Auditing Theory 2 Summary Notes

OVERVIEW OF CORPORATE GOVERNANCE - Measurement of performance thru KPIs

5. Transparency and Reporting (Relations with
Corporate governance - various perspectives, shareholders)
including: - Interested parties gain a clear
i. Legal structures understanding of the business’ purpose/
ii. Business controls; check and balances board mandate and the alignment of
iii. Wider concept of how a business is led and strategies to such purpose
managed - There is an obligation to report and be
*Not an official definition; operating def. of PWC UK transparent

Five Pillars of Corporate Governance Why it matters

- Several drivers for better governance, but not all
are of equal importance
- FRC highlights the ff:
▪ Management of external risks
▪ Right tone from the top
▪ Culture of ethical values
- Most effective drivers focus on doing the right
thing
- Ultimate benefit of effective governance: higher
trust (internal/external)

Drivers – shapes the Benefits - value

landscape
- Stakeholder oversight and - Enhanced performance and
performance expectations decision-making
1. Leadership Strategy and Culture (Leadership) - Critical need to manage - Strategic/competitive
- Setting business’ tone from the top business complexity, advantage
volatility, change - All stakeholder confidence
(intangible) through leaders’ exhibition of - Increased global risk and trust
ethics and values - Cost of FRC - Cost efficiency & improved
- Such tone shapes actions, decisions, - Corporate governance code ROI
and regulations - Market value and
relationships across the organization - Need to secure investment reputation
2. Structure and Performance Oversight - Increased enterprise
(Effectiveness) resilience
- Compliance and
- Tone must be infused in all levels of the transparency
organization thru structures thru various *Governance is the bridge, the key to create value
mechanisms s.a. monitoring, internal (benefits)
audit, contingency plans for crisis
management
- Permeating leadership
3. Risk (Accountability)
- Heart of corporate governance
- Components must be designed in the
context of its overall risk appetite
4. Management Information and Controls
(Remuneration)
- Information systems for collecting,
analyzing, reporting information
- Reward and recognition processes to
encourage desired behavior
- Requires that info is managed accurately
and effectively
Auditing Theory 2 Summary Notes
CODE OF CORPORATE GOVERNANCE FOR PUBLIC
COMPANIES AND REGISTERED ISSUERS
Ref: SEC MC No. 24
Essential Points:
- The code is not a one-size-fits-all framework
- Smaller companies may decide that some costs
of provisions outweigh benefits
Board of Directors – elected governing body that
exercises the powers of the corporation; may refer to
Trustees
Corporate Governance
- system of stewardship and control to guide
organizations’ fulfillment of obligations;
- system of direction, feedback, and control that
uses:
▪ regulations
▪ performance standards
▪ ethical guidelines
- Purpose: maximization of long-term success;
sustainability for shareholders and the nation
Enterprise Risk Management – process designed to
identify and manage risks to be within the risk appetite,
and to provide reasonable assurance re: achievement
of objectives
Executive director – day-to-day operations of a part or
whole of the corporation
Independent director – independent of management
and the controlling shareholder; free from
relationships that would interfere independent
judgment
Internal control – process designed and effected by
BOD, management, and all levels of personnel to
achieve the objectives:
1. Effective and efficient operations
2. Reliable financial accounting
3. Compliance with laws, regulations, policies and
procedures
Management – executives given authority by BOD to
implement policies
Members – members of non-stock corps.
Non-executive director – no executive responsibility;
no work related to day-to-day operations
Non-Proprietary Right – interest, participation, or
privilege over a specific property of the corporation;
holder is not entitled to dividends and assets upon
liquidation
Proprietary Right – interest, participation, or privilege
giving the holder right to use facilities and to receive
dividends and assets upon liquidation
Public Company
- Assets: > 50 million
- Shareholders: > 200 holding > 100 shares each
of equity securities
- Registered Issuer
- Issues non/proprietary shares
- Issues equity securities not listed in an
Exchange
- issues debt securities required to be registered
to the SEC, whether listed or not
Related parties – covers entity directors, officers,
substantial shareholders, and their spouses and
relatives within the fourth civil degree of consanguinity
or affinity, legitimate or common-law, and others if
they have control, joint control, significant influence
over the entity
Related party transactions – transfer of resources
between reporting entity and a related party
regardless of whether a price is charged; interpreted
broadly to include transactions with unrelated parties
that subsequently become related parties
Significant influence – power to participate in financial
and operation decisions, but no control or joint control
Stakeholders – any individual/org/society that either
affects or are affected by a company’s strategies,
policies, decisions, operations.
Auditing Theory 2 Summary Notes

