Cebu Workshop Material
November 4, 2010
Draft
Agenda
► Course Objectives
► Course Topics
► Course Schedule
► Participants
Course Objectives
Course Topics
Day 1 Day 2 Day 3 Day 4
Phase 2: Agency Planning and Risk Assessment
Course Schedule
8:00 - 8:30
Day 1 to Day 4: Registration
8:30 - 10:00
Day 1: Overview of IRRBAM/ Introduction to Risk Assessment
Day 2: Phase 2 con’t; Case study 1: Significant Agency Risk Identification
Day 3: Phase 2: Con’t; Case Study 3: Audit Risk Assessment
Day 4: Phase 3B - Reporting and Conclusion
10:30 - 12:00
Day 1: Introduction to COSO
Day 2: Case study 1: Discussion and Presentation
Day 3: Introduction to Governance
Day 4: Phase 4: Monitoring
1:00 - 3:00
Day 1: Introduction to Processes; Phase 1: Strategic Planning and Risk Assessment
Day 2: Phase 2: Con’t; Case Study 2: Understanding Flow of Significant Processes
Day 3: Introduction to OPIF
Day 4: Wrap-up/ Open Forum
3:30 - 5:00
Day 1: Phase 2: Agency Planning and Audit Risk Assessment
Day 2: Case study 2: Discussion and Presentation
Day 3: Phase 3A – Execution
Expectations, activities, and ground rules setting
Activities
► Lectures
► Discussions
► Learning exercises
► Case study
► Presentation/Simulation
► Games
Parking lot
Questions?
Thank you!
Integrated Results and Risk-based Audit Workshop
Day 1: Overview of IRRBAM
November 4, 2010
Draft
Outline
► Introduction
► Policy Diagram: Public Sector Audit
► IRRBA framework
► International Standards of Supreme Audit Institutions
► ISSAI and INTOSAI GOV
► IRRBAM tools and templates
► COA audit services and IRRBA framework
► COA audit framework, RBA, and IRRBA framework
► Existing audit guidelines/manuals and IRRBAM
Introduction
► This Integrated Results and Risk-based Audit Manual aims to integrate the different COA audit services, such as Financial and Compliance Audit; Agency-based Value-for-Money Audit; Government-wide and Sectoral Performance Audit; and Fraud Audit, into a common audit approach.
► The IRRBA approach will provide a consistent set of processes to guide the COA Auditors in performing their audit services. The silo approach in the conduct of the audit will be addressed by introducing linkages for each type of audit and its results for a more effective delivery of service.
Introduction
IRRBAM will discuss COA’s fulfillment of its role in the country’s public governance through the delivery of the following audit services:
► Comprehensive Audit
► Financial and Compliance
► Agency-based Performance Audit
► Fraud Audit
Policy Diagram: Public Sector Audit
IRRBA framework
Integrated Results and Risk-based Audit Framework
Planning: Agency Audit Planning and Risk Assessment
Delivery: Execution; Conclusion and Reporting
Monitoring
Note: Procedures for all audit services (Financial and Compliance, Agency-based VFM, Fraud) are integrated in all phases, except for the Execution phase.
IRRBA framework
Conclusion and Reporting
► Summarize Audit Results
► Prepare summary of the results and conclusions of the audit
► Discuss results of different types of audit conducted
IRRBA framework
Monitoring
Integrated Results and Risk-based Audit Framework
Planning: Agency Audit Planning and Risk Assessment
Delivery: Execution; Conclusion and Reporting
Monitoring
Steps shown in the diagram: Prepare Agency Audit Work Plan; Understand the Agency; Identify Significant Agency Risks; Understand the Process; Conduct Audit Risk Assessment; Develop Audit Plan; Design Audit Tests; Execute Audit Tests; Evaluate Audit Results; Summarize Audit Results; Prepare Audit Report; Perform Overall Audit Review; Wrap-up and archive the engagement; Communicate Audit Results; Follow-up Agency Action Plan
International Standards of Supreme
Audit Institutions (ISSAI)
Planning Delivery
Agency Audit Planning and Execution Conclusion and
Risk Assessment Reporting
• ISSAI 1230
• ISSAI 1230 • ISSAI 1330
• ISSAI 1265* • ISSAI 400
• ISSAI 1450 • ISSAI 1220
• ISSAI 1300 • ISSAI 1500*
• ISSAI 1315 • ISSAI 1230
• ISSAI 1505* • ISSAI 1700*
• ISSAI 1320* • ISSAI 1520*
• ISSAI 1330 • ISSAI 1530*
• ISSAI 1520* • ISSAI 1540*
Monitoring
• ISSAI 1000 •ISSAI 3000 •ISSAI 4100 •ISSAI 40*
• ISSAI 1220 • ISSAI 3100 • ISSAI 4200
* Endorsement version
ISSAI and INTOSAI GOV
IRRBAM tools and templates
Strategic Planning and Risk Identification
Delivery
Execution
► Audit Work Program
► Audit Observation Memorandum
Monitoring
► None
COA audit services and IRRBA framework
[Diagram: Financial, Compliance, VFM, Fraud and GWSPA shown against the IRRBA framework (Planning: Agency Audit Planning and Risk Assessment; Delivery: Execution; Conclusion and Reporting); numbered markers 2 and 3 also appear on the diagram]
Notes:
1 Strategic Planning and Risk Identification is the integration point wherein the five COA audit services are considered.
Comprehensive auditing is discussed in Phases 1 and 2.
Although Fraud is given consideration, the full-length discussion is in the Fraud Audit Manual.
COA audit framework, RBA, and IRRBA framework
RBA framework:
PRE-PLANNING: ASSESS AUDIT ASSIGNMENT RISK
PLANNING: ASSESS AGENCY RISK MANAGEMENT STRATEGIES AND CONTROLS
EXECUTION: MANAGE RESIDUAL AUDIT RISK
REPORTING AND MONITORING: COMMUNICATE AUDIT RESULTS
IRRBA framework:
Planning: Agency Audit Planning and Risk Assessment
Delivery: Execution; Conclusion and Reporting
Monitoring
Note: As illustrated, all phases of RBA framework are aligned with the IRRBA framework.
