IRRBA Manual


Integrated Results and Risk-Based Audit Manual Introduction

Introduction

The services provided by the Commission on Audit, as a Constitutional Body and as the
country’s Supreme Audit Institution, are critical to meeting the utmost expectations of the
public. The evolution of audit approaches and the revision and emergence of old and new
laws, rules and regulations necessitate a more integrated and holistic approach in the
conduct of COA’s audit services.

In this regard, the Philippine Government entered into a contractual agreement with the
International Bank for Reconstruction and Development (World Bank) for a grant (IDF
Grant TF092158) for improving the effectiveness and efficiency of the COA in its efforts in
the audit of government revenues and expenditures through the development and
adoption of a results-based integrated audit methodology that will focus on the outputs
and outcomes of public expenditures, using a risk-based approach.

As early as 2003, COA has already introduced the Risk-based approach in the conduct of
its audit services. Various risk-based manuals have been developed such as the
Government-wide and Sectoral Performance Audit (GWSPA) Manual, Risk-based Audit
Approach (RBAA) Manual, Risk-based Financial Audit Manual (RBFAM) and the recent
2009 Risk-based Audit Manual (RBAM). A significant addition in this manual is the
inclusion of the Organizational Performance Indicators Framework of the Department of
Budget and Management to support the Government’s Public Finance Management
(PFM) reform agenda. This will be introduced in this manual to complement the
results-based evaluation of the projected and actual outputs and outcomes of programs, activities
and projects of government agencies that will focus on the role of public audit in promoting
increased accountability and transparency in improving capacity in the overall governance
framework of the Philippines.

This Integrated Results and Risk-based Audit Manual aims to integrate the different COA
audit services such as Financial and Compliance Audit; Agency-based Value-for-Money
Audit; Government-wide and Sectoral Performance Audit; and Fraud Audit into a common
audit approach. The IRRBA approach will provide for a consistent set of processes which
will guide the COA Auditors in performing its audit services. The silo approach in the
conduct of the audit will be addressed by introducing linkages of each type of audit and its
results for a more effective delivery of service.


Overview

Government auditing plays a vital role in the public sector governance through its
oversight, insight and foresight responsibilities. Government auditors help the government
achieve accountability and integrity, improve operations, and instill confidence among
citizens and stakeholders.

The Commission on Audit, as mandated to be the country’s Supreme Audit Institution by
Article IX-D of the 1987 Philippine Constitution, plays a significant role in the Public Sector
Governance. This mandate gives COA the responsibility to serve as the check and
balance in the use of public funds; to become part of the development of a sound financial
management; to examine proper execution of administrative activities; and to provide
information to public authorities and the general public through the publication of objective
reports.

This manual will discuss COA’s fulfillment of its role in the country’s public governance
through the delivery of the following audit services:
· Comprehensive Audit
- Financial and Compliance
- Agency-based Value For Money Audit
· Government-wide and Sectoral Performance Audit (GWSPA)
· Fraud Audit

The need for an Integrated-Results and Risk-based Audit

INTEGRATION is defined in this manual as the establishment of a common public sector
audit approach and a consistent set of audit processes that reduces redundant activities,
eliminates duplication in the audit of an agency and drives down resource costs by
identifying opportunities to create efficiencies and streamlining public sector audit
processes to allow the delivery of comprehensive attestation and advisory audit
services.

The Commission has long been implementing the risk-based audit in the conduct of its
audit services. However, to meet the evolving developments in the public governance’s
expenditure management, COA shall incorporate the results-based approach in its audit.


Organizational Performance Indicator Framework (OPIF)

The Organizational Performance Indicator Framework (OPIF) is one of the two reform
components of the Public Expenditure Management (PEM) being implemented by the
government. The reform is being headed by the Department of Budget and Management
(DBM) in coordination with other oversight agencies such as the Commission on Audit
(COA) and the National Economic and Development Authority (NEDA).

OPIF is an expenditure management approach which links public resources towards
results and accounts for performance. This approach guides agencies to focus their efforts
and public resources on core functions and on delivering high impact activities at
reasonable costs and qualities.

The role of COA comes in to assess the agency’s performance through indicators which
are initially set to account for accomplishments based on pre-determined targets and
measures.

Linkage of COA’s audit services

The diagram below shows how COA’s audit services are linked into different audit
services as well as to the country’s Public Expenditure Management reform, the
Organizational Performance Indicator Framework (OPIF).

[Diagram: COA’s audit services, namely Regularity (Financial and Compliance Audit), Agency-based Value For Money Audit (Economy, Efficiency, Effectiveness) and Government-wide and Sectoral Performance Audit (GWSPA), shown at agency and inter-agency level (linkage with other government agencies) against the elements Resource, Inputs, Processes, Outputs, Outcome and Impact and their performance indicators (budget, enacted budget, legislation and other inputs; programs, activities and projects; major final outputs; organizational outcome; sector and societal goals).]

Diagram 1: Overview of COA’s audit services


The diagram depicts the different audit services provided by the Commission:

· Comprehensive Audit

Financial Audit – This type of audit seeks to determine the accuracy of the data
contained in the financial statements and reports of the agency including the
reliable recording and reporting of historical financial information.

Compliance Audit – Compliance audit seeks to ensure that public funds are
obtained and used in accordance with law and propriety as well as to determine
whether or not the accountable agency has properly discharged its responsibilities
in a legal and ethical manner.

Agency-based Value for Money Audit – This audit examines the economy,
efficiency and effectiveness of an agency in using its public resources.

· Government-wide and Sectoral Performance Audit (GWSPA)

This type of audit deals with determining the economy, efficiency and effectiveness
of publicly funded projects, activities and programs among different agencies.

The diagram shows the focus of the different audit services provided by COA by
differentiating the elements of an agency’s process. Each element (Resource, input,
process, output, outcome and impact) is interrelated and plays a significant role in an
agency and the government as a whole.

COA’s results-based approach will be used in assessing an agency’s performance
indicators indicated in its OPIF. The OPIF element in an agency’s logframe can be traced
into its processes which will be taken into account during the conduct of the audit.

Although not mentioned in the diagram, auditors shall be aware of any possible fraud
indications which may arise during the course of the audits conducted. Fraud audit shall
always be embedded in the delivery of COA’s audit services.


TABLE OF CONTENTS

Introduction

Overview of IRRBAM

Glossary

1. Strategic Planning and Risk Identification

1.1 Perform Government Risk Identification


1.1.1 Develop/Update the Government Risk Model
1.1.2 Identify Government Risks
1.1.3 Report the Results of GRI
1.2 Conduct COA Strategic Planning
1.2.1 Conduct Annual Planning Conference
1.2.2 Develop Sector Strategic Action Plan
1.2.3 Develop Cluster/Regional Operation Plan

2. Agency Audit Planning and Risk Assessment

2.1 Prepare Agency Audit Work Step


2.2 Understand the Agency
2.2.1 Understand the Agency Profile
2.2.2 Understand Agency-Level Controls
2.3 Identify Significant Agency Risks
2.3.1 Update Agency Risk Model
2.3.2 Identify Agency Risks
2.3.3 Prioritize Significant Agency Risks
2.4 Understand the Process
2.4.1 Identify Critical Path of the Processes
2.4.2 Identify Process Risks
2.4.3 Identify Existing Controls
2.4.4 Identify Impact
2.5 Conduct Audit Risk Assessment
2.5.1 Financial and Compliance
2.5.2 Performance
2.6 Develop Audit Plan
2.6.1 Determine Audit Scope and Timing
2.6.2 Determine need for specialized skills
2.6.3 Prepare Audit Planning Memorandum

3. Execution
3.1 Design Audit Tests
3.2 Execute Audit Tests
3.3 Evaluate Audit Results

3.4 Communicate Audit Results

4. Conclusion and Reporting


4.1 Summarize Audit Results
4.1.1 Prepare summary of audit results and recommendations
4.1.2 Discuss results of different types of audit conducted
4.2 Prepare Audit Report
4.2.1 Prepare Annual Audit Report
4.3 Perform Overall Audit Review
4.3.1 Perform overall review and approval
4.3.2 Issue report
4.4 Wrap-up and Archive the Engagement
4.5 Follow-up Agency Action Plan

5. Monitor quality control on audit services



TABLE OF CONTENTS

1. Strategic Planning and Risk Identification


Form 01-01 Government Risk Model (GRM)
Form 01-02 Government Risk Identification Template (GRIT)

2. Planning
Form 02-01 Agency Audit Work Plan
Form 02-02 Understanding the Agency (UTA) Template
Form 02-03 Agency-level Control Checklist (ALCC)
Form 02-04 Agency Risk Model (ARM)
Form 02-05 Significant Agency Risk Identification (SAgRI) Matrix
Form 02-06 Process-Risk-Control (PRC) Matrix
Form 02-07 Audit Risk Assessment (ARA) Tool
Form 02-08 Audit Planning Memorandum (APM)

3. Delivery: Execution
Form 03-01 Audit Work Program (AWP)
Form 03-02 Audit Observation Memorandum (AOM)

4. Delivery: Conclusion and Reporting


Form 04-01 Summary of Audit Results and Recommendations (SARR)
Form 04-02 Management Letter (ML)
Form 04-03 Quality Inspection Tool (QIT)
Form 04-04 Agency Action Plan (AAP)
Form 04-05 Action Plan Monitoring Tool (APMT)

STRATEGIC PLANNING AND RISK IDENTIFICATION

[Diagram: Integrated Results and Risk-Based Audit Framework. Strategic Planning and Risk Identification; Planning (Agency Audit Planning and Risk Assessment); Delivery (Execution; Conclusion and Reporting); Monitoring (Quality Control System).]

Introduction

The complexity of today’s public environment necessitates a more systematic,
integrated and holistic approach to plan for the detection and management of the risks
faced by government institutions. Thus, the mandate of the Commission to safeguard the
transparency and accountability of the transactions of the government is getting more
complicated.

This phase covers the first integration point wherein all COA audit services namely:
Financial and Compliance Audit, Agency-based Value-for-Money Audit, Government-wide
and Sectoral Performance Audit and Fraud Audit, will meet through a common strategic
planning and risk identification process. The succeeding topics will describe the strategic
planning and risk identification processes and outputs of the Commission in relation to the
conduct of its audit services. However, for purposes of illustration and functional relation,
some items on COA’s Annual Strategic Planning process will be tackled. Nevertheless,
the steps provided in this manual will not supersede the processes defined in the
Operations Manual of the Planning, Financial and Management Office (PFMO).


The following are the activities involved in this phase:

1.1 Perform Government Risk Identification (GRI)


1.1.1 Develop/Update the Government Risk Model (GRM)
1.1.2 Identify Government Risks
1.1.3 Report the results of Government Risk Identification (GRI)

1.2 Conduct COA Strategic Planning


1.2.1 Conduct Annual Planning Conference
1.2.2 Develop Sector Strategic Plan
1.2.3 Develop Cluster/Regional Operation Plan

Procedures

1.1 Perform Government Risk Identification

Risk is defined as the threat that an event, action or inaction will adversely
affect the agency’s ability to successfully achieve its mandate and objectives
and execute its strategies.

The Government is always faced with internal and external factors which may
influence and make it uncertain whether and when it will achieve its objectives
stated in the Medium-Term Philippine Development Plan (MTPDP) and State of
the Nation Address among others.

The Commission on Audit (COA) as the country’s Supreme Audit Institution shall
independently identify the risks that the government as a whole may face in
achieving its objectives. This is to determine the focus areas which need to be
prioritized given the limited resources. The results will also be an input in the
determination of the appropriate audit strategies needed to be applied by the
Commission for the allocation of resources appropriate for the audit services such
as the people, skills, competence, processes and procedures.

The objectives of this activity are: to obtain high-level inputs from COA directors
assigned in the audit of agencies representing the three audit sectors and regions,
and auditors performing Government-wide and Sectoral Performance Audit
(GWSPA) and Fraud Audit; to have a common language of risk; and to have a
unified thrust in government auditing.

This activity shall be conducted annually, supervised by the Assistant
Commissioners and attended by directors from the following sectors/offices:


o National Government Sector (NGS)


o Corporate Government Sector (CGS)
o Local Government Sector (LGS)
o Regional Offices
o Special Audits Office (SAO)
o Information Technology Office (ITO)
o Technical Services Office (TSO)
o Fraud and Investigation Office (FAIO)

1.1.1 Develop/update the Government Risk Model

Government Risk Model (GRM) is a framework consisting of risks categorized into
groups that could threaten the government agencies as a whole or the specific
processes of government agencies. GRM includes a definition of each risk to have
a common understanding of risks.

The GRM, populated with a list of government risks, is the foundation for
conducting the Government Risk Identification. It shall be developed to facilitate
the identification of risks faced by the government as a whole.

Risks are categorized as follows:


• Strategic risk – arises when forces in the environment could significantly ‘change
the fundamentals’ that drive government’s overall social and/or operating
objectives and strategies and, in the extreme, result in failure of the government’s
operations.

• Operation risk – risks that operations are inefficient and ineffective in executing
the government’s operating model, satisfying the public, and achieving the
government’s quality, cost, and time performance objectives. This arises when
operation processes:
o Are not clearly defined
o Are poorly aligned with agency’s strategies, goals, & objectives
o Are not performed effectively and efficiently in satisfying public or the
public’s needs
o Expose significant financial, physical, and intellectual resources to
unacceptable losses, risk taking, misappropriation or misuse

• Financial risk – risk that cash flows and financial risks are not managed cost-
effectively to (a) maximize cash availability; (b) reduce uncertainty of currency,
interest rate, and other financial risks; or (c) move cash funds quickly and without
loss of value to wherever they are needed most. It also includes risks that
government agencies face when misleading financial information becomes the
basis for decision making by the governing management.


• Compliance risk – noncompliance with prescribed policies and procedures or
laws and regulations resulting in lower quality, higher execution costs, lost
revenues, unnecessary delays, penalties, fines, etc.

Government Risk Model


COA directors representing the three audit sectors, regions, SAO, TSO, ITO, and
FAIO shall identify and define risks inherent to their sector/region to develop a
comprehensive list of government-wide risks and have a common understanding of
risks within COA. Presented below (Diagram 1.1) is a sample of GRM.

• Strategic
o Planning and resource allocation – Organizational structure; Strategic planning;
Operational planning; Budgeting; Forecasting; Resource allocation; Capital/fund
availability; Operational model; Operational portfolio; Outsourcing
o Major initiatives – Vision and direction; Planning and execution; Measurement and
monitoring; Technology implementation; Project evaluation; Change readiness;
Climate change and sustainability initiatives; Education; Healthcare services
delivery; Energy and water management (supply/distribution)

• Operations
o Public service and operations – Customer/public satisfaction; Channel effectiveness;
Cycle time; Service failure; Efficiency; Capacity; Performance measure/gap;
Partnering/contracting; Citizen relationship management system and organization
o People – Culture; Recruiting and retention; Development and performance;
Succession planning; Knowledge capital; Compensation and benefits; Performance
incentives; Health and safety
o Information technology – Information management; Security/access;
Availability/continuity; Integrity; Infrastructure

• Compliance
o Mandate – Functions
o Governance – Board performance/Agency Management Committee; Tone at the top;
Authority/limit; Control environment; Corporate social responsibility; Reputation
o Code of conduct – Corruption and fraud; Ethics; Fraud; Employee/third party fraud;
Illegal acts; Management fraud; Unauthorized use
o Legal – Contract; Liability; Intellectual property; Anticorruption; Legal

• Financial
o Market – Interest rate; Foreign currency; Commodity; Financial instrument; Public
policies; Debt and fiscal policy
o Liquidity and credit – Cash management; Opportunity cost; Funding; Hedging;
Credit and collections; Insurance; Foreign assisted loan
o Accounting and reporting – Accounting, reporting and disclosure; Internal control;
Investment evaluation; Tax strategy and planning

Diagram 1.1 – Sample GRM

GRM shall be revisited at least annually and updated/revised regularly or as
required to reflect changes in government risks brought about by the changing
environment and current events.

GRM shall be used as one of the inputs in identifying government risks. Also, this
shall be used by audit teams in developing their Agency Risk Model (ARM) which
is a list of agency-specific risks. ARM is discussed further in Agency Audit Planning
and Risk Assessment phase.


Documentation

Form 01-01 Government Risk Model (GRM) documents all the identified
government risks and their corresponding definitions.

1.1.2 Identify government risks

Risk identification is the process of finding, recognizing, and describing risks. It
involves the identification of risk sources, events, their causes and their
potential consequences.

The fundamental principle of a risk-based audit is to identify risks and focus the
audit on those areas which may have a significant effect on the achievement of an
entity’s objectives.

As the country’s Supreme Audit Institution, it is imperative for the Commission to
identify risks which may hinder the government as a whole from achieving its
objectives. Identification of government risks shall be conducted by COA to
determine the areas needed to be focused during their audit activities. This is an
input to the development of their audit strategies during the Annual Strategic
Planning.

Identification of government risks is done by COA as an auditor and is independent
of the government and agencies. Any risk assessment as part of the risk
management process which will be carried out by COA as an “agency” is distinct
and separate from this activity. At the same time, the results of COA’s risk
identification cannot be considered as a substitute for the government’s or agency
management’s own risk assessment process.

Identification of government risks shall be conducted annually. This activity can be
done through workshops, surveys or interviews. In any case, this activity shall be
supervised by the Assistant Commissioners and attended by directors from the
following sectors/offices:
o National Government Sector (NGS)
o Corporate Government Sector (CGS)
o Local Government Sector (LGS)
o Regional Offices
o Special Audits Office (SAO)
o Information Technology Office (ITO)
o Technical Services Office (TSO)
o Fraud and Investigation Office (FAIO)


This activity is conducted to have an over-all consideration of risks coming from all
government agencies. As an agency that is mandated to look at the transparency
and accountability as well as to recommend measures to improve the efficiency
and effectiveness of government operations, COA shall have a unified approach
and same risk language in identifying the exposures of the government. This is the
first integration point of different audit services performed by COA.

Identification of government risks should not be done in a silo approach. This
activity will be conducted in order to identify risks or potential issues which may
vary across different government agencies. Inputs of each audit sector are
therefore relevant to capture the real risk scenarios of the government as a whole.

Linkage of government objectives and initiatives, risks and agencies

Diagram 1.2 - Linkage of objectives and initiatives, risks and agencies

Identifying risks in government objectives and initiatives


Understanding the objectives of the government is the first step in this process.
After the objectives have been substantiated, identification of risks which may
hinder the achievement of the set objectives shall be conducted.

In identifying government risks, COA should identify sources of risks, areas of
impacts, events, causes and potential consequences. This is to generate a list of
risks based on those events that might create, enhance, prevent, degrade,
accelerate or delay the achievement of objectives.

The following shall be used as inputs in identifying government risks:


o SONA
o MTPDP
o MTPIP
o GRM
o Previous AARs
o Sector risks
o Media releases and media reporting
o Fraud and geographic risks
o Government-wide and sectoral programs and activities
o Knowledge of the auditors

Risk analysis involves consideration of the causes and sources of risk, their
positive and negative consequences, and the likelihood that those consequences
can occur. Factors that affect consequences and likelihood should be identified.
Risk is analyzed by determining consequences and their likelihood, and other
attributes of the risk. An event can have multiple consequences and can affect
multiple objectives.

Risks are evaluated and prioritized based on the outcomes of risk analysis.


[Diagram: inputs (COA direction/SSAP; knowledge and prior audit reports; fraud and geographic risks; SONA, MTPDP and MTPIP; media releases and reporting; GRM; industry/sector risks) feed the step “Identify Government Risks”, followed by “Link risks to Agency/Programs/Activities” (examples shown: Department of Public Works and Highways; Metropolitan Waterworks and Sewerage System; City Government of Navotas; Hunger mitigation program; Health sector development project).]

Diagram 1.3 – Risk Identification Process Flow

Risks on fraud covered by FAIO and government programs/activities that fall in the
Government-wide and Sectoral Performance Audit (GWSPA) covered by SAO
shall also be considered in this activity. Government Risk Identification, based on
the results, may lead directly to the identification of fraud audits and/or GWSPAs.

In this activity, the participants shall identify potential GWSPAs. SAO shall also
recommend government programs and activities to be subjected to GWSPA.
Potential GWSPAs shall be analyzed and evaluated.

Locate identified government risks to affected agency and its programs/activities

After the risks have been identified for a particular government objective, COA
shall now locate these risks with the concerned agencies and the related
processes, programs or activities.

Form 01-02 Government Risk Identification Template (GRIT) is prepared to plot
the key government risks and the affected agencies including
processes/programs/activities.


Diagram 1.8 below illustrates the linking of risks to processes.

[Diagram: Key Government Risks (Compliance – Legal: Intellectual property; Liability; Contract; Anticorruption; Legal) are linked to government agencies within the cluster (Department of Public Works and Highways; Department of Transportation and Communication) and to government processes/programs/activities (Procurement Process).]

Diagram 1.4 – Linkage of risks to processes

Fraud audit and GWSPA

For key government risks that resulted directly in the identification of fraud audits
and GWSPAs (as risk response or planned action), FAIO and SAO shall perform
the audits following the guidelines set forth in their respective manuals (Fraud
Audit Manual and GWSPA Manual).

Documentation

The results of this activity shall be documented in Form 01-02 Government Risk
Identification Template (GRIT).

1.1.3 Report the results of Government Risk Identification

COA shall ensure that the results of the government risk identification will be
presented to and approved by the Assistant Commissioners and Commission
Proper, and distributed to concerned offices, as follows:
o National Government Sector (NGS)
o Corporate Government Sector (CGS)
o Local Government Sector (LGS)
o Regional Offices
o Special Audits Office (SAO)
o Information Technology Office (ITO)


o Technical Services Office (TSO)


o Fraud and Investigation Office (FAIO)

The report on the results of GRI contains/documents the following:


o GRI Matrix
o minutes of the GRI activity
o participants of the GRI activity

The results of this activity shall be an input to COA’s Strategic Planning process
and Phase 2 - Agency Audit Planning and Risk Assessment Phase (refer to phase
2 of the manual).

1.2 Conduct COA Strategic Planning

This section covers the COA Strategic Planning conducted annually. The elements
and processes described here are captured from the PFMO manual to show the
linkage of Strategic Planning of COA as an “agency” to the IRRBA’s Strategic
Planning and Risk Identification of COA as an “auditor”. The IRRBA Manual does
not supersede any activity presented in the Planning, Financial and Management
Office (PFMO) Operations Manual.

Strategic planning is an essential element in the development of an Integrated
Results and Risk-based Audit approach. A long-term perspective for the audit
services may be provided by this process. Likewise, it supports efforts to allocate
resources properly and drives the implementation of COA’s audit objectives and
priorities.

Strategic Planning process

Strategic planning is an iterative and never-ending process. The Commission shall
continuously set goals, values and objectives aligned to its mandate and monitor
its progress all throughout the year. Each element of the planning process cannot
stand alone and is necessary to be linked with other elements to fully achieve its
objective.

The following are some of the Strategic Planning models used by other
organizations. There is, however, no perfect strategic planning model for a specific
Supreme Audit Institution. It is still the management’s responsibility to select and
ensure a model that is tailor-fitted to the needs and culture of the Commission.

· Basic Strategic Planning


Basic strategic planning starts with the identification of the organization’s
purpose or mission statement. Goals will then be established to define what an
organization needs to accomplish to meet its purpose, or mission, and address
major issues facing the organization. After the mission statement and goals
have been identified, specific approaches or strategies will be set. Strategies
are often what change the most as the organization eventually conducts more
robust strategic planning. Specific action plans will then be based on the
strategies identified. These are the specific activities set out by each major sector
or department. Then, regular monitoring and update of the plans are performed
as the year progresses.

· Goal-based/Issue-based Planning
The processes are almost the same as the Basic Strategic Planning model
except that the organization conducts an assessment of its Strengths,
Weaknesses, Opportunities and Threats (SWOT).

· Scenario Planning
This model, as the title implies, relates factors which might influence the
organization such as new standards, laws, rules and regulations; economic
downturns, natural disasters. Each possible change in circumstance or
scenarios will be provided with strategies.

· Alignment Planning
The alignment model ensures strong alignment among the organization’s
mission and resources to effectively deliver the services. This model focuses on
the adjustments to be made to fine-tune the strategies needed to align with the
organization’s mission, programs, resources and needed support.

· Self-Organizing/Traditional Planning
These are often linear in nature, e.g. general-to-specific, cause-and-effect.
Typically, the organization starts the planning process with the SWOT Analysis,
then prioritizing issues which will be provided with specific strategies.

Seeking consultation and interaction among the participants during the planning
process is significant. Concurrence shall be obtained not just on the outcomes of
development but also on the strategies and tradeoffs needed in establishing the
level of COA audit services to be provided.

Reasons for Planning


The following are some of the reasons for the strategic planning process:
· It is a requirement of the auditing standards
· It is a guide for the achievement of the audit objectives
· It is a tool used to monitor an organization’s progress
· It measures accomplishment
· It provides control over activities
· It assigns responsibility and accountability

Benefits of Strategic Planning


Strategic planning provides benefits to organizations, such as:
· Clearly defines the purpose of the organization and establishes realistic goals
and objectives consistent with that mission in a defined time frame within the
organization’s capacity for implementation.
· Serves as a communication tool to disseminate the organization’s goals and
objectives
· Assigns ownership of action plans and strategies
· Utilizes resources by focusing on the key priorities.
· Provides a measuring tool for the performance and progress of each segment

Elements of a strategic plan


Development of a strategic plan requires consideration of values and priorities. The
plan should reflect the needs of the Commission as a whole in response to its
mandated functions.

· Key message from the Commission Proper
· Mission
· Vision
· Goals
· Strategic thrusts
· Key national programmes and the entities responsible
· Monitoring process
· Review and communication

In any case, plans must be adaptable and flexible in response to a changing
environment. An assessment of capacity and resources shall also be done
regularly to determine any need for adjustment of the plans set.

Timing
Ideally, the strategic planning process should be conducted at least once a year in
order to be ready for the coming year. This includes identification of the
organizational goals to be achieved at least over the coming fiscal year, the resources
needed to achieve those goals, and the funding needed to obtain the resources.

Linkage of COA’s Annual Strategic Planning process with IRRBA

The diagram below shows the linkage of the Commission’s Annual Strategic
Planning Process with the Strategic Planning and Risk Identification phase of the
IRRBA approach.

The previous activity, “Government Risk Identification”, will be an input in the
Annual Strategic Planning of COA to determine the focus areas of the audit
sectors. The GRIT, as accomplished by the COA Directors and approved by the
Assistant Commissioners, will be cascaded as an attachment to the Sector
Strategic Action Plan (SSAP) and Cluster/Regional Operation Plan (COP/ROP) of
the audit sectors.

The results of the COA’s Annual Strategic Planning process specific to the conduct
of the audit services will be an input in the Phase 2 of the IRRBA methodology –
Agency Audit Planning and Risk Assessment. It is

Diagram 1.5 – Linkage of COA’s Annual Strategic Planning process with IRR

1.2.1. Conduct Annual Planning Conference

The Annual Planning Conference is the commencement point where COA’s
Medium-Term Development Plan (MTDP)/Programs and Timetables for the
succeeding five years are developed. The Annual Planning Conference is normally
conducted within the first quarter of each year.

The strategic planning process shall start from the assessment of the
Commission’s audit services. This may involve the review of the prior year’s results
of performance and of new and revised laws, rules and regulations affecting COA’s
mandate, among others. The assessment will define the areas that need to
be given attention. After the areas for improvement have been identified, the
Commission shall establish the position where COA’s audit service shall be
located. At this point, objectives shall be established and set. The objectives will
then be the basis for the development of the strategic plans.

Aside from COA’s MTDP, the annual policy directions and strategic plans of the
Commission are also developed and communicated during the Annual Planning
Conference.

The Annual Planning Conference is attended by the COA Officials, Auditors Division
Chiefs and other personnel.

Activities (as documented in the Planning, Financial and Management Office
(PFMO) Operations Manual as of October 2000)

· Pre-planning
This activity includes the preparation of the following:
- draft memorandum on the submission of nominees who will be attending the
conference
- site/venue and accommodation
- supplies and equipment
- program
- food
· Pre-Conference
- Meeting with staff/PFMO staff concerned/Dry-run
· Conference Proper
· Post-Planning
Prepare executive summary/highlights of the planning conference based on
the summary of proceedings in coordination with the Management Audit
Division
(The executive summary is published in the COA News and COA Bulletin in
coordination with PIMRO)

COA’s Medium-Term Development Plan/Programs and Timetables for the
succeeding five years are initiated through any of the following:

a. Through the Annual Planning Conference participated by COA Officials,
Auditors Division Chiefs and other personnel.
b. Through the initiative of the PFMO from the results of the Annual Planning
Conference in consultation with COA Officials, COA Heads of Offices through
the exposure draft of the MTDP.

Below are the procedures during the Annual Planning Conference as lifted from
the Planning, Financial and Management Office Operations Manual (October
2000).

a. Through the Annual Planning Conference participated by COA Officials,
Auditors Division Chiefs and other personnel.

- Presentation of the Draft COA Medium-Term Development Plan/Programs and
Timetables
- Grouping of participants and presentation of the proposals on the strategy,
programs and timetables using blank COA MTDP forms (See documentation).
Groupings are preferably as follows:
✓ Regional Offices
· Luzon
· Visayas
· Mindanao
✓ Support Offices
✓ Operating Offices
✓ Executive Offices
- Consolidation and finalization of the results or outputs of the proceedings by the
PFMO for the approval of the Commission Proper.
- Dissemination of the approved COA MTDP to all COA Offices

b. Through the initiative of the PFMO from the results of the Annual Planning
Conference in consultation with COA Officials, COA Heads of Offices through
the exposure draft of the MTDP.

- Preparation of the draft COA Medium Term Development Plan in consultation
with PD staff and Division Chiefs of PFMO for the succeeding five years within
the first quarter of each year based on the following:
✓ Prior Years’ Programs
· Programs which are not applicable are no longer included in the Plan
· Programs which are continuing are included in the Plan
✓ Priority Programs agreed upon during the COA Annual Planning
Conference
✓ Commitments of COA Offices and other initiatives
✓ New programs, developments or initiatives in COA and by Offices
- Preparation and dissemination of the draft memorandum transmitting the COA
MTDP; and preparation of the draft COA resolution to be signed by the
Commission Proper adopting the said COA MTDP and priority areas agreed
upon during the COA Annual Planning Conference
- Corrections to the draft COA MTDP by the COA Directors, Assistant Directors and
Division Chiefs
- Approval by the Commission Proper of the COA resolution adopting the COA
MTDP and priority areas agreed upon during the COA Annual Planning
Conference
- Dissemination of the approved COA Resolution adopting the COA MTDP to all
COA Offices

1.2.2. Develop Sector Strategic Plan

After the COA MTDP has been approved by the Commission Proper and
promulgated to all COA Offices, all Sectors through the Assistant Commissioners
shall develop a Sector Strategic Plan.

The outcomes and targets in the COA MTDP will be a key input into the Sector
Strategic Plan. The Sector Strategic Plan reflects the targets and activities of the
Sector for the year.

The Government Risk Identification Template (GRIT) accomplished in the
Government Risk Identification shall be an input in developing the audit focus
areas of the Sector. The Sector is, however, not limited to the results of COA’s
direction and results of the GRI.

1.2.3. Develop Cluster/Regional Operation Plan

Each cluster and regional office shall develop a Cluster/Regional Operation Plan
through the Cluster/Regional Director.

Results of COA’s Annual Strategic Planning, Sector Strategic Plan and
Government Risk Identification shall be used as an input in the development of the
Cluster/Regional Operations Plan.

Policy and Standard

Policy/Standard | Description
ISSAI 100 | Basic principles in Government Auditing
ISSAI 200 | General standards in government auditing and standards with ethical significance
ISSAI 300 | Field standards in government auditing
ISSAI 1300 | Financial audit guideline – Planning an audit of financial statements
INTOSAI GOV 9130 | Guidelines for internal control standards for the public sector – Further information on entity risk management
ISO/FDIS 31000:2009 | Risk management – Principles and guidelines
COA Memorandum No. 79-205, July 6, 1979 | Reiteration of unnumbered COA Memorandum dated May 8, 1978 re: Alignment/Coordination of all Projects/Programs of COA offices/Committees by the Planning, Financial & Management Office
COA Memorandum No. 95-051 | Preparation of a Consolidated Annual Report (CAAR) by Region and by Department
COA Resolution No. 2008-012 | 2008 COA Organization Restructuring
COA Memorandum No. 2009-028 | Implementing guidelines on audit operations under the 2008 COA organizational restructuring

Documentation

Procedure | Sub-procedure | Output/Tools
1.1 Perform Government Risk Identification | Develop/Update the Government Risk Model | Form 01-01 Government Risk Model (GRM)
 | Identify Government Risks | Form 01-02 Government Risk Identification Template (GRIT)
 | Report the Results of Government Risk Identification | Report on the results of GRI
1.2 Conduct COA Strategic Planning | Conduct Annual Planning Conference |
 | Develop Sector Strategic Action Plan (SSAP) |
 | Develop Cluster/Regional Operation Plan |

Form 01-01: Government Risk Model

GOVERNMENT RISK MODEL

About this Tool

This model guides auditors in identifying Government Risks to determine which
areas are to be focused on in the conduct of the audit. The Government Risk Model (GRM) is a
comprehensive list of the risks, including their definitions, that could threaten the Government in
achieving its objectives.

This model shall be regularly reviewed, updated and customized to consider changes in the
public sector environment as well as new standards, laws, rules and regulations.

Strategic

· Planning and resource allocation
- Organizational structure
- Strategic planning
- Operational planning
- Budgeting
- Forecasting
- Resource allocation
- Capital/fund availability
- Operational model
- Operational portfolio
- Outsourcing
· Major initiatives
- Vision and direction
- Planning and execution
- Measurement and monitoring
- Technology implementation
- Project evaluation
- Change readiness
- Climate change and sustainability initiatives
- Education
- Healthcare services delivery
- Energy and water management (supply/distribution)
· Environment dynamics
- Economic changes
- Financial market
- Sovereign/political
- Customer/public wants
- Technological innovation
- Environment scan
- Agency environment/industry
- Sensitivity
· Market dynamics
- Macroeconomic factors
- Lifestyle trends
- Sociopolitical
- Technology changes
· Communication and public relations
- Media relations
- Public relations
- Crisis communications
- Employee communication

Operations

· Public service and operations
- Customer/public satisfaction
- Channel effectiveness
- Cycle time
- Service failure
- Efficiency
- Capacity
- Performance measure/gap
- Partnering/contracting
- Citizen relationship management system and organization
- Corruption and fraud
· People
- Culture
- Recruiting and retention
- Development and performance
- Succession planning
- Knowledge capital
- Compensation and benefits
- Performance incentives
- Health and safety
· Information technology
- Information management
- Security/access
- Availability/continuity
- Integrity
- Infrastructure
· Hazards
- Natural events
- Terror and malicious acts
· Physical assets
- Real estate
- Property, plant and facilities
- Maintenance and performance
- Inventory

Compliance

· Mandate
- Functions
· Governance
- Board performance/Agency Management Committee
- Tone at the top
- Authority/limit
- Control environment
- Corporate social responsibility
- Reputation
· Code of conduct
- Ethics
- Fraud
- Employee/third party fraud
- Illegal acts
- Management fraud
- Unauthorized use
· Legal
- Contract
- Liability
- Intellectual property
- Anticorruption
- Legal
· Regulatory
- Trade
- Customs
- Procurement
- Road-right of way (RROW) Acquisition
- Labor
- Securities
- Environment
- Data protection and privacy
- International
- Product/service quality
- Health and safety
- Competitive practice/antitrust

Financial

· Market
- Interest rate
- Foreign currency
- Commodity
- Financial instrument
- Public policies
- Debt and fiscal policy
· Liquidity and credit
- Cash management
- Opportunity cost
- Funding
- Hedging
- Credit and collections
- Insurance
- Foreign assisted loan
· Accounting and reporting
- Accounting, reporting and disclosure
- Internal control
- Investment evaluation
- Tax strategy and planning
· Capital structure
- Debt
- Equity
- Pension funds

Risk Definition

RISK TITLE | RISK DESCRIPTION

STRATEGIC

Planning and Resource Allocation
Organizational structure | The overall structure of the government instrumentalities does not support the achievement of strategic objectives in an efficient manner.
Strategic planning | Inability to discover, evaluate and select among alternatives to provide direction and allocate resources for effective execution to achieve the strategic objectives of the government.
Operational planning | Misalignment of operating plans and execution to strategic planning. Lack of information needed to make the right decisions.
Budgeting | Inability to effectively budget for new and existing initiatives that support the overall strategic goals and objectives for growth, expansion, acquisition for public welfare. Inability to effectively budget for programs and projects that would meet the government’s Medium Term Philippine Development Plan (MTPDP).
Forecasting | Inability to forecast financial information to enable the allocation of resources to new and existing initiatives.
Resource allocation | Unavailability and inappropriateness of the resource allocation process prohibit the government’s ability to provide value for the public.
Capital/fund availability | Insufficient access to funds threatens the government’s capacity to grow, execute its strategies and achieve its objectives.
Operational model | The government has an obsolete operation model and doesn’t recognize it and/or lacks the information needed to make an up-to-date assessment of its current model and build a compelling operational case for modifying that model on a timely basis.
Operational portfolio | Lack of relevant and reliable information that enables agency management to effectively prioritize its services or balance its operations in a strategic context may preclude a diversified agency from maximizing its overall performance.
Outsourcing | Outsourcing activities to third parties may result in the third parties not acting within the intended limits of their authority or not performing in a manner consistent with the government’s strategies and objectives.

Major initiatives
Vision and direction | Failure to establish a vision and direction for major initiatives, including services, products and programs that will drive future growth. Failure to establish project acceptance criteria and adequately measure against the criteria.
Planning and execution | Failure to plan and execute major initiatives in a coordinated manner.
Measurement and monitoring | Failure to identify appropriate metrics and assess performance, quality and adherence to the standards as set forth by the government.
Technology implementation | Failure of a major technology implementation to meet the strategic objectives of the organization.
Project evaluation | Failure to evaluate project proposals may result in problems when the project has been approved.
Change readiness | The people within the government are unable to implement process and service improvements quickly enough to keep pace with changes in the public environment.
Climate change and sustainability initiatives | Failure to foresee changes in the environment and establish initiatives to keep pace with biological changes may result in stoppage of operations and degradation
Education | Failure to provide
Healthcare services delivery | Failure to e
Energy and water management (supply/distribution) |

Environment Dynamics
Economic changes | Economic changes such as lower economic growth reduce tax revenue and opportunities to provide a wide range of services or limit the availability or quality of existing services.
Financial market | Movements in prices, rates, indices, etc. threaten the value of the agency’s financial assets.
Sovereign/political | Adverse political actions in a country in which the agency has invested significantly, is dependent on a significant volume of operation or has entered into a significant agreement with a counterparty subject to the laws of that country threaten the agency’s resources and future cash flows.
Customer/public wants | Pervasive public needs and wants change and the agency isn’t aware, e.g. increased demand for faster turnaround on services.
Technological innovation | The agency is not leveraging advancements in technology in its operations to achieve or sustain advantage or is exposed to the actions of other agencies or substitutes that do not leverage technology or to attain superior quality, cost and/or time performance in their services processes.
Environment scan | Failure to monitor the external environment or formulation of unrealistic or erroneous assumptions about environment risks may cause the agency to retain operation strategies long after they have become obsolete.
Agency environment/Industry | Changes in opportunities and threats, and other conditions affecting the agency’s environment.
Sensitivity | Overcommitment of resources and expected future cash flows threatens the agency’s capacity to withstand changes in environment (e.g., interest rates, public demand, changes in regulations, etc.) forces.

Market Dynamics

Macroeconomic factors | Factors relating to macroeconomic conditions that affect the ability to maintain or increase revenue and profitability in a specific agency environment.
Lifestyle trends | Failure to anticipate and respond to changes in overall trends related to lifestyle demands of consumers.
Sociopolitical | Exposure to social and political factors within a market environment that affect the ability to market, sell and service products and services.
Technology changes | Dramatic changes in current technologies which may impact the market viability or demand of current products and services offered by the agency.

Communication and public relations
Media relations | Inability to anticipate and manage shifts in the information stakeholders want, and the way in which they want it communicated to them; and ineffective ongoing, transparent communications with the public in order to create goodwill.
Public relations | A decline in customer/public confidence threatens the agency’s capacity to efficiently raise or collect funds.
Crisis communications | Failure to communicate the right message in an effective manner to recover and maintain agency operations in the event of a crisis or disruption due to physical or natural circumstances.
Employee communications | Inability to understand, and respond to, the communication needs of different employees.

OPERATIONS

Public Service and Operations
Customer/public satisfaction | A lack of focus on the customer/public threatens the agency’s capacity to meet or exceed the customer’s/public’s expectations.
Channel effectiveness | Poorly performing or positioned access channels threaten the agency’s capacity to effectively and efficiently service the customer/public.
Cycle time | Unnecessary activities threaten the agency’s capacity to deliver services in a timely manner.
Service failure | Faulty or nonperforming services expose the agency to customer/public complaints, litigation, and loss of revenues, and agency reputation.
Efficiency | Inefficient operations threaten the agency’s capacity to deliver services at the lowest cost and shortest time possible.
Capacity | Insufficient capacity threatens the agency’s ability to meet customer/public demands, or excess capacity threatens the agency’s ability to generate competitive profit margins.
Performance measure/gap | Inability to perform at world-class levels in terms of quality, costs and/or cycle time due to inferior operating practices threatens the demand for the agency’s services.
Partnering/contracting | Inefficient or ineffective external relationships affect the agency’s capacity to serve; these uncertainties arise due to choosing the wrong partner, poor execution, taking more than is given (resulting in loss of a partner) and failing to capitalize on partnering opportunities.

Citizen relationship management |
Corruption and Fraud |

People
Culture | Failure to establish a culture that is consistent with management philosophy and that encourages integrity, values, and ethical competence.
Recruiting and retention | Failure to attract, hire, and retain the qualified resources to optimize execution of the organization's objectives.
Development and performance | Inability to develop and enhance employee skills and provide performance management that ensures optimal achievement of organizational strategies, goals and objectives.
Succession planning | Failure to create and implement an effective succession plan for senior executive and other key positions and employees throughout the organization. Failure to align succession planning with strategic planning and leadership development objectives.
Knowledge capital | Processes for capturing and institutionalizing learning across the agency are either non-existent or ineffective, resulting in slow response time, high costs, repeated mistakes, slow development, constraints on growth and unmotivated employees.
Compensation and benefits | Failure to provide a total compensation package (base salary, annual/long-term incentive, benefits/perquisites) that is market competitive, aligned to agency and compensation strategies, and that retains and motivates employees to achieve desired results.
Performance Incentives | Unrealistic, misunderstood, subjective or non-actionable performance measures may cause senior management, division heads and employees to act in a manner inconsistent with the agency’s objectives, strategies, and ethical standards, and with prudent agency practice.
Health and safety | Failure to provide a safe working environment for its workers exposes the agency to compensation liabilities, loss of operational reputation and other costs.

Information and technology
Information management |
Security/access | Failure of information systems to adequately protect the critical data and infrastructure from theft, corruption, unauthorized usage, viruses, or sabotage.
Availability/continuity | The inability to recover from, and continue uninterrupted operations in the event of extraordinary events, systems and implementation failures.
Integrity | Information systems that do not provide reliable information when it is needed or perform so slowly that operations are not efficient.
Infrastructure | The computer and telecommunications systems with supporting software do not capture, retain and transfer data in a secure and reliable environment and do not meet the expected requirements of the agency at a reasonable cost.

Hazards
Natural events | Threat to disrupt operation and ability of the agency to sustain operations, provide essential services or recover operating costs or accomplish planned target due to natural events (e.g., fire, earthquake, tornado).
Terror and malicious acts | Threat to disrupt operation and ability of the agency to sustain operations, provide essential services or recover operating costs or accomplish planned target due to terrorist activities or other malicious acts.

Physical assets
Real estate | Failure to provide physical protection and stewardship over real estate designed to optimize longevity and utilization.
Property, plant and facilities | Failure to provide physical protection and stewardship over long-lived assets (such as buildings, furniture, fixtures, machinery, equipment and other assets) designed to optimize longevity and utilization.
Maintenance and performance |
Inventory | Failure to provide physical protection and stewardship over inventories designed to optimize utilization while minimizing obsolescence, contamination, etc.

COMPLIANCE

Mandate
Function | Failure to align process objectives and performance measures with the mandate of the agency, its objectives and strategies may result in conflicting, uncoordinated activities throughout the agency.

Governance
Board performance/Agency management committee | Failure of Board of Directors to discharge their obligations and duties owed to the agency and its stakeholders in good faith; and to possess adequate knowledge to interpret and act on the information provided.
Tone at the top | Senior management fails to establish an environment that encourages integrity, ethical values, and competence of the agency's people through management's philosophy and operating style, assignment of authority and responsibility, and the organization and development of its people.
Authority/limit | Ineffective lines of authority may cause senior management, division heads or employees to do things they should not do or fail to do things they should.
Control environment | Failure to establish and maintain an internal control environment which aligns with stakeholder and regulatory expectations.
Corporate social responsibility | The mismanagement of "socially responsible" activities (e.g., conducting social responsibility training for management of manufacturers, undertaking environmental programs, participating in community initiatives) resulting in an unfavorable agency perception with stakeholders, customers, suppliers, agency partners, employees and the regulatory community.

Reputation | Damage to the Agency’s reputation exposes it to loss of customer/public trust, profits and the ability to grow.

Code of conduct
Ethics | The absence of formal standards of employee behavior that are intended to direct and influence the way business is conducted, above and beyond the letter of the law.
Fraud | Potential unethical acts committed by agency employees or other stakeholders may negatively impact the agency's reputation.
Employee/Third Party Fraud | Fraudulent activities perpetrated by employees, suppliers, agents, or third-party administrators against the agency for personal gain (e.g., misappropriation of physical, financial or information assets) expose the agency to financial loss.
Illegal Acts | Illegal acts committed by senior management, division heads or employees expose the agency to fines, sanctions, and loss of public trust, profits and reputation, etc.
Management Fraud | Management Fraud (e.g., intentional misstatement of financial statements or critical reports) may adversely affect stakeholders’ decisions.
Unauthorized Use | Unauthorized use of the agency’s physical, financial or information assets by employees or others exposes the agency to unnecessary waste of resources and financial loss.

Legal
Contract | Entering into contracts that are unfavorable to the agency; and the failure to comply with and monitor contract terms to protect the agency from financial losses.
Liability | A responsibility, duty or obligation that may result in lawful consideration to provide satisfaction, compensation or other form of restitution.
Intellectual property | Failure to create, capture, enhance, leverage and protect the collective knowledge, expertise and ideas of agency employees valued as non-physical assets.
Anticorruption | Failure to create an agency environment which is opposed to corruption, and instill agency practices which prevent corruption.
Legal | Changing laws threaten the agency’s capacity to consummate important transactions, enforce contractual agreements or implement specific strategies and activities.

Regulatory
Trade | Failure to identify and prevent legal risks posed by noncompliance with governmental and International regulatory requirements for Trade Practices e.g., anti-dumping and trade policy.
Customs | Failure to identify and prevent legal risks posed by noncompliance with governmental and International regulatory requirements for Customs.
Procurement | Failure to identify and prevent legal risks posed by noncompliance with the government procurement reform act.
Road-right of way (RROW) acquisition | Failure to implement infrastructure projects due to RROW problems and risks posed by non-compliance with Comprehensive and Continuing Urban development and Housing Program (RA 7279)
Labor | Failure to identify and prevent legal risks posed by noncompliance with governmental and International regulatory requirements for Labor rules and regulations, including taxes, wages, antidiscrimination, Family and Medical Leave, workplace violence etc.
Securities | Failure to identify and prevent legal risks posed by noncompliance with governmental and International Securities regulatory requirements.
Environment | Failure to identify and prevent legal risks posed by noncompliance with governmental and International Environmental regulations e.g., noncompliance with ISO 4001 standards.
Data protection and privacy | Failure to identify and prevent legal risks posed by, and prevent non-compliance with, privacy rules, regulations and standards, resulting in improper disclosure of confidential customer information.
International | Exposure to geo-political, regulatory and fraud risks via international business dealings.
Product/service quality | Failure to identify and prevent legal risks posed by noncompliance with governmental and International regulatory requirements for product/service quality and safety.
Health and safety | Failure to identify and prevent legal risks posed by noncompliance with governmental and International rules and regulations for health and safety.
Competitive practice/antitrust | Failure to identify and prevent legal risks posed by, and prevent non-compliance with, government and international rules and regulations for competitive practices/anti-trade. Lack of awareness of statutory and regulatory application of export & customs policies and requirements.
FINANCIAL

Market

| RISK TITLE | RISK DESCRIPTION |
|---|---|
| Interest rate | Unfavorable price paid per unit of funds borrowed or the rate of return received on invested assets, or interest rate fluctuations beyond projected range. |
| Foreign currency | Unfavorable fluctuations in the currency of another market that is needed to carry out international transactions. |
| Commodity | Unfavorable fluctuations in the price of raw materials or other commodities used in product development/service delivery that are not anticipated and managed. |
| Financial instrument | Financial market risk can vary depending on the particular segment of the market to which the holder of a financial instrument is exposed, or the way in which the exposure is structured. |
| Public policies | |
| Debt and fiscal policy | |

Liquidity and credit

| RISK TITLE | RISK DESCRIPTION |
|---|---|
| Cash management | Failure to efficiently and effectively administer and manage cash flows to maintain adequate liquidity to meet obligations. |
| Opportunity cost | The use of funds in a manner that leads to the loss of economic value, including time value losses, transaction costs and other causes of loss of value. |
| Funding | Failure to meet the requirements of a portfolio of capital investments and obligations based on specified commitments or in accordance with terms of an agreement (i.e. retirement and capital accounts). Failure to receive appropriate funds to finance programs and projects. |
| Hedging | Failure to purchase or undertake sale transactions that effectively minimize profits or losses arising from price fluctuations. |
| Credit and collections | Inability to obtain the optimal level of payment received as a result of a prior agency transaction. |
| Insurance | Insurance coverage fails to protect the agency from significant financial losses due to incidents and claims. |
| Foreign assisted loan | |

Accounting and reporting

| RISK TITLE | RISK DESCRIPTION |
|---|---|
| Accounting, reporting and disclosure | Incomplete, inaccurate and/or untimely reporting of required financial and operating information to other regulatory agencies may expose the agency to fines, penalties and sanctions. Over-emphasis on financial accounting and other information to manage the operations may result in the manipulation of outcomes to achieve targets at the expense of not meeting public expectation, quality and efficiency objectives. |
| Internal control | Significant or material weaknesses resulting from inadequate financial internal controls impacting management's assessment and reporting under country regulations. |
| Investment evaluation | Lack of relevant and/or reliable information supporting investment decisions and linking the financial risks accepted to the capital at risk, may result in poor short- or long-term investments. |
| Tax strategy and planning | Failure to properly evaluate and execute tax planning strategies. Misalignment of tax objectives and strategies with overall agency objectives, strategies and initiatives. |

Capital structure

| RISK TITLE | RISK DESCRIPTION |
|---|---|
| Debt | Potential over reliance on borrowing from creditors to provide adequate working capital for agency objectives and/or to cover current operating obligations resulting in an unfavorable debt to equity ratios. |
| Equity | Inability to offer marketable securities appropriately priced for the enterprise's value. |
| Pension funds | Inability to identify, establish and maintain the optimal structure for pension funds. |

Prepared by : Date :

Reviewed by : Date :

Approved by : Date :

Form 01-02 Government Risk Identification Template

GOVERNMENT RISK IDENTIFICATION TEMPLATE

For the year 20XX

Columns: Key Agency Risk; Risk Category; Risk Title; Risk Definition; Government Objective; Basis of Selection; Audit Response (Planned Action); Name of Agency; Government Program/Activity

Key Risk 1

Key Risk 2

Key Risk 3

Key Risk 4

Key Risk 5

Key Risk 6

Key Risk 7

Key Risk 8

Key Risk 9

Key Risk 10

Key Risk 11

Key Risk 12

Prepared by : Date :

Reviewed by : Date :

Approved by : Date :

AGENCY AUDIT PLANNING AND RISK ASSESSMENT

[Diagram: Integrated Results and Risk-Based Audit Framework. Labels shown: Strategic Planning and Risk Identification; Planning; Delivery; Agency Audit Planning and Risk Assessment; Execution; Conclusion and Reporting; Monitoring (Quality Control System)]

Introduction

The scope of state audit under our Constitution and the implementing laws and
regulations includes financial, compliance and performance audits. These three main
classifications of state audit, when conducted together, are known as comprehensive
audit. Conduct of comprehensive audit starts with planning of the engagement at the
agency level.

Activity 2, Agency Planning and Risk Assessment, is designed to promote the consistent
implementation of the IRRBAM methodology and standard documentation in
comprehensive auditing. Activity 2 employs a disciplined, team-based approach to audit
planning, emphasizing the early development of risk assessments and the audit strategy.

Agency Planning and Risk Assessment occurs early in the audit cycle to provide time to
appropriately plan and customize the audit strategy, thereby allowing COA auditors to
effectively execute the audit and at the same time, perform other duties and
responsibilities. This activity should be done in the first 3 months of the audit cycle.

The following are the activities involved in this phase:

2.1. Prepare Agency Audit Work Plan

2.2. Understand the Agency
2.2.1. Understand Agency Profile
2.2.2. Understand Agency-level Controls

2.3. Identify Significant Agency Risks
2.3.1 Update Agency Risk Model
2.3.2 Identify Agency Risks
2.3.3 Prioritize Significant Agency Risks

2.4. Understand the Process
2.4.1. Identify Critical Path of the Processes
2.4.2. Identify Process Risks
2.4.3. Identify Existing Controls
2.4.4. Identify Impact

2.5. Conduct Audit Risk Assessment
2.5.1. Financial and Compliance
2.5.2. Performance

2.6. Develop Audit Plan
2.6.1 Determine Audit Scope and Timing
2.6.2 Determine need for specialized skills
2.6.3 Prepare Audit Planning Memorandum

Procedures

2.1. Prepare Agency Audit Work Plan

The Agency Audit Work Plan is a phase by phase detail of the IRRBAM showing
the estimated time to complete each phase and the audit team member assigned
to complete the job. This should be accomplished by the ATL and approved by the
SA/CD. A copy should be submitted to the CD.

The audit team should prepare an Audit Plan for each agency being audited
showing the estimated time to be incurred for the current year audit.

Documentation
We document our work plan using Form 02-01 Agency Audit Work Plan
Template.

2.2. Understand the Agency

An important aspect of the Comprehensive audit process is the identification of
risks applicable to the agency. Agency risks have various sources such as new
legislation/law, environmental factors, control environment, nature of agency’s
operations, market forces, etc. In identifying the agency’s risks, it is important to
gain sufficient understanding of the agency including its purpose, operations and
environment.

2.2.1. Understand Agency Profile

The key to effective planning of an audit is gaining a thorough understanding of
the agency. By understanding how the agency operates and how key
environmental factors affect its goals, objectives, and strategies, we can better
identify and consider its agency risks during our audit.

The knowledge we gain about the agency’s operations provides the basis for
making more comprehensive risk evaluations. That is, by gaining an understanding
of the agency’s principal risks and their relationship to the inherent and control risk
components of audit risk, we can:
· Develop more effective and efficient audit strategies.
· Increase the value we deliver by providing timely communications on internal
control observations and emerging issues of importance to the agency.
· Better manage COA’s risk by using the more comprehensive view of the
agency’s risks in making engagement decisions.

In understanding the agency, we obtain an understanding of the agency itself and
the environment in which it operates. This assists us in the identification of risk
factors. We determine whether these risk factors are inherent risks (i.e., risk factors
that may give rise to risks of material misstatement) and consider the effect in our
risk assessment and in designing substantive procedures. In addition, we
determine whether inherent risks that we identified in our understanding of the
agency and its environment are significant to the agency.

We exercise professional judgment in determining the extent of understanding that
is required. Our primary consideration is whether we have obtained a sufficient
understanding of the agency and its environment to identify and assess the risks of
material misstatement, whether due to fraud or error, and thereby providing a basis
for designing and implementing audit procedures to respond to the assessed risks
of material misstatement.

Components
Accordingly, the audit team should have an understanding of each of the following
and their interrelationships:

· Agency Mandate

The mandates of an agency are the responsibilities given by the Philippine
Government or any other law or legislation establishing such agency.

· Programs, Activities and Projects (PAPs)

We obtain an understanding of the structure of the Agency to determine
whether the Agency’s program and activities are aligned with its mandate.
Transactions outside the Agency’s mandate that are significant give rise to
Mandate risk.

· Agency’s goals, objectives and strategies

The Agency defines objectives and determines strategies to respond to
influences from environmental factors, legal and regulatory framework and other
external factors. Objectives are the overall plans of the Agency. Strategies are
the approaches by which the Agency’s management intends to achieve its
objectives. Due to changes in circumstances, the Agency’s objectives and
strategies may change over time.

· Performance Indicators

The key results identified and monitored by management, generally few in
number, that must be achieved to conclude that a strategy has been
implemented successfully.

Key Performance indicators also refer to the targeted Major Final Outputs
(MFO) as agreed in the agency’s Organizational Performance Indicator
Framework (OPIF).

We share with management our understanding of the agency and its environment
to confirm our understanding of the agency, to determine management’s
awareness of the effects of the business environment on the operations and to
obtain an understanding of management’s attitude and strategies towards
managing its risks.

Audit Techniques
A wide variety of procedures and techniques are used to gather the necessary
information for understanding the agency. These may include:

· Review of information

Review of relevant information of the agency and its environment assists us in
obtaining an understanding of the agency and its environment and in identifying
risk factors.

· Inquiry of agency management and others within the agency

Inquiries of management and those responsible for financial reporting enhance
our understanding of the agency’s operations that we obtain by analyzing the
agency’s financial information. We may also inquire of others within the agency
with different levels of authority to obtain additional information or a different
perspective as we identify risk factors.

· Analytical procedures on financial and non-financial information

Analytical procedures performed as risk assessment procedures may include
both financial and non-financial information. This will include our analysis of the
agency’s actual performance against the targeted Major Final Outputs in its
OPIF.

Our analytical procedures assist us in identifying risk factors that may
require added attention in the performance of the audit.

Our analytical procedures performed as risk assessment procedures provide a
basis for designing and implementing audit procedures that respond to the
assessed risks of material misstatement. However, overall analytical
procedures may use data aggregated at a high level and therefore the results
only provide an initial indication about whether a risk of material misstatement
exists.

Documentation
We document our understanding of the Agency using the Form 02-02
Understanding the Agency template.

2.2.2. Understand Agency-level Controls

Understanding of agency-level controls is an important step in our planning
process. Our understanding assists us in identifying and assessing risk of material
misstatement due to fraud or error, as well as assisting us in determining the most
appropriate audit strategy.

The nature, timing and extent of procedures to obtain an understanding of agency-level
controls vary depending on the size and complexity of the agency, previous
experience with the agency and the nature of the agency’s controls.

We often obtain our understanding of agency-level controls through inquiry and
observation due to the nature of agency-level controls and because audit evidence
may not exist or be available in documentary form. This may be even more
apparent in less complex agencies when communication between agency
management and other personnel may be informal. In other instances, we may be
able to corroborate agency management’s statements by inspection of documents
and reports (e.g., quarterly reports, interim financial statements and minutes of
meetings).

Internal Control
Agency management is responsible for the design, implementation and
maintenance of effective internal control to address identified agency risks that
threaten the achievement of the agency’s objectives. These objectives relate to
the reliability of the agency’s financial reporting, the effectiveness and efficiency of
its operations and its compliance with applicable laws and regulations.

The way in which internal control is designed, implemented and maintained will
vary with an agency’s size and complexity.

Internal control, no matter how effective, can provide an agency with only
reasonable assurance about achieving the agency’s financial reporting and
operational objectives. The likelihood of their achievement is affected by the
inherent limitations of internal control. These inherent limitations include the
realities that human judgment in decision-making can be faulty and that
breakdowns in internal control can occur because of human error.

Internal control may be divided into five interrelated components. Although this
does not necessarily reflect how an agency considers and implements internal
control, these components provide a useful framework for us to consider the
agency’s internal control and to assess the effect on our audit strategy. The five
components of internal control are:

· Control environment
· Risk assessment
· Monitoring
· Information and communication
· Control activities

Documenting and evaluating agency-level controls does not by itself provide a
complete perspective of internal controls of an agency. However, it is an important
starting point because the assessment of agency-level controls – particularly when
weaknesses are identified – can have a significant effect on the overall
assessment of the effectiveness of internal controls and procedures.

Documentation
We document our understanding of agency-level controls using Form 02-03
Agency-Level Controls Checklist.

2.3. Identify Significant Agency Risks

After gathering information to understand the agency, the auditors of a particular
agency (both Head Office and Regions) shall convene to update the Agency Risk
Model and identify and prioritize agency risks.

2.3.1 Update Agency Risk Model

The Agency Risk Model (ARM) is a framework consisting of a list of agency-level
risks which may hinder the achievement of the agency objectives and risk
definitions.

The ARM will be the guide of the auditors in identifying agency risks. It is
imperative that the ARM be updated to consider changes in the agency
environment and new policies, laws, rules and regulations. The agency auditors
shall provide input on the additions or modifications that need to be reflected in
the ARM after conducting the “Understanding the Agency” process.

Risks are categorized as follows:

• Strategic risk – arises when forces in the agency environment could significantly
‘change the fundamentals’ that drive agency’s overall social and/or operating
objectives and strategies and, in the extreme, result in failure of the agency’s
operations.

• Operation risk – risks that operations are inefficient and ineffective in executing
the agency’s operating model, satisfying the public, and achieving the agency’s
quality, cost, and time performance objectives. This arises when operation
processes:
o Are not clearly defined
o Are poorly aligned with agency’s strategies, goals, & objectives
o Are not performed effectively and efficiently in satisfying public or the
public’s needs
o Expose significant financial, physical, and intellectual resources to
unacceptable losses, risk taking, misappropriation or misuse

• Financial risk – risk that cash flows and financial risks are not managed cost-
effectively to (a) maximize cash availability; (b) reduce uncertainty of currency,
interest rate, and other financial risks; or (c) move cash funds quickly and without
loss of value to wherever they are needed most. It also includes risks that
government agencies face when misleading financial information becomes the
basis for decision making by the governing management.

• Compliance risk – noncompliance with prescribed policies and procedures or
laws and regulations resulting in lower quality, higher execution costs, lost
revenues, unnecessary delays, penalties, fines, etc.

Strategic
· Planning and resource allocation: Organizational structure; Strategic planning; Operational planning; Budgeting; Forecasting; Resource allocation; Capital/fund availability; Operational model; Operational portfolio; Outsourcing
· Major initiatives: Vision and direction; Planning and execution; Measurement and monitoring; Technology implementation; Project evaluation; Change readiness; Climate change and sustainability initiatives; Education; Healthcare services delivery; Energy and water management (supply/distribution)

Operations
· Public service and operations: Customer/public satisfaction; Channel effectiveness; Cycle time; Service failure; Efficiency; Capacity; Performance measure/gap; Partnering/contracting; Citizen relationship management system and organization
· People: Culture; Recruiting and retention; Development and performance; Succession planning; Knowledge capital; Compensation and benefits; Performance incentives; Health and safety
· Information technology: Information management; Security/access; Availability/continuity; Integrity; Infrastructure

Compliance
· Mandate: Functions
· Governance: Board performance/Agency Management Committee; Tone at the top; Authority/limit; Control environment; Corporate social responsibility; Reputation
· Code of conduct: Corruption and fraud; Ethics; Fraud; Employee/third party fraud; Illegal acts; Management fraud; Unauthorized use
· Legal: Contract; Liability; Intellectual property; Anticorruption; Legal

Financial
· Market: Interest rate; Foreign currency; Commodity; Financial instrument; Public policies; Debt and fiscal policy
· Liquidity and credit: Cash management; Opportunity cost; Funding; Hedging; Credit and collections; Insurance; Foreign assisted loan
· Accounting and reporting: Accounting, reporting and disclosure; Internal control; Investment evaluation; Tax strategy and planning

Diagram 1.1 – Sample ARM

The Agency Risk Model (ARM) is somewhat similar to the Government Risk
Model (GRM) except that the former is Agency-specific while the latter is a generic
Risk Model for the whole government. ARM shall be customized per Agency by
obtaining information from the UTA template and through inputs of head office and
regional auditors.

2.3.2 Identify Agency Risks

Based on the data gathered from the Understanding the Agency and ALC and the
results from the GRIT, the audit team composed of the head office representatives
and regional representatives shall have a discussion to identify Agency Risks.

Different modes may be used in identifying agency risks. It could be in the form of
a workshop, survey, questionnaire or interview, or a simple phone call. In any
case, it shall be ensured that the essence of identifying agency risks is followed.

The participants are to identify the following and document in the Significant
Agency Risk Identification (SAgRI) Matrix:
· Identified Agency Risks
· Basis of Selection
· Risk Rating (Impact, Likelihood and Overall Rating)
· Related Processes, Projects, Activities and Programs of the Agency
· Risk Location
· Audit Response
· Remarks

(The criteria to be used for the risk rating will be developed by COA)

2.3.3 Prioritize Significant Agency Risks

After all the risks of an agency have been identified, the agency auditors shall
prioritize those risks which are significant based on the risk rating provided.

The significant agency risks identified will be summarized into the summary portion
of the Significant Agency Risk Identification (SAgRI) Matrix.

The risks identified as significant will be the audit team’s priority for their audit
focus areas. The identified significant agency processes affected by the significant
agency risks will be the focus of the Understanding of flow of significant processes
in the next step.

2.4. Understand the Process

2.4.1. Identify critical path of the processes

We obtain our understanding by performing inquiry, observation and inspection
procedures.

Obtaining our understanding of significant processes is a continuous process.
When we perform audit procedures and we identify changes in significant
processes, we update our understanding. When we identify a new significant
process during our audit, we perform the procedures as outlined in this objective.

We obtain an understanding of the critical path of significant processes by
obtaining an understanding of each of the following stages:
· Initiation: the point where the transaction first enters the agency’s process and
is prepared and submitted for recording
· Recording: the point where the transaction is first recorded in the books and
records of the agency
· Processing: any changes, manipulation or transfers of the data in the books
and records of the agency
· Reporting: the point where the transaction is reported (i.e., posted) in the
general ledger

Our understanding of significant processes, including risks and controls, assists us
in:
· Performing risk assessments for each relevant assertion for each significant
account and disclosure
· Customizing the nature, timing and extent of our audit procedures to address
the identified risks

2.4.2. Identify Process Risks

Process risks refer to points where risks of material misstatement, due to error or
fraud, can occur in the significant process. We do not attempt to identify all risk
scenarios, but focus on those risk scenarios that could have a material effect on
the relevant assertions.

We use our professional judgment to identify the appropriate level of detail.

2.4.3. Identify Existing Controls

We select relevant controls that address our identified process risks. We
determine whether the design of these controls mitigates our identified process
risks. Our information obtained from our walkthrough (discussed in succeeding
paragraphs) shall become our basis for our preliminary assessment of control risk.

2.4.4. Identify Impact

We determine the impact of the process risk by identifying the affected accounts,
including assertions, and its impact on the attainment of the objectives of an
agency’s PAPs.

Documentation
Our documentation of process flow may be in narrative format or in graphical form
through the use of process mapping flowcharts. Our documentation of our
understanding of the flow of significant processes is determined by the size and
complexity of the processes subject to review. The process mapping flowchart,
including the identification of process risks, controls and impact, is documented
using Form 02-06 Process-Risk-Control Matrix.

Confirmation of our understanding
We perform a walkthrough to confirm that our understanding of the significant
process is as we have documented and to confirm the points where data is, or
should be captured, transferred or modified as these are the points where
misstatements are most likely to occur.

We also perform a walkthrough to obtain a preliminary assessment of the
effectiveness of controls. The result of our walkthrough will be our basis for our
preliminary assessment of control risk (discussed further in 2.5 Conduct Audit Risk
Assessment).

2.5. Conduct Audit Risk Assessment

One of the foundations of a comprehensive audit is the conduct of audit risk
assessment. The information we have obtained in our understanding of the
agency, agency-level controls and significant processes will be our basis in
evaluating and quantifying the risks applicable to the agency. The resulting
assessments will provide us our basis for risk prioritization.
In order to develop an audit strategy that is responsive to the agency’s risks, we
make an audit risk assessment for each identified risk.

2.5.1. Financial and Compliance

In conducting Financial and Compliance Risk Assessment, we perform risk
assessment for each relevant assertion for each significant account.

a. Assess Inherent Risk

Definition: Inherent risk: The susceptibility of an assertion about a class of
transactions, account balance or disclosure to a misstatement that could be
material, either individually or when aggregated with other misstatements,
before consideration of any related controls.

We consider the information we gathered in our Understanding the Agency,
Understanding of Agency-Level Controls and Understanding of Flow of
Significant Processes and use our professional judgment in making our inherent
risk assessment for each relevant assertion.

In deciding whether to assess inherent risk as either higher or lower, we
consider whether we identified inherent risk factors that cause us to believe
there is a higher likelihood that a material misstatement could occur. If we
believe there is a higher likelihood that a material misstatement could occur, we
assess inherent risk for the relevant assertions as higher. If we identify inherent
risk factors that cause us to believe that it is less likely that a material
misstatement could occur, assuming no controls, we assess inherent risk as
lower.

Factors that may affect our inherent risk assessment are as follows:
· Susceptibility to material misstatement
· Size and composition
· Variations from expected amounts
· Effects of external factors
· Competence and experience of agency personnel
· Degree of subjectivity
· Completion of unusual/complex transactions at or near period-end
· Transactions not subjected to routine processing

b. Assess Preliminary Control Risk

Definition: Control risk: The risk that a misstatement that could occur in an
assertion about a class of transactions, account balance or disclosure and that
could be material, either individually or when aggregated with other
misstatements, will not be prevented, or detected and corrected, on a timely
basis by the agency’s internal control.

Our assessment of control risk at this point is based on our preliminary
assessment of controls using:
· Information we obtained from prior periods’ engagements, if available
· Information we obtained as part of our planning procedures performed to
date (e.g. results of walkthrough procedures)

Our preliminary evaluation is typically made after we understand the significant
processes, risks and controls in Understanding the Process, and after we
perform walkthroughs, but before any tests of controls are performed. In other
words, our preliminary control risk evaluation is based on the design of controls
and our determination of whether controls have been implemented. We make a
preliminary assessment so that we can develop our audit strategy and plan our
resources. As the evaluation is preliminary, it is subject to change based on the
results of our tests of controls in the Execution phase.

We assess control risk for each relevant assertion as either:

1. Rely on Controls

We assess whether controls have been designed and are operating
effectively throughout the period of reliance. Our assessment to ‘rely on
controls’ at this stage in the audit is a preliminary assessment.

2. Not Rely on Controls

After gaining the necessary understanding of the agency’s significant
processes or significant disclosure processes:
· We believe that controls have not been designed appropriately,
implemented effectively, or are unlikely to operate effectively throughout
the period of reliance, and therefore we have decided not to test
controls;
· We have identified substantive procedures that we believe provide the
evidence necessary to support the related account balances or
disclosure; or
· We believe that testing controls would be inefficient

c. Make overall financial and compliance risk assessment

The table below shows how we combine our assessments of inherent and
control risks into one CRA for financial and compliance risk assessment:

| Inherent Risk Assessment | Control Risk Assessment: Rely on controls | Control Risk Assessment: Not rely on controls |
|---|---|---|
| Lower | Minimal | Moderate |
| Higher | Low | High |

The following chart summarizes the risk conclusion and effect on our audit
procedures:

| Overall Risk Assessment | Risk Conclusion | Effect on Audit Procedures |
|---|---|---|
| Minimal | We have sufficient evidence that controls are effective at preventing or detecting and correcting risks of material misstatement from occurring | Designed to confirm that material misstatements have not occurred |
| Low | We have sufficient evidence that controls are effective at preventing or detecting and correcting risks of material misstatement from occurring | Designed to confirm that the risks that have created a higher likelihood of misstatements occurring have not resulted in a material misstatement |
| Moderate | We have insufficient evidence to conclude that controls operated effectively and will prevent or detect and correct misstatements from occurring | Designed to detect and evaluate misstatements that may not have been prevented or detected and corrected by controls |
| High | We have insufficient evidence to conclude that controls operate effectively and will prevent or detect and correct misstatements from occurring and we assess there is a higher likelihood that risks of material misstatements will occur | Designed to detect whether risks of material misstatement have resulted in a material misstatement |

2.5.2. Performance

In conducting assessment for Performance audit, we consider the following factors
in evaluating each of the agency’s PAPs.

Quantitative Factor

Financial Materiality


Selection of agency’s programs/projects for performance audit is based on an
assessment of the total value of government assets, annual expenditure and/or
annual revenue of the audit area. The more funds used for a program/project,
the higher is its priority for selection as an audit project.

Qualitative Factors

a. Impact

Of major importance in the final selection of the program/project is the added value
expected from the audit. A preliminary estimate of the audit’s benefits should be
made at the strategic planning stage. This is an important process in the overall
management of the audit since decisions on projects to be audited are made
prior to designing the actual VFM audit plan for a particular program or project.

Impact is measured through consideration of:


· Effect – importance of audit results to immediate/direct beneficiaries and
other end-users
· Improvement – public administration (delivery of service, effectiveness in
achieving program objectives), accountability, and better practices
· Value-added – value expected to be gained from the audit, savings to be
realized

The greater the opportunities for audit impact of the program/project, the higher
is the priority for its selection.

b. Risk to good management


The auditor should assess the risk that the management of the activity to be
audited is deficient in economy, efficiency and effectiveness.

Evidence of risk to good management includes:


· Management inaction in response to identified weakness;
· Adverse comment in the legislature or media;
· Non-achievement of stated objectives such as revenue raised or clients
assisted;
· High staff turnover;
· Significant underspending or overspending;
· Sudden program expansion; and
· Overlapping or confused responsibility relationships.

An agency’s program or activity that is more complex to manage and operates
in an uncertain environment is more likely to have problems associated with
performance. Some possible indicators of high complexity and uncertainty are:

· Highly decentralized operations with devolved management decision-making
responsibilities;
· A multiplicity of interested parties;
· Use of rapidly changing and sophisticated technology;
· A dynamic and competitive environment; and
· Controversial social and political debate surrounding the issue.

The stage of the agency’s program development should also be kept in mind
when assessing management performance. For example, in the development
stage it will be particularly important for the agency’s management to set
measurable, operational objectives which clearly identify how the program will
contribute to the organization’s objectives. During program implementation, it
will be important to see whether appropriate performance measures are
maintained and analyzed to assess performance, and whether there is a clear
identification of roles and responsibilities for each level of the program. If the
program has been in place for some time, it will be important to assess whether
a formal evaluation has been undertaken to ascertain whether the program is
continuing to meet relevant needs and the extent to which those needs still exist
or are being met by other programs.

c. Significance
The significance of an audit project should have a bearing on the magnitude of its
organizational impacts. It will depend on whether the activity is comparatively
minor or whether shortcomings in the area concerned could flow on to other
activities within the agency.

Significance will rate highly where the audit project is considered to be of
particular importance to the agency and where improvement would have a
significant impact on its operations. A low ranking in relation to ‘significance’
would be expected where the project is of a routine nature and the impact of
poor performance would be restricted to a small area or be likely to have
minimal impact.

Audits of programs/projects implemented by a number of agencies (inter-agency
implementation) are more likely to rank high on significance.

d. Visibility
This factor is similar to significance but is more concerned with the external
impact of the program. It is related to the social, economic and environmental
aspects of the program/project and the importance of its operations to the
government and the public. In considering this factor some weight would be
attached to the impact of an error, weakness, or irregularity on public
accountability. It would also have regard to the degree of interest by the
legislature and public in the outcome of the audit. Projects that have been
identified with the “audit thrust” by the Commission would generally warrant a
high rank in terms of ‘visibility’.

e. Previous Audit Coverage


Coverage refers not only to previous COA audits undertaken but also to other
independent reviews of the project. Such reviews may have been conducted by
internal audit, external consultants or government committees or the project
could have been subjected to program evaluation. As a general rule, a low
ranking would occur when there has been a substantial review of the activity
within the past two years. A higher ranking would be warranted where a follow-
up review has been requested by the President, Congress or other authorities or
the previous review indicated that such follow-up should be made.

The materiality, risk, significance and visibility of a project will also influence the
ranking for coverage. If a program has ranked highly on all or most of these
elements it would be expected that the coverage cycle would be at fairly
frequent intervals.

The factors that we have described above are the basis for a systematic
approach to assisting the auditor in applying judgment in selecting audit
projects. Using these factors when supported by valid information and data will
help auditors in allocating scarce resources for the audit of projects. One
method of ranking a list of candidate audit projects against the selection
factors, using a matrix, is shown in the Risk Assessment template.

Documentation
We document our audit risk assessments using the Form 02-07 Audit Risk
Assessment Tool.

2.6. Develop Audit Plan

2.6.1. Determine Audit Scope and Timing

Our audit scope defines the boundaries and limitations of our audit. We document
our audit scope based on the results of our risk assessment.

In determining the timing of our audit tests (tests of controls and details), we shall
consider the COA auditor’s other responsibilities such as, but not limited to:
· Cash examinations of accountable officers
· Request for relief of accountabilities
· Issuance of disallowances
· Pre-audit activities

2.6.2. Determine need for specialized skills

We are not expected to have the expertise of a person qualified to engage in the
practice of another profession or occupation (e.g., an actuary, engineer, fraud
investigator). When such expertise is required in order to obtain sufficient
appropriate audit evidence, we consider whether to use the work of an appropriate
expert. We may use the work of an expert to:

· Value complex financial instruments, land and buildings, plant and machinery,
jewelry, works of art, antiques, intangible assets, assets acquired and liabilities
assumed in business combinations and assets that may have been impaired
· Understand the technical aspects of the agency’s operations
· Calculate the liabilities associated with insurance contracts or employee benefit
plans
· Value environmental liabilities and site clean-up costs
· Analyze complex or unusual tax compliance issues
· Measure work completed and to be completed on contracts in progress
· Interpret technical requirements, statutes, regulations or agreements (e.g., the
significance of contracts or other legal documents or legal title to property)
· Review the work of another expert (e.g., to corroborate the findings of a
management’s expert)

2.6.3. Prepare Audit Planning Memorandum

We apply our judgment when deciding on the content of our Audit Planning
Memorandum and the level of details to include.

At a minimum, our Audit Planning Memorandum contains the following:

· Our audit focus areas with regard to Financial, Compliance and Performance
audit; and our planned audit approach (nature and extent of audit procedures)
including timing, duration and person/s responsible.
· Our documentation for Professionals with specialized skills needed for the audit
and the scope of work to be performed.
· Our identification of Other Material Accounts not covered in the Financial and
Compliance Audit Risk Assessment that will be subjected to High-level precision
analytics.


Documentation
We document our audit work plan using Form 02-08 Audit Planning Memorandum.

Policy and Standard

Policy/Standard | Description
ISSAI 1230 | Audit Documentation
ISSAI 1265 | Communicating Deficiencies in Internal Control to Those Charged with Governance and Management
ISSAI 1300 | Financial audit guideline – Planning an audit of financial statements
ISSAI 1315 | Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Environment
ISSAI 1320 | Materiality in Planning and Performing an Audit
ISSAI 1330 | The Auditor’s Responses to Assessed Risks
ISSAI 1520 | Analytical Procedures

Documentation

Procedure | Sub-procedure | Output/Tools
2.1 Prepare Agency Audit Work Plan | | Form 02-01 Audit Work Plan
2.2 Understand the Agency | Understand the Agency Profile | Form 02-02 Understand the Agency (UTA) Template
 | Understand Agency-level Controls | Form 02-03 Agency-level Control Checklist (ALCC)
2.3 Identify Significant Agency Risks | Update Agency Risk Model | Form 02-04 Agency Risk Model (ARM)
 | Identify Agency Risks; Prioritize Significant Agency Risks | Form 02-5 Significant Agency Risk Identification (SAgRI) Matrix
2.4 Understand the Process | Identify critical path of the processes; Identify Process Risks; Identify Existing Controls; Identify Impact | Form 02-06 Process-Risk-Control (PRC) Matrix
2.5 Conduct Audit Risk Assessment | Financial and Compliance; Performance | Form 02-07 Audit Risk Assessment (ARA) Tool
2.6 Develop Audit Plan | Determine Audit Scope and Timing |
 | Determine need for specialized skills |
 | Prepare Audit Planning Memorandum | Form 02-08 Audit Planning Memorandum

Form 02-01 AUDIT WORKPLAN

NAME OF AGENCY
AUDIT WORKPLAN
For the period _____ to _____

Auditee

Audit Period

Prepared By Date Prepared:

Reviewed By Date Reviewed:

Approved By Date Approved:

WP REF. | ACTIVITY | OUTPUT | PERSONS RESPONSIBLE | Target Date to Accomplish (Year: J F M A M J J A S O N D) | REMARKS

Form 02-02 UNDERSTANDING THE AGENCY

We obtain our understanding by performing review, inquiry, analytical procedures, observation
and inspection.

This template enables us to document our understanding of the agency and its environment and
assist in identifying risks of material misstatement. We document the identified inherent and/or
significant risks in this template.

The Understanding the Agency (UTA) can be used in conjunction with our meeting(s) with the
agency during the planning of the engagement. When we complete the UTA, we:
· Consider the use of available industry or sector knowledge
· Customize the UTA to each engagement

For future engagements, we base our understanding of the agency and its environment on prior
period knowledge. We update our understanding by focusing on the significant changes in the
agency and its environment in the current period and reflect those changes within the UTA
brought forward from the prior period.

AGENCY PROFILE

A. Mandate
State the relevant law, rule or regulation mandating the purpose of establishment of the agency.

B. Operations
Provide a brief description of the agency’s operations and critical agency processes. Document here or cross-reference other
documentation.

C. Structure
Describe the Agency’s organizational structure and its relation to other key government agencies. (Attach the Agency’s
organizational structure, as necessary)

D. Objectives and Strategies

Objectives | Strategies

E. Key Stakeholders

List stakeholders, or unified stakeholder groups, whose expectations or actions (or inactions) can significantly influence
management or affect the agency objectives and strategies (and/or the ability of the agency to meet its objectives and
strategies).

Key Environmental Factors

Political Environment

Social Environment

Legal and Regulatory Environment

Technological Environment

KEY PERFORMANCE INDICATORS


The key results identified and monitored by management, generally few in number, that must be achieved to conclude that a
strategy has been implemented successfully.

Key Performance indicators also refer to the targeted Major Final Outputs (MFO) as agreed in their Organizational
Performance Indicator Framework (OPIF).

PROGRAM ACCOUNTABILITY MODEL

RECENT DEVELOPMENTS/ NEWS

Recent Developments/News | Impact on the Agency



ANALYTIC REVIEW
Analytical procedures performed may include both financial and non-financial information. Our analytical procedures performed provide a basis for designing and implementing audit procedures that
respond to the assessed risks of material misstatement. However, overall analytical procedures may use data aggregated at a high level and therefore the results only provide an initial indication about
whether a risk of material misstatement exists.

a. Financial

Financial Statement Accounts | Current Year | Prior Year | Variance (Amount) | Variance (%) | Remarks

b. Performance

Accounts/Performance Indicators | Actual | Budget/Target | Variance (Amount) | Variance (%) | Remarks

Income Statement Accounts

Major Final Outputs



PROGRAM REVIEW

a. Program/Project Details

Program/ Project:
Objectives:
Total Budget:
Duration:
Project Overview:

b. Performance Indicators

Performance Indicators | Actual | Budget/Target | Variance (Amount) | Variance (%) | Remarks
Financial

Non-financial

SUMMARY
Document key audit issues and inherent risks noted from the information obtained for the Understanding the Agency Template.

IDENTIFIED AGENCY RISKS | IMPACT ON THE AGENCY


Form 02-03 AGENCY-LEVEL CONTROLS CHECKLIST

AGENCY-LEVEL CONTROLS CHECKLIST

Agency: | Prepared: | Date:
Audit Period: | Reviewed: | Date:

Yes | No | NA | Remarks

A. Control Environment

Integrity, Ethical Values, and behavior of key executives
· The agency has a code of conduct or equivalent policy that is communicated and monitored.
· The agency’s culture emphasizes the importance of integrity and ethical behavior. Senior management holds itself to the highest standards and leads by example.
· The agency’s communications reinforce a consistent message regarding policies and culture.
· Agency management takes appropriate action in response to departures from approved policies and procedures or the code of conduct.
· There are appropriate policies for such matters as conflicts of interest, and security practices that are adequately communicated throughout the agency.
· Agency management maintains, monitors and appropriately responds to a fraud hotline.
· The agency has a whistleblower policy and related whistleblower or ethics hotline, which are appropriately communicated throughout the agency, and include procedures for handling complaints and for accepting confidential submissions of concerns about questionable transactions.

Agency management’s control consciousness and operating style
· Agency management gives appropriate attention to internal control, including information technology controls.
· Agency management corrects identified internal control deficiencies on a timely basis.
· Agency management’s tendency is to be conservative with respect to selecting accounting principles and determining accounting estimates.
· Agency management consults with us on significant matters relating to accounting and financial reporting issues.

Agency management’s commitment to competence
· The agency personnel have the competence and training needed to deal with the nature and complexity of the agency’s operations.
· Agency management has other processes in place for handling complaints about agency operational issues.

Participation in governance and oversight by those charged with governance
· Those charged with governance provide effective oversight of the agency’s operations.
· There is an open line of communication among those charged with governance and COA auditors, and the nature and frequency of communication is appropriate given the size and complexity of the agency.
· Those charged with governance have sufficient knowledge, experience and time to perform their role effectively.
· Those charged with governance are appropriately independent of agency management given the size and complexity of the agency.

The organizational structure and assignment of authority and responsibility
· The agency organizational structure is appropriate given the nature, size and complexity of the agency.
· Agency management engages in communications so that personnel understand the agency’s objectives, their role in relation to these objectives, and how they are held accountable for the achievement of these objectives.
· There are appropriate methods for establishing authority, responsibility and lines of reporting.
· There are written job descriptions, reference manuals and other communications to inform personnel of their duties.

Human resource policies and practices
· The agency has adequate standards and procedures for hiring, training, motivating, evaluating, promoting, compensating, transferring, or terminating personnel.
· Job performance is periodically evaluated and reviewed with each employee.

B. Risk Assessment

· Agency objectives are established, communicated, and monitored. Key elements of the agency’s strategic plan are communicated throughout the agency so all employees have a basic understanding of the agency’s overall strategy.
· A process is in place to periodically review and update agency-wide strategic plans. The strategic plan is reviewed and approved by the agency’s board of directors.
· The agency-wide strategic plan includes IT or there is a separate IT strategic plan that addresses the technology needs of the agency to effectively and efficiently meet its strategic plan.
· There is an adequate mechanism for identifying agency risks, including those resulting from:
— Entering new markets or lines of business
— Offering new products and services
— Privacy and data protection compliance requirements
— Other changes in the operations, economic, and regulatory environment
· The internal audit (or another group within the company) performs a periodic (at least annual) risk assessment. Senior management reviews the risk assessment and considers actions to mitigate the significant risks identified.
· Management considers how much risk it is willing to accept when setting strategic direction or entering new markets, and strives to maintain risk within those levels.
· The board of directors and/or the audit committee oversee and monitor the risk assessment process and take action to address the significant risks identified.
· There are groups or individuals who are responsible for anticipating or identifying changes with possible significant effects on the agency. Processes are in place to inform appropriate levels of management about changes with possible significant effects on the agency.
· Budgets/forecasts are updated during the year to reflect changing conditions.
· Periodic reviews are performed or other processes are in place to, among other things, anticipate and identify routine events or activities that may affect the agency’s ability to achieve its objectives and address them.
· Management reports to the board of directors and/or the audit committee on changes that may have a significant effect on the agency.
· The board of directors and/or the audit committee review and approve significant changes in the entity’s accounting practices.
· There are processes to ensure the accounting department is made aware of changes in the operating environment so they can review the changes and determine what, if any, effect the change may have on the agency’s accounting practices.
· There are channels of communication between the accounting department and/or individual(s) in charge of monitoring regulatory rules so the accounting department is aware of regulatory changes that could affect the agency’s accounting practices.

C. Information and Communication

Information
· The agency is able to prepare accurate and timely financial reports, including interim reports.
· The board of directors and management receive sufficient and timely information to allow them to fulfill their responsibilities.
· Management’s objectives in terms of budget, profit, and other financial and operating goals are defined and measurable. Actual results are measured against these objectives.
· There is a high level of user satisfaction with information systems processing, including reliability and timeliness of reports.
· There is a sufficient level of coordination between the accounting and information systems processing functions/departments.
· There are appropriate policies for developing and modifying accounting systems and controls (including changes to and use of computer programs and/or data files).
· Management’s efforts to develop or revise information systems (including accounting systems) are responsive to its strategic plans.
· There are significant applications or transactions that are executed/processed by service organizations. Management has documented the relevant controls at the service organization, the company, or both that mitigate the risk of errors. There are policies for periodic monitoring of controls either at the service organization or the company and taking appropriate action to mitigate potential new risks.
· The board of directors or audit committee are involved in monitoring information systems projects and resource priorities.
· The IT organization chart clearly reflects areas of responsibility and lines of reporting and communication.
· There are defined responsibilities for individuals responsible for implementing, documenting, testing and approving changes to computer programs that are purchased or developed by information systems personnel or users.
· Systems conversions are well controlled (e.g., completed pursuant to written procedures or plans).
· Financial management ensures and monitors user involvement in the development of programs, including the design of internal control checks and balances.
· There is a high degree of cooperation and interaction between users and the IT department (e.g., procedures to ensure ongoing monitoring by the IT department of user satisfaction with IT processing and policies for the development, modification, and use of programs and data files).
· Application programs and data files are backed up regularly.
· There is a current disaster recovery plan for the significant components of the IT infrastructure.
· There is a business continuity plan that incorporates the disaster recovery plan and end-user department needs for timely recovery of critical business functions, systems, processes and data.
· The disaster recovery and business continuity plans are tested periodically (at least annually).
· The disaster recovery and business continuity plans are updated for changing conditions.

Communication
· Lines of authority and responsibility (including lines of reporting) within the company are clearly defined and communicated.
· There are written job descriptions and reference manuals that describe the duties of personnel.
· Policies and procedures are established for and communicated to personnel at decentralized locations (including regional operations).
· There is a training/orientation for new employees, or employees when starting a new position, to discuss the nature and scope of their duties and responsibilities. Such training/orientation includes a discussion of specific internal controls they are responsible for.
· There is a process for employees to communicate improprieties. The process is well communicated throughout the agency. The process allows for anonymity for individuals who report possible improprieties. There is a process for reporting improprieties, and actions taken to address them, to senior management, the board of directors, or the audit committee.
· All reported potential improprieties are reviewed, investigated, and resolved in a timely manner.
· Employees believe they have adequate information to complete their job responsibilities.
· There is a process to quickly disseminate critical information throughout the agency when necessary.
· There is a process for tracking communications from customers, vendors, regulators, and other external parties.
· Ownership is assigned to a member of management to help ensure the agency responds appropriately, timely, and accurately to communications from customers, vendors, regulators, and other external parties.

D. Monitoring

· Periodic evaluations of internal control are reported to agency management and those charged with governance.
· Personnel, in carrying out their regular duties, obtain evidence as to whether the system of internal control continues to function.
· Policies and procedures are in place to ensure that corrective action is taken on a timely basis when control exceptions occur.
· Agency management takes adequate and timely actions to correct deficiencies reported by the internal audit function or the independent auditors.
· Internal audit or another department performs periodic reviews of internal control.
· Agency management or those charged with governance review communications from external parties that highlight areas of internal control in need of improvement.

Internal audit function
· The agency has an effective internal audit function.
· The internal audit function is independent of the activities it audits and is prohibited from having operating responsibilities.
· The internal audit function adheres to professional standards (e.g., International Standards for the Professional Practice of Internal Auditing).
· The scope of internal audit activities is appropriate given the nature, size and structure of the agency.
· The internal audit department develops an annual plan that considers risk in determining the allocation of resources.
· The results of the internal audit activities are reported to senior management and COA auditors.

Integrated Results and Risk-Based Audit Manual Form 02-04: Agency Risk Model

AGENCY RISK MODEL

About this Tool

This model will be the guide of the auditors in identifying Agency-level Risks to determine what
areas are to be focused in the conduct of the audit. The Agency Risk Model (ARM) is a
comprehensive list of the risks including its definitions, which could threaten the Agency in
achieving its objectives.

This model shall be regularly reviewed, updated and customized to consider changes in the
public sector environment as well as new standards, laws, rules and regulations.

Strategic

Planning and resource allocation
· Organizational structure
· Strategic planning
· Operational planning
· Budgeting
· Forecasting
· Resource allocation
· Capital/fund availability
· Operational model
· Operational portfolio
· Outsourcing

Major initiatives
· Vision and direction
· Planning and execution
· Measurement and monitoring
· Technology implementation
· Project evaluation
· Change readiness
· Climate change and sustainability initiatives
· Education
· Healthcare services delivery
· Energy and water management (supply/distribution)

Environment dynamics
· Economic changes
· Financial market
· Sovereign/political
· Customer/public wants
· Technological innovation
· Environment scan
· Agency environment/industry
· Sensitivity

Market dynamics
· Macroeconomic factors
· Lifestyle trends
· Sociopolitical
· Technology changes

Communication and public relations
· Media relations
· Public relations
· Crisis communications
· Employee communication

Operations

Public service and operations
· Customer/public satisfaction
· Channel effectiveness
· Cycle time
· Service failure
· Efficiency
· Capacity
· Performance measure/gap
· Partnering/contracting
· Citizen relationship management system and organization
· Corruption and fraud

People
· Culture
· Recruiting and retention
· Development and performance
· Succession planning
· Knowledge capital
· Compensation and benefits
· Performance incentives
· Health and safety

Information technology
· Information management
· Security/access
· Availability/continuity
· Integrity
· Infrastructure

Hazards
· Natural events
· Terror and malicious acts

Physical assets
· Real estate
· Property, plant and facilities
· Maintenance and performance
· Inventory

Compliance

Mandate
· Functions

Governance
· Board performance/Agency Management Committee
· Tone at the top
· Authority/limit
· Control environment
· Corporate social responsibility
· Reputation

Code of conduct
· Ethics
· Fraud
· Employee/third party fraud
· Illegal acts
· Management fraud
· Unauthorized use

Legal
· Contract
· Liability
· Intellectual property
· Anticorruption
· Legal

Regulatory
· Trade
· Customs
· Procurement
· Road right of way (RROW) acquisition
· Labor
· Securities
· Environment
· Data protection and privacy
· International
· Product/service quality
· Health and safety
· Competitive practice/antitrust

Financial

Market
· Interest rate
· Foreign currency
· Commodity
· Financial instrument
· Public policies
· Debt and fiscal policy

Liquidity and credit
· Cash management
· Opportunity cost
· Funding
· Hedging
· Credit and collections
· Insurance
· Foreign assisted loan

Accounting and reporting
· Accounting, reporting and disclosure
· Internal control
· Investment evaluation
· Tax strategy and planning

Capital structure
· Debt
· Equity
· Pension funds


Risk Definition

RISK TITLE: RISK DESCRIPTION

STRATEGIC

Planning and Resource Allocation
· Organizational structure: The overall structure of the agency does not support the achievement of strategic and agency objectives in an efficient manner.
· Strategic planning: Inability to discover, evaluate and select among alternatives to provide direction and allocate resources for effective execution to achieve the strategic objectives of the agency.
· Operational and agency planning: Misalignment of agency and operating plans and execution to strategic planning. Lack of information needed to make the right decisions.
· Budgeting: Inability to effectively budget for new and existing initiatives that support the overall strategic goals and objectives for growth, expansion, acquisition and overall profitability. Inability to effectively budget for programs and projects that would meet the government’s Medium Term Philippine Development Plan (MTPDP).
· Forecasting: Inability to forecast financial information to enable the allocation of resources to new and existing initiatives; and communicate earnings expectations to the market.
· Resource allocation: Unavailability and inappropriateness of resource allocation process prohibits the agency’s ability to provide value for customer/public.
· Capital/fund availability: Insufficient access to capital/fund threatens the agency’s capacity to grow, execute its strategies and achieve its objectives.
· Operational model: The agency has an obsolete operation model and doesn’t recognize it and/or lacks the information needed to make an up-to-date assessment of its current model and build a compelling operational case for modifying that model on a timely basis.
· Operational portfolio: Lack of relevant and reliable information that enables agency management to effectively prioritize its services or balance its operations in a strategic context may preclude a diversified agency from maximizing its overall performance.
· Outsourcing: Outsourcing activities to third parties may result in the third parties not acting within the intended limits of their authority or not performing in a manner consistent with the agency’s strategies and objectives.

Major initiatives
· Vision and direction: Failure to establish a vision and direction for major initiatives, including services, products and programs that will drive future growth. Failure to establish project acceptance criteria and adequately measure against the criteria.
· Planning and execution: Failure to plan and execute major initiatives in a coordinated manner.
· Measurement and monitoring: Failure to identify appropriate metrics and assess performance, quality and adherence to the standards as set forth by the agency.
· Technology implementation: Failure of a major technology implementation to meet the strategic objectives of the organization.



· Project evaluation: Failure to evaluate properly pilot projects before a new service is introduced may result in problems when the service becomes fully operational.
· Change readiness: The people within the agency are unable to implement process and service improvements quickly enough to keep pace with changes in the agency environment.
· Climate change and sustainability initiatives
· Education
· Healthcare services delivery
· Energy and water management (supply/distribution)

Environment Dynamics
· Economic changes: Economic changes such as lower economic growth reduce tax revenue and opportunities to provide a wide range of services or limit the availability or quality of existing services.
· Financial market: Movements in prices, rates, indices, etc. threaten the value of the agency’s financial assets.
· Sovereign/political: Adverse political actions in a country in which the agency has invested significantly, is dependent on a significant volume of operation or has entered into a significant agreement with a counterparty subject to the laws of that country threaten the agency’s resources and future cash flows.
· Customer/public wants: Pervasive public needs and wants change and the agency isn’t aware, e.g. increased demand for faster turnaround on services.
· Technological innovation: The agency is not leveraging advancements in technology in its operations to achieve or sustain advantage or is exposed to the actions of other agencies or substitutes that do not leverage technology or to attain superior quality, cost and/or time performance in their services processes.
· Environment scan: Failure to monitor the external environment or formulation of unrealistic or erroneous assumptions about environment risks may cause the agency to retain operation strategies long after they have become obsolete.
· Agency environment/Industry: Changes in opportunities and threats, and other conditions affecting the agency’s environment.
· Sensitivity: Over commitment of resources and expected future cash flows threatens the agency’s capacity to withstand changes in environment (e.g., interest rates, public demand, changes in regulations, etc.) forces.

Market Dynamics
· Macroeconomics factors: Factors relating to macroeconomic conditions that affect the ability to maintain or increase revenue and profitability in a specific agency environment.


· Lifestyle trends: Failure to anticipate and respond to changes in overall trends related to lifestyle demands of consumers.
· Sociopolitical: Exposure to social and political factors within a market environment that affect the ability to market, sell and service products and services.
· Technology changes: Dramatic changes in current technologies which may impact the market viability or demand of current products and services offered by the agency.

Communication and public relations
· Media relations: Inability to anticipate and manage shifts in the information stakeholders want, and the way in which they want it communicated to them; and ineffective ongoing, transparent communications with the public in order to create goodwill.
· Public relations: A decline in customer/public confidence threatens the agency’s capacity to efficiently raise or collect funds.
· Crisis communications: Failure to communicate the right message in an effective manner to recover and maintain agency operations in the event of a crisis or disruption due to physical or natural circumstances.
· Employee communications: Inability to understand, and respond to, the communication needs of different employees.

OPERATIONS

Public Service and Operations
· Customer/public satisfaction: A lack of focus on the customer/public threatens the agency’s capacity to meet or exceed the customer’s/public’s expectations.
· Channel effectiveness: Poorly performing or positioned channels access threaten the agency’s capacity to effectively and efficiently service the customer/public.
· Cycle time: Unnecessary activities threaten the agency’s capacity to deliver services in a timely manner.
· Service failure: Faulty or nonperforming services expose the agency to customer/public complaints, litigation, and loss of revenues, and agency reputation.
· Efficiency: Inefficient operations threaten the agency’s capacity to deliver services at the lowest cost and shortest time possible.
· Capacity: Insufficient capacity threatens the agency’s ability to meet customer/public demands, or excess capacity threatens the agency’s ability to generate competitive profit margins.
· Performance measure/gap: Inability to perform at world-class levels in terms of quality, costs and/or cycle time due to inferior operating practices threatens the demand for the agency’s services.
· Partnering/contracting: Inefficient or ineffective external relationships affect the agency’s capacity to serve; these uncertainties arise due to choosing the wrong partner, poor execution, taking more than is given (resulting in loss of a partner) and failing to capitalize on partnering opportunities.
· Citizen relationship management


· Corruption and Fraud

People
· Culture: Failure to establish a culture that is consistent with management philosophy and that encourages integrity, values, and ethical competence.
· Recruiting and retention: Failure to attract, hire, and retain the qualified resources to optimize execution of the organization's objectives.
· Development and performance: Inability to develop and enhance employee skills and provide performance management that ensures optimal achievement of organizational strategies, goals and objectives.
· Succession planning: Failure to create and implement an effective succession plan for senior executive and other key positions and employees throughout the organization. Failure to align succession planning with strategic planning and leadership development objectives.
· Knowledge capital: Processes for capturing and institutionalizing learning across the agency are either non-existent or ineffective, resulting in slow response time, high costs, repeated mistakes, slow development, constraints on growth and unmotivated employees.
· Compensation and benefits: Failure to provide a total compensation package (base salary, annual/long-term incentive, benefits/perquisites) that is market competitive, aligned to agency and compensation strategies and able to retain and motivate employees to achieve desired results.
· Performance Incentives: Unrealistic, misunderstood, subjective or non-actionable performance measures may cause senior management, division heads and employees to act in a manner inconsistent with the agency’s objectives, strategies, and ethical standards, and with prudent agency practice.
· Health and safety: Failure to provide a safe working environment for its workers exposes the agency to compensation liabilities, loss of operational reputation and other costs.

Information and technology
· Information management
· Security/access: Failure of Information systems to adequately protect the critical data and infrastructure from theft, corruption, unauthorized usage, viruses, or sabotage.
· Availability/continuity: The inability to recover from, and continue uninterrupted operations in the event of extraordinary events, systems and implementation failures.
· Integrity: Information systems that do not provide reliable information when it is needed or perform so slowly that operations are not efficient.
· Infrastructure: The computer and telecommunications systems with supporting software do not capture, retain and transfer data in a secure and reliable environment and do not meet the expected requirements of the agency at a reasonable cost.
Hazards
· Natural events: Threat to disrupt operation and ability of the agency to sustain operations, provide essential services or recover operating costs or accomplish planned target due to natural events (e.g., fire, earthquake, tornado).
· Terror and malicious acts: Threat to disrupt operation and ability of the agency to sustain operations, provide essential services or recover operating costs or accomplish planned target due to terrorist activities or other malicious acts.

Physical assets
· Real estate: Failure to provide physical protection and stewardship over real estate designed to optimize longevity and utilization.
· Property, plant and facilities: Failure to provide physical protection and stewardship over long-lived assets (such as buildings, furniture, fixtures, machinery, equipment and other assets) designed to optimize longevity and utilization.
· Maintenance and performance
· Inventory: Failure to provide physical protection and stewardship over inventories designed to optimize utilization while minimizing obsolescence, contamination, etc.

COMPLIANCE

Mandate
· Function: Failure to align process objectives and performance measures with the mandate of the agency, its objectives and strategies may result in conflicting, uncoordinated activities throughout the agency.

Governance
· Board performance/Agency management committee: Failure of Board of Directors to discharge their obligations and duties owed to the agency and its stakeholders in good faith; and to possess adequate knowledge to interpret and act on the information provided.
· Tone at the top: Senior management fails to establish an environment that encourages integrity, ethical values, and competence of the agency's people through management's philosophy and operating style, assignment of authority and responsibility, and the organization and development of its people.
· Authority/limit: Ineffective lines of authority may cause senior management, division heads or employees to do things they should not do or fail to do things they should.
· Control environment: Failure to establish and maintain an internal control environment which aligns with stakeholder and regulatory expectations.
· Corporate social responsibility: The mismanagement of "socially responsible" activities (e.g., conducting social responsibility training for management of manufacturers, undertaking environmental programs, participating in community initiatives) resulting in an unfavorable agency perception with stakeholders, customers, suppliers, agency partners, employees and the regulatory community.
· Reputation: Damage to the Agency’s reputation exposes it to loss of customer/public trust, profits and the ability to grow.

Code of conduct



· Ethics: The absence of formal standards of employee behavior that are intended to direct and influence the way business is conducted, above and beyond the letter of the law.
· Fraud: Potential unethical acts committed by agency employees or other stakeholders may negatively impact the agency's reputation.
· Employee/Third Party Fraud: Fraudulent activities perpetrated by employees, suppliers, agents, or third-party administrators against the agency for personal gain (e.g., misappropriation of physical, financial or information assets) expose the agency to financial loss.
· Illegal Acts: Illegal acts committed by senior management, division heads or employees expose the agency to fines, sanctions, and loss of public trust, profits and reputation, etc.
· Management Fraud: Management Fraud (e.g., intentional misstatement of financial statements or critical reports) may adversely affect stakeholders’ decisions.
· Unauthorized Use: Unauthorized use of the agency’s physical, financial or information assets by employees or others exposes the agency to unnecessary waste of resources and financial loss.

Legal
· Contract: Entering into contracts that are unfavorable to the agency; and the failure to comply with and monitor contract terms to protect the agency from financial losses.
· Liability: A responsibility, duty or obligation that may result in lawful consideration to provide satisfaction, compensation or other form of restitution.
· Intellectual property: Failure to create, capture, enhance, leverage and protect the collective knowledge, expertise and ideas of agency employees valued as non-physical assets.
· Anticorruption: Failure to create an agency environment which is opposed to corruption, and instill agency practices which prevent corruption.
· Legal: Changing laws threaten the agency’s capacity to consummate important transactions, enforce contractual agreements or implement specific strategies and activities.

Regulatory
· Trade: Failure to identify and prevent legal risks posed by noncompliance with governmental and International regulatory requirements for Trade Practices e.g., anti-dumping and trade policy.
· Customs: Failure to identify and prevent legal risks posed by noncompliance with governmental and International regulatory requirements for Customs.
· Procurement: Failure to identify and prevent legal risks posed by noncompliance with the government procurement reform act.
· Road-right of way (RROW) acquisition: Failure to implement infrastructure projects due to RROW problems and risks posed by non-compliance with Comprehensive and Continuing Urban development and Housing Program (RA 7279).
· Labor: Failure to identify and prevent legal risks posed by noncompliance with governmental and International regulatory requirements for Labor rules and regulations, including taxes, wages, antidiscrimination, Family and Medical Leave, workplace violence etc.


· Securities: Failure to identify and prevent legal risks posed by noncompliance with governmental and International Securities regulatory requirements.
· Environment: Failure to identify and prevent legal risks posed by noncompliance with governmental and International Environmental regulations e.g., noncompliance with ISO 4001 standards.
· Data protection and privacy: Failures to identify and prevent legal risks posed by, and prevent non-compliance with privacy rules and regulations standards resulting in improper disclosure of confidential customer information.
· International: Exposure to geo-political, regulatory and fraud risks via international business dealings.
· Product/service quality: Failure to identify and prevent legal risks posed by noncompliance with governmental and International regulatory requirements for product/service quality and safety.
· Health and safety: Failure to identify and prevent legal risks posed by noncompliance with governmental and International rules and regulations for health and safety.
· Competitive practice/antitrust: Failures to identify and prevent legal risks posed by, and prevent non-compliance with, government and international rules and regulations for competitive practices/anti-trade. Lack of awareness of statutory and regulatory application of export & customs policies and requirements.

FINANCIAL

Market
· Interest rate: Unfavorable price paid per unit of funds borrowed or the rate of return received on invested assets, or interest rate fluctuations beyond projected range.
· Foreign currency: Unfavorable fluctuations in the currency of another market that is needed to carry out international transactions.
· Commodity: Unfavorable fluctuations in the price of raw materials or other commodities used in product development/service delivery that are not anticipated and managed.
· Financial instrument: Financial market risk can vary depending on the particular segment of the market to which the holder of a financial instrument is exposed, or the way in which the exposure is structured.

Public policies

Debt and fiscal policy

Liquidity and credit

· Cash management: Failure to efficiently and effectively administer and manage cash flows to maintain adequate liquidity to meet obligations.
· Opportunity cost: The use of funds in a manner that leads to the loss of economic value, including time value losses, transaction costs and other causes of loss of value.
· Funding: Failure to meet the requirements of a portfolio of capital investments and obligations based on specified commitments or in accordance with terms of an agreement (i.e. retirement and capital accounts). Failure to receive appropriate funds to finance programs and projects.
· Hedging: Failure to purchase or undertake sale transactions that effectively minimize profits or losses arising from price fluctuations.
· Credit and collections: Inability to obtain the optimal level of payment received as a result of a prior agency transaction.
· Insurance: Insurance coverage fails to protect the agency from significant financial losses due to incidents and claims.

· Foreign assisted loan

Accounting and reporting
· Accounting, reporting and disclosure: Incomplete, inaccurate and/or untimely reporting of required financial and operating information to other regulatory agencies may expose the agency to fines, penalties and sanctions. Over-emphasis on financial accounting and other information to manage the operations may result in the manipulation of outcomes to achieve targets at the expense of not meeting public expectation, quality and efficiency objectives.
· Internal control: Significant or material weaknesses resulting from inadequate financial internal controls impacting management's assessment and reporting under country regulations.
· Investment evaluation: Lack of relevant and/or reliable information supporting investment decisions and linking the financial risks accepted to the capital at risk, may result in poor short- or long-term investments.
· Tax strategy and planning: Failure to properly evaluate and execute tax planning strategies. Misalignment of tax objectives and strategies with overall agency objectives, strategies and initiatives.

Capital structure
· Debt: Potential over reliance on borrowing from creditors to provide adequate working capital for agency objectives and/or to cover current operating obligations resulting in an unfavorable debt to equity ratio.
· Equity: Inability to offer marketable securities appropriately priced for the enterprise's value.
· Pension funds: Inability to identify, establish and maintain the optimal structure for pension funds.

Prepared by : Date :

Reviewed by : Date :

Approved by : Date :

Integrated Results and Risk-Based Audit Manual Form 02-05 Significant Agency Risk Identification Matrix

SIGNIFICANT AGENCY RISK IDENTIFICATION MATRIX

Agency
Audit Period
Involved Offices/Clusters

Ref | Agency Risks | Basis of Selection | Risk Rating (Impact, Likelihood, Overall Rating) | Related Processes, Projects, Activities and Programs (PAPs) | Risk Location | Audit Response | Remarks

Summary:

Significant Agency Risks

Ref | Agency Risks | Risk Rating (Impact, Likelihood, Overall Rating)


Prepared by : Date :

Reviewed by : Date :

Approved by : Date :

Form 02-04 PRC MATRIX

Agency: Prepared:
Date
Year-end: Reviewed:
Date

Significant Process:

This template assists us in our documentation of our understanding of the flow of significant processes.

a. Critical path of the process:


Our documentation of the flow of the process may be in narrative form or graphical form through the use of process mapping flowcharts. The form of documentation depends on the size and
complexity of the process.

b. Identify Risk Scenarios and Relevant Controls

Impact
Process Risks Existing Controls Accounts Affected Risk to PAPs Remarks
(including assertions)

Summary
Summarize the key observations noted in our understanding of the process, risks and controls. Our summary may include deficiencies that we have noted in the design of process-level controls, or red flags in the process that may indicate a source of fraud risks.

KEY OBSERVATION RECOMMENDATION


Form 02-07 AUDIT RISK ASSESSMENT

Agency: Prepared:
Date
Year-end: Reviewed:
Date

In order to develop an audit strategy that is responsive to an entity’s risk of material misstatement, we make a risk assessment for
financial and compliance, performance and fraud audits.

a. Financial and Compliance

For financial and compliance, we make our risk assessment by assessing the inherent risk, preliminary control risk and combining
both assessments to arrive at an overall risk assessment for each relevant assertion for each significant account.

Significant Account | Assertion | Inherent Risk (IR) | IR Comments | Control Risk (CR) | CR Comments | Risk Assessment (IR x CR)

b. Performance

Risk to Good Previous Audit Overall


Programs Materiality Impact Visibility Significance Auditability
Management Coverage Assessment
Form 02-08 AUDIT PLANNING MEMORANDUM

Agency: Prepared:
Date
Audit Period: Reviewed:
Date

The Audit Planning Memorandum (APM) is an action plan for the execution phase of our audit. Development of the APM requires a
high degree of analytical ability and constructive thinking, for it involves the determination of the scope and timing of our audit
execution.

A. AUDIT FOCUS AND APPROACH

a. Financial and Compliance

Significant Accounts | Assertion | Risk Assessment | Audit Approach | Timing | Mandays | Person/s Responsible

b. Performance

Significant PAPs | Audit Focus Area | Audit Aspect (Economy, Efficiency or Effectiveness) | Timing | Mandays | Person/s Responsible

B. SPECIALIZED SKILLS NEEDED

Identify professionals with specialized skills (e.g. FAIO, TSO, SAO) needed for the audit and define the scope of work to be performed.

C. OTHER MATERIAL ACCOUNTS


Identify Other Material Accounts that were not considered in the Financial and Compliance Audit Risk Assessment. Audit procedures for Other
Material Accounts include High-level precision analytics and Tests of Details, if necessary.

Other Material Accounts:


·
·
·

Timing: ________________
Duration: ______________
Person/s Responsible: ______________
Integrated Results and Risk-Based Audit Manual Phase 3A – Execution

DELIVERY:
EXECUTION

[Figure: Integrated Results and Risk-Based Framework. Strategic Planning and Risk Identification; Planning (Agency Audit Planning and Risk Assessment); Delivery (Execution; Conclusion and Reporting); Monitoring (Quality Control System)]

Introduction

The Execution activity covers our procedures in designing and executing our audit
tests, evaluation of results and communicating the same to the agency management.

Our audit tests should be designed to obtain audit evidence regarding the
completeness, accuracy, validity of data, and reasonableness of the estimates and
other information. They should also be designed to identify errors, noncompliance,
inefficiency, ineffectiveness that could be indicative of weaknesses in the agency’s
operations.

Audit results are communicated to the agency management in a timely manner so
that it can take the necessary action to prevent recurrence.

The following are the activities involved in this phase:

3.1 Design Audit Tests
3.2 Execute Audit Tests
3.3 Evaluate Audit Results
3.4 Communicate Audit Results


Procedures

3.1 Design Audit Tests

We design our audit tests through the preparation of Audit Work Programs that
list our detailed audit procedures to obtain sufficient appropriate audit evidence
to enable us to draw reasonable conclusions on which to base our opinion.

Our audit procedures should be designed in accordance with the nature, extent
and timing of audit approach identified in our Audit Planning Memorandum.

The table below describes the nature of audit procedures we may use to obtain
audit evidence in executing audit tests, together with examples on how to apply
such procedures:

Procedures: Application

Inquiry
· Seeking information from knowledgeable persons, both financial and non-financial, throughout the agency or outside the agency. Inquiries can be either written or oral.
· Evaluating responses is an important part of the inquiry process, as it may provide information not previously obtained or will corroborate audit evidence already obtained. Responses to inquiries may provide a basis for us to modify or perform additional audit procedures.
· In certain circumstances, we may consider obtaining written representations from agency management, to confirm responses to oral inquiries.

Observation
· Watching processes or procedures being performed by the agency’s personnel. Observation provides audit evidence about the performance of a process or procedure, but is limited to the particular point in time at which the observation takes place. In addition, the act of being observed may affect how the process or procedure is performed.

Inspection
· Examine records or documents, whether internal or external, in paper or electronic form, or other media. Inspection of records and documents provides audit evidence of varying degrees of reliability, depending on their nature and source and, in the case of internal records and documents, on the effectiveness of the controls over their production.
· Inspection includes physical examination (e.g., inspection of individual fixed assets), which provides audit evidence with respect to their existence, but not necessarily about the agency’s rights and obligations or the valuation of the assets.

Recalculation
· Checking the mathematical accuracy of documents or records. Recalculation may be performed manually or electronically.

Reperformance
· Our independent execution of the relevant control procedures that were originally performed as part of the agency’s internal control, either manually. We reperform the control procedures to obtain audit evidence that the procedures were appropriately performed as designed.

Data Analysis
· In certain situations, we may be able to use data analysis techniques, principally through the use of automated tools, to obtain evidence about the operating effectiveness of control.

Supplemental Audit Guidelines


Refer to the following supplemental audit guidelines for designing of audit tests in
the context of each audit:
Financial and Compliance Audit F3.1
Performance Audit P3.1

3.2 Execute Audit Tests

We execute audit tests throughout the audit period in accordance with the
nature, extent and timing of the audit procedures as designed in the previous
sub-activity.

Audit Evidence Considerations


The quality of audit evidence is affected by the relevance and reliability of the
information upon which it is based. Relevance deals with the logical connection
with, or bearing upon, the purpose of the audit procedure or the assertion being
tested.

The reliability of information to be used as audit evidence is influenced by its
source and nature and the circumstance under which the evidence is obtained.
The following factors influence the reliability of audit evidence:
· The reliability of audit evidence is increased when it is obtained from
independent sources outside the agency
· The reliability of audit evidence that is generated internally is increased when
the related controls imposed by the agency are effective
· Audit evidence obtained directly is more reliable than audit evidence obtained
indirectly or by inference
· Audit evidence in documentary form, whether paper, electronic, or other
medium, is more reliable than evidence obtained orally
· Audit evidence provided by original documents is more reliable than audit
evidence provided by photocopies or fax, or documents that have been
filmed, digitized or otherwise transformed into electronic form, the reliability of
which may depend on the controls over their preparation and maintenance


Accounting Estimates
If our planned procedures include testing how management determined the
accounting estimate, we evaluate whether:
· The method of measurement used is appropriate in the circumstances, (e.g.,
in relation to the agency’s operations, sector and environment), including
agency management’s rationale for selecting the method.
· The assumptions used by agency management are reasonable in light of the
measurement requirements of the applicable financial reporting framework,
including the consistency of the assumptions with our understanding of
management’s intent and ability to carry out certain courses of action.

Our evaluation of the assumptions used by agency management is based only
on information available to us at the time of the audit. In evaluating the
reasonableness of the assumptions used by agency management we may
consider whether:
· Individual assumptions appear reasonable
· The assumptions are interdependent and internally consistent
· The assumptions appear reasonable when considered collectively or in
conjunction with other assumptions, either for that accounting estimate or for
other accounting estimates
· In the case of fair value accounting estimates, whether the assumptions
appropriately reflect observable marketplace assumptions

Audit Sampling
a. Key items
We select key items for testing based on our planned qualitative criteria and
testing threshold. If no key items are selected for testing, we consider lowering
our testing threshold or selecting a small representative sample so that we obtain
some substantive audit evidence.

b. Representative sample
If our tests of details include a representative sample, we select our sample
(either statistically or non-statistically/judgmentally) from the remainder of the
population (excluding key items).

We consider stratifying the population to focus our testing on sub-populations
with higher risk characteristics, such as:
· Stratifying inventory items by monetary value as items with a higher value
have a higher risk of material misstatement
· Stratifying accounts receivable balances by age as older balances have a
higher risk of material misstatement
· Stratifying property, plant and equipment as additions have a higher risk of
material misstatement
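
The key-item selection and stratified representative sample described above, as an added Python illustration that is not part of the manual. The inventory listing, testing threshold, stratum boundaries and per-stratum sample sizes are constructed assumptions, and all function names are hypothetical.

```python
import random

# Constructed inventory listing (item id, recorded amount); not data from the manual.
POPULATION = [
    ("INV-001", 950_000), ("INV-002", 420_000), ("INV-003", 88_000),
    ("INV-004", 76_000), ("INV-005", 51_000), ("INV-006", 33_000),
    ("INV-007", 29_000), ("INV-008", 12_000), ("INV-009", 9_500),
    ("INV-010", 4_200), ("INV-011", 2_100), ("INV-012", 800),
]


def select_key_items(population, testing_threshold, flagged_ids=frozenset()):
    """Key items: amounts at or above the testing threshold, plus any items
    flagged on qualitative criteria. Returns (key_items, remainder)."""
    key_items = [it for it in population
                 if it[1] >= testing_threshold or it[0] in flagged_ids]
    key_ids = {it[0] for it in key_items}
    remainder = [it for it in population if it[0] not in key_ids]
    return key_items, remainder


def stratify_by_value(items, boundaries):
    """Place each item in a stratum by monetary value. Stratum 0 holds the
    lowest values; the highest stratum is open-ended."""
    strata = {i: [] for i in range(len(boundaries) + 1)}
    for it in items:
        idx = sum(1 for b in sorted(boundaries) if it[1] >= b)
        strata[idx].append(it)
    return strata


def representative_sample(strata, sizes, seed):
    """Draw a random sample from each stratum; sizes maps stratum -> count.
    A fixed seed keeps the selection reproducible for the working papers."""
    rng = random.Random(seed)
    sample = []
    for idx in sorted(strata):
        n = min(sizes.get(idx, 0), len(strata[idx]))
        sample.extend(rng.sample(strata[idx], n))
    return sample


def build_selection(population, testing_threshold, boundaries, sizes,
                    seed=1, flagged_ids=frozenset()):
    """Key items first, then a stratified sample from the remainder only."""
    key_items, remainder = select_key_items(population, testing_threshold,
                                            flagged_ids)
    strata = stratify_by_value(remainder, boundaries)
    sample = representative_sample(strata, sizes, seed)
    total = sum(amount for _, amount in population)
    return {
        "key_items": key_items,
        # True signals the case where the threshold should be reconsidered;
        # the representative sample below still provides some evidence.
        "no_key_items": not key_items,
        "strata": strata,
        "sample": sample,
        "key_coverage": sum(amount for _, amount in key_items) / total,
    }


if __name__ == "__main__":
    # Assumed parameters: threshold 400,000; strata split at 10,000 and
    # 50,000; more items drawn from the higher-value (higher-risk) strata.
    result = build_selection(POPULATION, 400_000, [10_000, 50_000],
                             {0: 1, 1: 2, 2: 3})
    print("Key items:", [i for i, _ in result["key_items"]])
    print("Sample:", [i for i, _ in result["sample"]])
    print("Key item coverage: {:.1%}".format(result["key_coverage"]))
```
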

External Confirmation Procedures


c. Evaluation of Confirmation Responses

Confirmation exceptions may be given to the agency for investigation after we
establish control by making a copy or other record of the confirmation reply. If
agency personnel are used to investigate exceptions, we inspect, at least on a
test basis, evidence explaining and reconciling the exceptions.

We determine whether significant and/or frequently recurring exceptions may be
indicative of a pattern of errors in the unconfirmed accounts.

We also exercise professional skepticism when dealing with unusual or unexpected
responses to confirmation requests (e.g., a significant change in the number or
timeliness of responses to confirmation requests relative to prior audits), or a non-
response when a response would be expected. These circumstances may indicate
previously unidentified risks of material misstatement due to fraud.

In such cases, we reconsider the judgments we made in planning our audit approach
and our CRA, and the effect on our planned procedures.

a. Alternative Procedures

When we do not receive replies to positive confirmation requests, we apply
alternative procedures to the non-responses to obtain the evidence necessary to
reduce audit risk to an acceptably low level. The nature of alternative procedures to
be performed varies according to the account and assertion.

We apply our alternative procedures to each item that makes up the entire balance
for which we have not received confirmations.

Substantive Analytical Procedures


We execute our substantive analytical procedures and compare the recorded amount,
trend or ratio with our expectation. When the difference between the recorded amount,
trend or ratio and our expectation is less than our variance threshold, no further
investigation is required.

If we identify differences that exceed our variance threshold or fluctuations or
relationships that are inconsistent with other relevant information, we investigate them
by:
· Inquiring of management to provide an explanation
· Obtaining audit evidence to support agency management’s responses

3.3 Evaluate Audit Results

When we execute our substantive procedures, we may identify misstatements. The
identification and accumulation of misstatements is one of our most important audit
responsibilities and is critical in enabling us to formulate our audit opinion.

A misstatement may also result from fraud, such as:

· Manipulation, falsification or alteration of accounting records or supporting
documentation from which the financial statements are prepared
· Misrepresentation in, or intentional omission from, the financial statements of
events, transactions or other significant information
· Intentional misapplication of accounting principles relating to amounts, classification,
manner of presentation or disclosure
· Misappropriation of assets that has not been detected and recorded

If we identify an intentional misstatement in the financial statements, we determine if
this is an incident of suspected fraud or represents non-compliance with applicable laws
and regulations.

We report the matter to the Supervising Auditor of the engagement and communicate it
to the appropriate level of agency management. In this case, the appropriate level of
agency management is at least one level above the person(s) who appears to be
involved with the misstatement.

3.4 Communicate Audit Results

We conclude on the results of our audit procedures and assess whether we have
obtained sufficient appropriate audit evidence for each significant account, disclosure
and assertion.

We document a conclusion statement for each significant account and disclosure that
addresses the execution of the designed procedures, the adequacy of those
procedures, and, when identified, significant findings.

For significant findings and issues, our conclusions include a summary of the
procedures performed, the results of our procedures, including significant professional
judgments and consultations made, and any misstatements identified.

Communication of Audit Findings


Agency Management does not like surprises, and they are generally more willing to
correct identified audit findings when they are notified early. Early notification gives the
agency time to investigate the cause of the misstatement, evaluate it and perform
additional work, if necessary, to quantify it.

We discuss each audit finding with the appropriate level of agency management to
confirm that our understanding of the nature and cause of the audit finding is factually
correct. We also discuss what actions the agency can take to prevent its recurrence.

The appropriate level of agency management is the one that has responsibility and
authority to evaluate the audit finding and take the necessary action to prevent its
recurrence. Generally, this depends on the agency’s organization structure and the
nature and significance of the audit finding.


If the agency disagrees that there is an audit finding, or disputes the amount
involved, we ask it to support its position by providing additional audit evidence. We
exercise professional skepticism when auditing the additional evidence to verify whether
it supports the agency’s position.

If, in our opinion, the evidence provided by the agency does not support the agency’s
position, we determine the effect on our audit opinion, which may include consulting
with the Supervising Auditor or Cluster Director.

Documentation
We document our audit findings through Form 03-02 Audit Observation Memorandum
(AOM). The AOM shall be issued to communicate to the agency management the
issues that are identified during the course of audit. AOM can be issued at any point in
or stage of the audit process.


Standards

ISSAI 1230, Audit Documentation

ISSAI 1330, The Auditor’s Responses to Assessed Risks

ISSAI 1450, Evaluation of Misstatement Identified during the Audit

ISSAI 1500, Audit Evidence

ISSAI 1505, External Confirmations

ISSAI 1520, Analytical Procedures

ISSAI 1530, Audit Sampling

ISSAI 1540, Auditing Accounting Estimates, Including Fair Value Accounting
Estimates, and Related Disclosures

Documentation

Form 03-01 Audit Work Program

Form 03-02 Audit Observation Memorandum

Form 03-01: Audit Work Program

AUDIT WORK PROGRAM


Agency:                     Prepared:            Date:
Audit Period:               Reviewed:            Date:

Significant Account: Cash

Audit Objectives            Audit Assertions
                            E/O   C   R&O   V   P&D   Comp
· 3
· 3
· 3
· 3
· 3
· 3

Audit Procedures to Consider

Audit Procedures   Assertions Addressed   W/P Ref.   Assigned to   Mandays   Prepared by   Reviewed by

1.

2.

3.

4.
Integrated Results and Risk-Based Audit Manual Phase 3A – Execution
Supplemental Guidelines – Design Audit Tests: Financial and Compliance

DESIGN AUDIT TESTS – FINANCIAL AND COMPLIANCE

This supplement provides additional considerations in the design of audit tests for our
Financial and Compliance Audit. We use this supplement in conjunction with the Design
Audit Tests sub-activity in Execution.

Procedures

F3.1 Design Audit Tests

F3.1.1 Design Tests of Controls

a. Determine the appropriate controls to select and test

We use our professional judgment in determining the appropriate controls to
select and test, recognizing that it may be more effective and efficient to
select and test controls that address multiple risk scenarios and assertions.

If a risk scenario is addressed by more than one control, we are not required
to select and test every control.

We also consider selecting controls tested by internal audit and others that
we are able to rely on, as this may be an effective and efficient approach to
obtain sufficient appropriate audit evidence about the operating effectiveness
of those controls.

b. Confirm that controls to test are relevant to the audit

We identify and document controls that are relevant to the audit when we
understand the flow of significant processes. However, to avoid selecting
inappropriate controls to test, we confirm that the controls selected to test
are relevant to the audit, considering the following:

· The nature of the control. The control appropriately addresses the risk
scenario(s) for the relevant assertion(s) to prevent or detect and correct
misstatements.
· The relevance and reliability of evidence we expect to be available to
support the operating effectiveness of the control.
· The objectivity and competency of the person performing the control.
· The control is applied to a complete and reliable set of data.

Documentation
We document our designed tests of controls using Form 03-01 Audit Work
Program


Subsequent Audits
In subsequent years, we use our understanding of the operating effectiveness of
controls tested in prior periods to determine whether to select the same controls
to test, considering:

· The results or findings of procedures performed and conclusions reached
from prior periods. We determine if these controls are still relevant for the
purpose of our audit.

· Changes that have occurred in significant processes since the prior period
that may affect the relevance of the controls to respond to existing or
additional risk scenarios identified. We determine the effects of these
changes over the controls that we plan to rely on and evaluate if the controls
are still effective to address the risk scenarios for the relevant assertions.

F3.1.2 Design Tests of Details

a. Customize tests of details for significant accounts in accordance with our
audit strategy outlined in the Audit Planning Memorandum

b. Plan the timing of tests of details

The timing of our tests of details is primarily driven by our Risk Assessment
conducted in Phase 2. We may design our tests of details to be performed
at an interim date(s). These interim tests of details provide benefits such as:
· Enabling earlier identification of significant findings and issues
· Allowing more time to address and resolve significant findings and issues
· Reducing work performed during year end
· Helping to manage tight reporting deadlines

Timing of Tests of Details


We may design the timing of our interim tests of details as follows:
· Earlier in the reporting period (e.g., up to six months before the balance
sheet date) if the Risk Assessment is minimal
· During the later portion of the reporting period (e.g., up to three months
before the balance sheet date) if the Risk Assessment is low
· At or near the period end (e.g., up to one month before the balance sheet
date) if the Risk Assessment is moderate or high

When Interim Tests may not be effective


Interim tests of details may not be effective or efficient in the following
circumstances:
· Significant changes are expected to the agency because more extensive
rollforward procedures will be needed as a result of the changes
· The agency does not prepare or analyze financial statements at the
interim date, as this affects our ability to perform interim audit procedures

· The agency’s accounting system does not provide details of transactions
for the period between the interim and balance sheet dates, as this
affects our ability to perform rollforward procedures
· There are significant risks that affect the significant account, disclosure
or relevant assertion which may require more extensive rollforward
procedures

Rollforward Considerations
When we design interim procedures, we also design rollforward procedures
to obtain sufficient audit evidence that provides a reasonable basis for
extending our audit conclusions at the date of our interim procedures to the
year end.

The extent of rollforward procedures shall be customized depending on the
rollforward period and risk assessment as follows:

Rollforward period: Less than 1 month

· Risk Assessment Minimal: Update lead schedule and extend substantive
analytical procedures to the balance sheet date.
· Risk Assessment Low: Update lead schedule and extend substantive analytical
procedures to the balance sheet date. Design additional procedures during the
rollforward period to address higher inherent risks.
· Risk Assessment Moderate: Update lead schedule and extend substantive
analytical procedures to the balance sheet date. Analyze and understand
movements during rollforward period, which may include preparing or obtaining
a detailed rollforward schedule. Test a sample of transactions in the
rollforward period.
· Risk Assessment High: Update lead schedule and extend substantive analytical
procedures to the balance sheet date. Analyze and understand movements during
rollforward period, which may include preparing or obtaining a detailed
rollforward. Test a sample of transactions in the rollforward period. Design
additional procedures during the rollforward period to address higher inherent
risks.

Rollforward period: 1 to 3 months

· Risk Assessment Minimal: Same as above (less than 1 month).
· Risk Assessment Low: Same as above (less than 1 month). Consider testing a
sample of transactions made during the rollforward period.
· Risk Assessment Moderate: N/A
· Risk Assessment High: N/A

Rollforward period: 3 to 6 months

· Risk Assessment Minimal: Same as above
· Risk Assessment Low: N/A
· Risk Assessment Moderate: N/A
· Risk Assessment High: N/A


c. Design procedures for Other Material accounts

Our procedures for Other Material accounts are limited to substantive
analytical procedures and limited tests of details, when appropriate, that are
designed to confirm the basis of assessing the account as not significant.

F3.2 Execute Audit Tests

Execute Tests of Controls and Tests of Details

Refer to the attached Diagram for the Execution of TOC and TOD.


FINANCIAL AUDIT EXECUTION

[Diagram for the Execution of Financial Audit. Flowchart elements as labelled:
Risk Assessment (Minimal, Low, Moderate, High); Design Tests of Controls (Audit
Work Program); Execute Tests of Controls; Control Exceptions noted? (Yes/No);
Determine and Evaluate Audit Response; Conclude on operating effectiveness;
Rely on Controls or Not Rely on Controls; Reassess; Design Tests of Details:
Less extensive tests of details (Audit Work Program) or More extensive Tests of
Details (Audit Work Program); Execute Tests of Details.]

Integrated Results and Risk-Based Audit Manual Phase 3A – Execution
Supplemental Guidelines – Design Audit Tests: Performance

DESIGN AUDIT TESTS – PERFORMANCE

This supplement provides additional considerations in the design of audit tests for
Performance Audit.

Procedures

P3.1. Design Audit Tests

P3.1.1. Define Audit Objectives

The audit objectives should articulate what the audit is to accomplish. This
means phrasing the objectives to identify the audit subject and the performance
aspect to be included. Because it is rare for one audit to cover all aspects of
value for money, it is important to know, in planning, what aspect or aspects are
going to be included. This is critical in establishing the audit boundaries or scope,
criteria and approach.

P3.1.2. Develop Audit Criteria

Types of Performance Audit Criteria


There are two types of criteria in Performance Audit: the general criteria and the
specific criteria.

General Criteria
General Criteria are broad statements of acceptable and reasonable
performance. They are often derived from common sense or general rationality.
For example, the procedures in an organization may be too cumbersome to be
effective. Even a general review of its procedures may suggest potential areas
for simplification. Thus the auditors would need to acquaint themselves with
generally accepted management practices of different areas. These practices
can be adopted as general audit criteria for an audit assignment.

Specific Criteria
Specific criteria are more closely related to the agency’s legislation, objectives,
programs, controls and systems. Specific criteria are mostly derived from the
objectives laid down for a particular project or program and their related
standards and practices. For example, a malaria eradication program may have laid
down a target for eradication of the disease over a certain period, or a mass literacy
program may have laid down a target literacy ratio over the plan period. These
program objectives can be adopted as specific criteria for the project or program.

But auditors face difficulties in this area as well. In most cases, the objectives
are not given in a specific quantified form which is always a challenge to the
auditors.


Specific criteria are closely related to the particular operations in specific areas.
Auditors need to know the details of those operations. For example, when
auditing an energy project the specific audit criteria could include standards for
such activities as fuel inputs for electricity generation, range of cost per unit for
power generation, close-down time for routine maintenance of the power house,
ratio of average maintenance cost to total capital cost of the plant, expected
output of energy, etc. Until auditors familiarize themselves with the operations,
they cannot establish a reasonable specific audit criterion. In highly specialized
or technical areas VFM/PA auditors may require the assistance of technical
experts. In fact, one of the auditing standards prescribes that the auditors should
collectively possess the qualification and competence to audit an organization or
a project. For technical projects, this competence can be achieved through a
team of auditors which consists of professional auditors and technical experts.

Sources of Audit Criteria

In order to avoid always creating audit criteria from the basic principles for each
audit, auditors should investigate existing sources of criteria. Audit criteria can
be derived from a number of sources. However, the judgment of the auditor
plays an important role in identifying relevant and reliable sources. The following
can often be used as sources of criteria:

· Basic planning documents such as feasibility study and approved plan
· Financial reports of the agency
· Expenditure reports
· Budget documents
· Project reports
· Criteria published by other audit agencies
· Similar audit agencies
· Standards set by International bodies
· Government policies and directions
· Laws, rules, regulations
· Literature on the subject matter
· Pronouncements by professional bodies and standard bodies
· Past performance
· Performance standards set by management
· Interviews with professionals

Auditors should seek guidance from all such sources and then formulate realistic
audit criteria. While doing so, they must appreciate the local conditions. For
example, it would be unfair to apply quality of drinking water standards issued by
the World Health Organization in a developing country where simple availability
of potable water is a problem. When adopting generally accepted management
practices of developed countries, suitable adjustments should be made in
consultation with experienced people.


P3.1.3. Develop Audit Work Program

Audit programs are guidelines for actions during the execution phase of the
audit. Audit programs set out the detailed audit procedures for cost effective
collection of evidence.

Purpose of Audit Program


Developing a program for carrying out audits is a key link between the
development of audit objectives and the conduct of an audit leading to a
defensible report. In this respect, audit programs serve as:
· A guide for gathering competent, relevant, sufficient evidence during the
execution phase of audit in a cost-effective way;
· A framework for assigning work amongst the members of the audit team;
· A means of transferring knowledge to junior staff; and
· A basis for documenting the work done and the exercise of due care.

Developing an Audit Program


The audit objective and criteria will normally be tested by an audit program of
audit procedures/ techniques which include:
· Physical observation (which may include photography and video)
· Interview
· Questionnaire
· Documents review
· Data analysis

In developing an audit program, it is important that the procedures:


· Relate to the audit objectives and criteria which will enable the collection
of relevant evidence on issues which will maximize the impact of the
audit;
· Are clearly stated and include sufficient details to enable them to be
readily understood by those carrying out the audit;
· Are organized in a logical manner so that the audit examination can be
conducted as efficiently as possible;
· Form an efficient method of gathering sufficient evidence without
superfluous testing; and
· Take account of any earlier related audit work/ published research on the
topic.

Performance Audit Work Programs will need to be customized for each audit.
Furthermore, factors to be considered when developing the programs include:
· Size – audit programs generally increase in size and complexity (more
detailed procedures, questionnaires and checklists) with increases in the
size of the audit;

· Geographic dispersion – the dispersion and location of sites to be visited
will affect the audit program. Detailed procedures may be required to
ensure consistency when different personnel are carrying out the same
audit at different locations;
· Audit environment – management’s receptiveness to being audited,
whether it is the first audit of the area, and the sensitivity of the area in
the organization will affect the way in which procedures are developed
and applied;
· Components of the system to be audited, e.g. its inputs, processing,
activities and outputs; and
· Whether broad issues only have been identified, or specific criteria are
available.

P3.2. Execute Audit Tests

Refer to the attached Diagram for the Execution of Performance Audit.


PERFORMANCE AUDIT EXECUTION

[Diagram for the Execution of Performance Audit. Flowchart elements as labelled:
Define Audit Objectives; Develop Audit Criteria; Develop Audit Program; Gather
Audit Evidence; Analyze Audit Evidence: Audit Evidence (What is) and Audit
Criteria (What should be); Determine root cause for Significant Variance;
Recommend Improvements.]

Integrated Results and Risk-Based Audit Manual Phase 3B –Conclusion and Reporting

DELIVERY:
CONCLUSION AND REPORTING

[Diagram: Integrated Results and Risk-Based Audit Framework. Elements as
labelled: Strategic Planning and Risk Identification; Planning (Agency Audit
Planning and Risk Assessment); Delivery (Execution; Conclusion and Reporting);
Monitoring (Quality Control System).]

Introduction

The Delivery phase is divided into two parts: Execution, and Conclusion and Reporting.
Conclusion and Reporting is the last step of the audit, wherein the results of the audits
conducted are communicated to the agency and oversight bodies. This section provides
guidelines in preparing audit conclusions and audit reports.

In this section, other types of audits [e.g., Fraud Audit and Government-wide and Sectoral
Performance Audit (GWSPA)] conducted are considered in the preparation of reports on
financial, compliance, and value-for-money (VFM) audits.

This part covers: summarizing audit results; preparing audit report; performing final overall
audit review; wrapping-up and archiving the engagement; and following-up agency action
plans.


The following are the activities involved in this phase:

1.1 Summarize Audit Results
    1.1.1 Prepare summary of audit results and recommendations
    1.1.2 Discuss results of other types of audit conducted
1.2 Prepare Audit Report
    1.2.1 Prepare Annual Audit Report (AAR)
1.3 Perform Overall Audit Review
    1.3.1 Perform overall review and approval
    1.3.2 Issue report
1.4 Wrap-up and Archive the Engagement
1.5 Follow-up Agency Action Plan

Procedures

1.1 Summarize Audit Results

Accumulated results of financial, compliance, and VFM audits are summarized at
the end of the audit.

Significant findings, issues and observations, including misstatements, are
summarized and discussed with the agency. A conclusion for each misstatement,
finding, issue, and observation is documented. This serves as the basis for
formulating the audit opinion in the audit report.

Results of Fraud audit and GWSPA conducted by other audit teams are also
considered in this section.

1.1.1 Prepare summary of audit results and recommendations


The identification and accumulation of misstatements are performed in the
Execution phase of the audit. It is one of the most important audit responsibilities
and is critical in enabling the auditors to formulate the audit opinion.

After the audit exit conference with the agency, the auditor shall prepare the audit
summary and conclusion. It is documented in the Summary of Audit Results and
Recommendations (SARR) containing the following:

A. Matrix of Audit Findings and Recommendations
o AOM number and date
o Observation
o Recommendation
o Management comment
o Rejoinder

B. Results/status of other audits (e.g., fraud audit and GWSPA)
o Significant findings and issues (e.g., disclosures, issues on internal
controls, compliance to laws, rules and regulations, etc.)
o Reference
o Status of audit
o Conclusion
o Remarks

C. Conclusion – the overall conclusion of the audit, after considering the effects of
identified misstatements, other findings, issues, and observations.

Documentation
Form 04-01: SARR. This template provides the audit team with a summary of the
audit results and conclusion, and a description of the important matters and
significant findings and issues arising during the execution of the audit.

1.1.2 Discuss results of different types of audit conducted


The agency may have been subjected not only to comprehensive audit but also to
other types of audit like fraud audit and GWSPA. In this case, the audit team,
together with the Cluster Director (CD), shall discuss with the counterpart audit
team the results or status of the audit, if ongoing, for disclosure or inclusion in the
AAR.

The findings, observations, and issues that may have significant impact on the
financial statements shall be considered before finalizing the conclusion of the
audit. This shall be documented in SARR and disclosed as Other Matters of the
Audit Certificate in the AAR.

Minutes of discussions with the counterpart audit team [e.g., Fraud Audit and
Investigation Office (FAIO) and/or Special Audits Office (SAO)] shall form part of
the working papers.

Forensic/Fraud Audit
It is the responsibility of FAIO to initiate, monitor, assess performance, and
continuously improve the conduct of fraud audits. Also, it is their responsibility to
prepare fraud audit reports.


The guidelines in the performance and reporting of fraud audit conducted by FAIO
are documented in the Fraud Audit Manual.

GWSPA
SAO conducts the government-wide performance audit and sectoral performance
audit. SAO, when necessary, coordinates with the audit sectors for more concerted
efforts in the conduct of performance audits in the agencies implementing
government programs and/or projects.

The guidelines in the performance and reporting of GWSPA are documented in the
GWSPA Manual.

1.2 Prepare Audit Report

At the end of the audit, a written auditors’ report to the entity, containing an opinion on
the agency’s financial statements, is prepared.

In addition, regardless of the agency’s governance structure or size, the auditor:

o communicates with management the observations arising from the audit, to
clarify facts and issues and to give management the opportunity to provide
further information

o communicates with those charged with governance the observations
arising from the audit that are significant and relevant to their responsibility
to oversee the financial reporting process

This is achieved by communicating to those charged with governance and
management the significant and relevant observations identified within the audit,
through the issuance of Audit Observation Memorandum (AOM).

The timing of communications is dependent on the communication protocols
agreed with management and those charged with governance at the start of the
audit. These protocols are used to communicate significant and relevant
observations on a timely basis.

As the audit progresses, the status of the significant and relevant observations
communicated may change and new significant and relevant observations may
arise as audit procedures are performed and facts and circumstances change.
Updated or additional communications to management and those charged with
governance of new information are provided on a timely basis.


Financial and Compliance Audits


COA Memorandum No. 2002-047 dated August 13, 2002, provides the guidelines
on the preparation, submission and transmittal of the AAR.

VFM Audit
The conduct of VFM audit may take more than a year and the report may not be
released at the same time as financial and compliance audits. However, the
concerned auditor shall mention in his AAR the fact that a VFM audit has been
undertaken during the year and include in the AAR the gist of significant findings,
observations and recommendations of the audit under the Observations and
Recommendations section.

Fraud Audit
Fraud audit conducted by the Audit sectors shall be mentioned in the AAR. The
summary of the results or the status of the audit, if the audit is still ongoing, and its
impact or possible impact to the financial statements shall be disclosed as Other
Matters in the Audit Certificate of the AAR.

The guidelines in the performance and reporting of fraud audit conducted by the
Audit sectors are documented in the Fraud Audit Manual.

1.2.1 Prepare Annual Audit Report


In reporting the results of comprehensive audit, the auditors prepare the following
audit reports:

a) Annual Audit Report (AAR) for the year-end financial audit of agencies with
complete books of accounts and listed in the General Appropriations Act; and

b) Management Letter (ML) for the year–end financial audit of the regional
offices and operating units with and without complete books of accounts. The
ML shall also be issued at the conclusion of an interim audit, if warranted. The
format of the ML is presented in Form 04-02: Management Letter Template.

Contents of the AAR

The AAR shall contain the following:


a) Executive Summary
b) Audit Certificate
c) Financial Statements
o Balance Sheet
o Statement of Income and Expenses
o Statement of Cash Flows
o Notes to the Financial Statements
d) Observations and Recommendations

e) Status of Implementation of Prior Year’s Audit Recommendations

Executive Summary
The Executive Summary presents in brief the contents of the AAR. It includes the
financial highlights of the agency, a statement on the scope of audit and the
auditor’s opinion on the financial statements and the synopsis of the significant
observations, recommendations and the implementation of prior year’s
recommendations.

Audit Certificate
The Audit Certificate contains the overall conclusion of the auditor on the financial
statements. Its basic elements are:

a) Addressee – The Audit Certificate shall be addressed to the board of directors
or to the head of office, department, agency or local government unit.

b) Introductory Paragraph – This shall include statements on:


o the name of the agency and its financial statements that have been
audited, including the date of and period covered by the financial
statements

o the financial statements and the notes thereon are the responsibility
and representation of the agency’s management and that the auditor’s
responsibility is to express an opinion on the financial statements
based on the audit.

c) Scope Paragraph – This paragraph contains statements on the basis and
scope of the audit conducted, as follows:

o That the audit was conducted in accordance with the generally
accepted auditing standards and the laws, rules and regulations, as
applicable.

o That the audit was planned and performed to obtain reasonable
assurance about whether the financial statements are free of material
misstatements.

o That the audit performed includes: (1) examining, on a test basis,
evidence to support the financial statement amounts and
disclosures; (2) assessing the accounting principles used and the
significant estimates made by management in the preparation of the
FS; and (3) evaluating the overall financial statements presentation.

o That the auditor believes his audit provides a reasonable basis for the
opinion.


d) Opinion Paragraph – This paragraph contains the auditor’s opinion on the fair
presentation of the financial statements and their compliance with other
requirements of relevant laws or statutes. The types of opinion that the auditor
may express are discussed under sub-caption “Types of Audit Opinion”.

e) Other Matters – This paragraph contains other relevant matters that have or
may have impact on the auditor’s opinion. It may include the following:

o Other types of audit (e.g., fraud audit and GWSPA) conducted that
have or may have significant impact on the financial statements or on
the conclusions of the audit.

o Significant findings, observations, and recommendations identified in
the conduct of fraud audit performed by the Audit sectors and FAIO or
its status, if ongoing.

o The status and/or significant findings, observations, and
recommendations identified in GWSPA performed by SAO.

f) Date of Report – The date of the Audit Certificate shall be as of completion
date of the audit fieldwork. The date is generally considered as the end of the
auditor’s responsibility for subsequent events that may affect the financial
statements and which may require adjustments or disclosures. Also, it should
not be earlier than the date on which the financial statements are signed or
approved by management.

g) Auditor’s Signature – The report shall be signed pursuant to COA
Memorandum No. 2010-015.

Financial Statements
The financial statements to be submitted to the auditor should have a covering
“Statement of Management Responsibility for Financial Statements” to be signed
by the official who has direct supervision and control over the agency’s accounting
and financial transactions and the Head of Agency or his authorized
representative. It shall include the following statements:

o Balance Sheet – This shows the financial position/condition of the
agency as of a certain date. It provides information on the agency’s
resources, obligations and the government equity in the agency.

o Income and Expenses – This shows the results of operation of the
agency at the end of a particular period. It explains the changes in
the agency’s equity resulting from operations and economic activities
during the period.

o Cash Flows – This summarizes all the cash activities of the agency
classified into operating, investing and financing activities. It informs
about the inflows and outflows of cash in the agency during the year.

o Notes to financial statements – This is an integral part of the financial
statements to provide additional information or disclosure necessary
for their fair presentation in conformity with the generally accepted
accounting principles.

The audited financial statements shall be attached to the audit certificate in the
AAR.

Observations and Recommendations


This portion presents the discussion of the observations noted by the auditor and
his recommendations. The agency’s explanation or reply to the observations shall
also be presented as well as the auditor’s rejoinder, as necessary or appropriate.

The gist of the significant findings, observations, and recommendations in the VFM
audit conducted shall also be included in this section, indicating that a separate
report on the VFM audit is available in more detail.

Status of Implementation of Prior Year’s Audit Recommendations


This portion presents a summary of the actions taken by management to
implement the previous year’s audit recommendations and the results of the
auditor’s validation of the same.

Specific Guidelines
COA Memorandum No. 2010-015 provides permanent and uniform guidelines in
the preparation and submission of the audit reports for CY 2009 and onwards for
National Government Sector (NGS) and Local Government Sector (LGS), as
follows:

1. The Regional Directors (RDs) shall ensure that: (a) all the elements of an audit
observation are present to facilitate consolidation and prevent guesswork on the
part of the consolidator; (b) the status of implementation of prior year’s
recommendations is updated and validated; and (c) the financial statements and
the notes submitted for regional consolidation are in order;

2. The signatories to the audit reports shall be as follows:

Local Government Units (LGUs)/ National Government Agencies (NGAs) | Type of Report/ Document | Signatory/ Transmittal of Report
Provinces and Cities | AAR | SA/RD
Municipalities and Barangays | AAR | ATL/SA
Municipalities and Cities in Metro Manila | AAR | SA/CD
Barangays in Metro Manila | AAR | ATL/SA
NGAs with complete set of books (including specialized agencies, Foreign-Assisted Projects, and Official Development Assistance) and with consolidation | AAR/CAAR | SA/CD or RD
 | Audit Certificate | SA/CD
NGAs with incomplete set of books | MLs | SA
NGAs with incomplete set of books and with regional consolidation | Regional MLs | RD
NGAs with field offices with no accounting books and accounts are centrally recorded in the Head Office (HO)/ Regional Office (RO) | Simplified ML | ATL
 | Matrix of Observations and Recommendations with Management’s Comments and Auditor's Rejoinder | Concerned ATL to submit to the HO/RO ATL

3. The RDs shall state categorically in the transmittal of the audit report to the CDs
whether a particular account/specific sub-account covered by the latter’s audit
guide was audited or not, with or without significant findings;

4. The RDs shall ensure the timely submission of the transmitted MLs to the CDs;

5. The SAs and ATLs in the central and regional offices, respectively, may
communicate directly with each other on matters pertaining to consolidation of
reports.

For Corporate Government Sector, COA Memorandum No. 2010-020 states that
pending approval of the guidelines on the preparation, consolidation, and
transmittal of AARs and Annual Operations Audit Reports for the audit sectors, the
signing and transmittal of the AARs, CAARs, and MLs for CY 2009 shall be in
conformity with that of the NGS, pursuant to COA Memorandum No. 2010-015
dated May 18, 2010.


Types of Audit Opinion


The audit opinion is the heart of the financial audit report. It features the Auditor’s
overall conclusion as to the reliability of the audited financial statements. Without
the opinion, the report would be meaningless and the users of the statements
would have no way of knowing the extent of reliance they should place on these
statements.

Depending on the circumstances of each audit, the Auditor shall express any of the
following opinions on the financial statements:

1) Unqualified Opinion
2) Qualified Opinion
3) Adverse Opinion
4) Disclaimer / Denial of Opinion

These are explained as follows:


1) Unqualified Opinion
An unqualified opinion states that the financial statements present fairly, in all
material respects, the financial position, results of operations, and (when
applicable) cash flows of the agency in accordance with applicable laws, rules
and regulations and in conformity with generally accepted state accounting
principles.

However, certain circumstances, while not affecting the auditor’s unqualified
opinion on the financial statements, may require that the auditor add an
explanatory paragraph to his report. These circumstances include:

o Opinion based in part on report of another auditor;
o Existence of unusual uncertainties;
o Emphasis of a matter included in the financial statements; and
o Inconsistency in the application of accounting principles/methods of
their application.

2) Qualified Opinion
A qualified opinion is rendered when the auditor has objection to certain
matters which are material in relation to the financial statements being
reported on, but not sufficiently material to warrant an adverse or denial of
opinion depending on the nature and materiality of the qualification(s). This
type of opinion is expressed through the use of the phrase “except for” or “with
the exception on” in the opinion paragraph.

o lack of sufficient competent evidential matter
o scope limitations
o departure from generally accepted auditing principles (GAAP)
o inadequate disclosure

3) Adverse Opinion
An adverse opinion is rendered when the effect of certain matters, to which the
auditor does not concur, is highly material to make the financial statements
misleading. In this type of opinion, the auditor uses the phrase “do not present
fairly.”

4) Disclaimer/Denial of Opinion
The auditor disclaims/denies an opinion when an audit scope limitation or a
pervasive probability of a material loss has a highly material effect on the
financial statements. Under these circumstances, the auditor states that he is
unable to express, and he does not express, an opinion on the financial
statements.

The issuance of split or piecemeal opinion has long been discontinued and is
no longer acceptable for purposes of COA audit reports.

Hereunder is a summary of the conditions which would warrant the expression
of each type of opinion:

Type of Audit Opinion | Conditions | Effect on the Financial Statements
1. Unqualified - without explanatory paragraph | none | none
1. Unqualified - with explanatory paragraph | inconsistent application of accounting principles to which the auditor: a. concurs with the change | none
 | inconsistent application of accounting principles to which the auditor: b. objects to the change because the newly-adopted principle does not meet conditions for change | none
 | uncertainties with probable change or reasonable possibility of material loss | none
2. Qualified | audit scope limitation wherein the Auditor was unable to employ alternative audit procedures | moderately material
 | departure from GAAP | moderately material
 | non-compliance with laws and regulations | moderately material
 | inconsistent application of accounting principles to which the auditor objects to the change because the newly-adopted principle does not meet conditions for change | moderately material
3. Adverse | departure from GAAP | highly material
 | non-compliance with laws and regulations | highly material
 | inconsistent application of accounting principles to which the auditor objects to the change because the newly-adopted principle does not meet conditions for change | highly material
4. Disclaimer | audit scope limitation wherein the auditor was unable to employ alternative audit procedures | highly material
 | uncertainties with pervasive probability of material loss | highly material

The effect of an item on the financial statements is based on its materiality.

For samples of the different audit opinions, please refer to Philippine Audit
Standard 2009 edition.


1.3 Perform Overall Audit Review

Pursuant to COA Memorandum No. 2009-028, the CD supervises the audit groups
under the cluster in the conduct of audits and the preparation of audit reports
considering the audit thrusts and significant findings, in coordination with the
Regional Directors (RD) for issues affecting regional and/or field office. The
Supervising Auditors (SA), prior to the issuance of audit reports, shall conduct a
review of the outputs prepared by the Audit Team Leaders (ATL). As part of the
quality assurance, the Sectors may use the existing AAR Review Checklist.

1.3.1. Perform overall review and approval


At this point, the Supervising Auditor shall complete an overall review and approval
of the engagement to document and confirm that:
· Engagement has been completed in accordance with IRRBAM
· Sufficient appropriate audit evidence has been obtained
· Audit documentation provides a basis for audit opinion

The overall review and approval of the audit engagement will be documented in a
Quality Inspection Tool.

The QIT, at a minimum, confirms the opinions of the audit teams involved in the
engagement including other related offices (e.g., FAIO, SAO, etc.), that:
· The audit team members with supervisory responsibilities have fulfilled their
duties
· The review of the audit work for the engagement has been completed in
accordance with COA policies for reviews as well as with other relevant
auditing standards.
· The planned audit work has been completed and that important matters
and significant accounting and auditing issues have been addressed.
· Sufficient appropriate audit evidence has been obtained to support the
audit opinion
· The auditors’ report is appropriate
· The audit work has been performed in accordance with the IRRBAM, COA
policies and standards, as well as other professional standards, laws, rules
and regulations

The appropriate members of the audit team shall sign and date the QIT at the
conclusion of the audit.

1.3.2. Issue report


After the reports have been prepared and reviewed by the appropriate officers, the
reports will be issued to the appropriate report recipients.

Annual Audit Report (AAR)

Signing of Annual Audit Report

Pursuant to COA Memorandum No. 2009-028, the SAs shall sign the audit reports
prepared by the ATLs, while the CDs transmit said reports to the agency.

Number of copies and Distribution of Reports

There shall be as many copies of the AAR as necessary to be reproduced. In
addition to copies for the agency, the AAR shall be furnished to the oversight
bodies.

The AAR shall be submitted to COA Chairman on or before the last working day of
February every year. The COA Chairman shall transmit the AAR to the following
heads of oversight bodies:
o President
o Vice- President
o President of the Senate
o Chairman- Senate Finance Committee
o Speaker of the House of Representatives
o Chairman-Appropriations Committee, and the
o Secretary of the Budget and Management

The final report shall be transmitted to the Head of the Agency for National
Government Agencies, to the Chief Executive Officer for Local Government Units,
or to the Board of Directors for Government-Owned or Controlled Corporations
under signature of the COA Chairman or his duly authorized representative. As
may be found necessary, other government officials, such as the Speaker of the
House of Representatives, the Senate President, and the President of the Republic
of the Philippines, shall also be furnished copies thereof.

The transmittal letter is a simple communication transmitting the report and
acknowledging the assistance and support extended by the officials and staff of
the agency. It shall also include a request to implement the recommendations
contained in the report and to be informed of the actions taken thereon within thirty
(30) working days from receipt thereof.

1.4 Wrap-up and archive the engagement


Working papers document the procedures performed and the evidence obtained
and evaluated to support a conclusion rendered by the auditors. As required by the
professional standards, audit documentation shall be sufficient for an experienced
auditor with no previous association with the audit to be able to understand the
nature, timing and extent and results of procedures performed, evidence obtained
and conclusions reached.

Auditors shall use professional judgment in determining the nature and extent of
the audit documentation. However, it shall be ensured that it is consistent with
COA policies, professional standards and other legal and regulatory requirements.

Working papers/documentation is an integral part of the auditors’ responsibilities.
Thus, there is a need for a systematic archiving of electronic and hard copy
working papers/documentation.

Archiving of workpapers (electronic and/or hardcopy) should be done on a timely
basis after the date of our auditor’s report when the procedures and documentation
are complete. (Please check COA’s retention policy)

At the completion of the audit, the Audit Team Leader is responsible for authorizing
the final archive process and for determining that workpapers are archived in
accordance with COA policies, professional standards, and legal and regulatory
requirements.

Auditors shall retain records which are relevant to the audit that:
· Are created, sent or received in connection with the audit
· Contain conclusions, opinion, analyses or financial data related to the audit

The following items are examples of those documents which are not necessarily
retained as they do not support the conclusions reached in the audit:
· Superseded drafts of memoranda, financial statements or regulatory filings
· Notes on superseded drafts of memoranda, financial statements or
regulatory filings that reflect incomplete or preliminary thinking
· Previous copies of workpapers that have been corrected for typographical
errors or errors due to training of new employees
· Duplicates of documents
· Superseded entity-prepared schedules and analyses
· E-mails that do not contain conclusions, opinions, analyses or financial data
related to the audit
· Voice-mail or instant messages
· Electronic entity data files (including files in the team’s discussion
database) other than those described below


In any case, the auditor shall use its professional judgment in determining which
documents shall form part of the team’s working papers/documentation.

Timing of the archive process

The documentation completion date is no later than 60 days after the date of our
auditors’ report.

Carryforward documentation guidelines

When workpapers are carried forward to the current period, the original current
workpapers are carried forward while prior period’s workpapers are maintained
unchanged. This practice should be followed to make sure that each period’s
workpapers provide support for the conclusions reached and the procedures
performed and are separate and distinct from any other period’s workpapers.

Confidentiality

The audit team is responsible for adopting appropriate procedures for maintaining
the confidentiality and safe custody of the workpapers to comply with COA and
professional standards’ archiving requirements.

Lost or destroyed workpapers

If the workpapers (either electronic or hard copy) needed to support our audit
opinion have been corrupted, lost, stolen or destroyed subsequent to the
documentation completion date, the audit team shall report the loss to the team
leader/supervisor.

The following factors shall be considered in determining if there is a need to
create/replace the lost workpapers:
· Significance of the lost or destroyed workpapers in the audit project
· Length of time that has passed since the AAR was issued.
· Ability to easily obtain copies of the documents from the agency

1.5 Follow-up Agency Action Plan

Part of the Commission’s mandate is to recommend measures to improve the
efficiency and effectiveness of government operations (Sec. 4, Art. IX-D of the
1987 Philippine Constitution). The full completion of this mandate can only be
satisfied once agencies have implemented or acted on the recommendations
made by the auditors through action plans.


Audit follow-up/monitoring of recommendations is an integral part of good
management and a responsibility shared by the auditor and the agency. Corrective
actions taken to implement audit recommendations enable the agency to improve
the effectiveness and efficiency of their operations. An effective monitoring system
not only ensures the prompt and proper resolution of audit observations and
recommendations and the implementation of corrective action, but also ensures
that a complete record of actions taken on observations and recommendations is
maintained.

Benefits of Monitoring
· Assures the auditor that the benefit of audit work is realized
· Validates that the recommendations as implemented are truly advantageous to
the auditee.
· Assists the auditor in re-evaluating his analytical techniques and evidence that
aid in the formulation of the recommendation.

This activity will be conducted all throughout the year for the audit projects handled
by the following Sectors/Offices:
· Audit Sectors:
- National Government Sector (NGS)
- Corporate Government Sector (CGS)
- Local Government Sector (LGS)
· Regional Offices
· Special Offices:
- Fraud and Investigation Office (FAIO)
- Special Audit Office (SAO)
- Technical Services Office (TSO)

a) Monitor Progress

Part of the auditors’ role is to determine that the audited agencies take corrective
actions (as documented in the Form 04-04: Agency Action Plan) on the
recommendations provided, as a result of the audit observations, on a timely basis.

The auditor shall accomplish the Form 04-05 Action Plan Monitoring Tool to
monitor the status of the agency’s action plans.


The Commission, as the country’s Supreme Audit Institution, handles voluminous
transactions and documents. Therefore, maintaining a database may support the
monitoring of all issues and the subsequent action taken by the auditors and agencies
during the audit. Also, a database adds value by storing the history of issues of a certain
auditable agency. The historical issues and recommendations maintained in the
database may guide COA during the assessment of the key risks of an agency or a
sector as a whole. The database may also serve as a reference in conducting an
in-depth analysis on the relationships of issues among different agencies (e.g., conduct of
the government-wide and sectoral performance audit).

b) Conduct Follow-up procedures

Being an integral part of the audit process, follow-up should be scheduled along
with other steps necessary to perform the review. However, specific follow-up
activity depends on the results of the audit and can be carried out at the time the
report draft is reviewed with concerned agency personnel or after the issuance of
the report.

Perform the following:

· Classify Audit Issues According to Follow-up Procedures to be done

The risk assessment done in the second phase, “Agency Audit Planning and Risk
Assessment” plays an important role in the follow-up procedures to be performed.
Normally, follow-up procedures are based on the impact of the risk. Follow-up
activities may be broken down into three areas:

- Casual
This is the most basic form of follow-up and may be satisfied by review of the
process owner’s/client’s procedures or an informal telephone conversation.
Memo correspondence may also be used. This is usually applicable to the
less critical findings.

- Limited
Limited follow-up typically involves more process owner/client interaction.
This may include actually verifying procedures or transactions and in most
cases, is not accomplished through memos or telephone conversations with
the process owner/client.

- Detailed
Detailed follow-up is usually more time-consuming and can include
substantial process owner/client involvement. Verifying procedures and audit
trails as well as substantiating account balances and computerized records
are examples. The more critical review findings usually require detailed
follow-up.

Follow-up scheduling can begin when corrective action is confirmed by acceptance
of an audit recommendation or when management elects to accept the risk of not
implementing the recommendation. Based on the risk and exposure involved, as
well as the degree of difficulty in achieving the recommended action, follow-up
activity should be scheduled to monitor the situation or confirm completion of the
changes that were planned. These same factors establish whether a simple
telephone call would suffice or whether further review procedures would be
required. Enumerated below are general procedures in conducting a detailed
follow-up:

- Analyze the response of the unit involved and verify if it is aligned with the
strategy previously agreed upon.
- Assess action taken against recommendation
- Seek evidence to verify implementation of the action and seek clarification if
necessary.
- In case the response of the process owner/client is different from the
recommendation, assess if the response is effectively mitigating the risk and
is more efficient than the recommendation.
- In case the response of the management is different from the
recommendation and is assessed to be ineffective or inefficient, reiterate
recommendations and evaluate management response to COA reiteration.
- In case management decided not to act on issues raised or elected to accept
the risks, prepare a Management Acceptance of Risk.
- Prepare to communicate results of the follow up procedures.


Policy and Standard

Policy/Standard | Description
ISSAI 400 | Reporting standards in government auditing
ISSAI 1220 | Quality Control for Audits of Historical Financial Information
ISSAI 1230 | Audit Documentation
ISSAI 1700 | Forming an Opinion and Reporting on Financial Statements
COA Memorandum No. 2002-047 | Guidelines on the preparation, submission and transmittal of the Annual Audit Report
COA Resolution No. 2006-002 | Conduct of comprehensive audits by the offices of this Commission
COA Resolution No. 2008-012 | 2008 COA organization restructuring
COA Memorandum No. 2009-028 | Implementing guidelines on audit operations under the 2008 COA organizational restructuring
COA Memorandum No. 2010-015 | Uniform guidelines for the signing and transmittal of the Annual Audit Reports (AARs), Consolidated Annual Audit Reports (CAARs), and Management Letters (MLs) of the National Government Sector and Local Government Sector, for CY 2009 and onwards.
COA Memorandum No. 2010-020 | Signing and transmittal of the Annual Audit Reports (AARs), Consolidated Annual Audit Reports (CAARs), and Management Letters (MLs) of the Corporate Government Sector for 2009

Documentation

Procedure | Sub-procedure | Output/Tools
1.1 Summarize Audit Results | Prepare summary of audit results and recommendations | Form 04-01: SARR
 | Discuss results of other types of audit conducted | Minutes of discussion
1.2 Prepare Annual Audit Report | Prepare Annual Audit Report | AAR; Form 04-02: Management Letter Template
1.3 Perform Overall Audit Review | Perform overall review and approval | AAR Review Checklist; Form 04-03: Quality Inspection Tool
 | Issue Report | Transmittal Letter
1.4 Wrap-up and archive the engagement | Archive working papers/documentation of audit |
1.5 Follow-up Agency Action Plan | | Form 04-04: Agency Action Plan; Form 04-05: Action Plan Monitoring Tool

Integrated Results and Risk-Based Audit Manual Phase 3B– Conclusion and Reporting
Form 04-01: Summary of Audit Results and Recommendations

SUMMARY OF AUDIT RESULTS AND RECOMMENDATIONS


INTRODUCTION

Purpose of this form

This form is used to summarize and evaluate the results of comprehensive audit and other
types of audits conducted. It has three parts as follows:

• Part I - Introduction
• Part II - Summary of Audit Results and Recommendations
• Part III - Evaluation Factors

After the exit conference with the agency, the audit team shall accumulate the
findings/observations and recommendations, as documented in Audit Observation
Memorandum (AOM), together with management comments using the Summary of Audit
Results and Recommendations provided in Part II of this Form.

The completed template should be initialed by the ATL and SA, and approved by the CD prior to
audit report sign-off. This completed template, together with other relevant documentation,
should be filed in the working papers.

Procedures

The audit team should perform the following steps in relation to audit findings and observations
and their disposition:

A. Matrix of Audit Findings and Recommendations

§ Summarize the findings and recommendations as documented in AOMs. This includes
the findings and recommendations from financial, compliance, and VFM audits
conducted.
§ Document management’s comments on each finding and recommendation. This
includes the disposition of proposed adjusting journal entries, disclosures, and
comments on VFM audit findings.
§ Document the audit team’s response to management’s comments on the findings and
recommendations.

B. Results/Status of Other Audits (e.g., Fraud and GWSPA)

• Summarize the findings/issues of other audits conducted.
• Document the reference of the findings/issues.
• State the status of audit(s). The audit(s) may be ongoing or completed.
• Document the possible effect/impact of the audit in the agency’s financial statements.
• Document other information deemed relevant by the audit team in the remarks column.

Please refer to Phase 3 - Delivery: Conclusion and Reporting of the IRRBAM for further details.


SUMMARY OF AUDIT RESULTS AND RECOMMENDATIONS

Agency :

Audit period :

A. Matrix of Audit Findings and Recommendations

No. | AOM No./Date | Observation | Recommendation | Management Comment | Rejoinder

B. Results/Status of Other Audits (e.g., Fraud and GWSPA)

No. | Significant findings/issues | Reference | Status of Audit | Conclusion | Remarks


C. Conclusion

In our opinion:

1. Considering quantitative factors as well as non-quantitative factors
(refer to Part III of this Template), the effect of unrecorded
proposed entries, either individually or in the aggregate, is not
material to the financial statements taken as a whole and therefore
does not require modification of our auditors’ report. □ Yes □ No

2. The proposed entries, whether or not recorded, are not the result
of a significant weakness in internal control over financial reporting. □ Yes □ No

3. The proposed entries, whether or not recorded, are not indications
of possible fraud or illegal acts. □ Yes □ No

4. For any “No” responses above, indicate the steps taken or to be
taken:

□ Opinion modified
□ Audit scopes reassessed
□ Others: _____________________________________

Comments:

Prepared by : Date :

Reviewed by : Date :

Approved by : Date :


EVALUATION FACTORS

A. Materiality Factors

The following factors may be relevant to the evaluation of the materiality of passed entries,
recognizing that some may be more important than others.

1. Quantitative factors:
a. Earnings/Surplus
b. Other financial statement captions
c. Segment information
2. Meeting earnings/budget goals
3. Compliance with contracts and regulations
4. Impact on other periods
5. Trends
6. Possible undetected errors
7. Certainty of amount
8. Interpretations of ISSA
9. Establishing accounting precedent
10. Large offsetting items
11. Nonrecurring items
12. Carryovers from prior periods

Additional factors to be considered by the audit team:


13. Current user needs
We may need to reassess our original materiality judgment in light of changed
circumstances or knowledge gained during the audit. For example, there may be
significant changes in economic trends, budgeted earnings/surplus or negotiations for
a line of credit.

14. Special circumstances.


The materiality threshold may be reduced when it is reasonably possible that third
parties will closely scrutinize the agency’s accounting practices and question why even
small errors were not corrected. This might apply to, for example:

o maximum-risk assignments,
o agencies with weakening financial condition,
o agencies that may soon have new management (within a year or shortly
thereafter),
o management that needs to significantly improve its accounting and control
practices,
o potentially sensitive areas, such as revenue recognition.

15. Agency management’s past practices.


When entries are passed, it is usually assumed that agency management will
(a) subsequently correct the errors, and (b) improve its controls to prevent a
recurrence of the problem. However, when agency management appears to be unable
or unwilling to do either, the errors may take on greater significance. This is especially
true when the accounting system is capable, without significant additional cost or
effort, of correctly processing transactions.


16. Special purposes of the audit.


The impact of proposed entries could be magnified if the financial statements will be
used for special purposes. For example, if a buy-sell agreement bases the sale price
on a multiple of earnings, an otherwise minor adjustment could have a significant
immediate effect on the price.

B. Indications of significant weakness in internal control

Even when misstatements are not material, we need to consider whether their root
causes are due to inadequacies in internal control, particularly when the errors are
more widespread or significantly larger than anticipated. We may need to expand our
audit testing to compensate for an unexpected control weakness. We also may need to
communicate the weakness to senior agency management and the Oversight Body if it
is deemed to be a "reportable condition."

C. Indications of possible fraud or illegal acts

Proposed entries may be indications of fraud or illegal acts (possibly the "tip of the
iceberg"). Examples are:

o A significant increase over the prior year in the number or size of proposed
adjustments.
o "Last minute" entries that significantly increase earnings.
o Misstatements that appear to have been made with the intent of achieving targeted
earnings or similar goals.
o Unsupported or unauthorized transactions, balances and reconciling items.
o Entries apparently made to conceal illegal acts.

Integrated Results and Risk-Based Audit Manual Phase 3B – Conclusion and Reporting
Form 04-02: Management Letter Template

(Letterhead)

CONFIDENTIAL
Ref No. (DOH-R01-2010-01)

(Date)____________

Head of Agency____
_________________
_________________

Dear __________:

Management Letter on the Audit of the
(Name of Auditee)
for the period January 1 to December 31, 2005

1. Pursuant to Section 2, Article IX-D of the Constitution of the Philippines and Section 43 of
the Government Auditing Code of the Philippines (PD 1445), we have audited the accounts and
operations of the (Name of Auditee) for the period ended December 31, 2005. The audit was
conducted in accordance with applicable legal and regulatory requirements, and generally
accepted auditing standards. Those standards require that we plan and perform the audit to
obtain a reasonable basis for our conclusions.

2. The audit was conducted to (a) verify the level of assurance that may be placed on
management’s assertions on the financial statements; (b) recommend agency improvement
opportunities; and (c) determine the extent of implementation of prior year’s audit
recommendations.

3. Deficiencies observed in the course of the audit were earlier communicated through Audit
Observations Memoranda (AOMs) and discussed in an exit conference conducted on (Date of
Exit Conference) with concerned (Auditee) officials and employees. Their comments were
incorporated in this letter, where appropriate. The significant audit observations and
recommendations shall be incorporated in the Consolidated Annual Audit Report (CAAR) of the
(Name of Department) for CY 2005.

A. Summary of Recommendations
(applicable if there are more than five observations)

4. For the significant deficiencies observed in the course of the audit, we recommend that:

a. Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxx;


b. Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;

c. Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; and

d. Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.

B. Detailed Observations and Recommendations

Caption (Area or Account)

Topic Sentence (As much as possible, it should contain the four elements of an audit
observation: condition, criteria, cause and effect.)

5. (In discussing the audit observation, observe its elements: condition, criteria, cause and
effect.)

6. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx.

7. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.

8. We recommend that (office, official or employee responsible for implementing the
recommendation) ……………..

9. Management explained that ………. (Management comment may also be discussed in
the observation paragraphs.)

10. We maintain, however, that ………………………or We believe, however,
that……………, or We are of the opinion, however, that……………. or, etc. (The audit
rejoinder, if any, should always follow management’s comments or justification.)

Caption (Area or Account)

Topic Sentence (As much as possible, it should contain the four elements of an audit
observation: condition, criteria, cause and effect.)

11. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx.

12. We recommend………………………………..

C. Status of Implementation of Prior Year’s Audit Recommendations

13. We made a follow-up on the action taken by the (Auditee) to implement the
recommendations of prior years and noted the following:


Status of Implementation | No. of Recommendations
Fully Implemented |
Partially Implemented |
Not Implemented |

14. The results of the validation of the implementation of prior year’s recommendations are
presented in Annex ___.

D. Acknowledgment

15. We wish to express our appreciation to the Management and staff of (Auditee) for the
cooperation and assistance extended to our audit team during the audit.

16. We would appreciate receiving your reply, both hard and electronic copies, within fifteen
days from receipt of this letter.

Very truly yours,

________________
Supervising Auditor

Copy furnished:

(Department Secretary)

Enclosures:

(Where applicable)


Annex _____

(Name of Agency)
Validation of Implementation of Prior Year’s Recommendations
As of (Last Day of Fieldwork)

REF. | OBSERVATIONS AND RECOMMENDATIONS | MANAGEMENT ACTION | STATUS OF IMPLEMENTATION (Full, Partial, Ongoing or Non-Imp) | REASON FOR PARTIAL/NON-IMPLEMENTATION

Note: Partial – Not fully implemented and no further action was taken by the Management

Integrated Results and Risk-Based Audit Manual Phase 3B – Conclusion and Reporting
Form 04-03: Quality Inspection Tool

QUALITY INSPECTION TOOL


About this Tool

The Quality Inspection Tool will guide the audit team in performing overall review and
approval of the audit engagement.

This tool is not all-inclusive; audit teams shall tailor it as appropriate.

Agency: _____________________________________________________

Period: _____________________________________________________

General Audit Procedures | WP Reference or Review by | Work Performed by

1. Terms of Audit Engagements

An engagement letter has been prepared in accordance with COA policies and
professional standards.

2. Independence

Members of the audit team are independent with respect to this audit client
and its affiliates.

3. Initial Engagements – Opening Balances

For initial audits, perform procedures to obtain sufficient appropriate audit
evidence that:
a. The opening balances do not contain misstatements
that materially affect the current period’s financial
statements
b. The prior period’s closing balances have been
correctly brought forward to the current period or,
when appropriate have been restated.
c. Appropriate accounting policies are consistently
applied or changes in accounting policies have been
properly accounted for and adequately disclosed.

4. Consultation

Identify areas and specialized situations where consultation is required and
consult with others or use authoritative sources on other complex or unusual
matters.

Areas identified: Consulted:

____________________ _________________

____________________ _________________

____________________ _________________

____________________ _________________

Appropriate consultation has occurred in areas and special situations where
required by COA policies and where the audit team otherwise deemed necessary.

Appropriate documentation has been prepared and reviewed for all consultation
on significant issues and those consulted were informed of all the relevant
facts and circumstances and the conclusions are reasonable and consistent with
professional standards.

Memoranda that address all significant issues on which consultation occurred
are associated with, or are attached to, the Audit Observation Memorandum (AOM)
with an indication of the consultant’s approval. If consultation memoranda have
not yet been completed or approved in writing, oral approvals have been obtained
from the individuals consulted and noted in the AOM or an attachment to it.

Copies of the memoranda have been provided to the individuals consulted.

Conclusions resulting from the consultations have been implemented.

5. Minutes and Contracts

Obtain information regarding meetings of the management, board of directors,
shareholders and important committees up to the report date.
a. Read minutes. Obtain copies of the signed minutes or
prepare excerpts. (If the copies are not signed,
compare them with the original signed minutes.)
b. If minutes have not been prepared for recent
meetings, obtain a summary of what was discussed.
c. Compare significant matters identified above with
information obtained during the audit and cross-reference
significant matters affecting the financial
statements to the appropriate workpapers.

Obtain information about important contracts, agreements and similar documents
and consider their accounting or auditing implications. Cross-reference
significant matters affecting the financial statements and other agency-issued
reports to the appropriate workpapers.

6. Consideration of Laws and Regulations in an Audit of Financial Statements

When planning and performing audit procedures and evaluating and reporting the
results thereof, consider the risk of noncompliance by the agency with laws and
regulations that may materially affect the financial statements.

Obtain a general understanding of the legal and regulatory framework applicable
to the agency and how the entity is complying with that framework. The
procedures ordinarily include:
a. Use of existing understanding of the agency’s industry
and business
b. Inquiry of management concerning the agency’s
policies and procedures regarding compliance with
laws and regulations
c. Inquiry of agency as to the laws or regulations that
may be expected to have a fundamental effect on the
operations of the agency
d. Discussion with management about the policies or
procedures adopted for identifying, evaluating and
accounting for litigation, claims and assessments

Met with: Findings:

____________________ _________________

____________________ _________________

____________________ _________________

Perform procedures to help identify instances of noncompliance with those laws
and regulations where noncompliance should be considered when preparing
financial statements, specifically:

a. Inquire of management as to whether the entity is in compliance with such
laws and regulations

Met with: Findings:

____________________ _________________

____________________ _________________

____________________ _________________

b. Inspect correspondence with the relevant licensing or regulatory authorities

Obtain sufficient appropriate evidence about compliance with those laws and
regulations generally recognized to have an effect on:
- the determination of material amounts and disclosures
in financial statements by considering them when
auditing the assertions related to the determination of
the amounts to be recorded and the disclosures to be
made
- programs, activities and projects of the agency

Sign one of the following statements, as applicable:

Performance of the above procedures has not indicated any noncompliance by the
entity with laws and regulations that may materially affect the financial
statements.

A possible noncompliance by the entity with laws and regulations was suspected
or detected and we have obtained an understanding of the nature of the act and
circumstances in which it has occurred, and sufficient other information to
evaluate the possible effect on the financial statements and appropriate
documentation, evaluation and notification of management and others has
been performed.


7. Related parties

Review information provided by the directors and agency management identifying
the names of all known related parties and perform procedures in respect of the
completeness of this information including the following:
a. Review prior year workpapers for names of known
related parties.
b. Review the entity’s procedures for identification of
related parties
c. Inquire as to the affiliation of directors and officers with
other entities

Inquired of:
______________________________________

d. Review agency management minutes of the meetings
e. Inquire of other auditors currently involved in the
audit, or predecessor auditors, as to their knowledge
of additional related parties.

8. Inquiry regarding Litigation and Claims

Carry out procedures in order to become aware of any litigation and claims
involving the agency which may have a material effect on the financial
statements.

9. Considering the Work of Internal Audit

Obtain a sufficient understanding of internal audit activities to assist in
planning the audit and developing an effective audit approach.

Perform a preliminary assessment of the internal audit function when it appears
that internal audit is relevant to the external audit of the financial
statements in specific audit areas. Such assessment includes evaluating the
competence and objectivity of the internal auditors.

When the audit team intends to use specific work of internal audit, evaluate
and test that work to confirm its adequacy for our purposes.

10. Subsequent events

Perform procedures designed to obtain sufficient appropriate audit evidence
that all events up to the date of the auditors’ report that may require
adjustment of, or disclosure in, the financial statements have been identified.

11. Going concern

The engagement team has considered and evaluated the appropriateness of
management’s use of the going concern assumption underlying the preparation of
the financial statements both in the planning phase and throughout the
performance of the audit procedures.

12. Management Representations

Obtain a letter of representations that is tailored to the particular
circumstances, dated the same date as our auditors’ report, and signed by the
members of management who have primary responsibility for the agency and its
financial aspects.

13. Financial Statements Review

Apply analytical procedures at or near the end of the audit when forming an
overall conclusion as to whether the financial statements as a whole are
consistent with our understanding of the agency.

Verify opening balances on the basis of the prior year’s audit report and/or
workpapers.

Cross-reference year-end amounts on the general ledger trial balance to the
related audit workpapers.

Examine supporting documents and/or inquire of agency personnel to determine
that significant entries made solely to prepare the financial statement, other
than entries covered by other audit procedures, were properly authorized and
accounted for.

Agree or reconcile the financial statement amounts and the financial data in
the footnotes to the general ledger trial balance or other workpapers.

Determine that the financial statements and the financial data in the footnotes
are clerically accurate.

14. Communication of Audit Matters with Management and those Charged with Governance

Inform management as soon as practicable:
- If a fraud has been identified or if information
obtained indicates that a fraud may exist
- Of the existence of material weaknesses in the
design or implementation of internal control,
including material weaknesses in the design or
implementation of internal control to prevent and
detect fraud, that have come to our attention.

The audit team has determined the relevant persons who are charged with
governance and with whom audit matters of governance interest are to be
communicated.

The audit team has considered all audit matters of governance interest that
arose from the audit of financial statements and communicated them to those
charged with governance. Ordinarily such matters include:
a. General audit approach and overall scope of the audit.
b. Selection of, or changes in, significant accounting
policies
c. Potential effect of any significant risks and exposures
that are required to be disclosed.
d. Audit adjustments that could have a significant effect
on the entity’s financial statements.
e. Material uncertainties relating to going concern
f. Disagreements with management that could have a
significant impact on the financial statements or the
audit report.
g. Expected modifications to the audit report.
h. Internal control issues
i. Issues with respect to agency’s integrity and/or fraud
within the entity.

Determine whether any identified risks of material misstatement due to fraud
have continuing control implications. Consider whether any control deficiencies
related to these risks, or whether the absence of or deficiencies in programs
or controls to mitigate specific risks of fraud or to otherwise help prevent,
deter, and detect fraud, represent matters (including potential material
weaknesses) that should be communicated to agency management or any relevant
regulatory body.

Inform those charged with governance about those uncorrected misstatements
aggregated by us during the current audit that were determined by management to
be immaterial, both individually and in the aggregate, to the financial
statements as a whole.

Inform those charged with governance if a fraud has been identified involving
management, employees who have significant roles in internal control, or others
where the fraud results in a material misstatement in the financial statements.

Inform those charged with governance of material weakness in the design or
implementation of internal control, including material weaknesses in the design
or implementation of internal control to prevent and detect fraud, that have
come to the auditors’ attention.

Inform those charged with governance of the entity’s noncompliance with laws
and regulations that have come to our attention. If we have reason to believe
that members of agency management are involved in noncompliance, report the
matter at the next higher level of authority.

The audit team has communicated the above matters in a timely manner.

The engagement team has communicated the matters in a way that is appropriate
depending on the nature and significance of the matter as well as on the size
and legal structure of the entity being audited.

I have reviewed this Quality Inspection Tool and the results of the procedures for
this engagement and am satisfied that all applicable general audit procedures
have been completed, the conclusions are reasonable and consistent with
professional standards, and the AAR and VFM Report properly reflect the issues
addressed.

Signature: ________________________ Date: __________________

Integrated Results and Risk-Based Audit Manual Phase 3B – Conclusion and Reporting
Form 04-04: Agency Action Plan

AGENCY ACTION PLAN

About this Tool

Sector: __________________________________
Agency Audited: __________________________

Audit Period: ________________

AAR date: ___________________

AGENCY ACTION PLAN

REF. | AUDIT OBSERVATION and RECOMMENDATION | Action Plan / Remarks | Person/Dept. Responsible | Target Implem. Date

Agency sign-off:

_______________________________________ _________________
Agency Officer Date

Prepared by: Approved by:

Audit Team Leader Supervising Auditor

Date Date

Integrated Results and Risk-Based Audit Manual Phase 3B – Conclusion and Reporting
Form 04-05 Action Plan Monitoring Tool

ACTION PLAN MONITORING TOOL

About this Tool

Sector: __________________________________
Team: ___________________________________
Agency Audited: __________________________

Audit Period: ________________


AAR date: ___________________

AGENCY ACTION PLAN: Action Plan / Remarks | Person/Dept. Responsible | Target Implem. Date
COA MONITORING: Actual Implem. Date | Implem. Status (Full, Partial, Ongoing, Non-implementation) | Reason for Delay/Non-implementation (if applicable) | Comments/Action Taken

Prepared by: Approved by:

________________________________________ _________________ ________________________________________ _________________


Audit Team Leader Date Supervisory Date

Integrated Results and Risk-Based Audit Manual Phase 4 – Monitoring

MONITORING

[Figure: Integrated Results and Risk-Based Audit Framework. Strategic Planning and Risk Identification; Planning (Agency Audit Planning and Risk Assessment); Delivery (Execution; Conclusion and Reporting); Monitoring (Quality Control System)]

Introduction

The Monitoring phase of the IRRBA approach is a roadmap for COA to maintain the
delivery of quality audit service to the Public. The Commission shall establish a quality
control system that will promote an internal culture recognizing that quality is essential in
performing all of its audit work.

COA shall ensure appropriate quality control policies and procedures are in place (e.g.,
engagement quality control reviews) in respect of each major product of the type of
engagement such as Comprehensive Audit (Financial, Compliance and Agency-based
Value for Money Audits) Government-wide and Sectoral Performance Audit and Fraud
Audit.


Procedures

Monitor Quality Control on Audit Services

COA, as the country’s auditor of all government agencies, government owned and
controlled corporations and government financial institutions shall establish and
maintain a system of quality control to provide reasonable assurance that:
· The organization and its personnel comply with professional standards and
applicable legal and regulatory requirements in the delivery of its audit
services.
· The reports issued by the Commission are appropriate in the
circumstances.

It is the responsibility of the Commission Proper to establish a strategic direction
for the establishment of a Quality Control System.

If deemed necessary, the Commission as a whole or each audit sector shall
establish a Quality Control Committee which will assist the auditors in the initial
and continuous implementation of the Quality Control System.

Likewise, it is the responsibility of the Cluster directors to ensure that a monitoring
process comprising an ongoing consideration and evaluation of the COA’s system
of quality control, including a periodic inspection of a selection of completed
engagements, is in place.

Each audit team is responsible for implementing the quality control procedures that are
applicable to their audit engagement.

Elements of a Quality Control System

The following are the elements of a Quality Control System as taken from ISSAI 40 -
Quality Control for Supreme Audit Institutions:

a. Leadership responsibilities for quality within the firm

An SAI should establish policies and procedures designed to promote an
internal culture recognizing that quality is essential in performing all of its work.
Such policies and procedures should be set by the head of the SAI, who
retains overall responsibility for the system of quality control.


b. Relevant ethical requirements

An SAI should establish policies and procedures designed to provide it with
reasonable assurance that the SAI, including all personnel and all parties
contracted to conduct work for the SAI, complies with the relevant ethical
requirements (e.g., integrity, independence, objectivity and impartiality,
professional secrecy and competence).

c. Acceptance and continuance of client relationships and specific engagements

An SAI should establish policies and procedures designed to provide the SAI
with reasonable assurance that it will only undertake audit tasks and other work
where the SAI:

(a) is competent to perform the audit task or other work and has the
capabilities, including time and resources, to do so;

(b) can comply with relevant ethical requirements; and

(c) has considered the integrity of the organization being audited and has
considered how to treat the risk to quality which arises.

The policies and procedures should reflect the range of work carried out by
each SAI. SAIs broadly carry out work in three categories:

- Tasks which are required of them by their mandate and statute and which
they have no option but to carry out;

- Tasks which they can choose to carry out;

- Tasks which are required by their mandate, but where they have discretion
as to the timing, scope or nature of each task.

d. Human resources

An SAI should establish policies and procedures designed to provide it with
reasonable assurance that it has sufficient resources (personnel and, where
relevant, parties contracted to conduct work for the SAI) with the competence,
capabilities and commitment to ethical principles necessary to:

(a) perform its tasks in accordance with relevant standards and applicable
legal and regulatory requirements; and

(b) enable the SAI to issue reports that are appropriate in the circumstances.


e. Engagement performance

An SAI should establish policies and procedures designed to provide it with
reasonable assurance that its tasks are performed in accordance with relevant
standards and applicable legal and regulatory requirements, and that the SAI
issues reports that are appropriate in the circumstances. Such policies and
procedures should include:

a) matters relevant to promoting consistency in the quality of the work
performed;

b) supervision responsibilities;

c) review responsibilities.

f. Monitoring

An SAI should establish a monitoring process designed to provide it with
reasonable assurance that the policies and procedures relating to the system
of quality control are relevant, adequate and operating effectively. The
monitoring process should:

(a) include an ongoing consideration and evaluation of the SAI’s system of
quality control, including review of a sample of completed tasks across the
range of work performed by the SAI;

(b) require responsibility for the monitoring process to be assigned to an
individual or individuals with sufficient and appropriate experience and authority
in the SAI to assume that responsibility;

(c) require that those performing the review have not taken part in the task or
any quality control review of the task.

Quality control policies and procedures

The Quality Control System shall be incorporated in the Commission’s strategy,
culture, policies and procedures. For the system to be effective, it shall be
customized according to COA’s own structure, audit assignment risks and the
tasks it performs.


COA management shall ensure that the quality control procedures are being
followed by the auditors not only for compliance but as an embedded process in
ensuring delivery of quality audit services.

Quality risk

COA shall ensure that the Quality Control System addresses the risks to the
quality of its auditing and other work. The risks to quality will be dependent on the
mandate and functions of COA and the conditions and environment under which it
operates.

Quality risks may concern the professional judgments and performance of
procedures in the conduct of auditing and other work, as well as the
communication of the results and the appropriate understanding of these by
intended users.

Other considerations that need to be included in the Quality Control System

- COA shall ensure that applicable standards are followed in all work performed,
and that any deviations are appropriately documented.
- COA should consider its work programme and whether, at an organizational
level, it has the resources to deliver the range of tasks to the desired level of
quality.
- All work performed should be subject to review as a means of contributing to
quality and also to promote learning and staff development.
- Timely documentation of all work performed (e.g., audit work papers) following
completion of each engagement shall be complied with.
- Auditors shall ensure that appropriate principles of natural justice are followed in
respect of finalizing report findings to ensure those parties affected by the
COA’s reports have an opportunity to comment prior to the report being
finalized.
- Auditors should balance the confidentiality of documentation with the need for
transparency and accountability.
- Ensure that the results of quality control reviews are reported to the
Commission Proper in a timely manner and that appropriate action is taken.

Quality Assurance Activities

Quality assurance refers to policies, systems and procedures established by SAIs
to maintain a high standard of audit activity. It also refers to the requirements
applicable to the day-to-day management of audit assignments.

Quality assurance activities include:

- Securing the quality of the planning; the planning of selected tasks should be
reviewed to ensure that adequate consideration has been given to all matters
considered essential.
- Securing the quality of the on-going work; the on-going work should be subject
to continual review. This review is essential to maintain the quality of audit work
and to promote learning and feedback.
- Securing the quality of the finalized audit; all completed tasks should be
reviewed prior to signing any reports.

The objectives of quality assurance procedures should incorporate:

- Professional competency and integrity
- Supervision and assignment of personnel to engagements
- Guidance and assistance
- Client evaluation
- Allocation of administrative and technical responsibilities.

Quality Assurance Review Program

COA shall establish a Quality Assurance Review Program that is flexible to the
needs and mandate of the auditors. The results of the program should be reported
to COA management at least annually.

A quality assurance review program is a series of reviews of activities undertaken
by the SAI to assess the overall quality of the work performed and covers various
issues and perspectives. A quality assurance review may examine adherence to
audit policy and procedures and identify areas where there is any opportunity for
improvements in these policies and procedures, or it may assess the quality of
audit work performed to meet specified objectives or specific stakeholders’
perspectives. Quality assurance reviews will generally address both adherence to
specified processes and the quality of the work performed.

The following are some of the activities which may be undertaken by COA in
performing its Quality Assurance Review Program:
- Independent academic review
- Stakeholder surveys
- Peer review
- Follow-up reviews of recommendations
- Citizen review
- Feedback from audited organizations.


Policy and Standard

| Policy/Standard | Description |
|---|---|
| ISSAI 40 | Quality Control for Supreme Audit Institutions |
| ISSAI 1000 | General Introduction to the INTOSAI Financial Audit Guidelines |
| ISSAI 1220 | Financial Audit Guideline – Quality Control for an Audit of Financial Statements |
| Appendix 4 to ISSAI 3000 | Communication and Quality Assurance |
| ISSAI 3100 | Performance Audit Guidelines: Key Principles Appendix |
| ISSAI 4100 | Compliance Audit Guidelines for Audits Performed Separately from the Audit of Financial Statements |
| ISSAI 4200 | Compliance Audit Guidelines Related to Audit of Financial Statements |
