
Internal Control Documentation

This document provides instructions for completing an internal control documentation form for the audit of XXX A Savings Bank. It explains that the form is used to: 1) Gain an understanding of entity-level internal controls to plan the audit and determine the nature, timing, and extent of audit procedures. 2) Identify and evaluate the design of important entity-level controls. 3) Determine if important entity-level controls have been implemented and assess their effectiveness. 4) Summarize procedures performed and information considered to identify risks of material misstatement due to fraud. The form contains sections to document the control environment, risk assessment, control activities, information and communication, and monitoring. It also identifies

INTERNAL CONTROL DOCUMENTATION

Entity: XXX A Savings Bank XXX Prepared:


Subsidiary or Division: Approved:
Balance Sheet Date: Partner:

General

This form assists us in:

• Gaining an understanding of internal control at the entity level to plan the audit and to determine the nature, timing and extent of our audit procedures;
• Identifying and evaluating the design of the entity-level controls important to the audit;
• Determining whether the entity-level controls important to the audit have been implemented;
• Assessing the effectiveness of internal control at the entity level; and
• Summarizing the procedures performed and information considered in identifying the risks of material misstatement due to fraud.

We also are required to obtain information about internal control at the individual application/process level to plan the audit (e.g., make our combined inherent and control risk assessments) and to determine the nature, timing, and extent of our audit procedures.

The information we obtain and document in this form also is useful in evaluating entity-level controls in connection with engagements to report on internal control over financial reporting (e.g., Section 404 of the Sarbanes-Oxley Act of 2002, FDICIA).

Instructions for Completing the Internal Control Document

1. Many sections of the form require the engagement team to document observations based on a list of factors to consider. It is not necessary to provide a response for each factor. Rather, the list of factors is intended to be thought-provoking so that the engagement team can apply its collective knowledge of the entity in tailoring an appropriate response for the applicable section.

2. We document our consideration of the components of internal control at the entity level in Part 1 of the form. The responses provided should include relevant observations (whether positive or negative) based on the Factors to Consider. Accordingly, a response of “none” or “not applicable” is not appropriate for this section within Part 1. We also identify the entity-level controls important to the audit and determine whether those controls have been properly designed and implemented in Part 1. Responses within Part 1 should be sufficient to support our Conclusion on the Effectiveness of Internal Control at the Entity Level. Any response within Part 1 that is indicative of a potential fraud risk also is included in the Summary of Observations and Identified Fraud Risks.

3. Part 2 is used to document sources of information available specific to our identification of the risks of material misstatement due to fraud. Responses in Part 2 that are indicative of a potential fraud risk are included in the Summary of Observations and Identified Fraud Risks.
Internal Control Document
4. The form includes a Table of Contents that has hyperlinks to each applicable section. Also, hyperlinks back to the Table of Contents or to other specific sections within Parts 1 and 2 are included within the form. After using a hyperlink, you may return to the point of origin by selecting the back arrow key on the Microsoft Word toolbar. These hyperlinks provide the engagement team the ability to copy, paste, and edit information from the detailed sections within Parts 1 and 2 to the Conclusion on the Effectiveness of Internal Control at the Entity level and the Summary of Observations and Identified Fraud Risks. In addition, the hyperlinks will facilitate review of the information in the form.

Contents

Conclusion on the Effectiveness of Internal Control at the Entity Level
Summary of Observations and Identified Fraud Risks
Summary of Identified Fraud Risks and Planned Responses

Part 1 – Evaluating Entity-Level Controls
1.1 Control Environment
a. Integrity and Ethical Values, and the Behavior of Key Executives
b. Management’s Control Consciousness and Operating Style
c. Management’s Commitment to Competence
d. Board of Directors and/or Audit Committee Participation in Governance and Oversight
e. Organizational Structure and Assignment of Authority and Responsibility
f. Human Resource Policies and Practices
1.2 Risk Assessment
1.3 Control Activities, Information and Communication
1.4 Monitoring

Part 2 – Identifying Potential Risks of Material Misstatement Due to Fraud
2.1 Engagement Team Discussion(s)
2.2 Risk Factors Relating to Fraudulent Financial Reporting
2.3 Risk Factors Relating to Misappropriation of Assets
2.4 Results of Analytical Procedures During Planning
2.5 Inquiries of Senior Management, the Audit Committee, Internal Audit and Others
2.6 Other Information

Result of Evaluating Entity-Level Controls

Our overall assessment of the effectiveness of internal control at the entity level is interrelated with our consideration of fraud risks and other procedures that occur throughout the audit. We consider whether the information obtained in Part 2, Identifying Potential Risks of Material Misstatement Due to Fraud, has a significant effect on our overall assessment of the effectiveness of internal control at the entity level. Similarly, we consider whether deficiencies in internal control at the entity level should be considered in assessing the risks of material misstatement due to fraud (e.g., inappropriate attention to internal control and information technology, lack of accounting and finance personnel with required technical skills, lack of an internal audit department).

The presence of one or more negative observations within Part 1 of the form does not necessarily mean that internal control at the entity level is ineffective. However, we consider whether positive observations sufficiently mitigate any deficiencies or concerns before making our overall conclusion on the effectiveness of internal control at the entity level. Similarly, the presence of several fraud risk factors within Part 2 of the form may bring into question a conclusion that controls at the entity level are effective and we should give them due consideration in making our assessment. In this regard, we pay particular attention to risk factors relating to attitudes of management or the board of directors, or opportunities resulting from inappropriate attention to, or a disregard for, internal control.

Based upon our observations documented in Parts 1 and 2, and identified fraud risks included in the Summary of Observations and Identified Fraud Risks, we conclude that internal control at the entity level is:

Effective    Not Effective

Describe the basis for your conclusion below. To access the detailed responses within Part 1, click here for a link to the Table of Contents and hyperlinks therein to sections within Part 1 – Evaluating Entity-Level Controls. For audits of public companies, if we conclude that internal control at the entity level is ineffective, we consult with the Managing Partner for Audit regarding the effect on our audit strategy and the implications on client continuance.

Internal Control Component

Control Environment
We assess that the Bank’s control enviro

Risk Assessment
The Bank can be considered as a highly
Bangko Sentral ng Pilipinas (BSP), Secur
(BIR). The Bank also follows the Philipp
statements. For this reason, along with
assess that the Bank is a high risk client

Control Activities and Information and Communication
The control activities of the Bank are d
which is easily accessible in their intran

Monitoring
The Bank has different committees to e
set out by the Board of Directors (BOD)

Document below the identified risks of material misstatement due to fraud. We expect one or more fraud risks will be identified for most engagements. In addition, there is a presumption that we will identify one or more fraud risks relating to revenue recognition. In doing so, we consider the aspects of revenue recognition that are most susceptible to the risk of fraud and carefully consider the significant accounts and assertions that are affected by the identified risk of fraud and plan our audit responses to address those specific assertions. In those infrequent cases when we have not identified one or more fraud risks relating to revenue recognition, we document such reasons in the Summary of Audit Strategies.

Fraud Risk Area / Identified Fraud

Revenue Recognition: The Bank’s revenues may be misstated due to the following:
• Improper accounting treatment for interest income
• Incorrect amortization of loans and receivables and held-to-maturity investments using effective interest rate (EIR) method
• Incorrect revenue recognition from sale of real and other properties acquired

Expense recognition: The Bank’s expenses may be misstated due to the following:
• Recording of expenses in the wrong period
• Inadequate loan loss provisioning and provisioning for contingencies arising from lawsuits
• Erroneous assessment for possible impairment of branch licenses
• Improper computation and accrual of interest expense, income tax expenses and other expenses

Cash: The Bank’s cash may be misstated due to the following:
• Incompleteness of cash because it’s inherently susceptible to theft
• Incorrect and incomplete recording of bank reconciling adjustments

Investment additions and disposals: Investments of the Bank may be misstated due to the following:
• Incomplete recording of additions and disposals of investments
• Improper computation of gains and losses on additions and disposals of investments
• Improper valuation of additions and disposals of investments

Completeness of related party transactions: The Bank may have transactions with related parties, including DOSRI, which are not in arm’s length terms or on terms similar to those offered to non-related entities in an economically comparable environment. Furthermore, the Bank may have significant related party transactions which are non-existent.

Prior year adjustments: Since the Bank maintains its balances in accordance with BSP’s regulations and standards, prior year PFRS adjustments may not be completely and accurately recorded.

Note: Risks associated with improper revenue recognition should be tailored to the specific engagement (e.g., side agreements, channel stuffing, incentives to accelerate revenue recognition, past history of improper sales cut-off).

