Internal Audit Services Standard Operating Policies and ... of the Philippines Ramon Magsaysay...
45
Republic of the Philippines Ramon Magsaysay Technological University Iba, Zambales Internal Audit Services Standard Operating Policies and Procedures Manual (IASSOPPM) October 2017
Transcript of Internal Audit Services Standard Operating Policies and ... of the Philippines Ramon Magsaysay...
Republic of the Philippines Ramon Magsaysay Technological University
Iba, Zambales
Internal Audit Services
Standard Operating Policies and Procedures Manual
(IASSOPPM)
October 2017
TABLE OF CONTENTS
RMTU At a Glance………………………………………………………………………......I
PREFACE………………………………………………………………………………...… II
1.0 Introduction…………………………………………………………………………........1
2.0 Internal Audit Services Charter
2.1 Purpose and Application……………………………………………………….….....2
2.2 Mandate……………………………………………………………………………...2
2.3 Mission………………………………………………………………………………2
2.4 Vision………………………………………………………………………………...2
2.5 Core Values…………………………………………………………….……...……..2
2.6 Objectives…………………………………………………………………...……….3
2.7 Responsibilities and Accountabilities………………………...……………………..3
2.8 Authority…………………………………………………………...………………..4
2.9 Auditees’ Responsibilities………………………………………...…………………4
2.10 Special Assignments………………………………………………...……………….5
2.11 Standards……………………………………………………………..……………...5
3.0 Personnel Management
3.1 Organizational Structure…………………………………………..………………..6
3.2 Conduct of Internal Audit………………………………………..…………………6
3.3 Standard Qualifications and Functions…………………………..…………………7
3.4 Training and Professional Development…………………………..……………….9
3.5 Personnel Performance Evaluation………………………………..………………..9
3.6 Personnel Recruitment and Transition…………………………..………………..10
4.0 The Audit Process
4.1 Overview and Conduct of the Audit Process………………..……………………..11
4.2 The Annual Audit Plan………………………………………….………………....12
4.3 Audit Engagement Planning………………………………………………..……...12
4.4 Audit Execution……………………………………………………..……………...16
4.5 Audit Reporting………………………………………………..…………………...19
4.6 Audit Follow-Up……………………………………………….…………………..22
4.7 Summary of Outstanding Recommendations………………….…………………..25
5.0 Workpapers
5.1 Qualities of Good Workpapers……………………………….……………………26
5.2 Retention…………………………………………………….……………………..26
5.3 Workpaper Techniques……………………………………………………………26
5.4 Types of Workpapers……………………………………….……………………...27
5.5 Workpaper Organization………………………………….……………………….28
5.6 Security and Control……………………………………….………………………28
6.0 IAS Management
6.1 Audit Monitoring…………………………………………….…………………….30
6.2 Time Reports………………………………………………………………………30
6.3 Progress Reports………………………………………………….………………..30
IASSOPPM
TABLE OF CONTENTS
6.4 Meetings………………………………………………….………………………...30
6.5 Decision-Making Procedures……………………………….……………………...30
6.6 Performance Evaluation………………………………………..…………………..31
6.7 Periodic Review of Policies and Procedures…………………..…………………...31
7.0 Glossary…………………………………………………………….…………………...32
8.0 Appendices………………………………………………………….…………………...38
Appendix 1 Annual Audit Plan (AAP)
Appendix 2 Audit Work Program (AWP)
Appendix 3 Risk and Control Matrix (RCM)
Appendix 4 Entry Conference (ENC)
Appendix 5 Exit Conference (EXC)
Appendix 6 Audit Finding Data Sheet (AFDS)
Appendix 7 Draft Audit Report (DAR)
Appendix 8 Final Audit Report (FAR)
Appendix 9 Summary of Outstanding Recommendations (SOR)
Appendix 10 Audit Monitoring Sheet (AMS)
Appendix 11 Flowchart Symbols
Appendix 12 Audit Process Flowchart (APF)
Appendix 13 Summary of Audit Process Flowchart (SAPF)
Appendix 14 Time Report (TR)
Appendix 15 Monthly Progress Report (MPR)
Appendix 16 Quarterly Return (QR)
Appendix 17 Evaluation of Internal Audit – Self Assessment
Appendix 18 Code of Ethics
Appendix 19 Evaluation of Internal Audit – Management
9.0 References……………………………………………………………...………………..58
List of Tables Table 1 Director/Head of Internal Audit………………………………………….7
Table 2 Internal Auditor…………………………………………………………...8
Table 3 Internal Auditing Assistant……………………………………………….9
Table 4 Contents of an Audit Plan……………………………...………………...15
List of Figures Figure 1 Audit Process Flow Diagram…………………………...………………..11
Figure 2 Audit Engagement Planning Flow Diagram…………...………………..13
Figure 3 Audit Execution Flow Diagram…………………………...……………..17
Figure 4 Audit Reporting Flow Diagram…………………………...……………..20
Figure 5 Audit Follow-Up Flow Diagram…………………………...……………23
IASSOPPM
RMTU At a Glance The Ramon Magsaysay Technological University, a merger of three public education
institutions in the province of Zambales, was established by Republic Act 8498 enacted on
February 12, 1998 through the initiative of Congressman Antonio M. Diaz. The University
Charter integrated the former Ramon Magsaysay Polytechnic College (RMPC) in Iba, the
Western Luzon Agricultural College (WLAC) in San Marcelino, and the Candelaria School
of Fisheries (CSF) in Candelaria. The strengths of its parent-institutions, which had existed
since the early 1900s, served as RMTU’s springboard for its accelerated growth and
development.
With a viable organizational structure, the institution transformed dramatically as it
accelerated the full integration of its component campuses. Through strong partnership with
the Provincial Government, DepEd and municipal governments, the University had
established LGU-subsidized satellite campuses in Masinloc, Castillejos, and Sta. Cruz in the
year 2002, 2003 and 2004, respectively. Faculty development and infrastructure build-up
were intensified. Degree programs increased from 12 to 64 in the last 10 years. Enrolment
expanded from 2,000 to more than 8,000 per semester over the same period. Massive
scholarships from various stakeholders attracted more and more students. Graduates
registered commendable performance in licensure examinations especially in electrical,
mechanical and civil engineering and other flagship programs. Major curricular programs
attained various accreditation levels and the University achieved an unprecedented Level III-
A status under the CHED-DBM-PASUC Leveling Scheme. The University was also included
among the top 30 higher education institutions (HEIs) recognized by the People’s Republic
of China, South Korea and other technology-oriented countries.
As of September 30, 2017, RMTU stands proud with its high-performing seven (7) campuses,
64 curricular offerings, 8,748 students, 757 strong faculty and staff, and viable international
linkages and consortium agreements.
IASSOPPM I
Preface
PREFACE
This Internal Audit Services Standard Operating Policies and Procedures Manual
(IASSOPPM) establishes the policies and procedures to be followed in the conduct of internal
audit. This manual aims at standardizing internal audit in terms of uniformity and consistency
across all the internal control units/departments/offices. The IASSOPPM has been prepared
in lined with the Philippine Government Internal Audit Manual (PGIAM) and the National
Guidelines on Internal Control Systems (NGICS), which are developed by the Philippine
Government. In addition, this manual shall be consistent with the International Standards
for the Professional Practice of Internal Auditing (ISPPIA), developed and maintained by the
Institute of Internal Auditors. Internal Auditors of the University must comply with the
provisions contained in this manual. This document consolidates and brings up-to-date
existing guidelines and supports the development of the internal auditing function in the
University.
I – Integrity
A – Assurance
S – Strategic Support
IASSOPPM II
Introduction
1.0 INTRODUCTION
Internal auditing is an independent, objective assurance and consulting activity designed to
add value and improve an organization’s operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance process. It is a strategic function
in ensuring good governance throughout the University.
The Internal Auditor in the Philippine Government has the fundamental role of assisting the
Governing Body/Audit Committee of the Governing Board in promoting effective, efficient,
ethical and economical (4Es) operations by appraising the adequacy of internal controls. The
findings on the appraisal of internal controls are provided to said officials/bodies to institute
corrective and preventive measures and achieve the agency objectives.
The role of the Internal Auditor is not about fault-finding, neither is it investigative nor
punitive. As a component of the performance management framework of RMTU, the Internal
Audit Services (IAS) assesses the levels of performance against agreed measures, targets and
objectives. The internal audit function is separate from, but complementary to, the day-to-
day monitoring of internal controls and the conduct of continual management improvement,
which are within the responsibility of operating units.
IAS shall be under the direct administrative supervision and control of the University
President, organized as an independent staff unit and shall correspondingly perform staff
functions. And shall be responsible for instituting and conducting a program of internal audit
for the University.
IASSOPPM 1
IAS Charter
2.0 INTERNAL AUDIT SERVICES CHARTER
2.1 Purpose and Application
The Internal Audit Services will apply cutting edge practices to support the University
in its quest to be a progressive learner centered Research University recognized in the
ASEAN Region.
This IASSOPPM is intended to provide the internal auditors with practical guidance,
tools and information for managing the internal audit activity and for planning,
conducting and reporting on internal auditing assurance engagements.
Users of the manual are expected to draw upon the information provided to form their
own judgments on the most suitable approaches to fulfilling the specific responsibilities
that they have been assigned in the context of continuously striving for the most effective
internal audit activity possible. If users encounter situations where they believe that the
guidance provided in the manual is in conflict with what they believe to be the most
effective approach, they should consult with more senior IAS officers.
This IASSOPPM is effective as of the date of approval.