The Board’s Governance Responsibilities 2.5. Formal and transparent board nomination
and election policy (see qualifications and
*Refer to material for further information
disqualifications)
1. COMPETENT BOARD
1.1. Directors must be competent Qualifications Disqualifications
▪ Competence: working knowledge, experience, - Knowledge, skills, - Convicted of final
expertise relevant to industry experience for NEDs judgment of a crime
▪ board should set qualification standards - Independence of mind - Judicially declared
1.2. Headed by a competent and qualified - Integrity record insolvent
- Good rep Temporary:
Chairperson - Sufficient time - Absence in more than
1.3. Orientation program (first-timers) & - Smooth interaction with 50% of regular and special
continuing training (all) for directors members meetings
- Dismissal as director in
1.4. Board diversity any company (may clear
▪ avoid groupthink: individual members of small himself)
cohesive groups accept viewpoint that - Beneficial equity of more
represents consensus than 2% of subscribed
▪ ensure that optimal decision-making is capital stock
achieved - Judgments in grounds of
1.5. Corporate secretary permanent
disqualification not yet
▪ Separate from Compliance officer
final
▪ Not a member of the Board
▪ Attends annual training on corporate
governance 2.6. Policy governing related party transactions
▪ Responsible to the corporation and 2.7. Selection and performance assessment of
shareholders Management led by the CEO
1.6. Compliance officer 2.8. Effective performance evaluation framework
▪ Rank of Senior VP or equivalent
2.9. Appropriate internal control system
▪ Not a member of the Board
▪ Attends annual training on corporate 2.10. Enterprise Risk Management framework
governance ▪ for managing key business risks
▪ Responsible to the corporation and ▪ board is responsible for defining risk tolerance
shareholders 2.11. Board Charter
▪ Roles ▪ guide to all directors;
2. CLEAR ROLES AND RESPONSIBILITIES OF THE ▪ publicly available
BOARD 3. BOARD COMMITTEES
2.1. Board should act in good faith with due 3.1. Establish board committees for specific board
diligence, serving the best interest of functions composed only of board members
company and shareholders (including chairperson)
Two elements: 3.2. Audit Committee
1. duty of care 3.3. Corporate Governance Committee
2. duty of loyalty
3.4. Board Risk Oversight Committee
2.2. Board should oversee, approve, monitor 3.5. Committee Charters
strategy 4. Commitment
2.3. Effective succession planning program for 4.1. Directors should attend and participate all
continuous growth; includes retirement policy meetings (in person or thru tele-conferencing
2.4. Policy specifying relationship of performance unless w/ justifiable excuse)
and remuneration 4.2. Maximum concurrent directorships in public
▪ Remuneration must be commensurate to
responsibilities
companies and/or registered issuers:
▪ No director should participate in determining ▪ 10
own compensation ▪ 5 if sitting in 3 publicly-listed companies
▪ Pay-out schedules should be sensitive to risk 4.3. Director must notify board where he is an
outcomes over a multi-year horizon incumbent director before accepting
▪ Independent determination of remuneration directorship in another company
for those in control functions
5. Board independence
5.1. Board must be composed of majority of NEDs
Auditing Theory 2 Summary Notes

5.2. At least 2 or 1/3 of member must be 8. ENHANCE DISCLOSURE POLICIES AND

independent directors, whichever is higher PROCEDURES
5.3. Independent directors must possess all 8.1. Establish corporate disclosure policies and
qualifications and none of the procedures to ensure that shareholders are
disqualifications given accurate picture of company’s condition
5.4. Independent directors serve for maximum 8.2. Require directors and officers to disclose
term of 9 years (may be retained if there is dealings with shares within 5 business days
justification) 8.3. Manual on Corporate Governance
5.5. Chairperson of the Board and CEO are ▪ Submitted to the Commission
▪ Posted on website
separate
8.4. Annual Corporate Governance Report
Chairperson of the Board CEO 9. STRENGTHENING INDEPENDENCE OF EXTERNAL
- Makes sure meetings focus - Implement corporate
on strategic matters strategic plan
AUDITOR & IMPROVING AUDIT QUALITY
- Guarantees receipt of - Communicate and 9.1. Audit Committee must have robust process
information that would implement VMG, values, for appointment, reappointment, removal,
enable sound decision- strategy
fees of external auditor
making - Oversee operations
- Foster environment of - Manage human and ▪ If there is a change, reason must be
constructive debate financial resources disclosed
- Challenge and inquire - Good working knowledge of 9.2. Audit Committee is responsible for assessing
representations by the industry integrity and independence of external
management - Directs key officers
- Proper orientation and - Manage resources auditors
trainings for directors prudently 9.3. Disclose nature of non-audit services
- Evaluation of the board at - Provide Board with timely performed by external auditor
least annually info
- Build corporate culture
10. FOCUS ON NON-FINANCIAL AND SUSTAINABILITY
- Motivate employees REPORTING
- Serve as link between 10.1. Clear and focused strategy on disclosure
internal operations and ▪ Strategic goals (long-term)
external stakeholders ▪ Operational objectives (short-term)
▪ Impacts of sustainability issues
11. COMPREHENSIVE AND COST-EFFICIENT ACCESS
5.6. Designate a lead director among independent
TO RELEVANT INFO
directors if Chairperson is not independent
▪ Intermediary between chairperson and other 11.1. Website
directors 12. Internal control and risk management
▪ Convenes meetings of NEDs 12.1. Internal control system and ERM framework
▪ Contributes to performance evaluation of 12.2. Independent internal audit function
chairperson ▪ May be in-house or outsourced
5.7. Directors w/ material or potential interest in 13. SHAREHOLDER/MEMBER RIGHTS
any transaction should: 13.1. Disclosed in Manual on Corporate
▪ disclose such
▪ abstain in deliberations
Governance
▪ recuse from voting approval of transaction Rights Additional Rights
5.8. NEDs should have separate periodic meetings - Approval of material - Preemptive right
with external auditor and internal audit, corporate acts - Right to dividends
- Propose holding of - Appraisal rights
compliance and risk function meetings and inclusion
6. BOARD PERFORMANCE ASSESSMENT of agenda items
6.1. Annual self-assessment - Nominate candidates to
BOD
6.2. Place a system that provides, at minimum, - Information to
criteria and process to determine nomination and removal
performance process
- Information of voting
7. STRENGTHENING BOARD ETHICS
procedures
7.1. Adopt a Code of Business Conduct and Ethics
7.2. Ensure proper implementation and
monitoring of compliance with the Code
Auditing Theory 2 Summary Notes

