Agenda
Risk Assessment - Concept
Relevant Regulatory Developments & Impact
Understanding Internal Control Concepts
Internal Control COSO Integrated Framework 2013
Risk Based Audit Approach:
Internal Audit
External Audit
Getting to know
Misplaced objectives
Safety measures compromised in design
Responsibilities not clear
Information overlooked
Inadequate contingency plans
Lessons learnt
BUSINESS RISKS: EXTERNAL / INTERNAL
Earnings and Operating Margins
International Expansion
New Product Development
Environmental Regulation
IT Infrastructure Capacity
Key Supplier Dependence
Recruitment & Retention
Customer Migration
Regulatory Compliance
Health/Pension Costs
Joint venture Partnerships
Gain New Business
Procurement
Production
Distribution
Business Continuity
Intellectual Property
Retain Top Performers
New Product Development
Asset and Capital Management
Deliver Superior Customer Service
Reputation and Brand
Revenue and Market Share
Business Processes
Customer Support
- ISO 31000
Risk Assessment
Identify risks
Prioritize risks
Sample Risks
Environment Risks
Process Risks
Establish RM goals and objectives, and RM oversight structure
Assess business risks
Develop RM strategies
Develop common language
Monitor RM process
Continuously improve RM process
Survey Questionnaires
Interviews
Brainstorming Sessions
Filtering Issues to Identify Business Risks
Developing a Common Risk Language
Risk Prioritization
Risk Map (figure, sample): the scored risks plotted on the map are Customer Satisfaction Risk, Customer Wants Risk, Human Resources Risk, Technology Risk, Regulatory Risk, Credit Default Risk, Business Interruption Risk, Product/Service Failure Risk, Capacity Risk, Partnering Risk and Competitor Risk; the plotted scores range from 4.3 to 8.3.
Agenda
Primary Objectives
Global Regulations
Philippine Corporations
PSE Memorandum No. 2010-0574
An Enterprise-wide Risk Management system should be in place and properly functioning in a transparent manner.
Have board oversight
Seek external support
Disclose risk information and how these are managed
Establish risk management unit
Prepare formal risk management policy
Agenda
ACTIVITY 1: SUPERMARKET RISKS & CONTROLS
Supermarket floor plan (figure): Manager's Office, Toiletries, International Goods, Canned Goods, Fresh Produce, Household, Consumables, Snacks, Drinks, Cosmetics, Counter #1, Counter #2, Counter #3, Customer Service, Stall #1 to Stall #4, Entrance/Exit, Fruits / Vegetables, Wet Goods, Package Counter, Restrooms.
GL journal flowchart (figure): Start -> Enter/Fix GL Journal -> Submit Journal for Approval -> Approved? (if not, return to Enter/Fix GL Journal) -> Post Journal -> JE Saved to Database -> Review Ledger Report -> End
100%
INTERNAL ACCOUNTING CONTROL
BUSINESS CONTROLS
Reality
OLD PARADIGM
Agenda
Source: COSO IC-IF 2013 Committee of Sponsoring Organizations of the Treadway Commission Internal Control Integrated Framework 2013
Types of controls
Preventive controls
Detective controls
Examples of detective controls:
General ledger to subsidiary ledger reconciliations
Budget vs. actual comparisons
Review of exception reports
Quality inspection
Nature of controls
Manual: performed by individuals outside of the system or application. Examples: independent review of general ledger reconciliations; manual authorization of employee expense reports.
IT-dependent manual: both manual and IT output are combined; relies on system-generated information or functionality for its effectiveness.
Automated: performed by a system or incorporated into an application logic.
Frequency of controls
Ongoing (daily / multiple times per day)
Monthly
Quarterly
Annually
Ad hoc / As required
Examples: Firewall; 3-way match; Review of general ledger reconciliations; Review of user access to IT systems
COSO timeline (figure): 2006, 2009, 2013, transition period, 2014, 2015
COSO Internal Control Integrated Framework 2013
Gained broad public acceptance; widely recognized as the leading framework
Responded to dramatic changes in business and operating environments
Underwent a significant multiyear update project in 2010
Drivers of the update:
Globalization of markets and operations
Expectations for competencies and accountabilities
Changes and greater complexities of business
Demands and complexities in laws, rules, regulations, and standards
Expectations relating to preventing and detecting fraud
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information & Communication
5. Monitoring
Agenda
RBPF framework
UNDERSTAND: Co-develop expectations; Understand the organization
ASSESS
PLAN: Develop annual plan
DELIVER: Perform the engagement; Communicate the result
MONITOR: Monitor the progress; Communicate the result
DOCUMENT
QUALITY ASSURANCE
To identify business risks
To be able to make recommendations that focus on the elements critical to the Company's business
Mission
Vision
Values
Strategy
Mandates
2. Set expectations meeting with stakeholders to align their needs to the annual internal audit plan, as well as communicate to them the internal audit functions.