2.2 Mandate
IAS is mandated to provide independent, objective assurance and consulting services
designed to add value and improve the RMTU’s system operations, internal control and
governance processes as a service to the University to assist it accomplish its goals and
objectives.
2.3 Mission
IAS shall assist RMTU Leadership in providing independent and objective information
analyses and counsel to achieve the highest quality services in education, research and
public services by promoting effective internal controls, transparency and accountability
with professionalism.
2.4 Vision
By 2020, the Internal Audit Services is a holistic value-added service to ensure operations
are managed ethically, effectively, efficiently and economically towards the attainment of
RMTU Vision.
2.5 Core Values
The Internal Auditors are expected to apply and uphold the following principles:
• INTEGRITY – We exhibit fairness, honesty and ethical behavior in our service to
the university.
IASSOPPM 2
IAS Charter
• OBJECTIVITY – We perform duties in an unbiased manner and make a balanced
assessment of all the relevant circumstances and are not unduly influenced by their
own interest or by others informing judgments.
• QUALITY – We provide accurate reports and timely, feasible, and relevant
recommendations.
• CONFIDENTIALITY - We respect the value and ownership of information we
receive and do not disclose information without appropriate authority unless there is
a legal or professional obligation to do so.
• COMPETENCY – We apply our professional knowledge, skills, and experience
needed in the performance of internal audit services.
2.6 Objectives
• Check the accuracy, reliability and integrity of applicable financial and performance
issues;
• Compliance with organization policies and procedures, laws, regulations or
guidelines;
• Ensure efficient, effective, ethical and economical operations; and
• Safeguarding of assets.
2.7 Responsibilities and Accountabilities
IAS takes place “after the fact” and covers a complete cycle of operations and is responsible
in performing duties in accordance with the PGIAM and the International Standards for
the Professional Practice of Internal Auditing (Standards). Any aspects of financial
auditing are conducted in accordance to Generally Accepted Accounting Principles
(GAAP) or any other standards adopted by any governing authority such as Government
Accounting Manual (GAM). At a minimum, IAS is charged up the following duties,
functions and responsibilities:
• Conduct management/operations performance audit of activities of the department
and their units and determine the degree of compliance with the mandate, policies, and
government regulations, establish objectives, systems and procedures/processes and
contractual obligations.
• Review and appraise systems and procedures, organization structure, practices,
records and performance standards.
• Verify and analyze management and operations data to ascertain if attendant must
generate data or reports that are complete, accurate and valid.
• Ascertain the reliability and integrity of information and the means used to identify,
measure, classify, and report such information.
• Ascertain the extent to which the assets and other resources of the University is
accounted for and safeguarded from losses of all kinds.
• Review and evaluate the soundness, adequacy and application of accounting financial
and management controls and promote the most effective control at reasonable cost.
IASSOPPM 3
IAS Charter
• Review operation or programs to ascertain whether or not such programs are being
carried out as planned.
• Evaluate the quality of performance of groups/individual is carrying-out their
assigned responsibilities.
• Perform functions of a protective nature, such as prevention and detection of fraud or
dishonesty, revision of cases involving misuse of agency property; and checking of
transactions with outside parties.
• Recommend realistic courses of action or operational deficiencies observed.
• Perform miscellaneous services, including special investigations and assistance to
outside contacts such as Commission on Audit.
• Report significant issues related to the processes for controlling its activities and
managing its risks in the areas set forth under the mission of work.
• Periodically provide information on the status and results of audit plan and the
sufficiency of departmental resources.
• Coordinate with and provide oversight of the control, and monitoring functions, risk
management, compliance, security, legal ethics, and environmental external audit.
• Establish appropriate policies and procedures to guide the internal audit function.
• Maintain a quality assurance and improvement program that covers all aspects of the
internal audit function.
• Advise/Report periodically to the University President on whether management ‘s
action plans have been implemented and whether the actions taken have been effective
2.8 Authority
The IAS’ activity with strict accountability for confidentiality and safeguarding records
and information is authorized full, free, and unrestricted access to any and all
departmental records, physical properties, and employees and has the right to obtain
information and explanations from departmental employees and contractors, subject to
applicable legislations.
We shall be authorized to allocate resources, set frequencies, select subjects, determine
scopes of work and apply the techniques required to accomplish audit objectives. We shall
consult to management on matters such as the design of business control systems, risk
management activities, and governance processes.
We shall participate as member of the Administrative Council and as members of other
committees, teams, boards, etc. provided such participation does not compromise or
appear to compromise the independence of IAS.
2.9 Auditees’ Responsibilities
• Treat Internal Audit Staff with respect and courtesy.
• Where applicable, execute their role faithfully and honestly.
• Respect the chain of command.
IASSOPPM 4
IAS Charter
• Respect the orderly execution of duties including queuing of job task in the internal
audit department.
• To submit their documents for consideration or required information in a timely
manner.
• Familiarize themselves with, and observe the financial regulations, public
procurement regulations and other relevant policies and guidelines applicable to the
public service in general and the University in particular.
• Respond faithfully to specific issues raised including audit queries.
2.10 Special Assignments
IAS Team may, upon request by any Department’s Officer, be assigned audit work on
Special Assignments that are in no way connected with the Annual Audit Plan. This may
be done provided approval is obtained from the IAS Director (IASD). After approval, the
internal auditor will be responsible for the audit assignment and he will report to the
IASD after completion of the assignment.
2.11 Standards
The internal audit function will be conducted in accordance with PGIAM, the NGICS,
the Institute of Internal Auditors’ ISPPIA, the International Organization of Supreme
Audit Institutions’ (INTOSAI) Guidelines for Internal Control Standards for the Public
Sector and the IASSOPPM. In the event of conflict with the International Standards for
the Professional Practice of Internal Audit, the PGIAM will prevail.
Prepared by: Date: _____________________________ ____________________ Rowena Buan-Yost, CPA IAS Director Approved by: Date: _____________________________ ____________________ Dr. Cornelio C. Garcia University President
IASSOPPM 5
Personnel Management
3.0 PERSONNEL MANAGEMENT
3.1 Organizational Structure
3.2 Conduct of Internal Audit
Pursuant to Sec. 2 of Administrative Order No. 70, Internal Audit shall be performed with
proficiency and due professional care in accordance with the following:
• The IAS shall ensure that the technical proficiency and educational background of
internal auditors are appropriate for the audit to be performed;
• Internal auditors shall possess/obtain the knowledge, skills and discipline needed to
carry out the audit responsibilities of the IAS;
• The IAS shall ensure that internal audits are properly supervised and performed with
due professional care;
• The IAS shall conduct the audit in conformity with International Standards for the
Professional Practice of Internal Auditing; and
• The Code of Ethics promulgated by the Association of Government Internal Auditors
(AGIA) shall be strictly observed to maintain high standards of honesty, objectivity,
diligence and loyalty.
IASSOPPM 6
BOARD OF REGENTS
UNIVERSITY PRESIDENT
DIRECTOR
Internal Audit Services
INTERNAL
AUDITOR
INTERNAL AUDITING
ASSISTANT
INTERNAL
AUDITOR
Personnel Management
3.3 Standard Qualifications and Functions
The table hereunder provides for the qualification standards and functions of each position
in the IAS. It reflects the minimum competency required in the areas of: a) Education, b)
Experience, c) Training, d) Eligibility and e) Functions that will enable auditors to
perform in a competent manner.
Table 1 - Director/Head of Internal Audit
Education Any of the following: Master’s Degree in Accounting, Public
Administration, Criminology, Information Technology (IT)/Computer
Science, and other related disciplines relevant to the
Department/Agency where he/she may be assigned; Bachelor’s Degree
in Law would be an advantage
Experience 4 years of relevant experience in one or a combination of the following:
Public Administration, Internal Auditing, Administrative or Criminal
Investigation, Forensics (e.g., Accounting, IT, International
Organization for Standardization (ISO) Management Systems, and
other related disciplines)
Training 40 hours of training in one or a combination of the following: Public
Administration, Internal Auditing, Administrative or Criminal
Investigation, Forensics, etc.
Skills • Intellectual, interpersonal, communication, and information
technology skills.
• Clear understanding of the internal audit’s contribution to effective
governance;
• Ability to develop plans and programs to contribute to the
achievement of mandated objectives;
• Strong management acumen and the ability to anticipate and assess
management control;
• Ability to build a strong network and credibility with the Head of
Agency and senior management; and
• Consistent observance of ethical principles
Eligibility Any of the following: CESO III; CESO III and Lawyer or CESO III
and CPA- Lawyer would be an advantage; Career Service
(Professional)/Secondary Level Eligibility, preferably BAR/CPA, (RA
1080 or both Lawyer and CPA)
Functions Administrative Functions:
1. Submits work and financial plan;
2. Submits annual procurement report;
3. Submits accomplishment reports; and
4. Submits performance evaluation, targets and ratings of staff.
IASSOPPM 7
Personnel Management
Functions of Director (continued)
Operational Functions:
1. Establishes the annual goals, objectives and performance targets of the internal auditing unit;
2. Establishes internal auditing standards, guidelines and procedures
for the guidance of the internal audit staff;
3. Determines the extent of coordination with COA to avoid
duplication of audit report;
4. Ensures support of management in the conduct of internal audit;
5. Responsible for work performance and disciplines of the staff;
6. Reviews and approves internal audit plans;
7. Discusses internal audit scope and objectives with agency/unit or
personnel to be covered prior to the conduct of audit;
8. Reviews and approves internal audit reports;
9. Discusses audit result with auditee/s before the report is finalized;
10. If necessary, discusses the conclusions and recommendations in the
audit report with the appropriate level of management;
11. Follows up actions to determine if audit recommendations have
been carried out or not and inquires for the reasons for non-
implementation;
12. Investigates anomalies discovered in audit and submits reports and
recommendations on investigations completed;
13. Reviews and approves recommendations for enhancement of the
internal audit functions; and
14. Does related work.
Table 2 - Internal Auditor
Education Bachelor’s degree relevant to the job (Law, Accounting, Public
Administration, Criminology, IT/Computer Science and other
disciplines related to the abovementioned)
Experience 3 years of relevant experience involving Internal Auditing,
Administrative or Criminal Investigation and/or Forensics (e.g.,
Accounting, IT, ISO Management Systems and other related
disciplines)
Training 16 hours of training in Internal Auditing, Administrative or criminal
Investigation and /or Forensics, etc.