13.2. Notice of Annual and Special

Shareholders’/Members’ Meeting given at
least 21 days before the meeting
13.3. Results of votes on matters taken publicly
available the next working day; Minutes
should be posted on the website within 5
business days
13.4. Alternative dispute mechanism for intra-
corporate disputes
13.5. Investor Relations Office (IRO) and Customer
Relations Office (CRO)
▪ Both should be present at ever SH meeting
14. RESPECTING RIGHTS AND EFFECTIVE REDRESS
FOR VIOLATIONS OF STAKEHOLDERS’ RIGHTS
14.1. Promote cooperation between stakeholders
▪ Customers, employees, Suppliers,
Shareholders, Non-proprietary rights holders,
Investors, Creditors, Community in which it
operates, Society, government, Regulators,
Competitors, etc.
14.2. Mechanism on the fair treatment, protection,
enforcement of rights of stakeholders
15. EMPLOYEES’ PARTICIPATION
15.1. Encourage employees to actively participate
in the realization of goals and governance
15.2. Anti-corruption policy
15.3. Whistleblowing framework
16. Sustainability and social responsibility
16.1. Place importance on interdependence,
promote mutually beneficial relationship,
contribute to advancement of society
Auditing Theory 2 Summary Notes
PSE Corporate Governance
Philippine Stock Exchange (PSE)
- The only stock exchanged in the Philippines
- One of the oldest in Asia
- Operating since the establishment of the
Manila Stock Exchange (1927)
- Currently in BGC, Taguig
- 15 BOD; Chairman: Jose T. Pardo
- Main index: PSEi
- Trading sessions: 9:30AM to 3:30PM
- Daily recess: 12:00PM to 1:30PM
PSEi
- Fixed basket of 30 listed companies; selection
based on specific set of:
▪ public float;
▪ liquidity; and
▪ market capitalization criteria
- Measured relative changes in the free float-
adjusted market capitalization of 30 largest
and most active common stocks
https://www.investopedia.com/terms/f/freefloatmethodology.asp
The free-float method
- better way of calculating market capitalization
- provides a more accurate reflection of market
movements and stocks actively available for trading in
the market.
- resulting market capitalization is smaller than what
would result from a full market capitalization method.
- equity's price X number of shares readily available in the
market
- excludes locked-in shares such as those held by insiders,
promoters and governments.
- Inversely correlated to volatility
Corporate Governance Guidelines for Companies
Listed on the PSE (CG Guidelines handbook)
- One key initiative to carry out the strategy
- Designed for benchmarking CG practices and
guiding companies in improving their
standards
- Not a source of enforceable legal rights & do
not have the force and effect of law;
- no penalties, but companies are required to
explain non-compliance (“adopt or explain”
system)
Corporate Governance as per PSE
- Framework of rules, systems, processes that
governs the performance by the BOD and
management of their respective duties to the
stockholders, with due regard to stakeholders
- System of directing and managing a corporation
which involves:
▪ development and achievement of
corporate goals
▪ function of the Board and its
relationship with management
▪ control, risk, performance management
systems
▪ compliance with laws and best practices
▪ corporate self-restraint and ethics
- sustained value creation as it should ultimately
create long-term value for the SHs while
considering the rights of the stakeholders
- Benefits:
▪ Corporate efficiency; positive impact on
profitability and growth
▪ Improves access to external financing
▪ Lowers cost of capital and raises firm’s
value
▪ Enhances relationships with
stakeholders; improves labor and
community relations
▪ Reduces risk of financial crises
CG and the PSE
- PSE actively supports efforts to adopt world-class
CG practices.
- Includes CG it its 5-year strategic program LEVEL
UP - Value and enforce CG standards
- Corporate Governance Improvement Program
(CGIP) – underscores implementation
Disclosure Requirements
- All listed companies are to submit a compliance
report to PSE’s disclosure dept. on or before Jan.
30; indicating level of compliance
- submitted under oath by the President or
Chairman or a duly authorized representative
- attested by independent director
- only recommendations not met shall be disclosed
- compliance reports should be available in website
- report or summary of deviations shall be included
in the corporate governance sec. of the annual
report
- disclosure period = reporting period
Guidelines
Auditing Theory 2 Summary Notes
1. DEVELOPS AND EXECUTES A SOUND BUSINESS
STRATEGY
1.1. Clearly defined vision, mission, core values
1.2. Well-developed business strategy
1.3. Strategy execution process that facilitates
effective performance management
1.4. Continued discussion by the Board of strategic
business issues
2. ESTABLISHES A WELL-STRUCTURED AND
FUNCTIONING BOARD
2.1. Competence and integrity
2.2. Led by a chairman (ensures that board
functions effectively)
2.3. At least 3 or 30% (whichever is higher)
independent directors
2.4. Written manual, guidelines, issuances that
outline procedures and processes
2.5. Committees:
▪ Audit
▪ Risk
▪ Governance
▪ Nomination and Election
3. MAINTAINS A ROBUST INTERNAL AUDIT AND
CONTROL SYSTEM – Board is responsible for
selection/evaluation/removal of CAE
3.1. Internal Audit as a separate unit, overseen at
the Board level
3.2. Comprehensive enterprise-wide compliance
program; reviewed annually
3.3. Institutionalize quality service programs for
the IA function
3.4. Have a mechanism that allows employees,
suppliers, stakeholders to raise valid issues
3.5. Have the CEO and Chief Audit Executive attest
in writing that a sound internal audit, control,
and compliance is in place
4. RECOGNIZES AND MANAGES ENTERPRISE RISKS
4.1. Board to oversee risk management function
4.2. Formal risk management policy (guide)
4.3. Design and undertake ERM activities, in
accordance with internationally recognized
framework
4.4. Unit at management level headed by a Risk