Mega process: the highest level of processes; its purpose relates to the accomplishment of the overall mission of the business.
Major process: a major subdivision of a mega process; represents a collection of sub-processes.
Sub-process: a subdivision of a major process; represents a collection of activities.
Activity: a unit of work performed by one job function and at one time, with one mode of operation at the same location.
SAMPLE ONLY
Mega processes: Gain new business; Manufacturing; Procurement; Distribution; Finance and Accounting
MAJOR processes: Marketing and Advertising; Accounts Receivable; Accounts Payable; Payroll; Budgeting and Financial Reporting
SUB-processes (Accounts Receivable): Recording receivables; Managing aging of receivables; Managing collection of receivables
ACTIVITY: Process customer receipts; Follow-up customer overdue debt
Control Environment
Activity: Control Environment
Principle: Demonstrates commitment to integrity and ethical values
Approach / Point of Focus: Establishing Standard of Conduct; Communicating and reinforcing the accountability for responsible conduct for all personnel
Example: Send Code of Conduct to all employees and third parties acting on behalf of the Company; Post Code of Conduct to the Company's website; Require all employees to complete periodic interactive web-based training
RBPF framework
ASSESS
Identify risks
Prioritize risks
Top risks
Risk profile
PURPOSE
1. Entity level
2. Process level
1. Identify risks
In identifying risks, consider relevant information gathered from the Understand the Business and Control Environment part of the methodology:
Business Analysis Framework (BAF)
Organizational Control Assessment
Customized Process Classification Scheme
Interviews
Questionnaires
Facilitated meetings
Transform inputs into output
OUTPUT: Risk universe; Relevant risks
2. Prioritize risks
Criteria
1. Severity of impact: if the risk happens, how much will it affect the company?
RBPF framework
PLAN
Available resources
PROCESS: Identify and validate audit universe; Prioritize auditable areas; Identify resource requirements; Obtain approval
OUTPUT: Validated audit universe; Prioritized auditable areas
PROCESS: Identify and validate audit universe
OUTPUT: Validated audit universe
Audit Universe refers to risks and processes that could be targeted for the audit. Risks and processes may also be organized and referred to by locations.
1. Obtain the different universes (e.g., risk universe, process universe and location universe) from stakeholders.
2. Map the risks in the processes.
3. Identify the location of the processes.
4. Present and validate audit universe to IA function, management and oversight committee.
Enterprise risk management risk universe
Business units risk universe
Management, IA and committee risk universe
3. International office
Audit universe matrix (SAMPLE ONLY, figure): rows list the process / auditable areas (Planning and budgeting, Sales and marketing, Customer service, Project development, Human resource); columns list the risks (Fraud, Political, Regulatory, Contract compliance) and the locations (Head office, Regional or satellite office, International office); an x marks where a risk or location applies.
4. Present and validate audit universe to different business units, management and oversight committee.
PROCESS: Prioritize auditable areas
OUTPUT: Prioritized auditable areas
The criteria for prioritizing the auditable areas may include, but are not limited to, the following:
Number and criticality of risks
Number and complexity of the location
Date and results of last audit
Financial exposure
Request by Management
Major changes in operations
Business complexity
Probability that major improvement for the auditable area is needed
Legend:
H - High
M - Medium
L - Low
C - Complex
SC - Semi-complex
NC - Not complex
CD - Cannot determine
Note:
- Financial exposure may be based on the previous year's record
Prioritization matrix (SAMPLE ONLY, figure): for each process / auditable area, alongside the risk marks (Fraud, Political, Regulatory, Contract compliance) and location marks (Head office, International office), the matrix records the number and criticality of risks (4 (H), 1 (M), 2 (H), 1 (H)), the number and complexity of locations (3 (C), 1 (C), 1 (C), 2 (SC)), the date of the last audit (2012, 2010, None, 2007), the financial exposure (2B, 2B, 1B, CD), Yes/No answers for request by management and the other considerations, and the resulting rating (Priority or Not priority).
