Internal Audit Manual

PREFACE
Internal audit, a component of the internal control system, is a strategic function in

ensuring good governance throughout the bureaucracy. This Manual is being issued
to assist Departments, Government-Owned and/or -Controlled Corporations, State
Universities and Colleges, Local Government Units and other agencies of
government in establishing, and thereafter strengthening, the internal audit function in
their institutions.
The Internal Auditor in the Philippine Government has the fundamental role of
assisting the Department Secretary or the Governing Body/Audit Committee of the
Governing Board in promoting effective, efficient, ethical and economical operations
by appraising the adequacy of internal controls, consistent with the National
Guidelines on Internal Control Systems (NGICS). The findings on the appraisal of
internal controls are provided to said officials/bodies to institute corrective and
preventive measures and achieve the agency objectives.
The role of the Internal Auditor is not about fault-finding. Neither is it investigative nor
punitive. As one of the accountability mechanisms in public service organizations, the
Internal Auditor reviews the extent of compliance with laws and policies under the
authority of the Department Secretary or the Governing Body/Audit Committee.
As a component of the performance management framework of Departments/

Agencies/Government-Owned and/or -Controlled Corporations/Government Financial
Institutions, the Internal Auditor assesses the levels of performance against agreed
measures, targets and objectives. The internal audit function is separate from, but
complementary to, the day-to-day monitoring of internal controls and the conduct of
continual management improvement, which are within the responsibility of operating
units.
The Philippine Government Internal Audit Manual (PGIAM) was developed to

empower Internal Auditors in performing their roles. It is divided into two parts:
Part I – Guidelines outlines the basic concepts and principles of internal audit,
and the policies and standards that will guide government agencies in
organizing, managing, and conducting an effective internal audit.
Part II – Practices contains user-friendly tools, techniques, and approaches in

appraising the internal control systems against strategic objectives, and in
conducting management and operations audits.
To complement the PGIAM and facilitate the roll-out of the NGICS, Generic Manuals
on Controls in the Human Resource Management System, Quality Management
System, and Risk Management System will also be issued. An overview of these
generic manuals is provided in Appendix A.
The Department of Budget and Management, in conjunction with the Office of the
President – Internal Audit Office, the Commission on Audit, and the Reference Panel
will regularly review these manuals to ensure that these remain updated, relevant and
attuned to the developments in the bureaucracy and best practices abroad.
i
TABLE OF CONTENTS
PREFACE…..........................................................................................................i
TABLE OF CONTENTS.............................................................................ii
LIST OF BOXES......................................................................................vii
LIST OF FIGURES..................................................................................vii
LIST OF TABLES.....................................................................................vii
LIST OF APPENDICES...........................................................................viii
LIST OF ACRONYMS...............................................................................x
PART I - GUIDELINES..............................................................................1
INTRODUCTION.......................................................................................2
CHAPTER I - CONCEPTS AND PRINCIPLES

OF INTERNAL AUDIT.....................................................4
1. Definition of Internal Audit........................................................................................5
2. Legal Bases for Internal Audit..................................................................................5
3. Scope of Internal Audit.............................................................................................7
3.1 Scope................................................................................................................. 7
3.2 Functions of IAS/IAU..........................................................................................8
4. Types of Audits.........................................................................................................9
4.1 Compliance Audit............................................................................................... 9
4.2 Management Audit.............................................................................................9
4.2.1 Control Effectiveness...............................................................................10
4.2.2 Management Review and Management Audit.........................................11
4.3 Operations Audit...............................................................................................12
4.3.1 Workback Approach.................................................................................13
4.3.2 The 4 Es of Operations Audit...................................................................20
5. Principles and Standards of Internal Audit..............................................................23
5.1 Conflict of Interest.............................................................................................23
5.2 Objectivity and Impartiality................................................................................23
5.3 Professional Competence.................................................................................24
5.4 Authority and Confidentiality.............................................................................24
5.5 Code of Conduct and Ethics.............................................................................25
5.6 Hierarchy of Applicable Internal Auditing Standards and Practice....................25
5.7 IAS Functions vis-à-vis Activities and Operations of Other Units.....................26
5.8 Internal Audit in Government not an Assurance and Consulting Activity..........28
5.8.1 Consulting Activity is Non-government Service........................................28
5.8.2 Consulting Activity is Non-audit Service...................................................28
5.8.3 Internal Audit in Government Not an Assurance Service.........................29
5.8.4 IAS/IAU Does Not Undertake Process or Systems Improvement............30
5.9 Internal Audit Studies, Services and Other Seminars by Private
Persons or Firms............................................................................................. 32
CHAPTER II - INTERNAL CONTROL SYSTEM AND

INSTITUTIONAL ARRANGEMENTS.............................33
ii
1. Internal Control Framework....................................................................................34
1.1 Objectives of Internal Control...........................................................................34
1.2 Components of Internal Control........................................................................35
1.3 Control Environment.........................................................................................35
1.3.1 Plan of Organization.................................................................................35
1.3.2 Coordinated Methods and Measures.......................................................36
1.3.3 Integral Process.......................................................................................36
1.4 Risk Assessment..............................................................................................37
1.4.1 Risk Identification.....................................................................................37
1.4.2 Risk Analysis............................................................................................38
1.4.3 Risk Evaluation........................................................................................ 38
1.5 Control Activities...............................................................................................41
1.5.1 Risk Response.........................................................................................41
1.5.2 Performance Review and Improvement of Operations,
Processes and Activities..........................................................................42
1.5.3 Compliance Review and Improvement of Operations,
Processes and Activities..........................................................................42
1.6 Information and Communication.......................................................................42
1.6.1 Information............................................................................................... 43
1.6.2 Communication........................................................................................ 44
1.6.3 Accountability for Transparency...............................................................45
1.7 Monitoring.........................................................................................................46
1.7.1 Ongoing Monitoring..................................................................................46
1.7.2 Separate Evaluation.................................................................................47
1.7.3 Combination of Ongoing Monitoring and Separate Evaluation.................47
1.7.4 Distinction Between Monitoring, Performance Review
and Compliance Review..........................................................................49
2. Administrative Relationships...................................................................................49
2.1 Supervision and Control...................................................................................50
2.2 Administrative Supervision...............................................................................50
2.3 Attachment....................................................................................................... 50
CHAPTER III - ORGANIZING THE INTERNAL AUDIT..........................51

1. Establishment of Internal Audit Service/Unit...........................................................52
2. Reporting Lines...................................................................................................... 52
3. Roles and Responsibilities......................................................................................52
4. Relationships with Principals and Key Stakeholders..............................................53
4.1 Internal Audit Service/Internal Audit Unit and the Department Secretary.........54
4.2 Internal Audit Service/internal Audit Unit and the Governing Body..................54
4.3 Internal Audit Service/Internal Audit Unit and the Audit Committee
in GOCCs/GFIs.................................................................................................55
4.4 Internal Audit Service/Internal Audit Unit and Management.............................55
4.5 Internal Audit Service/Internal Audit Unit and the Commission on Audit..........55
4.6 Internal Audit Service/Internal Audit Unit and Oversight, Regulatory and
Other External Bodies.......................................................................................56
4.7 Internal Audit Service/Internal Audit Unit and Professional Bodies..................56
5. Organizational Structure.........................................................................................57
5.1 Management Audit Division..............................................................................59
iii
5.2 Operations Audit Division.................................................................................60
6. Head of Internal Audit.............................................................................................62
6.1 Status............................................................................................................... 62
6.2 Qualifications.................................................................................................... 63
6.3 Responsibilities.................................................................................................64
6.4 Skills................................................................................................................. 64
7. Staffing the Internal Audit Service/Internal Audit Unit.............................................65
7.1 Temporary Personnel Movements to Supplement Internal Audit
Resources.........................................................................................................66
7.1.1 Detail....................................................................................................................66
7.1.2 Secondment.............................................................................................66
7.1.3 Other Arrangements.................................................................................67
8. Internal Audit Budget..............................................................................................68
CHAPTER IV - PERFORMANCE MONITORING AND

EVALUATION................................................................69
1. Performance Evaluation......................................................................................... 70
1.1 Measuring Internal Audit Performance..............................................................70
1.2 Measurement Techniques.................................................................................71
1.3 Internal Audit Annual Performance Report.......................................................72
PART II - PRACTICES............................................................................73
INTRODUCTION.....................................................................................74
CHAPTER I - STRATEGIC AND ANNUAL WORK PLANNING..............76

1. Strategic Planning.................................................................................................. 77
1.1 Conduct Baseline Assessment of Internal Control System..............................78
1.1.1 Familiarization with the Organization‟s Operations......................................78
1.1.2 Flowchart/Narrative Notes and Walkthrough............................................92
1.1.3 Test of Controls........................................................................................95
1.1.4 Interim Report.......................................................................................... 96
1.1.5 Defining Control Universe........................................................................97
1.1.6 Review of Oversight Bodies and International
Development Partners.............................................................................97
1.1.7 Preparation of the Baseline Assessment Report......................................97
1.2 Consider Control Significance and Materiality and Control Risk
of Key Processes..............................................................................................98
1.2.1 Control Significance and Materiality Level...............................................99
1.2.2 Control Risk Level....................................................................................99
1.3 Assess Internal Audit Risks............................................................................100
1.3.1 IAS/IAU Audit Objectives........................................................................101
1.3.2 Steps in the Assessment of Internal Audit Risks....................................101
1.4 Formulate Strategic Plan................................................................................102
1.4.1 Steps in the Formulation of Strategic Plan.............................................102
1.4.2 Components of Strategic Plan................................................................102
2. Prepare the Annual Work Plan............................................................................107

2.1 Prioritize Potential Audit Areas.......................................................................108
iv
2.2 Validate Previous Audit Follow-up Report......................................................110
2.3 Discuss with the DS/HoA or GB/AuditCom.....................................................110
3. Summary.............................................................................................................. 110
CHAPTER II - AUDIT PROCESS..........................................................112

1. The Audit Process................................................................................................113
1.1 Audit Engagement Planning...........................................................................113
1.1.1 Document Understanding of the Program and Project...........................114
1.1.2 Determine the Audit Objective, Scope, Criteria and Evidence...............116
1.1.3 Determine the Resource Required for the Audit and
the Target Milestones/Dates..................................................................119
1.1.4 Develop the Audit Plan and Audit Program............................................119
1.1.5 Determine Key Performance Indicators of the Audit Engagement.........121
1.1.6 Approval of the Audit Plan, Audit Work Program and KPIs....................121
1.2 Audit Execution...............................................................................................122
1.2.1 Entry Conference...................................................................................123
1.2.2 Conduct Compliance Audit.....................................................................123
1.2.3 Conduct System/Process Audit..............................................................124
1.2.4 Exit Conference......................................................................................125
1.3 Audit Reporting...............................................................................................126
1.3.1 Develop Audit Findings..........................................................................126
1.3 2 Develop Audit Recommendations..........................................................127
1.3.3 Prepare the Draft Audit Report...............................................................128
1.3.4 Update the DS/HoA or GB/AuditCom.....................................................129
1.3.5 Prepare the Final Audit Report...............................................................129
1.4 Audit Follow-up...............................................................................................129
1.4.1 Monitor Implementation of Approved Audit Findings and
Recommendations.................................................................................130
1.4.2 Resolve Non-Implementation/Inadequate Implementation
of Audit Recommendations....................................................................130
1.4.3 Prepare Audit Follow-up Report.............................................................130
2. Compliance Audit of Statement of Assets and Liabilities and Net Worth,
Disclosure of Business Interests and Financial Connections,
and Identification and Disclosure of Relatives in Government Service
of Public Officials and Employees........................................................................131
2.1 Audit Engagement Planning...........................................................................131
2.2 Audit Execution...............................................................................................132
2.3 Audit Reporting...............................................................................................134
2.4 Audit Follow-up...............................................................................................135
3. Gathering and Analysis of Evidence.....................................................................136
3.1 Sufficiency and Appropriateness of Audit Evidence.......................................136
3.2 Types of Audit Evidence.................................................................................138
3.2.1 Physical Evidence..................................................................................138
3.2.2 Testimonial Evidence.............................................................................138
3.2.3 Documentary Evidence..........................................................................138
3.2.4 Analytical Evidence................................................................................139
3.2.5 Electronic Evidence................................................................................139
3.3 Audit Approaches and Techniques in Gathering Audit Evidence...................139
3.3.1 Inquiries and Interviews..........................................................................140
v
3.3.2 Sampling................................................................................................ 140
3.3.3 Computer-Assisted Audit Techniques and Tools...................................140
3.4 Techniques in the Analysis of Evidence.........................................................141
4. Root Cause Analysis............................................................................................ 141
4.1 Root Cause Analysis Techniques...................................................................142
4.1.1 5 Whys Technique..................................................................................142
4.1.2 Failure Mode and Effects Analysis.........................................................142
4.1.3 Fault Tree Analysis.................................................................................142
4.1.4 Fishbone or Ishikawa Diagrams.............................................................142
4.1.5 Pareto Analysis...................................................................................... 143
5. Perform Substantive Tests on the Samples.........................................................143
6. Use of Work of Other Experts...............................................................................144
7. Integration and Preparation of Highlights of Audit Findings..................................144
CHAPTER III - INTERNAL AUDIT PERFORMANCE

MONITORING AND EVALUATION.............................146
1. Performance Monitoring and Evaluation...............................................................147
2. Steps in Performance Evaluation.........................................................................147
2.1 Determine Key Performance Indicators..........................................................147
2.2 Design Performance Monitoring Reports........................................................147
2.3 Prepare Evaluation Report.............................................................................148
3. Performance Monitoring By the Head of Internal Audit........................................148
3.1 Review of Process Assessment Report..........................................................148
3.2 Review of Completion Assessment Report....................................................148
4. Performance Evaluation By the DS/HoA or GB/AuditCom...................................149
4.1. Review of the Internal Audit Report...............................................................149
4.2. Review of the IAS/IAU Performance Report..................................................151
5. Oversight over IAS/IAU.........................................................................................151
5.1 By the Commission on Audit..........................................................................151
5.2 By the Department of Budget and Management.............................................153
6. Request for Opinions/Rulings/Interpretations on Issues Arising from the
Approved Internal Audit Findings and Recommendations to COA/CSC/DBM......154
6.1 Rule-making Power of COA, CSC and DBM..................................................155
6.1.1 Commission on Audit.............................................................................155
6.1.2 Civil Service Commission.......................................................................155
6.1.3 Department of Budget and Management...............................................155
6.2 Interpretation by COA, CSC and DBM of their own rules...............................156
6.3 Request for COA, CSC and DBM Opinions/Rulings/Interpretations................157
PGIAM AMENDMENT PROTOCOL......................................................158

REFERENCES (PGIAM) – PART I.......................................................160
REFERENCES (PGIAM) – PART II......................................................163
APPENDICES.......................................................................................167
GLOSSARY...........................................................................................270
ENDNOTES..........................................................................................276
vi
LIST OF BOXES
Box 1 – Chronology of Issuances on the Creation of the IAS/IAU.............................5
Box 2 – Rule X: Grounds for Administrative Disciplinary Action..............................25
Box 3 – Issuances on the Organization and Staffing of the IAS/IAU.......................57
LIST OF FIGURES
Figure 1 – Compliance Audit Flow Diagram.......................................................9
Figure 2 – Management Audit Flow Diagram...................................................10
Figure 3 – Operations Audit Flow Diagram.......................................................12
Figure 4 – Workback Approach Flow Diagram.................................................13
Figure 5 – Internal Control Framework.............................................................34
Figure 6 – Organizational Chart of the Office of the Secretary.........................57
Figure 7 – Organizational Chart of the Department Proper..............................58
Figure 8 – Organizational Chart of the Internal Audit Department
of a GOCC/GFI................................................................................58
Figure 9 – Organizational Chart of the Internal Audit Service...........................59
Figure 10 – Flow of Internal Audit Activities........................................................74
Figure 11 – Diagram of Internal Audit Key Processes........................................74
Figure 12 – Strategic Planning Flow Diagram....................................................77
Figure 13 – Baseline Assessment of ICS Flow Diagram....................................78
Figure 14 – Control Significance and Materiality and Control Risk
Flow Diagram..................................................................................98
Figure 15 – Assessment of Internal Audit Risk Flow Diagram..........................100
Figure 16 – Audit Process Flow Diagram.........................................................113
Figure 17 – Audit Engagement Planning Flow Diagram...................................114
Figure 18 – Audit Execution Flow Diagram.......................................................122
Figure 19 – Audit Reporting Flow Diagram.......................................................126
Figure 20 – Audit Follow-up Flow Diagram.......................................................129
Figure 21 – Ishikawa Diagram..........................................................................143
LIST OF TABLES
Table 1 – Distinction Between Management Review and Management Audit......11
Table 2 – Functions Related to Internal Control Among the Operating Units,
the Support Services Units, and the Internal Audit Service..................31
Table 3 – Qualification Standards for the HoIA.....................................................63
Table 4 – Qualification Standards for the IAS/IAU Staff........................................65
Table 5 – Example of a Management Audit Coverage.......................................106
Table 6 – Example of an Operations Audit Coverage.........................................106
Table 7 – Example of Audit Focus/Foci for One Period......................................109
Table 8 – Contents of the Audit Plan for Management Audit..............................120
Table 9 – Contents of the Audit Plan for Operations Audit.................................120
Table 10 – Oversight Over IAS/IAU by COA and DBM.........................................151
Table 11 – Request for Opinion, Rulings and Interpretations...............................154
vii
LIST OF APPENDICES
Appendix A : Summary of Generic Manuals on Controls in the Human
Resource Management System (HRMS), Quality Management
System (QMS) and Risk Management System (RMS)..................168
Appendix B : Skills, Related Knowledge, Attributes and Other

Competencies of Internal Auditor..................................................174
Appendix C : Qualification Standards and Functions of the Head

and Staff of the IAS/IAU.................................................................178
Appendix D : Diagram and Flowcharts of Internal Audit Key Process................183
D.1 Flowcharting symbols...................................................................................183

D.2 Internal Audit Key Processes Diagram.........................................................184
D.3 Baseline Assessment of internal Control Flow Diagram...............................184
D.4 Control Significance and Materiality and Control Risk Flow Diagram...........185
D.5 Internal Audit Risk Assessment Flow Diagram.............................................185
D.6 Flowchart of Strategic Audit Planning..........................................................186
D. 7 Preparation of Annual Work Plan..........................................192
D. 8 Flow Diagram of Compliance, Management and Operations Audit.............194
D. 9 Audit Process Flow Diagram........................................................................195
D. 10 Flowchart of Audit Process...................................................198
D. 11 Performance Monitoring and Evaluation...............................213
D.11. 1 Performance Monitoring by Head of Internal Audit (HoIA).....214

D.11. 2 Performance Evaluation by the Department
Secretary/Governing Board – Audit Committee............................................216
D.11. 3 Oversight...............................................................................218
D.11. 4 Request for Opinion...............................................................220
D.11.4. 1 Commission on Audit (COA) on Matters of COA Rules

and Regulations 220
D.11.4. 2 Civil Service Commission (CSC) on Matters of CSC Rules
and Regulations 222
D.11.4. 3 Department of Budget and Management (DBM) on Matters of
Budget and Management.............................................................................224
Appendix E : Internal Control Questionnaire............................................................226
E. 1 Instructions for Completion............................................................................226

E. 2 Section I – Control Environment..............................................................228
E. 3 Section II – Risk Assessment...................................................................245
E. 4 Section III – Control Activities....................................................................249
E. 5 Section IV – Information and Communication............................................252
E. 6 Section V – Monitoring..............................................................................263
Appendix F : Types of Sampling............................................................................264
viii
ix
LIST OF ACRONYMS
4Cs Criteria, Condition, Conclusion and Cause
4Es Effective, Efficient, Ethical, Economical
ABM Agency Budget Matrix
AO Administrative Order
AR Audit Risk
ARP Allotment Release Program
AuditCom Audit Committee
AWP Annual Work Plan
BA Baseline Assessment
BAC Bids and Awards Committee
BAR Baseline Assessment Report
BC Budget Circular
BSC Balanced Scorecard
CAATTs Computer-Assisted Audit Techniques and Tools
CIS Computerized Information System
CL Circular Letter
COA Commission on Audit
COSO Committee of Sponsoring Organizations of the Treadway Commission
CPA Certified Public Accountant
CSC Civil Service Commission
CU Control Universe
DA Department of Agriculture
DBIFC Disclosure of Business Interests and Financial Connections
DBM Department of Budget and Management
DepED Department of Education
DOH Department of Health
DOJ Department of Justice
DPWH Department of Public Works and Highways
DS Department Secretary
EO Executive Order
FMEA Failure Mode and Effects Analysis
FTA Fault Tree Analysis
GAA General Appropriations Act
GAAM Government Accounting and Auditing Manual
GB Governing Board
GFI Government Financial Institution
GISP Government Information Systems Plan
GOCC Government-Owned and/or -Controlled Corporation
GQMSS Government Quality Management Systems Standards
HoA Head of Agency
HoIA Head of Internal Audit
HRM Human Resources Management
ICS Internal Control System
IA Internal Auditor
IAS/IAU Internal Audit Service/Internal Audit Unit
ICQ Internal Control Questionnaire
IDR Identification and Disclosure of Relatives
IFAC International Federation of Accountants
IIA Institute of Internal Auditors
x
INTOSAI International Organization of Supreme Audit Institutions
ISO International Organization for Standardization
ISPPIA International Standards for the Professional Practice of Internal
Auditing
IT Information Technology
KPI Key Performance Indicator
MC Memorandum Circular
MD/MU Management Division/Unit
MO Memorandum Order
MTPDP Medium-Term Philippine Development Plan
MUS Monetary Unit Sampling
NCA Notice of Cash Allocation
NEDA National Economic and Development Authority
NGAS National Government Accounting System
NGICS National Guidelines on Internal Control Systems
NOSCA Notice of Organization, Staffing and Compensation Action
OGCC Office of the Government Corporate Counsel
OMB Office of the Ombudsman
OP- IAO Office of the President – Internal Audit Office
OPIF Organizational Performance Indicators Framework
PAPs Programs, Activities, Projects
PD Presidential Decree
PGIAM Philippine Government Internal Audit Manual
PhilGEPS Philippine Government Electronic Procurement System
PMS- Performance Management System – Office Performance Evaluation
OPES System
PNS Philippine National Standards
PSIPOP Personal Services Itemization and Plantilla of Personnel
PSSO Public Service Sector Organizations
QMS Quality Management System
RA Republic Act
RCA Root Cause Analysis
RMS Risk Management System
SAI Supreme Audit Institutions
SALN Statement of Assets, Liabilities and Networth
SARO Special Allotment Release Order
SCA Statement of Control Attributes
SEC Securities and Exchange Commission
SG Salary Grade
SoG Summary of Gaps
SP Strategic Plan
SUCs State Universities and Colleges
SWOT Strengths, Weaknesses, Opportunities, Threats
TCWP Test of Control Working Paper
UNDC United Nations Disarmament Commission
UNTAG United Nations Transition Assistance Group
WB World Bank
WD Working Days
xi
Part I
Guidelines
1
INTRODUCTION
To complement the implementation of the National Guidelines on Internal Control

Systems (NGICS), the Philippine Government Internal Audit Manual (PGIAM) is
being issued to explain and clarify the nature and scope of internal audit in the
Philippine public sector, including its institutional arrangements, as well as its
protocols and processes.
In October 2008, the Department of Budget and Management

issued the NGICS pursuant to Administrative Order No. 119
dated 29 March 1989 and Memorandum Order No. 277 dated
17 January 1990 which directs the DBM to promulgate the
necessary rules, regulations and circulars for the strengthening
of the internal control systems of government agencies.
Following the provisions of the Constitution, the Government

Auditing Code of the Philippines (Presidential Decree No. 1445
dated 11 June 1978, as amended), the Administrative Code of
1987 and the United Nations Convention Against Corruption (UNCAC), the NGICS
serves as a guide to the heads of departments and agencies in designing, installing,
implementing and monitoring a strong and responsive internal control system.
In fulfilling their mandates and missions, departments and agencies must consider
and observe the general objectives of internal control, namely to:
1. Safeguard assets;
2. Check the accuracy and reliability of accounting data;
3. Ensure efficient, effective, ethical and economical operations;
4. Comply with laws and regulations; and
5. Adhere to managerial policies.
To achieve these objectives, five interrelated internal control components as

enumerated below need to be set in place:
1. Control environment;
2. Risk assessment;
3. Control activities;
4. Information and communication; and
5. Monitoring.
While it is the direct responsibility of the agency head to install, implement and
monitor a sound system of internal control, the Internal Audit Service/Unit (IAS/IAU)
assists him/her by conducting a separate evaluation of the internal control system
(ICS) to determine if controls are well designed and properly implemented. This
function of the IAS/IAU is separate or distinct from the function of the operating units,
other support units, and their equivalent in Government-Owned and/or -Controlled
Corporations (GOCCs) and Government Financial Institutions (GFIs), which monitor
and institute continual improvement of internal controls to support the achievement of
performance targets and organizational objectives.
2
From a baseline assessment of the ICS which identifies gaps or control deficiencies,
the IAS/IAU recommends an audit agenda for approval by the Department
Secretary/Head of Agency (DS/HoA) or the Governing Board/Audit Committee
(GB/AuditCom). Once approved, internal audit is conducted based on set procedures
and criteria. The results of internal audit are submitted to the DS/HoA or the
GB/AuditCom with appropriate recommendations. The PGIAM provides guidelines
and protocols in the performance of these internal audit functions.
3
CHAPTER I
CONCEPTS AND PRINCIPLES OF

INTERNAL AUDIT
4
1. Definition of Internal Audit
Internal audit is the evaluation of management controls and operations

performance, and the determination of the degree of compliance with laws,
regulations, managerial policies, accountability measures, ethical standards and
contractual obligations. It involves the appraisal of the plan of organization and all
the coordinated methods and measures, in order to recommend courses of action
on matters relating to operations and management control.1
Internal audit, being a separate component of internal control, is instituted to

determine whether internal controls are well designed and properly operated.2
The results of internal audit are provided to the DS/HoA or the GB/AuditCom to
assist management in achieving organizational objectives in an effective, efficient,
economical and ethical manner.
2. Legal Bases for Internal Audit
The establishment of the internal audit Box 1 – Chronology of Issuances on the Creation
of the IAS/IAU
function is based on Philippine laws and
statutes. The creation of the Internal 1. Presidential Abolished the IAS created under
Audit Service (IAS) was first mandated Decree No. 1 RA 3456, as amended by RA
under Republic Act No. 3456 or the 4177, and transferred the function
to the Management Division
Internal Auditing Act of 1962, as
2. Administrative Created an IAS in the Department
amended by Republic Act No. 4177. Code of 1987 of Public Works and Highways,
With the or EO 292 and included the supervision of
reorganization of the Executive Branch of internal audit activities as one of
government under Presidential Decree the functions of the Department of
No. 1, the IAS was abolished but its Finance‟s Central Financial
Management Office
functions were merged with the 3. AO 278 & AO Provided authority for the creation
Management Division of the Financial 70 of an IAS and its functions, duties
and Management Service (FMS) of and activities
Departments. The Administrative Code of 4. DBM Budget Highlighted the policy guidelines in
Circular 2004-4 the organization, staffing, positions
1987 re-established the IAS in the and salary grades of the IAS
Department of Public Works and 5. DBM-CSC Provided for the creation of an
Highways. Joint IAS/IAU with its functions in line
Resolution No. with Executive Order No. 366
Subsequent administrative 1, s. 2006
orders mandated government 6. DBM Circular Provided the guidelines in the
Letter No.organization of the IAS and
entities to strengthen their 2008-5 clarified its functions, and the rank
internal control systems and and salary grade of the head of the
organize systems and IAS
procedures in coordination with 7. DBM Circular Provided that the IAS would be
the Department of Budget and Letter No. composed of a Management Audit
2008-8 Division and an Operations Audit
Management (DBM). More recent administrative Division, order and and DBM issuances
specified the
provided for the creation, functions, duties and activities of the functions
IAS/IAU‟s IAS/IAU. related to
internal control
5
The chronological summary of issuances on the organization, staffing, functions
and activities of internal audit is provided as follows.
a. Republic Act No. 3456 (Internal Auditing Act of 1962), as amended by RA

No. 4177, created and organized an IAS/IAU in all government agencies to
help management achieve an efficient and effective fiscal administration and
to assist in the performance of agency affairs and functions.
b. Presidential Decree No. 1 (Reorganizing the Executive Branch of the

National Government), which was adopted on 1 September 1972 to effect
the desired changes and reforms in the social, economic and political
structure of the country, merged the IAS/IAU with the Management Division
under the Financial and Management Service in Departments pursuant to
Item 3, Article IV, Chapter I, Part V of the PD.
c. Department of Justice Opinion No. 153 dated 27 September 1974, noted that
the IAS/IAU was abolished by the Integrated Reorganization Plan under PD
No. 1 and found no legal basis to allow the payment of salary differentials to
seven Auditing Examiners II serving in said defunct IAS/IAU.
d. Executive Order No. 292 (Instituting the Administrative Code of 1987) dated
25 July 1987, created an IAS/IAU in the Department of Public Works and
Highways under Sec. 4, Ch. 1, Title V, Book IV, and included the supervision
of internal audit activities as one of the functions of the Department of
Finance‟s Central Financial Management Office under Ch. 3, Title II, Book
IV.
e. Section 1 of Administrative Order No. 119 dated 29 March 1989, mandated

government entities to strengthen their internal control systems and organize
systems and procedures in coordination with the DBM.
f. Memorandum Order No. 277 dated 17 January 1990, Directing the

Department of Budget and Management to promulgate the necessary rules,
regulations and circulars for the strengthening of the internal control systems
of government offices, agencies, government-owned or controlled
corporations and local government units.
g. Administrative Order No. 278 (Directing the Strengthening of the Internal

Control Systems of Government Offices, Agencies, Government-Owned
and/or Controlled Corporations, including Government Financial Institutions
and Local Government Units, in their Operations) dated 28 April 1992,
provided for the functions, duties and activities of the IAS/IAU.
h. Administrative Order No. 70 (Strengthening of the Internal Control Systems

of Government Offices, Agencies, Government-Owned and/or Controlled
Corporations, Including Government Financial Institutions, State Universities
and Colleges and Local Government Units) dated 14 April 2003, reiterated
the authority for the creation of the IAS/IAU and its functions.
6
i. DBM Budget Circular 2004-4 (Guidelines on the Organization and Staffing of
Internal Auditing Units) dated 22 March 2004, provided for the policy
guidelines in the organization, staffing, positions and salary grades of the
IAS/IAU in Departments/Agencies/GOCCs/GFIs concerned.
j. DBM - Civil Service Commission Joint Resolution No. 1 (Rationalization

Program‟s Organization and Staffing Standards and Guidelines) dated 12
May 2006, provided for the creation of the IAS/IAU with its functions in line
with Executive Order No. 366.
k. DOJ Opinion No. 007 dated 29 January 2007, in response to the query on
whether or not RA No. 3456, as amended by RA No. 4177, is still the
enabling law on the establishment of the internal audit function in
government agencies, cited the evolution of the IAS/IAU from RA No. 3456,
as amended by RA No. 4177, to PD No. 1, wherein the IAS/IAU was
abolished but its functions were merged with the Management Division under
the FMS. It also recognized DBM Budget Circular (BC) No. 2004-04 in
setting the Guidelines on the Organization and Staffing of Internal Auditing
Units. However, the DOJ opined that the query be coursed to the Office of
the Government Corporate Counsel (OGCC) and/or the DBM.
l. OGCC Opinion No. 099 dated 30 May 2007, stated that PD No. 1 recognized
that the IAS/IAU had been abolished but its functions had been merged with
the Management Division under the FMS, and DBM BC 2004-04.
m. DBM Circular Letter No. 2008-05 (Guidelines in the Organization and

Staffing of an Internal Audit Service/Unit and Management Division/Unit in
Departments/Agencies/GOCCs/GFIs Concerned) dated 14 April 2008,
provides the guidelines in the organization of the IAS/IAU, clarifying its
functions, and specifying the rank and salary grade of the head of the
IAS/IAU. The Circular states that the head of the IAS/IAU shall directly report
to the Department Secretary/Head of the Agency in the case of Departments
and regular attached agencies, and to the Audit Committee3 of the Governing
Board in the case of GOCCs/GFIs.
3. Scope of Internal Audit
3.1 Scope
Internal audit is an integral part of the internal control system of public

service organizations. The scope of internal audit is broad and involves all
matters relating to operations and management control.
Among others, internal audit encompasses the appraisal of the adequacy of

internal controls, the conduct of management audit and the evaluation of the
results of operations, focusing on the effectiveness of controls of operating
systems and support services units/systems.
7
3.2 Functions of IAS/IAU
Pursuant to the Administrative Code of 1987, and as reiterated in the

NGICS, the functions of the IAS/IAU are as follows:
a. Advise the DS/HoA or in the case of GOCCs/GFIs, the Governing Body

through the Audit Committee, on all matters relating to management
control and operations audits;
b. Conduct management and operations audits of Department/

Agency/GOCC/GFI functions, programs, projects, activities with outputs,
and determine the degree of compliance with their mandate, policies,
government regulations, established objectives, systems and
procedures/processes and contractual obligations;
c. Review and appraise systems and procedures, organizational structures,

asset management practices, financial and management records, reports
and performance standards of the department proper, bureaus and
regional offices;
d. Analyze and evaluate management deficiencies and assist top

management by recommending realistic courses of action; and
e. Perform such other related duties and responsibilities as may be

assigned or delegated by the Secretary or the Governing Board or as
may be required by law.
8
4. Types of Audits
There are three types of audit: compliance audit, management audit, and
operations audit.
4.1 Compliance Audit
Compliance audit is the evaluation of the degree of compliance with laws,

regulations and managerial policies and operating procedures in the agency,
including compliance with accountability measures, ethical standards and
contractual obligations. This type of audit is a necessary first step to, and
part of, management and operations audits.
Components of Established Criteria/

Internal Control Controls Standards Output
System
1) The Philippine
1) Control Environment
Constitution
2) Laws and their IRR
2) Risk Assessment Design

3) Presidential
Issuances Compliance
with Laws,
3) Control Activities 4) Issuances of Regulations
Oversight and and Policies
Regulatory
Bodies
4) Information and
Communication Implementation 5) Agency
Issuances
5) Monitoring 6) Contractual
Obligations
Figure 1 - Compliance Audit Flow Diagram
4.2 Management Audit
Management audit is a separate evaluation of the effectiveness of internal

controls adapted in the operating and support services units/systems to
determine whether they achieve the control objectives over a period of time
or as of a specific date. It includes the determination of the degree of
compliance with laws, regulations, managerial policies, accountability
measures, ethical standards and contractual obligations covering specific
timeframes.
It is a review and appraisal of the systems and processes, organizational and

staffing structures, operations and management practices, records, reports
and performance standards of the agencies/units covered.
Management audit may encompass a comprehensive and thorough

examination of an organization or a specific operating or support system or
work process. Operating systems include aspects such as the rules of
engagement in the conduct of arrest, search and seizure in the case of
9
investigating agencies, and the rules on vaccination and immunization in the
case of health facilities. Examples of support services systems are human
resource management system, financial management system, quality
management system, risk management system and their sub-systems. The
audit is conducted to identify issues and control weaknesses or management
deficiencies in the organization, thus providing top management with courses
of action to address the problem area.
Components of
Control
Internal Control Controls Output
Objectives
System
1) Control Environment 1) Safeguard Assets

Operating
System-Key
2) Check Accuracy &
processes
Reliability of
2) Risk Assessment
Accounting Data
Control
3) Control Activities 3) Adherence to Managerial Effectiveness
Policies
4) Information and
Communication Support 4) Compliance w/ LRP
System-Key
processes 5) Ensure 4Es of Operations
5) Monitoring
Figure 2 - Management Audit Flow Diagram
4.2.1 Control Effectiveness
Management audit focuses on results, evaluating the effectiveness

and suitability of controls by reviewing or appraising existing
measures and methods. Management audits include compliance
audits and root cause analysis. When performed correctly, they are
potentially useful evaluation method because they can be the basis of
corrective or preventive measures.
Control effectiveness refers to the achievement of control objectives.

When these control objectives are achieved, it can be concluded that
management controls are effective.
Management control refers to internal control, which comprises the

plan of organization and all the coordinated methods and measures
adopted within an agency to ensure that resources are used
consistent with laws, regulations and policies; resources are
safeguarded against loss, wastage and misuse; financial and non-
financial information are reliable, accurate and timely; and operations
are economical, efficient and effective. Management controls are
essential in managing any organization. It is not enough to enact laws
or issue regulations, to appropriate budgets, or to establish policies if
there can be no effective controls to ensure that they will be properly
implemented.
10
4.2.2 Management Review and Management Audit
Management audit should be distinguished from management review.
a. Management review is usually conducted by the Management

Committee of a department/agency or delegated to the
Management Division of the FMS. Management audit is conducted
by the Management Audit Division of the IAS/IAU.
b. Under a management review, the operating or functional unit

assesses existing methods, systems and processes, and
implements recommendations for improvement. In a management
audit, the IAS/IAU appraises the management controls of the
operating or support units to determine if the control objectives are
being achieved, conducts root cause analysis in case the controls
are weak, and recommends courses of action to address the
control weakness.
c. Management reviews are conducted any time prior to, during or

after the implementation of the processes. Management audits are
conducted after a system/process has been implemented or over a
specific period of time or as of a given date.
The distinctions between management review and management audit

are summarized in Table 1 below:
Table 1 - Distinction Between Management Review and Management Audit

Management Review Management Audit
Focus Assess existing organizational Evaluate management control
structure, methods, measures, effectiveness and determine the
systems and processes to ensure probable/root cause of control
continuing suitability, adequacy deficiencies, if any
and effectiveness and identify and
assess opportunities for
improvement
Scope Existing management system and Appraise whether internal control
practices, procedures and components are well designed and
processes, organizational properly implemented; evaluate
structure, staffing standards and whether internal control objectives
manpower requirements are achieved; evaluate control
effectiveness of operating systems
and support systems for a specific
period or date
Timing Conducted anytime prior to, during Takes place “after the fact” and
or even after the implementation of covers a complete cycle of
a system or process operations
Action to To improve or develop new To advise/report to the DS/ HoA
be taken management system and or GB/AuditCom all matters
practices, procedures and relating to management control,
processes, staffing standards and and recommend courses of
manpower requirements action to address inadequacy in
internal control
11
4.3 Operations Audit
Operations audit is a separate evaluation of the outcome, output, process

and input to determine whether government operations, programs and
projects are effective, efficient, ethical and economical, including compliance
with laws, regulations, managerial policies, accountability measures and
contractual obligations.
“Doing things right” given the

“Doing the right things”
available inputs and within
achieving expected results
a specified timeframe
and
Efficient contribute to sectoral goals
Effective
Consistent with the Code using
Perform of Conduct and Ethical Standards
the least
amount of inputs within a
specific timeframe Ethical
Economical
Input Evaluation Outcome Evaluation
Process Evaluation Output Evaluation
Quality Quality Quality Quality
Input Process Outputs Outcomes
Law, mandate, Implementation,
program, organization, risk response, Products and Benefits and
staff, system‟, resources performance and services impact or
and managerial policies compliance reviews change
Citizens’ Needs Serving Citizens’ Satisfied Citizens’ Improved Quality

Needs Needs of Life
Figure 3 - Operations Audit Flow Diagram
Operations audit of organizations, programs, and projects involves an

evaluation of whether or not performance targets and expected results were
achieved.
The importance of assessing the effectiveness, efficiency, ethicality and

economy of government operations is to contribute to better public services,
accountability and governance. The matter of outcomes, outputs, processes,
and inputs, as well as their correlation with the goals of effectiveness,
efficiency, ethicality and economy of operations are the focus in the
evaluation.
Before conducting an operations audit, the IAS/IAU must have a good

understanding of the organization, and its program and project processes.
This will give a clear grasp of the processes and the key areas involved, and
accordingly help the IAS/IAU determine the appropriate audit objectives,
scope, criteria and evidence. Information gathered during the strategic and
annual work planning is useful in understanding the organization and the
program and project processes.
12
In undertaking operations audit, the auditor seeks to:
a. Evaluate the outcome, which includes the evaluation of the

benefits/impact of the program or the change in the condition of the
beneficiaries;
b. Evaluate the output, which are products/goods and services produced or

delivered;
c. Evaluate the process. The process is the transformation of an input to an

output. There must be value added to the inputs. There is a need to
evaluate whether or not processes have been properly implemented and
there is proper conduct of risk response, performance and compliance
reviews; and
d. Evaluate the inputs (i.e., statutory policy, mandate, program,

organization, staff, system, resources, managerial policies, and citizens‟
needs).
Evaluation can be done on the outcome-output-process-input (or work back

approach), as it relates to the 4Es or effectiveness, efficiency, ethicality, and
economy (see Figure 4). This approach, in particular, starts with a set of
objectives (e.g., statutory policy objectives), that the DS/HoA or
GB/AuditCom wants to achieve (expected outputs and outcomes) which
have been formulated in SMART terms (i.e., Specific, Measurable,
Attainable, Realistic and Time-bound).
4.3.1 Work back Approach
Essential to the conduct of operations audit is the assessment of

progress with respect to processes, projects and programs, and their
respective outputs and outcomes or impact/change towards improving
the condition of intended beneficiaries. This is the work back
approach of operations audit.
Input Process Output Outcome

Evaluation Evaluation Evaluation Evaluation
Quality Input Quality Process Quality Outputs Quality Outcomes
Law, mandate, program, Implementation, risk
organization, staff, Benefits and Impact
response, performance Products and services
system, resources and or change
and compliance reviews
managerial polic‟ ies
Serving Citizens‟ Satisfied Citizens‟ Improved

Citizens‟ Needs
Needs Needs Quality of
Life
Figure 4 – Work back Approach Flow Diagram
13
The work back approach of operations audit requires proper
identification of programs/projects/processes and their respective
outputs and outcomes. This is to establish causality between
programs and projects, projects and processes, as well as their
respective outputs and outcomes.
a. Programs/Projects/Processes
i. Activities are equivalent to a process.
Activities are actions taken through which inputs are mobilized

to produce specific outputs.4 Activities in public service sector
organizations through which inputs are transformed into
outputs are equivalent to a process5 referred in the
Government Quality Management Systems Standards
(GQMSS) and NGICS.
The concept of an activity referred to in the Organizational

Performance Indicators Framework (OPIF)6 under its programs,
activities, projects (PAPs – strategy and manner for effectively
and efficiently delivering outputs and goods) is the same
concept of an activity in the GQMSS and NGICS. These
activities must add value to inputs to generate intended
outputs. The organization can discard an activity that does not
contribute to the attainment of a particular output.
ii. A project is a component of a program.
The Administrative Code of 1987 defines programs and

projects. A program refers to the functions and activities
necessary for the performance of a major purpose for which a
government agency is established, while a project is a
component of a program covering a homogeneous group of
activities that result in the accomplishment of an identifiable
output.7
Under the Budget of Expenditures and Sources of Financing for

FY 2011 of the DBM, a program is defined as a homogeneous
group of activities necessary for the performance of a major
purpose for which a government agency is established, for the
basic maintenance of the agency‟s administrative operations or
for the provisions of staff support to the agency‟s administrative
operations or for the provisions of staff support to the agency‟s
line functions while projects is defined as special agency
undertakings which are to be carried out within a definite time
frame which are intended to result some pre-determined
measure of goods and services.
14
Based on the foregoing, the following can be construed:
(1) A process is a “set of interrelated or interacting activities of

the public sector organization which transforms input
elements (policies, resources, citizens‟ needs and
expectations, etc.) into outputs/outcomes (the products
and services provided to the citizens).” A process
requires inputs to produce an identifiable output. An
output of one process may be an input to another process.
(2) A project as a component of a program covers a

homogeneous group of activities or processes needed in
the accomplishment of an identifiable output to be carried
out within a definite time frame.
(3) A program is composed of several projects necessary for

the accomplishment of a major output and program
outcome of an agency. An aggregation of these major
outputs generates the program outcome of an agency.
b. Program Outcomes/Project Outputs/Process Outputs
An outcome is a result of a program or programs, projects and

processes of departments/bureaus/regional offices. The
aggregate outputs of processes are considered as major final
outputs of the project while the aggregate major final outputs of
projects results in program outcome. The aggregation of
outcomes results in benefits and impact or change that contributes
to the satisfaction of citizens‟ needs and expectations.
Major final outputs and organizational outcomes under the OPIF

are the same as the output and outcome referred to in the GQMSS
and NGICS. The OPIF viewed organizational outcome as the
“desired effects, i.e., resulting condition when the major final
outputs are utilized as reflected in the agency mandate.”8
c. Outcome, Output, Process and Input Evaluation
In the work back approach, auditors perform sequential

evaluations of the outcome, output, process and inputs. These
evaluations are conducted to determine the extent of the direct
contribution of inputs, processes and outputs to the achievement
of the outcome or impact/change.
i. Outcome Evaluation
In the work back approach of operations audit, an outcome

evaluation is conducted to assess the contribution and proper
attribution of an agency outcome to the impact or change in the
condition of the intended beneficiaries by comparing the
15
outcomes with the baseline data. An estimate of what would
have happened in the absence of a department/bureau/
regional office or a local government unit program is
determined.
In the conduct of outcome evaluation, proper identification and

attribution of the major final outputs to the outcome or
impact/change to the intended beneficiaries should be carried
out. Likewise, an assessment should be made on the extent to
which a program outcome or impact/change fulfills citizens‟
needs and expectations, as well as the contribution of such
program outcome to raising the quality of life.
(1) Attribution of project outputs (major final outputs) to an

agency‟s or program‟s outcome.
There is a need to disaggregate an agency‟s or program‟s

outcome into project outputs (major final outputs) to
establish/document whether such project outputs are
relevant components of a program outcome delivered by
the agency. This is to determine the extent of contribution
of the actual/observed project outputs to the agency‟s or
program‟s outcome.
(2) Attribution of program outcome to impact/change in the

condition of intended beneficiaries.
There are instances when benefits and impact/change are

contributed by several government agencies. For
example, an outcome of 80% passing rate of graduating
pupils is not only attributable to the DepED (with private
learning institutions and internal stakeholders) as the
external stakeholders of the DepED contribute to the
attainment of this outcome which include other public
service sectors such as the public works sector (i.e.,
DPWH and its internal stakeholders) – for roads going to
the school, the health sector (i.e., DOH and its internal
stakeholders) for the health and nutrition of the students.
This form of evaluation is employed when external factors
are known to influence the organization‟s/program‟s
objectives, in order to identify the
organization‟s/program‟s contribution to the achievement
of its targeted outcome.
In the event when benefits and impact/change are

contributed by several government agencies, there is a
need to identify and accurately measure the particular
contribution or intervention of an agency outcome to the
impact or change in the condition of intended
beneficiaries. In this way, causality between the agency
outcome and the impact/change to the condition of
16
intended beneficiaries is established. This is to determine
the extent of the contribution of the
programs/projects/processes to the agency outcome and
to the actual/observed impact or change in the condition of
intended beneficiaries.
ii. Output Evaluation
An output evaluation is undertaken to assess the extent to

which a project/process achieves its output (products/goods
and services). It focuses on outputs to determine the
effectiveness of a project/process, but it may also assess its
process to understand how the outputs are produced. Output
evaluations establish causality of process outputs to project
outputs, as well as the correlation of these
processes/interrelated activities to a particular project.
In the conduct of output evaluation, proper identification and

attribution of process outputs to project outputs (major final
outputs) should be carried out. Likewise, assessment is made
on the relevance and contribution of processes/interrelated
activities to the achievement of the respective process outputs
which contributed to project outputs (major final outputs). In
this way, the auditor determines the correlation of
processes/interrelated activities to a particular project and the
contribution to the achievement of project outputs. Also, the
assessment is performed to determine the extent to which
project outputs (major final outputs) contribute to program
outcomes for the fulfillment of citizens‟ needs and
requirements.
(1) Attribution of process outputs to project outputs (major

final outputs)
There is a need to disaggregate project outputs into

process outputs to establish/document whether such
process outputs are relevant components of a project
output delivered by the agency. This is to determine the
extent of contribution of actual/observed process outputs
to the project outputs (major final outputs).
(2) Attribution of project outputs (major final outputs) to the

program outcome
This involves the disaggregation of the program outcome

into project outputs to identify and accurately measure the
contribution to the program outcome delivered by the
agency. In this way, causality between the project outputs
(major final outputs) and agency/program outcome is
established. This is to determine the extent of contribution
17
of project outputs (major final outputs) to program
outcomes towards the fulfillment of citizens‟ needs and
requirements.
iii. Process Evaluation
Process evaluation involves the assessment of the efficiency

and ethicality of a process. A review is conducted to assess
the process as to the efficiency in the use of available
resources/inputs, as well as its conformity to norms of conduct
and ethical standards.
A review is conducted on interrelated activities to determine the

contribution of each activity within a process to the
achievement of a process output. Likewise, input elements
such as policies, organizational structure, resources, citizens‟
needs and requirements to achieve the process outputs are
properly identified.
Process evaluation entails the assessment of the following:
(1) Implementation of processes/interrelated activities as to

conformity with established standards and policies. This is to
determine whether or not such processes/interrelated
activities add value to the inputs for their transformation into
outputs.
(2) Internal controls embedded within processes/ interrelated

activities as to their design and implementation.
(a) The risk response/treatment designed to contain

uncertainty in achieving the process outputs.
(b) If performance review is conducted to determine

whether actual process outputs meet established
objectives and/or whether processes/ interrelated
activities are efficient and effective. In the event when
processes/interrelated activities and process outputs fall
short of the established standards, the same should be
reviewed to determine if process improvements are
needed.
(c) Conduct of compliance review to determine the extent of

compliance of processes/interrelated activities with
established objectives, policies, methods, procedures,
laws and regulations.
18
Processes/interrelated activities are also evaluated as to their
ability to meet the requirements of quality outputs. Process
evaluation determines whether or not processes/interrelated
activities are quality processes that contribute to the delivery of
quality outputs to meet citizens‟ needs and expectations.
iv. Input Evaluation
Input evaluation is the assessment on the appropriate and

economical sourcing and leveraging of resources/inputs
(statutory policy, mandate, organization, laws, regulations,
managerial policies, resources, citizens‟ needs). This is also a
review on whether or not resources/inputs are acquired at the
right cost, at the right time, at the right place, in the right
quantity and of the right quality.
As provided for in the Administrative Code of 1987, among the

inputs, the budget “shall be oriented towards the achievement
of explicit objectives and expected results, to ensure that funds
are utilized and operations are conducted effectively,
economically and efficiently”.9
Inputs/resources should be evaluated if they have the ability to

meet the requirements of quality outputs. Input evaluation
determines whether or not inputs/ resources are quality inputs
that contribute to the delivery of quality outputs through which
citizens‟ needs and requirements are met.
At each phase of the evaluation, emphasis is given to quality

results (output and outcome or impact/change), quality processes
and quality inputs as these are defined through the identification of
the needs and requirements of the citizens.
The GQMSS supports citizen satisfaction through the identification

and documentation of citizens‟ needs and expectations as basis
for the formulation of public sector organization programs.
“The top management of the public sector organization should

identify current and (where possible) future needs and
expectations of its citizens to meet them and achieve citizen
satisfaction within the framework of its legal powers and
resources available. The requirements of the citizens should
be defined and documented as requirements in public sector
organization programs; specific objectives and performance
indicators should be identified to ensure that these are being
met. The needs and expectation of citizens should be
reviewed at planned intervals and updated as necessary to
ensure citizen satisfaction.“10
19
Citizen-focused public service sector organizations are
characterized by quality results (outputs and outcomes), quality
processes and quality inputs. Quality is defined in terms of its
ability to meet citizens‟ needs and expectations. Hence, quality
results, quality processes and quality inputs of public service
sector organizations are geared towards the fulfillment of these
needs and expectations.
4.3.2 The 4 Es (Effective, Efficient, Ethical and Economical) of

Operations Audit
Public service requires that the organization‟s outputs and outcomes

are measured in terms of how these directly affect the quality and
quantity of public service delivery through effective, efficient, ethical,
and economical operations.
a. Effective means being able to “do the right things”. Effectiveness

refers to the achievement of objectives. It involves an assessment
of the outcomes of the department/bureau/regional office programs
and outputs of the division/project/process which accrues to the
public, measured in terms of performance measures or targets.
Every department/agency has a legislated mandate and functions.