Document below the key observations from the various sources of information in other parts of this form that support the identified fraud risks listed above.

Observations from Part 1 – Considering the Components of Internal Control at the Entity Level
• The controls of the Bank are in place and are functioning effectively.

Observations from Part 2.1 – Engagement Team Discussion
• The controls of the Bank are in place and are functioning effectively.

Observations from Parts 2.2 and 2.3 –
• The controls of the Bank are in place and are functioning effectively.

Observations from Part 2.4 – Planning Analytics
• The controls of the Bank are in place and are functioning effectively.

Observations from Part 2.5 – Inquiries
• The controls of the Bank are in place and are functioning effectively.

Observations from Part 2.6 – Other Information
N/A

Entity’s Overall Programs and Controls That Address or Mitigate Fraud Risks

An entity’s programs and controls that address or mitigate identified risks of material misstatement due to fraud may be part of any of the five components of internal control over financial reporting, but often are a part of the control environment. Effective anti-fraud programs might include the following elements:

o Code of conduct or ethics policy, especially provisions related to conflicts of interest, related party transactions, illegal acts, and the monitoring of the code or policy by management and the audit committee or board;
o An effective internal audit function, including the nature and extent of activity and coverage, and the extent of the internal audit’s involvement and interaction with the audit committee;
o Adequate oversight of financial reporting and internal control over financial reporting by the audit committee and the board of directors;
o Whistleblower policy and related whistleblower or ethics hotline, including the company’s procedures for handling complaints and for accepting confidential submissions of concerns about questionable accounting or auditing matters;
o A well-defined organization structure, including policies and procedures related to the hiring, promotion, and compensation of key personnel;
o The entity’s risk assessment processes; and
o Controls that help to prevent misappropriation of company assets that could result in a material misstatement of the financial statements (e.g., segregation of duties, authorization of assets, security systems).

List below the entity’s programs and controls that address or mitigate the identified risks of material misstatement due to fraud. These programs and controls are also listed in each relevant component of internal control throughout this form where we evaluate their design and implementation.

• The Bank employs authorization controls over their entire operation.
• Review and approval are also employed by the Bank. They have an established organizational structure and approval matrix that they use.
• Proper documentation is also maintained by the Bank.
• Since the Bank uses a computer system, the risk of having misstatements due to human errors is lower.

Audit Responses to Identified Fraud Risks

Because identified fraud risks are always significant risks, we identify any fraud risks, along with other significant risks in the Summary of Audit Strategies (SAS) and include a brief description of our audit strategy for each risk. Our audit must include understanding and evaluating the design of the controls and determining whether the controls have been implemented over the fraud risks. For each of the fraud risks, we carefully consider which significant accounts and assertions are affected by the fraud risks, and then identify controls that help to prevent or detect a material misstatement in the financial statements.

For each of the fraud risks identified, provide a brief description of our planned audit response. Our planned audit response can be (1) a response that has an overall effect on how the audit is conducted (e.g., assigning additional persons with specialized skills or knowledge to the engagement, performing procedures at locations on an unannounced basis); (2) tests of overall programs and controls or controls designed to mitigate the specific fraud risk; and/or (3) a specific response involving the nature, timing, or extent of our substantive auditing procedures.

Because management may have the ability to override controls that otherwise appear to be operating effectively, it is unlikely that audit risk can be reduced to an appropriately low level by performing only tests of controls. Accordingly, we always will perform some substantive procedures to respond to the particular fraud risk, in addition to any tests of controls.

Identified Fraud Risk / Affected Accounts and Assertions

Identified Fraud Risk: Revenue Recognition
The Bank’s revenues may be misstated due to the following:
• Improper accounting treatment for interest income
• Incorrect amortization of loans and receivables and held-to-maturity investments using effective interest rate (EIR) method
• Incorrect revenue recognition from sale of real and other properties acquired
Affected Accounts and Assertions:
• Held-to-maturity investment – Existence and Valuation
• Loan receivable – Existence, Valuation, Presentation and Disclosure
• Interest income – Occurrence, Measurement
• ROPA – Existence, Valuation, Presentation and Disclosure
• Sales Contract Receivable – Existence, Valuation

Identified Fraud Risk: Expense recognition
The Bank’s expenses may be misstated due to the following:
• Recording of expenses in the wrong period
• Inadequate loan loss provisioning and provisioning for contingencies arising from lawsuits
• Erroneous assessment for possible impairment of branch licenses
• Improper computation and accrual of interest expense, income tax expenses and other expenses
Affected Accounts and Assertions:
• Expenses – Completeness, Existence, Occurrence, Cut-Off
• Allowance for Credit Losses – Valuation
• Branch licences – Valuation

Identified Fraud Risk: Cash
The Bank’s cash may be misstated due to the following:
• Incompleteness of cash because it’s inherently susceptible to theft
• Incorrect and incomplete recording of bank reconciling adjustments
Affected Accounts and Assertions:
• Cash – Completeness, Existence, Cut-Off

Identified Fraud Risk: Investment additions and disposals
Investments of the Bank may be misstated due to the following:
• Incomplete recording of additions and disposals of investments
• Improper computation of gains and losses on additions and disposals of investments
• Improper valuation of additions and disposals of investments
Affected Accounts and Assertions:
• Real and other properties acquired – Completeness, Existence, Valuation, Presentation and Disclosure
• AFS Financial assets – Completeness, Existence, Valuation, Presentation and Disclosure
• HFT Financial assets – Completeness, Existence, Valuation, Presentation and Disclosure
• HTM Financial assets – Completeness, Existence, Valuation, Presentation and Disclosure

Identified Fraud Risk: Completeness of related party transactions
The Bank may have transactions with related parties, including DOSRI, which are not in arm’s length terms or on terms similar to those offered to non-related entities in an economically comparable environment. Furthermore, the Bank may have significant related party transactions which are non-existent.
Affected Accounts and Assertions:
• Loans and receivables – Completeness, Existence, and Occurrence
• Deposit liabilities – Completeness, Existence, and Occurrence

Identified Fraud Risk: Prior year adjustments
Since the Bank maintains its balances in accordance with BSP’s regulations and standards, prior year PFRS adjustments may not be completely and accurately recorded.
Affected Accounts and Assertions:
• All accounts – Valuation

Procedures to Address the Risk of Management Override

Even if specific risks of material misstatement due to fraud are not identified, there is a possibility that management override of controls could occur. Required procedures to address the risk of management override are included in the Program for General Audit Procedures. Such required procedures include procedures to 1) select and examine supporting documentation for journal entries and other adjustments, 2) review significant accounting estimates for evidence of management bias, including a retrospective review of significant estimates, and 3) evaluate the business rationale for significant unusual transactions.

Part 1 — Evaluating Entity-Level Controls

In making our assessment of the entity’s internal control at the entity level, we consider information relating to the five components of internal control for the entity as a whole. Exhibit 4.1 of the Global Audit Methodology contains additional considerations for each of the components of internal control.

1.1 Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. We obtain sufficient knowledge of the control environment, including IT aspects of the control environment, to understand management’s and the board of directors’ attitudes, awareness, and actions concerning the control environment, considering both the substance of controls and their collective effects.

The control environment consists of the following:

• Integrity and ethical values, and behavior of key executives.
• Management’s control consciousness and operating style.
• Management’s commitment to competence.
• Board of directors’ and/or audit committee participation in governance and oversight.
• Organizational structure and assignment of authority and responsibility.
• Human resource policies and practices.

When gaining an understanding of the control environment, we consider each of these and their interrelationships. In particular, we recognize
that deficiencies in any one of the factors may undermine the effectiveness of the others.

Integrity and Ethical Values, and the Behavior of Key Executives

The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of the control environment, affecting the design, administration, and monitoring of key processes. Integrity and ethical behavior is the product of the entity’s ethical and behavioral standards, how they are communicated, and how they are monitored and enforced in its business activities. They include management’s actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of the entity’s values and behavioral standards to personnel through policy statements and codes of conduct, as well as the examples set by the executives.

Document below our observations about the integrity and ethical values, and the behavior of key executives.

Factors to Consider:
• Does the entity have a written code of conduct that is communicated to all employees?
• Does the entity’s corporate culture emphasize the importance of integrity and ethical behavior? For example, are violators immediately sanctioned?
• Does management lead by example?
• Does senior management hold itself to the highest standards?
• Does management take appropriate action in response to departures from approved policies and procedures or the code of conduct?

Observations on the Integrity and Ethical Values

• The Bank has a written code of conduct that all employees, irrespective
but have not yet been cleared, adhere to. Their code defines behaviors whic
integrity, dedication, prudence, diligence, decency, propriety, and decorum.

