Transcription
Republic of the PhilippinesRamon Magsaysay Technological UniversityIba, ZambalesInternal Audit ServicesStandard Operating Policies and Procedures Manual(IASSOPPM)October 2017
TABLE OF CONTENTSRMTU At a Glance .IPREFACE . II1.0 Introduction .12.0 Internal Audit Services Charter2.1 Purpose and Application . .22.2 Mandate .22.3 Mission 22.4 Vision .22.5 Core Values . . .22.6 Objectives . .32.7 Responsibilities and Accountabilities . .32.8 Authority . .42.9 Auditees’ Responsibilities . 42.10 Special Assignments . .52.11 Standards . .53.0 Personnel Management3.1 Organizational Structure . .63.2 Conduct of Internal Audit . 63.3 Standard Qualifications and Functions . 73.4 Training and Professional Development . .93.5 Personnel Performance Evaluation . .93.6 Personnel Recruitment and Transition . .104.0 The Audit Process4.1 Overview and Conduct of the Audit Process . .114.2 The Annual Audit Plan . .124.3 Audit Engagement Planning . .124.4 Audit Execution . .164.5 Audit Reporting . .194.6 Audit Follow-Up . .224.7 Summary of Outstanding Recommendations . .255.0 Workpapers5.1 Qualities of Good Workpapers . 265.2 Retention . .265.3 Workpaper Techniques 265.4 Types of Workpapers . .275.5 Workpaper Organization . .285.6 Security and Control . 286.0 IAS Management6.1 Audit Monitoring . .306.2 Time Reports 306.3 Progress Reports . .30IASSOPPM
TABLE OF CONTENTS6.4 Meetings . .306.5 Decision-Making Procedures . .306.6 Performance Evaluation . .316.7 Periodic Review of Policies and Procedures . .317.0 Glossary . .328.0 Appendices . .38Appendix 1 Annual Audit Plan (AAP)Appendix 2 Audit Work Program (AWP)Appendix 3 Risk and Control Matrix (RCM)Appendix 4 Entry Conference (ENC)Appendix 5 Exit Conference (EXC)Appendix 6 Audit Finding Data Sheet (AFDS)Appendix 7 Draft Audit Report (DAR)Appendix 8 Final Audit Report (FAR)Appendix 9 Summary of Outstanding Recommendations (SOR)Appendix 10 Audit Monitoring Sheet (AMS)Appendix 11 Flowchart SymbolsAppendix 12 Audit Process Flowchart (APF)Appendix 13 Summary of Audit Process Flowchart (SAPF)Appendix 14 Time Report (TR)Appendix 15 Monthly Progress Report (MPR)Appendix 16 Quarterly Return (QR)Appendix 17 Evaluation of Internal Audit – Self AssessmentAppendix 18 Code of EthicsAppendix 19 Evaluation of Internal Audit – Management9.0 References . .58List of TablesTable 1Table 2Table 3Table 4Director/Head of Internal Audit .7Internal Auditor .8Internal Auditing Assistant .9Contents of an Audit Plan . .15List of FiguresFigure 1Figure 2Figure 3Figure 4Figure 5IASSOPPMAudit Process Flow Diagram . .11Audit Engagement Planning Flow Diagram . .13Audit Execution Flow Diagram . .17Audit Reporting Flow Diagram . .20Audit Follow-Up Flow Diagram . 23
RMTU At a GlanceThe Ramon Magsaysay Technological University, a merger of three public educationinstitutions in the province of Zambales, was established by Republic Act 8498 enacted onFebruary 12, 1998 through the initiative of Congressman Antonio M. Diaz. The UniversityCharter integrated the former Ramon Magsaysay Polytechnic College (RMPC) in Iba, theWestern Luzon Agricultural College (WLAC) in San Marcelino, and the Candelaria Schoolof Fisheries (CSF) in Candelaria. The strengths of its parent-institutions, which had existedsince the early 1900s, served as RMTU’s springboard for its accelerated growth anddevelopment.With a viable organizational structure, the institution transformed dramatically as itaccelerated the full integration of its component campuses. Through strong partnership withthe Provincial Government, DepEd and municipal governments, the University hadestablished LGU-subsidized satellite campuses in Masinloc, Castillejos, and Sta. Cruz in theyear 2002, 2003 and 2004, respectively. Faculty development and infrastructure build-upwere intensified. Degree programs increased from 12 to 64 in the last 10 years. Enrolmentexpanded from 2,000 to more than 8,000 per semester over the same period. Massivescholarships from various stakeholders attracted more and more students. Graduatesregistered commendable performance in licensure examinations especially in electrical,mechanical and civil engineering and other flagship programs. Major curricular programsattained various accreditation levels and the University achieved an unprecedented Level IIIA status under the CHED-DBM-PASUC Leveling Scheme. The University was also includedamong the top 30 higher education institutions (HEIs) recognized by the People’s Republicof China, South Korea and other technology-oriented countries.As of September 30, 2017, RMTU stands proud with its high-performing seven (7) campuses,64 curricular offerings, 8,748 students, 757 strong faculty and staff, and viable internationallinkages and consortium agreements.IASSOPPMI
