INTERNAL

AUDIT
MANUAL
I. Introduction and Purpose

The Internal Audit Manual:

This manual summarizes the operations of the internal audit function at the BDO (Banco De Oro) and
delineates the policies, standards, and procedures which will generally govern the internal audit
function. Notwithstanding the foregoing, these policies, standards, and procedures may not be followed
for certain special projects requested by the Audit Committee of the Board of Trustees and/or the
President, fraud, or financial irregularity audits, and under other special circumstances.

BDO (Banco De Oro)

As a publicly listed company, BDO believes that the key to long-term sustainability and success largely
depends on having a good name and solid reputation in the marketplace. Thus, the business and
operations of the Bank will be conducted in accordance with the principles and best practices of good
corporate governance.

It is the responsibility of the Board to oversee that a sound and effective enterprise-wide risk
management framework and appropriate internal control systems are in place to manage the risks and
to provide reasonable assurance against material misstatement or loss. It is also responsible to review
and approve the nature and extent of the key business risks that the Bank is taking in pursuing its
strategic objectives and providing oversight over its risk management policies and procedures and
approving the Internal Audit Charter.

The Importance of Internal Control for BDO:

The Three (3) Objectives of Internal Controls:

1. Reporting – reliability

2. Operations – effective and efficient

3. Compliance – compliant with applicable laws, regulations, contracts, and grant agreements.

The Five (5) Main Components of Internal Controls that are Required to be Addressed:

1. Control Environment

2. Risk Assessment

3. Control Activities

4. Information and Communication

5. Monitoring
 CONTROL ENVIRONMENT

Overview

The control environment is the cornerstone for all other components of internal control, it is the
foundation which provides discipline and structure. Control environment factors include the integrity,
ethical values, and competence of the entity.

Objectives:

1. The governing body and management shall do business with utmost integrity and ethical behavior.

2. The governing body and management should pave a path that will enable for proper oversight to the
internal control systems

3. The governing body and management should employ qualified and competent employees fit to
deliver the entity’s tasks.

RISK ASSESSMENT

Overview

BDO’s management and governing body, as well as the Audit Committee assess the risk of
operations continually. The following are the risks that are most common in BDO’s day to day
operations.

 Credit risk
 Operational risk
 Market risk
 Liquidity risk

Objectives:

1. Identify and evaluate the internal and external factors that could adversely affect the achievement of
the banking organization’s performance, information, and compliance objectives.

2. Evaluation of risks to determine which are controllable by the bank and which are not.

3. Adhere to contractual, local, state, and federal las and regulations.

 CONTROL ACTIVITIES

Overview

Control activities should be an integral part of the daily activities of a bank. An effective internal control
system requires that an appropriate control structure is set up, with control activities defined at every
business level. These should include top level reviews; appropriate activity controls for different
departments or divisions; physical controls; checking for compliance with exposure limits and follow-up
on non-compliance; a system of approvals and authorizations; and a system of verification and
reconciliation.

Objectives:

1. Ensure the proper process of reconciliation

2. Segregation of duties

3. Review of processes and activities.

INFORMATION AND COMMUNICATION

An effective internal control system requires that there are adequate and comprehensive internal
financial, operational and compliance data, as well as external market information about events and
conditions that are relevant to decision making. Information should be reliable, timely, accessible, and
provided in a consistent format.

Objectives:

1. To ensure that information of the highest quality aligned with the objectives of the entity is available.
It shall be useful and can be communicated internally and externally by the management.

MONITORING

Overview

The internal control system changes as technology, staff, objectives, and policies change. Management
is charged with continually monitoring the internal control system to determine if it is operating as it
was designed to do and to ensure the controls are being followed.

Objectives:

1. Familiarize staff on activities aimed to monitor the internal controls and evaluation of its results.
2. Address, if any in a timely manner the deficiencies that are noticed in the internal control system.

INTERNAL CONTROL CONCEPTS

Importance of Internal Controls

Internal controls serve as a guide for the organization in completing or achieving their mission,
vision, and any broad goal they might have in mind. Its other purpose besides becoming a guide in
achieving an organization’s primary goal is to provide reasonable assurance.

Internal controls help achieve the following:

• Carry out management directives

• Reduce unpleasant surprises.

• Enhance the reliability of information.

• Promote effectiveness and efficiency of operations.

• Safeguard assets; and

• Comply with rules and regulations.

Audit Scope

In accordance with the International Standards for the Professional Practice of Internal Auditing,
the audit scope will encompass the examination and evaluation of the adequacy and effectiveness
of the respective agency’s system of internal control and the quality of performance in carrying
out assigned responsibilities. The audit scope considers the following objectives:

 Reliability and Integrity of Financial and Operational Information – Review the reliability and
integrity of financial and operating information and the means used to identify, measure,
classify, and report such information.
 Compliance with Policies, Procedures, Laws, Regulations, and Contracts – Review the systems
established to ensure compliance with those policies, procedures, laws, regulations, and
contracts which could have a significant impact on operations and reports and determine
whether the organization is in compliance.
 Safeguarding of Assets – Review the means of safeguarding assets and, as appropriate, verify
the existence of such assets.
 Effectiveness and Efficiency of Operations and Programs – Appraise the effectiveness and
efficiency with which resources are employed.
 Achievement of the Organization’s Strategic Objectives – Review operations or programs to
ascertain whether results are consistent with established objectives and goals and whether the
operations or programs are being carried out as planned.
Internal Audit Plan
In addition to performing the 2022 risk assessment for preparation of this Internal Audit Plan (Plan), this
Plan also includes 2 audits to be performed, first a follow-up of the prior year audit recommendations,
and other tasks that may be assigned by the Audit Committee, or executive management during the
year; and, preparation of the Annual Internal Audit Report for fiscal year 2022.

Risk Assessment
Utilizing information obtained through the completed questionnaires received and background
information reviewed, 17 audit areas were identified as potential audit topics. A risk analysis utilizing the
8 risk factors, mentioned in section I of this report, was completed for each of the 17 potential audit
topics and then compiled to develop an overall risk assessment. Following are the results of the risk
assessment performed for the 17 potential audit topics identified:

High Risk Moderate Risk Low Risk

 Bank Examinations  Corporate Activities  Imaging and Records

 Payroll & Human Management
Resources  Management
 Fixed Asset information Systems  Financial Reporting
Management  IT examinations
 Trust Examinations  Revenue Accounting
Process