You are on page 1of 8

International Standards on Auditing (ISA) and their Use for Second Level Control of European Territorial Cooperation Programmes

by Susanne Volz, Financial Control Expert The Programming Period 2007-2013 introduced new Financial Control requirements for the Structural Funds. The consequences were extensively discussed within the Second Level Control Community and with the European Commission, which produced several Guidance Notes with the purpose of clarifying the wide range of open questions. While special attention had been paid to European Territorial Cooperation (ETC) Programmes both with the new EU Regulations and with the Guidance Notes, practitioners of ETC Second Level Control (SLC) are still confronted with special challenges in their attempt to comply. This article intends to assess the past and current benefit of ISA for ETC Programmes, as well as the limits of ISA for the ETC SLC problems.

Major Changes for Financial Control Requirements The biggest change between the last and the current programming period is the replacement of the minimum sample requirement of 5 % of declared eligible expenditure (article 10 Reg. (EC) No 438/2001) with the requirement of an audit opinion based on reasonable audit assurance (article 62 I d) ii) Reg. (EC) 1083/2006), the latter effectively leading to much bigger sample sizes. In the last programming period, in principle Second Level Controllers needed to perform any check necessary to obtain enough assurance for their opinions, however, in practice they would use their room of manoeuvre, meaning that audit work was not extended until reasonable assurance was achieved but until a minimum of 5 % of declared expenditure was checked and SL Controllers were confident to have achieved audit assurance sufficient for their purposes. A further major change is that for the current programming period Audit Authorities need to deliver annual opinions and a final opinion at the end of the programming period, instead of only one opinion at the end of the programming period (Winding-Up declaration). This increases the pressure for Second Level Controllers, as the audit work programme needs to be accomplished each year completely, with overlapping tasks: performing system audit and on-the-spot checks, reporting, follow up in parallel for various years. In principle, audit work as such remained the same: there had been a requirement to perform system audits and on-the-spot checks in the old programming period, which is still foreseen in the current programming period. However, in line with the requirement to deliver an audit opinion based on reasonable assurance, audit work needs to be much more focused on risks and is likely to be more extensive. As strong similarities exist between Second Level Control for the old and the new programming period, it is worthwhile to assess established Second Level Control practices compliant with international audit standards – here International Standards on Auditing (ISA) – with the intention of evaluating their benefit and their limits for SLC of ETC programmes.

What are International Standards on Auditing (ISA)? Audit standards are a set of systematic guidelines used by auditors when conducting audits on companies’ or other organisations’ finances, ensuring the accuracy, consistency and


2 . The key to understand ISA or any other audit standard is that they are a set of rules that is intended to help the auditor to perform his/her work in such a way that it produces assurance1 – not absolute certainty – about the financial statements in the most efficient way: auditing the right issue with the appropriate audit procedure to the appropriate extent. They are a tool to manage the audit risk2. not with the quality of the organisations’ finances. issues of conflict of interests and independence. It is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. including the requirement to extend audit work if detected errors exceed materiality or if not enough assurance is achieved Criteria to assess audit results and to draw up audit opinions ISA 200 No 5: ISAs require the auditor to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement. etc. ISAs must be used in their entirety. whether due to fraud or error. ISA contain: A risk model that can be applied to ETC Programmes. timing and extent of audit procedures) Guidelines for the planning and management of audits. giving guidance on how the risks can be addressed with appropriate audit procedures (nature.verifiability of auditors’ actions and reports. It is important to be aware that audit standards are primarily concerned with the quality of the auditors’ work. Reasonable assurance is defined as a high – not absolute – level of assurance. In practical terms. 2 ISA 200 No 23: The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated is known as audit risk. ISA are published by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC). It is not possible to stick to the selection listed above. including the code of ethics that deals with the professional behaviour of the auditor. such as foreseen for ETC SLC. esp: 505 – External Confirmations 520 – Analytical Procedures 530 – Audit Sampling and other Means of Testing For reasonable assurance audits. the responsible auditor must apply all ISA relevant to the audit. giving guidance on classification of risks 1 An assurance model.Objective and General Principles Governing an Audit of Financial Statements 220 – Quality Control for Audit Work 230 – Audit Documentation 240 – The Auditor’s Responsibility to Consider Fraud in an Audit of Financial Statements 250 – Consideration of Laws and Regulations in an Audit of Financial Statements 300 – Planning an Audit of Financial Statements 315 – Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement 320 – Materiality in Planning and Performing an Audit 330 – The Auditor’s Procedures in Response to Assessed Risks 500-599 Audit Evidence. Some examples of ISA are (list is not complete!): 200 .

