Uploaded by Geraldine Palma

Compliance-Audit-Manual (2)

advertisement
COMMISSION ON AUDIT
COMPLIANCE AUDIT
MANUAL
DECEMBER 2018
funded by
GRANT NO. TFOA1162
TABLE OF CONTENTS
BACKGROUND .................................................................................................................................................................... 4
COMPLIANCE AUDITING IN THE PHILIPPINE PUBLIC SECTOR..................................................................... 5
CHAPTER 1 Basic Elements, Concepts and Principles of Compliance Auditing ........................................ 7
1.1 PUBLIC SECTOR AUDITING ...................................................................................................................... 7
Three Types of Public Sector Audits ............................................................................................................. 7
Compliance Audit in a Public Sector Context and Its Objective ............................................................ 8
Compliance Audit as a Stand-Alone Activity .............................................................................................. 8
Compliance Audit in Relation with Audit of Financial Statements ...................................................... 8
Compliance Audit in Combination with Performance Audit ................................................................. 9
1.2 BASIC ELEMENTS OF COMPLIANCE AUDITING ...................................................................................... 9
1.2.1 Subject Matter ...................................................................................................................................................... 9
1.2.2 Authorities and Criteria ................................................................................................................................. 10
1.2.3 Three Parties ..................................................................................................................................................... 11
1.2.4 Assurance ........................................................................................................................................................... 13
1.2.5 Types of Audit Engagements ........................................................................................................................ 14
1.2.6 Levels of Assurance and Types of Audit ................................................................................................... 16
1.2.7 Regularity and Propriety Compliance Audit............................................................................................ 16
1.3 PRINCIPLES OF COMPLIANCE AUDITING ............................................................................................. 16
1.3.1 Professional Judgment and Professional Skepticism ............................................................................ 17
1.3.2 Quality Control ................................................................................................................................................. 18
1.3.3 Audit Team Management and Skills ........................................................................................................... 18
1.3.4 Audit Risk ........................................................................................................................................................... 19
1.3.5 Materiality.......................................................................................................................................................... 19
1.3.6 Documentation ................................................................................................................................................. 20
1.3.7 Communication ................................................................................................................................................ 21
1.4 FRAMEWORK FOR COMPLIANCE AUDIT PROCESS .............................................................................. 22
1.5 SUMMARY................................................................................................................................................ 23
CHAPTER 2 Planning the Audit at Strategic Level ............................................................................................. 24
2.1 STRATEGIC PLANNING ........................................................................................................................... 24
2.2 IDENTIFICATION OF AUDIT TOPIC/ FOCUS.......................................................................................... 24
2.3 PRELIMINARY ENGAGEMENT ACTIVITIES/ INITIAL CONSIDERATIONS ........................................... 25
2.3.1 Consider Principles with Ethical Significance ......................................................................................... 26
2.3.2 Consider the Team Engagement and Their Competence..................................................................... 26
2.3.3 Ensure that Quality Control Procedures are in Place ........................................................................... 26
1
2.3.4 Determining the Level of Assurance to be Provided............................................................................. 27
2.4 SUMMARY................................................................................................................................................ 27
CHAPTER 3 Planning the Compliance Audit ........................................................................................................ 28
3.1 PLANNING AT ENGAGEMENT LEVEL .................................................................................................... 28
3.2 STEPS IN PLANNING THE AUDIT ........................................................................................................... 29
3.2.1 Determine the type of engagement- Direct Reporting or Attestation Engagement .................... 29
3.2.2 Identify Intended User(s), the Responsible Party, the Subject Matter, the Corresponding Audit
Criteria and Audit Scope ............................................................................................................................................ 29
3.2.3
Understand the Subject Matter Including Internal Control .............................................................. 32
3.2.3
Determine Materiality .................................................................................................................................. 34
3.2.4
Carry Out Risk Assessment and Assess Audit Risk ............................................................................ 35
3.2.5
Consider Noncompliance That May Indicate Suspected Unlawful Acts/Risks of Fraud.......... 41
3.2.6
Develop Audit Strategy and Audit Plan................................................................................................... 42
3.3 SUMMARY................................................................................................................................................ 43
CHAPTER 4 Performing the Audit Procedures to Gather Evidence ............................................................ 44
4.1 AUDIT EVIDENCE.................................................................................................................................... 44
4.1.1 Sufficient and Appropriate Audit Evidence ............................................................................................. 44
4.2 STEPS IN GATHERING EVIDENCE .......................................................................................................... 46
4.2.1 Gather Sufficient and Appropriate Evidence Through Various Methods and Procedures ........ 47
4.2.2 Continually update planning and risk assessment ................................................................................ 51
4.2.3 Consider noncompliance indicative of fraud and unlawful acts........................................................ 52
4.3 AUDIT SAMPLING ................................................................................................................................... 53
4.4 PROFESSIONAL SKEPTICISM AND JUDGMENT IN GATHERING AUDIT EVIDENCE ............................ 53
4.4.1 Professional Skepticism ................................................................................................................................. 53
4.4.2 Professional Judgment ................................................................................................................................... 54
4.5 SUMMARY................................................................................................................................................ 54
CHAPTER 5 Evaluating Evidence and Forming Conclusions ......................................................................... 55
5.1 STEPS IN EVALUATING AUDIT EVIDENCE AND FORMING CONCLUSIONS......................................... 55
5.1.1 Evaluate whether Sufficient and Appropriate Evidence is Obtained ............................................... 55
5.1.2 Consider Materiality for Reporting Purposes ......................................................................................... 56
5.1.3 Form Conclusions ............................................................................................................................................ 56
5.1.4 Communicate Compliance Audit Findings/Observations ................................................................... 58
5.2 SUMMARY................................................................................................................................................ 59
CHAPTER 6 Reporting a Compliance Audit......................................................................................................... 61
6.1 PRINCIPLES IN REPORTING A COMPLIANCE AUDIT ............................................................................ 61
6.2 STEPS IN REPORTING A COMPLIANCE AUDIT...................................................................................... 61
2
6.2.1 Prepare Audit Report...................................................................................................................................... 61
6.2.2 Perform Overall Audit Review, Approval, and Issuance of Compliance Audit Report ............... 64
6.2.3 Follow-up Agency Action Plan ..................................................................................................................... 64
6.3 TIMELY SUBMISSION AND PUBLICATION OF COMPLIANCE AUDIT REPORTS .................................. 65
6.4 SUMMARY................................................................................................................................................ 65
CHAPTER 7 Carrying Out Quality Control Procedures ................................................................................... 66
7.1 QUALITY CONTROL ................................................................................................................................ 66
7.2 HIGH QUALITY AUDIT ............................................................................................................................ 66
7.3 QUALITY CONTROL ACTIVITIES ............................................................................................................ 67
7.3.1 Adequate Training ........................................................................................................................................... 67
7.3.2 Supervision ........................................................................................................................................................ 67
7.3.3 Review ................................................................................................................................................................. 67
7.3.4 Consultation ...................................................................................................................................................... 68
7.4 ENGAGEMENT QUALITY CONTROL REVIEW (EQCR) .......................................................................... 69
7.4.1 Considerations of EQCR ................................................................................................................................. 69
7.5 FEEDBACK FROM THE AUDITEES ......................................................................................................... 69
7.6 SUMMARY................................................................................................................................................ 70
CHAPTER 8 Wrap-Up and Archiving of the Audit Engagement ................................................................... 71
8.1 ORGANIZATION OF THE AUDIT WORKING PAPERS ............................................................................ 71
8.1.1 Indexing .............................................................................................................................................................. 72
8.1.2 Preparing the Lead Schedule........................................................................................................................ 73
8.1.3 Use of tick marks, Referencing and Cross-referencing......................................................................... 73
8.2 ARCHIVING OF THE AUDIT ENGAGEMENT ........................................................................................... 73
8.2.1 Retention Period .............................................................................................................................................. 74
8.2.2 Confidentiality and Transparency of Working Papers/Audit Evidence ......................................... 74
8.3 SUMMARY................................................................................................................................................ 75
REFERENCES ................................................................................................................................................................... 76
ANNEXES………. ............................................................................................................................................................... 77
ILLUSTRATIVE CASE............................................................................................................................................……113
ACKNOWLEDGMENT .................................................................................................................................................. 164
3
BACKGROUND
The Commission on Audit (COA), the Supreme Audit Institution of the Philippines, is vested with
the exclusive authority to define the scope of its audit and examination; establish techniques and
methods required; and promulgate auditing rules and regulation subject to the limitations
provided in Section 2(2), Article IX-D of the 1987 Constitution of the Republic of the Philippines.
Section 25.2 of Presidential Decree No. 1445, otherwise known as the Government Auditing Code
of the Philippines, prescribes COA to develop and implement a comprehensive program that shall
encompass an examination of financial transactions, accounts, and reports, including evaluation of
compliance with applicable laws and regulations.
In 2015, the International Bank for Reconstruction and Development (IBRD), under its Supreme
Audit Institution Capacity Development Fund, Capacity Development Support for the Commission
on Audit (TFOA1162), extended a grant to the Commission for the enhancement of the Integrated
Results and Risk-Based Audit (IRRBA) Manual through the development of a separate Compliance
Audit (CA) Manual that is in conformance with the International Standards of Supreme Audit
Institutions (ISSAI) 4000.
With the endorsement of ISSAI 4000, CA Standard, during the XXII International Congress of
Supreme Audit Institutions (INCOSAI) in Abu Dhabi, United Arab Emirates in December 2016, the
Public Sector Auditing Standards Board recommended and the Commission Proper approved the
adoption of ISSAI 4000 under COA Resolution No. 2018-012 dated February 01, 2018.
The purposes of this manual are to assist COA auditors in understanding the basic elements and
processes of CA, and to capacitate them in conducting CA as a stand-alone activity in accordance
with the requirements of ISSAI 4000.
Discussion shall include:



4
the differences between CA and other types of audits;
the basic elements, concepts and principles of compliance audit; and
the process (audit phases and audit steps) in the conduct of CA as a stand-alone activity.
COMPLIANCE AUDITING IN THE PHILIPPINE PUBLIC SECTOR
The Commission adopted the COA’s Framework of Professional Standards with reference to the
International Organization of Supreme Audit Institutions (INTOSAI) Framework of Professional
Standards pursuant to COA Resolution No. 2013-006 dated January 29, 2013, as updated by COA
Resolution No. 2016-007 dated May 03, 2016. The Framework provides an overview of all the
standards and guidelines for public sector auditing, assurance engagements, and other related
services, and is harmonized with the international standards on auditing. Under these Resolutions,
the Standards were referred to as Philippine Public Sector Standards on Auditing (PPSSA).
However in 2018, COA Resolution No. 2018-011 dated February 1, 2018, renamed the Standards
from PPSSA to International Standards of Supreme Audit Institutions (ISSAI) to strengthen COA’s
commitment to implement ISSAIs. The renaming also aimed to dispel the notion that COA
developed its own national auditing standards.
In accordance with its mandate, COA is conducting comprehensive audit which consists of financial
audit, compliance audit, agency-based performance audit, and fraud audit. Recognizing the
significant role it plays in the Public Sector Governance, the use of the IRRBA Manual was
prescribed under COA Resolution No. 2011-009 dated October 20, 2011. The objective of the IRRBA
Manual is to integrate the different audit services rendered by COA and to improve the
effectiveness and efficiency of COA auditors through the adoption of a results-based integrated
audit methodology using the risk-based audit approach.
Among the objectives of the COA Strategic Plan 2016-2022 are to enhance and expand risk-based
financial, performance, and compliance audits, and rationalize audit methodologies and
approaches. These objectives prompted the development of the manuals for the three audit
streams – financial, performance, and compliance. Once these manuals become fully implemented,
the audit teams are to perform the common planning activities such as understanding the agency
and its internal control.
Figure 1.1. COA Audit Framework
COA AUDIT FRAMEWORK
Strategic Audit Planning
Preliminary Engagement
FINANCIAL AUDIT
Planning
Execution
Reporting
Quality Control
The first phase of the COA Audit Framework calls for COA to conduct a common strategic planning
and risk identification process. COA as the Supreme Audit Institution shall independently identify
the risks that the Government as a whole may face in achieving its objectives. COA will then be able
to identify the focus areas which need to be prioritized given its limited resources. The result will
also be an input in the determination of the appropriate audit strategies needed to be applied for
5
the allocation of resources appropriate for the audit services such as the people, skills, competence,
processes and procedures.
This identification of government risks shall be annually conducted, supervised by the Assistant
Commissioners and attended by directors. The results of this activity should be cascaded down to
the concerned sectors, clusters, and audit groups through the COA Strategic Planning.1
COA should conduct preliminary engagement activities at the sector/cluster/regional levels to
ensure that: the audit teams meet the relevant ethical requirements in carrying out their audit
work; the members collectively possess the necessary professional competence, knowledge, skills
and expertise to perform the different audit streams in accordance with the relevant professional
standards; and the established quality control mechanism which includes supervision, review,
consultation, and adequate training that cover all phases of the audit – planning, execution and
reporting is adhered to.
As shown in the COA Audit Framework, the audit teams should conduct separate planning,
execution, and reporting activities for each audit stream – financial, compliance and performance.
The templates for the common planning activities shall be used as references/sources of
information for the preparation of the other planning templates for each audit stream.
Presently, an Annual Audit Report (AAR) or Consolidated Annual Audit Report (CAAR) is prepared
to report the results of audit of government agencies. Part I of the AAR/CAAR consists of the
independent auditor’s report on the fairness of the presentation of the financial statements in
accordance with the financial reporting framework and the audited financial statements, while Part
II presents the audit observations and recommendations on:



material misstatements or errors in the financial statements and noncompliance with laws,
rules and regulations related to the audit of the accounts in financial statements;
noncompliance with laws, rules and regulations on subject matter identified during the
engagement but no audit conclusion/opinion is rendered and no separate audit report is
prepared; and
economy, efficiency, and effectiveness of programs, projects, or activities.
CA may be conducted in relation with the audit of the financial statements or in combination with
performance audit (ISSAI 4000.27). However, the conclusion/opinion on CA should be clearly
separated from the opinion on financial audit or conclusion on performance audit. Thus, COA shall
issue the appropriate reporting guidelines on the financial, performance, and compliance audits
conducted.
1
6
Integrated Results and Risk-Based Audit Manual. Phase 1 – Strategic Planning and Risk Identification. Pages 1-3.
CHAPTER 1
Basic Elements, Concepts and
Principles of Compliance Auditing
1.1
PUBLIC SECTOR AUDITING
ISSAI 100.17
Public sector auditing helps to create suitable conditions and reinforce the expectation that
public sector entities and public servants will perform their functions effectively, efficiently,
ethically and in accordance with the applicable laws and regulations.
Public sector auditing is described as the systematic process of objectively obtaining and evaluating
evidence to determine whether information or actual conditions conform to established criteria.
This is essential in that it provides the legislative and oversight bodies, those charged with
governance, and the general public with independent and objective assessments concerning the
stewardship and performance of government policies, programmes or operations (ISSAI 100.18).
All public-sector audits have the same basic elements namely, the subject matter information,
criteria for assessing the subject matter, and the three parties to the audit consisting of the auditor,
the responsible party and intended users. Public sector audits can be categorized into two different
types of audit engagement, which are attestation and direct reporting engagements (ISSAI 100.24).
The intended users will wish to be confident about the reliability and relevance of the information
which they use as the basis for taking decisions. Therefore, audits provide information based on
sufficient and appropriate evidence, and auditors should perform procedures to reduce or manage
the risk of reaching inappropriate conclusions (ISSAI 100.31). The level of assurance may either be
reasonable or limited assurance (ISSAI 100.33).
Three Types of Public Sector Audits
Supreme Audit Institutions (SAIs) usually carry out three types of audits, namely financial audit,
performance audit, and compliance audit (ISSAI 100.22).
Financial audit focuses on determining whether an agency’s financial information is presented in
accordance with the applicable financial reporting and regulatory framework. This is accomplished
by obtaining sufficient and appropriate audit evidence to enable the auditors to express an opinion
as to whether the financial information is free from material misstatement due to fraud or error.
A misstatement or error in the financial statements is considered material if, individually or in the
aggregate, it would influence the economic decision of the users knowing the assertions in the
financial statements.
Performance audit focuses on whether interventions, programs, and institutions are performing in
accordance with the principles of economy, efficiency, and effectiveness and whether there is room
for improvement. Performance is examined against suitable criteria, and the causes of deviations
from those criteria or other problems are analyzed. The aim is to answer key audit questions and
to provide recommendations for improvement.
The auditors determine whether government resources are used economically or the government
agency is able to deliver the intended result and impact.
7
Compliance audit focuses on whether a particular subject matter is in compliance with authorities
identified as criteria. The auditors assess whether activities, financial transactions and information
are, in all material respects, in compliance with the authorities which govern the audited agency.
These authorities may include rules, laws and regulations, budgetary resolutions, policy,
established codes, agreed terms, general principles governing sound public-sector financial
management, and the conduct of public officials.
Compliance Audit in a Public Sector Context and Its Objective
Compliance audit is defined based on the public sector audit with specific focus on criteria, derived
from authorities. It is an independent assessment that focuses on whether a particular subject
matter is in compliance with the applicable authorities, identified as criteria, which govern the
audited agency.
Legislation and other authorities are the primary means by which the legislature holds the
government agency accountable for its income and expenditures, operations and management, to
uplift the citizen's trust in the public sector.
Public officials, entrusted with the administration of public funds, are expected to act for the best
interest of the public by spending the funds they manage for its intended purpose and in accordance
with the authorities. They are accountable to the people and have to exercise good governance on
the public funds entrusted to them and they have to be transparent in their actions.
The main objective of compliance auditing is to provide the intended user(s) with information on
whether the audited government agencies comply with legislative decisions, laws, legislative acts,
policy, established codes and agreed upon terms. These information form the relevant authorities
governing the subject matter/agency that is going to be audited. These authorities are the sources
of audit criteria (ISSAI 4000.23).
In compliance audit, the auditors identify material deviations or departure from established
criteria to take corrective action on individual cases, make those accountable accept responsibility,
obtain compensation, or take steps to prevent such breaches or at least make them more difficult
to occur.
Compliance Audit as a Stand-Alone Activity
ISSAI 4000.27
Compliance auditing may be conducted either:
a. As a separate compliance audit, or
b. In relation with the audit of financial statements, or
c. In combination with performance auditing.
CA may be planned, performed, and reported separately from the audit of financial statements and
from performance audits. The requirements and explanations of ISSAI 4000 apply to CA as a standalone engagement or a component of a financial or a performance audit engagement (ISSAI
4000.17). However, ISSAI 4000 does not provide detailed explanations on how to do combined
audits (ISSAI 4000.28).
Compliance Audit in Relation with Audit of Financial Statements
Combining financial and compliance audits enable the auditors to obtain assurance that the
financial statements are free from material misstatement due to fraud or error and to obtain
8
assurance on whether activities, financial transactions and information comply, in all material
respects, with the authorities/or laws which govern the audited agency. When a CA is combined
with a financial audit, the conclusion/opinion on the aspect of compliance should be clearly
separated from the opinion on the financial statements. The identified applicable law(s) and
regulation(s) should contain all laws and regulations that can influence the outcomes (=amounts)
of the financial transactions that are (or should be) accounted for in the financial statements (ISSAI
4000.16).
Consideration of laws and regulations are important in both CA and in auditing the financial
statements. However, in financial audit, only those laws and regulations with a direct and material
effect on the financial statements are applicable and considered. While in compliance audit, any
laws and regulations relevant to the subject matter may be applied.
Compliance Audit in Combination with Performance Audit
When CA is part of a performance audit, compliance is seen as one of the aspects of economy,
efficiency and effectiveness (ISSAI 400.26). Auditors use their professional judgment in deciding
whether performance or compliance is the primary focus of the audit and determine audit scope
and criteria accordingly.
The following are some of the differences between performance audit and compliance audit which
would help in deciding the primary focus of an audit:



1.2
In performance audit, a noncompliance may be a cause of, an explanation for, or a
consequence of, the state of the activities being subject to the performance audit; whereas
in a compliance audit, the auditors assess the degree to which the audited agency (through
its officials) follows rules, laws and regulation, policy, established codes, or agreed upon
terms which govern a public sector agency;
In performance audit, auditors look at whether or not the audited agency is operating
economically, efficiently, and effectively. These parameters are integral to the definition of
performance audits. The underlying concept is that, if an audited agency uses resources
economically, it generates more value for the input it uses, and creates the intended impact.
In performance audit, the larger focus is on delivering results, though economy and
efficiency aspects are also relevant. Performance criteria are usually based on economy,
efficiency, and effectiveness accordingly; and
In compliance audit, auditors look for instances of noncompliance with relevant authorities
as defined above (e.g. applicable laws, policies, rules, regulations, procedures, terms of
contract or agreement) that can have material impact on the audited agency in achieving
its objectives.
BASIC ELEMENTS OF COMPLIANCE AUDITING
Compliance audit has the same basic elements as public sector audits: subject matter, criteria for
assessing the subject matter and the three parties - the auditor, the responsible party, and intended
users. They can be categorized as two different types of audit engagement: attestation engagements
and direct reporting engagements.
1.2.1
Subject Matter
ISSAI 4000.109
The subject matter should be identifiable, and possible to assess against suitable audit criteria.
9
Subject matter refers to the information, condition or activity that is measured or evaluated against
the suitable criteria. Subject matter depends on the mandate of the SAI, the relevant authorities and
the scope of the audit.
In identifying the subject matter, the auditors, usually start with a broad subject matter, but as they
narrow down the audit scope during the audit planning process, they may modify the subject
matter and scope of the audit to have a more focused audit, which will make the results more
meaningful for the users.
The subject matter of a compliance audit is defined by the scope of the audit. The scope depends
on the needs of the intended user(s), the decided level of assurance, the assessed risk, and the
competence and resources available.
Subject matter information is the result of evaluating or measuring the subject matter against the
criteria. This is prepared by the responsible party for attestation engagements or by the auditors
for direct reporting engagements.
1.2.2
Authorities and Criteria
Authorities are relevant acts or resolutions of the legislature (Congress) or directions and guidance
issued by administrative agencies, oversight, or regulatory agencies with powers provided for in
the statute, with which the government agency is expected to comply. It includes laws, policies,
rules, regulations, budgetary resolutions, established codes, agreed terms or the general principles
governing sound public sectors financial management and the conduct of public official. The
government agency, for which authorities have been framed, has the responsibility to adhere to the
rules, regulations, etc. in order to be compliant. Authorities is the most fundamental element of
compliance auditing, since its structure and content provide the audit criteria.
Various authorities, with conflicting provisions, may affect the operation of government entities.
The Implementing Rules and Regulations issued by an administrative or oversight body may not
be consistent with the requirements or limits of the enabling law. The provisions of laws, rules or
regulations may be the subject of different interpretations. In case of doubt, the auditors have to
have sufficient knowledge and understanding of the premises and intentions in the development
of the law or the structure, or content of the laws, rules and regulations before an assessment of
compliance is conducted. The auditors may find it useful to consult the particular body responsible
for the legislation or consider relevant earlier decisions of the Supreme Court. This is of particular
importance when it comes to identifying the audit criteria, as the sources of the criteria have to be
considered in the audit, both when determining the audit scope and when drawing up the audit
findings.
The auditors only need to understand the parts of the legislation that are relevant to the audit task.
On the other hand, the audited agency has the responsibility to ensure faithful compliance with all
applicable laws and regulations.
Criteria are the benchmarks used to evaluate or measure the subject matter consistently and
reasonably. Criteria may be derived from laws, policies, rules, regulations, budgetary resolutions,
etc. The sources of legal criteria are rules and regulations, international treaties and other
agreements, and code of conduct (ISSAI 4000.114).
10
Figure 1.2. Authorities are the sources of criteria
Authorities
Criteria
The suitable criteria have to be clearly stated in the CA report to enable the intended users to
understand how the subject matter was evaluated or measured by the auditors to prevent
misunderstanding or different interpretations.
Suitable audit criteria have to be identified using the following characteristics:









Relevance;
Completeness;
Reliability;
Neutrality;
Understandability;
Usefulness;
Comparability;
Acceptability; and
Availability.
For example, in the procurement activities of national government agencies, local government
units and government-owned and/or controlled corporation, the authority is the Government
Procurement Reform Act (RA 9184, An Act Providing for the Modernization, Standardization and
Regulation of the Procurement Activities of the Government and for other Purposes, 10 January
2003). The Government Procurement Reform Act provides the policy for procurement of
infrastructure projects, goods, and consulting services, regardless of the source of funds, whether
local or foreign. By virtue of RA 9184, the Government Procurement Policy Board (GPPB)
promulgated the IRR on RA 9184, prepared manuals on Procurement, and issued Resolutions,
Circulars, Guidelines and Opinions. If the subject matter identified by the auditors is the Alternative
Mode of Procurement, then the source of suitable criteria would be the provisions of Article XVI of
RA 9184, and Rule XVI of the IRR which identifies and provides for the conditions for selecting the
alternative methods of procurement. The auditors have to consider all the relevant guidelines,
resolutions, circulars, and opinions issued by GPPB on the alternative methods of Procurement
(subject matter).
1.2.3
Three Parties
ISSAI 4000.19
Public sector audits involve three separate parties: the responsible party, the auditor and the
intended user(s).
Compliance audit is based on a three-party relationship – the responsible party, the intended users,
and the auditor.
11
The responsible party is the government agency to which the fund is released or the public officers
who managed and used the funds in their operations for the attainment of the mandate. They are
responsible for the subject matter.
The intended users could be the legislative (Congress), oversight bodies, those charged with
governance, donors or the general public who are interested to know whether or not the fund
allocated to a government agency has been used in accordance with the authority. Those charged
with governance may also include the head of the agency.
The auditor, Commission on Audit, expresses a conclusion, which is designed to enhance the degree
of confidence of the intended users after obtaining sufficient and appropriate audit evidence to
reduce the risk of making an inappropriate conclusion.
Figure 1.3. Three-Party Relationship
CONGRESS
OVERSIGHT BODIES
THOSE CHARGED WITH GOVERNANCE
DONORS
GENERAL PUBLIC
INTENDED
USER
NATIONAL GOVERNMENT
AGENCIES
ELEMENTS OF
COMMISSION ON AUDIT
AUDITOR
AN AUDIT
LOCAL GOVERNMENT AGENCIES
GOVERNMENT OWNED AND
CONTROLLED CORPORATIONS
RESPONSIBLE
PARTY
Responsible party are the public officials responsible for the management of funds entrusted to
them and the operations of the government agency in accordance with the authorities. There is a
possibility that they would be motivated to provide false or insufficient information regarding the
result of the operation of their managed agency to protect their personal interest. Thus, they shall
be held accountable in case they fail to effectively perform their responsibilities and functions, and
comply with relevant laws, rules and regulations governing their agency.
For this reason, the intended users would like to have an independent assessment of the
correctness of the information provided by the government agencies or if the actual conditions in
the agency comply with relevant laws, rules, and regulations.
The auditors provide assurance, though not absolute, owing to the inherent limitations in the
conduct of the audit, on the condition of the subject matter. This is done by performing procedures
and obtaining sufficient and appropriate evidence to reduce or manage the risk of providing
incorrect conclusion.
12
1.2.4
Assurance
ISSAI 4000.30
Every compliance audit is an assurance engagement. The auditor chooses the level of assurance
based on the needs of the intended user(s). The audit report provides either reasonable or
limited assurance.
Compliance audit is an assurance engagement. The auditors have to provide credible information
and conclusion on the subject matter that will be the basis for the decision making of the intended
user(s). The conclusion should be based on sufficient and appropriate evidence obtained during
the audit after performing the necessary audit procedures that would reduce or manage the risk of
reaching inappropriate conclusions. The level of assurance to be selected by the auditors will
depend on the need(s) of the intended users. The intended users rely on the assurance of the
auditors and should not be misled by inappropriate conclusions that could render their decisions
valueless.
The public officials entrusted with the management of the operations and funds of government
entities are expected to comply with the laws, rules, and regulations to ensure the attainment of
their mandates. They shall be held accountable for their failure to comply with authorities or the
poor performance of their agency. Thus, intended users would like to be confident about the
reliability and relevance of the information provided by the public officials which will be used as
basis for decision making. The auditors then make an independent assessment if the actual
conditions conform to the suitable criteria to enhance the degree of confidence of the intendedusers. The auditors provide either reasonable or limited assurance but not absolute assurance on
the condition of the subject matter, due to the inherent limitations in the conduct of audit.
Reasonable Assurance
Reasonable assurance is high but not absolute. The audit conclusion is expressed positively,
conveying that, in the auditors’ opinions, the subject matter is or is not compliant in all material
respects, or, where relevant, that the subject matter information provides a true and fair view, in
accordance with the applicable criteria (ISSAI 4000.33).
In most cases, compliance audit will not be able to cover all the transactions related to the subject
matter but the auditors have to apply qualitative or quantitative sampling. No matter how wellplanned an audit engagement is, there is a possibility that the auditors may not identify instances
of noncompliance and may therefore reach a wrong conclusion. Thus, it is not possible to provide
an absolute assurance.
Limited Assurance
When providing limited assurance, the audit conclusion states that based on the procedures
performed, nothing has come to the auditors’ attention to cause the auditors to believe that the
subject matter is not in compliance with the applicable criteria. However, if the auditors believe
that the subject matter is not in compliance with the criteria, they have to perform limited
procedures to conclude whether the subject matter is in compliance with the criteria or not. The
procedures performed in a limited assurance audit are limited compared with what is necessary to
obtain reasonable assurance; however, the level of assurance is expected, in the auditors’
professional judgment, to be meaningful to the intended user(s). A limited assurance report
conveys the limited nature of the assurance provided (ISSAI 4000, paras. 35 and 36).
13
The decision to provide a reasonable or limited assurance will have a strong impact on the design
of the audit.
The COA auditors shall provide reasonable assurance in the conduct of compliance audit, except
when the needs of the intended users require limited assurance.
1.2.5
Types of Audit Engagements
ISSAI 100.30
Compliance audits may be attestation or direct reporting, or both at once.
Compliance audit may be direct reporting or attestation engagements. The difference between the
two engagements lies on who prepares the subject matter information. If the auditors evaluate the
actual condition (subject matter) against the criteria, then it is a direct reporting engagement. If
what the auditors evaluate is the subject matter information reported by the responsible party,
then it is an attestation engagement.
Direct Reporting Engagement
In direct reporting engagements, it is the auditors who measure or evaluate the subject matter
evidence against the criteria. The auditors are responsible for preparing the subject matter
information. The auditors select the subject matter and criteria, taking into consideration risks and
materiality. By measuring the subject matter evidence against the criteria, the auditors are able to
form a conclusion. The conclusion is expressed in the form of findings, answers to specific audit
questions, recommendations or an opinion (ISSAI 4000.37).
In direct reporting engagements performed with reasonable assurance, the auditors state in the
audit conclusion that the subject matter is or is not compliant in all material respects with the
applicable criteria.
If it is performed with limited assurance, the conclusion states that nothing has come to the
auditors’ attention that the subject matter is not in compliance with the criteria.
Attestation Engagement
In attestation engagements, the responsible party measures the subject matter against the criteria
and presents the subject matter information on which the auditors then gather sufficient and
appropriate audit evidence to provide a reasonable basis for expressing a conclusion. The
conclusion is expressed in the form of findings, conclusions, recommendations or an opinion (ISSAI
4000.40). When the auditors have been aware of instances of noncompliance, these need to be
reflected in the conclusion.
In an attestation engagement with reasonable assurance, the auditors’ conclusions express their
views that the subject matter information is or is not in accordance with the applicable criteria.
In an attestation engagement with limited assurance, the auditors state whether or not, based on
the procedures performed, nothing has come to their attention to cause the auditors to believe that
the subject matter is not in compliance, in all material respects, with the applicable criteria. The
procedures performed are limited compared with what is necessary to obtain reasonable
assurance (ISSAI 4000.42).
14
Based on the foregoing information, there are two possible scenarios that could lead either to
attestation engagement or to a direct reporting engagement. The following are examples which
build on the same subject matter and scope in different environments:
Illustration:
Scenario 1: Attestation Engagement
Responsible party: Agency ABC
Subject matter of audit: Expenditures on a Foreign-assisted project (FAP)
Subject matter information: Statement of Expenditures (SOE)
Criteria: Terms of Reference with the foreign donor - World Bank
User: House of Representatives (HOR)
Agency ABC is being required by the House of Representatives (HOR) to report on the
expenditures incurred by the agency on a Foreign – assisted project, which is funded by the
World Bank. In this scenario, the subject matter information is the Statement of
Expenditures (SOE) which is prepared by Agency ABC, the responsible party. When the
officials of Agency ABC are producing the SOE, they are obliged to follow the Terms of
Reference (TOR) with the donor (World Bank) as regards the utilization of said funds.
Standards make reference to producing the subject matter information as “evaluation of
subject matter against criteria”. In this situation, Agency ABC had already provided the
subject matter information to the HOR in the form of a statement. With this statement, the
officials of the responsible party are making explicit or implicit claims (assertions) that the
information (SOE) on the Expenditures of the foreign-assisted project (subject matter) is
true and fair in the light of the TOR with the World Bank (criteria).
The auditors’ role in this scenario is to express an opinion (attestation) on whether the
assertion made by the responsible party about the SOE it provided is correct or not;
whether the officials of Agency ABC have indeed followed the TOR by the World Bank on
the utilization of the said funds as they have claimed (explicitly or implicitly). This opinion
enhances the confidence of the HOR about the SOE (subject matter information) they
received.
This form of audit, where the auditors give an opinion on the subject matter information, is
called an attestation engagement.
Scenario 2: Direct Reporting Engagement
Responsible party: Agency ABC
Subject matter of audit: Expenditures on a Foreign-assisted project (FAP)
Subject matter information: Statement of Expenditures (SOE)
Criteria: Terms of Reference with the foreign donor - World Bank
User: House of Representatives (HOR)
Assuming, Agency ABC is not required by the foreign donor to submit an SOE on the
donated funds. Recently, the HOR has been discussing a reform initiative which aims to
improve the implementation of foreign-assisted projects. Hence, they need information on
the utilization of expenditures of FAP. COA decided to prepare the SOE in the form of an
audit report and submit it to the House of Representatives.
In the scenario above, no subject matter information (and therefore no assertions) has been
made available by the responsible party, despite the need for this information. Therefore,
the COA decided to provide the information to the users. The audit will directly evaluate on
the Expenditures of the foreign-assisted projects based on the TOR with the World Bank
15
and provide a conclusion. Therefore, the SOE, which is the subject matter information will
be prepared by the COA and submitted to the HOR in the form of an audit report.
In a direct reporting engagement, the audit is conducted directly on the subject matter.
1.2.6
Levels of Assurance and Types of Audit
The table below shows the link between assurance levels, types of audit, and the conclusion or
opinion to be rendered.
Table 1.1. Levels of assurance and types of engagements in compliance auditing
Engagement Type
Direct reporting engagement
Attestation engagement
Assurance Level
Reasonable Assurance
Limited Assurance
1.2.7
Conclusion
Conclusion
Conclusion/Opinion
Opinion
Regularity and Propriety Compliance Audit
Compliance auditing may be concerned with regularity (adherence to formal criteria such as
relevant laws, regulations and agreements) or with propriety (observance of the general principles
governing sound financial management and the conduct of public officials). While regularity is the
main focus of compliance auditing, propriety may also be pertinent given the public sector context,
in which there are certain expectations about financial management and the conduct of officials.
The criteria for propriety may be less formal, and it considers public expectations regarding the
actions and behaviour of government officials. This requires the auditors to ascertain if the audited
agency has followed the principles of sound financial management and its officials have acted
transparently and equitably in making decisions for the agency.
When assessing the regularity or propriety aspects of an agency, the auditors have to exercise their
professional judgment for the quality of the audit opinion or conclusion depending on how auditors
establish and apply the suitable criteria. The auditors are expected to carry out proper risk
assessment to determine which compliance requirements are likely to be violated. This will be the
basis for the design of the audit procedures to ensure that such violations are detected.
1.3
PRINCIPLES OF COMPLIANCE AUDITING
Compliance audit is a systematic process of objectively obtaining and evaluating evidence as to
whether a given subject matter is in compliance with applicable authorities identified as criteria.
The nature of compliance auditing is iterative and cumulative; but the principles fundamental to
the conduct of the audit may be divided into principles that the auditors should consider prior to
the commencement and at more than one point during the audit process (general principles) and
those related to steps in the audit process itself (ISSAI 400.42).
The general principles are:






16
Professional judgment and skepticism
Quality control
Audit team management and skills
Audit risk
Materiality
Documentation

Communication
Figure 1.4. General Principles of Compliance Auditing
Professional Judgment and Skepticism
Quality
Control
Audit Team
Management
and Skills
Audit Risk
Materiality
Documentation
Communication
Figure 1.4. illustrates that the auditors in the conduct of compliance audit have to exercise
professional judgment and skepticism all throughout the audit engagement while considering the
other principles.
1.3.1
Professional Judgment and Professional Skepticism
Professional Judgment is a skill that the auditors acquire over time through relevant training,
knowledge, and experience, and should be exercised so that informed decisions can be made about
the courses of action that are appropriate given the circumstances of the audit.
The auditors use professional judgment when deciding the level of assurance, assessing risk and
materiality, defining the subject matter, scope and the corresponding audit criteria, assessing the
procedures necessary to gather sufficient and appropriate audit evidence and the evaluation
thereof. The use of professional judgment is crucial when analyzing the audit evidence and forming
conclusions based on the findings.
Professional skepticism is the attitude of the auditors that include maintaining an open and
objective mind by being alert to conditions which may indicate possible noncompliance due to
error or fraud.
Professional skepticism is important when evaluating audit evidence contradicting other audit
evidence already obtained, and information that brings into question the reliability of audit
evidence, such as documents and responses to inquiries. Exercising professional skepticism is
necessary to ensure that the auditors avoid personal bias and to make sure that the auditors are
not overgeneralizing when drawing conclusions from observations. In addition, the auditors will
act rationally based on a critical assessment of all the evidence collected (ISSAI 4000.77-79). The
auditors need to maintain professional skepticism throughout the audit.
17
Figure 1.5. Professional Judgment and Skepticism
Competencies
Professional
Judgment
and
Skepticism
Attitude
Professional judgment is how auditors view different situations from different perspective based
on education, training, experience and knowledge, while professional skepticism is maintaining
professional distance and an alert and questioning attitude in assessing the sufficiency and
appropriateness of audit evidence obtained throughout the audit.
1.3.2
Quality Control
Quality control refers to the processes in place whereby the overall quality of a CA is reviewed to
ensure that the audit is in compliance with applicable governing standards and the audit report,
conclusion or opinion is appropriate given the circumstances. The quality control procedures
include supervision, reviews, consultation, and adequate training; and may cover the planning,
execution, and reporting stages. There must be a quality control system where roles and
responsibilities are clearly defined to secure the overall quality of the audit.
Each audit sector in the Commission ensures that appropriate procedures, reviews, and
supervision are performed throughout the audit process. The quality controls are to be
documented in the audit file. ISSAI 40, Quality Control for SAIs, provides additional guidance on
quality control.
1.3.3
Audit Team Management and Skills
The audit team should collectively possess the necessary professional competence, knowledge,
skills, is capable of selecting criteria free from bias, has general access to accurate information, and
has considered available information, and has sufficient time to complete the audit assignment.
The audit team has to possess an understanding and practical experience of the type of audit being
undertaken, familiarity with the applicable standards and authorities, an understanding of the
audited agency’s operations, and the ability and experience to exercise professional judgment.
There is a need to provide staff with professional development through continuous training on
areas relevant to the conduct of audit. Audit manuals and other written guidance and instructions
should be available and understood by the auditors.
In cases where specialized techniques, methods or skills are necessary in the audit, but not
available within the team or the Commission, services of external experts may be utilized. The
independence, competence, capabilities, and objectivity of the experts have to be evaluated for they
will be performing audit work on behalf of the auditors who are still responsible for their
conclusions.
18
1.3.4
Audit Risk
Audit risk is the risk of the auditors that the report, conclusion or opinion may be inappropriate in
the circumstances of the audit. Thus, the auditors need to consider audit risk throughout the audit
process, and have to manage or reduce it to an acceptable low level. Audit risk is relevant in both
direct reporting and attestation engagements.
The auditors have to consider the three dimensions of audit risk – inherent risk, control risk, and
detection risk – in relation to the subject matter and the reporting format. By identifying and
evaluating the agency’s inherent and control risks, the auditors can define the nature and extent of
the evidence gathering procedures required to test compliance with the criteria. The higher the
level of risk, the greater the extent of audit work that will be required to lower detection risk
sufficiently to achieve the acceptable level of audit risk.
The relative significance of the dimensions of audit risk depends on the nature of the subject
matter, whether the audit is to provide reasonable or limited assurance.
In a reasonable assurance audit, the auditors’ conclusion will provide an overall assurance on the
subject matter. Since the auditors cannot audit all relevant transactions and subject matter, they
will provide assurance by testing a portion of transactions through sampling. This means that the
auditors will also be providing assurance about items which they have not tested. In this case, if a
systematic approach is not used, there is a high risk that the auditors’ conclusion will be wrong. To
reduce this risk, the auditors are likely to systematically analyze the subject matter (such as the
internal controls of an agency), and identify a sample (of transactions, etc.) which will be
representative of the total population. For the sampling to be correct, the auditors should consider
the risk of not identifying significant noncompliance. To be able to do this, the auditors need to
identify first what issues are significant for the intended users.
In a limited assurance audit, the approach used may not be as systematic as it would be in a
reasonable assurance audit. The aim of the audit is not to identify all significant instances of
noncompliance. The audit will be designed to identify significant noncompliance with
consideration to the available resources and methods. Due to the nature of limited assurance audit,
the auditor will accept a higher level of uncertainty in the conclusion on the subject matter. For
audits using samples, there might still be noncompliance in the items which have not been tested
by the auditors. The auditors’ conclusion will not cover the items that have not been tested; hence
the risk of providing a wrong conclusion will be reduced.
1.3.5
Materiality
A matter can be judged material if knowledge of it would likely influence the decisions of the
intended users. In identifying materiality, the auditors pay attention to specific areas of legislative
focus, public interest or expectations, requests, and significant public funding, as well as fraud. For
example, a noncompliance with the terms and conditions of a donor-funded project would be
considered material if that noncompliance could lead to the donor discontinuing funding for the
project or imposing more stringent controls as pre-condition for continued funding.
Determining materiality is a matter of professional judgment and depends on the auditors’
interpretation of the users’ needs. In this context, it is reasonable for the auditors to assume that
intended users:

have adequate knowledge of the underlying subject matter, and willingness to study the
subject matter information with reasonable diligence;
19



understand that the subject matter information is prepared and assured to appropriate
levels of materiality, and have an understanding of any materiality concepts included in the
applicable criteria;
understand any inherent uncertainties involved in measuring or evaluating the underlying
subject matter; and
make reasonable decisions on the basis of the subject matter information taken as a whole.
Materiality includes the nature, context, and value of an individual item or a group of items taken
together, but it also has other quantitative as well as qualitative aspects. The inherent
characteristics of an item or group of items may render a matter material by its very nature or
context in which it occurs.
In performing compliance audits, materiality is determined for all stages of audit:
a. In the planning phase, assessing materiality helps the auditors identify the audit questions
which are of importance to the intended user(s);
b. In performing the audit, the auditors use materiality in deciding the extent of audit
procedures to be executed, and evaluating the audit evidence obtained and the effects of
identified instances of noncompliance; and
c. In evaluating and concluding the audit, the auditors use materiality to evaluate the scope of
work and the level of noncompliance to determine the impact on the conclusion/opinion.
Quantitative factors of materiality may include such as the number of persons or entities affected
by the particular subject matter or the monetary amounts involved as well as the misuse of public
funds, regardless of the amount. Quantitative materiality is determined by applying a percentage
to a chosen benchmark as a starting point. This involves the exercise of professional judgment and
reflects, in the auditors’ judgment, the measures that user(s) of the information are most likely to
consider important. Quantitative materiality is mostly used in attestation engagement. When
performing such engagements, the auditors might want to select separate levels of materiality for
classes of transactions or balances that are more important to the user(s) of the accounts or have
a higher risk of noncompliance by nature or context.
In some cases, the qualitative factors are more important than the quantitative factors. Public
expectations and public interest are examples of qualitative factors that may impact the auditor's
determination of materiality. Instances of excess spending over appropriations authorized by the
legislature or introduction of a new service not provided for in the approved appropriations, may
be instances of noncompliance that are not material but may still warrant communication to the
audited agency due to their nature.
The auditors shall determine materiality to form a basis for the design of the audit, and re-assess it
throughout the audit process.
1.3.6
Documentation
Sufficient audit documentation is important within all steps of the compliance audit. This is to
ensure that all steps taken and decisions made during an audit are properly justified and
documented in such a way that experienced auditors who do not have any prior knowledge or
connection with the previous audit review will be able to understand the significant matters arising
during the audit, the conclusion(s)/opinion(s) reached thereon, and significant professional
judgments made in reaching those conclusion(s)/opinion(s). Documenting the audit work
performed enhances transparency about the work. Documentation includes, as appropriate:
a. an explanation of the subject matter of the audit;
20
b.
c.
d.
e.
f.
risk assessment, audit strategy and plan, and related documents;
the methods applied and the scope and time period covered by the audit;
the nature, the time and extent of the audit procedures performed;
the results of the audit procedures performed, and the audit evidence obtained;
the evaluation of the audit evidence forming the finding(s), conclusion(s)/ opinion(s), and
recommendation(s);
g. judgments done in the audit process, including professional consultations and the
reasoning behind them;
h. communication with and feedback from the audited agency; and
i. supervisory reviews and other quality control safeguards undertaken.
Documentation needs to be sufficient to demonstrate how the auditors defined the audit objective,
subject matter, the criteria and the scope, as well as the reasons why a specific method of analysis
was chosen. For this purpose, documentation needs to be organized in order to provide a clear and
direct link between the findings and the evidence that support them.
1.3.7
Communication
Communication takes place in all audit stages; before the audit starts, during initial planning,
during the gathering and evaluating evidence, and in the reporting phase. It is essential that the
audited agency, together with the COA, are kept informed of all matters relating to the audit. This
is a key in developing a constructive working relationship between the auditors and the agency and
also within the audit team. This would help keep all parties informed of the audit progress and
would assist in resolving any matters that may obstruct and cause delays to the audit.
Communication should include obtaining information relevant to the audit, and providing
management and those charged with governance with timely observations and findings
throughout the engagement. The matters that are communicated in writing to the audited agency
may include the following: the audit subject matter, the audit criteria, the level of assurance, the
time period for the audit, and the government undertakings, organizations and/or programs to be
included in the audit, i.e. confirming the terms of engagement. Communicating these matters can
help achieve mutual understanding of the audit process and the audited agency’s operations.
Any significant difficulties encountered during the audit, as well as instances of material
noncompliance, have to be communicated to the appropriate level of management or those charged
with governance. Communicating these would assist in rectifying any deviations and any other
findings the auditors may come up with immediately or at an earlier stage, rather than later where
the impact of the finding could be substantially material and may be difficult to resolve. The
auditors may also have a responsibility to communicate audit-related matters to other users, such
as legislative and oversight bodies.
Findings that are not deemed material, or do not warrant inclusion in the auditors’ report, may also
be communicated to management during the audit. Communicating such findings may help the
audited agency to remedy instances of noncompliance and avoid similar instances in the future
(ISSAI 4000.100).
21
1.4
FRAMEWORK FOR COMPLIANCE AUDIT PROCESS
The diagram depicts the steps in the compliance audit process.
Figure 1.6. CA Process
Documentation, Communication, Quality Control
Planning the Audit at
Strategic Level
 Carry out preliminary engagement activities/initial
considerations
 Identify audit topic/focus


Planning the Audit
At Engagement Level




Performing the Audit
Procedures to gather
audit evidence




Evaluating Audit
Evidence & Forming
Conclusion
Reporting the Results
of Compliance Audit
Follow-up







Determine the type of engagement
Identify the intended user(s), the responsible
party, subject matter, the corresponding audit
criteria and the audit scope
Understand the subject matter, including internal
control
Determine materiality
Carry out risk assessment and assess audit risk
Develop an audit strategy and audit plan
Gather sufficient and appropriate evidence through
various methods and procedures
Continually update planning and risk assessment
Consider noncompliance that may indicate fraud
Evaluate whether sufficient and appropriate
evidence is obtained
Consider materiality for reporting purpose
Form conclusions
Communicate audit results
Prepare Audit Report
Perform Over-all Audit Review, approval and
issuance of CA Report
Wrap-up and Archive the Engagement
Follow-up Agency Action Plan
It shows that documentation, communication and quality control are crosscutting, and that these
significant requirements of the ISSAI have to be considered at all phases of the audit.
22
1.5
SUMMARY
Section 25(2) of PD 1445, provides that one of the objectives of COA is to develop and implement
a comprehensive audit program that shall encompass an examination of financial transactions,
accounts, and reports, including evaluation of compliance with applicable laws and regulations.
Thus, COA is mandated to conduct compliance audit. The conduct of compliance audit shall be in
conformance with the standards provided under ISSAI 4000.
COA shall conduct compliance audit, as a stand-alone activity, in accordance with ISSAI 4000.
However, when there are limitations in resources or existing conditions that would prevent the
conduct of compliance audit as a stand-alone activity, then compliance audit in combination with
the audit of financial statements or with performance auditing may be conducted.
The auditors, after conducting audit risk assessment and taking into consideration materiality,
shall select the subject matter and the suitable criteria in accordance with the risks and thrust
area cascaded from the COA strategic plan. The level of assurance, shall be reasonable assurance
unless the needs of identified intended user(s) require limited assurance. As regards the type of
engagement, compliance audit engagements shall be direct reporting, except when the enduser(s) would require that an attestation engagement be conducted in accordance with existing
agreements.
23
CHAPTER 2
Planning the Audit at Strategic Level
In this chapter, the COA top management identifies the risks which may prevent the
achievement/accomplishment of the programs, projects and activities of the government. The
identified risks will be cascaded to the Sectors, Clusters/Regions/Audit Groups/Audit Teams for
determination if the identified risks may affect their government agencies. COA also reviews the
initial considerations and information relevant to strategic audit planning. Though this chapter
focuses on strategic level planning for compliance audit, similar process can be used for other
types of audit as well.
2.1
STRATEGIC PLANNING
COA, as the Supreme Audit Institution, has to identify risks which may hinder the government, as
a whole, to achieve its objectives. This activity is done by COA as an auditor and is independent
from the management of the government and its agencies. The sources of risks, areas of impacts,
events, causes and potential consequences have to be identified to determine the areas to be
prioritized and focused.
The objectives of this activity are: to obtain high-level inputs from COA directors assigned in the
audit of agencies representing the three audit sectors, regions and auditors performing
Government-wide and Sectoral Performance Audit (GWSPA) and Fraud Audit; to have a common
language of risk; and to have a unified thrust in government auditing
Reference has to be made to the following inputs that could provide sources of risks: Philippine
Development Plan 2017-2022; 2017-2022 Public Investment Program; the Agenda 2030 or the
Sustainable Development Goals; List of Public Private Partnership Projects; State of the Nation
Address of the President; government-wide and sectoral programs and activities; media releases
and media reports; previous Annual Audit Reports; and knowledge of the auditors.
The identification of government risks shall be annually conducted, supervised by the Assistant
Commissioners and attended by directors from the following sectors/offices:








National Government Sector (NGS)
Corporate Government Sector (CGS)
Local Government Sector (LGS)
Regional Offices (ROs)
Special Audits Office (SAO)
Fraud Audit Office (FAO)
Information Technology Audit Office (ITAO)
Technical Services Office (TSO)
The risks or potential issues identified may cut across different government agencies. Inputs of
each audit sector are therefore relevant to capture the real risk scenarios of the government as a
whole. The results of this activity shall be cascaded down to the concerned sectors, clusters, and
audit groups through the COA Strategic Planning process.
2.2
IDENTIFICATION OF AUDIT TOPIC/ FOCUS
Since COA has the discretion to select the coverage of compliance audits, it may perform the
procedures necessary to identify significant areas and/or areas with potential risk of
noncompliance.
24
In performing such procedures, COA may take into consideration any of the following:
a.
b.
c.
d.
e.
f.
g.
h.
i.
Public or legislative interests or expectations;
Impact on citizens;
Projects with significant public funding;
Beneficiaries of public funds;
Significance of certain provisions of the law;
Principles of good governance;
Roles of different public sector bodies;
Rights of citizens and of public sector bodies;
Potential breaches of applicable laws and other regulations which govern the public
agency’s activity, or the public debt, public deficit and external obligations;
j. Noncompliance with internal controls, or the absence of an adequate internal control
system;
k. Findings identified in previous audits; and
l. Risks of noncompliance signaled by third parties.
When selecting areas, COA may find it valuable to analyze budget proposals, publications,
evaluation reports, etc. Taking part in conferences and discussion fora may also give COA valuable
information to form the basis for selecting its subject matters and reducing the risk of auditing
low risk areas.
2.3
PRELIMINARY ENGAGEMENT ACTIVITIES/ INITIAL CONSIDERATIONS
Preliminary engagement activities have to be conducted at the sector/cluster/regional levels to
ensure that the audit teams: meet the relevant ethical requirements in carrying out their audit
work; the members collectively possess the necessary professional competence, knowledge,
skills and expertise to perform the different audit streams in accordance with the relevant
professional standards; and adhere to the established quality control mechanism which includes
supervision, review, consultation, and adequate training that cover all phases of audit – planning,
execution and reporting.
As shown in the COA Audit Framework, the audit teams shall conduct separate planning,
execution, and reporting activities for each audit stream – financial, compliance and performance.
The templates for the common planning activities such as: Understanding the Agency Template
and Agency Level Control Checklist shall be used as reference/source of information for the
preparation of the other planning templates for each audit stream.
Institutional level considerations for compliance audit should happen prior to commencement of
audit and throughout the audit process. Before reviewing the specific steps in the audit process,
it is important to look at initial considerations relevant to audit planning. Following are the COA
level considerations that are fundamental to the conduct of a compliance audit:




Principles of ethical significance;
Team engagement and their competence;
Importance of quality control; and
Level of assurance
As the nature of the audit is iterative and cumulative, COA should look into these considerations
prior to commencing any audit and also at more than one point during the audit process.
25
2.3.1
Consider Principles with Ethical Significance
The members of the audit team should meet the relevant ethical requirements in carrying out
their audit work. The auditors are to demonstrate professional behavior, integrity, and
objectivity, possess the required professional competence, and exercise due care. They also have
to maintain independence in fact and appearance. Independence is freedom from any influence,
persuasion, or bias.
The members of the audit team must be objective and impartial in the conduct of audit work,
particularly in the preparation of the reports, which should be accurate and objective. They
should be objective in dealing with the subject matter and criteria under review and exercise
confidentiality regarding all audit matters. They should not allow bias, conflict of interest, or
undue influence from other stakeholders to override their professional judgment. They should be
straightforward and honest in all professional and business relationships to maintain their
integrity.
2.3.2
Consider the Team Engagement and Their Competence
In the creation of the audit team, it has to be ensured that the members collectively possess the
necessary professional competence, knowledge, skills, and expertise to perform compliance audit
in accordance with professional standards. Depending on the subject matter, this may include:
a.
b.
c.
d.
e.
auditing skills and skills regarding data collection/analysis;
legal competence;
understanding and practical experience on the type of audit being undertaken;
knowledge of the applicable standards and authorities;
understanding of the audited agency’s operations and appropriate experience for the type
of agency and operations being audited;
f. the ability and experience to exercise professional judgment; and
g. producing an auditor's report that is appropriate in the circumstances.
In cases where specialized techniques, methods, or skills are necessary in the audit, but not
available within the team or the Commission, services of external experts may be utilized. The
independence, competence, capabilities, and objectivity of the experts have to be evaluated for
they will be performing audit work on behalf of the auditors who are still responsible for their
conclusions.
At the onset of audit planning, consideration must be given to whether the audit team has
sufficient and appropriate competence to conduct the audit, is capable of selecting criteria free
from bias, has general access to accurate information, has considered available information, and
has sufficient time to complete the audit assignment. Determining the availability of competent
resources is a factor in deciding the level of assurance that can be provided. If the COA lacks
competent resources knowledgeable of the subject matter, it will be difficult to conduct a
reasonable assurance engagement.
2.3.3
Ensure that Quality Control Procedures are in Place
Quality control refers to ongoing processes in place for reviewing the quality of a compliance
audit at each stage. This is to ensure that the audit is in compliance with applicable governing
standards, and that the audit report, conclusion, or opinion issued is appropriate in the
circumstances. The COA should establish quality control mechanism as a line function for this
purpose. Audit reports are issued only after the report has gone through this assessment.
26
The COA is expected to carry out high quality audits. The Cluster/Regional Directors have to
ensure that the policies and procedures in the review process are clearly defined, understood,
and functioning throughout the audit; the applicable standards are complied; and the audit report
and conclusion are appropriate. Quality control procedures include supervision, review,
consultation, and adequate training. The quality control procedures have to cover the planning,
execution, and reporting stages of the audit. The quality controls are documented in the audit file.
2.3.4
Determining the Level of Assurance to be Provided
The level of assurance to be provided in an audit needs to be considered when the scope and
subject matter of an audit is being identified. Conducting a limited or reasonable assurance audit
is a decision which needs to be made at the strategic level, after considering the following:





Needs of the intended user;
State of internal control environment and system of the audited agency;
Availability of and access to information;
Existing competencies of the auditors; and
Availability of resources.
Although some of these factors may take precedence, all relevant factors should be considered in
reaching a decision. The list above is not exhaustive. COA may consider other factors while
making a decision on the level of assurance to be provided in an audit.
Since the scope and subject matter of compliance audit is very flexible, changing the scope of the
audit could theoretically have an influence on the level of assurance provided. For example, if the
scope of an audit is narrowed down to consist only of the actual number of transactions which
will be tested, the auditor will be able to provide nearly 100% assurance. If the scope of this audit
is made slightly wider, this will enable the auditor to easily provide reasonable assurance.
However, these decisions have to be made on a rational basis. This example is provided only to
highlight that the identification of the scope and subject matter of the audit have a key role in
identifying the level of assurance to be provided.
In COA, the level of assurance shall be reasonable assurance unless the needs of identified
intended user(s) require limited assurance.
2.4
SUMMARY
This chapter explains the initial considerations at the institutional level for compliance audit. This
process is linked to the COA strategic plan, which is then operationalized with the annual plan.
The annual plan preparation process requires the analysis of tasks to be accomplished by COA
and the resources available for the tasks.
The level of assurance shall be reasonable assurance unless the needs of identified intended
user(s) require limited assurance.
After the COA sector heads select the audit topics, make decisions on the strategic level issues,
and conclude high level decisions, such as but not limited to the audit scope, timing, and frequency
of the conduct of compliance audit, the next step is to plan the individual audit. Chapter 3 will
cover the audit planning process at the engagement level.
27
CHAPTER 3
Planning the Compliance Audit
Auditors should plan their work to ensure that the audit is conducted in an effective and efficient
manner. Planning for a specific audit includes strategic and operational aspects. Strategically,
planning should define the audit scope, objectives, and approach. Audit scope basically refers to
the area, extent, and time period covered in the audit of a given subject matter. The objectives refer
to what the audit is intended to accomplish. The approach will describe the nature and extent of
the procedures to be used for gathering audit evidence. The audit should be planned to reduce
audit risk to an acceptably low level. Operationally, planning entails setting a timetable for the
audit and defining the nature, timing, and extent of the audit procedures. Audit planning should
be responsive to significant changes in circumstances and conditions. It is an iterative process
that takes place throughout the audit (ISSAI 100.48).
3.1 PLANNING AT ENGAGEMENT LEVEL
Adequate planning helps to devote appropriate attention to important areas of the audit, identify
potential problems on a timely basis, and properly organize and manage the audit to respond to
users’ needs efficiently and effectively. It also assists the auditors to properly assign work to the
team members and facilitate the direction, supervision, and the review of their work.
Furthermore, it assists, where applicable, the coordination of work done by auditors and experts,
if required.
The nature and extent of planning activities will vary with the circumstances of the audit, for
example, the complexity of the underlying subject matter and criteria. The following are examples
of some of the main matters that may be considered in planning:










The characteristics of the audit that define its scope, including the characteristics of the
underlying subject matter and the criteria;
The expected timing and the nature of the communications required;
Previous audit reports;
The audit process;
The auditor’s understanding of the responsible party and their environment, including
the risks that the subject matter may not be in compliance with the criteria;
Control environment and internal control of the agency;
Identification of intended users and their information needs, and consideration of
materiality and the audit risk;
The extent to which the risk of fraud is relevant to the audit;
The nature, timing, and extent of resources necessary to perform the audit, such as
personnel and expertise requirements, including the nature and extent of experts’
involvement; and
The impact of the internal audit functions on the audit.
The auditors may decide to discuss elements of planning with the responsible party in an
entrance conference or written communication to facilitate the conduct and management of the
audit. Although these discussions often occur, the audit strategy and the audit plan remain the
auditor’s responsibility. When discussing matters included in the audit strategy or audit plan, it
is important not to compromise the effectiveness of the audit (e.g., discussing the nature and
timing of detailed procedures with the responsible party will make the procedures too
predictable).
28
As mentioned earlier, there are common planning activities that will be performed in performing
the three streams of audit. As a result of such activities, these planning templates may be
accomplished, to wit: Understanding the Agency Template and Agency Level Control Checklist.
These planning templates shall be used as references/sources of information for the preparation
of the planning templates for each audit stream.
Also, as discussed earlier, the level of assurance the COA auditors have to apply is reasonable
assurance unless the needs of identified intended user(s) require limited assurance.
3.2 STEPS IN PLANNING THE AUDIT
In planning the CA, the following should be performed:
Step 1 Determine the type of engagement – direct reporting or attestation engagement
Step 2 Identify the intended user(s), the responsible party, subject matter, corresponding
audit criteria, and scope
Step 3 Understand the subject matter including internal control
Step 4 Determine materiality
Step 5 Carry out risk assessment and assess audit risk
- Consider noncompliance that may indicate suspected unlawful acts
Step 6 Develop audit strategy and audit plan
3.2.1
Determine the type of engagement- Direct Reporting or Attestation Engagement
The decision whether to carry out an attestation engagement or a direct reporting engagement is
based on the availability of the subject matter information.
In COA, however, compliance audit engagements shall be direct reporting, except when the enduser(s) would require that an attestation engagement be conducted in accordance with existing
agreements.
3.2.2
Identify Intended User(s), the Responsible Party, the Subject Matter, the Corresponding
Audit Criteria and Audit Scope
The Intended User(s) and Responsible Party
ISSAI 4000.101
The auditor shall explicitly identify the intended user(s) and the responsible party and
consider the implication of their roles in order to conduct the audit and communicate
accordingly.
Public sector audit requires identifying the parties involved. The intended users are the persons
for whom the auditor prepares the compliance audit report. The intended users may be legislative
or oversight bodies, those charged with governance, the public prosecutor, media, or the general
public. The responsible party is responsible for the subject matter, and is the subject for the audit
(ISSAI 4000.102). The intended users and the responsible party are to be identified in order to
consider the implication of their roles. This requires an understanding of the decisions made by
the users, and the type of information they use for their decision making purposes. On the other
hand, the identification of the responsible party is important when setting the audit criteria.
In the Philippine setting, Congress may be one of the intended users of the COA Compliance Audit
Report and the Board of Directors of GOCCs/Department Secretaries of NGAs and Local Chief
29
Executives of LGUs are the responsible parties. While the audit report is not addressed to the
responsible party, the result can be useful in the improvement of their performance (ISSAI
4000.19).
The Subject Matter, Audit Criteria, and Audit Scope
ISSAI 4000.107
Where the SAI has discretion to select the coverage of compliance audits, the auditor shall
define the subject matter to be measured or evaluated against criteria.
Subject Matter and Audit Criteria
Determining the subject matter and criteria is one of the steps to be carried out in planning and
performing a compliance audit. Auditors have the obligation and interest in producing high
quality audit reports. They need to focus/give importance to the subject matter and criteria in
order to produce a report that will meet the expectation of the intended users. Thus, auditors
should try to find the significant aspects of a subject matter, and whether suitable criteria are
available for measurement of the subject matter. The following are examples of subject matter of
a CA:











Fund Utilization (use of appropriated funds)
Revenue collection ( e.g. local taxes, fines and penalties)
Procurement
Expenditures
Service delivery – medical, education, etc.
Heritage protection
Health and safety
Environmental protection
Internal control framework
Payments of social benefits, pensions
Physical characteristics, zoning density, access to government buildings, etc.
The subject matter of a compliance audit should be identifiable, and can be assessed against
suitable criteria. It should be of such nature that it enables sufficient and appropriate audit
evidence to be gathered in support of the audit report, conclusion or opinion. Where the SAI has
discretion to select the coverage of compliance audits, the auditor shall identify relevant audit
criteria prior to the audit to provide a basis for a conclusion/an opinion on the subject matter
(ISSAI 4000.109-110). In COA, the General/Specific Audit Instructions issued by the Sector
Head/Cluster and Regional Directors can be the source of the subject matter and audit criteria.
Since the subject matter and audit criteria are linked and consistent, identifying the
corresponding audit criteria is an iterative process. When auditing a subject matter, the auditor
has to ensure that there are corresponding audit criteria (ISSAI 4000.111-112).
Audit criteria can be derived from:
a. Laws, rules, and regulations (e.g. Republic Acts, Executive Orders, Circulars);
b. International treaties and other agreements (e.g. Loan/Grant Agreements, Memorandum
of Agreement, Terms of Reference); and
c. Codes of conduct (e.g. Code of Conduct and Ethical Standards for Public Officials).
30
Also, suitable propriety criteria may be derived from (ISSAI 4000.116):
a. Public financial management expectations such as compliance with effective and efficient
internal control system;
b. Beneficiaries' expectations regarding the utility of goods, or the quality of the services and
works; and
c. Requirements for a transparent and unbiased allocation of public funds and human
resources.
In some cases, laws and regulations require further interpretation in order to derive relevant
audit criteria. If situations arise where there are conflicting provisions or there may be doubt as
to what is the correct interpretation of the relevant law, regulation, or other authorities, auditors
may consider the intentions and premises set out in developing the law, or to consult with the
particular body responsible for the legislation. They may also consider relevant earlier decisions
made by judicial authorities (ISSAI 4000.117).
Suitable audit criteria exhibit the following characteristics (ISSAI 4000.118):
a. Relevance
Relevant criteria result in subject matter information that assists decision-making by the
intended user(s).
b. Completeness
Criteria are complete when subject matter information prepared in accordance with them
does not omit relevant factors that could reasonably be expected to affect decisions of the
intended user(s) made on the basis of that subject matter information.
c. Reliability
Reliable criteria result in consistent conclusions when used and examined in the same
way, by another auditor, in the same circumstances.
d. Neutrality
Neutral criteria result in subject matter information that is free from bias as appropriate
in the engagement circumstances.
e. Understandability
Understandable criteria result in subject matter information that can be understood by
the intended user(s).
f.
Usefulness
Useful criteria result in findings and conclusions that meet user(s)' information needs.
g. Comparability
Comparable criteria are consistent with those used in Compliance Audits of other similar
agencies or activities and with those used in previous Compliance Audits of the agency
being audited.
h. Acceptability
Acceptable criteria are those that independent experts in the field, audited agencies,
legislature, media, and general public generally agree to.
i.
Availability
The criteria are available for intended user(s) in such way that they understand the
nature of the audit work performed and the basis for the audit report.
31
If, while executing the audit, the auditors identify breaches of other suitable audit criteria other
than those criteria identified in the planning phase, auditors have the responsibility to report
these breaches (ISSAI 4000.120). For example, in the course of conducting compliance audit
where the subject matter is procurement process, noncompliance with the provisions of DBM
Circular No. 2004-5A on the rates of honoraria to government personnel involved in government
procurement should likewise be reported even if this was not considered in the planning phase.
Audit Scope
The scope defines the subject matter, and what is going to be audited. The scope depends on the
needs of the intended user(s), the decided level of assurance, the risk that has been assessed, and
the competence and resources available (ISSAI 4000.44).
Audit scope basically refers to the area, extent, and time period covered in the audit of a given
subject matter. It is a statement of the focus, extent, and limits of the audit in terms of the subject
matter’s compliance with the criteria. The scoping of an audit is also influenced by materiality,
and it determines which authorities and parts thereof will be covered. The audit process as a
whole should be designed to cover the entire audit scope. This is illustrated under Table 3.1
below:
Table 3.1 Relationship of the Subject Matter, Audit Criteria, and Audit Scope
Subject Matter
Audit Criteria
Audit Scope
1. Negotiated
Section 53 and Annex H The audit will cover Negotiated
Procurement under
of the IRR of RA 9184
Procurement under Two Failed Biddings
Two Failed Biddings
(add additional criteria
with ABC of above P1M for the period
based on final templates) January 1 to June 30, 2018
2. Procurement of
Section 10, Rule IV, R.A.
The audit will cover procurement of
instructional materials 9184
instructional materials in CY 2018
(All Procurement shall be amounting to P1 million and above.
done through
Competitive Bidding,
except as provided for in
Article XVI of R.A. 9184.)
3. Fund Utilization (funds Memorandum Of
The audit will cover fund utilization for CY
received by GOCCs,
Agreement/Terms of
2018 pursuant to the Memorandum of
LGUs, and NGAs for
Reference
Agreement executed by and between
specific purpose)
Agency A and Agency X.
3.2.3
Understand the Subject Matter Including Internal Control
The Subject Matter
ISSAI 4000.131
The auditor shall have an understanding of the audited agency and its environment, including
the agency’s internal control, to enable effective planning and execution of audit.
The auditor needs to understand the agency and its environment and how this may influence the
subject matter and the subject matter information (ISSAI 4000.132). Auditors’ understanding the
subject matter as well as the subject matter information requires understanding the audited
agency. In COA, this is documented in Understanding the Agency (UTA) Template. This template
enables the auditors to document their understanding of the agency and its environment and
32
assist in identifying risks of noncompliance. The auditors should therefore be familiar with the
structure and operations of the audited agency and its procedures in achieving compliance.
Understanding the agency is crucial for compliance audit as it may be used to determine the
subject matter and the criteria, audit materiality, and assessment of risk of noncompliance at all
levels. The auditors should examine the following factors in understanding the audited agency in
light of relevant authorities. The auditors should understand and evaluate whether:




the fundamental goals and objectives and measure to implement as outlined in the
strategic plan of the audited agency are aligned to the mandatory coverage and standards
required;
the goals specified in the strategic action plans and programs are linked to the results;
activities and operations are directed towards attainment of the goals and objectives of
audited agency which should in turn respond to all compliance requirements of the
agency; and
legal acts applied to the operations of the audited agency and other authorities like
administrative policies, internal procedures, and instructions/orders do not contradict
the normative legal acts.
Documentation
The identified intended user, subject matter, audit criteria, audit scope and type of engagement
will be documented using the prescribed Understanding the Subject Matter Template (Annex
A).
The Internal Control
The auditors need to obtain an understanding of all components of an internal control system:
the control environment, the agency’s risk assessment process, the information system, the
control activities relevant to the audit, and the monitoring of control relevant to the audit (ISSAI
4000.135).
Auditors’ understanding of the audited agency and subject matter would not be complete unless
internal controls of the audited agency are thoroughly understood. The audited agency
establishes internal controls with the aim of achieving fulfilment with compliance requirements
in its operations; hence, auditors need to understand:



what these controls are;
whether the controls are adequate and can detect, prevent, and correct instances of
noncompliance; and
whether the controls are working as intended.
In the context of compliance audits, an internal control system is composed of policies, structure,
procedures, processes, tasks, and other tangible and intangible factors that help the audited
agency to respond appropriately to risks of noncompliance with the compliance requirements.
An effective system should safeguard the audited agency’s assets, facilitate internal and external
reporting, and help the audited agency comply with relevant legislation. The auditors need to
have a considerable insight into the internal functioning of the subject matter through assessment
of control environment and internal controls of the audited agency.
To obtain an understanding of the internal control, it may be relevant to consider the audited
agency’s communication and enforcement of integrity and ethical values, its commitment to
33
competence, participation by those charged with governance, the management’s philosophy and
operating style, organizational structure, the existence and level of internal audit activity, the
assignment of authority and responsibility, and human resource policies and practices (ISSAI
4000.136).
Documentation
The Internal Control Checklist (Annex B) covers the components of internal control i.e. Control
Environment, Risk Assessment, Control Activities, Information and Communication, and
Monitoring.
3.2.3
Determine Materiality
ISSAI 4000.125
The auditor shall determine materiality to form a basis for the design of the audit, and re-assess
it throughout the audit process.
Materiality reflects the assessed needs of the intended user(s), and these needs have to be
identified when planning the audit. Based on the selected subject matter, materiality is
determined by identifying the level of noncompliance that is likely to influence the decisions of
the intended user(s). In identifying materiality, the auditors pay attention to specific areas of
legislative focus, public interest or expectations, requests and significant public funding as well
as fraud (ISSAI 4000.126).
As discussed earlier, determining materiality is a matter of professional judgment and depends
on the auditors’ interpretation of the users' needs. In applying materiality in the planning phase,
the auditors should follow the guidelines on materiality prescribed by the Commission.
In evaluating the materiality of any noncompliance, matters such as the criteria, the conditions,
the cause, and the effect of noncompliance are also considered. This might be the case in
situations where a law or regulation, or agreed-upon terms establish an unconditional
requirement for compliance, for example, if the General Appropriations Act prohibits
overspending in relation to the approved budget.
Qualitative Factors in Determining Materiality
The relative importance of qualitative factors and quantitative factors when considering
materiality in a particular audit is a matter of professional judgment. In some cases, the
qualitative factors are more important than the quantitative factors. Public expectations and
public interest are examples of qualitative factors that may affect the determination of
materiality. Instances of excess spending over appropriations authorized by the legislature or
introduction of a new service not provided for in the approved appropriations may be instances
of noncompliance that are not material but may still warrant communication to the audited
agency due to their nature. Qualitative factors may include the following:


34
The interaction between, and relative importance of, various components of the subject
matter information when it is made up of multiple components, such as a report that
includes numerous performance indicators;
The wording chosen with respect to subject matter information that is expressed in
narrative form;





The nature of a noncompliance, for example, the nature of observed deviations from a
control when the subject matter information is a statement that the control is effective;
Whether a noncompliance affects compliance with law or regulation;
Whether a noncompliance is the result of an intentional act or is unintentional;
When the subject matter information relates to a conclusion on compliance with law or
regulation, the seriousness of the consequences of noncompliance; and
When the underlying subject matter is related to a particular aspect of the program or
agency is significant with regard to the nature, visibility, and sensitivity of the program or
agency.
Quantitative Factors in Determining Materiality
Quantitative factors relate to the magnitude of noncompliance relative to the reported amounts
for those aspects of the subject matter information which may be:


The number of persons or entities affected by the particular subject matter, or the
monetary amounts involved; and
The number of observed deviations from a control may be a relevant quantitative factor
when the subject matter information is a statement that the control is effective.
Quantitative materiality is determined by applying a percentage to a chosen benchmark as a
starting point. This involves the exercise of professional judgment and reflects the auditor’s
judgment on what the users of the information are most likely to consider important.
Documentation
Materiality will be documented using the prescribed Materiality Template (Annex C).
3.2.4
Carry Out Risk Assessment and Assess Audit Risk
ISSAI 4000.52
The auditor shall perform procedures to reduce the risk of producing incorrect conclusions to
an acceptable low level.
Auditors should perform risk assessment to determine the nature, timing, and extent of the audit
procedures to be performed. In this context, the auditors should consider the risks that the
subject matter will not comply with the criteria. Noncompliance may arise due to fraud, error,
inherent nature of the subject matter, and/or circumstances of the audit. The identification of
risks of noncompliance and their potential impact on the audit procedures should be considered
throughout the audit process. As part of the risk assessment, the auditors should evaluate any
known instances of noncompliance in order to determine whether they are material.
The key criteria used to measure the significance of a potential audit area are the risk tolerances
contained in the approved risk strategies of the audited agency. Risk assessment starts by
analyzing how the audited agency is managing its risks. Therefore, in light of the audit criteria,
the audit scope and the characteristics of the audited agency, auditors should consider both
controls and risk management practices at the audited agency while doing risk assessment during
planning a compliance audit.
35
In assessing risks to the subject matter of the agency, auditors need to understand the inherent
limitations of compliance which may include:








judgment applied by management in interpreting laws and regulations;
human errors;
systems not properly designed or not functioning effectively;
controls circumvented and evidence concealed or withheld;
stakeholders’ concerns;
significant changes;
potential fraud; and
waste and abuse of public resources
Audit risk is the risk that the auditor’s report, conclusion, or opinion may be inappropriate. A
compliance audit should be performed in a manner that would ensure that audit risk is reduced
to an acceptable low level in the circumstances of the audit. The different components of audit
risk include inherent risk, control risk, and detection risk.
Audit risk is the inverse of audit assurance. It is the risk of reaching a wrong conclusion that the
auditor is willing to tolerate. In practice, audit risk is unavoidable. In the public sector, audit risk
is normally 5% for audits providing reasonable assurance. As a consequence, the degree of
assurance is DA = 100 – audit risk (5%) = 95%(American Institute of Certified Public
Accountants Audit Guide – Audit Sampling). However, the auditors need to consider if specific
policies regarding this are in place in the COA. Auditors need to perform audit procedures to
ensure that audit risk is 5% or less to provide reasonable assurance from the audit.
The proper way to reduce audit risk is to consider it during risk assessment. Risk assessment is
the most important step in the planning process. It guides the auditor to focus on the key issues
to be considered for audit, considering the resource and time constraint. Also, risk assessment is
related to audit risk, which is derived from the assurance engagement concept as explained
earlier.
Risk assessment and audit risk must not be confused. Risk assessment is a process of assessing
the risk that the subject matter is not in compliance with the criteria, and it is related to the
intended users’ need to be provided with information that can lead to sound decisions. Audit risk
is the risk that the auditor might reach an incorrect conclusion, and it is related to the amount of
audit evidence the auditor needs to collect to reach a conclusion with the necessary level of
assurance. A compliance audit should be performed in a manner that would ensure that audit risk
is reduced to an acceptable low level in the circumstances of the audit.
Another way to reduce audit risk to an acceptable low level is to ensure that audit teams
collectively possess the knowledge, skills, and expertise necessary to successfully complete the
audit. This includes an understanding and practical experience of the type of audit being
undertaken, familiarity with the applicable standards and authorities, an understanding of the
audited agency’s operations and the ability and experience to exercise professional judgment.
Common to all audits is the need to recruit personnel with suitable qualifications, offer staff
development and training, prepare manuals and other written guidance and instructions
concerning the conduct of audits, and assign sufficient audit resources. Auditors should maintain
their professional competence through ongoing professional development.
36
Inherent Risk
Inherent risk is the risk related to the nature of the activities, operations, and management
structures. This risk is described as “the susceptibility of a subject matter to material compliance
deviation or error from the suitable criteria, before consideration of any related controls.”
The inherent risk that a compliance deviation or error may occur can be assessed by the auditors’
use of judgment to evaluate a range of factors, including:



complexity of the framework/hierarchy of laws, rules, and regulations;
complexity of laws, rules, and regulations; and
introduction of new legislation or changes in existing regulations.
As part of the risk assessment, the auditors determine which of the inherent risks identified are
in their judgment risks that require special audit considerations (significant risks). For such risks,
the auditors should evaluate the design of the related controls and determine through testing
whether these controls have been implemented effectively and continuously throughout the
period under review.
Understanding the framework of laws and regulations and using this information appropriately
will assist the auditors in identifying potential material deviations (e.g. from new and complex
legislation or from a misinterpretation of legislation and its scope). This understanding helps the
auditors to determine whether the inherent risk is to be classified as high or not high and in
deciding upon the nature, timing, and extent of audit procedures to be performed.
The auditors’ understanding includes knowledge of the reasons for the legislation and its
objectives, as this will aid their understanding of any secondary legislation or subsidiary
regulations. The extent of the auditors’ work in obtaining a sufficient understanding of the legal
and regulatory framework will depend on the nature and complexity of the laws and regulations.
However, the auditors only need to understand the parts of the legislation that are relevant to the
particular audit task. In all cases, the audited agency retains the responsibility for ensuring
compliance with applicable laws and regulations; this includes ensuring that legislation and
regulations are appropriately reflected at all stages with operational guidance.
Where the auditors are uncertain whether legislation has been properly interpreted and the
effect could be material, it may be necessary to seek a legal opinion. If the laws and regulations
do not change, the auditors may already have sufficient knowledge from previous audits.
Control Risk
Control risk is the risk that a material deviation could occur that would not be prevented, or
detected and corrected on a timely basis, by the internal control systems. Where the auditors
expect to be able to rely on their assessment of control risk to reduce the extent of substantive
procedures relating to compliance, they make a preliminary assessment of control risks, and plan
and perform test of control to support that assessment.
The auditors need to assess the control risk to determine whether controls can be relied upon,
which affects the appropriate audit response. There are two stages involved in assessing control
risk. The first level is the assessment of the design and implementation of relevant controls and
the second level is the testing of the operating effectiveness of controls over the period of
intended reliance. A control is considered to be relevant if it mitigates (can detect, prevent or
correct) the risk of material noncompliance. If based on the understanding and review of controls,
the design and implementation of the control is NOT adequate to address the risk, there is no
37
reason to test the operating effectiveness of the control. Otherwise, the auditors need to proceed
with the test of controls. There may be cases wherein the design and implementation of controls
are adequate, but found to be ineffective upon testing the operating effectiveness of the controls.
In such cases, the auditors should revisit the assessment of control risk.
The assessment of control risk is affected by the result of internal control checklist, especially in
the control activities element of the internal control system.
Combined Risk Assessment
The auditors’ risk assessment should determine the reasonable expectation about the potential
level of deviations as regards compliance with applicable laws and regulations; thus, assessment
of the inherent and control risks of the identified subject matter of the compliance audit is
imperative. For example, noncompliance with law is inherent in procurement and therefore
auditors should assess control risk, e.g. whether existing controls in procurement could be relied
or not. The combined risk assessment (CRA) involves testing the operating effectiveness of the
controls. However, before performing Test of Controls, assessment of the design of controls e.g.
whether controls are adequate or not must first be done. This is necessary because performing
risk assessment procedures to obtain an understanding of the agency's internal control over
compliance includes an evaluation of the design of controls and whether the controls have been
implemented.
Moreover, the purpose of performing risk assessment in compliance auditing is to identify areas
which are most exposed to high risk of noncompliance, and allocate the scarce audit resources to
audit areas that are critical to the success and sustainability of audited agencies. After assessing
the risks associated with the strategic and operational activities of the audited agency, auditors
need to determine the appropriate response to the material risks identified which involves
consideration of the perceived level of maturity of internal controls. If the auditors identify risks
of material noncompliance, they should develop an overall response to such risks. They have to
design further audit procedures, including tests of details (which may include tests of
transactions) to obtain sufficient and appropriate audit evidence about the agency's compliance
with each of the applicable compliance requirements in response to the assessed risks of material
noncompliance. Based on the evaluation of internal control, auditors will be in a position to decide
on the appropriate audit approach and identify the audit evidence required in conducting the
audit. An illustration of risk assessment, and risk response is shown below:
Table 3.2 Appropriate Risk Response for a Combined Risk Assessment
Combined
Inherent Control
Approach in designing
Risk
Explanation
Risk
Risk
risk response
Assessment
Audit response to be
Evidence is insufficient to
High
High
High
focused on improving
conclude that controls
internal controls through operate effectively and will
assessment of improved
prevent or detect and
plans
correct non-compliance
from occurring, and there is
a higher likelihood that risks
of material non-compliance
will occur.
Low
38
High
Moderate
Evaluate and monitor the
development of risk level
Evidence is insufficient to
conclude that controls
operated effectively and will
Inherent
Risk
Control
Risk
Combined
Risk
Assessment
High
Low
Low
Low
Low
Minimal
Approach in designing
risk response
Focus on obtaining
assurance that controls
continue to operate as
designed and that there is
consistency in risk
management
Audit response to be
focused on compliance
issues
Explanation
prevent or detect and
correct non-compliance
from occurring, although
there is a low likelihood that
risks of material noncompliance will occur.
Evidence is sufficient to
conclude that controls are
effective at preventing or
detecting and correcting
non-compliance from
occurring, but there is a
higher likelihood that risks
of material non-compliance
will occur.
Evidence is sufficient to
conclude that controls are
effective at preventing or
detecting and correcting
non-compliance from
occurring, and there is a low
likelihood that risks of
material non-compliance
will occur.
Inherent Risk
Figure 3.1. Combined Risk Assessment Matrix
High
Low
High
Low
Minimal
Moderate
Low
High
Control Risk
In assessing the risks of material noncompliance, auditors may consider the following factors:





The complexity of the applicable compliance requirements;
The susceptibility of the applicable compliance requirements to noncompliance;
The length of time the agency has been subject to the applicable compliance
requirements;
The auditor's observations about how the agency has complied with the applicable
compliance requirements in prior years;
The potential effect on the agency of noncompliance with the applicable compliance
requirements; and
39

The degree of judgment involved in adhering to the compliance requirements.
Auditors should bear in mind that the nature and extent of risk assessment procedures may vary
from agency to agency and are influenced by factors such as:





The newness and complexity of the applicable compliance requirements;
The auditor’s knowledge of the agency's internal control over compliance with the
applicable compliance requirements obtained in previous audits or other professional
audits;
The nature of the applicable compliance requirements;
The services provided by the agency and how they are affected by external factors; and
The level of oversight by the government.
Risk assessment regarding controls requires the auditor to examine whether:





Managers/key officials of the agency clearly understand key compliance objectives. Also,
if they are able to detect instances of noncompliance and initiate processes necessary to
fix the underlying cause of noncompliance;
Organizational structure identifies risks of noncompliance. A large and complex
organization typically has a dedicated unit for risk management. It continuously examines
compliance and other risks facing the agency, reviews controls, and recommends changes
therein to ensure that the agency complies with applicable compliance requirements;
Key managers/officials of the audited agency have been given responsibility to
communicate changes. An agency operating in a dynamic environment needs to respond
quickly to the changes in the environment. If the agency has assigned
official(s)/manager(s) to communicate information on changes in procedures/controls
across the agency, it decreases the risk of noncompliance;
Key managers/officials have a clear understanding of complex parts of its operations.
When key managers/officials lack such understanding, they are not likely to implement
or oversee compliance with requirements, as they need to. The risk of noncompliance is
likely to be higher in that situation; and
The agency’s management views audit findings/recommendations seriously and takes
appropriate corrective measures. An institutional body, e.g. committee/board, meets
periodically to review compliance issues arising from audits.
The procedures related to understanding how management has responded to audit findings and
recommendations that could have a material effect on the agency's compliance with the
applicable compliance requirements, are performed to assist auditors in understanding whether
management responded appropriately to such findings. Examples of external monitoring include
regulatory reviews, program reviews by government agencies, and reviews by oversight bodies.
Examples of internal monitoring include reports prepared by the internal audit function and
internal quality assessments.
Documentation
The risk assessment will be documented using the Combined Risk Assessment Template
(Annex D).
40
3.2.5
Consider Noncompliance That May Indicate Suspected Unlawful Acts/Risks of Fraud
ISSAI 4000.58
The auditor shall consider the risk of fraud throughout the audit process, and document the
result of the assessment.
Detecting fraud is not the main objective of compliance audit. However, the auditors need to
consider fraud risk factors in their risk assessments and remain alert to indications of fraud when
carrying out their work. As part of the planning stage, the auditors consider the risk of fraud and
document the considerations in the audit file.
The following questions may be relevant to consider while performing a fraud risk assessment
for an agency:
a. Has the audited agency develop a clear overall fraud and corruption control framework
(A fraud control framework is a system of coordinated measures put in place to prevent,
detect, and respond to instances of fraud)?
b. Do policies and procedures relevant to fraud and corruption prevention and detection,
complement each other and operate in an integrated and cohesive manner?
c. Have all relevant users been involved in contributing to and developing the overall policy
regarding fraud and corruption prevention and detection?
d. Does the overall policy address fraud related elements such as (a) tone at the top, (b)
fraud risk assessment, (c) risk based internal controls, (d) internal reporting, (e) external
reporting, (f) public interest disclosures, (g) investigation, (h) code of conduct, (i) staff
education and awareness, and (j) client and community awareness?
e. Do the overall policy and any related policies and procedures reflect the specific needs of
the audited agency?
f. Is the fraud control framework reviewed on a periodic basis? When was the framework
last reviewed?
g. Is there a structured approach to implementing significant review recommendations?
h. Have the recommendations for changes or improvements to policy and operational
procedures been prioritized or implemented?
i. Has the agency implemented effective communication or programs to raise awareness of
its fraud control frameworks?
j. Is the framework easily accessible to all relevant parties?
k. Do the overall framework and its components clearly show the commitment of senior
management to its principles and policies?
l. Is there a person/organizational unit responsible for ‘ownership’ and administration of
the fraud and corruption control framework?
The purpose of the fraud risk assessment is to:



identify inherent fraud and corruption risks of the agency;
identify and assess the agency’s internal controls in place; and
assess residual risks, and to consider possible audit procedures.
Auditors should maintain an attitude of professional skepticism and be alert to fraud risks and
their impact throughout the audit process. There are three key elements normally present when
someone commits fraud and corruption:


Opportunity;
Incentive/pressure; and
41

Rationalization/attitude.
All these elements should be dealt with through the agency's internal controls. Hence, weak
internal controls may indicate risks of fraud and corruption. Depending on the agency’s mandate,
these may be more appropriate starting point for auditors, than looking for indicators of possible
acts of fraud and corruption.
In COA, the Fraud Audit Office (FAO) under the Special Services Sector (SSS), is primarily tasked
to conduct fraud audit. The Supervising Auditor (SA) of the audit team shall make the initial
assessment/evaluation and submit the Evaluation Report (ER) and all supporting documents to
the concerned Cluster Director (CD)/Regional Director (RD); the CD/RD reviews the ER and
transmit the same to the Sector Head; the Sector Head shall review and make the appropriate
recommendation to be submitted to FAO.
Documentation
The fraud risk assessment will be documented in a Fraud Risk Assessment Template (Annex E).
3.2.6
Develop Audit Strategy and Audit Plan
ISSAI 4000.137
The auditor shall develop and document an audit strategy and an audit plan that together
describe how the audit will be performed to issue reports that will be appropriate in the
circumstances, the resources needed to do so and the time schedule for the audit work.
The audit strategy is the basis for deciding whether the audit is possible to execute. The audit
strategy describes what to do, and the audit plan how to do it. The purpose of the audit strategy
is to document/design the overall decisions, and may contain the following (ISSAI 4000.138139):
a. The audit objective, subject matter, scope, criteria, and other characteristics of the
compliance audit taking into account the mandate of the COA;
b. The type of engagement (attestation engagement or direct reporting engagement);
c. The level of assurance to be provided;
d. Composition and work allocation of the audit team, including any need for experts, and
the dates of quality control;
e. Communication with the audited agency and/or those charged with governance;
f. Reporting responsibilities, as well as to whom and when such reporting will take place,
and in what form;
g. The offices, units, branches, etc. covered by the audit, if applicable; and
h. The materiality assessment.
Like all the other types of audit, an audit plan for the compliance audit is also required to be
developed by the auditors. The audit strategy is an essential input to the audit plan. The audit
plan may include:
a. the nature, timing, and extent of planned audit procedures and when they will be
performed;
b. an assessment of risk and of internal controls relevant for the audit;
c. the audit procedures designed as a response to risk; and
d. the potential audit evidence to be collected during the audit.
42
The auditor updates both the audit strategy and the audit plan as necessary throughout the audit.
In preparing an audit plan, the auditors review, rearrange, and document every step of audit
process in sufficient detail. Thus, audit plans eventually work as benchmarks against which the
flow of CA activities is appraised.
Documentation
The audit strategy and audit plan will be documented using the following templates:
 Compliance Audit Strategy Template (Annex F)
 Audit Program (Annex G)
3.3 SUMMARY
In this chapter we have discussed the steps in the planning process including understanding and
evaluation of internal controls, risk assessment, and materiality. Auditors build their audit plan
considering audit risk with the objective of arriving at an appropriate conclusion or opinion.
Auditors also blend fraud risk assessment in their planning process as required by the standards.
The audit strategy and audit plan are the outputs of the planning process.
The required documentation for this phase is as follows:
Activity
Documentation / Working Paper
Identify the intended user(s) and Understanding the Subject Matter Template
responsible party and determine the
type of engagement, subject matter,
criteria and scope
Understand
the
Subject
including Internal Control
Matter Internal Control Checklist
Determine Materiality
Materiality Template
Carry out risk assessment, assess audit
risk and consider risks of fraud


Combined Risk Assessment Template
Fraud Risk Assessment Template
Develop Audit Strategy and Audit Plan


Compliance Audit Strategy Template
Compliance Audit Program
Discuss elements of planning with the
responsible party in an Entrance
Conference


Entrance Conference Agenda (Annex H)
Minutes of Conference (Annex I)
43
CHAPTER 4
Performing the Audit Procedures to Gather Evidence
Based on the audit strategy and audit program, the auditors will perform the audit procedures to
gather audit evidence with the objective of arriving at an appropriate conclusion as to whether
the subject matter, in all material respects, complies with the stated criteria. This chapter explains
the key considerations in performing the audit to obtain evidence.
4.1
AUDIT EVIDENCE
Audit evidence is the information obtained by the auditors to support their judgments and
conclusions.
The nature and sources of the necessary audit evidence shall be determined by the desired level
of assurance, criteria, materiality, subject matter, and scope of the audit. The auditors have to
decide when the audit evidence is sufficient and appropriate to provide the basis of a conclusion
or an opinion. To form a conclusion with reasonable assurance, the auditors need to obtain more
evidence and need to perform a combination of various audit techniques.
4.1.1
Sufficient and Appropriate Audit Evidence
ISSAI 4000.144
The auditor shall plan and perform procedures to obtain sufficient and appropriate audit
evidence to form a conclusion with the selected level of assurance.
Sufficiency is a measure of the quantity of evidence needed to support the audit findings and
conclusions. There is no formula to express in absolute terms how much evidence there must be
to be considered sufficient. In assessing the sufficiency of evidence, the auditor needs to
determine whether enough evidence has been obtained to persuade a knowledgeable person that
the findings are reasonable.
The quantity of the audit evidence needed is related to the nature of the audit task. For example,
to form a conclusion with reasonable assurance, the auditor needs to obtain more evidence than
in a limited assurance engagement. A wider audit scope normally requires more audit evidence
than a narrower scope.
The quantity of evidence needed is also affected by the audit risk (the greater the risk, the more
evidence is likely to be required) and on the quality of such evidence (the higher the quality, the
less evidence may be required). However, merely obtaining more evidence does not compensate
for poor quality.
The auditor’s professional judgment as to what constitutes sufficient appropriate evidence is
influenced by such factors as the following:



44
Significance of a potential noncompliance or compliance deviation and the likelihood of
its having a material effect on the subject matter information, individually or when
aggregated with other potential noncompliance;
Effectiveness of the responsible party’s responses to address the known risk of
noncompliance or compliance deviation;
Experience gained during previous audits with respect to similar potential
noncompliance or compliance deviation;




Results of audit procedures performed, including whether such procedures identified
specific noncompliance or compliance deviation;
Source and reliability of the available information;
Persuasiveness of the evidence; and
Understanding of the responsible party and its environment.
Appropriateness is a measure of the quality of the audit evidence. It encompasses relevance,
validity and reliability.
Relevance refers to the extent to which the evidence has a logical relationship with, and
importance to, the issue being addressed. For evidence to be relevant, it should help to answer
the individual audit objective. Relevance also requires that the evidence apply to the period
under review.
Validity refers to the extent to which the evidence is a meaningful or reasonable basis for
measuring what is being evaluated. In other words, validity refers to the extent to which the
evidence represents what it is purported to represent.
Reliability refers to the extent to which the audit evidence has been gathered and produced
by a transparent and reproducible method. Evidence is reliable if it fulfils the necessary
requirements for credibility. The reliability of audit evidence is affected by its source—
whether internal or external to the audited agency, and type—whether physical,
documentary, oral or analytical, and is dependent on the circumstances under which it is
obtained.
Types of Audit Evidence
a. Documentary Evidence – refers to the documents provided or prepared by the agency
management. This may include reports, vouchers, issuances, invoices, among others.
b. Testimonial Evidence – refers to verbal or oral representation obtained by the audit
team. Examples are responses to surveys or questionnaires, inquiries or interviews.
In case of oral representations, the audit team is encouraged to prepare hardcopy
evidence such as interview notes and the like.
c. Analytical Evidence – refers to data obtained from the management which are
processed by the audit team to produce a more useful information about the subject
matter. Examples are result of trend analysis on expenditures, comparison of budgets,
etc.
d. Physical Evidence – refers to those obtained through observation of performance or
procedure. In some cases involving testing of status or condition of certain subject
matter, the evidence can be documented through photographs.
Sources of Audit Evidence
The auditors will often need to combine and compare evidence from various sources to
be able to meet the requirements for sufficiency and appropriateness. The auditors
should exercise professional judgment in determining whether the audit evidence is
sufficient and appropriate throughout the process of gathering evidence.
45
Audit evidence for compliance with applicable laws and regulations may be derived from
the following sources:



internal to the agency;
external to the agency; and
produced by the auditors.
Table 4.1. Sources of audit evidence
Source
Examples of Evidence
Quality As Evidence
Audit Considerations
Information from databases,
Internal to documents and records
Lower, due to
the agency produced by the audited agency; potential bias
grant agreements; and invoices
Accuracy and
completeness of such
information should be
evaluated
External
to the
agency
Confirmations (from banks, etc.)
and Work of other
auditors/experts
Independence of the
third party
Produced
by the
Auditor
Analytical review of expenditure
Highest
trends
Higher
Base information may
have been produced
internally
When evidence is obtained from external sources, circumstances may exist that could affect its
reliability. For example, evidence obtained from an external source may not be reliable if the
source is not objective. Evidence is likely to be more reliable when:




it is obtained from sources outside the responsible party;
it is generated internally, when the related controls are effective;
it is obtained directly by the auditors. For example, observation of the application of a
control is more reliable than evidence obtained indirectly or by inference, such as inquiry
about the application of a control; or
it exists in documentary form, whether in paper, electronic, or other media. For example,
minutes of a meeting which is recorded during the meeting is generally more reliable than
a subsequent oral representation of what was discussed.
The reliability of evidence is influenced by its source and nature, and is dependent on the specific
circumstances in which it was obtained. The auditors consider both the relevance and the
reliability of the information to be used as evidence (ISSAI 4000.151-152).
4.2
STEPS IN GATHERING EVIDENCE
In gathering evidence for compliance audit, the following should be performed:
Step 1 Gather sufficient and appropriate evidence through various methods and procedures
Step 2 Continually update planning and risk assessment
Step 3 Consider noncompliance that may indicate fraud
46
4.2.1
Gather Sufficient and Appropriate Evidence Through Various Methods and Procedures
ISSAI 4000.158
The auditor shall select a combination of audit techniques to be able to form a conclusion with
the selected level of assurance.
The auditors perform effective audit procedures in line with the audit plan to gather audit
evidence and fulfil audit objectives. For example, by interviewing management and employees,
the auditors may obtain an understanding of how management shares its views on the agency's
practices and ethical behavior with staff. The auditors may determine whether relevant controls
have been implemented by considering, for example, whether management has a written code of
conduct and whether it is followed in practice. A survey submitted to the employees could, for
example, illuminate to what extent the management acts in accordance with the code of conduct.
Based on the scope, the auditors will gather quantitative or qualitative audit evidence, or a
combination thereof (ISSAI 4000.159).
Approaches
After the risk assessment procedures conducted in the planning phase, there are two audit
approaches that the auditors may consider in gathering audit evidence: Test of Key Controls and
Substantive Testing.
Test of Key Controls
ISSAI 4000.168
Test of key controls involves testing the controls that management has put in place to reduce
the risk of noncompliance or the risk that the subject matter information is materially
misstated. For most subject matters, testing key controls is an effective way to collect audit
evidence.
The auditors perform tests of controls so as to confirm the preliminary assessment of those key
controls upon which they intend to rely. If the tests of key controls confirm that these controls
have operated continuously and effectively throughout the period under review, the auditors can
rely on these controls, and will perform minimum substantive testing. If not, the auditors should
reassess the audit approach, and increase the extent of substantive testing to be performed.
The techniques that are generally used to test key controls are observation and inquiry,
inspection and re-calculation, or a combination thereof. In certain situations, the auditors may be
able to use data analysis techniques, principally through the use of automated tools, to obtain
evidence on the effectiveness of the operation of the key controls.
Tests of controls should focus on the key controls that are (i) relevant to the achievement of the
agency's objective in complying with applicable laws and regulations; and (ii) at the highest level
possible to satisfy audit objectives.
Documentation:
The performance of tests of controls will be documented in the Test of Control Working Paper
(TCWP) Template (Annex J).
47
Substantive Testing
ISSAI 4000.167
Substantive testing involves testing detailed transactions or activities against the audit criteria.
It is mostly used in attestation engagements and must always be included as an audit technique
in such engagements. However, performing only substantive testing is effective in rare cases
and this audit technique will normally be combined with other audit techniques.
Substantive procedures are employed where the preliminary assessment shows controls to be
poor, where testing shows that the controls have not operated continuously and effectively
during the period being audited, or where controls (even if deemed to be good or excellent) are
not tested (whether due to lack of resources, expertise, etc.).
Documentation:
The performance of substantive testing will be documented in the Substantive Test Working
Paper (STWP) Template (Annex K).
Techniques
In performing test of key controls and substantive procedures, the auditors may use a variety of
techniques such as:







Observation
Inspection
Inquiry
External Confirmation
Re-performance
Re-calculation
Analytical procedures
A realistic planning of the design of the audit procedures in accordance with the nature, extent
and timing of the audit will contribute to the effectiveness of the evidence gathering process. The
techniques in gathering audit evidence are discussed below.
Observation
Observation involves looking at a process or procedure being performed by the agency’s
personnel. It provides audit evidence about the performance of a process or procedure, but is
limited to the particular point in time at which the observation takes place. In addition, the act of
being observed may affect how the process or procedure is performed (ISSAI 4000.161).
In performing compliance audit, this may include looking at how a bid tendering process is
carried out, and observing how benefit payments are processed or if performance of any kind is
in line with laws and regulations.
Inspection
Inspection involves examining books, records or documents, whether internal or external, in
paper or electronic form or a physical examination. The auditors consider the reliability of any
48
documents inspected, and remain conscious of the risk of fraud and the possibility that
documents inspected may not be authentic (ISSAI 4000.162).
Inspection of records and documents provides audit evidence of varying degrees of reliability,
depending on their nature and source and, in the case of internal records and documents, on the
effectiveness of the controls over their production.
Inspection may include:




examining the books and records to determine how project funds have been accounted
for, and the completeness of recording;
comparing actual project accounting records to the terms of the project agreement;
reviewing case files/relevant documents to determine if recipients of benefits met
eligibility requirements; and
verifying the existence of an asset, such as equipment or building, and determining
whether it meets the applicable specifications.
Applying professional skepticism, the auditors should keep in mind the possibility that the
documents inspected may not be authentic. In cases of fraud, sometimes two different sets of
books and records have been kept. Thus, the auditors may conduct additional audit technique to
ascertain the source of the documents, or the controls over their preparation or maintenance,
such as inquiry to different persons in the agency.
Inquiry
Inquiry involves seeking information from relevant persons, both within and outside the audited
agency. Depending on the subject matter and the scope, only interviews and questionnaires will
in most cases not be sufficient and appropriate evidence (ISSAI 4000.163).
Inquiry may include:




formal written inquiries;
informal oral discussions;
interviewing relevant persons, including experts; and
preparing and sending questionnaires or surveys.
Inquiry is generally used extensively throughout an audit, and it complements other audit
techniques such as observation and inspection.
If inquiry is used solely, it can be a weak form of audit evidence and may not provide auditors
with sufficient appropriate evidence required of the audit. In order to be more effective, it should
be performed together with other audit techniques. For example, obtaining written
representation from management will confirm responses to verbal inquiries. Inquiry is most
effective when conducted with relevant and knowledgeable persons, i.e. persons in positions of
authority who are authorized to speak or give opinions on behalf of the agency.
Evaluating responses is an important part of the inquiry process, as it may provide information
not previously obtained or will corroborate with the audit evidence already obtained.
Consequently, responses to inquiries may provide a basis for the auditors to modify or perform
additional audit procedures.
Written confirmations may also be obtained from management in regard to oral representations
made during the audit. Examples of written management representations may relate to:
49



management's assertion of compliance with a relevant section of legislation, the terms of
an agreement, etc.;
management's disclosure of all instances of noncompliance of which it is aware; and
management having provided the auditors with complete information about the subject
matter.
By its very nature, management representation is a weak form of assurance, but where audited
agency’s management is privy to confidential information, this may be the only source of
evidence.
External Confirmation
External confirmation represents audit evidence obtained by the auditors as a direct written
response from a third party. Hence, the auditors are obtaining feedback directly from
beneficiaries or third parties (that are not beneficiaries) that they have received the grants or
other funds that the audited agency asserts have been paid out, or that funds have been used for
the particular purpose set out in the terms of a grant or funding agreement (ISSAI 4000.164).
Re-performance
Re-performance involves independently carrying out the same procedures already performed by
the audited agency, and controls that were originally performed as part of the agency’s internal
control. Re-performance may be done manually or by using computer assisted audit techniques.
Where highly technical matters are involved, external experts may be involved (ISSAI 4000.165).
Some examples of re-performance are the following:





Review of individual case files to test whether the audited agency made the correct
decisions or provided the appropriate service in accordance with the relevant criteria;
Re-performing of process steps to test the appropriateness of visas or residence permits
issued;
Confirmation of the correct application of criteria involving payments to persons meeting
specific requirements when making benefit payments;
Re-performing of the audited agency's selection of recipients from a public database by
public sector auditors (using computer assisted audit techniques) to test the accuracy of
the agency's process where elderly benefit payments (pension or assistance) involve
payments to persons over a certain age; and
Re-performing of the tender selection process using the selection criteria to test that the
correct bids (tenders) have been selected.
Re-calculation
Re-calculation consists of checking the mathematical accuracy of documents or records. It may
be performed manually or electronically (ISSAI 4000.166). For example, re-computation of taxes
withheld by the audited agency to confirm tax liability.
Analytical Procedures
Analytical procedures involve comparing data, investigating fluctuations or identifying
relationships that appear inconsistent with what was expected, either based on historical data or
the auditor's past experience. Analytical procedures can never be the only technique used. With
reasonable assurance, the conclusion must be formed on the basis of a combination of the audit
techniques (ISSAI 4000.169).
50
Using analytical procedures depends on the availability of reliable and complete operational and
financial data of the agency. For example, comparing the yearly increases and decreases in the
number of beneficiaries of the Conditional Cash Transfer (CCT) program of the government
against the amount of withdrawals. If the increase in withdrawals is not proportionate with the
increase in beneficiaries, the auditors should examine whether this change is due to the
noncompliance in the computation of the benefits.
As shown in Table 4.2 using the audit of procurement of instructional materials as an example,
the auditors have the option of using any of these tools in gathering evidence.
Table 4.2. Techniques/Procedures in gathering audit evidence
Techniques/
Procedures
Observation
Inspection
Inquiry
Confirmation
Re-performance
Analytical
Procedures
4.2.2
Application of Techniques/Procedure
Auditors may observe whether a Review Committee (a) is established and
(b) is staffed with competent staff. Auditors may visit the Head Office and
see how the committee is working.
Auditors can randomly select cases of purchase of instructional materials
and examine whether these cases underwent the review procedures of the
Review Committee.
Auditors inquire from the government officials involved in procurement
through written letters, discussions, interviews, or surveys about
applicable regulations, exemptions, and other procedural requirements to
see whether or not the officers have the same understanding. In many
cases, noncompliance occurs because the government officials concerned
do not clearly understand relevant rules and regulations.
Auditors may request the teachers/users of instructional materials
whether they were getting their allocation timely and as per their
entitlement.
Auditors can compute the allocation of instructional materials based on
the data on the requirements/needs of selected schools/division.
Auditors may tabulate information on the number of instructional
materials procured for three years and compare the figures to see if there
is any unusual change in allocation per division/province. In case auditors
find significant changes/unusual proportion of the number of
instructional materials procured against the number of enrollees, they
should look for explanation. They will need to use professional judgment
in arriving at a conclusion.
Continually update planning and risk assessment
The process of gathering evidence is systematic, iterative and involves the following:



Gathering evidence by performing appropriate audit procedures;
Evaluating the evidence obtained as to its sufficiency (quantity) and appropriateness
(quality); and
Re-assessing risk and gathering further evidence as necessary.
In performing the planned audit procedures, the audit evidence obtained may lead to the
modification of the nature, timing, or extent of other planned audit procedures. Information may
come to the auditors’ attention that differs significantly from the information on which the risk
assessments were based at the outset.
51
The auditors should re-evaluate the planned audit procedures based on revised considerations
of assessed risks in the following circumstances:



The extent of noncompliance that the auditors identify may alter the auditors’
professional judgment about the reliability of particular sources of information;
The auditors may become aware of discrepancies in relevant information, or inconsistent
or missing evidence; and
If analytical procedures were performed towards the end of the engagement, the results
of those procedures may indicate a previously unrecognized risk of noncompliance.
Figure 4.1. Decision making process in evidence gathering and re-assessment of risk
4.2.3
Consider noncompliance indicative of fraud and unlawful acts
Gather audit evidence
Is the audit
evidence
sufficient and
appropriate?
Gather further audit
evidence as necessary
NO
Reassess
YES
Conclude
Prepare Audit Report
ISSAI 4000.225
In conducting compliance audit, if the auditor comes across instances of noncompliance which
may be indicative of unlawful acts or fraud, s/he shall exercise due professional care and
caution and communicate those instances to the responsible body. The auditor shall exercise
due care not to interfere with potential future legal proceedings or investigations.
If in gathering audit evidence auditors come across instances of noncompliance which may be
indicative of unlawful acts or fraud, they shall conduct an initial assessment therefor. If the results
of initial assessment warrant the conduct of fraud audit, the auditors shall elevate the matter to
proper authorities in accordance with the policies/guidelines prescribed by the Commission.
The auditors shall exercise due professional care and caution so as not to interfere with potential
future legal proceedings or investigations. They may consider consulting with higher authorities
of the Commission.
52
4.3
AUDIT SAMPLING
ISSAI 4000.172
The auditor shall use audit sampling, where appropriate, to provide a sufficient amount of
items to draw conclusions about the population from which the sample is selected. When
designing an audit sample, the auditor shall consider the purpose of the audit procedure and
the characteristics of the population from which the sample will be drawn.
Audit sampling is the application of audit procedures to less than 100 percent of items within a
population of audit relevance (ISSAI 4000.173). This may be applied in both test of key controls
and substantive testing. A sample may be quantitative or qualitative depending on the audit
scope, and the need for information to illuminate the subject matter from several angles (ISSAI
4000.174).
In quantitative sampling, the auditors determine a sample size that is sufficient to reduce
sampling risk to an acceptably low level. Sampling risk is the risk that the auditors’ conclusion
based on a sample may be different from the conclusion that would have been reached if the
entire population had been tested.
In qualitative sampling, the auditors may sample on the basis of characteristics of the population
(e.g. eligibility, measurement) without 100% testing. Nevertheless, the sample drawn should be
representative of the population and free from bias. It requires careful assessment and sufficient
knowledge of the subject matter since the auditors form conclusions therefrom.
When applying audit sampling, the auditors shall follow the policies/guidelines issued by the
Commission.
4.4
PROFESSIONAL SKEPTICISM AND JUDGMENT IN GATHERING AUDIT EVIDENCE
4.4.1
Professional Skepticism
Professional skepticism is an attitude that entails auditors being alert to:
a. evidence that is inconsistent with other evidence obtained;
b. information that calls into question the reliability of documents and responses to
inquiries to be used as evidence;
c. circumstances that suggest the need for procedures in addition to those required by
relevant standards; and
d. conditions that may indicate likely noncompliance or compliance deviation.
The auditors need to maintain professional skepticism throughout the audit to reduce the risk of:
a. overlooking unusual circumstances;
b. over generalizing when drawing conclusions from observations; and
c. using inappropriate assumptions in determining the nature, timing and extent of
procedures and evaluating the results thereof.
Professional skepticism is necessary to the critical assessment of evidence gathered by the
auditors. This includes questioning inconsistent evidence and the reliability of documents and
responses to inquiries. It also includes consideration of the sufficiency and appropriateness of
evidence obtained in the light of the circumstances.
53
Also, the auditors are not expected to disregard past experience with the honesty and integrity of
those who provide evidence. Nevertheless, a belief that those who provide evidence are honest
and have integrity does not relieve the auditors of the need to maintain professional skepticism
during the audit.
4.4.2
Professional Judgment
Professional judgment is essential to the proper conduct of an assurance engagement. This is
because interpretation of relevant ethical requirements and relevant standards of audit, and the
informed decisions required throughout the audit process cannot be made by the auditors
without the application of relevant training, knowledge and experience to the facts and
circumstances. It is important in making decisions on:



the nature, timing, and extent of procedures used to meet the requirements of relevant
audit standards and to obtain evidence;
the evaluation on whether sufficient appropriate evidence has been obtained, and
whether additional procedures should be performed to achieve the objectives of relevant
standards; and
the appropriate conclusions to draw based on the evidence obtained.
The distinguishing feature of the professional judgment expected of auditors is that it is exercised
by auditors whose knowledge and experience have assisted in developing the necessary
competencies to achieve reasonable judgments.
4.5
SUMMARY
The quality of audit work depends on the sufficiency and appropriateness of audit evidence. It is
important for auditors to understand different techniques that may be used to collect evidence.
Gathering evidence is essential before evaluating and forming conclusions in the compliance
audit process.
The required documentation for this phase is as follows:
Activity
54
Documentation / Working Paper
Test of Key Controls
Test of Control Working Paper (TCWP) Template
Substantive Testing
Substantive Test Working Paper (STWP) TemplatePart I
CHAPTER 5
Evaluating Evidence and Forming Conclusions
After gathering audit evidence using different techniques, the next step in the process is to
evaluate audit evidence and form audit conclusions, as part of the audit execution. This chapter
discusses the evaluation of the results of tests of controls and substantive testing, and explains
the steps in evaluating evidence and forming audit conclusions.
5.0
5.1
STEPS IN EVALUATING AUDIT EVIDENCE AND FORMING CONCLUSIONS
In evaluating evidence and forming conclusions, the following should be performed:
Step 1
Step 2
Step 3
Step 4
5.1.1
Evaluate whether sufficient and appropriate evidence is obtained
Consider materiality for reporting purposes
Form conclusions
Communicate audit results
Evaluate whether Sufficient and Appropriate Evidence is Obtained
ISSAI 4000.179
The auditor shall compare the obtained audit evidence with the stated audit criteria to form
audit findings for the audit conclusions.
The auditors should evaluate the evidence obtained and determine whether it is sufficient and
appropriate to reduce the audit risk at an acceptably low level and to form conclusions that would
be able to withstand critical examination. When doing such evaluation, they should exercise
professional judgment and skepticism, which involves considering the relationship between the
cost of obtaining evidence and the usefulness of the information obtained.
In making the judgment of whether sufficient and appropriate audit evidence has been obtained,
consider the following questions:





Were audit evidences regarding all relevant criteria obtained?
Were instances requiring further evidence identified? If yes, were these documented?
Was the impact of identified issues on the nature, timing, and extent of further procedures
considered?
Were any significant matters identified and appropriately addressed? If yes, were these
consulted and documented?
Were all planned audit procedures performed?
For a balanced and objective view, the evaluation process entails considering all evidence
provided in relation to the audit findings (ISSAI 4000.182). If audit evidence obtained from one
source is inconsistent with that obtained from another, or if there are any doubts about the
reliability of the information to be used as evidence, the auditors should determine what
modifications or additions to the audit procedures would resolve the matter and consider the
implications, if any, for other aspects of the audit.
55
5.1.2
Consider Materiality for Reporting Purposes
ISSAI 4000.184
Based on the audit findings, and the materiality, the auditor shall draw a conclusion whether
the subject matter is, in all material respects, in compliance with the applicable criteria.
The auditors evaluate audit findings in relation to identified materiality for potential instances of
material noncompliance when drawing a conclusion. What represents a material compliance
deviation is a matter of professional judgment and includes considerations of quantitative and
qualitative aspects of the transactions or issues concerned.
The noncompliance is quantitatively material if it equals or exceeds the materiality set. However,
even if noncompliance is below the materiality set, it may still be considered material based on
the auditors’ professional judgment. The list below identifies some of the factors that you must
consider in applying professional judgment to determine whether an instance of noncompliance
is material.









Importance of amounts involved (monetary amounts or other quantitative measures such
as number of citizens, entities or organizations involved, pollutant emission levels, time
delays in relation to deadlines, etc.);
Extent or monetary value of the noncompliance;
Nature or applicability of the relevant authorities;
Nature of the noncompliance – law, regulation or internal procedure;
The cause leading to the noncompliance – negligence or fraudulent act;
Impact of noncompliance - Possible effects and consequences noncompliance may have
(e.g., the noncompliance will result in pecuniary loss and audit disallowance);
Circumstances;
Visibility and sensitivity of the criteria or program in question (e.g., is it the subject of
significant public interest, does it impact vulnerable citizens, etc.); and
Needs and expectations of the legislature, the public, or other users of the audit report.
In compliance audit, the agency may have complied with nine provisions of the relevant law or
regulation, but did not comply with one provision. Professional judgment is needed to conclude
whether the agency complied with the relevant law or regulation. For example, the auditors may
consider the significance of the provision with which the agency did not comply, as well as the
relationship of that provision with the remaining provisions of the relevant law or regulation.
While evaluating audit evidence, the auditors should consider whether material noncompliance
is pervasive or not. If they are unable to obtain sufficient and appropriate audit evidence due to
an uncertainty or scope limitation, the auditors evaluate whether it is both material and
pervasive.
5.1.3
Form Conclusions
Based on the audit findings and the materiality, the auditors shall draw a conclusion whether the
subject matter is, in all material respects, in compliance with the applicable criteria (ISSAI
4000.184).
When forming conclusions, the auditors should answer the audit questions in the STWP. The
auditors assess that all the audit questions have been answered and that there is a conclusion for
each criterion. Then the auditors form an overall conclusion whether the agency has complied
56
with the applicable criteria for the particular subject matter taking into consideration findings,
risks and materiality.
ISSAI 4000.37
In a direct reporting engagement, it is the auditor who measures or evaluates the subject
matter evidence against the criteria. The auditor is responsible for producing the subject
matter information. The auditor selects the subject matter and criteria, taking into
consideration risk and materiality. By measuring the subject matter evidence against the
criteria, the auditor is able to form a conclusion.
In a direct reporting engagement performed with reasonable assurance, the audit conclusion
expresses the auditor's view that the subject matter is or is not compliant in all material respects
with the applicable criteria (ISSAI 4000.37).
A conclusion is a clear written statement of the auditors expressed in a standardized format,
either complying or not complying, in all material respects, with the established criteria. It is
complying when no material instances of noncompliance have been identified. On the other hand,
it is not complying when compliance deviations are material and pervasive.
When the subject matter complies with the established criteria, the auditors state that:
“Based on the audit work performed, we found that the (subject matter) of the (audited
agency) is in compliance, in all material respects, with the (criteria).”
When the subject matter does not comply with the established criteria, the auditors state that:
“Based on the audit work performed, because of the significance of the matter noted in the
Basis for the Conclusion paragraphs above, the (subject matter) of the (audited agency) is
not in compliance, in all material respects, with the (criteria).”
In case of attestation engagement, the auditor will render an audit opinion, as follows:
a.
No material instances of non-compliance. An unqualified opinion (if there are no
compliance deviations, or if compliance deviations are not material):
“In our opinion, [the subject matter] is in compliance, in all material respects with [the
applied criteria.”
b.
Material instances of non-compliance. Depending on the extent of the noncompliance, this may result in:
i. A qualified opinion (if compliance deviations are material, but not pervasive):
"Based on the audit work performed, we found that except for [describe exception],
the audited agency's subject matter is in compliance, in all material respects with
[the applied criteria]…", or
ii. An adverse opinion (if compliance deviations are material and pervasive):
“In
our opinion, [the subject matter] is not in compliance…" in all material respect with
(the applied criteria)… and compliance deviations are pervasive" or
57
c.
Scope limitation. Depending on the extent of the limitation, this may result in:
i. A qualified opinion (if the auditor is unable to obtain sufficient and appropriate
audit evidence, and the possible effects are material, but not pervasive):
"Based on the audit work performed, we found that except for [describe exception],
the audited agency's subject matter is in compliance, in all material respects with
[the applied criteria]…"
ii. A disclaimer (if the auditor is unable to obtain sufficient and appropriate audit
evidence on compliance with authorities, and the possible effects are material and
pervasive):
‘'We do not express an opinion on the subject matter. We have not been able to
obtain sufficient and appropriate audit evidence to provide a basis for an
opinion…"
Documentation
The overall conclusion of the subject matter is documented in the Substantive Test Working
Paper (STWP) Template - Part II (Annex K).
5.1.4
Communicate Compliance Audit Findings/Observations
ISSAI 4000.188
The auditor shall communicate the level of assurance provided in a transparent way.
When gathering evidence for the findings, the auditors’ interaction with the audited agency
becomes critical. The auditors maintaining good communication with the audited agency are
better placed to review initial findings with the relevant officials in the audited agency, firm up
their findings, and gather sufficient and appropriate evidence in support.
The auditors need to give the intended user(s) confidence in the audit results. This is done by
explaining how findings, criteria and conclusions were developed in a balanced and reasoned
manner and how certain overall conclusion or recommendation(s) were reached based on the
findings (ISSAI 4000.189).
The auditors discuss each audit finding/observation with the appropriate level of agency
management to confirm if their understanding of the nature and cause of the audit finding is
correct. This helps the agency management to identify control weaknesses and other systemic
weakness that it can tackle promptly.
Audit Observation Memorandum
Agency management is generally more willing to correct identified audit findings when they are
notified early. Therefore, the auditors should communicate their initial audit findings through the
issuance of Audit Observation Memorandum (AOM) to allow the responsible party to investigate
the cause of the noncompliance, and provide reasons and justifications. The auditors should
evaluate such response and obtain additional evidence as necessary.
58
Notice of Suspension/Disallowance/Charge
In conducting substantive test, if the auditors come across transactions which require issuance of
notice of suspension/disallowance/charge (NS/ND/NC), they should take appropriate actions in
accordance with the Rules and Regulations on Settlement of Accounts (RRSA) prescribed by the
COA.
Documentation
The audit findings on noncompliance are communicated to the agency’s management through
the issuance of the following documents in accordance with COA policies/guidelines:
 Audit Observation Memorandum (AOM)
 Notice of Suspension (NS)
 Notice of Disallowance (ND)
 Notice of Charge (NC)
Note that said documents can be issued at any stage of the audit process.
Summary of Audit Findings/Observations
Accumulated results of compliance audit are summarized at the end of the audit. Significant
findings, issues and observations are summarized and discussed with the agency.
Before the exit conference with the agency, the auditors should prepare the audit summary
documented in the Summary of Audit Observations and Recommendations (SAOR).
Documentation
The summary of the audit results arising during the execution of the audit is documented in
the SAOR Template (Annex L).
Conduct of Exit Conference
The culminating activity for the audit execution phase is the conduct of an exit conference
wherein the auditors discuss with the key officials of the agency the results of the audit. The team
should furnish the concerned agency officials/employees a SAOR before the conduct of exit
conference for management to be aware of what will be discussed and have time to prepare
further comments, if any.
Documentation
The proceedings are documented in the Minutes of Exit Conference (Annex I) signed by the
auditor and the duly designated agency representative.
5.2
SUMMARY
Auditors exercise professional judgment and skepticism in determining whether audit evidence
is sufficient and appropriate throughout the audit execution phase. Factors that the auditors have
to consider in the audit to evaluate evidence and form conclusions are discussed in this chapter.
The auditors may communicate audit results through the issuance of an AOM/NS/ND/NC.
59
The required documentation for this phase is as follows:
Activity
60
Documentation / Working Paper
Form Conclusions
Substantive Test Working Paper (STWP)Part II
Communicate Audit Results




Summarize Compliance Audit
Findings/Observations and
Recommendations
Summary of Compliance Audit Observations
and Recommendations (SAOR)
Conduct Exit Conference
Minutes of Conference
Audit Observation Memorandum (AOM)
Notice of Suspension (NS)
Notice of Disallowance (ND)
Notice of Charge (NC)
CHAPTER 6
Reporting a Compliance Audit
The previous chapters shed light on gathering and evaluating the audit evidence, forming
conclusions, and communicating the audit findings. The auditors perform the audit procedures
to reduce the audit risk and to ensure that the conclusion provided is appropriate in the
circumstances of the audit. This assurance in effect forms the basis for the compliance audit
report. This chapter covers the reporting phase of the audit process and describes the form and
content of the compliance audit reports.
6.1
PRINCIPLES IN REPORTING A COMPLIANCE AUDIT
ISSAI 4000.202
The auditor shall prepare an audit report based on the principles of completeness, objectivity,
timeliness, accuracy, and contradiction.
To ensure that such report is in accordance with acceptable standards of quality and relevant to
all users, it should conform to the principles of completeness, objectivity, timeliness, accuracy,
and contradiction, both in its form and content.





6.2
Completeness requires the auditors to consider all relevant audit evidence before issuing
the report.
Objectivity requires the auditors to apply professional judgment and skepticism to ensure
that all reports are factually correct and that findings and conclusions are presented in a
relevant and balanced manner.
Timeliness requires the auditors to report in due time when the findings are applicable
and can be relevant to the intended users.
Accuracy and consultation require the auditor to check the accuracy of facts with the
audited agency, and to ensure that the findings portray a correct and logical picture
Contradiction requires the auditors to check the accuracy of facts with the audited agency
and incorporate responses from responsible officials as appropriate.
STEPS IN REPORTING A COMPLIANCE AUDIT
In reporting a compliance audit, the following should be performed:
Step 1 Prepare Audit Report
Step 2 Perform Overall Audit Review, Approval, and Issuance of the Compliance Audit
Report
Step 3 Follow-up Agency Action Plan
6.2.1
Prepare Audit Report
ISSAI 4000.191
The auditor shall communicate the conclusion in an audit report. The conclusion can be
expressed either as an opinion, conclusion, and answer to specific audit questions or
recommendations.
61
At the end of the compliance audit, the auditors prepare a written audit report containing a
conclusion on the compliance or noncompliance of the identified subject matter with the stated
criteria. The report provides an avenue for the responsible party to take corrective action towards
addressing instances of noncompliance and for the auditors to facilitate follow-up of its findings.
As previously discussed, the auditors shall conduct compliance audit using direct reporting
method with reasonable level of assurance.
In direct reporting engagement, the auditors provide reasonable assurance by:


making a clear statement, through conclusions, which explicitly convey the reasonable
level of assurance and/or
explaining how findings, criteria, and conclusions were developed in a balanced and
reasoned manner and why the combinations of findings and criteria result in a certain
overall conclusion or recommendation.
Report Structure
ISSAI 4000.210
The audit report shall include the following elements (although not necessarily in this order):
a. Title
b. Identification of the auditing standards
c. Executive summary (as appropriate)
d. Description of the subject matter and the scope (extent and limits of the audit)
e. Audit criteria
f. Explanation and reasoning for the methods used
g. Findings
h. Conclusion(s) based on answers to specific audit questions or opinion
i. Replies from the audited agency (as appropriate)
j. Recommendations (as appropriate).
The following are brief explanations on specific sections of the report for direct reporting
engagements.
a. Title:
The title should briefly give a picture of the audit scope for an outside reader.
b. Identification of the auditing standards
The auditing standards refer to the Compliance Audit Guidelines as the authoritative
standards for the audit, which is the ISSAI 4000. In this case, reference may be made by
stating:
… We conducted our [compliance] audit[s] in accordance with the International
Standards of Supreme Audit Institutions [on compliance auditing].
c. Executive summary
The executive summary is a brief explanation to an outside reader on of how the audit
was performed.
Factors to consider in determining the level of details to be provided in the summary of
the audit performed may include:
62


circumstances specific to the agency (e.g. the differing nature of the agency’s activities
compared to those typical in the sector); and
specific audit circumstances affecting the nature and extent of the procedures
performed.
d. Description of the subject matter and the scope
Subject matter refers to the information, condition, or activity that is measured or
evaluated against certain criteria. This should be clearly described in the audit report. The
introduction of the report sets out the audit scope in the form of a clear statement of the
focus, extent, and limits of the audit in terms of the subject matter’s compliance with the
criteria. It also includes the time period covered by the audit.
e. Audit criteria
This section states the laws, legislation, rules, and regulations that were used in the audit.
The criteria against which the subject matter is assessed should be identified in the
auditors’ report. Clear identification of the criteria in the report is therefore important so
that the users of the report can understand the basis for public sector auditors' work and
conclusions. The criteria may be included in the report itself, or the report may make
reference to the criteria if they are contained in an assertion from management or
otherwise available from a readily accessible and reliable source.
f.
Explanation and reasoning for the methods used
This includes measurement or evaluation methods used when the applicable criteria
allow choices between a number of methods. Through this section, the readers will be
able to understand the audit approach and how the auditors arrived in their
conclusion.
g. Basis for Conclusion
This comprises the auditors’ material findings based on the comparison of the obtained
evidence against the stated criteria.
h.
Overall Conclusion
The auditors’ report on the compliance of the subject matter normally contains an overall
conclusion based on the audit work performed.
i.
Replies from the audited agency (as appropriate)
Incorporating responses from the audited agency by reporting the views of officials of the
responsible party is part of the principle of contradiction, which is a unique and important
feature of public sector auditing. It relates to the presentation of weaknesses or critical
findings and involves agreeing with the audited agency on the facts to help ensure that
they are complete, accurate, and fairly presented. It may also involve, as appropriate,
incorporating the audited agency's response to matters raised, whether verbatim or in
summary.
j.
Recommendations (as appropriate)
The auditors’ report may include, as appropriate, recommendations for improvement.
While such recommendations may be constructive for the audited agency, these should
not be presented in a detailed nature that the auditors’ objectivity may be impaired in the
future audits. If the auditors make a specific recommendation and the responsible party
does not implement that particular recommendation but considers another option, the
auditors may in subsequent audits be tempted to judge this as noncompliance. In such
instances, the key is to determine whether broad recommendations leave the scope for
63
the agency to use whatever mechanism it considers suitable in the circumstances to
achieve compliance.
k. Status of Implementation of Prior Year’s Audit Recommendations
In addition to the elements of the report prescribed by ISSAI 4000.210, the report should
include the action(s) taken by the audited agency on the audit recommendations
contained in the previous Compliance Audit Report, and the reasons in case of partial or
non-implementation.
Documentation
The auditors use Management Letter (ML) in communicating the results of Compliance Audit.
6.2.2
Perform Overall Audit Review, Approval, and Issuance of Compliance Audit Report
The Supervising Auditors, prior to the issuance of audit reports shall conduct a review on the
outputs prepared by the Audit Team Leaders. The review of the audit report shall be in
accordance with the existing COA policies/guidelines.
After preparation, review, and approval, the ML on Compliance Audit will be issued to the
intended users of the report.
The ML shall be issued to the Head of the Agency for National Government Agencies, to the Chief
Executive Officer for Local Government Units, or to the Board of Directors for Government-Owned
or Controlled Corporations. As may be found necessary, other government officials, such as the
Speaker of the House of Representatives, the Senate President, and the President of the Republic
of the Philippines, shall also be furnished copies thereof.
6.2.3
Follow-up Agency Action Plan
ISSAI 4000.232
The auditor shall decide to follow up on opinions/conclusions/recommendations of instances
of noncompliance in the audit report when appropriate.
An important role for auditors in monitoring the action taken by the responsible party is to
follow-up the matters raised in an audit report. A plan for a follow-up is written after the report
is published containing questions on whether the audited agency has adequately addressed the
matters raised. Insufficient or unsatisfactory action by the audited agency may call for further
report by the auditors.
A follow-up process facilitates the effective implementation of corrective action and provides
useful feedback to the audited agency, the user(s) of the audit report, the general public, and the
auditors for future audit planning.
Part of the Commission’s mandate is to recommend measures to improve the efficiency and
effectiveness of government operations (Sec. 4, Art. IX-D of the 1987 Philippine Constitution). The
full completion of this mandate can only be satisfied once agencies have implemented or acted on
the recommendations made by the auditors through action plans.
64
Under the general provisions of the annual General Appropriations Act (GAA), the audited
agencies are required to submit within 60 days upon receipt of the AAR/Management Letter
(ML), a status report on the actions taken on the audit observations and recommendations.
Pursuant thereto, existing COA policies/guidelines prescribe the use of the Agency Action Plan
and Status of Implementation (AAPSI) form. AAPSI combines both an action plan and status of
implementation of the audit recommendations contained in the AAR/ML to be accomplished by
the concerned personnel of the agency and submitted to the audit team for monitoring and
validation purposes.
Within 30 days upon receipt of the AAPSI from the agency, the auditors shall validate the same.
After validation, the auditors shall submit the revised Action Plan Monitoring Tool (APMT) to the
Cluster/Regional Director concerned for monitoring purposes, within 30 days.
Documentation

The audited agencies take corrective actions based on the audit recommendations using
the Agency Action Plan and Status of Implementation (AAPSI) (Annex M).
The auditors monitor the status of the agency’s action plan using the Action Plan Monitoring
Tool (APMT) (Annex N).