Management Officer (RMO)
4.5. Disclose info about risk management
procedures and processes + key risks and how
they are managed
4.6. External technical support in risk
management when competencies not
available internally
5. ENSURES THE INTEGRITY OF ITS FINANCIAL
REPORTS AS WELL AS ITS EXTERNAL AUDITING
FUNCTION
5.1. Audit Committee approves all non-audit
services conducted by the internal auditor;
non-audit fees should not outweigh fees
earned from external audit
5.2. Ensure credibility and competence of external
auditor; must be able to understand complex
RP transactions, counterparties, valuations
5.3. Ensure that EA has adequate control
procedures
5.4. Disclose relevant information to external
auditors
5.5. Ensure that EA firm is selected fairly and
transparently
5.6. Audit committee to conduct regular meetings
with EA team without management
5.7. Financial reports to be attested to by CEO and
CFO
5.8. Rotate lead audit partner every 5 years
6. RESPECTS AND PROTECTS THE RIGHTS OF SH,
PARTICULARY THOSE THAT BELONG TO THE
MINORITY OR NON-CONTROLLING GROUP
6.1. Adopt “one share, one vote” principle
6.2. Ensure that all SH of same class are treated
equally (voting, subscription, transfer rights)
6.3. Effective, secure, efficient voting system
6.4. Effective voting mechanisms
▪ Supermajority/ “majority of minority”
requirements to protect minority SH from
controlling SH
6.5 Provide all SH notice of agenda of annual
general meeting:
▪ Regular meeting: at least 30 days before
▪ Special meeting: at least 20 days before
6.6 Allow SH to call a special shareholders
meeting. Submit a proposal for consideration
at the annual general meeting or special
meeting, ensure attendance of EA or other
relevant individuals
6.7 Ensure that all relevant questions during
AGM are answered
6.8 Have clear and enforceable policies with
respect to treatment of minority SH
6.9 Avoid anti-takeover measures that may
entrench ineffective management or the
existing controlling SH group
6.10 Provide all SH with accurate and timely info
re: no. of shares of all classes held by
controlling SH and affiliates
Auditing Theory 2 Summary Notes
6.11 Have a c communications strategy to
promote effective communication
6.12 Have at least 30% public float ton increase
liquidity in the market
6.13 Transparent dividend policy
7. ADOPTS AN INTERNATIONALLY-ACCEPTED
DISCLOSURE AND TRANSPARENCY REGIME
7.1. Written policies and procedures to ensure
compliance with SEC and PSE disclosure rules
+ other disclosure requirements under
existing laws
7.2. Disclose existence, justification details on
agreements (SH, voting rights, confidentiality)
that impact control, ownership, strategic
direction
7.3. Disclose director and executive compensation
policy
7.4. Disclose names of groups or individuals who:
▪ hold 5% or more ownership interest
▪ significant cross-holding relationship and cross
guarantees
▪ nature of company’s other companies if
belonging to a corporate group
7.5. Disclose annual & quarterly reports, CF
statements, special audit revisions
▪ Consolidated FS – within 90 days from end of
financial year
▪ Interim reports – within 45 days from end of
reporting period
7.6. Disclose to SH and Exchange any changes to
corporate governance manual and practices,
and extent of conformity to SEC and PSE
7.7. Publish to SH timely info and materials
relevant to corporate actions that require
shareholder approval
7.8. Disclose the trading of shares by directors,
officers, controlling SH; purchases of shares
from market by the company
7.9. Disclose in annual report:
▪ Principal risks to minority SH associated with
identity of controlling SH
▪ Degree of ownership concentration
▪ Cross-holdings among company affiliates
▪ Imbalances between controlling SH voting power
and overall equity position in the company
8. RESPECTS AND PROTECTS THE RIGHTS AND
INTERESTS OF EMPLOYEES, COMMUNITY,
ENVIRONMENT, AND OTHER STAKEHOLDERS for
long-term sustainable value
8.1. Policy statement that articulate company’s
recognition and protection of the rights and
interests of key stakeholders
8.2. Workplace development program
8.3. Merit-based performance incentive system
s.a. employee stock option plan (ESOP)
8.4. Community involvement program
8.5. Environment-related program
8.6. Clear policies that guide in dealing with
market participants
9. DOES NOT ENGAGE IN ABUSIVE RELATED-PARTY
TRANSACTIONS AND INSIDER TRADING –
transactions should not benefit a particular group
9.1. Policy for RPTs
9.2. Clear definition of thresholds for disclosure
and approval of RPTs, e.g.:
▪ de minimis transactions – those that need not be
reported
▪ those that need to be disclosed
▪ those that need prior SH approval
▪ Aggregate amount of RPT within any 12-month
period should be considered in applying
thresholds
9.3. Voting system where majority of non-RP
shareholders approve specific types of RPTS
9.4. Independent directors or audit committee to
play important role in reviewing sig. RPTs
9.5. Transparency & consistency in reporting RPTs;
summary to be published in annual report
9.6. Clear policy with material non-public info by
company insiders
9.7. Clear policy and practice of full and timely
disclosures of material transactions with
affiliates of controlling SH, directors,
management
10. DEVELOPS AND NURTURES A CULTURE OF ETHICS,
COMPLIANCE, & ENFORCEMENT
10.1. Adopt a code of ethics that guides individual
behavior & decision-making, clarify
responsibilities, and informs stakeholders of
expected conduct
10.2. Formal comprehensive compliance program;
includes training and awareness of initiative
10.3. Not seek exemption from application of law
when referring to a corporate governance
issue; disclose reasons should it do so
10.4. Clear and stringent policies and procedures on
penalizing involvement in bribes
10.5. Designated officer for ensuring compliance
10.6. Respect intellectual property rights
10.7. Alternative dispute resolution system to settle
conflicts and differences with counter parties
Auditing Theory 2 Summary Notes

