IRRBAM Vol2

Commission on Audit
INTEGRATED RESULTS AND

RISK-BASED AUDIT MANUAL
FORMS AND TEMPLATES
(Funded by The World Bank IDF Grant No. TF 092158)
Strategic Planning and Risk Identification

Planning
Agency Audit
Planning and Risk
Assessment
Delivery
Execution
Conclusion
and Reporting
Monitoring
(Quality Control System)
SEPTEMBER 2011
Integrated Results and Risk-Based Audit Manual
FORMS AND TEMPLATES

1.
Strategic Planning and Risk Identification

Form 01-01
Government Risk Model (GRM)
Form 01-02
Government Risk Identification Template (GRIT)
2.
Agency Audit Planning and Risk Assessment

Form 02-01
Agency Audit Workstep
Form 02-02
Understanding the Agency (UTA) Template
Form 02-03
Agency Risk Model (ARM)
Form 02-04
Agency Risk Identification (AgRI) Matrix
Form 02-05
Agency-level Control Checklist (ALCC)
Form 02-06
Process-Risk-Control (PRC) Matrix
Form 02-07
Audit Risk Assessment and Planning (ARAP) Tool
3A.
Delivery: Execution
Form 03A-01
Audit Test Summary (ATS)
3B.
Delivery: Conclusion and Reporting

Form 03B-01
Summary of Audit Results and Recommendations (SARR)
Form 03B-02
Quality Inspection Tool (QIT)
Form 03B-03
Agency Action Plan (AAP)
Form 03B-04
Action Plan Monitoring Tool (APMT)
Last updated
Version
: March 2011
: 00-02/2011/v1
1|Pa ge
Phase 1 Strategic Planning and Risk Identification

Form 01-01: Government Risk Model
GOVERNMENT RISK MODEL
Objective
Part of the Strategic Planning and Risk Identification process of the Integrated Results and Riskbased Audit (IRRBA) is the identification of government risks. This activity will be conducted
annually, supervised by the Assistant Commissioners and attended by directors from the
following sectors/offices:
National Government Sector (NGS)
Corporate Government Sector (CGS)
Local Government Sector (LGS)
Regional Offices
Fraud and Investigation office (FAIO)
Special Audits Office (SAO)
Information Technology Office (ITO)
Technical Services Office (TSO)
The Government Risk Model is introduced to guide the participants in the identification of
government risks. The Government Risk Model is a comprehensive list of risks that a
government may encounter which could threaten the achievement of its mandate and
objectives.
This model shall be regularly reviewed, updated and customized to consider changes in the
public sector environment, as well as to consider the impact of new standards, laws, rules and
regulations.
*The COA shall identify the process champion in this activity, which will ensure the maintenance and updating of this
tool.
Accomplishing this tool

Risk Listing
- The Risk Listing is a table of government risks divided into the following risk categories:
a. Strategic
b. Operations
c. Compliance
d. Financial
Last updated
Version
: March 2011
: 01-01/2011/v1
1|Page

The table lists down all potential risks that the government may face. Therefore, there are
risks that may be identified as a risk of the government in the current audit period that was
not identified in the preceding audit period. In either case, the risk listing shall be
maintained regardless of the existence of the risk at the time of the identification. Likewise,
the list shall be regularly updated to include emerging risks that may affect the
achievement of the governments mandate and objectives.
Risk Definition
- Customize/create the definition of the risks based on the nature of the risk.
a. Risk Title The label for the risks identified shall be properly chosen to reflect the nature
of the risk even by just looking at the risk title.
b. Risk Description - The risk description shall be clear on the cause and effect of the risk
once it materializes. The risk definition shall be generic in nature and shall avoid including
process-level effects to not limit/restrict the risk descriptions.
NOTE: The items in the succeeding pages are just samples to illustrate the tool. It does not represent any factual
data nor any result of prior audit projects.
Last updated
Version
: March 2011
: 01-01/2011/v1
2|Page
Last updated
Version
: March 2011
: 01-01/2011/v1

3|Page

GOVERNMENT RISK MODEL

Prepared by
Date
Reviewed by
Date
Approved by
Date
Strategic
Operations
Public service and operations
Customer/public satisfaction
Channel effectiveness
Cycle time
Service failure
Efficiency
Capacity
Performance measure/gap
Partnering/contracting
Citizen relationship management
system and organization
Corruption and fraud
Planning and resource allocation

Organizational structure
Strategic planning
Operational planning
Budgeting
Forecasting
Resource allocation
Capital/fund availability
Operational model
Operational portfolio
Outsourcing
Major initiatives
Vision and direction
Planning and execution
Measurement and monitoring
Technology implementation
Project evaluation
Change readiness
Climate change and sustainability initiatives
Education
Healthcare services delivery
Energy and water management
(supply/distribution)
Environment dynamics
Economic changes
Financial market
Sovereign/political
Customer/public wants
Technological innovation
Environment scan
Agency environment/industry
Sensitivity
Market dynamics
Macroeconomic factors
Lifestyle trends
Sociopolitical
Technology changes
Communication and public relations
Media relations
Public relations
Crisis communications
Employee communication
Last updated
Version
People
Culture
Recruiting and retention
Development and performance
Succession planning
Knowledge capital
Compensation and benefits
Performance incentives
Health and safety
Information technology
Information management
Security/access
Availability/continuity
Integrity
Infrastructure
Hazards
Natural events
Terror and malicious acts
Physical assets
Real estate
Property, plant and facilities
Maintenance and performance
Inventory
: March 2011
: 01-01/2011/v1
Compliance
Mandate
Functions
Governance
Board performance/Agency
Management Committee
Tone at the top
Authority/limit
Control environment
Corporate social responsibility
Reputation
Code of conduct
Ethics
Fraud
Employee/third party fraud
Illegal acts
Management fraud
Unauthorized use
Legal
Contract
Liability
Intellectual property
Anticorruption
Legal
Regulatory
Trade
Customs
Procurement
Road-right of way (RROW )Acquisition
Labor
Securities
Environment
Data protection and privacy
International
Product/service quality
Health and safety
Competitive practice/antitrust
Financial
Market
Interest rate
Foreign currency
Commodity
Financial instrument
Public policies
Debt and fiscal policy
Liquidity and credit
Cash management
Opportunity cost
Funding
Hedging
Credit and collections
Insurance
Foreign assisted loan
Accounting and reporting
Accounting, reporting and disclosure
Internal control
Investment evaluation
Tax strategy and planning
Capital structure
Debt
Equity
Pension funds
4|Page

Risk Definition
RISK TITLE
RISK DESCRIPTION
STRATEGIC
Planning and Resource Allocation
Strategic planning
The overall structure of the government instrumentalities does not

support the achievement of strategic objectives in an efficient manner.
This risk pertains to the inability to discover, evaluate and select among
alternatives to provide direction and allocate resources for effective
execution to achieve the strategic objectives of the government.
This risk pertains to the misalignment of operating plans and execution
to strategic planning. There is also a lack of information needed to make
the right decisions.
This risk pertains to the inability to effectively budget for new and
existing initiatives that support the overall strategic goals and objectives
for growth, expansion, acquisition for public welfare.
Budgeting
It also pertains to the inability to effectively budget for programs and
projects that would meet the governments Medium Term Philippine
Development Plan (MTPDP).
Forecasting
This risk pertains to the inability to forecast financial information to

enable the allocation of resources to new and existing initiatives.
Resource allocation
Unavailability and inappropriateness of resource allocation process

prohibits the governments ability to provide value for public.
Insufficient access to fund threatens the governments capacity to grow,

execute its strategies and achieve its objectives.
Operational model
Outsourcing
The government has an obsolete operation model and does not

recognize it and/or lacks the information needed to make an up-to-date
assessment of its current model and build a compelling operational case
form modifying that model in a timely manner.
Lack of relevant and reliable information that enables agency
management to effectively prioritize its services or balance its operations
in a strategic context may preclude a diversified agency from maximizing
its overall performance.
Outsourcing activities to third parties may result in the third parties not
acting within the intended limits of their authority or not performing in a
manner consistent with the governments strategies and objectives.
Major initiatives
This risk pertains to the failure to establish a vision and direction for
major initiatives, including services, products and programs that will
drive future growth. It also pertains to failure to establish project
acceptance criteria and adequately measure against the criteria.
This risk pertains to the failure to plan and execute major initiatives due
in a coordinated manner.
Last updated
Version
: March 2011
: 01-01/2011/v1
5|Page
RISK TITLE

RISK DESCRIPTION
This risk pertains to the failure to identify appropriate metrics and assess
performance, quality and adherence to the standards as set forth by the
government.
This risk pertains to the failure of a major technology implementation to

meet the organizations strategic objectives.
Project evaluation
Failure to evaluate project proposals may result in problems when the

project has been approved.
Change readiness
Climate change and
sustainability initiatives
The people within the government are unable to implement process and
service improvements quickly enough to keep pace with changes in the
public environment.
Failure to foresee changes in the environment and establish initiatives to
keep pace with biological changes may result in operations
discontinuance and degradation.
Environment Dynamics
Economic changes
Economic changes such as lower economic growth reduce tax revenue

and opportunities to provide a wide range of services or limit the
availability or quality of existing services.
Financial market
Movements in prices, rates, indices and the like threaten the value of the
agencys financial assets.
Sovereign/political
Environment scan
Adverse political actions in a country in which the agency has invested

significantly is dependent on a significant volume of operation or has
entered into a significant agreement with a counterparty subject to the
laws of that country threaten the agencys resources and future cash
flows.
This risk pertains to the changing pervasive public needs and wants that
the agency is not aware of, e.g., increased demand for faster turnaround
on services.
The agency is not leveraging advancements in technology in its
operations to achieve or sustain advantage. The agency may also be
exposed to the actions of another agency or substitute that does not
leverage technology to attain superior quality, cost and/or time
performance in their services processes.
Failure to monitor the external environment or formulation of unrealistic
or erroneous assumptions about environment risks may cause the
agency to retain operation strategies long after they have become
obsolete.
Agency environment/Industry
This risk pertains to the changes in opportunities and threats, and other
conditions affecting the agencys environment.
Sensitivity
Overcommitment of resources and expected future cash flows threatens

the agencys capacity to withstand changes in the environment (e.g.,
interest rates, public demand, changes in regulations and so on) forces.
Market Dynamics
Macroeconomics factors
This risk pertains to the factors relating to macroeconomic conditions

that affect the ability to maintain or increase revenue and profitability in a
specific agency environment.
Lifestyle trends
This risk pertains to the failure to anticipate and respond to changes in

overall trends related to lifestyle demands of consumers.
Last updated
Version
: March 2011
: 01-01/2011/v1
6|Page
RISK TITLE
Sociopolitical
Technology changes

RISK DESCRIPTION
This risk pertains to the exposure to social and political factors within a
market environment that affect the ability to market, sell and deliver
products and services.
This risk pertains to the dramatic changes in current technologies that
may impact the market viability or demand of current products and
services offered by the agency.

Media relations
This risk pertains to the inability to anticipate and manage shifts in the
information stakeholders wants and the way in which they want it
communicated to them. It also pertains to the ineffective ongoing,
transparent communications with the public in order to create goodwill.
Public relations
A decline in customer/public confidence threatens the agencys capacity

to efficiently raise or collect funds.
This risk pertains to the failure to communicate the right message in an

effective manner to recover and maintain agency operations in the event
of a crisis or disruption due to physical or natural circumstances.
Employee communications
This risk pertains to the inability to understand and respond to the

communication needs of different employees.
OPERATIONS
Public Service and Operations
A lack of focus on the customer/ public threatens the agencys capacity

to meet or exceed the customers/ publics expectations.
Poorly performing or positioned channels access threaten the agencys

capacity to effectively and efficiently service the customer/ public.
Cycle time
Unnecessary activities threaten the agencys capacity deliver services in

a timely manner.
Service failure
Faulty or non-performing services expose the agency to customer/public

complaints, litigation, and loss of revenues and agency reputation.
Efficiency
Inefficient operations threaten the agencys capacity to deliver services

at the lowest cost and shortest time possible.
Capacity
Insufficient capacity threatens the agencys ability to meet

customer/public demands, or excess capacity threatens the agencys
ability to generate competitive profit margins.
Inability to perform at world-class levels in terms of quality, costs and/or
cycle time due to inferior operating practices threatens the demand for
the agencys services.
Inefficient or ineffective external relationships affect the agencys
capacity to serve. These uncertainties arise due to choosing the wrong
partner, poor execution, taking more than what is given (resulting in loss
of a partner) and failing to capitalize on partnering opportunities.
People
Last updated
Version
: March 2011
: 01-01/2011/v1
7|Page
RISK TITLE

RISK DESCRIPTION
Culture
This risk pertains to the failure to establish a culture that is consistent

with management philosophy and that encourages integrity, values, and
ethical competence.
This risk pertains to the failure to attract, hire and retain the qualified
resources to optimize execution of the organization's objectives.
Succession planning
Knowledge capital
Performance Incentives
Health and safety
This risk pertains to the inability to develop and enhance employee skills
and provide performance management that ensures optimal
achievement of organizational strategies, goals and objectives.
This risk pertains to the failure to create and implement an effective
succession plan for senior executive and other key positions and
employees throughout the organization. It also pertains to the failure to
align succession planning with strategic planning and leadership
development objectives).
Processes for capturing and institutionalizing learning across the
agency are either non-existent or ineffective, resulting in slow response
time, high costs, repeated mistakes, slow development, constraints on
growth and unmotivated employees.
Failure to provide a total compensation package (base salary,
annual/long-term incentive, benefits/perquisites) that are market
competitive, aligned to agency and compensation strategies and retain
and motivate employees to achieve desired results.
Unrealistic, misunderstood, subjective or non-actionable performance
measures may cause senior management, division heads and
employees to act in a manner inconsistent with the agencys objectives,
strategies, and ethical standards, and with prudent agency practice.
Failure to provide a safe working environment for its workers exposes
the agency to compensation liabilities, loss of operational reputation and
other costs.
Information and technology

Security/access
Failure of Information systems to adequately protect the critical data and

infrastructure from theft, corruption, unauthorized usage, viruses, or
sabotage.
The inability to recover from, and continue uninterrupted operations in

the event of extraordinary events, systems and implementation failures.
Integrity
Information systems that do not provide reliable information when it is

needed or perform so slowly that operations are not efficient.
Infrastructure
The computer and telecommunications systems with supporting

software do not capture, retain and transfer data in a secure and reliable
environment and do not meet the expected requirements of the agency
at a reasonable cost.
Hazards
Natural events
Last updated
Version
Threat to disrupt operation and ability of the agency to sustain

operations, provide essential services or recover operating costs or
accomplish planned target due to natural events (e.g., fire, earthquake,
tornado).
Threat to disrupt operation and ability of the agency to sustain
operations, provide essential services or recover operating costs or
accomplish planned target due to terrorist activities or other malicious
acts.
: March 2011
: 01-01/2011/v1
8|Page
RISK TITLE

