You are on page 1of 23

21/05/2014

EUROPEAN COMMISSION

EGESIF_14-0011

DRAFT
European Structural and Investment Funds

Guidance for Member States and Programme


Authorities
Audit Strategy
(under Article 127 (4) of Regulation (EU) No 1303/2013)

Provisional Disclaimer: This is a draft document based on the new cohesion policy Regulations published in
OJ 347 of 20 December 2013, the Commission Delegated Regulation (EU) No 480/2014, and on the relevant
Commission proposals for Implementing Regulations under preparation and to be discussed with the colegislators. Further review will be made to reflect the final provisions of these draft legal acts once they are
adopted.

DISCLAIMER: "This is a working document prepared by the Commission services. On the basis of the
applicable EU law, it provides technical guidance to the attention of public authorities, practitioners,
beneficiaries or potential beneficiaries, and other bodies involved in the monitoring, control or implementation
of the Cohesion policy on how to interpret and apply the EU rules in this area. The aim of this document is to
provide Commission services' explanations and interpretations of the said rules in order to facilitate the
implementation of operational programmes and to encourage good practice(s). However this guidance is
without prejudice to the interpretation of the Court of Justice and the General Court or decisions of the
Commission."

Page 1 of 23

21/05/2014

CONTENTS

LIST OF ACRONYMS AND ABBREVIATIONS................................................................................3


I.

PREAMBLE...........................................................................................................................4

II. CONTENT OF THE AUDIT STRATEGY.................................................................................5


1. Introduction.........................................................................................................................5
2. Legal Basis and Scope.........................................................................................................8
3. Risk Assessment..................................................................................................................9
4. Methodology.......................................................................................................................9
4.1 Brief description of the audit cycle................................................................................9
4.2 For system audits.........................................................................................................10
4.3 For audits of operations...............................................................................................12
4.4 For audits of the accounts............................................................................................15
4.5 Procedures related to verifications of management declaration..................................15
5. Audit Work Planned..........................................................................................................16
6. Resources..........................................................................................................................16
III. EXAMPLE OF A TEMPLATE FOR A RISK ASSESSMENT TABLE (TO BE ADAPTED BY THE
AA) ........................................................................................................................................18
IV.

ASSURANCE MODEL......................................................................................................19

V. AUDIT WORK INDICATIVE TIMELINES.............................................................................20

Page 2 of 23

21/05/2014

LIST OF ACRONYMS AND ABBREVIATIONS


AA Audit Authority
Audit Body Body carrying out audits under AA's remit
AO Audit Opinion
CA Certifying Authority
CCI Code Commun d'Identification (reference number of each programme, attributed by the
Commission)
CR Control Report
CDR - Commission Delegated Regulation (EU) No 480/2014) of 3.3.2014 supplementing
Regulation (EU) No 1303/2013 of the European Parliament and of the Council
laying down common provisions on the European Regional Development Fund, the
European Social Fund, the Cohesion Fund, the European Agricultural Fund for Rural
Development and the European Maritime and Fisheries Fund and laying down
general provisions on the European Regional Development Fund, the European
Social Fund, the Cohesion Fund and the European Maritime and Fisheries Fund
CPR Common Provisions Regulation (Regulation (EU) No 1303/2013 of the European
Parliament and of the Council of 17 December 2013, laying down common
provisions on the European Regional Development Fund, the European Social Fund,
the Cohesion Fund, the European Agricultural Fund for Rural Development and the
European Maritime and Fisheries Fund and laying down general provisions on the
European Regional Development Fund, the European Social Fund, the Cohesion
Fund and the European Maritime and Fisheries Fund and repealing Council
Regulation (EC) No 1083/2006)1
ETC European Territorial Cooperation
IB Intermediate Body
IR Commission Implementing Regulation (EU) No xx/2014) of xx.xx.2014 [under
approval]
MA Managing Authority
MCS Management and control system
Funds Structural Funds and Cohesion Fund
EMFF - European Maritime and Fisheries Fund

