GETTING READY FOR THE RISK-BASED INTERNAL AUDIT IN THE DEPARTMENT OF HEALTH (PHILIPPINES)

Article · January 2009


1 author:

Rufo R. Mendoza
Asian Institute of Management

All content following this page was uploaded by Rufo R. Mendoza on 18 August 2016.



Governance, Risk Management and Control: Internal Audit Leading Practices
2009, 1(1), 87-100
Asian Confederation of Institutes of Internal Auditors

GETTING READY FOR THE RISK-BASED INTERNAL AUDIT IN THE DEPARTMENT OF HEALTH (PHILIPPINES)

by RUFO R. MENDOZA, C.P.A., Ph.D.*

This case study presents the initiatives undertaken by the Department of Health in preparation for the
full implementation of the risk-based approach to internal auditing. It highlights the adoption of a risk
management program (RMP) as a means to achieve the agency’s goals and objectives. The
simultaneous adoption of a risk-based internal audit and the RMP is a best practice that can be
replicated in other government agencies.

Introduction

The Department of Health (DOH) is the principal health agency in the Philippines. It is responsible
for making sure that every Filipino has access to basic public health services through the provision of
quality health care and the regulation of providers of health goods and services.

The agency’s compliance with the use of risk-based internal audit is based on the provisions of
Administrative Order (AO) No. 70, issued by the President on April 14, 2003, titled “Strengthening of
the Internal Control Systems of Government Offices, Agencies, Government-Owned and/or
Controlled Corporations, including Government Financial Institutions, State Universities and Colleges
and Local Government Units”. This AO directs all government agencies to organize an Internal Audit
Service (IAS) in their respective offices. It prescribes the conduct of audit in conformity with the
International Standards for the Professional Practice of Internal Auditing and the strict observance of
the Code of Ethics promulgated by the Association of Government Internal Auditors. It enumerates
the functions of routine operating character that should be detached from the internal audit.

Corollary to the AO, the Philippine government received technical assistance in 2005 from The
World Bank specifically for the project on “Strengthening Internal Audit Units for Effective
Procurement Monitoring and Enforcement”. The grant, which was executed by the Presidential
Anti-Graft Commission, recognizes the importance of internal audit as a tool to reduce and combat
corruption. One major component of the project is the development of a generic Internal Audit
Manual and the subsequent pilot testing of the same in selected agencies. The DOH is one of the
fifteen agencies selected to use the said manual.

To operationalize the generic manual, the DOH initiated the preparation of a customized manual.
Through the assistance of the Health Sector Policy Support Programme of the European Union, the
DOH has been crafting a customized manual since 2008. This technical assistance
aimed to support the transition from traditional financial audit methods to a risk-based, process-focused
approach. Currently, the DOH management is committed to completing the remaining parts of the
customized manual.

Operating Policies and Principles

The DOH recognizes the important role that IAS plays in the conduct of successful operations of the
department. It acknowledges that the goal of the IAS is to assist all levels of management in the
effective discharge of their responsibilities without encroaching on or being adversarial to the functions
of the Commission on Audit, the external auditor of the government. These are contained in the
customized internal audit manual.

Similarly, the manual provides the operating policies and principles of the IAS, specifically the scope
of functions, responsibilities, organizational arrangements, and report requirements. In effect, the
preliminary chapters of the manual serve the purpose of an internal audit charter. More importantly, it
contains the detailed procedures in the conduct of a risk-based audit.

The IAS, headed by a Director, performs staff functions encompassing the examination and evaluation
of the adequacy, efficiency and effectiveness of the internal control system and the quality of
performance in carrying out assigned responsibilities in financial, accounting, and operating activities.
To do these, the internal auditors are afforded full access to all records and pertinent documents
needed for the task.

The IAS has been elevated as an independent office with two divisions: a financial audit division and
an operations audit division. There are 17 positions in the IAS, although at present some of these
positions are still unfilled. The Director and the two chiefs of divisions are all Certified Public
Accountants.

