
Integrated Results and Risk-based Audit Workshop
Day 1: Welcome and Introduction

November 4, 2010

Draft
Agenda

► Course Objectives

► Course Topics

► Course Schedule

► Participants

Course Objectives

► To provide guidance to COA trainers and auditors on the Integrated Results and Risk Based Audit Approach on Comprehensive Auditing.

► To obtain comments and feedback from COA Auditors on the proposed Integrated Results and Risk Based Audit Manual.

► To provide a clear understanding of Governance, Risks, Controls, and Processes.

► To refine and improve the contents of the IRRBAM.

Course Topics

Day 1
► Overview of IRRBAM
► Introduction to Risk Assessment
► Introduction to COSO
► Introduction to Processes
► Phase 1: Strategic Planning and Risk Assessment
► Phase 2: Agency Planning and Risk Assessment

Day 2
► Phase 2: Agency Planning and Risk Assessment

Day 3
► Introduction to Governance
► Introduction to OPIF
► Phase 3A: Delivery – Execution (Test of controls)
► Phase 3A: Delivery – Execution (Test of details)

Day 4
► Phase 3B – Delivery: Conclusion and Reporting
► Phase 4: Monitoring
► Summary of IRRBAM training

Course Schedule

Time | Day 1 | Day 2 | Day 3 | Day 4
8:00 - 8:30 | Registration | Registration | Registration | Registration
8:30 - 10:00 | Overview of IRRBAM/ Introduction to Risk Assessment | Phase 2 con’t; Case study 1: Significant Agency Risk Identification | Phase 2: Con’t; Case Study 3: Audit Risk Assessment | Phase 3B - Reporting and Conclusion
10:00 - 10:30 | Break | Break | Break | Break
10:30 - 12:00 | Introduction to COSO | Case study 1: Discussion and Presentation | Introduction to Governance | Phase 4: Monitoring
12:00 - 1:00 | Lunch | Lunch | Lunch | Lunch
1:00 - 3:00 | Introduction to Processes; Phase 1: Strategic Planning and Risk Assessment | Phase 2: Con’t; Case Study 2: Understanding Flow of Significant Processes | Introduction to OPIF | Wrap-up/ Open Forum
3:00 - 3:30 | Break | Break | Break |
3:30 - 5:00 | Phase 2: Agency Planning and Audit Risk Assessment | Case study 2: Discussion and Presentation | Phase 3A – Execution |

Expectations, activities, and ground rules setting

Activities
► Lectures
► Discussions
► Learning exercises
► Case study
► Presentation/Simulation
► Games

Expectations, activities, and ground rules setting

Expectations and Ground Rules Setting


► Turn off/put into silent mode mobile phones, PDAs, etc.
► Actively participate; share knowledge and experiences
► Be punctual

Parking lot

► Any discussion items that cannot be answered during the course of this class will be placed in a “parking lot” to be addressed later.

Questions?

Thank you!

Integrated Results and Risk-based Audit Workshop
Day 1: Overview of IRRBAM

November 4, 2010

Outline

► Introduction
► Policy Diagram: Public Sector Audit
► IRRBA framework
► International Standards of Supreme Audit Institutions
► ISSAI and INTOSAI GOV
► IRRBAM tools and templates
► COA audit services and IRRBA framework
► COA audit framework, RBA, and IRRBA framework
► Existing audit guidelines/manuals and IRRBAM


Introduction

► This Integrated Results and Risk-based Audit Manual aims to integrate the different COA audit services such as Financial and Compliance Audit; Agency-based Value-for-Money Audit; Government-wide and Sectoral Performance Audit; and Fraud Audit into a common audit approach.

► The IRRBA approach will provide a consistent set of processes to guide COA Auditors in performing their audit services. The silo approach to the conduct of audits will be addressed by introducing linkages between each type of audit and its results, for a more effective delivery of service.

The need for an Integrated-Results and Risk-based Audit

► INTEGRATION is defined in the Manual as the establishment of a common public sector audit approach and a consistent set of audit processes that reduces redundant activities, eliminates duplication in the audit of an agency, and drives down resource costs by identifying opportunities to create efficiencies and streamlining public sector audit processes, allowing the delivery of comprehensive attestation and advisory audit services.

Introduction

IRRBAM will discuss COA’s fulfillment of its role in the country’s public governance through the delivery of the following audit services:

► Comprehensive Audit
► Financial and Compliance
► Agency-based Performance Audit

► Government-wide and Sectoral Performance Audit (GWSPA)

► Fraud Audit

Policy Diagram: Public Sector Audit

IRRBA framework
Integrated Results and Risk-based Audit Framework

► Strategic Planning and Risk Identification
► Planning: Agency Audit Planning and Risk Assessment
► Delivery: Execution; Conclusion and Reporting
► Monitoring

Note: Procedures for all audit services (Financial and Compliance, Agency-based VFM, Fraud) are integrated in all phases, except for the Execution phase.

IRRBA framework

STRATEGIC PLANNING AND RISK IDENTIFICATION

Activities:
► Perform Government Risk Identification (GRI)
► Develop/update the Government Risk Model (GRM)
► Identify government risks
► Report the results of GRI
► Conduct COA Strategic Planning
► Conduct Annual Planning Conference
► Develop Sector Strategic Action Plan
► Develop Cluster/Regional Operation Plan

[Diagram: Strategic Planning and Risk Identification, comprising Government Risk Identification and Annual Strategic Planning]

IRRBA framework

PLANNING
► Agency Audit Planning and Risk Assessment

Activities:
► Prepare Agency Audit Work Plan
► Understand the Agency
► Understand the Agency Profile
► Understand Agency-Level Controls
► Identify Significant Agency Risks
► Understand the Process
► Conduct Audit Risk Assessment
► Develop Audit Plan
► Determine Audit Scope and Timing
► Determine need for specialized skills
► Prepare Audit Planning Memorandum

[Diagram: Planning, Agency Planning and Audit Risk Assessment: Prepare Agency Audit Work Plan; Understand the Agency; Identify Significant Agency Risks; Understand the Process; Conduct Audit Risk Assessment; Develop Audit Plan]

IRRBA framework

DELIVERY

Activities:
Execution
► Design Audit Tests
► Prepare Audit Work Programs
► Execute Audit Tests
► Execute audit tests throughout the audit period in accordance with the nature, extent and timing of the audit procedures as designed
► Evaluate Audit Results
► Identify and accumulate misstatements
► Communicate Audit Results
► Conclude on the results of audit procedures and assess whether sufficient appropriate audit evidence for each significant account, disclosure and assertion have been obtained

[Diagram: Delivery. Execution: Design Audit Tests; Execute Audit Tests; Evaluate Audit Results; Communicate Agency Results. Conclusion and Reporting: Summarize Audit Results; Prepare Audit Report; Perform Overall Audit Review; Wrap-up and archive the engagement; Follow-up Agency Action Plan]

IRRBA framework

Conclusion and Reporting

► Summarize Audit Results
► Prepare summary of the results and conclusions of the audit
► Discuss results of different types of audit conducted
► Prepare Audit Report
► Prepare Annual Audit Report
► Perform Overall Audit Review
► Perform overall review and approval
► Issue report
► Wrap-up and Archive the Engagement
► Archive working papers/documentation of audit
► Follow-up Agency Action Plan

[Diagram: Delivery. Execution: Design Audit Tests; Execute Audit Tests; Evaluate Results of Audit Tests; Discuss Results with Agency Management. Conclusion and Reporting: Summarize Audit Results; Prepare Audit Report; Perform Final Overall Review; Wrap-up and archive the engagement; Monitor and Follow-up Agency Action Plan]

IRRBA framework

MONITORING

Activity:
► Monitor quality control on audit services

Integrated Results and Risk-based Audit Framework

Strategic Planning and Risk Identification
► Perform Government Risk Identification
► Conduct COA Strategic Planning

Planning: Agency Audit Planning and Risk Assessment
► Prepare Agency Audit Work Plan
► Understand the Agency
► Identify Significant Agency Risks
► Understand the Process
► Conduct Audit Risk Assessment
► Develop Audit Plan

Delivery: Execution
► Design Audit Tests
► Execute Audit Tests
► Evaluate Audit Results
► Communicate Audit Results

Delivery: Conclusion and Reporting
► Summarize Audit Results
► Prepare Audit Report
► Perform Overall Audit Review
► Wrap-up and archive the engagement
► Follow-up Agency Action Plan

Monitoring

International Standards of Supreme
Audit Institutions (ISSAI)

Strategic Planning and Risk Identification


• ISSAI 100 • ISSAI 300 • INTOSAI GOV
• ISSAI 200 • ISSAI 1300 9130

Planning Delivery
Agency Audit Planning and Execution Conclusion and
Risk Assessment Reporting
• ISSAI 1230
• ISSAI 1230 • ISSAI 1330
• ISSAI 1265* • ISSAI 400
• ISSAI 1450 • ISSAI 1220
• ISSAI 1300 • ISSAI 1500*
• ISSAI 1315 • ISSAI 1230
• ISSAI 1505* • ISSAI 1700*
• ISSAI 1320* • ISSAI 1520*
• ISSAI 1330 • ISSAI 1530*
• ISSAI 1520* • ISSAI 1540*

Monitoring
• ISSAI 1000 •ISSAI 3000 •ISSAI 4100 •ISSAI 40*
• ISSAI 1220 • ISSAI 3100 • ISSAI 4200
* Endorsement version


ISSAI and INTOSAI GOV

The International Standards of Supreme Audit Institutions (ISSAI) state the basic prerequisites for the proper functioning and professional conduct of Supreme Audit Institutions and the fundamental principles in auditing of public entities.

ISSAI is officially authorised and endorsed by the International Organisation of Supreme Audit Institutions (INTOSAI).

INTOSAI Guidance for Good Governance (INTOSAI GOV) provides guidance to public authorities on the proper administration of public funds.

IRRBAM tools and templates

Strategic Planning and Risk Identification
► Government Risk Model
► Government Risk Identification Template

Planning: Agency Audit Planning and Risk Assessment
► Audit Work Plan
► Understand the Agency Template
► Agency-level Controls Checklist
► Agency Risk Model
► Significant Agency Risk Identification Matrix
► Process-Risk-Control Matrix
► Audit Risk Assessment Tool
► Audit Planning Memorandum

Delivery: Execution
► Audit Work Program
► Audit Observation Memorandum

Delivery: Conclusion and Reporting
► Summary of Audit Results and Recommendations
► Annual Audit Report
► Management Letter
► Quality Inspection Tool
► Action Plan Status Tracker

Monitoring
► None

COA audit services and IRRBA framework

[Diagram: COA audit services (Financial, Compliance, VFM, Fraud, GWSPA) over the IRRBA framework phases, numbered 1 to 4 as in the notes]

Notes:
1 Strategic Planning and Risk Identification is the integration point wherein the five COA audit services are considered.
2 Other types of audit conducted (i.e., Fraud audit and GWSPA) are mentioned in audit reports and considered before rendering audit opinion.
3 Comprehensive auditing is discussed in Phases 1 and 2. Although Fraud is given consideration, the full-length discussion is in the Fraud Audit Manual.
4 The guidelines set forth in the Monitoring phase are applicable to comprehensive auditing.

COA audit framework, RBA, and IRRBA framework

[Diagram: COA audit framework phases (Pre-planning, Planning, Execution, Reporting and Monitoring) and RBA steps (Assess audit assignment risk; Understand the agency; Assess agency risk management strategies and controls; Manage residual audit risk; Communicate audit results) set against the IRRBA framework phases (Strategic Planning and Risk Identification; Planning: Agency Audit Planning and Risk Assessment; Delivery: Execution, Conclusion and Reporting; Monitoring)]

Note: As illustrated, all phases of RBA framework are aligned with the IRRBA framework.

Existing audit guidelines/manuals and IRRBAM

Note:
► The existing manuals will be used as references in the Execution phase of IRRBAM.
► Fraud audit manual will be used by the Audit sectors in performing fraud audit.
► GWSPA manual is used by Special Audits Office in performing GWSPA.

[Diagram: existing manuals (RBAM 2009; 1982 Guidelines on Comprehensive Auditing; Procurement Guideline; Fraud Audit Manual; GWSPA Manual) mapped to audit areas (Financial, Compliance, VFM, Fraud, GWSPA) within the IRRBA framework phases]

Questions?

Thank you!

Integrated Results and Risk-based Audit Workshop
Day 1: Introduction to Risk Assessment

November 4, 2010

IRRBA framework

Integrated Results and Risk-based Audit Framework

► Strategic Planning and Risk Identification
► Planning: Agency Audit Planning and Risk Assessment
► Delivery: Execution; Conclusion and Reporting
► Monitoring

Introduction to risk

What is RISK?

“Risk is the threat that an event, action or inaction will adversely affect the agency’s ability to successfully achieve its objectives and execute its strategies (e.g., better service delivery, revenue collection, minimized fraud)”

Attributes of risks

► Could be existing

► Could be emerging (has a potential of happening)

► Presents exposure to both tangible and intangible assets

► Can arise from the external environment, from internal processes and from
the lack of information for decision making

► Presents an exposure (downside) if not managed or a potential opportunity (upside) if managed well

Risk categories

► Strategic
  ► arises when forces in the environment could significantly ‘change the fundamentals’ that drive the agency’s overall social and/or operating objectives and strategies and, in the extreme, result in failure of the agency’s operations

► Operations
  ► risks that operations are inefficient and ineffective in executing the agency’s model, satisfying the public, and achieving the agency’s quality, cost, and time performance objectives

► Compliance
  ► noncompliance with prescribed policies and procedures or laws and regulations resulting in lower quality, higher execution costs, lost revenues, unnecessary delays, penalties, fines, etc.

► Financial
  ► risk that cash flows and financial risks are not managed cost-effectively to (a) maximize cash availability; (b) reduce uncertainty of currency, interest rate, and other financial risks; or (c) move cash funds quickly and without loss of value to wherever they are needed most. It also includes risks that government agencies face when misleading financial information becomes the basis for decision making by the governing management (affecting processes, systems and people)

Risk Assessment

Risk Assessment - is the process of identifying and analyzing relevant risks to the achievement of the agency’s objectives and determining the appropriate response.

→ To identify and assess the impact of significant risks that may threaten agency’s objectives.
→ To create the potential audit universe and audit plan.
→ To focus audit efforts on the critical risks of the agency.

Levels of Risk Assessment

► Entity Level - entails a comprehensive look at those risks that affect the organization as a whole.

► Process Level - entails a comprehensive look at those risks that affect one specific process.

Define key agency risks
Risk assessment efforts should focus on the issues with the greatest potential to impact objectives

Risk Model Categories

Strategic
► Planning and resource allocation
► Major initiatives
► Reorganization
► Communication and investor relations

Operations
► People
► Information technology
► Hazards
► Physical assets

Financial
► Budget/IRA
► Accounting and reporting
► Tax
► Capital structure

Compliance
► Governance
► Code of conduct
► Legal
► Regulatory

Key considerations for management
► What are our key risks?
► Are we focused on the risks that matter?
► Who is accountable for the key risks?
► Are resources aligned to our risk profile?
► Are we accepting an appropriate level of risk?
► Are we receiving a fair return on that risk?
► Who is monitoring the significant risks?
► How are we improving key controls?