• The Bank upholds good governance as a key to a strong corporate cultu
governance, risk management and internal processes. As part of strengthen
(SMC) are actively involved in planning, approving and reviewing the Bank’s

• The Bank is run by seasoned professional bankers with competencies in
banks.

• To institutionalize the Bank’s ethical standards, the Bank adheres to stri
Group and Discipline Ethics and Values Committee (DEVCOM).

Management’s Control Consciousness and Operating Style

Management’s control consciousness and operating style have a pervasive effect on internal control. This encompasses a broad range of characteristics that might include: management’s attitudes about the importance of internal control, including how it responds to comments from internal auditors and us about improvements in internal control; management’s attitudes and actions toward financial reporting (conservative or aggressive approach to the selection and implementation of available alternative accounting principles, and the conscientiousness and
conservatism with which accounting estimates are developed); and management’s attitudes toward information processing and accounting functions and personnel.

Document below our observations about management’s control consciousness and operating style (in addition to the factors below, consider any risk factors identified relating to opportunities or attitudes associated with fraudulent financial reporting or opportunities or attitudes associated with misappropriation of assets as indicated in Part 2).

Factors to Consider:
• Does management give appropriate attention to internal control, including information technology controls?
• Do one or a few individuals dominate management without effective oversight by the board of directors or audit committee?
• What is management’s tendency with respect to selecting accounting principles and determining accounting estimates — aggressive or conservative?
• Does management consult with us on significant matters relating to internal control and accounting issues, or are there frequent disputes (or, for initial engagements, disputes with the predecessor auditors)?

Observations on Management’s Control Consciousness and Operating Style

• The Bank has an internal audit group who:
- Formulates, develops and implements a risk based audit plan, work program and audit procedures,
- assesses reports on and makes suggestions for improving the Bank’s key operational and finance activities and internal control,
- liaises with Management on risk assessment and audit issues,
- reports on the development and execution of the internal audit plan to the Audit Committee and Management

• The bank will continue to be conservative and at the same time sensitiv
the market segment it serves.

• The Bank has a defined organizational structure where the Managemen
say.

• The Bank is a first time client and the change in auditors was brought ab
matters relating to internal control and accounting issues will be consulted

Management’s Commitment to Competence

Management’s commitment to competence includes management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge. Among the many factors that should be considered by management are the nature and degree of judgment to be applied to a specific job and the extent of supervision that will be provided.

Document below our observations about management’s commitment to competence.

Factors to Consider:
• Do the accounting, finance, and IT personnel have the competence and training needed to deal with the nature and complexity of the entity’s business? Are repeated errors addressed appropriately by changes in personnel or systems?
• Is management committed to provide sufficient accounting, financial, and IT personnel to keep pace with the growth and/or complexity of the business and the
demands of the stakeholders?
• Do accounting, finance, and IT personnel have the required technical skills to address new or pending accounting, statutory, or IT systems requirements?

Observations on Management’s Commitment to Competence

• The Bank maintains qualified and responsible employees capable of handling its transactions and processes in operations and finance. Management’s commitment to competence enables it to keep pace with the growth and complexity of the business and demands of the stakeholders.

• The HR group conscientiously implemented recruitment and retention tools to respond to the organization’s personnel needs. The Service Level Agreement (SLA) is under constant fine-tuning, and with close coordination with the Marketing Group, to raise the standards and competitiveness in the industry. To keep its gains moving forward, the structure of the employee benefits program has been augmented to meet, if not exceed, industry practices.

Board of Directors and/or Audit Committee Participation in Governance and Oversight

The board of directors and/or audit committee has a significant influence on the entity’s control consciousness. The board of directors, through its own activities and supported by an audit committee or an equivalent function, is responsible for overseeing the entity’s accounting and financial reporting policies and procedures.

Document below our observations about the board of directors and/or audit committee participation in governance and oversight.

Factors to Consider:
• Does the board of directors have a charter (or other written objectives) for the audit committee?
• Is there an open line of communication among the board of directors, audit committee, and external and internal auditors, and is the nature and frequency of communication appropriate given the size and complexity of the entity?
• Are the members of the audit committee appropriately experienced and qualified?
• Are the members of the board of directors (and audit committee) independent of management?
• Is the number and length of board and audit committee meetings sufficient given the size and complexity of the entity?
• Is the audit committee (and/or board of directors) adequately involved in the financial reporting process?
• Does the audit committee (and/or board of directors) give adequate consideration to monitoring business risks affecting the entity and
Part 1 — Evaluating Entity-Level Controls
1.1 Control Environment

management’s risk assessment processes (including the risks of fraud)?
• Are significant IT activities, challenges, and risks periodically communicated with the board of directors or audit committee?
• Is there high turnover of board members?

Observations on Board of Directors and/or Audit Committee Participation in Governance and Oversight
• The Bank has an established governance structure that ascertains oversight and accountability for the management of risk across the enterprise. Various BOD and Management level committees are in place to regularly monitor and manage various risk areas to which the Bank is exposed to. The Bank’s BOD has overall responsibility for the oversight of the Bank’s risk management process. It is supported by various BOD committees, which are responsible for developing, managing and monitoring risk management policies in their specified areas. They have regular meetings, at least monthly, to discuss the operations of the Bank.
• The Board of Directors sets the strategic direction of the Company, fosters its long term success and ensures its sustained competitiveness. The Board of Directors have been handling their position in quite a number of years. Each member of the audit committee has adequate understanding (at least) or competence (at most) of the company’s financial management systems and environment.

Organizational Structure and Assignment of Authority and Responsibility

The entity’s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. Considerations for establishing a relevant organizational structure include the identification of key areas of authority and responsibility and appropriate lines of reporting. The entity should have an organizational structure that is suited to its needs. The appropriateness of the entity’s organizational structure depends, in part, on its size and the nature of its activities. The assignment of authority and responsibility pertains to how operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that all personnel understand the entity’s objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable.

Document below our observations about the organizational structure and the assignment of authority and responsibility (in addition to the factors to consider below, consider any risk factors identified relating to opportunities associated with fraudulent financial reporting or opportunities associated with misappropriation of assets in Part 2).

Factors to Consider:
• Is the assignment of responsibilities clear within the entity (including responsibilities specific to information systems processing and program development)?
• Is there an adequate structure for assigning ownership of data, including who is authorized to initiate and/or change transactions?
• Are policies and procedures for the authorization of transactions established at the appropriate level?
Observations on the Organizational Structure and the Assignment of Authority and Responsibility
• There is a clear assignment of responsibilities and accountabilities on the Bank’s assets, data files and access to information systems and applications. The Bank has an established job description for each position.
• The Bank has a Policies and Procedures Manual (PPM) that is installed in their intranet and is available to the employees. The PPM contains the policies on authorization.

Human Resource Policies and Practices

Human resource policies and practices relate to hiring, orienting, training, evaluating, counseling, promoting, and compensating personnel. These policies and practices also relate to remedial actions, such as disciplining and terminating personnel.

Document below our observations about the entity’s human resource policies and practices (in addition to the factors to consider below, consider any risk factors identified in Part 2, particularly those relating to incentives/pressures and opportunities for fraudulent financial reporting, and any identified risk factors for misappropriation of assets that relate to inadequate human resource policies and practices).

Factors to Consider:
• Does the entity have adequate standards and procedures for hiring, training, motivating, evaluating, promoting, compensating, transferring, or terminating personnel (particularly those in accounting, finance, and information systems)?
• Does the entity have written job descriptions or reference manuals that inform personnel of their duties (or, in the absence of written documentation, adequate communication of job responsibilities and expectations)?
• Are policies and procedures clear, and are they issued, updated, or revised timely?
• Does the entity have adequate procedures for establishing and communicating policies and procedures to personnel at decentralized locations (including foreign operations)?
• Does the entity have protection (e.g. insurance, bonding) for employees with access to cash, securities, and other valuable assets?
• Are contract personnel subject to policies and procedures created to control their activities by IT function and to protect the entity’s information assets?

Observations on the Entity’s Human Resource Policies and Practices
• The Bank has adequate standards and procedures for hiring, training, m
terminating personnel, which can be found in the Bank’s PPM. They have w
• The policies and procedures are clear. Should there be any revisions, th

Identify and Evaluate the Design of Entity-Level Controls Important to the Audit and Determine Whether the Controls Have Been Implemented

Entity-level controls important to the audit include those entity-level controls that support transaction-level controls in effectively preventing or detecting material misstatements.