OJ, L 347/320 20.12.2013

Page 3 of 23

I. PREAMBLE
The objective of this document is to provide guidance to the Audit Authority (AA) responsible
for the preparation of the audit strategy (hereafter "the strategy") under Article 127(4) of the
Common Provisions Regulation (EU) No 1303/2013 (CPR), applicable to the Structural
Funds and Cohesion Fund (hereafter "the Funds") and the European Maritime and Fisheries
Fund (EMFF).
This guidance does not establish new requirements but sets out the Commission's
recommendations for the various sections of the strategy. These are drawn not only from the
above-mentioned provisions but also from the Commission's experience with audit strategies
of the previous programming period, existing internationally accepted audit standards and
best practice.
The strategy is a means of establishing the AAs purpose and determining the nature of the
contribution it intends to make while predefining choices that will shape decisions and
actions2. The strategy is a building block in the assurance model for the Funds and EMFF, as
it is a planning document that sets out, in accordance with Article 127(4) of the CPR, the
audit methodology, the sampling method for audits on operations and the planning of audits in
relation to the current accounting year (for the first year, this means the period from the start
date for eligibility of expenditure until 30 June 2015) and the two subsequent accounting
years.
The reference period for expenditure to be audited corresponds to the accounting year. In the
programming period 2014-2020, this reference period starts from July of year N-1 and end in
June of year N, for an audit opinion and annual control report on this accounting year to be
delivered by 15 February of year N+1. As no audit period is explicitly foreseen in the CPR,
the AA needs to agree in advance with the MA and CA the timeframe for the preparation of
the accounts in connection with the audit process, having in mind the need to ensure a timely
submission of a high quality control report and opinion, in accordance with Article 127(5) of
the CPR.
During the programming period 2014-2020, the AA is not obliged to transmit the strategy for
Commission's assessment and prior approval. However, Article 127(4) of the CPR requires
the AA to submit the audit strategy to the Commission upon request. The strategy will be a
key element on the agenda for the annual coordination meetings held under the Article 128(3)
of the CPR. In the context of its on-the-spot audits, the Commission may also assess the
quality of the information contained in the strategy; including the relevant documentation and
explanations of the professional judgement used by the AA when drawing up the strategy.
This guidance sets out, at the beginning of each section, the requirements established in the
model for the strategy, followed by explanations where relevant, including the aspects relating
to the European Territorial Cooperation (ETC) programmes.

Source: International Standard for the Professional Practice of Internal Auditing's Practical Guide on
"Developing the Internal Audit Strategic Plan", adapted to the shared management environment.

Page 4 of 23

21/05/2014

II. CONTENT OF THE AUDIT STRATEGY


1. Introduction
1.1. Identification of the operational programmes (CCI number and title) and Funds
covered by the audit strategy.
1.2. Identification of the audit authority responsible for drawing up, monitoring and
updating the audit strategy and of any other bodies that have contributed. The status
of the audit authority (national, regional or local public body) and the body in which
it is located.
1.3. Explanation of the procedure followed for drawing up, monitoring and updating the
audit strategy.
The explanation of the procedure defined by the AA for drawing up the strategy should
include, where audits are carried out by a body other than the AA (hereafter "audit body"), the
process of coordination with that audit body, covering not only the instructions transmitted by
the AA (top-down approach), but also the information provided from the audit body to the AA
(bottom-up approach).
In section 1.3 of the strategy the AA should describe also the process of approval of the
strategy and how the implementation of the strategy will be monitored by the AA to ensure
that the objectives are met, in particular when audits are carried out by an audit body.
Changes to the audit strategy should be disclosed in section 3 of the control report ("Changes
to the Audit Strategy") - see Annex IX of the IR. Factors to be taken into account for
reviewing the strategy include changes in the management and control systems, for example,
changes related with remedial actions required under Article 124(5) of the CPR related with
the designation procedure, reallocation of the functions of the AA, MA, CA to other national
authorities, organizational structures changes such as splitting a ministry, major changes in
staff, new IT systems. In line with Article 127(4) of the CPR the planning of audits should be
updated annually from 2016 until and including 2024. Within the AA, the documentation
relating to drawing up, monitoring and updating the strategy should be kept for reference.
1.4. Specification of the overall objectives of the audit strategy and the steps taken to
ensure the alignment of the objectives with all the audit bodies.
When audit bodies have contributed to the strategy, the AA must ensure that their objectives
are aligned with those of the strategy, as the AA takes responsibility for the final coordination
and the quality of work. This section should describe the way the AA will ensure this
alignment. This process may include written instructions, regular meetings or other means
considered useful. This is of particular relevance for the ETC programmes, where the audit
work will be carried out in several Member States.
1.5. Explanation of all the functions and responsibilities of the audit authority and other
bodies carrying out audits under its responsibility, with reference to the mission
statement, audit charter or national legislation, where applicable.
This section should describe the functions and responsibilities of the AA and of the audit
bodies, including the functions not related with the ones described under Article 127 of the
CPR.
Page 5 of 23

