Manual Audit Financiar Slovenia - 2004 - EN

BUDGET SUPERVISION OFFICE
OF THE REPUBLIC OF SLOVENIA
COHESION FUND MANUAL

FOR THE
EXECUTION OF THE FINANCIAL CONTROL
Document No.: 011-14/2004/1
(E-version: CF Audit Manual Ver 1_0.pdf)
JULY 2004
Approved by the director of Budget Supervision office of the RS
Budget Supervision Office of RS

Cohesion Fund Manual
Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 3 of 145
Table of Contents
1 PURPOSE AND STRUCTURE OF MANUAL.............................................................
2 BACKGROUND AND REGULARITY FRAMEWORK..............................................
3 MANAGEMENT FRAMEWORK.................................................................................10
4 AUDIT RESPONSIBILITIES OF THE BUDGET SUPERVISION OFFICE (BSO)
AND RELATIONSHIPS WITH OTHER AUDITORS.............................................13
Commission services.................................................................................................15
Co-operation between the BSO and the Commission services..................................16
Audit Strategy for DG REGIO..................................................................................16
5 MONITORING AND REPORTING FRAMEWORK..................................................18
6 AUDIT APPROACH AND TECHNIQUES...................................................................20
Stages of the Audit.....................................................................................................21
Quality Control and Assurance..................................................................................22
7 AUDIT PLANNING......................................................................................................25
The Aims of Audit Planning......................................................................................25
The Planning Process for the BSO............................................................................25
8 RISK ASSESSMENT....................................................................................................28
The Process for the BSO: What the BSO is auditing.................................................28
Risk Identification......................................................................................................28
Assessing Risk Importance........................................................................................31
9 AUDIT APPROACH TO COHESION FUND INCOME AND EXPENDITURE........35
Setting Audit Objectives............................................................................................38
Audit Programmes.....................................................................................................40
10 AUDIT EVIDENCE.....................................................................................................42
Concept of Audit Evidence........................................................................................42
Procedures for Obtaining Audit Evidence.................................................................43
11 DOCUMENTATION AND FILING.............................................................................44
The Benefits of Effective Documentation.................................................................44
Content of Working Papers........................................................................................44
Current and Permanent Files......................................................................................45
Confidentiality of Audit Information.........................................................................46
Retention of Audit Documentation............................................................................46
12 AUDIT REPORTING..................................................................................................47
Contents of the Audit Report.....................................................................................47
Reports to the EC.......................................................................................................49

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 4 of 145
Evaluation of Errors...................................................................................................49
Follow-Up Audits......................................................................................................50
Sys-audit....................................................................................................................51
13 IRREGULARITY, FRAUD AND CORRUPTION......................................................52
APPENDIX 1: INFORMATION SYSTEMS AUDIT GUIDELINE................................57
ANNEX 1:.................................................................................................................64
ANNEX 2..................................................................................................................68
ANNEX 3..................................................................................................................75
APPENDIX 2: AUDIT OF INTERNAL CONTROL........................................................77
APPENDIX 3: GUIDANCE FOR PERFORMANCE OF 15 PER CENT CHECKS......79
APPENDIX 4: OBJECTIVES OF SUBSTANTIVE TESTS............................................89
APPENDIX 5: SUGGESTED LIST OF KEY QUESTIONS TO EXAMINE THE
MANAGEMENT CONTROL SYSTEMS................................................................91
APPENDIX 6: SUGGESTED LIST OF KEY QUESTIONS FOR ON THE SPOT
CONTROL OF A COHESION FUND PROJECT..................................................105
APPENDIX 7: PREPARATORY WORK / GATHERING OF AUDIT INFORMATION
..................................................................................................................................115
APPENDIX 8: PROCUREMENT DIRECTIVES..........................................................119
APPENDIX 9: PUBLICITY REQUIREMENTS...........................................................121
APPENDIX 10: MODEL REPORT PURSUANT TO ARTICLE 12 OF REGULATION
1386/2002................................................................................................................122
APPENDIX 11:GUIDELINES ON THE PRINCIPLES, CRITERIA AND
INDICATIVE SCALES TO BE APPLIED BY COMMISSION DEPARTMENTS
IN DETERMINING FINANCIAL CORRECTIONS UNDER ARTICLE H(2) OF
ANNEX II TO REGULATION (EC) NO 1164/94 ESTABLISHING A
COHESION FUND.................................................................................................125
APPENDIX 12: GUIDANCE ON 15% SAMPLE CHECKS BY MEMBER STATES
.................................................................................................................................132
APPENDIX 13:
LIST OF ABBREVIATIONS..........................................................135

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 5 of 145
1 PURPOSE AND STRUCTURE OF MANUAL

1.1 This Manual details the management and controls structure in Slovenia in respect of the
Cohesion Fund. The Manual also details the general procedures and approach to be adopted by the
Budget Supervision Office of the Ministry of Finance (hereinafter: BSO), in line with their
responsibilities for the audit of the Cohesion Fund. This covers the procedures, methods and techniques
that staff of the BSO should use for the effective review of the management and control of the Fund;
whilst the Appendices provide further information and specific guidance on the audit approach to be
adopted.
1.2 The audit role of BSO is defined throughout this manual as that of a certifying body comparable
to the work of an external auditor. Reference has been made in this manual to International Auditing
Standards.
1.3 These guidelines are developed from the principles and rules set out in the regulations of the
European Commission (EC) governing Cohesion Fund and are mandatory for all staff of BSO. The
manual is structured as follows:
Chapter 2 Background and Regulatory Framework - details the aims and objectives of
the Cohesion Fund and sets out the legislative framework.
Chapter 3 - Management Framework explains the roles and responsibilities of key
organisations in the management and control process and the accounting and financial
reporting system.
Chapter 4 - Audit Responsibilities of BSO and Relationships with Other Auditors defines the role of the BSO and the relationship with both Internal Audit and the Slovenian
Court of Audit, the Supreme Audit Institution (SAI); and with auditors of the Commission and
the European Court of Audit (ECA)..
Chapter 5 - Monitoring and Reporting Framework - discusses the methodology for
reporting during Project Implementation, the Monitoring arrangements; and the Ex-Post
Evaluation criteria.
Chapter 6 Audit Approach and Techniques - describes the general approach to auditing the
Cohesion Fund; the BSO audit process; and Quality Control and Assurance.
Chapter 7 - Audit Planning - provides guidance on the approach to planning coverage across
the audit area including long term strategic and also annual planning.
Chapter 8 - Risk Assessment - looks at the risk factors to be considered when devising the
audit approach, as part of the overall planning strategy.
Chapter 9 - Audit Approach to Cohesion Fund Income and Expenditure- discusses the
understanding of the business; the audit trail; audit objectives and test programmes.
Chapter 10 - Audit Evidence - describes the overall concepts and the sources methods and
nature of audit evidence.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 6 of 145
Chapter 11 - Documentation and Filing - outlines the key principles of effective audit
documentation; the contents of Working Papers; Current and Permanent Files; Confidentiality
of Information; and Retention of Documentation.
Chapter 12 Audit Reporting - covers the content of a standard audit report; reports required
by the EC; and follow-up audits.
Chapter 13 Irregularity, Fraud and Corruption - covers the respective responsibilities of
audited bodies, management and the auditor; the procedures where fraud or other irregularities
are suspected; and the arrangements in Slovenia.
Appendixes from 1 to 12 - the specific items are described in more detail on the audit
procedures for information systems (computer) audit, audit of internal controls, guidance for
performance of sample checks, gathering audit information ( preparatory work), audit tests for
the management and control systems at the programme and audit tests on final beneficiary
level, gathering audit information, than about procurement and publicity issues. In appendix 10
there is a model report to the commission and in next appendixes guidance on financial
corrections and sample checks. The annexes follow some appendixes.
Appendix 13 lists the abbreviations used in the manual.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 7 of 145
2 BACKGROUND AND REGULARITY FRAMEWORK

Objectives of the Cohesion Fund
2.1 The Cohesion Fund was established in 1994 in addition to the other Community development
instruments, to provide assistance in the fields of the environment and transport infrastructure of
common interest with a view to promoting economic and social cohesion and solidarity between
Member States. The Cohesion Fund provides support through the balanced financing of projects and
also contributes to preliminary studies relating to such projects and their implementation, as well as
technical support measures such as comparative studies, impact studies, monitoring, and since entry
into force of Regulation (EC) No 1264/1999, publicity and information campaigns.
2.2 All projects financed must be compatible with the Treaties and instruments adopted under them and
with Community policies, especially those concerned with the protection of the environment, transport,
trans-European networks, competition and the award of contracts.
European Union Legislation - The Act

2.3 Council Regulation (CR) (EC) No 1164/94 of 16 May 1994 established the Cohesion Fund. It was
amended by the following CRs which came into effect on 1 January 2000:
Council Regulation (EC) No 1264/1999 of 21 June 1999, amending Regulation 1164/94; and
Council Regulation (EC) No 1265/1999 of 21 June 1999, amending Article G of Annex II to Regulation
1164/94
CR 1265/99 made significant changes to the use of Cohesion Fund, including:
Clarification of the definitions of "project", "project stages" and groups of projects;
Additional guidance on "ex-ante" evaluations of projects;
Commitments to be made at the start of each financial year;
A single payment, in advance, of up to 20% of the assistance to the Fund; followed by subsequent
payments to refund expenditure certified and paid; all transactions to be carried out in Euros; and
finally
Various measures to penalize failure to complete projects, including cancellation of the assistance
granted.
2.4 There were two Commission regulations issued for implementation of provisions for Cohesion
Fund:
Commission Regulation (EC) No 16/2003 of 6 January 2003 laying down special detailed rules for
implementing Council Regulation (EC) No 1164/94 as regards eligibility of expenditure in the context
of measures part-financed by the Cohesion Fund, and
Commission Regulation (EC) No 621/2004 of 1 April 2004 laying down rules for implementing
Council Regulation (EC) No 1164/94 as regards information and publicity measures concerning the
activities of the Cohesion Fund.
2.5 The Regulations lay down a minimum project value of 10 million Euros, which is aimed at ensuring
that projects will have a significant impact on the infrastructure within Member States. Commission
Regulation 1386/2002 laid down detailed rules for the implementation of CR 1164/94, as regards the
management and control systems for assistance granted from the Cohesion Fund and the procedures for
making financial corrections for projects first approved after 1 January 2000.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 8 of 145
Eligibility
2.6 Eligibility is restricted to Member States whose per capita gross national product (GNP) is less than
90% of the Community average and which have a programme designed to achieve the conditions of
economic convergence as set out in Article 104 of the Treaty establishing the European Community. If
the GNP rises above the 90% threshold it may no longer receive funding for new projects or new
project stages.
Commission Regulation (EC) No 16/2003 of 6 January 2003 lays down special detailed rules for
implementing Council Regulation (EC) No 1164/94 as regards eligibility of expenditure in the context
of measures part-financed by the Cohesion Fund.
Commission Regulation (EC) No 1831/94 of 26 July 1994 concerning irregularities and the recovery of
sums wrongly paid in connection with the financing of the Cohesion Fund and the organization of an
information system in this field.
Commission Regulation (EC) No 621/2004 of 1 April 2004 lays down rules for implementing Council
Regulation (EC) No 1164/94 as regards information and publicity measures concerning the activities of
the Cohesion Fund.
Project Application and Approval
2.7 Applications for assistance from Member States to the Commission must contain the information
specified in the Regulation, that is: the body responsible for implementing the project, project
description, cost, location, investment timetable, assessment of the impact on employment and the
environment, and information on public contracts.
2.8 The Commission will normally decide whether or not to approve a project within three months
of the application and publish the decision in the Official Journal of the European Union.
Financial Control and Provisions
2.9 CR 1264/1999 states that the financial control of projects is primarily the responsibility of
Member States. They must check that projects are managed correctly, prevent and detect irregularities
and recover any amounts lost as a result. They must provide the Commission with details of the
methods they take and of the internal management and audit arrangements that they establish. In turn,
the Commission may carry out on the spot checks, in accordance with Annex II to the Regulation, and
may ask Member States to verify the correctness of transactions.
2.10 The Cohesion Fund routinely contributes between 80% and 85% of public or equivalent project
expenditure. (Since 1 January 2000 it has been possible to reduce this rate to take account of any
revenue generated by the project and any application of the "polluter pays" principle). The full cost of
preliminary studies and technical support measures may be financed up to 0.5% of the total resources of
the Fund. To qualify for re-imbursement, all expenditure must have been incurred after the date the
Commission receives the project application. Payments made after the initial advance must be linked to
implementation of the project and no item of expenditure may receive assistance from both the
Cohesion and Structural Funds at the same time. Finally, assistance from the Cohesion Fund, the
Structural Funds and other Community aid may not exceed 90% of the total project expenditure.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 9 of 145
Appraisal, Monitoring and Evaluation

2.11 Before project approval, the Commission and the Member State must make an appraisal to assess
whether it complies with the Regulations. During implementation they must make any necessary
adjustments and after completion they must evaluate to what extent the original project objectives were
achieved.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 10 of 145
3 MANAGEMENT FRAMEWORK
Regulatory Requirements
3.1 The regulatory framework for the management and control systems of the Member States must
comply with Commission Regulation 1386/2002 (in particular Article 2) and CR 1164/94 (in particular
Article 12, and Article G of Annex II). CR 1386/2002 requires that Member States must comply with:
Article 2 - verify that management and control arrangements have been set up and are being
implemented in such a way as to ensure that Community funds are being used efficiently and correctly
Article 5 - provide the Commission with a description of these arrangements.
Article 7 - prevent and detect irregularities, notify these to the Commission in accordance with the
rules, and keep the Commission informed of the progress of administrative and legal proceedings.
Information exchanged should be kept confidential
Article 8 - certify that the declarations of the expenditure presented to the Commission are accurate
and guarantee that they result from accounting systems based on verifiable supporting documents. The
certification of expenditure shall be drawn up by a person or department within the paying authority
which is functionally independent of any services that approve the claims.
Articles 9 and 10 - organise checks on projects on an appropriate sampling basis, to ensure that
projects are managed in accordance with all the applicable Community rules and that the funds placed
at their disposal are used in accordance with the principles of sound financial management. The checks
carried out shall cover at least 15% of eligible expenditure on projects first approved after 1 January
2000. The selection of the sample of transactions to be checked is dealt with in detail in Appendix 3.
Articles 13, 14 and 15 - present to the Commission, when each project is wound up, a declaration
drawn up by a person or department independent of the designated authority. This declaration shall, be
based on an examination of the management and control system, summarise the conclusions of the
checks carried out during previous years and shall assess the validity of the application for payment of
the final balance and the legality and regularity of the expenditure covered by the final certificate. The
person or department issuing the declaration shall make all necessary enquiries to obtain reasonable
assurance that the certified statement of expenditure is correct, that the underlying transactions are legal
and regular and that the project has been carried out in accordance with the terms of the granting
Decision and the objectives assigned to the project.
co-operate with the Commission to ensure that Community funds are used in accordance with the
principles of sound financial management
Article 20.4 - recover any amounts lost as a result of an irregularity detected and where appropriate
charge interest on late payments.
Management Framework
3.2 The Decree of the Government of Slovenia (implementing Decree) based on the Execution of the
State Budget Act, will define in detail the programming and implementing, arrangements between the

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 11 of 145
bodies detailed below in respect of the Cohesion Fund, including financial management and control.
The authorities and bodies responsible for the implementation of the Cohesion Fund are as follows.
Government Office for Structural Policies and Regional Development (GOSP)

The GOSP act as the Managing Authority (MA), with overall responsibility for the general
management of the Fund, in terms of programming implementation, monitoring and evaluation,
financial management and control and information and publicity. The GOSP provide guidance to
Intermediate bodies, by way of the production of a Cohesion Fund Manual, and set up, operate and
maintain a single computer based system for management of the Fund.
Ministries of Environment, Spatial Planning and Energy (MESP) and Transport (MoT)
These two Ministries will act as the Intermediate Bodies, under the overall responsibility of the MA.
They will have responsibility for the preparation and implementation of strategic programmes and
action plans, and for monitoring and reporting on the progress of funded projects. The Intermediate
Bodies will also be responsible for:
Reviewing the tendering documentation submitted by Implementing Bodies;
Checking and assessing the project applications and submitting them to the MA;
Implementation of projects in accordance with signed contracts;
Checking and verifying claims for payment;
Monitoring and reporting to the MA;
Reporting to the Commission on the implementation of EU funded projects;
Co-ordination and assistance to Municipalities in preparing project applications.
Municipalities and Transport Sectors

The Municipalities will act as the Implementing Body (Final Beneficiary) within the environment
sector; whilst for Transport that responsibility will rest with the Public Agency for Rail Transport and
the Motorway Company of the Republic of Slovenia (DARS). The Implementing Bodies will be
responsible for:
Preparation of project proposals;
Tendering and contracting;
Supervising contract implementation;
Providing relevant information to the Intermediate Body;
Guaranteeing the project publicity.
Ministry of Finance - National Fund (NF)

The Ministry of Finance (NF) will act as the Paying Authority (PA), with responsibility for the overall
financial management of the Fund; and is authorized to issue certificates of expenditure under Article
12 of CR 1164/94 and Article 8 of CR 1386/2002.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 12 of 145
Budget Supervision Office (BSO)

The BSO, which is part of the Ministry of Finance, will act as the Independent Financial Control
Body; a separate function that is totally independent of that of the MA, IB and PA. The responsibilities
of BSO as the certifying body for Cohesion and ISPA Funds are the same for both funds. Also, many of
the audit approach and methodologies defined in this manual in respect of the Cohesion Fund are
equally appropriate to ISPA funded projects. Users of the manual should therefore be confident that, in
following the processes defined in the following chapters, the certification requirements of the EC are
met.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 13 of 145
4 AUDIT RESPONSIBILITIES OF THE BUDGET

SUPERVISION OFFICE (BSO) AND RELATIONSHIPS
WITH OTHER AUDITORS
4.1 The BSO is an independent office within the Ministry of Finance charged with the central
coordination role for public internal financial control (PIFC system) and independent control of all EU
funds and AFCOS function. The BSO reports directly to the Minister and to the State Secretary. From 1
January 2004, following a Slovenian governmental decree, the BSO has taken on an enhanced status
and will increase its independence as an Office within the Ministry of Finance.
4.2
Tasks of the BSO:
coordination and harmonization of financial management and control and internal audit of
budget users and assessing the overall performance of PIFC System (BSO-Sector PIFC);
acting as the anti-fraud coordinating service (AFCOS) for OLAF and communicating on
irregularities to EC/OLAF (BSO-Sector PIFC);
independent financial control of all EU funds (BSO-Sector for Audit and Certification).
4.3 By law, the main functions of the BSO in terms of Public Internal Financial Control (PIFC), are
as follows:
Issue guidelines to aim to harmonise the functionality of the system of Public Internal Financial
Control (PIFC);
Issue guidelines and methodology for internal controls and internal audit at budget direct and
independent spending centres;
Issue rules and conditions for the nomination and dismissal of internal auditors and check their
implementation;
Check the implementation of guidelines, methodology and standards for internal control and
internal audit and reports to the government thereon;
Follow up and analyses the findings and recommendations of internal audit services for the
improvement of financial management and internal controls and reports its findings to the
Government and to the Court of Audit;
Cohesion Fund
4.4 Regarding the independent financial control of the Cohesion Fund the main tasks and
responsibilities are:
to perform sample checks of at least 15% of the Cohesion Fund expenditure in order to verify:
the practical application and effectiveness of the management and control systems; the
execution of the measure in accordance with the terms of the Regulations granting the
assistance and the objectives assigned to the measure; for an adequate number of accounting
records, the correspondence of those records with supporting documents held by the
implementing agencies, delegated bodies and final beneficiaries; the presence of a sufficient
audit trail; for an adequate number of expenditure items, that the nature and timing of the
relevant expenditure comply with Community provisions and correspond to the approved
specifications of the measure and the works actually executed; that the appropriate national co-

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 14 of 145
financing has in fact been made available; and that the co-financed measures have been
implemented in accordance with Community rules and policies.
to establish whether any problems encountered are of a systemic character, entailing a risk for
other operations carried out by the same Implementing Body; to recommend improvements and
corrective actions, identify the causes of such situations and carry out any further examinations
which may be necessary;
to provide information by 30 June each year, of their application of provisions for sample
checks in the previous calendar year and in addition provide opinion on effectiveness of
management and control systems;
to issue declarations at winding-up of Cohesion Fund projects;
in order to issue declarations at winding-up of the projects BSO conducts examinations

according to internationally accepted auditing standards upon the receipt of all information
required and upon given access to the records and supporting evidence necessary for drawing
up the declaration by the responsible authorities;
4.5 The BSO, as Independent Financial Control Body, is responsible for the independent auditing of
Cohesion Fund; for certifying annual reports; for co-ordinating internal auditing at BSCs; and for
carrying out additional auditing for the projects co-financed by the EU in compliance with international
agreements.
Organisation of the BSO

4.6 In order to carry out these responsibilities, the BSO is organised into four teams in support of
Senior Management. These are:
Budgetary Inspection Sector - carries out inspection functions for the Ministry of Finance at all BSCs
that use the Central State Budget. In the future it is envisaged that this team will work in co-operation
with the European Anti-Fraud Office - OLAF.
Sector for Public Internal Financial Control - is responsible for carrying out the Central
Harmonisation function of the PIFC.
Audit and Certification Sector - has broad responsibilities covering the audit of the Cohesion Fund.
These include:
Carrying out independent audits of the Implementing Bodies and assessing their capacity and
competency to effectively control EU funds and national co-financing;
Co-ordinating the operations of the internal audit services of the Implementing Bodies in
relation to the management and control of Cohesion Fund;
Carrying out audits of the Cohesion Fund Programme; and
The closure certification examination and report at the end of the Cohesion Fund projects.
4.7 The BSO is the organisation responsible for the independent control of EU Funds and therefore
acts in an external audit role in examining all aspects of the Cohesion Fund Programme .

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 15 of 145

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 16 of 145
Internal Audit Bodies

4.8 The responsibilities of the BSO and general liaison arrangements with internal Audit are outlined
above. In terms of the approach to be adopted for the audit of Cohesion Fund, the BSO will need to
regularly review the amount of reliance that they can place on the work of Internal Audit. In particular
they will need to liaise with:
the Internal Audit Service (IAS), within the Ministry of Finance; and
the Internal Audit units within the Ministries of Transport and Environment.
Slovenian Court of Audit

4.9 The Republic of Slovenia Court of Audit is the Supreme Audit Institution (SAI) and as such is the
highest body for the supervision of state accounts, the state budget and for all public spending in
Slovenia. The Court of Audit carries out its functions in compliance with the Court of Audit Act and in
accordance with the Slovenian Constitution. In terms of the audit of Cohesion Fund, the main aims of
the Court of Audit are to ensure that operations co-financed by Cohesion Fund have been properly
carried out, that the appropriate actions have been taken against any identified irregularities, and that
any amounts lost are recovered.
European Court of Audit
4.10 The European Court of Auditors primary tasks are to examine the accounts of all revenue and
expenditure of the European Communities; to examine whether all revenue and expenditure has been
received or incurred in a lawful and regular manner; and to examine whether financial management is
sound. The Court is an independent institution whose role is to assist the European Parliament and the
Council of the European Union in exercising their powers of control over the implementation of the
budget. Additionally, the Court may, at any time, submit observations on specific questions and deliver
opinions at the request of one of the European institutions.
4.11 As part of its audit work, the Court examines both systems and expenditure relating to the
Cohesion Fund, and its audits take place in the Commission services and on the spot in the Member
States. Its auditors have access to any document or information relating to the financial management of
the departments and other bodies subject to its examination, and may carry out audits of all bodies
receiving Community funds.
Commission services
4.12 The overall objectives of the audits carried out by the Commission services responsible for the
audit of the Cohesion Fund are to determine:
to what extent the Member States have put into place adequate management and control
systems, and to what extent these systems give a satisfactory assurance concerning the legality
and regularity of the underlying operations;
the accuracy of the expenditure declared to the Commission for co-financing;
the level of ineligible expenditure where the Member States management and control systems
control have been proven inadequate.
4.13 The unit responsible for the audit of the Cohesion Fund may be assisted by external audit firms to
carry out audits in Member States.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 17 of 145
Co-operation between the BSO and the Commission services

4.14 The Heads of BSO and the Commission audit services responsible for audit of the Cohesion Fund
ensure co-operation concerning audit of the Cohesion Fund. The Commission services and the BSO
conduct separate or joint audits of the management of control systems, as well as control of any project
or works co-financed by the Cohesion Fund. That methodology is in accordance with Commission
Regulation (EC) N 1386/2002 of 29 July 2002 and with Article 12, and article G of Annex II, of the
Cohesion Fund regulation. The Commission services and the BSO also exchange the results of their
audit findings and meet at least once a year to discuss results of the audits and audit strategy for the
next period
Other auditors (private)
4.15 In addition to the above levels of audit, individual project managers and financial beneficiaries
will have their own auditors. The function of these auditors is to carry out audits to verify the accuracy
of the accounts prepared by their clients, and as such, the auditors are likely to examine all types of
financial records, not solely those relating to the Cohesion Fund
Audit Strategy for DG REGIO

Formal obligations to audit the Fund
4.16 Materially all the operations financed by the Cohesion Fund are carried out under shared
management. Article 274 of the Treaty stipulates that the Commission shall implement the budget on its
own responsibility. The Member States co-operate with the Commission to ensure that appropriations
are used in accordance with the principles of sound financial management.
4.17 Article 159 of the new Financial Regulation provides that the requirements regarding the audit of
the Cohesion Fund are those laid down in the applicable Council regulations. These regulations
empower the Commission to carry out checks on the spot, but do not impose any precise obligations.
The only formal obligations are laid down in Council Regulation 1164/94 as amended, and in the
corresponding Commission Regulation 1386/2002. Article 12(2) of Regulation 1164/94 provides for the
Commission to ensure smooth running management and control systems, inter alia by undertaking onspot-checks for this purpose; and Article 5 of Regulation 1386/2002) to review the management and
control systems presented by the Member States. Under the latter provisions the Commission must
satisfy itself that these systems meet the standards required by the Council and Commission regulations,
and make known any obstacles which they present to the transparency of checks and to the
Commissions discharge of its responsibilities under Article 274 of the Treaty.
4.18 As regards operations carried out under shared or decentralised management, the charter of tasks
and responsibilities of the authorising officer by delegation requires him to:
determine to what extent the beneficiary countries have put into place appropriate
management and control systems, and to what extent these systems give a satisfactory
assurance concerning the regularity of the underlying operations in terms of the law applicable;
check the accuracy of the amounts concerned;
carry out financial corrections where the beneficiary countrys control procedures have proven
inadequate.
4.19 The Commission has made a commitment to the European Parliament in response to the Court of
Auditors finding of high levels of irregularity in declared expenditure: so far as resources permit, the
Commission intends to intensify its own control activity in the area of the Structural Funds, in order in

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 18 of 145
particular to verify the adequacy of the Member States systems and procedures. If these controls detect
systemic failures by the responsible authorities, then financial corrections will be applied, with a more
extensive use of extrapolation whenever appropriate.
Mission of the audit and control units of Directorate G
4.20 Audit units G3 is responsible for leading the work of DG Regional Policy and, as chef de file for
the Cohesion Fund, that of the other responsible Directorates General to ensure the satisfactory quality
of the national management and control systems in relation to operations carried out under shared or
decentralised management and for providing assurance that meets the requirements of the authorising
officer by delegation to this effect. They may also undertake ad-hoc enquiries into directly managed
expenditure at the request of the Director-General.
4.21 In collaboration with the other services of DG Regional Policy and with the other Directorates
General responsible for the Cohesion Fund, they contribute towards the establishment of the conditions
necessary for sound financial management in the beneficiary countries, in particular by proposing rules
and guidelines, by organising and animating working groups of beneficiary countries, and by
undertaking preventive and ex post audits of the implementation of new rules.
4.22 In collaboration with the audit units of the other responsible Directorates General, they promote
the development of effective arrangements for financial management, control and audit in the Member
States and closer co-ordination between the audit activities of Member States and the Commission, in
the framework particularly of the bilateral administrative agreements. They also encourage the adoption
of a uniform approach to audit and control within the Commission services. They ensure effective cooperation with the operational units to promote effective control of Community funds, in particular by
consulting them on the annual review of the audit strategy, and at all stages of the planning process for
audit enquiries so that the requirements of the operational services are taken into account. They also
consult them on all audit reports and letters to beneficiary countries, and issues of financial correction.
They undertake to collaborate with operational units in clarifying their respective control functions to
ensure maximum effectiveness in the use of resources. They may undertake ad-hoc audits requested by
operational units within the limits of the resources reserved for this contingency.
Audit Strategy - Cohesion Fund
Objective
4.23 For the period 2000-2006, reasonable assurance is required that the management and control
systems established by the Member States comply with the provisions of the Community regulations
and are functioning effectively. The audit objective is therefore to obtain such assurance, or, in the event
that deficiencies are identified in the Member States systems to recommend remedial action, to follow
up the implementation of such measures, and to propose financial corrections where Community funds
have been put at risk. In the case of projects for which specific irregularities are detected, the ineligible
expenditure should be excluded from Community financing and recovery action taken.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 19 of 145
5 MONITORING AND REPORTING FRAMEWORK