We have documented our understanding of entity-level controls related to the control
environment in the boxes above. In the box below, indicate those entity-level controls that are important to the audit.

Examples of entity-level controls in the control environment that may be important to the audit include:
• The entity has a code of conduct or equivalent policy that is communicated and monitored.
• There are written job descriptions, reference manuals and other communications to inform personnel of their duties.
• The audit committee provides effective oversight of the entity’s external financial reporting and internal control over financial reporting.
• Management maintains, monitors and appropriately responds to a fraud hotline.
• Management has established a “whistle-blower” policy and appropriately monitors and responds to complaints.
• Management has other processes in place for handling complaints about accounting, auditing, IT, or internal control issues.
• The entity’s communications reinforce a consistent message regarding policies and culture.
• Management corrects identified internal control deficiencies on a timely basis.
• There are appropriate policies for such matters as accepting new business, conflicts of interest, and security practices that are adequately communicated throughout the organization.
• Job performance is periodically evaluated and reviewed with each employee.

After we have identified the entity-level controls important to the audit, we evaluate the design of the controls and determine whether the controls have been implemented. Evaluating the design of the entity-level controls involves considering whether the controls effectively support transaction-level controls. Implementation of a control means that the control exists and has been placed into operation.

Document the procedures performed, including where we obtained the information used to support our conclusions below of whether the entity-level controls important to the audit have been properly designed and implemented. In determining that a control has been implemented, we first consider whether the control is properly designed. We obtain appropriate audit evidence that the internal control at the entity level has been properly designed and implemented. In all cases, inquiry alone is not sufficient to evaluate the design of a control at the entity level or to determine whether that control has been implemented. Our procedures may include a combination of inquiry of entity personnel (including inquiries of more than one individual to obtain corroborating evidence), observing the application of specific controls, and inspecting documents and reports. Our description of Procedures Performed below may be a reference to other working papers where our procedures are documented.

Entity-Level Controls Relevant to the Audit | Implemented?
• The entity has a code of conduct that is communicated and monitored. | Yes No
• There are written job descriptions, reference manuals and other communications to inform personnel of their duties. | Yes No
• The Bank maintains qualified and responsible employees capable of handling its transactions and processes in operations and finance. | Yes No
• The Bank has a well-defined organizational structure. | Yes No
• Management gives appropriate attention to internal control including information technology controls. | Yes No
• Key financial and operating decisions are reviewed and approved by the BOD. | Yes No
• The BOD has adequate accounting and period closing practices, in operation which are reviewed regularly to determine that they are still applicable. | Yes No

Part 1 — Evaluating Entity-Level Controls
1.2 Risk Assessment

Risk assessment is the entity’s process for identifying and analyzing the risks (both internal and external) that are relevant to the achievement of its objectives. In addition, a risk assessment process provides the entity with a basis for determining how to manage its risks (e.g., the actions to address specific risks or a decision to accept a risk because of cost or other considerations).

An entity’s risk assessment process for financial reporting purposes is its identification, analysis, and management of risks relevant to the preparation of financial statements that give a true and fair view (or are presented fairly, in all material respects) in accordance with IFRS, generally accepted accounting principles, or another appropriate financial reporting framework. When obtaining an understanding of the entity’s risk assessment process, we should evaluate whether management has identified the risks of material misstatement in the significant accounts and disclosures and related assertions of the financial statements and has implemented controls to prevent or detect errors or fraud that could result in material misstatements. For example, risk assessment may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.

We gain an understanding of the entity’s risk assessment process, specifically as it relates to the financial reporting objective of internal control. We then determine, generally through inquiry, observation, and inspection of relevant documents, whether the entity’s risk assessment process has identified and analyzed each of the risks we have identified (e.g., key business risks documented in the Understanding the Entity, underlying factors that might lead to risks of material misstatement due to fraud) that may have a short-term effect on financial statement accounts and assertions. We also consider whether the entity has implemented appropriate steps to mitigate each of the risks.

Describe the entity’s risk assessment process below or in another document, specifically as it relates to the financial reporting objective of internal control (i.e., preparing financial statements for external purposes that give a true and fair view (or are presented fairly in all material respects) in accordance with IFRS, generally accepted accounting principles, or another appropriate financial reporting framework). In describing the process, we specifically consider how the entity’s accounting and financial reporting personnel become aware of risks that could have a material effect on the financial statements, including disclosures.

Factors to Consider:
• Has a risk assessment process been established that includes estimating the significance of risks, assessing the likelihood of their occurrence, and determining needed actions?
• Does the entity’s risk assessment process specifically include identifying and assessing the risks of fraud?
• Does the entity’s risk assessment process specifically include identifying and assessing the risks related to IT (e.g., has a business impact assessment been performed that considers the effect of system failures on the financial reporting process)?
• Are there mechanisms in place to anticipate, identify, and react to changes that may have a dramatic and pervasive effect on the entity (e.g., asset/liability management committee in a financial institution, commodities trading risk management group in a manufacturing entity)?
• Are there mechanisms in place to anticipate, identify, and react to routine events or activities that affect achievement of entity or process/application-level objectives?
• Does the IT department have a process to notify end-users (e.g., accounting) when significant changes are made that could affect the method or the process of recording transactions?
• Does the accounting department have in place processes to identify significant changes in the financial reporting framework promulgated by relevant authoritative bodies?
• Do communication channels in place notify the accounting and IT departments of changes in the entity’s business practices that may affect the method or the process of recording transactions?
• Does the accounting department have processes in place to identify significant changes in the operating environment, including regulatory changes?
• Are entity-level objectives established and communicated, including how they are supported by strategic plans and complemented on a process/application level?
• Does IT management periodically communicate its activities, challenges, and risks with the CEO and CFO?

Entity’s Risk Assessment Process
• The Bank’s BOD has overall responsibility for the oversight of the Bank’s risk management process. The established risk governance framework together with the supporting structure provides for the mechanism to ensure oversight and accountability for risk at various levels in the organization. Various board and management committees, which are responsible for developing, managing and monitoring specific risks that the Bank is exposed to, include the following:
i. Risk Management Committee (RMC)
ii. Audit Committee (AC)
iii. Loan Committee (LoanCom)
iv. Asset Liability Committee (ALCO)
v. Credit Committee (CreCom)
• The Bank’s Policies and Procedures set out the framework for the management of credit, market, liquidity and operational risks. These are regularly reviewed and updated to adapt to changing risk conditions and refl
Mitigation mechanisms are applied to both existing business operations and
identified, sufficiently mitigated, and that residual risks are within risk tolera

Identify and Evaluate the Design of Entity-Level Processes or Controls Important to the Audit and Determine Whether They Have Been Implemented

We have documented our understanding of the entity’s entity-level processes or controls related to risk assessment in the box above. In the box below, indicate those elements of the entity-level processes or specific controls that are important to the audit.

Examples of entity-level processes or controls related to risk assessment that may be important to the audit include:
• The entity has an adequate mechanism for identifying business risks, including those resulting from entering new markets, offering new products or services, privacy and data protection compliance, and other changes in the business, economic and regulatory environment.
• Management assesses financial reporting risks within the organization.
• Internal audit (or another group within the entity) performs a periodic (at least annual) risk assessment, including IT.
• The board of directors and/or the audit committee oversees and monitors the risk assessment process and management’s actions to address significant risks identified.
• The accounting department has a process in place to identify and address changes in the applicable financial reporting framework, the operating environment, or the regulatory environment, as well as for approving changes in accounting made to address such changes.
• Business objectives are established, communicated, and monitored throughout the entity.
• The strategic plan is reviewed and approved by the board of directors.
• Budgets/forecasts are updated during the year to reflect changing conditions.

After we have identified the entity-level processes or controls important to the audit, we evaluate their design and determine whether they have been implemented. Evaluating the design of the entity-level processes or controls involves considering whether they effectively support transaction-level controls. Implementation of a process or control means that it exists and has been placed into operation.

Document the procedures performed, including where we obtained the information used to support our conclusions below of whether the entity-level processes or controls important to the audit have been properly designed and implemented. In determining that a process or control has been implemented, we first consider whether it is properly designed. We obtain appropriate audit evidence that the internal control at the entity level has been properly designed and implemented. In all cases, inquiry alone is not sufficient to evaluate the design of a process or control at the entity level or to determine whether it has been implemented at the entity level. Our procedures may include a combination of inquiry of entity personnel (including inquiries of more than one individual to obtain corroborating evidence), observing the application of specific processes or controls, and inspecting documents and reports. Our description of Procedures Performed below may be a reference to other working papers where our procedures are documented.