The IAS reports directly to the Secretary of the DOH, who is the highest official in the organizational
hierarchy. Currently, the IAS is properly supervised by an Assistant Secretary in performing the
following functions:

1. Ascertaining the reliability and integrity of financial and operational information and the means
used to identify, measure, classify and report such information;

2. Determining the extent of compliance with established policies and applicable laws and
regulations and reviewing the system established to ensure compliance with government
policies, plans and procedures, laws and regulations, which could have significant impact on
operations;

3. Ascertaining the extent to which the assets and other resources of the institutions are
accounted for and safeguarded from losses of all kinds;

4. Reviewing and evaluating the soundness, adequacy and application of accounting, financial
and other operating controls and promoting the most effective control at reasonable cost;

5. Reviewing the operations and programs to ascertain whether or not results are consistent with
established goals and objectives according to plan;

6. Evaluating the quality of performance of groups/individuals in carrying out their assigned
responsibilities; and

7. Recommending corrective actions on the operational deficiencies noted.

In addition, the IAS is also called upon to perform special assignments relative to the Integrity
Development Committee (IDC) of the Department of Health. Due to lack of regular staff for the IDC,
the IAS serves as the Secretariat during IDC meetings and performs fact-finding investigations for
graft-related complaints.

The internal auditors are not responsible for or required to participate in procedures which are
essentially a part of regular operating activities or in operations which are the primary responsibility of
another unit in the organization. Only personnel assigned to the IAS are regarded as auditors and only
their works are referred to as audit activities.

In accordance with the national government pronouncements, the IAS does not perform the following
functions which are considered as operating in character:

1. Pre-audit of vouchers and counter-signature of checks;

2. Inspection of deliveries, although the internal auditor may, as part of his examination, observe
the inspection;

3. Preparation of treasury and bank reconciliation statements;

4. Development and installation of systems and procedures; however, in exceptional cases, the
internal auditor may assist by giving suggestions, preferably during the development stage;

5. Taking physical inventories; however, the internal auditor may review the plans in advance
and observe and test-check the accuracy of counting, costing, and summarizing; and

6. Maintaining property records.

Internal Audit Process

The IAS of the DOH follows six steps in the conduct of internal audit: co-developing the
expectations, understanding the agency, risk assessment, developing the internal audit plan, audit
execution, and communicating the results (Figure 1).

[Figure: flow diagram of the six steps: Co-developing Expectations, Understanding the Agency, Risk Assessment, Developing Internal Audit Plan, Audit Execution, Communicating Results]

Figure 1. Internal Audit Process in the DOH

The process starts with an agreement between the IAS and the management regarding their respective
expectations. This is necessary to enhance the value of internal audit. In this step, the internal
auditors meet with senior/line management to hold preliminary discussions with respect to the current
activities to be reviewed and to identify areas of specific concern which may be looked into as part of
the audit.

Understanding the agency entails the preliminary identification of agency risks focusing on the
elements critical to the operations. The auditors obtain information on the agency’s mandates,
strategies, critical processes, financial and operational performance, and overall control environment,
to aid in the identification of the risks that will be the focus of the audit effort.

The risk assessment process deals with the identification and assessment of significant risks necessary
for the auditors to create the potential audit universe and audit plan. In identifying risks, the auditors
consider the relevant information gathered from the preceding steps.

The preparation of an internal audit plan aims to summarize the information gathered and to develop
and document the audit plan. This is necessary to identify the resource requirements and to obtain
approval from senior management. The audit plan also helps in determining the most efficient and
effective way to audit the high priority areas.

The audit execution entails the conduct of field work, where the auditors review the covering systems
and agency processes and collect information through discussions with personnel, observation, and
performing selective tests. Before the execution, line management is briefed on the work plan,
including the audit objectives. During the fieldwork, preliminary discussions are made with the
process and activity owners in order to enhance communication and achieve better buy-in and
cooperation.

At the end of each assignment, the auditors meet with line management to finalize the discussion of
findings or areas of concern noted during the audit. This is done to help the management formulate
specific action points meant to address concerns within an agreed timetable. The IAS periodically
follows up the implementation of the agreed action points that are meant to address critical risks and
reports the status of accomplishment to the head of the agency.

