International Standards on Auditing (ISA) and their Use for Second Level Control of European Territorial Cooperation Programmes

by Susanne Volz, Financial Control Expert The Programming Period 2007-2013 introduced new Financial Control requirements for the Structural Funds. The consequences were extensively discussed within the Second Level Control Community and with the European Commission, which produced several Guidance Notes with the purpose of clarifying the wide range of open questions. While special attention had been paid to European Territorial Cooperation (ETC) Programmes both with the new EU Regulations and with the Guidance Notes, practitioners of ETC Second Level Control (SLC) are still confronted with special challenges in their attempt to comply. This article intends to assess the past and current benefit of ISA for ETC Programmes, as well as the limits of ISA for the ETC SLC problems.

Major Changes for Financial Control Requirements The biggest change between the last and the current programming period is the replacement of the minimum sample requirement of 5 % of declared eligible expenditure (article 10 Reg. (EC) No 438/2001) with the requirement of an audit opinion based on reasonable audit assurance (article 62 I d) ii) Reg. (EC) 1083/2006), the latter effectively leading to much bigger sample sizes. In the last programming period, in principle Second Level Controllers needed to perform any check necessary to obtain enough assurance for their opinions, however, in practice they would use their room of manoeuvre, meaning that audit work was not extended until reasonable assurance was achieved but until a minimum of 5 % of declared expenditure was checked and SL Controllers were confident to have achieved audit assurance sufficient for their purposes. A further major change is that for the current programming period Audit Authorities need to deliver annual opinions and a final opinion at the end of the programming period, instead of only one opinion at the end of the programming period (Winding-Up declaration). This increases the pressure for Second Level Controllers, as the audit work programme needs to be accomplished each year completely, with overlapping tasks: performing system audit and on-the-spot checks, reporting, follow up in parallel for various years. In principle, audit work as such remained the same: there had been a requirement to perform system audits and on-the-spot checks in the old programming period, which is still foreseen in the current programming period. However, in line with the requirement to deliver an audit opinion based on reasonable assurance, audit work needs to be much more focused on risks and is likely to be more extensive. As strong similarities exist between Second Level Control for the old and the new programming period, it is worthwhile to assess established Second Level Control practices compliant with international audit standards here International Standards on Auditing (ISA) with the intention of evaluating their benefit and their limits for SLC of ETC programmes.

What are International Standards on Auditing (ISA)? Audit standards are a set of systematic guidelines used by auditors when conducting audits on companies or other organisations finances, ensuring the accuracy, consistency and

verifiability of auditors actions and reports. It is important to be aware that audit standards are primarily concerned with the quality of the auditors work, not with the quality of the organisations finances. The key to understand ISA or any other audit standard is that they are a set of rules that is intended to help the auditor to perform his/her work in such a way that it produces assurance1 not absolute certainty about the financial statements in the most efficient way: auditing the right issue with the appropriate audit procedure to the appropriate extent. They are a tool to manage the audit risk2. ISA are published by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC). Some examples of ISA are (list is not complete!): 200 - Objective and General Principles Governing an Audit of Financial Statements 220 Quality Control for Audit Work 230 Audit Documentation 240 The Auditors Responsibility to Consider Fraud in an Audit of Financial Statements 250 Consideration of Laws and Regulations in an Audit of Financial Statements 300 Planning an Audit of Financial Statements 315 Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement 320 Materiality in Planning and Performing an Audit 330 The Auditors Procedures in Response to Assessed Risks 500-599 Audit Evidence, esp: 505 External Confirmations 520 Analytical Procedures 530 Audit Sampling and other Means of Testing For reasonable assurance audits, such as foreseen for ETC SLC, the responsible auditor must apply all ISA relevant to the audit. It is not possible to stick to the selection listed above, ISAs must be used in their entirety, including the code of ethics that deals with the professional behaviour of the auditor, issues of conflict of interests and independence, etc. In practical terms, ISA contain: A risk model that can be applied to ETC Programmes, giving guidance on classification of risks

1

An assurance model, giving guidance on how the risks can be addressed with appropriate audit procedures (nature, timing and extent of audit procedures) Guidelines for the planning and management of audits, including the requirement to extend audit work if detected errors exceed materiality or if not enough assurance is achieved Criteria to assess audit results and to draw up audit opinions

ISA 200 No 5: ISAs require the auditor to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. Reasonable assurance is defined as a high not absolute level of assurance. It is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. 2 ISA 200 No 23: The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated is known as audit risk.