Each operating unit has a responsibility in achieving the
department/agency‟s mandate and functions. Effective operations
mean that operating units are able to deliver their major final
outputs and outcomes, able to achieve the expected results, and
contribute to the achievement of sectoral and societal goals.
It is concerned with the relationship between goals and objectives,

outputs and outcomes. Are the stipulated aims being met by the
means employed, the outputs delivered and when aggregated will
achieve the outcome? Are the impacts or change observed really
the results of operations rather than other circumstances?
In auditing effectiveness, operations audit may, for instance:
i. Assess whether or not government programs have been

formulated and approved with clear and specific objectives;
ii. Assess whether or not the means provided (legal, budget, etc.)
for a new or ongoing government program are adequate,
consistent, suitable or relevant;
iii. Assess whether or not the quality and quantity of the public
services meet the citizens‟ needs or the statutory objectives;
iv. Assess the effectiveness of government investments and

programs and/or their individual components, i.e., ascertain
whether or not the goals and objectives are met;
20
v. Identify the relative utility of alternative approaches to yield
better performance or eliminate factors that inhibit
program/project effectiveness.
b. Efficient means being able to “do things right” given the available
resources/inputs and within a specified timeframe. This is about
delivering a given quantity and quality of outputs with minimum
inputs or maximizing outputs with a given quantity and quality of
inputs. It follows the principle of prioritization and leveraging by
determining the critical path and assigning available resources.
Efficiency means optimum utilization of resources keeping in mind
the objectives of the organization.
In evaluating efficiency, the main question is whether or not

available inputs have been put to optimal or satisfactory use or
whether the same or similar results in terms of quantity, quality and
turn-around time could have been achieved when compared with
other public service organizations, both public and private.
For instance, are the processes generating the most output – in

terms of quantity and quality – from the inputs? The question
refers to the relationship between the quality and quantity of
products/goods and services generated and the inputs utilized to
produce them, in order to achieve the desired results.
The efficiency of a process is audited by examining the inputs

based on available resources utilized, determining whether or not
policy and regulatory measures are properly in place, or assessing
the degree of leverage with other public service sector
organizations.
Any finding on efficiency is usually only relative, while occasionally,

inefficiency is immediately apparent. A finding on efficiency can be
formulated by means of a comparison with similar activities, with
other periods, or with a standard that has been explicitly adopted.
There is a need for a process evaluation to review the efficiency

and the ethicality of a process. As previously mentioned, efficiency
is “doing things right” given the available resources/inputs and
within a specified timeframe, while ethicality is about conforming to
the norms of conduct and ethical standards. A three-pronged
approach is done involving the review of implementation, risk
response, performance review and compliance review. It is a
typical work back approach to evaluate the conformity of the
organization/program/project to statutory and regulatory
requirements, design, standards, and citizens‟ needs and
expectations.
21
In essence, efficiency indicates how well an organization uses its
inputs to produce or deliver products/goods and services. Thus, it
focuses on the transformation of inputs to outputs, and the rate
(productivity) at which inputs are used to produce or deliver the
outputs. Output dimensions include quantity and quality. The
quantity of outputs delivered to the public are in terms of amount,
volume, or number of products/goods and services produced or
delivered. Outputs should meet the quality requirements; statutory
and regulatory requirements; agency requirements; process
design and standards; and the needs and expectations of the
citizens. In short, quality outputs are delivered to improve the
quality of life of the public being served.
c. Ethical means being able to conform to the norms of conduct and

ethical standards as contained in RA No. 6713, otherwise known
as the Code of Conduct and Ethical Standards for Public Officials
and Employees.
The "Code of Conduct and Ethical Standards for Public Officials

and Employees" or Republic Act No. 6713 dated 20 February
1989, declares that public officials and employees shall at all times
be accountable to the people and shall discharge their duties with
utmost responsibility, integrity, competence, and loyalty, act with
patriotism and justice, lead modest lives, and uphold public interest
over personal interest. Every public official and employee is
expected to observe the standards of personal conduct in the
discharge and execution of official duties which, among others,
include:
i. Commitment to public interest. Public officials and employees

shall always uphold public interest over and above their
personal interest. All government resources and powers of their
respective offices must be employed and used efficiently,
effectively, honestly and economically, particularly to avoid
wastage in public funds and revenues.
ii. Professionalism. Public officials and employees shall perform

and discharge their duties with the highest degree of
excellence, professionalism, intelligence and skill. They shall
enter public service with utmost devotion and dedication to
duty. They shall endeavor to discourage wrong perceptions of
their roles as dispensers or peddlers of undue patronage.
A compliance audit shall be made to determine conformity with the

norms of conduct and ethical standards. The procedures for fact-
finding review in administrative cases (e.g., CSC Uniform Rules on
Administrative Cases in the Civil Service or Ombudsman Rules of
Procedure) can be used in the evaluation of ethicality.
22
d. Economical means being able to perform functions and tasks
using the least amount of resources/inputs within a specific
timeframe. It implies that the resources/inputs should be acquired
at the right cost, at the right time, at the right place, in the right
quantity and of the right quality.
Organizations are enjoined to exercise prudence and restraint in

the use of their resources by focusing on their core functions and
prioritizing their programs/projects to those which would contribute
best to the attainment of agency objectives. A compliance audit is
made in an input evaluation (economy). Adherence to the
Government Procurement Reform Act (RA 9184) and its Revised
Implementing Rules and Regulations will also help in ensuring
economy.
Audits of economy may provide answers to questions such as:
i. Do the means chosen, policy, organization (public or private

service entities) – the inputs – represent the most economical
in the achievement of the organization‟s objectives and goals?
ii. Have the human, financial and non-financial resources been

used economically?
It is often a challenging task for an auditor to assess whether or

not the inputs chosen represent the most economical use of public
funds and property and whether or not the least amount of
resources available have been used economically. These are
considered as inputs: statutory policy, mandate, organization,
laws, regulations, managerial policies, resources – men, money,
minutes, materials, machines, methods and measures.
5. Principles and Standards of Internal Audit
5.1 Conflict of Interest
The Internal Auditor should avoid conflict of interest at all times, thereby
maintaining objectivity and impartiality and upholding public interest. He/she
should maintain an impartial, unbiased attitude, characterized by integrity
and an objective approach to work and be constantly conscious of and alert
to factors which may give rise to conflict of interest.
5.2 Objectivity and Impartiality
Objectivity and impartiality are vital to the effectiveness of the internal audit
function. Objectivity means an unbiased mental attitude and professionalism
that allows an Internal Auditor to perform engagements with no quality
compromises. The principle of objectivity imposes on all Internal Auditors the
obligation to be fair and intellectually honest. Objectivity requires the auditors
not to subordinate their judgment on audit matters to that of others. In the
23
execution of an audit, the Internal Auditor must base his/her findings on
relevant, reliable, sufficient and timely audit evidence and a set of criteria.
Such criteria include statutory policies, rules, regulations and procedures. 11
Impartiality, on the other hand, means that the Internal Auditor is free from
bias and conflict of interest. He/she does not use his/her position to acquire
benefits or advantage for his/herself or his/her related interests. In case of an
actual or potential conflict of interest, he/she practices full disclosure and
inhibits his/herself from participating in the decision making process.
To be objective and impartial, the Internal Auditor shall at all times uphold
public interest over and above personal interest. He/she should have no
direct authority or responsibility for the activities he/she reviews and no
responsibility for developing or implementing processes or systems. He/she
should not engage in regular functions or activities which are the primary
duties of the unit of the agency, except as noted in the NGICS. He/she
should not have a vested interest in the activity being audited. Internal
auditors are not allowed to make the rules – they shall audit against
performance standards that are already in place and accepted by the
agency. If they develop the rules, they cannot impartially evaluate the
effectiveness and application of these rules.
5.3 Professional Competence
The Internal Auditor must maintain high standards of competence and

professional integrity commensurate with his/her responsibilities and
mandated functions. He/she should commit to the highest degree of
professional competence, both in the technical and ethical sense, through
empowerment and continuing self-development. He/she must possess and
continually develop the knowledge, skills and other competencies needed to
perform their responsibilities in order to continually enhance the quality of
audit. Examples of skills, related knowledge, attributes and other
competencies that Internal Auditors should possess are provided in
Appendix B.
5.4 Authority and Confidentiality
Based on the audit objectives and subject to compliance with the internal
security policies of public service organizations,12 the head of agency should
authorize Internal Auditors to have full, free and unrestricted access to all
functions, premises, assets, personnel, records, and other documents and
information that the head of internal audit (HoIA) considers necessary in
undertaking internal audit activities.
All records, documentation and information accessed in the course of

undertaking internal audit activities are to be used solely for the conduct of
these activities. The Internal Auditor should respect the confidentiality of
information acquired in the course of performing the audit activities and
should not use or disclose any such information without proper and specific
authority, unless there is a legal or professional right or duty to disclose.
24
Confidentiality is not only a matter of disclosure of information. It also
requires that the Internal Auditor acquiring information in the course of the
audit neither uses nor appears to use that information for personal
advantage or for the advantage of a third party.
The HoIA and the individual internal audit staff are responsible and
accountable for maintaining the confidentiality of the information they receive
during the course of their work.
5.5 Code of Conduct and Ethics
As public servants, internal Box 2 – Rule X: Grounds for Administrative

auditors are bound by the Disciplinary Action
Code of Conduct and Ethical
Standards for Public Officials
Section 1. In addition to the grounds for
and Employees in the administrative disciplinary action prescribed
performance of their functions. under existing laws, the acts and omissions of
Rule X of the Rules any official or employee, whether or not he holds
Implementing said Code office or employment in a casual, temporary,
hold-over, permanent or regular capacity,
affirms as grounds for
declared unlawful or prohibited by the Code,
administrative disciplinary shall constitute grounds for administrative
action at least twenty-three disciplinary action, and without prejudice to
(23) acts or omissions criminal and civil liabilities provided herein, such
declared unlawful or prohibited as:
by the Code. (a) Directly or indirectly having financial and
material interest in any transaction
5.6 Hierarchy of Applicable requiring the approval of his office.
Financial and material interest is defined
Internal Auditing Standards as a pecuniary or proprietary interest by
and Practice which a person will gain or lose
something;
The hierarchy in determining (b) Owning, controlling, managing or
government internal auditing accepting employment as officer,
employee, consultant, counsel, broker,
standards in the Philippine agent, trustee, or nominee in any private
public sector, in the order of enterprise regulated, supervised or
authority, is as follows: licensed by his office, unless expressly
allowed by law;
a. Constitutional provisions; (c) Engaging in the private practice of his
profession unless authorized by the
b. Laws, rules, and Constitution, law or regulation, provided
that such practice will not conflict or tend
regulations on public to conflict with his official functions;
governance and
(d) Recommending any person to any
accountability, and position in a private enterprise which has
applicable jurisprudence; a regular or pending official transaction
with his office, unless such
c. Government policies, recommendation or referral is mandated
by (1) law, or (2) international
standards, guidelines, and
agreements, commitment and obligation,
regulatory issuances; or as part of the functions of his office;
25
d. Standards and other Continuation of Box 2
issuances of
These acts shall continue to be
intergovernmental prohibited for a period of one (1) year
organizations such as the after resignation, retirement, or
United Nations‟ specialized separation from public office, except in
committees and agencies; the case of paragraph (c) above, but the
and professional concerned cannot practice
his profession in connection with any
matter before the office he used to be
e. Relevant or applicable with, within one year after such
standards and best resignation, retirement, or separation
practices in governance, provided that any violation hereof shall
accountability, and be a ground for administrative
disciplinary action upon re-entry to the
operations, both local and government service.
international, such as the
(e) Disclosing or misusing confidential or
International Organization classified information officially known to
for Standardization (ISO) him by reason of his office and not made
and other officially available to the public, to further his
recognized organizations private interests or give undue
advantage to anyone, or to prejudice the
and associations.
public interest;
5.7 IAS Functions vis-à-vis (f) Soliciting or accepting, directly or
indirectly, any gift, gratuity, favor,
Activities and Operations of entertainment, loan or anything of
Other Units monetary value which in the course of
The IAS should not participate his official duties or in connection with
any operation being regulated by, or any
in the activities and operations
transaction which may be affected by the
of another unit. The IAS/IAU is functions of, his office. The propriety or
not responsible for or required impropriety of the foregoing shall be
to participate in procedures determined by its value, kinship or
which are essentially part of relationship between giver and receiver
and the motivation. A thing of monetary
regular operating activities or
value is one which is evidently or
the primary responsibility of manifestly excessive by its very nature.
another unit in the Gift refers to a thing or a right disposed
13
organization. These include of gratuitously, or any act of liberality, in
management and process favor of another who accepts it, and shall
improvement of operating and include a simulated sale or an ostensibly
support services systems such onerous disposition thereof.
as quality management, human Loan covers both simple loan and
resource management, and commodatum as well as guarantees,
financing arrangement or
financial management, which accommodations intended to ensure its
are the responsibilities of the approval. Commodatum refers to a
operating and support services contract whereby one of the parties
units concerned. Refer to Table deliver to another something not
2 for the functions related to consumable so that the latter may use
the same for a certain time and return it.
Internal Control among the
Operating Units, the Support
Services Units and the IAS.
26
In particular, the IAS/IAU
should not undertake agency Continuation of Box 2
and sectoral risk assessment. This prohibition shall not include:
This responsibility rests with top (1) Unsolicited gift of nominal or insignificant
management and the functional value not given in anticipation of, or in
exchange for, a favor from a public
and operating units concerned. official or employee or given after the
transaction is completed, or service is
Operational risk assessment is rendered. As to what is a gift of nominal
best undertaken by a person or value will depend on the circumstances
a unit responsible for managing of each case taking into account the
salary of the official or employee, the
those risks. frequency or infrequency of the giving,
the expectation of benefits, and other
Moreover, except for purposes similar factors.
of planning and prioritizing (2) A gift from a member of his family or
potential audit areas, the relative as defined in the Code on the
IAS/IAU should not conduct occasion of a family celebration, and
control risk assessment. without any expectation of pecuniary gain
or benefit.
Control risk assessment is
(3) Nominal donations from persons with no
primarily performed by top
regular, pending, or expected
management as part of its transactions with the department, office
regular functions. Heads of or agency with which the official or
organizations or units from the employee is connected, and without any
Department Secretary down to expectation of pecuniary gain or benefit.
the regional and local (4) Donations coming from private
government heads who organizations, whether local or foreign,
which are considered and accepted as
exercise supervision and humanitarian and altruistic in purpose
control or administrative and mission.
supervision at their levels, i.e., (5) Donations coming from government to
sector, organization/agency, government entities.
services, bureaus, regions, as As to gift or grants from foreign
well as local government units, governments, the Congress consents to:
must conduct an assessment of (i) The acceptance and retention by a
their own control risks. public official or employee of a gift of
nominal value tendered and received
Control risks include as a souvenir or mark of courtesy;
operational risks. In bureaus, (ii) The acceptance and retention by a
regional offices and local public official or employee of a gift in
the nature of a scholarship or
government units, the bureau fellowship grant or medical treatment;
director, regional director, or
governor and mayor performing (iii)The acceptance by a public official or
management control functions employee of travel grant or expenses
shall conduct both operations for travel taking place entirely outside
and control risk assessments. the Philippines (such as allowances,
transportation, food and lodging) of
more than nominal value, if such
acceptance is appropriate or
consistent with the interests of the
Philippines, and permitted by the head
of office, branch, or agency to which
he belongs.
27
5.8 Internal Audit Not an
Assurance and Consulting Continuation of Box 2
Activity Nothing in the Code shall be construed
to restrict or prohibit any educational,
Internal audit in government is scientific or cultural exchange programs
not an “assurance” and subject to national security
“consulting” activity. The IAS/IAU requirements.
is an office/unit within a (g) Obtaining or using any statement filed
government department or under the Code for any purpose
contrary to morals or public policy or
certain agencies as authorized by any commercial purpose other than by
law to have such. It assists the news and communications media for
Department Secretary or the dissemination to the general public;
Governing Body and performs (h) Unfair discrimination in rendering public
functions delegated by the head service due to party affiliation or
of agency. Its auditees are not its preference;
customers; neither is the (i) Disloyalty to the Republic of the
Department Secretary nor the Philippines and to the Filipino people;
Governing Body its client. The (j) Failure to act promptly on letters and
request within fifteen (15) days from
IAS/IAU is therefore subordinate
receipt, except as otherwise provided
to the head of the organization in these Rules;
within which it has been (k) Failure to process documents and
established. complete action on documents and
papers within a reasonable time from
5.8.1 Consulting Activity is preparation thereof, except as
otherwise provided in these Rules;
Non-government Service
(l) Failure to attend to anyone who wants
to avail himself of the services of the
Consultancy services are office, or to act promptly and
not considered expeditiously on public personal
government service since transactions;
no employer-employee (m) Failure to file sworn statements of
relationship exists assets, liabilities and net worth and
between the consultant disclosure of business interests and
financial connections; and
and the government.14
(n) Failure to resign from his position in the
They are not covered by private business enterprise within thirty
Civil Service Law, Rules (30) days from assumption of public
and Regulations. They office when conflict of interest arises,
however are covered by and/or failure to divest himself of his
shareholdings or interests in private
COA rules.15
business enterprise within sixty (60)
days from such assumption
5.8.2 Consulting Activity is of public office when conflict of interest
Non-audit Service arises,: Provided however, that for
those who are already in the service
and a conflict of interest arises, the
Non-audit services are
official or employee must either resign
those tasks like consulting or divest himself of said interests within
services which are the periods here-in above provided,
requested by management reckoned from the date when the
for the IAS/IAU to perform conflict of interest had arisen.
that directly support the
agency‟s operations.16
28
Section 5 (f), RA 9184, “Government Procurement Reform Act”
defines consulting services, to wit:
“(f) Consulting Services – refers to services for Infrastructure

Projects and other types of projects or activities of the
Government requiring adequate external technical and
professional expertise that are beyond the capability and/or
capacity of the government to undertake such as, but not
limited to: (i) advisory and review services; (ii) pre-investment
or feasibility studies; (iii) design; (iv) construction supervision;
(v) management and related services; and (vi) other technical
services or special studies.”
Engagement in non-audit services is therefore not encouraged as this

may put the IAS/IAU at risk of conflict of interest or result in prejudice
in the conduct of internal audit.17
5.8.3 Internal Audit in Government Not an Assurance Service
Under the Philippine setting, the IAS/IAU is not involved in assurance

activity. The internal audit function or appraisal activity as conducted
by the Internal Audit Office or Unit constitutes a separate component
of internal control, the objective of which is to determine whether other
internal controls are well designed and properly implemented.18 Said
appraisal by the IAS/IAU does not include an assurance that the
agency‟s internal controls and operations are effective, efficient,
ethical and economical.
Section 1, Chapter 1, Subtitle B, Book V of the Administrative Code of

1987 provides the policy on fiscal responsibility that “all resources of
the government shall be managed, expended or utilized in accordance
with law and regulations and safeguarded against loss or wastage
through illegal or improper disposition to ensure efficiency, economy
and effectiveness in the operations of the government.” Said law
further provides that “the responsibility to take care that such policy is
faithfully adhered rests directly with the chief or head of the
government agency concerned.”
Section 124 of the Government Auditing Code of the Philippines

categorically provides that “it shall be the direct responsibility of the
agency head to install, implement and monitor a sound system of
internal control.” It is, therefore, the responsibility of the agency head
to ensure, not only to assure, adequate internal control.
Corollary thereto, Section 74, Volume I of the Manual on the New

Government Accounting System (NGAS), requires the agency to
submit a Statement of Management‟s Responsibility for Financial
Statements which shall serve as a covering letter in transmitting the
agency‟s financial statements to COA, DBM, other oversight agencies
and other parties.19 The statement has to be signed by the Director of
29
Finance and Management Office or Comptrollership Office, or the
Chief of Office who has direct supervision and control over the
agency‟s accounting and financial transactions, and the Head of
Agency or his/her authorized representative. In said statement, those
signatories have to certify that “management maintains a system of
accounting and reporting which provides for the necessary internal
controls to ensure that transactions are properly authorized and
recorded, assets are safeguarded against unauthorized use or
disposition and liabilities are recognized.”
The IAS/IAU does not exercise direct supervision and control and is
not responsible for procedures which are essentially a part of regular
operating activities or in operations which are the primary
responsibility of another unit in the agency/organization. 20 Thus, it is
not the function of the IAS/IAU to ensure and even assure that the
agency‟s internal controls and operations are effective, efficient,
ethical and economical.
5.8.4 IAS/IAU Does Not Undertake Process or Systems

Improvement
In essence, the IAS/IAU does not engage itself in undertaking process

or systems improvement for, or providing assistance to, operating and
support service units in departments and agencies. Instead, it
conducts root cause analysis in cases where the controls are weak,
and recommends courses of action (corrective or preventive
measures) for top management to take.
a. Corrective measures refer to an organization‟s actions to eliminate

the causes of noncompliance to policies, rules and regulations in
order to prevent recurrence. These actions shall be appropriate to
the effects of the nonconformities encountered.
b. Preventive measures refer to determined actions of the

organization to eliminate the causes of potential noncompliance in
order to prevent their occurrence. These actions shall be
appropriate to the effects of the potential problems.
c. Top management refers to the DS/HoA and GB/Audit Committee.
30
Table 2 - Functions Related to Internal Control Among the Operating Units,
the Support Services Units, and the Internal Audit Service
Support Services Units
Operating Units,
such as Planning, Internal Audit
Bureaus, Regional and
Administrative, Financial Service/Unit
Field Offices
and Management Services
Nature and Purpose of Review
1) Performance review of 1) Review whether 1) Appraise whether

operations, processes monitoring is applied at internal control
and activities; and all levels within and components are well-
across the agency and designed and properly
2) Compliance review of sector. implemented; and
operations, processes
and activities. 2) Evaluate whether
internal control
objectives are achieved.
Scope, Coverage and Frequency
1) Performance is 1) Planning, administrative, 1) Compliance,

reviewed on a regular financial, management, management and
basis. If actual and other support operations audits;
accomplishments do not systems and processes;
meet established 2) Evaluate the control
objectives or standards, 2) Existing methods, effectiveness of
the processes and measures, and other operating systems and
activities established to support systems and support systems for a
achieve the objectives processes; specific period or date;
should be reviewed to
determine if 3) On-going monitoring and 3) Evaluate whether
improvements are on a real-time basis; and operations are
needed; and conducted effectively,
4) Ingrained in the efficiently, ethically, and
2) Operations, processes operations. economically; and
and activities are
periodically reviewed to 4) Takes place “after the
ensure that they are in fact” and covers a
compliance with current complete cycle of
regulations, policies and operations.
other requirements.
Actions To Be Taken
1) Institute process 1) Develop new or improved 1) Advise/report to the

improvements to meet methods, measures and Department Secretary or
objectives or standards other support systems the Audit Committee of
and achieve efficiency and processes; and the Governing Board on
and effectiveness in all matters relating to
operations; and 2) Conduct trainings and management control and
provide staff supervision operations audit; and
2) Institute process on the application of new 2) Recommend realistic
improvements to or improved methods, courses of action.
achieve compliance measures and other
with regulations, support systems and
policies and other processes.
requirements in
operations.
31
5.9 Internal Audit Studies, Services and Other Seminars by Private Persons
or Firms
The Administrative Code of 1987 specifies that no government agency shall

enter into any contract with any private person or firm for services to
undertake studies and services related to government auditing, including
services to conduct, for a fee, seminars or workshops for government
personnel on these topics, unless:
a. The proposed contract is first submitted to the Commission on Audit to

enable it to determine if it has the resources to undertake such studies or
services; and
b. The Commission shall have certified in writing its prior decision not to
undertake such contract.
The Commission may, however, engage the services of experts from the
public or private sectors in the conduct of these studies subject to the
following provision:
“It is hereby reiterated that no government agency shall enter into a

contract with any private person or firm to undertake studies and/or
render services pertaining to government auditing, including the
internal audit services, much less disburse public funds pertaining
thereto, unless the Commission on Audit shall have certified in writing
its prior decision not to undertake such contract. Payment for
contracts entered into without the required certification shall be
disallowed in audit.”21 [underscoring supplied]
COA Memorandum No. 2009-011 dated 26 March 2009 requires Supervising

Auditors and Audit Team Leaders of Departments/Agencies/GOCCs/GFIs,
who have entered into consultancy contracts with private contractors under a
grant or loan agreement with foreign funding institutions, for the
establishment/strengthening of their IAS/IAU pursuant to DBM Circular
Letters No. 2008-5 and 2008-8, to submit to their respective Cluster Directors
or Regional Directors said consultancy contracts. This is for purposes of
evaluating their appropriateness and monitoring the extent of the
implementation of said DBM Circular Letters.
Aside from the certification requirements from COA, contracts with private
institutions for consulting services must comply with the governing principles,
rules and regulations for government procurement.22 With reference to RA
9184 or the Government Procurement Reform Act, consulting services
include, among others, advisory and review services, management and
related services, and other technical services or special studies.
32
CHAPTER II
INTERNAL CONTROL SYSTEM

AND
INSTITUTIONAL ARRANGEMENTS
33
1. Internal Control Framework
The most basic competence that an Internal Auditor must possess is the
knowledge of internal controls. Pursuant to DBM CL 2008-5, one of the functions
of the IAS/IAU in relation to internal control is to conduct an appraisal of the
organization‟s internal control system to determine whether internal controls are
well designed and properly operated.
It is reiterated here that the Internal Auditor is not responsible for establishing
internal controls. As mentioned earlier, it is the direct responsibility of the agency
head to install, implement and monitor a sound system of internal control. 23
Figure 5 shows the Internal Control Framework consisting of the internal control
objectives and the internal control components in the context of the public service
sector.
Internal Control Objectives
Reliability of Accounting and Ethical Operations
Safeguarding Assets Ensure Economical,
Check Accuracy and Managerial Policies
Comply Efficient , Effective
with Laws
and Regulations
Adherence to
Data
Public Service
Organizations
Internal Control Cont rol Environ ment

Components 1) Public Entity
Risk Assessme nt 2) Private Entity

Providing Public
Cont rol Activiti es Services
Informati on and Com municati on
Mo nitoring
Figure 5 - Internal Control Framework
1.1 Objectives of Internal Control
In fulfilling its mission and mandates, an agency must achieve as well the
separate but interrelated general objectives of internal control, namely to:
a. Safeguard assets;
b. Check the accuracy and reliability of accounting data;
c. Adhere to managerial policies;
d. Comply with laws and regulations; and
e. Ensure effective, efficient, ethical, and economical operations.24
34
1.2 Components of Internal Control
The internal control system consists of control features built into and made
an integral part of an organization‟s processes to regulate and guide its
operations to ensure that the abovementioned objectives are attained.
Internal control has five interrelated components:
a. Control environment;
b. Risk assessment;
c. Control activities;
d. Information and communication; and
e. Monitoring.25
1.3 Control Environment
Control environment is the general framework serving as basis for the other
four components of internal control. It is the scope and coverage of an
organization‟s internal control system which impacts on its structural and
operational framework.26
This component integrates all the other four internal control components that
influence the direction and quality of an agency‟s strategies and outcomes. It
also includes the concept of “Tone from the Top”, emphasizing the important
role that top management plays in instilling control consciousness.
The control features are built into, not on, and made as integral part of the
plan of organization and all the coordinated methods and measures
implemented by top management and personnel to achieve the control
objectives.
1.3.1. Plan of Organization
The plan of organization comprises the organizational structure, as

well as the management and the personnel set-up which enable the
organization to carry out its functions. This plan defines and
distributes powers, functions and responsibilities to various units and
personnel in the organization to enable the various parts to contribute
to the attainment of the overall objectives. The details of the roles and
the distribution of functions to the different units are drawn into an
organizational chart. The distribution of functions may be revised from
time to time to reflect management decisions resulting in structural
changes.
The typical set-up of an agency, both in the operating and support

services units, allows specialization of functions for them to operate
efficiently. Operating units are structured to perform the main tasks or
mandates of the agency. Support services units provide planning,
financial and management, administrative and other support services
35
to operating units to ensure the efficient functioning of the entire
organization.
1.3.2. Coordinated Methods and Measures
Coordinated methods and measures pertain to managerial policies,

rules, regulations, and processes which underlie the proper
functioning of the operating and support services units to enable the
various units to accomplish their functional objectives.
1.3.3. Integral Process
Integral process means that internal controls are integrated in the

organizational and decision-making processes to guide and regulate
its operations to achieve expected results and contribute to sectoral
goals and objectives.
The control environment includes the informal, and often intangible, soft
controls, such as ethics, integrity, management practices, discipline and
commitment to competence. It also includes laws, rules, regulations and
managerial policies currently in place to support good governance and
accountability.
The control environment in the public service sector context is also sectoral
and is not restricted by organizational boundaries. Thus, it includes the
following:
a. Public service sector organizations providing public services which refer

to public entities which generally pertain to agencies of the government
and public offices and private entities providing public services, e.g., utility
and service providers and withholding tax agents;
b. Constituents or the publics to serve; and
c. Stakeholders.
For example, the public service sector organization of the education sector
consists of the following: (a) schools - public and private educational
institutions; (b) learning centers - non-formal and informal sources of
knowledge and skills; and (c) the Department of Education (DepEd).
As to constituency, the publics to serve of the DepEd in the education sector

are classified into:
a. Internal public - such as teaching and non-teaching personnel; and
b. External public – students as the object and subject of instructions.
36
To illustrate, the internal stakeholders of the DepEd in the education sector
include, among others, the local school boards, Parents Teachers and
Community Associations (PTCAs), the Congressional and local Sanggunian
committees on education. Its external stakeholders include other public
service sectors such as the public works sector (i.e., DPWH and its internal
stakeholders) – for roads going to the school, the health sector (i.e., DOH
and its internal stakeholders) for the health and nutrition of the students.
Control environment operates in a cross-functional network of organizations

and sectors that can assist the agency or which may have an influence in the
achievement of its mandate. It includes not only the public agency
concerned, but also other public service sector organizations, the public they
serve and other stakeholders. In effect, it coordinates or converges
government and private entities. Thus, the governance and accountability of
the Head of Agency is on the specific sector and transcends or goes beyond
his/her agency.
Administrative governance refers to institutions, policies, mechanisms and

processes that ensure the effective, efficient, accountable and transparent
implementation of political and economic governance. It involves the system
of networking within and outside government to attain better coordination or
convergence of the execution of responsibilities.27
In order to attain better coordination or convergence of efforts in the

execution of their responsibilities, all agencies must develop a
comprehensive approach in fulfilling their mandates and missions, including
the necessary networking within and outside the government.
1.4 Risk Assessment
Risk assessment is the overall process of identifying, analyzing and

evaluating relevant risks to the achievement of the control objectives and
determining the appropriate response. In other words, it is the identification,
analysis and evaluation of what could go wrong and how to address it.
1.4.1. Risk Identification
Risk identification refers to the identification of opportunities and

threats to the achievement of the control objectives. Risk identification
involves pinpointing the most important areas where resources in risk
assessment should be channeled or directed. It also determines who
is best responsible for the management of the risk.
As specified in ISO 31010, “The risk identification process includes

identifying the causes and sources of the risk (hazard in the context of
physical harm), events, situations or circumstances which could have
a material impact upon objectives and the nature of that impact.”28
37
1.4.2. Risk Analysis
Risk analysis is the systematic use of information to identify the

sources and to estimate the extent of the risk. This is about developing
an understanding of the risk and providing an input to risk evaluation
and to decisions on whether or not risks need to be responded to, as
well as on what the most appropriate response strategies and
methods are. This involves consideration of the causes and sources of
risks.
As stated in ISO 31010, “Risk analysis consists of determining the

consequences and their probabilities for identified risk events, taking
into account the presence (or not) and the effectiveness of any
existing controls. The consequences and their probabilities are then
combined to determine a level of risk.”29
1.4.3. Risk Evaluation
Risk evaluation is the process of evaluating the significance of the risk

and assessing the likelihood of its occurrence. With risk evaluation,
management becomes aware of the actions which need to be
undertaken and their relative priority or urgency.
As defined in ISO 31010, “Risk evaluation involves comparing

estimated levels of risk with risk criteria defined when the context was
established, in order to determine the significance of the level and type
of risk.”30
Aside from risk assessment, the other core elements of the risk
management process are:
a. Communication and consultation;

b. Establishing the context;
c. Risk assessment (comprising risk identification, risk analysis and
risk evaluation);
d. Risk treatment; and
e. Monitoring and review.
It should be noted that, “Risk assessment is not a stand-alone activity

and should be fully integrated into the other components in the risk
management process.”31 As with all the other elements in the risk
management process, risk assessment should not be taken in
isolation. Indeed, it should be seen as an integral part of
organizational processes and decision-making.
Risk assessment, along with the other foregoing elements of the risk
management process, is the basis for determining how those risks
should be managed, to assess the relative susceptibility of agencies
to uncertainties due to internal and external opportunities and threats.
38
As a component of internal control, risk assessment plays a key role
in the selection of the appropriate control activities to undertake.32
As global, national and operating conditions are in constant change,

risk assessment should be an ongoing iterative process.
Generally, the purpose of risk assessment is to provide evidence-

based information and analysis to make informed decisions on how to
treat particular risks and how to select between options.33
“Risk assessment provides decision-makers and responsible parties

with an improved understanding of risks that could affect achievement
of objectives, and the adequacy and effectiveness of controls already
in place. This provides a basis for decisions about the most
appropriate approach to be used to treat the risks. The output of risk
assessment is an input to the decision-making processes of the
organization.”34
Risk assessment provides an understanding of risks, their causes,

consequences and their probabilities.
Risks can be assessed at the organizational and sectoral levels. Risk

assessment must cover not only the risk of public
agencies/organizations, but also the risk to the network of public
service sector organizations, the public to serve and stakeholders that
are involved in the achievement of their sectoral goals and objectives.
a. Assessment of Operations Risk
Everyone in the agency plays a role in ensuring successful

operations risk assessment. The units responsible for addressing
risks must make the assessment of their own risks. Operations
risks are the responsibility of the operating units, thus, assessment
of risks at the operational level must be done by the operating
units themselves. In like manner, planning, administrative, and
financial risks are the responsibility of the functional units
concerned.
Neither the Internal Auditors nor anyone else not involved in a

particular operation can perform operational risk assessment. Only
the officers and employees responsible for achieving the agency‟s
functional objectives can do so. Operational risk assessment is a
responsibility of the functional and operating units of an agency.
The risk assessment process is an opportunity for said units to
look at their operations, determine the areas of significant risk, and
evaluate what actions can be taken to address the risk and
enhance the effectiveness and efficiency of operations.
39
The IAS/IAU should not undertake agency and sectoral operational
risk assessment. The determination on whether or not the risk
management system would address the risk in operations is the
responsibility of the operating and functional units concerned, i.e.,
the bureaus and offices, including the regional and field units and
the planning, administrative, financial and management services
concerned.
b. Assessment of Control Risk
Top management primarily performs control risk assessment as

part of its regular functions. In the course of control risk
assessment, top management identifies, analyzes and evaluates
control risks which could have an impact on its control objectives
and forms a basis for determining how the risks should be
managed. Top management should have identified and initiated
measures to modify the significant control risks, based on
probability and impact, before the Internal Auditors begin an audit.
Top management, as mentioned, refers to the Department

Secretary/Head of Agency and the Governing Board/Audit
Committee. In the bureaus, regional offices and local government
units, the bureau director, regional director, governor and mayor
performing management control functions shall conduct both
operations and control risk assessments.
Except for planning and prioritizing audit areas, the Internal Auditor
should not conduct control risk assessment. Heads of agencies or
units from the Department Secretary down to the regional and
local government heads who exercise supervision and control over
the sector, organization/ agency, service, bureau, region, as well
as the local government units, must make an assessment of their
own control risks. They must conduct identification, analysis, and
evaluation of those risks which may undermine the achievement of
the control objectives, e.g., risks that their policies and guidelines
may not be achieved.
c. Assessment of Internal Audit Risk
In line with the auditorial functions of the IAS/IAU, Internal Auditors

shall conduct an assessment of their audit risk (not risk on
management) vis-à-vis their functional objectives. A more detailed
discussion on the assessment of internal audit risk is found in a
separate section of this manual.
40
1.5 Control Activities
Control activities are the policies and procedures established to address

risks and achieve the agency‟s mandate and objectives. Control is a
measure that is modifying a risk. Control includes any process, policy,
device, practice, or any other action which is intended to modify risk.35
These are the mechanisms that management establishes to ensure that their
policies and guidelines are carried out, including the processes identified to
address the risks. They occur at all levels and in all functions throughout and
across the agency. They are the response to a risk designed to contain the
uncertainty of an outcome that has been identified.
Control activities must be appropriate, cost effective, comprehensive,

reasonable and must directly relate to the control objectives and mandate of
the agency. Appropriate means that the control activity is in the right place
and is commensurate to the risk response, operating performance and
compliance improvements. Cost effective means that the cost of
implementing the control activity should not outweigh its benefits.
Comprehensive and reasonable mean that the control activity directly relates
to the control objectives. The control activities should also be doable and
should function consistently with the design or plan.
1.5.1 Risk Response
Determining a risk and the response to it is an important part of

decision-making. Because risks are uncertain, deciding whether to
accept or avoid a risk-related activity can have significant
consequences for an organization.
In general, there are four ways to effectively respond to a risk. In

some instances, risks can be transferred, tolerated or terminated. In
most instances, however, the risk will have to be treated with a
combination of several options at various levels and stages.
a. For some risks, the best response is to transfer them. This is done
by removing the impact or the consequences of the risk event. An
example of a risk transfer is through insurance coverage, that is,
by paying a third party to take the risk in another way.
b. Tolerating a risk is done when the ability to do something about it

may be limited, or the cost of taking an action is disproportionate to
the potential benefits that could be derived.
c. Terminating the risk is usually done by eliminating the cause since

some risks could only be addressed or contained to acceptable
levels by terminating the activity.
41
d. Risk treatment involves one or more options for modifying risks
and implementing those options. Once implemented, treatments
provide or modify the risks.
Under ISO 31000 and ISO 31010, risk treatment options are not
necessarily mutually exclusive or appropriate in all circumstances.
The options can include the following:
a. Avoiding the risk by deciding not to start or continue with the

activity that gives rise to the risk;
b. Taking or increasing the risk in order to pursue an opportunity;
c. Removing the risk source;
d. Changing the likelihood;
e. Changing the consequences;
f. Sharing the risk with another party or parties (including contracts

and risk financing); and
g. Retaining the risk by informed decision.36
1.5.2 Performance Review and Improvement of Operations, Processes

and Activities
All units of the agency have to conduct performance reviews of their

operations. If performance reviews determine that actual
accomplishments do not meet established objectives or standards, the
processes and activities established to achieve the objectives should
be assured to determine if improvements are needed.
1.5.3 Compliance Review and Improvement of Operations, Processes

and Activities
Operations, processes and activities should be periodically reviewed

to ensure that they are in compliance with current regulations,
policies, procedures, and other requirements. It is not enough that a
unit regularly evaluates the level of its performance. It must at the
same time conduct compliance review.
1.6 Information and Communication
Information and communication are vital in attaining the five control

objectives. They go hand in hand and cut across all other internal control
components. Information and communication include the records system
which will ensure the transfer of required information to employees and top
management, to the public it serves, to other public service organizations,
and to its network of organizations and sectors that need the information.
42
Information must be shared in a determined format and communicated in a
given time period which enables the parties concerned to fulfill internal
control objectives and other responsibilities.
1.6.1 Information
Information, in the context of internal control, refers to the act of

receiving or giving data and information needed by public officials and
employees to do their jobs and understanding their roles and
responsibilities. Information includes both internally generated data
(operational, management and compliance-related information) and
information about external events, activities and conditions necessary
for informed decision-making.
Management requires information to make effective decisions.

However, information alone is not enough; it must be the right
information, in an understandable format, which is timely enough to be
useful. Information systems produce reports containing operational,
management, and compliance-related information to operate and
control an organization. This information should reveal the
organization‟s progress towards meeting goals and objectives.
Management also needs information that allows it to evaluate the
efficiency of operations and to ensure that the organization follows
applicable laws and regulations.
The prompt recording and proper classification of transactions and

events are preconditions for reliable and relevant information.
Relevant information should be identified, captured and
communicated in a form and timeframe that enables personnel to
carry out internal controls and other responsibilities. As such, the
internal control systems and all transactions and significant events
should be fully documented.
Relevant information must be communicated throughout the agency,

to the public it serves, to other public service sector organizations, as
well as to its network of organizations and sectors. Organizations
within the sector must clearly understand the standards set by
management, including any reportorial obligation to the agency
concerned.
“Section 2. x x x. They shall establish information systems

that will inform the public of the following: (a) policies, rules, and
procedures; (b) work programs, projects, and performance
targets; (c) performance reports; and (d) all other documents as
may hereafter be classified as public information.
x x x.”37
43
1.6.2 Communication
Communication is the exchange of useful information between and

among people and organizations to support decisions and coordinate
activities. It relates to the free flow of relevant, complete, reliable,
correct and timely information up, down, across, inside and outside
the organization, including the public they serve, other public service
sector organizations and sectors concerned.
Communication is multi-faceted – verbal, non-verbal and written.

Effective verbal communication is two-way, requiring that
management welcomes, and listens to, suggestions and feedback.
Employees must be comfortable enough to share their awareness of
problems with top management who can act on this information.
Verbal communication should be in support of, not in place of, written
documentation of policies and procedures. All written documentations,
whether they are an official policy/procedure, memorandum, or e-mail,
must be distributed to everyone who require the information in order to
perform their responsibilities.
Communication is also multi-level – from the top down, bottom up,

and across the organization. Effective communication informs all
levels of the organization and must be ongoing.
Top management is responsible for facilitating communications and

information flow within the agency, with the public it serves, other
public service sector organizations, including its network of
organizations and sectors. The Department Secretary/Governing
Board must establish a feed forward and feedback mechanism to
ensure that relevant information coming from the top management is
communicated and clearly understood throughout the agency and to
all persons concerned and vice versa.
“Section 5. Every department, office and agency shall consult

the public they serve for the purpose of gathering feedback and
suggestions on the efficiency, effectiveness and economy of
services. They shall establish mechanisms to ensure the
conduct of public consultations and hearings.”38
The agency and its management must be kept up-to-date on the

performance, developments, risks and the functioning of internal
controls, as well as other relevant events and issues.
External parties can provide inputs that may have highly significant
impact on the extent to which an agency achieves its goals, thus, the
agency should also ensure adequate means of communicating with,
and obtaining information from them.
44
1.6.3 Accountability for Transparency
Public service sector organizations are accountable for transparency.
Accountability for transparency requires that heads of agencies must

establish mechanisms to inform their constituents about their policies,
rules and procedures; plans, work programs, projects, services and
performance targets/expected results; and all other documents which
may be classified as public information. These may include the
following:
a. RA No. 9485 (Anti-Red Tape Act of 2007) involving the

implementation of the:
i. Citizen‟s Charter;
ii. Public assistance desk; and
iii. Report card survey.
b. RA No. 6713 (Code of Conduct and Ethical Standards for Public

Officials and Employees) and RA No. 3109 (Anti-Graft and Corrupt
Practices Act) requiring the:
i. Submission of Statements of Assets, Liabilities and Net Worth,

Disclosure of Business Interests and Financial Connections,
and Disclosure of Relation in Government Service of all public
officials and employees;
ii. Establishment of Review and Compliance procedures for the

review of statements to determine whether said statements
have been properly accomplished; and
iii. Establishment of a mechanism to make documents available to

the public for inspection within reasonable working hours.
c. The Administrative Code of 1987 and RA 6713 require the heads

of departments, bureaus, offices and agencies of government to
submit performance reports to document accomplishments for a
particular period.
The concept of accountability is intrinsic to the governing process.

Accountability for transparency is not achieved by providing relevant
information alone. The public is entitled to know whether or not
government agencies are properly handling funds and complying with
laws and regulations. It needs to know whether or not government
organizations, programs, and services are achieving the purposes for
which they were authorized and funded.
45
Thus, in addition to providing information, the heads of agencies must
also report to their constituents on the results of those plans and
programs implemented and services delivered and must ensure
access to said reports and supporting documents.
1.7 Monitoring
Monitoring as a component of internal control is aimed at assessing the

quality of the internal control systems‟ performance over time.
Monitoring considers the collective effectiveness of the five components of

internal control. It is aimed at ensuring that the other components of internal
control continue to function over time in relation to the achievement of the
control objectives and are modified appropriately to remain attuned to
changes in objectives, environment, resources and risks.
Monitoring is done in various degrees and circumstances to ensure that

internal controls continue to be applied at all levels and across the agency
and sector, and are able to achieve the control objectives. There are three
(3) ways through which monitoring is accomplished:
a. Ongoing monitoring which is ingrained in the daily operations and

management of the organization;
b. Periodic separate evaluation of the controls‟ effectiveness; and
c. Combination of ongoing monitoring and separate evaluation.
1.7.1 Ongoing Monitoring
Ongoing monitoring occurs when the normal operations and

management of an organization provide feedback about the
effectiveness of the internal control system. It includes regular
submission of reports, performance measurement and other
management and supervisory activities. It is built into the normal,
recurring activities of an agency and in all its operating and support
services units. It is performed regularly and on a real-time basis,
responds dynamically to changing conditions and is embedded in the
agency‟s operations.
Ongoing monitoring of internal controls is both a function of all units

and of the top management of an agency. The bureaus and offices
and the support services (i.e., planning, financial and administrative
units) monitor the performance of regional and field units within their
functional concerns. Top management shall ensure proper check and
balance in the monitoring by operating units and support services.
Monitoring the internal control activities should be clearly

distinguished from reviewing the operations of a unit which is an
internal control activity performed by the operating unit.
46
1.7.2 Separate Evaluation
Specific separate evaluations cover the periodic evaluation of the

effectiveness of the internal control system to ensure that internal
controls achieve the desired results through predefined methods and
procedures. Separate evaluations are a way to take a fresh look at the
internal controls by focusing directly on the controls‟ effectiveness at a
specific time or date.
In the agency structure, the IAS/IAU is mandated to conduct a

separate evaluation or appraisal of the internal control system to
determine whether controls are well designed and properly
implemented. In the conduct of separate evaluation, the IAS/IAU shall
determine the extent of compliance and assess the adequacy of
controls embedded in operating and support systems/units, as well as
evaluate the performance of programs, projects and activities of the
agency.
Internal audit is a separate evaluation and review function or activity

within the overall internal control framework of each public service
sector organization. To distinguish, operational and management
monitoring and review include management review, monitoring and
evaluation, operating performance and compliance reviews which are
part of the control activities. These are day-to-day responsibilities of
operating and support units, distinct from the internal audit function.
The scope and frequency of separate evaluation by the internal audit

unit should depend primarily on the results of the baseline
assessment of the internal control system. The baseline assessment
should focus on the five components of internal control, the
significance and materiality and control risk of key processes and
systems to achieve the five control objectives, and the assessment of
the internal audit risks.
1.7.3 Combination of Ongoing Monitoring and Separate Evaluation
In the assessment of the quality of the internal control systems‟

performance, a combination of ongoing monitoring and separate
evaluation will help ensure that internal control maintains its
effectiveness overtime.39
a. Conduct of Baseline Assessment of ICS
Separate evaluation starts with an understanding of the internal

control system and whether or not controls have been
implemented to accomplish the control objectives, and continue to
be relevant.
47
Baseline assessment is primarily done by the heads of
organizations or units from the Department Secretary down to the
regional and local government heads who exercise supervision
and control at their levels, i.e., sector, agency, service, bureau and
region, as well as local government units.
A baseline assessment of the internal controls provides a starting

point for more effective and more efficient conduct of internal audit.
The assessment also provides a reference point against which
future evaluation or improvement can be benchmarked.
Thus, for purposes of preparing the audit plan and planning

decisions which include the nature, extent and timing of the audit
process, areas or functions to be audited and amount of time and
resources to be used, the internal auditors may utilize the baseline
assessment of the internal control system in combination with
other audit techniques.
The baseline assessment should cover the five components of the

internal control system which include the assessment of the control
environment, the adequacy of risk assessment, control activities,
information and communication, and monitoring. All five
components must be present and functioning to conclude that
internal control over operations is initially adequate. (Refer to
PGIAM Part II – Practices on the tools, techniques and
approaches that will facilitate the conduct of the baseline
assessment of ICS.)
b. Control Significance and Materiality and Control Risk of

Key Processes
After conducting a baseline assessment of the internal control

system in accordance with the standards, the IAS/IAU should also
consider the control materiality and significance and control risk of
the key processes of the operating and support systems to achieve
the control objectives.
Significance is considered in terms of quality. A process is

significant if it has an impact on the control objectives.
Materiality is quantitative and is often considered in terms of value

or amount.
For purposes of planning and prioritizing potential audit areas, the

IAS/IAU will conduct risk assessment on the identified material
and significant controls where there may be high risk of impact on
key processes of operating and support systems.
48
c. Assessment of Internal Audit Risk
After the baseline assessment of the internal control system and

determination of the control significance and materiality and control
risk of the key processes, the Internal Auditor should also assess
those risks or factors which may affect the conduct of the audit and
may have an impact on the planned results without neglect or
failure and in spite of the exercise of due diligence, such as
sudden change in political leadership/administration, replacement
of principal, natural calamities, judicial findings and decisions
which may affect audit objectives.
Internal audit risk is assessed during the planning phase of the

audit. Internal Auditors assess risks for purposes of addressing
those with high significance and high likelihood of occurrence and
which will impact on the attainment of the audit objectives. Based
on said assessment, Internal Auditors will be able to determine
where to focus their internal auditing efforts.
1.7.4 Distinction Between Monitoring, Performance Review and

Compliance Review
Monitoring, as the fifth component of the internal control system,

should not be confused with performance and compliance review of
operations performed by all units of the agency.
a. Performance review of the operations is done by all organizational

units as part of the internal control activity to determine whether or
not their accomplishments meet the established objectives and
standards and to implement improvements, when necessary.
b. To ensure that the operations are conducted in compliance with

ethical and quality procedures, applicable laws, regulations and
managerial policies, all units also perform compliance review.
c. The IA does not conduct performance and compliance review. The

operating and support units do. The IAS/IAU conducts
management and compliance audits.
2. Administrative Relationships
The agency head or executive/management committee disseminates managerial

policies through the issuance of guidelines and standards. They are given to
provide guidance to personnel in the proper execution of their individual and unit
tasks that collectively contribute to the attainment of the agency goals.
49
To operationalize this particular objective, the Administrative Code of 1987
distinguishes the following administrative relationships pertaining to the manner
by which agency activities may be controlled, supervised and coordinated.40
2.1 Supervision and Control
This is usually the relationship between a department and the bureaus under
it. This includes the authority to act directly whenever a specific function is
entrusted by law or regulation to a subordinate; direct the performance of
duty; restrain the commission of acts; review, approve, reverse or modify
acts and decisions of subordinate officials or units; determine priorities in the
execution of plans and programs; and prescribe standards, guidelines, plans
and programs.
2.2 Administrative Supervision
This is the relationship of a department with regulatory agencies under it.

This is limited to the authority of a department or its equivalent to generally
oversee the operations of such agencies and ensure that they are managed
effectively, efficiently, ethically, and economically without interference in day-
to-day activities.
The department can require the submission of reports and initiate the
conduct of management audit, performance evaluation and inspection to
determine compliance with policies, standards and guidelines; and take
action as may be necessary for the proper performance of official functions,
including rectification of violations, abuses and other forms of
maladministration. Further, the department has the authority to review and
pass upon the budget of such agencies under its administrative supervision
but it may not increase or add to it.
2.3 Attachment
This is the relationship of a department with a corporation and other

agencies as may be provided by law. This refers to the lateral relationship
between a department or its equivalent and the attached agency for
purposes of policy and program coordination.
“(3) Attachment. – (a) x x x. The coordination may be accomplished by

having the department represented in the governing board of the
attached agency or corporation, either as chairman or as a member, with
or without voting rights, if this is permitted by the charter; having the
attached corporation or agency comply with a system of periodic
reporting which shall reflect the progress of programs and projects and
having the department or its equivalent provide general policies through
its representative in the board, which shall serve as the framework for the
internal policies of the attached corporation or agency; x x x.” 41
50
CHAPTER III
ORGANIZING THE INTERNAL AUDIT
51
1. Establishment of Internal Audit Service/Unit
Each Department, Governing Body, Commission or Council of the Executive

Branch is authorized to establish its own IAS/IAU to cover audit areas in the Office
of the Department Secretary, bureaus, offices, agencies, including regional/field
offices, regulatory agencies and other agencies either under the supervision and
control or under the administrative supervision of a department, consistent with
the foregoing provisions of the Administrative Code of 1987 on administrative
relationships.42
2. Reporting Lines
The IAS/IAU is an integral part of the agency which provides assistance to the
DS/HoA or GB/AuditCom and performs functions delegated by the DS/HoA or
GB/AuditCom.43 As such, the IAS/IAU shall report to the following:
a. In departments, the IAS/IAU shall report directly to the Department Secretary.
b. In the case of regular attached agencies, the IAS/IAU shall report to the HoA.44
c. For multi-headed agencies, the IAS/IAU may report directly to the Governing
Body. The GB may opt to organize an Audit Committee from among its
members to which the IAS/IAU shall report directly.45
d. In the case of GOCCs/GFIs, the IAS/IAU shall report to the Audit Committee of
the Governing Board of the corporation.
3. Roles and Responsibilities
Pursuant to Section 124 of the Government Auditing Code of the Philippines and
the Administrative Code of 1987, the DS/HoA or the GB/AuditCom has the direct
responsibility to install, implement and monitor a sound system of internal control.
However, the DS/HoA/GB/AuditCom may task the IAS/IAU to undertake the
appraisal of the internal control within the department, agency, GOCC/GFI or
SUC.
The Head of Internal Audit (HoIA) is accountable to the DS/HoA or the

GB/AuditCom, as the case may be, for the efficient and effective operation of the
internal audit function. The HoIA has direct access to the DS/HoA/Chair and other
members of the Board, and the Chair and other members of the Audit Committee.
This means that the IAS/IAU functionally/operationally reports to the DS/HoA or
GB/AuditCom, as often as necessary. They meet regularly to provide the DS/HoA
or the Chair/members of the GB/AuditCom the opportunity to seek the comments
of the HoIA on management control and audit function, quality of the audit effort
and internal controls, and other areas of concern, as deemed appropriate.
52
As an output of its internal audit functions, the IAS/IAU may provide inputs to the
DS/HoA or GB/AuditCom in:
a. Maintaining accountability for results, norms of conduct and transparency;
b. Promoting self-assessment and adherence to professional and ethical

standards;
c. Ensuring that funds are utilized in order to attain objectives;
d. Enhancing management controls to ensure that control objectives are

achieved; and
e. Ensuring that the 4Es of operations are achieved.
In the conduct of internal audit work, the internal audit staff must:
a. Comply with the government‟s Code of Conduct and Ethical Standards for
Public Officials and Employees;
b. Possess the knowledge, skills, technical and functional expertise;
c. Acquire the skills in dealing with people and communicating audit findings and
recommendations and related issues effectively;
d. Regularly improve their technical competence through a program of

professional development;
e. Exercise due professional diligence in performing their duties;
f. Keep the confidentiality of information;
g. Maintain internal audit records; and
h. Foster teamwork in performing the internal audit function.
4. Relationships with Principals and Key Stakeholders
To be effective, the IAS/IAU must have the trust and confidence of the principals
and key stakeholders it works with. This can only be established and maintained
by fostering effective working relationships and delivering high quality and timely
internal audit services.
The principals of the IAS/IAU are the DS/HoA/GB/AuditCom.
Stakeholder refers to a person or organization that can affect, be affected by, or

perceive themselves to be affected by a decision or activity.
53
Key stakeholders may either be internal or external.
a. Internal stakeholders include those within the sector (e.g., Civil Service
Commission, Office of the Ombudsman, and other review and oversight
bodies). These are the individuals and groups that can affect and be affected
by the agency‟s operation within a particular public service sector. In terms of
relationship, the IAS/IAU basically coordinates with internal stakeholders.
b. External stakeholders, on the other hand, pertain to those outside the sector.
These are the persons, organizations and other service groups that are
outside a specific public service sector but may have an interest and can
influence the achievement of the sectoral goals of the agency concerned. The
IAS/IAU only collaborates with external stakeholders.
External stakeholders must always deal with the principal (DS/GB/AuditCom)

and not directly with the IAS/IAU.
To illustrate, the internal stakeholders of the DepEd in the education sector

include the local school boards, Parents Teachers and Community Associations
(PTCAs), the Congressional and local sanggunian committees on education,
among others. Its external stakeholders include other public service sectors such
as the public works sector (i.e., DPWH and its internal stakeholders) – for roads
going to the school, the health sector (i.e., DOH and its internal stakeholders) for
the health and nutrition of the students, among others.
4.1 Internal Audit Service/Internal Audit Unit and the Department Secretary
As mentioned in the previous section, the IAS/IAU must report directly to the
DS/HoA.46 It is reiterated that the Department Secretary or the agency head
is not the client of the IAS/IAU. Instead, a superior-subordinate relationship
exists between the DS/HoA and the Internal Auditors. This means that the
HoIA is accountable to the DS/HoA. This relationship should be used as an
opportunity for internal audit to gain insights into new and emerging issues
and concerns facing the organization, and to discuss the role that the
DS/HoA requires the IAS/IAU to fulfil, in line with the latter‟s mandated
function.
4.2 Internal Audit Service/Internal Audit Unit and the Governing Body
In GOCCs and GFIs, the IAS/IAU reports to the Governing

Board/Commission/Council on the effectiveness of the internal audit function.
The Governing Body shall periodically meet with the HoIA to discuss reports
of evaluation. As a minimum, it is important that the HoIA has direct access
to the Chair of the GB as required.
Again, it is reiterated that the relationship between the GB and IAS/IAU is

that of principal and agent, respectively.
54
4.3 Internal Audit Service/Internal Audit Unit and the Audit Committee in
GOCCs/GFIs
The relationship between the IAS/IAU and the Audit Committee is also
crucial and is likely to have a number of dimensions. These involve the
following:
a. The IAS/IAU being functionally responsible to the Audit Committee for the
implementation of the internal audit program which places the Audit
Committee in the role of being the IAS‟ primary principal and requires the
latter to have a close professional relationship with the Audit Committee;
b. The IAS/IAU being a key source of information on management controls

and the performance of the organization through its reports and general
interaction with the Audit Committee;
c. In many organizations, the Audit Committee being responsible for either

reviewing and approving internal audit plans, or recommending their
approval to the GB; and
d. The Audit Committee being involved in assessing the performance of the

IAS/IAU.
4.4 Internal Audit Service/Internal Audit Unit and Management
To effectively fulfill its responsibilities, the IAS/IAU needs to have a

professional and constructive relationship with senior management in
particular, and with the management staff of the organization in general. The
IAS/IAU members should interact on a regular basis with the members of the
senior management team, and build a relationship that is based on
cooperation, mutual respect and adherence to the highest degree of
professionalism.
While interacting on a regular basis with management, the IAS/IAU may be

privy to information which might impact on professional and, at times,
personal reputations. It is important that the IAS/IAU respects the
confidentiality of such information and its communication to others be made
on a strictly need-to-know basis. In situations where managers consider that
such information is being used inappropriately, the reputation and credibility
of the IAS/IAU is likely to be adversely affected.
4.5 Internal Audit Service/Internal Audit Unit and the Commission on Audit
The COA has the Constitutional authority and duty to examine, audit and
settle accounts in accordance with law and regulations. 47 The Constitution,
as well as the Administrative Code of 1987, also provides that, “where the
internal control system of the audited agencies is inadequate, the COA may
adopt such measures, including temporary or special pre-audit, as necessary
and appropriate to correct the deficiencies”. This authority of the COA is
distinguished from the functions of the IAS/IAU.
55
The IAS/IAU is an integral part of the department or agency and assists in
the management and effective discharge of the responsibilities of the Office
without intruding into the authority and mandate of the COA granted under
the Constitution48 or encroaching on or be adversarial with those of the
auditors of the COA.49 However, there must be constructive cooperation
between the IAS/IAU and the COA.
The coverage of internal audit provided in the Strategic and Annual Internal
Audit Work Plans, including the appropriate amendments, are subject to the
authority of the DS/HoA or the GB/AuditCom.
Access to internal audit plans, working papers and reports is subject to the
authority of the DS/HoA or GB/AuditCom and/or in accordance with
Department-specific policies on security of information and disclosure.
4.6 Internal Audit Service/Internal Audit Unit and Oversight, Regulatory and
Other External Bodies
The HoIA can liaise in behalf of, and with authority from, the DS/HoA or the
GB/AuditCom, with other external reviewers as part of the organization‟s
governance arrangements. It is critical that these activities are performed
with authority from the DS/HoA or the GB/AuditCom.
There are benefits in formalizing protocols for such activities as exchange of

information and reports in a coordinated manner. This arrangement can be
applied where internal audit needs to work closely with its programs in other
public service sector organizations as a result of inter-agency agreements,
as may be authorized by the DS/HoA or GB/AuditCom.
4.7 Internal Audit Service/Internal Audit Unit and Professional Bodies
It is generally expected that Internal Auditors may be members of

professional bodies.
It is important that the Internal Auditors are abreast with professional and
industry developments, and use networking opportunities to assist in their
continuing professional development. They must continually update
themselves on new frontiers of internal auditing and respond to
developments affecting their profession, subject to applicable laws and
regulations.
In doing so, and in accordance with government policies on confidentiality of

organizational activities and audit functions, and policies on objectivity and
impartiality, it is important that due care is strictly upheld.
56
5. Organizational Structure
Box 3 – Issuances on the
To be able to provide the services Organization and
expected of the IAS/IAU, it is important Staffing of the
that it has: IAS/IAU
DBM Budget Circular No. 2004-4
a. An appropriate organizational structure; dated 22 March 2004
entitled, “Guidelines in the
b. Access to sufficient human resources Organization and Staffing of Internal
Auditing Units” DBM Circular
with the necessary skills and
Letter No. 2008-5 dated 14
experience; and April2008 entitled,
“Guidelines
Staffing ofin thean Organization and
Internal Audit
c. An adequate budget. Service/Unit and Management
Division/Unit in Departments/
The quantum and mix of resources Agencies/GOCCs/GFIs Concerned”
DBM Circular Letter No. 2008-8
required is influenced by a number of dated 23 October 2008 entitled,
factors. “National Guidelines on Internal
Control Systems”
It is important that the IAS/IAU be positioned well within the organization. The
location of the IAS/IAU in the organizational structure of the Office of the
Secretary and in the department proper is provided in Figure 6 and Figure 7.50
Secretary
Internal Audit Service
Undersecretary Undersecretary
Asst. Secretary Asst. Secretary
Figure 6 – Organizational Chart of the Office of the Secretary
The IAS/IAU of the Department shall report directly to the Department Secretary.
It shall be headed by a Director IV or as may be provided by the Administrative
Code of 1987 or other special laws. The Director IV shall be occupied by a career
official with a third level eligibility.
57
Office of the Secretary Internal Audit
Service
Planning Financial and Administrative Technical Legal

