
This portion contains texts copied from the PGIAM of the DBM unless otherwise
specified. Its format is predominantly bulleted and does not conform to the report
format used in Part A.

I. INTERNAL AUDIT WORK FLOW


The diagram below presents the Internal Control Work Flow of the OGM-ICS.

[Diagram: Audit Planning; Audit Process; Performance Monitoring & Evaluation]

This was derived from the Strategic Planning Flow Diagram shown in the PGIAM:

There are three (3) levels of audit planning:

Strategic Planning
• Defined as the process of identifying the key audit strategic direction
of the ICS for a three-year period

Annual Work Planning
• Based on identified audit areas resulting from the strategic planning

Audit Engagement Planning
• Sets the activities per audit engagement identified in the Annual Work
Plan (AWP)

TWD-OGM-ICS Internal Controls Manual (Part 2) Page | 1


Strategic and annual work planning are broad activities that form part of the
strategic planning stage in the Internal Audit Work Flow shown on page 1.
Meanwhile, audit engagement planning comes in during the audit process stage.

II. STRATEGIC PLANNING

A. Overview

Definition

• The process of identifying the key audit strategic direction of the IAU for
3 yrs

Approval

• Should be approved by the General Manager

Activities

• Performing the baseline assessment of the IC system;


• Considering the control significance and materiality and control risk of
key processes in the operating and support systems to achieve the
control objectives;
• Assessing internal audit risk;
• Formulating the Strategic Plan; and
• Preparing the annual work plan.

B. Performing the Baseline Assessment of the Internal Control System

1. Overview

➢ Steps

[Diagram: Entity → ICS → Review → Audit areas]

➢ Objectives

a. Familiarize with the organization’s operations
b. Identify and document the five (5) components of IC system
c. Review key control processes and performance of
operating and support systems
d. Gather sufficient information on potential audit areas
to be included in the annual work plan

➢ PGIAM Diagram

2. Step 1: Gaining an understanding of the organization’s operations

Gather and analyze information on the following
• Mandate
• Objectives
• Strategies
• Operating and support systems,
• Relevant laws, rules and regulations, and
• Organizational & sectoral performance (ex. audit reports)

There are two (2) types of documents:

Primary source documents (PSD)
• obtained from the original source of the information, documents or
records
• e.g. Philippine laws = Philippine Congress

Secondary source documents (SSD)
• obtained from references/copies of information, documents or records
other than the original source
• e.g. Philippine laws = law firm website (Chan Robles)

3. Step 2: Identify and document the five (5) components of ICS

➢ Overview

WHAT? (components of the ICS)
• Control environment
• Risk assessment
• Control activities
• Information & communication
• Monitoring

HOW? (methodologies)
• Workshops
• Observations
• Document review
• ICQs
• FGDs

➢ WHAT: The 5 Components of the ICS

The following are the recommended steps in identifying and
documenting the five (5) components of the internal control system:
a. Control environment
i. Identify the control environment in the context of a sector:
[Diagram labels: Stakeholders (Internal, External); Constituents; Public
service or organizations; Public (Internal, External); Control Environment]

ii. Document the control environment. See Annex 1 for the Checklist
(Control Environment Documentation Checklist).

b. Risk assessment
i. According to the PGIAM, the organization has to establish its own
Risk Management Framework & Process (see next page).
ii. Check if the organization has a risk management framework and
process. Determine if the components are well defined. If there is
no documented risk management framework and process yet, the
PGIAM guidelines may be used
iii. See Annex 2a for the Risk Management Guidelines
iv. See Annex 2b for the Risk Management Plan Template
v. Perform assessment of internal audit risks
- See the prescribed steps from the PGIAM:

Risk identification
•Choose the method/technique to be used;
•Identify risk sources and events;
•Identify the causes of the risk.

Risk analysis
•Choose the method/technique to be used;
•Determine consequences for identified risks;
•Determine probabilities for identified risks;
•Identify factors that could affect the consequences and probability;
•Determine the level of the risks.

Risk evaluation
•Compare the estimated levels of risks with the risk criteria; and
•Determine whether or not the risk or its magnitude is acceptable or
tolerable

RISK MANAGEMENT FRAMEWORK (ISO 31000)

(Syxon Ltd. GTC, 2013)

- See Annex 2c for the Risk Assessment Checklist
- See Annex 2d for the Risk Assessment Documentation
Template

c. Control activities
i. See Annex 3 for the Control Activities Documentation Template

d. Information and communication


i. See Annex 4 for the Information and Communication Checklist.

e. Monitoring and evaluation


i. See Annex 5 for the Monitoring Checklist.

