Risk Based Audit Approach: Understanding Risk, Internal Controls and the Risk Based Audit Approach
8 June 2015
Joseph Ian M. Canlas, Partner
Leonardo J. Matignas, Jr., Partner

TRANSCRIPT

  • 1 Risk Based Audit Approach: Understanding Risk, Internal Controls and the Risk Based Audit Approach (8 June 2015)

    Presenters: Joseph Ian M. Canlas, Partner; Leonardo J. Matignas, Jr., Partner

  • 2 PICPA Risk Based Audit Approach

    Agenda

    Risk Assessment - Concept
    Relevant Regulatory Developments & Impact
    Understanding Internal Control Concepts
    Internal Control COSO Integrated Framework 2013
    Risk Based Audit Approach: Internal Audit; External Audit

  • 3 PICPA Risk Based Audit Approach

    Purpose of this training

    At the end of this training, participants are expected to:
    Understand basic concepts about risk, internal controls and the risk-based audit approach.
    Gain a basic understanding of internal control principles under the COSO Internal Control - Integrated Framework 2013.
    Recognize the need for a risk based audit approach to continually address risks due to the changing business environment and manage stakeholder expectations.

  • 4 PICPA Risk Based Audit Approach

    Getting to know

  • 5 PICPA Risk Based Audit Approach

    Agenda: Risk Assessment - Concept; Relevant Regulatory Developments & Impact; Understanding Internal Control Concepts; Internal Control COSO Integrated Framework 2013; Risk Based Audit Approach: Internal Audit, External Audit

  • 6 PICPA Risk Based Audit Approach

    Setting the context

    From a paper presented by E.J. Smith, the first & last Captain of RMS Titanic

  • 7 PICPA Risk Based Audit Approach

    "When anyone asks me how I can describe my experience of nearly forty years at sea, I merely say uneventful. Of course there have been winter gales and storms and fog and the like, but in all my experience, I have never been in an accident of any sort worth speaking about. I never saw a wreck and have never been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort."

    - E.J. Smith, 1907

  • 8 PICPA Risk Based Audit Approach

    So what really went wrong?

    1. Misplaced objectives: disregard for safety considerations in the excitement to break a record
    2. Safety measures compromised in design: sealed compartments not effective enough to handle damage of this magnitude
    3. Responsibilities not clear: the ship had a new crew and individual responsibilities were not clear
    4. Information overlooked: the iceberg warnings that were received were overlooked
    5. Inadequate contingency plans: not enough safety boats, for improved aesthetics

  • 9 PICPA Risk Based Audit Approach

    Lessons learnt

    1. Setting strategic objectives with clear consideration for risk management
    2. Thorough evaluation of the mitigation measures
    3. Clear communication of roles and responsibilities
    4. Contingency planning: knowing what can go wrong and having appropriate mitigation measures in place
    5. Effective monitoring and thorough analysis of the risk indicators

  • 10 PICPA Risk Based Audit Approach

    Business risk definition

    A business risk is a threat that an event or action will adversely affect the Company's ability to achieve its business objectives and maximize stakeholder value.

    or

    What keeps the Board and Management awake at night?

  • 11 PICPA Risk Based Audit Approach

    Attributes of Business Risk

    Could be existing
    Could be emerging (has a potential of happening)
    Presents an exposure to both tangible and intangible assets
    Can arise from the external environment, from internal processes and from the lack of information for decision making
    Presents an exposure (downside) if not managed or a potential opportunity (upside) if managed well

    How can we use these to our advantage?

    Linking Risk to Business Strategy

    COMPANY'S GOAL, OBJECTIVES AND STRATEGY -> BUSINESS RISKS (EXTERNAL, INTERNAL): WHAT WILL NOT ALLOW THE COMPANY TO SUCCEED?

  • 12 PICPA Risk Based Audit Approach

    Linking Risks to Objectives and Processes

    Diagram: Business Objectives and Strategies -> Key Business Risks -> Business Processes, with four labelled arrows:
    Link Business Objectives to Risks
    Evaluate the significance of the risk to business objectives
    Link Risks to Business Processes
    Evaluate Management and Control Activities

    Key Business Risks: Economic Conditions; Raw Material Price Volatility; Interest Rate Volatility; International Expansion; New Product Development; Environmental Regulation; IT Infrastructure Capacity; Key Supplier Dependence; Recruitment & Retention; Customer Migration; Regulatory Compliance; Health/Pension Costs; Joint Venture Partnerships; Business Continuity; Intellectual Property; Evolving Global Economy

    Business Objectives and Strategies: Expand Product Offering; Expand into New Markets; Maximize Return on Capital; Maximize Benefits from Technology Investments; Achieve Cost Optimization; Optimize Operating Efficiency; Retain Top Performers; Deliver Superior Customer Service; Enhance Quality Product

    Earnings and Operating Margins; Asset and Capital Management; Revenue and Market Share; Reputation and Brand

    Business Processes: New Product Development; Gain New Business; Procurement; Production; Distribution; Customer Support

  • 13 PICPA Risk Based Audit Approach

    Risk Management (RM)

    Risk Management is a set of coordinated activities to direct and control an organization with regard to risk.

    - ISO 31000

  • 14 PICPA Risk Based Audit Approach

    Why Assess Risk?

    To provide management with a venue to identify and assess the impact of significant business risks that may threaten business objectives.
    To identify the key risks that will be given audit focus in the audit plan.
    To focus the audit work on the critical business risks of the Company.

    Risk Assessment: Identify risks -> Prioritize risks

  • 15 PICPA Risk Based Audit Approach

    Who is Responsible for Assessing Risk?

    Management is primarily responsible to identify, measure, prioritize and manage risk.
    Internal Audit can facilitate the risk assessment process and should use the results for determining the audit focus.

  • 16 PICPA Risk Based Audit Approach

    Better Knowledge of the Business

    Better, More Timely Information on Risks

    More Knowledge of the Impact of Risks on the Business

    Better Awareness of What is Implementable

    The Best Resources to Identify Risks are the Process Owners

  • 17 PICPA Risk Based Audit Approach

    Sample Risks

    Environment Risks: Exposures to fraud or money laundering activity; Unsafe working conditions resulting in accidents; Technology becoming obsolete

    Process Risks: Adequate levels of inventory are not maintained; Inadequate resources, staffing or untimely staff changes

    Information for Decision Making Risks: Poor or failed communication; Pressure to meet expectations set by key holders

  • 18 PICPA Risk Based Audit Approach

    Enterprise Risk Management Process (cycle): Establish RM goals and objectives, and RM oversight structure -> Develop common language -> Assess business risks -> Develop RM strategies -> Monitor RM process -> Continuously improve RM process

  • 19 PICPA Risk Based Audit Approach

    ISO 31000 Risk Management Principles and Guidelines

  • 20 PICPA Risk Based Audit Approach

    Communicate and Consult

    Risk Management Framework Comparison

    ISO 31000 Risk Management Process for Managing Risk

    The ERM Process

  • 21 PICPA Risk Based Audit Approach

    Enterprise Risk Management Process (cycle): Establish RM goals and objectives, and RM oversight structure -> Develop common language -> Assess business risks -> Develop RM strategies -> Monitor RM process -> Continuously improve RM process

  • 22 PICPA Risk Based Audit Approach

    Steps to Risk Identification

    Developing a Common Risk Language -> Survey Questionnaires, Interviews, Brainstorming Sessions -> Filtering Issues to Identify Business Risks

  • 23 PICPA Risk Based Audit Approach

    Risk Prioritization

    Facilitate a risk assessment session with management.

    Risk Map (plot; vertical axis ticks 6.3 to 8.3 and horizontal axis ticks 4.3 to 6.8, in steps of 0.5) positioning the following risks: Competitor Risk; Regulatory Risk; Technology Risk; Product/Service Failure; Business Interruption Risk; Customer Satisfaction; Human Resources; Customer Wants; Capacity Risk; Credit Default Risk; Partnering Risk

  • 24 PICPA Risk Based Audit Approach

    Sample Consideration in Determining the Significance of the Risk

    If the risk happens, how significant will the impact be to the company's business?

  • 25 PICPA Risk Based Audit Approach

    Sample Consideration in Determining the Likelihood of the Risk

    What is the probability of the risk happening over the next 5 years (without us consciously doing something to manage the risk)?

  • 26 PICPA Risk Based Audit Approach

    Identification of Risks for Audit Focus

    Risk Map (same risks as slide 23): Competitor Risk; Regulatory Risk; Technology Risk; Product/Service Failure; Business Interruption Risk; Customer Satisfaction; Human Resources; Customer Wants; Capacity Risk; Credit Default Risk; Partnering Risk

    RISKS FOR AUDIT FOCUS: Identify risks for audit focus; agree with management on risks to be covered by internal audit

  • 27 PICPA Risk Based Audit Approach

    Agenda: Risk Assessment - Concept; Relevant Regulatory Developments & Impact; Understanding Internal Control Concepts; Internal Control COSO Integrated Framework 2013; Risk Based Audit Approach: Internal Audit, External Audit

  • 28 PICPA Risk Based Audit Approach

    Relevant Regulatory Developments & Impact

    The regulatory environment continues to evolve and gain maturity.

    Philippine Corporations (Specific Regulations): SEC MC 6, 2009 SEC Revised Code of Corporate Governance; SEC MC 2, 2002 Code of Corporate Governance; 2010 PSE Corporate Governance Guidelines for Listed Companies

    Global Regulations: USA: SOX 404; Japan: J-SOX; Basel II; Others

    Primary Objectives: Increased investors' trust; Increased management responsibility and accountability; Increased transparency; Reduced number of financial surprises and related business failures; More reliable financial reporting

  • 29 PICPA Risk Based Audit Approach

    Corporate Governance Framework

    Corporate governance is the system, including objectives, rules and procedures, by which business corporations are directed and controlled.

    or simply

    It is about doing the right things for the shareholders and stakeholders in a business.

  • 30 PICPA Risk Based Audit Approach

    PSE Memorandum No. 2010-0574: PSE Guidelines for a Well-governed Company

    1. Develops and executes a sound business strategy.
    2. Establishes a well-structured and functioning board.
    3. Maintains a robust internal audit and control system.
    4. Recognizes and manages enterprise risks.
    5. Ensures the integrity of its financial reports as well as its external auditing function.
    6. Respects and protects the rights of its shareholders, particularly those that belong to the minority or non-controlling group.
    7. Adopts and implements an internationally-accepted disclosure and transparency regime.
    8. Respects and protects the rights and interests of its employees, community, environment, and other stakeholders.
    9. Does not engage in abusive related-party transactions and insider trading.
    10. Develops and nurtures a culture of ethics, compliance & enforcement.

    Source: The Philippine Stock Exchange Official Website

  • 31 PICPA Risk Based Audit Approach

    PSE Memorandum best practices

    4. Recognizes and manages enterprise risks: An Enterprise-wide Risk Management system should be in place and properly functioning in a transparent manner.

    Have board oversight
    Seek external support
    Disclose risk information and how these are managed
    Establish a risk management unit
    Prepare a formal risk management policy
    Have ERM activities in accordance with internationally recognized frameworks

  • 32 PICPA Risk Based Audit Approach

    Agenda: Risk Assessment - Concept; Relevant Regulatory Developments & Impact; Understanding Internal Control Concepts; Internal Control COSO Integrated Framework 2013; Risk Based Audit Approach: Internal Audit, External Audit

  • 33 PICPA Risk Based Audit Approach

    ACTIVITY 1: SUPERMARKET RISKS & CONTROLS

  • 34 PICPA Risk Based Audit Approach

    Supermarket Risk & Control

    Purpose: To identify the key business risks and the related controls of a supermarket

    Case Facts: ABC Supermarket is a large, leading supermarket that offers almost everything you need. This particular supermarket is a part of a large chain of supermarkets that includes approximately 30 supermarkets in total.

    Instructions: Review the supermarket layout on the following page. Identify the related risks and the controls that will mitigate the key risks identified. Be prepared to discuss your answers with the group.

  • 35 PICPA Risk Based Audit Approach

    Supermarket Risk & Control

    Store layout (floor plan): Entrance/Exit; Counters #1, #2 (XX) and #3; Package Counter; Customer Service; Stalls #1 to #4; Manager's Office; Stockroom; Restrooms

    Sections: Toiletries; Cosmetics; Snacks; Household; Consumables; Canned Goods; International Goods; Wet Goods; Dairies / Cold Drinks; Fruits / Vegetables; Fresh Produce; Drinks; Books and Magazines

  • 36 PICPA Risk Based Audit Approach

    Understanding the concepts of internal control: Internal Control - Defined

    Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.

    Source: COSO Internal Control Integrated Framework 2013

  • 37 PICPA Risk Based Audit Approach

    Understanding the concepts of internal control: Process

    A planned series of steps, activities and actions designed to yield a predictable and desired outcome.

    Flowchart (GL journal process) with the steps: Start; Enter/Fix GL Journal; Submit Journal for Approval; Approved?; Post Journal; JE Saved to Database; Review Ledger Report; End

  • 38 PICPA Risk Based Audit Approach

    Establish control mechanisms

    Work within the established control mechanisms

    Make control mechanisms succeed or fail

    People

    Understanding the concepts of internal control

  • 39 PICPA Risk Based Audit Approach

    100%

    Reasonable Assurance

    Understanding the concepts of internal control

  • 40 PICPA Risk Based Audit Approach

    Internal Controls: Shift in view

    INTERNAL ACCOUNTING CONTROL -> BUSINESS CONTROLS

  • 41 PICPA Risk Based Audit Approach

    Internal Controls: Shift in view (Myth vs. Reality)

    Myth: Controls are documented. Reality: The best control is the culture created by management.
    Myth: Controls are a necessary evil. Reality: Controls are actions taken by management to help the company achieve its objectives.
    Myth: Controls are the responsibility of the auditors. Reality: Controls are the responsibility of management. The auditors' role is to assess the adequacy and effectiveness of the company's overall internal control system.
    Myth: As we streamline and empower, we relinquish control. Reality: As we streamline and empower, we apply different forms of control.

  • 42 PICPA Risk Based Audit Approach

    Redefining the Controls focus

    OLD PARADIGM: Only auditors are concerned about risk and controls. NEW PARADIGM: Everyone is concerned about risk and controls.
    OLD PARADIGM: Fragmentation. NEW PARADIGM: Focused and coordinated.
    OLD PARADIGM: No risk policy. NEW PARADIGM: Formal risk policy.
    OLD PARADIGM: Inspect, detect, react. NEW PARADIGM: Anticipate, prevent, monitor.
    OLD PARADIGM: Only hard tangible controls are evaluated. NEW PARADIGM: Both hard tangible and soft intangible controls must be evaluated.

  • 43 PICPA Risk Based Audit Approach

    Agenda: Risk Assessment - Concept; Relevant Regulatory Developments & Impact; Understanding Internal Control Concepts; Internal Control COSO Integrated Framework 2013; Risk Based Audit Approach: Internal Audit, External Audit

  • 44 PICPA Risk Based Audit Approach

    Overview of internal control

    Internal control is:
    Geared to the achievement of objectives, in one or more categories: operations, compliance and reporting
    A process consisting of ongoing tasks and activities; a means to an end, not an end in itself
    Effected by people; not merely about policy and procedures manuals, systems and forms, but about people and the actions they take
    Able to provide reasonable assurance, but not absolute assurance, to an entity's senior management and board of directors
    Adaptable to the entity structure; flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process

    Source: COSO IC-IF 2013 (Committee of Sponsoring Organizations of the Treadway Commission, Internal Control Integrated Framework 2013)

  • 45 PICPA Risk Based Audit Approach

    Types of controls: Preventive controls

    Per COSO IC-IF 2013: Designed to avoid an unintended event or result at the time of initial occurrence.

    In layman's terms: Designed to prevent or mitigate something from going wrong so that an error and/or irregularity can be avoided.

    Examples: Authorization of payments prior to processing; Customer credit limit checks; Restricting user access to IT systems; Advance approval of supervisor before overtime occurs; Completion of checklist for updating the master data

  • 46 PICPA Risk Based Audit Approach

    Types of controls: Detective controls

    Per COSO IC-IF 2013: Designed to discover an unintended event or result after the initial processing has occurred but before the ultimate objective has concluded.

    In layman's terms: Designed to detect and correct in a timely manner an error or irregularity that would materially affect the achievement of the Company's objectives.

    Examples: General ledger to subsidiary ledger reconciliations; Budget vs. actual comparisons; Review of exception reports; Quality inspection

  • 47 PICPA Risk Based Audit Approach

    Nature of controls

    Manual: performed by individuals outside of the system or application. Examples: Independent review of general ledger reconciliations; Manual authorization of employee expense reports

    Automated: performed by a system or incorporated into application logic. Examples: Automated three-way match (e.g., purchase order vs. invoice vs. delivery receipt); Data input validation checks (e.g., valid country code); Restricted user access (e.g., username and password)

    IT-dependent manual: both manual and IT output are combined; relies on system-generated information or functionality for its effectiveness. Examples: Review and follow-up of exceptions on a payroll exception report; System-generated sales orders that require manual approval from the controller
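The preventive/detective distinction of slides 45 and 46 and the automated controls named on slide 47 (three-way match, input validation, exception report), as an added example rather than anything from the slides: the same three-way match is run before payment as a preventive control that blocks the invoice, and re-run over invoices that were already paid as a detective control whose output is the exception report a reviewer follows up (the IT-dependent manual half). Record layouts, the price tolerance, the country-code reference list and the sample invoices are all constructed.

```python
"""Preventive and detective automated controls over invoice payment.

Added example, not from the slides. Implements an automated three-way match
(purchase order vs. invoice vs. delivery receipt), a data-input validation
check on the supplier country code, and an exception report that re-runs the
match after the fact. All record shapes, tolerances and data are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal

# Constructed reference list (ISO 3166-1 alpha-2 style codes); a real system
# would load the full list from master data.
VALID_COUNTRY_CODES = {"PH", "US", "JP", "SG"}


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    supplier: str
    quantity: int
    unit_price: Decimal


@dataclass(frozen=True)
class DeliveryReceipt:
    po_number: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    po_number: str
    supplier_country: str
    quantity: int
    unit_price: Decimal


def validate_country_code(code):
    """Preventive input control: accept only codes on the reference list."""
    return code in VALID_COUNTRY_CODES


def three_way_match(invoice, orders, receipts, price_tolerance=Decimal("0.01")):
    """Return the list of reasons the invoice fails the match (empty list = pass).

    The invoice must reference an existing PO, not exceed the quantity ordered
    or the quantity actually received, and price within the (assumed) tolerance.
    """
    reasons = []
    po = orders.get(invoice.po_number)
    if po is None:
        return ["no purchase order %s" % invoice.po_number]
    receipt = receipts.get(invoice.po_number)
    if receipt is None:
        reasons.append("no delivery receipt for %s" % invoice.po_number)
    elif invoice.quantity > receipt.quantity_received:
        reasons.append("invoiced %d but only %d received"
                       % (invoice.quantity, receipt.quantity_received))
    if invoice.quantity > po.quantity:
        reasons.append("invoiced %d exceeds ordered %d" % (invoice.quantity, po.quantity))
    if abs(invoice.unit_price - po.unit_price) > price_tolerance:
        reasons.append("unit price %s differs from PO price %s" % (invoice.unit_price, po.unit_price))
    if not validate_country_code(invoice.supplier_country):
        reasons.append("invalid supplier country code %r" % invoice.supplier_country)
    return reasons


def approve_for_payment(invoices, orders, receipts):
    """Preventive control: only invoices that pass the match reach the payment run."""
    return [inv.invoice_number for inv in invoices if not three_way_match(inv, orders, receipts)]


def exception_report(paid_invoices, orders, receipts):
    """Detective control: re-run the match over paid invoices and list the exceptions
    (invoice number -> reasons) for a reviewer to follow up."""
    report = {}
    for inv in paid_invoices:
        reasons = three_way_match(inv, orders, receipts)
        if reasons:
            report[inv.invoice_number] = reasons
    return report


# Constructed sample data.
ORDERS = {
    "PO-1001": PurchaseOrder("PO-1001", "Acme Supplies", 100, Decimal("12.50")),
    "PO-1002": PurchaseOrder("PO-1002", "Delta Parts", 40, Decimal("80.00")),
}
RECEIPTS = {
    "PO-1001": DeliveryReceipt("PO-1001", 100),
    "PO-1002": DeliveryReceipt("PO-1002", 35),   # short delivery
}
INVOICES = [
    Invoice("INV-1", "PO-1001", "PH", 100, Decimal("12.50")),  # clean
    Invoice("INV-2", "PO-1002", "US", 40, Decimal("80.00")),   # 5 more than received
    Invoice("INV-3", "PO-1001", "XX", 100, Decimal("13.00")),  # price mismatch, bad country code
    Invoice("INV-4", "PO-9999", "JP", 1, Decimal("1.00")),     # no purchase order
]

if __name__ == "__main__":
    print("approved for payment:", approve_for_payment(INVOICES, ORDERS, RECEIPTS))
    for number, reasons in exception_report(INVOICES, ORDERS, RECEIPTS).items():
        print(number, "->", "; ".join(reasons))
```

The preventive and detective forms share one matching rule on purpose: what differs is when it runs and what happens on failure (a block versus a report). A production match would also track cumulative quantities invoiced against each PO so that two clean-looking invoices cannot together bill more than was received; that is left out here.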

  • 48 PICPA Risk Based Audit Approach

    Frequency of controls

    Scale: Ongoing; Daily / multiple times per day; Monthly; Quarterly; Annually; Ad hoc / As required

    Examples on the slide: Firewall; 3-way match (daily / multiple times per day); Review of general ledger reconciliations; Review of user access to IT systems; Review of accounting policies; Authorization of back pay to employees

  • 49 PICPA Risk Based Audit Approach

    COSO'S INTERNAL CONTROL PUBLICATIONS - COSO IC-IF 2013 at a glance

    Timeline: 1992; 2006; 2009; 2013 (publications). 2014: transition period; 15 Dec 2014: old framework superseded by new framework; 2015: full implementation period

  • 50 PICPA Risk Based Audit Approach

    WHAT IS COSO IC-IF 2013?

    1992 Internal Control - Integrated Framework: gained broad public acceptance; widely recognized as the leading framework. Responded to dramatic changes in business and operating environments. Underwent a significant multiyear update project in 2010, resulting in the COSO Internal Control - Integrated Framework 2013.

    *COSO IC-IF 2013: Committee of Sponsoring Organizations of the Treadway Commission, Internal Control Integrated Framework 2013

  • 51 PICPA Risk Based Audit Approach

    Reasons for updating COSO IC-IF 1992: Changes in Business and Operating Environments

    Demands and complexities in laws, rules, regulations, and standards
    Expectations relating to preventing and detecting fraud
    Changes and greater complexities of business
    Use of, and reliance on, evolving technologies
    Globalization of markets and operations
    Expectations for governance and oversight
    Expectations for competencies and accountabilities

  • 52 PICPA Risk Based Audit Approach

    KEY AREAS PER COSO IC-IF 2013: Components and Principles

    Component 1. Control Environment
    1. Organization demonstrates commitment to integrity and ethical values
    2. Board of directors demonstrates independence from management and exercises oversight responsibility
    3. Management, with board oversight, establishes structure, authority and responsibility
    4. The organization demonstrates commitment to competence
    5. The organization establishes accountability

    Component 2. Risk Assessment
    6. Specifies relevant objectives with sufficient clarity to enable identification of risks
    7. Identifies and assesses risk
    8. Considers the potential for fraud in assessing risk
    9. Identifies and assesses significant change that could impact the system of internal control

    Component 3. Control Activities
    10. Selects and develops control activities
    11. Selects and develops general controls over technology
    12. Deploys control activities through policies and procedures

    Component 4. Information & Communication
    13. Obtains or generates relevant, quality information
    14. Communicates internally
    15. Communicates externally

    Component 5. Monitoring
    16. Selects, develops and performs ongoing and separate evaluations
    17. Evaluates and communicates deficiencies in a timely manner

  • 53 PICPA Risk Based Audit Approach

    Agenda: Risk Assessment - Concept; Relevant Regulatory Developments & Impact; Understanding Internal Control Concepts; Internal Control COSO Integrated Framework 2013; Risk Based Audit Approach: Internal Audit, External Audit

  • 54 PICPA Risk Based Audit Approach

    RBPF framework

    UNDERSTAND: Co-develop expectations; Understand the organization
    ASSESS: Assess the risks
    PLAN: Develop annual plan
    DELIVER: Perform the engagement; Communicate the result
    MONITOR: Monitor the progress; Communicate the result
    DOCUMENT (across all phases)
    QUALITY ASSURANCE: Supervise the engagement; Quality and improvement program

  • 55 PICPA Risk Based Audit Approach

    RBPF framework (diagram as on slide 54), UNDERSTAND: Co-develop expectations

    1. Communicate the value of IA
    2. Understand and agree the expectations of the stakeholders

  • 56 PICPA Risk Based Audit Approach

    RBPF framework (diagram as on slide 54), UNDERSTAND: Understand the organization

    1. Understand organization strategy and objectives
    2. Understand business environment
    3. Understand relevant processes
    4. Understand control environment

  • 57 PICPA Risk Based Audit Approach

    Why do we need to understand the business organization?

    To focus audit priorities on important aspects of the business
    To identify business risks
    To be able to make recommendations that focus on the elements critical to the Company's business

  • 58 PICPA Risk Based Audit Approach

    1. Understand organization strategy & objectives

    1. Revisit: Mission, Vision, Values, Mandates, Strategy; Charter, Manuals, Policies, Procedures. The purpose of this activity is to:
       have a preliminary understanding of the strategic goals and the corresponding risks that the organization might be facing
       identify and clarify the regulations imposed on the organization, to properly serve the stakeholders
    2. Set expectations: meet with stakeholders to align their needs to the annual internal audit plan, as well as communicate to them the internal audit functions.

  • 59 PICPA Risk Based Audit Approach

    A process is a group of logically related activities that transform inputs into outputs. The process owner is a person who is responsible for the process.

    3. Understand relevant processes

  • 60 PICPA Risk Based Audit Approach

    3. Understand relevant processes

    Why do we need to understand the business processes?

    To enhance our understanding of the business by seeing it similar to how management does.

    Identify processes where inherent business risks can be sourced.

    To assist the IA function in designing an effective and efficient audit plan.

  • 61 PICPA Risk Based Audit Approach

    But how?

    Meet with management to confirm or gain an understanding of the key processes and sub-processes

    Understand the objectives and key performance measures for the process

    Consider the complexity of the IT environment supporting the process

    3. Understand relevant processes

  • 62 PICPA Risk Based Audit Approach

    3. Understand relevant processes: Process hierarchy

    Mega > Major > Sub-process > Activity

    Mega process: highest level of processes; its purpose relates to accomplishment of the overall mission of the business
    Major process: subdivision of a mega process; represents a collection of sub-processes
    Sub-process: subdivision of a major process; represents a collection of activities
    Activity: unit of work performed by one job function and at one time, with one mode of operation at the same location

  • 63 PICPA Risk Based Audit Approach

    3. Understand relevant processes (SAMPLE ONLY)

    MEGA Processes: Gain new business; Manufacturing; Marketing and Advertising; Procurement; Distribution; Finance and Accounting
    MAJOR Processes (under Finance and Accounting): Accounts Receivable; Accounts Payable; Payroll; Budgeting and Financial Reporting
    SUB-processes (under Accounts Receivable): Recording receivables; Managing aging of receivables; Managing collection of receivables
    ACTIVITY (examples): Process customer receipts; Follow-up customer overdue debt

  • 64 PICPA Risk Based Audit Approach

    3. Understand relevant processes Universal process classification scheme

  • 65 PICPA Risk Based Audit Approach

    The control environment sets the tone of an organization, influencing the

    control consciousness of its people. The foundation for all other

    components of internal control.

    1. Demonstrates commitment to integrity and ethical values

    2. Board of Directors demonstrates independence from management and exercises oversight responsibility

    3. Management, with Board oversight, establishes structure, authority and responsibility

    4. The organization demonstrates commitment to competence

    5. The organization establishes and enforces accountability

    Control Environment

    4. Understand the control environment

  • 66 PICPA Risk Based Audit Approach

    4. Understand the control environment

    Component: Control Environment
    Principle: Demonstrates commitment to integrity and ethical values
    Approach / Point of Focus: Establishing standards of conduct; Communicating and reinforcing the accountability for responsible conduct for all personnel
    Example Activity: Send Code of Conduct to all employees and third parties acting on behalf of the Company; Post Code of Conduct to the Company's website; Require all employees to complete periodic interactive web-based training

  • 67 PICPA Risk Based Audit Approach

    RBPF framework (diagram as on slide 54), ASSESS: Assess the risks

    1. Identify risks
    2. Prioritize risks

  • 68 PICPA Risk Based Audit Approach

    Roadmap to assess the risks

    Risk self-assessment (RSA) is a structured process to identify and prioritize business risks within the company or a specific business process within the company.

    Identify the risks (Risk universe; Relevant risk) -> Prioritize the risk (Risk profile; Top risks)

  • 69 PICPA Risk Based Audit Approach

    Roadmap to assess the risks

    Comparison of entity and process level RSA

    RSA LEVEL PURPOSE

    1. Entity level

    Entails a comprehensive look at those business risks that affect the organization as a whole.

    Assist management in the execution of their overall risk management process.

    Develop a common language for understanding risks within the organization.

    Drive the development of the annual risk based IA plan.

    2. Process level

    Entails a comprehensive look at those risks that affect one specific process.

    Focus the efforts of the IA procedures within a specific process audit.

    Ensure that process owner concerns were considered in developing the audit plan.

  • 70 PICPA Risk Based Audit Approach

    1. Identify risks

    In identifying risks, consider relevant information gathered from the Understand the Business and Control Environment part of the methodology: Business Analysis Framework (BAF); Organizational Control Assessment; Customized Process Classification Scheme

    Transform inputs into output. Techniques: On-line, interactive questionnaires (surveys); Facilitated meetings, with voting technology; Facilitated meetings; Questionnaires; Interviews

    OUTPUT: Risk universe; Relevant risks

  • 71 PICPA Risk Based Audit Approach

    1. Identify risks

    Risk Universe (Pre-work)

  • 72 PICPA Risk Based Audit Approach

    2. Prioritize risks

    Criteria:

    1. Severity of impact: If the risk happens, how much will it affect the company?

    2. Likelihood of occurrence and frequency: How likely is the risk to happen?

    3. Opportunity for Risk Management Improvement (ORMI): Is there room for the company to improve on its existing risk management strategies/controls?

  • 73 PICPA Risk Based Audit Approach

    2. Prioritize risks

    Funnel (diagram), narrowing from Risk Universe (Pre-work) to Initial Risk Universe to Initial Risk Profile to Most Critical Risks.

  • 74 PICPA Risk Based Audit Approach

    RBPF framework (diagram repeated from slide 67).

    Develop annual plan: 1. Identify and validate audit universe 2. Prioritize auditable areas 3. Identify resource requirements 4. Obtain approval

  • 75 PICPA Risk Based Audit Approach

    Road map to develop annual plan

    1. Identify and validate audit universe
       INPUT: Risk universe; Process universe; Location universe
       OUTPUT: Validated audit universe

    2. Prioritize auditable areas
       INPUT: Date and results of last audit; Request by Management; Other considerations
       OUTPUT: Prioritized auditable areas

    3. Identify resource requirements
       INPUT: Available resources
       OUTPUT: Draft audit plan

    4. Obtain approval
       INPUT: Draft audit plan
       OUTPUT: Approved audit plan

  • 76 PICPA Risk Based Audit Approach

    1. Identify and validate audit universe

    INPUT: Risk universe; Process universe; Location universe
    OUTPUT: Validated audit universe

    Audit Universe refers to the risks and processes that could be targeted for audit. Risks and processes may also be organized and referred to by location.

    1. Obtain the different universes (e.g., risk universe, process universe and location universe) from stakeholders.
    2. Map the risks to the processes.
    3. Identify the locations of the processes.
    4. Present and validate the audit universe to the IA function, management and oversight committee.

  • 77 PICPA Risk Based Audit Approach

    1. Identify and validate audit universe

    1. Obtain the different universes, such as: a. Risk universe b. Process universe c. Location universe

    a. Sample Risk universe (diagram): Management, IA and committee risk universe; Business units risk universe; Enterprise risk management risk universe

    The risk universe may originate from the entity-level perspective down to the business-unit level.

  • 78 PICPA Risk Based Audit Approach

    1. Identify and validate audit universe

    1. Obtain the different universes, such as: a. Risk universe b. Process universe c. Location universe

    The process universe is the list of processes within the Company that will be subject to audit by the IA function, while the location universe is the list of all the locations of the Company, such as head office, regional office and international office.

    b. Sample Process universe (diagram)

    c. Sample Location universe:
    1. Head office
    2. Satellite or regional office
    3. International office

  • 79 PICPA Risk Based Audit Approach

    2. Map the risks in the processes

    Using the process universe, identify the risks associated with that specific process. Risks could be existing or emerging, internal or external and tangible or intangible. Note that not all risks are auditable.

    SAMPLE ONLY

    Columns: Process/Auditable areas | Risk: Regulatory, Political, Contract compliance, Fraud, Planning and budgeting

    Sales and marketing   x x x x
    Customer service      x
    Project development   x x
    Human resource        x

    1. Identify and validate audit universe

  • 80 PICPA Risk Based Audit Approach

    3. Identify the location of the processes.

    Determine whether the processes exist in the different locations of the Company.

    SAMPLE ONLY

    Columns: Process/Auditable areas | Risk: Regulatory, Political, Contract compliance, Fraud, Planning and budgeting | Location: Head office, Regional or satellite office, International office

    Sales and marketing   x x x x x x x
    Customer service      x x
    Project development   x x x
    Human resource        x x x

    4. Present and validate the audit universe to the different business units, management and oversight committee.

    1. Identify and validate audit universe

  • 81 PICPA Risk Based Audit Approach

    2. Prioritize auditable areas

    INPUT: Date and results of last audit; Request by Management; Other considerations
    OUTPUT: Prioritized auditable areas

    The criteria for prioritizing the auditable areas may include, but are not limited to, the following:

    - Number and criticality of risks
    - Number and complexity of the location
    - Date and results of last audit
    - Financial exposure
    - Request by Management
    - Major changes in operations
    - Business complexity
    - Probability that major improvement for the auditable area is needed

  • 82 PICPA Risk Based Audit Approach

    2. Prioritize auditable areas

    SAMPLE ONLY

    Legend:
    H - High; M - Medium; L - Low
    C - Complex; SC - Semi-complex; NC - Not complex
    CD - Cannot determine

    Note:
    - Financial exposure may be based on the previous year's record

    Columns: Process\Auditable areas | Risk: Regulatory, Political, Contract compliance, Fraud, Planning and budgeting | Location: Head office, Regional or satellite office, International office | Other consideration: Number and criticality of risks, Number and complexity of the location, Date and results of last audit, Financial exposure (in Php), Request by management, ERM top risk, Major change in the operation | Priority: Priority, Not priority

    Sales and marketing   x x x x x x x | 4 (H) | 3 (C)  | 2012 | 2 B | Yes | Yes | Yes | x
    Customer service      x x           | 1 (M) | 1 (C)  | 2010 | 2 B | No  | No  | Yes | x
    Project development   x x x         | 2 (H) | 1 (C)  | None | 1B  | Yes | Yes | Yes | x
    Human resource        x x x         | 1 (H) | 2 (SC) | 2007 | CD  | No  | No  | No  | x
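    As an added worked example (not part of the PICPA deck or its methodology), the following Python scores the four SAMPLE ONLY rows of the matrix above against the prioritization criteria listed on the previous slide. The input values are the deck's sample figures; the point weights, the treatment of "None" (never audited) and "CD" (cannot determine) exposure, the plan year and the priority cut-off are assumptions of this example, chosen so that a missing data point raises rather than lowers an area's score.

```python
"""Score and rank auditable areas from the prioritization matrix.

Added example, not the deck's own tool. Input values are the deck's
SAMPLE ONLY rows; weights, plan year and cut-off are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PLAN_YEAR = 2015          # assumed: year the annual plan is being prepared
PRIORITY_CUTOFF = 20      # assumed: a score at or above this is "Priority"

CRITICALITY = {"H": 3, "M": 2, "L": 1}     # legend on the slide
COMPLEXITY = {"C": 3, "SC": 2, "NC": 1}    # legend on the slide


@dataclass(frozen=True)
class AuditableArea:
    name: str
    risk_count: int
    risk_criticality: str            # H / M / L
    location_count: int
    location_complexity: str         # C / SC / NC
    last_audit_year: Optional[int]   # None = never audited ("None" on the slide)
    exposure_php: Optional[int]      # None = cannot determine ("CD" on the slide)
    management_request: bool
    erm_top_risk: bool
    major_change: bool


def score(area: AuditableArea) -> int:
    """Assumed additive weighting; every criterion is visible and adjustable."""
    s = area.risk_count * CRITICALITY[area.risk_criticality]
    s += area.location_count * COMPLEXITY[area.location_complexity]
    # Staleness of coverage: one point per year since the last audit, capped
    # at 5; an area that was never audited gets the cap rather than zero.
    if area.last_audit_year is None:
        s += 5
    else:
        s += min(PLAN_YEAR - area.last_audit_year, 5)
    # Financial exposure: an undeterminable figure is scored as high, not as
    # zero, so a data gap cannot silently push an area out of the plan.
    if area.exposure_php is None:
        s += 3
    else:
        s += 3 if area.exposure_php >= 1_000_000_000 else 1
    s += 2 if area.management_request else 0
    s += 3 if area.erm_top_risk else 0
    s += 2 if area.major_change else 0
    return s


def prioritize(areas: List[AuditableArea]) -> List[Tuple[str, int, str]]:
    """Return (name, score, 'Priority' | 'Not priority'), highest score first, ties by name."""
    ranked = sorted(areas, key=lambda a: (-score(a), a.name))
    return [
        (a.name, score(a), "Priority" if score(a) >= PRIORITY_CUTOFF else "Not priority")
        for a in ranked
    ]


# Rows transcribed from the deck's matrix (SAMPLE ONLY).
SAMPLE_AREAS = [
    AuditableArea("Sales and marketing", 4, "H", 3, "C", 2012, 2_000_000_000, True, True, True),
    AuditableArea("Customer service", 1, "M", 1, "C", 2010, 2_000_000_000, False, False, True),
    AuditableArea("Project development", 2, "H", 1, "C", None, 1_000_000_000, True, True, True),
    AuditableArea("Human resource", 1, "H", 2, "SC", 2007, None, False, False, False),
]

if __name__ == "__main__":
    for name, s, verdict in prioritize(SAMPLE_AREAS):
        print(f"{name:<22} {s:>3}  {verdict}")
```

    With these assumed weights the ranking is Sales and marketing (34), Project development (24), Customer service (15) and Human resource (15); the first two clear the cut-off. The value of writing the scoring down is that the oversight committee can challenge a weight or a cut-off rather than an unexplained "x" in the Priority column.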

  • 83 PICPA Risk Based Audit Approach

    3. Identify resource requirements

    Identify resource requirements

    INPUT PROCESS OUTPUT

    Available resources Draft audit plan

    In determining the resource requirement of the engagements, the IA function may consider the following:

    1. Determine the initial type of engagement.
    2. Identify the man hours needed to complete the engagement.
    3. Check the skill requirements of the engagement.
    4. Decide the right mix to perform the engagement.

  • 84 PICPA Risk Based Audit Approach

    3. Identify resource requirements

    1. Determine the initial type of engagement

    Depending on the risk involved, IA shall assess the initial type of engagement to be performed in the corresponding processes and functions involved. IA may perform one or a combination of the following:

    a) Compliance evaluation: a review to determine the compliance of the concerned business unit with the policies and procedures, including their contents.

    b) Performance evaluation: an assessment of the performance of personnel and/or third parties (e.g., contracts review).

    c) Controls assessment: an assessment with the objective of determining the effectiveness of the control design and its operating application.

  • 85 PICPA Risk Based Audit Approach

    2. Identify the man hours needed to complete the engagement

    The timeframe of the engagement may depend on the following: initial type of engagement; previous experience; known changes (e.g., process owners, process, system).

    SAMPLE ONLY

    Columns: Process\Auditable areas | Risk: Regulatory, Political, Contract compliance, Fraud, Planning and budgeting | Location: Head office, Regional or satellite office, International office | Other consideration: Number and criticality of risks, Number and complexity of the location, Date and results of last audit, Financial exposure (in Php), Request by management, ERM top risk, Major change in the operation | Priority: Priority, Not priority | Type of engagement: Compliance evaluation, Performance evaluation, Controls assessment | Man hours needed

    Sales and marketing   x x x x x x x | 4 (H) | 3 (C)  | 2012 | 2 B | Yes | Yes | Yes | x x   | 480 hours
    Customer service      x x           | 1 (M) | 1 (C)  | 2010 | 2 B | No  | No  | Yes | x x   | 240 hours
    Project development   x x x         | 2 (H) | 1 (C)  | None | 1B  | Yes | Yes | Yes | x x x | 600 hours
    Human resource        x x x         | 1 (H) | 2 (SC) | 2007 | CD  | No  | No  | No  | x x   | 160 hours

    3. Identify resource requirements

  • 86 PICPA Risk Based Audit Approach

    3. Identify resource requirements

    3. Check the skill requirements of the engagement

    Skill set is critical in planning the engagement. It will depend on the initial type of the engagement, including its scope and objective. Some of the considerations are as follows:

    - Facilitation skills
    - Risk management skills
    - Communication and change management skills
    - Industry knowledge
    - Process skills
    - Knowledge of regulations affecting the organization
    - Understanding of information technology risks and processes
    - Effective presentation and report preparation
    - Operations skills
    - Financial or accounting skills

  • 87 PICPA Risk Based Audit Approach

    3. Identify resource requirements

    SAMPLE ONLY

    Columns: Process\Auditable areas | Risk: Regulatory, Political, Contract compliance, Fraud, Planning and budgeting | Location: Head office, Regional or satellite office, International office | Other consideration: Number and criticality of risks, Number and complexity of the location, Date and results of last audit, Financial exposure, Request by management, ERM top risk, Major change in the operation | Priority: Priority, Not priority | Type of engagement: Compliance evaluation, Performance evaluation, Controls assessment | Manhours needed | Skills requirement: Skill set required

    Sales and marketing   x x x x x x x | 4 (H) | 3 (C)  | 2012 | 2 B | Yes | Yes | Yes | x x   | 480 hours | Auditor II (200), Fraud Auditor (280)
    Customer service      x x           | 1 (M) | 1 (C)  | 2010 | 2 B | No  | No  | Yes | x x   | 240 hours | Auditor I (120), Auditor II (120)
    Project development   x x x         | 2 (H) | 1 (C)  | None | 1B  | Yes | Yes | Yes | x x x | 600 hours | Auditor III (350), Engineer (250)
    Human resource        x x x         | 1 (H) | 2 (SC) | 2007 | CD  | No  | No  | No  | x x   | 160 hours | Auditor I (80), Auditor II (80)

    Total man hours for Auditor III: 1800 hours
    Total man hours for Auditor II: 2000 hours

    Note that some skills are not readily available within the IA function. Hence, IA may consider outsourcing them to external or internal parties. (Callout on the table: Outsource)

  • 88 PICPA Risk Based Audit Approach

    4. Obtain approval

    INPUT: Draft audit plan
    OUTPUT: Approved audit plan

    - Ensure audit plan documentation is complete, accurate and reviewed by the CAE.
    - Identify all approvals (e.g., Audit Committee, Board) necessary to confirm the audit plan.
    - Set up a meeting to present the audit plan to: Audit Committee Head or equivalent; Oversight Committee or similar committee.

  • 89 PICPA Risk Based Audit Approach

    RBPF framework (diagram repeated from slide 67).

    Perform the engagement: 1. Understand the process 2. Assess risks in the process 3. Assess process performance and control gaps 4. Validate process measures and control 5. Identify root causes and solutions

  • 90 PICPA Risk Based Audit Approach

    1. Understand the process

    Conduct opening meeting

    Perform walk-through

    Document the understanding of the process

    Validate the understanding of the process

  • 91 PICPA Risk Based Audit Approach

    1. Understand the process (step: Conduct opening meeting)

    The opening meeting shall cover the following:

    - Background discussion
    - Engagement objectives and scope
    - Deliverables and timelines
    - Other matters

  • 92 PICPA Risk Based Audit Approach

    1. Understand the process (step: Perform walk-through)

    Ask questions about (but not limited to):

    - What are the beginning and end points of the process?
    - Understand each task within the process
    - Key inputs and outputs of the process
    - Types and nature of controls
      o Automated vs. manual
      o Detective vs. preventive
      o Specific, pervasive, and monitoring controls
    - Any history of problems with key controls or process areas in the past

  • 93 PICPA Risk Based Audit Approach

    1. Understand the process (step: Document the understanding of the process)

    Tasks (but not limited to):

    - Select the appropriate process mapping tool:
      o Process maps
      o Narrative
    - Create a first draft of the process map
    - Identify the control points in the process
    - Be alert for process inefficiencies that could be the subject of the recommendations

  • 94 PICPA Risk Based Audit Approach

    1. Understand the process (step: Validate the understanding of the process)

    Tasks (but not limited to):

    - Validate the process with the auditee
    - Finalize the process map/narrative
    - Document any preliminary gaps identified at this point

  • 95 PICPA Risk Based Audit Approach

    SAMPLE ONLY

    Sample output: process map

    PROCESS NAME: Credit and Collection
    Sub-process: Collection
    Swimlanes: Customer, Cashier, Cashier Supervisor

    Elements of the flowchart, in the order they appear: Start; Pay the monthly rental; Cash (Yes); Accept the cash; Prepare official receipt (Official Receipt); At the end of the day: Match the cash and issued official receipts; Check: Payment through check (Page 3); Wire Transfer: Payment through wire (Page 6); Prepare remittance slip; Match the cash, remittance slip and official receipt issued; Deposit the cash (No); Deposit collection (Page 11)

    Prepared by: Juana dela Cruz, Version 1 (Page 1 of 20)

  • 96 PICPA Risk Based Audit Approach

    2. Assess risks in the process

    SAMPLE ONLY

    Columns: Risk details (Ref #, Process and/or financial reporting risk) | Control details (Control ref #, Detailed control description, Frequency, Control nature, Control type, Control owner)

    Process: Credit and Collection
    Sub-process: Collection

    R.1.1 Cash collection is misappropriated.   X X
    R.1.2 Cash collection is not deposited on time.   X

    Identify the process-level or transactional-level risks

  • 97 PICPA Risk Based Audit Approach

    3. Assess process performance and control gaps

    a. Identify the existing controls, including relevant details (e.g., frequency, nature, type, owner, IT support application, critical reports), in the process
    b. Map the existing controls to the risks initially identified
    c. Determine if there is any risk without a control or any risk with excessive controls
    d. Determine if the existing controls properly address the risks
    e. Document the initial results of the design effectiveness testing

  • 98 PICPA Risk Based Audit Approach

    3. Assess process performance and control gaps

    SAMPLE ONLY

    Columns: Risk details (Ref #, Process and/or financial reporting risk) | Control details (Control ref #, Detailed control description, Frequency, Control nature, Control type, Control owner, Supporting IT applications, Critical reports)

    Process: Credit and Collection
    Sub-process: Collection

    R.1.1 Cash collection is misappropriated.
      C.1.1 Upon preparation of official receipt, cash collection is automatically recorded in the book as collection. | Event driven | Preventive | Automated | SAP | SAP | Remittance slip
      C.1.2 The Cashier Supervisor matches the cash, remittance slip and official receipt issued. | Daily | Detective | IT-dependent | Cashier Supervisor | None | None

    R.1.2 Cash collection is not deposited on time.
      C.1.3 Cashier deposits the cash collection when she's not busy. | Event driven | Preventive | Manual | Cashier | None | Remittance slip; Deposit slip

    Callout: The control might not be sufficient to mitigate the risk. The IA function should check whether there is any compensating control in the process.
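    As an added example (not the deck's own tool), the following Python encodes the SAMPLE ONLY process-risk-control matrix above and runs the screen that step 3 on the previous slide asks for: risks with no control mapped, risks with excessive controls, and single or manual-only controls that call for a compensating-control check. The risk R.1.3 and the flagging rules (the "excessive" threshold, the manual-only and single-control flags) are assumptions of this example; the other values are the deck's sample rows.

```python
"""Design-effectiveness screen over a process-risk-control matrix.

Added example, not the deck's own tool. R.1.1, R.1.2 and C.1.1-C.1.3 are
the deck's sample rows; R.1.3 and the flagging rules are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    ref: str
    description: str
    frequency: str   # e.g. "Event driven", "Daily"
    nature: str      # "Preventive" or "Detective"
    ctype: str       # "Automated", "IT-dependent" or "Manual"
    owner: str


@dataclass
class Risk:
    ref: str
    description: str
    controls: List[Control] = field(default_factory=list)


MAX_CONTROLS_PER_RISK = 4   # assumed threshold for "excessive controls"

# Sample matrix from the deck; R.1.3 is constructed to show an uncovered risk.
MATRIX = [
    Risk("R.1.1", "Cash collection is misappropriated.", [
        Control("C.1.1", "Upon preparation of official receipt, cash collection is "
                "automatically recorded in the book as collection.",
                "Event driven", "Preventive", "Automated", "SAP"),
        Control("C.1.2", "The Cashier Supervisor matches the cash, remittance slip "
                "and official receipt issued.",
                "Daily", "Detective", "IT-dependent", "Cashier Supervisor"),
    ]),
    Risk("R.1.2", "Cash collection is not deposited on time.", [
        Control("C.1.3", "Cashier deposits the cash collection when she's not busy.",
                "Event driven", "Preventive", "Manual", "Cashier"),
    ]),
    Risk("R.1.3", "Official receipts are issued out of sequence. (constructed)", []),
]


def screen(matrix: List[Risk]) -> Dict[str, List[str]]:
    """Return {risk_ref: [findings]} for every risk whose control design needs attention.

    A risk with a clean design (at least one control, not excessive, not
    manual-only, more than one control) produces no entry.
    """
    findings: Dict[str, List[str]] = {}
    for risk in matrix:
        notes: List[str] = []
        if not risk.controls:
            notes.append("no control mapped")
        elif len(risk.controls) > MAX_CONTROLS_PER_RISK:
            notes.append(f"excessive controls: {len(risk.controls)} mapped")
        else:
            if len(risk.controls) == 1:
                notes.append("single control; check for a compensating control")
            if all(c.ctype == "Manual" for c in risk.controls):
                notes.append("manual controls only")
            if not any(c.nature == "Preventive" for c in risk.controls):
                notes.append("no preventive control")
        if notes:
            findings[risk.ref] = notes
    return findings


def coverage(matrix: List[Risk]) -> Dict[str, int]:
    """Count controls mapped per risk (the 'map the existing controls' output)."""
    return {r.ref: len(r.controls) for r in matrix}


if __name__ == "__main__":
    for ref, count in coverage(MATRIX).items():
        print(f"{ref}: {count} control(s)")
    for ref, notes in screen(MATRIX).items():
        print(f"{ref}: " + "; ".join(notes))
```

    On the sample matrix R.1.1 passes (an automated preventive control plus a daily detective review), R.1.2 is flagged twice (a single, manual control), and the constructed R.1.3 is flagged as having no control at all. The output is the starting list for step 3d, not a verdict: whether C.1.3 is sufficient is still the auditor's judgement, and the deck's own callout says exactly that.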

  • 99 PICPA Risk Based Audit Approach

    4. Validate process measures and controls

    - Prepare detailed test procedures and request samples to be tested
    - Perform testing
    - Identify gaps in the operating effectiveness of controls

  • 100 PICPA Risk Based Audit Approach

    4. Validate process measures and controls

    SAMPLE ONLY

    Columns: Control details (Control ref #, Detailed control description) | Testing information (Test procedures, Test sample, Test result)

    Process: Credit and Collection
    Sub-process: Collection

    C.1.1 Upon preparation of official receipt, cash collection is automatically recorded in the book as collection.
    Test procedures: 1. Try to prepare a dummy official receipt (or observe an actual official receipt) in the system. 2. Determine if it is automatically recorded in the book as cash collection.
    Test sample: Test of 1
    Test result: The system automatically captured the prepared official receipt upon its preparation. No exceptions noted.

    C.1.2 The Cashier Supervisor matches the cash, remittance slip and official receipt issued.
    Test procedures: 1. Obtain the list of remittance slips from the system for the covered period. 2. Select 25 samples to be tested. 3. Request the supporting hard-copy remittance slip, official receipt issued and other supporting documents. 4. Check if the Cashier Supervisor reviewed the selected samples. 5. Determine if the details in the system-generated remittance slip match the hard-copy remittance slip and official receipt. 6. Perform footing and cross-footing. 7. Further match the system-generated remittance slip with the deposit slip. 8. Document the gaps noted.
    Test sample: 25 transactions
    Test result: There is a noted discrepancy between the system-generated remittance slip and the deposit slip. Total cash collection on 8 July 2013: Per remittance slip Php 8,700,909.00; Per deposit slip 7,001,500.00; Difference Php 1,699,409.00. Further, no bank reconciliation is being performed.

    C.1.3 Cashier deposits the cash collection when she's not busy.
    Test procedures: No testing will be performed, since there is no specific date or timeline to deposit the cash collection in the bank.
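    As an added example (not the deck's own test tool), the following Python performs test steps 6 and 7 for C.1.2: it foots each system-generated remittance slip from its official receipts and then matches the footed daily totals against the deposit slips. The slip and deposit records are constructed for this example; the 8 July 2013 figures reproduce the discrepancy reported in the test result above, and the 10 and 11 July records are added to show a footing error and a day with no deposit at all (the condition behind R.1.2).

```python
"""Remittance-slip vs deposit-slip reconciliation (test steps 6 and 7 for C.1.2).

Added example, not the deck's own tool. All records below are constructed;
the 8 July 2013 figures reproduce the slide's reported discrepancy.
Amounts use Decimal so that footing is exact.
"""
from collections import defaultdict
from decimal import Decimal
from typing import Dict, List

# Constructed system-generated remittance slips: each lists the official
# receipts (OR) it covers and the total printed on the slip.
REMITTANCE_SLIPS = [
    {"slip": "RS-0001", "date": "2013-07-08",
     "receipts": [("OR-1001", "5000000.00"), ("OR-1002", "3700909.00")],
     "stated_total": "8700909.00"},
    {"slip": "RS-0002", "date": "2013-07-09",
     "receipts": [("OR-1003", "1200000.00")],
     "stated_total": "1200000.00"},
    {"slip": "RS-0003", "date": "2013-07-10",
     "receipts": [("OR-1004", "250000.00"), ("OR-1005", "300000.00")],
     "stated_total": "600000.00"},        # footing error: receipts add to 550000.00
    {"slip": "RS-0004", "date": "2013-07-11",
     "receipts": [("OR-1006", "75000.00")],
     "stated_total": "75000.00"},         # no deposit slip exists for this day
]

# Constructed bank deposit slips.
DEPOSIT_SLIPS = [
    {"deposit": "DS-0001", "date": "2013-07-08", "amount": "7001500.00"},
    {"deposit": "DS-0002", "date": "2013-07-09", "amount": "1200000.00"},
    {"deposit": "DS-0003", "date": "2013-07-10", "amount": "550000.00"},
]


def foot(slip: dict) -> Decimal:
    """Step 6 (footing): recompute the slip total from its receipts."""
    return sum((Decimal(amt) for _, amt in slip["receipts"]), Decimal("0.00"))


def footing_exceptions(slips: List[dict]) -> List[str]:
    """Slips whose printed total does not equal the sum of their receipts."""
    return [s["slip"] for s in slips if foot(s) != Decimal(s["stated_total"])]


def reconcile(slips: List[dict], deposits: List[dict]) -> Dict[str, Dict[str, Decimal]]:
    """Step 7: per day, compare the footed remittance total with the amount deposited.

    Returns only days with a non-zero difference. A day with remittances but
    no deposit slip appears with deposited = 0.00 instead of being skipped.
    """
    remitted = defaultdict(lambda: Decimal("0.00"))
    deposited = defaultdict(lambda: Decimal("0.00"))
    for s in slips:
        remitted[s["date"]] += foot(s)      # footed, not printed, totals
    for d in deposits:
        deposited[d["date"]] += Decimal(d["amount"])
    exceptions: Dict[str, Dict[str, Decimal]] = {}
    for day in sorted(set(remitted) | set(deposited)):
        diff = remitted[day] - deposited[day]
        if diff != 0:
            exceptions[day] = {"remitted": remitted[day],
                               "deposited": deposited[day],
                               "difference": diff}
    return exceptions


if __name__ == "__main__":
    print("Footing exceptions:", footing_exceptions(REMITTANCE_SLIPS))
    for day, e in reconcile(REMITTANCE_SLIPS, DEPOSIT_SLIPS).items():
        print(f"{day}: remitted {e['remitted']:,} deposited {e['deposited']:,} "
              f"difference {e['difference']:,}")
```

    Footing and reconciliation are kept as separate findings because they point at different root causes: a slip whose printed total disagrees with its receipts (RS-0003) is evidence about the editability of the report, while a day whose footed total exceeds the deposit (8 July, difference 1,699,409.00) is evidence about what happened to the cash after the slip was prepared. Using the footed totals rather than the printed ones in the reconciliation keeps an edited slip from masking a shortfall.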

  • 101 PICPA Risk Based Audit Approach

    5. Identify root causes and solutions

    We determine the root causes of control, compliance or performance gaps:

    - To determine which root causes have the greatest negative impact on a process or control and where to focus efforts to minimize or eliminate gaps.
    - To develop implementable solutions that will minimize or eliminate the identified control gaps or compliance

    Root cause diagram: Process, Policies and procedures, People, Oversight, IT -> Control or Compliance or performance gap

  • 102 PICPA Risk Based Audit Approach

    5. Identify root causes and solutions

    SAMPLE ONLY

    Root causes mapped on the diagram (Process, Policies and procedures, People, Oversight, IT -> Control or Compliance or performance gap):

    1. a. Cashier has an opportunity to edit the remittance slip when generated.
    1. b. System-generated remittance slip is editable upon generation.
    2. a. There is no process to review or match whether the system-generated remittance slip matches the deposit slip.
    2. b. There is no assigned personnel to review or match whether the system-generated remittance slip matches the deposit slip.
    2. c. Matching of the remittance slip against the deposit slip is not documented in the process.

  • 103 PICPA Risk Based Audit Approach

    RBPF framework (diagram repeated from slide 67).

    Communicate the result: 1. Provide recommendation and agree action plan 2. Conduct closing meeting 3. Issue final report

  • 104 PICPA Risk Based Audit Approach

    Communicate results

    Recommendations may be based on the following: root causes identified; leading practice.

    SAMPLE ONLY

    Test result:
    There is a noted discrepancy between the system-generated remittance slip and the deposit slip. Total cash collection on 8 July 2013: Per remittance slip Php 8,700,909.00; Per deposit slip 7,001,500.00; Difference Php 1,699,409.00. Further, no bank reconciliation is being performed.

    Root cause:
    1. a. Cashier has an opportunity to edit the remittance slip when generated from the system. b. System-generated remittance slip is editable upon generation.
    2. a. There is no process to review or match whether the system-generated remittance slip matches the deposit slip. b. There is no assigned personnel to review or match whether the system-generated remittance slip matches the deposit slip. c. Matching of the remittance slip against the deposit slip is not documented in the process.

    Recommendation:
    1. The IT or system developer should revisit the program in the system to make the reports non-editable upon generation from the system.
    2. The concerned management should consider putting an additional control in the process. Personnel independent from the custody and recording of cash collection should review whether the cash collection recorded in the system matches the deposit slip and ultimately the bank account. This control may be part of the bank reconciliation process.

  • 105 PICPA Risk Based Audit Approach

    Communicate results

    - Audit observations are discussed with the auditee as they are identified.
    - Co-develop recommendations (team approach).
    - Where significant, a closing meeting may be held.
    - Communicating results is formalized through audit reports:
      o Objective and factual
      o Contains observations, conclusion, recommendations, and the auditee's response
      o Reviewed and approved by the CAE
    - The final audit report is issued to the auditee, senior management, the Executive Office, and the Audit Committee.

  • 106 PICPA Risk Based Audit Approach

    RBPF framework (diagram repeated from slide 67).

    Monitor the progress: 1. Validate the implementation of action plan 2. Issue monitoring report

  • 107 PICPA Risk Based Audit Approach

    RBPF framework (diagram repeated from slide 67).

    Document the result of: Understanding; Assessing; Planning; Delivering; Monitoring; Quality assurance

  • 108 PICPA Risk Based Audit Approach

    RBPF framework (diagram repeated from slide 67).

    Quality assurance: Review and supervise; Conduct internal assessment; Facilitate the conduct of external assessment

  • 109 PICPA Risk Based Audit Approach

    Risk Assessment - Concept

    Relevant Regulatory Developments & Impact

    Understanding Internal Control Concepts

    Internal Control COSO Integrated Framework 2013

    Risk Based Audit Approach:

    Internal Audit

    External Audit

    Agenda

  • 110 PICPA Risk Based Audit Approach

    RBA framework (diagram)

    Phases: Strategic Planning and Risk Identification; Planning (Audit Planning and Risk Assessment); Delivery (Execution; Conclusion and Reporting); Monitoring (Quality Control System)

    Note: Procedures for all audit services are integrated in all phases, except for the Execution phase.

  • 111 PICPA Risk Based Audit Approach

    RBA framework (diagram, highlighting Strategic Planning and Risk Identification)

    STRATEGIC PLANNING AND RISK IDENTIFICATION

    Activities:

    - Perform Risk Identification (RI)
      o Develop/update the Business Risk Model (BRM)
      o Identify risks
      o Report the results of RI
    - Conduct Strategic Planning

  • 112 PICPA Risk Based Audit Approach

    RBA framework (diagram, highlighting Planning: Audit Planning and Risk Assessment)

    PLANNING: Audit Planning and Risk Assessment

    Activities:

    Business Planning and Audit Risk Assessment
    - Prepare Audit Work step
    - Understand the Business
    - Identify Significant Business Risks
      o Update Business Risk Model
      o Identify Business Risks
      o Prioritize Significant Business Risks
    - Understand and Assess Business-level Controls
    - Understand the Process
      o Identify Critical Path of the Processes
      o Identify Process Risks
      o Identify Impact
      o Identify Existing Controls
    - Conduct Audit Risk Assessment and Planning

  • 113 PICPA Risk Based Audit Approach

    RBA framework (diagram, highlighting Delivery: Execution; Conclusion and Reporting)

    Execution activities: Design Audit Tests; Execute Audit Tests; Evaluate Audit Results; Communicate Audit Results

    CONCLUSION AND REPORTING

    - Summarize Audit Results
      o Prepare summary of the results and conclusions of the audit
      o Discuss results of different types of audit conducted
    - Prepare Audit Report
      o Prepare Annual Audit Report
    - Wrap-up and Archive the Engagement
      o Archive working papers/documentation of audit
    - Follow-up Action Plan

  • 114 PICPA Risk Based Audit Approach

    RBA framework (diagram, highlighting Monitoring (Quality Control System))

    MONITORING

    Activity:

    - Monitor quality control on audit services

  • 115 PICPA Risk Based Audit Approach

    RBA framework (diagram, all phases with their activities)

    - Strategic Planning and Risk Identification: Perform Risk Identification; Conduct Strategic Planning
    - Planning (Planning and Audit Risk Assessment): Prepare Audit Work step; Identify Significant Business Risks; Understand and Assess Business-level Controls; Understand the Business; Understand the Process; Conduct Audit Risk Assessment and Planning
    - Delivery (Execution): Design Audit Tests; Execute Audit Tests; Evaluate Audit Results; Communicate Audit Results
    - Delivery (Conclusion and Reporting): Summarize Audit Results; Prepare Audit Report; Wrap-up and archive the engagement; Follow-up Action Plan
    - Monitoring

  • 116 PICPA Risk Based Audit Approach

    RBA Tools and Templates

    Strategic Planning and Risk Identification

    o Form 01-01: Business Risk Model

    o Form 01-02: Business Risk Identification Template

    Planning (Planning and Audit Risk Assessment)

    o Form 02-01: Audit Work step

    o Form 02-02: Understanding the Business Template

    o Form 02-03: Business Risk Model

    o Form 02-04: Business Risk Identification Matrix

    o Form 02-05: Business-level Control Checklist

    o Form 02-06: Process-Risk-Control Matrix

    o Form 02-07: Audit Risk Assessment and Planning Tool

    Delivery (Execution; Conclusion and Reporting)

    o Form 03A-01: Audit Test Summary

    o Form 03B-01: Summary of Audit Results and Recommendations

    o Form 03B-02: Quality Inspection Tool

    o Form 03B-03: Action Plan

    o Form 03B-04: Action Plan Monitoring Tool

    Monitoring

  • 117 PICPA Risk Based Audit Approach

    Audit services and RBA framework

    Framework diagram labels: Strategic Planning and Risk Identification; Planning (Audit Planning and Risk Assessment); Delivery (Execution; Conclusion and Reporting); Monitoring

    Audit services shown: Financial; Compliance; Fraud

    Notes: Strategic Planning and Risk Identification is the integration point wherein the five audit services are considered. Other types of audit conducted are mentioned in audit reports and considered before rendering audit opinion. Comprehensive auditing is discussed in Phases 1 and 2. Although Fraud is given consideration, the full-length discussion is in the Fraud Audit Manual. The guidelines set forth in the Monitoring phase are applicable to comprehensive auditing.


  • 118 PICPA Risk Based Audit Approach

    RBA framework

    Framework diagram labels: Strategic Planning and Risk Identification; Planning (Audit Planning and Risk Assessment); Delivery (Execution; Conclusion and Reporting); Monitoring (Quality Control System)

  • 119 PICPA Risk Based Audit Approach

    Strategic Planning and Risk Identification

    Risk Identification (RI)

    o Develop/update the Business Risk Model

    o Identify risks

    o Report the results of Risk Identification

    Conduct Strategic Planning

  • 120 PICPA Risk Based Audit Approach

    Risk Identification Process Flow

    Inputs to Identify Risks:

    o Industry risks

    o Fraud and geographic risks

    o Technological changes

    o Global Trends

    o Knowledge and prior audit reports

    o Media releases and reporting

    Linkage of risks to Departments: Finance; Human Resource; Marketing; Purchasing; Accounting

  • 121 PICPA Risk Based Audit Approach

    SAMPLE Risk Identification Template

    Template columns: Business Objective; Key Risk (Risk Category, Risk Title, Risk Definition); Basis of Selection; Departments; Program / Activity / Project

    Sample row:

    o Business Objective: Improve Financial Position - Create opportunities for non-traditional revenue streams

    o Key Risk: Strategic Vision and Direction - Failure to establish a vision and direction for major initiatives, including services, products and programs that will drive future growth. Failure to establish project acceptance criteria and adequately measure against the criteria.

    o Basis of Selection: Changes in management

    o Departments and Program / Activity / Project: Purchasing - Centralization of Purchasing Functions; Finance - Proper reporting of financial records

  • 122 PICPA Risk Based Audit Approach

    Enterprise-wide Audit Risk Assessment

    The report on the results of Risk Identification contains/documents:

    RI Template

    Minutes of the RI activity

    Participants of RI

    Report on the results of Risk Identification (RI)

    The report shall be presented to the management and distributed to concerned departments.

  • 123 PICPA Risk Based Audit Approach


  • 124 PICPA Risk Based Audit Approach

    Linkage of strategic planning process with RBA

    Diagram labels, Company side: Annual Strategic Planning process; Strategic Action Plan (SAP); Departmental Plan (COP/ROP)

    Diagram labels, Auditor side: Risk Identification; Audit Planning and Risk Assessment (Planning)

    The Risk Identification Template (RIT) is the artifact shared between the two sides.

  • 125 PICPA Risk Based Audit Approach


  • 126 PICPA Risk Based Audit Approach

    Assess Audit Risk

    Step 1: Assess Inherent Risk

    Inherent risk:

    The susceptibility of an assertion about a class of transactions, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

    Inherent Risk scale: Lower to Higher

  • 127 PICPA Risk Based Audit Approach

    Assess Audit Risk

    Factors that may affect our inherent risk assessment are as follows:

    Susceptibility to material misstatement

    Size and composition

    Variations from expected amounts

    Effects of external factors

    Competence and experience of personnel

    Degree of subjectivity

    Completion of unusual/complex transactions at or near period-end

    Transactions not subjected to routine processing

  • 128 PICPA Risk Based Audit Approach

    Assess Audit Risk

    Step 2: Assess Preliminary Control Risk

    Control risk:

    The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the internal control.

    Preliminary Control Risk scale: Rely or Not Rely

  • 129 PICPA Risk Based Audit Approach

    Assess Audit Risk

    Our preliminary assessment of control risk is based on the following:

    Information we obtained from prior periods' engagements, if available

    Results of our walkthrough in our understanding of the processes

  • 130 PICPA Risk Based Audit Approach

    Assess Audit Risk

    Step 3: Make overall risk assessment

    Overall risk assessment (rows: Inherent Risk Assessment; columns: Control Risk Assessment):

                              Control Risk: Rely    Control Risk: Not Rely
    Inherent Risk: Higher     Low                   High
    Inherent Risk: Lower      Minimal               Moderate

  • 131 PICPA Risk Based Audit Approach

    Determine Audit Scope and Timing

    Our audit scope defines the boundaries and limitations of our audit. We document our audit scope based on the results of our risk assessment. In determining the timing of our audit tests (tests of controls and substantive tests), we shall consider the auditors' other responsibilities such as, but not limited to:

    o Cash examinations to accountable officers

    o Request for relief of accountabilities

    o Issuance of disallowances

    o Pre-audit activities

  • 132 PICPA Risk Based Audit Approach

    Prepare Audit Risk Assessment and Planning Tool

    The Audit Risk Assessment and Planning Tool will facilitate:

    The documentation of the audit team's audit risk assessment.

    The documentation of the audit strategies, scope and estimated timing which will guide the auditors in the development of the audit test procedures.

  • 133 PICPA Risk Based Audit Approach

    Prepare Audit Risk Assessment and Planning Tool

    At a minimum, our Audit Risk Assessment and Planning Tool contains the following:

    Our audit focus areas and our planned audit approach (nature and extent of audit procedures) including timing.

    Our documentation of Professionals with specialized skills needed for the audit and the scope of work to be performed.

    Our documentation of Other Material accounts to be subjected to High-level precision analytics.

  • 134 PICPA Risk Based Audit Approach

    Prepare Audit Risk Assessment and Planning Tool

    We determine the overall audit risk assessment for each assertion of each significant account.

    Based on the overall risk assessment, we determine the audit approach and our estimated timing for execution of the audit approach.

  • 135 PICPA Risk Based Audit Approach


  • 136 PICPA Risk Based Audit Approach

    SAMPLE Test of Control Working Paper

  • 137 PICPA Risk Based Audit Approach

    Design Substantive Tests

    Nature

    We customize the tests of details for significant accounts in accordance with our audit strategy outlined in our Audit Planning Memorandum.

    Extent

    Minimal or Low risk assessment: Less extensive tests of details

    Moderate or High risk assessment: More extensive tests of details

    Timing

    Timing of our tests of details depends on the results of the risk assessment conducted in Phase 2

    We may design the timing at interim dates.

  • 138 PICPA Risk Based Audit Approach

    Design Substantive Tests

    Benefits of performing tests of details at interim dates:

    Enable earlier identification of significant findings and issues

    Allow more time to address and resolve significant findings and issues

    Reduce work performed during year-end

    Help to manage tight reporting deadlines

  • 139 PICPA Risk Based Audit Approach

    Design Substantive Tests

    Timing Substantive Tests at Interim Dates

    Risk Assessment: Timing

    Minimal: Earlier in the reporting period (e.g., up to six months before the balance sheet date)

    Low: During the later portion of the reporting period (e.g., up to three months before the balance sheet date)

    Moderate or High: At or near the period end (e.g., up to one month before the balance sheet date)

  • 140 PICPA Risk Based Audit Approach

    Design Substantive Tests

    Roll forward Considerations

    When we design interim procedures, we also design roll forward procedures

    Extent of roll forward procedures shall be customized depending on the roll forward period and risk assessment.

  • 141 PICPA Risk Based Audit Approach

    Design Substantive Tests

  • 142 PICPA Risk Based Audit Approach

    Execute Substantive Tests

    Audit Evidence Considerations

    Quality of audit evidence is affected by the relevance and reliability of the information upon which it is based.

    Reliability of audit evidence is increased when:

    o Obtained from independent sources outside

    o The related controls imposed are effective

    o Obtained directly

    o Obtained in documentary form as opposed to those obtained orally

    o It is in original form as opposed to evidence provided by photocopies or fax.

  • 143 PICPA Risk Based Audit Approach

    Execute Substantive Tests

    Accounting Estimates

    If our planned procedures include testing how management determined the accounting estimate, we evaluate whether:

    The method of measurement used is appropriate in the circumstances (e.g., in relation to the operations, sector and environment), including management's rationale for selecting the method.

    The assumptions used by management are reasonable in light of the measurement requirements of the applicable financial reporting framework, including the consistency of the assumptions with our understanding of management's intent and ability to carry out certain courses of action.

  • 144 PICPA Risk Based Audit Approach

    Execute Substantive Tests

    External Confirmations

    To ensure reliability, confirmation responses should be received by the auditors directly from parties where confirmations were sent.

    Confirmation exceptions may be given for investigation after we establish control by making a copy or other record of the confirmation reply.

    When we do not receive replies to confirmation requests, we apply alternative procedures to the non-responses to obtain the evidence necessary.

  • 145 PICPA Risk Based Audit Approach

    Evaluate Results of Audit Tests

    Identification and accumulation of misstatements is one of our most important audit responsibilities and is critical in enabling us to formulate our audit opinion.

    If we identify an intentional misstatement in the financial statements, we determine if this is an incident of fraud or represents non-compliance with applicable laws and regulations.

    The matter is reported to the Supervising Auditor of the engagement and communicated to the appropriate level of management.

  • 146 PICPA Risk Based Audit Approach

    Communicate Audit Results

    We discuss each audit finding with the appropriate level of management to confirm that our understanding of the nature and cause of the audit finding is factually correct.

    If the company disagrees that there is an audit finding, or disputes the amount involved, we ask them to support their position by providing additional audit evidence.

    If the evidence provided by the company does not support the company's position, we determine the effect on our audit opinion, which may include consulting with the Supervising Auditor.

    Documentation: Audit Observation Memorandum

  • 147 PICPA Risk Based Audit Approach


  • 148 PICPA Risk Based Audit Approach

    Conclusion and Reporting

    Summarize Audit Results

    o Prepare summary of audit results and recommendations

    o Discuss results of other types of audit conducted

    Prepare Audit Report

    o Prepare Annual Audit Report (AAR)

    Wrap-up and archive the engagement

    Follow-up Action Plan

  • 149 PICPA Risk Based Audit Approach

    Delivery Conclusion and Reporting

    Summarize Audit Results

    o Prepare summary of audit results and recommendations

    o Discuss results of other types of audit conducted

    Prepare Audit Report

    o Prepare Annual Audit Report (AAR)

    Wrap-up and archive the engagement

    Follow-up Action Plan

  • 150 PICPA Risk Based Audit Approach

    Summarize audit results

    Accumulated results are summarized at the end of the audit. Significant findings, issues and observations, including misstatements, are summarized and discussed with the company. The conclusion for each misstatement, finding, issue and observation is documented. This serves as the basis for formulating the audit opinion in the audit report. The Summary of Audit Results and Recommendations (SARR) is presented on the next slide.

    Discuss results of other types of audit conducted

    Prepare summary of audit results and recommendations

  • 151 PICPA Risk Based Audit Approach

    Summary of Audit Results and Recommendations

    Form callouts:

    o Reference number for the audit findings

    o Document management's feedback

    o Supply the auditor's rejoinder on the management comments, if any

    o Indicate AOM No. and date issued

    o Document the observation noted, including the corresponding recommendation

  • 152 PICPA Risk Based Audit Approach

    Summary of Audit Results and Recommendations

    Form callouts:

    o Reference number for the audit findings

    o Summarize the unrecorded adjusting/reclassifying journal entries, including their amounts and effects on the financial statements

  • 153 PICPA Risk Based Audit Approach

    Summary of Audit Results and Recommendations

  • 154 PICPA Risk Based Audit Approach


  • 155 PICPA Risk Based Audit Approach

    Prepare audit report

    In reporting the results of audit, the auditors prepare the following reports:

    o Audit opinion

    o Management Letter

  • 156 PICPA Risk Based Audit Approach


  • 157 PICPA Risk Based Audit Approach

    Wrap-up and archive the engagement

    Audit documentation shall be sufficient for an experienced auditor with no previous association with the audit to be able to understand the nature, timing, extent and results of procedures performed, evidence obtained and conclusions reached.

    Auditors shall use professional judgment in determining the nature and extent of the audit documentation. However, it shall be ensured that it is consistent with policies, professional standards and other legal and regulatory requirements.

  • 158 PICPA Risk Based Audit Approach


  • 159 PICPA Risk Based Audit Approach

    Follow-up Action Plans

    An effective monitoring system not only ensures the prompt and proper resolution of audit recommendations and the implementation of corrective action, but also ensures that a complete record of actions taken on observations and recommendations is maintained.

    An audit issue database may:

    o Support in monitoring all issues and the subsequent action taken by the auditors during the audit.

    o Guide during the assessment of the key risks of the business.

    o Serve as reference in conducting an in-depth analysis on the relationships of issues among different departments.

    Audit Issue Database

  • 160 PICPA Risk Based Audit Approach

    Follow-up Action Plans

    Benefits of Monitoring:

    Assures the auditor that the benefit of work done is realized

    Validates that the recommendations as implement