PrefacePREFACEThis Internal Audit Services Standard Operating Policies and Procedures Manual(IASSOPPM) establishes the policies and procedures to be followed in the conduct of internalaudit. This manual aims at standardizing internal audit in terms of uniformity and consistencyacross all the internal control units/departments/offices. The IASSOPPM has been preparedin lined with the Philippine Government Internal Audit Manual (PGIAM) and the NationalGuidelines on Internal Control Systems (NGICS), which are developed by the PhilippineGovernment. In addition, this manual shall be consistent with the International Standardsfor the Professional Practice of Internal Auditing (ISPPIA), developed and maintained by theInstitute of Internal Auditors. Internal Auditors of the University must comply with theprovisions contained in this manual. This document consolidates and brings up-to-dateexisting guidelines and supports the development of the internal auditing function in theUniversity.I – IntegrityA – AssuranceS – Strategic SupportIASSOPPMII
Introduction1.0 INTRODUCTIONInternal auditing is an independent, objective assurance and consulting activity designed toadd value and improve an organization’s operations. It helps an organization accomplish itsobjectives by bringing a systematic, disciplined approach to evaluate and improve theeffectiveness of risk management, control, and governance process. It is a strategic functionin ensuring good governance throughout the University.The Internal Auditor in the Philippine Government has the fundamental role of assisting theGoverning Body/Audit Committee of the Governing Board in promoting effective, efficient,ethical and economical (4Es) operations by appraising the adequacy of internal controls. Thefindings on the appraisal of internal controls are provided to said officials/bodies to institutecorrective and preventive measures and achieve the agency objectives.The role of the Internal Auditor is not about fault-finding, neither is it investigative norpunitive. As a component of the performance management framework of RMTU, the InternalAudit Services (IAS) assesses the levels of performance against agreed measures, targets andobjectives. The internal audit function is separate from, but complementary to, the day-today monitoring of internal controls and the conduct of continual management improvement,which are within the responsibility of operating units.IAS shall be under the direct administrative supervision and control of the UniversityPresident, organized as an independent staff unit and shall correspondingly perform stafffunctions. And shall be responsible for instituting and conducting a program of internal auditfor the University.IASSOPPM1
IAS Charter2.0 INTERNAL AUDIT SERVICES CHARTER2.1 Purpose and ApplicationThe Internal Audit Services will apply cutting edge practices to support the Universityin its quest to be a progressive learner centered Research University recognized in theASEAN Region.This IASSOPPM is intended to provide the internal auditors with practical guidance,tools and information for managing the internal audit activity and for planning,conducting and reporting on internal auditing assurance engagements.Users of the manual are expected to draw upon the information provided to form theirown judgments on the most suitable approaches to fulfilling the specific responsibilitiesthat they have been assigned in the context of continuously striving for the most effectiveinternal audit activity possible. If users encounter situations where they believe that theguidance provided in the manual is in conflict with what they believe to be the mosteffective approach, they should consult with more senior IAS officers.This IASSOPPM is effective as of the date of approval.2.2 MandateIAS is mandated to provide independent, objective assurance and consulting servicesdesigned to add value and improve the RMTU’s system operations, internal control andgovernance processes as a service to the University to assist it accomplish its goals andobjectives.2.3 MissionIAS shall assist RMTU Leadership in providing independent and objective informationanalyses and counsel to achieve the highest quality services in education, research andpublic services by promoting effective internal controls, transparency and accountabilitywith professionalism.2.4 VisionBy 2020, the Internal Audit Services is a holistic value-added service to ensure operationsare managed ethically, effectively, efficiently and economically towards the attainment ofRMTU Vision.2.5 Core ValuesThe Internal Auditors are expected to apply and uphold the following principles: INTEGRITY – We exhibit fairness, honesty and ethical behavior in our service tothe university.IASSOPPM2