Service Management Service Service Service Service
Figure 7 – Organizational Chart of the Department Proper
In the absence of special provisions, the major staff units of a Department include
the Planning Service, Financial and Management Service, Administrative Service,
and when necessary, the Technical and Legal Services. 51
Except when otherwise provided by law, each Department may have units which
shall perform planning, financial and management, administrative services,
internal audit, and other support to operations.52
In the case of regular agencies attached to a Department for policy and program
coordination, their respective Board/Council shall determine the propriety of
establishing a separate unit for the purpose or avail of the services of the IAS/IAU
of the Department.53
GOCCs/GFIs which have original charters or those created through the

Corporation Code shall likewise establish their respective IAS/IAU. The IAS/IAU
shall report to the respective Audit Committee of the Governing Board of the
corporation, as shown in Figure 8.54
Risk Board of
Management Directors Audit Committee
Chief Executive Internal Audit

Officer (CEO) Department
Management Audit Operations Audit

Division Division
Figure 8 – Organizational Chart of the Internal Audit Department of a GOCC/GFI
58
The IAS/IAU in departments and equivalent agencies shall consist of two divisions
- an Operations Audit Division and a Management Audit Division as shown in
Figure 9.55 The Divisions shall be headed by an Internal Auditor V (SG 24).
Office of the
DS/HoA or
Internal
Audit
Management Operations Audit

Audit Division
Figure 9 – Organizational Chart of the Internal Audit Service
5.1 Management Audit Division
The Management Audit Division is responsible for conducting compliance

and management audits in departments, agencies or GOCCs.
Pursuant to the Administrative Code of 1987 56, and as adopted in DBM
Circular Letter 2008-5, s. 200857, the Internal Audit Service shall “[c]onduct
management and operations performance audit of Department activities and
units and determine the degree of compliance with established objectives,
policies, methods and procedures, government regulations, and contractual
obligations of the Department.” (underscoring supplied)
Administrative Order No. 278,58 s. 1992 further espoused the management

audit function where it explicitly stated that the internal audit activities shall
include “[r]eviewing and evaluating the soundness, adequacy and application
of accounting, financial and other operating controls and promoting the most
effective control at reasonable cost.” (underscoring supplied)
Functional Statements
The Management Audit Division shall evaluate the achievement of the

control objectives which include the safeguarding of assets, checking the
accuracy and reliability of accounting data, adherence to managerial policies,
compliance with laws, rules and regulations by utilizing internal auditing
methods. It has the following functions:
a. Conduct management audit of activities and its units and determine the
degree of compliance with the mandate, policies, government regulations,
established objectives, systems and procedures/processes and
contractual obligations (Section 2.4b, DBM Circular Letter No. 2008-5 and
Section 1.1.2, AO 278, s. 1992);
59
b. Review and appraise systems and procedures/processes, organizational
structure, assets management practices, financial and management
records, reports and performance standards of the agencies/units
covered (Section 2.4c, DBM Circular Letter No. 2008-5);
c. Verification and analysis of financial and management data to ascertain if

attendant management information systems generate data or reports that
are complete, accurate and valid (Section 4.1.1.2, DBM Budget Circular
No. 2004-4);
d. Ascertain the reliability and integrity of financial and management

information and the means used to identify, measure, classify and report
such information (Section 1.1.1, AO No. 278, s. 1992);
e. Ascertain the extent to which the assets and other resources of the
institutions are accounted for and safeguarded from losses of all kinds
(Section 1.1.3, AO 278, s. 1992);
f. Review and evaluate the soundness, adequacy and application of

accounting, financial and management controls and promote the most
effective control at reasonable cost (Section 1.1.4, AO 278, s. 1992);
g. Evaluate the quality of performance of groups/individuals in carrying out

their assigned responsibilities (Section 1.1.6, AO 278, s. 1992);
h. Perform functions of a protective nature, such as prevention and

detection of fraud or dishonesty; review of cases involving misuse of
agency property; and checking of transactions with outside parties
(4.1.1.4, DBM Budget Circular No. 2004-4); and
i. Perform miscellaneous services, including special investigations and

assistance to outside contacts such as COA (Section 4.1.1.5, DBM
Budget Circular No. 2004-4).
5.2 Operations Audit Division
The Operations Audit Division is responsible for conducting compliance and

operations audits in departments, agencies or GOCCs.
Pursuant to the Administrative Code of 1987, 59 and as adopted in DBM

Circular Letter 2008-5 s. 2008,60 the Internal Audit Service shall “[c]onduct
management and operations performance audit of Department activities and
units and determine the degree of compliance with established objectives,
policies, methods and procedures, government regulations, and contractual
obligations of the Department.” (underscoring supplied)
60
Administrative Order No. 278,61 s. 1992 further espoused the operations
audit function where it explicitly stated that the internal audit activities shall
include “[r]eviewing of operations or programs to ascertain whether or not
results are consistent with established objectives and goals and whether or
not such programs are being carried out as planned.” (underscoring
supplied)
Functional62 Statements
The Operations Audit Division shall evaluate the extent of compliance and
ascertain the effective, efficient, ethical and economical execution of
operations by utilizing internal auditing methods. The Division is tasked to
perform the following functions:
a. Conduct operations performance audit of activities of the

department/GOCC and their units and determine the degree of
compliance with the mandate, policies, government regulations,
established objectives, systems and procedures/processes and
contractual obligations (Section 2.4b, DBM Circular Letter No. 2008-5);
b. Review and appraise systems and procedures/processes, organizational

structure, operations practices, operations records, reports and
performance standards of the agencies/units covered (Section 2.4c, DBM
Circular Letter No. 2008-5);
c. Verify and analyze operations data to ascertain if attendant management

information systems generate data or reports that are complete, accurate
and valid (Section 4.1.1.2, DBM Budget Circular No. 2004-4);
d. Ascertain the reliability and integrity of operational information and the

means used to identify, measure, classify and report such information
(Section 1.1.1, AO No. 278 s. 1992);
e. Review operations or programs to ascertain whether or not results are

consistent with established objectives and goals and whether or not such
programs are being carried out as planned (Section 1.1.5, AO 278 s.
1992);
f. Evaluate the quality of performance of groups/individuals in carrying out

their assigned responsibilities (Section 1.1.6, AO 278 s. 1992);
g. Recommend courses of action on operational deficiencies observed

(Section 1.1.7, AO 278 s. 1992);
h. Perform functions of a protective nature, such as prevention and

detection of fraud or dishonesty; review of cases involving misuse of
agency property; and checking of transactions with outside parties
(Section 4.1.1.4, DBM Budget Circular No. 2004-4); and
61
i. Perform miscellaneous services, including special investigations and
assistance to outside contacts such as COA (Section 4.1.1.5, DBM
Budget Circular No. 2004-4).
6. Head of Internal Audit
The HoIA is responsible for ensuring that the internal audit function and
engagement are delivered efficiently and effectively toward the attainment of the
IAS/IAU objectives. In doing so, the HoIA should maintain utmost commitment to
public interest and the highest degree of excellence, professionalism, intelligence
and skill.
6.1 Status
The rank and salary grade of the HoIA are stipulated in Sections 2.5 to 2.7 of
DBM Circular Letter 2008-5.
In departments covering the Office of the Secretary-Proper, Bureaus,

Regional Offices and Regulatory Agencies, the IAS/IAU shall be headed by a
Director IV or as may be provided by the Administrative Code of 1987 or
other special laws. The Director IV shall be occupied by a career official with
a third level eligibility, and with a Salary Grade of 28 or its equivalent
position.63 Said position is highly technical in nature and shall be
station/office specific.
The HoIA of a regular agency attached to a department for policy and

program coordination shall have the rank equivalent to the fourth ranking
official of the agency.
In the case of GOCCs/GFIs, the HoIA shall be headed by a Department

Manager with Salary Grade of 26 or its equivalent position.
Considering, however, the complexity and scope of the internal audit

functions and the nature of undertakings of the IAS/IAU in such agencies as
the Office of the President and in Congress, which may entail the conduct of
fraud detection, forensic audit, computer forensics, investigation and litigation
in criminal and administrative cases, among others, their IAS/IAU may be
headed by a third or second ranking official. Under the current set-up, the
Office of the President Proper is headed by a Deputy Executive Secretary,
while in the House of Representatives, it is headed by a Deputy Secretary
General.
62
6.2 Qualifications
The HoIA must meet the eligibility requirements specified in Sections 2.5 to
2.7 of DBM Circular Letter No. 2008-564. As a career service officer, he/she
must also meet the prescribed minimum education, training and experience
requirements. However, CSC MC No. 12, s. 2006 encourages agencies to
set specific or higher standards for their IAS/IAU positions. These must be
submitted to the CSC for approval, and once approved, shall be adopted by
the Commission as qualification standards in the attestation of the
appointments of non-Presidential appointees of the agency concerned.
The following Qualification Standards for the HoIA may be adopted for CSC
approval:
Table 3 - Qualification Standards for the HoIA
Education Any of the following: Master‟s Degree in Accounting, Public

Administration, Criminology, Information Technology/Computer
Science and other related disciplines relevant to the
department/agency/sector where the HoIA is assigned;
Bachelor‟s Degree in Law would be an advantage.
Experience 4 years of relevant experience in one or a combination of the
following: Public Administration, Internal Auditing, Administrative
or Criminal Investigation, Forensics (e.g., Accounting,
Information Technology), International Organization for
Standardization (ISO) Management Systems and other related
disciplines
Training 40 hours of relevant training in one or a combination of the
following: Public Administration, Internal Auditing, Administrative
or Criminal Investigation, Forensics (e.g., Accounting,
Information Technology), International Organization for
Standardization (ISO) Management Systems and other related
disciplines
Eligibility Any of the following: CESO III; CESO III and Lawyer or CESO III
and CPA-Lawyer would be an advantage
The knowledge that the HoIA must possess prior to qualification consists of
general knowledge and professional knowledge.
a. General knowledge is obtained upon completion of a course of

appropriate studies from an accredited higher education institution prior to
becoming certified.
b. Professional knowledge refers to the range of one‟s information and

understanding of organizational, business, information technology, and
accounting-related matters.
Since both management and operations audits start with compliance audit,
which involves the determination of the degree of compliance with laws,
regulations, managerial policies, accountability measures, ethical standards
and contractual obligations, it would be an advantage if the HoIA possesses
63
sufficient foundation in law and is familiar with the rudiments of the law, in
addition to the general knowledge gained from the basic education.
The HoIA must also possess functional expertise. His/her knowledge of a
specific function and sector (e.g., health) must be contextualized within the
operations of the department/agency which performs this particular function.
It helps if he/she has relevant experience in applying this knowledge in a
work setting as it enhances his/her understanding of the organization and its
operations.
6.3 Responsibilities
The HoIA is responsible for:
a. Ensuring the efficient and effective operation of the internal audit function;
b. Developing strong professional relationships with the DS/HoA or

GB/AuditCom and key stakeholders;
c. Leading the development of the internal audit strategic plan and annual
work plan that outlines the objectives, priorities and proposed internal
audit coverage; and
d. Liaising with other external monitoring and evaluation bodies in

developing internal audit plans for the review and approval by the
DS/HoA or GB/AuditCom.
6.4 Skills
To operate effectively, the HoIA requires a broad range of skills and specific
personal qualities which are critical to the credibility and acceptance of the
internal audit function that he/she leads. These include intellectual,
interpersonal, communication, and information technology skills. Other skills
and qualities that could be expected of a HoIA include:
a. Clear understanding of the internal audit‟s contribution to effective

governance;
b. Ability to develop plans and programs to contribute to the achievement of

mandated objectives;
c. Strong management acumen and the ability to anticipate and assess

management control;
d. Ability to build a strong network and credibility with the DS/HoA or

GB/AuditCom and senior management; and
e. Consistent observance of ethical principles.
64
7. Staffing the Internal Audit Service/Internal Audit Unit
The rank and salary grades of the IAS/IAU staff are stipulated in Section 4.1.3 of
DBM Budget Circular No. 2004-4, Annex A.
The qualification standards for the IAS/IAU staff are enumerated in the following:
a. Rule IV, CSC Omnibus Rules Implementing Book V of EO 292, s. 1987 or the
Administrative Code of 1987; and
b. CSC MC 12, s. 2006, “Qualification Standards for IAS Positions”.
CSC MC No. 12, s. 2006 provides the minimum qualification standards to be

followed for the IAS/IAU positions, namely, Internal Auditor I-V (SG 11 to SG
24), and Internal Auditing Assistant (SG 8).
Table 4 - Qualification Standards for the IAS/IAU Staff
IAS/IAU Education Experience Training Eligibility

Positions
Internal Auditor Master‟s degree 4 years in 24 hrs. of Career Service
V relevant to the position/s relevant (Professional)/
(SG 24) position/agency/sector involving training in Second level
management management eligibility
and and supervision
supervision
Internal Auditor Bachelor‟s degree 3 years of 16 hrs. of Career Service
IV relevant to the relevant relevant (Professional)/
(SG 22) position/agency/sector experience training Second level
eligibility
Internal Auditor 2 years of 8 hrs. of Career Service
III relevant relevant (Professional)/
(SG 18) experience training Second level
Internal Auditor 1 year of 4 hrs. of eligibility
II relevant relevant
(SG 15) experience training
Internal
Auditor I 65
(SG 11)
Internal Auditing Completion of 2 years Career Service
Assistant (SG 8) of study in college (Sub-
professional)/
First level
eligibility
A detailed matrix providing for the qualification standards and functions of each
position in the IAS/IAU is provided in Appendix C.
In government, the organizations, programs, activities, and functions are usually

created by law and are subject to specific rules and regulations. 66 It cannot be
subject to an Internal Audit Charter which may provide a formal, written
agreement with management and the board about the organization‟s internal
audit activity.67
65
7.1 Temporary Personnel Movements to Supplement Internal Audit
Resources
The need to establish and maintain an internal audit unit that is staffed with
people who have the necessary competence, skills and experience is an
ongoing issue for most, if not all, agencies. Temporary movement of officials
and staff to the IAS/IAU can be a useful way of supplementing internal audit
resources.
Temporary personnel movements can be a useful way of gaining training

and experience for the IAS/IAU staff. The following arrangements are
supported by the CSC under its MC No. 40, s. 1998, as amended by MC No.
15, s. 1999 and MC No. 21, s. 2002.
7.1.1 Detail
This involves the temporary movement (detail) of an internal audit

expert of one department/agency/GOCC/GFI to the IAS/IAU of
another, to train the IAS/IAU staff of the latter by coaching, or the
conduct of in-house training.
Detail is the temporary movement of an employee from one

Department or agency to another which does not involve a reduction
in rank, status or salary. (Refer to CSC MC No. 21, s. 2002 for the
policies on detail.)
7.1.2 Secondment
This involves the secondment of the IAS/IAU staff from one

Department/agency to another or to an international body/organization
which offers an opportunity to engage in services related to internal
audit functions, either for short-term or long-term engagement.
Secondment is the movement of an employee from one department or

agency to another which is temporary in nature and which may or may
not require the issuance of an appointment which may either involve a
reduction or increase in compensation or benefits. However,
secondment shall be limited to employees occupying managerial,
professional, technical and scientific positions; and to international
bodies/organizations recognized by the Philippine government. (Refer
to CSC MC No. 40, s. 1998, as amended by CSC MC No. 15, s. 1999
for the guidelines on secondment.)
66
7.1.3 Other Arrangements
Other arrangements may be explored including the following:
a. Temporary detail of experts on functional areas from other public

service sector organizations to the IAS/IAU
This arrangement provides an opportunity for internal audit to gain

special expertise and/or extra resources from outside the
organization and for the internal audit staff to be trained by such a
specialist.
b. Temporary detail of staff to the IAS/IAU from other public service

sector organizations
This entails the movement of the IAS/IAU staff to the IAS/IAU of

another agency for them to gain experience in a different
organization and/or work area. This may be done without the
issuance of an appointment and shall be allowed only for a limited
period.
c. Temporary detail of internal experts to the IAS/IAU
Internal experts or subject matter experts from within the

organization can provide additional resources for the IAS/IAU for a
specified period and help train the IAS/IAU staff in complex audits
through adequate training and supervision. Such experts can also
add credibility to the audit findings. However, these experts must
disclose that they are free from any conflict of interest and can
maintain impartiality.
This arrangement benefits the organization and the individuals

involved by developing officers who have a good understanding of the
organization‟s governance and accountability relationships and a
good overview of the different parts of the organization.
There are merits in rotating potential senior officers and exposing

them to the internal audit function for set periods as part of their
career development. The IAS/IAU benefits by having auditors or
experts with operational experience in the organization that can
provide a reality check on audit findings. To ensure that the IAS/IAU
staff remains objective and to avoid any perception of conflict of
interest, appropriate disclosure of such arrangements must be made,
including the official‟s scope of internal audit assignment. Effective
training and supervision is essential to maintain objectivity, impartiality
and integrity of the internal audit function.
However, in the secondment or temporary movement of the IAS/IAU

staff, a confidentiality agreement will have to be drawn and signed by
said staff to ensure non-disclosure of confidential information.
67
8. Internal Audit Budget
To provide an effective internal audit function, it is important that the budget is

sufficient to implement the role expected of the IAS/IAU and, in particular,
responds to the priorities and requirements of the approved strategic and annual
work plan. The DS/HoA or GB/AuditCom approves the internal audit budget.
The factors that influence the internal audit budget include:
a. The number and types of audits included in the annual work plan -
performance audit is more complicated and costly than compliance audit, but
more beneficial in terms of agency opportunities;
b. Complexity of the annual work plan - an audit requiring special skills, such as
an information technology expert, could add to the cost of the audit;
c. Geographic spread of audit work - the more travel that is required, the greater
the required budget; and
d. Related audit services, such as being reference point for contacts like the
COA, Office of the Ombudsman and other oversight or regulatory bodies
and/or intervening activities or tasks that may be assigned to the IAS/IAU by
the DS/HoA or GB/AuditCom.
In presenting the internal audit strategic and annual work plan, the HoIA may
submit the proposed budget for the planned activities. If the approved budget is
less than the proposed, the IAS/IAU should review the audit plan and prioritize the
activities that can be undertaken for the year. Other activities may be rescheduled
in the succeeding years.
68
CHAPTER IV
PERFORMANCE MONITORING
AND
EVALUATION
69
1. Performance Evaluation
Periodically assessing performance and addressing opportunities for improvement

can help maximize the efficiency and effectiveness of the internal audit function.
Measuring performance is also the means whereby the internal audit‟s own
performance is assessed and internal audit is held accountable for the use of its
resources. By adopting appropriate indicators, implementing a rigorous
performance measurement system and acting on the results, internal audit can
demonstrate that it practices what it preaches, and thus encourage acceptance of
its role within the organization.
Since the DS or GB/AuditCom is responsible for reviewing the performance of

internal audit, the performance indicators must be mutually agreed upon by the
DS or GB/AuditCom and the HoIA.
1.1 Measuring Internal Audit Performance
Performance assessment has three interrelated elements.
a. Performance measurement, which refers to the systematic analysis of

performance against goals taking account of reasons behind the
performance and the influencing factors.
b. Rating, which refers to the judgment of progress - good or bad - based on

indicators. This can also include rating another performance dimension.
c. Indicators, which are used to verify if progress towards results has taken
place.68
The key performance indicators (KPIs) used to measure performance should

focus on matters that receive the highest priority. It is important, therefore,
that the KPIs for internal audit are aligned with the internal audit strategic
plan and annual work plan and help drive the performance which the DS or
GB/AuditCom expects from internal audit.
It is also important that performance is measured over time in order to

identify trends against both qualitative and quantitative targets. Such targets
should be challenging but realistic.
The most suitable KPIs vary from one organization to another depending on
the approved internal audit strategic plan. It is expected that KPIs would be
sufficient in number and as a minimum, would measure audit work and other
significant services provided by internal audit. Good KPIs include
measurement of the:
a. Timeliness and cost of audits;
b. Quality of audits, including quality of evidence-based findings and

realistic courses of action;
70
c. Auditees‟ survey on the extent of impartiality, professionalism,
communication and due care in managing the internal audit;
d. Number of audit findings approved by the DS or GB/AuditCom;
e. Number of recommendations implemented by the auditee;
f. Number of audit support activities undertaken;
g. Internal audit staff satisfaction; and
h. Overall contribution made by the internal audit function.
It is relatively easier to measure the cost and timeliness of internal audit

reports, but it is more difficult to measure, in an objective way, the quality of
internal audit services or the contribution that internal audit makes to the
organization. Consequently, measurement of the effectiveness of or the
benefits from individual internal audit reports and the internal audit function
itself is generally best done over time by seeking the views of the DS or
GB/AuditCom as principals and key stakeholders, where appropriate.
In any event, internal audit should keep track of where it has significantly
influenced change in the organization.
1.2 Measurement Techniques
Management information systems and processes should be established to

record and report the required performance data in a cost-effective way.
Principal and key stakeholders‟ surveys at the end of an audit are useful and
well-accepted ways of measuring the level of satisfaction with internal audit
services. Short surveys that can be completed electronically are efficient
means of collecting data, but manual approaches can also be done in cases
when IT-based systems are not adequate. Any significant issue identified
from such surveys should be followed up, where possible.
Key issues to address in such audit surveys include the following:
a. Auditors‟ understanding of the area under review;
b. Quality of the analysis undertaken;
c. Usefulness of the suggested courses of action;
d. Efficiency of the process;
e. Level of collaboration with management, the public they serve, and the
agency‟s stakeholders; and
f. Overall value of the report to the management, the public they serve, and
the agency‟s stakeholders.
71
As principal, the DS or GB/AuditCom should also be involved in providing
regular feedback on the quality and cost-effectiveness of the audit reports
and other services provided by internal audit.
It is expected that the views of the DS or GB/AuditCom will be sought

periodically, and at least once annually.
1.3 Internal Audit Annual Performance Report
To assist the DS or GB/AuditCom in reviewing the performance of internal

audit, it is good practice for the HoIA to prepare a report for them, at least
annually, on progress in implementing the internal audit strategic plan and
annual work plan.
The report should contain:
a. Comments on the internal audit activities and any variance from approved
plans;
b. Progress in the implementation of the internal audit strategic plan and

completion of the annual work plan;
c. Highlights and challenges during the period;
d. Overall contribution of internal audit in managing the organization‟s

internal control deficiencies; and
e. Issues that may require attention in relation to the internal audit function.
A summary of the internal audit reports could be included in the

organization‟s annual report.
(Refer to PGIAM Part II – Practices, Chapter 3 for discussion on

performance monitoring and evaluation by the HoIA and DS/HoA or
GB/AuditCom.)
72
Part II
Practices
73
INTRODUCTION
The Philippine Government Internal Audit Manual (PGIAM) Part II - Practices
contains the approaches, tools and techniques that will facilitate the conduct of
internal audit activities as explained in the PGIAM Part I - Guidelines.
The Internal Audit Service/Unit (IAS/IAU) is mandated to conduct an evaluation or

appraisal of the Internal Control System (ICS) to determine if internal controls are well
designed and properly implemented. It is also mandated to conduct management
audit and operations audit.
The PGIAM Part II - Practices is composed of three chapters representing the major
steps in the conduct of internal auditing. To facilitate navigation of this manual,
reference should be made on the flow of internal audit activities as illustrated in
Figure 10 and the internal audit key processes as illustrated in Figure 11.
STRATEGIC
PLANNING
AUDIT PROCESS
Management Compliance Operations

Audit Audit Audit
PERFORMANCE MONITORING AND

EVALUATION
Figure 10 – Flow of Internal Audit Activities
Strategic and Annual Types of Monitoring &

Audit Process
Planning Audit Evaluation
BAICS Audit Planning

Compliance
Audit
Control
Significance Performance
Annual Audit Execution
and Management Monitoring and
Materiality
Work Audit Evaluation
Plan
Control Risk (AWP) Audit Reporting
Operations
Internal Audit
Audit Follow-up
Audit Risk
Figure 11 - Diagram of Internal Audit Key Processes
74
Internal audit activities start with the development of a strategic plan for a three-year
period, which consists of the strategic plan and the annual work plan. The strategic
planning begins with a baseline assessment of ICS that establishes how the IAS/IAU:
(1) reviews the organization‟s internal control components in the context of the public
service organization in the sector and key strategic challenges and advantages; and
(2) leverages on this knowledge to plan for the work to be undertaken in assisting the
organization to achieve its objectives. After the baseline assessment of ICS, the
IAS/IAU considers the control significance and materiality and control risk of key
processes in the operating and support systems to achieve the control objectives,
assesses the internal audit risks, formulates the Strategic Plan and prepares the
Annual Work Plan.
The audit process, as will be discussed in Chapter 2, involves four (4) stages,
namely: (1) audit engagement planning; (2) audit execution; (3) audit reporting; and
(4) audit follow-up. The processes pertain specifically to the preparation of the audit
engagement plan, conduct of the audit itself by identifying the standards/criteria and
gathering pieces of evidence for the conditions and causes, analysis of the findings of
facts and pieces of evidence, formulation of recommendations, and monitoring of the
implementation of approved audit recommendations. At any point during the audit
and during the conduct of the baseline assessment of ICS, when significant
risks/issues arise, the IAS/IAU will prepare an Interim Report to the DS or
GB/AuditCom to communicate findings, issues, and problems that may affect the
conduct of the audit and expose the organization to considerable risks. The audit
process applies to compliance, management and operations audits.
Chapter 3 elucidates how the performance evaluation of the IAS/IAU is undertaken in

order to: (1) ensure that the audit service achieves and delivers planned results; (2)
continually improve the internal audit process; and (3) enhance the professionalism of
the audit staff.
Workflow charts and diagrams of internal audit key processes are provided in
Appendix D of this Manual.
75
CHAPTER I
STRATEGIC
AND
ANNUAL WORK PLANNING
76
1. Strategic Planning
Strategic planning is the process of identifying the key audit strategic direction of
the IAS/IAU for a three-year period. Its format and content shall be agreed upon
between the Department Secretary/Head of Agency or the Governing Board/Audit
Committee (DS/HoA or GB/AuditCom) and the Head of Internal Audit (HoIA). In
strategic planning, the IAS/IAU:
a. Performs the baseline assessment of the ICS;

b. Considers the control significance and materiality and control risk of key
processes in the operating and support systems to achieve the control
objectives;
c. Assesses internal audit risk;
d. Formulates the Strategic Plan; and
e. Prepares the annual work plan.
STRATEGIC
PLANNING
Conduct of Baseline Assessment (BA) of ICS
Assessment of Control Significance and Materiality and

Control Risk
Assessment of Internal Audit Risk
Formulation of Strategic Plan Preparation
of Annual Work Plan
AUDIT PROCESS
Management Compliance Operations

Audit Audit Audit
PERFORMANCE MONITORING AND

EVALUATION
Figure 12 – Strategic Planning Flow Diagram
There are three levels of planning:
a. Strategic planning, discussed in this Chapter;

b. Annual work planning, also discussed herein; and
c. Audit engagement planning, discussed in Chapter 2.
The annual work plan (AWP) is based on identified audit areas resulting from the
strategic planning, while the audit engagement plan sets the activities per audit
engagement identified in the AWP.
77
The first activity to develop the strategic plan is the baseline assessment of the
ICS. Baseline assessment is done for the purpose of formulating a three-year
strategic plan which should be iterative and updated for changes in the control
component. This is to ensure that the focus of the IAS/IAU is relevant to the
conditions of the organization. Conceptually, it should have two parts. Part A is
the Strategic Plan (SP). Part B is the Annual Work Plan (AWP).
1.1 Conduct Baseline Assessment (BA) of the Internal Control System
The objectives of the baseline assessment are to: (1) get familiar with the
organization‟s operations; (2) identify and document the five components of
ICS; (3) review key control processes and performance of operating and
support systems; and (4) gather sufficient information on potential audit
areas to be included in the strategic plan.
Baseline assessment is carried out by performing activities such as: administering internal
control questionnaires/checklist and verifying the results; using flowchart/narrative notes,
conducting walkthrough and test of controls.
Components of
Internal Control Controls
System
Control Gaps,
Operating Deficiencies and Interim Report
1) Control Environment Breakdowns
System-Key
processes N
O NO NO
2) Risk Assessment
Test of
Flow Controls
Y Chart,
3) Control Activities YE
Narrative S Reviews of
4) Information and Support E YES B
S Notes and Oversight
Communication System-Key Walk Control and Int’l.
processes A
Through + Dev’t. =
5) Monitoring Universe Bodies
R
Figure 13 – Baseline Assessment of ICS Flow Diagram
1.1.1 Familiarization with the Organization’s Operations
The IAS/IAU gathers and analyzes information on the organization‟s

mandate, objectives, strategies, operating and support systems,
relevant laws, rules and regulations, and organizational and sectoral
performance. This involves a table review of the pertinent materials
such as previous audit reports.
The documents to be obtained and reviewed to be familiar with the

organization‟s operations may be the primary source documents
(obtained from the original source of the information, documents or
records) or the secondary source documents (obtained from
78
references/copies of information, documents or records other than the
original source). For example: the primary source of Philippine laws is
the Philippine Congress, and the primary source of the Department of
Health‟s operating manual is the DOH itself. On the other hand, the
secondary source of Philippine laws are copies of said laws in the
records of an agency; and the secondary source of DOH‟s operating
manual is a copy of it maintained in the UP Law Center, if any.
a. Documenting the Five Components of ICS
To obtain an understanding of the agency‟s ICS in the context of a

public service sector, the IAS/IAU identifies and documents the
five components of ICS, to wit: Control Environment, Risk
Assessment, Control Activities, Information and Communication,
and Monitoring and Evaluation.
i. Control Environment
It is important that the IAS/IAU understands what composes

the control environment and identifies the management
controls that are necessary to achieve the control objectives.
Control environment is the foundation of the ICS. It provides

discipline and structure, as well as the climate, which
influences the overall quality of internal control.
Control environment is the scope and coverage of an

organization‟s ICS which impacts on its structural and
operational framework. It integrates all other internal control
components, elements and features to influence the direction
and shape of an organization or agency‟s strategies and
outcomes. This component constitutes the plan of organization
and all the coordinated methods and measures. These are
based on the specific law creating the agency or the
Administrative Code of 1987, which is a general law.
To understand the control environment of a specific

organization, the IAS/IAU needs to identify its components in
the context of a sector. A sector consists of: (1) public service
organizations providing public service; (2) constituents or the
publics to serve; and (3) stakeholders.
Public service sector organizations are the: (1) public entities

referring to agencies of the government, including departments,
bureaus, offices, instrumentalities, GOCCs or local government
units; and (2) private entities required or authorized by law to
provide goods and services for public benefit such as
transportation, electricity, water, shipping, telecommunications
and oil companies.
79
Constituents or publics to serve are: (1) internal public relating
to individuals or groups within the organization; and (2) external
public refer to the recipients of services outside the agency
directly or indirectly affected by an agency‟s operations.69
Stakeholders are persons or organizations that can affect, be

affected by, or perceive themselves to be affected by a
decision or activity. Stakeholders are categorized into: (1)
internal stakeholders affected by an agency‟s operation within
a particular public service sector; and 2) external stakeholders
who are outside a specific public service sector but may have
an interest on and can influence the effective performance of
the sectoral goals of an agency concerned.70
The documents/criteria to be considered are listed below. The

list is a starting point. It is not all-inclusive and not every
document/criterion will apply to every
department/agency/process.
(1) The Plan of Organization
(a) Structural Principles of Governance (Organizational

Structure and Staffing)
(i) DBM Manual on Position Classification and

Compensation;71
(ii) Department/Agency‟s approved Rationalization
Plan;72
(iii) Notice of Organization, Staffing and
Compensation Action (NOSCA) or DBM
issuances as bases of the following:
organizational chart and functional chart/
statements; Organizational Linkages/ Work
Flows; Staffing Pattern, Position Description/
Statement of Duties and Responsibilities; and
(iv) Personal Services Itemization and Plantilla
of Personnel (PSIPOP).73
(b) Functional Principles of Governance (Management

and Personnel)
(i) Department/Agency‟s Code of Conduct and

other policies/issuances relating to integrity and
ethical standards74 in accordance with the
minimum standards of RA 671375;
(ii) Department/Agency‟s Performance
Measurement and Evaluation System in
accordance with the minimum requirements of
EO 29276; and
(iii) Doctrine of Completed Staff Work.77
80
(2) The Coordinated Methods and Measures
(a) Planning78 - Planning Manual for sectoral planning

and organizational planning;
(b) Budget79 - Primer on Government Budgeting and

Primer on Barangay Budgeting;80 (Agency Budget
Matrix [ABM]; Allotment Release Program [ARP];
Special Allotment Release Order [SARO]; Notice of
Cash Allocation [NCA]); General Appropriations Act
(GAA);81 DBM Documentary Requirements for
Budgetary Requests;82 President‟s Budget Message;
(c) Accounting83 – Government Accounting and Auditing

Manual;84 Manual on the National Government
Accounting System (NGAS) for National Government
Agencies85 (Accounting Systems); Chart of
Accounts; Description of Accounts; Books of
Accounts; Registries and Records; Accounting
Forms and Reports; Trial Balances, Financial
Reports and Statements;
(d) Administrative86 - Generic Procurement Manual and

Local Procurement Manual (Project Procurement
Management Plan; Approved Budget for the
Contract; Bidding Documents; Terms of Reference;
Contracts and Annual Procurement Plan);87
Philippine Government Electronic Procurement
System (PhilGEPS);88 Operating Manuals or Service
Guides;89 National Archives of the Philippines
Guidelines on Records Disposal;90
(e) Human Resource91 - Human Resource Management

Manual (recruitment, selection and placement of
personnel; appointments; employee benefits;
discipline; leave and attendance; separation;
promotion; employee suggestions and incentive
awards system; employee programs; etc.);92 Uniform
Rules on Administrative Cases in the Civil Service; 93
Rules on Qualification Standards;94 Performance
Management System – Office Performance
Evaluation System (PMS-OPES);95 and
(f) Quality Management96 – Quality Management

Manual including documents on Six (6) Mandatory
Procedures (control of documents; control of records;
control of nonconforming service; internal quality
audit; corrective action and preventive action);
process approach; perception monitoring.97
81
ii. Risk Assessment
Risk assessment is the process of identifying, analyzing and

evaluating relevant risks to the achievement of the control
objectives and determining the appropriate response. In other
words, it is the identification, analysis and evaluation of what
could go wrong and how to address it.

list is a starting point, thus is not all-inclusive. Not every
document/criterion will apply to every
department/agency/process.
(1) Risk management manual which contains the risk

management framework and risk management process.
(2) Risk assessment methodology, tools and techniques

used:
(a) Risk identification (risk register/risk log, risk profile),

risk analysis (risk matrix), and risk evaluation (risk
evaluation results) which may be contained in the
agency‟s operating manuals, risk management
manual, or separate manuals/documents by
reference.
(b) Documentation of the risk assessment which

includes: objectives and scope; description of
relevant parts of the system and their functions;
summary of the external and internal context of the
organization and how it relates to the situation,
system or circumstances being assessed; risk criteria
applied and their justifications; limitations,
assumptions and justifications of hypotheses; risk
identification results; data, assumptions and their
sources, and validation; risk analysis results and their
evaluation; sensitivity and uncertainty analysis;
critical assumptions and other factors which need to
be monitored; discussion of results; conclusions and
recommendation; and references.98
(3) Risk management plan which specifies the approaches,

management components and resources to be applied to
the management of the risk.99 This includes, among
others, the risk management policy, risk assessment
objectives, risk criteria (based on organizational
objectives, and internal and external context; it is derived
from standards, laws, policies and other requirements); 100
risk assessment program, procedures and practices;
assignment of responsibilities; sequence and timing of
82
activities; skills, experience and competence; resources
needed for each step of the risk management process;
and training programs.
iii. Control Activities
Control activities are the policies and procedures established to

address risks and to achieve the organization‟s objectives.
They are the response to a risk designed to contain the
uncertainty of an outcome that has been assessed. These are
the procedures that an organization establishes to treat risks of
the internal control activities. Once implemented, control
activities are ingrained into the control environment of the
agency.
The IAS/IAU should obtain an understanding of the risk

response (transfer, tolerated, terminated or treated); operating
performance review and operating compliance review.101
The documents/criteria to be considered are listed below. This

is a starting point. It is not all-inclusive and not every document
or criterion is applicable to every department, agency or
process.
(1) Implementation of the risk management plan through

policies and procedures pertaining to the risk response 102
(tolerated, transferred, terminated or treated103)104 such as
insurance contracts (risk sharing105), and risk financing106
(risk treatment);
(2) Risk monitoring and review reports; and
(3) Results of the operating performance review and

operating compliance review by management.
iv. Information and Communication
Information and communication are vital in attaining the control

objectives. They go hand in hand and cut across all other
internal control components. Relevant information must be
communicated throughout the agency, as well as to its network
of organizations and sectors.
83
list, which is a starting point, is not all-inclusive. Not every
document/criterion will apply to every department/agency/
process.
(1) Information
(a) Department‟s/Agency‟s Citizen‟s Charter;107
(b) Information systems as part of knowledge

management108 - Government Information Systems
Plan (GISP) also known as Philippine Government
Online;109 and
(c) Review and Compliance Procedures in the Filing and

Submission of the Statement of Assets, Liabilities
and Networth (SALN) and Disclosure of Business
Interests and Financial Connections.110
(2) Communication
(a) Report Card Survey and feedback mechanism of RA

9485 (Anti-Red Tape Act of 2007);111
(b) Consultations and dialogues between officials and

staff;112
(c) Consultations with various offices to evaluate public

and private entities providing public goods and
services;113
(d) Mechanism of public consultations and hearings to

the public to serve;114 and
(e) Consultation with internal and external stakeholders.
v. Monitoring
The ICS must be monitored by management and service units

in the organization. Monitoring the internal control activities
themselves should be clearly distinguished from reviewing the
operations of a unit which is an internal control activity
performed by the operating unit concerned.
The IAS/IAU should obtain an understanding on how

management ensures that internal controls continue to be
applied at all levels and across the agency and achieve the
control objectives through ongoing monitoring activities,
separate evaluation, or a combination of both.
84
The documents/criteria to be considered which are listed below
is a starting point. It is not all-inclusive. Thus, not every
document/criterion is applicable to every department/agency/
process.
(1) Ongoing Monitoring
(a) Monitoring of compliance by various offices to the

performance measurement reports115 by the
Planning Service, Financial and Management
Service, Administrative Service, and other support
service units; and
(b) Attendance and leave monitoring system.116
(2) Separate Evaluation
(a) Internal Audit - Philippine Government Internal Audit

Manual (PGIAM);117 DBM Circular Letter No. 2008-8
(National Guidelines on Internal Control Systems);
and
(b) External Audit - Value for Money Audit –

Participant‟s Manual;118 COA Memorandum No.
2009-04 on DBM Circular Letter No. 2008-8 (National
Guidelines on Internal Control Systems).119
(3) Combination
(a) Consultation and coordination between and among

operating units, support services units and the
IAS/IAU; and
(b) Consultation and coordination with COA and the

IAS/IAU on matters of internal control.
The procedure in documenting the ICS includes a combination

of workshops, observations, documentary review, internal
control questionnaires, and focus group discussions, to obtain
from the operating and support units the primary source
documents; and validate all observations and
recommendations with key officials of the organization.
It includes obtaining documents from primary sources for

validation, e.g., the Department of Health, in reviewing the
compliance of hospitals on the standard health care services,
would require the submission of their reports of compliance; the
Civil Service Commission, in the review of the implementation
of recruitment policies and guidelines, would require the
submission of their reports from agencies on the hiring of
85
officers and employees. The relevant documents may be
inspection guidelines or manuals which contain the standards,
timing and methods for the conduct of inspection.
Internal controls are management controls. These are controls

used by the DS/HoA or GB/AuditCom to achieve the following
objectives:
(1) Safeguard assets;

(2) Check the accuracy and reliability of accounting data;
(3) Adherence to managerial policies;
(4) Compliance with laws and regulations; and
(5) Ensure economic, efficient, ethical, and effective
operations.
A generic Internal Control Questionnaire (ICQ) has been

designed (Appendix E) to evaluate the five components of the
ICS. These components have a pervasive effect, and their
absence can increase the opportunity for fraud or errors in the
organization. Both the management and the internal auditors
can make use of the ICQ in documenting the components of
the ICS.
Before farming out the ICQ, target respondents should first be

identified within the strategic requirements of the information
gathering and for the conduct of orientation to set a common
understanding and language. The questions should be crafted
to obtain information on the attributes and effectiveness of
internal controls, with follow-up questions to validate the
previous answers.
The Questionnaire is divided into the five interrelated

components of internal control that make up the organization‟s
system, as follows:
Section 1 - Control Environment

Section 2 - Risk Assessment
Section 3 - Control Activities
Section 4 - Information and Communication
Section 5 - Monitoring and Evaluation
“Yes” answers to questions would require submission of

evidence by the personnel concerned or gathering of evidence
by the auditor to validate such answer. “Yes” answers and “No”
answers with compensating controls will be subject to a test of
controls for validation.
“No” answers without compensating controls should be

identified as control deficiencies and their root cause/s should
be determined before courses of action are recommended in
86
the interim report. Their content should eventually be included
in the Baseline Assessment Report. Subsequently, interim
report recommendations should be monitored, and in the
ensuing audit period, it should be validated if the actions taken
addressed the control deficiencies. The recommendations
should not merely include addressing the control deficiencies,
but should hold accountable the next level in the hierarchy for
failure of supervision.
Gathering of pieces of evidence by the IAS/IAU can be done by

triangulation, a multi-approach which may include solicitation,
elicitation and analysis of data. No one type of evidence
gathering would suffice. To raise the level of confidence, at
least three sources of evidence or methods of verification
should be obtained.
b. Review of Key Processes and Performance in the Operating

System
The objective of the review is to document controls in key

processes of operations within the organization that are critical to
the achievement of the control objectives. This is to determine
adequacy of internal control and identify gaps, deficiencies or
breakdown for potential inputs to the baseline assessment report.
The processes include operating processes for programs and
projects.
Process refers to a set of interrelated or interacting activities of the

public sector organization which transform input elements
(statutory policies, resources, managerial policies, citizens‟ needs
and expectations, etc.) into outputs/results (products/goods and
services; benefits) provided to the citizens.120 The application of a
system of processes within an organization, together with the
identification and interactions of these processes, and their
management to produce the desired outcome, can be referred to
as the “process approach”.
An example can be the procurement of medicines in the delivery of

health services. The critical processes may include: planning the
procurement; identifying citizens‟ needs and expectations;
transparency of bidding and award; inspection and acceptance;
and monitoring and output/outcome evaluation.
The criteria for the selection of critical processes can include the
following:
i. A process with an output that is an input to a major final output;

ii. A process that makes up significant control procedures; and
iii. A process where the financial value of inputs are high.
87
The review also includes the key operational processes used to
manage and monitor the organization‟s operational strategy (plans
and programs) to attain the expected outputs/outcomes, including
how they support and reinforce the overall sectoral goals. The
objective is to understand operational control components that are
necessary to achieve the target outputs and outcomes, as well as
the identified key performance measures.
The subject of the review may include existing flowcharts,

operating manuals, and periodic accomplishment reports. The
IAS/IAU should determine compliance to milestone reporting and
adequacy and appropriateness of performance measures. If for
instance, the IAS/IAU found out that regular reports are not
periodically rendered, the IAS/IAU should also determine the
possibility that slippages or gaps are not immediately addressed to
catch up on the target or the possibility that end of the year reports
are bloated.
Performance measures refer to the criterion in terms of quantity,

quality, cost, and perception (responsive rating) of plans and
programs. These are the indicators of performance expressed in
units of work, which quantify or measure the outputs and
outcomes. Every unit of output (public goods/products and
services) must have a standard cost which should be compared
with the actual cost to obtain the difference. Ordinarily, the DBM
should develop standard costs with the agency for duly approved
units of work measurement for each agency‟s budgetary projects
or activities. These standard costs should be compared with the
actual unit costs and utilized in the evaluation of agency budgetary
performance.121 In the absence of a standard cost, the agency
must set up a standard or predetermined cost before the start of
each undertaking. Said cost will be made as reference in
determining irregular, unnecessary, excessive, extravagant or
unconscionable expenditures.
In analyzing operational performance, it is important to:
(1) Determine the relevant operational performance measures for

evaluation based on discussions with the DS/HoA or
GB/AuditCom;
(2) Determine the frequency of reporting operational

performance, the intermediary goals, and whether or not
improvements have been introduced as a result of the
performance review as part of monitoring their own
performance;
(3) Determine whether or not measures are in place to ensure

compliance with laws, rules, regulations and managerial
policies within the operational level or of the sector;
88
(4) Assess the relative position of the organization, comparing
one or more of the following:
(a) Current performance to target;

(b) Current performance to past performance; and
(c) Current performance to others in the sector (or similar
organizations).
Any indication of performance below expectation

(target/previous year/sectoral indicator/average) is a cue to
the IAS/IAU that an operations audit is necessary, by working
back from outcome to output to implementation
(process/input) to policy formulation. The objective is to
determine the root cause of deficiencies, if adequate
resources are in place to achieve goals, if responses to risks
are beneficial, if controls are imbedded in the operational
procedures, and to check compliance with standards.
(5) Prepare a preliminary summary and assessment of the

programs/projects which should be included in the baseline
assessment report/control universe noting weaknesses, gaps,
deviations and processes that are potential areas for the
audit.
c. Review the Key Processes and Performance in the Support

System
The objective of the review is to document controls in key

processes of the support systems within the organization/sector
that are critical to the achievement of the control objectives. This is
to determine compliance with controls put in place and to identify
gaps, deficiencies or breakdown for potential inputs to the strategic
plan. The processes include support systems to operations, e.g.,
administrative, finance, budget, planning, technical support
systems.
As previously indicated, the criteria for the selection of key or

critical processes can include the following:
i. A process with an output that is an input to a major final output;

ii. A process that comprises significant control procedures; and
iii. A process where the financial value of inputs are high.
This also includes a review of the performance of the support

systems such as procurement, personnel, accounting, budgeting,
quality management and risk management. The objective is to
identify and understand the network and linkages of support
services to the operating units; or determine whether adequate
controls are in place in providing the needs of the operating units
for logistics, funds, and personnel (e.g., review of the controls in
89
the procurement system or in the hiring of personnel). The review
is expected to identify strengths and weaknesses, sources of
problems, and potential problem areas.
This may include a query on the structure, personnel qualifications

and performance, and processes of the office of primary
responsibility to determine compliance with prescribed methods
and procedures; the presence of a manual of operations, and a
review of the level or extent of compliance. Support services‟
performance is profiled, then efficiency and effectiveness are
evaluated in terms of quantity and quality, and compared against
norms and targets. If any activity within the support unit has no
output, it may be eliminated.
This also involves interviews of key persons responsible in the

operating units to determine the opinions and attitudes that key
people outside the support unit have about the services delivered
and whether or not needs are served. While many criteria can be
measured quantitatively, the IAS/IAU has to use sound judgment
and objectivity when evaluating issues (quality) that cannot be
measured.
d. Review of Controls in a Computerized Environment
In public service organizations operating in an information

technology (IT) environment, the IAS/IAU should consider the
criticality of the control processes in place in the IT operations.
The objective of internal audit in a manual system does not

change in a computerized environment, that is, assessing the
adequacy of controls embedded in the computerized program.
This involves reviewing the general and application controls.
Controls in a computerized environment consist of two broad
groupings.
i. Review of General Controls
“General controls are the structure, policies and procedures

that apply to all or a large segment of an entity‟s information
system (IS) and help ensure their proper operation. They
create the environment in which application systems and
controls operate.”122
90
The International Organization of Supreme Audit Institutions
(INTOSAI) identified major categories of general controls:
(1) Entity wide security program planning and management

provide a framework and continuing cycle of activity for
managing risks, developing security policies, assigning
responsibilities, and monitoring the adequacy of the
entity‟s computer-related controls.
(2) Access controls limit or detect access to computer

resources (data, programs, equipment, and facilities),
thereby protecting these resources against unauthorized
modification, loss, and disclosure. Access controls include
both physical and logical controls.
(3) Controls on the development, maintenance and change of

application software prevent unauthorized programs or
modifications to existing programs.
(4) System software controls limit and monitor access to the

powerful programs and sensitive files that control the
computer hardware and secure applications supported by
the system.
(5) Segregation of duties implies that policies, procedures

and an organizational structure are established to prevent
one individual from controlling all key aspects of
computer-related operations and thereby conduct
unauthorized actions or gain unauthorized access to
assets or records.
(6) Service continuity controls help to ensure that when

unexpected events occur, critical operations continue
without interruption or are promptly resumed and critical
and sensitive data are protected.
ii. Review of Application Controls
“Application controls are the structure, policies, and procedures

that apply to separate, individual application system, and are
directly related to individual computerized applications. These
controls are generally designed to prevent, detect, and correct
errors and irregularities as information flows through
information systems.”123
Application software is the software that processes and

understands data with reference to the transaction. The
application software could be a payroll system, an inventory
system, or a billing system. The rules pertaining to the systems
and processes are implemented in the application software.
91
“Application controls and the manner in which information flows
through information systems can be categorized into three
phases of a processing cycle:
(1) Input - data are authorized, converted to an automated

form, and entered into the application in an accurate,
complete, and timely manner;
(2) Processing - data are properly processed by the computer

and files are updated correctly; and
(3) Output - files and reports generated by the application

reflect transactions or events that actually occurred and
accurately reflect the results of processing, and reports
are controlled and distributed to the authorized users.”124
1.1.2 Flowchart/Narrative Notes and Walkthrough
The critical operational/support processes may be documented and

analyzed using flow charts and walkthrough, among the array of
methods and techniques, to identify and understand their key
activities. A narrative note shall be added to be more descriptive of
the process. The DS/HoA or GB/AuditCom control structure such as
policies, guidelines, feedback mechanism, reportorial requirements,
monitoring and evaluation should also be understood because it
significantly influences the effectiveness of management controls. If
flowcharts are available, the IAS/IAU should make use of them.
System/process flowcharts and system/process narratives should be
evaluated by the internal auditor subject to validation/walkthrough.
a. A process map or flowchart is an analytical technique used to

document a system in a clear, concise and logical manner,
showing the flow of documents thru various steps and actions from
its origin up to the final disposition.
It is used to illustrate by means of symbols, the procedures, forms,

records and reports handled by each position, and charts the flow
of forms, records and reports by each position and from one
position to another.
A flowchart shows the series of procedures and their inter-

relationships, identifies the major controls and aids in the review of
the system.
92
It is a workflow diagram in a graphic representation of all the major
steps of a process. It helps visualize the process and therefore
facilitates an analysis of the operation and assists in identifying
inefficiencies, overlaps and duplications/missing procedures and
control weaknesses. It helps the auditor:
i. Understand the complete process;

ii. Identify the critical stages of a process;
iii. Locate problem areas;
iv. Show relationships between different steps in a process; and
v. Evaluate/test controls, where an audit impact has been
identified.
Elements of a Flowchart
(1) Heading - Name of Organization

- Title of System (being documented)
- Existing Procedural Flowchart
(2) Area of Responsibility - defines the organizational unit and

the position or name of personnel responsible for the
procedures being charted
(3) Symbols - used to show predefined items, steps and actions.

The IAS/IAU should adopt and follow standard symbols for
uniformity.
Guidance on flowcharting, including the standard flowchart format

and symbols can be found in PNS ISO 5807:2004 – “Information
processing – Documentation symbols and conventions for data,
program and system flowcharts, program network charts and
system resources charts”. Commonly used flowcharting symbols
are provided in Appendix D of this Manual.
b. Narrative notes provide a step-by-step description of the auditee‟s

major systems or operations. It contains a narrative explanation of
certain items that cannot be adequately described by the flow. A
narrative statement may be made regarding the existing internal
controls of the agency. The primary purpose of preparing narrative
notes is to identify key control activities. Information for preparing
narrative notes may be obtained through interviews, observations,
review of procedures, manuals and other system documentation.
The notes should include all significant parts of the process,
especially the control points, the names and positions of the
people performing the actions and taking decisions, and the timing
of such actions.
93
c. The internal auditor must conduct a walkthrough test after
documenting the auditee‟s processes. This involves following one
or two transactions or activities step-by-step through the process
from beginning to end. From a control standpoint, a walkthrough is
simply the act of tracing the identified significant controls in a
transaction through organizational records and procedures – a
practical approach to learning how a process works and
determining whether or not the policies have been communicated
and implemented. In a walkthrough, the auditor traces a
transaction from its origin through the agency's information
systems, until it is reflected in the reports.
The auditor's primary objective when performing a walkthrough is

to develop an understanding of the transactions flow – that is, how
transactions are initiated, processed, authorized, recorded, and
reported. It is a technique for validating the understanding of the
system/process and verifying the accuracy of the flowcharts,
narratives and other documentations. The critical information that
the validated procedures can provide are as follows:
i. An understanding of the transaction flow and control design,

particularly with respect to controls that may help prevent or
detect fraud and error;
ii. A determination of whether or not controls have been designed
effectively and actually placed in operation; and
iii. An identification of areas in the organizational processes
where fraud or error might occur.
When performing a walkthrough, the auditor may find that some

processes having control significance were inadvertently omitted in
the flowcharts or narrative notes. Such exceptions or deviations
disclosed during the walkthrough are validated through
triangulation by reviewing other transaction/s, reviewing other
documents, and/or interviewing the personnel concerned, and
documenting the same in a working paper. Such deficiencies in
the flowcharts prepared by the functional units and their root
causes serve as inputs to the interim report, and appropriate
recommendations are addressed to the DS/HOA/GB or AuditCom
to enable the same to direct the responsible offices having
supervision over the process owners/functional units to address
the gaps. The recommendations should not merely include the
updating of the flowcharts by the functional units by, example,
adding additional steps, but to hold accountable the next level in
the hierarchy for failure of supervision.
94
1.1.3 Test of Controls
An understanding of the ICS is obtained during the strategic planning.