Existing audit guidelines/manuals and IRRBAM
Note:
► The existing manuals will be used as references in the Execution phase of IRRBAM.
► Fraud audit manual will be used by the Audit sectors in performing fraud audit.
► GWSPA manual is used by Special Audits Office in performing GWSPA.
[Diagram: existing manuals and audit areas shown against the IRRBA framework phases (Strategic Planning and Risk Identification; Agency Audit Planning and Risk Assessment; Execution; Conclusion and Reporting; Monitoring). Manuals shown: RBAM 2009; 1982 Guidelines on Comprehensive Auditing; Procurement Guideline; Fraud Audit Manual; GWSPA Manual. Audit areas shown: Financial and Compliance; Financial; Compliance; VFM; Fraud; GWSPA.]
Questions?
Thank you!
Integrated Results and Risk-based Audit Workshop
Day 1: Introduction to Risk Assessment
November 4, 2010
Draft
IRRBA framework
Planning: Agency Audit Planning and Risk Assessment
Delivery: Execution; Conclusion and Reporting
Monitoring
Introduction to risk
What is RISK?
Attributes of risks
► Could be existing
► Can arise from the external environment, from internal processes and from the lack of information for decision making
Risk categories
► Strategic
► arises when forces in the environment could significantly ‘change the fundamentals’ that drive the agency’s overall social and/or operating objectives and strategies and, in the extreme, result in failure of the agency’s operations
► Operations
► risks that operations are inefficient and ineffective in executing the agency’s model, satisfying the public, and achieving the agency’s quality, cost, and time performance objectives
► Compliance
► noncompliance with prescribed policies and procedures or laws and regulations resulting in lower quality, higher execution costs, lost revenues, unnecessary delays, penalties, fines, etc.
► Financial
► risk that cash flows and financial risks are not managed cost-effectively to (a) maximize cash availability; (b) reduce uncertainty of currency, interest rate, and other financial risks; or (c) move cash funds quickly and without loss of value to wherever they are needed most. It also includes risks that government agencies face when misleading financial information becomes the basis for decision making by the governing management (affecting processes, systems and people)
Risk Assessment
Levels of Risk Assessment
Define key agency risks
Risk assessment efforts should focus on the issues with the greatest potential to impact objectives
Risk Model Categories Key considerations for management
Illustration: Linking of objectives and risks to processes
Objectives and Initiatives (in the order shown; two labels survive only as fragments): Improve revenue collection; Improve fiscal position; Create opportunities for; school facilities; Provide quality basic education; Allocate resources to improve the educational system; Revisit health care policies; Strengthen health care; Intensify health care promotions and programs
Link To Risks
Inherent Key Risks
Strategic: Planning & resource allocation; Major Initiatives & programs; Capital/fund availability; Communication & investor relations
(group heading not recovered): Compensation and benefits; Information Technology; Physical Assets/Facilities
Financial/Reporting: Accounting and reporting; Investment evaluation; Cash management; Funding
Compliance: Labor; Code of Conduct; Health and safety; Anti-corruption
Processes: Revenue; Fixed Asset; Budget; Human Resources
Risk Assessment Process
Risk Assessment
• Identify risks
• Prioritize risks
➔ In identifying risks, consider relevant information gathered from the overall understanding of the Agency and its Control Environment
The Risk Model
Sample Government Risk Model
Strategic
Planning and resource allocation: Organizational structure; Strategic planning; Operational planning; Budgeting; Forecasting; Resource allocation; Capital/fund availability; Operational model; Operational portfolio; Outsourcing
Major initiatives: Vision and direction; Planning and execution; Measurement and monitoring; Technology implementation; Project evaluation; Change readiness; Climate change and sustainability initiatives; Education; Healthcare services delivery; Energy and water management (supply/distribution)
Operations
Public service and operations: Customer/public satisfaction; Channel effectiveness; Cycle time; Service failure; Efficiency; Capacity; Performance measure/gap; Partnering/contracting; Citizen relationship management system and organization; Corruption and fraud
People: Culture; Recruiting and retention; Development and performance; Succession planning; Knowledge capital; Compensation and benefits; Performance incentives; Health and safety
Information technology: Information management; Security/access; Availability/continuity; Integrity; Infrastructure
Compliance
Mandate: Functions
Governance: Board performance/Agency Management Committee; Tone at the top; Authority/limit; Control environment; Corporate social responsibility; Reputation
Code of conduct: Ethics; Fraud; Employee/third party fraud; Illegal acts; Management fraud; Unauthorized use
Legal: Contract; Liability; Intellectual property; Anticorruption; Legal
Financial
Market: Interest rate; Foreign currency; Commodity; Financial instrument; Public policies; Debt and fiscal policy
Liquidity and credit: Cash management; Opportunity cost; Funding; Hedging; Credit and collections; Insurance; Foreign assisted loan
Accounting and reporting: Accounting, reporting and disclosure; Internal control; Investment evaluation; Tax strategy and planning
The Risk Model
Strategic Operations Compliance Financial
Common risk language
Steps to develop a common risk language
► Conduct risk interviews and surveys
► Analyze results of surveys and workshops
► Develop Risk Definitions/Risk Dictionary
How do you define risks?
* In developing risk definitions, avoid using words that are already mentioned in the risk.
What makes a good risk definition?
► Easily understood
► Limited to one specific issue, otherwise consider the other issues as a separate agency risk
► Limit the customized agency risk definition (e.g., two sentences and not more than 30 words)
✔ REGULATORY RISK
Changing regulations may result in increased pressures and significantly affect the agency’s ability to efficiently execute its mandate.
