

a. The hiring and promotion of IAG personnel shall be in accordance
with approved qualification standards for internal auditors and LLFC
policies.
b. The processing and approval of retirement/resignation/transfer of
IAG personnel shall be subject to existing LLFC policies (i.e.,
clearance, proper turn-over of accountabilities, etc.)
c. Newly-hired auditors shall be oriented on the following matters
pertaining to LLFC and IAG prior to fieldwork:
• Organizational Structure
• Rules of Conduct
• Policy on Conflict of Interest
• Competency Framework and Development Program
• Facilities and Emergency Preparedness
• Internal Audit Standards, Concepts and Methodologies
d. Newly-hired auditors shall be introduced to officers and staff.

3. Trainings/Seminars

a. The training requirement of IAG personnel shall be assessed against
the competencies required for the position and Annual Audit Plan.
b. IAG personnel shall be trained and developed based on the approved
competency framework and development program to ensure that they
have the comprehensive set of competencies relevant to the broad
spectrum of internal audit work.
c. A competence framework is the integrated knowledge, skills, judgment,
and attributes that people need to perform a job effectively. Having a
defined set of competencies for each role in the business shows
workers the kind of behaviours the organization values, and which it
requires to help achieve its objectives. Not only can team members
work more effectively and achieve their potential, but there are many
business benefits to be had from linking personal performance with
corporate goals and values.

4. Performance Management

a. There shall also be a performance evaluation at the end of each audit
engagement to provide feedback to IAG auditors on their strengths and
weaknesses. The completion of such feedback on performance shall
be accomplished on a timely basis, usually within two weeks after the
completion of the fieldwork.
b. During the formal performance evaluation process, the consolidated
assignments performance feedback shall be considered against the
agreed-upon targets.

5. Personnel Policies

Each employee shall strictly adhere to the Personnel policies of LLFC as
contained in the LLFC Administrative Policies and Procedures Manual and
other existing guidelines.

6. Communication Policies

a. All outgoing memoranda shall be approved/signed by the IAG Head.
b. All communications through use of telephones, notes and internet shall
be in accordance with LLFC’s existing policies.

7. Handling of Administrative Offenses/Violations/Conflicts

a. Reporting and resolutions of violations/offenses of office rules shall be
handled in accordance with LLFC’s existing policies (i.e., Rules of
Conduct, Office Decorum, Administrative Disciplinary Cases, etc.)
b. Any major conflict involving IAG personnel that affects the internal audit
work shall be resolved at once, thru proper protocol, to preclude further
damage to professional relationship of these personnel or to the
reputation of IAG from the viewpoint of its stakeholders.
c. The proper protocol in cascading/reporting information shall be by
levels of authority.

14.2 PRE- AND POST-FIELDWORK ACTIVITIES

1. Cash advances/Travel Orders/Liquidations


IAG personnel shall adhere strictly to LLFC’s policies and guidelines on
Official Travel.

14.3 RECORDS MANAGEMENT

IAG shall adhere to the existing policies on records retention and disposition.
In addition, the following shall be observed:

1. Incoming and outgoing documents should be filed properly.
2. There should be maintenance of files after the end of every engagement
for safekeeping.
3. The culling and archiving of documents shall be based on the existing
policies of the corporation.
4. Classification of records to be retained and disposed shall be based on the
Record Management Table of IAG.

14.4 SUPPLIES AND PROPERTY MANAGEMENT

Handling of supplies and properties shall be in accordance with LLFC’s
existing policies.

CHAPTER 15 - OTHER SERVICES

This chapter covers other assignments being carried out or services
provided/performed by IAG which are not included in the Annual Audit Plan.

15.1 GENERAL GUIDELINES

A. Issuance of Personnel Clearance

• Processing and issuance of clearances shall be supported by a
request and shall be handled in accordance with existing policies and
guidelines.
• The request shall be routed to IAG for audit inputs.
• The inputs on the clearance shall be transmitted to the requesting
unit/personnel upon approval of IAG head.

B. As Observer on Various Committee and Special Projects of LLFC

• The nomination of IAG representatives shall be approved by the IAG
Head.

C. As Subject Matter Expert of Internal Controls Relative to Review of New
Policies and Procedures

• IAG personnel assigned to review the new policies and procedures of
the corporation shall comment particularly on matters related to
internal controls, risks and other issues to the best interest of LLFC.

D. As Resource Person to Various Meetings to Provide Advice/Inputs

• Attendance of IAG personnel to various meetings as resource person
shall be upon instruction of IAG Head and/or Audit Committee.

CHAPTER 16 - OPERATIONAL RISK MANAGEMENT

As an integral part of LLFC’s Risk Management System, IAG shall identify the
risks involved in its operations, assess the impact and probability of
occurrence of the identified risks, suggest parameters for measurement of
said risks, and recommend mitigating measures to control risk occurrence.

This chapter was prepared and designed to achieve the following objectives:

• Provide guidance and ready reference on risk management to IAG;
• Set forth best practices and procedures to facilitate execution of risk
management; and
• Clarify the roles and responsibilities of IAG in managing risks.