Illustration: Linking of objectives and risks to processes

Objectives and Initiatives
► Improve revenue collection
► Improve fiscal position
► Create opportunities for private sector investments
► Establish and enhance school facilities
► Provide quality basic education
► Allocate resources to improve the educational system
► Revisit health care policies
► Strengthen health care
► Intensify health care promotions and programs

Inherent Key Risks
► Strategic: Planning & resource allocation; Major Initiatives & programs; Capital/fund availability; Communication & investor relations
► Operations: Research & development; Recruiting and retention; Compensation and benefits; Information Technology; Physical Assets/Facilities
► Financial/Reporting: Accounting and reporting; Investment evaluation; Cash management; Funding
► Compliance: Labor; Code of Conduct; Health and safety; Anti-corruption

Processes
► Revenue
► Policy Development
► Fixed Asset
► Budget
► Human Resources

[Diagram labels: Evaluate the significance of the risk to objectives; Link To Risks; Link Risks to Processes]

Risk Assessment Process

Risk Assessment
• Identify risks
• Prioritize risks

→ In identifying risks, consider relevant information gathered from the overall understanding of the Agency and its Control Environment

The Risk Model

Sample Government Risk Model

Strategic
► Planning and resource allocation: Organizational structure; Strategic planning; Operational planning; Budgeting; Forecasting; Resource allocation; Capital/fund availability; Operational model; Operational portfolio; Outsourcing
► Major initiatives: Vision and direction; Planning and execution; Measurement and monitoring; Technology implementation; Project evaluation; Change readiness; Climate change and sustainability initiatives; Education; Healthcare services delivery; Energy and water management (supply/distribution)

Operations
► Public service and operations: Customer/public satisfaction; Channel effectiveness; Cycle time; Service failure; Efficiency; Capacity; Performance measure/gap; Partnering/contracting; Citizen relationship management system and organization
► People: Culture; Recruiting and retention; Development and performance; Succession planning; Knowledge capital; Compensation and benefits; Performance incentives; Health and safety
► Information technology: Information management; Security/access; Availability/continuity; Integrity; Infrastructure

Compliance
► Mandate: Functions
► Governance: Board performance/Agency Management Committee; Tone at the top; Authority/limit; Control environment; Corporate social responsibility; Reputation
► Code of conduct: Corruption and fraud; Ethics; Fraud; Employee/third party fraud; Illegal acts; Management fraud; Unauthorized use
► Legal: Contract; Liability; Intellectual property; Anticorruption; Legal

Financial
► Market: Interest rate; Foreign currency; Commodity; Financial instrument; Public policies; Debt and fiscal policy
► Liquidity and credit: Cash management; Opportunity cost; Funding; Hedging; Credit and collections; Insurance; Foreign assisted loan
► Accounting and reporting: Accounting, reporting and disclosure; Internal control; Investment evaluation; Tax strategy and planning

The Risk Model

Sample Government Risk Model

Strategic
► Environment dynamics: Economic changes; Financial market; Sovereign/political; Customer/public wants; Technological innovation; Environment scan; Agency environment/industry; Sensitivity
► Market dynamics: Macroeconomic factors; Lifestyle trends; Sociopolitical; Technology changes
► Communication and public relations: Media relations; Public relations; Crisis communications; Employee communication

Operations
► Hazards: Natural events; Terror and malicious acts
► Physical assets: Real estate; Property, plant and facilities; Maintenance and performance; Inventory

Compliance
► Regulatory: Trade; Customs; Procurement; Road-right of way (RROW) Acquisition; Labor; Securities; Environment; Data protection and privacy; International; Product/service quality; Health and safety; Competitive practice/antitrust

Financial
► Capital structure: Debt; Equity; Pension funds

Common risk language

Benefits of a common risk language

► Common understanding of risks across the organization
► Different people have different perceptions of the same risk
► Ability to focus on issues faster

Steps to develop a common risk language

1. Conduct risk interviews and surveys
2. Analyze results of surveys and workshops
3. Develop the Agency’s Risk Model
4. Develop Risk Definitions/Risk Dictionary
5. Validate and present the Risk Model and Risk Definition/Dictionary

How do you define risks?

► Focused: focused on the nature of the risk; excluding risk drivers
► Impact: briefly describes immediate significant effect of the risk
► Concise: specific, clear, simple* (e.g., not more than 30 words)
► Standard format: state nature of risk first followed by the impact

* In developing risk definitions, avoid using words that are already mentioned in the risk.

What makes a good risk definition?

► Easily understood
► Avoid technical terms
► Limited to one specific issue, otherwise consider the other issues as a separate agency risk
► Limit the customized agency risk definition (e.g., two sentences and not more than 30 words)

Example of risk definition

✔ REGULATORY RISK
Changing regulations may result in increased pressures and significantly affect the agency's ability to efficiently execute its mandate.

✘ REGULATORY RISK
The risk that regulations can affect the agency’s operations.

Risk Assessment Process

Risk Assessment
• Identify risks
• Prioritize risks

→ In prioritizing risks, assess each risk in terms of impact and likelihood of happening

Risk Prioritization

► Significance - the impact that the event, action or inaction would have on the agency if it were to occur

► Likelihood - the probability that the event or action would occur assuming no controls are in place to mitigate the risk

Risk Assessment Criteria Matrix - Impact

Risk Factor: Financial

High (7-9)
• Adverse impact on actual revenues resulted to collection less by 7.5% of targeted collection (2008 target is Php254 billion)
• External audit qualification on the report and accounts

Moderate (4-6)
• Impact on actual revenues resulted to collection less by 5% of targeted collection
• External audit management letter contains significant issues

Low (1-3)
• Impact on actual revenues resulted to collection less by 1% of targeted collection
• External audit raises some isolated findings

Risk Factor: Operations

High (7-9)
• Significant number of backlogs in the release of imported/exported items (trade facilitation).
• Significant compromise of personnel safety
• Significant number of personnel and customers suspected of illegal activities.
• Instances where anti-social goods, smuggled items, prohibited substances and other items (anti-dumping), etc. are not detected by majority of BOC districts and circulated in the market.
• Significant increase in customer complaints against employees, service, etc.
• System enhancement or implemented without major functionality
• Loss of systems leading to severe or on-going business disruption (over 1 day)
• Management information used in key decision making is inaccurate

Moderate (4-6)
• Moderate number of backlogs in the release of imported/exported items (trade facilitation).
• Minor compromise of personnel safety
• Moderate number of personnel and customers suspected of illegal activities.
• Instances where anti-social goods, smuggled items, prohibited substances and other items (anti-dumping), etc. are not detected by some BOC districts and circulated in the market.
• Minor increase in customer complaints against employees, service, etc.
• System enhancement or implemented without some functionality
• Loss or disruption to systems leading to significant business disruption (up to 1 day)
• Management information used for reporting is inaccurate

Low (1-3)
• Fewer cases of backlogs in the release of imported/exported items (trade facilitation).
• Fewer personnel and customers suspected of illegal activities.
• Instances where anti-social goods, smuggled items, prohibited substances and other items (anti-dumping), etc. are not detected by responsible office in a district and circulated in the market.
• Isolated cases of customer complaints against employee, service, etc.
• Minor delays in implementation of new/enhanced systems
• Loss to systems leading to business disruption (up to 1 hour)
• Delays in availability of general management information

Risk Factor: Compliance

High (7-9)
• Serious failure to comply with legal or regulatory requirements
• Instances of bad publicity/reputation damaged to an international and national audience that will compromise the integrity of the BOC and its employees.

Moderate (4-6)
• Failure to comply with legal or regulatory requirements in some instances
• Instances of bad publicity/reputation damaged to a district audience that will compromise the integrity of the BOC and its employees.

Low (1-3)
• Failure to comply with legal or regulatory requirements in non-serious and isolated cases
• Instances of bad publicity/reputation damaged to a particular office/division.

Risk Assessment Criteria Matrix - Likelihood

Risk Factor: Likelihood

High (7-9)
• Already happening (e.g., based on experience, media perception, cases filed)

Moderate (4-6)
• May happen during the year

Low (1-3)
• May happen within two years
• Unlikely to happen

How to interpret the risk map

Sample Risk Map

[Figure: sample risk map plotting risks against Likelihood on the horizontal axis. Risks shown: Service Failure, Regulatory, Public Satisfaction, Disruption in Operations, Currency (Price), Availability, Human Resource, Technological Innovation, Efficiency, Public Wants, Performance Gap, Cycle Time, Partnering]

Combined Risk Assessment Criteria

IMPACT \ LIKELIHOOD | Low | Moderate | High
High | M | H | H
Moderate | L | M | H
Low | L | L | M

Forms of Risk Assessment

► Interviews
► Questionnaires
► On-line, interactive questionnaires
► Facilitated meetings
► Facilitated meetings, with voting technology

Questions?

Thank you!

Integrated Results and Risk-based Audit Workshop
Day 1: Introduction to COSO

November 4, 2010

What is COSO?

Committee of Sponsoring Organizations (COSO)

► Voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance

International Organization of Supreme Audit Institutions (INTOSAI)

► INTOSAI implemented the COSO model in the “INTOSAI: Guidelines for Internal Control Standards for the Public Sector”

► It aims not only at updating the concept of internal control, but also attempts to contribute to a common understanding of internal control among Supreme Audit Institutions (SAI).

► INTOSAI developed the International Standards of Supreme Audit Institutions (ISSAI) as the basic prerequisites for the proper functioning and professional conduct of SAIs and the fundamental principles in auditing of public entities.

What is NGICS?

National Guidelines on Internal Control System (NGICS)

► NGICS contains the fundamental principles, policies and general standards that will
guide each government agency in developing its detailed and comprehensive system of
internal controls. Agency characteristics such as mandate, functions, nature of
activities, operating environment, manpower profile, size and organizational structure
will have to be considered in developing or improving the individual controls.

► The guideline provides an Internal Control Framework adapted from the INTOSAI:
Guidelines for Internal Control Standards for the Public Sector. It comprises five
interrelated internal control components, namely: 1) control environment; 2) risk
assessment; 3) control activities; 4) information and communication; 5) monitoring.

► The NGICS will serve as a guide to the heads of departments and agencies in
designing, installing, implementing and monitoring their respective internal control
system taking into consideration the requirements of their organization and operations.

Definition of internal control

What is Internal Control?

Internal control is an integral process that is effected by an entity’s management and personnel and is designed to address risks and to provide reasonable assurance that in pursuit of the entity’s mission, the following general objectives are being achieved:

► executing orderly, ethical, economical, efficient and effective operations;
► fulfilling accountability obligations;
► complying with applicable laws and regulations;
► safeguarding resources against loss, misuse and damage.

Redefine the control focus

OLD PARADIGM | NEW PARADIGM
Only auditors are concerned about risks and controls | Everyone is concerned about risks and controls
Fragmentation | Focused and coordinated
No risk policy | Formal risk policy
Inspect, detect, and react | Anticipate, prevent, and monitor
Only “hard” tangible controls are evaluated | Both “hard” tangible and “soft” intangible controls are evaluated

COSO Internal Control Framework

[Diagram: COSO internal control framework. Components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring. Levels: Entity, Organization, Department]

COSO Internal Control Framework

Five Interrelated Components of Internal Controls

1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information & Communication
5. Monitoring

Control Environment

► Sets the tone of an entity,


influencing the control
consciousness of its people
Control environment
Control environment
► Foundation for all other
component of internal control

► Tone at the top

e.g., the agency’s organizational structure,


management and personnel, human
resource management system,
performance management system, etc.

Control Environment

Factors to consider in assessing the control environment

► Integrity, ethical values, and behavior of key executives
► Management’s consciousness and operating style
► Commitment to competence
► Participation of “those charged with governance” in governance and oversight
► Organizational structure and assignment of authority and responsibility
► Human resources policies and practices

Risk Assessment

The process of identifying, analyzing, and managing risk is a critical component of an effective internal control system

[Diagram: Identify, Analyze, Manage entity and process level risks]

e.g., the risk management in public service organizations

Control Activities

Are the policies and procedures established and implemented to address the risks and to achieve the agency’s objectives

► Policies and procedures
► Planning and reporting system
► Management review of variances and corrective actions necessary
► Adequate safeguards in place to prevent unauthorized access
► Proper segregation of duties

e.g., performance review, compliance review, etc.

Information and Communication

Capturing and exchanging information needed to conduct, manage, and control the Agency’s operations

► Does the information system provide management with necessary reports on performance relative to goals?
► Information is provided to the right persons in sufficient detail and on time.
► Management communicates employees’ duties and control activities in an effective manner.
► Management takes timely and appropriate follow-up on communications received.

e.g., information system, communication and feedback mechanism, information technology, etc.

Information and Communication

Communicate in all directions

► Upward to provide Agency management at all levels feedback on decisions and performance
► Sideways to provide consistent communication across all levels of the Agency
► Downward to provide employees with clear guidance and direction

Have we effectively communicated control responsibilities to all employees?

Monitoring

Assessing the quality of internal control system performance over time. Accomplished through:

► Ongoing monitoring activities
► Separate evaluations
► Reporting deficiencies

e.g., regular management surveys of the organizational structure and manpower and operations, evaluation or appraisal of the internal control system,

COSO and IRRBA framework

[Diagram: the COSO cube (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring; Entity, Organization, Department) shown beside the IRRBA framework: Strategic Planning and Risk Identification; Planning (Agency Audit Planning and Risk Assessment); Delivery (Execution; Conclusion and Reporting); Monitoring.]

Note: COSO is discussed in the Agency Planning and Audit Risk Assessment Phase under Understanding Agency-level Controls.

Role of COA in the Agency’s Internal Control System

The role of COA in the assessment of the Internal Control System
- NGICS, Chapter 3

The Constitution, as well as the Administrative Code of 1987 provides that,

“where the internal control system of the audited agencies is inadequate, the COA may adopt such measures, including temporary or special pre-audit, as necessary and appropriate to correct the deficiencies.”

Integrated Results and Risk-based Audit Workshop
Day 1: Introduction to Processes

November 4, 2010

IRRBA framework

[Diagram: Strategic Planning and Risk Identification; Planning (Agency Audit Planning and Risk Assessment, including Understand the process); Delivery (Execution; Conclusion and Reporting); Monitoring.]