Entity-Level Controls Relevant to the Audit | Implemented?
Board of Directors, thru its committees, closely monitor and supervise the Bank’s operations | Yes No
Internal audit performs a periodic (at least annual) risk assessment, including IT. | Yes No
Part 1 — Evaluating Entity-Level Controls
1.3 Control Activities, Information and Communication

Control activities are the policies and procedures that help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities, whether automated or manual, have various objectives and are applied at various organizational and functional levels.

An information system consists of infrastructure (physical and hardware components), software, people, procedures (manual and automated), and data. The information system relevant to financial reporting objectives, which includes the accounting system, consists of the procedures, whether automated or manual, and records established to initiate, authorize, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. Information and communication is the process of capturing and exchanging the information needed to conduct, manage, and control an entity’s operations. The quality of the entity’s information and communication affects management’s ability to make appropriate decisions in controlling the entity’s activities and to prepare reliable financial reports.

Document below our observations about the entity’s control activities, and the information and communication components.

Factors to Consider:
• Does the entity have adequate physical controls (e.g., secured facilities, adequate safeguards over access to assets and data, authorization for access to computer programs and data files, and periodic counting and comparison of physical assets with amounts shown on control records)?
• Does the entity have processes for reviewing actual performance versus budgets, forecasts, and prior period performance, with adequate reporting of exceptions and variations from planned performance and appropriate responses to such exceptions and variations?
• Does the entity have planning and reporting systems (such as business planning; budgeting, forecasting, and profit planning; and responsibility accounting) that adequately set forth management’s plans and the results of actual performance?
• Does the entity have adequate segregation of duties (e.g., appropriate segregation of custody of assets, authorization and approval of transactions and journal entries, recording and reporting transactions and journal entries, access to master files)?
• Is the entity able to prepare accurate and timely financial reports, including interim reports?
• Are users generally satisfied with information systems processing, including the reliability and availability of reports?
• Is there an appropriate level of coordination between the accounting and IT functions?
• Are the accounting and IT departments properly staffed, with experienced and/or capable personnel (i.e., there is evidence that the appropriate staffing levels based on job responsibilities have been determined and that management seeks to maintain these levels)?
• Are there adequate policies and procedures for developing and modifying accounting systems and controls, including changes to and use of computer programs and/or data files?

Observations on the Entity’s Control Activities, and the Information & Communication Components
• Generally, the Bank employs documentation, approval and authorization as their controls. The Bank has adequate facilities to house its assets. Every branch is installed with vaults for their storage of cash, they have storage facilities for their files, and they have a disaster risk plan to protect their electronic data from catastrophes.
• The Bank has a defined organizational chart that separates conflicting duties, like recording and custody of assets, and, database administration and maintenance of the application programs. The Bank also has an established approval matrix for the significant processes like lending, payroll, disbursement and CASA. Furthermore, there is also a defined job description that clearly describes the duties and responsibilities of each position in the Bank.
• Furthermore, the Bank has different departments with their respective responsibilities. The recording function falls under the Business Support Services Group (BSSG), Management Support Services Department (MSSD), General Accounting Department (GAD), and, Branch Accounting and Control (BAC). The creation of journal entries is done through the system. The entries are reviewed first before they can be posted to the general ledger. It is the responsibility of the staff to create entries but they need to be approved before posted to the General Ledger. They have an established approval matrix for the posting of entries. Should there be any revisions, approval should be sought first before any changes are to be effected.
• The Controllership Department has a Reports and Reconciliation division who is responsible for delivering timely and accurate reports to Management and Regulatory Bodies. It ensures compliance with Bangko Sentral ng Pilipinas Financial reporting and PDIC and SEC regulations.
• MIS and Budget division is responsible for finalizing of the Annual Business Plan (Corporate Objectives, Strategies & Action Plans and Financial Budgets) of the Bank and its units, providing feedback mechanisms on the actual performance of the Bank and each unit vis-à-vis targets; monitoring the actual manpower requisitions, capital expenditures and operating expenses of the different units of the Bank vis-à-vis budgets, and recognition of the actual performance of each group/unit/individual employee vis-à-vis business plans/key results.

Identify and Evaluate the Design of Entity-Level Controls Important to the Audit and Determine Whether the Controls Have Been Implemented

We have documented our understanding of entity-level controls related to control activities and the information and communication component in the box above. In the box below, indicate those entity-level controls that are important to the audit.

Examples of entity-level controls for control activities and the information and communication component that may be important to the audit include:

Control Activities
• Adequate policies and procedures are in place and they are reviewed periodically to determine that they continue to be appropriate.
• The entity has adequate policies and procedures for accounting and closing practices that are consistently applied through the year and at year-end.
• Management maintains, communicates, and monitors clear objectives in terms of budgets, profits, and other financial operating goals.
• Management reviews key performance indicators (e.g., budget, profit, financial goals, operating goals) regularly (e.g., monthly, quarterly) and identifies significant variances. Variances are investigated and appropriate corrective action is taken.
• Financial statements are submitted to operating management accompanied by analytical comments.
• Appropriate approvals are required from management prior to allowing an individual access to specific applications and databases.
• Physical security over IT assets is reasonable given the nature of the company’s business.
• Critical computer data is backed up daily and stored off-site.

Information and Communication
• The entity maintains written job descriptions and reference manuals that describe duties of personnel.
• The board of directors or audit committee is involved in monitoring information systems projects and resource priorities.
• There are defined responsibilities for individuals responsible for implementing, documenting, testing and approving changes to computer programs that are purchased or developed by information systems personnel or users.
• There are appropriate channels to communicate information, monitor compliance with policies and procedures, and communicate new requirements.
• There are appropriate channels to communicate information to decentralized locations.

After we have identified the entity-level controls important to the audit, we evaluate the design of the controls and determine whether the controls have been implemented. Evaluating the design of the entity-level controls involves considering whether the controls effectively support transaction-level controls. Implementation of a control means that the control exists and has been placed into operation.

Document the procedures performed, including where we obtained the information used to support our conclusions below of whether the entity-level controls important to the audit have been properly designed and implemented. In determining that a control has been implemented, we first consider whether the control is properly designed. We obtain appropriate audit evidence that the internal control at the entity level has been properly designed and implemented. In all cases, inquiry alone is not sufficient to evaluate the design of a control at the entity level or to determine whether that control has been implemented at the entity level. Our procedures may include a combination of inquiry of entity personnel (including inquiries of more than one individual to obtain corroborating evidence), observing the application of specific controls, and inspecting documents and reports. Our description of Procedures Performed below may be a reference to other working papers where our procedures are documented.

Entity-Level Controls Relevant to the Audit | Implemented?
The Bank has documentation, authorization and approval controls | Yes No
Segregation of duties | Yes No
The Bank has an internal system where messages can be delivered to appropriate people. | Yes No
Part 1 — Evaluating Entity-Level Controls
1.4 Monitoring

Monitoring is the process that assesses the quality of the performance of internal control over time. An important management responsibility is to establish and maintain internal control. Management monitors controls to consider whether they are operating as intended and whether they are modified as appropriate for changes in conditions.

Document below our observations about the entity’s monitoring procedures (in addition to the factors to consider below, consider any risk factors identified relating to opportunities associated with fraudulent financial reporting and opportunities associated with misappropriation of assets).

Factors to Consider:
• Does management respond timely and appropriately to recommendations on internal control from the internal auditors and us?
• Are monitoring procedures performed timely?
• Is there a low level of customer complaints, and does management respond timely and appropriately to the cause of such complaints?
• For smaller entities, is the owner/manager actively involved in the business?
• Does the parent company adequately scrutinize the activities of the various operating units (e.g., subsidiaries, divisions, plant locations)?
• If applicable, is the oversight by legislative or regulatory bodies effective?

Additional factors for entities with internal audit departments (if the entity does not have an internal audit function, consider whether its absence constitutes a significant deficiency in internal control or exacerbates identified risks of fraud):
• Is internal audit adequately staffed and trained, with appropriate specialized skills, including IT, given the nature, size, and complexity of the entity and its operating environment?
• Is the internal audit department independent (authority and reporting relationships) and does it have adequate access to the audit committee (or equivalent)?
• Is the scope of internal audit’s activities appropriate given the nature, size, and complexity of the entity and its operating environment?
• Does internal audit devote sufficient time and attention to evaluating the design and operation of internal control?
• Does internal audit have the authority to examine all aspects of the entity’s operations, including those overseen or controlled by senior management?
• Does internal audit adhere to professional standards?