➢ HOW: Methodologies
According to the PGIAM, the procedure in documenting the ICS
includes a combination of the following, in order to obtain the primary
source documents from the operating and support units and to validate
all observations and recommendations with key officials of the
organization:

• Workshops
• Observations
• Document review
• ICQs
• FGDs

a. Workshops
i. An educational seminar or series of meetings emphasizing
interaction and exchange of information among a usually small
number of participants (Houghton Mifflin Company, 2000)
ii. A seminar or small group that meets to explore some subject,
develop a skill or technique, carry out a creative project, etc. (K
Dictionaries Ltd., 2010)

b. Observations
i. The act of noting and recording something, such as a phenomenon,
with instruments (Houghton Mifflin Company, 2000)
ii. Detailed examination of phenomena prior to analysis, diagnosis, or
interpretation (HarperCollins Publishers, 2003)

c. Document review
i. involves obtaining documents from primary sources for validation,
such as inspection guidelines or manuals which contain the
standards, timing and methods for the conduct of inspection.

d. Internal Control Questionnaires (ICQs)


i. consists of questions answerable by "Yes", "No" or "Not Applicable"
ii. "Yes" answers would require submission of evidence by the
personnel concerned or gathering of evidence by the auditor to
validate such answer
iii. "Yes" and "No" answers with compensating controls will be subject
to test of controls for validation
iv. "No" answers without compensating controls should be identified as
control deficiencies and their root cause/s should be determined
before courses of action are recommended in the interim report.
Their content should eventually be included in the Baseline
Assessment Report. Subsequently, interim report
recommendations should be monitored, and in the ensuing audit
period, it should be validated if the actions taken addressed the
control deficiencies. The recommendations should not merely
include addressing the control deficiencies, but should hold
accountable the next level in the hierarchy for failure of supervision.
v. See ICQ guidelines in Annex 6a.
vi. See ICQ instructions in Annex 6b.
vii. See ICQ templates in Annex 6c.
(Department of Budget Management, 2011)

e. Focus Group Discussions (FGDs)


i. A data collection procedure in the form of a carefully planned
discussion among about ten (10) people plus a moderator and
observer, in order to obtain diverse ideas and perceptions on a
topic of interest in a relaxed, permissive environment that fosters
the expression of different points of view, with no pressure for
consensus
ii. See the following resources from the Internet discussing the
success factors, procedures and other considerations when using
this monitoring technique
- Annex 7a – Focus Group Toolkit (Rowan University, 2013)
- Annex 7b – How to Conduct a Focus Group (Duke Trinity
College of Arts & Sciences, 2013)
iii. According to an article posted by Ryken, there are five (5) steps for
conducting focus groups:

Define the purpose of the focus group

• Critical; Forms the basis for focus group activities

Determine methodology

• Conceptualization
  - Define population and sampling method
  - Determine the size and number of focus groups
  - Develop and pre-test FGD content
• Logistics
  - Secure a focus group facility
  - Generate participant contact lists
  - Manage participant recruitment and reminders
  - Finalize focus group facility & room arrangements
  - Organize needed materials

Facilitate the focus group

• Preparation activities
  - “Involves the facilitator committing the discussion guide to
    memory so seemless [sic] and effortless group discussion
    results”
• Pre-session activities
  - Facilitator observes participants’ behavior and personality
    traits, taking note of any which may require special
    attention during the session
  - Facilitator helps participants gain rapport with the process
    and each other
• Session activities
  - Begins when the moderator opens the session with a brief
    overview of the major discussion topic

Analyze

• Goal is to break the focus group session into manageable pieces
for report development
• Use a question-by-question approach to summarize
participant comments into multiple themes
• Include non-verbal observations and relevant off-topic
comments

Report

• Can be narrative or bulleted, depends on the audience
• Can be organized by question or by theme
• Include:
  - Basic participant demographic information
  - Direct participant quotes
• Should be aligned with the purpose of the focus group

(Ryken, 2012)

Gathering of pieces of evidence by the Internal Audit Unit can be
done by triangulation, a multi-approach which may include solicitation,
elicitation and analysis of data. No one type of evidence gathering would
suffice. To raise the level of confidence, at least three sources of evidence
or methods of verification should be obtained. (Department of Budget
Management, 2011)

4. Step 3: Review key control processes & systems performance

➢ Overview
a. Scope

[Diagram: Operating systems; Support systems (Admin, Finance, IT, Other)]

b. Definitions

Process approach
• The application of a system of processes within an organization,
together with the identification and interactions of these processes,
and their management to produce the desired outcome