16.1 GENERAL GUIDELINES

1. The IAG Head shall be designated as the Operations Risk Manager
(ORM) of the unit, in addition to the existing functions.
2. The ORM shall refer to the Risk Management Manual for operations risks as a
reference guide in preparing the RCSA.
3. The IAG Head shall adopt the following steps/phases in risk
management:

a. Identification
The Group/Unit shall determine the origin of risks, weaknesses
in business process of the corporation and the relevant services
executed by third parties whether existing or emerging.
b. Measurement
The Group/Unit shall assess the magnitude of risks. It shall
quantitatively and qualitatively determine the consequences,
including the financial impact of possible worst-case scenario
risk events.
c. Control
The Group/Unit shall implement measures to reduce risks or to
maintain risks within the corporation’s risk appetite. It shall
implement at all times the policies, systems, and procedures
approved by Risk Committee or LLFC’s BOD to address risks.
d. Monitoring
The Group/Unit shall track and evaluate the effectiveness and
status of risk management controls. The Group/Unit shall
monitor risk to determine if:

• Risk management strategies or responses crafted have
been implemented as planned;
• Risk action plans are effective in addressing the risks or if
new responses should be developed;
• Risk exposures of the corporation have changed from its
prior state and decide on whether risk priorities should be
updated;
• New risks have occurred that were not previously
identified or residual risks are still existing and require
new responses; and
• Business assumptions are still valid and if there is a need
to revisit and revise the corporation’s risk management
framework (refer to Risk Management Manual).

4. The Group/Unit may use the following management tools/reports in
mitigating the risks:
• Risk and Control Risk Assessment (RCSA) (Exhibit 15)
• Business Continuity Questionnaire (BCQ) Validation Form
(Exhibit 14)
5. All documents containing data/information shall be classified based on
the levels of sensitivity and criticality.
6. The RCSA Matrix shall be monitored for compliance by the Group
Head. The RCSA shall be updated as the need arises or at least once
a year.
7. Specific actions shall be undertaken to manage risks that have been
identified and prioritized and the unit may adopt any of the following
risk treatment or strategies to address the same:

a. Risk Avoidance – taking steps to remove the hazard,
engage in another activity or end a specific exposure (e.g., divest,
prohibit, stop or eliminate).

The business unit shall opt for risk avoidance if the potential
gain is lower than the expected risk cost, taking into
consideration several aspects such as time horizon, available
specialized expertise, compliance, strategies and reputation
risks.

b. Risk Reduction – also called risk mitigation, is a systematic
reduction of the extent of exposure to a risk and/or the likelihood
of its occurrence (e.g., disperse or control).

The business unit shall aim to reduce loss frequency and loss
severity which can both be achieved by adhering to the
corporation’s internal control measures. These controls may be
preventive, detective or recovery.

The following are the corporation’s internal controls:

1. Guidelines and procedures – policies approved by the BOD are
guided by implementing guidelines and procedures through the
issuance of manuals.
2. Separation of functions – employees’ duties and responsibilities
are supported and documented by job descriptions. Check and
control balance is being maintained in processing corporation’s
transactions. No employee is allowed to have full authority to
process a transaction.
3. “Need-to-know-principle” – access to information is limited to
accountable employees who “need-to-know” or “need-to-do”.
4. Physical access control – all personnel are required to wear
Personal Identification within the LLFC premises.
5. Limit Management – approving levels of transactions are
defined in LLFC’s Codified and Signing Authority (CASA)
6. Conduct of Periodic asset inventory
7. Disaster recovery and business continuity planning

c. Risk Transfer – risk sharing or transfer is a risk management
strategy in which risk is shifted to another party (e.g., insurance,
outsourcing, warranty or indemnity).

The business shall take this option if a risk cannot be controlled or
can be partially reduced by internal controls or if the cost of controls
is higher than the expected loss. Decision to transfer risk shall
consider the corporation’s risk appetite; the risk is so high that it
cannot simply be accepted.

d. Risk Acceptance – The business unit shall take this option if, after
a cost-benefit analysis, the expected loss is lower than the cost of
risk management activities to mitigate the risks (e.g., reprice,
self-insure, offset or plan).

16.2 DETAILED PROCEDURES

A. RCSA Matrix

1. The designated personnel shall accomplish the RCSA template
(Exhibit 15) provided.
2. Select the applicable Mega and Major Process format (refer to Annex
1 – list of LBP’s ManCom-approved processes).
3. Indicate Sub-process and Activity for risk assessment.
4. Assign risk reference using the following format:

IAG-2014-001
Where: IAG  - Unit name
       2014 - Year of assessment
       001  - Count per risk
5. Select from the identified operational risk (business process) to be
assigned.
6. Indicate in the “risk driver” column the causes of risk.
7. In the risk management manual, select the appropriate category.
8. Indicate in the “inherent loss” column the estimated amount of loss
(in absolute Peso amount) in case the risk event happens, without
considering any control.

