
Republic of the Philippines

TARLAC STATE UNIVERSITY


College of Business and Accountancy
AY 2018-2019

REVIEWER IN INTERNAL AUDITING

GROUP 2
Lovely D. Santiago
Ken Jonald V. Azur
Mark Joseph A. Garcia
Justine Ivanny C. Pangilinan
Emilyn D. Galang
Mikelle Justin L. Raiz
Maria Divina Millamina
Nezylyn D. Cabulera
Lyra F. Gamit

Prof. Derick S. Figueroa, CPA, CTT, MBA

BSACT-4D
Internal Audit – independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.
- Helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
- Catalyst for improving an organization’s governance, risk management and management controls by providing insight and recommendations based on analyses and assessments of data and business processes.
- With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice.
Lawrence Sawyer – father of modern internal auditing.
- The philosophy, theory and practice of internal auditing was adopted by the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors.
Sarbanes-Oxley Act of 2002 – basic foundation law of the internal audit profession.
- Focused on financial policy and procedures disrupting progress.
- In 2010, the IIA once again began advocating for the broader role internal auditing should play in the corporate arena.
Scope of Internal Auditing:
- Corporate Governance
- Risk Management
- Management Controls (COSO Component)
Internal Auditors are not responsible for:
- Execution of company activities (responsible to BOD only on how they better execute their responsibility).
- Preparation of financial statements and financial related reports.
THE INSTITUTE OF INTERNAL AUDITORS – recognized international standard setting body
for the internal audit profession and awards the Certified Internal Auditor designation
internationally through rigorous written examinations.
How independent are Internal Auditors?
- Employed by companies.
- Independent of the business activities that they audit.
- Achieved through the organizational placement and reporting lines of the internal audit department.
- Reports directly to BOD or to the Audit Committee of the BOD.
- Management is responsible for design and implementation of internal controls.
Role of Internal Auditor on:
Internal Control – performs audit to evaluate whether the control components are present and operating effectively and, if not, provide recommendations for improvement.
Risk Management – process by which an organization identifies, analyzes, responds, gathers information about, and monitors strategic risks that could actually or potentially impact the organization’s ability to achieve its mission and objectives.
Corporate Governance
- Helps the Audit Committee perform its responsibilities.
- Reporting critical management control issues, suggesting questions or topics for the Audit Committee’s meeting agendas and coordinating with the external auditor and management to ensure the committee receives effective information.
Internal Audit Philosophy:
Lawrence Sawyer’s Philosophy
- IA emphasized assisting management and the Board in achieving the organization’s objectives through well-reasoned audits, evaluations and analyses of operational areas.
- IA acts as counselor to management rather than as an adversary.
- IA acts as an active player influencing events in the business rather than criticizing all degrees of errors and mistakes.
- “Catching a manager doing something right.”
- Balanced reporting while simultaneously building better relationships.
- Focus on operational or performance auditing: “Looking beyond financial statements and financial related auditing.” (Purchasing, warehousing and distribution, HR, IT, facilities management, customer service, field operations and program management).
Chief Audit Executive (CAE)
- Head of internal audit
- Recommended by IIA
Director of Internal Audit
- Develop, document, implement, test and maintain a comprehensive internal audit plan and system of internal control.
- Evaluate financial and operational procedures to assure adequate internal controls are present.
- Identify, assess and evaluate the company’s risk areas.
- Make appropriate recommendations for improved internal controls and accounting procedures.
- Research and adopt industry best practices where appropriate.
- Provide expert knowledge with respect to maintaining the company’s tax status.
- Monitor current financial reporting, tax, fraud and anti-money laundering laws.
Function of Internal Audit:
- Assist the company in fulfilling its vision, mission, strategic initiatives and objectives while adhering to its core values, by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of enterprise-wide risk management, internal control systems and governance processes.
- Risks are appropriately identified and managed.
- Significant financial, managerial and operating information is accurate, reliable and timely.
- Company resources are used efficiently and adequately safeguarded.
- Company operations are transacted in accordance with sufficient internal controls, good business judgement and high ethical standards.
- Quality and continuous improvement are fostered in the Company’s internal control process.
Types of Audit:
Departmental Audit – review and evaluate the activities and operations of a company function.
Financial Audits – designed to evaluate the accuracy and completeness of records and account balances.
- Determines whether the financial information of the company functions, activity, department or unit under audit fairly presents the financial position, results of operations and cash flows of the auditee in accordance with the GAAP/IFRS.
Operational Audit – designed to evaluate policy, procedures and controls which impact the attainment of the company’s organizational goals and objectives.
- Also measures compliance with company policies and procedures.
Compliance Audit – designed to audit the compliance of the company with all.
- Does not include compliance with accounting standards or IFRS and compliance with company internal policies.
Internal Auditor | External Auditor
Company employee (hired) | Work for an outside audit firm (appointed)
Need not be a CPA | Must be a CPA
Responsible to the BOD | Responsible to shareholders
Can issue their findings in any type of report format | Must use formats for their audit opinions and management letter
Focuses on operations audit | Focuses on Financial Statement Audit
Reports to the BOD and management | Reports to stakeholders
Can provide advice and other consulting assistance to employees | Constrained from supporting an audit client too closely
Conducted throughout the year | Usually conducted annually only

