March 2006
Foreword
The guidelines for financial auditing are based on the Auditing Standards for the Office of the Auditor General. The guidelines shall be used as the foundation for the Office of the Auditor General's financial auditing from 1 July 2005.
Contents
Key documents
  Documents produced internally
  Some key documents from the Storting and government administration
Materiality
  Qualitative materiality
  Quantitative materiality
Audit evidence
Strategic analysis
  Purpose of the strategic analysis
  Understanding the entity
    Identifying the entity's goals
    Identifying external factors
    Identifying internal factors
    Analysis of financial information
    Identifying processes
  Planning further auditing
  Documenting the strategic analysis
  Quality assurance and approval
Process analysis
  Purpose of the process analysis
  Understanding the process
    Process goals
    Process activities
    Information flow
    Accounting transactions
Plan for the remaining auditing work
Implementing audit procedures
  Recording audit findings
  Assessing audit findings
  Communicating audit findings during the audit
Conclusions
  Purpose of conclusions
  Basis of the conclusions
  Conclusions for audit objectives
  Conclusions for assertions
  Conclusion for the entity
  Documentation
  Updating basic data
Reporting
  Reporting to the entity and the supervisory ministry
  Reporting to the Storting
  Documentation
10.1 Documentation
10.2 Glossary of terms
10.3 Scope and content
10.4 Organisation and filing
11.1 Responsibility for quality
11.2 Quality assurance of the audit process
11.3 Organisation of the quality assurance
1.2 Sources
The following sources have been used in the work of formulating the guidelines:
- W. Robert Knechel: Auditing: Assurance and Risk
- William F. Messier, Jr.: Auditing & Assurance Services: A Systematic Approach
- The Norwegian Institute of Public Accountants: Descartes revisjonsmetodikk (Descartes audit methodology)
- B.P. Gulden: Revisjon: teori og metode (Auditing: theory and methods)
- INTOSAI's auditing standards
- International Private Sector Accounting Standards (IFAC)
- Risk management framework (COSO)
- Framework for information systems audit (CobIT)
Section 3, Instructions concerning the activities of the Office of the Auditor General
The objective of financial audits is defined in section 3 of the Instructions concerning the activities of the Office of the Auditor General (the content of the auditing):
By auditing accounts, the Office of the Auditor General shall verify whether the financial statements give a correct picture of the financial activity, including:
a) confirm that the financial statements are free of material errors and omissions, and
b) verify whether the transactions in the financial statements reflect the decisions and intentions of the Storting and the current regulations and whether they are acceptable in the light of the norms and standards for financial management in the central government.
On the basis of the above, financial audits in the OAG have two audit objectives:
The objective of financial audits is to enable auditors to form an opinion of reasonable assurance about whether the financial statements and other financial information are complete, accurate and reliable.
The objective of compliance is to enable auditors to form an opinion of reasonable assurance about whether the ministry's or the entity's dispositions on which the accounts are based:
- comply with the Storting's budget resolutions and intentions
- are in accordance with current regulations
- are acceptable in the light of the norms and standards for financial management in the central government
Audit tasks: financial auditing; compliance; contributing to preventing and detecting irregularities; advising
Storting, the Storting expects the OAG to express an opinion on budget allocations in addition to its statement on the accounts. Through auditing the OAG is also intended to contribute to the prevention and detection of irregularities and errors, and to advise the government administration in order to prevent the occurrence of future errors and omissions. In their role as advisor, auditors must exercise caution and must conduct themselves in a manner that does not jeopardise the audit's independence and objectivity.
2.2.1
Pursuant to section 3 of the Instructions, the OAG shall confirm that the financial statements are free of material errors and omissions. An audit of the accounting is defined as the procedures that are required to confirm that the accounts are complete, accurate and reliable. This entails ensuring that expenses and revenues, stock and assets of any kind have been recorded in the accounts in keeping with the applicable rules. As the auditing and monitoring body for the Storting, the OAG is an external auditor and conducts financial auditing in line with audits that are performed by other auditing bodies, both private and public. The OAG has an independent position, and there is no financial commitment between the auditor and the audited entity. Furthermore, financial auditing has an extended content since the accounts that the OAG audits are of interest to a more complex group of users. Here the OAG has a social responsibility with regard to monitoring the administration's use of the nation's resources. At the same time as it presents its financial statements, an entity also submits assertions that the information in the accounts meets certain qualitative requirements. Through its work, the audit must verify with reasonable assurance that the assertions submitted are accurate and reliable. The assertions that are used for financial auditing are based on international auditing standards.
2.2.2
The term compliance is given in the objective for financial audits and is described in section 3 (b) of the Instructions, referred to here as "verifying ... transactions" (cf. 2.1). Compliance involves examining the extent to which the ministry and the entity have attained the performance targets and objectives that are given in the budget resolution for the accounting year in question. Compared with performance auditing, the financial audit is restricted to matters concerning the accounts for the individual year. Three assertions have been derived for compliance. These are based on the division of the definition into three parts and on the objective of the financial audit:
- The dispositions comply with parliamentary decisions
- The dispositions comply with laws and regulations
- The dispositions are acceptable on the basis of the norms and standards for financial management in the central government
The tasks of the financial audit do not include assessing whether the budget proposition's goals and performance requirements are relevant. The degree of detail in the description of goals and performance requirements varies from ministry to ministry and may partly depend on the management signals that have been given priority in each individual case. In addition, a main element in the financial management regulations is that the management and supervision of the entities must be adapted to their individual distinctive features, for example based on an assessment of risk and materiality. In some cases it may be difficult to identify clear goals and result requirements in the budget documents, and this may make it problematic to identify the intentions on which the Storting has based the budget resolution. Provisions concerning financial management in the central government impose upon the ministries the duty to follow up the budget resolutions and to ensure that the central government budget is implemented through annual letters of allocation to subordinate bodies. The letter of allocation forms part of the ministry's management of subordinate agencies.
It must contain management parameters that remain as stable as possible over time and that allow an assessment of goal achievement and results to be made. If the Storting amends the allocation proposal or the intentions, it will be the task of the ministry, through a letter of allocation or, if appropriate, a supplementary letter of allocation, to adapt the management of its subordinate agencies to new frameworks or intentions. Auditors must constantly use the entire budget deliberations as a basis for their work of identifying intentions. If the budget proposal does not contain a precise indication of what is to be achieved, it is not impossible that during the proceedings the committee will attach more detailed intentions to the allocation by a statement in the budget recommendation. The OAG's compliance process is limited to the transactions that have financial importance or are of significance for achieved results compared with intended targets. It must also be possible to make any deficient implementation of an allocation decision on the part of the ministry the object of auditing. The point of departure for financial auditing is the annual budget and financial statements. However, compliance will not always be restricted to data concerning the accounting period in question, since several years may pass from the allocation to implementation and reporting. If errors or weaknesses have their origin in previous accounting periods, it will be appropriate for auditors to express an opinion on this material. However, it will not be relevant to audit previous years' accounts or routines.
2.2.3
The following is stated in the OAG's standards concerning advice:
8 In conjunction with the audit work, auditors can advise the audited entity in areas in which the auditors have the required competence.
9 When advising an audited entity, auditors shall conduct themselves in a manner that prevents any doubt arising as to the independence and objectivity of the Office of the Auditor General.
10 Auditors shall take care to act in a way that prevents the audited entity from perceiving their advice as a directive.
The advisory task is incorporated into the object clause for the OAG. The task is of key significance in enabling the OAG's financial audit to cover the administration's need for auditing and advice. The administration will always retain independent responsibility for its choices regardless of the OAG's advice. Advice must neither formally nor actually exert any undue influence on subsequent audit and monitoring assessments.
In Recommendation no. 54 to the Odelsting (2003-2004), page 13, the Standing Committee on Scrutiny and Constitutional Affairs states the following [1]:
Through its work, the Office of the Auditor General has accrued substantial insight that can be converted into constructive advice for the administration. In connection with the Office of the Auditor General's advisory function towards the administration, the Committee wishes to emphasise that the advice should be imparted with care and in a manner that does not jeopardise the independence and objectivity of the control activities. The administration has independent responsibility for its own choices, irrespective of the Office of the Auditor General's advice. Nonetheless there is a risk of the advice actually being perceived as control, or of it influencing the Office of the Auditor General's assessments in subsequent monitoring. This may put the Office of the Auditor General's independence and objectivity at risk. The Committee therefore expresses its doubt as to whether the Office of the Auditor General should have a more proactive role, and requires the Government to ensure that systems that meet the need for quality control are in place at all times.
The OAG's advisory role must be seen in the light of the factors the Committee expresses in its comments.
2.2.4
Pursuant to section 9 (4) of the Auditor General Act, the OAG shall through auditing contribute to the prevention and detection of irregularities and errors. In Recommendation no. 54 to the Odelsting (2003-2004), page 13, the Standing Committee on Scrutiny and Constitutional Affairs has the following comments on the OAG's role [2]:
The Committee emphasises that the Office of the Auditor General also plays an important role in the fight against irregularities and corruption, including through its opportunity to report its findings and suspicions to the police or other supervisory authorities.
All translations of quotations from the Appropriations Regulations in this document are unofficial.
The OAG has compiled the following standards concerning irregularities:
5 Through auditing, the Office of the Auditor General shall contribute to preventing and identifying irregularities.
6 When planning and performing audit procedures and assessing and reporting the results of these, auditors shall assess the risk that there may be irregularities.
7 Auditors shall consider gathering information in the audited entity about detected cases of irregularities and about the consequences these may have entailed.
This is an important task both for exercising the role of external auditor and for acting as the auditing and monitoring body for the Storting. Auditors' assessments of the risk of irregularities must be related to both the financial dispositions and to the correctness of the financial statements. An extended assessment of the risk of irregularities entails auditors being fully aware of the audit question during the planning and performance of the audit. This applies to collecting information, risk analyses and audit procedures. Audits of irregularities form an integral part of financial auditing. The cause of irregularities can often be linked to pressure or attitudes as well as to existing opportunities. Through discussions in the audit team, auditors must assess where the entity that is exposed to irregularities is to be found. The audit team should also specify more closely the types of irregularity that may occur, such as corruption, misappropriation, theft etc. In addition, auditors must engage in a dialogue with the management to inform them that irregularities have been detected. If, through their monitoring activities or as a result of a tip-off or similar, auditors should detect signs that irregularities have occurred, they must behave cautiously and correctly and must not draw hasty conclusions. In such cases it is important for auditors to follow the administrative procedures that apply at all times for this area. Auditors must document the assessments of the aspect of irregularity that have been made for the entity.
3.1.1
The tasks of financial auditing are:
- to conduct an audit of the accounting
- to ensure compliance
- to advise
- to contribute to preventing and detecting irregularities
The OAG's objectives and tasks are stipulated in the Act and Instructions concerning the Office of the Auditor General. The objective of a financial audit is to verify that the financial statements do not contain material errors and omissions, and that the dispositions on which the accounts are based comply with parliamentary decisions. An audit of the accounting is performed to enable auditors to confirm that the financial statements do not contain material errors and omissions. Auditors must also express an opinion as to whether the dispositions on which the accounts are based comply with parliamentary decisions and with applicable laws and regulations. To facilitate this, auditors conduct a compliance process. In addition the OAG must advise the entities in order to prevent future errors and omissions, and through auditing must contribute to preventing and detecting irregularities. In their advisory role, auditors must act with caution and advise in a manner that does not jeopardise the independence and objectivity of the audit. In order to prevent and detect irregularities, auditors must be fully aware of the audit question when both planning and performing the audit.
3.1.2
Framework conditions
The OAG has its own framework conditions for the auditing work. These govern the performance of the financial audit. The framework conditions consist first and foremost of the Act relating to the Office of the Auditor General and the accompanying Instructions. The content is specified more closely in auditing standards and guidelines. The auditing standards and guidelines are based on INTOSAI's standards for public sector auditing. Standards that apply for auditing the private sector are also used as a basis for the OAG's standards and guidelines.
3.1.3
Financial auditing in the OAG draws on recognised auditing principles. Well-known terms such as assertion, materiality, audit risk, audit procedures and audit evidence are also fundamental to the OAG's auditing work. To the extent it has proved necessary, the content of the terms has been adapted to the auditing of government agencies.
3.1.4
The figure on the opposite page is intended to give an overview of the audit process. The entity is presented as a grey background. It can have wider objectives than those included in the audit objectives for financial auditing, which are shown in blue. This symbolises that not all the entity's goals are necessarily relevant for financial auditing. In the figure the audit objectives have been drawn to reach farther down than the entity. The OAG reports to the Storting, and the reporting in the audit process reduces communication with the entity. Risk is here defined as the possibility of the entity not achieving its goals, and in the figure it is represented by the dark-red area. The fact that the red area becomes narrower symbolises that auditors eliminate risk through risk analyses and audit procedures. The risk analyses are conducted using a top-bottom approach. They start at strategic level and gradually become more detailed. The purpose is to direct the auditing work towards risk that is identified at a general level. Risk at this level usually has the greatest consequence for the entity and is therefore of most interest to auditors and users. The assessment of risk is made in three phases: strategic analysis, process analysis and analysis of residual risk. In the strategic analysis auditors assess the entity's external factors and internal factors that are of a general nature and that can influence the extent to which the entity achieves its goals. On the basis of this, auditors assess risk elements at a general level. In the process analysis auditors identify risk elements in the processes and assess whether the established control measures have a risk-reducing effect. After the process analysis, auditors are left with residual risk. To determine the scope of the procedures that are to be implemented to achieve an acceptable level of audit risk, in their analysis of residual risk auditors must assess and compare residual risk with audit risk.
The figure shows that we conduct audit procedures and collect audit evidence at all levels throughout the audit process. The character of the audit procedures and the strength of the audit evidence gradually change as auditors proceed more deeply into the audit or downwards in the audit process shown in figure 1. To ensure that the conclusions are based on correct information, auditors must verify that evidence that is collected during the year is still valid at 31 December. In the figure this is symbolised by a narrow strip of audit objectives and audit procedures that extend to the edge of the audit evidence field.
[Figure 1. Labels: The entity; Audit objectives; Risk analysis; Audit procedures; Audit evidence]
3.1.5
Strategic analysis
The purpose of conducting a strategic analysis is to acquire knowledge about the entity, identify critical processes and provide auditors with an overview of the risk that threatens the entity's goal achievement. A strategic analysis will also form the basis for planning the assignment and will give input to a joint overall risk analysis/ministry level. A strategic analysis is to be conducted for all the entities the OAG audits, including the ministries. A strategic analysis consists of four steps:
- understanding the entity
- assessing materiality
- assessing risk
- planning further auditing
In order to understand the entity, auditors carry out a systematic collection of information about the entity's goals and external and internal factors, as well as analysing financial information. On the basis of the information collected, auditors identify the processes in the entity that are relevant for goal achievement and for financial auditing objectives.
Pursuant to the rules for financial management in the central government and their accompanying provisions, all entities must establish internal control procedures that are adapted to risk and materiality. According to the OAG's standards for assessing internal control, auditors must make a preliminary assessment of the entity's risk management measures that are relevant for the audit. To understand the entity, auditors make this preliminary assessment by identifying internal factors and by identifying and assessing risk elements at strategic level, including the reaction of the management. Auditors are to begin the strategic analysis by identifying the entity's goals by examining its tasks. The primary tasks of the entity are expressed to some extent in parliamentary decisions. To enable it to carry out its primary tasks, the entity has secondary tasks in the form of support functions which, for example, secure staffing levels, operations or the reporting of the accounts. In addition, tasks of a temporary nature can be imposed on the entity, for instance relocation, downsizing or reorganising.
To gain an overview of the conditions that have an influence on the entity's goal achievement, auditors must obtain information about external and internal factors that affect the entity. External factors can be the users, competitors, political decisions and technology. Internal factors are, for example, organisation, the entity's management and risk management, information and communication. Auditors must also analyse relevant financial information. Through the audit, auditors must also contribute to the prevention and detection of irregularities. In the strategic analysis the audit team must therefore assess and in particular document the risk of the entity being exposed to irregularities. The final step for the auditor is identifying the entity's processes. A process is a series of activities that the entity has initiated to achieve its goals. The purpose of a process is to promote goal achievement and reduce risk. Processes can be designed for primary, secondary and temporary tasks.
Assessing materiality
Auditors assess qualitative and quantitative materiality at strategic level. The assessment is intended to help them to determine the factors that the users, particularly the Storting, regard as important.
Assessing risk
Risk assessment at strategic level is divided into three parts. Auditors must first identify risk at strategic level and consider the management's reaction. Auditors use information from understanding the entity and assessing materiality when they assess the risk elements that threaten the entity's goal achievement. Auditors then estimate the probability and consequence of risk elements being realised, basing this on combinations of high and low. We have chosen to use high and low rather than a continuous scale. The use of a scale entails considerable professional judgement and may give an impression of objective precision. The use of the categories high and low is a simplification of the scale, but will provide auditors with a level of precision that is adequate to enable them to decide which risk elements must be followed up in their further work. Auditors' assessment of probability and consequence must be supported by audit evidence irrespective of the scale that is used. In the risk evaluation, auditors decide the risk elements that are to be followed up in the subsequent audit work. Risk elements characterised as high-high must always be followed up, high-low must be assessed in relation to materiality, and low-low can be ignored by auditors in their subsequent audit. Auditors link all risk elements to audit objectives and process, but only risk elements that are of significance for the audit are included in the further implementation of the audit process.
Meeting with the management
In connection with the assessment of risk and materiality that is conducted in the strategic analysis, auditors hold a meeting with the management where analyses, strategies and plans are addressed. At the meeting auditors must match their risk picture with that of the entity in order to establish a shared communication platform and ensure contact with the management. Auditors draw up a proposal for a plan for the audit of the entity on the basis of the information collected, the meeting with the entity's management, the joint overall risk analysis for the ministry, and the assessments that have been made in the strategic analysis. The plan must contain the prioritised risk elements, the organisation of the audit, the need for resources and the schedule for performing the audit.
3.1.6
[Figure: PROSIT's navigation tree]
Process analysis
The purpose of process analysis is to conduct a more detailed risk assessment of the processes to which the prioritised risk elements are linked in the strategic analysis. Process analysis will enable auditors to find the residual risk that must be verified further in the analysis of residual risk. The process analysis consists of three steps:
- understanding the process
- assessing materiality
- assessing risk
The risk assessment is made for both inherent risk (auditors assess independently of established internal control measures) and control risk (auditors assess whether established control activities function).
In order to understand the process, auditors must conduct a systematic collection of information. Based on this material, auditors then compile a process description that covers:
- process goals
- process activities
- information flow in the process
- accounting transactions that influence the process
Auditors must ensure that the collection of information provides a sufficiently good basis for both an audit of the accounting and for compliance. Based on the information collected from the strategic analysis, auditors identify the goal or goals that the entity's management has set for the process. Process goals describe what the process is intended to attain and must be connected to the entity's principal goals and strategies. Most processes will have several goals. Auditors must then identify and describe the various activities that the process consists of. Process activities are the work operations the entity carries out to achieve the process goals. Information flow consists of data that goes in, through and out of the process. Auditors must acquire an overview of the information flow and assess it. As the final step in understanding the process, auditors must acquire an overview of any accounting transactions that are influenced by the activities in the process.
Assessing materiality
Assessments of materiality at process level represent an in-depth study of relevant factors derived from the assessment of materiality in the strategic analysis. It is mainly qualitative materiality factors that are included in the assessment, but it is also possible for auditors to assign quantitative materiality down to process level if this is deemed appropriate.
Assessing risk
Risk assessment in the process analysis is divided into three parts. On the basis of the information collected by the auditors, through understanding the process and assessing materiality, auditors identify the risk elements of the process and connect these to the relevant assertions. For each element of risk auditors must identify the control activities in the process and, if relevant, how these are supervised by the management. The control activities can be identified simultaneously with the process activities. Auditors must estimate the probability and consequence of each element of risk, irrespective of the established control activities (inherent risk). Auditors must also test whether established control activities function. If auditors assess the control activities as having a risk-reducing effect, they can choose to build on them in the audit and reduce the scope of substantive testing. In this event, auditors must obtain evidence with tests of controls to substantiate the functioning of the control activities. Finally, auditors assess the probability and consequence of each element of risk on the prerequisite that the established control activities are functioning (control risk). As the final step in the process analysis, auditors evaluate the estimated risk to identify any residual risk that must be followed up by further review procedures. The estimates can have four possible outcomes based on the combinations of high and low for probability and consequence. Risk elements that are assessed as having low probability and low consequence can be given low priority in the subsequent audit. Risk elements that are assessed as having high probability and high consequence must always be the object of further auditing. For risk elements that are assessed as having other outcomes, auditors must assess in each individual case whether the element of risk is to be addressed further. The process analysis is to be documented. For the risk elements that are not to be followed up by further monitoring, the assessment must be supported by audit evidence. If residual risk is identified in the process analysis, auditors must take the risk elements further for an analysis of residual risk through substantive tests.
3.1.7
[Figure: PROSIT's navigation tree]
The purpose of analysing residual risk is to test the management's assertions relating to the submission of the financial statements and their accompanying dispositions. Auditors must plan and implement audit procedures in order to collect audit evidence that can with reasonable assurance substantiate their opinion as to whether the management's assertions have been fulfilled. To determine the scope of the audit procedures that are required, auditors use the audit risk model. Analysis of residual risk consists of four steps:
- defining audit objectives for the assertions
- identifying remaining audit procedures
- planning the remaining auditing work
- implementing the audit procedures
The purpose of defining audit objectives is to enable auditors to work in a goal-oriented, efficient and effective manner in order to decide whether the management's assertions have been fulfilled, and thus to draw a conclusion for the entity. All the assertions are broken down to form one or more audit objectives. The audit objectives describe the quality the financial statements are to have at reporting date. Through strategic analysis and process analysis auditors have acquired knowledge about the entity and its processes. This knowledge is critical to enable them to set good audit objectives. The audit objectives give auditors a better basis for collecting necessary and sufficient evidence for important and material matters connected to the accounts and their accompanying dispositions before they assess whether the assertions have been met. Auditors must limit the number of audit objectives to those that are necessary to conduct an appropriate and adequate audit.
Auditors must identify audit procedures that ensure that residual risk is followed up, as well as audit procedures that verify that previously procured evidence can be carried forward to 31 December. They must also ensure that compulsory procedures are implemented.
The audit procedures must contain information about how they are to be carried out, their scope, and the date for their implementation. They must also be seen in the light of the audit objectives. In this context auditors must check whether audit evidence procured previously in the audit is included to support the audit objectives adequately so that further procedures are unnecessary. For some entities, the scope of the remaining audit procedures can be so extensive that it is difficult to handle them collectively. In such cases it will be appropriate to organise them into several audit programmes. Once auditors have identified the remaining audit procedures, they have acquired a foundation for updating the plan that was drawn up according to the strategic analysis. The plan is to include the remaining work to be done on the assignment and is to help the audit to be managed and conducted in an appropriate, efficient and effective manner. The plan is to contain information about organisation, an estimate of resources required, and the time schedule for carrying out the remaining work. The plan for the
remaining auditing work must go through a quality assurance process. When auditors implement the audit procedures they must record the outcome of each procedure, the findings, irrespective of whether errors have been detected or not. If the procedure reveals errors, it must be made clear whether or not the error is in the accounting, and also the extent to which it may be significant for subsequent conclusions. Auditors assess the findings of each procedure. In the course of the audit, auditors must consider the way in which they are to communicate the findings to the entity. The purpose of communicating audit findings is to contribute to preventing future errors and omissions and to clarify any misunderstandings and misinterpretations. It is therefore important for auditors to communicate with the entity during the audit before conclusions are drawn.
3.1.8 Conclusions
[Figure: PROSIT's navigation tree]
The purpose of the conclusions is to summarise the results of the auditing work. Auditors must base their conclusions on the procured audit evidence and audit findings from all the audit procedures that have been conducted throughout the audit process. The conclusions will draw on the auditors' professional judgement and the deliberations they have made on materiality for the entity in question. Before the conclusions can be drawn, auditors must verify that required and sufficient audit evidence is available to form a basis for reaching a conclusion of reasonable assurance, i.e. with acceptable audit risk. To assist auditors in drawing the various strands together, the conclusions are reached on three levels:
- conclusion for each audit objective
- conclusion for each assertion
- conclusion for the entity
Auditors must draw conclusions for all the audit objectives. These are made on the basis of the procured evidence and the findings that are available for the audit procedures under each audit objective. Auditors must take into account any corrections that the entity may have made as a result of the findings. Auditors must draw conclusions for all the assertions. These are made on the basis of the conclusions for the audit objectives that cover the assertion in question. In this
context auditors must also take into account any audit evidence that has been acquired and must document non-prioritised elements of risk that can be linked to the assertion.
Conclusion for the entity
Finally, in keeping with the dual audit objective, auditors reach a total conclusion for the entity. In this total conclusion auditors must decide whether or not there are material errors and omissions in the financial statements submitted and whether the dispositions on which the accounts are based comply with parliamentary decisions. The conclusion for the entity is made on the basis of the conclusions for all the assertions. In this context auditors must also take into account any audit evidence that has been acquired and must document non-prioritised elements of risk from the strategic analysis that can be linked to the dual audit objective. Auditors must document and substantiate their conclusions with reasons and audit evidence.
3.1.9 Reporting
The purpose of reporting is to inform the entities and the Storting about the result of the performed audit.
Concluding audit letter to the agencies
The OAG reports annually to the entities through the concluding audit letter. The audit letter states whether or not material comments have been made on the entity's submitted accounts with their accompanying dispositions. No concluding audit letter is sent for the ministries' financial statements. Each year the OAG gives the Storting all the information about the result of the annual audit in Document no. 1, which is compiled for each ministry. The document reports on the audit in general and gives specific details about the audit of the financial statements, management and goal achievement as well as about performance reporting to the Storting on the annual budget, management of subordinate bodies, grant administration etc. Factors that the OAG has noted in connection with the performed audit and the ministries' reply to items that have been addressed in the concluding audit letter must also be described in Document no. 1. Special guidelines and guidance have been drawn up for the written reporting to both the entities and the Storting.
The OAG compiles a general risk assessment for each ministry, cf. template for joint overall risk analysis for ministry X. The risk assessment is common for all types of audit, it is conducted at the same time, and it forms the basis for collaboration and exchange of experience. Much of the information that the general risk assessment draws on is also used by auditors in the strategic analysis of the ministries and entities. In order to provide information and assessment, parts of the strategic analysis should be conducted during the first three months of the year. The work on the strategic analysis can begin once the appropriations decision has been taken and letters of allocation have been formulated. This applies to both the ministry and to the principal subordinate agencies since these may be of importance for the overall assessment of the ministerial area.
In accordance with the OAG's standards, an audit plan must be drawn up for each audit assignment. The plan is to contain priorities, organisation, an estimate of resources required, and a work schedule. The plan is normally approved by the head of division. The Secretary General sets the deadline for the completion of the audit plans. The audit plan should be finalised before the process analyses begin. If auditors subsequently find new information or become aware of changes made to the allocations or to the prerequisites assigned to them, adjustments to the audit plan may be required.
According to the guidelines for written audit communication, all the entities with the exception of the ministries must receive a concluding audit letter from the OAG, cf. guidelines and templates for the concluding audit letter. Since the OAG maintains its dialogue with the ministries until Document no. 1 has been drawn up, no concluding audit letter is prepared for the ministries.
The OAG reports the auditing work annually in Document no. 1 to the Storting, cf. template and internal routines for reporting to the Storting about the Office of the Auditor General's audit and monitoring activities (Document no. 1).
The department that is responsible for auditing the Ministry of Finance prepares a joint statement concerning the central government accounts in collaboration with the other financial auditing departments.
3.2.2 Some key documents from the Storting and government administration
The Government submits a budget proposition (Proposition no. 1 to the Storting) within six days of the opening of parliament in the autumn. In accordance with the Storting's rules of procedure, the budget recommendations from the committees involved must be deliberated by 15 December at the latest. The Storting undertakes two main budget revisions. An aggregate budget proposition must be submitted by 15 May (the revised national budget). The Storting approves the changes during June. The second main revision is conducted in December (the new final budget). In addition the Storting approves appropriations for individual cases.
The Ministry must send letters of allocation to subordinate bodies as soon as the Storting has taken the appropriations decision. If the Storting changes the allocations, the ministry must send out supplementary letters of allocation. The letters of allocation often contain precise information about the intentions of the Storting's allocation as well as more specific requirements regarding results.
The entities submit the financial statements and the annual report to the supervisory ministry. The deadline for reporting is usually included in the letter of allocation. Requirements regarding reporting to the ministries are also stated in the regulations for financial management in central government and the accompanying provisions. There must be agreement between the reporting requirements in the letter of allocation and those in the annual report, and ensuring that this is the case is part of the financial audit.
At the beginning of March the ministries send Notes to the central government accounts to the OAG. These give an explanation of any non-compliance between budget figures
and accounting figures for the appropriations accounts. The explanations are given at item level, i.e. the same specification as that used by the Storting in its appropriations decision. Around the end of April or the beginning of May the Ministry of Finance presents the central government accounts in Report no. 3 to the Storting. The central government accounts consist of two main parts: the appropriations accounts and the capital accounts. In addition to the accounting statements, the report also contains comments on the results with regard to the different programme categories.
Pursuant to the Appropriations Regulations, the results must be reported in the budget proposition after the fiscal year. Auditors must ensure that the ministry's report to the Storting is in keeping with the budget.
Figure 2 The audit process and selected key documents
The lightly shaded documents directly under the time line are those that are compiled by the Storting and government administration. The darker documents below these are prepared in the OAG. The length of the various phases in the figure does not express the amount of work involved at each individual phase. Auditors work on two audit years in parallel, but on different steps in the audit process. Auditors conclude one audit at the same time as they start on the next.
4.1 Assertions
The audit objectives are broken down into assertions. Contrary to private sector auditing, where assertions concern the correctness of the accounts, the OAG has two sets of assertions related to its dual monitoring task. The entities submit financial statements annually that must contain correct information about the entity's activities during the period in question. The accounts must give a correct picture of how the budget has actually been employed. For the accounting information to be correct, it must have certain qualitative features. When the management submits the financial statements, they assert that the information has these features. Using an audit of the accounting, the task of financial auditing is to verify the quality of the accounts and thus show that the assertions are valid. However, for government agencies it is not sufficient merely to submit correct financial statements. It is also the duty of the entities to follow certain requirements and instructions, for example those resulting from the annual budget resolutions in the Storting, as well as other specific framework conditions that apply to government administration. When government agencies submit their financial statements, in addition to claiming that the accounts are correct they therefore assert that the dispositions carried out comply with the specific framework conditions. Financial auditing confirms these assertions through the compliance process.
Assertions and audit objectives
To enable auditors to make a statement as to whether the financial statements and the dispositions on which the accounts are based comply with parliamentary decisions, they must collect sufficient and appropriate audit evidence. The correctness of the financial statements and the budget appropriations depend on the assertions being free of material errors. When auditors make the risk analysis, it is important to link the risk elements to the assertions that are threatened.
When auditors are to draw their conclusion, the conclusion represents a statement of the extent to which the assertions are free of material errors. Our dual monitoring task can complicate the conclusions somewhat, depending on which assertions auditors regard as encumbered with material errors. When auditors are of the opinion that one or more of the assertions in the financial statements are encumbered by material errors, one or more of the assertions concerning the dispositions will often also contain errors. Cases may also arise where the material errors are only related to one set of assertions. An example of this is when auditors do not find material errors in the actual accounts, but reveal that the budget has not been appropriated in compliance with parliamentary decisions. It may be that large parts of the budget have still not been used or have been employed for purposes other than those stated in the decision. The overview below shows the two sets of assertions used for an audit of the accounts and for the compliance of dispositions.
Audit of the accounts
- Result: Validity; Correct measurement
- Completeness
- Balance: Existence; Ownership; Valuation
Compliance of dispositions
- Appropriation of funds: Parliamentary decisions; Laws and regulations; Norms and standards for financial management in the central government
Existence: A balance sheet item (asset or liability) represents an actual figure on the closing date.
Ownership: A balance sheet item represents a right or a liability for the entity on the closing date.
Correct valuation: Assets and liabilities are assessed in accordance with accepted valuation rules.
Validity: Transactions that are recorded in the accounts are related to the entity and to the period during which they have been recorded.
Correct measurement: All revenue and expense flows during the period are recorded correctly.
Two of the assertions apply for all the information in the accounts.
Completeness: All the relevant information has been included in the accounts.
Correct presentation and classification: All the entries in the accounts are correctly classified and correctly described.
4.1.2.1
This assertion is related to the entity's primary tasks in the individual accounting year. Parliamentary decisions can also cover secondary tasks through decisions about downsizing, rationalising operations and the like. When such decisions are taken, they will often entail a need for the entity to follow them up separately as primary goals for the period in question. Government agencies are established to carry out certain tasks. Their framework conditions are set by the Storting, for example through the annual budget resolutions. At the same time, the entities are given allocations from the Storting to enable them to perform their tasks. The decisions and intentions that result from the budget proceedings govern the operations and the performance of tasks in the entities. It is not always easy to interpret the parliamentary intentions behind a decision. The decision itself will often be worded very briefly, which means that supplementary information may be required to clarify the intentions on which the Storting has based the decision. Such information is primarily found in the documents that are fundamental for taking the decision, i.e. recommendations and propositions.
Budget decisions
The Storting's budget resolutions can be linked to specific performance targets, purposes or measures that it is assumed the entity will accomplish by using the allocation. These targets will be given in documents such as the budget propositions and accompanying recommendations and decisions. The requirement stating that the ministry is to describe performance targets is stipulated in the Appropriations Regulations. Section 2 states that the results the entity is intended to achieve must be described in the draft budget. Section 13 of the regulations sets the following requirement for the ministry's performance reporting: "Details of results achieved for the last accounting year shall be given in the relevant budget proposition along with other accounting information that is of importance for assessing the draft budget for the coming year."
Intentions
The intentions may relate to particular parliamentary decisions in which, through parliamentary documents, it has been decided to set up an entity to perform the defined tasks. The intentions can also be connected to the Storting's budget deliberations and to the relevant committees' definition of goals or requirements in the recommendations to the propositions.
4.1.2.2 The dispositions comply with laws and regulations
We can divide the various regulations affecting this assertion into two main groups depending on whether they are linked to the entity's primary or secondary tasks. The regulations that are linked to the primary tasks are called pertaining regulations, while those linked to the secondary tasks are called general regulations. The OAG is expected to report documented violations of the law and other instances of non-compliance with laws and regulations to the entity, and any material non-compliance to the Storting. In general, low tolerance is shown for any breach of regulations in a government entity since the administration must serve as an example with regard to following laws and regulations.
Pertaining regulations
The manner in which an entity's primary tasks are to be carried out and the defined performance targets that have been set for resolving these tasks can be regulated by legislation, parliamentary decisions, regulations, guidelines, individual decisions etc., as well as through the policy dialogue between the supervisory ministry and each individual entity. Such overriding framework conditions govern the entities' performance of their tasks and are termed pertaining regulations. The pertaining regulations are normally ascribed to the individual ministry's area of work.
One of the primary tasks of government administration is to determine and collect taxes and other dues. This task is carried out by several entities and is regulated in different legislation such as the Tax Act, the VAT Act etc. with accompanying regulations and annual decisions. National insurance and benefits payments represent another major government task. The framework conditions for these payments can be found in the National Insurance Act and its accompanying provisions, as well as in other documents. Similar pertaining regulations will govern the primary tasks of most government agencies. The scope of such pertaining regulations need not be limited to covering only government agencies; they can contain provisions that apply to both the private and public
sectors. In some cases the primary task of a government entity may be to monitor that the regulations are followed.
General regulations
Certain regulations have provisions that all government agencies must follow and are therefore classified as general regulations. General regulations are established to ensure a uniform, open and documented budget and accounting process and uniform government personnel administration. For most entities this will be related to secondary tasks or to support functions for the performance of their tasks.
The Appropriations Regulations, the Public Procurement Act and various laws and statutory provisions that apply for government personnel administration are examples of general regulations. The Appropriations Regulations have been adopted by the Storting and represent the overriding regulations for the administration of government resources that apply to all the entities. The Public Procurement Act with accompanying regulations is applicable for most government procurements. The Worker Protection and Working Environment Act, the Civil Service Act, the Freedom of Information Act and the Public Administration Act are examples of general regulations for personnel administration in the public sector. The Civil Service Handbook contains an overview and an interpretation of key Acts and statutory provisions etc. that are applicable for government personnel administration. The handbook also contains decisions on principles and guidelines that have been drawn up through experience. The manner in which the handbook is structured means that only parts of the provisions are included in general regulations, while the other parts will normally be incorporated into Assertion 3 concerning the dispositions being acceptable on the basis of norms and standards for financial management in the central government.
4.1.2.3 The dispositions are acceptable on the basis of norms and standards for financial management in the central government
Norms and standards for financial management in the central government are provisions that can be both guidelines and instructions for the entities. These
provisions often give the entities room for individual adaptation within the defined limits, but are frequently more detailed and have a more operative angle than the regulations described in Assertion 2. These norms and standards are largely governed by both the regulations and the provisions for financial management in the central government. In addition, more precise and detailed stipulations resulting from the Ministry of Finance's circulars will set norms for government financial management. According to the regulations, entities must compile more detailed instructions and guidelines to ensure good internal financial management and risk management. Such instructions and guidelines will also represent norms and standards for financial management. Other provisions must be drawn up for entities that are exempt from general provisions, but such provisions must be compiled within the authorisations that will set norms.
4.1.3 Connection between the financial auditing assertions and criteria for information for IT auditing
The purpose of this section is to show the connection between financial auditing assertions and criteria for information for IT auditing with the aim of strengthening the integration of IT auditing as part of financial auditing and creating a shared understanding of the various terms. IT auditing constitutes an essential tool for supporting financial auditing, particularly in entities that largely carry out their tasks and reporting by using large and complex IT systems. ISACA and IIA have drawn up some common criteria for how information in IT environments arises, is presented and is applied. These are criteria towards which the conclusions of the internal audit are directed and which IT auditors have found appropriate to use in their work.
Goal orientation: Information must be relevant to the entity's needs, updated, and delivered in a form that is punctual, correct, consistent and applicable.
Information must be procured and made available through the optimal use of resources (in terms of both productivity and economy).
Confidentiality: Classified information must be protected from unauthorised access or presentation.
Integrity: Information must be precise, complete and valid, and in accordance with commercial values and expectations.
Availability: Information must be available when required for the business process both now and in the future. This also applies to protecting necessary resources.
Compliance: Information must satisfy the legislation, regulatory measures, regulations and contractual agreements to which the business process is subject, for example externally imposed requirements regarding information.
Reliability: Information must be expedient and appropriate for the management in their governance of the entity and for the management's performance of financial and (statutory) imposed reporting tasks.
The assertions towards which the conclusions of the financial auditing are directed and the criteria that form the basis for IT auditing assessments have different content. It is therefore necessary to recognise the connections to enable auditors to identify where an IT audit is appropriate so that the financial audit will be targeted, efficient and effective in relation to identified risk. In many cases IT environments support entity processes and provide important information that the OAG draws on in its auditing. The information includes descriptions,
assessments, figures, decisions and transactions that are processed and stored. Accounting figures or other reports are aggregated on the basis of information in the entity. In some cases the figures are founded on information and professional judgements in pre-systems. Auditors are then dependent on assessing the information in the pre-systems for example the administrative procedure systems INFOTRYGD (the National Insurance Administration) or ARENA (the Norwegian Public Employment Service).
When IT systems are to be assessed, auditors who have adequate IT expertise must contribute to the assessment of the information that forms the basis of the auditing work. These assessments will determine how the audit should be conducted and the extent to which auditors can utilise tests of controls in their work. In financial auditing findings are assessed by comparing them with the assertions. It is therefore necessary to see the connection between the above information criteria and the financial auditing assertions. Appendix 1 gives a table that shows this connection between the financial auditing assertions and the IT audit criteria.
4.2 Materiality
The OAG's standard for materiality states:
18 Auditors shall make assessment of materiality to enable them to perform an economic, efficient and effective audit.
Definition of materiality
Auditors shall regard errors and omissions as material in cases where the users would probably have made other assessments and taken other decisions if they had been aware of the errors.
Materiality in financial auditing is seen in relation to the fact that the information can contain errors or omissions or can be based on professional judgement. The costs of avoiding all errors and omissions can be so great that they exceed the benefit of such high precision. Errors of a certain size must therefore be accepted (materiality limit) provided that this is not of significance for the entity's ability to implement the Storting's budget resolutions and intentions or is not of critical importance for the users of the information.
The assessment of materiality is based on both quantitative and qualitative considerations and is one of the factors that governs what is to be audited and the scope of the audit that is to be conducted. Errors that are due to random or unintentional actions are normally assessed as less serious than those that may result from deliberate actions. For the OAG, the assessment of errors will depend on more than the size of the amount involved since smaller errors can also have considerable fundamental importance for the users.
Definition of users
There are many who use an entity's financial statements, and they may have different reasons for using the financial information. The most important users of government administration accounts are:
- the Storting
- the ministries and the Government
- other government authorities and bodies
- competing enterprises, customers and suppliers
- the general public
Qualitative materiality
instructions, the fact that action has been taken that is contrary to parliamentary decisions, or that administrative regulations including norms and standards for financial management in the central government have not been followed. An error that does not relate to figures cannot automatically be defined as a fundamental error. The error must be of a certain scope and/or a certain importance to be termed fundamental. It is in the reporting phase, when the conclusions are to be drawn, that auditors assess the type of error that has been found and decide whether this error can be regarded as material in its own right or together with other findings. Auditors must exercise professional judgement when assessing which errors are of such a nature or scope that they must be considered as qualitatively material.
22 Auditors shall use professional judgement in their assessment of the audit risk, and shall implement the audit procedures that are necessary to reduce this risk to an acceptable level. The audit risk model is a model that helps auditors to determine how comprehensive the audit work must be to attain the desired assurance for the conclusions. The model consists of four elements: audit risk, inherent risk, control risk and detection risk.
Inherent risk
Inherent risk is the probability that in the financial information or in the entity in general there are dispositions that cannot be accepted, or errors and omissions that are material either in their own right or when aggregated, when any possible internal control measures are ignored. The next three risk factors are conditional on there being material errors or omissions etc.
Control risk
Control risk is the probability that a material error or omission will not be prevented or detected and corrected within reasonable time by the accounting or internal control systems.
Detection risk
Detection risk is the probability that the auditors' substantive tests will not detect the errors that the accounting or internal control systems do not discover.
Audit risk
Audit risk is the overall probability that on completion of the audit there will be material errors or omissions that have not been detected. Audit risk is the product of the risk factors described above.
Audit risk = Inherent risk × Control risk × Detection risk
Inherent risk and control risk must be estimated by the auditors, while audit risk can be calculated. Setting audit risk also determines detection risk. Detection risk determines the number of substantive tests the auditors must conduct.
Detection risk = Audit risk / (Inherent risk × Control risk)
Detection risk expresses the extent of the audit evidence that must be procured through substantive tests. Tests of controls are carried out to confirm the assurance auditors ascribe to the internal control. If the internal control does not function as intended, detection risk must be increased and the possible number of substantive tests raised.
Auditors base their determination of the levels of inherent risk and control risk on the results of the strategic analysis and the process analysis.
Auditors can define inherent risk and control risk together or separately. To define these two components in the model, auditors should assess both the entity's risk and the risk that the accounting information contains material errors that are due to intentional or unintentional actions. Ultimately it is the auditors' professional judgement that decides how inherent risk and control risk are to be determined. In general, detection risk is also set by professional judgement. The model must therefore be used with caution.
supplemented with substantive tests and possibly also with tests of controls. To assess the entity's risk management, the control measures must be evaluated in the process analysis. Among other factors, this entails determining that the measures are in place and that the entity uses them. Procedures for risk assessment must be carried out in order to gain an understanding of the entity, including its risk management.
In this context, "management and others" includes those who are responsible for defining goals for the entity, those responsible for reporting the accounts and the internal auditing, and financial and operative staff. As a rule, enquiries must be directed towards several individuals. The decision as to whom the enquiries are to be directed and how searching they should be is based on whether the expected information will help to identify risk elements.
Analytical review procedures can be useful for identifying unusual transactions or incidents, and also amounts, ratios and trends that can indicate factors that have consequences for the annual accounts and auditing. When conducting analytical review procedures as a procedure for risk assessment, auditors develop expectations about possible correlations that can reasonably be expected to exist. A distinction is made between analytical procedures used as procedures for risk assessment and analytical procedures used as substantive tests.
Trend analyses are analyses of changes that have occurred since previous periods. There are a number of analysis techniques, for example comparing periods, that are appropriate in the planning phase.
Ratio analyses are methods that show correlations between various financial information. They are particularly useful in cases where ratios can be calculated for a sufficient number of years to enable the development in the financial information to be viewed and evaluated.
Analyses of business expectations involve utilising calculations or a series of calculations to forecast expectations regarding future financial information on the basis of current financial data.
Observations and inspections can be used to support enquiries to the management and others, but can also provide information about the entity. The term covers the observation of activities in the entity, inspecting documents (plans and strategies), records and the risk management handbook, and examining management reports, budget, accounts and policy dialogues. It also covers visits to the entity and its operational premises as well as following transactions through information systems. It is not necessary to use all three procedures for each of the sources of information that are described in the strategic analysis and the process analysis, but all the procedures should be used in the analysis.
Tests of controls should provide auditors with adequate evidence that risk management measures function as intended, i.e. that the measures have been implemented and that their quality is satisfactory. Different types of tests can be used to achieve this. Enquiries alone are not adequate evidence: other procedures should also be carried out such as inspecting routine descriptions, observing the implementation of measures or verifying control activities. Enquiries, inspection and observation are discussed under procedures for risk assessment. Verification entails auditors carrying out procedures to investigate whether the measure has been correctly implemented by the entity. When verifying, auditors can in each case select a number of transactions to be tested against the measures that govern them. The selection must be made from all the transactions that have been subject to the measures in question. If risk management is assessed as satisfactory, auditors can procure appropriate evidence from the tests of controls, thus reducing the extent of the substantive tests required for the accounts to be certified, and can address the dispositions on which the accounts are based.
number of substantive tests that must be carried out by auditors to achieve the same assurance in their assessments. Auditors must attain the desired level of assurance in their conclusions in the most efficient and effective manner, and must therefore try to conduct the substantive tests that are most appropriate in terms of both audit risk and time consumption.
There are two types of substantive tests: detailed audit procedures and analytical review procedures. When auditors conduct detailed audit procedures, they check the information directly by examining certain transactions, documents or assets. When they conduct analytical review procedures, auditors assess variance and reasonableness in the information after comparing it with historical data or estimated expectations.
We distinguish between four types of detailed audit procedures: inspection, observation, control calculations and enquiries/confirmations. Inspections involve the auditors themselves checking the financial information, transactions and documents (voucher tests) or assets (physical tests) to ensure that the information is correct when compared with the submitted assertions about the accounts and the dispositions on which they are based. Observations are made when auditors consider the activities that are carried out in the entity, for example observation of inventory and stock-taking. Control calculations involve auditors checking the calculations in documents, for example verifying that the rates used for calculating dues are correct. For entities that follow the Accounting Act, checking the writing-off of assets can be a relevant audit procedure for auditors to conduct. By enquiries/confirmation we understand that auditors gather information from persons within or outside the entity, for example in the form of bank statements and confirmations of balances.
Analytical review procedures are procedures that assess variance and reasonableness in the available accounting information by comparisons, the use of ratios and other similar techniques. Analytical review procedures provide auditors with indications of whether there are material errors in the information. An example of this can be large variances in the figures from one year to the next. When auditing critical accounting items that have a high audit risk, analytical review procedures alone are not sufficient; they must be combined with detailed audit procedures. Auditors must bear in mind that the figures in the accounts that are included in the analysis may be incorrect from the outset, and the analysis will thus give an invalid picture of reality. Any indications of errors must be followed up by other types of tests.
One model for analytical substantive tests is:
- predicting an expected result
- setting the marginal value and identifying variances larger than the marginal value
- identifying, checking and quantifying explanations of the variance
An expected result is an estimate for an entry or parts of an entry. The marginal value is the difference between the expected result and the actual figure that can be accepted without further explanation. It does not represent actual errors but is a measure of acceptable uncertainty concerning possible errors. Auditors must set the marginal value beforehand, using either their professional judgement or statistical methods. The marginal value must be considered in conjunction with the materiality level that has been set for this or for the accounting items in question. A low materiality level indicates that only a small difference between expected result and actual figures can be accepted.
If auditors find material variance between the expected value and the book value (i.e. variance that exceeds the marginal value that they have set in advance), more detailed investigations must be made to ascertain the extent to which the variance is the result of actual errors in the accounts or whether it is due to other factors. The causes of variance in the figures must always be considered and documented and, whenever possible, quantified.
In cases where variance in the figures cannot be quantified, auditors cannot regard the audit evidence as satisfactory. Audit evidence must be of the same quality as the evidence for the detailed audit procedures, and fair conclusions must be drawn regarding the degree of assurance attained.
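The three-step model for analytical substantive tests described above, as an added Python example that is not part of the guidelines. The entries and amounts are constructed; deriving the expected result from the prior year's figure, and closing a test once the unexplained residual falls within the marginal value, are assumptions made for the illustration.

```python
"""Analytical substantive test: expected result, marginal value, variance follow-up.

Added illustration. All entries and amounts are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    name: str
    prior_year: float        # last year's book value (constructed)
    expected_change: float   # assumed change, e.g. 0.03 for +3 %
    actual: float            # this year's book value
    marginal_value: float    # acceptable difference, set BEFORE comparing
    # cause -> quantified amount; None marks a cause that could not be quantified
    explanations: dict = field(default_factory=dict)

    @property
    def expected(self) -> float:
        # Step 1: predict the expected result.
        # Assumption: the prior-year figure scaled by the expected change.
        return round(self.prior_year * (1 + self.expected_change), 2)


def assess(entry: Entry) -> dict:
    """Classify one entry as 'accepted', 'explained' or 'follow_up'."""
    if entry.marginal_value < 0:
        raise ValueError("marginal value must be non-negative")

    variance = round(entry.actual - entry.expected, 2)

    # Step 2: a variance within the marginal value needs no further explanation.
    if abs(variance) <= entry.marginal_value:
        return {"entry": entry.name, "variance": variance,
                "unexplained": variance, "unquantified": [],
                "status": "accepted"}

    # Step 3: identify and quantify the explanations. A cause without an
    # amount leaves the audit evidence unsatisfactory, whatever else is known.
    unquantified = [c for c, amt in entry.explanations.items() if amt is None]
    explained = sum(a for a in entry.explanations.values() if a is not None)
    unexplained = round(variance - explained, 2)

    # Assumption: the test is closed when every cause is quantified and the
    # residual is no larger than the marginal value set in advance.
    closed = not unquantified and abs(unexplained) <= entry.marginal_value
    return {"entry": entry.name, "variance": variance,
            "unexplained": unexplained, "unquantified": unquantified,
            "status": "explained" if closed else "follow_up"}


# Constructed sample entries (amounts in thousands).
SAMPLE = [
    Entry("payroll", 1000.0, 0.03, 1040.0, 25.0),
    Entry("travel", 200.0, 0.0, 290.0, 20.0, {"relocation project": 80.0}),
    Entry("fees", 500.0, 0.02, 430.0, 15.0),
    Entry("consultants", 300.0, 0.0, 380.0, 20.0, {"new finance system": None}),
]


def run(entries=SAMPLE) -> dict:
    """Assess every entry and return the results keyed by entry name."""
    return {e.name: assess(e) for e in entries}


if __name__ == "__main__":
    for result in run().values():
        print(result)
```

Entries that come back as follow_up are the ones that call for detailed audit procedures.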
Sufficient
Sufficiency is a measure of the scope of audit evidence. Auditors must collect enough evidence to enable them to substantiate their conclusions in relation to the audit objectives. It may be difficult to express in absolute terms how comprehensive the amount of evidence must be for it to be considered sufficient, but the need increases proportionally with the risk. If there is great probability that a risk element will arise and that the consequence of this will be of considerable significance, the auditors' conclusions must be based on more extensive evidence than in cases where the risk is less probable and less material.
Necessary
It is important for auditors to be critical of the scope and content of the information that is gathered. The standard also contains a requirement that the information must be necessary; in other words, only information that is necessary should be collected. The quality of the audit evidence is significant for the scope of the evidence that must be gathered. Auditors can base their conclusions on a smaller scope if the evidence is of high quality. Auditors normally make use of audit evidence that is of a more substantiating than absolute nature, and they will often obtain audit evidence from different sources or of different types. Auditors must assess the relationship between the use of resources for collecting audit evidence and the sufficiency and appropriateness of the information that is obtained. However, the fact that it is difficult and resource-consuming to collect audit evidence does not in itself provide grounds for neglecting the process.
Appropriate
Appropriateness is a measure of the quality of the audit evidence, i.e. its relevance and reliability. For evidence to be relevant, it must be valuable as documentation for auditors' conclusions in the light of the individual audit objective or assertions. In this sense it is important to be aware of what is to be proved when the audit procedures are compiled and the collection of evidence is undertaken. That the evidence is relevant also entails that it is timely and that it applies to the audited accounting period. It is particularly important to be aware of the evidence's timeliness in cases where it has been procured at an early point in the audit process and may thus represent only parts of the audited accounting period. The total evidence must be representative for the entire audited accounting period.
Criticism of sources
Evidence is reliable if it fulfils the necessary requirements set for credibility. The reliability of audit evidence is affected by the source, internal or external, and by whether it is visual, written or verbal. Auditors must be critical of information that is gathered from different sources. For example, consideration must be given to whom the information has been produced by and for, to the consequence this may have for the content, and also to whether the content meets the auditors' need. This critical review of the sources and content contributes to making auditors' assessments of the most important risk factors in the entity as accurate as possible. Auditors must assess whether the sources satisfy the requirements for audit evidence. The following are used as a basis for the assessments:
- External audit evidence (e.g. confirmation received from a third party) is more reliable than audit evidence that has been generated internally.
- Audit evidence that has been produced internally is more reliable if the entity has effective accounting and internal control procedures.
- External evidence is more reliable if it has been procured directly by auditors than if it has been obtained by the entity.
- Audit evidence in the form of documents (on paper, electronically or via other media) and written statements is more reliable than verbal statements.
- Audit evidence in the form of original documents is more reliable than copies or faxes.
Assurance will be greater when there is a correlation between audit evidence procured from different sources or between different types of evidence. If information from one source does not correspond with that from another, auditors must decide on the additional procedures that are necessary to allow the information to be used as audit evidence.
5 Strategic analysis
Prosit's navigation tree:
This chapter is intended to give auditors an understanding of how they should conduct a strategic analysis, the information they must gather and assess, and how they are to document the assessments. A strategic analysis must be conducted for all the entities audited by the OAG, and also for the ministries. To carry out the best possible general risk assessment per ministry and to ensure an appropriate foundation for overall reporting of the audit, the risk analysis for the assignments that belong to the same ministerial area must be coordinated and synchronised. One of the primary tasks in ministerial assignments will be the management of subordinate bodies.
The strategic analysis provides a general framework for the auditing work. It is therefore important that those who conduct the analysis have an adequate understanding of the audit assignment plus good auditing expertise. Normally it is the auditor who is responsible for the assignment who conducts the analysis in cooperation with the division manager and possibly others in the audit team.
According to the financial regulations, all entities must establish an internal control system. The entity's management is responsible for ensuring that this system is adapted to risk and materiality, that it functions satisfactorily, and that it can be documented. Internal control shall primarily be incorporated into the entity's internal governance. The provisions in the financial regulations for central government stipulate that financial management shall ensure that:
- defined objectives and performance requirements are followed up
- the use of resources is efficient and effective
- the entity is run in compliance with laws and regulations
The ministries must ensure that the entities' internal control measures are satisfactory in relation to the above.
Pursuant to the OAG's standards for assessing internal control, auditors must make a preliminary assessment of the entity's risk management measures that are relevant for the audit. To understand the entity, auditors conduct the following:
- a preliminary assessment of the entity's risk management measures
- an identification and assessment of risk elements and the management's reaction
- an identification of internal factors
Auditors elaborate on their assessment of internal control in the process analysis. If they choose to base their audit on relevant control activities, these must undergo tests of controls in the process analysis. An important part of the strategic analysis is holding a meeting or meetings with the entity's top management, where the subjects addressed include the entity's risk management and risk assessment. The auditor must adapt the arrangements for such meetings to the entity under audit.
Expectations of the role of auditors in the prevention and detection of irregularities have become higher. This means that auditors must be fully alert to the presence of irregularities in all parts of the audit. The audit team must therefore separately assess the risk of the entity being exposed to irregularities, and these assessments must be documented.
At this stage of the audit process, the main challenge for the auditors is to keep the assessments at a general rather than detailed level. The strategic analysis consists of the following steps:
Assessing materiality
Assessing risk
Primary tasks
The primary tasks of most entities are laid down in Proposition no. 1 to the Storting. More details may be given in letters of allocation. Acts of law can govern the primary tasks of some entities; for example, the Taxation Act plays a key role for the Inland Revenue Service. The ministries are responsible for implementing and following up parliamentary decisions. The management of subordinate bodies will always represent a primary task for the ministries.
Secondary tasks
The majority of entities have secondary tasks such as staffing and payroll duties, purchasing and storage, management and supervision, the annual submission of accounts and reporting. Regulations for these tasks include those relating to public procurement, the regulations for financial management in the central government, and the Civil Service Handbook.
Temporary tasks
Some of the entities' primary and secondary tasks can be of a temporary nature, for example reorganisation, relocation and the introduction of finance systems. There will often be a need for auditors to consider temporary tasks and to assess their risk, particularly since such tasks normally involve greater uncertainty with regard to goal achievement. In addition, several users may have a particular interest in temporary tasks and may therefore also influence auditors' materiality assessments of the assignment.
Auditors must identify and document the entity's primary and secondary goals.
The eight factors described in the figure above can affect the entity in ways that prevent it from performing its tasks and reaching its goals. The entities' external environments will vary, and not all the factors are of equal relevance for all entities.
Political decisions
With its legislative and budgetary powers, the Storting exerts great influence on the entities' framework conditions. The Storting sets the framework for the employment of the budget and adopts general laws that apply to society at large, and specific laws that can apply to the entity. In addition, the Storting lays down the form of affiliation, including financing, for government agencies. Political decisions can be:
- new tasks
- a new form of affiliation resulting in new accounting principles
- changed framework conditions resulting in changes for the administration (for example large reorganisation or the relocation of entire entities)
Socio-economic factors
General socio-economic factors can affect the entity's possibility of achieving its goals. Unemployment often rises in periods of recession, leading to a greater demand for public services, for example from the Public Employment Service and the National Insurance Service.
Social factors
Society's attitudes and expectations of the welfare state and its willingness to pay taxes and dues are examples of social factors that can be of importance for the possibility of some entities achieving their defined goals. Changes in level of education and settlement patterns are other examples of social factors that may exert influence.
In certain periods it may be difficult to recruit and retain well-qualified employees in the public sector. Government agencies are to a large extent dependent on human resources to produce their services. Employees are often expected to have acquired special skills to carry out these services, and entities are thus extremely vulnerable with regard to losing this special competence.
Supervisory authority
Through their specific ministries, cabinet ministers are responsible for ensuring that parliamentary decisions are fulfilled. The follow-up takes place through the policy dialogue with the entity, for example in letters of allocation. The contents of such letters are intended to include purposes and goals as well as framework conditions defining how the entity is to perform its mandatory tasks. The ministry is ascribed the management, follow-up and monitoring of the entity's operations. The entity's letter of allocation must be in line with parliamentary decisions.
Technology
Technological development is another factor that may have an impact on the entities' ability to reach their goals, particularly entities that use and are dependent on information technology or other technology to produce or deliver their services. These entities are particularly vulnerable if technology ceases to function. Technological development in this context includes changes in large systems, in the development of software and hardware, and in infrastructure and information systems. One example of the consequences of the entity not giving appropriate consideration to technological development is that it retains old systems that are not able to meet internal and external requirements. It may also lead to the entity becoming unable to perform its tasks due to factors such as impractical systems, capacity problems and the like.
Cooperative partners
Many entities are dependent on collaboration with private or public enterprises. These can be enterprises with closely related tasks or tasks that form part of a chain, for example the police collaborating with the prosecuting authorities, courts of law and the probation services. Private cooperative partners can be suppliers of goods and services or other operators outside the entity. If the entity's goal achievement is dependent on a particular or complex item or service that can only be obtained from one or few suppliers, this may pose a risk for the entity's goal achievement.
Many government agencies have a monopoly on their production of goods or services. They therefore have little experience of competitors with alternative goods and services posing a threat or risk to their goal achievement. In many cases a lack of competition can increase the danger of inefficiency, and this in turn can threaten the entity's goal achievement. Development has generated an ever-increasing outsourcing of public services. This places stricter demands on restructuring and rethinking in the administration. Entities that are exposed to competition must keep informed about the market and their competitors. Ways they can handle this type of risk include active planning of strategies that take the competitive situation into account.
Users
One goal of government agencies is to have satisfied customers. Users' requirements and attitudes can constitute a risk for the entity's possibilities of attaining its goals. Strong user groups may affect the entity's activities, for example through attempts to influence political decisions. The entity should have identified its users and the extent to which these users can affect the prioritisation of tasks and their performance. Equal treatment and legal protection are two requirements that users set for government administration. It is therefore important that the entity's management is familiar with the content of these and similar basic principles and that it draws up strategies that adapt administrative procedures and information flow to the needs of the users.
Auditors must assess whether each of these factors is of significance for the entity's goal achievement. After assessing the external factors that can influence this goal achievement, auditors summarise those that are relevant for the subsequent audit process.
The provisions set requirements for the entities' internal management of such areas as authority and responsibility, the management process and establishing internal control. Identifying internal factors provides auditors with grounds for deciding whether the entity is following the defined framework conditions. Auditors must obtain information about internal factors that are relevant for the audit, and must structure it suitably. The information is intended to help them in their identification of risk elements and when considering the management's reaction to risk elements later in the audit process.
Overriding regulations laid down by the Ministry of Finance, 12 December 2003: Regulations for financial management in central government; Provisions for financial management in central govt.
Figure 8 Internal factors in the entity
Implementing procedures for risk assessment is one of the ways auditors can become familiar with how the entity's management carries out mandatory tasks.
The entity's management
The management is responsible for supervising and performing the entity's tasks. Based on goals and performance requirements set by the Storting, the management draws up both one-year and multi-year plans, as well as a risk and materiality assessment that forms the basis for compiling strategies on how the management can handle detected risks that threaten goal and result achievement. The management is also responsible for ensuring that the entity complies with the laws and regulations that apply for its operations.
The management's attitudes and values affect the way in which the entity is run. They also influence the types of risk and how much risk the management accepts.
Auditors must examine:
- whether the entity conducts risk assessments
- whether the entity has a methodological approach
- how often the entity conducts risk assessments
- who takes part in them
- in which parts of the entity the assessments are conducted
- which types of risk are included in the analysis
Organisation
The organisation of the entity influences how the planning, performance and supervision of the tasks are carried out in order to meet the entity's goals and performance requirements. The way in which the management chooses to organise the entity can be influenced by size, form of organisation, complexity, form of affiliation and geographical spread. The organisation can also be affected by whether there are plans for reorganisation, restructuring or deregulation, or whether these processes have been initiated. Auditors must acquire an overview of the entity's size and complexity and of how it is organised and divided, for example into departments, divisions and operational units. This is important in order to decide the most appropriate way auditors can approach and organise the audit. In addition it is important that auditors see how the organisation has created the conditions for internal control activities through the assignment of responsibility and tasks.
The entity's ethical values are based on the management's preferences, assessments and philosophy. These preferences and assessments are transferred to norms of conduct and reflect the management's attitudes to ethical values. If the entity does not follow ethical values, this can lead to undesirable behaviour, which in turn may result in irregularities. Auditors must acquire information about the management's attitudes to ethical values and whether irregularities have occurred in the entity.
Personnel policy
The entity may be vulnerable with regard to key competencies, and must therefore be aware of the expertise that is required in both the short and long term to enable it to perform its primary and secondary tasks. The need for competence affects recruitment, pay policy and training programmes. In general, entities organise their various tasks through job descriptions. Auditors must collect information about the personnel policy.
The entity has information and communication channels that it uses to disseminate and receive information. The management is dependent on having the required information available at the right time as a basis for making its decisions. Many entities are dependent on information technology in their production process or for their delivery of services and are therefore extremely vulnerable when errors or deficiencies arise in the technical systems. Auditors must gather information about the main information and communication systems and must acquire sufficient knowledge about how the IT environment influences financial matters, operations and other functions that are of crucial importance to the entity.
Internal audits
Auditors must find out whether the entity has established an internal audit. It may be appropriate for auditors to acquire information about the plans and reports of such internal audits, and they must decide whether they can use the information in their work, cf. the OAG's auditing standards.
After assessing how internal factors influence the entity's goal achievement, auditors summarise relevant information for the subsequent audit process.
An analysis of this type can include:
- understanding the principles on which the accounts have been compiled, such as accounting principles, chart of accounts, use of codes, subaccounts etc.
- identifying the accounts' main accounting system, subsystems, interface and reconciliation systems, as well as the reports that are used for the management's supervisory activities
- conducting preliminary analytical review procedures
The accounts always constitute a key source of information. The budgets and information about expected results are sources that provide auditors with an overview of the implementation of present and future plans and the financial consequences of such plans. A comparison of data from the budgets and the accounts gives auditors a general view of the operations in terms of the budgets and the goals defined for the entity's activities.
Analyses
The use of analyses, for instance analyses of trends, ratios and business expectations, helps auditors to identify actual or expected changes in the financial information, and thus also actual or expected changes in the entity's performance of its tasks. When auditors conduct a strategic analysis, the budget and previous years' accounting data are available, but the accounting data for the current year is limited.
Definition of a process: A series of activities that the entity has initiated to achieve its goals.
payroll duties, purchasing and storage, submitting the accounts and reporting. When performing an audit of the accounts, the task of the OAG always entails identifying the processes that cover the submission of the accounts and the central government accounts. When ensuring compliance, the task of the OAG always entails auditors inspecting key processes that cover management by objectives and results, and processes that cover the management of subordinate bodies in the ministries. Ministries can be responsible for tasks that are performed by subordinate bodies or other public authorities. To enable auditors to perform an efficient and effective audit, they must therefore identify how the ministry has organised the monitoring of these tasks. Large complex processes can be divided into subprocesses if this is deemed appropriate. Division into subprocesses depends on how the audit is to be organised, the size of the entity, and the complexity of the risk elements involved in the process. When auditors are to decide whether the use of subprocesses is appropriate, they must take the following consequences for the audit into consideration: increased use of resources higher degree of detail possibilities for eliminating risk making the audit too complicated Subprocessses Identifying processes that cover management goal achievement reporting results
Identifying processes represents a very important part of the strategic analysis and forms the basis of an efficient, effective and appropriate audit.
to decide the processes to which they must assign priority during the subsequent audit. Users want to be sure that the entity is fulfilling the social tasks for which it has been assigned responsibility through the allocation decisions. For example, building roads is of major importance to local communities and local politicians. The entity's primary tasks are normally assigned the greatest significance when auditors assess qualitative materiality. However, laws and regulations that govern secondary tasks can be of interest for users, for instance violations of the regulations for public procurement or budget overruns.
Quantitative materiality
The size of the figures involved influences the materiality assessment. Using professional judgement, auditors can set a limit for the size of errors in the figures that can be accepted in the accounts. For small accounts it may prove expedient to set a proportionally higher materiality limit than that set for more extensive accounts. Chapter 4 gives more information on materiality.
Auditors base their identification of risk elements on:
- the information they have gathered about the entity's goals and the internal and external factors
- the analysis of financial information
- the assessment of materiality

Through the risk identification procedure, auditors must also define the management's reaction to the risk elements. At strategic level risk can constitute large-scale changes in framework conditions or unclear formulations of goals for the entity's tasks. Changes in external factors, for instance among users, suppliers or in technological development, may also represent a threat to the entity's goal achievement, as will internal factors such as organisational changes or a high turnover of managers.

The user aspect is of key importance when assessing materiality.
Auditors must investigate whether and how the management reacts for each identified risk element. The most interesting point for auditors is whether the management chooses to accept or to reduce risk. Auditors must find out whether the entity's management is aware of the individual risk elements and has made a decision about the level of risk that can be accepted. Through procedures for risk assessment, auditors collect documentation for the management's assessment of the risk elements. Adequate evidence must be obtained in cases where auditors consider that the management's handling of risk is of such a nature that it results in a possible reduction in the risk level in the subsequent assessment.

When auditors have identified the entity's risk elements and the management's reaction, they must match these against the entity's risk assessment. Assessing risk is one of the items that must be discussed at the meeting between auditors and the management of the entity in question.
Auditors must assume an advisory role to prevent future errors and omissions. They must therefore also assess risk elements that may be activated in the future. Auditors estimate probability as high or low and give reasons for their estimate.
Estimating consequence
When estimating consequence, auditors must assess the impact of a risk element if it is realised. The considerations of materiality already made by auditors are used when assessing the consequence. The overall consequence of several events within a certain period must be used as a basis. Systematic errors are given a higher degree of consequence than individual errors. Efficient and effective emergency plans, back-up plans, the opportunity to relocate production and insurances can reduce the consequences of an event. In this context auditors must assess materiality in relation to both the transaction and decisions made (the dispositions) and the impact on the accounts. Auditors estimate the consequence as high or low and give reasons for their estimate.

Auditors' assessment of risk must be substantiated with audit evidence. It may be sufficient to follow up a risk element with an updating of the audit evidence if the assessment is based on the results of the previous year's audit. It may also be relevant to give a risk element low priority if the entity's plans or measures indicate that the event will not occur or the budgets indicate that the consequences are of minor significance for the accounting period being audited.

Estimating risk can be illustrated by the following diagram:
In the subsequent audit process auditors can give low priority to risk elements that have been assessed at low probability and low consequence. Their assessment and the grounds on which it is based must be documented by audit evidence.
Finally auditors must relate the risk elements to relevant processes (the processes that they have identified earlier in the strategic analysis). Auditors must only conduct process analyses for processes that have risk elements attached to them, and they must ensure that the risk assessment is completely and satisfactorily documented. In some cases auditors may choose not to conduct a process analysis but to handle risk elements directly in the analysis of residual risk. This is appropriate when the process analysis is not effective and suitable, or when the risk element is not attached to any process.
adjust or supplement the preliminary plan as and when auditors gain new and extended knowledge of the entity. The plan must contain information about prioritised processes, organisation, an estimate of resources required and a time schedule for subsequent auditing.
Prioritised processes
It must be clear which processes or parts of processes are to be reviewed in the process analyses. Auditors must make a list of priorities or must indicate the sequence of the work to be performed. Based on the knowledge auditors have acquired through understanding the entity, assessing materiality and assessing risk, they may find it most appropriate to transfer all or parts of the risk that is left directly to the analysis of residual risk. This could, for example, be the case for small entities where it is hardly fitting to base the audit on internal control measures, or when a process analysis is somewhat unfeasible.
Organisation
In cases where the audit assignment concerns a ministry where some of the tasks are administered by entities that are managed by another ministry, auditors must plan the subsequent auditing separately. They must assess how the residual risk for this assignment is to be handled to enable them to draw conclusions. If other assignments are to handle part of the residual risk, this information must be conveyed early enough for it to be considered in the planning of the assignments in question. This is one reason for planning the audit of a ministry at an early stage. In addition, the planning of the audit for a ministry provides input to the joint overall risk analysis/ministry level.

Auditors prepare proposals for how the audit should be organised and for which auditors can be included in the audit team. It may, for instance, be relevant to collaborate with other divisions or departments. If there is a need to bring any special expertise to the audit team, such as the use of IT auditors, this must also be stated.
Auditors must estimate the anticipated need for resources in the form of man-days and travel expenses. The estimate of resources must be kept within realistic limits.
Time schedule
Auditors should also draft a time schedule for completing the audit. In their planning, auditors must distribute the auditing work appropriately throughout the year.
- meeting with the entity to address risk, which includes:
  o written minutes of the meeting with any attachments that have been verified by the entity
- proposal for a plan for the subsequent auditing work, which includes:
  o prioritised processes for the process analysis
  o organisation
  o estimate of resources
  o time schedule

Documentation must be compiled continuously, stored systematically and appropriately, and be readily available to those participating in the audit.
6 Process analysis
PROSIT's navigation tree:

This chapter is intended to give auditors an understanding of how they should conduct a process analysis, the information they must gather and assess, and how they are to document the assessments. In the process analysis auditors conduct a more detailed risk assessment of the processes to which risk elements are attached in the strategic analysis. Auditors must only conduct the analysis for processes that contain risk elements that are to be followed up. The process analysis consists of the following steps:
Assessing materiality
Assessing risk
Figure 10 Steps in the process analysis
contribute to reducing the risk of specific events having a negative impact on the entity. Much of the information about a process can be of interest to auditors, and they must therefore make a systematic collection of information. The information is to be used for a process description that will support auditors in their identification, estimation and evaluation of process risk later in the process analysis. Auditors must collect information about:
- process goals
- process activities
- information flow
- accounting transactions
later in the audit process. Most processes consist of a large number of activities. If auditors' descriptions of process activities are too detailed, the material will soon become extremely comprehensive and will in time be difficult to handle.
Information systems
Auditors must find out which information systems are used in the process and must check the completeness, accuracy and validity of these systems. Those that are directly linked to a financial system and primary tasks in the entity will be important, while others that do not have such associations can often be considered as less important. More detailed requirements regarding functionality in the financial system, including documentation and security, are given in the provisions relating to financial management in the central government.

If the entity uses electronic information systems that have many automatic and mechanical operations, it may often be difficult to assess whether the system secures a complete, accurate, reliable and valid information flow. In many cases these assessments should therefore be made by an IT auditor.
Routine transactions are transactions that follow a fixed system and that occur regularly over a period of time (main salary transactions, rental payments, calculations and automatic payments of demands for dues or taxes, reminders etc.). These are transactions the entity is familiar with, and they are often handled according to fixed and reliable procedures. A single error that may occur among such transactions will seldom in its own right lead to material errors. On the other hand, if the error is due to incorrect handling or inaccurate calculations (for example wrong rates), this may well lead to material errors in the accounts.
Non-routine transactions
Non-routine transactions are related to more unsystematic or irregular events. Such transactions will often also require involving management personnel, particularly when decisions or approvals of the validity of the transaction are required. Among these transactions are non-recurring payments connected to large procurements. Non-routine transactions pose a greater risk of errors than routine transactions since there may not be reliable routines for handling them. Auditors should therefore be aware of whether non-routine transactions are included in the process, and should investigate whether the entity has special follow-up and monitoring for such transactions that can contribute to reducing the risk involved.
Accounting estimates
Accounting estimates are transactions that are based on subjective assessment and that therefore have a high risk of containing errors, e.g. transactions that involve writedowns, provisions or estimates of value. So far, central government accounts contain relatively few such transactions, but the situation may change. If accounting estimates of a certain amount are made, auditors must make themselves familiar with the methods and assessment principles on which the entity has based the calculation, and must ensure that these comply with applicable laws and regulations.
At this stage auditors must identify the risk elements that affect both the process and goal achievement. Below is a list of risk factors that may help auditors to identify process risk. Only some of the factors may be relevant for the process in question. The eight factors are:
- management
- ethics and integrity
- laws and regulations
- technology
- planning and budgeting
- human resources
- operational risk
- information and communication
Management
The management supervises the processes and lays down authorisations, lines of responsibility and reporting routines, including risk assessment and change management. Auditors must be familiar with the management principles in the processes, how they have been established and whether they are followed in the entity. The management's own assessment of risk and how risk is taken into account in the management of the entity provides auditors with crucial information. Lack of leadership increases the risk of unclear process goals and of inefficient and indeterminate use of resources. It also increases the risk of budget overruns and of the allocations not being employed as intended by the Storting.
The management sets ethical values for the entity. Documents that incorporate the values include the entity's visions and strategic plans. In addition there are often ideal values and attitudes that are not stipulated in writing. Auditors should be familiar with such attitudes and values and should investigate whether they are in compliance and agreement with the values of the employees.
If those who are involved in the process lack adequate integrity or display unethical conduct, this will entail a risk for process goal achievement. Auditors should investigate whether there are any indications of lack of integrity, and should consider whether cases have arisen or may arise that cause normally honest individuals to act in a way that generates doubt, for example by committing irregularities.
Most of the entities are subject to a wide range of laws and regulations. Some of these apply to all government agencies while others are only relevant for one or a few entities. The consequences of any entity's non-compliance with laws and regulations can be claims for compensation (for example from suppliers), injunctions and fines. Such lack of compliance can also lead to individual and other decisions being erroneous, which in turn can have serious consequences for the rights and obligations of private persons and enterprises and possibly also for the services these offer. If an entity does not follow the appropriations regulations, this may result in direct errors in the entity's accounts. Auditors must identify the laws and regulations that affect the process and the manner in which the entity ensures compliance with them.
Technology
The processes are designed on the basis of the technological solutions the entity chooses. Some entities decide to use several different IT systems to cope with individual tasks, while others choose solutions that coordinate several processes. The development of Internet solutions can also affect the entity's performance of its tasks, for example by the users themselves carrying out parts of the work for which the entity was previously responsible, such as correcting basic data in income tax returns.

In most cases the use of technology increases the quality of managing transactions. New technology also increases opportunities and reduces the costs of monitoring processes. However, information systems may contain deficiencies or may be too complicated. Systems with manual data input and data controls are normally less reliable than automated solutions.
Using old IT systems may lead to the entity not fulfilling the formal requirements laid down in the financial management regulations for central government. Old IT and accounting systems can also constitute deficient management tools and can cause the management to base decisions on incorrect material. Auditors must be aware of how the entity uses technology in the processes, and must assess how appropriately the technology is used. This includes evaluating whether the entity invests sufficient time and resources in the technological solutions to ensure goal achievement. If necessary auditors must request assistance from a specialist (an IT auditor) to assess risk related to the IT systems in the process.
The process is dependent on being given adequate resources to perform the activities. Insufficient planning and budgeting may lead to an imbalance between the distribution of resources and the needs of the process, which in turn may result in the process not being carried out satisfactorily. Quality problems will presumably also arise. The allocation of resources in letters of allocation along with the objectives of the entity's plans provide auditors with information about the goals the management is to achieve with the planned input of resources. Auditors must also become familiar with the internal resources that have been set aside for the process, and must investigate whether changes have taken place during the accounting period.
Human resources
A well-functioning process is also dependent on the human resources that are associated with its activities and the competence of these employees. The attitudes and motivation of the employees affect quality and productivity in the process. The employees' level of competence must be adapted to the work tasks involved in the process. The entity must provide employees with sufficient training to enable them to perform their assignments successfully. The labour market situation has a critical impact on whether the entity can recruit staff with satisfactory competence. Auditors must assess whether, and if relevant how, fluctuations in the labour market affect the human resources available for the process.
Turnover of personnel, particularly key staff, may lead to a higher risk of errors in the process activities. Lack of personnel or competence can result in some activities in the process not being carried out or being performed deficiently, or in control activities not being initiated as intended. It may also lead to a total cessation of the process and to the management not receiving the necessary information in time.
Operational risk
This risk factor includes an assessment of risk related to the performance of the activities in the process, i.e. risk that covers aspects such as quality, customer satisfaction, time taken to perform the activities, capacity, limitations, operational stoppage and interface with other processes. For instance, lack of goods or spare parts in stock may result in a stoppage. The operational risk is influenced by management, ethics, laws and regulations, technology, planning and budgeting, and human resources, in other words all the categories mentioned above.
Well-functioning communication and a good flow of information in the entity form the basis of all the strategies and processes within the entity. A shortage of accurate and reliable information will make it difficult to continuously follow up the results within the process and to take remedial measures. There is therefore a risk of decisions being taken on the wrong basis and of the process goals not being attained. Erroneous information can result in direct errors in the accounts, for example if all the basic data from a payroll system is not correctly transferred to the accounting system. Auditors must be aware of the systems and routines that are used in the process to convey information, a particularly important aspect being the reliable management of transactions in the process.
It is important for auditors to identify the risk elements that threaten the process's goal achievement and that are relevant for the audit. Auditors must link all identified risk elements to assertions. Some risk elements are obvious, while others are difficult to foresee. Auditors must determine the appropriate level of detail for the risk elements in order to conduct an efficient, effective and goal-oriented audit.
6.4.1.2 Identifying control activities

Identifying risk:
- risk elements
- control activities
- management's monitoring of control activities

In this context auditors identify the control activities the entity has established to reduce the risk in the process. Auditors may already have carried out this work when identifying the risk elements in the process.

When the management chooses to reduce the risk, it must find control activities that provide satisfactory risk management. These include action plans and routines that safeguard the performance of the process activities and that are established as a result of the risk assessments conducted. Control activities can be found at all levels in the entity, within both management and operations. Many of the control activities in strategic processes actively involve the management through various supervisory tasks and through the monitoring of external and internal factors. Many of the control activities in operational processes will be associated with the documentation, archiving, approval and safeguarding of assets.

Auditors must identify the control activities that are relevant to the audit. Control activities will in general be aimed at one risk element but may also contribute to reducing the risk involved in several elements. In some cases a number of control activities may be aimed at the same risk element, and in such cases it is seldom necessary to gain an understanding of all the control activities.

There are several types of control activities that an organisation can use to minimise process risk. These include:
- reviews of performance and efforts
- controls integrated into the course of the process
- physical safeguarding
- segregation of duties and functions
The management must make reviews of performance and efforts in order to ensure that the work in the process is actually carried out and is of the right quality. An IT environment will often contribute to this task by producing different types of reports and logs that assist the management.
Controls that deal with aspects such as authorisations and reconciliations are normally incorporated into a process. These controls are intended to ensure that the process functions in an overall perspective, for example that descriptions of routines have been compiled or that the necessary activities have been carried out. In a procurement process in which goods are received, relevant control activities can be checking goods received against the order (type of goods, price and number/amount) and checking the invoice against the goods received.

The current use of information systems often involves automated or IT-dependent controls rather than manual controls. These are divided into two groups: general controls and application controls.

General controls apply to all information systems. They are intended to secure data integrity and data safety and thereby functioning application controls. General controls include monitoring IT management, infrastructure and procurements as well as the maintenance of software, access controls and emergency plans.

Application controls can be programmed or IT-dependent controls that occur generally in processes. Application controls are intended to ensure that information is correct and is processed at the right time, and that transactions are only handled once. Examples of application controls are validity controls that ensure that figures are within given limits, or automated reconciliations on erroneous reporting.
Physical safeguarding
The entity must safeguard assets and sensitive information in a satisfactory way. In the case of information, this applies to both manual documents and IT systems. Closed doors and locked documentation can often be circumvented by inadequate logical controls in IT environments. Logical access restrictions are therefore equally as important as physical restrictions.
The entity must segregate duties adequately. Among other things this will prevent irregularities. Ensuring that several persons have the same area of work may also have a risk-reducing effect. It is not normally desirable to have the same person performing all the tasks in a process. For instance the same person should not order goods, endorse invoices, register invoices and authorise payment files. Requirements for satisfactory segregation of duties apply to both the processes that largely consist of manual routines and those that are IT-based.
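The segregation of duties described above can be tested against system records. The following check is an added illustration and not part of the guidelines: the log layout, the duty names, the user names and the limit of one duty per person per purchase are assumptions, and all sample data is constructed. It reports duties actually combined by one person, purchases where a duty has no recorded performer, and users whose logical access rights would allow a combination even if they have not used it.

```python
import csv
import io
from collections import defaultdict

# The four procurement duties named in the text (identifiers are assumptions).
DUTIES = ("order", "endorse", "register", "authorise_payment")

# Constructed sample action log: one row per action taken on a purchase.
SAMPLE_LOG = """\
purchase_id,duty,user
P-1001,order,anna
P-1001,endorse,bjorn
P-1001,register,carl
P-1001,authorise_payment,dina
P-1002,order,erik
P-1002,endorse,erik
P-1002,register,carl
P-1002,authorise_payment,dina
P-1003,order,frida
P-1003,endorse,frida
P-1003,register,frida
P-1003,authorise_payment,frida
P-1004,order,anna
P-1004,register,carl
"""

# Constructed access-rights extract: duties each user is able to perform.
SAMPLE_RIGHTS = {
    "anna": {"order"},
    "bjorn": {"endorse"},
    "carl": {"register", "authorise_payment"},
    "dina": {"authorise_payment"},
    "erik": {"order", "endorse"},
    "frida": set(DUTIES),
}


def parse_log(text):
    """Return {purchase_id: {duty: set(users)}}; unknown duties are rejected."""
    chains = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        duty = row["duty"].strip()
        if duty not in DUTIES:
            raise ValueError(f"unknown duty {duty!r} on {row['purchase_id']}")
        user = row["user"].strip().lower()
        chains[row["purchase_id"].strip()][duty].add(user)
    return chains


def actual_conflicts(chains, max_duties_per_person=1):
    """Users who performed more duties on one purchase than the limit allows.

    The default limit of one duty per person is an assumption; the text's own
    example is the extreme case of one person performing all four.
    """
    findings = []
    for purchase_id in sorted(chains):
        per_user = defaultdict(set)
        for duty, users in chains[purchase_id].items():
            for user in users:
                per_user[user].add(duty)
        for user in sorted(per_user):
            if len(per_user[user]) > max_duties_per_person:
                held = sorted(per_user[user], key=DUTIES.index)
                findings.append((purchase_id, user, held))
    return findings


def incomplete_chains(chains):
    """Purchases where a duty has no recorded performer (control not evidenced)."""
    result = {}
    for purchase_id in sorted(chains):
        missing = [d for d in DUTIES if d not in chains[purchase_id]]
        if missing:
            result[purchase_id] = missing
    return result


def potential_conflicts(rights, max_duties_per_person=1):
    """Users whose access rights permit a combination, whether used or not."""
    result = {}
    for user in sorted(rights):
        held = rights[user] & set(DUTIES)
        if len(held) > max_duties_per_person:
            result[user] = sorted(held, key=DUTIES.index)
    return result


if __name__ == "__main__":
    chains = parse_log(SAMPLE_LOG)
    for pid, user, duties in actual_conflicts(chains):
        print(f"{pid}: {user} performed {', '.join(duties)}")
    for pid, missing in incomplete_chains(chains).items():
        print(f"{pid}: no performer recorded for {', '.join(missing)}")
    for user, duties in potential_conflicts(SAMPLE_RIGHTS).items():
        print(f"{user} has rights to {', '.join(duties)}")
```

Comparing the actual and potential results separates a weakness in logical access (rights that permit a combination) from evidence that the combination was exercised.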
Preventive controls are intended to prevent the occurrence of errors or undesired events. These can be controls that are integrated into a mechanical system or manual controls, for example the segregation of duties and functions.

Detective controls are designed to give the management notification of errors or problems as they arise or immediately afterwards. Detective controls can be integrated mechanical controls, physical controls, or manual controls in the form of manual reconciliations.

Corrective controls are used together with detective controls and neutralise the consequences of undesired events. Corrective controls can be mechanical controls or manual actions such as correcting errors.

Control activities will in general be aimed at one risk element but may also contribute to reducing the risk involved in several risk elements. In some cases a number of control activities can be aimed at the same risk element. Auditors must identify the control activities the entity has established to reduce the probability of the risk elements being activated. The control activities can also reduce the consequence if the risk elements are actually realised. Reconciliations and continuous performance reporting can result in an error being corrected before it has large-scale consequences. Continuous comparisons of the budget with the accounts provide the opportunity of avoiding large budget overruns.

6.4.1.3 Management's monitoring of control activities

Identifying risk:
- risk elements
- control activities
- management's monitoring of control activities
The management must ensure that the risk management functions as intended. The monitoring can take place continuously or as retrospective supervision, and can take the form of:
- monitoring ongoing activities
- periodic reviews and evaluations of the performance of the activities
- assessment of the internal audit

For instance, the management may discover non-compliance with expected results and may attempt to find the cause of the variance. If required it can intervene in the process, take remedial measures and inform the top management or the supervisory ministry. Documentation of procedures such as cash audits and stock-taking or bank reconciliations can give the management information as to whether the control activities have been carried out as intended.
The management can initiate evaluations, for example of large investments. Such evaluation can be made by employees within the entity or by external consultants. The internal audit can investigate the use of external consultants in the entity or the development of salary expenses over time. It can assess the causes and can propose measures.

Auditors must identify any measures relevant to the audit that have been initiated by the management to monitor the control activities. The monitoring must be based on reliable and relevant information, must be carried out systematically and regularly, and must be satisfactorily documented. The management's follow-up must also include an evaluation of variances that result in the initiation of remedial measures when required.
6.4.2.1 Estimating the risk level for the individual risk element independently of established control activities (inherent risk)

In this first phase auditors must estimate the probability of the risk being realised and the effect of the risk element on goal achievement (consequence). Auditors should only estimate the risk level of the risk elements that are independent of established control activities.

Estimating probability
Auditors must estimate the probability of the risk element being realised and, in that event, the time perspective involved. The higher the probability of the risk element being activated immediately or within the accounting period in question, the higher the probability assessment of the risk element must be set.
Estimating consequence
When estimating consequence auditors must assess the significance of the risk element being realised. They must assess the consequence in relation to the materiality considerations that were made earlier in the audit process. For example an error in a single salary payment has low consequence, but an error in the salary calculations can lead to higher consequence.

The risk evaluation gives four possible combinations of low and high. Estimating the risk element's probability and consequence can be illustrated by this figure:
[Figure: matrix with consequence on the vertical axis and probability on the horizontal axis, each running from low to high, with the risk elements plotted in it]

Figure 11 Risk level for identified risk elements without established control measures (inherent risk)

The figure shows an example of estimating risk with four risk elements. One of the risk elements, Re 2, has been set at low probability and low consequence. Another of the risk elements, Re 3, has been set at high probability and low consequence, and another, Re 5, has been set at low probability and high consequence. The two final risk elements, Re 1 and Re 4, have been set at high probability and high consequence.
6.4.2.2
Auditors must assess whether the established control activities in the process contribute to reducing the risk elements' probability and/or consequence. This includes assessing the efficiency and effectiveness of the internal control system with regard to preventing risk (preventive controls) and detecting risk (detective controls). Auditors must consider the general assessment of internal control conducted in the strategic analysis. The control activities at process level can be aimed towards special risk elements in the process or may be of a more general nature.

If auditors consider that a control activity reduces one or more risk elements, they can choose to base their work on this, thus reducing the scope of audit procedures later in the audit process. In such cases auditors must procure evidence to substantiate that the control activities are functioning. Procedures conducted for risk assessment will normally not provide sufficient evidence alone, and auditors must therefore carry out relevant tests of controls. Auditors must procure evidence to show that the control activities function as intended.
In cases where auditors assess the impact of established internal controls to be so low that it is inappropriate to use them as a basis for subsequent auditing, they must transfer the risk elements directly to the analysis of residual risk. There may also be risk elements of such a nature that the consequence of errors will always be high. In this event it is not appropriate to conduct tests on the internal control system since auditors must in any case carry out substantive tests. This may for instance occur in relation to the submission of the accounts and the reporting.
6.4.2.3 Estimating the risk level for the individual risk element with the impact of established control activities (control risk)
Auditors must assess whether the established control activities in the process contribute to reducing the risk element's probability and/or consequence. Auditors must therefore estimate the probability and consequence when they consider the impact of the control activities.
[Figure: risk matrix with the axes Consequence (low to high) and Probability (low to high). Legend: Re x = risk element; arrows = effect of control activities; residual risk.]
Figure 12 Effect of established control activities (control risk)
The figure above shows the impact of risk-reducing measures that are considered to be functioning. The figure shows that in our example the control activities that are linked to the risk elements Re 1, Re 3 and Re 5 are assessed as having a risk-reducing effect that is marked with arrows. For risk elements Re 1 and Re 3, both probability and consequence are set at low as a result of the effect of risk-reducing measures. Risk element Re 4 has been assessed as not having risk-reducing measures, and is left with high probability and high consequence.
The risk evaluation gives four possible combinations, as in 6.4.2.1 on page 80. Auditors must document their assessment of probability and consequence for each individual risk element with the impact of established control measures.
The final step in the process analysis consists of auditors assessing the extent to which there are still risk elements with residual risk that must be followed up by further audit procedures. Risk elements that have been assessed as having low probability and low consequence are eliminated and can be ignored in the subsequent audit process. Audit evidence must be provided for this risk assessment.
Risk elements that have been assessed as having high probability and high consequence cannot be eliminated and must always be the object of further auditing.
Combination high/low
Auditors must perform a concluding and summarising evaluation for risk elements that fall into the group high probability and low consequence or low probability and high consequence to determine whether the risk elements can be eliminated or whether they must be followed up by further audit procedures. Auditors must give reasons for their decision, and if the outcome is low/low, this must be documented with audit evidence. If internal control cannot be regarded as significant and the risk is high, auditors must procure comprehensive audit evidence in the form of substantive tests.
audit provides adequate support to the audit objectives so that further procedures are unnecessary. The audit risk model is used for auditors' analysis of residual risk. More details of the model are given in Chapter 4.
Audit risk model: AR = IR * CR * DR
There is a certain risk of auditors drawing incorrect conclusions. Risk can arise either when auditors conclude that the accounts or dispositions do contain material errors when in fact they do not, or when auditors conclude that the accounts or the dispositions do not contain material errors when they actually do. The risk of auditors drawing incorrect conclusions is termed audit risk. Through the strategic analysis and process analyses auditors have gathered and assessed relevant information to enable them to assess the risk factors in the entity. In the model these factors are inherent risk and control risk.
Detective risk
Detective risk is the auditors' management variable, i.e. auditors must adapt method and scope to make audit risk acceptable. There is always a certain detective risk, and the more thoroughly the accounts and the dispositions are investigated, the smaller is the risk of auditors drawing the wrong conclusion. However, auditors must conduct a cost-benefit analysis as a basis for planning the audit.
Analysis of residual risk consists of the following steps:
Several aspects play a role when determining what are appropriate and suitable audit objectives for an assertion. To formulate audit objectives, auditors must take various factors into account, e.g. the entity's size and complexity, the tasks assigned to the entity and how the entity is organised. For minor assignments it may often be sufficient to set few and more general audit objectives for the assertions, while for large-scale assignments more specific audit objectives should be defined. Auditors must identify the factors that are of importance for determining whether the various assertions are met. They must also decide which audit objectives are appropriate for ensuring a balanced basis for drawing conclusions.
Examples of audit objectives:
Assertion: Dispositions in accordance with laws and regulations (REG)
Example 1:
1 All determinations of duty and special dues comply with the Customs Act and accompanying regulations.
2 All national insurance payments comply with the National Insurance Act and accompanying regulations.
3 All purchasing is made in compliance with the procurement regulations.
4 All overtime payments are in line with the Working Environment Act.
Reg 3
Com 3
2 All tax revenues are completely recorded.
3 All charges are completely defined, recovered and recorded.
4 All annual vehicle duties have been collected.
To ensure that the audit is conducted efficiently and effectively, all residual risk should initially be handled collectively for the assignment, irrespective of how the risk element emerges. Risk elements identified at different points in the audit process can be concurrent and can perhaps be covered by the same audit procedure. A collective assessment and handling of residual risk provides the opportunity for a flexible structuring of the remaining work and will help auditors to plan more efficiently. In practice this means that all the process analyses should be completed before auditors identify remaining audit procedures in the analysis of residual risk and decide how the subsequent auditing work is to be conducted. Residual risk can be of varying importance for auditors' conclusions. Risk elements that are concurrent for several processes will often have greater importance than a single risk element. Risk elements that indicate a system error normally have greater importance than those that indicate single errors. Auditors must take into consideration the presumed importance the risk elements have for the conclusions, thus ensuring that sufficient evidence is procured for risk that is of great significance for the conclusions. Previous assessments of qualitative and quantitative materiality are important for the assessment.
As previously mentioned, auditors can choose to transfer risk elements directly from the strategic analysis to the analysis of residual risk without first handling the risk element in a process analysis. This will most often be relevant for small entities where it may be difficult for auditors to base their audit on any assurance from internal control. In these entities, tests of controls can have limited value, for example because there is no satisfactory segregation of duties and functions, or because few control activities have been established. In such cases it can be more expedient, efficient and effective to obtain evidence directly through substantive tests.
If auditors conduct tests of controls or substantive tests that do not cover the entire accounting period or the final date, they must decide which other audit procedures must be implemented on the submitted accounts to enable them to apply previously procured evidence from the date of the test to the end of the accounting period. Auditors must specifically consider whether they can base the auditing on previously procured audit evidence from strategic analysis and process analysis, or whether other factors have arisen that change the perception of risk and preclude applying the evidence to the submitted accounts.
Obligatory procedures
Irrespective of the assessed risk, auditors must compile and conduct tests to ensure that the entity's financial statements and its reporting to the central government accounts are in accordance with the subsidiary accounting material. In this context auditors have the opportunity to ensure that their auditing covers the entity's management, goal achievement and reporting, cf. the OAG's template and internal routines for compiling Document no. 1. Furthermore, auditors must monitor the posting of main entries and any adjustments that have been made during the compilation of the annual accounts. These audit procedures are termed obligatory procedures and are essential tests that must be conducted satisfactorily irrespective of risk.
Risk of irregularities
Auditors must assign priority to residual risk that is related to irregularities, and must follow up risk elements with suitable audit procedures in order to obtain reliable evidence.
Auditors must decide on the scope of the audit for each audit procedure. The decision about the scope, for example the size of the sample or the number of observations, is based on the level of detective risk that is required to fulfil the stated audit risk: the lower the detective risk, the greater the scope of the audit. When developing audit procedures, auditors must decide on the sampling method. The various methods for sample-based auditing include:
- sampling of all units (100 per cent testing)
- sampling of selected units
- representative testing
- multi-stage sampling
Sampling of all units (100 per cent testing) is appropriate in cases where there are few transactions and where checking all the transactions constitutes the most effective procedure. Auditors often determine the scope of audit procedures for sampling particular units by using professional judgement according to an assessment of materiality, the evaluated risk and the degree of assurance they plan to achieve. Representative testing presupposes a normal use of statistical methods, but by selecting larger samples auditors can also attain the same assurance without statistical methods. Program packages such as IDEA can be used to calculate the scope and the level of assurance, to select samples or to evaluate findings. Multi-stage sampling is used when the total samples are selected in various stages, for example auditors may first select an operational unit and then select the sample. The choice of method and the determination of the sizes of the sampling is a comprehensive matter that is widely discussed in theoretical material and textbooks. We refer to such literature for a more thorough explanation.
Stated time
The stated time refers to the period or to the date for which the audit evidence applies.
Auditors must group the procedures according to the audit objectives to ensure that all the audit objectives are adequately covered by procedures. If it transpires that there are neither procedures nor sufficient previously procured audit evidence to cover relevant audit objectives, auditors must formulate procedures that ensure the acquisition of supplementary evidence.
Organisation
The plan must describe how the remaining auditing is to be organised and which auditors are to be included in the audit team. If it proves necessary to collaborate with other divisions and departments or to use special skills in the audit team, this must be stated.
Auditors must estimate the need for resources in the form of man-days and travel expenses. The estimate is based on the limits approved by the division manager, cf. 5.5 Planning further auditing.
Time schedule
Auditors must consider on which date or in which time period it would be most efficient to perform the audit. This can depend on factors such as the information that is available on various dates, for example with regard to the submission of accounts or the reporting routines in the administrative procedures. Auditors should provide an outline of when the audit programmes are to be conducted. When planning the schedule they must arrange a suitable distribution of the auditing work throughout the year so that it can be concluded in good time for the reporting. Auditors must also take into consideration that the result of the audit will be communicated to both the entity and the supervisory ministry before the work is concluded.
The plan for the remaining auditing must be quality assured. If the plan contains any significant noncompliance compared with the previously approved plan, this must be clarified with the division manager.
Auditors record the findings in working papers. These papers must be adequate but should not be so comprehensive and detailed as to obscure important information. Extensive auditing with substantial documentation requires auditors to organise their working papers well. The documentation must also allow subsequent quality assurance and approval. Auditors must compile working papers that along with the procured evidence document the outcome of the audit procedures that have been conducted. The working papers should also indicate who has performed the audit and when it was carried out, as well as whether all the planned audit procedures were implemented according to the programme. Auditors must give grounds for any non-compliance with the programme and must indicate the consequence this may have for audit risk.
Indications of irregularity
Auditors cannot simply presume that indications of irregularity, errors or omissions are non-recurring. They must decide whether and possibly how these affect the risk and materiality assessments on which the audit is based. In the event of indications of irregularity, auditors must consider whether such irregularity can be of significance for the assessment of other internal control activities. They must also assess whether the indication of irregularity concerns persons who are involved in other internal control activities. If this is the case and auditors have acquired assurances from these, they must consider whether such assurances can still be utilised. Indications of irregularity, errors or omissions can result in auditors being obliged to implement more audit procedures.
8 Conclusions
[Figure: PROSIT's navigation tree]
This chapter is intended to give auditors an understanding of how they are to conclude the performed audit. Once all the audit procedures have been conducted and the evidence has been organised and the work documented, auditors draw their conclusions. Conclusions must be drawn for audit objectives, then assertions and finally for the total assignment. The conclusions are based on the audit evidence from strategic analysis, process analysis and analysis of residual risk. To reach a conclusion, auditors assess all relevant audit evidence, irrespective of whether this confirms or contradicts the assertions related to the accounts or the dispositions. The conclusion phase consists of the following steps:
8.6 Documentation
Auditors must document the information that is of significance for the conclusions. As a minimum, documentation from conclusions must include:
- conclusion for audit objectives with reasons
- conclusion for assertions with reasons
- conclusion for the entity with reasons
Documentation must be compiled continuously, be stored systematically and appropriately, and be readily available to those participating in the audit.
9 Reporting
This chapter is intended to give auditors an understanding of how the OAG reports the result of performed audits to the entities, the ministries and the Storting.
Concluding audit letters are not sent for the ministries' financial statements. Those to the entities must be sent by 1 July with a copy to the supervisory ministry. If the letter cannot be sent by the deadline, the entity must be notified by 1 July that the concluding audit letter will arrive later, and at the latest by the end of August. An overview of the written communication that has taken place between the OAG and the entity during the audit year must be attached to the letter.
More detailed information on compiling this letter is given in the OAG's guidelines and template for the concluding audit letter.
The report must also incorporate any special comments on the budget and accounts such as deficient information in the budget documents, errors and omissions in the central government accounts submitted, errors and omissions in the explanations, and whether the consumption of resources in the budget implementation process has been exceeded or kept to the ascribed limit.
If the audit has detected any material deficiency in the ministry's management, goal achievement and performance reporting, this must be stated in the report. This can include an assessment of the ministry's management and supervision of subordinate bodies, e.g. the ministerial responsibility for ensuring that all entities have satisfactory internal control so that defined goals and performance requirements can be attained, and whether the use of resources is efficient and effective and the entity is run in compliance with current laws and regulations.
An account must also be given for entities that have received a concluding audit letter that contains comments either as a separate matter or as part of the information on the individual ministry.
The OAG's document containing templates and describing internal routines for reporting to the Storting about the OAG's annual audits and monitoring activities (Document no. 1) gives more details of the information that is included in the OAG's reporting to the Storting.
9.3 Documentation
The OAG must document the reporting in the form of:
- a concluding audit letter to the entity with (if appropriate) accompanying audit communication
- reporting to the Storting with accompanying audit communication
Documentation must be compiled continuously, be stored systematically and appropriately, and be readily available to those participating in the audit. When storing and filing documentation connected to the reporting to the Storting, the OAG's administrative rules must be followed.
10 Documentation
10.1 Documentation
The OAG's standards relating to documentation state:
25 Auditors shall document matters that serve to support the Office of the Auditor General's internal and external reports. Documentation also constitutes evidence that the audit has been carried out in accordance with best auditing practices in the Office of the Auditor General.
26 The scope and content of the documentation shall be sufficiently adequate and detailed to allow full comprehension of completed audits and the conclusions drawn on the basis of procured audit evidence. All audits shall be documented in accordance with applicable guidelines.
27 Routines shall be implemented to ensure that the documentation is appropriately handled and stored and is filed for a period that is both sufficient to meet the needs of the Office of the Auditor General and is in accordance with regulations and statutory requirements. All audit documentation is the property of the Office of the Auditor General.
Auditors must document the material content of the audit. INTOSAI's standard relating to audit evidence states that the documentation must:
- confirm and support the auditors' opinions and reports (comments)
- increase the efficiency and effectiveness of the audit
- serve as a source of information for preparing reports or answering any enquiries from the audited entity or from any other party
- serve as evidence of the auditors' compliance with Auditing Standards
- facilitate planning and supervision
- help the auditors' professional development
- help to ensure that delegated work has been satisfactorily performed
- provide evidence of work done for future reference
Auditors' working papers must give information about the assessments of risk and materiality, the planning of the auditing work with a description of the audit procedures that are to be conducted, and the scope of these procedures. The working papers must document performed audit procedures with a description of the scope of the control, selection criteria, date of their performance and the findings that have been made. In their working papers auditors must summarise in an appropriate manner the findings and results that have emerged during the audit process and must draw the necessary conclusions. The working papers must contain all the material aspects that require auditors to use their professional judgement, as well as auditors' conclusions concerning these aspects. Auditors must date and sign their working papers and must ensure that they are stored systematically. Working papers are normally input as attachments in PROSIT and stored electronically.
The working papers must be dated and signed by the auditor who is conducting the audit. The signature will then testify who has carried out the audit, made the assessments and drawn the conclusions. The dating must indicate when such actions were carried out since the date may have significance for subsequent assessments and conclusions, particularly if substantial changes are made after the work was performed but before the accounts were submitted. In such situations auditors cannot base their conclusions on previously performed auditing activities without first verifying that they are still valid.
Indexing
All documentation must be indexed. The index system must be logical and as self-explanatory as possible, and must give each individual document a unique identifier. The system must also be flexible so that it is easy to insert new documents. Indexing must be structured in a manner that enables the assignment, entity, or accounting year to be identified, and must if appropriate refer to the relevant procedure or process. In addition, cross-references must be made between the information in the various working papers. These cross-references are intended to ensure a continuous two-way audit trail between the planning, the performance and the summary or conclusion of the work.
When the audit or parts of the audit are concluded, the documentation is sealed by a table of contents that is dated and signed. The table of contents must also show whether working papers or source material have been extracted, supplemented or changed afterwards. The sealed table of contents must not be changed. However, if any new information is added, any changes must be clearly indicated. The table of contents is stored electronically in PROSIT.
It is not necessary and often not appropriate to store all the source material as part of the documentation. For material whose storage is the responsibility of others than auditors, either within or outside the OAG, it is sufficient to indicate in the table of contents where such material can be found.
11 Quality assurance
The OAG's standard relating to quality assurance states:
28 Divisions and departments shall carry out quality assurance work that usefully serves the individual audit tasks and their performance.
The main goal of quality assurance is to ensure that the work performed is of the necessary and adequate quality. The audit must be conducted in compliance with principles for best auditing practice in the OAG, cf. page 1 of the Auditing Standards for the Office of the Auditor General. The term quality assurance is understood to cover any action that has the purpose of ensuring that the audit assignment is performed in compliance with best auditing practice. The guidelines for financial auditing will represent a major component of the quality assurance. The audit must be a planned, systematic and documented review of the audited entity to ensure compliance with specified requirements, instructions and rules. The audit must be professionally satisfactory, efficient and effective. Requirements must therefore be set for planning, performance, reporting and documentation. Auditors' working papers must be fair, precise, constructive and relevant. The quality of the working papers and the audit communication is of prime importance. Due care and attention must therefore be ascribed to the audit process. This applies not only to the written material, but also to the guidelines auditors give when supplying direct competence through discussions, their participation in improvements etc. The quality assurance will assign priority to making quality an inherent part of each stage in the audit. The point of departure is that quality is primarily created through the audit process.
attention is given to the audit process and to the reports and the matters that are addressed is a managerial responsibility. There must be a continuous collaboration between auditors and management, which in turn requires managers to have knowledge of the audit process and also to participate actively in the planning of the auditing tasks. The departments are responsible for coordinating and quality assuring departmental matters vis-à-vis the Board of Auditors General, and for checking that applicable methodology is followed. The division manager is responsible for organising, quality assuring and approving the work in compliance with relevant standards and guidelines. This is indicated in PROSIT by the division manager being termed approver. The division manager can utilise an expert coordinator for quality assurance throughout the audit process. This does not alter the responsibility ascribed to the division manager for the quality assurance of the audit process. To attain defined goals it is necessary to develop and implement routines for quality assurance.
Appendix I
[Table: the information criteria (Goal orientation; Efficiency/Effectiveness; Confidentiality; Integrity; Availability; Compliance; Reliability) set against the assertions (Dispositions comply with laws and regulations; Dispositions are acceptable in the light of norms and standards for financial management in the central government; Correct measurement; Correct valuation; Completeness; Ownership; Existence; Validity).]
13 Appendix II Glossary of terms
Activities
Activities including control activities are procedures an entity has initiated to enable it to perform its tasks successfully.
Planning and conducting audit procedures to test whether the management's assertions relating to the submission of the accounts and their accompanying dispositions are correct. The purpose of residual risk is:
- to conduct a risk-based, efficient and effective audit
- to plan and implement further audit procedures in order to test the management's assertions
- to procure appropriate and sufficient audit evidence to enable conclusions to be reached regarding the management's assertions and the audit objectives.
Analytical review procedures - risk assessment
Analytical review procedures such as procedures for risk assessment develop expectations about possible correlations that can reasonably be expected to exist.
Analytical review procedures - substantive tests
Analytical review procedures such as substantive tests are review procedures that assess variance and reasonableness in the available information by comparisons, the use of ratios etc.
Application controls
Application controls can be programmed or IT-dependent controls that occur generally in processes. Application controls are intended to ensure that information is correct and is processed at the right time, and that the transactions are only handled once, for example validity controls that ensure that figures are within given limits, or automated reconciliations on erroneous reporting.
Working papers
Working papers are material compiled by auditors or the OAG, and along with source material they constitute the auditors' documentation. Working papers indicate what the auditors' planning of the auditing has been based on, the date of the performance of the audit, the scope of the audit procedures conducted, the results of the audit, the grounds for auditors' assessments and their professional judgement, and the conclusions that have been drawn. Working papers can be compiled on paper or on electronic media.
Concluding audit letter
See reporting to the entity.
Audit objectives
Audit objectives represent a closer specification of the assertions and should help to ensure that auditors' subsequent work is goal-oriented. Auditors must break down the assertions into one or more appropriate audit objectives that are to describe the quality that the accounts and their accompanying dispositions are to have at the time of reporting.
Subprocess
Large complex processes can be divided into subprocesses if this is deemed appropriate. Division into subprocesses depends on how the audit is to be organised, the size and complexity of the entity and the risk elements involved in the process.
Detailed audit procedures are a type of substantive test. Auditors check the accounts information directly by examining certain transactions, documents or assets. There are four types of detailed audit procedures:
- inspection
- observation
- control calculations
- enquiries/confirmations
Documentation
Documentation of the audit consists of two parts: working papers and source material. The documentation can be compiled and stored on paper, film, and electronic or other media. The main purposes of documentation are to support the audit objectives and conclusions as well as the reporting made to both the Storting and the entity (the concluding audit letter), and to form the basis for subsequent years' audits.
External factors
These are factors outside the entity that can affect the entity's ability to achieve its goals. External factors include users, competitors, political decisions and technology.
Ethical values in the entity
The entity's ethical values are based on the management's preferences, value assessments and philosophy. These preferences and value assessments are transferred to norms of conduct and reflect the management's attitudes to ethical values.
Pertaining regulations
Regulations (found in legislation, parliamentary decisions, guidelines, individual decisions etc. and in policy dialogues with the supervisory ministry and each individual entity) that identify how the entity's primary tasks are to be carried out and that define the performance requirements that have been set to resolve the tasks, e.g. the Taxation Act, the VAT Act etc. with accompanying regulations and annual resolutions, the National Insurance Act with accompanying provisions.
Errors
Errors are distinguished from irregularities by the fact that the underlying action has been carried out unintentionally.
Enquiries / confirmations
Monitoring activities involving auditors procuring information from persons within or outside the entity. This is done in writing or verbally. If it is done verbally, auditors must document this information by noting down in a working paper what has emerged from the conversation, for example bank statements and confirmations of balances.
Ratio analyses
Methods that show correlations between various financial information and that are particularly useful in cases where ratios can be calculated for a sufficient number of years to enable the development in the financial information to be viewed and evaluated.
Analyses of business expectations
Analyses that involve utilising calculations or a series of calculations for forecasting expectations regarding future financial information on the basis of current financial data.
General (IT) controls
Controls that apply for all information systems. They are intended to secure data integrity, data safety and thereby functioning application controls. The controls include monitoring IT management, infrastructure and procurements as well as the maintenance of software, access controls and emergency plans.
General regulations
Regulations that contain provisions that all government agencies must follow. General regulations are established to ensure a uniform, open and documented budget and accounting process and uniform government personnel administration. For most entities this will be related to secondary tasks or support functions for the performance of their tasks.
The remaining audit procedures are the outcome of the auditors' risk analysis, the need to convey previously procured evidence to the end of the accounting period, and obligatory procedures related to the submission of the accounts and their accompanying dispositions including reporting to the central government accounts.
Residual risk
Residual risk is the risk which on completion of strategic analysis and process analysis is still assessed as being so probable and/or to have such high consequence that it must be followed up by audit procedures in the subsequent audit process.
See reporting to the Storting.
Inherent risk is the probability that in the financial information and in the entity in general there are dispositions that cannot be accepted, or errors and omissions that are material either in their own right or when aggregated when any possible internal control measures are ignored.
Non-routine transactions
Transactions that are related to more unsystematic or irregular events. Such transactions will often also require involving management personnel, particularly when decisions or approvals of the validity of the transaction are required.
Information that flows in, through and out of the process.
A continuous process intended to help auditors to identify and understand both events that affect the entity at strategic level and the entitys internal processes.
An information system constitutes routines that handle the information that flows in, through and out of processes in the entity. Information systems can be manual or electronic, and they can include financial systems or administrative systems. More detailed functionality requirements for financial systems including documentation and security are given in the regulations concerning financial management in central government.
Inspection
Inspections involve the auditors themselves checking the financial information, transactions and documents (voucher tests) or assets (physical tests) to ensure that the information is correct when compared with the submitted assertions about the accounts and the dispositions on which they are based.
Internal control
Internal control constitutes measures that have been initiated and implemented by the entity's Board, management and employees and that have been designed to provide reasonable assurance of goal achievement. Goal achievement can therefore be found within the following areas:
- strategic goals that support the entity's purpose
- goal-oriented and cost-efficient operations
- reliable external reporting of the accounts
- compliance with applicable laws and regulations
Internal factors
Factors or conditions within the entity that can affect the entity's ability to achieve its goals. Internal factors include organisation, the entity's management and risk management, information and communication.
Internal audit
An internal audit is an independent, objective confirmation and advisory function. Its purpose is to supply added value and to improve the organisation's operations. The tasks of an internal audit include reviewing, assessing and monitoring that the accounting and internal control systems are efficient, effective and adequate.
IT environment
An IT environment is present when one or more computers of any type or capacity are used in the entity for the purpose of processing information that is of major importance for the audit. Such computers can be operated by the enterprise itself or by an external person or body.
Source material
Source material is documentation that has been prepared by others and that auditors have considered relevant for the audit. Together with working papers, this constitutes auditors' documentation. Material that does not contain facts that are relevant should only be included in the source material to the extent auditors regard it as a deficiency if such facts are not described.
Conclusions
Conclusions represent auditors' assessment of the extent to which audit objectives, assertions and audit objectives have been met. The assessment is based on audit evidence from strategic analysis, process analysis and analysis of residual risk. The purpose of conclusions is:
- to decide whether the assertions about the accounts and the dispositions have been met
- to decide whether there are material errors or omissions in the accounts and their accompanying dispositions
- to provide a basis for reporting the auditing work to the entities, the ministries and the Storting.
Compliance
Compliance constitutes the OAG's monitoring of the ministry's or the entity's dispositions that form the basis for the accounts. The disposition must be:
- in compliance with the Storting's budget resolutions and intentions
- in accordance with laws and regulations
- acceptable in the light of norms and standards for financial management in central government
Compliance involves examining the extent to which the ministry and the entity have attained the performance targets and objectives that are given in the budget resolution for the accounting year in question. Compared with performance auditing, the financial audit is restricted to matters concerning the accounts for the individual year. The OAG's compliance process for dispositions is limited to the transactions that have financial importance or are of significance for achieved results compared with intended targets.
Control activities
Control activities are action plans and routines that safeguard the performance of the process activities. Control activities can be found at all levels in the entity within both management and operations. There are several types of control activities that an organisation can use to minimise process risk. These include:
- reviews of performance and efforts
- controls integrated into the course of the process
- physical safeguarding
- segregation of duties and functions
Control calculations
Control calculations involve auditors checking documents, for example verifying that the rates used for calculating dues are correct. In this context documents include invoices, entries into the accounts and the writing-off of assets. For entities that base their accounting on the accrual principle, checking the writing-off of assets can be a relevant audit procedure for auditors to conduct.
Control risk is the probability that a material error or omission will not be prevented or detected and corrected within reasonable time by the accounting or internal control systems. Auditors use their professional judgement to estimate control risk on the basis of the results from strategic analysis and process analysis.
Qualitative materiality
Errors and omissions are regarded as material in cases where the users would probably have made other assessments and taken other decisions if they had been aware of the errors. Qualitative materiality is geared towards violations of budget resolutions and/or norms and standards that will affect the users of the information. The materiality assessment is used when auditors are to assess the importance of a risk element for the audit and are to decide the processes to which they are to assign priority during the subsequent audit. The entity's primary tasks are normally assigned the greatest significance when auditors assess qualitative materiality. However, laws and regulations that govern secondary tasks can be of interest for users.
Quality control
Quality control is an annual systematic review of the division's auditing work and organisation. It includes all the tasks that auditors are required to perform pursuant to the Act and Instructions concerning the Office of the Auditor General. The quality control is conducted by a working group that has been appointed internally in the OAG and that reports to the Secretary General.
Quality assurance constitutes a review of the performed auditing work in order to ensure that it is of good quality. It is carried out by the division manager, the expert coordinator and the auditor responsible for the assignment or an auditor who has not performed the auditing work.
Quantitative materiality
A quantitative determination of materiality is achieved by setting a numerical value for how large an accounting error must be for it to be accepted in the accounts without auditors regarding the accounts as containing material errors. Setting a materiality limit has a dual purpose: the limit expresses the auditors' specification of the users' requirements for precision in the financial statements, and the distribution of the materiality limit is intended to contribute to producing a more efficient and effective audit.
Management's monitoring
The management must ensure that the measures function as intended. The monitoring can take place continuously or as retrospective supervision, and can take the form of:
- monitoring ongoing activities
- periodic reviews and evaluations of the performance of the activities
- assessment of the internal audit
Temporary tasks
Primary or secondary tasks that are of a short-term nature and of limited duration. Some of the entity's primary or secondary tasks can be of a temporary nature, for instance reorganisation, relocation and the introduction of new financial systems.
Irregularities
Intentional actions performed by one or more persons in an entity that involve dishonesty and that are carried out to achieve an unlawful or illegal advantage. Irregularities are distinguished from errors by whether the underlying action has been taken deliberately or unintentionally.
Objective
An expression of a desired result of the entity's activities, defined by the entity or the supervisory authority.
Observation
Monitoring that entails auditors considering the activities that are carried out in the entity, for example observation of inventory- and stock-taking.
Operational risk
Risk related to the performance of the activities in the process. The operational risk is influenced by management, ethics, laws and regulations, technology, planning and budgeting, and human resources.
Detection risk
Detection risk is the probability that auditors' substantive tests will not detect the errors that the accounting or internal control systems do not discover.
Assignment
In the context of auditing, an assignment is synonymous with the audited entity.
Obligatory procedures
Procedures that must be conducted when the consequence is assessed as high, even though the probability is regarded as low. Obligatory procedures will often be related to the submission of the accounts including reporting to the central government accounts.
Planning
Planning involves structuring, organising and assigning priorities to the auditing work. Planning must be carried out and documented in accordance with applicable guidelines.
Primary tasks
The tasks that the Storting assumes the entity will perform and that form the basis for the establishment of the entity. Primary tasks are connected to the social tasks for which the entity has been assigned responsibility by the Storting. The primary tasks of most entities are laid down in Proposition no. 1 to the Storting. More details may be given in letters of allocation. Acts of law can govern the primary tasks of some entities; for example, the Taxation Act plays a key role for the Inland Revenue Services. The ministries are responsible for implementing and following up parliamentary decisions. The management of subordinate bodies will always represent a primary task for the ministries.
Errors in the entity's accounting information or dispositions that the users of the information regard as material but that individually are not necessarily of a considerable sum or extent. Fundamental errors can constitute findings that do not relate to figures, e.g. a breach of the law, regulations or instructions, the fact that action has been taken that is contrary to parliamentary decisions, or that administrative regulations including norms and standards for financial management in the central government have not been followed.
Procedures for risk assessment are audit procedures that auditors conduct in the strategic analysis and process analysis to gain an understanding of the entity and its risk management and to enable them to make a preliminary assessment of the entity's internal control. The preliminary assessment of internal control is referred to as procedures for risk assessment since some of the information that is obtained through such procedures can be used as audit evidence to substantiate risk assessments. In some cases the procedure can procure audit evidence on the appropriateness of risk management measures or the correctness of the assertions. Procedures for risk assessment are:
- enquiries to the management and others
- analytical procedures
- observation and inspection
Process
A process is a series of activities that the entity has initiated to achieve its goals. It reflects how the entity performs its tasks. Processes are intended to help the entity to achieve its goals and to contribute to minimising the risk of specific threats having a negative impact on the entity. The process has a starting point and a finishing point, with a series of activities in between.
Process analysis
Process analysis is a detailed risk assessment of the processes to which the risk elements are linked in the strategic analysis. The purpose of process analysis is:
- to conduct a risk-based, efficient and effective audit
- to gather appropriate and adequate audit evidence in order to assess whether the audit can be based on the entity's internal control system
- to assess whether the process goals support those of the entity
- to identify residual risk that is of significance for both the audit of the accounts and ensuring the compliance of the dispositions
Process activities
Process activities are the work operations the entity carries out to achieve the process goals. A process consists of several types of activities such as:
- collecting information (e.g. assessing procurement needs)
- processing information (e.g. compiling requirement specifications and assessing bids)
- taking decisions (e.g. choosing suppliers)
- effectuating decisions (e.g. entering into contracts and paying invoices)
Process goals
The process goals give a clear description of what the entity should achieve with the process. They must support the entity's goals.
Assertions
When the management submits the accounts, they assert that the financial statements are correct and that they have made the dispositions within the indicated authorisations. To enable auditors to state that the assertions are correct, they must procure adequate and appropriate audit evidence. The OAG has established two sets of assertions, one for the audit of the accounts and one for the compliance of the dispositions.
Framework conditions
The goals and limitations laid down by the supervisory authority that governs the entity's activities. Government agencies are established to carry out certain tasks, and their framework conditions are laid down by the Storting, for example through the annual budget resolutions. The Storting also makes appropriations to the entities to enable them to perform their tasks. The operations and the performance of tasks in the entities are governed by the decisions and intentions resulting from the budget deliberations.
When the audit has been completed, the OAG sends a concluding audit letter to the entity. The concluding audit letter consists of the conclusion of the annual audit (financial auditing) and a short description of the performance audits projects. The form the letter takes depends on whether or not material comments have been made on the entity's submission of the accounts and their accompanying dispositions.
Each year the OAG reports to the Storting in Document no. 1. Document no. 1 is organised per ministry and contains overall information on the annual audit and the monitoring activities that have been conducted through financial auditing and corporate control.
Accounting estimates
Accounting estimates are transactions that are based on subjective assessments and that therefore have a high risk. They can be transactions that involve write-downs, provisions or estimates of value.
Assertions about the accounts
See assertions.
Audit of the accounts
An audit of the accounts constitutes the procedures that are necessary to confirm that the accounts are complete, accurate and reliable.
The information auditors have acquired and documented to substantiate their assessments and conclusions. Audit evidence is gathered through audit procedures in all phases of the audit process.
The result of the performed audit procedures.
Procedures that auditors conduct to procure appropriate audit evidence to substantiate assessments and conclusions concerning defined audit objectives. Audit procedures can be carried out as procedures for risk assessment, tests of controls or substantive tests.
Information that is given verbally to the audited entity and if appropriate to the supervisory authority, including verbal advice, for example summarising meetings.
Continuous communication of findings and the concluding audit letter to the entities, as well as the reporting of results to the Storting in Document no. 1. When the expression reporting is used, it means the external reporting about the audit to the entities and the Storting.
Audit process
Systematic methodology the audit must follow from strategic analysis to reporting.
Audit objectives
The objective of a financial audit is to confirm that the accounts do not contain material errors or omissions and that the dispositions on which the accounts are based are in accordance with parliamentary decisions. The OAG's objectives are laid down in the Act and Instructions concerning the Office of the Auditor General.
Audit plan
A management tool for performing the individual audit assignment. The plan must contain priorities, organisation, the estimated resources required and the time schedule. It is normally approved by the division manager. Any updates to the plan must be quality assured.
Audit programme
An audit programme is a detailed plan of the audit procedures that are to be conducted. The audit programme contains relevant assertions about the accounts and audit objectives along with the audit procedures that are related to these. Audit programmes indicate the framework of the audit procedures and govern the performance of these procedures.
Audit risk
Audit risk is the overall probability that on completion of the audit there will be material errors or omissions in the accounts and their accompanying dispositions that have not been detected. Audit risk is the product of inherent risk, control risk and detection risk.
Audit risk model
The audit risk model is a model that helps auditors to determine how comprehensive the audit work must be to attain the desired assurance for the conclusions. The model consists of four elements: audit risk, inherent risk, control risk and detection risk.
Auditor
An auditor is any person who carries out auditing work for the Office of the Auditor General.
Risk
Any event that can occur and have a negative impact on goal achievement.
Risk analysis
A systematic assessment of the factors that affect the entity and that can lead to its goals not being achieved. Risk analyses are conducted using a top-bottom approach. They start at strategic level and gradually become more detailed. The purpose is to direct the auditing work towards risk that is identified at a general level.
Risk evaluation
An evaluation of the importance that risk elements have for the audit and whether they are to be included in the subsequent audit process. Risk evaluations provide a basis for making priorities between the risk elements auditors are to follow up in the subsequent auditing.
Risk estimate
Estimating the correlation between the degree of probability that an event will occur and the consequence such an occurrence will have. Risk estimates are conducted at both strategic level and process level. Auditors estimate the consequence and probability as high or low and give reasons for their estimate.
Risk element
An event with an unknown outcome that may lead to the entity not achieving its goals.
Risk level
The scope of probability and consequence for each risk element and for overall risk at strategic level and process level.
Routine transactions
Routine transactions are transactions that follow a fixed system and that occur regularly over a period of time. These are transactions the entity is familiar with, and they are often handled according to fixed and reliable procedures. They can be main salary transactions, rental payments, calculations, automatic payments of demands for dues and taxes, and reminders.
Secondary tasks
Tasks intended to secure the operations of the entity and to ensure that the activities are run according to laws and regulation, and to enable the entity to submit accounts and to report the results attained. The majority of entities have secondary tasks such as staffing and payroll duties, purchasing and storage, management and supervision, the annual submission of accounts and reporting. Regulations for these tasks include those relating to public procurement, the regulations for financial management in the central government and the Civil Service Handbook.
Strategy
The overriding and long-term choices the entity has made to ensure goal achievement.
Strategic analysis
An assessment of the entity's external and internal factors that are of a general nature that can influence the extent to which the entity achieves its goals. The purpose of the strategic analysis is:
- to plan a risk-based, efficient and effective financial audit: an audit of the accounts and the compliance of the dispositions
- to provide a basis for discussion with the Board and management on objectives, risk and risk management
- to provide input to the general risk assessment
- to identify processes
Substantive tests
Substantive tests are tests that are conducted to obtain audit evidence to prove that the financial statements and the dispositions on which they are based do not contain materially incorrect information when compared with the submitted assertions.
Tests of controls
Tests of controls are procedures that are conducted to test control activities that the entity's management has established to manage risk. Tests of controls as audit procedures can have two purposes. In the process analysis the purpose of tests of controls will be to assess internal control by testing whether the measures the management have initiated are satisfactorily followed up. The result of this testing of controls contributes to determining the scope and the angle of approach for the substantive tests that must be performed to procure sufficient audit evidence. In the analysis of residual risk, auditors can use tests of controls to procure evidence to show that the established internal control measures and control activities function when substantive tests alone do not provide adequate and appropriate audit evidence.
Letter of allocation
The ministries make appropriations available to subordinate bodies through letters of allocation. The content of such letters includes prime goals, management parameters, the amount allocated, reporting requirements and the authority that has been delegated to the entity in accordance with the appropriations regulations.
Trends analysis
Trends analyses are analyses that have occurred since previous periods. There are a number of analysis techniques, for example comparing periods, that are appropriate in the planning phase.
Sampling method
A method for selecting the units and transactions to be examined. When developing audit procedures, auditors must decide on the sampling method. The various methods for sample-based auditing include:
- sampling of all units (100 per cent testing)
- sampling of selected units
- representative testing
- multi-stage sampling
Advice
Advice and recommendations for the entity that are based on professional expertise, knowledge of the entity and other relevant competence.
Materiality
Auditors must regard errors and omissions as material in cases where the users would probably have made other assessments and taken other decisions if they had been aware of the errors. The assessment of materiality is based on both quantitative and qualitative considerations and is one of the factors that govern what is to be audited and the scope of the audit that is to be conducted.
Entity
In these guidelines the term entity is used to describe the entity that is being audited, irrespective of whether this is a ministry, a government entity or an entity that has a different form of organisation. The term is also used in cases where the audit assignment has been made mandatory in another way, for example by law or agreement.
Financial crime
Financial crime is a collective term for a number of different types of crime and in general describes the crime that is linked to business and industry and other organised enterprises in the private and public sectors. It constitutes actions that involve violations of laws and regulations and that are performed to achieve personal gains. It also covers irregularities and corruption.
This is the management's review of performance and efforts in the process in order to ensure that the work in the process is actually carried out and is of the right quality. An IT environment will often contribute to this task by producing different types of reports and logs that assist the management.