Guidelines for effective audit documentation Guidelines for quality assurance of audit work A code of ethics for the auditor

In the end, these guidelines lead to a specific audit workflow for companies or organisations (see sections below). ISA contain the following audit procedures, that are in use or may be beneficial for SLC work (list is not exclusive): Procedure
Risk Assessment Procedures (inquiry, interview, observation, inspection, visits, walk-through testing)

Audit objectives (examples) System Audit Audit of operations/TA

Understand the OP and the MCS Assess inherent risk Assess control risk Test design of the control Compliance with laws, regulations, internal rules

Understand the beneficiary, and its internal organisation Understand the project Assess inherent risk Assess control risk Test design of the control Compliance with laws, regulations, internal rules Test of Controls Test operating effectiveness of Test operating effectiveness of control control Reconciliations Correctness of information on Correctness of information on various levels of MCS (appropriate various levels of MCS (appropriate audit trail) or in various systems audit trail) or in various systems (IT, manual recording systems) (IT, manual recording systems) Match of financial report with underlying accounting records Match of other summary documents with underlying documents Test of Details Detect material misstatements3 in invoices and other documents of equivalent probative value Recalculation Correctness of data aggregation Correctness of cost shares on programme level allocated to the project (e.g. employee costs if done on the basis of hourly rates and time records) Correctness of data aggregation on project level (aggregated Financial Report) External confirmations Confirming outstanding Confirming outstanding amounts, amounts, e.g. reception of e.g. actual payment of salaries or funds by LP social security contributions, Confirming other issues reception of funds by partners Confirming other issues, e.g. participation in events of the project Substantive analytical Analysis of the Programmes Check of the financial progress of procedures liquidity, if co-financing is the project delayed Check of under-usage or overrun Analysis of undue delays in of budget positions the transfer of funds (EU, Check if project goals are met national) to beneficiaries Whereas misstatement is defined by arithmetical errors, or non-compliance with applicable laws, regulations, internal rules.
3



Check of under-usage or overrun of budget positions within OP Financial Report Check of financial progress of the OP

ISA for INTERREG III: Which benefit so far? Considering the specific problems of INTERREG programmes, especially the highly fragmented implementation structure, the involvement of several Member States (or in the case of INTERREG IIIC all Member States) representing varying legislation, the high variation of First Level Control systems or management and control systems respectively, and last but not least the language barrier, Second Level Control needed to be much more standardised, better planned, and better documented than for mainstream programmes. In addition, coordination effort via the Financial Control Group (the currently named Group of Auditors) and in some cases with the external audit firm performing the checks was extensive and led to the necessity of laying down almost everything in written form. As a result: audit procedures were standardised by using audit manuals, audit programmes, checklists and financial overview tables, documentation was standardised and more extensive, usually exceeding the common checklist approach and requiring the auditors to maintain extensive working papers and to prepare memos and excel files that allow for the verification of financial flows, and reporting and follow-up was standardised so that clear conclusions could be drawn for the complete operations, and that guidelines existed for the formulation of findings as well as the steps necessary for clearing them in the follow-up process. In the programming period 2000-2006 Second Level Controllers used a wide range of audit procedures, as laid down in ISA, for their purposes: Test of details of invoices and other documents of equivalent probative value, Reconciliations of payment claims with lists of expenditure, accounting system information, bank account statements, supporting documents, and budgets, Recalculation of cost allocations (personnel costs, indirect cost and overheads), Compliance checks regarding eligibility rules, laws, regulations, contractual conditions etc. for specific cost items . Tests of controls were applied to a lesser extent, however, they were used for system audits. Its most important application was the walk-through testing of financial management (reception of funds and distribution to LP by the PA), control processes (at the site of the JTS, the MA and PA, on the spot checks can be considered as re-performance of First Level Control) and financial reporting (aggregation of eligible declared expenditure to financial reports of operations at the site of the LP, and aggregation of financial reports to payment claims to EU COM at the site of JTS/MA and PA).

