7/29/2019 iat manual final.doc
1/62
INTERNAL AUDIT MANUAL
SNIPS UTENSILS MANUFACTURING COMPANY
GROUP 3
CATLI, FELY JANE
PUNZALAN, PRINCESS ANGELA
RAMALES, MA. FIANNE
REYES, VIRGINIA
YAP, AVELINJHEE
7/29/2019 iat manual final.doc
2/62
INTERNAL AUDIT MANUAL
SECTION TABLE OF CONTENTS
10 Introduction
10.1 Organization of the Manual
110.2 Corporate Governance
2Definition and Purpose2Code of Corporate Governance
2Corporate Governance Manual2Role of the Board of Directors for Corporate Governance4
10.3 Overview of the Internal Auditing ActivityDefinition of Internal Audit4Internal Auditing Activity Framework6
10.4 Audit Committee7
10.5 Internal Audit Department8
10.6 Audit StaffingPosition Description and Staffing Level10Staff Knowledge and Skills10
Audit Staff Profession Certification12Continuing Professional Education12
10.7 Internal Audit Professional Organization & Governing BodiesInstitute of Internal Auditors13Institute of Internal Auditors Philippines13Information Systems Audit and Control Association14
7/29/2019 iat manual final.doc
3/62
20 Audit Concepts and Standards
20.1 Professional Practices Framework14
20.2 Internal Auditing Code of Ethics
1420.3 Standards for the Professional Practice of Internal Auditing
1520.4 Overview of Internal Control Framework
15Elements of Internal Control15
Control environment16
Risk assessment16
Information and communication16
Approved for implementation by: Effective Date: Property of
INTERNALAUDIT
DIVISION__________________________
Chairman, Audit and Compliance CommitteeSep 24 2010
This Manual may not be photocopied or taken out of the Companys premises without prior written approval
INTERNAL AUDIT MANUAL
SECTION TABLE OF CONTENTS
Monitoring and Control activities17
20.5 Control Objective for Information and Related TechnologyFramework19
Principles1920.6 Risks Framework
Risks Consideration in Planning the Audit21
20.7 Audit ObjectiveObtaining audit evidence21
7/29/2019 iat manual final.doc
4/62
Sufficiency of audit evidence22
Appropriateness of audit evidence22
Nature
23 Timing24Techniques to obtain audit evidence24
Inspection25
Observation26
Inquiry27
External confirmation28Computation
29
30 Audit Planning
30.1 Introduction30
30.2 Strategic Analysis
31Data Requirements and Sources31
30.3 Risk Assessment and Risk Management SystemRisk Management System34Risk Assessment35
30.4 Performing analytical procedures in planning the audit35
30.5 Setting the Audit Universe
35
Approved for implementation by: Effective Date: Property of
INTERNALAUDIT
DIVISION__________________________ Sep 24 2010
7/29/2019 iat manual final.doc
5/62
Chairman, Audit and Compliance Committee
This Manual may not be photocopied or taken out of the Companys premises without prior written approval
INTERNAL AUDIT MANUAL
SECTION TABLE OF CONTENTS
Establishing the audit universe35Defining the Risk Criteria35Ranking the Audit Universe36
30.6 Engagement time and cost estimates
3830.7 Audit Staffing and Logistical Plan39
30.8 Approval and Communication of Audit Plan40
40 Audit Process
40.1 Audit Engagement Plan40.2OpeningConference
6140.3ProcessAnalysis
62
40.5. ExitConference62
8440.6.AuditReporting
6240.7. Follow-upandMonitoring
62
50 Audit Documentation and Quality Reviews
50.1 Audit Work Documentation
7/29/2019 iat manual final.doc
6/62
Approved for implementation by: Effective Date: Property of
INTERNALAUDIT
DIVISION__________________________
Chairman, Audit and Compliance CommitteeSep 24 2010
This Manual may not be photocopied or taken out of the Companys premises without prior written approval
INTERNAL AUDIT MANUAL
SECTION TABLE OF CONTENTS
Managing working papers 62Standard working papers 63
Documents obtained from Auditee 63Digital format working papers 63Working paper organization and indexing 63Ownership and access to working papers 63
50.2 Quality Assurance ProgramObjectives 64Scope and Approach 64Measuring the Internal Audit Activity performance 64
50 Appendices
1 Code of Corporate Governance2 Corporate Governance Manual3 Sample Audit Committee Charter 4 Sample Internal Audit Department Charter 5 Position Description of Audit Team Members6 Internal Auditing Code of Ethics7 Standards for Professional Practice of Internal Auditing8 Business Risk Model
7/29/2019 iat manual final.doc
7/62
9 Pest Analysis10 Five Forces Analysis11 Audit Universe Risk Ranking Worksheet12 Sample Audit Engagement Plan13 Process Analysis Worksheet
Approved for implementation by: Effective Date: Property of
INTERNALAUDIT
DIVISION__________________________
Chairman, Audit and Compliance CommitteeSep 24 2010
This Manual may not be photocopied or taken out of the Companys premises without prior written approval
INTRODUCTION
10.1 Organization of the Manual
This INTERNAL AUDIT MANUAL was developed using as guide of the
Professional Practice Framework issued by the Institute of Internal Auditors (IIA).
It defines the policies, procedures and standards to be used by the Internal Audit
Department of the company as guidelines in all engagements to be performed.
This would provide the audit team with a tool to consistently provide quality audit
services the board, senior management, and external third parties.
In case there is a deviation to the standards set in this manual, the
judgment of the Chief Audit Executive has to be used with the end in mind of
providing better set of procedures in performing the audit service.
Referenced to specific reference materials for more detailed discussions
and examples about the subject matters or business practices, which are not
within the scope of this manual, can be adopted.
7/29/2019 iat manual final.doc
8/62
10.2 Corporate Governance
Definition and Purpose
Corporate Governance refers to the framework of rules, systems and
processes in the corporation that governs the performance by the Board of
Directors and Management of their respective duties and responsibilities to the
stockholders.
It is the policy of the Company to adopt the above definition and setup a
corporate governance system that institutes checks and balances designed to
permit the appropriate scope of authority (power) and limit the abuse of that
authority (accountability). For the corporate governance system to be effective, it
should be based upon strong working relationships among four groups:
management, the board, external auditors, and internal auditors.
The board of directors is typically central to corporate governance. Its
relationship to the other primary participants, typically shareholders and
management, is critical. Additional participants include employees, customers,
suppliers, and creditors.
The corporate governance framework also depends on the legal,
regulatory, institutional and ethical environment of the community.
Code of Corporate Governance
In the year 2002, the Securities and Exchange Commission (SEC) of the
Philippines in its Memorandum Circular No. 2, Series of 2002 promulgated the
7/29/2019 iat manual final.doc
9/62
Code of Corporate Governance. The Code specifies:
In accordance with the States policy to actively promote corporate
governance reforms aimed to raise investor confidence, develop capital market
and help achieve high sustained growth for the corporate sector and the
economy, the Commission, in its Resolution No.135, Series of 2002 dated April
4, 2002, approved the promulgation and implementation of this Code, which shall
be applicable to corporations whose securities are registered or listed,
corporations which are grantees of permits/licenses and secondary franchise
from the Commission and public companies. This Code also applies to branches
or subsidiaries of foreign corporations operating in the Philippines whose
securities are registered or listed.