Understand the process

Its purpose is to develop a thorough understanding of the Agency’s processes selected in the Audit

In understanding the flow of significant processes we:

► Identify potential risks that will be evaluated in subsequent activities
► Identify existing controls so that important controls can be validated selectively
► Identify missing, weak, or duplicate controls
► Identify how process performance is currently measured, which will enable the process owner to benchmark against similar processes of other agencies
► Highlight parts of the process that appear repetitive or unduly complicated
► Add value by helping the process owner understand and evaluate their own processes
► Describe the relationship between functional areas (e.g. segregation of duties) and develop the function of roles and responsibilities

Objectives of understanding the process

► Identify and understand what the process objectives are for the selected process(es), and how those objectives align with and contribute to the Agency’s overall strategy

► Understand the process activities, sequence, work volumes, time durations, and frequency of errors

Key steps in understanding the process

1. Gather Process Information. Examples: procedures manual, existing flowcharts, prior-year working papers
2. Interview the Process Owner. Validate understanding of the processes
3. Create or Update Process Map. “Current state process map”

Gather process information

Tasks (not all-inclusive)

1. Note any risks specific to the process that were identified in the risk assessment
2. Preliminarily, assess completeness of process risks and key controls
3. Meet with the Agency personnel involved in the process and obtain relevant data from the process owner
4. Identify opportunities to eliminate, simplify and focus the process
5. Obtain a high-level understanding of the process
    ► Tasks performed
    ► Who performs and when
    ► Interface with other process
    ► Reports and forms
    ► Information systems used
6. Prepare high-level process map
7. Document preliminary findings

Interview the process owner

Tasks (not all-inclusive)

1. Determine who should be interviewed and which interviewing method(s) to use
2. Schedule interviews
3. Review previously prepared process map to identify areas where the process differs from documented process
4. Develop an agenda
5. Conduct the interview and gather all necessary information:
    ► Objectives
    ► Process
    ► Performance Measures
    ► Technology

Create or update the process map

Tasks (not all-inclusive)

1. Select the appropriate process mapping tool
2. Create a first draft of the process map
3. Identify the control points in the process
4. Be alert for process inefficiencies that could be the subject of recommendations
5. Validate the process map with the process owner
6. Finalize the process map
7. Document any preliminary gaps identified at this point

Process definition

What is a Process?

► A process is a group of activities, logically interconnected, that use the resources of the organization to deliver a product. Processes are the interpretation of and link between strategy and people.
► A process must have clearly defined boundaries, inputs and outputs that add value to the recipient, either upstream or downstream, and can regularly (but not necessarily) span several functions.

SIPOC Process Maps

The SIPOC Approach

SIPOC is an acronym that stands for Suppliers, Inputs, Process, Outputs, and Customer. It is just one of the different approaches to documenting the process map. Definitions for each of the segments of a SIPOC are provided below, with the questions to ask in creating a SIPOC.

► S, Suppliers: Anyone who supplies inputs to a process. Question: Who is the supplier of each input?
► I, Inputs: Materials, resources, and data needed to execute the process. Question: What inputs are required to enable the process to occur?
► P, Processes: The primary activities that use one or more inputs to create an output that is of value to customers. Questions: What is the process that produces the output? When does the process start and finish?
► O, Outputs: Products, services, or data resulting from a process. Question: What are the outputs from the process (for each customer segment)?
► C, Customers: Internal or external recipients and users of outputs. Question: Who are the customers of the process?

Sample SIPOC Process Map

► The Output of the previous process is the Input for the next process.
► The Process Owner of the previous process is the Source for the next process.
► The Customer of the previous process is the Process Owner for the next process.

Standard process mapping symbols

► Process: represents any kind of processing function
► Decision: represents a decision or switching type function
► Document: represents human readable data, such as print output
► Documents: represents multiple documents
► Software Application: represents a software application used to complete a process
► Preparation: represents the preparation process
► Manual Input/Operation: represents any manual intervention in the process or operation
► Universal Connector: connector elements in the process map
► Process Connector: represents a cross-reference to another page of the flowchart
► On Page Connector: represents an exit to, or entry from, another part of the same flowchart
► Terminator: represents the start and end of a process flow
► Result: use in conjunction with decisions. Type "Yes" or "No" to indicate result
► Jumper: use to indicate "no connection" when crossing other lines
► Double tree square: splits one line into two branches; put several together to form a tree
► Annotation: annotation callout for making notes at specific locations in a flowchart; the callout and its associated line grow or shrink as you add text. To change the width of the comment, drag the side handle.
► Risk/Control: represents a risk or control that is documented in greater detail in a separate document
► Data: represents input or output data involved in the process
► Database: represents a database on disk
► Tape Storage: represents the storage of audio tapes (e.g. taped phone lines)
Process mapping tools

Tools
► Basic Tools
    ► PowerPoint, Excel, MS Visio
► Advanced Tools (incl. process analysis functions)
    ► ARIS
    ► ViFlow Professional
    ► iGrafx 2007
    ► etc.

Comprehensive Audit: Context Diagram

[Diagram: COA audit services set against the elements of agency performance. Scope: Agency and Inter-agency (linkage with other government agencies). Audit: Regularity (Financial and Compliance Audit); Agency-based Value For Money Audit (Economy, Efficiency, Effectiveness); Government-wide and Sectoral Performance Audit (GWSPA). Elements: Resource, Inputs, Processes, Outputs, Outcome, Impact. Performance labels: GAA (Personnel, MOOE, CO), IRA, Budget; Revenue, Procurement, Budget, Fixed Asset; Programs, Activities, Projects; MFO, KPI; Organizational/Sector Outcome; Sector Goals, Societal Goals.]

The diagram shows how COA’s audit services are linked into different audit services as well as to the country’s Public
Expenditure Management reform, the Organizational Indicator Framework (OPIF). It shows the focus of the different
audit services provided by COA by differentiating the elements of an agency’s process. Each element is interrelated
and plays a significant role in an agency and the government as a whole.

IRRBA framework

IRRBAM: Understand the flow of significant processes (process mapping)

Significant Operating Processes:
► Plan to Budget
► Procure to Pay
► Order/Contract to Cash
► Record to Report
► Facility Management
► Supplies/Inventory Management
► Performance Management Process
► Market to Customer/Public

[Diagram: Significant Information Processes. Labels: Agency reality (transactions, events and facts from operations); Capture data; Data input and changes; Conversion and transfer/processing; Outputs and journal entries; Processes and application systems; Identify Agency improvement opportunities.]

Understand the Process

RBAM: Agency Information Framework (AIF)
IRRBAM: Understand the Process; Process Mapping

“The AIF per RBFAM has only focused on the accounting process/system, however, prior to the entry of the transactions in the accounting system, there are already a number of critical processes that need to be analyzed for possible risks. This Operating Process AIF addresses this lacking feature in the RBFAM to make the manual more responsive to other types of audit.”

Illustration: Procure to Pay process

Procurement (operations)
    ► Preparation of purchase request
    ► Bidding/awarding to supplier
    ► Preparation of purchase order
    ► Receipt of goods/supplies/services and Sales Invoice

Payment (financial reporting)
    ► Preparation of Journal Entry Voucher
    ► Preparation and processing of Disbursement Voucher
    ► Preparation of check

Note: Laws, rules and regulations and accounting principles and practices are considered in understanding the flow of significant processes. Risks and controls are also identified and documented in the process maps.

Integrated Results and Risk-based Audit Workshop
Day 1: Strategic Planning and Risk Identification

November 4, 2010

IRRBA framework

Integrated Results and Risk-based Audit Framework

[Diagram: Strategic Planning and Risk Identification; Planning (Agency Audit Planning and Risk Assessment); Delivery (Execution; Conclusion and Reporting); Monitoring.]

Phase 1: Strategic Planning and Risk Identification

[Diagram with two columns. COA as an Auditor: Strategic Planning and Risk Identification; Government Risk Identification; Government Risk Identification Template (GRIT); Planning: Agency Audit Planning and Risk Assessment. COA as an Agency: COA’s Annual Strategic Planning process; Annual Strategic Planning; Sector Strategic Action Plan (SSAP); Cluster/Regional Operation Plan (COP/ROP); GRIT.]

Phase 1: Strategic Planning and Risk Identification

► Government Risk Identification (GRI)
    ► Develop/update the Government Risk Model (GRM)
    ► Identify government risks
    ► Report the results of GRI

► Annual Strategic Planning
    ► Conduct Annual Planning Conference
    ► Develop Sector Strategic Plan
    ► Develop Cluster/Regional Operations Plan

Government Risk Identification
The objectives of this activity are as follows:

► To obtain high-level inputs from COA directors assigned in the audit of agencies
representing the three audit sectors and regions, and auditors performing
Government-wide and Sectoral Performance Audit (GWSPA) and Fraud Audit
► To have a common language of risk
► To have a unified thrust in government auditing

This activity will be conducted annually, supervised by the Assistant Commissioners and
attended by directors from the following sectors/offices:

► National Government Sector (NGS)
► Corporate Government Sector (CGS)
► Local Government Sector (LGS)
► Regional Offices
► Fraud and Investigation Office (FAIO)
► Special Audits Office (SAO)
► Information Technology Office (ITO)
► Technical Services Office (TSO)

Government Risk Identification

COA shall use the following as input in identifying government risks:

► COA direction
► Sector Strategic Action Plan
► SONA
► MTPDP/MTPIP
► Government Risk Model
► Sector risks
► Media releases and media reporting
► Fraud and geographic risks
► Government-wide and sectoral programs and activities
► Knowledge of the auditors

Government Risk Identification

Sample Government Risk Model

Tool 1 – GRM documents all the identified government risks and their corresponding definitions.

Strategic
► Planning and resource allocation: Organizational structure; Strategic planning; Operational planning; Budgeting; Forecasting; Resource allocation; Capital/fund availability; Operational model; Operational portfolio; Outsourcing
► Major initiatives: Vision and direction; Planning and execution; Measurement and monitoring; Technology implementation; Project evaluation; Change readiness; Climate change and sustainability initiatives; Education; Healthcare services delivery; Energy and water management (supply/distribution)
► Environment dynamics: Economic changes; Financial market; Sovereign/political; Customer/public wants; Technological innovation; Environment scan; Agency environment/industry; Sensitivity
► Market dynamics: Macroeconomic factors; Lifestyle trends; Sociopolitical; Technology changes
► Communication and public relations: Media relations; Public relations; Crisis communications; Employee communication

Operations
► Public service and operations: Customer/public satisfaction; Channel effectiveness; Cycle time; Service failure; Efficiency; Capacity; Performance measure/gap; Partnering/contracting; Citizen relationship management system and organization; Corruption and fraud
► People: Culture; Recruiting and retention; Development and performance; Succession planning; Knowledge capital; Compensation and benefits; Performance incentives; Health and safety
► Information technology: Information management; Security/access; Availability/continuity; Integrity; Infrastructure
► Hazards: Natural events; Terror and malicious acts
► Physical assets: Real estate; Property, plant and facilities; Maintenance and performance; Inventory

Compliance
► Mandate: Functions
► Governance: Board performance/Agency Management Committee; Tone at the top; Authority/limit; Control environment; Corporate social responsibility; Reputation
► Code of conduct: Ethics; Fraud; Employee/third party fraud; Illegal acts; Management fraud; Unauthorized use
► Legal: Contract; Liability; Intellectual property; Anticorruption; Legal
► Regulatory: Trade; Customs; Procurement; Road-right of way (RROW) Acquisition; Labor; Securities; Environment; Data protection and privacy; International; Product/service quality; Health and safety; Competitive practice/antitrust

Financial
► Market: Interest rate; Foreign currency; Commodity; Financial instrument; Public policies; Debt and fiscal policy
► Liquidity and credit: Cash management; Opportunity cost; Funding; Hedging; Credit and collections; Insurance; Foreign assisted loan
► Accounting and reporting: Accounting, reporting and disclosure; Internal control; Investment evaluation; Tax strategy and planning
► Capital structure: Debt; Equity; Pension funds


EY 2010 - Government and public sector risks

The top 10 risks for government and public sector

1. Failure to manage debt and fiscal policy
2. Unaffordable public policies
3. Inappropriate regulation
4. Reputation risk
5. Corruption & fraud
6. Delaying climate change and sustainability initiatives
7. Failures in health care services delivery
8. Inefficient level & coverage of education
9. Inefficient energy and water management supply/distribution
10. Ineffective citizen relationship management systems & organization

Government Risk Identification

Government Risk Identification Process Flow

[Diagram: Inputs → Identify Government Risks → Link risks to Agency/Programs/Activities. Inputs shown: COA Direction/SSAP; Fraud and geographic risks; SONA, MTPDP and MTPIP; Media releases and reporting; GRM; Industry/sector risks; Knowledge and prior audit reports. Agencies, programs and activities shown: Department of Public Works and Highways; Metropolitan Waterworks and Sewerage System; City Government of Navotas; Hunger mitigation program; Health sector development project.]

Government Risk Identification Matrix

The results of the Government Risk Identification activity are documented in the GRI Matrix. The risks identified are linked to the affected agency/programs/activity.

The GRI Matrix shall be cascaded to all audit clusters and concerned offices for inclusion in Agency Planning and Audit Risk Assessment.

Sample Government Risk Identification Template

GOVERNMENT RISK IDENTIFICATION TEMPLATE
For the year 20XX

Government Objective: Improve Fiscal Position - Create opportunities for private sector investment

Key Agency Risk
    Risk Category: Strategic
    Risk Title: Vision and Direction
    Risk Definition: Failure to establish a vision and direction for major initiatives, including services, products and programs that will drive future growth. Failure to establish project acceptance criteria and adequately measure against the criteria.

Basis of Selection: Included in SONA 2010

Name of Agency and Program/Activity:
► Department of Trade and Industry: Industry Development and Investment Promotion, Generation and Facilitation Services
► National Economic and Development Authority: Investment Programming Services

COA-wide Audit Risk Assessment

Report on the results of Government Risk Identification

The report on the results of Government Risk Identification contains/documents:

► GRI Template
► Minutes of the GRI activity
► Participants of GRI

The report shall be presented to and approved by the Assistant Commissioners and Commission Proper, and distributed to concerned sectors/offices.

Linkage of COA’s strategic planning process with IRRBAM

The outputs of the Annual Planning Conference will be the basis for the Sectors in developing their Sector Strategic Action Plans. Likewise, the IRRBAM will focus on the audit specific plans provided during the Annual Planning Conference and the Sector Strategic Planning. This will serve as their direction in the conduct of the risk identification.

Policy and standard

Policy/Standard | Description
ISSAI 100 | Basic principles in Government Auditing
ISSAI 200 | General standards in government auditing and standards with ethical significance
ISSAI 300 | Field standards in government auditing
ISSAI 1300 | Financial audit guideline – Planning an audit of financial statements
INTOSAI GOV 9130 | Guidelines for internal control standards for the public sector – Further information on Entity Risk Management
ISO/FDIS 31000:2009 | Risk management – Principles and guidelines
COA Memorandum No. 79-205 | Reiteration of unnumbered COA Memorandum dated May 8, 1978 re: Alignment/Coordination of all Projects/Programs of COA offices/Committees by the Planning, Financial & Management Office, July 6, 1979
COA Memorandum No. 95-051 | Preparation of a Consolidated Annual Report (CAAR) by Region and by Department
COA Resolution No. 2008-012 | 2008 COA Organization Restructuring
COA Memorandum No. 2009-028 | Implementing guidelines on audit operations under the 2008 COA organizational restructuring

Summary

Procedure | Sub-procedure | Reference Manual | Tools/Templates | Output
Government Risk Identification (GRI) | Develop/update the GRM | IRRBAM | Tool 1 – Government Risk Model (GRM) | Tool 1 – GRM
Government Risk Identification (GRI) | Identify government risks | IRRBAM | Tool 2 – GRI Template | Tool 2 – GRI Template
Government Risk Identification (GRI) | Report the results of GRI | IRRBAM | - | Report on the results of GRI
Annual Strategic Planning | Annual Planning Conference | PFMO Operations Manual | - | COA Direction/Strategic Plan
Annual Strategic Planning | Develop Sector Strategic Plan | PFMO Operations Manual | | Sector Strategic Action Plan
Annual Strategic Planning | Develop Cluster/Regional Operations Plan | PFMO Operations Manual | | Cluster/Regional Operations Plan

Integrated Results and Risk-based Audit Training
Day 1: Agency Audit Planning and Risk Assessment

November 4, 2010

Learning Objectives

► Describe the importance of audit planning
► Define the components of our Understanding of the Agency and complete the related documentation in IRRBAM
► Document and evaluate flow of significant processes, risk scenarios and related controls
► Define the factors for assessing audit risk in the conduct of financial, compliance and performance audits
► Identify factors to be considered in preparing our audit strategy
► Familiarize with the Forms and Templates for Agency Planning and Audit Risk Assessment

IRRBA framework

Integrated Results and Risk-based Audit Framework

[Diagram: Strategic Planning and Risk Identification; Planning (Agency Audit Planning and Risk Assessment); Delivery (Execution; Conclusion and Reporting); Monitoring.]

