EVALUATION
Learning Objectives:
1.
2. To link ICS with Risk Based Audit (RBA), from the UTO to the AARMSC phase;
3.
4.
on the
2.
3.
COSO Framework
Five Interrelated Components of Internal Control
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Control Environment
a. Auditor's objective: to understand management's attitude, awareness and actions concerning:
Communication and enforcement of integrity and ethical values;
Commitment to competence;
Participation by those charged with governance;
Management's philosophy and operating style;
Organizational structure;
Assignment of authority and responsibility; and
Human resource policies and practices.
Commitment to competence
Sanggunian/Council participation in governance and oversight
Risk Assessment
The process for identifying, analyzing and managing risks is a critical component of an effective internal control system.
[Figure: Identify, Analyze, Manage; LGU and process or activity level risks]
Control Activities
[Figure: Policies, Regulations, Procedures (X Company)]
Control activities are an integral part of an entity's planning, implementing, reviewing and accountability for stewardship of government resources and achieving effective results.
a. Auditor's objective: to understand an entity's control activities (also called control procedures) sufficiently to plan the audit.
b. Categories of control procedures:
Do policies and procedures exist?
Is there a planning and reporting system in place?
Does LGU management review variances and take corrective actions if needed?
Are there adequate safeguards in place to prevent unauthorized access?
Are duties divided logically through appropriate set up of IT applications?
The major categories of control procedures are:
Authorization
Performance Review
Information Processing Controls
Physical Controls
Segregation of Duties
Authorization. All transactions shall be executed by persons acting within the scope of their authority. Authorization for the execution of transactions flows from management to department heads and subordinates.
Information processing controls. The two broad groupings of information systems control activities are application controls and general IT controls.
Application controls are manual or automated procedures that typically operate at an operation process level. They can be preventive or detective in nature and are designed to ensure the integrity of the accounting records. Application controls apply to the processing of individual applications.
General IT controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.
General IT Controls
General IT Controls include controls over:
Data center and network operations
System software acquisition, change and maintenance
Access security
Application system acquisition, development, and maintenance
General IT Controls are generally implemented to deal with the risks of:
Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.
Unauthorized changes to systems or programs.
Failure to make necessary changes to systems or programs.
Inappropriate manual intervention.
Potential loss of data or inability to access data as required.
Segregation of duties - Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person's duties.
Physical controls - These activities encompass the physical security of assets, including adequate safeguards such as secured facilities over access to assets and records; authorization for access to computer programs and data files; and periodic counting and comparison with amounts shown on control records.
Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.
An IS encompasses methods and records that:
Identify and record all valid transactions. (existence or occurrence and completeness assertions)
Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting. (presentation and disclosure)
Present properly the transactions and related disclosures in the financial statements. (rights and obligations and presentation and disclosure)
Communication
Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity.
[Figure: communication in all directions; sideways, across organization lines]
Monitoring
Assessment of internal control performance over time; accomplished by:
Ongoing Monitoring Activities
Separate Evaluations
Reporting Deficiencies
a. Auditor's objective: to understand whether management establishes and maintains control on an ongoing basis, by means of the following:
continuing or periodic evaluation or both;
whether controls are operating as intended; and
that controls are modified for changes in conditions.
Ongoing Monitoring Activities: Management and supervisory activities
Separate Evaluations: Risk/Control Self Assessments; Internal Audit
Reporting Deficiencies: Exception Reports; Communication from regulators
completing the internal control questionnaire, the auditor should consider the following critical aspects:
Errors by personnel
Collusion
Management Override
Present conditions are not guaranteed in the future
Cost-benefit relationship
Most internal controls are directed at routine transactions rather than nonroutine
Errors by personnel
The effectiveness of many accounting controls depends upon the quality of the work performed by the people involved. Although the personnel may be competent, the reality is that human judgment in decision-making can be faulty, and breakdowns in internal control can occur because of human failures such as simple errors or mistakes, misunderstanding instructions, or carelessness due to boredom or fatigue.
Collusion
The effectiveness of many control steps depends on a proper segregation of duties and these controls may be circumvented by collusion.