RISK DESCRIPTION
Physical assets
Failure to provide physical protection and stewardship over real estate
designed to optimize longevity and utilization.
Real estate
Inventory
Failure to provide physical protection and stewardship over long-lived

assets (such as buildings, furniture, fixtures, machinery, equipment and
other assets) designed to optimize longevity and utilization.
Failure to provide physical protection and stewardship over inventories
designed to optimize utilization while minimizing obsolescence,
contamination, etc.
COMPLIANCE
Mandate
Failure to align process objectives and performance measures with the
mandate of the agency, its objectives and strategies may result in
conflicting, uncoordinated activities throughout the agency.
Function
Governance
management committee
Tone at the top
Authority/limit
Failure of Board of Directors to discharge their obligations and duties

owed to the agency and its stakeholders in good faith; and to possess
adequate knowledge to interpret and act on the information provided.
Senior management fails to establish an environment that encourages
integrity, ethical values, and competence of the agency's people through
management's philosophy and operating style, assignment of authority
and responsibility, and the organization and development of its people.
Ineffective lines of authority may cause senior management, division
heads or employees to do things they should not do or fail to do things
they should.
Control environment
Failure to establish and maintain an internal control environment which

aligns with stakeholder and regulatory expectations.
The mismanagement of "socially responsible" activities (e.g., conducting

social responsibility training for management of manufacturers,
undertaking environmental programs, participating in community
initiatives) resulting in an unfavorable agency perception with
stakeholders, customers, suppliers, agency partners, employees and the
regulatory community.
Reputation
Damage to the Agencys reputation exposes it to loss of customer/

public trust, profits and the ability to grow.
Code of conduct
Ethics
The absence of formal standards of employee behavior that are

intended to direct and influence the way agency operation is conducted,
above and beyond the letter of the law.
Fraud
Potential unethical acts committed by agency employees or other

stakeholders may negatively impact the agency's reputation.
Employee/Third Party Fraud
Fraudulent activities perpetrated by employees, suppliers, agents, or

third-party administrators against the agency for personal gain (e.g.,
misappropriation of physical, financial or information assets) expose the
agency to financial loss.
Last updated
Version
: March 2011
: 01-01/2011/v1
9|Page
RISK TITLE
Illegal Acts
Management Fraud
Unauthorized Use

RISK DESCRIPTION
Illegal acts committed by senior management, division heads or
employees expose the agency to fines, sanctions, and loss of public
trust, profits and reputation, etc.
Management Fraud (e.g., intentional misstatement of financial
statements or critical reports) may adversely affect stakeholders
decisions.
Unauthorized use of the agencys physical, financial or information
assets by employees or others exposes the agency to unnecessary
waste of resources and financial loss.
Legal
Contract
Entering into contracts that are unfavorable to the agency; and the
failure to comply with and monitor contract terms to protect the agency
from financial losses.
Liability
A responsibility, duty or obligation that may result in lawful consideration

to provide satisfaction, compensation or other form of restitution.
Failure to create, capture, enhance, leverage and protect the collective

knowledge, expertise and ideas of agency employees valued as nonphysical assets.
Anticorruption
Failure to create an agency environment which is opposed to corruption,

and instill agency practices which prevent corruption.
Legal
Changing laws threaten the agencys capacity to consummate important

transactions, enforce contractual agreements or implement specific
strategies and activities.
Regulatory
Failure to identify and prevent legal risks posed by noncompliance with
governmental and International regulatory requirements for Trade
Practices e.g., anti-dumping and trade policy.
Failure to identify and prevent legal risks posed by noncompliance
With governmental and International regulatory requirements for
Customs.
Trade
Customs

the government procurement reform act.
Procurement
Road-right of way (RROW)
acquisition
Labor

governmental and International Securities regulatory requirements.
Securities
Environment
Last updated
Version
Failure to implement infrastructure projects due to RROW problems and

risks posed by non-compliance with Comprehensive and Continuing
Urban development and Housing Program (RA 7279)
governmental and International regulatory requirements for Labor rules
and regulations, including taxes, wages, antidiscrimination, Family and
Medical Leave, workplace violence etc.

governmental and International Environmental regulations e.g.,
noncompliance with ISO 4001 standards.
Failures to identify and prevent legal risks posed by, and prevent noncompliance with privacy rules and regulations standards resulting in
improper disclosure of confidential customer information.
: March 2011
: 01-01/2011/v1
10 | P a g e
RISK TITLE

RISK DESCRIPTION
Exposure to geo-political, regulatory and fraud risks via international
business dealings.
International
Health and safety

governmental and International regulatory requirements for
product/service quality and safety.
governmental and International rules and regulations for health and
safety.
Failures to identify and prevent legal risks posed by, and prevent noncompliance with, government and international rules and regulations for
competitive practices/ anti-trade. Lack of awareness of statutory and
regulatory application of export & customs policies and requirements.
FINANCIAL
Market
Interest rate
Unfavorable price paid per unit of funds borrowed or the rate of return
received on invested assets, or interest rate fluctuations beyond
projected range.
Foreign currency
Unfavorable fluctuations in the currency of another market that is

needed to carry out international transactions.
Commodity
Unfavorable fluctuations in the price of raw materials or other

commodities used in product development/service delivery that are not
anticipated and managed.
Financial market risk can vary depending on the particular segment of
the market to which the holder of a financial instrument is exposed, or
the way in which the exposure is structured.

Cash management
Failure to efficiently and effectively administer and manage cash flows to

maintain adequate liquidity to meet obligations.
The use of funds in a manner that leads to the loss of economic value,
including time value losses, transaction costs and other causes of loss of
value.
Failure to meet the requirements of a portfolio of capital investments and
obligations based on specified commitments or in accordance with terms
of an agreement (i.e. retirement and capital accounts).
Opportunity cost
Funding
Failure to receive appropriate funds to finance programs and projects.

Hedging
Failure to purchase or undertake sale transactions that effectively

minimize profits or losses arising from price fluctuations.
Inability to obtain the optimal level of payment received as a result of a

prior agency transaction.
Insurance
Insurance coverage fails to protect the agency from significant financial

losses due to incidents and claims.
Last updated
Version
: March 2011
: 01-01/2011/v1
11 | P a g e
RISK TITLE

RISK DESCRIPTION
Incomplete, inaccurate and/or untimely reporting of required financial
and operating information to other regulatory agencies may expose the
agency to fines, penalties and sanctions.
Accounting, reporting and

disclosure
Internal control
Over-emphasis on financial accounting and other information to

manage the operations may result in the manipulation of outcomes to
achieve targets at the expense of not meeting public expectation, quality
and efficiency objectives.
Significant or material weaknesses resulting from inadequate financial
internal controls impacting management's assessment and reporting
under country regulations.
Lack of relevant and/or reliable information supporting investment
decisions and linking the financial risks accepted to the capital at risk,
may result in poor short- or long-term investments.
Failure to properly evaluate and execute tax planning strategies.
Misalignment of tax objectives and strategies with overall agency
objectives, strategies and initiatives.
Capital structure
Debt
Potential over reliance on borrowing from creditors to provide adequate

working capital for agency objectives and/or to cover current operating
obligations resulting in an unfavorable debt to equity ratios.
Equity
Inability to offer marketable securities appropriately priced for the

enterprise's value.
Pension funds
Inability to identify, establish and maintain the optimal structure for

pension funds.
Last updated
Version
: March 2011
: 01-01/2011/v1
12 | P a g e

Form 01-02 Government Risk Identification Template
GOVERNMENT RISK IDENTIFICATION TEMPLATE

Objective
The Government Risk Identification Template (GRIT) is used to document the significant
government risks identified for a particular audit period, as well as the basis of selecting
those particular risks, and the agencies and programs or activities affected. By having all of
this information in one sheet, it facilitates ease of summary and discussion with the
participants during the identification of significant government risks as well as increased
efficiency and effectiveness in tracing the effects of those risks.
This template if carefully and exhaustively accomplished will facilitate a unified thrust for the
COA in conducting government auditing.
The GRIT once accomplished shall be cascaded to all audit clusters and concerned offices
through the COAs Annual Strategic Planning for inclusion in the Agency Audit Planning and
Risk Assessment.
Accomplishing this tool is critical to document the high-level inputs from COA directors
assigned in the audit of agencies representing the three audit sector, regions, and auditors
performing Government-wide and Sectoral Performance Audit (GWSPA) and Fraud Audit.
Government Objective
- Identify the objectives of the government as identified in the State of the Nation
Address (SONA), Medium-Term Philippine Development Plan (MTPDP), MediumTerm Public Investment Program (MTPIP) and so on.
Key Government Risk
- Participants may use the Government Risk Model to identify the key government risks
(risk category, risk title and risk definition)
Basis of Selection
- Indicate the basis or reason why the risk was considered as significant.
Relevant data may also be obtained from the following:
COA direction
Sector Strategic Action Plan
ast updated
Version
: March 2011
: 01-02/2011/v1
1|Page

SONA
MTPDP/MTPIP
Government Risk Model
Sector risks
Media releases and media reports
Fraud and geographic risks
Government-wide and sectoral programs and activities
Knowledge of the auditors
Name of Agency
- Indicate the agencies affected by the risks identified. Auditors may also refer to other
outputs of government instrumentalities (e.g., Updated Strategy Planning Matrices for
the MTPDP of NEDA).
Government Program, Activity or Project
- Relate the government program/activity affected by the risk identified. It could be a
program of one agency or inter-agency project.
ast updated
Version
: March 2011
: 01-02/2011/v1
2|Page

GOVERNMENT RISK IDENTIFICATION TEMPLATE

For the Audit Period 20XX
Prepared by
__________________________________________________
Date
Reviewed by
__________________________________________________
Date
Approved by
__________________________________________________
Date
Key Government Risk

Government Objective
Risk
Category
Basis of Selection
Risk Title
Risk Definition
Name of Agency
Government
Program, Activity or Project
Key Risk 1
Key Risk 2
Key Risk 3
Key Risk 4
Key Risk 5
Key Risk 6
Key Risk 7
Key Risk 8
Key Risk 10
Key Risk 11
Key Risk 12
Last updated
Version
: March 2011
: 01-02/2011/v1
3|Page
Phase 2 Agency Audit Planning and Risk Assessment

Form 02-01: Agency Audit Workstep
AGENCY AUDIT WORKSTEP
Auditee
__________________________________________________
Audit Period
__________________________________________________
Prepared By
__________________________________________________
Date Prepared:
___________________
Reviewed By
__________________________________________________
Date Reviewed:
___________________
Approved By
__________________________________________________
Date Approved:
___________________
Activity
Last updated
Version
WP
Ref.
: March 2011
: 02-01/2011/v1
Person
Responsible
Output
J
Target Date to Accomplish

Year
A
M
J
J
A
S
Remarks
O
1|P a ge

Form 02-02: Understanding the Agency Template
UNDERSTANDING THE AGENCY TEMPLATE

Objective
We obtain our understanding by performing review, inquiry, analytical procedures, observation
and inspection.
This template enables us to document our understanding of the agency and its environment and
assist in identifying risks of material misstatement. We document the identified inherent and/or
significant risks in this template.
The Understanding the Agency (UTA) can be used in conjunction with our meeting(s) with the
agency during the planning of the engagement. When we complete the UTA, we:
Consider the use of available industry or sector knowledge
Customize the UTA to each engagement
For future engagements, we base our understanding of the agency and its environment on prior
period knowledge. We update our understanding by focusing on the significant changes in the
agency and its environment in the current period and reflect those changes within the UTA
brought forward from the prior period.
Agency Profile
A. Mandate State the relevant law, rule or regulation mandating the purpose of the
establishment of the agency.
B. Operations Provide a brief description of the agencys operations and critical agency
processes.
C. Structure - Describe the Agencys organizational structure and its relation to other key
government agencies. (Attach the Agencys organizational structure, as necessary)
D. Objectives and Strategies State the objectives and strategies of the Agency. Evaluate
if these objectives and strategies are aligned with the mandate of the Agency.
E. Key Stakeholders List stakeholders, or unified stakeholder groups, whose expectations
or actions (or inactions) can significantly influence management or affect the agency
objectives and strategies (and/or the ability of the agency to meet its objectives and
strategies)
F. Key Environmental Factors Briefly describe the environment of the agency and how
the operations of the Agency are affected/influenced by environmental factors.
Examples of environment to be reviewed are:
Last updated : March 2011
Version
: 02-02/2011/v1
1|Pa ge

Political Environment
Social Environment
Legal and Regulatory Environment
Technological Environment
OPIF/Program Accountability Model Show the Organizational Performance Indicator

Framework of the agency if there is any or the Program Accountability Model developed.
Key Performance Indicators - The key results identified and monitored by management,
generally few in number, that must be achieved to conclude that a strategy has been
implemented successfully. Key performance indicators also refer to the targeted Major
Final Outputs (MFO) as agreed in their Organizational Performance Indicator Framework
(OPIF).
Accounting Policy Provide brief description of key accounting policies applied, including
financial reporting standards or changes in the agencys accounting policies and reasons
for such changes. We evaluate whether the agencys accounting policies are appropriate
and consistent with the applicable financial reporting framework.
Previous Audit Findings Include significant audit findings from previous audits that may still
exist in the agency.
Recent Developments/ News Include any pertinent news or publication about the agency and
indicate the possible impact or risk that may arise on the Agency.
Analytic Review Evaluations of financial and non-financial information through analysis of
plausible relationships among both financial and non-financial data. Analytical procedures
also encompass such investigation as is necessary of identified fluctuations or relationships
that are inconsistent with other relevant information or that differ from expected values by a
significant amount.
A. Financial
Financial Statement Account indicate the financial statement accounts of the
Agency
Current Year indicate the current account balance of the financial statement
account
Prior Year indicate the previous years balance of the financial statement account
Variance (Amount) the amount of difference between the current year and previous
year balance
Version
: 02-02/2011/v1
2|Pa ge

Variance (%) the percentage increase or decrease from previous years balance
(Formula is Amount of Variance/Prior Year balance)
Remarks indicate the reason for the significant increase or decrease in the account
balance
B. Performance
Performance indicators indicate the performance indicator applicable to the
Agency. Examples of performance indicators are Asset Turnover, Inventory
Turnover, Return on Asset and Return on Equity. Should the Agency have an OPIF
structure, we should consider the Major Final Outputs as part of the performance
indicators.
Actual refers to the actual achievement of the Agency on its performance indicator
Budget/Target pertains to the planned or targeted performance expected from the
Agency.
Variance (Amount) the amount of difference between the actual and
budgeted/targeted amounts.
Variance (%) the percentage increase or decrease from the budgeted/targeted
amount (Formula is Amount of Variance/Budgeted or Targeted amount)
Remarks Indicate the reason for any significant increase or decrease from the
budgeted or targeted amount.
PAPs Review This is a review of each PAP of the agency by understanding the details and
overview of the PAP including its objectives. An analytic review on the performance of the
PAP is also included to determine specific areas in the PAP that require audit focus.
UTA Summary
A. UTA Reference States the part/component of the UTA where the information was
taken from.
B. Identified Agency Risk Indicates the agency risks (risk title and risk statement)
identified while understanding the agency. Audit teams may also use the Agency Risk
Model as a reference in plotting the agency risks identified at this point.
C. Impact on the Agency States the impact of risk to the agency if it materializes based
on your initial understanding.