In order to gather initial evidence on the presence of key controls in
place (“YES” answers in ICQ) which have been identified by auditees,
a test of controls is performed in one or two transactions after making
a flowchart/narrative notes and walkthrough to determine if controls
are actually present or to determine conformance. If the control turns
out to be a gap or if the control is not present or is deficient, the
IAS/IAU issues an interim report on the gap or control
deficiency/breakdown by the operating or support units. Positive
results of the test of controls go to the control universe and will
eventually be included in the baseline assessment report.
A test of controls includes a physical observation of the actual

transactions involving the internal control procedures being
performed, evaluation of evidence that the control procedures were
performed (and performed at the appropriate time), and inquiry about
how and when the procedures were performed. Test of controls reveal
what is going on and how, and whether or not what are purported to
exist corresponds to reality. They may involve touring facilities/site
visits, reviewing processes, flow of materials and documents.
The tools/working papers that may be used in the test of controls are
the:
a. Statement of Control Attributes (SCA) - This document

summarizes the selected control attributes/features in the ICQ that
will be subject to test;
b. Walkthrough Working Paper - This document summarizes the

control attributes/features in the flowchart that will be subject to
test.
c. Test of Control Working Paper (TCWP) – This working paper is

used to document the conduct of the actual test of controls where
documents representing the selected transactions are examined to
verify whether or not the control attributes perceived to be in place
are actually present or to determine conformity.
d. Summary of Gaps (SoG) – Based on the TCWP, this document is

used to summarize the deviations noted from the conduct of the
test of controls. The deviations indicate breakdowns or gaps in
controls.
95
1.1.4 Interim Report
The Interim Report contains the following:
a. Gaps or control deficiencies/breakdowns noted during the

documentation of the components of the ICS and the key
processes in the operating and support systems;
b. Gaps or control deficiencies/breakdowns found out after

conducting a flowchart, preparing narrative notes and conducting a
walkthrough; and
c. Gaps or control deficiencies/breakdowns after conducting a test of

controls.
The gaps or control deficiencies/breakdowns are subjected to a root

cause analysis and the preliminary recommendations should form part
of the interim report. A summary of the interim report will be included
in the baseline assessment report.
For guidance on how to determine if a deficiency is significant, a

weakness is material, or when a combination of significant
deficiencies becomes material weaknesses, the following definitions
are to be used:
i. A control deficiency exists when the design or operation of a

control does not allow management or employees, in the normal
course of performing their assigned functions, to prevent or detect
fraud or error on a timely basis.
ii. A deficiency in design exists when a control necessary to meet the

control objective is missing or an existing control is not properly
designed, such that even if the control operates as designed, the
control objective is not always met.
iii. A deficiency in operation exists when a properly designed control

does not operate as designed, or when the person performing the
control procedure does not possess the necessary authority or
qualifications to perform the same.
A significant deficiency is a control deficiency (or a combination of

control deficiencies) that adversely affects the agency's ability to
initiate, process, authorize, record, or report data reliably such that
there is more than a remote likelihood that an error that is more than
inconsequential will not be prevented or detected. The term “remote
likelihood” is defined as when the “chance of the future events or
events occurring is slight.” Thus, the likelihood that an event is “more
than remote” is when it is either reasonably possible or probable.
96
A material weakness is a significant deficiency, or a combination of
significant deficiencies, that results in more than a remote likelihood
that fraud or error will not be prevented or detected.
1.1.5 Defining Control Universe
Before defining the Control Universe, the IAS/IAU should validate

understanding with the unit concerned. This is to verify the IAS‟/IAU‟s
complete and accurate understanding of the control components and
key processes, and to validate this understanding. This step is
important to corroborate initial results as it gives the opportunity to
obtain a buy-in that the audit will be focused on the important
organizational/sectoral concerns. This step may be formal or informal.
The positive results of the test of controls will be an input to the

Control Universe (CU). The CU is a list of all auditable areas which
shall be an input to the baseline assessment report, included in the
strategic plan and will be prioritized in the formulation of the annual
work plan. Aside from the CU, other sources to be considered in
strategic planning are the results of the review of oversight bodies and
international development partners.
1.1.6 Review of Oversight Bodies and International Development

Partners
This includes results from the evaluation reports of various monitoring

and oversight bodies like the Department of Budget and Management
(DBM), Commission on Audit (COA), National Economic and
Development Authority (NEDA), Office of the President (OP), Civil
Service Commission (CSC) and Office of the Ombudsman (OMB).
This also includes the review made by international development
partners working with the Philippine government such as the United
Nations Disarmament Commission (UNDC); United Nations Transition
Assistance Group (UNTAG) (e.g., millennium development goals);
Australian Agency for International Development (AusAID) (e.g.,
Philippines – Australia Country Assistance Strategy); World Bank‟s
Improving Public Expenditure Management Project); and Asian
Development Bank (ADB).
The aim is to identify gaps or control deficiencies/breakdowns that

need to be considered in the baseline assessment report and in
prioritizing internal audit activities.
1.1.7 Preparation of the Baseline Assessment Report (BAR)
The BAR summarizes the gaps and control deficiencies/breakdowns

resulting from the baseline assessment of the ICS. This report can be
used in the next assessment to determine improvements from where
it came from to the current condition. Issues not captured in the report
should be lessons learned to be included in the next assessment. The
97
report includes a summary of the interim report which contained the
gaps or control deficiencies/breakdowns, root cause analysis, and
recommended courses of actions. The BAR also includes the Control
Universe and the results of the review of oversight bodies and
international development partners.
The parts of the report include an executive summary; objectives,

scope and methodology; detailed findings and recommendations on
each internal control component; overall findings (which includes a
summary of the interim report; control environment and results of
review of oversight bodies and international development partners);
and attachments. The detailed findings portion discusses the results
of the assessment of the five components of internal control. The
findings are supported with at least three methods of assessment, the
results of which corroborate each other.
1.2 Consider Control Significance and Materiality and Control Risk of Key
Processes
After the baseline assessment of the ICS, the IAS/IAU also considers the
control significance and materiality and control risk of key processes of the
operating and support systems to achieve the control objectives as illustrated
in Figure 14 below:
• Control
significance
Control Objectives Controls and
materiality
• Control Risk
1) Safeguard Assets
Operating NO Not prioritized in
2) Check Accuracy & System-Key the strategic and
Reliability of processes annual work plan
Accounting Data
3) Adherence to
Managerial Policies
Support Assessment for
4) Compliance w/ LRP internal audit risk
System-Key
processes YES
5) Ensure 4Es of
Operations
Figure 14 - Control Significance and Materiality and Control Risk Flow

Diagram
98
1.2.1. Control Significance and Materiality Level
Significance is considered in terms of quality and is based on a

process‟ possible impact on the control objectives.
Materiality is quantitative and is often considered in terms of value or

the relative importance of an amount. The materiality level may or
may not be set based on a specific amount. Information is material if
its omission or misstatement could affect the control objectives. It
depends on the nature and size of the item or error judged in
particular circumstances.
This involves the following steps:
a. Assess the significance level taking into account qualitative

factors, including cumulative effects of errors, legal and regulatory
requirements;
b. Assess the materiality level taking into account quantitative factors

and nonfinancial items that, independent of the amount, may
impact on the achievement of the control objectives, e.g., legal and
regulatory requirements; and
c. Identify controls in the potential audit areas (controls in the

organization and those embedded in the system).
1.2.2. Control Risk Level
Generally, the units responsible for addressing risks must make the
assessment of their own risks. Control risk assessment is primarily
performed by top management as part of its regular functions. As
control risk owners, they should have identified and initiated measures
to modify the material and significant control risks, based on
probability and impact, before the auditors begin an audit.
In like manner, operations risks are the responsibility of the operating

units. Thus, assessment of risks at the operational level must be done
by the operating units themselves. Neither the auditors nor anyone
else not involved in a particular operation can perform operational risk
assessment.
99
However, as opposed to operations risk, for purposes of planning and
prioritizing potential audit areas, the IAS/IAU will have to conduct risk
assessment on the identified material and significant controls where
there may be high risk of impact on key processes of operating and
support systems. This involves the following steps:
a. Conduct risk assessment on the identified material and significant

controls where there may be high risk of impact on key processes
of operating and support systems;
b. Determine those controls that are vulnerable to be omitted, being
improperly implemented or bypassed.
1.3 Assess Internal Audit Risks
The IAS/IAU also focuses its auditing efforts based on the assessment of
internal audit risks illustrated in Figure 15 below:
Functions Process for managing risk Risk
1. Advise the DS/GB/AuditCom on all

matters relating to management control Not
and operations audit; prioritized in
the Strategic
Establishing the and Annual
2. Conduct management and operations context
performance audit of the Department/ Plan
Agency/GOCC/GFI activities and their HIGH
units and determine the degree of Risk assessment
compliance with their mandate, policies,
Communication and consultation
government regulations, established

objectives, systems and procedures/ Risk identification Monitoring and review
processes and contractual obligations;
3. Review and appraise systems and

procedures/processes, organizational
structure, assets management practices,
financial and management records, Risk analysis
reports and performance standards of the
agencies/units covered;
4. Analyze and evaluate management

deficiencies and assist top management Risk evaluation
LOW
by recommending realistic courses of
action; and Strategic
Plan and
5. Perform such other related duties and
Annual Work
responsibilities assigned or delegated by
the Secretary/Head of Agency or the Risk treatment Plan
Governing Board, thru the Audit
Committee, or as may be required by law.
Figure 15 – Assessment of Internal Audit Risk Flow Diagram
Internal audit risks are those risks or factors which may affect the conduct of
the audit and may have an impact on the planned results without neglect and
inspite of the exercise of due diligence, e.g., sudden change in political
leadership/administration, replacement of the principal, natural calamities,
judicial findings and decisions which may affect audit objectives.
100
1.3.1 IAS/IAU Audit Objectives
The IAS/IAU assesses internal audit risks which will impact on its
functions (audit objectives) to:
a. Give an appropriate advice to the DS/HoA or GB/AuditCom on all

matters relating to management control and operations audit;
b. Properly conduct management and operations audits of the

Department/Agency/GOCC/GFI activities and their units and
determine the degree of compliance with their mandate, policies,
government regulations, established objectives, systems,
procedures/processes and contractual obligations;
c. Review and appraise systems and procedures/processes,

organizational structure, assets management practices, financial
and management records, reports and performance standards
(such as budgets and standard costs) of the agencies/units
covered;
d. Analyze and evaluate management deficiencies and assist top

management by recommending realistic courses of action; and
e. Perform such other related duties and responsibilities as may be

assigned or delegated by the Secretary or the Governing Board
through the Audit Committee, or as may be required by law.
1.3.2 Steps in the Assessment of Internal Audit Risks
Assessment of internal audit risks involves the following steps:
a. Risk identification
i. Choose the risk identification method/s or technique/s to be

used;
ii. Identify risk sources and events; and
iii. Identify the causes of the risk.
b. Risk analysis
i. Choose the risk analysis method/s or technique/s to be used;

ii.Determine the consequences for the identified risks;
iii.
Determine the probabilities for the identified risks;
iv.Identify the factors that could affect the consequences and
probability; and
v. Determine the level of the risks.
101
c. Risk evaluation
i. Compare the estimated levels of the risks with the risk criteria;
and
ii. Determine whether or not the risk or its magnitude is
acceptable or tolerable.
1.4 Formulate Strategic Plan
The Strategic Plan consists of the

three-year direction of the IAS/IAU
Components of the
Strategic Plan considering the results of the baseline
assessment of the ICS of the
• IAS objectives
organization/sector, the control
• Methodology significance and materiality and
• Organizational strategic control risk of key processes, and the
environment
• Fraud and errors assessment of internal audit risks.
• IAS management strategies The IAS/IAU prepares the proposed
• IAS work strategies and audit
coverage
three-year direction of the internal
• Allocation of resources audit activities for approval by the
• Performance measures DS/HoA or the GB/AuditCom.
• Review of Strategic Plan
1.4.1 Steps in the Formulation of a Strategic Plan
The formulation of a Strategic Plan involves the following steps:
a. Analyze the results of the BAR;
b. Evaluate the result of the assessment of the significance and

materiality and the risk involved in the identified controls that may
impact on the achievement of control objectives, if omitted,
improperly implemented and/or bypassed; and
c. Evaluate the result of the assessment of internal audit risks.
1.4.2 Components of a Strategic Plan
The Strategic Plan shall consist of the following components:
a. IAS/IAU Objectives
This section provides a statement of the broad audit objectives

and directions for internal audit over a three-year period, including
the limitations. It focuses on both audit and management goals
and is consistent with organization/sector policies and guidelines.
102
b. Methodology
This section outlines the approach in developing the plan,

consisting of the conduct of the baseline assessment of the ICS,
consideration of the control significance and materiality and control
risk of key processes in the operating and support systems,
assessment of internal audit risks, and consultation with the
principal, constituents or public it serves, and key stakeholders.
c. Organizational Strategic Environment
This section identifies issues and trends relevant to the

organization which may impact on the achievement of the
organization‟s objectives. Such issues could come from a number
of sources including:
i. Governance, organizational structure, roles and

accountabilities;
ii. Policies, objectives, and strategies that are in place to
achieve the organization‟s objectives;
iii. Capabilities, understood in terms of resources and
knowledge;
iv. Information systems, information flows and decision making
processes;
v. Relationships with, and perceptions and values of,
stakeholders;
vi. Organization‟s culture;
vii. Standards, guidelines and models adopted by the
organization;
viii. Form and extent of contractual relationships;
ix. social and cultural, political, legal, regulatory, financial,
technological, economic, natural and competitive
environment, whether international, national, regional or local;
and
x. Key drivers and trends having impact on the objectives of the
organization.125
This is derived from a review of key strategic and other planning

documents and discussions with the DS/HoA or GB/AuditCom,
senior executives, other public sector organizations, the public
they serve, and key stakeholders.
The aim of this section is to demonstrate that internal audit has a

good understanding of the organization and the sector operations,
what is planned for the future and how the work undertaken by
internal audit will assist the organization achieve its objectives.
103
d. Fraud and Errors
The primary responsibility for establishing and maintaining control

rests with the DS/HoA or GB/AuditCom and the organization‟s
personnel. Management has a responsibility to establish and
maintain an effective control system to prevent fraud and error.
Fraud encompasses an array of irregularities and illegal acts

characterized by intentional and unintentional deception. It can be
perpetrated to the detriment of the organization and by persons
outside, as well as inside, the organization.
The IA should have sufficient knowledge to identify the indicators

of fraud but it is not expected to have the expertise of a person
whose primary responsibility is detecting and investigating fraud.
The IA should be alert to opportunities that could allow fraud,
evaluate the need for investigation, and notify the appropriate
authorities. The IAs have a responsibility to exercise "due
professional care".
A well-designed ICS should not be conducive to fraud and error.

The functional units, not the IAS/IAU, are responsible for the
deterrence and detection of fraud and error. The IAS/IAU,
however, may determine whether or not:
i. The organizational environment fosters control consciousness;

ii. Realistic organizational goals and objectives are set;
iii. Written policies (e.g., code of conduct) exist that describe
prohibited activities and the action required whenever violations
are discovered;
iv. Appropriate authorization policies for transactions are
established and maintained;
v. Policies, practices, procedures, reports, and other mechanisms
are developed to monitor activities and safeguard assets; and
vi. Communication channels provide management with adequate
and reliable information.
When an IA suspects wrongdoing, prompt recommendations need

to be given to management and to the DS/HoA or GB/AuditCom
to establish or enhance cost-effective controls to help deter
fraud. The IA may recommend whatever investigation is
considered necessary in accordance with law, given the
circumstances.
104
e. IAS/IAU Management Strategies
This section describes the IAS‟/IAU‟s three-year management

strategy to achieve its broad audit objectives described earlier
considering the emerging trend in the sector. The strategies,
detailed into plans and approaches, should: (1) address short and
long term direction focused on the audit needs of the sector; and
(2) describe the capabilities and resources, both dictated by the
assessment of internal controls.
Examples of management strategies include:
i. Changes in work practices and enhancement of audit

methodologies to ensure that internal audit meets the needs of
its publics and delivers value for money;
ii. Review of the internal audit professional development program
to address new trends in audit;
iii. Development or introduction of new audit technology;
iv. Benchmarking exercises or external reviews, as may be
deemed appropriate;
v. Introduction of secondment programs aimed at augmenting the
capacity of the IAS/IAU; and
vi. Skilled and experienced staffing resources to deliver the
internal audit annual work plan.
f. IAS/IAU Work Strategies and Audit Coverage
This section describes the major focus of the audit function and any
audit related activity over the three-year period; and any change that
is required to ensure that the audit plan and other activities remain
relevant to the strategic direction of the organization/sector.
The section clarifies the audit coverage, as follows:
i. The focus of the audit prioritized from the baseline assessment of

the ICS, consideration of the control significance and materiality
and control risk of key operating and support processes, and
assessment of internal audit risks.
ii. The audits proposed to be conducted over a three-year period

categorized into compliance, management and operations audits,
containing the following:
(1) Audit area;

(2) Site; and
(3) Priority.
iii. Rationale on the greater need for compliance, management or

operations audit.
105
For transparency in the prioritization of the audit coverage,
potential audit areas are calculated by assigning scores to the
controls as to consequence and probability (or the total impact).
Those controls with the highest impact shall be covered in the
audit and included in the three-year audit plan. The IAS/IAU may
further formulate criteria on which offices/units may be included in
audit, such as offices/units/system with the biggest budget, least
achievement, or with the most adverse findings reported by the
external auditor and oversight bodies.
A sample of a proposed audit coverage for management audit is

provided in Table 5 below:
Table 5 - Example of a Management Audit Coverage
Department of Education
YEAR 1 YEAR 2 YEAR 3
Audit Area Site Audit Area Site Audit Area Site
Controls in Selected Controls in the Selected Controls in Selected
the Regional payroll system Regional the bureaus
procurement Field Units – Field Units performance and
system Procuring (frontline evaluation agencies
Entities units) system
A sample of a proposed audit coverage for operations audit is

provided in Table 6 below:
Table 6 - Example of an Operations Audit Coverage
YEAR 1 YEAR 2 YEAR 3
Audit Area Site Audit Area Site Audit Area Site
Output Selected Input - process - Selected Outcome Selected

evaluation of regional output evaluation regional evaluation of the regional
public offices of the alternative offices national learning offices
secondary learning system of pupils enrolled
education services in secondary
services education
106
g. Allocation of Audit Resources
This section details the relative allocation of financial and human

resources between audit, audit support and any audit related activity
over the life of the plan, including the previous year, for comparative
purposes.
Other options include showing the allocation of resources between the

different types of audit, organizational units and/or geographical
locations. Details may be provided in tabular or graphic form.
h. Performance Measures
This section lists the performance measures of the IAS/IAU that are
used to measure the performance of internal audit and any change in
measures or targets over time.
i. Review of the Strategic Plan
This section describes the timeframe and arrangements for the review
and update of the plan. The plan covers a three-year rolling period
and needs to be reviewed iteratively.
It is developed by the IAS/IAU and approved by the DS/HoA or

GB/AuditCom, as appropriate.
2. Prepare the Annual Work Plan
An Annual Work Plan (AWP) contains the prioritized audit areas from the
Strategic Plan and approved by the DS/HoA or GB/AuditCom which will be
focused on during a one-year period, the type and approach of the audit, and the
timelines of the same.
The AWP should include areas for management audit and operations audit. The
audit area can also come from the DS/HoA or GB/AuditCom. In doing so, the
basic frame of reference is the objective established by the organization and the
weight of the expected results from the audit area. If failure to deliver expected
results is attributed to a control deficiency in the system, there is a need to
conduct a management audit. The IAS/IAU should refer to the approved Annual
Work Plan for management audit developed during the strategic planning phase.
As part of strategic planning and developing the AWP, the IAS/IAU may review
the control components for any change, new systems and processes, and the
results obtained on, for example, the top five key audit issues and the
organization‟s priorities.
107
2.1 Prioritize Potential Audit Areas
From the list of controls identified in the Strategic Plan, the IAS/IAU
categorizes by process the control methods and measures of the operating
and support units/systems, into potential audit areas/topics.
The following steps shall be made in prioritizing potential audit areas:
a. Validate the Baseline Assessment Report (on the 2nd and 3rd year);
b. Update consideration of the control significance and materiality and

control risk assessment (on the 2nd and 3rd year);
c. Update the internal audit risk assessment (on the 2nd and 3rd year); and
d. Prioritize the potential audit areas.
Of the three-year strategic plan, the IAS/IAU schedules the prioritized audit
areas into three annual plans or AWPs, subject to the approval of the
DS/HoA/GB/AuditCom. The IAS/IAU then prepares the Audit Engagement
Plan which focuses on the specific audit areas prioritized for the year. An
example of an audit focus is shown in Table 7. In case the allocated budget
is insufficient, the IAS/IAU should strategically source augmentation of
resources.
108
Table 7 - Example of Audit Focus/Foci for One Period
Audit Foci – Year 1
Audit Area Audit Audit Expected Area Priority Estimated Estimated
Type Description Benefit Responsible Duration Start
Bureau of 1 30 WD Jan 15
Controls in M Appraisal of Raise Elementary
the a A the existing recommendation Education
Procurement n u controls on the (BEE)
System a d in the controls to Bureau of 2 30 WD Jan 15
g i procurement ensure that Secondary
e t system the procurement Education
m system will be (BSE)
e observed and Bureau of 3 30 WD April 15
n satisfy citizens‟ Technical
t needs and and Voca-
expectations tional Edu-
cation
(BTVE)
Bureau of 4 30 WD April15
Physical
Education
And
School
Sports
(BPESS)
National 5 30 WD July 15
Book Deve-
lopment
Board
(NBDB)
National 6 30 WD July 15
Council for
Children‟s
Television
(NCCT)
Region V – 1 30 WD Aug. 15
Output O Validation of Raise Bicol
evaluation of p A the recommendation Region III 2 30 WD Aug. 15
the e u effectiveness to ensurethe Region XI – 3 30 WD Sept.15
secondary r d of the public effectiveness of Davao
education a i secondary the public Region
services t t education secondary Region II – 4 30 WD Oct 15
i services education Cagayan
o services Valley
n Region VI – 5 30 WD Oct 15
s Western
Visayas
CAR 6 30 WD Nov.15
109
2.2 Validate Previous Audit Follow-up Report
In the preparation of AWP, auditors should take into consideration previous

audit follow-up reports in order to validate the implementation/ non-
implementation/inadequate implementation by the units concerned of the
approved actions and recommendations. The steps involved are as follows:
a. Validate the report of the non-implementation/inadequate implementation

of preventive/corrective actions;
b. Validate the report of justification for the non-implementation/ inadequate

implementation of actions; and
c. Validate the recommendations for possible legal/management action for

the non-implementation/inadequate implementation of preventive/
corrective actions
2.3 Discuss with the DS/HoA or GB/AuditCom
The HoIA should present and discuss the Strategic Plan and Annual Work
Plan with the DS/HoA or GB/AuditCom. The objective is to obtain a good
understanding of the insights of the DS/HoA or GB/AuditCom on the
organizational and sectoral objectives. It also allows the IAS/IAU to focus on
important issues throughout the planning process and audit. Finally, the
HoIA should obtain the approval of the Strategic Plan and the Annual Work
Plan by the DS/HoA or GB/AuditCom.
3. Summary
The significance of the strategic and annual work planning is to identify and
prioritize potential audit areas where controls are claimed by auditees to be in
place based on the results of the baseline assessment of the ICS. Before this can
be achieved, the IAS/IAU needs a thorough understanding of the internal control
components of the public service organization as a going concern in the context of
the sector. The assessment also includes a review of the operating and support
units/systems with all their coordinate methods and measures.
On the other hand, all the gaps or control deficiencies/breakdowns are contained
in the interim report and summarized in the Baseline Assessment Report and
recommendations are offered at the level of the DS/HoA/GB or AuditCom. The
gaps or control deficiencies/breakdowns where courses of actions have been
recommended are critical and should form part of the ensuring year‟s Audit Plan
to determine if recommendations have been implemented.
The three-year Strategic Plan is prepared based on the information gathered

during the baseline assessment of the ICS, consideration of the control
significance and materiality and control risk of key processes in the operating and
support systems, and assessment of internal audit risks geared towards observing
IAS/IAU audit functions (objectives), and directions for internal audit over the
110
three-year period. It focuses on both audit and management goals and is
consistent with organization/sector policies and guidelines. This Plan needs to be
updated iteratively for changes occurring in the control component of the
organization.
The Strategic Plan is developed from the prioritized audit areas contained in the
control universe and the results of the review of oversight bodies and international
development partners, and incorporated in three Annual Work Plans. The IAS/IAU
then prepares the Audit Engagement Plan for the first year, which is explained in
the succeeding chapters. The possible audit areas for the second and third year
audit plans are updated and/or revised when necessarily affected by the changes
occurring in the control component, and should include gaps or control
deficiencies/breakdowns where courses of action have been recommended.
The Strategic and Annual Work Plans are a matter of agreement between the
DS/HoA or GB/AuditCom and the HoIA. The approval of the plans by the DS/HoA
or GB/AuditCom gives the go signal for the IAS/IAU to plan the audit engagement.
111
CHAPTER II
AUDIT PROCESS
112
1. The Audit Process
The Audit Process is divided into four phases, namely: audit engagement
planning, audit execution, audit reporting, and audit follow-up. See Figure 16. This
audit process is applicable for both management audit and operations audit. For
each phase, there are specific criteria to ensure a successful audit engagement.
Audit Engagement Planning
Audit Execution
Audit Reporting
Audit Follow-up
Figure 16 – Audit Process Flow Diagram
1.1 Audit Engagement Planning
Audit requires good planning. Planning entails familiarization with the

objectives, processes, risks and controls of the auditee and activity to be
audited, and developing a strategy and approach in conducting the audit. It is
the most important part of the audit as the success of an audit depends on
how well it has been planned.
Planning is an iterative process with the following important purposes:
a. Understanding the control environment and the organization;

b. Outlining the scope and objectives of the audit;
c. Establishing the basis for budgeting (time, cost, personnel);
d. Identifying the evidence required to develop the audit findings;
e. Assisting in choosing/determining the audit procedures (nature, extent
and timing); and
f. Establishing the basis for coordinating the staff.
Audit engagement planning is the third stage of planning, after strategic

planning and annual work planning. It involves the listing down of audit
activities per audit engagement based on the AWP. The results of the
strategic planning shall be validated to determine if there are relevant
changes in the control component, systems and processes.
113
A key aim in planning an audit should be to complete the audit in the least
time necessary, without compromising its quality. It is therefore important
that in planning and scoping audits, audit effort and resources are directed to
the key issues that matter most.
Figure 17 summarizes the steps involved in Audit Engagement Planning.
PLANNING What to Audit
1. Document understanding
How to Audit of the
EXECUTION program and project
2. Determine the audit objective, scope
REPORTING andWhat
criteria
andand audit
How toevidence
Report
3. Determine the resource required for the
audit and the target milestone/dates
4. DevelopWhat to Follow-up
the audit plan and audit
program
5. Determine the Key Performance
Indicators (KPIs) of the audit
engagement
6. Secure approval of the audit plan and
audit work program and KPIs
FOLLOW-UP
Figure 17 – Audit Engagement Planning Flow Diagram
1.1.1 Document Understanding of the Program and Project
Audit engagement planning starts from an understanding of the

organizational mandate and focusing on what areas will be audited. It
involves the selection of specific internal controls and focusing on the
degree of compliance with laws, regulations and policies of specific
program/project/ system/process for evaluation; evaluation of the
control effectiveness; and determination of whether or not operations
are conducted economically, efficiently, ethically and effectively.
Specifically, for Management Audit, engagement planning starts from

an understanding of the management controls to be audited. This is
important considering that the main objective of management audit is
to evaluate the effectiveness of management controls. Management
controls are internal controls. They consist of the controls interwoven
into and made an integral part of each operating and support system
that management uses to regulate and guide its operations.
114
The audit plan should be based on a sound understanding of the
internal control system, operating and support systems and
processes.
For Operations Audit, engagement planning starts from an

understanding of the organizational mandate. The IAS/IAU should
understand the objective of the organization and focus on what output
or outcome will be audited. It involves the selection of a specific
activity and focusing only on a specific program/project/process for
evaluation, being concerned with the economy, efficiency, ethicality
and effectiveness of operations. The audit plan should be based on a
sound understanding of the objectives, accountability, internal control
system, and operating and support processes.
A program refers to the functions and activities necessary for the

performance of a major purpose for which a government agency is
established. A program consists of an organization/agency‟s
functions, projects, systems, and processes. An activity is auditable if
it transforms an input to an output. It may be an implementing or a
monitoring activity or a process in itself as an input to another
process.
A project means a component of a program covering a homogeneous

group of activities or processes needed that result in the
accomplishment of an identifiable output to be carried out within a
definite time frame.
In Operations Audit, there are drawbacks that may often be

encountered. The IAS/IAU should then come up with
recommendations. The common drawbacks may be as follows:
a. Program objectives are not clear enough; a policy review has to be

recommended;
b. Measurement systems are inadequate (effectiveness measures

are often subjective, e.g., surveys, feedback and very scientific
bases should not be expected); a restudy of the system may be
recommended;
c. Subject matter is difficult to measure (e.g., effectiveness of an anti-

alcoholism program is very difficult to measure merely by using the
number of patients whose consumption is reduced. Many social
factors blur the evaluation of such a program like degree of family
support); the IAS/IAU may focus its audit on measurable subject
matters;
115
d. Purely systematic review may not be adequate (e.g., effectiveness
of a vocational training program may be measured by the auditee
through % of trainees gaining employment; but the auditor may
have to review what % of the trainees gained employment related
to the training and what % retained their employment); the IAS/IAU
should identify appropriate audit procedures; and
e. Time constraints restrict the auditor; the IAS/IAU should prioritize

audit activities.
1.1.2 Determine the Audit Objective, Scope, Criteria and Evidence
a. Determine Audit Objective
Based on information gathered and analyzed during the

understanding of the program/project, the objective and scope of
the audit can be defined. An audit objective is what the audit aims
to accomplish. This is critical in establishing the scope, criteria,
evidence and approach of the audit. It is normally expressed in
terms of what questions the audit is expected to answer about the
performance of an activity. Ideally, an audit objective would be
consistent with the achievement of the objectives of the
organization/ program/project. Determining the audit objectives
involves the following activities:
i. Preliminary gathering of documents/information;

ii. Identifying the focus of the audit and the aspect of performance
to be examined; and
iii. Determining the type of audit to be performed: (1) compliance
with laws, regulations and policies; (2) evaluation of control
effectiveness; or (3) determination of whether or not operations
are conducted economically, efficiently, ethically and
effectively.
One of the objectives of a management audit is to ascertain if the

operations has its measurement and evaluation system which will
be used to review and improve performance and assess
compliance with laws, rules, methods and procedures.
If the IAS/IAU verifies that such a self-assessment is in place, it
evaluates the components of the performance evaluation system
for adequacy, appropriateness of the measures and reliability of
the reporting, as well as the evaluation result.
If the IAS/IAU verifies that such self-assessment is not in place,

then it assesses the internal control system built in the operating
and support system under audit to determine if there are
compensating controls. The IAS/IAU makes a report on the matter.
116
Audit objectives also relate to why the audit is being conducted. If
controls are weak, the IAS/IAU traces the root cause and
recommends to top management courses of action to address the
deficiency. The IAS/IAU can also recommend further examination
of the underlying issues, or the legal action to take, if conditions so
warrant.
For Operations Audit, the IAS/IAU may choose from any of the
following objectives, or may formulate more which are appropriate
to the results of the audit planning:
i. To determine if the program or project is achieving its target

The IAS/IAU compares the identified performance
accomplishments with the corresponding targets to determine
variances, if any. Variances may be positive/favorable or
negative, which means that targets have not been achieved.
ii. To validate the reported accomplishments of the program or
project as of a certain period from the data source to the
consolidation and preparation of the final report
iii. To assess and gauge the level of achievement of the program
or project objective
For example, in the case of the program of the DepEd, the
audit objective may be: to determine if the expected passing
rate of graduating pupils of 75% is achieved from the given
inputs (such as school buildings and classrooms, textbooks,
curriculum, and number of teachers) using the prescribed
teaching methodologies to attain the desired level of literacy,
function and life skills.
b. Determine the Audit Scope
Audit scope is the framework or limits of the audit. It is normally

defined by stating what the audit intends to cover and the relevant
timeframes.
The steps in determining the audit scope are as follows:
i. Define the parameters and nature of the audit work to achieve

the audit objectives;
ii. Determine the audit tools, techniques and methodology to be
utilized; and
iii. Select the sampling method to be utilized. Discussions on
sampling methods are provided in Appendix F.
117
In Operations Audit, for example, audit scope includes the
determination of which phase of the program or project will be
examined. What will be the duration of the program or project?
What portion of the program or project will be covered in audit?
What will be the sources of information for examination?
To continue the example for the DepEd program, the scope for the
given audit objective may be to: validate the rate of graduating
pupils (information on graduation) covering a schools division in
each city in Metro Manila (coverage) for the school year 2008-
2009 (timeframe) to determine if the expected level of graduating
pupils was attained. This scope can be reduced or expanded
depending on the sampling requirement and the resources
allocated for the audit.
For Management Audit, the scope includes the review and

appraisal of the systems (operating and support) and
procedures/processes, organizational structure, assets
management practices, financial and management records,
reports and performance standards of the agencies/units covered.
An appraisal of the operating and support systems is conducted to

determine whether or not the five different components, i.e.,
control environment, risk assessment, control activities,
information and communication, and monitoring and evaluation,
accomplish each of the five control objectives. Every component
should individually achieve the control objectives.
For example, in the procurement system (as a support system),

the control component can be evaluated for the presence of the
control activities such as, but not limited to:
i. The existence of a Bids and Awards Committee (BAC), BAC

Secretariat, Procurement unit/s and Technical Working
group/s;
ii. The separation of duties of the above entities in procurement;
iii. Participation of observers in all stages of the procurement
process;
iv. Compliance with the rules and regulations on the preparation of
the bids, the invitation to bid, advertising, receipt and opening
of bids, bid evaluation, award, implementation and termination
of the contract.
Moreover, the IAS/IAU does not only check on the presence of

these control components. More importantly, it assesses whether
these activities achieve the control objectives of the organization.
Thus, the IAS/IAU could look for the answers to these questions:
i. Are the control components sufficient to safeguard the assets?

ii. Do they provide accurate and reliable accounting data?
118
iii. Do they adhere to managerial policies?
iv. Are they in compliance with laws, rules and regulations?
v. Do they ensure effectiveness, efficiency, economy and
ethicality of operations?
The IAS/IAU can conclude on the effectiveness of the controls only

when the internal control components achieve all the control
objectives.
c. Determine Audit Criteria and Evidence
Audit criteria are reasonable standards against which existing

conditions are assessed. They reflect a normative condition for the
subject of the audit. These are expectations of the program or
project as to what should be. It includes statutory and/or
managerial requirements; process requirements; and
citizens„ requirements, needs and expectations. To be able to
come up with sound criteria, auditors must:
i. Gather/Identify the standards (laws, regulatory policies) for

audit evaluation;
ii. Set reasonable and attainable standards of performance,
statutory or managerial policies for evaluation; and
iii. Identify pieces of audit evidence required by law and standards
and the approaches to be utilized in obtaining them.
1.1.3 Determine the Resources Required for the Audit and the Target
Milestones/Dates
Careful planning involves the determination of the overall resource

requirements to accomplish the planned audits. This involves
assessing the current staff capability/capacity; technological
resources (e.g., computers, software); financial resources (budget
requirements), among others.
Target milestones/dates for the completion or accomplishment of

critical elements during the audit process should be established to
keep track of the progress of the engagement and check on the
quality of the outputs.
1.1.4 Develop the Audit Plan and Audit Program
An audit plan is a document that provides the main guidance of the

whole audit process in order to achieve the audit objective in an
efficient and effective way. It provides an integrated description of the
auditee and the audit by serving as a guide for the whole audit.126
119
The audit plan for Management and Operations Audits will document
the results of all the planning tools which would necessarily contain
the following:
Table 8 - Contents of the Audit Plan for Management Audit
Element Information
Introduction A brief description of the management controls, i.e., the plan of
organization and all the methods and measures adopted within an
agency to ensure that resources are used consistent with laws,
regulations and managerial policies; resources are safeguarded
against loss, wastage and misuse; financial and non-financial
information are reliable, accurate and timely; and operations are
economical, efficient, ethical and effective
Audit Objective Overall objective and scope of the work to be accomplished
and Scope
Assessment of Critical processes identified by the IAS/IAU during the planning
Controls phase which led to the selection of the audit area approved by the
DS/HoA or GB/ AuditCom and the formulation of the audit objective
Audit Approach Compliance audit and management control process audit
Resources/ Statutory policies, mandates, managerial policies, government
Inputs regulations, established objectives, systems and
procedures/processes, etc.
Audit Criteria Set of reasonable and attainable standards of performance,
statutory or managerial policies, laws and regulations, etc.
Table 9 - Contents of the Audit Plan for Operations Audit

Element Information
Introduction A brief description or background information of the program or
project, including the main activities and significant events; may
include information on the structure of the program or project,
systems and processes, which lead to the attainment of the output or
the aggregate of the outputs to achieve the outcome, which process
is underperforming causing delays in completion
Audit Objective Overall objective and scope of the work to be accomplished
and Scope
Assessment of Critical points identified by the IAS/IAU during the understanding
Controls phase which led to the selection of the audit area which was
approved by the DS/HoA or GB/AuditCom and the formulation of the
audit objective
Audit approach Audit of program or project results
Resources/ Statutory policies, mandates, managerial policies, citizens‟ needs and
Inputs expectations, manpower, materials, equipment and timelines
Audit Criteria Set of reasonable and attainable standards of performance, statutory
or managerial policies, laws, regulations, etc.
The audit work program or audit program contains the audit objective,
the step by step audit procedures to accomplish the audit objective,
the auditor responsible to perform the procedures, and the specified
timeframe.
120
Audit programs are guidelines for action during the execution phase of
the audit. Audit programs set out the detailed audit procedures for
cost effective collection of evidence.127 It is the detailed listing of steps
to be taken by the IA when analyzing samples to achieve an audit
objective. It describes the details of the planned audit and enumerates
the processes or methods and tools for identifying, analyzing, and
recording information gathered during the engagement.
1.1.5 Determine Key Performance Indicators (KPIs) of the Audit

Engagement
KPIs are performance measures that are utilized to assess the

outputs/outcomes contributing to the overall organizational efficiency
and effectiveness. In evaluating performance, KPIs are employed to
gauge the IAS‟s/IAU‟s accomplishments and to determine whether or
not:
a. Audit objectives are met as reflected in the audit findings and

recommendations;
b. Findings and recommendations are based on facts, substantial

evidence and in compliance with relevant laws, rules and
regulations;
c. There is compliance with Internal Auditing Standards (NGICS,

PGIAM and other relevant standards) under COA/DBM rules and
regulations;
d. Findings and recommendations promote the adequacy of internal

control under COA rules and regulations; and
e. High standards of ethics and efficiency of public officials and

employees are being observed under OMB and CSC rules and
regulations.
It is important that the KPIs for internal audit are aligned with the
internal audit strategic plan and the annual work plan and help drive
the performance that the organization expects from the IAS/IAU. It is
incorporated in the audit plan to guide the auditors during the
execution of the audit engagement.
1.1.6 Approval of the Audit Plan, Audit Work Program and KPIs
The audit plan, audit work program and KPIs, are submitted by the
internal audit team leader to the HoIA for review and approval prior to
the commencement of the audit execution. The HoIA will evaluate the
documents to assess the relevance, significance, auditability and
other factors affecting the conduct of the audit.
121
After the documents have been approved, management should be
informed about the approved audit plan, audit work program and the
KPIs. The audit plan and the KPIs should be discussed with
management but the audit work program should not be shared.
1.2 Audit Execution
Execution of the audit is initiated with an entry conference to discuss the

focus, requirements and timelines of the audit. It involves performing the
audit techniques and procedures enumerated in the audit work program to
gather data and pieces of evidence, to achieve the stated audit objective/s.
During audit execution, if the auditor finds a need to revise the audit work
program, the revision should be submitted to the HoIA for approval. The
HoIA uses the audit work program to supervise and monitor the progress of
the audit and to check whether the team is generating sufficient and
appropriate pieces of (substantial) evidence.
At any point during the audit and during the conduct of the baseline
assessment of the ICS, when significant risks/issues arise, the IAS/IAU will
prepare an Interim Report to the DS or GB/AuditCom to communicate
findings, issues, and problems that may affect the conduct of the audit and
may expose the organization to considerable risks. A summary of the interim
report will be included in the audit report.
EXECUTION How to Audit
REPORTING 1. EntryWhat and How to Report

Conference
2. Conduct compliance audit
a. GatherWhat
and analyze evidence
to Follow-up
FOLLOW-UP b. Compare conditions with criteria
c. Determine probable cause(s)
d. Prepare working papers
3. Conduct system/process audit
a. Gather and analyze evidence
b. Compare conditions with criteria
c. Determine root cause(s)
4. Exit conference
Figure 18 – Audit Execution Flow Diagram
122
1.2.1 Entry Conference
The entry conference sets the tone of the audit. The initial conference
aims to discuss the plans for the conduct of the audit as well as to
obtain the audited entity‟s views and expectations for the overall
framework for the conduct of the audit. Matters arising from the entry
conference must be recorded (Entry Conference Notes) and should
be considered during the conduct of the engagement planning.
1.2.2 Conduct Compliance Audit

Compliance audit is the evaluation of the extent or degree of
compliance with laws, regulations, managerial policies and operating
processes in the agency, including compliance with accountability
measures, ethical standards and contractual obligations. It is a
necessary first step to, and part of, management and operations
audits.
The approach in management audit is to first conduct compliance
audit. Only when there is compliance that control effectiveness is
determined. If there is no compliance, the probable cause for such
non-compliance is determined.
The first approach to operations audit is also to conduct a compliance

audit to determine whether government operations are in accordance
with the organization‟s mandate and explicit objectives. The IAS/IAU
identifies the standards as specified in the organization‟s mandate
and objectives or laws/rules/regulations and compares whether the
operations conform to the identified standards.
For instance, the auditor will determine whether or not the

procurement process has resulted in the best value being obtained.
Areas to be considered may include verification if a Bids and Awards
Committee (BAC) exists in the procuring entity, if the procurement
entity has an Annual Procurement Plan, and the BAC has a
mechanism in the selection of observers. COA Memorandum No.
2010-003, “Guide in the Audit of Procurement” dated 14 January 2010
may be used for this purpose.
The steps in the conduct of Compliance Audit are as follows:
a. Gather and analyze evidence to establish the condition that the

auditee is in.
This refers to findings of facts which is defined as a fact, supported

by substantial evidence (includes consequence, effects or impact).
b. Compare conditions with criteria to draw conclusion.
This refers to conclusion of facts which is defined as an inference

drawn from the subordinate or evidentiary fact.128
123
c. Determine the probable cause(s).
In the context of public accountability, this refers to the act/s or

omission/s of the person responsible, which more likely than
not,129 could have caused the non-compliance with laws,
regulations and managerial policies and operating procedures in
the agency, including compliance with accountability measures,
ethical standards and contractual obligations, which may warrant
the conduct of administrative proceeding by the disciplining
authority. It must be noted that to come up with the determination
of probable cause/s, the IAS/IAU must be able to establish, not
only the facts and circumstances, but also the why‟s, the what‟s
and the how‟s130 of the non-compliance.
d. Prepare the working papers.
The IAS/IAU should record relevant information to support the

audit results. The working papers should contain sufficient
information to allow an experienced auditor having no previous
connection with the audit to ascertain from them the evidence that
supports the auditors„ findings.
e. Integrate audit findings and prepare the highlights of the audit

findings in terms of the 4Cs – Criteria, Condition, Conclusion and
Cause.
1.2.3 Conduct System/Process Audit
Operations process audit is designed to evaluate the effectiveness,

efficiency, ethicality and economy of operating systems selected for
audit. On the other hand, management process audit aims to evaluate
control effectiveness. This step involves the documentation of the
process or system under audit, identification of the control
procedures, verification and validation on whether or not such control
procedures are complied with and are working effectively.
a. Gather and analyze evidence to establish the condition.
This refers to findings of facts which is defined as a fact, supported

by substantial evidence (includes consequence, effects or impact).
b. Compare conditions with criteria to draw conclusion.
This refers to conclusion of facts which is defined as an inference

drawn from the subordinate or evidentiary fact.131
124
c. Determine the root cause(s).
Root cause is a structured investigation that aims to identify the

true cause of a problem and the actions necessary to eliminate
it.132 The determination of root cause through varying techniques
is an essential audit methodology that will assists auditors in
analyzing pieces of audit evidence to come up with appropriate
recommendations.
d. Prepare the working papers
The IAS/IAU should record relevant information to support the

audit results. The working papers should contain sufficient
information to allow an experienced auditor having no previous
connection with the audit to ascertain from them the evidence that
supports the auditors„ findings.
e. Integrate audit findings and prepare the highlights of the audit

findings in terms of the 4Cs – Criteria, Condition, Conclusion and
Cause.
1.2.4 Exit conference
The purpose of the exit conference is to discuss the highlights of the

audit findings with the auditee and/or the responsible official who has
sufficient knowledge about the audit area. It also provides an
opportunity to get the auditee‟s comments (management comments)
and insights about the significant audit issues as a way of validating
the audit findings. Management‟s comments should be taken into
consideration so as to arrive at workable recommendations and obtain
the auditee‟s commitment towards performing remedial actions – as a
manifestation of progressive attitude towards the audit findings. The
auditee‟s comments/responses are recorded in the audit findings
sheet and integrated into the draft report.
125
1.3 Audit Reporting
Audit reporting represents the culmination of the audit execution and the
associated analysis and considerations made during the audit. The audit
report sets out the findings in appropriate format; provides the pieces of
evidence gathered to arrive at the audit findings, and the recommendations.
REPORTING What and How to Report
1. Develop audit findings

a. Criteria (laws and standards)
b. Condition (findings of facts)
c. Conclusion (conclusion of
facts)
d. Cause (root cause(s) or
probable cause(s))
2. Develop audit recommendations
FOLLOW-UP What to Follow-up
Figure 19 – Audit Reporting Flow Diagram
1.3.1 Develop Audit Findings
The audit findings can be developed by analyzing the pieces of

evidence gathered for each of the audit elements. Evidence may be
categorized as physical, documentary, testimonial, analytical or
electronic. Evidence should be sufficient and appropriate (substantial),
competent, and relevant. Audit findings provide answers to the audit
objectives.
Audit findings compare the conditions (factual and evidentiary

conditions such as the current state/practices or what is obtaining,
and their effects) with the audit criteria, and determine the causes.
Once an audit finding has been identified, two complementary forms
of assessment take place: the assessment of the significance of the
findings and the determination of the probable cause/s and the root
cause/s. In fine, all audit findings should be formulated based on the
four Cs (criteria, condition, conclusion, cause) defined as follows:
a. Criteria – the standards against which a condition is compared

with (i.e., laws, regulations, policies).
b. Condition – a fact, backed up by substantial evidence. The

condition refers to what is currently being done or the current
situation.
126
Condition is what the auditor actually finds as a result of the
review. It is a situation that exists. The auditor may find that the
actual condition of an event is not in accordance with the criteria.
For example, under the program of the DepEd, the actual cost of
school building is more than the estimated cost; the ratio of book
distribution per pupil of 1:1 was not followed despite the sufficiency
of budget for books; the actual passing rate of pupils was reduced
to 66% from the expected or acceptable passing rate of 75%.
The condition should be compared with the criteria to assess if the

condition falls short of the criteria or it is beyond acceptable levels.
c. Conclusion – the evaluation of the criteria and the conditions that

could either result in compliance or non-compliance with laws,
regulations and policies, as supported by substantial evidence;
control effectiveness; determination of adequacy or inadequacy of
controls; determination of the efficiency, effectiveness, ethicality,
and economy of agency operations.
d. Cause – the immediate and proximate reason/s for the condition

for which substantial evidence will be used as basis of the audit
recommendation. It may also refer to the probable cause which
needs only to rest on evidence showing that more likely than not133
the act/s or omission/s of the person responsible had caused the
non-compliance which may warrant the conduct of administrative
proceeding by the disciplining authority – in case of compliance
audit; and root cause – in case of management/operations audit.
Root cause is a structured investigation that aims to identify the
true cause of a problem and the actions necessary to eliminate
134
it.
The audit findings should align with the audit objectives and should be
rational and based on specific standards and criteria. Audit findings on
probable cause of illegality of a transaction constitute a violation of
law, while irregularity constitutes a violation of regulations.
1.3.2 Develop Audit Recommendations
Much of the work of internal audit is judged on the quality of the final
audit report, including its analyses, findings, and recommendations.
The recommendations, in particular, provide courses of action as the
basis for improving internal controls.
Workable recommendations are clear, based on science of facts,

conditions and evidence and on practicable, incontestable, and
workable solutions that can stand alone and address the issue(s) at
hand.
127
Audit recommendations are management/legal remedies to avoid
occurrence (preventive action) or avoid recurrence (corrective action)
of control weaknesses and incidences.
The issues to consider in developing recommendations are as follows:
a. Recommendations are submitted to the DS/HoA or the

GB/AuditCom as the official primarily responsible. The
recommendations should identify the probable/root cause of the
gaps or deficiencies/breakdowns. The IAS/IAU should not address
the probable/root cause; instead, it should recommend courses of
action wherein the responsible units will take preventive (avoid
occurrence) and corrective (avoid recurrence) measures.
b. Recommended courses of action to indicate what needs to be

done, but not how to do it. The “how” of it is the responsibility of
the unit and/or management concerned.
c. The circumstances that aid or hinder the organization in achieving

the criteria should be identified.
d. The feasibility and cost of adopting a recommendation, with the

benefit of a recommendation outweighing the costs.
e. Alternative courses for remedial actions.
f. Effects of the recommendation (positive and negative).
1.3.3 Prepare the Draft Audit Report
The draft audit report is prepared by laying out and analyzing the
pieces of evidence gathered to arrive at preliminary audit findings and
recommendations.
When preparing a draft audit report, the auditor should:
a. Delineate the objectives and scope and report within that scope,
unless other issues of substance are identified;
b. Identify all criteria;
c. Report significant matters – positive or negative;
d. Describe the context and background of the reported matter only
as far as is necessary to provide an understanding of the issue;
e. State initial findings, management‟s comments and team‟s
rejoinder, if any;
f. Present the audit findings in a manner that is concise, fair and
objective; and
g. State the recommendations so that they indicate what needs to be
done but not how to do it.
128
1.3.4 Update the DS/HoA or GB/AuditCom
The DS/HoA or GB/AuditCom should be updated on the results of the

audit engagement.
1.3.5 Prepare the Final Audit Report
The draft report may then be finalized integrating the following as

parts of the final report:
a. Table of Contents;
b. Executive Summary;
c. Detailed Audit Findings;
d. Management Comments and Team‟s Rejoinder;
e. Monitoring and Feedback on Prior Year‟s Recommendations;
f. Recommendations; and
g. Appendices.
The final audit report should be presented to the DS/HoA or

GB/AuditCom who decides on the distribution of the audit report
based on the recommendation of the HoIA.
The IAS/IAU proceeds to follow-up on the audit recommendations.
1.4 Audit Follow-up
Follow-up is a monitoring and feedback activity undertaken to ensure the

extent and adequacy of preventive/corrective actions taken by the
Management to address the inadequacies identified during the audit. It aims
to increase the probability that recommendations will be implemented.
Figure 20 illustrates the Audit Follow-up Flow Diagram
FOLLOW-UP What to Follow Up
1. Monitor implementation of approved

audit findings and recommendations
2. Resolve non-implementation/in-
adequate implementation of audit
recommendations
3. Prepare audit follow-up report
Figure 20 – Audit Follow-up Flow Diagram
129
1.4.1 Monitor Implementation of Approved Audit Findings and
Recommendations
It is a sound practice to monitor the implementation of approved

recommendations (management/legal remedies) to avoid the
occurrence (preventive measures) and recurrence (corrective
measures) of control weaknesses/incidences after a reasonable
period from the report submission date. The benefits of internal audit
report recommendations are reduced, and deficiencies remain, if
recommendations are not implemented within the specified timeframe.
It is management„s responsibility to implement approved findings and
recommendations, but the internal audit is in a good position to
monitor the progress of implementation of the recommendations.
1.4.2 Resolve Non-Implementation/Inadequate Implementation of Audit

Recommendations
In the event of non-implementation of recommendation/ inadequate

action, the IAS/IAU recommends appropriate legal and/or
management remedies for non-implementation of recommendation
and inadequate preventive/corrective actions.
1.4.3 Prepare Audit Follow-up Report
Results of the audit follow-up should be recorded and reported in

order to apprise the DS/HoA or GB/AuditCom of the status of actions
on the approved recommendations. The reasons for the lack of action
or non-completion of action on any recommendation should be
documented and further action considered on significant
recommendations that have not been acted upon. Where possible,
the report should:
a. Describe the results of the auditor‟s analysis of actual against

projected benefits for the period under review;
b. Summarize the extent of implementation of the approved

recommendations;
c. Highlight cases where auditee‟s performance in implementing

recommendations have been particularly inadequate; and
d. Describe the actions, if any, that the auditor intends to take in

relation to inadequate auditee‟s actions.
The HoIA should establish and maintain a system to monitor the

disposition of the audit results, and a follow-up process for the
effective implementation of the approved audit recommendations. The
procedure should include an assessment of actions taken on the
report and the status thereof.
130
Follow-up of audit recommendations serves four main purposes:
a. Increase the effectiveness of audits – the prime reason for

following-up audit reports is to increase the probability that
recommendations will be implemented;
b. Assist the government – following-up may be valuable in

proposing some necessary actions to the DS/HoA or
GB/AuditCom and other officials;
c. Evaluate the IAS/IAU performance – follow-up activity provides a

basis for assessing and evaluating the IAS/IAU performance; and
d. Create incentives for learning and development – follow-up

activities may contribute to better knowledge and improved
practice.
2. Compliance Audit of Statement of Assets and Liabilities and Net Worth

(SALN), Disclosure of Business Interests and Financial Connections
(DBIFC), and Identification and Disclosure of Relatives (IDR) in Government
Service of Public Officials and Employees
In line with its functions, the IAS/IAU may conduct compliance audit of the
submission of the Statement of Assets and Liabilities and Net Worth (SALN),
Disclosure of Business Interests and Financial Connections (DBIFC), and
Identification and Disclosure of Relatives (IDR) in government service of public
officials and employees to determine whether such documents have been
properly accomplished pursuant to RA 6713 and its IRR, RA 3019 and other
related laws.
2.1 Audit Engagement Planning
a. The IAS/IAU, when assigned by the DS/HoA or Governing

Board/AuditCom to conduct an independent evaluation and/or fact-finding
of the SALN, DBIFC and IDR of public officials and employees, shall
gather from the Human Resource Management Office (HRMO), or its
equivalent, all submitted documents to determine whether or not said
documents are in proper form,135 complete and accomplished in detail136.
b. SALNs, DBIFCs and IDRs that are not in proper form, incomplete, and/or
not accomplished in detail shall be subject to further fact-finding by the
IAS/IAU.
131
c. To facilitate the conduct of fact-finding of the SALNs, DBIFCs and IDRs
of public officials and employees, the IAS/IAU may require additional
documentation such as:
i. Assets and liabilities;

ii. Amounts and sources of income;
iii. Amounts of personal and family expenses;137
iv. Amounts of income taxes paid;138
v. Business interests and financial connections; and/or
vi. Relatives in the government.139
d. During the fact-finding, the IAS/IAU may also request for documents
readily available from other government offices.140
e. Upon receipt of the SALNs, DBIFCs and IDRs and additional documents,
the IAS/IAU shall perform the following:
i. Identification of SALNs, DBIFCs and IDRs with incomplete data;

ii. Identification of mathematical errors;
iii. Identification of:
(1) Omission, understatement and/or overstatement of assets,

liabilities and net worth;
(2) Erroneous disclosure or non-disclosure of:
(a) Business interests and financial connections; and
(b) Relatives in the government service within the fourth degree
of consanguinity.
iv. Identification of property manifestly out of proportion to the

employee‟s salary, disposable funds141 and income taxes paid.
v. Identification of personal and family expenses142 manifestly out of
proportion to the employee‟s salary, disposable funds and income
taxes paid.
2.2 Audit Execution
The IAS/IAU determines whether the submitted SALN, DBIFC and IDR of the
public officials and employees are compliant with the provisions of RA 3019,
RA 6713 and RA 1379 and with the internal auditing methods in the
identification of assets and/or expenses manifestly out of proportion to the
public official‟s or employee‟s salary, disposable funds and income taxes
paid such as:
a. Assets to Income Analysis143 - This method is used to compare the

property and business interests and financial connections acquired
against the salary and disposable funds. Where the total value of the
property acquired during the public official‟s incumbency or period under
review is greater than his/her salary and disposable funds during the said
period, the difference may give rise to findings for further investigation.
132
Computation:
Real and personal property P xxx
Business interests and xxx
financial connections
Total Assets acquired by the public P xxx
officer during the year
Less:Salary P xxx
Other lawful income xxx
Income from legitimately
acquired property xxx
Other cash/fund inflow xxx
Disposable funds xxx
Discrepancy P xxx
b. Expenses to Income Analysis144 - Under this method, the personal and

family expenses, reduction in liabilities, and cash and bank deposits,
when allowed, of the public official during the year is compared with
his/her salary and disposable funds during the same year. Where the
total expenses incurred, reduction in liabilities and cash and bank
deposits during the year is greater than his/her salary and disposable
funds during the said period, the difference may give rise to findings for
further investigation.
Computation:
Personal and family expenses P xxx
Reduction in liabilities xxx
Total P xxx
Less:Salary P xxx
Discrepancy P xxx
c. Net Worth to Income Discrepancy Analysis 145 - This is a method of

reconstructing net worth based on the theory that if the net worth has
increased in a given year in an amount larger than his reported salary
and disposable funds, the difference may give rise to findings for further
investigation of the official or employee.
Computation:
Assets (Real, personal and other
properties) P xxx
Less: Liabilities xxx
Net Worth for the Current Year P xxx
Less: Net Worth over Previous Year xxx
Increase(Decrease) in Net Worth P xxx
Less: Salary P xxx
Discrepancy P xxx
133
d. Cash/Funds Flow Analysis Method146 - Proceeds from the theory that
where the amount of money spent during a given year exceeds the
reported salary and disposable funds, and the sources of such fund is
otherwise unexplained, the difference may give rise to findings for further
investigation of the official or employee.
Computation:
Sources of Funds
Declared compensation income per SALN P xxx
Business income (add back non-cash
expenses, e.g., depreciation, bad debts) xxx
Income of spouse xxx
Non-taxable receipts such as prizes, royalties xxx
Receipts subject to final tax such as
dividends, donations, inheritance and xxx
interest on deposit
Loans or credits xxx
Cash at the beginning of the period xxx
Total Funds P xxx
Less: Application of Funds
Personal and family expenses declared P xxx
Payments of debts, payables, accruals, xxx
and other liabilities
Payments of taxes xxx
Acquisition of assets – real, personal
and other assets xxx xxx
Discrepancy P xxx
e. Business Interests and Financial Connection to Assets Analysis -

Proceeds from the theory that when the public officer or employee has
declared business assets, he/she should have likewise declared the
corresponding business interest or financial connection he/she has on
said asset; or when he/she has declared a business interest or financial
connection, he/she must likewise indicate the corresponding business or
financial asset in his/her SALN.147
f. Analysis of IDR - For purposes of determining compliance on the filing of

IDR, the IAS/IAU should also look into the veracity and/or inconsistencies
of the entries in the IDR declared by the public official or employee. To
substantiate the same, the IAS/IAU may require from the public official or
employee concerned other documents wherein information on
relationship, as required by law to be disclosed, may be contained.
2.3 Audit Reporting
a. Criteria. The IAS/IAU will determine whether the submitted SALN, DBIFC
and IDR of the public officials and employees are compliant with the
provisions of RA 3019, RA 6713 and RA 1379 and with the internal
auditing methods in the identification of assets and/or expenses
manifestly out of proportion to the public official‟s or employee‟s salary,
disposable funds and income taxes paid.
134
b. Conditions. These conditions may arise in the course of the evaluation of
the SALN, DBIFC or IDR of the public officials or employees.
i. The SALN, DBIFC and IDR submitted by the public officials and
employees are in proper form, complete and detailed.
ii. The SALN, DBIFC and IDR submitted by the public officials and
employees are not in proper form, incomplete and/or not detailed but
after being given the opportunity to correct said documents, the public
official or employee concerned complied and corrected the same to
be in proper form, complete and detailed.
iii. The SALN, DBIFC and IDR submitted by the public officials and
employees are not in proper form, incomplete and/or not detailed and
after being given the opportunity to correct said documents, the public
official or employee concerned failed to comply and correct the same
to be in proper form, complete and detailed.
c. Conclusion. The evaluation and/or fact-finding by the IAS/IAU of the

criteria and conditions in the compliance of the SALN, DBIFC or IDR of
the public officials or employees could either result in compliance or non-
compliance by said officials and employees in the filing of said
documents pursuant to RA 6713 and its IRR, RA 3019 and other related
laws.
d. Cause. The IAS/IAU shall determine the probable cause/s of the

difference between the criteria and conditions which resulted in non-
compliance by the public official or employee to accomplish and file
his/her SALN, DBIFC and IDR in proper form, complete and in detail, i.e.,
more likely than not148 the public official or employee concerned has
unexplained wealth which may warrant the conduct of administrative
proceeding by the disciplining authority. “Unexplained” matter normally
results from “non-disclosure” or concealment of vital facts. 149 To come up
with the determination of probable cause/s, the IAS/IAU must be able to
establish, not only the facts and circumstances, but also the why‟s, the
what‟s and the how‟s150 of the non-disclosure or concealment of vital
facts.
2.4 Audit Follow-up
The IAS/IAU shall render assistance to the disciplining body in the conduct of
the investigation in the event that there is a finding of probable cause against
the public officials and employees who have failed to comply after being
given the opportunity to correct, or have failed to justify the property acquired
and/or their personal and family expenses are manifestly out of proportion to
their salary, disposable funds and income taxes paid.
135
3. Gathering and Analysis of Evidence
Under the execution phase of the audit, the audit work program is executed to
gather more evidence and draw the audit findings. Audit evidence covers all the
information used by the auditor in arriving at the audit findings and audit report.
Sources of information include sampling results of accounting records (books of
entry, checks, invoices, contracts, ledgers, journal entries, etc.); minutes of
meetings; analyst reports; controls manual; information obtained from such audit
procedures as inquiry, observation, and inspection; and other information
developed by, or available to, the auditor that permits him to reach conclusions
through valid reasoning.
In executing the annual work program developed during the planning stage,
gathering of evidence will be completed to form the audit findings. The process
therefore involves the following:
a. Identify the control tested;

b. Consider the evidence available to support or contradict;
c. Select the method of obtaining the necessary evidence; and
d. Collect and evaluate that evidence to form the audit findings.
3.1 Sufficiency and Appropriateness of Audit Evidence
In the test of controls, the internal auditor obtains sufficient and appropriate
evidence to support the initial findings.
What is sufficient and appropriate is the result of the auditor‟s sound

evaluation and is dependent on:
a. Nature of the control deficiency;

b. Materiality;
c. Source of information and evidence;
d. Prior audit experience; and
e. Results of other audit procedures.
The sufficiency and appropriateness of audit evidence are interrelated.