The risk assessment performed by the IAS results in the identification of auditable areas. In the
prioritization of the auditable areas, the IAS uses a set of criteria such as the following: (a) financial
impact, (b) public service delivery impact, (c) reputation impact, (d) complexity of operation, (e)
regulatory requirements and political sensitivity, (f) existence of fraud, (g) extent of use of information
technology, (h) extent of changes in operations and processes, and (i) results of previous audits. The
IAS may also consider certain risk management factors or control effectiveness in the prioritization,
such as the quality of controls shown in prior audits and current high-level assessment of the
organizational controls.

Risk Management Program

One milestone in the DOH is the adoption of a risk management program (RMP) for the entire
organization. The RMP gives adequate attention to the various organizational risks and entails three
major processes of managing the risks: risk identification, risk assessment, and risk control. The
program serves two major objectives: 1) to guide the agency management, office/bureau heads, and
program managers in the preparation of their work and financial plans by focusing on the high-risk
areas, and 2) to serve as the basis in the preparation of a good audit plan by IAS.

Risk Identification by the Management. A risk is a set of circumstances that hinder the
achievement of goals or objectives of the DOH and its offices or organizational units. It is also
defined as the threat that an event, action or inaction will adversely affect the agency’s ability to
successfully achieve its objectives and execute its strategies.

Through a facilitated workshop, the DOH management identifies the risks using six categories: (a)
environment risks, (b) operation risks, (c) empowerment risks, (d) integrity risks, (e) information risks,
and (f) financial management risks.

Environment risks arise when there are external forces that could affect the viability of the agency’s
performance of its mandate or mission, including the fundamentals that drive the overall agency
objectives and strategies. They are further classified as follows: political and regulatory factors,
economic trends, social/demographic patterns, technological advances, catastrophic loss, and public
image.

Operation risks arise from situations when the different offices and organizational units within the
DOH are inefficient and ineffective in conducting their operational activities. These are further
classified into compliance, customer or public satisfaction, human resources in the operation, capacity
of the organizational unit, and service delivery.

Empowerment risks arise from events where the managers and employees (a) are not properly led; (b)
do not know what to do under certain circumstances; (c) exceed the boundaries of assigned authorities;
and (d) are given incentives to do the wrong things. These are further categorized as leadership,
authority, performance incentives, change readiness, communication, and outsourcing risks.

Integrity risks include management fraud, employee fraud, and illegal acts, any or all of which could
lead to reputation loss in the marketplace or public at large.

Information processing risks occur when the information technology used in the agency is (a) not
operating as intended; (b) compromising the integrity and reliability of data and information; (c)
exposing significant assets to potential loss or misuse; and (d) exposing the agency’s ability to sustain
the operation of critical processes. Information for decision-making risk deals with the relevance and
reliability of the information used to support the execution of the agency’s mandate or mission. It also
refers to the internal and external reporting on performance and the continuous evaluation of the
effectiveness of the agency’s operation.

Financial management risks are those related to the planning, handling, recording and reporting of
funds entrusted to the agency or office. These are found in budget formulation and execution, cash
management, transaction processing, transaction recording, asset accounting, payroll, billing and
service pricing, expenditure planning and control, and financial reporting.

To maintain uniformity in the risk statement, the key officials and employees engaged in the facilitated
workshop for risk identification and assessment use the following structure in defining the specific
risks: EVENT leads to a CONSEQUENCE which results in a negative EFFECT ON
AGENCY/BUSINESS OBJECTIVE.
Risk Assessment by the Management. Once the risks are identified, they are subjected to an
assessment based on two major criteria: likelihood of occurrence and impact.

The likelihood of the risk occurring (also called probability of occurrence) is expressed as a
percentage, ranging from one to a hundred (Table 1), while the impact (also called consequence) when
the risk occurs is assessed on a scale of 1 to 5 (Table 2).