Corporate GovernanceManual
In connection with the SEC Memorandum Circular No.2, Series of 2002,
the Internal Audit Department assisted in the setting up of the Corporate
Governance manual.
The Chief Audit Executive of the company is tasked to coordinate with the
Companys management in the implementation of this Corporate Governance
Manual.
Role of the Board of Directors for corporate Governance
The Companys Board of Directors is the first tier of the levels of elements
of corporate governance. Through oversight, review, and counsel, the Board of
Directors establishes and promotes the business and organization objectives.
7/29/2019 iat manual final.doc
10/62
The Board oversees the companys business affairs and integrity, works with
management to determine the companys mission and long-term strategy,
performs the annual CEO evaluation, oversees CEO succession planning,
oversees internal controls over financial reporting, and assesses company risks
and strategies for risk mitigation.
In ensuring that the stakeholders interests are being protected, the board
should adhere to the implementation of the code of corporate governance
promulgated by the SEC of the Philippines and ensure that a corporate
governance manual is used by the company.
10.3. Overview of Internal auditing activity
This section outlines the Internal Auditors responsibilities with respect to the
internal audit function. The internal auditor describes audit planning and
scheduling, and discusses the scope and types of internal audits generally
performed.
Definition of Internal Audit
Internal Auditing is an independent, objective assurance and consulting
activity designed to add value an organizations operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control,
and governance process.
Internal Audit is an independent appraisal function. The Internal Audit
Department examines and evaluates the company's business and administrative
7/29/2019 iat manual final.doc
11/62
activities. The independent and objective service provided by the Internal Audit
includes the evaluating and promoting of the accomplishment of the vision and
mission of the company.
The Internal Audit Department assists all levels of management of the
company in the effective discharge of their responsibilities. Internal auditing
furnishes them with analyses, recommendations, counsel and information
concerning the activities and records reviewed. The Office of Internal Audit
reports to the board and to management. In carrying out their duties and
responsibilities, the internal auditing office has full, free, unrestricted access to all
of the Company's activity, records, personnel and property.
Objective
The Internal Audit department is committed to the highest professional
standards for conducting audits in the company. The department will continue to
provide assurance that the manufacturing company operates effectively,
efficiently, provides outstanding requirements of the clients and implements best
practices in carrying its operations and activities.
Goal
In executing the aim of the department, the Internal Audit will focus on the
following goals:
Perform all audits in compliance with International Standards for the
Professional Practice of Internal Auditing (Standards)
Develop annual reporting
Perform audits within the assigned time budgets
7/29/2019 iat manual final.doc
12/62
Perform a post audit review
Provide audit sufficient training to satisfy IPPF Continuing
Education Requirements
Adhere to the Code of Ethics of the Institute of Internal
Auditors
Internal Auditing Activity Framework
The Internal Audit Activity of the Company has two major phases, namely
Audit Planning and Audit Process.
In Audit Planning, the audit plan for a year is set, detailing the strategic
analysis and risk assessment, which becomes the basis for prioritizing the audit
engagement to be done. The audit plan comprises the engagements to be
performed; timing, staffing and other logistical aspects are set.
In Audit Process, the activities performed in a specific audit engagement
are presented. It starts with planning the work to be done in that audit
engagement, the actual performance of the audit, reporting on the results of the
audit and follow-up in subsequent period to determine if the recommendations
are implemented.
10.4. Audit Committee
The Audit Committee of the Board shall be responsible for overseeing; the
reliability of financial reporting, the effectiveness of internal controls over financial
reporting, the processes for monitoring compliance with regulatory requirements,
and the processes for monitoring compliance with the organizations code of
7/29/2019 iat manual final.doc
13/62
conduct.
The committee shall be responsible for overseeing the effectiveness of the
organizations risk management and control processes. These responsibilities
are intended to provide reasonable assurance that the Company will be able to
achieve its objectives as they relate to the effectiveness and efficiency of
operations; the reliability of financial and operational information; and the
compliance with applicable laws and regulations.
Audit Committee has the authority to appoint Chief Audit Executive. The
Audit Committee appoints a Chief Audit Executive to manage the Audit
department.
Some of the more important roles of the Audit Committee are:
Evaluate whether management is setting the appropriate tone at the top
by communicating the importance of internal control and the management of risk,
and that employees have an understanding of their roles and responsibilities.
Inquire of management about the areas of greatest financial risk and how
management is managing that risk.
Review and approve the internal audit charter and ensure its compatibility
with the audit committee charter.
Review and approve the annual internal audit plan.
Be involved in the hiring of external auditors, and in the evaluation of their
performance.
Be informed as to whether the internal control recommendations, made by
either the internal and external auditors, are implemented by management.
7/29/2019 iat manual final.doc
14/62
Be made aware of significant accounting and reporting issues, including recent
professional and regulatory pronouncements, and understand their impact on the
organizations financial statements.
Ensure that the internal auditing activity can independently plan audit
projects and conduct and report the results objectively.
Be involved in the hiring, replacement, reassignment, or termination of the
CAE, and in the evaluation of his/her performance.
Ensure that the internal audit activity has adequate staffing and budget
resources to accomplish the plan.
To document the functional roles of the Audit Committee of the Board, an
audit committee charter has to be drawn up and submitted for approval by the
Board to formalize the authority and responsibility being given to it.
10.5 Internal Audit Department
The internal audit department, headed by the Chief Audit Executive (CAE)
is tasked to perform the internal audit activity for the company. The Chief Audit
Executive prepares an audit plan that identifies the individual audits to be
conducted during the year to be approved or not by the Audit Committee. The
approval or rejection of the audit plan prepared by the CAE is also the
responsibility of the Audit Committee. Its function includes assessment of internal
controls and the recommendation to implement measure to ensure adequate
control.
The major functions that the internal audit department performs are:
7/29/2019 iat manual final.doc
15/62
Develop and audit charter, approved by both senior management and the
audit committee, for the internal auditing activity
Develop, along with management, an organization model that can be used
to map major processes/operations for the purpose of identifying the
organizations auditable entities
Develop a risk assessment methodology for the auditable entities
identified in the model of major process/operations
Develop an audit plan based on the risk assessment and request from
management and get it approved by the board
Work with senior management and the audit committee to establish a
reporting relationship that will ensure that the audit recommendations receive
appropriate attention
Establish a quality assurance and improvement program for the internal
auditing activity that provides assurance that the internal auditing activity: 1)
performs in accordance with its charter, 2) adheres to the standard and code of
ethics, 3) operates in an effective and efficient manner, and 4) is perceived by
the board and management as adding value and improving an organization
operation.
10.6 Audit Staffing
The internal audit of the company obtains, develops and retail highly
specialized and qualified staff to ensure that audit engagements are performed
with proficiency and due professional care.
7/29/2019 iat manual final.doc
16/62
Position Description and Staffing Level
The companys internal audit department shall maintain the qualification
and level of staff to support the performance of audit engagement as planned. In
this connection, the organization of the internal audit department would consist of
the following team members:
Chief audit Executive
Audit managers
Senior auditors
Junior auditors
IS audit specialist
Staff Knowledge and Skills
In order for the internal audit staff to carry out its work, the different
knowledgeable and competency expected has to be maintained in the audit
department staff membership. In case, there are competencies required for
certain audit engagement, which are found within the staff membership, the
Department is authorized to source such requirements from external
organizations providing such qualifications.
