risk-based auditing 2015
-
Risk Based Audit Approach: Understanding Risk, Internal Controls and the Risk Based Audit Approach 8 June 2015
Joseph Ian M. Canlas Partner
Leonardo J. Matignas, Jr. Partner
-
2 PICPA Risk Based Audit Approach
Risk Assessment - Concept
Relevant Regulatory Developments & Impact
Understanding Internal Control Concepts
Internal Control COSO Integrated Framework 2013
Risk Based Audit Approach:
Internal Audit
External Audit
Agenda
-
3 PICPA Risk Based Audit Approach
Purpose of this training
At the end of this training, participants are expected to:
Understand basic concepts about risk, internal controls and the risk-based audit approach.
Gain a basic understanding of internal control principles under the COSO Internal Control - Integrated Framework 2013.
Recognize the need for risk based audit approach to continually address risks due to changing business environment and manage stakeholder expectations.
-
4 PICPA Risk Based Audit Approach
Getting to know
-
6 PICPA Risk Based Audit Approach
From a paper presented by EJ Smith
the first & last Captain of
RMS Titanic
Setting the context
-
7 PICPA Risk Based Audit Approach
When anyone asks me how I can describe my experience of
nearly forty years at sea, I merely say uneventful. Of course
there have been winter gales and storms and fog and the
like, but in all my experience, I have never been in an
accident of any sort worth speaking about
I never saw a wreck and have never been wrecked, nor was I
ever in any predicament that threatened to end in disaster of
any sort.
- E.J. Smith 1907
-
8 PICPA Risk Based Audit Approach
So what really went wrong?
1. Misplaced objectives: Disregard for safety considerations in the excitement to break a record
2. Safety measures compromised in design: Sealed compartments not effective enough to handle damage of this magnitude
3. Responsibilities not clear: The new ship had a crew & individual responsibilities were not clear
4. Information overlooked: The iceberg warnings that were received were overlooked
5. Inadequate contingency plans: Not enough safety boats, for improved aesthetics
-
9 PICPA Risk Based Audit Approach
Lessons learnt
1. Setting strategic objectives with clear consideration for risk management
2. Thorough evaluation of the mitigation measures
3. Clear communication of roles and responsibilities
4. Contingency planning - Knowing what can go wrong and having appropriate mitigation measures in place
5. Effective monitoring and thorough analysis of the risk indicators
-
10 PICPA Risk Based Audit Approach
Business risk definition
A business risk is a threat that an event or action will adversely affect the Company's ability to achieve its business objectives and maximize stakeholder value.
or
What keeps the Board and Management awake at night?
-
11 PICPA Risk Based Audit Approach
Attributes of Business Risk
Could be existing
Could be emerging (has a potential of happening)
Presents an exposure to both tangible and intangible assets
Can arise from the external environment, from internal processes and from the lack of information for decision making
Presents an exposure (downside) if not managed or a potential opportunity (upside) if managed well
How can we use these to our advantage?
COMPANY'S GOAL, OBJECTIVES AND STRATEGY
BUSINESS RISKS: EXTERNAL, INTERNAL
WHAT WILL NOT ALLOW THE COMPANY TO SUCCEED?
Linking Risk to Business Strategy
-
12 PICPA Risk Based Audit Approach
Business Objectives and Strategies Key Business Risks
Link Risks to Business Processes
Evaluate Management and Control Activities
Link Business Objectives To Risks
Evaluate the significance of the risk to business objectives
Business Processes
Economic Conditions
Raw Material Price Volatility
Interest Rate Volatility
International Expansion
New Product Development
Environmental Regulation
IT Infrastructure Capacity
Key Supplier Dependence
Recruitment & Retention
Customer Migration
Regulatory Compliance
Health/Pension Costs
Joint venture Partnerships
Business Continuity
Intellectual Property
Evolving Global Economy
Expand Product Offering
Expand into New Markets
Maximize Return on Capital
Maximize Benefits from Technology Investments
Achieve Cost Optimization
Optimize Operating Efficiency
Retain Top Performers
Earnings and Operating Margins
Asset and Capital Management
Revenue and Market Share
Reputation and Brand
New Product Development
Gain New Business
Procurement
Production
Distribution
Customer Support
Deliver Superior Customer Service
Enhance Quality Product
Linking Risks to Objectives and Processes
-
13 PICPA Risk Based Audit Approach
Risk Management is a set of coordinated activities to direct and control an organization with regard to risk.
-ISO 31000
Risk Management (RM)
-
14 PICPA Risk Based Audit Approach
To provide management with a venue to identify and assess the impact of significant business risks that may threaten business objectives.
To identify the key risks that will be given audit focus in the audit plan.
To focus the audit work on the critical business risks of the Company.
Identify risks Prioritize risks
Risk Assessment
Why Assess Risk?
-
15 PICPA Risk Based Audit Approach
Management is primarily responsible to identify, measure, prioritize and manage risk
Internal Audit can facilitate the risk assessment process and should use the results for determining the audit focus
Who is Responsible for Assessing Risk?
-
16 PICPA Risk Based Audit Approach
Better Knowledge of the Business
Better, More Timely Information on Risks
More Knowledge of the Impact of Risks on the Business
Better Awareness of What is Implementable
The Best Resources to Identify Risks are the Process Owners
-
17 PICPA Risk Based Audit Approach
Environment Risks
Exposures to fraud or money laundering activity
Unsafe working conditions resulting in accidents
Technology becoming obsolete
Process Risks
Adequate levels of inventory are not maintained
Inadequate resources, staffing or untimely staff changes
Information for Decision Making Risks
Poor or failure in communication
Pressure to meet expectations set by key holders
Sample Risks
-
18 PICPA Risk Based Audit Approach
Enterprise Risk Management Process
Assess business risks
Establish RM goals and objectives, and RM oversight structure
Develop common language
Develop RM strategies
Continuously improve RM process
Monitor RM process
-
19 PICPA Risk Based Audit Approach
ISO 31000 Risk Management Principles and Guidelines
-
20 PICPA Risk Based Audit Approach
Communicate and Consult
Risk Management Framework Comparison
ISO 31000 Risk Management Process for Managing Risk
The ERM Process
-
22 PICPA Risk Based Audit Approach
Survey Questionnaires Interviews
Brainstorming Sessions
Filtering Issues to Identify Business Risks
Developing a Common Risk
Language
Steps to Risk Identification
-
23 PICPA Risk Based Audit Approach
Risk Prioritization
Facilitate a risk assessment session with management
[Figure: Risk Map plotting Competitor Risk, Regulatory Risk, Technology Risk, Product/Service Failure, Business Interruption Risk, Customer Satisfaction, Human Resources, Customer Wants, Capacity Risk, Credit Default Risk and Partnering Risk]
-
24 PICPA Risk Based Audit Approach
Sample Consideration in Determining the Significance of the Risk
If the risk happens, how significant will the impact be to the company's business?
-
25 PICPA Risk Based Audit Approach
Sample Consideration in Determining the Likelihood of the Risk
What is the probability of the risk happening over the next 5 years (without us consciously doing something to manage the risk)?
