How does the ECA assess Member States’ internal

control systems?

Workshop on Audit/Evaluation of Public Internal Financial Control Systems

(PIFC)

Ankara, 8-9 July 2008

Alan Findlay (CEAD Directorate B - Audit and Audit Supervision)

European Court of Auditors

2European Court of Auditors

Agenda

The Court’s “Assurance Model”

The DAS audit process

Understanding the environment

Planning audit procedures

Performing the audit & evaluating results

Forming audit opinion

Questions / Discussion

3European Court of Auditors

The Assurance Model (1)

4European Court of Auditors

 Assurance Model

as a tool to manage audit risk:

Preliminary assessment of inherent and control risk (combined risk assessment) to determine:Reasonable expectations concerning level of

confidence (controls assurance) that can be drawn from supervisory and control systems

Resulting extent and scope of substantive testing to be carried out, aiming to reach required overall level of confidence (95%)

Revision and / or final confirmation of preliminary assessment on the basis of audit results achieved

The Assurance Model (2)

5European Court of Auditors

Agenda

The Court’s “Assurance Model”

The DAS audit process

Understanding the environment

Planning audit procedures

Performing the audit & evaluating results

Forming audit opinion

Questions / Discussion

6European Court of Auditors

UNDERSTAND

THE AUDIT

ENVIRONMENT

AuditEnvironment

AuditEvidence

Legal Basis

InternationalAudit

Standards

THE DASArt. 248 of the Treaty

• Reliability• Legality &

regularity(Art. 129(4) of Financial

Regulation)• published with

financial statements

FORM AUDIT

CONCLUSIONS AND

AUDIT OPINION

PLAN AUDIT

PROCEDURES

PERFORM AUDIT AND EVALUATE

RESULTS

• International Standards of Auditing (ISA) published by IFAC

• INTOSAI auditing standards

• COSO Framework

DAS audit process

7European Court of Auditors

Agenda

The Court’s “Assurance Model”

The DAS audit process

Understanding the environment

Planning audit procedures

Performing the audit & evaluating results

Forming audit opinion

Questions / Discussion

8European Court of Auditors

Audit environment

Gain understanding

of the audit environment

Collect /update and analyse information about the audit environment:

Legal frameworkDesign and functioning of the supervisory and control systems

Nature of paymentsAudit standards to be applied, etc.

9European Court of Auditors

Agenda

The Court’s “Assurance Model”

The DAS audit process

Understanding the environment

Planning audit procedures

Performing the audit & evaluating results

Forming audit opinion

Questions / Discussion

10European Court of Auditors

Audit procedures

Plan audit

procedures

Plan audit procedures allowing to obtain reasonable assurance

Preliminary assessment of:

Inherent risk Quality of supervisory and control systems

Determine materiality

11European Court of Auditors

Audit procedures (2)

Determine materiality Errors are material if, individually or aggregated with other errors, they would reasonably affect decisions of addressees of opinion General practice: between 0,5% and 2% Possibility to set different level(s) taking into account addressees

requirements (“tolerable or residual risk”) Issues material by context/nature to be disclosed

Materiality rules not (always) directly applicable to systems weaknesses (often only risk) Qualitative aspects (seriousness of deficiency or frequency) Quantitative aspects (possible financial impact)

12European Court of Auditors

Preliminary assessment of inherent risk

Economic and technical environmentType and operating of activities, programmes, etc.Characteristics of beneficiariesComplexity of rulesManagement policies and practicesOther information to be taken into account: Previous work and knowledge / experience Annual activity reports and declarations of Commission’s

Directors-general and their Synthesis Other obligatory reports of different services of Commission

and Member States Relevant other information (National declarations, national

certificates, ...) Reports of other auditors

Audit procedures (3)

13European Court of Auditors

Audit procedures (4)

Preliminary assessment of quality of supervisory and control systems

Central question: Are supervisory and control systems adequate to manage the risk insofar as compliance with relevant laws, regulations, contracts, etc. is concerned?

Strong link between inherent risk and control risk

Different implementation levels to be considered

14European Court of Auditors

Agenda

The Court’s “Assurance Model”

The DAS audit process

Understanding the environment

Planning audit procedures

Performing the audit & evaluating results

Forming audit opinion

Questions / Discussion

15European Court of Auditors

Performing the audit

Perform audit

procedures and

evaluate resultsEvaluate audit results:(Re-)examine / (Re-)assess preliminary expectations

Modify initial planning on the basis of preliminary audit results, if needed

Perform supplementary audit work, if necessary

Perform audit procedures:Examination of supervisory and control systems

Substantive testing of paymentsAnalysis of management representation (National Declarations Summaries, Annual Activity Reports, etc.)

Possibly work on other sources of audit evidence (e.g. other auditors)

16European Court of Auditors

Audit objectives for supervisory

and control systems

Assessment of their capacity to

Supply management with information needed to ensure that legal, regulatory and contractual provisions have been complied with and, where applicable, corrective action is taken

Give reasonable assurance concerning compliance of revenue and expenditure with laws, regulations, contracts, etc.

17European Court of Auditors

Auditors should first identify the management departments, national/regional/local authorities or other third parties having a role of supervision or control

Preparation of a programme of tests to check systems’ compliance with three key control objectives Design according to regulation or other provisions Transposition by parties concerned Continuous and effective functioning

Main steps of evaluatingsupervisory and control Systems

18European Court of Auditors

Substantive testing samples may also be used for tests of control to limit number of on-the-spot checks Examination of payments affected by errors Identification of systems which should have prevented or

identified and corrected them Analysis of control deficiencies at their origin

Overall analysis of the resultsAssessment of level of assurance obtained

The role of substantive testing in evaluating systems

19European Court of Auditors

Agenda

The Court’s “Assurance Model”

The DAS audit process

Understanding the environment

Planning audit procedures

Performing the audit & evaluating results

Forming audit opinion

Questions / Discussion

20European Court of Auditors

Forming audit conclusions & opinions

Form audit

conclusions and

audit opinion

Form audit conclusions at the level of specific assessments for different areas

Form audit opinion

21European Court of Auditors

Straightforward forming of audit conclusions requires thatActual audit results confirm reasonable expectations

formed on the basis of preliminary combined risk assessment

Findings for different sources are compatible with each other

Forming audit conclusions & opinions

22European Court of Auditors

Evaluation ofsupervisory and control systems

Professional judgement and materiality•Qualitative evaluation of results on work on systems•Quantitative evaluation of results of substantive testing•Analysis of coherence of audit results

Audit conclusions

Audit opinion – the DAS

Analysis of annual activityreports and declarations

Substantive testing

Examination of work of other auditors

Form audit opinion

Audit conclusionsAudit conclusions

23European Court of Auditors

Agenda

The Court’s “Assurance Model”

The DAS audit process

Understanding the environment

Planning audit procedures

Performing the audit & evaluating results

Forming audit opinion

Questions / Discussion