Risk Management and Internal Controls Services in the Philippines
Risk management in the Philippines has moved from compliance activity to board governance requirement. Listed companies face SEC corporate governance expectations and investor scrutiny of their risk frameworks. Banks are required by BSP Circular 900 to maintain board-approved operational risk management systems. Insurance companies must satisfy IC risk-based capital requirements. For mid-market corporations, boards and audit committees are increasingly held accountable for the risk oversight function, not just for having a risk policy, but for operating one.
STLAF’s risk management and internal controls practice covers enterprise risk management, internal controls review, risk-based internal audit, forensic accounting, and regulatory compliance assessments for Philippine corporations and regulated industries. When a risk or control finding escalates to regulatory sanction or litigation, our in-house lawyers handle the legal response in the same engagement.
Enterprise Risk Management (ERM) Consulting
Risk Identification and Risk Register Development
An enterprise risk register is not a spreadsheet that gets filled in once. It is a living document that maps the material risks facing the organization, tracks their current status, and provides the audit committee with a basis for risk oversight. We facilitate structured risk identification workshops across business units, drawing on COSO ERM 2017 and ISO 31000 methodologies, and build risk registers that reflect the organization’s actual risk profile, not a generic template.
For each identified risk, we document the risk description, risk category, risk owner, inherent risk rating (likelihood and impact), existing controls, and residual risk rating. The register is designed to be maintained by management between advisory engagements, not dependent on external consultants to remain current.
Risk Assessment and Prioritization
Risk assessment translates identified risks into a prioritized risk landscape that the board and audit committee can act on. We apply both qualitative assessment (board and management workshops, risk interviews) and quantitative analysis (scenario modeling, sensitivity analysis for financial risks) to produce a risk heat map and a ranked list of risks that require treatment.
The assessment distinguishes between risks within the organization’s control (operational, compliance, financial reporting) and external risks that require monitoring and response planning (regulatory changes, market disruption, geopolitical). Both categories are in scope: boards are responsible for how the organization responds to risks it cannot control, not just for preventing risks it can.
Risk Treatment and Mitigation Planning
For each material risk, we develop a risk treatment plan: whether to avoid, reduce, share, or accept the risk; who owns the treatment; what controls are required; and what the residual risk is after treatment is implemented. Treatment plans are costed and time-bound, deliverable to the audit committee in a format that supports board resolution.
Where risk treatment requires legal action (contract revisions, regulatory engagement, policy changes with legal implications), our lawyers contribute to the treatment design directly. The compliance implication of a risk treatment option is assessed before it is recommended.
Risk Appetite Framework
A risk appetite framework defines the level and type of risk the organization is willing to accept in pursuit of its objectives. We develop risk appetite statements for each material risk category and establish risk tolerance thresholds: the quantitative or qualitative triggers that require escalation to the audit committee or board. For Philippine listed companies, a documented risk appetite framework with board approval is a corporate governance expectation, not a best-practice aspiration.
Internal Control Review and Assessment
Control Design Assessment
A well-designed control is one that, if operating as intended, would prevent or detect and correct a material misstatement or operational failure. Design assessment asks whether the right controls exist, not whether they are working. We map the control environment against COSO 2013’s five components (control environment, risk assessment, control activities, information and communication, monitoring) and 17 principles, and identify design gaps.
Common design gaps in Philippine mid-market companies include: manual controls substituting for system-enforced controls where the volume of transactions makes manual review impractical; controls designed for one business environment that have not been updated as the business has scaled; and segregation of duties that exists on paper but is overridden in practice by staffing constraints.
Control Operating Effectiveness Testing
Control design tells you the controls exist. Operating effectiveness testing tells you whether they are actually working. We test controls by inspecting evidence of their operation over a sample period: approvals, system logs, reconciliations, exception reports. The testing scope is determined by the risk assessment: highest-risk controls receive the most intensive testing.
Where testing identifies deficiencies, we classify them by severity (control deficiency, significant deficiency, material weakness; the same classification used in external audit reporting). The severity determines the urgency and scope of remediation and the reporting obligation to the audit committee. A material weakness in internal controls will affect the external audit opinion; we flag that risk early and advise on remediation before the audit cycle.
Segregation of Duties Review
Segregation of duties (SoD) failures are one of the most common preconditions for fraud and error in Philippine organizations. We map authorization, custody, recording, and reconciliation functions across the relevant processes (procurement, payroll, cash management, accounts receivable) and identify instances where one individual controls two or more incompatible functions. For smaller organizations where full SoD is not achievable due to staffing, we design compensating controls that reduce the risk to an acceptable level.
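The mapping described above can be automated once the function-to-user assignments are captured. The following is an added illustration, not STLAF’s own tooling: the processes, user names, assignments, compensating controls and the severity rule are all constructed for the example.

```python
"""Segregation-of-duties (SoD) conflict check over a constructed
user-to-function assignment, following the review described above.
Processes, users, assignments, compensating controls and the severity
rule are constructed for this example (assumptions, not the firm's method)."""
from itertools import combinations

# The four function types the review maps across each process.
FUNCTIONS = ("authorization", "custody", "recording", "reconciliation")

# Assumption: any two functions held by one person within the same process
# conflict; combinations involving custody or reconciliation rate "high".
HIGH_RISK_PAIRS = {
    frozenset({"custody", "recording"}),
    frozenset({"custody", "reconciliation"}),
    frozenset({"recording", "reconciliation"}),
}

# Constructed sample: per process, which users hold which function.
ASSIGNMENTS = {
    "procurement": {"authorization": ["cfo"], "custody": ["buyer1"],
                    "recording": ["ap_clerk"], "reconciliation": ["ap_clerk"]},
    "payroll": {"authorization": ["hr_head"], "custody": ["payroll_officer"],
                "recording": ["payroll_officer"],
                "reconciliation": ["payroll_officer"]},
    "cash_management": {"authorization": ["cfo"], "custody": ["cashier"],
                        "recording": ["gl_clerk"], "reconciliation": ["controller"]},
}

# Constructed compensating controls already in place, keyed by (process, user).
COMPENSATING = {("procurement", "ap_clerk"): "monthly independent AP review by controller"}


def find_sod_conflicts(assignments, compensating=None):
    """Return one conflict record per (process, user) holding two or more
    incompatible functions, with a severity and any compensating control."""
    compensating = compensating or {}
    conflicts = []
    for process, funcs in assignments.items():
        held = {}  # user -> set of functions held within this process
        for func, users in funcs.items():
            for user in users:
                held.setdefault(user, set()).add(func)
        for user, fset in held.items():
            if len(fset) < 2:
                continue  # one function only: no SoD conflict
            pairs = {frozenset(p) for p in combinations(sorted(fset), 2)}
            severity = "high" if pairs & HIGH_RISK_PAIRS else "medium"
            conflicts.append({
                "process": process, "user": user, "functions": sorted(fset),
                "severity": severity,
                "compensating_control": compensating.get((process, user)),
            })
    # Stable ordering so the report reads process by process.
    return sorted(conflicts, key=lambda c: (c["process"], c["user"]))


if __name__ == "__main__":
    for conflict in find_sod_conflicts(ASSIGNMENTS, COMPENSATING):
        print(conflict)
```

Conflicts with no compensating control listed are the ones that need either a reassignment or a newly designed compensating control before they reach the deficiency report.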
Internal Control Deficiency Reporting
Control deficiencies identified during the review are documented in an internal control deficiency report, organized by severity and risk area, with remediation recommendations and responsible owners. The report is prepared in a format suitable for audit committee presentation. Where deficiencies have already resulted in BIR findings, SEC management letter comments, or external audit qualifications, we trace the control failure that caused the finding and recommend the specific control change required, not a generic ‘improve controls’ recommendation.
For deficiencies with potential legal implications (BIR exposure, regulatory violation, fiduciary breach), our lawyers assess the exposure at the same time as the control remediation is being designed. See also our BIR tax audit defense practice.
Risk-Based Internal Audit
Risk-based internal audit determines audit scope by risk priority, not by historical coverage or rotation schedule. We assist organizations in transitioning their internal audit function from a compliance-coverage model (audit every area on a fixed schedule) to a risk-based model (audit the areas where the risk exposure is highest, as determined by the current risk assessment).
For organizations without an in-house internal audit function, we provide co-sourced or fully outsourced internal audit services under a risk-based plan. The audit plan is presented to the audit committee at the start of each year, with scope and resource allocation justified by the risk assessment. See also our audit and assurance services.
Forensic Accounting and Fraud Investigation
Asset Misappropriation Investigations
Asset misappropriation (theft of cash, inventory, or other assets by employees) is the most common category of occupational fraud. When a Philippine company suspects or discovers asset misappropriation, the immediate priority is to stop the bleeding, preserve evidence, and determine the full scope of the loss. We conduct forensic investigations of suspected misappropriation: tracing transaction flows, reconstructing records, identifying the perpetrators and the mechanism, and quantifying the loss.
The investigation report is prepared to an evidentiary standard, admissible in Philippine criminal proceedings and civil cases. Our lawyers assess the criminal and civil remedies available (qualified theft, estafa, and civil recovery under Philippine law) and initiate the appropriate legal response from the same engagement.
Financial Statement Fraud
Financial statement fraud involves intentional manipulation of financial records to misrepresent the entity’s financial position or performance: inflated revenues, understated liabilities, or fictitious assets. It is typically perpetrated by management or controlling shareholders and is harder to detect than asset misappropriation because it does not create an obvious cash deficit.
We investigate financial statement fraud by applying forensic analytical techniques to the entity’s historical financial data, reconstructing the true financial position, and identifying the persons responsible. Where financial statement fraud has affected investors, creditors, or regulators, our lawyers manage the regulatory disclosure obligations and legal exposure alongside the investigation.
Corruption and Bribery Investigations
Bribery and corruption investigations require tracing payments through corporate accounts, identifying undisclosed conflicts of interest, and reconstructing relationships between the subject and the counterparty. We apply ACFE-standard fraud examination methodologies and coordinate with our legal team on the legal implications under the Anti-Graft and Corrupt Practices Act, the Anti-Red Tape Act, and the Revised Penal Code, as applicable.
For corporations facing regulatory inquiries related to alleged bribery (Ombudsman referrals, COA findings, PCGG involvement), our lawyers manage the regulatory response and coordinate the factual investigation simultaneously.
Litigation Support and Expert Witness Services
Forensic accounting findings are often used as evidence in Philippine court proceedings: criminal cases (qualified theft, estafa, plunder), civil cases (damages claims, shareholder disputes), and quasi-judicial proceedings (NLRC, SEC). We prepare forensic accounting reports to an evidentiary standard and provide expert witness testimony to support our findings. Our in-house lawyers manage the evidentiary and procedural requirements of the litigation alongside the forensic accounting engagement.
Regulatory Risk and Compliance Assessment
BSP Operational Risk Management Framework: Banking Sector
BSP Circular 900 requires all BSP-supervised financial institutions (commercial banks, thrift banks, rural banks) to adopt a board-approved operational risk management framework that covers all business lines, including outsourced services. The framework must include risk identification and assessment, risk treatment and mitigation, monitoring and reporting mechanisms, and a review cycle for the board.
We assess bank clients’ existing operational risk management frameworks against BSP Circular 900 requirements and develop the framework documentation, policies, and reporting templates required for BSP examination readiness. Where BSP examination findings identify deficiencies, we remediate them and advise on the written response to the BSP.
IC Compliance: Insurance Sector
Philippine insurance companies are subject to IC’s risk-based capital (RBC) framework, which requires both adequate capital levels and demonstrable risk management governance. We advise insurance companies on risk management framework documentation, risk committee governance, and compliance with IC circulars relevant to enterprise risk management. Where IC compliance findings require legal advice on regulatory response, our lawyers engage directly with the IC on the client’s behalf.
SEC Corporate Governance Requirements: Listed Companies
SEC corporate governance requirements for Philippine listed companies include audit committee charters, board risk oversight committee (BROC) functions, and disclosure of risk management practices in annual SEC Form 17-A filings. We advise listed company clients on the governance structure required, facilitate BROC establishment and operation, and assist with risk disclosures for the annual report. Where SEC inquiries relate to corporate governance failures with legal implications, our lawyers handle the regulatory response.
Frequently Asked Questions
What is the difference between risk management and internal audit?
Risk management is a management function: identifying, assessing, and treating risks as part of running the business. Internal audit is an independent assurance function that reports to the audit committee and tests whether management’s risk and control processes are working. The two are complementary: internal audit scope is informed by the risk assessment, but internal audit is not responsible for managing risks; that remains with management.
What is the COSO framework and how is it used in the Philippines?
COSO is the Committee of Sponsoring Organizations of the Treadway Commission. Its 2013 Internal Control – Integrated Framework defines five components of internal control (control environment, risk assessment, control activities, information and communication, monitoring) and 17 associated principles. Its 2017 Enterprise Risk Management framework provides the standard for ERM programs. Both are the reference frameworks for IIA Philippines and the Philippine internal audit community. STLAF applies both frameworks in its risk and controls advisory practice.
What are BSP's requirements for risk management in banks?
BSP Circular 900 requires all BSP-supervised financial institutions to adopt a board-approved operational risk management framework covering all business lines. The framework must include risk identification and assessment processes, risk treatment and mitigation mechanisms, monitoring and reporting to the board, and a review cycle. Rural banks and thrift banks are subject to the same requirement as commercial banks, scaled to their size and complexity.
What is forensic accounting and when do companies need it?
Forensic accounting is the application of accounting, auditing, and investigative skills to examine financial records for use in legal proceedings or internal investigations. Companies need forensic accounting when they suspect fraud (misappropriation, financial statement manipulation, bribery), when facing litigation that requires financial quantification, or when a regulatory body requests a forensic review. It is distinct from an audit: an audit attests to financial statement accuracy; forensic accounting investigates specific suspected wrongdoing.
What is a material weakness in internal controls?
A material weakness is a deficiency, or combination of deficiencies, in internal controls such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected and corrected on a timely basis. It is the most severe classification of control deficiency and, in an external audit context, prevents the auditor from issuing an unqualified opinion. A material weakness must be reported to the audit committee and, for listed companies, may require SEC disclosure.
How often should a company review its internal controls?
At minimum, annually, aligned with the external audit cycle and the internal audit plan. In practice, controls should be reviewed more frequently in areas of high risk or high transaction volume, and whenever there is a significant change to the business (new system, new process, acquisition, or significant headcount change). BSP-supervised financial institutions are subject to periodic BSP examination of their control environment regardless of their internal review cycle.
How do companies investigate employee fraud in the Philippines?
A forensic investigation starts with evidence preservation: securing financial records, access logs, and physical evidence before the subject is aware of the investigation. Forensic CPAs then reconstruct the transaction trail, identify the mechanism and scope of the fraud, and quantify the loss. Concurrently, lawyers assess the criminal exposure (qualified theft and estafa are the most common charges for employee fraud under Philippine law) and the civil recovery options. The investigation report is prepared to an evidentiary standard for use in criminal and civil proceedings.
What is ERM and which Philippine companies need it?
ERM (Enterprise Risk Management) is a structured approach to identifying, assessing, and managing risks across the entire organization, not just the financial function. In the Philippines, listed companies face SEC corporate governance expectations that include board-level risk oversight. Banks are required by BSP to maintain ERM systems under Circular 900. Insurance companies are subject to IC’s risk governance requirements under the RBC framework. Mid-market corporations increasingly adopt ERM in response to investor and creditor due diligence requirements, even where not legally mandated.
Why Choose STLAF for Risk and Internal Controls
Risk and control findings do not always stay within the risk management function.
A COSO assessment that identifies a material weakness in payroll controls is also a BIR audit exposure. A forensic investigation that traces asset misappropriation to a finance manager is also a criminal matter under Philippine law. An IC examination finding that identifies risk governance deficiencies in an insurance company triggers a regulatory response timeline. A BSP supervisory letter about operational risk framework gaps requires both a remediation plan and a written regulatory response.
STLAF’s CPAs design, assess, and test the risk and controls framework. When findings escalate beyond the risk management function, our in-house lawyers handle the regulatory response, the criminal filing, or the civil recovery action, in the same engagement, without a handoff. The team that identified the problem is in the same firm as the team that resolves it.
That continuity matters because regulatory response timelines are measured in weeks. A BSP examination response, an SEC show-cause order, or a BIR Letter of Authority requires a competent, coordinated reply within a defined period. STLAF compresses the response curve.
STLAF Global is a BOA-accredited CPA firm and law firm providing ERM consulting, internal controls assessment, risk-based internal audit, forensic accounting, and BSP/IC/SEC regulatory compliance assessment.