IAS Charter OBJECTIVITY – We perform duties in an unbiased manner and make a balancedassessment of all the relevant circumstances and are not unduly influenced by theirown interest or by others informing judgments.QUALITY – We provide accurate reports and timely, feasible, and relevantrecommendations.CONFIDENTIALITY - We respect the value and ownership of information wereceive and do not disclose information without appropriate authority unless there isa legal or professional obligation to do so.COMPETENCY – We apply our professional knowledge, skills, and experienceneeded in the performance of internal audit services.2.6 Objectives Check the accuracy, reliability and integrity of applicable financial and performanceissues;Compliance with organization policies and procedures, laws, regulations orguidelines;Ensure efficient, effective, ethical and economical operations; andSafeguarding of assets.2.7 Responsibilities and AccountabilitiesIAS takes place “after the fact” and covers a complete cycle of operations and is responsiblein performing duties in accordance with the PGIAM and the International Standards forthe Professional Practice of Internal Auditing (Standards). Any aspects of financialauditing are conducted in accordance to Generally Accepted Accounting Principles(GAAP) or any other standards adopted by any governing authority such as GovernmentAccounting Manual (GAM). At a minimum, IAS is charged up the following duties,functions and responsibilities: Conduct management/operations performance audit of activities of the departmentand their units and determine the degree of compliance with the mandate, policies, andgovernment regulations, establish objectives, systems and procedures/processes andcontractual obligations.Review and appraise systems and procedures, organization structure, practices,records and performance standards.Verify and analyze management and operations data to ascertain if attendant mustgenerate data or reports that are complete, accurate and valid.Ascertain the reliability and integrity of information and the means used to identify,measure, classify, and report such information.Ascertain the extent to which the assets and other resources of the University isaccounted for and safeguarded from losses of all kinds.Review and evaluate the soundness, adequacy and application of accounting financialand management controls and promote the most effective control at reasonable cost.IASSOPPM3
IAS Charter Review operation or programs to ascertain whether or not such programs are beingcarried out as planned.Evaluate the quality of performance of groups/individual is carrying-out theirassigned responsibilities.Perform functions of a protective nature, such as prevention and detection of fraud ordishonesty, revision of cases involving misuse of agency property; and checking oftransactions with outside parties.Recommend realistic courses of action or operational deficiencies observed.Perform miscellaneous services, including special investigations and assistance tooutside contacts such as Commission on Audit.Report significant issues related to the processes for controlling its activities andmanaging its risks in the areas set forth under the mission of work.Periodically provide information on the status and results of audit plan and thesufficiency of departmental resources.Coordinate with and provide oversight of the control, and monitoring functions, riskmanagement, compliance, security, legal ethics, and environmental external audit.Establish appropriate policies and procedures to guide the internal audit function.Maintain a quality assurance and improvement program that covers all aspects of theinternal audit function.Advise/Report periodically to the University President on whether management ‘saction plans have been implemented and whether the actions taken have been effective2.8 AuthorityThe IAS’ activity with strict accountability for confidentiality and safeguarding recordsand information is authorized full, free, and unrestricted access to any and alldepartmental records, physical properties, and employees and has the right to obtaininformation and explanations from departmental employees and contractors, subject toapplicable legislations.We shall be authorized to allocate resources, set frequencies, select subjects, determinescopes of work and apply the techniques required to accomplish audit objectives. We shallconsult to management on matters such as the design of business control systems, riskmanagement activities, and governance processes.We shall participate as member of the Administrative Council and as members of othercommittees, teams, boards, etc. provided such participation does not compromise orappear to compromise the independence of IAS.2.9 Auditees’ Responsibilities Treat Internal Audit Staff with respect and courtesy.Where applicable, execute their role faithfully and honestly.Respect the chain of command.IASSOPPM4