walk-through testing) Audit objectives (examples) System Audit Audit of operations/TA Understand the OP and the MCS Assess inherent risk Assess control risk Test design of the control Compliance with laws. inspection. internal rules Test of Controls Test operating effectiveness of Test operating effectiveness of control control Reconciliations Correctness of information on Correctness of information on various levels of MCS (appropriate various levels of MCS (appropriate audit trail) or in various systems audit trail) or in various systems (IT. 3 3 . or non-compliance with applicable laws. regulations.g. if co-financing is the project delayed Check of under-usage or overrun Analysis of undue delays in of budget positions the transfer of funds (EU. internal rules. e. regulations. amounts. employee costs if done on the basis of hourly rates and time records) Correctness of data aggregation on project level (aggregated Financial Report) External confirmations Confirming outstanding Confirming outstanding amounts.g. e. ISA contain the following audit procedures. that are in use or may be beneficial for SLC work (list is not exclusive): Procedure Risk Assessment Procedures (inquiry. Guidelines for effective audit documentation Guidelines for quality assurance of audit work A code of ethics for the auditor In the end. participation in events of the project Substantive analytical Analysis of the Programmes’ Check of the financial progress of procedures liquidity. and its internal organisation Understand the project Assess inherent risk Assess control risk Test design of the control Compliance with laws. these guidelines lead to a specific audit workflow for companies or organisations (see sections below). manual recording systems) Match of financial report with underlying accounting records Match of other summary documents with underlying documents Test of Details Detect material misstatements3 in invoices and other documents of equivalent probative value Recalculation Correctness of data aggregation Correctness of cost shares on programme level allocated to the project (e. observation. manual recording systems) (IT.g. actual payment of salaries or funds by LP social security contributions. reception of e.g. internal rules Understand the beneficiary. visits. Check if project goals are met national) to beneficiaries Whereas misstatement is defined by arithmetical errors. Confirming other issues reception of funds by partners Confirming other issues. regulations. interview.

and better documented than for mainstream programmes. laws. as laid down in ISA. Reconciliations of payment claims with lists of expenditure. the involvement of several Member States (or in the case of INTERREG IIIC all Member States) representing varying legislation. checklists and financial overview tables. and aggregation of financial reports to payment claims to EU COM at the site of JTS/MA and PA). they were used for system audits. Tests of controls were applied to a lesser extent. and last but not least the language barrier. • documentation was standardised and more extensive. Its most important application was the walk-through testing of financial management (reception of funds and distribution to LP by the PA). on the spot checks can be considered as re-performance of First Level Control) and financial reporting (aggregation of eligible declared expenditure to financial reports of operations at the site of the LP. the high variation of First Level Control systems or management and control systems respectively. accounting system information. usually exceeding the common checklist approach and requiring the auditors to maintain extensive working papers and to prepare memos and excel files that allow for the verification of financial flows. In addition. for their purposes: Test of details of invoices and other documents of equivalent probative value. coordination effort via the Financial Control Group (the currently named Group of Auditors) and in some cases with the external audit firm performing the checks was extensive and led to the necessity of laying down almost everything in written form. As a result: • audit procedures were standardised by using audit manuals. and budgets. bank account statements. for specific cost items . better planned. the MA and PA. and • reporting and follow-up was standardised so that clear conclusions could be drawn for the complete operations. and that guidelines existed for the formulation of findings as well as the steps necessary for clearing them in the follow-up process. Check of under-usage or overrun of budget positions within OP Financial Report Check of financial progress of the OP ISA for INTERREG III: Which benefit so far? Considering the specific problems of INTERREG programmes. 4 . supporting documents. regulations. control processes (at the site of the JTS. Second Level Control needed to be much more standardised. Compliance checks regarding eligibility rules. however. In the programming period 2000-2006 Second Level Controllers used a wide range of audit procedures. contractual conditions etc. audit programmes. indirect cost and overheads). especially the highly fragmented implementation structure. Recalculation of cost allocations (personnel costs.