Process
• A set of interrelated or interacting activities which transform input
elements into outputs / results provided to the citizens

Input elements
- Statutory policies
- Resources
- Managerial policies
- Citizens’ needs and expectations

Outputs / Results
- Products / goods
- Services
- Benefits

Performance measures
• The criterion in terms of quantity, quality, cost and perception of
plans and programs
• Indicators of performance expressed in units of work which quantify
or measure the outputs and outcomes
• Requires that every unit of output must have a standard cost which
should be compared with the actual cost to obtain the difference
• In the absence of a standard cost, the organization must set up a
standard or predetermined cost before the start of each undertaking

➢ Operating Systems Review

a. General audit objectives


For key control processes

•To document controls in key processes of operations within the
organization that are critical to the achievement of the control
objectives
•To determine the adequacy of internal control
•To identify gaps, deficiencies or breakdown for potential inputs to
the baseline assessment report

For key operational processes

•To understand operational control components that are necessary to
achieve the target outputs and outcomes, as well as the identified
key performance measures

b. Guidelines
Criteria for selection of critical processes

• A process with an output that is an input to a major final output
• A process that makes up significant control procedures
• A process where the financial value of inputs is high

Subject of the review

• Existing flowcharts
• Operating manuals
• Periodic accomplishment reports

c. Audit work objectives

For key operational processes

• Determine compliance to milestone reporting


• Determine adequacy and appropriateness of performance
measures
• In case it was found that regular reports are not periodically
rendered, determine the possibility that slippages or gaps
are not immediately addressed to catch up on the target or
the possibility that end of the year reports are bloated

For operational performance

• Determine the relevant operational performance measures
for evaluation based on discussions with the General
Manager
• Determine the frequency of reporting operational
performance, the intermediary goals, and whether or not
improvements have been introduced as a result of the
performance review as part of monitoring their own
performance
• Determine whether or not measures are in place to ensure
compliance with laws, rules, regulations and managerial
policies within the operational level of the sector
• Assess the relative position of the organization, comparing
the current performance to target, past performance and
/or others in the sector or similar organizations
• Prepare a preliminary summary and assessment of the
programs/projects which should be included in the
baseline assessment report or control universe noting
weaknesses, gaps, deviations and processes that are
potential areas for the audit

➢ Support Systems Review

a. General audit objectives

For key processes in support system
• To document controls in key processes of the support systems within
the organization that are critical to the achievement of the control
objectives
• To determine compliance with controls put in place
• To identify gaps, deficiencies or breakdown for potential inputs to
the strategic plan

For performance of the support systems
• To identify and understand the network and linkages of support
services to the operating units
• To determine whether adequate controls are in place in providing the
needs of the operating units for logistics, funds and personnel

b. Guidelines
Criteria for selection of critical processes

• A process with an output that is an input to a major final output
• A process that makes up significant control procedures
• A process where the financial value of inputs is high

Subject for review

• Structure
• Personnel qualifications & performance
• Processes of the office of primary responsibility

c. Audit work objectives

For processes

•Determine the compliance with prescribed methods and procedures
•Determine the presence of a manual of operations and review the level
or extent of compliance thereto

For key processes and performance in support system

•Includes a review of the procurement, personnel, accounting,
budgeting, quality management and risk management
•Profile the performance of support services and evaluate the efficiency
and effectiveness in terms of quantity and quality
•Compare performance results against norms and targets
•Involves interviews of key persons responsible in the operating units to
determine the opinions and attitudes that key people outside the
support unit have about the services delivered and whether or not needs
are served

➢ Methods of Review

[Diagram: Narrative; Walkthrough; Flowcharting; Test of Controls; KPPs]

The following methodologies can help document critical operational /
support processes to help the auditor identify potential audit risk areas.

a. Flowchart or Process Map
• An analytical technique used to document a system in a clear,
concise and logical manner, showing the flow of documents through
various steps and actions from its origin up to the final disposition
• A workflow diagram is a graphic representation of all the major
steps of a process
• Helps visualize the process and therefore facilitates an analysis of
the operation and assists in identifying inefficiencies, overlaps and
duplications / missing procedures and control weaknesses
• Helps the auditor:
  - Understand the complete process
  - Identify the critical stages of a process
  - Locate problem areas
  - Show relationships between different steps in a process
  - Evaluate / test controls, where an audit impact has been
    identified
• See Annex 8a for a list of flowcharting symbols to be used, based on
the PGIAM.
• See Annex 8b for general guidelines on flowcharting transactional
processes.