✘ REGULATORY RISK
The risk that regulations can affect the agency’s operations.
Risk Assessment Process
Risk Assessment
Risk Prioritization
Risk Assessment Criteria Matrix - Impact
Rating scale: High 7-9; Moderate 4-6; Low 1-3

Risk Factor: Financial
High 7-9
• Adverse impact on actual revenues resulted to collection less by 7.5% of targeted collection (2008 target is Php254 billion)
• External audit qualification on the report and accounts
Moderate 4-6
• Impact on actual revenues resulted to collection less by 5 % of targeted collection
• External audit management letter contains significant issues
Low 1-3
• Impact on actual revenues resulted to collection less by 1% of targeted collection
• External audit raises some isolated findings

Risk Factor: Operations
High 7-9
• Significant number of backlogs in the release of imported/exported items (trade facilitation).
• Significant compromise of personnel safety
• Significant number of personnel and customers suspected of illegal activities.
• Instances where anti-social goods, smuggled items, prohibited substances and other items (anti-dumping), etc. are not detected by majority of BOC districts and circulated in the market.
• Significant increase in customer complaints against employees, service, etc.
• System enhancement or implemented without major functionality
• Loss of systems leading to severe or on-going business disruption (over 1 day)
• Management information used in key decision making is inaccurate
Moderate 4-6
• Moderate number of backlogs in the release of imported/exported items (trade facilitation).
• Minor compromise of personnel safety
• Moderate number of personnel and customers suspected of illegal activities.
• Instances where anti-social goods, smuggled items, prohibited substances and other items (anti-dumping), etc. are not detected by some BOC districts and circulated in the market.
• Minor increase in customer complaints against employees, service, etc.
• System enhancement or implemented without some functionality
• Loss or disruption to systems leading to significant business disruption (up to 1 day)
• Management information used for reporting is inaccurate
Low 1-3
• Fewer cases of backlogs in the release of imported/exported items (trade facilitation).
• Smaller number of personnel and customers suspected of illegal activities.
• Instances where anti-social goods, smuggled items, prohibited substances and other items (anti-dumping), etc. are not detected by responsible office in a district and circulated in the market.
• Isolated cases of customer complaints against employee, service, etc.
• Minor delays in implementation of new/enhanced systems
• Loss to systems leading to business disruption (up to 1 hour)
• Delays in availability of general management information

Risk Factor: Compliance
High 7-9
• Serious failure to comply with legal or regulatory requirements
• Instances of bad publicity/ reputation damaged to an international and national audience that will compromise the integrity of the BOC and its employees.
Moderate 4-6
• Failure to comply with legal or regulatory requirements in some instances
• Instances of bad publicity/ reputation damaged to a district audience that will compromise the integrity of the BOC and its employees.
Low 1-3
• Failure to comply with legal or regulatory requirements in non-serious and isolated cases
• Instances of bad publicity/ reputation damaged to a particular office/division.
Risk Assessment Criteria Matrix - Likelihood
Likelihood
• Already happening (e.g., based on experience, media perception, cases filed)
• May happen during the year
• May happen within two years
• Unlikely to happen
How to interpret the risk map
Sample Risk Map
[Risk map plot. Axis label: Likelihood; axis tick values 6.3 to 8.3. Risks plotted: Service Failure; Regulatory; Public Satisfaction; Disruption in Operations; Currency (Price); Availability; Human Resource; Technological Innovation; Efficiency; Public Wants; Performance Gap; Cycle Time; Partnering]
Combined Risk Assessment Criteria
IMPACT
High: M, H, H
Moderate: L, M, H
Low: L, L, M
Forms of Risk Assessment
► Interviews
► Questionnaires
► On-line, interactive questionnaires
► Facilitated meetings
► Facilitated meetings, with voting technology
Questions?
Thank you!
Integrated Results and Risk-based Audit Workshop
Day 1: Introduction to COSO
November 4, 2010
Draft
What is COSO?
► INTOSAI implemented the COSO model in the “INTOSAI: Guidelines for Internal
Control Standards for the Public Sector”
► It aims not only at updating the concept of internal control, but also attempts to
contribute to a common understanding of internal control among Supreme Audit
Institutions (SAI).
What is NGICS?
► NGICS contains the fundamental principles, policies and general standards that will
guide each government agency in developing its detailed and comprehensive system of
internal controls. Agency characteristics such as mandate, functions, nature of
activities, operating environment, manpower profile, size and organizational structure
will have to be considered in developing or improving the individual controls.
► The guideline provides an Internal Control Framework adapted from the INTOSAI:
Guidelines for Internal Control Standards for the Public Sector. It comprises five
interrelated internal control components, namely: 1) control environment; 2) risk
assessment; 3) control activities; 4) information and communication; 5) monitoring.
► The NGICS will serve as a guide to the heads of departments and agencies in
designing, installing, implementing and monitoring their respective internal control
system taking into consideration the requirements of their organization and operations.
Definition of internal control
Redefine the control focus
► Only “hard” tangible controls are evaluated
► Both “hard” tangible and “soft” intangible controls are evaluated
COSO Internal Control Framework
[COSO cube diagram. Components shown: Control environment; Risk Assessment; Control Activities; Monitoring. Levels shown: Entity; Organization; Department]
1. Control Environment
2. Risk Assessment
3. Control Activities
Control Environment
► Commitment to competence
Risk Assessment
Identify, Analyze, Manage
Entity and process level risks
Control Activities
Information and Communication
Capturing and exchanging information needed to conduct, manage, and control the Agency’s operations
Monitoring
► Separate evaluations
► Reporting deficiencies
COSO and IRRBA framework
[Diagram relating the COSO framework to the IRRBA framework phases]
Note: COSO is discussed in the Agency Planning and Audit Risk Assessment Phase under Understanding Agency-level Controls.