Note: Procedures for all audit services (Financial and Compliance, Agency-based VFM, Fraud) are integrated in all phases, except for the Execution phase.

IRRBA framework

PLANNING
► Agency Audit Planning and Risk Assessment

Activities:
► Prepare Agency Audit Work Plan
► Understand the Agency
    ► Understand the Agency Profile
    ► Understand Agency-Level Controls
► Identify Significant Agency Risks
► Understand the Process
► Conduct Audit Risk Assessment
► Develop Audit Plan
    ► Determine Audit Scope and Timing
    ► Determine need for specialized skills
    ► Prepare Audit Planning Memorandum

Understanding the Agency

By gaining an understanding of the Agency, we can:

► Develop more effective and efficient audit strategies
► Increase the value we deliver by providing timely communications
► Better manage COA’s risk by using the more comprehensive view of the agency’s audit risks in making decisions

Understanding the Agency

The audit team should have an understanding of each of the following components of our understanding of the Agency:

► Nature of the Agency
► Programs, Activities and Projects (PAPs)
► Agency’s goals, objectives and strategies
► Performance Indicators
► Stakeholders

We perform surveys to gain a better understanding of the agency, including its PAPs

Our understanding will enable us to make a preliminary assessment of significant or key areas and identify possible audit issues.

Understanding the Agency

Documentation: Understanding the Agency Template

Components obtained from AAF and APR:

• Environmental Factors
• Key Stakeholders
• Performance Indicators
• Ratio Analysis

What’s being introduced?

• Analysis of Mandate
• Significant Agency Processes
• Program/Activities/Projects Review
• Major Final Outputs

Understand Agency-Level Controls

5 Components of Internal Control:

1. Control Environment
2. Risk Assessment
3. Monitoring
4. Information and Communication
5. Control Activities

[Figure: COSO cube showing the five components across the Entity, Organization and Department levels.]

Understand Agency-Level Controls

Documentation: Agency-Level Controls Checklist

Update Agency Risk Model

► The Agency Risk Model (ARM) is a framework consisting of a list of agency-level risks which may hinder the achievement of the agency objectives, together with risk definitions.

► The Agency Risk Model (ARM) is similar to the Government Risk Model (GRM) except that the former is Agency-specific while the latter is a generic Risk Model for the whole government.

► ARM shall be customized per Agency by obtaining information from the UTA template and through inputs of head office and regional auditors.

► ARM shall be regularly updated to consider changes in the agency environment and new policies, laws, rules and regulations.

Identify Significant Agency Risks

The Agency Risk Model (ARM) provides a comprehensive list of the types of agency risks that could threaten an agency as a whole, or specific processes within the agency. The ARM supports the audit team in:

• defining key agency risks and improvement opportunities, and
• communicating key agency risks and improvement opportunities to management

Identify Significant Agency Risks

► Based on the data gathered from the Understanding the Agency and ALC and the results from the GRIT, we discuss with the engagement team our identified Agency Risks and select significant ones as focus areas in our audit.

► Identify significant agency processes affected by the significant agency risks.

The identified significant agency processes will be our focus in our Understanding of flow of significant processes in the next step.

Prioritize Significant Agency Risk

► After all the risks of an agency have been identified, the agency auditors shall prioritize those risks which are significant based on the risk rating provided.

► The significant agency risks identified will be summarized into the summary portion of the Significant Agency Risk Identification (SAgRI) Matrix.

► The risks identified as significant will be the audit team’s priority for their audit focus areas. The identified significant agency processes affected by the significant agency risks will be the focus of the Understanding of flow of significant processes in the next step.

► Criteria for the impact and likelihood will be developed by COA

Prepare Significant Agency Risk Identification Matrix

► In coordination with the regional supervising auditors, we shall prepare a Significant Agency Risk Identification (SAgRI) Matrix for the Agency as a whole.

► In preparation of the SAgRI, the following shall be identified:
    ► Agency Risks
    ► Basis of Selection
    ► Risk Rating (Impact, Likelihood and Overall Rating)
    ► Related Processes, Projects, Activities and Programs
    ► Risk Location
    ► Audit Response

Significant Agency Risk Identification Matrix

Case Study

Understand the Process

Steps:

► Identify Critical Path of the Process
► Identify Process Risks
► Identify Existing Controls
► Determine Impact
► Affected Accounts including Assertions
► Risk to PAPs objectives

Understand Flow of Significant Processes

► Identify Critical Path of Significant Processes

    ► We obtain our understanding by performing inquiry, observation and inspection procedures.
    ► Documentation of the flow is determined by the size and complexity of the processes subject for review.

      Documentation may be in narrative form or in graphical form through the use of process mapping flowcharts.

    ► We perform walkthrough to confirm our understanding of the flow of significant processes.

Understand Flow of
Significant Processes
► Identify Process Risks

Process Risks refer to points where risks of material misstatement,
due to error or fraud, can occur in the significant process.

► Identify Existing Controls

We identify relevant controls that address our identified risk
scenarios. If no controls are present, we inquire with agency
management for the reason of not having controls in place and
include it in our audit findings, as necessary.

► Identify Affected Accounts including Assertions
► Identify Risk to PAP objectives

Understand Flow of
Significant Processes
Documentation: Process-Risk-Control (PRC) Tool

Case Study

Planning Materiality

Documentation: Materiality Template

Assess Audit Risk:
Financial and Compliance
Step 1: Assess Inherent Risk

Inherent risk: The susceptibility of an assertion about a class of
transactions, account balance or disclosure to a misstatement that
could be material, either individually or when aggregated with other
misstatements, before consideration of any related controls.

[Figure: Inherent Risk scale, Lower to Higher]

Assess Audit Risk:
Financial and Compliance
► We consider the information we gathered in our Understanding the
Agency, Understanding of Agency-Level Controls and
Understanding of Flow of Significant Processes and use our
professional judgment in making our inherent risk assessment for
each relevant assertion.

► Factors that may affect our inherent risk assessment are as follows:
• Susceptibility to material misstatement
• Size and composition
• Variations from expected amounts
• Effects of external factors
• Competence and experience of agency personnel
• Degree of subjectivity
• Completion of unusual/complex transactions at or near period-end
• Transactions not subjected to routine processing

Assess Audit Risk:
Financial and Compliance
Step 2: Assess Preliminary Control Risk

Control risk: The risk that a misstatement that could occur in an
assertion about a class of transactions, account balance or disclosure
and that could be material, either individually or when aggregated
with other misstatements, will not be prevented, or detected and
corrected, on a timely basis by the agency’s internal control.

[Figure: Preliminary Control Risk, Rely or Not Rely]

Assess Audit Risk:
Financial and Compliance
Our preliminary assessment of control risk is based on the following:

• Information we obtained from prior periods’ engagements, if
available
• Results of our walkthrough in our understanding of flow of
significant processes

Assess Audit Risk:
Financial and Compliance
Step 3: Make overall financial and compliance risk assessment

Inherent Risk Assessment (rows) by Control Risk Assessment (columns):

Inherent Risk Assessment | Rely | Not Rely
Higher | Low | High
Lower | Minimal | Moderate

Assess Audit Risk:
Performance
For performance audit, we select from the agency’s PAPs by
considering the following selection factors:

• Financial Materiality
• Impact
• Risk to good management
• Significance
• Visibility
• Auditability
• Previous Audit Coverage

Information gained from the surveys we conducted in Understanding the
Agency will help us in assessing which PAPs or agency process will
be subject for performance audit.

Assess Audit Risk

Documentation: Audit Risk Assessment Template

Determine Audit Scope
and Timing
Our audit scope defines the boundaries and limitations of our audit. We
document our audit scope based on the results of our risk assessment.

In determining the timing of our audit tests (tests of controls and details),
we shall consider COA auditor’s other responsibilities such as, but not
limited to:

► Cash examinations to accountable officers
► Request for relief of accountabilities
► Issuance of disallowances
► Pre-audit activities

Prepare Audit Planning
Memorandum
At a minimum, our Audit Planning Memorandum contains the following:

► Our audit focus areas with regard to Financial and Compliance, and
Performance Audits and our planned audit approach (nature and
extent of audit procedures) including timing.

► Our documentation of Professionals with specialized skills needed for
the audit and the scope of work to be performed.

► Our documentation of Other Material accounts to be subjected to
High-level precision analytics.

Prepare Audit Planning
Memorandum
Financial and Compliance

• We determine the overall audit risk assessment for each assertion of
each significant account.
• Based on the overall risk assessment, we determine the audit
approach and our estimated timing for execution of the audit
approach.

Prepare Audit Planning
Memorandum
Performance

Significant PAPs | Basis for Selection | Focus Area | Audit Aspect

• We determine the significant PAPs subject to performance audit.
• We determine the audit approach by defining our audit objectives for
the performance audit. Audit objectives identify the aspect of the
performance audit (e.g. economy, efficiency or effectiveness).
• We also include the audit scope for the performance audit.

Prepare Audit Strategy

Documentation: Audit Planning Memorandum

Course Summary
► Describe the importance of audit planning
► Define the components of our
Understanding of the Agency and complete
the related documentation in IRRBAM
► Document and evaluate flow of significant
processes, risk scenarios and related
controls
► Define the factors for assessing audit risk in
the conduct of financial, compliance and
performance audits
► Identify factors to be considered in
preparing our audit strategy
► Familiarize with the Forms and Templates
for Agency Planning and Audit Risk
Assessment

Questions?

Thank you!

[Flowchart: Phase 1 (Govt-wide Strategic Planning, GRIM) followed by the Phase 2 steps: Understanding the Agency (UTA); Understanding ALC; Agency Risk Identification and Identify Significant Agency Risk; Identify Significant Processes/Program; Process-level Understanding: Understand Flow of Significant Process/Program (PRC); Identify Significant Accounts and Planning Materiality; Audit Risk Assessment: Financial & Compliance, and Performance (Audit Risk Assessment Part I and Part II); Phase 2 Output: Prepare Audit Planning Memo.]

Integrated Results and Risk-based Audit Training
Day 3: The significance of auditing for effective public
sector governance

November 8, 2010

DRAFT

Outline

► Trends in auditing
► Public sector governance
► Governance principles vital to the public sector
► Role of government auditing in advancing good
governance
► Oversight, insight and foresight
► Key elements of governance-friendly public sector audit


Conventional wisdom

► Traditional audit operated within a narrow frame of
reference, concentrating more on probity and regularity,
as well as on fraud detection. The focus:
► appraisal of transactions, their correctness and conformity with the
relevant policies and regulations.
► compliance with established procedures,
► whether the agency’s assets were properly safeguarded and
whether financial recordkeeping was being truthfully maintained.
► The current conventional approach is that audit should put
the spotlight on the agency’s operating structure and its
internal control environment.


The new trend

► Today, without abandoning these “regular” functions,
auditors are increasingly directing audit resources to
those government aspects that present the greatest risk to
the operational need of agencies
► (1) to be accountable to their publics or clients, and
► (2) to effectively deliver services required under their
organizational mandates.


The new trend

► As government has embraced a broad set of reforms in
order to make itself responsive, professionally competent,
and coherent, the key is to put at center-stage those
agency governance functions that need to be
backstopped by a reliable and supportive audit function.
► Assisting agencies in improving governance is therefore a
strategic priority of an auditing agency as an
accountability institution itself.


Public sector governance

► Generally, governance can be seen as the exercise of
economic, political and administrative authority to manage
a country's affairs at all levels.
► Public sector governance includes the policies and
procedures used to direct the government’s resources to
offer a realistic guarantee that objectives are fulfilled, that
operations are carried out in an accountable and
responsible manner, and that the interests of its various
stakeholders are protected.


Performance and conformance

► But from an audit point of view, good governance
happens when a government agency that is the subject of
audit has in place structures and processes that ensure
both
► good performance (capacity to deliver goods and services
effectively and efficiently) and
► good conformance (capacity to meet the requirements of law as
well as the standards and public expectations of probity,
accountability and transparency).


Good and poor governance

► When governance is good, it means the agency is
allocating its resources wisely and fairly, and that it is
doing its job in an open and transparent manner, which in
turn is indispensable for building and sustaining public
confidence in government.
► When governance is poor, it means that the agency is
involved in activities that impair the equitable provision of
services, reduce government credibility, and provide
opportunities for inappropriate behavior, thus increasing
the danger of public corruption—the wrong use of
entrusted power for private gain.


Public sector vs. private sector

► Private sector: profit motive, competitive attitude that
benefits both suppliers of goods and services and their
consumers, market forces at work
► Public sector: public service only quandary (which impairs
incentives to perform well), in an environment where
political (rather than market) forces are at work.


Coercive powers

► To deliver services, government must partly rely on its
coercive powers—regulatory, taxation, police—over
businesses and consuming citizens.
► Hence, government must enact safeguards to guarantee
responsible use of those powers in performing its
functions.


Constraints on power

► In an open, democratic system, citizens can benefit from
constraints on power, and from accountability measures that
make certain government officials use resources and
authority fairly and impartially.
► Strengthening accountability institutions such as audit
agencies, anticorruption commissions, and the judiciary is
fundamental in a political system in which citizens entrust
the government with such powers and duties.

Governance principles vital to the
public sector
► Accountability
► Predictability
► Transparency
► Probity
► Equity


Accountability

► Accountability is essential to make public sector
entities, and the individuals within them, answerable for
their decisions and actions, especially their stewardship of
public resources and all aspects of agency performance.
► The resources that public employees use are held in trust;
these resources are not privately owned.
► A government agency demonstrates stewardship by
maintaining or improving its capacity to efficiently and
effectively manage public resources.


Accountability

► Accountability also means
► quickness to respond to the entity from which they draw their
power and
► willingness to submit to external scrutiny—which suggests that
public audit is a vital link in the chain of accountability.


Accountability

► Oversight mechanisms such as audit covenants reinforce
answerability, both upwards to the elected or appointed
officials who provide resources, and outwards to the
consumers and beneficiaries, taxpayers and the wider
community at large.
► The accountability of public sector institutions is made
possible by an evaluation of their performance.
► Economic accountability relates to the efficacy of policy
formulation and implementation, and efficiency in
resource use. Financial accountability covers accounting
systems for expenditure control.


Predictability

► Predictability refers to the continuity of laws,
regulations, and policies; and their fair and consistent
application.
► Rules and regulations encompass rights and duties, as
well as mechanisms for enforcing them in an unbiased
manner.
► It requires the state and its subsidiary agencies to be as
much bound by, and answerable to, the legal system as
are private individuals and enterprises.