but not absolute. ISA for ETC Programmes: Which benefit in addition? The use of internationally accepted audit standards is compulsory for Second Level Control in the 2007-13 programming period (see Article 62(2) of Regulation (EC) No 1083/2006). control risk and detection risk. national legislation or organisation rules. Neither could they use statistical sampling for the test of details. Second Level Controllers checked compliance of the management and control systems and the financial reporting processes as well as operations with EU. which defines the audit risk as a combination of inherent risk. It is obtained when the auditor has achieved sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. following their own accountancy rules. Sampling turned out to be especially difficult for INTERREG programmes and ISA standards were of no help in this respect. This is a direct reference to the ISA audit risk model. even though these documents might not have been relevant to their own audit work. that the financial statement is free of material error. Considering the decentralised structure of operations. 5 . Furthermore. where various Project Partners and Lead Partners in different EU Member States were involved in implementation and consequently spending was done by various partners. This is a high. One has to keep in mind that for some programmes the audit reports were supposed to be written per operation and therefore were based on various audits in different Member States. ISA require the SL Controller to extend testing of controls for the most important controls. Second Level Controllers could not refer to statistical sampling of operations or Lead Partners and Project Partners. as a transfer of the results of a sample based on risk assessment to the whole population is limited (no extrapolation of error rates). the verification work performed by First Level Controllers on all levels and the aggregation of financial reports to the financial report of the operation by the Lead Partner. The Lead Auditor responsible for reporting had to be able to understand the documentation of audit work performed by another auditor. Instead. samples had to be defined manually according to risk considerations and representative aspects. Documentation methods in line with ISA proved to be of special benefit for SLC. it was especially important for Second Level Controllers to document the audit work performed and the conclusions drawn in a standardised and transparent way. This in turn limited the use of the results of on-the-spot checks. if SL Controllers cooperating for a particular INTERREG programme followed the same documentation rules and included a specific set of documents in their working papers. which is in the case of INTERREG and other cross border programmes the First Level Control. national and programme provisions.Walk-through testing was usually limited to a so-called Test of One with the exception of the re-performance of First Level Control. The Audit Authority needs to provide an opinion based on reasonable assurance. The SLC Lead Auditor needed to trace the flow of information between Project Partners and Lead Partners. This could only be done. even though the audit file contained documents in an unfamiliar language. please refer to the ISA Glossary and ISA 200. they can be described as follows4: 4 For the general definitions. In the context of ETC programmes. Due to the specific legal situation. level of assurance.

This is influenced by the audit procedures applied. with the respective confidence levels in the lower right corner: • For low control risk = reliable management and control systems AR = Risk Assurance • IR * 100. Inherent Risk (IR) is the risk that material errors (ineligible expenditure) are included in the declaration of expenditure to the EU COM. by performing the adequate audit procedures to the necessary extent. The variance is as follows. Control Risk (CR) is the risk that material errors (ineligible expenditure) in the declaration of expenditure to the EU COM was not prevented. esp.00% 50.00% CR * 12.00% 95. the First Level Control.00% 60.00% 90. The workflow for Second Level Control as foreseen by the EU Regulations and EU COM Guidance documents is: • Initial risk assessment (see Guidance Note on Audit Strategy and Compliance Assessment) 6 .50% DR 40.00% For high control risk = unreliable management and control systems AR = Risk Assurance 5. its structure and its environment.50% 87.00% 95. the operations. whereas the reasons for these material errors are inherent to the purpose and content of the operational programme. thereby achieving a reasonable assurance of 95 % that no material errors exist.00% 5.00% 0. still a lot of open questions remain.00% CR * 50. which in turn are statistical parameters for sample sizes for the audit of operations. the auditor endeavours to bring down the audit risk to 5 %. ISA provide a workflow based on the audit risk model and the related assurance model for the auditor.00% IR * 100. Annex IV of Regulation (EC) No 1828/2006 builds on the quantitative expression of the audit risk model when it defines the variance to be applied for the definition of confidence levels.00% 0. or detected and corrected by the OP’s management and control system. especially regarding actual audit procedures to be applied. The new EU Regulations and the guidance notes of the EU COM apply the risk oriented audit approach to Second Level Control and give a general guidance on the workflow.00% DR 10. the risk oriented audit approach as foreseen by ISA is not only limited to questions about how to determine sample sizes. assess their results appropriately and conclude on further audit procedures that ensure the achievement of the overall audit objective and the required assurance level. Expressed in quantitative terms. the legal framework and all the other factors influencing the programme. Detection Risk (DR) is the risk that the auditor/Second Level Controller does not detect material errors (ineligible expenditure) during SLC. so that the auditors plan and perform adequate audit procedures. the extent of the audit work and the quality of the audit.00% Of course.• • • • Audit Risk (AR) is the risk that the auditor/Second Level Controller expresses a positive opinion when the declaration of expenditure to the EU COM contains material errors or that the auditor expresses a negative opinion even though the declaration of expenditure does not contain material errors. However.