IAS Charter Respect the orderly execution of duties including queuing of job task in the internalaudit department.To submit their documents for consideration or required information in a timelymanner.Familiarize themselves with, and observe the financial regulations, publicprocurement regulations and other relevant policies and guidelines applicable to thepublic service in general and the University in particular.Respond faithfully to specific issues raised including audit queries.2.10 Special AssignmentsIAS Team may, upon request by any Department’s Officer, be assigned audit work onSpecial Assignments that are in no way connected with the Annual Audit Plan. This maybe done provided approval is obtained from the IAS Director (IASD). After approval, theinternal auditor will be responsible for the audit assignment and he will report to theIASD after completion of the assignment.2.11 StandardsThe internal audit function will be conducted in accordance with PGIAM, the NGICS,the Institute of Internal Auditors’ ISPPIA, the International Organization of SupremeAudit Institutions’ (INTOSAI) Guidelines for Internal Control Standards for the PublicSector and the IASSOPPM. In the event of conflict with the International Standards forthe Professional Practice of Internal Audit, the PGIAM will prevail.Prepared by:Date:Rowena Buan-Yost, CPAIAS DirectorApproved by:Dr. Cornelio C. GarciaUniversity PresidentIASSOPPMDate:5
Personnel Management3.0 PERSONNEL MANAGEMENT3.1 Organizational StructureBOARD OF REGENTSUNIVERSITY PRESIDENTDIRECTORInternal Audit ServicesINTERNALAUDITORINTERNAL AUDITINGASSISTANTINTERNALAUDITOR3.2 Conduct of Internal AuditPursuant to Sec. 2 of Administrative Order No. 70, Internal Audit shall be performed withproficiency and due professional care in accordance with the following: The IAS shall ensure that the technical proficiency and educational background ofinternal auditors are appropriate for the audit to be performed;Internal auditors shall possess/obtain the knowledge, skills and discipline needed tocarry out the audit responsibilities of the IAS;The IAS shall ensure that internal audits are properly supervised and performed withdue professional care;The IAS shall conduct the audit in conformity with International Standards for theProfessional Practice of Internal Auditing; andThe Code of Ethics promulgated by the Association of Government Internal Auditors(AGIA) shall be strictly observed to maintain high standards of honesty, objectivity,diligence and loyalty.IASSOPPM6
Personnel Management3.3 Standard Qualifications and FunctionsThe table hereunder provides for the qualification standards and functions of each positionin the IAS. It reflects the minimum competency required in the areas of: a) Education, b)Experience, c) Training, d) Eligibility and e) Functions that will enable auditors toperform in a competent yFunctionsIASSOPPMTable 1 - Director/Head of Internal AuditAny of the following: Master’s Degree in Accounting, PublicAdministration, Criminology, Information Technology (IT)/ComputerScience, and other related disciplines relevant to theDepartment/Agency where he/she may be assigned; Bachelor’s Degreein Law would be an advantage4 years of relevant experience in one or a combination of the following:Public Administration, Internal Auditing, Administrative or CriminalInvestigation, Forensics (e.g., Accounting, IT, InternationalOrganization for Standardization (ISO) Management Systems, andother related disciplines)40 hours of training in one or a combination of the following: PublicAdministration, Internal Auditing, Administrative or CriminalInvestigation, Forensics, etc. Intellectual, interpersonal, communication, and informationtechnology skills. Clear understanding of the internal audit’s contribution to effectivegovernance; Ability to develop plans and programs to contribute to theachievement of mandated objectives; Strong management acumen and the ability to anticipate and assessmanagement control; Ability to build a strong network and credibility with the Head ofAgency and senior management; and Consistent observance of ethical principlesAny of the following: CESO III; CESO III and Lawyer or CESO IIIand CPA- Lawyer would be an advantage; Career Service(Professional)/Secondary Level Eligibility, preferably BAR/CPA, (RA1080 or both Lawyer and CPA)Administrative Functions:1. Submits work and financial plan;2. Submits annual procurement report;3. Submits accomplishment reports; and4. Submits performance evaluation, targets and ratings of staff.7