-
26 PICPA Risk Based Audit Approach
Identification of Risks for Audit Focus
[Figure: Risk Map plotting Competitor Risk, Regulatory Risk, Technology Risk, Product/Service Failure, Business Interruption Risk, Customer Satisfaction, Human Resources, Customer Wants, Capacity Risk, Credit Default Risk and Partnering Risk, with a region marked RISKS FOR AUDIT FOCUS]
Identify risks for audit focus
Agree with management on risks to be covered by internal audit
-
28 PICPA Risk Based Audit Approach
Relevant Regulatory Developments & Impact
The regulatory environment continues to evolve and gain maturity
Specific Regulations
Philippine Corporations:
SEC MC 6, 2009 SEC Revised Code of Corporate Governance
SEC MC 2, 2002 Code of Corporate Governance
2010 PSE Corporate Governance Guidelines for Listed Companies
Global Regulations:
USA: SOX 404
Japan: J-Sox
Basel II
Others
Primary Objectives
Increased investors' trust
Increased management responsibility and accountability
Increased transparency
Reduce number of financial surprises and related business failures
More reliable financial reporting
-
29 PICPA Risk Based Audit Approach
Corporate Governance Framework
Corporate governance is the system, including objectives, rules and procedures, by which business corporations are directed and controlled.
or simply
It is about doing the right things for the shareholders and stakeholders in a business.
-
30 PICPA Risk Based Audit Approach
PSE Memorandum
PSE Memorandum No. 2010-0574
PSE Guidelines for a Well-governed Company
1. Develops and executes a sound business strategy.
2. Establishes a well-structured and functioning board.
3. Maintains a robust internal audit and control system.
4. Recognizes and manages enterprise risks.
5. Ensures the integrity of its financial reports as well as its external auditing function.
6. Respects and protects the rights of its shareholders, particularly those that belong to the minority or non-controlling group.
7. Adopts and implements an internationally-accepted disclosure and transparency regime.
8. Respects and protects the rights and interests of its employees, community, environment, and other stakeholders.
9. Does not engage in abusive related-party transactions and insider trading.
10. Develops and nurtures a culture of ethics, compliance & enforcement.
Source: The Philippine Stock Exchange Official Website
-
31 PICPA Risk Based Audit Approach
PSE Memorandum best practices
4. Recognizes and manages enterprise risks.
An Enterprise-wide Risk Management system should be in place and properly functioning in a transparent manner.
Have board oversight
Seek external support
Disclose risk information and how these are managed
Establish risk management unit
Prepare formal risk management policy
Have ERM activities in accordance with internationally recognized frameworks
-
33 PICPA Risk Based Audit Approach
ACTIVITY 1: SUPERMARKET RISKS & CONTROLS
-
34 PICPA Risk Based Audit Approach
Supermarket Risk & Control
Purpose:
To identify the key business risks and the related controls of a supermarket
Case Facts:
ABC Supermarket is a large, leading supermarket that offers almost everything you need. This particular supermarket is a part of a large chain of supermarkets that includes approximately 30 supermarkets in total.
Instructions:
Review the supermarket lay-out on the following page
Identify the related risks and controls that will mitigate the key risks identified
Be prepared to discuss your answers with the group
-
35 PICPA Risk Based Audit Approach
Supermarket Risk & Control
[Figure: supermarket lay-out. Labelled areas: Toiletries, Cosmetics, Snacks, Household Consumables, Canned Goods, International Goods, Wet Goods, Dairies / Cold Drinks, Fruits / Vegetables, Fresh Produce, Drinks, Books and Magazines, Stockroom, Restrooms, Manager's Office, Customer Service, Stall #1 to Stall #4, Package Counter, Counter #1 to Counter #3, Entrance/Exit]
-
36 PICPA Risk Based Audit Approach
Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.
Internal Control - Defined
Understanding the concepts of internal control
Source: COSO Internal Control Integrated Framework 2013
-
37 PICPA Risk Based Audit Approach
Understanding the concepts of internal control
Process
A planned series of steps, activities and actions designed to yield a predictable and desired outcome.
[Figure: flowchart of a general ledger journal process. Labels: Start, Enter/Fix GL Journal, Submit Journal for Approval, Approved?, Post Journal, JE Saved to Database, Review Ledger Report, End]
-
38 PICPA Risk Based Audit Approach
Establish control mechanisms
Work within the established control mechanisms
Make control mechanisms succeed or fail
People
Understanding the concepts of internal control
-
39 PICPA Risk Based Audit Approach
100%
Reasonable Assurance
Understanding the concepts of internal control
-
40 PICPA Risk Based Audit Approach
INTERNAL ACCOUNTING
CONTROL
BUSINESS CONTROLS
Internal Controls Shift in view
-
41 PICPA Risk Based Audit Approach
Internal Controls - Shift in view
Myth: Controls are documented.
Reality: The best control is the culture created by management.
Myth: Controls are a necessary evil.
Reality: Controls are actions taken by management to help the company achieve its objectives.
Myth: Controls are the responsibility of the auditors.
Reality: Controls are the responsibility of management. The auditor's role is to assess the adequacy and effectiveness of the company's overall internal control system.
Myth: As we streamline and empower, we relinquish control.
Reality: As we streamline and empower, we apply different forms of control.
-
42 PICPA Risk Based Audit Approach
Redefining the Controls focus
OLD PARADIGM
Only auditors are concerned about risk and controls
Fragmentation
No risk policy
Inspect, detect, react
Only hard tangible controls are evaluated
NEW PARADIGM
Everyone is concerned about risk and controls
Focused and coordinated
Formal risk policy
Anticipate, prevent, monitor
Both hard tangible and soft intangible controls must be evaluated
-
44 PICPA Risk Based Audit Approach
Overview of internal control
Internal control is:
Geared to the achievement of objectives: In one or more categories - operations, compliance and reporting
A process consisting of ongoing tasks and activities: A means to an end, not an end in itself
Effected by people: Not merely about policy and procedures manuals, systems and forms but about people and the actions they take
Able to provide reasonable assurance: But not absolute assurance, to an entity's senior management and board of directors
Adaptable to the entity structure: Flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process
Source: COSO IC-IF 2013 (Committee of Sponsoring Organizations of the Treadway Commission Internal Control - Integrated Framework 2013)
-
45 PICPA Risk Based Audit Approach
Types of controls
Preventive controls
Per COSO IC-IF 2013: Designed to avoid an unintended event or result at the time of initial occurrence.
In layman's terms: Designed to prevent or mitigate something from going wrong so that an error and/or irregularity can be avoided.
Examples:
Authorization of payments prior to processing
Customer credit limit checks
Restricting user access to IT systems
Advance approval of supervisor before overtime occurs
Completion of checklist for updating the master data
-
46 PICPA Risk Based Audit Approach
Types of controls
Detective controls
Per COSO IC-IF 2013: Designed to discover an unintended event or result after the initial processing has occurred but before the ultimate objective has concluded.
In layman's terms: Designed to detect and correct in a timely manner an error or irregularity that would materially affect the achievement of the Company's objectives.