b. Narrative notes
• Provide step-by-step description of the auditee’s major systems or
operations which cannot be adequately described by the flow chart
• Primary purpose is to identify key control activities
• Should include all significant parts of the process, especially the
control points, the names and positions of the people performing the
actions and taking decisions, and the timing of such actions
• An example might be: “Sales invoices are prepared by Mr._____ They
are checked by Mr. _____ and then passed to Mr. _____ for recording
in the customer’s account in the sales ledger etc.” (ZainBooks.com,
2013)

c. Walkthrough
• Involves following one or two transactions or activities
step-by-step through the process from beginning to end
• The act of tracing the identified significant controls in a
transaction through organizational records and procedures
• A technique for:
  - validating the understanding of the transaction flow and control
    design, particularly those which may help prevent or detect fraud
    and error
  - determining whether or not controls have been designed effectively
    and actually placed in operation
  - identifying areas where fraud and error may occur
• Exceptions or deviations identified could be highlighted in an
interim report, and appropriate recommendations given to help the GM
and process owners address the gaps

(Department of Budget Management, 2011)

➢ Perform Tests of Controls

a. Done after flowcharting, narrative notes and walkthrough to determine
if controls are actually present or to determine conformance
i. If conforming, the results go to the control universe and are included
in the baseline assessment report (BAR)
ii. If non-conforming or deficient, the gap is documented and included
in an interim report and eventually in the BAR

b. Activities include
i. Physical observation of the actual transactions involving the internal
control procedures being performed
ii. Evaluation of evidence that the control procedures were performed
at the proper time
iii. Inquiry about how and when the procedures were performed
iv. May involve touring facilities, making site visits, and reviewing
processes, flow of materials and documents

c. Tools that may be used are:

Statement of Control Attributes (SCA)

• summarizes the selected control attributes / features in
the ICQ that will be subject to test
• see template in Annex 13

Walkthrough Working Paper (WWP)

• summarizes the control attributes / features in the
flowchart that will be subject to test
• see template in Annex 14

Test of Control Working Paper (TCWP)

• used to document the conduct of the actual test of
controls where documents representing the selected
transactions are examined to verify whether or not the
control attributes perceived to be in place are actually
present or to determine conformity
• see template in Annex 15

Summary of Gaps (SoG)

• based on the TCWP
• used to summarize the deviations noted from the conduct
of the test of controls
• deviations include breakdowns or gaps in controls
• see template in Annex 16

➢ Special Considerations

a. Review of Controls in a Computerized Environment

The objective of internal audit in a manual system does not
change in a computerized environment, that is, assessing the
adequacy of controls embedded in the computerized program. This
involves reviewing the general and application controls.

i. Review of general controls
Definition

• The structure, policies and procedures that apply to all or a
large segment of an entity's information system (IS) and
help ensure their proper operation
• Create the environment in which application systems and
controls operate

The International Organization of Supreme Audit Institutions
(INTOSAI) identified the major categories of general controls:

Entity wide security program planning and management
Provide framework & continuing cycle of activity for:
• managing risks
• developing security policies
• assigning responsibilities
• monitoring the adequacy of the entity’s computer-related controls

Access controls
• Limit or detect access to computer resources (data, programs,
equipment, and facilities), thereby protecting these resources against
unauthorized modification, loss, and disclosure
• Include both physical and logical controls

Controls on DMC of AS
Prevent unauthorized programs or modifications to existing programs
during development, maintenance & change of application software

System software controls
Limit and monitor access to the powerful programs & sensitive files
that control the computer hardware and secure applications supported
by the system

Segregation of duties
Implies that policies, procedures and an organizational structure are
established to prevent one individual from controlling all key aspects
of computer-related operations and thereby conduct unauthorized
actions or gain unauthorized access to assets or records

Service continuity controls
Help to ensure that when unexpected events occur, critical operations
continue without interruption or are promptly resumed and critical and
sensitive data are protected.

ii. Review of application controls

Application software

• The software that processes and understands data with
reference to the transaction
• Could be a payroll system, inventory system or billing
system
• Where the rules pertaining to the systems and processes
are implemented

Application controls

• The structure, policies, and procedures that apply to
separate, individual application system, and are directly
related to individual computerized applications
• Generally designed to prevent, detect, and correct errors
and irregularities as information flows through information
systems

Application controls and the manner in which information flows
through information systems can be categorized into three phases
of a processing cycle:

Input
• data are authorized, converted to an automated form, and entered
into the application in an accurate, complete, and timely manner

Processing
• data are properly processed by the computer and files are updated
correctly

Output
• files and reports generated by the application reflect transactions
or events that actually occurred and accurately reflect the results
of processing, and reports are controlled and distributed to the
authorized users

(Department of Budget Management, 2011)

b. Evaluation Reports of Oversight Bodies & Int’l Development Partners


This includes results from the evaluation reports of various
monitoring and oversight bodies such as (as applicable):
- Local Water Utilities Administration (LWUA)
- Department of Budget and Management (DBM)
- Commission on Audit (COA)
- Office of the President (OP)
- Civil Service Commission (CSC) and
- Office of the Ombudsman (OMB)
This also includes the review made by international
development partners working with the Philippine government. The
aim is to identify gaps or control deficiencies / breakdowns that need to
be considered in the baseline assessment report and in prioritizing
internal audit activities. (Department of Budget Management, 2011)

5. Step 4: Identify potential audit areas to be included in the AWP

➢ Prepare the Interim Report

Contains gaps or control deficiencies / breakdowns:

• noted during the documentation of the components of the ICS and
the key processes in the operating and support systems;
• found out after conducting a flowchart, preparing narrative notes
and conducting a walkthrough; and
• after conducting a test of controls

What are gaps or control deficiencies / breakdowns?

• A control deficiency exists when the design or operation of a
control does not allow management or employees, in the normal
course of performing their assigned functions, to prevent or detect
fraud or error on a timely basis.
• A deficiency in design exists when a control necessary to meet the
control objective is missing or an existing control is not properly
designed, such that even if the control operates as designed, the
control objective is not always met.
• A deficiency in operation exists when a properly designed control
does not operate as designed, or when the person performing the
control procedure does not possess the necessary authority or
qualifications to perform the same.

The gaps or control deficiencies/breakdowns are subjected to a
root cause analysis and the preliminary recommendations should form
part of the interim report. A summary of the interim report will be included
in the baseline assessment report.

A significant deficiency is a control deficiency (or a combination of
control deficiencies) that adversely affects the agency's ability to initiate,
process, authorize, record, or report data reliably such that there is more
than a remote likelihood that an error that is more than inconsequential will
not be prevented or detected. The term “remote likelihood” is defined as
when the “chance of the future events or events occurring is slight.” Thus,
the likelihood that an event is “more than remote” is when it is either
reasonably possible or probable.
(Department of Budget Management, 2011)

➢ Define the Control Universe

Before defining the Control Universe, the ICS should validate
understanding with the unit concerned. This is to verify the ICS’ complete
and accurate understanding of the control components and key
processes, and to validate this understanding. This step is important to
corroborate initial results as it gives the opportunity to obtain a buy-in that
the audit will be focused on the important organizational / sectoral
concerns.

This step may be formal or informal. The positive results of the test
of controls will be an input to the Control Universe (CU). The CU is a list of
all auditable areas which shall be an input to the baseline assessment
report, included in the strategic plan and will be prioritized in the
formulation of the annual work plan. Aside from the CU, other sources to
be considered in strategic planning are the results of the review of
oversight bodies and international development partners.
(Department of Budget Management, 2011)

➢ Prepare the Baseline Assessment Report (BAR)

The BAR summarizes the gaps and control deficiencies /
breakdowns resulting from the baseline assessment of the internal control
system. This report can be used in the next assessment to determine
improvements between the condition it recorded and the current condition.
Issues not captured in the report should be lessons learned to be included
in the next assessment.

The report includes a summary of the interim report which
contained the gaps or control deficiencies / breakdowns, root cause
analysis, and recommended courses of actions. The BAR also includes
the Control Universe and the results of the review of oversight bodies and
international development partners.

Parts of the report

• Executive summary
• Objectives
• Scope and methodology
• Detailed findings and recommendations on each internal control
component
• Overall findings
• Summary of interim report
• Control environment
• Results of oversight bodies and international dev't partners
• Attachments

The detailed findings portion discusses the results of the assessment of
the five components of internal control. The findings are supported with at
least three methods of assessment, the results of which corroborate each
other.
(Department of Budget Management, 2011)

C. Identify control significance, materiality and control risks of key processes

1. Objective
To identify which controls should be assessed for internal audit risk and those
which should not be prioritized in the strategic and annual work plan

2. Diagram

3. Control Significance & Materiality Level

➢ Overview: Steps

[Diagram: Assess significance level → Assess materiality level → Identify controls]

