
TRAINING ON INTERNAL CONTROL EVALUATION
Learning Objectives:
1. To discuss Internal Control Structure (ICS);
2. To link ICS with Risk Based Audit (RBA), from the UTO to the AARMSC phase;
3. To develop/improve the skills of participants on the evaluation of internal control; and
4. To provide guidance on the utilization of the knowledge obtained in this seminar in the execution of audit work in the MRAR phase and reporting of audit results in the CVD phase.

ISA 315 (International Standards on Auditing)

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement requires the auditor to:
1. Obtain an understanding of internal control structure and on audit risks.
2. Use this understanding to identify types of potential misstatements.
3. Consider factors affecting the risks of potential misstatements.
4. Design the nature, timing and extent of further audit procedures.

INTERNAL CONTROL SYSTEM defined:

All the policies and procedures adopted by management to ensure:
orderly and efficient conduct of its business;
adherence to management policies;
safeguarding of assets;
prevention and detection of fraud and error;
accuracy and completeness of accounting records; and
timely preparation of reliable financial information.

Functions of Internal Control

Preventive Controls are designed to prevent adverse actions or risks from occurring.

Detective Controls are designed to detect an error or adverse event after it occurred but within a reasonable time to permit correction.

Corrective Controls are designed to remedy problems discovered with detective controls.

Objectives of Internal Control

1. Financial reporting control objective: relates to the reliability of the financial reporting provided by the accounting information system and recording function.
2. Operations controls objective: is intended to enhance the effectiveness and efficiency of operations.
3. Compliance controls objective: relates to compliance with laws and regulations.

Internal Control assertions


There are two assertions of management:
internal control and
financial statements.

Management's Responsibility for the Financial Statements

Management is responsible for the preparation of these financial statements in accordance with Philippine Financial Reporting Standards. This responsibility includes: designing, implementing and maintaining internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatements, whether due to fraud or error; selecting and applying appropriate accounting policies; and making accounting estimates that are reasonable in the circumstances.

COSO (Committee of Sponsoring Organizations) Framework

Five Interrelated Components of Internal Control
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring

The COSO framework


The Control Environment

sets the tone of an agency, influencing the control consciousness of its people
the foundation for all other components of internal control
Tone at the Top

COMPONENTS OF INTERNAL CONTROL

1. Control Environment
a. Auditor's objective: to understand management's attitude, awareness and actions concerning:
  Communication and enforcement of integrity and ethical values;
  Commitment to competence;
  Participation by those charged with governance;
  Management's philosophy and operating style;
  Organizational structure;
  Assignment of authority and responsibility; and
  Human resource policies and practices.

The Control Environment

Factors to Consider in Assessing Control Environment
  Integrity, ethical values and behavior of key executives
  Management's consciousness and operating style
  Commitment to competence
  Sanggunian/Council participation in governance and oversight
  Organizational structure and assignment of authority and responsibility
  Human resources policies and practices

The Control Environment

Integrity and ethical values
  Foundation for effective control
  Core values set and communicated by LGU Management
  Code of Ethics/Conduct
  Product of the LGU's ethical and behavioral standards, how they are communicated and monitored

Management's control consciousness and operating style
  Importance management attaches to internal controls
  For the most part, an intangible
  A management attitude

The Control Environment

Commitment to competence
  Existence of clear job descriptions
  Consideration of competence levels for particular jobs
  Assessment of employees' requisite knowledge and skills
  Nature and degree of judgment to be applied on the job and extent of supervision

Sanggunian/Council participation in governance and oversight
  Sanggunian/Council's independence and experience
  Extent of its involvement and oversight

The Control Environment

The organizational structure and assignment of authority and responsibility
  Segregation of incompatible duties
  Clear lines of responsibility and accountability
  How decentralized operations are monitored
  Establishing and monitoring policies and procedures
  Establishing and monitoring performance measures

Human resources and policies
  HR policies relating to hiring, training, evaluating, counseling, promoting and compensating personnel
  Competence and integrity of organization's personnel


Risk Assessment
The process for identifying, analyzing and managing risks is a critical component of an effective internal control system
Identify, Analyze, Manage
LGU and process or activity level risks

COMPONENTS OF INTERNAL CONTROL

2. Risk Assessment
a. Auditor's objective: to consider an entity's ability to continue as a going concern in view of the risks that can arise due to:
  Changes in operating environment;
  New personnel;
  New or revamped information systems;
  Rapid growth;
  New technology;
  LGU restructuring; and
  New accounting pronouncements.

Factors affecting Risks

Changes in operating environment. Changes in the regulatory or operating environment can result in changes in competitive pressures and significantly different risks.
New personnel. New personnel may have a different focus on or understanding of internal control.

Factors affecting Risks

New or revamped information systems. Significant and rapid changes in information systems can change the risk relating to internal control.
Rapid growth. Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls.

Factors affecting Risks

New technology. Incorporating new technologies into production processes and information systems may change the risk associated with internal control.
LGU restructurings. Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with internal control.
New accounting pronouncements. Adoption of new accounting principles or changing accounting principles may affect risks in preparing financial statements.


Control Activities
Policies, regulations and procedures that help ensure that management's directives and control objectives are carried out

Control Activities
Are an integral part of an entity's planning, implementing, reviewing and accountability for stewardship of government resources and achieving effective results.

COMPONENTS OF INTERNAL CONTROL

3. Control Activities
a. Auditor's objective: to understand an entity's control activities (also called control procedures) sufficiently to plan the audit.
b. Categories of control procedures:
  authorization: specific and general
  performance review: actual performance vs. budget, forecasts and prior period performance
  information processing controls: application controls and general IT controls
  physical controls: physical security of assets
  segregation of duties: separation of transaction authorization (management function), transaction execution (custodial function), recording (accounting function), and independent checks on performance (monitoring function)

Control Activities
Do policies and procedures exist?
Is there a planning and reporting system in place?
Does LGU management review variances and take corrective actions if needed?
Are there adequate safeguards in place to prevent unauthorized access?
Are duties divided logically through appropriate set up of IT applications?

Control Activities
The major categories of control
procedures are:
Authorization
Performance Review
Information Processing Controls
Physical Controls
Segregation of Duties

Control Activities
Authorization. All transactions shall be executed by persons acting within the scope of their authority. Authorization for the execution of transactions flows from management to department heads and subordinates.

Control Activities
Performance reviews. These control activities include reviews and analyses of actual performance versus budgets, forecasts, and prior period performance; relating different sets of data (operating or financial) to one another, together with analyses of the relationships and investigative and corrective actions; comparing internal data with external sources of information.

Control Activities
Information processing controls. These are policies and procedures designed to require authorization of transactions and to ensure the accuracy, validity, and completeness of transaction processing.

Control Activities
The two broad groupings of information systems control activities are application controls and general IT controls.

Control Activities
Application controls are manual or automated procedures that typically operate at an operation process level. They can be preventive or detective in nature and are designed to ensure the integrity of the accounting records. Application controls apply to the processing of individual applications.

Control Activities
General IT controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.

General IT Controls
General IT Controls include controls over:
  Data center and network operations
  System software acquisition, change and maintenance
  Access security
  Application system acquisition, development, and maintenance

General IT Controls
General IT Controls are generally implemented to deal with the risks of:
  Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.

General IT Controls
General IT Controls are generally implemented to deal with the risks of:
  The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.
  Unauthorized changes to systems or programs.

General IT Controls
General IT Controls are generally implemented to deal with the risks of:
  Failure to make necessary changes to systems or programs.
  Inappropriate manual intervention.
  Potential loss of data or inability to access data as required.

Objectives of Internal Controls relating to the accounting system
  Transactions are executed in accordance with management's general or specific authorization.
  All transactions and other events are promptly recorded in the correct amount, in the appropriate accounts and in the proper accounting period so as to permit preparation of financial statements in accordance with the government financial reporting framework.

Objectives of Internal Controls relating to the accounting system
  Access to assets and records is permitted only in accordance with management's authorization.
  Recorded assets are compared with the existing assets at reasonable intervals and appropriate action is taken regarding any differences.

Control Activities
Segregation of duties - Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person's duties.
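
The segregation of duties rule above, and the general IT control risk of personnel holding access privileges beyond those needed for their assigned duties, can both be tested against an application's role assignments. The following is an added example, not part of the original training material; the user names, positions, role names and the role-to-function mapping are constructed for illustration.

```python
"""Review application access for segregation-of-duties conflicts and excess privileges."""
from itertools import combinations

# The four functions the material says should be held by different people.
AUTHORIZATION = "authorization"          # management function
EXECUTION = "execution"                  # custodial function
RECORDING = "recording"                  # accounting function
INDEPENDENT_CHECK = "independent check"  # monitoring function

# Constructed mapping: which function each application role carries.
# None marks a role that carries none of the four functions (read-only).
ROLE_FUNCTION = {
    "approve_disbursement": AUTHORIZATION,
    "release_payment": EXECUTION,
    "cash_custodian": EXECUTION,
    "post_journal_entry": RECORDING,
    "reconcile_bank": INDEPENDENT_CHECK,
    "view_reports": None,
}

# Constructed baseline: roles each position needs for its assigned duties.
POSITION_BASELINE = {
    "treasurer": {"release_payment", "cash_custodian", "view_reports"},
    "accountant": {"post_journal_entry", "view_reports"},
    "budget_officer": {"approve_disbursement", "view_reports"},
    "internal_auditor": {"reconcile_bank", "view_reports"},
    "it_admin": {"view_reports"},
}

# Constructed sample of current access: user -> (position, granted roles).
ACCESS = {
    "acruz": ("treasurer", {"release_payment", "cash_custodian"}),
    "bsantos": ("accountant", {"post_journal_entry", "approve_disbursement"}),
    "dreyes": ("it_admin", {"view_reports", "post_journal_entry",
                            "release_payment", "legacy_superuser"}),
    "elim": ("internal_auditor", {"reconcile_bank", "view_reports"}),
}


def review_user(position, roles):
    """Return the findings for one user as a dict of sorted lists."""
    # A role missing from the mapping cannot be assessed, so report it
    # instead of silently treating it as harmless.
    unmapped = sorted(r for r in roles if r not in ROLE_FUNCTION)
    # Distinct functions this user can perform through the mapped roles.
    duties = {ROLE_FUNCTION[r] for r in roles if ROLE_FUNCTION.get(r)}
    # Any two different functions held by one person is an SoD conflict.
    conflicts = list(combinations(sorted(duties), 2))
    # Roles granted beyond what the position's baseline allows.
    excess = sorted(roles - POSITION_BASELINE.get(position, set()))
    return {
        "sod_conflicts": conflicts,
        "excess_roles": excess,
        "unmapped_roles": unmapped,
    }


def review_access(access):
    """Return {user: findings} for every user with at least one finding."""
    report = {}
    for user, (position, roles) in access.items():
        findings = review_user(position, roles)
        if any(findings.values()):
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in sorted(review_access(ACCESS).items()):
        print(user)
        for kind, items in findings.items():
            if items:
                print(f"  {kind}: {items}")
```
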

Control Activities
Physical controls - These activities encompass the physical security of assets, including adequate safeguards such as secured facilities over access to assets and records; authorization for access to computer programs and data files; and periodic counting and comparison with amounts shown on control records.

Control Activities
Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.


Information and Communication

The process of capturing and exchanging information needed to conduct, manage and control the LGU's operations
Does the IT system provide LGU management with necessary reports on performance relative to goals?
Is information provided to the right people in sufficient detail and on time?
Does LGU management communicate employees' duties and control activities in an effective manner?
Does LGU management take timely and appropriate follow-up on communications received internally and externally?

COMPONENTS OF INTERNAL CONTROL

4. Information System and Communication
a. Auditor's objective: to understand an entity's accounting system, particularly the following:
  Major classes of transactions;
  How transactions are initiated;
  The records, documents and accounts used in the processing and reporting of transactions;
  The processing of transactions; and
  Financial reporting procedures.

Information and Communication

The information system relevant to financial reporting objectives, which includes the accounting system, consists of the procedures and records established to initiate, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity.

An IS encompasses methods and records that:
  Identify and record all valid transactions. (existence or occurrence and completeness assertions)
  Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting. (presentation and disclosure)

An IS encompasses methods and records that:
  Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements. (valuation or allocation)
  Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period. (existence or occurrence and completeness)

An IS encompasses methods and records that:
  Present properly the transactions and related disclosures in the financial statements. (rights and obligations and presentation and disclosure)

Communication
Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity.

Information and Communication

Communication in all directions
  Upward: to provide LGU management at all levels feedback on decisions and performance
  Sideways: across organization lines
  Downward: to provide employees clear guidance and direction
Have we effectively communicated control responsibilities to all employees?


Monitoring
Assessment of internal control performance over time; accomplished by:
  Ongoing Monitoring Activities
  Separate Evaluations
  Reporting Deficiencies

COMPONENTS OF INTERNAL CONTROL

5. Monitoring
a. Auditor's objective: to understand whether management establishes and maintains control on an ongoing basis, by means of the following:
  continuing or periodic evaluation or both;
  whether controls are operating as intended; and
  that controls are modified for changes in conditions.

Monitoring
Ongoing Monitoring Activities
  Management and supervisory activities
Separate Evaluations
  Risk/Control Self Assessments
  Internal Audit
Reporting Deficiencies
  Exception Reports
  Communication from regulators

Documentation of Understanding of ICS

The auditor should document the understanding of the entity's internal control structure elements obtained to plan the audit.
The form and extent of this documentation is influenced by the size and complexity of the entity, as well as the nature of the entity's internal control structure.

The Internal Accounting Control Questionnaire
Internal accounting control questionnaire contains a series of questions designed to detect control weaknesses.

The Internal Accounting Control Questionnaire
In completing the internal control questionnaire, the auditor should consider the following critical aspects:
  Is the system of internal control sound?
  If it is not reliable, what errors might occur?
  What alternative audit procedures should be adopted if the system is unreliable?

The Internal Accounting Control Questionnaire
Advantages
  They provide audit assurance that attention is given to presence or absence of all controls listed and that certain features of the system are not overlooked.
  They provide a means of obtaining uniform documentation of internal control system reviewed.
  They provide inexperienced audit staff members with guidance in performing internal control reviews.
  They facilitate the early detection of potential weaknesses in the system.

The Internal Accounting Control Questionnaire
Disadvantages
  Auditors may view the questionnaire as a device for accomplishing an automatic evaluation of internal control.
  Controls listed on questionnaires may not suit the particular circumstances of a specific audit.
  The auditor may overlook pertinent control included in the questionnaires.

Limitations of Internal Control

Errors by personnel
Collusion
Management Override
Present conditions are not guaranteed in the future
Cost-benefit relationship
Most internal controls are directed at routine transactions rather than non-routine

Errors by personnel
The effectiveness of many accounting controls depends upon the quality of the work performed by the people involved. Although the personnel may be competent, the reality is that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human failures such as simple errors or mistakes, misunderstanding instructions, or carelessness due to boredom or fatigue.

Collusion
The effectiveness of many control steps depends on a proper segregation of duties and these controls may be circumvented by collusion.

Management override
In some cases, the management or the LCE and top officials may have so much power over the people assigned to control functions that they can override the control.

Cost-benefit relationship
Management usually requires that the cost of internal control does not exceed the expected benefit to be derived.

Controls Relevant to the Audit

The auditor's judgment about materiality;
The size/classification of the LGU;
The diversity and complexity of the LGU's operation;
Applicable legal and regulatory requirements;
The nature and complexity of the systems that are part of the LGU's internal control.

Overall Assessment of Internal Control

Reaching conclusions about an LGU's internal control (at the LGU level) involves a high degree of subjectivity due to the intangible nature of factors to consider
Requires considerable professional judgment
The fact remains that the best policies and structure are worthless if the will to make them work is lacking

ICS Evaluation
Two Important Questions in Assessing Internal Control
  Has LGU management created a control environment in which people are motivated to comply with controls rather than ignore or circumvent them?
  Has the LGU installed the necessary control mechanisms to monitor and correct non-compliance and are the mechanisms functioning effectively?

QUESTION


UTO Assess Risk Management Process

As International Standards on Auditing (ISA) 315 states:
The auditor should obtain an understanding of the entity's objectives and strategies, and the related business risks that may result in material misstatement of the financial statements. This standard also requires the auditor to obtain an understanding of the entity's process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks.

Identify Risk Controls

(A Flash Back of Agency Risk Management Process (ARMP), Information Process Framework (IPF) and Agency Risk Control Document (ARCD))

Agency Risk Management Defined
Agency risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

UTO Assess Risk Management Process

Objectives of Assessing LGU's Risk Management Process:
  Help identify significant risks arising from weaknesses of existing ARMP
  Determine the extent to which the audit team can rely on auditee management's assertion about financial reporting risks
  Document the audit team's evaluation of the auditee's control environment as required by professional standards
  Influence the nature and extent of the work

Agency Risk Model
Agency Analysis Framework
in Agency Risk Control Documents

UTO Assess Risk Management Process

What do we need to do before assessing the LGU's Risk Management Process?
Understand the LGU's Risk Management Process
The assessment tool can be used for LGUs of varying size and complexity to capture the essence or substance of an LGU's risk management activities.
The tool is applicable regardless of:
  The degree of formality and sophistication of the LGU's risk management activities
  Whether the LGU even recognizes that it has a risk management process or activities designed to reduce the risks inherent in its operation to an acceptable level

The Agency Risk Management Framework

Internal control is an integral part of agency risk management

ARMP Model
Comprehensive and integrated approach for carrying out risk management activities
To enable senior management of an auditee to minimize the potential impact of LGU risks in achieving objectives, deliver outputs and enhance social outcomes

[Figure: the ARMP Model. Establish risk management process (goals and objectives, common language, oversight structure); Assess agency risks (identify, source, measure); Develop risk management strategies (avoid, exploit, transfer, accept and reduce); Design/implement risk management processes (risk management strategies, risk controls); Monitor risk management processes performance; Continuously improve risk management capabilities; Information for decision making]

Risk Management Strategies and Controls Process Framework

Fig C. RCPF

Agency Risk Management Process

Components of the LGU's Risk Management Process

Fig. B. The ARMP Model

UTO Assess Risk Management Process

Components of ARMP:
1. Establish ARMP Structure
2. Assess Agency Risk
3. Develop Risk Management Strategies
4. Design/Implement Risk Control Process
5. Monitor Risk Management Performance
6. Continuously Improve Risk Management Capabilities
7. Information for Decision Making

Understand auditee's RMP
Assess auditee's RME
Consider assessment of RME to drive audit procedures
Reevaluate results

UTO Assess Risk Management Process

1. Establish Risk Management Process
a. Define:
  Risk management goals and objectives
  Common language
b. Establish risk oversight structures

UTO Assess Risk Management Process

2. Assess Agency Risk
Identify, Source, Measure:
a. Changes in the environment, key assumptions, and operation process, and the impact of these changes
b. Process or activities to assess agency risks and information and information processing (IIP)

3. Develop Risk Management Strategies

Avoid
Exploit
Transfer
Accept and Reduce

4. Design/Implement Risk Control Process

a. Ensure Division Head and process/activity owners:
  Have the requisite skill and expertise
  Assume responsibility and accountability for managing significant risk.
b. Assess the timeliness, efficiency and effectiveness of the design of new or improved risk control processes.

UTO Assess Risk Management Process

5. Monitor Risk Management Performance
This includes:
a. Utilization of all available audit opportunities
b. Benchmarking against leading LGU practices, standards set by government and, to the extent applicable, international standards

UTO Assess Risk Management Process

Continuously Improve Risk Management Capabilities
Ensure that risk management, control and monitoring processes/activities are continuously improved throughout the LGU.

UTO Assess Risk Management Process

7 Information for Decision Making

Ensure there is adequate communication and information for decision-making:
a. Enabling senior LGU management to know that all ARMP activities are performed as intended
b. Enabling Division Heads and process/activity owners to clearly understand their responsibilities and accountabilities

The Agency Risk Management Framework

Agency Risk Management Objectives

Strategic: high-level goals, aligned with and supporting its mission
Operations: effective and efficient use of its resources
Reporting: reliability of reporting
Compliance: compliance with applicable laws and regulations

QUESTION


UTO Information Process Framework

As International Standards on Auditing (ISA) 310 states:
"In performing an audit of financial statements, the auditor should have or obtain knowledge of the business sufficient to enable the auditor to identify and understand the events, transactions and practices that, in the auditor's judgment, may have a significant effect on the financial statements or on the examination or audit report."

Understand the Operations (UTO)

Tools used in the performance of UTO: IPF

Information Process Framework (IPF)
A more detailed representation of the operation and information flow with the purpose of:
Obtaining an understanding of the flow of transactions from operations, events, and facts from their inception to their inclusion in the financial statements and disclosures.
Providing a top down focus to identify and locate error risks related to (1) principles, (2) estimates, (3) critical information processes, (4) financial reporting process and (5) disclosures.

UTO Information Process Framework


Objectives
1. Obtain an understanding of the flow of transactions from
operations, events, and facts from their inception to their
inclusion in the financial statements and disclosures.
2. Provide a top down focus to identify and locate error risks related to:
   principles
   estimates
   critical information processes
   financial reporting process
   disclosures

UTO Information Process Framework

Risk Locations

UTO Information Process Framework

Process Flow Diagrams
1. Critical Information Process Diagrams
2. Financial Reporting Process Diagrams

[Flow diagram: Receipts and Collection Process. Boxes: Payment from taxpayers/creditors; Treasurer deposits collection in bank account; Treasurer records deposit in Cashbook-Cash in Bank; Collector/Teller issues Official Receipts; Collector/Teller prepares Report of Collections & Deposits; Treasurer records receipts in Cashbook-Cash in Treasury; Accountant prepares Journal Entry Voucher & record in Cash Receipt Journal.]

UTO Information Process Framework

Process Flow Diagrams: Critical Information Process Diagrams

Key elements to be documented:
Nature and sources of key events, facts and transactions from operations
Principal transaction types and related data input records and principal assumptions and related supporting data
Departments and individuals who execute process activities
Key information systems, databases and records
Routine and non-routine journal entries
Resulting accounting and management information

UTO Information Process Framework

Process Flow Diagrams: Financial Reporting Process Diagrams

Key elements to be documented:
Sources of accounting and management information
Agencies, departments and individuals who execute process activities
Processing systems applied
Routine and non-routine financial reporting adjustments
Resulting financial statements and disclosures

UTO Information Process Framework

Process Flow Diagrams: Financial Reporting Process Diagrams

[Flow diagram: Receipts and Collection Process. Boxes: Payment from taxpayers/creditors; Treasurer deposits collection in bank account; Treasurer records deposit in Cashbook-Cash in Bank; Collector/Teller issues Official Receipts; Collector/Teller prepares Report of Collections & Deposits; Treasurer records receipts in Cashbook-Cash in Treasury; Accountant prepares Journal Entry Voucher & record in Cash Receipt Journal.]

UTO Information Process Framework

Key Procedures
1. Understand information flows and determine significant information processes
2. Understand accounting principles and practices and identify principle risks
3. Understand judgments and estimates and estimate risks
4. Understand critical information processes, and information processing risks
5. Understand financial reporting processes, and identify and locate financial reporting process risks
6. Understand disclosures and identify disclosure risks

UTO Information Process Framework

1. Accounting Principles and Practices
2. Judgments and Estimates
3. Critical Information Processes
4. Financial Reporting Process

Identify Risks (Audit Team Knowledge)

Expert Knowledge: Are there issues identified by accounting and auditing experts that indicate current period risks?
Complexities: Are there process-related risks that require a controls-based approach?
Changes: Are there changes in the current period that indicate current period risks?
Problems: Are there prior or current period problems that indicate current period risks?

Understanding the Process Through Process Mapping

Process Mapping
An activity to document the understanding of the process - taking into consideration the activities involved, the task owners, the flow of transactions and process measures.

Types of Process Maps

Primary
   Transactional Flowcharts
   Process Interfunctional Chart

Secondary
   Functional Process Flowchart
   Physical Layout Diagram

Benefits of Process Mapping/Flowcharting

Facilitates a more comprehensive identification of process risks
Enables the identification of potential process issues such as:
   Duplication of effort
   Inadequate or misallocated resources
   Unnecessary or non-value added activities
Facilitates evaluation of overall effectiveness of the process controls
Documents the audit team's understanding of the process and serves as a continuing audit documentation for future audits

Transactional Flowchart

Purpose
To provide a pictorial representation of each activity in a function
To show the sequence of tasks for each activity
To show the flow of inputs and outputs for each task in an activity
To analyze the relationship of tasks involved in each activity

Advantages
Easiest to prepare and update
Most commonly used and understood format
Good tool to use for client presentations

Disadvantages
Difficult to draw in complex situations
Does not show inter-functional relationships

Transactional Flowchart - Sample

[Flowchart: purchase order processing. Actors: Purchasing Staff; General Manager/President. Activities shown: Encodes PR; Generates PO; Updates PO transaction file; Attaches PR to PO; Sends PR to Requesting Dept.; Approves PO; Distributes PO to user depts.; Sends PO; Confirms receipt. Documents and files shown: Approved PR; Purchase Order (PO); Approved PO; PO Transaction File; PR file. Destinations shown: To Requesting Department; To Stockroom; To Distribution; To Accounting.]

A. The General Manager approves POs with value of P50,000 and less, while the President approves PO above P50,000.

Process Inter-functional Flowchart

Purpose
To provide an overview of the process to be mapped
To show the relationship between different divisions, departments, and systems that are part of the process
To show the flow of major activities in the process
To show the amount of time required to perform each activity
To analyze the process being mapped

Advantages
Graphic depiction of interfunctional relationships
Illustrates departments involved
Easy to overlay time lines
Does not have set headings and therefore allows greater flexibility to show all groups, systems and operations within functions to be mapped.

Disadvantages
Difficult to draw when several functions are involved
Requires large workspace

Functional Process Flowchart - Sample

Description: The Functional Process Flowchart is the form on which you show the sequence of tasks.

[Flowchart with INPUT, PROCESS and OUTPUT columns for a credit memo request. Roles shown: Initiator; Marketing Technician; MTEC; Secretary; CRL. Tasks shown: Verify Validity; Prepare CM Wk Sht; Type Credit Memo; Proofs for Accuracy; Obtain Mgt. Approval. Decisions shown: Valid (Yes); Accurate (Yes). Documents shown: Request for Credit Memo; Credit Memo Worksheet; Projection Credit Memo Request; Credit Memo; Discard Credit Memo Worksheet.]

Process Mapping Guidelines - Primary Symbols

NAME: DESCRIPTION
Activity/Processing: Indicates that an activity or task is being performed.
Decision: When this symbol appears, the task sequence flows to the right if the decision is yes or down if the decision is no.
Document: Represents the generation of a physical document. Multiple overlaying symbols are used if multiple documents are generated.

Specific Guidelines in Process Mapping

1. When preparing flowcharts at detail level, the activity box is often replaced by more specific symbols, such as:
   Manual Input
   Automated Input
   Computer Storage
   Manual Filing

2. Label origins and destinations. Always print the origin of input and destination of output above the respective symbols.
[Figure: a document symbol labelled Sales Representative / Purchase Request]

3. Use flow lines carefully. If the line from one process to another crosses over an already existing flow line, draw the secondary line as shown below:
[Figure: crossing flow lines labelled Existing Process and Secondary Process]

4. Number the symbols. Numbering each process symbol can be useful to cross-reference to a system narrative or the same task number on a process description chart.
5. Be sure to connect flows. Always use a flowchart connector symbol when you continue a diagram to another page or carry it over to another process.
[Figure: decision "Status report approved?" with connector symbols G/20 and G/10; the yes branch is annotated "Continue flowing the yes condition here"; the other branch leads to "Make Changes to Status Report"]

6. Remember to denote the responsible department or individual. Place the department name or the Responsible Individual above each process symbol or area of the map.
7. Use a manual activity symbol before a decision diamond. If you show the flow branching in a yes/no response, someone has made a decision. Indicate that by using a decision diagram. Since decisions and approvals are seldom made in a void, a manual activity symbol generally precedes the decision symbol.
[Figure: activity "Verify validity of statistics" followed by decision "Valid?" with NO and YES branches]

Consider These Additions to the Flowchart

Time per activity
Delay time
Number of activities
Number of reviews
Cost of each activity
Errors

After Completing the Process Map

The Auditor Should Now:
Have a good understanding of the process
Have a good view of the key information about the process
Have a better basis for identifying process risks and related controls

Understand the Operations (UTO)

Tools used in the performance of UTO: ARCDs, AOMs

Agency Risk Control Documents (ARCDs)
ARCDs are the tools used to document risks identified, prioritized for further consideration and linked to the financial statement accounts. ARCDs are grouped based on the type of risks identified. They also document further procedures performed to reduce the risks identified to an acceptable level.

Audit Observation Memos (AOMs)
AOMs are the tools to communicate issues and observations noted in the course of the audit. These are forwarded to the management as the need arises.

As International Standards on Auditing (ISA) 315 states:
"The auditor should determine which of the risks identified are, in the auditor's judgment, risks that require special audit consideration (such risks are defined as 'significant risks')."

QUESTION


Identify Risk Controls

COA-LGS STANDARD AND POLICY
For each failure risks and critical information processes, estimation processes and financial reporting processes risk identified, the audit team should identify, evaluate and test, as appropriate, the auditee's risk management strategy and controls in order to determine any residual audit risks.

Risk Management Strategies and Controls Process Framework

Fig C. RCPF

Assess Auditee Risk Management Strategies & Controls

Risk Control Process Framework

Segregate controls by component to:
1. effectively evaluate the design of risk controls
2. maximize the extent of control reliance
3. recommendations for improvement

Assess Auditee Risk Management Strategies & Controls

Specific Risk Controls
Initial defense in preventing, detecting and correcting errors
Address risks from capture of facts to inclusion in financial statements


Assess Auditee Risk Management Strategies & Controls

Pervasive Controls
Logical extension of the agency-wide risk management environment in the context of a specific process or risk


Assess Auditee Risk Management Strategies & Controls

Monitoring
Activities to monitor the performance of the risk control process


Assess Auditee Risk Management Strategies & Controls

Information for Decision Making
Communication of relevant, complete, accurate and timely information

Identify and Document Risk Controls

Key Activities:
1. Plan and conduct effective risk owner interview.
2. Document identified controls by Risk Control Process Framework component.
3. Observe/Determine if identified controls are placed in operation.
4. Identify key information used to carry out controls.
5. Perform walkthrough to confirm understanding of the LGU's system as recorded in the flowcharts/process maps and the narrative notes.

Identify and Document Risk Controls

Tips in Conducting a Walkthrough
Should be performed after preparation of flowcharts or narrative procedures
Done every year
Evaluator preparing the flowchart should conduct the walkthrough
Walkthrough can be done in any of the following:
   At inception of transaction up to its termination
   At termination of transaction back to its inception
   At the middle of transaction and traced backward and forward

Identify and Document Risk Controls

Suggested format of Working Paper on Identification of Risk Control

Evaluate and Document Risk Controls Design

COA - LGS Standard and Policy
The audit team should use an educated and informed judgment in evaluating the design of the risk controls identified.

ISA 315, Understanding The Entity and Assessing Risks, states that it is a matter of the auditor's professional judgment, subject to the requirements of this ISA, whether a control, individually or in combination with others, is relevant to the auditor's considerations in assessing the risks of material misstatement and designing and performing further procedures in response to assessed risks. The ISA also requires that in exercising that judgment, the auditor considers the circumstances, the applicable component and factors such as the auditor's judgment about materiality, size of the entity, applicable legal and regulatory requirements among others.

Assess Auditee Risk Management Strategies & Controls

Identify, Evaluate Design, Test

CONTROL CHARACTERISTICS
RISK SIGNIFICANCE
PROXIMITY TO RISK SOURCE
LIKELIHOOD OF RISK OCCURRENCE
PREDICTABILITY OF RISK OCCURRENCE
CONTROL RELIABILITY
CONTROL VERIFIABILITY

Evaluate and Document Risk Controls Design

Key Activities
1. Consider design of the following:
   specific risk controls for identified risk sources
   relevant elements of pervasive controls
   monitoring and supporting evidential matter
2. Determine the overall effectiveness of risk controls design
3. Consider integrity of information

Evaluate and Document Risk Controls Design

Relative Preferability of Controls
[Figure: controls ranked from "greatest degree of reliability" to "lower degree of reliability"]

Evaluate and Document Risk Controls Design

Examples
Sequential numbering of transactions and subsequently accounting for the sequence
System-produced exception reports
Reviewing exception reports and investigating errors
Reconciling subsidiary records with control accounts
Requiring password to access systems
Systems validation of account numbers against chart of account
Manual review for authorized signatures on significant disbursements before payout
Review of contract terms and billing arrangement before project contractor

Evaluate and Document Risk Controls Design

Estimation Process Risks

Evaluate and Document Risk Controls Design

Information integrity refers to the reliability of internal and external information used by LGU management, employees or the auditor to carry out their individual responsibilities and includes both:
   completeness
   accuracy

Assess Auditee Risk Management Strategies & Controls

Activity: Identify each control as specific, pervasive or monitoring.
1. Accounting clerk prepares monthly bank reconciliation
2. Segregation of authorization, custody, and recordkeeping activities
3. The accountant reviews and approves the journal entry
4. Internal audit takes a sample of paid invoices and reviews supporting documents to ensure proper approval
5. The budget officer compares budgeted to actual results of operation, analyzes variations and locates the cause of the variation
6. Contractor-selection approval assigned to an individual with significant related project experience
7. Setting criteria for acceptance of bidding proposal from contracted service providers

Assess Auditee Risk Management Strategies & Controls

Activity: (cont.)
8. Physical security over supplies stockroom, movable equipment and cash vault
9. Network and systems security with password controls
10. The accountant verifies that the accounting principles and practices are in accordance with NGAS.
11. Comparing the purchase order with the vendor's invoice before receipt of goods

Testing of Risk Controls to Reduce Risk to Acceptable Level

Testing of Risk Controls

COA-LGS STANDARD AND POLICY
For each failure risks and critical information processes, estimation processes and financial reporting processes risk identified, the audit team should identify, evaluate and test, as appropriate, the auditee's risk management strategy and controls in order to determine any residual audit risks.

Testing of Risk Controls

ISA 330, The Auditor's Procedures in Response of Assessed Risks, par. 23 states: "When the auditor's assessment of risks of material misstatement at the assertion level includes an expectation that controls are operating effectively, the auditor should perform tests of controls to obtain sufficient appropriate audit evidence that the controls were operating effectively at relevant times during the period under audit."

Testing of Risk Controls

Why are tests of controls performed?
To obtain audit evidence about the effectiveness of the:
   Design of the accounting and internal control systems;
   Operation of the internal controls throughout the period.

Testing of Risk Controls

[Figure: Control Reliance Decision Tree. Labels shown: Fraud indicator that warrants LAO further investigation; In case of violation to rules and regulations; LAO.]

Testing of Risk Controls

Control Reliance Decision Tree
Guides the audit team in determining which controls reliance strategies may be adopted to most effectively identify and test relevant controls to reduce information processing risks to an acceptable level.

Testing of Risk Controls

Reliance on Testing Pervasive Controls and Monitoring Activities

Testing of Risk Controls

If the design of the specific, pervasive and, particularly, monitoring controls is effective...
Tests operating effectiveness of monitoring and pervasive controls only.
Generally most efficient strategy.
Designed to understand the rigor and quality of risk owner monitoring activities.
Extent of work is relatively minimal and the timing is quite flexible.

However, if testing of operating effectiveness of monitoring controls indicates that the monitoring controls are not operating effectively, then the audit team should consider testing specific risk controls.

Testing of Risk Controls

Reliance on Testing Pervasive and Specific Risk Controls

Testing of Risk Controls

If the design of the specific and pervasive controls is effective but the design of the monitoring controls is ineffective...
Tests operating effectiveness of pervasive and specific controls.
Provides a high degree of ongoing assurance with only moderate levels of testing.
Audit team should recognize that the lack of monitoring increases the risk that a deficiency in specific risk controls may not be detected and corrected on a timely basis.

However, the absence of effective risk owner monitoring reduces the confidence the auditor can have relating to the consistent application of specific risk controls.
Audit team should identify monitoring activities for the auditee to put in place for future periods.
The proposed monitoring activities may be included in the advisory report to be issued to auditee.

Testing of Risk Controls

IDENTIFICATION and EVALUATION of Design of Controls
Control identification and evaluation of effectiveness of design of the control can usually be carried out at the same time.
A walkthrough of identified controls with personnel who carry out the controls ensures that they have been placed 'in operation'.
It is often efficient to determine whether controls are 'in operation' concurrently with controls identification and evaluation of design effectiveness.

Testing of Risk Controls

RESIDUAL AUDIT RISK
Results from deficiencies in auditee risk control processes
Audit team needs to evaluate whether the risk can be reduced through other risk reduction approaches, either those applied by the auditee or by the audit team.
When the audit team has concluded that there is residual audit risk, these conclusions, together with recommendations to improve risk control processes, should be communicated to management through the issuance of advisory report.

Testing of Risk Controls

Key Procedures
Determine type and extent of tests
Design tests of operating effectiveness
Perform tests of controls and evaluate results
Document tests of controls

Testing of Risk Controls

The testing approach and specific objectives for each audit will vary based on what the auditor has found in the preliminary work.

Objectives of the Testing
If controls appear to be adequate, verification tests should be conducted to determine if the controls identified are functioning as expected.
If controls are not adequate, in certain cases, no further audit testing may be performed. The control weakness is reported to the auditee.
In other cases, testing may be performed to identify the extent of the control weakness.

Testing of Risk Controls

Determine type and extent of tests

Key Activities
Define nature of testing approach
Define extent and frequency of testing
Select risk control testing scenarios and determine testing approach and items

Testing of Risk Controls

Define nature of testing approach

Monitoring
   Nature of Testing: Review of monitoring information and reports; Evaluation of actions taken on exceptions
   Examples of Tests: Inquiry and observation; Exception root cause analysis

Pervasive controls
   Nature of Testing: Inquiry, observation and inspection of compliance with process design
   Examples of Tests: Inquiry and observation; Custom tests of access controls

Specific risk controls
   Nature of Testing: Inquiry and observation; Inspection of documents; Reperformance; Tests of controls results
   Examples of Tests: Inquiry and observation; Process metrics analysis; Independent verification; Account or transaction analyses; Computer data analysis; Sampling tests of related account balances; Attributes sampling

Testing of Risk Controls

General Considerations

Monitoring
   Nature: Review of monitoring information and reports; Evaluation of actions taken on exceptions
   Extent: If appropriate, representative sampling may be applied to test actions taken on exceptions

Pervasive controls
   Nature: Inquiry, observation and inspection of compliance with process design
   Extent: Consider opportunities for testing across multiple processes or risks where similar controls are in place

Specific risk controls
   Nature: Inquiry and observation; Inspection of documents; Reperformance; Tests of controls results
   Extent: If appropriate, representative sampling may be applied

Frequency and Timing
   As necessary to test whether controls are operating effectively throughout the period
   Consider the nature and extent of any significant changes in process activities, people or systems
   Supplement interim tests with other tests covering the entire audit period

Testing of Risk Controls

Factors Guiding the Extent of Tests of Controls

Factor: Existence of large transactions or specific transactions more likely to contain errors
Impact on Extent: Consider targeted items (a 100% stratum) plus a sample of the remaining population

Factor: Importance placed on the controls to be tested
Impact on Extent: Extent may increase when a high degree of reliance is placed on a single control to reduce risk to an acceptable level

Factor: Tolerable rate of exceptions
Impact on Extent: Extent decreases as tolerable rate increases

Factor: Expected frequency of exceptions
Impact on Extent: Extent increases as the expected frequency of exceptions increases

Factor: Strength of the risk management effectiveness
Impact on Extent: Extent may decrease (including locations/sites tested) when a strong risk management effectiveness provides confidence that controls operate effectively throughout the period

Testing of Risk Controls


Select risk
Define
control
testing
scenarios
and
nature of
determine
testing
testing approach
approach
and items

Factor

Select risk
Define
control
testing
scenarios
and
extent and
determine
frequency
testing approach
of
testing
and items

Select risk
control testing
scenarios and
determine
testing approach
and items

Determine
type and
extent of
tests

Design
tests of
operating
effectiveness

Perform tests
of controls
and evaluate
results

Document
tests of
controls

Factors Guiding the Frequency and Timing of Tests of Controls


Impact on Frequency and Timing

Changes in processes (activities,


systems or people) or controls

Stable processes generally will require less frequent testing than a process that is
undergoing change

Expectations for early detection and


correction of potential errors

Tests performed early provide the auditee opportunity to correct existing errors and
improve processes during the period

Reliability and desirability of controls


to be tested

System-based, preventive controls may require less frequent testing than humanbased, detective controls

Availability of evidence to corroborate


the control was executed

When evidence is not retained by the auditee for extended periods of time, or is
based primarily on inquiry and observation, more frequent testing may be necessary

Efficiencies gained by performing


tests of controls with other scheduled
interim work

Testing may be most efficiently performed concurrent with timely quarterly reviews
or other interim activities

Strength of the risk management


effectiveness

Less frequent testing may be necessary when a stronger risk management


effectiveness provides confidence that controls operate effectively throughout the
period


Key Activities
Test control attributes or balances affected by the controls to identify exceptions or misstatements
Analyze root causes of exceptions or misstatements
Determine if risk is reduced to acceptable level


Attributes Sampling Tests of Controls: Sample is examined to identify potential exceptions in the operation of controls (as compared to the understanding of their design).

Tests of Balances: Sample is examined for misstatements that should have been prevented or detected by the controls.

ISA 530
When designing audit procedures, the auditor should determine appropriate means for selecting items for testing so as to gather sufficient appropriate audit evidence to meet the objectives of the audit procedures.

ISA 500
Audit evidence is obtained by performing risk assessment procedures, tests of controls and substantive procedures. The type of audit procedure to be performed is important to an understanding of the application of audit sampling in gathering audit evidence.

ROOT CAUSE ANALYSIS includes:
Understanding their nature
Determining their potential causes
Identifying most likely causes


The audit team should have a sufficient understanding of the root cause in order to appropriately evaluate the impact of exceptions.
This understanding enables the audit team to determine whether the exceptions can be isolated to a particular component of the population.
When exceptions can be attributed to a relatively narrow component of the population, the audit team might be able to perform additional testing of that component to evaluate the extent and potential effects on the financial statements.


In evaluating the results of tests of controls, the audit team:
Projects the results (the rate of exceptions or amount of misstatement) to the population,
Considers sampling risk; i.e., the possibility that the results may significantly understate the true rate or amount in the population, and
Compares the results with the tolerable rate of exceptions or the tolerable error
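
As an added illustration (not part of the original training material), the three steps above can be carried out for an attribute sample as follows. The exact binomial (Clopper-Pearson) upper limit, the 95% confidence level and the sample figures are assumptions chosen for the example; the material itself does not prescribe a statistical method.

```python
from math import comb


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1.0 - p) ** (n - i) for i in range(k + 1))


def upper_exception_rate(n, k, confidence=0.95):
    """One-sided exact upper limit on the population exception rate.

    Finds the rate p at which seeing k or fewer exceptions in n items
    has probability 1 - confidence (assumed method, see lead-in).
    """
    if n <= 0 or not 0 <= k <= n:
        raise ValueError("need n > 0 and 0 <= k <= n")
    if not 0.5 <= confidence < 1.0:
        raise ValueError("confidence must be in [0.5, 1)")
    if k == n:
        return 1.0  # every item failed: no upper bound below 100%
    alpha = 1.0 - confidence
    lo, hi = k / n, 1.0  # CDF falls from >= alpha at lo to 0 at hi
    for _ in range(60):  # bisection on the exception rate
        mid = (lo + hi) / 2.0
        if binom_cdf(k, n, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate_test_of_controls(n, k, tolerable_rate, confidence=0.95):
    """Project, allow for sampling risk, and compare with the tolerable rate."""
    upper = upper_exception_rate(n, k, confidence)
    return {
        "projected_rate": k / n,   # sample rate projected to the population
        "upper_limit": upper,      # projected rate plus sampling-risk allowance
        "within_tolerable": upper <= tolerable_rate,
    }


if __name__ == "__main__":
    # Constructed figures: 60 items tested, tolerable exception rate 5%.
    for exceptions in (0, 2):
        r = evaluate_test_of_controls(60, exceptions, 0.05)
        print(exceptions, f"{r['projected_rate']:.3f}",
              f"{r['upper_limit']:.3f}", r["within_tolerable"])
```

With two exceptions in 60 items the sample rate is below the tolerable rate, but the upper limit is not, which is the understatement risk the second step refers to.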


Three Alternative Assessments

Effective: All controls being tested are operating as designed for the entire audit period

Partially Effective: Some controls being tested are not operating as designed for either part of or the entire audit period

Ineffective: All controls being tested are not operating as designed for the entire audit period

Document tests of controls

Include the following information:

Key Procedure: Design of tests
Key Information:
Nature and type of tests to be performed
Extent of Test
Population and period covered
Sampling approaches or judgments to determine items tested
Frequency and timing of testing

Key Procedure: Performance of Tests
Key Information:
Identification of items tested
Individual exceptions noted
Individuals performing tests
Auditee personnel involved
Dates of testing

Key Procedure: Evaluation of results
Key Information:
Nature of exceptions noted
Root causes of exceptions
Disposition of exceptions

Key Procedure: Recommended improvements
Key Information:
Process and risk control improvements

Documentation

a. Additional Documentation
Additional working papers might be warranted to support greater efficiency in testing in future audits. This might include situations where the working papers:
Convey unique approaches or formats for conducting complex tests
Include tests which will be relied on in future periods

b. Auditee Documents
Should be available to reviewers as necessary to carry out their responsibilities
Should not be retained in the working papers

c. Documentation Templates
To support more efficient documentation of tests of controls, templates have been created for the alternative types of testing (for optional use).

QUESTION

Test of Risk Controls Exercise

SUMMARIZE AND REPORT RESULTS OF EVALUATION

Auditor's objective: To maintain a good relationship with the auditee through regular and immediate communication of issues and performance gaps (deficiencies in risk controls) identified during the course of the audit/evaluation.
Ultimate objective is to ensure the quality of delivering the results of the audit team's work to the auditee.

Reportable Condition
A material misstatement detected by the auditor's procedures that was not identified by the entity ordinarily is indicative of the existence of a material weakness in internal control, which is communicated to management and those charged with governance.

Internal Control Point is defined as:
any deficiency in the design or operation of the internal control structure that could adversely affect the organization's ability to record, process, summarize and report financial data consistent with the assertions of management in the financial statements.

Some reportable conditions are as follows:

Deficiencies in internal control structure design:
Inadequate overall internal control structure design
Absence of appropriate segregation of duties consistent with appropriate control objectives
Absence of appropriate reviews and approvals of transactions, accounting entries, or systems output
Inadequate procedures for appropriately assessing and applying accounting principles

Inadequate provisions for the safeguarding of assets
Absence of other control techniques considered appropriate for the type and level of transaction activity
Evidence that a system fails to provide complete and accurate output that is consistent with objectives and current needs because of design flaws

Failures in the operation of the internal control structure:
Evidence of failure of identified controls in preventing or detecting misstatements of accounting information
Evidence that the system fails to provide complete and accurate output consistent with the agency's control objectives because of the misapplication of control procedures
Evidence of failure to safeguard assets from loss, damage or misappropriation

Performance failures:
Evidence of intentional override of internal control structure by those in authority
Evidence of failure to perform tasks that are part of the internal control structure
Evidence of willful wrongdoing by employees or management
Evidence of manipulation, falsification, or alteration of accounting records or supporting documents

Evidence of intentional misapplication of accounting principles
Evidence of misrepresentation by client personnel to the auditor
Evidence that government employees or management lack the qualifications and training to fulfill their assigned functions

Miscellaneous:
Absence of a sufficient level of control consciousness within the organization
Failure to follow up and correct previously identified internal control structure deficiencies
Evidence of significant or extensive undisclosed related party transactions
Evidence of undue bias or lack of objectivity by those responsible for accounting decisions

Guidance for Communicating Internal Control Points
Avoid language that has the effect of negating the opinion expressed in COA-LGS' auditor's report.
Deliver internal control points to the auditee at the appropriate levels of responsibility and report to management significant deficiencies.
Certain information should be provided for each internal control point, although brief descriptions are acceptable.

If the communication takes the form of a formal advisory report or comparable document, a draft should be discussed with appropriate officers and other auditee personnel prior to delivery.

Presentation of Internal Control Points
A description of the deficiency in the internal control structure, including, when possible, the nature of the related financial statement impact and any other known financial risks.
Suggestions for correcting the deficiency.
For a previously reported, but still uncorrected, deficiency, a reference to the previous communication.
Management's response, to the extent deemed appropriate in the circumstances.

The Audit Observation Memorandum (AOM)
The AOM will contain significant deficiencies that come to the attention of the audit team in the AARMSC and constructive suggestions or improvements in internal control or other suggestions for increased efficiency in operations.

Objectives of the AOM
To comment on the internal control system examined as part of the audit process; and
To advise management, on a timely basis, of areas where economies or improvement could be made.

Advantages of the AOM
It provides management with the auditor's carefully prepared analysis of the particular situation and recommendations for action.
It can be referred to when necessary and passed along for action without the danger of distortion.
It is a record of what was said and a reminder of the services rendered by the auditor.

Issues Related to the AOM
Timeliness: Prompt submission of the AOM to the audited agency is important.
Planning: Planning for the AOM should be an integral part of planning for the audit.
Follow-up: Previous management letters should be filed for reference and subsequent follow-up by auditors.

Preparing the Letter: The primary consideration in preparing the AOM is to be familiar with the intended reader's background.
Making Recommendations: Bringing the problem to management's attention is the real service of the AOM. The auditor's service consists of proposing practical suggestions for solving the problem.
Processing the Memorandum: Before releasing the AOM, each situation included should be discussed with an appropriate representative of the audited agency, one who has the knowledge and responsibility for the area under discussion.

Recommendations on material deficiencies contained in the AOM, not acted upon, shall be included in the Comments and Observation portion of the AAR.

QUESTION

Thank you
Ladies and Gentlemen
Good Day and
God Bless You All