Version
: 02-02/2011/v1
3|Pa ge

UNDERSTANDING THE AGENCY TEMPLATE

Agency:
Prepared by:
Audit Period:
Reviewed by:
Date
Date
Approved by:
Date
AGENCY PROFILE
A. Mandate
B. Operations
C. Structure
D. Objectives and Strategies

Objectives

Version
: 02-02/2011/v1
Strategies
4|Pa ge

E. Key Stakeholders
F. Key Environmental Factors

Political Environment
Social Environment
Legal and Regulatory Environment
Technological Environment
OPIF/ PROGRAM ACCOUNTABILITY MODEL
MFOs/ KEY PERFORMANCE INDICATORS

Version
: 02-02/2011/v1
5|Pa ge

ACCOUNTING POLICIES
PREVIOUS AUDIT FINDINGS
RECENT DEVELOPMENTS/ NEWS

Recent Developments/ News

Version
: 02-02/2011/v1
Impact on the Agency
6|Pa ge

Form 02-02 Understanding the Agency Template
ANALYTIC REVIEW
Analytical procedures performed may include both financial and non-financial information Our analytical procedures performed provide a basis for
designing and implementing audit procedures that respond to the assessed risks of material misstatement. However, overall analytical procedures
may use data aggregated at a high level and therefore the results only provide an initial indication about whether a risk of material misstatement
exists.
a. Financial
Financial Statement Accounts
Last updated
Version
: March 2011
: 02-02/2011/v1
Current Year
Prior Year
Variance
Amount
Remarks
7|P a ge

Form 02-02 Understanding the Agency Template
b. Performance
Performance Indicators
Actual
Budget/ Target
Variance
Amount
%
Remarks
Major Final Outputs
Last updated
Version
: March 2011
: 02-02/2011/v1
8|P a ge

PAPs REVIEW
a. Program/Project Details
Program/ Project:
Objectives:
Total Budget:
Duration:
Project Overview:
b. Performance Indicators
Performance
Indicators
Actual
Budget/Target
Variance
Amount
Remarks
Financial
Non-financial
Last updated
Version
: March 2011
: 02-02/2011/v1
9|Pa ge

UTA SUMMARY
UTA Ref.
Last updated
Version
Identified Agency Risk

Risk Title
: March 2011
: 02-02/2011/v1
Risk Statement
Impact on the Agency
10 | P a g e

Form 02-03: Agency Risk Model
AGENCY RISK MODEL
Objective
The Agency Risk Model is a tool to guide the audit team of a particular agency in the
identification of agency risks. The Agency Risk Model is a comprehensive list of risks that an
agency may encounter which could threaten the achievement of its mandate and objectives.
This model shall be regularly reviewed, updated and customized to consider changes in the
public sector environment as well as to consider the impact of new standards, laws, rules and
regulations.
Accomplishing this Tool
Risk Reference Number
- Assign a risk reference number for each agency risk identified. The risk reference number
would serve as a reference for the auditors to easily identify agency risks. Develop a risk
reference for the identified risk per risk category (strategic, operations, compliance,
financial).
Risk Listing
- The Risk Listing is a table of agency risks divided into the following risk categories:
a. Strategic
b. Operations
c. Compliance
d. Financial
The table lists down all potential risks that the agency may face. Therefore, there are risks
that may be identified as a risk of the agency in the current audit period that was not
identified in the preceding audit period. In either case, the risk listing shall be maintained
regardless of the existence of the risk at the time of the identification. Likewise, the list
shall be regularly updated to include emerging risks that may affect the achievement of
the agencys mandate and objectives.
Last updated
Version
: March 2011
: 02-03/2011/v1
1|Page

Risk Definition
- Customize/create the definition of the risks based on the nature of the risk.
a. Risk Title The label for the risks identified shall be properly chosen to reflect the nature
of the risk even by just looking at the risk title.
b. Risk Description - The risk description shall be clear as to cause and effect of the risk
once it materializes. The risk definition shall be generic in nature and shall avoid including
process-level effects that limits/restricts the risk descriptions.
NOTE: The items in the succeeding pages are just samples to illustrate the tool. It does not represent any factual
data nor any result of prior audit projects.
Last updated
Version
: March 2011
: 02-03/2011/v1
2|Page

AGENCY RISK MODEL

Prepared by
Date
Reviewed by
Date
Approved by
Date
Strategic
Operations
Public service and operations
Cycle time
Service failure
Efficiency
Capacity
Citizen relationship management
system and organization
Corruption and fraud
Planning and resource allocation

Strategic planning
Budgeting
Forecasting
Resource allocation
Operational model
Outsourcing
Major initiatives
Project evaluation
Change readiness
Climate change and sustainability initiatives
Education
Healthcare services delivery
Energy and water management
(supply/distribution)
Environment dynamics
Economic changes
Financial market
Sovereign/political
Environment scan
Agency environment/industry
Sensitivity
Market dynamics
Macroeconomic factors
Lifestyle trends
Sociopolitical
Technology changes
Media relations
Public relations
Employee communication
Last updated
Version
People
Culture
Succession planning
Knowledge capital
Performance incentives
Health and safety
Information technology
Information management
Security/access
Integrity
Infrastructure
Hazards
Natural events
Physical assets
Real estate
Maintenance and performance
Inventory
: March 2011
: 02-03/2011/v1
Compliance
Mandate
Functions
Governance
Management Committee
Tone at the top
Authority/limit
Control environment
Reputation
Code of conduct
Ethics
Fraud
Employee/third party fraud
Illegal acts
Management fraud
Unauthorized use
Legal
Contract
Liability
Anticorruption
Legal
Regulatory
Trade
Customs
Procurement
Road-right of way (RROW )Acquisition
Labor
Securities
Environment
International
Health and safety
Financial
Market
Interest rate
Foreign currency
Commodity
Public policies
Debt and fiscal policy
Cash management
Opportunity cost
Funding
Hedging
Insurance
Foreign assisted loan
Accounting, reporting and disclosure
Internal control
Capital structure
Debt
Equity
Pension funds
3|Page

Risk Definition
RISK
REF. NO.
RISK TITLE
RISK DESCRIPTION
STRATEGIC
Planning and Resource Allocation
S1
Organizational
structure
The overall structure of the agency instrumentalities does not support the
achievement of strategic objectives in an efficient manner.
S2
Strategic planning
This risk refers to the inability to discover, evaluate and select among
alternatives to provide direction and allocate resources for effective
execution to achieve the strategic objectives of the agency
S3
This risk refers to the misalignment of operating plans and execution to

strategic planning. Lack of information needed to make the right decisions.
This risk refers to the inability to effectively budget for new and existing
initiatives that support the overall strategic goals and objectives for growth,
expansion, acquisition for public welfare.
S4
Budgeting
It also refers to the inability to effectively budget for programs and projects
that would meet the agencys Medium Term Philippine Development Plan
(MTPDP).
S5
Forecasting
This risk refers to the inability to forecast financial information to enable the
allocation of resources to new and existing initiatives
S6
Resource allocation
Unavailability and inappropriateness of resource allocation process

prohibits the agencys ability to provide value for public.
S7
Insufficient access to fund threatens the agencys capacity to grow, execute

its strategies and achieve its objectives.
S8
Operational model
S9
S10
Outsourcing
The agency has an obsolete operation model and doesnt recognize it

and/or lacks the information needed to make an up-to-date assessment of
its current model and build a compelling operational case form modifying
that model on timely basis.
Lack of relevant and reliable information that enables agency management
to effectively prioritize its services or balance its operations in a strategic
context may preclude a diversified agency from maximizing its overall
performance.
Outsourcing activities to third parties may result in the third parties not
acting within the intended limits of their authority or not performing in a
manner consistent with the agencys strategies and objectives.
Major initiatives
S11
This risk refers to the failure to establish a vision and direction for major
initiatives, including services, products and programs that will drive future
growth. It also refers to the failure to establish project acceptance criteria
and adequately measure against the criteria.
S12
Planning and
execution
This risk refers to the failure to plan and execute major initiatives due in a
coordinated manner.
S13
Measurement and
monitoring
This risk refers to the failure to identify appropriate metrics and assess
performance, quality and adherence to the standards as set forth by the
agency.
Last updated
Version
: March 2011
: 02-03/2011/v1
4|Page
RISK
REF. NO.
RISK TITLE

RISK DESCRIPTION
S14
Technology
implementation
This risk refers to the failure of a major technology implementation to meet

the strategic objectives of the organization.
S15
Project evaluation
Failure to evaluate project proposals may result in problems when the

project has been approved.
S16
Change readiness
S17
Climate change and

sustainability initiatives
The people within the agency are unable to implement process and service
improvements quickly enough to keep pace with changes in the public
environment.
Failure to foresee changes in the environment and establish initiatives to
keep pace with biological changes may result in stop operations and
degradation
Environment Dynamics
S18
Economic changes
Economic changes, such as lower economic growth, reduce tax revenue

and opportunities to provide a wide range of services or limit the availability
or quality of existing services.
S19
Financial market
Movements in prices, rates, indices and the like threaten the value of the
agencys financial assets.
S20
Sovereign/political
Adverse political actions in a country in which the agency has invested

significantly, is dependent on a significant volume of operation or has
entered into a significant agreement with a counterparty subject to the laws
of that country threaten the agencys resources and future cash flows.
S21
The agency may not be aware of changing pervasive public needs and
wants, e.g. increased demand for faster turnaround on services.
S22
Technological
innovation
S23
Environment scan
S24
Agency
environment/Industry
This risk refers to the changes in opportunities and threats, and other
conditions affecting the agencys environment.
S25
Sensitivity
Over commitment of resources and expected future cash flows threatens

the agencys capacity to withstand changes in environment (e.g., interest
rates, public demand, changes in regulations) forces.
The agency is not leveraging advancements in technology in its operations

to achieve or sustain advantage or is exposed to the actions of other
agencys or substitutes that do not leverage technology or to attain superior
quality, cost and/or time performance in their services processes.
Failure to monitor the external environment or formulation of unrealistic or
erroneous assumptions about environment risks may cause the agency to
retain operation strategies long after they have become obsolete.
Market Dynamics
S26
Macroeconomics
factors
This risk refers to factors relating to macroeconomic conditions that affect

the ability to maintain or increase revenue and profitability in a specific
agency environment.
S27
Lifestyle trends
This risk refers to the failure to anticipate and respond to changes in overall
trends related to lifestyle demands of consumers.
S28
Sociopolitical
S29
Technology changes
Last updated
Version
: March 2011
: 02-03/2011/v1
This risk refers to the exposure to social and political factors within a market
environment that affect the ability to market, sell and service products and
services.
This risk refers to the dramatic changes in current technologies that may
impact the market viability or demand of current products and services
offered by the agency.
5|Page
RISK
REF. NO.
RISK TITLE

RISK DESCRIPTION

S30
Media relations
This risk refers to the inability to anticipate and manage shifts in the
information stakeholders want, and the way in which they want it
communicated to them and ineffective ongoing, transparent
communications with the public to create goodwill.
S31
Public relations
A decline in customer/public confidence threatens the agencys capacity to

efficiently raise or collect funds.
S32
This risk refers to the failure to communicate the right message effectively
to recover and maintain agency operations in the event of a crisis or
disruption due to physical or natural circumstances.
S33
Employee
communications
This risk refers to the inability to understand, and respond to, the
communication needs of different employees.
OPERATIONS
Public Service and Operations
O1
Customer/public
satisfaction
A lack of focus on the customer/ public threatens the agencys capacity to

meet or exceed the customers/ publics expectations.
O2
Poorly performing or positioned channel access threaten the agencys

capacity to effectively and efficiently service the customer/ public.
O3
Cycle time
Unnecessary activities threaten the agencys capacity deliver services on a

timely manner.
O4
Service failure
Faulty or nonperforming services expose the agency to customer/public

complaints, litigation, and loss of revenues, and agency reputation.
O5
Efficiency
Inefficient operations threaten the agencys capacity to deliver services at

the lowest cost and shortest time possible.
O6
Capacity
O7
Performance
measure/gap
O8
Insufficient capacity threatens the agencys ability to meet customer/public

demands, or excess capacity threatens the agencys ability to generate
competitive profit margins.
Inability to perform at world-class levels in terms of quality, costs and/or
cycle time due to inferior operating practices threatens the demand for the
agencys services.
Inefficient or ineffective external relationships affect the agencys capacity to
serve; these uncertainties arise due to choosing the wrong partner, poor
execution, taking more than is given (resulting in loss of a partner) and
failing to capitalize on partnering opportunities.
People
O9
Culture
This risk refers to the failure to establish a culture that is consistent with
management philosophy and that encourages integrity, values, and ethical
competence.
O10
Recruiting and
retention
This risk refers to the failure to attract, hire and retain the qualified
resources to optimize execution of the organization's objectives.
O11
Development and
performance
Inability to develop and enhance employee skills and provide performance

management that ensures optimal achievement of organizational strategies,
goals and objectives.
Last updated
Version
: March 2011
: 02-03/2011/v1
6|Page
RISK
REF. NO.
RISK TITLE
O12
Succession planning
O13
Knowledge capital
O14
Compensation and
benefits
O15
Performance
Incentives
O16
Health and safety

RISK DESCRIPTION
This risk refers to the failure to create and implement an effective
succession plan for senior executive and other key positions and
employees throughout the organization. It also refers to failure to align
succession planning with strategic planning and leadership development
objectives).
Processes for capturing and institutionalizing learning across the agency
are either non-existent or ineffective, resulting in slow response time, high
costs, repeated mistakes, slow development, constraints on growth and
unmotivated employees.
This risk refers to the failure to provide a total compensation package (base
salary, annual/long-term incentive, benefits/perquisites) that are market
competitive, aligned to agency and compensation strategies and retain and
motivate employees to achieve desired results.
Unrealistic, misunderstood, subjective or non-actionable performance
measures may cause senior management, division heads and employees
to act in a manner inconsistent with the agencys objectives, strategies, and
ethical standards, and with prudent agency practice.
Failure to provide a safe working environment for its workers exposes the
agency to compensation liabilities, loss of operational reputation and other
costs.
Information and technology

O17
Security/access
O18
O19
Integrity
O20
Infrastructure
Failure of Information systems to adequately protect the critical data and

infrastructure from theft, corruption, unauthorized usage, viruses, or
sabotage.
This risk refers to the inability to recover from, and continue uninterrupted
operations in the event of extraordinary events, systems and
implementation failures.
This risk refers to information systems that do not provide reliable
information when it is needed or perform so slowly that operations are not
efficient.
The computer and telecommunications systems with supporting software do
not capture, retain and transfer data in a secure and reliable environment
and do not meet the expected requirements of the agency at a reasonable
cost.
Hazards
O21
Natural events
O22
Terror and malicious

acts
This risk refers to the threat to disrupt operation and ability of the agency to
sustain operations, provide essential services or recover operating costs or
accomplish planned target due to natural events (e.g., fire, earthquake,
tornado).
This risk refers to the threat to disrupt operation and ability of the agency to
sustain operations, provide essential services or recover operating costs or
accomplish planned target due to terrorist activities or other malicious acts.
Physical assets
O23
Real estate
This risk refers to the failure to provide physical protection and stewardship
over real estate designed to optimize longevity and utilization.
O24
Property, plant and

facilities
over long-lived assets (such as buildings, furniture, fixtures, machinery,
equipment and other assets) designed to optimize longevity and utilization.
Last updated
Version
: March 2011
: 02-03/2011/v1
7|Page
RISK
REF. NO.
O25
RISK TITLE
Inventory