21/05/2014

The AA should have a clear mandate to perform the audit function in accordance with Article
127 of the CPR. This mandate is ordinarily documented in an audit charter that should be
formally accepted by the AA, when the mandate is not already set out in national legislation.
Where an audit charter exists for the audit function as a whole, the AA mandate should be
incorporated. A strong audit charter contributes to increase the independence of the AA.
For ETC programmes, the specificities of the functions and responsibilities of each of the
audit actors (AA, group of auditors and other audit bodies) should be described in the rules of
procedure. The strategy should refer to the rules of procedure. In case the AA is authorised to
carry out directly its functions in the whole of the territory covered by the programme, it
should be indicated for each Member State or third country participating in the programme if
a national auditor will join the AA. In case each Member State or third country is responsible
of carrying out the functions under Article 127 of the CPR, it should be clearly described for
each Member State or third country participating in the programme by whom and how the
results of the audits on its territory will be transmitted to the audit authority in order for the
audit authority to perform its assessment.
1.6. Indication of the independence of the audit authority from the managing authority and
certifying authority.
1.7. Confirmation by the audit authority that the bodies carrying out audits pursuant to
Article 127(2) of Regulation (EU) No 1303/2013 have the requisite functional
independence (and organisational independence, where applicable under Article
123(5) of Regulation (EU) No 1303/2013).
Independence is the freedom from conditions that threaten the ability of the AA to carry out
its responsibilities under Article 127 of the CPR in an unbiased manner. To achieve the degree
of independence necessary to effectively carry out its responsibilities, the AA must have direct
and unrestricted access to senior management at all levels, including the MA and the CA.
During all stages of the audit cycle, the AA should ensure that its work (and the work done by
the audit body) is performed in an independent 3 and objective manner, free of conflict of
interests with the audited entity, including the beneficiary as defined under Article 2(10) of the
CPR.
The organizational placement and status of the AA may pose a practical
constraint or a limit on the scope of the AA work, in particular where the
AA is located in the same public body as (some of) the audited entities. In general,
the higher the reporting level, the greater the potential scope of
engagements that can be undertaken by the AA while remaining
independent of the audited entity. 4 At a minimum, the head of the AA needs to report
to the hierarchy level within that public body that allows the AA to fulfill its responsibilities;
the AA must be free from interference in determining the scope of its audit work, performing
work, and communicating results.

Further advice on the concept of independence can be found in the Commission's recommendation on statutory
auditors'
independence
of
16
May
2002
(OJ
L191/22
of
19.07.2002/
http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:191:0022:0057:EN:PDF) and in Chapter 3 of the
INTOSAI Code of Ethics (http://www.issai.org/media/12926/issai_30_e.pdf).
4

See also: International Standard for the Professional Practice of Internal Auditing (IPPF) 1100, related Practice
Advisory 1110-1 and IPPF Practice Guide on "Independence and Objectivity".

Page 6 of 23

21/05/2014

As results from Article 123(4) of the CPR, the AA must be functionally independent from
the MA and the CA. The term "functionally independent" means that the AA does not have
any role in the functions pertaining to the MA, the CA or to IBs carrying out tasks of the
managing or the CA under the responsibility of that authority. This concept is also reflected in
the 1st paragraph of Article 123(5) of the CPR, which allows the AA to be part of the same
public authority or body (e.g. a ministry) together with the MA and/or the CA, provided that
the principle of separation of functions is respected and under the conditions set out in the last
paragraph of the same provision.
The same approach applies to the audit bodies carrying out audits under the AA's remit. In
case where audit bodies are internal audit units, special considerations should be taken into
account: the AA should be aware of the organisational set up and reporting lines within the
organisation in question, in order to estimate the position of the internal audit unit and the risk
of impaired independence. For ETC programmes, confirmation of the independence of each
member of the group of auditors should be obtained by the AA, where the members of the
group of auditors carry out audit work themselves in their Member State or
supervise/outsource the audit work. In cases where the audit work is outsourced, the
contractor should be obliged by the contract to immediately inform the audit authority in case
of possible conflict of interests so that the audit authority, assisted by the group of auditors,
can take appropriate measures.
The AA should indicate how the mentioned functional independence is ensured, describing
the relations between the AA and the MA, CA and where applicable the IBs, with reference to
the relevant organisation chart and the reporting lines between the AA and these bodies and,
where applicable the public authority or body to which the MA and/or the CA also report.
In the context of section 1.7 of the strategy, the term "organisational independence" refers to
a situation where the AA cannot be part of the same public authority or body (e.g. a ministry)
together with the MA and/or the CA. According to the 2nd paragraph of Article 123(5) CPR,
this is the case where the total amount of support from the Funds to an operational programme
exceeds EUR 250 000 000 or from the EMFF exceeds EUR 100 000 000. However, there are
two exceptions to this requirement:
a) Either, pursuant to the applicable provisions for the previous programming period, the
Commission has informed the Member State prior to the date of adoption of the operational
programme concerned of its conclusion that it can rely principally on its audit opinion,
b) Or the Commission is satisfied on the basis of the experience of the previous programming
period that the institutional organisation and accountability of the audit authority provide
adequate guarantees of its functional independence and reliability.
Only in the two mentioned cases, exceptionally, where the total amount of support from the
Funds to an operational programme exceeds EUR 250 000 000 or from the EMFF exceeds
EUR 100 000 000, the AA may even be part of the same public authority or body together
with the MA and/or the CA.
For the ETC programmes and in addition to the above-mentioned conditions, the AA should
also be functionally independent from the joint secretariat (set up by the MA under
Article 23(2) of the Regulation (EU) No 1299/2013, hereafter the "ETC Regulation") and
from the 'controller(s)' foreseen under Article 23(4) of the ETC Regulation.