Personnel ManagementFunctionsOperational Functions:of Director 1. Establishes the annual goals, objectives and performance targets of(continued)the internal auditing unit;2. Establishes internal auditing standards, guidelines and proceduresfor the guidance of the internal audit staff;3. Determines the extent of coordination with COA to avoidduplication of audit report;4. Ensures support of management in the conduct of internal audit;5. Responsible for work performance and disciplines of the staff;6. Reviews and approves internal audit plans;7. Discusses internal audit scope and objectives with agency/unit orpersonnel to be covered prior to the conduct of audit;8. Reviews and approves internal audit reports;9. Discusses audit result with auditee/s before the report is finalized;10. If necessary, discusses the conclusions and recommendations in theaudit report with the appropriate level of management;11. Follows up actions to determine if audit recommendations havebeen carried out or not and inquires for the reasons for nonimplementation;12. Investigates anomalies discovered in audit and submits reports andrecommendations on investigations completed;13. Reviews and approves recommendations for enhancement of theinternal audit functions; and14. Does related nsIASSOPPMTable 2 - Internal AuditorBachelor’s degree relevant to the job (Law, Accounting, PublicAdministration, Criminology, IT/Computer Science and otherdisciplines related to the abovementioned)3 years of relevant experience involving Internal Auditing,Administrative or Criminal Investigation and/or Forensics (e.g.,Accounting, IT, ISO Management Systems and other relateddisciplines)16 hours of training in Internal Auditing, Administrative or criminalInvestigation and /or Forensics, etc.Career Service (Professional)/Secondary Level Eligibility, preferablyBAR/CPA, (RA 1080 or both Lawyer and CPA)1. Under direct supervision, assists in supervising a division taskedwith internal audit functions;2. Reviews internal audit plans;3. Discusses internal audit plans with the concerned staff;4. Reviews written internal audit reports;5. Trains new internal auditors;6. Rates performance of audit staff and does related work.8
Personnel nctionsTable 3 - Internal Auditing AssistantCompletion of 2 years of study in college1 year in position/s involving Internal Auditing, Administrative orCriminal Investigation and/or Forensics (e.g., Accounting, IT, ISOManagement Systems and other related disciplines)4 hours of training in Internal Auditing, Administrative or CriminalInvestigation and/or Forensics, etc.Career Service (Sub-professional)/First level eligibility1. Under immediate supervision, Assists internal auditors in theconduct of internal audit; and2. Does related work.3.4 Training and Professional DevelopmentInitially, new staff members will be exposed to various rules and regulations, copies ofwhich are currently maintained in the office library. These include: (a) Institute of InternalAuditors’ (IIA) Code of Conduct, (b) PGIAM, (c) NGICS, (d) International Standards’Manuals, (e) the department’s Audit Manual and (e) other relevant Circulars,Administrative Orders or Executive Orders issued by the different Government Agenciesrelated to the conduct of Internal Auditing is accessible to each auditor.Ordinarily, the department runs an annual training budget and auditors are regularlytaken for training seminars relevant to their job and grade. Therefore, the internalauditors will attend seminars and training as appropriate. Professional proficiency is theresponsibility of the individual auditor. Each auditor should possess a body of specializedknowledge and should maintain a recognized, continuous process of education to sustainprofessional growth in the field of internal auditing.The IASD, will assign each audit to the individual who possess the necessary knowledge,skills and disciplines to conduct the audit properly. The internal audit staff has aprofessional obligation to schedule and attend on-going professional education forums toensure they maintain academic proficiency and to advance professionally. The IASD isresponsible for providing appropriate audit supervision. Supervision is a continuingprocess, initiated with the planning process and concluding with the completion of theaudit assignment. IASD will document evidence of supervision and review on all audits.This may be accomplished by signing off on all work papers and audit documents.3.5 Personnel Performance EvaluationPersonnel performance is continuously monitored by reviewing work performed andproviding immediate feedback for support. At the end of each engagement, a debriefingmeeting is held to identify areas of personal improvement. Semi-annual evaluations areheld with each employee using the evaluation instrument corresponding to each position.IASSOPPM9