Eligibility Career Service (Professional)/Secondary Level Eligibility, preferably
BAR/CPA, (RA 1080 or both Lawyer and CPA)
Functions 1. Under direct supervision, assists in supervising a division tasked
with internal audit functions;
2. Reviews internal audit plans;
3. Discusses internal audit plans with the concerned staff;
4. Reviews written internal audit reports;
5. Trains new internal auditors;
6. Rates performance of audit staff and does related work.
IASSOPPM 8
Personnel Management
Table 3 - Internal Auditing Assistant
Education Completion of 2 years of study in college
Experience 1 year in position/s involving Internal Auditing, Administrative or
Criminal Investigation and/or Forensics (e.g., Accounting, IT, ISO
Management Systems and other related disciplines)
Training 4 hours of training in Internal Auditing, Administrative or Criminal
Investigation and/or Forensics, etc.
Eligibility Career Service (Sub-professional)/First level eligibility
Functions 1. Under immediate supervision, Assists internal auditors in the
conduct of internal audit; and
2. Does related work.
3.4 Training and Professional Development
Initially, new staff members will be exposed to various rules and regulations, copies of
which are currently maintained in the office library. These include: (a) Institute of Internal
Auditors’ (IIA) Code of Conduct, (b) PGIAM, (c) NGICS, (d) International Standards’
Manuals, (e) the department’s Audit Manual and (e) other relevant Circulars,
Administrative Orders or Executive Orders issued by the different Government Agencies
related to the conduct of Internal Auditing is accessible to each auditor.
Ordinarily, the department runs an annual training budget and auditors are regularly
taken for training seminars relevant to their job and grade. Therefore, the internal
auditors will attend seminars and training as appropriate. Professional proficiency is the
responsibility of the individual auditor. Each auditor should possess a body of specialized
knowledge and should maintain a recognized, continuous process of education to sustain
professional growth in the field of internal auditing.
The IASD, will assign each audit to the individual who possess the necessary knowledge,
skills and disciplines to conduct the audit properly. The internal audit staff has a
professional obligation to schedule and attend on-going professional education forums to
ensure they maintain academic proficiency and to advance professionally. The IASD is
responsible for providing appropriate audit supervision. Supervision is a continuing
process, initiated with the planning process and concluding with the completion of the
audit assignment. IASD will document evidence of supervision and review on all audits.
This may be accomplished by signing off on all work papers and audit documents.
3.5 Personnel Performance Evaluation
Personnel performance is continuously monitored by reviewing work performed and
providing immediate feedback for support. At the end of each engagement, a debriefing
meeting is held to identify areas of personal improvement. Semi-annual evaluations are
held with each employee using the evaluation instrument corresponding to each position.
IASSOPPM 9
Personnel Management
3.6 Personnel Recruitment and Transition
IAS’ policy on recruitment is targeted at candidates who meet minimum academic
qualifications in line with the position they wish to be considered. Each internal auditor
is responsible for maintaining an adequate level and an understanding of the social,
academic, economic and political environment within which the University operates.
The success of IAS is dependent on the ability to proactively manage employee
recruitment and transition of competent staff. Personnel are recruited using the standard
hiring process held by the Human Resource Department (HRD).
Personnel are encouraged to keep the Director informed of any possible employment
changes. With thirty (30) days notification, IAS can actively recruit new employment
while exiting personnel is still with the department. The goal is to have an ample time to
recruit the most competent candidate available and continue audit services with minimal
impact.
IASSOPPM 10
Audit Process
4.0 The Audit Process
4.1 Overview and Conduct of the Audit Process
The Audit Process is divided into four phases, namely: audit engagement planning, audit
execution, audit reporting, and audit follow-up. See Figure 4-1. For each phase, there are
specific criteria to ensure a successful audit engagement.
Figure 4-1 Audit Process Flow Diagram
Although every audit project is unique, the audit process is similar for most engagements
and usually consists of nine stages. Through these stages IAS will determine ways to
minimize risks and increase efficiencies within the area.
Client involvement is critical at each stage of the audit process. An audit will result in a
certain amount of time being diverted from area personnel’s usual routine. One of the key
objectives is to minimize this time and avoid disrupting on-going activities.
4.1.1 Plan. IAS will develop an annual audit plan based on a review of all pertinent
information. Sources may include, but are not limited to: a risk assessment, internal and
external evaluations and management guidance.
4.1.2 Engagement. IAS will schedule a meeting with the area head and the senior
management of the process to be audited. Identify the scope and objectives of the audit,
how long it is expected to last and what the responsibilities for all parties are in the audit
process. Any factors that may impact the audit should be raised at this time. Factors
include vacations, fiscal year end reporting requirements, etc.
4.1.3 Test. Testing will include interviews with the staff, review of procedures and
manuals, compliance with the University policies and governmental laws and regulations
and assessing the adequacy of internal controls.
IASSOPPM 11
Audit Engagement
Planning
Audit Execution
Audit Follow-up
Audit Reporting
Audit Process
4.1.4 Communicate. Keep the department that is undergoing the audit updated on the
status of the audit on a regular basis especially if there are any findings. There may be
instances where the findings can be addressed immediately.
4.1.5 Draft. The report draft will include the audit Scope and Objectives, Audit Findings
and Potential Audit Recommendations.
4.1.6 Management Response. Management will receive the audit draft to confirm the
facts and respond to the Potential Audit Recommendations. Their response should assign
the responsibility and have a specific target date of completion for the corrective actions.
The time window for the Management Response is normally seven (7) business days.
4.1.7 Review. The final version of the audit will be reviewed, and all issues resolved by
the IASD.
4.1.8 Distribute. The report is then released to the audited department, the divisional
Director/Vice President and the President.
4.1.9 Verify. IAS will normally conduct a follow up on the Management responses to the
audit findings and recommendations within a reasonable time frame. This subsequent
review will be discussed with the involved management and the comments published.
4.2 The Annual Audit Plan (AAP)
The IASD, by authorization of the President, annually establishes a plan of scheduled
audits called the “Annual Audit Plan”. The audits selected can relate to specific
departments/areas within the university, or to processes that are carried out across
several different departments/areas. To maximize the use of IAS resources, a risk-based
approach is adopted in drawing up the plan. Major risk factors are identified, using
different risk assessment criteria, and areas with the highest perceived risk are given high
priority for audit.
The AAP (Appendix 1) is prepared and submitted to the President each year for review
and approval. Upon approval, the plan is executed by IAS during the following calendar
year. Additionally, unannounced audits may be performed at the discretion of the audit
director or at the request of the Board of Regents, the President, or area head.
4.3 Audit Engagement Planning
Audit requires good planning. Planning entails familiarization with the objectives,
processes, risks and controls of the auditee and activity to be audited, and developing a
strategy and approach in conducting the audit. It is the most important part of the audit
as the success of an audit depends on how well it has been planned.
Planning is an iterative process with the following important purposes:
• Understanding the control environment and the organization;
• Outlining the scope and objectives of the audit;
• Establishing the basis for budgeting (time, cost, personnel);
IASSOPPM 12
Audit Process
• Identifying the evidence required to develop the audit findings;
• Assisting in choosing/determining the audit procedures (nature, extent and timing);
• Establishing the basis for coordinating the staff.
Audit engagement planning is the third stage of planning, after strategic planning and
annual audit planning. It involves the listing down of audit activities per audit
engagement based on the AAP. The results of the strategic planning shall be validated to
determine if there are relevant changes in the control component, systems and processes.
Figure 4-2 summarizes the steps involved in Audit Engagement Planning.
PLANNING
EXECUTION
REPORTING
FOLLOW-UP
Figure 4-2 Audit Engagement Planning Flow Diagram
4.3.1 Document Understanding of the Program and Project
Audit engagement planning starts from an understanding of the organizational mandate
and focusing on what areas will be audited. It involves the selection of specific internal
controls and focusing on the degree of compliance with laws, regulations and policies of
specific program/project and system/process for evaluation; evaluation of the control
effectiveness; and determination of if operations are conducted economically, efficiently,
ethically and effectively (4Es).
The audit plan should be based on a sound understanding of the internal control system,
operating and support systems and processes.
4.3.2 Determine the Audit Objective, Scope, Criteria and Evidence
a. Determine Audit Objective
Based on information gathered and analyzed during the understanding of the
program/project, the objective and scope of the audit can be defined. An audit objective
is what the audit aims to accomplish.