Page 7 of 23

21/05/2014

2. Legal Basis and Scope


2.1 Indication of any national regulatory framework that affects the audit authority and its

functions.
The AA is expected to provide under this section an overview of the provisions in the national
regulatory framework that affect the functions of the AA and of the audit bodies. The AA
should also identify whether there are any discrepancies between such framework and the
relevant EU regulations and, if discrepancies exist, how this affects the work of the AA and of
the audit bodies. If this is the case, it should be indicated what action will be taken by the
Member State to address the discrepancies. If there are no discrepancies, this should be
specified in the strategy.
2.2 Confirmation that the strategy covers the current accounting year and the two subsequent
accounting years.
2.3 In case of a common system, specification of the common key control elements justifying the
common system.

Article 127(4) of the CPR foresees the possibility of elaboration of a single audit strategy
where a common system applies to more than one operational programme. Considering that
the identification of a common system is done for the purposes of determining the sampling
approach, it is advisable that the existence of a common system is agreed by the AA. A
common system can be considered to exist where the same management and control system
supports the activities of several operational programmes. The criterion to take into account
is the presence of the same key control elements, i.e. when the following elements are
essentially the same for a set of operational programmes:
(i) description of the functions of each body involved in management and control, and the
allocation of functions within each body;
(ii) procedures for ensuring the correctness and regularity of expenditure declared, including
an adequate audit trail and supervision of IB, where applicable.
The existence of common risk levels (for example, similar IBs across several OPs with a
common risk linked to the type of IB) may also be a factor to consider when determining the
existence of a common system.
Due to their specificities, namely the involvement of at least two Member States, the ETC
programmes should not be considered as pertaining to a common management and control
system together with mainstream programmes. Hence, the strategy for an ETC programme
should be drawn up separately, even if the bodies involved in their management and control
system are the same as for mainstream programmes.

Page 8 of 23

21/05/2014

3. Risk Assessment
3.1 Explanation of the overall risk assessment method followed, including: an indication
of the risk factors taken into account including those for the specific thematic areas
described under paragraph 4.2.3 below, risk scoring used, the extent to which the results
of previous audits of the bodies and systems have been taken into account (for example,
audits from the 2007-2013 period if relevant), covering the managing authority, certifying
authority and intermediate bodies.
3.2 Procedures for updating the risk assessment.
When setting up the overall risk assessment method for prioritising the system audit work on
the measures, bodies and/or key requirements, the AA should consider the relevant risk factors
and apply them to all priorities and bodies relating to the programme(s) covered by the
strategy. Some examples which may be considered are the following: amount, management
competence, quality of internal controls, degree of change of stability in the control
environment, time of last audit engagement, complexity of the organisational structure, type
of operations, type of beneficiaries, risk of fraud, etc.
As a best practice, the results of the AA's risk assessment are reported in a table where the
programmes and the main bodies involved in the management and control system are
classified by risk level. A non-exhaustive example of such table is provided in section III of
this document. The example table would need to be adapted and complemented by the AA
with the risk factors which the AA considers the relevant ones for the programmes concerned.
For small systems e.g. where all bodies and main key requirements can be audited in the first
exercise, the risk assessment may be less elaborated.
On the basis of the results of the risk assessment, the AA will be able to prioritize the systems
audit of programmes and bodies for which the detection risk is higher over the audit period
and over the "current accounting year" (for the first year, this means the period from the start
date for eligibility of expenditure until 30 June 2015) and the two subsequent accounting
years covered by the strategy. Such prioritization should cover also the specific thematic areas
described under paragraph 4.2.3 below. The timing and scope of the audits might also be
influenced by the implementation rate of the programme, e.g. the (expected) late timing of
declaration of expenditure for a measure or body to the Commission would mean that not all
key requirements might be "auditable" at the same point in time.
4. Methodology
4.1 Brief description of the audit cycle
4.1.1 Short description of the main steps of the audit work such as: planning and design of
audits, objectives to be achieved, performing the audits and gathering evidence, evaluating
evidence and forming conclusions, reporting, follow-up processes and quality control
arrangements for the work of the audit authority and for the work performed by
independent audit bodies on which the audit authority places reliance under Article 127(2)
of Regulation (EU) No 1303/2013.
4.1.2 Reference to existing audit manuals or procedures, where those steps can be
described in more detail.
Page 9 of 23