RISK DESCRIPTION
over inventories designed to optimize utilization while minimizing
obsolescence, contamination and so on.
COMPLIANCE
Mandate
C1
Function
Failure to align process objectives and performance measures with the

mandate of the agency, its objectives and strategies may result in
conflicting, uncoordinated activities throughout the agency.
Governance
C2
Board
performance/Agency
management
committee
This risk refers to the failure of the Board of Directors to discharge their
obligations and duties owed to the agency and its stakeholders in good faith
and to possess adequate knowledge to interpret and act on the information
provided.
Senior management fails to establish an environment that encourages
integrity, ethical values, and competence of the agency's people through
management's philosophy and operating style, assignment of authority and
responsibility, and the organization and development of its people.
Ineffective lines of authority may cause senior management, division heads
or employees to do things they should not do or fail to do things they
should.
C3
Tone at the top
C4
Authority/limit
C5
Control environment
This risk refers to the failure to establish and maintain an internal control
environment which aligns with stakeholder and regulatory expectations.
C6
Corporate social
responsibility
This risk refers to the mismanagement of "socially responsible" activities

(e.g., conducting social responsibility training for management of
manufacturers, undertaking environmental programs, participating in
community initiatives) resulting in an unfavorable agency perception with
stakeholders, customers, suppliers, agency partners, employees and the
regulatory community.
C7
Reputation
Damage to the Agencys reputation exposes it to loss of customer/public

trust, profits and the ability to grow.
Code of conduct
C8
Ethics
This risk refers to the absence of formal standards of employee behavior

that are intended to direct and influence the way agency operation is
conducted, above and beyond the letter of the law.
C9
Fraud
Potential unethical acts committed by agency employees or other

stakeholders may negatively impact the agency's reputation.
C10
Employee/Third Party
Fraud
C11
Illegal Acts
C12
Management Fraud
Last updated
Version
: March 2011
: 02-03/2011/v1
This risk refers to the fraudulent activities perpetrated by employees,

suppliers, agents, or third-party administrators against the agency for
personal gain (e.g., misappropriation of physical, financial or information
assets) expose the agency to financial loss.
Illegal acts committed by senior management, division heads or employees
expose the agency to fines, sanctions, and loss of public trust, profits and
reputation and the like.
Management Fraud (e.g., intentional misstatement of financial statements
or critical reports) may adversely affect stakeholders decisions.
8|Page
RISK
REF. NO.
C13
RISK TITLE
Unauthorized Use

RISK DESCRIPTION
Unauthorized use of the agencys physical, financial or information assets
by employees or others exposes the agency to unnecessary waste of
resources and financial loss.
Legal
This risk refers to entering into contracts that are unfavorable to the agency
and the failure to comply with and monitor contract terms to protect the
agency from financial losses.
This risk refers to a responsibility, duty or obligation that may result in lawful
consideration to provide satisfaction, compensation or other form of
restitution.
This risk refers to the failure to create, capture, enhance, leverage and
protect the collective knowledge, expertise and ideas of agency employees
valued as non-physical assets.
C14
Contract
C15
Liability
C16
C17
Anticorruption
This risk refers to the failure to create an agency environment which is

opposed to corruption, and instill agency practices that prevent corruption.
C18
Legal
Changing laws threaten the agencys capacity to consummate important

transactions, enforce contractual agreements or implement specific
strategies and activities.
Regulatory
This risk refers to the failure to identify and prevent legal risks posed by
non-compliance with agency and international regulatory requirements for
trade practices, e.g., anti-dumping and trade policy.
non-compliance with agency and international regulatory requirements for
Customs.
C19
Trade
C20
Customs
C21
Procurement
C22
Road-right of way
(RROW) acquisition
C23
Labor
C24
Securities
C25
Environment
C26
Data protection and

privacy
C27
International
This risk refers to the exposure to geo-political, regulatory and fraud risks
via international business dealings.
C28
non-compliance with agency and International regulatory requirements for
product/service quality and safety.
Last updated
Version
: March 2011
: 02-03/2011/v1
non-compliance with the agency procurement reform act.
This risk refers to the failure to implement infrastructure projects due to
RROW problems and risks posed by non-compliance with Comprehensive
and Continuing Urban development and Housing Program (RA 7279)
non-compliance with agency and International regulatory requirements for
Labor rules and regulations, including taxes, wages, anti-discrimination,
Family and Medical Leave, workplace violence and so on.
non-compliance with agency and International Securities regulatory
requirements.
non-compliance with agency and International Environmental regulations,
e.g., noncompliance with ISO 4001 standards.
non-compliance with privacy rules and regulations standards resulting in
improper disclosure of confidential customer information.
9|Page
RISK
REF. NO.
RISK TITLE
C29
Health and safety
C30
Competitive
practice/antitrust

RISK DESCRIPTION
non-compliance with agency and International rules and regulations for
health and safety.
non-compliance with agency and international rules and regulations for
competitive practices/anti-trade. Lack of awareness of statutory and
regulatory application of export and customs policies and requirements.
FINANCIAL
Market
F1
Interest rate
This risk refers to the unfavorable price paid per unit of funds borrowed or
the rate of return received on invested assets, or interest rate fluctuations
beyond projected range.
F2
Foreign currency
This risk refers to the unfavorable fluctuations in the currency of another

market that is needed to carry out international transactions.
F3
Commodity
F4
This risk refers to the unfavorable fluctuations in the price of raw materials
or other commodities used in product development/service delivery that are
not anticipated and managed.
Financial market risk can vary depending on the particular segment of the
market to which the holder of a financial instrument is exposed, or the way
in which the exposure is structured.

F5
Cash management
F6
Opportunity cost
F7
Funding
This risk refers to the failure to efficiently and effectively administer and
manage cash flows to maintain adequate liquidity to meet obligations.
This risk refers to the the use of funds in a manner that leads to the loss of
economic value, including time value losses, transaction costs and other
causes of loss of value.
This risk refers to the failure to meet the requirements of a portfolio of
capital investments and obligations based on specified commitments or in
accordance with terms of an agreement (i.e., retirement and capital
accounts).
It also refers to the failure to receive appropriate funds to finance programs
and projects.
F8
Hedging
This risk refers to the failure to purchase or undertake sale transactions that
effectively minimize profits or losses arising from price fluctuations.
F9
This risk refers to the inability to obtain the optimal level of payment
received as a result of a prior agency transaction.
F10
Insurance
Insurance coverage fails to protect the agency from significant financial

losses due to incidents and claims.
F11
Accounting, reporting
and disclosure
Incomplete, inaccurate and/or untimely reporting of required financial and

operating information to other regulatory agencies may expose the agency
to fines, penalties and sanctions.
Over-emphasis on financial accounting and other information to manage the
operations may result in the manipulation of outcomes to achieve targets at
Last updated
Version
: March 2011
: 02-03/2011/v1
10 | P a g e
RISK
REF. NO.
RISK TITLE

RISK DESCRIPTION
the expense of not meeting public expectation, quality and efficiency
objectives.
F12
Internal control
F13
F14
Tax strategy and

planning
This risk refers to the significant or material weaknesses resulting from

inadequate financial internal controls impacting management's assessment
and reporting under country regulations.
This risk refers to the lack of relevant and/or reliable information supporting
investment decisions and linking the financial risks accepted to the capital
at risk, may result in poor short- or long-term investments.
This risk refers to the failure to properly evaluate and execute tax planning
strategies. It also refers to the misalignment of tax objectives and strategies
with overall agency objectives, strategies and initiatives.
Capital structure
F15
Debt
This risk refers to the potential over-reliance on borrowing from creditors to

provide adequate working capital for agency objectives and/or to cover
current operating obligations resulting in an unfavorable debt to equity
ratios.
F16
Equity
This risk refers to the inability to offer marketable securities appropriately

priced for the enterprise's value.
F17
Pension funds
This risk refers to the inability to identify, establish and maintain the optimal
structure for pension funds.
Last updated
Version
: March 2011
: 02-03/2011/v1
11 | P a g e

Form 02-04 Agency Risk Identification Matrix
AGENCY RISK IDENTIFICATION MATRIX

Objective
The Agency Risk Identification (AgRI) Matrix is used to document the agency risks identified
for a particular audit period. As a tool that will facilitate the risk assessment process, this
document shall be used by audit teams when assessing the impact and likelihood,
identifying the locations affected and determining the initial audit response.

Accomplishing this tool is critical to for the audit team to have a common risk language when
understanding the risk profile of the agency being audited.
a. Risk Reference Number

- Obtain the risk reference number from the risk reference number assigned in
the Agency Risk Model.
b. Agency Risk Title/Risk Statement
- For each audit period, identify the risks of the agency being audited. The team
shall concur and agree on the risks that they perceive will affect the
achievement of the agency objectives and operations.
c. Risk Rating
Impact Assess the impact of the agency risk as to high, moderate and low
including the justification for the assessment
In assessing the impact of an agency risk, COA auditors should consider
the following factors:
Potential financial loss or lost opportunity for the agency
Damage to reputation or relationship with stakeholders or public
Potential business interruption/ reduction of agency operations
Degree of agency failure to achieve mandate
Noncompliance with laws, rules and regulations
Likelihood Assess the likelihood of the risk as to high, moderate and low
including the justification for the assessment.
In assessing the likelihood of an agency risk, COA auditors should
assess the probability/frequency of the risk occurring over a predefined
Last updated
Version
: March 2011
: 02-04/2011/v1
1|Page

time period. In most instances, the time period is set at one year. It can
be adjusted to be aligned with the agencys operating cycle.
Overall Rating The overall rating is the combination of the assessment
made on the impact and likelihood of the agency risk identified.
IMPACT
The overall rating shall be determined using the following matrix:
High
Moderate
High
High
Moderate
Low
Moderate
High
Low
Low
Low
Moderate
Low
Moderate
LIKELIHOOD
High
d. Risk Location
Process/PAPs Identify the process or PAP affected by the agency risk.
Office Identify the offices (departments or units) responsible the process
affected by the agency risk.
e. Initial Audit Response
- Indicate the initial audit response for the agency risk identified using the
auditors judgment and past experiences. The team is not limited to the audit
response identified in this tool since further evaluations will be made to
determine the appropriate audit strategies to be used.
Last updated
Version
: March 2011
: 02-04/2011/v1
2|Page

AGENCY RISK IDENTIFICATION MATRIX

Agency
____________________________
Prepared by
____________________________
Date
________________
Audit Period
____________________________
Reviewed by
____________________________
Date
________________
Office
____________________________
Approved by
____________________________
Date
________________
Risk
Ref.
No.
Risk Rating
Agency Risk Title/

Risk Statement
Impact
Likelihood
High
High
Moderate
Moderate
Risk Location
Overall Rating
High
Process/ PAPs
Office
Initial Audit
Response
Financial
Compliance
Moderate
Low
Low
Justification:
Justification:
High
High
Moderate
Moderate
Perf ormance
Low
FRA
High
Financial
Compliance
Moderate
Low
Low
Justification:
Justification:
Perf ormance
Low
Last updated
Version
: March 2011
: 02-04/2011/v1
FRA
3|Page

Form 02-05: Agency-level Controls Checklist
AGENCY-LEVEL CONTROLS CHECKLIST

Objective
After understanding the agency objectives and risks, auditors shall identify the top-level controls
that the agency has established. Auditors shall obtain an understanding of agency-level controls
to plan their audit and determine the most appropriate audit strategy.
The Agency-level Controls Checklist contains a set of questions for each internal control
component: The questions provided herein will guide auditors in obtaining an initial
understanding of the agency-level controls set by the agency management. However, auditors
shall consider that documenting and evaluating agency-level controls does not by itself provide
a complete perspective of internal controls of an agency. It is an important starting point
because the assessment of agency-level controls particularly when weaknesses are identified
can have a significant effect on the overall assessment of the effectiveness of internal controls
and procedures.
The internal control concepts of the National Guidelines on Internal Control Systems (NGICS)
and the International Standards of Supreme Audit Institutions (ISSAI) are incorporated in this
tool.

I. ALCC Probing Questions
Internal Control Component Probing questions are initially provided for the following internal
control component:
- Control Environment
- Risk Assessment
- Information and communication
- Monitoring
- Control Activities
NOTE:
Auditors are not only limited to the probing questions provided in this questionnaire.
Additional questions may be developed by the team, if deemed necessary.
Yes / No / Not applicable Answer each probing question with the appropriate response as a
result of the auditors validation of each internal control component.
Version
: 02-05/2011/v1
1|Pa ge

Remarks Provide any remark or comment that the auditor may have during on the related
probing question as a result of its validation. Examples of remarks may include identification
of areas needed to be focused for the audit engagement or possible fraud indicators.
Initial Assessment Make an initial assessment as to the design and operating effectiveness of
each sub-component of the agencys internal control using the probing questions supplied.
Indicate the reasons for giving such an assessment in the reason column.
The operating effectiveness of some components of the agencys internal control is hard to
determine. In this case, audit teams shall document the reasons why and focus its
assessment on the design of the internal control. Auditor shall use their professional
judgment during this assessment.
II. ALCC Summary

Observations Document the observations obtained during the understanding of the agency
level controls. Observations may include deficiencies noted on the design of agency-level
controls or red flags that we may note on the process that may indicate source of fraud
risks. Incidentally, audit teams may need to issue an Audit Observation Memorandum
(AOM) to call the attention of the agency for the observations noted.
Recommendations - Provide a recommendation (if applicable) for each key observation noted.
AOM Reference Indicate the AOM reference number for those observations issued with an
Audit Observation Memorandum.

Version
: 02-05/2011/v1
2|Pa ge

AGENCY-LEVEL CONTROLS CHECKLIST

Agency:
Prepared:
Date
Reviewed:
Audit Period:
Date
Approved
Date
I. ALCC Probing Questions

Internal Control Component
Control Environment
Yes
No
NA
Remarks
Integrity, Ethical Values, and behavior of key executives

A.1. The agency has a code of conduct or
equivalent policy that is communicated and
monitored.
A.2. The agencys culture emphasizes the
importance of integrity and ethical behavior.
Senior management holds itself to the highest
standards and leads by example.
A.3. The agencys communications reinforce a
consistent message regarding policies and
culture.
A.4. Agency management takes appropriate
action in response to departures from
approved policies and procedures or the code
of conduct.
A.5. There are appropriate policies for such
matters as conflicts of interest, and security
practices that are adequately communicated
throughout the agency.
A.6. Agency management maintains, monitors and
appropriately responds to a fraud hotline.
A.7. The agency has a whistleblower policy and
related whistleblower or ethics hotline, which
are appropriately communicated throughout
the agency, and include procedures for
handling complaints and for accepting
confidential submissions of concerns about
questionable transactions.
A.8. Agency managements control consciousness

Version
: 02-05/2011/v1
3|Pa ge

Yes
No
NA
Remarks
and operating style are _________.

