manual audit financiar slovenia_2004_en

Upload: valeriu-stan

Post on 02-Jun-2018


  • 8/10/2019 Manual Audit Financiar Slovenia_2004_EN

    1/145

    BUDGET SUPERVISION OFFICE OF THE REPUBLIC OF SLOVENIA

    COHESION FUND MANUAL

    FOR THE

    EXECUTION OF THE FINANCIAL CONTROL

    Document No.: 0 - 4/2004/ (E-version: CF Audit Manual Ver -0.pdf)

    JULY 2004

    Approved by the director of Budget Supervision office of the RS

    Document No. : 0 - 4/2004/
    Version : .0
    Come into force : 30.7.2004
    Page : 3 of 145

    Budget Supervision Office of RS
    Cohesion Fund Manual

    Table of Contents

    1 PURPOSE AND STRUCTURE OF MANUAL

    2 BACKGROUND AND REGULARITY FRAMEWORK

    3 MANAGEMENT FRAMEWORK

    4 AUDIT RESPONSIBILITIES OF THE BUDGET SUPERVISION OFFICE (BSO) AND RELATIONSHIPS WITH OTHER AUDITORS

        Commission services
        Co-operation bet
        Audit Programmes

    10 AUDIT EVIDENCE

        Concept of Audit Evidence
        Procedures for Obtaining Audit Evidence

    11 DOCUMENTATION AND FILING

        The Benefits of Effective Documentation
        Content of Working Papers
        Current and Permanent Files
        Confidentiality of Audit Information
        Retention of Audit Documentation

    12 AUDIT REPORTING

        Contents of the Audit Report
        Reports to the EC

        Evaluation of Errors
        Follo

    13 IRREGULARITY, FRAUD AND CORRUPTION

    APPENDIX 1: INFORMATION SYSTEMS AUDIT GUIDELINE

        ANNEX 1
        ANNEX 2
        ANNEX 3

    APPENDIX 2: AUDIT OF INTERNAL CONTROL

    APPENDIX 3: GUIDANCE FOR PERFORMANCE OF 5 PER CENT CHECKS

    APPENDIX 4: OBJECTIVES OF SUBSTANTIVE TESTS

    APPENDIX 5: SUGGESTED LIST OF KEY QUESTIONS TO EXAMINE THE MANAGEMENT CONTROL SYSTEMS

    APPENDIX 6: SUGGESTED LIST OF KEY QUESTIONS FOR ON THE SPOT CONTROL OF A COHESION FUND PROJECT

    APPENDIX 7: PREPARATORY WORK / GATHERING OF AUDIT INFORMATION

    APPENDIX 8: PROCUREMENT DIRECTIVES

    APPENDIX 9: PUBLICITY REQUIREMENTS

    APPENDIX 10: MODEL REPORT PURSUANT TO ARTICLE 12 OF REGULATION 1386/2002

    APPENDIX 11: GUIDELINES ON THE PRINCIPLES, CRITERIA AND INDICATIVE SCALES TO BE APPLIED BY COMMISSION DEPARTMENTS IN DETERMINING FINANCIAL CORRECTIONS UNDER ARTICLE H(2) OF ANNEX II TO REGULATION (EC) NO 1164/94 ESTABLISHING A COHESION FUND

    APPENDIX 12: GUIDANCE ON 5 SAMPLE CHECKS BY MEMBER STATES

    APPENDIX 13: LIST OF ABBREVIATIONS

    1 PURPOSE AND STRUCTURE OF MANUAL

    1. This Manual details the management and controls structure in Slovenia in respect of the Cohesion Fund. The Manual also details the general procedures and approach to be adopted by the Budget Supervision Office of the Ministry of Finance (hereinafter: BSO) in line

    Chapter 11 - Documentation and Filing - outlines the key principles of effective audit documentation, the contents of Working Papers, Current and Permanent Files, Confidentiality of Information and Retention of Documentation.

    Chapter 12 - Audit Reporting - covers the content of a standard audit report, reports required by the EC and follo

    Chapter 13 - Irregularity, Fraud and Corruption - covers the respective responsibilities of audited bodies, management and the auditor, the procedures

    2 BACKGROUND AND REGULARITY FRAMEWORK

    Objectives of the Cohesion Fund

    2. The Cohesion Fund

    Eligibility

    2.6 Eligibility is restricted to Member States The Commission

    Appraisal, Monitoring and Evaluation

    2. Before project approval the Commission and the Member State must make an appraisal to assess

    3 MANAGEMENT FRAMEWORK

    Regulatory Requirements

    3. The regulatory frame

    bodies detailed below in respect of the Cohesion Fund including financial management and control. The authorities and bodies responsible for the implementation of the Cohesion Fund are as follo

    The GOSP act as the Managing Authority (MA),

    Budget Supervision Office (BSO)

    The BSO

    4 AUDIT RESPONSIBILITIES OF THE BUDGET SUPERVISION OFFICE (BSO) AND RELATIONSHIPS WITH OTHER AUDITORS

    4. The BSO is an independent office

    financing has in fact been made available and that the co-financed measures have been implemented in accordance

    Internal Audit Bodies

    4.8 The responsibilities of the BSO and general liaison arrangements

    Co-operation between the BSO and the Commission services

    4.14 The Heads of BSO and the Commission audit services responsible for audit of the Cohesion Fund ensure co-operation concerning audit of the Cohesion Fund. The Commission services and the BSO conduct separate or joint audits of the management of control systems as

    4.15 In addition to the above levels of audit, individual project managers and financial beneficiaries

    particular to verify the adequacy of the Member States' systems and procedures. If these controls detect systemic failures by the responsible authorities then financial corrections

    5 MONITORING AND REPORTING FRAMEWORK

    5. This chapter outlines the general monitoring and reporting frame

    Ex-post Evaluation of Cohesion Fund Projects

    5.7 Ex-post evaluation

    6 AUDIT APPROACH AND TECHNIQUES

    6. The overall objective of the audit of Cohesion Fund is to seek assurance that the operations being financed by the European Commission are being properly carried out in accordance

    Stages of the Audit

    6.5 This Section outlines the audit process of the BSO that underpins the delivery of its objectives. The audit process is sho

    6.6 Each element in the above audit process is regulated by a system of Quality Control. This system is outlined in the follo

    6.12 Any changes to the planned time-table should be recorded; the use of a standard progress report form may be considered for this purpose. The audit manager should consider the actual man days spent on each audit against the plan and determine reasons for variances. The audit manager should consider implications for future plans.

    6.13 Audit managers should pay scheduled and unscheduled visits to see audit teams at

    Second Level

    6.20 The follo

    7 AUDIT PLANNING

    The Aims of Audit Planning

    7. The auditor should plan the audit

    o The effect of information technology on the audit. Guidance on IT audit is contained at Appendix 1.

    Coordination, Direction, Supervision and Revie

    .20 Substantive procedures are defined as:

    Minimum Substantive Procedures

    Testing should be performed at this level if the maximum assurance is taken from the examination of controls or if the area to be tested is deemed to be not material and no significant risks have been identified.

    Standard Substantive Procedures

    Testing should be performed at this level if no risks have been identified that indicate potential material error and no reliance is to be placed on the examination of controls.

    Focussed Substantive Procedures

    Testing should be performed at this level if risk has been identified that indicates potential material error and no reliance is placed on mitigating controls.

    Note: Different Audit Objectives can be substantively tested at different levels; for example, the Completeness and Regularity Objectives might be perceived to have a higher risk of material error than, say, the Measurement Objective.

    International Standard on Auditing

    International Standard on Auditing 400 provides additional guidance on risk assessment and internal control.

    9 AUDIT APPROACH TO COHESION FUND INCOME AND EXPENDITURE

    General Considerations

    9.1 Having completed the risk assessment the BSO will need to incorporate their understanding of the business and of the control environment within the Management Framework into the detailed planning exercise and the audit approach to be adopted.

    Audit Information

    9.2 Before concluding on the audit approach, the BSO will need to establish the Cohesion Fund population that they are auditing. This will involve confirming:

    o the number of projects that are in operation

    o the annual income relating to each project

    o the annual expenditure relating to each project; and

    o the bank balances for each project at the year end.

    9.3 In terms of the overall audit approach it will be for the judgement of the BSO to use the information obtained at 9.2 to determine how many projects, receipts and payments will be examined within each financial year: i.e. the degree of substantive testing to be carried out to support the controls examination. As the BSO examination is not directly linked to the audit of any specific account, the concept of materiality will mainly involve the determination of the throughput of receipts and payments within each year. As part of the longer term strategy the BSO audit approach should aim to ensure that each project is examined at least once in its lifetime.

    Understanding the Business

    9.4 In order to determine the audit approach it is essential to identify which parts of the Management Framework in Slovenia are responsible for operating the key controls over Cohesion Fund; the following diagram details the higher level control framework:

    [Diagram: higher level control framework. Recoverable labels: European Commission (EC Delegation); Designated Authority GOEA (NIC), signs the FM and sends to NF, CFCU, IB and FB; Financial Control, National Fund (NAO); Implementing Agency CFCU (SAO); Implementing Agreement; Risk assessment, Strategic/Long term plan, Annual plan.]

    [Diagram: THE AUDIT TRAIL - MANAGEMENT CONTROL FRAMEWORK IN SLOVENIA. Levels: European Commission; Managing Authority (GOSP); Intermediate Bodies (MESP and MoT); Paying Authority, National Fund (NF); Implementing Bodies (Municipalities and Transport Sectors). Flows: Flow of Funds; Expenditure Claims; Payment of Claim for Funds.]

    9.5 Article 6 of CR 1386/2002 requires that Member States management and control systems should provide a sufficient audit trail. The detailed roles and responsibilities of all the above elements should be set out in a documented audit trail. A clear understanding of the Management Framework and the controls systems in place at each level of the organisation should allow the BSO to identify a clear audit trail to cover all aspects of Cohesion Fund. Hence to obtain a full "Understanding of the Business" should be a pre-requisite of all BSO staff prior to carrying out an audit. This understanding is essential to both the planning and audit examination processes. Auditors should therefore ensure that they are familiar with these systems and that the description which they have of the audit trail is up to date.

    9.6 In terms of the Cohesion Fund, the audit trail should follow the "cradle to grave concept", starting with the national strategy and overall agreements entered into with the European Union; through project application and approval; funding and payments; monitoring, evaluation and reporting; and culminating in final certification. A sufficient audit trail is one that permits:

    o reconciliation of the summary amounts certified to the European Commission

    Note that the actual controls implemented will vary according to the nature of individual systems and according to the level of an audited body within the audit trail hierarchy.

    9.10 In order to follow up the information

    accounting system and bank statements of NF, Intermediate and Implementing Bodies.

    9.11 The review of the audit trail and the identification of possible weaknesses are an integral part of the preparation of an audit. In the same way, the preparation phase of the audit should include consideration of the extent to which the audit trail has been kept up to date.

    Setting Audit Objectives

    9.12 Audit objectives need to be set in order to gain appropriate evidence to enable the auditor to draw conclusions on the effectiveness of the management and control systems in operation in ensuring that Cohesion Fund expenditure claims are correct. Two sets of audit objectives are recommended: the first for looking at the general management and control system for administering Cohesion Fund and the second for examining control systems and expenditure specifically at the final beneficiary level, as detailed in Figures 1 and 2 below:

    9.13 Individual audits may seek to address all of the objectives set out, or may address specific areas determined as a result of risk assessment or for the purposes of a follow-up audit. The appendices contain checklists/questionnaires which should be used during audits at Member State authorities. These can of course be adapted to suit the particular type of Cohesion Fund project being audited (e.g. road, rail, water treatment, wastewater treatment). There are ten main audit objectives, which should be addressed during audits of the Member State authorities responsible for managing and controlling Cohesion Fund actions. These audit objectives are intended to provide appropriate evidence to enable the auditor to draw conclusions on the effectiveness of the management and control systems in operation. A typical audit will both examine management and control systems, and verify one or more declarations of expenditure by means of following the expenditure through the system to selected project managers/final beneficiaries.

    Figure 1: Audit objectives relating to the audit of Member States' management and control systems

    Audit objective | Activity Process | Objective

    1. | Systems descriptions | Whether there are adequate procedures to ensure that systems descriptions are revie6/02

    2. | Approval | Whether there are adequate procedures to ensure that applications for aid and the decisions reached on those applications comply 6/02 .

    10. | Audit trail | Whether there are adequate procedures in place to ensure that the management and control systems provide a sufficient audit trail. (Art. 6 of Commission Regulation 1386/02)

    9.14 As outlined below, the main purpose of the checks at final beneficiaries is to determine whether the relevant aspects of Member State authorities'

    management and control systems relating to actions are operating satisfactorily. Audits will also involve the documentation of Implementing Bodies' systems (audit trail) as they affect Cohesion funded activity.

    Figure 2: Audit objectives relating to audits at project managers/final beneficiaries

    Audit objective | Objective

    1 | Whether eligibility rules have been follo

    Takes account of the of Regulation 1386/2002 that the effectiveness of the management and control systems in place

    10 AUDIT EVIDENCE

    10. This Section describes the general concepts of audit evidence and should be read in conjunction

    Occurrence - to obtain audit evidence to ensure that all transactions and events that have been recorded have occurred and are pertinent to the audited body and

    Existence - that all assets recorded by the audited body actually exist.

    Procedures for Obtaining Audit Evidence

    10.8 The auditor should obtain audit evidence to draw reasonable conclusions on

    11 DOCUMENTATION AND FILING

    11. This Section sets out the general principles and practice for maintaining effective documentation and files.

    The Benefits of Effective Documentation

    11.2 Auditors should effectively document the audit evidence in

    Summary of audit findings

    11.5 Working papers are the auditor's principal record of the

    Copies of any reports produced by Internal Audit, the Court of Audit, the ECA or Commission and private firms

    Details of proposed future visits to the project contained in the longer term audit plan and finally

    At the conclusion of the project, details of the

    12 AUDIT REPORTING

    12. The report is the main vehicle for communicating the results of an audit. Reports should be clear and concise, highlighting the main conclusions of the audit. Audit recommendations should be ranked as to their importance to the Cohesion Fund process and should indicate the action needed to address

    Detailed Findings and recommendations

    Executive Summary

    12.8 The executive summary consists of 3 sections:

    Definition of the scope of the audit

    Reports to the EC

    Annual reports

    12.14 In accordance 6/2002 an annual report is required for each complete year of implementation. The purpose of the Article 12 report (see Model at Appendix in the context of the Contract of confidence The BSO

    The extent to

    Follow-Up Audits

    12. As part of the overall planning strategy the BSO should consider the merits of carrying out follo

    12.2 Article 7 of Regulation 1386/02 requires the Paying Authority to keep a record of all amounts recoverable from payments of Community assistance already made. The same Article also requires the Paying Authority to send to the Commission once a year, in annex to the fourth quarterly report on recoveries supplied under Regulation (EC) 1831/94, a statement of the amounts a6/02 requires Member States to for

    Sys-audit

    12.23 DG Regional Policy is in the process of developing and introducing a new Audit Management System SYSAUDIT. The objectives of this system are to offer a standard tool for the various Commission services auditing the Cohesion Fund and the Structural Funds, to provide a common data base for audits planned and executed by these services, to facilitate the standardisation and co-ordination of audit

    13 IRREGULARITY, FRAUD AND CORRUPTION

    13.2 The purpose of this Chapter is to guide auditors of the BSO on the responsibilities and procedures for the prevention and detection of irregularities, fraud and corruption.

    Respective responsibilities of Audited Bodies, Management and Auditors

    13.3 The primary responsibility for the prevention, detection and investigation of errors and irregularities rests with those responsible for the management and execution of State policies, functions and programmes (i.e. Ministries and other audited bodies). Management is responsible for establishing an effective system of internal controls to ensure compliance

    subordinates to record transactions incorrectly or to conceal them. The auditor may therefore review the adequacy of preventative mechanisms established by audited bodies, for example:

    o segregation of duties

    o systematic rotation of staff in post

    o internal oversight and inspections

    o effective human resources policies to monitor admission of new staff into the public service and to ensure that they properly understand the requirement for honesty and integrity

    o establish a code of conduct designed to promote ethical behaviour amongst staff and provide guidance on such matters as: relations

    interview techniques (used primarily in fraud investigation) : used to provide corroborative evidence that fraud has occurred, usually from those around the individual(s) suspected of committing the fraud and

    observation techniques : used to corroborate the suspicion of fraud by observing changes in behaviour patterns of those suspected of committing fraud.

    13.10 When carrying out intervie


    13.16 If the auditor believes that the irregularity could have a material effect on the financial information, he/she should consider the effect of the irregularity on the opinion and, as appropriate, perform additional audit procedures as he/she considers necessary.


    Other implications of irregularities

    13.17 Where the auditor finds that


    - management have notified and sought advice from the appropriate authorities (for example the Police)

    - management have reported the proven fraud, suspected fraud or other irregularity in accordance


    APPENDIX 1: INFORMATION SYSTEMS AUDIT GUIDELINE

    Introduction

    Many administrative and financial functions are now carried out with the aid of computer systems. The term information systems (IS) has come into general use for all such systems, as the term does not prejudge the amount or type of technology concerned.

    This guideline deals with the methodology for audit of such information systems. It is intended to provide guidance at the level required by the generalist auditor who is familiar with the issues and methods of IS audit, can undertake simple IS audit tasks, and can use IS audit specialists to serve general audit objectives. The guideline does not attempt to present detailed specialist information on the highly technical areas of the subject.

    Basic concepts and definitions

    The presence of information technology has no direct effect on the objectives of an audit, but it introduces specific control concerns and may mean that there have to be changes in the audit approach.

    Information technology brings two particular problems for management and auditors:

    - computers and networks, like any technology, are vulnerable to breakdown and damage. As soon as an organisation or a function becomes dependent on information technology, therefore, contingency planning becomes more important than before and must take sufficient account of technical matters.

    - data and programs held in computer systems are invisible and intangible, and they can be accessed or changed without leaving a trace. Management and auditors alike need to take special measures to be sure of the reliability, integrity and confidentiality of any data resulting from computers.

    Generally-recognized control techniques have been developed accordingly. IS audit deals with the evaluation of these controls. Different components of IS audit should be distinguished because they require differing skill levels, techniques and timing; and because they make different contributions to audit work as a whole. Each of these components is now discussed.

    General (installation) controls audit

    General controls are the controls in place over a whole computer installation or network. The quality of these controls has a pervasive effect on all applications run in that environment: for example, if there are weaknesses in access control at the installation level or for a whole network, it is most likely that all applications will be vulnerable to unauthorized access, regardless of any specific access controls in the applications themselves.

    Most auditors need support from IS specialists to carry out a full general controls audit. However, full audits are not always necessary. Generalist auditors may be able to obtain sufficient assurance that data are complete and correct, and that internal controls covering the computer are functioning adequately so far as they affect a particular audit, without a full review of general controls.

    In some cases generalist auditors may rely on third party statements (TPS) given by specialist IS auditors. These TPS usually cover the general controls regarding computer centres and/or applications. Should TPS not be available, generalist auditors should nevertheless always evaluate certain non-technical general controls: see below.

    The areas covered by general controls audits are set out below. The first four are general management issues which should be addressed by generalist auditors even when the technical aspects are not being examined.

    General management issues

    - organisational: strategic planning, structure and reporting lines of the IS department, adequate segregation of duties within the department
    - IS security policy: exists, is adequate, communicated and followed
    - continuity: back-up and standby arrangements
    - management of IT assets

    Specialist technical issues

    - logical and physical access controls: detailed execution
    - operations: all jobs submitted to the computer are properly authorized and are completely, accurately and promptly processed
    - systems software (including specific access restrictions)
    - programs maintenance and development procedures
    - data/database management
    - data communication (local) networks

    ANNEX 1 gives guidance for generalist auditors on the first four subjects above.

    Application audit

    An application audit evaluates the internal controls specific to the input, processing, data files and output of a defined function. All auditors carrying out systems-based audits of administrative functions where information technology is used need to address this aspect of IS audit.

    Applications audits are not necessarily highly technical. Generalist auditors will need to call on IS specialists where the application controls are exceptionally complex or technical, and there are no satisfactory compensating controls in the user area. But many applications are designed so that they give definite assurance to user managers that data and processing are in order without requiring them to be IS experts. In such cases, checks and procedures (including manual procedures) routinely carried out by user staff may give satisfactory assurance that data and output are reliable. In many audit situations this level of assurance will also be adequate for the auditors.

    The aspects which must always be addressed can be summarized in a generally-applicable form as follows:

    - Organisation and Documentation

    Management responsibility for every aspect of maintaining and running applications should be properly allocated.

    The costs of running applications should be identified and kept under review.


    All necessary documentation should exist considering the type of application concerned and the organisation's needs.

    - Input

    Only authorized items, and all authorized items, should be input.

    Data input to applications should be accurate and complete. (Input comprises both transaction and permanent/reference data.)

    - Processing

    Processing of transactions should be complete and arithmetically accurate, and the results (including generated data) should be correctly classified and recorded properly in the computer files.

    Other processing activities should be carried out on time and give correct results.

    - Data transmission

    Data should be transmitted accurately and completely.

    - Standing data

    The continued correctness of stored data should be ensured.

    - Output

    Output released whether on paper, via screens, on magnetic media, or through electronic links, should be correct and complete.

    Output should reach all those, and only those, for whom it is intended.

    ANNEX 2 presents these headings together with illustrations of control techniques or procedures which might be found. It is important that each phase should include appropriate error-handling procedures, and references to these are made in Annex 2.

    In deciding which controls he needs to rely on, the auditor should bear in mind that tests of control will need to establish, among other things, that the control operated correctly throughout the period subject to audit. It will usually favour good use of audit resources if, where he has a choice, the auditor seeks by preference to rely on controls in the user area which can be tested readily, provided that these give sufficient assurance about the control objective concerned. The use of CAATs may help to increase assurance. If there has to be reliance on the more technical controls, it will often make a general controls audit necessary. For example, to be certain that validation checks made by a program always operated, the auditor would need to obtain definite evidence that controls over program changes were effective throughout the period - a question which would involve a full general controls audit.

    Computer-assisted audit techniques (CAATs)

    The term CAATs refers to the use of retrieval software (e.g. the product IDEA) which auditors may use to test controls or (much more commonly) to sort, compare or extract data for further testing. It is essential when using CAATs to ensure that the data being used by the auditor is in fact complete and correct.


    Specialist help may be needed with CAATs. Whilst some CAATs products on the market can be used relatively easily by generalist auditors, where the task is complex, or where the data are not available to a package in the form it requires, more advanced programming skills are needed. In such cases CAATs can be an expensive use of audit resources; the decision on whether they are needed, and the design of the procedures, should depend closely on the objectives of the audit.


    Examples of CAATs tests and procedures are:

    - identifying erroneous values;
    - identifying exceptional values;
    - testing the posting or summarizing of transactions;
    - re-performing computerized processing (e.g. foreign currency conversions);
    - comparing data on separate files;
    - producing aged analysis of accounts;
    - stratification.

    CAATs are the means to an end, not an end in themselves. The use of CAATs needs to be planned and they should only be used where they produce added value or where manual procedures are not possible or less efficient. The functions to be carried out should be documented in advance and the actual use made of CAATs should be recorded. Normal rules of audit evidence must be applied. The CAATs documentation should include details of all settings, queries etc. that were used to produce the results. In all cases, it is important to be able to show that the CAATs program operated on the complete and correct set of underlying records.
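Several of the tests listed above, run over a small constructed payments extract, as an added example that is not part of the manual. The file layout, field names, control figures and the 50000 threshold are assumptions; the first test reconciles the extract to the system's control totals, which is the evidence that the later tests ran on the complete set of records.

```python
import csv
import io
from bisect import bisect_right
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample data; CONTROL holds the totals the audited system reports.
LEDGER_CSV = """doc_no,payee,currency,amount,rate,amount_eur
1001,ALFA,EUR,1200.00,1.0000,1200.00
1002,BETA,USD,5000.00,0.8000,4000.00
1003,GAMA,USD,2500.00,0.8000,2100.00
1004,DELTA,EUR,-300.00,1.0000,-300.00
1006,ALFA,EUR,98000.00,1.0000,98000.00
1007,EPSI,EUR,450.00,1.0000,450.00
"""
BANK_CSV = """doc_no,amount_eur
1001,1200.00
1002,4000.00
1003,2000.00
1006,98000.00
1007,450.00
1008,75.00
"""
CONTROL = {"record_count": 6, "total_eur": Decimal("105450.00")}


def load(text, money_fields):
    """Parse a CSV extract; document numbers become int, money fields Decimal."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["doc_no"] = int(rec["doc_no"])
        rec.update({field: Decimal(rec[field]) for field in money_fields})
        rows.append(rec)
    return rows


def is_complete(rows, control):
    """Reconcile record count and value total to the system's control figures."""
    total = sum((r["amount_eur"] for r in rows), Decimal("0"))
    return len(rows) == control["record_count"] and total == control["total_eur"]


def erroneous_values(rows):
    """Values that cannot be valid for a payment: zero or negative amounts."""
    return [r["doc_no"] for r in rows if r["amount"] <= 0]


def exceptional_values(rows, threshold):
    """Valid but unusual items that merit individual examination."""
    return [r["doc_no"] for r in rows if r["amount_eur"] > threshold]


def reperform_conversion(rows):
    """Recompute amount * rate; report (doc_no, recorded, expected) on mismatch."""
    diffs = []
    for r in rows:
        expected = (r["amount"] * r["rate"]).quantize(
            Decimal("0.01"), rounding=ROUND_HALF_UP)
        if expected != r["amount_eur"]:
            diffs.append((r["doc_no"], r["amount_eur"], expected))
    return diffs


def compare_files(ledger, bank):
    """Match two files on document number and report the differences."""
    a = {r["doc_no"]: r["amount_eur"] for r in ledger}
    b = {r["doc_no"]: r["amount_eur"] for r in bank}
    return {
        "only_in_ledger": sorted(a.keys() - b.keys()),
        "only_in_bank": sorted(b.keys() - a.keys()),
        "amount_differs": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


def stratify(rows, bounds):
    """Count and total the population per value band (bounds are lower limits)."""
    strata = [{"count": 0, "total": Decimal("0")} for _ in range(len(bounds) + 1)]
    for r in rows:
        band = strata[bisect_right(bounds, r["amount_eur"])]
        band["count"] += 1
        band["total"] += r["amount_eur"]
    return strata


def run_caats():
    """Run every test and return the results for the audit working papers."""
    ledger = load(LEDGER_CSV, ("amount", "rate", "amount_eur"))
    bank = load(BANK_CSV, ("amount_eur",))
    return {
        "complete": is_complete(ledger, CONTROL),
        "erroneous": erroneous_values(ledger),
        "exceptional": exceptional_values(ledger, Decimal("50000")),
        "conversion_diffs": reperform_conversion(ledger),
        "file_comparison": compare_files(ledger, bank),
        "strata": stratify(ledger, [Decimal("1000"), Decimal("10000")]),
    }


if __name__ == "__main__":
    print(run_caats())
```

Using Decimal rather than float keeps the reconciliation and the re-performed conversion exact to the cent, so a reported difference is a real difference in the data.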

    Audit of developing systems

    Audits of developing systems cover two main aspects:

    - the management of the development work. This may be the subject of a performance audit;

    - the adequacy of the system design for achieving the internal control requirements of the function (these should normally be defined by user management).

    It is important that new information systems should be designed in such a way that they are auditable and that there is sufficient internal control. Since making changes to the design becomes progressively more expensive in the later stages of development, auditors must consider carefully both the timing and the nature of their approach to new information systems. If no audit action is taken, there is a risk that systems may be introduced which lack important controls or are unnecessarily difficult to audit. On the other hand, any audit contribution must be made in such a way that audit independence is retained. The possibilities are:

    (a) carrying out an audit of the developing system;
    (b) being directly involved as a user of the developing application; in such cases, audit independence should be preserved, for example by arranging that other audit staff will be available to review the system independently;
    (c) ensuring that the project owner or another principal user represents auditability requirements as a management requirement of the system (in accounting systems it is quite logical for the accountant to do that, in consultation with both internal and external auditors);
    (d) ensuring that the audited organisation has general application design standards that provide for auditability and that its quality control assures this (in addition, internal audit should have arrangements for keeping an eye on auditability generally).

    Of these possibilities, (a) and (b) both demand considerable resources and may give little or no reportable audit result. It is therefore normally preferable to work through (c) and (d).


    In order to foster (c), auditors should always take the opportunity of reminding management of the need to ensure that adequate management/audit trails are specified in new applications, and should invite consultation at the planning stage for important new financial systems. ANNEX 3 presents a note of generally-applicable application control requirements, which may be useful in discussions with user management of developing systems.

    The general standards can be checked by an examination of the systems development methodology applied by the IS division of the audited body, and a dialogue with the IS standards branch and the internal auditors to ensure that it is executed properly.

    Planning and staffing information systems audits

    Staffing and training

    Since there are now few functions without some computer component, all auditors need to know how the presence of computers influences the evaluation of internal control. Training programmes should reflect this general requirement.

    Auditors need additional training to become specialists in IS audit. And IS professionals usually do not have training in control evaluation which equates to that of an auditor. Care must be taken therefore that staff who are to be IS audit specialists acquire and maintain an appropriate body of both IS and audit knowledge. Specific qualifications exist which can provide a measure of this. IS audit specialists are often a scarce resource, use of which must be focused on the points where it is of greatest benefit. When this is so, it follows that IS specialists must only be called on when the objectives of the audit and the complexity of the information systems make their expertise necessary. The following section, on planning, gives guidance on this.

    Generalist auditors can be trained in the use of CAATs products without having to become full IS specialists.

    Planning and use of specialists

    Standards of IS security and control are not absolute. Too high a level of control (over-engineering) is expensive and usually inefficient. The set of controls in place should reflect the purpose and use of each system, and is usually a mixture of technical and manual procedures. Efficient controls over computer processing may be found in manual procedures in user areas, or in user management activities. Information systems should, therefore, not be examined in isolation, but as part of the general audit of the whole administrative or financial function of which they are part. Only in this way can the auditor realistically assess the appropriate control standard and evaluate the interaction of technical and user controls.

    At the planning stage, information should be gathered to decide on the scope of the IS audit to be carried out. It may be useful to consult an IS auditor at this stage to help decide on priorities. In particular, a decision should be made on whether a general controls review is necessary, and the extent to which CAATs will need to be used. Since both of these can represent an expensive demand on specialist resources, it may be necessary to apply strict priorities in the use of IS auditors.

    In the light of the general objectives of the audit, the following factors should be taken into account:


    - the extent to which the function concerned uses computer processing or data held on computers;
    - the extent to which the correctness of processing and data is proved, to the degree necessary for the function, by controls in the user area, including user management procedures;
    - the complexity of the computer processing, specifically the extent to which the function uses data generated by computer programs (as opposed to data which are simply recorded, sorted or analysed by the application);
    - the size of the installation: for example, it may be intrinsically impossible to have good general controls because there are not enough staff to provide sufficient separation of duties. This will be the case, for example, if a full separation of duties cannot be made between programmers, operators and access administration;
    - the sensitivity of the data and data protection obligations;
    - any special difficulties in the management/audit trail. In older or poorly-designed systems there may be problems, for example in tracing the underlying details for data which are accounted for in aggregate, or in getting assurance that totals include all relevant transactions. These will increase the need for the auditor to use CAATs simply to establish that data are correct.

    GLOSSARY

    Application
    A set of programs, data and clerical procedures which together form an information system designed to handle a specific administrative or business function (e.g. accounting, payment of grants, recording of inventory). Most applications can usefully be viewed as processes with input, processing, stored data, and output.

    Back-up
    Relating to the recovery of data and programs, and the provision of alternative operational capabilities, in the event of damage or loss.

    Back-up copy
    Duplicate of data or software maintained up-to-date and available for use in case of damage to or loss of the original.

    CAATs (Computer-assisted audit techniques)
    Computer programs for carrying out audit tests, retrieving, sorting or selecting data, or obtaining evidence on the correctness of processing.

    Contingency planning (also called Business continuity planning, Disaster planning)
    Plans and procedures to ensure that information systems (hardware, software, data and telecommunications) can be restored to availability at the level and in the time required after a disaster whereby the equipment and/or site become unusable.

    Developing system
    An application which is at any stage of preparation and not yet in live running (production). The preparation stages may include: proposal, feasibility study, user specification, design, prototyping, programming, program and system testing, user testing, conversion, pilot running.

    Information systems (IS)
    Systems which record, distribute or process information, generally with the use of information technology.


    Information technology (IT)
    Machinery, including computers, used for data handling and processing.

    Logical access control
    The use of software to prevent unauthorized access to IT resources (including files, data, and programs) and the associated administrative procedures.

    Owner
    The individual (or unit) responsible for particular (IS or IT) assets, including their security and correctness.

    Program
    The complete set of instructions necessary to solve a particular problem or carry out a particular (set of) procedure(s) on a computer.

    Software
    Computer instructions generally.

    System software
    A collection of programs used to control and manage the operation of a computer and the allocation and use of computer resources. (System software includes programs which can modify data or other programs without following the normal processes established in the application concerned; therefore access to system software should be very restricted and staff who have this access should be separate from the programming staff - and preferably also from the operations and access management functions.)

    Third party statements (TPS)
    Statements given by specialist IS auditors working for an organisation other than the SAI. TPS usually cover the general controls regarding computer centres and/or applications. See paragraph 3.6.

    User
    Individual or unit that makes use of information systems. Specifically, in business and administration, a department which uses information systems to carry out the functions for which it is responsible in the organisation.


    ANNEX 1:

    GENERAL (INSTALLATION) CONTROLS - GENERAL MANAGEMENT ISSUES
    CONTROL OBJECTIVES AND EXAMPLES OF CONTROL TECHNIQUES

    CONTROL OBJECTIVES

    Possible procedures or controls

    Note: These are, in each case, a range of possibilities given for illustration; they do not all have to be present to meet the control objective, and the objective may be met by other means. The auditor needs to make a judgment on the overall effectiveness of the mix of controls actually present, bearing in mind the size, complexity and importance of the system concerned.

    GA. ORGANISATION AND MANAGEMENT

    GA1. Planning, staffing, reporting and segregation of duties
    To ensure that the IT department is correctly placed in the audited body (organization) and is adequately staffed, and that incompatible duties are separated.

    1. The head of IT is of an appropriate rank in view of the importance of IT for the organisation and the position of the IT department within the overall organisation is consistent with the responsibilities and objectives assigned to it.

    2. IT strategic plans are made and reviewed annually, and they receive senior management (direction or board) attention and approval.

    3. IT personnel and user staff are separate: IT staff cannot initiate or approve transactions and user staff cannot write programs which would change data.

    4. An IT organisation chart is published and kept up to date.

    5. An IT personnel policy exists which will ensure recruitment, training and retention of staff with the necessary types of expertise and which provides for succession planning.

    6. Adequate supervisory and approval levels exist in each functional area within the IT department.

    7. Formal job descriptions exist in the IT department and are kept up to date.

    8. Operations and programming staff are separate: operators may not write programs and programmers may not operate the computer.

    9. If the IT department is large enough, staff who have access to system software should be separate from both programmers and operators.

    10. Logical security (access rights and passwords) is administered by staff who are not responsible for programming.


    11. Regular liaison is maintained with user departments.

    12. There is a change management policy which governs the development and enhancement of applications and ensures that new programs are fully tested and are accepted by the user.

    GB. SECURITY POLICY

    GB1. Security awareness and policy
    To define and communicate information security policies and procedures and to ensure that management, users and IS personnel are aware of security matters and follow security procedures consistently.

    1. A policy for access, both logical and physical, to computer resources exists, is communicated and is adhered to by management and employees.

    2. A physical security policy covering:
    - access restrictions to buildings, computer rooms, IT storage areas,
    - fire and other disasters,
    - contingency planning
    exists, is communicated and is adhered to by management and employees.

    3. All staff who use PCs are required to sign a statement of the security and other practices they must follow, including physical security rules, use only of authorized (and licensed) software, and anti-virus measures (restrictions on importing dangerous data and programs).

    4. Access to IT resources is controlled by individual user IDs and confidential passwords.

    5. User IDs and passwords are set up by specific staff and only on the written authority of the manager of the person who needs access.

    6. A policy on access by staff to outside resources including the Internet is defined and announced.

    7. A security officer with appropriate technical expertise is nominated and is involved in the approval of access control schemes implemented.

    8. Security procedures are periodically tested.

    9. The security officer makes formal reports periodically on the state of security procedures and these reports are followed up by management.

    10. Management has formal reviews of IS security carried out from time to time by specialists (either external consultants or internal audit).

    11. If the network is open to access from outside (e.g. Internet), a firewall has been set up.

    12. The firewall's effectiveness has been reviewed by a specialist consultant.


    7. A clear policy exists on the management of and responsibility for end-user computing, covering among other things:
    - security (see GB1.3);
    - back-up requirements;
    - the extent to which programs may be developed by end-users;
    - the documentation and other standard requirements for such local programs and for spreadsheets which are part of business functions.

    8. The status and ownership of e-mail messages has been defined and announced to staff.

    GD2. Use of external service providers (e.g. outsourcing of specific services, use of external computer bureaux)
    To ensure that the use of external service providers is managed effectively.

    1. Access by the auditors is provided for.

    2. The contract or service level agreement specifies requirements including, as appropriate:
    - performance;
    - security;
    - data ownership and access to data;
    - service availability;
    - contingency arrangements (e.g. if service provider ceases operations).

    3. Management actively monitors performance against the requirements specified.


    ANNEX 2

    APPLICATION AUDITS - CONTROL OBJECTIVES AND EXAMPLES OF CONTROL TECHNIQUES

    CONTROL OBJECTIVES

    Possible procedures or controls

    Note: These are, in each case, a range of possibilities given for illustration; they do not all have to be present to meet the control objective, and the objective may be met by other means. The auditor needs to make a judgment on the overall effectiveness of the mix of controls actually present, bearing in mind the size, complexity and importance of the system concerned.

    AA. ORGANISATION AND DOCUMENTATION

    AA1. Responsibility for applications
    To ensure that management responsibility for every aspect of maintaining and running applications is properly allocated.

    1. The user (or a principal user) is defined as owner of the application.

    2. Maintenance of the application and decisions on its future development are formally managed, preferably by the owner.

    3. The application's performance and its contribution to the operational function of which it forms a part are actively managed, preferably by the owner.

    4. Ownership of the data used by the application is specified.

    5. The duties of the computer centre, and of any third parties (e.g. software houses) for operating and supporting the application are covered by service level agreements (contractually in the case of third parties).

    6. All the departments responsible for input or for handling output are known and their responsibilities (for timing, quality, security etc) are formally agreed.

    7. The division of responsibility for the accuracy and continued integrity of stored data is clear (ultimate responsibility should normally lie with the user).

    8. Responsibility for deciding, and for executing, the security and control requirements of the application is assigned, taking account of the organisation's general security policy and of the IT department's standard security measures.

    9. Responsibility for providing and for maintaining documentation, including user manuals, is defined.

    AA2. Cost allocation


    3. Documents used for input are serially numbered and there is a check for validity and for completeness of sequence either by the computer or clerically.

    4. Input other than transcription of authorized documents receives authorization in accordance with its significance before being processed. (This may be on a statistical basis where appropriate.) Methods include:

    - holding input in a special computer file until released interactively by a supervisor;
    - flagging recent input for supervisory check;
    - post-input authorization of print-outs before further processing.

    5. Transmission of authorized and checked documents is controlled by batching.

    6. Confirmatory prints of input are sent to authorizing officers, who sign for approval.

    7. Changes to permanent data are properly authorized.

    8. Programmed checks prevent validation and processing of input which logically cannot have been authorized, e.g. payments in excess of available budget.

    AB2. Completeness and accuracy

    To ensure that data input to applications is accurate and complete. (Input comprises both transaction and permanent/reference data.)

    1. Batch controls including (hash) totalling of all sensitive fields are used, and a positive check is made that required totals match.

    2. Validation checks are carried out by program to ensure that the data entered:

    - have the format expected for each field;
    - are within appropriate ranges (e.g. not negative where logically impossible; do not exceed pre-determined reasonable amounts; are within the known sequence of items of their kind (cheque numbers, etc.)).

    3. Double-keying is used for sensitive data.

    4. For on-line entry, input reports are produced showing aggregated totals, which are checked or matched with totals established separately for the session.

    5. Check digits are used with reference numbers and validation actually checks them.

    6. Validation includes tests of self-consistency of the data input (e.g. debits = credits, reference numbers match related descriptive material).

    7. Logical checks are made with accessible existing records e.g. account balances.

    8. Permanent data (and other key data) are printed out and positively approved by the responsible user before being used in processing.


    9. Error handling - clerical or computer suspense files of input rejected by the system during validation or processing are maintained, and procedures ensure that suspense data is promptly corrected and reinput (without bypassing normal authorization and other input checks), or cancelled.
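The AB2 controls can be seen working together in the following Python sketch, which is an added example and not part of the manual: a keyed batch is checked against its header totals (AB2.1), each record gets format, range and check-digit validation (AB2.2, AB2.5), and rejects are held in suspense (AB2.9). The Luhn mod-10 check digit, the field names, the 50,000.00 ceiling and the sample vouchers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

MAX_PAYMENT = Decimal("50000.00")  # assumed "pre-determined reasonable amount"


def check_digit_ok(ref: str) -> bool:
    """AB2.5: verify a mod-10 (Luhn) check digit; the scheme is an assumption."""
    if not (ref.isascii() and ref.isdigit()) or len(ref) < 2:
        return False
    total = 0
    for pos, ch in enumerate(reversed(ref)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_amount(text: str):
    """Return a Decimal with at most two decimal places, or None if malformed."""
    try:
        value = Decimal(text)
        exact = value.is_finite() and value == value.quantize(Decimal("0.01"))
    except InvalidOperation:
        return None
    return value if exact else None


@dataclass
class BatchHeader:
    """AB2.1: totals taken from the source documents before keying."""
    record_count: int
    amount_total: Decimal  # control total over the amount field
    account_hash: int      # hash total: a sum with no arithmetical meaning


def validate_record(rec: dict) -> list:
    """AB2.2 format and range checks plus the AB2.5 check digit."""
    reasons = []
    if not check_digit_ok(rec["account"]):
        reasons.append("account check digit")
    amount = parse_amount(rec["amount"])
    if amount is None:
        reasons.append("amount format")
    elif not Decimal("0") < amount <= MAX_PAYMENT:
        reasons.append("amount out of range")
    return reasons


def process_batch(header: BatchHeader, records: list) -> dict:
    """Release a batch only if every record validates and all totals agree."""
    suspense = [(r, why) for r in records if (why := validate_record(r))]
    amounts = [parse_amount(r["amount"]) or Decimal("0") for r in records]
    accounts = [int(a) if a.isascii() and a.isdigit() else 0
                for a in (r["account"] for r in records)]
    keyed = BatchHeader(len(records), sum(amounts, Decimal("0")), sum(accounts))
    mismatched = sorted(k for k, v in vars(keyed).items() if v != getattr(header, k))
    # suspense: held for correction and re-input; mismatched: totals that disagree
    return {"released": not suspense and not mismatched,
            "suspense": suspense, "mismatched": mismatched}


# Constructed sample batch: three payment vouchers and their header totals.
HEADER = BatchHeader(3, Decimal("51550.49"), 87677056)
CLEAN = [
    {"account": "45320157", "amount": "1200.00"},
    {"account": "12345674", "amount": "350.50"},
    {"account": "30011225", "amount": "49999.99"},
]
# Keying slips: two account digits transposed; a decimal point lost in an amount.
TRANSPOSED = [CLEAN[0], {"account": "12345764", "amount": "350.50"}, CLEAN[2]]
MISKEYED = [CLEAN[0], {"account": "12345674", "amount": "35050"}, CLEAN[2]]
```

The mis-keyed amount passes every field-level check and is caught only by the control total, and a dropped record is caught only by the batch totals, which is why AB2 asks for both kinds of control.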


    AC. PROCESSING

    AC1. Transaction processing

    To ensure that processing of transactions is complete and arithmetically accurate, and that the results (including generated data) are correctly classified and recorded properly in the computer files.

    1. Batch or session control totals are matched to the aggregate change in appropriate control records in computer files. (It is important that the structure of batch types and control records should be such that significant mis-classification would be detected by this control.)

    2. Where the program generates data (i.e. carries out arithmetical operations such as currency conversion, or looks up and writes data which has a logical but not arithmetical connexion with the input, for example pay), the user makes checks either against a separately-made forecast of the aggregate amount or of a sample of transactions.

    3. Output includes control prints or screens on which responsible users must positively check and accept key control totals.

    4. Validation controls within the programs include:

    (1) ensuring that (batch) totals established before the processing remain completely accounted for at each stage;

    (2) consistency checks where input handled recapitulates information already held (e.g. when account number and name are both given);

    (3) range checks on amounts generated (calculated, looked-up) by program.

    5. Control counts and totals are maintained on each of the data files accessed by the application.

    6. Control counts and totals are maintained for each transaction type.

    7. "Success units" are used to ensure that complex transactions are entirely posted to all appropriate files, or else backed out completely.

    8. Separate control files held on a different device are used to check that appropriate file versions have been loaded.

    9. Manual control totals are maintained and reconciled on a timely basis to the totals produced by the system.

    10. Error handling - clerical or computer suspense files of input rejected by the system during validation or processing are maintained, and procedures ensure that suspense data is promptly corrected and reinput (without bypassing normal authorization and other input checks), or cancelled.
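The "success unit" of AC1.7 corresponds to a database transaction. The following Python/SQLite sketch is an added example, not part of the manual: a payment is posted to a ledger, a budget line and a control record either completely or not at all, and the control record is then reconciled to the files (AC1.1, AC1.5). Table names, the budget line and all amounts are constructed; the `atomic=False` path shows the inconsistency the control is meant to prevent.

```python
import sqlite3

OPENING_BUDGET = 500_000  # constructed figure, in cents


def open_books() -> sqlite3.Connection:
    """Constructed in-memory 'files': a budget line, a ledger, a control record."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.executescript("""
        CREATE TABLE budget (line TEXT PRIMARY KEY,
                             available INTEGER NOT NULL CHECK (available >= 0));
        CREATE TABLE ledger (id INTEGER PRIMARY KEY, line TEXT NOT NULL,
                             payee TEXT NOT NULL,
                             cents INTEGER NOT NULL CHECK (cents > 0));
        CREATE TABLE control (name TEXT PRIMARY KEY, n INTEGER, total INTEGER);
        INSERT INTO control VALUES ('payments', 0, 0);
    """)
    db.execute("INSERT INTO budget VALUES ('B-100', ?)", (OPENING_BUDGET,))
    return db


def post_payment(db, line: str, payee: str, cents: int, atomic: bool = True) -> bool:
    """Post to ledger, budget and control record; atomic=True is one success unit."""
    try:
        if atomic:
            db.execute("BEGIN IMMEDIATE")
        db.execute("INSERT INTO ledger (line, payee, cents) VALUES (?, ?, ?)",
                   (line, payee, cents))
        cur = db.execute("UPDATE budget SET available = available - ? WHERE line = ?",
                         (cents, line))  # CHECK rejects spending beyond the budget
        if cur.rowcount != 1:
            raise sqlite3.IntegrityError("unknown budget line")
        db.execute("UPDATE control SET n = n + 1, total = total + ? "
                   "WHERE name = 'payments'", (cents,))
        if atomic:
            db.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        if atomic:
            db.execute("ROLLBACK")  # backs out the ledger row already written
        return False


def reconcile(db) -> dict:
    """Compare the control record with the files it summarises."""
    control = db.execute("SELECT n, total FROM control WHERE name = 'payments'").fetchone()
    ledger = db.execute("SELECT COUNT(*), COALESCE(SUM(cents), 0) FROM ledger").fetchone()
    spent = OPENING_BUDGET - db.execute("SELECT SUM(available) FROM budget").fetchone()[0]
    return {"control": control, "ledger": ledger, "spent": spent,
            "agree": control == ledger and control[1] == spent}


def run_demo(atomic: bool) -> dict:
    """Two payments against one budget line; the second exceeds what is left."""
    db = open_books()
    results = [post_payment(db, "B-100", "Contractor A", 200_000, atomic),
               post_payment(db, "B-100", "Contractor B", 350_000, atomic)]
    return {"posted": results, **reconcile(db)}
```

In both runs the second payment is refused, but without the transaction its ledger row survives and the control record no longer agrees with the ledger.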

    AC2. Other processing

    To ensure that other processing activities (including data re-organisation such as year-end/month-end procedures, routine data integrity checks, production of reports and analyses not directly related to input, supply of data to other applications, and enquiry facilities) are carried out on time and give correct results.

    1. The timetable for regular processing of this type is controlled by the user, and runs are initiated on his instructions.

    2. User procedures lay down responsibility for the checks to be made on the results of such processing (e.g. checking that amounts reported as processed match those expected, that new aggregate figures in control records reflect the adjustments forecast, that management information reports indicate by control totals that they include the whole body of the data intended).

    3. Where data belonging to the application are available to an enquiry facility, the appropriate degree of check is built into the processing which produces responses (e.g., where this is important, proving that all relevant records have been read, by aggregating and showing the total for the records within the same control account which were not selected).

    4. Users of enquiry facilities and owners of other applications using the data are aware of the level of reliability of the data as such and of the programmed procedure through which they obtain them.

    AD. DATA TRANSMISSION

    AD1. Data should be transmitted accurately and completely

    To ensure that all data transmitted, whether through a network or by disks or tapes, is received in a complete and accurate state, and that there is no loss or disclosure of data in transit (see also section AF1).

    1. Use of check digits, and hash and other control totals.

    2. Use of digital signatures.

    3. Use of data encryption.

    4. Use of passwords.

    5. Sequential message numbering, sequencing of transactions.

    6. Reports confirming receipt are sent and are reconciled promptly to records of data transmitted.
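Three of the AD1 controls are combined in the following Python sketch, which is an added example and not part of the manual: sequential message numbering (AD1.5), an integrity tag on each message, and reconciliation of receipt confirmations to the record of data sent (AD1.6). An HMAC-SHA-256 tag stands in for the digital signature of AD1.2 (it protects integrity between holders of a shared key but does not prove origin to a third party); the key, message layout and traffic are constructed.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; real keys come from a key store


def body(seq: int, payload: dict) -> bytes:
    """Canonical bytes that the tag and the receipt digest are computed over."""
    return json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()


def seal(key: bytes, seq: int, payload: dict) -> dict:
    """Sender: number the message (AD1.5) and attach an HMAC-SHA-256 tag."""
    tag = hmac.new(key, body(seq, payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "tag": tag}


class Receiver:
    """Checks tag and sequence number, then confirms receipt (AD1.6)."""

    def __init__(self, key: bytes, first_seq: int = 1):
        self.key = key
        self.expected = first_seq
        self.missing = []  # sequence numbers not yet received

    def receive(self, msg: dict) -> dict:
        seq, payload = msg["seq"], msg["payload"]
        good = seal(self.key, seq, payload)["tag"]
        if not hmac.compare_digest(good, msg["tag"]):
            return {"seq": seq, "status": "rejected-altered"}
        if seq in self.missing:
            self.missing.remove(seq)  # late arrival fills a reported gap
        elif seq < self.expected:
            return {"seq": seq, "status": "rejected-duplicate"}
        else:
            self.missing.extend(range(self.expected, seq))
            self.expected = seq + 1
        digest = hashlib.sha256(body(seq, payload)).hexdigest()
        return {"seq": seq, "status": "accepted", "digest": digest}


def outstanding(sent: list, receipts: list) -> list:
    """Sender: sequence numbers with no matching receipt confirmation."""
    confirmed = {r["seq"]: r["digest"] for r in receipts if r["status"] == "accepted"}
    return [m["seq"] for m in sent if confirmed.get(m["seq"])
            != hashlib.sha256(body(m["seq"], m["payload"])).hexdigest()]


def run_demo() -> dict:
    """Constructed traffic: message 2 altered in transit, 3 lost, 1 replayed."""
    sent = [seal(KEY, n, {"payee": f"P-{n:03d}", "amount": f"{n * 1000}.00"})
            for n in range(1, 5)]
    altered = dict(sent[1], payload={"payee": "P-002", "amount": "9000.00"})
    rx = Receiver(KEY)
    receipts = [rx.receive(m) for m in (sent[0], altered, sent[3], sent[0])]
    first = outstanding(sent, receipts)
    receipts.append(rx.receive(sent[1]))  # sender retransmits message 2
    return {"statuses": [r["status"] for r in receipts],
            "outstanding_before": first,
            "outstanding_after": outstanding(sent, receipts),
            "gaps": rx.missing}
```

The receipts in this sketch are themselves unauthenticated; applying the same tag to them would extend the control to the return path.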

    AE. STANDING DATA

    AE1. Continued correctness of standing data

    To ensure that all data stored in the system as a permanent record or for reference remains correct and complete.

    1. Responsibility for checking the continued correctness of data is allocated either to a database administrator or to appropriate users.

    2. Control totals or hash totals are used to monitor the state of files containing permanent data.


    3. Print-outs of standing or reference data are checked periodically to source documents by the responsible user. This can be done on a cyclical or statistical basis, depending on the risk represented by incorrect data.


    AF. OUTPUT

    AF1. Correctness of output

    To ensure that output released, whether on paper, via screens, on magnetic media, or through electronic links, is correct and complete.

    1. Validation and range etc. checks are carried out by the program on records output. Warning messages are given if the output does not comply. There is a user procedure for handling such warning messages.

    2. There are procedures in place to give an appropriate degree of reasonableness check to printed output (may range from none for internal paper which is not a base for decisions, to 100% read-through against supporting documents (e.g., perhaps, for large cheques)).

    3. For transmissions of payment instructions to banks:

    - the responsible user uses both control totals and spot checks (such as sample tests from time to time on the disk to be despatched or browsing and sampling the messages transmitted) to obtain reasonable assurance that the information actually sent is identical with that authorized;
    - despatch of tapes or disks by a secure messenger service;
    - prepared disks or tapes are stored securely up to despatch;
    - pre-established limits are agreed with the bank on the total amount and on individual transactions;
    - acceptance reports are reconciled promptly (in time to recall payments);
    - post-payment reconciliation is done promptly.

    4. Output reports include totals which are reconciled by the user to totals established before input. Detailed prints of input are available to investigate differences when necessary.

    AF2. Correct distribution of output

    To ensure that output reaches all and only those for whom it is intended.

    1. Output produced by the computer center is kept under surveillance, and distributed with appropriate security/privacy.

    2. Mailing lists for output are regularly reviewed and unnecessary or incorrect addressees removed.

    3. Superfluous copies of output for which there is no addressee are not produced.

    4. The general security rules applied to PCs, terminals and printers located with end-users ensure sufficient privacy for output, taking into account the level of building security and the quality of password etc. controls.

    5. The person responsible for security decisions for the application has a clear picture of the various user groups with access to output in any form and makes decisions on control accordingly (see point AA1.8 above). In particular, logical access controls for the application take account of possible approaches through all networks in which the installation is involved.

    6. All expected output is accounted for (e.g. use of serial numbering to detect unauthorized suppression of exception reports).


    7. Reports are regularly produced even if there is no problem to report (recipients should then become used to receiving a report and less likely to overlook a report that is suppressed by someone who does not want the report's contents known).

    8. Negotiable, sensitive or critical forms (for example cheques) should be properly logged and secured to provide adequate safeguards against theft or damage. The forms log should be routinely reconciled to inventory on hand and any discrepancies should be properly investigated.


    ANNEX )

    APPLICATION CONTROL REQUIREMENTS

    The following requirements are expressed in general terms. In general the requirement is that evidence should be provided at suitable intervals (for example, daily) to user managers to enable them to be assured that the data and processing in the application are correct. Specific solutions (for example aggregations and control totals, serial numbers, reports for reconciliation or reasonableness checking, supervisor/manager consultation and recorded approval of control data on screen) need to be defined in the early stages of the project.

    It is assumed in what follows that general installation controls satisfactory to the users are in place in the systems/networks which will run this application. Such controls should cover, for example, physical access, logical access generally, separation of IT staff duties, back-up, disaster recovery, (software) changes, and should include performance indicators to measure the efficiency of the system.

    1. Access

    The application should prevent access to programs except by authorized staff, and should provide for access to user resources (processes or data) to be managed by (a) senior user(s) and to be restricted as may be required to reflect differing patterns of work and separations of duties in user divisions (for example, by account codes, by values, by functions, etc.). All access should be controlled and logged on an individual basis and the system should prevent and report all unauthorized access attempts.

    2. Input of data

    The system should provide evidence permitting user managers to be sure that data input, including standing data, is complete, is validated in accordance with user requirements, and is correctly written to the correct files.

    3. Integrity of data

    The system should be organized so as to provide regular evidence to user managers that standing and stored data remains complete and correct.

    4. Transaction processing

    The system should provide regular evidence that transactions are, in aggregate, correctly processed and written to the correct files.

    5. Changing data and programs by emergency routes

    So far as they are within the application, the use of any emergency data change facilities or processes, which allow data to be changed without passing through normal validation, should be capable of being heavily restricted and logged.

    6. Management (audit) trail

    All transactions should be traceable forwards and backwards through the system. A trail should be maintained of data which is aggregated at various reporting levels, so that component transactions can be identified.


    7. Records

    All actions on each transaction record should be stamped with the logged-in identity concerned, and the machine time and date (and an action code). Full records of every change should be retained (no overwriting).

    8. Output

    Outputs should be dated and timed, and (where necessary for control) serially numbered. There must be appropriate controls (and evidence to the accountant that they have operated) over electronic transfer of payment data to ensure that only - and all - authorized transactions are timeously executed.


    APPENDIX $: AUDIT OF INTERNAL CONTROL

    Types of controls

    Internal controls normally comprise both the control environment (that is the philosophy of management, the assignment of responsibilities

    observation and enquiry, essentially the observation of control staff

    and errors should be discussed

    APPENDIX ): GUIDANCE FOR PERFORMANCE OF 15 PERCENT CHECKS

    Introduction

    Figure 1: The relevant criteria for the 15 per cent sample checks

    REGULATIONS

    Articles […]-[…] of Regulation (EC) No 1386/2002, based on Article 12 of Regulation (EC) No 1164/94 and again largely taken - via Regulation 438/2001 - from Regulation 2064/97, are the parallel provisions governing sample checks and systems audits of projects co-financed by the Cohesion Fund. On account of the larger size and higher average aid rate of projects, sample checks here are required to cover 15% of expenditure, taking as the basis the total eligible expenditure on projects that are financed by the Cohesion Fund over the period 2000-2006 and […]6/2002 states that in accordance

    categories from

    is multiplied by the 8

    The numbers in the figure are provided for illustrative purposes; the values for the size of projects have yet to be determined and the weights and risk category values could also be altered.

    Sample selection procedure

    The objective is to ensure that the requirements set out in the Regulations are met. In order to meet the requirements of this regulation the auditor should ensure that:

    the checks carried out before the

    The risk assessment should be conducted for all the projects. This

    Figure ,: Example of stratified sample size calculation

    | | Projects | Expenditure | Proportion | Sample size | Sample Expenditure |
    |---|---|---|---|---|---|
    | High | 6 | SIT 40,000,000 | 77.5% | 6 | SIT 40,000,000 |
    | Medium | 14 | SIT 11,084,167 | 21.5% | 2 | SIT 1,958,333 |
    | Low | 10 | SIT 540,833 | 1.0% | 1 | SIT 12,500 |
    | Total | 30 | SIT 51,625,000 | 100.0% | 10 | SIT 41,970,833 |

    Project sampling information

    The formulae used to calculate the overall sample size is shown at Annex *

    The projects should be selected randomly from


    Figure #: Stratified multistage sampling approach

    | | Risk Assessment | Budgeted Expenditure | Expenditure in period | Sampled projects | Payments in period | Sampled Payments | Sampled Expenditure |
    |---|---|---|---|---|---|---|---|
    | Project 1 | High | SIT 150,000,000 | SIT 5,000,000 | SIT 5,000,000 | 4 | 4 | SIT 5,000,000 |
    | Project 2 | High | SIT 75,000,000 | SIT 12,500,000 | SIT 12,500,000 | 300 | 8 | SIT 333,333 |
    | Project 3 | High | SIT 15,000,000 | SIT 2,500,000 | SIT 2,500,000 | 50 | 7 | SIT 350,000 |
    | Project 4 | High | SIT 25,000,000 | SIT 4,166,667 | SIT 4,166,667 | 10 | 7 | SIT 2,916,667 |
    | Project 5 | High | SIT 60,000,000 | SIT 10,000,000 | SIT 10,000,000 | 250 | 7 | SIT 280,000 |
    | Project 6 | High | SIT 35,000,000 | SIT 5,833,333 | SIT 5,833,333 | 75 | 7 | SIT 544,444 |
    | Total | | SIT 360,000,000 | SIT 40,000,000 | SIT 40,000,000 | 689 | 40 | SIT 9,424,444 |
    | Mean | | | SIT 6,666,667 | SIT 6,666,667 | | | |
    | Standard deviation | | | SIT 3,800,585 | SIT 3,800,585 | | | |
    | Project 7 | Medium | SIT 1,000,000 | SIT 166,667 | | | | |
    | Project 8 | Medium | SIT 6,000,000 | SIT 1,000,000 | | | | |
    | Project 9 | Medium | SIT 2,500,000 | SIT 416,667 | | | | |
    | Project 10 | Medium | SIT 3,750,000 | SIT 625,000 | SIT 625,000 | 45 | 5 | SIT 69,444 |
    | Project 11 | Medium | SIT 4,650,000 | SIT 775,000 | | | | |
    | Project 12 | Medium | SIT 1,750,000 | SIT 291,667 | | | | |
    | Project 13 | Medium | SIT 7,350,000 | SIT 1,225,000 | | | | |
    | Project 14 | Medium | SIT 8,000,000 | SIT 1,333,333 | SIT 1,333,333 | 30 | 5 | SIT 222,222 |
    | Project 15 | Medium | SIT 9,150,000 | SIT 1,525,000 | | | | |
    | Project 16 | Medium | SIT 1,950,000 | SIT 325,000 | | | | |
    | Project 17 | Medium | SIT 4,050,000 | SIT 675,000 | | | | |
    | Project 18 | Medium | SIT 2,600,000 | SIT 433,333 | | | | |
    | Project 19 | Medium | SIT 6,605,000 | SIT 1,100,833 | | | | |
    | Project 20 | Medium | SIT 7,150,000 | SIT 1,191,667 | | | | |
    | Total | | SIT 66,505,000 | SIT 11,084,167 | SIT 1,958,333 | 75 | 10 | SIT 291,667 |
    | Mean | | | SIT 791,726 | SIT 979,167 | | | |
    | Standard deviation | | | SIT 437,391 | SIT 500,867 | | | |
    | Project 21 | Low | SIT 25,000 | SIT 4,167 | | | | |
    | Project 22 | Low | SIT 320,000 | SIT 53,333 | | | | |
    | Project 23 | Low | SIT 750,000 | SIT 125,000 | | | | |
    | Project 24 | Low | SIT 115,000 | SIT 19,167 | | | | |
    | Project 25 | Low | SIT 75,000 | SIT 12,500 | SIT 12,500 | 4 | 4 | SIT 12,500 |
    | Project 26 | Low | SIT 250,000 | SIT 41,667 | | | | |
    | Project 27 | Low | SIT 315,000 | SIT 52,500 | | | | |
    | Project 28 | Low | SIT 825,000 | SIT 137,500 | | | | |
    | Project 29 | Low | SIT 90,000 | SIT 15,000 | | | | |
    | Project 30 | Low | SIT 480,000 | SIT 80,000 | | | | |
    | Total | | SIT 3,245,000 | SIT 540,833 | SIT 12,500 | 4 | 4 | SIT 12,500 |
    | Mean | | | SIT 54,083 | SIT 12,500 | | | |
    | Standard deviation | | | SIT 46,885 | SIT 0 | | | |
    | Total | | SIT 429,750,000 | SIT 51,625,000 | SIT 41,970,833 | 768 | 54 | SIT 9,728,611 |
    | Mean | | | SIT 1,720,833 | | | | |
    | 5 Per cent | | SIT 21,487,500 | SIT 2,581,250 | | | | |

    The above dataset is for illustrative purposes only to demonstrate how the techniques should be applied.

    Substantive procedures

    In accordance

    Audit programme

    Inspection officer :

    Inspection date : / /

    Risk rating : High / Medium / Low […]6/02

    separate register for each project

    Is there evidence indicating that the supporting documents allow the physical verification of the project

    Is there evidence indicating that the delivery of goods and services can be related to the supporting documents

    Do these checklists cover issues such as publicity, public procurement and eligibility

    Obtain copies of the checklist and evaluate the quality of same

    Have auditing responsibilities been delegated to bodies in other Departments

    If yes, obtain evidence that formal arrangements have been put in place for this


    Operational Checks

    Objective: Whether the relevant authorities have adequate financial and checking procedures to ensure the regularity, legality and eligibility of expenditure. (Art. 4 and 8 of Commission Regulation 1386/02)

    Question | Yes | No | N/A | File ref | Comments

    Does the systems description adequately describe the claims / dra