Predictability

► Legal frameworks help ensure that risks can be assessed
rationally, transaction costs are lessened, and
governmental arbitrariness is diminished.
► In the opposite scenario, the capricious application of
rules generates uncertainty and inhibits performance.
► Certainty in public policy making is also important.
Government needs to react flexibly to changing
circumstances and to make midcourse adjustments and
fine-tuning.


Predictability

► Predictability can be enhanced through appropriate
institutional arrangements. Granting greater autonomy to
audit institutions is one way that government can signal to
the public that policy-making and implementation will be
evenhanded, sensible and sound.


Transparency

► Transparency refers to the availability of information to
the general public and clarity about government rules,
regulations, and decisions.
► It includes appropriate disclosure of key information to
stakeholders and audit institutions so that they have the
necessary facts about government’s performance and
operations.


Transparency

► Although the public’s interest is sometimes served by
protecting information from revelation—such as instances
where national security, criminal investigations, or
intellectual property rights would be compromised—the
transparency of government actions plays a significant
role in public oversight.
► Independent reviews ensure that government actions are
ethical and lawful, and that financial and performance
reporting accurately reflects the true measure of
operations.


Transparency

► Thus, accurate and timely information about government
policies should be freely and readily available to
auditors—especially financial aspects that are intrinsically
information intensive.
► Transparency can help restrain corruption among public
officials.
► External scrutiny and audit is immensely helped by rules
and procedures that are simple, straightforward, and easy
to apply, and impaired by those that provide discretionary
powers to government officials or that are susceptible to
different interpretations.


Probity

► Probity means acting impartially, ethically—maintaining
high standards of propriety—and not misusing
information or resources.
► If public information and actions are not trustworthy and
consistent, the resulting erosion of public trust undermines a
government’s legitimacy and capacity to govern.
► Having an effective control framework in place, abiding by
appropriate legislation, regulations and policies and inculcating
high standards of professionalism at all levels within government
strengthen expectations for probity.


Equity

► Equity relates to how fairly and evenhandedly
government officials exercise the power entrusted to
them. Good governance implies a commitment to
fairness and impartiality in the allocation of resources.
► When government services are of poor quality,
inaccessible or unaffordable, poor recipients lose.
► Indicators for bad governance include lack of attention to
equalizing policies and strategies in delivering direct services such
as transportation infrastructure, public education, and health, as
well as indirect services such as financial stewardship and human
capital management.


Equity

► Failure to tackle corruption, another hallmark of bad
governance, has particularly damaging consequences for
those with little access to government goods and services.
► Other instances of inequitable governance include
► uneven application of taxes and fees charged by the government;
► misuse of government’s coercive powers of arrest, property
seizure and regulatory process; and
► inequitable access to government information.


Principal-agent problem

► The public sector is often troubled by the so-called agency
problem, which gives rise to a principal-agent relationship.
► Government managers act as agents on behalf of
► the public (in the case of regular government entities) or
► stakeholders (in the case of government corporations), as
principal(s).


Principal-agent problem

► The principal can act more effectively through the agents
than directly, and must construct incentive schemes to get
them to periodically account to the principal for their use
and stewardship of resources and the extent to which the
public’s objectives have been accomplished.
► The arrangement works well when the agent is an expert
at making the necessary decisions, but doesn't work well
when the interests of the principal and agent differ
substantially or when the actions of the agents may not be
observable.


Consequences of principal-agent problem

► 1. Moral hazard: There is conflict of interest when agents
may use their resources and authority to benefit their own
interests, rather than the principal’s interests.
► 2. Remoteness: Operations may be physically removed
from the principal’s direct oversight.
► 3. Complexity: The principal may not possess the
technical expertise needed to oversee the activity.
► 4. Consequence of error: Mistakes may be costly when
agents are stewards of large amounts of resources and
are responsible for programs affecting citizens’ lives and
health.


Audit reduces the agency problem


► A third party decreases the risks in a principal-agent
relationship. External audit supplies the principal with an
independent, objective evaluation of the accuracy of the
agent’s accounting of his/her uses of the agency’s
resources.
• The auditor’s findings allow the principal to
verify whether the agent’s actions are in
accord with the principal’s wishes.
• Third party intervention bears out the
trustworthiness of the financial reporting,
performance results, compliance, and other
measures.

Role of government auditing in
advancing good governance
► The government audit agency role is anchored on the
governance responsibilities of oversight, insight, and
foresight.
► Oversight addresses whether government departments are
doing what they are mandated to do and serves to detect
and deter public corruption.
► Insight assists decision-makers by providing an independent
assessment of government programs, policies, operations,
and results.
► Foresight identifies trends and emerging challenges.
Auditors employ tools such as financial audits, performance
audits, and investigation and advisory services to fulfill each
of these roles.


Oversight

► Oversight —“Has the policy been put into action as
intended?”
► Here, auditors test out whether government entities are
spending funds for the intended purpose, and complying
with laws and regulations.
► Audits focusing on oversight assess whether government
managers are putting in place effective controls to
minimize risks.


Oversight

► Auditors validate agencies’ and programs’ reports of
financial and programmatic performance and test their
faithfulness to the organization’s rules and aims (in
support of the governance structure).
► They make available this performance information to
relevant principals—elected officials and managers who
are responsible for setting direction, defining
organizational objectives, and establishing effective
controls—within and outside of the agency under audit
(thus contributing to public accountability).


Oversight

► Oversight also allows government auditors to detect
and deter public corruption, including fraud, inappropriate
or abusive acts, and other misuses of the power and
resources entrusted to government officials.


Oversight: Detection

► Detection is intended to identify improper, inefficient,
unlawful, deceitful, or offensive acts that have already
come to light and to gather proof to support decisions
regarding criminal prosecutions, disciplinary actions, or
other remedies.


Oversight: Detection

► It can take the following forms:
► Investigations based on suspicious circumstances or complaints
that include specific procedures and tests to identify fraudulent,
wasteful, or abusive activity. Discovery may also arise from red
flags that appear during the course of an audit initiated for
unrelated reasons.
► Cyclical audits, such as payroll, accounts payable, or information
systems security reviews that examine an agency’s disbursements
and/or related internal controls.


Oversight: Detection

► It can take the following forms:
► Audits requested by Congress or law enforcement officials that
scrutinize intricate financial statements and transactions for use in
investigating and building evidentiary cases against perpetrators.
► Reviews of potential conflicts of interest during the development
and implementation of laws, rules, and procedures.


Oversight: Deterrence

► Deterrence seeks to recognize and reduce the conditions
that breed corruption.
► Preventive action can take the following forms:
► Assessing the effectiveness of management’s internal control
structure.
► Assessing organizational risks.
► Reviewing proposed changes to existing laws, rules, and
implementation procedures.
► Reviewing contracts for potential conflicts of interest.


Oversight: Combating corruption

► Auditors often find it hard to play an effective role in
combating corruption because in many cases corruption is
distinct from fraud as it does not leave any telltale signs in
the records of an organization.
► Muhammad Akram Khan (Role of Audit in Fighting
Corruption, 2006) tells why:
► “Corruption auditing” differs from “fraud auditing”. Corruption is a
highly multifaceted phenomenon. Most of the corruption takes
place “under the table” or under the dark cover of isolated
contacts.
► Audit is only one mechanism in a situation that requires an all-
around offensive.


Oversight: Combating corruption

► Khan (2006):
► If auditors cannot quantify corruption or report the actual
event of corruption, they can indicate the existence of
opportunities for corruption, which in turn can become
basis for corrective, forestalling action by government.
► For instance, the discretionary powers of public
functionaries often induce occasions for rent-seeking.
The key for auditors is to insist on public disclosure of
guidelines for the use of discretion or personal judgment
in decision-making.


Oversight: Combating corruption

► Khan (2006):
► If the auditors are auditing procurement, they should map
out the total procurement cycle and then try to see,
theoretically, what could be the chances for sleaze that is
opened up by the agency’s rules and procedures.


Oversight: Combating corruption

► Khan (2006):
► A list of such possibilities constitutes an inventory of
corruption opportunities—giving the auditors a framework
for further focus during the audit process. The method of
building this list is to look for certain indicators of
corruption.
► Once the auditors have the inventory, they should apply a
corruption opportunity test, to determine if the actual
circumstances prevailing in the organization are
conducive to corruption and if so, to what extent.


Oversight: Combating corruption

► Khan (2006):
► New auditing methodologies may also help. Participatory
auditing is one option—the possibility of involving the
clients or general public in ascertaining if there was a
proper delivery of the public services.
► This is a major departure from the traditional approach
where the auditors are not supposed to go “beyond the
books”. The auditors may come across independent
assessments by the users, who can lift the veil on any
dishonesty that may have gone into the whole process.


Oversight: Combating corruption


► Khan (2006):
► Corruption indicated by lack of economy:
► Cost overruns as a result of subsequent increase in the scope of
work which has not been approved by the competent authority.
► Poor accountability for exceeding the budget, with the government
manager getting away with it.
► Repeat orders for high priced procurement of goods and services,
► Contrived bidding failures to help a specific vendor get the award
of the contract; hike in prices not originally conceived in
competitive bidding; rush procurement at the year-end to consume
the budget.
► Friends, relations or front men of decision-makers purchasing the
public asset in cases of privatization.
► False data or false assumptions led to selecting a particular project
or program.

Oversight: Combating corruption


► Khan (2006):
► Corruption indicated by lack of efficiency
► Disproportionately high expenditure on maintenance; neglected
regular maintenance as infrastructure is allowed to deteriorate
while new projects are being planned.
► Abnormal time-overrun (over and above a reasonable figure
adopted as audit criteria) accepted and regularized by the
management as beyond control.
► Repeated change orders leading to changes in the scope of work
and prices to be paid.
► Overload of controls, or existence of complicated procedures
leading to delay in delivery of service and inducing the clients to
offer bribes.
► Absence of any service delivery benchmarks and excessive time
taken for issuing licenses and permits.

Oversight: Combating corruption

► Khan (2006):
► Corruption indicated by lack of effectiveness
► Absence of well-articulated, measurable or quantified performance
indicators.
► Actual internal rate of return (IRR) significantly lower than
anticipated.
► High level of dissatisfaction of clients with the delivery of services.
► Bureaucratic barriers to reach the senior management for
protesting against poor quality of service; no reliable complaint
handling mechanism.


Insight

► Insight — “Has the policy brought about the targeted
results?”
► Here, auditors assist decision-makers by assessing which
programs and policies are running effectively and which
are not, sharing best practices and benchmarking
information, and looking horizontally across government
organizations (sector-wide audit) and vertically between
the levels of government to find opportunities to borrow,
adapt, or re-engineer management practices.


Insight

► Auditing helps institutionalize organizational learning
through constant feedback to fine-tune policies.
► Insightful auditors, by conducting their work
systematically, develop a detailed understanding of
operations and draw conclusions based on evidence.
► The end result is a methodical description of problems,
resources, roles, and responsibilities that, combined with
practical recommendations, can encourage stakeholders
to rethink issues and consequently enhance the capacity
of government and the public to deal with similar
problems.


Foresight

► Foresight —“What policy revisions or execution would
meet a future need or risk?”
► Auditors can help government agencies look forward by
identifying trends and bringing awareness to emerging
challenges before they turn into crises or unmanageable
situations.
► The audit activity can highlight challenges to come—such
as from demographic trends, economic conditions, or
changing security threats.


Foresight

► Auditors can identify long-term threats and opportunities
emerging from rapidly evolving technological changes, the
complexities of modern society, and changes in the
economy.
► These issues often receive low priority for attention where
scarce resources drive more short-term focus on urgent
concerns.


Foresight: Risk-based auditing

► As well, a regular audit approach—risk-based auditing—
focuses the review on the organization’s overall risk
management framework, which can help identify and
prevent intolerable risks.
► Risk is defined by the combination of the probability of an
event occurrence and its consequences. The public sector
perceives risk as an event or situation of exogenous or
endogenous nature of a public entity which can interfere
with the accomplishment of its missions, and endanger its
staff’s safety.
► Risks should not necessarily be avoided or ignored, as
there is no such thing as a risk-free environment.


Foresight: Risk-based auditing

► Risk-based auditing supplies practical and relevant
information to the agency for managing its risks—ensuring
that government resources are utilized effectively to
address the agency’s exposure to the following:
► Strategic risks (failure to take the agency’s direction, or reach its
objectives and targets)
► Commercial risks (failed contractual relationships)
► Operational risks (inadequate human resources, physical damage
to assets or threats to physical safety)
► Technical risks (equipment failure)
► Financial and systems risks (fraud)
► Compliance risks (breach of regulatory obligations).


Foresight: Risk-based auditing

► Agencies often confront risks that considerably influence
other threats (such as insufficient staff skills or low morale
that influence the risk of losing key customers).
► In the chain of perceived or real risks, a risk that does not
look significant in isolation may be a weak link that could
have significant flow-on impact.
► As whole-of-government approaches become more
common, agencies need to understand state-wide risks,
and to pay more attention to identifying and managing
them.


Foresight: Risk-based auditing

► Each of the following state-sector risks calls for a different
response:
► Agency-level risks (such as the risks above) that can have wider
implications because of their scale and significance.
► Interagency risks, which if unmitigated by one agency, become
risks for other agencies.
► Statewide risks, which are beyond the boundaries of any one
agency and call for a response across agencies coordinated by a
central authority (such as disasters and other emergencies).


Foresight: Risk-based auditing

► Risk management also assesses the risk appetite of the
organization. That is to say, there should be a balance
between risk-taking and risk-aversion in dealing with
opportunities.
► Effective internal control is the major mechanism to treat
risk. The appropriate controls involved can be either
detection-oriented or preventive. As governmental,
economic, industry, regulatory and operating conditions
are in constant change, risk assessment should be an
ongoing iterative process.


Foresight: Risk-based auditing

► Integrating risk into governance structures: An agency
with risk management integrated into governance
structures and strategic management would:
► apply risk management as an integral part of its strategic and
business-planning considerations, and at all critical levels of the
organization;
► explicitly incorporate indicators of risk and risk management into
its governance and management structures;


Foresight: Risk-based auditing

► Integrating risk into governance structures: An agency
with risk management integrated into governance
structures and strategic management would:
► ensure its board and/or executive management are properly
informed of the agency’s risk exposures, confirm that suitable and
functioning risk management strategies are in place, are fully and
directly involved in setting and reviewing the risk management
strategies, and in the case of government corporations, force onto
the risk agenda regulatory corporate governance requirements
such as the separation of the roles of chairman and chief
executive.


Foresight: Risk-based auditing

► Integrating risk into governance structures: An agency
with risk management integrated into governance
structures and strategic management would:
► have good methods to set out the objectives to manage its risks
and desired outcomes, and allocate sufficient resources to risk
management, taking into account the nature and level of the
identified risks and the size of the organization.

Key elements of governance-friendly public sector audit
► Audit interacts with those aspects of governance that are
crucial in the public sector for promoting credible
commitment, equity, and appropriate behavior of
government officials.
► There are several fundamental principles which underline
public audit:
► The independence of public sector auditors;
► Regularity (or legality), propriety (or probity) and value for money;
and
► The ability of public auditors to make the results of their audits
available to the public, to higher appointed authorities, and to
democratically elected representatives.