Management override
In some cases, the management or the LCE and top officials may have so much power over the people assigned to control functions that they can override the control.
Cost-benefit relationship
Management usually requires that the cost of internal control does not exceed the expected benefit to be derived.
ICS Evaluation
Two Important Questions in Assessing Internal Control
Has LGU management created a control environment in which people are motivated to comply with controls rather than ignore or circumvent them?
Has the LGU installed the necessary control mechanisms to monitor and correct non-compliance and are the mechanisms functioning effectively?
ARMP Model
Comprehensive and integrated approach for carrying out risk management activities
To enable senior management of an auditee to minimize the potential impact of LGU risks in achieving objectives, delivering outputs and enhancing social outcomes
[Figure: ARMP model cycle. Establish risk management process; Identify, Source, Measure; Develop risk management strategies (Avoid, Exploit, Transfer, Accept and reduce); Risk controls; Information for decision making; Continuously improve risk management capabilities]
Fig C. RCPF
[Figure: numbered audit steps overlaid on the ARMP model cycle. Recoverable labels: Understand auditee's RMP; 4. Assess auditee's RME; 5. Consider assessment of RME to drive audit procedures; 6. Reevaluate results; Process; Strategies; Management Capabilities]
Establish risk management process
Define:
a. Risk management goals and objectives
b. Common language
Identify, Source, Measure
a. Changes in the environment, key assumptions, and operation process, and the impact of these changes
b. Process or activities to assess agency risks and information and information processing (IIP)
Develop risk management strategies
Avoid
Exploit
Transfer
Accept and Reduce
This includes:
a. Utilization of all available audit opportunities
b. Benchmarking against leading LGU practices, standards set by government and, to the extent applicable, international standards
Continuously Improve Risk Management Capabilities
The Agency Risk Management Framework
Risk Locations
1. Critical Information Process Diagrams
2. Financial Reporting Process Diagrams
[Figure: collection process diagram. Boxes: Payment from taxpayers/creditors; Treasurer deposits collection in bank account; Treasurer records deposit in Cashbook-Cash in Bank; Collector/Teller issues Official Receipts; Collector/Teller prepares Report of Collections & Deposits; Treasurer records receipts in Cashbook-Cash in Treasury; Accountant prepares Journal Entry Voucher & record in Cash Receipt Journal]
Identify Risks
Audit Team Knowledge
Expert Knowledge
Complexities: Are there process-related risks that require a controls-based approach?
Changes: Are there changes in the current period that indicate current period risks?
Problems
Transactional Flowcharts
Process Interfunctional Chart
Secondary
Transactional Flowchart
Purpose
To provide a pictorial representation of each activity in a function
To show the sequence of tasks for each activity
To show the flow of inputs and outputs for each task in an activity
To analyze the relationship of tasks involved in each activity
Advantages
Disadvantages
[Figure: sample flowchart of a Purchase Order (PO) process. Recoverable labels: Purchasing Staff (Approved PR; Encodes PR; Generates PO; Attaches PR to PO; Updates PO transaction file; Sends PR to Requesting Dept.; PR file); General Manager/President (Approves PO); Approved PO (Distributes PO to user depts.; Sends PO; Confirms receipt); destinations: To Requesting Department, To Stockroom, To Distribution, To Accounting]
Advantages
Disadvantages
Difficult to draw when several functions are involved
Requires large workspace
[Figure: sample flowchart of a credit memo process with PROCESS and OUTPUT columns. Recoverable labels: Initiator; MTEC; Marketing Technician; Secretary; Validity (Valid? Yes); Prepare CM Wk Sht; Projection; Credit Memo Request; CRL; Type Credit Memo; Proofs for Accuracy (Accurate? Yes); Obtain Mgt. Approval; Discard Credit Memo Worksheet]
NAME: DESCRIPTION
Activity/Processing: Indicates that an activity or task is being performed.
Decision: When this symbol appears, the task sequence flows to the right if the decision is yes or down if the decision is no.