Role of COA in the Agency’s Internal Control System
Questions?
Thank you!
Integrated Results and Risk-based Audit Workshop
Day 1: Introduction to Processes
November 4, 2010
Draft
IRRBA framework
Planning: Agency Audit Planning and Risk Assessment (Understand the process)
Delivery: Execution; Conclusion and Reporting
Monitoring
Understand the process
Objectives of understanding the process
Key steps in understanding the process
Gather process information
Interview the process owner
Create or update the process map
Steps: Gather Process Information; Interview the Process Owner; Create or Update Process Map
Tasks (not all-inclusive)
1. Select the appropriate process mapping tool
2. Create a first draft of the process map
3. Identify the control points in the process
4. Be alert for process inefficiencies that could be the subject of recommendations
5. Validate the process map with the process owner
6. Finalize the process map
7. Document any preliminary gaps identified at this point
What is a Process?
S I P O C
Questions to ask in creating a SIPOC
S ► Who is the supplier of each input?
I ► What inputs are required to enable the process to occur?
P ► What is the process that produces the output? ► When does the process start and finish?
O ► What are the outputs from the process (for each customer segment)?
C ► Who are the customers of the process?
Standard process mapping symbols
[Symbol charts; surviving labels: 1, A, Yes, Database, Tape Storage]
Tools
► Basic Tools
► PowerPoint, Excel, MS Visio
Comprehensive Audit: Context Diagram
[Context diagram. Labels shown: AGENCY; INTER-AGENCY; Agency-based Value For Money Audit (Economy, Efficiency, Effectiveness); Sectoral Performance Audit (GWSPA); ELEMENTS; GAA (Personnel, MOOE, CO); Revenue; Procurement; Budget; Fixed Asset; IRA; Programs; Activities; Projects; MFO; KPI; Budget; Organizational/Sector Outcome; Sector Goals; Societal Goals]
The diagram shows how COA’s audit services are linked into different audit services as well as to the country’s Public Expenditure Management reform, the Organizational Indicator Framework (OPIF). It shows the focus of the different audit services provided by COA by differentiating the elements of an agency’s process. Each element is interrelated and plays a significant role in an agency and the government as a whole.
IRRBA framework
[Diagram; some label text is run together in the source. Significant Operating Process: Plan to Budget; Procure to Pay; Order/Contract to Cash; Record to Report; Facility Management; Supplies/Inventory Management; Performance Management Process; Market to Customer/Public. SIGNIFICANT INFORMATION PROCESSES: Capture transactions, events and facts; changes from operations; Data input; Data Conversion and transfer/processing; Outputs and journal entries. Other labels: AGENCY REALITY; Identify Agency improvement opportunities; Processes and application systems]
Understand the Process
RBAM IRRBAM
Agency Information Framework (AIF) Understand the Process
Process Mapping
Procurement (operations)
Questions?
Thank you!
Integrated Results and Risk-based Audit Workshop
Day 1: Strategic Planning and Risk Identification
November 4, 2010
Draft
IRRBA framework
Planning: Agency Audit Planning and Risk Assessment
Delivery: Execution; Conclusion and Reporting
Monitoring
Phase 1: Strategic Planning and Risk Identification
[Diagram labels: COA as an Auditor; COA as an Agency; Cluster/Regional Operation Plan (COP/ROP); GRIT; Planning; Agency Audit Planning and Risk Assessment]
Government Risk Identification
The objectives of this activity are as follows:
► To obtain high-level inputs from COA directors assigned in the audit of agencies
representing the three audit sectors and regions, and auditors performing
Government-wide and Sectoral Performance Audit (GWSPA) and Fraud Audit
► To have a common language of risk
► To have a unified thrust in government auditing
This activity will be conducted annually, supervised by the Assistant Commissioners and
attended by directors from the following sectors/offices:
Government Risk Identification
► COA direction
► Sector Strategic Action Plan
► SONA
► MTPDP/MTPIP
► Government Risk Model
► Sector risks
► Media releases and media reporting
► Fraud and geographic risks
► Government-wide and sectoral programs and activities
► Knowledge of the auditors
Government Risk Identification
Strategic
Planning and resource allocation: Organizational structure; Strategic planning; Operational planning; Budgeting; Forecasting; Resource allocation; Capital/fund availability; Operational model; Operational portfolio; Outsourcing
Major initiatives: Vision and direction; Planning and execution; Measurement and monitoring; Technology implementation; Project evaluation; Change readiness; Climate change and sustainability initiatives; Education; Healthcare services delivery; Energy and water management (supply/distribution)
Environment dynamics: Economic changes; Financial market; Sovereign/political; Customer/public wants; Technological innovation; Environment scan; Agency environment/industry; Sensitivity
Market dynamics: Macroeconomic factors; Lifestyle trends; Sociopolitical; Technology changes
Operations
Public service and operations: Customer/public satisfaction; Channel effectiveness; Cycle time; Service failure; Efficiency; Capacity; Performance measure/gap; Partnering/contracting; Citizen relationship management system and organization; Corruption and fraud
People: Culture; Recruiting and retention; Development and performance; Succession planning; Knowledge capital; Compensation and benefits; Performance incentives; Health and safety
Information technology: Information management; Security/access; Availability/continuity; Integrity; Infrastructure
Hazards: Natural events; Terror and malicious acts
Physical assets: Real estate; Property, plant and facilities; Maintenance and performance; Inventory
Compliance
Mandate: Functions
Governance: Board performance/Agency Management Committee; Tone at the top; Authority/limit; Control environment; Corporate social responsibility; Reputation
Code of conduct: Ethics; Fraud; Employee/third party fraud; Illegal acts; Management fraud; Unauthorized use
Legal: Contract; Liability; Intellectual property; Anticorruption; Legal
Regulatory: Trade; Customs; Procurement; Road-right of way (RROW) Acquisition; Labor; Securities; Environment; Data protection and privacy; International; Product/service quality; Health and safety; Competitive practice/antitrust
Financial
Market: Interest rate; Foreign currency; Commodity; Financial instrument; Public policies; Debt and fiscal policy
Liquidity and credit: Cash management; Opportunity cost; Funding; Hedging; Credit and collections; Insurance; Foreign assisted loan
Accounting and reporting: Accounting, reporting and disclosure; Internal control; Investment evaluation; Tax strategy and planning
Capital structure: Debt; Equity; Pension funds
Tool 1 – GRM documents all the identified government risks and their corresponding definitions.