Walk-through testing was usually limited to a so-called Test of One with the exception of the re-performance of First Level Control. ISA require the SL Controller to extend testing of controls for the most important controls, which is in the case of INTERREG and other cross border programmes the First Level Control. Furthermore, Second Level Controllers checked compliance of the management and control systems and the financial reporting processes as well as operations with EU, national and programme provisions. Documentation methods in line with ISA proved to be of special benefit for SLC. Considering the decentralised structure of operations, where various Project Partners and Lead Partners in different EU Member States were involved in implementation and consequently spending was done by various partners, following their own accountancy rules, national legislation or organisation rules, it was especially important for Second Level Controllers to document the audit work performed and the conclusions drawn in a standardised and transparent way. One has to keep in mind that for some programmes the audit reports were supposed to be written per operation and therefore were based on various audits in different Member States. The Lead Auditor responsible for reporting had to be able to understand the documentation of audit work performed by another auditor, even though the audit file contained documents in an unfamiliar language. The SLC Lead Auditor needed to trace the flow of information between Project Partners and Lead Partners, the verification work performed by First Level Controllers on all levels and the aggregation of financial reports to the financial report of the operation by the Lead Partner. This could only be done, if SL Controllers cooperating for a particular INTERREG programme followed the same documentation rules and included a specific set of documents in their working papers, even though these documents might not have been relevant to their own audit work. Sampling turned out to be especially difficult for INTERREG programmes and ISA standards were of no help in this respect. Due to the specific legal situation, Second Level Controllers could not refer to statistical sampling of operations or Lead Partners and Project Partners. Neither could they use statistical sampling for the test of details. Instead, samples had to be defined manually according to risk considerations and representative aspects. This in turn limited the use of the results of on-the-spot checks, as a transfer of the results of a sample based on risk assessment to the whole population is limited (no extrapolation of error rates).

ISA for ETC Programmes: Which benefit in addition? The use of internationally accepted audit standards is compulsory for Second Level Control in the 2007-13 programming period (see Article 62(2) of Regulation (EC) No 1083/2006). The Audit Authority needs to provide an opinion based on reasonable assurance. This is a high, but not absolute, level of assurance, that the financial statement is free of material error. It is obtained when the auditor has achieved sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. This is a direct reference to the ISA audit risk model, which defines the audit risk as a combination of inherent risk, control risk and detection risk. In the context of ETC programmes, they can be described as follows4:

For the general definitions, please refer to the ISA Glossary and ISA 200.

Audit Risk (AR) is the risk that the auditor/Second Level Controller expresses a positive opinion when the declaration of expenditure to the EU COM contains material errors or that the auditor expresses a negative opinion even though the declaration of expenditure does not contain material errors. Inherent Risk (IR) is the risk that material errors (ineligible expenditure) are included in the declaration of expenditure to the EU COM, whereas the reasons for these material errors are inherent to the purpose and content of the operational programme, the operations, the legal framework and all the other factors influencing the programme, its structure and its environment. Control Risk (CR) is the risk that material errors (ineligible expenditure) in the declaration of expenditure to the EU COM was not prevented, or detected and corrected by the OPs management and control system, esp. the First Level Control. Detection Risk (DR) is the risk that the auditor/Second Level Controller does not detect material errors (ineligible expenditure) during SLC. This is influenced by the audit procedures applied, the extent of the audit work and the quality of the audit.

Expressed in quantitative terms, by performing the adequate audit procedures to the necessary extent, the auditor endeavours to bring down the audit risk to 5 %, thereby achieving a reasonable assurance of 95 % that no material errors exist. Annex IV of Regulation (EC) No 1828/2006 builds on the quantitative expression of the audit risk model when it defines the variance to be applied for the definition of confidence levels, which in turn are statistical parameters for sample sizes for the audit of operations. The variance is as follows, with the respective confidence levels in the lower right corner: For low control risk = reliable management and control systems