A.9. Agency management gives appropriate
attention to internal control, including
information technology controls.
A.10. Agency management corrects identified
internal control deficiencies in a timely
manner.
A.11. Agency management tends to be
conservative with respect to selecting
accounting principles and determining
accounting estimates.
A.12. Agency management consults with us on
significant matters relating to accounting and
financial reporting issues.
Initial Assessment:
Reason:
Effective
Ineffective
Agency managements commitment to competence
A.13. The agency personnel have the competence
and training needed to deal with the nature
and complexity of the agencys operations.
A.14. Agency management has other processes in
place for handling complaints about agency
operational issues.
Initial Assessment:
Reason:
Effective
Ineffective
Participation in governance and oversight by those charged with governance
A.15. Those charged with governance provide
effective oversight of the agencys operations.
A.16. There is an open line of communication
among those charged with governance and
COA auditors, and the nature and frequency
of communication is appropriate given the
size and complexity of the agency.
A.17. Those charged with governance have
sufficient knowledge, experience and time to
perform their role effectively.

Version
: 02-05/2011/v1
4|Pa ge

Yes
No
NA
Remarks
A.18. Those charged with governance are

appropriately independent of agency
management given the size and complexity of
the agency.
Initial Assessment:
Reason:
Effective
Ineffective
The organizational structure and assignment of authority and responsibility
A.19. The agency organizational structure is
appropriate given the nature, size and
complexity of the agency
A.20. Agency management engages in
communications so that members of
personnel understand the agencys
objectives, their role in relation to these
objectives, and how they are held
accountable for the achievement of these
objectives.
A.21. There are appropriate methods for
establishing authority, responsibility and lines
of reporting.
A.22. There are written job descriptions, reference
manuals and other communications to inform
personnel of their duties.
Initial Assessment:
Reason:
Effective
Ineffective
Human resource policies and practices
A.23. The agency has adequate standards and
procedures for hiring, training, motivating,
evaluating, promoting, compensating,
transferring, or terminating personnel
A.24. Job performance is periodically evaluated and
reviewed with each employee.
Initial Assessment:
Reason:
Effective
Ineffective

Version
: 02-05/2011/v1
5|Pa ge

Risk Assessment

Yes
No
NA
Remarks
B.1. Agency objectives are established,

communicated, and monitored. Key elements
of the agencys strategic plan are
communicated throughout the agency so all
employees have a basic understanding of the
agencys overall strategy.
B.2. A process is in place to periodically review
and update agency-wide strategic plans. The
strategic plan is reviewed and approved by
the agencys board of directors.
B.3. The agency-wide strategic plan includes IT or
there is a separate IT strategic plan that
addresses the technology needs of the
agency to effectively and efficiently meet its
strategic plan.
B.4. There is an adequate mechanism for
identifying agency risks, including those
resulting from:
Entering new markets or lines of
business
Offering new products and services
Privacy and data protection compliance
requirements
Other changes in the operations,
economic, and regulatory environment
B.5. The internal audit (or another group within the
company) performs a periodic (at least
annual) risk assessment. Senior management
reviews the risk assessment and considers
actions to mitigate the significant risks
identified.
B.6. Management considers how much risk it is
willing to accept when setting strategic
direction or entering new markets, and does it
strive to maintain risk within those levels.
B.7. The board of directors and/or the audit
committee oversees and monitors the risk
assessment process and takes action to
address the significant risks identified.
B.8. There are groups or individuals who are
responsible for anticipating or identifying
changes with possible significant effects on
the agency. Processes are in place to inform
appropriate levels of management about

Version
: 02-05/2011/v1
6|Pa ge

Yes
No
NA
Remarks
changes with possible significant effects on

the agency.
B.9. Budgets/forecasts are updated during the
year to reflect changing conditions.
B.10. Periodic reviews are performed or other
processes in place to, among other things,
anticipate and identify routine events or
activities that may affect the agencys ability
to achieve its objectives and address them.
B.11. Management reports to the board of directors
and/or the audit committee on changes that
may have a significant effect on the agency.
B.12. The board of directors and/or the audit
committee review and approve significant
changes in the agencys accounting
practices.
B.13. There are processes to ensure the
accounting department is made aware of
changes in the operating environment so they
can review the changes and determine what,
if any, effect the change may have on the
agencys accounting practices.
B.14. There are channels of communication
between the accounting department and/or
individual(s) in charge of monitoring
regulatory rules so the accounting department
is aware of regulatory changes that could
affect the agencys accounting practices.
Initial Assessment:
Reason:
Effective
Ineffective
Information and Communication

Information
C.1. The agency is able to prepare accurate and
timely financial reports, including interim
reports.
C.2. The board of directors and management
receive sufficient and timely information to
allow them to fulfill their responsibilities.

Version
: 02-05/2011/v1
7|Pa ge

Yes
No
NA
Remarks
C.3. Managements objectives in terms of budget,

profit, and other financial and operating goals
are defined and measurable. Actual results
are measured against these objectives.
C.4. There is a high level of user satisfaction with
information systems processing, including
reliability and timeliness of reports.
C.5. There is a sufficient level of coordination
between the accounting and information
systems processing functions/departments.
C.6. There are appropriate policies for developing
and modifying accounting systems and
controls (including changes to and use of
computer programs and/or data files).
C.7. Managements efforts to develop or revise
information systems (including accounting
systems) are responsive to its strategic plans.
C.8. There are significant applications or
transactions that are executed /processed by
service organizations. Management has
documented the relevant controls at the
service organization, the company, or both
that mitigate the risk of errors. There are
policies for periodic monitoring of controls
either at the service organization or the
company and taking appropriate action to
mitigate potential new risks.
C.9. The board of directors or audit committee is
involved in monitoring information systems
projects and resource priorities.
C.10. The IT organization chart clearly reflects
areas of responsibility and lines of reporting
and communication.
C.11. There are defined responsibilities for
individuals responsible for implementing,
documenting, testing and approving changes
to computer programs that are purchased or
developed by information systems personnel
or users.
C.12. Systems conversions are well controlled (e.g.,
completed pursuant to written procedures or
plans).
C.13. Financial management ensures and monitors

Version
: 02-05/2011/v1
8|Pa ge

Yes
No
NA
Remarks
user involvement in the development of

programs, including the design of internal
control checks and balances.
C.14. There is a high degree of cooperation and
interaction between users and the IT
department (e.g., procedures to ensure
ongoing monitoring by the IT department of
user satisfaction with IT processing and
policies for the development, modification,
and use of programs and data files).
C.15. Application programs and data files are
backed up regularly.
C.16. There is a current disaster recovery plan for
the significant components of the IT
infrastructure.
C.17. There is a business continuity plan that
incorporates the disaster recovery plan and
end-user department needs for timely
recovery of critical functions, systems,
processes and data.
C.18. The disaster recovery and business continuity
plans are tested periodically (at least
annually).
C.19. The disaster recovery and business continuity
plans are updated for changing conditions.
Initial Assessment:
Reason:
Effective
Ineffective
Communication
C.20. Lines of authority and responsibility (including
lines of reporting) within the company are
clearly defined and communicated.
C.21. There are written job descriptions and
reference manuals that describe the duties of
personnel.
C.22. Policies and procedures are established for
and communicated to personnel at
decentralized locations (including regional
operations).
C.23. There is a training/orientation for new

Version
: 02-05/2011/v1
9|Pa ge

Yes
No
NA
Remarks
employees, or employees when starting a

new position, to discuss the nature and scope
of their duties and responsibilities. Such
training/orientation includes a discussion of
specific internal controls they are responsible
for.
C.24. There is a process for employees to
communicate improprieties. The process is
well communicated throughout the agency.
The process allows for anonymity for
individuals who report possible improprieties.
There is a process for reporting improprieties,
and actions taken to address them, to senior
management, the board of directors, or the
audit committee.
C.25. All reported potential improprieties are
reviewed, investigated, and resolved in a
timely manner.
C.26. Employees believe they have adequate
information to complete their job
responsibilities.
C.27. There is a process to quickly disseminate
critical information throughout the agency
when necessary.
C.28. There is a process for tracking
communications from customers, vendors,
regulators, and other external parties.
C.29. Ownership is assigned to a member of
management to help ensure that the agency
responds appropriately, promptly, and
accurately to communications from
customers, vendors, regulators, and other
external parties.
Initial Assessment:
Reason:
Effective
Ineffective
Monitoring
Internal Audit function
D.1. The agency has an effective internal audit

Version
: 02-05/2011/v1
10 | P a g e

Yes
No
NA
Remarks
function.
D.2. The internal audit function is independent of
the activities they audit and are prohibited
from having operating responsibilities.
D.3. The internal audit function adheres to
professional standards (e.g., International
Standards for the Professional Practice of
Internal Auditing).
D.4. The scope of internal audit activities is
appropriate given the nature, size and
structure of the agency.
D.5. The internal audit department develops an
annual plan that considers risk in determining
the allocation of resources.
D.6. The results of the internal audit activities are
reported to senior management and COA
auditors.
Initial Assessment:
Reason:
Effective
Ineffective
Other monitoring activities
D.7. Periodic evaluations of internal control are
reported to agency management and those
charged with governance.
D.8. Personnel, in carrying out their regular duties,
obtain evidence as to whether the system of
internal control continues to function.
D.9. Policies and procedures are in place to
ensure that corrective action is taken in a
timely manner when control exceptions occur.
D.10. Agency management takes adequate and
timely actions to correct deficiencies reported
by the internal audit function or the
independent auditors.
D.11. Internal audit or another department performs
periodic reviews of internal control
D.12. Agency management or those charged with
governance review communications from
external parties that highlight areas of internal

Version
: 02-05/2011/v1
11 | P a g e

Yes
No
NA
Remarks
control in need of improvement.
Initial Assessment:
Reason:
Effective
Ineffective
Control Activities
E.1. Are accounting and closing practices followed
consistently at interim dates (e.g., quarterly,
monthly) throughout the year?
E.2. Is there appropriate involvement by
management in reviewing significant
accounting estimates and support for
significant unusual transactions and nonstandard journal entries?
E.3. Is there timely and appropriate documentation
for transactions?
E.4. Does the agency review its policies and
procedures periodically to determine if they
continue to be appropriate for the agencys
activities?
E.5. Do members of management have ownership
of the policies and procedures? Does the
ownership include ensuring the policies and
procedures are appropriate for the agencys
activities?
E.6. Is there a budgetary system?
E.7. Does management review key performance
indicators (e.g., budget, profit, financial goals,
operating goals) regularly (e.g., monthly,
quarterly) and identify significant variances?
Does management then investigate the
significant variances and is appropriate
corrective action taken?
E.8. Are variances in planned performance
communicated and discussed with the board
of directors and/or audit committee at least
quarterly?
E.9. Are financial statements submitted to
operating management? Are they
accompanied by analytical comments?

Version
: 02-05/2011/v1
12 | P a g e

Yes
No
NA
Remarks
E.10. Is there an appropriate segregation of

incompatible activities (e.g., separation of
accounting for and access to assets, IT
operations function separate from systems
and programming, database administration
function separate from application
programming and systems programming)?
Are organizational charts reviewed to ensure
proper segregation of duties exist?
E.11. Are appropriate approvals from management
required prior to allowing an individual access
to specific applications and databases?
E.12. Are IT personnel prohibited from having
incompatible responsibilities or duties in user
departments?
E.13. Are there processes to periodically (e.g.,
quarterly, semi-annually) review system
privileges and access controls to the different
applications and databases within the IT
infrastructure to determine if system privileges
and access controls are appropriate?
E.14. Has management established procedures to
periodically reconcile physical assets (e.g.,
cash, receivables, inventories, property and
equipment) with related accounting records?
E.15. Are physical inventories/cycle counts taken
on a periodic basis and the perpetual
inventory system adjusted accordingly? Are
significant or recurring adjustments
investigated to determine the reason for the
adjustment and are appropriate actions taken
to address the reasons for the adjustments?
E.16. Has management established procedures to
prevent unauthorized access to, or
destruction of, documents, records (including
computer programs and data files), and
assets?
E.17. Is data processing access to non-data
processing assets restricted (e.g., blank
checks)?
E.18. Are access security software, operating
systems software, and application software
used to control both centralized and
decentralized access to:

Version
: 02-05/2011/v1
13 | P a g e

Yes
No
NA
Remarks
Data
Functional capabilities of programs (e.g.,
execute, update, modify parameters, read
only)?
E.19. Is physical security over information
technology assets (both IT department and
users) reasonable given the nature of the
agencys operations?
E.20. Is critical computer data backed up daily and
stored off-site?
E.21. Are controls in place over dial-up access to
the agencys computer resources (e.g.,
firewalls; centralized directories to store and
manage user identities and resource
privileges; automated policy-based request,
approval, and fulfillment process for
enterprise access)?
E.22. Is there a dedicated security officer function
that monitors IT processing activities and are
there periodic reports to the board of directors
and/or audit committee on the current state of
IT security at the agency?
E.23. Are there systems to monitor and respond to
potential interruptions in agency operations
due to incidents stemming from malicious
intrusions, and to update security protocols to
prevent them? Are security violations and
other incidents automatically logged and
reviewed?
E.24. Does the agency conduct periodic
reviews/audits of IT security? If yes, are the
results of the review/audit reported to the
board of directors and/or audit committee?
Initial Assessment:
Reason:
Effective
Ineffective

Version
: 02-05/2011/v1
14 | P a g e

II. ALCC Summary

Observations

Version
: 02-05/2011/v1
Recommendations
AOM Ref.
15 | P a g e

Form 02-06: Process-Risk-Control Matrix
PROCESS-RISK-CONTROL MATRIX
Objective
The Process-Risk-Control Matrix facilitates the understanding of processes as well as the
process-level risks and controls affected by agency-levels risks identified. This tool will guide
the agency audit team in identifying their focus areas for a specific audit period by obtaining
an initial view of the processes.
a. Critical Path of the Process
- Document the understanding of the significant process identified which is affected by
the agency-level risks as reflected in the Agency Risk Identification Matrix. Auditors
may use the narrative or flowchart form in documenting the process understanding.
The level of detail needed for the documentation depends on the objective of the
auditors. In any case, the documentation shall be sufficient enough to identify the
process-level risks and controls including the impact to the accounts and PAPs of the
agency. The documented process should reflect the actual process being done by
the agency. This should be validated by conducting process walkthroughs.
b. Process risks and existing controls
Process Risks Identify the risks/what could go wrongs in the process through a risk
statement. Process-level risk is any event or circumstance that could affect the
achievement of the process objectives.
Impact: Accounts Affected (including assertions) Identify the extent to which the risk
if realized would impact the agencys financial statement accounts. This is
critical for planning the financial audit aspect.
Impact: Risk to PAPs Identify the impact of process-level risks to the achievement
of the objectives of the agencys PAPs. Examples are damage to assets,
reputation impacts and ability to achieve key objectives.
Existing Controls Indicate the controls identified during the process understanding.
The controls that should be documented are those that are being carried out at
the time of the audit. Controls that have been presented in operations manual
or procedures shall be validated through walkthrough procedures.
Control Design Assessment Develop an initial assessment on the design of the
controls based on the results of the walkthrough procedures conducted. Tick
the appropriate box if the control design is adequate or inadequate.
Last updated
Version
: March 2011
: 02-06/2011/v1
1|Pa ge