Examples:
General ledger to subsidiary ledger reconciliations
Budget vs. actual comparisons
Review of exception reports
Quality inspection
-
47 PICPA Risk Based Audit Approach
Nature of controls
Manual
Performed by individuals outside of the system or application
Examples:
Independent review of general ledger reconciliations
Manual authorization of employee expense reports
Automated
Performed by a system or incorporated into an application logic
Examples:
Automated three-way match (e.g., purchase order vs. invoice vs. delivery receipt)
Data input validation checks (e.g., valid country code)
Restricted user access (e.g., username and password)
IT-dependent manual
Both manual and IT output are combined
Relies on system generated information or functionality for its effectiveness
Examples:
Review and follow-up of exceptions on a payroll exception report
System-generated sales orders that require manual approval from the controller
-
48 PICPA Risk Based Audit Approach
Frequency of controls
Firewall
Review of general ledger reconciliations
Ad hoc / As required
Annually
Review of accounting policies
Authorization of back pay to employees
Quarterly
Monthly
Ongoing
3-way match Daily/multiple times per day
Review of user access to IT systems
-
49 PICPA Risk Based Audit Approach
COSO'S INTERNAL CONTROL PUBLICATIONS - COSO IC-IF 2013 at a glance
2014 2015 15 Dec 2014 Old framework will be superseded by new framework
1992 2006 2009 2013
Transition period Full implementation period
-
50 PICPA Risk Based Audit Approach
WHAT IS COSO IC-IF 2013?
1992 Internal Control - Integrated Framework
Gained broad public acceptance; widely recognized as the leading framework
Responded to dramatic changes in business and operating environments
Underwent a significant multiyear update project in 2010
COSO Internal Control - Integrated Framework 2013
*COSO IC-IF 2013: Committee of Sponsoring Organizations of the Treadway Commission Internal Control - Integrated Framework 2013
-
51 PICPA Risk Based Audit Approach
Reasons for updating COSO IC-IF 1992
Changes in Business and Operating Environments:
Demands and complexities in laws, rules, regulations, and standards
Expectations relating to preventing and detecting fraud
Changes and greater complexities of business
Use of, and reliance on, evolving technologies
Globalization of markets and operations
Expectations for governance and oversight
Expectations for competencies and accountabilities
-
52 PICPA Risk Based Audit Approach
KEY AREAS PER COSO IC-IF 2013
Components and Principles
Component 1. Control Environment
1. Organization demonstrates commitment to integrity and ethical values
2. Board of directors demonstrates independence from management and exercises oversight responsibility
3. Management, with board oversight, establishes structure, authority and responsibility
4. The organization demonstrates commitment to competence
5. The organization establishes accountability
Component 2. Risk Assessment
6. Specifies relevant objectives with sufficient clarity to enable identification of risks
7. Identifies and assesses risk
8. Considers the potential for fraud in assessing risk
9. Identifies and assesses significant change that could impact system of internal control
Component 3. Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys control activities through policies and procedures
Component 4. Information & Communication
13. Obtains or generates relevant, quality information
14. Communicates internally
15. Communicates externally
Component 5. Monitoring
16. Selects, develops and performs ongoing and separate evaluations
17. Evaluates and communicates deficiencies in a timely manner
-
54 PICPA Risk Based Audit Approach
DOCUMENT
RBPF framework
MONITOR DELIVER PLAN ASSESS UNDERSTAND
QUALITY ASSURANCE
Co-develop expectations
Understand the organization
Assess the risks Develop annual plan
Perform the engagement
Communicate the result
Monitor the progress
Communicate the result
Supervise the engagement Quality and improvement program
-
55 PICPA Risk Based Audit Approach
RBPF framework
1. Communicate the value of IA
2. Understand and agree the expectations of the stakeholders
-
56 PICPA Risk Based Audit Approach
RBPF framework
1. Understand organization strategy and objectives
2. Understand business environment
3. Understand relevant processes
4. Understand control environment
-
57 PICPA Risk Based Audit Approach
To focus audit priorities on important aspects of the business
To identify business risks
To be able to make recommendations that focus on the elements critical to the Company's business
Why do we need to understand the business organization?
-
58 PICPA Risk Based Audit Approach
1. Understand organization strategy & objectives
1. Revisit: Mission, Vision, Values, Mandates, Strategy, Charter, Manuals, Policies, Procedures
The purpose of this activity is to:
have a preliminary understanding of the strategic goals and the corresponding risks that the organization might be facing
identify and clarify the imposed regulations of the organization to properly serve the stakeholders
2. Set expectations meeting with stakeholders to align their needs to the annual internal audit plan as well as communicate to them the internal audit functions.
-
59 PICPA Risk Based Audit Approach
A process is a group of logically related activities that transform inputs into outputs. The process owner is a person who is responsible for the process.
3. Understand relevant processes
-
60 PICPA Risk Based Audit Approach
3. Understand relevant processes
Why do we need to understand the business processes?
To enhance our understanding of the business by seeing it similar to how management does.
Identify processes where inherent business risks can be sourced.
To assist the IA function in designing an effective and efficient audit plan.
-
61 PICPA Risk Based Audit Approach
But how?
Meet with management to confirm or gain an understanding of the key processes and sub-processes
Understand the objectives and key performance measures for the process
Consider the complexity of the IT environment supporting the process
3. Understand relevant processes
-
62 PICPA Risk Based Audit Approach
3. Understand relevant processes - Process hierarchy
Mega process: highest level of processes; purpose relates to accomplishment of the overall mission of the business
Major process: subdivision of a mega process; represents a collection of sub-processes
Sub-process: subdivision of a major process; represents a collection of activities
Activity: unit of work performed by one job function and at one time with one mode of operation at the same location
-
63 PICPA Risk Based Audit Approach
3. Understand relevant processes
MEGA Processes: Gain new business, Manufacturing, Marketing and Advertising, Procurement, Distribution, Finance and Accounting
MAJOR Processes: Accounts Receivable, Accounts Payable, Payroll, Budgeting and Financial Reporting
SUB-processes: Recording receivables, Managing aging of receivables, Managing collection of receivables
ACTIVITY: Process customer receipts, Follow-up customer overdue debt
SAMPLE ONLY
-
64 PICPA Risk Based Audit Approach
3. Understand relevant processes Universal process classification scheme
-
65 PICPA Risk Based Audit Approach
The control environment sets the tone of an organization, influencing the control consciousness of its people. The foundation for all other components of internal control.
1. Demonstrates commitment to integrity and ethical values
2. Board of Directors demonstrates independence from management and exercises oversight responsibility
3. Management, with Board oversight, establishes structure, authority and responsibility
4. The organization demonstrates commitment to competence
5. The organization establishes and enforces accountability
Control Environment
4. Understand the control environment
-
66 PICPA Risk Based Audit Approach
4. Understand the control environment
Component: Control Environment
Principle: Demonstrates commitment to integrity and ethical values
Approach/Point of Focus:
Establishing Standard of Conduct
Communicating and reinforcing the accountability for responsible conduct for all personnel
Example Activity:
Send Code of Conduct to all employees and third parties acting on behalf of the Company
Post Code of Conduct to the Company's website
Require all employees to complete periodic interactive web-based training
-
67 PICPA Risk Based Audit Approach
RBPF framework
1. Identify risks
2. Prioritize risks
-
68 PICPA Risk Based Audit Approach
Risk self-assessment (RSA)
- is a structured process to identify and prioritize business risks within the company or a specific business process within the company.
Risk universe
Relevant risk
Identify the risks
Top risks
Risk profile
Prioritize the risk
Roadmap to assess the risks
-
69 PICPA Risk Based Audit Approach
Roadmap to assess the risks
Comparison of entity and process level RSA
RSA LEVEL PURPOSE
1. Entity level
Entails a comprehensive look at those business risks that affect the organization as a whole.