EY 2010 - Government and public sector risks
Government Risk Identification
Government Risk Identification Process Flow
[Process flow diagram; some labels survive only as fragments. Labels shown: COA; Fraud and; SONA, MTPDP and MTPIP; Media releases and reporting; GRM; Industry/sector risks; Department of Public Works and Highways; City Government of Navotas; Hunger mitigation program; Health sector development project]
Government Risk Identification Matrix
Sample Government Risk Identification Template
GOVERNMENT RISK IDENTIFICATION TEMPLATE
For the year 20XX
[Sample row; column headings not recovered. Cells in the order shown:]
▪ Improve Fiscal Position - Create opportunities for private sector investment
▪ Strategic
▪ Vision and Direction
▪ Failure to establish a vision and direction for major initiatives, including services, products and programs that will drive future growth. Failure to establish project acceptance criteria and adequately measure against the criteria.
▪ Included in SONA 2010
▪ Department of Trade and Industry: Industry Development and Investment Promotion, Generation and Facilitation Services
▪ National Economic and Development Authority: Investment Programming Services
COA-wide Audit Risk Assessment
► GRI Template
► Minutes of the GRI activity
► Participants of GRI
Linkage of COA’s strategic planning process with IRRBAM
The outputs of the Annual Planning Conference will be the basis for the Sectors in developing their Sector Strategic Action Plans. Likewise, the IRRBAM will focus on the audit-specific plans provided during the Annual Planning Conference and the Sector Strategic Planning. This will serve as their direction in the conduct of the risk identification.
Policy and standard
Policy/Standard: Description
ISSAI 100: Basic principles in Government Auditing
ISSAI 200: General standards in government auditing and standards with ethical significance
ISSAI 300: Field standards in government auditing
ISSAI 1300: Financial audit guideline – Planning an audit of financial statements
INTOSAI GOV 9130: Guidelines for internal control standards for the public sector – Further information on Entity Risk Management
ISO/FDIS 31000:2009: Risk management – Principles and guidelines
COA Memorandum No. 79-205, July 6, 1979: Reiteration of unnumbered COA Memorandum dated May 8, 1978 re: Alignment/Coordination of all Projects/Programs of COA offices/Committees by the Planning, Financial & Management Office
COA Memorandum No. 95-051: Preparation of a Consolidated Annual Report (CAAR) by Region and by Department
COA Resolution No. 2008-012: 2008 COA Organization Restructuring
COA Memorandum No. 2009-028: Implementing guidelines on audit operations under the 2008 COA organizational restructuring
Summary
Procedure: Government Risk Identification (GRI)
► Sub-procedure: Develop/update the GRM. Reference Manual: IRRBAM. Tools/Templates: Tool 1 – Government Risk Model (GRM). Output: Tool 1 – GRM
► Sub-procedure: Identify government risks. Reference Manual: IRRBAM. Tools/Templates: Tool 2 – GRI Template. Output: Tool 2 – GRI Template
Questions?
Thank you!
Integrated Results and Risk-based Audit Training
Day 1: Agency Audit Planning and Risk Assessment
November 4, 2010
Draft
Learning Objectives
► Describe the importance of audit planning
► Define the components of our Understanding of the Agency and complete the related documentation in IRRBAM
► Document and evaluate flow of significant processes, risk scenarios and related controls
► Define the factors for assessing audit risk in the conduct of financial, compliance and performance audits
► Identify factors to be considered in preparing our audit strategy
► Familiarize with the Forms and Templates for Agency Planning and Audit Risk Assessment
IRRBA framework
Integrated Results and Risk-based Audit Framework
Planning: Agency Audit Planning and Risk Assessment
Delivery: Execution; Conclusion and Reporting
Monitoring
Note: Procedures for all audit services (Financial and Compliance, Agency-based VFM, Fraud) are integrated in all phases, except for the Execution phase.
Understanding the Agency
Understand Agency-Level Controls
5 Components of Internal Control:
1. Control Environment
2. Risk Assessment
3. Monitoring
4. Information and Communication
5. Control Activities
Understand Agency-Level Controls
Documentation: Agency-Level Controls Checklist
Update Agency Risk Model
► The Agency Risk Model (ARM) is similar to the Government Risk Model (GRM), except that the former is Agency-specific while the latter is a generic Risk Model for the whole government.
► The ARM shall be customized per Agency by obtaining information from the UTA template and through inputs of head office and regional auditors.
Identify Significant Agency Risks
► Based on the data gathered from the Understanding the Agency and ALC and the results from the GRIT, we discuss with the engagement team our identified Agency Risks and select significant ones as focus areas in our audit.
Prioritize Significant Agency Risk
► After all the risks of an agency have been identified, the agency auditors shall prioritize those risks which are significant based on the risk rating provided.
► The significant agency risks identified will be summarized in the summary portion of the Significant Agency Risk Identification (SAgRI) Matrix.
► The risks identified as significant will be the audit team’s priority for their audit focus areas. The significant agency processes affected by the significant agency risks will be the focus of the Understanding of flow of significant processes in the next step.
Prepare Significant Agency Risk Identification Matrix
► In coordination with the regional supervising auditors, we shall prepare a Significant Agency Risk Identification (SAgRI) Matrix for the Agency as a whole.