21/05/2014

4.1.3 Reference to the internationally accepted audit standards that the audit authority
intends to follow.
4.1.4 Reference to the procedures in place for drawing up the control report and audit
opinion to be submitted to the Commission in accordance with Article 127(5) of
Regulation (EU) No 1303/2013.
The description of the planning and design of audits should include a reference to materiality
thresholds and other quantitative and qualitative factors to consider when assessing the
materiality of audit findings for system audits, audits of operations and audits of the accounts.
Reporting is intended to cover a reference to the different phases of reporting (such as draft
audit reports, contradictory procedure with the auditee and final audit reports), deadlines for
reporting, follow-up processes. The description of the reporting should also include an
explanation of the reporting process to be used between the audit authority and the
coordinating body(ies) that may be designated by the Member State under Article 123(8) and
Article 128(2) of the CPR. Follow-up processes should be described so as to include
procedures for monitoring the implementation of recommendations and corrective measures
resulting from audit reports.
The AA's audit manual needs to provide a description of the working procedures for the
different phases of an audit, i.e. audit planning, preliminary survey, risk assessment,
performance of engagements, recording and documentation, supervision, reporting, quality
assurance process and external review, using the work of other auditors, use of any computer
assisted audit techniques (CAATs), sampling methods used, etc.
4.1.5 For ETC programmes, an explanation of how the audit authority intends to ensure
the coordination and supervision process with the group of auditors from the other
Member States concerned by these programmes and a description of the rules of
procedures adopted.
4.2 For system audits
4.2.1 Specification of the body or bodies responsible for the audit work (audit authority or
other independent audit bodies as foreseen in article 127(2) of Regulation (EU) No
1303/2013
4.2.2 Specification of the bodies to be audited and the related key requirements.
A complete list of the bodies/functions that will be covered by the system audits can be
provided in the indicative schedule of audit assignments foreseen under section 5.2 of the
strategy. It is expected that the AA will audit all bodies and functions included in the
management and control system of a certain operational programme (including the IB) at least
once during the programming period.
For ETC programmes, the specification of the bodies to be audited during the programming
period should cover all bodies having responsibilities for ETC programmes in all Member
States with responsibilities on a given programme, including the controllers under Article 23
(4) of the ETC Regulation.

Page 10 of 23

21/05/2014

4.2.3 Indication of any system audits relating to key requirements targeted to specific
thematic areas, such as:
- quality of management verifications including in relation to the respect of public
procurement rules, State aid rules, environmental requirements, equal opportunities;
- quality of project selection and management verifications related to the
implementation of financial engineering instruments;
- the functioning and security of IT systems set up in accordance with Articles 72(d),
125(2)(d) and 126(d) of Regulation (EU) No 1303/2013; and their connection with the
IT system "SFC2014" as foreseen in Article 74(4) of Regulation (EU) No 1303/2013
- the reliability of data relating to indicators and milestones and on the progress of the
operational programme in achieving its objectives provided by the managing authority
under Article 125(2)(a) of Regulation (EU) No 1303/2013
- reporting of irregularities, withdrawals and recoveries;
- the implementation of effective and proportionate anti-fraud measures underpinned
by a fraud risk assessment in line with Article 125(4)(c) of Regulation (EU) No
1303/2013;
Concerning the system audits on the reliability of data reporting the programme's
performance, the AA should assess whether effective controls are implemented over
collecting, summarizing and reporting the related data, and whether the reported compiled
figures reconcile with the source data.
Regarding the system audits on the functioning of IT systems5, standards related to
information technology are not as well-developed or universally accepted as standards in
some other audit areas. The lack of generally accepted information systems standards has
prompted many organizations to develop their own standards. However, there have been
efforts to develop uniform standards for processing and audit activities. The following are
three examples of information systems audit standards:
- COBIT: Control Objectives for Information and related Technology;
- FIPS: Federal Information Processing Standards (developed by the United States General
Accounting Office (GAO)
- SAC: Systems Audibility and Control report (sponsored by the IIA Research Foundation and
written by PriceWaterhouse Coopers LLP.
Examples of internationally accepted standards for information security are:
- ISO/IEC standard 27001:2013 and ISO/IEC 27002:2013
The AA may also take into consideration any related national standards, such as ITGrundschutz Catalogues of the Federal Office for Information Security in Germany (BSI).

Source references: Ronell B Raaum, Stephen L Morgan, Copyright 2009, Performance Auditing A
measurement approach, 2nd edition, The Institute of Internal Auditors Research Foundation

Page 11 of 23

21/05/2014

4.3 For audits of operations


4.3.1 Specification of the body or bodies responsible for the audit work (audit
authority or other independent audit bodies as foreseen in article 127(2) of Regulation
(EU) No 1303/2013.
4.3.2 Specification of the sampling methodology to be used in line with the said
Article 127(1), including the procedures for its revision when necessary, the criteria
for determining the assurance level obtained from system audits, description of the
arrangements to take into account the proportional control of operational programmes
as established in Article 148(1) of Regulation (EU) No 1303/2013.
The sampling methodology (sampling method, sampling unit and the parameters for
calculating the sample size) is determined by the AA based on professional judgment and
taking into account the regulatory requirements and factors such as the characteristics of the
population and the expectation regarding the level and variability of errors. Different
sampling methods and their respective advantages and considerations for their application are
presented in the "Guidance on sampling methods for audit authorities" developed for the
2007-2013 programming period (COCOF 08-0021-03, updated version of 04/04/2013). The
need for revising the sampling methodology should be assessed regularly and especially
before each sampling exercise.
On the basis of Article 28(11) of the CDR the confidence level for sampling is determined
according to the reliability level obtained from the system audits.
The complete cycle of the assurance model is illustrated by the scheme presented in section
IV of this guidance.
If several operational programmes belonging to a common system are grouped for the
sampling, a single confidence level is applied. It is possible to use a sampling design stratified
by programme to improve precision or allow a smaller sample size. However, audit
conclusions are only possible for the whole group of programmes, not for the individual
programmes.
The requirements of proportional control of operational programmes are set out under
Article 148(1) of the CPR. Regarding the practical implementation of this provision, Article
28(8) of the CDR establishes that the audit authority may exclude from the population to be
sampled the operations for which the conditions for the proportional control provided for in
Article 148(1) of Regulation (EU) No 1303/2013 apply. In case the operation concerned has
already been selected in the sample, the audit authority has to replace it using appropriate
random selection. The easiest way to implement this substitution is to select additional items,
in the same number of the ones excluded from the sample, using exactly the same selection
methodology (either random selection or probability proportional to expenditure selection).
When selecting the new items for the sample the ones already included in the sample and the
ones covered by Article 148(1) of the CPR should be previously excluded from the
population. The extrapolation can be performed as usual, not forgetting to correct the total
expenditure of the population with the expenditure of items under Article 148(1) of the CPR.
4.3.3 Where applicable, a description of the approach for non-statistical sampling in
order to ensure a sufficient size of the random sample enabling the audit authority to
draw up a valid audit opinion.
Page 12 of 23

