JULY 2004
Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 3 of 145
Table of Contents
1 PURPOSE AND STRUCTURE OF MANUAL
2 BACKGROUND AND REGULATORY FRAMEWORK
3 MANAGEMENT FRAMEWORK ..... 10
4 AUDIT RESPONSIBILITIES OF THE BUDGET SUPERVISION OFFICE (BSO) AND RELATIONSHIPS WITH OTHER AUDITORS ..... 13
Commission services ..... 15
Co-operation between the BSO and the Commission services ..... 16
Audit Strategy for DG REGIO ..... 16
5 MONITORING AND REPORTING FRAMEWORK ..... 18
6 AUDIT APPROACH AND TECHNIQUES ..... 20
Stages of the Audit ..... 21
Quality Control and Assurance ..... 22
7 AUDIT PLANNING ..... 25
The Aims of Audit Planning ..... 25
The Planning Process for the BSO ..... 25
8 RISK ASSESSMENT ..... 28
The Process for the BSO: What the BSO is auditing ..... 28
Risk Identification ..... 28
Assessing Risk Importance ..... 31
9 AUDIT APPROACH TO COHESION FUND INCOME AND EXPENDITURE ..... 35
Setting Audit Objectives ..... 38
Audit Programmes ..... 40
10 AUDIT EVIDENCE ..... 42
Concept of Audit Evidence ..... 42
Procedures for Obtaining Audit Evidence ..... 43
11 DOCUMENTATION AND FILING ..... 44
The Benefits of Effective Documentation ..... 44
Content of Working Papers ..... 44
Current and Permanent Files ..... 45
Confidentiality of Audit Information ..... 46
Retention of Audit Documentation ..... 46
12 AUDIT REPORTING ..... 47
Contents of the Audit Report ..... 47
Reports to the EC ..... 49
Evaluation of Errors ..... 49
Follow-Up Audits ..... 50
Sys-audit ..... 51
13 IRREGULARITY, FRAUD AND CORRUPTION ..... 52
APPENDIX 1: INFORMATION SYSTEMS AUDIT GUIDELINE ..... 57
ANNEX 1 ..... 64
ANNEX 2 ..... 68
ANNEX 3 ..... 75
APPENDIX 2: AUDIT OF INTERNAL CONTROL ..... 77
APPENDIX 3: GUIDANCE FOR PERFORMANCE OF 15 PER CENT CHECKS ..... 79
APPENDIX 4: OBJECTIVES OF SUBSTANTIVE TESTS ..... 89
APPENDIX 5: SUGGESTED LIST OF KEY QUESTIONS TO EXAMINE THE MANAGEMENT CONTROL SYSTEMS ..... 91
APPENDIX 6: SUGGESTED LIST OF KEY QUESTIONS FOR ON THE SPOT CONTROL OF A COHESION FUND PROJECT ..... 105
APPENDIX 7: PREPARATORY WORK / GATHERING OF AUDIT INFORMATION ..... 115
APPENDIX 8: PROCUREMENT DIRECTIVES ..... 119
APPENDIX 9: PUBLICITY REQUIREMENTS ..... 121
APPENDIX 10: MODEL REPORT PURSUANT TO ARTICLE 12 OF REGULATION 1386/2002 ..... 122
APPENDIX 11: GUIDELINES ON THE PRINCIPLES, CRITERIA AND INDICATIVE SCALES TO BE APPLIED BY COMMISSION DEPARTMENTS IN DETERMINING FINANCIAL CORRECTIONS UNDER ARTICLE H(2) OF ANNEX II TO REGULATION (EC) NO 1164/94 ESTABLISHING A COHESION FUND ..... 125
APPENDIX 12: GUIDANCE ON 15% SAMPLE CHECKS BY MEMBER STATES ..... 132
APPENDIX 13: LIST OF ABBREVIATIONS ..... 135
Chapter 2 - Background and Regulatory Framework - details the aims and objectives of the Cohesion Fund and sets out the legislative framework.
Chapter 3 - Management Framework - explains the roles and responsibilities of key organisations in the management and control process and the accounting and financial reporting system.
Chapter 4 - Audit Responsibilities of BSO and Relationships with Other Auditors - defines the role of the BSO and its relationship with both Internal Audit and the Slovenian Court of Audit, the Supreme Audit Institution (SAI), and with the auditors of the Commission and the European Court of Auditors (ECA).
Chapter 5 - Monitoring and Reporting Framework - discusses the methodology for reporting during Project Implementation, the Monitoring arrangements, and the Ex-Post Evaluation criteria.
Chapter 6 - Audit Approach and Techniques - describes the general approach to auditing the Cohesion Fund, the BSO audit process, and Quality Control and Assurance.
Chapter 7 - Audit Planning - provides guidance on the approach to planning coverage across the audit area, including long term strategic and also annual planning.
Chapter 8 - Risk Assessment - looks at the risk factors to be considered when devising the audit approach, as part of the overall planning strategy.
Chapter 9 - Audit Approach to Cohesion Fund Income and Expenditure - discusses the understanding of the business, the audit trail, audit objectives and test programmes.
Chapter 10 - Audit Evidence - describes the overall concepts and the sources, methods and nature of audit evidence.
Chapter 11 - Documentation and Filing - outlines the key principles of effective audit documentation; the contents of Working Papers; Current and Permanent Files; Confidentiality of Information; and Retention of Documentation.
Chapter 12 - Audit Reporting - covers the content of a standard audit report, reports required by the EC, and follow-up audits.
Chapter 13 - Irregularity, Fraud and Corruption - covers the respective responsibilities of audited bodies, management and the auditor; the procedures where fraud or other irregularities are suspected; and the arrangements in Slovenia.
Appendices 1 to 12 describe in more detail the audit procedures for information systems (computer) audit, the audit of internal controls, guidance for the performance of sample checks, the gathering of audit information (preparatory work), audit tests for the management and control systems at programme level and audit tests at final beneficiary level, and procurement and publicity issues. Appendix 10 contains a model report to the Commission, and the following appendices give guidance on financial corrections and sample checks. Annexes follow some of the appendices.
Appendix 13 lists the abbreviations used in the manual.
Eligibility
2.6 Eligibility is restricted to Member States whose per capita gross national product (GNP) is less than 90% of the Community average and which have a programme designed to achieve the conditions of economic convergence as set out in Article 104 of the Treaty establishing the European Community. If a Member State's GNP rises above the 90% threshold, it may no longer receive funding for new projects or new project stages.
Commission Regulation (EC) No 16/2003 of 6 January 2003 lays down special detailed rules for
implementing Council Regulation (EC) No 1164/94 as regards eligibility of expenditure in the context
of measures part-financed by the Cohesion Fund.
Commission Regulation (EC) No 1831/94 of 26 July 1994 concerning irregularities and the recovery of
sums wrongly paid in connection with the financing of the Cohesion Fund and the organization of an
information system in this field.
Commission Regulation (EC) No 621/2004 of 1 April 2004 lays down rules for implementing Council
Regulation (EC) No 1164/94 as regards information and publicity measures concerning the activities of
the Cohesion Fund.
Project Application and Approval
2.7 Applications for assistance from Member States to the Commission must contain the information
specified in the Regulation, that is: the body responsible for implementing the project, project
description, cost, location, investment timetable, assessment of the impact on employment and the
environment, and information on public contracts.
2.8 The Commission will normally decide whether or not to approve a project within three months
of the application and publish the decision in the Official Journal of the European Union.
Financial Control and Provisions
2.9 CR 1264/1999 states that the financial control of projects is primarily the responsibility of
Member States. They must check that projects are managed correctly, prevent and detect irregularities
and recover any amounts lost as a result. They must provide the Commission with details of the
methods they take and of the internal management and audit arrangements that they establish. In turn,
the Commission may carry out on the spot checks, in accordance with Annex II to the Regulation, and
may ask Member States to verify the correctness of transactions.
2.10 The Cohesion Fund routinely contributes between 80% and 85% of public or equivalent project
expenditure. (Since 1 January 2000 it has been possible to reduce this rate to take account of any
revenue generated by the project and any application of the "polluter pays" principle). The full cost of
preliminary studies and technical support measures may be financed up to 0.5% of the total resources of
the Fund. To qualify for reimbursement, all expenditure must have been incurred after the date the
Commission receives the project application. Payments made after the initial advance must be linked to
implementation of the project and no item of expenditure may receive assistance from both the
Cohesion and Structural Funds at the same time. Finally, assistance from the Cohesion Fund, the
Structural Funds and other Community aid may not exceed 90% of the total project expenditure.
3 MANAGEMENT FRAMEWORK
Regulatory Requirements
3.1 The regulatory framework for the management and control systems of the Member States must comply with Commission Regulation 1386/2002 (in particular Article 2) and CR 1164/94 (in particular Article 12, and Article G of Annex II). CR 1386/2002 requires that Member States comply with the following Articles:
Article 2 - verify that management and control arrangements have been set up and are being implemented in such a way as to ensure that Community funds are being used efficiently and correctly;
Article 7 - prevent and detect irregularities, notify these to the Commission in accordance with the rules, and keep the Commission informed of the progress of administrative and legal proceedings. Information exchanged should be kept confidential;
Article 8 - certify that the declarations of expenditure presented to the Commission are accurate and guarantee that they result from accounting systems based on verifiable supporting documents. The certification of expenditure shall be drawn up by a person or department within the paying authority which is functionally independent of any services that approve the claims;
Articles 9 and 10 - organise checks on projects on an appropriate sampling basis, to ensure that projects are managed in accordance with all the applicable Community rules and that the funds placed at their disposal are used in accordance with the principles of sound financial management. The checks carried out shall cover at least 15% of eligible expenditure on projects first approved after 1 January 2000. The selection of the sample of transactions to be checked is dealt with in detail in Appendix 3;
Articles 13, 14 and 15 - present to the Commission, when each project is wound up, a declaration drawn up by a person or department independent of the designated authority. This declaration shall be based on an examination of the management and control system, summarise the conclusions of the checks carried out during previous years and assess the validity of the application for payment of the final balance and the legality and regularity of the expenditure covered by the final certificate. The person or department issuing the declaration shall make all necessary enquiries to obtain reasonable assurance that the certified statement of expenditure is correct, that the underlying transactions are legal and regular and that the project has been carried out in accordance with the terms of the granting Decision and the objectives assigned to the project;
co-operate with the Commission to ensure that Community funds are used in accordance with the principles of sound financial management;
Article 20.4 - recover any amounts lost as a result of an irregularity detected and, where appropriate, charge interest on late payments.
Management Framework
3.2 The Decree of the Government of Slovenia (implementing Decree), based on the Execution of the State Budget Act, will define in detail the programming and implementing arrangements between the
bodies detailed below in respect of the Cohesion Fund, including financial management and control.
The authorities and bodies responsible for the implementation of the Cohesion Fund are as follows.
Checking and assessing the project applications and submitting them to the MA;
coordination and harmonization of financial management and control and internal audit of
budget users and assessing the overall performance of PIFC System (BSO-Sector PIFC);
acting as the anti-fraud coordinating service (AFCOS) for OLAF and communicating on
irregularities to EC/OLAF (BSO-Sector PIFC);
independent financial control of all EU funds (BSO-Sector for Audit and Certification).
4.3 By law, the main functions of the BSO in terms of Public Internal Financial Control (PIFC), are
as follows:
Issue guidelines aimed at harmonising the functionality of the system of Public Internal Financial Control (PIFC);
Issue guidelines and methodology for internal controls and internal audit at direct and independent budget spending centres;
Issue rules and conditions for the nomination and dismissal of internal auditors and check their implementation;
Check the implementation of guidelines, methodology and standards for internal control and internal audit and report to the Government thereon;
Follow up and analyse the findings and recommendations of internal audit services for the improvement of financial management and internal controls and report the findings to the Government and to the Court of Audit.
Cohesion Fund
4.4 Regarding the independent financial control of the Cohesion Fund, the main tasks and responsibilities are:
to perform sample checks of at least 15% of the Cohesion Fund expenditure in order to verify: the practical application and effectiveness of the management and control systems; the execution of the measure in accordance with the terms of the Regulations granting the assistance and the objectives assigned to the measure; for an adequate number of accounting records, the correspondence of those records with supporting documents held by the implementing agencies, delegated bodies and final beneficiaries; the presence of a sufficient audit trail; for an adequate number of expenditure items, that the nature and timing of the relevant expenditure comply with Community provisions and correspond to the approved specifications of the measure and the works actually executed; that the appropriate national co-financing has in fact been made available; and that the co-financed measures have been implemented in accordance with Community rules and policies;
to establish whether any problems encountered are of a systemic character, entailing a risk for other operations carried out by the same Implementing Body; to recommend improvements and corrective actions, identify the causes of such situations and carry out any further examinations which may be necessary;
to provide information, by 30 June each year, on the application of the provisions for sample checks in the previous calendar year and, in addition, to provide an opinion on the effectiveness of the management and control systems.
4.5 The BSO, as Independent Financial Control Body, is responsible for the independent auditing of
Cohesion Fund; for certifying annual reports; for co-ordinating internal auditing at BSCs; and for
carrying out additional auditing for the projects co-financed by the EU in compliance with international
agreements.
Carrying out independent audits of the Implementing Bodies and assessing their capacity and
competency to effectively control EU funds and national co-financing;
Co-ordinating the operations of the internal audit services of the Implementing Bodies in
relation to the management and control of Cohesion Fund;
The closure certification examination and report at the end of the Cohesion Fund projects.
4.7 The BSO is the organisation responsible for the independent control of EU Funds and therefore acts in an external audit role in examining all aspects of the Cohesion Fund Programme.
the Internal Audit Service (IAS), within the Ministry of Finance; and
the Internal Audit units within the Ministries of Transport and Environment.
Commission services
4.12 The overall objectives of the audits carried out by the Commission services responsible for the audit of the Cohesion Fund are to determine:
to what extent the Member States have put into place adequate management and control systems, and to what extent these systems give a satisfactory assurance concerning the legality and regularity of the underlying operations;
the level of ineligible expenditure where the Member States' management and control systems have proven inadequate.
4.13 The unit responsible for the audit of the Cohesion Fund may be assisted by external audit firms to
carry out audits in Member States.
determine to what extent the beneficiary countries have put into place appropriate
management and control systems, and to what extent these systems give a satisfactory
assurance concerning the regularity of the underlying operations in terms of the law applicable;
carry out financial corrections where the beneficiary country's control procedures have proven inadequate.
4.19 The Commission has made a commitment to the European Parliament in response to the Court of Auditors' finding of high levels of irregularity in declared expenditure: so far as resources permit, the Commission intends to intensify its own control activity in the area of the Structural Funds, in particular in order to verify the adequacy of the Member States' systems and procedures. If these controls detect systemic failures by the responsible authorities, then financial corrections will be applied, with a more extensive use of extrapolation whenever appropriate.
Mission of the audit and control units of Directorate G
4.20 Audit unit G3 is responsible for leading the work of DG Regional Policy and, as chef de file for the Cohesion Fund, that of the other responsible Directorates General, to ensure the satisfactory quality of the national management and control systems in relation to operations carried out under shared or decentralised management and to provide assurance that meets the requirements of the authorising officer by delegation to this effect. They may also undertake ad-hoc enquiries into directly managed expenditure at the request of the Director-General.
4.21 In collaboration with the other services of DG Regional Policy and with the other Directorates
General responsible for the Cohesion Fund, they contribute towards the establishment of the conditions
necessary for sound financial management in the beneficiary countries, in particular by proposing rules
and guidelines, by organising and animating working groups of beneficiary countries, and by
undertaking preventive and ex post audits of the implementation of new rules.
4.22 In collaboration with the audit units of the other responsible Directorates General, they promote
the development of effective arrangements for financial management, control and audit in the Member
States and closer co-ordination between the audit activities of Member States and the Commission, in
the framework particularly of the bilateral administrative agreements. They also encourage the adoption
of a uniform approach to audit and control within the Commission services. They ensure effective cooperation with the operational units to promote effective control of Community funds, in particular by
consulting them on the annual review of the audit strategy, and at all stages of the planning process for
audit enquiries so that the requirements of the operational services are taken into account. They also
consult them on all audit reports and letters to beneficiary countries, and issues of financial correction.
They undertake to collaborate with operational units in clarifying their respective control functions to
ensure maximum effectiveness in the use of resources. They may undertake ad-hoc audits requested by
operational units within the limits of the resources reserved for this contingency.
Audit Strategy - Cohesion Fund
Objective
4.23 For the period 2000-2006, reasonable assurance is required that the management and control systems established by the Member States comply with the provisions of the Community regulations and are functioning effectively. The audit objective is therefore to obtain such assurance or, in the event that deficiencies are identified in the Member States' systems, to recommend remedial action, to follow up the implementation of such measures, and to propose financial corrections where Community funds have been put at risk. In the case of projects for which specific irregularities are detected, the ineligible expenditure should be excluded from Community financing and recovery action taken.
With particular respect to the flow of funds within the system, the following reports are expected:
Global cash flows: these reports outline the forecasted expenditures related to the entire project for the coming year, justify the commitment to these projects and indicate the progress of each project. These reports can be incorporated into the annual progress report.
Payment flows: these consist of four components: first advance payments, second advance payments, intermediate payments and final/balance payments.
A review of the management control system, to confirm what controls are in place; and an
examination to determine whether or not the controls are operating effectively in practice;
A programme for examining annual expenditure that covers at least 15% of the total eligible expenditure, and is representative of the different areas of activity and type and size of project. Appendix 3 comments on the methodology for selecting the 15% sample, whilst Appendix 12 details the Commission guidance on carrying out the work;
Arrangements for the annual reporting, both within Slovenia and to the European
Commission;
A constant risk assessment process that re-appraises potential areas of risk in line with
developments in funding received or the approval of new projects; and finally
A programme to examine all projects that close within the year, and guidance as to how to
effectively carry out the function of issuing a declaration on the winding-up of measures, which
will include obtaining assurances on the controls that applied over the life of the project.
6.3 The audit should therefore determine whether systems are operating effectively to prevent errors
and irregularities, and that, where errors and irregularities do occur, the systems are effective in
detecting and correcting them. Essentially, Slovenian Government management and control systems
should ensure at the appropriate levels that final beneficiaries and actions are eligible when selected to
receive support, that they remain eligible for the duration of the action, that objectives are being
achieved, and that expenditure claimed is eligible and in accordance with the financial plan. Controls
should also ensure that claims made to the Commission are correct.
[Figure: Delivering objectives of the BSO. Audit process: Audit planning; Fieldwork/Gathering Evidence (enquiries, observations, interviews, inspection of documents; evaluate systems/controls; test transactions, documents, records (sampling); document and record audit results); Audit reporting.]
6.6 Each element in the above audit process is regulated by a system of Quality Control. This system
is outlined in the following Section.
Assuring the quality of audits carried out by the BSO is a two-stage process:
At the first level, the BSO has adopted policies and procedures at each stage of the audit process
(from audit planning through to audit reporting and follow up) designed to ensure that audit tasks
are carried out to an acceptable level of quality.
At the second level, the BSO carries out higher level quality assurance (Q.A.) reviews of audit
tasks to establish that these policies and procedures are adhered to uniformly within the BSO.
First Level
Audit Briefing
6.9 Team leaders should brief their teams before audits start. They should make sure that all relevant
documentation and background material is assembled. The aim of the briefing should be to ensure that
audit objectives are understood by the team and particularly by auditors responsible for individual tasks.
The audit objectives may include giving particular emphasis to certain types of risk such as those
relating to fraud. The scope of the audit may be limited, for example where the emphasis is on the
testing of high risk systems which have already been reviewed and evaluated. The briefing should
include techniques, allocation of tasks, conduct, liaison with line management, reporting and
administrative arrangements. Details of the briefing should be recorded.
Supervision
6.10 Regular control of the assignment of staff is the responsibility of the team leader. Supervision
involves the monitoring of staff undertaking audit assignments, reviewing their work, developing their
skills and making sure that performance is in line with standards and work plans. More supervision is
called for where a trainee is being used or if an auditor has a low level of skills in, or experience of, the
type of assignment to which he or she has been allocated. The same principles apply when contractors
are used.
Progress control
6.11 The responsible audit manager or Head of BSO should periodically review performance and
progress. As part of this process regular meetings should be held with team leaders. Failure to exercise
control may result in objectives not being achieved or loss of direction and efficiency. The prime
responsibility for control over progress lies with the team leader who should be familiar with any
specific audit requirements and performance targets. The team leader should report on progress,
possibly on an exception basis. The findings arising during an audit may indicate a need for priorities
to be reassessed or for more work to be done. This should be discussed with the audit manager as soon
as possible so that, if warranted, appropriate action can be taken.
6.12 Any changes to the planned timetable should be recorded; the use of a standard progress report form may be considered for this purpose. The audit manager should compare the actual man days spent on each audit against the plan and determine the reasons for variances. The audit manager should consider the implications for future plans.
6.13 Audit managers should pay scheduled and unscheduled visits to see audit teams at work, to assess the way in which the audit is being carried out and the expertise which is being applied. They should note any training needs arising during the audit.
Review
6.14 All work should be continuously reviewed as an integral part of audit procedures. Review may
be partly achieved through supervision. Completed working papers should be inspected to ensure that
they meet laid down standards and are relevant to audit findings and conclusions. Review should
continue throughout an audit so that a more experienced auditor always appraises the work of another.
6.15 The extent of review will vary with the experience of staff and nature of the assignment but it
should be such that the Head of BSO, who may undertake a final review of the draft report, can be
satisfied that the conclusions are sound and are demonstrably supported by relevant, reliable and
sufficient audit evidence. There should also be evidence that all elements of the plan have been
satisfactorily achieved and that the audit file has been reviewed by the responsible manager. The result
of these reviews should be discussed with the auditors involved and any lessons learnt should be
applied across all auditors' work.
Review record
6.16 A summary record of reviews can help quality control and quality assurance. The record should
identify:
6.17 Separate columns should be provided for each reviewer. Space may be allocated to record
examinations made during internal or external peer reviews.
Appraisal
6.18 Each audit should be appraised on completion to assess its conduct and value. Audit management
should consider any need for additional guidance, implications for other audits, the effect on audit plans
and on the use of contractors. Solutions to any problems identified may involve staff training, better
planning, better contract management, the use of other techniques, different approach, change in
management style, etc. The views of line management may be helpful in assessing audit performance.
Internal review
6.19 In addition to routine reviews of audit assignments (see above) planned internal reviews should
be carried out by members of staff not involved in the original audit to appraise the quality of audit
work performed. Over time, the work of all teams should be subject to review. Any weaknesses
revealed should be discussed with the responsible auditors and more pervasive problems brought to the
attention of all auditors. Corrective action should be taken where necessary.
Second Level
6.20 The following are the main elements of the quality assurance reviews carried out by the
management:
staff carrying out Q.A. reviews are suitably qualified and experienced (they may be either
employed full-time in quality assurance, or on short-term secondments from other parts of
BSO);
staff carrying out Q.A. reviews are independent of the audits being reviewed;
staff carrying out Q.A. reviews have the power to select audit tasks for review;
procedures are established for the selection of all audits to be reviewed, which will ensure an
appropriate coverage of all the activities of the BSO over a set period of time; all tasks of the
BSO must potentially be subject to review (the reviewer must have full knowledge of the
activities of the BSO);
procedures are established to determine the nature, extent, frequency and timing of the Q.A.
reviews;
procedures are established to resolve disagreements which may arise between Q.A. reviewers
and audit staff;
staff carrying out reviews have right of access to all relevant internal documents and to the staff
who prepared them or managed the task;
staff carrying out reviews normally have the duty to report and make recommendations in a
timely manner to the BSO's senior management, and senior management normally has the duty
to respond to these;
audit staff can request that a Q.A. review is carried out at any stage of an audit task;
6.21 In certain cases, and particularly when the BSO uses temporary secondments to carry out internal
quality assurance reviews, the BSO may decide to develop and use standard checklists of objectives that
the reviewer must achieve to ensure the consistency and completeness of the reviews carried out.
7 AUDIT PLANNING
The Aims of Audit Planning
7.1 The auditor should plan the audit work so that the audit will be performed in an effective manner.
This means developing a general strategy and a detailed approach for the expected nature, timing and
extent of the audit. Adequate planning of the audit work helps to ensure that appropriate attention is
devoted to important areas of the audit; that potential problems are identified; and that the work is
completed expeditiously. Planning also assists in proper assignment of work to assistants and in
coordination of work done by other auditors and experts. The plan also allows management to
supervise and control the audit work being performed.
7.2 Obtaining knowledge of how the Cohesion Fund Programme is managed and of the
organisations involved is an essential element in identifying risks and planning an effective audit
approach, as detailed in Chapter 9. The auditor may wish to discuss elements of the overall audit plan
and certain audit procedures with the management and staff of audited bodies to improve the
effectiveness and efficiency of the audit and to coordinate audit procedures with the work of the audited
bodies' personnel. The overall audit plan and the audit programme, however, remain the auditor's
responsibility.
the strategic long term plan, stating how the BSO intends to audit Cohesion Fund over the
programme lifetime in order to assure long term coverage of checks and to assure the effective
winding up of projects; and
the plan detailing the audit work to be carried out each year.
An update of the systems description, as compared to that contained in the Strategic Plan,
detailing any significant facts, events or changes which have taken place and their likely effect
on the operations of the fund and hence the audit;
Details of the nature and extent of use to be made of the work to be carried out by other
auditors, e.g. internal audit units (IAU) of line ministries, the Court of Audit, European
Commission auditors;
o The conclusions from previous work by other auditors may be used to determine the
effectiveness of controls operating;
o It may be possible to ask other auditors to carry out audit work on behalf of the BSO.
Audit objectives
o These should be based on the risk assessment (see Chapter 9).
Audit Programmes
o These programmes should consist of audit tests designed to meet the audit objectives (see
Chapter 9)
Staffing levels and the resources required to carry out the audit work;
provide a basis for regular monitoring of progress on the audit by management; and
include follow-ups of previous audit missions carried out by Internal Audit Units, the BSO or
auditors of the EC.
8 RISK ASSESSMENT
The Process for the BSO: What the BSO is auditing
8.1 The audit fieldwork that the BSO will undertake is essentially to check that the Cohesion Fund
income and expenditure taking place in Slovenia is in line with the regularity requirements of the
Commission, i.e. that the management and control system put in place in Slovenia meets the
requirements of the EC Regulations.
8.2 Specific objectives of the BSO annual audit approach are detailed at Section 6.2. Particular
attention should be paid to the regular review of controls and to the 15% sample checks, both of which
contribute to the ability of the BSO to provide a final closure certificate on individual projects, covering
the full period of the projects' activities.
8.3 In checking that the management and control systems in Slovenia comply with the above, the
BSO should go through a four step process as follows:
Risk Identification
8.4
8.5
Inherent risk. This is the susceptibility of a class of transactions to misstatement that could be
material, either individually or when aggregated with misstatements in other classes, assuming
that there are no mitigating internal controls. For the Cohesion Fund, there is an additional
inherent risk of irregularity, i.e. that expenditure is not in line with EC regulations.
Control risk. This is the risk that either irregular expenditure or misstatement, that could occur
in a class of transactions and that could be material individually or when aggregated with
misstatements in other classes, will not be prevented or detected and corrected on a timely basis
by the accounting and internal control systems.
In the context of the audit of Cohesion Fund, materiality can be defined as:
Information is material if its omission or misstatement could influence the economic decisions of users
taken on the basis of the financial statements. Materiality depends on the size of the item or error
judged in the particular circumstances of its omission or misstatement. Thus, materiality provides a
threshold or cut-off point rather than being a primary qualitative characteristic which information must
have if it is to be useful.
Inherent Risk
8.6 The following factors should be considered as indicators when assessing the levels of inherent
risk:
the more complex the regulations governing the action, the greater the risk of error will be.
These errors may occur either through the misunderstanding or misinterpretation of regulations,
or through a simple error in application of the rules;
divergence of management arrangements - for example, actions delivered through third parties
or agents may have a higher inherent risk than actions delivered directly by a single managing
authority. The more steps there are in the management process, the higher the risk will be;
payments or receipts made on the basis of claims or declarations (for example, a declaration by
the final beneficiary in respect of contributions in kind), rather than in exchange for invoiced
goods or services, are generally more difficult to verify, and therefore lead to an increased
inherent risk;
the absolute amount of the Cohesion Fund support, and the proportion of total cost
supported by the Fund - where the absolute amount of the grant is high, or a very large
proportion of total funding comes from the Fund, the inherent risks may be increased;
the amount of the Cohesion Fund support, in situations where this fund is a part of a structural
investment with other funds, and when the risk of double financing exists;
the type of action and funding - for example, some types of action (projects generating own
revenue) may be considered to have inherently greater risk than others;
the type of project manager/ final beneficiary - for example, public or private; well-established
or newly-formed;
high levels of staff turnover, the use of temporary staff to undertake key tasks, or the use of
untrained or inexperienced staff within the managing organisations or project managers/ final
beneficiaries are likely to lead to increased inherent risks because the inexperience of staff may
mean that controls do not function properly; and
the possibility of a conflict of interest, situations where duties are not properly segregated (for
example, when purchase and payment functions are combined), or knowledge of unethical
behaviour.
8.7 As part of the process of "Audit Preparation" (see the diagram at 6.5), the BSO will need to assess
the extent and nature of Inherent Risks within the Management Framework. This assessment should
form part of the annual exercise and should be undertaken at the various levels, for example at the
GOSP, the National Fund, or at the Implementing Bodies.
Control Risk
8.8 The control system for administering Cohesion Fund in Slovenia should be designed to mitigate
inherent risk. Where inherent risk is highest, there should be controls in place to reduce the actual risk
of incorrect or irregular payments being made. For example, for schemes with very complex rules, the
body responsible for checking and approving claims would be expected to put considerable effort into
the verification of claims in that area. A high control risk is where controls to reduce inherent risk are
not working (or are not in place).
8.9 The system put in place by management to mitigate inherent risk is called the Accounting and
Internal Control System. The audit work on the management and control system is designed to check
that controls are in place and working (Appendix 2 gives some general information on the audit of
Internal Controls). Again, the BSO will need to annually review the extent to which the effective
operation of the management control system is mitigating any Inherent Risks that have been identified.
The control environment - the overall attitude, awareness and actions of management
regarding the internal control system and its importance in the entity. The control environment
has an effect on the effectiveness of the specific control procedures. A strong control
environment, for example, one with tight budgetary controls and an effective internal audit
function, can significantly complement specific control procedures. However, a strong
environment does not, by itself, ensure the effectiveness of the internal control system. Factors
reflected in the control environment include:
o The function of the management board.
Control procedures - those policies and procedures in addition to the control environment
which management has established to achieve the entity's specific objectives. Specific control
procedures include:
o Reporting, reviewing and approving reconciliations.
should focus on determining what controls are in place by way of "walkthrough" tests, before later
testing whether or not those controls are operating in practice. This work would then inform the
assessment of control risk on any subsequent audits.
8.13 From the knowledge gained from previous audits and from its close working relationships with
the key players in the management system in Slovenia, the BSO will draw general risk conclusions that
will assist the planning and audit approach exercises. For example:
At the Intermediate Body level - has the BSO identified any significant control weaknesses at either
of the two Ministries - Transport or Environment - that are involved with the Cohesion Fund that might
influence the projects to be selected for examination?
At the Implementing Body level - has the BSO identified any significant weaknesses in control at any
of the Municipalities (Environment) or at one of the two sectors (Transport) in relation to their controls
over the Cohesion Fund, that again might influence the selection of projects to be examined?
8.14 Audit effort should be directed towards those areas where risk is likely to be greatest, whilst also
ensuring adequate coverage of lower risk areas. The importance of a risk can be assessed on the basis of
the probability of the risk occurring and its expected impact on the quality of the project's outputs or on
delays. The assessor can score both the probability of occurrence and the expected impact of the risk as
low, medium or high, giving the following combined rating:

                          Probability
Impact        High            Medium          Low
High          Unacceptable    Unacceptable    High
Medium        High            High            Medium
Low           Medium          Low             Low
8.15 Checks should be carried out on a sample basis, with the aim of carrying out sufficient
examination to provide a reasonable level of assurance that the management and control systems to be
examined by each audit are operating effectively to prevent errors or irregularities.
8.16 Given the potentially wide range of activities, a rolling programme, based on a risk assessment,
may be adopted to ensure that all relevant areas (for example, main implementing authorities, main
final beneficiaries, forms of assistance/operations) are covered, although not necessarily in the same
year. The information available from ex ante controls should be gathered and evaluated during the risk
assessment.
8.17 The process set out above may be used to develop a draft audit plan which may then be adjusted
on the basis of any additional information available to the auditor. Among the main factors to be
considered in selecting the areas to be audited are:
whether the nature of the actions managed means that there are particularly high inherent risks;
information on the quality of the management and control systems, in particular the results of
past audits by Internal Audit Service or other auditors on the operation of a project;
the need to follow-up a selection of past audits to ensure that necessary improvements to
systems have been made;
the programme of control planned by the other auditors, in particular to avoid duplication and
address any identified gaps in coverage;
the level of risks involved in the different funded activities, including problematic actions and
actions in which significant problems have been noted or are expected.
8.18 Adjusting factors may be applied to the selection of the areas to be audited including the physical
location of organizations/activities (for example to prevent excessive travel time during the audit) and
the types of project to be covered. These adjusting factors may also be applied as a filter before the
selection process. Appendix 3 provides further guidance on the use of a risk assessment/sampling
model to determine which projects to examine.
Audit Information
9.2 Before concluding on the audit approach, the BSO will need to establish the
Cohesion Fund population that they are auditing. This will involve confirming:
9.3 In terms of the overall audit approach it will be for the judgement of the BSO
to use the information obtained at 9.2 to determine how many projects, receipts
and payments will be examined within each financial year: i.e. the degree of
substantive testing to be carried out to support the controls examination. As the
BSO examination is not directly linked to the audit of any specific account, the
concept of materiality will mainly involve the determination of the throughput of
receipts and payments within each year. As part of the longer term strategy the
BSO audit approach should aim to ensure that each project is examined at least
once in its lifetime.
Figure: Flow of Funds (diagram). Levels shown, top to bottom: Payment of Funds by the EC Delegation; the Designated Authority, GOEA (NIC), which signs the FM and sends Expenditure Claims and the Claim for Funds; Financial Control by the National Fund (NAO), responsible for financial management and for paying the CFCU under the Framework Financing Agreement (FFA); the Implementing Agency, CFCU (SAO), with an Implementing Agreement with the IB and FB, which receives Expenditure Claims and makes Payment of Claims; and the Final Beneficiaries (Municipalities and Transport Sectors), which check claims and pay final recipients. Each level carries out a risk assessment and prepares a strategic/long term plan and an annual plan.
Figure: Flow of Funds (diagram). Levels shown, top to bottom: European Commission; Managing Authority (GOSP); Paying Authority, National Fund (NF); Intermediate Bodies (MESP and MoT); Implementing Bodies (Municipalities and Transport Sectors). Payment of Funds and Payment of Claim flow downwards through these levels; the Claim for Funds and Expenditure Claims flow upwards.
reconciliation of the summary amounts certified to the European Commission with the
individual expenditure records and supporting documents at the various administrative and final
beneficiary levels; and
verification of the allocation and the transfers of the available Community and national funds.
9.7 The results of audits carried out previously should be examined in the light of
the audit trail to identify any improvements that need to be made to the operation
of the management and control systems under review. These individual systems
should include the relevant managerial levels.
9.8 The audit trail should provide a clear description of the flows of Cohesion
Fund finance and information, their documentation and their control, analysed to
project manager/ final beneficiary level. In particular, the audit trail should show:
which documents are created and data systems used, and who is responsible for these;
which management and control systems exist for financial data flows, who audits them and
how the findings are reported; and
who audits Cohesion Fund expenditure, results, efficiency and management expenditure and
what is the reporting system.
9.9 The Management Control Framework at 9.4 shows the flow of funds from the
designated authority to the Implementing Body and the flow of information on
progress and performance from the IB through to the Commission. The areas
where appropriate controls should be present are indicated on the left of the
figure. It is the operation of these systems, which should be documented and
tested during an audit of authorities or final beneficiaries. Note that the actual
controls implemented will vary according to the nature of individual systems and
according to the level of an audited body within the audit trail hierarchy.
9.10 In order to follow up the information flow (the reports and statements of
expenditure from the project managers) and the financial flow (the advances paid
to the IB), the details of the last statement received by the Commission, and
the last advance paid by the Commission, need to be reconciled, with the
Figure 1: Audit objectives relating to the audit of Member States' management and control
systems

Audit objective / Activity or Process / Objective
1. Systems descriptions - Whether there are adequate procedures to ensure that systems
   descriptions are reviewed and updated and changes notified to the Commission as required
   (Art. 5 and Art. 12 of Commission Regulation 1386/02).
2. Approval
3. Monitoring
4. Guidance
5. Irregularity reporting
6. Audit
7. Operational checks
8. Publicity
9. Accounting information
10. Audit trail
9.14 As outlined below, the main purpose of the checks at final beneficiaries is to
determine whether the relevant aspects of Member State authorities
Objective
Whether eligibility rules have been followed in selecting project managers and
projects/ actions for Cohesion Fund support.
Whether receipts and payments are accurately recorded in the project manager/
final beneficiary's accounting system, assets are correctly recorded, and that these
amounts are correctly reflected in demands for payment.
Whether (in respect of public authorities or bodies, and where necessary), services
or actions funded under the Cohesion Fund are procured on the basis of a proper
call for tenders, that there are sound controls over the opening of tenders and that
all tenders are fully evaluated before a final decision is made on the supplier of the
service/action.
Whether progress made is truly and fairly reflected in any reports or other
information submitted to Member State authorities and to the Commission.
Whether the project manager/ final beneficiary has complied with Community
rules on publicity, information, equality and the environment and any other
relevant Community law.
Audit Programmes
9.15 Audit tests need to be devised to gather the evidence to address the audit
objectives. Accordingly, Appendix 5 gives examples of tests that may be used to
address the audit objectives for the overall management and control system audit
of the Cohesion Fund and the substantive tests to be carried out centrally; whilst
Appendix 6 lists tests that may be used for the audit objectives for the audit of
Implementing Bodies. These tests will enable the BSO to obtain evidence to
establish whether or not the management and control systems provide a sufficient
audit trail.
Audit Strategy
9.16 The competent national authorities under the responsibility of the independent body designated
under Article 12 of Regulation 1386/2002 should prepare an audit strategy for the Cohesion Fund
which:
Takes account of the whole audit effort undertaken by the different national and regional
control authorities, and in particular that required by Article 8, Articles 9 to 11 and Articles 13
and 14 of Regulation 1386/2002;
Provides the framework within which annual audit programmes will be established;
Identifies the bodies which will be responsible for audit work and the scope and objectives of
their work, their resources and their methodology;
Provides assurance that there will be an adequate basis for the certification of expenditure under
Article 8 of Regulation 1386/2002, that the effectiveness of the management and control
systems in place will be verified regularly during the programming period, that 15% of total
eligible expenditure will be checked in accordance with Articles 9 and 10 of Regulation
1386/2002, that these checks will be spread evenly throughout the programming period up
until closure, and that consequently there will be a sufficient basis for drawing up the winding
up declaration under Article 13;
10 AUDIT EVIDENCE
10.1 This Section describes the general concepts of audit evidence and should be read in conjunction
with the revised International Standard on Auditing 500, which was approved in October 2003.
in documentary form, whether paper, electronic or other medium (a written record of a meeting
is more reliable than an oral report); and
in the form of original documents, which is more reliable than photocopies or facsimiles;
10.5 Visual evidence is highly reliable for confirming the existence of assets, but not their ownership
or value; whilst oral evidence must be considered as the least reliable. Whenever feasible, auditors
should attempt to obtain documentary confirmation of oral evidence (e.g. agreed written records of
interviews). When this is not feasible, oral evidence might be corroborated by interviewing separately
more than one person.
Completeness - to obtain audit evidence to ensure that all transactions and events that should
have been recorded, have been recorded;
Occurrence - to obtain audit evidence to ensure that all transactions and events that have been
recorded have occurred and are pertinent to the audited body; and
Existence - that all assets recorded by the audited body actually exist.
Tests of Controls - to test the operating effectiveness of controls in preventing, or detecting and
correcting, material misstatements; and to support the risk assessment; and
Substantive Procedures - are always required to support the judgmental risk assessment and
the inherent risks of internal control failures: they are designed to detect material misstatements
at the assertion level.
10.9 Audit evidence may be obtained by one or more of the following procedures, which may be used
as risk assessment procedures, tests of controls or substantive procedures, dependent on the context in
which they are applied by the auditor.
10.10.1 The auditor should evaluate at an early stage in the audit process which method of obtaining
evidence will be suitably reliable, and balance the reliability of the audit evidence against the cost of
obtaining it. Similarly, the auditor should use professional judgement to evaluate the quantity and
quality of audit evidence and its sufficiency and appropriateness, to support the audit opinion.
aids planning;
provides a record of weaknesses, errors and irregularities detected by the audit;
confirms and supports the auditor's judgements, opinions and reports;
serves as a source of information for preparing reports or answering enquiries from the audited
body or from any other party, and provides a record of work done for future reference;
shows compliance with Auditing Standards and Guidelines, and with the internal procedures of
the BSO;
supports (or provides a defence against) claims, law suits and other legal processes;
helps and provides evidence of the auditor's professional development;
aids review, supervision and quality assurance (see below).
11.3 Effective documentation is particularly important for review, supervision and quality assurance.
The main advantages are that it helps the reviewer to:
11.5 Working papers are the auditor's principal record of the work performed and the conclusions
reached on significant matters and are essential to support an effective audit. They provide evidence of
the auditor's exercise of due care; and help the auditor conduct and supervise the audit. All phases of the
audit, from the basic planning to the preparation of the final draft of the report, should be in the working
papers.
11.6 It is not possible to prescribe exactly what working papers should or should not include. As a
general principle, however, a well-documented set of working papers will be sufficiently complete and
detailed to enable an experienced auditor having no previous connection with the audit to ascertain
from them what work was performed to support the conclusions.
11.7 Working papers must have a series of physical qualities such as clarity, legibility, completeness,
relevance, accuracy, conciseness and neatness, and must be understandable. If computer evidence is used,
there should be adequate identification that completely describes its origin, content and location. They
should be planned and, in many cases, formatted at an early stage in the audit. Prior years' working
papers, if available, might be used as a guide.
11.8 In order to facilitate review, and in particular, to assist the reviewer in finding and evaluating the
audit evidence that supports conclusions, recommendations and reports it is essential that working
papers are cross-referenced backwards and forwards. These cross-references should clearly show the
source and destination. It is to be noted that good cross-referencing requires clear and logical initial
referencing of all working papers.
11.9 Working papers should normally be prepared on the basis that they might be used as evidence in
any legal procedure that could arise. Thus, auditors should sign and date their individual working
documents. It should be clear from the examination of a completed set of working papers, who they
were reviewed by, when, and what was the outcome of the review. Notes of reviewers indicating
agreement, incomplete or unclear items should be retained. These are essential for use by higher level
reviewers. The documentation should include a record of all contact with the audited body on
significant matters (e.g. weaknesses found during tests of control, assurances received from the audited
body's management, etc.).
Copies of any reports produced by Internal Audit, the Court of Audit, the ECA or Commission
and private firms;
Details of proposed future visits to the project contained in the longer term audit plan; and
finally
At the conclusion of the project, details of the winding-up declaration and of the submissions
sent to the Commission.
11.11 In addition to current files, permanent files should also be established and maintained by the
BSO. These contain the overall legislation and planning information that covers all Cohesion Fund
projects. They should routinely include:
length of retention before destruction (this varies according to the status of documents);
transfer of files from audit units to central archives;
standard file contents, indexing and retrieval procedures.
12 AUDIT REPORTING
12.1 The report is the main vehicle for communicating the results of an audit. Reports should be clear
and concise, highlighting the main conclusions of the audit. Audit recommendations should be ranked,
as to their importance to the Cohesion Fund process, and should indicate the action needed to address
weaknesses identified. All reports should contain an executive summary setting out the key findings
and conclusions and should contain key recommendations and their ranking of importance.
12.2 Major errors or system weaknesses should be discussed with relevant staff from the audited body
during the audit, both to confirm the auditor's understanding of the nature of the error or weakness, and
to allow discussion of and agreement on the action needed, and the due date agreed, to correct errors and
improve systems. Subsequently, the auditor should confirm the relevant facts in writing with the audited
body. Audit working papers should include management comments on discussions held. The BSO may
decide to agree a formal Action Plan with the audited body which will detail the:
12.3 Reports should contain sufficient detail on audit findings and conclusions to demonstrate to the
audited body the weaknesses in the systems, and recommendations should state clearly the remedial
action that is necessary. Management responses on recommendations made should be included in the
audit report.
12.4 Following the conclusion of the audit, auditors should aim to produce the audit report within a
maximum of one month after the field visit to ensure that audited bodies can rectify weaknesses at the
earliest possible opportunity.
12.5 The letter accompanying the audit report should request a formal reply by an agreed due date (for
example, two months after the issuance date). The audit reply should, for each recommendation:
agree with the recommendation and give details of how it has been implemented (supported
with relevant documentation);
agree with the recommendation and provide a timetable for implementation; or
provide reasons for not agreeing with the recommendation.
12.6 There should be regular monitoring of outstanding replies; the contents of all replies received will
form the basis for future risk assessments.
Executive summary
o Scope
o Conclusion
o Summary findings
Methodology
Executive Summary
12.8 The executive summary consists of 3 sections:
The conclusion should describe the overall opinion of the auditor on the work audited;
The summary findings of the audit should list the findings of the audit and note their
respective importance.
Methodology
12.9 The audit methodology should be briefly outlined. Information provided should include the
authorities and actions chosen for examination, the reasons for choice, and broad details of the checks
carried out.
12.12 Reports should include specific recommendations for action by the audited body to address
weaknesses found during the audit. These recommendations should be clear and should be supported
by convincing evidence as to the need for action. Ideally, a time limit should be set for taking the
corrective action. The recommendations and replies will form the basis for any follow-up examination
in the future.
12.13 At the end of an audit, for example at the Ministry or at an Implementing Body, the BSO may
agree an Action Plan with the audited body to clearly document the follow-up actions to be taken by the
audited body and to re-emphasise the timescale within which the actions to be taken should be finalised.
A review of the outcome of this work should form part of any future BSO visit to that audited body,
which should be detailed within the longer term audit plan.
Reports to the EC
Annual reports
12.14 In accordance with Article F(4) of Annex II to CR 1164/94, as amended by Article 12 of CR
1386/2002, an annual report is required for each complete year of implementation. The purpose of the
Article 12 report (see Model at Appendix 8) in the context of the Contract of confidence will be to:
Provide a summary report on the audit activity for the previous year (both systems audits and
audits of operations), the main results, and follow up of outstanding issues from earlier years;
Draw a conclusion with regard to the assurance obtained for the expenditure for the year
concerned.
The report should be drawn up under the authority of the Article 13 body who should sign (or
countersign) the report.
The systems audit reports should in addition be sent to the Commission as soon as they are
finalised, with a summary of findings and recommendations which can be introduced into
SYSAUDIT.
Evaluation of Errors
12.18 The BSO will need to record the results of the errors found during each project examination and
consolidate those results into an annual evaluation of errors and their consequences. That annual
evaluation should include details of:
The total value of errors identified and what proportion of the total annual receipts/payments
they represent;
What actions have been taken to correct errors that were identified and/or to effect the recovery
of ineligible payments;
The extent to which errors found were deemed to be systemic, i.e. could apply to expenditure
not actually covered by substantive testing (either within the project examined or to other
projects);
In the event of systemic errors having been identified, what further work the BSO has carried
out to assess the likely effect across all Cohesion Fund projects;
What lessons have been learned from the nature of the errors found in terms of perceived
weaknesses in the control environment;
Based on those identified weaknesses, what recommendations the BSO has made to improve
the control environment; and
How they plan to ensure that those recommendations are implemented by the management
authority.
Follow-Up Audits
12.19 As part of the overall planning strategy the BSO should consider the merits of carrying out
follow-up audits to some or all of the audited bodies that are involved with the Cohesion Fund processes.
Given the Management Framework that operates in Slovenia, the likelihood is that the BSO will
routinely visit the GOSP, the NF, the Ministries of Transport and Environment. Hence the concept of
follow-up audits is most likely to occur at the Implementing Bodies - the Municipalities (for
Environment) or the Transport Sectors.
12.20 When the BSO plans to carry out follow-up visits, the audit examination should concentrate on
ensuring that management have implemented the recommendations for the improvement of control and
for guarding against risk that were agreed with them during the previous audit. The follow up should ensure that
controls have been introduced in the appropriate manner and that they are working effectively. In the
event of management failing to effectively implement such recommendations, the BSO should consider
reporting such failures to the appropriate internal authorities.
Amounts recoverable
12.21 Article 7 of Regulation 1386/02 requires the Paying Authority to keep a record of all amounts
recoverable from payments of Community assistance already made. The same Article also requires the
Paying Authority to send to the Commission once a year, in annex to the fourth quarterly report on
recoveries supplied under Regulation (EC) 1831/94, a statement of the amounts awaiting recovery at
that date, classified by the year of initiation of the recovery proceedings.
Accounting information
12.22 Article 16 of Regulation 1386/02 requires Member States to forward, on written request from the
Commission, the accounting records referred to in Annex IV of the Regulation on projects. Such
information should, as far as possible, be held in computerised form. Such records shall be made
available to the Commission at its specific request for the purpose of carrying out documentary and on
the spot checks. This information should be delivered to the Commission within 10 working days of
receipt of the written request, although a different period may be agreed, particularly where the records
are not available in computerised form.
SYSAUDIT
12.23 DG Regional Policy is in the process of developing and introducing a new Audit Management
System, SYSAUDIT. The objectives of this system are to offer a standard tool for the various
Commission services auditing the Cohesion Fund and the Structural Funds, to provide a common data
base for audits planned and executed by these services, to facilitate the standardisation and coordination of audit work and give easy access to information for the geographical units. It is intended,
after sufficient testing of the system has been carried out, to give access to the system to approved
administrations in the Member States.
12.24 The application consists of nine modules which include:
Follow-up of findings
12.25 SYSAUDIT will facilitate the follow up of audit report findings and recommendations and will
trace the status of each finding until it has been closed. For open items, the SYSAUDIT system will
remind the auditor, at the agreed date, to issue a letter to the auditee, reminding it that follow up action
needs to be taken. In addition at audit planning stage, the system can be reviewed and projects with no
or very slow action on recommendations identified as possible high risk areas. Once a report is finalised
and satisfactory actions have taken place on all open items, the report can be closed. The SYSAUDIT
system will need to be updated to inform all concerned that the report is closed.
Systems description update
12.26 Article 12 of Commission Regulation 1386/02 also states that Member States shall provide to
the Commission, by 30 June each year, any necessary amplification or updating of the description of
their management and control systems communicated under Article 5(1) of the same regulation. Article
5(1) of Regulation 1386/02 required the initial description of the management and control systems to be
forwarded to the Commission by 7 November 2002. A model report pursuant to Article 12 of
Commission Regulation 1386/02 is contained at Appendix 8.
there will always be a risk of internal controls failing to operate as designed. Any system of
internal control may be ineffective against fraud involving collusion amongst employees or by
management. This is because certain levels of management may be in a position to override
controls that would prevent similar frauds by other employees; for example, by directing
subordinates to record transactions incorrectly or to conceal them. The auditor may therefore
review the adequacy of the preventative mechanisms established by audited bodies, for example:
segregation of duties;
systematic rotation of staff in post;
internal oversight and inspections;
effective human resources policies, to monitor admission of new staff into the public service and to
ensure that they properly understand the requirement for honesty and integrity;
establish a code of conduct designed to promote ethical behaviour amongst staff and provide
guidance on such matters as:
relations with third parties;
acceptance of employment/appointments outside the public service;
declaring conflicts of interest (e.g. where a staff member has interests outside public service which
may conflict with their official duties);
monitor implementation of the human resources policies, including regular review of the code of
conduct; and
appropriate procedures for reporting, investigating and acting upon possible irregularities and/or
suspected fraud, including, where necessary, appropriate disciplinary measures.
13.10 When carrying out interviews as a means of gathering evidence to substantiate fraud, the auditor
needs to observe the rules of evidence appropriate to the jurisdiction in which he is operating. This is to
ensure that the evidence gathered from such work can be used in any judicial proceedings which the
authorities decide to pursue. Before proceeding with any additional audit procedures, the auditor should
consider whether to seek guidance or assistance from experts in fraud investigation, such as the prosecuting
authorities.
13.15 In the first instance, where the auditor discovers what may be an irregularity, he/she should
document the findings and discuss them with the audited body's management. If management does not
provide satisfactory information that the transactions concerned are, in fact, regular, the auditor may consult
with management's legal adviser about the application of the relevant laws and regulations to the particular
circumstances and the possible effects on the financial information.
13.16 If the auditor believes that the irregularity could have a material effect on the financial information,
he/she should consider the effect of the irregularity on the opinion and as appropriate, perform additional
audit procedures as he/she considers necessary.
it may raise doubts about other audit evidence supplied by the audited body, including compliance
reports and management representations;
where internal controls have failed to detect irregularities, this may indicate significant.
the results of the initial risk assessment, tests of control or substantive testing indicate a possibility
that fraud exists;
the results of the additional audit procedures point to suspected fraud; and
management of the audited body fail to take the appropriate action to investigate or report the
suspected fraud.
the audited body's management have taken the necessary action to investigate the
suspected fraud or irregularity (for example by asking Internal Audit to carry out further work,
as appropriate);
management have notified, and sought advice from, the appropriate authorities (for
example, the Police);
management have reported the proven fraud, suspected fraud, or other irregularity in
accordance with any statutory requirements.
Arrangements in Slovenia
13.23 There are already systems in place within Slovenia for the handling of "irregularities". In
general the same procedures apply to both EU and National Funds, with the additional factor of
agreements entered into between the Republic of Slovenia and the European Union. The guidance
currently in place is part of the Public Internal Financial Control (PIFC) initiative and applies equally to
internal and external auditors.
13.24 In Slovenia the following organisations will be directly involved in the control systems for the
treatment of irregularities in relation to Cohesion Fund:
not be available, generalist auditors should nevertheless always evaluate certain non-technical general
controls: see below.
The areas covered by general controls audits are set out below. The first four are general management
issues which should be addressed by generalist auditors even when the technical aspects are not being
examined.
General management issues
Specialist technical issues
logical and physical access controls: detailed execution
operations: all jobs submitted to the computer are properly authorized and are completely,
accurately and promptly processed
systems software (including specific access restrictions)
programs maintenance and development procedures
data/database management
data communication
(local) networks
ANNEX 1 gives guidance for generalist auditors on the first four subjects above.
Application audit
An application audit evaluates the internal controls specific to the input, processing, data files and output of
a defined function. All auditors carrying out systems based audits of administrative functions where
information technology is used need to address this aspect of IS audit.
Applications audits are not necessarily highly technical. Generalist auditors will need to call on IS
specialists where the application controls are exceptionally complex or technical, and there are no
satisfactory compensating controls in the user area. But many applications are designed so that they give
definite assurance to user managers that data and processing are in order without requiring them to be IS
experts. In such cases, checks and procedures (including manual procedures) routinely carried out by user
staff may give satisfactory assurance that data and output are reliable. In many audit situations this level of
assurance will also be adequate for the auditors.
The aspects which must always be addressed can be summarized in a generally applicable form as follows:
Organisation and Documentation
Management responsibility for every aspect of maintaining and running applications should be properly
allocated.
The costs of running applications should be identified and kept under review.
All necessary documentation should exist considering the type of application concerned and the
organisation's needs.
Input
Only authorized items, and all authorized items, should be input.
Data input to applications should be accurate and complete. (Input comprises both transaction and
permanent/reference data.)
Processing
Processing of transactions should be complete and arithmetically accurate, and the results (including
generated data) should be correctly classified and recorded properly in the computer files.
Other processing activities should be carried out on time and give correct results.
Data transmission
Data should be transmitted accurately and completely.
Standing data
The continued correctness of stored data should be ensured.
Output
Output released, whether on paper, via screens, on magnetic media, or through electronic links, should be
correct and complete.
Output should reach all those, and only those, for whom it is intended.
ANNEX 2 presents these headings together with illustrations of control techniques or procedures which
might be found. It is important that each phase should include appropriate error handling procedures, and
references to these are made in Annex 2.
In deciding which controls he needs to rely on, the auditor should bear in mind that tests of control will
need to establish, among other things, that the control operated correctly throughout the period subject to
audit. It will usually favour good use of audit resources if, where he has a choice, the auditor seeks by
preference to rely on controls in the user area which can be tested readily, provided that these give
sufficient assurance about the control objective concerned. The use of CAATs may help to increase
assurance. If there has to be reliance on the more technical controls, it will often make a general controls
audit necessary. For example, to be certain that validation checks made by a program always operated, the
auditor would need to obtain definite evidence that controls over program changes were effective
throughout the period, a question which would involve a full general controls audit.
Computer assisted audit techniques (CAATs)
The term CAATs refers to the use of retrieval software (e.g. the product IDEA) which auditors may use to
test controls or (much more commonly) to sort, compare or extract data for further testing. It is essential
when using CAATs to ensure that the data being used by the auditor is in fact complete and correct.
Specialist help may be needed with CAATs. Whilst some CAATs products on the market can be used
relatively easily by generalist auditors, where the task is complex, or where the data are not available to a
package in the form it requires, more advanced programming skills are needed. In such cases CAATs can
be an expensive use of audit resources; the decision on whether they are needed, and the design of the
procedures, should depend closely on the objectives of the audit.
Examples of CAATs tests and procedures are:
identifying erroneous values;
identifying exceptional values;
testing the posting or summarizing of transactions;
reperforming computerized processing (e.g. foreign currency conversions);
comparing data on separate files;
producing aged analysis of accounts;
stratification.
CAATs are the means to an end, not an end in themselves. The use of CAATs needs to be planned and
they should only be used where they produce added value or where manual procedures are not possible or
less efficient. The functions to be carried out should be documented in advance and the actual use made of
CAATs should be recorded. Normal rules of audit evidence must be applied. The CAATs documentation
should include details of all settings, queries etc. that were used to produce the results. In all cases, it is
important to be able to show that the CAATs program operated on the complete and correct set of
underlying records.
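The CAATs procedures listed above, together with the completeness check and the recording of settings and queries that the preceding paragraph requires, are illustrated by the following Python script. It is an added example written for this section, not code from the manual or from any CAATs product such as IDEA. The ledger records, the paying authority's control totals and the second "claims" file are constructed sample data, and the field names, tolerances and thresholds are this example's own assumptions.

```python
"""Added example (not from the manual): CAAT-style tests over a constructed payments ledger."""
import hashlib
import json
from collections import Counter
from datetime import date

# Constructed sample data. Each record is a payment certified under a hypothetical project:
# amount in the original currency, the exchange rate used, and the EUR value booked.
LEDGER = [
    {"id": "P001", "invoice": "INV-10", "amount": 1200.00,  "rate": 1.0,   "eur": 1200.00, "due": "2004-01-31", "paid": "2004-02-10"},
    {"id": "P002", "invoice": "INV-11", "amount": 478800.0, "rate": 239.4, "eur": 2000.00, "due": "2004-02-28", "paid": "2004-03-02"},
    {"id": "P003", "invoice": "INV-12", "amount": 239400.0, "rate": 239.4, "eur": 1100.00, "due": "2004-03-10", "paid": "2004-03-15"},  # booked EUR is wrong
    {"id": "P004", "invoice": "INV-11", "amount": 2000.00,  "rate": 1.0,   "eur": 2000.00, "due": "2003-10-01", "paid": "2004-04-01"},  # duplicate invoice
    {"id": "P005", "invoice": "INV-13", "amount": -50.00,   "rate": 1.0,   "eur": -50.00,  "due": "2004-04-15", "paid": "2004-04-20"},  # negative amount
    {"id": "P006", "invoice": "INV-14", "amount": 95000.0,  "rate": 1.0,   "eur": 95000.0, "due": "2004-05-01", "paid": "2004-05-05"},  # exceptional value
]
# Control totals the (hypothetical) paying authority reported for the same period.
REPORTED_COUNT, REPORTED_EUR_TOTAL = 6, 101250.00
# A second, separately obtained file: invoice numbers the implementing body says it paid.
CLAIMS = {"INV-10", "INV-11", "INV-12", "INV-13", "INV-15"}


def dataset_fingerprint(records):
    """SHA-256 of the canonical records, so the working papers tie each result to the exact data used."""
    canon = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def check_completeness(records, count, eur_total):
    """Reconcile record count and EUR control total to the auditee's figures before any test is run."""
    actual_total = round(sum(r["eur"] for r in records), 2)
    return {"count_ok": len(records) == count, "total_ok": actual_total == eur_total, "actual_total": actual_total}


def erroneous_values(records):
    """Records failing simple validity rules: non-positive amounts or a duplicated invoice number."""
    dup = {inv for inv, n in Counter(r["invoice"] for r in records).items() if n > 1}
    return sorted(r["id"] for r in records if r["amount"] <= 0 or r["invoice"] in dup)


def exceptional_values(records, limit):
    """Records whose EUR value exceeds the limit set in the audit programme."""
    return sorted(r["id"] for r in records if r["eur"] > limit)


def reperform_fx(records, tolerance=0.01):
    """Recompute the EUR value from amount and rate; flag differences beyond the rounding tolerance."""
    bad = []
    for r in records:
        expected = round(r["amount"] / r["rate"], 2)
        if abs(expected - r["eur"]) > tolerance:
            bad.append((r["id"], r["eur"], expected))
    return bad


def compare_files(records, claims):
    """Invoices present in one file but not the other; both directions are reported."""
    in_ledger = {r["invoice"] for r in records}
    return {"ledger_only": sorted(in_ledger - claims), "claims_only": sorted(claims - in_ledger)}


def aged_analysis(records):
    """Days between due date and payment, bucketed as an aged analysis."""
    buckets = Counter()
    for r in records:
        days = (date.fromisoformat(r["paid"]) - date.fromisoformat(r["due"])).days
        band = "on time" if days <= 0 else "1-30" if days <= 30 else "31-90" if days <= 90 else "over 90"
        buckets[band] += 1
    return dict(buckets)


def stratify(records, bounds=(1000, 5000, 50000)):
    """Count and value of records per amount stratum, as input to sample design."""
    strata = {}
    for r in records:
        label = next((f"<{b}" for b in bounds if r["eur"] < b), f">={bounds[-1]}")
        n, value = strata.get(label, (0, 0.0))
        strata[label] = (n + 1, round(value + r["eur"], 2))
    return strata


class CaatLog:
    """Record of every test, its parameters and its result, to be filed with the working papers."""

    def __init__(self, records):
        self.records = records
        self.fingerprint = dataset_fingerprint(records)
        self.entries = []

    def run(self, name, fn, **params):
        result = fn(self.records, **params)
        self.entries.append({"test": name, "params": params, "result": result})
        return result


def run_all(records=LEDGER):
    """Run the full CAAT programme; refuse to test data that does not reconcile to the control totals."""
    log = CaatLog(records)
    comp = log.run("completeness", check_completeness, count=REPORTED_COUNT, eur_total=REPORTED_EUR_TOTAL)
    if not (comp["count_ok"] and comp["total_ok"]):
        raise ValueError("data set does not reconcile to the reported control totals; stop before testing")
    log.run("erroneous_values", erroneous_values)
    log.run("exceptional_values", exceptional_values, limit=50000)
    log.run("fx_reperformance", reperform_fx)
    log.run("file_comparison", compare_files, claims=CLAIMS)
    log.run("aged_analysis", aged_analysis)
    log.run("stratification", stratify)
    return log


if __name__ == "__main__":
    log = run_all()
    print("data set sha256:", log.fingerprint)
    for entry in log.entries:
        print(entry["test"], entry["params"], "->", entry["result"])
```

The script stops before any substantive test if the record count and EUR total do not reconcile to the figures the audited body reported, and the log it produces (data-set hash, test name, parameters, result) is the record the working papers need in order to show which data and which settings produced each result.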
In order to foster (c), auditors should always take the opportunity of reminding management of the need to
ensure that adequate management/audit trails are specified in new applications, and should invite
consultation at the planning stage for important new financial systems. ANNEX 3 presents a note of
generally applicable application control requirements, which may be useful in discussions with user
management of developing systems.
The general standards can be checked by an examination of the systems development methodology applied
by the IS division of the audited body, and a dialogue with the IS standards branch and the internal auditors
to ensure that it is executed properly.
Planning and staffing information systems audits
the extent to which the function concerned uses computer processing or data held on computers;
the extent to which the correctness of processing and data is proved, to the degree necessary for the
function, by controls in the user area, including user management procedures;
the complexity of the computer processing, specifically the extent to which the function uses data
generated by computer programs (as opposed to data which are simply recorded, sorted or
analysed by the application);
the size of the installation: for example, it may be intrinsically impossible to have good general
controls because there are not enough staff to provide sufficient separation of duties. This will be
the case, for example, if a full separation of duties cannot be made between programmers,
operators and access administration;
the sensitivity of the data and data protection obligations;
any special difficulties in the management/audit trail. In older or poorly designed systems there
may be problems, for example in tracing the underlying details for data which are accounted for in
aggregate, or in getting assurance that totals include all relevant transactions. These will increase
the need for the auditor to use CAATs simply to establish that data are correct.
GLOSSARY
Application
A set of programs, data and clerical procedures which together form an information system designed to
handle a specific administrative or business function (e.g. accounting, payment of grants, recording of
inventory). Most applications can usefully be viewed as processes with input, processing, stored data, and
output.
Backup
Relating to the recovery of data and programs, and the provision of alternative operational capabilities, in
the event of damage or loss.
Backup copy
Duplicate of data or software maintained up to date and available for use in case of damage to or loss of the
original.
CAATs (Computer assisted audit techniques)
Computer programs for carrying out audit tests, retrieving, sorting or selecting data, or obtaining evidence
on the correctness of processing.
Contingency planning (also called Business continuity planning, Disaster planning)
Plans and procedures to ensure that information systems (hardware, software, data and
telecommunications) can be restored to availability at the level and in the time required after a disaster
whereby the equipment and/or site become unusable.
Developing system
An application which is at any stage of preparation and not yet in live running (production). The
preparation stages may include: proposal, feasibility study, user specification, design, prototyping,
programming, program and system testing, user testing, conversion, pilot running.
Information systems (IS)
Systems which record, distribute or process information, generally with the use of information technology.
Information technology (IT)
Machinery, including computers, used for data handling and processing.
Logical access control
The use of software to prevent unauthorized access to IT resources (including files, data, and programs)
and the associated administrative procedures.
Owner
The individual (or unit) responsible for particular (IS or IT) assets, including their security and correctness.
Program
The complete set of instructions necessary to solve a particular problem or carry out a particular (set of)
procedure(s) on a computer.
Software
Computer instructions generally.
System software
A collection of programs used to control and manage the operation of a computer and the allocation and
use of computer resources. (System software includes programs which can modify data or other programs
without following the normal processes established in the application concerned; therefore access to system
software should be very restricted and staff who have this access should be separate from the programming
staff and preferably also from the operations and access management functions.)
Third party statements (TPS)
Statements given by specialist IS auditors working for an organisation other than the SAI. TPS usually
cover the general controls regarding computer centres and/or applications. See paragraph 3.6.
User
Individual or unit that makes use of information systems. Specifically, in business and administration, a
department which uses information systems to carry out the functions for which it is responsible in the
organisation.
ANNEX 1:
GENERAL (INSTALLATION) CONTROLS
GENERAL MANAGEMENT ISSUES
CONTROL OBJECTIVES AND EXAMPLES OF CONTROL TECHNIQUES
CONTROL OBJECTIVES
Possible procedures or controls
Note: These are, in each case, a range of possibilities given for illustration; they do not all
have to be present to meet the control objective, and the objective may be met by other
means. The auditor needs to make a judgment on the overall effectiveness of the mix of
controls actually present, bearing in mind the size, complexity and importance of the system
concerned.
GA. ORGANISATION AND MANAGEMENT
GA1. Planning, staffing, reporting and segregation of duties
To ensure that the IT department is correctly placed in the audited body (organization) and is
adequately staffed, and that incompatible duties are separated.
1. The head of IT is of an appropriate rank in view of the importance of IT for the organisation and the
position of the IT department within the overall organisation is consistent with the responsibilities and
objectives assigned to it.
2. IT strategic plans are made and reviewed annually, and they receive senior management (direction or
board) attention and approval.
3. IT personnel and user staff are separate: IT staff cannot initiate or approve transactions and user staff
cannot write programs which would change data.
4. An IT organisation chart is published and kept up to date.
5. An IT personnel policy exists which will ensure recruitment, training and retention of staff with the
necessary types of expertise and which provides for succession planning.
6. Adequate supervisory and approval levels exist in each functional area within the IT department.
7. Formal job descriptions exist in the IT department and are kept up to date.
8. Operations and programming staff are separate: operators may not write programs and programmers
may not operate the computer.
9. If the IT department is large enough, staff who have access to system software should be separate from
both programmers and operators.
10. Logical security (access rights and passwords) is administered by staff who are not responsible for
programming.
11. Regular liaison is maintained with user departments.
12. There is a change management policy which governs the development and enhancement of applications
and ensures that new programs are fully tested and are accepted by the user.
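The separation required by GA1 items 3, 8, 9 and 10 is only as good as the access rights actually granted, and nested group membership can hide a conflict that is invisible from the direct assignments. The following Python script is an added example of how an auditor might test those items against an extract of the access-administration register; it is not code from the manual or from any BSO tool. The group names, user names and role labels are constructed, and the rule table is this example's own reading of the GA1 items, to be mapped onto the audited body's real groups before use.

```python
"""Added example (not from the manual): segregation-of-duties test over a constructed access extract."""

# Incompatible role pairs, each tagged with the GA1 item it is drawn from. Role labels are this
# example's own assumption; map them onto the audited body's actual groups before relying on them.
RULES = [
    ("GA1.3",  "programmer",     "initiate_transaction"),
    ("GA1.3",  "programmer",     "approve_transaction"),
    ("GA1.3",  "operator",       "initiate_transaction"),
    ("GA1.3",  "operator",       "approve_transaction"),
    ("GA1.8",  "programmer",     "operator"),
    ("GA1.9",  "sysprog",        "programmer"),
    ("GA1.9",  "sysprog",        "operator"),
    ("GA1.10", "security_admin", "programmer"),
]

# Constructed extract from a hypothetical access-administration register. Groups grant roles and
# may include other groups, so a user's effective roles are not visible from direct membership alone.
GROUPS = {
    "DEV":       {"roles": {"programmer"},           "includes": set()},
    "OPS":       {"roles": {"operator"},             "includes": set()},
    "SYSPROG":   {"roles": {"sysprog"},              "includes": set()},
    "SEC":       {"roles": {"security_admin"},       "includes": set()},
    "FIN_CLERK": {"roles": {"initiate_transaction"}, "includes": set()},
    "FIN_MGR":   {"roles": {"approve_transaction"},  "includes": set()},
    "DEV_LEADS": {"roles": set(),                    "includes": {"DEV", "SEC"}},
}
USERS = {
    "ana":    {"DEV"},
    "boris":  {"OPS"},
    "cvetka": {"DEV", "OPS"},      # writes programs and operates the computer: GA1.8
    "dusan":  {"DEV_LEADS"},       # inherits programmer + security_admin through nesting: GA1.10
    "eva":    {"FIN_CLERK"},
    "franc":  {"SYSPROG"},
    "gal":    {"OPS", "FIN_MGR"},  # IT staff able to approve transactions: GA1.3
}


def effective_roles(user, users=USERS, groups=GROUPS):
    """Resolve nested group membership to the set of roles the user actually holds."""
    roles, seen, stack = set(), set(), list(users[user])
    while stack:
        group = stack.pop()
        if group in seen:  # guards against cycles in the group graph
            continue
        seen.add(group)
        roles |= groups[group]["roles"]
        stack.extend(groups[group]["includes"])
    return roles


def sod_conflicts(users=USERS, groups=GROUPS, rules=RULES, accepted=frozenset()):
    """Return (findings, exceptions). 'accepted' holds (user, rule_id) pairs for which management has
    recorded a compensating control, as may be unavoidable in a small installation; those are reported
    separately so the auditor tests the compensating control rather than repeating the finding."""
    findings, exceptions = [], []
    for user in sorted(users):
        roles = effective_roles(user, users, groups)
        for rule_id, role_a, role_b in rules:
            if role_a in roles and role_b in roles:
                item = (user, rule_id, role_a, role_b)
                (exceptions if (user, rule_id) in accepted else findings).append(item)
    return findings, exceptions


def report(findings, exceptions):
    """Plain-text lines suitable for the working papers."""
    lines = [f"CONFLICT {u}: {a} + {b} breaches {r}" for u, r, a, b in findings]
    lines += [f"EXCEPTION {u}: {a} + {b} ({r}) accepted with compensating control" for u, r, a, b in exceptions]
    return lines or ["no segregation-of-duties conflicts found"]


if __name__ == "__main__":
    # Hypothetical documented exception: a two-person unit where the manager reviews every program change.
    accepted = {("cvetka", "GA1.8")}
    print("\n".join(report(*sod_conflicts(accepted=accepted))))
```

The findings list is the evidence for the GA1 test; the exceptions list is the cue, in a small installation of the kind the planning section describes, to audit the compensating control instead of simply reporting the missing separation.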
GB. SECURITY POLICY
GB1. Security awareness and policy
To define and communicate information security policies and procedures and to ensure that
management, users and IS personnel are aware of security matters and follow security procedures
consistently.
1. A policy for access, both logical and physical, to computer resources exists, is communicated and is
adhered to by management and employees.
2. A physical security policy covering:
access restrictions to buildings, computer rooms, IT storage areas,
fire and other disasters,
contingency planning
exists, is communicated and is adhered to by management and employees.
3. All staff who use PCs are required to sign a statement of the security and other practices they must
follow, including physical security rules, use only of authorized (and licensed) software, and antivirus
measures (restrictions on importing dangerous data and programs).
4. Access to IT resources is controlled by individual user IDs and confidential passwords.
5. User IDs and passwords are set up by specific staff and only on the written authority of the manager of
the person who needs access.
6. A policy on access by staff to outside resources including the Internet is defined and announced.
7. A security officer with appropriate technical expertise is nominated and is involved in the approval of
access control schemes implemented.
8. Security procedures are periodically tested.
9. The security officer makes formal reports periodically on the state of security procedures and these
reports are followed up by management.
10. Management has formal reviews of IS security carried out from time to time by specialists (either
external consultants or internal audit).
11. If the network is open to access from outside (e.g. Internet), a firewall has been set up.
12. The firewall's effectiveness has been reviewed by a specialist consultant.
GC. CONTINUITY AND DISASTER RECOVERY
GC1. Backup, off-site storage, recovery and disaster plan
To provide security against loss/damage of data and to ensure continuity of operations.
1. A detailed policy and procedure covering backup of data and programs has been established.
2. File backup routines are scheduled as part of the normal daily activities (especially important for
distributed systems with remote input etc).
3. Backup copies of key master files are made on an appropriate schedule and stored off site.
4. Backup copies of key application programs and documentation are made and stored off site.
5. Backup copies of operating system programs are made and stored off site.
6. Off site application and operating system programs are updated or replaced whenever significant
changes are made to the programs. Access to the off site master files, application programs and operating
system programs is restricted to authorized personnel.
7. Recovery and restart procedures, including rapid restoration of corrupted or lost files, exist and are tested
on a recurring basis.
8. A disaster (business continuity) plan exists which enables ongoing operations, at the level required by
users, in the event of the IT department's inability to maintain the normal service.
9. The disaster plan is regularly tested (for example, annually). Formal reports on the tests exist and
necessary action is taken by management.
10. Copies of the disaster plan are stored in a remote location.
GD. MANAGEMENT OF IT ASSETS AND USE OF EXTERNAL SERVICE PROVIDERS
GD1. Responsibilities for the organisation's IT assets
To ensure that responsibility for management of IT assets is assigned.
1. Organisational ownership of every IT asset (hardware, software, applications and data) is defined.
2. Personnel and machine activity are accounted for.
3. Users are the owners of their data and applications.
4. Inventories of hardware exist and are regularly checked.
5. A reliable inventory of software (including software on PCs) exists and is regularly checked.
6. Responsibility for ensuring compliance with the terms of software licences is allocated and measures are
carried out.
7. A clear policy exists on the management of and responsibility for end-user computing, covering among other things:
- security (see GB1.3);
- backup requirements;
- the extent to which programs may be developed by end users;
- the documentation and other standard requirements for such local programs and for spreadsheets which are part of business functions.
8. The status and ownership of e-mail messages has been defined and announced to staff.
GD2. Use of external service providers (e.g. outsourcing of specific services, use of external computer bureaux)
To ensure that the use of external service providers is managed effectively.
1. Access by the auditors is provided for.
2. The contract or service level agreement specifies requirements including, as appropriate:
- performance;
- security;
- data ownership and access to data;
- service availability;
- contingency arrangements (e.g. if service provider ceases operations).
3. Management actively monitors performance against the requirements specified.
ANNEX 2
APPLICATION AUDITS
CONTROL OBJECTIVES AND EXAMPLES OF CONTROL TECHNIQUES
CONTROL OBJECTIVES
Possible procedures or controls
Note: These are, in each case, a range of possibilities given for illustration; they do not all have to be present to meet the control objective, and the objective may be met by other means. The auditor needs to make a judgment on the overall effectiveness of the mix of controls actually present, bearing in mind the size, complexity and importance of the system concerned.
AA. ORGANISATION AND DOCUMENTATION
AA1. Responsibility for applications
To ensure that management responsibility for every aspect of maintaining and running applications is properly allocated.
1. The user (or a principal user) is defined as owner of the application.
2. Maintenance of the application and decisions on its future development are formally managed, preferably by the owner.
3. The application's performance and its contribution to the operational function of which it forms a part are actively managed, preferably by the owner.
4. Ownership of the data used by the application is specified.
5. The duties of the computer centre, and of any third parties (e.g. software houses) for operating and supporting the application are covered by service level agreements (contractually in the case of third parties).
6. All the departments responsible for input or for handling output are known and their responsibilities (for timing, quality, security etc) are formally agreed.
7. The division of responsibility for the accuracy and continued integrity of stored data is clear (ultimate responsibility should normally lie with the user).
8. Responsibility for deciding, and for executing, the security and control requirements of the application is assigned, taking account of the organisation's general security policy and of the IT department's standard security measures.
9. Responsibility for providing and for maintaining documentation, including user manuals, is defined.
AA2. Cost allocation
To ensure that the costs of running applications are identified and that they are kept under review.
1. Computer running costs are logged and the application's share identified.
2. IT department overheads and staff costs are identified and allocated to the applications.
3. Running costs are reported to the owner of the application and to those responsible for resource management, and reviewed in accordance with the organisation's policy.
4. Costs of maintenance and enhancement of the application are identified and reported.
5. Estimates are made for development and maintenance tasks, are approved by the owner or resource manager, and are used to control the work.
AA3. Documentation
To ensure that all necessary documentation exists in the light of the types of application concerned and the organisation's needs. (Documentation may be kept on media other than paper provided that availability and reliable storage are assured.)
1. A SYSTEMS SPECIFICATION describes the data and processing of the application in terms which allow it to be an effective medium of communication between the users and the IT providers.
2. The systems specification is kept up to date.
3. It meets the organisation's documentation standards and systems development methodology.
4. It includes (or a separate document sets out) the user's control needs and any other special requirements for the application.
5. Structured PROGRAM DOCUMENTATION including comprehensible source listings is available and is kept up to date.
6. The organisation's rights to obtain documentation and source listings developed by outside contractors are guaranteed even if the supplier becomes bankrupt (for example by depositing them in escrow).
7. OPERATORS' INSTRUCTIONS are up to date and cover any special action required e.g. response to error messages, abnormal termination, etc.
8. USER MANUALS fully describe responsibilities and procedures and are systematically kept up to date.
AB. INPUT
AB1. Authorization
To ensure that only authorized items, and all authorized items, are input.
1. Access controls ensure that only those authorized have access to input processes.
2. Input is from authorized documents, which are checked for the authority (usually a signature) by the person doing the input, or in a preliminary clerical checking stage.
3. Documents used for input are serially numbered and there is a check for validity and for completeness of sequence either by the computer or clerically.
4. Input other than transcription of authorized documents receives authorization in accordance with its significance before being processed. (This may be on a statistical basis where appropriate.) Methods include:
- holding input in a special computer file until released interactively by a supervisor;
- flagging recent input for supervisory check;
- post-input authorization of printouts before further processing.
5. Transmission of authorized and checked documents is controlled by batching.
6. Confirmatory prints of input are sent to authorizing officers, who sign for approval.
7. Changes to permanent data are properly authorized.
8. Programmed checks prevent validation and processing of input which logically cannot have been authorized, e.g. payments in excess of available budget.
AB2. Completeness and accuracy
To ensure that data input to applications is accurate and complete. (Input comprises both transaction and permanent/reference data.)
1. Batch controls including (hash) totalling of all sensitive fields are used, and a positive check is made that required totals match.
2. Validation checks are carried out by program to ensure that the data entered:
- have the format expected for each field;
- are within appropriate ranges (e.g. not negative where logically impossible; do not exceed predetermined reasonable amounts; are within the known sequence of items of their kind (cheque numbers, etc)).
3. Double keying is used for sensitive data.
4. For on-line entry, input reports are produced showing aggregated totals, which are checked or matched with totals established separately for the session.
5. Check digits are used with reference numbers and validation actually checks them.
6. Validation includes tests of self-consistency of the data input (e.g. debits = credits, reference numbers match related descriptive material).
7. Logical checks are made with accessible existing records e.g. account balances.
8. Permanent data (and other key data) are printed out and positively approved by the responsible user before being used in processing.
9. Error handling: clerical or computer suspense files of input rejected by the system during validation or processing are maintained, and procedures ensure that suspense data is promptly corrected and re-input (without bypassing normal authorization and other input checks), or cancelled.
AC. PROCESSING
AC1. Transaction processing
To ensure that processing of transactions is complete and arithmetically accurate, and that the results (including generated data) are correctly classified and recorded properly in the computer files.
1. Batch or session control totals are matched to the aggregate change in appropriate control records in computer files. (It is important that the structure of batch types and control records should be such that significant misclassification would be detected by this control.)
2. Where the program generates data (i.e. carries out arithmetical operations such as currency conversion, or looks up and writes data which has a logical but not arithmetical connexion with the input, for example pay), the user makes checks either against a separately made forecast of the aggregate amount or of a sample of transactions.
3. Output includes control prints or screens on which responsible users must positively check and accept key control totals.
4. Validation controls within the programs include:
(1) ensuring that (batch) totals established before the processing remain completely accounted for at each stage;
(2) consistency checks where input handled recapitulates information already held (e.g. when account number and name are both given);
(3) range checks on amounts generated (calculated, looked up) by program.
5. Control counts and totals are maintained on each of the data files accessed by the application.
6. Control counts and totals are maintained for each transaction type.
7. "Success units" are used to ensure that complex transactions are entirely posted to all appropriate files, or else backed out completely.
8. Separate control files held on a different device are used to check that appropriate file versions have been loaded.
9. Manual control totals are maintained and reconciled on a timely basis to the totals produced by the system.
10. Error handling: clerical or computer suspense files of input rejected by the system during validation or processing are maintained, and procedures ensure that suspense data is promptly corrected and re-input (without bypassing normal authorization and other input checks), or cancelled.
AC2. Other processing
To ensure that other processing activities (including data reorganisation such as year-end/month-end procedures, routine data integrity checks, production of reports and analyses
not directly related to input, supply of data to other applications, and enquiry facilities) are carried out on time and give correct results.
1. The timetable for regular processing of this type is controlled by the user, and runs are initiated on his instructions.
2. User procedures lay down responsibility for the checks to be made on the results of such processing (e.g. checking that amounts reported as processed match those expected, that new aggregate figures in control records reflect the adjustments forecast, that management information reports indicate by control totals that they include the whole body of the data intended).
3. Where data belonging to the application are available to an enquiry facility, the appropriate degree of check is built into the processing which produces responses (e.g., where this is important, proving that all relevant records have been read, by aggregating and showing the total for the records within the same control account which were not selected).
4. Users of enquiry facilities and owners of other applications using the data are aware of the level of reliability of the data as such and of the programmed procedure through which they obtain them.
AD. DATA TRANSMISSION
AD1. Data should be transmitted accurately and completely
To ensure that all data transmitted, whether through a network or by disks or tapes, is received in a complete and accurate state, and that there is no loss or disclosure of data in transit (see also section AF1).
1. Use of check digits, and hash and other control totals.
2. Use of digital signatures.
3. Use of data encryption.
4. Use of passwords.
5. Sequential message numbering, sequencing of transactions.
6. Reports confirming receipt are sent and are reconciled promptly to records of data transmitted.
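The AD1 techniques work best in combination: a control total shows that a message is internally complete, a sequence number shows that no message was lost or replayed, an integrity tag shows that nothing changed in transit, and the receipt report closes the loop on the sender's side. The following added example, not code from the manual, exercises all four on three constructed messages, one of which is lost. The tag is an HMAC under a shared key, which is a message authentication code used here in place of the digital signature the manual lists because the Python standard library has no signature primitive; the key, the message layout and the records are constructed for the example.

```python
"""Sequence-numbered, integrity-protected transmission with receipt reconciliation.

Added example, not from the manual, combining the AD1 techniques. The HMAC tag
stands in for a digital signature; key, layout and data are constructed.
"""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-example-key-change-me"   # provisioned out of band in practice


def hash_total(records: list[dict]) -> int:
    """Sum of account codes: meaningless arithmetically, sensitive to lost or altered items."""
    return sum(int(r["account"]) for r in records)


def build_message(seq: int, records: list[dict]) -> dict:
    body = {"seq": seq, "count": len(records), "hash_total": hash_total(records), "records": records}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    def __init__(self):
        self.expected_seq = 1
        self.accepted: list[dict] = []
        self.receipts: list[dict] = []      # the "reports confirming receipt" (AD1.6)

    def receive(self, message: dict) -> dict:
        calculated = hmac.new(SHARED_KEY, message["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(calculated, message["tag"]):
            return self._receipt(None, "tag mismatch")          # altered in transit or wrong key
        body = json.loads(message["payload"])
        if body["seq"] != self.expected_seq:                    # loss, replay or reordering
            return self._receipt(body["seq"], f"expected seq {self.expected_seq}")
        if body["count"] != len(body["records"]) or body["hash_total"] != hash_total(body["records"]):
            return self._receipt(body["seq"], "control total mismatch")
        self.expected_seq += 1
        self.accepted.extend(body["records"])
        return self._receipt(body["seq"], "ok")

    def _receipt(self, seq, status: str) -> dict:
        receipt = {"seq": seq, "status": status}
        self.receipts.append(receipt)
        return receipt


def reconcile(sent_seqs: list[int], receipts: list[dict]) -> list[int]:
    """Sender side: every transmitted message needs an 'ok' receipt; the rest need follow-up."""
    confirmed = {r["seq"] for r in receipts if r["status"] == "ok"}
    return [seq for seq in sent_seqs if seq not in confirmed]


# Constructed transmission: three single-record batches.
SAMPLE_BATCHES = [
    [{"ref": "A1", "account": "4010", "amount": 100}],
    [{"ref": "A2", "account": "2000", "amount": 250}],
    [{"ref": "A3", "account": "4010", "amount": 75}],
]


def run_scenario(lose_second: bool) -> tuple[Receiver, list[int]]:
    """Transmit the three messages, optionally losing the second, and reconcile."""
    sent = []
    receiver = Receiver()
    for seq, records in enumerate(SAMPLE_BATCHES, start=1):
        message = build_message(seq, records)
        sent.append(seq)
        if lose_second and seq == 2:
            continue
        receiver.receive(message)
    return receiver, reconcile(sent, receiver.receipts)


if __name__ == "__main__":
    receiver, outstanding = run_scenario(lose_second=True)
    print(receiver.receipts)
    print("messages without an 'ok' receipt:", outstanding)
```

When message 2 is lost, message 3 is refused with "expected seq 2" and the sender's reconciliation lists both 2 and 3 as outstanding, which is the prompt the manual wants for re-transmission; the receiver does not accept 3 out of order, so the transaction sequence stays intact.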
AE. STANDING DATA
AE1. Continued correctness of standing data
To ensure that all data stored in the system as a permanent record or for reference remains correct and complete.
1. Responsibility for checking the continued correctness of data is allocated either to a database administrator or to appropriate users.
2. Control totals or hash totals are used to monitor the state of files containing permanent data.
3. Printouts of standing or reference data are checked periodically to source documents by the responsible user. This can be done on a cyclical or statistical basis, depending on the risk represented by incorrect data.
AF. OUTPUT
AF1. Correctness of output
To ensure that output released whether on paper, via screens, on magnetic media, or through electronic links, is correct and complete.
1. Validation and range etc. checks are carried out by the program on records output. Warning messages are given if the output does not comply. There is a user procedure for handling such warning messages.
2. There are procedures in place to give an appropriate degree of reasonableness check to printed output (may range from none for internal paper which is not a base for decisions, to 100% read-through against supporting documents (e.g., perhaps, for large cheques)).
3. For transmissions of payment instructions to banks:
- the responsible user uses both control totals and spot checks (such as sample tests from time to time on the disk to be despatched or browsing and sampling the messages transmitted) to obtain reasonable assurance that the information actually sent is identical with that authorized;
- despatch of tapes or disks by a secure messenger service;
- prepared disks or tapes are stored securely up to despatch;
- pre-established limits are agreed with the bank on the total amount and on individual transactions;
- acceptance reports are reconciled promptly (in time to recall payments);
- post-payment reconciliation is done promptly.
4. Output reports include totals which are reconciled by the user to totals established before input. Detailed prints of input are available to investigate differences when necessary.
AF2. Correct distribution of output
To ensure that output reaches all and only those for whom it is intended.
1. Output produced by the computer center is kept under surveillance, and distributed with appropriate security/privacy.
2. Mailing lists for output are regularly reviewed and unnecessary or incorrect addressees removed.
3. Superfluous copies of output for which there is no addressee are not produced.
4. The general security rules applied to PCs, terminals and printers located with end users ensure sufficient privacy for output, taking into account the level of building security and the quality of password etc controls.
5. The person responsible for security decisions for the application has a clear picture of the various user groups with access to output in any form and makes decisions on control accordingly (see point AA1.8 above). In particular, logical access controls for the application take account of possible approaches through all networks in which the installation is involved.
6. All expected output is accounted for (e.g. use of serial numbering to detect unauthorized suppression of exception reports).
7. Reports are regularly produced even if there is no problem to report (recipients should then become used to receiving a report and less likely to overlook a report that is suppressed by someone who does not want the report's contents known).
8. Negotiable, sensitive or critical forms (for example cheques) should be properly logged and secured to provide adequate safeguards against theft or damage. The forms log should be routinely reconciled to inventory on hand and any discrepancies should be properly investigated.
ANNEX 3
APPLICATION CONTROL REQUIREMENTS
The following requirements are expressed in general terms. In general the requirement is that evidence should be provided at suitable intervals (for example, daily) to user managers to enable them to be assured that the data and processing in the application are correct. Specific solutions (for example aggregations and control totals, serial numbers, reports for reconciliation or reasonableness checking, supervisor/manager consultation and recorded approval of control data on screen) need to be defined in the early stages of the project.
It is assumed in what follows that general installation controls satisfactory to the users are in place in the systems/networks which will run this application. Such controls should cover, for example, physical access, logical access generally, separation of IT staff duties, backup, disaster recovery, (software) changes, and should include performance indicators to measure the efficiency of the system.
1. Access
The application should prevent access to programs except by authorized staff, and should provide for access to user resources (processes or data) to be managed by (a) senior user(s) and to be restricted as may be required to reflect differing patterns of work and separations of duties in user divisions (for example, by account codes, by values, by functions, etc.). All access should be controlled and logged on an individual basis and the system should prevent and report all unauthorized access attempts.
2. Input of data
The system should provide evidence permitting user managers to be sure that data input, including standing data, is complete, is validated in accordance with user requirements, and is correctly written to the correct files.
3. Integrity of data
The system should be organized so as to provide regular evidence to user managers that standing and stored data remains complete and correct.
4. Transaction processing
The system should provide regular evidence that transactions are, in aggregate, correctly processed and written to the correct files.
5. Changing data and programs by emergency routes
So far as they are within the application, the use of any emergency data change facilities or processes, which allow data to be changed without passing through normal validation, should be capable of being heavily restricted and logged.
6. Management (audit) trail
All transactions should be traceable forwards and backwards through the system. A trail should be maintained of data which is aggregated at various reporting levels, so that component transactions can be identified.
7. Records
All actions on each transaction record should be stamped with the logged-in identity concerned, and the machine time and date (and an action code). Full records of every change should be retained (no overwriting).
8. Output
Outputs should be dated and timed, and (where necessary for control) serially numbered. There must be appropriate controls (and evidence to the accountant that they have operated) over electronic transfer of payment data to ensure that only and all authorized transactions are timeously executed.
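Requirements 6 and 7 together describe an append-only trail. The following added example, not code from the manual, shows one way to satisfy them: every action on a transaction record is appended with the logged-in identity, the machine date and time and an action code; a correction is a new entry and the current state is rebuilt by replaying the entries, so no version is ever overwritten; a report total records which transactions it was built from, so it can be traced backwards to them and each transaction forwards to the totals it feeds. Storage is in memory and the clock is injected so the example runs deterministically; the action codes, record ids and sample invoices are constructed.

```python
"""Append-only management (audit) trail with forward and backward tracing.

Added example, not from the manual, for Annex 3 points 6 and 7. Action codes,
record ids and the sample invoices are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable


@dataclass(frozen=True)
class TrailEntry:
    seq: int          # gap-free sequence number: a gap means an entry is missing
    when: datetime    # machine date and time
    user: str         # logged-in identity
    action: str       # action code: CREATE, AMEND, AGGREGATE
    record_id: str    # transaction id, or report line id for AGGREGATE
    data: dict


class AuditTrail:
    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock
        self._entries: list[TrailEntry] = []
        self._components: dict[str, list[str]] = {}   # report line -> component txn ids

    def record(self, user: str, action: str, record_id: str, data: dict) -> TrailEntry:
        """Append only: earlier entries are never changed or removed."""
        entry = TrailEntry(len(self._entries) + 1, self._clock(), user, action, record_id, dict(data))
        self._entries.append(entry)
        return entry

    def history(self, record_id: str) -> list[TrailEntry]:
        """Every action on one record, oldest first: the full record of every change."""
        return [e for e in self._entries if e.record_id == record_id]

    def current(self, txn_id: str) -> dict:
        """Latest state of a transaction, replayed from its CREATE and AMEND entries."""
        state: dict = {}
        for e in self.history(txn_id):
            if e.action in ("CREATE", "AMEND"):
                state.update(e.data)
        return state

    def aggregate(self, user: str, report_line: str, txn_ids: list[str]) -> int:
        """Total the current amounts of the given transactions for a report line
        and record which transactions make up the total."""
        total = sum(self.current(t)["amount"] for t in txn_ids)
        self._components[report_line] = list(txn_ids)
        self.record(user, "AGGREGATE", report_line, {"total": total, "components": list(txn_ids)})
        return total

    def trace_back(self, report_line: str) -> list[str]:
        """Backwards: from a reported total to its component transactions."""
        return list(self._components.get(report_line, []))

    def trace_forward(self, txn_id: str) -> list[str]:
        """Forwards: from a transaction to every report line that includes it."""
        return [line for line, ids in self._components.items() if txn_id in ids]

    def sequence_intact(self) -> bool:
        """True when no entry has been removed from the middle of the trail."""
        return [e.seq for e in self._entries] == list(range(1, len(self._entries) + 1))


def build_sample_trail() -> AuditTrail:
    """Constructed scenario: two invoices, one corrected by a supervisor, then reported."""
    start = datetime(2004, 7, 30, 9, 0, 0)
    ticks = (start + timedelta(seconds=i) for i in range(1000))
    trail = AuditTrail(clock=lambda: next(ticks))
    trail.record("clerk01", "CREATE", "INV-1", {"amount": 1200, "supplier": "A"})
    trail.record("clerk01", "CREATE", "INV-2", {"amount": 800, "supplier": "B"})
    trail.record("super02", "AMEND", "INV-1", {"amount": 1250})    # correction; old value kept
    trail.aggregate("report", "JUL-SUPPLIERS", ["INV-1", "INV-2"])
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    for entry in trail.history("INV-1"):
        print(entry.seq, entry.when.isoformat(), entry.user, entry.action, entry.data)
    print("JUL-SUPPLIERS is made of", trail.trace_back("JUL-SUPPLIERS"))
```

The amended invoice keeps both its original and corrected amounts in the trail with the identity and time of each action, and the report line records its components, which is what an auditor needs to follow a reported total down to the transactions and a transaction up to the reports. In a real system the trail would be written to storage that the application cannot rewrite, and the sequence check would be run against that store.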
- observation and enquiry: essentially, the observation of control staff while they are undertaking their work and interviews to establish what they do;
- examination: the obtaining of evidence that controls have functioned correctly, for example by inspection of documents for evidence that checks have been carried out, reconciliation, re-performance and walk-through tests; and
and errors should be discussed with auditees and their views recorded for use in the audit
report. Working papers, including the analysis of problems, effects and solutions should then
be used in the preparation of the audit report.
REGULATIONS
Articles 9-11 of Regulation (EC) No 1386/2002, based on Article 12 of Regulation (EC) No
1164/94, and again largely taken - via Regulation 438/2001 - from Regulation 2064/97, are the
parallel provisions governing sample checks and systems audits of projects co-financed by the
Cohesion Fund. On account of the larger size and higher average aid rate of projects, sample
checks here are required to cover 15% of expenditure, taking as the basis the total eligible
expenditure on projects that are financed by the Cohesion Fund over the period 2000-2006 and
which were first approved after 1 January 2000.
Article 12 of CR 1386/2002 states that in accordance with Article G(1) of Annex II to Regulation
(EC) 1164/94, Member States shall inform the Commission by 30 June each year (and for the first
time by 30 June 2003) of their application of Articles 9-11, above, in the previous calendar year.
The aim of this Appendix is to provide an approach for the auditor to conduct tests which fulfil
the EC requirements.
Audit planning scheme
The audit shall examine whether the expenditure on Cohesion Fund projects was spent in
accordance with the rules and regulations covering the assistance granted.
The audit shall be based on substantive audit procedures comprising a minimum 15% check of
programmes and projects. The selection of these projects will be determined via a risk
assessment approach. Projects will be tested at the transaction level to help form an opinion on
the performance of that project in that period.
At the end of the assistance the information from testing over the whole life of the assistance
will be combined to provide the winding-up declaration.
Risk assessment and selection of projects
Risk assessment
Decide on a set of clear risk based criteria in order to select a sample of projects. This is called
a risk based approach and is used as a method to stratify the projects into distinct risk
categories from which a multistage sample of projects and payments within projects can be
randomly selected to achieve a 15 per cent check of expenditure in each year and therefore
over the life of the assistance.
Figure 2: The criteria for assessing risk
(Diagram: the seven criteria arranged around the word "Criteria")
- Complexity
- Control risk
- Staff turnover
- Prior audit checks
- Size of subsidy
- Type of programme
- Project manager experience
is multiplied by the weight of that criterion. The weighted scores over all seven criteria should then be totalled to obtain a final score for the project. This score can then be placed within the high, medium or low risk category.
RISK SCORE
Criterion | Rating 1 | Rating 2 | Rating 3 | Rating 4 | Weight | Rating
What is the size of the project budget | Under 10,000 | 10,000 to 50,000 | 50,000 to 100,000 | Over 100,000 | 4 | 16
What risk is associated with the project | Very low risk | Low risk | High risk | Very high risk | 4 | 8
How good are management control structures | Very good | Good | Poor | Very poor | 4 | 12
How experienced are the project managers | Very experienced | Experienced | Little experience | No experience | 3 | 6
Has the project been sampled before | In last year | 2-3 years ago | 4-5 years ago | No | 3 | 12
How complex is the project in terms of its funding streams, legislation, and organisation | Not at all complex | Not complex | Complex | Highly complex | 2 | 4
What is the level of staff turnover in the project manager's organisation | Very low turnover | Low turnover | High turnover | Very high turnover | 2 | 4
Total Score | | | | | 22 | 62
Risk Category | Low: 22 to 40 | Medium: 41 to 50 | High: 51 to 88
The numbers in the figure are provided for illustrative purposes, the values for the size of
projects have yet to be determined and the weights and risk category values could also be
altered.
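The scoring procedure above is short enough to implement directly, which also makes it easy to change the weights and bands when, as the note says, the illustrative values are replaced. The following is an added example, not the manual's own tooling: it encodes the seven criteria, the 1 to 4 ratings and the weights of the RISK SCORE figure, computes the weighted score and assigns the category using the figure's bands, then groups a set of projects into strata ready for sampling. The project ratings used for the test are those implied by the figure's worked column (16, 8, 12, 6, 12, 4, 4 against weights 4, 4, 4, 3, 3, 2, 2), and the criterion keys are names chosen for the example.

```python
"""Weighted risk scoring of projects and stratification into risk categories.

Added example, not the manual's own tooling. Criteria, weights and bands are
taken from the RISK SCORE figure; the criterion keys are names chosen here.
"""

# (criterion key, weight, wording of ratings 1..4) as in the figure
CRITERIA = [
    ("budget", 4, ("Under 10,000", "10,000 to 50,000", "50,000 to 100,000", "Over 100,000")),
    ("project_risk", 4, ("Very low risk", "Low risk", "High risk", "Very high risk")),
    ("control_structures", 4, ("Very good", "Good", "Poor", "Very poor")),
    ("manager_experience", 3, ("Very experienced", "Experienced", "Little experience", "No experience")),
    ("sampled_before", 3, ("In last year", "2-3 years ago", "4-5 years ago", "No")),
    ("complexity", 2, ("Not at all complex", "Not complex", "Complex", "Highly complex")),
    ("staff_turnover", 2, ("Very low turnover", "Low turnover", "High turnover", "Very high turnover")),
]
# (category, lowest score, highest score); bands are contiguous and cover min..max
BANDS = [("Low", 22, 40), ("Medium", 41, 50), ("High", 51, 88)]


def score_range() -> tuple[int, int]:
    """Minimum (all ratings 1) and maximum (all ratings 4) achievable scores."""
    total_weight = sum(weight for _, weight, _ in CRITERIA)
    return total_weight, 4 * total_weight


def weighted_score(ratings: dict[str, int]) -> int:
    """Rating x weight for each criterion, summed. A missing or out-of-range
    rating is an error rather than a silent zero: an unrated criterion would
    otherwise pull a project towards the Low band."""
    total = 0
    for key, weight, _ in CRITERIA:
        rating = ratings.get(key)
        if rating not in (1, 2, 3, 4):
            raise ValueError(f"{key}: rating must be 1-4, got {rating!r}")
        total += weight * rating
    return total


def risk_category(score: int) -> str:
    for name, low, high in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} outside the defined bands")


def assess(ratings: dict[str, int]) -> dict:
    """Score one project and keep the per-criterion wording for the audit file."""
    score = weighted_score(ratings)
    detail = [f"{key}: {words[ratings[key] - 1]} ({ratings[key]} x {weight} = {ratings[key] * weight})"
              for key, weight, words in CRITERIA]
    return {"score": score, "category": risk_category(score), "detail": detail}


def stratify(projects: dict[str, dict[str, int]]) -> dict[str, list[str]]:
    """Group project ids by risk category, ready for stratified sampling."""
    strata = {name: [] for name, _, _ in BANDS}
    for project_id, ratings in projects.items():
        strata[assess(ratings)["category"]].append(project_id)
    return strata


# The project worked in the figure: budget over 100,000 (4), low risk (2),
# poor control structures (3), experienced manager (2), never sampled (4),
# not complex (2), low turnover (2).
FIGURE_PROJECT = {"budget": 4, "project_risk": 2, "control_structures": 3,
                  "manager_experience": 2, "sampled_before": 4,
                  "complexity": 2, "staff_turnover": 2}

if __name__ == "__main__":
    result = assess(FIGURE_PROJECT)
    print(result["score"], result["category"])
    for line in result["detail"]:
        print(" ", line)
```

Keeping the per-criterion wording in the result is deliberate: the risk assessment has to be defensible later, and a score of 62 means little on its own without the ratings that produced it.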
Sample selection procedure
The objective is to ensure that the requirements set out in the Regulations are met. In order to meet the requirements of this regulation the auditor should ensure that:
- the checks carried out before the winding-up of each project shall cover at least 15 % of the total eligible expenditure;
- Beneficiary Countries shall seek to spread the implementation of the checks evenly over the period concerned; and
- there is an appropriate separation of tasks as between such checks and implementation or payment procedures concerning operations.
The risk assessment should be conducted for all the projects. This will provide the auditor with
a list of projects divided into high, medium and low risk categories. The sample shall be
selected using these risk categories as the basis for stratification.
The overall sample size required for projects is calculated using stratified sampling theory (Annex 1). This sample size is allocated between categories in proportion to the amount of total expenditure within each stratum for the period being tested. Where the allocated value is greater than the number of projects in the stratum it is reduced to that number, and where it is less than one project it is rounded up to one project (Figure 4).
Figure 4 (allocation of the project sample between risk categories)
Risk category | Projects | Expenditure | Proportion | Sample size | Sample expenditure
High | 6 | SIT 40,000,000 | 77.5% | 6 | SIT 40,000,000
Medium | 14 | SIT 11,084,167 | 21.5% | 2 | SIT 1,958,333
Low | 10 | SIT 540,833 | 1.0% | 1 | SIT 12,500
Total | 30 | SIT 51,625,000 | 100.0% | 10 | SIT 41,970,833
The formula used to calculate the overall sample size is shown at Annex 1.
The projects should be selected randomly from within the risk categories. This will ensure that
the sample is representative of all types of projects and is targeted to the areas of greatest risk.
The requirement is to check a minimum of 15 per cent of the expenditure. If the auditor were to
test all of the expenditure on the selected projects this would more than exceed the 15 per cent
due to the targeting of high expenditure, high risk projects. The sample should therefore be
treated as a multistage audit and the expenditure within the sampled projects should also be
sampled so that a minimum of 15 per cent of annual expenditure is tested each year.
Figure 5: Calculation of payment sample to ensure 15 per cent of expenditure
Payment sampling information | High | Medium | Low | Total
Payments | 689 | 75 | 4 | 768
Expenditure | SIT 40,000,000 | SIT 1,958,333 | SIT 12,500 | SIT 41,970,833
Average | SIT 58,055 | SIT 26,111 | SIT 3,125 | SIT 87,291
Proportion | 89.7% | 9.8% | 0.5% | 100.0%
Of target | SIT 2,315,731 | SIT 252,075 | SIT 13,444 | SIT 2,581,250
Payments (sample) | 40 | 10 | 4 | 54
Illustrative dataset behind Figures 4 and 5
Project | Risk assessment | Budgeted expenditure | Expenditure in period | Sampled projects | Payments in period | Sampled payments | Sampled expenditure
- | High | SIT 150,000,000 | SIT 5,000,000 | SIT 5,000,000 | 4 | 4 | SIT 5,000,000
- | High | SIT 75,000,000 | SIT 12,500,000 | SIT 12,500,000 | 300 | 8 | SIT 333,333
- | High | SIT 15,000,000 | SIT 2,500,000 | SIT 2,500,000 | 50 | 7 | SIT 350,000
- | High | SIT 25,000,000 | SIT 4,166,667 | SIT 4,166,667 | 10 | 7 | SIT 2,916,667
- | High | SIT 60,000,000 | SIT 10,000,000 | SIT 10,000,000 | 250 | 7 | SIT 280,000
- | High | SIT 35,000,000 | SIT 5,833,333 | SIT 5,833,333 | 75 | 7 | SIT 544,444
Total (High) | | SIT 360,000,000 | SIT 40,000,000 | SIT 40,000,000 | 689 | 40 | SIT 9,424,444
Mean (High) | | | SIT 6,666,667 | SIT 6,666,667 | | |
Standard deviation (High) | | | SIT 3,800,585 | SIT 3,800,585 | | |
Project 7 | Medium | SIT 1,000,000 | SIT 166,667 | | | |
Project 8 | Medium | SIT 6,000,000 | SIT 1,000,000 | | | |
Project 9 | Medium | SIT 2,500,000 | SIT 416,667 | | | |
Project 10 | Medium | SIT 3,750,000 | SIT 625,000 | SIT 625,000 | 45 | | SIT 69,444
Project 11 | Medium | SIT 4,650,000 | SIT 775,000 | | | |
Project 12 | Medium | SIT 1,750,000 | SIT 291,667 | | | |
Project 13 | Medium | SIT 7,350,000 | SIT 1,225,000 | | | |
Project 14 | Medium | SIT 8,000,000 | SIT 1,333,333 | SIT 1,333,333 | 30 | | SIT 222,222
Project 15 | Medium | SIT 9,150,000 | SIT 1,525,000 | | | |
Project 16 | Medium | SIT 1,950,000 | SIT 325,000 | | | |
Project 17 | Medium | SIT 4,050,000 | SIT 675,000 | | | |
Project 18 | Medium | SIT 2,600,000 | SIT 433,333 | | | |
Project 19 | Medium | SIT 6,605,000 | SIT 1,100,833 | | | |
Project 20 | Medium | SIT 7,150,000 | SIT 1,191,667 | | | |
Total (Medium) | | SIT 66,505,000 | SIT 11,084,167 | SIT 1,958,333 | 75 | 10 | SIT 291,667
Mean (Medium) | | | SIT 791,726 | SIT 979,167 | | |
Standard deviation (Medium) | | | SIT 437,391 | SIT 500,867 | | |
Project 21 | Low | SIT 25,000 | SIT 4,167 | | | |
Project 22 | Low | SIT 320,000 | SIT 53,333 | | | |
Project 23 | Low | SIT 750,000 | SIT 125,000 | | | |
Project 24 | Low | SIT 115,000 | SIT 19,167 | | | |
Project 25 | Low | SIT 75,000 | SIT 12,500 | SIT 12,500 | | | SIT 12,500
Project 26 | Low | SIT 250,000 | SIT 41,667 | | | |
Project 27 | Low | SIT 315,000 | SIT 52,500 | | | |
Project 28 | Low | SIT 825,000 | SIT 137,500 | | | |
Project 29 | Low | SIT 90,000 | SIT 15,000 | | | |
Project 30 | Low | SIT 480,000 | SIT 80,000 | | | |
Total (Low) | | SIT 3,245,000 | SIT 540,833 | SIT 12,500 | | | SIT 12,500
Mean (Low) | | | SIT 54,083 | SIT 12,500 | | |
Standard deviation (Low) | | | SIT 46,885 | SIT 0 | | |
Total | | SIT 429,750,000 | SIT 51,625,000 | SIT 41,970,833 | 768 | 54 | SIT 9,728,611
Mean | | | SIT 1,720,833 | | | |
5 per cent | | SIT 21,487,500 | SIT 2,581,250 | | | |
(The six high-risk rows precede Project 7 in the original table; their project labels are not on the page. Blank cells are blank in the original.)
The above dataset is for illustrative purposes only to demonstrate how the techniques should be
applied.
Substantive procedures
In accordance with the Regulations the Beneficiary Country shall organise checks on measures on an appropriate sampling basis, designed in particular to:
- verify the effectiveness of the management and control systems in place; and
- verify selectively, on the basis of risk analysis, expenditure declarations made at the various levels concerned.
Audit programme
(Form: Inspection officer; Project; Project Ref; Inspection date; amount columns in SIT; result codes Satisfactory (S), Unsatisfactory (U), No response possible (N).)
Reporting results
Individual programmes
To report the results a report can be written for each project detailing the sample results for
payments tested within that project, combined with findings from work on the management
and control over the project.
Annual reports
The work across all projects can be combined to give a report for the period drawing out
similar themes of weaknesses and strengths in management and controls as well as informing
on any ineligible monetary payments.
Annex 1
Step by step guide to drawing a 15 per cent sample
1. Using the risk matrix divide the projects or programmes into risk categories; if there are no differences in risk then put all the projects or programmes into one category.
2. Using the formula below calculate the sample size required for the number of projects.
Nh = population size for high strata, nh = sample size for high strata
Nm = population size for medium strata, nm = sample size for medium strata
Nl = population size for low strata, nl = sample size for low strata
Xh = population expenditure for high strata
Xm = population expenditure for medium strata
Xl = population expenditure for low strata
M = materiality, set at 5% of total value; X = (Xh + Xm + Xl)
Stratified sample sizes: nh = n * (Xh/X), nm = n * (Xm/X), nl = n * (Xl/X)
Risk category | Expenditure in the period | Proportion | Stratified sample
High risk projects | SIT 40.000.000 | 77,5% | Should be 7 but already sampling all high risk projects
Medium risk projects | SIT 11.084.167 | 21,5% |
10 Low risk projects | SIT 540.833 | 1,0% | 1
30 projects in total | SIT 51.625.000 | 100,0% | 10
3. To calculate the stratified sample size in each risk category divide the overall sample size from step 2 in proportion to the total expenditure in the period in each risk category (see formula for stratified sample sizes above). Select the projects or programmes randomly from within the risk category. If any of the stratified sample sizes are larger than the population of projects or programmes in that strata, simply test the whole population.
4. To calculate the sample size for payments at those projects or programmes calculate an average expenditure per payment for each risk category.
Risk category | Expenditure in the period | Average
689 payments over 6 projects | SIT 40.000.000 | SIT 58.055
75 payments over 2 projects | SIT 1.958.333 | SIT 26.111
4 payments over 1 project | SIT 12.500 | SIT 3.125
768 payments in total | SIT 41.970.833 | SIT 87.291
Calculate 15 per cent of the overall expenditure in the period over all projects or
programmes. Allocate this amount to each risk category in proportion to the number of
payments in each risk category for the selected projects or programmes. Divide this
expenditure by the average payment to get the sample size for each risk category.
Divide the sample size on an equal basis between the projects or programmes, and then
select random payments from within those projects or programmes.
This approach ensures that higher risks are targeted, that the sample is selected in a
statistically robust manner and that 15 per cent coverage of expenditure in the period is
achieved.
If, at any stage, there is insufficient information, increase the sample size to cover the
additional bias which may be introduced by the non-statistical element.
Risk category   Payments at selected projects   Average payment   Share of payments   15% coverage allocated   Payment sample size
High risk       689 payments over 6 projects    SIT 58.055        89,7% (*)           SIT 6.946.144 (*)        120
Medium risk     75 payments over 2 projects     SIT 26.111        9,8%                SIT 758.887              29
Low risk        4 payments over 1 project       SIT 3.125         0,5%                SIT 38.719               12
Total           768 payments in total           SIT 87.291        100,0%              SIT 7.743.750            161
(*) not legible in the source; derived by subtraction from the totals row.
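Steps 3 and 4 above, worked through in code. This is an added example, not part of the manual: the SIT figures are the ones in the tables above, while the population counts of high- and medium-risk projects (6 and 14, taken from "30 projects in total", "10 low risk projects" and the 6 high-risk projects actually selected), the rounding conventions and all function names are assumptions.

```python
# Added worked example of the manual's stratified sampling procedure
# (steps 3 and 4). Not from the manual; SIT figures are those in its
# tables, the high/medium population counts and rounding rules are assumed.
import math
import random
from dataclasses import dataclass


@dataclass
class Stratum:
    name: str
    projects: int                 # projects in the population of this risk category
    expenditure: int              # population expenditure in the period (Xh, Xm, Xl), SIT
    sampled_payments: int = 0     # payments made at the projects selected in step 3
    sampled_expenditure: int = 0  # expenditure at those selected projects, SIT


def project_sample_sizes(strata, n):
    """Step 3: nh = n * (Xh/X) for each stratum.

    Fractions are truncated and at least one project is taken per stratum
    (convention assumed from the manual's figures: 7, 2, 1 for n = 10).
    A stratum whose computed size exceeds its population is tested in full.
    Returns {name: (computed_size, projects_to_select)}.
    """
    x_total = sum(s.expenditure for s in strata)
    result = {}
    for s in strata:
        computed = max(1, math.floor(n * s.expenditure / x_total))
        result[s.name] = (computed, min(computed, s.projects))
    return result


def payment_sample_sizes(strata, coverage=0.15):
    """Step 4: size the payment sample so that 15% of period expenditure is covered.

    The coverage amount is spread over the strata in proportion to the number
    of payments at the selected projects (shares rounded to 0.1%, as the
    manual's table does) and divided by each stratum's average payment.
    Returns {name: (average_payment, allocated_amount, sample_size)}.
    """
    target = coverage * sum(s.expenditure for s in strata)
    total_payments = sum(s.sampled_payments for s in strata)
    result = {}
    for s in strata:
        average = s.sampled_expenditure / s.sampled_payments
        share = round(s.sampled_payments / total_payments, 3)
        amount = target * share
        result[s.name] = (round(average), round(amount), round(amount / average))
    return result


def split_evenly(size, projects):
    """Divide a stratum's payment sample equally between its selected projects."""
    base, extra = divmod(size, projects)
    return [base + (1 if i < extra else 0) for i in range(projects)]


def draw_payments(payment_ids, k, seed=None):
    """Random selection of k payments from one project's list of payment ids."""
    return sorted(random.Random(seed).sample(payment_ids, k))


# Figures from the manual's tables (SIT); the 6 and 14 population counts for
# the high and medium strata are assumptions (see comment at the top).
STRATA = [
    Stratum("high", 6, 40_000_000, sampled_payments=689, sampled_expenditure=40_000_000),
    Stratum("medium", 14, 11_084_167, sampled_payments=75, sampled_expenditure=1_958_333),
    Stratum("low", 10, 540_833, sampled_payments=4, sampled_expenditure=12_500),
]

if __name__ == "__main__":
    for name, (computed, chosen) in project_sample_sizes(STRATA, 10).items():
        print(f"{name}: computed {computed}, select {chosen} project(s)")
    for name, (avg, amount, size) in payment_sample_sizes(STRATA).items():
        print(f"{name}: average SIT {avg:,}, allocate SIT {amount:,}, sample {size} payments")
    print("medium stratum, 29 payments over 2 projects:", split_evenly(29, 2))
```

With n = 10 the project step returns 7, 2 and 1 (the high-risk stratum is capped at its 6 projects, matching the note in the table), and the payment step returns 120, 29 and 12 payments, 161 in total, as in the third table.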
Criterion: Legality and regularity of the activity
A check that the activity actually carried out conforms to the relevant
legal base. For example, the tests could examine whether a particular
activity undertaken under the Cohesion Fund conforms to the detailed
requirements of the regulations in respect of the amount or percentage
rate of financing.

Criterion: Completeness of financial and other records
A check that financial and other information systems record all relevant
details. For example, a substantive test could check whether all
incoming invoices were allocated a sequential number and were all
accounted for, and held centrally by the project manager/final
beneficiary, and whether all receipts or works done resulted in an
invoice. Analytical procedures may be used in connection with these
tests, especially ratios and predictive tests.

Criterion: Reality of the operation
A check that operations recorded within financial and other systems
actually took place. For example, a substantive test could check that
payments to subcontractors recorded in financial systems actually took
place through tracing booked payments to bank statements. Likewise,
stock records could be examined to test whether goods were actually
delivered.

Criterion: Measurement of the activity

Criterion: Valuation
A check that assets and other items are recorded at the correct value in
financial records. For example, a substantive test may check that the
sale or purchase of an asset purchased with Cohesion Fund support is
recorded at the correct value in the accounting system by checking the
original invoice or sale note.

Criterion: Existence
A check that assets and other items actually exist. For example, a
substantive test may check that an asset recorded in the financial records
actually exists. These substantive tests involve the physical verification
of existence, confirmation by the custodian of the assets, or actually seeing
the asset.

Criterion: Ownership
A check that assets recorded are actually owned or properly used by the
audited body. For example, a substantive test may involve checking that
the audited body has a valid lease, or is the legal owner, of premises
used for and financially supported by Cohesion Fund activity.

Criterion: Quality of inputs and outputs
A check that inputs and outputs are of an appropriate quality. For
example, for inputs we could check that the accounting system has input
controls built in, to ensure a completeness and integrity control of data.
For outputs, we could check that the system ensures through process
controls that reporting is complete and correct.
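Two of the substantive tests described above (the invoice sequence check under completeness, and tracing booked subcontractor payments to the bank statement under reality) run over constructed records. This is an added example, not part of the manual: the record layouts, the payee names and all figures are made up for illustration, and matching on payee and amount alone is a simplification.

```python
# Added example of two substantive tests from the criteria table:
# completeness (unbroken invoice numbering) and reality (ledger payments
# traceable to the bank statement). Data and layouts are constructed.
from collections import Counter
from dataclasses import dataclass


def invoice_sequence_check(invoice_numbers):
    """Completeness test: incoming invoices should form an unbroken sequence.

    Returns (missing numbers, duplicated numbers) so the auditor can ask
    for the missing invoices and for an explanation of any duplicate.
    """
    counts = Counter(invoice_numbers)
    lo, hi = min(counts), max(counts)
    missing = [n for n in range(lo, hi + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicates


@dataclass(frozen=True)
class Payment:
    ref: str      # reference in the project ledger or on the bank statement
    payee: str
    amount: int   # SIT


def trace_payments_to_bank(ledger, bank_statement):
    """Reality test: every subcontractor payment booked in the ledger should
    appear on the bank statement with the same payee and amount.

    Each bank debit may support only one ledger entry. Returns
    (ledger payments with no bank debit, bank debits with no ledger entry);
    the second list points at payments made outside the books.
    """
    bank_remaining = Counter((b.payee, b.amount) for b in bank_statement)
    unmatched = []
    for p in ledger:
        key = (p.payee, p.amount)
        if bank_remaining[key] > 0:
            bank_remaining[key] -= 1
        else:
            unmatched.append(p)
    unbooked = sorted(bank_remaining.elements())
    return unmatched, unbooked


# Constructed sample data: one gap, one duplicate, one unsupported ledger
# entry and one bank debit that was never booked.
INVOICES = [1001, 1002, 1003, 1005, 1005, 1006, 1008]
LEDGER = [
    Payment("P-01", "Contractor A", 1_250_000),
    Payment("P-02", "Contractor B", 480_000),
    Payment("P-03", "Contractor A", 1_250_000),
    Payment("P-04", "Surveyor C", 95_000),
]
BANK = [
    Payment("B-117", "Contractor A", 1_250_000),
    Payment("B-118", "Contractor B", 480_000),
    Payment("B-119", "Contractor A", 1_250_000),
    Payment("B-120", "Supplier D", 60_000),
]

if __name__ == "__main__":
    missing, dups = invoice_sequence_check(INVOICES)
    print("missing invoices:", missing, "duplicates:", dups)
    unmatched, unbooked = trace_payments_to_bank(LEDGER, BANK)
    print("ledger payments not on bank statement:", [p.ref for p in unmatched])
    print("bank debits not in ledger:", unbooked)
```

On the sample data the completeness test reports invoices 1004 and 1007 as missing and 1005 as duplicated; the reality test flags ledger payment P-04 as unsupported and the debit to Supplier D as unbooked.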
Audit objective by activity / process:
1. Objective
2. Approval
3. Monitoring
4. Guidance
5. Irregularity reporting
6. Audit
8. Publicity
10. Audit trail
Checklist for the audit of Management and Control Systems for the
Cohesion Fund
Prepared by: ______________________________ Date: ________________
Follow up by: _____________________________ Date: ________________
Revised by: _______________________________ Date: ________________
Systems description
Objective: Whether there are adequate procedures to ensure that systems descriptions are reviewed and
updated and changes notified to the Commission as required. (Art. 5 and Art. 12 of Commission
Regulation 1386/02)
Question | Yes/No/N/A | File ref | Comments
Has the Member State submitted the system
description in accordance with the Regulations, as
required by Article 5 of Regulation 1386/02 and by
the due date?
- If yes, indicate record date of receipt
- If not received by the due date (7 Nov.), ask when expected
Has the Member State designated an appropriate
person with responsibility for monitoring changes to
the system?
- If yes, indicate the person responsible and procedure
- If not, indicate when expected to have such a procedure
Is there a formal procedure to ensure that changes to
the system are notified to the responsible person?
- If yes, obtain a copy of the document
- If not, is there a uniform/standard procedure?
- If yes, describe the procedure
Overall conclusion regarding the systems descriptions
Guidance
Objective: Whether there are adequate procedures in place to ensure that adequate guidance is given to
the bodies responsible for the implementation of Cohesion Fund projects. (Art. 2 of Commission
Regulation 1386/02)
Question | Yes/No/N/A | File ref | Comments
Has the responsibility for issuing relevant guidance
been assigned to a particular person / unit? (at each
level, Paying / Managing and Intermediate levels)
Has guidance been issued covering all of the
authorities and bodies responsible for the general
management, co-ordination and implementation of CF
projects?
Is the guidance issued sufficient to assist those authorities to
establish the systems necessary to provide adequate assurance:
- of the correctness, regularity and eligibility of
expenditure?
- that projects are carried out in accordance with the
terms of the relevant decision?
Overall conclusion regarding the adequacy of the arrangements in place for the issuing of guidance
Audit arrangements
Objective: To ensure that there are adequate arrangements in place for the audit of the Member State's
management and control system for the Cohesion Fund (Article 9 of Reg. 1386/02). NOTE: This work is
to be carried out by the BSO, but the guidance and methodology is temporarily included for
information.
Question | Yes/No/N/A | File ref | Comments
Does the systems description adequately describe the
audit arrangements in place?
Has the responsibility for the systems audits required
by Art 9 of Reg. 1386/02 been assigned to a specific
body ?
If yes, indicate which is the body responsible
If not, ask when and to whom it is expected to designate this
responsibility
Are these bodies functionally independent from the
operational bodies (Paying / Managing / Implementing
etc) ?
Indicate who they report to
Have operational bodies any influence over which
projects are selected for audit ?
Are these bodies (i.e. bodies responsible for Article 9
audits) adequately staffed with suitably experienced /
qualified personnel ? (Get details)
Do these bodies use risk analysis in the selection of
projects / transactions to be audited ?
Obtain details/examples of the application of risk analysis
Indicate how an even spread of checks over the entire period is
ensured (2000-06)
Indicate how an appropriate mix of types and sizes of projects to
be examined (i.e. balance between environment and transport)
and coverage of all implementing bodies is ensured
Have these bodies drawn up annual audit plans for the
Cohesion Fund for the current year ? (Obtain copy of
plan and program and assess same)
Do these bodies use a standard report format (similar
to the example report in the CF Manual) ? (Obtain
example)
Are there procedures in place within these bodies to
follow up the findings and recommendations made in
their reports ?
If yes, indicate procedure
Have these units developed audit checklists specific to
the audit of Cohesion Fund projects ?
Is there evidence indicating that the manager has a
Operational Checks
Objective: Whether the relevant authorities have adequate financial and checking procedures to ensure
the regularity, legality and eligibility of expenditure. (Art. 4 and 8 of Commission Regulation 1386/02)
Question | Yes/No/N/A | File ref | Comments
Does the systems description adequately describe the
claims / drawdown / expenditure return / checking
process ?
Are there written procedures covering the checking of
payment requests / expenditure returns / compilation ?
Are there procedures to ensure the eligibility of
expenditure returned e.g. checklists which refer to
the principles of eligibility of expenditure for CF
projects ?
Are there checks to ensure that the expenditure:
- has been incurred and paid within the eligible period?
- is actual and not notional (trace payments to bank
statements)?
- does not include advances?
- has been paid by the final beneficiary named in the
Decision?
- is supported by original invoices which have been
properly approved and authorised for payment?
- has not previously been claimed?
- has been checked for arithmetical accuracy?
- relates to actions specifically approved by the
Commission Decision for the project?
- is incurred in accordance with the relevant Community
and National rules on, in particular, protection of the
environment, trans-European networks, competition
and public procurement?
Is there adequate separation of duties between those
responsible for checking claims and those responsible
for payment of claims ?
Is there adequate separation of duties between those
responsible for certifying expenditure and those
responsible for authorising payment of claims ?
Are checks adequately evidenced ?
Are there procedures to ensure that payments are made
to final beneficiaries in a timely manner and without
undue delays ?
Have all intermediate bodies and final beneficiaries
Publicity requirements
Objective: Whether there are adequate arrangements in place to ensure compliance with the publicity
requirements set out both in the Commission Decision for the particular project and in Commission
Decision 96/455.
Question | Yes/No/N/A | File ref | Comments
Are there arrangements to ensure that all intermediate
bodies and final beneficiaries have been informed of the
publicity requirements ?
Has a publicity officer been appointed to monitor the
compliance of projects with CF publicity requirements ?
Are on the spot checks carried out to projects to ensure
that publicity requirements are being observed ?
Is evidence of publicity measures taken obtained from
final beneficiaries for all projects. (e.g. audio-visual
material, brochures, press releases, photographs of
signage ) ?
Is a checklist used to ensure that the publicity measures
taken are appropriate to the size/budget of the project ?
Obtain evidence of the publicity measures taken
Overall conclusion regarding the adequacy of the arrangements in place regarding observance of
publicity requirements
Audit trail
Objective: Whether there are adequate procedures in place to ensure that the management and control
systems provide a sufficient audit trail. (Art. 6 of Commission Regulation 1386/02)
Question | Yes/No/N/A | File ref | Comments
Eligibility of expenditure
Objective: To ensure that only expenditure which is eligible for Cohesion Fund assistance has been
returned.
Test | Initial | File ref | Comments
Ensure that the expenditure returned has been incurred
and paid in the eligible period as set out in Article 2 of
the Commission Decision for the project
Public Procurement
Objective: To ensure that, in respect of public authorities, contracts for works, services or supplies
co-funded by the Cohesion Fund have been procured on the basis of a proper call for tenders, that there
are sound controls over the opening of tenders and that all tenders are fully evaluated before the award
of the contract.
General : ORGANISATION (System audit related issues)
Test | Initial | File ref | Comments
Is a brief description of the system available re the
procurement for Cohesion Fund projects (which
bodies are responsible for procurement of
infrastructure and environment)?
Has the project manager been informed of the rules
governing the award of public contracts as established
by the EU and the Member States authorities?
Have European Directives regarding procurement
been incorporated into national legislation? Obtain
copies of relevant documents.
Are flowcharts and/or organisation-charts available
that show the flow of documents and decision process?
Are procurement procedures written down in a
manual?
How is it ensured that any discriminatory elements are
eliminated? Are the selection criteria specified in the
invitation to tender?
Overall conclusion regarding Public Procurement
Publication
Test | Initial | File ref | Comments
Is the procurement notice published in advance in the
OJ, the official gazette and other national newspapers
and branch magazines of the recipient State?
Was a correct deadline applied for submission of
tenders (in general at least 90 days from the date of
publication of the notice)?
Is co-financing noted in the public contract notices
placed in the Official Journal in accordance with
Article 1 of Annex II of Council Regulation (EC) No
1164/94?
Was any additional information requested by
contractors and, if provided, also given to all other
candidate tenderers?
- Number of tenderers;
- Withdrawals;
- Non-compliance and reasoning;
- Tender prices of those tenders accepted for further evaluation.
Award procedure
Test | Initial | File ref | Comments
How are tenders shortlisted for evaluation, or are all
tenders submitted evaluated?
Is there an awarding committee?
What is the make up of this Committee? (Obtain names
and role)
What criteria are used in the award of contracts? (List
together with point / scoring system used)
Check the appropriateness of these criteria
Is the basis for awarding points to each tenderer under
each criterion recorded / justified?
Is a tender assessment / evaluation report prepared?
Who prepares this report?
Check additions / totals of scores awarded under various
categories
Is a technical report / evaluation of tenderers report
prepared by an engineer as part of the evaluation of
tenders?
Review this document and check award of scores
Awarding of contracts
Test | Initial | File ref | Comments
Publicity Measures
Objective: To ensure that the publicity requirements detailed in the Annex V of the Decision and
Decision 96/455/CE have been complied with.
Test | Initial | File ref | Comments
Do the MS Authorities make the general public aware
of the role played by the Community in relation to the
projects?
Have the on-the-spot information and publicity
measures been taken?
Has the content of the projects been published in the
most appropriate form throughout the territory of the
MS using the local and regional media?
In the case of investments with a cost exceeding ECU
1 million:
- Have the MS Authorities held regular news
conferences on a local level to inform about all facts
concerning the project?
In the case of investments with a cost exceeding
ECU 20 million, in addition to the measures for 1m and 10m cost:
- Do the MS Authorities hold regular news conferences
on a nation-wide level concerning the projects,
including the presentation of the audio-visual
material?
Overall conclusion regarding the publicity measures taken for this project
For projects selected to be reviewed, obtain a copy of the Application for Cohesion
Fund assistance. Review this document and determine if the project or group of
projects clearly conform to the objectives of the Cohesion Fund.
In order to ensure that proper applications were made, ask for the list of applicants and
review and assess how the funded projects were selected.
Decisions:
Obtain a copy of the original Commission Decision approving the project and review
it as regards eligibility dates, national and private financing, percentage aid rate
and expected revenues. Also note the scope of the project and the particular works to
be carried out.
Obtain copies of any modifications to the original Decision noting any changes in the
scope of the project and any other changes whether financial or non-financial.
Monitoring:
Ask for last progress report for the project and evidence of the status of completion.
Review and identify items you will pursue on site.
Obtain details of procedures, which set out the action to be taken where progress is
unsatisfactory. Review if there are rules relating to refunds.
Review the annual report and relevant control statements to identify any issues which
should be addressed during the audit;
Review the minutes of the co-ordination Meetings, the minutes of the monitoring
committee and the evaluation reports mid-term.
Examine the systems description together with any updates received under Article 5
of Regulation (EC) N 1386/2002.
For the particular project under review, request that all supporting documents are
made available upon your arrival.
Obtain a listing of all the principal works, services and supply contracts involved in
the project. Request that the following documents are made available in respect of
these contracts:
- Administrative clauses
- Contract
Obtain schedules of expenditure on the project which support the most recent
expenditure return which has been made by the Paying authority to the Commission
in respect of the project being examined. This should preferably be in spreadsheet
format and analysed between the main works involved in the project and by contract.
Obtain a copy of the systems description and in particular examine the descriptions in
relation to the organisations involved in the implementation of the project being
audited. Check the description of the audit trail, the description of internal controls
for the accounting / payment system, and the organisation chart and duties. This will be a good
source for the risk assessment exercise.
For the selected projects, the auditor should request details of all payment claims
made to date.
Examine procedures in relation to errors, fraud and irregularities. Obtain their list of
errors, fraud and irregularities. Evaluate for impact on risk assessment done, and
decide if further review is necessary on site. Also verify with OLAF if they have any
file on this subject.
Assess the risk of cross funding of projects (i.e. Projects receiving ERDF and
Cohesion Fund assistance). Obtain details of any ERDF funded Operational
Programmes in the Environment and Transport sectors.
Audits:
Obtain copies of all audit reports carried out on the project being examined. Examine
findings and request details of any follow up action which has been taken in respect
of recommendations made.
Review previous audits carried out by the Commission or the European Court of
Auditors (ECA) regarding this project.
Check the audit plans discussed at the co-ordination meetings between the Member
State and the Commission to take account of any changes made. Where visits are
planned or have taken place to the same authority or action, care should be taken not
to duplicate recent control effort, while ensuring proper follow-up of reports.
Confirm the description of the financial and accounting system of the final
beneficiary and evaluate the internal control environment of final beneficiary.
Obtain a copy of the audit trail and any previous audit reports which have commented
on the audit trail and review them to identify any possible weaknesses which should
be addressed during the audit;
Where IT systems are involved, auditors should ensure that they obtain appropriate
documentation to enable the audit to take account of these systems;
General:
Review available information from ex-ante controls and other sources on the selected
authorities and project managers/ final beneficiaries to determine whether there are
any particular issues which should be addressed during the audit;
As a result of the above work, the auditor should produce an adjusted risk profile of the bodies
to be audited and a list of the particular risks to which special attention should be given during
the audit. The aims and objectives of the audit, together with the specific work programmes
and questionnaires to be used, should be included as part of the audit plan. The initial risk
assessment should be documented in the work papers.
In terms of more detailed information, the auditor should consider the following issues:
For Receipts
The auditor should determine:
all receipts relating to the Project in-year;
that each claim for receipt of Cohesion Fund was dealt with by the appropriate
authority (NF)
Payments
The auditor should determine:
all payments made relating to the Project in-year;
that all claims for payment were dealt with by the appropriate bodies in accordance
with the Regulations;
that all claims for payment are supported by the necessary documentation;
that there is evidence of monitoring of the progress of the project by designated
authorities, to support the claims made
Bank Accounts
The auditor should determine
that the NF has opened bank accounts in accordance with the national guidance for
each Sector (Transport and Environment) and for each project;
the current balance;
Restricted - only those parties invited by the Contracting Authority may submit tenders.
Negotiated - Contracting Authorities consult parties of their choice and negotiate the terms of
the contract with one or more of them (this procedure may, however, be used only in the
very limited special circumstances set out in the Directives).
The Commission has a strong preference for open procedures to ensure the greatest possible
transparency and objectivity.
Advertising
OJEC Notices should be drawn up in accordance with the relevant Directives. Advertisements
in the OJEC are usually supplemented by advertisements in the national media to ensure the
widest possible competition for the contract. When advertising in the OJEC, the provisions
of the Directives, including the format in the Model Notices, must be strictly followed in
all cases. These Notices are set out in Annexes to the Directives.
Criteria for awarding contracts
Contracting Authorities, in deciding which bid to accept, may do so on the basis of either
- the lowest price only, or
- the most economically advantageous tender (using various criteria such as price, period for
completion, running costs, profitability, technical merit).
Written Report on Contracts Awarded
For all contracts awarded the Contracting Authority must prepare a written report. The
Commission may at any time request that this report be sent to them.
Utilities Directives
A separate set of Directives cover the Utilities, that is the Contracting Authorities operating in
the four sectors, water, energy, transport and telecommunications.
EU Directives 90/531/EEC (OJ L 297 of 29.10.1990) and 92/13/EEC cover Works and Supply
contracts and Remedies in these areas.
Provisions are similar to those of the main Directives but allow, in a number of instances, more
flexible procedures to take due account of the commercial nature of the bodies in question.
Directive 93/38/EEC for the Utilities consolidated these previous Directives and incorporated
Services contracts.
Thresholds in the Utilities Directive
Separate thresholds, which are subject to revision, apply for works and supply contracts in this
area.
The thresholds for Services Contracts, which are covered by Directive 93/38/EEC are the same
as the Supply contracts.
MODEL REPORT
INTRODUCTION
Identify the management and control systems covered by the report with reference to the
projects and managing and paying authorities;
Indicate the bodies which have been responsible for the preparation of the report;
Describe the steps taken for the preparation of the report;
Indicate the expenditure declared to the Commission for the year concerned for the projects
covered by the report.
SYSTEMS AUDITS
Indicate the bodies which have carried out audits;
Attach a summary list of the audits carried out and indicate the date of transmission of the
audit report to the Commission;
Describe the basis for selection of the audits in the context of the audit strategy;
Describe the principal findings and the conclusions drawn from the audit work for the
management and control systems, including the sufficiency of the audit trail and compliance
with Community requirements and policies;
Indicate any potential financial consequences;
Provide information on the follow up of the audit findings, in particular any corrective and
preventive measures applied.
CONCLUSION
In the conclusion it should be confirmed that
The audit activity for the year concerned was in conformity with the audit strategy presented
to the Commission. Where there are any reservations or limitations these should be indicated
and explained;
It should be stated that the results of the audit activity do not show any material deficiency in
the effective functioning of the management and control system applicable to the expenditure
declared to the Commission for the year concerned. Where there are any reservations or
limitations these should be indicated and explained;
It should be confirmed that specific cases of irregularity have been treated satisfactorily, in
particular by making the necessary financial corrections.
If the applicable rules and regulations are respected, and all reasonable measures are taken to
prevent, detect and correct fraud and irregularity, no financial corrections will be required.
If the applicable rules and regulations are respected, but the management and control systems
need to be improved, there should be pertinent recommendations, but no financial corrections
need be envisaged.
If there are serious failings in the management or control systems which could lead to
systemic irregularities, in particular failures to respect the applicable rules and regulations,
financial corrections should always be made.
(c) The amount of the financial correction for individual or systemic irregularities is to be assessed
wherever possible and practicable on the basis of individual files and to be equal to the amount of
expenditure found to have been wrongly charged to the Fund in the cases investigated, having
regard to the principle of proportionality.
(d) There are situations where it is not possible or practicable to quantify the amount of irregular
expenditure precisely, but it would be disproportionate to cancel the entire expenditure in question.
In such cases, the Commission may determine corrections on the basis of extrapolation or at flat
rates.
(e) Extrapolation can be used where an examination of individual files reveals quantifiable
irregularities of the same type and there is a high probability that the irregularity has occurred in a
great number of similar cases, i.e., is systemic, but it is not practicable or cost-effective to
investigate all the cases individually. Extrapolation requires that a homogeneous population of cases
with the same characteristics can be clearly identified. The results of a thorough examination of a
representative sample of transactions selected at random from the homogeneous population can
then be extrapolated to all the files making up the population, in accordance with generally
accepted auditing standards. A homogenous population is defined as being within or among
activities (projects or groups of projects) under the responsibility of the same managing authority,
managed by the same implementing body in the same sector over the same time period, whether
under a single Commission decision or different decisions.
(f) Flat rate corrections may be applied in the case of individual breaches or systemic irregularities
whose financial impact is not precisely quantifiable being subject to too many variables or too
diffuse in its effects but where it would be disproportionate to refuse all the assistance concerned
except in the most extreme cases. Such irregularities typically result from a failure to undertake
checks effectively to prevent or detect breaches of Community rules or conditions of the decision.
Where an irregularity appears to be systemic, a flat rate correction may be applied only to the cases
investigated, or, in situations like those described in para. (e) above, it may be applied to a
homogeneous population of cases with the same characteristics.
(g) When proposing a flat rate correction, the Commission must assess the importance of the
infringement of the rules and the extent and financial implications of any shortcomings in the
management and control system that have led to the irregularity established.
A list of what the Commission considers to be key and ancillary elements of systems for the
purpose of assessing the seriousness of deficiencies is given in section 2.2. and an indicative
scale of flat rates for corrections in section 2.3. The same expenditure will not normally be
subject to more than one correction.
(h) In areas where there is a margin for discretion in evaluating the gravity of the infringement, as in
cases of disregard of environmental conditions, corrections shall be subject to the following
conditions: a significant failure to respect the rules and a clearly identifiable link with the action
receiving EU co-finance.
(i) Unlike the case with corrections made by the Member State under Article 39(1) of Regulation (EC)
No 1260/1999, financial corrections decided by the Commission, whether under Article 39(3) of
Regulation (EC) No 1260/1999 or Article H(2) of Annex II to Regulation (EC) No 1164/94, always
involve a net reduction to the EU funding committed to the project or assistance.
(j) Irrespective of the kind of corrections proposed by the Commission, the Member State is always
given the opportunity to demonstrate that the real loss or risk to the Fund and the extent or gravity
of the irregularity was less than that assessed by the Commission services. The Court of Justice has
held that the burden of such proof is on the Member State.[1] The procedure and time limits are set
out in Article 18 of Regulation (EC) No XX/2002.
(k) Where the Commission bases its position on facts established and fully documented by auditors
other than those of its own services, it shall draw its own conclusions regarding their financial
consequences, after examining the measures taken by the Member State concerned under Article
12(1) and (2) of Regulation (EC) No 1164/94 and Article G(1) of Annex II thereto, the reports
supplied under Article 12 of Regulation (EC) No XX/2002 and Regulation (EC) No 1831/94, and
any replies from the Member State.
(l) In all cases of corrections by extrapolation or on a flat-rate basis, the proposed correction is
submitted to an ad hoc advisory panel, which will consider the arguments presented by the
Commission auditor for applying the correction and assess whether the level is appropriate.
[1] See judgment of ECJ of 21.1.1999 in Case C-54/95, Germany v. Commission, para. 35, referring also to
Netherlands v. Commission, Case C-48/93.
Criteria
As noted in para. 1(f) above, flat-rate corrections may be envisaged when the information
resulting from the enquiry does not permit the financial impact of an individual case or several
cases of irregularities to be evaluated precisely by statistical means, or by reference to other
verifiable data, but does lead to the conclusion that the Member State has failed to carry out
adequate verification of the eligibility of claims paid.
Flat-rate corrections should be considered when the Commission finds a failure to adequately
effect any control which is explicitly required by a regulation, or implicitly required in order to
respect an explicit rule, and whose absence could lead to systemic irregularity. They should also
be considered where the Commission finds serious deficiencies in management and control
systems resulting in breaches of applicable rules and regulations on a wide scale or detects
individual breaches. In determining whether a flat-rate financial correction should result and, if so,
at what rate, the general consideration shall be the assessment of the degree of risk of loss to which
Community funds were exposed as a consequence of the control deficiency. Thus the correction
should be in compliance with the principle of proportionality. The specific elements to be taken into
account should include the following:
(1) whether the irregularity is related to an individual case, multiple cases or all cases;
(2) whether the deficiency relates to the effectiveness of the management and control system
generally, or to the effectiveness of a particular element of the system, i.e. the operation of
particular functions necessary to ensure the legality, regularity and eligibility of expenditure
declared for cofinancing from the Fund under the applicable national and EU rules (see
section 2.2. below);
(3) the importance of the deficiency within the totality of the administrative, physical and other
controls foreseen;
(4) the vulnerability to fraud of the measures, having regard particularly to the economic
incentive.
2.2. Classification of elements of management and control systems for the purpose of applying flat
rates of financial corrections for system deficiencies or individual breaches
Management and control systems for the Cohesion Fund consist of various elements or functions
of greater or lesser importance for ensuring the legality, regularity and eligibility of expenditure
declared for cofinancing. For the purpose of assessing flat rate corrections for deficiencies in such
systems or individual cases of irregularity, it is useful to classify the functions of management
and control systems into key and ancillary elements.
Key elements are those designed and essential to ensure the legality and regularity and indeed the
substance of operations supported by the Fund, ancillary elements those that contribute to the
quality of a management and control system and help ensure that the system keeps performing well
in relation to its key functions.
The list below contains the majority of elements of good management and control systems and
good audit practice. The seriousness of deficiencies and individual breaches varies considerably,
and cases will therefore be assessed by the advisory panel having regard, in particular, to section
2.4 below.
2.2.1
3. Sufficient quantity and quality of sample checks on projects and adequate follow-up
a) carrying out sample checks on at least 15% of total eligible expenditure in
accordance with Article 9 of Regulation 1386/2002, supported by a report
on the work done by the auditor;
b) the sample is representative and the risk analysis adequate;
c) adequate separation of functions vis-à-vis bodies involved in the
implementation of projects to ensure independence;
d) follow-up to checks, ensuring
Ancillary elements
reasonably be concluded that there was a high risk of widespread loss to the Fund. This rate of
correction is also appropriate for individual irregularities of moderate seriousness in relation to
key elements of the system.
5% correction
When all the key elements of the system function in the cases concerned, but not with the
consistency, frequency, or depth required by the regulations, then a correction of 5% is justified,
as it can reasonably be concluded that they do not provide a sufficient level of assurance of the
regularity of claims, and that the risk to the Fund was significant. A 5% correction can also be
appropriate for less serious irregularities in individual transactions in relation to key elements.
The fact that the way in which a system operates is perfectible is not in itself sufficient grounds
for a financial correction. There must be a serious deficiency of compliance with explicit
Community rules or standards of good practice and the deficiency must expose the Cohesion
Fund to a real risk of loss or irregularity.
2% correction
When performance in the cases concerned is adequate in relation to the key elements of the
system, but there is a complete failure to operate one or more ancillary elements, a correction of
2% is justified in view of the lower risk of loss to the Fund and the lesser seriousness of the
infringement.
A 2% correction will be increased to 5% if the same deficiency is established in relation to
expenditure after the date of the first correction imposed and the Member State has failed to
take adequate corrective measures for the part of the system at fault after the first correction.
A correction of 2% is also justified where the Commission has informed the Member State,
without imposing any correction, of the need to make improvements to ancillary elements of
the system that are in place but do not operate satisfactorily, but the Member State has not taken
the necessary action.
Corrections are only imposed for deficiencies in ancillary elements of management and control
systems where no deficiencies have been identified in key elements. If there are deficiencies in
relation to ancillary elements as well as in key elements, corrections are only made at the rate
applicable to the key elements.
2.4 Borderline cases
Where the correction resulting from a strict application of these guidelines would be clearly
disproportionate, a lower rate of correction may be proposed. The advisory panel referred to in
para. 1(l) will give careful consideration to the proportionality of corrections.
For example, where the deficiencies arose from difficulties in the interpretation of Community
rules or requirements (except in cases where it should reasonably be expected that the Member
State raise such difficulties with the Commission), and the national authorities took effective
steps to remedy the deficiencies as soon as they were brought to light, this mitigating factor
may be taken into account and a lower rate or no correction may be proposed. Similarly, due
regard should be paid to claims of legal security when the deficiencies were not reported
following earlier audits by the Commission's services.
In general, the fact that deficient management or control systems were improved immediately
after the deficiencies were reported to the Member State is not considered as a mitigating factor
when assessing the financial impact of the systemic irregularities before the improvement was
made.
2.5 Basis of assessment
Whenever similar cases have arisen in other Member States, there should be a comparison
between them to ensure equal treatment in the assessment of the rates of correction. This is a
prime objective of the advisory panel.
The rate of correction should be applied to that part of the expenditure placed at risk. When the
deficiency results from a failure by the authorities concerned to adopt an appropriate control
system, then the correction should be applied to the entire expenditure for which that control
system was required. The correction should normally concern the expenditure over the period
being examined, for example one financial year. However, when the irregularity results from
systemic deficiencies, which are evidently long-standing and affecting several years'
expenditure, then the correction should concern all the expenditure declared by the Member
State while the system deficiency obtained until the month in which it was remedied.
When several deficiencies are found in the same system, the flat rates of correction are not cumulated,
the most serious deficiency being taken as an indication of the risks presented by the control system as
a whole. They are applied to the expenditure remaining after deduction of the amounts refused for
individual files. In the case of the Member State's non-application of sanctions prescribed by national
law, the financial correction should be the amount of the sanctions not applied, together with 2% of the
remaining claims, as the non-application of sanctions increases the risk that irregular claims will be
submitted.
Independence of auditors
CR 1386/2002 also stipulates that, to avoid potential conflicts of interest, the controls should be carried
out by a body or person independent of the managing and implementing body or the body responsible
for the implementation of payments procedures.
Even spread over the period
For the Cohesion Fund, the period over which expenditure can be declared and over which therefore
audit work has to be spread can last until 2010 or even beyond (at least for those Member States
remaining eligible for funding until 2006), and therefore requires longer-term planning.
It is recommended that Member States plan their work in such a way as to cover 15% or more of
expenditure declared in each year of the period. In formulating annual audit plans it will be advisable,
in order to ensure the efficient use of audit resources, to obtain expenditure profiles for each project
from each implementing authority annually showing the expenditure declared to date and the
anticipated expenditure profile for each subsequent year. Plans should be updated annually to take
account of changes in actual and anticipated expenditure.
Coverage
In the Cohesion Fund, it is necessary to ensure coverage of each of the main types of projects, i.e.,
roads, railways, ports, waste water, water supply, etc. and the main implementing bodies (national,
regional and local administrations responsible for the projects).
Given the smaller number of mainly large projects, to ensure that the sample within the limits of the
overall 15% coverage is representative, sample checks should not focus only on a few projects which
will be subject to 100% tests of transactions but should check smaller tranches of expenditure from a
larger number of projects. The latter approach would better respect the requirements set out in the
regulation. Projects can be audited more than once, thus ensuring both adequate coverage over the
lifetime of the project and where problems are detected at an early stage allowing timely corrective
action to be taken.
For the Cohesion Fund, the above principles hold true but in addition extremely close attention
should be paid to compliance with the conditions of the decision on the project and
achievement of its objectives (see in particular, Article 10(b) of Regulation 1386/2002 in
conjunction with Article 2(1), second subparagraph, and Article 4(1), first subparagraph) and to
compliance with public procurement and environmental legislation. It is advisable to review
procurement procedures in respect of the award of the main contracts on the first occasion a
given project is audited, especially where the project shows a significantly higher expenditure
profile in later years and little expenditure in earlier years. Both the principal construction
contracts and the principal supply of services contracts (e.g., supply of raw materials and
equipment for projects and services such as engineers and other consultants) should be
covered.
Apparent systemic problems within a given implementing body or region or throughout the
Member State must be investigated in depth.
Reports and working papers kept in the audit file should together provide detailed information about the
work done, the methodology, and if a sampling method is applied they should describe it. They should
include, where practicable, a list of the documents checked and also show the value of the expenditure
audited and that of the expenditure in which errors or irregularities have been found.
Reports can be short, detailing only findings, conclusions and recommendations. The report may be part
of the same document as the checklist or a separate document to which the checklist is attached.
Reports should be delivered promptly and be clear in their findings, conclusions and recommendations.
Expenditure checked but found to be irregular during the audit can still be counted towards the 15%
requirement, but if the level of the irregular expenditure is significant, the percentage of expenditure
checked should normally be increased. Double counting must be avoided (for example, counting twice
the earlier expenditure on an operation which has been audited at an interim stage and on completion).
Follow-up of findings
The findings of audits should be systematically followed up and concluded with errors corrected and
unclear issues resolved. For the follow-up of findings, reports should be passed on to the managing
units for prompt action.
Though the allocation of responsibilities may vary, some body should be in charge of monitoring
follow-up and signing off the file once the necessary action has been taken at the instigation of the
managing unit. In some systems it is the audit body that is responsible for this monitoring.
Remedial measures must be taken to correct systemic deficiencies. Article 11 of Regulation 1386/2002
provides: "The checks shall establish whether any problems encountered are of a systemic character,
entailing a risk for other or all projects carried out by the same implementing body or in the Member
State concerned. They shall also identify the causes of such situations, any further examination which
may be required and the necessary corrective and preventive action."
Irregularities must be reported pursuant to Regulation 1831/94 for the Cohesion Fund.
APPENDIX 13: LIST OF ABBREVIATIONS
AFCOS
BSC
BSO
CAATs
CR
EC
ECA
EEC
GOSP
IB
IS
ISPA
IT
MA
MESP
MoT
NF
OJ
OLAF
PA
PIFC
Q.A.
SAI
TPS