Committee of Sponsoring Organizations of the 2013 Framework for Effective Internal Control (COSO)
Treadway (COSO)
1. Achievement of objectives relating to 1, 2, or all 3
- 1985 categories (reasonable assurance)
- Joint initiative of 5 private orgs: 2. All 5 components and relevant principles present
▪ AICPA and functioning
▪ AAA
Present – exists in design and implementation of IC
▪ FEI
▪ IMA Functioning – continues to exist in conduct of IC
▪ Institute of Internal Auditors
- Mission: provide though leadership through Presumption: All 17 principles are relevant to all
development of frameworks on ERM, IC, fraud entities.
deterrence to improve organizational performance In rare instances where management determines that
and governance a principle is irrelevant, give rationale as to how related
component can be present and functioning.

Objectives of Internal Control 3. 5 components and relevant principles operating

*direct relationship bet. objectives (top), components
(front), and org structure (side)
together in an integrated manner
Operating together – all 5 components collectively
reduce risk of not achieving an objective; can be
demonstrated when:

▪ Components are present and functioning

▪ IC deficiencies aggregated across
components do not result in the
determination that 1 or more major
deficiencies exist

Additional considerations:

1. Judgment
- Effective IC demands more than rigorous
adherence; requires use of judgment
2. Points of focus
Objectives of IC – provide reasonable assurance of - 87 important characteristics
achievement re: - help in design, implementation, evaluation of
1. Operations – effectiveness and efficiency of IC, but they are not required to be assessed
operations, including safeguarding of assets separately when evaluating effectiveness of IC
2. Reporting – reliability, timeliness, 3. Controls to effect principles
transparency, etc. - No prescribed controls
- Controls used is a function of management
judgment
- Internal control deficiency – absence of
controls necessary to effect relevant
principles
- Management may consider other controls
(whether or not related to component or
principle) that compensate for a deficiency
4. Organizational boundaries
- Significant addition to 2013 framework:
considerations relating to outsoutced service
3. Compliance – adherence to laws and providers (OSPs)
regulations
Auditing Theory 2 Summary Notes
- Dependency on OSPs changes risks, increases
importance of info quality, creates challenges
of overseeing activities and controls
- Management retains responsibility for IC
5. Technology
- “all computerized systems, including
applications running on a computer and
operational control systems”
- Principles do not change with the application
of technology
6. Larger vs. smaller entities
- IC components and principles are applicable
for both
- Implementation approaches may vary
7. Benefits and costs of IC
- Management must weigh costs to strike right
balance of making right use of entity’s
resources, mitigating areas of greatest risk,
and meeting objectives
8. Documentation
- Some level is necessary to assure that each
component and relevant principles are
present and functioning, and operating
together
NEW COSO ERM Framework
- Greater insight into role of ERM in setting and
executing strategy
- Enhances alignment between performance and
ERM
- Accommodates expectations for governance and
oversight
- Recognizes globalization and the need to apply a
common, albeit tailored, approach across
geographies
- Presents new ways to view risk to setting and
achieving objectives in the context of greater
business complexity
- Expands reporting to address expectations greater
than stakeholder transparency
- Accommodates evolving technology and data
analytics in supporting decision-making
- Does not replace 2013 IC – Integrated Framework;
they are complementary
- Aspects of IC common to ERM are not repeated
- Some aspects of IC are further developed
Basic Definitions
Risk – possibility that events will (or will not) occur and
affect achievement of strategy and objectives
ERM – culture, capabilities, practices integrated with
strategy and execution that organizations rely on to
manage risk in c.p.r. value
Risk appetite – amount of risk (broad level) that org is
willing to accept in pursuit of value
Acceptable variation in performance – boundaries of
acceptable outcomes related to achieving objectives
Why implement sound ERM principles
- Improves decision-making in governance, strategy,
objective-setting, and operations
- Link strategy and objectives to both risk and
opportunity; enhances performance
- Provides clear path to creating, preserving,
realizing (c.p.r.) value
*Strategy is put in the context of vision, mission, core
values, desired performance along with the risks
*ERM focuses on integration with other processes:
1. Governance processes
2. Strategy setting
3. Objectives setting