5.1 This chapter outlines the general monitoring and reporting framework relating to Cohesion Fund.
Monitoring is to be carried out jointly by the Republic of Slovenia and the Commission.
Reporting During Project Implementation
5.2 The Regulations specify that all public or private bodies involved in the management and
implementation of measures must maintain either a separate accounting system or an adequate
accounting codification for all Cohesion Fund transactions.
5.3 The Member State must institute a reporting system that provides regular, standardized outputs
for each measure financed by the Fund; this allows the Member State to monitor progress in the
implementation of the measure, to provide a basis for making payment claims to the Commission, and
to facilitate the verification of expenditure by Community and national control authorities.
5.4 During the installation of this system, particular attention should be given to the reporting
requirements linked to the intermediate and final payment claims, as set out in the Regulations. Such
claims can only be made based on payments certified and actually made by the body responsible for
implementation, supported by receipted invoices or accounting documents of equivalent probative
value. The system must provide a form for the declarations required from the responsible Ministry and
GOSP when submitting claims.
5.5 In addition, the financial reporting systems must cover all eligible costs of a measure (project,
stage of project or group of projects) for which assistance has been granted; this includes all measures
identified in the Regulations together with all contracts needed for implementation, regardless of the
source of financing. The monitoring indicators identified in the application forms, or subsequently
agreed between the Commission and the Member State will form the basis for the regular monitoring of
the technical progress of projects. These indicators should also be used in the reports required when
making payment claims, and in possible ad hoc technical reports requested on a case by case basis by
the Commission.
Flow of Funds
5.6
With particular respect to the flow of funds within the system, the following reports are expected:
Global cash flows these reports outline the forecasted expenditures related to the entire
project for the coming year, justify the commitment to these projects and indicate the progress
of each project. These reports can be incorporated into the annual progress report.
Payment flows these consist of four components: first advance payments, second advance
payments, intermediate payments and final/balance payments.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 20 of 145
Ex-post Evaluation of Cohesion Fund Projects

5.7 Ex-post evaluation will consist of detailed assessment of the results and impacts of a
project/group of projects; this will include both positive achievements and failures, and will attempt to
identify the causes for both. The main objective of this evaluation will be the elaboration of a report for
the benefit of the European taxpayers on the use made of their money, but also to assimilate the
knowledge gained through the projects, with the goal of strengthening the design and implementation of
future projects. Therefore, baseline data should be made available to allow for the quantification of
results and impact indicators.
5.8 An ex-post evaluation programme will be implemented by the Commission services for all
Cohesion funded activities. The consolidated evaluation methodologies available at the Commission,
particularly in the area of Structural/Cohesion Funds operations, will be made available for all
interested parties. The time frame for the performance of these evaluations will vary according to the
sector concerned (a longer time frame might be necessary for evaluating environmental projects), and to
the nature of the projects.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 21 of 145
6 AUDIT APPROACH AND TECHNIQUES

6.1 The overall objective of the audit of Cohesion Fund is to seek assurance that the operations being
financed by the European Commission are being properly carried out in accordance with the relevant
regulations and guidance from the Commission, i.e. that the expenditure is free from material errors
and irregularities.
6.2 To achieve that overall objective the BSO will need to ensure that each year the planned audit
approach includes the following key elements, which are closely linked to the terms and conditions of
the Regulations and to the annual reporting requirements to the European Commission (see Section 12):
A review of the management control system, to confirm what controls are in place; and an
examination to determine whether or not the controls are operating effectively in practice;
A programme for examining annual expenditure that covers at least 15% of the total
eligible expenditure, and is representative of the different areas of activity and type and
size of project. Appendix 3 comments on the methodology for selecting the 15%
sample: whilst Appendix 12 details the Commission guidance on carrying out the work;
Arrangements for the annual reporting, both within Slovenia and to the European
Commission;
A constant risk assessment process that re-appraises potential areas of risk in line with
developments in funding received or the approval of new projects; and finally
A programme to examine all projects that close within the year, and guidance as to how to
effectively carry out the function of issuing a declaration on the winding-up of measures, which
will include obtaining assurances on the controls that applied over the life of the project.
6.3 The audit should therefore determine whether systems are operating effectively to prevent errors
and irregularities, and that, where errors and irregularities do occur, the systems are effective in
detecting and correcting them. Essentially, Slovenian Government management and control systems
should ensure at the appropriate levels that final beneficiaries and actions are eligible when selected to
receive support, that they remain eligible for the duration of the action, that objectives are being
achieved, and that expenditure claimed is eligible and in accordance with the financial plan. Controls
should also ensure that claims made to the Commission are correct.
Independence and Objectivity

6.4 The BSO auditors are not responsible for the activities of the management of the institutions
concerned with a project or for the development and implementation of the control procedures. The
auditors may not be involved in design, development or management of such systems since it affects
their impartiality. However, the auditors may provide recommendations and advice on the necessary
controls within the system.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 22 of 145
Stages of the Audit

6.5 This Section outlines the audit process of the BSO that underpins the delivery of its objectives.
The audit process is shown in the following diagram.
BUDGET SUPERVISORY OFFICE AUDIT PROCES
DELIVERING OBJECTIVES
OF THE BSO
OF THE BSO
Audit planning
Review & Follow up
- Risk assessment Strategic/Long term plan

-Annual plan
- Review audit process (time, budget,

quality) Review & update Risk
assessment follow up
implementation of audit
recommendations
Audit Preparation
- Research & Information on
audited body - Confirm Risk
assessment - Identify
System & Controls - Decide
Audit Approach - Prepare
detailed audit programme
Audit reporting
Fieldwork/Gathering Evidence
- Draw conclusions Prepare draft

report Consult with audited Body
Review & editing Produce &
Approve Final report Produce
Action plan for implementing
recommendations
- Enquiries, observations,
interviews, inspection of documents
- Evaluate systems/controls - Test
transactions, documents, records
(sampling) Documents & record
audit results

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 23 of 145
6.6 Each element in the above audit process is regulated by a system of Quality Control. This system
is outlined in the following Section.
Quality Control and Assurance

6.7 All audit work undertaken by the BSO is subject to a process of quality control. The purpose of
quality control is to provide assurance that all audit work is undertaken to an appropriate and consistent
standard. This should be applied to each stage of the audit process (from audit planning through to audit
reporting and follow up). This can be supplemented by a periodical higher level quality assurance
review of the whole process with regard to particular projects.
6.8
Assuring the quality of audits carried out by the BSO is a two stage process:
At the first level, the BSO has adopted policies and procedures at each stage of the audit process
(from audit planning through to audit reporting and follow up) designed to ensure that audit tasks
are carried out to an acceptable level of quality.
At the second level, the BSO carries out higher level quality assurance (Q.A.) reviews of audit
tasks to establish that these policies and procedures are adhered to uniformly within the BSO.
First Level
Audit Briefing
6.9 Team leaders should brief their teams before audits start. They should make sure that all relevant
documentation and background material is assembled. The aim of the briefing should be to ensure that
audit objectives are understood by the team and particularly by auditors responsible for individual tasks.
The audit objectives may include giving particular emphasis to certain types of risk such as those
relating to fraud. The scope of the audit may be limited, for example where the emphasis is on the
testing of high risk systems which have already been reviewed and evaluated. The briefing should
include techniques, allocation of tasks, conduct, liaison with line management, reporting and
administrative arrangements. Details of the briefing should be recorded.
Supervision
6.10 Regular control of the assignment of staff is the responsibility of the team leader. Supervision
involves the monitoring of staff undertaking audit assignments, reviewing their work, developing their
skills and making sure that performance is in line with standards and work plans. More supervision is
called for where a trainee is being used or if an auditor has a low level of skills in, or experience of, the
type of assignment to which he or she has been allocated. The same principles apply when contractors
are used.
Progress control
6.11 The responsible audit manager or Head of BSO should periodically review performance and
progress. As part of this process regular meetings should be held with team leaders. Failure to exercise
control may result in objectives not being achieved or loss of direction and efficiency. The prime
responsibility for control over progress lies with the team leader who should be familiar with any
specific audit requirements and performance targets. The team leader should report on progress,
possibly on an exception basis. The findings arising during an audit may indicate a need for priorities
to be reassessed or for more work to be done. This should be discussed with the audit manager as soon
as possible so that, if warranted, appropriate action can be taken.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 24 of 145
6.12 Any changes to the planned time-table should be recorded; the use of a standard progress report
form may be considered for this purpose. The audit manager should consider the actual man days spent
on each audit against the plan and determine reasons for variances. The audit manager should consider
implications for future plans.
6.13 Audit managers should pay scheduled and unscheduled visits to see audit teams at work to assess
the way in which the audit is being carried-out and the expertise which is being applied. They should
note any training needs arising during the audit.
Review
6.14 All work should be continuously reviewed as an integral part of audit procedures. Review may
be partly achieved through supervision. Completed working papers should be inspected to ensure that
they meet laid down standards and are relevant to audit findings and conclusions. Review should
continue throughout an audit so that a more experienced auditor always appraises the work of another.
6.15 The extent of review will vary with the experience of staff and nature of the assignment but it
should be such that the Head of BSO, who may undertake a final review of the draft report, can be
satisfied that the conclusions are sound and are demonstrably supported by relevant, reliable and
sufficient audit evidence. There should also be evidence that all elements of the plan have been
satisfactorily achieved and that the audit file has been reviewed by the responsible manager. The result
of these reviews should be discussed with the auditors involved and any lessons learnt should be
applied across auditors work.
Review record
6.16 A summary record of reviews can help quality control and quality assurance. The record should
identify:
the audit stages and major documents reviewed;
the dates of reviews;
the results of the review; and
dates of the reviewers approval.
6.17 Separate columns should be provided for each reviewer. Space may be allocated to record
examinations made during internal or external peer reviews.
Appraisal
6.18 Each audit should be appraised on completion to assess its conduct and value. Audit management
should consider any need for additional guidance, implications for other audits, the effect on audit plans
and on the use of contractors. Solutions to any problems identified may involve staff training, better
planning, better contract management, the use of other techniques, different approach, change in
management style, etc. The views of line management may be helpful in assessing audit performance.
Internal review
6.19 In addition to routine reviews of audit assignments (see above) planned internal reviews should
be carried out by members of staff not involved in the original audit to appraise the quality of audit
work performed. Over time, the work of all teams should be subject to review. Any weaknesses
revealed should be discussed with the responsible auditors and more pervasive problems brought to the
attention of all auditors. Corrective action should be taken where necessary.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 25 of 145
Second Level
6.20 The following are the main elements of the quality assurance reviews carried out by the
management:
staff carrying out Q.A. reviews are suitably qualified and experienced (they may be either
employed full-time in quality assurance, or on short-term secondments from other parts of
BSO);
staff carrying out Q.A. reviews are independent of the audits being reviewed;
staff carrying out Q.A. reviews have the power to select audit tasks for review;
procedures are established for the selection of all audits to be reviewed, which will ensure an
appropriate coverage of all the activities of the BSO over a set period of time; all tasks of the
BSO must potentially be subject to review (the reviewer must have full knowledge of the
activities of the BSO);
procedures are established to determine the nature, extent, frequency and timing of the Q.A.
reviews;
procedures are established to resolve disagreements which may arise between Q.A. reviewers
and audit staff;
staff carrying out reviews have right of access to all relevant internal documents and to the staff
who prepared them or managed the task;
staff carrying out reviews normally have the duty to report and make recommendations in a
timely manner to the BSO' senior management, and senior management normally has the duty
to respond to these;
audit staff can request that a Q.A. review is carried out at any stage of an audit task;
publication of an Annual Report - (normally) made available to all audit staff.
6.21 In certain cases, and particularly when the BSO uses temporary secondments to carry out internal
quality assurance reviews, the BSO may decide to develop and use standard checklists of objectives that
the reviewer must achieve to ensure the consistency and completeness of the reviews carried out.
International Standard on Auditing

6.22 International Standard on Auditing 220 (Quality Control for Audit Work) gives guidance on
Quality Control procedures for an audit organisation.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 26 of 145
7 AUDIT PLANNING
The Aims of Audit Planning
7.1 The auditor should plan the audit work so that the audit will be performed in an effective manner.
This means developing a general strategy and a detailed approach for the expected nature, timing and
extent of the audit. Adequate planning of the audit work helps to ensure that appropriate attention is
devoted to important areas of the audit; that potential problems are identified; and that the work is
completed expeditiously. Planning also assists in proper assignment of work to assistants and in
coordination of work done by other auditors and experts. The plan also allows management to
supervise and control the audit work being performed.
7.2 Obtaining knowledge of the how the Cohesion Fund Programme is managed and of the
organisations involved is an essential element in identifying risks and planning an effective audit
approach: as detailed at Chapter 9. The auditor may wish to discuss elements of the overall audit plan
and certain audit procedures with the management and staff of audited bodies to improve the
effectiveness and efficiency of the audit and to coordinate audit procedures with work of the audited
bodies personnel. The overall audit plan and the audit program, however, remain the auditors
responsibility.
The Planning Process for the BSO

7.3
Two types of audit plan should be produced:
the strategic long term plan, stating how the BSO intends to audit Cohesion Fund over the
programme lifetime in order to assure long term coverage of checks and to assure the effective
winding up of projects; and
the plan detailing the audit work to be carried out each year.
The Long Term Strategic Plan

7.4 The first plan to be produced should be the long term strategic plan. This plan is essentially a
management tool and should set out how the BSO intends to carry out its responsibilities for auditing
expenditure over the duration of the programme.
Key contents of the plan should be:
Knowledge of the Cohesion Fund programme

o Identification of what BSOs reporting responsibilities are and the deadlines to be met;
o Identification of key articles from the relevant regulations that should be implemented;
Understanding the Accounting and Internal Control Systems

o Description of the management and control system that the BSO will have to audit (details
are at Chapter 3);
Nature, Timing and Extent of Procedures

o An approach as to when to audit bodies over the programme lifetime. (It is unrealistic to
expect to visit all bodies involved in the administration of the programme every year.);
o An approach to the level of detail of audit work to be performed;

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 27 of 145
The effect of information technology on the audit. (Guidance on IT audit is contained at

Appendix 1)
Coordination, Direction, Supervision and Review

o The procedure for managing the conduct of audits
o Any requirements for a joint approach with the audit service of the Commission
The strategic plan should be reviewed and updated each year.
The Annual Plan

7.5 This should be produced before the start of each year and should detail the overall audit approach
for the year. This planning should be summarised in a memorandum: the Audit Planning Memorandum
and if relevant submitted to the Commission. This document should present an analysis of the main
audit areas and the key planning decisions made and should include the following:
The regularity context of the audit

o The relevant European regulations,
o Any relevant Slovenian legislation.
An update of the systems description, as compared to that contained in the Strategic Plan,
detailing any significant facts, events or changes which have taken place and their likely effect
on the operations of the fund and hence the audit;
A description of the scope of the audit work.

o This section should identify any audit opinions and reports that should directly result from
the audit work;
o Any audit work required for other auditors (e.g. Commission auditors)
A risk assessment that:

o Assesses the inherent and control risks (see Chapter 8 for details);
o Determines which bodies to visit during the year;
o Identifies any key areas that particular audit attention should be paid to (e.g. new guidance /
regulations that need to be checked);
Details of the nature and extent of use to be made of the work to be carried out by other
auditors, e.g. internal audit sections units (IAU) of line ministries, Court of Audit, European
Commission auditors
o The conclusions from previous work by other auditors may be used to determine the
effectiveness of controls operating;
o It may be possible to ask other auditors to carry out audit work on behalf of the BSO.
Audit objectives
o These should be based on the risk assessment (see Chapter 9).
Audit Programmes
o These programmes should consist of audit tests designed to meet the audit objectives (see
Chapter 9)
Staffing levels and the resources required to carry out the audit work;
Timetable for carrying out the work.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 28 of 145
The planning memorandum should:
provide a basis for regular monitoring of progress on the audit by management; and
help auditors to understand what is required of them.
Include follow-ups of previous Audit Missions carried out by Internal audit Units, BSO or
auditors of EC
International Standards on Auditing

7.6 Relevant International Standards on Auditing that provide further guidance are:
ISA 300 Planning
ISA 310 Knowledge of the Business

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 29 of 145
8 RISK ASSESSMENT
The Process for the BSO: What the BSO is auditing
8.1 The audit fieldwork that the BSO will undertake is essentially to check that the Cohesion Fund
income and expenditure taking place in Slovenia is in line with the regularity requirements of the
Commission, i.e. that the management and control system put in place in Slovenia meets the
requirements of the EC Regulations. .
8.2 Specific objectives of the BSO annual audit approach are detailed at Section 6.2. Particular
attention should be paid to the regular review of controls and to the 15% sample checks, both of which
contribute to the ability of the BSO to provide a final closure certificate on individual projects, covering
the full period of the projects' activities.
8.3 In checking that the management and control systems in Slovenia comply with the above, the
BSO should go through a four step process as follows:
Risk Identification
Assessing risk importance to identify bodies to audit
Define audit objectives (see Chapter 9)
Create audit programme to meet audit objectives (see Chapter 9)
Risk Identification
8.4
8.5
Two types of risk need to be identified:
Inherent risk. This is the susceptibility of a class of transactions to misstatement that could be
material, either individually or when aggregated with misstatements in other classes, assuming
that there are no mitigating internal controls. For the Cohesion Fund, there is an additional
inherent risk of irregularity, i.e. that expenditure is not in line with EC regulations.
Control risk. This is the risk that either irregular expenditure or misstatement, that could occur
in a class of transactions and that could be material individually or when aggregated with
misstatements in other classes, will not be prevented or detected and corrected on a timely basis
by the accounting and internal control systems.
In the context of the audit of Cohesion Fund, materiality can be defined as:
Information is material if its omission or misstatement could influence the economic decisions of users
taken on the basis of the financial statements. Materiality depends on the size of the item or error
judged in the particular circumstances of its omission or misstatement. Thus, materiality provides a
threshold or cut-off point rather than being a primary qualitative characteristic which information must
have if it is to be useful.
Inherent Risk
8.6
The following factors should be considered as indicators when assessing the levels of inherent
risk:

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 30 of 145
the more complex the regulations governing the action, the greater the risk of error will be.
These errors may occur either through the misunderstanding or misinterpretation of regulations,
or through a simple error in application of the rules;
divergence of management arrangements for example, actions delivered through third parties
or agents may have a higher inherent risk than actions delivered directly by a single managing
authority. The more steps there are in the management process, the higher the risk will be;
payments or receipts made on the basis of claims or declarations (for example, a declaration by
the final beneficiary in respect of contributions in kind), rather than in exchange for invoiced
goods or services, are generally more difficult to verify, and therefore lead to an increased
inherent risk;
the absolute absolute amount of the Cohesion Fund support, and the proportion of total cost
supported by the Fund - where the absolute absolute amount of the grant is high, or a very large
proportion of total funding comes from the Fund, the inherent risks may be increased;
the amount of the Cohesion Fund support, in situations where this fund is a part of a structural
investment with other funds, and when the risk of double financing exists;
the type of action and funding - for example, some types of action (projects generating own
revenue) may be considered to have inherently greater risk than others;
the type of project manager/ final beneficiary - for example, public or private; well-established
or newly-formed; and
high levels of staff turnover, the use of temporary staff to undertake key tasks, or the use of
untrained or inexperienced staff within the managing organisations or project managers/ final
beneficiaries are likely to lead to increased inherent risks because the inexperience of staff may
mean that controls do not function properly.
the possibility of conflict of interest situation, the situation where duties are not properly
segregated (when purchase and payment functions are combined), the knowledge of unethical
behaviour.
8.7 As part of the process of "Audit Preparation" (see the diagram at 6.5), the BSO will need to assess
the extent and nature of Inherent Risks within the Management Framework. This assessment should
form part of the annual exercise and should be undertaken at the various levels, for example at the
GOSP, the National Fund, or at the Implementing Bodies.
Control Risk
8.8 The control system for administering Cohesion Fund in Slovenia should be designed to mitigate
inherent risk. Where inherent risk is highest, there should be controls in place to reduce the actual risk
of incorrect or irregular payments being made. For example, for schemes with very complex rules, the
body responsible for checking and approving claims would be expected to put considerable effort into
the verification of claims in that area. A high control risk is where controls to reduce inherent risk are
not working (or are not in place).
8.9 The system put in place by management to mitigate inherent risk is called the Accounting and
Internal Control System. The audit work on the management and control system is designed to check
that controls are in place and working (Appendix 2 gives some general information on the audit of
Internal Controls). Again, the BSO will need to annually review the extent to which the effective
operation of the management control system is mitigating any Inherent Risks that have been identified.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 31 of 145
The Accounting and Internal Control System

8.10 The accounting system means the series of tasks and records of an entity by which transactions
are processed as a means of maintaining financial records. Such systems identify, assemble, analyse,
calculate, classify, record, summarise and report transactions and other events.
8.11 The internal control system means all the policies and procedures (internal controls) adopted by
the management of an entity to assist in achieving managements objective of ensuring, as far as
practicable, the orderly and efficient conduct of its business, including adherence to management
policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and
completeness of the accounting records, the timely preparation of reliable financial information, and,
for the Cohesion Fund, compliance with EC regulations. The internal control system extends beyond
those matters which relate directly to the functions of the accounting system and comprises:
The control environment - the overall attitude, awareness and actions of management
regarding the internal control system and its importance in the entity. The control environment
has an effect on the effectiveness of the specific control procedures. A strong control
environment, for example, one with tight budgetary controls and an effective internal audit
function, can significantly complement specific control procedures. However, a strong
environment does not, by itself, ensure the effectiveness of the internal control system. Factors
reflected in the control environment include:
o The function of the management board.
o
o
o
Managements philosophy and operating style.

The entitys organizational structure and methods of assigning authority and
responsibility.
Managements control system including the internal audit function, personnel policies
and procedures and segregation of duties.
Control procedures - those policies and procedures in addition to the control environment
which management has established to achieve the entitys specific objectives. Specific control
procedures include:
o Reporting, reviewing and approving reconciliations.
o
o
Checking the arithmetical accuracy of the records.

Controlling applications and environment of computer information systems, for
example, by establishing controls over changes to computer programs, access to data
files.
Maintaining and reviewing control accounts and trial balances.
Approving and controlling of documents.
o
o
Comparing internal data with external sources of information.

Comparing the results of cash, security and inventory counts with accounting records.
o
o
Limiting direct physical access to assets and records.

Comparing and analyzing the financial results with budgeted amounts.
o
o
Practical Assessment of Control Risk

8.12 For the first audit of bodies, the assessment of control risk will be limited since sufficient
knowledge of the effectiveness of controls would not have been achieved. Therefore, initial audit work

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 32 of 145
should focus on determining what controls are in place by way of "walkthrough" tests, before later
testing whether or not those controls are operating in practice. This work would then inform the
assessment of control risk on any subsequent audits.
8.13 From the knowledge gained from previous audits and from their close working relationships with
the key players in the management system in Slovenia the BSO will draw general risk conclusions that
will assist the planning and audit approach exercises. For example:
At the Intermediate Body level - has the BSO identified any significant control weaknesses at either
of the two Ministries - Transport or Environment - that are involved with Cohesion Fund that might
influence the projects to be selected for examination.
At the Implementing Body level - has the BSO identified any significant weaknesses in control at any
of the Municipalities (Environment) or at one of the two sectors (Transport) in relation to their controls
over Cohesion Fund, that again might influence the selection of projects to be examined.
Assessing Risk Importance
Probability
8.14 Audit effort should be directed towards those areas where risk is likely to be greatest, whilst also
ensuring adequate coverage of lower risk areas. The importance of the risks can be assessed based on
the probability of the occurrence risk and the expected impact of the risk on the quality (of the outputs)
of the project or delays. The assessor can put the scores low, medium and high on the probability of
occurrence and on the expected impact of the risk.
High
Impact
Medium
Low
High
Unacceptable
High
Medium
Medium
Unacceptable
High
Low
High
Medium
Low
Low
8.15 Checks should be carried out on a sample basis, with the aim of carrying out sufficient
examination to provide a reasonable level of assurance that the management and control systems to be
examined by each audit are operating effectively to prevent errors or irregularities.
8.16 Given the potentially wide range of activities, a rolling programme, based on a risk assessment,
may be adopted to ensure that all relevant areas (for example, main implementing authorities, main
final beneficiaries, forms of assistance/operations) are covered, although not necessarily in the same
year. The information available from ex ante controls should be gathered and evaluated during the risk
assessment.
8.17 The process set out above may be used to develop a draft audit plan which may then be adjusted
on the basis of any additional information available to the auditor. Among the main factors to be
considered in selecting the areas to be audited are:
information about the control environment and specific control risks;
information about conflict of interests situation;
whether the nature of the actions managed means that there are particularly high inherent risks;

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 33 of 145
information from other sources relating to specific risk factors;
information on the quality of the management and control systems, in particular the results of
past audits by Internal Audit Service or other auditors on the operation of a project;
the need to follow-up a selection of past audits to ensure that necessary improvements to
systems have been made;
the programme of control planned by the other auditors, in particular to avoid duplication and
address any identified gaps in coverage;
the level of risks involved in the different funded activities, including problematic actions and
actions in which significant problems have been noted or are expected.
8.18 Adjusting factors may be applied to the selection of the areas to be audited including the physical
location of organizations/activities (for example to prevent excessive travel time during the audit) and
the types of project to be covered. These adjusting factors may also be applied as a filter before the
selection process. Appendix 3 provides further guidance on the use of a risk assessment/sampling
model to determine which projects to examine.
CONCLUSIONS ON RISK ASSESSMENT

8.19 When the Risk Assessment exercise has been completed the results of the work will inform the
standard Audit Decision Tree model, see below, which directs the audit approach to be followed; in
particular the linkage between controls assurance and what substantive testing should be carried out. It
should be stressed that this model is primarily designed for the audit of accounts and therefore in the
case of the audit of Cohesion Fund it should only be used as a guide to the audit approach to be
adopted; which will be a judgemental decision for the BSO to take. This is discussed in more detail in
Chapter 9.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 34 of 145
8.20 Substantive procedures are defined as:

Minimum Substantive Procedures
Testing should be performed at this level if the maximum assurance is taken from the examination of
controls, or if the area to be tested is deemed to be not material and no significant risks have been
identified.
Standard Substantive Procedures
Testing should be performed at this level if no risks have been identified that indicate potential material
error and no reliance is to be placed on the examination of controls.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 35 of 145
Focussed Substantive Procedures

Testing should be performed at this level if risk has been identified that indicates potential material
error and no reliance is placed on mitigating controls.
Note: Different Audit Objectives can be substantively tested at different levels; for example, the
Completeness and Regularity Objectives might be perceived to have a higher risk of material
error than, say, the Measurement Objective.
International Standard on Auditing
International Standard on Auditing 400 provides additional guidance on risk assessment and internal
control.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 36 of 145
9 AUDIT APPROACH TO COHESION FUND INCOME AND

EXPENDITURE
General Considerations
9.1 Having completed the risk assessment the BSO will need to incorporate their
understanding of the business and of the control environment within the
Management Framework into the detailed planning exercise and the audit
approach to be adopted.
Audit Information
9.2 Before concluding on the audit approach, the BSO will need to establish the
Cohesion Fund population that they are auditing. This will involve confirming:
the number of projects that are in operation;
the annual income relating to each project;
the annual expenditure relating to each projects; and
the bank balances for each project at the year end.
9.3 In terms of the overall audit approach it will be for the judgement of the BSO
to use the information obtained at 9.2 to determine how many projects, receipts
and payments will be examined within each financial year: i.e. the degree of
substantive testing to be carried out to support the controls examination. As the
BSO examination is not directly linked to the audit of any specific account, the
concept of materiality will mainly involve the determination of the throughput of
receipts and payments within each year. As part of the longer term strategy the
BSO audit approach should aim to ensure that each project is examined at least
once in its lifetime.
Understanding the Business

9.4 In order to determine the audit approach it is essential to identify which parts
of the Management Framework in Slovenia are responsible for operating the key
controls over Cohesion Fund; the following diagram details the higher level control
framework:

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 37 of 145
MANAGEMENT CONTROL FRAMEWORK IN SLOVENIA