To define the different knowledge and skills requirements of the
department, below is a guideline, based on SPPIA, which may be used.
Each internal auditor should possess certain knowledge skills and other
competencies:
Proficiency in applying internal auditing standards, procedures, and
7/29/2019 iat manual final.doc
17/62
techniques is required in performing internal audits. Proficiency means the ability
to apply knowledge to situations likely to be encountered and to deal with them
without extensive resources to technical research and assistance
Proficiency in accounting principles and technique is required of auditors
who work extensively within financial records and reports.
An understanding of management principles is required to
recognize and evaluate the materiality and significance of deviations from good
business practices. An understanding means the ability to apply broad
knowledge to situations likely to encountered, to recognize the significant
deviations, and to be able to carry out the research necessary to arrive at
reasonable solutions.
An appreciation is required of the fundamentals of such subjects as
accounting, economics, commercial law, taxation, finance quantitative methods,
and information technology. An appreciation means the ability to recognize the
existence of problems or potential problems and to determine further research to
be undertaken or the assistance to be obtained.
Internal auditors should be skilled in dealing with people and in
communicating effectively; internal auditors should understand human relations
and maintain satisfactory relationships with engagement clients. Internal auditors
should be skilled in oral and written communications so that they can clearly and
effectively convey such matters as engagement objectives, evaluation, and
7/29/2019 iat manual final.doc
18/62
recommendation.
The chief audit executive should establish suitable criteria of education
and experience for filling internal audit positions, giving due consideration to
scope of work and level of responsibility. Reasonable assurance should be
obtained as to each prospective auditor s qualifications and proficiency. The
internal audit staff should collectively possess the knowledge and skills essential
to the practice of the profession within the organization.
Audit Staff Processional Certification
The internal audit department recognizes the different certification programs
available for members of the internal auditing profession. The department places
value on certification garnered by staff members of the department. Such
certifications may include the following:
Certified Public Accountant (CPA)
Certified internal auditor (CIA)
Certified information system auditors (CISA)
Certification in Control Self-Assessment (CCSA)
Continuing Professional Education
To ensure the maintenance of sufficient qualification to service the audit
engagement, the Internal Audit Department provides internal audit staff the
opportunity to advance his/her level of skill and responsibility. The internal Audit
department shall have a training program that will provide the staff with the
means to learn new methods and develop new skills.
Training program has as their main goal the achievement of both
7/29/2019 iat manual final.doc
19/62
individual staff goals and objectives of the internal audit activity. To achieve this
training should be a continuing program, not just an occasional seminar. A
continuing program should provide for senior auditors to be assigned for a period
of time to supervisory positions, and for supervisors to be assigned a managers
responsibilities. This promotes staff learning firsthand the skill and responsibilities
required of the position above them.
The continuing professional education objective may be implemented by:
Budgeting an appropriate amount of money to be spent on training seminars and
courses each year and spending the money.
Ask staff members to document their plan to improve their skill and
knowledge each year.
Supporting and promoting opportunities for people who continue to
improve and develop their knowledge and skill.
Maintain catalogs of seminar and extension courses for both in-house and
outside training.
Developing recognition programs with incentives for the staffs who are
working on or who have advanced degrees and professional certification.
10. 7 Internal Audit Professional Organization and Governing Bodies
Institute of Internal Auditors (IIA)
IIA is the primary international professional association, organized on a
worldwide basis, dedicated to the promotion and development of the practice of
internal auditing. The IIA are the recognized authority, chief educator, and
7/29/2019 iat manual final.doc
20/62
acknowledged leader in standards, education, certification, and research for the
profession worldwide. For additional information about The Institute, refer to
contacts below.
The Institute of Internal Auditors 247 Maitland Avenue Altamonte
Springs, Florida 32701-4201 USA+1-407-937-1100 Fax +1-407-937-1101
www.theiia.org
Institute of Internal Auditors- Philippines (IIA-P)
The Institute of Internal Auditors Philippines is the primary association of
internal auditors in the Philippines dedicated to develop and promote the practice
of internal auditing, it serves as the principal educator of internal auditors and
provides professional guidance on emerging issues and trends that impacts the
profession.
We, the primary professional association of internal auditors in the Phils.,
are committed to develop and promote the practice of internal auditing,
consistent with recognized professional standards.
In the Philippines, the IIA-P handles the local function of the IIA, it being
the Philippine affiliate. For additional information about IIA-P, refer to contacts
below:
Corporate Address: Unit 1803 & 1807 Cityland Herrera Tower, V.A. Rufino
St. cor. Valero St., Makati City
Contact Numbers: +632 813 2553, +632 812 2754, +632 753-3272, +632
753-3271
7/29/2019 iat manual final.doc
21/62
Fax Number: +632 325 0414
Email Address: [email protected]
Website: http://www.iia-p.org
Information System Audit and Control Association (ISACA)
ISACA is an international professional association that deals with IT
Governance. Previously known as the Information Systems Audit and Control
Association, ISACA now goes by its acronym only, to reflect the broad range of
IT governance professionals it serves. ISACA and its affiliated IT Governance
Institute lead the information technology control community and serve its
practitioners by providing the elements needed by IT professionals in an ever-
changing worldwide environment.
7/29/2019 iat manual final.doc
22/62
AUDIT CONCEPTS AND STANDARDS
20.1 Professional practice framework
The Companys Internal Audit Staff, especially those members of the IIA
and has Certified Internal Auditor (CIA) certification, adheres to the guidelines set
by the Professional Practice Framework. The IPPF is intended to assist
practitioners and stakeholders throughout the world in being responsive to the
expanding market for high quality internal auditing (International Professional
Practices Framework).
The Professional Practice Framework consists of three types of instruction:
1.) Mandatory Guidance
2.) Practice Advisories, and
3.) Development and Practice Aids.
20.2 Internal Audit code of ethics
The Spoon and Fork Manufacturing Company's Internal Audit department
subscribes to the Code of Ethics of the Institute of Internal Auditors. The Institute
of Internal Auditors (IIA) is the setting - body for the internal audit profession
globally.
The purpose of the Code of Ethics is to promote an ethical culture in the
7/29/2019 iat manual final.doc
23/62
profession of internal auditing. The Code of Ethics is necessary and appropriate
for the profession of internal auditing, founded as it is on the trust placed in its
objective assurance about risk management, governance, and control. The Code
of Ethics extends beyond the definition internal auditing to include two essential
elements:
1. Principles that is relevant to the profession and practice of internal auditing
2. Rule of Conduct that describes behavior norms expected of internal
auditors. These rules are an aid to interpreting the Principles into practical
applications and are intended to guide the ethical conduct of internal
auditors.
The four core values or principles considered essential to the effective
practice of internal auditing are Integrity, Objectivity, Confidentiality, and
Competency.
These rules are accompanied by 12 rules conduct describing specific
behaviors expected of internal auditors. The rules serve as practical
applications of their four principles and are intended to guide the ethical
conduct of internal auditors. The purpose in the code is to promote an
ethical culture in the profession of internal auditing.