21/05/2014

The approach to be used by the AA in regard to non-statistical sampling must comply with the
requirements of Article 127(1) of the CPR. As follows from Article 28(3) of the CDR, the
random sample drawn by the AA for its audits of operations has to enable the AA to
extrapolate the results to the population from which the sample was drawn, also in case a nonstatistical sampling method is used. The sample size necessary is determined by the AA based
on professional judgment and taking account of the level of assurance provided by the system
audits. The minimum requirement of 5% of operations and 10 % of the expenditure in Article
127(1) of the CPR corresponds to the 'best case scenario' of high assurance from the system.
In line with annex 3 of the ISA 530, the higher the auditor's assessment of the risk of material
misstatement, the larger the sample size needs to be. Therefore, subject to the professional
judgment of the audit authority, the following minimum sample sizes are recommended for
other scenarios: When the management and control system provides an average assurance (i.e.
the system works but some improvements are needed, the sample size should not be less than
10% of operations and 20% of the expenditure. In case the system works partially and
substantial improvements are needed, the sample size should not be less than 20% of
operations and 30% of the expenditure. Finally, when the system essentially does not work,
the sample size should not be less than 30% of operations and 40% of the expenditure.
4.3.4 Specification of the procedure for recommending appropriate steps to be taken
by the concerned authorities where errors are detected (or reference to the audit
manuals or procedures where this matter is set out).
The procedure on the action to be taken by the AA (e.g. further audit work needed involving
an additional sample or a complementary sample) and/or by the auditee when errors
(including irregularities and suspected fraud) are detected should be described in this section,
ensuring that the AA keeps a consistent approach when the audit work is carried out by other
audit bodies.
4.3.5 Description of the procedures in place for the classification and treatment of the
errors detected (or reference to the audit manuals or procedures where this matter is set
out).
Article 28(14) of the CDR establishes the definition of total error rate "[] which shall
correspond to the sum of the projected random errors and, if applicable, systemic errors and
uncorrected anomalous errors, divided by the population."
A systemic error corresponds to a systemic irregularity as defined under Article 2(38) of CPR.
An anomalous error is an error of exceptional nature which is demonstrably not representative
of the population. A random error is an error which is neither systemic nor anomalous.
Further guidance on treatment of errors is presented in chapter 4 of the Guidance on sampling
methods for audit authorities for the 2007-2013 programming period (COCOF 08-0021-03)
which may be equally useful for the 2014-2020 period.
The procedure in place for the classification of errors should include the following elements
in relation to each audit of operations:
1. A report/conclusion should be prepared and attached to the audit file.
2. Such report/conclusion should contain a complete description of the findings, covering
all elements (condition/actual situation, criteria/standard, effect and especially - the
cause of the errors), as well as the classification of each error resulting from the
intrinsic cause of the particular finding, for example as illustrated below.
Page 13 of 23

21/05/2014

Description of the cause


element of finding
Nature of cause

Classification of error

Related to weakness in the


MCS requiring remedial
actions

Not representative of
population (unique)

Yes

No

Yes

Systemic

Random

Anomalous

The report should also mention if errors detected were considered as suspected fraud cases
and what type of action has been or will be initiated (transmission to OLAF, to law
enforcement authorities). All errors identified should be corrected by the MA/CA. With
regard to systemic errors, the following additional steps should be taken:
- clear identification of weaknesses to be corrected in the management and control system and
definition of corresponding action plan;
- coordination of the bodies, time and resources involved in the implementation of the
action plan for treatment of systemic errors;
- in time reporting channels of the work and actions planned and carried out.
The AA should assess the adequacy of the action plan and whether it has been fully
implemented.
The error rate resulting from the audits of operations is to be disclosed in the annual control
report without deducting corrections. However, any corrective measures taken with regard to
irregularities detected should be considered by the AA when drawing up the audit opinion.
4.3.6 Specific aspects related to the audits of financial instruments, in line with
Article 40(3) of Regulation (EU) No 1303/2013.
The AA is expected to explain how it intends to audit payments into financial instruments in
the context of audits of operations (e.g. as a separate stratum), having in mind possible system
audits covering also those instruments.
4.3.7. Specific aspects related to the audits of simplified cost options, in line with
Articles 67 and 68 of Regulation (EU) No 1303/2013.
For more detailed guidance see the separate Guidance note on auditing simplified cost options
(EGESIF document No XXX/2014).