The amount of loss may be:

Hard Loss:

• Costs due to actual loss of equipment (acquisition cost)
• Costs due to re-work (normalization)
• Costs due to resolution of disaster/emergency
• Costs due to consultant’s time, parts repair and replacement
costs.
• Hourly costs due to downtime to production, production capacity
per hour versus non-productive use of staff time.

Soft Loss:

• Costs due to opportunity loss (forgone income)
• Contingency costs (not budgeted, additional cost due to
inflation, etc.)

a. This column is mandatory and the basis for the computation of
potential inherent loss must be filled and be readily available for
audit purposes.
b. Impact level and score columns will be automatically
computed/filled out as follows:

IMPACT LEVEL    Amount Estimated Damages    IMPACT SCORE
Very low        0 to 6.9                    1
Low             7.0 to 13.9                 2
Moderate        14.0 to 20.9                3
Major           21.0 to 27.90               4
Severe          28.0 and above              5

9. Indicate existing controls to manage occurrence of risks or mitigate its
impact.
10. Select from the following the applicable Control Adequacy Description

Description                 Control Adequacy Score   Definition
Completely under control    1                        • Existing policy and procedures are in place
                                                     • Effectively implemented
                                                     • No BSP or IAG exception related to the risk
                                                     • Zero historical risk event
Tight Control in place      2                        • Existing policy and procedures are in place
                                                     • Effectively implemented
                                                     • With minor BSP or IAG exception related to the risk
                                                     • One historical risk event in a year
Moderate Control in Place   3                        • Existing policy and procedures are in place
                                                     • With some flaws on the implementation
                                                     • With moderate BSP or IAG exception related to the risk
                                                     • More than two historical risk events in a year
Some Control in Place       4                        • Some existing policy and procedures are in place
                                                     • Not effectively implemented
                                                     • With major BSP or IAG exception related to the risk
                                                     • More than five historical risk events in a year
No Control in Place         5                        • No existing policy and procedures
                                                     • Below acceptable in IAG rating

11. Select the applicable frequency of occurrence from the following in the
dropdown menu:

Frequency of Occurrence           Score
0 event in a year                 1
1 to 2 event/s in a year          2
3 to 4 events in a year           3
5 to 6 events in a year           4
More than 6 events in a year      5

12. Under the Risk Mitigation section, fill out the “Risk Treatment” column
with the appropriate risk treatment strategy from the dropdown menu.
13. List down the tangible or specific action plan/s to implement or
materialize the selected risk treatment strategy.
14. Indicate or select from the drop-down menu the target time or
completion of the committed action plan/s.
15. Affix signature on the “Prepared by” portion and forward to the Head
for review.
16. The Group/Unit Head shall review and affix signature on the
“Reviewed by” portion if in order. Otherwise, return to the designated
personnel for revision.
17. If signed, submit the same to the units concerned.

CHAPTER 17
ANNEXES, APPENDICES AND EXHIBITS

ANNEXES: (Additional procedures, tips, techniques and flowcharts)

• Annex A_ Internal Audit Charter
• Annex B_ Audit Committee Charter
• Annex 1_List of LLFC’s ManCom-approved Processes
• Annex 2_Risk Events Types for Operations Risks
• Annex 3_Business and Control Risks
• Annex 4_Data Analytics for Fraud Detection
• Annex 5_Audit Sampling
• Annex 6_Flowcharting
• Annex 7_Guide to Internal Audit Rating System

APPENDICES: (Office circulars and other regulatory issuances)

• Circular 499_Audit Committee and Internal Audit Function
• SEC Memo Circular 4_Guidelines for the Assessment of Audit Committee
• BSP Circular No. 871_Internal Control and Internal Audit

EXHIBITS: (Sample forms, reports and templates)

• Exhibit 1.0_Engagement Plan -Regular
• Exhibit 1.1_Engagement Plan-Consulting
• Exhibit 1.2_Engagement Plan – AA & PIR
• Exhibit 2.1_Engagement Work Program – AA & PIR
• Exhibit 2.0_Engagement Work Program-Regular Audit
• Exhibit 3.0_Risk Assessment
• Exhibit 4.0_Notice of Audit (NOA)
• Exhibit 5.0_SIPOC
• Exhibit 6.0_Issue Form
• Exhibit 7.0_Comment Sheet
• Exhibit 8.0_Regular Audit Report Format
• Exhibit 9.0_PIR Audit Report Format
• Exhibit 10_Applications Audit Report Format
• Exhibit 11_Special Audit Report Format
• Exhibit 12_Management Acceptance of Risk (MARR)
• Exhibit 13_Action Plan Tracker
• Exhibit 14_BCQ Validation Form
• Exhibit 15_RCSA Matrix
• Exhibit 16_Risk Assessment Register (RAR)
• Exhibit 17_Risk Treatment Register (RTR)
• Exhibit 18_Audit Input Form
• Exhibit 19_Clearance Memo