Reason if inadequate Provide reason or the observation noted if the control design
assessment is inadequate
c. Summary
Key Observation Document the observations obtained during the understanding of
the processes, risks and controls. Observations may include deficiencies noted
on the design of process-level controls or red flags that we may note on the
process that may indicate source of fraud risks among others. Incidentally,
audit teams may need to issue an Audit Observation Memorandum (AOM) to
call the attention of the agency for the observations noted.
Recommendation Provide a recommendation (if applicable) for each key
observation noted.
AOM Ref. No. Indicate the AOM reference number for those observations issued
with an Audit Observation Memorandum.
Last updated
Version
: March 2011
: 02-06/2011/v1
2|Pa ge

PROCESS-RISK-CONTROL MATRIX
Agency
______________________________________
Prepared:
_______________________
Date
_______________________
Audit Period
______________________________________
Reviewed:
_______________________
Date
_______________________
Significant Process
______________________________________
Approved
_______________________
Date
_______________________
Significant Agency Risks
______________________________________
a. Critical path of the process:

Our documentation of the flow of the process may be in narrative form or graphical form through the use of process mapping flowcharts. The form of documentation depends on the size and complexity of the process.
Last updated
Version
: March 2011
: 02-06/2011/v1
3|P a ge

b. Identify Process Risks and Existing Controls

Impact
Process Risks
Accounts Affected
(including
assertions)
Risk to PAPs
Existing Controls
Control Design
Assessment
Reason if inadequate
Adequate
Inadequate
Adequate
Inadequate
Adequate
Inadequate
Summary
Key Observation
Last updated
Version
: March 2011
: 02-06/2011/v1
Recommendation
AOM Ref. No.
4|P a ge

Form 02-07: Audit Risk Assessment and Planning Tool
AUDIT RISK ASSESSMENT AND PLANNING TOOL

Objective
In order to develop an audit strategy that is responsive to the agencys risks we make an
audit risk assessment for relevant assertions of significant material accounts and the
Agencys PAPs.
The Audit Risk Assessment and Planning Tool will facilitate our documentation of our audit
risk assessment for financial, compliance and performance audits. In addition, it also
documents our audit strategy, scope and estimated timing which will guide the development
of our audit test procedures.
Accomplishing this tool:
A. Financial and Compliance
Significant Account The significant and material financial statement account
identified in the PRC Tool.
Assertion Check the related assertion/s of the financial statement account
identified in the PRC Tool
Inherent Risk Assess the inherent risk of the financial statement account and
assertion. Our assessment of inherent risk may be higher or lower. Factors
that may affect our inherent risk assessment are as follows:
Susceptibility to material misstatement

Size and composition
Variations from expected amounts
Effects of external factors
Competence and experience of agency personnel
Degree of subjectivity
Completion of unusual/complex transactions at or near period-end
Transactions not subjected to routine processing
Include in the justification the reason why we assessed inherent risk as

higher or lower.
Control Assessment Assess the control based on the adequacy of design. At
this point, we also assess the effectiveness of the controls based on the
results of walkthrough procedures conducted in Understanding the Process
and based on testing results we obtained from prior years audit. Our
assessment of the controls on the related financial statement account will be
whether we are intending to rely or not rely on the controls.
Include in the justification the reason why we intend to rely or not rely on the
controls.

Version
: 02-07/2011/v1
1|P a ge

Note that this assessment is preliminary only. A final assessment shall be

made after testing the controls in the execution phase (in case we intend to
rely at this point).
Inherent Risk
Assessment
Risk Assessment This refers to our combined risk assessment by considering

our inherent risk and control assessment. Combined risk assessment is
determined by using the following diagram:
High
Low
High
Low
Minimal
Moderate
Low
High
Control Assessment
The above diagram can also be interpreted as follows:

Inherent Risk
Assessment
Low
High
Low
High
&
&
&
&
Control Risk
Assessment
Low
Low
High
High
=
=
=
=
Combined Risk
Assessment
Minimal
Low
Moderate
High
Audit Strategy Indicate whether our main strategy would be testing the controls
or substantive tests. Test of controls will be the audit strategy for accounts
assessed as Minimal or Low (we are intending to rely on the controls),
whereas, substantive procedures will be the audit strategy for accounts
assessed as Moderate or High.
Timing Indicate the estimated date when the audit test procedures for the
financial statement account will commence.
Person Days Indicate the amount of time or duration for the completion of the
audit test procedures.
B. Performance
Column Headings (Selection Factors) Assign risk weights for each selection
factor. Risk weights are expressed as percentages and when summed up,
should equal to 100%. The assignment of risk weights is based on the
auditors judgment. To minimize bias/subjectivity, the assignment of risk
weights should be discussed among the audit team members and should be
Version
: 02-07/2011/v1
2|P a ge

reviewed by the Supervising Auditor/ Director. Illustrated below are

examples on how to assign risk weights:
Example 1: If the auditors would like to give equal risk weights on selection
factors and lesser weight on visibility, auditability and previous audit
coverage:
Selection Factors
Materiality
(20%)
Impact
(20%)
Visibility
(10%)
Risk to Good
Management
(20%)
Significance
(20%)
Previous
Audit
Coverage
(5%)
Auditability
(5%)
Example 2: If the auditors would like to focus more on the budget allocated
for the PAPs:
Selection Factors
Materiality
(50%)
Impact
(10%)
Visibility
(10%)
Significance
(10%)
Risk to Good
Management
(10%)
Previous
Audit
Coverage
(5%)
Auditability
(5%)
Example 3: If the auditors would like to focus more only on the Budget
allocation, Significance of the PAPs on the Agencys Mandate:
Selection Factors
Materiality
(50%)
Significance
(50%)
Note that the auditors may remove selection factors that they wish not to
consider in their evaluation of the agencys PAPs. Larger risk weights may
be allocated to those selection factors that the auditors wish to focus more.
As illustrated in the 3 examples, the total of risk weights allocated to the
selection factors is always equal to 100%.
Detailed definition of the selection factors are contained in the IRRBA
Manual.
PAPs List down the Agencys Significant PAPs.
Selection Factors For each PAP, assign points for each selection factors. The
points to be given for each selection factor should not exceed the risk weight
assigned on the column heading of that selection factor. See illustration
below:
Selection Factors
PAPs
Program A
Program B
Materiality
(20%)
20
18

Version
: 02-07/2011/v1
Impact
(20%)
15
15
Visibility
(10%)
Significance
(20%)
Risk to
Good
Management
(20%)
Auditability
(5%)
Previous
Audit
Coverage
(5%)
8
5
20
15
10
15
5
5
5
5
3|P a ge
Total

Note that the maximum amount of points to be given for each selection factor
is the risk weight assigned in the column heading. Assignment of points is
based on auditors judgment. To minimize bias/subjectivity, the assignment
of risk weights should be discussed among the audit team members and
should be reviewed by the Supervising Auditor/ Director.
Total Sum up all the points given in the selection factors for the particular PAP.
Basis for Assessment Indicate the auditors remarks/bases why such points
were given for each particular PAP.
PAPs to be subjected for performance audit
- This table summarizes the PAPs selected to be subjected for performance audit
during the audit period. Selection of PAPs will be based on the result of the
assessment performed in the preceding table (PAPs with higher total points will
be selected). The number of PAPs to be subjected for performance audit will
depend on the auditor by considering their workload for the audit period and
their available resources, i.e., manpower, competencies and so on.
Significant PAPs List down the PAPs to be subjected for performance audit
for the audit period.
Audit Focus Area Identify the specific areas of the PAPs to be focused for the
performance audit (e.g., procurement, delivery of services, efficiency of
operations)
Audit Aspect Check whether to objective of the performance audit is to check
the economy, efficiency or effectiveness of the PAP. The auditor may
select one or more audit aspect depending on the scope of the
performance audit.
Timing Indicate the estimated date when the performance audit will
commence.
performance audit.
C. Specialized Skills Needed
-
This part identifies professionals with specialized skills needed for the audit and
defines their scope of work and timing.
Specialized Skills Needed Identify the professional with specialized skills to be

needed in our audit. (Professionals with specialized skills may pertain to
engineers, IT auditors, actuaries and the like who would be of help in the
execution of audit procedures that require technical skills)
Office Identify the office of the Specialized Skills Needed (e.g., TSO for
Engineers, ITO for IT Auditors).
Scope Identify their scope of work (e.g., infrastructure projects to be reviewed by
engineers, computer programs to be evaluated by IT Auditors).
Version
: 02-07/2011/v1
4|P a ge

Timing Indicate the estimated date when the conduct of audit procedures will
commence.
audit procedures.
D. Other Material Accounts
-
These are formerly termed as LORMA or Low Risk Material Account.

These are material accounts that were not considered in the audit risk
assessment for financial and compliance audit. Other Material accounts will be
subjected for High-level precision analytics or test of details, if necessary.
Other Material Accounts List down the account titles of Other Material Accounts
Timing Indicate the estimated date when the conduct of High-level precision
analytics would commence.
analytic procedures.
Person/s Responsible Indicate the audit staff who will perform the procedures for
Other Material Accounts.

Version
: 02-07/2011/v1
5|P a ge

AUDIT RISK ASSESSMENT TOOL

Agency:
Region:
Audit Period:
Prepared by:
Reviewed by:
Approved by:
Date:
Date:
Date:
In order to develop an audit strategy that is responsive to an agencys risk of material misstatement, we make a risk assessment for financial and compliance, performance
audits.
A. Financial and Compliance
For financial and compliance, we make our risk assessment by assessing the inherent risk, preliminary control risk and combining both assessments to arrive at an overall
risk assessment for each relevant assertion for each significant account.
Significant Account/
Critical Process
Inherent Risk
(IR)
Assertion
Control Risk
(CR)
Risk Assessment
Audit Strategy
Existence/ Occurence
Low
Low-Rely on Controls
Minimal
TOC
Completeness
High
High-Not Rely on Controls
Low
Substantive
Test
Accuracy
Justification:
Justification:
Rights and Obligations
Moderate
Timing
Person
Days
ATS Ref.
Click here to enter

a date.
High
Presentation & Disclosure

Compliance
Existence/ Occurence
Low
Low-Rely on Controls
Minimal
TOC
Completeness
High
High-Not Rely on Controls
Low
Substantive
Test
Accuracy
Rights and Obligations
Justification:
Justification:
Moderate
Click here to enter

a date.
High
6|P a ge
Significant Account/
Critical Process

Inherent Risk
(IR)
Assertion
Control Risk
(CR)
Risk Assessment
Audit Strategy
Timing
Person
Days
ATS Ref.
Presentation & Disclosure

Compliance
B. Performance
Selection Factors
PAPs
Materiality
(__%)
Visibility
(__%)
Significance
(__%)
Risk to Good
Management
(__%)
Total
Auditability
(__%)
Bases for Assessment
Previous Audit
Coverage
(__%)
7|P a ge

PAPs to be subjected for performance audit:

Significant PAPs
Audit Focus Area
Audit Aspect
Timing
Person Days
Economy
Efficiency
Effectiveness
C. SPECIALIZED SKILLS NEEDED

Specialized Skills Needed
Office
Scope
Timing
Person Days
D. OTHER MATERIAL ACCOUNTS

Identify Other Material Accounts that were not considered in the Financial and Compliance Audit Risk Assessment. Audit procedures for Other
Material Accounts include High-level precision analytics and Tests of Details, if necessary.
Other Material Accounts:
Timing: __________________.
Person Days:
_______
.
Person/s Responsible: ____ .
8|P a ge
Phase 3A - Execution
Form 03A-01: Audit Test Summary
AUDIT TEST SUMMARY

Objective
The Audit Test Summary is used to document our approach in executing financial and
compliance audit tests for each significant account. We also document the results of our audit
tests performed and conclusions reached based on such results.
Accomplishing this tool:
Significant Account Indicate the account title of the significant account. Significant accounts
are taken from the significant accounts identified in Part A of the Audit Assessment and
Planning Memorandum.
Account Balance Indicate the balance of the account.
Audit Risk Assessment Check the audit risk assessment based on Part A of Audit
Assessment and Planning Memorandum. The Risk Assessment will determine our audit
strategy in the execution phase.
Part I: Test of Controls (TOC)
Note: TOC is performed only for accounts assessed as Minimal or Low (wherein we rated
control risk as Low we are intending to rely on controls). If our audit risk assessment is either
Moderate or High, we will only accomplish Part II of this template.
Process Indicate the process/es where TOC for the significant account will be done
Controls to be Tested List down specific controls to be tested.
Person/s Assigned Indicate the person/s who will execute the TOC for the significant
account.
Due Date Indicate the estimated date when the TOC is expected to be completed.
TOC Working Paper Reference Indicate the working paper reference where the execution of
the TOC is documented.
Summary of Test Results
Findings Indicate the findings or exceptions noted during the conduct of TOC.
Last updated
Version
: March 2011
: 03-01/2011/v1
1|P a ge
Recommendation Indicate recommendations to correct the findings or other comments

for the improvement of the Agencys controls on the process.
TOC W/P Ref. Indicate the working paper reference where the findings/exceptions were
noted.
AOM Ref. Indicate the AOM reference number (if any).
Conclusion Indicate our conclusion statement on the operating effectiveness of the controls
tested.
Final Assessment of Control Risk Based on the results of the TOC conducted, make a final
assessment of Control Risk:
Low Controls are operating effectively
High Controls are not operating effectively
Inherent Risk Assessment
In case our final control risk assessment is High, we need to reassess the overall audit risk,
reassessed audit risk will fall as Moderate or High depending on the inherent risk
assessment, as illustrated in the diagram below:
High
Low
High
Low
Minimal
Moderate
Low
High
Control Risk Assessment
Part II Substantive Tests

Extent of Testing Check the appropriate box for the extent of testing (i.e., Extensive for
Moderate or High; Less Extensive for Minimal or Low)
ST Work Program Reference Indicate the working paper reference where the execution of
the ST is documented.
Findings Indicate the findings or exceptions noted during the conduct of ST.
Last updated
Version
: March 2011
: 03-01/2011/v1
2|P a ge
Recommendation Indicate recommendations to correct the findings.