PROCESS
OUTPUT
Identify resource
requirements
1.
2.
3.
4.
83
b) Performance evaluation
This evaluation pertains to the
assessment of performance of
personnel and/or third parties
(e.g., contracts review).
a) Compliance evaluation
A review to determine the
compliance of the
concerned business unit to
the policies and procedures
including its contents.
c) Controls assessment
An assessment with the objective of determining the
effectiveness of the control design and its operating
application.
84
Resource requirements matrix (SAMPLE ONLY, figure): the prioritization matrix (risks Fraud, Political, Regulatory, Contract compliance; locations Head office, Regional or satellite office, International office; Planning and budgeting) extended with the type of engagement (Compliance evaluation, Performance evaluation, Controls assessment) and the man hours needed (480 hours, 240 hours, 600 hours, 160 hours).
Skills requirement:
Process skills
Risk management skills
Financial or accounting skills
Facilitation skills
Industry knowledge
Understanding of information technology risks and processes
Effective presentation and report preparation
Communication and change management skills
Knowledge of regulations affecting the organization
Resource requirements matrix (SAMPLE ONLY, figure, continued): the same rows (Fraud, Political, Regulatory, Contract compliance; Project development, Human resource; Head office, International office) with priority, financial exposure, request by management, other consideration, type of engagement and man hours needed, plus a skills requirement column, totals of 1800 hours and 2000 hours, and an Outsource option.
4. Obtain approval
INPUT
PROCESS: Obtain approval
OUTPUT
RBPF framework
DELIVER
Perform the engagement:
Conduct opening meeting
- Background discussion
- Engagement objectives and scope
- Deliverables and timelines
- Other matters
Perform walkthrough
Document the understanding of the process
- Process maps
- Narrative
Validate the understanding of the process
Sample output
PROCESS NAME: Credit and Collection
Sub-Process: Collection
SAMPLE ONLY
Collection flowchart (figure): Start -> Customer pays by Check (Payment through check, Page 3), Wire Transfer (Payment through wire, Page 6) or Cash -> Cashier: Prepare official receipt -> Official Receipt -> Prepare remittance slip -> Cashier Supervisor: Deposit collection (Page 11); decision branches are labelled Yes / No.
Control details (SAMPLE ONLY)
Columns: Ref # | Risk details | Control ref # | Detailed control description | Frequency | Control nature | Control type | Control owner | Supporting IT applications | Critical reports
Sub-process: Collection
R.1.1 Cash collection is misappropriated.
C.1.1 Upon preparation of official receipt, cash collection is automatically recorded in the book as collection. Event driven; Automated; Preventive.
C.1.2 The Cashier Supervisor matches the cash, remittance slip and official receipt issued. IT-dependent; Detective; Cashier Supervisor.
C.1.3 Cashier deposits the cash collection when she's not busy.
R.1.2
Remaining cells (frequency, control owner, supporting IT applications, critical reports), in slide order: Daily; SAP; SAP; Remittance slip; None; None; None; Remittance slip; Deposit slip
Perform testing
Control details: Detailed control description
Testing information: Test procedures; Test sample; Test result
SAMPLE ONLY
Sub-process: Collection
C.1.1: Test of 1
C.1.2: 25 transactions. There is noted discrepancy between the system-generated remittance slip and deposit slip:
C.1.3
Gap classification (SAMPLE ONLY): Oversight; Control or compliance or performance gap; Process; Policies and procedures; People; IT
Findings:
1. b. System-generated remittance slip is editable upon generation.
2. c. Matching of remittance slip against the deposit slip is not documented in the process.
RBPF framework
DELIVER: Communicate the result
Communicate results
SAMPLE ONLY
Root cause
Recommendation
There is noted discrepancy between the system-generated remittance slip and deposit slip:
Communicate results
Final audit report is issued to the auditee, senior management, the Executive Office, and the Audit Committee.
RBPF framework
MONITOR
RBPF framework
DOCUMENT
QUALITY ASSURANCE
Agenda
RBA framework
Planning: Strategic Planning and Risk Identification; Audit Planning and Risk Assessment
Delivery: Execution; Conclusion and Reporting
Monitoring (Quality Control System)
Note: Procedures for all audit services are integrated in all phases, except for the Execution phase.