Sufficiency is the measure of the quantity of audit evidence. The quantity of
audit evidence needed is affected by the auditor‟s assessment of the impact
of control deficiencies (the higher the impact, the more audit evidence is
likely to be required) and also by the quality of such audit evidence (the
higher the quality, the less may be required). If no evidence is obtainable for
certain deficiencies, the particular area/topic is not auditable.
Appropriateness of audit evidence is the measure of the quality of audit

evidence; that is, its relevance and reliability in providing support for the audit
findings. It should assist in meeting the audit objectives and is credible.
136
Sufficient and appropriate means that the audit evidence must be substantial
enough to influence or convince the DS/HoA or GB/AuditCom to implement
the recommended courses of action. “Substantial evidence is more than a
mere scintilla of evidence. It means such relevant evidence as a reasonable
mind might accept as adequate to support a conclusion, even if other minds
equally reasonable might conceivably opine otherwise.”151
a. Relevant evidence is one having value in reason as tending to prove any

matter provable in an action.
b. Direct evidence is that which proves the fact in dispute without the aid of
any inference or presumption.
c. Circumstantial evidence is the proof of a fact or facts from which, taken

either singly or collectively, the existence of the particular fact in dispute
may be inferred as a necessary or probable consequence.
d. Corroborative evidence is additional evidence of a different character to

the same point.
The reliability of evidence is influenced by its source and nature, and is

dependent on the individual circumstances under which it is obtained,
including the controls over its preparation and maintenance where relevant.
The reliability of audit evidence that is generated internally is increased when
the related controls, including those over its preparation and maintenance
imposed by the entity, are effective. The reliability of audit evidence is
increased when it is obtained from independent sources outside the entity
and it has been validated.
Materiality relates to the degree of audit evidence required to obtain a certain

level of confidence that the information is reliable and not misstated. Audit
evidence is credible if there is consistency of information obtained from two
or more sources. This may be the case when, for example, responses to
inquiries of management and external sources are consistent, or when
responses to inquiries of those in-charge of governance corroborate the
responses to inquiries of beneficiaries and other stakeholders.
Admissible evidence is any testimonial, documentary, or tangible evidence

that may be introduced in order to establish or bolster a point. In order for a
piece of evidence to be admissible, it must be relevant, without being
prejudicial, and it must have some signs of reliability. An evidence, whose
probative value is outweighed by the risk of confusing the issues to be
decided, may be excluded as it may be inadmissible.
137
3.2 Types of Audit Evidence
Overreliance on any one form of evidence may impact on the validity of the
findings. One should gather a wide variety of evidence for purposes of
triangulation of multiple forms of diverse and corroborating types of
evidence. This is to check the validity and reliability of the findings. Thus,
more cross-checks on the accuracy of the decision should be undertaken.
Pieces of evidence in support of the findings should be corroborative as a
result of triangulation of evidence gathered in at least three approaches.
Triangulation involves employing multiple forms of corroborating diverse

types and sources of evidence and perspectives. By using multiple forms of
evidence and perspectives, a veritable portrait of the facts and conditions
can be developed.
Audit evidence usually falls into the following types:
3.2.1 Physical evidence
Physical evidence is obtained by direct observation. Examples are

physical verification of cash, site visits to projects and verification of
inventory. This type of evidence can be obtained from the following
sources: observation of processes and procedures; site visits to gain
personal knowledge of the practicality and the physical state of work
as they are at a point in time; and physical verification of assets, etc.
Said evidence may require proof of another evidence thus,
documentary or photographic evidence can become handy in this
situation.
3.2.2 Testimonial Evidence
Testimonial evidence is obtained from others through oral or written

statements in response to inquiries or through interview. Testimonial
evidence comes from interviews with interested parties. It can be
documented in the form of interview notes, recorded conversations, or
corroborated evidence or testimonies from other people that have
knowledge of the issue at hand.
3.2.3 Documentary Evidence
Documentary evidence consists of files, reports, manuals and

instructions. This is the most commonly used source of evidence. In
the final analysis, most pieces of evidence gathered are processed
into documentary evidence. This type of evidence can also come in
various forms and names. The following are examples of sources
where documentary evidence can be obtained: manuals; files; reports;
instructions; contracts; invoices; and vouchers.
138
Documentary evidence may be obtained through solicitation or
elicitation. Independent external (third party confirmation) evidence
may be more reliable than internally provided evidence. Evidence
obtained by the auditor directly (third party confirmation direct to/from
auditor) is more reliable than internally provided evidence.
Documentary evidence is more reliable than oral representations;
internal evidence is more reliable when related internal controls are
satisfactory, e.g., elicit – draw, extract, obtain; and solicit – ask for or
request.
3.2.4 Analytical Evidence
Analytical evidence is built up by analyzing the information obtained

from other sources. The most common is the cost-benefit analysis.
This type of evidence may not be easily available in a ready-made
format. Most of this type of evidence is developed by the auditor.
3.2.5 Electronic Evidence
There are many different types of electronic evidence and these may
include: hardware and network diagrams; operating systems software;
network and communications software; journal and activity logs;
application programs; and flow diagrams. Collecting electronic
evidence requires careful planning and execution, preferably by
experts. Electronic evidence may be challenged on the basis of
unreliability. Such challenges may be countered if it can be shown
that controls are in place. Thus, the auditor should exercise due care
to document such controls if electronic evidence is going to be used.
3.3 Audit Approaches and Techniques in Gathering Audit Evidence
In selecting the audit techniques to be used, the IA should first determine

what needs to be done and what pieces of evidence to obtain. There are a
number of audit approaches and techniques that can be adopted in
gathering audit evidence. These include interviews, document reviews,
sampling, testing of controls, policy study, review of management
information, review of processes, and output-input evaluation.
Generally, an audit will involve a combination of such approaches. The audit

approach selected should be the most time and cost-effective given the
objectives and scope of the audit. It should aim to collect sufficient and
appropriate evidence that enables the auditor to come to well-founded audit
findings about the program or activity under review and to make appropriate
recommendations.
Decisions will have to be made at each stage of the audit about the need for
specific testing, data collection and analysis by the internal audit and the
extent that reliance can be placed on the work of other internal or external
reviewers.
139
3.3.1 Inquiries and Interviews
An inquiry/interview is basically a question and answer session to

elicit specific information. A great deal of audit work is based on
inquiries/interviews, and different kinds of interviews are carried out at
different stages of the audit.
The entire spectrum of inquiries is used, from fact-finding
conversations and discussions, through unstructured interviews (that
is, with „open-ended‟ questions), to structured interviews that follow a
list of closed questions:
a. Preparatory interviews;
b. Interviews to collect or validate material information; and
c. Interviews to generate and assess facts and pieces of evidence.
Inquiry is a way of gathering facts and information and gaining support

for a variety of arguments, but one cannot rely solely on interviews.
The results of the interviews must be compiled and documented in a

way that facilitates analysis and reliability of information. For example,
materials such as problems, causes, consequences, and proposals
can be in a separate group. These can be sources of conditions,
causes and potential recommendations for the development of audit
findings and recommendations.
3.3.2 Sampling
Sampling is a scientific method of selecting the transactions to be

subjected to audit. It promotes efficiency and economy in the audit
process. Sampling allows the auditor to test less than 100% of the
population to form audit findings. The assumption is that the sample
selected is representative of the population.
There are various sampling methods available to the auditor. (Please

refer to Appendix F for discussions on sampling methods).
3.3.3 Computer-Assisted Audit Techniques and Tools152
Computer-Assisted Audit Techniques and Tools (CAATTs) are

computer tools and techniques in performing various auditing
procedures and improving the effectiveness and efficiency of
obtaining and evaluating audit evidence. It provides effective tests of
controls and substantive procedures where a wide range of
techniques and tools are used to automate the test procedures for
evaluating controls, obtaining evidence and data analysis.
140
The Asian Organization of Supreme Audit Institutions (ASOSAI)
identified types of CAATTS into two discrete areas of operations:
a. CAATTs used to validate programs/systems (functionality of the

programmable controls)
Program review involves a detailed examination of program

coding. It generally involves a fair degree of programming skill
and a thorough knowledge of program specification.
b. CAATTs used to analyze data files.
These are CAATTs which are primarily used on data files. Of

course, results of data analysis can indirectly help the auditor to
reach conclusions regarding the quality of programs. However,
these CAATTs do not directly test the validity of programs.
3.4 Techniques in the Analysis of Evidence
All audit findings must therefore be based on appropriate analyses and

evaluation of the information and/or evidence.
Some of the techniques to be used in the analysis of evidence include:

Structured or semi-structured interviews, Delphi Technique, Root Cause
Analysis, Fault Tree Analysis (FTA), Cause-Consequence Analysis, Cause
and Effect Analysis, Bow Tie Analysis, and Cost/Benefit Analysis. IEC/ISO
31010, Risk management – Risk assessment techniques, may be used as
reference on these techniques, although caution should be observed as the
discussion is centered on risk assessment. An example using the root cause
analysis is the determination of the root cause in case of any difference
between the automated and manual count in the conduct of the Random
Manual Audit of the Automated Election System (Section 24, RA 9369,
Automated Election Law, January 23, 2007).
4. Root Cause Analysis
Root cause analysis (RCA) is a method that is used to address a deficiency to

determine the “root cause” of the problem. It is used to correct or eliminate the
cause and prevent the problem from recurring. It attempts to identify the root or
original causes, instead of dealing with the immediately obvious symptoms. It is a
structured review and evaluation that aims to identify the true cause of a
deficiency and the courses of action necessary to address it. RCA is continuing to
ask why the control deficiency occurred, until the fundamental process element
that failed is identified.
141
The basic steps in conducting the RCA relating to non-compliance of
management controls are:
a. Establishing the scope and objectives of the RCA;

b. Gathering data and evidence relating to the non-compliance;
c. Performing a structured analysis to determine the root cause; and
d. Developing solutions and making recommendations.
4.1 Root Cause Analysis Techniques
There are various root cause analysis techniques that can be used. Some of
these are the: (1) “5 Whys” Technique; (2) Failure Mode and Effects
Analysis; (3) Fault Tree Analysis; (4) Fishbone or Ishikawa Diagrams; and
(5) Pareto Analysis. These techniques are presented below:153
4.1.1 “5 Whys” Technique
The “5 whys” technique is a simple technique done by repeatedly

asking „why‟ to peel away layers of cause and sub-causes.
4.1.2 Failure Mode and Effects Analysis
Failure Mode and Effects Analysis (FMEA) is a technique used to

identify the ways in which the components, systems or processes can
fail to fulfill their design intent.
The FMEA identifies
i. All potential failure modes of the various parts of a system (a

failure mode is what is observed to fail or to perform incorrectly,
i.e., the deficiency in control design and control operation);
ii. The effects these failures may have on the system;
iii. The mechanisms of failure; and
iv. How to avoid the failures and/or mitigate the effects of the failures
on the system.
4.1.3 Fault Tree Analysis
Fault Tree Analysis (FTA) is a technique for identifying and analyzing

the factors that can contribute to a specified undesired event (top
event). Causal factors are deductively identified, organized in a logical
manner and represented pictorially in a tree diagram which depicts
the causal factors and their logical relationship to the top event.
4.1.4 Fishbone or Ishikawa Diagrams
Cause and effect analysis is a structured method to identify the

possible causes of an undesirable event or problem. It organizes the
possible contributory factors into broad categories so that all possible
hypotheses can be considered. It does not, however, by itself point to
142
the actual causes, since these can only be determined by real
evidence and empirical testing of the hypotheses. The information is
organized in either a Fishbone (also called Ishikawa) or sometimes a
tree diagram.
The Fishbone diagram (Figure 21) is structured by separating causes

into major categories (represented by the lines off the fishbone) with
branches and sub-branches that describe more specific causes in
those categories.
Cause Cause Cause

Category Category Category
Cause
Sub cause
EFFECT
Cause Cause Cause

Category Category Category
Figure 21 - Ishikawa Diagram
4.1.5 Pareto Analysis
The Pareto Analysis is a method using statistics to discover the most

important causes of an effect. The Pareto Principle states that only
"vital few" factors are responsible for producing most of the problems.
This principle can be applied to quality improvement to the extent that
a great majority of problems (80%) are produced by a few key causes
(20%). If we correct these few key causes, we will have a greater
probability of success.
5. Perform Substantive Tests on the Samples
Performing substantive tests on the samples selected is a comprehensive

analysis by using ratios, analytical procedures, inquiries, confirmation, and other
tools and techniques. It is the execution of the audit procedures enumerated in
the audit work program on samples selected. The procedures seek to provide
evidence as to the various control attributes/features established during the
planning stage of the audit, e.g., existence, occurrence, completeness, validity,
adequacy, efficiency, effectiveness, economy, etc. Where necessary and
possible, this process fully quantifies the audit elements such as criteria, cause,
and conditions, which include the effects or consequences, of transactions
covered in audit.
143
The IAS/IAU may use these concepts or procedures in determining the degree of
compliance and in performing management or operations audit of a sample
population.
6. Use of Work of Other Experts
When there is a need to make use of other experts‟ work to corroborate or

substantiate the facts/evidence gathered by the internal auditors, they remain
responsible for its use. Experts are those who have acquired special knowledge,
skill, experience or training in a particular field other than auditing. The auditor
may use the work of an expert as evidence but the auditor retains full
responsibility for the contents of the audit report.
Expert task in auditing is expertise gained in the course of audit activities. Expert
tasks are performed in a way that does not endanger the impartiality of audit
activities. Expert tasks include participating in working groups or projects,
presenting initiatives to correct observed deficiencies in administration, issuing
statements and arranging trainings.
The steps the auditor should take are:
a. Obtain information on the qualifications, competence or specialization of the

experts and the context of their assignment, e.g., in certifying an opinion on
hospital operations, a doctor should not just be a general practitioner but a
recognized hospital administrator who is able to demonstrate a profound level
of expertise; opinions on information technology (IT) process should not just
be from a computer science graduate but from a recognized and reputable IT
practitioner demonstrating a profound level of expertise;154
b. Consider the nature, complexity and materiality of the matter, assumptions

used, and corroborative evidence available;
c. Consider the objectivity of the expert; and
d. Advise the expert on what the work is being used for and the purpose.
7. Integration and Preparation of Highlights of Audit Findings
In the preparation of audit findings, the conditions, conclusions and the causes
must be supported by sufficient audit evidence. The quantum of evidence
required to support an audit finding is substantial evidence. Such substantial
evidence would lead to the determination/finding of a probable cause or a prima
facie case and would draw a reasonable conclusion that more likely than not, a
non-compliance or failure of control/supervision was established, and that an
offense may have been committed.
a. “Substantial evidence is more than a mere scintilla of evidence. It means such

relevant evidence as a reasonable mind might accept as adequate to support
a conclusion, even if other minds equally reasonable might conceivably opine
otherwise.”155
144
b. A finding of probable cause for non-compliance needs only to rest on evidence
showing that more likely than not156 the act/s or omission/s of the person
responsible had caused the non-compliance with laws, regulations and
managerial policies and operating procedures in the agency, including
compliance with accountability measures, ethical standards and contractual
obligations, which may warrant the conduct of administrative proceeding by
the disciplining authority. It must be noted that to come up with the
determination of probable cause/s, the IAS/IAU must be able to establish, not
only the facts and circumstances, but also the why‟s, the what‟s and the
how‟s157 of the non-compliance.
c. “Prima facie requires a degree or quantum of proof greater than probable

cause. „[i]t denotes evidence, which, if unexplained or uncontradicted, is
sufficient to sustain a prosecution or establish the facts as to counterbalance
the presumption of innocence and warrant conviction x x x.”158
This could also give rise to a disputable presumption of non-compliance with a

regulation or rule. “A disputable presumption has been defined as a species of
evidence that may be accepted and acted on where there is no other evidence
to uphold the contention for which may be overcome by other evidence.”159
The Supreme Court in Balbastro vs. COA, G.R. No. 171481, 30 June 2008,
found the petitioner guilty on the basis of the audit report which constitutes
substantial evidence. The pertinent ruling reads:
“In fine, petitioner‟s arguments only render more pronounced the correctness
of the Ombudsman‟s decision finding her guilty on the basis of the audit
report which constitutes substantial evidence. As Balbastro v. Junio held, an
administrative case also involving herein petitioner:
As to the findings of the Ombudsman, it is settled that in

administrative proceedings, the quantum of proof required for a
finding of guilt is only substantial evidence – that amount of relevant
evidence which a reasonable mind might accept as adequate to justify
a conclusion. x x x.”
The audit findings supported by substantial evidence are deemed admitted by the
auditee if not controverted by any evidence to overcome the same. In this case,
the burden of proof now lies with the auditee. “Burden of proof is the duty of a
party to present such amount of evidence on the facts in issue as the law deems
necessary for the establishment of his claim.”160
145
CHAPTER III
INTERNAL AUDIT
PERFORMANCE MONITORING
AND
EVALUATION
146
1. Performance Monitoring and Evaluation
Periodically assessing performance and addressing opportunities for improvement

can help maximize the efficiency and effectiveness of the internal audit function.
Measuring performance is also the means whereby the internal audit‟s own
performance is judged and internal audit is held accountable for its functions and
use of resources. By adopting appropriate indicators, implementing a rigorous
performance measurement regime and acting on the results, internal audit can
demonstrate that it “practices what it preaches”, thus encourage acceptance of its
role within the organization.
The DS/HoA or GB/AuditCom is responsible for periodically reviewing the

performance of the internal audit. They would normally approve the performance
indicators used.
2. Steps in Performance Evaluation
2.1 Determine Key Performance Indicators (KPI)
It is important that the KPIs for internal audit are aligned with the internal
audit strategic plan and the annual work plan and help drive the performance
that the organization expects from the IAS/IAU.
It is also important that performance is measured over time in order to

identify trends, and that performance is measured against both qualitative
and quantitative factors.
KPIs include measurements of the IAS/IAU accomplishment per audit

engagement, such as:
a. Timely completion of each audit engagement;

b. Benefits exceed the cost of audit;
c. Cost of audit is within the approved budget;
d. Number of audit findings approved by the Ds/HoA or GB/AuditCom;
e. Number of recommendations implemented by the auditee;
f. Number of audit support activities undertaken;
g. Internal audit staff satisfaction; and
h. Overall contribution made by the IAS/IAU.
2.2 Design Performance Monitoring Reports
The IAS/IAU should design performance report forms to collect data in

between and during each audit engagement and audit support activities,
aligned with the KPIs. The report forms should provide for the relevant
information regarding the IAS/IAU performance outputs on a per
engagement basis summarized on a periodic basis.
147
2.3 Prepare Evaluation Report
It is good for the IAS/IAU to prepare an evaluation report on its performance

after an audit engagement for the information and advice of the DS/HoA or
GB/AuditCom.
3. Performance Monitoring By the Head of Internal Audit
The Head of IA shall have primary responsibility over the work performance and
discipline of the staff. He/she shall direct the conduct of audit progress
assessment based on a monitoring plan utilizing KPIs and conduct two types of
performance monitoring, as follows: (1) Review of Progress Assessment Report;
and (2) Review of Completion Assessment Report.
3.1 Review of Progress Assessment Report
Progress Assessment Report focuses on whether or not:
a. Audit objectives are met as reflected in the audit findings and

recommendations;
b. Findings and recommendations are based on facts and substantial

evidence and in compliance with relevant laws, rules and regulations;
c. Internal Auditing Standards (NGICS, PGIAM and other relevant

standards) pursuant to COA and DBM rules and regulations are applied;
d. Findings and recommendations promote the adequacy of internal control

pursuant to COA and DBM rules and regulations; and
e. High standards of ethics and efficiency of public officials and employees

are observed pursuant to CSC rules and regulations.
Progress Assessment Report shall be subject to the approval of the HoIA.

Audit team leaders shall ensure that audit engagements are assessed at the
stage before exit conference.
3.2 Review of Completion Assessment Report
Completion Assessment Report focuses on the:
a. Overall effectiveness and efficiency of the IAS/IAU in accordance with

DBM and COA rules and regulations and the agency‟s policies and
standards;
b. Findings and recommendations which are based on facts and substantial
evidence and in compliance with relevant laws, rules and regulations;
c. Application of internal auditing standards (NGICS, PGIAM and other

relevant standards) pursuant to COA and DBM rules and regulations;
148
d. Findings and recommendations which promote the adequacy of internal
control pursuant to COA rules and regulations; and
e. High standards of ethics and efficiency of public officials and employees

are observed pursuant to CSC rules and regulations.
Completion Assessment Report shall be subject to the approval of the HoIA.

Audit team leaders shall ensure that audit engagements are assessed at the
conclusion of the activity.
4. Performance Evaluation by the DS/HoA or GB/AuditCom
Pursuant to the Administrative Code of 1987, the authority and responsibility for
the exercise of the mandate of the Department and for the discharge of its powers
and functions shall be vested in the Secretary, who shall have supervision and
control of the Department.
The IAS/IAU is an integral part of the Department which provides assistance to

the DS/HoA or GB/AuditCom and performs functions delegated by the DS/HoA or
GB/AuditCom.161
Work performance of the IAS/IAU is evaluated by the DS/HoA or GB/AuditCom as

part of supervision and control.162 They shall monitor and evaluate the
performance of the IAS/IAU either through: (1) Review of the Internal Audit
Report, or (2) Review of the IAS/IAU Performance Report.
4.1 Review of the Internal Audit Report
At the conclusion of each audit engagement, the IAS/IAU submits to the

DS/HoA or GB/AuditCom an Internal Audit Memorandum and the Internal
Audit Report - prepared in conformity with the standards set by the
Commission on Audit, Department of Budget and Management and the
Philippine Government Internal Audit Manual.
In the review of the Internal Audit Report, the DS/HoA or GB/AuditCom shall
also consider adherence of the IAS/IAU on the following:
a. The hierarchy of applicable internal auditing standards and practices as

discussed in Chapter 1 of PGIAM – Part I are adhered to.
b. All audit findings are formulated and synthesized based on the 4Cs
(criteria, condition, conclusion, probable/root cause) defined as follows:
i. Criteria – the standards against which a condition is compared (i.e.,

laws, regulations, policies);
ii. Conditions – a fact, backed up by substantial evidence;
149
iii. Conclusion – evaluation of criteria and the conditions that could either
result in compliance or non-compliance with laws, regulations and
policies as supported by substantial evidence; determination of the
adequacy or inadequacy of controls; determination of the efficiency,
effectiveness, ethicality, and economy of agency operations; and
iv. Cause – the probable cause, in case of compliance audit; or root

cause, in case of management audit or operations audit. Relatedly, a
finding of probable cause needs only to rest on evidence showing that
more likely than not163 the act/s or omission/s of the person
responsible had caused the non-compliance which may warrant the
conduct of administrative proceeding by the disciplining authority.
Root cause is a structured investigation that aims to identify the true
cause of the control weaknesses or incidences and the actions
necessary to eliminate it.164
c. Findings are supported by sufficient audit evidence and the quantum of

evidence required to support an audit finding is substantial evidence. As
earlier noted, substantial evidence is more than a mere scintilla of
evidence. It means such relevant evidence as a reasonable mind might
accept as adequate to support a conclusion, even if other minds equally
reasonable might conceivably opine otherwise.165
d. Its recommendations are feasible, cost-effective and cost-efficient, find

sufficient basis in law, evidence-based and classified according to the
following:
i. Preventive actions – refer to determined actions of the organization to

eliminate the causes of potential noncompliance in order to avoid their
occurrence;166 and
ii. Corrective actions – refer to an organization‟s actions to eliminate the

causes of noncompliance in order to avoid recurrence;167
e. At any point during the audit, when significant risks/issues arise, the
IAS/IAU will prepare an Interim Report to the DS/HoA or GB/AuditCom to
communicate findings, issues, and problems that may affect the conduct
of the audit and may expose the organization to considerable risks. The
Interim Report contains the following:
i. Gaps or control deficiencies/breakdowns noted during the

documentation of the components of the ICS and the key processes
in the operating and supports systems;
ii. Gaps or control deficiencies/breakdowns found out after the conduct
of the review and evaluation of the flowchart and narrative notes or
conduct of the walkthrough; and
iii. Gaps or control deficiencies/breakdowns after the conduct of the test
of controls.
150
4.2 Review of the IAS/IAU Performance Report
At the close of every fiscal year, the DS/HoA or GB/AuditCom shall review
the performance of the IAS/IAU through the various reports/outputs (i.e.,
baseline assessment report, assessment of control significance and
materiality and control risk report, assessment of internal audit risk report,
annual audit plan, audit engagement report, audit follow-up report and
performance monitoring evaluation report) that are submitted to their office.
The DS/HoA or GB/AuditCom being the head of the agency, as directly

responsible for the installation, implementation and monitoring of internal
control system (ICS),168 shall review the adequacy of the internal audit as
part of the ICS.
5. Oversight over IAS/IAU
In addition to the performance monitoring and evaluation conducted by the HoIA

and the DS/HoA or GB/AuditCom, oversight functions over the IAS/IAU are also
performed by the COA and the DBM.
Table 10 - Oversight Over the IAS/IAU by COA and DBM
COA DBM
Efficiency and
Adequacy of IAS/IAU
Oversight effectiveness of IAS/
as part of ICS
IAU as part of ICS
5.1 By the Commission on Audit
a. The 1987 Constitution169 and the Administrative Code of 1987170

provide that the “Commission on Audit shall have the power, authority,
and duty to examine, audit, and settle all accounts pertaining to the
revenue and receipts of, and expenditures or uses of funds and property,
owned or held in trust by, or pertaining to, the Government, or any of its
subdivisions, agencies, or instrumentalities, including government-owned
or controlled corporations with original charters, and on a post- audit
basis”. “However, where the internal control system of the audited
agencies is inadequate, the Commission may adopt such measures,
including temporary or special pre-audit, as are necessary and
appropriate to correct the deficiencies.” (underscoring supplied)
b. In a case decided by the Supreme Court, “[A]s can be gleaned from the
foregoing provisions of the Constitution, state audit is not limited to the
auditing of the accountable officers and the settlement of accounts, but
includes accounting functions and the adoption in the audited agencies of
internal controls to see to it, among other matters, that the correct fees
and penalties due the government are collected.” 171 (underscoring
supplied)
151
c. Under the Administrative Code of 1987, it is a declared policy that “all
resources of the government shall be managed, expended or utilized in
accordance with law and regulations and safeguarded against loss or
wastage through illegal or improper disposition to ensure efficiency,
economy and effectiveness in the operations of government. The
responsibility to take care that such policy is faithfully adhered to rests
directly with the chief or head of the government agency concerned.”172
d. The Government Accounting and Auditing Manual, Volume III 173 provides
that internal audit is part of the internal control system.
“Sec. 33. Distinction from other systems within the organization. –
Except for the Internal Audit Office which is part of the internal
control system, internal controls are not separate specialized
systems within an agency. They consist of control features
interwoven into and made an integral part of each system that
management uses to regulate and guide its operations. In this
sense, internal controls are management controls.” (underscoring
supplied)
e. Under COA Circular 2009-002174, it stressed the need for agencies to

evaluate the adequacy and results of the design, implementation, and
maintenance of the internal controls, as follows:
“Subsequent identification of the national government agencies,

local government units and government-owned and controlled
corporations and their respective transactions that may be
included or excluded in pre-audit shall proceed from the results of
an evaluation of the internal control system put in place and
operating in each agency. x x x”
f. Pursuant to the aforementioned laws and issuances, the COA performs

oversight functions over the internal audit office which is part of the
internal control system.
g. In the course of evaluating the ICS, the COA may request the IAS/IAU,
through the DS or GB/AuditCom, to submit documents that will allow
them to determine the adequacy of the IAS/IAU as part of the ICS.
Among the documents that may be submitted are as follows:
i. Internal Audit Memorandum;

ii. Baseline Assessment of the Internal Control System;
iii. Assessment of Control Significance and Materiality and Control Risk;
iv. Assessment of Internal Audit Risk;
v. Annual Internal Audit Plan;
vi. Internal Audit Report;
vii. Internal Audit Follow-up Report; and
viii.Performance Monitoring Evaluation Report.
152
5.2 By the Department of Budget and Management
a. The DBM is responsible for the efficient and sound utilization of funds
and revenues. Pursuant to this mandate, it “shall assist the President in
the preparation of a national resources and expenditures budget,
preparation, execution and control of the National Budget, preparation
and maintenance of accounting systems essential to the budgetary
process, achievement of more economy and efficiency in the
management of government operations, administration of compensation
and position classification systems, assessment of organizational
effectiveness and review and evaluation of legislative proposals having
budgetary or organizational implications.”175 (underscoring supplied)
b. The Administrative Code of 1987 also empowers the DBM to evaluate

agency performance and to monitor budget performance and assess the
effectiveness of the agencies‟ operations, including the IAS/IAU, to wit:
“Sec. 51. Evaluation of Agency Performance – The President,

through the Secretary shall evaluate on a continuing basis the
quantitative and qualitative measures of agency performance as
reflected in the units of work measurement and other indicators of
agency performance, including the standard and actual costs per
unit of work.
“Sec. 52. Budget Monitoring and Information System – The

Secretary of Budget shall determine accounting and other items
of information, financial, or otherwise, needed to monitor budget
performance and to assess effectiveness of agencies‟ operations
and shall prescribe the forms, schedule of submission, and other
components of reporting systems, including the maintenance of
subsidiary and other recording which will enable agencies to
accomplish and submit said information requirements: xxx.”176
(underscoring supplied)
c. In the case of Gutierrez vs. DBM177, the Supreme Court recognized the
power of the DBM to make rules and regulations to implement a given
legislation and effectuate its policies, to wit:
“Delegated rule-making is a practical necessity in modern

governance because of the increasing complexity and variety of
public functions. Congress has endowed administrative agencies
like respondent DBM with the power to make rules and
regulations to implement a given legislation and effectuate its
policies.” (underscoring supplied)
d. Pursuant to its mandate and the provisions of Administrative Order (AO)

No. 119 dated 29 March 1989, 178 the DBM issued Budget Circular No.
2004-04 dated 22 March 2004 which provides for the “Guidelines on the
Organization and Staffing of Internal Audit Units (IAUs)”, and Circular
Letter No. 2008-5 dated 14 April 2008 which provides for the “Guidelines
153
in the Organization and Staffing of an Internal Audit Service/Unit
[IAS/IAU] and Management Division/Unit [MD/MU] in
Departments/Agencies/GOCCs/GFIs Concerned” and providing for the
functions of the IAS/IAU and MD/MU.
e. The DBM reviews the performance of the IAS/IAU by focusing on the

evaluation of the effectiveness and efficiency of the Office as part of the
ICS. They may request the IAS/IAU, through the DS/HoA or
GB/Auditcom, for relevant documents that will aid them in the process,
such as:
i. Internal Audit Memorandum;

ii. Baseline Assessment of the Internal Control System;
iii. Assessment of Control Significance and Materiality and Control Risk;
iv. Assessment of Internal Audit Risk;
v. Annual Internal Audit Plan;
vi. Internal Audit Report;
vii. Internal Audit Follow-up Report; and
viii.Performance Monitoring Evaluation Report.
6. Request for Opinions/Rulings/Interpretations on Issues Arising from the

Approved Internal Audit Findings & Recommendations to COA/ CSC/DBM
Audit findings and recommendations resulting from the audit conducted by the
IAS/IAU shall be submitted to the DS/HoA or GB/AuditCom for approval, pursuant
to its authority and responsibility to exercise supervision and control of the
Department179/Board/Commission/Corporation. Once approved, the same shall be
subject for implementation.
Approved audit findings and recommendations for implementation may be

appealed by the auditee who has been adversely affected to the DS/HoA or
GB/AuditCom. They may also request for opinions/rulings/interpretations on the
issues involved from the COA, the CSC and/or the DBM.
Table 11 - Request for Opinions, Rulings and Interpretations
COA DBM CSC
Opinion/Rulings/ Matters on COA Matters on DBM Matters on CSC

Interpretations rules and rules and rules and
regulations regulations regulations
154
6.1 Rule-making Power of COA, CSC and DBM
The COA, CSC and DBM are bestowed by the Constitution and the law with
rule-making powers necessary for the proper discharge and management of
its mandated functions. Apart from the rules and regulations upon which the
COA, CSC and DBM are authorized to come up with to carry into effect the
provisions of a particular law, said agencies are also authorized to
promulgate their own rules on matters coming under their special and
technical expertise, to wit:
6.1.1 Commission on Audit
The Commission on Audit is empowered under the Constitution to

have the exclusive authority to “promulgate accounting and auditing
rules and regulations, including those for the prevention and
disallowance of irregular, unnecessary, excessive, extravagant or
unconscionable expenditures, or uses of government funds and
properties”.180
In keeping with its Constitutional mandate, the COA adheres, among

others, to “institute control measures through the promulgation of
auditing and accounting rules and regulations governing the receipts
disbursements, and uses of funds and property, consistent with the
total economic development efforts of the Government”.181
6.1.2 Civil Service Commission
Pursuant to EO 292, the Civil Service Commission, as the central

personnel agency, is empowered to “promulgate policies, standards
and guidelines for the Civil Service and adopt plans and programs to
promote economical, efficient and effective personnel administration
in government;”182
6.1.3 Department of Budget and Management
a. Under the Administrative Code of 1987, the Department of Budget

and Management “shall be responsible for the efficient and sound
utilization of government funds and revenues to effectively achieve
our country‟s development objectives.”183 It is empowered, among,
others, to assist the President in the preparation, execution and
control of the National Budget and the achievement of more
economy and efficiency in the management of government
operations.184
b. It is a declared policy of the State that the budget shall be “oriented

towards the achievement of explicit objectives and expected
results, to ensure that funds are utilized and operations are
conducted effectively, economically and efficiently”.185 To ensure
and implement the same, the DBM issues rules and regulations
155
through circulars and other issuances on budget and management
matters.
6.2 Interpretation by COA, CSC and DBM of their own rules
“The Court has consistently yielded and accorded great respect to the
interpretation by administrative agencies of their own rules unless there is
an error of law, abuse of power, lack of jurisdiction or grave abuse of
discretion clearly conflicting with the letter and spirit of the law.” 186 (emphasis
supplied)
a. “More specifically, in cases where the dispute concerns the interpretation

by an agency of its own rules, we should apply only these standards:
"Whether the delegation of power was valid; whether the regulation was
within that delegation; and if so, whether it was a reasonable regulation
under a due process test. An affirmative answer in each of these
questions should caution us from discarding the agency's interpretation of
its own rules.“187
b. In City Government of Makati vs. Civil Service Commission 188, the

Supreme Court cited cases where the interpretation of a particular
administrative agency of a certain rule was adhered to, viz.:
“The same precept was enunciated in Bagatsing v. Committee on

Privatization 189 where we upheld the action of the Commission on
Audit (COA) in validating the sale of Petron Corporation to
Aramco Overseas Corporation on the basis of COA's
interpretation of its own circular that set bidding and audit
guidelines on the disposal of government assets –
“The COA itself, the agency that adopted the rules on bidding
procedure to be followed by government offices and corporations,
had upheld the validity and legality of the questioned bidding. The
interpretation of an agency of its own rules should be given
more weight than the interpretation by that agency of the law
it is merely tasked to administer.” (emphasis and underscoring
original).
c. “As properly noted, CSC was only interpreting its own rules on leave of
absence and not a statutory provision in coming up with this uniform rule.
Undoubtedly, the CSC like any other agency has the power to
interpret its own rules and any phrase contained in them with its
interpretation significantly becoming part of the rules
themselves.”190 (emphasis original)
d. In the case of Gutierrez vs. DBM191, the Supreme Court stated that
“Congress has endowed administrative agencies like respondent DBM
with the power to make rules and regulations to implement a given
156
legislation and effectuate its policies”. In like manner, the DBM has the
power and is in the best position to interpret its own rules.
6.3 Request for COA, CSC and DBM Opinions/Rulings/ Interpretations
In the conduct of compliance audit, the IAS/IAU may find some violations by
the auditee of compliance with COA and CSC rules and regulations and/or
DBM circulars and other issuances. In case of dispute on issues relating to
personnel matters and violation of Civil Service rules and regulations, the
auditee may elevate the same to the CSC. For issues relating to violations of
COA rules and regulations, the same may be elevated to COA. Likewise, for
issues concerning budget and management matters, the same may be
elevated to the DBM. Vested with the power to promulgate their own rules
and regulations, COA, CSC and DBM are in the best position to determine
and interpret if a violation of their own rules has been committed by an
agency.
a. Relatedly, the Administrative Code of 1987 provides that the CSC shall
“render opinions and rulings on all personnel and other Civil Service
matters which shall be binding on all heads of departments, offices and
agencies and which may be brought to the Supreme Court on
certiorari.”192 In line with this, Section 16 (3), Chapter 3, Subtitle A, Book
V of the Administrative Code of 1987 provides that the “the Office of
Legal Affairs shall “ x x x; prepare opinions and rulings in the
interpretation and application of the Civil Service Law, rules and
regulations; x x x”.
b. Pursuant to the 2009 Revised Rules of Procedure of the Commission on

Audit, COA‟s jurisdiction shall extend over “resolution of novel,
controversial, complicated or difficult questions of law relating to
government accounting and auditing”.193 Corollary thereto, COA
Memorandum No. 96-010194 provides that “all queries and requests for
advice and opinion concerning any matter germane to the functions of
this Commission as well as requests for interpretation of pertinent laws
and auditing rules and regulations shall be submitted directly to the Legal
Office which shall take cognizance thereof and thereby render legal
opinions pursuant to its authority under Section 11 195, P.D. 1445196 and
Section 7 (7)197, Subtitle B, Book V, Executive Order No. 292, otherwise
known as the Administrative Code of 1987.
In view of the foregoing, request for opinions/rulings on the results of a

compliance audit relating to violations of personnel and other Civil Service
matters may be taken to the CSC and matters relating to budget and
management, to the DBM. All queries and requests for advice and opinion
concerning violation of any matter germane to the functions of the COA, as
well as requests for interpretation of pertinent laws and auditing rules and
regulations, shall be submitted directly to the Legal Office of the COA in
accordance with the guidelines described under COA Memorandum No. 96-
010.198
157
PGIAM AMENDMENT PROTOCOL
1. Introduction
The Philippine Government Internal Audit Manual – Guidelines and Practices

(PGIAM I and II) are the definitive policy resource guiding the operations of
internal audit in the Philippine public sector.
Both documents reflect the policy, legal and institutional arrangements governing
internal audit in the Philippine public sector. The PGIAM I and II shall be reviewed
regularly to ensure they are still current.
The need to amend any or both documents may be prompted by feedback from
Departments and Agencies on the implementation of the PGIAM; Department-
specific and sector-based internal audit implementation insights; changes in laws,
policies, guidelines and regulations; and requisites for enhancing work practices.
A proposal for amendment of any provision, standard, procedure and/or policy in

PGIAM I and II needs to be submitted to the Department of Budget and
Management and OP-IAO, and after initial review, said agencies will submit the
same to the Inter-Agency Reference Panel for discussion and endorsement to the
DBM Secretary for approval.
2. New Policy/Major Revisions
The DBM is the main policy approval body.
When submitting a new or significantly revised policy statement to the DBM, it

must be accompanied by a statement outlining:
a. The rationale for the preparation or review of the policy;

b. Impact of implementation (including obvious resource implications, effects on
staffing and other issues, changes to delegations for decision-making); and
c. Policies or provisions to be rescinded.
3. Minor Amendments
Minor amendments (e.g., to reflect changes in position titles or nomenclature of

organizational units) which do not otherwise affect the policy content can be
incorporated in another amendment to the document in the near future.
4. Periodic Review of Policies
In order to enhance the Philippine Government internal audit management

standards, including policies, procedures and ethical pronouncements, a periodic
review of policies and practices will be undertaken. In addition to requiring new
policy statements or major revisions to include a specified date of the next review,
routine alerts to review a certain policy will be sent periodically and as appropriate
to all Departments and Agencies.
158
Notification that a certain policy is due for periodic review will be sent three
months prior to the review date. The expectation is that a timely review of the
policy will be undertaken, generally within three to six months following
notification.
Where review will result in a major overhaul of a policy, development of a brief

review and approval plan may be advisable. The plan should outline relevant
steps associated with the review, including consultation, review by relevant
committees, and target dates for final approval by the designated "approving
authority".
At the end of the review, an Amendment History table will be completed and
made part of the PGIAM Manual and Practices.
5. Amendment History
1. xxxxxxxxxxxxxxxxxxxxxxx
Contact Officer
Approval Date
Updated to New
Standard
Improvement and
Clarification
Approval Authority
Date of Next
Review
Printed Copy
Electronic Copy
159
REFERENCES
(PGIAM – Part I)
1. Administrative Order (AO) No. 278. “Directing the Strengthening of the Internal
Control Systems of Government Offices, Agencies, Government-Owned and/or
Controlled Corporations, Including Government Financial Institutions and Local
Government Units, in Their Operations”, 28 April 1992.
2. AO No. 70, “Strengthening of the Internal Control Systems of Government Offices,

Agencies, Government-Owned and/or Controlled Corporations, Including
Government Financial Institutions, State Universities and Colleges and Local
Government Units”, 14 April 2003.
3. Asian Development Bank (ADB). ADB Audit Manual (Vol. I – Policies and
Procedures), ADB, December 2003.
4. Civil Service Commission (CSC) Memorandum Circular (MC) No. 27, “Policy on
Consultancy Contracts”, 24 June 1993.
5. CSC MC No. 40, s.1998, “Revised Omnibus Rules on Appointments and Other
Personnel Actions”, as amended by CSC MC. No. 15, s. 1999, “Additional
Provisions and Amendments to CSC MC No. 40, s. 1998” and CSC MC No. 21,
“Policies on Detail”, 26 September 2002.
6. CSC MC No. 12-06, “Qualification Standards for IAS Positions”, 22 June 2006.
7. CSC MC No. 1, “Repeal of CSC MCs No. 17, s. 2002 also known as the „Policy
Guidelines for Contracts of Service‟ and CSC No. 24, s. 2002 also known as the
„Clarification of Policy Guidelines for Contract of Service‟”, 12 January 2007.
8. Commission on Audit (COA) Circular No. 93-214-A, “Government Contracts for

Internal Audit Services”, 4 March 1993.
9. COA Circular No. 91-368, “Government Accounting and Auditing Manual”, Vol. III,
19 December 1991.
10.COA Circular No. 2002-002, “Prescribing the Manual on the National Government
Accounting System (Manual Version) For Use in All Government Agencies”, 18
June 2002.
11.Department of Budget and Management (DBM) Budget Circular 2004-4,

“Guidelines in the Organization and Staffing of Internal Auditing Units”, 22 March
2004.
12.DBM Circular Letter Nos. 2008-05, “Guidelines in the Organization and Staffing of
an Internal Audit Service/Unit and Management Division/Unit in
Departments/Agencies/ GOCCs/GFIs Concerned”, 14 April 2008.
13.DBM Circular Letter No. 2008-8, “National Guidelines on Internal Control Systems
(NGICS)”, 23 October 2008.
160
14.DBM-CSC Joint Resolution No. 1, “Rationalization Program‟s Organization and
Staffing Standards and Guidelines”, 12 May 2006.
15.Executive Order (EO) No. 292, “Administrative Code of 1987”, 25 July 1987.
16.EO No. 605, “Institutionalizing the Structure, Mechanisms and Standards to

Implement the Government Quality Management Program Amending for the
Purpose Administrative Order No. 161, s. 2006”, 23 February 2003.
17.IEC/ISO 31010:2009, Risk Management – Risk Assessment Techniques, 1

December 2009. ISBN 2-8318-1068-2.
18.International Organization of Supreme Audit Institutions (INTOSAI). Guidelines for

Internal Control Standards for the Public Sector [online]. 16 October 2004.
Available from World Wide Web:<intosai.connexcc-
hosting.net/blueline/upload/1guicspubsece.pdf>.
19.ISO 31000: 2009(E), “Risk Management – Principles and Guidelines,” 15

November 2009.
20.Medium-Term Philippine Development Plan 1999-2004
21.Muro vs. State Prosecutors, A.M. No. RTJ-92-876, 11 December 1995.
22.Office of the Auditor General of Canada. Performance Audit Manual. Canada:

Minister of Public Works and Government Services. June 2004. Available from
World Wide Web:<http://www.oag-bvg.gc.ca/internet/docs/ pam_e.pdf>.
23.Office of the President Memorandum. “Paper on the Doctrine of Completed Staff

Work”. 3 August 1993. MC No. 110, 23 August 2006. MC No. 68, 17 September
2004; MC No. 24, 7 August 2002; and Memorandum from the President dated 10
June 1999 signed by President Joseph Estrada.
24.Philippine National Standards International Organization for Standardization

(PNS ISO 19011:2002), ISO published in 2002, “Guidelines for Quality and/or
Environmental Management Systems Auditing”.
25.Presidential Decree No. 1445, “Government Auditing Code of the Philippines”,

11 June 1978.
26.Republic Act (RA) No. 6713, “Code of Conduct and Ethical Standards for Public
Officials and Employees” and its IRR, 20 February 1989.
27.RA No. 9485, “Anti-Red Tape Act of 2007” and its IRR, 2 June 2007.
28.Republic Act No. 9184, “Government Procurement Reform Act”, 10 January 2003.
29.The 2009 Revised Rules of Procedures of the Commission on Audit
161
30.The 1987 Philippine Constitution.
31.The Institute of Internal Auditors. International Professional Practices Framework

(IPPF). USA: The Institute of Internal Auditors, January 2009.ISBN 978-0-89413-
639-9
32.United Nations. United Nations Audit Manual. New York: Internal Audit Division,
Office of Internal Oversight Services, March 2009. Available from World Wide
Web: <http://www.un.org/Depts/
oios/pages/audit%20manual%20%20march%202009%20edition.pdf>
33.United Nations. Comprehensive Review of Governance and Oversight within

the United Nations, Funds, Programmes and Specialized Agencies; Vol. II,
Governance and Oversight Principles and Practices; Draft, 2006. Available from
World Wide Web:<http://www. un.org/reform/ governance/ pdf/gov_princ.pdf>.
34.United Nations Development Programme (UNDP). Handbook on Planning,

Monitoring and Evaluation for Development Results. New York, USA:UNDP,
2009. Avaiable from World Wide Web:<http://www.undp.org/
evaluation/handbook/>.
35.United States General Accounting Office (USGAO). Performance Measurement

and Evaluation:Definitions and Relationships (Glossary). United States General
Accountability Office. Availabe from World Wide
Web:<http://www.gao.gov/special.pubs/gg98026.pdf>.
36.Veneracion and Linatoc vs. Office of the Court Administrator, A.M. No. RTJ-99-
1432, 21 June 2000.
37.World Bank (WB). Report on the Observance of Standards and Codes (ROSC);
Republic of the Philippines; Accounting and Auditing Update. Available from
World Wide Web:<http://www. worldbank. org/ifa/ rosc_aa_phl_2006.pdf>.
162
REFERENCES
(PGIAM – Part II)
1. Air France vs. Carrascoso, G.R. No. L-1438, 28 September 1966.
2. Andersen, B. and Fagerhaug, T. Root Cause Analysis: Simplified Tools and

Techniques, (2nd ed.) Milwaukee, U.S.A.:American Society for Quality, Quality
Press, 2006. ISBN 0-87389-692-0.
3. Asian Organization of Supreme Audit Institutions (ASOSAI). “IT Audit Guidelines”.

September 2003. Available from World Wide
Web:<http://www.asosai.org/system/upload_file/function/_20091218135249.pdf>.
4. Bagatsing vs. Committee on Privatization, et.al., G.R. No. 112399, July 14, 1995.
5. Boiser vs. People of the Philippines, G.R. No. 180299, 31 January 2008.
6. Black‟s Law Dictionary, (ed.), (p.290, 6th ed.), St. Paul, Minn.: West Publishing Co.
1990.ISBN 971-30-0356-X.
7. City of Makati vs. CSC, G.R. No. 131392, 6 February 2002.
8. Cometa vs. Court of Appeals, G.R. No. 126005, 21 January 1999.
9. Commission on Appointments vs. Celso M. Paler, G.R. No. 172623, March 3,

2010 citing Eastern Telecommunications Philippines, Inc. and
Telecommunications Technologies, Inc. vs. International Communication
Corporation, G.R.No. 135992, 31 January 2006.
10. COA. Handbook on Internal Control Structure. Quezon City: COA, November
2002.
11. COA Circular No. 2009-002, “Reinstituting Selective Pre-Audit on Government

Transactions”, 18 May 2009.
12. COA. The Financial Audit Manual, 2003.
13. COA Circular No. 368-91, “Government Auditing Standards and Procedures and
Internal Control System”, 19 December 1991.
14. CSC MC No. 07, “Installation of Performance Management System (PMS) in the
Civil Service”, 18 April 2007.
15. CSC MC No. 12, “Revised Policies on Qualification Standards”, 29 October 2003.
16. CSC MC No. 14, “Additional Provisions and Amendments to CSC Memorandum
Circular No. 41, s. 1998”, 23 August 1999.
17. CSC Resolution No. 991936, “The Uniform Rules on Administrative Cases in the
Civil Service (URACCS)”, 31 August 1999.
163
18. CSC MC No. 41, “Amendments to Rule I and XVI of the Omnibus Rules
Implementing Book V of the Administrative Code of 1987”, 24 December 1998.
19. DBM Circular Letter Nos. 2007-6, “Manual on Position Classification and
Compensation”,19 February 2007.
20. DBM National Budget Circular No. (NBC) 518, “FY 2008 Personal Services
Itemization and Plantilla of Personnel (PSIPOP)”, 8 January 2009.
21. DBM NBC No. 522, “FY 2009 Personal Services Itemization and Plantilla of
Personnel (PSIPOP)”, 14 December 2009.
22. DBM NBC No. 507, “Omnibus Circular on the Submission of Budget Execution
Documents/ Accountability Reports”, 31 January 2007.
23. Destreza vs. Plazo, G.R. No. 176863, 30 October 2009.
24. Eastern Telecommunications Philippines, Inc. and Telecommunications

Technologies, Inc. vs. International Communication Corporation, G.R.No. 135992,
January 31, 2006.
25. EO No. 366, “Directing a Strategic Review of the Operations and Organizations of
the Executive Branch and Providing Options and Incentives for Government
Employees Who May Be Affected by the Rationalization of the Functions and
Agencies of the Executive Branch”, 4 October 2004.
26. EO No. 605, “Institutionalizing the Structure, Mechanisms and Standards to

Implement the Government Quality Management Program Amending for the
Purpose Administrative Order No. 161, s. 2006”, 23 February 2003.
27. EO No. 265, “Approving and Adopting the Government Information Systems Plan
(GISP) as Framework and Guide for All Computerization Efforts in Government”,
12 July 2000.
28. Galario vs. Office of the Ombudsman, et. Al., G.R. No. 166797, 10 July 2007.
29. Gutierrez, et.al. vs. DBM, et.al. G.R. No. 153266, 18 March 2010.
30. IEC/ISO 31010:2009(E), Risk management – Risk assessment techniques
31. International Organization of Supreme Audit Institutions (INTOSAI). (2004).