European Commission
Flow of Funds
Payment of
Funds
(EC Delegation)
Designated Authority
GOEA (NIC)
Signs the FM and send
Expenditure
Claims
Claim
for
Funds
Risk
assessment
Strategic/Long
term
plan
-Annual plan
Financial Control
National Fund (NAO)
Risk
assessment
Financial
management;
paying Strategic/Long
term
plan
Agency
for plan
CFCU (Framework
-Annual
Financing Agreement - FFA)
FFA)with CFCU
Expenditure
Claim
Risk
assessment
Strategic/Long
term
plan
Implementing Agency
-Annual plan
Payment of
Claim
CFCU (SAO)
Implementing Agreement with
IB and FB
Risk
assessment
Strategic/Long
term
plan
-Annual plan
Expenditure
Claim
s to NF, CFCU, IB and FB

Implementing Body
Ministries of Transport and
Environment
Expenditure
Claim
Final Beneficiaries
Municipalities and
Transport Sectors
Check claims and pay final
recipients

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 38 of 145

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 39 of 145
MANAGEMENT & CONTROL FRAMEWORK IN SLOVENIA
Flow of Funds
Payment of
Funds
European Commission
Managing Authority
GOSP
Expenditure
Claims
Claim for
Funds
Paying Authority
National Fund (NF)
Expenditure Claim
Payment of
Claim
Intermediate Bodies
(MESP and MoT)
Expenditure Claim
Implementing Bodies
Municipalities and
Transport Sectors
THE AUDIT TRAIL

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 40 of 145
9.5 Article 6 of CR 1386/2002 requires that Member States management and

control systems should provide a sufficient audit trail. The detailed roles and
responsibilities of all the above elements should be set out in a documented audit
trail. A clear understanding of the Management Framework and the controls
systems in place at each level of the organisation, should allow the BSO to identify
a clear audit trail to cover all aspects of Cohesion Fund. Hence to obtain a full
"Understanding of the Business" should be a pre-requisite of all BSO staff prior to
carrying out an audit. This understanding is essential to both the planning and
audit examination processes. Auditors should therefore ensure that they are
familiar with these systems and that the description which they have of the audit
trail is up to date.
9.6 In terms of the Cohesion Fund, the audit trail should follow the "cradle to
grave concept", starting with the national strategy and overall agreements
entered into with the European Union; through project application and approval;
funding and payments; monitoring, evaluation and reporting; and culminating in
final certification. A sufficient audit trail is one that permits:
reconciliation of the summary amounts certified to the European Commission with the
individual expenditure records and supporting documents at the various administrative and final
beneficiary levels; and
verification of the allocation and the transfers of the available Community and national funds.
9.7 The results of audits carried out previously should be examined in the light of
the audit trail to identify any improvements that need to be made to the operation
of the management and control systems under review. These individual systems
should include the relevant managerial levels.
9.8 The audit trail should provide a clear description of the flows of Cohesion
Fund finance and information, their documentation and their control, analysed to
project manager/ final beneficiary level. In particular, the audit trail should show:
processes and who is responsible;
which documents are created and data systems used, and who is responsible for these;
which management and control systems exist for financial data flows, who audits them and
how the findings are reported; and
who audits Cohesion Fund expenditure, results, efficiency and management expenditure and
what is the reporting system.
9.9 The Management Control Framework at 9.4 shows the flow of funds from the
designated authority to the Implementing Body and the flow of information on
progress and performance from the IB through to the Commission. The areas
where appropriate controls should be present are indicated on the left of the
figure. It is the operation of these systems, which should be documented and
tested during an audit of authorities or final beneficiaries. Note that the actual
controls implemented will vary according to the nature of individual systems and
according to the level of an audited body within the audit trail hierarchy.
9.10 In order to follow up the information flow (the reports statement of
expenditure from the project managers) and the financial flow (the advances paid
to the IBthe ), the details of the last statement received by the Commission, and
the last advance paid by the Commission, need to be reconciled, with the

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 41 of 145
accounting system and bank statements of NF, Intermediate and Implementing

Bodies.
9.11 The review of the audit trail and the identification of possible weaknesses are
an integral part of the preparation of an audit. In the same way, the preparation
phase of the audit should include consideration of the extent to which the audit
trail has been kept up to date.
Setting Audit Objectives

9.12 Audit objectives need to be set in order to gain appropriate evidence to
enable the auditor to draw conclusions on the effectiveness of the management
and control systems in operation in ensuring that Cohesion Fund expenditure
claims are correct. Two sets of audit objectives are recommended: the first for
looking at the general management and control system for administering
Cohesion Fund and the second for examining control systems and expenditure
specifically at the final beneficiary level, as detailed in Figures 1 and 2 below:
9.13 Individual audits may seek to address all of the objectives set out, or may
address specific areas determined as a result of risk assessment or for the
purposes of a follow-up audit. The appendices contain checklists/questionnaires
which should be used during audits at Member State authorities. These can of
course be adapted to suit the particular type of Cohesion Fund project being
audited (e.g. road, rail, water treatment, wastewater treatment). There are ten
main audit objectives, which should be addressed during audits of the Member
State authorities responsible for managing and controlling Cohesion Fund actions.
These audit objectives are intended to provide appropriate evidence to enable the
auditor to draw conclusions on the effectiveness of the management and control
systems in operation. A typical audit, will both examine management and control
systems, and verify one or more declarations of expenditure by means of following
the expenditure through the system to selected project managers/ final
beneficiaries.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 42 of 145
Figure 1: Audit objectives relating to the audit of Member States management and control
systems
Audit
objective
Activity /
Process
1.
Systems
descriptions
2.
3.
Objective
Whether there are adequate procedures to ensure that systems
descriptions are reviewed and updated and changes notified to the
Commission as required. (Art.5 and Art. 12 of Commission
Regulation 1386/02)
Approval
Whether there are adequate procedures to ensure that applications for

aid and the decisions reached on those applications comply with the
relevant rules, are in accordance with the needs of the area in question,
and that decisions by the authority are fully documented. (Art 10 of
Council Regulation 1164/94)
Monitoring
Whether there are adequate procedures for the effective monitoring of

both the physical and financial progress of Cohesion Fund projects
throughout their lifetime.
4.
Guidance
Whether there are adequate procedures in place to ensure that

adequate guidance is given to the bodies responsible for the
implementation of Cohesion Fund projects. (Art. 2 of Commission
Regulation 1386/02)
5.
Irregularity
reporting
Whether there are adequate procedures to ensure that irregularity

reports are prepared, submitted, followed-up and recoveries made
where appropriate. (Art.7 of Commission Regulation 1386/02)
6.
Audit
Whether there are adequate procedures and arrangements in place for

the audit of Member States management and control systems for the
Cohesion Fund. (Art. 9, 10, 11, 12 of Commission Regulation
1386/02) and for the drawing up of the winding-up declaration (Art
12.1(f) of Council Regulation 1164/94 and Art. 13, 14 and 15 of
Commission Regulation 1386/02)
7.
Operational
Checks
Whether the relevant authorities have adequate financial and checking

procedures to ensure the regularity, legality and eligibility of
expenditure. (Art. 4 and 8 of Commission Regulation 1386/02)
8.
Publicity
Whether there are adequate arrangements in place to ensure

compliance with the publicity requirements set out both in the
Commission Decision for the particular project and in Commission
Decision 96/455.
9.
Accounting
information
Whether the Member State has adequate procedures for maintaining

adequate accounting records on projects which are available to the
Commission on request. (Art. 16 of Commission Regulation
1386/02) .
10.
Audit trail
Whether there are adequate procedures in place to ensure that the

management and control systems provide a sufficient audit trail.(Art. 6
of Commission Regulation 1386/02)
9.14 As outlined below, the main purpose of the checks at final beneficiaries is to
determine whether the relevant aspects of Member State authorities

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 43 of 145
management and control systems relating to actions are operating satisfactorily.

Audits will also involve the documentation of Implementing Bodies' systems (audit
trail) as they affect Cohesion funded activity.
Figure 2: Audit objectives relating to audits at project managers/ final beneficiaries
Audit
objective
Objective
Whether eligibility rules have been followed in selecting project managers and
projects/ actions for Cohesion Fund support.
Whether receipts and payments are accurately recorded in the project manager/
final beneficiarys accounting system, assets are correctly recorded, and that these
amounts are correctly reflected in demands for payment.
Whether (in respect of public authorities or bodies, and where necessary), services
or actions funded under the Cohesion Fund are procured on the basis of a proper
call for tenders, that there are sound controls over the opening of tenders and that
all tenders are fully evaluated before a final decision is made on the supplier of the
service/action.
Whether progress made is truly and fairly reflected in any reports or other
information submitted to Member State authorities and to the Commission.
Whether the project manager/ final beneficiary has complied with Community
rules on publicity, information, equality and the environment and any other
relevant Community law.
Designing Substantive Tests

9.15 Appendix 4 provides guidance on designing substantive tests to meet the
audit assertions
Audit Programmes
9.15 Audit tests need to be devised to gather the evidence to address the audit
objectives. Accordingly Appendix 5 gives examples of tests that may be used to
address the audit objectives for the overall management and control system audit
of Cohesion Fund and the substantive tests to be carried out centrally; whilst
Appendix 6 lists tests that may be used for the audit objectives for the audit of
Implementing Bodies. These tests will enable the BSO to obtain evidence to
establish whether or not the management and control systems provide a sufficient
audit trail
Audit Strategy
9.16 The competent national authorities under the responsibility of the independent body designated
under Article 12 of Regulation 1386/2002 should prepare an audit strategy for the Cohesion Fund
which:

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 44 of 145
Takes account of the whole audit effort undertaken by the different national and regional
control authorities, and in particular that required by Article 8, Articles 9 to 11 and Articles 13
and 14 of Regulation 1386/2002;
Covers the whole period up to closure;
Provides the framework within which annual audit programmes will be established;
Identifies the bodies which will be responsible for audit work and the scope and objectives of
their work, their resources and their methodology;
Provides assurance that there will be an adequate basis for the certification of expenditure under
Article 8 of Regulation 1386/2002, that the effectiveness of the management and control
systems in place will be verified regularly during the programming period, that 15% of total
eligible expenditure will be checked in accordance with Articles 9 and 10 of Regulation
1386/2002, that these checks will be spread evenly throughout the programming period up
until closure, and that consequently there will be a sufficient basis for drawing up the winding
up declaration under Article 13;
Is validated by the independent body designated under Article 13.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 45 of 145
10 AUDIT EVIDENCE
10.1 This Section describes the general concepts of audit evidence and should be read in conjunction
with the revised International Standard on Auditing 500, which was approved in October 2003.
Concept of Audit Evidence

10.2 The overall aim is that the auditor should obtain sufficient appropriate audit evidence to be able
to draw reasonable conclusions on which to base the audit opinion. "Audit evidence" is all the
information used by the auditor in arriving at the conclusions on which that audit opinion is based.
Sufficient and Appropriate Audit Evidence

10.3 Sufficiency is the measure of the quantity of audit evidence. Appropriateness is the measure of
the quality of audit evidence; that is, its relevance and reliability in providing support for, or detecting
misstatements. The quantity of audit evidence needed is affected by the risk of misstatement (the
greater the risk, the more audit evidence is likely to be required) and also by the quality of such
evidence (the higher the quality, the less may be required). Hence sufficiency and appropriateness of
audit evidence are inter-related; although merely obtaining more evidence may not compensate for its
poor quality.
10.4 The reliability of audit evidence is influenced by its source and nature and is dependent on the
individual circumstances on which it is obtained. In order to obtain reliable audit evidence, the
information on which the audit procedures are based needs to be sufficiently complete and accurate.
Whilst recognising that exceptions may exist, in general audit evidence is more reliable when it is:
obtained from independent sources outside the entity;
supported by effective internal controls, when generated internally;
obtained directly by the auditor (observation of the application of a control);
in documentary form, whether paper, electronic or other medium (a written record of a meeting
is more reliable than an oral report); and
in the form of original documents, which is more reliable than photocopies or facsimiles;
10.5 Visual evidence is highly reliable for confirming the existence of assets, but not their ownership
or value; whilst oral evidence must be considered as the least reliable. Whenever feasible, auditors
should attempt to obtain documentary confirmation of oral evidence (e.g. agreed written records of
interviews). When this is not feasible, oral evidence might be corroborated by interviewing separately
more than one person.
The Use of Assertions in Obtaining Audit Evidence

10.6 The auditor should use audit assertions for classes of transactions, accounts balances, and
presentation and disclosures in sufficient detail to form a basis for the assessment of risks of material
misstatements and for the design and performance of further audit procedures.
10.7 It is for the judgment of the auditor to determine how to test against the relevant assertions for the
audit of Cohesion Fund. The auditor should take into account the legislative framework and all other
regulations or directives that might affect the issue of regularity. Examples would be:
Completeness - to obtain audit evidence to ensure that all transactions and events that should
have been recorded, have been recorded;

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 46 of 145
Occurrence - to obtain audit evidence to ensure that all transactions and events that have been
recorded have occurred and are pertinent to the audited body; and
Existence - that all assets recorded by the audited body actually exist.
Procedures for Obtaining Audit Evidence

10.8 The auditor should obtain audit evidence to draw reasonable conclusions on which to base the
audit opinion by performing audit procedures:
Risk Assessment Procedures - to obtain an understanding of the entity and its

environment, including internal controls, to assess the risk of material misstatement. By
themselves, such procedures do not give sufficient appropriate audit evidence on which to base
the audit opinion, and are therefore supplemented by;
Tests of Controls - to test the operating effectiveness of controls in preventing, or detecting and
correcting, material misstatements; and to support the risk assessment; and
Substantive Procedures - are always required to support the judgmental risk assessment and
the inherent risks of internal control failures: they are designed to detect material misstatements
at the assertion level.
10.9 Audit evidence may be obtained by one or more of the following procedures, which may be used
as risk assessment procedures, tests of controls or substantive procedures, dependent on the context in
which they are applied by the auditor.
Inspection of records or documents - examining records or documents, both internal and

external, in paper or electronic form;
Inspection of tangible assets - physical examination of the assets;
Observation - looking at a process or procedures being performed by others;
Inquiry - seeking information of knowledgeable persons both within and outside the entity;
Confirmation - is a specific type of inquiry based on obtaining information directly from a
third party;
Recalculation - checking the mathematical accuracy of documents or records;
Re-performance - the auditor's independent execution of procedures or controls that form part
of the entity's internal controls; and
Analytical Procedures - evaluation of financial statements and interrelationships or
comparisons between elements of relevant information (see also ISA 520).
10.10.1 The auditor should evaluate at an early stage in the audit process which method of obtaining
evidence will be suitably reliable, and balance the reliability of the audit evidence against the cost of
obtaining it. Similarly, the auditor should use professional judgement to evaluate the quantity and
quality of audit evidence and its sufficiency and appropriateness, to support the audit opinion.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 47 of 145
11 DOCUMENTATION AND FILING

11.1 This Section sets out the general principles and practice for maintaining effective documentation
and files.
The Benefits of Effective Documentation

11.2 Auditors should effectively document the audit evidence in working papers, including the basis
and extent of the planning, work performed and the findings of the audit.
The benefits of effective documentation are that it:
aids planning;
provides a record of weaknesses, errors and irregularities detected by the audit;
confirms and supports the auditor's judgements, opinions and reports;
serves as a source of information for preparing reports or answering enquiries from the audited
body or from any other party, and provides a record of work done for future reference;
shows compliance with Auditing Standards and Guidelines, and with the internal procedures of
the BSO;
supports (or provides a defence against) claims, law suits and other legal processes;
helps and provides evidence of the auditor's professional development;
aids review, supervision and quality assurance (see below).
11.3 Effective documentation is particularly important for review, supervision and quality assurance.
The main advantages are that it helps the reviewer to:
ascertain whether the audit objectives have been achieved;

ensure that delegated work has been properly performed;
assess the judgements made by the auditor during the course of the audit and identify areas
where additional work may be necessary to obtain evidence required to reach conclusions or
make recommendations;
carry out the tasks of reviewing audit working papers and supervising audit staff more
efficiently and effectively; and
provides the basis for independent quality assurance reviews
Content of Working Papers

11.4 All audit steps must be carefully documented, as well as the resulting observations and
conclusions. This documentation is collectively known as working papers. The main examples of
working papers are:
The audit planning documents

Authority for the audit to proceed
Interview records
Record of documents reviewed
Internal control analysis sheets
Audit test plans and results

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 48 of 145
Summary of audit findings
11.5 Working papers are the auditor's principal record of the work performed and the conclusions
reached on significant matters and are essential to support an effective audit. They provide evidence of
the auditor's exercise of due care; and help the auditor conduct and supervise the audit. All phases of the
audit, from the basic planning to the preparation of the final draft of the report, should be in the working
papers.
11.6 It is not possible to prescribe exactly what working papers should or should not include. As a
general principle, however, a well-documented set of working papers will be sufficiently complete and
detailed to enable an experienced auditor having no previous connection with the audit to ascertain
from them what work was performed to support the conclusions.
11.7 Working papers must have a series of physical qualities such as clarity, legibility, completeness,
relevance, accuracy, conciseness, neatness and be understandable. If computer evidence is used, there
should be adequate identification that completely describes its origin, content and location. They should
be planned and, in many cases, formatted at an early stage in the audit. Prior years' working papers, if
available, might be used as a guide.
11.8 In order to facilitate review, and in particular, to assist the reviewer in finding and evaluating the
audit evidence that supports conclusions, recommendations and reports it is essential that working
papers are cross-referenced backwards and forwards. These cross-references should clearly show the
source and destination. It is to be noted that good cross-referencing requires clear and logical initial
referencing of all working papers.
11.9 Working papers should normally be prepared on the basis that they might be used as evidence in
any legal procedure that could arise. Thus, auditors should sign and date their individual working
documents. It should be clear from the examination of a completed set of working papers, who they
were reviewed by, when, and what was the outcome of the review. Notes of reviewers indicating
agreement, incomplete or unclear items should be retained. These are essential for use by higher level
reviewers. The documentation should include a record of all contact with the audited body on
significant matters (e.g. weaknesses found during tests of control, assurances received from the audited
body's management, etc.).
Current and Permanent Files

11.10
Working Papers relating to individual audits are generally known as current files. Individual
current files will be established and maintained by the BSO for each project. They will routinely
contain the following information which will provide a full history of the project and of the audit
examinations that have been carried out relating to that project:
A copy of the Financial Memorandum/Contract detailing values, duration, location, measures

and details of the Implementing and Intermediate Bodies;
Details of any amendments to the funding of the Project;
Key findings arising from previous BSO examinations of the project; specifically, details of any
unresolved issues or matters highlighted to be examined in future visits;
Details of the BSO examination at the National Fund and the sponsoring Ministry;

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 49 of 145
Copies of any reports produced by Internal Audit, the Court of Audit, the ECA or Commission
and private firms;
Details of proposed future visits to the project contained in the longer term audit plan; and
finally
At the conclusion of the project, details of the winding-up declaration and of the submissions
sent to the Commission.
11.11
In addition to current files, permanent files should also be established and maintained by the
BSO. These contain the overall legislation and planning information that covers all Cohesion Fund
projects. They should routinely include:
All EU/EC Regulations, guidance and directives relating to Cohesion Fund;

All relevant National Legislation;
The National Strategy for the implementation and delivery of the Programme;
Copies of the higher level reports produced by the ECA/Commission covering the Programme;
Details of the working arrangements and responsibilities of all other organisations involved in
the management of the Fund
The Annual BSO Audit Plan/Approach for the examination of the funding;
Results of high level systems reviews and examinations;
Copies of reports submitted by the BSO to the Commission;
Copies of any Management Letters prepared by the BSO, which might routinely include
details of the number of projects examined each year and the percentage of expenditure
covered.
Confidentiality of Audit Information

11.12 The BSO frequently has access to information which may be considered sensitive from a
commercial, political or security point of view. Accordingly the staff of the BSO must exercise due
professional care to ensure that such information is properly safeguarded. Procedures and controls have
been established to assure the physical security of working papers. Similarly, it is normal to treat
working papers, communications with audited entities and draft reports as confidential documents, until
recognised and established procedures for their release have been followed. The BSO must balance the
need for confidentiality of audit information with any legislation allowing freedom of information to
citizens.
Retention of Audit Documentation

11.13 The BSO has a clear policy for the storage and retention of documentation which supports the
conclusions reached in published reports. This policy covers, amongst other things:
length of retention before destruction (this varies according to the status of documents);
transfer of files from audit units to central archives;
standard file contents, indexing and retrieval procedures.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 50 of 145
12 AUDIT REPORTING
12.1 The report is the main vehicle for communicating the results of an audit. Reports should be clear
and concise, highlighting the main conclusions of the audit. Audit recommendations should be ranked,
as to their importance to the Cohesion Fund process, and should indicate the action needed to address
weaknesses identified. All reports should contain an executive summary setting out the key findings
and conclusions and should contain key recommendations and their ranking of importance.
12.2 Major errors or system weaknesses should be discussed with relevant staff from the audited body
during the audit, both to confirm the auditors understanding of the nature of the error or weakness, and
to allow discussion of and agreement on the action needed and agreed due date to correct errors and
improve systems. Subsequently, the auditor should check the relevant facts in writing with the audited
body. Audit working papers should include management comments on discussions held. BSO may
decide to agree a formal Action Plan with the audited body which will detail the:
Findings in order of significance;

Audit Recommendation; and
Conclusion/Actions required.
12.3 Reports should contain sufficient detail on audit findings and conclusions to demonstrate to the
audited body the weaknesses in the systems, and recommendations should state clearly the remedial
action that is necessary. Management responses on recommendations made should be included in the
audit report.
12.4 Following the conclusion of the audit, auditors should aim to produce the audit report within a
maximum of one month after the field visit to ensure that audited bodies can rectify weaknesses at the
earliest possible opportunity.
12.5 The letter accompanying the audit report should request a formal reply by an agreed due date (for
example, two months after the issuance date). The audit reply should, for each recommendation:
agree with the recommendation and give details of how it has been implemented (supported
with relevant documentation)
agree with the recommendation and provide a timetable for implementation; or
provide reasons for not agreeing with the recommendation.
12.6 There should be regular monitoring of outstanding replies; the contents of all replies received will
form the basis for future risk assessments.
Contents of the Audit Report

12.7 The audit report should contain the following items:
Executive summary
o Scope
o Conclusion
o Summary findings
Methodology

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 51 of 145
Detailed Findings and recommendations
Executive Summary
12.8 The executive summary consists of 3 sections:
Definition of the scope of the audit, which could be to:
ascertain the accuracy of the expenditure declared by the designated authorities

in support of the last payment request;
o examine the operation of the management and control system; and
o verify the operation of the systems by examination at the final beneficiary level.
o
The conclusion should describe the overall opinion of the auditor on the work audited;
The summary findings of the audit should list the findings of the audit and note their
respective importance.
Methodology
12.9 The audit methodology should be briefly outlined. Information provided should include the
authorities and actions chosen for examination, the reasons for choice, and broad details of the checks
carried out.
Detailed Findings and Recommendations

12.10 Findings should include a short description of weakness noted or errors found and the reason of
any deviation. This will enable audited bodies to verify the points made and to take corrective action.
Each finding should result in a recommendation. Some findings can be grouped and result in one
recommendation.
12.11 Recommendations should receive a ranking, for example:
1:
2:
3:
4:
requires immediate action

requires action within 3 months
requires action between 3 to 6 months
requires action over 6 months
12.12 Reports should include specific recommendations for action by the audited body to address
weaknesses found during the audit. These recommendations should be clear and should be supported
by convincing evidence as to the need for action. Ideally, a time limit should be set for taking the
corrective action. The recommendations and replies will form the basis for any follow-up examination
in the future.
12.13 At the end of an audit, for example at the Ministry or at an Implementing Body, the BSO may
agree an Action Plan with the audited body to clearly document the follow-up actions to be taken by the
audited body and to re-emphasise the timescale within which the actions to be taken should be finalised.
A review of the outcome of this work should form part of any future BSO visit to that audited body,
which should be detailed within the longer term audit plan.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 52 of 145
Reports to the EC
Annual reports
12.14
In accordance with Article F(4) of Annex II to CR 1164/94, as amended by Article 12 of CR
1386/2002 an annual report is required for each complete year of implementation . The purpose of the
Article 12 report (see Model at Appendix 8) in the context of the Contract of confidence will be to:
Indicate any changes to the management and control systems;
Indicate any proposed changes to the audit strategy;
Provide a summary report on the audit activity for the previous year (both systems audits and
audits of operations), the main results, and follow up of outstanding issues from earlier years;
Draw a conclusion with regard to the assurance obtained for the expenditure for the year
concerned.
The report should be drawn up under the authority of the Article 13 body who should sign (or
countersign) the report.
The systems audit reports should in addition be sent to the Commission as soon as they are
finalised, with a summary of findings and recommendations which can be introduced into
SYSAUDIT.
The Article 12 report will be discussed in the annual bilateral meeting.
Final Report and Certification

12.15 The Final report is to be submitted within six months of the physical completion of the project,
should report on the work carried out, the expenditure incurred and the conformity with the decision
approving the project; and should give an initial appraisal of the chances of achieving the project
objectives.
12.16 When each project, step of project or group of projects is wound up, the Slovenian government
presents to the Commission a declaration summarising the conclusions of the checks carried out during
previous years. That declaration should also include an assessment of the validity of the application for
payment of the final balance, and the legality and regularity of the expenditure covered by the final
certificate. The declaration will be prepared by the BSO.
12.17 Responsibility for the preparation of these reports rests with the BSO. The reports should contain
information from audits undertaken by BSOS each year on each project and should indicate changes to
the management and control systems identified in the audit trail for each project.
Evaluation of Errors
12.18 The BSO will need to record the results of the errors found during each project examination and
consolidate those results into an annual evaluation of errors and their consequences. That annual
evaluation should include details of:
The total value of errors identified and what proportion of the total annual receipts/payments
they represent;
What actions have been taken to correct errors that were identified and/or to effect the recovery
of ineligible payments;

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 53 of 145
The extent to which errors found were deemed to be systemic, i.e. could apply to expenditure
not actually covered by substantive testing (either within the project examined or to other
projects);
In the event of systemic errors having been identified, what further work the BSO has carried
out to assess the likely affect across all Cohesion Fund projects;
What lessons have been learned from the nature of the errors found in terms of perceived
weaknesses in the control environment;
Based on those identified weaknesses, what recommendations the BSO has made to improve
the control environment; and
How they plan to ensure that those recommendations are implemented by the management
authority.
(Appendix 11 gives Commission guidance on the treatment of Financial Corrections)
Follow-Up Audits
12.19 As part of the overall planning strategy the BSO should consider the merits of carrying out follow
-up audits to some or all of the audited bodies that are involved with the Cohesion Fund processes.
Given the Management Framework that operates in Slovenia, the likelihood is that the BSO will
routinely visit the GOSP, the NF, the Ministries of Transport and Environment. Hence the concept of
follow-up audits is most likely to occur at the Implementing Bodies - the Municipalities (for
Environment) or the Transport Sectors.
12.20 When the BSO plan to carry out follow-up visits the audit examination should concentrate on
ensuring that management have implemented recommendations for the improvement of control and for
guarding against risk agreed with them during the previous audit. The follow up should ensure that
controls have been introduced in the appropriate manner and that they are working effectively. In the
event of management failing to effectively implement such recommendations, the BSO should consider
reporting such failures to the appropriate internal authorities.
Amounts recoverable
12.21 Article 7 of Regulation 1386/02 requires the Paying Authority to keep a record of all amounts
recoverable from payments of Community assistance already made. The same Article also requires the
Paying Authority to send to the Commission once a year, in annex to the fourth quarterly report on
recoveries supplied under Regulation (EC) 1831/94, a statement of the amounts awaiting recovery at
that date, classified by the year of initiation of the recovery proceedings.
Accounting information
12.22 Article 16 of Regulation 1386/02 requires Member States to forward, on written request from the
Commission, the accounting records referred to in Annex IV of the Regulation on projects. Such
information should be as far as possible be held in computerised form. Such records shall be made
available to the Commission at its specific request for the purpose of carrying out documentary and on
the spot checks. This information should be delivered to the Commission within 10 working days of
receipt of the written request, although a different period may be agreed, particularly where the records
are not available in computerised form.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 54 of 145
Sys-audit
12.23 DG Regional Policy is in the process of developing and introducing a new Audit Management
System, SYSAUDIT. The objectives of this system are to offer a standard tool for the various
Commission services auditing the Cohesion Fund and the Structural Funds, to provide a common data
base for audits planned and executed by these services, to facilitate the standardisation and coordination of audit work and give easy access to information for the geographical units. It is intended,
after sufficient testing of the system has been carried out, to give access to the system to approved
administrations in the Member States.
12.24 The application consists of nine modules which include:
Planning of the Annual Audit Programme and advising Auditee
Allocation of Auditors and assistants/replacements
Audit report production
Recording of findings from the Audit
Follow-up of findings
DAS follow-up, the annual co-ordination meetings
Document management for securely storing all correspondence related to an Audit.
12.25 SYSAUDIT will facilitate the follow up of audit report findings and recommendations and will
trace the status of each finding until it has been closed. For open items, the SYSAUDIT system will
remind the auditor, at the agreed date, to issue a letter to the auditee, reminding it that follow up action
needs to be taken. In addition at audit planning stage, the system can be reviewed and projects with no
or very slow action on recommendations identified as possible high risk areas. Once a report is finalised
and satisfactory actions have taken place on all open items, the report can be closed. The SYSAUDIT
system will need to be updated to inform all concerned that the report is closed.
Systems description update
12.26 Article 12 of Commission Regulation 1386/02 also states that Member States shall provide to
the Commission, by 30 June each year, any necessary amplification or updating of the description of
their management and control systems communicated under Article 5(1) of the same regulation. Article
5(1) of Regulation 1386/02 required the initial description of the management and control systems to be
forwarded to the Commission by 7 November 2002. A model report pursuant to Article 12 of
Commission Regulation 1386/02 is contained at Appendix 8.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 55 of 145
13 IRREGULARITY, FRAUD AND CORRUPTION