IASSOPPM 13
What to Audit
1. Document understanding of the program and
project 2. Determine the audit objective, scope and criteria
and audit evidence 3. Determine the resource required for the audit and
the target milestone/dates 4. Develop the audit plan and audit work program
5. Secure approval of the audit plan and audit program
How to Audit
What and How to Report
What to Follow-up
Audit Process
This is critical in establishing the scope, criteria, evidence and approach of the audit. It
is normally expressed in terms of what questions the audit is expected to answer about
the performance of an activity. Ideally, an audit objective would be consistent with the
achievement of the objectives of the organization, program or project. Determining the
audit objectives involves the following activities:
i. Preliminary gathering of documents/information;
ii. Identifying the focus of the audit and the aspect of performance to be examined;
and
iii. Determining the type of audit to be performed:
1) compliance with laws, regulations and policies;
2) evaluation of control effectiveness; or
3) determination if operations are conducted economically, efficiently, ethically
and effectively.
Audit objectives also relate to why the audit is being conducted. If controls are weak,
the IAS traces the root cause and recommends to top management courses of action to
address the deficiency. The IAS can also recommend further examination of the
underlying issues, or the legal action to take, if conditions so warrant.
b. Determine the Audit Scope
Audit scope is the framework or limits of the audit. It is normally defined by stating
what the audit intends to cover and the relevant timeframes.
The steps in determining the audit scope are as follows:
i Define the parameters and nature of the audit work to achieve the audit objectives;
ii Determine the audit tools, techniques and methodology to be utilized; and
iii Select the method to be utilized.
The Internal Auditors could look for the answers to these questions:
i. Are the control components sufficient to safeguard the assets?
ii. Do they provide accurate and reliable accounting data?
iii. Do they adhere to managerial policies?
iv. Are they in compliance with laws, rules and regulations?
v. Do they ensure effectiveness, efficiency, economy and ethicality of operations?
The IAS can conclude on the effectiveness of the controls only when the internal
control components achieve all the control objectives.
c. Determine Audit Criteria and Evidence
Audit criteria are reasonable standards against which existing conditions are assessed.
These are expectations of the program or project as to what should be. It includes
statutory and/or managerial requirements; process requirements; and citizens’
requirements, needs and expectations.
IASSOPPM 14
Audit Process
To be able to come up with sound criteria, auditors must:
i. Gather/Identify the standards (laws, regulatory policies) for audit
evaluation;
ii. Set reasonable and attainable standards of performance, statutory or
managerial policies for evaluation; and
iii. Identify pieces of audit evidence required by law and standards and
the approaches to be utilized in obtaining them.
4.3.3 Determine the Resources Required for the Audit and the Target Milestones/Dates
Careful planning involves the determination of the overall resource requirements to
accomplish the planned audits. This involves assessing the current staff
capability/capacity; technological resources (e.g., computers, software); financial
resources (budget requirements), among others.
Target milestones/dates for the completion or accomplishment of critical elements during
the audit process should be established to keep track of the progress of the engagement
and check on the quality of the outputs.
4.3.4 Develop the Audit Plan and Audit Program
An audit plan and audit work program must be prepared for all audits, and should be
approved by the audit director before the start of the fieldwork. Any substantial
adjustments should be promptly approved.
An audit plan is a document that provides the main guidance of the whole audit process
to achieve the audit objective in an efficient and effective way. It provides an integrated
description of the auditee and the audit by serving as a guide for the whole audit. The
audit plan for Management and Operations Audits will document the results of all the
planning tools which would necessarily contain the following:
Table 4 - Contents of an Audit Plan
Element Information
Introduction A brief description or background information of the internal controls,
i.e., the plan of organization and all the methods and measures adopted
within the University to ensure that resources are used consistent with
laws, regulations and managerial policies; resources are safeguarded
against loss, wastage and misuse; financial and non-financial information
are reliable, accurate and timely; and operations are economical, efficient,
ethical and effective
Audit Objective
and Scope
Overall objective and scope of the work to be accomplished
Assessment of Controls
Critical processes identified by the IAS during the planning phase which
led to the selection of the audit area approved by the President and the
formulation of the audit objective
IASSOPPM 15
Audit Process
Audit Approach Compliance audit, management control process audit, audit of program
or project results
Resources/
Inputs
Statutory policies, mandates, managerial policies, government
regulations, established objectives, systems and procedures/processes,
stakeholders’ needs and expectations, manpower, materials, equipment
and timeliness
Audit Criteria Set of reasonable and attainable standards of performance, statutory or
managerial policies, laws and regulations, etc.
An audit work program (AWP) is the list of procedures, or steps, to be performed during
the fieldwork phase of the review. The procedures in the AWP should be sufficiently
comprehensive to ensure that the audit objectives are met. However, the program should
not be so rigid as to prohibit flexibility when unanticipated events arise.
For each segment of the audit, the program should include:
i. A statement of the objectives;
ii. The work steps required to test the effectiveness of the existing controls or make a recommendation to require management to establish and implement controls where needed;
iii. A space for referencing the related audit work papers and the initials of the auditor performing the work step and;
iv. The specified time frame.
The AWP (Appendix 2) should be completed and approved at the end of the planning
phase and before the start of any fieldwork. Any adjustments made to the program should
be approved by the audit director, prior to implementation. An approved hardcopy of the
program should be maintained with the work papers.
A Risk and Control Matrix (Appendix 3) will be prepared to summarize the above
information. The audit program is derived from the outcome of the risk and control
analysis.
4.3.5 Approval of the Audit Plan and Audit Work Program
The audit plan and AWP are submitted by the internal auditor to the IASD for review
and approval prior to the commencement of the audit execution. The director will evaluate
the documents to assess the relevance, significance, auditability and other factors affecting
the conduct of the audit.
After the documents have been approved, management should be informed about the
approved audit plan and AWP. The audit plan should be discussed with management but
the AWP should not be shared.
4.4 Audit Execution
Execution of the audit is initiated with an entry conference to discuss the focus,
requirements and timeliness of the audit.
IASSOPPM 16
Audit Process
It involves performing the audit techniques and procedures enumerated in the audit
program to gather data and pieces of evidence, to achieve the stated audit objective/s.
During audit execution, if the auditor finds a need to revise the audit program, the revision
should be submitted to the IASD for approval.
The director uses the audit program to supervise and monitor the progress of the audit
and to check whether the team is generating sufficient and appropriate pieces of
substantial evidence.
At any point during the audit and during the conduct of the baseline assessment of the
Internal Control System (ICS), when significant risks/issues arise, the IAS will prepare
an Interim Report to the President to communicate findings, issues, and problems that
may affect the conduct of the audit and may expose the organization to considerable risks.
A summary of the interim report will be included in the audit report.
PLANNING
EXECUTION
REPORTING
FOLLOW-UP
Figure 4-3 Audit Execution Flow Diagram
4.4.1 Entry Conference
An audit starts with the issue of an engagement letter. The head of the department/area
to be audited (the ‘auditee’) is contacted by the audit director in writing before the audit
is scheduled to start and notified of the audit process.
IASSOPPM 17
What to Audit
1. Entry Conference
2. Conduct compliance audit
a. Gather and analyze evidence
b. Compare conditions with criteria
c. Determine probable cause(s)
d. Prepare working papers
3. Conduct system/process audit a. Gather and analyze evidence
b. Compare conditions with criteria c. Determine root cause(s) d. Prepare working papers
4. Exit conference
How to Audit
What and How to Report
What to Follow-up
Audit Process
The entry conference (Appendix 4) sets the tone of the audit. It is scheduled with area
management and key personnel to discuss the purpose, objectives and scope of the audit,
and the expected start and completion dates of the field work. Input from the area
management is welcomed at this stage, particularly with reference to any known concerns
or areas of potential internal control weakness. Matters arising from the entry conference
must be recorded (Entry Conference Notes) and should be considered during the conduct
of the engagement planning.
4.4.2 Conduct Compliance Audit
Compliance audit is the evaluation of the extent or degree of compliance with laws,
regulations, managerial policies and operating processes in the University, including
compliance with accountability measures, ethical standards and contractual obligations.
Only when there is compliance that control effectiveness is determined. If there is no
compliance, the probable cause for such non-compliance is determined. The IAS identifies
the standards as specified in the organization’s mandate and objectives or
laws/rules/regulations and compares whether the operations conform to the identified
standards.
The steps in the conduct of Compliance Audit are as follows:
a. Gather and analyze (substantial) evidence to establish the condition that the
auditee is in.
b. Compare conditions with criteria to draw conclusion.
c. Determine the probable cause(s). It must be noted that to come up with the
determination of probable cause/s, the IAS must be able to establish, not only the
facts and circumstances, but also the whys, the whats and the hows of the non-
compliance.
d. Prepare the working papers. These contain sufficient information to allow an
experienced auditor having no previous connection with the audit to ascertain
from them the evidence that supports the auditors’ findings.
e. Integrate audit findings and prepare the highlights of the audit findings in terms
of the 4Cs – Criteria, Condition, Conclusion and Cause.
4.4.3 Conduct System/Process Audit
Process audit is designed to evaluate the 4Es of operating systems selected for audit and
aims to evaluate control effectiveness. This step involves the documentation of the process
or system under audit, identification of the control procedures, verification and validation
if such control procedures are complied with and are working effectively. Progress is
discussed with area management, usually as individual objectives are finished, and
particularly regarding any audit concerns.
IASSOPPM 18
Audit Process
The steps in the conduct of Process Audit are as follows:
a. Gather and analyze (substantial) evidence to establish the condition, including
consequence, effects or impact.
b. Compare conditions with criteria to draw conclusion. This refers to conclusion of
facts which is defined as an inference drawn from the subordinate or evidentiary
fact.
c. Determine the root cause(s). Root cause is a structured investigation that aims to
identify the true cause of a problem and the actions necessary to eliminate it. The
determination of root cause through varying techniques is an essential audit
methodology that will assists auditors in analyzing pieces of audit evidence to
come up with appropriate recommendations.
d. Prepare the working papers.
e. Integrate audit findings and prepare the highlights of the audit findings in terms
of the 4Cs.