6.3
TIMELY SUBMISSION AND PUBLICATION OF COMPLIANCE AUDIT REPORTS
The CA Report through a Management Letter should be transmitted to the end-user/responsible
party within three months after the last day of fieldwork, or within the timelines prescribed in
the terms of agreement in cases where CA report is prepared for a specific end-user (e.g. IBRD,
Asian Development Bank, etc.). If the Management Letter has been transmitted before the
issuance of the Annual Audit Report, the results of the compliance audit can be incorporated
therein.
The Compliance Audit Report should be published in the COA website pursuant to existing
policies/guidelines of the Commission.
6.4
SUMMARY
The required documentation for this phase is as follows:
Activity
Reporting a CA
Documentation /Working Paper
Management Letter/ CA Report

Following-up Agency Action Plan

Agency Action Plan and Status of Implementation
(AAPSI)
Action Plan Monitoring Tool (APMT)
65
CHAPTER 7
Carrying Out Quality Control Procedures
ISSAI 4000.80
The SAI shall take responsibility for the overall quality of the audit to ensure that the audits are
carried out in accordance with relevant professional standards, laws, and regulations, and that
the reports are appropriate in the circumstances.
7.1
QUALITY CONTROL
Quality Control refers to processes in place whereby the overall quality of a compliance audit is
reviewed to ensure that the audit was in compliance with applicable governing standards and
that the audit report; conclusion or opinion issued is appropriate in the circumstances.
As with other types of audit, it is important that there are systems and procedures in place to
ensure that the compliance audits conducted is of sufficient quality, and the auditors performing
the audit collectively have the necessary competence and skills, and the work of the audit team is
appropriately directed, supervised and reviewed.
Quality Control should be implemented in the following aspects of the audit process:







7.2
selecting matters for audit;
deciding the timing of the audit;
planning the audit;
executing the audit;
evaluating audit findings;
reporting audit results, including conclusions and recommendations; and
follow-up of audit recommendations to ensure that appropriate action is taken.
HIGH QUALITY AUDIT
Auditors should perform the audit in accordance with professional standards on quality control.
An SAI’s quality control policies and procedures should comply with professional standards, the
aim being to ensure that audits are conducted at a consistently high level. Quality control
procedures should cover matters such as the direction, review and supervision of the audit
process and the need for consultation in order to reach decisions on difficult or contentious
matters. Auditors can find additional guidance in ISSAI 40 – Quality Control for SAIs. (Par. 38,
ISSAI 100)
To ensure high quality audit, the COA should:



66
Develop standards on quality control in the conduct of audit
Establish policies and procedures to meet the requirements of the standards (ISSAI)
Define responsibilities to check if policies and procedures are performed to meet the
standards
7.3
QUALITY CONTROL ACTIVITIES
7.3.1
Adequate Training
As part of quality management, COA should establish policies and procedures designed to provide
it with reasonable assurance that it has sufficient personnel with the competence and capabilities
necessary to perform compliance audit in accordance with relevant standards and applicable
legal and regulatory requirements; and enable it to issue reports that are appropriate in the
circumstances (ISSAI 40, Element 4). Therefore, COA should ensure that all auditors are provided
with adequate training for professional development and compliance with the competency
requirements in conducting compliance audit.
Adequate training encompasses the following:




identifying the current capabilities of the audit team members, audit team leaders and the
supervising auditors;
comparing their capabilities with the competency requirements in performing
compliance audit;
assessing/evaluating the competency gaps; and
identifying training needs to close those gaps.
Training could be in the form of mentoring, coaching, on-the-job advice to more formal training
programs provided by the COA Professional Development Office or trainings/seminars from
other training providers.
7.3.2
Supervision
Supervision is the process of directing and supporting staff so they may effectively perform their
duties. (Stinson, W., et al. 1998, Quality supervision. QA Brief 7(1):4–6. Bethesda, MD: Quality
Assurance Project).
The supervising auditors and audit team leaders should emphasize the value of teamwork in
conducting the audit and producing quality audit report. Proper supervision of the audit group
or audit team is vital to attain this objective. Supervision involves mentoring, performance
feedback, joint problem solving, provision of necessary resources (such as IT equipment, good
working environment, office supplies, etc.), training and two-way communication between the
supervising auditors or audit team leaders and the audit team members.
The activities of supervision should always be respectful, fair and equitable and should always
conform to relevant laws, rules and regulations. The best way to make sure that those conditions
will continue to exist is to work from up-to-date personnel policies.
7.3.3
Review
All works carried out in conducting the audit should be subject to review as a means of ensuring
that relevant standards, policies and processes have been followed in conducting the audit and
that the audit report issued is appropriate in the circumstances.
This includes review of the audit plan, working papers and the work of the team, regular
monitoring of progress of the audit by appropriate levels of COA management, and review of draft
reports at different levels including possible discussion with staff and/or external experts, when
necessary.
67
Considerations in the Quality Control Review
a.
b.
c.
d.
Subject matter and criteria that are properly defined and clearly linked to the audit
Adequate knowledge about the agency
Conduct of audit in accordance with relevant standards, guidelines and directives
Adequate documentation of:
 All works performed, including results
 Significant deviations from the overall audit plan and any changes in the subject
matter and scope of the audit
 Significant professional judgment
e. WPs and procedural steps- completed, signed/ dated by the preparer/ reviewer; with
adequate reasons when procedural steps are omitted
f. Conclusions and reported findings – supported by appropriate and sufficient audit
evidence
g. Correct audit conclusion has been expressed
Levels of Quality Control Review
a) First level - lowest level of review conducted by the audit team leader (ATL). The ATL to
review:
 adequacy and sufficiency of audit working papers
 consistency of documented information and the working papers
 verification of the audit procedures performed against the audit criteria
b) Second level - review done by the signatory of the audit report or the supervising auditor
(SA):
 Review the appropriateness of the nature and extent of the work performed
 Confirm the adequacy of audit evidence that supports the findings and conclusions
 Confirm whether the audit criteria was addressed
 Confirm that audit documentation has provided a basis for the conclusion on the results
of the compliance audit
 Review the work performed by the first reviewer
c) Third level - quality control review by the cluster /regional director before the audit report is
issued:
 Review the work performed by the second reviewer;
 Review the appropriateness and sufficiency of evidence to support the findings and
conclusions;
 Compare the work performed with the audit strategy to ensure that risks have been
addressed and deviations have been documented and explained; and
 Ensure that the audit activities have been properly documented (initial considerations,
planning, execution, reporting)
7.3.4
Consultation
To ensure that audits are conducted at a consistently high level, there is a need for consultation
to reach decisions on difficult or contentious matters. Supervising auditors/audit team leaders
should consult the cluster /regional director or use authoritative sources on areas and specialized
situations and other complex or unusual matters. Results of consultation and the dispositions
reached should be documented.
68
7.4
ENGAGEMENT QUALITY CONTROL REVIEW (EQCR)
An engagement quality control review is conducted before the issuance of the CA report to ensure
that the audit complies with the audit methodology and practices and any other legal and
regulatory requirements and the report is appropriate in the circumstances.
Engagement quality control review is conducted on selected compliance audit engagements in
accordance with the guidelines prescribed by the Commission in conducting EQCR. There shall
be teams of qualified engagement quality control reviewers who are not part of selected audit
engagements subject to EQCR.
7.4.1
Considerations of EQCR
a.
b.
c.
d.
significant risks identified and the responses to those risks;
judgments made with respect to materiality;
consultation has taken place on matters involving differences of opinion;
working papers selected for review reflect the work performed in relation to the
significant judgments and supports the conclusions reached; and
e. appropriateness of the report to be issued.
The review provides an independent and objective evaluation of significant judgments made. This
is to be able to conclude that based on all the relevant facts and circumstances known by the
reviewers, no matters have come to their attention that would cause them to believe that the
conclusions reached are not appropriate.
It should be noted that the engagement quality control review:


does not reduce the review responsibilities of the SA/ATL; and
does not relieve the SA/audit director from the final responsibility for the issuance of the
Audit Report.
The audit team may consult the reviewer during the audit. Such consultation should not
compromise the EQCR’s eligibility to perform the role. Where the nature and extent of the
consultation becomes significant, care should be taken by both the audit team and the reviewer
to maintain the reviewer’s objectivity. In situations where this is not possible, another individual
should be appointed to take on the role of the reviewer(s), or another person should be consulted.
Documentation
The overall review of the audit engagement will be documented in the Quality Control Review
Checklist – Compliance Audit (Annex O).
7.5
FEEDBACK FROM THE AUDITEES
Feedback from the auditees and/or other external stakeholders provides inputs to identify the
strengths and weaknesses of the COA’s audit processes. The purpose is to determine client
perception and satisfaction, and opportunities for improvement as part of COA’s continuous
improvement of its audit services.
An Auditee Feedback Sheet will serve as a tool of obtaining feedback to ensure COA’s commitment
to quality service through quality staff.
69
This Feedback Sheet should be sent directly by the Office of the Audit Director to the audited
agency. It should be addressed to the Agency Head who is requested to respond to the Feedback
within a given timeframe.
The feedback results especially for audit teams receiving negative feedback should be acted upon
by the Audit Director.
It is important to seek the justification of the audit team for negative feedback to make them
aware of actions considered unprofessional and/or unethical by the auditee.
The Audit Director shall assign responsible personnel as Quality Control Reviewer who will
prepare a summary of all feedback results and the actions taken by the Audit Directors. The same
shall be furnished the Assistant Commissioner for his/her appropriate action on or before end of
the current audit period.
Documentation
The feedback on the audit team’s performance will be documented in the Auditee Feedback
Sheet (Annex P).
7.6
SUMMARY
The required documentation for this phase is as follows:
Activity
70
Documentation /Working Paper
Conduct quality control review
Quality Control Review Checklist
Conduct auditee feedback
Auditee Feedback Sheet
CHAPTER 8
Wrap-Up and Archiving of the Audit Engagement
This chapter aims to guide the auditors in organizing and archiving the working papers and other
documents relevant to the compliance audit conducted. Discussions will revolve on the
importance of an organized filing and archiving of audit files in electronic and hard copies,
requirements of related ISSAIs and guidelines on how the auditors should perform these
activities.
ISSAI 4000.89
The auditor shall prepare audit documentation that is sufficiently detailed to provide a clear
understanding of the work performed, evidence obtained, and conclusions reached. The
auditor shall prepare the audit documentation in a timely manner, keep it up to date
throughout the audit, and complete the documentation of the evidence supporting the audit
findings before the audit report is issued.
Working papers document the procedures performed and the evidence obtained to support a
conclusion rendered by the auditors. Because of the significance of these working papers,
organizing and archiving these documents in electronic and hard copy forms is important. Among
the benefits of a systematic and organized wrap-up and archiving are as follows:







8.1
Establishment of clear linkages between the significant findings or issues and the
evidence that support them
Review of process is being facilitated
Understanding of the successor auditors on how the audit was performed is made easy
Security is increased and data loss is prevented
Confidentiality of information is maintained
Compliance with ISSAI and legal requirements
Management of storage areas becomes efficient such as when documents are disposed
after their prescribed retention period
ORGANIZATION OF THE AUDIT WORKING PAPERS
Working papers provide evidence that the audit work has been completed to a sufficient standard
and support the auditor's conclusions. The working papers should stand alone that will enable an
experienced auditor with no connection to the audit to understand the nature, timing and extent
of the audit performed, how the conclusions and recommendations have been reached and
significant professional judgments have been applied in reaching the audit conclusions.
This activity involves the assembly of audit engagement files relevant to the compliance audit
performed. An organized documentation does not only refer to the contents and presentation of
the individual working papers and reports but also pertain to how these working papers are
assembled and filed in a manner that clearly establishes the linkage between the report and
supporting working papers, in all phases of the audit. This activity also involves preparing lead
schedules, indexing, referencing and cross-referencing. While COA has no policy specific to
indexing, referencing and cross-referencing, this manual suggests procedures on how these
activities should be done.
71
Before the assembly of the engagement files, the auditors should ensure that the documents
should be signed and dated by both the preparer and the reviewer. This requirement, particularly
the reviewer’s sign-off, is important to determine what audit work was reviewed, who reviewed
such work, and when it was reviewed.
8.1.1
Indexing
Indexing involves assignment of index/reference number to the working paper and is used in
cross-referencing of working papers in the audit.
The following diagram summarizes the indexing of working papers and other documents
produced at the different phases of the compliance audit:
Figure 8.1 Illustrative Sample of Indexing at Different Phases of Audit
72
8.1.2
Preparing the Lead Schedule
In all types of audit, preparation of a lead schedule is important, especially when numerous
working papers are produced from planning to reporting phases. Lead schedule (also called a
lead sheet) serves as a summary and index of the working papers and is located at the front page
in the relevant section of a file, cross referenced to supporting working papers and
documentation filed behind it.
When the auditor uses excel format, this is the first worksheet in a file and the supporting
worksheets are cross-referenced using hyperlink command.
8.1.3
Use of tick marks, Referencing and Cross-referencing
A tick mark is a little symbol that indicates a task that the auditor has completed. For instance, a
∧ may indicate that a column of numbers has been summed and a √ may indicate that attribute
was verified. To explain the tick marks in the working papers, auditor may have a tick mark
legend, which includes all tick marks and have the legend inside the working papers bind.
The auditors should write the reference number in the lower right portion of each page of the
document, including the page number, especially for evidence and working papers. This will guide
the auditors in arranging the document in case the pages are detached from the compilation. For
document with landscape orientation, the document should be filed in portrait position. The
auditors should use red or other bright-colored ink in writing the index code. Aside from writing
in the document, the auditors are also encouraged to prepare labels for easy tracking of files.
To cross-reference working papers, if the auditor got a number for working paper A from working
paper B, the auditor would write B on working paper A near the number. On working paper B,
the auditor would write a reference to working paper A. Working paper review is nearly
impossible without two-way cross-referencing.
8.2
ARCHIVING OF THE AUDIT ENGAGEMENT
Archiving of CA engagement is embedded in the documentation requirement of ISSAI 4000. As
explained in paragraph 93, the auditor needs to adopt appropriate procedures to maintain the
confidentiality and safe custody of the audit documentation, and retain it for a period sufficient
to meet the needs of the legal, regulatory, administrative and professional requirements of record
retention and to enable the conduct of audit follow-up activities.
This activity involves the storage of engagement files in hard or softcopies, including back-up
plans in case of loss of document.
The following are some suggested guidelines in filing of working papers:
Hardcopy Working Papers. The auditors should use a long folder in filing the working papers and
evidence. The table of contents should be placed at the top of the documents, followed by the lead
schedules, working papers and evidence, accordingly. The auditors shall strictly observe the
sequence in filing the documents, as indicated in the table of contents.
Softcopy Working Papers. Auditors should also apply the same index/reference numbers in filing
of audit working papers and evidence in soft copy. All the softcopy files shall be saved in the
computer unit and backed-up in a Compact Disc (CD). The CD is attached in the hard copy working
papers.
73
While documents produced in the conduct of compliance audit are properties of COA, regardless
of whether the work has been carried out by the COA personnel or contracted out, policies on
confidentiality of information should be carried out.
At the completion of the audit, the SA/ATL is responsible for authorizing the final archive process,
including determining whether working papers are archived in accordance with COA policies,
professional standards, and legal and regulatory requirements.
The documentation completion date should be not later than 60 days after the date of the
auditors’ report.
8.2.1
Retention Period
In the conduct of audit and other works, ISSAI 40 (Quality Control), with reference to
International Standards on Quality Control (ISQC 1), requires that Supreme Audit Institutions
(SAIs) ensure that all documentation (such as audit working papers) is the property of the SAI,
regardless of whether the work has been carried out by the SAI personnel or contracted out and
that they retain all documentation for the periods specified in laws, regulations, professional
standards and guidelines.
ISQC 1 also states that in specific case of audit engagements, the retention period would ordinarily
be not shorter than five years from the date of the auditor’s report or, if later, the date of the group
auditor’s report.
In the COA Records Disposition Schedule, audit working papers are retained within a period of 5
years provided there is no court case or audit disallowances involved, otherwise those working
papers shall be retained until the case or the audit disallowance is settled.
Retention period of Disbursement Vouchers and Official receipts together with all its supporting
documents used by the auditor in the conduct of compliance audit should follow the existing
policies/rules and regulations prescribed by the Commission.
8.2.2
Confidentiality and Transparency of Working Papers/Audit Evidence
ISSAI 30 (Code of Ethics) and ISSAI 40 (Quality Control) with references to ISQC-1, in relation to
confidentiality and transparency, require COA to:



balance the confidentiality of audit documentation and other information with the need
for transparency and accountability;
establish an adequate system for maintaining confidentiality as needed, especially with
regard to sensitive data; and
establish procedures for dealing with information requests that are consistent with
legislation in their jurisdiction
The balance between confidentiality and transparency requires professional judgment to ensure
that documentation of a confidential nature is clearly identified and treated as such, while at the
same time granting access as appropriate.
The guidelines on the disposition of requests for documents/records/reports/decisions and
other information in the possession and/or custody of COA, including furnishing copies to
requesting parties should be in accordance with the guidelines issued under COA Circular No.
2013-006.
74
8.3
SUMMARY
Working papers/documentation is an integral part of the auditors’ responsibilities. Thus, there is a
need for a systematic wrap-up and archiving of working papers/documentation. Wrap-up and
archiving of working papers (electronic and/or hardcopy) should be done in a timely manner
after the date of the auditor’s report when the procedures and documentation are complete. COA
recognizes the right of the people to information thus, COA grants the requesting parties access
to records subject to limitations and considerations of ethical requirements on confidentiality.
75
REFERENCES