Organizational independence

► Organizational independence, guaranteed by statute,
allows the audit activity to conduct work freely and without
intrusion or obstruction by the entity being audited.
► Confidence in auditing rests to a great degree on the
autonomy and objectivity of the auditor. Independent-
minded auditors should be able to make their evaluation
and reporting without fear or favor whilst paying due
regard to statutory requirements, public expectations and
professional standards (such as for competency, behavior
and due diligence).


Organizational independence

► Auditors must have complete and unrestricted access to
employees, property, and records under the control of the
audited body.
► They must have sufficient funding relative to the size of
the audit responsibilities.
► They should be prepared to recognize and report
corruption, misuse of authority, or failure to provide equity
or due process in the exercise of a governmental police or
regulatory activity.


Organizational independence

► Because such reporting may challenge powerful or
entrenched interests, auditors have need of some
measure of job protection.
► Public sector auditors are of course themselves
accountable for their performance and are duty bound to
undertake their work in a professional, objective and cost-
effective manner and with due regard to the needs of the
organizations they audit.


Regularity, propriety and value for money

► Regularity: Public audit must ensure that financial
transactions comply, where appropriate, with the
legislation that authorizes them; regulations issued by a
body with the power to do so; and Congressional
authority.
► Propriety: Public audit helps ensure that public bodies
meet their statutory and ethical duties to the public and
other stakeholders in an open and even-handed manner.


Regularity, propriety and value for money

► Value for money: Public audit must therefore include
examinations of the economy, efficiency and effectiveness
in the use of public resources, including the evaluation of
service quality and the measurement of performance in
order to ensure that government agencies make the best
use of the resources at their disposal.


External reporting

► External reporting — Public auditors account for the
results of their audits to the representatives of the public
or directly to the public themselves where it is in the public
interest to do so.
► The legitimacy of the audit activity and its mission should
be understood and supported by a broad range of elected
and appointed government officials, as well as the media
and involved citizens.
► Reporting completes the cycle of accountability.


Other governance-related factors

► Competent leadership and staff. The chief audit
executive should be an articulate public spokesperson for
the audit activity.
► Public audit also requires a professional staff that as a
group has the necessary qualifications and competence to
conduct the full range of audits required by its mandate.
► Auditors must meet the minimum terms for continuing
education established by relevant professional
organizations and standards.


Other governance-related factors

► Professional audit standards. Professional audit
standards provide a framework to promote quality audit
work that is systematic, objective, and based on evidence.
Auditors should conduct their work in accordance with
recognized standards.


Other governance-related factors

► Making use of the work of others, such as internal
auditors. It is common for the audit of government
departments to need to draw on evidence from other
bodies in the public, private or voluntary sectors which
undertake functions on behalf of the body being audited.
► It would be neither cost-effective nor fair and reasonable
for all the agencies in the expenditure chain, from the
funding to the delivery of services, to be constantly
subjected to several layers of audit, each addressing its
own reporting requirements.


Other governance-related factors

► Efficiency requires that public auditors seek to maximize,
both in their audit of financial statements and their value
for money work, the use they make of the work of others
such as internal auditors, regulators and audit committees
of government corporations.
► Indeed, public sector auditors should explore ways to
work together with other assessors across the audit
range, from financial audit to performance examinations.


Parting shot

► There has to be ownership of good governance principles
and a real desire at the highest political level to achieve
progress in ensuring that resources are directed to those
areas where policy decisions indicate that they should go.
The auditor’s own work must reflect the same principles of
transparency, equity, and probity that are expected of
governments.


Questions?


The perfect companion on any government official’s desk


Thank you!



Integrated Results and Risk-based Audit Workshop
Day 3: The role of OPIF in public sector
performance audit
November 8, 2010

Draft
Starting point: the right scope

○ The starting point in the performance audit planning process is
selecting the right scope for audit, given the multitude of government
activities.
○ This requires good knowledge of the government agency’s business or
sector of action and how it contributes to government’s strategic
ends.
○ If the breadth and depth of audit fail to address the government’s
major final outputs and outcomes, all the audit effort that follows will
have little chance of generating better managed government
programs, better state accountability to the public and an ethical and
effective public service.

OPIF as ‘compass’

○ The Organizational Performance Indicator Framework, or
OPIF, provides an important “compass” in deciding the
content and substance of performance audit.
○ OPIF is a systematic approach to planning that seeks to
align the tasks government agencies are funded to do
(i.e., the goods and/or services they provide to external
consumers or end-users) with the desired outcomes,
objectives or goals that the government hopes to achieve
or influence in critical societal areas such as health,
education, economic well-being, law and order, and
environmental sustainability.

Links with OPIF: a preview

► The audit planning process involves several layers
of activity that interrelate with OPIF in a complex
manner before an audit begins. These include
○ the recognition of external trends and strategic risks
facing government instrumentalities;
○ the defining of output or “product lines”, functional areas
and sectors to be reviewed over time; and
○ the choice of agency programs or activities to be
examined.

The drivers

► Typically, these are driven by the relevance of
performance audit to
► the government agency’s mandate,
► the major risks associated with the agency’s mission, and
► auditability (or inability to carry out the audit, as in the
case of societal outcomes where suitable criteria are not
available to assess performance).

Emphasis on risk-based planning

► Risk-based audit planning is emphasized at the
outset because of the crucial role it plays in
ascertaining how well a government agency is
responding to key challenges, opportunities and
critical success factors that shape the
accomplishment of government objectives and the
discharge of stewardship responsibilities for public
resources and assets.

Outcome orientation: twinning of performance audit and OPIF
► In the past, many audits were driven by control and
process concerns rather than added-value considerations
in assessing public sector performance.
► The current trend is toward a more outcome-based audit.
The need of government to achieve more concrete results
in societal goals such as poverty reduction, full
employment and education for all is shifting the emphasis
of public sector audit, in recent years, to pay more
attention to results.

Not ‘by the book’

► Performance auditing by nature is not a regular
audit with “by the book” opinions. The auditor might
not have to confront a traditional, rule-bound
situation.
► This type of audit looks at the outputs or outcomes
first and avoids conducting a premature scrutiny of
the details of the methods or processes, making the
audit procedure more cost-effective.
► This presumes that indicators are on hand to gauge the quality,
quantity and cost of the outputs.

The challenge: policy-linked audit

► Auditors must understand policies amenable to
audit effectively, and results-oriented auditing
inevitably brings performance auditing closer to
policy matters.
► They must have the expertise to check
○ (1) whether agency practices comply with policy expectations (for
example, extent of compliance with enacted policy on service standards);
○ (2) the sufficiency of the agency’s cost-benefit analysis on which a policy
or program is based;
○ (3) opportunities to fill policy gaps (for example, the need for a
government-wide policy on emergency preparedness); and
○ (4) the need to update or improve existing policy (for example, the need
for a new directive for national security).

Caveats

○ Performance audit should confine itself to examining
policy implementation and not to throwing the
development of policy into doubt.
○ Auditors may evaluate the clarity of the grounds for setting the
objectives.
○ Also: the risks of mandate concerns proportionately get
bigger as policies get broader.
○ It is easy enough to deal with departmental administrative policies
(such as service delivery procedures), but the stakes grow to be
larger with program policy goals (such as fisheries conservation
policy, healthcare policy) as well as national policy goals (such as
reducing poverty).

No second-guessing
► OPIF provides a good platform for auditors not to
second-guess the strategic intentions of
government, when government selects a certain
policy direction.
► Departments and agencies are now required to
define results commitments in their corporate plans
and to report goals and actual performance
annually. These provide excellent points of
reference for results-oriented auditing.
► The corporate plan details the operating environment,
business conditions and planned process improvements
for delivering MFOs and sub-outputs.
Role of DBM

○ DBM, the implementor of OPIF,
○ acts as the agent for government in negotiating
performance contracts with the departments and
agencies, and
○ assists them in linking the goods and services that they
deliver—the major final outputs (MFOs)—to the results
they have committed to (organizational outcomes,
sectoral and societal goals).

Crossover between OPIF and audit

► The key features of OPIF embody a clear crossover
between a results-oriented performance framework
and a results-based audit perspective.
► These include:
○ (1) a shift of emphasis in department/agency
accountability towards outputs and results (outcomes)
measured against performance indicators,
○ (2) clarification of expected performance and
accountability of departments/agencies through these
results,

Crossover between OPIF and audit

► The key features of OPIF embody a clear crossover
between a results-oriented performance framework
and a results-based audit perspective.
► These include:
○ (3) focus on the delivery of outputs relevant to the
results/outcomes specified in agency mandates,
○ (4) establishment of an integrated performance
management system in which performance targets zero in
on the efficiency of departments/agencies in delivering
their MFOs, and
○ (5) reporting to the public and to Congress in clear terms
the outcomes achieved.

E3

► Both OPIF and performance audit deal mainly with
questions such as: “What has been the upshot of
the agency’s performance, and have the
requirements or the objectives been fulfilled?”
► In this approach, the inquiry centers on
performance (concerning economy, efficiency, and
effectiveness) and relates observations to the given
norms (goals, objectives, regulations).

A striking similarity

Performance Audit | OPIF
Economy – minimizing the cost of resources used for an activity, having regard to appropriate quality | Fiscal discipline – living within the means (resources) available to the Government
Efficiency – producing similar results with fewer resources or better results with the same resources | Allocative efficiency – spending money on the “right things” or “right priorities”; Operational efficiency – obtaining the best value for the money or resources available
Effectiveness – achieving the stipulated aims or objectives by the means employed and the outputs produced | Effectiveness – success of process and outputs in delivering societal and sectoral changes

Audits of efficiency, economy

► At the very basic level, auditors try to answer the
question “Are things being done in the right way?”,
that is, whether policy decisions are being carried
out properly.
○ Normative outlook — the auditor wants to know whether
government officials have observed the rules or the
requirements.

Audits of efficiency, economy

► Audits of economy:
○ Do the means chosen or the equipment obtained—the
inputs—represent the most economical use of public
funds, consistent with the quality needs of the program?
○ Have the human, financial or material resources been
used cost-effectively?
○ Are the management activities performed in accordance
with sound administrative principles, contract
requirements, acceptable standards, and good
management policies? In short, has the agency kept the
costs low?

Audits of efficiency, economy

► Audits of efficiency:
○ Have agency resources been put to optimal or suitable
use, or
○ could identical results in terms of quality and turn-around
time have been achieved with fewer resources?
► Auditors examine productivity, unit cost, or
indicators such as utilization rates, backlogs, or
service wait times.
○ In short, has the agency made the most of available
resources?

OPIF approach to efficiency

○ The OPIF approach to performance management
displays the same adherence to efficiency and economy:
optimal use of resources to achieve intended outcomes
with the lowest possible costs.
○ The focus is on allocative efficiency (in terms of national
and sector goals and organizational outcomes) in the
execution of the budget, but also on the operational
efficiency of departments/agencies in the provision of
services (and, in some cases, goods) for the purpose of
achieving the desired government goals and outcomes.

Audits of effectiveness

► The scope for analysis becomes considerably wider
when a second-order question—whether the right
things are being done—is asked.
► This line of inquiry refers to effectiveness or impact
on society—whether the adopted policies have
been suitably put into service or whether ample
means have been utilized to achieve the
predetermined aims.

Audits of effectiveness

► There are two parts to the issue of effectiveness:
○ if the policy objectives have been achieved, and
○ if the impacts observed are really the upshot of the policy
rather than other circumstances (It is here where a
chosen measure to achieve a certain objective runs the
risk of being contested).
► Effectiveness audits are also on the lookout for
unintended consequences or spillover effects (such
as environmental degradation resulting from
economic policy).

Audits of effectiveness
How audit perspectives enter into an effectiveness
model:

Audits of effectiveness

► In assessing effectiveness, performance auditing
may ask whether
○ (1) government programs have been effectively designed,
whether the means provided (legal, financial, etc.) are
proper, consistent, suitable, or relevant;
○ (2) the program supplements, duplicates, overlaps, or
counteracts other related programs;
○ (3) the quality of the public services meets the public’s
expectations or the stipulated objectives;

Audits of effectiveness

► In assessing effectiveness, performance auditing
may ask whether
○ (4) the system for measuring, monitoring and reporting is
adequate;
○ (5) the observed direct or indirect social, economic and
environmental impacts of a policy are due to other
causes; and
○ (6) alternative approaches can yield better performance or
eliminate factors that inhibit program effectiveness.

OPIF approach to effectiveness

► OPIF effectiveness measures rest on the same
underpinnings as those of performance audit.
► OPIF seeks to measure the effectiveness of the
agency’s outputs in delivering societal and sectoral
changes.
► OPIF measures of effectiveness (as well as of efficiency
and economy) begin as part of a budget proposal, and
attain official standing or legislative base once the
government budget is passed by Congress. Once they
reach this stage, government agencies can prepare a
blueprint of how these criteria will be used when policy
goals, programs and projects are implemented.

Identical results-based approach

Both OPIF and performance audit follow the same
input-throughput-output-outcome cycle:

[Figure: the cycle, labelled ECONOMY, EFFICIENCY, EFFECTIVENESS]

Crossing agency lines

► Public sector activities and projects often cross agency lines.
The types of performance audits are
○ (1) agency or program audits—substantive review of the whole or part
of the operations of an agency;
○ (2) government-wide audits—focus on cross-sectional issues or
functional areas, such as procurement, in a number of departments;
and
○ (3) sectoral audits—focus on program areas delivered by a number of
agencies, for example, disaster mitigation operations.
► In a similar vein, OPIF is carried out singularly in specific
agencies, or jointly across sectors (e.g., education, health,
agriculture, science and technology).

Understanding the agency

► Regardless of the size and nature of the subject, it
is important for the audit team to understand “the
big picture”.
► Performance audit begins by having a good grasp
of department/agency objectives, expected results,
and stewardship responsibilities.
► The audit team then identifies the major threats and
opportunities that may affect the agency, or entities
within a functional area.

First-round knowledge

► Prior to starting field work, a process of setting
priorities, developing strategic and long-range
plans, submitting audit proposals, rationalizing
resources and assessing anticipated audit worth
should take place.
► Generating audit conclusions or reporting failings
without this overall familiarity may result in
ambiguous and confusing findings.

Environmental scan

► An agency analysis framework will be required.
► All agencies operate against a background of broad
external forces that influence their operations in
substantial ways.
► These forces affect not just the agency, but also the
public and its resources.

Environmental scan

► Some examples are
○ (1) economic trends that include recession, inflation,
unemployment, and unfair trade practices;
○ (2) political and regulatory factors that involve world trade
agreements, government subsidy programs, and political
instability;
○ (3) demographic patterns that dictate the characteristics of
the work force and the demand preferences of the public
(e.g., an aging population affects demand for healthcare);

Environmental scan

► Some examples are
○ (4) technological advances that lead to dramatic changes
in the way things are done, such as computerization and
the internet;
○ (5) social/cultural changes that affect the way people live,
work and behave (e.g., more women in the workplace,
concerns about drug abuse); and
○ (6) ecological concerns about acid rain, global warming,
recycling and waste management that can lead to
substantial changes in the way agencies operate.