Observations on the Entity’s Monitoring Procedures
• The Bank has an Audit Committee (AC) who is responsible for monitoring compliance with the Bank’s risk management policies and procedures, and for reviewing the adequacy of risk management framework in relation to the risks faced by the Bank. The AC is assisted in these activities by Internal Audit (IA). IA undertakes both regular and ad-hoc reviews of risk management controls and procedures, the results of which are reported to the AC.
• The IA is composed of 15 qualified employees who have the appropriate skills to execute their responsibilities.

Identify and Evaluate the Design of Entity-Level Processes or Controls Important to the Audit and Determine Whether They Have Been Implemented

We have documented our understanding of entity-level processes or controls related to the monitoring component in the box above. In the box below, indicate those elements of the entity-level processes or specific controls that are important to the audit.

Examples of entity-level processes or controls for monitoring that may be important to the audit include:
• Policies and procedures are in place to assure that corrective action is taken on a timely basis when control exceptions occur.
• Management takes adequate and timely actions to correct deficiencies reported by the internal audit function or the independent auditors.
• The audit committee provides effective oversight of the company’s external financial reporting and internal control over financial reporting.
• The internal audit function is independent of the activities they audit and are prohibited from having operating responsibilities.
• The internal auditors have direct access to the board of directors or audit committee.
• The internal audit function adheres to professional standards (e.g., International Standards for the Professional Practice of Internal Auditing).
• The scope of internal audit activities is appropriate given the nature, size and structure of the entity.
• The internal audit department develops an annual plan that considers risk in determining the allocation of resources.
• The scope of planned internal audit activities is reviewed in advance with senior management, the board of directors or audit committee, and the independent auditors.
• The results of the internal audit functions are reported to senior management, the board of directors or audit committee, and the independent auditors.

After we have identified the entity-level processes or controls important to the audit, we evaluate their design and determine whether they have been implemented. Evaluating the design of entity-level processes or controls involves considering whether they will effectively support transaction-level controls. Implementation of a process or control means that it exists and has been placed into operation.

Document the procedures performed, including where we obtained the information used to support our conclusions below of whether
Internal Control Document
23
-
Part 1 — Evaluating Entity-Level Controls
1.4 Monitoring

the entity-level processes or determine whether it has


controls important to the been implemented at the
audit have been properly entity level. Our procedures
designed and implemented. In may include a combination of
determining that a process or inquiry of entity personnel
control has been (including inquiries of more
implemented, we first than one individual to obtain
consider whether it is properly corroborating evidence),
designed. We obtain observing the application of
appropriate audit evidence specific processes or controls,
that the internal control at the and inspecting documents and
entity level has been properly reports. Our description of
designed and implemented. Procedures Performed below
In all cases, inquiry alone is may be a reference to other
not sufficient to evaluate the working papers where our
design of a process or control procedures are documented.
at the entity level or to

Entity-Level Controls Relevant to the Audit | Implemented?
The audit committee provides effective oversight of the company’s external financial reporting and internal control over financial reporting. | Yes No
Policies and procedures are in place to assure that corrective action is taken on a timely basis when control exceptions occur. | Yes No
The internal audit function is independent of the activities they audit and are prohibited from having operating responsibilities. | Yes No

Part 2 — Identifying Potential Risks of Material Misstatement Due To Fraud
Description and Characteristics of Fraud

Two types of misstatements are relevant to our consideration of fraud: 1) misstatements arising from fraudulent financial reporting; and 2) misstatements arising from misappropriation of assets (for which the effect of the misappropriation causes the financial statements not to give a true and fair view (or not to be presented fairly, in all material respects), in accordance with IFRS, generally accepted accounting principles, or another applicable financial reporting framework). As we gather information to identify risks of material misstatement due to fraud, we consider both types of misstatements.

Three conditions generally are present when fraud occurs: (1) management or other employees have an incentive or are under pressure that provides a reason to commit fraud; (2) circumstances exist (for example, the absence of controls, ineffective controls or the ability of management to override controls) that provide an opportunity for a fraud to be perpetrated; and (3) those involved are able to rationalize a fraudulent act as being consistent with their personal code of ethics. Some individuals possess an attitude, character, or set of ethical values that allow them to knowingly and intentionally commit a dishonest act. However, even otherwise honest individuals can commit fraud in an environment that imposes sufficient pressure on them. The greater the incentive or pressure, the more likely an individual will be able to rationalize the acceptability of committing fraud.

Although the risk of material misstatement due to fraud may be greatest when all three fraud conditions are observed or evident, we cannot assume that the inability to observe one or two of these conditions means there is no risk of material misstatement due to fraud.

Certain assertions, accounts, and classes of transactions that have high inherent risk because they involve a high degree of management judgment and subjectivity also may present risks of material misstatement due to fraud because they are susceptible to manipulation by management. For example, liabilities resulting from a restructuring may be deemed to have higher inherent risk because of the high degree of subjectivity and management judgment involved in their estimation. Similarly, revenues for software companies may be deemed to have higher inherent risk because of the subjectivity and complexities often involved in recognizing and measuring software revenue transactions.

We expect that one or more risks of material misstatement due to fraud will be identified for most engagements. In particular, there is a presumption that we ordinarily will identify one or more fraud risks relating to revenue recognition.

Although the fraud risk factors below cover a broad range of situations, they are only examples and, accordingly, we may wish to consider additional or different risk factors. Also, the examples of fraud risk factors are not presented in an order that might reflect their relative importance or frequency of occurrence. In addition, risk factors known to the engagement team but not included in Parts 2.2 and 2.3 should be added to the applicable sections.

The relative importance of the risk factors varies among engagements from critical to insignificant. Accordingly, we exercise professional judgment when considering the risk factors individually and in combination.

2.1 Engagement Team Discussion(s)

In planning the audit, members of the audit team discuss the potential
for material misstatement due to fraud or errors. The objectives of this
discussion are (1) to increase the overall awareness of and sensitivity to
fraud or errors by all members of the team, (2) to have an interactive
exchange of ideas and sharing of information about how and where the
entity’s financial statements might be susceptible to material
misstatement due to fraud or errors, and (3) for the executive in charge
of the audit to emphasize the importance of maintaining the proper
state of mind and level of professional skepticism throughout the audit.

Although our consideration of risk of material misstatement due to fraud or error is an ongoing process during the audit, at least one such engagement team discussion takes place as part of the team planning event.

Document below or in a separate memorandum the engagement team discussion(s) about the susceptibility of the entity’s financial statements to material misstatement due to fraud or error. The documentation includes how and when the discussion(s) occurred, and the team members who participated, the information discussed, and the significant decisions reached. The engagement partner also considers which matters should be communicated to members of the engagement team not involved in the discussion. Observations from the engagement team discussion that should be considered in identifying and assessing the risks of fraud are documented in the Summary of Observations and Identified Fraud Risks.


The following are the key risk areas and audit considerations discussed in the team planning event, which occurred on September 15, 2014:
• Loans and receivables:
- Completeness of recorded receivables and interest income
- Proper valuation of loans and receivables using effective interest method
- Proper accrual of interest considering Section 305.4 of MORB
• Adequacy of loan loss provisioning
• Valuation and assessment for possible impairment of branch licenses
• Classification and accounting of property and equipment
• Accounting of investment properties
• Accounting for financial instruments other than loans and receivables:
- Financial assets at fair value through profit or loss
- Available-for-sale financial instruments
- Held-to-maturity investments
- Bills payable
• Deposit liabilities:
- Completeness and proper valuation of deposit liabilities
- Proper computation and accrual of interest
• Provision for contingencies arising from pending lawsuits
• Accounting for retirement benefits obligation
• Related party balances and transactions
• Proper computation of income tax and other taxes
• Compliance with relevant BSP regulations, SEC reportorial requirements, which include among others:
- Capital requirements
- Reserve requirements
- Real estate exposure limits
- Credit exposure limits
• Consolidation procedures


Fraud Risk Factors Associated With Fraudulent Financial Reporting and Misappropriation of Assets

Identifying one or more fraud risk factors does not necessarily mean that internal control at the entity level is ineffective. However, the presence of numerous fraud risk factors should heighten our awareness, and we would give them due consideration in making our assessment of internal control at the entity level. In this regard, we pay particular attention to our understanding of the business environment for the year under audit, the risk factors relating to attitudes of management or the board of directors, or opportunities resulting from inappropriate attention to, or a disregard for, internal control.