4. Performance management
ERM and Innovation Likenesses
1. Risk appetite statement and tolerance
discussions
2. Both integrated in existing processes to create
sustainable value
3. Linked to strategy & objectives and execution
& optimization for maximum value
ERM and Innovation Leverage Points
1. Looking at risks to drive internal and external
value (make money by taking risk to deliver
value)
2. Using ERM as a source for innovation
(innovating with strategic intent)
3. ERM already has the C-suite engaged
4. ERM is traditionally tied into governance and
audit; extend ERM & innovation discussions
with the full board especially the executive
committee
Auditing Theory 2 Summary Notes
INTERNAL AUDIT
IPPF: The Framework for Internal Audit Effectiveness
(Video)
- Auditors protect and enhance
- Evolving risk due to changing technology, comms,
global economics, geopolitics, etc.; auditors adapt
to speed of risk
- IPPF provides direction to auditors to keep up with
change
- The framework adapts as well → Enhanced
professionalism, proficiency, effectiveness
- New IPPF Mission: “To enhance and protect
organizational value by providing risk-based and
objective assurance, advice, & insight”
Assurance – bedrock of any internal audit
function
Advise – informed view offered
Insight – objective and independent
perspective to help see risk
- New emerging challenge: cybercrime. Can auditors
keep up?
- Characteristics of IA: Integrity, objectivity,
competence
- New principles:
▪ IA to be insightful, productive, future-
focused
▪ Promote organizational improvement
▪ Provide further direction to what makes
us effective
- Further changes in the new IPPF:
▪ Mandatory
▪ Recommended
▪ Implementation
▪ Supplemental guidance
Definition of Internal Auditing
- Independent, objective, assurance, and consulting
activity
- Designed to add value and improve organization’s
operations
- Helps accomplish objectives by bringing a
systematic, disciplined approach to evaluate and
improve the effectiveness of
▪ Risk management
▪ Control
▪ Governance processes
Core Principles for the Professional Practice of Internal
Auditing
1. Integrity
2. Competence and due professional care
3. Objective and free from undue influence
(independent)
4. Alignment with strategies, objectives, risks of
the organization
5. Appropriately positioned and adequately
resourced
6. Quality and continuous improvement
7. Effective communication
8. Risk-based assurance
9. Insightful, proactive, future-focused
10. Promotes organizational improvement
For IA function to be considered effective, ALL
principles should be present and operating effectively.
Code of Ethics – Principles
1. Integrity – establish trust and provide basis for
reliance on their judgement
2. Objectivity – highest level of professional
objectivity in gathering, evaluation,
communicating info; make a balanced
assessment of all relevant circumstances; not
unduly influenced by own interests or by
others in forming judgment
3. Confidentiality – respect and value ownership
of info; do not disclose w/o proper authority
unless there is a legal/professional obligation
to do so
4. Competency – apply knowledge, skills,
experience needed in performing IA services
3 Lines of Defense
Senior Management
1st line: Operational Management
- Mgmt. Control and Internal Control
- Ownership, responsibility, accountability for
assessing, controlling, mitigating risks
2nd line: Risk Management and Compliance Function
- Financial control, security risk management,
quality, inspection, compliance
- Oversight function
Governing Body/Board/Audit/Committee
3rd line: Internal Audit
- Reports to BOD/Audit Comm
- Independent of BOD/Audit Comm & Senior
Management
Auditing Theory 2 Summary Notes
- Provides objective assurance on effectiveness
of compliance risk management
Internal Audit’s Stakeholder Groups
a) Operational and Executive Management
- Decision-making core responsible for
overall performance of the org
b) Board and Audit Committee
- Monitors overall performance on behalf of
shareholders/owners
- Audit Committee: provides oversight of
financial reporting, risk management,
internal control, compliance, ethics,
internal auditors, external auditors
c) Other Assurance Providers
- Quality audit (ISO)
- Health, safety, and environment functions
- Compliance functions
- Risk management functions
- Legal and/or general counsel functions
d) External Stakeholders
- Reside outside the org structure, but have
important role in overall governance and
control structure
Relevant Standards Organizations
a) Institute of Internal Auditors (IAA)
- IA and risk management guidance-
setting body
- Serves in 190 countries
- Largest professional org of IA
- IPPF: mandatory for IAA members and IA
organizations claiming to complete
audits to IAA technical standards
b) Information Systems Audit and Control
Association (ISACA)
- Focused on IT governance and IT internal
audit
- Serves in 180 countries