Significant Agency Risk Identification Matrix
Case Study
Understand the Process
Steps:
Understand Flow of Significant Processes
► Identify Critical Path of Significant Processes
► Identify Process Risks
Case Study
Planning Materiality
Assess Audit Risk: Financial and Compliance
Step 1: Assess Inherent Risk
[Figure: Inherent Risk scale running from Lower to Higher]
► We consider the information we gathered in our Understanding the Agency, Understanding of Agency-Level Controls and Understanding of Flow of Significant Processes and use our professional judgment in making our inherent risk assessment for each relevant assertion.
► Factors that may affect our inherent risk assessment are as follows:
- Susceptibility to material misstatement
- Size and composition
- Variations from expected amounts
- Effects of external factors
- Competence and experience of agency personnel
- Degree of subjectivity
- Completion of unusual/complex transactions at or near period-end
- Transactions not subjected to routine processing
Step 2: Assess Preliminary Control Risk
[Figure: Preliminary Control Risk]
Our preliminary assessment of control risk is based on the following:
Step 3: Make overall financial and compliance risk assessment
Assess Audit Risk: Performance
For performance audit, we select from the agency’s PAPs by considering the following selection factors:
- Financial Materiality
- Impact
- Risk to good management
- Significance
- Visibility
- Auditability
- Previous Audit Coverage
Determine Audit Scope and Timing
Our audit scope defines the boundaries and limitations of our audit. We document our audit scope based on the results of our risk assessment.
In determining the timing of our audit tests (tests of controls and details), we shall consider COA auditor’s other responsibilities such as, but not limited to:
Prepare Audit Planning Memorandum
At a minimum, our Audit Planning Memorandum contains the following:
► Our audit focus areas with regard to Financial and Compliance, and Performance Audits and our planned audit approach (nature and extent of audit procedures) including timing.
Financial and Compliance
Performance
Prepare Audit Strategy
Course Summary
► Describe the importance of audit planning
► Define the components of our Understanding of the Agency and complete the related documentation in IRRBAM
► Document and evaluate flow of significant processes, risk scenarios and related controls
► Define the factors for assessing audit risk in the conduct of financial, compliance and performance audits
► Identify factors to be considered in preparing our audit strategy
► Become familiar with the Forms and Templates for Agency Planning and Audit Risk Assessment
Questions?
Thank you!
[Figure: planning flowchart. Phase 1: Govt-wide Strategic Planning (GRIM). Phase 2: UTA and ALC; Identify Significant Processes/Program; Process-level Understanding (Understand Flow of Significant Process/Program, PRC); Planning Materiality; Identify Significant Accounts; Audit Risk Assessment.]
November 8, 2010
Outline
► Trends in auditing
► Public sector governance
► Governance principles vital to the public sector
► Role of government auditing in advancing good governance
► Oversight, insight and foresight
► Key elements of governance-friendly public sector audit
Conventional wisdom
Coercive powers
Constraints on power
Accountability
Predictability
Transparency
Probity
Equity
Principal-agent problem
Oversight
Oversight: Detection
Oversight: Deterrence
► Khan (2006):
► If auditors cannot quantify corruption or report the actual event of corruption, they can indicate the existence of opportunities for corruption, which in turn can become basis for corrective, forestalling action by government.
► For instance, the discretionary powers of public functionaries often induce occasions for rent-seeking. The key for auditors is to insist on public disclosure of guidelines for the use of discretion or personal judgment in decision-making.
► Khan (2006):
► If the auditors are auditing procurement, they should map out the total procurement cycle and then try to see, theoretically, what could be the chances for sleaze that is opened up by the agency’s rules and procedures.
► Khan (2006):
► A list of such possibilities constitutes an inventory of corruption opportunities—giving the auditors a framework for further focus during the audit process. The method of building this list is to look for certain indicators of corruption.
► Once the auditors have the inventory, they should apply a corruption opportunity test, to determine if the actual circumstances prevailing in the organization are conducive to corruption and if so, to what extent.
► Khan (2006):
► New auditing methodologies may also help. Participatory auditing is one option—the possibility of involving the clients or general public in ascertaining if there was a proper delivery of the public services.
► This is a major departure from the traditional approach where the auditors are not supposed to go “beyond the books”. The auditors may come across independent assessments by the users, who can lift the veil on any dishonesty that may have gone into the whole process.
► Khan (2006):
► Corruption indicated by lack of effectiveness
► Absence of well-articulated, measurable or quantified performance indicators.
► Actual internal rate of return (IRR) significantly lower than anticipated.
► High level of dissatisfaction of clients with the delivery of services.
► Bureaucratic barriers to reach the senior management for protesting against poor quality of service; no reliable complaint handling mechanism.
Insight
Foresight
Organizational independence
External reporting
Parting shot
Questions?
Thank you!
Starting point: the right scope
OPIF as ‘compass’
Links with OPIF: a preview
The drivers
Emphasis on risk-based planning
Outcome orientation: twinning of performance audit and OPIF
► In the past, many audits were driven by control and process concerns rather than added-value considerations in assessing public sector performance.
► The current trend is toward a more outcome-based audit. The need of government to achieve more concrete results in societal goals such as poverty reduction, full employment and education for all has, in recent years, been shifting the emphasis of public sector audit toward results.
Not ‘by the book’
The challenge: policy-linked audit
Caveats
No second-guessing
► OPIF provides a good platform for auditors not to second-guess the strategic intentions of government, when government selects a certain policy direction.
► Departments and agencies are now required to define results commitments in their corporate plans and to report goals and actual performance annually. These provide excellent points of reference for results-oriented auditing.
► The corporate plan details the operating environment, business conditions and planned process improvements for delivering MFOs and sub-outputs.
Role of DBM
Crossover between OPIF and audit
E3
A striking similarity
Audits of efficiency, economy
► Audits of economy:
- Do the means chosen or the equipment obtained—the inputs—represent the most economical use of public funds, consistent with the quality needs of the program?