20.3. Standards for the professional practice of Internal Auditing
To provide assurance that the Spoon and Fork Manufacturing Company's
Internal Audit Department operates at a high professional level, the department
adhered to the Standards for the Professional Practice of Internal Auditing issued
7/29/2019 iat manual final.doc
24/62
by the IIA.
These standards are principles - focused, mandatory requirements
consisting of:
Statements of basic requirements for the professional practice of internal
auditing and for evaluating the effectiveness of performance, which are
internationally applicable at organizational and individual levels.
Interpretations, which clarify terms or concepts within the Statements.
The Standards consists of three components:
1. Attribute Standards address attribute of organizations and individuals
performing internal auditing services.
2. Performance Standards described the nature of internal auditing
services and provide quality criteria against which the performance of
these services can be measured, and
3. Implementation Standards provide guidance applicable in specific
types of engagements. These standards may be expanded to ultimately
address industry-specific, regional, or specialty types of audit.
20.4. Internal control framework
The company adopts the Commission on Sponsoring Organization
(COSO) definition of internal control. Internal Control, under COSO definition, is a
process affected by an entity's board of directors, management, and other
7/29/2019 iat manual final.doc
25/62
personnel, designed to provide reasonable assurance regarding the achievement
of objectives in the following category: effectiveness and efficiency of operations,
reliability of financial reporting, and compliance with laws and regulations.
Elements of Internal Control
Control Environment
Control environment sets the tone of an organization, influencing the
control consciousness of its people. It is the foundation for all other components
of internal control. Control environment factors include the integrity, ethical
values, and competence of the entity's people; managements philosophy and
operating style; the way management assigns authority and responsibility, and
organizes and develops its people; and the attention and direction provided by
the board of directors.
Risk Assessment
Risk assessment is the identification and analysis of relevant risks
to achievement of the objectives, forming a basis for determining how the risks
should be managed. Certain broad objectives include operational, financial
reporting, and compliance objectives.
Control Activities
Control activities are the policies and procedures that help ensure
management directives are carried out. They help ensure that necessary actions
are taken to address risks to achievement of the entity's objectives. Control
activities occur throughout the organization, at all levels and in all functions.
Information and Communication
7/29/2019 iat manual final.doc
26/62
Pertinent information must be identified, captured, and communicated in a
form and time frame that enable people to carry out their responsibilities.
Information is only used when communicated appropriately.
Monitoring
Internal control systems need to be monitored- a process that assess the
quality of the system's performance over time. Monitoring includes regular
management and supervisory activities and other actions personnel take in
performing truer duties.
20.5. Control objective for information and related technology
The Internal Audit Department of the company adopts the control
objectives of information and related technology released by the ISACA as the
basis of its audit work relating to information system and related technology.
Information
Accurate and timely information must be available to those management
representatives that need it at all levels of an organization to run the business
effectively. Not only must be provided "to appropriate personnel so they can carry
out their operating, financial, reporting and compliance responsibilities," but
communication also must take place in a broader sense, dealing with
expectations, responsibilities of individuals and groups, and other important
matters.
The access of information of the company must be monitored especially if
unauthorized person can or maybe able to access confidential information.
7/29/2019 iat manual final.doc
27/62
Information Technology
IT controls have not always been the default condition of new systems
hardware or software. The development and implementation of controls typically
lag behind the recognition of vulnerabilities in systems and the threats that exploit
such vulnerabilities. Further, IT controls are not defined in any widely recognized
standard applicable to all systems or to the organizations that use them.
The compliance with applicable regulations and legislation, consistency
without the organization's goals and objectives, and the use of releasable
evidence are use to assess IT and to provide and document its own internal
control framework to meet the organizations objectives.
20.6. Risk framework
Risk in consideration in planning the Audit
The Internal Audit Activity's audit plan shall be designed within the
framework of the Company's risk strategy. In this regard, the risk-based
approach to auditing shall be implemented and adopted by the Internal Audit
Department. Also, the Department shall coordinate its audit approach with the
overall Company's risk management system.
The internal audit activity's audit plan should be designed based on an
assessment of risk and exposures that may affect the organization. Ultimately,
the audit objective is to provide management with information to mitigate the
negative consequences associated with accomplishing the organization's
objectives. The degree or materiality of exposure can be viewed as risk mitigated
7/29/2019 iat manual final.doc
28/62
by establishing control activities.
The audit universe can include components from the organization's
strategic plan. The audit universe can be influenced by the results of the risk
management process. When developing audit plans the outcomes of the risk
management process should be considered.
Audit work schedules should be based on, among other factors, an
assessment of risk priority and exposure. Prioritizing is needed to make
decisions for applying relative resources based on the significance of risk and
exposure.
Change& in management direction, objectives, emphasis, and focus
should be reflected in updates to the audit universe and related audit plan.
In conducting audit engagements, methods and techniques for testing and
validating exposures should be reflective of the risk materiality and likelihood of
occurrence.
Management reporting and communication should convey risk
management conclusions and recommendations to reduce exposures. For
management to fully understand the degree of exposure, it is critical that audit
reporting identify the criticality and consequence of the risk activity to achieving
objectives.
The chief audit executive should, at least annually, prepare a statement of
the adequacy of internal controls to mitigate risks. This statement should also
comment on the significance of unmitigated risk and management's acceptance
of such risk.
7/29/2019 iat manual final.doc
29/62
20.7. Business Risk model and Risks definition
Business Risk model
Internal Audit Department considers the following risks in the planning the
audit:
-Strategic risks
-Compliance risks
-Reporting risks
-Operational risks
Risks
Risk is the possibility that an event will occur and adversely affect the
achievement of objectives. It is the possibility that the company may not attain its
goal due to the threat.
Audit Evidence
Obtaining of Evidence
The work of internal audit depends largely on documenting the audit
procedures performed. These audit work and conclusions thereto are supported
with audit evidence. The audit engagement team should obtain sufficient
appropriate audit evidence to be able to draw reasonable conclusions on which
to base the audit opinion and other reports thereto.
If unable to obtain sufficient appropriate audit evidence, however, the audit
7/29/2019 iat manual final.doc
30/62
engagement team needs to state the reasons for such situation, and the
limitations should be included in the audit report.
Sufficiency of Evidence
Sufficiency is a measure of the quantity of audit evidence. Sufficiency is
related to the extent of our audit work and the corresponding evidence to be
gathered from such work. We judge the required extent of audit procedures by
considering the required volume of audit evidence necessary to achieve the audit
objectives. The use of inspection, observation, inquiry and interview,
confirmation, and computation are sufficient to conduct the audit is a sufficient
means of evidence.
Appropriateness of Audit Evidence
Appropriateness is a measure of the quality of audit evidence, its
relevance to an assertion and its reliability. Appropriateness is related to the
nature and timing of our audit work.
The evidence gather are in its reasonable time to add economic value to
the objective of the organization. The use of manual audit procedure and
computer - assisted audit techniques are used to tests the objectives of Spoon
and Fork Manufacturing Company.
The internal auditors time of testing the operating effectiveness of manual
and computer - assisted audit techniques will be to the time that will cover the
operations.