Table 1. Risk Scores Based on the Likelihood of Occurrence.

| Probability of Risk Happening | Descriptions/Indications | Risk Score (In Percent), Low | Risk Score (In Percent), High |
|---|---|---|---|
| Unlikely to happen (Unlikely) | Event is expected to occur only once every 3 years | 1 | 20 |
| Less likely to happen (Rare) | Event is expected to occur only once every two years | 21 | 40 |
| Likely to happen (Possible) | Event is expected to occur once a year | 41 | 60 |
| Very likely to happen (Probable) | Event is expected to occur more than once but less than 12 times a year/once a quarter | 61 | 80 |
| Extremely likely to happen; already happening (Almost certain) | Event is expected to occur more than 12 times a year/once a month | 81 | 100 |

Table 2. Risk Scores Based on Impact.

| Significance of Impact | Description (Any one of the following) | Risk Score |
|---|---|---|
| No (or very negligible) impact on agency | The event will require attention of the employee concerned; Disturbance in service delivery in the specific unit of the agency | 1 |
| Little impact on agency | The event will require attention of a number of employees; Disturbance in service delivery in the specific unit of the agency | 2 |
| Significant impact on agency | The event will require attention of a number of employees; Disturbance in service delivery in a number of units of the agency; Threatens public trust and key alliances in the organizational unit | 3 |
| Very significant impact on agency | The event will require middle management attention; Disturbance in service delivery in all units of the agency/whole agency; Temporary loss of public trust and key alliances in the health sector | 4 |
| Extremely critical to agency operations | The event will require top management attention; Prolonged disturbance in service delivery in the whole agency; Sustained loss of public trust and key alliances in the general public | 5 |

The expected value of a risk is determined by getting the product of the percent of likelihood of
occurrence and the risk impact score. Risk prioritization is based on expected value.

Internal Control System. To mitigate the risks identified, the DOH has started the preparation of
risk-control matrices for specific units in the agency. It adheres to the “National Guidelines on
Internal Control System (ICS)” issued by the Department of Budget and Management on October 23,
2008 as a guide to the heads of departments and agencies in designing, installing, implementing and
monitoring their respective ICS taking into consideration the requirements of their organization and
operations. The guidelines conform to the provisions of the International Organization for
Standardization and the International Organization of Supreme Audit Institutions.

Based on the guidelines, internal control has two basic elements—plan of organization and
coordinated methods and measures. The plan of organization comprises the organizational structure
and the staffing complement that enable DOH to carry out its functions. It defines and distributes
powers, functions and responsibilities to various units and personnel in the DOH to enable them to
meet the overall objectives. Coordinated methods and measures are the systems of authorization,
policies, standards, accounting systems and procedures, and reports used by the DOH to control its
operations and resources and enable the various units to meet the agency objectives.

The five interrelated internal control components in the DOH include the (a) control environment; (b)
risk assessment; (c) control activities; (d) information and communication; and (e) monitoring.

Right Track

DOH is on the right track in the enhancement of its internal control system. While much remains to be
done to institutionalize internal controls and fully implement the risk-based internal audit in the
various organizational units of the department, the primary health agency in the country has already
undertaken the critical preliminary steps.

Supportive leadership has been an essential element in the successful take-off of the risk-based
approach in internal audit at the DOH. The commitment of the top management to reforms and
innovation has contributed to the widespread grasp of this new approach among the individual
employees not only in the IAS but also in other operating units.

The DOH management should continue to disseminate the nitty-gritty of internal controls and risk-
based audit to the rest of its organizational components to enhance appreciation and substantial
implementation. It should continue to develop the technical capacity of its human resources, primarily
those engaged in the craft of internal auditing.

It should also institutionalize the Risk Management Program by conducting regular risk assessment
reviews at least once a year for all its offices and bureaus, centers for health development, and
hospitals. Such can be facilitated by properly trained staff with support from the IAS. This will help
ensure timely, adequate, and effective delivery of health service to the public.

Since the needed infrastructure—both hard and soft elements—is in place, the DOH is ready for the
full implementation of risk-based internal audit which the IAS is targeting within the year. These are
all indications that the DOH has overtaken other agencies in the Philippines in the aspect of internal
audit and risk management.

*Dr. Rufo R. Mendoza is a National Consultant on Risk-Based Internal Audit at the Department of Health
under the Health Sector Policy Support Programme of the European Union. This publication has been
produced with the assistance of the European Union. The contents of this publication are the sole
responsibility of the writer and can in no way be taken to reflect the views of the European Union.