Assist management in the execution of their overall risk management process.
Develop a common language for understanding risks within the organization.
Drive the development of the annual risk based IA plan.
2. Process level
Entails a comprehensive look at those risks that affect one specific process.
Focus the efforts of the IA procedures within a specific process audit.
Ensure that process owner concerns were considered in developing the audit plan.
-
70 PICPA Risk Based Audit Approach
1. Identify risks
In identifying risks, consider relevant information gathered from the Understand the Business and Control Environment part of the methodology:
Business Analysis Framework (BAF) Organizational Control Assessment Customized Process Classification Scheme
OUTPUT:
Risk universe
Relevant risks
On-line, interactive questionnaires (surveys)
Facilitated meetings, with voting technology
Facilitated meetings
Questionnaires Interviews
Transform inputs into output
-
71 PICPA Risk Based Audit Approach
1. Identify risks
Risk Universe (Pre-work)
-
72 PICPA Risk Based Audit Approach
2. Prioritize risks
Criteria 1. Severity of impact
If the risk happens, how much will it affect the company?
2. Likelihood of occurrence and frequency
How likely is the risk to happen?
3. Opportunity for Risk Management Improvement (ORMI)
Is there room for the company to improve on its existing risk management strategies/controls?
-
73 PICPA Risk Based Audit Approach
2. Prioritize risks
Initial Risk Profile
Most Critical Risks
Initial Risk Universe
Risk Universe (Pre-work)
-
74 PICPA Risk Based Audit Approach
RBPF framework
1. Identify and validate audit universe
2. Prioritize auditable areas
3. Identify resource requirements
4. Obtain approval
-
75 PICPA Risk Based Audit Approach
Road map to develop annual plan
PROCESS: Identify and validate audit universe
INPUT: Risk universe, Process universe, Location universe
OUTPUT: Validated audit universe
PROCESS: Prioritize auditable areas
INPUT: Date and results of last audit, Request by Management, Other considerations
OUTPUT: Prioritized auditable areas
PROCESS: Identify resource requirements
INPUT: Available resources
OUTPUT: Draft audit plan
PROCESS: Obtain approval
INPUT: Draft audit plan
OUTPUT: Approved audit plan
-
76 PICPA Risk Based Audit Approach
1. Identify and validate audit universe
PROCESS: Identify and validate audit universe
INPUT: Risk universe, Process universe, Location universe
OUTPUT: Validated audit universe
Audit Universe refers to risks and processes that could be targeted for the audit. Risks and processes may also be organized and referred to by locations.
1. Obtain different universe (e.g., risk universe, process universe and location universe) from stakeholders.
2. Map the risks in the processes.
3. Identify the location of the processes.
4. Present and validate audit universe to IA function, management and oversight committee.
-
77 PICPA Risk Based Audit Approach
1. Obtain different universe such as: a. Risk universe b. Process universe c. Location universe
Management, IA and
committee risk universe
Business units risk universe
Enterprise risk management
risk universe
Risk universe could be originated from entity level perspective down to business unit level.
1. Identify and validate audit universe
a. Sample Risk universe
-
78 PICPA Risk Based Audit Approach
1. Identify and validate audit universe
1. Obtain different universe such as: a. Risk universe b. Process universe c. Location universe
Process universe is the list of processes within the Company that will be subjected for audit of IA function while location universe is the list of all the locations of the Company such as head office, regional office and international office.
b. Sample Process universe
1. Head office
2. Satellite or regional office
3. International office
c. Sample Location universe
-
79 PICPA Risk Based Audit Approach
1. Identify and validate audit universe
2. Map the risks in the processes
Using the process universe, identify what are the risks associated to that specific process. Risks could be existing or emerging, internal or external and tangible or intangible. Note that not all risks are auditable.
Risk columns, in order: Regulatory, Political, Contract compliance, Fraud, Planning and budgeting
Process/Auditable areas (rows):
Sales and marketing x x x x
Customer service x
Project development x x
Human resource x
SAMPLE ONLY
-
80 PICPA Risk Based Audit Approach
1. Identify and validate audit universe
3. Identify the location of the processes.
Determine if the processes are existing in the different locations of the Company.
Risk columns, in order: Regulatory, Political, Contract compliance, Fraud, Planning and budgeting
Location columns, in order: Head office, Regional or satellite office, International office
Process/Auditable areas (rows):
Sales and marketing x x x x x x x
Customer service x x
Project development x x x
Human resource x x x
SAMPLE ONLY
4. Present and validate audit universe to different business units, management and oversight committee.
-
81 PICPA Risk Based Audit Approach
2. Prioritize auditable areas
Prioritize auditable areas
INPUT PROCESS OUTPUT
Date and results of last audit
Request by Management Other considerations
Prioritized auditable areas
The criteria for prioritizing the auditable areas may include, but are not limited to, the following:
Number and criticality of risks
Number and complexity of the location
Date and results of last audit
Financial exposure
Request by Management
Major changes in operations
Business complexity
Probability that major improvement for the auditable area is needed
-
82 PICPA Risk Based Audit Approach
Legend:
H - High C - Complex CD - Cannot determine
M - Medium SC - Semi-complex
L - Low NC - Not complex
Note:
- Financial exposure may be based on the previous year's record
SAMPLE ONLY
Process\Auditable areas
Risk: Regulatory; Political; Contract compliance; Fraud; Planning and budgeting
Location: Head office; Regional or satellite office; International office
Other consideration: Number and criticality of risks; Number and complexity of the location; Date and results of last audit; Financial exposure (in Php); Request by management; ERM top risk; Major change in the operation
Priority: Priority; Not priority
Sales and marketing x x x x x x x 4 (H) 3 (C) 2012 2 B Yes Yes Yes x
Customer service x x 1 (M) 1 (C) 2010 2 B No No Yes x
Project development x x x 2 (H) 1 (C) None 1B Yes Yes Yes x
Human resource x x x 1 (H) 2 (SC) 2007 CD No No No x
2. Prioritize auditable areas
-
83 PICPA Risk Based Audit Approach
3. Identify resource requirements
Identify resource requirements
INPUT PROCESS OUTPUT
Available resources Draft audit plan
In determining the resource requirement of the engagements, IA function may consider the following:
1. Determine the initial type of engagement.
2. Identify the man hours needed to complete the engagement.
3. Check the skill requirements of the engagement.
4. Decide right mix to perform the engagement.
-
84 PICPA Risk Based Audit Approach
3. Identify resource requirements
1. Determine the initial type of engagement
Depending on the risk involved, IA shall assess the initial type of engagement to be performed in the corresponding processes and functions involved. IA may perform one or a combination of the following:
a) Compliance evaluation: A review to determine the compliance of the concerned business unit with the policies and procedures, including their contents.
b) Performance evaluation: This evaluation pertains to the assessment of the performance of personnel and/or third parties (e.g., contracts review).
c) Controls assessment: An assessment with the objective of determining the effectiveness of the control design and its operating application.