➢ Definitions

Significance

•Considered in terms of quality
•Based on a process' possible impact on the control objectives

Materiality

•Quantitative
•Often considered in terms of value or relative importance of an amount
•Level may or may not be set based on a specific amount
•Materiality of information is determined if the omission or misstatement
of such could affect control objectives
•Depends on the nature and size of the item or error judged in particular
circumstances

➢ Detailed Steps

Assess the significance level

•Take into account the qualitative factors, including cumulative effects of
errors, legal and regulatory requirements

Assess the materiality level

•Take into account the quantitative factors and nonfinancial items that,
independent of the amount, may impact on the achievement of the
control objectives (e.g. legal & regulatory requirements)

Identify controls in the potential audit areas

•Controls in the organization and those embedded in the system

4. Control Risk Level

 Overview: Steps

Determine vulnerable
Conduct risk assessment
controls

 Rationale
Generally, the units responsible for addressing risks must make the
assessment of their own risks, including top management as control risk
assessment is part of its regular functions. Thus, the control risk owners
should already have identified and initiated measures to modify the
material and significant control risks, based on probability and impact,
before the auditors begin an audit. Nevertheless, the ICS will still have to
conduct risk assessment on the identified material and significant controls
where they may be high risk of impact on key processes of operating and
support systems in order to properly prioritize potential audit areas.

 Detailed Steps
a. Conduct risk assessment on the identified material and significant
controls where there may be high risk of impact on key processes of
operating and support systems;
b. Determine those controls that are vulnerable to being omitted,
improperly implemented or bypassed.



D. Assess internal audit risk

1. Overview

Risk identification → Risk analysis → Risk evaluation



2. Objectives



• Give appropriate advice to the GM on all matters relating to management control & operations audit;
• Perform such other related duties and responsibilities assigned or delegated by the GM, or as may be required by law.
• Properly conduct management & operations audits of the WD
• Analyze & evaluate management deficiencies and recommend realistic courses of action
• Determine degree of compliance with their mandate, policies, etc.
• Review & appraise systems and procedures / processes
  • organizational structure,
  • assets management practices,
  • financial and management records, reports and performance standards



3. Detailed Steps
Risk identification

• Choose the risk identification method/s or technique/s to be used;


• Identify risk sources and events; and
• Identify the causes of the risk.

Risk analysis

• Choose the risk analysis method/s or technique/s to be used;


• Determine the consequences for the identified risks;
• Determine the probabilities for the identified risks;
• Identify the factors that could affect the consequences & probability;
• Determine the level of the risks.

Risk evaluation

• Compare the estimated levels of the risks with the risk criteria; and
• Determine whether or not the risk or its magnitude is acceptable or
tolerable.



E. Formulate Strategic Plan

1. Definition

The Strategic Plan consists of the three-year direction of the ICS
considering the results of the following:
 baseline assessment of the internal control system of the TWD,
 the control significance and materiality and control risk of key processes,
 the assessment of internal audit risks

The ICS prepares the proposed three-year direction of the internal audit
activities for approval by the General Manager.

2. Steps

Analyze the results of the BAR → Evaluate result of assessment of significance, materiality and risk → Evaluate result of assessment of internal audit risk

3. Components

a. Internal Control Service (ICS) Objectives
b. Methodology
c. Organizational Strategic Environment
d. Responsibility for Deterring and Detecting Fraud & Errors
e. ICS Management Strategies
f. ICS Work Strategies and Audit Coverage
g. Allocation of Audit Resources
h. Performance Measures
i. Review of the Strategic Plan



a. ICS Objectives
• Broad audit objectives
• Directions for internal audit over a 3-year period
• Limitations
• Audit & management goals consistent with the TWD's policies and guidelines

b. Methodology
• Approach in developing the plan
• Consists of:
  • Conduct of baseline assessment of internal control system
  • Consideration of control significance, materiality and risk
  • Assessment of internal audit risks
  • Consultation with key stakeholders

c. Organizational Strategic Environment
• Relevant issues and trends which may impact on the achievement of the organization's objectives which may come from
  • Governance, organizational structure, roles & accountabilities
  • Policies, objectives, and strategies that are in place to achieve organization objectives
  • Capabilities, understood in terms of resources and knowledge
  • Information systems, information flows and decision making processes
  • Relationships with, and perceptions and values of, stakeholders
  • Organization's culture
  • Standards, guidelines and models adopted by the organization
  • Form and extent of contractual relationships
  • Socio-cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local
  • Key drivers and trends having impact on the objectives of the organization
• Derived from review of key strategic and other planning documents and discussions with the management and stakeholders
• Aim is to demonstrate that internal audit has a good understanding of the organization and sector operations, what is planned for the future and how the work undertaken by internal audit will assist the organization achieve its objectives



d. Responsibility for Detection and Deterrence of Fraud & Error
• Fraud Basics:
  • It should be established that management has a responsibility to establish and maintain an effective control system to prevent fraud and error
  • Fraud encompasses an array of irregularities and illegal acts characterized by intentional and unintentional deception
  • Fraud can be perpetrated by persons outside as well as inside the organization