ST W/P Ref. Indicate the working paper reference where the findings/exceptions were
noted.
AOM Ref. Indicate the AOM reference number (if any).
Conclusion Indicate our conclusion statement whether the account is fairly presented in the
Agencys financial statements (considering unbooked adjusting journal entries, if any).
Last updated
Version
: March 2011
: 03-01/2011/v1
3|P a ge
AUDIT TEST SUMMARY

Agency:
Prepared by:
Reviewed by:
Approved by:
Audit Period:
Significant Account:
Account Balance:
Audit Risk
Assessment
Date:
Date:
Date:
Minimal
Moderate
Low
High
Part I: TEST OF CONTROLS

Note: TOC is not performed if audit risk assessment is High or Moderate since our preliminary
assessment of Control Risk is High - Not Rely on Controls
Process: _______________________
Controls to be Tested:
Person/s Assigned: ____________________________

Due Date: ___________________________________
TOC Working Paper Reference: __________________
Findings
Conclusion
Recommendation
TOC W/P
Ref.
AOM Ref.
Final Assessment of Control Risk

Low - Rely on Controls
(Controls are operating effectively)

High - Not Rely
(Controls are not operating effectively)

Re-assess audit risk
Moderate
High
Last updated
Version
: March 2011
: 03-01/2011/v1
4|P a ge
Part II: SUBSTANTIVE TEST

Extent of Testing
ST Work Program Reference
Extensive (For Moderate or High)
Less Extensive (For Minimal or Low)

Findings
Recommendation
ST W/P Ref.
AOM Ref.
Conclusion
Last updated
Version
: March 2011
: 03-01/2011/v1
5|P a ge
Phase 3B Conclusion and Reporting

Form 03B-01: Summary of Audit Results and Recommendations
SUMMARY OF AUDIT RESULTS AND RECOMMENDATIONS

Objective
This form is used to summarize and evaluate the results of comprehensive audit and other
types of audits conducted. It has three parts as follows:
Part I
Part II
Part III
Introduction
Summary of Audit Results and Recommendations
Evaluation Factors
After the exit conference with the agency, the audit team shall accumulate the
findings/observations and recommendations, as documented in Audit Observation
Memorandum (AOM), together with management comments using the Summary of Audit
Results and Recommendations provided in Part II of this Form.
The completed template should be initialed by the ATL and SA, and approved by the CD prior to
audit report sign-off. This completed template altogether with other relevant documentation
should be filed in the working papers.
The audit team should perform the following steps in relation to audit findings and observations
and their disposition:
A. Matrix of Audit Findings and Recommendations
Summarize the findings and recommendations as documented in AOMs. This includes
the findings and recommendation from financial, compliance, and performance audits
conducted.
Document managements comments on each findings and recommendations. This
includes the disposition of proposed adjusting journal entries, disclosures, and
comments on performance audit findings.
Document the audit teams response to managements comments on the findings and
recommendations.
B. Summary of Unbooked Adjusting/ Reclassifying Journal Entries
Summarize the unrecorded proposed adjusting/reclassifying journal entries and
determine its effect on the Asset, Liabilities, Current Period Income or Prior Year
Income, as applicable
C.
Results/Status of Other Audits (e.g., Fraud and GWSPA)

Summarize the findings/issues of other audits conducted.
Document the reference of the findings/issues.
State the status of audit(s). The audit(s) may be ongoing or completed.
Document the possible effect/impact of the audit in the agencys financial statements.
Document other information deemed relevant by the audit team in the remarks column.
Please refer to Phase 3 - Delivery: Conclusion and Reporting of the IRRBAM for further details.
Last updated
Version
: March 2011
: 04-01/2011/v1
1|Page

SUMMARY OF AUDIT RESULTS AND RECOMMENDATIONS
Agency
Audit Period
____________________________
Prepared by
_________________
Date
________________
____________________________
Reviewed by
_________________
Date
________________
____________________________
Approved by
_________________
Date
________________
A. Matrix of Audit Findings and Recommendations

A.1. Financial and Compliance Audit
No.
AOM No./Date
Observation
Recommendation
Management Comment
Rejoinder
Observation
Recommendation
Management Comment
Rejoinder
A.2. Performance Audit

No.
AOM No./Date
Last updated
Version
: March 2011
: 04-01/2011/v1
2|Page

B. Summary of Unrecorded Adjusting/ Reclassifying Journal Entries

AOM
Ref.
Amount
Accounts and Description
Debit
Credit
Financial Statement Effects of Unbooked Entries

Assets
Liabilities
Current
Current
Non-Current
Current
Non-Current
Income
Prior Period
Income
Total
C. Results/Status of Other Audits (e.g., Fraud and GWSPA)

No.
Last updated
Version
Significant findings/issues
: March 2011
: 04-01/2011/v1
Reference
Status of Audit
Conclusion
Remarks
3|Page

D. Conclusion
In our opinion:
Yes
No
1. Considering quantitative factors as well as non-quantitative factors

(refer to Evaluation Factors of this Template), the effects of
unrecorded proposed entries, either individually or in the
aggregate, is not material to the financial statements taken as a
whole and therefore does not require modification of our auditors
report.
2. The proposed entries, whether or not recorded, are not the result
of a significant weakness in internal control over financial reporting.
3. The proposed entries, whether or not recorded, are not indications

of possible fraud or illegal acts.
4. For any No responses above, indicate the steps taken or to be

taken:
Opinion modified
Audit scopes reassessed
Others: _____________________________________
Comments:
Last updated
Version
: March 2011
: 04-01/2011/v1
4|Page

EVALUATION FACTORS
A. Materiality Factors
The following factors may be relevant to the evaluation of the materiality of passed entries,
recognizing that some may be more important than others.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
Quantitative factors:
a. Earnings/Surplus
b. Other financial statement captions
c. Segment information
Meeting earnings/budget goals
Compliance with contracts and regulations
Impact on other periods
Trends
Possible undetected errors
Certainty of amount
Interpretations of ISSAI
Establishing accounting precedent
Large offsetting items
Nonrecurring items
Carryovers from prior periods
Additional factors to be considered by the audit team:

13. Current user needs
We may need to reassess our original materiality judgment in light of changed
circumstances or knowledge gained during the audit. For example, there may be
significant changes in economic trends, budgeted earnings/surplus or negotiations for
a line of credit.
14.
Special circumstances.
The materiality threshold may be reduced when it is reasonably possible that third
parties will closely scrutinize the agencys accounting practices and question why even
small errors were not corrected. This might apply to, for example:
o
o
o
o
o
15.
Maximum-risk assignments,
Agencies with weakening financial condition,
Agencies that may soon have new management (within a year or shortly
thereafter),
Management that need to significantly improve their accounting and control
practices,
Potentially sensitive areas, such as revenue recognition
Agency managements past practices.

When entries are passed, it is usually assumed that agency management will
(a) subsequently correct the errors, and (b) improve its controls to prevent a
recurrence of the problem. However, when agency management appears to be unable
or unwilling to do either, the errors may take on greater significance. This is especially
true when the accounting system is capable, without significant additional cost or
effort, of correctly processing transactions.
Last updated
Version
: March 2011
: 04-01/2011/v1
5|Page
16.

Special purposes of the audit.

The impact of proposed entries could be magnified if the financial statements will be
used for special purposes. For example, if a buy-sell agreement bases the sale price
on a multiple of earnings, an otherwise minor adjustment could have a significant
immediate effect on the price.
B. Indications of significant weakness in internal control

Even when misstatements are not material, we need to consider whether their root
causes are due to inadequacies in internal control, particularly when the errors are
more widespread or significantly larger than anticipated. We may need to expand our
audit testing to compensate for an unexpected control weakness. We also may need to
communicate the weakness to senior agency management and the Oversight Body if it
is deemed to be a "reportable condition.
C. Indications of possible fraud or illegal acts
Proposed entries may be indications of fraud or illegal acts (possibly the "tip of the
iceberg"). Examples are:
o
o
o
o
o
Last updated
Version
A significant increase over the prior year in the number or size of proposed
adjustments.
"Last minute" entries that significantly increase earnings.
Misstatements that appear to have been made with the intent of achieving targeted
earnings or similar goals.
Unsupported or unauthorized transactions, balances and reconciling items.
Entries apparently made to conceal illegal acts.
: March 2011
: 04-01/2011/v1
6|Page

Form 03B-02: Quality Inspection Tool
QUALITY INSPECTION TOOL

Objectives
The Quality Inspection Tool will guide the audit team in performing overall review and
approval of the audit engagement prior to the release of the audit report.
The tool is divided into two parts:
Part I :
IRRBA Workstep Checklist
Part II :
Quality Assurance Checklist
This tool is not all-inclusive; audit teams shall customize it as appropriate.
Part I: IRRBA Workstep Checklist
This part consists of the activities/processes as reflected in the IRRBA Manual. As part of
the quality assurance, audit teams shall ensure conformance to the prescribed
methodology in the conduct of their audits.
IRRBA Activities
- Identify the IRRBA Activities as prescribed in the methodology.
Working Paper Reference
- Indicate the Working Paper tag/label for easier reference of documents.
Performed by
- Staff member who completed the procedure/activity shall indicate his/her initials to
confirm his/her performance.
Reviewed by
- Reviewer shall append his/her initials as a proof of the evaluation.
Part II: Quality Assurance Checklist
This part consists of the minimum requirements in conducting audit engagements

as reflected in relevant standards, laws, rules and regulations.
General Audit Procedures
- Identify the minimum requirement of the relevant standards, laws, rules and
regulations.
Working Paper Reference
- Indicate the Working Paper tag/label for easier reference of documents.
Last updated
Version
: March 2011
: 03B-02/2011/v1
1|Page

Performed by
- Staff who completed the procedure/activity shall indicate his/her initials to confirm
his/her performance.
Reviewed by
- Reviewer shall append his/her initials as a proof of the evaluation.
Last updated
Version
: March 2011
: 03B-02/2011/v1
2|Page

QUALITY INSPECTION TOOL

Prepared by
Date
Reviewed by
Date
Approved by
Date
Agency:
_____________________________________________________
Period:
_____________________________________________________
PART I: IRRBA Workstep Checklist
IRRBA Activities
1.
Performed by
Reviewed by
Strategic Planning and Risk

Identification
1.1
1.2
2.
WP Ref.
Perform Government Risk

Identification
1.1.1
Develop/Update the
Government Risk Model
1.1.2
Identify Government Risks
1.1.3
Report the Results of GRI
Conduct COA Strategic Planning
Agency Audit Planning and Risk

Assessment
2.1
Prepare Agency Audit Workstep
2.2
Understand the Agency
2.3
Identify Significant Agency Risks
Last updated
Version
: March 2011
: 03B-02/2011/v1
3|Page
IRRBA Activities
Update Agency Risk Model
2.3.2
Identify Agency Risks
2.3.3
Prioritize Significant Agency

Risks
2.4
Understand the Agency-level

Controls
2.5
Understand the Process
2.6
3.
2.3.1
2.5.1
Identify Critical Path of the

Processes
2.5.2
Identify Process Risks
2.5.3
Identify Impact
2.5.4
Identify Existing Processlevel Controls

WP Ref.
Performed by
Reviewed by
Conduct Audit Risk Assessment and

Planning
2.6.1
Financial and Compliance
2.6.2
Performance
2.6.3
Determine Audit Scope and

Timing
2.6.4
Determine need for

specialized skills
Execution
3.1
Design Audit Tests
3.2
Execute Audit Tests
3.3
Evaluate Audit Results
3.4
Communicate Audit Results
Last updated
Version
: March 2011
: 03B-02/2011/v1
4|Page
IRRBA Activities
4.
WP Ref.
Performed by
Reviewed by
Conclusion and Reporting

4.1
4.2
Summarize Audit Results

4.1.1
Prepare summary of audit

results and
recommendations
4.1.2
Discuss results of different

types of audit conducted
Prepare Audit Report

4.2.1
4.3
5.

Prepare Annual Audit Report
Perform Overall Audit Review

4.3.1
Perform overall review and

approval
4.3.2
Issue report
4.4
Wrap-up and Archive the

Engagement
4.5
Follow-up Agency Action Plan
Monitor quality control on audit services
Last updated
Version
: March 2011
: 03B-02/2011/v1
5|Page

PART II: Quality Assurance Checklist

WP Ref.
Performed
by
Reviewed
by
1. Terms of Audit Engagements

An engagement letter has been prepared in
accordance with COA policies and professional
standards.
2. Independence
Members of the audit team are independent with
respect to this audit client and its affiliates
3. Initial Engagements Opening Balances
For initial audits, perform procedures to obtain
sufficient appropriate audit evidence that:
a. The opening balances do not contain
misstatements that materially affect the current
periods financial statements.
b. The prior periods closing balances have been
correctly brought forward to the current period
or, when appropriate have been restated.
c. Appropriate accounting policies are consistently
applied or changes in accounting policies have
been properly accounted for and adequately
disclosed.
4. Consultation
Identify areas and specialized situations where
consultation is required and consult with others or
use authoritative sources on other complex or
unusual matters.
Areas identified:
Consulted:
____________________
_________________
____________________
_________________
____________________
_________________
____________________
Last updated
Version
: March 2011
: 03B-02/2011/v1
6|Page

WP Ref.
Performed
by
Reviewed
by
_________________
Appropriate consultation has occurred in areas and
special situations where required by COA policies
and where the audit team otherwise deemed
necessary.
Appropriate documentation has been prepared and
reviewed for all consultation on significant issues
and those consulted were informed of all the
relevant facts and circumstances and the
conclusions are reasonable and consistent with
professional standards.
Memoranda that address all significant issues on
which consultation occurred are associated with, or
are attached to, the Audit Observation
Memorandum (AOM) with an indication of the
consultants approval. If consultation memoranda
have not yet been completed or approved in
writing, oral approvals have been obtained from the
individuals consulted and noted in the AOM or an
attachment to it.
Copies of the memoranda have been provided to
the individuals consulted.
Conclusions resulting from the consultations have
been implemented.
5. Minutes and Contracts
Obtain information regarding meetings of the
management, board of directors, shareholders and
important committees up to the report date.
a. Read minutes. Obtain copies of the signed
minutes or prepare excerpts. (If the copies are
not signed, compare them with the original
signed minutes.)
b. If minutes have not been prepared for recent
meetings, obtain a summary of what was
discussed.
c. Compare significant matters identified above
with information obtained during the audit and
cross-reference significant matters affecting the
financial statements to the appropriate
workpapers.
Last updated
Version
: March 2011
: 03B-02/2011/v1
7|Page

WP Ref.
Performed
by
Reviewed
by
Obtain information about important contracts,

agreements and similar documents and consider
their accounting or auditing implications. Crossreference significant matters affecting the financial
statements and other agency-issued reports to the
appropriate workpapers.
6. Consideration of Laws and Regulations in an
Audit of Financial Statements
When planning and performing audit procedures
and evaluating and reporting the results thereof,
consider the risk of non-compliance by the agency
with laws and regulations that may materially affect
the financial statements.
Obtain a general understanding of the legal and
regulatory framework applicable to the agency and
how the agency is complying with that framework.
The procedures ordinarily include:
a. Use of existing understanding of the agencys
industry and operation
b. Inquiry of management concerning the
agencys policies and procedures regarding
compliance with laws and regulations
c. Inquiry of agency as to the laws or regulations
that may be expected to have a fundamental
effect on the operations of the agency
d. Discussion with management about the policies
or procedures adopted for identifying,
evaluating and accounting for litigation, claims
and assessments
Met with:
Findings:
____________________
_________________
____________________
_________________
____________________
_________________
Last updated
Version
: March 2011
: 03B-02/2011/v1
8|Page