-
85 PICPA Risk Based Audit Approach
2. Identify the man hours needed to complete the engagement
Timeframe of the engagement may depend on the following:
Initial type of engagement
Previous experience
Known changes (e.g., process owners, process, system)
Process\Auditable areas
Risk: Regulatory; Political; Contract compliance; Fraud; Planning and budgeting
Location: Head office; Regional or satellite office; International office
Other consideration: Number and criticality of risks; Number and complexity of the location; Date and results of last audit; Financial exposure (in Php); Request by management; ERM top risk; Major change in the operation
Priority: Priority; Not priority
Type of engagement: Compliance evaluation; Performance evaluation; Controls assessment
Man hours needed
Sales and marketing x x x x x x x 4 (H) 3 (C) 2012 2 B Yes Yes Yes x x 480 hours
Customer service x x 1 (M) 1 (C) 2010 2 B No No Yes x x 240 hours
Project development x x x 2 (H) 1 (C) None 1B Yes Yes Yes x x x 600 hours
Human resource x x x 1 (H) 2 (SC) 2007 CD No No No x x 160 hours
SAMPLE ONLY
3. Identify resource requirements
-
86 PICPA Risk Based Audit Approach
3. Identify resource requirements
3. Check the skill requirements of the engagement
Skill set is critical in planning the engagement. It will depend on the initial type of the engagement including its scope and objective. Some of the considerations are as follows:
Facilitation skills
Risk management skills
Communication and change management skills
Industry knowledge
Process skills
Knowledge of regulations affecting the organization
Understanding of information technology risks and processes
Effective presentation and report preparation
Operations skills
Financial or accounting skills
-
87 PICPA Risk Based Audit Approach
Process\Auditable areas
Risk: Regulatory; Political; Contract compliance; Fraud; Planning and budgeting
Location: Head office; Regional or satellite office; International office
Other consideration: Number and criticality of risks; Number and complexity of the location; Date and results of last audit; Financial exposure; Request by management; ERM top risk; Major change in the operation
Priority: Priority; Not priority
Type of engagement: Compliance evaluation; Performance evaluation; Controls assessment
Man hours needed
Skills requirement: Skill set required
Sales and marketing x x x x x x x 4 (H) 3 (C) 2012 2 B Yes Yes Yes x x 480 hours Auditor II (200) Fraud Auditor (280)
Customer service x x 1 (M) 1 (C) 2010 2 B No No Yes x x 240 hours Auditor I (120) Auditor II (120)
Project development x x x 2 (H) 1 (C) None 1B Yes Yes Yes x x x 600 hours Auditor III (350) Engineer (250)
Human resource x x x 1 (H) 2 (SC) 2007 CD No No No x x 160 hours Auditor I (80) Auditor II (80)
Total man hours for Auditor III: 1800 hours
Total man hours for Auditor II: 2000 hours
SAMPLE ONLY
3. Identify resource requirements
Note that some skills are not readily available within the IA function. Hence, IA may consider outsourcing those skills to external or internal parties.
Outsource
-
88 PICPA Risk Based Audit Approach
4. Obtain approval
Obtain approval
INPUT PROCESS OUTPUT
Draft audit plan Approved audit plan
Ensure audit plan documentation is complete, accurate and reviewed by CAE.
Identify all approvals (e.g., Audit Committee, Board) necessary to confirm audit plan.
Set up meeting to present audit plan:
Audit Committee Head or equivalent
Oversight Committee or similar committee
-
89 PICPA Risk Based Audit Approach
DOCUMENT
RBPF framework
MONITOR DELIVER PLAN ASSESS UNDERSTAND
QUALITY ASSURANCE
Co-develop expectations
Understand the organization
Assess the risks Develop annual plan
Perform the engagement
Communicate the result
Monitor the progress
Communicate the result
Supervise the engagement Quality and improvement program
1. Understand the process
2. Assess risks in the process
3. Assess process performance and control gaps
4. Validate process measures and control
5. Identify root causes and solutions
-
90 PICPA Risk Based Audit Approach
1. Understand the process
Conduct opening meeting
Perform walk-through
Document the understanding of the process
Validate the understanding of the process
-
91 PICPA Risk Based Audit Approach
The opening meeting shall cover the following:
Background discussion
Engagement objectives and scope
Deliverables and timelines
Other matters
Conduct opening meeting
Perform walk-through
Document the understanding of the process
Validate the understanding of the process
1. Understand the process
-
92 PICPA Risk Based Audit Approach
1. Understand the process
Ask questions about (but not limited to):
What are the beginning and end points of the process?
Understand each task within the process
Key inputs and outputs of the process
Types and nature of controls
o Automated vs. manual
o Detective vs. preventive
o Specific, pervasive, and monitoring controls
Any history of problems with key controls or process areas in the past
Conduct opening meeting
Perform walk-through
Document the understanding of the process
Validate the understanding of the process
-
93 PICPA Risk Based Audit Approach
Tasks (but not limited to):
Select the appropriate process mapping tool:
o Process maps
o Narrative
Create a first draft of the process map
Identify the control points in the process
Be alert for process inefficiencies that could be the subject of the recommendations
Conduct opening meeting
Perform walk-through
Document the understanding of the process
Validate the understanding of the process
1. Understand the process
-
94 PICPA Risk Based Audit Approach
Tasks (but not limited to):
Validate the process with the auditee
Finalize the process map/narrative
Document any preliminary gaps identified at this point
Conduct opening meeting
Perform walk-through
Document the understanding of the process
Validate the understanding of the process
1. Understand the process
-
95 PICPA Risk Based Audit Approach
SAMPLE ONLY
PROCESS NAME: Credit and Collection
Sub-Process: Collection
[Process flowchart. Swimlanes: Customer; Cashier; Cashier Supervisor. Boxes and labels: Start; Pay the monthly rental; Cash; Yes; No; Accept the cash; Prepare official receipt; Official Receipt; Check; Payment through check; Wire Transfer; Payment through wire; At the end of the day; Match the cash and issued official receipts; Prepare remittance slip; Match the cash, remittance slip and official receipt issued; Deposit the cash; Deposit collection. Off-page connectors: Page 3; Page 6; Page 11.]
Prepared by: Juana dela Cruz
Version 1 (Page 1 of 20)
Sample output
-
96 PICPA Risk Based Audit Approach
2. Assess risks in the process
Risk details: Ref #; Process and/or financial reporting risk
Control details: Control ref #; Detailed control description; Frequency; Control nature; Control type; Control owner
Process: Credit and Collection
Sub-process: Collection
R.1.1 Cash collection is misappropriately used. X X
R.1.2 Cash collection is not deposited on time. X
SAMPLE ONLY
Identify the process level or transactional level risks
-
97 PICPA Risk Based Audit Approach
a. Identify the existing controls including relevant details (e.g., frequency, nature, type, owner, IT support application, critical reports) in the process
b. Map the existing controls in the risks initially identified
c. Determine if there is any risk without control or risk with excessive controls
d. Determine if the existing controls properly addressed the risks
e. Document the initial results of the design effectiveness testing
3. Assess process performance and control gaps
-
98 PICPA Risk Based Audit Approach
3. Assess process performance and control gaps
Risk details: Ref #; Process and/or financial reporting risk
Control details: Control ref #; Detailed control description; Frequency; Control nature; Control type; Control owner; Supporting IT applications; Critical reports
Process: Credit and Collection
Sub-process: Collection
R.1.1 Cash collection is misappropriated.
C.1.1 Upon preparation of official receipt, cash collection is automatically recorded in the book as collection.