Four Pillars of Corporate Governance

Board of Directors
Management
External Auditors
Internal Auditors
Internal Control Frameworks and Components:
COSO Framework: (universally accepted framework)
- Effectiveness and efficiency of operations;
- Reliability of financial reporting;
- Compliance with applicable laws and regulations.
COSO Components:
a. Control Environment – overall foundation of the controls. Sets the tone of an organization, influencing the control consciousness of its people.
b. Risk Assessment – identification and analysis of relevant risks to achieve objectives.
   - Likelihood of happening
   - Impact on the business
c. Control Activities – policies and procedures that help ensure management directives are carried out. How would risk be mitigated.
d. Information and Communication – information must be identified, captured and communicated in a form and timeframe that enable people (employees) to carry out their responsibility.
e. Monitoring – process that assesses the quality of the system’s performance over time. To check if those related controls applied help to mitigate the risk from happening.
COCO Components:
a) Purpose – need for a clear direction and sense of purpose. VMSO.
b) Commitment – people in the organization must understand and align with the entity’s identity and values.
c) Capability – equipped with resources and competence to understand.
d) Monitoring – process that assesses the quality of the system’s performance over time. To check if those related controls applied help to mitigate the risk from happening.
COBIT (Control Objectives for Information and Related Technology) – covers security and control of IT systems in support of business processes and is designed for management, users and auditors.
COBIT FRAMEWORK:
1. PLAN AND ORGANISE (PO) This domain covers strategy and tactics, and concerns
the identification of the way IT can best contribute to the achievement of the business
objectives. The realization of the strategic vision needs to be planned, communicated and
managed for different perspectives. A proper organization as well as technological
infrastructure should be put in place.
2. ACQUIRE AND IMPLEMENT (AI) To realize the IT strategy, IT solutions need to be
identified, developed or acquired, as well as implemented and integrated into the business
process. In addition, changes in and maintenance of existing systems are covered by this
domain to make sure the solutions continue to meet business objectives.
3. DELIVER AND SUPPORT (DS) This domain is concerned with the actual delivery of
required services, which includes service delivery, management of security and
continuity, service support for users, and management of data and operational facilities.
4. MONITOR AND EVALUATE (ME) All IT processes need to be regularly assessed
over time for their quality and compliance with control requirements. This domain
addresses performance management, monitoring of internal control, regulatory
compliance and governance.
Types of Controls:
1. Directive – controls ensure that there is a clear direction and drive towards achieving the stated objectives.
2. Preventive – ensure that systems work in the first place. May include employing competent staff, high moral standards or segregation of duties.
3. Detective – designed to pick up transaction errors that have not been prevented.
4. Corrective – ensures that where problems are identified they are properly dealt with.
Fraud – defined as theft, concealment and conversion for personal gain of another’s money, physical assets or information.
Fraud Triangle:
- Incentive to commit fraud – pressure typically leads fraudsters to their deceptive acts.
- Opportunity to commit fraud – circumstances may provide access to the assets or records that are objects of fraudulent activity. Usually done by those persons having access.
- Rationalization of the fraudulent action – this justifies the fraudster’s actions because of lack of moral character.
Categories of Fraud:
A. Asset Misappropriation (Employee Fraud) – wrongful taking possession or use of monetary funds or tangible assets. E.g. Embezzlement of funds, Theft of tangible assets, Misuse of assets, Lack of business purpose, Conflict of interest and Unauthorized asset disposal or acquisition.
B. Corruption – abuse of power, position, authority or knowledge with the intent to give illegal or improper benefit. E.g. Favored Status, Nepotism, Conflict of interest, Bribery and Bid Rigging.
C. Financial Reporting (Management Fraud) – improper reporting of financial statements, it
involves improper recognition, misclassification or false assertions of any item. E.g.
Sham Transactions, Improper recognition, Journal-entry Schemes, Misclassification,
Improper Disclosure, Improper Interpretation of GAAP and Manipulation of Budgets.
REVENUE CYCLE – business activities and related information processing operations associated with providing goods and services to customers and collecting cash in payment for those sales.
- Recurring set of activities and related information processing operations.
EXPENDITURE CYCLE – recurring set of business activities and related data processing objectives associated with the purchase and payment of goods and services.
Purchase Requisition – written request to the purchasing department from an employee or department requesting that goods be purchased.
Purchase Order – a written request issued by the purchasing department to a vendor to purchase goods.
PAYROLL CYCLE – includes processes for recording time and attendance and converting that data into payroll calculations and disbursement.
PAYROLL CONTROLS:
1. Transaction Authorization
2. Segregation of Duties
3. Supervision
4. Accounting Records
   1. time cards, job tickets, and disbursement voucher
   2. journal information
   3. subsidiary ledger account
   4. general ledger account
5. Access Control
6. Independent Verification
   1. verification of time
   2. paymaster
   3. accounts payable
   4. general ledger