- COBIT (Control Objectives for
Information and Related Technology)
- Standards, Guidelines, and Procedures
for information system auditing
c) Committee of Sponsoring Organizations of
the Treadway Commission (COSO)
- Joint initiative to combat corporate
fraud
- Established in the US by 5 private orgs
- Common internal control model
- Supported by IMA, AAA, AICPA, IIA, FEI
Eight Attributes of Excellence
1. Business Alignment
- Documented goals and objectives
focusing on key internal improvement
dimensions
- Process level KPIs in place
- Strategy addresses short- and long-term
vision
- Quantitative and qualitative metrics
2. Risk Focus
- Encompasses all applicable areas of the
org
- Risk assessment based on top-down,
strategic view of business risks
- Produces a risk profile
- Identified risks are mapped to activities
within ERM
3. Talent Model
- Proficient in financial internal audit,
ICFR, ITGCs
- Offer industry and technical expertise
- Rotational program developed for
management to work in IA for some
period to provide holistic understanding
& to integrate specialized knowledge
4. Stakeholder Management
- Focus: reporting and resolving audit
issues. Limited, non-audit interactions
occur and stakeholder insight is NOT
obtained to identify or validate risks
- SH view IA as a key business partner that
provides appropriate and strategic
support
5. Cost Effectiveness
- Includes those incurred by core staff,
specialists, third party consultants
- Take corrective action on a timely basis
- Measure overall productivity for all
audits, which would serve as a guide in
creating most cost-effective mix of
services offering most risk coverage
6. Technology
- Audit Management System: working
papers, engagement management,
issue tracking functionality
- Use integrated AMS that links fata
from risk assessment through audit
results to maximize efficiency and
effectiveness
Auditing Theory 2 Summary Notes
7. Service Culture
- Communication strategy to provide
management with info about planned
audit
- Formal kick-off meeting with auditees
and subset of senior management to
provide insight on how audit was
selected and to collaborate with
auditees
8. Quality & Innovation
- All members trained in the concept
and application of methodology to
ensure consistency
- Continual improvement processes
developed to ensure that tools are
adequately designed
International Standards for the Professional Practice of
Internal Auditing
1000: Purpose, Authority and Responsibility
- Chief Audit Executive discusses IA Charter to
Board for approval
- Signature/approval on actual IA Charter
- CAE reviews IA Charter with Senior
Management and the Board
1100: Independence and Objectivity
- I and O Statement in the Charter
- Reporting lines in org chart
- Policies on I, O, addressing conflicts,
performance evaluation
1200: Proficiency and Due Professional Care
- Policies communicated to and acknowledged
by IA staff
- Annual declaration related to IIA’s Code of
Ethics and org’s Code of Conduct
- Sufficient and appropriate allocation of IA
staff
- Evident in procedures and processes during
audit engagement
- Results of feedback from engagement reviews
and client surveys
- Performance of regular external assessments
1300: Quality Assurance and Improvement Program
- A QAIP is an ongoing and periodic assessment
of the entire spectrum of audit and consulting
work performed by the organization's internal
audit activity
- 1310: Requirements of QAIP
- 1311: Internal Assessment
- Ongoing Monitoring
- Periodic self-assessment
- 1312: External Assessments
- 1320: Reporting on QAIP. CAE communicated
QAIP results to Board or Senior Management
- 1321: Use of “Conforms with the ISPPIA”
- 1322: Disclosure of Nonconformance
- Actions are taken to improve IA efficiency and
effectiveness
- External assessment or self-assessment with
independent validation
2000: Managing the Internal Audit Activity
- Evidence of how well IA has been managed
and whether it has added value to the org
exists in surveys
- Results of both internal and external
assessments evidence how well the IA was
managed
2100: Nature of Work
- IA roles and responsibilities related to
governance, risk management, control are
documented in IA charter
- Elements of the standards are discussed
among CAE, Board, SM
- Disciplines, systematic, risk-based approach
documented in Engagement Plan
- Outcome of relevant and value-added results
are documented in the engagement reports
2200: Engagement Planning
- Planning considerations, engagement scope,
objectives, resource allocations, approved
engagement work program
- Discussion of engagement objectives and
scope to client
- Approved documentation templates related
to planning the engagement
2400: Communicating Results
- Policies and procedures for guidance on
communication of noncompliance, sensitive
info within and outside chain of command,
outside the org
Auditing Theory 2 Summary Notes

