SESSION 3.

0
PERFORMING PLANNING
ACTIVITIES
Session Overview

Why Plan the Audit

 Steps in Compliance Audit Planning

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

Learning Objective
Given the lecture and exercises, at the end of this
session, the participants may now apply the steps in
planning the compliance audit.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

Why Plan the Audit
(ISSAI 300 3.1.1, 3.4.3)

The Fundamental Auditing Principles state that the

auditor should plan the audit in a manner which ensures
that an audit of high quality is carried out in an
economic, efficient and effective way and in a timely
manner. Furthermore, those planning the audit need to
be knowledgeable of the compliance requirements that
apply to the entity being audited.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

1. Identify Intended User(s) of the Compliance Audit
Report

ISSAI 4000.101

The auditor shall explicitly identify the intended user(s)

and the responsible party and consider the implication of
their roles in order to conduct the audit and
communicate accordingly.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

 Intended persons for whom the auditor prepares
User(s) the compliance audit report and may
be legislative or oversight bodies, those
charged with governance the public
prosecutor, media or the general public

 Responsible is responsible for the subject matter,

Party and is as such the subject for the audit

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

2. Determine The Subject Matter, the Corresponding
Audit Criteria and Audit Scope

ISSAI 4000.109-110

The subject matter should be identifiable, and it should be

possible to assess it against suitable criteria. It should be of
such nature that it enables sufficient and appropriate audit
evidence to be gathered in support of the audit report,
conclusion or opinion. Where the SAI has discretion to
select the coverage of compliance audits, the auditor shall
identify relevant audit criteria prior to the audit to provide
a basis for a conclusion/an opinion on the subject matter.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

The Audit Scope
The audit scope is a clear statement of the focus, extent
and limits of the audit in terms of the subject matter’s
compliance with the criteria. The scoping of an audit is
influenced by materiality and risk, and it determines
which authorities and parts thereof will be covered. The
audit process as a whole should be designed to cover the
entire audit scope.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

 Subject Matter Audit Criteria Audit Scope
1. Clean Water and P.D. 198, as The audit will cover
Sanitation amended, otherwise , on a test basis,
known as the compliance of the
Provincial Water operations and
Utilities Act of 1973. transactions of
Agency L with the
provisions of P.D.
198, as amended for
CYs 2016-2018.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

 Subject Matter Audit Criteria Audit Scope
1. Fund Utilization Memorandum Of The audit will cover ,
Agreement/Terms on a test basis, fund
of Reference utilization for CY ___
to ___pursuant to the
Memorandum of
Agreement executed
by and between
Agency AB and
Agency X.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

3. Determine the Level of Assurance

ISSAI 4000.30

Every compliance audit is an assurance engagement.

The auditor chooses the level of assurance based on the
needs of the intended user(s). The audit report provides
either reasonable or limited assurance.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

3. Determine the Level of Assurance

Limited Or Negative
Assurance

Level of
Assurance
Reasonable Or
`Positive Assurance

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

Level of Assurance: Factors to decide
Needs of Intended user

Availability of Information

Existing competencies of
the audit teams
Level of
Assurance Availability of time, budget.
Materiality, risk &
sensitivity
Availability of Other
Resources

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

Direct Reporting Engagement
In direct reporting engagement, it is the auditor who
measures or evaluates the subject matter against the criteria.
The auditor is responsible for producing the subject matter
information. The auditor selects the subject matter and
criteria, taking into consideration risk and materiality. By
measuring the subject matter evidence against the criteria,
the auditor is able to form a conclusion. The conclusion is
expressed in the form of findings, answers to specific audit
questions, recommendations or an opinion.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

Attestation Engagement

In an attestation engagement, the responsible party (the

entity) measures the subject matter against the criteria
and presents the subject matter information, on which,
you, the auditor then gathers sufficient and appropriate
audit evidence to provide a reasonable basis for forming
a conclusion. The conclusion is expressed in the form of
findings, conclusions, recommendations or an opinion.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

4. Determine Materiality
ISSAI 4000.125 -126

The auditor shall determine materiality to form a basis for the

design of the audit, and re-assess it throughout the audit
process. Materiality reflects the assessed needs of the intended
user(s)and these needs have to be identified when planning the
audit. Based on the selected subject matter, materiality is
determined by identifying the level of non-compliance that is
likely to influence the decisions of the intended user(s). In
identifying materiality, the auditor pays attention to specific
areas of legislative focus, public interest or expectations,
requests and significant public funding as well as fraud.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

Materiality

 Quantitative aspects are: size - usually in terms of value, it

can be percentage, number, amount etc.

 Qualitative aspects are: nature and characteristics etc. by

value it might be insignificant or there may not be any
related value

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

Qualitative Materiality

1. Non- compliance with I.T. access control

2. Unauthorized persons get access to classified information

3. Hiring of unqualified personnel in the case of agencies

responsible for weather forecasting

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

Quantitative Materiality
Basis Rationale
Total Expenditure Based on understanding of the agency, Total
Expenditure is selected based on these realizations:
User’s Focus
- Transactions of DSWD are focused on
implementation of its program, thus the
perspectives and expectations of regulators and the
general public are concentrated on the Expenses of
the agency (Activity-based)
Characteristics of the Agency
- DSWD is a disbursing and not a profit oriented
agency.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

 Percentage Rationale
0.5% There are no specific guidelines on choosing what percentage
to use and is based on professional judgment. A lower
percentage is selected to be conservative because of the
following:
- DSWD is included in the agencies with the highest budget
allocation based on the People’s Budget
- Because of the visibility of the programs of DSWD, it is
highly criticized by the public and media, especially when
donation is involved.