Nature
7/29/2019 iat manual final.doc
31/62
We judge the nature of the required audit procedures by considering the
following generalizations:
Audit evidence obtained from outside the entity is more persuasive than
that obtained from within the entity;
Audit evidence obtained from or created by unrelated third parties is more
persuasive than that obtained from related parties;
Audit evidence obtained from inside the entity is more persuasive when
related controls are effective;
Audit evidence obtained directly through performing an inspection,
observation or computation is more persuasive than that obtained indirectly by
inquiry of others;
Audit evidence in the form of documents and written representations is
more persuasive than oral representations;
Audit evidence obtained from several sources that suggest the same
conclusion is more persuasive: than that obtained from only one source.
Timing
Some of the accounting data and corroborating information are available
only manual form at a certain period in time, or date, or moment in time. We
consider the time during which information exists or is available in determining
the timing audit procedures applicable.
Techniques to obtain audit evidence
We obtain audit evidence by performing an appropriate mix of audit
procedures, including tests of control, analytical procedures and tests of details.
7/29/2019 iat manual final.doc
32/62
Such audit work 'involves inspection, observation, inquiry, confirmation, and
computation as the techniques used to obtain evidence for the audit.
Inspection
Inspection involves reading records or documents, either visually or
electronically. Unlike observation, we do not need to be present at the time a
process or procedure is performed to obtain audit evidence. Inspection also
includes examining tangible items such as an item of equipment or inventory. We
often use inspection techniques as part of our follow-up procedures for
observations or enquiries.
Observation
Observation involves looking at the process or procedure performed by
others. We often use observation techniques to obtain an understanding of, and
test controls. In these situations we:
Observe and evaluate the performance of the control.
We observe the operation of the control and compare it to our
understanding of what ought to happen. There is always a danger that when we
observe a control it will be performed correctly just because we are present.
We assess this risk.
Ask what happens when breakdowns in control are found.
An operations control operates by preventing or detecting and correcting a
misstatement of theft.
7/29/2019 iat manual final.doc
33/62
Find instances where errors have occurred and review clearance.
To assess the effectiveness of the operations control, we investigate
occasions where the operations control has prevented, detected or corrected
theft in the operations.
Assess adequacy of procedures.
For an operations control to be effective, any misstatement detected must
be corrected. We assess both the operation of the operations controls in
preventing / detecting a misstatement and the subsequent corrective action.
Inquiry
Inquiry technique consists of asking appropriate questions of knowledgeable
persons inside or outside the entity, listening to and considering their responses,
asking follow-up questions, corroborating information, as appropriate.
Inquiry is an important technique both in obtaining knowledge of an entity's
business and in performing tests of control. It is more than simply asking the
entity's staff for information or to confirm that they perform specified activities. It
involves:
External confirmation
An external confirmation is a direct communication from a third party in
response to an inquiry requesting information.
The degree of our professional skepticism is heightened if we obtain
information that leads to questions about the respondent's competence,
knowledge, motivation, ability, or willingness to respond or about the
7/29/2019 iat manual final.doc
34/62
respondent's objectivity and freedom from bias. We usually apply alternative
audit procedures when we do not receive responses to positive confirmation
requests.
Computation
Computation involves checking the arithmetical accuracy of source
documents and accounting records or performing independent calculations.
Computer assisted audit techniques (CAATs) can remove much of the
mechanical routine of audit work. They can be used in the performance of tests
of control, analytical procedures and tests of details.
Data interrogation, which refer to performing audit tests to client's data
using CAATs, may allow us to apply audit procedures that would otherwise be
very time consuming, because of the sheer volume of information to investigate
or the complexity of the audit procedures, or a combination of both;
7/29/2019 iat manual final.doc
35/62
AUDITING PLANNING
30.1 Introduction
Audit planning shall be done annually to reflect the most current strategies
and direction of the Company. The Audit Plan should be prepared based on an
assessment of risks and exposures that may affect the organization.
There are three main benefits from planning audit. First, it helps the
auditor obtain sufficient appropriate evidence for the circumstances. Second, it
helps keep audit costs at a reasonable level. Third, helps avoid
misunderstandings with the client.
"Auditors should plan the audit work so that the engagement is
performed in an effective manner. It is important to clarify what are meant by the
terms overall audit strategy and audit plan as per ISA 300. The overall audit
strategy describes in general terms how the audit is to be carried out and the
audit plan details the specific procedures to be carried out to implement the
strategy and complete the audit. It is also important for students to understand
the precise meaning of the risk terms: audit risk and inherent risk as both risks
influence how the audit is carried out and the costs involved.
The best way to add value to an organization is to make sure the risk
assessment and the plan developed from the assessment reflect the overall
objectives of the organization. Risk assessments need to include input from
management. To accomplish this, there is a need to study the Company's
strategic plan and then discuss with management where the risks are in
obtaining the objectives.
7/29/2019 iat manual final.doc
36/62
The overall objective of an internal audit activity is to provide management
with information to lessen the negative consequences associated with
accomplishing its objectives. Implementing control activities in areas where the
risks are high can mitigate the risks of an organization not accomplishing its
goals.
A risk-based audit plan ensures that audit activities are effectively focused
on those areas where the risks or materiality of exposure is greatest.
30.2 Strategic Analysis
Strategic Analysis is performed to provide initial understanding of the
business risks that can be linked to strategic objectives of the Company. This
would pave way to the identification of the business risks that will be assessed in
the succeeding part of the audit planning activity. In detail, the strategic analysis
is undertaken to:
Gain a high-level understanding of a Company's business, its markets and
external forces;
Understand and identify the Company's strategic objectives that provide
for its business continuity and strategic vision;
Understand how the Company reacts to these challenges;
Provide foundation for the Annual Audit Plan;
Assist in identifying the key business processes that address strategic
risks and will be targeted for audit engagements.
7/29/2019 iat manual final.doc
37/62
Data Requirements and Sources
In order for the Internal Audit Team to proceed to analyze strategies of the
Company for audit planning purposes, it has to obtain the following information:
- Company's vision, mission, goals
- Objectives and strategies to achieving the objectives
- Business plans
- Organization charts
- Industry data and literature
Procedures -- Strategic Analysis
The procedures for strategic analysis that are listed below may be
performed concurrently to a certain extent and would normally overlap. In
performing these activities, care should be exercised to determine that no
duplication takes place and that the whole Strategic Analysis process is
undertaken in the most efficient and cost effective manner.
1. Review Background Information
The review of background information will enable the INTERNAL AUDIT
team to understand the detailed operations of the Company and environment in
which it operates. The background information may be obtained through in-house
or external sources. It is recommended that the audit team obtain all relevant
internal and external data relating the operations of the Company.
7/29/2019 iat manual final.doc
38/62
Sources of the required information include, among others, the following:
Chief Executive Officer and other senior management; Chairperson of the
Board and/or the Audit Committee and other Directors; Persons external to the
organization who are knowledgeable about the Company, its operations, its
prospects and the industry in general. These may include analysts, customers,
lenders, suppliers, alliance partners, industry professionals, the external audit
partner/manager, other consultants, etc.