2500: Monitoring Progress

- Prior audit observations, associated

corrective action plan, status, internal audit’s
confirmation documented in an updated
exception tracking system
- Status of corrective actions are
communicated to senior management and
the board

2600: Communicating the Acceptance of Risks

- Significant risked discussed with executive

management team, Board, or Risk Committee
- Steps taken to alert mgmt and the Board are
documented in a memo file for
communication made through one-on-one
meetings during private sessions
- Detailed P&P in reporting significant risks in
compliance with standards

Internal Audit Process

1. Foundation
- Understand IA value drivers
- Mission and Charter
- Develop a strategic plan
2. Planning
- Understand objectives
- Assess risks
- Audit plan
- Update risk assessment
3. Fieldwork
- Understand area under review
- Determine approach:
- Value protection
- Value enhancement
4. Reporting
- Outline major issues and findings
- Outline recommendations
- Outline management’s action plans to
identified issues
5. Quality
- To be embedded in each stage
- Performance metric measurement
- Internal quality review/assessment
Auditing Theory 2 Summary Notes

Internal vs. External Audit

Auditing Theory 2 Summary Notes

Tests of Controls - Considerations:

Webinar Notes ▪ Effectiveness of other elements of IC
Relevant Standards ▪ Risks arising from characteristics of control
(manual/automated)
• ISA 330 Planning and Audit of FS ▪ Effectiveness of general IT controls
• ISA 500 Audit Evidence ▪ Effectiveness of the control and its
• ISA 530 Audit Sampling application; nature & extent of deviations in
previous audits; personnel changes that affect
Process vs Control control application
▪ Whether lack of change in control poses risk
Process. What is done to initiate, record, authorize, due to changing circumstances
sage custody ▪ Risks of MM and extent of reliance on control
- Establish continuing relevance by obtaining evidence
Control. Gives management assurance that processes of significant changes using inquiry +
will work observation/inspection
▪ With changes. Test controls in CURRENT audit
_________________________________________ ▪ No changes. Test at least 1once in every third
audit; test 2some controls in each audit;
Audit sampling. Application of procedures to less than include audit 3documentation of conclusions
100% of items in reliance of controls tested in previous audit
- Describe 1control attributes to be tested and
Population. Entire set of data from which conclusions
what would constitute a 2control deviation
are drawn
2. Selection
Sampling risk. Risk that results from sample is - Sample size and selection method
different from results from population 3. Testing & Evaluation
- May be performed at interim + top up testing
Expected deviation rate. Rate of deviations found
at final visit
during ToC
- If actual deviation rate > expected: (options)
Tolerable deviation rate. Tolerable rate of deviations ▪ Test an alternative/mitigating control
in populations NOT found during ToC ▪ Place reliance on substantive audit
procedures
Tests of Controls Practice ▪ Increase sample size
i. ABSENT from a high risk area
1. Design 4. Documentation
- Consider purpose of audit procedure & - Reference to work papers documenting the
characteristics of the population in selecting test
sample - Document conclusions
- Select size sufficient to reduce sampling risk to an - Consider impact on other audit areas s.a.:
acceptable low level ▪ Other audit procedures
- Walkthrough. Provides evidence re: ▪ Reporting to TCWG
- design and implementation i. Report on a timely basis if
- operational effectiveness controls cannot be identified, are
- adequacy of performance; not designed effectively, are not
operating effectively
- only provides evidence at point of conduct
ii. Report as soon as practicable if
- Document the basics: key mitigating controls are
- Objective of test
- Account
- Assertion
- Period
- Extent of reliance (high or low risk)
- Sample size
- Frequency/ no. of operations during acc period
- Significant risk
- Appropriateness of reliance on prior period evidence. ISA
330.13
Auditing Theory 2 Summary Notes

Code of Ethics 5. Sec 291.2

- Refer to PFAE, PSAs, PSREs, PSAEs
Adoption of the 2016 Ed. Of the International Ethics
6. Sec 225. 38
Standards Board For Accountants CoE
- Professional Accountant: individual who
- Resolution no. 263 holds a valid CoR and current PIC issued
- December 18, 2015 by BOA and PRC… (revised def)

Changes from 2014 & 2015 editions BOA Resolution 2016 s2

1. TCWG definition revision to align with ISA 260
by IAASB
2. Withdrawal of exception provisions that
permit audit firm to provide bookkeeping and
taxation services to public interest entity
(PIE) audit clients in emergency or unusual
BOA Resolution #3
situations
3. Strengthening of provisions addressing
management responsibility + additional
guidance + clarification of what constitutes
MR
4. Clarification of “routine or mechanical”
services relating to prep. of accounting
records and FS for audit clients that are not
PIEs
- Requiring the submission of engagement
reports by individual certified public
accountant, firms and partnerships of
certified public accountants engaged in the
practice of public accountancy
- Requiring the submission of certificate by the
responsible CPAs (should not be the CPA
performing the attest service) on the
compilation services for the preparation of
financial statements and notes thereto
- Attached to DS with gross sales exceeding 10
million pesos

NOCLAR (non-compliance with laws and regulations)

Ethics
- Potential illegal act by client or employer - set of principles that guides professional
Changes in 2016 ed. provisions to fit PH setting accountants in appropriately conducting and
portraying themselves to help fulfill the
1. Sec 290.12 responsibility of the profession
- no prescription for specific - to act in the public interest
responsibilities related to independence,
- PSQC req.: establish P&P to provide
reasonable assurance of its Ref. Code of Ethics Focus Notes
independence
- PSA req.: form conclusion on
compliance with independence
requirements
2. Sec 290.152
- Audit client becomes a PIE
- # 𝒐𝒇 𝒚𝒓𝒔 𝒕𝒊𝒍 𝒓𝒐𝒕𝒂𝒕𝒊𝒐𝒏 =
7𝑦𝑟𝑠 − # 𝑦𝑟𝑠 𝑠𝑒𝑟𝑣𝑒𝑑
3. If 6 or more years, max 2 years before
rotation
4. Sec 290.153
- Rotation of key audit partners (KAP)
may not be an available safeguard if
only a few people in the firm have
necessary knowledge and experience
- Independent regulator may allow KAP
to serve beyond max years; alternative
safeguards must be specified