13.2
The purpose of this Chapter is to guide auditors of the BSO on the responsibilities and
procedures for the prevention and detection of irregularities, fraud and corruption.
Respective responsibilities of Audited Bodies, Management and Auditors

13.3 The primary responsibility for the prevention, detection and investigation of
errors and irregularities rests with those responsible for the management and
execution of State policies, functions and programmes, (i.e. Ministries and other
audited bodies). Management is responsible for establishing an effective system of internal
controls to ensure compliance with laws and regulations.
13.4 The work of the BSO in this area should focus primarily on assessing the performance of the
audited bodies in preventing, detecting and correcting irregularities. In designing steps and procedures to
test or assess compliance, auditors should evaluate the audited bodys internal controls and assess the risk
that the control structure might not prevent or detect non-compliance.
13.5 As a general principle, the auditor is not and cannot be held responsible for the prevention of
fraud and irregularity. Similarly, an audit planned and implemented in accordance with auditing standards
cannot give complete assurance that the financial information is free from material error. This is because
errors which are intentional, arising as a consequence of fraud or irregularity, often involve attempted
concealment which the auditor may not necessarily detect, even though his/her audit was planned and
executed in accordance with auditing standards.
13.6
There are also inherent limitations placed on every audit because the test nature of an audit
involves judgment as to the areas to be tested and the number of transactions to be examined. Furthermore,
much audit evidence is persuasive rather than conclusive in nature.
Planning and undertaking a Regularity audit

13.1
The audit process has the following focus and emphasis:

In planning the audit, the auditor obtains a general understanding of the legal framework
applicable to the activity under audit and should understand how management complies with that
framework. Amongst the sources of information that BSO auditors may refer to in carrying out this
work are EC Regulations and the laws and regulations of Slovenia.
In planning an audit of financial information, the auditor considers the extent to which the
incidence of fraud or other irregularity is likely to be material, either by nature or by value.
The auditor should assess the particular risk of fraud or irregularity in the body or function to be
audited. Previous audit reports, investigations/reviews by the EC can be drawn on in making these
judgements. Other factors to be considered include the:
o
o
o
complexity of the schemes and activities under examination;

competences and perceived integrity of the managers of budgets and funds;
likely reliability and/or sufficiency of the audit evidence available.
there will always be a risk of internal controls failing to operate as designed. Any system of
internal control may be ineffective against fraud involving collusion amongst employees or by
management. This is because certain levels of management may be in a position to override
controls that would prevent similar frauds by other employees; for example, by directing

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 56 of 145
subordinates to record transactions incorrectly or to conceal them. The auditor may therefore
review the adequacy of preventative mechanisms established by audited bodies, for example.
segregation of duties;
systematic rotation of staff in post;
internal oversight and inspections;
effective human resources policies, to monitor admission of new staff into the public service and to
ensure that they properly understand the requirement for honesty and integrity;
establish a code of conduct designed to promote ethical behaviour amongst staff and provide
guidance on such matters as:
relations with third parties;
acceptance of employment/appointments outside the public service;
declaring conflicts of interest (e.g. where a staff member has interests outside public service which
may conflict with their official duties);
monitor implementation of the human resources policies, including regular review of the code of
conduct; and
appropriate procedures for reporting, investigating and acting upon possible irregularities and/or
suspected fraud, including, where necessary, appropriate disciplinary measures.
Audit procedures to be adopted where fraud or other irregularity is suspected

13.7 If, during the risk assessment, or as results of tests of control or substantive testing, the auditor
concludes that circumstances indicate the possible existence of a fraud, he/she needs to consider the
potential impact of such an occurrence on the financial information. If the auditor believes that the
suspected fraud could have a material effect on the financial information, then he/she should perform such
modified or additional procedures as are considered appropriate.
13.8
The extent of the auditors modifications to the audit plan, or additional audit procedures, will
depend on his/her judgement about:
the nature of the suspected fraud that could have occurred;

the perceived risk that suspected fraud has actually occurred, based on the risk assessment or
results of testing; and
the likelihood that a particular type of suspected fraud could have a material effect on the financial
information.
Performing additional audit procedures

13.9
The auditor should use his/her judgement to determine the audit procedures best able to indicate
the existence of suspected fraud. These may include, amongst others:
tests of control : used to provide evidence on the effectiveness or otherwise of the

controls designed to prevent or detect fraud and irregularity;
substantive testing: used to substantiate the scope and/or value of the suspected fraud;
analytical procedures: used to corroborate, through comparison, trend analysis or
predictive testing, the possibility that fraud or irregularity exists;

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 57 of 145
interview techniques (used primarily in fraud investigation): used to provide

corroborative evidence that fraud has occurred, usually from those around the
individual(s) suspected of committing the fraud; and
observation techniques: used to corroborate the suspicion of fraud, by observing
changes in behaviour patterns of those suspected of committing fraud.
13.10 When carrying out interviews as a means of gathering evidence to substantiate fraud, the auditor
needs to observe the rules of evidence appropriate to the jurisdiction in which he is operating. This is to
ensure that the evidence gathered from such work can be used in any judicial proceedings which the
authorities decide to pursue. Before proceeding with any additional audit procedures, the auditor should
consider whether to seek guidance or assistance from experts in fraud investigation, such as the prosecuting
authorities.
Reviewing the results of additional work

13.11 Performing modified or additional procedures may enable the auditor to confirm or dispel a
suspicion of fraud. Where confirmed, the auditor should confirm that the effect of fraud is properly
reflected in the financial information. In some cases, the auditor may be unable to obtain sufficient
evidence either to confirm or dispel a suspicion of fraud. In that situation, the auditor should consider the
possible impact of this uncertainty; both on the financial information and on the statement of assurance.
The auditor will also need to consider the relevant laws and regulations of the jurisdiction in which the
suspected fraud has occurred. As appropriate, the auditor may wish to obtain legal advice before reporting.
13.12 Unless circumstances clearly indicate otherwise, the auditor does not assume that an instance of
fraud is an isolated occurrence. If the fraud should have been prevented or detected by the system of
internal control, the auditor should re-consider any prior evaluation of that system and, if necessary, adjust
the nature, timing and extent of substantive procedures.
13.13 When a fraud involves a member of senior management, the auditor needs to reconsider the
reliability of any representations made by that person to the auditor.
Audit procedures where irregularities other than fraud are identified

13.14 When the auditor becomes aware of information concerning a possible existence of irregularities
other than fraud, for example, irregularities arising from unintentional error, oversight or ignorance of the
law; the auditor should obtain an understanding of the nature of the irregularities and the circumstances in
which they have occurred; plus sufficient other information to evaluate the effects on the financial
information. For example, the auditor should consider:
o
o
o
the potential financial consequences;

whether, and how the financial consequences of the irregularity should be disclosed in the
financial information; and
whether the potential financial consequences are so serious as to impact on the audit opinion
or statement of assurance on the legality and regularity of the underlying transactions.
13.15 In the first instance, where the auditor discovers what may be an irregularity, he/she should
document the findings and discuss them with the audited bodys management. If management does not
provide satisfactory information that the transactions concerned are, in fact, regular, the auditor may consult
with managements legal adviser about the application of the relevant laws and regulations to the particular
circumstances and the possible effects on the financial information.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 58 of 145
13.16 If the auditor believes that the irregularity could have a material effect on the financial information,
he/she should consider the effect of the irregularity on the opinion and as appropriate, perform additional
audit procedures as he/she considers necessary.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 59 of 145
Other implications of irregularities

13.17 Where the auditor finds that within the audited body, there is a high incidence of irregularities, the
impact of these failures could have additional effects:
it may raise doubts about other audit evidence supplied by the audited body, including compliance
reports and management representations;
where internal controls have failed to detect irregularities, this may indicate significant.
Responsibilities for reporting on fraud or irregularity

13.18 As a general principle, the auditor needs to be aware of the internal and external reporting
procedures which the BSO will normally apply when fraud, suspected fraud, or irregularity is discovered.
Knowledge of these procedures, and timely consultation with the appropriate authorities (internal and
external) is important to ensure that investigation of suspected fraud is properly carried out, without risk of
compromising any judicial or administrative proceedings that may follow.
Internal reporting (within the BSO)

13.19 The auditor should normally observe the internal reporting procedures for the notification of fraud,
suspected fraud or irregularity that the BSO has prescribed. To help determine the most appropriate action
to take, the auditor should report to his senior audit management where:
o
o
o
the results of the initial risk assessment, tests of control or substantive testing indicate a possibility
that fraud exists ;
the results of the additional audit procedures point to suspected fraud ; and
management of the audited body fail to take the appropriate action to investigate or report the
suspected fraud .
Reporting to the Audited Body (Management)

13.20 Once the auditor has carried out additional audit procedures to confirm the existence or otherwise
of suspected fraud or other irregularity, he/she should then report the findings to the management of the
audited body as soon as possible. This is normally done via the senior management of the BSO.
13.21 The auditor needs to consider all aspects of the suspected fraud in determining who to report to in
the management of the audited body. In particular, the auditor should assess the likelihood of senior
management involvement in the fraud. In most cases, it is appropriate for the auditor to report the findings
to a management level above that responsible for the persons believed to be implicated in the fraud.
However, where the auditor has doubts about the integrity of those persons ultimately responsible for the
overall direction of the audited body, the auditor should normally seek advice to assist him/her in
determining who to report to on the suspected fraud. Such advice would normally be sought from the Head
of the BSO.
13.22 In the case of suspected fraud or other irregularity, the auditors interest does not end when he/she
has reported to management. The auditor should monitor the audited bodys response to the notification of
the suspected fraud or irregularity and in particular, confirm that:
o
the audited bodys management have taken the necessary action to investigate the
suspected fraud or irregularity (for example by asking Internal Audit to carry out further work,
as appropriate);

o
o
Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 60 of 145
management have notified, and sought advice from, the appropriate authorities (for
example, the Police);
management have reported the proven fraud, suspected fraud, or other irregularity in
accordance with any statutory requirements.
Arrangements in Slovenia
13.23 There are already systems in place within Slovenia for the handling of "irregularities". In
general the same procedures apply to both EU and National Funds, with the additional factor of
agreements entered into between the Republic of Slovenia and the European Union. The guidance
currently in place is part of the Public Internal Financial Control (PIFC) initiative and applies equally to
internal and external auditors.
13.24 In Slovenia the following organisations will be directly involved in the control systems for the
treatment of irregularities in relation to Cohesion Fund:
o
o
o
o
o
o
o
o
o
Government Office for the Prevention of Corruption

Office of the State Prosecutor of the Republic of Slovenia
Ministry of Justice
Ministry of Internal Affairs - Police, Criminal Investigation
Ministry of Finance - the BSO
Ministry of Finance - Tax Administration
Ministry of Finance - Customs Administration
Ministry of Finance - Office for the Prevention of Money Laundering
Ministry of Finance - Foreign Exchange Inspectorate
13.25 In addition an Inter-Ministerial Working Group has been established, comprised of

representatives from the above organisations, to liaise with the European Anti-Fraud Office (OLAF).
More specifically, the BSO acts as the central control point for the collection of information and the
reporting to OLAF of all instances concerning irregularities in the use of European Funds that are
identified during internal audits, independent audits by the BSO and budget inspections.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 61 of 145
APPENDIX 1: INFORMATION SYSTEMS AUDIT GUIDELINE

Introduction
Manyadministrativeandfinancialfunctionsarenowcarriedoutwiththeaidofcomputersystems.The
terminformationsystems(IS)hascomeintogeneraluseforallsuchsystems,asthetermdoesnotprejudge
theamountortypeoftechnologyconcerned.
Thisguidelinedealswiththemethodologyforauditofsuchinformationsystems.Itisintendedtoprovide
guidanceatthelevelrequiredbythegeneralistauditorwhoisfamiliarwiththeissuesandmethodsofIS
audit,canundertakesimpleISaudittasks,andcanuseISauditspecialiststoservegeneralauditobjectives.
Theguidelinedoesnotattempttopresentdetailedspecialistinformationonthehighlytechnicalareasofthe
subject.
Basic concepts and definitions

Thepresenceofinformationtechnologyhasnodirecteffectontheobjectivesofanaudit,butitintroduces
specificcontrolconcernsandmaymeanthattherehavetobechangesintheauditapproach.
Informationtechnologybringstwoparticularproblemsformanagementandauditors:
computersandnetworks,likeanytechnology,arevulnerabletobreakdownanddamage.Assoonasan
organisationorafunctionbecomesdependentoninformationtechnology,therefore,contingencyplanning
becomesmoreimportantthanbeforeandmusttakesufficientaccountoftechnicalmatters.
dataandprogramsheldincomputersystemsareinvisibleandintangible,andtheycanbeaccessedor
changedwithoutleavingatrace.Managementandauditorsalikeneedtotakespecialmeasurestobesureof
thereliability,integrityandconfidentialityofanydataresultingfromcomputers.
Generallyrecognized control techniques have been developed accordingly. IS audit deals with the
evaluationofthesecontrols.DifferentcomponentsofISauditshouldbedistinguishedbecausetheyrequire
differingskilllevels,techniquesandtiming;andbecausetheymakedifferentcontributionstoauditworkas
awhole.Eachofthesecomponentsisnowdiscussed.
General (installation) controls audit

Generalcontrolsarethecontrolsinplaceoverawholecomputerinstallationornetwork.Thequalityof
thesecontrolshasapervasiveeffectonallapplicationsruninthatenvironment:forexample,ifthereare
weaknessesinaccesscontrolattheinstallationlevelorforawholenetwork,itismostlikelythatall
applicationswillbevulnerabletounauthorizedaccess,regardlessofanyspecificaccesscontrolsinthe
applicationsthemselves.
MostauditorsneedsupportfromISspecialiststocarryoutafullgeneralcontrolsaudit. However,full
auditsarenotalwaysnecessary.Generalistauditorsmaybeabletoobtainsufficientassurancethatdataare
completeandcorrect,andthatinternalcontrolscoveringthecomputerarefunctioningadequatelysofaras
theyaffectaparticularaudit,withoutafullreviewofgeneralcontrols.
Insomecasesgeneralistauditorsmayrelyonthirdpartystatements(TPS)givenbyspecialistISauditors.
TheseTPSusuallycoverthegeneralcontrolsregardingcomputercentresand/orapplications.ShouldTPS

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 62 of 145
notbeavailable,generalistauditorsshouldneverthelessalwaysevaluatecertainnontechnicalgeneral
controls:seebelow.
Theareascoveredbygeneralcontrolsauditsaresetoutbelow. Thefirstfouraregeneralmanagement
issueswhichshouldbeaddressedbygeneralistauditorsevenwhenthetechnicalaspectsarenotbeing
examined.
General management issues
organisational: strategic planning, structure and reporting lines of the IS department,

adequatesegregationofdutieswithinthedepartment
ISsecuritypolicy:exists,isadequate,communicatedandfollowed
continuity:backupandstandbyarrangements
managementofITassets
Specialisttechnicalissues
logicalandphysicalaccesscontrols:detailedexecution
operations:alljobssubmittedtothecomputerareproperlyauthorizedandarecompletely,
accuratelyandpromptlyprocessed
systemssoftware(includingspecificaccessrestrictions)
programsmaintenanceanddevelopmentprocedures
data/databasemanagement
datacommunication
(local)networks
ANNEX1givesguidanceforgeneralistauditorsonthefirstfoursubjectsabove.
Applicationaudit
Anapplicationauditevaluatestheinternalcontrolsspecifictotheinput,processing,datafilesandoutputof
adefinedfunction. Allauditorscarryingoutsystemsbasedauditsofadministrativefunctionswhere
informationtechnologyisusedneedtoaddressthisaspectofISaudit.
Applications audits are not necessarily highly technical. Generalist auditors will need to call on IS
specialists where the application controls are exceptionally complex or technical, and there are no
satisfactorycompensatingcontrolsintheuserarea.Butmanyapplicationsaredesignedsothattheygive
definiteassurancetousermanagersthatdataandprocessingareinorderwithoutrequiringthemtobeIS
experts.Insuchcases,checksandprocedures(includingmanualprocedures)routinelycarriedoutbyuser
staffmaygivesatisfactoryassurancethatdataandoutputarereliable.Inmanyauditsituationsthislevelof
assurancewillalsobeadequatefortheauditors.
Theaspectswhichmustalwaysbeaddressedcanbesummarizedinagenerallyapplicableformasfollows:
OrganisationandDocumentation
Managementresponsibilityforeveryaspectofmaintainingandrunningapplicationsshouldbeproperly
allocated.
Thecostsofrunningapplicationsshouldbeidentifiedandkeptunderreview.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 63 of 145
All necessary documentation should exist considering the type of application concerned and the
organisation'sneeds.
Input
Onlyauthorizeditems,andallauthorizeditems,shouldbeinput.
Data input to applications should be accurate and complete. (Input comprises both transaction and
permanent/referencedata.)
Processing
Processing of transactions should be complete and arithmetically accurate, and the results (including
generateddata)shouldbecorrectlyclassifiedandrecordedproperlyinthecomputerfiles.
Otherprocessingactivitiesshouldbecarriedoutontimeandgivecorrectresults.
Datatransmission
Datashouldbetransmittedaccuratelyandcompletely.
Standingdata
Thecontinuedcorrectnessofstoreddatashouldbeensured.
Output
Outputreleasedwhetheronpaper,viascreens,onmagneticmedia,orthroughelectroniclinks,shouldbe
correctandcomplete.
Outputshouldreachallthose,andonlythose,forwhomitisintended.
ANNEX2 presentstheseheadingstogetherwithillustrationsofcontroltechniquesorprocedureswhich
mightbefound.Itisimportantthateachphaseshouldincludeappropriateerrorhandlingprocedures,and
referencestothesearemadeinAnnex2.
Indecidingwhichcontrolsheneedstorelyon,theauditorshouldbearinmindthattestsofcontrolwill
needtoestablish,amongotherthings,thatthecontroloperatedcorrectlythroughouttheperiodsubjectto
audit.Itwillusuallyfavourgooduseofauditresourcesif,wherehehasachoice,theauditorseeksby
preferencetorelyoncontrols intheuserareawhichcanbe testedreadily,providedthatthese give
sufficientassuranceaboutthecontrolobjectiveconcerned. TheuseofCAATs mayhelptoincrease
assurance.Iftherehastoberelianceonthemoretechnicalcontrols,itwilloftenmakeageneralcontrols
auditnecessary.Forexample,tobecertainthatvalidationchecksmadebyaprogramalwaysoperated,the
auditor would need to obtain definite evidence that controls over program changes were effective
throughouttheperiodaquestionwhichwouldinvolveafullgeneralcontrolsaudit.
Computerassistedaudittechniques(CAATs)
ThetermCAATsreferstotheuseofretrievalsoftware(e.gtheproductIDEA)whichauditorsmayuseto
testcontrolsor(muchmorecommonly)tosort,compareorextractdataforfurthertesting.Itisessential
whenusingCAATstoensurethatthedatabeingusedbytheauditorisinfactcompleteandcorrect.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 64 of 145
SpecialisthelpmaybeneededwithCAATs. WhilstsomeCAATsproductsonthemarketcanbeused
relativelyeasilybygeneralistauditors,wherethetaskiscomplex,orwherethedataarenotavailabletoa
packageintheformitrequires,moreadvancedprogrammingskillsareneeded.InsuchcasesCAATscan
beanexpensiveuseofauditresources;thedecisiononwhethertheyareneeded,andthedesignofthe
procedures,shoulddependcloselyontheobjectivesoftheaudit.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 65 of 145
ExamplesofCAATstestsandproceduresare:
identifyingerroneousvalues;
identifyingexceptionalvalues;
testingthepostingorsummarizingoftransactions;
reperformingcomputerizedprocessing(e.g.foreigncurrencyconversions);
comparingdataonseparatefiles;
producingagedanalysisofaccounts;
stratification.
CAATsarethemeanstoanend,notanendinthemselves.TheuseofCAATsneedstobeplannedand
theyshouldonlybeusedwheretheyproduceaddedvalueorwheremanualproceduresarenotpossibleor
lessefficient.Thefunctionstobecarriedoutshouldbedocumentedinadvanceandtheactualusemadeof
CAATsshouldberecorded.Normalrulesofauditevidencemustbeapplied.TheCAATsdocumentation
shouldincludedetailsofallsettings,queriesetc.thatwereusedtoproducetheresults.Inallcases,itis
important tobeableto show that the CAATs program operated on the complete andcorrect set of
underlyingrecords.
Audit of developing systems

Auditsofdevelopingsystemscovertwomainaspects:
themanagementofthedevelopmentwork.Thismaybethesubjectofaperformanceaudit;
theadequacyofthesystemdesignforachievingtheinternalcontrolrequirementsofthefunction(these
shouldnormallybedefinedbyusermanagement).
Itisimportantthatnewinformationsystemsshouldbedesignedinsuchawaythattheyareauditableand
thatthereissufficientinternalcontrol.Sincemakingchangestothedesignbecomesprogressivelymore
expensiveinthelaterstagesofdevelopment,auditorsmustconsidercarefullyboththetimingandthe
natureoftheirapproachtonewinformationsystems.Ifnoauditactionistaken,thereisariskthatsystems
maybeintroducedwhichlackimportantcontrolsorareunnecessarilydifficulttoaudit.Ontheotherhand,
anyauditcontributionmustbemadeinsuchawaythatauditindependenceisretained.Thepossibilities
are:
(a)carryingoutaauditofthedevelopingsystem;
(b)beingdirectlyinvolvedasa user ofthedevelopingapplication;insuchcases,auditindependence
shouldbepreserved,forexamplebyarrangingthatotherauditstaffwillbeavailabletoreviewthesystem
independently;
(c)ensuringthattheprojectowneroranotherprincipal userrepresentsauditabilityrequirements asa
managementrequirementofthesystem(inaccountingsystemsitisquitelogicalfortheaccountanttodo
that,inconsultationwithbothinternalandexternalauditors);
(d) ensuring that the audited organisation has general application design standards that provide for
auditabilityandthatitsqualitycontrolassuresthis(inaddition,internalauditshouldhavearrangementsfor
keepinganeyeonauditabilitygenerally).
Ofthesepossibilities,(a)and(b)bothdemandconsiderableresourcesandmaygivelittleornoreportable
auditresult.Itisthereforenormallypreferabletoworkthrough(c)and(d).

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 66 of 145
Inordertofoster(c),auditorsshouldalwaystaketheopportunityofremindingmanagementoftheneedto
ensure that adequate management/audit trails are specified in new applications, and should invite
consultationattheplanningstageforimportantnewfinancialsystems. ANNEX3 presentsanoteof
generallyapplicable application control requirements, which may be useful in discussions with user
managementofdevelopingsystems.
Thegeneralstandardscanbecheckedbyanexaminationofthesystemsdevelopmentmethodologyapplied
bytheISdivisionoftheauditedbody,andadialoguewiththeISstandardsbranchandtheinternalauditors
toensurethatitisexecutedproperly.
Planningandstaffinginformationsystemsaudits
Staffing and training

Sincetherearenowfewfunctionswithoutsomecomputercomponent,allauditorsneedtoknowhowthe
presenceofcomputersinfluencestheevaluationofinternalcontrol.Trainingprogrammesshouldreflect
thisgeneralrequirement.
AuditorsneedadditionaltrainingtobecomespecialistsinISaudit.AndISprofessionalsusuallydonot
havetrainingincontrolevaluationwhichequatestothatofanauditor.Caremustbetakenthereforethat
staffwhoaretobeISauditspecialistsacquireandmaintainanappropriatebodyofbothISandaudit
knowledge.Specificqualificationsexistwhichcanprovideameasureofthis.ISauditspecialistsareoften
ascarceresource,useofwhichmustbefocusedonthepointswhereitisofgreatestbenefit.Whenthisis
so,itfollowsthatISspecialistsmustonlybecalledonwhentheobjectivesoftheauditandthecomplexity
oftheinformationsystemsmaketheirexpertisenecessary. Thefollowingsection,onplanning,gives
guidanceonthis.
Generalist auditors can be trained in the use of CAATs products without having to become full IS
specialists.
Planning and use of specialists

Standards of IS security and control are not absolute absolute. Too high a level of control (over
engineering)isexpensiveandusuallyinefficient.Thesetofcontrolsinplaceshouldreflectthepurpose
anduseofeachsystem,andisusuallyamixtureoftechnicalandmanualprocedures.Efficientcontrols
overcomputerprocessingmaybefoundinmanualproceduresinuserareas,orinusermanagement
activities.Informationsystemsshould,therefore,notbeexaminedinisolation,butaspartofthegeneral
auditofthewholeadministrativeorfinancialfunctionofwhichtheyarepart.Onlyinthiswaycanthe
auditorrealisticallyassesstheappropriatecontrolstandardandevaluatetheinteractionoftechnicaland
usercontrols.
Attheplanningstage,informationshouldbegatheredtodecideonthescopeoftheISaudittobecarried
out. ItmaybeusefultoconsultanISauditoratthisstagetohelpdecideonpriorities. Inparticular,a
decisionshouldbemadeonwhetherageneralcontrolsreviewisnecessary,andtheextenttowhich
CAATs willneedtobeused. Sincebothofthesecanrepresentanexpensivedemandonspecialist
resources,itmaybenecessarytoapplystrictprioritiesintheuseofISauditors.
Inthelightofthegeneralobjectivesoftheaudit,thefollowingfactorsshouldbetakenintoaccount:

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 67 of 145
theextenttowhichthefunctionconcernedusescomputerprocessingordataheldoncomputers;
theextenttowhichthecorrectnessofprocessinganddataisproved,tothedegreenecessaryforthe
function,bycontrolsintheuserarea,includingusermanagementprocedures;
thecomplexityofthecomputerprocessing,specificallytheextenttowhichthefunctionusesdata
generated by computer programs (as opposed to data which are simply recorded, sorted or
analysedbytheapplication);
thesizeoftheinstallation:forexample,itmaybeintrinsicallyimpossibletohavegoodgeneral
controlsbecausetherearenotenoughstafftoprovidesufficientseparationofduties.Thiswillbe
the case, for example, if a full separation of duties cannot be made between programmers,
operatorsandaccessadministration;
thesensitivityofthedataanddataprotectionobligations;
anyspecialdifficultiesinthemanagement/audittrail.Inolderorpoorlydesignedsystemsthere
maybeproblems,forexampleintracingtheunderlyingdetailsfordatawhichareaccountedforin
aggregate,oringettingassurancethattotalsincludeallrelevanttransactions.Thesewillincrease
theneedfortheauditortouseCAATssimplytoestablishthatdataarecorrect.
GLOSSARY
Application
Asetofprograms,dataandclericalprocedureswhichtogetherformaninformationsystemdesignedto
handleaspecificadministrativeorbusinessfunction(e.g.accounting,paymentofgrants,recordingof
inventory).Mostapplicationscanusefullybeviewedasprocesseswithinput,processing,storeddata,and
output.
Backup
Relatingtotherecoveryofdataandprograms,andtheprovisionofalternativeoperationalcapabilities,in
theeventofdamageorloss.
Backupcopy
Duplicateofdataorsoftwaremaintaineduptodateandavailableforuseincaseofdamagetoorlossofthe
original.
CAATs(Computerassistedaudittechniques)
Computerprogramsforcarryingoutaudittests,retrieving,sortingorselectingdata,orobtainingevidence
onthecorrectnessofprocessing.
Contingencyplanning(alsocalledBusinesscontinuityplanning,Disasterplanning)
Plans and procedures to ensure that information systems (hardware, software, data and
telecommunications)canberestoredtoavailabilityatthelevelandinthetimerequiredafteradisaster
wherebytheequipmentand/orsitebecomeunusable.
Developingsystem
An application which is at any stage of preparation and not yet in live running (production). The
preparation stages may include: proposal, feasibility study, user specification, design, prototyping,
programming,programandsystemtesting,usertesting,conversion,pilotrunning.
Informationsystems(IS)
Systemswhichrecord,distributeorprocessinformation,generallywiththeuseofinformationtechnology.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 68 of 145
Informationtechnology(IT)
Machinery,includingcomputers,usedfordatahandlingandprocessing.
Logicalaccesscontrol
TheuseofsoftwaretopreventunauthorizedaccesstoITresources(includingfiles,data,andprograms)
andtheassociatedadministrativeprocedures.
Owner
Theindividual(orunit)responsibleforparticular(ISorIT)assets,includingtheirsecurityandcorrectness.
Program
Thecompletesetofinstructionsnecessarytosolveaparticularproblemorcarryoutaparticular(setof)
procedure(s)onacomputer.
Software
Computerinstructionsgenerally.
Systemsoftware
Acollectionofprogramsusedtocontrolandmanagetheoperationofacomputerandtheallocationand
useofcomputerresources.(Systemsoftwareincludesprogramswhichcanmodifydataorotherprograms
withoutfollowingthenormalprocessesestablishedintheapplicationconcerned;thereforeaccesstosystem
softwareshouldbeveryrestrictedandstaffwhohavethisaccessshouldbeseparatefromtheprogramming
staffandpreferablyalsofromtheoperationsandaccessmanagementfunctions.)
Thirdpartystatements(TPS)
StatementsgivenbyspecialistISauditorsworkingforanorganisationotherthantheSAI.TPSusually
coverthegeneralcontrolsregardingcomputercentresand/orapplications.Seeparagraph3.6.
User
Individualorunitthatmakesuseofinformationsystems.Specifically,inbusinessandadministration,a
departmentwhichusesinformationsystemstocarryoutthefunctionsforwhichitisresponsibleinthe
organisation.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 69 of 145
ANNEX 1:
GENERAL(INSTALLATION)CONTROLS
GENERAL MANAGEMENT ISSUES
CONTROLOBJECTIVESANDEXAMPLESOFCONTROLTECHNIQUES
CONTROLOBJECTIVES
Possibleproceduresorcontrols
Note:Theseare,ineachcase,arangeofpossibilitiesgivenforillustration;theydonotall
havetobepresenttomeetthecontrolobjective,andtheobjectivemaybemetbyother
means. Theauditorneedstomakeajudgmentontheoveralleffectivenessofthemixof
controlsactuallypresent,bearinginmindthesize,complexityandimportanceofthesystem
concerned.
GA.ORGANISATIONANDMANAGEMENT
GA1.Planning,staffing,reportingandsegregationofduties
ToensurethattheITdepartmentiscorrectlyplacedintheauditedbody(organization)andis
adequatelystaffed,andthatincompatibledutiesareseparated.
1.TheheadofITisofanappropriaterankinviewoftheimportanceofITfortheorganisationandthe
positionoftheITdepartmentwithintheoverallorganisationisconsistentwiththeresponsibilitiesand
objectivesassignedtoit.
2.ITstrategicplansaremadeandreviewedannually,andtheyreceiveseniormanagement(directionor
board)attentionandapproval.
3.ITpersonnelanduserstaffareseparate:ITstaffcannotinitiateorapprovetransactionsanduserstaff
cannotwriteprogramswhichwouldchangedata.
4.AnITorganisationchartispublishedandkeptuptodate.
5.AnITpersonnelpolicyexistswhichwillensurerecruitment,trainingandretentionofstaffwiththe
necessarytypesofexpertiseandwhichprovidesforsuccessionplanning.
6.AdequatesupervisoryandapprovallevelsexistineachfunctionalareawithintheITdepartment.
7.FormaljobdescriptionsexistintheITdepartmentandarekeptuptodate.
8.Operationsandprogrammingstaffareseparate:operatorsmaynotwriteprogramsandprogrammers
maynotoperatethecomputer.
9.IftheITdepartmentislargeenough,staffwhohaveaccesstosystemsoftwareshouldbeseparatefrom
bothprogrammersandoperators.
10.Logicalsecurity(accessrightsandpasswords)isadministeredbystaffwhoarenotresponsiblefor
programming.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 70 of 145
11.Regularliaisonismaintainedwithuserdepartments.
12.Thereisachangemanagementpolicywhichgovernsthedevelopmentandenhancementofapplications
andensuresthatnewprogramsarefullytestedandareacceptedbytheuser.
GB.SECURITYPOLICY
GB1.Securityawarenessandpolicy
To define and communicate information security policies and procedures and to ensure that
management,usersandISpersonnelareawareofsecuritymattersandfollowsecurityprocedures
consistently.
1.Apolicyforaccess,bothlogicalandphysical,tocomputerresourcesexists,iscommunicatedandis
adheredtobymanagementandemployees.
2.Aphysicalsecuritypolicycovering:
accessrestrictionstobuildings,computerrooms,ITstorageareas,
fireandotherdisasters,
contingencyplanning
exists,iscommunicatedandisadheredtobymanagementandemployees.
3.AllstaffwhousePCsarerequiredtosignastatementofthesecurityandotherpracticestheymust
follow,includingphysicalsecurityrules,useonlyofauthorized(andlicensed)software,andantivirus
measures(restrictionsonimportingdangerousdataandprograms).
4.AccesstoITresourcesiscontrolledbyindividualuserIDsandconfidentialpasswords.
5.UserIDsandpasswordsaresetupbyspecificstaffandonlyonthewrittenauthorityofthemanagerof
thepersonwhoneedsaccess.
6.ApolicyonaccessbystafftooutsideresourcesincludingtheInternetisdefinedandannounced.
7.Asecurityofficerwithappropriatetechnicalexpertiseisnominatedandisinvolvedintheapprovalof
accesscontrolschemesimplemented.
8.Securityproceduresareperiodicallytested.
9.Thesecurityofficermakesformalreportsperiodicallyonthestateofsecurityproceduresandthese
reportsarefollowedupbymanagement.
10.ManagementhasformalreviewsofISsecuritycarriedoutfromtimetotimebyspecialists(either
externalconsultantsorinternalaudit).
11.Ifthenetworkisopentoaccessfromoutside(e.g.Internet),afirewallhasbeensetup.
12.Thefirewallseffectivenesshasbeenreviewedbyaspecialistconsultant.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 71 of 145

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 72 of 145
GC.CONTINUITYANDDISASTERRECOVERY
GC1.Backup,off
sitestorage,recoveryanddisasterplan
Toprovidesecurityagainstloss/damageofdataandtoensurecontinuityofoperations.
1.Adetailedpolicyandprocedurecoveringbackupofdataandprogramshasbeenestablished.
2.Filebackuproutinesarescheduledaspartofthenormaldailyactivities(especiallyimportantfor
distributedsystemswithremoteinputetc).
3.Backupcopiesofkeymasterfilesaremadeonanappropriatescheduleandstoredoffsite.
4.Backupcopiesofkeyapplicationprogramsanddocumentationaremadeandstoredoffsite.
5.Backupcopiesofoperatingsystemprogramsaremadeandstoredoffsite.
6. Offsite application and operating system programs are updated or replaced whenever significant
changesaremadetotheprograms.Accesstotheoffsitemasterfiles,applicationprogramsandoperating
systemprogramsisrestrictedtoauthorizedpersonnel.
7.Recoveryandrestartprocedures,includingrapidrestorationofcorruptedorlostfiles,existandaretested
onarecurringbasis.
8.Adisaster(businesscontinuity)planexistswhichenablesongoingoperations,atthelevelrequiredby
users,intheeventoftheITdepartmentinabilitytomaintainthenormalservice.
9.Thedisasterplanisregularlytested(forexample,annually). Formalreportsonthetestsexistand
necessaryactionistakenbymanagement.
10.Copiesofthedisasterplanarestoredinaremotelocation.
GD.MANAGEMENTOFITASSETSANDUSEOFEXTERNALSERVICEPROVIDERS
GD1.ResponsibilitiesfortheorganisationsITassets
ToensurethatresponsibilityformanagementofITassetsisassigned.
1.OrganisationalownershipofeveryITasset(hardware,software,applicationsanddata)isdefined.
2.Personnelandmachineactivityareaccountedfor.
3.Usersaretheownersoftheirdataandapplications.
4.Inventoriesofhardwareexistandareregularlychecked.
5.Areliableinventoryofsoftware(includingsoftwareonPCs)existsandisregularlychecked.
6.Responsibilityforensuringcompliancewiththetermsofsoftwarelicencesisallocatedandmeasuresare
carriedout.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 73 of 145
7.A clearpolicyexistsonthemanagementofandresponsibilityforendusercomputing,coveringamong
otherthings:
security(seeGB1.3);
backuprequirements;
theextenttowhichprogramsmaybedevelopedbyendusers;
thedocumentationandotherstandardrequirementsforsuchlocalprogramsandforspreadsheetswhich
arepartofbusinessfunctions.
8.Thestatusandownershipofemailmessageshasbeendefinedandannouncedtostaff.
GD2.Useofexternalserviceproviders(e.g.outsourcingofspecificservices,useofexternalcomputer
bureaux)
Toensurethattheuseofexternalserviceprovidersismanagedeffectively.
1.Accessbytheauditorsisprovidedfor.
2.Thecontractorservicelevelagreementspecifiesrequirementsincluding,asappropriate:
performance;
security;
dataownershipandaccesstodata;
serviceavailability;
contingencyarrangements(e.g.ifserviceproviderceasesoperations).
3.Managementactivelymonitorsperformanceagainsttherequirementsspecified.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 74 of 145
ANNEX 2
APPLICATIONAUDITS
CONTROL OBJECTIVES AND EXAMPLES OF CONTROL TECHNIQUES
CONTROLOBJECTIVES
Possibleproceduresorcontrols
Note:Theseare,ineachcase,arangeofpossibilitiesgivenforillustration;theydonotall
havetobepresenttomeetthecontrolobjective,andtheobjectivemaybemetbyother
means. Theauditorneedstomakeajudgmentontheoveralleffectivenessofthemixof
controlsactuallypresent,bearinginmindthesize,complexityandimportanceofthesystem
concerned.
AA.ORGANISATIONANDDOCUMENTATION
AA1.Responsibilityforapplications
Toensurethatmanagementresponsibilityforeveryaspectofmaintainingandrunningapplications
isproperlyallocated.
1.Theuser(oraprincipaluser)isdefinedasowneroftheapplication.
2.Maintenanceoftheapplicationanddecisionsonitsfuturedevelopmentareformallymanaged,preferably
bytheowner.
3.Theapplication'sperformanceanditscontributiontotheoperationalfunctionofwhichitformsapartare
activelymanaged,preferablybytheowner.
4.Ownershipofthedatausedbytheapplicationisspecified.
5.Thedutiesofthecomputercentre,andofanythirdparties(e.g.softwarehouses)foroperatingand
supportingtheapplicationarecoveredbyservicelevelagreements(contractuallyinthecaseofthird
parties).
6.Allthedepartmentsresponsibleforinputorforhandlingoutputareknownandtheirresponsibilities(for
timing,quality,securityetc)areformallyagreed.
7.Thedivisionofresponsibilityfortheaccuracyandcontinuedintegrityofstoreddataisclear(ultimate
responsibilityshouldnormallyliewiththeuser).
8.Responsibilityfordeciding,andforexecuting,thesecurityandcontrolrequirementsoftheapplicationis
assigned,takingaccountoftheorganisation'sgeneralsecuritypolicyandoftheITdepartment'sstandard
securitymeasures.
9.Responsibilityforprovidingandformaintainingdocumentation,includingusermanuals,isdefined.
AA2.Costallocation

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 75 of 145
Toensurethatthecostsofrunningapplicationsareidentifiedandthattheyarekeptunderreview.
1.Computerrunningcostsareloggedandtheapplication'sshareidentified.
2.ITdepartmentoverheadsandstaffcostsareidentifiedandallocatedtotheapplications.
3.Running costs are reported to the owner of the application and to those responsible for resource
management,andreviewedinaccordancewiththeorganisation'spolicy.
4.Costsofmaintenanceandenhancementoftheapplicationareidentifiedandreported.
5.Estimatesaremadefordevelopmentandmaintenancetasks,areapprovedbytheownerorresource
manager,andareusedtocontrolthework.
AA3.Documentation
Toensurethatallnecessarydocumentationexistsinthelightofthetypesofapplicationconcerned
andtheorganisation'sneeds.(Documentationmaybekeptonmediaotherthanpaperprovidedthat
availabilityandreliablestorageareassured.)
1.ASYSTEMSSPECIFICATIONdescribesthedataandprocessingoftheapplicationintermswhich
allowittobeaneffectivemediumofcommunicationbetweentheusersandtheITproviders.
2.Thesystemsspecificationiskeptuptodate.
3.Itmeetstheorganisation'sdocumentationstandardsandsystemsdevelopmentmethodology.
4.Itincludes(oraseparatedocumentsetsout)theuser'scontrolneedsandanyotherspecialrequirements
fortheapplication.
5.StructuredPROGRAMDOCUMENTATIONincludingcomprehensiblesourcelistingsisavailableand
iskeptuptodate.
6.Theorganisationsrightstoobtaindocumentationandsourcelistingsdevelopedbyoutsidecontractors
areguaranteedevenifthesupplierbecomesbankrupt(forexamplebydepositingtheminescrow).
7.OPERATORS'INSTRUCTIONSareuptodateandcoveranyspecialactionrequirede.g.responseto
errormessages,abnormaltermination,etc.
8.USERMANUALSfullydescriberesponsibilitiesandproceduresandaresystematicallykeptuptodate.
AB.INPUT
AB1.Authorization
Toensurethatonlyauthorizeditems,andallauthorizeditems,areinput.
1.Accesscontrolsensurethatonlythoseauthorizedhaveaccesstoinputprocesses.
2.Inputisfromauthorizeddocuments,whicharecheckedfortheauthority(usuallyasignature)bythe
persondoingtheinput,orinapreliminaryclericalcheckingstage.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 76 of 145
3.Documentsusedforinputareseriallynumberedandthereisacheckforvalidityandforcompletenessof
sequenceeitherbythecomputerorclerically.
4.Inputotherthantranscriptionofauthorizeddocumentsreceivesauthorizationinaccordancewithits
significancebeforebeingprocessed.(Thismaybeonastatisticalbasiswhereappropriate.)Methods
include:
holdinginputinaspecialcomputerfileuntilreleasedinteractivelybyasupervisor;
flaggingrecentinputforsupervisorycheck;
postinputauthorizationofprintoutsbeforefurtherprocessing.
5.Transmissionofauthorizedandcheckeddocumentsiscontrolledbybatching.
6.Confirmatoryprintsofinputaresenttoauthorizingofficers,whosignforapproval.
7.Changestopermanentdataareproperlyauthorized.
8.Programmed checks prevent validation and processing of input which logically cannot have been
authorized,e.g.paymentsinexcessofavailablebudget.
AB2.Completenessandaccuracy
To ensure that data input to applications is accurate and complete. (Input comprises both
transactionandpermanent/referencedata.)
1.Batchcontrolsincluding(hash)totallingofallsensitivefieldsareused,andapositivecheckismadethat
requiredtotalsmatch.
2.Validationchecksarecarriedoutbyprogramtoensurethatthedataentered:
havetheformatexpectedforeachfield;
arewithinappropriateranges(e.g..notnegativewherelogicallyimpossible;donotexceedpredetermined
reasonableamounts;arewithintheknownsequenceofitemsoftheirkind(chequenumbers,etc).
3.Doublekeyingisusedforsensitivedata.
4.Foronlineentry,inputreportsareproducedshowingaggregatedtotals,whicharecheckedormatched
withtotalsestablishedseparatelyforthesession.
5.Checkdigitsareusedwithreferencenumbersandvalidationactuallychecksthem.
6.Validationincludestestsofselfconsistencyofthedatainput(e.g.debits=credits,referencenumbers
matchrelateddescriptivematerial).
7.Logicalchecksaremadewithaccessibleexistingrecordse.g.accountbalances.
8.Permanentdata(andotherkeydata)areprintedoutandpositivelyapprovedbytheresponsibleuser
beforebeingusedinprocessing.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 77 of 145
9.Errorhandlingclericalorcomputersuspensefilesofinputrejectedbythesystemduringvalidationor
processingaremaintained,andproceduresensurethatsuspensedataispromptlycorrectedandreinput
(withoutbypassingnormalauthorizationandotherinputchecks),orcancelled.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 78 of 145
AC.PROCESSING
AC1.Transactionprocessing
Toensurethatprocessingoftransactionsiscompleteandarithmeticallyaccurate,andthatthe
results(includinggenerateddata)arecorrectlyclassifiedandrecordedproperlyinthecomputer
files.
1.Batchorsessioncontroltotalsarematchedtotheaggregatechangeinappropriatecontrolrecordsin
computerfiles.(Itisimportantthatthestructureofbatchtypesandcontrolrecordsshouldbesuchthat
significantmisclassificationwouldbedetectedbythiscontrol.)
2.Wheretheprogramgeneratesdata(iecarriesoutarithmeticaloperationssuchascurrencyconversion,or
looksupandwritesdatawhichhasalogicalbutnotarithmeticalconnexionwiththeinput,forexample
pay),theusermakescheckseitheragainstaseparatelymadeforecastoftheaggregateamountorofa
sampleoftransactions.
3.Outputincludescontrolprintsorscreensonwhichresponsibleusersmustpositivelycheckandaccept
keycontroltotals.
4.Validationcontrolswithintheprogramsinclude:
(1)ensuringthat(batch)totalsestablishedbeforetheprocessingremaincompletelyaccountedforateach
stage;
(2)consistencycheckswhereinputhandledrecapitulatesinformationalreadyheld(e.g.whenaccount
numberandnamearebothgiven);
(3)rangechecksonamountsgenerated(calculated,lookedup)byprogram.
5.Controlcountsandtotalsaremaintainedoneachofthedatafilesaccessedbytheapplication.
6.Controlcountsandtotalsaremaintainedforeachtransactiontype.
7."Successunits"areusedtoensurethatcomplextransactionsareentirelypostedtoallappropriatefiles,or
elsebackedoutcompletely.
8.Separatecontrolfilesheldonadifferentdeviceareusedtocheckthatappropriatefileversionshavebeen
loaded.
9.Manualcontroltotalsaremaintainedandreconciledonatimelybasistothetotalsproducedbythe
system.
10.Errorhandlingclericalorcomputersuspensefilesofinputrejectedbythesystemduringvalidationor
processingaremaintained,andproceduresensurethatsuspensedataispromptlycorrectedandreinput
(withoutbypassingnormalauthorizationandotherinputchecks),orcancelled.
AC2.Otherprocessing
To ensure that other processing activities (including data reorganisation such as
yearend/monthendprocedures,routinedataintegritychecks,productionofreportsandanalyses

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 79 of 145
notdirectlyrelatedtoinput,supplyofdatatootherapplications,andenquiryfacilities)arecarried
outontimeandgivecorrectresults.
1.Thetimetableforregularprocessingofthistypeiscontrolledbytheuser,andrunsareinitiatedonhis
instructions.
2.Userprocedureslaydownresponsibilityforthecheckstobemadeontheresultsofsuchprocessing(e.g.
checkingthatamountsreportedasprocessedmatchthoseexpected,thatnewaggregatefiguresincontrol
recordsreflecttheadjustmentsforecast,thatmanagementinformationreportsindicatebycontroltotals
thattheyincludethewholebodyofthedataintended).
3.Wheredatabelongingtotheapplicationareavailabletoanenquiryfacility,theappropriatedegreeof
checkisbuiltintotheprocessingwhichproducesresponses(e.g.,wherethisisimportant,provingthatall
relevantrecordshavebeenread,byaggregatingandshowingthetotalfortherecordswithinthesame
controlaccountwhichwerenotselected).
4.Usersofenquiryfacilitiesandownersofotherapplicationsusingthedataareawareofthelevelof
reliabilityofthedataassuchandoftheprogrammedprocedurethroughwhichtheyobtainthem.
AD.DATATRANSMISSION
AD1. Datashouldbetransmittedaccuratelyandcompletely
Toensurethatalldatatransmitted,whetherthroughanetworkorbydisksortapes,isreceivedina
completeandaccuratestate,andthatthereisnolossordisclosureofdataintransit(seealsosection
AF1).
1.Useofcheckdigits,andhashandothercontroltotals.
2.Useofdigitalsignatures.
3.Useofdataencryption.
4.Useofpasswords.
5.Sequentialmessagenumbering,sequencingoftransactions.
6.Reportsconfirmingreceiptaresentandarereconciledpromptlytorecordsofdatatransmitted.
AE.STANDINGDATA
AE1. Continuedcorrectnessofstandingdata
Toensurethatalldatastoredinthesystemasapermanentrecordorforreferenceremainscorrect
andcomplete.
1.Responsibility for checking the continued correctness of data is allocated either to a database
administratorortoappropriateusers.
2.Controltotalsorhashtotalsareusedtomonitorthestateoffilescontainingpermanentdata.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 80 of 145
3.Printoutsofstandingorreferencedataarecheckedperiodicallytosourcedocumentsbytheresponsible
user.Thiscanbedoneonacyclicalorstatisticalbasis,dependingontheriskrepresentedbyincorrect
data.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 81 of 145
AF.OUTPUT
AF1. Correctnessofoutput
To ensure that output released whether on paper, via screens, on magnetic media, or through
electroniclinks,iscorrectandcomplete.
1.Validationandrangeetc.checksarecarriedoutbytheprogramonrecordsoutput.Warningmessagesare
giveniftheoutputdoesnotcomply.Thereisauserprocedureforhandlingsuchwarningmessages.
2.Thereareproceduresinplacetogiveanappropriatedegreeofreasonablenesschecktoprintedoutput
(mayrangefromnoneforinternalpaperwhichisnotabasefordecisions,to100%readthroughagainst
supportingdocuments(e.g.,perhaps,forlargecheques)).
3.Fortransmissionsofpaymentinstructionstobanks:
theresponsibleuserusesbothcontroltotalsandspotchecks(suchassampletestsfromtimetotimeon
thedisktobedespatchedorbrowsingandsamplingthemessagestransmitted)toobtainreasonable
assurancethattheinformationactuallysentisidenticalwiththatauthorized;
despatchoftapesordisksbyasecuremessengerservice;
prepareddisksortapesarestoredsecurelyuptodespatch;
preestablishedlimitsareagreedwiththebankonthetotalamountandonindividualtransactions;
acceptancereportsarereconciledpromptly(intimetorecallpayments)
postpaymentreconciliationisdonepromptly.
4.Outputreportsincludetotalswhicharereconciledbytheusertototalsestablishedbeforeinput.Detailed
printsofinputareavailabletoinvestigatedifferenceswhennecessary.
AF2.Correctdistributionofoutput
Toensurethatoutputreachesallandonlythoseforwhomitisintended.
1.Outputproducedbythecomputercenteriskeptundersurveillance,anddistributedwithappropriate
security/privacy.
2.Mailinglistsforoutputareregularlyreviewedandunnecessaryorincorrectaddresseesremoved.
3.Superfluouscopiesofoutputforwhichthereisnoaddresseearenotproduced.
4.ThegeneralsecurityrulesappliedtoPCs,terminalsandprinterslocatedwithendusersensuresufficient
privacyforoutput,takingintoaccountthelevelofbuildingsecurityandthequalityofpasswordetc
controls.
5.Thepersonresponsibleforsecuritydecisionsfortheapplicationhasaclearpictureofthevarioususer
groupswithaccesstooutputinanyformandmakesdecisionsoncontrolaccordingly(seepointAA1.8
above).Inparticular,logicalaccesscontrolsfortheapplicationtakeaccountofpossibleapproaches
throughallnetworksinwhichtheinstallationisinvolved.
6.Allexpectedoutputisaccountedfor(e.g.useofserialnumberingtodetectunauthorizedsuppressionof
exceptionreports).

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 82 of 145
7.Reportsareregularlyproducedevenifthereisnoproblemtoreport(recipientsshouldthenbecomeused
toreceivingareportandlesslikelytooverlookareportthatissuppressedbysomeonewhodoesnot
wantthereportscontentsknown).
8.Negotiable,sensitiveorcriticalforms(forexamplecheques)shouldbeproperlyloggedandsecuredto
provideadequatesafeguardsagainsttheftordamage.Theformslogshouldberoutinelyreconciledto
inventoryonhandandanydiscrepanciesshouldbeproperlyinvestigated.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 83 of 145
ANNEX 3
APPLICATIONCONTROLREQUIREMENTS
Thefollowingrequirementsareexpressedingeneralterms. Ingeneraltherequirementisthatevidence
shouldbeprovidedatsuitableintervals(forexample,daily)tousermanagerstoenablethemtobeassured
thatthedataandprocessingintheapplicationarecorrect.Specificsolutions(forexampleaggregationsand
controltotals,serialnumbers,reportsforreconciliationorreasonablenesschecking,supervisor/manager
consultationandrecordedapprovalofcontroldataonscreen)needtobedefinedintheearlystagesofthe
project.
Itisassumedinwhatfollowsthatgeneralinstallationcontrolssatisfactorytotheusersareinplaceinthe
systems/networkswhichwillrunthisapplication. Suchcontrolsshouldcover,forexample,physical
access, logical access generally, separation of IT staff duties, backup, disaster recovery, (software)
changes,andshouldincludeperformanceindicatorstomeasuretheefficiencyofthesystem.
1. Access
Theapplicationshouldpreventaccesstoprogramsexceptbyauthorizedstaff,andshouldprovidefor
accesstouserresources(processesordata)tobemanagedby(a)senioruser(s)andtoberestrictedasmay
berequiredtoreflectdifferingpatternsofworkandseparationsofdutiesinuserdivisions(forexample,by
accountcodes,byvalues,byfunctions,etc.).Allaccessshouldbecontrolledandloggedonanindividual
basisandthesystemshouldpreventandreportallunauthorizedaccessattempts.
2. Inputofdata
Thesystemshouldprovideevidencepermittingusermanagerstobesurethatdatainput,includingstanding
data,iscomplete,isvalidatedinaccordancewithuserrequirements,andiscorrectlywrittentothecorrect
files.
3. Integrityofdata
Thesystemshouldbeorganizedsoastoprovideregularevidencetousermanagersthatstandingandstored
dataremainscompleteandcorrect.
4. Transactionprocessing
Thesystemshouldprovideregularevidencethattransactionsare,inaggregate,correctlyprocessedand
writtentothecorrectfiles.
5. Changingdataandprogramsbyemergencyroutes
Sofarastheyarewithintheapplication,theuseofanyemergencydatachangefacilitiesorprocesses,
whichallowdatatobechangedwithoutpassingthroughnormalvalidation,shouldbecapableofbeing
heavilyrestrictedandlogged.
6. Management(audit)trail
All transactions shouldbe traceableforwards and backwards throughthe system. A trail should be
maintainedofdatawhichisaggregatedatvariousreportinglevels,sothatcomponenttransactionscanbe
identified.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 84 of 145
7. Records Allactionsoneachtransactionrecordshouldbestampedwiththeloggedinidentity
concerned,andthemachinetimeanddate(andanactioncode).Fullrecordsofeverychangeshouldbe
retained(nooverwriting).
8. Output Outputsshouldbedatedandtimed,and(wherenecessaryforcontrol)seriallynumbered.
Theremustbeappropriatecontrols(andevidencetotheaccountantthattheyhaveoperated)overelectronic
transferofpaymentdatatoensurethatonlyandallauthorizedtransactionsaretimeouslyexecuted.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 85 of 145
APPENDIX 2: AUDIT OF INTERNAL CONTROL

Types of controls
Internal controls normally comprise both the control environment (that is, the philosophy of
management, the assignment of responsibilities within the management systems, and the
policing of control procedures) and control procedures (preventive and detective measures
introduced by management to protect against fraud, irregularity or error. Control procedures
can be broadly grouped under the following headings:
management controls high level supervision and review by management, including
reviews of performance against budgets, exception reports and the use of internal audit;
organisational controls controls derived from the structure of the organisation, such as
segregation of duties and the clear definition of responsibilities;
authorisation controls controls to stop the processing of a transaction where it has not
been approved at the appropriate level, including clear delegations of authority to
approve transactions and well-defined and documented checks before approval is
given;
operational controls to ensure the complete and accurate processing of transactions,
including sequence checking of numbered documents, reconciliations and the
comparison of one set of documents with another (for example checking purchase
orders against invoices); and
access controls both physical controls, such as safes, and logical controls, such as
password protection of computer files.
An understanding of the nature and likely effectiveness of the management and control system
operated by the auditee is essential so that the audit can be designed to provide adequate
information on the operation of controls for example, to identify the effects of perceived
weaknesses in the control system. The audit should be designed to collect appropriate and
sufficient evidence on the operation of controls, while ensuring the efficient use of resources.
Typically, an audit will involve the identification and testing of all such controls. In carrying
out audits, the auditor must always bear in mind that no control system, however sound it
appears, can guarantee proper administration and completeness and accuracy of transactions.
Audit evidence cannot therefore solely be gained from the controls, and audit tests should, inter
alia, aim to identify events, which may reduce the effectiveness of the controls.
These events may include:
the overriding of controls by those responsible for enforcing them;
human error in the application of controls;
the inability of the control system to deal with a non-standard event or transaction; and
a break down of the control system because of changes or the development of non-standard
procedures.
Methods used in testing the operation of controls
The operation of controls can be tested in a number of ways. In practice, most testing will
involve a combination of the following methods of testing:

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 86 of 145
observation and enquiry essentially, the observation of control staff while they are
undertaking their work and interviews to establish what they do;
examination the obtaining of evidence that controls have functioned correctly, for
example by inspection of documents for evidence that checks have been carried out,
reconciliation, re-performance and walk-through tests; and
sampling a sample of transactions can be taken for examination to determine whether

controls have operated on those transactions. The sample may either be a judgement
sample, or a statistically based sample, which may allow conclusions to be drawn on
the accuracy of all transactions passing through the same system.
Where serious weaknesses are identified in control procedures, the auditor will need to
consider whether additional audit procedures (such as substantive testing) are necessary to
provide further information on the effects of the weaknesses. In all such cases, the auditor
should make recommendations to management aimed at ensuring the improvement of systems
to address the weaknesses identified.
Documentation and testing of systems for Cohesion Fund

In addition to the above, auditors must ensure that they cover the following tests that are
required by the EC Regulations.
A key element of an audit of activities co-financed by the Cohesion Fund is to examine
whether management and control systems are operating effectively at all relevant levels. This
examination involves the documentation of the relevant systems (including appropriate
information from the audit trail), together with testing (tests of controls) to examine whether
the systems are actually operating as described and are effective.
Tests of controls should check that management and control systems are operating consistently
and effectively. Tests should be carried out on a sample of transactions selected for on the spot
audits. Where the effectiveness of the management and control system is likely to vary (for
example where different staff are responsible for applying the same checks on different
transaction streams), the auditor should ensure that the sample is representative of these
possible differences. It is important during tests of controls to identify the reasons for any
errors and omissions identified, which may indicate weaknesses in management and control
systems. In addition to the documentation of systems, audits involve tests of controls
(compliance or conformity tests) and the in-depth checking ( substantive testing) of a selected
expenditure declaration against source documents and other relevant information. The purpose
of this checking is to enable a conclusion to be reached on the accuracy and validity of the
particular expenditure declaration examined.
Substantive testing may also include analytical review for example the comparison of
different ratios or trends to identify possible areas for further investigation. Tests should also
include reconciliation between expenditure declared by the auditee to a higher authority and
the financial records maintained by the auditee. In addition to verifying the accuracy of
payment requests, such checks can be a useful indicator of the effectiveness of the audit carried
out by higher authorities and of the proper functioning of the audit trail.
The results of the tests of controls should be documented in working papers for presentation in
the audit report. Auditors should clearly describe, in separate working papers, the problems or
errors identified during audits, their effects and the recommended solutions. All weaknesses

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 87 of 145
and errors should be discussed with auditees and their views recorded for use in the audit
report. Working papers, including the analysis of problems, effects and solutions should then
be used in the preparation of the audit report.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 88 of 145
APPENDIX 3: GUIDANCE FOR PERFORMANCE OF 15 PER

CENT CHECKS
Introduction
Figure 1: The relevant criteria for the 15 per cent sample checks
REGULATIONS
Articles 9-11 of Regulation (EC) No 1386/2002, based on Article 12 of Regulation (EC) No
1164/94, and again largely taken - via Regulation 438/2001 - from Regulation 2064/97, are the
parallel provisions governing sample checks and systems audits of projects co-financed by the
Cohesion Fund. On account of the larger size and higher average aid rate of projects, sample
checks here are required to cover 15% of expenditure, taking as the basis the total eligible
expenditure on projects that are financed by the Cohesion Fund over the period 2000-2006 and
which were first approved after 1 January 2000.
Article 12 of CR 1386/2002 states that in accordance with Article G(1) of Annex II to Regulation
(EC) 1164/94, Member States shall inform the Commission by 30 June each year (and for the first
time by 30 June 2003) of their application of Articles 9-11, above, in the previous calendar year.
The aim of this Appendix is to provide an approach for the auditor to conduct tests which fulfil
the EC requirements.
Audit planning scheme
The audit shall examine whether the expenditure on Cohesion Fund projects was spent in
accordance with the rules and regulations covering the assistance granted.
The audit shall be based on substantive audit procedures comprising a minimum 15% check of
programmes and projects. The selection of these projects will be determined via a risk
assessment approach. Projects will be tested at the transaction level to help form an opinion on
the performance of that project in that period.
At the end of the assistance the information from testing over the whole life of the assistance
will be combined to provide the winding-up declaration.
Risk assessment and selection of projects
Risk assessment
Decide on a set of clear risk based criteria in order to select a sample of projects. This is called
a risk based approach and is used as a method to stratify the projects into distinct risk

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 89 of 145
categories from which a multistage sample of projects and payments within projects can be
randomly selected to achieve a 15 per cent check of expenditure in each year and therefore
over the life of the assistance.
Figure 2: The criteria for assessing risk
Complexity
Control
risk
Staff
turnover
Criteria
Prior audit
checks
Size of
subsidy
Type of
programme
Project manager
experience
Criteria should include (Figure 2):

Complexity in terms of multiple streams of funds for one programme, legislation,
administrative organisation, decentralisation;
The size of the payment or receipt in-year compared to the total Cohesion Fund values;
The type of project: certain projects may be connected with greater inherent risk than
others;
The project manager. There can be public or private project managers, they can be newly
established or experienced, in general the more experienced the project manager the less
risk there is attached to the project;
Whether the project has been sampled before, if a project has not been sampled before it
will be given a greater probability of selection than one chosen in the prior year;
Great staff turnover or substitutes within the organisation, a project with a high turnover
of staff may prove more risky as staff will be new to the work and require training; and
Control risk: the risk that the organisations internal controls do not discover the errors,
little would be known about this initially, but as more controls work is carried out the
information on this should be improved.
Risk assessment questionnaire
To assess the risk for each project the auditor should complete a risk assessment
questionnaire(Figure 3). For each project the auditor should assess the risks under the seven
key criteria. Each of these criteria has a weight attached to it and the risk score for the criteria

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 90 of 145
is multiplied by the weight of that criteria. The total weighted score over all seven criteria
should then be totalled to obtain a final score for the project. This score can then be placed
within the high, medium or low risk category.
Figure 3: An illustration of the risk assessment questionnaire

RISK CRITERIA
RISK SCORE
3
4 Weight Rating
50,000 Over
4
16
100,000
100,000
High risk Very high
4
8
risk
Poor Very poor
4
12
1
2
What is the size of the project
Under
10,000budget
10,000
50,000
What risk is associated with the
Very low
Low risk
project
risk
How good are management
Very good
Good
control structures
How experienced are the project
Very Experienced
Little
No
3
6
managers
experienced
experience experience
Has the project been sampled
In last year
2-3 years
4-5 years
No
3
12
before
ago
ago
How complex is the project in
Not at all
Not
Complex
Highly
2
4
terms of its funding streams,
complex
complex
complex
legislation, and organisation
What is the level of staff
Very low
Low
High Very high
2
4
turnover in the project manager's
turnover
turnover
turnover
turnover
organisation
Total Score
22
62
Low
Medium
High
Risk Category
22 to 40
41 to 50
51 to 88
The numbers in the figure are provided for illustrative purposes, the values for the size of
projects have yet to be determined and the weights and risk category values could also be
altered.
Sample selection procedure
The objective is to ensure that the requirements set out in the Regulations are met. In order to
meet the requirements of this regulation the auditor should ensure that:
the checks carried out before the winding-up of each project shall cover at least 15 % of
the total eligible expenditure;
Beneficiary Countries shall seek to spread the implementation of the checks evenly over
the period concerned; and
There is an appropriate separation of tasks as between such checks and implementation or
payment procedures concerning operations.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 91 of 145
The risk assessment should be conducted for all the projects. This will provide the auditor with
a list of projects divided into high, medium and low risk categories. The sample shall be
selected using these risk categories as the basis for stratification.
The overall sample size required for projects is calculated using stratified sampling theory
(Annex 1). This sample size is allocated between categories in proportion to the amount of
total expenditure within each strata for the period being tested, where this value is greater than
the number of projects it is reduced to the number of projects in the strata, and where it is less
than one project, it is rounded up to one project (Figure 4).

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 92 of 145
Figure 4: Example of stratified sample size calculation

Project sampling information
Projects
High
Medium
Low
Total
6
14
10
30
Expenditure Proportion
SIT 40,000,000
77.5%
SIT 11,084,167
21.5%
SIT 540,833
1.0%
SIT 51,625,000
100.0%
Sample size
6
2
1
10
Sample Expenditure
SIT 40,000,000
SIT 1,958,333
SIT 12,500
SIT 41,970,833
The formulae used to calculate the overall sample size is shown at Annex 1
The projects should be selected randomly from within the risk categories. This will ensure that
the sample is representative of all types of projects and is targeted to the areas of greatest risk.
The requirement is to check a minimum of 15 per cent of the expenditure. If the auditor were to
test all of the expenditure on the selected projects this would more than exceed the 15 per cent
due to the targeting of high expenditure, high risk projects. The sample should therefore be
treated as a multistage audit and the expenditure within the sampled projects should also be
sampled so that a minimum of 15 per cent of annual expenditure is tested each year.
Figure 5: Calculation of payment sample to ensure 15 per cent of expenditure
Payment sampling information
High
Medium
Low
Total
Payments
689
75
4
768
Expenditure
SIT 40,000,000
SIT 1,958,333
SIT 12,500
SIT 41,970,833
Average
SIT 58,055
SIT 26,111
SIT 3,125
SIT 87,291
Proportion
89.7%
9.8%
0.5%
100.0%
Of target
Payments
SIT 2,315,731
40
SIT 252,075
10
SIT 13,444
4
SIT 2,581,250
54
The number of payments to test is calculated in order to be proportional to the number of

payments and to ensure that the 15 per cent target is achieved.
Figure 5 shows how this can be achieved. Using the expenditure and number of payments in
each risk strata an average value for each category can be calculated. The proportion of
payments can also be calculated and applied to the target value of 15 per cent of expenditure in
the period. By dividing this proportion of the target figure by the average for the risk category
a number of payments under each category can be assigned. This assignment should be done,
where possible on an equal basis (Figure 6).

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 93 of 145
Figure 6: Stratified multistage sampling approach

FUND
Project 1
Project 2
Project 3
Project 4
Project 5
Project 6
Project 7
Project 8
Project 9
Project 10
Project 11
Project 12
Project 13
Project 14
Project 15
Project 16
Project 17
Project 18
Project 19
Project 20
Project 21
Project 22
Project 23
Project 24
Project 25
Project 26
Project 27
Project 28
Project 29
Project 30
Risk Assessment
High
High
High
High
High
High
Total
Mean
Standard deviation
Medium
Medium
Medium
Medium
Medium
Medium
Medium
Medium
Medium
Medium
Medium
Medium
Medium
Medium
Total
Mean
Standard deviation
Low
Low
Low
Low
Low
Low
Low
Low
Low
Low
Total
Mean
Standard deviation
Total
Mean
5 Per cent
Budgeted
Expenditure
SIT 150,000,000
SIT 75,000,000
SIT 15,000,000
SIT 25,000,000
SIT 60,000,000
SIT 35,000,000
SIT 360,000,000
SIT 1,000,000
SIT 6,000,000
SIT 2,500,000
SIT 3,750,000
SIT 4,650,000
SIT 1,750,000
SIT 7,350,000
SIT 8,000,000
SIT 9,150,000
SIT 1,950,000
SIT 4,050,000
SIT 2,600,000
SIT 6,605,000
SIT 7,150,000
SIT 66,505,000
SIT 25,000
SIT 320,000
SIT 750,000
SIT 115,000
SIT 75,000
SIT 250,000
SIT 315,000
SIT 825,000
SIT 90,000
SIT 480,000
SIT 3,245,000
SIT 429,750,000
SIT 21,487,500
Expenditure in
period
SIT 5,000,000
SIT 12,500,000
SIT 2,500,000
SIT 4,166,667
SIT 10,000,000
SIT 5,833,333
SIT 40,000,000
SIT 6,666,667
SIT 3,800,585
SIT 166,667
SIT 1,000,000
SIT 416,667
SIT 625,000
SIT 775,000
SIT 291,667
SIT 1,225,000
SIT 1,333,333
SIT 1,525,000
SIT 325,000
SIT 675,000
SIT 433,333
SIT 1,100,833
SIT 1,191,667
SIT 11,084,167
SIT 791,726
SIT 437,391
SIT 4,167
SIT 53,333
SIT 125,000
SIT 19,167
SIT 12,500
SIT 41,667
SIT 52,500
SIT 137,500
SIT 15,000
SIT 80,000
SIT 540,833
SIT 54,083
SIT 46,885
SIT 51,625,000
SIT 1,720,833
SIT 2,581,250
Sampled projects
Payments in
period
Sampled
Payments
Sampled
Expenditure
SIT 5,000,000
SIT 12,500,000
SIT 2,500,000
SIT 4,166,667
SIT 10,000,000
SIT 5,833,333
SIT 40,000,000
SIT 6,666,667
SIT 3,800,585
4
300
50
10
250
75
689
4
8
7
7
7
7
40
SIT 5,000,000
SIT 333,333
SIT 350,000
SIT 2,916,667
SIT 280,000
SIT 544,444
SIT 9,424,444
SIT 625,000
45
SIT 69,444
SIT 1,333,333
30
SIT 222,222
SIT 1,958,333
SIT 979,167
SIT 500,867
75
10
SIT 291,667
SIT 12,500
SIT 12,500
SIT 12,500
SIT 12,500
SIT 0
SIT 41,970,833
SIT 12,500
768
54
SIT 9,728,611
The above dataset is for illustrative purposes only to demonstrate how the techniques should be
applied.
Substantive procedures
In accordance with the Regulations the Beneficiary Country shall organise checks on measures
on an appropriate sampling basis, designed in particular to:
verify the effectiveness of the management and control systems in place; and
verify selectively, on the basis of risk analysis, expenditure declarations made at the
various levels concerned.
The checks can be completed using the following audit programme.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 94 of 145
Audit programme
Inspection officer:
Project:
Inspection date: / /
Project Ref:
Risk rating: High / Medium / Low

Total approved expenditure
SIT
Expenditure during period
SIT
Total value checked during inspection
SIT
Value of ineligible expenditure
SIT
Are the issues laid down in Annex III. 4 addressed?
Satisfactory (S)
Unsatisfactory (U)
No response possible
(N)
Practical application and effectiveness of the management and

control systems
Correspondence of accounting records with supporting
documents held by intermediate bodies, final beneficiaries and
the bodies carrying out the operations
Sufficient audit trail
Eligibility of expenditure
Consistency between the use of the project and the use
described in the original application to the EC
Sufficient national co-financing
EC contributions are within the limits laid down in the
Financing Memorandum
EC grants are paid to final beneficiaries without any reduction
or delay
Compatibility with other EU policies and actions, including
rules on competition, on the award of public contracts (tenders)
and on environmental protection
Comments on findings

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 95 of 145
Reporting results
Individual programmes
To report the results a report can be written for each project detailing the sample results for
payments tested within that project, combined with findings from work on the management
and control over the project.
Annual reports
The work across all projects can be combined to give a report for the period drawing out
similar themes of weaknesses and strengths in management and controls as well as informing
on any ineligible monetary payments.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 96 of 145
Annex 1
Step by step guide to drawing a 15 per cent sample
1
Using the risk matrix divide the projects or programmes into risk categories, if there are
no differences in risk then put all the projects or programmes into one category.
Using the formula below calculate the sample size required for the number of projects.
3 Nh = population size for high strata, nh = sample size for high strata
Nm = population size for medium strata, nm = sample size for medium strata
Nl = population size for low strata, nl = sample size for low strata
Xh= population expenditure for high strata
Xm= population expenditure for medium strata
Expenditufor
rein
thstrata
e period
Xl= population expenditure
low
Proportion
Project sample size
M = materiality, set at 5%
of total value, X = (Xh+X
m+Xl)
77
,5%
SIT 40.000.000
6 High risk projects
2x = variance = standard deviation2
Shouldbe7 but
already sam
plingall
high risk projects
z = z score for confidence required = 1.96 for 95 per cent

14 Mediumrisk
projects
SIT 11.084.167
21,5%
Sample size, n = X * (N2I)* (2xi/XI))

(M/z) 2 + (N * 2x )
I
i
10 Low risk
1,0%
1
SIT 540.833
projects
Stratified sample sizes nh= n * (Xh/X), nm= n * (Xm/X), nl= n * (Xl/X)
30 projects in total
SIT 51.625.000
100,0%
10
To calculate the stratified sample size in each risk category divide the overall
sample size from step 2 in proportion to the total expenditure in the period in each risk
category (see formula for stratified sample sizes above). Select the projects or
programmes randomly from within the risk category. If any of the stratified sample
sizes are larger than the population of projects or programmes in that strata, simply test
the whole population.
4
To calculate the sample size for payments at those projects or programmes calculate an
average expenditure per payment for each risk category.
Expenditurein the period
Average
689 paym
ents
over 6 projects
SIT 40.000.000
SIT 58.055
75 paym
ents
over 2 projects
SIT 1.958.333
SIT 26.111
SIT 12.500
SIT 3.125
SIT 41.970.833
SIT 87.291
4 paym
ents over
1 project
768 paym
ents in total

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 97 of 145
Calculate 15 per cent of the overall expenditure in the period over all projects or
programmes. Allocate this amount to each risk category in proportion to the number of
payments in each risk category for the selected projects or programmes. Divide this
expenditure by the average payment to get the sample size for each risk category.
Divide the sample size on an equal basis between the projects or programmes, and then
select random payments from within those projects or programmes.
This approach ensures that higher risks are targeted, that the sample is selected in a
statistically robust manner and that 15 per cent coverage of expenditure in the period is
achieved.
If, at any stage, there is insufficient information increase the sample size to cover the
additional bias which may be included from the non-statistical element.
Average
Proportion 15%total expenditurein

periodsplit by proportion
89,7%
SIT 6.946.144
Payment sam
ple
size
120
689 payments
over 6 projects
SIT 58.055
75 payments
over 2 projects
SIT 26.111
9,8%
SIT 758.887
29
4 payments over
1 project
SIT 3.125
0,5%
SIT 38.719
12
SIT 87.291
100,0%
SIT 7.743.750
161
768 paym
ents in total

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 98 of 145
APPENDIX 4: OBJECTIVES OF SUBSTANTIVE TESTS

This Appendix sets out guidance on the broad criteria to be used in designing substantive tests
in relation to Cohesion Fund actions.
The objective of substantive testing is to determine the conformity of individual transactions or
activities with the relevant rules or regulations. In the context of a Cohesion Fund audit, these
tests are used in particular to carry out further investigation where systems weaknesses have
been identified. Because substantive tests are used to investigate particular types of
transaction, audit programmes will need to be developed to meet each eventuality using the
criteria set out below.
Each substantive test audit programme should be designed to check that the following criteria
are met. Each criterion is illustrated by a possible substantive test. Note that the examples are
not intended to be definitive or complete.
Criterion
Nature and example of a substantive test
Legality and
regularity of the
activity
A check that the activity actually carried out conforms to the relevant
legal base. For example, the tests could examine whether a particular
activity undertaken under the Cohesion Fund conforms to the detailed
requirements of the regulations in respect of the amount or percentage
rate of financing.
A check that financial and other information systems record all relevant
details. For example, a substantive test could check whether all
incoming invoices were allocated a sequential number and were all
accounted for, and held centrally by the project manager/ final
beneficiary and whether all receipts or works done resulted in an
invoice. Analytical procedures may be used in connection with these
tests especially ratios and predictive tests.
A check that operations recorded within financial and other systems
actually took place. For example, a substantive test could check that
payments to subcontractors recorded in financial systems actually took
place through tracing booked payments to bank statements. Likewise,
stock records could be examined to test whether goods were actually
delivered.
Completeness of
financial and
other records
Reality of the
operation
Measurement of
the activity
A check that amounts of transactions are calculated on the correct basis.

For example, a substantive test may check that the correct exchange rate
was used in converting a claim from national currency into EURO.

Criterion
Valuation
Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 99 of 145
Nature and example of a substantive test
A check that assets and other items are recorded at the correct value in
financial records. For example, a substantive test may check that the
sale or purchase of an asset purchased with Cohesion Fund support is
recorded at the correct value in the accounting system by checking the
original invoice or sale note.
Existence
A check that assets and other items actually exist. For example, a
substantive test may check that an asset recorded in the financial records
actually exists. These substantive tests involve the physical verification
of existence confirmation by custodian of the assets, or actually seeing
the asset.
Ownership
A check that assets recorded are actually owned or properly used by the
audited body. For example, a substantive test may involve checking that
the audited body has a valid lease, or is the legal owner, of premises
used for and financially supported by Cohesion Fund activity.
Quality of inputs A check that inputs and outputs are of an appropriate quality. For
and outputs
example, for inputs we could check that the accounting system has input
controls built in, to ensure a completeness and integrity control of data.
For outputs, we could check that the system ensures through process
controls that reporting is complete and correct.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 100 of 145
APPENDIX 5: SUGGESTED LIST OF KEY QUESTIONS TO

EXAMINE THE MANAGEMENT CONTROL
SYSTEMS
This appendix sets out the audit objectives and gives examples of the detailed questions to be
asked. The appendix provides a structure for the audits, including the criteria which should be
used to assess compliance with regulations and other requirements.
Note that where a question asks whether there are procedures to ensure a particular
action or activity, the answers to these questions will be provided both through
documentation of systems and through tests of controls and/ or substantive tests to
determine whether the system actually operates effectively in practice.
The checklists have been prepared in a modular format, whereby all of the questions covered
by the Appendix may be used during an audit, or specific objectives may be selected for use.
Audit
objective
1.
Activity /
Process
Objective
Whether there are adequate procedures to ensure that systems

Systems
descriptions are reviewed and updated and changes notified to the
descriptions Commission as required. (Art.5 and Art. 12 of Commission
Regulation 1386/02)
2.
Approval
Whether there are adequate procedures to ensure that applications

for aid and the decisions reached on those applications comply
with the relevant rules, are in accordance with the needs of the area
in question, and that decisions by the authority are fully
documented. (Art 10 of Council Regulation 1164/94)
3.
Monitoring
Whether there are adequate procedures for the effective monitoring

of both the physical and financial progress of Cohesion Fund
projects throughout their lifetime.
4.
Guidance
Whether there are adequate procedures in place to ensure that

adequate guidance is given to the bodies responsible for the
implementation of Cohesion Fund projects. (Art. 2 of Commission
Regulation 1386/02)
5.
Irregularity
reporting
Whether there are adequate procedures to ensure that irregularity

reports are prepared, submitted, followed-up and recoveries made
where appropriate. (Art.7 of Commission Regulation 1386/02)
6.
Audit
Whether there are adequate procedures and arrangements in place

for the audit of Member States management and control systems
for the Cohesion Fund. (Art. 9, 10, 11, 12 of Commission
Regulation 1386/02) and for the drawing up of the winding-up

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 101 of 145
declaration (Art 12.1(f) of Council Regulation 1164/94 and Art. 13,

14 and 15 of Commission Regulation 1386/02)
7.
Whether the relevant authorities have adequate financial and

Operational
checking procedures to ensure the regularity, legality and eligibility
Checks
of expenditure. (Art. 4 and 8 of Commission Regulation 1386/02)
8.
Whether there are adequate arrangements in place to ensure

compliance with the publicity requirements set out both in the
Commission Decision for the particular project and in Commission
Decision 96/455.
Publicity
9.
Whether the Member State has adequate procedures for

Accounting maintaining adequate accounting records on projects which are
information available to the Commission on request. (Art. 16 of Commission
Regulation 1386/02) .
10.
Whether there are adequate procedures in place to ensure that the

management and control systems provide a sufficient audit trail.
(Art. 6 of Commission Regulation 1386/02)
Audit trail

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 102 of 145
Checklist for the audit of Management and Control Systems for the
Cohesion Fund
Prepared. by: ______________________________ Date: ________________
Follow up by: _____________________________ Date: ________________
Revised by: _______________________________ Date: ________________
Systems description
Objective: Whether there are adequate procedures to ensure that systems descriptions are reviewed and
updated and changes notified to the Commission as required. (Art.5 and Art. 12 of Commission
Regulation 1386/02)
Question
Has the Member State submitted the system
description in accordance with the Regulations, as
required by Article 5 of Regulation 1386/02 and by
the due date?
If yes, indicate record date of receipt
If not received by due date7 Nov., ask when expected
Has the Member State designated an appropriate
person with responsibility for monitoring changes to
the system ?
If yes, indicate the person responsible and procedure
If not, indicate when expected to have such a procedure
Is there a formal procedure to ensure that changes to
the system are notified to the responsible person ?
If yes, obtain a copy of the document
If not, is there a uniform/standard procedure ?
If yes, describe the procedure
Overall conclusion regarding the systems descriptions
Yes/No/
N/A
File
ref
Comments

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 103 of 145
Application and approval process

Objective: Whether there are adequate procedures to ensure that applications for aid and the decisions
reached on those applications comply with the relevant rules, are in accordance with the needs of the
area in question, and that decisions by the authority are fully documented. (Art 10 of Council
Regulation 1164/94)
Question
Yes/No/
N/A
File
ref
Comments
Does the systems description adequately describe the

application and approval process ?
Has the national authority carried out an in-depth
study of the regions needs as regards CF assistance ?
If yes:
Is this study recent and up to date ?
Is there a clear link between the projects selected and
the assessed needs ?
Are there controls to ensure an even split of
environmental and transport projects ?
Is there a procedures manual that covers the
application and approval process ?
Is there a designated person who has the authority and
responsibility to approve applications ?
Are there adequate procedures to ensure that approved
projects are in conformity with EU Regulation, in
terms of:
Environmental impact assessment ?
Transport strategy ?
Are there adequate procedures to ensure that the same
project does not receive other EU funding ?
Are there procedures to establish the VAT status of the final
beneficiary at the outset, to ensure that:
the financial plan is accurately costed ?
the eligibility of expenditure to be declared on the
project is correctly stated (net or gross) ?
Overall conclusion regarding the adequacy of the Application and Approval process

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 104 of 145
Project Monitoring process

Objective: Whether there are adequate procedures for the effective monitoring of both the physical and
financial progress of Cohesion Fund projects throughout their lifetime.
Question
Yes/No/
N/A
File
ref

project monitoring process ?
Is there a procedures manual that covers the project
monitoring process ?
Do the written procedures set out:
how actions are to be monitored ?
checks to be carried out on progress reports received ?
action to be taken where progress is unsatisfactory ?
Are there procedures to ensure that the operation of
projects is monitored throughout its lifetime as
regards:
the relevant conditions contained in the Commission
Decision approving the project ?
EU and National rules on:
Publicity ?
Public procurement ?
Eligibility of expenditure ?
Do progress reports cover both financial and physical
progress ?
Indicate who prepares these reports
Are reports received in accordance with an agreed
timetable ?
Monitoring Committee
Does it consist of suitably qualified people ?
Are progress reports on projects sufficiently detailed
(financial and physical data) to give a true view of
project progress ?
Are there procedures to ensure that action is taken as
regards areas of weakness/problems identified by the
Monitoring Committee ?
Indicate who is responsible for follow up action
Overall conclusion regarding the adequacy of the Project Monitoring process
Comments

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 105 of 145
Guidance
Objective: Whether there are adequate procedures in place to ensure that adequate guidance is given to
the bodies responsible for the implementation of Cohesion Fund projects. (Art. 2 of Commission
Regulation 1386/02)
Question
Yes/No/ File
Comments
N/A
ref
Has the responsibility for issuing relevant guidance
been assigned to a particular person / unit ? (at each
level , Paying / Managing and Intermediate levels)
Has guidance been issued covering all of the
authorities and bodies responsible for the general
management, co-ordination and implementation of CF
projects ?
Is the guidance issued sufficient to assist those authorities to
establish the systems necessary to provide adequate assurance:
of the correctness, regularity and eligibility of
expenditure ?
that projects are carried out in accordance with the
terms of the relevant decision ?
Overall conclusion regarding the adequacy of the arrangements in place for the issuing of guidance

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 106 of 145
Irregularity reporting / Recoveries

Objective: Whether there are adequate procedures to ensure that irregularity reports are prepared,
submitted, followed-up and recoveries made where appropriate. (Art.7 of Commission Regulation
1386/02)
Question
Yes/No/
N/A
File
ref
Comments

irregularity reporting process ?
Has the responsibility for preparation, submission and
follow up of irregularities been assigned to a particular
person / unit ? (at each level , Paying / Managing and
Intermediate levels)
Indicate:
How often are irregularity reports prepared
How are cases of identified irregularities followed-up
If a distinction between systemic and non systemic irregularities
is made
Article 7 of Regulation 1386/02
Has the responsibility for accounting for and making
recoveries of Cohesion Fund aid been assigned to a
particular individual / unit ?
Is there a debtors ledger system used to record the
status of recoveries ?
Indicate who maintains this record
Are there procedures in place to ensure that recoveries
are made without unjustified delays ?
Are there procedures in place to ensure that the Paying
Authority sends the Commission once a year, a
statement of the amounts awaiting recovery at that
date, classified by the year of initiation of the recovery
proceedings ?
Indicate who is responsible for this
Overall conclusion regarding the adequacy of the Irregularity Reporting process

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 107 of 145
Audit arrangements
Objective: To ensure that there are adequate arrangements in place for the audit of Member States
management and control system for the Cohesion Fund (Article 9 of Reg. 1386/02) NOTE: This work
to be carried out by the BSO, but the guidance and methodology is temporarily included for
information.
Question
Yes/No/ File
Comments
N/A
ref
audit arrangements in place?
Has the responsibility for the systems audits required
by Art 9 of Reg. 1386/02 been assigned to a specific
body ?
If yes, indicate which is the body responsible
If not, ask when and to whom it is expected to designate this
responsibility
Are these bodies functionally independent from the
operational bodies (Paying / Managing / Implementing
etc) ?
Indicate who they report to
Have operational bodies any influence over which
projects are selected for audit ?
Are these bodies (i.e. bodies responsible for Article 9
audits) adequately staffed with suitably experienced /
qualified personnel ? (Get details)
Do these bodies use risk analysis in the selection of
projects / transactions to be audited ?
Obtain details/examples of the application of risk analysis
Indicate how an even spread of checks over the entire period is
ensured (2000-06)
Indicate how an appropriate mix of types and sizes of projects to
be examined (i.e. balance between environment and transport)
and coverage of all implementing bodies is ensured
Have these bodies drawn up annual audit plans for the
Cohesion Fund for the current year ? (Obtain copy of
plan and program and assess same)
Do these bodies use a standard report format (similar
to the example report in the CF Manual) ? (Obtain
example)
Are there procedures in place within these bodies to
follow up the findings and recommendations made in
their reports ?
If yes, indicate procedure
Have these units developed audit checklists specific to
the audit of Cohesion Fund projects ?
Is there evidence indicating that the manager has a

Document No.
Version
Come into force
Page
separate register for each project ?