2. Identify Business Objectives & Strategies
We have focused on understanding the client, the industry in which it
operates and the client's position in the industry. At this point we integrate this
information with the business objectives and strategies the client management
has chosen for achieving its business objectives. The identification and review of
the client's business objectives and management's strategies/plans to meet
these objectives is primarily achieved through:
Discussions with Directors and senior management;
Review of business and strategic plans prepared by management;
Review of other relevant documentation (e.g., vision, mission and values
statements, minutes of Board/executive committee meetings, special Board
resolution, etc.)
At the conclusion of this step we document the strategic objectives and the
7/29/2019 iat manual final.doc
39/62
strategies in place to achieve each objective.
3. Analyze Business Objectives & Strategies
Having identified the client's business objectives and strategies, we
objectively assess their reasonableness in light of our knowledge of the
organization and the industry in which it operates. By combining the background
information with Strategic Analysis tools and models, we perform an objective,
balanced evaluation of the Company's organizational structures, processes and
strategic plans.
After performing the analysis, we document our analysis which will be the
basis in discussing them with senior management of the Company.
4. Confirm the Results of Analysis with Management
The INTERNAL AUDIT team presents the results of its analysis to
management to get agreement and input on our understanding of their corporate
objectives, market strategies, organizational structures and processes, and
general risk areas that may threaten the achievement of objectives. At the end of
this activity, the audit team should have the following already documented:
A summary of the market issues identified;
A list of the general risk areas
5. Periodically Revise/Update Strategic Analysis
The Strategic Analysis performed, together with the related risk
assessments, is regularly reviewed and updated to take account of changing
circumstances, new management strategies and risks. This update takes place
at least annually with a complete re-performance of the Strategic Analysis and
7/29/2019 iat manual final.doc
40/62
risk assessment occurring every three to five years, or more frequently as
required.
30.3Risk Assessment and Risk Management System
Risk Management System
It is the responsibility of the Company's Management to institute a risk
management system to ensure that the Company is ready to face the business
challenges. Management need to understand the major risks that the business
faces, if they are to avoid being adversely affected by unexpected or uncontrolled
events.
They need to identify areas of risks, assess the likelihood of an adverse
event arising and consider the potential effect of such an occurrence. Only then
can they decide how to respond to the risk and take steps to minimize its effect.
These activities, when institutionalized represent the risk management system of
the Company.
The risk management system may be considered effective if it achieves at
least the following key objectives:
Risks arising from business strategies and activities are identified and
prioritized. Management and the board have determined the level of risks
acceptable to the organization, including the acceptance of risks designed to
accomplish the organization's strategic plans. Risk mitigation activities are
designed and implemented to reduce, or otherwise manage, risk at levels that
were determined to be acceptable to management and the board. Ongoing
7/29/2019 iat manual final.doc
41/62
monitoring activities are conducted to periodically reassess risk and the
effectiveness of controls to manage risk.
It should be stressed that the board and management receive periodic reports
of the results of the risk management process. The corporate governance
processes of the Company should provide periodic communication of risks, risk
strategies, and controls to stakeholders.
Risk Assessment
As part of the annual audit planning to be done by the Internal Audit
Department, considerable time has to be spent on establishing a good
assessment of the risk position of the Company.
The auditors main concern is the risk of material misstatement in
the financial statements due to client business risk. It is important to note that not
all business risks will turn into risks leading to material misstatement in the
financial statements.
In this regard, the Internal Audit Department has to undergo an annual
assessment of the risk management system.
The objectives of the assessment are:
Focuses the internal audit effort on strategic risks identified by
management that have the greatest potential effect on the Company;
Provides a trial to demonstrate whether the Audit Plan is aligned with the
Company's strategic risks;
Provides risk awareness and education of the Management and
stakeholders;
7/29/2019 iat manual final.doc
42/62
Assists compliance to corporate governance codes, reports and
legislation;
It provides access, exposure and relationship-building with senior
management in the Company.
Develop foundations that will assist in identifying the key business process
that mitigate strategic risks and should be targeted for individual audit
engagements (Audit Process)
In doing the risk assessment, the following activities have to be done:
1. Establish and Agree Criteria to Assess the Significance of Risks
The INTERNAL AUDIT team assists management to develop criteria to be
used in assessing the significance of risks identified in the Strategic Risk
Assessment process. The significance of the risks identified can be determined
by considering two factors:
The potential IMPACT of the risks;
The LIKELY HOOD that the risks will occur.
30.4 PERFORM PRELIMINARY ANALYTICAL PROCEDURES
Analytical procedures applied at the planning stage can assist the auditor
in gaining an understanding of the clients business and in assessing client
business risk. ISA 520 states, The auditor should apply analytical procedures at
the planning and overall review stages of the audit. ISA 520 Analytical
Procedures states that analytical procedures include the consideration of
7/29/2019 iat manual final.doc
43/62
comparisons of the entitys financial information with, for example:
Comparable information for prior periods
Anticipated results of the entity, such as budgets or forecasts, or
expectations of the auditor, such as an estimate for depreciation
Similar industry information, such as comparison of the entitys ratio of
sales to receivables with industry averages or with other entities of comparable
size in the same industry
30.5 Setting the Audit Universe
Defining the Risk Criteria
For each risk unit identified and listed in the risk profile, assign weight to each
risk by using points for each risk criteria defined below:
Control Environment based on preliminary assessment
Prior Audit Findings based on prior audit experience
Management/Interest concern how much concern management put into
it
Comfort with Operations Management based on operating management
experience
Changes to system whether new system or new changes to system
introduced
Asset sensitivity whether related asset accounts are susceptible to
7/29/2019 iat manual final.doc
44/62
exposure
Size/Amount relates to revenue, expenses, asset or liability impact
Date last audited whether the area has not been audited for a while
Using a worksheet to summarize the criteria for each risk identified and listed
in the risk profile , assign to each criterion a weight of 1 to 5, 1 being the least
impact or risk and 5, most impact. Get the sum of the points assigned to all the
criteria for each risk item. After getting all the summary points, rank the risks
based on these total points in the order of risk impact i.e. the highest total points
to the lowest total.
Ranking the Audit Universe
An audit universe represents the potential range of all audit activities and
is comprised of a number of auditable entities. These entities generally include a
range of programs, activities, functions, structures and initiatives which
collectively contribute to the achievement of the department's strategic
objectives.
The last step in constructing the risk model is ranking all the
auditable items in the universe. Each auditable area should be evaluated using
risk rating opposite the auditable area identified. The scale to be used is listed
below:
1 = Low risk
2= Medium risk
7/29/2019 iat manual final.doc
45/62
3= High risk
4= Extreme risk
Based on the assessment specified for each auditable area, these areas
will have to be listed in the audit plan in the order of importance and assign a
frequency or times the audit area will be performed.
Risk-based Audit Plan
Audit Universe Audit Plan Total
Coverage
10 % 100% 10%
20% 50% Sampled 10%
40% 10% Sampled 4%
30% 5% Sampled 1%
100% 25% of
Universe 4-Year
Cycle
7/29/2019 iat manual final.doc
46/62
The sample risk-based audit plan presented above indicates the level of
effort that has to be spent when planning for the audit of the areas included in the
scope of the audit plan. Such is the case when not all or 100% of the auditable
areas could be covered by the audit team or audit resources in a given period. A
prioritization and allocation of the resources could be done by sampling the areas
that need not be covered 100% in one period.