• Responsibilities:
  • Responsibility for deterrence and detection of fraud & error lies on the functional units
  • Responsibility to exercise due professional care is required of the internal auditor.

• The Internal Audit may determine whether or not:
  • The organizational environment fosters control consciousness
  • Realistic organizational goals and objectives are set
  • Written policies exist that describe prohibited activities and the action required whenever violations are discovered
  • Appropriate authorization policies for transactions are established and maintained
  • Policies, practices, procedures, reports, and other mechanisms are developed to monitor activities and safeguard assets
  • Communication channels provide management with adequate and reliable information

• When Internal Audit suspects wrongdoing, prompt recommendations should be given to management to establish or enhance cost-effective controls to help deter fraud

• IA may recommend whatever investigation is considered necessary in accordance with law, given the circumstances



e. ICS Management Strategies
• Describe the 3-year management strategy to achieve its broad audit
objectives described earlier
• The strategies, detailed into plans and approaches, should:
• Address short and long term direction focused on the audit needs of the
sector
• Describe the capabilities and resources, both dictated by the assessment of
internal controls
• Examples:
• Changes in work practices and enhancement of audit methodologies to
ensure that internal audit meets the needs of its publics and delivers value
for money
• Review of the internal audit professional development program to address
new trends in audit
• Development or introduction of new audit technology
• Benchmarking exercises or external reviews, as may be deemed appropriate
• Introduction of secondment programs aimed at augmenting the capacity of
the ICS
• Skilled and experienced staffing resources to deliver the internal audit work
plan

f. ICS Work Strategies and Audit Coverage


• Describe the major focus of the audit function and any audit-related activity
over the 3-year period
• Clarify the audit coverage:
• Focus of the audit prioritized from the baseline assessment of the
internal control system, consideration of the control significance, materiality
and risk, and assessment of internal audit risks
• Audits proposed to be conducted over a 3-year period categorized into
compliance, management and operations audits, containing the audit area,
site and priority
• Rationale on the greater need from compliance, management or
operations audit
• Potential audit areas are calculated by assigning scores to the controls as to
consequence and probability (or total impact)
• Also, the IA may further formulate criteria on which offices or units may be
included in audit (such as those with the biggest budget, least achievement,
or with most adverse findings reported by the external auditor and oversight
bodies)



 Example of Management Audit Coverage

| Year | Audit Area | Site |
|---|---|---|
| Year 1 | Controls in inventory & warehousing system | Office and warehouse |
| Year 2 | Controls in billing, collections and receivables | Office and field |
| Year 3 | Controls in procurement system | Office |

 Example of Operations Audit Coverage

| Year | Audit Area | Site |
|---|---|---|
| Year 1 | Financial analysis | Office |
| Year 2 | Capital Projects | Office and field |
| Year 3 | Water Resource Management program | Office and field |

g. Allocation of Audit Resources


• Details the relative allocation of financial and human resources between
audit, audit support and any audit related activity over the life of the plan,
including the previous year, for comparative purposes
• Other options include showing the allocation of resources between the
different types of audit, organizational units and/or geographical locations
• May be provided in tabular or graphic form

h. Performance measures
• Used to measure the performance of internal audit and any change in
measures or targets over time

i. Review of the Strategic Plan


• Describes the timeframe and arrangements for the review and update of the
plan
• Plan covers a 3-year rolling period and needs to be reviewed iteratively
• Developed by ICS and approved by the GM



F. Prepare the Annual Work Plan

1. Definition
• Contains the prioritized audit areas from the Strategic Plan and approved by the
GM which will be focused on during a one-year period, the type and approach of
audit and the timelines of the same

2. Features
• Should include areas for management audit and operations audit
• Basic frame of reference is the objective established by the organization and the
weight of the expected results from the audit area
• If failure to deliver expected results results from control deficiency, then a
management audit is required
• As part of strategic planning and developing the AWP, the ICS may review the
control components for any change, new systems and processes and the results
obtained on, for example, the top 5 key audit issues in the organization's priorities