Guidelines for Internal Control Standards for the Public Sector. Retrieved from
http://intosai.connexcc-hosting.net/blueline/upload/ 1guicspubsece.pdf
32. ISO 9001:2008, Quality management systems – Requirements, 15 November

2008.
33. ISO 31000:2009(E), Risk management – Principles and guidelines, 15 November

2009.
164
34. ISO Guide 73:2009, Risk management – Vocabulary, 13 Novemember 2009.
35. National Archives of the Philippines General Circular No. 1, “Rules and
Regulations Governing the Management of Public Records and Archives
Administration”, 20 January 2009.
36. National Archives of the Philippines General Circular No. 2, “Guidelines on the
Disposal of Valueless Records in Government Agencies”, 20 January 2009.
37. Mamaril vs. Domingo, G.R. No. 100284, 13 October 1993.
38. Marcelo vs. Bungubung, G.R. No. 175201, 23 April 2008.
39. Montemayor vs. Bundalian, G.R. No. 149335, 1 July 2003.
40. National Economic Development Authority (NEDA) Office Circular No. 01-2009,
“Adopting the Code of Conduct for the Officials and Employees of NEDA, 19 May
2009; LTFRB, “Code of Conduct for Officials and Employees of the Land
Transportation and Franchising Regulatory Board,” 4 February 2005.
41. Omnibus Rules Implementing Book V of EO 292 and Other Pertinent Civil Service
Laws, as amended such as by CSC MC 38, s. 1993; MC 40, s. 1998, MC 41, s.
1998; MC 20, s. 2002; MC 15, s. 2006; CSC MC 28, s. 2009.
42. Philippine National Standards International Organization for Standardization (PNS

ISO 690:2003), ISO published 1987, “Documentation-Bibliographic references-
Content, form and structure”.
43. Philippine National Standards International Organization for Standardization

(PNS ISO 690-2:2003), ISO published 1997, “Information and documentation-
Bibliographic references-Part 2:electronic documents or parts thereof”.
44. Philippine National Standards International Organization for Standardization

(PNS ISO 5807:2004), ISO published 1985, “Information processing-
documentation sysmbols and conventions for data, program and system
flowcharts, program network charts and system resources charts”.
45. Regalado, F. D. (2001). Remedial Law Compendium, II, 9th Rev. Ed., Caloocan
City:National Bookstore.
46. RA No. 9524, “General Appropriations Act for Fiscal Year 2009”, effective, 1 April
2009.
47. RA No. 3019, “Anti-graft and Corrupt Practices Act”; CSC Resolution No. 06-
0231, 1 February 2006.
48. RA No. 9013, “An Act Establishing the Philippine Quality Award in Order to
Encourage Organizations in Both the Private and Public Sectors to Attain
Excellence in Quality in the Production and/or Delivery of their Goods and
Services”, 28 February 2001.
165
49. RA No. 7160, “Local Government Code of 1991”, 10 October 1991.
50. Republic of the Philippines vs. Desierto, G.R. No. 135123, 22 January 2007.
51. Standard on Auditing (SA) 500 (Revised) Audit Evidence. Available from World
Wide Web:<www.icai.org/resource_file/ 15576sa500revised. pdf>.
52. United Nations Industrial Development Organization (UNIDO). UNIDO

Competencies. January 2002. Available from World Wide Web:
<http://homepage.cem.itesm.mx/jltellez/S11/UNIDO%20COMPETENCIES.pdf>.
53. United Nations Development Programme (UNDP). Handbook on Planning,

Monitoring and Evaluation for Development Results. New York:UNDP,2009. New
York:Author. Avaiable from World Wide Web: <http://www.undp.org/evaluation/
handbook/>.
54. United States General Accounting Office (USGAO). Performance Measurement

and Evaluation:Definitions and Relationships (Glossary) .1998. United States
General Accountability Office. Available from World Wide
Web:<http://www.gao.gov/ special.pubs/gg98026.pdf>.
55. United States General Accounting Office (USGAO) Government Auditing

Standards. Revision (GAO-07-731G), July 2007. Available from World Wide
Web:< http://www.gao.gov/new. items/d07731g.pdf>.
56. Sevilla vs. Cardenas, G.R. No. 167684, 31 July 2006.
57. State Accounting and Auditing Development Office. Value for Money Audit –
Participant‟s Manual. Quezon City: Commission on Audit. 2000.
58. Webb vs. De Leon, G.R. No. 121234, 23 August1995.
166
APPENDICES
167
Appendix A : Summary of Generic Manuals on Controls in the Human Resource
Management System (HRMS), Quality Management System (QMS) and Risk
Management System (RMS)
Briefer on NGICS Modules
The National Guidelines on Internal Control Systems (NGICS) was formulated by

incorporating Constitutional provisions; existing laws, policies, rules and regulations;
relevant or applicable standards and best practices, as well as standards set by
intergovernmental organizations on internal control in one convenient and useful
document. It will serve as a guide to the heads of departments and agencies in
designing, installing, implementing and monitoring their respective internal control
systems taking into consideration the requirements of their organization and
operations.1 The NGICS was issued by the Department of Budget and Management
(DBM) thru DBM Circular Letter 2008-8 dated 23 October 2008 which will be
implemented in all National Government Agencies (NGAs), including State
Universities and Colleges (SUCs), Government-Owned and/or -Controlled
Corporations (GOCCs), Local Government Units (LGUs), and all others concerned.
The Commission on Audit (COA), in a memorandum 2, required COA officials
concerned to monitor adherence by the audited agencies to the provisions of DBM
Circular Letter 2008-8.
To facilitate the roll-out of the implementation of the NGICS, it is imperative to

develop generic modules to identify and strengthen internal controls in the
management support systems, specifically on Human Resource Management (HRM),
Quality Management (QM) and Risk Management (RM). The learning modules will
be used for the capacity-building of agencies in designing, installing, implementing
and monitoring internal controls in their support services units/systems and operating
units/systems to achieve agency objectives. Specifically, the learning modules and
sets of instructions are intended to:
1) Emphasize understanding of the concepts of internal control among public

officials and employees required in the support services units/systems, as
well as operating units/systems to meet the agency objectives;
2) Develop relevant expertise and competence among target audiences in
installing and updating internal controls in the management systems,
particularly in the areas of human resource management, quality
management and risk management; and
3) Foster continual improvement in government characterized by citizen-driven
agencies by integrating internal controls in their support and operating
units/systems.
The Training Manuals and Sets of Instructions (SOIs) will contain minimum guidelines
and requirements that will focus on the internal controls that are built into and made
an integral part of each system that management uses to regulate and guide its
1
Par. 1.1, DBM Circular Letter 2008-8, “National Guidelines on Internal Control Systems (NGICS)”, 23 October
2008.
2
Commission on Audit (COA) Memorandum No. 2009-004, “DBM Circular Letter No. 2008-8 dated October
23, 2008 entitles “National Guidelines on Internal Control Systems (NGICS), dated 16 February 2009.
168
operations to meet its objectives.3 The built-in controls in the support system such as
HRMS, QMS and RMS interfaces with that of the operations‟ own controls to come
up with stronger accountability; efficient, effective, ethical, and economical
operations; improved ability to address risks to achieve general control objectives;
better systems of responding to the needs of citizens; and quality outputs and
outcomes and effective governance.4 The Learning modules will serve as guide for
trainers and reference material for target audiences.
Generic Module on Controls in the Human Resource Management System
The Human Resource Management System (HRMS) forms part of the coordinated
methods and measures of every agency. Based on the guidelines provided in the
NGICS, the HRM system encompasses the processes from recruitment, retention,
training, supervision and discipline, until an employee‟s severance from the service,
either through retirement, resignation, or separation. These processes have built-in
controls to ensure 4Es (efficient, effective, ethical and economical) of operations to
meet agency objectives.
The module is focused on the internal controls that must be in place within the
Human Resource Management System (HRMS). It is intended to develop individual
competencies of the target audience in determining internal controls in the area of
human resource management. At the end of the module, the target audiences are
expected to:
1) Understand the application of internal controls in the concept of public

accountability;
2) Enhance the skills of the target audience in the establishment, administration
and maintenance of clearly stated position descriptions and strong qualification
standards as important controls in the HRMS ; and
3) Uphold and promote a well designed personnel performance measurement
and discipline as a control to link employees‟ performance to that of the
agency performance in meeting agency objectives.
The module consists of three sub-modules.
Sub-Module 1. The Nature of Public Office as a Public Trust
Sub-Module 1 discusses the concept of public accountability and public trust which
promotes responsibility, integrity, loyalty, professionalism and the 4Es (efficient,
effective, ethical and economical) of operations in the government. This is provided
under pertinent provisions of the 1987 Philippine Constitution, the Administrative
Code of 1987 and the Code of Conduct and Ethical Standards for Public Officials and
Employees. Government officials and employees should always remember that
public service is public trust which means that “[t]he powers so delegated to the
officer are held in trust for the people and are to be exercised in behalf of the
government or of all citizens who may need the intervention of the officers. Such trust
extends to all matters within the range of duties pertaining to the office. In other
3
National Guidelines on Internal Control Systems (NGICS), 23 October 2008.
4
Ibid.
169
words, public officers are but the servants of the people, and not their rulers.” 5 They
are duty bound to maintain their integrity and fitness to discharge their functions.
Sub-Module 2. The Position Description and Qualification Standards (QS)
Sub-Module 2 focuses on the establishment of accurate and adequate written

description of duties and responsibilities for every position, as well as the
qualification standards required by the job to ensure that public officials and
employees satisfactorily perform their duties with the highest degree of excellence,
professionalism, intelligence and skill. The QS expresses the minimum requirements
for a class of positions in terms of education, training and experience, civil service
eligibility, physical fitness, and other qualities required for the successful performance
of the duties and responsibilities to achieve organizational objectives. The
qualification requirements should conform with the approved qualification standards
of the positions involved and not the qualifications of the appointee.6
Sub-Module 3. Performance Measurement and Discipline
Sub-Module 3 emphasizes the controls in measuring the effectiveness and efficiency

of public officials and employees in the performance and discharge of their duties by
setting standards and targets as basis for evaluation. The performance evaluation
should be designed and administered to (a) continually improve employee
performance and efficiency; (b) enhance organizational effectiveness and
productivity; and (c) provide an objective performance rating which shall serve as a
basis for incentives and rewards, promotion, training and development, personnel
actions and administrative sanctions.7 Officials and employees who commit
infractions are subject to discipline and administrative sanctions wherein the
governing principle is that “when an officer or employee is disciplined, the object
sought is not the punishment of such officer or employee but the improvement of the
public service and the preservation of the public's faith and confidence in the
government.”8
Generic Module on Controls in the Quality Management System
The Quality Management System (QMS) is one way in which a public sector
organization can direct and control its activities in order to satisfy the needs and
expectations of the citizens.9 To develop a culture of quality and integrity in
governance, the government mandated policy on quality service provides that “the
State shall encourage all sectors of the economy to aim for optimum productivity and
improved quality and shall recognize their contribution to raising the quality of life for
all, especially the underprivileged.”10 Agencies use the process approach as a
control measure to meet citizens‟ requirements.
5
Sabio vs. Gordon, G.R. No. 174340, 17 October 2006.
6
IV, Guidelines, Procedures and Requirements in the Preparation and Submission of Appointments, Omnibus
Rules Implementing Book V of Executive Order 292 and other Pertinent Civil Service Laws, May 2007).
7
Rule IX Performance Evaluation Promotion, Omnibus Rules Implementing Book V of Executive Order No.
292 and other Pertinent Civil Service Laws, 2007.
8
Remolana vs. CSC, G.R. No. 137473, 2 August 2001.
9
Clause 0, Government Quality Management Systems Standards (GQMSS), 21 June 2007.
10
Sec. 2, Republic Act (RA) No. 9013, “An Act Establishing the Philippine Quality Award in Order to Encourage
Organizations in Both the Private and Public Sectors to Attain Excellence in Quality in the Production And/Or
Delivery of Their Goods and Service,” 28 February 2001.
170
The module is focused on the internal controls that must be in place within the
agencies‟ support and operating processes to enable them to identify and meet the
needs, expectations and requirements of the citizens. It aims to promote
organizational capabilities in revitalizing internal controls, particularly in the area of
quality management. At the end of the module, the target audiences are expected to
be able to:
1) Ensure the adequacy and effectiveness of controls in meeting citizens‟

requirements in the support, as well as operating units/systems;
2) Operationalize the process approach by creating and understanding the
network of processes and their interactions to improve performance to achieve
the desired results; and
3) Promote continual improvement as a control to ensure continual delivery of
efficient service and meet citizens‟ requirements
Sub-Module 1. Understanding and Meeting Citizens‟ Requirements
Sub-Module 1 guides the support services and operating units/systems in identifying

their respective clients and other interested parties, as well as their requirements,
needs and expectations, to define the organization‟s intended outputs. 11 The sub-
module assists organizations in understanding requirements specified by the citizens;
requirements not stated by the citizens but necessary for specified or intended use;
statutory and regulatory requirements; and any additional requirement determined by
the organization. In addition, the sub-module discusses the integration and alignment
of internal controls in the support systems with those of the operating systems
towards the realization of agency objectives.
Sub-Module 2. The Process Approach
Sub-Module 2 promotes the adoption of the process approach12 in obtaining desired

results. The approach involves a set of interrelated or interacting activities, which
transforms inputs (policies, resources, citizens needs and expectations, etc.) into
outputs/outcomes (the products and services provided to the citizens) 13. In order to
use the process approach, it is necessary that the sub-module clearly defines the
parts. The sub-module likewise covers the control of the interactions between these
processes and the interfaces in the support and operating systems. The primary step
in the process approach requires the organization to identify its customers and other
interested parties, as well as their requirements, needs and expectations as inputs to
define the organization‟s intended outputs.14
11
Clause 5.1.1. ISO 9000, the “Introduction and Support Package: Guidance on the Concept and Use of the
Process Approach for Management Systems,” ISO/TC 176/SC 2/N 544R3, 15 October 2008; Executive Order
(EO) No. 605 s. 2007; and Republic Act (RA) No. 9013.
12
Clause 0.2, ISO 9001:2008 Quality Management System – Requirements, 15 November 2008 “Process
approach refers tothe application of a system of processes within an organization, together with the
identification and interactions of these processes, and their management to produce the desired outcome.”
13
Clause 3.5., Government Quality Management System Standards (GQMSS), the “Quality Management
Systems - Guidance Document for the Application of ISO 9001:2000 in Public Sector Organizations,” 21 June
2007; Executive Order (EO) No. 605 s. 2007; and Republic Act (RA) No. 9013.
14
Clause 5.1.1, ISO 9000 Introduction and support Package:Guidance on the Concept and Use of the Process
Approach for management systems.
171
Sub-Module 3. The Continual Improvement
Sub-Module 3 accentuates the need for continual improvement to be integrated in the

support, as well as in the operating systems to deal with the changing citizens‟
needs, expectations and requirements. The sub-module likewise incorporates
methods to identify and implement potential improvements in their operations to meet
the organization‟s objectives.
Generic Module on Controls in the Risk Management System
As a Member State of the United Nations, the government is required to take

appropriate measures on effective and efficient systems of risk management and
internal control to promote transparency and accountability in the bureaucracy. 15
Among the elements of risk management, risk assessment and risk treatment plays
an important role to ensure that risks in the organization are managed efficiently and
effectively in order to meet the diverse needs of citizens. ISO 31000:2009 Risk
Management System (RMS) – Principles and Guidelines together with ISO
31010:2009 Risk Management-Risk Assessment Techniques serve as guides in the
conduct of risk assessment to arrive at an appropriate response that could lead to the
successful achievement of agency objectives.
The module is focused on internal controls such as risk assessment and risk
treatment that are integrated in the organizational processes and decision making
process. Risk treatment, which forms part of the risk management process, is a risk
response that also falls under the control activity. It is discussed in this sub-module
on RMS. At the end of the module, the target readers are expected to:
1) Understand the concept of risk assessment in the public service sector as an

important control that provides input to decisions;
2) Be capacitated in the conduct of risk assessment in the support services and
operating units; and
3) Be capacitated in the development and implementation of risk response in the
support services and operating units to meet agency objectives.
Sub-Module 1. Understanding Risk Assessment in the Public Service Sector
Sub-Module 1 provides the readers an improved understanding of risk assessment in

the support services and operating units/systems that could affect the achievement of
objectives since “the output of risk assessment is an input to the decision-making
processes of the organization.”16
15
Article 9 Public Procurement and Management of Public Finances, Chapter II, Preventive Measures, United
Nations Convention Against Corruption (UNCAC), 31 October 2003.
16
Clause 5.1, ISO 31010 – Risk management – Risk assessment techniques, 13 November 2009.
172
Sub-Module 2. Risk Assessment: Process and Techniques
Sub-Module 2 attempts to promote the enhancement of risk assessment as a control

measure covering risk identification, risk analysis and risk evaluation. The sub-
module provides organizational capability in the of conduct risk assessment to
provide evidence-based information in making informed decisions on how to treat
particular risks and how to select between options.17
Sub-Module 3. Risk Modification Option or Risk Response
Sub-Module 3 focuses on the organizational capabilities in developing and

implementing the risk response (risk treatment, risk transfer, risk tolerance and risk
termination) as a control to ensure 4Es in its operations. Controls include any
process, policy, device, practice, or other actions which modify the risk.18 In addition,
the sub-module helps in developing appropriate skills in installing risk response in
agencies.
17
Ibid.
18
Clause 3.8.1.1, ISO Guide 73:2009 “Risk management – vocabulary”, 13 November 2009.
173
Appendix B : Skills, Related Knowledge, Attributes and Other Competencies of
an Internal Auditor
Competency “is a set of skills, related knowledge and attributes that allow an
individual to perform a task or an activity within a specific function or job.”19
a. Related knowledge “relates to information, cognitive domain.” These are the

related theories, concepts and ideas necessary to perform a task or job.
b. Set of skills “relates to the ability to do, physical domain” of performing the task.
The set of skills are the applied knowledge needed for the tasks.
c. Attributes “relate to the qualitative aspects, characteristics or traits of the

competency.” These are the characteristics or traits required in performing the
task.
The following are the types of competencies that an individual must possess to
perform a task.
a. Generic. “Competencies which are considered essential for all staff, regardless of
their function or level, i.e., communication, execution, processing tools, linguistics,
etc.”
b. Technical/Functional. “Specific competencies which are considered essential to

perform any job within a defined technical or functional area of work”, i.e.,
positions being unique and highly technical as they involve investigatorial, quasi-
judicial, prosecutorial20 and auditorial functions.
c. Managerial. “Competencies which are managerial or supervisory in any service.

Managerial competencies are applied horizontally across the organization, i.e.,
analysis and decision-making, team leadership, change management, etc.”
In PNS ISO 19011:200221, the competence of auditors is defined as the

demonstration of “the personal attributes…and ability to apply the knowledge and
skills… gained through education, work experience, auditor training and audit
experience x x x” (underscoring supplied).
19
United Nations Industrial Development Organization (UNIDO) Competencies.
20
Office of the Ombudsman vs. Civil Service Commission, G.R.No.159940, 16 February 2005.
21
Guidelines for Quality and/or Environmental Management Systems Auditing.
174
The concept of competence of auditors under PNS ISO 19011:2002 is adopted to
provide competency in management control and operations audit.
Competence
Management Control Organization and

Generic Sector
Operations Audit
Knowledge
and Specific Knowledge and
Specific Knowledge
Skills Skills
and Skills
Education Work Auditor Audit

Experience Training Experience
Personal Attributes
a. Examples of the generic knowledge and skills essential for all government
employees regardless of function and position include those provided under the
1987 Constitution, Civil Service Rules and Regulations, RA 6713 or the “Code of
Conduct and Ethical Standards for Public Officials and Employees and the
General Principles Governing Public Officers and Employees under the
Administrative Code of 1987.
b. Organizational and sectoral specific knowledge and skills include:

i. Organizational mandate and objectives, programs and projects, systems and
processes.
ii. Organization and sectoral situations that enable the auditor to comprehend the
organization‟s operational context.
iii. Applicable laws, regulations and other requirements: to enable the auditor to
work within, and be aware of the requirements that apply to the organization
and sector.
c. The specific knowledge and skills of management control, operations audit and
compliance audit include:
i. Internal control components (control environment; risk assessment; control
activities; information and communication; and monitoring).
ii. Internal control objectives (safeguard assets; check accuracy and reliability of
accounting data; adherence to managerial policies; comply with laws, rules
and regulations; and ensure economical, ethical, efficient and effective
operations).
iii. Management audit, operations audit and compliance audit principles,

processes, methodologies and techniques.
175
iv. Operating systems, management support systems and reference international
best practices.
d. The personal attributes of public officials and employees essential in the
discharge and execution of duties include the norms of conduct of public officials
and employees provided under Section 4 of RA 6713, herein provided as follows:
“Section 4. Norms of Conduct of Public Officials and Employees. - (A) Every
public official and employee shall observe the following as standards of
personal conduct in the discharge and execution of official duties:
(a) Commitment to public interest. - Public officials and employees shall
always uphold the public interest over and above personal interest. All
government resources and powers of their respective offices must be
employed and used efficiently, effectively, honestly and economically,
particularly to avoid wastage in public funds and revenues.
(b) Professionalism. - Public officials and employees shall perform and
discharge their duties with the highest degree of excellence,
professionalism, intelligence and skill. They shall enter public service with
utmost devotion and dedication to duty. They shall endeavor to discourage
wrong perceptions of their roles as dispensers or peddlers of undue
patronage.
(c) Justness and sincerity. - Public officials and employees shall remain true to
the people at all times. They must act with justness and sincerity and shall
not discriminate against anyone, especially the poor and the
underprivileged. They shall at all times respect the rights of others, and
shall refrain from doing acts contrary to law, good morals, good customs,
public policy, public order, public safety and public interest. They shall not
dispense or extend undue favors on account of their office to their relatives
whether by consanguinity or affinity except with respect to appointments of
such relatives to positions considered strictly confidential or as members of
their personal staff whose terms are coterminous with theirs.
(d) Political neutrality. - Public officials and employees shall provide service to
everyone without unfair discrimination and regardless of party affiliation or
preference.
(e) Responsiveness to the public. - Public officials and employees shall extend
prompt, courteous, and adequate service to the public. Unless otherwise
provided by law or when required by the public interest, public officials and
employees shall provide information of their policies and procedures in
clear and understandable language, ensure openness of information,
public consultations and hearings whenever appropriate, encourage
suggestions, simplify and systematize policies, rules and procedures, avoid
red tape and develop an understanding and appreciation of the socio-
economic conditions prevailing in the country, especially in the depressed
rural and urban areas.
(f) Nationalism and patriotism. - Public officials and employees shall at all
times be loyal to the Republic and to the Filipino people, promote the use
of locally produced goods, resources and technology and encourage
appreciation and pride of country and people. They shall endeavor to
maintain and defend Philippine sovereignty against foreign intrusion.
176
(g) Commitment to democracy. - Public officials and employees shall commit
themselves to the democratic way of life and values, maintain the principle
of public accountability, and manifest by deeds the supremacy of civilian
authority over the military. They shall at all times uphold the Constitution
and put loyalty to country above loyalty to persons or party.
(h) Simple living. - Public officials and employees and their families shall lead
modest lives appropriate to their positions and income. They shall not
indulge in extravagant or ostentatious display of wealth in any form. “
In addition, government auditors should possess the following personal attributes
relevant to management control, operations audit and compliance audit:
(a) open-minded, i.e., willing to consider alternative ideas or points of view;
(b) diplomatic, i.e., tactful in dealing with people;
(c) observant, i.e., actively aware of the physical surroundings and activities;
(d) perceptive, i.e., instinctively aware of and able to understand situations;
(e) versatile, i.e., adjusts readily to different situations;
(f) tenacious, i.e., persistent, focused on achieving objectives;
(g) decisive, i.e., reaches timely conclusions based on logical reasoning and
analysis; and
(h) self-reliant, i.e., acts and functions independently while interacting effectively
with others.22
22
Adopted from the personal attributes of auditors under PNS ISO 19011:2002, Guidelines for Quality and/or
Environmental Management Systems Auditing
177
Appendix C : Qualification Standards and Functions of the Head and Staff of
the IAS/IAU
The table hereunder provides for the qualification standards and functions of each
position in the IAS/IAU. It reflects the minimum competency required in the areas of:
a) Education; b) Experience; c) Training; and d) Eligibility that will enable auditors to
perform in a competent manner, the functions so desired by the IAS/IAU.
Position Qualification Standards23 Functions24
Director IV (Head 1. Education: any of the following: Administrative Functions

of Internal Audit) Master‟s Degree in Accounting, 1. Submits work and financial plan;
Public Administration, Criminology, 2. Submits annual procurement report;
Information Technology/Computer 3. Submits accomplishment reports;
Science, and other related and
disciplines relevant to the 4. Submits performance evaluation,
Department/Agency where he/she targets and ratings of staff.
may be assigned; Bachelor‟s
Degree in Law would be an Operational Functions
advantage 1. Establishes the annual goals,
objectives and performance
2. Experience: 4 years of relevant targets of the internal auditing
experience in one or a unit;
combination of the following: 2. Establishes internal auditing
Public Administration, Internal standards, guidelines and
Auditing, Administrative or Criminal procedures for the guidance of the
Investigation, Forensics (e.g., internal audit staff;
Accounting, Information 3. Determines the extent of
Technology, International coordination with the Commission on
Organization for Standardization Audit to avoid duplication of audit
[ISO] Management Systems, and report;
other related disciplines) 4. Ensures support of management in
the conduct of internal audit;
3. Training: 40 hours of training in one 5. Responsible for work performance
or a combination of the following: and discipline of the staff;
Public Administration, Internal 6. Reviews and approves internal audit
Auditing, Administrative or Criminal plans;
Investigation, Forensics 7. Discusses internal audit scope and
(e.g., Accounting, Information objectives with agency/unit or
Technology, International personnel to be covered prior to the
Organization for Standardization conduct of audit;
[ISO] Management Systems, and 8. Reviews and approves internal
other related disciplines) audit reports;
9. Discusses audit results with
4. Eligibility: Any of the following: auditee/s before the report is
CESO III; CESO III and Lawyer or finalized;
CESO III and CPA-Lawyer would 10.If necessary, discusses the
be an advantage conclusions and
recommendations in the audit
report with the appropriate level of
management;
11.Follows up actions to determine if
audit recommendations have been
carried out or not and inquires for
the reasons for non-implementation;
23
Civil Service Commission Memorandum Circular No. 12, s. 2006.
24
DBM Budget Circular No. 2004-4, Guidelines on the Organization and Staffing of Internal Auditing Units
(IAUs), 22 March 2004.
178
12. Investigates anomalies discovered

in audit and submits reports and
recommendations on investigations
completed;
13. Reviews and approves
recommendations for enhancement
of the internal audit functions; and
14. Does related work.
Internal Auditor V 1. Education: Master‟s Degree in 1. Under direction, supervises a

Accounting, Public Administration, division tasked with internal
Criminology, Information audit functions;
Technology/Computer Science and 2. Establishes the annual goals,
other disciplines related to the objectives and performance tar-gets;
abovementioned, preferably 3. Establishes internal auditing
Bachelor‟s Degree in Law. standards, guidelines and
procedures for the guidance of the
2. Experience: 4 years in position/s internal audit staff;
involving Internal Auditing, 4. Does final review of internal
Administrative or Criminal audit plans;
Investigation and/or Forensics 5. Recommends approval of internal
(e.g., Accounting, Information audit plans;
Technology, International 6. Reviews internal audit report;
Organization for Standardization 7. Determines training needs of internal
[ISO] Management Systems and audit staff;
other related disciplines); 8. Responsible for work performance
Management and Supervisory and discipline of audit staff; and
experience 9. Does related work.
3. Training : 24 hours of training in

Internal Auditing, Administrative or
Criminal Investigation, Forensics
(e.g., Accounting, Information
Technology, International
Organization for Standardization
[ISO] Management Systems and
other related
disciplines);Management and
Supervision
4. Eligibility: Career Service

(Professional)/Secondary Level
Eligibility, preferably Bar/CPA, (RA
1080 or both Lawyer and CPA)
Internal Auditor IV 1. Education : Bachelor‟s degree 1. Under direct supervision, assists in

relevant to the job (Law, supervising a division tasked with
Accounting, Public Administration, internal audit functions;
Criminology, Information 2. Reviews internal audit plans;
Technology/Computer Science and 3. Discusses internal audit plans with
other disciplines related to the the concerned staff;
abovementioned) 4. Reviews written internal audit
reports;
5. Trains new internal auditors;
6. Rates performance of audit staff;
and
7. Does related work.
179
2. Experience : 3 years of relevant

experience involving Internal
Auditing, Administrative or Criminal
Investigation and/or Forensics (e.g.,
Accounting, Information
other related disciplines)
3. Training: 16 hours of training in

Criminal Investigation and/or
Forensics (e.g., Accounting,
Information Technology,
International Organization for
Standardization [ISO] Management
Systems and other related
disciplines)
4. Eligibility : Career Service

Eligibility or Bar/ board passer on
disciplines related to the
abovementioned
Internal Auditor III 1. Education: Bachelor‟s degree 1. Under general supervision, reviews
relevant to the job (Law, agency organizational structure,
Accounting, Public Administration, staffing, administrative systems and
Criminology, Information procedures;
Technology/Computer Science and 2. Drafts audit plans for review of
other disciplines related to the immediate supervisor,
abovementioned) 3. Follows-up actions to determine if
audit recommendations have been
2. Experience: 2 years in position/s carried out;
involving Internal Auditing,
Administrative or Criminal 4. Performs difficult auditing work; and
Investigation and/or Forensics (e.g., 5. Does related work.

disciplines)
180

Eligibility or board passer on
disciplines related to the
abovementioned
Internal Auditor II 1. Education : Bachelor‟s degree 1. Under general supervision, conducts

relevant to the job (Law, researches to obtain background
Accounting, Public Administration, information on the activities to be
Criminology, Information audited;
Technology/Computer Science and 2. Discusses research findings with
other disciplines related to the the leader of the auditing team;
abovementioned) 3. Performs simple auditing work;
4. Drafts report on the results of audit;
2. Experience : 1 year in position/s and
involving Internal Auditing, 5. Does related work.
Administrative or Criminal
Investigation and/ or Forensics
(e.g., Accounting, Information

disciplines)

(Professional)/ Secondary Level
Eligibility
Internal Auditor I 1. Education : Bachelor‟s degree 1. Under general supervision,

relevant to the job (Law, conducts researches to obtain
Accounting, Public Administration, background information on the
Criminology, Information activities to be audited;
Technology/Computer Science and 2. Discusses research findings with the
other disciplines related to the leader of the auditing team;
abovementioned) 3. Performs simple auditing work;
4. Drafts report on the results of the
2. Experience : 1 year in position/s audit completed;
involving Internal Auditing, 5. Does related work.
181

disciplines)

(Professional)/ Secondary Level
Eligibility
Internal Auditing 1. Completion of 2 years of study in 1. Under immediate supervision,

Assistant college assists internal auditors in the
conduct of internal audit; and
2. Experience : 1 year in position/s 2. Does related work.
involving Internal Auditing,

disciplines)
4. Eligibility: Career Service (Sub-

professional)/First level eligibility
182
Appendix D : Diagram and Flowcharts of Internal Audit Key Process
D. 1 Flowcharting symbols25
Start/end of audit process
Description of process
Document
Reference document
Decision box
Process flow direction
Link to reference document
Link to document
Off-page reference
Incoming reference
25
PNS ISO 5807:2004 – “Information processing – Documentation symbols and conventions for data, program
and system flowcharts, program network charts and system resources charts”; UN Audit Manual, Internal
Audit Division, Office of Internal Oversight Services, March 2009.
183
D. 2 Internal Audit Key Processes Diagram
Strategic and Annual Types of Audit Process Monitoring &

Planning Audit Evaluation
BAICS Compliance Audit Planning

Audit
Control
Significance Audit Execution Performance
Annual
and Management Monitoring and
Materiality
Work Audit Evaluation
Plan
Control Risk Audit Reporting
(AWP)
Operations
Internal Audit
Audit Follow-up
Audit Risk
D. 3 Baseline Assessment of internal Control Flow Diagram
Components of
Internal Control Controls
System
1) Control Control Gaps,

Environment Operating Deficiencies and Interim Report
System-Key Breakdowns
2) Risk Assessment processes N
O NO NO
3) Control Activities Test of
Flow Controls
Y Chart, YE
Narrative S
4) Information and Support E YES Reviews of B
Notes and Oversight
Communication System-Key Walk Control and Int’l. A
processes Through Dev’t.
+ =
5) Monitoring Universe Bodies
R
184
D. 4 Control Significance and Materiality and Control Risk Flow Diagram
Control Controls • Control

significance
and
Objectives materiality
• Control Risk
Operating
System-Key NO Not prioritized in
1) Safeguard Assets
processes the strategic and
2) Check Accuracy & annual work plan
Reliability of
Accounting Data
3) Adherence to YES
Support Assessment for
Managerial
5) Compliance
Ensure Policies
4Es of
4) w/ LRP System-Key internal audit risk
Operations
processes
D. 5 Internal Audit Risk Assessment Flow Diagram
Functions Process for managing risk Risk
1. Advise the DS/GB/AuditCom on all

matters relating to management control Not
and operations audit; prioritized in
the Strategic
Establishing the and Annual
2. Conduct management and operations context
performance audit of the Department/ Plan
Agency/GOCC/GFI activities and their HIGH
units and determine the degree of Risk assessment
compliance with their mandate, policies,
government regulations, established
objectives, systems and procedures/ Risk identification
processes and contractual obligations;
Communication and consultation
3. Review and appraise systems and

Monitoring and review
procedures/processes, organizational
structure, assets management practices,
financial and management records, Risk analysis
reports and performance standards of the
agencies/units covered;
4. Analyze and evaluate management

deficiencies and assist top management Risk evaluation
LOW
by recommending realistic courses of
action; and
5. Perform such other related duties and
responsibilities assigned or delegated by
the Secretary/Head of Agency or the Risk treatment Strategic
Governing Board, thru the Audit Plan and
Committee, or as may be required by law. Annual Work
Plan
185
D. 6 Flowchart of Strategic Audit Planning
D.6. 1 Conduct of Baseline Assessment of Internal Control System
Head of Internal Audit Audit Team Leader

(HoIA) Audit Team Members
Issue Office Order for

the conduct of strategic Formulate internal control
and annual work plan questionnaire
sometime September
Internal Control
Questionnaire
(ICQ)
Guide staff and monitor progress of

Administer internal control
audit and analyze gaps/deficiencies
questionnaire
Interim Report,
ICQ Working
if critical
Papers

audit and analyze gaps/deficiencies Evaluate system/process
flowcharts
Interim Report,
if critical Flowcharts
Working
Papers

Evaluate system/process narrative audit and analyze gaps/deficiencies
Interim Report, Narrative

if critical Descriptive Working
Statement Papers

audit and analyze gaps/deficiencies Conduct of walkthrough
Interim Report,
if critical Flowcharts
and Working
Narratives Papers
D.6.1a
186
D.6 Strategic Audit Planning
D.6.1a Conduct of Baseline Assessment of Internal Control System (continuation)
Head of Internal Audit Audit Team Leader

(HoIA) Audit Team Members
D.6.1
Perform test of control
Analyze gaps/deficiencies Working

Papers
Interim
Report, if
critical
Validation of controls and define control universe
Control
Consider reports of various monitoring and oversight bodies and
Universe
interim reports
Control
Universe
Working
Papers
Review the draft Baseline Prepare the draft Baseline

Assessment Report (BAR) Assessment Report (BAR)
BAR BAR
No
Approved? Revise the Baseline
Assessment Report (BAR)
Yes
Sign Baseline Assessment

Report
D.6.4
D.6.2
187
D.6 Strategic Audit Planning
D.6. 2 Assessment of Control Significance and Materiality and Control Risk
Head of Internal Audit Audit Team Leader Audit Team Members

(HoIA)
D.6.1a
Assess control significance and materiality level Identify controls in the potential
audit area
Working
Working
papers
papers
Conduct risk assessment of

Assess control risk level significant and material controls
on operating and support system/
process
Working
papers
Working
papers
Rank potential audit areas based on the assessment of control

significance and materiality and control risk levels D.6.3
Working
papers
Significant?
Material?
High Risk?
Yes No
Not included
D.6.4 in the Stra-
tegic Plan
188
D.6 Strategic Planning
D.6. 3 Assessment of Internal Audit Risk

(HoIA)
D.6.2
Choose the risk identification method/s or technique/s to be used
Working
papers
Guide staff and monitor progress Identify risk sources and events
of audit
Working
papers
Guide staff and monitor progress Identify causes of risk

of audit
Working
papers
Choose the risk analysis method or technique to be used
Working
papers
Guide staff and monitor progress Determine consequences for iden-

of audit tified risks
Working
papers
Guide staff and monitor progress Determine probabilities for identified

of audit risks
Working
papers
Guide staff and monitor progress

Identify factors that could affect
of audit
consequences and probability
Working
papers
Guide staff and monitor progress Determine level of risks

of audit
Working
D.6.3a
papers
189
D.6.3a Assessment of Internal Audit Risk (continuation)
Head of Internal
Audit (HoIA) Audit Team Leader Audit Team Members
D.6.3
Compare estimated levels of risks with risk criteria
Working
Papers
Determine whether risk or its magnitude is acceptable or

tolerable
Working
Papers
Risk?
Low High
Not
prioritized
D.6.4
190
D.6. 4 Formulation of Strategic Plan
Head of Internal
D.6.1 D.6.2 D.6.3
Analyze the results of the Baseline

Assessment Report (BAR)
BAR
Working
Papers
Evaluate the result of the assessment of

control significance and materiality and
control risk
Control
Significance &
Working
Materiality &
Papers
Control Risk
Evaluate the result of the assessment of

internal audit risk
Internal
Audit Risk Working
Papers
Formulate and submit the Strategic Plan

Review Strategic Plan
Strategic
Strategic
Plan
Plan
No
Approved?
Yes
D.7.1
191
D. 7 Preparation of Annual Work Plan
D.7. 1 Prioritize, by Process, the Control Methods and Measures into Potential Audit Areas
Head of Internal
D.6.4
Guide staff and monitor Validate the Baseline Assessment

progress of audit Report (2nd and 3rd year)
Working
Papers
Update consideration of control

Guide staff and monitor significance, materiality and risk
progress of audit (2nd and 3rd year)
Working
Papers
Update internal audit risk

Guide staff and monitor
assessment (2nd and 3rd year)
progress of audit
Working
Papers
Review prioritization of potential Prioritize potential audit areas

audit areas Prepare priority potential audit
areas
Working Working
Working
Papers Papers
Papers
No
Revise prioritized potential audit
Approved?
areas
Yes
D.7.2
192
D.7 Preparation of Annual Work Plan
D.7. 2 Validate Previous Audit Follow-up Report
Head of Internal Audit Audit Team Members

Audit Team Leader
(HoIA)
D.7.1
Validate report of non-implement-

Guide staff and monitor ation/inadequate implementation
progress of audit of preventive/corrective actions
Working
Papers
Validate report of justification

Guide staff and monitor for non-implementation/inade-
progress of audit quate implementation of actions
Working
Papers
Validate recommendations for

Guide staff and
possible legal/management
monitor progress of
action for non-implementation/in-
audit
adequate implementation of
preventive/corrective actions
Working
Papers
Review (revised) annual work plan Evaluate (revised) annual Prepare annual work plan
work plan
Annual Annual Annual

Work Plan Work Plan Work Plan
No
Approved?
Revise annual work plan
Yes
Submit and discuss the Strategic Revised

Audit Plan and Annual Work Plan Annual Work
with the DS/HoA or GB-AuditCom Plan
in the first year (Annual Work Plan
(AWP) only on the second and third
year)
Strategic Audit
END
Plan and AWP
193
D. 8 Flow Diagram of Compliance, Management and Operations Audit
D.8. 1 Compliance Audit Flow Diagram
Components of Established Criteria/

Internal Control Controls Standards Output
System
1) Control Environment 1) The Philippine

Constitution
2) Laws and their IRR

2) Risk Assessment Design
3) Presidential
Issuances Compliance
with Laws,
3) Control Activities 4) Issuances of Regulations
Oversight and and Policies
Regulatory
4) Information and Bodies
Communication Implementation 5) Agency
Issuances
5) Monitoring 6) Contractual
Obligations
D.8 Flow Diagram of Compliance, Management and Operations Audit

D.8. 2 Management Audit Flow Diagram
Components of
Control
Internal Control Controls Output
Objectives
System
1) Control 1) Safeguard Assets

Environment Operating
System-Key
processes 2) Check Accuracy &
2) Risk Assessment Reliability of
Accounting Data
Control
3) Control Activities 3) Adherence to Effectiveness
Managerial Policies
4) Information and
Communication Support 4) Compliance w/ LRP
System-Key
processes 5) Ensure 4Es of
5) Monitoring
Operations
194
D.8 Flow Diagram of Compliance, Management and Operations Audit
D.8. 3 Operations Audit Flow Diagram
“Doing things right” given the

“Doing the right things”
available inputs and within
achieving expected results and
a specified timeframe
contribute to sectoral goals
Efficient
Effective
Consistent with the Code

Perform usingof Conduct
the least and Ethical Standards
amount of inputs within a
specific timeframe Ethical
Economical
Input Evaluation Outcome Evaluation
Process Evaluation Output Evaluation
Quality Quality Quality Quality
Input Process Outputs Outcomes
Law, mandate, Implementation,
program, organization, risk response, Products and Benefits and
staff, system‟, resources performance and services impact or
and managerial policies compliance reviews change
Citizens’ Needs Serving Citizens’ Satisfied Citizens’ Improved Quality

Needs Needs of Life
D. 9 Audit Process Flow Diagram
Audit Engagement Planning
Audit Execution
Audit Reporting
Audit Follow-up
195
D.9 Audit Process Flow Diagram
D.9. 1 Audit Engagement Planning Flow Diagram
1. Document understanding of the

program and project
2. Determine the audit objective, scope
and criteria and audit evidence
3. Determine the resource required for the
audit and the target milestone/dates
4. Develop the audit plan and audit
program
5. Determine the Key Performance
Indicators (KPIs) of the audit
engagement
6. Secure approval of the audit plan and
audit work program and KPIs
How to Audit
EXECUTION

D.9. 2 Audit Execution Flow Diagram
REPORTING 1. Entry Conference

2. Conduct compliance audit
FOLLOW- b. Compare conditions with criteria
c. Determine probable cause(s)
UP d. Prepare working papers
3. Conduct system/process audit
b. Compare conditions with criteria
c. Determine root cause(s)
4. Exit conference
What and How to Report
What to Follow-up
196
D.9. 3 Audit Reporting Flow Diagram
1. Develop audit findings

a. Criteria (laws and standards)
b. Condition (findings of facts)
c. Conclusion (conclusion of
facts)
d. Cause (root cause(s) or
probable cause(s))
2. Develop audit recommendations

D.9. 4 Audit Follow-up Flow Diagram
FOLLOW-UP What to Follow Up
1. Monitor implementation of approved

audit findings and recommendations
2. Resolve non-implementation/inadequate
implementation of audit
recommendations
3. Prepare audit follow-up report
197
D. 10 Flowchart of Audit Process
D.10. 1 Flowchart of Audit Engagement Planning

(HoIA)
Issue Office Order for the

conduct of MA/OA of an
office/agency/department
Implement office order to conduct

Constitute Audit Team
MA/OA/RC
Validate assumptions in annual

Data built-up and analyses on
Issue memo to auditee for plan (determine whether assump-
audited entity
the conduct of audit and tions are still valid and relevant)
request of documents
Working Working
papers papers
Memo
Update assumptions in annual plan in case of

changes
Working
papers
Determine audit objective based on the data built-

up and updated assumptions
Statement of
audit objective
Determine audit scope to achieve the audit

objective by stating what the audit intends to cover
and the relevant time frames
Statement of
audit scope
D.10.1a
198
D.10 Flowchart of Audit Process
D.10.1a Flowchart of Audit Engagement Planning (continuation)
Head of Internal
Audit Team Leader Audit Team Members
Audit (HoIA)
D.10.1
Select sampling method to be adopted

Determine sample size for detailed testing
Determine audit tools and techniques
Working
papers
Determine the audit criteria including statutory and/or

managerial requirements; process requirements; citizens‟
requirements, needs and expectations; and audit evidence
Working
papers
Determine the resources required for the audit and target

milestone dates
Working
papers
Determine Audit Plan

Determine the nature, extent and timing of the audit
Review Draft Audit Plan engagement
Describe the rationale for the audit and the relevant
facts and information about the organization, audit
objective and scope and the criteria to be used
Describe resources/inputs
Draft Audit
Plan
Draft Audit
Plan
D.10.1b
199
D.10.1 b Audit of Engagement Planning (continuation)
Head of Internal
Audit (HoIA)
D.10.1a
Develop Audit Program

List steps to be taken by the audit team when analyzing transactions to achieve the audit objective Specify the
Review
name/s of the auditor Draft Audit
responsible forProgram
a given job
Draft Audit Draft Audit

Program Program
Review (revised) draft Audit Plan Evaluate (revised) draft Audit

and Program Plan and Program
Draft
Draft Audit
Audit Plan
Plan and
and
Program
Program
No
Approved?
Revise draft Audit Plan and Program
Yes
Prepare final Audit Plan and Revised
Program draft Audit
Plan and
Program
Final
Sign Audit Plan and Program Audit Plan
and
Program
Approved
Audit Plan
and
D.10.2 Program
200
D.10. 2 Flowchart of Audit Execution
D.10.2.1 Entry Conference

(HoIA) Audit Team Leader
Recommends schedule of Entry

Conference and Draft Audit
Directs the conduct of audit Notification Memorandum (ANM)
Audit Plan
and Program
Consider the recommended Entry
Conference schedule and the
ANM
ANM
No
Approved?
Yes
Approve recommended Organize Entry Conference

Entry Conference schedule Issue ANM to Auditee Coordination on schedule,
Sign ANM Guide audit team and time, venue and attendees
Direct Entry Conference monitor progress
preparation
ANM ANM
Perform/ arrange preparatory

Supervise the Audit Team activities needed for the entry
Identify Entry Conference conference
attendees
Attend and conduct Entry Conference
Entry
Conference
Notes
D.10.2.2
201
D.10.2.2 Compliance Audit

(HoIA)
D.10.1b D.10.2.1
Meet with audit team to discuss audit plan and program
Built-up facts and evidence to

Entry determine compliance with laws,
Audit rules, regulations, managerial
Conference
Plan and policies and operating processes
Notes
Program
Working
papers
Perform substantive tests on

compliance with rules, regu-
of audit
lations, managerial policies and
operating processes to establish
the condition
Supervise the audit team in the
progress of the audit Report progress of the audit
Working
papers
Report

Compare conditions with criteria
of audit
to draw specific conclusions

Report progress of the audit Working
progress of the audit
papers
Report

Determine root/probable cause
of the audit
Working
Supervise the audit team in the papers
Report progress of the audit
Report
D.10.2.2a
202
D.10.2.2 a Compliance Audit (continuation)

Audit Team Leader
(HoIA)
D.10.2.2
Guide staff and monitor progress Index, file and collect inform-
of audit ation and working papers
Working
papers
Analyze audit findings in

Guide staff and monitor progress terms of 4 Cs- Criteria,
of audit Condition, Conclusion and
Cause
Working
Review progress of the Report progress of the
papers
compliance audit report, control compliance audit and report con-
gaps, deficiencies trol gaps, deficiencies or
breakdowns
Interim Audit Interim Audit

Report, if Report, if
critical critical
Is there a
need to report No
to DS/GB – Conduct System/Process Audit
AuditCom
Yes
Send Internal Audit Memorandum D.10.2.3

and Interim Audit Report for the
DS/HoA or GB/AuditCom
Interim Audit Internal

Report Audit Memo
END
203
D.10.2.3 System/Process Audit
Head of Internal Audit

(HoIA)
D.10.2.2a
Guide staff and monitor progress Perform substantive tests on

of audit System/Process to establish
condition

progress of the audit Report progress of the audit Working
papers
Report
Compare conditions with

Guide staff and monitor progress criteria to draw specific
of audit conclusions
Supervise the audit team in the Working

Report progress of the audit
progress of the audit papers
Report
Guide staff and monitor progress Determine root/probable

of audit cause
Working
Supervise the audit team in the Report progress of the audit papers
Report
Index, file and collect

Guide staff and monitor progress information and working
of audit papers
D.10.2.3a
204
D.10.2.3a System/Process Audit (continuation)
Head of Internal Audit

(HoIA)
D.10.2.3
Guide staff and monitor progress Analyze findings in terms of

of audit 4Cs - Criteria, Condition,
Conclusion and Cause
Supervise the audit team in the Working

progress of the audit Report progress of audit papers
Progress
Report
Review (revised) report on Evaluate (revised) report on Prepare report on Compliance

Compliance and System/Process Compliance and System/Process and System/Process Audits
Audits Audits
Report Report
Working
papers
No
Approved? Revise report on Compliance and System/
Yes Process Audits
D.10.2.3b Report
Conduct progress assessment based on monitoring plan
Review (revised) progress Evaluate (revised) progress assess-

assessment report ment report
Report Report
Yes
No
Approved? Revise progress assessment report
D.10.2.3b
Revised
progress
assessment D.10.2.3b
report
205
D.10.2 Audit Execution
D.10.2.3 b System/Process Audit (continuation)
Head of Internal
D.10.2.3a
Integrate audit findings
Prepare audit highlights of

audit findings in terms of 4Cs -
of audit
Criteria, Condition, Conclusion
and Cause
Supervise the audit team in the Report audit highlights and obser-
progress of the audit vations
Working
papers
Report
D.10.2.4
206
D.10.2 Flowchart of Audit Execution
D.10.2.4 Exit Conference

(HoIA)
D.10.2.3b
Recommends schedule of Exit

Conference and draft Exit Conference
Notification Memorandum (ECNM)
Consider the recommended
schedule of Exit Conference and
the ECNM
No
Approved?
Yes
Approve recommended schedule

Organize Exit Conference
of Exit Conference
Issue ECNM to auditee Coordination on sche-
Sign ECNM
Guide audit team and monitor dule, time, venue and
Direct Exit Conference attendees
progress
preparation
ECNM
ECNM
Supervise the Audit Team

Identify Exit Conference attendees Perform/ arrange preparatory activi- Execute
ties needed for the Exit Conference preparatory acti-
vities
Attend and conduct Exit Conference with request for management comment
Exit
D.10.2.4a
Conference
Notes
207
D.10.2 Flowchart of Audit Execution
D.10.2.4a Exit Conference (continuation)

(HoIA)
D.10.2.4
Direct evaluation of manage-

ment comments Evaluate and analyze management comments
Management
Comments submitted
after 10-15 days Rejoinder
revie
Review management comments

with that of the audit team‟s
rejoinder
Manage-
ment
Rejoinder
Comments
No
Acceptable?
Yes
revie
Direct the inclusion of the

management‟s valid comments D.10.3
and reiterate unsubstantiated
comments to the preparation of
Audit Report
No
Conduct completion assessment based on evaluation plan
Review (revised) completion Evaluate (revised) completion

assessment report assessment report
Report
Completion
Assessment
Report
No
Approved?
Revise completion assessment report
Yes
Revised
completion
assessment
report
D.10.3
208
D.10. 3 Flowchart of Audit Reporting
Head of internal Audit Audit Team Leader Audit Team Members

(HoIA)
D.10.2.4a
Synthesize audit findings in

Guide staff and monitor progress terms of 4 C‟s - Condition,
of audit Criteria, Conclusion and
Cause)
Supervise the audit team in the Report progress of the audit

progress of the audit Working
papers
Report
Recommend preventive
Guide staff and monitor progress action to avoid occurrence
of audit and corrective action to
avoid recurrence

progress of the audit Report progress of the audit
Working
papers
Report
Guide staff and monitor Recommend follow-up

progress of audit activities

progress of the audit Report progress of the audit Working
papers
Report
Review (revised) Internal Audit Evaluate (revised) Internal

Report Draft Internal Audit Report
Audit Report
Internal Internal
Audit Report Audit Report Draft Internal
Audit Report
No
Revise Internal Audit Report
Approved?
Yes Revised
Internal Audit
Send Internal Audit Memo for Report
DS/HoA or GB/AuditCom with the
Internal Audit Report
Final Internal Internal

Audit Report Audit Memo
END
209
D.10. 4 Flowchart of Audit follow-up
D.10.4. 1 Monitoring Implementation of Approved Audit Findings and Recommendations

Audit Team Leader
(HoIA)
Directs the conduct of moni-

Recommended follow-up activities
toring implementation of ap-
proved audit findings and Draft Audit Follow-up Notification Memorandum
recommendations (indicating the need to submit the status of
implementation)
Internal Audit draft Internal

Report Audit Follow-up
Notification Memo
Evaluate recommended follow-

up activities including the draft
Internal Audit Follow-up Noti-
fication Memorandum
draft Internal Audit

Follow-up Notifi-
cation Memo
No
Approved?
Yes
Issue Internal Audit Follow-up

Verify implementation of preventive/corrective actions
Notification Memorandum
Internal Audit
Follow-up
Notification
Review Status and evidence of Evaluate the implemented pre-

implementation ventive/corrective actions
Evaluation Evaluation
Report Report
D.10.4.1a
210
D.10.4. Flowchart of Audit follow-up
D.10.4.1 a Monitoring Implementation of Approved Audit Findings and
Recommendations (continuation)
Head of Internal Audit (HoIA) Audit Team Leader Audit Team Members
D.10.4.1
Sufficiency of
evidence
provided?
No
Yes
Instruct for the
change of status from
“Recommendation to
“Implemented
Instruct Audit Team to Obtain additional evidence of implementation

request for additional
evidence of imple-
mentation
Additional evidence
of implementation
Review additional evidence

and recommendation of the Evaluate sufficiency of additional evidence.
audit team Recommend appropriate action
Evaluation
Evaluation
Report
Report
Satisfactory
additional Yes Change status from “Recommendation to
evidence? “Implementation”
No
Follow-up
Report
Request audited entity justi-
fication for non-implementation
/inadequate implementation
END
Internal
Audit
D.10.4.2 Memo
211
D.10.4. Flowchart of Audit Follow-up
D.10.4. 2 Resolving Non-implemented/Inadequate Implementation of Recommendations
D.10.4.1a
Direct evaluation of auditee

Evaluation of auditee justification
justification
Auditee Evaluate report on:

Justification
Report of non-implementation/ Draft report on:
inadequate implementation of Non-implementation/inade-
preventive/ corrective actions quate implementation of
Review reports and recom-
Report of justification for non- preventive/corrective actions
mend possible legal/manage-
implementation/inadequate Justification for non-imple-
ment action for non-
implementtation of actions mentation/inadequate imple-
implementation/inadequate
mentation of preventive/cor-
implementation of preventive/ Recommend possible legal/
rective actions
corrective actions management action for non-
implementation/ inadequate
implementation of preven-
tive/corrective actions
Reports Reports
Reports
No
Approved?
Obtain additional documents required in the conduct of review
Yes
Additional
evidence
Instruct Audit Team Leader to
draft Internal Audit Memo for
DS/HoA or GB/AuditCom for Draft Audit Memorandum for DS/HoA or GB/AuditCom or appropriate
appropriate legal/management legal/management action on the non-implementation/inadequate
action on the non- implementation of preventive/ corrective actions
implementation/inadequate im-
plementtation of preventive/cor-
rective actions Internal
Submit draft Internal Audit Memo Audit
for DS/HoA or GB/AuditCom for Audit Follow-up
appropriate legal/ management Memo Report
Review and approval of the
Internal Audit Memo for release action on the non-implementation
of preventive/ corrective actions
Audit Follow- Internal Audit

up Report Memo Internal Audit Follow-
Audit Memo up Report
Send Internal Audit Memo for the

DS/HoA or GB/AuditCom
Audit Follow- Internal

up Report
Audit Memo
END
212
D. 11 Performance Monitoring and Evaluation
Monitoring Evaluation
By DS/HoA or Review of Review of IAS/IAU

GB/AuditCom Internal Performance
Audit Report
Report
By Head Review of Review of
of IAS/IAU Progress Completion
Assessmen Assessment
t Report Report
COA DBM CSC
Adequacy of Efficiency
Oversight IAS/IAU as and
part of ICS effectiveness
of IAS/IAU
as part of
ICS
Opinion/ Matters Matters on Matters on
Ruling/ on COA Budget and CSC rules
Interpretation rules and Management and
regulation regulations
213
D.11 Performance Monitoring and Evaluation
D.11. 1 Performance Monitoring by Head of Internal Audit (HoIA)
D.11.1. 1 Review of Progress Assessment Report
Direct the conduct of audit

progress assessment based on Assess progress of audit engagement
monitoring plan
Key Performance indicators (KPIs)

per engagement:
Audit objectives are met as
reflected in the audit findings
and recommendations
Findings and recommendations
are based on facts and
substantial evidence and in
compliance with relevant laws, Evaluate and submit (revised) Draft Internal Audit Progress
rules and regulations; Internal Audit Progress Assessment Report
Assessment Report
Internal Auditing Standards
(NGICS, PGIAM and other
relevant standards) per COA
and DBM rules and regulations
Findings and recommendations Draft Internal
promote the adequacy of Internal Audit Audit Prog-
internal control per COA rules Progress ress Assess-
and regulations; Assessment ment Report
Observance of high standards Report
of ethics and efficiency of public
officials and employees
per CSC rules and
regulations.
Review (revised) Internal Audit

Progress Assessment Report
Report
No
Approved? Revise Internal Audit Progress Assessment Report
Yes
Revised Inter-
Approve Internal Audit Progress As- nal Audit Pro-
sesment Report gress Assess-
ment Report
Internal Audit
Progress As-
sessment Re-
port
214
D.11.1 Performance Monitoring by Head of Internal Audit (HoIA)
D.11.1. 2 Review of Completion Assessment Report
Direct the conduct of audit

completion assessment based on Assess completion of audit engagement
evaluation plan
Key Performance indicators (KPIs)

and evaluation criteria:
Overall effectiveness and
efficiency of IAO in relation to
OPIF per DBM rules and
regulations;
are based on facts and
substantial evidence and in
compliance with relevant laws,
rules and regulations;
Internal Auditing Standards
(NGICS, PGIAM and other
relevant standards) per COA
and DBM rules and regulations
Evaluate and submit (revised)
Internal Audit Completion
promote the adequacy of
Assessment Report Draft Internal Audit Completion
internal control per COA rules
Assessment Report
and regulations;
Observance of high standards
of ethics and efficiency of public
officials and employees Internal Audit Draft Internal
per CSC rules and Completion Audit Comple-
regulations. Assessment tion Assess-
Report ment Report
Review (revised) Internal Audit

Completion Assessment Report
Report
No
Approved?
Revise Internal Audit Completion Assessment Report
Yes
Revised Inter-
Approve Internal Audit Completion nal Audit Com-
Assessment Report pletion Assess-
ment Report
Internal Audit Com-

pletion Assessment
Report
215
D.11. 2 Performance Evaluation by the Department Secretary/Governing Board –
Audit Committee
D.11.2. 1 Review of Internal Audit Report
Department Secretary/Head of Agency or

Governing Board/Audit Committee Internal Audit Service/Unit (IAS/IAU)
(DS/HoA or GB/AuditCom)
Review of the following:

1. Internal Audit Memorandum
2. Audit Report Internal Audit Memorandum
Audit Findings
Audit Recommendations
Internal Internal
Audit Audit Memo
Report
No
Evaluate Audit Findings and
Approved? Recommendations
Yes
1. Audit Report
Audit findings in terms of 4Cs
Direct the Auditee on the implementation of the which are supported by facts and
approved audit findings and recommendation substantial evidence.
Audit recommendations based on
laws and applicable jurisprudence
Approved Internal Memorandum to

Audit Report auditee on the im-
plementation of the
approved internal
audit finding and
recommendations
216
D.11.2. Performance Evaluation by the Department Secretary/Governing Board –
Audit Committee
D.11.2. 2 Review of Internal Audit Service/Unit (IAS/IAU) Performance Report
Department Secretary/Head of Agency or

Governing Board/Audit Committee Head of Internal Audit (HoIA)
Review on the adequacy of Internal Audit

Service/Unit (IAS/IAU) as part of Internal Control Internal Audit Memorandum
System (ICS)
Internal Audit Internal

Report Audit Memo
No
Adequate?
Submit relevant documents
Yes
1. Strategic Audit Plan

Baseline Assessment Report
Notification on the adequacy of IAS/IAU as part of (BAR) of ICS
ICS by the DS/HoA or GB/AuditCom
Assessment of Control Signifi-
cance and Materiality and
Control Risk Report
Notification Assessment of Internal Audit
from DS/HoA Risk Report
or GB/
AuditCom 2. Annual Audit Plan
END
3. Audit Engagement Report
4. Audit Follow-up Report
5. Performance Monitoring and
Evaluation Report.
217
D.11. 3 Oversight
D.11.3. 1 Oversight by Commission on Audit (COA)
Department Secretary/Head of
Commission on Audit (COA) Agency or Governing Board/Audit Head of Internal Audit (HoIA)
Committee
Request IAS/IAU to submit Request IAS/IAU to submit

documents needed for the documents needed for the
evaluation of the effective- evaluation of the effective-
ness and efficiency of ness and efficiency of
Internal Audit Service/Unit IAS/IAU as part of ICS
(IAS/IAU) as part of Internal
Control System (ICS)
Letter
Request Memo
Review pertinent documents Internal

for the evaluation of the
effectiveness and efficiency Audit Memorandum
of IAS/IAU as part of ICS