- Have the human, financial or material resources been used cost-effectively?
- Are the management activities performed in accordance with sound administrative principles, contract requirements, acceptable standards, and good management policies? In short, has the agency kept the costs low?
► Audits of efficiency:
- Have agency resources been put to optimal or suitable use?
- Could identical results in terms of quality and turn-around time have been achieved with fewer resources?
► Auditors examine productivity, unit cost, or indicators such as utilization rates, backlogs, or service wait times.
- In short, has the agency made the most of available resources?
OPIF approach to efficiency
Audits of effectiveness
How audit perspectives enter into an effectiveness model:
OPIF approach to effectiveness
Identical results-based approach
Crossing agency lines
Understanding the agency
First-round knowledge
Environmental scan
Other inputs
How OPIF aids in understanding the agency
► First it is necessary to check whether the OPIF logical framework will match up with an agency program structure—otherwise known as a program accountability model.
[Figure: OPIF hierarchy showing a Societal Goal box and two Sectoral Goals boxes]
Same building blocks
OPIF Logical Framework elements, each followed by the Program Accountability model element shown beside it:
► OPIF: Societal goal – describes the intended desirable impacts of the department/agency’s goods and services on the country, the environment or the economy. As end-points to be aimed for, they represent the high-level vision the Government has for the country.
- Program Accountability model: Impacts, or effects – refer to all the consequences of the program, whether intended or unintended
► OPIF: Sectoral goals – the longer-term benefits for the sector from organizational changes.
► OPIF: Organizational outcomes – benefits to the community that result from the department/agency’s provision of goods or services
- Program Accountability model: Outcomes – intended consequences of producing or delivering the goods or services; ranked from the immediate to the ultimate
► OPIF: Major final outputs – the products (goods and services) the department/agency delivers to external clients.
- Program Accountability model: Outputs – refer to the products or services produced or delivered by the program
► OPIF: PAPS – programs, activities and projects that are necessary undertakings pursued by departments/agencies to be able to deliver the goods, products or services.
- Program Accountability model: Activities – a collection of activities directed to achieving the program’s objectives.
Audit: looking for logical links
OPIF: links in the chain
Major final outputs
► The key level for OPIF is the MFO level. MFOs are tangible and can be more easily quantified as compared to outcomes and goals.
- Each of the other levels can be defined in relation to MFOs: activities are “how” MFOs are produced; outcomes and higher-level goals are the reason or “why” MFOs are produced; and for the MFOs themselves, there is a need to know “what” is produced and for “whom.”
► Measuring the marginal contribution that an MFO makes toward reducing poverty incidence and improving quality of life is a critical element of strategic budgeting and the development of the MTPDP.
Department of Agrarian Reform: a well-formulated OPIF logframe
How OPIF assists performance audit: recap
A helpful chart for auditors
► The following chart pinpoints the agency’s extent of control and accountability over each activity/output level.
Defining MFOs
Examples of MFOs
► DOF –
- fiscal policies (domestic and international), plans and programs;
- cash and debt management services;
- anti-corruption in public finance management, anti-smuggling and tax evasion activities and exercise of regulatory power;
- policies, plans and programs for domestic financial and capital market development;
- policies, plans and programs for public sector debt management as well as risk management;
- policy oversight on LGUs’ financial operations;
- administration of locally-sourced and ODA Funds for LGUs.
► DOH –
- health, nutrition and population policy/program development;
- capability building services for LGUs and other stakeholders;
- leveraging services for priority health programs;
- regulatory services for health products, devices, equipment and facilities;
- tertiary and other specialized health care.
► DOT –
- tourism promotional services;
- tourism development planning services;
- standards for tourism facilities and services;
- development, restoration and maintenance services;
- regulatory services.
- The background knowledge that the auditors accumulate provides the basis for describing the agency that is the subject of audit, enabling them to make initial scoping decisions and defining lines of inquiry, such as those shown in the following figure. This knowledge includes an understanding of the character of the government agency being audited (role and function, activities and processes in general, development trends), legislation and general programs and performance goals, organizational structure and accountability relationships, internal and external environment and the stakeholders, external constraints affecting program delivery, and management processes and resources.
Defining lines of inquiry
[Figure: lines of inquiry diagram. Labels: Societal Goal, Congress, Sectoral Goals, Organizational Outcomes, PAPS.]
OPIF limitations
A word about risk management
Can OPIF minimize risk?
Recap: OPIF added-value to performance audit
The right attitude for government agencies
Integrated Results and Risk-based Audit Training
Day 3: Execution
November 8, 2010
Learning Objectives
IRRBA framework
[Figure: Integrated Results and Risk-based Audit Framework. Planning: Agency Planning and Audit Risk Assessment. Delivery: Execution; Conclusion and Reporting. Monitoring.]
Outline
Design Tests of Controls
Nature
The nature of procedures we may use to obtain audit evidence when testing controls includes the following:
• Inquiry
• Observation
• Inspection
• Recalculation
• Reperformance
Note: It is not sufficient to rely on inquiries alone because the audit evidence obtained may not be reliable. We design our tests of controls to include other procedures in combination with inquiry to obtain audit evidence about the operating effectiveness of the controls.
Exercise
Nature of Procedures:
• Inquiry
• Inspection
• Recalculation
• Reperformance
Exercise
Nature of Procedures:
• Inquiry
• Observation
• Reperformance
Timing
Design Tests of Details
Nature
• We customize the tests of details for significant accounts in accordance with our audit strategy outlined in our Audit Planning Memorandum
Extent
• Minimal or Low – Less extensive tests of details
• Moderate or High – More extensive tests of details
Timing
• Timing of our tests of details depends on the results of the risk assessment conducted in Phase 2
• We may design the timing at interim dates.