3. Steps

Prioritize potential audit areas → Validate previous audit follow-up report → Discuss with GM

a. Prioritize potential audit areas


• Validate the BAR (on the 2nd and 3rd year)
• Update consideration of the control significance and materiality and
control risk assessment (on the 2nd and 3rd year)
• Update the internal audit risk assessment (on the 2nd and 3rd year)
• Prioritize the potential audit areas

Of the three-year strategic plan, the ICS schedules the prioritized audit
areas into three annual plans or AWPs, subject to the approval of the
GM. The ICS then prepares the Audit Engagement Plan which
focuses on the specific audit areas prioritized for the year. An example
of an audit focus is shown in Table 7. In case the allocated budget is
insufficient, the IAS/IAU should strategically source augmentation of
resources.



Example of Audit Focus / Foci for 1 Period

| Audit Area | Audit Type | Audit Description | Expected Benefit | Area Responsible | Priority | Estimated Duration | Estimated Start |
|---|---|---|---|---|---|---|---|
| Financial Analysis | Operations Audit | Review, computation and analysis of relevant financial indicators to measure profitability, activity, liquidity, and solvency | Help identify areas for concern, serve as starting point for baseline assessment | Finance | 1 | 10 WD | June 17 |
| Baseline assessment | General | Baseline assessment of Internal Control System | Document the components of internal control, highlight the strengths and opportunities, identify weaknesses & threats and recommend improvements; provide tools for prioritizing audits | OGM | 1 | 5 WD | July 1 |
| | | | | Commercial | 2 | 10 WD | July 8 |
| | | | | Engineering | 3 | 10 WD | July 22 |
| | | | | Administration | 4 | 10 WD | August 5 |
| | | | | Finance | 5 | 10 WD | August 19 |
| Controls in inventory & warehousing system | Management Audit | Appraisal of the existing controls in inventory and warehousing practices | Ensure inventoriable items are properly safeguarded and accounted for; ensure warehouse management is efficient and responsive to the needs of the TWD | Administration – Warehouse | 1 | 30 WD | Sep 9 |
| Procurement controls | Compliance Audit | Check compliance with RA 9184 and related laws | Assess the compliance with rules and regulations and ensure proper procurement is done in accordance with applicable laws | Administration | 1 | 30 WD | Oct 21 |



b. Validate previous audit follow-up report
•Done to validate the implementation / non-implementation / inadequate
implementation by the units concerned of the approved actions and
recommendations
•Steps involved are:
• Validate the report of the non-implementation / inadequate
implementation of preventive / corrective actions
• Validate the report of justification for the non-implementation /
inadequate implementation of actions
• Validate the recommendations for possible legal/management action for
the non-implementation / inadequate implementation of preventive /
corrective actions

c. Discuss with the GM


•The ICS should present and discuss the Strategic Plan and Annual Work Plan with
the GM
•Objective: to obtain a good understanding of the insights of the GM on the
organizational and sectoral objectives
•Allows the ICS to focus on important issues throughout the planning process and
audit
•ICS should obtain the approval of the Strategic Plan and Annual Work Plan by the
GM

G. References

Department of Budget and Management. (2008, October 23). Circular Letter No. 2008-8.
Retrieved February 20, 2013, from Department of Budget and Management:
http://www.dbm.gov.ph/wp-content/uploads/2012/03/Circular-letter-National-Guidelines-on-Internal-Control-Systems.pdf

Department of Budget and Management. (2011, May 19). Circular Letter No. 2011-5. Retrieved
February 20, 2013, from Department of Budget and Management:
http://www.dbm.gov.ph/wp-content/uploads/2012/03/CL-2011-5.pdf

Department of Budget Management. (2011, May). Philippine Government Internal Audit Manual
(PGIAM). Retrieved February 28, 2013, from Department of Budget Management:
http://www.dbm.gov.ph/wp-content/uploads/2012/03/PGIAM.pdf

International Standards of Supreme Audit Institutions (ISSAI). (2013). INTOSAI Guidance for
Good Governance (INTOSAI GOV). Retrieved April 01, 2013, from International Standards of
Supreme Audit Institutions (ISSAI): http://www.issai.org/composite-194.htm

The Institute of Internal Auditors. (2013). Mandatory Guidance. Retrieved April 01, 2013, from
The Institute of Internal Auditors:
https://global.theiia.org/standards-guidance/mandatory-guidance/Pages/Mandatory-Guidance.aspx