Report Audit Memo
No
Approved? Evaluate relevant do-
cuments
Yes

Submit documents to COA Baseline Assessment
Re-port (BAR) of ICS
Assessment of Control
Significance and Mate-
riality and Control Risk
Transmittal Report
Letter with
Assessment of Internal
documents
Audit Risk Report
2. Annual Audit Plan
6. Performance Monitoring
and Evaluation Re-
port.
218
D.11.3 Oversight
D.11.3. 2 Oversight by Department of Budget and Management (DBM)
Department of Budget Agency or Governing Head of Internal Audit (HoIA)
and Management Board/Audit Committee
(DBM) (DS/HoA or GB/AuditCom)
Request IAS/IAU to submit Request IAS/IAU to submit

documents needed for the documents needed for the
evaluation of the effective- evaluation of the effective-
ness and efficiency of ness and efficiency of
Internal Audit Service/Unit IAS/IAU as part of ICS
(IAS/IAU) as part of Internal
Control System (ICS)
Letter
Request Memo
Review pertinent documents

Internal Audit Memorandum
for the evaluation of the
effectiveness and efficiency
of IAS/IAU as part of ICS

Report Audit Memo
No
Approved? Evaluate relevant do-
cuments
Yes

Submit documents to DBM Baseline Assessment
Re-port (BAR) of ICS
Assessment of Control
Significance and Mate-
riality and Control Risk
Transmittal Report
Letter with Assessment of Internal
documents Audit Risk Report
2. Annual Audit Plan
5. Performance Monitoring
and Evaluation Re-
port.
219
D.11. 4 Request for Opinion
D.11.4. 1 Commission on Audit (COA) on Matters of COA Rules and Regulations
Agency or Governing
Board/Audit Committee Head of Internal Audit (HoIA) Auditee
Direct the Auditee to implement Comply with the approved audit

the approved audit findings and findings and recommendations
recommendations
No Yes
Implement?
Memo
Direct IAS/IAU to comment on 1. Appeal the ap- Implement

the issues raised on appeal by proved audit the
the Auditee findings and re- approved
Determine the adequacy of evi- commendations audit
dence presented to support involving viola- findings
Memo appeal tions of COA and recom-
rules and regu- men-
Yes lations dations
No
Review adequacy of evidence 2. Provide substan-
Adequate? tial evidence to
presented for appeal
prove otherwise
3. State grounds
Reverse Affirm audit relied upon for
audit findings findings and the appeal, is-
Evidence and recom- recommenda sues involved,
mendations tions and the relief
sought
Yes No
Adequate? Provide comments and

recommendations on the
adequacy of evidence
presented on issues for
appeal
Notification of Notification of
reversal of affirmation of Internal Audit
the approved the approved Memorandum
audit findings audit findings Comply with the approved audit
and recom- and recom- findings and recommendations
mendations mendations
No Yes
End Implement?
D.10.4.1a
220
D.11.4.1 a Commission on Audit (COA) on Matters of COA Rules and Regulations (continuation)
Agency or Governing
D.10.4.1
Direct IAS/IAU to comment on

the issues moved for reconsi- 1. Auditee moves for recon-
deration by the Auditee sideration
2. Provide any of the following:
New evidence discovered
Memo which materially affects
the decision;
Determine adequacy of grounds
The affirmation of the
for reconsideration
approved audit findings
and recommendations is
not supported by the
Yes No evidence on record; or
Adequate? Errors of law or irregu-
larities have been
committed prejudicial to
Recommenda- Affirm approved the Auditee
tion for the audit findings
grant of per- and recom-
mission to ele- mendations
vate to COA
Review adequacy of grounds

for reconsideration Provide comments and recom-
mendations on the adequacy of
grounds for reconsideration
Evidence Internal Audit

Memorandum
Yes No Implement the approved audit

Adequate?
findings and recommendations
Grant the Auditee permission

to elevate to COA
Memo
221
D.11.4. 2 Civil Service Commission (CSC) on Matters of CSC Rules and Regulations
Agency or Governing

recommendations
No Yes
Implement?
Memo

Memo appeal tions of CSC and recom-
Yes lations dations
No
prove otherwise
3. State grounds
sought
Yes No

appeal
No Yes
End Implement?
D.10.4.2a
222
D.11.4.2 a Civil Service Commission (CSC) on Matters of CSC Rules and Regulations
(continuation)
Agency or Governing
D.10.4.2

the decision;
Determine adequacy of grounds
The affirmation of the
for reconsideration
approved audit findings
larities have been
Recommenda- Affirm approved the Auditee
vate to CSC

for reconsideration Provide comments and recom-

Memorandum
Yes No Implement the approved audit

Adequate?
findings and recommendations

to elevate to CSC
Memo
223
D.11.4 Request for Opinion
D.11.4.3 Department of Budget and Management (DBM) on Matters of Budget and Management
Agency or Governing

recommendations
No Yes
Implement?
Memo

Memo appeal tions of DBM and recom-
Yes lations dations
No
prove otherwise
3. State grounds
sought
Yes No

appeal
No Yes
End Implement?
D.10.4.2a
224
D.11.4 Request for Opinion
D.11.4.3 Department of Budget and Management (DBM) on Matters of Budget and Management
(continuation)
Agency or Governing Board/Audit
Committee Head of Internal Audit (HoIA) Auditee
D.10.4.2

the decision;
Determine adequacy of grounds The affirmation of the
for reconsideration approved audit findings
larities have been
Affirm approved the Auditee
Recommenda-
vate to DBM

Provide comments and recom-
for reconsideration

Memorandum
Yes No
Implement the approved audit
Adequate? findings and recom-
mendations

to elevate to DBM
Memo
225
Appendix E : Internal Control Questionnaire
E. 1 Instructions for Completion
I. For the Internal Auditor
a. Select the appropriate group of respondents and invite them to read each
statement carefully and assess the conditions pertaining to the questions. Ask
the respondents to answer the questions following the instructions given.
b. Prepare a tally sheet for the answers and analyze their impact to the control
objectives. For “YES” answers, select the central or key controls for the
validation/test of controls.
c. Evaluate all “NO” answers if a compensating control is present. If there is a

compensating control, perform a validation/test of controls. If there is none,
gather pieces of evidence by triangulation and develop an interim report and
recommend courses of action for inclusion in the interim report.
d. For questions/control statements with “YES” and “NO” answers, perform a

validation/test of controls to firm up the existing condition.
e. Prepare a Summary of Gaps for reporting or further audit.
II. For the Respondents
The following questionnaire is designed to evaluate the agency‟s/organization‟s

internal control components. This has a pervasive effect on the overall system of
Internal Control because they represent the agency‟s/organization's nature and
overall attitude towards internal control.
This questionnaire is divided into five interrelated components that make up the
agency‟s/organization‟s internal control system:
Section I – Control Environment

Section II – Risk Assessment
Section III – Control Activities
Section IV – Information and
Communication Section V – Monitoring
226
Complete the matrix by performing the following:
a. Please read each statement carefully and assess the conditions pertaining to
the questions.
b. Answer with “YES” or “NO” in the space provided. Answers to questions would
require submission of evidence, such as a flowchart and other reference
documents, by the personnel concerned.
c. A space for reference documents has been provided next to each question.
For questions which require reference documents, cite the same in the space
provided.
d. The internal auditors shall review the ICQ responses as part of the baseline
assessment of internal control and may contact the personnel concerned to
follow- up on some of the questions.
* The questionnaires provided are meant to serve as a guide. The control questions
below may be revised to customize to the conditions of the agency/organization.
* Please add comments for any statement where you think additional information
will assist in validating and understanding the results you have provided
(additional pages may be attached, as necessary).
227
E. 2 Section I – Control Environment
OBJECTIVE: To obtain sufficient knowledge of the control environment in the

public sector context and understand the agency‟s/organization‟s approach,
attitude and perspectives.
These questions involve ways on how the agency/organization can inform public
officers and employees of their roles, responsibilities, accountabilities, and
authorities. They also include ways by which the agency/organization can create
an environment to better ensure that integrity and ethical values are not
compromised and that officers and employees receive and understand that thrust.
YES
QUESTIONS or Cite Reference Documents
NO
1. Are the agency‟s/organization‟s
administrative structures and
procedures designed to serve the
people? (4th whereas clause EO 292,
“Administrative Code of 1987”)
2. Are the agency‟s/organization‟s major
functional, procedural and structural
principles and rules of governance in
accordance with the Administrative
Code of 1987 or the law creating the
agency/organization? (3rd whereas clause
EO 292, “Administrative Code of 1987”)
3. a. Does the Department Secretary
(DS)/Head of Agency
(HoA)/Governing Board (GB)
ensure adherence to the principle
of public office is a public trust?
b. Do the public officers and
employees:
i. hold themselves accountable to
the people at all times?
ii. serve the people with utmost
responsibility, integrity, loyalty
and efficiency, act with
patriotism and justice and lead
modest lives? (Sec. 32, Chapter 9,
Book I, EO 292, “Administrative Code of
1987”)
4. Is the agency/organization structured
and maintained to insure their capacity
to plan and implement programs in
accordance with established national
policies? (Sec. 2(1), Chapter 1, Book IV, EO
292, “Administrative Code of 1987”)
228
YES
NO
5. Do the major staff units of the
agency/organization include the
Planning, Financial and Management,
Administrative and when necessary,
Technical and Legal Services? (Sec. 3
(4), Chapter 1, Book IV, EO 292, “Administrative
Code of 1987”)
6. Does the agency‟s/organization‟s
Planning Service provide economical,
efficient and effective services relating
to planning, programming, and project
development, and discharge such
other functions as provided by law?
(Sec. 13, Chapter 3, Book IV, EO 292,
Administrative Service provide
economical, efficient and effective
services relating to personnel, legal
assistance, information, records,
delivery and receipt of
correspondence, supplies, equipment,
collections, disbursement, security and
custodial work and such other
functions as provided by law? (Sec. 15,
Chapter 3, Book IV, EO 292, “Administrative
Code of 1987”)
Financial and Management Service
advise and assist the DS/HoA/GB on
financial and management matters and
perform such other functions as
provided by law? (Sec. 14, Chapter 3, Book
IV, EO 292, “Administrative Code of 1987”)
9. a. Are the functions of the agency/
organization decentralized in order
to reduce red tape?
b. Are central office officials freed
from administrative details
concerning field operations?
c. Are central office officials relieved
from unnecessary involvement in
routine and local matters?
d. Is adequate authority delegated to
subordinate officials?
e. Are administrative decisions and
actions, as much as possible, at the
level closest to the public?(Sec. 2 (3),
Chapter 1, Book IV, EO 292,
229
YES
NO
10. Are the bureaus and offices grouped
primarily on the basis of major
functions to achieve simplicity,
economy and efficiency in government
operations and minimize duplication
and overlapping of functions and
activities? (Sec. 2(2), Chapter 1, Book IV, EO
11. Does the bureau have divisions, as are
provided by law, for the economical,
efficient and effective performance of
its functions? (Sec. 18 (3), Chapter 4, Book
12. Do the agency‟s/organization‟s regional
offices provide economical, efficient
and effective service to the people in
the area? (Sec.26, Chapter 5, Book IV, EO
13. a. Are the agency‟s/organization‟s
plans and programs directly
implemented by the regional and
field offices as the operating arms
of the agency concerned?
b. Are the implemented plans and
programs in accordance with
approved policies and standards?
c. As counterparts of the agency in
the region, do they undertake
operations within their respective
jurisdictions? (Sec. 40, Chapter 8, Book
14. Does the DS/HoA/GB:
a. Establish the policies and
standards for the operation of the
agency/organization pursuant to
the approved programs of
government?
b. Promulgate rules and regulations
necessary to carry out the
agency‟s/organization‟s policies,
objectives, functions, plans,
programs and projects?
c. Promulgate administrative
issuances necessary for the
efficient administration of the
offices under them and for the
proper execution of the laws
relative thereto?
d. Exercise disciplinary powers over
officers and employees under them
in accordance with law?
230
YES
NO
e. Appoint all officers and employees
of the agency/organization (except
those whose appointments are
vested in the President or in some
other appointing authority)?
f. Delegate authority to officers and
employees in accordance with EO
292 or the law creating the agency/
organization? (Sec. 7, Chapter 2, Book
15. Does the Undersecretary or his
equivalent:
a. Advise and assist the DS/HoA/GB
in the formulation and
implementation of department
policies and objectives?
b. Oversee all the operational
activities of the department for
which he is responsible to the DS?
c. Coordinate the programs and
projects of the department and take
responsibility for its economical,
efficient and effective
administration?
d. Temporarily discharge the duties of
the DS in the latter‟s absence or
inability to discharge his duties?
(Sec.10, Chapter 2, Book IV, EO 292,
16. a. Is the authority and responsibility for
the agency‟s/organization‟s
operations, as may be necessary to
implement the plans and programs,
adequately delegated by the
DS/HoA/GB to the bureau and
regional directors or their
equivalent?
b. Is the delegation in writing?
c. Does it indicate to which officer or
class of officers or employees the
delegation is made?
d. Does it vest sufficient authority to
enable the delegatee to discharge
his assigned responsibility?
e. Is the implementation of national
and local programs in accordance
with the policies and standards
developed by the department or
agency with the participation of the
regional directors?
231
YES
NO
f. Is the implementation economical,
efficient and effective? (Sec.40,
17. Does the Director of a staff bureau
perform the following:
a. Advise and assist the Office of the
Secretary on matters pertaining to
the Bureau‟s area of
specialization?
b. Provide consultative and advisory
services to the regional offices of
the department?
c. Develop plans, programs,
operating standards, and
administrative techniques for the
attainment of the objectives and
functions of the bureau? (Sec. 19 (2),
18.a. Does the staff bureau perform
primarily advisory or auxiliary
functions and exercise, in behalf of
the department or agency/
organization, functional supervision
over the regional offices?
b. Do they develop and set down
policies, standards and
procedures?
c. Are said policies, standards and
procedures implemented by
operating units?
d. Is there continuing evaluation of
the implementation of policies,
standards and procedures?
e. Does the evaluation provide for
recommendation and when
authorized, the corrective
measures to be taken? (Sec.24,
19. For line bureaus, does the Director/
Head:
a. Exercise supervision and control
over all divisions and other units,
including regional offices under the
bureau?
b. Establish policies and standards for
the operations of the bureau
pursuant to the plans and programs
of the agency/organization?
232
YES
NO
c. Promulgate rules and regulations
necessary to carry out bureau
objectives, policies and functions?
(Sec.20, Chapter 4, Book IV, EO 292,
20. Does the Bureau Head issue orders
regarding the administration of their
internal affairs for the guidance of or
compliance by their officers and
employees? (Sec.36, Chapter 6, Book IV, EO
21.a. Are regulatory agencies
administratively supervised by the
department under which they are
placed?
b. Does the regulatory agency
prepare and submit annual budgets
and work plans to the DS/HoA?
c. Are the agency‟s/organization‟s
annual budget and work plans
approved by the DS/HoA?
d. Is the day-to-day operation of the
regulatory agency based on the
approved annual budget and work
plan? (Sec.43, Chapter 9, Book IV, EO
22. Does the Regional Director/Head:
a. Exercise the management
functions of planning, organizing,
directing and controlling in his/her
area of jurisdiction?
b. Prepare and submit budget
proposals for the region to the
central office?
c. Administer the budget of the
regional office?
d. Authorize disbursement of funds
pursuant to approved financial and
work programs?
e. Administer the budget control
machinery in the region? (Sec.27,
23. Does the Regional Director/Head issue
circulars of purely information or
implementing nature and orders
relating to the administration of the
internal affairs of regional offices and
units within their supervision? (Sec. 36,
Code of 1987”)
233
YES
NO
24. Are those having supervision and
control take the responsibility for the
following:
a. Review, approve, reverse or modify
acts and decisions of subordinate
officials or units?;
b. Determine priorities in the
execution of plans and programs?;
c. Prescribe standards, guidelines,
plans and programs? (Sec. 38 (1),
25. Are those having administrative
supervision over an agency/
organization take the responsibility for
the following:
a. Oversee the operations of such
agencies/organization and ensure
that they are managed effectively,
efficiently and economically without
interference with the day-to-day
activities?
b. Require the submission of reports
and cause the conduct of
performance evaluation and
inspection to determine compliance
with policies, standards and
guidelines?
c. Take action as may be necessary
for the proper performance of
official functions, including
rectification of violations, abuses
and other forms of
maladministration?
d. Review and pass upon the budget
of such agencies under its
administrative supervision? (Sec. 38,
26. a. Does the agency/organization
comply with the policies, standards
and guidelines promulgated by the
CSC to promote economical,
efficient and effective personnel
administration in the government?
b. Are there plans and programs
adopted to promote economical,
efficient and effective personnel
administration in the government?
(Sec. 12 (3), Chapter 3, Subtitle A, Title I,
Book V, EO 292, “Administrative Code of
1987”)
234
YES
NO
establish, administer and maintain
qualification standards?
b. Is the establishment, administration
and maintenance of qualification
standards with the assistance and
approval of the Civil Service
Commission? (Sec.22, Chapter 5,
Subtitle A, Title I, Book IV, EO 292,
28. a. Is the degree of qualifications of
an officer or employee determined
based on the qualification
standards for the particular
position?
b. Do the qualification standards
express the minimum requirements
for a position in terms of education,
training and experience, civil
service eligibility, physical fitness,
and other qualities required for
successful performance? (Sec.22,
Chapter 5, Subtitle A, Title I, Book IV, EO
29. Does the agency/organization promote
the primacy of public interest over
personal interest in the performance of
duties? (Sec. 1, Rule III, Rules Implementing
RA 6713, “Code of Conduct and Ethical
Standards for Public Officials and Employees”)
30. Does the agency/organization conduct
value development programs for its
officials and employees in order to
strengthen their commitment to the
public? (Sec. 1, Rule III, Rules Implementing
31. Are the following subjects, among
others, included in the agency‟s/
organization‟s programs and other
parallel efforts on value development:
a. Ethical and moral values?
b. Rights, duties and responsibilities
of public servants?
c. Socio-economic conditions
prevailing in the country?
d. Need for a Code of Conduct and
Ethical Standards? (Sec. 1, Rule III,
Rules Implementing RA 6713, “Code of
Conduct and Ethical Standards for Public
Officials and Employees”)
235
YES
NO
continuing refresher courses, seminars
and/or workshops to promote high
standards of ethics in the public
service? (Sec. 1, Rule III, Rules Implementing
33. Does the head of department, office
and agency/organization ensure that
officials and employees attend the
value development program and
participate in parallel value
development efforts? (Sec. 3, Rule III,
34.a. Does the agency/organization
conduct continuing studies and
analyses of their work systems and
procedures to improve delivery of
public services?
b. Do such studies and analyses
i. Identify systems and procedures
that lead or contribute to
negative bureaucratic behavior?
ii. Simplify rules and procedures to
avoid red tape?
iii. Devise and adopt systems and
procedures that promote official
and employee morale and
satisfaction? (Sec. 4, Rule III, Rules
Implementing RA 6713, “Code of
Conduct and Ethical Standards for
Public Officials and Employees”)
35. Does the agency/organization
continually conduct research and
experimentation on measures to
motivate officials and employees in
raising the level of observance of
public ethical standards? (Sec. 6, Rule III,
36. Does the agency/organization adopt
innovative programs which will provide
motivation to officials and employees in
raising the level of observance of
public ethical standards? (Sec. 6, Rule III,
236
YES
NO
37. Does the agency/organization promote
the functional principles of governance
that the powers so delegated to a
public officer or employee is held in
trust for the people and to be exercised
behalf or of all citizens who may need
their intervention? (Sabio vs. Gordon, G.R.
No. 174340, 17 October 2006.)
38. Do the public officials and employees
perform and discharge their duties with
the highest degree of excellence,
professionalism, intelligence and skill?
(Sec. 4(A) Norms of Conduct of Public Officials
and Employees, Republic Act (RA) No. 6713,
the “Code of Conduct and Ethical Standards for
Public Officials and Employees,” 20 February
1989.)
39. Is there a committee or officer
designated to conduct investigation
over disciplinary matters? (Sec. 7(5),
Code of 1987”)
40.a. Do the employees have the right
to present their complaints or
grievances to management?
b. Are the employees‟ complaints
and grievances adjudicated as
expeditiously as possible in the
best interest of the:
i. Agency?
ii. Government as a whole?
iii. The employee concerned?
c. Are the complaints and
grievances resolved at the lowest
possible level in the department or
agency/organization?
d. Does the employee have the right
to appeal the decision to higher
authorities?
e. Does the agency/organization have
promulgated rules and regulations
governing expeditious, fair and
equitable adjustment of employees‟
complaints or grievances in
accordance with the policies
enunciated by the CSC?(Sec.37,
Chapter 5, Subtitle A, Title I, Book V, EO
have an established performance
evaluation system (PES)?
237
YES
NO
b. Is the PES administered in
accordance with standards, rules
and regulations promulgated by the
CSC?
c. Is the PES administered in such a
manner as to continually foster the
improvement of individual
employee efficiency and
organizational effectiveness?
(Sec.33, Chapter 5, Subtitle A, Title I, Book
V, EO 292, “Administrative Code of 1987”)
42. Does the agency/organization institute
a PES based on objectively measured
output and performance of personnel
and units, such as the Performance
Management System-Office
Performance Evaluation System
developed by the CSC? (Administrative
Order (AO) No. 241s. 2008, “Mandating the
Speedy Implementation of Republic Act No
9485 Otherwise Known as the „Anti-Red Tape
Act of 2007‟ and its Implementing Rules and
Regulations and Strengthening the Application
Thereof,” 2 October 2008.)
43. Does the DS/HoA/GB formulate and
enforce a system of measuring and
evaluating periodically and objectively
the performance of the agency/
organization and submit the same
annually to the President? (Sec.8,
Code of 1987”)
44. Does the organization undertake, on a
continuing basis, programs to promote
constituents/public satisfaction and
improve service delivery, and other
similar activities for officers and
employees in frontline services? (Sec. 1,
Rule VI, Implementing Rules and Regulations of
RA 9485, “Anti-Red Tape Act of 2007)
an analysis of its operating
performance, evaluation of
performance relative to costs incurred
and the review of agency operating
systems and procedures as inherent
parts of the budget process? (Sec. 9,
Chapter 2, Book VI, EO 292, “Administrative
Code of 1987”)
238
YES
NO
46. Does the DS/HoA/GB evaluate on a
continuing basis the quantitative and
qualitative measures of its performance
as reflected in the units of work
measurement and other indicators of
agency performance, including the
standard and actual costs per unit of
work? (Sec. 51, Chapter 6, Book VI, EO 292,
47. Does the agency/organization identify
other public service organizations (e.g.,
public entities and private entities
providing public services), public they
serve and stakeholders as well as their
requirements, needs and expectations,
to define the organization‟s intended
outputs? (Clause 5.1.1. ISO 9000, the
“Introduction and Support Package: Guidance
on the Concept and Use of the Process
Approach for Management Systems,” ISO/TC
176/SC 2/N 544R3, 15 October 2008; Executive
Order (EO) No. 605 s. 2007; and Republic Act
(RA) No. 9013.)
48. Does the agency/organization monitor
information relating to constituents/
public perception as to whether the
organization has met constituents/
public requirements? (Clause 8.2.1 ISO
9001:2008, 15 November 2008; Executive
Order (EO) No. 605 s. 2007; and Republic Act
(RA) No. 9013.)
operating units able to achieve the
expected results and contribute to the
achievement of its sectoral or societal
goals? (DBM Circular Letter No. 2008-8, the
“National Guidelines on Internal Control
Systems (NGICS),” 23 October 2008, pp. 11-
12.)
50. Does the agency/organization include
the necessary networking within and
outside government to attain better
coordination or convergence of efforts
in the execution of their
responsibilities? (Item 3.1, DBM CL 2008-8,
Systems”;)
51. Does the agency/organization perform
functions and tasks using the least
amount of resources within a specific
timeframe? (DBM Circular Letter No. 2008-8,
the “National Guidelines on Internal Control
Systems (NGICS),” 23 October 2008, pp. 11-
12.)
239
YES
NO
52. Are all government resources and
powers of the agency/organization
employed and used efficiently,
effectively, honestly and economically,
particularly to avoid wastage of public
funds and revenues? (Sec. 4(A) Norms of
Conduct of Public Officials and Employees,
Republic Act (RA) No. 6713, the “Code of
Officials and Employees,” 20 February 1989.)
53.a. Are all government resources
managed, expended or utilized in
accordance with law and
regulations?
b. Is it safeguarded against loss or
wastage through illegal or improper
disposition to ensure economy,
effectiveness and efficiency in the
operations of the
c. Does the DS/HoA/GB ensure that
the foregoing policy on fiscal
responsibility is faithfully adhered to
in all the financial affairs,
transactions and operations of the
agency/ organization? (Sec. I, Chapter
1, Subtitle B, Title I, Book V, EO 292,
54. a. Does the agency/organization take
appropriate measures to promote
transparency and accountability in
the management of public
finances?
b. Do said measures encompass
effective and efficient systems of
internal control? (Article 9 Public
Procurement and Management of Public
Finances, Chapter II, Preventive Measures,
United Nations Convention Against
Corruption (UNCAC), 31 October 2003.)
55. a. Does the DS/HoA/GB prepare
and submit to the President,
through the Department of Budget
and Management (DBM), an
estimate of the necessary
expenditures of the agency/
organization during the next fiscal
year?
b. Are these budget estimates based
on the reports and estimates
submitted by the bureaus and
offices under him? (Sec. 9, Chapter 2,
Book IV, EO 292, “Administrative Code of
1987”)
240
YES
NO
56. a. Is the agency‟s/organization‟s
budget supportive of and consistent
with the socio-economic
development plan?
b. Is it oriented towards the
achievement of explicit objectives
and expected results, to ensure
that funds are utilized and
operations are conducted
effectively, economically and
efficiently? (Sec. 3, Chapter 2, Book VI,
57. Does the agency/organization design
and implement the following?
a. Management information systems
yielding both performance and
financial information which will
adequately monitor and control
budget implementation, and
b. Improvements in operating
systems, procedures and practices,
so as to ensure that the targets
approved in budget authorization
are in fact attained at minimum
cost. (Sec. 9, Chapter 2, Book VI, EO 292,
58. Are all the government funds or
property under the administration or
control of the public officer or employee
used in accordance with the purpose
for which it was appropriated by law?
(Sec. 80, Chapter 7, Book VI, Executive Order
(EO) No. 292 s. 1987, the “Administrative Code
of 1987,” 25 July 1987 and Manhit vs. Office of
the Ombudsman, G.R. No. 159349, 7
September 2007)
59. Are the public officers or employees
who apply government funds or
property under his administration or
control to any use other than for which
such fund or property is appropriated
made liable therefor? (Sec.80, Chapter 7,
Book VI, Executive Order (EO) No. 292 s. 1987,
the “Administrative Code of 1987,” 25 July 1987
and Manhit vs. Office of the Ombudsman, G.R.
No. 159349, 7 September 2007)
60. Are the public officers and employees
who are directly responsible for
unlawful expenditures of government
funds or uses of government property
made personally liable therefor? (Sec.
52, Chapter 9, Subtitle B, Title I, Book V, EO
241
YES
NO
61. Are the public officers and employees
who are directly charged in the
processing, review and evaluation of
documents made personally liable for
unlawful expenditures of government
funds or uses of government property
resulting in the approval of said
documents? (Olaguer vs. Domingo, G.R. No.
109666, 20 June 2001; Section 52, Chapter 9,
Subtitle B, Title 1, Book V, Executive Order
(EO) No. 292 s. 1987, the “Administrative Code
of 1987,” 25 July 1987 )
62. Is the agency‟s/organization‟s control
environment understood within the
framework of public service
accountability where government, its
partners and agents, assume fiduciary
responsibilities towards the public they
serve? (Item 3.1.1, DBM Circular Letter No.
2008-8, the “National Guidelines on Internal
Control Systems (NGICS),” 23 October 2008)
63. Are there control features interwoven
into and made an integral part of each
system in the agency/organization that
management can use to regulate and
guide its operations? (Section 33, Title II-
Internal Control System, Vol. III, Commission on
Audit (COA) Circular No. 91-368, GAAM, 19
December 1991, p. 64; DBM CL 2008-8, Item
2.2.1, National Guidelines on Internal Control
Systems)
64. Does the agency/organization adopt
and implement control policies and
measures on the following:
a. Delegation of authority and
supervision?
b. Segregation of functions for
processing, reviewing, recording,
custody and approval?
c. Access to resources and records;
d. Completeness and integrity of
transaction documents and
reports?
e. Verification of transactions; and
f. Reconciliation of records and
data? [DBM Circular Letter No. 2008-8,
the “National Guidelines on Internal
Control Systems (NGICS),” 23 October
2008, pp. 27-28]
242
YES
NO
65. Are there plans of organization and
coordinated methods and measures
adopted within the agency/
organization to:
a. Safeguard its assets?
b. Check the accuracy and reliability
of its accounting data?
c. Encourage adherence to
prescribed managerial policies?
d. Comply with applicable laws and
regulations?
e. Ensure ethical, economical,
effective and efficient operations?
(Presidential Decree (PD) No. 1445, the
“Government Auditing Code of the
Philippines,” as amended, 11 June 1978;
Department of Budget and Management
(DBM) Circular Letter No. 2008-8, the
Systems (NGICS),” 23 October 2008.)
accounting system:
a. Produce information concerning
past operations and present
conditions?
b. Provide a basis for guidance for
future operations?
c. Provide for control of the acts of
public bodies and officers in the
receipt, disposition and utilization of
funds or property?
d. Report on the financial position and
results of operations of the
agency/organization for the
information of all persons
concerned? (Sec. 41, Chapter 6, Subtitle
B, Title I, Book V, EO 292, “Administrative
Code of 1987”)
implement the government-wide
Quality Management Program?
(Executive Order (EO) No. 605 s. 2007,
“Institutionalizing the Structure, Mechanisms
and Standards to Implement the Government
Quality Management Program, Amending for
the Purpose Administrative Order No. 161, s.
2006,” 23 February 2007 and Republic Act
(RA) No. 9013.)
243
YES
NO
68. Is the design and implementation of an
agency‟s/organization‟s quality
management system influenced by the
following:
a. Organizational environment?
b. Changes in that environment, and
the risks associated with that
environment?
c. Varying needs?
d. Particular objectives?
e. Services it provides?
f. Processes it employs?
g. Size and organization structure?
(Clause 0.1, ISO 9001:2008 Quality
Management System, 15 November 2008;
Executive Order (EO) No. 605 s. 2007; and
Republic Act (RA) No. 9013.)
244
E. 3 Section II – Risk Assessment
OBJECTIVES:
a. To obtain sufficient knowledge/information of the agency‟s/ organization‟s

overall process in the following:
i. identifying, analyzing and evaluating relevant risks to the achievement of
the control objectives, and
ii. determining the appropriate response.
b. To identify and document the agency‟s/organization‟s risk assessment
procedure as a component of ICS.
These questions are used to identify and assess the external and internal factors
that could impact on the achievement of control objectives and provide a basis for
certain management controls.
YES
NO
identify, analyze and evaluate
relevant risks to the achievement
of the control objectives and
determine the appropriate
response? [DBM Circular Letter No.
2008-8, the “National Guidelines on
Internal Control Systems (NGICS),” 23
October 2008, p. 29; International
Organization of Supreme Audit
Institutions (INTOSAI), the “Guidelines
for Internal Control Standards for the
Public Sector,” 16 October 2004, p. 22.;
and Clause 4, 4.3.4, IEC/ISO
31010:2009, the “Risk Management –
Risk Assessment Techniques,”
1 December 2009]
2. Is the agency‟s/organization‟s
risk assessment fully integrated
into the other components in the
risk management process which
includes the following:
a. Communication and
consultation?
b. Establishing the context?
c. Risk assessment (comprising
risk identification, risk analysis
and risk evaluation)?
d. Risk treatment?
e. Monitoring and review?
(Clause 4, 4.3.1, IEC/ISO
31010:2009, the “Risk Management
– Risk Assessment Techniques,”
1 December 2009.)
245
YES
NO
3. In establishing the external
context, does the agency/
organization consider
familiarization with the
environment in which the
organization and the system
operates including the following:
a. Cultural, political, legal,
regulatory, financial,
economic and competitive
environment factors, whether
international, national,
regional or local?
b. Key drivers and trends having
impact on the objectives of
the organization?
c. Perceptions and values of
external stakeholders? [DBM
Circular Letter No. 2008-8, the
“National Guidelines on Internal
Control Systems (NGICS),” 23
October 2008, p.30 and Clause 4,
4.3.3a, IEC/ISO 31010:2009, the
“Risk Management – Risk
Assessment Techniques, 1
December 2009]
4. In establishing the internal
context, does the agency/
organization consider an
understanding of the following:
a. Capabilities of the
organization in terms of
resources and knowledge?
b. Information flows and
decision-making processes,
c. Internal stakeholders?
d. Objectives and the strategies
that are in place to achieve
them?
e. Perceptions, values and
culture?
f. Policies and processes?
g. Standards and reference
models adopted by the
organization?
h. Structures (e.g., governance,
roles and accountabilities)?
[DBM) Circular Letter No. 2008-8,
the “National Guidelines on Internal
October 2008, p.30 and Clause 4,
4.3.3b, IEC/ISO 31010:2009, the
“Risk
Management – Risk Assessment
Techniques, 1 December 2009]
246
YES
NO
Risk Identification
make an identification of the
following:
a. Opportunities and threats to
the achievement of the control
objectives?
b. The most important areas to
which resources in risk
assessment should be
channeled?
c. Determine responsibility for
the management of the risk?
[DBM Circular Letter No. 2008-8, the
October 2008, p. 30 and 2.2 Risk
Assessment, International
Institutions (INTOSAI), the
“Guidelines for Internal Control
Standards for the Public Sector,” 16
October 2004, pp. 23-24.]
identify the causes and sources
of the risk (hazard in the context
of physical harm), events,
situations or circumstances which
could have a material impact
upon objectives and the nature of
that impact? (Clause 5, 5.2, IEC/ISO
31010:2009, the “Risk Management –
Risk Assessment Techniques,” 1
December 2009.)
Risk Analysis
systematically use information to
identify sources and to estimate
the risk? [DBM) Circular Letter No.
October 2008, p. 30-31]
identify the factors that affect
consequences and likelihood of
the risk? [DBM Circular Letter No.
October 2008, p. 30-31]
determine the consequences
and their probabilities for
identified risk events?
247
YES
NO
b. In determining said
consequences and their
probabilities, does the
agency/ organization take into
account the presence (or not)
and the effectiveness of any
existing controls? (Clause 5,
5.3.1, IEC/ISO 31010:2009, the
“Risk Management – Risk
Assessment Techniques,” 1
December 2009.)
Risk Evaluation
evaluate the significance of the
risk and assess the likelihood of
its occurrence? [DBM Circular Letter
No. 2008-8, 23 October 2008, the
Systems (NGICS),” p. 31 and 2.2 Risk
Assessment, International Organization
of Supreme Audit Institutions (INTOSAI),
the “Guidelines for Internal Control
October 2004, pp. 22-23]
11. In evaluating the risk, does the
agency/organization compare
estimated levels of risk with risk
criteria defined when the context
was established, in order to
determine the significance of the
level and type of risk? (Clause 5,
5.4, IEC/ISO 31010:2009, the “Risk
Management – Risk Assessment
Techniques,” 1 December 2009.)
248
E. 4 Section III – Control Activities
OBJECTIVES:
a. To obtain sufficient knowledge/information about the policies and procedures

established by the organization to address risks (tolerated, transferred,
terminated or treated) and to achieve its objectives;
b. To obtain sufficient knowledge/information about the agency‟s/ organization‟s
performance review and compliance review; and
c. To identify and document the agency‟s/organization‟s control activities: risk
response, performance review and compliance review process.
These questions involve policies or procedures that help ensure that the
agency‟s/organization‟s objectives are achieved and directives are completed.
YES
NO
A. Risk Response
establish policies and procedures
to address risks and to achieve
the entity‟s objectives?[DBM
Circular Letter No. 2008-8, the “National
Guidelines on Internal Control Systems
(NGICS),” 23 October 2008, pp. 31-32
and 2.3 Control Activities, International
Public Sector,” 16 October 2004, p. 28]
2. a. Are all the moneys and
properties officially received
by a public officer, in any
capacity or upon any
occasion, accounted for as
government funds and
government properties?
b. Are government properties
taken up in the books of the
agency concerned? (Sec. 42,
Chapter 7, Subtitle B, Title I, Book V,
EO 292, “Administrative Code of
1987”)
officers whose duties permit or
require the possession or
custody of government funds
properly bonded in accordance
with law? (Sec. 50, Chapter 9, Subtitle
B, Title I, Book V, EO 292,
249
YES
NO
include the results expected for
each budgetary program and
project, the nature of work to be
performed, estimated costs per
unit of work measurement,
including the various objects of
expenditures for each project in
its budget estimates? (Sec. 14(7),
Chapter 3, Book VI, EO 292,
5. Are the frontline services
complemented with adequate
staff by adopting mechanisms
such as rotation system among
office personnel, sliding
flexitime, reliever system
especially in peak times of
transactions or providing
skeletal personnel during lunch
and snack times? (Section 3, Rule
VI, Implementing Rules and Regulations
of RA 9485, “Anti-Red Tape Act of 2007”)
6. Is disbursement of government
funds made in pursuance of an
appropriation law or other
specific statutory authority?
(Section 45 (1), Chapter 8, Subtitle B,
Title I, Book V, EO 292, “Administrative
Code of 1987”)
B. Performance Review
7. If accomplishments do not meet
established objectives or
standards, are the processes and
activities reviewed to determine if
improvements are needed? [DBM
(NGICS),” 23 October 2008, p. 33 and
2.3 Control Activities, No. 6. Reviews of
Operating Performance, International
Public Sector,” 16 October 2004, p. 30]
250
YES
NO
C. Compliance Review
periodically review operations,
processes and activities to
ensure that they are in
compliance with current
regulations, policies, procedures,
or other requirements? [DBM
(NGICS),” 23 October 2008, p. 33 and
2.3 Control Activities, No. 7. Reviews of
operations, processes and activities,
International Organization of Supreme
Audit Institutions (INTOSAI), the
October 2004, p. 30-31]
251
E. 5 Section IV – Information and Communication
OBJECTIVES:
a. To obtain sufficient knowledge/information about the agency‟s/ organization‟s

information and communication systems;
b. To determine if relevant information is communicated throughout the
agency/organization, as well as to its network of organizations and sectors; and
c. To identify and document the organization‟s information and communication
process.
These questions involve how the agency/organization identifies, captures, processes

and reports information needed to achieve its objectives.
YES
NO
1. Do the heads of agencies/
organizations prepare and submit
annual reports to the President
on or before the first day of July
of each year? (Sec. 43, Chapter 11,
1987”)
2. Are the contents of the agency‟s/
organization‟s annual reports in
accordance with the requirements
prescribed by pertinent laws and
issuances? (Sec. 44, Chapter 11,
1987”)
3. a. Do all heads of bureaus or
offices render annual reports
to their respective DS/HoA on
or before the last day of
February of each year?
b. Do the reports contain the
following:
i. Concise statements of the
accomplishments and
assessment of the
progress attained in terms
of approved programs and
projects?
ii. Pertinent financial
statements on
expenditures incurred in
their implementation
during the calendar year?
iii. Broad recommendations
and plans for undertaking
work during the ensuing
period?
252
YES
NO
iv. Matters specifically
required by laws or
regulation to be
incorporated therein? (Sec.
37, Chapter 6, Book IV, EO 292,
4. Do all heads or other responsible
officers of the
agency/organization render a full
and complete report of
performance and
accomplishments within forty-five
(45) days from the end of the
year? (Sec. 7, Rule VI, Rules
5. Does the DS/HoA/GB establish
measures and standards that will
ensure transparency of and
openness in public transactions,
e.g., biddings, purchases, other
internal transactions, including
contracts, status of projects, and
other matters involving public
interest? (Sec. 2, Rule IV, Rules
6. Does the DS/HoA/GB establish
information system that will
inform the public of the following:
a. Policies, rules and
procedures?
b. Work programs, projects and
performance targets?
c. Performance reports?
d. All other documents classified
as public information? (Sec. 2,
Rule IV, Rules Implementing RA
6713, “Code of Conduct and Ethical
Standards for Public Officials and
Employees”)
7. Are written requests, petitions or
motions sent to the agency/
organization by means of letters,
or the like, acted upon by the
official or employee in charge
within fifteen (15) days from
receipt thereof? (Sec. 3, Rule VI,
Officials and Employees”
253
YES
NO
8. Except as otherwise provided by
law or regulation, does the
agency‟s/organization‟s written
action or decision contain not
more than three (3) initials or
signatures? (Sec. 5, Rule VI, Rules
9. In the evaluation of official forms
for agencies/organizations
rendering frontline services, are
the number of signatories limited
to a maximum of five (5)
signatures of officers or
employees directly supervising
the evaluation, approval or
disapproval or the request,
application, or transaction?
(Section 3, Rule III, Implementing Rules
and Regulations, RA 9485, “Anti-Red
Tape Act of 2007”)
prescribed rules, through
appropriate office order, on the
proper authority to sign in the
absence of regular signatory? (Sec.
5, Rule VI, Rules Implementing RA 6713,
“Code of Conduct and Ethical Standards
for Public Officials and Employees”);
(Section 3, Rule III, Implementing Rules
11. Do all heads or other responsible
officers of the agency/ organization
prepare and submit to the CSC a
report of compliance with the
provisions of RA 6713 and its IRR?
(Sec. 7, Rule VI, Rules Implementing RA
Employees”)
12. a. Do the public officers and
employees file under oath their
Statements of Assets,
Liabilities and Net Worth
(SALN) and a Disclosure of
Business Interests and
Financial Connections (DBIFC)
and Identification and
Disclosure of Relatives (IDR) in
the government? (Sec. 1 & 2,
Rule VII, Rules Implementing RA
Employees”)
254
YES
NO
b. Does it contain a true,
detailed and sworn statement
of assets and liabilities,
including a statement of the
amounts and sources of the
public officer or employee‟
income, the amounts of his
personal and family expenses
and the amount of income
taxes paid for the next
preceding calendar year?
(Section 7, Republic Act (RA) No.
3019, the “Anti-Graft and Corrupt
Practices Act,” as amended, 17
August 1960 and Pleyto vs. PNP-
CIDG, G.R. No. 169982, 23
November 2007.)
have compliance procedures for
the review of the SALN, DBIFC
and IDR in the government to
determine whether said
statements have been properly
accomplished? (Sec. 1, Rule VIII,
review and compliance
procedure, as called for under
item 13 above, approved by the
Secretary of Justice (in the case
of the Executive Department),
affirmatively voted upon by a
majority of the particular House
concerned (in the case of
Congress), the Chief Justice of
the Supreme Court (in the case of
the Judicial Branch), respective
Chairman and members thereof
(in the case of Constitutional
Commissions/ Offices) or the
Ombudsman (in the case of the
Office of the Ombudsman)? (Sec.
1, Rule VIII, Rules Implementing RA
Employees”)
255
YES
NO
15.a. Does the agency/
organization determine which
processes or transactions
constitute frontline service?
b. Does the agency/
organization undertake
reengineering of its
transaction systems and
procedures, including time
and motion studies, if
necessary?
c. Does the agency/
organization set up their
respective service standards
to be known as the Citizens‟
charter? (Section 1, Rule III,
Implementing Rules and
Regulations, RA 9485, “Anti-Red
reengineering process include a
review for purposes of
streamlining the following:
a. Steps in providing the
service?
b. Forms used?
c. Requirements?
d. Processing time? and
e. Fees and charges? (Section 2,
Rule III, Implementing Rules and
Regulations, RA 9485, “Anti-Red Tape
Act of 2007”)
review the location of the offices
providing frontline services and
put in place directional signs to
facilitate transactions? (Section 2,
Rule III, Implementing Rules and
Act of 2007”)
18. a. Does the agency/
organization have a workflow
chart showing procedures or
flow of documents?
b. Is the chart posted in
conspicuous places in the
department, office or agency
for the information and
guidance of all concerned?
(Sec. 4, Rule III, Rules Implementing
RA 6713, “Code of Conduct and
Ethical Standards for Public Officials
and Employees”)
256
YES
NO
19. Are the stakeholders, users and
beneficiaries of the frontline
services taken into consideration
in the preparation of the Citizens‟
Charter? (Section 3, Rule IV,
Implementing Rules and Regulations, RA
9485, “Anti-Red Tape Act of 2007”)
Citizens‟ Charter in the form of
information billboards and
published materials written in
English, Filipino, or in the local
dialect? (Section 2, Rule IV,
21. Is the Citizens‟ Charter posted at
its office‟s main entrance or at the
most conspicuous place? (Section
2, Rule IV, Implementing Rules and
Act of 2007”)
22. Does the Citizens‟ Charter
include the following information:
a. Vision and mission of the
government office or
b. Identification of the frontline
services offered, and the
clientele?
c. The step-by-step procedure to
obtain a particular service?
d. The officer or employee
responsible for each step?
e. The maximum time to
conclude the process?
f. Document/s to be presented
by the client, with a clear
indication of the relevancy of
said document/s?
g. The amount of fees, if
necessary?
h. The procedure for filing
complaints in relation to
requests and applications,
including the names and
contact details of the
officials/channels to approach
for redress?
257
YES
or Cite Reference Documents
QUESTIONS
NO
i. Allowable period for extension
due to unusual
circumstances; i.e.,
unforeseen events beyond
the control of government
office or agency concerned?
j. Feedback mechanisms,
contact numbers to call and/or
persons to approach for
recommendations, inquiries,
suggestions, as well as
complaints? (Section 1, Rule IV,
Implementing Rules and
23. Is the implementation of the
agency‟s/organization‟s Citizens‟
Charter continually monitored and
periodically reviewed? (Section 3,
Rule IVI, Implementing Rules and
Act of 2007”)
24. Are all the transactions and
processes made with the
permission or clearance from the
highest authority having
jurisdiction over the agency/
organization concerned? (Section
1, Rule V, Implementing Rules and
Act of 2007”)
adopt working schedules to
ensure that all clients who are
within the premises prior to the
end of official working hours are
attended to and served even
during lunch break and after
regular working hours? (Section 3,
Rule VI, Implementing Rules and
Act of 2007”)
26. Does the DS/HoA/GB adopt
appropriate mechanisms to
ensure the uninterrupted delivery
of frontline services? (Section 3,
Act of 2007”)
258
YES
NO
27. Are all officers and employees
transacting with the public
provided with an official
identification card which should
be worn during office hours?
(Section 4, Rule VI, Implementing Rules
28.a. Does the agency/organization
have a public assistance/
complaints desk in all their
offices?
b. Is there an officer or employee
knowledgeable on frontline
services who is at all times
available for consultation and
advice?
c. Is the desk attended to even
during breaktime? (Section 5,
institute mechanisms by which
clients may adequately express
their complaints, comments or
suggestions such as hotline
numbers, short message service
or information and
communication technology?
(Section 5, Rule VI, Implementing Rules
30. Does the responsible officer or
employee acknowledge receipt of
written applications, requests,
and/or documents being
submitted by clients of the office
or agency? (Section 2, Rule VI,
31. Does the acknowledgement
indicate, by writing or printing
clearly thereon, the name of the
receiving officer or employee, the
unit where he/she is connected
with, and the time and date of
receipt? (Section 2, Rule VI,
259
YES
NO
32. Is the prescribed period to act
upon all applications and/or
requests not longer than five (5)
working days (in the case of
simple transactions) and ten (10)
working days (in the case of
complex transactions) from the
time the same was received?
(Section 2 (4), Rule VI, Implementing
Rules and Regulations, RA 9485, “Anti-
Red Tape Act of 2007”)
33. Are all applications and/or
requests in frontline services
acted upon within the period
prescribed under the Citizen‟s
Charter? (Section 2 (4), Rule VI,
keep and preserve a logbook in
which shall be recorded in
chronological order, all final
official acts, decisions,
transactions or contracts,
pertaining to the agency/
organization? (Sec. 52, Chapter 11,
Book IV, EO 292, “Administrative Code of
1987”)
adhere to the government-wide
application of the classification of
administrative issuances
pursuant to the Administrative
Code of 1987 or the law creating
them? (Sec. 53, Chapter 11, Book IV,
36. a. Does the agency/
organization comply with the
numbering system of
administrative issuances
pursuant to Administrative
Code of 1987?
b. Are the administrative
issuances (i.e., circulars and
orders) issued by the
Department Secretary, head
of bureaus, offices or
agencies chronologically
numbered and properly
identified as such? (Sec. 51,
260
YES
NO
transactions and events promptly
recorded and properly classified?
Systems (NGICS),” 23 October 2008, p.
34 and 2.4 Information and
Communication, INTOSAI, the
October 2004, p. 36.]
38. Are relevant information
communicated throughout the
agency, as well as to its network
of organizations and sectors?
Systems (NGICS),” 23 October 2008, p.
33 and 2.4 Information and
Communication, International
Public Sector,” 16 October 2004, pp. 36-
39]
39. Are relevant information
identified, captured and
communicated in a form and
timeframe that enables a
personnel to carry out internal
controls and other
responsibilities? [DBM Circular Letter
No. 2008-8, the “National Guidelines on
October 2008, p. 34 and 2.4 Information
and Communication, INTOSAI, the
October 2004, p. 36]
40. a. Does communication flow
down, across, and up the
organization, throughout all
components and the entire
structure?
b. Does the agency/organization
have an effective
communication with external
individuals and organizations?
October 2008, p. 36 and 2.4
Information and Communication,
International Organization of
Supreme Audit Institutions
(INTOSAI), the “Guidelines for
Internal Control
October 2004, p. 38]
261
YES
NO
41. Are the concerned officials
available to their staff for
consultations and dialogues?
(Rule III, Rules Implementing Republic
Act (RA) No. 6713, the “Code of
Officials and Employees,” 21 April 1989.)
consult the public they serve
for the purpose of gathering
feedback and suggestions on
the efficiency, effectiveness
and economy of frontline
services?
b. Do they establish
mechanisms to ensure the
conduct of public
consultations and hearings?
(Rule III, Rules Implementing
Republic Act (RA) No. 6713, the
“Code of Conduct and Ethical
Employees,” 21 April 1989.)
communicate frequently with the
constituents or the public they
serve and stakeholders to ensure
continual understanding of their
requirements, needs and
expectations? Clause 5.1.1. ISO
9000, the “Introduction and Support
Package: Guidance on the Concept and
Use of the Process Approach for
Management Systems,” ISO/TC 176/SC
2/N 544R3, 15 October 2008; Executive
Order (EO) No. 605 s. 2007; and
Republic Act (RA) No. 9013.)
262
E. 6 Section V – Monitoring
OBJECTIVES:
a. To obtain sufficient knowledge/information on how management ensures that

controls are operating as intended and that they are modified appropriately for
changes in conditions through ongoing monitoring activities, separate
evaluations, or a combination of both; and
b. To identify and document the agency‟s/organization‟s monitoring process.
These questions involve the agency‟s/organization‟s activities taken to assess

the achievement of control objectives and the quality of internal control system
performance.
YES
NO
ensure that controls are
operating as intended and
that they are modified
appropriately for changes in
conditions?
b. If yes, is it accomplished
through ongoing monitoring
activities, separate
evaluations or a combination
of both? ]DBM Circular Letter No.
Internal Control Systems (NGICS),”
23 October 2008, p. 37 and 2.5
Monitoring, International Organization
of Supreme Audit Institutions
Internal
Control Standards for the Public
Sector,” 16 October 2004, p. 41.]
2. a. Does the ongoing monitoring
of internal control occur in the
course of the normal,
recurring operations of the
b. Is the ongoing monitoring:
i. performed continually and
on a real-time basis?
ii. ingrained in the entity‟s
operations? [DBM Circular
Letter No. 2008-8, the “National
Guidelines on Internal Control
Systems (NGICS),” 23 October
2008, p. 37 and 2.5 Monitoring,
International Organization of
Supreme Audit Institutions
Internal Control Standards for
the Public Sector,” p. 41]
263
Appendix F : Types of Sampling
Sampling
Sampling is a scientific method of selecting the transactions to be subjected to audit.

It promotes efficiency and economy in the audit process. Sampling allows the auditor
to test less than 100% of the population to form audit findings. The assumption is that
the sample selected is representative of the population.
There are various sampling methods available. The main types of sampling methods
available to the auditor are as follows:
1. Systematic Sampling
Systematic sampling is a statistical method involving the selection of elements

from an ordered sampling frame. The most common form of systematic sampling
is an equal-probability method, in which every kth element in the frame is selected,
where k, the sampling interval (sometimes known as the 'skip'), is calculated as:
sample size (n) = population size (N)/k.
This involves selecting every nth item in the population. The interval is derived by
dividing the population number by the sample size. A random starting point is
selected. Technically, it is a practical approach that approximates the random
sample.
The auditor must ensure that the chosen sampling interval does not hide a
pattern. Any pattern would threaten randomness. A random starting point must
also be selected.
Systematic sampling is to be applied only if the given population is logically

homogeneous, because systematic sample units are uniformly distributed over
the population.
For example, if you determined that your sampling interval is 50 and your starting
point is number 1, every 50th sampling unit is selected to form part of the sample.
2. Statistical Sampling
This type of sampling involves defining the population and related confidence
intervals. Based on these assumptions, a sample size is determined and the
results of testing can be reasonably extrapolated to the overall population, thus, a
quantifiable conclusion can be drawn (e.g., we are 95% confident that the true
value of the accounts receivable balance is between X and Y).
264
There are several things that the IA should be aware of when using statistical
sampling. Some of them are indicated hereunder.
Use statistical sampling only when necessary to satisfy an objective.