Page 14 of 23

21/05/2014

4.4 For audits of the accounts


Indication of the audit approach for the audit of the accounts, including the procedure
for recommending appropriate steps to be taken by the concerned authorities where
errors are detected. The audit approach should take into account the results of the
systems audits carried out on the certifying authority, results of the audits on
operations carried out in accordance with Article 127 (1) of Regulation (EU) No
1303/2013 and verifications foreseen in Article 29(5) of the Commission Delegated
Regulation.

The AA should ensure through a system audit (including control testing) that the CA has
adequate procedures in place for the reporting and monitoring of irregularities and to account
for the amounts to be withdrawn or to be recovered and to be deducted from payment claims
during the accounting year as well as to follow-up pending recoveries and irrecoverable
amounts.
The AA should check for each accounting year, before the submission of the accounts to the
Commission, that the results of any audit or control activity are adequately reflected in the
accounts when these audits or controls have detected ineligible expenditure or amounts at
risk. This means that all ineligible expenditure identified during the audits and controls is
deducted before the accounts are submitted to the Commission. The following audits and
controls should be considered:
- system audits
- audits of operation
- audits performed by the Commission and the European Court of Auditors, results of OLAF's
on the spot checks and controls
- controls performed by other programme authorities (quality checks, management
verifications on the spot)
The AA should check whether the figures included in payment applications to the
Commission during the accounting year reconcile with the figures included in the accounts.
4.5 Procedures related to verifications of management declaration
Procedures to enable the audit authority to determine whether the audit work puts in
doubt the assertions made in the management declaration.
Since the AA has to provide on a yearly basis a statement on whether the audit work carried
out puts in doubt the assertions made in the management declaration, it should put in place a
procedure ensuring that it receives the management declaration in due time and that the
management declaration has taken into account the conclusions of any audits and of any
controls.
More detailed guidance is provided in the separate Guidance note on management declaration
and annual summary (EGESIF document No XXX/2014).
Page 15 of 23

21/05/2014

5. Audit Work Planned


5.1 Indication and justification of the audit priorities and specific objectives in relation
to the current accounting year and the two subsequent accounting years, together with
an explanation of the link of the risk assessment results to the audit work planned.
5.2 An indicative schedule of audit assignments in relation to the current accounting
year and the two subsequent accounting years for systems and thematic audits, as
follows.

Authorities/Bodi CCI
Amount
es or specific numbe approve
thematic areas to r
d
be audited

Body
responsibl
e
for
auditing

Result of 20xx
risk
assessme Audit
objectiv
nt
e and
scope

20xx

20xx

Audit
objectiv
e and
scope

Audit
objectiv
e
and
scope

A description of the criteria used to determine the audit priorities and the justification should
be included. The results of the risk assessment exercise should be the main basis for
prioritising the systems audit work planned.
It is recommended that the AA prepares a general planning for the whole programming period
to cover the entire management and control system to gain reasonable assurance on its
effectiveness, in addition to the mandatory detailed "rolling" planning setting out the priorities
for the current accounting year and the subsequent two accounting years. Annex V presents
indicative timelines for the AA's work concerning one accounting year.

6. Resources
6.1 Provide the organisation chart of the audit authority and of any audit body, where
appropriate.
6.2 Indication of planned resources to be allocated in relation to the current accounting
year and the two subsequent accounting years.
6.3 Indication of the qualifications and experience required for the staff performing
audits and controls, and training requirements, where applicable
The strategy should indicate the human resources in auditor days available (or to be
mobilised) to accomplish its objectives for the coming years, including the resources of other
audit bodies and outsourced audit activities. It is recommended to indicate the auditor days
Page 16 of 23

21/05/2014

available at the level of the AA, other audit bodies and outsourced activities separately. An
indication of available auditor days per audit type (system audit, audit of accounts and audit
of operations) should be included as well as a short description of the professional experience
of audit staff.
It is essential to provide for adequate resources from the beginning of the programming
period. The use of Technical Assistance might be considered as a possibility to meet the
needs. It is recommended to have a long-term planning so that future requirements in
recruitment, training and continuing professional development can be adequately planned in
advance. The use of any specialist skills required should be identified.
In case the AA and/or audit bodies are the same as those for the programming period 20072013, it is important that adequate resources are also be planned with respect to the on-going
period. Therefore, the AA should confirm that the resources indicated are available in addition
to the resources allocated to the remaining audit work for the current programming period,
having in mind that the workload for the closure of 2007-2013 programmes will affect mostly
the last two years of the first strategy for the period 2014-2020, i.e. 2015 and 2016.
In terms of audit resources, guidance is provided by the INTOSAI European Implementing
Guidelines N 11 and the IIA standards.