Document: Represents the generation of a physical document. Multiple overlaying symbols are used if multiple documents are generated.
Manual Input
Automated Input
Computer Storage
Manual Filing
Label origins and destinations. Always print the origin of input and destination of output above the respective symbols.
[Figure: flowchart labelling examples. Recoverable labels: Sales Representative; Purchase Request; Existing Process; Secondary Process; Status report approved? (G/20, G/10, yes); Make Changes to Status Report; Valid? (NO, YES)]
Delay time
Number of activities
Number of reviews
Errors
As International Standards on Auditing (ISA) 315 states:
The auditor should determine which of the risks identified are, in the auditor's judgment, risks that require special audit consideration (such risks are defined as significant risks)
Initial defense in preventing, detecting and correcting errors
Pervasive Controls
Monitoring
Information for Decision Making
Communication of relevant, complete, accurate and timely information
Identify
Evaluate Design
Test
PROXIMITY TO RISK SOURCE
LIKELIHOOD OF RISK OCCURRENCE
PREDICTABILITY OF RISK OCCURRENCE
CONTROL RELIABILITY
CONTROL VERIFIABILITY
greatest degree of reliability
lower degree of reliability
Reviewing exception reports and investigating errors
Reconciling subsidiary records with control accounts
Requiring password to access systems
Systems validation of account numbers against chart of account
Manual review for authorized signatures on significant disbursements before payout
Review of contract terms and billing arrangement before project contractor
Fraud indicator that warrants LAO further investigation
Reliance on Testing Pervasive and Specific Risk Controls
processes
The audit team needs to evaluate whether the risk can be reduced through other risk reduction approaches, either those applied by the auditee or by the audit team.
When the audit team has concluded that there is residual audit risk, these conclusions, together with recommendations to improve risk control processes, should be communicated to management through the issuance of an advisory report.
Key Procedures
Determine type and extent of tests
Design tests of operating effectiveness
Perform tests of controls and evaluate results
Document tests of controls
Key Activities
Define nature of testing approach
Define extent and frequency of testing
Select risk control testing scenarios and determine testing approach and items
Nature of Testing
Controls: Examples of Tests
Monitoring: Review of monitoring information and reports; Evaluation of actions taken on exceptions
Pervasive controls
Specific risk controls
General Considerations
Control: Monitoring
Nature: Review of monitoring information and reports; Evaluation of actions taken on exceptions
Extent: If appropriate, representative sampling may be applied to test actions taken on exceptions
Consider opportunities for testing across multiple processes or risks where similar controls are in place
If appropriate, representative sampling may be applied
Pervasive controls
Specific risk controls
Factor
Impact on Extent
Expected frequency of exceptions
Stable processes generally will require less frequent testing than a process that is undergoing change
Tests performed early provide the auditee opportunity to correct existing errors and improve processes during the period
System-based, preventive controls may require less frequent testing than human-based, detective controls
When evidence is not retained by the auditee for extended periods of time, or is based primarily on inquiry and observation, more frequent testing may be necessary
Testing may be most efficiently performed concurrent with timely quarterly reviews or other interim activities
Key Activities
Test control attributes or balances affected by the controls to identify exceptions or misstatements
Analyze root causes of exceptions or misstatements
Determine if risk is reduced to acceptable level
Attributes
Sampling Tests of Controls
Tests of Balances
to a relatively
the audit team
testing of that
and potential
Partially Effective: Some controls being tested are not operating as designed for either part of or the entire audit period
Ineffective: All controls being tested are not operating as designed for the entire audit period
Key Procedures
Design of tests
Key Information
Performance of Tests
Evaluation of results
Recommended improvements
b. Auditee Documents
Should be available to reviewers as necessary to carry out their responsibilities
Should not be retained in the working papers
c. Documentation Templates
To support more efficient documentation of tests of controls, templates have been created for the alternative types of testing (for optional use).
Recommendations on material deficiencies contained in the AOM, not acted upon, shall be included in the Comments and Observation portion of the AAR.
Thank you, Ladies and Gentlemen
Good Day and God Bless You All