4.4.4 Exit conference
An exit conference (Appendix 5) is held to discuss the results of the completed audit and
any concerns that may have arisen. Those attending the conference usually include the
audit director, the in- charge auditor, the area head, and anyone the area head wishes to
invite. The exit conference provides an opportunity to resolve any question the audit
client may have about the concerns raised and to address any other issues before the audit
report is finalized. It also provides an opportunity to get the auditee’s comments
(management comments) and insights about the significant audit issues as a way of
validating the audit findings.
Management’s comments should be taken into consideration to arrive at workable
recommendations and obtain the auditee’s commitment towards performing remedial
actions – as a manifestation of progressive attitude towards the audit findings. The
auditee’s comments/responses are recorded in the audit findings sheet and integrated into
the draft report.
4.5 Audit Reporting
Audit reporting represents the culmination of the audit execution and the associated
analysis and considerations made during the audit. The audit report sets out the findings
in appropriate format; provides the pieces of evidence gathered to arrive at the audit
findings and the recommendations.
IASSOPPM 19
Audit Process
PLANNING
EXECUTION
REPORTING
FOLLOW-UP
Figure 4-4 Audit Reporting Flow Diagram
4.5.1 Develop Audit Findings
The audit findings can be developed by analyzing the pieces of evidence gathered for each
of the audit elements. Evidence may be categorized as physical, documentary, testimonial,
analytical or electronic. Evidence should be sufficient and appropriate (substantial),
competent, and relevant. Audit findings provide answers to the audit objectives
(Appendix 6) and should be rational and based on specific standards and criteria.
Audit findings compare the conditions (factual and evidentiary conditions such as the
current state/practices or what is obtaining, and their effects) with the audit criteria, and
determine the causes. Once an audit finding has been identified, two complementary forms
of assessment take place: the assessment of the significance of the findings and the
determination of the probable cause/s and the root cause/s. All audit findings should be
formulated based on the 4Cs.
Audit findings on probable cause of illegality of a transaction constitute a violation of law,
while irregularity constitutes a violation of regulations.
4.5.2 Develop Audit Recommendations
Much of the work of internal audit is judged on the quality of the final audit report,
including its analyses, findings, and recommendations. The recommendations provide
courses of action as the basis for improving internal controls.
Workable recommendations are clear, based on science of facts, conditions and evidence
and on practicable, incontestable, and workable solutions that can stand alone and address
the issue(s) at hand.
IASSOPPM 20
1. Develop audit findings
a. Criteria (laws and standards)
b. Condition (findings of facts)
c. Conclusion (conclusion of facts
d. Cause (root cause/s or probable cause/s)
2. Develop audit recommendations
3. Prepare the draft audit report
4. Prepare the final audit report
How to Audit
What and How to Report
What to Follow-up
What to Audit
Audit Process
Audit recommendations are management/legal remedies to avoid occurrence (preventive
action) or avoid recurrence (corrective action) of control weaknesses and incidences.
The issues to consider in developing recommendations are as follows:
a. Recommendations are submitted to the President as the official primarily
responsible. The recommendations should identify the probable/root cause of the
gaps or deficiencies/breakdowns. The IAS should not address the probable/root
cause; instead, it should recommend courses of realistic action wherein the
responsible units will take preventive (avoid occurrence) and corrective (avoid
recurrence) measures.
b. Recommended realistic courses of action to indicate what needs to be done, but not
how to do it. The “how” of it is the responsibility of the unit and/or management
concerned.
c. The circumstances that aid or hinder the organization in achieving the criteria
should be identified.
d. The feasibility and cost of adopting a recommendation, with the benefit of a
recommendation outweighing the costs.
e. Alternative courses for remedial actions.
f. Effects of the recommendation (positive and negative).
4.5.3 Prepare the Draft Audit Report
The draft audit report (Appendix 7) is prepared by laying out and analyzing the pieces of
evidence gathered to arrive at preliminary audit findings and recommendations.
Recommendations for action necessary to address those concerns are included in the
report and are addressed to the unit and/or management concerned with a copy given to
the President.
When preparing a draft audit report, the auditor should:
a. Delineate the objectives and scope and report within that scope, unless other
issues of substance are identified;
b. Identify all criteria;
c. Report significant matters – positive or negative;
d. Describe the context and background of the reported matter only as far as is
necessary to provide an understanding of the issue;
e. State initial findings, management’s comments and team’s rejoinder, if any;
f. Present the audit findings in a manner that is concise, fair and objective; and
g. State the recommendations so that they indicate what needs to be done but not
how to do it.
When audit recommendations are made, a written management response to each
recommendation is required. The response should include an agreement or disagreement
with the audit findings and potential recommendation. The unit head should coordinate
the development of these responses with appropriate staff and management.
IASSOPPM 21
Audit Process
Written responses are due within seven (7) business days of a recommendation being
issued. In cases where a fully developed action plan requires further study and analysis,
management may indicate this in their action plan. Management personnel to whom audit
recommendations have been directed are responsible for ensuring that corrective action
is taken. If a plan for action is reported, a date for implementation is to be included. This
response should be provided to the attention of the audit director and to the responding
party’s immediate supervisor. When management declines to respond to a
recommendation, a written statement to that effect should be provided.
If unit management and IAS do not reach agreement on the recommendations, the
unresolved issues will be provided to senior management and/or the President for
additional discussion and final decision. Unresolved recommendations can only be
resolved by senior management and/or the President. In this instance a written
statement of intent to resolve or acceptance of risk must be documented in the audit file.
The responses are incorporated into the audit report and sent to unit management for
final review and concurrence before the report is issued as a final document.
4.5.4 Prepare the Final Audit Report
The draft report may then be finalized (Appendix 8) and presented to the President who
decides on the distribution of the audit report based on the recommendation of the audit
director. An executive summary should be prepared and addressed to the President.
Both the final report and the executive summary should be submitted to the audit director
for review/approval. If no changes are needed, the audit director will review both
documents and sign them.
Follow-up reviews will be scheduled by the audit director during the annual audit plan
preparation process. The audit director will develop the most effective method to perform
follow-up reviews.
4.6 Audit Follow-Up
Follow-up is a monitoring and feedback activity undertaken to ensure the extent and
of preventive/corrective actions taken by the Management to address the inadequacies
identified during the audit. It aims to increase the probability that recommendations will
be implemented. IAS will verify that items reported as resolved are implemented during
the follow-up review process. IAS will issue individual, follow-up review reports on the
verification of implemented recommendations. If a significant number of the items
reported as resolved are not resolved, this will be communicated to senior management
for follow-up action.
IASSOPPM 22
Audit Process
PLANNING
EXECUTION
REPORTING
FOLLOW-UP
Figure 4-5 Audit Follow-Up Flow Diagram
4.6.1 Monitor Implementation of Approved Audit Findings and Recommendations
It is a sound practice to monitor the implementation of approved recommendations
(management/legal remedies) to avoid the occurrence (preventive measures) and
recurrence (corrective measures) of control weaknesses/incidences after a reasonable
period from the report submission date. The benefits of internal audit report
recommendations are reduced, and deficiencies remain, if recommendations are not
implemented within the specified timeframe.
It is management’s responsibility to implement approved findings and recommendations,
but the internal audit is in a good position to monitor the progress of implementation of
the recommendations.
4.6.2 Resolve Non-Implementation/Inadequate Implementation of Audit Recommendations
In the event of non-implementation of recommendation/inadequate action, the IAS
recommends appropriate legal and/or management remedies for non-implementation of
recommendation and inadequate preventive/corrective actions.
4.6.3 Prepare Audit Follow-up Report
Results of the audit follow-up should be recorded and reported to apprise the President of
the status of actions on the approved recommendations. The reasons for the lack of action
or non-completion of action on any recommendation should be documented and further
action considered on significant recommendations that have not been acted upon. The
report in the form of a memorandum order/letter should:
a. Describe the results of the auditor’s analysis of actual against projected benefits
for the period under review;
b. Summarize the extent of implementation of the approved recommendations;
IASSOPPM 23
1. Monitor implementation of approved audit
findings and recommendations
2. Resolve non-implementation/inadequate
implementation of audit recommendations
3. Prepare audit follow-up report
What to Follow-up
What to Audit
How to Audit
What and How to Report
Audit Process
c. Highlight cases where auditee’s performance in implementing recommendations
have been particularly inadequate; and
d. Describe the actions, if any, that the auditor intends to take in relation to
inadequate auditee’s actions.
Follow-up of audit recommendations serves four main purposes:
a. Increase the effectiveness of audits – the prime reason for following-up audit
reports is to increase the probability that recommendations will be implemented;
b. Assist the government – following-up may be valuable in proposing some
necessary actions to the President and other officials;
c. Evaluate the IAS performance – follow-up activity provides a basis for assessing
and evaluating the IAS performance; and
d. Create incentives for learning and development – follow-up activities may
contribute to better knowledge and improved practice.
IAS will utilize the following procedures for follow-up reviews:
A. Scheduling Follow-up Activities - The audit director is responsible for scheduling
follow-up activities as part of the annual audit plan and the current audit schedule.
The budget hours allocated to follow-up will be estimated and included in the audit
planning process.
B. Definition and Objective of Follow-up Review - IAS will determine if corrective action
taken is achieving the desired results, or that management has assumed the risk of not
taking corrective action on reported findings.