AR = Risk Assurance

IR * 100,00% 0,00%

CR * 12,50% 87,50%

DR 40,00% 60,00%

5,00% 95,00%

For high control risk = unreliable management and control systems

AR = Risk Assurance 5,00% 95,00%

IR * 100,00% 0,00%

CR * 50,00% 50,00%

DR 10,00% 90,00%

Of course, the risk oriented audit approach as foreseen by ISA is not only limited to questions about how to determine sample sizes. ISA provide a workflow based on the audit risk model and the related assurance model for the auditor, so that the auditors plan and perform adequate audit procedures, assess their results appropriately and conclude on further audit procedures that ensure the achievement of the overall audit objective and the required assurance level. The new EU Regulations and the guidance notes of the EU COM apply the risk oriented audit approach to Second Level Control and give a general guidance on the workflow. However, still a lot of open questions remain, especially regarding actual audit procedures to be applied. The workflow for Second Level Control as foreseen by the EU Regulations and EU COM Guidance documents is: Initial risk assessment (see Guidance Note on Audit Strategy and Compliance Assessment)

Assessment of inherent risks and control risks and conclusion on the reliability of the management and control systems (see Guidance on a common methodology for the assessment of management and control systems in the Member States, which represents the System Audit component) Sampling of operations or payments (see Sampling Guide) Performance of on-the-spot checks Extension of sample, if indicated by the results of the initial sample (see Sampling Guide) Performance of additional SLC work Assessment of results and reporting, inclusive opinion

This workflow is overall compliant with ISA. The ISA workflow can be described as follows: Get an understanding of the entity and its environment Understand and assess inherent risks and control risks Decide on crucial controls and test them Conclude on the reliability of the controls Assess the detection risk and conclude on the extent of audit work necessary to cover it Perform substantive audit procedures Conclude on the audit results and decide whether further audit procedures are necessary If necessary, perform additional audit procedures Finalise audit opinion and report While what is foreseen in the Regulations and in the European Commission guidance notes matches with ISA workflow, it is not the case for audit procedures, where Regulations are not so detailed. It is precisely the case where ISA can be of particular benefit for SLC of ETC Programmes. For audit procedures, ISA provide instructions on: the objective, nature, timing, extent of audit procedures, and guidance when a particular audit procedure should or can be used5.

A thorough understanding of ISA, the audit procedures and the workflow foreseen by ISA helps the Audit Authority to develop an efficient audit strategy and audit manuals. Furthermore, ISA contain precise instructions on the assessment of audit results and how the audit approach should be adapted considering the results so far. In this sense ISA help the Audit Authority to manage the audit.

Open questions or room for manoeuvre? Are ISA the solution to all crucial questions of Second Level Control for ETC Programmes? Certainly not, as ISA are originally intended to serve as standards for audits of companies or organisations, and as the application of ISA is in some respects restricted by the EU Regulations and Guidance Notes.

See ISA 315, 330.

The first aspect is problematic e.g. whenever an extension of audit work is required, which is usually a manageable task when a company is concerned, but can be almost impossible, when an OP needs to be audited. Furthermore, the Audit Authority needs to get a clear understanding of the analogies ISA uses for processes within companies or organisations and transfer this to ETC Programmes, so that the Audit Authority can develop a consistent Audit Approach on how to achieve reasonable assurance. The latter aspect is the case for example with regards the planning of system audits and the rotation of the most important bodies instead of most important controls (see Guidance Note on Audit Strategy and ISA 330). The Guidance Note on System Audits limits the application of ISA in another respect as well. By requiring System Audits each year following an audit plan for the complete programming period, the possibilities of Audit Authorities to opt for the most efficient audit approach is diminished. In the case of a high control risk, ISA would allow an audit approach almost completely based on substantive audit procedures (here: checks of operations), and would limit Risk Assessment Procedures and Tests of Controls to an absolute minimum. Furthermore, ISA cannot provide an answer for the problem of small programmes that often do not have enough operations (or payment transfers to Lead Partners and Project Partners) to allow for a statistical sampling approach. In this respect, the only thing the Audit Authority can do is go for the practical solution that serves the purpose, e.g. applying a non-statistical sampling approach that ensures sufficient coverage. The Second Level Control currently implemented will bring about new open questions and problems. They will reveal weaknesses in the audit approaches and limitations to the application of ISA. Whether this will result in a wider room of manoeuvre for Audit Authorities cannot be assessed at this state. A prerequisite for this might be a clear understanding of ISA, the audit risk model and available audit procedures.