
Risk Based Audit Approach:
Understanding Risk, Internal Controls and the Risk Based Audit Approach
8 June 2015

Leonardo J. Matignas, Jr., Partner
Joseph Ian M. Canlas, Partner

Agenda
Risk Assessment - Concept
Relevant Regulatory Developments & Impact
Understanding Internal Control Concepts
Internal Control COSO Integrated Framework 2013
Risk Based Audit Approach:
Internal Audit
External Audit

PICPA Risk Based Audit Approach

Purpose of this training

At the end of this training, participants are expected to:
Understand basic concepts about risk, internal controls and the risk-based audit approach.
Gain a basic understanding of internal control principles under the COSO Internal Control - Integrated Framework 2013.
Recognize the need for a risk-based audit approach to continually address risks due to the changing business environment and manage stakeholder expectations.

Getting to know PICPA Risk Based Audit Approach


Setting the context

From a paper presented by EJ Smith, the first and last Captain of RMS Titanic:

"When anyone asks me how I can describe my experience of nearly forty years at sea, I merely say uneventful. Of course there have been winter gales and storms and fog and the like, but in all my experience, I have never been in an accident of any sort worth speaking about. I never saw a wreck and have never been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort."

- E.J. Smith, 1907

So what really went wrong?

Misplaced objectives: disregard for safety considerations in the excitement to break a record.
Safety measures compromised in design: sealed compartments not effective enough to handle damage of this magnitude.
Responsibilities not clear: the ship and its crew were new, and individual responsibilities were not clear.
Information overlooked: the iceberg warnings that were received were overlooked.
Inadequate contingency plans: not enough lifeboats, sacrificed for improved aesthetics.

Lessons learnt

1. Setting strategic objectives with clear consideration for risk management
2. Contingency planning: knowing what can go wrong and having appropriate mitigation measures in place
3. Thorough evaluation of the mitigation measures
4. Clear communication of roles and responsibilities
5. Effective monitoring and thorough analysis of the risk indicators

Business risk definition

A business risk is a threat that an event or action will adversely affect the Company's ability to achieve its business objectives and maximize stakeholder value.

Or simply: what keeps the Board and Management awake at night?

Linking Risk to Business Strategy

Company's goals, objectives and strategy -> What will not allow the Company to succeed? -> Business risks (external and internal) -> How can we use these to our advantage?

Attributes of Business Risk

Could be existing
Could be emerging (has a potential of happening)
Presents an exposure to both tangible and intangible assets
Can arise from the external environment, from internal processes and from the lack of information for decision making
Presents an exposure (downside) if not managed, or a potential opportunity (upside) if managed well

Linking Risks to Objectives and Processes

Steps: Link Business Objectives to Risks -> Evaluate the significance of the risk to business objectives -> Link Risks to Business Processes -> Evaluate Management and Control Activities

Business Objectives and Strategies (grouped under Revenue and Market Share; Earnings and Operating Margins; Reputation and Brand; Asset and Capital Management): Gain New Business, Expand into New Markets, Expand Product Offering, Maximize Return on Capital, Achieve Cost Optimization, Optimize Operating Efficiency, Maximize Benefits from Technology Investments, Deliver Superior Customer Service, Enhance Product Quality, Retain Top Performers

Key Business Risks (examples): Economic Conditions, Evolving Global Economy, Interest Rate Volatility, Raw Material Price Volatility, International Expansion, New Product Development, Environmental Regulation, Regulatory Compliance, IT Infrastructure Capacity, Key Supplier Dependence, Recruitment & Retention, Customer Migration, Health/Pension Costs, Joint Venture Partnerships, Business Continuity, Intellectual Property

Business Processes (examples): Procurement, Production, Distribution, Customer Support, New Product Development

Risk Management (RM)

Risk Management is a set of coordinated activities to direct and control an organization with regard to risk. (ISO 31000)

Why Assess Risk?

To provide management with a venue to identify and assess the impact of significant business risks that may threaten business objectives.
To identify the key risks that will be given audit focus in the audit plan.
To focus the audit work on the critical business risks of the Company.

Risk Assessment: identify risks, prioritize risks.

Who is Responsible for Assessing Risk?

Management is primarily responsible for identifying, measuring, prioritizing and managing risk.
Internal Audit can facilitate the risk assessment process and should use the results for determining the audit focus.

The Best Resources to Identify Risks are the Process Owners

Better knowledge of the business
Better, more timely information on risks
More knowledge of the impact of risks on the business
Better awareness of what is implementable

Sample Risks

Environment Risks
Exposure to fraud or money laundering activity
Unsafe working conditions resulting in accidents
Technology becoming obsolete

Process Risks
Adequate levels of inventory are not maintained
Inadequate resources, staffing or untimely staff changes

Information for Decision Making Risks
Poor or failed communication
Pressure to meet expectations set by key stakeholders

Enterprise Risk Management Process (cycle)

Establish RM goals and objectives, and RM oversight structure
Assess business risks
Develop RM strategies
Develop common language
Monitor RM process
Continuously improve RM process

ISO 31000 Risk Management Principles and Guidelines (process diagram)

Risk Management Framework Comparison (diagram)

ISO 31000 Risk Management Process for Managing Risk compared with the ERM Process; the ISO 31000 process wraps each step in "Communicate and Consult".


Steps to Risk Identification

Survey questionnaires, interviews, brainstorming sessions -> Filtering issues to identify business risks -> Developing a common risk language -> Risk prioritization
Facilitate a risk assessment session with management

Risk Map (figure; risks plotted by impact and likelihood score): Customer Satisfaction Risk, Customer Wants Risk, Human Resources Risk, Technology Risk, Regulatory Risk, Credit Default Risk, Business Interruption Risk, Product/Service Failure Risk, Capacity Risk, Partnering Risk, Competitor Risk

Sample Consideration in Determining the Significance of the Risk

If the risk happens, how significant will the impact be to the Company's business?

Sample Consideration in Determining the Likelihood of the Risk

What is the probability of the risk happening over the next 5 years (without us consciously doing something to manage the risk)?

Identification of Risks for Audit Focus

Identify the risks for audit focus on the risk map (risks plotted: Customer Satisfaction, Customer Wants, Human Resources, Technology, Regulatory, Credit Default, Business Interruption, Product/Service Failure, Capacity, Partnering, Competitor), then agree with management on the risks to be covered by internal audit.


Relevant Regulatory Developments & Impact

Specific Regulations (Philippines):
SEC MC 6, 2009 - SEC Revised Code of Corporate Governance
SEC MC 2, 2002 - Code of Corporate Governance
2010 PSE Corporate Governance Guidelines for Listed Companies

Global Regulations:
USA: SOX 404
Japan: J-SOX
Basel II
Others

Primary Objectives for Philippine Corporations:
Increased investor trust
Increased management responsibility and accountability
Increased transparency
Reduced number of financial surprises and related business failures
More reliable financial reporting

The regulatory environment continues to evolve and gain maturity.

Corporate Governance Framework

Corporate governance is the system, including objectives, rules and procedures, by which business corporations are directed and controlled. Or simply: it is about doing the right things for the shareholders and stakeholders in a business.

PSE Memorandum No. 2010-0574
PSE Guidelines for a Well-governed Company

1. Develops and executes a sound business strategy.
2. Establishes a well-structured and functioning board.
3. Maintains a robust internal audit and control system.
4. Recognizes and manages enterprise risks.
5. Ensures the integrity of its financial reports as well as its external auditing function.
6. Respects and protects the rights of its shareholders, particularly those that belong to the minority or non-controlling group.
7. Adopts and implements an internationally-accepted disclosure and transparency regime.
8. Respects and protects the rights and interests of its employees, community, environment, and other stakeholders.
9. Does not engage in abusive related-party transactions and insider trading.
10. Develops and nurtures a culture of ethics, compliance & enforcement.
Source: The Philippine Stock Exchange Official Website

PSE Memorandum best practices

4. Recognizes and manages enterprise risks.
An Enterprise-wide Risk Management system should be in place and properly functioning in a transparent manner:
Have board oversight
Seek external support
Disclose risk information and how these risks are managed
Establish a risk management unit
Prepare a formal risk management policy
Have ERM activities in accordance with internationally recognized frameworks


ACTIVITY 1: SUPERMARKET RISKS & CONTROLS

Supermarket Risk & Control

Purpose: To identify the key business risks and the related controls of a supermarket.

Case Facts: ABC Supermarket is a large, leading supermarket that offers almost everything you need. This particular supermarket is part of a large chain that includes approximately 30 supermarkets in total.

Instructions:
Review the supermarket lay-out on the following page.
Identify the related risks and the controls that will mitigate the key risks identified.
Be prepared to discuss your answers with the group.

Supermarket Risk & Control: store lay-out (figure)

Areas shown: Stockroom, Manager's Office, Toiletries, Books and Magazines, International Goods, Canned Goods, Fresh Produce, Household Consumables, Snacks, Drinks, Cosmetics, Counters #1 to #3, Customer Service, Stalls #1 to #4, Entrance/Exit, Fruits / Vegetables, Dairies / Cold Drinks, Wet Goods, Package Counter, Restrooms

Understanding the concepts of internal control

Internal Control - Defined
Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.
Source: COSO Internal Control - Integrated Framework 2013

Understanding the concepts of internal control

Process
A planned series of steps, activities and actions designed to yield a predictable and desired outcome.

Example flow (journal entry): Start -> Enter/Fix GL Journal -> Submit Journal for Approval -> Approved? (if not, back to Enter/Fix GL Journal) -> Post Journal -> JE Saved to Database -> Review Ledger Report -> End

Understanding the concepts of internal control

People
Establish control mechanisms
Work within the established control mechanisms
Make control mechanisms succeed or fail

Understanding the concepts of internal control

Reasonable Assurance: reasonable, not 100%, assurance.

Internal Controls - Shift in view

From Internal Accounting Control to Business Controls.

Internal Controls - Shift in view

Myth: Controls are documented.
Reality: The best control is the culture created by management.

Myth: Controls are a necessary evil.
Reality: Controls are actions taken by management to help the company achieve its objectives.

Myth: Controls are the responsibility of the auditors.
Reality: Controls are the responsibility of management. The auditors' role is to assess the adequacy and effectiveness of the company's overall internal control system.

Myth: As we streamline and empower, we relinquish control.
Reality: As we streamline and empower, we apply different forms of control.

Redefining the Controls focus

Old paradigm -> New paradigm
Only auditors are concerned about risk and controls -> Everyone is concerned about risk and controls
Fragmentation -> Focused and coordinated
No risk policy -> Formal risk policy
Inspect, detect, react -> Anticipate, prevent, monitor
Only hard, tangible controls are evaluated -> Both hard, tangible and soft, intangible controls must be evaluated


Overview of internal control

Internal control is:
A process consisting of ongoing tasks and activities: a means to an end, not an end in itself.
Effected by people: not merely about policy and procedures manuals, systems and forms, but about people and the actions they take.
Able to provide reasonable assurance, but not absolute assurance, to an entity's senior management and board of directors.
Geared to the achievement of objectives in one or more categories: operations, compliance and reporting.
Adaptable to the entity structure: flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process.

Source: COSO IC-IF 2013 (Committee of Sponsoring Organizations of the Treadway Commission, Internal Control - Integrated Framework 2013)

Types of controls

Preventive controls
Per COSO IC-IF 2013: designed to avoid an unintended event or result at the time of initial occurrence.
In layman's terms: designed to prevent or mitigate something from going wrong so that an error and/or irregularity can be avoided.
Examples:
Authorization of payments prior to processing
Customer credit limit checks
Restricting user access to IT systems
Advance approval of supervisor before overtime occurs
Completion of a checklist for updating the master data

Types of controls

Detective controls
Per COSO IC-IF 2013: designed to discover an unintended event or result after the initial processing has occurred but before the ultimate objective has concluded.
In layman's terms: designed to detect and correct in a timely manner an error or irregularity that would materially affect the achievement of the Company's objectives.
Examples:
General ledger to subsidiary ledger reconciliations
Budget vs. actual comparisons
Review of exception reports
Quality inspection

Nature of controls

Manual: performed by individuals outside of the system or application. Examples: independent review of general ledger reconciliations; manual authorization of employee expense reports.

IT-dependent manual: manual work and IT output are combined; relies on system-generated information or functionality for its effectiveness. Examples: review and follow-up of exceptions on a payroll exception report; system-generated sales orders that require manual approval from the controller.

Automated: performed by a system or incorporated into application logic. Examples: automated three-way match (e.g., purchase order vs. invoice vs. delivery receipt); data input validation checks (e.g., valid country code); restricted user access (e.g., username and password).
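The automated examples above (three-way match, input validation) are preventive controls: they block a transaction before it is processed. The general ledger to subsidiary ledger reconciliation listed under detective controls runs after posting and only surfaces an exception for a reviewer. The following is an added example (not code from the deck or from PICPA) that implements one of each side by side. The purchase order, delivery receipt, invoice, the 2% price tolerance, the country-code table and the ledger balances are all constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed reference data and tolerance (not from the deck).
VALID_COUNTRY_CODES = {"PH", "US", "JP", "SG"}
PRICE_TOLERANCE = Decimal("0.02")  # invoice unit price may differ from PO price by at most 2%


@dataclass(frozen=True)
class PurchaseOrder:
    po_no: str
    vendor: str
    qty: int
    unit_price: Decimal
    ship_to_country: str


@dataclass(frozen=True)
class DeliveryReceipt:
    po_no: str
    qty_received: int


@dataclass(frozen=True)
class Invoice:
    po_no: str
    vendor: str
    qty: int
    unit_price: Decimal


def validate_country_code(code: str) -> bool:
    """Data input validation check: accept only codes in the reference table."""
    return code in VALID_COUNTRY_CODES


def three_way_match(po: PurchaseOrder, dr: DeliveryReceipt, inv: Invoice) -> list:
    """Automated preventive control, run before any payment is created.
    Returns the reasons the invoice must be blocked; an empty list means
    PO, receipt and invoice agree and payment may be released."""
    reasons = []
    if not (po.po_no == dr.po_no == inv.po_no):
        reasons.append("PO number differs across documents")
    if po.vendor != inv.vendor:
        reasons.append("invoice vendor differs from PO vendor")
    if inv.qty > dr.qty_received:
        reasons.append(f"invoiced qty {inv.qty} exceeds received qty {dr.qty_received}")
    if dr.qty_received > po.qty:
        reasons.append(f"received qty {dr.qty_received} exceeds ordered qty {po.qty}")
    if abs(inv.unit_price - po.unit_price) > po.unit_price * PRICE_TOLERANCE:
        reasons.append(f"unit price {inv.unit_price} outside tolerance of PO price {po.unit_price}")
    if not validate_country_code(po.ship_to_country):
        reasons.append(f"invalid ship-to country code {po.ship_to_country!r}")
    return reasons


def reconcile_gl_to_subledger(gl_balance: Decimal, subledger: dict) -> dict:
    """Detective control, run after posting: the accounts payable control
    account in the GL must equal the sum of open vendor balances in the
    subledger. Returns an exception record for the reviewer."""
    subledger_total = sum(subledger.values(), Decimal("0"))
    difference = gl_balance - subledger_total
    return {
        "gl_balance": gl_balance,
        "subledger_total": subledger_total,
        "difference": difference,
        "exception": difference != 0,
    }


# Constructed sample documents.
PO = PurchaseOrder("PO-1001", "ACME Supply", 100, Decimal("50.00"), "PH")
DR = DeliveryReceipt("PO-1001", 95)
INV_OK = Invoice("PO-1001", "ACME Supply", 95, Decimal("50.50"))    # 1% over PO price: within tolerance
INV_BAD = Invoice("PO-1001", "ACME Supply", 100, Decimal("55.00"))  # over-billed on both qty and price


def sample_reconciliations() -> tuple:
    """Constructed: one balanced period, one with an unexplained difference."""
    sub = {"ACME Supply": Decimal("4797.50"), "Globex": Decimal("1200.00")}
    return (reconcile_gl_to_subledger(Decimal("5997.50"), sub),
            reconcile_gl_to_subledger(Decimal("6200.00"), sub))


if __name__ == "__main__":
    print("good invoice:", three_way_match(PO, DR, INV_OK) or "released")
    print("bad invoice:", three_way_match(PO, DR, INV_BAD))
    for rec in sample_reconciliations():
        print(rec)
```

The preventive control returns every failed check rather than stopping at the first, so the blocked invoice carries a complete reason list for the approver; the detective control never blocks anything, it only produces the difference a reviewer must explain, which is why it belongs to a monthly review rather than to the payment run.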

Frequency of controls (examples)

Ongoing: firewall
Daily / multiple times per day: 3-way match
Monthly: review of general ledger reconciliations
Quarterly: review of user access to IT systems
Annually: review of accounting policies
Ad hoc / as required: authorization of back pay to employees

COSO's Internal Control publications: COSO IC-IF 2013 at a glance (timeline)

1992: original Internal Control - Integrated Framework; 2006; 2009; 2013: updated framework issued; 2013 to 2014: transition period; 15 Dec 2014: old framework superseded by the new framework; 2015: full implementation period

WHAT IS COSO IC-IF 2013?

The 1992 Internal Control - Integrated Framework gained broad public acceptance and is widely recognized as the leading framework. It responded to dramatic changes in business and operating environments and underwent a significant multiyear update project starting in 2010, resulting in the COSO Internal Control - Integrated Framework 2013.

*COSO IC-IF 2013: Committee of Sponsoring Organizations of the Treadway Commission, Internal Control - Integrated Framework 2013

Reasons for updating COSO IC-IF 1992

Changes in Business and Operating Environments:
Expectations for governance and oversight
Globalization of markets and operations
Expectations for competencies and accountabilities
Changes and greater complexities of business
Use of, and reliance on, evolving technologies
Demands and complexities in laws, rules, regulations, and standards
Expectations relating to preventing and detecting fraud
KEY AREAS PER COSO IC-IF 2013

Components and Principles

1. Control Environment
1. The organization demonstrates commitment to integrity and ethical values
2. The board of directors demonstrates independence from management and exercises oversight responsibility
3. Management, with board oversight, establishes structure, authority and responsibility
4. The organization demonstrates commitment to competence
5. The organization establishes accountability

2. Risk Assessment
6. Specifies relevant objectives with sufficient clarity to enable identification of risks
7. Identifies and assesses risk
8. Considers the potential for fraud in assessing risk
9. Identifies and assesses significant change that could impact the system of internal control

3. Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys control activities through policies and procedures

4. Information & Communication
13. Obtains or generates relevant, quality information
14. Communicates internally
15. Communicates externally

5. Monitoring
16. Selects, develops and performs ongoing and separate evaluations
17. Evaluates and communicates deficiencies in a timely manner


RBPF framework

UNDERSTAND: co-develop expectations; understand the organization
ASSESS: assess the risks
PLAN: develop annual plan
DELIVER: perform the engagement; communicate the result
MONITOR: monitor the progress; communicate the result
DOCUMENT (throughout)
QUALITY ASSURANCE (throughout): supervise the engagement; quality and improvement program

RBPF framework - UNDERSTAND: co-develop expectations

1. Communicate the value of IA
2. Understand and agree the expectations of the stakeholders

RBPF framework - UNDERSTAND: understand the organization

1. Understand organization strategy and objectives
2. Understand business environment
3. Understand relevant processes
4. Understand control environment

Why do we need to understand the business organization?

To identify business risks
To focus audit priorities on important aspects of the business
To be able to make recommendations that focus on the elements critical to the Company's business

1. Understand organization strategy & objectives

Revisit: Charter, Manuals, Policies, Procedures, Mission, Vision, Values, Strategy, Mandates

The purpose of this activity is to:
have a preliminary understanding of the strategic goals and the corresponding risks that the organization might be facing
identify and clarify the regulations imposed on the organization, to properly serve the stakeholders

2. Set expectations: meet with stakeholders to align their needs with the annual internal audit plan and to communicate to them the role of the internal audit function.

3. Understand relevant processes

A process is a group of logically related activities that transform inputs into outputs.
The process owner is the person responsible for the process.

3. Understand relevant processes

Why do we need to understand the business processes?
To enhance our understanding of the business by seeing it the way management does.
To identify the processes from which inherent business risks can be sourced.
To assist the IA function in designing an effective and efficient audit plan.

3. Understand relevant processes

But how?
Meet with management to confirm or gain an understanding of the key processes and sub-processes
Understand the objectives and key performance measures for the process
Consider the complexity of the IT environment supporting the process

3. Understand relevant processes

Process hierarchy
Mega process: the highest level of processes; its purpose relates to the accomplishment of the overall mission of the business
Major process: a subdivision of a mega process; represents a collection of sub-processes
Sub-process: a subdivision of a major process; represents a collection of activities
Activity: a unit of work performed by one job function, at one time, with one mode of operation, at the same location

3. Understand relevant processes (SAMPLE ONLY)

MEGA processes: Gain new business, Manufacturing, Distribution, Finance and Accounting
MAJOR processes (examples): Marketing and Advertising, Procurement, Accounts Receivable, Accounts Payable, Payroll, Budgeting and Financial Reporting
SUB-processes (under Accounts Receivable): Recording receivables, Managing aging of receivables, Managing collection of receivables
ACTIVITIES (examples): Process customer receipts, Follow-up customer overdue debt

3. Understand relevant processes

Universal process classification scheme (figure)

4. Understand the control environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.

Control Environment principles:
1. Demonstrates commitment to integrity and ethical values
2. Board of Directors demonstrates independence from management and exercises oversight responsibility
3. Management, with Board oversight, establishes structure, authority and responsibility
4. The organization demonstrates commitment to competence
5. The organization establishes and enforces accountability

4. Understand the control environment (example)

Component: Control Environment
Principle: Demonstrates commitment to integrity and ethical values
Approach / Point of focus: Establishing standards of conduct
Activity: Communicating and reinforcing the accountability for responsible conduct for all personnel
Examples:
Send the Code of Conduct to all employees and third parties acting on behalf of the Company
Post the Code of Conduct on the Company's website
Require all employees to complete periodic interactive web-based training

RBPF framework - ASSESS: assess the risks

1. Identify risks
2. Prioritize risks

Roadmap to assess the risks

Risk self-assessment (RSA) is a structured process to identify and prioritize business risks within the company or within a specific business process of the company.

Identify the risks: risk universe -> relevant risks
Prioritize the risks: top risks -> risk profile

Roadmap to assess the risks

Comparison of entity and process level RSA

1. Entity level: entails a comprehensive look at those business risks that affect the organization as a whole.
Purpose: assist management in the execution of their overall risk management process; develop a common language for understanding risks within the organization; drive the development of the annual risk-based IA plan.

2. Process level: entails a comprehensive look at those risks that affect one specific process.
Purpose: focus the efforts of the IA procedures within a specific process audit; ensure that process owner concerns were considered in developing the audit plan.

1. Identify risks

In identifying risks, consider relevant information gathered from the Understand the Business and Control Environment part of the methodology:
Business Analysis Framework (BAF)
Organizational Control Assessment
Customized Process Classification Scheme

These inputs are transformed into output through:
Interviews
Questionnaires
On-line, interactive questionnaires (surveys)
Facilitated meetings
Facilitated meetings with voting technology

OUTPUT: risk universe; relevant risks

Risk Universe (pre-work) (figure)

2. Prioritize risks

Criteria
1. Severity of impact: if the risk happens, how much will it affect the company?
2. Likelihood of occurrence and frequency: how likely is the risk to happen?
3. Opportunity for Risk Management Improvement (ORMI): is there room for the company to improve on its existing risk management strategies/controls?

2. Prioritize risks (funnel)

Risk Universe (pre-work) -> Initial Risk Universe -> Initial Risk Profile -> Most Critical Risks
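The three criteria above and the funnel from risk universe to most critical risks are easy to state and easy to get wrong in a spreadsheet, in particular the role of ORMI: a risk can sit in the top-right of the risk map and still be a poor audit candidate if its controls are already strong. The following is an added example (not from the deck or from PICPA) that rates each risk on the three criteria, places it on the impact/likelihood map and reduces the universe to a ranked profile and a short list. The 1-10 scale, the quadrant cut-off of 7, the ORMI cut-off of 5 and the sample ratings are assumptions made for the example.

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10   # assumed rating scale for all three criteria
MAP_CUT = 7                    # assumed boundary between "low" and "high" on the risk map
ORMI_CUT = 5                   # assumed minimum ORMI for a risk to be worth audit effort


@dataclass(frozen=True)
class RiskRating:
    name: str
    impact: int       # severity of impact if the risk happens
    likelihood: int   # probability over the next 5 years, with no new mitigation
    ormi: int         # opportunity for risk management improvement

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot silently dominate the ranking.
        for field in ("impact", "likelihood", "ormi"):
            value = getattr(self, field)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {field}={value} outside {SCALE_MIN}..{SCALE_MAX}")


def exposure(r: RiskRating) -> int:
    """Inherent exposure: severity of impact times likelihood (max 100)."""
    return r.impact * r.likelihood


def map_zone(r: RiskRating, cut: int = MAP_CUT) -> str:
    """Quadrant of the impact/likelihood risk map the risk plots into."""
    high_impact, high_likelihood = r.impact >= cut, r.likelihood >= cut
    if high_impact and high_likelihood:
        return "high impact / high likelihood"
    if high_impact:
        return "high impact / low likelihood"
    if high_likelihood:
        return "low impact / high likelihood"
    return "low impact / low likelihood"


def build_risk_profile(universe: list, top_n: int = 3) -> dict:
    """Risk universe -> initial risk profile (ranked) -> most critical risks.
    Ranking is by exposure, with ORMI as the tie-breaker. The audit focus list
    keeps only critical risks whose controls still leave room for improvement."""
    ranked = sorted(universe, key=lambda r: (exposure(r), r.ormi), reverse=True)
    critical = ranked[:top_n]
    return {
        "profile": [(r.name, exposure(r), map_zone(r)) for r in ranked],
        "most_critical": [r.name for r in critical],
        "audit_focus": [r.name for r in critical if r.ormi >= ORMI_CUT],
    }


# Constructed sample ratings, using risk names from the deck's risk map.
UNIVERSE = [
    RiskRating("Business Interruption", impact=9, likelihood=8, ormi=7),
    RiskRating("Regulatory", impact=8, likelihood=6, ormi=3),
    RiskRating("Credit Default", impact=6, likelihood=9, ormi=6),
    RiskRating("Customer Satisfaction", impact=5, likelihood=5, ormi=8),
    RiskRating("Technology", impact=7, likelihood=7, ormi=2),   # critical, but controls already strong
    RiskRating("Competitor", impact=4, likelihood=8, ormi=5),
]

if __name__ == "__main__":
    profile = build_risk_profile(UNIVERSE)
    for name, score, zone in profile["profile"]:
        print(f"{name:22s} exposure={score:3d}  {zone}")
    print("most critical:", profile["most_critical"])
    print("audit focus:  ", profile["audit_focus"])
```

With the constructed ratings, Technology is among the three most critical risks but drops out of the audit focus because its ORMI is low; that is the distinction between "what keeps the board awake" and "where internal audit adds the most value" that the criteria slide is making.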

RBPF framework - PLAN: develop annual plan

1. Identify and validate audit universe
2. Prioritize auditable areas
3. Identify resource requirements
4. Obtain approval

Road map to develop annual plan

INPUT -> PROCESS -> OUTPUT
Risk universe, process universe, location universe -> Identify and validate audit universe -> Validated audit universe
Date and results of last audit, request by Management, other considerations -> Prioritize auditable areas -> Prioritized auditable areas
Available resources -> Identify resource requirements -> Draft audit plan
Draft audit plan -> Obtain approval -> Approved audit plan

1. Identify and validate audit universe

INPUT: risk universe, process universe, location universe
PROCESS: identify and validate audit universe
OUTPUT: validated audit universe

The audit universe refers to the risks and processes that could be targeted for audit. Risks and processes may also be organized and referred to by location.
1. Obtain the different universes (e.g., risk universe, process universe and location universe) from stakeholders.
2. Map the risks to the processes.
3. Identify the locations of the processes.
4. Present and validate the audit universe to the IA function, management and the oversight committee.

1. Identify and validate audit universe

1. Obtain the different universes:
a. Risk universe
b. Process universe
c. Location universe

The risk universe can originate from the entity-level perspective down to the business-unit level.
a. Sample risk universe: enterprise risk management risk universe; business units' risk universe; management, IA and committee risk universe

1. Identify and validate audit universe

The process universe is the list of processes within the Company that will be subjected to audit by the IA function, while the location universe is the list of all the locations of the Company, such as head office, regional office and international office.
b. Sample process universe (figure)
c. Sample location universe: 1. Head office; 2. Satellite or regional office; 3. International office

1. Identify and validate audit universe

2. Map the risks to the processes
Using the process universe, identify the risks associated with each specific process. Risks could be existing or emerging, internal or external, and tangible or intangible. Note that not all risks are auditable.

SAMPLE ONLY: risk-to-process matrix
Risks (columns): Fraud, Contract compliance, Political, Regulatory
Processes / auditable areas (rows): Planning and budgeting, Sales and marketing, Customer service, Project development, Human resource
An "x" marks each cell where a risk applies to a process.

1. Identify and validate audit universe

3. Identify the location of the processes
Determine whether the processes exist in the different locations of the Company.

Sample only: process-to-location matrix (extends the risk matrix)
Process / auditable areas (rows): Sales and marketing; Customer service; Project development; Human resource
Risks: Regulatory; Political; Contract compliance; Fraud; Planning and budgeting
Locations: Head office; Regional or satellite office; International office
Each cell is marked "x" where the risk or location applies to the process.

4. Present and validate the audit universe to the different business units, management and the oversight committee.

2. Prioritize auditable areas

Input: date and results of last audit; requests by Management; other considerations
Process: prioritize auditable areas
Output: prioritized auditable areas

The criteria for prioritizing the auditable areas may include, but are not limited to, the following:
- Number and criticality of risks
- Number and complexity of the locations
- Date and results of last audit
- Financial exposure
- Requests by Management
- Major changes in operations
- Business complexity
- Probability that a major improvement in the auditable area is needed

2. Prioritize auditable areas

Sample only: prioritization of auditable areas

Process / auditable area | Number and criticality of risks | Number and complexity of the locations | Date and results of last audit | Financial exposure (in PHP) | Other consideration: Request by management | Other consideration: ERM top risk | Other consideration: Major change in the operation | Priority
Sales and marketing | 4 (H) | 3 (C) | 2012 | 2B | Yes | Yes | Yes | Priority
Customer service | 1 (M) | 1 (C) | 2010 | 2B | No | No | Yes | Not priority
Project development | 2 (H) | 1 (C) | None | 1B | Yes | Yes | Yes | Priority
Human resource | 1 (H) | 2 (SC) | 2007 | CD | No | No | No | Not priority

The slide also carries the risk columns (Regulatory, Political, Contract compliance, Fraud, Planning and budgeting) and location columns (Head office, Regional or satellite office, International office) from the audit universe matrix, marked "x" where applicable.

Legend:
H - High
M - Medium
L - Low
C - Complex
SC - Semi-complex
NC - Not complex
CD - Cannot determine

Note:
- Financial exposure may be based on the previous year's record.
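An added example (not from the PICPA material) that turns the prioritization criteria listed above into a repeatable score for the four sample auditable areas. The slide gives the criteria but no formula, so the weights, the cap on audit age, the planning year and the cut-off are assumptions; the sample rows are taken from the table.

```python
# Added example (not from the PICPA material): scoring the sample auditable areas
# against the prioritization criteria on the slide. Weights, the age cap, PLAN_YEAR
# and PRIORITY_CUTOFF are assumptions; the page states no formula.
from dataclasses import dataclass
from typing import Optional

PLAN_YEAR = 2015                         # assumed planning year (training dated 2015)
CRITICALITY = {"H": 3, "M": 2, "L": 1}   # slide legend: High / Medium / Low
COMPLEXITY = {"C": 3, "SC": 2, "NC": 1}  # slide legend: Complex / Semi-complex / Not complex
MAX_AGE_POINTS = 5                       # assumed: "never audited" scores like a 5-year-old audit
PRIORITY_CUTOFF = 15                     # assumed


@dataclass(frozen=True)
class AuditableArea:
    name: str
    risk_count: int
    risk_criticality: str            # H / M / L
    location_count: int
    location_complexity: str         # C / SC / NC
    last_audit_year: Optional[int]   # None = no previous audit
    exposure_php: Optional[str]      # e.g. "2B"; None = cannot determine (CD)
    requested_by_management: bool
    erm_top_risk: bool
    major_change: bool


def audit_age_points(last_audit_year, plan_year=PLAN_YEAR):
    """Older (or missing) last audit earns more points, capped at MAX_AGE_POINTS."""
    if last_audit_year is None:
        return MAX_AGE_POINTS
    return min(max(plan_year - last_audit_year, 0), MAX_AGE_POINTS)


def exposure_points(exposure):
    """'2B' -> 2, '1B' -> 1. CD (None) contributes nothing and should be estimated separately."""
    if exposure is None:
        return 0
    return int(exposure.rstrip("B"))


def score_area(area):
    """Sum of the weighted criteria; each 'other consideration' flagged Yes adds 2 points."""
    s = area.risk_count * CRITICALITY[area.risk_criticality]
    s += area.location_count * COMPLEXITY[area.location_complexity]
    s += audit_age_points(area.last_audit_year)
    s += exposure_points(area.exposure_php)
    s += 2 * sum([area.requested_by_management, area.erm_top_risk, area.major_change])
    return s


def prioritize(areas, cutoff=PRIORITY_CUTOFF):
    """Return (name, score, 'Priority' / 'Not priority'), highest score first."""
    ranked = []
    for a in areas:
        s = score_area(a)
        ranked.append((a.name, s, "Priority" if s >= cutoff else "Not priority"))
    return sorted(ranked, key=lambda r: -r[1])


# The four sample rows from the slide's prioritization table.
SAMPLE_AREAS = [
    AuditableArea("Sales and marketing", 4, "H", 3, "C", 2012, "2B", True, True, True),
    AuditableArea("Customer service", 1, "M", 1, "C", 2010, "2B", False, False, True),
    AuditableArea("Project development", 2, "H", 1, "C", None, "1B", True, True, True),
    AuditableArea("Human resource", 1, "H", 2, "SC", 2007, None, False, False, False),
]

if __name__ == "__main__":
    for name, score, flag in prioritize(SAMPLE_AREAS):
        print(f"{name:22} {score:3}  {flag}")
```

With these weights the ranking reproduces the slide's Priority / Not priority split; a different cut-off or weighting is a management judgement, which is why the assumptions are kept in named constants.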

3. Identify resource requirements

Input: available resources
Process: identify resource requirements
Output: draft audit plan

In determining the resource requirements of the engagements, the IA function may consider the following:
1. Determine the initial type of engagement.
2. Identify the man-hours needed to complete the engagement.
3. Check the skill requirements of the engagement.
4. Decide on the right mix to perform the engagement.

3. Identify resource requirements

1. Determine the initial type of engagement
Depending on the risk involved, IA assesses the initial type of engagement to be performed on the corresponding processes and functions. IA may perform one or a combination of the following:
a) Compliance evaluation: a review to determine the compliance of the concerned business unit with the policies and procedures, including their contents.
b) Performance evaluation: an assessment of the performance of personnel and/or third parties (e.g., contract review).
c) Controls assessment: an assessment with the objective of determining the effectiveness of the control design and of its operation.

3. Identify resource requirements

2. Identify the man-hours needed to complete the engagement
The timeframe of the engagement may depend on the following:
- Initial type of engagement
- Previous experience
- Known changes (e.g., process owners, process, system)

Sample only: prioritized auditable areas with man-hours

Process / auditable area | Priority | Man-hours needed
Sales and marketing | Priority | 480 hours
Customer service | Not priority | 240 hours
Project development | Priority | 600 hours
Human resource | Not priority | 160 hours

On the slide, the type of engagement (compliance evaluation, performance evaluation, controls assessment) is marked "x" per area, and the prioritization columns (number and criticality of risks, number and complexity of the locations, date and results of last audit, financial exposure in PHP, request by management, ERM top risk, major change in the operation) are carried forward from the previous table.
3. Identify resource requirements

3. Check the skill requirements of the engagement
The skill set is critical in planning the engagement. It depends on the initial type of engagement, including its scope and objective. Some of the considerations are as follows:
- Operations skills
- Process skills
- Risk management skills
- Financial or accounting skills
- Facilitation skills
- Industry knowledge
- Understanding of information technology risks and processes
- Effective presentation and report preparation
- Communication and change management skills
- Knowledge of regulations affecting the organization
3. Identify resource requirements

Note that some skills are not readily available within the IA function. Hence, IA may consider outsourcing them to external or internal parties.

Sample only: skills requirement per auditable area

Process / auditable area | Priority | Man-hours needed | Skill set required (Outsource flag where the skill is sourced outside IA)
Sales and marketing | Priority | 480 hours | Auditor II (200); Fraud Auditor (280)
Customer service | Not priority | 240 hours | Auditor I (120); Auditor II (120)
Project development | Priority | 600 hours | Auditor III (350); Engineer (250)
Human resource | Not priority | 160 hours | Auditor I (80); Auditor II (80)

Total man-hours for Auditor III: 1800 hours
Total man-hours for Auditor II: 2000 hours

The prioritization and type-of-engagement columns from the previous tables are carried forward on the slide.

4. Obtain approval

Input: draft audit plan
Process: obtain approval
Output: approved audit plan

- Ensure the audit plan documentation is complete, accurate and reviewed by the CAE.
- Identify all approvals (e.g., Audit Committee, Board) necessary to confirm the audit plan.
- Set up a meeting to present the audit plan to:
  - the Audit Committee Head or equivalent
  - the Oversight Committee or a similar committee

RBPF framework
UNDERSTAND: co-develop expectations; understand the organization
ASSESS: assess the risks
PLAN: develop annual plan
DELIVER: perform the engagement; communicate the result
MONITOR: monitor the progress; communicate the result
DOCUMENT
QUALITY ASSURANCE: supervise the engagement; quality and improvement program

Perform the engagement (DELIVER):
1. Understand the process
2. Assess risks in the process
3. Assess process performance and control gaps
4. Validate process measures and controls
5. Identify root causes and solutions

1. Understand the process
Conduct opening meeting -> Perform walkthrough -> Document the understanding of the process -> Validate the understanding of the process

1. Understand the process
(Conduct opening meeting -> Perform walkthrough -> Document the understanding of the process -> Validate the understanding of the process)

Conduct opening meeting
The opening meeting shall cover the following:
- Background discussion
- Engagement objectives and scope
- Deliverables and timelines
- Other matters

1. Understand the process
(Conduct opening meeting -> Perform walkthrough -> Document the understanding of the process -> Validate the understanding of the process)

Perform walkthrough
Ask questions about (but not limited to):
- What are the beginning and end points of the process?
- Each task within the process
- Key inputs and outputs of the process
- Types and nature of controls:
  o Automated vs. manual
  o Detective vs. preventive
  o Specific, pervasive and monitoring controls
- Any history of problems with key controls or process areas in the past

1. Understand the process
(Conduct opening meeting -> Perform walkthrough -> Document the understanding of the process -> Validate the understanding of the process)

Document the understanding of the process
Tasks (but not limited to):
- Select the appropriate process mapping tool:
  o Process maps
  o Narrative
- Create a first draft of the process map
- Identify the control points in the process
- Be alert for process inefficiencies that could be the subject of recommendations

1. Understand the process
(Conduct opening meeting -> Perform walkthrough -> Document the understanding of the process -> Validate the understanding of the process)

Validate the understanding of the process
Tasks (but not limited to):
- Validate the process with the auditee
- Finalize the process map/narrative
- Document any preliminary gaps identified at this point

Sample output (sample only)
PROCESS NAME: Credit and Collection
Sub-Process: Collection
Prepared by: Juana dela Cruz
Version 1 (Page 1 of 20)

Swimlane flowchart:
Customer: Start -> Pay the monthly rental -> payment through check (continued on Page 3) / payment through wire transfer (continued on Page 6) / cash
Cashier: Accept the cash -> Prepare official receipt (document: Official Receipt) -> At the end of the day, match the cash and issued official receipts -> Prepare remittance slip -> Deposit the cash
Cashier Supervisor: Match the cash, remittance slip and official receipt issued -> matched? Yes: Deposit collection (continued on Page 11); No: (not detailed on the slide)

2. Assess risks in the process
Identify the process-level or transactional-level risks.

Sample only
Process: Credit and Collection
Sub-process: Collection

Ref # | Risk details (process and/or financial reporting risk) | Control ref # | Control details (detailed control description, frequency, control nature, control type, control owner)
R.1.1 | Cash collection is misappropriated. | X | X
R.1.2 | Cash collection is not deposited on time. | X | X

3. Assess process performance and control gaps

a. Identify the existing controls in the process, including relevant details (e.g., frequency, nature, type, owner, supporting IT application, critical reports)
b. Map the existing controls to the risks initially identified
c. Determine whether any risk is without a control or has excessive controls
d. Determine whether the existing controls properly address the risks
e. Document the initial results of the design effectiveness testing

3. Assess process performance and control gaps

Sample only
Process: Credit and Collection
Sub-process: Collection
Columns: Ref #; Risk details (process and/or financial reporting risk); Control ref #; Control details (detailed control description, frequency, control nature, control type, control owner, supporting IT applications, critical reports)

R.1.1 Cash collection is misappropriated.
  C.1.1 Upon preparation of the official receipt, the cash collection is automatically recorded in the book as collection.
    Frequency: Event driven | Control nature: Preventive | Control type: Automated | Control owner: None | Supporting IT application: SAP | Critical reports: None
  C.1.2 The Cashier Supervisor matches the cash, remittance slip and official receipt issued.
    Frequency: Daily | Control nature: Detective | Control type: IT-dependent | Control owner: Cashier Supervisor | Supporting IT application: SAP | Critical reports: Remittance slip

R.1.2 Cash collection is not deposited on time.
  C.1.3 Cashier deposits the cash collection when she's not busy.
    Frequency: Event driven | Control nature: Preventive | Control type: Manual | Control owner: Cashier | Supporting IT application: None | Critical reports: Remittance slip; Deposit slip
    Note: the control might not be sufficient to mitigate the risk. The IA function should check whether there is any compensating control in the process.

4. Validate process measures and controls
Prepare detailed test procedures and request samples to be tested -> Perform testing -> Identify gaps in the operating effectiveness of controls

4. Validate process measures and controls

Sample only
Process: Credit and Collection
Sub-process: Collection
Columns: Control ref #; Control details (detailed control description); Testing information (test procedures, test sample, test result)

C.1.1 Upon preparation of the official receipt, the cash collection is automatically recorded in the book as collection.
  Test procedures:
  1. Try to prepare a dummy official receipt (or observe an actual official receipt) in the system.
  2. Determine whether it is automatically recorded in the book as cash collection.
  Test sample: test of 1
  Test result: The system automatically captured the prepared official receipt upon its preparation. No exceptions noted.

C.1.2 The Cashier Supervisor matches the cash, remittance slip and official receipt issued.
  Test procedures:
  1. Obtain the list of remittance slips from the system for the covered period.
  2. Select 25 samples to be tested.
  3. Request the supporting hard-copy remittance slip, official receipt issued and other supporting documents.
  4. Check whether the Cashier Supervisor reviewed the selected samples.
  5. Determine whether the details in the system-generated remittance slip match the hard-copy remittance slip and official receipt.
  6. Perform footing and cross-footing.
  7. Further match the system-generated remittance slip with the deposit slip.
  8. Document the gaps noted.
  Test sample: 25 transactions
  Test result: A discrepancy was noted between the system-generated remittance slip and the deposit slip.
    Total cash collection on 8 July 2013:
    Per remittance slip: Php 8,700,909.00
    Per deposit slip: 7,001,500.00
    Difference: Php 1,699,409.00
    Further, no bank reconciliation is being performed.

C.1.3 Cashier deposits the cash collection when she's not busy.
  Test procedures: No testing will be performed.
  Test result: There is no specific date or timeline to deposit the cash collection in the bank.

5. Identify root causes and solutions

We determine the root causes of control, compliance or performance gaps:
- To determine which root causes have the greatest negative impact on a process or control, and where to focus efforts to minimize or eliminate gaps.
- To develop implementable solutions that will minimize or eliminate the identified control gaps or compliance

Root cause categories around a control, compliance or performance gap: People; Oversight; Process; IT; Policies and procedures
5. Identify root causes and solutions

Sample only: root causes of the gap noted (discrepancy between the system-generated remittance slip and the deposit slip), grouped by category (People; Oversight; Process; IT; Policies and procedures)

People:
1.a. Cashier has an opportunity to edit the remittance slip when generated.
2.b. There is no assigned personnel to review or match whether the system-generated remittance slip matches the deposit slip.

Process:
2.a. There is no process to review or match whether the system-generated remittance slip matches the deposit slip.

IT:
1.b. The system-generated remittance slip is editable upon generation.

Policies and procedures:
2.c. Matching of the remittance slip against the deposit slip is not documented in the process.

RBPF framework
UNDERSTAND: co-develop expectations; understand the organization
ASSESS: assess the risks
PLAN: develop annual plan
DELIVER: perform the engagement; communicate the result
MONITOR: monitor the progress; communicate the result
DOCUMENT
QUALITY ASSURANCE: supervise the engagement; quality and improvement program

Communicate the result (DELIVER):
1. Provide recommendations and agree on an action plan
2. Conduct closing meeting
3. Issue final report

Communicate results

Sample only
Recommendations may be based on the following:
- Root causes identified
- Leading practice
- Test result

Test result: A discrepancy was noted between the system-generated remittance slip and the deposit slip.
  Total cash collection on 8 July 2013:
  Per remittance slip: Php 8,700,909.00
  Per deposit slip: 7,001,500.00
  Difference: Php 1,699,409.00
  Further, no bank reconciliation is being performed.

Root cause 1:
a. Cashier has an opportunity to edit the remittance slip when generated from the system.
b. The system-generated remittance slip is editable upon generation.
Recommendation 1: The IT or system developer should revisit the program in the system to make the reports non-editable upon generation from the system.

Root cause 2:
a. There is no process to review or match whether the system-generated remittance slip matches the deposit slip.
b. There is no assigned personnel to review or match whether the system-generated remittance slip matches the deposit slip.
c. Matching of the remittance slip against the deposit slip is not documented in the process.
Recommendation 2: The concerned management should consider putting an additional control in the process. Personnel independent of the custody and recording of cash collection should review whether the recorded cash collection in the system matches the deposit slip and, ultimately, the bank account. This control may be part of the bank reconciliation process.
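An added example (not from the PICPA material) that re-performs steps 4 to 8 of the C.1.2 test procedure as the kind of independent reconciliation Recommendation 2 asks for: each system-generated remittance slip is checked for the Cashier Supervisor's review, footed against the official receipts it covers, and the day's slips are matched to the deposit slip. All records, slip and receipt numbers are constructed; the 8 July 2013 amounts are the sample's own figures.

```python
# Added example (not from the PICPA material): independent re-performance of control
# C.1.2. Data, slip numbers and OR numbers are constructed sample values.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional, Tuple


@dataclass(frozen=True)
class OfficialReceipt:
    or_no: str
    amount: Decimal


@dataclass(frozen=True)
class RemittanceSlip:
    slip_no: str
    slip_date: date
    or_numbers: Tuple[str, ...]   # official receipts the slip claims to cover
    amount: Decimal               # total printed on the (editable) system-generated slip
    reviewed_by: Optional[str]    # Cashier Supervisor sign-off; None = no evidence of review


@dataclass(frozen=True)
class DepositSlip:
    deposit_date: date
    amount: Decimal


def foot_slip(slip, receipts):
    """Step 6 (footing): re-add the official receipts the slip covers."""
    return sum((receipts[n].amount for n in slip.or_numbers), Decimal("0"))


def daily_totals(slips, deposits):
    """Step 7: aggregate remittances and deposits per day so they can be matched."""
    remitted, deposited = defaultdict(Decimal), defaultdict(Decimal)
    for s in slips:
        remitted[s.slip_date] += s.amount
    for d in deposits:
        deposited[d.deposit_date] += d.amount
    return remitted, deposited


def reperform_control_c12(slips, receipts, deposits):
    """Steps 4-8 of the C.1.2 test; returns the gaps noted as (kind, reference, amount)."""
    gaps = []
    for s in slips:
        if s.reviewed_by is None:                 # step 4: no supervisor review evidence
            gaps.append(("NOT_REVIEWED", s.slip_no, Decimal("0")))
        footed = foot_slip(s, receipts)           # steps 5-6: slip total vs. OR details
        if footed != s.amount:                    # a slip edited after generation shows here
            gaps.append(("FOOTING_DIFF", s.slip_no, s.amount - footed))
    remitted, deposited = daily_totals(slips, deposits)
    for day in sorted(set(remitted) | set(deposited)):   # step 7: slips vs. deposit slip
        diff = remitted[day] - deposited[day]
        if diff != 0:
            gaps.append(("DEPOSIT_DIFF", day.isoformat(), diff))
    return gaps                                    # step 8: document the gaps noted


# Constructed sample: two collection days. 8 July 2013 reproduces the slide's figures.
RECEIPTS = {r.or_no: r for r in (
    OfficialReceipt("OR-1001", Decimal("5200000.00")),
    OfficialReceipt("OR-1002", Decimal("3500909.00")),
    OfficialReceipt("OR-1003", Decimal("950000.00")),
)}
SLIPS = [
    RemittanceSlip("RS-0708-01", date(2013, 7, 8), ("OR-1001",), Decimal("5200000.00"), "Cashier Supervisor"),
    RemittanceSlip("RS-0708-02", date(2013, 7, 8), ("OR-1002",), Decimal("3500909.00"), None),
    # slip edited after generation: printed total exceeds the receipts it covers
    RemittanceSlip("RS-0709-01", date(2013, 7, 9), ("OR-1003",), Decimal("1000000.00"), "Cashier Supervisor"),
]
DEPOSITS = [
    DepositSlip(date(2013, 7, 8), Decimal("7001500.00")),
    DepositSlip(date(2013, 7, 9), Decimal("1000000.00")),
]

if __name__ == "__main__":
    for kind, ref, amount in reperform_control_c12(SLIPS, RECEIPTS, DEPOSITS):
        print(f"{kind:13} {ref:12} Php {amount:,.2f}")
```

The 9 July row shows why footing (step 6) is kept even when the deposit matches the slip: the edited slip agrees with the bank but not with the receipts behind it.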

Communicate results

- Audit observations are discussed with the auditee as they are identified.
- Recommendations are co-developed with the auditee (team approach).
- Where significant, a closing meeting may be held.
- Communicating results is formalized through audit reports, which are:
  o Objective and factual
  o Contain observations, conclusions, recommendations and the auditee's response
  o Reviewed and approved by the CAE
- The final audit report is issued to the auditee, senior management, the Executive Office and the Audit Committee.

RBPF framework
UNDERSTAND: co-develop expectations; understand the organization
ASSESS: assess the risks
PLAN: develop annual plan
DELIVER: perform the engagement; communicate the result
MONITOR: monitor the progress; communicate the result
DOCUMENT
QUALITY ASSURANCE: supervise the engagement; quality and improvement program

Monitor the progress (MONITOR):
1. Validate the implementation of the action plan
2. Issue monitoring report

RBPF framework
UNDERSTAND: co-develop expectations; understand the organization
ASSESS: assess the risks
PLAN: develop annual plan
DELIVER: perform the engagement; communicate the result
MONITOR: monitor the progress; communicate the result
DOCUMENT
QUALITY ASSURANCE: supervise the engagement; quality and improvement program

DOCUMENT: document the result of:
- Understanding
- Assessing
- Planning
- Delivering
- Monitoring
- Quality assurance

RBPF framework
UNDERSTAND: co-develop expectations; understand the organization
ASSESS: assess the risks
PLAN: develop annual plan
DELIVER: perform the engagement; communicate the result
MONITOR: monitor the progress; communicate the result
DOCUMENT
QUALITY ASSURANCE: supervise the engagement; quality and improvement program

QUALITY ASSURANCE:
- Review and supervise
- Conduct internal assessment
- Facilitate the conduct of external assessment

Agenda
Risk Assessment - Concept
Relevant Regulatory Developments & Impact
Understanding Internal Control Concepts
Internal Control - COSO Integrated Framework 2013
Risk Based Audit Approach:
  Internal Audit
  External Audit

RBA framework
Phase 1: Strategic Planning and Risk Identification
Phase 2: Planning - Audit Planning and Risk Assessment
Phase 3: Delivery - Execution; Conclusion and Reporting
Phase 4: Monitoring (Quality Control System)

Note: Procedures for all audit services are integrated in all phases, except for the Execution phase.

RBA framework: STRATEGIC PLANNING AND RISK IDENTIFICATION
(Phases: Strategic Planning and Risk Identification; Planning - Audit Planning and Risk Assessment; Delivery - Execution, Conclusion and Reporting; Monitoring)

Activities:
- Perform Risk Identification (RI)
  o Develop/update the Business Risk Model (BRM)
  o Identify risks
  o Report the results of RI
- Conduct Strategic Planning

Flow: Risk Identification -> Conduct Strategic Planning

RBA framework: PLANNING (Audit Planning and Risk Assessment)
(Phases: Strategic Planning and Risk Identification; Planning - Audit Planning and Risk Assessment; Delivery - Execution, Conclusion and Reporting; Monitoring)

Activities:
- Prepare Audit Work Step
- Understand the Business
- Identify Significant Business Risks
  o Update Business Risk Model
  o Identify Business Risks
  o Prioritize Significant Business Risks
- Understand and Assess Business-level Controls
- Understand the Process
  o Identify Critical Path of the Processes
  o Identify Process Risks
  o Identify Impact
  o Identify Existing Controls
- Conduct Audit Risk Assessment and Planning

Flow: Prepare Audit Work Step -> Understand the Business -> Identify Significant Business Risks -> Understand and Assess Business-level Controls -> Understand the Process -> Conduct Audit Risk Assessment and Planning

RBA framework: CONCLUSION AND REPORTING
(Phases: Strategic Planning and Risk Identification; Planning - Planning and Audit Risk Assessment; Delivery - Execution, Conclusion and Reporting; Monitoring)

Activities:
- Summarize Audit Results
  o Prepare summary of the results and conclusions of the audit
  o Discuss results of the different types of audit conducted
- Prepare Audit Report
  o Prepare Annual Audit Report
- Wrap-up and Archive the Engagement
  o Archive working papers/documentation of the audit
- Follow-up Action Plan

Delivery flow:
Execution: Design Audit Tests -> Execute Audit Tests -> Evaluate Audit Results
Conclusion and Reporting: Summarize Audit Results -> Prepare Audit Report -> Wrap-up and archive the engagement -> Communicate Audit Results -> Follow-up Action Plan

RBA framework: MONITORING (Quality Control System)
(Phases: Strategic Planning and Risk Identification; Planning - Planning and Audit Risk Assessment; Delivery - Execution, Conclusion and Reporting; Monitoring)

Activity:
- Monitor quality control on audit services

RBA framework
Strategic Planning and Risk Identification: Perform Risk Identification -> Conduct Strategic Planning
Planning (Planning and Audit Risk Assessment): Prepare Audit Work Step -> Understand the Business -> Identify Significant Business Risks -> Understand and Assess Business-level Controls -> Understand the Process -> Conduct Audit Risk Assessment and Planning
Delivery - Execution: Design Audit Tests -> Execute Audit Tests -> Evaluate Audit Results
Delivery - Conclusion and Reporting: Summarize Audit Results -> Prepare Audit Report -> Wrap-up and archive the engagement -> Communicate Audit Results -> Follow-up Action Plan
Monitoring

RBA Tools and Templates

Strategic Planning and Risk Identification:
- Form 01-01: Business Risk Model
- Form 01-02: Business Risk Identification Template

Planning and Audit Risk Assessment:
- Form 02-01: Audit Work Step
- Form 02-02: Understanding the Business Template
- Form 02-03: Business Risk Model
- Form 02-04: Business Risk Identification Matrix
- Form 02-05: Business-level Control Checklist
- Form 02-06: Process-Risk-Control Matrix
- Form 02-07: Audit Risk Assessment and Planning Tool

Delivery - Execution:
- Form 03A-01: Audit Test Summary

Delivery - Conclusion and Reporting:
- Form 03B-01: Summary of Audit Results and Recommendations
- Form 03B-02: Quality Inspection Tool
- Form 03B-03: Action Plan
- Form 03B-04: Action Plan Monitoring Tool

Monitoring
Audit services and RBA framework

Audit services shown: Financial; Compliance; Fraud
Phases: 1 Strategic Planning and Risk Identification; 2 Planning (Audit Planning and Risk Assessment); 3 Delivery (Execution; Conclusion and Reporting); 4 Monitoring

Notes:
- Strategic Planning and Risk Identification is the integration point wherein the five audit services are considered.
- Other types of audit conducted are mentioned in audit reports and considered before rendering the audit opinion.
- Comprehensive auditing is discussed in Phases 1 and 2.
- Although Fraud is given consideration, the full-length discussion is in the Fraud Audit Manual.
- The guidelines set forth in the Monitoring phase are applicable to comprehensive auditing.
RBA framework
Phase 1: Strategic Planning and Risk Identification
Phase 2: Planning - Audit Planning and Risk Assessment
Phase 3: Delivery - Execution; Conclusion and Reporting
Phase 4: Monitoring (Quality Control System)

Strategic Planning and Risk Identification

Risk Identification (RI)
o Develop/update the Business Risk Model
o Identify risks
o Report the results of Risk Identification

Conduct Strategic Planning

Risk Identification Process Flow

Inputs: Global trends; Technological changes; Media releases and reporting; Industry risks; Fraud and geographic risks; Knowledge and prior audit reports
-> Identify Risks
-> Linkage of risks to departments: Finance; Human Resource; Marketing; Purchasing; Accounting

SAMPLE Risk Identification Template

Business Objective: Improve Financial Position - Create opportunities for non-traditional revenue streams
Key Risk:
  Risk Category: Strategic
  Risk Title: Vision and Direction
  Risk Definition: Failure to establish a vision and direction for major initiatives, including services, products and programs that will drive future growth. Failure to establish project acceptance criteria and adequately measure against the criteria.
Basis of Selection: Changes in management
Departments and Program / Activity / Project:
  Purchasing: Centralization of Purchasing Functions
  Finance: Proper reporting of financial records
Enterprise-wide Audit Risk Assessment

Report on the results of Risk Identification (RI)
The report on the results of Risk Identification contains/documents:
- RI Template
- Minutes of the RI activity
- Participants of RI

The report shall be presented to management and distributed to the concerned departments.

Strategic Planning and Risk Identification

Risk Identification (RI)
o Develop/update the Business Risk Model
o Identify risks
o Report the results of Risk Identification

Conduct Strategic Planning

Linkage of the strategic planning process with RBA

Company: Annual Strategic Planning process -> Strategic Action Plan (SAP) -> Departmental Plan (COP/ROP)
Auditor: Risk Identification -> Risk Identification Template (RIT) -> Planning (Audit Planning and Risk Assessment)
The RIT is the link between the auditor's Risk Identification and the Company's Annual Strategic Planning.
RBA framework
Phase 1: Strategic Planning and Risk Identification
Phase 2: Planning - Audit Planning and Risk Assessment
Phase 3: Delivery - Execution; Conclusion and Reporting
Phase 4: Monitoring (Quality Control System)

Assess Audit Risk

Step 1: Assess Inherent Risk
Inherent risk: the susceptibility of an assertion about a class of transactions, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.
Inherent risk is assessed as Lower or Higher.

Assess Audit Risk

Factors that may affect our inherent risk assessment are as follows:
- Susceptibility to material misstatement
- Size and composition
- Variations from expected amounts
- Effects of external factors
- Competence and experience of personnel
- Degree of subjectivity
- Completion of unusual/complex transactions at or near period-end
- Transactions not subjected to routine processing

Assess Audit Risk

Step 2: Assess Preliminary Control Risk
Control risk: the risk that a misstatement that could occur in an assertion about a class of transactions, account balance or disclosure, and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the internal control.
Preliminary control risk is assessed as Rely or Not Rely.

Assess Audit Risk

Our preliminary assessment of control risk is based on the following:
- Information we obtained from prior periods' engagements, if available
- Results of our walkthroughs in our understanding of the processes

Assess Audit Risk

Step 3: Make overall risk assessment

Overall risk assessment (inherent risk assessment x control risk assessment):
Inherent risk Higher, control risk Rely: Low
Inherent risk Higher, control risk Not Rely: High
Inherent risk Lower, control risk Rely: Minimal
Inherent risk Lower, control risk Not Rely: Moderate

Determine Audit Scope and Timing

Our audit scope defines the boundaries and limitations of our audit. We document our audit scope based on the results of our risk assessment.

In determining the timing of our audit tests (tests of controls and substantive tests), we shall consider the auditor's other responsibilities, such as, but not limited to:
- Cash examinations of accountable officers
- Requests for relief of accountabilities
- Issuance of disallowances
- Pre-audit activities

Prepare Audit Risk Assessment and Planning Tool

The Audit Risk Assessment and Planning Tool will facilitate:
- The documentation of the audit team's audit risk assessment.
- The documentation of the audit strategies, scope and estimated timing, which will guide the auditors in the development of the audit test procedures.

Prepare Audit Risk Assessment and Planning Tool

At a minimum, our Audit Risk Assessment and Planning Tool contains the following:
- Our audit focus areas and our planned audit approach (nature and extent of audit procedures), including timing.
- Our documentation of professionals with specialized skills needed for the audit and the scope of work to be performed.
- Our documentation of other material accounts to be subjected to high-level precision analytics.

Prepare Audit Risk Assessment and Planning Tool

We determine the overall audit risk assessment for each assertion of each significant account.

Based on the overall risk assessment, we determine the audit approach and our estimated timing for execution of the audit approach.

RBA framework
Phase 1: Strategic Planning and Risk Identification
Phase 2: Planning - Audit Planning and Risk Assessment
Phase 3: Delivery - Execution; Conclusion and Reporting
Phase 4: Monitoring (Quality Control System)

SAMPLE Test of Control Working Paper (shown as an image on the slide)

Design Substantive Tests

Nature
- We customize the tests of details for significant accounts in accordance with our audit strategy outlined in our Audit Planning Memorandum.

Extent
- Minimal or Low: less extensive tests of details
- Moderate or High: more extensive tests of details

Timing
- Timing of our tests of details depends on the results of the risk assessment conducted in Phase 2.
- We may design the timing at interim dates.

Design Substantive Tests

Benefits of performing tests of details at interim dates:
- Enable earlier identification of significant findings and issues
- Allow more time to address and resolve significant findings and issues
- Reduce work performed during year-end
- Help to manage tight reporting deadlines

Design Substantive Tests

Timing Substantive Tests at Interim Dates

Risk Assessment | Timing
Minimal | Earlier in the reporting period (e.g., up to six months before the balance sheet date)
Low | During the later portion of the reporting period (e.g., up to three months before the balance sheet date)
Moderate or High | At or near the period end (e.g., up to one month before the balance sheet date)

Design Substantive Tests

Roll-forward Considerations

When we design interim procedures, we also design roll-forward procedures covering the period from the interim date to the balance sheet date.

The extent of roll-forward procedures is customized depending on the length of the roll-forward period and the risk assessment.

Execute Substantive Tests

Audit Evidence Considerations

The quality of audit evidence is affected by the relevance and reliability of the information upon which it is based.

The reliability of audit evidence is increased when:

o It is obtained from independent sources outside the entity.
o The related controls imposed by the entity are effective.
o It is obtained directly by the auditor rather than indirectly or by inference.
o It exists in documentary form rather than being obtained orally.
o It is in original form rather than a photocopy or fax.

Execute Substantive Tests

Accounting Estimates

If our planned procedures include testing how management determined the accounting estimate, we evaluate whether:

The method of measurement used is appropriate in the circumstances (e.g., in relation to the operations, sector and environment), including management's rationale for selecting the method.

The assumptions used by management are reasonable in light of the measurement requirements of the applicable financial reporting framework, including the consistency of the assumptions with our understanding of management's intent and ability to carry out particular courses of action.

Execute Substantive Tests

External Confirmations

To ensure reliability, confirmation responses should be received by the auditors directly from the parties to whom the confirmation requests were sent.

Confirmation exceptions may be given to the company for investigation only after we establish control over the reply by making a copy or other record of it.

When we do not receive replies to confirmation requests, we apply alternative procedures to the non-responses to obtain the evidence necessary.

Evaluate Results of Audit Tests

Identification and accumulation of misstatements is one of our most important audit responsibilities and is critical in enabling us to formulate our audit opinion.

If we identify an intentional misstatement in the financial statements, we determine whether it is an incident of fraud or represents non-compliance with applicable laws and regulations.

The matter is reported to the Supervising Auditor of the engagement and communicated to the appropriate level of management.

Communicate Audit Results

We discuss each audit finding with the appropriate level of management to confirm that our understanding of the nature and cause of the audit finding is factually correct.

If the company disagrees that there is an audit finding, or disputes the amount involved, we ask them to support their position by providing additional audit evidence.

If the evidence provided by the company does not support the company's position, we determine the effect on our audit opinion, which may include consulting with the Supervising Auditor.

Documentation: Audit Observation Memorandum (AOM)


Conclusion and Reporting

Summarize Audit Results
  o Prepare summary of audit results and recommendations
  o Discuss results of other types of audit conducted
Prepare Audit Report
  o Prepare Annual Audit Report (AAR)
Wrap-up and archive the engagement
Follow-up Action Plan


Summarize audit results

Prepare summary of audit results and recommendations
Accumulated results are summarized at the end of the audit.

Significant findings, issues and observations, including misstatements, are summarized and discussed with the company. The conclusion for each misstatement, finding, issue and observation is documented. This serves as the basis for formulating the audit opinion in the audit report.
The Summary of Audit Results and Recommendations (SARR) is presented on the next slide.

Discuss results of other types of audit conducted

Summary of Audit Results and Recommendations

(Annotated SARR form shown as an image; the form's columns, as labelled on the slides, are:)

Reference number for the audit finding: indicate the AOM number and date issued.
Observation: document the observation noted, including the corresponding recommendation.
Management's feedback: document management's comments.
Auditor's rejoinder: supply the auditor's rejoinder on the management comments, if any.
Unrecorded adjusting/reclassifying journal entries: summarize each entry, including its amount and its effect on the financial statements.


Prepare audit report

In reporting the results of the audit, the auditors prepare the following reports:

Audit opinion
Management Letter


Wrap-up and archive the engagement

Audit documentation shall be sufficient for an experienced auditor with no previous association with the audit to understand the nature, timing, extent and results of the procedures performed, the evidence obtained and the conclusions reached.

Auditors shall use professional judgment in determining the nature and extent of the audit documentation. However, they shall ensure that it is consistent with firm policies, professional standards and other legal and regulatory requirements.


Follow-up Action Plans

An effective monitoring system not only ensures the prompt and proper resolution of audit recommendations and the implementation of corrective action, but also ensures that a complete record of actions taken on observations and recommendations is maintained.

Audit Issue Database

An audit issue database may:

Support the monitoring of all issues and the subsequent action taken on them after the audit.
Guide the assessment of the key risks of the business.
Serve as a reference for in-depth analysis of the relationships among issues across different departments.

Follow-up Action Plans

Benefits of Monitoring:

Assures the auditor that the benefit of the work done is realized.
Validates that the recommendations, as implemented, are truly advantageous to the company.
Monitors progress.

Part of the auditor's role is to determine that the audited company takes corrective action on the audit recommendations provided on a timely basis.


Monitoring

Monitor quality control on audit services:

Quality Control System
Responsibilities on Quality Control
Quality Assurance
Quality Assurance Review Program

Questions?

Thank You!