C. Planning and Scheduling a Follow-up Review - The following steps should be taken
in planning and scheduling a follow-up review:
1. The “Status of Audit Recommendations” spreadsheet from the original audit
should be used as the basis for planning the follow-up review. The auditor
should note the recommendations and corresponding management responses
from the original audit.
2. A follow-up review engagement letter should be sent to management, to (a)
explain the objective of the review, (b) schedule a time for follow-up fieldwork,
as applicable and (c) request a report, or appropriate document outlining the
current status of the actions agreed upon in response to the original audit
report recommendations (along with supporting documentation). It is
advisable to correspond with the auditee/management by phone or in person
prior to sending the letter.
3. Follow-up reviews will not include an opening and closing conference, and the
scope should be limited to the findings included in the original audit report
and any nonreportable conditions resulting from the original audit.
D. Management Responsibility - Management is responsible for deciding the appropriate
action to be taken in response to reported audit findings.
IASSOPPM 24
Audit Process
Management has an ethical responsibility to address the recommendations agreed
upon in the management response section of the original audit report. IAS is
responsible for assessing management action for timely resolution of the issues
reported.
E. Follow-up Report - A formal follow-up report or memorandum will be issued in draft
form and distributed to the original audit report recipients, as applicable. The status
of corrective action or management’s waiver of resolution will be included in the
report. Once the draft report, or memorandum is issued, procedures outlined for
issuing audit reports should be followed.
F. Non-reportable Matters (Observations) - During the follow-up, the auditor will also
perform procedures to determine if any nonreportable items that existed during the
original audit have been satisfactorily resolved. If these matters have not been
resolved, a reportable condition may be included in the follow-up audit report.
G. Conditions Still Exist - If the conditions still exist as a result of the follow-up review,
the audit director will elevate the concerns to the President.
4.7 Summary of Outstanding Recommendations
IAS will issue inventories of open recommendations quarterly to remind Management of
the open items. Management is expected to review the list and communicate progress on
items due/overdue or delays in progress for items not yet due to IAS within ten (10)
business days. IAS will maintain an inventory of items reported by management as
resolved. Open recommendations will be reviewed periodically with the President.
A summary of outstanding recommendations report (Appendix 9) is presented by the
audit director at each quarterly scheduled meeting with the President. This report lists
the audit recommendations that have not been fully implemented. If the quarterly reports
indicate management is not making the planned progress, IAS will report this to senior
management for follow-up action.
The summary report takes the form of a color-coded summary of the outstanding issues,
as follows:
Green: Recommendation is fully implemented
Yellow: Implementation of the recommendation is in progress and a revised date for
completion has been agreed.
Red: Recommendations are either: a) not in progress, or b) not fully implemented
and ‘past due’ following a second or later follow-up review. To the extent
that past due issues give rise to special concern, a progress report to the
President may be required from the unit head.
IASSOPPM 25
Workpapers
5.0 IAS Workpapers
5.1 Qualities of Good Workpapers
All relevant information will be documented and maintained in a file that will be reviewed
and approved by the appropriate audit management. All workpapers, including schedules,
analyses, documents, flow charts, and narratives should be filed in a standard department
binder. The following factors describe a good workpaper:
• Complete – Workpapers must be able to “stand alone.” This means that all questions
must be answered, all points raised by the reviewer must be cleared, and a logical, well-
thought-out conclusion must be reached for each audit segment.
• Concise – Workpapers must be confined to those that serve a useful purpose.
• Uniform – All workpapers should be of uniform size and appearance. Smaller papers
should be fastened to standard workpapers, and larger papers should be folded to conform
to size restrictions of the binder.
• Neat – Workpapers should not be crowded. Allow for enough space on each schedule so
that all pertinent information can be included in a logical and orderly manner. At the
same time, keep workpapers economical. Forms and procedures should be included only
when relevant to the audit or to an audit recommendation. Also, try to avoid unnecessary
listings and scheduling. All schedules should have a purpose, which relates to the audit
procedures or recommendations.
5.2 Retention
Workpapers will be retained for seven (7) years from the date of the audit report. The most
recent set of workpapers for each project will be maintained in IAS’ files. All prior workpapers
are to be filed in sealed boxes and maintained at the university’s warehouse facility.
5.3 Workpaper Techniques
A. Descriptive Headings/Footers
All workpapers should include the university name, the area/function being audited
and the title or brief description of the workpaper in the page heading. In the bottom
right corner of the page, next to the index reference number, the auditor should also
include their initials, the date the workpaper was completed, and a space for audit
management’s approval.
B. Tickmarks
The auditor makes frequent use of a variety of symbols to indicate work that has been
done. These symbols are commonly referred to as tickmarks. As these tickmarks have
no special or uniform meaning by themselves, an explanation of each tickmark should
be made on the schedule on which it appears. If necessary, a separate tickmark sheet
can be prepared and attached to the applicable schedule.
IASSOPPM 26
Workpapers
C. Cross-referencing
Cross-referencing within workpapers should be complete and accurate.
D. Indexing
Workpaper indexing should coincide with the audit program.
E. Carry Forward
The auditor should make full use of the workpapers developed in the prior audit
flowcharts, system descriptions, and other data may still be valid. Those papers, which
remain useful, should be made a part of the current workpapers. They should be
updated with current information, renumbered, referenced, and initialed and dated by
the current auditor.
5.4 Types of Workpaper
A. Electronic
For electronic workpapers, a separate directory should be created for each audit.
Subdirectories should be used for each separate section of the audit. Any manual work
papers produced should be maintained in binders, fully cross-referenced into the
electronic files and vice-versa.
B. Interviews
Most verbal information is obtained through informal or formal interviews conducted
either in person or by telephone. Formal interviews are most desirable because the
interviewers know they are providing input to the audit; however, impromptu
interviews, or even casual discussions, can often provide important information. Any
verbal information which is likely to support a conclusion in the audit workpapers
should be documented. Interviews are useful in identifying problem areas, obtaining
general knowledge of the audit subject, collecting data not in a documented form, and
documenting the audit customer's opinions, assessments, or rationale for actions.
Interview notes should contain only the facts presented by the person interviewed,
and not include any of the internal auditor’s opinions.
In preparing interviews for workpapers, consider the following suggestions:
• Be sure to include the name, department, and position title of all persons from
whom information was obtained. This includes data gathered during casual
conversations.
• Indicate when and where the meeting occurred.
• Organize notes by topic wherever possible.
• Identify sources of information quoted by interviewee
IASSOPPM 27
Workpapers
C. Observations
What IAS observed can serve the same purposes as interviews. If observations can be
used to support any conclusions, then they should be documented. They are especially
useful for physical verifications.
Observations used as supporting documentation should generally include:
• Time and date of the observation.
• Where the observation was made.
• Who accompanied the auditor during the observation?
• What was observed? When testing is involved, the workpapers should include
the sample selections and the basis of the sample.
D. Findings
All audit findings should be documented in the workpapers. Findings should be
summarized on an Audit Finding Data Sheet (Appendix 14) whether or not they are
to be included in the audit report. All findings should be documented immediately by
the auditor discovering the situation.
5.5 Workpaper Organization
All workpapers should be placed into an expandable type binder. The sequence of
workpapers should be as follows:
In the first segment, right-hand side, place the following in order:
1. Executive summary
2. Final audit report
3. Draft audit report
4. Audit inquiries and document requests with management responses
5. Survey and management response
In the first segment, left-hand side, place the planning packet, displaying the audit
program on top of the packet. Use the remainder of the folder for the audit workpapers.
5.6 Security and Control of Workpapers
A. Ownership
The audit workpapers are owned by the internal audit services department.
B. Physical Control/Access
• Workpapers are the IAS' property and should be kept under their control.
• Workpapers may contain confidential data as well as data related to internal audit
concerns and development of recommendations that should be considered
confidential.
IASSOPPM 28
Workpapers
• Access to electronic workpapers should be controlled via security controls
(passwords, shared file controls, etc.), and portable computers should be subject to
careful physical security measures. IAS auditors should maintain close control of
any manual workpapers and supporting documents during the audit. When not
in use, they should be kept in a locked file or otherwise secured so they are not
readily available to persons unauthorized to use them.
• The Auditor-in-Charge (AIC) should obtain approval of the IASD prior to
releasing work papers to external parties.
IASSOPPM 29
IAS Management
6.0 IAS Management
6.1 Audit Monitoring
As and when the audit progresses the AIC should monitor the progress of the audits under
his responsibility and fill in an Audit Monitoring Sheet (Appendix 10).
6.2 Time Reports
The time report lists all projects worked on during the month and the number of hours
worked. It also includes all general administrative time such as training, staff meetings,
special research assignments, etc., and leave hours such as vacation, sick and casual leaves. It
is the responsibility of the audit staff to complete Time Report (Appendix 14) at the end of
each day and submit for review by the appropriate AIC at the end of each month.
Time reports should be reviewed by the appropriate AIC and submitted to the IASD by the
fifth day of each month.
6.3 Progress Reports
It is the responsibility of each AIC to complete Monthly Progress Report (Appendix15) at
the end of each day and submit for review by the IASD by the fifth of the following month.
Whenever an AIC, is proceeding on long leave, (vacation, leave without pay, maternity leave
etc.) he/she should inform the IASD in writing.
AIC should prepare Quarterly Return (Appendix 16) of all audit activities carried out during
the period and submit to the IASD by the seventh day of the following month.
6.4 IAS Meetings
The department shall hold quarterly audit staff meetings. The meetings shall be scheduled
and called by the IASD. At the meeting, audit assignments shall be discussed, and any other
problem encountered by auditors in the course of their work. The minutes of such meetings
shall be recorded and confirmed at the next meeting. All members of staff shall receive a
copy of the minutes.