30.6 Engagement Time and Cost Estimates
After compiling a list of major auditable units and subunits, identify a
number for planning purposes that represents the hours that will be allocated for
auditing each auditable unit. The hours estimated for each unit should include
time for the following:
Conducting the preliminary survey
Developing the audit test work program
Performing the fieldwork, and;
Communicating the results of the review to management
As the budget time and costs for the entire audit areas are identified and
summarized, the audit team has to prepare the final audit plans budget. Below is
a benchmark allocation of the total budget for each year.
7/29/2019 iat manual final.doc
47/62
Activity Percentage Allocation
Developing the Audit Plan 10-20%
Administration and overall Engagement
Management
10-20%
Reviews contained in the plan and
deliverables
50-80%
Follow up 5-15%
Special projects 0-30%
Attendance at Audit Committee
meetings
5-10%
The following points have to be considered also when preparing the audit budget:
Administration and management of the overall engagement is a significant
task and should not be underestimated. This however can appear significant to
the client and hence can be blended by allocating this amongst the reviews in the
plan.
A separate allocation for special projects during the year may be required.
The advantages of this approach are flexibility and ability to respond quickly
without protracted negotiations and seeking of funding. The disadvantage of this
approach is that the internal audit team could spend a significant amount of time
on PREFERRED type reviews which could undermine the value to the
Company if the reviews are not strategic or addressing significant risks. It is
usually done to avoid allocating money for special projects unless specifically
requested by Management.
7/29/2019 iat manual final.doc
48/62
30.7 Audit Staffing and Logistical Plan
Based on the engagement time and cost estimates computed for each
audit engagement planned during the year, the audit team has to determine how
much audit staff quantity and quality could support such requirements as well as
the other overhead costs to be incurred in servicing all the audit engagements.
Using the required hours on the engagement (staff and supervisors time),
compute the number of staff and supervisors that has to be working on the
planned audit engagements for the year.
If it appears that there is not enough staff to work on the engagement and
there is limitation on the total peso budget allocated to staff costs for the
department, the audit team may have to balance the factors by establishing a risk
strategy or selection policy based on the following:
Where the audit team may start to work on audit engagements from
top of the list with the high-risk audits and proceed to the engagements
with less risk as they complete those jobs from the top of the list.
Coordinate with external auditor on the scope of the external audit
work to be covered since the latters work may have some cost
consideration and work duplication impact with the work of the internal
audit team.
Allow the assignment of certain staff to work at the same time on
projects at the top of the list and succeeding jobs following such top
priority audit job.
When the second option is chosen, it may be necessary to develop
7/29/2019 iat manual final.doc
49/62
a strategic audit plan of 2-3 years to accommodate overflow of the
estimated hours to be worked on by staff in projects that cannot be
covered in one year.
However, it should be assured by the team that the plan for 12
months be updated each year. The CAE has to finally decide on which
approach will satisfy the objectives of the department and the Company as
a whole.
30.8 Approval and Communication Audit Plan
After completing all the data necessary to formulate the audit plan, a draft
may already be prepared for presentation to the Audit Committee. This enables
the Audit Committee to make an informed decision on whether the annual audit
plan coverage is sufficient to meet their governance obligations.
The draft audit plan should have the following elements or selections:
- Planning process and approach
- Business risk matrix
- Summary of reviews by strategic and significant risk
- Risk rating criteria
- Business Process Matrix
- Scopes of reviews
- Detailed list of risks which will not be addressed within the proposed
plan
- Budget and indicative timing
7/29/2019 iat manual final.doc
50/62
Once the audit team is able to formulate the audit plan containing the
above information, it may already present this to the Audit Committee. There is a
negotiation process that may take place on the scope of work to be undertaken.
AUDITING PROCESS
40.1. Audit Engagement Plan
Determine engagement objectives and scope
In executing the aim of the department, the Internal Audit will focus on the
7/29/2019 iat manual final.doc
51/62
following goals:
Perform all audits in compliance with International Standards for the
Professional Practice of Internal Auditing (Standards)
Adhere to the Code of Ethics of the Institute of Internal Auditors
To ensure that annual reporting assigned time budgets
Understand the auditee including the auditee objectives
The SNIPS Utensils Manufacturing locates at Muoz, Quezon City has the
goal to expand their company not only locally but international and be the
number one supplier of Utensils in the Philippines
Identify the assess risk
There are a lot of known competitors in the market
The Company is new to Market
There are cheaper Utensils in the market.
The process of establishing branch abroad is not easy.
Identify key control activity
Establish a strategy to override the competitors.
Evaluate adequacy of control design
The controls are adequate but added recommendation will be needed to improve
the operations of the company by department.
Develop a Work Program
An audit program is a detailed plan of tasks to be performed during the
audit in order to assess the quality of management systems and practices in the
7/29/2019 iat manual final.doc
52/62
organization. This will provide the auditor with sufficient evidence to support the
audit conclusions. Key aspects of the audit plan include:
1. Understand the objective of the department
2. Determine whether the objective of the department being audited meet
the objectives
3. Know the risks of the department for not attaining the set objectives
4. Know the problem in the department by interviewing, observing and
inspecting the department need for the audit
5. Look for the records of the department
6. Assess the risks given the information gather
7. Identify the control activities to prevent those risks
8. Evaluate the adequacy of the controls given
9. Finalize the process
10. Prepare an Audit report
11. Communicate the Audit report
12. Follow - up and monitor the given recommendations if they are being
implemented by the department being audited
Allocate Resources to the Engagement
The need of the ability of acquiring information about the auditee is
needed in the engagement. The time allotted in auditing one department of the
company is based on the time allotted given by the board in a time that could
improve the operations of the company.
7/29/2019 iat manual final.doc
53/62
40.2. Opening Conference
The opening conference should be held to gather information about the
mission, critical processes, and control procedures of the unit. The auditor uses
this information in the risk assessment process to determine an appropriate
objective and scope for the audit. Under some conditions, the objective and
scope may be predetermined. The auditor should prepare an opening conference
e-mail confirming the appointment. The e-mail should briefly state the
announcement of the audit; the date, time, and place of the opening conference;
the purpose of the opening conference; and the desire to resolve any questions
regarding the tentative draft objective and scope.
Audits with a surprise component, such as investigative audits, cash
counts, etc., may not have an opening conference.
The opening conference is an important step in a regular audit. It is an
opportunity to establish the proper tone and to begin building good relationships.
Explain the "who, what, where, when, why, and how" for those who have not
been exposed to the audit process.
40.3. Process Analysis
Process Documentation
1.Marketing Department
a. Objectives of Internal Audit
-Ensure that marketing strategies are being met.
-Determine whether the personnel in marketing department are doing their
job well.
7/29/2019 iat manual final.doc
54/62
-Establishing and communicating of overall product or marketing strategy.
b.Internal Audit Procedures
-Evaluate the effectiveness of their marketing strategy like observation
and survey.
-Assessing the rules and regulation of marketing department of the
personnel.
-Evaluate customer research
-Know market condition
-Assessing the marketing plan changes as needed
2.Human Resource Department
a. Objectives of Internal Audit
-To determine the proper hiring of employees to audit the HR.
-Appraise and develop internal personnel resources.
-To ensure that HR is not hiring incompetent or suspicious applicant that
might commit fraud or destruction to the company.
b. Internal Audit Procedures
-Make a surprise visit to HR department when there is a hiring session.