Personnel Management3.6 Personnel Recruitment and TransitionIAS’ policy on recruitment is targeted at candidates who meet minimum academicqualifications in line with the position they wish to be considered. Each internal auditoris responsible for maintaining an adequate level and an understanding of the social,academic, economic and political environment within which the University operates.The success of IAS is dependent on the ability to proactively manage employeerecruitment and transition of competent staff. Personnel are recruited using the standardhiring process held by the Human Resource Department (HRD).Personnel are encouraged to keep the Director informed of any possible employmentchanges. With thirty (30) days notification, IAS can actively recruit new employmentwhile exiting personnel is still with the department. The goal is to have an ample time torecruit the most competent candidate available and continue audit services with minimalimpact.IASSOPPM10
Audit Process4.0 The Audit Process4.1 Overview and Conduct of the Audit ProcessThe Audit Process is divided into four phases, namely: audit engagement planning, auditexecution, audit reporting, and audit follow-up. See Figure 4-1. For each phase, there arespecific criteria to ensure a successful audit engagement.Audit EngagementPlanningAudit ExecutionAudit ReportingAudit Follow-upFigure 4-1 Audit Process Flow DiagramAlthough every audit project is unique, the audit process is similar for most engagementsand usually consists of nine stages. Through these stages IAS will determine ways tominimize risks and increase efficiencies within the area.Client involvement is critical at each stage of the audit process. An audit will result in acertain amount of time being diverted from area personnel’s usual routine. One of the keyobjectives is to minimize this time and avoid disrupting on-going activities.4.1.1 Plan. IAS will develop an annual audit plan based on a review of all pertinentinformation. Sources may include, but are not limited to: a risk assessment, internal andexternal evaluations and management guidance.4.1.2 Engagement. IAS will schedule a meeting with the area head and the seniormanagement of the process to be audited. Identify the scope and objectives of the audit,how long it is expected to last and what the responsibilities for all parties are in the auditprocess. Any factors that may impact the audit should be raised at this time. Factorsinclude vacations, fiscal year end reporting requirements, etc.4.1.3 Test. Testing will include interviews with the staff, review of procedures andmanuals, compliance with the University policies and governmental laws and regulationsand assessing the adequacy of internal controls.IASSOPPM11
Audit Process4.1.4 Communicate. Keep the department that is undergoing the audit updated on thestatus of the audit on a regular basis especially if there are any findings. There may beinstances where the findings can be addressed immediately.4.1.5 Draft. The report draft will include the audit Scope and Objectives, Audit Findingsand Potential Audit Recommendations.4.1.6 Management Response. Management will receive the audit draft to confirm thefacts and respond to the Potential Audit Recommendations. Their response should assignthe responsibility and have a specific target date of completion for the corrective actions.The time window for the Management Response is normally seven (7) business days.4.1.7 Review. The final version of the audit will be reviewed, and all issues resolved bythe IASD.4.1.8 Distribute. The report is then released to the audited department, the divisionalDirector/Vice President and the President.4.1.9 Verify. IAS will normally conduct a follow up on the Management responses to theaudit findings and recommendations within a reasonable time frame. This subsequentreview will be discussed with the involved management and the comments published.4.2 The Annual Audit Plan (AAP)The IASD, by authorization of the President, annually establishes a plan of scheduledaudits called the “Annual Audit Plan”. The audits selected can relate to specificdepartments/areas within the university, or to processes that are carried out acrossseveral different departments/areas. To maximize the use of IAS resources, a risk-basedapproach is adopted in drawing up the plan. Major risk factors are identified, usingdifferent risk assessment criteria, and areas with the highest perceived risk are given highpriority for audit.The AAP (Appendix 1) is prepared and submitted to the President each year for reviewand approval. Upon approval, the plan is executed by IAS during the following calendaryear. Additionally, unannounced audits may be performed at the
This Internal Audit Services Standard Operating Policies and Procedures Manual (IASSOPPM) establishes the policies and procedures to be followed in the conduct of internal audit. This manual aims at standardizing internal audit in terms of uniformity and consistency across all the internal control units/departments/offices.