Frequency: Event driven; Control nature: Preventive; Control type: Automated; Control owner: SAP; Supporting IT applications: SAP; Critical reports: Remittance slip
C.1.2 The Cashier Supervisor matches the cash, remittance slip and official receipt issued.
Frequency: Daily; Control nature: Detective; Control type: IT-dependent; Control owner: Cashier Supervisor; Supporting IT applications: None; Critical reports: None
R.1.2 Cash collection is not deposited on time.
C.1.3 Cashier deposits the cash collection when she's not busy.
Frequency: Event driven; Control nature: Preventive; Control type: Manual; Control owner: Cashier; Supporting IT applications: None; Critical reports: Remittance slip, Deposit slip
SAMPLE ONLY
Control might not be sufficient to mitigate the risk. IA function should check if there is any compensating control in the process.
-
99 PICPA Risk Based Audit Approach
4. Validate process measures and controls
Prepare detailed test procedures and request samples to be tested
Perform testing
Identify gaps in the operating effectiveness of controls
-
100 PICPA Risk Based Audit Approach
4. Validate process measures and controls
Control details: Control ref #; Detailed control description
Testing information: Test procedures; Test sample; Test result
Process: Credit and Collection
Sub-process: Collection
C.1.1 Upon preparation of official receipt, cash collection is automatically recorded in the book as collection.
Test procedures:
1. Try to prepare dummy official receipt (or observe actual official receipt) in the system.
2. Determine if such is automatically recorded in the book as cash collection
Test sample: Test of 1
Test result: The system automatically captured the prepared official receipt upon its preparation. No exceptions noted.
C.1.2 The Cashier Supervisor matches the cash, remittance slip and official receipt issued.
Test procedures:
1. Obtain the list of remittance slip from the system during the covered period.
2. Select 25 samples to be tested.
3. Request the supporting hard copy remittance slip, official receipt issued and other supporting documents.
4. Check if the Cashier Supervisor reviewed the selected samples.
5. Determine if the details in the system-generated remittance slip matched against the hard copy remittance slip and official receipt.
6. Perform some footing and cross-footing.
7. Further match the system-generated remittance slip with the deposit slip.
8. Document the gaps noted.
Test sample: 25 transactions
Test result: There is noted discrepancy between the system-generated remittance slip and deposit slip:
Total cash collection in 8 July 2013:
Per remittance slip Php 8,700,909.00
Per deposit slip 7,001,500.00
Difference Php 1,699,409.00
Further, no bank reconciliation is being performed.
C.1.3 Cashier deposits the cash collection when she's not busy.
Test procedures: No testing will be performed
Test result: There is no specific date or timeline to deposit the cash collection in the bank.
SAMPLE ONLY
-
101 PICPA Risk Based Audit Approach
5. Identify root causes and solutions
We determine the root causes of control or compliance or performance gaps:
To determine which root causes have the greatest negative impact on a process or control and where to focus efforts to minimize or eliminate gaps.
To develop implemental solutions that will minimize or eliminate the identified control gaps or compliance
[Fishbone diagram: root-cause categories Process, Policies and procedures, People, Oversight and IT, leading to the control or compliance or performance gap]
-
102 PICPA Risk Based Audit Approach
5. Identify root causes and solutions
1. a. Cashier has an opportunity to edit the remittance slip when generated.
1. b. System-generated remittance slip is editable upon generation.
2. a. There is no process to review or match if the system-generated remittance slip matched against the deposit slip.
2. b. There is no assigned personnel to review or match if the system-generated remittance slip matched against the deposit slip.
2. c. Matching of remittance slip against the deposit slip is not documented in the process.
SAMPLE ONLY
[Fishbone diagram: root-cause categories Process, Policies and procedures, People, Oversight and IT, leading to the control or compliance or performance gap]
-
103 PICPA Risk Based Audit Approach
DOCUMENT
RBPF framework
1. Provide recommendation and agree action plan
2. Conduct closing meeting
3. Issue final report
-
104 PICPA Risk Based Audit Approach
Recommendation may be based on the following:
Root causes identified
Leading practice
Test result:
There is noted discrepancy between the system-generated remittance slip and deposit slip:
Total cash collection in 8 July 2013
Remittance slip Php 8,700,909.00
Per deposit slip 7,001,500.00
Difference Php 1,699,409.00
Further, no bank reconciliation is being performed.
Root cause:
1. a. Cashier has an opportunity to edit the remittance slip when generated from the system.
1. b. System-generated remittance slip is editable upon generation.
2. a. There is no process to review or match if the system-generated remittance slip matched against the deposit slip.
2. b. There is no assigned personnel to review or match if the system-generated remittance slip matched against the deposit slip.
2. c. Matching of remittance slip against the deposit slip is not documented in the process.
Recommendation:
1. The IT or system developer should revisit the program in the system to make the reports non-editable upon generation from the system.
2. The concerned management should consider putting additional control in the process. An independent personnel from custody and recording of cash collection should review if the recorded cash collection in the system matches against the deposit slip and ultimately in the bank account. This control may be part of the bank reconciliation process.
SAMPLE ONLY
Communicate results
-
105 PICPA Risk Based Audit Approach
Audit observations are discussed with auditee as they are identified.
Co-develop recommendations - team approach.
Where significant, a closing meeting may be held.
Communicating results is formalized through audit reports:
o Objective and factual
o Contains observations, conclusion, recommendations, and auditee's response
o Reviewed and approved by the CAE
Final audit report is issued to the auditee, senior management, the Executive Office, and the Audit Committee.
Communicate results
-
106 PICPA Risk Based Audit Approach
DOCUMENT
RBPF framework
1. Validate the implementation of action plan
2. Issue monitoring report
-
107 PICPA Risk Based Audit Approach
DOCUMENT
RBPF framework
Document the result of:
Understanding
Assessing
Planning
Delivering
Monitoring
Quality assurance
-
108 PICPA Risk Based Audit Approach
DOCUMENT
RBPF framework
Review and supervise
Conduct internal assessment
Facilitate the conduct of external assessment
-
109 PICPA Risk Based Audit Approach
Risk Assessment - Concept
Relevant Regulatory Developments & Impact
Understanding Internal Control Concepts
Internal Control COSO Integrated Framework 2013
Risk Based Audit Approach:
Internal Audit
External Audit
Agenda
-
110 PICPA Risk Based Audit Approach
RBA framework
Strategic Planning and Risk Identification
Planning: Audit Planning and Risk Assessment
Delivery: Execution; Conclusion and Reporting
Monitoring (Quality Control System)
Note: Procedures for all audit services are integrated in all phases, except for the Execution phase.