6.5 Decision Making Procedures
To enhance the efficient running of the department, there is need to have a clear
communication system. The following decision-making procedures shall be followed:
• The IASD shall constitute an internal committee in which all AIC will be members.
• The IASD shall be the chairman to this committee which shall hold meetings on need
basis.
• The committee will deliberate on issues relating to administration, operations and
functions of the department.
IASSOPPM 30
IAS Management
The final authority however is vested on the IASD. The AIC shall also hold meetings with
their unit staff regularly to communicate decisions made in such meetings.
6.6 Performance Evaluations
A. Evaluation of Internal Audit Staff
Performance evaluation shall be based on the performance contracts signed with
management. Performance evaluation of staff should take account of the time budget,
quality of work and attitude towards work.
The IASD shall do semi-annual reviews and prepare a documented evaluation of the
auditor’s performance (Appendix 17). Strengths and weaknesses should be noted and be
supported by specific instances. In this way, the auditor should receive the most objective
assessment and at the same time focus on specific areas for improvement.
The evaluation will be based on the officers’ overall performance and the quality of the
work that was accomplished. Some of the items considered when making the evaluation
for auditors are:
• The ability to identify and raise quality issues in an audit
• Good and well-reasoned audit recommendations
• Audit completion dates versus the promised completion dates
• Communication skills
• Report writing skills.
If the IASD identifies weaknesses, an action plan shall be developed to assist in making
the necessary improvements to achieve a satisfactory level of performance. Training
needs shall also be identified to address areas to be strengthened.
B. Evaluation of Internal Audit Services – Management
Ongoing monitoring activities should also be incorporated into daily operations of the
IAS activity. This will provide assurance that the processes in place are working effectively
to ensure quality is delivered on an engagement-by-engagement basis. A management
assessment (Appendix 19) must be performed every after engagement and results shall
be compiled, summarized and submitted to the President annually.
6.7 Periodic Review of Policies and Procedures
A. Minor Amendments
Minor amendments (e.g., to reflect changes in position titles or nomenclature of
organizational units) which do not otherwise affect the policy content can be incorporated
in another amendment to the document in the near future.
IASSOPPM 31
IAS Management
B. Major Amendments
In order to enhance the IASSOPPM, a periodic review of policies and procedures will be
undertaken every two (2) years to ensure they are still current. The need to amend the
policies and procedures may be prompted by feedback from department specific and
governing bodies’ internal audit implementation insights; changes in laws, policies,
guidelines and regulations; and requisites for enhancing work practices.
Where review will result in a major overhaul of a policy, development of a brief review
and approval plan may be advisable. The plan should outline relevant steps associated
with the review, including consultation, review by relevant committees, and target dates
for final approval by the University President.
At the end of the review, an Amendment History table will be completed and made part
of the IASSOPPM.
Amendment History: 1. xxxxxxxxxxxxxxxxxxxxxxx
2. xxxxxxxxxxxxxxxxxxxxxxx
3. xxxxxxxxxxxxxxxxxxxxxxx
4. xxxxxxxxxxxxxxxxxxxxxxx
Contact Officer
Approval Date
Updated to New Standard
Improvement and Clarification
Approval Authority
Date of Next Review
Printed Copy
Electronic Copy
IASSOPPM 32
Glossary
7.0 Glossary
Accountability. The obligation of an individual or institution to account for its activities,
accept responsibility for them, and disclose the results in a transparent manner.
Add Value. The internal audit activity adds value to the organization (and its stakeholders)
when it provides objective and relevant assurance, and contributes to the effectiveness and
efficiency of governance, risk management, and control processes.
Assurance Services. An objective examination of evidence for the purpose of providing an
independent assessment on governance, risk management, and control processes for the
organization. Examples may include financial, performance, compliance, system security, and
due diligence engagements.
Auditee. The public official responsible for the subject of the audit. The auditee for each audit
is the senior manager with overall responsibility for the organizational area being reviewed.
The NGICS prohibits the auditor to have a client/customer relationship with the auditee.
Board of Regents. The University’s governing body to whom the President functionally
report.
Charter. The internal audit charter is a formal document that defines the internal audit
activity’s purpose, authority, and responsibility. The internal audit charter establishes the
internal audit activity’s position within the organization; authorizes access to records,
personnel, and physical properties relevant to the performance of engagements; and defines
the scope of internal audit activities.
Code of Ethics. The Code of Ethics of The Institute of Internal Auditors (IIA) are Principles
relevant to the profession and practice of internal auditing, and Rules of Conduct that describe
behavior expected of internal auditors. The Code of Ethics applies to both parties and entities
that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical
culture in the global profession of internal auditing.
Compliance. Adherence to policies, plans, procedures, laws, regulations, contracts, or other
requirements.
Compliance Audit. Review of the degree of adherence with laws, regulations, managerial
policies and operating procedures of government, including compliance with accountability
measures and ethical standards and contractual obligations. It is a necessary “first step” to,
and part of management and operations audits.
Conflict of Interest. Any relationship that is, or appears to be, not in the best interest of the
organization. A conflict of interest would prejudice an individual’s ability to perform his or
her duties and responsibilities objectively.
IASSOPPM 33
Glossary
Consulting Services. Advisory and related client service activities, the nature and scope of
which are agreed with the client, are intended to add value and improve an organization’s
governance, risk management, and control processes without the internal auditor assuming
management responsibility. Examples include counsel, advice, facilitation, and training.
Control. Any action taken by management, the board, and other parties to manage risk and
increase the likelihood that established objectives and goals will be achieved. Management
plans, organizes, and directs the performance of sufficient actions to provide reasonable
assurance that objectives and goals will be achieved.
Control Environment. The attitude and actions of the board and management regarding the
importance of control within the organization. The control environment provides the
discipline and structure for the achievement of the primary objectives of the system of internal
control. The control environment includes the following elements:
• Integrity and ethical values.
• Management’s philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.
• Competence of personnel.
Control Processes. The policies, procedures, and activities that are part of a control
framework, designed to ensure that risks are contained within the risk tolerances established
by the risk management process.
Engagement. A specific internal audit assignment, task, or review activity, such as an
internal audit, control self-assessment review, fraud examination, or consultancy. An
engagement may include multiple tasks or activities designed to accomplish a specific set of
related objectives.
Expert. Person who is knowledgeable in a specialized field, that knowledge being obtained
from either education or personal experience. He/she is one who by reason of education or
special experience has knowledge respecting a subject matter about which persons having no
particular training are incapable of forming an accurate opinion or making a correct
deduction.
Four Cs in Audit Findings. Stands for criteria, condition, cause and conclusion.
• Criteria are the standards against which a condition is compared; standards can be laws,
rules, regulations, policies, orders, guidelines, procedures, plans, targets, best practices,
etc.
• Condition is a fact, backed up by a substantial evidence (includes consequence, effects or
impact); this is also referred to as the “finding of facts” which is defined as the written
statement of the ultimate facts essential to support the audit findings.
IASSOPPM 34
Glossary
• Cause refers to the probable cause, in case of compliance audit; or root cause, in case of
management audit or operations audit. Relatedly, a finding of probable cause needs only
to rest on evidence showing that more likely than not the act/s or omission/s of the
person responsible had caused the non-compliance which may warrant the conduct of
administrative proceeding by the disciplining authority. Root cause is a structured
investigation that aims to identify the true cause of the control weaknesses or incidences
and the actions necessary to eliminate it.
• Conclusion is the evaluation of the criteria and the conditions that could either result in
compliance or non-compliance with laws, regulations and policies, as supported by
substantial evidence; control effectiveness; determination of adequacy or inadequacy of
controls; determination of the efficiency, effectiveness, ethicality, and economy of agency
operations; this is also referred to as the “conclusion of facts” which is defined as an
inference drawn from the subordinate or evidentiary facts.”
Four Es of Operations. Stands for efficient, effective, economical and ethical.
• Efficient refers to “doing things right” given the available resources/inputs and within a
specified timeframe. This is about delivering a given quantity and quality of outputs with
minimum inputs or maximizing outputs with a given quantity and quality of inputs.
• Effective refers to “doing the right things”. Effective operations mean that operating
units are able to deliver their major final outputs and outcomes and able to achieve the
expected results and contribute to the achievement of the sectoral and societal goals.
• Economical refers to the performance of functions and tasks using the least amount of
resources/inputs within a specific timeframe. It implies that the resources/inputs should
be acquired at the right cost, at the right time, at the right place, in the right quantity and
of the right quality.
• Ethical refers to conformity with the norms of conduct and ethical standards as
contained in RA 6713, otherwise known as the “Code of Conduct and Ethical Standards
for Public Officials and Employees”.
Fraud. Any illegal act characterized by deceit, concealment, or violation of trust. These acts
are not dependent upon the threat of violence or physical force. Frauds are perpetrated by
parties and organizations to obtain money, property, or services; to avoid payment or loss of
services; or to secure personal or business advantage.
Governance. The combination of processes and structures implemented by the board to
inform, direct, manage, and monitor the activities of the organization toward the achievement
of its objectives.
Impairment. Impairment to organizational independence and individual objectivity may
include personal conflict of interest, scope limitations, restrictions on access to records,
personnel, and properties, and resource limitations (funding).
Independence. The freedom from conditions that threaten the ability of the internal audit
activity to carry out internal audit responsibilities in an unbiased manner.
IASSOPPM 35
Glossary
Internal Audit. The evaluation of management control and operations performance and the
determination of the degree of compliance with laws, regulations, managerial policies, and
contractual obligations. It is the appraisal of the plan of organization and all the coordinate
methods and measures to recommend courses of action on all matters relating to
management control and operations audit.