WP Ref.
Performed
by
Reviewed
by
Perform procedures to help identify instances of

noncompliance with those laws and regulations
where noncompliance should be considered when
preparing financial statements, specifically:
a. Inquire with management as to whether the
agency is in compliance with such laws and
regulations
Met with:
Findings:
____________________
_________________
____________________
_________________
____________________
_________________
b. Inspect correspondence with the relevant
licensing or regulatory authorities
Obtain sufficient appropriate evidence about
compliance with those laws and regulations
generally recognized to have an effect on:
- The determination of material amounts and
disclosures in financial statements by
considering them when auditing the assertions
related to the determination of the amounts to
be recorded and the disclosures to be made
- Programs, activities and projects of the agency
Sign one of the following statements, as applicable:
Performance of the above procedures has not
indicated any noncompliance by the agency with
laws and regulations that may materially affect the
financial statements.
A possible non-compliance by the agency with
laws and regulations was suspected or detected
and we have obtained an understanding of the
nature of the act and circumstances in which it has
occurred, and sufficient other information to
Last updated
Version
: March 2011
: 03B-02/2011/v1
9|Page

WP Ref.
Performed
by
Reviewed
by
evaluate the possible effect on the financial

statements and appropriate documentation ,
evaluation and notification of management and
others has been performed.
7. Related parties
Review information provided by the directors and
agency management identifying the names of all
known related parties and perform procedures in
respect of the completeness of this information
including the following:
a. Review prior year workpapers for names of
known related parties.
b. Review the agencys procedures for
identification of related parties
c. Inquire as to the affiliation of directors and
officers with other entities
Inquired of:
______________________________________
d. Review agency management minutes of the
meetings
e. Inquire of other auditors currently involved in
the audit, or predecessor auditors, as to their
knowledge of additional related parties.
8. Inquiry regarding Litigation and Claims
Carry out procedures in order to become aware of
any litigation and claim involving the agency that
may have a material effect on the financial
statements.
9. Considering the Work of Internal Audit
Obtain a sufficient understanding of internal audit
activities to assist in planning the audit and
developing an effective audit approach.
Perform a preliminary assessment of the internal
audit function when it appears that internal audit is
relevant to the external audit of the financial
statements in specific audit areas. Such
assessment includes evaluating the competence
and objectivity of the internal auditors.
Last updated
Version
: March 2011
: 03B-02/2011/v1
10 | P a g e

WP Ref.
Performed
by
Reviewed
by
When the audit team intends to use specific work

of internal audit, evaluate and test that work to
confirm its adequacy for our purposes.
10. Subsequent events
Perform procedures designed to obtain sufficient
appropriate audit evidence that all events up to the
date of the auditors report that may require
adjustment of, or disclosure In, the financial
statements have been identified.
11. Going concern
The engagement team has considered and
evaluated the appropriateness of managements
use of the going concern assumption underlying
the preparation of the financial statements both in
the planning phase and throughout the
performance of the audit procedures.
12. Management Representations
Obtain a letter of representations that is tailored to
the particular circumstances, dated the same date
as our auditors report, and signed by the members
of management who have primary responsibility for
the agency and its financial aspects
13. Financial Statements Review
Apply analytical procedures at or near the end of
the audit when forming an overall conclusion as to
whether the financial statements as a whole are
consistent with our understanding of the agency.
Verify opening balances on the basis of the prior
years audit report and/or workpapers.
Cross-reference year-end amounts on the general
ledger trial balance to the related audit workpapers.
Examine supporting documents and/or inquire of
agency personnel to determine that significant
entries made solely to prepare the financial
statement, other than entries covered by other
audit procedures, were properly authorized and
Last updated
Version
: March 2011
: 03B-02/2011/v1
11 | P a g e

WP Ref.
Performed
by
Reviewed
by
accounted for.
Agree or reconcile the financial statement amounts
and the financial data in the footnotes to the
general ledger trial balance or other workpapers.
Determine that the financial statements and the
financial data in the footnotes are clerically
accurate
14. Communication of Audit Matters with
Management and those Charged with
Governance
Inform management as soon as practicable:
- If a fraud has been identified or if
information obtained indicates that a fraud
may exist
- Of the existence of material weaknesses in
the design or implementation of internal
control, including material weaknesses in
the design or implementation of internal
control to prevent and detect fraud, that
have come to our attention
The audit team has determined the relevant
persons who are charged with governance and
with whom audit matters of governance interest are
to be communicated.
The audit team has considered all audit matters of
governance interest that arose from the audit of
financial statements and communicated them to
those charged with governance. Ordinarily such
matters include:
a. General audit approach and overall scope of
the audit
b. Selection of, or changes in , significant
accounting policies
c. Potential effect of any significant risk and
exposure that is required to be disclosed
d. Audit adjustments that could have a significant
effect on the agencys financial statements
e. Material uncertainties relating to going concern
f. Disagreements with management that could
have a significant impact on the financial
statements or the audit report
Last updated
Version
: March 2011
: 03B-02/2011/v1
12 | P a g e

WP Ref.
Performed
by
Reviewed
by
g. Expected modifications to the audit report

h. Internal control issues
i. Issues with respect to agencys integrity and or
fraud within the agency
Determine whether any identified risk of materials
misstatements due to fraud has continuing control
implications. Consider whether any control
deficiency related to these risks, or whether the
absence of or deficiencies in programs or controls
to mitigate specific risks of fraud or to otherwise
help prevent, deter, and detect fraud, represent
matters (including potential material weaknesses)
that should be communicated to agency
management or any relevant regulatory body.
Inform those charged with governance about those
uncorrected misstatements aggregated by us
during the current audit that were determined by
management to be immaterial, both individually
and in the aggregate, to the financial statements as
a whole.
Inform those charged with governance if a fraud
has been identified involving management,
employees who have significant roles in internal
control, or others where the fraud results in a
material misstatement in the financial statements.
Inform those charged with governance of material
weakness in the design or implementation of
internal control, including material weaknesses in
the design or implementation of internal control to
prevent and detect fraud, that have come to the
auditors attention.
Inform those charged with governance of the
agencys noncompliance with laws and regulations
that have come to our attention. If we have reason
to believe that members of agency management
are involved in noncompliance, report the matter at
the next higher level of authority.
The audit team has communicated the above
matters in a timely manner.
The engagement team has communicated the
Last updated
Version
: March 2011
: 03B-02/2011/v1
13 | P a g e

WP Ref.
Performed
by
Reviewed
by
matters in a way, which is appropriate depending

on the nature and significance o f the matter as
well as on the size and legal structure of the
agency being audited.
I have reviewed this Quality Inspection Tool and the results of the procedures for
this engagement and am satisfied that all applicable general audit procedures
have been completed, the conclusions are reasonable and consistent with
professional standards, and the AAR properly reflect the issues addressed.
Signature: ________________________
Last updated
Version
: March 2011
: 03B-02/2011/v1
Date: __________________
14 | P a g e

Form 03B-03: Agency Action Plan
AGENCY ACTION PLAN
Objective
Agency management has the responsibility to act upon the audit observation and
recommendation provided by COA during the conduct of audit. To facilitate the process, the
COA shall provide a mechanism to enforce compliance of the activity. Hence, the Agency Action
Plan document is provided and included as part of the IRRBAM.
The Agency Action Plan is a tool for the agency to signify its action plans on the observations
and recommendations provided by the auditors. This document will serve as the basis for
auditors when monitoring agency action plans.
Agency management shall submit their action plans within 30 days from the date of receipt of
the report.
A significant part of this tool is the space provided for the sign-off of agency officer. Concurrence
of the agency, as evidenced by their sign-off, supports the fact that the agency accepts
responsibility as to the ownership of the action plans provided as well as its implementation.
Reference
-
The reference will serve as a guide for auditors to trace the audit observations and
recommendations indicated in the prior years working papers or reports.
Audit Observation and Recommendation

-
The audit observations and the corresponding recommendations of prior years audit
shall be reflected by the auditors on this column to guide the auditors and agencies
monitoring process.
Last updated
Version
: March 2011
: 03B-03/2011/v1
1|Pa ge

Agency Action Plan

Action Plan/Remarks - Action plan is the response of the audited agency on the
recommendations provided by the auditors during the course of the audit. This
column shall be filled-out by the agency, detailing the appropriate resolution on the
audit observation identified by the auditors.
In any case, auditors shall challenge the appropriateness of the agencies action
plans with the audit observations noted. Any comments that the auditors may have
on the Agency Action Plans shall be communicated and resolved with the
appropriate authorities.
Person/Department Responsible - The Agency shall specifically identify the person or
department responsible in implementing the action plan provided. If it is not possible
to identify the specific person (e.g., due to job rotation), the position or rank shall
suffice.
Identification of a specific person or department responsible for implementing the
action plan will guide the auditors during the conduct of their monitoring procedures.
Target Implementation Date - The action plan provided by an agency shall be timebound. This holds true exceptionally for major audit observations that require
immediate action.
Last updated
Version
: March 2011
: 03B-03/2011/v1
2|Pa ge

AGENCY ACTION PLAN

Sector: __________________________________
Agency Audited: __________________________
Audit Period: ________________
AAR date: ___________________
Agency Action Plan

Ref.
Audit Observation and

Recommendation
Action Plan / Remarks
Person/Dept.
Responsible
Target
Implem.
Date
Agency sign-off:
_______________________________________
Agency Officer
Last updated
Version
: March 2011
: 03B-03/2011/v1
_________________
Date
3|Pa ge

Form 03B-04 Action Plan Monitoring Tool
ACTION PLAN MONITORING TOOL

Objective
As discussed in the IRRBA Manual, the existence of the monitoring process for the prior
years recommendations serves as an additional control for the audited agencies to be
motivated in acting upon the recommendations provided by the auditors. Likewise,
monitoring serves as a feedback mechanism for auditors to determine the value that the
agencies obtain from the findings and suggestions that they provide.
The Action Plan Monitoring tool serves as a guide for the auditors and agencies in
conducting a structured monitoring process of prior years recommendations on the audit
observations noted.
Take note that the Agency Action Plan element will be provided by the audited agency.

The following elements are to be lifted from the Agency Action Plan provided by the agency
management:
Reference
Audit Observation and Recommendation
Agency Action Plan
Action Plan / Remarks
Person/Department Responsible
Target Implementation Date
The columns provided under the COA Monitoring portion are developed to guide the auditors
during the conduct of their monitoring procedures. These elements are essential since this is
the focus of the monitoring function of the auditors.
Date of follow-up
-
Indicate the date when the follow-up is made.
Implementation Status
-
This column shall be answered by the auditor during the execution of the monitoring
procedures.

Version
: 03B-04/2011/v1
1|Pa ge

The following are the selections for the status of the implementation of agency
action plans:
Full Action plans as provided by the agency management in the Agency
Action Plan document have been fully implemented in all scope mentioned.
Partial Action plans as provided by the agency management in the Agency
Action Plan document have been partially implemented in some areas.
Ongoing Implementation of the action plans provided the agency
management in the Agency Action Plan is still ongoing.
Non-implementation Agency management did not implement the action
plans provided in the Agency Action Plan within the target completion period.
This is the area where auditors should carefully take a look. Auditors shall
examine and assess the reasons for non-implementation of previously stated
action plans.
Actual Implementation Date
-
Part of the auditors examination is the determination of the actual implementation

date of the action plan set by an agency. Comparison of the actual against the target
date for the implementation of action plans is significant particularly on interrelated
audit observations and action plans.
Reason for Delay/Non-implementation

-
Auditors shall uncover the reasons for the delay or non-implementation of action
plans. If the circumstances permit, auditors shall inquire several agency personnel or
officer on the causes of the delay or non-implementation.
Comments/Action Taken
-
This column is for the auditors comments or actions to be taken as a result of the
monitoring procedures conducted. The remarks that will be provided on this column
can also be a basis for the next years audit project.

Version
: 03B-04/2011/v1
2|Pa ge

ACTION PLAN MONITORING TOOL

Sector
Prepared by:
Date:
Team
Reviewed by:
Date:
Agency Audited
Approved by:
Date:
Audit Period
AAR Date
:
Agency Action Plan
COA Monitoring
Audit Observation
Ref.
Implem. Status
and
Action Plan/
Person/Dept.
Target Implem.
Recommendation
Remarks
Responsible
Date
Date of follow-up
Reason for
(Full, Partial,
Actual implem.
Delay/Non-
Comments/Action
Ongoing, Non-
Date
Implementation
Taken
implementation)
Prepared by:
________________________________________
Audit Team Leader
Version
: 03B-04/2011/v1
(if applicable)
Approved by:
_________________
Date
________________________________________
Supervisor
_________________
Date
3|P age

IRRBAM Vol2

Uploaded by

Copyright:

Available Formats

IRRBAM Vol2

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IRRBAM Vol2

Uploaded by

Copyright:

Available Formats

Commission on Audit

INTEGRATED RESULTS AND

Strategic Planning and Risk Identification

Integrated Results and Risk-Based Audit Manual

FORMS AND TEMPLATES

Strategic Planning and Risk Identification

Agency Audit Planning and Risk Assessment

Delivery: Conclusion and Reporting

Integrated Results and Risk-Based Audit Manual

Phase 1 Strategic Planning and Risk Identification

GOVERNMENT RISK MODEL

Accomplishing this tool

Integrated Results and Risk-Based Audit Manual

Phase 1 Strategic Planning and Risk Identification

Integrated Results and Risk-Based Audit Manual

Phase 1 Strategic Planning and Risk Identification

Integrated Results and Risk-Based Audit Manual

Phase 1 Strategic Planning and Risk Identification

GOVERNMENT RISK MODEL

Planning and resource allocation

Climate change and sustainability initiatives

Integrated Results and Risk-Based Audit Manual

Phase 1 Strategic Planning and Risk Identification

The overall structure of the government instrumentalities does not

This risk pertains to the inability to forecast financial information to

Unavailability and inappropriateness of resource allocation process

Insufficient access to fund threatens the governments capacity to grow,

The government has an obsolete operation model and does not

Planning and execution

Integrated Results and Risk-Based Audit Manual

Phase 1 Strategic Planning and Risk Identification

Measurement and monitoring

This risk pertains to the failure of a major technology implementation to

Failure to evaluate project proposals may result in problems when the

Economic changes such as lower economic growth reduce tax revenue

Adverse political actions in a country in which the agency has invested

Overcommitment of resources and expected future cash flows threatens

This risk pertains to the factors relating to macroeconomic conditions

This risk pertains to the failure to anticipate and respond to changes in

Integrated Results and Risk-Based Audit Manual

Phase 1 Strategic Planning and Risk Identification

Communication and public relations

A decline in customer/public confidence threatens the agencys capacity

This risk pertains to the failure to communicate the right message in an

This risk pertains to the inability to understand and respond to the

A lack of focus on the customer/ public threatens the agencys capacity

Poorly performing or positioned channels access threaten the agencys

Unnecessary activities threaten the agencys capacity deliver services in

Faulty or non-performing services expose the agency to customer/public

Inefficient operations threaten the agencys capacity to deliver services

Insufficient capacity threatens the agencys ability to meet

Integrated Results and Risk-Based Audit Manual

Phase 1 Strategic Planning and Risk Identification

This risk pertains to the failure to establish a culture that is consistent

Recruiting and retention

Development and performance

Compensation and benefits

Health and safety