INVESTMENT CYCLE – covers the period, usually spanning several business cycles, from the time of the investment until the point where it stops generating cash flows.
Internal Controls:
1. Authorization by the Board of Directors
2. Use of an Independent Trustee
3. Interest on Bonds and Notes Payable
FINANCING CYCLE – the counterpart to the investment cycle and business cycle. It covers the period from raising financial resources to their repayment.
Internal Controls:
1. Control of Capital Stock Transactions by the Board of Directors
2. Independent Registrar and Stock Transfer Agent
3. The Stock Certificate Book and Stockholders Ledger
4. Internal Control Over Dividends
PROPERTY, PLANT and EQUIPMENT (PPE) ACQUISITION CYCLE – PPE are assets that have expected lives of more than one year, are used in the business and are not acquired for resale.
- Purchase requisition in PPE acquisition can come from different who needs the asset that
is being requested.
INTERNAL CONTROLS
(For each cycle: Business Document (Department in Charge) – Purpose of the Document, followed by the Controls for that cycle.)

CYCLE: REVENUE
Business Documents:
- Customer Order (Sales Dep’t) – to know if there is really an order placed by the customer.
- Bill of Lading (Shipping Dep’t) – to prove that there is shipment of goods that is placed on the customer order.
- Sales Invoice (Billing Dep’t) – to check if the goods that are being billed are also the goods that the company delivered, as depicted on the Bill of Lading.
Controls:
1. Transaction Authority
2. Segregation of Duties
3. Supervision
4. Accounting Records
5. Access
6. Independent Verification

CYCLE: EXPENDITURE
Business Documents:
- Purchase Order (Purchasing Dep’t) – to avoid ordering unnecessary items.
- Receiving Report (Receiving Dep’t) – a checklist that will prove the existence of the goods that are placed in the purchase order.
- Purchase/Vendor’s Invoice (Accounts Payable Dep’t) – to pay only for goods that were ordered and received.
Controls:
1. Transaction Authority
2. Segregation of Duties
3. Supervision

CYCLE: PAYROLL
Business Documents:
- Time Cards/Job Tickets (Production Dep’t) – to ensure the existence and the work done by the employee.
- Payroll Register (HR/Payroll Dep’t) – to apply the appropriate rate and withholding data of the employee.
- Voucher Packet (Accounts Payable) – to match the payroll register and the payroll check that will be issued.
- Payroll Check (Disbursement Dep’t) – to prevent “ghost employees”.
Controls:
1. Transaction Authorization
2. Supervision
3. Accounting Records
4. Access Control
5. Independent Verification

CYCLE: Property, Plant and Equipment ACQUISITION
Business Documents:
- Purchase Order (Purchasing Dep’t) – it ensures the need of the requesting department.
- Receiving Report (Receiving Dep’t) – to prove that the asset received is actually the one that was ordered.
- Supplier’s Invoice (Accounts Payable Dep’t) – to pay only for goods ordered and received.
Controls:
1. Authorization Controls
2. Supervision Controls
3. Independent Verification Controls