Page 17 of 23

21/05/2014

III.

EXAMPLE OF A TEMPLATE FOR A RISK ASSESSMENT TABLE (TO BE ADAPTED BY THE AA)

Page 18 of 23

2014xy

Inherent risk factors6


Budgetary
amount

Complexit
y of the
organisatio
nal
structure8

Complex
ity
of
rules and
procedur
es

Wide
variety of
complex
operations9

Risky
benefic
iaries 10

Insufficient
staff
and/or
Lack
of
competenc
es on key
areas11

Control risk factors7


Degree
of
change
from
2007201312

Quality of internal controls


(key requirements
from
Guidance on the assessment
of MCS in the Member
States)13
e.g.
M.1

M.8

Total risk score (Inherent + control risk)

Body
(or
programme
area/
PA,
measure,
etc)

Total scoring for control risk (maximum: 100%)

Programme
CCI

Total scoring for inherent risk (maximum: 100%)

21/05/2014

MA
IB 1

For each factor, assess risk using a scale that ensures that the maximum total scoring for the inherent risk is 100%. With four risk factors, the scale can be: High: 25%; Medium: 12,5%; Low:
6,25%. With more risk factors, this scale would have to be modified accordingly. Some of the factors may not be applicable to a given body; in this case, the scale needs also to be adjusted in
order to ensure that for that body the total inherent risk scoring can reach 100%
7

For each factor, assess risk using a scale that ensures that the maximum total scoring for the control risk is 100%. With two risk factors, the scale would be: High: 50%, Medium: 25%, Low:
12,5%. With more risk factors, this scales would have to be modified accordingly.
8

The complexity may be due to the number of actors/ IBs involved and/or their relation with each other (e.g. a small sized MA responsible to supervise several IBs or to a new MA responsible
to supervise experienced IBs that are the ones with the effective power in the management of the programme).
9

The complexity of the operations may be related with financial instruments, public procurement, State aid, among other areas where a high degree of judgment and estimation is involved. The
specific situation applicable to each programme needs to be explained in detail in a separate sheet, cross-reference to the risk assessment table.
10

Beneficiaries with no experience with the Funds rules and/or Beneficiaries with high error rates in past audits.

11

The specific situation in terms of human resources allocated to the programme's authority needs to be explained in detail in a separate sheet, cross-reference to the risk assessment table.

12

For example, No changes =12,5%; Some changes =25%, Significant changes or totally new system = 50%

13

Assessment based on audit results from 2007-2013 period or the process of assessing compliance with the designation criteria. Scale e.g.: Category 1: 5%, category 2: 20%, category 3: 35%,
category 4: 50%

Page 19 of 23

21/05/2014

CA

Page 20 of 23

21/05/2014

IV.

ASSURANCE MODEL

Page 21 of 23

21/05/2014

V.

AUDIT WORK INDICATIVE TIMELINES


By

01/07/N-

15/02/N+1

30/06/N

_ /_ / N

_ /_ / N

Example:
31/10/N

Example:
31/12/N

Final interim
payment
Accounting period

Exception:
01/03/N+1

Submission
to the
Commissio
n:

claim

AA work
System audits
Audits of operations

CA submits draft accounts


MA preparatory work for
Management Declaration and
Annual Summary

AA

preparatory work to

issue audit opinion and


ACR

CA submits final draft accounts


To (To incorporate the latest audit
findings)

MA submits Management
Page 22 of 23

Declaration + Annual
Summary to AA

AA to finalise its
work and issue audit
opinion, ACR

Accounts
+
Manageme
nt
Declaration
+
Annual
Summary
+
Audit
Opinion
+
ACR
art.59(5)FR

31/05/N

Commissio
n
examinatio
n and
acceptance
of accounts
Art.130

If Commission
not able to
accept
Notification by
the
Commission
Art 130(4)

21/05/2014

_ /_ / N

31/07/N
01/07/N-

01/01/N

15/02/N+1

(internal deadline
to be defined by
the MS)

30/06/N

Exception:
01/03/N+1

Accounting year
Audit period: _ /_ / N to
_ /_ / N
1st Audit period:
1/1/N to 30/6/N

2nd Audit Period:


01/07/N to _ /_ / N

Audit period: 01/07/N-1 to _ /_ /N

1st option: AA draws one sample after the final interim


payment claim.
NB final interim payment claim can be submitted earlier
2nd option: MS draws two samples
Accounting period: 01/07/N-1 to 31/12/N-1 and 01/01/N to _ /_ /N
3rd option: Audit after each
payment claim

Page 23 of 23

MA CA AA
EC

MS

MA CA AA
EC

MS

MACA AA
EC

MS

Submission
to the
Commissio
n:
Accounts
+
Manageme
nt
Declaration
+
Annual
Summary
+
Audit
Opinion
+
ACR

31/05/N

Commissio
n
examinatio
n and
acceptance
of accounts
(art.130)

If Commission
not able to
accept
Notification to
MS