Other inputs

► As well, the audit team should have up-to-date
knowledge of
○ significant legislative authorities;
○ organizational arrangements;
○ the bureaucratic environment in which the entity operates;
○ key personnel;
○ spending levels and revenues;
○ the entity’s clients;
○ major operations, including in the field;
○ the accountability arrangements;
○ the major control systems;
○ major risks facing the entity, and
○ prior deficiencies/known weaknesses.

How OPIF aids in understanding the agency
► First it is necessary to check whether the OPIF logical framework will
match up with an agency program structure—otherwise known as a
program accountability model.

[Figure: the OPIF Logical Framework (levels: Societal Goal, Sectoral Goals, Organizational outcomes, MFO, PAPS) shown beside the Program Accountability Model]

Same building blocks
OPIF Logical Framework | Program Accountability model
Societal goal – describes the intended desirable impacts of the department/agency’s goods and services on the country, the environment or the economy. As end-points to be aimed for, they represent the high-level vision the Government has for the country. | Impacts, or effects – refer to all the consequences of the program, whether intended or unintended
Sectoral goals – the longer-term benefits for the sector from organizational changes. |
Organizational outcomes – benefits to the community that result from the department/agency’s provision of goods or services | Outcomes – intended consequences of producing or delivering the goods or services; ranked from the immediate to the ultimate
Major final outputs – the products (goods and services) the department/agency delivers to external clients. | Outputs – refer to the products or services produced or delivered by the program
PAPS – programs, activities and projects that are necessary undertakings pursued by departments/agencies to be able to deliver the goods, products or services. | Activities – a collection of activities directed to achieving the program’s objectives.

Audit: looking for logical links

► In performance audit, the audit team checks if there
is a logical link between the activities undertaken,
the output and the program objectives and other
effects.
► They also ascertain whether the agency is clear on
what the expected outputs are (the MFOs in OPIF
terms) and whether performance indicators are
available for guiding the audit.

OPIF: links in the chain

► Similarly, within OPIF, the building blocks are
viewed in a sequence or chain, leading from
activities and processes to long-term goals such
as poverty reduction.
► Each result in the chain is a “link” and is joined to
other results in the chain by causality. The chain
starts with projects, activities, and programs
(PAPs) and moves through MFOs to outcomes
and finally to higher-level goals at the sectoral
and societal levels (defined by MTPDP).

Major final outputs

► The key level for OPIF is the MFO level. MFOs are tangible
and can be more easily quantified as compared to outcomes
and goals.
○ Each of the other levels can be defined in relation to MFOs:
activities are “how” MFOs are produced; outcomes and higher-
level goals are the reason or “why” MFOs are produced; and for
the MFOs themselves, there is a need to know “what” is produced
and for “whom.”
► Measuring the marginal contribution that an MFO makes
toward reducing poverty incidence and improved quality of life
is a critical element of strategic budgeting and the development
of the MTPDP.

Department of Agrarian Reform: a well-formulated OPIF logframe

How OPIF assists performance audit: recap

► The OPIF process can assist performance audit
through the following:
○ Review of the department/agency mandates and
functions and articulation of the organizational outcomes
or results that the department/agency.
○ Identifying the links between the department/agency’s
organizational outcomes and the higher government
objectives (sectoral and societal goals) enunciated in the
MTPDP, government priorities, sectoral policies, etc.

How OPIF assists performance audit: recap

► The OPIF process can assist performance audit
through the following:
○ Documenting the MFOs and organizational outcomes in a
framework that shows the linkages between resource
inputs, the programs, activities and projects that the
department/agency implements to produce its MFOs, and
the organizational outcomes for which it is mandated.

How OPIF assists performance audit: recap

► The OPIF process can assist performance audit
through the following:
○ Identification of performance indicators (PIs) with
performance measures (targets) for each MFO. These PIs
are the major means by which the department/agency can
track progress and will be held accountable to the
government as a whole, the Congress, the general public
and other stakeholders. There are four classes of PIs:
○ Quantity – indicates the volume of service (output) delivered
during a given period of time
○ Quality – indicates how well the service (output) is delivered
○ Timeliness – indicates rate at which service (output) is delivered
○ Cost – indicates the amount of input used to produce the service
(output).

A helpful chart for auditors
► The following chart pinpoints the agency’s extent of control and
accountability over each activity/output level.

Defining MFOs

► MFOs may reflect delivery of saleable products,
provision of policy advice or other advisory services,
regulatory services, case management services, and
government provision of services not readily available in
the market place.
► They may include goods and services delivered through
outsourcing.
► Each MFO should reflect a core output, deliverable or
business line of the department/agency and will
typically comprise a grouping of PAPs undertaken with
a common outcome in mind.

Defining MFOs

► This grouping of PAPs should also help the
department/agency to assess whether or not it is
providing the right services (or mix of services) to
achieve the organizational outcomes.
► In due course, the department/agency budgets will
be appropriated at MFO level.

Examples of MFOs

► DOF –
○ fiscal policies (domestic and international), plans and
programs;
○ cash and debt management services;
○ anti-corruption in public finance management, anti-
smuggling and tax evasion activities and exercise of
regulatory power;
○ policies, plans and programs for domestic financial and
capital market development;
○ policies, plans and programs for public sector debt
management as well as risk management;
○ policy oversight on LGUs’ financial operations;
○ administration of locally-sourced and ODA Funds for LGUs.

Page 47 Draft
Examples of MFOs

► DOH –
¡ Health, nutrition and population policy/program dev’t;
¡ capability building services for LGUs and other stakeholders;
¡ leveraging services for priority health programs;
¡ regulatory services for health products, devices, equipment
and facilities;
¡ tertiary and other specialized health care.
► DOT –
¡ tourism promotional services;
¡ tourism development planning services;
¡ standards for tourism facilities and services;
¡ development, restoration and maintenance services
¡ regulatory services.

► The background knowledge that the auditors accumulate provides the basis for describing the agency that is the subject of audit, enabling them to make initial scoping decisions and defining lines of inquiry, such as those shown in the following figure. This knowledge includes an understanding of the character of the government agency being audited (role and function, activities and processes in general, development trends), legislation and general programs and performance goals, organizational structure and accountability relationships, internal and external environment and the stakeholders, external constraints affecting program delivery, and management processes and resources.

Defining lines of inquiry

[Figure labels, in order: Societal Goal; Congress; Sectoral Goals; Organizational Outcomes; Major Final Outputs; PAPs]

OPIF limitations

► In using OPIF, the auditors must be aware of its limitations:
  - First, it is a work in progress. OPIF requires shifts in practices/procedures, knowledge/capacity and value-orientation of the implementers, indicating that changes in the current system cannot be done overnight.
  - Second, implementation is done through learning by doing. Capacity building can only be made more effective if the agency staff go through the actual process of implementing the system and learning from the lessons of experience.
  - Third, the OPIF system is “homegrown” and “indigenized”. Technical inputs have to be adjusted to suit the domestic institutional conditions.

A word about risk management

► An important device used in all phases of the planning process is risk assessment. Risk is defined as the probability that an event or action may harmfully affect the organization, such as exposure to financial failure, loss of reputation, or inability to deliver the program with economy, efficiency and cost-effectiveness or to take into account the environmental implications. Risk estimation requires the auditor to ask the following types of questions: What can go wrong? What is the probability of it going wrong? What are the consequences? Can the risk be minimized or controlled?

Can OPIF minimize risk?

► OPIF can point to the inherent risks in dealing with organizational outputs beyond the control of the agency (the susceptibility of the subject matter by its nature to significant error where there are no related controls).
► But an agency which is careless in applying OPIF to its operations may itself induce failure risk. The fact that OPIF is to be carried out through learning by doing raises significant risks in terms of timing and adequacy of results.
► Likewise, risk can attend the consequences of the public’s perception of fairness and equitable treatment of citizens as agencies carry out MFOs.
► Changes in mandate occasioned by the introduction of new MFOs may increase the level of exposure to uncertainties. There is also the matter of process risk: OPIF requires a sometimes painful alignment with operation strategies and alternative delivery approaches.
► On the other hand, a circumspectly crafted department/agency OPIF may prevent failure risk by avoiding redundant activities, non-essential undertakings, uncoordinated policy/program implementation, poor sector management, superfluous committees, and the politicization of the bureaucracy.

Recap: OPIF added-value to performance audit

► OPIF should, where the opportunity arises, add value in a variety of ways, including:
  - helping auditors to respond effectively to changes in the way public services are organized and delivered, including identifying opportunities for worthwhile innovation;
  - providing new insights into the way an audited body manages its resources, delivers its programs, achieves its objectives and develops business opportunities, including how cost-effective improvements might be identified and achieved;
  - helping generate the audit framework, by providing a convenient way to ascertain the audit scope;
  - keeping audit costs in balance with the significance of the issues being examined;
  - taking account of the management circumstances and operational environment as well as the governance milieu;
  - sustaining an iterative planning process to maintain a focus on matters of significance and interest to decision-makers and Congress;
  - helping auditors to recognize institutional risks and to respond to them effectively;
  - contributing to new accounting systems by making clear what the auditors’ requirements are; and
  - benchmarking and developing yardsticks, collating and distilling information, for example, on good practice from across ranges of public sector agencies.

The right attitude for government agencies

Integrated Results and Risk-based Audit Training
Day 3: Execution

November 8, 2010

Learning Objectives

► Discuss the factors affecting the design of the nature, timing and extent of audit tests
► Determine evaluation procedures after executing our designed tests of controls
► Discuss special audit considerations in our execution of tests of details
► Define appropriate procedures for evaluating agency’s response to audit findings
► Our role in communicating audit findings to agency management

IRRBA framework

[Figure: Integrated Results and Risk-based Audit Framework. Strategic Planning and Risk Identification; Planning (Agency Planning and Audit Risk Assessment); Delivery (Execution; Conclusion and Reporting); Monitoring.]

[Figure: Delivery phase. Execution: Design Audit Tests; Execute Audit Tests; Evaluate Audit Results; Communicate Agency Results. Conclusion and Reporting: Summarize Audit Results; Prepare Audit Report; Perform Overall Audit Review; Wrap-up and archive the engagement; Follow-up Agency Action Plan.]

DELIVERY: Execution

Activities:
► Design Audit Tests
► Prepare Audit Work Programs
► Execute Audit Tests
► Execute audit tests throughout the audit period in accordance with the nature, extent and timing of the audit procedures as designed
► Evaluate Audit Results
► Identify and accumulate misstatements
► Communicate Audit Results
► Conclude on the results of audit procedures and assess whether sufficient appropriate audit evidence for each significant account, disclosure and assertion has been obtained

Outline

► Design Tests of Controls
► Execute Tests of Controls
► Design Tests of Details
► Execute Tests of Details
► Evaluate Audit Results
► Communicate Audit Results

Design Tests of Controls

Determine the appropriate controls to select and test

► If a process risk is addressed by more than one control, we are not required to select and test every control
► Consider selecting controls tested by the agency’s internal auditors

Nature

By nature, the procedures we may use to obtain audit evidence when testing controls are:

• Inquiry
• Observation
• Inspection
• Recalculation
• Reperformance

Note: It is not sufficient to rely on inquiries alone because the audit evidence obtained may not be reliable. We design our tests of controls to include other procedures in combination with inquiry to obtain audit evidence about the operating effectiveness of the controls.

Exercise

The Accounting Head compares the agency’s actual monthly expenses against the approved budget and investigates significant variances between budgeted and actual amounts.

Nature of Procedures:
• Inquiry
• Inspection
• Recalculation
• Reperformance

Exercise

General Administrative staff performs annual physical fixed assets count.

Nature of Procedures:
• Inquiry
• Observation
• Reperformance

Timing

• We exercise our professional judgment in deciding when to test controls.
• We may perform our tests prior to the balance sheet date or at period end.
• We design the timing to obtain sufficient appropriate audit evidence that the controls operate effectively as designed throughout the period of reliance.
• Testing controls early in the period may assist us in identifying significant matters at an early stage of the audit.

Documentation: Audit Work Program

Design Tests of Details

Nature
• We customize the test of details for significant accounts in accordance with our audit strategy outlined in our Audit Planning Memorandum

Extent
• Minimal or Low – Less extensive tests of details
• Moderate or High – More extensive tests of details

Timing
• Timing of our tests of details depends on the results of the risk assessment conducted in Phase 2
• We may design the timing at interim dates.

Benefits of performing tests of details at interim dates:

• Enable earlier identification of significant findings and issues
• Allow more time to address and resolve significant findings and issues
• Reduce work performed during year-end
• Help to manage tight reporting deadlines

Timing Tests of Details at Interim Dates

| Risk Assessment | Timing |
| --- | --- |
| Minimal | Earlier in the reporting period (e.g., up to six months before the balance sheet date) |
| Low | During the later portion of the reporting period (e.g., up to three months before the balance sheet date) |
| Moderate or High | At or near the period end (e.g., up to one month before the balance sheet date) |

Rollforward Considerations

• When we design interim procedures, we also design rollforward procedures
• Extent of rollforward procedures shall be customized depending on the rollforward period and risk assessment.

Execute Tests of Details

Audit Evidence Considerations

• Quality of audit evidence is affected by the relevance and reliability of the information upon which it is based.
• Reliability of audit evidence is increased when:
  • Obtained from independent sources outside the agency
  • The related controls imposed by the agency are effective
  • Obtained directly
  • Obtained in documentary form as opposed to being obtained orally
  • It is in original form as opposed to evidence provided as photocopies or fax.

Accounting Estimates

If our planned procedures include testing how management determined the accounting estimate, we evaluate whether:

• The method of measurement used is appropriate in the circumstances (e.g., in relation to the agency’s operations, sector and environment), including agency management’s rationale for selecting the method.
• The assumptions used by agency management are reasonable in light of the measurement requirements of the applicable financial reporting framework, including the consistency of the assumptions with our understanding of management’s intent and ability to carry out certain courses of action.

External Confirmations

• To ensure reliability, confirmation responses should be received by the COA auditors directly from the parties to whom confirmations were sent.
• Confirmation exceptions may be given to the agency for investigation after we establish control by making a copy or other record of the confirmation reply.
• When we do not receive replies to confirmation requests, we apply alternative procedures to the non-responses to obtain the evidence necessary.

Evaluate Results of Audit Tests

• Identification and accumulation of misstatements is one of our most important audit responsibilities and is critical in enabling us to formulate our audit opinion.

• If we identify an intentional misstatement in the financial statements, we determine if this is an incident of fraud or represents non-compliance with applicable laws and regulations.

• The matter is reported to the Supervising Auditor of the engagement and communicated to the appropriate level of agency management.

Discuss Results with Agency Management

► We discuss each audit finding with the appropriate level of agency management to confirm that our understanding of the nature and cause of the audit finding is factually correct.
► If the agency disagrees that there is an audit finding, or disputes the amount involved, we ask it to support its position by providing additional audit evidence.
► If the evidence provided by the agency does not support the agency’s position, we determine the effect on our audit opinion, which may include consulting with the Supervising Auditor or Cluster Director.

Documentation: Audit Observation Memorandum

FINANCIAL AUDIT EXECUTION

[Flowchart. Phase 2: Risk Assessment (Minimal, Low, Moderate, High). Phase 3: Design Tests of Controls (Audit Work Program); Execute Tests of Controls; Control Exceptions noted? (Yes / No); Determine and Evaluate Audit Response; Conclude on operating effectiveness; Rely on Controls / Not Rely on Controls; Reassess; Design Tests of Details: less extensive tests of details (Audit Work Program) or more extensive tests of details (Audit Work Program); Execute Tests of Details.]