Rollforward Considerations
Execute Tests of Details
Accounting Estimates
External Confirmations
Evaluate Results of Audit Tests
Discuss Results with Agency Management
Questions?
Thank you!
[Figure: Financial Audit Execution flowchart. Labels: Phase 2 Risk Assessment; Yes; No; Conclude on operating effectiveness; Phase 3; Reassess; Recommend Improvements.]
Integrated Results and Risk-based Audit Workshop
Day 4: Delivery – Conclusion and Reporting
November 9, 2010
IRRBA framework
[Figure: IRRBA framework. Strategic Planning and Risk Identification. Planning: Agency Planning and Audit Risk Assessment. Delivery: Execution; Conclusion and Reporting. Monitoring.]
Conclusion and Reporting
► Summarize Audit Results
► Prepare summary of the results and conclusions of the audit
► Discuss results of different types of audit conducted
Phase 3b: Delivery – Conclusion and Reporting
► Issue report
Summarize audit results
Accumulated results of financial, compliance, and VFM audits are summarized at the end of the audit. Significant findings, issues and observations, including misstatements, are summarized and discussed with the agency. The conclusion for each misstatement, finding, issue, and observation is documented. This serves as the basis for formulating the audit opinion in the audit report.
The agency may have been subjected not only to comprehensive audit but also to other types of audit such as fraud audit and GWSPA. In this case, the audit team, together with the Cluster Director (CD), shall discuss with the counterpart audit team the results or status of the audit, if ongoing, for disclosure or inclusion in the AAR.
Audit Summary and Conclusion
Prepare audit reports
Annual Audit Report
In reporting the results of audit, the auditors prepare the following audit reports:
► Annual Audit Report (AAR) for the year-end financial audit of agencies with complete books of accounts and listed in the General Appropriations Act; and
► Management Letter (ML) for the year-end financial audit of the regional offices and operating units with and without complete books of accounts. The ML shall also be issued at the conclusion of an interim audit, if warranted.
The format of the ML is presented on the next slide. The template is lifted from the RBAM.
Management Letter
Prepare audit reports
This portion presents the discussion of the observations noted by the auditor and his recommendations. The agency’s explanation or reply to the observations shall also be presented as well as the auditor’s rejoinder, as necessary or appropriate.
The gist of the significant findings, observations, and recommendations in the VFM audit conducted shall also be included in this section, indicating that a separate report on the VFM audit is available in more detail.
Other types of audit (i.e., fraud audit and GWSPA) conducted that have or may have significant impact on the financial statements or on the conclusions of the audit shall be mentioned in this section.
As stated in COA Resolution 2006-002, auditors shall only include the gist of significant findings, observations and recommendations of the audit in the AAR under the Observations and Recommendations section.
Perform final overall review for report issuance
Perform overall review and approval
► Prior to the issuance of audit reports, the Supervising Auditors (SA) shall conduct a review of the outputs prepared by the Audit Team Leaders (ATL).
► The overall review and approval of the audit engagement will be documented in a Quality Inspection Tool as presented in the next slide.
Issue report
Pursuant to COA Memorandum No. 2009-028, the SAs shall sign the audit reports AAR prepared by the ATLs, while the CDs transmit said reports to the agency.
Quality Inspection Tool
Wrap-up and archive the engagement
► Auditors shall use professional judgment in determining the nature and extent of the audit documentation. However, it shall be ensured that it is consistent with COA policies, professional standards and other legal and regulatory requirements.
Monitor and follow-up Agency Action Plans
Benefits of Monitoring:
► Assures the auditor that the benefit of work done is realized
► Validates that the recommendations as implemented are truly advantageous to the auditee
Monitor progress
► Part of the auditors’ role is to determine that the audited agencies take corrective actions on the audit recommendations provided on a timely basis
Conduct follow-up procedures
► Casual
- Most basic form of follow-up
- Applicable to less critical findings
- Example: Review of the process owner’s procedures, informal telephone conversation, memo/correspondence
► Limited
- Usually involves more interaction with auditee
- Examples: Verifying procedures or transactions
► Detailed
- More time-consuming
- Done with substantial process owner involvement
- Applicable to more critical audit findings
- Includes analyzing, comparing to agreed strategy, and assessing efficiency, effectiveness and timeliness of the response
- Example: Substantiating account balances and computerized records
Policy and standard
Policy/Standard: Description
ISSAI 400: Reporting standards in government auditing
ISSAI 1220: Quality Control for Audits of Historical Financial Information
COA Memorandum No. 99-021: Segregation of Value-for-Money Audit Reports from the Annual Audit Report (AAR) and providing guidelines for the preparation, submission, and transmittal of VFM Audit Reports
COA Memorandum No. 2002-047: Guidelines on the preparation, submission and transmittal of the Annual Audit Report
COA Resolution No. 2006-002: Conduct of comprehensive audits by the offices of this Commission
COA Memorandum No. 2009-028: Implementing guidelines on audit operations under the 2008 COA organizational restructuring
Summary
Procedure: Summarize Audit Results
Reference Manual: IRRBAM
► Sub-procedure: Prepare summary of the results and conclusions of the audit. Tools/Templates: Tool - Audit Summary and Conclusion Template. Output: Tool - Audit Summary and Conclusion.
Questions?
Thank you!
Integrated Results and Risk-based Audit Workshop
Day 4: Monitoring
November 9, 2010
[Figure: Integrated Results and Risk-based Audit Framework. Planning: Agency Audit Planning and Risk Assessment. Delivery: Execution; Conclusion and Reporting. Monitoring.]
Relevant standards
Policy/Standard: Description
ISSAI 40: Quality Control for Supreme Audit Institutions
Monitoring
Quality Control System
Responsibilities on Quality Control
Elements of a Quality Control System
► Human resources
► Engagement performance
► Monitoring
Other Quality Control considerations
Quality assurance
Quality assurance review program
Questions?
Thank you!