76
INTOSAI Development Initiative. ISSAI Implementation Handbook Compliance Audit.
Version 1.
INTOSAI Development Initiative. 2018. Compliance Audit ISSAI Implementation
Handbook. Version 0.
INTOSAI Professional Standards Committee. 2016. Compliance Audit Standard.
INTOSAI Professional Standards Committee. 2013. Fundamental Principles of PublicSector Auditing.
Commission on Audit. 2011. Integrated Results and Risk-Based Audit Manual.
African Organization of English-Speaking Supreme Audit Institutions. 2017. Compliance
Audit Manual.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2013.
Internal Control-Integrated Framework.
Commission on Audit. 2017. Internal Control Standards for the Philippine Public Sector
(ICSPPS).
INTOSAI Development Initiative. Supreme Audit Institution Performance Measurement
Framework (SAI PMF). 2016.
Annexes
ANNEX
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
NAME OF TEMPLATE
Understanding the Subject Matter Template
Internal Control Checklist
Materiality Template
Combined Risk Assessment Template
Fraud Risk Assessment Template
Compliance Audit Strategy Template
Compliance Audit Program
Entrance Conference Agenda
Minutes of the Entrance (or Exit) Conference
Test of Control Working Paper Template
Substantive Test Working Paper Template
Summary of Audit Observations and Recommendations
Agency Action Plan and Status of Implementation
Action Plan Monitoring Tool
Quality Control Review Checklist on Compliance Audit
Auditee Feedback Sheet
PAGE
78
80
86
88
90
92
94
96
98
99
101
103
104
105
106
110
77
Annex A
UNDERSTANDING THE SUBJECT MATTER TEMPLATE
Objective
This template enables the auditors to document the elements relevant to compliance auditing,
which should be identified before conducting a compliance audit. It also documents the
identified risks of non-compliance of the subject matter with the stated criteria. In addition,
it documents the audit objectives that will address the identified risks.
Accomplishing this Tool
Agency – This refers to the government agency being audited. It may be a national
government agency, a local government unit or a government-owned or controlled
corporation.
Period Covered- This refers to the time period (date/s) covered in the audit of the given
subject matter.
Type of Engagement- Determine whether a direct reporting or attestation engagement is to
be carried out by the audit team.
Level of assurance- Place a mark if the assurance to be provided is reasonable or limited. The
level of assurance will depend on the need(s) of the intended users.
Intended User(s)- Determine who will be the addressee of the compliance audit report. It may
include the head of the agency.
Responsible party- State the public officials who are responsible for the subject matter.
Identified Subject matter- Provide the information, condition or activity that is measured, or
evaluated against a suitable criteria.
Basis of Selection- Indicate the reason(s) for selecting the subject matter to be audited.
Description of the Subject Matter- Describe briefly and clearly the identified subject matter.
Audit scope- Provide a clear focus or area, extent/ limits, and time period covered in the audit
of a given subject matter.
Suitable Criteria- State the specific provision of law, rule or regulation, policy, international
treaty or agreement, etc. governing the agency that will be used to evaluate or measure the
subject matter consistently and reasonably.
Identified Risk(s)- List the possible instances/ or threats of non-compliance with relevant
authorities that can have material impact on the audited agency in achieving its objectives.
Lift from the UTA Template.
Audit Objective(s)- State the purpose(s) of the audit to address the identified risks of noncompliance.
78
UNDERSTANDING THE SUBJECT MATTER TEMPLATE
Prepared by:
Reviewed by:
Approved by:
Agency
Period Covered
Type of
Engagement
Level of Assurance
Date:
Date:
Date:
 Reasonable Assurance
 Limited Assurance
Intended User (s)
Responsible Party
Identified Subject
Matter
Basis of Selection
Description of the
Subject Matter
Audit Scope
Suitable Criteria
Identified Risk(s)
Audit Objective(s)
79
Annex B
INTERNAL CONTROL CHECKLIST
Objective
After identifying the elements of compliance auditing and understanding the identified subject
matter and suitable criteria, the auditors should understand all the components of an internal
control system: the control environment and internal controls relevant to the subject matter.
The internal control checklist contains a set of questions for each internal control component.
The questions provided herein will guide the auditors in obtaining an understanding of the
agency-level controls set by the agency management.
Accomplishing this Tool
I. ICC Probing Questions
Internal Control Component- Probing questions are provided for the following internal control
component:
 Control Environment
 Risk Assessment
 Control Activities
 Information and Communication
 Monitoring
NOTE:
Auditors are not only limited to the probing questions provided in this questionnaire. Additional
questions may be developed by the team, if deemed necessary.
Yes/No/ Not Applicable- Answer each probing question with the appropriate response as a result
of the auditor’s validation of each internal control component.
Remarks- Provide any remark or comment that the auditor may have on the related probing
question as a result of its validation. Examples of remarks may include identification of areas
needed to be focused for the audit engagement or possible fraud indicators. Documents
presented as references for evidence should also be provided in the remarks column.
Initial Assessment- After each component of the agency’s internal control, make an initial
assessment as to whether (a) the control design is present and adequate (b) the control is
functioning or being implemented. Provide an explanation/reason of such initial assessment for
each component.
II. ICC Summary
Observations- Document the observations obtained during the understanding of the agency level
controls relevant to the subject matter. Observations may include deficiencies noted on the
design of agency-level controls or red flags that may be noted on the process which may indicate
source of fraud risks. Incidentally, audit teams may need to issue an Audit Observation
Memorandum (AOM) to call the attention of the agency for the observations noted.
Recommendations- Provide a recommendation (if applicable) for each key observation noted.
AOM Reference- Indicate the AOM reference number for those observations issued with an Audit
Observation Memorandum
80
INTERNAL CONTROL CHECKLIST
Prepared by:
Reviewed by:
Approved by:
Date:
Date:
Date:
I. ICC Probing Questions
Internal Control Component
A. Control Environment
Yes
No
NA
Remarks
1. Do the top management and other Officials support
integrity and ethical values?
2. Do the top management and other Officials lead the
commitment to integrity and ethical values by example
in their day-to-day activities and demonstrate through
their directives, actions and behavior the importance of
integrity and ethical values?
3. Are the Code of Conduct and/or Ethics policy, as well as
other policies regarding acceptable practices, conflicts
of interest, etc., comprehensive and have been clearly
and adequately communicated throughout the agency?
4. Does the top management strictly prohibit
circumvention of established policies and procedures,
except where specific guidance has been provided?
Does it also demonstrate commitment to this principle
and take appropriate disciplinary action in response to
violations of established policies and procedures?
5. Do the top management and other Officials act to
remove or reduce incentives or temptations that might
prompt personnel to engage in dishonest, legal, or
unethical acts?
6. Does the top management give appropriate attention to
internal controls, including regularly educating and
communicating the importance of internal controls to
its employees?
7. Does the top management show willingness to consult
with the internal control reviewers or the external
auditor on significant matters relating to internal
control and accounting issues?
8. Do the agency’s oversight bodies give adequate
consideration to understanding management's
processes for monitoring risks affecting the agency?
9. Is the overall agency structure appropriate and does it
facilitate the flow of information both up and down
within each function, as well as across other functions?
Is the structure reviewed and modified to accommodate
changes in operating conditions, as necessary?
10. Are there appropriate policies for such matters as
creating new Offices/Divisions/Units, reviewing
potential conflicts of interest, approving transactions
and implementing security practices and are they
adequately communicated throughout the agency?
11. Is there adequate supervision and monitoring of
decentralized operations (including accounting and
information systems personnel and services)?
12. Do the top management and other Officials demonstrate
commitment to provide sufficient training to audit,
81
Internal Control Component
13.
14.
15.
16.
17.
18.
19.
information technology, technical and administrative
personnel to keep pace with the growth and complexity
of the agency’s operations?
Do the agency’s personnel have the competence and
training necessary for their assigned level of
responsibility and the nature and complexity of their
assigned responsibilities?
Are there standards and procedures for hiring, training,
motivating, evaluating, promoting, compensating,
transferring, and terminating personnel that are
applicable to all functional areas (e.g., auditing,
accounting, information systems, administration, etc.)?
Are there screening procedures for job applicants
particularly for employees with access to assets
susceptible to misappropriation?
Are human resources policies and procedures (i.e.
written job description, Personnel Handbook/Manual)
clear and issued and updated on a timely basis?
Are Human Resource policies and procedures
effectively communicated to personnel?
Do the top management and other Officials set realistic
(i.e., not unduly aggressive) operational targets and
expectations for operating personnel?
Is job performance periodically evaluated and reviewed
with each employee by supervisory personnel?
Initial Assessment
Control Design- Is it present and adequate?
Control Implementation- Is it functioning?
Explanation/Reason:
B. Risk assessment
20. Has the agency established and clearly communicated
its mission, operating strategy, and objectives?
21. Is a process in place to periodically review and update
the agency-wide strategic plans? Are these plans
reviewed and approved by the top management?
22. Are feedback mechanisms in place and do they enable
the agency officials to periodically assess whether
agency-wide objectives have been achieved?
23. Are objectives established for agency processes? Are
they clearly linked to the audit clients’ strategies and
their overall objectives in support? Are the objectives
clearly understood by employees responsible for
achieving the results?
24. Are there adequate mechanisms in place for identifying
agency risks and barriers to achieving its objectives,
including those resulting from: Entering new
program/projects or lines of operation; Taking on new
policies; Offering new services; Complying with privacy
and data protection compliance requirements; Adapting
to other changes in the political, social, economic and
regulatory environment in terms of auditing and
reporting etc.?
25. Does the top management consider how much risk it is
willing to accept when setting strategic direction and
does it strive to maintain risks within those levels?
82
Yes
No
NA
Remarks
Internal Control Component
Yes
No
NA
Remarks
26. Do the top management and other Officials oversee and
monitor the risk assessment process? Do they take
action to address the significant risks identified?
27. Do the top management and other Officials prepare risk
assessment of agency operations to consider risk
related to fraudulent activity and how the operations
could be impacted?
28. Does the assessment of fraud risk consider the
opportunities for unauthorized acquisition, use or
disposal of assets, altering the reporting records or
committing other inappropriate acts?
29. Are periodic reviews performed or are other processes
in place to anticipate, identify, and communicate to the
appropriate levels of agency’s management events or
activities that may affect the agency's ability to achieve
their objectives, as well as avenues to address these
changes?
30. Do other Officials report to the top management on the
changes in both the external and internal environment
that may have a significant effect on the agency?
Initial Assessment
Control Design- Is it present and adequate?
Control Implementation- Is it functioning?
Explanation/Reason:
C. Control Activities
31. Are appropriate policies and procedures developed,
documented and implemented for each of the agency’s
critical processes?
32. Does appropriate agency management level have
ownership of the policies and procedures? Do the
process owners review the policies and procedures
periodically to determine if they continue to be
appropriate for their own activities?
33. Is there is an appropriate segregation of incompatible
activities within span of control?
34. Is the physical security over the agency IT assets
reasonable given the nature of its operations?
35. Are policies and procedures clearly communicated to
personnel to ensure that they are applied consistently
and conscientiously?
36. Are job roles, responsibilities, and related
system/access privileges periodically reviewed for
proper segregation of duties?
Initial Assessment
Control Design- Is it present and adequate?
Control Implementation- Is it functioning?
Explanation/Reason:
D. Information and Communication
37. Do the top management and other Officials receive
relevant, sufficient and timely information to allow
them to fulfill their responsibilities?
38. Has the agency management documented the relevant
controls that mitigate the risk of errors in information
systems?
83
Internal Control Component
39. Does the agency's information system generate
information that is of sufficient quality to support the
effective operation of controls? Has management
developed and implemented controls related to:
completeness and accuracy of data; capture of data at
the necessary frequency; providing information when
needed; protection of sensitive data; retention of data
complying with (relevant) audit and regulatory needs?
40. Is there a current agency continuity plan and disaster
recovery plan for the significant components of critical
functions and processes, including IT infrastructure,
network components, operating system components,
databases, applications and data files? Are these plans
tested at least annually and updated for changing
conditions?
41. Are application programs and data files backed-up
regularly?
42. Is there a process to quickly disseminate critical
information throughout the agency when necessary?
43. Are policies and guidance generated and used
throughout the agency adequate and contain sufficient
and meaningful information so that its officials and
employees can measure actual results against their
objectives?
44. Are agency employees' roles and responsibilities
communicated clearly and effectively ( ie. Through
written job description, reference manuals) by top
management? Are these roles and responsibilities
uniformly understood?
45. Are all reported agency employees’ potential
improprieties reviewed, investigated, and resolved in a
timely manner? Is the top management notified of
improprieties and the actions taken to address them?
46. Is there is an Ethics Hotline or any process which
provides employees with an anonymous and
confidential channel through which they can report,
among other things, complaints related to overall
operations, accounting, internal controls over financial
reporting, or auditing matters?
47. Is the availability of the Ethics Hotline well
communicated throughout the agency? Are the
procedures in place to appropriately handle the receipt
and retention of any issue raised? Does management
treat all issues raised with serious concern for
confidentiality, integrity, and ultimate resolution?
48. Is the Agency able to prepare accurate and timely
financial reports (or operations reports), including
interim reports?
49. Are external stakeholders satisfied with the agency’s
systems for transaction and information processing,
including the reliability and timeliness of reports it
produces?
50. Is there a process for tracking communications to the
public, vendors/suppliers, regulators, and other
external parties? Is ownership assigned to members of
the agency management to help ensure that it responds
84
Yes
No
NA
Remarks
Internal Control Component
Yes
No
NA
Remarks
appropriately, promptly, and accurately to these
communications?
Initial Assessment
Control Design- Is it present and adequate?
Control Implementation- Is it functioning?
Explanation/Reason:
E. Monitoring
51. Do the top management and/or other Officials review
the agency’s operational process controls to ensure that
the controls are being applied as expected?
52. Are agency procedures in place to monitor when its
operating controls are overridden; and, to determine if
the override was appropriate?
53. Do the internal control reviewers have the authority to
examine any aspect of the agency's operations?
54. Are agency policies and procedures in place to ensure
that corrective action is taken on a timely basis when
control gaps or exceptions occur?
55. Do the top management and/or other Officials take
adequate and timely action to correct its internal
control deficiencies reported by the Internal Audit
Office, audited agency external auditor and/or other
parties (e.g., consultants)?
Initial Assessment
Control Design- Is it present and adequate?
Control Implementation- Is it functioning?
Explanation/Reason:
II. ICC Summary
Observations
Recommendations
AOM Ref.
85
Annex C
MATERIALITY TEMPLATE
Objective
Materiality is applied by the auditor in planning and executing the audit, and in evaluating the
effect of instances of non-compliance. In the planning phase, assessing materiality helps the
auditor to identify the audit questions which are of importance to the intended user(s). In
performing the audit, the auditor uses materiality in the decision of the extent of audit procedures
to be executed and the evaluation of audit evidence. In evaluating and concluding the audit, the
auditor uses materiality to evaluate the scope of work and the level of non-compliance to
determine the impact on the conclusion/opinion.
This template guides the auditor in determining quantitative materiality which will form as basis
for the design of the audit. The computed materiality must be reassessed as to its appropriateness
throughout the audit.
Accomplishing this tool
o Sensitivity of the Subject Matter – The sensitivity of the subject matter should be considered
from the viewpoint of the intended users. Factors affecting the sensitivity of the subject
matter are media interest, significant compliance audit issues in prior years, nature of the
transaction involved, and officials or employees involved, among others.
o
Materiality Benchmark – the selection of the appropriate benchmark shall consider the most
relevant aspect of the subject matter in relation to the selected audit criteria. The auditor shall
consider the nature of the agency and the subject matter, and the intended users’ focus.
o
Measurement percentage – based on the sensitivity of the subject matter, the auditor shall
choose the predetermined percentage. There is an inverse relationship between the
sensitivity of the subject matter and the materiality percentage. The higher the sensitivity, the
lower the materiality percentage.
o
Benchmark amount – After selecting the most appropriate benchmark, the auditor shall
determine the benchmark amount. The benchmark amount may be in the form of monetary
value or number of items for a certain period of time, or for a specific period of time.
o
Source of the benchmark – The source of the benchmark must be reliable and must be linked
with the audit scope
o
Computation – Materiality is simply computed by multiplying the benchmark amount by the
measurement percentage. The product will be the basis in developing conclusion on the
compliance of the subject matter with the selected audit criteria.
Note: The subject matter is not compliant with the criteria if the audit findings are equal to or
above the materiality amount.
86
MATERIALITY TEMPLATE
Prepared by:
Reviewed by:
Approved by:
Date:
Date:
Date:
1. Determine the sensitivity of the subject matter (check one):
Very Sensitive
Sensitive
Not Sensitive
2. Identify the Most Appropriate Materiality Benchmark
a. Select the most relevant materiality benchmark (check one):
Monetary amounts involved (expenditures, revenues, etc.)
Number of citizens or entities affected by the subject matter
Others - (specify)__________________________________________________________
b. Select the measurement percentage by degree of sensitivity (check one):
Degree of sensitivity
Measurement percentage
Very Sensitive
½%
Sensitive
½ - 2%
Not Sensitive
2%
c. Indicate the benchmark amount (monetary value / number of citizens or entities, etc.)
d. Indicate the source of the benchmark (based on audit scope)
e. Calculate materiality
Measurement
Percentage
(from Step 2.b.)
Benchmark Amount
(from Step 2.c.)
X
Materiality
Amount
=
87
Annex D
COMBINED RISK ASSESSMENT TEMPLATE
Objective
The Combined Risk Assessment Template facilitates the auditor’s documentation of the
assessments made on the inherent risk and control risk in order to determine the most
appropriate audit response to address those risks.
Accomplishing this Tool
o Identified Risk(s)- Lift from Understanding the Subject Matter Template.
Inherent Risk – Assess whether High or Low considering the susceptibility of the subject
matter to compliance deviations arising from complexity of the framework/hierarchy of laws,
rules and regulations and the laws, rules and regulations itself, introduction of new legislation
or changes in existing regulations, extent of judgment applied in interpreting laws and
regulations, human errors, and potential fraud, if any. Justifiy or explain your assessment.
o
Control Risk – Assess the control risk as Low if the relevant controls are capable of mitigating
or addressing the risk of noncompliance, otherwise, assess it as High. Justifiy or explain your
assessment. After the initial assessment of risk based on the adequacy of the control design,
revisit this template to reflect the result of the test of operating effectiveness of controls.
o
Combined Risk Assessment – determine the combined assessment using the following matrix:
Inherent Risk
o
High
Low
High
Low Minimal Moderate
Low
High
Control Risk
o
Audit Response – based on the combined risk assessment, determine if the audit response is
either Test of Controls, or Substantive Testing. Design the appropriate audit response with
the guidance of the table below:
Combined Risk
Assessment
High
Moderate
Low
Minimal
88
Approach in designing risk response
Audit response to be focused on improving internal controls
through assessment of improved plans
Evaluate and monitor the development of risk level
Focus on obtaining assurance that controls continue to operate as
designed and that there is consistency in risk management
Audit response to be focused on compliance issues
COMBINED RISK ASSESSMENT TEMPLATE
Prepared by:
Reviewed by:
Approved by:
Identified Risk(s)
Date:
Date:
Date:
Inherent
Risk
☐ High
☐ Low
Justification:
Control Risk
☐ High –
Not Rely
☐ Low – Rely
Justification:
Combined Risk
Assessment
☐ High
☐ Moderate
☐ Low
☐ Minimal
Audit Response
89
Annex E
FRAUD RISK ASSESSMENT TEMPLATE
Accomplishing this Tool
Based on the information gathered from the UTA, the auditor should review and assess the
information about the agency, and identify the fraud risks that may affect the agency’s Mandate,
Operations, Objectives and Strategies, Critical Success Factor, Key Performance Indicators. Using
professional judgment and guided by Fraud-Forensic Audit Manual’s (FoAM) fraud categories,
the auditor should identify all possible fraud risks and schemes of the agency and document them
in the table as follows:
90
a.
Fraud Category and Schemes – list down the category of fraud risk - Corruption, Asset
Misappropriation, or Financial statement Fraud. Specify the potential fraud scheme that
corresponds to the fraud risk the agency has.
b.
Risk Statement – describe the fraud scheme as to its effect on the agency.
c.
Process – identify which process in the agency is affected by the fraud risk identified (e.g.
Procurement).
d.
Sub-Process - identify which specific area in the process is affected by the fraud risk
identified (e.g. bidding).
e.
Impact – assess the extent of the identified fraud risks to the agency. Factors that may
help define the impact rating may include financial effect, reputation impacts, ability
to achieve key objectives, person likely to commit the fraud, etc.
f.
Likelihood – assess the susceptibility of the agency to identified fraud risks. Factors that
may help define likelihood may include volume of transaction, type of asset expose to the
fraud (e.g. cash or inventory), ease of committing the fraud, history of past irregularities in
the agency, etc.
g.
Overall Assessment – assess the combined assessment on the impact and likelihood
of the fraud risks within the agency and rank this as low, moderate, or high.
h.
Supporting Information - provide information and documents to support the assessment.
i.
Fraud Response – based on the overall assessment, indicate the audit response to all
identified fraud risk, e.g. test of controls, performing detective procedures, or a
combination of both. Fraud risks assessed as low usually will not merit an audit response.
j.
Rationale – Include the reason for the overall assessment or the reason why we should not
pursue any audit response for the fraud risk.
FRAUD RISK ASSESSMENT TEMPLATE
Prepared by:
Reviewed by:
Approved by:
Fraud
Category
and
Schemes
Fraud
Risk
Statement
Date:
Date:
Date:
Process
Subprocess
Impact
Likelihood
Overall
Assessment
Supporting
Information
Audit
Response
Rationale
91
Annex F
COMPLIANCE AUDIT STRATEGY TEMPLATE
Objective
The Compliance Audit Strategy Template documents/design the overall decisions in the planning
phase describing the team composition and work allocation, planned communications with the
audited agency, reporting responsibilities and specific details of the audit, among others.
Accomplishing this Tool
o Audit Period- This refers to the date(s) when the audit is conducted, starting from planning
the audit at the engagement level to reporting the compliance audit.
92
o
Composition of the team – List the names, position and designation of all the members of the
audit team. If there are reshuffling during the audit, its effect shall be documented by
indicating the period of participation of the previous and new team members.
o
Significant milestones and work allocation of the team – List the main audit activities from
planning to reporting, the expected output and the person responsible for each activity. The
activities must be consistent with the steps and processes prescribed in the CA Manual. There
shall be a specific work allocation to each member of the audit team. The quality control
aspect throughout the audit process shall also be specified in the milestones.
o
Needed external expertise – If the collective skills and competencies of the audit team are not
sufficient for the complexity of subject matter involved, the audit team shall identify the
expertise needed for the audit activities requiring specialized skills.
o
Planned communication – indicate the planned communications with the audited agency
throughout the audit process which may include entrance conference, communication of
audit findings through issuance of AOMs, and exit conference, among others.
o
Reporting responsibilities – the reporting responsibilities of the auditor include the issuance
of MLs/ compliance audit report, and other reports on matters which the auditor may be
asked to report on if they come to auditor’s attention during the course of the compliance
audit.
COMPLIANCE AUDIT STRATEGY TEMPLATE
Prepared by:
Reviewed by:
Approved by:
Audit Period
Date:
Date:
Date:
Composition of the audit team
Name
Position
Designation
Significant Milestones and Work Allocation
Activity
WP
Ref.
Expected
Output
Person
Responsible
Target Date to Accomplish
20xx
20xx
Remarks
J A S O N D J F M A M J
A. PLANNING
B. EXECUTION
C. REPORTING
Needed external expertise (if any)
Activity
Expertise needed
Planned communication with the audited agency and/or those charged with governance
Communication Activity
Date
Reporting responsibilities
Name of Report
93
Annex G
COMPLIANCE AUDIT PROGRAM
Objective
The Compliance Audit Program documents the procedures on how the audit will be conducted.
The documentation includes the nature, timing and extent of planned audit procedures and dates
when the procedures will be performed.
Accomplishing this Tool
o Identified Risk(s) – Lift from Understanding the Subject Matter Template (Annex A) the
identified potential risks that may be residing on the selected subject matter. The risk shall
link the subject matter with the audit criteria.
94
o
Audit Objectives – Copy from Annex A. The audit objectives must be relevant to the risk
identified, which will become the basis in designing audit procedures responsive to such risk.
o
Audit Questions- The audit objective is translated into audit questions which the auditor may
break into a more precise and specific sub-questions. When broken-down into several subquestions, they must be related and feasible, which collectively, must address the main audit
objective. The auditor must take into consideration that the design of audit procedures must
enable the auditor to obtain sufficient and appropriate audit evidence to answer all audit
questions and sub-questions.
o
Audit Procedures – The auditor shall design audit procedures that are supporting the audit
objectives and responsive to the identified risk. The person responsible, completion date and
reference to the execution working papers shall be indicated to establish accountability of
audit work that will be performed.
COMPLIANCE AUDIT PROGRAM
Prepared by:
Reviewed by:
Approved by:
Date:
Date:
Date:
Identified Risk#1
Audit Objective/
Question(s)
Audit Procedures
Person
Responsible
Date Completed
Reference
Person
Responsible
Date Completed
Reference
Identified Risk#1
Identified Risk#2
Audit Objective/
Question(s)
Audit Procedures
Identified Risk#1
95
Annex H
ENTRANCE CONFERENCE AGENDA
Date :
Time :
Venue :
These should indicate the date, time and venue of the entrance conference
A. Audit Team
Name
Position /Designation
This should indicate the names, position/ designation of the audit team
B. Objective and Scope of Compliance Audit
This will cover the aim and the coverage of the compliance audit
C. Approach and Methodology
This will cover the procedures and methods to be conducted during the audit.
D. Output
This will identify the deliverables of the audit team.
E. Officers / Personnel Involved
This should indicate the concerned agency officials/employees who are invited to attend to
the meeting.
F. Significant schedules
ACTIVITIES
DATES
Entrance Conference
Gathering and analysis of data
Issuance of Audit Observation
Memorandum (AOM)
Exit Conference
This should enumerate the main tasks and their corresponding dates
G. Documents needed for the audit
This should contain the pertinent documents requested during the audit.
96
H. Administrative Matters
This should include other necessary requests for the conduct of the audit (e.g. Designation
of a focal person/s; For non-residency audit- Provision of work space and equipment such
as printer, scanner, and internet)
Prepared by:
Reviewed by:
Approved by:
Name of the preparer
Designation
Name of the reviewer
Designation
Name of the approver
Designation
97
Annex I
MINUTES OF THE ENTRANCE (or EXIT) CONFERENCE
I.
Date, Time, and Venue
Date
Time
Venue
These should indicate the date, time and venue of the entrance o
exit conference
II. Attendees
NAME
POSITION
DESIGNATION
This should indicate the names, position and designation of the attendees of the conference
III. Highlights
This should contain the salient points as chronologically discussed during the entrance or exit
conference.
Prepared by:
Reviewed by:
Approved by:
Name of the preparer
Designation
Name of the reviewer
Designation
Name of the approver
Designation
Noted:
Name of agency head or
Duly designated representative
The signatories for the minutes of the conference should include both the auditor and the agency
head or duly designated representative.
98
Annex J
TEST OF CONTROL WORKING PAPER (TCWP) TEMPLATE
Accomplishing this Tool
I. Determine control and control testing procedures:
a. Material non-compliance risks- These were identified during risk assessment. Copy from
the Compliance Audit Program.
b. Controls- narrate in sentence form the control activities that management has put in
place to prevent the non-compliance. These are as follows:
• Top level review – a person with higher rank reviews the work of the person
responsible for the action needed.
• Physical control – control that management has put in place to protect the assets,
for example, providing a security guard to protect the office premises. The auditors
will have to examine provisions of the contracts indicating how the premises would
be protected such as required number of guards, the actual deployment at a given
shift/schedule, etc.
• Segregation of duties – for example, accounting and treasury functions must be
segregated
• Authorization/approval – agency policy on levels of signing authority
• Appropriate documentation – completeness of supporting documents
c. Control Reference- assign a reference number for each control activity, for example, top
level review is Control Ref. No. 1, Physical Control is Control Ref. No. 2, and so on.
d. Control testing procedures- are the procedures to be undertaken in testing the controls.
e. Proof of evidence- indicate the document examined, for example, work paper no. 1
indicates the vouchers examined and the results of the examination.
II. Test the controls
a. Considering the confidence level, select sample size and determine the tolerable
deviation rate.
b. Fill out the columns appropriately. In Column 5, place a √ if the control is present or X
if not present.
c. Evaluate the controls by counting the deviations (those with X marks) of each control
and indicate the totals appropriately.
III. Tabulate results of evaluation and the corresponding disposition. Use the Sample format.
99
TEST OF CONTROL WORKING PAPER (TCWP) TEMPLATE
Prepared by:
Reviewed by:
Approved by:
Date:
Date:
Date:
Test of Controls WP# ________
I.
Determine control and control testing procedures:
Material
Noncompliance
Risk
(1)
Controls
(Sentence
Form)
(2)
Control Ref.
(3)
Control Testing
Procedure
(4)
Proof Of
Evidence
(5)
II. Test the controls.
Sample Work Paper Format
Item
No.
(1)
Cash Disbursement
Voucher
Date
Payee
(2)
(3)
(4)
Control Ref.
1
2
3
4
5
(5)
Total no. of deviations
III. Tabulate results of evaluation and the corresponding disposition. Sample format follows
CONTROL
REF
1
2
3
4
5
100
RESULTS OF EVALUATION
DISPOSITION
Annex K
SUBSTANTIVE TEST WORKING PAPER (STWP) TEMPLATE
Accomplishing Part I of STWP Template
a. Enumerate the documents that serve as audit evidence gathered, such as: confirmation
letter from a third party; interview questionnaire, etc.
b. Assign working paper reference for each audit evidence for indexing. Indicate the WP
code for cross referencing.
Accomplishing Part II of STWP Template
a. Evaluation of audit evidence- Place a mark on YES column if audit evidence gathered is sufficient and appropriate;
otherwise, place a mark on the NO column.
- State the reason or disposition of the auditor regarding the assessment made and
place it on the remarks column.
b. Audit objectives/audit questions- Lift the audit objectives/ questions from the audit
program.
c. Findings/Observations- Cite the topic sentence lifted from the AOMs issued. These should
answer the audit objective/ questions.
d. WP Reference- Indicate the AOM Number and date of issuance, or the working paper index
code.
e. Summary of Material findings/ observations- Based on all the audit findings, select which
findings/observations are material that would be the basis of the conclusion.
f. Conclusion on the Subject Matter- Express the conclusion in a clear statement.
For direct reporting engagements:
- When the subject matter complies with the established criteria, the auditors state
that: “Based on the audit work performed, we found that the (subject matter) of the
(audited agency) is in compliance, in all material respects, with the (criteria).”
-
When the subject matter does not comply with the established criteria, the auditors
state that: “Based on the audit work performed, because of the significance of the
matter noted in the Basis for the Conclusion paragraphs above, the (subject matter)
of the (audited agency) is not in compliance, in all material respects, with the
(criteria).”
For attestation engagements:
Use the prescribed wordings applicable for qualified, disclaimer and adverse opinions.
101
SUBSTANTIVE TEST WORKING PAPER (STWP) TEMPLATE
Prepared by:
Reviewed by:
Approved by:
Date:
Date:
Date:
Part I
Audit Evidence and links to documents
Part II
Evaluation of Audit Evidence (Assessment of whether audit evidence is sufficient and appropriate)
Yes
No
Remarks/ Disposition
Sufficient
Appropriate
Audit Objectives /Audit
Questions
Summary of Material Findings/Observations
(Basis for the Conclusion)
Conclusion on the Subject Matter
102
Findings/Observations
WP Ref
Annex L
SUMMARY OF AUDIT OBSERVATIONS AND RECOMMENDATIONS
(SAOR)
A Summary of Audit Observations and Recommendations (SAOR) duly supported by individual
AOMs issued with management replies and auditor's rejoinder shall be prepared before the
conduct of exit conference and shall be updated after the exit conference.
A written notification to auditee head for the conduct of exit conference should be made by the
Supervising Auditor at least one week before the schedule of the exit conference, copy furnished
the Director concerned. The notification for the conduct of Exit Conference shall be supported
with a SAOR.
The SAOR shall be presented in matrix form with the following columns:
a. Reference (AOM No.);
b. Compliance Audit Observations;
c. Recommendations;
d. Management comments; and
e. Auditor's rejoinder.
(source: COA Memorandum No. 2014-011 dated October 21, 2014)
SUMMARY OF AUDIT OBSERVATIONS AND RECOMMENDATIONS
Reference
AOM No.
Compliance Audit
Observations
Recommendations
Management
Comments
Auditor’s
Rejoinder
103
Annex M
Name of the Agency and Address
Agency Action Plan and Status of Implementation (AAPSI)
Compliance Audit Observations and Recommendations
For the Calendar Year XXXX
As of __________
Agency Action Plan
Ref
Audit
Observations
Audit
Recommendations
Action
Plan
Person
/Dept.
Responsible
Target
Implementation Date
From
Status of
Implementation
To
Reason for
Partial
/Delay/
Nonimplementation, if
applicable
Action
Taken /
Action
to be
taken
Agency sign-off:
__________________________________________
Name and Position of Agency Officer
____________
Date
Note:
Status of Implementation may be: (a) Fully Implemented, (b) Ongoing, (c) Not Implemented, (d)
Partially Implemented, or (e) Delayed
(Source: COA Memorandum No. 2014-002 dated March 18, 2014- Annex A)
104
Annex N
Action Plan Monitoring Tool (APMT)
Sector:
Team:
Audited Agency:
Audit Period:
ML Date:
AGENCY ACTION PLAN and STATUS OF IMPLEMENTATION
R
e
f
Audit
Observation
Audit
Recommendation
A
C
T
I
O
N
Plan
Agency Action Plan
Target
Person
Implemen/Dept.
tation Date
Responsible
From
To
Reason for
Partial
Status of
/Delay/
ImplemenNontation
implementation, if
applicable
Prepared by:
________________________________
Audit Team Leader
RESULTS of COA VALIDATION
Action
Taken
/
Action
to be
taken
Date of
Follow
-Up
Status of
Implementation
Actual
Implementation Date
From
To
Approved by:
____________
Date
__________________________
Supervisor
___________
Date
Note:
Status of Implementation may be: (a) Fully Implemented, (b) Ongoing, (c) Not Implemented, (d)
Partially Implemented, or (e) Delayed
(Source: COA Memorandum No. 2014-002 dated March 18, 2014- Annex B)
105
R
E
M
A
R
K
S
Annex O
QUALITY CONTROL REVIEW CHECKLIST
Compliance Audit
Agency:
Subject Matter:
Name and Signature of
Reviewer:
Date:
Criteria/Question
1.0 INITIAL CONSIDERATIONS
1.1
Was this subject matter
approved by the Cluster
Director and was it included
and prioritized in the Annual
Overall (Compliance) Audit
Plan?
1.2
Has the initial risk assessment
of the subject matter been
carried out by:
i.
1.3
1.4
1.5
1.6
Identifying the subject
matter where the
potential risk of
noncompliance is high?
ii. Determining that the
subject matter is
significant for the
intended user(s)?
Has the team’s competency
and composition been
assessed?
Are the budgeted hours
sufficient for the audit of this
subject matter, and has the
time been allocated to each
phase and auditor
appropriately?
Have all the team members
signed the code of ethics?
Has the Supervising Auditor
concluded on the code of
ethics conclusion?
1.7
Has the Initial Consideration
working papers been
reviewed?
2.0 PLANNING THE AUDIT
106
ISSAI
Reference
ISSAI 4000.101,
ISSAI 4000.3336, 121-124
ISSAI 100.46,
ISSAI 400.54,
ISSAI 4000.43,
64, 19
ISSAI 4000.46,
74-76, 85-88
ISSAI 4000.86
ISSAI 4000.4551 and
ISSAI 30
ISSAI 4000.4551 and
ISSAI 30
ISSAI 4000.82
and
ISSAI 40
Working
Paper Ref.
Yes/No
Comment
Criteria/Question
2.1
Is the identified subject
matter appropriate to the
circumstances?
2.2
Is the audit objective
corresponding with the
subject matter?
2.3
Is the scope of the compliance
audit covering the subject
matter appropriate?
2.4
Has relevant criteria been
identified for this subject
matter?
2.5
Does the audit criteria exhibit
relevant characteristics? (E.g.
Are they relevant, complete,
neutral etc.)
2.6
Has relevant risks of
noncompliance been
identified in detail relating to
the subject matter including
fraud risk?
2.7
Was materiality
(qualitative/quantitative)
assessed for this subject
matter? Qualitative
materiality is more important
in Compliance Audit and
especially for direct reporting
engagements. Quantitative
materiality is more common
for attestation engagements.
2.8
Was, “Understanding the
Agency's and its Internal
Control” obtained, and does
the work demonstrate a real
understanding of this related
to the subject matter?
2.9
Are the audit questions
formulated to address the
risks of noncompliance?
2.10 Are the planned procedures
designed to answer the audit
questions?
2.11 Has the audit risks been
responded to properly?
2.12 Is there a common thread (a
link) throughout from the
subject matter to criteria, risk
assessment, audit questions
and procedures?
ISSAI
Reference
ISSAI 4000.64,
107-109
Working
Paper Ref.
Yes/No
Comment
ISSAI
4000.138(a)
ISSAI 400.50,
4000.44
ISSAI
4000.110-114
ISSAI 4000.118
ISSAI 100.46
400.54
4000.58-63
ISSAI
4000.125-130
ISSAI
4000.131-136
ISSAI
4000.107-114
and 128
ISSAI 4000.144,
149,
ISSAI 4000.5263
107
Criteria/Question
ISSAI
Reference
ISSAI 4000.9698
Working
Paper Ref.
2.13 Has the subject matter, audit
questions, criteria and
methodology, been
communicated to the agency
in Entry meeting and/or
engagement letter?
2.14 Were all the planning
ISSAI 4000.82
working papers reviewed and
approved?
3.0 PERFORMING THE AUDIT PROCEDURES
3.1
Were procedures performed
ISSAI 4000.84,
with appropriate audit
160
techniques/methods, e.g.
observation, inquiry,
interview, etc.?
3.2
Did the auditor select a
ISSAI
combination of audit
4000.158-169
techniques to be able to form
a conclusion with the selected
level of assurance?
3.3
Was audit sampling used for
ISSAI 4000.172
this subject matter?
3.4
If sampling was used, was it
ISSAI
applied in accordance with
4000.172-178
the COA Sampling Policy?
3.5
Were all the planned
procedures performed? If no,
what was the reason?
3.6
Was sufficient and
ISSAI
appropriate audit evidence
4000.73,78,
gathered?
144-152
3.7
Were audit findings raised
ISSAI 4000.96,
and communicated to audited 100
agency management?
3.8
Were appropriate conclusions ISSAI 4000.158
drawn?
3.9
Were the working papers on
ISSAI 40 and
gathering audit evidence
ISSAI 4000.82
reviewed and approved?
4.0 EVALUATING AUDIT EVIDENCE & FORMING CONCLUSIONS
4.1
Were findings evaluated
ISSAI
against materiality?
4000.184-187
4.2
Was the conclusion formed
ISSAI
based on sufficient and
4000.179-183
appropriate evidence?
4.3
Were the working papers on
ISSAI 4000.82
gathering audit evidence
reviewed and approved?
108
Yes/No
Comment
Criteria/Question
4.4
ISSAI
Reference
Working
Paper Ref.
Yes/No
Comment
Has the code of ethics
compliance been signed by all
team members at the end of
the audit?
5.0 REPORTING
5.1
Was appropriate reporting
ISSAI
structure used?
4000.210-225
5.2
Is the audit report prepared
ISSAI 4000.202
based on the principles of
completeness, objectivity,
timeliness, accuracy and
contradiction?
5.3
Is the audit conclusion
appropriate?
5.4
Have the audit questions been
answered to support the audit
conclusion?
5.5
Did the team conduct Exit
Conference and inform the
audited agency about the
findings, conclusion and
discuss the draft report?
Note: All “YES” answers must be supported with basis and all “NO” answers must be thoroughly
explained and discussed with the engagement partner.
109
Annex P
AUDITEE FEEDBACK SHEET
Date
Adressee:
Dear _____________________,
With reference to the compliance audit of the (subject matter) of the (name of audited agency),
please accomplish the attached feedback survey by placing a check () mark on the items that
best describe the statements 1-11. We consider our audit clients’ feedback on our audit service
very valuable as this will enable us to ensure and to continually improve the quality of our audits.
Please send the filled-out survey directly to the Office of the Cluster/Regional Director,
(Cluster/Region), (Audit Sector), (Address) within five days from receipt.
Thank you for your cooperation.
Very truly yours,
(Signature over printed name)
Cluster/Regional Director
110
Agency Name: _______________________
Address: ____________________________
Date: _______________________________
Compliance Audit Team to be rated
Calendar Year covered: _______________
Supervising Auditor/Regional Supervising Auditor: ____________________
Audit Team Leader: _______________________
Audit Team Members: _____________________
_____________________
_____________________
No
Audit Quality
1
Entrance meeting was held and all
questions/comments were adequately
addressed by the Audit Team.
The objectives and scope of audit were
discussed.
The audit was completed within the
timeframe communicated.
The audit was conducted in a professional
and courteous manner.
The audit was conducted with minimal
disruption to our business.
The Audit Team kept us informed of key
issues throughout the audit.
The exit conference provided us the
opportunity to discuss our comments on
the observations and recommendations
made by the audit team.
All our key concerns were attended to by
the Audit Team.
The
audit
observations
and
recommendations contained in the audit
report were properly communicated.
The audit report reflected our comments
and/or actions taken/to be taken.
The overall audit provided value to the
organization.
2
3
4
5
6
7
8
9
10
11
Remarks
(pls indicate
Not
Agree Disagree
Done reason if
you
disagree)
111
Suggestions to improve future compliance audits (Please use separate page if necessary.)
____________________________________________________________________________________________________________
____________________________________________________________________________________________________________
____________________________________________________________________________________________________________
_______________________________________________
Accomplished by:
Signature: ________________________
Name: ___________________________
Position/Designation: ______________
I fully concur with the ratings given, and this form is approved for release to COA
Signature: ________________________
Name: ___________________________
Position/Designation: ______________
Date Approved: ___________________
112
ILLUSTRATIVE CASE
Agency – City of ABC
File
1
2
3
4
5
6
7
8
9
10
11
12
FILLED-OUT TEMPLATES
Understanding the Agency Template
Understanding the Subject Matter Template
Internal Control Checklist
Materiality Template
Combined Risk Assessment Template
Fraud Risk Assessment Template
Compliance Audit Strategy Template
Compliance Audit Program
Substantive Test Working Paper Template
Management Letter (ML)
ML_Annex A
ML_Annex B
PAGE
114
124
127
138
139
141
142
145
147
150
156
161
113
File 1
UNDERSTANDING THE AGENCY (UTA) TEMPLATE
Agency:
City of ABC
Period
Covered:
Prepared by:
January 01, 2018 to December 31, 2018
Team Member
Date:
Reviewed by:
Team Leader
Date:
Approved by:
Supervising Auditor
Date:
AGENCY PROFILE
A. Mandate/Vision/ Mission/Goals
A.1 Mandate
The City of ABC came into existence by virtue of Republic Act No. 9264 dated July 10,
2004. It is comprised of 18 barangays.
The City derives its mandate from Republic Act No. 7160, also known as the Local
Government Code of 1991.
A.2 Vision
City of ABC is world class, smart and green city with a sustained and inclusive economic
growth that is driven by a transparent and accountable local government, effective civil servants
and empowered citizenry.
A.3 Mission
The City of ABC shall be a model in local governance effectively responding to the
welfare of its people through innovative policies and programs, and integrated strategy anchored
on:

Creation of business-friendly and competitive climate

Support for poverty alleviation and capability building, and establishment of priority
infrastructures