Is there evidence indicating that the supporting
documents allow the physical verification of the
project ?
Is there evidence indicating that the delivery of goods
and services can be related to the supporting
documents ?
Do these checklists cover issues such as publicity,
public procurement and eligibility ?
Obtain copies of the checklist and evaluate the quality of same
Have auditing responsibilities been delegated to bodies
in other Departments ?
If yes, obtain evidence that formal arrangements have
been put in place for this work e.g. copies of agreements /
protocols
Have auditing responsibilities been contracted out to
private companies ?
If yes, obtain evidence of:
Terms of reference for the work
Guidance issued to these companies regarding EU eligibility,
procurement and publicity rules
How their work is controlled
Designation of a person to review and monitor the work being
carried out by these private companies
Is a schedule maintained on an ongoing basis
of the progress to date as regards both the
minimum 15% transaction testing and the
systems testing ?
Do these bodies or private firms carry out on
the spot visits to projects as part of their audits
?
Has the responsibility for drawing up the statement
required under Art 12.1(f) of Regulation 1164/94 as
amended by Reg 1264/99 been assigned to a specific
body ?
If yes, is this person or service functionally
independent ?
Name:
Contact details:
Overall conclusion regarding the adequacy of the Audit / Control arrangements
: 01-14/2004/1
: 1.0
: 30.7.2004
: 108 of 145

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 109 of 145
Operational Checks
Objective: Whether the relevant authorities have adequate financial and checking procedures to ensure
the regularity, legality and eligibility of expenditure. (Art. 4 and 8 of Commission Regulation 1386/02)
Question
Yes/No/ File
Comments
N/A
ref
claims / drawdown / expenditure return / checking
process ?
Are there written procedures covering the checking of
payment requests / expenditure returns / compilation ?
Are there procedures to ensure the eligibility of
expenditure returned e.g. checklists which refer to
the principles of eligibility of expenditure for CF
projects ?
Are there checks to ensure that the expenditure:
has been incurred and paid within the eligible period ?
is actual and not notional (trace payments to bank
statements) ?
does not include advances ?
has been paid by the final beneficiary named in the
Decision ?
is supported by original invoices which have been
properly approved and authorised for payment ?
has not previously been claimed ?
has been checked for arithmetical accuracy ?
relates to actions specifically approved by the
Commission Decision for the project ?
is incurred in accordance with the relevant Community
and National rules on, in particular, protection of the
environment, trans-European networks, competition
and public procurement ?
Is there adequate separation of duties between those
responsible for checking claims and those responsible
for payment of claims ?
Is there adequate separation of duties between those
responsible for certifying expenditure and those
responsible for authorising payment of claims ?
Are checks adequately evidenced ?
Are there procedures to ensure that payments are made
to final beneficiaries in a timely manner and without
undue delays ?
Have all intermediate bodies and final beneficiaries

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 110 of 145
been informed of the exchange rates to be used ?

Obtain evidence.
Are there controls in place to ensure that the average
monthly exchange rate used for declared expenditure
(i.e. that the expenditure returns are checked in this
respect) ?
Check a sample of returns to ensure compliance.
Overall conclusion regarding the adequacy of the arrangements in place for the claims / drawdown
expenditure compilation process

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 111 of 145
Publicity requirements
Objective: Whether there are adequate arrangements in place to ensure compliance with the publicity
requirements set out both in the Commission Decision for the particular project and in Commission
Decision 96/455.
Question
Yes/
File
Comments
No/N ref
/A
Are there arrangements to ensure that all intermediate
bodies and final beneficiaries have been informed of the
publicity requirements ?
Has a publicity officer been appointed to monitor the
compliance of projects with CF publicity requirements ?
Are on the spot checks carried out to projects to ensure
that publicity requirements are being observed ?
Is evidence of publicity measures taken obtained from
final beneficiaries for all projects. (e.g. audio-visual
material, brochures, press releases, photographs of
signage ) ?
Is a checklist used to ensure that the publicity measures
taken are appropriate to the size/budget of the project ?
Obtain evidence of the publicity measures taken
Overall conclusion regarding the adequacy of the arrangements in place regarding observance of
publicity requirements

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 112 of 145
Accounting information to be held and communicated to the Commission

Objective: Whether the Member State has adequate procedures for maintaining adequate accounting
records on projects which are available to the Commission on request. (Art. 16 of Commission
Regulation 1386/02)
Question
Yes/No/ File
Comments
N/A
ref
Is a computerised accounting system used to record all
relevant data on Cohesion Fund projects ?
If yes:
Is it adequate to ensure the provision of timely,
relevant and accurate information on CF projects ?
Is information on all fields specified in Annex IV of
Regulation 1386/02 recorded in the system ?
Does the format of data to be supplied to the
Commission conform to the preferred technical
specifications for the transfer of computer files as set
out in Annex V of Regulation 1386/02 ?
Is the data input to the system updated on a regular
basis to ensure that it provides timely information on
projects ?
Indicate how often
Are there procedures to ensure that the information
can be provided to the Commission (on request) within
10 working days of the receipt of the request ?
Indicate name and contact details of person
responsible
Is there a formal definition of access levels ?
Establish who has access to the system
to update data
to view data
Existence of individual passwords
Are there security / access controls to ensure the
integrity of the data ?
If a computerised system has not been developed, are
there plans for same ?
In the absence of a computerised accounting system,
indicate what system is being used and if it complies with
the provisions referred to in the previous questions
Overall conclusion regarding the adequacy of the arrangements in place regarding accounting records

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 113 of 145
Audit trail
Objective: Whether there are adequate procedures in place to ensure that the management and control
systems provide a sufficient audit trail. (Art. 6 of Commission Regulation 1386/02)
Question
Yes/No/
N/A
File
ref
Comments
Is there a description of the audit trail covering the following

areas:
Location of accounting records (including technical
specifications, , financial plan, progress reports, tender
documentation, reports of inspections of the execution
of the project) at each level ?
A list of all bodies involved ?
The basis for the allocation of costs/expenditure where
costs relate only partly to a project ?
Process of compiling expenditure returns at each
level ?
Computerised transfer of accounting data from each
level ?
For each of the above processes is there:
A written description of the process together with
details of each of the bodies involved ?
A flowchart showing the flow of information between
the different bodies at each level ?
Indicate who is responsible for ensuring that the description of the
audit trail is kept up to date
Overall conclusion regarding the adequacy of the arrangements in place regarding an accurate
documentation of the audit trail

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 114 of 145
APPENDIX 6: SUGGESTED LIST OF KEY QUESTIONS FOR

ON THE SPOT CONTROL OF A COHESION FUND
PROJECT
Cohesion Fund Project N:

Details:
Audit trail
Objective: To ensure that the authorities have financial and accounting systems which provide an
adequate audit trail and that expenditure returned is capable of summary reconciliation at each level.
Test
Check that the expenditure recorded in the last
drawdown claim made to the Commission is supported
by documentation held at intermediate and final
beneficiary level.
Initial
Is a separate ledger account used to record the receipts

and payment details of the project ? Obtain a copy of
same
Agree or reconcile the ledger account to the summary
amount returned for Cohesion Fund Aid.
Ensure that amounts in national currency have been
translated at the rate prevailing at the date of payment
by the final beneficiary.
Are spreadsheets available which analyse the
expenditure between the various elements of the
project i.e. main contracts placed, land acquisition,
consultancy fees etc.
Overall conclusion regarding the adequacy of the audit trail
File ref
Comments

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 115 of 145
Eligibility of expenditure
Objective: To ensure that only expenditure which is eligible for Cohesion Fund assistance has been
returned.
Test
Ensure that the expenditure returned has been incurred
and paid in the eligible period as set out in Article 2 of
the Commission Decision for the project
Initial
Select invoices at the start and end of the eligible

period for a number of contracts (and other types of
expenditure)
Ensure for a sample that the type of expenditure
returned is eligible as regards the criteria set in the
Principles of eligibility of expenditure document e.g.
VAT, own land purchase, operating costs etc..
Check that advances made to contractors outside the
terms of the contract have not been included in
expenditure returns prior to the related work having
been carried out.
Overall conclusion regarding the eligibility of expenditure returned
File ref
Comments

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 116 of 145
Public Procurement
Objective: To ensure that in respect of public authorities , that contracts for works, services or supplies
co-funded by the Cohesion Fund have been procured on the basis of a proper call for tenders, that there
are sound controls over the opening of tenders and that all tenders are fully evaluated before the award
of the contract.
General : ORGANISATION (System audit related issues)
Test
Initial
Is a brief description of the system available re the
procurement for Cohesion Fund projects (which
bodies are responsible for procurement of
infrastructure and environment)?
Has the project manager been informed of the rules
governing the award of public contracts as established
by the EU and the Member States authorities ?
Have European Directives regarding procurement
been incorporated into national legislation ? Obtain
copies of relevant documents ?
Are flowcharts and/or organisation-charts available
that show the flow of documents and decision process?
Are procurement procedures written down in a
manual?
How is it ensured that any discriminatory elements are
eliminated? - Are the selection criteria specified in the
invitation to tender?
Overall conclusion regarding Public Procurement
File ref
Comments

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 117 of 145
Public Procurement (continued)

Contract examined:
Preliminary work
Test
Before taking any initiative for tendering, does a
Financing Memorandum for the project exist? Obtain
copy of budget.
Was a Project Manager appointed
implementation of the contract?
for
the
Publication
Is the procurement notice published in advance in the
OJ, the official gazette and other national newspapers
and branch magazines and of the recipient State?
Was a correct deadline applied for submission of
tenders (in general at least 90 days from the date of
publication of the notice)
Is co-financing noted in the public contract notices
placed in the Official Journal in accordance with
Article 1 of Annex II of Council Regulation (EC) N
1164/94
Was any additional information requested by
contractors and if provided, also given to all other
candidate tenderers?
Tender / selection procedure

Note the selection procedure used
Open
Restricted
Negotiated
Was any additional information requested by
contractors and if provided, also given to all other
candidate-tenderers?
Initial
File ref
Comments

Tender opening procedures

Test
Have all tenders been opened at the date specified in
the notice, with two or more people present and have
all tenders been recorded ?
Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 118 of 145
Initial
File ref
Comments
Initial
File ref
Comments
Review the Tender opening Report at least on the

following topics:
o
o
o
o
Number of tenderers;
Withdrawals;
Non-compliance and reasoning
Tender prices of those tenders,
accepted for further evaluation
Award procedure
How are tenders shortlisted for evaluation or are all
tenders submitted evaluated ?
Is there an awarding committee ?
What is the make up of this Committee (Obtain names
and role)
What criteria are used in the award of contracts (List
together with point / scoring system used)
Check the appropriateness of these criteria
Is the basis for awarding points to each tenderer under
each criterion recorded / justified
Is a tender assessment / evaluation report prepared
Who prepares this report
Check additions / tots of scores awarded under various
categories
Is a technical report / evaluation of tenderers report
prepared by an engineer as part of the evaluation of
tenders ?
Review this document and check award of scores
Test

Obtain a copy of report on tenders and review same

Does the tender dossier include:
-selection and award criteria;
-grid to be used to evaluate;
-whether variants are allowed;
-sub-contracting is permitted;
-currency of tender;
How have scores been awarded in the evaluation of
tenders
Confirm that the evaluation took place according to
the grid published in the tender dossier and that no
changes afterwards have been made in the grid.
Technical compliance of tenders: Yes or no
Is a check on arithmetic correctness of the offers
carried out and in case of errors have corrections of the
offer(s) taken place?
Are alternatives from a compliant offer from the
bidder with the lowest price been evaluated?
Is the most economically advantageous tender chosen
for each lot?
Is the price within the available budget?
Have tenderers been requested to explain abnormally
low offers and is approval or rejection of these offers
well motivated by the evaluators?
Is the entire procedure formal compliance and the
technical and financial evaluation and choice of the
successful tenderer been fully documented ?
Were the evaluation criteria set in advance of the
receipt of tenders?
Were all of the evaluation criteria listed in the
Conditions of Tendering used in the assessment of
tenders ?
Were criteria other than those listed in the Conditions
of Tendering used in the assessment of tenders ?
Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 119 of 145

Awarding of contracts
Test
Document No.
Version
Come into force
Page
Initial
File ref
Contracts signed by the contracting authority?

Publication of the results in OJ, Internet and other
media
Check/ask whether any contractor submitted an appeal
to the CA, review the content and the reply of the CA.
Overall conclusion regarding the procurement procedure for this project
: 01-14/2004/1
: 1.0
: 30.7.2004
: 120 of 145
Comments

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 121 of 145
Reality of the project:

Objective: To ensure that the project has been carried out as planned and as approved in the
Commission Decision.
Test
Carry out a site visit to verify the physical existence of
the project.
Note the main elements of the project and check these
against the description of approved works contained in
the Commission Decision / Application for grant
assistance.
Obtain engineering drawings where required.
Obtain details of any cost overruns and obtain
explanations for these.
Obtain copies of any modifications / variations and
ensure that these are
- properly approved
- covered by the scope of the approved works
For more technically complex projects, evaluate the
need to make use of a technical expert to examine
particular aspects of the project (e.g. cost overruns /
unforeseen works, value for money aspects, physical
progress versus financial outlays)
Hold a meeting with the technical expert to determine
the nature and scope of the work to be carried out.
- Agree the scope and terms of reference of the work
formally and confirm same in writing.
- Review the report of the technical expert and arrange
a meeting to discuss the conclusions drawn.
Evaluate the findings and conclusions made in the
experts report.
Determine whether any follow up action is required as
a result of the evaluation of the experts report..
Conclusions
Initial
File ref
Comments

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 122 of 145
Publicity Measures
Objective: To ensure that the publicity requirements detailed in the Annex V of the Decision and
Decision 96/455/CE have been complied with.
Test
Initial File ref Comments
Do the MS Authorities make the general public aware
of the role played by the Community in relation to the
projects?
Have the on-the-spot information and publicity
measures been taken?
Has the content of the projects been published in the
most appropriate form throughout the territory of the
MS using the local and regional media?
In the case of investments with a cost exceeding ECU
1 million:
Have the MS Authorities held regular news
conferences on a local level to inform about all facts
concerning the project?
Do the MS Authorities erect billboards on the sites of

the project, for not less than two years after
completion of the work, reserving for the EU at least a
section of 50% of the total area, indicating the total
estimated cost and the Cohesion Fund contribution,
and showing the European emblem?
Do the MS Authorities place permanent

commemorative plaques for infrastructures accessible
to the general public, showing the European emblem
and the Unions part financing together with an
indication of the Cohesion Fund?
In the case of investments with a cost exceeding ECU
10 million:
Do the MS Authorities produce regularly a brochure
of general interest and professional audio-visual
material which should be delivered to national,
regional television and radio stations, to the
Commission and, on demand, to interested firms and
the public?
Do the MS Authorities place a commemorative
plaque?

Test
In the case of investments with a cost exceeding
ECU 20 million,
In addition to the measures for 1m and 10m cost
Do the MS Authorities held regular news conferences
on a nation-wide level concerning the projects,
including the presentation of the audio-visual
material?
Document No.
Version
Come into force
Page
Initial
File ref
Award of Public Contracts

Article I of Annex II of Council Regulation (EC) N
1164/94 requires that notices sent for publication in
the OJEC shall specify those projects for which
Community assistance has been applied for or granted.
Check a sample of notices for compliance
Overall conclusion regarding the publicity measures taken for this project
: 01-14/2004/1
: 1.0
: 30.7.2004
: 123 of 145
Comments

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 124 of 145
APPENDIX 7: PREPARATORY WORK / GATHERING OF

AUDIT INFORMATION
Sound preparation is vital to the efficient and effective conduct of an audit. To ensure that
preparation is adequate, the auditor should carry out the following tasks and record the results
in the audit file:
Applications for support:
For projects selected to be reviewed, obtain a copy of the Application for Cohesion
Fund assistance. Review this document and determine if the project or group of
projects clearly conform to the objectives of the Cohesion Fund.
In order to ensure that proper applications were made, ask for list of applicants and
review assess how funded projects were selected.
Decisions:
Obtain a copy of the original Commission Decision approving the project and review
same as regards eligibility dates, national and private financing, percentage aid rate
and expected revenues. Also note the scope of the project and the particular works to
be carried out
Obtain copies of any modifications to the original Decision noting any changes in the
scope of the project and any other changes whether financial or non-financial.
Monitoring:
Ask for last progress report for the project and evidence of the status of completion.
Review and identify items you will pursue on site.
Obtain details of procedures, which set out the action to be taken where progress is
unsatisfactory. Review if there are rules relating to refunds.
Review the annual report and relevant control statements to identify any issues which
should be addressed during the audit;
Review the minutes of the co-ordination Meetings, the minutes of the monitoring
committee and the evaluation reports mid-term.
Examine the systems description together with any updates received under Article 5
of Regulation (EC) N 1386/2002.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 125 of 145
Safeguarding Community Funds:
For the particular project under review, request that all supporting documents are
made available upon your arrival.
Obtain a listing of all the principal works, services and supply contracts involved in
the project. Request that the following documents are made available in respect of
these contracts.
Administrative clauses
Publication of tender notices
Tender opening sheet recording opening of tenders
Tender evaluation and award document
Technical evaluation of tenders
Contract
Details of modifications made to the original contract
Obtain schedules of expenditure on the project which support the most recent
expenditure return which has been made by the Paying authority to the Commission
in respect of the project being examined. This should preferably be in spreadsheet
format and analysed between the main works involved in the project and by contract.
Obtain a copy of the systems description and in particular examine the descriptions in
relation to the organisations involved in the implementation of the project being
audited. Check the description of the audit trail, the description of internal controls
for the accounting / payment system, organisation chart duties. This will be a good
source for risk assessment exercise.
Review procedures as regards ensuring eligibility of expenses.
Review VAT legislation regarding project sponsors / final beneficiaries to determine

their status as regards eligible expenditure returned.
For the selected projects, the auditor should request details of all payment claims
made to date.
Examine procedures in relation to errors, fraud and irregularities. Obtain their list of
errors, fraud and irregularities. Evaluate for impact on risk assessment done, and
decide if further review is necessary on site. Also verify with OLAF if they have any
file on this subject.
Assess the risk of cross funding of projects (i.e. Projects receiving ERDF and
Cohesion Fund assistance). Obtain details of any ERDF funded Operational
Programmes in the Environment and Transport sectors.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 126 of 145
Audits:
Obtain copies of all audit reports carried out on the project being examined. Examine
findings and request details of any follow up action which has been taken in respect
of recommendations made.
Review previous audits carried out by the Commission or the European Court of
Auditors (ECA) regarding this project.
Check the audit plans discussed at the co-ordination meetings between the Member
State and the Commission to take account of any changes made. Where visits are
planned or have taken place to the same authority or action, care should be taken not
to duplicate recent control effort, while ensuring proper follow-up of reports
Use SYSAUDIT (when available to Member States) to obtain an overview of all

audits done on sampled project. Update your records for findings and follow up
issues. Ensure that audits done by the ECA are added to the list.
Financial and Accounting Systems:
Confirm the description of the financial and accounting system of the final
beneficiary and evaluate the internal control environment of final beneficiary.
Obtain a copy of the audit trail and any previous audit reports which have commented
on the audit trail and review them to identify any possible weaknesses which should
be addressed during the audit;
Where IT systems are involved, auditors should ensure that they obtain appropriate
documentation to enable the audit to take account of these systems;
General:
Review available information from ex-ante controls and other sources on the selected
authorities and project managers/ final beneficiaries to determine whether there are
any particular issues which should be addressed during the audit;
As a result of the above work, the auditor should produce an adjusted risk profile of the bodies
to be audited and a list of the particular risks to which special attention should be given during
the audit. The aims and objectives of the audit, together with the specific work programmes
and questionnaires to be used, should be included as part of the audit plan. The initial risk
assessment should be documented in the work papers
In terms of more detailed information, the auditor should consider the following issues:
For Receipts
The auditor should determine:
all receipts relating to the Project in-year;
to which Instalment the receipts related;
that each receipt was claimed in accordance with EC Regulations;

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 127 of 145
that each claim for receipt of Cohesion Fund was dealt with by the appropriate
authority (NF)
Payments
The auditor should determine:
all payments made relating to the Project in-year;
that all claims for payment were dealt with by the appropriate bodies in accordance
with the Regulations;
that all claims for payment are supported by the necessary documentation;
that there is evidence of monitoring of the progress of the project by designated
authorities, to support the claims made
Bank Accounts
The auditor should determine
that the NF has opened bank accounts in accordance with the national guidance for
each Sector (Transport and Environment) and for each project;
the current balance;
the opening and closing balances for the year of examination.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 128 of 145
APPENDIX 8: PROCUREMENT DIRECTIVES

General
Cohesion Fund projects are aimed at the transport and environment sectors and generally
involve, inter alia, construction of roads, railways, water and wastewater treatment plants.
Invariably, these types of project involve both works and services type contracts (and
sometimes supplies). Accordingly, the auditor of such projects should be aware of the relevant
EU procurement Directives to ensure that the contracting authorities have complied with the
requirements of these Directives in the award of public contracts.
EU Public Procurement Directives
EU Directives set legal obligations on Contracting Authorities regarding Public procurement.
Violations can give rise to serious legal/financial sanctions. Three different types of contract
are identified in EU Directives:
Works contracts - buildings and civil engineering works
Supplies contracts - purchasing goods and supplies
Services contracts - advertising, property management services, architectural / engineering /
surveying, management consultancy services and so on.
Any contract placed by a Public Contracting Authority, if it is over the relevant financial
threshold in the Directive, must be processed and awarded in accordance with the procedures
of the Directive, unless it is covered by a clearly defined exception.
The EU Public Procurement Directives must be followed where a project is wholly or partly
financed by EU institutions. This also applies whether or not the body concerned would
normally be subject to the Directives.
Thresholds
If the estimated value of a contract exceeds specified thresholds, the contract must be open to
competition across the EU, by means of advertisement in the Supplement to the Official
Journal of the European Communities (OJEC). These thresholds are subject to revision.
Directives
i) The Works Directive in force is 93/37/EEC (OJ L 199/54 of 9.7.1993) consolidating
Directives 71/305/EEC and 89/440/EEC.
ii) The Supplies Directive in force is 93/36/EEC (OJ L 199/1 of 9.7.1993) consolidating
Directives 88/295/EEC, 80/767/EEC and 77/62/EEC.
iii) The Services Directive in force is 92/50/EEC (OJ L 209/1 of 24.7.1992).
Tendering Procedures
The EU Directives recognise three tendering procedures:
Open- all interested parties may submit tenders.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 129 of 145
Restricted- only those parties invited by the Contracting Authority may submit tenders.
Negotiated- Contracting Authorities consult parties of their choice and negotiate the terms of
the contract with one or more of them (this procedure may, however, be used only in the
very limited special circumstances set out in the Directives).
The Commission has a strong preference for open procedures to ensure the greatest possible
transparency and objectivity.
Advertising
OJEC Notices should be drawn up in accordance with the relevant Directives. Advertisements
in the OJEC are usually supplemented by advertisements in the national media to ensure the
widest possible competition for the contract. When advertising in the OJEC, the provisions
of the Directives, including the format in the Model Notices, must be strictly followed in
all cases. These Notices are set out in Annexes to the Directives.
Criteria for awarding contracts
Contracting Authorities, in deciding which bid to accept, may do so on the basis of either
- the lowest price only, or
- the most economically advantageous tender (using various criteria such as price, period for
completion, running costs, profitability, technical merit).
Written Report on Contracts Awarded
For all contracts awarded the Contracting Authority must prepare a written report. The
Commission may at any time request that this report be sent to them.
Utilities Directives
A separate set of Directives cover the Utilities, that is the Contracting Authorities operating in
the four sectors, water, energy, transport and telecommunications.
EU Directives 90/531/EEC (OJ L 297 of 29.10.1990) and 92/13/EEC cover Works and Supply
contracts and Remedies in these areas.
Provisions are similar to those of the main Directives but allow, in a number of instances, more
flexible procedures to take due account of the commercial nature of the bodies in question.
Directive 93/38/EEC for the Utilities consolidated these previous Directives and incorporated
Services contracts.
Thresholds in the Utilities Directive
Separate thresholds, which are subject to revision, apply for works and supply contracts in this
area.
The thresholds for Services Contracts, which are covered by Directive 93/38/EEC are the same
as the Supply contracts.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 130 of 145
APPENDIX 9: PUBLICITY REQUIREMENTS

European Commission Decision 455/1996 sets out the specific information and publicity requirements
which must be complied with in respect of projects assisted by the Cohesion Fund. As a general
approach, the assistance of the Fund should be fairly reflected in all information and publicity measures
taken in respect of projects co-financed by the Cohesion Fund.
The specific publicity measures to be undertaken in respect of Cohesion Fund projects are set out in
Commission Decision 455/96 and are closely linked to the cost of the project. These are briefly set out
below.
For projects with a total cost which exceeds 1m
Regular news conferences should be held at local level to provide information of public interest
concerning the project.
Billboards should be erected on site and permanent commemorative plaques should be placed where the
project involves infrastructure which is accessible to the general public.
In practice, most Cohesion Fund projects will exceed this threshold and accordingly there are further
requirements which must be complied with which are in addition to those already mentioned.
A brochure of general interest concerning the project should be produced
Audio and visual material such as a short video should be produced.
These should be provided to regional TV and radio stations and should give adequate acknowledgement
to the participation of the Cohesion Fund.
Regular news conferences should be held at national level to create awareness of the project including
the presentation of the audio-visual material already mentioned.
Other requirements
Billboards should be erected for all Cohesion Fund projects exceeding 1m. The billboards should
reserve at least 50% of the area of the billboard for acknowledging the Cohesion Fund assistance and
should make reference to the Cohesion Fund, the rate of assistance and the overall cost of the project.
Commemorative plaques should be installed on all projects which are accessible to the general public.
It should be noted that the costs associated with publicity measures are eligible for Cohesion Fund
assistance.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 131 of 145
APPENDIX 10: MODEL REPORT PURSUANT TO ARTICLE 12

