Risk-based Auditing 2015

(1)

Risk Based Audit Approach: Understanding Risk, Internal Controls and the Risk Based Audit Approach

8 June 2015

Joseph Ian M. Canlas

Partner

Leonardo J. Matignas, Jr.

(2)

2

Risk Assessment - Concept

Relevant Regulatory Developments & Impact

Understanding Internal Control Concepts

Internal Control – COSO Integrated Framework 2013

Risk Based Audit Approach:

Internal Audit

External Audit

(3)

At the end of this training, participants are expected to:

• Understand basic concepts about risk, internal controls and the risk-based audit approach.
• Gain a basic understanding of internal control principles under the COSO Internal Control - Integrated Framework 2013.
• Recognize the need for a risk-based audit approach to continually address risks due to a changing business environment and to manage stakeholder expectations.

(4)

4

(5)

Risk Assessment - Concept

Relevant Regulatory Developments & Impact

Understanding Internal Control Concepts

Internal Control – COSO Integrated Framework 2013

Risk Based Audit Approach:

Internal Audit

External Audit

(6)

6

From a paper presented by EJ Smith, the first & last Captain of RMS Titanic

(7)

“When anyone asks me how I can describe my experience of nearly forty years at sea, I merely say uneventful. Of course there have been winter gales and storms and fog and the like, but in all my experience, I have never been in an accident of any sort worth speaking about… I never saw a wreck and have never been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort.”

(8)

8

1. Misplaced objectives: disregard for safety considerations in the excitement to break a record
2. Safety measures compromised in design: sealed compartments not effective enough to handle damage of this magnitude
3. Responsibilities not clear: the new ship had a crew whose individual responsibilities were not clear
4. Information overlooked: the iceberg warnings that were received were overlooked
5. Inadequate contingency plans: not enough safety boats, for improved aesthetics

(9)

Lessons learnt

• Setting strategic objectives with clear ‘consideration’ for risk management
• Thorough evaluation of the mitigation measures
• Clear communication of roles and responsibilities
• Contingency planning - ‘Knowing’ what can go wrong and ‘Having’ appropriate mitigation measures in place
• Effective monitoring and thorough analysis of the risk indicators

(10)

10

“A business risk is a threat that an event or action will adversely affect the Company’s ability to achieve its business objectives and maximize stakeholder value.”

or

“What keeps the Board and Management awake at night?”

(11)

Attributes of Business Risk

• Could be existing
• Could be emerging (has a potential of happening)
• Presents an exposure to both tangible and intangible assets
• Can arise from the external environment, from internal processes and from the lack of information for decision making
• Presents an exposure (downside) if not managed or a potential opportunity (upside) if managed well

How can we use these to our advantage?

(Figure: the company’s goal, objectives and strategy set against its business risks, external and internal: “What will not allow the company to succeed?”)

(12)

12

Business Objectives and Strategies → Key Business Risks → Business Processes

Steps: Link Business Objectives to Risks; Evaluate the significance of the risk to business objectives; Link Risks to Business Processes; Evaluate Management and Control Activities.

Business objectives and strategies (examples): Expand Product Offering; Expand into New Markets; Maximize Return on Capital; Maximize Benefits from Technology Investments; Achieve Cost Optimization; Optimize Operating Efficiency; Retain Top Performers; Earnings and Operating Margins; Asset and Capital Management; Revenue and Market Share; Reputation and Brand; Deliver Superior Customer Service; Enhance Quality Product

Key business risks (examples): Economic Conditions; Raw Material Price Volatility; Interest Rate Volatility; International Expansion; New Product Development; Environmental Regulation; IT Infrastructure Capacity; Key Supplier Dependence; Recruitment & Retention; Customer Migration; Regulatory Compliance; Health/Pension Costs; Joint Venture Partnerships; Business Continuity; Intellectual Property; Evolving Global Economy

Business processes (examples): New Product Development; Gain New Business; Procurement; Production; Distribution; Customer Support

(13)

Risk Management is a set of coordinated activities to direct and control an organization with regard to risk. - ISO 31000

(14)

14

Risk Assessment

• Identify risks
• Prioritize risks

• To provide management with a venue to identify and assess the impact of significant business risks that may threaten business objectives.
• To identify the key risks that will be given audit focus in the audit plan.
• To focus the audit work on the critical business risks of the Company.

(15)

Management is primarily responsible to identify, measure, prioritize and manage risk

Internal Audit can facilitate the risk assessment process and should use the results for determining the audit focus

(16)

16

• Better Knowledge of the Business
• Better, More Timely Information on Risks
• More Knowledge of the Impact of Risks on the Business
• Better Awareness of What is Implementable

(17)

Environment Risks
• Exposures to fraud or money laundering activity
• Unsafe working conditions resulting in accidents
• Technology becoming obsolete

Process Risks
• Adequate levels of inventory are not maintained
• Inadequate resources, staffing or untimely staff changes

Information for Decision Making Risks
• Poor or failed communication
• Pressure to meet expectations set by key holders

(18)

18

Enterprise Risk Management Process

• Establish RM goals and objectives, and RM oversight structure
• Develop common language
• Assess business risks
• Develop RM strategies
• Monitor RM process
• Continuously improve RM process

(19)
(20)

20

Risk Management Framework Comparison

(Figure: ISO 31000 Risk Management – Process for Managing Risk, with Communicate and Consult alongside the process steps)

(21)

Enterprise Risk Management Process

• Establish RM goals and objectives, and RM oversight structure
• Develop common language
• Assess business risks
• Develop RM strategies
• Monitor RM process
• Continuously improve RM process

(22)

22

• Survey Questionnaires
• Interviews
• Brainstorming Sessions
• Filtering Issues to Identify Business Risks
• Developing a Common Risk Language

(23)

Risk Prioritization

Facilitate a risk assessment session with management.

(Figure: Risk Map plotting the following risks: Competitor Risk, Regulatory Risk, Technology Risk, Product/Service Failure, Business Interruption Risk, Customer Satisfaction, Human Resources, Customer Wants, Capacity Risk, Credit Default Risk, Partnering Risk)

(24)

24

Sample Consideration in Determining the Significance of the Risk

If the risk happens, how significant will the impact be to the

(25)

Sample Consideration in Determining the Likelihood of the Risk

What is the probability of the risk happening, over the next 5 years (without us consciously doing something to

(26)

26

Identification of Risks for Audit Focus

(Figure: the risks from the Risk Map: Competitor Risk, Regulatory Risk, Technology Risk, Product/Service Failure, Business Interruption Risk, Customer Satisfaction, Human Resources, Customer Wants, Capacity Risk, Credit Default Risk, Partnering Risk, with a subset marked RISKS FOR AUDIT FOCUS)

• Identify risks for audit focus
• Agree with management on risks to be covered by internal audit

(27)

Risk Assessment - Concept

Relevant Regulatory Developments & Impact

Understanding Internal Control Concepts

Internal Control – COSO Integrated Framework 2013

Risk Based Audit Approach:

Internal Audit

External Audit

(28)

28

Relevant Regulatory Developments & Impact

The regulatory environment continues to evolve and gain maturity.

Philippine Corporations (Specific Regulations):
• SEC MC 2, 2002 – Code of Corporate Governance
• SEC MC 6, 2009 – SEC Revised Code of Corporate Governance
• 2010 PSE Corporate Governance Guidelines for Listed Companies

Global Regulations:
• USA: SOX 404
• Japan: J-Sox
• Basel II
• Others

Primary Objectives:
• Increased investors’ trust
• Increased management responsibility and accountability
• Increased transparency
• Reduce number of financial surprises and related business failures

(29)

Corporate Governance Framework

Corporate governance is the system, including objectives, rules and procedures, by which business corporations are directed and controlled.

or simply…

It is about doing the right things for the shareholders and stakeholders in a business.

(30)

30

PSE Memorandum No. 2010-0574

PSE Guidelines for a “Well-governed Company”

1. Develops and executes a sound business strategy.
2. Establishes a well-structured and functioning board.
3. Maintains a robust internal audit and control system.
4. Recognizes and manages enterprise risks.
5. Ensures the integrity of its financial reports as well as its external auditing function.
6. Respects and protects the rights of its shareholders, particularly those that belong to the minority or non-controlling group.
7. Adopts and implements an internationally-accepted disclosure and transparency regime.
8. Respects and protects the rights and interests of its employees, community, environment, and other stakeholders.
9. Does not engage in abusive related-party transactions and insider trading.
10. Develops and nurtures a culture of ethics, compliance & enforcement.

Source: The Philippine Stock Exchange Official Website

(31)

4. Recognizes and manages enterprise risks.

“An Enterprise-wide Risk Management system should be in place and properly functioning in a transparent manner.”

• Have board oversight
• Seek external support
• Disclose risk information and how these are managed
• Establish risk management unit
• Prepare formal risk management policy
• Have ERM activities in accordance with internationally recognized frameworks

(32)

32

Risk Assessment - Concept

Relevant Regulatory Developments & Impact

Understanding Internal Control Concepts

Internal Control – COSO Integrated Framework 2013

Risk Based Audit Approach:

Internal Audit

External Audit

(33)

ACTIVITY 1:

SUPERMARKET RISKS &

CONTROLS

(34)

34

Purpose:

To identify the key business risks and the related controls of a supermarket

Case Facts:

ABC Supermarket is a large, leading supermarket that offers almost everything you need. This particular supermarket is a part of a large chain of supermarkets that includes approximately 30 supermarkets in total.

Instructions:

• Review the supermarket lay-out on the following page
• Identify the related risks and controls that will mitigate the key risks identified
• Be prepared to discuss your answers with the group

(35)

(Figure: supermarket lay-out showing the following areas: Toiletries, Cosmetics, Snacks, Household Consumables, Canned Goods, International Goods, Wet Goods, Dairies / Cold Drinks, Fruits / Vegetables, Fresh Produce, Drinks, Books and Magazines, Stockroom, Entrance/Exit, Manager's Office, Customer Service, Stall #1 to Stall #4, Package Counter, Counter #1 to Counter #3, Restrooms)

(36)

36

Internal Control - Defined

Understanding the concepts of internal control

“Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.”

(37)

Process

A planned series of steps, activities and actions designed to yield a predictable and desired outcome.

(Figure: sample GL journal process flowchart with the steps Start, Enter/Fix GL Journal, Submit Journal for Approval, Approved?, Post Journal, JE Saved to Database, Review Ledger Report, End)

(38)

38

People

• Establish control mechanisms
• Work within the established control mechanisms
• Make control mechanisms succeed or fail

(39)

Reasonable Assurance

(Figure: reasonable assurance shown against a 100% scale)

(40)

40

(Figure: Internal Accounting Control and Business Controls)

(41)

Myth: Controls are documented.
Reality: The best control is the culture created by management.

Myth: Controls are a necessary evil.
Reality: Controls are actions taken by management to help the company achieve its objectives.

Myth: Controls are the responsibility of the auditors.
Reality: Controls are the responsibility of management. The auditor’s role is to assess the adequacy and effectiveness of the company’s overall internal control system.

Myth: As we streamline and empower, we relinquish control.
Reality: As we streamline and empower, we apply different forms of control.

(42)

42

OLD PARADIGM → NEW PARADIGM

• Only auditors are concerned about risk and controls → Everyone is concerned about risk and controls
• Fragmentation → Focused and coordinated
• No risk policy → Formal risk policy
• Inspect, detect, react → Anticipate, prevent, monitor
• Only “hard” tangible controls are evaluated → Both “hard” tangible and “soft” intangible controls must be evaluated

(43)

Risk Assessment - Concept

Relevant Regulatory Developments & Impact

Understanding Internal Control Concepts

Internal Control – COSO Integrated Framework 2013

Risk Based Audit Approach:

Internal Audit

External Audit

(44)

44

Overview of internal control

Internal control is …

• Geared to the achievement of objectives: in one or more categories, operations, compliance and reporting
• A process consisting of ongoing tasks and activities: a means to an end, not an end in itself
• Effected by people: not merely about policy and procedures manuals, systems and forms but about people and the actions they take
• Able to provide reasonable assurance, but not absolute assurance, to an entity’s senior management and board of directors
• Adaptable to the entity structure: flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process

(45)

Types of controls

Preventive controls

Per COSO IC-IF 2013:
Designed to avoid an unintended event or result at the time of initial occurrence.

Per layman’s:
Designed to prevent or mitigate something from going wrong so that an error and/or irregularity can be avoided.

Examples:
• Authorization of payments prior to processing
• Customer credit limit checks
• Restricting user access to IT systems
• Advance approval of supervisor before overtime occurs
• Completion of checklist for updating the master data

(46)

46

Types of controls

Detective controls

Per COSO IC-IF 2013:
Designed to discover an unintended event or result after the initial processing has occurred but before the ultimate objective has concluded.

Per layman’s:
Designed to detect and correct in a timely manner an error or irregularity that would materially affect the achievement of the Company’s objectives.

Examples:
• General ledger to subsidiary ledger reconciliations
• Budget vs. actual comparisons
• Review of exception reports
• Quality inspection
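The two slides above give one preventive example (authorization of payments prior to processing) and one detective example (general ledger to subsidiary ledger reconciliation). The following is an added example, not code from the deck or its authors, that implements both over a small payments process so the difference in timing is visible: the preventive control blocks a payment before anything is posted, while the detective control only finds a discrepancy after the fact. The payments, the approver roles, their limits and the ledgers are all constructed for this example.

```python
"""Added example (not from the slides): one preventive and one detective
control over a small payments process, in the sense the two slides above use
the terms.  The payments, approval limits and ledgers are constructed for
this example; the role names and limits are assumptions, not a standard."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional

# Assumed approval limits per approver role (constructed for the example).
APPROVAL_LIMITS: Dict[str, Decimal] = {
    "supervisor": Decimal("10000"),
    "controller": Decimal("250000"),
}


@dataclass
class Payment:
    pay_id: str
    requester: str
    amount: Decimal
    approver: Optional[str] = None
    approver_role: Optional[str] = None


class ControlViolation(Exception):
    """Raised when the preventive control blocks a payment before processing."""


def authorize_payment(p: Payment) -> None:
    """Preventive control: 'authorization of payments prior to processing'.

    Rejects the payment unless (1) an approval is recorded, (2) the approver
    is not the requester (segregation of duties) and (3) the amount is within
    the approver's role limit.  Nothing is posted if any check fails."""
    if p.approver is None or p.approver_role is None:
        raise ControlViolation(f"{p.pay_id}: no approval recorded")
    if p.approver == p.requester:
        raise ControlViolation(f"{p.pay_id}: requester may not approve own payment")
    limit = APPROVAL_LIMITS.get(p.approver_role)
    if limit is None or p.amount > limit:
        raise ControlViolation(
            f"{p.pay_id}: {p.amount} exceeds the {p.approver_role} limit")


def process_payments(payments: List[Payment], gl: Dict[str, Decimal],
                     sub_ledger: Dict[str, Decimal]) -> List[str]:
    """Posts only the payments that pass the preventive control to both the
    subsidiary ledger (one line per payment) and the GL control account.
    Returns the rejection messages for the payments that were blocked."""
    rejected: List[str] = []
    for p in payments:
        try:
            authorize_payment(p)
        except ControlViolation as exc:
            rejected.append(str(exc))
            continue
        sub_ledger[p.pay_id] = p.amount
        gl["accounts_payable"] = gl.get("accounts_payable", Decimal(0)) + p.amount
    return rejected


def reconcile(gl: Dict[str, Decimal], sub_ledger: Dict[str, Decimal]) -> Decimal:
    """Detective control: 'general ledger to subsidiary ledger reconciliation'.

    Runs after processing and returns the unexplained difference between the
    GL control account and the sum of the subsidiary ledger; zero means the
    two agree, anything else is an exception to be followed up."""
    sub_total = sum(sub_ledger.values(), Decimal(0))
    return gl.get("accounts_payable", Decimal(0)) - sub_total


def run_demo() -> Dict[str, object]:
    """Constructed scenario: five payment requests, three of which the
    preventive control blocks; then a direct GL adjustment that bypasses the
    sub-ledger, which only the detective control catches."""
    payments = [
        Payment("P1", "alice", Decimal("5000"), "bob", "supervisor"),     # ok
        Payment("P2", "alice", Decimal("2000"), "alice", "supervisor"),   # self-approval
        Payment("P3", "carol", Decimal("50000"), "bob", "supervisor"),    # over limit
        Payment("P4", "carol", Decimal("50000"), "dave", "controller"),   # ok
        Payment("P5", "erin", Decimal("100")),                            # no approval
    ]
    gl: Dict[str, Decimal] = {}
    sub_ledger: Dict[str, Decimal] = {}
    rejected = process_payments(payments, gl, sub_ledger)
    diff_before = reconcile(gl, sub_ledger)          # Decimal('0'): ledgers agree
    # A manual journal posted straight to the control account, with no
    # matching sub-ledger entry: the preventive control never sees it.
    gl["accounts_payable"] += Decimal("1500")
    diff_after = reconcile(gl, sub_ledger)           # Decimal('1500'): exception
    return {"rejected": rejected, "posted": sorted(sub_ledger),
            "diff_before": diff_before, "diff_after": diff_after}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the scenario is the last step: the adjustment posted straight to the control account is a legitimate kind of entry that the payment authorization never sees, which is why a reconciliation is still needed after a preventive control is in place.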

(47)

Nature of controls

Manual
• Performed by individuals outside of the system or application
• Examples: Independent review of general ledger reconciliations; Manual authorization of employee expense reports

IT-dependent manual
• Both manual and IT output are combined
• Relies on system generated information or functionality for its effectiveness
• Examples: Review and follow-up of exceptions on a payroll exception report; System-generated sales orders that require manual approval from the controller

Automated
• Performed by a system or incorporated into an application logic
• Examples: Automated three-way match (e.g., purchase order vs. invoice vs. delivery receipt); Data input validation checks (e.g., valid country code); Restricted user access (e.g., username and password)

(48)

48

Frequency of controls

• Ongoing: Firewall
• Daily/multiple times per day: 3-way match
• Monthly: Review of general ledger reconciliations
• Quarterly
• Annually: Review of accounting policies
• Ad hoc / As required: Authorization of back pay to employees

(49)

COSO’S INTERNAL CONTROL PUBLICATIONS - COSO IC-IF 2013 at a glance

(Figure: timeline 1992, 2006, 2009, 2013, 2014, 2015; 15 Dec 2014: old framework will be superseded by new framework)

(50)

50 PICPA – Risk Based Audit Approach

WHAT IS COSO IC-IF 2013?

1992 Internal Control - Integrated Framework:
• Gained broad public acceptance; widely recognized as the leading framework
• Responded to dramatic changes in business and operating environments
• Underwent a significant multiyear update project in 2010

COSO Internal Control - Integrated Framework 2013

(51)

Reasons for updating COSO IC-IF 1992

Changes in Business and Operating Environments:
• Demands and complexities in laws, rules, regulations, and standards
• Expectations relating to preventing and detecting fraud
• Changes and greater complexities of business
• Use of, and reliance on, evolving technologies
• Globalization of markets and operations
• Expectations for governance and oversight
• Expectations for competencies and

(52)

52

KEY AREAS PER COSO IC-IF 2013

1. Control Environment
   1. Organization demonstrates commitment to integrity and ethical values
   2. Board of directors demonstrates independence from management and exercises oversight responsibility
   3. Management, with board oversight, establishes structure, authority and responsibility
   4. The organization demonstrates commitment to competence
   5. The organization establishes accountability

2. Risk Assessment
   6. Specifies relevant objectives with sufficient clarity to enable identification of risks
   7. Identifies and assesses risk
   8. Considers the potential for fraud in assessing risk
   9. Identifies and assesses significant change that could impact system of internal control

3. Control Activities
   10. Selects and develops control activities
   11. Selects and develops general controls over technology
   12. Deploys control activities through policies and procedures

4. Information & Communication
   13. Obtains or generates relevant, quality information
   14. Communicates internally
   15. Communicates externally

5. Monitoring
   16. Selects, develops and performs ongoing and separate evaluations
   17. Evaluates and communicates deficiencies in a timely manner

(53)

Risk Assessment - Concept

Relevant Regulatory Developments & Impact

Understanding Internal Control Concepts

Internal Control – COSO Integrated Framework 2013

Risk Based Audit Approach:

Internal Audit

External Audit

(54)

54

RBPF framework

(Figure: the RBPF framework cycle. Understand: Co-develop expectations, Understand the organization. Assess: Assess the risks. Plan: Develop annual plan. Deliver: Perform the engagement, Communicate the result. Monitor: Monitor the progress, Communicate the result. Across all phases: Quality Assurance (Supervise the engagement, Quality and improvement program) and Document.)

(55)

RBPF framework: Co-develop expectations

1. Communicate the value of IA
2. Understand and agree the expectations of the stakeholders

(56)

56

RBPF framework: Understand the organization

1. Understand organization strategy and objectives
2. Understand business environment
3. Understand relevant processes
4. Understand control environment

(57)

• To focus audit priorities on important aspects of the business
• To identify business risks
• To be able to make recommendations that focus on the elements critical to the Company’s business

(58)

58

1. Revisit: Mission, Vision, Values, Mandates, Strategy (Charter, Manuals, Policies, Procedures)

The purpose of this activity is to:
• have a preliminary understanding of the strategic goals and the corresponding risks that the organization might be facing
• identify and clarify the imposed regulations of the organization to properly serve the stakeholders

2. Set expectations meeting with stakeholders to align their needs to the annual internal audit plan as well as communicate to them the internal audit functions.

(59)

A process is a group of logically related activities that transform inputs into outputs.

The process owner is a person who is responsible for the process.

(60)

60

3. Understand relevant processes

Why do we need to understand the business processes?

• To enhance our understanding of the business by seeing it similar to how management does.
• To identify processes where inherent business risks can be sourced.
• To assist the IA function in designing an effective and efficient audit plan.

(61)

But how…?

• Meet with management to confirm or gain an understanding of the key processes and sub-processes
• Understand the objectives and key performance measures for the process
• Consider the complexity of the IT environment supporting the process

(62)

62

3. Understand relevant processes

Process hierarchy: Mega process → Major process → Sub-process → Activity

• Mega process: highest level of processes; its purpose relates to accomplishment of the overall mission of the business
• Major process: subdivision of a mega process; represents a collection of sub-processes
• Sub-process: subdivision of a major process; represents a collection of activities
• Activity: unit of work performed by one job function and at one time with one mode of operation at the same location

(63)

(SAMPLE ONLY)

MEGA Processes: Gain new business; Manufacturing; Marketing and Advertising; Procurement; Distribution; Finance and Accounting

MAJOR Processes (under Finance and Accounting): Accounts Receivable; Accounts Payable; Payroll; Budgeting and Financial Reporting

SUB-processes (under Accounts Receivable): Recording receivables; Managing aging of receivables; Managing collection of receivables

ACTIVITY: Process customer receipts; Follow-up customer overdue debt

(64)

64

3. Understand relevant processes

(65)

Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.

1. Demonstrates commitment to integrity and ethical values
2. Board of Directors demonstrates independence from management and exercises oversight responsibility
3. Management, with Board oversight, establishes structure, authority and responsibility
4. The organization demonstrates commitment to competence
5. The organization establishes and enforces accountability

(66)

66

Component: Control Environment
Principle: Demonstrates commitment to integrity and ethical values
Approach/Point of Focus: Establishing Standard of Conduct; Communicating and reinforcing the accountability for responsible conduct for all personnel
Example Activity: Send Code of Conduct to all employees and third parties acting on behalf of the Company; Post Code of Conduct to the Company’s website; Require all employees to complete periodic interactive web-based training

(67)

RBPF framework: Assess the risks

1. Identify risks
2. Prioritize risks

(68)

68

Risk self-assessment (RSA) is a structured process to identify and prioritize business risks within the company or a specific business process within the company.

Identify the risks → Risk universe; Relevant risks
Prioritize the risks → Top risks; Risk profile

(69)

Roadmap to assess the risks

Comparison of entity and process level RSA

1. Entity level
Entails a comprehensive look at those business risks that affect the organization as a whole.
Purpose:
• Assist management in the execution of their overall risk management process.
• Develop a common language for understanding risks within the organization.
• Drive the development of the annual risk based IA plan.

2. Process level
Entails a comprehensive look at those risks that affect one specific process.
Purpose:
• Focus the efforts of the IA procedures within a specific process audit.
• Ensure that process owner concerns were considered in developing the audit plan.

(70)

70

1. Identify risks

In identifying risks, consider relevant information gathered from the Understand the Business and Control Environment part of the methodology:

INPUT:
• Business Analysis Framework (BAF)
• Organizational Control Assessment
• Customized Process Classification Scheme

PROCESS (transform inputs into output):
• On-line, interactive questionnaires (surveys)
• Facilitated meetings, with voting technology
• Facilitated meetings
• Questionnaires
• Interviews

OUTPUT:
• Risk universe
• Relevant risks

(71)

1. Identify risks

(72)

72

2. Prioritize risks

Criteria

1. Severity of impact
If the risk happens, how much will it affect the company?

2. Likelihood of occurrence and frequency
How likely is the risk to happen?

3. Opportunity for Risk Management Improvement (ORMI)
Is there room for the company to improve on its existing risk management strategies/controls?

(73)

2. Prioritize risks

(Figure: funnel from the Initial Risk Universe to the Initial Risk Profile to the Most Critical Risks)

(74)

74

RBPF framework: Develop annual plan

1. Identify and validate audit universe
2. Prioritize auditable areas
3. Identify resource requirements
4. Obtain approval

(75)

Road map to develop annual plan

Step 1. Identify and validate audit universe
INPUT: Risk universe; Process universe; Location universe
OUTPUT: Validated audit universe

Step 2. Prioritize auditable areas
INPUT: Date and results of last audit; Request by Management; Other considerations
OUTPUT: Prioritized auditable areas

Step 3. Identify resource requirements
INPUT: Available resources
OUTPUT: Draft audit plan

Step 4. Obtain approval

(76)

76

1. Identify and validate audit universe

INPUT: Risk universe; Process universe; Location universe
OUTPUT: Validated audit universe

Audit Universe refers to risks and processes that could be targeted for the audit. Risks and processes may also be organized and referred to by locations.

1. Obtain different universes (e.g., risk universe, process universe and location universe) from stakeholders.
2. Map the risks in the processes.
3. Identify the location of the processes.
4. Present and validate audit universe to IA function, management and oversight committee.

(77)

1. Identify and validate audit universe

1. Obtain different universes such as:
a. Risk universe
b. Process universe
c. Location universe

Risk universe could originate from the entity level perspective down to the business unit level: Management, IA and committee risk universe; Business units risk universe; Enterprise risk management risk universe.

(78)

78

1. Identify and validate audit universe

1. Obtain different universes such as:
a. Risk universe
b. Process universe
c. Location universe

Process universe is the list of processes within the Company that will be subjected to audit by the IA function, while location universe is the list of all the locations of the Company such as head office, regional office and international office.

Sample location universe:
1. Head office
2. Satellite or regional office
3. International office

(79)

2. Map the risks in the processes

Using the process universe, identify the risks associated with that specific process. Risks could be existing or emerging, internal or external and tangible or intangible. Note that not all risks are auditable.

(SAMPLE ONLY) Risk columns: Regulatory, Political, Contract compliance, Fraud, Planning and budgeting

Process / Auditable areas   Risks marked
Sales and marketing         x x x x
Customer service            x
Project development         x x
Human resource              x

(80)

80

3. Identify the location of the processes.

Determine if the processes exist in the different locations of the Company.

(SAMPLE ONLY) Risk columns: Regulatory, Political, Contract compliance, Fraud, Planning and budgeting. Location columns: Head office, Regional or satellite office, International office

Process / Auditable areas   Risks marked   Locations marked
Sales and marketing         x x x x        x x x
Customer service            x              x
Project development         x x            x
Human resource              x              x x

4. Present and validate audit universe to different business units, management and oversight committee.

(81)

2. Prioritize auditable areas

INPUT: Date and results of last audit; Request by Management; Other considerations
OUTPUT: Prioritized auditable areas

The criteria for prioritizing the auditable areas may include but are not limited to the following:

• Number and criticality of risks
• Number and complexity of the location
• Date and results of last audit
• Financial exposure
• Request by Management
• Major changes in operations
• Business complexity
• Probability that major improvement for the auditable area is needed

(82)

82

Legend:
H - High, M - Medium, L - Low; C - Complex, SC - Semi-complex, NC - Not complex; CD - Cannot determine

Note:
- Financial exposure may be based on the previous year's record

(SAMPLE ONLY)

Process / Auditable areas | Risk: number and criticality | Location: number and complexity | Date and results of last audit | Financial exposure (in PHP) | Request by management | ERM top risk | Major change in the operation | Priority / Not priority
Sales and marketing | 4 (H) | 3 (C) | 2012 | 2 B | Yes | Yes | Yes | x
Customer service | 1 (M) | 1 (C) | 2010 | 2 B | No | No | Yes | x
Project development | 2 (H) | 1 (C) | None | 1 B | Yes | Yes | Yes | x
Human resource | 1 (H) | 2 (SC) | 2007 | CD | No | No | No | x
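The slides list the prioritization criteria and show the sample table, but not how the columns are turned into a Priority / Not priority decision. The following is an added example, not the deck's own method, that scores the four sample rows against those criteria with a simple weighted sum. The rows are transcribed from the sample table (with CD read as an unknown exposure); the point values for criticality and complexity, the cap on audit age, the PHP-per-point rate, the points per Yes flag and the priority threshold are all assumptions made here for illustration.

```python
"""Added example (not the deck's own method): scoring the deck's SAMPLE ONLY
auditable areas against the prioritization criteria listed on the preceding
slides.  The four rows are transcribed from the sample table; the point
values, the cap on audit age, the PHP-per-point rate, the points per flag
and the priority threshold are assumptions made here for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PLAN_YEAR = 2015                           # the deck is dated 2015
CRITICALITY = {"H": 3, "M": 2, "L": 1}     # assumed points per risk by criticality
COMPLEXITY = {"C": 3, "SC": 2, "NC": 1}    # assumed points per location by complexity
MAX_AUDIT_AGE = 5                          # assumed cap: older audits score no extra
FLAG_POINTS = 2                            # assumed points per Yes flag


@dataclass
class AuditableArea:
    name: str
    risk_count: int
    risk_criticality: str            # H / M / L, as in the legend
    location_count: int
    location_complexity: str         # C / SC / NC, as in the legend
    last_audit_year: Optional[int]   # None = never audited
    exposure_php: Optional[float]    # None = CD (cannot determine)
    requested_by_management: bool
    erm_top_risk: bool
    major_change: bool


def score(area: AuditableArea) -> float:
    """Weighted sum over the criteria; a higher score means audit sooner."""
    s = 0.0
    # Number and criticality of risks
    s += area.risk_count * CRITICALITY[area.risk_criticality]
    # Number and complexity of the location
    s += area.location_count * COMPLEXITY[area.location_complexity]
    # Date of last audit: never audited counts as the maximum age
    age = MAX_AUDIT_AGE if area.last_audit_year is None else PLAN_YEAR - area.last_audit_year
    s += min(max(age, 0), MAX_AUDIT_AGE)
    # Financial exposure: one point per billion PHP; 'cannot determine' gets a
    # conservative single point rather than zero
    s += 1.0 if area.exposure_php is None else area.exposure_php / 1e9
    # Request by management, ERM top risk, major change in the operation
    s += FLAG_POINTS * sum([area.requested_by_management, area.erm_top_risk, area.major_change])
    return s


def prioritize(areas: List[AuditableArea], threshold: float) -> List[Tuple[str, float, bool]]:
    """Returns (name, score, is_priority) sorted from highest to lowest score."""
    ranked = sorted(areas, key=score, reverse=True)
    return [(a.name, score(a), score(a) >= threshold) for a in ranked]


# The deck's sample rows (SAMPLE ONLY on the slide); 'CD' transcribed as None.
SAMPLE_AREAS = [
    AuditableArea("Sales and marketing", 4, "H", 3, "C", 2012, 2e9, True, True, True),
    AuditableArea("Customer service", 1, "M", 1, "C", 2010, 2e9, False, False, True),
    AuditableArea("Project development", 2, "H", 1, "C", None, 1e9, True, True, True),
    AuditableArea("Human resource", 1, "H", 2, "SC", 2007, None, False, False, False),
]

if __name__ == "__main__":
    for name, s, prio in prioritize(SAMPLE_AREAS, threshold=15.0):
        print(f"{name:22s} {s:5.1f}  {'Priority' if prio else 'Not priority'}")
```

With these assumed weights the ranking comes out as Sales and marketing, Project development, Customer service, Human resource; the never-audited and unknown-exposure cases are scored explicitly rather than dropping out of the calculation, which is the part of such a scheme most often left implicit.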

(83)

3. Identify resource requirements

INPUT: Available resources
OUTPUT: Draft audit plan

In determining the resource requirement of the engagements, the IA function may consider the following:

1. Determine the initial type of engagement.
2. Identify the man hours needed to complete the engagement.
3. Check the skill requirements of the engagement.

(84)

84

3. Identify resource requirements

1. Determine the initial type of engagement

Depending on the risk involved, IA shall assess the initial type of engagement to be performed in the corresponding processes and functions involved. IA may perform one or a combination of the following:

a) Compliance evaluation
A review to determine the compliance of the concerned business unit to the policies and procedures including its contents.

b) Performance evaluation
This evaluation pertains to the assessment of performance of personnel and/or third parties (e.g., contracts review).

c) Controls assessment
An assessment with the objective of determining the effectiveness of the control design and its operating application.

(85)

2. Identify the man hours needed to complete the engagement

Timeframe of the engagement may depend on the following:
• Initial type of engagement
• Previous experience
• Known changes (e.g., process owners, process, system)

(SAMPLE ONLY) The prioritization table extended with type of engagement (Compliance evaluation, Performance evaluation, Controls assessment) and man hours needed:

Process / Auditable areas | Priority / Not priority | Type(s) of engagement marked | Man hours needed
Sales and marketing | x | x | 480 hours
Customer service | x | x | 240 hours
Project development | x | x x | 600 hours
Human resource | x | x | 160 hours

(86)

86

3. Identify resource requirements

3. Check the skill requirements of the engagement

The skill set is critical in planning the engagement. It depends on the initial type of the engagement, including its scope and objective. Some of the considerations are as follows:

• Facilitation skills
• Risk management skills
• Communication and change management skills
• Industry knowledge
• Process skills
• Knowledge of regulations affecting the organization
• Understanding of information technology risks and processes
• Effective presentation and report preparation
• Operations skills
• Financial or accounting

(87)

SAMPLE ONLY: draft audit plan with skill requirements

Columns of the sample plan (an "x" marks the items that apply to each auditable area):
- Process / Auditable areas
- Risk: Regulatory; Political; Contract compliance; Fraud; Planning and budgeting
- Location: Head office; Regional or satellite office; International office
- Other consideration: Number and criticality of risks; Number and complexity of the location; Date and results of last audit; Financial exposure; Request by management; ERM top risk; Major change in the operation
- Priority: Priority; Not priority
- Type of engagement: Compliance evaluation; Performance evaluation; Controls assessment
- Man hours needed
- Skills requirement: skill set required, with the hours allocated to each

Rows as extracted (risk and location marks | number and criticality of risks | number and complexity of the location | last audit | financial exposure | request by management | ERM top risk | major change | priority and engagement-type marks | man hours | skill set required):
- Sales and marketing: x x x x x x x | 4 (H) | 3 (C) | 2012 | 2 B | Yes | Yes | Yes | x x | 480 hours | Auditor II (200), Fraud Auditor (280)
- Customer service: x x | 1 (M) | 1 (C) | 2010 | 2 B | No | No | Yes | x x | 240 hours | Auditor I (120), Auditor II (120)
- Project development: x x x | 2 (H) | 1 (C) | None | 1B | Yes | Yes | Yes | x x x | 600 hours | Auditor III (350), Engineer (250)
- Human resource: x x x | 1 (H) | 2 (SC) | 2007 | CD | No | No | No | x x | 160 hours | Auditor I (80), Auditor II (80)

Total man hours for Auditor III: 1800 hours
Total man hours for Auditor II: 2000 hours

3. Identify resource requirements

Note that some skills are not readily available within the IA function. Hence, IA may consider outsourcing them to external parties or to other internal parties.
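The three resource-planning steps above (type of engagement, man hours, skill requirements) come together when the draft plan is checked for feasibility. The following Python script is an added example, not part of the training deck: it takes the skill-hour allocations from the sample plan, checks that each engagement's skill hours foot to its man hours, totals the hours required per skill set, and compares them with an in-house capacity table. The capacity figures are an assumption for illustration (the deck does not state them); skills that do not appear in the capacity table are reported as candidates for outsourcing, as the note above suggests.

```python
from collections import defaultdict

# Taken from the sample draft audit plan: man hours needed per engagement and
# the hours allocated to each skill set.
ENGAGEMENTS = [
    {"area": "Sales and marketing", "man_hours": 480,
     "skills": {"Auditor II": 200, "Fraud Auditor": 280}},
    {"area": "Customer service", "man_hours": 240,
     "skills": {"Auditor I": 120, "Auditor II": 120}},
    {"area": "Project development", "man_hours": 600,
     "skills": {"Auditor III": 350, "Engineer": 250}},
    {"area": "Human resource", "man_hours": 160,
     "skills": {"Auditor I": 80, "Auditor II": 80}},
]

# ASSUMED in-house capacity (hours available for the plan period); the deck
# does not give these figures. Skills absent from this table are not in-house.
IN_HOUSE_CAPACITY = {"Auditor I": 150, "Auditor II": 2000, "Auditor III": 1800}


def check_allocation(engagements):
    """Return the areas whose per-skill hours do not foot to the man hours needed."""
    return [e["area"] for e in engagements
            if sum(e["skills"].values()) != e["man_hours"]]


def required_hours(engagements):
    """Total hours required per skill set across all planned engagements."""
    totals = defaultdict(int)
    for e in engagements:
        for skill, hours in e["skills"].items():
            totals[skill] += hours
    return dict(totals)


def resource_plan(engagements, capacity):
    """Compare required hours with in-house capacity.

    Returns a dict with:
      required  - hours needed per skill set
      shortfall - skills that exist in-house but lack enough hours (hours short)
      outsource - skills not available in-house at all
    """
    req = required_hours(engagements)
    shortfall = {s: h - capacity[s] for s, h in req.items()
                 if s in capacity and h > capacity[s]}
    outsource = sorted(s for s in req if s not in capacity)
    return {"required": req, "shortfall": shortfall, "outsource": outsource}


if __name__ == "__main__":
    mismatched = check_allocation(ENGAGEMENTS)
    if mismatched:
        print("skill hours do not foot to man hours for:", mismatched)
    plan = resource_plan(ENGAGEMENTS, IN_HOUSE_CAPACITY)
    for skill, hours in sorted(plan["required"].items()):
        print(f"{skill:<14}{hours:>6} hours")
    print("shortfall (hours short):", plan["shortfall"])
    print("skills to outsource:", plan["outsource"])
```

With the sample plan, the Fraud Auditor and Engineer roles are flagged for outsourcing and Auditor I is 50 hours short of the assumed capacity; adjusting the capacity table to the IA function's real staffing turns this into a quick feasibility check for the draft plan.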

(88)

88

4. Obtain approval

Obtain approval

INPUT: Draft audit plan
PROCESS: Obtain approval
OUTPUT: Approved audit plan

• Ensure audit plan documentation is complete, accurate and reviewed by the CAE.
• Identify all approvals (e.g., Audit Committee, Board) necessary to confirm the audit plan.
• Set up a meeting to present the audit plan:
  o Audit Committee Head or equivalent

(89)

RBPF framework (figure): phases UNDERSTAND, ASSESS, PLAN, DELIVER, MONITOR; activities: Co-develop expectations, Understand the organization, Assess the risks, Develop annual plan, Perform the engagement, Communicate the result, Monitor the progress, Communicate the result; Supervise the engagement; DOCUMENT; QUALITY ASSURANCE: Quality and improvement program

DELIVER: Perform the engagement

1. Understand the process
2. Assess risks in the process
3. Assess process performance and control gaps
4. Validate process measures and controls

(90)

90

1. Understand the process

Conduct opening meeting → Perform walk-through → Document the understanding of the process → Validate the understanding of the process

(91)

The opening meeting shall cover the following:

• Background discussion
• Engagement objectives and scope
• Deliverables and timelines
• Other matters

Step: Conduct opening meeting (of: Conduct opening meeting → Perform walk-through → Document the understanding of the process → Validate the understanding of the process)

(92)

92

1. Understand the process

Ask questions about (but not limited to):

• What are the beginning and end points of the process?
• Understand each task within the process
• Key inputs and outputs of the process
• Types and nature of controls
  o Automated vs. manual
  o Detective vs. preventive
  o Specific, pervasive, and monitoring controls
• Any history of problems with key controls or process areas in the past

Step: Perform walk-through (of: Conduct opening meeting → Perform walk-through → Document the understanding of the process → Validate the understanding of the process)

(93)

Tasks (but not limited to):

• Select the appropriate process mapping tool:
  o Process maps
  o Narrative
• Create a first draft of the process map
• Identify the control points in the process
• Be alert for process inefficiencies that could be the subject of the recommendations

Step: Document the understanding of the process (of: Conduct opening meeting → Perform walk-through → Document the understanding of the process → Validate the understanding of the process)

(94)

94

Tasks (but not limited to):

• Validate the process with the auditee
• Finalize the process map/narrative
• Document any preliminary gaps identified at this point

Step: Validate the understanding of the process (of: Conduct opening meeting → Perform walk-through → Document the understanding of the process → Validate the understanding of the process)

(95)

SAMPLE ONLY: process map (swimlane flowchart, figure)

PROCESS NAME: Credit and Collection
Sub-Process: Collection
Swimlanes: Customer; Cashier; Cashier Supervisor
Prepared by: Juana dela Cruz, Version 1 (Page 1 of 20)

Steps as drawn:
- Customer: Start → Pay the monthly rental → decision on payment mode (branch labels: Yes / No): Cash → Cashier; Check → Payment through check (continues on Page 3); Wire Transfer → Payment through wire (continues on Page 6)
- Cashier: Accept the cash → Prepare official receipt (document: Official Receipt) → At the end of the day: Prepare remittance slip → Deposit the cash → Deposit collection (continues on Page 11)
- Cashier Supervisor: Match the cash and issued official receipts; Match the cash, remittance slip and official receipt issued

(96)

96

2. Assess risks in the process

SAMPLE ONLY: risk and control matrix (risk details filled in; control details to be completed)

Columns: Ref # | Process and/or financial reporting risk | Control ref # | Detailed control description | Frequency | Control nature | Control type | Control owner

Process: Credit and Collection, Sub-process: Collection
- R.1.1 | Cash collection is misappropriated. | X | X
- R.1.2 | Cash collection is not deposited on time. | X

Identify the process level or transactional

(97)

a. Identify the existing controls, including relevant details (e.g., frequency, nature, type, owner, IT support application, critical reports), in the process

b. Map the existing controls to the risks initially identified

c. Determine if there is any risk without control or risk with excessive controls

d. Determine if the existing controls properly address the risks

e. Document the initial results of the design effectiveness testing

(98)

98

3. Assess process performance and control gaps

SAMPLE ONLY: risk and control matrix (risk details and control details)

Columns: Ref # | Process and/or financial reporting risk | Control ref # | Detailed control description | Frequency | Control nature | Control type | Control owner | Supporting IT applications | Critical reports

Process: Credit and Collection, Sub-process: Collection

R.1.1 Cash collection is misappropriated.
- C.1.1 | Upon preparation of official receipt, cash collection is automatically recorded in the book as collection. | Event driven | Preventive | Automated | SAP | SAP | Remittance slip
- C.1.2 | The Cashier Supervisor matches the cash, remittance slip and official receipt issued. | Daily | Detective | IT-dependent | Cashier Supervisor | None | None

R.1.2 Cash collection is not deposited on time.
- C.1.3 | Cashier deposits the cash collection when she's not busy. | Event driven | Preventive | Manual | Cashier | None | Remittance slip, Deposit slip

The control might not be sufficient to mitigate the risk. The IA function should check whether there is any compensating control in the process.
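Steps a to e above (identify controls, map them to risks, look for risks without or with excessive controls, judge design adequacy, record the result) are a mechanical pass over the matrix once the risk and control details are captured. The following Python code is an added example, not taken from the deck: it encodes the sample matrix, applies two design-adequacy rules that are my own assumptions (a control needs a defined trigger or deadline, and a non-automated control should be owned by someone independent of the activity it covers) and reports risks with no control, risks with more controls than an assumed threshold, and risks left unaddressed because none of their controls is soundly designed. The `timing_defined` flag and the `activity_owner` field are constructed attributes used to express those rules.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    ref: str
    description: str
    frequency: str            # e.g. "Daily", "Event driven"
    nature: str               # "Preventive" or "Detective"
    ctype: str                # "Automated", "IT-dependent" or "Manual"
    owner: str
    timing_defined: bool = True   # constructed flag: is there a defined trigger or deadline?


@dataclass
class Risk:
    ref: str
    description: str
    activity_owner: str       # constructed: who performs the activity the risk arises from
    controls: List[Control] = field(default_factory=list)


MAX_CONTROLS_PER_RISK = 3     # assumed threshold for "excessive" controls


def control_design_issues(control: Control, risk: Risk) -> List[str]:
    """Design checks (assumed rules, not the deck's): a control needs a defined
    trigger or deadline, and a non-automated control should be owned by someone
    independent of the activity it is meant to control."""
    issues = []
    if not control.timing_defined:
        issues.append("no defined trigger or deadline")
    if control.ctype != "Automated" and control.owner == risk.activity_owner:
        issues.append("owner is not independent of the activity")
    return issues


def assess_design(risks: List[Risk]) -> Dict[str, object]:
    """Steps c and d of the slide: risks without control, risks with excessive
    controls, per-control design issues, and risks not properly addressed."""
    report = {"no_control": [], "excessive": [], "design_issues": {}, "not_addressed": []}
    for r in risks:
        if not r.controls:
            report["no_control"].append(r.ref)
            report["not_addressed"].append(r.ref)
            continue
        if len(r.controls) > MAX_CONTROLS_PER_RISK:
            report["excessive"].append(r.ref)
        sound = 0
        for c in r.controls:
            issues = control_design_issues(c, r)
            if issues:
                report["design_issues"][c.ref] = issues
            else:
                sound += 1
        # a risk counts as addressed only if at least one control passes the design checks
        if sound == 0:
            report["not_addressed"].append(r.ref)
    return report


# Sample matrix from the slide (Credit and Collection / Collection).
C11 = Control("C.1.1", "Upon preparation of official receipt, cash collection is "
              "automatically recorded in the book as collection.",
              "Event driven", "Preventive", "Automated", "SAP")
C12 = Control("C.1.2", "The Cashier Supervisor matches the cash, remittance slip "
              "and official receipt issued.",
              "Daily", "Detective", "IT-dependent", "Cashier Supervisor")
C13 = Control("C.1.3", "Cashier deposits the cash collection when she's not busy.",
              "Event driven", "Preventive", "Manual", "Cashier", timing_defined=False)

RISKS = [
    Risk("R.1.1", "Cash collection is misappropriated.", "Cashier", [C11, C12]),
    Risk("R.1.2", "Cash collection is not deposited on time.", "Cashier", [C13]),
]

if __name__ == "__main__":
    for key, value in assess_design(RISKS).items():
        print(f"{key}: {value}")
```

Run against the sample, R.1.1 is addressed by C.1.1 and C.1.2, while R.1.2 is reported as not addressed because its only control, C.1.3, has no defined deadline and is owned by the cashier whose deposits it is supposed to ensure; this is the same conclusion the slide reaches ("control might not be sufficient") and points directly at the compensating-control question.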

(99)

4. Validate process measures and controls

Prepare detailed test procedures and request samples to be tested → Perform testing → Identify gaps in the operating effectiveness of controls

(100)

100

4. Validate process measures and controls

SAMPLE ONLY: test of operating effectiveness (control details and testing information)

Columns: Control ref # | Detailed control description | Test procedures | Test sample | Test result

Process: Credit and Collection, Sub-process: Collection

C.1.1 Upon preparation of official receipt, cash collection is automatically recorded in the book as collection.
Test procedures:
1. Try to prepare a dummy official receipt (or observe an actual official receipt) in the system.
2. Determine if it is automatically recorded in the book as cash collection.
Test sample: Test of 1
Test result: The system automatically captured the prepared official receipt upon its preparation. No exceptions noted.

C.1.2 The Cashier Supervisor matches the cash, remittance slip and official receipt issued.
Test procedures:
1. Obtain the list of remittance slips from the system for the covered period.
2. Select 25 samples to be tested.
3. Request the supporting hard-copy remittance slip, official receipt issued and other supporting documents.
4. Check if the Cashier Supervisor reviewed the selected samples.
5. Determine if the details in the system-generated remittance slip match the hard-copy remittance slip and official receipt.
6. Perform some footing and cross-footing.
7. Further match the system-generated remittance slip with the deposit slip.
8. Document the gaps noted.
Test sample: 25 transactions
Test result: There is a noted discrepancy between the system-generated remittance slip and the deposit slip. Total cash collection on 8 July 2013:
  Per remittance slip: Php 8,700,909.00
  Per deposit slip: Php 7,001,500.00
  Difference: Php 1,699,409.00
Further, no bank reconciliation is being performed.

C.1.3 Cashier deposits the cash collection when she's not busy.
Test procedures: No testing will be performed.
Test result: There is no specific date or timeline to deposit the cash collection in the bank.
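Test steps 4, 6 and 7 for C.1.2 (evidence of supervisor review, footing of each remittance slip, cross-footing of remittance totals against deposit slips) can be run over the system extract itself before the hard copies are pulled, so that the 25 samples are chosen with the exceptions already in view. The following Python script is an added example and not part of the deck: the remittance and deposit slips are constructed sample data whose 8 July 2013 totals reproduce the figures in the test result above, and the `reviewed` flag stands in for whatever sign-off evidence the system actually holds.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample: system-generated remittance slips (with their line items and
# whether the Cashier Supervisor signed off) and bank deposit slips. The 8 July 2013
# totals reproduce the figures in the slide's test result.
REMITTANCE_SLIPS = [
    {"slip_no": "RS-0001", "date": "2013-07-08", "declared_total": Decimal("3200000.00"),
     "items": [Decimal("1200000.00"), Decimal("2000000.00")], "reviewed": True},
    {"slip_no": "RS-0002", "date": "2013-07-08", "declared_total": Decimal("4000909.00"),
     "items": [Decimal("4000909.00")], "reviewed": True},
    # footing error: the items add up to 1,450,000.00, not 1,500,000.00; also not reviewed
    {"slip_no": "RS-0003", "date": "2013-07-08", "declared_total": Decimal("1500000.00"),
     "items": [Decimal("1000000.00"), Decimal("450000.00")], "reviewed": False},
    {"slip_no": "RS-0004", "date": "2013-07-09", "declared_total": Decimal("1250000.00"),
     "items": [Decimal("1250000.00")], "reviewed": True},
]
DEPOSIT_SLIPS = [
    {"deposit_no": "DS-0101", "date": "2013-07-08", "amount": Decimal("7001500.00")},
    {"deposit_no": "DS-0102", "date": "2013-07-09", "amount": Decimal("1250000.00")},
]


def footing_exceptions(slips):
    """Step 6 (footing): slips whose line items do not add up to the declared total."""
    return [s["slip_no"] for s in slips if sum(s["items"]) != s["declared_total"]]


def unreviewed_slips(slips):
    """Step 4: slips without evidence of the Cashier Supervisor's review."""
    return [s["slip_no"] for s in slips if not s["reviewed"]]


def cross_foot_by_date(slips, deposits):
    """Step 7 (cross-footing): compare remittance totals with deposits per date."""
    remitted = defaultdict(Decimal)
    deposited = defaultdict(Decimal)
    for s in slips:
        remitted[s["date"]] += s["declared_total"]
    for d in deposits:
        deposited[d["date"]] += d["amount"]
    result = {}
    for date in sorted(set(remitted) | set(deposited)):
        result[date] = {"remittance": remitted[date], "deposit": deposited[date],
                        "difference": remitted[date] - deposited[date]}
    return result


def operating_effectiveness_gaps(slips, deposits):
    """Step 8: collect every exception noted by the test procedures."""
    by_date = cross_foot_by_date(slips, deposits)
    return {
        "footing": footing_exceptions(slips),
        "unreviewed": unreviewed_slips(slips),
        "unmatched_dates": {d: v["difference"] for d, v in by_date.items()
                            if v["difference"] != 0},
    }


if __name__ == "__main__":
    gaps = operating_effectiveness_gaps(REMITTANCE_SLIPS, DEPOSIT_SLIPS)
    print("slips that do not foot:", gaps["footing"])
    print("slips without supervisor review:", gaps["unreviewed"])
    for date, diff in gaps["unmatched_dates"].items():
        print(f"{date}: remittance exceeds deposit by Php {diff:,.2f}")
```

Amounts are kept as `Decimal` so that the differences are exact; with the sample data the script reports RS-0003 for both the footing and review checks and a Php 1,699,409.00 shortfall on 8 July 2013, which is exactly what the manual test found and what the later root-cause slide attributes to an editable remittance slip with no independent match against the deposit slip.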

(101)

5. Identify root causes and solutions

We determine the root causes of control, compliance or performance gaps:

• To determine which root causes have the greatest negative impact on a process or control, and where to focus efforts to minimize or eliminate gaps.
• To develop implementable solutions that will minimize or eliminate the identified control or compliance gaps.

Root cause (fishbone) diagram (figure): categories Process, Policies and procedures, People, Oversight, IT → Control or compliance or performance gap

(102)

102

5. Identify root causes and solutions

SAMPLE ONLY: root cause (fishbone) diagram (figure), categories Process, Policies and procedures, People, Oversight, IT → Control or compliance or performance gap

1. a. Cashier has an opportunity to edit the remittance slip when generated.
1. b. System-generated remittance slip is editable upon generation.
2. a. There is no process to review or match whether the system-generated remittance slip matches the deposit slip.
2. b. There is no assigned personnel to review or match whether the system-generated remittance slip matches the deposit slip.
2. c. Matching of the remittance slip against the deposit slip is not documented in the process.

(103)

RBPF framework (figure): UNDERSTAND, ASSESS, PLAN, DELIVER, MONITOR, with DOCUMENT, Supervise the engagement and QUALITY ASSURANCE (Quality and improvement program) spanning all phases

DELIVER: Communicate the result

1. Provide recommendation and agree action plan
2. Conduct closing meeting

(104)

104

Recommendations may be based on the following:

• Root causes identified
• Leading practice

SAMPLE ONLY

Test result:
There is a noted discrepancy between the system-generated remittance slip and the deposit slip. Total cash collection on 8 July 2013:
  Per remittance slip: Php 8,700,909.00
  Per deposit slip: Php 7,001,500.00
  Difference: Php 1,699,409.00
Further, no bank reconciliation is being performed.

Root cause:
1. a. Cashier has an opportunity to edit the remittance slip when generated from the system.
   b. System-generated remittance slip is editable upon generation.
2. a. There is no process to review or match whether the system-generated remittance slip matches the deposit slip.
   b. There is no assigned personnel to review or match whether the system-generated remittance slip matches the deposit slip.
   c. Matching of the remittance slip against the deposit slip is not documented in the process.

Recommendation:
1. The IT or system developer should revisit the program in the system to make the reports non-editable upon generation from the system.
2. The concerned management should consider putting an additional control in the process. Personnel independent of the custody and recording of cash collection should review whether the recorded cash collection in the system matches the deposit slip and, ultimately, the bank account. This control may be part of the bank reconciliation process.

Communicate results

(105)

• Audit observations are discussed with the auditee as they are identified.
• Co-develop recommendations: a "team" approach.
• Where significant, a closing meeting may be held.
• Communicating results is formalized through audit reports:
  o Objective and factual
  o Contain observations, conclusions, recommendations, and the auditee's response
  o Reviewed and approved by the CAE
• The final audit report is issued to the auditee, senior management, the Executive Office, and the Audit Committee.

(106)

106

RBPF framework (figure): UNDERSTAND, ASSESS, PLAN, DELIVER, MONITOR, with DOCUMENT, Supervise the engagement and QUALITY ASSURANCE (Quality and improvement program) spanning all phases

MONITOR: Monitor the progress

1. Validate the implementation of the action plan

(107)

RBPF framework (figure): UNDERSTAND, ASSESS, PLAN, DELIVER, MONITOR, with DOCUMENT, Supervise the engagement and QUALITY ASSURANCE (Quality and improvement program) spanning all phases

DOCUMENT: Document the result of:
• Understanding
• Assessing
• Planning
• Delivering
• Monitoring

(108)

108

RBPF framework (figure): UNDERSTAND, ASSESS, PLAN, DELIVER, MONITOR, with DOCUMENT, Supervise the engagement and QUALITY ASSURANCE (Quality and improvement program) spanning all phases

QUALITY ASSURANCE: Quality and improvement program

• Review and supervise
• Conduct internal assessment

(109)

Risk Assessment - Concept

Relevant Regulatory Developments & Impact

Understanding Internal Control Concepts

Internal Control – COSO Integrated Framework 2013

Risk Based Audit Approach:

Internal Audit

External Audit

(110)

110

RBA framework (figure)

Phases: Strategic Planning and Risk Identification; Planning; Delivery; Monitoring (Quality Control System)
Activities: Audit Planning and Risk Assessment; Execution; Conclusion and Reporting

(111)

RBA framework

STRATEGIC PLANNING AND RISK IDENTIFICATION

Activities:

• Perform Risk Identification (RI)
  o Develop/update the Business Risk Model (BRM)
  o Identify risks
  o Report the results of RI
• Conduct Strategic Planning

RBA framework (figure, phase Strategic Planning and Risk Identification highlighted): Strategic Planning and Risk Identification (Risk Identification); Planning (Audit Planning and Risk Assessment); Delivery (Execution; Conclusion and Reporting); Monitoring