Total Expenditure Percentage Overall Materiality

(a) (b) (a x b)

Php 971,845,858.19* 0.5% Php 4,859,229.29

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

Quantitative Materiality
Planning Materiality Computation
Total Expenditure Percentage Overall Materiality
(a) (b) (a x b)

Php 971,845,858.19* 0.5% Php 4,859,229.29

*Lifted from the Statement of Financial Performance of DSWD-NCR for

the period ended December 31, 2015.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

5. Carry out Risk Assessment at Agency Level

I. Identify and Assess Risks of Noncompliance by Assessing Inherent

Risk

II. Identify and Assess Risks of Noncompliance –by determining reliance

on internal controls

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

5. Carry out Risk Assessment at Agency Level

There are three types of risk that should be considered in determining

reliance on internal control of the agency. These risks are the following:

 Inherent risk
 Control risk
 Detection risk

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

Material Risk of Non-Compliance
INHERENT
CONTROL RISK RISK RESPONSE
RISK
High Low levels of controls Audit response to be focused on
improving internal controls through
assessment of improved plans
High Controls are asserted by the Focus on obtaining assurance that
management to be adequate controls continue to operate as
designed and that there is consistency
in risk management
Low Low level of controls that
Evaluate and monitor the development
may be consciously accepted
of risk level
by management
Low High level of control Audit response to be focused on
compliance issues

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

6. Understand the Entity and its Environment
Including Internal Control

ISSAI 4000.131

The auditor shall have an understanding of the audited entity and its
environment, including the entity’s internal control, to enable effective
planning and execution of audit.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

6. Understand the Entity and its Environment
Including Internal Control
Auditors may use the following sources of information to develop a
proper understanding of the nature of the audited agency which should
be documented using the Understanding the Agency Template. (UTA
Template):
 Laws and regulations;

 Budgetary legislation/approved budget;

 Code of ethic, code of conduct;

 Internal policies, strategic plans, operational plans, procedures manuals;

 Contracts;

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

6. Understand the Entity and its Environment
Including Internal Control
 Grant agreements;

 Media Report

 Annual Reports

 Meeting minutes (Board of Directors)

 Internal Audit Reports

 Knowledge from previous reports

 National Statistics

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

7. Develop Audit Strategy and Plan

ISSAI 4000.137.

The auditor shall develop and document an audit strategy and an audit
plan that together describe how the audit will be performed to issue
reports that will be appropriate in the circumstances, the resources
needed to do so and the time schedule for the audit work.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

8. Assess Audit Risk

ISSAI 4000.52

The auditor shall perform procedures to reduce the risk of producing

incorrect conclusions to an acceptable low level.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

8. Assess Audit Risk

Audit risk is the risk that the audit report – or more

specifically the auditor's conclusion or opinion will be
inappropriate in the circumstances of the audit.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

9. Plan Audit Procedures To Enable Reasonable
Assurance

ISSAI 4000.137

The auditor shall develop and document an audit strategy and an

audit plan that together describe how the audit will be performed to
issue reports that will be appropriate in the circumstances, the
resources needed to do so and the time schedule for the audit work.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

9. Plan Audit Procedures To Enable Reasonable
Assurance

The purpose of the audit strategy is to document/design the

overall decisions, and may contain the following:

a. The audit objective, subject matter, scope, criteria and other

characteristics of the compliance audit

b. The type of engagement

c. The level of assurance to be provided.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

9. Plan Audit Procedures To Enable Reasonable
Assurance

The purpose of the audit strategy is to document/design the

overall decisions, and may contain the following:
d. Composition and work allocation of the audit team, including any need
for experts, and the dates of quality control.

e. Communication with the auditee and/or those charged with

governance.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

9. Plan Audit Procedures To Enable Reasonable
Assurance

The purpose of the audit strategy is to document/design the

overall decisions, and may contain the following:
f. Reporting responsibilities, as well as to whom and when such
reporting will take place, and in what form.

g. The entities covered by the audit.

h. The materiality assessment.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

COMPLIANCE AUDIT SEMINAR | SESSION NO. XXX
COMPLIANCE AUDIT SEMINAR | SESSION NO. XXX
10. Consider Non-Compliance That May Indicate
Suspected Unlawful Acts

ISSAI 4000.58.

The auditor shall consider the risk of fraud throughout the audit process,
and document the result of the assessment.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

The purpose of the fraud risk assessment is to:

• Identify inherent fraud and corruption risks of the agency;

• Identify and assess the agency’s internal controls in place; and

• Assess residual risks, and to consider possible audit procedures.

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

Fraud Risk Assessment Template

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0

COMPLIANCE AUDIT SEMINAR | SESSION NO. 3.0