PERFORMANCE AUDIT EXECUTION

[Flowchart. Define Audit Objectives; Develop Audit Criteria; Develop Audit Program; Gather Audit Evidence; Analyze Audit Evidence: Audit Evidence (What is) against Audit Criteria (What should be); Determine root cause for Significant Variance; Recommend Improvements.]

Integrated Results and Risk-based Audit Workshop
Day 4: Delivery – Conclusion and Reporting

November 9, 2010

IRRBA framework

[Figure: Integrated Results and Risk-based Audit Framework. Strategic Planning and Risk Identification; Planning (Agency Audit Planning and Risk Assessment); Delivery (Execution; Conclusion and Reporting); Monitoring.]

[Figure: Delivery phase. Execution: Design Audit Tests; Execute Audit Tests; Evaluate Results of Audit Tests; Discuss Results with Agency Management. Conclusion and Reporting: Summarize Audit Results; Prepare Audit Report; Perform Final Overall Review; Wrap-up and archive the engagement; Monitor and Follow-up Agency Action Plan.]

Conclusion and Reporting

► Summarize Audit Results
► Prepare summary of the results and conclusions of the audit
► Discuss results of different types of audit conducted
► Prepare Audit Report
► Prepare Annual Audit Report
► Prepare agency-based Value-for-Money Audit Report
► Perform Overall Audit Review
► Perform overall review and approval
► Issue report
► Wrap-up and Archive the Engagement
► Archive working papers/documentation of audit
► Follow-up Agency Action Plan

Phase 3b: Delivery – Conclusion and Reporting

► Summarize Audit Results
► Prepare summary of the results and conclusions of the audit
► Discuss results of different types of audit conducted
► Prepare Audit Reports
► Prepare Annual Audit Report (AAR)
► Perform Overall Audit Review
► Perform overall review and approval
► Issue report
► Wrap-up and archive the engagement
► Follow-up Agency Action Plan

Summarize audit results

Prepare summary of the results and conclusions of the audit

Accumulated results of financial, compliance, and VFM audits are summarized at the end of the audit.

Significant findings, issues and observations, including misstatements, are summarized and discussed with the agency. The conclusion for each misstatement, finding, issue, and observation is documented. This serves as the basis for formulating the audit opinion in the audit report.

The Audit Summary and Conclusion tool is presented on the next slide.

Discuss results of different types of audit conducted

The agency may have been subjected not only to comprehensive audit
but also to other types of audit such as fraud audit and GWSPA. In this
case, the audit team, together with the Cluster Director (CD), shall
discuss with the counterpart audit team the results or status of the audit,
if ongoing, for disclosure or inclusion in the AAR.

Audit Summary and Conclusion

Tool - Audit Summary and Conclusion Template.

This template provides the audit team with a summary of the audit results and conclusion, and a description of the important matters and significant findings and issues arising during the execution of the audit.

Prepare audit reports
Annual Audit Report

In reporting the results of audit, the auditors prepare the following audit reports:

► Annual Audit Report (AAR) for the year-end financial audit of agencies with complete books of accounts and listed in the General Appropriations Act; and

► Management Letter (ML) for the year-end financial audit of the regional offices and operating units with and without complete books of accounts. The ML shall also be issued at the conclusion of an interim audit, if warranted.

The format of the ML is presented on the next slide. The template is lifted from the RBAM.

Management Letter

Tool - Management Letter (ML) for the year-end financial audit of the regional offices and operating units with and without complete books of accounts. The ML shall also be issued at the conclusion of an interim audit, if warranted.

Prepare audit reports

Annual Audit Report

Observations and Recommendations Section

This portion presents the discussion of the observations noted by the auditor and his recommendations. The agency’s explanation or reply to the observations shall also be presented, as well as the auditor’s rejoinder, as necessary or appropriate.
The gist of the significant findings, observations, and recommendations in the VFM audit conducted shall also be included in this section, indicating that a separate, more detailed report on the VFM audit is available.
Other types of audit (i.e., fraud audit and GWSPA) conducted that have or may have significant impact on the financial statements or on the conclusions of the audit shall be mentioned in this section.

Value-for-Money Audit Report

As stated in COA Resolution 2006-002, auditors shall only include the gist of
significant findings, observations and recommendations of the audit in the AAR
under the Observations and Recommendations section.

Perform final overall review for report issuance

Perform overall review and approval

► Prior to the issuance of audit reports, the Supervising Auditors (SA) shall conduct a review of the outputs prepared by the Audit Team Leaders (ATL).

► The overall review and approval of the audit engagement will be documented in a Quality Inspection Tool as presented in the next slide.

Issue report

Pursuant to COA Memorandum No. 2009-028, the SAs shall sign the audit reports (AAR) prepared by the ATLs, while the CDs transmit said reports to the agency.

Quality Inspection Tool

The overall review and approval of the audit engagement will be documented in the Quality Inspection Tool.

Wrap-up and archive the engagement

► Audit documentation shall be sufficient for an experienced auditor with no previous association with the audit to be able to understand the nature, timing and extent and results of procedures performed, evidence obtained and conclusions reached.

► Auditors shall use professional judgment in determining the nature and extent of the audit documentation. However, it shall be ensured that it is consistent with COA policies, professional standards and other legal and regulatory requirements.

Monitor and follow-up Agency Action Plans

► An effective monitoring system not only ensures the prompt and proper resolution of audit recommendations and the implementation of corrective action, but also ensures that a complete record of actions taken on observations and recommendations is maintained.

An audit issue database may:

• Support the monitoring of all issues and the subsequent action taken by the auditors and agencies during the audit.
• Guide COA during the assessment of the key risks of an agency or a sector.
• Serve as reference in conducting an in-depth analysis on the relationships of issues among different agencies (e.g., conduct of GWSPA).

Benefits of Monitoring:
► Assures the auditor that the benefit of work done is realized
► Validates that the recommendations as implemented are truly advantageous to the auditee

Monitor progress

► Part of the auditors’ role is to determine that the audited agencies take corrective actions on the audit recommendations provided on a timely basis

Conduct follow-up procedures

Types of follow-up procedures

► Casual
  - Most basic form of follow-up
  - Applicable to less critical findings
  - Example: Review of the process owner’s procedures, informal telephone conversation, memo/correspondence

► Limited
  - Usually involves more interaction with auditee
  - Examples: Verifying procedures or transactions

► Detailed
  - More time-consuming
  - Done with substantial process owner involvement
  - Applicable to more critical audit findings
  - Includes analyzing, comparing to agreed strategy, and assessing efficiency, effectiveness and timeliness of the response
  - Example: Substantiating account balances and computerized records

Policy and standard

| Policy/Standard | Description |
| --- | --- |
| ISSAI 400 | Reporting standards in government auditing |
| ISSAI 1220 | Quality Control for Audits of Historical Financial Information |
| ISSAI 1230 | Audit Documentation |
| ISSAI 1700 | Forming an Opinion and Reporting on Financial Statements |
| COA Resolution No. 98-004 | Segregation of Value-for-Money (VFM) or Performance Audit Reports from the Annual Audit Report |
| COA Memorandum No. 99-021 | Segregation of Value-for-Money Audit Reports from the Annual Audit Report (AAR) and providing guidelines for the preparation, submission, and transmittal of VFM Audit Reports |
| COA Memorandum No. 2002-047 | Guidelines on the preparation, submission and transmittal of the Annual Audit Report |
| COA Resolution No. 2006-002 | Conduct of comprehensive audits by the offices of this Commission |
| COA Resolution No. 2008-012 | 2008 COA organization restructuring |
| COA Memorandum No. 2009-028 | Implementing guidelines on audit operations under the 2008 COA organizational restructuring |

Summary

| Procedure | Sub-procedure | Reference Manual | Tools/Templates | Output |
| --- | --- | --- | --- | --- |
| Summarize Audit Results | Prepare summary of the results and conclusions of the audit | IRRBAM | Tool - Audit Summary and Conclusion Template | Tool - Audit Summary and Conclusion |
| | Discuss results of different types of audit conducted | IRRBAM | - | Minutes of discussion |
| Prepare Annual Audit Report | Prepare Annual Audit Report (AAR) | IRRBAM | Tool - Management Letter Template | Tool - Management Letter; AAR |
| | Prepare agency-based Value-for-Money Audit Report | IRRBAM | - | VFM report |
| Perform Final Overall Review for report issuance | Perform overall review and approval | IRRBAM | Tool - Quality Inspection Tool (QIT) | Tool - QIT |
| | Issue Report | IRRBAM | - | Transmittal Letter |
| Wrap-up and archive the engagement | Archive working papers/documentation of audit | IRRBAM | - | - |

Integrated Results and Risk-based Audit Workshop
Day 4: Monitoring

November 9, 2010

[Figure: Integrated Results and Risk-based Audit Framework. Strategic Planning and Risk Assessment (COA-wide Planning and Risk Assessment); Planning (Agency Audit Planning and Risk Assessment); Delivery (Execution; Conclusion and Reporting); Monitoring.]

Relevant standards

| Policy/Standard | Description |
| --- | --- |
| ISSAI 40 | Quality Control for Supreme Audit Institutions |
| ISSAI 1000 | General Introduction to the INTOSAI Financial Audit Guidelines |
| ISSAI 1220 | Financial Audit Guideline – Quality Control for an Audit of Financial Statements |
| Appendix 4 to ISSAI 3000 | Communication and Quality Assurance |
| ISSAI 3100 | Performance Audit Guidelines: Key Principles Appendix |
| ISSAI 4100 | Compliance Audit Guidelines for Audits Performed Separately from the Audit of Financial Statements |
| ISSAI 4200 | Compliance Audit Guidelines Related to Audit of Financial Statements |

Monitoring

► Monitor Quality Control on Audit Services

Topics:
► Quality Control System
► Responsibilities on Quality Control
► Quality Assurance
► Quality Assurance Review Program

Quality Control System

► COA shall establish a system of quality control to provide reasonable assurance that:
  - The organization and its personnel comply with professional standards and applicable legal and regulatory requirements
  - The reports issued by the Commission are appropriate in the circumstances.

► The Quality Control System shall be incorporated in the Commission’s strategy, culture, policies and procedures.

Responsibilities on Quality Control

► It is the responsibility of the Commission Proper to establish a strategic direction for the establishment of a Quality Control System.

► It is the responsibility of the Cluster Directors to ensure that a monitoring process comprising an ongoing consideration and evaluation of the COA’s system of quality control, including a periodic inspection of a selection of completed engagements, is in place.

► Each audit team is responsible for implementing quality control procedures that are applicable to the audit engagement.

Page 6 Draft
Elements of a Quality Control System

Elements of a Quality Control System –


ISSAI 40: Quality Control for Supreme Audit Institutions :
► Leadership responsibilities for quality within the firm
► Relevant ethical requirements
► Acceptance and continuance of client relationships and
specific engagements
► Human resources
► Engagement performance
► Monitoring

Page 7 Draft
Elements of a Quality Control System

► Leadership responsibilities for quality within the firm

COA should establish policies and procedures designed


to promote an internal culture recognizing that quality is
essential in performing all of its work. Such policies and
procedures should be set by the Commision Proper, who
retains overall responsibility for the system of quality
control.

Page 8 Draft
Elements of a Quality Control System

►Relevant ethical requirements

COA should establish policies and procedures designed


to provide it with reasonable assurance that all personnel
complies with the relevant ethical requirements (e.g.,
integrity, independence, objectivity and impartiality,
professional secrecy and competence).

Page 9 Draft
Elements of a Quality Control System

►Acceptance and continuance of client relationships and


specific engagements

COA should establish policies and procedures designed to provide


reasonable assurance that it will only undertake audit tasks and other
work where COA:
a) is competent to perform the audit task or other work and has the
capabilities, including time and resources, to do so;
b) can comply with relevant ethical requirements; and
c) has considered the integrity of the organization being audited and
has considered how to treat the risk to quality which arises.

Page 10 Draft
Elements of a Quality Control System

►Human resources

COA should establish policies and procedures designed to


provide it with reasonable assurance that it has sufficient
resources with the competence, capabilities and commitment to
ethical principles necessary to:
- perform its tasks in accordance with relevant standards and
applicable and legal and regulatory requirements; and
- enable COA to issue reports that are appropriate in the
circumstances.

Page 11 Draft
Elements of a Quality Control System

► Engagement performance

COA should establish policies and procedures designed to


provide it with reasonable assurance that its tasks are
performed in accordance with relevant standards and
applicable legal and regulatory requirements, and that COA
issues reports that are appropriate in the circumstances. Such
policies and procedures should include:
a) matters relevant to promoting consistency in the quality of the
work performed;
b) supervision responsibilities;
c) review responsibilities.

Elements of a Quality Control System

► Monitoring

COA should establish a monitoring process designed to provide it with
reasonable assurance that the policies and procedures relating to the
system of quality control are relevant, adequate and operating
effectively. The monitoring process should:
a) include an ongoing consideration and evaluation of COA’s system of quality
control, including review of a sample of completed tasks across the range
of work performed by COA;
b) require responsibility for the monitoring process to be assigned to an
individual or individuals with sufficient and appropriate experience and
authority in COA to assume that responsibility;
c) require that those performing the review have not taken part in the task
or any quality control review of the task.

Other Quality Control considerations

Other considerations that need to be included in the Quality
Control System:
► COA shall ensure that applicable standards are followed in all
work performed, and that any deviations are appropriately
documented.
► COA should consider their work programme and whether, at an
organizational level they have the resources to deliver the range of
tasks to the desired level of quality.
► All work performed should be subject to review as a means of
contributing to quality and also to promote learning and staff
development.

Other Quality Control considerations

Other considerations that need to be included in the Quality
Control System:
► Timely documentation of all work performed (e.g., audit work papers)
following completion of each engagement shall be complied with.
► Auditors shall ensure that appropriate principles of natural justice are
followed in respect of finalizing report findings to ensure those parties
affected by the COA’s reports have an opportunity to comment prior to the
report being finalized.
► Auditors should balance the confidentiality of documentation with the need
for transparency and accountability.
► Ensure that the results of quality control reviews are reported to the
Commission Proper in a timely manner and that appropriate action is
taken.

Quality assurance

► Quality assurance refers to policies, systems and
procedures established by SAIs to maintain a high
standard of audit activity. It also refers to the requirements
applicable to the day-to-day management of audit
assignments. Activities include:
- Securing the quality of the planning; the planning of selected tasks should
be reviewed to ensure that adequate consideration has been given to all
matters considered essential.
- Securing the quality of the on-going work; the on-going work should be
subject to continual review. This review is essential to maintain the quality
of audit work and to promote learning and feedback.
- Securing the quality of the finalized audit; all completed tasks should be
reviewed prior to signing any reports.

Quality assurance review program

► A quality assurance review program is a series of reviews of
activities undertaken by the SAI to assess the overall quality of
the work performed and covers various issues and
perspectives.
► The following are some of the activities which may be undertaken by
COA in performing its Quality Assurance Review Program:
- Independent academic review
- Stakeholder surveys
- Peer review
- Follow-up reviews of recommendations

Questions?

Thank you!