2.2 Risk Factors Relating to Fraudulent Financial Reporting

Incentives/Pressures
a. Financial stability or profitability is threatened by economic, industry, or entity operating conditions, such as (or as indicated by):
- High degree of competition or market saturation, accompanied by declining margins.
- High vulnerability to rapid changes, such as changes in technology, product obsolescence, or interest rates.
- Significant declines in customer demand and increasing business failures in either the industry or overall economy.
- Operating losses making the threat of bankruptcy, foreclosure, or hostile takeover imminent.
- Recurring negative cash flows from operations or an inability to generate cash flows from operations while reporting earnings and earnings growth.
- Rapid growth or unusual profitability especially compared to that of other companies in the same industry.
- New accounting, statutory, or regulatory requirements.

b. Excessive pressure exists for management to meet the requirements or expectations of third parties due to:
- Profitability or trend level expectations of investment analysts, institutional investors, significant creditors, or other external parties (particularly expectations that are unduly aggressive or unrealistic) including expectations created by management in, for example, overly optimistic press releases or annual report messages.
- Need to obtain additional debt or equity financing to stay competitive, including financing of major research and development or capital expenditures.
- Marginal ability to meet debt repayment or other debt covenant requirements.
- Perceived adverse effects of reporting poor financial results on significant pending transactions, such as business combinations or contract awards.


c. Management or the board of directors’ personal net worth is threatened by the entity’s financial performance due to:
- Significant personal financial interests in the entity.
- Significant portions of their compensation (e.g., bonuses, stock options) being contingent upon achieving aggressive targets for stock price, operating results, financial position, or cash flow.
- Personal guarantees of debts of the entity.

d. Excessive pressure on management or operating personnel (including those at subsidiaries or remote locations with separate systems or records) to meet financial targets set up by the board of directors or management, including sales or profitability incentive goals.

Indicate any of the above or other risk factors to be considered relating to incentives/pressures associated with misstatements arising from fraudulent financial reporting:

• Risk of fraudulent financial reporting exists since the Bank is heavily regulated by the BSP.
• The Bank is rated 19th on www.workingpinoy.com’s Top 27 Savings Banks in the Philippines or Top 27 Thrift Banks. Furthermore, as of December 31, 2013, it has 38 branches strategically placed in Metro Manila and key cities in the provinces, and with their acquisition of 13 new branch licenses, it expects to have 51 branches in the next three years. Additionally, the Bank is one of the two thrift banks who hold an LC certificate. There is risk in fraudulent reporting should the Bank want to increase its rating.
• The Bank’s main source of revenue is interest received from its customers/clients, and is therefore subject to the changes in interest rates. Despite the volatility of its income, the Bank managed to have positive net income and cash flows for the past two years.
• The Bank is heavily regulated by the Bangko Sentral ng Pilipinas (BSP) and prepares its financial statements based on Philippine Financial Reporting Standards (PFRS).
• Under the Controller Department, the MIS & Budget division is tasked to prepare budgets for the Bank.


Opportunities
a. The nature of the industry or the entity’s operations provides opportunities to engage in fraudulent financial reporting due to:
- Significant related party transactions not in the ordinary course of business or with related entities not audited or audited by another firm.
- A strong financial presence or ability to dominate a certain industry sector that allows the entity to dictate terms or conditions to suppliers or customers that may result in inappropriate or non-arm’s length transactions.
- Assets, liabilities, revenues, or expenses based on significant estimates that involve subjective judgments or uncertainties that are difficult to corroborate.
- Significant, unusual, or highly complex transactions, especially those close to year end that pose difficult “substance over form” questions.
- Significant use of derivatives and complex hedging activities.
- Significant operations located or conducted across international borders in jurisdictions where differing business environments and cultures exist.
- Significant bank accounts or subsidiary or branch operations in tax-haven jurisdictions for which there appears to be no clear business justification.
- The degree of decentralization and oversight of remote locations.

b. There is ineffective monitoring of management due to:
- Domination of management by a single person or small group (in a non-owner managed business) without compensating controls.
- Ineffective board of directors or audit committee oversight over the financial reporting process and internal control.


- Lack of management personnel with sufficient knowledge and competence to recognize when other members of management may attempt to commit fraud.

c. There is a complex or unstable organizational structure as evidenced by:
- Difficulty in determining the organization or individuals that have a controlling interest in the entity.
- Overly complex organizational structure involving unusual legal entities or managerial lines of authority.
- High turnover of senior management, counsel, or board members.

d. Internal control components are deficient due to:
- Inadequate monitoring of controls, including automated controls and controls over interim financial reporting (where external reporting is required).
- Inadequate segregation of duties between data access and processing responsibilities.
- High turnover rates or employment of ineffective accounting, internal audit, or information technology staff.
- Ineffective accounting and information systems.

Indicate any of the above or other risk factors to be considered relating to opportunities associated with misstatements arising from fraudulent financial reporting:

• Significant fraud risk factors include:
- Revenue recognition
- Expense recognition
- Cash
- Investment additions and disposals
- Completeness of related party transactions
- Prior year adjustments
• The Bank’s related party transactions compose of loans and transactions w
related interests (DOSRI). The DOSRI transactions have to be approved by t
• The Bank does not have derivative instruments, only spot and swap contra
• The Bank provides an allowance and provision for losses for the following a
- Loans and receivables,
- Financial assets,
- Property and equipment, and
- Acquired assets (a.k.a. ROPA).
• The Bank has a set of Board of Directors and different committees that ove
management.
• The Bank has a defined organizational structure that is known throughout t

Attitudes


Risk factors reflective of attitudes by board members, management, or employees that allow them to engage in and/or justify fraudulent financial reporting may not be susceptible to observation. Nevertheless, if we become aware of the existence of such information, we should consider it in identifying the risks of material misstatement arising from fraudulent financial reporting.

a. Ineffective communication and support of the entity’s values or ethical standards by management or the communication of inappropriate values or ethical standards.

b. Nonfinancial management’s excessive participation in, or preoccupation with, the selection of accounting principles or the determination of significant estimates.

c. Known history of violations of securities laws or other laws and regulations, or claims against the entity, its senior management, or board members alleging fraud or violations of laws and regulations.

d. Excessive interest by management in maintaining or increasing the entity’s stock price or earnings trend.

e. A practice by management of committing to analysts, creditors, and other third parties to achieve aggressive or unrealistic forecasts.

f. Management failing to correct known control deficiencies on a timely basis.

g. An interest by management in employing inappropriate means to minimize reported earnings for tax-motivated reasons.

h. Recurring attempts by management to justify marginal or inappropriate accounting on the basis of materiality.

i. The relationship between management and us or management and the predecessor auditor is strained as exhibited by:
- Frequent disputes with us or the predecessor auditor on accounting, auditing, or reporting matters.
- Unreasonable demands such as excessive fee pressure, or unreasonable time constraints regarding the completion of the audit or the issuance of the auditor’s report.
- Formal or informal restrictions that inappropriately limit access to people or information or the ability to communicate effectively with the board of directors or audit committee.
- Domineering management behavior, especially involving attempts to influence the scope of our work or the selection or continuance of audit personnel assigned to the engagement.


Indicate any of the above or other risk factors to be considered relating to attitudes associated with misstatements arising from fraudulent financial reporting:

• The Bank has an established Code of Conduct, which is distributed to the employees upon hiring. The Bank enforces its implementation of its Code of Conduct through its Human Resource Group and the DEVCOM.
• The Bank has various suits and claims outstanding as of December 31, 2014 but it is perceived that these will have no material effect on the Bank’s financial position and financial performance.
• Based on BSP’s examination dated July 30, 2013, the Bank was given a rating of “3”, which indicated that “some degree of supervisory concern particularly credit, operational, compliance and strategic risks.” The Bank gave its reply within the required time, which also includes the actions that the Bank has taken in response to the BSP’s findings.

2.3 Risk Factors Relating to Misappropriation of Assets

Risk factors that relate to misstatements arising from misappropriation of assets are also classified along the three conditions generally present when fraud exists: 1) incentives/pressures, 2) opportunities, and 3) attitudes. Many of these risk factors relate to a disregard for, or inappropriate attention to, safeguarding of assets or controls over assets that are susceptible to misappropriation. Some of the risk factors related to misstatements arising from fraudulent financial reporting also may be present when misstatements arising from misappropriation of assets occur. For example, ineffective monitoring of management and weaknesses in internal control may be present when a misstatement due to either fraudulent financial reporting or misappropriation of assets exists.

Incentives/Pressures
a. Personal financial obligations may create pressure on management or employees with access to cash or other assets susceptible to theft to misappropriate those assets.

b. Strained, difficult or adverse relationships between the entity and employees with access to cash or other assets susceptible to theft may motivate those employees to misappropriate those assets. Such relationships may be created by:
- Known or anticipated future employee layoffs.
- Recent or anticipated changes to employee compensation or benefit plans.
- Promotions, compensation, or other rewards inconsistent with expectations.