THE AUDIT FIELD WORK


AUDIT PROGRAMME – document that lists the procedures to be followed during the
engagement, designed to achieve the engagement plan, it may include:
1. Defining the various tasks that need to be performed.
2. Defining the extent of work in a part of the operation.
PRELIMINARY ENGAGEMENT ACTIVITIES:
1. Personnel Requirements
2. Independence Issues
3. Engagement Relationship
- Engagement Letter – the terms of engagement and the formal contract established.
PLANNING THE AUDIT:
Not static; it is a living, breathing plan that can be updated or changed as new information emerges.
THE AUDIT PROCEDURE
- requires the auditor to perform procedures and collect enough appropriate evidence for each account and assertion to provide reasonable assurance of financial reports and avoid material misstatement.
1. TEST OF CONTROLS (no need, if there are no controls established) – tests the operating effectiveness of control policies and procedures in support of a reduced assessed control risk.
Testing Techniques
a. Inquiry – the auditor asks appropriate management and staff about the controls in
place at the service organization to determine some relevant information.
b. Re-performance – enables the auditor to comment directly on the accuracy by which
transactions are processed although it does depend on the auditor being able to
perform the necessary task.
c. Observation – useful method of information gathering since it is obtained first-hand
by the auditor.
d. Inspection – formal way of observing physical attributes against a set criterion.

2. SUBSTANTIVE TESTING (required) – examines the financial statements and supporting documentation to see if they contain errors.
- May also be conducted by a company’s internal audit staff.
Substantive Testing Procedures:
a. Inspection
b. Observation
c. Confirmation
d. Re-calculation
e. Re-performance
f. Inquiry
Test of Detail – used by auditors to collect evidence that the balances, disclosures, and
underlying transactions associated with a client's financial statements are correct.
Test of Balance – balances normally make the most substantial contributions to verification of
the financial statement assertions.
Management Assertions:
a. Accuracy – all information contained in financial statements has been accurately
recorded.
b. Cut-off – transactions are compiled into the correct reporting period.
c. Completeness – all the information that should be disclosed has been included within
the financial statement and accompanying footnotes.
d. Classification – transactions are recorded into their proper accounts.
e. Occurrence – all transactions/events that are recorded and disclosed actually
occurred. (income and expense)
f. Existence – information recorded in the financial statements actually occurred or
acquired during the year. (asset and liability)
g. Presentation and Disclosure – transactions and events are appropriately aggregated or
disaggregated and clearly described, and related disclosures are relevant and
understandable in the context of the requirements of the applicable financial reporting
framework.
h. Valuation – transaction and accounts are properly valued based on the standards.
i. Rights and Obligations – rights over the assets and obligation as to liabilities.
ANALYTICAL PROCEDURE – used throughout the audit process and are conducted for
primary and secondary purposes.
- comparison of data from different sources to determine if reported information looks
‘odd’ or ‘wrong’.
Steps in Conducting Analytical Procedures:
a. Determine the suitability of particular substantive analytical procedures for given
assertions.
b. Evaluate the reliability of data from which the auditor’s expectation is developed.
c. Develop an expectation for a recorded amount or ratio and evaluate whether it is
adequately precise to identify a misstatement.
d. Determine the amount of discrepancy between the recorded amount or ratio and the
auditor’s expectation that would not require further investigation.

AUDIT SAMPLING
STATISTICAL SAMPLING
Random Sampling – Ensures that all items within a population stand an equal chance of selection by the use of random number tables or random number generators. (Fish bowl method)
Systematic Sampling – Divides the number of sampling units within a population by the sample size to generate a sampling interval.
Monetary Unit Sampling – Determines the accuracy of financial accounts. Depends on the values. (Value-weighted method)
Stratified Sampling – Groups the transactions based on strata. E.g. grouping of receivables based on age.
NON-STATISTICAL SAMPLING
Haphazard Sampling – There is no structured technique. Adopting this avoids any conscious bias or predictability. (Combination of block and random sampling.)
Block Selection – Involves selecting a block of contiguous items from within a population; for example, you choose to audit sample 1-100 of the 1000 transactions.