The IA must be able to define and know the characteristics of the population in
order to effectively use statistical sampling in testing.
The IA must ensure that every item in the population has an equal chance of
being selected as part of the sample.
The IA must ensure that the population does not have manipulated patterns in
it that would affect the randomness of selection.
Use an error rate that is reasonable.
If there are defined striations of data within the population, stratify it and
sample from within the striations.
In general, there are some basic steps that are common to the statistical testing
process. They are as follows:
Determine the objectives of the test;

Define the population;
Define acceptable levels of sampling risk (i.e., 5%, 10%, etc.);
Calculate the sample size using tables, formulae, or software applications;
Select the sampling approach (i.e., random, stratification, etc.);
Pull the actual sample and evaluate; and
Document the sample results and approach.
The size of the sample will generally be impacted by the sample size (the larger
the population, the larger the sample is likely to be), the acceptance risk (the
smaller the accepted risk, the larger the sample will likely be), and the population
variability (the more dispersed or variable the population is, the larger the sample
will likely be).
3. Non-statistical Sampling
Judgemental sampling - This type of sampling involves the selection by the

auditor of items for his/her sample based on some types of methodology in an
attempt to select items that exhibit some types of features. This method
purposefully biases the sample, thus, the results of the testing cannot be
extrapolated to the larger population.
a. Random Sampling
This is a selection procedure whereby each item in the population has a

known and equal chance of being selected. Random number tables or certain
computer softwares may be used to generate a random sample. Following ISO
24153:2009, random sampling and randomization procedures may also be
used. Several methods are provided, including approaches based on
mechanical devices, tables of random numbers, and portable computer
algorithms.
265
b. Simple Random Sampling
Under this method, the sample is a subset of individuals/transactions (a

sample) chosen from a larger set (a population). Each individual/transaction is
chosen randomly and entirely by chance, such that each individual/transaction
has the same probability of being chosen at any stage during the sampling
process, and each subset has the same probability of being chosen for the
sample as any other subset.
Conceptually, simple random sampling is the simplest of the probability

sampling techniques. It requires a complete sampling frame, which may not be
available or feasible to construct for large populations. Even if a complete
frame is available, more efficient approaches may be possible if other useful
information are available about the units in the population.
Its advantages include its being free of classification error, and it requires
minimum advanced knowledge of the population other than the frame. Its
simplicity also makes interpretation of data collected relatively easy. For these
reasons, simple random sampling best suits situations where not much
information is available about the population and data collection can be
efficiently conducted on randomly distributed items, or where the cost of
sampling is small enough to make efficiency less important than simplicity. If
these conditions are not true, stratified sampling or cluster sampling maybe a
better choice.
c. Stratified Sampling
In statistics, stratified sampling is a method of sampling from a population.
When subpopulations vary considerably, it is advantageous to sample each

subpopulation (stratum) independently. Stratification is the process of grouping
members of the population into relatively homogeneous subgroups before
sampling. The strata should be mutually exclusive: every element in the
population must be assigned to only one stratum. The strata should also be
collectively exhaustive: no population element can be excluded. Afterwhich,
random or systematic sampling is applied within each stratum. This often
improves the representativeness of the sample by reducing sampling error. It
can produce a weighted mean that has less variability than the arithmetic
mean of a simple random sample of the population.
Stratified sampling strategies involve:
i. Proportionate allocation which uses a sampling fraction in each of the

strata that is proportional to that of the total population. If the population
consists of 60% in the male stratum and 40% in the female stratum, the
relative size of the two samples (e.g., three males, two females) should
reflect this proportion.
266
ii. Optimum allocation (or Disproportionate allocation) - Each stratum is
proportionate to the standard deviation of the distribution of the variable.
Larger samples are taken from the strata with the greatest variability to
generate the least possible sampling variance.
A real world example of using stratified sampling would be for a Philippine

political survey. If the respondents needed to reflect the diversity of the
population of the Philippines, the researcher would specifically seek to
include participants from the various groups such as tribe, religion, gender
and income level, based on their proportionality to the total population as
mentioned above. A stratified survey could thus claim to be more
representative of the population than a survey of simple random sampling
or systematic sampling.
Similarly, if population density varies greatly within a region, stratified

sampling will ensure that estimates can be made with equal accuracy in
different parts of the region, and that comparisons of sub-regions can be
made with equal statistical power. For example, in the Visayas, a survey
taken throughout the island might use a larger sampling fraction in the less
populated north, since the disparity in population between the north and the
south may be so great that a sampling fraction based on the provincial
sample as a whole might result in the collection of only a handful of data
from the north.
Randomized stratification can also be used to improve population

representativeness in a study.
Advantages Over Other Sampling Methods
a. Focuses on important subpopulations and ignores irrelevant ones;

b. Allows use of different sampling techniques for different subpopulations;
c. Improves the accuracy/efficiency of estimation; and
d. Permits greater balancing of the statistical power of tests of differences
between each stratum by sampling equal numbers from the stratum
varying widely in size.
Disadvantages
a. Requires selection of relevant stratification variables which can be

difficult;
b. Is not useful when there are no homogeneous subgroups;
c. Can be expensive to implement; and
d. Requires accurate information about the population or introduces bias
as a result of either measurement error/s (effects of which can be
modeled by the errors-in-variables model) or selection bias.
267
4. Practical Example
In general, the size of the sample in each stratum is taken in proportion to the size
of the stratum. This is called proportional allocation.
Suppose that in an organization, the staff is composed of the following:
male, full time: 90

male, part time: 18
female, full time: 9
female, part time: 63
Total: 180
A sample of 40 staff, stratified according to the above categories, may be

taken.
The first step is to find the total number of staff (180) and calculate the
percentage in each group.
% male, full time = (90 / 180) x 100 = 50%

% male, part time = ( 18 / 180 ) x 100 = 10%
% female, full time = (9 / 180 ) x 100 = 5%
% female, part time = (63 / 180) x 100 = 35%
This tells us that in our sample of 40;
50% should be male, full time;

10% should be male, part time;
5% should be female, full time; and
35% should be female, part time.
Compute the absolute number of samples based on the percentage per

staff allocation in each group.
50% of 40 is 20.
10% of 40 is 4.
5% of 40 is 2.
35% of 40 is 14.
The following references on sampling may be used:
268
The following references on sampling may be used:
a. Philippine Standard on Auditing (PSA) 530 on “Audit Sampling and Other

Selective Testing Procedures” – It established standards and provides
guidance on the use of audit sampling procedures and other means of
selecting items for testing to gather audit evidence;
b. United States Government Accounting Office (US GAO) GAO/PEMD-10.1.6,

“Using Statistical Sampling” – The purpose of the series is to provide GAO
evaluators with guides on various aspects of audit and evaluation
methodology, to illustrate applications, and to indicate where more detailed
information is available; and
c. United Nations Internal Audit Division Audit Manual – In the choice of

sampling method and technique, if the auditor is seeking to determine how
many cases or how much (the amount) of something exists, the IA should
use a statistical sampling method. If on the other hand, the auditor wants to
determine whether a problem exists, the IA should use non-statistical
sampling.
269
GLOSSARY
Accountability. The obligation of an individual or institution to account for its

activities, accept responsibility for them, and disclose the results in a transparent
manner.
Auditee. The public official responsible for the subject of the audit. The auditee for
each audit is the senior manager with overall responsibility for the organizational area
being reviewed.
This person will be the primary senior point of contact for the audit and be
responsible for responding to the audit report, including the suggested courses of
action. For example, the DS/HoA or GB/AuditCom may request an audit of the
Human Resources Management (HRM) System. The auditee is the subordinate unit
under the DS/HoA or GB/AuditCom which includes, among others, the Office of the
Undersecretary.
The NGICS prohibits the auditor to have a client/customer relationship with the
auditee.
Computer Assisted Audit Techniques and Tools. Computer tools and techniques
in performing various auditing procedures and improving the effectiveness and
efficiency of obtaining and evaluating audit evidence. It provides effective tests of
controls and substantive procedures where wide range of techniques and tools are
used to automate the test procedures for evaluating controls, obtaining evidence and
data analysis.199
Compliance Audit. Review of the degree of adherence with laws, regulations,

managerial policies and operating procedures of government, including compliance
with accountability measures and ethical standards and contractual obligations. It is a
necessary „first step‟ to, and part of management and operations audits.
Citizen’s Charter. An official document, a service standard, or a pledge, that

communicates in simple terms, information on the services provided by the
government to its citizens. It describes the step-by-step procedure for availing of a
particular service, and the guaranteed performance level that they may expect for
that service.
Detail. Temporary movement of an employee from one department or agency to

another which does not involve a reduction in rank, status or salary (refer to CSC MC
No. 21, s. 2002 for the policy on detail)
External Stakeholders. The persons, organizations and other service groups that
are outside a specific public service sector but may have an interest and can
influence the achievement of the sectoral goals of the agency concerned. External
stakeholders must always deal with the principal (DS/HoA/GB/AuditCom) and not
directly with the IAS/IAU.
270
Expert. Person who is knowledgeable in a specialized field, that knowledge being
obtained from either education or personal experience. He/she is one who by reason
of education or special experience has knowledge respecting a subject matter about
which persons having no particular training are incapable of forming an accurate
opinion or making a correct deduction.200
Four Cs in Audit Findings. Stands for criteria, condition, cause and conclusion.
Criteria are the standards against which a condition is compared; standards can
be laws, rules, regulations, policies, orders, guidelines, procedures, plans, targets,
best practices, etc.
Condition is a fact, backed up by a substantial evidence (includes consequence,
effects or impact); this is also referred to as the “finding of facts” which is defined
as the written statement of the ultimate facts essential to support the audit
findings.201
Cause refers to the probable cause, in case of compliance audit; or root cause, in
case of management audit or operations audit. Relatedly, a finding of probable
cause needs only to rest on evidence showing that more likely than not 202 the
act/s or omission/s of the person responsible had caused the non-compliance
which may warrant the conduct of administrative proceeding by the disciplining
authority. Root cause is a structured investigation that aims to identify the true
cause of the control weaknesses or incidences and the actions necessary to
eliminate it.
Conclusion is the evaluation of the criteria and the conditions that could either
result in compliance or non-compliance with laws, regulations and policies, as
supported by substantial evidence; control effectiveness; determination of
adequacy or inadequacy of controls; determination of the efficiency, effectiveness,
ethicality, and economy of agency operations; this is also referred to as the
“conclusion of facts” which is defined as an inference drawn from the subordinate
or evidentiary facts.”203
Four Es of Operations. Stands for efficient, effective, economical and ethical.

Efficient refers to “doing things right” given the available resources/inputs and
within a specified timeframe. This is about delivering a given quantity and quality
of outputs with minimum inputs or maximizing outputs with a given quantity and
quality of inputs.
Effective refers to “doing the right things”. Effective operations mean that
operating units are able to deliver their major final outputs and outcomes and able
to achieve the expected results and contribute to the achievement of the sectoral
and societal goals.
Economical refers to the performance of functions and tasks using the least
amount of resources/inputs within a specific timeframe. It implies that the
resources/inputs should be acquired at the right cost, at the right time, at the right
place, in the right quantity and of the right quality.
Ethical refers to conformity with the norms of conduct and ethical standards as
contained in RA 6713, otherwise known as the “Code of Conduct and Ethical
Standards for Public Officials and Employees”.
271
Head of Internal Audit. The highest official in the Internal Audit Service of a
Department or agency concerned. He has overall responsibility for auditing the
organization, managing the entire audit cycle and a team of internal auditors, and
ensuring the quality of audit products produced by the team.
Internal Audit. The evaluation of management control and operations performance

and the determination of the degree of compliance with laws, regulations, managerial
policies, and contractual obligations. It is the appraisal of the plan of organization and
all the coordinate methods and measures to recommend courses of action on all
matters relating to management control and operations audit.204
Internal Audit Annual Work Plan. It contains the coverage of the audit for a given
calendar year and approved by the DS/HoA or GB/AuditCom. The plan should
outline the deficiencies in internal control and vulnerability being addressed, audit
title, specific audit area, type of audit, summary description of the audit, expected
benefit, priority and resources to be used, estimated duration and cost, and proposed
timing of the audit, among others.
Internal Audit Strategic Plan. An internal audit strategic plan outlines the broad
strategic direction of internal audit over the medium term (i.e., three to five years)
and provides an important basis for managerial policies from the DS/HoA and the
detailed internal audit annual work plan. It is approved by the DS/HoA or
GB/AuditCom.
It should articulate the primary focus and direction of the internal audit function over
the period covered by the plan; outline the objectives to be achieved in the period;
and identify the key management strategies (i.e., plans and programs) and actions
that will be needed to achieve these objectives.
Internal Stakeholders. These are the individuals and groups that can affect and be
affected by the agency‟s operation within a particular public service sector. These
include those within the sector (e.g., Civil Service Commission, Office of the
Ombudsman, Presidential Anti-Graft Commission, and relevant professional bodies;
other review and oversight bodies). In terms of relationship, the IAS/IAU basically
coordinates with internal stakeholders and collaborates with external stakeholders.
Key Performance Indicator. Performance measures reflecting the central

importance of evidence and information to support performance results. It is
important that the KPIs for internal audit are aligned with the Strategic and Annual
Internal Audit Plans.
Management Audit. The separate evaluation of the effectiveness of the internal

controls adapted in the operating and support services units/systems, whether it
achieves the control objective over a specific date or period of time. It is a review and
appraisal of systems and processes, organizational structure and staffing, operations
and management practices, records, reports and performance standards of the
agencies/units covered. It includes the determination of the extent of compliance with
laws, rules, regulations, managerial policies, operating procedures, accountability
measures and contractual obligations covering specific timeframes. Examples of
support services systems are human resource management system, financial
272
management system, quality management system, risk management system and
their sub-system; while operating systems of bureaus, regional offices and local
government units include, among others, the rules of engagement in the conduct of
arrest, search and seizure and rules on vaccination and immunization.
Management Audit Division. This is one of the two divisions forming part of the
IAS/IAU in departments and equivalent agencies. It is responsible for, among other
functions, conducting a separate evaluation of the effectiveness of the internal
controls adapted in the operating and support services systems. It conducts an
appraisal and review of management controls of the operating or support units to
determine if the control objectives are being achieved, conducts root cause analysis
in case the controls are weak, and recommends courses of action to address the
control weaknesses.
Management Monitoring. The plethora of measures taken by management to

ensure that internal control systems are operating as intended (see paragraph 3.5 of
the NGICS). Ongoing monitoring occurs in the course of operations. It is performed
regularly on a real time basis, responds dynamically to changing conditions and is
embedded in an agency‟s operations.
Operations Audit. The separate evaluation of the outcome, output, process and
input to determine whether government operations, including management and
personnel structure in programs/projects are effective, efficient, ethical and
economical. Operations audit of organizations, programs, and projects involves an
evaluation of whether or not expected results were achieved and targets were
attained.
Operations Audit Division. This is one of the two divisions forming part of the
IAS/IAU in departments and equivalent agencies. It is responsible for conducting a
separate evaluation of the outcome, output, process and input to determine whether
government operations, including management and personnel structure in
programs/projects are effective, efficient, ethical and economical.
Philippine Government Internal Audit Manual. The documentation of the

standards and procedures for conducting management and operations audits. It
serves as a friendly tool to internal auditors in appraising the internal control systems
of the public entities (agencies). It provides details on the nature and scope of internal
audit in the Philippine public sector, including the institutional arrangements of the
internal audit function, as well as the protocols and processes for the conduct of
internal audit. The PGIAM is divided into two parts. Part I - Guidelines (PGIAM I)
outlines the basic concepts and principles of internal audit, and the policies and
standards that will guide government agencies in organizing, managing, and
conducting an effective internal audit. Part II – Practices (PGIAM 2) contains tools,
techniques, and approaches that will facilitate the conduct of internal audit activities.
273
Public Service Organizations These are classified into: (1) Public Entities; and (2)
Private Entities Providing Public Services.
Public Entities generally pertain to: (1) Agencies of Government, and (2) Public
Offices. Agencies of Government refer to any of the various units of government,
including a department, bureau, office, instrumentality, or government-owned
and/or -controlled corporation, or a local government or distinct unit therein.
Private Entities providing public services, as mandated and authorized by law,
include: (1) Utility and Service Providers; (2) Withholding Tax Agents; (3)
Procurement Observers; (4) Private Contractors; and (5) Volunteers.
Qualifications Standards. Minimum and basic requirements for positions in the

government. These shall serve as the basic guide in the selection of personnel and in
the evaluation of appointments to all positions in the government.205
Related Audit Services. Related activities such as being a resource person (i.e.,
attending to functions outside the organization) for external organizations like the
COA, Office of the Ombudsman, oversight or regulatory bodies and financing
institutions; training of IAS/IAU staff, and intervening activities or tasks that may be
assigned to the IAS/IAU.
Report Card Survey. An evaluation tool that provides a quantitative measure of

actual public service user perceptions on the quality, efficiency and adequacy of
different frontline services, as well as a critical evaluation of the office or agency and
its personnel. It is an instrument that also solicits user feedback on the performance
of public services for the purpose of exacting public accountability and, when
necessary, proposing change.
Risk Assessment. The process of identifying, analyzing and evaluating relevant

risks to the achievement of the control objectives and determining the appropriate
response. In other words, it is the identification, analysis and evaluation of what could
go wrong and how to address it.
Risk Management. The coordinated activities to direct and control an organization

with regard to risks. It is not a stand-alone activity that is separate from the main
activities and processes of the organization. Risk management is part of the
responsibilities of management and an integral part of all organizational processes.206
Root Cause Analysis. A method that is used to address a deficiency in order to get
the “root cause” of the problem. It is used in order to correct or eliminate the cause
and prevent the problem from recurring. It attempts to identify the root or original
causes instead of dealing with the immediately obvious symptoms. It is a structured
review and evaluation that aims to identify the true cause of the deficiency and the
courses of action necessary to address it. RCA is continuing to ask why the control
deficiency occurred until the fundamental process element that failed is identified.
Secondment. The movement of an employee from one department or agency to

another which is temporary in nature and which may not require the issuance of an
appointment which may either involve increase in compensation and benefits.
Acceptance thereof is voluntary on the part of the employee (MC No. 15, s. 1999).
274
Separate Evaluation. Covers the periodic evaluation of the effectiveness of the
internal control system and ensuring that internal controls achieve the desired results
based on predefined methods and procedures. It includes the appraisal of the
internal control system to determine whether controls are well designed and properly
operated. In the conduct of separate evaluation, the IAS/IAU shall determine the
extent of compliance and assess the adequacy of controls embedded in functional
and operating systems/units, as well as evaluate the performance of programs,
projects and activities of the agency.
Stakeholder .A person or organization that can affect, be affected by, or perceive

themselves to be affected by a decision or activity. The IAS /IAU relates with both
internal and external stakeholders.
275
ENDNOTES
1
Sec. 8, Ch. 3, Title V (DPWH), Bk. IV, EO 292, s. 1987, “Administrative Code 1987” and Sec. 123, PD 1445
or the “Government Auditing Code of the Philippines”.
2
Section 55 (b), Title II-Internal Control System, Vol. III, GAAM; COA Circular No. 91-368 dated 19 December
1991; and Sec. 8(3), Ch. 2, Title V, Book IV, EO 292, s. 1987, the “Administrative Code of 1987” and the
“National Guidelines on Internal Control Systems”, DBM Circular Letter No. 2008-8, p. 39 .
3
For GOCCs/GFIs, the Audit Committee is a primary committee of the Board of Directors.
4
United Nations Development Program, Handbook on Planning, Monitoring and Evaluating for Development
Results, 2009.
5
Process refers to the “set of interrelated or interacting activities of the public sector organization which
transforms input elements (policies, resources, citizen needs and expectations, etc.) into outputs/outcomes
(the products and services provided to the citizens).” [underscoring supplied] Clause 3.5., Government
Quality Management System Standards (GQMSS), the “Quality Management Systems - Guidance Document
for the Application of ISO 9001:2000 in Public Sector Organizations,” 21 June 2007; Executive Order (EO)
No. 605 s. 2007; and Republic Act (RA) No. 9013.
6
DBM Circular Letter No. 2007-05, “Conduct of FY 2007 Organizational Performance Indicator Framework
(OPIF) Review and Consultation Meetings with the Agencies”, 8 February 2007.
7
Book VI, Chapter 1, Section 2, Executive Order (EO) No. 292 s. 1987, the “Administrative Code of 1987,” 25
July 1987.
8
Organizational Performance Indicators Framework, FY 2008, December 2007.
9
“SEC. 3. Declaration of Policy. – x x x. The budget shall be supportive of and consistent with the socio-
economic development plan and shall be oriented towards the achievement of explicit objectives and
expected results, to ensure that funds are utilized and operations are conducted effectively, economically and
efficiently. x x x.” [underscoring supplied] Chapter 2, Book VI, Executive Order (EO) No. 292 s. 1987, the
“Administrative Code of 1987,” 25 July 1987.
10
5.2. Government Quality Management Systems Standards, Quality Management Systems – Guidance
Document for the Application of ISO 9001:2000 (now ISO 9001:2008) in the Public Sector, Government
Quality Management Committee Resolution No. 1, series of 2007.
11
This was aptly illustrated in Veneracion and Linatoc vs. Office of the Court Administrator, A.M. No. RTJ-99-
1432, 21 June 2000 and Muro vs. State Prosecutors, A.M. No. RTJ-92-876, 11 December 1995. “What is
required on the part of the judges is objectivity. An independent judiciary does not mean that judges can
resolve specific disputes entirely as they please. They are bound by limitations on their authority, by
substantive and procedural rules of law, more importantly by Constitutional precepts and the recognition of
their places in the hierarchy of courts.”
12
Public service organizations are classified into two: (1) public entities and (2) private enterprises providing
public services.
13
Sec. 1 (2.0), AO 278, s. 1992, “Directing the Strengthening of the Internal Control Systems of Government
Offices, Agencies, Government-Owned and/or - Controlled Corporations, Including Government Financial
Institutions and Local Government Units, in their Operations”, 28 April 1992.
14
CSC Resolution No. 000831, Sison, Mory Q., Re: Consultancy Service, March 29, 2000 citing CSC
Resolution No. 95-6939 dated November 2, 1995 Pagaduan, Ma. Dolores, et al. vs. Malonzo, Reynaldo, et al;
Rule XI, CSC MC No. 40, s. 1998, “Revised Omnibus Rules on Appointments and Other Personnel Actions”.
15
Rule XI, CSC MC No. 40, s. 1998, “Revised Omnibus Rules on Appointments and Other Personnel Actions”.
16
Item 10, Government Auditing Standards Answers to Independence Standards Questions, US Government
Accountability Office [formerly US General Accounting Office until renamed in 2004], July 2002.
17
Despite compliance with supplemental safeguards, the IAS may face independence impairments as a result
of non-audit services. Recent high profile cases involving the auditing practice in corporate governance have
resulted in the realization that, in many cases, it is not appropriate for an auditor to provide both audit and
certain non-audit (consulting) services for the same client. By the nature of certain non-audit services (e.g.,
developing an organization‟s policies, procedures, and internal controls), it encompasses advice and
improvement of processes, operations and outcomes of Operating and Support Units which would impair the
ability of IAS to meet either or both of the overarching independence principles for certain types of audit work.
(Exposure Draft of Proposed New and Amended Standards for the Professional Practice of Internal Auditing,
30 May 2003, paragraphs 3.29 and 3.22).
18
Sec. 8(3), Chapter 3, Title V, Book IV, EO 292, Administrative Code of 1987, 25 July 1987 and Section 55 (b),
Title II-Internal Control System, Vol. III, GAAM, COA Circular No. 91-368, 19 December 1991, p.82.
19
COA Circular 2002-002, 18 June 2002.
20
Sec. 1, (2.0), Administrative Order 278, 28 April 1992, Directing the Strengthening of the Internal Control
Systems of Government Offices, Agencies, Government-Owned and/or –Control Corporations, Including
Government Financial Institutions and Local Government Units, in their Operations.
21
Commission on Audit (COA) Circular No. 93-214A, the “Government Contracts for Internal Audit Services,” 4
March 1993; COA Circular No. 83-214, 8 September 1983.
276
22
Republic Act No. 9184 or the “Government Procurement Reform Act”.
23
Section 124 of PD 1445, “Government Auditing Code of the Philippines”, as amended
24
Section 123 of PD 1445, as amended, and Section 1, Chapter 1, Subtitle B, Book V of the Administrative
Code of 1987.
25
National Guidelines on Internal Control Systems, p.16.
26
National Guidelines on Internal Control Systems, p.17.
27
Medium-Term Philippine Development Plan of 1999-2004.
28
Clause 5, 5.2, IEC/ISO 31010:2009, “Risk Management – Risk Assessment Techniques,” 1 December 2009.
29
Clause 5, 5.3.1, IEC/ISO 31010:2009, “Risk Management – Risk Assessment Techniques,” 1 December
2009.
30
Clause 5, 5.4, IEC/ISO 31010:2009, “Risk Management – Risk Assessment Techniques,” 1 December 2009.
31
Clause 4, 4.3.1, IEC/ISO 31010:2009, “Risk Management – Risk Assessment Techniques,” 1 December
2009.
32
INTOSAI Guidelines for Internal Control Standards for the Public Sector, p.23.
33
4.0 Risk assessment concepts, 4.1 Purpose and benefits, IEC /ISO 31010, Edition 1.0 2009-11, Risk
management-Risk assessment techniques.
34
5.0 Risk assessment process, 5.1 Overview, IEC/ISO 31010, Edition 1.0 2009-11, Risk management-Risk
assessment techniques.
35
Clause 2, 2.26, ISO 31000: 2009(E), the “Risk Management – Principles and Guidelines,” 15 November
2009.
36
Clause 2, 2.25, ISO 31000: 2009(E), the “Risk Management – Principles and Guidelines,” 15 November
2009.
37
Rule IV, Rules Implementing Republic Act (RA) No. 6713, the “Code of Conduct and Ethical Standards for
Public Officials and Employees,” 21 April 1989.
38
Rule III, Rules Implementing Republic Act (RA) No. 6713, the “Code of Conduct and Ethical Standards for
Public Officials and Employees,” 21 April 1989.
39
International Organization of Supreme Audit Institutions (INTOSAI), the “Guidelines for Internal Control
Standards for the Public Sector,” 16 October 2004, p. 41.
40
Section 38, Chapter 7, Book IV of the Administrative Code of 1987.
41
Section 38 (3), (a), Chapter 7, Book IV, EO 292 s. 1987, the “Administrative Code of 1987”.
42
DBM-CSC Joint Resolution No. 1, s. 2006, “Rationalization Program‟s Organization and Staffing Standards
and Guidelines”, 12 May 2006 and Item 2.1, DBM Circular Letter No. 2008-5, “Guidelines in the Organization
and Staffing of an Internal Audit Service/Unit and Management Division/Unit in Departments/
Agencies/GOCCs/GFI Concerned” 14 April 2008.
43
Section 1 of Administrative Order No. 70, s. 2003.
44
Sections 2.5 and 2.6 of DBM Circular Letter No. 2008-5.
45
Section 2.7 of the DBM Circular Letter No. 2008-5.
46
Sections 2.5 to 2.7 of DBM Circular Letter No. 2008-5.
47
All accounts pertaining to revenues, receipts, expenditures or uses of funds and property owned or held in
trust by public service organizations. See Article XII-D, Section 2 of the Philippine Constitution and the
Administrative Code.
48
AO 70, s. 2003.
49
AO 278, s. 1992.
50
DBM-CSC Joint Resolution No. 1, “Rationalization Program‟s Organization and Staffing Standards and
Guidelines”, 12 May 2006 and item 2.1, DBM Circular Letter No. 2008-5, “Guidelines in the Organization and
Staffing of an Internal Audit Service/Unit and Management Division/Unit in Departments/
Agencies/GOCCs/GFI Concerned”, 14 April 2008.
51
Sec. 3, Ch. 1, Bk IV, EO 292, “Administrative Code of 1987”.
52
DBM-CSC Joint Resolution No. 1 dated 12 May 2006, p.5.
53
Item 2.6, DBM Circular Letter No. 2008-5, “Guidelines in the Organization and Staffing of an Internal Audit
Service/Unit and Management Division/Unit in Departments/ Agencies/GOCCs/GFI Concerned”, 14 April
2008.
54
Item 2.7, DBM Circular Letter No. 2008-5, 14 April 2008.
55
Item 2.5, DBM Circular Letter No. 2008-5, 14 April 2008; NGICS Section 3.5.2.
56
Section 8, Chapter 3, Title V, Book V, of the Administrative Code of 1987.
57
Item 2.4.b., DBM Circular Letter No. 2008-5 dated 14 April 2008, “x x x conduct management and operations
performance audit of the Department/Agency/GOCC/GFI activities and their units and determine the degree
of compliance with their mandate, policies, government regulations, established objectives, systems and
procedures/processes and contractual obligations.” Underscoring supplied.
58
Administrative Order (AO) 278 s. 1992, “Directing the Strengthening of the Internal Control Systems of
Government Offices, Government Owned And/Or Controlled Corporations, Including Government Financial
Institutions and Local Government Units, In Their Operations”, 28 April 1992 issued by then President
Corazon C. Aquino.
59
Section 8, Chapter 3, Title V, Book V, of the Administrative Code of 1987.
60
Item 2.4.b., DBM Circular Letter No. 2008-5 dated 14 April 2008, “x x x conduct management and operations
performance audit of the Department/Agency/GOCC/GFI activities and their units and determine the degree
277
of compliance with their mandate, policies, government regulations, established objectives, systems and
procedures/processes and contractual obligations.” Underscoring supplied.
61
AO 278 s. 1992, “Directing the Strengthening of the Internal Control Systems of Government Offices,
Government Owned And/Or Controlled Corporations, Including Government Financial Institutions and Local
Government Units, In Their Operations”, 28 April 1992 issued by then President Corazon C. Aquino.
62
AO No. 278 s. 1992, 28 April 1992 and DBM Circular No. 2004-4 dated 22 March 2004.
63
Item 2.5, DBM Circular Letter No. 2008-5, “Guidelines in the Organization and Staffing of an Internal Audit
Service/Unit and Management Division/Unit in Departments/ Agencies/GOCCs/GFI Concerned” 14 April
2008.
64
“Guidelines in the Organization and Staffing of an Internal Audit Service/Unit and Management Division/Unit
in Departments/ Agencies/GOCCs/GFIs Concerned” 14 April 2008.
65
Under CSC MC No. 12, s. 2006 “Qualification Standards for IAS Positions”, no experience and training is
required for Internal Auditor I, however, agencies are encouraged under said MC to set specific or higher
standards for their IAS/IAU positions. These must be submitted to the CSC for approval, and once approved,
shall be adopted by the Commission as qualification standards in the attestation of the appointments of non-
Presidential appointees of the agency concerned.
66
Sec. 10 (a), Ch. 3, Title I-Government Auditing Standards and Procedures, Volume III, GAAM, COA Circ.
368-91, 19 December 1991.
67
Practice Advisory 1000-1: Internal Audit Charter, International Standards for the Professional Practice of
Internal Auditing (ISPPIA), January 2009, p. 45.
68
Handbook on Monitoring and Evaluating for Results, UNDP, Evaluation Office, p. 64.
69
Department of Budget and Management (DBM) Circular Letter No. 2008-8, the “National Guidelines on
Internal Control Systems (NGICS),” 23 October 2008, p 20.
70
Department of Budget and Management (DBM) Circular Letter No. 2008-8, the “National Guidelines on
Internal Control Systems (NGICS),” 23 October 2008, p 21.
71
DBM Circular Letter No. 2007-6, “Manual on Position Classification and Compensation,” 19 February 2007.
72
EO 366, “Directing a Strategic Review of the Operations and Organizations of the Executive Branch and
Providing Options and Incentives for Government Employees Who May Be Affected by the Rationalization of
the Functions and Agencies of the Executive Branch”, October 4, 2004; CSC-DBM Joint Resolution No. 1,
“Rationalization Program‟s Organization and Staffing Standards and Guidelines,” 12 May 2006.
73
DBM National Budget Circular No. (NBC) 518, 8 January 2009; DBM NBC 522, 14 December 2009.
74
NEDA Office Circular No. 01-2009, “Adopting the Code of Conduct for the Officials and Employees of NEDA,
19 May 2009; LTFRB, “Code of Conduct for Officials and Employees of the Land Transportation and
Franchising Regulatory Board,” 4 February 2005.
75
“Code of Conduct and Ethical Standards for Public Officials and Employees”, 20 February 1989.
76
Section 8, Chapter 2, Book IV, EO 292, “Administrative Code of 1987”, 25 July 1987.
77
Attachment to Memorandum dated 3 August 1993 signed by Teofisto Guingona; Memorandum for the
President dated 10 June 1999 signed by Joseph Estrada; Memorandum Circular (MC) No. 68, s. 2004; MC
No. 24, s. 2006; and MC 110, s. 2006.
78
Section 13, Chapter 3, Book IV, EO 292, “Administrative Code of 1987”.
79
Section 3, Chapter 2, Book VI, EO 292, “Administrative Code of 1987”.
80
DBM Publications, Other Publications; Section 29, Art. VI of the 1987 Constitution; Sections 329-334 of RA
7160, “Local Government Code of 1991”.
81
Such as RA 9524, General Appropriations Act for Fiscal Year 2009.
82
DBM National Budget Circular No. 507, s. 2007.
83
Section 10, Chapter 4, Subtitle B, Book V, EO 292, “Administrative Code of 1987”.
84
PD 1445, “Government Auditing Code of the Philippines”, 11 June 1978.
85
COA Circular No. 2002-002, “Prescribing the Manual on the New Government Accounting System (Manual
Version) for Use in All National Government Agencies”, 18 June 2002.
86
Section 15, Chapter 3, Book IV, EO 292, “Administrative Code of 1987”.
87
RA 9184, “Government Procurement Reform Act”, and its Revised Implementing Rules and Regulations,
GPPB Resolution No. 03-2009, 22 July 2009.
88
Revised Implementing Rules and Regulations of RA 9184, GPPB Resolution No. 03-2009, 22 July 2009.
89
Section 5, RA 6713, 20 February 1989; Rule V of the Rules Implementing RA 6713; OP Memorandum
Circular 35 s. 2003.
90
National Archives of the Philippines General Circular No. 1 and 2, January 2009.
91
Section 7, Chapter 2, Subtitle A, Title I, Book V, EO 292, “Administrative Code of 1987”.
92
Omnibus Rules Implementing Book V of EO 292 and Other Pertinent Civil Service Laws, as amended such
as by CSC MC 38, s. 1993; MC 40, s. 1998, MC 41, s. 1998; MC 20, s. 2002; MC 15, s. 2006; CSC MC 28, s.
2009.
93
CSC Resolution No. 991936, 31 August 1999, as amended.
94
1997 Revised Qualification Standards amended by CSC MC 12, s. 2003; Section 22, Chapter 5, Subtitle A,
Title I, Book V, EO 292, “Administrative Code of 1987”.
95
CSC MC 7, s. 2007, “Installation of Performance Management System (PMS) in the Civil Service”
96
RA 9013, “An Act Establishing the Philippine Quality Award in Order to Encourage Organizations in Both the
Private and Public Sectors to Attain Excellence in Quality in the Production and/or Delivery of their Goods
278
and Services”, 28 February 2001; EO 605, s. 2007, “Institutionalizing the Structure, mechanisms and
Standards to Implement the Government Quality Management Program, Amending for the Purpose
Administrative Order No. 161, s. 2003”, 23 February 2007.
97
ISO 9001:2008; and EO 605, “Institutionalizing the Structure, Mechanisms and Standards to Implement the
Government Quality Management Program amending for the Purpose Administrative Order No. 161, s.
2006”.
98
5.5, Documentation, Ibid., p. 16.
99
1.3, Risk Management Plan, ISO Guide 73:2009 (E/F), p. 2.
100
2.24, Risk Criteria, ISO 31000:2009.
101
NGICS, pp. 32-33.
102
DBM Circular Letter 2008-8, “National Guidelines on Internal Control System”, p. 32, 23 October 2008.
103
Clause 2, 2.25, ISO 31000:2009(E), “Risk Management-Principles and Guidelines”, 15 November 2009.
104
DBM Circular Letter 2008-8, “National Guidelines on Internal Control System”, p. 32, 23 October 2008.
105
Clause 3.8.1.3, ISO Guide 73:2009 (E/F), “Risk management – Vocabulary”.
106
Clause 3.8.1.5, Ibid.
107
Section 6, RA 9485, “An Act to Improve Efficiency in the Delivery of Government Service to the Public by
Reducing Bureaucratic red Tape, Preventing Graft and Corruption, and providing Penalties Therefor”, 2 June
2007 and its Implementing Rules.
108
Rule V, Rules Implementing RA 6713, the “Code of Conduct and Ethical Standards for Public Officials and
Employees”, 21 April 1989.
109
EO 265, s. 2000, “Approving and Adopting the Government Information Systems plan (GISP) as Framework
and Guide for All Computerization Efforts in Government”.
110
Section 8, RA 6713, the “Code of Conduct and Ethical Standards for Public Officials and Employees”,
February 20, 1989 and its Implementing Rules; Section 7, RA 3019, “Anti-graft and Corrupt Practices Act”;
CSC Resolution No. 06-0231, 1 February 2006; CSC MC 10, s. 2006.
111
Section 10, RA 9485; Section 1, Rule IV, Implementing Rules of Regulations of RA 9485, 24 July 2008.
112
Section 8, Rule III, Rules Implementing RA 6713, 21 April 1989.
113
RA 9584, GAA FY 2009.
114
Section 5, Rule III, Rules Implementing RA 6713, 21 April 1989.
115
Item 5.7, DBM National Budget Memorandum No. 103, “Policy Guidelines and Procedures in the Preparation
of the FY 2010 Budget Proposals”, 14 April 2009.
116
CSC MC 41 s. 1998; CSC MC 14, s. 1999.
117
2.11, DBM Circular Letter 2008-5, 14 April 2008.
118
Professional Development Center .
119
16 February 2009.
120
Government Quality Management Systems Standards, Quality Management Systems – Guidance Document
for the Application of ISO 9001:2000 (now ISO 9001:2008) in Public Sector, Government Quality
Management Committee Resolution No. 1, series of 2007).
121
Section 54, Chapter 6, Book VI, EO 292 “Administrative Code of 1987”.
122
Standards for the Public Sector,” 16 October 2004, p. 32. Please refer to the 6th Asian Organization of
Supreme Audit Institutions (ASOSAI) Research Project , “IT Audit Guidelines”, September 2003.
123
124
125
ISO 31000:2009(E), the “Risk Management – Principles and Guidelines,” 15 November 2009
126
The Financial Audit Manual, Commission on Audit, 2003, p.22.
127
Value for Money Audit Manual , Commission of Audit, p. 49.
128
Sixth Edition (1990), Black‟s Law Dictionary, p. 290.
129
Webb vs. De Leon, G.R. No. 121234, 23 August1995; and Boiser vs. People of the Philippines, G.R. No.
180299, 31 January 2008.
130
Albert vs. Gangan, G.R.No. 126557, 6 March 2001.
131
132
Root Cause Analysis, Second Edition, Bjorn Anderson and Tom Fagerhaug p. 12.
133
Galario vs. Office of the Ombudsman, et. Al., G.R. No. 166797, 10 July 2007; Webb vs. De Leon, G.R. No.
121234, 23 August1995; and Boiser vs. People of the Philippines, G.R. No. 180299, 31 January 2008.
134
135
“Furthermore, the only concern of the Review and Compliance Procedure, as per paragraph (a), is to
determine whether the SALNs are complete and in proper form. This means that the SALN contains all the
required data, i.e., the public official answered all the questions and filled in all the blanks in his SALN form.”
(Presidential Anti-Graft Commission [PAGC] and the Office of the President vs. Salvador A. Pleyto, G.R. No.
176058, 23 March 2011).
136
“Both Section 7 of the Anti-Graft and Corrupt Practices Act and Section 8 of the Code of Conduct and Ethical
Standards for Public Officials and Employees require the accomplishment and submission of a true, detailed
279
and sworn statement of assets and liabilities. Petitioner was negligent for failing to comply with his duty to
provide a detailed list of his assets and business interests in his SALN.” (Presidential Anti-Graft Commission
[PAGC] and the Office of the President vs. Salvador A. Pleyto, G.R. No. 176058, 23 March 2011, citing Pleyto
vs. Philippine National Police Criminal Investigation and Detection Group [PNP-CIDG], G.R.No. 169982, 23
November 2007 ).
“The law requires that the SSAL must be accomplished as truthfully, as detailed and as accurately as
possible.” (Hon. Waldo S. Flores, Hon. Arthur P Autea and the PAGC vs. Atty. Antonio F. Montemayor, G.R.
No. 170146, 25 August 2010).
137
“SEC. 7. Statement of Assets and Liabilities. – Every public officer, within thirty days after assuming office
and, thereafter, x x x shall prepare and file x x x a true, detailed and sworn statement of assets and liabilities,
including a statement of the amounts and sources of his income, the amounts of his personal and family
expenses and the amount of income taxes paid for the next preceding calendar year x x x” (RA 3019, “Anti
Graft and Corrupt Practices Act”).
138
139
“(B) Identification and disclosure of relatives. – It shall be the duty of every public official or employee to
identify and disclose to the best of his knowledge and information, his relatives in the Government in the form,
manner and frequency prescribed by the Civil Service Commission.” (Rosalio S. Galeos vs. People of the
Philippines, G.R.Nos. 174730-37, 9 February 2011, citing Section 8 (B) of RA 6713).
140
Sec. 12, Rule II, Uniform Rules on the Administrative Cases in the Civil Service Commission.
141
“We agree with the respondent that the professional fee he received from the law firm of San Juan, Africa,
Gonzales and San Agustin from 1978 to 1986 in the amount of P70,000 per annum, as well as that in the
amount of P55,000 reflected in his Statement of Assets and Liabilities for the period ending 31 December
1969, should not be excluded as part of his lawful income or disposable funds.
xxx
It is unquestionable that the outstanding loan balance of respondent's obligation to the GSIS in the amount of
P775,073.38 as of 28 February 1989 did not constitute as respondent's "income" in the strict sense of the
word. The same, however, formed part of the disposable funds used by him in capitalizing his property
acquisition and business investments.
xxx
It bears emphasis that, as borne out by his own summary of property acquisitions, most of his assets were
acquired in 1980 and in the preceding years. The rental income of P1,748,640, which the Sandiganbayan
included as part of his disposable funds, were for the period from 1981 to 1986. Thus, such income could not
have been used by respondent in financing the purchase of his real properties and shareholdings in various
companies prior to 1981. Besides, as will be shown later, there exists an unshakable doubt on the legality of
this income, considering that the properties from which such income was derived were not wholly funded by
lawful income.” (Republic of the Philippines vs. Sandiganbayan, Third Division, and Jolly R. Bugarin, GR No.
102508, 30 January 2002).
142
143
“Sec. 8. Prima facie evidence of and dismissal due to unexplained wealth. – If in accordance with the
provisions of Republic Act Numbered One thousand three hundred seventy-nine, a public official has been
found to have acquired during his incumbency, whether in his name or in the name of other persons, an
amount of property and/or money manifestly out of proportion to his salary and to his other lawful income, that
fact shall be a ground for dismissal or removal. Properties in the name of the spouse and dependents of such
public official may be taken into consideration, when their acquisition through legitimate means can not be
satisfactorily shown ” (RA 3019, Anti Graft and Corrupt Practices Act)
“Sec. 3…(c) The approximate amount of property he has acquired during his incumbency in his past and
present offices and employments,
(d) A description of said property, or such thereof as has been identified by the Solicitor General,
(e) The total amount of his government salary and other proper earnings and incomes from legitimately
acquired property, and
(f) Such other information as may enable the court to determine whether or not the respondent has
unlawfully acquired property during his incumbency.” (RA 1379, An Act Declaring Forfeiture in Favor of the
State any Property Found to Have Been Unlawfully Acquired by any Public Officer or Employee and
Providing for the Procedure Therefor).
144
“Sec. 8 x x x Bank deposits in the name of or manifestly excessive expenditures incurred by the public official,
his spouse or any of their dependents including but not limited to activities in any club or association or any
ostentatious display of wealth including frequent travels abroad of a non-official character by any public
280
official when such activities entail expenses evidently out of proportion to legitimate income shall likewise be
taken into consideration in the enforcement of this section notwithstanding any provision of law to the contrary
x x x” (RA 3019, as amended by BP 195).
145
In the case of Salvador Pleyto vs. Philippine National Police Criminal Investigation and Detection Group, G.R.
No. 169982, 23 November 2007, the court held that the “net-worth-to-income-discrepancy analysis,” may be
effective as an initial evaluation tool, meant to raise warning bells as to possible unlawful accumulation of
wealth by a public officer or employee, but it is far from being conclusive proof of the same.
146
This is a modification of the Expenditure Method provided by RMO 15-95, as amended, where cash outlays,
other than expenses, are included in the Computation to arrive at the total sources of funds and cash
receipts, other than those from income, are included to arrive at the total application of funds.
147
“4. In his Explanation submitted to the Court on September 5, 2003, respondent contends that one of the
reasons why his assets increased significantly from 1974 to 1995 is that he was appointed as company
directory of ELXSHAR PTY LTD (ELXSHAR), a company based in Australia. He reasoned out that his
appointment was brought about by his daughter‟s connections in Australia wherein the latter is a resident.
However, we agree with the observation of the OCA that nowhere in respondent‟s SAL for 1989, 1991 and
1993 did he declare his business and financial connections with ELXSHAR. It was only his SAL for 1995,
1996 and 1998 that he included his directorship in ELXSHAR as part of his business and financial interests.”
5. Respondent also acknowledged in his Explanation that he constructed a two-hectare fish cage in January
1989 by obtaining a loan in the amount of P300,000.00. However, an examination of the SAL of respondent
for 1989 and 1991 reveals that he failed to declare either his ownership of or his financial interests in the said
fish pens. Respondent also explained that as security for his loan of P300,000.00, obtained in January 1989,
he executed a real estate mortgage in favor of the person who loaned him the money. However, his SAL for
1989 does not contain any declaration of a real estate mortgage for the said amount.
6. Respondent declared his ownership of a fish pen worth P2,500,000.00 in his SAL for 1995 and 1996. He
claims that his ownership of the said fish pen was acquired in 1993. However, a perusal of his SAL for 1993
shows that while respondent declared his being a fish pen operator as part of his business interests, he failed
to include said fish pen among his assets. It was only in 1995 that he began to declare the fish pen as part of
his assets. It was only in 1995 that he began to declare the fish pens as part of his assets” (Concerned
Taxpayer vs. Norberto V. Doblada, Jr., Sheriff IV, Branch 155, Regional Trial Court, Pasig City, A.M. No. P-
99-1342, 8 June 2005)
“Aside from dishonesty, however, respondent is also guilty of failure to perform her legal obligation to disclose
her business interests. Respondent herself admitted that she "had a stall in the market." The Office of the
Court Administrator also found that she had been receiving rental payments from one Rodolfo Luay for the
use of the market stall. That respondent had a stall in the market was undoubtedly a business interest which
should have been reported in her Sworn Statement of Assets and Liabilities. Her failure to do so exposes her
to administrative sanction.
xxx
Respondent should have, therefore, indicated in her „Sworn Statement of Assets, Liabilities and Net Worth,
Disclosure of Business Interests and Financial Connections, and Identification of Relatives in the Government
Service‟ for the years 1991, 1992, 1993, 1994 and 1995 that she had a market stall in the Public market of
Panabo, Davao. She admits that she never indicated such in her sworn statements.
As this Office had earlier stated in its Memorandum dated November 10, 1995 filed in connection with the
instant complaint:
„Such non-disclosure is punishable with imprisonment not exceeding five (5) years, or a fine not exceeding
five thousand (P5,000.00) pesos, or both. But even if no criminal prosecution is instituted against the
offender, the offender can be dismissed from the service if the violation is proven. Respondent 201 file
speaks for itself.
Furthermore, respondent should have divested herself of her interest in said business within sixty (60) days
from assumption into (sic) office. She has not. The penalty for non-disclosure of business interests and non-
divestment is the same.‟ (Citations omitted)
In her explanation, respondent maintains the position that she has no business interest, implicitly contending
that there is nothing to divulge or divest from. As discussed above, respondent had a business interest. We
do not find her administratively liable, however, for failure to divest herself of the said interest. The
requirement for the public officers, in general, to divest themselves of business interest upon assumption of a
public office is prompted by the need to avoid conflict of interests. In the absence of any showing that a
business interest will result in a conflict of interest, divestment of the same is unnecessary. In the present
case, it seems a bit far-fetched to imagine that there is a conflict of interest because an Interpreter III of the
Regional Trial Court has a stall in the market. A court, generally, is not engaged in the regulation of a public
281
market, nor does it concern itself with the activities thereof. While respondent may not be compelled to divest
herself of her business interest, she had the legal obligation of divulging it. (Narita Rabe vs. Delsa M. Flores,
Interpreter III, RTC, Branch IV, Panabo, Davao, A.M. No. P-97-1247, 14 May 1997)
“The OMB did not accord weight to the Joint Affidavit submitted by petitioner. In said Affidavit, Vieto and Dean
Racho, petitioner‟s brothers, stated that they entrusted to the petitioner P1,390,000 and P1,950,000
respectively. On the other hand, petitioner‟s nephew, Henry Racho, claimed that he delivered the amount of
P1,400,000 to petitioner. These sums were purportedly their contribution as stockholders of Angelsons
Lending and Investors, Inc. (Angelsons) and Nal Pay Phone Services (NPPS) – businesses managed by the
spouses Racho. Ironically, Dean Racho was not listed as a stockholder of the lending company. Moreover,
the articles of Incorporation of Angelsons reflected that Vieto, Henry and the spouses Racho individually paid
only P12,500 of the subscribed shares of P50,000 each. Petitioner did not present proofs of succeeding
contributions made and their amounts. Curiously, affiants allegedly tendered their additional contributions
during family reunions. Neither did the affiants describe the extent of their interest in NPPS. Petitioner merely
presented NPPS‟ Certificate of Registration and Business Name secured by his wife Lourdes B. Racho. Yet,
said certificate did not operate as a license to engage in any kind of business, much more a proof of its
establishment and operation. Even assuming that said businesses exist, petitioner should have similarly
reported his interest therein in his SALN.” (Nieto A. Racho vs. Hom. Primo C. Miro, in his capacity as Deputy
Ombudsman for the Visayas, Hon. Virginia Palanca-Santiago, in her capacity as Ombudsman Director, and
Hon. Antonio T. Echavez, in his capacity as Presiding Judge of the Regional Trial Court-Cebu City, Branch 8,
G.R. Nos. 168578-79, 30 September 2008).
148
Webb vs. De Leon, G.R. No. 121234, 23 August 1995; Boiser vs. People of the Philippines, G.R. No. 180299,
31 January 2008.
149
Carabeo vs. Court of Appeals, et. al., G.R. Nos. 178000 and 178003, 4 December 2009 citing Ombudsman
vs. Valeroso, G.R. No. 167828, 2 April 2007.
150
151
Montemayor vs. Bundalian, G.R. No. 149335, 1 July 2003.
152
6th Asian Organization of Supreme Audit Institutions (ASOSAI) Research Project , “IT Audit Guidelines”,
September 2003.
153
IEC/ISO 31010, Edition 1.0, 2009-11, Risk Management – Risk Management Techniques.
154
United Nations Industrial Development Organization (UNIDO), “UNIDO Competencies”, 2002.
155
156
157
158
Cometa vs. Court of Appeals, G.R. No. 126005, 21 January 1999.
159
Sevilla vs. Cardenas, G.R. No. 167684, 31 July 2006.
160
Destreza vs. Plazo, G.R. No. 176863, 30 October 2009.
161
Section 1 of Administrative Order No. 70, s. 2003.
162
Section 38(1) Chapter 7, Book IV, the Administrative Code of 1987.
163
164
165
166
Item 8.5.2, Government Quality Management Systems Standards (GQMSS).
167
Item 8.5.2,, Government Quality Management Systems Standards (GQMSS).
168
Section 124, PD 1445 “Government Auditing Code of the Philippines”, 11 June 1978.
169
Subtitle D (The Commission on Audit), Article IX (Constitutional Commission), 1987 Constitution.
170
Sec. 11, Chapter 4, Subtitle B (Commission on Audit), Book V, EO 292, “Administrative Code of 1987”, 25
July 1987.
171
Mamaril vs. Domingo, G.R. No. 100284, 13 October 1993.
172
Section 1, Chapter 1, Subtitle B – The Commission on Audit, Book V, EO 292 Administrative Code of 1987.
173
Section 32 and 33, Commission on Audit (COA) Circular No. 368-91 dated 19 December 1991, “Government
Auditing Standards and Procedures and Internal Control System”.
174
Reinstituting Selective Pre-Audit on Government Transactions, 18 May 2009.
175
Section 3, Chapter 1, Title XVII, Book IV, EO 292, “Administrative Code of 1987”, 25 July 1987.
176
Chapter 6, Book VI, EO 292, “Administrative Code of 1987”, 25 July 1987.
177
G.R.No.153266, 18 March 2010.
178
“Directing the Strengthening of the Internal Control Systems of Government Offices, Agencies, Government-
Owned or Controlled Corporations and Local Government Units in Their Fiscal Operations”.
179
“Section 6. Authority and Responsibility of the Secretary. – The authority and responsibility for the exercise of
the mandate of the Department and for the discharge of its powers and functions shall be vested in the
Secretary, who shall have supervision and control of the Department.” Chapter 2, Book IV, EO 292
“Administrative Code of 1987”.
180
Section 2 (2), Article IX –D Constitutional Commissions – The Commission on Audit, 1987 Philippine
Constitution.
282
181
Section 10 (3), Chapter 4 – Jurisdiction, Powers and Functions of the Commission, Subtitle B – The
Commission on Audit, Title I – Constitutional Commissions, Book V, EO 292 Administrative Code of 1987.
182
Section 12 (3), Chapter 3 – Organization and Functions of the Civil Service Commission, Subtitle A – Civil
Service Commission, Title I – Constitutional Commissions, Book V, EO 292.
183
Section 2, Chapter 1 – General Provisions, Title XVII – Budget and Management, Book IV – The Executive
Branch, EO 292 “Administrative Code of 1987”.
184
Section 3, Chapter 1 – General Provisions, Title XVII – Budget and Management, Book IV – The Executive
Branch, EO 292 “Administrative Code of 1987”.
185
Section 3, Chapter 2 – Budget Policy and Approach, Book VI – National Government Budgeting, EO 292
“Administrative Code of 1987”.
186
Commission on Appointments vs. Celso M. Paler, G.R. No. 172623, March 3, 2010 citing Eastern
Telecommunications Philippines, Inc. and Telecommunications Technologies, Inc. vs. International
Communication Corporation, G.R.No. 135992, January 31, 2006.
187
Eastern Telecommunications Philippines, Inc. and Telecommunications Technologies, Inc. vs. International
Communication Corporation, G.R.No. 135992, January 31, 2006.
188
G.R. No. 131392, February 6, 2002.
189
G.R. No. 112399, July 14, 1995.
190
City Government of Makati vs Civil Service Commission, G.R. No. 131392, February 6, 2002.
191
G.R.No.153266, 18 March 2010.
192
Section 12 (5), Chapter 3 – Organization and Functions of the Civil Service Commission, Subtitle A – Civil
Service Commission, Title I – Constitutional Commissions, Book V, EO 292.
193
Section 1(d), Rule II – Jurisdiction and Powers of the Commission on Audit, The 2009 Revised Rules of
Procedure of the Commission on Audit.
194
“Authority of the General Counsel/Director, Legal Office, this Commission to render legal opinion on legal
issues and queries elevated by management of auditee-agencies, heads of COA offices and heads of
auditing units”, February 7, 1996.
195
“Section 11. The Legal Office. The Legal Office shall be charged with the following responsibilities: 1. Perform
advisory and consultative functions and render legal services with respect to the performance of the functions
of the Commission and the interpretation of pertinent laws and auditing rules and regulations; x x x .”
196
Government Auditing Code of the Philippines, June 11, 1978.
197
“Section 7. Central Offices. – The Commission shall have the following central offices: x x x (7) The Legal
Office shall be heeded by a General Counsel with the rank and privileges of a director and which shall
perform the following functions: (a) Perform advisory and consultative functions and render legal services with
respect to the performance of the functions of the Commission and the interpretation of the pertinent laws and
regulations; x x x.”
198
“Authority of the General Counsel/Director, Legal Office, this Commission to render legal opinion on legal
issues and queries elevated by management of auditee-agencies, heads of COA offices and heads of
auditing units”, February 7, 1996.
199
6th Asian Organization of Supreme Audit Institutions (ASOSAI) Research Project , “IT Audit Guidelines”,
September 2003.
200
Black‟s Law Dictionary, 6th Edition, (1891-1991) citing Midtown Properties, Inc. v. George Richardson, Inc.
139 Ga.App. 182, 228 S.E.2d 303, 307 and Balfour v. State, Ind. 427 N.E.2d 1091, 1094.
201
Air France vs. Carrascoso, G.R. No. L-1438, 28 September 1966.
202
203
204
Sec. 8, Ch. 3, Title V (DPWH), Bk. IV, EO 292, The “Administrative Code 1987” and Sec. 123, PD 1445
“Government Auditing Code of the Philippines”.
205
CSC MC No. 12, s. 2003, “Revised Policies on Qualification Standards”.
206
ISO 31000:2009, Risk management-Principles and guidelines.
283

Internal Audit Manual

Uploaded by

Copyright:

Available Formats

Internal Audit Manual

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Internal Audit Manual

Uploaded by

Copyright:

Available Formats

PREFACE

Internal audit, a component of the internal control system, is a strategic function in

As a component of the performance management framework of Departments/

The Philippine Government Internal Audit Manual (PGIAM) was developed to

Part II – Practices contains user-friendly tools, techniques, and approaches in

CHAPTER I - CONCEPTS AND PRINCIPLES

CHAPTER II - INTERNAL CONTROL SYSTEM AND

CHAPTER III - ORGANIZING THE INTERNAL AUDIT..........................51

CHAPTER IV - PERFORMANCE MONITORING AND

CHAPTER I - STRATEGIC AND ANNUAL WORK PLANNING..............76

2. Prepare the Annual Work Plan............................................................................107

CHAPTER II - AUDIT PROCESS..........................................................112

CHAPTER III - INTERNAL AUDIT PERFORMANCE

PGIAM AMENDMENT PROTOCOL......................................................158

Appendix B : Skills, Related Knowledge, Attributes and Other

Appendix C : Qualification Standards and Functions of the Head

Appendix D : Diagram and Flowcharts of Internal Audit Key Process................183

D.1 Flowcharting symbols...................................................................................183

D.11. 1 Performance Monitoring by Head of Internal Audit (HoIA).....214

D.11.4. 1 Commission on Audit (COA) on Matters of COA Rules

Appendix E : Internal Control Questionnaire............................................................226

E. 1 Instructions for Completion............................................................................226

Appendix F : Types of Sampling............................................................................264

To complement the implementation of the National Guidelines on Internal Control

In October 2008, the Department of Budget and Management

Following the provisions of the Constitution, the Government

To achieve these objectives, five interrelated internal control components as

CONCEPTS AND PRINCIPLES OF

Internal audit is the evaluation of management controls and operations

Internal audit, being a separate component of internal control, is instituted to

2. Legal Bases for Internal Audit

a. Republic Act No. 3456 (Internal Auditing Act of 1962), as amended by RA

b. Presidential Decree No. 1 (Reorganizing the Executive Branch of the

e. Section 1 of Administrative Order No. 119 dated 29 March 1989, mandated

f. Memorandum Order No. 277 dated 17 January 1990, Directing the

g. Administrative Order No. 278 (Directing the Strengthening of the Internal

h. Administrative Order No. 70 (Strengthening of the Internal Control Systems

j. DBM - Civil Service Commission Joint Resolution No. 1 (Rationalization

m. DBM Circular Letter No. 2008-05 (Guidelines in the Organization and

3. Scope of Internal Audit

Internal audit is an integral part of the internal control system of public

Among others, internal audit encompasses the appraisal of the adequacy of

Pursuant to the Administrative Code of 1987, and as reiterated in the

a. Advise the DS/HoA or in the case of GOCCs/GFIs, the Governing Body

b. Conduct management and operations audits of Department/

c. Review and appraise systems and procedures, organizational structures,

d. Analyze and evaluate management deficiencies and assist top

e. Perform such other related duties and responsibilities as may be

4.1 Compliance Audit

Compliance audit is the evaluation of the degree of compliance with laws,

Components of Established Criteria/

2) Laws and their IRR

2) Risk Assessment Design

Figure 1 - Compliance Audit Flow Diagram

4.2 Management Audit

Management audit is a separate evaluation of the effectiveness of internal

It is a review and appraisal of the systems and processes, organizational and

Management audit may encompass a comprehensive and thorough

1) Control Environment 1) Safeguard Assets

Figure 2 - Management Audit Flow Diagram