Internal Audit Annual Work Plan. It contains the coverage of the audit for a given calendar
year and approved by the President. The plan should outline the deficiencies in internal
control and vulnerability being addressed, audit title, specific audit area, type of audit,
summary description of the audit, expected benefit, priority and resources to be used,
estimated duration and cost, and proposed timing of the audit, among others.
Internal Audit Services Director (IASD). The highest official in the Internal Audit Service
of the University. He has overall responsibility for auditing the organization, managing the
entire audit cycle and a team of internal auditors, and ensuring the quality of audit products
produced by the team.
International Organization of Supreme Audit Institutions (INTOSAI).
It is a non-governmental organization with special consultative status with the Economic and
Social Council (ECOSOC) of the United Nation. Operates as an umbrella organization for the
external government audit community.
Management Audit. The separate evaluation of the effectiveness of the internal controls
adapted in the operating and support services units/systems, whether it achieves the control
objective over a specific date or period of time. It is a review and appraisal of systems and
processes, organizational structure and staffing, operations and management practices,
records, reports and performance standards of the agencies/units covered. It includes the
determination of the extent of compliance with laws, rules, regulations, managerial policies,
operating procedures, accountability measures and contractual obligations covering specific
timeframes. Examples of support services systems are human resource management system,
financial management system, quality management system, risk management system and
their sub-system; while operating systems of bureaus, regional offices and local government
units include, among others, the rules of engagement in the conduct of arrest, search and
seizure and rules on vaccination and immunization.
Objectivity. An unbiased mental attitude that allows internal auditors to perform
engagements in such a manner that they believe in their work product and that no quality
compromises are made. Objectivity requires that internal auditors do not subordinate their
judgment on audit matters to others.
Operations Audit. The separate evaluation of the outcome, output, process and input to
determine whether government operations, including management and personnel structure
in programs/projects are effective, efficient, ethical and economical. Operations audit of
organizations, programs, and projects involves an evaluation of whether or not expected
results were achieved and targets were attained.
IASSOPPM 36
Glossary
Philippine Government Internal Audit Manual (PGIAM). The documentation of the
standards and procedures for conducting management and operations audits. It serves as a
friendly tool to internal auditors in appraising the internal control systems of the public
entities (agencies). It provides details on the nature and scope of internal audit in the
Philippine public sector, including the institutional arrangements of the internal audit
function, as well as the protocols and processes for the conduct of internal audit.
The PGIAM is divided into two parts. Part I - Guidelines (PGIAM I) outlines the basic
concepts and principles of internal audit, and the policies and standards that will guide
government agencies in organizing, managing, and conducting an effective internal audit.
Part II – Practices (PGIAM 2) contains tools, techniques, and approaches that will facilitate
the conduct of internal audit activities.
Risk. The possibility of an event occurring that will have an impact on the achievement of
objectives. Risk is measured in terms of impact and likelihood.
Risk Appetite. The level of risk that an organization is willing to accept.
Risk Assessment. The process of identifying, analyzing and evaluating relevant risks to the
achievement of the control objectives and determining the appropriate response. In other
words, it is the identification, analysis and evaluation of what could go wrong and how to
address it.
Risk Management. A process to identify, assess, manage, and control potential events or
situations to provide reasonable assurance regarding the achievement of the organization’s
objectives. Risk management is part of the responsibilities of management and an integral
part of all organizational processes.
Root Cause Analysis. A method that is used to address a deficiency in order to get the “root
cause” of the problem. It is used in order to correct or eliminate the cause and prevent the
problem from recurring. It attempts to identify the root or original causes instead of dealing
with the immediately obvious symptoms. It is a structured review and evaluation that aims to
identify the true cause of the deficiency and the courses of action necessary to address it.
RCA is continuing to ask why the control deficiency occurred until the fundamental process
element that failed is identified.
Significance. The relative importance of a matter within the context in which it is being
considered, including quantitative and qualitative factors, such as magnitude, nature, effect,
relevance, and impact. Professional judgment assists internal auditors when evaluating the
significance of matters within the context of the relevant objectives.
Stakeholder. A person or organization that can affect, be affected by, or perceive themselves
to be affected by a decision or activity. The IAS relates with both internal and external
stakeholders.
Standard. A professional pronouncement promulgated by the Internal Audit Standards
Board that delineates the requirements for performing a broad range of internal audit
activities, and for evaluating internal audit performance.
IASSOPPM 37
Appendices
8.0 Appendices
Appendix No.
Form No.
Title Page
1 001 Annual Audit Plan (AAP) 39
2 002 Audit Work Program (AWP) 40 3 003 Risk and Control Matrix (RCM) 41 4 004 Entry Conference (ENC) 42 5 005 Exit Conference (EXC) 43 6 006 Audit Finding Data Sheet (AFDS) 44 7 007 Draft Audit Report (DAR) 45 8 008 Final Audit Report (FAR) 46 9 009 Summary of Outstanding Recommendations (SOR) 47 10 010 Audit Monitoring Sheet (AMS) 48 11 N/A Flowchart Symbols 49 12 N/A Audit Process Flowchart (APF) 50 13 N/A Summary of Audit Process Flowchart (SAPF) 51 14 011 Time Report (TR) 52 15 012 Monthly Progress Report (MPR) 53 16 013 Quarterly Return (QR) 54 17 014 Evaluation of Internal Audit – Self Assessment 55 18 N/A Code of Ethics 56 19 015 Evaluation of Internal Audit – Management 57
IASSOPPM 38
References
9.0 References
1. Administrative Order (AO) No. 278, “Directing the Strengthening of the Internal
Control Systems of Government Offices, Agencies, Government-Owned and/or
Controlled Corporations, Including Government Financial Institutions and Local
Government Units, in Their Operations”, 28 April 1992.
2. AO No. 70, “Strengthening of the Internal Control Systems of Government Offices,
Agencies, Government-Owned and/or Controlled Corporations, Including Government
Financial Institutions, State Universities and Colleges and Local Government Units”, 14
April 2003.
3. Civil Service Commission (CSC) Memorandum Circular (MC) No. 27, “Policy on
Consultancy Contracts”, 24 June 1993.
4. CSC MC No. 1, s.2007, “Repeal of CSC MCs No. 17, s. 2002 also known as the Policy
Guidelines for Contracts of Service” and CSC No. 24, s. 2002 also known as the
“Clarification of Policy Guidelines for Contract of Service”, 12 January 2007.
5. CSC MC No. 12, s.2006, “Qualification Standards for IAS Positions”, 22 June 2006.
6. CSC MC No. 40, s.1998, “Revised Omnibus Rules on Appointments and Other Personnel
Actions”, as amended by CSC MC. No. 15, s. 1999, “Additional Provisions and
Amendments to CSC MC No. 40, s. 1998” and CSC MC No. 21, “Policies on Detail”, 26
September 2002.
7. CSC MC No. 95-092, “AO of the President date 28 April 1992,”23 August 1995.
8. Commission on Audit (COA) Circular No. 93-214-A, “Government Contracts for
Internal Audit Services”, 4 March 1993.
9. Department of Budget and Management (DBM) Budget Circular 2004-4,
“Guidelines in the Organization and Staffing of Internal Auditing Units”, 22 March 2004.
10. DBM Circular Letter Nos. 2008-05, “Guidelines in the Organization and Staffing of an
Internal Audit Service/Unit and Management Division/Unit in Departments/Agencies/
GOCCs/GFIs Concerned”, 14 April 2008.
11. DBM Circular Letter No. 2008-8, “National Guidelines on Internal Control Systems
(NGICS)”, 23 October 2008.
12. DBM-CSC Joint Resolution No. 1, “Rationalization Program’s Organization and
Staffing Standards and Guidelines”, 12 May 2006.
13. Executive Order (EO) No. 292, “Administrative Code of 1987”, 25 July 1987.
14. EO No. 605, “Institutionalizing the Structure, Mechanisms and Standards to Implement
the Government Quality Management Program Amending for the Purpose
Administrative Order No. 161, s. 2006”, 23 February 2003.
IASSOPPM 58
Glossary
15. International Organization of Supreme Audit Institutions (INTOSAI). Guidelines
for Internal Control Standards for the Public Sector [online]. 16 October 2004. Available
from World Wide
Web:<intosai.connexcchosting.net/blueline/upload/1guicspubsece.pdf>.
16. Malacanang Memo Circular No. 89, 18 August 2005.
17. Office of the President Memorandum. “Paper on the Doctrine of Completed Staff
Work”. 3 August 1993. MC No. 110, 23 August 2006. MC No. 68, 17 September 2004;
MC No. 24, 7 August 2002; and Memorandum from the President dated 10 June 1999
signed by President Joseph Estrada.
18. Philippine Government Internal Audit Manual, DBM Circular Letter No. 2011-5, 19
May 2011.
19. Presidential Decree No. 1445, “Government Auditing Code of the Philippines”, 11 June
1978.
20. Republic Act (RA) No. 6713, “Code of Conduct and Ethical Standards for Public
Officials and Employees” and its IRR, 20 February 1989.
21. Republic Act (RA) No. 3456, “Internal Auditing Act of 1962, 16 June 1962.
22. Republic Act (RA) No. 4177, “Amendments to Internal Auditing Act of 1962, 26 March
1965.
23. The Institute of Internal Auditors. International Professional Practices Framework
(IPPF). USA: The Institute of Internal Auditors, January 2009.ISBN 978-0-89413639-9.
IASSOPPM 59