-Ask a current report to the HR department whenever there is a new hire
employee to the company.
-Attend some of the training meetings and appraise the receptivity on part
of the trainee.
-Evaluate the procedures in terms of efficiency, economy and
7/29/2019 iat manual final.doc
55/62
effectiveness.
3. IT Department
a. Objectives of Internal Audit
-To determine whether the IT department is complying e- commerce
policies and others computer supported systems law.
b. Internal Audit Procedures
-Examine the profile of the IT personnel to see his capacity and
effectiveness of the company computer system
4. Production Department
a. Objectives of Internal Audit
-To evaluate production performance for a specific period of time to
promote understanding of production related cost interdepartmentally and
by upper management.
-To set specific goals that will meet by future objectives.
b. Internal Audit Procedures
-Check first the raw materials to be used in the product and must be
supervised by the head supervisor as to what quality they want to be an
output.
5. Warehouse Department
a. Objectives of Internal Audit
-To determine the accuracy of all the purchases that goes inside the
7/29/2019 iat manual final.doc
56/62
warehouse and the security as well.
b. Internal Audit Procedures
-There must have a security personnel example security guard to check all
the reports and receipts of all the inventories that comes in and out in the
warehouse. There should have verifiability.
-By attaching cameras and lock in the warehouse.
6. Accounting Department
a. Objectives of Internal Audit
-Efficient processing of financial data.
-Maintain adequate employee benefit program.
-Effective reporting format.
-Effective responsibility reporting.
-To ensure that the Accounting Department is complying with the rules
and regulations of a company and segregation of duties are implemented.
b. Internal Audit Procedures
-Discuss and observe whether they are follow.
-Review frequency of errors.
-Review supporting worksheets and sources of information.
-There must have an often meetings by the board of directors to ensure
that the said department is complying department.
7. Treasury Department
a. Objectives of Internal Audit
-To ensure the accuracy of daily transaction of the treasury department
7/29/2019 iat manual final.doc
57/62
b. Internal Audit Procedures
-Receives collections from various sources.
-Process payments of various disbursements and sees to it that funds
are available for these.
-Reports on a daily basis, the cash position of RCAM.
-Acts as comptroller, exercising discretionary authority within certain
clear limits.
8. Delivery department
c. Objectives of Internal Audit
- To assess the profile of the personnel in charge in delivering the product
so that conflict of interest be avoided. To examining the time on
scheduling on when delivering the product.
d. Internal Audit Procedures
-There should have Id requirements for every warehouse personnel who is
in charge for the delivery.
-Check the vendors voucher and the bulletin board to be able to deliver
the product on time.
40.5. Exit Conference
The exit meeting concludes the formal audit process. The final draft
version of the audit report is presented to management. Once the report is
7/29/2019 iat manual final.doc
58/62
finalized, it is prepared for distribution to the Audit Committee.
40.6. Audit Reporting
Audit Committee members are provided with the Executive Summary of all
audit reports. A detailed audit report is provided to Audit Committee members
upon request. In addition, the respective Vice-President is provided with an
Executive Summary. Detailed audit reports are distributed to management of the
areas or functions that were audited.
40.7. Follow-up and Monitoring
In some instances, follow-up audits or monitoring may be part of the audit
process. These projects are selected on an individual basis.
DOCUMENT &QUALITY REVIEW
50.1 Audit Work Documentation
Audit working papers are used to document the engagement process.
This documentation is the principal record of the procedures completed,
evidence obtained, conclusions reached, and recommendations formulated by
the internal audit team during the engagement.Working papers are records kept
by the auditor of the procedures applied, and the tests performed, the information
obtained and the pertinent conclusions reached.
7/29/2019 iat manual final.doc
59/62
Managing Work Papers
Managing the working papers is important in providing evidence that the
audit was performed appropriately (in relation to standards of auditing and other
legal requirements).
The internal auditors should prepare working papers which are sufficiently
complete and detailed to provide an overall understanding of the audit. The
internal auditor should record in the working papers information on planning the
audit work, the nature, timing and extent of the audit procedures performed, and
the results thereof.
Standard audit working papers
The internal auditor shall use standard working papers in documenting the
audit plan. The auditors need to consider the size and complexity of the audit
engagement when applying the use of standard working papers.
Document obtained from auditee
To improve audit efficiency, the auditor may keep the records obtain
during the audit for three years. In such circumstances, the auditor would need to
be satisfied that those documents have been properly prepared or have not been
tampered with. And the records are not already needed for the company.
Digital format working papers
Audit working papers may be printed or retained electronically. Working
papers in digital format are maintained using the same methodologies and
policies used SNIPS Utensils IT Department. To determine that electronic
7/29/2019 iat manual final.doc
60/62
documents have an owner who is conversant with the contents of the document
and that extraneous information is not being retained, the following guidance
applies to electric media.
Working Papers Organization and Indexing
Working paper files should be complete and well - organized. At the end of
an engagement, the files should be cleared out so they contain only the final
versions of the working papers completed during the engagement.
Ownership and Access to Working Papers
We should adopt appropriate procedures for maintaining the confidentiality
and safe custody of the working papers and for retaining them for a period
sufficient to meet the needs of internal audit and in accordance with legal and
professional requirements or record retention.
Audit working papers are the property of the Internal Audit Department.
The CAE considers requests to provide working papers or other documents for
inspection. We provide access to working papers only with the prior approval of
the CAE. In considering a request, the CAE may decide to consult with the Audit
Committee before deciding which working papers may be inspected.
50.2. Quality Assurance Program
The Internal Audit Department shall maintain a quality assurance
program to ensure consistent delivery of quality internal audits. Such quality
assurance program shall be an ongoing program and shall be compliant with the
proposed program by the IIA:
7/29/2019 iat manual final.doc
61/62
The chief audit executive should develop and maintain a quality assurance and
improvement program that covers all aspects of the internal audit activity and
continuously monitors is effectiveness. The program should be designed to help
the internal audit activity add value and improve the internal audit activity is in
conformity with the Standards and the Code of Ethics. (Standard 1300)
Objectives
The main objectives of the quality assurance program are to provide
reasonable assurance to management and the board that it performs in
accordance with the IIA Standards and the Code of Ethics perceived by all as
adding value and improving the organizations operation; and operates in an
effective and efficient manner.
Scope and Approach
The quality assurance program shall cover all aspects of the internal audit
activity, continually monitor the internal audit activitys effectiveness, assure
compliance with the Standards and Code of ethics, and include both periodic and
ongoing internal assessments.
Measuring the Internal Audit Activity Performance
Internal assessment should include:
Ongoing reviews of the performance of the internal audit activity. Periodic
reviews performed through self-assessment or by other persons within the
organizations who have knowledge of internal auditing practices and the
Standards.
7/29/2019 iat manual final.doc
62/62
External Assessment should be concluded at least once every five years by a
qualified, independent reviewer or review team from outside the organization.
The potential need for more frequent external assessments as well as the
qualifications and independence of the external reviewer or review team,
including ant potential conflict of interest, should be discussed by the CAE with
the board. Such discussions should also consider the size, complexity and
industry of the organization in relation to the experience of the reviewer or
review team.