OF REGULATION 1386/2002
Preliminary note
Article 12 of Regulation (EC) 1386/2002 (the Regulation) provides that Member States shall inform
the Commission by 30 June each year of their application of Articles 9, 10 and 11 of the Regulation
which relate to sample checks on operations in the previous calendar year and in addition provide any
necessary completion or updating of the description of their management and control systems
communicated under Article 5 of the Regulation.
In addition, for the purposes of the contract of confidence, the report will be specifically the source of
assurance for the Commission that the audit activity is being carried out in accordance with the
established audit strategy and that no material deficiencies in the effective functioning of the
management and control systems have been found.
The report should therefore concern an identified system for the management and control of the
Cohesion Fund (e.g. national/regional/municipal level, by types of bodies, by project), and should be
compiled by, or in collaboration with, the person or department designated to issue declarations on
winding up of the assistance under Article 13 (independent body). The report should be signed or
countersigned by the independent body.
The first report presented in compliance with this model following the establishment of a Contract of
confidence should provide a summary of audit activity carried out in previous years and should cover
in the conclusions all preceding years.
In all cases a copy of the report should be sent to the Director General of the Regional Policy DG, and
the deadline of 30 June should be respected
MODEL REPORT
INTRODUCTION
Identify the management and control systems covered by the report with reference to the
projects and managing and paying authorities;
Indicate the bodies which have been responsible for the preparation of the report;
Describe the steps taken for the preparation of the report;
Indicate the expenditure declared to the Commission for the year concerned for the projects
covered by the report.
COMPLETION AND UPDATING OF DESCRIPTION OF MANAGEMENT AND

CONTROL SYSTEM UNDER ARTICLE 5
Indicate any completion or updating of the description previously provided giving the dates
from which the changes are applicable.
Describe where appropriate any changes that are proposed or are likely to be introduced in the
current year.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 132 of 145

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 133 of 145
CHANGES TO THE AUDIT STRATEGY

Indicate any changes to the audit strategy which have been effected or are proposed, with
explanation and justification for the changes.
Draw up a comparative table between works carried out and the initially foreseen working
programme, with explanation of the reasons why changes occurred.
SYSTEMS AUDITS
Indicate the bodies which have carried out audits;
Attach a summary list of the audits carried out and indicate the date of transmission of the
audit report to the Commission;
Describe the basis for selection of the audits in the context of the audit strategy;
Describe the principal findings and the conclusions drawn from the audit work for the
management and control systems, including the sufficiency of the audit trail and compliance
with Community requirements and policies;
Indicate any potential financial consequences;
Provide information on the follow up of the audit findings, in particular any corrective and
preventive measures applied.
SAMPLE CHECKS ON EXPENDITURE

Indicate the bodies which have carried out the checks;
Attach a summary list indicating the number of checks carried out and the amount of
expenditure checked broken down by sector/project, including an indication of the percentage
of expenditure checked in relation to total eligible expenditure declared to the Commission
(both for the year in question and cumulatively);
Describe the basis for selection of the operations subject to control;
Describe the principal results of the checks, indicating in particular for each project the
number of irregularities identified and the amount of irregular expenditure;
Indicate the conclusions drawn from the results of the checks with regard to the effectiveness
of the management and control system;
Provide information on the follow up of the irregularities;
Indicate whether any problems identified were considered to be of a systemic character, and
the measures taken, including a quantification of any financial corrections.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 134 of 145
FOLLOW UP OF PREVIOUS YEARS AUDIT ACTIVITY

Provide information where appropriate on the follow up of outstanding audit findings or
results of expenditure checks from earlier years.
CONCLUSION
In the conclusion it should be confirmed that
The audit activity for the year concerned was in conformity with the audit strategy presented
to the Commission. Where there are any reservations or limitations these should be indicated
and explained;
It should be stated that the results of the audit activity do not show any material deficiency in
the effective functioning of the management and control system applicable to the expenditure
declared to the Commission for the year concerned. Where there are any reservation or
limitations these should be indicated and explained;
It should be confirmed that specific cases of irregularity have been treated satisfactorily, in
particular by making the necessary financial corrections.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 135 of 145
APPENDIX 11:GUIDELINES ON THE PRINCIPLES,

CRITERIA AND INDICATIVE SCALES TO BE APPLIED BY
COMMISSION DEPARTMENTS IN DETERMINING
FINANCIAL CORRECTIONS UNDER ARTICLE H(2) OF
ANNEX II TO REGULATION (EC) NO 1164/94
ESTABLISHING A COHESION FUND
1. Principles
The purpose of financial corrections is to restore a situation where 100% of the expenditure
declared for co-financing from the Cohesion Fund is in line with the applicable national and EU
rules and regulations. This allows the establishment of a number of key principles for the
Commission services to apply in determining financial corrections :
(a) Irregularity is defined in Article 1(2) of Regulation 2988/95. Irregularities can be one-off or
systemic.
(b) A systemic irregularity is a recurrent error due to serious failings in management and control
systems designed to ensure correct accounting and compliance with rules and regulations.
If the applicable rules and regulations are respected, and all reasonable measures are taken to
prevent, detect and correct fraud and irregularity, no financial corrections will be required.
If the applicable rules and regulations are respected, but the management and control systems
need to be improved, there should be pertinent recommendations, but no financial corrections
need be envisaged.
If there are serious failings in the management or control systems which could lead to
systemic irregularities, in particular failures to respect the applicable rules and regulations,
financial corrections should always be made.
(c) The amount of the financial correction for individual or systemic irregularities is to be assessed
wherever possible and practicable on the basis of individual files and to be equal to the amount of
expenditure found to have been wrongly charged to the Fund in the cases investigated, having
regard to the principle of proportionality.
(d) There are situations where it is not possible or practicable to quantify the amount of irregular
expenditure precisely, but it would be disproportionate to cancel the entire expenditure in question.
In such cases, the Commission may determine corrections on the basis of extrapolation or at flat
rates.
(e) Extrapolation can be used where an examination of individual files reveals quantifiable
irregularities of the same type and there is a high probability that the irregularity has occurred in a
great number of similar cases, i.e., is systemic, but it is not practicable or cost-effective to
investigate all the cases individually. Extrapolation requires that a homogeneous population of cases
with the same characteristics can be clearly identified. The results of a thorough examination of a
representative sample of transactions selected at random from the homogeneous population can
then be extrapolated to all the files making up the population, in accordance with generally
accepted auditing standards. A homogenous population is defined as being within or among
activities (projects or groups of projects) under the responsibility of the same managing authority,

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 136 of 145
managed by the same implementing body in the same sector over the same time period, whether
under a single Commission decision or different decisions.
(f) Flat rate corrections may be applied in the case of individual breaches or systemic irregularities
whose financial impact is not precisely quantifiable being subject to too many variables or too
diffuse in its effects but where it would be disproportionate to refuse all the assistance concerned
except in the most extreme cases. Such irregularities typically result from a failure to undertake
checks effectively to prevent or detect breaches of Community rules or conditions of the decision.
Where an irregularity appears to be systemic, a flat rate correction may be applied only to the cases
investigated, or, in situations like those described in para. (e) above, it may be applied to a
homogeneous population of cases with the same characteristics.
(g) When proposing a flat rate correction, the Commission must assess the importance of the
infringement of the rules and the extent and financial implications of any shortcomings in the
management and control system that have led to the irregularity established.
A list of what the Commission considers to be key and ancillary elements of systems for the
purpose of assessing the seriousness of deficiencies is given in section 2.2. and an indicative
scale of flat rates for corrections in section 2.3. The same expenditure will not normally be
subject to more than one correction.
(h) In areas where there is a margin for discretion in evaluating the gravity of the infringement, as in
cases of disregard of environmental conditions, corrections shall be subject to the following
conditions : a significant failure to respect the rules and a clearly identifiable link with the action
receiving EU co-finance.
(i) Unlike the case with corrections made by the Member State under Article 39(1) of Regulation (EC)
No 1260/1999, financial corrections decided by the Commission, whether under Article 39(3) of
Regulation (EC) No 1260/1999 or Article H(2) of Annex II to Regulation (EC) No 1164/94, always
involve a net reduction to the EU funding committed to the project or assistance.
(j) Irrespective of the kind of corrections proposed by the Commission, the Member State is always
given the opportunity to demonstrate that the real loss or risk to the Fund and the extent or gravity
of the irregularity was less than that assessed by the Commission services. The Court of Justice has
held that the burden of such proof is on the Member State. 1 The procedure and time limits are set
out in Article 18 of Regulation (EC) No XX/2002.
(k) Where the Commission bases its position on facts established and fully documented by auditors
other than those of its own services, it shall draw its own conclusions regarding their financial
consequences, after examining the measures taken by the Member State concerned under Article
12(1) and (2) of Regulation (EC) No 1164/94 and Article G(1) of Annex II thereto, the reports
supplied under Article 12 of Regulation (EC) No XX/2002 and Regulation (EC) No 1831/94, and
any replies from the Member State.
(l) In all cases of corrections by extrapolation or on a flat-rate basis, the proposed correction is
submitted to an ad hoc advisory panel, which will consider the arguments presented by the
Commission auditor for applying the correction and assess whether the level is appropriate.
See judgment of ECJ of 21.1.1999 in Case C-54/95, Germany v. Commission, para. 35, referring also to
Netherlands v. Commission, Case C-48/93.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 137 of 145
2. Criteria and scales for flat-rate corrections

2.1
Criteria
As noted in para. 1(f) above, flat-rate corrections may be envisaged when the information
resulting from the enquiry does not permit the financial impact of an individual case or several
cases of irregularities to be evaluated precisely by statistical means, or by reference to other
verifiable data, but does lead to the conclusion that the Member State has failed to carry out
adequate verification of the eligibility of claims paid.
Flat-rate corrections should be considered when the Commission finds a failure to adequately
effect any control which is explicitly required by a regulation, or implicitly required in order to
respect an explicit rule, and whose absence could lead to systemic irregularity. They should also
be considered where the Commission finds serious deficiencies in management and control
systems resulting in breaches of applicable rules and regulations on a wide scale or detects
individual breaches. In determining whether a flat-rate financial correction should result and, if so,
at what rate, the general consideration shall be the assessment of the degree of risk of loss to which
Community funds were exposed as a consequence of the control deficiency. Thus the correction
should be in compliance with the principle of proportionality. The specific elements to be taken into
account should include the following:
(1) whether the irregularity is related to an individual case, multiple cases or all cases;
(2) whether the deficiency relates to the effectiveness of the management and control system
generally, to the effectiveness of a particular element of the system, i.e. the operation of
particular functions necessary to ensure the legality, regularity and eligibility of expenditure
declared for cofinancing from the Fund under the applicable national and EU rules (see
section 2.2. below);
(3) the importance of the deficiency within the totality of the administrative, physical and other
controls foreseen;
(4) the vulnerability to fraud of the measures, having regard particularly to the economic
incentive.
2.2. Classification of elements of management and control systems for the purpose of applying flat
rates of financial corrections for system deficiencies or individual breaches
Management and control systems for the Cohesion Fund consist of various elements or functions
of greater or lesser importance for ensuring the legality, regularity and eligibility of expenditure
declared for cofinancing. For the purpose of assessing flat rate corrections for deficiencies in such
systems or individual cases of irregularity, it is useful to classify the functions of management
and control systems into key and ancillary elements.
Key elements are those designed and essential to ensure the legality and regularity and indeed the
substance of operations supported by the Fund, ancillary elements those that contribute to the
quality of a management and control system and help ensure that the system keeps performing well
in relation to its key functions.
The list below contains the majority of elements of good management and control systems and
good audit practice. The seriousness of deficiencies and individual breaches varies considerably,
and cases will therefore be assessed by the advisory panel having regard, in particular, to section
2.4 below.

2.2.1
Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 138 of 145
Key elements for ensuring eligibility for cofinancing

1. Provision and application of procedures for ensuring :
a)
at the planning and design stage

- compliance, where applicable, with national and EU rules on publicity, public
procurement and environmental protection, and with the general Treaty rules and
principles of transparency, equality of treatment and non-discrimination where EC
public procurement directives are not applicable;
- adequacy of preliminary and technical studies
b)
c)
in the pre-selection of projects for funding, especially within groups of projects:

-
projects selected correspond to the objectives and published criteria;
observance of eligibility rules;
selection of contractors/suppliers in according with public procurement rules.
2. Adequate verification of delivery of products and services and of eligibility of expenditure

-
on the part of the implementing body :

(a) verifying the reality of deliverables (services, works, supplies, etc.) against plans,
invoices, acceptance documents, experts reports, etc., and, where appropriate, on
the spot;
(b) verification of observance of conditions of grant approval and of the procedures for
changing those conditions;
(c) verification of eligibility of amounts claimed;
(d) adequate follow-up of all outstanding questions before acceptance of claim;
(e) maintenance of an adequate and reliable accounting system;
(f) maintenance of the audit trail at all levels from the implementing body or body or
firm carrying out operation up through the system.
on the part of the paying authority

Taking reasonable measures to obtain assurance that the declarations of expenditure it
certifies to the Commission are correct, and that:
(a) expenditure was effected within the eligibility period laid down in the decision of
the Commission;
(b) the cofinanced activities have actually been carried out.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 139 of 145
3. Sufficient quantity and quality of sample checks on projects and adequate follow-up
a) carrying out sample checks on at least 15% of total eligible expenditure in
accordance with Article 9 of Regulation 1386/2002, supported by a report
on the work done by the auditor;
b) the sample is representative and the risk analysis adequate;
c) adequate separation of functions vis--vis bodies involved in the
implementation of projects to ensure independence ;
d) follow-up to checks, ensuring
1.
appropriate assessment of results and notification of irregularities

under Regulation (EC) 1831/94,
2.
action at a general level to correct systemic irregularities
e) adequate examination underlying declaration on closure under Article 13 of

Regulation (EC) 1386/2002
2.2.2
Ancillary elements
a)
satisfactory administrative controls in the form of standard checklists or equivalent means

and proper documentation of results, to ensure for instance :
- that claims have not been paid before and transactions (contracts, receipts, invoices,
payments) are separately identifiable;
- reconciliation within the accounting system of declarations and expenditure recorded;
b) proper supervision of payment processing and authorisation procedures;

c) satisfactory procedures to ensure proper dissemination of information about EU rules;
d) ensuring timely payment of Community funding to beneficiaries.
2.3
Indicative scales of flat-rate corrections

100% correction
The rate of correction may be fixed at 100% when the deficiencies in the management and
control system are, or an individual breach is, so serious as to constitute a complete failure to
comply with Community rules, so rendering all the payments irregular.
25% correction
When the management and control system is gravely deficient and there is evidence of
widespread irregularity and negligence in countering irregular or fraudulent practices, a
correction of 25% is justified, as it can then reasonably be assumed that the freedom to submit
irregular claims with impunity will occasion exceptionally high losses to the Fund. A correction
at this rate is also appropriate for irregularities in an individual case which are serious but do
not invalidate the whole project.
10% correction
When one or more key elements of the system do not function in the cases concerned or
function so poorly or so infrequently that they are completely ineffective in determining the
eligibility of the claim or preventing irregularity, a correction of 10% is justified, as it can

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 140 of 145
reasonably be concluded that there was a high risk of widespread loss to the Fund. This rate of
correction is also appropriate for individual irregularities of moderate seriousness in relation to
key elements of the system.
5% correction
When all the key elements of the system function in the cases concerned, but not with the
consistency, frequency, or depth required by the regulations, then a correction of 5% is justified,
as it can reasonably be concluded that they do not provide a sufficient level of assurance of the
regularity of claims, and that the risk to the Fund was significant. A 5% correction can also be
appropriate for less serious irregularities in individual transactions in relation to key elements.
The fact that the way in which a system operates is perfectible is not in itself sufficient grounds
for a financial correction. There must be a serious deficiency of compliance with explicit
Community rules or standards of good practice and the deficiency must expose the Cohesion
Fund to a real risk of loss or irregularity.
2% correction
When performance in the cases concerned is adequate in relation to the key elements of the
system, but there is a complete failure to operate one or more ancillary elements, a correction of
2% is justified in view of the lower risk of loss to the Fund and the lesser seriousness of the
infringement.
A 2% correction will be increased to 5% if the same deficiency is established in relation to
expenditure after the date of the first correction imposed and the Member State has failed to
take adequate corrective measures for the part of the system at fault after the first correction.
A correction of 2% is also justified where the Commission has informed the Member State,
without imposing any correction, of the need to make improvements to ancillary elements of
the system that are in place but do not operate satisfactorily, but the Member State has not taken
the necessary action.
Corrections are only imposed for deficiencies in ancillary elements of management and control
systems where no deficiencies have been identified in key elements. If there are deficiencies in
relation to ancillary elements as well as in key elements, corrections are only made at the rate
applicable to the key elements.
2.4
Borderline cases
Where the correction resulting from a strict application of these guidelines would be clearly
disproportionate, a lower rate of correction may be proposed. The advisory panel referred to in
para.1 l) will give careful consideration to the proportionality of corrections.
For example, where the deficiencies arose from difficulties in the interpretation of Community
rules or requirements (except in cases where it should reasonably be expected that the Member
State raise such difficulties with the Commission), and the national authorities took effective
steps to remedy the deficiencies as soon as they were brought to light, this mitigating factor
may be taken into account and a lower rate or no correction may be proposed. Similarly, due
regard should be paid to claims of legal security when the deficiencies were not reported
following earlier audits by the Commissions services.
In general, the fact that deficient management or control systems were improved immediately
after the deficiencies were reported to the Member State is not considered as a mitigating factor

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 141 of 145
when assessing the financial impact of the systemic irregularities before the improvement was
made.
2.5
Basis of assessment
Whenever similar cases have arisen in other Member States, there should be a comparison
between them to ensure equal treatment in the assessment of the rates of correction. This is a
prime objective of the advisory panel.
The rate of correction should be applied to that part of the expenditure placed at risk. When the
deficiency results from a failure by the authorities concerned to adopt an appropriate control
system, then the correction should be applied to the entire expenditure for which that control
system was required. The correction should normally concern the expenditure over the period
being examined, for example one financial year. However, when the irregularity results from
systemic deficiencies, which are evidently long-standing and affecting several years
expenditure, then the correction should concern all the expenditure declared by the Member
State while the system deficiency obtained until the month in which it was remedied.
When several deficiencies are found in the same system, the flat rates of correction are not cumulated,
the most serious deficiency being taken as an indication of the risks presented by the control system as
a whole2. They are applied to the expenditure remaining after deduction of the amounts refused for
individual files. In the case of the Member States non-application of sanctions prescribed by national
law, the financial correction should be the amount of the sanctions not applied, together with 2% of the
remaining claims, as the non-application of sanctions increases the risk that irregular claims will be
submitted.
See also section 2.3 (2% correction).

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 142 of 145
APPENDIX 12: GUIDANCE ON 15% SAMPLE CHECKS BY

MEMBER STATES
General
The Commission has issued the following guidance on carrying out sample checks across all AC funded
Programmes. The Commission has encouraged Member States for the 2000-2006 period to develop an
audit strategy which will initially focus on systems audits, and will then proceed to verify the
functioning of the systems through sample checks of expenditure.
Accordingly, consideration should be given to setting up a single central co-ordinating body to establish
standard methodologies for the audit work; for disseminating good practice; and to plan and monitor the
work - see Article 2 of CR 1386/2002).
Independence of auditors
CR 1386/2002 also stipulates that, to avoid potential conflicts of interest, the controls should be carried
out by a body or person independent of the managing and implementing body or the body responsible
for the implementation of payments procedures.
Even spread over the period
For the Cohesion Fund, the period over which expenditure can be declared and over which therefore
audit work has to be spread can last until 2010 or even beyond (at least for those Member States
remaining eligible for funding until 2006), and therefore requires longer-term planning.
It is recommended that Member States plan their work in such a way as to cover 15% or more of
expenditure declared in each year of the period. In formulating annual audit plans it will be advisable,
in order to ensure the efficient use of audit resources, to obtain expenditure profiles for each project
from each implementing authority annually showing the expenditure declared to date and the
anticipated expenditure profile for each subsequent year. Plans should be updated annually to take
account of changes in actual and anticipated expenditure.
Coverage
In the Cohesion Fund, it is necessary to ensure coverage of each of the main types of projects, i.e.,
roads, railways, ports, waste water, water supply, etc. and the main implementing bodies (national,
regional and local administrations responsible for the projects).
Given the smaller number of mainly large projects, to ensure that the sample within the limits of the
overall 15% coverage is representative, sample checks should not focus only on a few projects which
will be subject to 100% tests of transactions but should check smaller tranches of expenditure from a
larger number of projects. The latter approach would better respect the requirements set out in the
regulation. Projects can be audited more than once, thus ensuring both adequate coverage over the
lifetime of the project and where problems are detected at an early stage allowing timely corrective
action to be taken.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 143 of 145
Subject, content and conduct of audit

Expenditure declared from the operation must be audited on the spot on the basis of original
documentation or records held on commonly accepted data carriers. 3 This normally means at final
recipient level.
The work done in sample checks of expenditure follows a different approach from that done in system
audits supplemented by substantive testing. 4 They involve a thorough financial audit aimed at
establishing whether selected expenditure is eligible and regular and thus determining the reliability of
expenditure declarations from the operations concerned and the effectiveness of controls by the
managing authority. They must thus cover the execution of the operation (the actual delivery of goods
and services paid for), reconciliation between the expenditure claimed and the supporting documents,
the eligibility of the expenditure both under the terms of the programme concerned and the general
eligibility rules, the provision of national co-financing, compliance with relevant EU and national
legislation including public procurement, state aid and the environment, and avoidance of common
errors.5
The audit should be performed using a checklist, which should be suited to the type of operation.
Supporting documents should as a rule be checked 100%. Where there are large numbers of similar and
repetitive supporting documents such as invoices or proofs of payment, however, it is accepted audit
practice to check a random sample of adequate size rather than 100%. The sampling methodology
should be recorded in the audit report or working papers in such cases. However, if the check reveals
errors the sample should be widened to establish how widespread these are. 6
For the Cohesion Fund, the above principles hold true but in addition extremely close attention
should be paid to compliance with the conditions of the decision on the project and
achievement of its objectives (see in particular, Article 10(b) of Regulation 1386/2002 in
conjunction with Article 2(1), second subparagraph, and Article 4(1), first subparagraph) and to
compliance with public procurement and environmental legislation. It is advisable to review
procurement procedures in respect of the award of the main contracts on the first occasion a
given project is audited, especially where the project shows a significantly higher expenditure
profile in later years and little expenditure in earlier years. Both the principal construction
contracts and the principal supply of services contracts (e.g., supply of raw materials and
equipment for projects and services such as engineers and other consultants) should be
covered.
Apparent systemic problems within a given implementing body or region or throughout the
Member State must be investigated in depth.
7
Reports and working papers

3
4
5
6
Article 7(2a) of Regulation (EC) No 438/2001, as amended by Regulation (EC) No 2355/2002.

ECA report points 66-69. In its replies to the ECA report the Commission explicitly agreed with
the Court of Auditors description of good practice in points 37-41 of its report.
See ECA report, point 38. See also the financial corrections guidelines, section 2.2, where the
key elements of systems to be checked on the spot are set out..
If the problems appear to be systemic within a whole organisation (intermediate body or final
beneficiary), a further sample of projects managed by the organisation should be audited. (Article 12 of
Regulation 438/2001).
Article 11 of Regulation 1386/2002.

Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 144 of 145
Reports and working papers kept in the audit file should together provide detailed information about the
work done, the methodology, and if a sampling method is applied they should describe it. They should
include, where practicable, a list of the documents checked and also show the value of the expenditure
audited and that of the expenditure in which errors or irregularities have been found. 8
Reports can be short, detailing only findings, conclusions and recommendations. The report may be part
of the same document as the checklist or a separate document to which the checklist is attached.
Reports should be delivered promptly and be clear in their findings, conclusions and recommendations.
Only expenditure declared up to the date of the audit can potentially be

counted, not later expenditure for the same project.
Audits by the Commission or the European Court of Auditors cannot be

counted.9
Expenditure checked but found to be irregular during the audit can still be
counted towards the 15% requirement, but if the level of the irregular expenditure is
significant, the percentage of expenditure checked should normally be increased.
Double counting must be avoided (for example, counting twice the earlier
expenditure on an operation which has been audited at an interim stage and on
completion.)10
Expenditure audited in substantive testing for a systems audit can be counted

under certain conditions. These are that all the criteria required for transaction testing
are respected, in particular an examination of the individual payments and supporting
documents down to the level of the final recipient.
Progress towards the required coverage should be properly monitored. This

would generally be the job of the co-ordinating audit unit for the programme or Fund
(see point 3.2 above).
Follow-up of findings
The findings of audits should be systematically followed up and concluded with errors corrected and
unclear issues resolved. For the follow-up of findings, reports should be passed on to the managing
units for prompt action.
Though the allocation of responsibilities may vary, some body should be in charge of monitoring
follow-up and signing off the file once the necessary action has been taken at the instigation of the
managing unit. In some systems it is the audit body that is responsible for this monitoring.
Remedial measures must be taken to correct systemic deficiencies. Article 11 of Regulation 1386/2002
provide : The checks shall establish whether any problems encountered are of a systemic character,
entailing a risk for other or all projects carried out by the same implementing body or in the Member
State concerned. They shall also identify the causes of such situations, any further examination which
may be required and the necessary corrective and preventive action.
Irregularities must be reported pursuant to Regulation1831/94 for the Cohesion Fund.
8
9
10
ECA report, points 40-41 and 72.

ECA report, point 74.
ECA report, point 72.

APPENDIX 13:
AFCOS
BSC
BSO
CAATs
CR
EC
ECA
EEC
GOSP
IB
IS
ISPA
IT
MA
MESP
MoT
NF
OJ
OLAF
PA
PIFC
Q.A.
SAI
TPS
Document No.
Version
Come into force
Page
: 01-14/2004/1
: 1.0
: 30.7.2004
: 145 of 145
LIST OF ABBREVIATIONS
Anti-Fraud coordinating service

Budgetary Spending Centre
Budget Supervision Office
Computer-assisted audit techniques
Commission Regulation
European Commission
European Court of Audit
European Economic Community
Government Office for Structural Policies and Regional Development
Implementing Body
Information systems
Instrument for Structural Policies for Pre-Accession
Information technology
Managing Authority
Ministry of Environment, Spatial Planning and Energy
Ministry of Transport
National Fund
Official Journal (EU)
European Anti-Fraud Office
Paying Authority
Public Internal Financial Control (system)
Quality Assurance
Supreme Audit Institution
Third party statements

Manual Audit Financiar Slovenia - 2004 - EN

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Manual Audit Financiar Slovenia - 2004 - EN

Diunggah oleh

Hak Cipta:

Format Tersedia

BUDGET SUPERVISION OFFICE

OF THE REPUBLIC OF SLOVENIA

COHESION FUND MANUAL

Approved by the director of Budget Supervision office of the RS

Budget Supervision Office of RS

Budget Supervision Office of RS

Budget Supervision Office of RS

1 PURPOSE AND STRUCTURE OF MANUAL

Budget Supervision Office of RS

Budget Supervision Office of RS

2 BACKGROUND AND REGULARITY FRAMEWORK

European Union Legislation - The Act

Budget Supervision Office of RS

Budget Supervision Office of RS

Appraisal, Monitoring and Evaluation

Budget Supervision Office of RS

Article 5 - provide the Commission with a description of these arrangements.

Budget Supervision Office of RS

Government Office for Structural Policies and Regional Development (GOSP)

Reviewing the tendering documentation submitted by Implementing Bodies;

Implementation of projects in accordance with signed contracts;

Checking and verifying claims for payment;

Monitoring and reporting to the MA;

Reporting to the Commission on the implementation of EU funded projects;

Co-ordination and assistance to Municipalities in preparing project applications.

Municipalities and Transport Sectors

Preparation of project proposals;

Tendering and contracting;

Supervising contract implementation;

Providing relevant information to the Intermediate Body;

Guaranteeing the project publicity.

Ministry of Finance - National Fund (NF)

Budget Supervision Office of RS

Budget Supervision Office (BSO)

Budget Supervision Office of RS

4 AUDIT RESPONSIBILITIES OF THE BUDGET

Tasks of the BSO:

Budget Supervision Office of RS

to issue declarations at winding-up of Cohesion Fund projects;

in order to issue declarations at winding-up of the projects BSO conducts examinations

Organisation of the BSO

Carrying out audits of the Cohesion Fund Programme; and

Budget Supervision Office of RS

Budget Supervision Office of RS

Internal Audit Bodies

Slovenian Court of Audit

the accuracy of the expenditure declared to the Commission for co-financing;

Budget Supervision Office of RS

Co-operation between the BSO and the Commission services

Audit Strategy for DG REGIO

check the accuracy of the amounts concerned;

Budget Supervision Office of RS

Budget Supervision Office of RS

5 MONITORING AND REPORTING FRAMEWORK

Budget Supervision Office of RS

Ex-post Evaluation of Cohesion Fund Projects

Budget Supervision Office of RS

6 AUDIT APPROACH AND TECHNIQUES

Independence and Objectivity

Budget Supervision Office of RS

Stages of the Audit

BUDGET SUPERVISORY OFFICE AUDIT PROCES