Protection of environment and promotion of a healthy lifestyle

Maintenance of peaceful and orderly communities, and resilience against disaster
A.4 Goals
 Uplift morals and align culture founded on the lessons of history
 Protect and develop the environment focused on proper waste management
 Develop human capital and increase job opportunities along while protecting the interest
of labor
 Enhance health and nutrition programs
 Protect the youth and women and ensure their future
B. Operations
B.1 Nature of Operations
The City of ABC, as a local government unit, shall have the power and authority to
establish an organization that shall be responsible for the efficient and effective implementation
of its development plans, program objectives and priorities; to create its own sources of revenue
and to levy taxes, fees, and charges which shall accrue exclusively for its use and disposition and
which it shall retain; to have a just share in national taxes which shall be automatically and
directly released to it without need of any further action; to have an equitable share in the
114
proceeds from the utilization and development of the national wealth and resources within its
territorial jurisdiction including sharing the same with the inhabitants by way of direct benefits;
to acquire, develop, lease, encumber, alienate, or otherwise dispose of real or personal property
held by it in its propriety capacity and to apply its resources and assets for productive,
developmental, or welfare purpose, in the exercise or furtherance of its governmental or
proprietary powers and functions and thereby ensure its development into self-reliant community
and active participant in the attainment of national goals. (Section 18, RA No. 7160)
B.2 Basic Services and Facilities
The City shall exercise such powers and discharge such functions and responsibilities as
are necessary, appropriate, or incidental to efficient and effective provision of the basic services
and facilities including, but not limited to the following:
a) Agricultural extension and on-site research services and facilities;
b) Industrial research and development services;
c) Enforcement of forestry laws limited to community-based forestry projects,
pollution control law, small-scale mining law and other laws on the protection
of the environment;
d) Health services which include hospitals and other tertiary health services;
e) Social welfare services;
Any fund or resource available for the use of the City shall be first allocated for the
provision of basic services and facilities enumerated above before applying the same for other
purposes. (Section 17, RA No. 7160)
B.3 Funds
(Sections 308 and 309, RA No. 7160)
 General Fund
- Consists of monies and resources of the provincial
government which are available for the payment of
expenditures, obligations or purposes not specifically
declared by law as accruing and chargeable to, or payable
from, any other fund.
 Special Education
Fund
-
Consists of the share of the province in the proceeds of the
additional tax on real property to be appropriated for the
operation and maintenance of public schools, construction
and repair of school buildings, facilities and equipment,
educational research, purchase of books and periodicals,
and sports development as determined and approved by the
provincial school board.
 Trust Fund
-
Consists of private and public monies which have officially
come into the possession of the provincial government or of
a provincial government official as trustee, agent or
administrator, or which have been received as a guaranty
for the fulfilment of some obligation.
B.4 Economic Enterprises
As of December 31, 2018, the City Government has maintained the following economic
enterprises:
Economic Enterprise
City of ABC Community Hospital
Urban Housing and Development
CY 2018 Budget
P224,791,093
9,870,258
Subsidy from General Fund
P204,791,093
9,870,258
115
Market Operations
Cemetery Operations
14,206,838
5,636,727
7,706,838
0.00
B.5 Processes
1. Procurement Process (from preparation of Bid Documents to submission of contract or
PO to COA) Annex 1
2. Acceptance of Delivery (from receipt of items to recording)
3. Revenue System
 Business Tax
 Real Property Tax
 Business and Service Income
4. Disbursement Process (Annex 2)
 Check Disbursement System
 Cash Disbursement System
 Payroll System
5. Receipt and Disposition of Trust Fund
 PAGCOR Funds
 PCSO Funds
 Funds received from National Government Agencies
 Ordinance Violation Receipt (OVR)
6. Granting, Utilization and Liquidation of Cash Advances
7. Solid Waste Management Process (Segregation of Solid Waste to Disposal)
Annex 3
C. Structure
C.1 Organizational Structure (Annex 4)
The City Mayor and City Vice-Mayor shall be elected at large by qualified voters in the
province, and the members of the Sangguniang Panlungsod shall be elected by district. The term
of office of these elective officials shall be three years for a maximum of three consecutive terms
in the same position. (Sections 41 and 43, RA No. 7160)
For CY 2018, the City of ABC had a total of 997 permanent personnel, 1,295 casual
employees, 155 contractual personnel, 391 Job Orders and 28 consultants.
D. Objectives and Strategies
Objectives
Please refer to Annex 5
Strategies
E. Key Stakeholders
The key stakeholders of the City of ABC are the following:
 Its residents, inhabitants or constituents;
 The general public;
 The 18 component barangays within its territorial jurisdiction, as follows:
1)
2)
3)
III
4)
IV
116
Barangay I 6) Barangay VI
Barangay II 7) Barangay VII
Barangay
8) Barangay VIII
11) Barangay I-A
12) Barangay I-B
13) Barangay I-C
Barangay
14) Barangay II-A
9) Barangay IX
16) Barangay II-C
17) Barangay III-A
18) Barangay III-B
5)
Barangay V 10) Barangay X
15) Barangay II-B
 Creditors;
 Donors;
 Programs/Project Implementing Partners;
 National agencies and offices including government-owned or controlled corporations
with field units or branches in the City;
 Other local government units with which the City Government has cooperative
undertakings;
 People’s and non-government organizations;
 Government agencies with oversight functions over the City; and
 Suppliers and Contractors
F. Key Environmental Factors
F.1 Political Environment
Consistent with the basic policy on local autonomy, the President shall exercise general
supervision over the City Government. National agencies and offices with project implementation
functions shall coordinate with one another and with the City Government in the discharge of
these functions. They shall ensure the participation of the City in the planning and
implementation of said national projects. (Section 25, RA No. 7160)
The City Development Council headed by the City Mayor shall initiate the formulation
of the City’s comprehensive multi-sectoral development plan and assist the sanggunian in setting
the direction of economic and social development and coordinating development efforts within
the City. (Sections 106 and 107, RA No. 7160)
The policies, programs, and projects proposed by the City Development Council shall be
submitted to the Sangguniang Panlalawigan for appropriate action. The approved development
plans of the City shall be submitted to the Regional Development Council, which shall be
integrated into the regional development plan for submission to the National Economic and
Development Authority. (Section 114, RA No. 7160)
The City School Board shall be composed of the City Mayor and the City Superintendent
of schools as co-chairman, shall determine, in accordance with the criteria set by the Department
of Education, the annual supplementary budgetary needs for the operation and maintenance of
public schools within the province and the supplementary local cost of meeting such needs, which
shall be reflected in the form of an annual school board budget corresponding to its share from
the proceeds of the special levy on real property constituting the Special Education Fund.
(Sections 98 and 99, RA No. 7160)
The City Health Board headed by the City Mayor as chairman (the City Health Officer as
vice-chairman), shall propose to the Sangguniang Panlungsod, in accordance with the standards
and criteria set by the Department of Health, annual budgetary allocations for the operation and
maintenance of health facilities and services within the City. (Section 102, RA No. 7160)
F.2 Social Environment
The City Government may enter into joint ventures and such other cooperative
arrangements with people’s and nongovernment organizations to engage in the delivery of
certain basic services, capability-building and livelihood projects, and to develop local enterprises
designed to improve productivity and income, diversity agriculture, spur rural industrialization,
promote ecological balance, and enhance the economic and social well-being of the people.
(Section 35, RA No. 7160)
117
The City Government may through its chief executive and with the concurrence of the
sanggunian, provide assistance, financial or otherwise, to such people’s and non-governmental
organizations for economic, socially-oriented, environmental, or cultural projects to be
implemented within its territorial jurisdiction. (Section 36, RA No. 7160)
F.3 Legal and Regulatory Environment
All matters pertinent to human resources and development in local government units
shall be governed by the civil service law and such rules and regulations and other issuances
promulgated pursuant thereto. (Section 78, RA No. 7160)
The Department of the Interior and Local Government shall, among others, establish
and prescribe rules, regulations and other issuances and implementing laws on the general
supervision of local government units and on the promotion of local autonomy and monitor
compliance thereof. (Section 3, Title XII, Book IV, Revised Administrative Code of 1987)
The Bureau of Local Government Finance shall, among others, assist in the formulation
and implementation of policies on local government revenue administration and fund
management, and exercise administrative, technical supervision and coordination over the
treasury and assessment operations of local governments. (Section 33, Title II, Book IV, Revised
Administrative Code of 1987)
The Department of Budget and Management shall review ordinances authorizing the
annual or supplemental appropriations of the City. Appropriations for ordinary administrative
purposes not duly obligated shall terminate with the fiscal year and all unexpended balances
thereof shall be automatically reverted on the thirty-first day of December of each year to the
general fund of the local government unit. (Sections 326 and 328, RA No. 7160)
Other legislations and regulations that significantly affect the agency’s operations
include the following:
 Republic Act No. 9003 known as the Ecological Solid Waste Management Act of 2000;
 Republic Act No. 10121 known as the Philippine Disaster Risk Reduction and Management
Act of 2010;
 Republic Act No. 9184 known as the Government Procurement Reform Act;
 Republic Act No. 9502 known as the Universally Accessible Cheaper and Quality Medicines
Act of 2008
 DILG-DBM Joint Memorandum Circular No. 2011-1 re: Amending DILG-DBM Joint
Memorandum Circular No. 1 dated September 30, 2005 entitled “Guidelines on the
Appropriation and Utilization of the 20% of the Annual Internal Revenue Allotment for
Development Projects”; and
 DBM Budget Circulars.
F.4 Technological Environment
follows:
By and large, the City processes and generates data and/or information manually, as
Process
Collection of taxes and other revenue-raising activities
Local development investment programming
Budgeting
Expenditures, disbursements and accounting
Property and supply management
Hospital pharmacy operations
118
Processing System
Manual
Manual
Manual
e-NGAS
Manual
Manual
MAJOR FINAL OUTPUTS/ KEY PERFORMANCE INDICATORS
Please refer to Annex 6
ACCOUNTING POLICIES
The financial statements of the City of ABC have been prepared in conformity with the
Philippine Public Sector Accounting Standards (PPSAS) and reflect amounts that are based on
best estimates and informed judgment of management with an appropriate consideration of
materiality.
The City of ABC maintains a system of accounting and reporting which provides the
necessary internal controls to ensure that transactions are properly authorized and recorded,
assets are safeguarded against unauthorized use and liabilities are recognized.
PREVIOUS AUDIT FINDINGS
1) City of ABC did not fully comply with the reporting guidelines on the Local Roads Asset
Management System, thus the efficient management of the account as presented in the
financial statements at P129,457,718.98 was not met.
2) Titles to acquired land at approximately 48,633 sq.m. purchased by the City in prior years
in the total amount of P91,692,066.00 were not yet transferred in the name of the City of
ABC, thus ownership by the City over the parcels of lot has not been established yet.
3) The publicity requirement for City’s infrastructure projects with contract cost of
P130,614,399.72 was still not observed, thus affecting the promotion of transparency and
accountability for government program/project/activity (PPA) and denying the right of
the public to pertinent information of general interests.
RECENT DEVELOPMENTS/ NEWS
Source
Recent Developments/ News
Impact on
the Agency
City ABC The worst flooding events recorded in the City were during Typhoon
Official
Maring and during the southwest monsoon or Habagat in 2018,
Website
wherein 16 out of 18 barangays were affected by flash floods. Only
barangays Barangay I and Barangay II were not flooded.
Floodwaters remained for two (2) to three (3) months in the
lakeshore Barangays III, IV, V and VI. The deepest flood level
reached to almost one (1) meter in Barangay I-A. River walls in
Barangays II-B and II-C were badly damaged during these flood
events.
ANALYTIC REVIEW
A. Financial (Figures are presented in ‘000)
Financial Statement
Account
Variance
December
31, 2018
December
31, 2017
2,217,834
1,327,550
890,284
40.14
Receivables
406,350
364,360
41,990
10.33
Inventories
18,499
4,701
13,798
74.59
Amount
%
Remarks
Balance Sheet Accounts
Cash and Cash Equivalents
119
ANALYTIC REVIEW
A. Financial (Figures are presented in ‘000)
Financial Statement
Account
Variance
Amount
%
December
31, 2018
December
31, 2017
5,772,429
4,932,012
840,417
14.56
Construction in Progress
234,076
156,268
80,808
34.52
Accounts Payable
615,711
378,088
237,623
38.59
Other Deferred Credits
274,770
286,667
(11,899)
4.33
2,469,894
1,873,136
596,758
24.16
Business and Service
Income
130,517
135,595
(5,078)
3.89
Internal Revenue Allotment
708,702
575,213
133,489
18.84
Share from National
Wealth
113,321
134,609
(21,288)
18.79
Total PS
752,282
698,570
53,712
7.68
1,026,318
908,884
117,434
11.44
151,289
122,875
28,414
18.78
14.74% of
MOOE
Donations
89,673
78,809
10,864
12.12
8.74% of MOOE
Total Financial Expenses
33,724
36,891
(3,167)
8.58
298,239
246,093
52,146
21.19
2,110,563
1,890,438
220,125
11.64
Property, Plant and
Equipment
Remarks
Income Statement Accounts
Tax Revenue
Total MOOE
Environment/Sanitary
Services
Non-Cash Expenses
Total Current Operating
Expenses
ANALYTIC REVIEW
B. Performance (Figures are presented in ‘000)
Performance
Indicators
Increase Real
Property Tax
(RPT) collection
Increase in
Business Tax
Collections
Increase in
Environment/
Sanitary Expenses
120
Actual
Budget/
Target
Variance
Remarks
Amount
%
353,650
454, 127
128
1,579,563 1,148,000
431,563
38
14,904
11
807,777
151,289
136,385
Collection of RPT represents
12% of the total income of the
City
Collection of Business Taxes
represents 64% of the total
Tax Revenue of the City
Environment and Sanitary
Expenses forms part of 15% of
the total MOOE of the City
PROGRAMS/ ACTIVITIES/ PROJECTS REVIEW
a. Program/
: Environment and Sanitary Services
Project
Objectives
:  To preserve, conserve, and ensure the sustainability of the natural
environment by developing and formulating strategies and
programs to protect the air, water and land
 To lead by example to influence stakeholders and local
governments within City of ABC sub-watershed in developing
appropriate policies as framework for sustainable development
 To transform the City of ABC into a green and sustainable
community with major consideration to environment as a result of
development and human actions
 To formulate policies appropriate to balance economic growth and
development with environmental management
Total Budget
: P53,196,457.08
Duration
: Annual
Project
Overview
: “The vision of the City is to be a highly developed premier City that is
dynamic and progressive with pro-active and efficient governance; its
mission is to attain human development through an integrated
strategy anchored on poverty alleviation, capaCity-building,
promotion of health and wellness, protection of the environment, and
maintenance of a peaceful community” (Section 2, Ordinance No.
1720-2011)
“Local Government Units shall share with the national government the
responsibility in the management and maintenance of ecological
balance within their territorial jurisdiction, subject to the provisions
of this Code and national policies.” (Section 3, RA No. 7160)
The powers of the City Mayor include, among others, adopt adequate
measures of safeguard and conserve land, mineral, marine, forest, and
other resources of the City (Article 1, Section 455, RA No. 7160)
The City recognizes that the increasing level of economic activities and
population growth would lead to an increase in the volume of wastes
and have adverse impact on the environment and health of the
populace and hereby adopts the following principles:
a. The City shall adhere to the provisions of RA No. 6969,
otherwise known as the “Toxic Substances and Hazardous
Nuclear Wastes Control Act of 1990” and RA No. 9003,
otherwise known as the “Ecological Solid Waste Management
Act of 2000”
b. The City shall adhere to the provisions of the “Stockholm
Convention on Persistent Organic Pollutants” and shall
coordinate with the DENR and other government agencies to
ensure that these pollutant do not find their way to the City
c. The City recognizes the primary role of the City’s in solid waste
management and for this purpose, commits to manage its solid
waste properly in accordance with RA No. 9003 and its 10-year
Comprehensive Ecological Solid Waste Management Plan
121
PROGRAMS/ ACTIVITIES/ PROJECTS REVIEW
d. The City shall enlist all sectors of society in solid waste
management
e. The City recognizes crucial role of barangays and the police in
implementing RA No. 9003. For this purpose, the City shall give
primary responsibility to its barangay officials and police
officers to ensure compliance to the mandates of RA No. 9003
f. The City shall come up with a system of rewards and incentives
for those championing solid waste management and
corresponding penalties and obligations to violators (Section
56, Ordinance No. 1720-2011)
Performance Indicators
122
Actual
Budget/
Target
Pollution Control Program
P4,501,702.99
Solid Waste Management
Operation of City’s Centralized
Composting Facility
Installation of 3-Bin Collection System
in Strategic Places around the City
Operation of Charcoal Briquetting
Facility
Installation of 10 Materials Recovery
Facilities (MRFs) in Barangays and
Turned-over Subdivisions
Conduct of waste market days
(Basurahanihan)
City CENRO Environmental Clearance
issuance
Creation of Green Army
Selection, deputation and training of
volunteer members of the City’s Green
Army
Celebration of Environment related
events
Water and Wastewater Management
Solid Waste Management and related
trainings and seminars
Climate change mitigation and
adaptation and related trainings and
seminars
Sustainability, sustainable development,
climate resiliency related trainings and
seminars
Development and production of various
IEC materials and publications
Environmental Conservation and
Enhancement Program
Urban Greening
4,512,802.99
2,356,825.00
1,753,270.00
2,340,000.00
3,000,000.00
377,000.00
940,877.67
1,867,402.57
1,867,402.67
2,736,776.67
2,433,500.00
1,561,000.00
1,950,700.00
2,101,102.57
316,000.00
7,568,600.00
2.474,400.00
Variance
Amount %
Remarks
Performance Indicators
Research and Policy Development and
Database Management Program
GIS Mapping and Environmental
Planning
Ecological Profiling, Database Creation
Environmental Policies / Regulations
Development
Regulating groundwater extraction
Monitoring Wastewater Quality
Conduct of Related Environmental
Studies and Researches
Waste-to-Energy Feasibility Study
Total
Actual
Budget/
Target
Variance
Amount %
Remarks
1,741,720.67
1,494,106.61
482,401.67
590,119.00
577,173.00
2,157,173.00
1,669,200.00
2,299,600.00
P53,196,457.08
UTA SUMMARY
UTA Ref.
Ref.
Objectives
and
Strategies
S2
Operations
– Processes
O5
Operations
- Processes
C25
Identified Agency Risk
Risk Title
Risk Statement
The risk that programs, projects and
Strategic –
activities of the City may not be aligned
Strategic
to achieving efficiently and effectively
planning
its development goals due to ineffective
local
development
investment
programming process.
The risk that the City’s capacity to
Operations –
efficiently deliver services may be
Efficiency
threatened due to inefficiency in
procurement.
Compliance- The risk that the City may fail to
Environment identify and prevent legal risk
posed by non-compliance with
environmental regulations.
Impact on the
Agency
Non-attainment
of agency goals
Non- or
inefficient
implementation
of projects or
activities
Damage to
reputation/
Loss of public
trust
123
File 2
UNDERSTANDING THE SUBJECT MATTER TEMPLATE
Prepared by:
Reviewed by:
Approved by
Audit Team Member
Audit Team Leader
Supervising Auditor
Agency
City of ABC
Period Covered
01/01/2018 to 12/31/2018
Type of
Engagement
Level of Assurance
Direct reporting engagement
Date:
Date:
Date:
01/21/2019
01/21/2019
01/21/2019
☒ Reasonable Assurance
☐ Limited Assurance
Intended User (s)
Sangguniang Bayan(Municipal Council)
Responsible Party
Municipal Mayor
Identified Subject
Matter
Basis of Selection
Establishment and Monitoring of the Material Recovery Facilities
(MRFs)
 One of the major projects of the City of ABC is the construction/
installation of 10 MRFs in Barangays and Turned-over Subdivisions
with an estimated budget of P3 Million (Refer to UTA)
 Audit Focus and Thrust Area for the Local Government Sector for CY
2018
One of the goals of the City of ABC is to pursue an integrated and
sustainable development strategy, anchored on responsible stewardship,
democratic processes and institutions, and efficient and effective
management that will provide world-class infrastructures and support
services to promote and protect the environment. In relation thereto, the
‘’Pillar of Clean Environment and Healthy Lifestyle’’ included an initiative
of finalizing and implementing the 10-year Solid Waste Management
Program.
Description of the
Subject Matter
From the total budget of ₱53.2M for the Environment and Sanitary
Services Project for CY2018, the Solid Waste Management has been
allotted with a budget of ₱4.5M in addition to separate ₱3M allotment for
the installation of the 10 Materials Recovery Facilities (MFs) in
Barangays and Turned-over Subdivisions (see basis of selection above).
The installation of MRFs was intended to support Section 66 of the City
Ordinance No. 1720-2011 (an ordinance enacting the environment code
of the City of ABC, which is in line with Section 1, Rule XI of the IRR of RA
No. 9003) that requires every barangay or cluster of barangays to
establish their own MRFs.
Aside from the requirement of establishing MRFs, the IRR has also stated
the specific attributes of functional MRFs (see audit criteria) in order to
124
Audit Scope
Suitable Criteria
receive biodegradable wastes for composting and mixed nonbiodegradable wastes for final segregation, re-use and recycling.
18 Barangays of City of ABC for CY 2018
Lifted from Implementing Rules and Regulations of Republic Act No. 9003
- Philippine Ecological Solid Waste Management Act of 2000:
RULE XI. MATERIALS RECOVERY FACILITIES AND
COMPOSTING
Section 1. Operations of a Materials Recovery Facility
“Barangays shall be responsible for the collection,
segregation, recycling of biodegradable, recyclable,
compostable and reusable wastes. MRFs will be
established in every barangay or cluster of
barangays.
The facility shall be established in a barangayowned or leased land or any suitable open space to
be determined by the barangay through its
Sanggunian. For this purpose, the barangay or
cluster of barangays shall allocate a certain parcel
of land for the MRF. The determination of site and
actual establishment of the facility shall likewise be
subject.
The MRF shall receive biodegradable wastes for
composting and mixed non-biodegradable wastes for
final segregation, re-use and recycling. Provided, that
each type of mixed waste is collected from the source and
transported to the MRF in separate containers.
The resulting residual wastes shall then be transferred to
a long-term storage or disposal facility or sanitary
landfill.
The MRF shall be designed to receive, sort, process and
store compostable and recyclable material efficiently and
in an environmentally sound manner. The facility shall
address the following considerations:
a) The building and/or land layout and equipment
must be designed to accommodate efficient and
safe materials processing, movement and storage;
b) The building must be designed to allow efficient
and safe external access and to accommodate
internal flow;
c) If the MRF includes a composting operation, it shall
comply with the provisions of Section 2 and of Rule
125
XI of this IRR applicable to composting and
composts;
d) The following records shall be kept and
maintained, such records shall be submitted to the
Department upon request:
1) Record of daily weights or volumes of waste
received, processed and removed from site
accurate to within ten percent (10%) and
adequate for overall planning purposes and
tracking of success of waste diversion goals;
and
2) Daily logbook or file of the following
information shall be maintained: fire, special
occurrences, unauthorized loads, injury and
property damage.”
Identified Risk(s)
1. The risk that Material Recovery Facilities (MRFs) may not be
established in every barangay or cluster of barangays.
2. The risk that MRFs may not be fully operating/functioning.
Audit Objective(s)
1. To determine if every barangay or cluster of barangays has
established MRF.
2. To determine if all MRFs in every barangay or cluster of barangays
are operating/functioning.
126
File 3
INTERNAL CONTROL CHECKLIST
Prepared by:
Reviewed by:
Approved by:
Audit Team Member
Audit Team Leader
Supervising Auditor
Date:
Date:
Date:
01/24/2019
01/24/2019
01/24/2019
I. ICC Probing Questions
Internal Control Component
A. Control Environment
1. Do the top management and
other Officials support integrity
and ethical values?
Yes
2. Do the top management and
other Officials lead the
commitment to integrity and
ethical values by example in
their day-to-day activities and
demonstrate through their
directives, actions and behavior
the importance of integrity and
ethical values?
√
3. Are the Code of Conduct and/or
Ethics policy, as well as other
policies regarding acceptable
practices, conflicts of interest,
etc. comprehensive and have
been clearly and adequately
communicated throughout the
agency?
No
NA
Remarks
√
√
4. Does the top management
strictly prohibit circumvention
of established policies and
procedures, except where
specific guidance has been
provided? Does it also
demonstrate commitment to this
principle and take appropriate
disciplinary action in response
to violations of established
policies and procedures?
√
5. Do the top management and
other Officials act to remove or
reduce incentives or
temptations that might prompt
personnel to engage in
√
Memorandum, administrative
order and CSC issuances
With Grievance Committee under
the Legal Office
127
128
Internal Control Component
dishonest, legal, or unethical
acts?
Yes
6. Does the top management give
appropriate attention to internal
controls, including regularly
educating and communicating
the importance of internal
controls to its employees?
√
7. Does the top management show
willingness to consult with the
internal control reviewers or the
external auditor on significant
matters relating to internal
control and accounting issues?
√
8. Do the agency’s oversight bodies
give adequate consideration to
understanding management's
processes for monitoring risks
affecting the agency?
√
9. Is the overall agency structure
appropriate and does it facilitate
the flow of information both up
and down within each function,
as well as across other
functions? Is the structure
reviewed and modified to
accommodate changes in
operating conditions, as
necessary?
√
10. Are there appropriate policies
for such matters as creating new
Offices/Divisions/Units,
reviewing potential conflicts of
interest, approving transactions
and implementing security
practices and are they
adequately communicated
throughout the agency?
√
11. Is there adequate supervision
and monitoring of decentralized
operations (including
accounting and information
systems personnel and
services)?
√
12. Do the top management and
other Officials demonstrate
commitment to provide
sufficient training to audit,
√
No
NA
Remarks
Open line communication;
Democratic form of
management style
Through trainings/ seminars
with CSC
Internal Control Component
information technology,
technical and administrative
personnel to keep pace with the
growth and complexity of the
agency’s operations?
Yes
13. Do the agency’s personnel have
the competence and training
necessary for their assigned
level of responsibility and the
nature and complexity of their
assigned responsibilities?
√
14. Are there standards and
procedures for hiring, training,
motivating, evaluating,
promoting, compensating,
transferring, and terminating
personnel that are applicable to
all functional areas (e.g.,
auditing, accounting,
information systems,
administration, etc.)?
√
15. Are there screening procedures
for job applicants particularly
for employees with access to
assets susceptible to
misappropriation?
√
16. Are human resources policies
and procedures (i.e. written job
description, Personnel
Handbook/Manual) clear and
issued and updated on a timely
basis?
√
17. Are Human Resource policies
and procedures effectively
communicated to personnel?
√
18. Do the top management and
other Officials set realistic (i.e.,
not unduly aggressive)
operational targets and
expectations for operating
personnel?
√
19. Is job performance periodically
evaluated and reviewed with
each employee by supervisory
personnel?
√
No
NA
Remarks
With Provincial Selection Board
Initial Assessment
129
Internal Control Component
Control Design- Is it present
and adequate?
Control Implementation- Is it
functioning?
Yes
√
No
NA
Remarks
√
Explanation/Reason
Based on observation and review of policies and procedures shown above, there is a strong
“tone at the top” through set of standards, processes, and structures that provide the basis for
carrying out internal control across the agency.
B. Risk assessment
20. Has the agency established and
clearly communicated its
mission, operating strategy, and
objectives?
21. Is a process in place to
periodically review and update
the agency-wide strategic plans?
Are these plans reviewed and
approved by the top
management?
√
Mission, Vision, and Goals
√
Executive Legislative Agenda
22. Are feedback mechanisms in
place and do they enable the
agency officials to periodically
assess whether agency-wide
objectives have been achieved?
130
√
23. Are objectives established for
agency processes? Are they
clearly linked to the audit
clients’ strategies and their
overall objectives in support?
Are the objectives clearly
understood by employees
responsible for achieving the
results?
√
24. Are there adequate mechanisms
in place for identifying agency
risks and barriers to achieving
its objectives, including those
resulting from: Entering new
program/projects or lines of
operation; Taking on new
policies; Offering new services;
Complying with privacy and data
protection compliance
requirements; Adapting to other
changes in the political, social,
economic and regulatory
√
Committee meetings
Internal Control Component
environment in terms of
auditing and reporting etc.?
Yes
No
25. Does the top management
consider how much risk it is
willing to accept when setting
strategic direction and does it
strive to maintain risks within
those levels?
Remarks
√
26. Do the top management and
other Officials oversee and
monitor the risk assessment
process? Do they take action to
address the significant risks
identified?
√
27. Do the top management and
other Officials prepare risk
assessment of agency operations
to consider risk related to
fraudulent activity and how the
operations could be impacted?
√
28. Does the assessment of fraud
risk consider the opportunities
for unauthorized acquisition, use
or disposal of assets, altering the
reporting records or committing
other inappropriate acts?
√
29. Are periodic reviews performed
or are other processes in place
to anticipate, identify, and
communicate to the appropriate
levels of agency’s management
events or activities that may
affect the agency's ability to
achieve their objectives, as well
as avenues to address these
changes?
No audit committee
√
30. Do other Officials report to the
top management on the changes
in both the external and internal
environment that may have a
significant effect on the agency?
Initial Assessment
Control Design- Is it present
and adequate?
NA
√
√
Control Implementation- Is it
functioning?
131
Internal Control Component
Yes
No
NA
Remarks
Explanation/Reason
There is lack of feedback mechanism and risk assessment of agency operations. Also, periodic
reviews are not performed or other processes are not in place to, among other things,
anticipate and identify routine events or activities that may affect the agency’s ability to
achieve its objectives and address them.
C. Control Activities
31. Are appropriate policies and
procedures developed,
documented and
implemented for each of the
agency’s critical processes?
√
32. Does appropriate agency
management level have
ownership of the policies and
procedures? Do the process
owners review the policies
and procedures periodically
to determine if they continue
to be appropriate for their
own activities?
√
33. Is there is an appropriate
segregation of incompatible
activities within span of control?
√
34. Is the physical security over the
agency IT assets reasonable
given the nature of its
operations?
√
35. Are policies and procedures
clearly communicated to
personnel to ensure that they
are applied consistently and
conscientiously?
√
36. Are job roles, responsibilities,
and related system/access
privileges periodically reviewed
for proper segregation of duties?
√
Initial Assessment
Control Design- Is it present
and adequate?
No policies and procedures for
the establishment of MRF
√
Control Implementation- Is it
functioning?
Explanation/Reason
There is inadequate review of policies and procedures for the establishment of MRFs. Other
than the establishment of MRF, the design of control activities, taken as a whole, is adequate,
and implemented as designed.
132
Internal Control Component
Yes
D. Information and Communication
37. Do the top management and
√
other Officials receive relevant,
sufficient and timely information
to allow them to fulfill their
responsibilities?
No
√
39. Does the agency’s information
system generate information
that is of sufficient quality to
support the effective operation
of controls? Has management
developed and implemented
controls related to:
completeness and accuracy of
data; capture of data at the
necessary frequency; providing
information when needed;
protection of sensitive data;
retention of data complying with
(relevant) audit and regulatory
needs?
√
40. Is there a current agency
continuity plan and disaster
recovery plan for the significant
components of critical functions
and processes, including IT
infrastructure, network
components, operating system
components, databases,
applications and data files? Are
these plans tested at least
annually and updated for
changing conditions?
√
√
42. Is there a process to quickly
disseminate critical information
throughout the agency when
necessary?
√
43. Are policies and guidance
generated and used throughout
the agency adequate and
contain sufficient and
meaningful information so that
its officials and employees can
√
Remarks
RRR,TS
38. Has the agency management
documented the relevant
controls that mitigate the risk of
errors in information systems?
41. Are application programs and
data files backed-up regularly?
NA
Memoranda
133
Internal Control Component
measure actual results against
their objectives?
Yes
44. Are agency employees' roles and
responsibilities communicated
clearly and effectively ( ie.
Through written job description,
reference manuals) by top
management? Are these roles
and responsibilities uniformly
understood?
√
45. Are all reported agency
employees’ potential
improprieties reviewed,
investigated, and resolved in a
timely manner? Is the top
management notified of
improprieties and the actions
taken to address them?
134
No
√
46. Is there is an Ethics Hotline or
any process which provides
employees with an anonymous
and confidential channel
through which they can report,
among other things, complaints
related to overall operations,
accounting, internal controls
over financial reporting, or
auditing matters?
√
47. Is the availability of the Ethics
Hotline well communicated
throughout the agency? Are the
procedures in place to
appropriately handle the receipt
and retention of any issue
raised? Does management treat
all issues raised with serious
concern for confidentiality,
integrity, and ultimate
resolution?
√
48. Is the Agency able to prepare
accurate and timely financial
reports (or operations reports),
including interim reports?
√
49. Are external stakeholders
satisfied with the agency’s
systems for transaction and
information processing,
√
NA
Remarks
Internal Control Component
including the reliability and
timeliness of reports it
produces?
Yes
50. Is there a process for tracking
communications to the public,
vendors/suppliers, regulators,
and other external parties? Is
ownership assigned to members
of the agency management to
help ensure that it responds
appropriately, promptly, and
accurately to these
communications?
√
Initial Assessment
Control Design- Is it present
and adequate?
No
NA
Remarks
Logbook
√
Control Implementation- Is it
functioning?
Explanation/Reason
The above deficiencies constitute significant weaknesses in information system. Also, there are
significant applications or transactions that are executed /processed by service organizations.
Management has not documented the relevant controls at the service organization, the
agency, or both that mitigate the risk of errors. There are no policies for periodic monitoring
of controls either at the service organization or the agency.
E. Monitoring
51. Do the top management and/or
other Officials review the
agency’s operational process
controls to ensure that the
controls are being applied as
expected?
√
There are no periodic
evaluations of internal control
53. Do the internal control
reviewers have the authority to
examine any aspect of the
agency's operations?
√
Internal audit is limited to
financial transactions
54. Are agency policies and
procedures in place to ensure
that corrective action is taken on
√
52. Are agency procedures in place
to monitor when its operating
controls are overridden; and, to
determine if the override was
appropriate?
√
135
Internal Control Component
a timely basis when control gaps
or exceptions occur?
Yes
No
55. Do the top management and/or
other Officials take adequate and
timely action to correct its
internal control deficiencies
reported by the Internal Audit
Office, audited agency external
auditor and/or other parties
(e.g., consultants)?
Initial Assessment
Control Design- Is it present
and adequate?
NA
Remarks
√
√
Control Implementation- Is it
functioning?
Explanation/Reason
Internal audit is limited to financial transactions. Also, there are no periodic evaluations of
internal control.
136
II. ICC Summary
Observations
Recommendations
Risk Assessment
For discussion during the
There is lack of feedback mechanism and risk exit conference.
assessment of agency operations. Also, periodic
reviews are not performed or other processes are
not in place to, among other things, anticipate and
identify routine events or activities that may affect
the agency’s ability to achieve its objectives and
address them.
Control Activities
For discussion during the
There is inadequate review of policies and exit conference.
procedures for the establishment of MRFs.
Information and Communication
For discussion during the
There are deficiencies that constitute significant exit conference.
weaknesses in information system. Also, there are
significant applications or transactions that are
executed /processed by service organizations.
Management has not documented the relevant
controls at the service organization, the agency, or
both that mitigate the risk of errors. There are no
policies for periodic monitoring of controls either at
the service organization or the agency.
Monitoring
For discussion during the
Internal audit is limited to financial transactions. exit conference.
Also, there are no periodic evaluations of internal
control.
AOM Ref.
137
File 4
MATERIALITY TEMPLATE
Prepared by:
Reviewed by:
Approved by:
Audit Team Member
Audit Team Leader
Supervising Auditor
Date:
Date:
Date:
01/25/2019
01/25/2019
01/25/2019
1. Determine the sensitivity of the subject matter (check one):

Very Sensitive
Sensitive
Not Sensitive
2. Identify the Most Appropriate Materiality Benchmark
a. Select the most relevant materiality benchmark (check one):
Monetary amounts involved (expenditures, revenues, etc.)
Number of citizens or entities affected by the subject matter
Number of Barangays without established MRFs
 Others - _________________________________________________
b. Select the measurement percentage by degree of sensitivity (check one):
Degree of sensitivity
Measurement percentage
Very Sensitive
½%
Sensitive
½ - 2%