Indicate any of the above or other risk factors to be considered relating to incentives/pressures associated with misstatements arising from misappropriation of assets:

• As of September 2014, there were no employees let go, only resigned ones. Furthermore, there are no imminent plans of laying off employees.
• The Bank offers loans to its employees.

Opportunities
a. Certain characteristics or circumstances may increase the susceptibility of assets to misappropriation. For example, opportunities to misappropriate assets increase when there are:
- Large amounts of cash on hand or processed.
- Inventory items that are small in size, of high value, or in high demand.
- Easily convertible assets, such as bearer bonds, diamonds, or computer chips.
- Fixed assets that are small in size, marketable, or lacking observable identification of ownership.


b. Inadequate internal control over assets may increase the susceptibility of misappropriation of those assets. For example, misappropriation of assets may occur because there is a(n):
- Inadequate segregation of duties or independent checks.
- Inadequate management oversight of employees responsible for assets, for example, inadequate supervision or monitoring of remote locations.
- Inadequate job applicant screening of employees with access to assets.
- Inadequate recordkeeping with respect to assets.
- Inadequate system of authorization and approval of transactions (for example, in purchasing).
- Inadequate physical safeguards over cash, investments, inventory, or fixed assets.
- Lack of complete and timely reconciliations of accounts.
- Lack of timely and appropriate documentation of transactions, for example, credits for merchandise returns.
- Lack of mandatory vacations for employees performing key control functions.
- Inadequate management understanding of information technology, which enables information technology employees to perpetrate a misappropriation.
- Inadequate access controls over automated records, including controls over and review of computer systems event logs.


Indicate any of the above or other risk factors to be considered relating to opportunities associated with misstatements arising from misappropriation of assets:

• The Bank has cash vaults where only authorized persons have access to them. As added security, there are also CCTV cameras installed in the Bank’s premises for increased security.
• The Bank has proper segregation of duties. Should there be any control lapses, the Bank employs review and authorization controls, thus any anomalies done may be found out.
• A separate division records the journal entries and a separate one does reconciliation.


Attitudes
Risk factors reflective of employee attitudes that enable them to justify misappropriations of assets are generally not susceptible to observation. Nevertheless, if we become aware of the existence of such information, we should consider it in identifying the risks of material misstatement arising from misappropriation of assets.

a. Disregard for the need for monitoring or reducing risks related to misappropriations of assets.

b. Disregard for internal control over misappropriation of assets by overriding existing controls or by failing to correct known internal control deficiencies.

c. Behavior indicating displeasure or dissatisfaction with the entity or its treatment of the employee.

d. Changes in behavior or lifestyle that may indicate assets have been misappropriated.

Indicate any of the above or other risk factors to be considered relating to attitudes associated with misstatements arising from misappropriation of assets:

• The Bank also has a DEVCOM who deals with the disciplinary and ethical compliance of its employees.

2.4 Results of Analytical Procedures During Planning

Analytical procedures performed during planning may be helpful in identifying the risks of material misstatement due to fraud. However, because such analytical procedures generally use data aggregated at a high level, the results of those procedures only provide a broad initial indication about whether a material misstatement of the financial statements may exist. Accordingly, the results of these procedures are considered along with the other sources of information in Part 2.

In planning the audit, we perform analytical procedures relating to revenue with the objective of identifying unusual or unexpected relationships involving revenue accounts or significant transactions that may be indicative of a material misstatement due to fraudulent financial reporting.

Document below any unusual or unexpected observations from the results of our analytical procedures performed in planning the audit, particularly those related to revenue and related accounts. We also should document observations about financial statement amounts or key financial ratios that have not changed when such changes are expected based on our knowledge of the entity’s business and industry.

Refer to WP C.60.1, Preliminary Analytics for the results of interim overall analytical procedures on September 30, 2014 balances.

2.5 Inquiries of Senior Management, the Audit Committee, Internal Audit, and Others

We make inquiries of senior management about their assessment of the risk that the financial statements may be materially misstated due to fraud, whether they are aware of any fraud or alleged fraud, and the programs and controls the entity has put in place to prevent, deter, and detect fraud. We also make certain inquiries, when applicable, of the audit committee and internal audit. When responses to inquiries are inconsistent, we obtain additional information to resolve the inconsistencies.

A senior manager, principal, director, or partner makes inquiries of senior management (e.g., the CEO, COO, CFO, and CIO) and the audit committee on all public entities. For non-public entities, a manager or above makes such inquiries of senior management and the audit committee. A manager or above makes such inquiries of internal audit for public and non-public entities. We also consider information obtained from inquiries of others (e.g. legal counsel, sales director, operating or divisional management, lower-level financial or operating employees) throughout the course of the audit.

Senior Management
Document below the results of our fraud inquiries of senior management as well as the basis for their responses (e.g., what processes they employ to provide them with reasonable assurance that their risk assessments are appropriate). Indicate the name(s) and level(s) of the members of senior management with whom the discussions were held.

Discussed with:
Name(s): Title(s): Date:

We inquire about:
• Whether senior management has knowledge of any actual, suspected or alleged fraud.
• Whether senior management is aware of allegations of fraudulent financial reporting, for example, because of “whistleblower” or other communications from employees, former employees, analysts, short sellers, or other investors.
• Senior management's process for identifying and responding to the risks of fraud in the entity, including any specific fraud risks the entity has identified or account balances, classes of transactions, or disclosures for which a risk of fraud is likely to exist.
• Programs and controls the entity has established to mitigate specific fraud risks the entity has identified, or that otherwise help to prevent, deter, and detect fraud, and how senior management monitors those programs and controls.


• For an entity with multiple locations, (a) the nature and extent of monitoring of operating locations or business segments, and (b) whether there are particular operating locations or business segments for which a risk of fraud may be more likely to exist.
• Whether and how senior management communicates to employees its views on business practices and ethical behavior.
• Whether senior management has reported to the audit committee or others with equivalent authority and responsibility on its processes for identifying and responding to the risks of fraud in the entity, and whether management believes internal control (including the entity’s control environment, risk assessment processes, control activities, information and communication systems, and monitoring activities) serves to prevent, deter, or detect material misstatements due to fraud.

Audit Committee or Equivalent

Audit committees or those charged with governance play an important role in the oversight of the entity’s assessment of the risks that can have a material effect on the financial statements, and some audit committees are assuming a more active role in the oversight of management’s processes for identifying and responding to the risks of fraud and the programs and controls the entity has established to mitigate those risks. We obtain an understanding of how the audit committee exercises oversight activities in that area, and we directly inquire of the audit committee (or at least its chairman) regarding the committee’s views about the risks of fraud and whether the members have knowledge of any actual, suspected or alleged fraud.

For listed companies, we inquire about matters raised from the audit committee procedures for the receipt, retention, and treatment of complaints (including ‘whistleblowers’) regarding accounting, internal accounting controls or auditing matters, including procedures for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters.

Internal Audit

If the entity does not have an internal audit function, consider whether its absence constitutes a fraud risk factor or affects our assessment of the effectiveness of internal control at the entity level.

For entities that have an internal audit function, we inquire of appropriate internal audit personnel about (1) their views of the risks of fraud, (2) whether they have performed any procedures to identify or detect fraud during the year, (3) activities concerning the design and effectiveness of the entity’s internal controls, (4) whether management has satisfactorily responded to any findings resulting from these procedures, and (5) whether the internal auditors have knowledge of any actual, suspected or alleged fraud.

Others within the Entity

In addition to inquiries made above, we make inquiries of others within
the entity, as appropriate, to determine whether they have knowledge
of any actual, suspected, or alleged fraud affecting the entity. Such
others might include: lower-level employees in both financial and
operating areas, in-house legal counsel, marketing or sales personnel,
employees involved in initiating, recording, processing or reporting
complex, unusual transactions and those who supervise these
employees, or the chief ethics officer or equivalent personnel.

Part 2 — Identifying Potential Risks of Material Misstatement Due To Fraud
2.6 Other Information

Other information that may be helpful in identifying the risks of
material misstatement due to fraud might include:
a. Information from the results of our procedures
relating to the acceptance and continuance of
clients and engagements;
b. Reviews of interim financial statements;
c. Our consideration of inherent risk at the individual
account balance or class of transaction level;
d. Prior year Summary Review Memorandum and
Summary of Audit Differences; and
e. Analyst reports.

Document below our observations from the consideration of other
information.