-
111 PICPA Risk Based Audit Approach
RBA framework
STRATEGIC PLANNING AND RISK IDENTIFICATION
Activities:
Perform Risk Identification (RI)
o Develop/update the Business Risk Model (BRM)
o Identify risks
o Report the results of RI
Conduct Strategic Planning
-
112 PICPA Risk Based Audit Approach
RBA framework
PLANNING
Audit Planning and Risk Assessment
Activities:
Prepare Audit Work step
Understand the Business
Identify Significant Business Risks
o Update Business Risk Model
o Identify Business Risks
o Prioritize Significant Business Risks
Understand and Assess Business-level Controls
Understand the Process
o Identify Critical Path of the Processes
o Identify Process Risks
o Identify Impact
o Identify Existing Controls
Conduct Audit Risk Assessment and Planning
-
113 PICPA Risk Based Audit Approach
RBA framework
DELIVERY
Execution
Design Audit Tests
Execute Audit Tests
Evaluate Audit Results
Communicate Audit Results
CONCLUSION AND REPORTING
Summarize Audit Results
o Prepare summary of the results and conclusions of the audit
o Discuss results of different types of audit conducted
Prepare Audit Report
o Prepare Annual Audit Report
Wrap-up and Archive the Engagement
o Archive working papers/documentation of audit
Follow-up Action Plan
-
114 PICPA Risk Based Audit Approach
RBA framework
MONITORING
Monitoring (Quality Control System)
Activity:
Monitor quality control on audit services
-
115 PICPA Risk Based Audit Approach
RBA framework
Strategic Planning and Risk Identification
Perform Risk Identification
Conduct Strategic Planning
Planning: Planning and Audit Risk Assessment
Prepare Audit Work step
Understand the Business
Identify Significant Business Risks
Understand and Assess Business-level Controls
Understand the Process
Conduct Audit Risk Assessment and Planning
Delivery: Execution
Design Audit Tests
Execute Audit Tests
Evaluate Audit Results
Communicate Audit Results
Delivery: Conclusion and Reporting
Summarize Audit Results
Prepare Audit Report
Wrap-up and archive the engagement
Follow-up Action Plan
Monitoring
-
116 PICPA Risk Based Audit Approach
RBA Tools and Templates
Strategic Planning and Risk Identification
Form 01-01: Business Risk Model
Form 01-02: Business Risk Identification Template
Planning: Planning and Audit Risk Assessment
Form 02-01: Audit Work step
Form 02-02: Understanding the Business Template
Form 02-03: Business Risk Model
Form 02-04: Business Risk Identification Matrix
Form 02-05: Business-level Control Checklist
Form 02-06 Process-Risk-Control Matrix
Form 02-07 Audit Risk Assessment and Planning Tool
Delivery: Execution; Conclusion and Reporting
Form 03A-01: Audit Test Summary
Form 03B-01: Summary of Audit Results and Recommendations
Form 03B-02: Quality Inspection Tool
Form 03B-03 Action Plan
Form 03B-04 Action Plan Monitoring Tool
Monitoring
-
117 PICPA Risk Based Audit Approach
Audit services and RBA framework
Strategic Planning and Risk Identification
Planning: Audit Planning and Risk Assessment
Delivery: Execution; Conclusion and Reporting
Monitoring
Financial Compliance Fraud
Notes: Strategic Planning and Risk Identification is the integration point wherein the five audit services are considered. Other types of audit conducted are mentioned in audit reports and considered before rendering audit opinion. Comprehensive auditing is discussed in Phases 1 and 2. Although Fraud is given consideration, the full-length discussion is in the Fraud Audit Manual. The guidelines set forth in the Monitoring phase are applicable to comprehensive auditing.
-
118 PICPA Risk Based Audit Approach
RBA framework
-
119 PICPA Risk Based Audit Approach
Strategic Planning and Risk Identification
Risk Identification (RI)
o Develop/update the Business Risk Model
o Identify risks
o Report the results of Risk Identification
Conduct Strategic Planning
-
120 PICPA Risk Based Audit Approach
Risk Identification Process Flow
Identify Risks
Inputs:
Industry risks
Fraud and geographic risks
Technological changes
Global Trends
Knowledge and prior audit reports
Media releases and reporting
Linkage of risks to Departments:
Finance
Human Resource
Marketing
Purchasing
Accounting
-
121 PICPA Risk Based Audit Approach
SAMPLE Risk Identification Template
Columns: Business Objective; Key Risk (Risk Category, Risk Title, Risk Definition); Basis of Selection; Departments; Program / Activity / Project
Business Objective: Improve Financial Position - Create opportunities for non-traditional revenue streams
Risk Category: Strategic
Risk Title: Vision and Direction
Risk Definition: Failure to establish a vision and direction for major initiatives, including services, products and programs that will drive future growth. Failure to establish project acceptance criteria and adequately measure against the criteria.
Basis of Selection: Changes in management
Departments and Program / Activity / Project:
Purchasing: Centralization of Purchasing Functions
Finance: Proper reporting of financial records
-
122 PICPA Risk Based Audit Approach
Enterprise-wide Audit Risk Assessment
The report on the results of Risk Identification contains/documents:
RI Template
Minutes of the RI activity
Participants of RI
Report on the results of Risk Identification (RI)
The report shall be presented to the management and distributed to concerned departments.
-
123 PICPA Risk Based Audit Approach
Strategic Planning and Risk Identification
Risk Identification (RI)
o Develop/update the Business Risk Model
o Identify risks
o Report the results of Risk Identification
Conduct Strategic Planning
-
124 PICPA Risk Based Audit Approach
Linkage of strategic planning process with RBA
[Diagram labels: Company; Auditor; Annual Strategic Planning process; Risk Identification; Planning (Audit Planning and Risk Assessment); Risk Identification Template (RIT); Annual Strategic Planning; Strategic Action Plan (SAP); Departmental Plan (COP/ROP)]
-
125 PICPA Risk Based Audit Approach
RBA framework
-
126 PICPA Risk Based Audit Approach
Assess Audit Risk
Step 1: Assess Inherent Risk
Inherent risk:
The susceptibility of an assertion about a class of transactions, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.
Inherent Risk
Lower Higher
-
127 PICPA Risk Based Audit Approach
Assess Audit Risk
Factors that may affect our inherent risk assessment are as follows:
Susceptibility to material misstatement
Size and composition
Variations from expected amounts
Effects of external factors
Competence and experience of personnel
Degree of subjectivity
Completion of unusual/complex transactions at or near period-end
Transactions not subjected to routine processing
-
128 PICPA Risk Based Audit Approach
Assess Audit Risk
Step 2: Assess Preliminary Control Risk
Control risk:
The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the internal control.
Preliminary Control Risk
Rely Not Rely
-
129 PICPA Risk Based Audit Approach
Assess Audit Risk
Our preliminary assessment of control risk is based on the following:
Information we obtained from prior periods' engagements, if available
Results of our walkthrough in our understanding of the processes
-
130 PICPA Risk Based Audit Approach
Assess Audit Risk
Step 3: Make overall risk assessment
Inherent Risk Assessment | Control Risk Assessment: Rely | Control Risk Assessment: Not Rely
Higher | Low | High
Lower | Minimal | Moderate
-
131 PICPA Risk Based Audit Approach
Determine Audit Scope and Timing
Our audit scope defines the boundaries and limitations of our audit. We document our audit scope based on the results of our risk assessment.
In determining the timing of our audit tests (tests of controls and substantive tests), we shall consider auditors' other responsibilities such as, but not limited to:
Cash examinations to accountable officers
Request for relief of accountabilities
Issuance of disallowances
Pre-audit activities
-
132 PICPA Risk Based Audit Approach
Prepare Audit Risk Assessment and Planning Tool
The Audit Risk Assessment and Planning Tool will facilitate:
The documentation of the audit team's audit risk assessment.
The documentation of the audit strategies, scope and estimated timing which will guide the auditors in the development of the audit test procedures.