Not Sensitive
2%
c. Indicate the benchmark amount (monetary value / number of citizens or entities, etc.)
Number of Barangays
18
d. Indicate the source of the benchmark (based on audit scope)
Number of Barangays of City of ABC
e. Calculate materiality
Measurement
Percentage
(from Step 2.b.)
Benchmark Amount
(from Step 2.c.)
18
138
X
2%
Materiality
Amount
=
0.36
File 5
COMBINED RISK ASSESSMENT TEMPLATE
Prepared by:
Reviewed by:
Approved by:
Identified Risks
The
risk
that
Material Recovery
Facilities
(MRFs)
may
not
be
established in every
barangay or cluster
of barangays.
Audit Team Member
Audit Team Leader
Supervising Auditor
Inherent Risk
☒ High
☐ Low
Date:
Date:
Date:
Control Risk
☒ High – Not
Rely
☐ Low – Rely
Justification:
Due to unmonitored
practices, solid waste
management has become
one of the common
problems faced by most of
the cities and provinces
across
the
regions,
especially
on
the
installation
and
operation of MRFs. Thus,
there
is
a
higher
likelihood of risk that
MRFs may not have been
established, or operating.
In addition, the risk may
have a material impact
on the agency once it
materializes considering
that the Solid Waste
Management, including
installation of MRFs, has
a total budget of ₱7.5M,
representing the highest
budget among the PAPs of
the agency.
Justification:
Based on our
evaluation
using
the
Internal Control
Checklist,
we
have
noted
several control
deficiencies in
the
risk
assessment,
control
activities,
information and
communication,
and monitoring.
One of which
refers
to
inadequate
review
of
policies
and
procedures for
the
establishment
of MRFs as part
of the control
activities.
Combined
Risk
Assessment
☒ High
☐
Moderate
☐ Low
☐ Minimal
01/31/2019
02/06/2019
02/08/2019
Audit
Response
Full
Substantive
testing
We will conduct
direct testing on
the subject
matter to
ascertain actual
instances of noncompliance, and
we will provide
recommendations
on how the
agency can
strengthen its
controls over the
program.
139
Identified Risks
The risk that MRFs
may not be fully
operating/
functioning.
Inherent Risk
☒ High
☐ Low
☒ High – Not
Rely
☐ Low – Rely
Justification:
Due to unmonitored
practices, solid waste
management has become
one of the common
problems faced by most of
the cities and provinces
across
the
regions,
especially
on
the
installation
and
operation of MRFs. Thus,
there
is
a
higher
likelihood of risk that
MRFs may not have been
established, or operating.
In addition, the risk may
have a material impact
on the agency once it
materializes considering
that the Solid Waste
Management, including
installation of MRFs, has
a total budget of ₱7.5M,
representing the highest
budget among the PAPs of
the agency.
140
Control Risk
Justification:
Based on our
evaluation
using the
Internal Control
Checklist, we
have noted
several control
deficiencies in
the risk
assessment,
control
activities,
information
and
communication,
and monitoring.
One of which
refers to
inadequate
review of
policies and
procedures for
the
establishment
of MRFs as part
of the control
activities.
Combined
Audit
Risk
Response
Assessment
Full
☒ High
Substantive
☐
testing
Moderate
☐ Low
We will conduct
☐ Minimal
direct testing on
the subject
matter to
ascertain actual
instances of noncompliance, and
we will provide
recommendations
on how the
agency can
strengthen its
controls over the
program.
File 6
FRAUD RISK ASSESSMENT TEMPLATE
Prepared by:
Reviewed by:
Approved by:
Fraud
Category
and
Schemes
Corruption
Fraud Risk
Statement
The City of
ABC may
report the
establishment of
MRFs in all
or some of
the
barangays
which may
not really
be existing,
resulting in
fraudulent
representation on the
use of
government
funds.
Audit Team Member
Audit Team Leader
Supervising Auditor
Process
Solid
Waste
Management
Subproces
s
Establis
h-ment
of
Materia
ls
Recove
ry
Faciliti
es
(MRFs
)
Date:
Date:
Date:
Impact
Likelihoo
d
Overall
Assessmen
t
Low
Low
Low
02/01/2019
02/04/2019
02/08/2019
Supporting
Informatio
n
Audit
Respons
e
o PY audit
findings
o Performance
indicators
o Budget
No
further
fraud
audit
procedur
es needed
Rationale
Given that
there was no
history of
significant
irregularities
noted in
prior years
related to the
audit criteria,
we
concluded
that the
“low” overall
assessment
of this risk
does not
merit an
audit
response.
141
File 7
COMPLIANCE AUDIT STRATEGY TEMPLATE
Prepared by:
Reviewed by:
Approved by:
Audit Period:
I.
Audit Team Member
Audit Team Leader
Supervising Auditor
01/07/2019 to 03/31/2019
Composition of the audit team
Name
Xxx
Xxx
Xxx
Xxx
Position
State Auditor V
State Auditor IV
State Auditor III
State Auditor I
Date:
Date:
Date:
02/06/2019
02/07/2019
02/08/2019
Designation
Supervising Auditor
Audit Team Leader
Audit Team Member
Audit Team Member
II.
Significant Milestones and Work Allocation
Target Date to Accomplish
Person
WP Expected
Activity
Responsibl
2019
Remarks
Ref
Output
e
J F M A M J J A S O N D
A. PLANNING
1 Determine the
Understan ATM/ ATL
type of
ding the
engagement and
Subject
1/21/2019
level of assurance
Matter
Template
2 Identify the
Understan ATM/ ATL
intended user(s),
ding the
the responsible
Subject
party, subject
Matter
1/21/2019
matter,
Template
corresponding
audit criteria,
and scope
3 Understand the
ATM/ ATL
subject matter
Internal
1/24/2019
including
Controls
internal control
Checklist
4 Determine
Materiality ATM/ ATL
Materiality
Template
1/25/2019
5
6
142
Carry out Risk
Assessment
Procedures,
Assess Audit Risk
and Consider
Risks of Fraud
Develop Audit
Strategy and
Audit Plan
Combined
Risk
Assessmen
t Template
Fraud Risk
Assessmen
t Template
Complianc
e Audit
ATM/ ATL
1/31 to
2/8/2019
ATM/ ATL
2/8/2019
Activity
WP
Ref
Expected
Output
Person
Responsibl
e
Target Date to Accomplish
2019
J F M A M J J A S O N D
Remarks
Strategy
Template
Complianc
e Audit
Program
B. EXECUTION
1 Conduct
Entrance
Conference
2
Gather and
evaluate audit
evidence
3
Prepare
and
Issue AOMs
4
5
6
Evaluate
Management
Comments
Prepare SAOR
Conduct Exit
Conference
C. REPORTING
1 Drafting the
ML/CA Report
2 Submission of
Draft ML
Entrance
Conference
Agenda
Minutes of
Entrance
Conference
Test of
Control
Working
Paper
and/or
Substantiv
e Test
Working
Paper
Template
With
supporting
schedules /
WPs
AOMs
ATM/
ATL/SA
ATM/ ATL
ATM/
ATL/SA
ATM/ ATL
2/11/2019
2/11/2019
to
2/22/2019
2/18/2019
to
2/22/2019
2/26/2019
to
2/28/2019
Summary
of
Complianc
e Audit
Observatio
ns and
Recommen
da-tions
Minutes of
Exit
Conference
ATL
ATM/
ATL/SA
3/11/2019
Manageme
nt Letter
Manageme
nt Letter
ATL
3/12/2019
ATL
3/15/2019
3/1/2019
to
3/8/2019
143
Activity
3
Quality Control
Review of Draft
ML
4
Preparation and
Submission of
Final ML
Transmittal of
Final ML to
audited agency
5
WP
Ref
Expected
Output
Manageme
nt Letter/
Quality
Control
Checklist
Manageme
nt Letter
Manageme
nt Letter
Person
Responsibl
e
SA
Target Date to Accomplish
2019
J F M A M J J A S O N D
ATL
3/29/2019
III.
Expertise needed
Technical Services Office
IV.
Planned communication with the audited agency and/or those charged with
governance
Communication Activity
Date
Entrance Conference
02/11/2019
Last day of Issuance of AOM
02/22/2019
Exit Conference
03/11/2019
V.
Reporting responsibilities
Name of Report
Management Letter/CA Report
144
3/18/2019
to
3/22/2019
3/25/2019
to
3/28/2019
ATL/SA
Needed external expertise (if any)
Activity
Ocular Inspection
Remarks
File 8
COMPLIANCE AUDIT PROGRAM
Prepared by:
Reviewed by:
Approved by:
Audit Team Member
Audit Team Leader
Supervising Auditor
Date:
Date:
Date:
02/06/2019
02/07/2019
02/08/2019
Identified Risk#1
The risk that Material Recovery Facilities (MRFs) may not be established
in every barangay or cluster of barangays.
Audit Objective/
Questions
To determine if every barangay or cluster of barangays has established
MRF.
 Do all the Barangays within City of ABC have established MRFs?
 Does the City have plans to ensure that all Barangays have
established MRFs?
Audit Procedures
Persons
Responsible
ATM
Date
Completed
02/11/2019
1.
Obtain a list of Barangays with
established MRFs within City ABC.
2.
Based on the list, conduct an ocular
inspection using geo-tagging on the
existence of the MRFs in all
barangays of City of ABC.
ATM/TAS
02/18/2019
3.
Prepare working paper on the
results of the ocular inspection.
ATM
02/21/2019
4.
In case there are Barangays without
MRFs, inquire the City and
Barangay officials on their plans
and current actions to address the
issue.
ATM
02/21/2019
5.
For the exemptions noted, prepare
and issue an AOM.
ATM/ATL/SA
02/22/2019
6.
Secure Management’s comment on
the AOM issued.
ATM/ATL
02/28/2019
Reference
WP 1
ML_Annex A
AOM No. 2019001 (2018)
Identified Risk#2
The risk that MRFs may not be fully operating/ functioning.
Audit Objective/
Questions
To determine if all MRFs in every barangay or cluster of barangays
are operating/ functioning.
145
 Is there a monitoring mechanism to ensure that the MRFs
are functioning as required?
 Are the established MRFs compliant with the requirements
of Section I, Rule XI of IRR of RA No. 9003?
Audit Procedures
1. Obtain a copy of the monitoring
report and validate the information
by conducting interview and ocular
inspection.
2. If there is no monitoring report,
conduct inspection to evaluate the
conditions of the MRFs.
3. Prepare working paper on the results
of the interview and ocular
inspection.
Summarize the results.
4. For the exemptions noted, prepare
and issue an AOM.
5. Secure Management’s comment on
the AOM issued.
146
Persons
Responsible
ATM
Date
Completed
02/11/2019
ATM/TAS
02/18/2019
ATM
02/21/2019
Reference
WP 2,
WP 2.a to 2.O
ML_Annex B
ATM/ATL/SA
02/22/2019
ATM/ATL
02/28/2019
AOM No.
2019-002
(2018)
File 9
SUBSTANTIVE TEST WORKING PAPER (STWP) TEMPLATE
Prepared by:
Reviewed by:
Approved by:
I.
ATM/ATL
ATL/SA
SA
Date:
Date:
Date:
2/20/2019
2/22/2019
2/22/2019
Audit Evidence and links to documents
1. Pictures during the Ocular Inspection using geo tagging (WP 1)
2. Interview Questionnaires (WPs 2.a to 2.o)
II.

Evaluation of Audit Evidence (Assessment of whether audit evidence is sufficient and
appropriate)
Yes
No
Remarks/ Disposition
Sufficient
√
Appropriate
√
Audit Objectives/ Audit
Findings/Observations
WP Ref
Questions
To determine if every barangay or
cluster of barangays has established
MRF.
a. Do all the Barangays within
City of ABC have established
MRFs?
b. Does the City have plans to
ensure that all Barangays have
established MRFs?

1. Material Recovery Facilities
(MRFs) were not
established in three
barangays of the City of
ABC.
WP 1
2. The Ten Year City Solid
Management Plan of City
ABC was not reviewed and
updated by the City Solid
Waste Management Board
(CSWMB).
WP 1
3. The CSWMB monitors the
establishment of MRFs in
every barangay, however,
there are noted
inconsistencies on the list
WP 2
To determine if all MRFs in every
barangay or cluster of barangays are
operating/ functioning.
a. Is there a monitoring
mechanism to ensure that the
MRFs are functioning as
required?
147
of barangays without
MRFs. This deficiency casts
doubt whether the CSWMB
performs their duties and
responsibilities of
monitoring the
implementation City Solid
Waste Management Plan.
b. Are the established MRFs
compliant with the
requirements of Section I, Rule
XI of IRR of RA No. 9003?
4. Established MRFs in two
Barangays of the City of
ABC were not fully
operating and functioning.
a. All of the inspected
MRFs, except for
Barangay II-B, were
not designed to
receive, sort, process
and store compostable
materials;
b. Most of the MRFs were
not established in a
barangay-owned or
leased land or any
suitable open space;
c. The MRF of Barangay
VI was not designed
and located to
accommodate efficient
and safe materials
processing, movement
and storage;
d. Nine barangays did not
maintain logbook or
record of daily weights
or volumes of waste
received, processed
and removed from
site; and
e. 15 barangays with
MRFs did not provide
daily logbook or file of
accidents and/or
incidents like fire,
special occurrences,
unauthorized loads,
injury and property
damage.
148
WPs 2.a to 2.o
III.
Summary of Material Findings/Observations
(Basis for the Conclusion)
1. Material Recovery Facilities (MRFs) were not established in three
barangays of the City of ABC as required under Section 1, Rule XI of the
Implementing Rules and Regulations (IRR) of Republic Act (RA) No.
9003 due to absence of conducive locations.
AOM No. 2019001 (2018)
2. Established MRFs in two Barangays of the City of ABC were not fully
operating and functioning as required under Section 1, Rule XI of the
Implementing Rules and Regulations (IRR) of Republic Act (RA) No.
9003 due to lack of proper monitoring by the City Solid Waste
Management Board (CSWMB), contrary to Section 4(b) and (c), Rule VI
of the IRR of RA No. 9003.
AOM No. 2019002 (2018)
IV.
Conclusion on the Subject Matter
Based on the audit work performed, we found that, because of the significance of the matter
noted in the Basis for the Conclusion paragraphs above, the establishment and monitoring of
Material Recovery Facilities (MRFs) in the City of ABC is not in compliance, in all material
respects, with Section 1, Rule XI of the Implementing Rules and Regulations (IRR) of Republic
Act (RA) No. 9003.
149
File 10
Republic of the Philippines
COMMISSION ON AUDIT
Commonwealth Avenue, Quezon City
29 March 2019
City Mayor and Chairperson, Solid Waste Management Board
City of ABC
Province of XYZ
Management Letter on the Compliance Audit on the
Establishment and Monitoring of Materials Recovery Facilities of the City of ABC
For the Period from 01 January 2018 to 31 December 2018
Dear Honorable City Mayor:
1)
We have audited the implementation of the Solid Waste Management Program particularly
on the establishment and monitoring of Materials Recovery Facilities (MRFs) of the 18
barangays of the City of ABC, Province of XYZ covering the period 01 January to 31
December 2018.
2)
We conducted our compliance audit in accordance with the International Standards of
Supreme Audit Institutions on compliance auditing (ISSAI 4000). Those standards require
that we plan and perform the audit to obtain a reasonable basis for our conclusions.
3)
The audit was conducted to ascertain compliance with Republic Act (RA) No. 9003 or the
“Philippine Ecological Solid Waste Management Act of 2000”, specifically Section 1, Rule XI
of the Implementing Rules and Regulations (IRR) on the establishment and monitoring of
MRFs in every barangay or cluster of barangays.
4)
RA No. 9003, otherwise known as the Ecological Solid Waste Management (SWM) Act was
approved into law on January 26, 2001. It adopts, among others, the State policy of a
systematic, comprehensive and ecological solid waste management program which shall:
 Ensure the protection of public health and environment;
 Utilize environmentally-sound methods that maximize the utilization of valuable
resources and encourage resources conservation and recovery;
 Set guidelines and targets for solid waste avoidance and volume reduction through
source reduction and waste minimization measures, including composting, recycling,
reuse, recovery, green charcoal process, and others, before collection, treatment and
disposal in appropriate and environmentally-sound solid waste management facilities
in accordance with ecologically sustainable development principles;
150
 Ensure segregation, collection, transport, storage, treatment and disposal of solid waste
through the formulation and adoption of the best environmental practices in ecological
waste management excluding incineration;
 Promote national research and development programs for improved solid waste
management and resource conservation techniques, more effective institutional
arrangement and indigenous and improved methods of waste reduction, collection,
separation and recovery;
 Encourage greater private sector participation in solid waste management;
 Encourage cooperation and self-regulation among waste generators through the
application of market-based instruments;
 Institutionalize public participation in the development and implementation of national
and local integrated, comprehensive and ecological waste management programs; and
 Strengthen the integration of ecological solid waste management and resource
conservation and recovery topics into the academic curricula of formal and non-formal
education in order to promote environmental awareness and action among citizenry.
5)
The law retains primary enforcement and responsibility of solid waste management with
local government units (LGUs) while establishing a cooperative effort among the national
government, other LGUs, Non-government organizations, and private sector.
6)
Section 1, Rule XI of the IRR of RA No. 9003 states that:
“RULE XI. MATERIALS RECOVERY FACILITIES AND COMPOSTING
Section 1. Operations of a Materials Recovery Facility
“Barangays shall be responsible for the collection, segregation, recycling of
biodegradable, recyclable, compostable and reusable wastes. MRFs will be
established in every barangay or cluster of barangays.
The facility shall be established in a barangay-owned or leased land or any suitable
open space to be determined by the barangay through its Sanggunian. For this
purpose, the barangay or cluster of barangays shall allocate a certain parcel of land
for the MRF. The determination of site and actual establishment of the facility shall
likewise be subject.
The MRF shall receive biodegradable wastes for composting and mixed nonbiodegradable wastes for final segregation, re-use and recycling. Provided, that
each type of mixed waste is collected from the source and transported to the MRF in
separate containers.
The resulting residual wastes shall then be transferred to a long-term storage or
disposal facility or sanitary landfill.
The MRF shall be designed to receive, sort, process and store compostable and
recyclable material efficiently and in an environmentally sound manner. The facility
shall address the following considerations:
151
a) The building and/or land layout and equipment must be designed to
accommodate efficient and safe materials processing, movement and storage;
b) The building must be designed to allow efficient and safe external access and
to accommodate internal flow;
c) If the MRF includes a composting operation, it shall comply with the provisions
of Section 2 and of Rule XI of this IRR applicable to composting and composts;
d) The following records shall be kept and maintained, such records shall be
submitted to the Department upon request:

Record of daily weights or volumes of waste received, processed and
removed from site accurate to within ten percent (10%) and adequate
for overall planning purposes and tracking of success of waste diversion
goals; and

Daily logbook or file of the following information shall be maintained:
fire, special occurrences, unauthorized loads, injury and property
damage.”
7)
The City of ABC has a City Solid Waste Management Board (CSWMB) created by virtue of
Ordinance No. 31, series of 2016, composed of the City Mayor as the Chairperson, the
Chairman of Committee on Environment as the Vice Chairman and 16 members from
Sangguniang Panlungsod, Association of Barangay Councils, department heads,
representatives from recycling industry and Non-Government Organizations (NGOs).
8)
The City likewise has a Ten Year Ecological Solid Waste Management Plan (SWMP) (20162025) aimed at ensuring the long-term management of solid waste in City of ABC. For CY
2018, out of the P53.20 million budget for Environment and Sanitary Services, the City has
appropriated P4.5 million for Solid Waste Management and P3 million for the
construction/installation of MRFs in Barangays and Turned-over Subdivisions.
9)
We have inspected the monitoring reports, conducted ocular inspection using geo-tagging
with the assistance of the representatives from the Technical Services Office (TSO) and
interviewed key officials and other concerned individuals to ascertain whether: (a) every
barangay or cluster of barangays has established MRFs; and (b) all MRFs in every barangay
or cluster of barangay are operating/functioning.
10)
We wish to bring to your attention our audit observations and recommendations which
were communicated through Audit Observations Memoranda (AOMs) to the concerned
officials of the City of ABC. Their responses were incorporated in this Management Letter
(ML), where appropriate.
Basis for the Conclusion
11)
152
MRFs were not established in three barangays of the City of ABC as required under Section
1, Rule XI of the IRR of RA No. 9003 due to absence of conducive locations, while most of
the other established MRFs were not located in a barangay-owned or leased land or any
suitable open space.
12)
Established MRFs in two Barangays of the City of ABC were not fully operating and
functioning as required under Section 1, Rule XI of the IRR of RA No. 9003 due to lack of
proper monitoring by the CSWMB.
Conclusion on the Subject Matter
13)
Based on the audit work performed, we found that, because of the significance of the matter
noted in the Basis for the Conclusion paragraphs, the establishment and monitoring of
MRFs, are not in compliance, in all material respects, with the provisions of Section 1, Rule
XI of the IRR of RA No. 9003.
Detailed Observations and Recommendations
MRFs were not established in three barangays of the City of ABC as required under Section
1, Rule XI of the IRR of RA No. 9003 due to absence of conducive locations, while most of
the other established MRFs were not located in a barangay-owned or leased land or any
suitable open space.
14)
Results of the ocular inspection by the Team which includes representatives from Technical
Services Office (TSO), using geo tagging, conducted on January 29, 2019 and February 6-7,
2019 (Annex A) revealed that 15 or 83.33% of the 18 barangays have existing MRFs. Three
barangays, namely, Barangay I-A, Barangay I-B and Barangay II-A have no MRFs, contrary
to Section 1, Rule XI of the IRR of RA No. 9003. In addition, most of the MRFs were not
established in a barangay-owned or leased land or any suitable open space. It was observed
that the facilities were mostly located in small portion of lot provided within the vicinity of
Barangay Hall or in a private lot provided by homeowners of a subdivision or along the
roads.
15)
Interview with the officials of the three barangays disclosed that lack of conducive locations
prevented them from establishing MRFs. However, according to the Head of the
Environmental Committee of Barangay I-A, the barangay is currently negotiating with the
homeowner officials of the subdivisions within their barangay to allow them to use a
portion of lot for the MRFs. Likewise, the Punong Barangay of Barangay I-B and II-A said
that they are still looking for a vacant lot to purchase.
16)
Inquiry with the City Officials disclosed that they are willing to provide financial assistance
to address the issue of those Barangays needing additional or without existing MRFs. For
CY 2018, the City has included in their Annual Investment Plan (AIP) the construction of 10
MRFs and allotted a budget amounting to P3 million.
17)
As envisioned, MRFs will separate different materials found in solid wastes in order to
promote recycling and reuse of resources to reduce the volume of waste for collection and
disposal. Hence, without MRF in barangays, the objective of ensuring environmentallysound methods in solid waste management will not be met.
18)
We recommended and the City Mayor agreed in instructing the concerned Barangay
Officials to look for conducive locations for the MRFs and to fast track the negotiations with
the homeowner officials of the subdivisions to allow the barangay to use a portion of their
lot for the construction of MRFs, in compliance with Section 1, Rule XI of the IRR of RA No.
9003;
153
Established MRFs in two Barangays of the City of ABC were not fully operating and
functioning as required under Section 1, Rule XI of the IRR of RA No. 9003 due to lack of
proper monitoring by the CSWMB.
19)
Interview with Barangay Officials and ocular inspection conducted by the Team which
includes representatives from TSO, on January 29, 2019 and February 6-7, 2019 (Annex B)
disclosed that two or 13.33% out of the 15 established Barangay MRFs were not operating
and functioning, namely, Barangay VIII and Barangay X, contrary to Section 1, Rule XI of the
IRR of RA No. 9003.
20)
In addition, all of the inspected MRFs, except for Barangay II-B, were not designed to
receive, sort, process and store compostable materials. These MRFs only receive, sort and
store recyclable wastes such as papers, cartons, glasses, plastics, bottles and metals.
21)
Aside from the conditions discussed above, the following deficiencies were also noted:
a. The MRF of Barangay VI was not designed and located to accommodate efficient and
safe materials processing, movement and storage;
b. Of the 15 barangays with MRFs, nine of which did not maintain logbook or record of
daily weights or volumes of waste received, processed and removed from site; and
c. The 15 barangays with MRFs did not provide daily logbook or file of accidents and/or
incidents like fire, special occurrences, unauthorized loads, injury and property
damage.
22)
We recommended that the:
a. City Mayor instruct the Barangay Officials to include a composting operation in the
MRFs, keep records/logbook of the daily weights or volumes of waste received,
processed and removed from MRF sites and of accidents or incidents like fire, special
occurrences, unauthorized loads, injury and property damage; and ensure that the MRFs
are fully operating and functioning in compliance with Section 1, Rule XI of the IRR of
RA No. 9003; and
b. City Solid Waste Management Board (CSWMB) strictly monitor and inspect the
condition and operation of established MRFs in each Barangay of the City of ABC.
23)
The management appreciated the audit recommendations and assured taking actions
thereon.
Status of Implementation of Prior Year’s
Audit Recommendations
24)
As no compliance audit was conducted in prior year, hence no data for this section.
Acknowledgment
25)
154
We wish to express our appreciation to the Management and staff of the City of ABC for the
cooperation and assistance extended to our Audit Team during the audit.
26)
We request that the appropriate actions be undertaken on our audit recommendations and
that we be informed of the actions taken thereon by accomplishing the attached Agency
Action Plan and Status of Implementation (AAPSI) form and submit it to us (in hard and
electronic copies) within 60 days from the receipt hereof.
Very truly yours,
COMMISSION ON AUDIT
By:
Supervising Auditor
Copy furnished:
-
The Regional Director
Department of the Interior and Local Government, Region ABC
-
The Regional Director
Department of Budget and Management, Region ABC
-
The Regional Director
Bureau of Local Government Finance, Region ABC
-
The Secretary
Sangguniang Panlungsod, City of ABC
155
File 11
Annex A
ML para. 14
Compliance Audit on the Establishment of Material Recovery Facilities (MRFs)
Objective:
To determine if every barangay or cluster of barangays of the City of ABC has
established MRF.
Results of Validation:
COA Validation
Barangay
Picture
1. Barangay I
2. Barangay II
Materials Recovery Facility (MRF)
Barangay II
City of ABC
3. Barangay III
156
Location (Latitude/
Longitude)
Barangay I, City of
ABC
14°18’55” /
121°7’22”
Barangay II, City of
ABC
14°17’43” /
121°6’17”
Barangay III, City of
ABC
14°17’55” /
121°7’41”
COA Validation
Barangay
Picture
4. Barangay IV
Location (Latitude/
Longitude)
Barangay IV, City of
ABC
14°17’21” /
121°6’60”
Materials Recovery Facility (MRF)
Barangay IV
City of ABC
5. Barangay V
Materials Recovery Facility (MRF)
Barangay V
City of ABC
Barangay V, City of
ABC
14°16’51” /
121°6’46”
6. Barangay VI
Barangay VI, City of
ABC
14°15’21” /
121°3’57”
7. Barangay VII
Barangay VII, City of
ABC
14°18’54” / 121°7’5”
Materials Recovery Facility (MRF)
Barangay VII
City of ABC
157
COA Validation
Barangay
Picture
8. Barangay VIII
Location (Latitude/
Longitude)
Barangay VIII, City of
ABC
14°18’47” /
121°6’27”
Materials Recovery Facility (MRF)
Barangay VIII
City of ABC
9. Barangay IX
Barangay IX, City of
ABC
14°1824” /
121°6’36”
Materials Recovery Facility (MRF)
Barangay IX
City of ABC
10. Barangay X
Barangay X, City of
ABC
14°17’51” /
121°5’40”
Barangay X, City of
ABC
14°18’4” / 121°5’51”
Per interview, the
barangay has 10
mobile MRFs located
along the roads.
11. Barangay I-A
12. Barangay I-B
158
None
None
COA Validation
Barangay
Picture
13. Barangay I-C
Location (Latitude/
Longitude)
Barangay I-C, City of
ABC
14°19’8” / 121°6’43”
Materials Recovery Facility (MRF)
Barangay I-C
City of ABC
14. Barangay II-A
15. Barangay II-B
None
Barangay II-B, City
of ABC
14°17’18” /
121°5’24”
Materials Recovery Facility
(MRF)
Barangay II-B
City of ABC
16. Barangay II-C
Materials Recovery Facility (MRF)
Barangay II-C
City of ABC
17. Barangay III-A
Barangay II-C, City of
ABC
14°13’42” /
121°2’56”
Barangay III-A, City
of ABC
14°19’42” / 121°7’3”
159
COA Validation
Barangay
Picture
18. Barangay III-B
Materials Recovery Facility (MRF)
Barangay III-B
City of ABC
Summary:
160
15 Barangays have existing MRFs
Location (Latitude/
Longitude)
Barangay III-B, City
of ABC
14°9’5” / 121°6’9”
File 12
Annex B
ML para. 19
Compliance Audit on Monitoring of Material Recovery Facilities (MRFs)
Objective:
To determine if MRF in every barangay or cluster of barangays in the City of
ABC is operating/functioning.
Results of Validation:
Barangay
1. Barangay I
2. Barangay II
3. Barangay III
4. Barangay IV
5. Barangay V
6. Barangay VI
7. Barangay VII
8. Barangay VIII
9. Barangay IX
10. Barangay X
Location
(Latitude/ Longitude
Barangay I, City of ABC
14°18’55” / 121°7’22”
Barangay II, City of
ABC
14°17’43” / 121°6’17”
Barangay III, City of
ABC
14°17’55” / 121°7’41”
Barangay IV, City of
ABC
14°17’21” / 121°6’60”
Barangay V, City of
ABC
14°16’51” /
121°6’46”
Barangay VI, City of
ABC
14°15’21” / 121°3’57”
Barangay VII, City of
ABC
14°18’54” / 121°7’5”
Barangay VIII, City of
ABC
14°18’47” / 121°6’27”
Barangay IX, City of
ABC
14°18’24” / 121°6’36”
Barangay X, City of ABC
14°17’51” / 121°5’40”
A
B
C

1

2

3
na
4a
X
4b
X



na

X
X



na

X
X



na

X
X



na
X
X
X

X

na
X
X
X



na
X
X
X
X


na
X
X
X



na
X
X
X
X


na

X
X
X
Barangay X, City of ABC
14°18’4” / 121°5’51”
11. Barangay I-A
Per interview, the
barangay has 10
mobile MRFs located
along the roads.
None
161
Barangay
Location
(Latitude/ Longitude
A
B
C
1
2
3
4a
4b



na
X
X
X



na

X
X
12. Barangay I-B
13. Barangay I-C
None
Barangay I-C, City of
ABC
14°19’8” / 121°6’43”
14. Barangay II-A
15. Barangay II-B
None
Barangay II-B, City of
ABC
14°17’18” / 121°5’24”
16. Barangay II-C
Barangay II-C, City of
ABC
14°13’42” / 121°2’56”



na
X
X
X
17. Barangay III-A
Barangay III-A, City of
ABC
14°19’42” / 121°7’3”



na

X
X
18. Barangay III-B
Barangay III-B, City of
ABC
14°9’5” / 121°6’9”



na
X
X
X
13
14
15
0
6
0
0
Summary (18):
15
Audit Key:
A – Is the Barangay MRF operating/functioning? (2nd audit objective)
B1 – The building and/or land layout and equipment were designed to accommodate efficient
and safe materials processing, movement and storage
B2 – The building was designed to allow efficient and safe external access and to accommodate
internal flow
B3 – If the MRF includes a composting operation, it complied with the provisions of Section 2
and of Rule XI of this IRR applicable to composting and composts
B4 – The following records were kept and maintained, such records were submitted to the
Department upon request:
a. Record of daily weights or volumes of waste received, processed and removed
from site accurate to within ten percent (10%) and adequate for overall planning
purposes and tracking of success of waste diversion goals; and
b. Daily logbook or file of the following information shall be maintained: fire, special
occurrences, unauthorized loads, injury and property damage.
C – The MRF was designed to receive, sort, process and store compostable and recyclable
material efficiently and in an environmentally sound manner
162
ACKNOWLEDGMENT
The Commission on Audit (COA) acknowledges with deepest gratitude the initiatives and the
valuable contribution of the following to the completion of this Compliance Audit (CA) Manual:

Chairperson Michael G. Aguinaldo, Commissioner Jose A. Fabia, Commissioner Roland C.
Pondoc, and Former Commissioners Heidi L. Mendoza and Isabel D. Agito, for the support and
encouragement in this project;

The Technical Working Group that committed and worked vigorously to complete the Manual
and the Courseware, trained the COA auditors, and supervised the training roll-outs
comprised of the following:
o
o
o
o
o
o
o
o
o
o
Asst. Commissioner Luz Loreto Tolentino, Chairperson
Director Josephine B. Manalo, Vice-Chairperson
Director Fidela M. Tan, Member
Director Sofia C. Gemora, Member
Director Eugene R. Dizon, Member
Director Emma V. Moises, Member
Director Mary Joyce G. Eruma, Member
Ms. Normita N. Narvaez, Member
Ms. Judith T. Saliente, Member
Ms. Jessica D. Davila, Secretariat

The Subject Matter Expert on CA, Ms. Ingvild Gulbrandsen for her generosity and dedication
to help in the preparation of this Manual;

The Co-workers of the TWG, Dir. Ma. Corazon S. Gomez, Director Ma. Realiza R. Ysmael, Ms.
Connie G. Benedictos, Ms. Olympia P. Balugay, for sharing their experience in the writing of
the Courseware and delivery of the training roll-outs; Supervising Auditor Ethel Gervacio,
Ms. Olivia C. Puhawan, Ms. Jenica Salena C. Tan, Mr. Irven F. Falamig of the LGS -Province of
Laguna, for their helpful contribution in the improvement of the Manual;

All the participants of the training, as well as their Assistant Commissioners and Directors, in
various regions nationwide, for not only providing feedback to the Manual and complying
with all the training requirements but made every roll-out successful and remarkable;

The staff of the Quality Assurance Office for their relentless efforts in giving their inputs by
editing the Manual;

The following COA Offices for their continuous support until the completion of the project:
o The Planning, Finance and Management Sector headed by Assistant Commissioner
Carmela S. Perez and her staff:
 Ms. Lilia A. Cillo
 Mr. Richard Banate
 Ms. Ana Gelera
164
o The National Government Sector headed by Assistant Commissioner Susan P. Garcia
o The Corporate Government Sector headed by Assistant Commissioner Winnie Rose H.
Encallado
o The Local Government Sector headed by former Assistant Commissioner Rizalina Q.
Mutia
o The Information and Technology Office headed by Director Lorna Cabochan
o The Treasury Division and the Procurement and Property and Supply Management
Services of the General Services Office, and
o The Publication and Printing Services under the supervision of Mr. Fred Romero.

The International Bank for Reconstruction and Development (“World Bank”) for approving
and providing guidance and financial resources all throughout the project:
o
o
o
o
o
Ms. Mara Warwick, Country Director, Philippines; East Asia and Pacific Region
Ms. Bonnie Sirois, Senior Financial Management Specialist
Mr. Tomas Sta. Maria, Senior Financial Management Specialist
Ms. Liennefer Peñaroyo, Financial Management Specialist
Ms. Cecilia Valles, Lead Procurement Specialist
165
Download