RBA framework: Strategic Planning and Risk Identification
Activities: Conduct Strategic Planning
RBA framework: PLANNING
Activities: Understand the Business; Identify Significant Business Risks; Understand and Assess Business-level Controls; Understand the Process; Conduct Audit Risk Assessment and Planning
RBA framework: CONCLUSION AND REPORTING
Activities: Summarize Audit Results; Evaluate Audit Results; Communicate Audit Results
RBA framework: MONITORING
Activity: Monitoring (Quality Control System)
RBA framework (overview)
Strategic Planning and Risk Identification: Perform Risk Identification; Conduct Strategic Planning
Planning: Understand the Business; Identify Significant Business Risks; Understand and Assess Business-level Controls; Understand the Process; Conduct Audit Risk Assessment and Planning; Prepare Audit Work step
Delivery / Execution
Conclusion and Reporting: Summarize Audit Results; Communicate Audit Results
Monitoring
Execution: Form 03A-01: Audit Test Summary
Conclusion and Reporting: Form 03B-01: Summary of Audit Results and Recommendations; Form 03B-02: Quality Inspection Tool; Form 03B-03: Action Plan; Form 03B-04: Action Plan Monitoring Tool
Audit services mapped to phases (figure): Compliance, Fraud; Planning, Execution, Conclusion and Reporting, Monitoring
Comprehensive auditing is discussed in Phases 1 and 2. Although Fraud is given consideration, the full-length discussion is in the Fraud Audit Manual. The guidelines set forth in the Monitoring phase are applicable to comprehensive auditing.
RBA framework
Strategic Planning and Risk Identification
Inputs: Global Trends; Technological changes; Media releases and reporting; Industry risks; Fraud and geographic risks
Departments: Finance; Human Resource; Marketing; Purchasing; Accounting
Linkage of risks to Business Objective: Improve Financial Position - Create opportunities for non-traditional revenue streams
Key Risk (sample)
Risk Category: Strategic
Risk Title: Vision and Direction
Risk Definition: Failure to establish a vision and direction for major initiatives, including services, products and programs that will drive future growth. Failure to establish project acceptance criteria and adequately measure against the criteria.
Basis of Selection: Changes in management
Departments / Program / Activity / Project: Purchasing - Centralization of Purchasing Functions; Finance - Proper reporting of financial records
RI Template
Minutes of the RI activity
Participants of RI
Risk identification flow (figure): Company Risk Identification, Strategic Action Plan (SAP), Departmental Plan (COP/ROP); RIT
Planning: Audit Planning and Risk Assessment
RBA framework
Audit risk assessment matrix (figure): Inherent Risk (Lower / Higher) is set against control reliance (Rely / Not Rely); the cells are labelled Minimal, Low, Moderate and High.
In determining the timing of our audit tests (tests of controls and substantive tests), we shall consider the auditors' other responsibilities such as, but not limited to:
Our audit focus areas and our planned audit approach (nature and extent of audit procedures) including timing.
We determine the overall audit risk assessment for each assertion of each significant account.
RBA framework
Extent
Timing
Timing of audit procedures by risk assessment (table): Minimal; Low; Moderate or High
If the company disagrees that there is an audit finding, or disputes the amount involved, we ask them to support their position by providing additional audit evidence.
If the evidence provided by the company does not support the company's position, we determine the effect on our audit opinion, which may include consulting with the Supervising Auditor.
RBA framework
Conclusion and Reporting
Significant findings, issues and observations, including misstatements, are summarized and discussed with the company. The conclusion for each misstatement, finding, issue, and observation is documented. This serves as the basis for formulating the audit opinion in the audit report.
Summary of Audit Results and Recommendation (SARR) is presented on the next slide.
SARR annotations (figure): Reference number for the audit findings; Indicate AOM No. and date issued; Document management's feedback
Audit opinion
Management Letter
Auditors shall use professional judgment in determining the nature and extent of the audit documentation. However, it shall be ensured that the documentation is consistent with policies, professional standards and other legal and regulatory requirements.
Audit Issue Database
Monitor progress
Part of the auditor's role is to determine that the audited company takes corrective actions on the audit recommendations provided on a timely basis.
RBA framework
Monitoring (Quality Control System)
Monitor Quality Control on Audit Services:
Quality Assurance
Questions?
Thank You!