For audit procedures. ISA contain precise instructions on the assessment of audit results and how the audit approach should be adapted considering the results so far. inclusive opinion This workflow is overall compliant with ISA. perform additional audit procedures • Finalise audit opinion and report While what is foreseen in the Regulations and in the European Commission guidance notes matches with ISA workflow. it is not the case for audit procedures. nature. and guidance when a particular audit procedure should or can be used5. • as ISA are originally intended to serve as standards for audits of companies or organisations. if indicated by the results of the initial sample (see Sampling Guide) Performance of additional SLC work Assessment of results and reporting. Open questions or room for manoeuvre? Are ISA the solution to all crucial questions of Second Level Control for ETC Programmes? Certainly not. In this sense ISA help the Audit Authority to manage the audit. Furthermore. timing. and • as the application of ISA is in some respects restricted by the EU Regulations and Guidance Notes. It is precisely the case where ISA can be of particular benefit for SLC of ETC Programmes. extent of audit procedures. 330. which represents the System Audit component) Sampling of operations or payments (see Sampling Guide) Performance of on-the-spot checks Extension of sample. The ISA workflow can be described as follows: • Get an understanding of the entity and its environment • Understand and assess inherent risks and control risks • Decide on crucial controls and test them • Conclude on the reliability of the controls • Assess the detection risk and conclude on the extent of audit work necessary to cover it • Perform substantive audit procedures • Conclude on the audit results and decide whether further audit procedures are necessary • If necessary. 7 . where Regulations are not so detailed. 5 See ISA 315. the audit procedures and the workflow foreseen by ISA helps the Audit Authority to develop an efficient audit strategy and audit manuals. A thorough understanding of ISA. ISA provide instructions on: the objective.• • • • • • Assessment of inherent risks and control risks and conclusion on the reliability of the management and control systems (see Guidance on a common methodology for the assessment of management and control systems in the Member States.

and would limit Risk Assessment Procedures and Tests of Controls to an absolute minimum. the Audit Authority needs to get a clear understanding of the analogies ISA uses for processes within companies or organisations and transfer this to ETC Programmes. so that the Audit Authority can develop a consistent Audit Approach on how to achieve reasonable assurance. which is usually a manageable task when a company is concerned.The first aspect is problematic e. A prerequisite for this might be a clear understanding of ISA. ISA would allow an audit approach almost completely based on substantive audit procedures (here: checks of operations). the only thing the Audit Authority can do is go for the practical solution that serves the purpose. ISA cannot provide an answer for the problem of small programmes that often do not have enough operations (or payment transfers to Lead Partners and Project Partners) to allow for a statistical sampling approach. 8 . The Second Level Control currently implemented will bring about new open questions and problems.g. The Guidance Note on System Audits limits the application of ISA in another respect as well. In this respect. Whether this will result in a wider room of manoeuvre for Audit Authorities cannot be assessed at this state.g. The latter aspect is the case for example with regards the planning of system audits and the rotation of the most important bodies instead of most important controls (see Guidance Note on Audit Strategy and ISA 330). They will reveal weaknesses in the audit approaches and limitations to the application of ISA. By requiring System Audits each year following an audit plan for the complete programming period. In the case of a high control risk. applying a non-statistical sampling approach that ensures sufficient coverage. Furthermore. whenever an extension of audit work is required. Furthermore. but can be almost impossible. the possibilities of Audit Authorities to opt for the most efficient audit approach is diminished. the audit risk model and available audit procedures. e. when an OP needs to be audited.