-
133 PICPA Risk Based Audit Approach
Prepare Audit Risk Assessment and Planning Tool
At a minimum, our Audit Risk Assessment and Planning Tool contains the following:
Our audit focus areas and our planned audit approach (nature and extent of audit procedures) including timing.
Our documentation of Professionals with specialized skills needed for the audit and the scope of work to be performed.
Our documentation of Other Material accounts to be subjected to High-level precision analytics.
-
134 PICPA Risk Based Audit Approach
Prepare Audit Risk Assessment and Planning Tool
We determine the overall audit risk assessment for each assertion of each significant account.
Based on the overall risk assessment, we determine the audit approach and our estimated timing for execution of the audit approach.
-
135 PICPA Risk Based Audit Approach
RBA framework
-
136 PICPA Risk Based Audit Approach
SAMPLE Test of Control Working Paper
-
137 PICPA Risk Based Audit Approach
Design Substantive Tests
Nature
We customize the test of details for significant accounts in accordance with our audit strategy outlined in our Audit Planning Memorandum
Extent
Minimal or Low: Less extensive tests of details
Moderate or High: More extensive test of details
Timing
Timing of our tests of details depends on the results of the risk assessment conducted in Phase 2
We may design the timing at interim dates.
-
138 PICPA Risk Based Audit Approach
Design Substantive Tests
Benefits of performing tests of details at interim dates:
Enable earlier identification of significant findings and issues
Allow more time to address and resolve significant findings and issues
Reduce work performed during year-end
Help to manage tight reporting deadlines
-
139 PICPA Risk Based Audit Approach
Design Substantive Tests
Timing Substantive Tests at Interim Dates
Risk Assessment: Timing
Minimal: Earlier in the reporting period (e.g., up to six months before the balance sheet date)
Low: During the later portion of the reporting period (e.g., up to three months before the balance sheet date)
Moderate or High: At or near the period end (e.g., up to one month before the balance sheet date)
-
140 PICPA Risk Based Audit Approach
Design Substantive Tests
Roll forward Considerations
When we design interim procedures, we also design roll forward procedures
Extent of roll forward procedures shall be customized depending on the roll forward period and risk assessment.
-
141 PICPA Risk Based Audit Approach
Design Substantive Tests
-
142 PICPA Risk Based Audit Approach
Execute Substantive Tests
Audit Evidence Considerations
Quality of audit evidence is affected by the relevance and reliability of the information upon which it is based.
Reliability of audit evidence is increased when:
o Obtained from independent sources outside
o The related controls imposed is effective
o Obtained directly
o Obtained in documentary form as opposed to those obtained orally
o It is in original form as opposed to evidence provided by photocopies or fax.
-
143 PICPA Risk Based Audit Approach
Execute Substantive Tests
Accounting Estimates
If our planned procedures include testing how management determined the accounting estimate, we evaluate whether:
The method of measurement used is appropriate in the circumstances (e.g., in relation to the operations, sector and environment), including management's rationale for selecting the method.
The assumptions used by management are reasonable in light of the measurement requirements of the applicable financial reporting framework, including the consistency of the assumptions with our understanding of management's intent and ability to carry out certain courses of action.
-
144 PICPA Risk Based Audit Approach
Execute Substantive Tests
External Confirmations
To ensure reliability, confirmation responses should be received by the auditors directly from the parties to whom the confirmations were sent.
Confirmation exceptions may be given for investigation after we establish control by making a copy or other record of the confirmation reply.
When we do not receive replies to confirmation requests, we apply alternative procedures to the non-responses to obtain the evidence necessary.
-
145 PICPA Risk Based Audit Approach
Evaluate Results of Audit Tests
Identification and accumulation of misstatements is one of our most important audit responsibilities and is critical in enabling us to formulate our audit opinion.
If we identify an intentional misstatement in the financial statements, we determine if this is an incident of fraud or represents non-compliance with applicable laws and regulations.
The matter is reported to the Supervising Auditor of the engagement and communicated to the appropriate level of management.
-
146 PICPA Risk Based Audit Approach
Communicate Audit Results
We discuss each audit finding with the appropriate level of management to confirm that our understanding of the nature and cause of the audit finding is factually correct.
If the company disagrees that there is an audit finding, or disputes the amount involved, we ask them to support their position by providing additional audit evidence.
If the evidence provided by the company does not support the company's position, we determine the effect on our audit opinion, which may include consulting with the Supervising Auditor.
Documentation: Audit Observation Memorandum
-
147 PICPA Risk Based Audit Approach
RBA framework
Strategic Planning and Risk Identification
Planning Delivery
Monitoring (Quality Control System)
Audit Planning and Risk Assessment
Execution
Conclusion and Reporting
-
148 PICPA Risk Based Audit Approach
Conclusion and Reporting
Summarize Audit Results
o Prepare summary of audit results and recommendations
o Discuss results of other types of audit conducted
Prepare Audit Report
o Prepare Annual Audit Report (AAR)
Wrap-up and archive the engagement
Follow-up Action Plan
-
150 PICPA Risk Based Audit Approach
Summarize audit results
Accumulated results are summarized at the end of the audit. Significant findings, issues and observations, including misstatements, are summarized and discussed with the company. The conclusion for each misstatement, finding, issue, and observation is documented. This serves as the basis for formulating the audit opinion in the audit report. The Summary of Audit Results and Recommendations (SARR) is presented on the next slide.
Discuss results of other types of audit conducted
Prepare summary of audit results and recommendations
-
151 PICPA Risk Based Audit Approach
Summary of Audit Results and Recommendations
Reference number for the audit findings
Document management's feedback
Supply the auditor's rejoinder on the management comments, if any
Indicate AOM No. and date issued
Document the observation noted, including the corresponding recommendation
-
152 PICPA Risk Based Audit Approach
Summary of Audit Results and Recommendations
Reference number for the audit findings
Summarize the unrecorded adjusting/classifying journal entries, including their amounts and effects on the financial statements
-
153 PICPA Risk Based Audit Approach
Summary of Audit Results and Recommendations
-
155 PICPA Risk Based Audit Approach
Prepare audit report
In reporting the results of the audit, the auditors prepare the following reports:
Audit opinion
Management Letter
-
157 PICPA Risk Based Audit Approach
Wrap-up and archive the engagement
Audit documentation shall be sufficient for an experienced auditor with no previous association with the audit to be able to understand the nature, timing, extent and results of the procedures performed, the evidence obtained and the conclusions reached.
Auditors shall use professional judgment in determining the nature and extent of the audit documentation. However, it shall be ensured that it is consistent with policies, professional standards and other legal and regulatory requirements.
-
159 PICPA Risk Based Audit Approach
Follow-up Action Plans
An effective monitoring system not only ensures the prompt and proper resolution of audit recommendations and the implementation of corrective action, but also ensures that a complete record of actions taken on observations and recommendations is maintained.
Audit Issue Database
An audit issue database may:
o Support in monitoring all issues and the subsequent action taken by the auditors during the audit.
o Guide during the assessment of the key risks of the business.
o Serve as reference in conducting an in-depth analysis on the relationships of issues among different departments.
-
160 PICPA Risk Based Audit Approach
Follow-up Action Plans
Benefits of Monitoring:
Assures the auditor that the benefit of work done is realized
Validates that the recommendations as implement