BUDGET SUPERVISION OFFICE OF THE REPUBLIC OF SLOVENIA

COHESION FUND MANUAL FOR THE EXECUTION OF THE FINANCIAL CONTROL

Document No.: 011-14/2004/1 (E-version: CF Audit Manual Ver 1_0.pdf)
JULY 2004
Approved by the director of Budget Supervision office of the RS

Budget Supervision Office of RS Cohesion Fund Manual
Document No.: 01-14/2004/1
Version: 1.0
Come into force: 30.7.2004
Page: 3 of 135

Table of Contents

1 PURPOSE AND STRUCTURE OF MANUAL
2 BACKGROUND AND REGULARITY FRAMEWORK
3 MANAGEMENT FRAMEWORK
4 AUDIT RESPONSIBILITIES OF THE BUDGET SUPERVISION OFFICE (BSO) AND RELATIONSHIPS WITH OTHER AUDITORS
    Commission services
    Co-operation between the BSO and the Commission services
    Audit Strategy for DG REGIO
5 MONITORING AND REPORTING FRAMEWORK
6 AUDIT APPROACH AND TECHNIQUES
    Stages of the Audit
    Quality Control and Assurance
7 AUDIT PLANNING
    The Aims of Audit Planning
    The Planning Process for the BSO
8 RISK ASSESSMENT
    The Process for the BSO: What the BSO is auditing
    Risk Identification
    Assessing Risk Importance
9 AUDIT APPROACH TO COHESION FUND INCOME AND EXPENDITURE
    Setting Audit Objectives
    Audit Programmes
10 AUDIT EVIDENCE
    Concept of Audit Evidence
    Procedures for Obtaining Audit Evidence
11 DOCUMENTATION AND FILING
    The Benefits of Effective Documentation
    Content of Working Papers
    Current and Permanent Files
    Confidentiality of Audit Information
    Retention of Audit Documentation
12 AUDIT REPORTING
    Contents of the Audit Report
    Reports to the EC
    Evaluation of Errors
    Follow-Up Audits
    Sys-audit
13 IRREGULARITY, FRAUD AND CORRUPTION
APPENDIX 1: INFORMATION SYSTEMS AUDIT GUIDELINE
    ANNEX 1
    ANNEX 2
    ANNEX 3
APPENDIX 2: AUDIT OF INTERNAL CONTROL
APPENDIX 3: GUIDANCE FOR PERFORMANCE OF 15 PER CENT CHECKS
APPENDIX 4: OBJECTIVES OF SUBSTANTIVE TESTS
APPENDIX 5: SUGGESTED LIST OF KEY QUESTIONS TO EXAMINE THE MANAGEMENT CONTROL SYSTEMS
APPENDIX 6: SUGGESTED LIST OF KEY QUESTIONS FOR ON THE SPOT CONTROL OF A COHESION FUND PROJECT
APPENDIX 7: PREPARATORY WORK / GATHERING OF AUDIT INFORMATION
APPENDIX 8: PROCUREMENT DIRECTIVES
APPENDIX 9: PUBLICITY REQUIREMENTS
APPENDIX 10: MODEL REPORT PURSUANT TO ARTICLE 12 OF REGULATION 1386/2002
APPENDIX 11: GUIDELINES ON THE PRINCIPLES, CRITERIA AND INDICATIVE SCALES TO BE APPLIED BY COMMISSION DEPARTMENTS IN DETERMINING FINANCIAL CORRECTIONS UNDER ARTICLE H(2) OF ANNEX II TO REGULATION (EC) NO 1164/94 ESTABLISHING A COHESION FUND
APPENDIX 12: GUIDANCE ON 15% SAMPLE CHECKS BY MEMBER STATES
APPENDIX 13: LIST OF ABBREVIATIONS

1 PURPOSE AND STRUCTURE OF MANUAL

1.1 This Manual details the management and controls structure in Slovenia in respect of the Cohesion Fund. The Manual also details the general procedures and approach to be adopted by the Budget Supervision Office of the Ministry of Finance (hereinafter: BSO), in line with their responsibilities for the audit of the Cohesion Fund. This covers the procedures, methods and techniques that staff of the BSO should use for the effective review of the management and control of the Fund; whilst the Appendices provide further information and specific guidance on the audit approach to be adopted.

1.2 The audit role of BSO is defined throughout this manual as that of a certifying body comparable to the work of an external auditor. Reference has been made in this manual to International Auditing Standards.

1.3 These guidelines are developed from the principles and rules set out in the regulations of the European Commission (EC) governing Cohesion Fund and are mandatory for all staff of BSO. The manual is structured as follows:

Chapter 2 – Background and Regulatory Framework - details the aims and objectives of the Cohesion Fund and sets out the legislative framework.

Chapter 3 - Management Framework – explains the roles and responsibilities of key organisations in the management and control process and the accounting and financial reporting system.

Chapter 4 - Audit Responsibilities of BSO and Relationships with Other Auditors - defines the role of the BSO and the relationship with both Internal Audit and the Slovenian Court of Audit, the Supreme Audit Institution (SAI); and with auditors of the Commission and the European Court of Audit (ECA).

Chapter 5 - Monitoring and Reporting Framework - discusses the methodology for reporting during Project Implementation, the Monitoring arrangements; and the Ex-Post Evaluation criteria.

Chapter 6 – Audit Approach and Techniques - describes the general approach to auditing the Cohesion Fund; the BSO audit process; and Quality Control and Assurance.

Chapter 7 - Audit Planning - provides guidance on the approach to planning coverage across the audit area including long term strategic and also annual planning.

Chapter 8 - Risk Assessment - looks at the risk factors to be considered when devising the audit approach, as part of the overall planning strategy.

Chapter 9 - Audit Approach to Cohesion Fund Income and Expenditure - discusses the understanding of the business; the audit trail; audit objectives and test programmes.

Chapter 10 - Audit Evidence - describes the overall concepts and the sources, methods and nature of audit evidence.

Chapter 11 - Documentation and Filing - outlines the key principles of effective audit documentation; the contents of Working Papers; Current and Permanent Files; Confidentiality of Information; and Retention of Documentation.

Chapter 12 – Audit Reporting - covers the content of a standard audit report; reports required by the EC; and follow-up audits.

Chapter 13 – Irregularity, Fraud and Corruption - covers the respective responsibilities of audited bodies, management and the auditor; the procedures where fraud or other irregularities are suspected; and the arrangements in Slovenia.

Appendices 1 to 12 - describe specific items in more detail: the audit procedures for information systems (computer) audit, audit of internal controls, guidance for performance of sample checks, gathering audit information (preparatory work), audit tests for the management and control systems at the programme level and audit tests at final beneficiary level, and then procurement and publicity issues. Appendix 10 contains a model report to the Commission, and the following appendices give guidance on financial corrections and sample checks. Annexes follow some of the appendices.

Appendix 13 – lists the abbreviations used in the manual.

2 BACKGROUND AND REGULARITY FRAMEWORK

Objectives of the Cohesion Fund

2.1 The Cohesion Fund was established in 1994 in addition to the other Community development instruments, to provide assistance in the fields of the environment and transport infrastructure of common interest with a view to promoting economic and social cohesion and solidarity between Member States.
The Cohesion Fund provides support through the balanced financing of projects and also contributes to preliminary studies relating to such projects and their implementation, as well as technical support measures such as comparative studies, impact studies, monitoring, and since entry into force of Regulation (EC) No 1264/1999, publicity and information campaigns.

2.2 All projects financed must be compatible with the Treaties and instruments adopted under them and with Community policies, especially those concerned with the protection of the environment, transport, trans-European networks, competition and the award of contracts.

European Union Legislation - The Act

2.3 Council Regulation (CR) (EC) No 1164/94 of 16 May 1994 established the Cohesion Fund. It was amended by the following CRs which came into effect on 1 January 2000:
- Council Regulation (EC) No 1264/1999 of 21 June 1999, amending Regulation 1164/94; and
- Council Regulation (EC) No 1265/1999 of 21 June 1999, amending Article G of Annex II to Regulation 1164/94.

CR 1265/99 made significant changes to the use of Cohesion Fund, including:
- Clarification of the definitions of "project", "project stages" and groups of projects;
- Additional guidance on "ex-ante" evaluations of projects;
- Commitments to be made at the start of each financial year;
- A single payment, in advance, of up to 20% of the assistance to the Fund; followed by subsequent payments to refund expenditure certified and paid;
- all transactions to be carried out in Euros; and finally
- Various measures to penalize failure to complete projects, including cancellation of the assistance granted.

2.4 There were two Commission regulations issued for implementation of provisions for Cohesion Fund:
- Commission Regulation (EC) No 16/2003 of 6 January 2003 laying down special detailed rules for implementing Council Regulation (EC) No 1164/94 as regards eligibility of expenditure in the context of measures part-financed by the Cohesion Fund, and
- Commission Regulation (EC) No 621/2004 of 1 April 2004 laying down rules for implementing Council Regulation (EC) No 1164/94 as regards information and publicity measures concerning the activities of the Cohesion Fund.

2.5 The Regulations lay down a minimum project value of 10 million Euros, which is aimed at ensuring that projects will have a significant impact on the infrastructure within Member States. Commission Regulation 1386/2002 laid down detailed rules for the implementation of CR 1164/94, as regards the management and control systems for assistance granted from the Cohesion Fund and the procedures for making financial corrections for projects first approved after 1 January 2000.

Eligibility

2.6 Eligibility is restricted to Member States whose per capita gross national product (GNP) is less than 90% of the Community average and which have a programme designed to achieve the conditions of economic convergence as set out in Article 104 of the Treaty establishing the European Community. If the GNP rises above the 90% threshold it may no longer receive funding for new projects or new project stages.

Commission Regulation (EC) No 16/2003 of 6 January 2003 lays down special detailed rules for implementing Council Regulation (EC) No 1164/94 as regards eligibility of expenditure in the context of measures part-financed by the Cohesion Fund.

Commission Regulation (EC) No 1831/94 of 26 July 1994 concerning irregularities and the recovery of sums wrongly paid in connection with the financing of the Cohesion Fund and the organization of an information system in this field.

Commission Regulation (EC) No 621/2004 of 1 April 2004 lays down rules for implementing Council Regulation (EC) No 1164/94 as regards information and publicity measures concerning the activities of the Cohesion Fund.

Project Application and Approval

2.7 Applications for assistance from Member States to the Commission must contain the information specified in the Regulation, that is: the body responsible for implementing the project, project description, cost, location, investment timetable, assessment of the impact on employment and the environment, and information on public contracts.

2.8 The Commission will normally decide whether or not to approve a project within three months of the application and publish the decision in the Official Journal of the European Union.

Financial Control and Provisions

2.9 CR 1264/1999 states that the financial control of projects is primarily the responsibility of Member States. They must check that projects are managed correctly, prevent and detect irregularities and recover any amounts lost as a result. They must provide the Commission with details of the methods they take and of the internal management and audit arrangements that they establish. In turn, the Commission may carry out on the spot checks, in accordance with Annex II to the Regulation, and may ask Member States to verify the correctness of transactions.

2.10 The Cohesion Fund routinely contributes between 80% and 85% of public or equivalent project expenditure. (Since 1 January 2000 it has been possible to reduce this rate to take account of any revenue generated by the project and any application of the "polluter pays" principle).
The full cost of preliminary studies and technical support measures may be financed up to 0.5% of the total resources of the Fund. To qualify for re-imbursement, all expenditure must have been incurred after the date the Commission receives the project application. Payments made after the initial advance must be linked to implementation of the project and no item of expenditure may receive assistance from both the Cohesion and Structural Funds at the same time. Finally, assistance from the Cohesion Fund, the Structural Funds and other Community aid may not exceed 90% of the total project expenditure.

Appraisal, Monitoring and Evaluation

2.11 Before project approval, the Commission and the Member State must make an appraisal to assess whether it complies with the Regulations. During implementation they must make any necessary adjustments and after completion they must evaluate to what extent the original project objectives were achieved.

3 MANAGEMENT FRAMEWORK

Regulatory Requirements

3.1 The regulatory framework for the management and control systems of the Member States must comply with Commission Regulation 1386/2002 (in particular Article 2) and CR 1164/94 (in particular Article 12, and Article G of Annex II). CR 1386/2002 requires that Member States must comply with:

Article 2 - verify that management and control arrangements have been set up and are being implemented in such a way as to ensure that Community funds are being used efficiently and correctly.

Article 5 - provide the Commission with a description of these arrangements.

Article 7 - prevent and detect irregularities, notify these to the Commission in accordance with the rules, and keep the Commission informed of the progress of administrative and legal proceedings. Information exchanged should be kept confidential.

Article 8 - certify that the declarations of the expenditure presented to the Commission are accurate and guarantee that they result from accounting systems based on verifiable supporting documents. The certification of expenditure shall be drawn up by a person or department within the paying authority which is functionally independent of any services that approve the claims.

Articles 9 and 10 - organise checks on projects on an appropriate sampling basis, to ensure that projects are managed in accordance with all the applicable Community rules and that the funds placed at their disposal are used in accordance with the principles of sound financial management. The checks carried out shall cover at least 15% of eligible expenditure on projects first approved after 1 January 2000. The selection of the sample of transactions to be checked is dealt with in detail in Appendix 3.

Articles 13, 14 and 15 - present to the Commission, when each project is wound up, a declaration drawn up by a person or department independent of the designated authority. This declaration shall be based on an examination of the management and control system, summarise the conclusions of the checks carried out during previous years and shall assess the validity of the application for payment of the final balance and the legality and regularity of the expenditure covered by the final certificate.
The person or department issuing the declaration shall make all necessary enquiries to obtain reasonable assurance that the certified statement of expenditure is correct, that the underlying transactions are legal and regular and that the project has been carried out in accordance with the terms of the granting Decision and the objectives assigned to the project.

co-operate with the Commission to ensure that Community funds are used in accordance with the principles of sound financial management.

Article 20.4 - recover any amounts lost as a result of an irregularity detected and where appropriate charge interest on late payments.

Management Framework

3.2 The Decree of the Government of Slovenia (implementing Decree), based on the Execution of the State Budget Act, will define in detail the programming and implementing arrangements between the bodies detailed below in respect of the Cohesion Fund, including financial management and control. The authorities and bodies responsible for the implementation of the Cohesion Fund are as follows.

Government Office for Structural Policies and Regional Development (GOSP)

The GOSP act as the Managing Authority (MA), with overall responsibility for the general management of the Fund, in terms of programming implementation, monitoring and evaluation, financial management and control and information and publicity. The GOSP provide guidance to Intermediate bodies, by way of the production of a Cohesion Fund Manual, and set up, operate and maintain a single computer based system for management of the Fund.

Ministries of Environment, Spatial Planning and Energy (MESP) and Transport (MoT)

These two Ministries will act as the Intermediate Bodies, under the overall responsibility of the MA.
They will have responsibility for the preparation and implementation of strategic programmes and action plans, and for monitoring and reporting on the progress of funded projects. The Intermediate Bodies will also be responsible for:
- Reviewing the tendering documentation submitted by Implementing Bodies;
- Checking and assessing the project applications and submitting them to the MA;
- Implementation of projects in accordance with signed contracts;
- Checking and verifying claims for payment;
- Monitoring and reporting to the MA;
- Reporting to the Commission on the implementation of EU funded projects;
- Co-ordination and assistance to Municipalities in preparing project applications.

Municipalities and Transport Sectors

The Municipalities will act as the Implementing Body (Final Beneficiary) within the environment sector; whilst for Transport that responsibility will rest with the Public Agency for Rail Transport and the Motorway Company of the Republic of Slovenia (DARS). The Implementing Bodies will be responsible for:
- Preparation of project proposals;
- Tendering and contracting;
- Supervising contract implementation;
- Providing relevant information to the Intermediate Body;
- Guaranteeing the project publicity.

Ministry of Finance - National Fund (NF)

The Ministry of Finance (NF) will act as the Paying Authority (PA), with responsibility for the overall financial management of the Fund; and is authorized to issue certificates of expenditure under Article 12 of CR 1164/94 and Article 8 of CR 1386/2002.

Budget Supervision Office (BSO)

The BSO, which is part of the Ministry of Finance, will act as the Independent Financial Control Body; a separate function that is totally independent of that of the MA, IB and PA. The responsibilities of BSO as the certifying body for Cohesion and ISPA Funds are the same for both funds.
Also, many of the audit approach and methodologies defined in this manual in respect of the Cohesion Fund are equally appropriate to ISPA funded projects. Users of the manual should therefore be confident that, in following the processes defined in the following chapters, the certification requirements of the EC are met.

4 AUDIT RESPONSIBILITIES OF THE BUDGET SUPERVISION OFFICE (BSO) AND RELATIONSHIPS WITH OTHER AUDITORS

4.1 The BSO is an independent office within the Ministry of Finance charged with the central coordination role for public internal financial control (PIFC system) and independent control of all EU funds and AFCOS function. The BSO reports directly to the Minister and to the State Secretary. From 1 January 2004, following a Slovenian governmental decree, the BSO has taken on an enhanced status and will increase its independence as an Office within the Ministry of Finance.

4.2 Tasks of the BSO:
- coordination and harmonization of financial management and control and internal audit of budget users and assessing the overall performance of PIFC System (BSO-Sector PIFC);
- acting as the anti-fraud coordinating service (AFCOS) for OLAF and communicating on irregularities to EC/OLAF (BSO-Sector PIFC);
- independent financial control of all EU funds (BSO-Sector for Audit and Certification).

4.3 By law, the main functions of the BSO in terms of Public Internal Financial Control (PIFC) are as follows:
- Issue guidelines aiming to harmonise the functionality of the system of Public Internal Financial Control (PIFC);
- Issue guidelines and methodology for internal controls and internal audit at budget direct and independent spending centres;
- Issue rules and conditions for the nomination and dismissal of internal auditors and check their implementation;
- Check the implementation of guidelines, methodology and standards for internal control and internal audit and report to the Government thereon;
- Follow up and analyse the findings and recommendations of internal audit services for the improvement of financial management and internal controls and report its findings to the Government and to the Court of Audit.

Cohesion Fund

4.4 Regarding the independent financial control of the Cohesion Fund the main tasks and responsibilities are:
- to perform sample checks of at least 15% of the Cohesion Fund expenditure in order to verify:
    - the practical application and effectiveness of the management and control systems;
    - the execution of the measure in accordance with the terms of the Regulations granting the assistance and the objectives assigned to the measure;
    - for an adequate number of accounting records, the correspondence of those records with supporting documents held by the implementing agencies, delegated bodies and final beneficiaries;
    - the presence of a sufficient audit trail;
    - for an adequate number of expenditure items, that the nature and timing of the relevant expenditure comply with Community provisions and correspond to the approved specifications of the measure and the works actually executed;
    - that the appropriate national co-financing has in fact been made available; and
    - that the co-financed measures have been implemented in accordance with Community rules and policies;
- to establish whether any problems encountered are of a systemic character, entailing a risk for other operations carried out by the same Implementing Body;
- to recommend improvements and corrective actions, identify the causes of such situations and carry out any further examinations which may be necessary;
- to provide information by 30 June each year, of their application of provisions for sample checks in the previous calendar year and in addition provide opinion on effectiveness of management and control systems;
- to issue declarations at winding-up of Cohesion Fund projects; in order to issue declarations at winding-up of the projects BSO conducts examinations according to internationally accepted auditing standards upon the receipt of all information required and upon given access to the records and supporting evidence necessary for drawing up the declaration by the responsible authorities.

4.5 The BSO, as Independent Financial Control Body, is responsible for the independent auditing of Cohesion Fund; for certifying annual reports; for co-ordinating internal auditing at BSCs; and for carrying out additional auditing for the projects co-financed by the EU in compliance with international agreements.

Organisation of the BSO

4.6 In order to carry out these responsibilities, the BSO is organised into four teams in support of Senior Management. These are:

Budgetary Inspection Sector - carries out inspection functions for the Ministry of Finance at all BSCs that use the Central State Budget. In the future it is envisaged that this team will work in co-operation with the European Anti-Fraud Office - OLAF.

Sector for Public Internal Financial Control - is responsible for carrying out the Central Harmonisation function of the PIFC.

Audit and Certification Sector - has broad responsibilities covering the audit of the Cohesion Fund.
These include:
- Carrying out independent audits of the Implementing Bodies and assessing their capacity and competency to effectively control EU funds and national co-financing;
- Co-ordinating the operations of the internal audit services of the Implementing Bodies in relation to the management and control of Cohesion Fund;
- Carrying out audits of the Cohesion Fund Programme; and
- The closure certification examination and report at the end of the Cohesion Fund projects.

4.7 The BSO is the organisation responsible for the independent control of EU Funds and therefore acts in an external audit role in examining all aspects of the Cohesion Fund Programme.

Internal Audit Bodies

4.8 The responsibilities of the BSO and general liaison arrangements with internal Audit are outlined above. In terms of the approach to be adopted for the audit of Cohesion Fund, the BSO will need to regularly review the amount of reliance that they can place on the work of Internal Audit. In particular they will need to liaise with:
- the Internal Audit Service (IAS), within the Ministry of Finance; and
- the Internal Audit units within the Ministries of Transport and Environment.

Slovenian Court of Audit

4.9 The Republic of Slovenia Court of Audit is the Supreme Audit Institution (SAI) and as such is the highest body for the supervision of state accounts, the state budget and for all public spending in Slovenia. The Court of Audit carries out its functions in compliance with the Court of Audit Act and in accordance with the Slovenian Constitution. In terms of the audit of Cohesion Fund, the main aims of the Court of Audit are to ensure that operations co-financed by Cohesion Fund have been properly carried out, that the appropriate actions have been taken against any identified irregularities, and that any amounts lost are recovered.

European Court of Audit

4.10 The European Court of Auditors’ primary tasks are to examine the accounts of all revenue and expenditure of the European Communities; to examine whether all revenue and expenditure has been received or incurred in a lawful and regular manner; and to examine whether financial management is sound. The Court is an independent institution whose role is to assist the European Parliament and the Council of the European Union in exercising their powers of control over the implementation of the budget. Additionally, the Court may, at any time, submit observations on specific questions and deliver opinions at the request of one of the European institutions.

4.11 As part of its audit work, the Court examines both systems and expenditure relating to the Cohesion Fund, and its audits take place in the Commission services and on the spot in the Member States. Its auditors have access to any document or information relating to the financial management of the departments and other bodies subject to its examination, and may carry out audits of all bodies receiving Community funds.

Commission services

4.12 The overall objectives of the audits carried out by the Commission services responsible for the audit of the Cohesion Fund are to determine:
- to what extent the Member States have put into place adequate management and control systems, and to what extent these systems give a satisfactory assurance concerning the legality and regularity of the underlying operations;
- the accuracy of the expenditure declared to the Commission for co-financing;
- the level of ineligible expenditure where the Member State’s management and control systems have been proven inadequate.

4.13 The unit responsible for the audit of the Cohesion Fund may be assisted by external audit firms to carry out audits in Member States.

Co-operation between the BSO and the Commission services

4.14 The Heads of BSO and the Commission audit services responsible for audit of the Cohesion Fund ensure co-operation concerning audit of the Cohesion Fund. The Commission services and the BSO conduct separate or joint audits of the management of control systems, as well as control of any project or works co-financed by the Cohesion Fund. That methodology is in accordance with Commission Regulation (EC) N° 1386/2002 of 29 July 2002 and with Article 12, and Article G of Annex II, of the Cohesion Fund regulation. The Commission services and the BSO also exchange the results of their audit findings and meet at least once a year to discuss results of the audits and audit strategy for the next period.

Other auditors (private)

4.15 In addition to the above levels of audit, individual project managers and financial beneficiaries will have their own auditors. The function of these auditors is to carry out audits to verify the accuracy of the accounts prepared by their clients, and as such, the auditors are likely to examine all types of financial records, not solely those relating to the Cohesion Fund.

Audit Strategy for DG REGIO

Formal obligations to audit the Fund

4.16 Materially all the operations financed by the Cohesion Fund are carried out under shared management. Article 274 of the Treaty stipulates that the Commission shall implement the budget on its own responsibility. The Member States co-operate with the Commission to ensure that appropriations are used in accordance with the principles of sound financial management.

4.17 Article 159 of the new Financial Regulation provides that the requirements regarding the audit of the Cohesion Fund are those laid down in the applicable Council regulations. These regulations empower the Commission to carry out checks on the spot, but do not impose any precise obligations.
The only formal obligations are laid down in Council Regulation 1164/94 as amended, and in the corresponding Commission Regulation 1386/2002. Article 12(2) of Regulation 1164/94 provides for the Commission to ensure smooth running management and control systems, inter alia by undertaking on-the-spot checks for this purpose; and Article 5 of Regulation 1386/2002 to review the management and control systems presented by the Member States. Under the latter provisions the Commission must satisfy itself that these systems meet the standards required by the Council and Commission regulations, and make known any obstacles which they present to the transparency of checks and to the Commission’s discharge of its responsibilities under Article 274 of the Treaty.

4.18 As regards operations carried out under shared or decentralised management, the charter of tasks and responsibilities of the authorising officer by delegation requires him to:
- determine to what extent the beneficiary countries have put into place appropriate management and control systems, and to what extent these systems give a satisfactory assurance concerning the regularity of the underlying operations in terms of the law applicable;
- check the accuracy of the amounts concerned;
- carry out financial corrections where the beneficiary country’s control procedures have proven inadequate.

4.19 The Commission has made a commitment to the European Parliament in response to the Court of Auditors’ finding of high levels of irregularity in declared expenditure: “so far as resources permit, the Commission intends to intensify its own control activity in the area of the Structural Funds, in order in particular to verify the adequacy of the Member States’ systems and procedures. If these controls detect systemic failures by the responsible authorities, then financial corrections will be applied, with a more extensive use of extrapolation whenever appropriate”.

Mission of the audit and control units of Directorate G

4.20 Audit units G3 is responsible for leading the work of DG Regional Policy and, as chef de file for the Cohesion Fund, that of the other responsible Directorates General to ensure the satisfactory quality of the national management and control systems in relation to operations carried out under shared or decentralised management and for providing assurance that meets the requirements of the authorising officer by delegation to this effect. They may also undertake ad-hoc enquiries into directly managed expenditure at the request of the Director-General.

4.21 In collaboration with the other services of DG Regional Policy and with the other Directorates General responsible for the Cohesion Fund, they contribute towards the establishment of the conditions necessary for sound financial management in the beneficiary countries, in particular by proposing rules and guidelines, by organising and animating working groups of beneficiary countries, and by undertaking ‘preventive’ and ex post audits of the implementation of new rules.

4.22 In collaboration with the audit units of the other responsible Directorates General, they promote the development of effective arrangements for financial management, control and audit in the Member States and closer co-ordination between the audit activities of Member States and the Commission, in the framework particularly of the bilateral administrative agreements. They also encourage the adoption of a uniform approach to audit and control within the Commission services.
They ensure effective cooperation with the operational units to promote effective control of Community funds, in particular by consulting them on the annual review of the audit strategy, and at all stages of the planning process for audit enquiries so that the requirements of the operational services are taken into account. They also consult them on all audit reports and letters to beneficiary countries, and issues of financial correction. They undertake to collaborate with operational units in clarifying their respective control functions to ensure maximum effectiveness in the use of resources. They may undertake ad-hoc audits requested by operational units within the limits of the resources reserved for this contingency.

Audit Strategy - Cohesion Fund Objective

4.23 For the period 2000-2006, reasonable assurance is required that the management and control systems established by the Member States comply with the provisions of the Community regulations and are functioning effectively. The audit objective is therefore to obtain such assurance, or, in the event that deficiencies are identified in the Member States’ systems, to recommend remedial action, to follow up the implementation of such measures, and to propose financial corrections where Community funds have been put at risk. In the case of projects for which specific irregularities are detected, the ineligible expenditure should be excluded from Community financing and recovery action taken.

5 MONITORING AND REPORTING FRAMEWORK

5.1 This chapter outlines the general monitoring and reporting framework relating to Cohesion Fund. Monitoring is to be carried out jointly by the Republic of Slovenia and the Commission.

Reporting During Project Implementation

5.2 The Regulations specify that all public or private bodies involved in the management and implementation of measures must maintain either a separate accounting system or an adequate accounting codification for all Cohesion Fund transactions.

5.3 The Member State must institute a reporting system that provides regular, standardized outputs for each measure financed by the Fund; this allows the Member State to monitor progress in the implementation of the measure, to provide a basis for making payment claims to the Commission, and to facilitate the verification of expenditure by Community and national control authorities.

5.4 During the installation of this system, particular attention should be given to the reporting requirements linked to the intermediate and final payment claims, as set out in the Regulations. Such claims can only be made based on payments certified and actually made by the body responsible for implementation, supported by receipted invoices or accounting documents of equivalent probative value. The system must provide a form for the declarations required from the responsible Ministry and GOSP when submitting claims.

5.5 In addition, the financial reporting systems must cover all eligible costs of a measure (project, stage of project or group of projects) for which assistance has been granted; this includes all measures identified in the Regulations together with all contracts needed for implementation, regardless of the source of financing. The monitoring indicators identified in the application forms, or subsequently agreed between the Commission and the Member State, will form the basis for the regular monitoring of the technical progress of projects. These indicators should also be used in the reports required when making payment claims, and in possible ad hoc technical reports requested on a case by case basis by the Commission.

Flow of Funds

5.6 With particular respect to the flow of funds within the system, the following reports are expected:
- Global cash flows – these reports outline the forecasted expenditures related to the entire project for the coming year, justify the commitment to these projects and indicate the progress of each project. These reports can be incorporated into the annual progress report.
- Payment flows – these consist of four components: first advance payments, second advance payments, intermediate payments and final/balance payments.

Ex-post Evaluation of Cohesion Fund Projects

5.7 Ex-post evaluation will consist of detailed assessment of the results and impacts of a project/group of projects; this will include both positive achievements and failures, and will attempt to identify the causes for both. The main objective of this evaluation will be the elaboration of a report for the benefit of the European taxpayers on the use made of their money, but also to assimilate the knowledge gained through the projects, with the goal of strengthening the design and implementation of future projects. Therefore, baseline data should be made available to allow for the quantification of results and impact indicators.

5.8 An ex-post evaluation programme will be implemented by the Commission services for all Cohesion funded activities. The consolidated evaluation methodologies available at the Commission, particularly in the area of Structural/Cohesion Funds operations, will be made available for all interested parties. The time frame for the performance of these evaluations will vary according to the sector concerned (a longer time frame might be necessary for evaluating environmental projects), and to the nature of the projects.

6 AUDIT APPROACH AND TECHNIQUES

6.1 The overall objective of the audit of Cohesion Fund is to seek assurance that the operations being financed by the European Commission are being properly carried out in accordance with the relevant regulations and guidance from the Commission, i.e. that the expenditure is free from material errors and irregularities.

6.2 To achieve that overall objective the BSO will need to ensure that each year the planned audit approach includes the following key elements, which are closely linked to the terms and conditions of the Regulations and to the annual reporting requirements to the European Commission (see Section 12):
- A review of the management control system, to confirm what controls are in place; and an examination to determine whether or not the controls are operating effectively in practice;
- A programme for examining annual expenditure that covers at least 15% of the total eligible expenditure, and is representative of the different areas of activity and type and size of project. Appendix 3 comments on the methodology for selecting the 15% sample, whilst Appendix 12 details the Commission guidance on carrying out the work;
- Arrangements for the annual reporting, both within Slovenia and to the European Commission;
- A constant risk assessment process that re-appraises potential areas of risk in line with developments in funding received or the approval of new projects; and finally
- A programme to examine all projects that close within the year, and guidance as to how to effectively carry out the function of issuing a declaration on the winding-up of measures, which will include obtaining assurances on the controls that applied over the life of the project.

6.3 The audit should therefore determine whether systems are operating effectively to prevent errors and irregularities, and that, where errors and irregularities do occur, the systems are effective in detecting and correcting them. Essentially, Slovenian Government management and control systems should ensure at the appropriate levels that final beneficiaries and actions are eligible when selected to receive support, that they remain eligible for the duration of the action, that objectives are being achieved, and that expenditure claimed is eligible and in accordance with the financial plan. Controls should also ensure that claims made to the Commission are correct.

Independence and Objectivity

6.4 The BSO auditors are not responsible for the activities of the management of the institutions concerned with a project or for the development and implementation of the control procedures. The auditors may not be involved in design, development or management of such systems since it affects their impartiality. However, the auditors may provide recommendations and advice on the necessary controls within the system.

Stages of the Audit

6.5 This Section outlines the audit process of the BSO that underpins the delivery of its objectives. The audit process is shown in the following diagram.

BUDGET SUPERVISORY OFFICE AUDIT PROCESS: DELIVERING OBJECTIVES OF THE BSO

Audit planning
- Risk assessment
- Strategic/Long term plan
- Annual plan

Audit Preparation
- Research & Information on audited body
- Confirm Risk assessment
- Identify System & Controls
- Decide Audit Approach
- Prepare detailed audit programme

Fieldwork/Gathering Evidence
- Enquiries, observations, interviews, inspection of documents
- Evaluate systems/controls
- Test transactions, documents, records (sampling)
- Document & record audit results

Audit reporting
- Draw conclusions
- Prepare draft report
- Consult with audited Body
- Review & editing
- Produce & Approve Final report
- Produce Action plan for implementing recommendations

Review & Follow up
- Review audit process (time, budget, quality)
- Review & update Risk assessment
- Follow up implementation of audit recommendations

6.6 Each element in the above audit process is regulated by a system of Quality Control. This system is outlined in the following Section.

Quality Control and Assurance

6.7 All audit work undertaken by the BSO is subject to a process of quality control. The purpose of quality control is to provide assurance that all audit work is undertaken to an appropriate and consistent standard. This should be applied to each stage of the audit process (from audit planning through to audit reporting and follow up). This can be supplemented by a periodical higher level quality assurance review of the whole process with regard to particular projects.

6.8 Assuring the quality of audits carried out by the BSO is a two stage process:
- At the first level, the BSO has adopted policies and procedures at each stage of the audit process (from audit planning through to audit reporting and follow up) designed to ensure that audit tasks are carried out to an acceptable level of quality.
- At the second level, the BSO carries out higher level quality assurance (Q.A.) reviews of audit tasks to establish that these policies and procedures are adhered to uniformly within the BSO.

First Level

Audit Briefing

6.9 Team leaders should brief their teams before audits start. They should make sure that all relevant documentation and background material is assembled. The aim of the briefing should be to ensure that audit objectives are understood by the team and particularly by auditors responsible for individual tasks. The audit objectives may include giving particular emphasis to certain types of risk such as those relating to fraud. The scope of the audit may be limited, for example where the emphasis is on the testing of high risk systems which have already been reviewed and evaluated. The briefing should include techniques, allocation of tasks, conduct, liaison with line management, reporting and administrative arrangements. Details of the briefing should be recorded.

Supervision

6.10 Regular control of the assignment of staff is the responsibility of the team leader. Supervision involves the monitoring of staff undertaking audit assignments, reviewing their work, developing their skills and making sure that performance is in line with standards and work plans. More supervision is called for where a trainee is being used or if an auditor has a low level of skills in, or experience of, the type of assignment to which he or she has been allocated. The same principles apply when contractors are used.

Progress control

6.11 The responsible audit manager or Head of BSO should periodically review performance and progress. As part of this process regular meetings should be held with team leaders. Failure to exercise control may result in objectives not being achieved or loss of direction and efficiency. The prime responsibility for control over progress lies with the team leader who should be familiar with any specific audit requirements and performance targets. The team leader should report on progress, possibly on an exception basis. The findings arising during an audit may indicate a need for priorities to be reassessed or for more work to be done. This should be discussed with the audit manager as soon as possible so that, if warranted, appropriate action can be taken.

6.12 Any changes to the planned time-table should be recorded; the use of a standard progress report form may be considered for this purpose. The audit manager should consider the actual man days spent on each audit against the plan and determine reasons for variances. The audit manager should consider implications for future plans.

6.13 Audit managers should pay scheduled and unscheduled visits to see audit teams at work to assess the way in which the audit is being carried out and the expertise which is being applied. They should note any training needs arising during the audit.

Review

6.14 All work should be continuously reviewed as an integral part of audit procedures. Review may be partly achieved through supervision. Completed working papers should be inspected to ensure that they meet laid down standards and are relevant to audit findings and conclusions. Review should continue throughout an audit so that a more experienced auditor always appraises the work of another.

6.15 The extent of review will vary with the experience of staff and nature of the assignment but it should be such that the Head of BSO, who may undertake a final review of the draft report, can be satisfied that the conclusions are sound and are demonstrably supported by relevant, reliable and sufficient audit evidence. There should also be evidence that all elements of the plan have been satisfactorily achieved and that the audit file has been reviewed by the responsible manager.
The result of these reviews should be discussed with the auditors involved and any lessons learnt should be applied across auditors’ work.

Review record

6.16 A summary record of reviews can help quality control and quality assurance. The record should identify:
- the audit stages and major documents reviewed;
- the dates of reviews;
- the results of the review; and
- dates of the reviewer’s approval.

6.17 Separate columns should be provided for each reviewer. Space may be allocated to record examinations made during internal or external peer reviews.

Appraisal

6.18 Each audit should be appraised on completion to assess its conduct and value. Audit management should consider any need for additional guidance, implications for other audits, the effect on audit plans and on the use of contractors. Solutions to any problems identified may involve staff training, better planning, better contract management, the use of other techniques, different approach, change in management style, etc. The views of line management may be helpful in assessing audit performance.

Internal review

6.19 In addition to routine reviews of audit assignments (see above) planned internal reviews should be carried out by members of staff not involved in the original audit to appraise the quality of audit work performed. Over time, the work of all teams should be subject to review. Any weaknesses revealed should be discussed with the responsible auditors and more pervasive problems brought to the attention of all auditors. Corrective action should be taken where necessary.

Second Level

6.20 The following are the main elements of the quality assurance reviews carried out by the management:
- staff carrying out Q.A. reviews are suitably qualified and experienced (they may be either employed full-time in quality assurance, or on short-term secondments from other parts of BSO);
- staff carrying out Q.A. reviews are independent of the audits being reviewed;
- staff carrying out Q.A. reviews have the power to select audit tasks for review;
- procedures are established for the selection of all audits to be reviewed, which will ensure an appropriate coverage of all the activities of the BSO over a set period of time;
- all tasks of the BSO must potentially be subject to review (the reviewer must have full knowledge of the activities of the BSO);
- procedures are established to determine the nature, extent, frequency and timing of the Q.A. reviews;
- procedures are established to resolve disagreements which may arise between Q.A. reviewers and audit staff;
- staff carrying out reviews have right of access to all relevant internal documents and to the staff who prepared them or managed the task;
- staff carrying out reviews normally have the duty to report and make recommendations in a timely manner to the BSO's senior management, and senior management normally has the duty to respond to these;
- audit staff can request that a Q.A. review is carried out at any stage of an audit task;
- publication of an Annual Report - (normally) made available to all audit staff.

6.21 In certain cases, and particularly when the BSO uses temporary secondments to carry out internal quality assurance reviews, the BSO may decide to develop and use standard checklists of objectives that the reviewer must achieve to ensure the consistency and completeness of the reviews carried out.

International Standard on Auditing

6.22 International Standard on Auditing 220 (Quality Control for Audit Work) gives guidance on Quality Control procedures for an audit organisation.

7 AUDIT PLANNING

The Aims of Audit Planning

7.1 The auditor should plan the audit work so that the audit will be performed in an effective manner. This means developing a general strategy and a detailed approach for the expected nature, timing and extent of the audit. Adequate planning of the audit work helps to ensure that appropriate attention is devoted to important areas of the audit; that potential problems are identified; and that the work is completed expeditiously. Planning also assists in proper assignment of work to assistants and in coordination of work done by other auditors and experts. The plan also allows management to supervise and control the audit work being performed.

7.2 Obtaining knowledge of how the Cohesion Fund Programme is managed and of the organisations involved is an essential element in identifying risks and planning an effective audit approach, as detailed at Chapter 9. The auditor may wish to discuss elements of the overall audit plan and certain audit procedures with the management and staff of audited bodies to improve the effectiveness and efficiency of the audit and to coordinate audit procedures with work of the audited bodies’ personnel. The overall audit plan and the audit program, however, remain the auditor’s responsibility.

The Planning Process for the BSO

7.3 Two types of audit plan should be produced:
- the strategic long term plan, stating how the BSO intends to audit Cohesion Fund over the programme lifetime in order to assure long term coverage of checks and to assure the effective winding up of projects; and
- the plan detailing the audit work to be carried out each year.

The Long Term Strategic Plan

7.4 The first plan to be produced should be the long term strategic plan. This plan is essentially a management tool and should set out how the BSO intends to carry out its responsibilities for auditing expenditure over the duration of the programme.
Key contents of the plan should be:
- Knowledge of the Cohesion Fund programme
  o Identification of what BSO’s reporting responsibilities are and the deadlines to be met;
  o Identification of key articles from the relevant regulations that should be implemented;
- Understanding the Accounting and Internal Control Systems
  o Description of the management and control system that the BSO will have to audit (details are at Chapter 3);
- Nature, Timing and Extent of Procedures
  o An approach as to when to audit bodies over the programme lifetime. (It is unrealistic to expect to visit all bodies involved in the administration of the programme every year.);
  o An approach to the level of detail of audit work to be performed;
  o The effect of information technology on the audit. (Guidance on IT audit is contained at Appendix 1)
- Coordination, Direction, Supervision and Review
  o The procedure for managing the conduct of audits
  o Any requirements for a joint approach with the audit service of the Commission

The strategic plan should be reviewed and updated each year.

The Annual Plan

7.5 This should be produced before the start of each year and should detail the overall audit approach for the year. This planning should be summarised in a memorandum, the Audit Planning Memorandum, and if relevant submitted to the Commission. This document should present an analysis of the main audit areas and the key planning decisions made and should include the following:
- The regularity context of the audit
  o The relevant European regulations,
  o Any relevant Slovenian legislation.
- An update of the systems description, as compared to that contained in the Strategic Plan, detailing any significant facts, events or changes which have taken place and their likely effect on the operations of the fund and hence the audit;
- A description of the scope of the audit work.
  o This section should identify any audit opinions and reports that should directly result from the audit work;
  o Any audit work required for other auditors (e.g. Commission auditors).
- A risk assessment that:
  o Assesses the inherent and control risks (see Chapter 8 for details);
  o Determines which bodies to visit during the year;
  o Identifies any key areas to which particular audit attention should be paid (e.g. new guidance / regulations that need to be checked);
- Details of the nature and extent of use to be made of the work to be carried out by other auditors, e.g. internal audit sections/units (IAU) of line ministries, Court of Audit, European Commission auditors:
  o The conclusions from previous work by other auditors may be used to determine the effectiveness of controls operating;
  o It may be possible to ask other auditors to carry out audit work on behalf of the BSO.
- Audit objectives
  o These should be based on the risk assessment (see Chapter 9).
- Audit Programmes
  o These programmes should consist of audit tests designed to meet the audit objectives (see Chapter 9).
- Staffing levels and the resources required to carry out the audit work;
- Timetable for carrying out the work.

The planning memorandum should:
- provide a basis for regular monitoring of progress on the audit by management; and
- help auditors to understand what is required of them.
- Include follow-ups of previous Audit Missions carried out by Internal Audit Units, BSO or auditors of EC.

International Standards on Auditing

7.6 Relevant International Standards on Auditing that provide further guidance are:
- ISA 300 Planning
- ISA 310 Knowledge of the Business

8 RISK ASSESSMENT

The Process for the BSO: What the BSO is auditing

8.1 The audit fieldwork that the BSO will undertake is essentially to check that the Cohesion Fund income and expenditure taking place in Slovenia is in line with the regularity requirements of the Commission, i.e. that the management and control system put in place in Slovenia meets the requirements of the EC Regulations.

8.2 Specific objectives of the BSO annual audit approach are detailed at Section 6.2. Particular attention should be paid to the regular review of controls and to the 15% sample checks, both of which contribute to the ability of the BSO to provide a final closure certificate on individual projects, covering the full period of the projects' activities.

8.3 In checking that the management and control systems in Slovenia comply with the above, the BSO should go through a four step process as follows:
- Risk Identification
- Assessing risk importance to identify bodies to audit
- Define audit objectives (see Chapter 9)
- Create audit programme to meet audit objectives (see Chapter 9)

Risk Identification

8.4 Two types of risk need to be identified:
- Inherent risk. This is the susceptibility of a class of transactions to misstatement that could be material, either individually or when aggregated with misstatements in other classes, assuming that there are no mitigating internal controls. For the Cohesion Fund, there is an additional inherent risk of irregularity, i.e. that expenditure is not in line with EC regulations.
- Control risk. This is the risk that either irregular expenditure or misstatement, that could occur in a class of transactions and that could be material individually or when aggregated with misstatements in other classes, will not be prevented or detected and corrected on a timely basis by the accounting and internal control systems.

8.5 In the context of the audit of Cohesion Fund, materiality can be defined as: “Information is material if its omission or misstatement could influence the economic decisions of users taken on the basis of the financial statements. Materiality depends on the size of the item or error judged in the particular circumstances of its omission or misstatement. Thus, materiality provides a threshold or cut-off point rather than being a primary qualitative characteristic which information must have if it is to be useful.”

Inherent Risk

8.6 The following factors should be considered as indicators when assessing the levels of inherent risk:
- the more complex the regulations governing the action, the greater the risk of error will be. These errors may occur either through the misunderstanding or misinterpretation of regulations, or through a simple error in application of the rules;
- divergence of management arrangements – for example, actions delivered through third parties or agents may have a higher inherent risk than actions delivered directly by a single managing authority.
  The more steps there are in the management process, the higher the risk will be;
- payments or receipts made on the basis of claims or declarations (for example, a declaration by the final beneficiary in respect of contributions in kind), rather than in exchange for invoiced goods or services, are generally more difficult to verify, and therefore lead to an increased inherent risk;
- the absolute amount of the Cohesion Fund support, and the proportion of total cost supported by the Fund - where the absolute amount of the grant is high, or a very large proportion of total funding comes from the Fund, the inherent risks may be increased;
- the amount of the Cohesion Fund support, in situations where this fund is a part of a structural investment with other funds, and when the risk of double-financing exists;
- the type of action and funding - for example, some types of action (projects generating own revenue) may be considered to have inherently greater risk than others;
- the type of project manager/ final beneficiary - for example, public or private; well-established or newly-formed;
- high levels of staff turnover, the use of temporary staff to undertake key tasks, or the use of untrained or inexperienced staff within the managing organisations or project managers/ final beneficiaries are likely to lead to increased inherent risks because the inexperience of staff may mean that controls do not function properly; and
- the possibility of a conflict of interest situation, a situation where duties are not properly segregated (when purchase and payment functions are combined), or the knowledge of unethical behaviour.

8.7 As part of the process of "Audit Preparation" (see the diagram at 6.5), the BSO will need to assess the extent and nature of Inherent Risks within the Management Framework. This assessment should form part of the annual exercise and should be undertaken at the various levels, for example at the GOSP, the National Fund, or at the Implementing Bodies.

Control Risk

8.8 The control system for administering Cohesion Fund in Slovenia should be designed to mitigate inherent risk. Where inherent risk is highest, there should be controls in place to reduce the actual risk of incorrect or irregular payments being made. For example, for schemes with very complex rules, the body responsible for checking and approving claims would be expected to put considerable effort into the verification of claims in that area. A high control risk is where controls to reduce inherent risk are not working (or are not in place).

8.9 The system put in place by management to mitigate inherent risk is called the Accounting and Internal Control System. The audit work on the management and control system is designed to check that controls are in place and working (Appendix 2 gives some general information on the audit of Internal Controls). Again, the BSO will need to annually review the extent to which the effective operation of the management control system is mitigating any Inherent Risks that have been identified.

The Accounting and Internal Control System

8.10 The accounting system means the series of tasks and records of an entity by which transactions are processed as a means of maintaining financial records. Such systems identify, assemble, analyse, calculate, classify, record, summarise and report transactions and other events.

8.11 The internal control system means all the policies and procedures (internal controls) adopted by the management of an entity to assist in achieving management’s objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, the timely preparation of reliable financial information, and, for the Cohesion Fund, compliance with EC regulations. The internal control system extends beyond those matters which relate directly to the functions of the accounting system and comprises:
- “The control environment” - the overall attitude, awareness and actions of management regarding the internal control system and its importance in the entity. The control environment has an effect on the effectiveness of the specific control procedures. A strong control environment, for example, one with tight budgetary controls and an effective internal audit function, can significantly complement specific control procedures. However, a strong environment does not, by itself, ensure the effectiveness of the internal control system. Factors reflected in the control environment include:
  o The function of the management board.
  o Management’s philosophy and operating style.
  o The entity’s organizational structure and methods of assigning authority and responsibility.
  o Management’s control system including the internal audit function, personnel policies and procedures and segregation of duties.
- “Control procedures” - those policies and procedures in addition to the control environment which management has established to achieve the entity’s specific objectives. Specific control procedures include:
  o Reporting, reviewing and approving reconciliations.
  o Checking the arithmetical accuracy of the records.
  o Controlling applications and environment of computer information systems, for example, by establishing controls over changes to computer programs and access to data files.
  o Maintaining and reviewing control accounts and trial balances.
  o Approving and controlling of documents.
  o Comparing internal data with external sources of information.
  o Comparing the results of cash, security and inventory counts with accounting records.
  o Limiting direct physical access to assets and records.
  o Comparing and analyzing the financial results with budgeted amounts.

Practical Assessment of Control Risk

8.12 For the first audit of bodies, the assessment of control risk will be limited since sufficient knowledge of the effectiveness of controls would not have been achieved. Therefore, initial audit work should focus on determining what controls are in place by way of "walkthrough" tests, before later testing whether or not those controls are operating in practice. This work would then inform the assessment of control risk on any subsequent audits.

8.13 From the knowledge gained from previous audits and from their close working relationships with the key players in the management system in Slovenia, the BSO will draw general risk conclusions that will assist the planning and audit approach exercises. For example:
- At the Intermediate Body level - has the BSO identified any significant control weaknesses at either of the two Ministries - Transport or Environment - that are involved with Cohesion Fund that might influence the projects to be selected for examination?
- At the Implementing Body level - has the BSO identified any significant weaknesses in control at any of the Municipalities (Environment) or at one of the two sectors (Transport) in relation to their controls over Cohesion Fund, that again might influence the selection of projects to be examined?

Assessing Risk Importance

8.14 Audit effort should be directed towards those areas where risk is likely to be greatest, whilst also ensuring adequate coverage of lower risk areas. The importance of the risks can be assessed based on the probability of occurrence of the risk and the expected impact of the risk on the quality (of the outputs) of the project or delays. The assessor can assign the scores low, medium and high to the probability of occurrence and to the expected impact of the risk.

[Risk matrix: Probability (High / Medium / Low) against Impact (High / Medium / Low); cell ratings: Unacceptable, High, Medium, Low]

8.15 Checks should be carried out on a sample basis, with the aim of carrying out sufficient examination to provide a reasonable level of assurance that the management and control systems to be examined by each audit are operating effectively to prevent errors or irregularities.

8.16 Given the potentially wide range of activities, a rolling programme, based on a risk assessment, may be adopted to ensure that all relevant areas (for example, main implementing authorities, main final beneficiaries, forms of assistance/operations) are covered, although not necessarily in the same year. The information available from ex ante controls should be gathered and evaluated during the risk assessment.

8.17 The process set out above may be used to develop a draft audit plan which may then be adjusted on the basis of any additional information available to the auditor.
Among the main factors to be considered in selecting the areas to be audited are:
- information about the control environment and specific control risks;
- information about conflict of interest situations;
- whether the nature of the actions managed means that there are particularly high inherent risks;
- information from other sources relating to specific risk factors;
- information on the quality of the management and control systems, in particular the results of past audits by Internal Audit Service or other auditors on the operation of a project;
- the need to follow-up a selection of past audits to ensure that necessary improvements to systems have been made;
- the programme of control planned by the other auditors, in particular to avoid duplication and address any identified gaps in coverage;
- the level of risks involved in the different funded activities, including “problematic actions” and actions in which significant problems have been noted or are expected.

8.18 Adjusting factors may be applied to the selection of the areas to be audited including the physical location of organizations/activities (for example to prevent excessive travel time during the audit) and the types of project to be covered. These adjusting factors may also be applied as a filter before the selection process. Appendix 3 provides further guidance on the use of a risk assessment/sampling model to determine which projects to examine.

CONCLUSIONS ON RISK ASSESSMENT

8.19 When the Risk Assessment exercise has been completed the results of the work will inform the standard Audit Decision Tree model, see below, which directs the audit approach to be followed; in particular the linkage between controls assurance and what substantive testing should be carried out.
It should be stressed that this model is primarily designed for the audit of accounts and therefore in the case of the audit of Cohesion Fund it should only be used as a guide to the audit approach to be adopted; which will be a judgemental decision for the BSO to take. This is discussed in more detail in Chapter 9.

8.20 Substantive procedures are defined as:

Minimum Substantive Procedures
Testing should be performed at this level if the maximum assurance is taken from the examination of controls, or if the area to be tested is deemed to be not material and no significant risks have been identified.

Standard Substantive Procedures
Testing should be performed at this level if no risks have been identified that indicate potential material error and no reliance is to be placed on the examination of controls.

Focussed Substantive Procedures
Testing should be performed at this level if risk has been identified that indicates potential material error and no reliance is placed on mitigating controls.

Note: Different Audit Objectives can be substantively tested at different levels; for example, the Completeness and Regularity Objectives might be perceived to have a higher risk of material error than, say, the Measurement Objective.

International Standard on Auditing

International Standard on Auditing 400 provides additional guidance on risk assessment and internal control.

9 AUDIT APPROACH TO COHESION FUND INCOME AND EXPENDITURE

General Considerations

9.1 Having completed the risk assessment the BSO will need to incorporate their understanding of the business and of the control environment within the Management Framework into the detailed planning exercise and the audit approach to be adopted.

Audit Information

9.2 Before concluding on the audit approach, the BSO will need to establish the Cohesion Fund population that they are auditing. This will involve confirming:
- the number of projects that are in operation;
- the annual income relating to each project;
- the annual expenditure relating to each project; and
- the bank balances for each project at the year end.

9.3 In terms of the overall audit approach it will be for the judgement of the BSO to use the information obtained at 9.2 to determine how many projects, receipts and payments will be examined within each financial year: i.e. the degree of substantive testing to be carried out to support the controls examination. As the BSO examination is not directly linked to the audit of any specific account, the concept of materiality will mainly involve the determination of the throughput of receipts and payments within each year. As part of the longer term strategy the BSO audit approach should aim to ensure that each project is examined at least once in its lifetime.

Understanding the Business

9.4 In order to determine the audit approach it is essential to identify which parts of the Management Framework in Slovenia are responsible for operating the key controls over Cohesion Fund; the following diagram details the higher level control framework:

[Figure: MANAGEMENT & CONTROL FRAMEWORK IN SLOVENIA. Bodies shown: European Commission; Managing Authority (GOSP); Paying Authority, National Fund (NF); Intermediate Bodies (MESP and MoT); Implementing Bodies (Municipalities and Transport Sectors). Flows shown: Flow of Funds, Payment of Funds, Claim for Funds, Payment of Claim, Expenditure Claims.]

THE AUDIT TRAIL

9.5 Article 6 of CR 1386/2002 requires that Member States' management and control systems should provide a sufficient audit trail. The detailed roles and responsibilities of all the above elements should be set out in a documented audit trail. A clear understanding of the Management Framework and the control systems in place at each level of the organisation should allow the BSO to identify a clear audit trail to cover all aspects of Cohesion Fund. Hence obtaining a full "Understanding of the Business" should be a pre-requisite for all BSO staff prior to carrying out an audit. This understanding is essential to both the planning and audit examination processes. Auditors should therefore ensure that they are familiar with these systems and that the description which they have of the audit trail is up to date.

9.6 In terms of the Cohesion Fund, the audit trail should follow the "cradle to grave concept", starting with the national strategy and overall agreements entered into with the European Union; through project application and approval; funding and payments; monitoring, evaluation and reporting; and culminating in final certification.
A sufficient audit trail is one that permits:
- reconciliation of the summary amounts certified to the European Commission with the individual expenditure records and supporting documents at the various administrative and final beneficiary levels; and
- verification of the allocation and the transfers of the available Community and national funds.

9.7 The results of audits carried out previously should be examined in the light of the audit trail to identify any improvements that need to be made to the operation of the management and control systems under review. These individual systems should include the relevant managerial levels.

9.8 The audit trail should provide a clear description of the flows of Cohesion Fund finance and information, their documentation and their control, analysed to project manager/ final beneficiary level. In particular, the audit trail should show:
- processes and who is responsible;
- which documents are created and data systems used, and who is responsible for these;
- which management and control systems exist for financial data flows, who audits them and how the findings are reported; and
- who audits Cohesion Fund expenditure, results, efficiency and management expenditure and what is the reporting system.

9.9 The Management Control Framework at 9.4 shows the flow of funds from the designated authority to the Implementing Body and the flow of information on progress and performance from the IB through to the Commission. The areas where appropriate controls should be present are indicated on the left of the figure. It is the operation of these systems which should be documented and tested during an audit of authorities or final beneficiaries. Note that the actual controls implemented will vary according to the nature of individual systems and according to the level of an audited body within the audit trail hierarchy.

9.10 In order to follow up the information flow (the reports statement of expenditure from the project managers) and the financial flow (the advances paid to the IB), the details of the last statement received by the Commission, and the last advance paid by the Commission, need to be reconciled with the accounting system and bank statements of NF, Intermediate and Implementing Bodies.

9.11 The review of the audit trail and the identification of possible weaknesses are an integral part of the preparation of an audit. In the same way, the preparation phase of the audit should include consideration of the extent to which the audit trail has been kept up to date.

Setting Audit Objectives

9.12 Audit objectives need to be set in order to gain appropriate evidence to enable the auditor to draw conclusions on the effectiveness of the management and control systems in operation in ensuring that Cohesion Fund expenditure claims are correct. Two sets of audit objectives are recommended: the first for looking at the general management and control system for administering Cohesion Fund and the second for examining control systems and expenditure specifically at the final beneficiary level, as detailed in Figures 1 and 2 below.

9.13 Individual audits may seek to address all of the objectives set out, or may address specific areas determined as a result of risk assessment or for the purposes of a follow-up audit. The appendices contain checklists/questionnaires which should be used during audits at Member State authorities. These can of course be adapted to suit the particular type of Cohesion Fund project being audited (e.g. road, rail, water treatment, wastewater treatment).
There are ten main audit objectives, which should be addressed during audits of the Member State authorities responsible for managing and controlling Cohesion Fund actions. These audit objectives are intended to provide appropriate evidence to enable the auditor to draw conclusions on the effectiveness of the management and control systems in operation. A typical audit will both examine management and control systems, and verify one or more declarations of expenditure by means of following the expenditure through the system to selected project managers/ final beneficiaries.

Figure 1: Audit objectives relating to the audit of Member States’ management and control systems

Audit objective 1. Activity / Process: Systems descriptions
Objective: Whether there are adequate procedures to ensure that systems descriptions are reviewed and updated and changes notified to the Commission as required. (Art. 5 and Art. 12 of Commission Regulation 1386/02)

Audit objective 2. Activity / Process: Approval
Objective: Whether there are adequate procedures to ensure that applications for aid and the decisions reached on those applications comply with the relevant rules, are in accordance with the needs of the area in question, and that decisions by the authority are fully documented. (Art. 10 of Council Regulation 1164/94)

Audit objective 3. Activity / Process: Monitoring
Objective: Whether there are adequate procedures for the effective monitoring of both the physical and financial progress of Cohesion Fund projects throughout their lifetime.

Audit objective 4. Activity / Process: Guidance
Objective: Whether there are adequate procedures in place to ensure that adequate guidance is given to the bodies responsible for the implementation of Cohesion Fund projects. (Art. 2 of Commission Regulation 1386/02)

Audit objective 5. Activity / Process: Irregularity reporting
Objective: Whether there are adequate procedures to ensure that irregularity reports are prepared, submitted, followed-up and recoveries made where appropriate. (Art. 7 of Commission Regulation 1386/02)

Audit objective 6. Activity / Process: Audit
Objective: Whether there are adequate procedures and arrangements in place for the audit of Member States’ management and control systems for the Cohesion Fund (Art. 9, 10, 11, 12 of Commission Regulation 1386/02) and for the drawing up of the winding-up declaration (Art. 12.1(f) of Council Regulation 1164/94 and Art. 13, 14 and 15 of Commission Regulation 1386/02).

Audit objective 7. Activity / Process: Operational Checks
Objective: Whether the relevant authorities have adequate financial and checking procedures to ensure the regularity, legality and eligibility of expenditure. (Art. 4 and 8 of Commission Regulation 1386/02)

Audit objective 8. Activity / Process: Publicity
Objective: Whether there are adequate arrangements in place to ensure compliance with the publicity requirements set out both in the Commission Decision for the particular project and in Commission Decision 96/455.

Audit objective 9. Activity / Process: Accounting information
Objective: Whether the Member State has adequate procedures for maintaining adequate accounting records on projects which are available to the Commission on request. (Art. 16 of Commission Regulation 1386/02)

Audit objective 10. Activity / Process: Audit trail
Objective: Whether there are adequate procedures in place to ensure that the management and control systems provide a sufficient audit trail. (Art. 6 of Commission Regulation 1386/02)

9.14 As outlined below, the main purpose of the checks at final beneficiaries is to determine whether the relevant aspects of Member State authorities’ management and control systems relating to actions are operating satisfactorily. Audits will also involve the documentation of Implementing Bodies' systems (audit trail) as they affect Cohesion funded activity.

Figure 2: Audit objectives relating to audits at project managers/ final beneficiaries

Audit objective 1
Objective: Whether eligibility rules have been followed in selecting project managers and projects/ actions for Cohesion Fund support.

Audit objective 2
Objective: Whether receipts and payments are accurately recorded in the project manager/ final beneficiary’s accounting system, assets are correctly recorded, and that these amounts are correctly reflected in demands for payment.

Audit objective 3
Objective: Whether (in respect of public authorities or bodies, and where necessary), services or actions funded under the Cohesion Fund are procured on the basis of a proper call for tenders, that there are sound controls over the opening of tenders and that all tenders are fully evaluated before a final decision is made on the supplier of the service/action.

Audit objective 4
Objective: Whether progress made is truly and fairly reflected in any reports or other information submitted to Member State authorities and to the Commission.

Audit objective 5
Objective: Whether the project manager/ final beneficiary has complied with Community rules on publicity, information, equality and the environment and any other relevant Community law.

Designing Substantive Tests

9.15 Appendix 4 provides guidance on designing substantive tests to meet the audit assertions.

Audit Programmes

9.15 Audit tests need to be devised to gather the evidence to address the audit objectives. Accordingly Appendix 5 gives examples of tests that may be used to address the audit objectives for the overall management and control system audit of Cohesion Fund and the substantive tests to be carried out centrally; whilst Appendix 6 lists tests that may be used for the audit objectives for the audit of Implementing Bodies.
These tests will enable the BSO to obtain evidence to establish whether or not the management and control systems provide a sufficient audit trail.

Audit Strategy

9.16 The competent national authorities under the responsibility of the independent body designated under Article 12 of Regulation 1386/2002 should prepare an audit strategy for the Cohesion Fund which:
- Takes account of the whole audit effort undertaken by the different national and regional control authorities, and in particular that required by Article 8, Articles 9 to 11 and Articles 13 and 14 of Regulation 1386/2002;
- Covers the whole period up to closure;
- Provides the framework within which annual audit programmes will be established;
- Identifies the bodies which will be responsible for audit work and the scope and objectives of their work, their resources and their methodology;
- Provides assurance that there will be an adequate basis for the certification of expenditure under Article 8 of Regulation 1386/2002, that the effectiveness of the management and control systems in place will be verified regularly during the programming period, that 15% of total eligible expenditure will be checked in accordance with Articles 9 and 10 of Regulation 1386/2002, that these checks will be spread evenly throughout the programming period up until closure, and that consequently there will be a sufficient basis for drawing up the winding up declaration under Article 13;
- Is validated by the independent body designated under Article 13.

10 AUDIT EVIDENCE

10.1 This Section describes the general concepts of audit evidence and should be read in conjunction with the revised International Standard on Auditing 500, which was approved in October 2003.

Concept of Audit Evidence

10.2 The overall aim is that the auditor should obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the audit opinion. "Audit evidence" is all the information used by the auditor in arriving at the conclusions on which that audit opinion is based.

Sufficient and Appropriate Audit Evidence

10.3 Sufficiency is the measure of the quantity of audit evidence. Appropriateness is the measure of the quality of audit evidence; that is, its relevance and reliability in providing support for, or detecting, misstatements. The quantity of audit evidence needed is affected by the risk of misstatement (the greater the risk, the more audit evidence is likely to be required) and also by the quality of such evidence (the higher the quality, the less may be required). Hence sufficiency and appropriateness of audit evidence are inter-related; although merely obtaining more evidence may not compensate for its poor quality.

10.4 The reliability of audit evidence is influenced by its source and nature and is dependent on the individual circumstances in which it is obtained. In order to obtain reliable audit evidence, the information on which the audit procedures are based needs to be sufficiently complete and accurate.
Whilst recognising that exceptions may exist, in general audit evidence is more reliable when it is:
- obtained from independent sources outside the entity;
- supported by effective internal controls, when generated internally;
- obtained directly by the auditor (observation of the application of a control);
- in documentary form, whether paper, electronic or other medium (a written record of a meeting is more reliable than an oral report); and
- in the form of original documents, which are more reliable than photocopies or facsimiles.

10.5 Visual evidence is highly reliable for confirming the existence of assets, but not their ownership or value; whilst oral evidence must be considered as the least reliable. Whenever feasible, auditors should attempt to obtain documentary confirmation of oral evidence (e.g. agreed written records of interviews). When this is not feasible, oral evidence might be corroborated by interviewing separately more than one person.

The Use of Assertions in Obtaining Audit Evidence

10.6 The auditor should use audit assertions for classes of transactions, account balances, and presentation and disclosures in sufficient detail to form a basis for the assessment of risks of material misstatements and for the design and performance of further audit procedures.

10.7 It is for the judgment of the auditor to determine how to test against the relevant assertions for the audit of Cohesion Fund. The auditor should take into account the legislative framework and all other regulations or directives that might affect the issue of regularity. Examples would be:
- Completeness - to obtain audit evidence to ensure that all transactions and events that should have been recorded, have been recorded;
- Occurrence - to obtain audit evidence to ensure that all transactions and events that have been recorded have occurred and are pertinent to the audited body; and
- Existence - that all assets recorded by the audited body actually exist.

Procedures for Obtaining Audit Evidence

10.8 The auditor should obtain audit evidence to draw reasonable conclusions on which to base the audit opinion by performing audit procedures:
- Risk Assessment Procedures - to obtain an understanding of the entity and its environment, including internal controls, to assess the risk of material misstatement. By themselves, such procedures do not give sufficient appropriate audit evidence on which to base the audit opinion, and are therefore supplemented by:
- Tests of Controls - to test the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements; and to support the risk assessment; and
- Substantive Procedures - are always required to support the judgmental risk assessment and the inherent risks of internal control failures: they are designed to detect material misstatements at the assertion level.

10.9 Audit evidence may be obtained by one or more of the following procedures, which may be used as risk assessment procedures, tests of controls or substantive procedures, dependent on the context in which they are applied by the auditor.
- Inspection of records or documents - examining records or documents, both internal and external, in paper or electronic form;
- Inspection of tangible assets - physical examination of the assets;
- Observation - looking at a process or procedures being performed by others;
- Inquiry - seeking information of knowledgeable persons both within and outside the entity;
- Confirmation - is a specific type of inquiry based on obtaining information directly from a third party;
- Recalculation - checking the mathematical accuracy of documents or records;
- Re-performance - the auditor's independent execution of procedures or controls that form part of the entity's internal controls; and
- Analytical Procedures - evaluation of financial statements and interrelationships or comparisons between elements of relevant information (see also ISA 520).

10.10.1 The auditor should evaluate at an early stage in the audit process which method of obtaining evidence will be suitably reliable, and balance the reliability of the audit evidence against the cost of obtaining it. Similarly, the auditor should use professional judgement to evaluate the quantity and quality of audit evidence and its sufficiency and appropriateness, to support the audit opinion.

11 DOCUMENTATION AND FILING

11.1 This Section sets out the general principles and practice for maintaining effective documentation and files.

The Benefits of Effective Documentation

11.2 Auditors should effectively document the audit evidence in working papers, including the basis and extent of the planning, work performed and the findings of the audit.
The benefits of effective documentation are that it:

- aids planning;
- provides a record of weaknesses, errors and irregularities detected by the audit;
- confirms and supports the auditor's judgements, opinions and reports;
- serves as a source of information for preparing reports or answering enquiries from the audited body or from any other party, and provides a record of work done for future reference;
- shows compliance with Auditing Standards and Guidelines, and with the internal procedures of the BSO;
- supports (or provides a defence against) claims, law suits and other legal processes;
- helps and provides evidence of the auditor's professional development;
- aids review, supervision and quality assurance (see below).

11.3 Effective documentation is particularly important for review, supervision and quality assurance. The main advantages are that it helps the reviewer to:

- ascertain whether the audit objectives have been achieved;
- ensure that delegated work has been properly performed;
- assess the judgements made by the auditor during the course of the audit and identify areas where additional work may be necessary to obtain evidence required to reach conclusions or make recommendations;
- carry out the tasks of reviewing audit working papers and supervising audit staff more efficiently and effectively; and
- provide the basis for independent quality assurance reviews.

Content of Working Papers

11.4 All audit steps must be carefully documented, as well as the resulting observations and conclusions. This documentation is collectively known as working papers. The main examples of working papers are:

- The audit planning documents
- Authority for the audit to proceed
- Interview records
- Record of documents reviewed
- Internal control analysis sheets
- Audit test plans and results
- Summary of audit findings

11.5 Working papers are the auditor's principal record of the work performed and the conclusions reached on significant matters and are essential to support an effective audit. They provide evidence of the auditor's exercise of due care; and help the auditor conduct and supervise the audit. All phases of the audit, from the basic planning to the preparation of the final draft of the report, should be in the working papers.

11.6 It is not possible to prescribe exactly what working papers should or should not include. As a general principle, however, a well-documented set of working papers will be sufficiently complete and detailed to enable an experienced auditor having no previous connection with the audit to ascertain from them what work was performed to support the conclusions.

11.7 Working papers must have a series of physical qualities such as clarity, legibility, completeness, relevance, accuracy, conciseness, neatness and be understandable. If computer evidence is used, there should be adequate identification that completely describes its origin, content and location. They should be planned and, in many cases, formatted at an early stage in the audit. Prior years' working papers, if available, might be used as a guide.

11.8 In order to facilitate review, and in particular, to assist the reviewer in finding and evaluating the audit evidence that supports conclusions, recommendations and reports it is essential that working papers are cross-referenced backwards and forwards. These cross-references should clearly show the source and destination. It is to be noted that good cross-referencing requires clear and logical initial referencing of all working papers.

11.9 Working papers should normally be prepared on the basis that they might be used as evidence in any legal procedure that could arise. Thus, auditors should sign and date their individual working documents.
It should be clear from the examination of a completed set of working papers, who they were reviewed by, when, and what was the outcome of the review. Notes of reviewers indicating agreement, incomplete or unclear items should be retained. These are essential for use by higher level reviewers. The documentation should include a record of all contact with the audited body on significant matters (e.g. weaknesses found during tests of control, assurances received from the audited body's management, etc.).

Current and Permanent Files

11.10 Working Papers relating to individual audits are generally known as current files. Individual current files will be established and maintained by the BSO for each project. They will routinely contain the following information which will provide a full history of the project and of the audit examinations that have been carried out relating to that project:

- A copy of the Financial Memorandum/Contract detailing values, duration, location, measures and details of the Implementing and Intermediate Bodies;
- Details of any amendments to the funding of the Project;
- Key findings arising from previous BSO examinations of the project; specifically, details of any unresolved issues or matters highlighted to be examined in future visits;
- Details of the BSO examination at the National Fund and the sponsoring Ministry;
- Copies of any reports produced by Internal Audit, the Court of Audit, the ECA or Commission and private firms;
- Details of proposed future visits to the project contained in the longer term audit plan; and finally
- At the conclusion of the project, details of the winding-up declaration and of the submissions sent to the Commission.

11.11 In addition to current files, permanent files should also be established and maintained by the BSO.
These contain the overall legislation and planning information that covers all Cohesion Fund projects. They should routinely include:

- All EU/EC Regulations, guidance and directives relating to Cohesion Fund;
- All relevant National Legislation;
- The National Strategy for the implementation and delivery of the Programme;
- Copies of the higher level reports produced by the ECA/Commission covering the Programme;
- Details of the working arrangements and responsibilities of all other organisations involved in the management of the Fund;
- The Annual BSO Audit Plan/Approach for the examination of the funding;
- Results of high level systems reviews and examinations;
- Copies of reports submitted by the BSO to the Commission;
- Copies of any Management Letters prepared by the BSO, which might routinely include details of the number of projects examined each year and the percentage of expenditure covered.

Confidentiality of Audit Information

11.12 The BSO frequently has access to information which may be considered sensitive from a commercial, political or security point of view. Accordingly the staff of the BSO must exercise due professional care to ensure that such information is properly safeguarded. Procedures and controls have been established to assure the physical security of working papers. Similarly, it is normal to treat working papers, communications with audited entities and draft reports as confidential documents, until recognised and established procedures for their release have been followed. The BSO must balance the need for confidentiality of audit information with any legislation allowing freedom of information to citizens.

Retention of Audit Documentation

11.13 The BSO has a clear policy for the storage and retention of documentation which supports the conclusions reached in published reports.
This policy covers, amongst other things:

- length of retention before destruction (this varies according to the status of documents);
- transfer of files from audit units to central archives;
- standard file contents, indexing and retrieval procedures.

12 AUDIT REPORTING

12.1 The report is the main vehicle for communicating the results of an audit. Reports should be clear and concise, highlighting the main conclusions of the audit. Audit recommendations should be ranked, as to their importance to the Cohesion Fund process, and should indicate the action needed to address weaknesses identified. All reports should contain an executive summary setting out the key findings and conclusions and should contain key recommendations and their ranking of importance.

12.2 Major errors or system weaknesses should be discussed with relevant staff from the audited body during the audit, both to confirm the auditor’s understanding of the nature of the error or weakness, and to allow discussion of and agreement on the action needed and agreed due date to correct errors and improve systems. Subsequently, the auditor should check the relevant facts in writing with the audited body. Audit working papers should include management comments on discussions held. BSO may decide to agree a formal Action Plan with the audited body which will detail the:

- Findings in order of significance;
- Audit Recommendation; and
- Conclusion/Actions required.

12.3 Reports should contain sufficient detail on audit findings and conclusions to demonstrate to the audited body the weaknesses in the systems, and recommendations should state clearly the remedial action that is necessary. Management responses on recommendations made should be included in the audit report.
12.4 Following the conclusion of the audit, auditors should aim to produce the audit report within a maximum of one month after the field visit to ensure that audited bodies can rectify weaknesses at the earliest possible opportunity.

12.5 The letter accompanying the audit report should request a formal reply by an agreed due date (for example, two months after the issuance date). The audit reply should, for each recommendation:

- agree with the recommendation and give details of how it has been implemented (supported with relevant documentation);
- agree with the recommendation and provide a timetable for implementation; or
- provide reasons for not agreeing with the recommendation.

12.6 There should be regular monitoring of outstanding replies; the contents of all replies received will form the basis for future risk assessments.

Contents of the Audit Report

12.7 The audit report should contain the following items:

- Executive summary
  o Scope
  o Conclusion
  o Summary findings
- Methodology
- Detailed Findings and recommendations

Executive Summary

12.8 The executive summary consists of 3 sections:

- Definition of the scope of the audit, which could be to:
  o ascertain the accuracy of the expenditure declared by the designated authorities in support of the last payment request;
  o examine the operation of the management and control system; and
  o verify the operation of the systems by examination at the final beneficiary level.
- The conclusion should describe the overall opinion of the auditor on the work audited;
- The summary findings of the audit should list the findings of the audit and note their respective importance.

Methodology

12.9 The audit methodology should be briefly outlined. Information provided should include the authorities and actions chosen for examination, the reasons for choice, and broad details of the checks carried out.
Detailed Findings and Recommendations

12.10 Findings should include a short description of weaknesses noted or errors found and the reason for any deviation. This will enable audited bodies to verify the points made and to take corrective action. Each finding should result in a recommendation. Some findings can be grouped and result in one recommendation.

12.11 Recommendations should receive a ranking, for example:

1: requires immediate action
2: requires action within 3 months
3: requires action between 3 to 6 months
4: requires action over 6 months

12.12 Reports should include specific recommendations for action by the audited body to address weaknesses found during the audit. These recommendations should be clear and should be supported by convincing evidence as to the need for action. Ideally, a time limit should be set for taking the corrective action. The recommendations and replies will form the basis for any follow-up examination in the future.

12.13 At the end of an audit, for example at the Ministry or at an Implementing Body, the BSO may agree an Action Plan with the audited body to clearly document the follow-up actions to be taken by the audited body and to re-emphasise the timescale within which the actions to be taken should be finalised. A review of the outcome of this work should form part of any future BSO visit to that audited body, which should be detailed within the longer term audit plan.

Reports to the EC

Annual reports

12.14 In accordance with Article F(4) of Annex II to CR 1164/94, as amended by Article 12 of CR 1386/2002, an annual report is required for each complete year of implementation.
The purpose of the Article 12 report (see Model at Appendix 8) in the context of the “Contract of confidence” will be to:

- Indicate any changes to the management and control systems;
- Indicate any proposed changes to the audit strategy;
- Provide a summary report on the audit activity for the previous year (both systems audits and audits of operations), the main results, and follow up of outstanding issues from earlier years;
- Draw a conclusion with regard to the assurance obtained for the expenditure for the year concerned.

The report should be drawn up under the authority of the Article 13 body who should sign (or countersign) the report. The systems audit reports should in addition be sent to the Commission as soon as they are finalised, with a summary of findings and recommendations which can be introduced into SYSAUDIT. The Article 12 report will be discussed in the annual bilateral meeting.

Final Report and Certification

12.15 The Final report is to be submitted within six months of the physical completion of the project, should report on the work carried out, the expenditure incurred and the conformity with the decision approving the project; and should give an initial appraisal of the chances of achieving the project objectives.

12.16 When each project, step of project or group of projects is wound up, the Slovenian government presents to the Commission a declaration summarising the conclusions of the checks carried out during previous years. That declaration should also include an assessment of the validity of the application for payment of the final balance, and the legality and regularity of the expenditure covered by the final certificate. The declaration will be prepared by the BSO.

12.17 Responsibility for the preparation of these reports rests with the BSO.
The reports should contain information from audits undertaken by the BSO each year on each project and should indicate changes to the management and control systems identified in the audit trail for each project.

Evaluation of Errors

12.18 The BSO will need to record the results of the errors found during each project examination and consolidate those results into an annual evaluation of errors and their consequences. That annual evaluation should include details of:

- The total value of errors identified and what proportion of the total annual receipts/payments they represent;
- What actions have been taken to correct errors that were identified and/or to effect the recovery of ineligible payments;
- The extent to which errors found were deemed to be systemic, i.e. could apply to expenditure not actually covered by substantive testing (either within the project examined or to other projects);
- In the event of systemic errors having been identified, what further work the BSO has carried out to assess the likely effect across all Cohesion Fund projects;
- What lessons have been learned from the nature of the errors found in terms of perceived weaknesses in the control environment;
- Based on those identified weaknesses, what recommendations the BSO has made to improve the control environment; and
- How they plan to ensure that those recommendations are implemented by the management authority.

(Appendix 11 gives Commission guidance on the treatment of Financial Corrections)

Follow-Up Audits

12.19 As part of the overall planning strategy the BSO should consider the merits of carrying out follow-up audits to some or all of the audited bodies that are involved with the Cohesion Fund processes.
Given the Management Framework that operates in Slovenia, the likelihood is that the BSO will routinely visit the GOSP, the NF, the Ministries of Transport and Environment. Hence the concept of follow-up audits is most likely to occur at the Implementing Bodies - the Municipalities (for Environment) or the Transport Sectors.

12.20 When the BSO plan to carry out follow-up visits the audit examination should concentrate on ensuring that management have implemented recommendations for the improvement of control and for guarding against risk agreed with them during the previous audit. The follow up should ensure that controls have been introduced in the appropriate manner and that they are working effectively. In the event of management failing to effectively implement such recommendations, the BSO should consider reporting such failures to the appropriate internal authorities.

Amounts recoverable

12.21 Article 7 of Regulation 1386/02 requires the Paying Authority to keep a record of all amounts recoverable from payments of Community assistance already made. The same Article also requires the Paying Authority to send to the Commission once a year, in annex to the fourth quarterly report on recoveries supplied under Regulation (EC) 1831/94, a statement of the amounts awaiting recovery at that date, classified by the year of initiation of the recovery proceedings.

Accounting information

12.22 Article 16 of Regulation 1386/02 requires Member States to forward, on written request from the Commission, the accounting records referred to in Annex IV of the Regulation on projects. Such information should as far as possible be held in computerised form. Such records shall be made available to the Commission at its specific request for the purpose of carrying out documentary and on the spot checks.
This information should be delivered to the Commission within 10 working days of receipt of the written request, although a different period may be agreed, particularly where the records are not available in computerised form.

Sys-audit

12.23 DG Regional Policy is in the process of developing and introducing a new Audit Management System, SYSAUDIT. The objectives of this system are to offer a standard tool for the various Commission services auditing the Cohesion Fund and the Structural Funds, to provide a common data base for audits planned and executed by these services, to facilitate the standardisation and coordination of audit work and give easy access to information for the geographical units. It is intended, after sufficient testing of the system has been carried out, to give access to the system to approved administrations in the Member States.

12.24 The application consists of nine modules which include:

- Planning of the Annual Audit Programme and advising Auditee
- Allocation of Auditors and assistants/replacements
- Audit report production
- Recording of findings from the Audit
- Follow-up of findings
- DAS follow-up, the annual co-ordination meetings
- Document management for securely storing all correspondence related to an Audit.

12.25 SYSAUDIT will facilitate the follow up of audit report findings and recommendations and will trace the status of each finding until it has been closed. For open items, the SYSAUDIT system will remind the auditor, at the agreed date, to issue a letter to the auditee, reminding it that follow up action needs to be taken. In addition at audit planning stage, the system can be reviewed and projects with no or very slow action on recommendations identified as possible high risk areas. Once a report is finalised and satisfactory actions have taken place on all open items, the report can be closed.
The SYSAUDIT system will need to be updated to inform all concerned that the report is closed.

Systems description update

12.26 Article 12 of Commission Regulation 1386/02 also states that Member States shall provide to the Commission, by 30 June each year, any necessary amplification or updating of the description of their management and control systems communicated under Article 5(1) of the same regulation. Article 5(1) of Regulation 1386/02 required the initial description of the management and control systems to be forwarded to the Commission by 7 November 2002. A model report pursuant to Article 12 of Commission Regulation 1386/02 is contained at Appendix 8.

13 IRREGULARITY, FRAUD AND CORRUPTION

13.1 The purpose of this Chapter is to guide auditors of the BSO on the responsibilities and procedures for the prevention and detection of irregularities, fraud and corruption.

Respective responsibilities of Audited Bodies, Management and Auditors

13.2 The primary responsibility for the prevention, detection and investigation of errors and irregularities rests with those responsible for the management and execution of State policies, functions and programmes, (i.e. Ministries and other audited bodies). Management is responsible for establishing an effective system of internal controls to ensure compliance with laws and regulations.

13.3 The work of the BSO in this area should focus primarily on assessing the performance of the audited bodies in preventing, detecting and correcting irregularities. In designing steps and procedures to test or assess compliance, auditors should evaluate the audited body’s internal controls and assess the risk that the control structure might not prevent or detect non-compliance.
13.4 As a general principle, the auditor is not and cannot be held responsible for the prevention of fraud and irregularity. Similarly, an audit planned and implemented in accordance with auditing standards cannot give complete assurance that the financial information is free from material error. This is because errors which are intentional, arising as a consequence of fraud or irregularity, often involve attempted concealment which the auditor may not necessarily detect, even though his/her audit was planned and executed in accordance with auditing standards.

13.5 There are also inherent limitations placed on every audit because the test nature of an audit involves judgment as to the areas to be tested and the number of transactions to be examined. Furthermore, much audit evidence is persuasive rather than conclusive in nature.

Planning and undertaking a Regularity audit

13.6 The audit process has the following focus and emphasis:

- In planning the audit, the auditor obtains a general understanding of the legal framework applicable to the activity under audit and should understand how management complies with that framework. Amongst the sources of information that BSO auditors may refer to in carrying out this work are EC Regulations and the laws and regulations of Slovenia.
- In planning an audit of financial information, the auditor considers the extent to which the incidence of fraud or other irregularity is likely to be material, either by nature or by value. The auditor should assess the particular risk of fraud or irregularity in the body or function to be audited. Previous audit reports, investigations/reviews by the EC can be drawn on in making these judgements. Other factors to be considered include the:
  o complexity of the schemes and activities under examination;
  o competences and perceived integrity of the managers of budgets and funds;
  o likely reliability and/or sufficiency of the audit evidence available.
- There will always be a risk of internal controls failing to operate as designed. Any system of internal control may be ineffective against fraud involving collusion amongst employees or by management. This is because certain levels of management may be in a position to override controls that would prevent similar frauds by other employees; for example, by directing subordinates to record transactions incorrectly or to conceal them. The auditor may therefore review the adequacy of preventative mechanisms established by audited bodies, for example:
  o segregation of duties;
  o systematic rotation of staff in post;
  o internal oversight and inspections;
  o effective human resources policies, to monitor admission of new staff into the public service and to ensure that they properly understand the requirement for honesty and integrity;
  o establish a code of conduct designed to promote ethical behaviour amongst staff and provide guidance on such matters as: relations with third parties; acceptance of employment/appointments outside the public service; declaring conflicts of interest (e.g. where a staff member has interests outside public service which may conflict with their official duties);
  o monitor implementation of the human resources policies, including regular review of the code of conduct; and
  o appropriate procedures for reporting, investigating and acting upon possible irregularities and/or suspected fraud, including, where necessary, appropriate disciplinary measures.

Audit procedures to be adopted where fraud or other irregularity is suspected

13.7 If, during the risk assessment, or as results of tests of control or substantive testing, the auditor concludes that circumstances indicate the possible existence of a fraud, he/she needs to consider the potential impact of such an occurrence on the financial information.
If the auditor believes that the suspected fraud could have a material effect on the financial information, then he/she should perform such modified or additional procedures as are considered appropriate.

13.8 The extent of the auditor’s modifications to the audit plan, or additional audit procedures, will depend on his/her judgement about:

- the nature of the suspected fraud that could have occurred;
- the perceived risk that suspected fraud has actually occurred, based on the risk assessment or results of testing; and
- the likelihood that a particular type of suspected fraud could have a material effect on the financial information.

Performing additional audit procedures

13.9 The auditor should use his/her judgement to determine the audit procedures best able to indicate the existence of suspected fraud. These may include, amongst others:

- tests of control: used to provide evidence on the effectiveness or otherwise of the controls designed to prevent or detect fraud and irregularity;
- substantive testing: used to substantiate the scope and/or value of the suspected fraud;
- analytical procedures: used to corroborate, through comparison, trend analysis or predictive testing, the possibility that fraud or irregularity exists;
- interview techniques (used primarily in fraud investigation): used to provide corroborative evidence that fraud has occurred, usually from those around the individual(s) suspected of committing the fraud; and
- observation techniques: used to corroborate the suspicion of fraud, by observing changes in behaviour patterns of those suspected of committing fraud.

13.10 When carrying out interviews as a means of gathering evidence to substantiate fraud, the auditor needs to observe the rules of evidence appropriate to the jurisdiction in which he is operating.
This is to ensure that the evidence gathered from such work can be used in any judicial proceedings which the authorities decide to pursue. Before proceeding with any additional audit procedures, the auditor should consider whether to seek guidance or assistance from experts in fraud investigation, such as the prosecuting authorities.

Reviewing the results of additional work

13.11 Performing modified or additional procedures may enable the auditor to confirm or dispel a suspicion of fraud. Where confirmed, the auditor should confirm that the effect of fraud is properly reflected in the financial information. In some cases, the auditor may be unable to obtain sufficient evidence either to confirm or dispel a suspicion of fraud. In that situation, the auditor should consider the possible impact of this uncertainty, both on the financial information and on the statement of assurance. The auditor will also need to consider the relevant laws and regulations of the jurisdiction in which the suspected fraud has occurred. As appropriate, the auditor may wish to obtain legal advice before reporting.

13.12 Unless circumstances clearly indicate otherwise, the auditor does not assume that an instance of fraud is an isolated occurrence. If the fraud should have been prevented or detected by the system of internal control, the auditor should re-consider any prior evaluation of that system and, if necessary, adjust the nature, timing and extent of substantive procedures.

13.13 When a fraud involves a member of senior management, the auditor needs to reconsider the reliability of any representations made by that person to the auditor.
Audit procedures where irregularities other than fraud are identified

13.14 When the auditor becomes aware of information concerning a possible existence of irregularities other than fraud, for example, irregularities arising from unintentional error, oversight or ignorance of the law, the auditor should obtain an understanding of the nature of the irregularities and the circumstances in which they have occurred; plus sufficient other information to evaluate the effects on the financial information. For example, the auditor should consider:

o the potential financial consequences;
o whether, and how the financial consequences of the irregularity should be disclosed in the financial information; and
o whether the potential financial consequences are so serious as to impact on the audit opinion or statement of assurance on the legality and regularity of the underlying transactions.

13.15 In the first instance, where the auditor discovers what may be an irregularity, he/she should document the findings and discuss them with the audited body’s management. If management does not provide satisfactory information that the transactions concerned are, in fact, regular, the auditor may consult with management’s legal adviser about the application of the relevant laws and regulations to the particular circumstances and the possible effects on the financial information.

13.16 If the auditor believes that the irregularity could have a material effect on the financial information, he/she should consider the effect of the irregularity on the opinion and as appropriate, perform additional audit procedures as he/she considers necessary.

Other implications of irregularities

13.17 Where the auditor finds that within the audited body, there is a high incidence of irregularities, the impact of these failures could have additional effects:

- it may raise doubts about other audit evidence supplied by the audited body, including compliance reports and management representations;
- where internal controls have failed to detect irregularities, this may indicate significant.

Responsibilities for reporting on fraud or irregularity

13.18 As a general principle, the auditor needs to be aware of the internal and external reporting procedures which the BSO will normally apply when fraud, suspected fraud, or irregularity is discovered. Knowledge of these procedures, and timely consultation with the appropriate authorities (internal and external) is important to ensure that investigation of suspected fraud is properly carried out, without risk of compromising any judicial or administrative proceedings that may follow.

Internal reporting (within the BSO)

13.19 The auditor should normally observe the internal reporting procedures for the notification of fraud, suspected fraud or irregularity that the BSO has prescribed. To help determine the most appropriate action to take, the auditor should report to his senior audit management where:

o the results of the initial risk assessment, tests of control or substantive testing indicate a possibility that fraud exists;
o the results of the additional audit procedures point to suspected fraud; and
o management of the audited body fail to take the appropriate action to investigate or report the suspected fraud.

Reporting to the Audited Body (Management)

13.20 Once the auditor has carried out additional audit procedures to confirm the existence or otherwise of suspected fraud or other irregularity, he/she should then report the findings to the management of the audited body as soon as possible.
This is normally done via the senior management of the BSO.
13.21 The auditor needs to consider all aspects of the suspected fraud in determining who to report to in the management of the audited body. In particular, the auditor should assess the likelihood of senior management involvement in the fraud. In most cases, it is appropriate for the auditor to report the findings to a management level above that responsible for the persons believed to be implicated in the fraud. However, where the auditor has doubts about the integrity of those persons ultimately responsible for the overall direction of the audited body, the auditor should normally seek advice to assist him/her in determining who to report to on the suspected fraud. Such advice would normally be sought from the Head of the BSO.
13.22 In the case of suspected fraud or other irregularity, the auditor’s interest does not end when he/she has reported to management. The auditor should monitor the audited body’s response to the notification of the suspected fraud or irregularity and in particular, confirm that:
o the audited body’s management have taken the necessary action to investigate the suspected fraud or irregularity (for example by asking Internal Audit to carry out further work, as appropriate);
o management have notified, and sought advice from, the appropriate authorities (for example, the Police);
o management have reported the proven fraud, suspected fraud, or other irregularity in accordance with any statutory requirements.
Arrangements in Slovenia
13.23 There are already systems in place within Slovenia for the handling of "irregularities". In general the same procedures apply to both EU and National Funds, with the additional factor of agreements entered into between the Republic of Slovenia and the European Union.
The guidance currently in place is part of the Public Internal Financial Control (PIFC) initiative and applies equally to internal and external auditors.
13.24 In Slovenia the following organisations will be directly involved in the control systems for the treatment of irregularities in relation to Cohesion Fund:
o Government Office for the Prevention of Corruption
o Office of the State Prosecutor of the Republic of Slovenia
o Ministry of Justice
o Ministry of Internal Affairs - Police, Criminal Investigation
o Ministry of Finance - the BSO
o Ministry of Finance - Tax Administration
o Ministry of Finance - Customs Administration
o Ministry of Finance - Office for the Prevention of Money Laundering
o Ministry of Finance - Foreign Exchange Inspectorate
13.25 In addition an Inter-Ministerial Working Group has been established, comprised of representatives from the above organisations, to liaise with the European Anti-Fraud Office (OLAF). More specifically, the BSO acts as the central control point for the collection of information and the reporting to OLAF of all instances concerning irregularities in the use of European Funds that are identified during internal audits, independent audits by the BSO and budget inspections.
APPENDIX 1: INFORMATION SYSTEMS AUDIT GUIDELINE
Introduction
Many administrative and financial functions are now carried out with the aid of computer systems. The term information systems (IS) has come into general use for all such systems, as the term does not prejudge the amount or type of technology concerned. This guideline deals with the methodology for audit of such information systems.
It is intended to provide guidance at the level required by the generalist auditor who is familiar with the issues and methods of IS audit, can undertake simple IS audit tasks, and can use IS audit specialists to serve general audit objectives. The guideline does not attempt to present detailed specialist information on the highly technical areas of the subject.
Basic concepts and definitions
The presence of information technology has no direct effect on the objectives of an audit, but it introduces specific control concerns and may mean that there have to be changes in the audit approach. Information technology brings two particular problems for management and auditors:
- computers and networks, like any technology, are vulnerable to breakdown and damage. As soon as an organisation or a function becomes dependent on information technology, therefore, contingency planning becomes more important than before and must take sufficient account of technical matters.
- data and programs held in computer systems are invisible and intangible, and they can be accessed or changed without leaving a trace. Management and auditors alike need to take special measures to be sure of the reliability, integrity and confidentiality of any data resulting from computers.
Generally-recognized control techniques have been developed accordingly. IS audit deals with the evaluation of these controls. Different components of IS audit should be distinguished because they require differing skill levels, techniques and timing; and because they make different contributions to audit work as a whole. Each of these components is now discussed.
General (installation) controls audit
General controls are the controls in place over a whole computer installation or network.
The quality of these controls has a pervasive effect on all applications run in that environment: for example, if there are weaknesses in access control at the installation level or for a whole network, it is most likely that all applications will be vulnerable to unauthorized access, regardless of any specific access controls in the applications themselves.
Most auditors need support from IS specialists to carry out a full general controls audit. However, full audits are not always necessary. Generalist auditors may be able to obtain sufficient assurance that data are complete and correct, and that internal controls covering the computer are functioning adequately so far as they affect a particular audit, without a full review of general controls. In some cases generalist auditors may rely on third party statements (TPS) given by specialist IS auditors. These TPS usually cover the general controls regarding computer centres and/or applications. Should TPS not be available, generalist auditors should nevertheless always evaluate certain non-technical general controls: see below.
The areas covered by general controls audits are set out below. The first four are general management issues which should be addressed by generalist auditors even when the technical aspects are not being examined.
General management issues
- organisational: strategic planning, structure and reporting lines of the IS department, adequate segregation of duties within the department
- IS security policy: exists, is adequate, communicated and followed
- continuity: back-up and standby arrangements
- management of IT assets
Specialist technical issues
- logical and physical access controls: detailed execution
- operations: all jobs submitted to the computer are properly authorized and are completely, accurately and promptly processed
- systems software (including specific access restrictions)
- programs maintenance and development procedures
- data/database management
- data communication (local) networks
ANNEX 1 gives guidance for generalist auditors on the first four subjects above.
Application audit
An application audit evaluates the internal controls specific to the input, processing, data files and output of a defined function. All auditors carrying out systems-based audits of administrative functions where information technology is used need to address this aspect of IS audit.
Applications audits are not necessarily highly technical. Generalist auditors will need to call on IS specialists where the application controls are exceptionally complex or technical, and there are no satisfactory compensating controls in the user area. But many applications are designed so that they give definite assurance to user managers that data and processing are in order without requiring them to be IS experts. In such cases, checks and procedures (including manual procedures) routinely carried out by user staff may give satisfactory assurance that data and output are reliable. In many audit situations this level of assurance will also be adequate for the auditors.
The aspects which must always be addressed can be summarized in a generally-applicable form as follows:
- Organisation and Documentation
Management responsibility for every aspect of maintaining and running applications should be properly allocated.
The costs of running applications should be identified and kept under review. All necessary documentation should exist considering the type of application concerned and the organisation's needs.
- Input
Only authorized items, and all authorized items, should be input. Data input to applications should be accurate and complete. (Input comprises both transaction and permanent/reference data.)
- Processing
Processing of transactions should be complete and arithmetically accurate, and the results (including generated data) should be correctly classified and recorded properly in the computer files. Other processing activities should be carried out on time and give correct results.
- Data transmission
Data should be transmitted accurately and completely.
- Standing data
The continued correctness of stored data should be ensured.
- Output
Output released whether on paper, via screens, on magnetic media, or through electronic links, should be correct and complete. Output should reach all those, and only those, for whom it is intended.
ANNEX 2 presents these headings together with illustrations of control techniques or procedures which might be found. It is important that each phase should include appropriate error-handling procedures, and references to these are made in Annex 2.
In deciding which controls he needs to rely on, the auditor should bear in mind that tests of control will need to establish, among other things, that the control operated correctly throughout the period subject to audit. It will usually favour good use of audit resources if, where he has a choice, the auditor seeks by preference to rely on controls in the user area which can be tested readily, provided that these give sufficient assurance about the control objective concerned. The use of CAATs may help to increase assurance.
If there has to be reliance on the more technical controls, it will often make a general controls audit necessary. For example, to be certain that validation checks made by a program always operated, the auditor would need to obtain definite evidence that controls over program changes were effective throughout the period - a question which would involve a full general controls audit.
Computer-assisted audit techniques (CAATs)
The term CAATs refers to the use of retrieval software (e.g. the product ‘IDEA’) which auditors may use to test controls or (much more commonly) to sort, compare or extract data for further testing. It is essential when using CAATs to ensure that the data being used by the auditor is in fact complete and correct.
Specialist help may be needed with CAATs. Whilst some CAATs products on the market can be used relatively easily by generalist auditors, where the task is complex, or where the data are not available to a package in the form it requires, more advanced programming skills are needed. In such cases CAATs can be an expensive use of audit resources; the decision on whether they are needed, and the design of the procedures, should depend closely on the objectives of the audit.
Examples of CAATs tests and procedures are:
- identifying erroneous values;
- identifying exceptional values;
- testing the posting or summarizing of transactions;
- re-performing computerized processing (e.g. foreign currency conversions);
- comparing data on separate files;
- producing aged analysis of accounts;
- stratification.
CAATs are the means to an end, not an end in themselves. The use of CAATs needs to be planned and they should only be used where they produce added value or where manual procedures are not possible or less efficient.
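As an added illustration (not part of the manual, and written in plain Python rather than a CAATs product such as IDEA), the sketch below runs several of the listed tests over a small constructed payments extract, starting with the reconciliation to control totals that shows the extract is complete. The column names, the vendor master, the review threshold and the band edges are all assumptions made for the example.

```python
"""CAATs-style tests on a constructed payments extract (illustrative only)."""
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample extract; the column names are assumptions for this example.
PAYMENTS_CSV = """\
payment_id,vendor_id,currency,amount,rate_to_eur,amount_eur
P001,V10,EUR,1200.00,1.0000,1200.00
P002,V11,USD,5000.00,0.8200,4100.00
P003,V12,USD,300.00,0.8200,264.00
P004,V99,EUR,250.00,1.0000,250.00
P005,V10,EUR,-75.00,1.0000,-75.00
P006,V11,EUR,98000.00,1.0000,98000.00
"""
# Control totals obtained independently of the extract (constructed values).
CONTROL = {"records": 6, "amount_eur_total": Decimal("103739.00")}
VENDOR_MASTER = {"V10", "V11", "V12"}                # constructed second file
EXCEPTION_LIMIT_EUR = Decimal("50000")               # assumed review threshold
STRATA_BOUNDS = [Decimal("1000"), Decimal("10000")]  # assumed band edges


def load(text):
    """Parse the extract, holding money and rates as Decimal, never float."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        for field in ("amount", "rate_to_eur", "amount_eur"):
            row[field] = Decimal(row[field])
    return rows


def completeness(rows, control):
    """Reconcile record count and value total to the control totals."""
    total = sum((r["amount_eur"] for r in rows), Decimal("0"))
    return {"records_ok": len(rows) == control["records"],
            "total_ok": total == control["amount_eur_total"],
            "total": total}


def erroneous_values(rows):
    """Payments whose amount cannot be valid (zero or negative)."""
    return [r["payment_id"] for r in rows if r["amount"] <= 0]


def exceptional_values(rows, limit):
    """Valid but unusually large payments that merit individual review."""
    return [r["payment_id"] for r in rows if r["amount_eur"] > limit]


def reperform_conversion(rows):
    """Recompute amount * rate; return {id: (recorded, expected)} on mismatch."""
    differences = {}
    for r in rows:
        expected = (r["amount"] * r["rate_to_eur"]).quantize(
            Decimal("0.01"), rounding=ROUND_HALF_UP)
        if expected != r["amount_eur"]:
            differences[r["payment_id"]] = (r["amount_eur"], expected)
    return differences


def unmatched_vendors(rows, master):
    """Compare two files: vendors paid but absent from the vendor master."""
    return sorted({r["vendor_id"] for r in rows} - master)


def stratify(rows, bounds):
    """Return {band index: (count, total)}; band 0 is below the first bound."""
    bands = {}
    for r in rows:
        band = sum(abs(r["amount_eur"]) >= b for b in bounds)
        count, total = bands.get(band, (0, Decimal("0")))
        bands[band] = (count + 1, total + r["amount_eur"])
    return bands


def run_tests(text=PAYMENTS_CSV):
    """Run every test and keep the settings used, for the working papers."""
    rows = load(text)
    return {
        "settings": {"control": CONTROL, "limit": EXCEPTION_LIMIT_EUR,
                     "bounds": STRATA_BOUNDS},
        "completeness": completeness(rows, CONTROL),
        "erroneous": erroneous_values(rows),
        "exceptional": exceptional_values(rows, EXCEPTION_LIMIT_EUR),
        "conversion_differences": reperform_conversion(rows),
        "unmatched_vendors": unmatched_vendors(rows, VENDOR_MASTER),
        "strata": stratify(rows, STRATA_BOUNDS),
    }


if __name__ == "__main__":
    for name, result in run_tests().items():
        print(name, "->", result)
```

The band totals returned by `stratify` add back to the control total, so the stratification itself confirms that no record was dropped between tests.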
The functions to be carried out should be documented in advance and the actual use made of CAATs should be recorded. Normal rules of audit evidence must be applied. The CAATs documentation should include details of all settings, queries etc. that were used to produce the results. In all cases, it is important to be able to show that the CAATs program operated on the complete and correct set of underlying records.
Audit of developing systems
Audits of developing systems cover two main aspects:
- the management of the development work. This may be the subject of a performance audit;
- the adequacy of the system design for achieving the internal control requirements of the function (these should normally be defined by user management).
It is important that new information systems should be designed in such a way that they are auditable and that there is sufficient internal control. Since making changes to the design becomes progressively more expensive in the later stages of development, auditors must consider carefully both the timing and the nature of their approach to new information systems. If no audit action is taken, there is a risk that systems may be introduced which lack important controls or are unnecessarily difficult to audit. On the other hand, any audit contribution must be made in such a way that audit independence is retained.
The possibilities are:
(a) carrying out an audit of the developing system;
(b) being directly involved as a user of the developing application; in such cases, audit independence should be preserved, for example by arranging that other audit staff will be available to review the system independently;
(c) ensuring that the project owner or another principal user represents auditability requirements as a management requirement of the system (in accounting systems it is quite logical for the accountant to do that, in consultation with both internal and external auditors);
(d) ensuring that the audited organisation has general application design standards that provide for auditability and that its quality control assures this (in addition, internal audit should have arrangements for keeping an eye on auditability generally).
Of these possibilities, (a) and (b) both demand considerable resources and may give little or no reportable audit result. It is therefore normally preferable to work through (c) and (d).
In order to foster (c), auditors should always take the opportunity of reminding management of the need to ensure that adequate management/audit trails are specified in new applications, and should invite consultation at the planning stage for important new financial systems. ANNEX 3 presents a note of generally-applicable application control requirements, which may be useful in discussions with user management of developing systems.
The general standards can be checked by an examination of the systems development methodology applied by the IS division of the audited body, and a dialogue with the IS standards branch and the internal auditors to ensure that it is executed properly.
Planning and staffing information systems audits
Staffing and training
Since there are now few functions without some computer component, all auditors need to know how the presence of computers influences the evaluation of internal control. Training programmes should reflect this general requirement.
Auditors need additional training to become specialists in IS audit. And IS professionals usually do not have training in control evaluation which equates to that of an auditor. Care must be taken therefore that staff who are to be IS audit specialists acquire and maintain an appropriate body of both IS and audit knowledge. Specific qualifications exist which can provide a measure of this.
IS audit specialists are often a scarce resource, use of which must be focused on the points where it is of greatest benefit. When this is so, it follows that IS specialists must only be called on when the objectives of the audit and the complexity of the information systems make their expertise necessary. The following section, on planning, gives guidance on this.
Generalist auditors can be trained in the use of CAATs products without having to become full IS specialists.
Planning and use of specialists
Standards of IS security and control are not absolute. Too high a level of control (“over-engineering”) is expensive and usually inefficient. The set of controls in place should reflect the purpose and use of each system, and is usually a mixture of technical and manual procedures. Efficient controls over computer processing may be found in manual procedures in user areas, or in user management activities. Information systems should, therefore, not be examined in isolation, but as part of the general audit of the whole administrative or financial function of which they are part. Only in this way can the auditor realistically assess the appropriate control standard and evaluate the interaction of technical and user controls.
At the planning stage, information should be gathered to decide on the scope of the IS audit to be carried out. It may be useful to consult an IS auditor at this stage to help decide on priorities. In particular, a decision should be made on whether a general controls review is necessary, and the extent to which CAATs will need to be used. Since both of these can represent an expensive demand on specialist resources, it may be necessary to apply strict priorities in the use of IS auditors.
In the light of the general objectives of the audit, the following factors should be taken into account:
- the extent to which the function concerned uses computer processing or data held on computers;
- the extent to which the correctness of processing and data is proved, to the degree necessary for the function, by controls in the user area, including user management procedures;
- the complexity of the computer processing, specifically the extent to which the function uses data generated by computer programs (as opposed to data which are simply recorded, sorted or analysed by the application);
- the size of the installation: for example, it may be intrinsically impossible to have good general controls because there are not enough staff to provide sufficient separation of duties. This will be the case, for example, if a full separation of duties cannot be made between programmers, operators and access administration;
- the sensitivity of the data and data protection obligations;
- any special difficulties in the management/audit trail. In older or poorly-designed systems there may be problems, for example in tracing the underlying details for data which are accounted for in aggregate, or in getting assurance that totals include all relevant transactions. These will increase the need for the auditor to use CAATs simply to establish that data are correct.
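The installation-size factor above turns on whether incompatible duties can be separated at all. As an added illustration (not part of the manual), the sketch below checks a constructed duty assignment for incompatible combinations and computes the smallest number of staff among whom a set of duties can be divided without any conflict. The duty labels and staff IDs are invented for the example; the incompatible pairs are taken from the factor above and from GA1 items 3, 8, 9 and 10 in Annex 1, and treating access administration as an IT duty under GA1.3 is an assumption.

```python
"""Segregation-of-duties check over a constructed duty assignment."""
from itertools import combinations, product

# Duty labels are names chosen for this example, not terms fixed by the manual.
IT_DUTIES = {"programming", "operations", "access_admin", "system_software"}

# Incompatible pairs, each tagged with the part of the manual it is drawn from.
CONFLICTS = {
    frozenset({"programming", "operations"}): "GA1.8",
    frozenset({"programming", "access_admin"}): "GA1.10",
    frozenset({"operations", "access_admin"}): "planning factor: installation size",
    frozenset({"system_software", "programming"}): "GA1.9",
    frozenset({"system_software", "operations"}): "GA1.9",
}
# GA1.3: IT staff cannot initiate or approve transactions.
# Assumption: every duty in IT_DUTIES counts as an IT staff duty.
for duty in IT_DUTIES:
    CONFLICTS[frozenset({duty, "transaction_entry"})] = "GA1.3"

# Constructed sample: who holds which duties.
ASSIGNMENTS = {
    "it01": {"programming"},
    "it02": {"operations", "access_admin"},
    "it03": {"programming", "system_software"},
    "fin01": {"transaction_entry"},
    "fin02": {"access_admin", "transaction_entry"},
}


def find_conflicts(assignments):
    """Return (person, duty, duty, source) for every incompatible pair held."""
    findings = []
    for person, duties in sorted(assignments.items()):
        for a, b in combinations(sorted(duties), 2):
            source = CONFLICTS.get(frozenset({a, b}))
            if source:
                findings.append((person, a, b, source))
    return findings


def min_staff(duties):
    """Smallest head-count that can hold `duties` with no incompatible pair.

    Brute-force colouring of the conflict graph; fine for a handful of duties.
    """
    duties = sorted(duties)
    pairs = [tuple(p) for p in CONFLICTS if p <= set(duties)]
    for k in range(1, len(duties) + 1):
        for holders in product(range(k), repeat=len(duties)):
            holder = dict(zip(duties, holders))
            if all(holder[a] != holder[b] for a, b in pairs):
                return k
    return len(duties)


def separation_feasible(staff_count, duties):
    """True if `staff_count` people are enough for full separation."""
    return staff_count >= min_staff(duties)


if __name__ == "__main__":
    for finding in find_conflicts(ASSIGNMENTS):
        print(finding)
    print("minimum IT staff for full separation:", min_staff(IT_DUTIES))
```

With these pairs, an IT department of two cannot separate programming, operations and access administration however the duties are allocated, which is the situation the installation-size factor describes.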
GLOSSARY
Application
A set of programs, data and clerical procedures which together form an information system designed to handle a specific administrative or business function (e.g. accounting, payment of grants, recording of inventory). Most applications can usefully be viewed as processes with input, processing, stored data, and output.
Back-up
Relating to the recovery of data and programs, and the provision of alternative operational capabilities, in the event of damage or loss.
Back-up copy
Duplicate of data or software maintained up-to-date and available for use in case of damage to or loss of the original.
CAATs (Computer-assisted audit techniques)
Computer programs for carrying out audit tests, retrieving, sorting or selecting data, or obtaining evidence on the correctness of processing.
Contingency planning (also called Business continuity planning, Disaster planning)
Plans and procedures to ensure that information systems (hardware, software, data and telecommunications) can be restored to availability at the level and in the time required after a disaster whereby the equipment and/or site become unusable.
Developing system
An application which is at any stage of preparation and not yet in live running (production). The preparation stages may include: proposal, feasibility study, user specification, design, prototyping, programming, program and system testing, user testing, conversion, pilot running.
Information systems (IS)
Systems which record, distribute or process information, generally with the use of information technology.
Information technology (IT)
Machinery, including computers, used for data handling and processing.
Logical access control
The use of software to prevent unauthorized access to IT resources (including files, data, and programs) and the associated administrative procedures.
Owner
The individual (or unit) responsible for particular (IS or IT) assets, including their security and correctness.
Program
The complete set of instructions necessary to solve a particular problem or carry out a particular (set of) procedure(s) on a computer.
Software
Computer instructions generally.
System software
A collection of programs used to control and manage the operation of a computer and the allocation and use of computer resources. (System software includes programs which can modify data or other programs without following the normal processes established in the application concerned; therefore access to system software should be very restricted and staff who have this access should be separate from the programming staff - and preferably also from the operations and access management functions.)
Third party statements (TPS)
Statements given by specialist IS auditors working for an organisation other than the SAI. TPS usually cover the general controls regarding computer centres and/or applications. See paragraph 3.6.
User
Individual or unit that makes use of information systems. Specifically, in business and administration, a department which uses information systems to carry out the functions for which it is responsible in the organisation.
ANNEX 1: GENERAL (INSTALLATION) CONTROLS
GENERAL MANAGEMENT ISSUES
CONTROL OBJECTIVES AND EXAMPLES OF CONTROL TECHNIQUES
CONTROL OBJECTIVES Possible procedures or controls
Note: These are, in each case, a range of possibilities given for illustration; they do not all have to be present to meet the control objective, and the objective may be met by other means. The auditor needs to make a judgment on the overall effectiveness of the mix of controls actually present, bearing in mind the size, complexity and importance of the system concerned.
GA. ORGANISATION AND MANAGEMENT
GA1. Planning, staffing, reporting and segregation of duties
To ensure that the IT department is correctly placed in the audited body (organization) and is adequately staffed, and that incompatible duties are separated.
1. The head of IT is of an appropriate rank in view of the importance of IT for the organisation and the position of the IT department within the overall organisation is consistent with the responsibilities and objectives assigned to it.
2. IT strategic plans are made and reviewed annually, and they receive senior management (direction or board) attention and approval.
3. IT personnel and user staff are separate: IT staff cannot initiate or approve transactions and user staff cannot write programs which would change data.
4. An IT organisation chart is published and kept up to date.
5. An IT personnel policy exists which will ensure recruitment, training and retention of staff with the necessary types of expertise and which provides for succession planning.
6. Adequate supervisory and approval levels exist in each functional area within the IT department.
7. Formal job descriptions exist in the IT department and are kept up to date.
8. Operations and programming staff are separate: operators may not write programs and programmers may not operate the computer.
9. If the IT department is large enough, staff who have access to system software should be separate from both programmers and operators.
10. Logical security (access rights and passwords) is administered by staff who are not responsible for programming.
11. Regular liaison is maintained with user departments.
12. There is a change management policy which governs the development and enhancement of applications and ensures that new programs are fully tested and are accepted by the user.
GB. SECURITY POLICY
GB1. Security awareness and policy
To define and communicate information security policies and procedures and to ensure that management, users and IS personnel are aware of security matters and follow security procedures consistently.
1. A policy for access, both logical and physical, to computer resources exists, is communicated and is adhered to by management and employees.
2. A physical security policy covering:
   - access restrictions to buildings, computer rooms, IT storage areas,
   - fire and other disasters,
   - contingency planning
   exists, is communicated and is adhered to by management and employees.
3. All staff who use PCs are required to sign a statement of the security and other practices they must follow, including physical security rules, use only of authorized (and licensed) software, and anti-virus measures (restrictions on importing dangerous data and programs).
4. Access to IT resources is controlled by individual user IDs and confidential passwords.
5. User IDs and passwords are set up by specific staff and only on the written authority of the manager of the person who needs access.
6. A policy on access by staff to outside resources including the Internet is defined and announced.
7. A security officer with appropriate technical expertise is nominated and is involved in the approval of access control schemes implemented.
8. Security procedures are periodically tested.
9. The security officer makes formal reports periodically on the state of security procedures and these reports are followed up by management.
10. Management has formal reviews of IS security carried out from time to time by specialists (either external consultants or internal audit).
11. If the network is open to access from outside (e.g. Internet), a firewall has been set up.
12. The firewall’s effectiveness has been reviewed by a specialist consultant.
GC. CONTINUITY AND DISASTER RECOVERY
GC1. Backup, off-site storage, recovery and disaster plan
To provide security against loss/damage of data and to ensure continuity of operations.
1. A detailed policy and procedure covering back-up of data and programs has been established.
2. File back-up routines are scheduled as part of the normal daily activities (especially important for distributed systems with remote input etc).
3. Back-up copies of key master files are made on an appropriate schedule and stored off-site.
4. Back-up copies of key application programs and documentation are made and stored off-site.
5. Back-up copies of operating system programs are made and stored off-site.
6. Off-site application and operating system programs are updated or replaced whenever significant changes are made to the programs. Access to the off-site master files, application programs and operating system programs is restricted to authorized personnel.
7. Recovery and restart procedures, including rapid restoration of corrupted or lost files, exist and are tested on a recurring basis.
8. A disaster (business continuity) plan exists which enables ongoing operations, at the level required by users, in the event of the IT department's inability to maintain the normal service.
9. The disaster plan is regularly tested (for example, annually). Formal reports on the tests exist and necessary action is taken by management.
10. Copies of the disaster plan are stored in a remote location.
GD. MANAGEMENT OF IT ASSETS AND USE OF EXTERNAL SERVICE PROVIDERS
GD1. Responsibilities for the organisation’s IT assets
To ensure that responsibility for management of IT assets is assigned.
1. Organisational ownership of every IT asset (hardware, software, applications and data) is defined.
2. Personnel and machine activity are accounted for.
3. Users are the owners of their data and applications.
4. Inventories of hardware exist and are regularly checked.
5. A reliable inventory of software (including software on PCs) exists and is regularly checked.
6. Responsibility for ensuring compliance with the terms of software licences is allocated and measures are carried out.
7. A clear policy exists on the management of and responsibility for end-user computing, covering among other things:
   - security (see GB1.3);
   - back-up requirements;
   - the extent to which programs may be developed by end-users;
   - the documentation and other standard requirements for such local programs and for spreadsheets which are part of business functions.
8. The status and ownership of e-mail messages has been defined and announced to staff.
GD2. Use of external service providers (e.g. outsourcing of specific services, use of external computer bureaux)
To ensure that the use of external service providers is managed effectively.
1. Access by the auditors is provided for.
2. The contract or service level agreement specifies requirements including, as appropriate:
   - performance;
   - security;
   - data ownership and access to data;
   - service availability;
   - contingency arrangements (e.g. if service provider ceases operations).
3. Management actively monitors performance against the requirements specified.
ANNEX 2
APPLICATION AUDITS
CONTROL OBJECTIVES AND EXAMPLES OF CONTROL TECHNIQUES
CONTROL OBJECTIVES Possible procedures or controls
Note: These are, in each case, a range of possibilities given for illustration; they do not all have to be present to meet the control objective, and the objective may be met by other means.
The auditor needs to make a judgment on the overall effectiveness of the mix of controls actually present, bearing in mind the size, complexity and importance of the system concerned.

AA. ORGANISATION AND DOCUMENTATION

AA1. Responsibility for applications

To ensure that management responsibility for every aspect of maintaining and running applications is properly allocated.

1. The user (or a principal user) is defined as owner of the application.
2. Maintenance of the application and decisions on its future development are formally managed, preferably by the owner.
3. The application's performance and its contribution to the operational function of which it forms a part are actively managed, preferably by the owner.
4. Ownership of the data used by the application is specified.
5. The duties of the computer centre, and of any third parties (e.g. software houses) for operating and supporting the application are covered by service level agreements (contractually in the case of third parties).
6. All the departments responsible for input or for handling output are known and their responsibilities (for timing, quality, security etc) are formally agreed.
7. The division of responsibility for the accuracy and continued integrity of stored data is clear (ultimate responsibility should normally lie with the user).
8. Responsibility for deciding, and for executing, the security and control requirements of the application is assigned, taking account of the organisation's general security policy and of the IT department's standard security measures.
9. Responsibility for providing and for maintaining documentation, including user manuals, is defined.

AA2. Cost allocation

To ensure that the costs of running applications are identified and that they are kept under review.

1. Computer running costs are logged and the application's share identified.
2. IT department overheads and staff costs are identified and allocated to the applications.
3. Running costs are reported to the owner of the application and to those responsible for resource management, and reviewed in accordance with the organisation's policy.
4. Costs of maintenance and enhancement of the application are identified and reported.
5. Estimates are made for development and maintenance tasks, are approved by the owner or resource manager, and are used to control the work.

AA3. Documentation

To ensure that all necessary documentation exists in the light of the types of application concerned and the organisation's needs. (Documentation may be kept on media other than paper provided that availability and reliable storage are assured.)

1. A SYSTEMS SPECIFICATION describes the data and processing of the application in terms which allow it to be an effective medium of communication between the users and the IT providers.
2. The systems specification is kept up to date.
3. It meets the organisation's documentation standards and systems development methodology.
4. It includes (or a separate document sets out) the user's control needs and any other special requirements for the application.
5. Structured PROGRAM DOCUMENTATION including comprehensible source listings is available and is kept up-to-date.
6. The organisation’s rights to obtain documentation and source listings developed by outside contractors are guaranteed even if the supplier becomes bankrupt (for example by depositing them in escrow).
7. OPERATORS' INSTRUCTIONS are up-to-date and cover any special action required e.g. response to error messages, abnormal termination, etc.
8. USER MANUALS fully describe responsibilities and procedures and are systematically kept up to date.

AB. INPUT

AB1. Authorization

To ensure that only authorized items, and all authorized items, are input.
1. Access controls ensure that only those authorized have access to input processes.
2. Input is from authorized documents, which are checked for the authority (usually a signature) by the person doing the input, or in a preliminary clerical checking stage.
3. Documents used for input are serially numbered and there is a check for validity and for completeness of sequence either by the computer or clerically.
4. Input other than transcription of authorized documents receives authorization in accordance with its significance before being processed. (This may be on a statistical basis where appropriate.) Methods include:
   - holding input in a special computer file until released interactively by a supervisor;
   - flagging recent input for supervisory check;
   - post-input authorization of print-outs before further processing.
5. Transmission of authorized and checked documents is controlled by batching.
6. Confirmatory prints of input are sent to authorizing officers, who sign for approval.
7. Changes to permanent data are properly authorized.
8. Programmed checks prevent validation and processing of input which logically cannot have been authorized, e.g. payments in excess of available budget.

AB2. Completeness and accuracy

To ensure that data input to applications is accurate and complete. (Input comprises both transaction and permanent/reference data.)

1. Batch controls including (hash) totalling of all sensitive fields are used, and a positive check is made that required totals match.
2. Validation checks are carried out by program to ensure that the data entered:
   - have the format expected for each field;
   - are within appropriate ranges (e.g. not negative where logically impossible; do not exceed pre-determined reasonable amounts; are within the known sequence of items of their kind (cheque numbers, etc).
3. Double-keying is used for sensitive data.
4. For on-line entry, input reports are produced showing aggregated totals, which are checked or matched with totals established separately for the session.
5. Check digits are used with reference numbers and validation actually checks them.
6. Validation includes tests of self-consistency of the data input (e.g. debits = credits, reference numbers match related descriptive material).
7. Logical checks are made with accessible existing records e.g. account balances.
8. Permanent data (and other key data) are printed out and positively approved by the responsible user before being used in processing.
9. Error handling - clerical or computer suspense files of input rejected by the system during validation or processing are maintained, and procedures ensure that suspense data is promptly corrected and reinput (without bypassing normal authorization and other input checks), or cancelled.

AC. PROCESSING

AC1. Transaction processing

To ensure that processing of transactions is complete and arithmetically accurate, and that the results (including generated data) are correctly classified and recorded properly in the computer files.

1. Batch or session control totals are matched to the aggregate change in appropriate control records in computer files. (It is important that the structure of batch types and control records should be such that significant mis-classification would be detected by this control.)
2. Where the program generates data (i.e. carries out arithmetical operations such as currency conversion, or looks up and writes data which has a logical but not arithmetical connexion with the input, for example pay), the user makes checks either against a separately-made forecast of the aggregate amount or of a sample of transactions.
3. Output includes control prints or screens on which responsible users must positively check and accept key control totals.
4. Validation controls within the programs include:
   (1) ensuring that (batch) totals established before the processing remain completely accounted for at each stage;
   (2) consistency checks where input handled recapitulates information already held (e.g. when account number and name are both given);
   (3) range checks on amounts generated (calculated, looked-up) by program.
5. Control counts and totals are maintained on each of the data files accessed by the application.
6. Control counts and totals are maintained for each transaction type.
7. "Success units" are used to ensure that complex transactions are entirely posted to all appropriate files, or else backed out completely.
8. Separate control files held on a different device are used to check that appropriate file versions have been loaded.
9. Manual control totals are maintained and reconciled on a timely basis to the totals produced by the system.
10. Error handling - clerical or computer suspense files of input rejected by the system during validation or processing are maintained, and procedures ensure that suspense data is promptly corrected and reinput (without bypassing normal authorization and other input checks), or cancelled.

AC2. Other processing

To ensure that other processing activities (including data re-organisation such as year-end/month-end procedures, routine data integrity checks, production of reports and analyses not directly related to input, supply of data to other applications, and enquiry facilities) are carried out on time and give correct results.

1. The timetable for regular processing of this type is controlled by the user, and runs are initiated on his instructions.
2. User procedures lay down responsibility for the checks to be made on the results of such processing (e.g. checking that amounts reported as processed match those expected, that new aggregate figures in control records reflect the adjustments forecast, that management information reports indicate by control totals that they include the whole body of the data intended).
3. Where data belonging to the application are available to an enquiry facility, the appropriate degree of check is built into the processing which produces responses (e.g., where this is important, proving that all relevant records have been read, by aggregating and showing the total for the records within the same control account which were not selected).
4. Users of enquiry facilities and owners of other applications using the data are aware of the level of reliability of the data as such and of the programmed procedure through which they obtain them.

AD. DATA TRANSMISSION

AD1. Data should be transmitted accurately and completely

To ensure that all data transmitted, whether through a network or by disks or tapes, is received in a complete and accurate state, and that there is no loss or disclosure of data in transit (see also section AF1).

1. Use of check digits, and hash and other control totals.
2. Use of digital signatures.
3. Use of data encryption.
4. Use of passwords.
5. Sequential message numbering, sequencing of transactions.
6. Reports confirming receipt are sent and are reconciled promptly to records of data transmitted.

AE. STANDING DATA

AE1. Continued correctness of standing data

To ensure that all data stored in the system as a permanent record or for reference remains correct and complete.

1. Responsibility for checking the continued correctness of data is allocated either to a database administrator or to appropriate users.
2. Control totals or hash totals are used to monitor the state of files containing permanent data.
3. Print-outs of standing or reference data are checked periodically to source documents by the responsible user. This can be done on a cyclical or statistical basis, depending on the risk represented by incorrect data.

AF. OUTPUT

AF1. Correctness of output

To ensure that output released whether on paper, via screens, on magnetic media, or through electronic links, is correct and complete.

1. Validation and range etc. checks are carried out by the program on records output. Warning messages are given if the output does not comply. There is a user procedure for handling such warning messages.
2. There are procedures in place to give an appropriate degree of reasonableness check to printed output (may range from none for internal paper which is not a base for decisions, to 100% read-through against supporting documents (e.g., perhaps, for large cheques)).
3. For transmissions of payment instructions to banks:
   - the responsible user uses both control totals and spot checks (such as sample tests from time to time on the disk to be despatched or browsing and sampling the messages transmitted) to obtain reasonable assurance that the information actually sent is identical with that authorized;
   - despatch of tapes or disks by a secure messenger service;
   - prepared disks or tapes are stored securely up to despatch;
   - pre-established limits are agreed with the bank on the total amount and on individual transactions;
   - acceptance reports are reconciled promptly (in time to recall payments);
   - post-payment reconciliation is done promptly.
4. Output reports include totals which are reconciled by the user to totals established before input. Detailed prints of input are available to investigate differences when necessary.

AF2. Correct distribution of output

To ensure that output reaches all and only those for whom it is intended.
1. Output produced by the computer center is kept under surveillance, and distributed with appropriate security/privacy.
2. Mailing lists for output are regularly reviewed and unnecessary or incorrect addressees removed.
3. Superfluous copies of output for which there is no addressee are not produced.
4. The general security rules applied to PCs, terminals and printers located with end-users ensure sufficient privacy for output, taking into account the level of building security and the quality of password etc controls.
5. The person responsible for security decisions for the application has a clear picture of the various user groups with access to output in any form and makes decisions on control accordingly (see point AA1.8 above). In particular, logical access controls for the application take account of possible approaches through all networks in which the installation is involved.
6. All expected output is accounted for (e.g. use of serial numbering to detect unauthorized suppression of exception reports).
7. Reports are regularly produced even if there is no problem to report (recipients should then become used to receiving a report and less likely to overlook a report that is suppressed by someone who does not want the report’s contents known).
8. Negotiable, sensitive or critical forms (for example cheques) should be properly logged and secured to provide adequate safeguards against theft or damage. The forms log should be routinely reconciled to inventory on hand and any discrepancies should be properly investigated.

ANNEX 3

APPLICATION CONTROL REQUIREMENTS

The following requirements are expressed in general terms.
In general the requirement is that evidence should be provided at suitable intervals (for example, daily) to user managers to enable them to be assured that the data and processing in the application are correct. Specific solutions (for example aggregations and control totals, serial numbers, reports for reconciliation or reasonableness checking, supervisor/manager consultation and recorded approval of control data on screen) need to be defined in the early stages of the project.

It is assumed in what follows that general installation controls satisfactory to the users are in place in the systems/networks which will run this application. Such controls should cover, for example, physical access, logical access generally, separation of IT staff duties, back-up, disaster recovery, (software) changes, and should include performance indicators to measure the efficiency of the system.

1. Access
The application should prevent access to programs except by authorized staff, and should provide for access to user resources (processes or data) to be managed by (a) senior user(s) and to be restricted as may be required to reflect differing patterns of work and separations of duties in user divisions (for example, by account codes, by values, by functions, etc.). All access should be controlled and logged on an individual basis and the system should prevent and report all unauthorized access attempts.

2. Input of data
The system should provide evidence permitting user managers to be sure that data input, including standing data, is complete, is validated in accordance with user requirements, and is correctly written to the correct files.

3. Integrity of data
The system should be organized so as to provide regular evidence to user managers that standing and stored data remains complete and correct.

4. Transaction processing
The system should provide regular evidence that transactions are, in aggregate, correctly processed and written to the correct files.

5. Changing data and programs by emergency routes
So far as they are within the application, the use of any emergency data change facilities or processes, which allow data to be changed without passing through normal validation, should be capable of being heavily restricted and logged.

6. Management (audit) trail
All transactions should be traceable forwards and backwards through the system. A trail should be maintained of data which is aggregated at various reporting levels, so that component transactions can be identified.

7. Records
All actions on each transaction record should be stamped with the logged-in identity concerned, and the machine time and date (and an action code). Full records of every change should be retained (no overwriting).

8. Output
Outputs should be dated and timed, and (where necessary for control) serially numbered. There must be appropriate controls (and evidence to the accountant that they have operated) over electronic transfer of payment data to ensure that only - and all - authorized transactions are timeously executed.

APPENDIX 2: AUDIT OF INTERNAL CONTROL

Types of controls

Internal controls normally comprise both the control environment (that is, the philosophy of management, the assignment of responsibilities within the management systems, and the policing of control procedures) and control procedures (preventive and detective measures introduced by management to protect against fraud, irregularity or error).
Control procedures can be broadly grouped under the following headings:

- management controls – high level supervision and review by management, including reviews of performance against budgets, exception reports and the use of internal audit;
- organisational controls – controls derived from the structure of the organisation, such as segregation of duties and the clear definition of responsibilities;
- authorisation controls – controls to stop the processing of a transaction where it has not been approved at the appropriate level, including clear delegations of authority to approve transactions and well-defined and documented checks before approval is given;
- operational controls – to ensure the complete and accurate processing of transactions, including sequence checking of numbered documents, reconciliations and the comparison of one set of documents with another (for example checking purchase orders against invoices); and
- access controls – both physical controls, such as safes, and logical controls, such as password protection of computer files.

An understanding of the nature and likely effectiveness of the management and control system operated by the auditee is essential so that the audit can be designed to provide adequate information on the operation of controls – for example, to identify the effects of perceived weaknesses in the control system. The audit should be designed to collect appropriate and sufficient evidence on the operation of controls, while ensuring the efficient use of resources. Typically, an audit will involve the identification and testing of all such controls.

In carrying out audits, the auditor must always bear in mind that no control system, however sound it appears, can guarantee proper administration and completeness and accuracy of transactions. Audit evidence cannot therefore solely be gained from the controls, and audit tests should, inter alia, aim to identify events, which may reduce the effectiveness of the controls.
These events may include:

- the overriding of controls by those responsible for enforcing them;
- human error in the application of controls;
- the inability of the control system to deal with a non-standard event or transaction; and
- a breakdown of the control system because of changes or the development of non-standard procedures.

Methods used in testing the operation of controls

The operation of controls can be tested in a number of ways. In practice, most testing will involve a combination of the following methods of testing:

- observation and enquiry – essentially, the observation of control staff while they are undertaking their work and interviews to establish what they do;
- examination – the obtaining of evidence that controls have functioned correctly, for example by inspection of documents for evidence that checks have been carried out, reconciliation, re-performance and “walk-through” tests; and
- sampling – a sample of transactions can be taken for examination to determine whether controls have operated on those transactions. The sample may either be a judgement sample, or a statistically based sample, which may allow conclusions to be drawn on the accuracy of all transactions passing through the same system.

Where serious weaknesses are identified in control procedures, the auditor will need to consider whether additional audit procedures (such as substantive testing) are necessary to provide further information on the effects of the weaknesses. In all such cases, the auditor should make recommendations to management aimed at ensuring the improvement of systems to address the weaknesses identified.

Documentation and testing of systems for Cohesion Fund

In addition to the above, auditors must ensure that they cover the following tests that are required by the EC Regulations.
A key element of an audit of activities co-financed by the Cohesion Fund is to examine whether management and control systems are operating effectively at all relevant levels. This examination involves the documentation of the relevant systems (including appropriate information from the audit trail), together with testing (tests of controls) to examine whether the systems are actually operating as described and are effective. Tests of controls should check that management and control systems are operating consistently and effectively. Tests should be carried out on a sample of transactions selected for on the spot audits. Where the effectiveness of the management and control system is likely to vary (for example where different staff are responsible for applying the same checks on different transaction streams), the auditor should ensure that the sample is representative of these possible differences. It is important during tests of controls to identify the reasons for any errors and omissions identified, which may indicate weaknesses in management and control systems. In addition to the documentation of systems, audits involve tests of controls (compliance or conformity tests) and the in-depth checking (substantive testing) of a selected expenditure declaration against source documents and other relevant information. The purpose of this checking is to enable a conclusion to be reached on the accuracy and validity of the particular expenditure declaration examined. Substantive testing may also include analytical review – for example the comparison of different ratios or trends to identify possible areas for further investigation. Tests should also include reconciliation between expenditure declared by the auditee to a higher authority and the financial records maintained by the auditee. 
In addition to verifying the accuracy of payment requests, such checks can be a useful indicator of the effectiveness of the audit carried out by higher authorities and of the proper functioning of the audit trail.

The results of the tests of controls should be documented in working papers for presentation in the audit report. Auditors should clearly describe, in separate working papers, the problems or errors identified during audits, their effects and the recommended solutions. All weaknesses and errors should be discussed with auditees and their views recorded for use in the audit report. Working papers, including the analysis of problems, effects and solutions should then be used in the preparation of the audit report.

APPENDIX 3: GUIDANCE FOR PERFORMANCE OF 15 PER CENT CHECKS

Introduction

Figure 1: The relevant criteria for the 15 per cent sample checks

REGULATIONS

Articles 9-11 of Regulation (EC) No 1386/2002, based on Article 12 of Regulation (EC) No 1164/94, and again largely taken - via Regulation 438/2001 - from Regulation 2064/97, are the parallel provisions governing sample checks and systems audits of projects co-financed by the Cohesion Fund. On account of the larger size and higher average aid rate of projects, sample checks here are required to cover 15% of expenditure, taking as the basis the total eligible expenditure on projects that are financed by the Cohesion Fund over the period 2000-2006 and which were first approved after 1 January 2000.

Article 12 of CR 1386/2002 states that in accordance with Article G(1) of Annex II to Regulation (EC) 1164/94, Member States shall inform the Commission by 30 June each year (and for the first time by 30 June 2003) of their application of Articles 9-11, above, in the previous calendar year.
The aim of this Appendix is to provide an approach for the auditor to conduct tests which fulfil the EC requirements.

Audit planning scheme

The audit shall examine whether the expenditure on Cohesion Fund projects was spent in accordance with the rules and regulations covering the assistance granted. The audit shall be based on substantive audit procedures comprising a minimum 15% check of programmes and projects. The selection of these projects will be determined via a risk assessment approach. Projects will be tested at the transaction level to help form an opinion on the performance of that project in that period. At the end of the assistance the information from testing over the whole life of the assistance will be combined to provide the winding-up declaration.

Risk assessment and selection of projects

Risk assessment

Decide on a set of clear risk based criteria in order to select a sample of projects. This is called a risk based approach and is used as a method to stratify the projects into distinct risk categories from which a multistage sample of projects and payments within projects can be randomly selected to achieve a 15 per cent check of expenditure in each year and therefore over the life of the assistance.

Figure 2: The criteria for assessing risk (diagram of the criteria: Complexity; Control risk; Staff turnover; Prior audit checks; Size of subsidy; Type of programme; Project manager experience)

Criteria should include (Figure 2):

- Complexity in terms of multiple streams of funds for one programme, legislation, administrative organisation, decentralisation;
- The size of the payment or receipt in-year compared to the total Cohesion Fund values;
- The type of project: certain projects may be connected with greater inherent risk than others;
- The project manager. There can be public or private project managers, and they can be newly established or experienced; in general, the more experienced the project manager, the less risk there is attached to the project;
- Whether the project has been sampled before: if a project has not been sampled before it will be given a greater probability of selection than one chosen in the prior year;
- Great staff turnover or substitutes within the organisation: a project with a high turnover of staff may prove more risky as staff will be new to the work and require training; and
- Control risk: the risk that the organisation’s internal controls do not discover the errors. Little would be known about this initially, but as more controls work is carried out the information on this should be improved.

Risk assessment questionnaire

To assess the risk for each project the auditor should complete a risk assessment questionnaire (Figure 3). For each project the auditor should assess the risks under the seven key criteria. Each of these criteria has a weight attached to it and the risk score for the criterion is multiplied by the weight of that criterion. The weighted scores over all seven criteria should then be totalled to obtain a final score for the project. This score can then be placed within the high, medium or low risk category.
Figure 3: An illustration of the risk assessment questionnaire

| RISK CRITERIA | Risk score 1 | Risk score 2 | Risk score 3 | Risk score 4 | Weight | Rating |
|---|---|---|---|---|---|---|
| What is the size of the project budget | Under €10,000 | €10,000-€50,000 | €50,000-€100,000 | Over €100,000 | 4 | 16 |
| What risk is associated with the project | Very low risk | Low risk | High risk | Very high risk | 4 | 8 |
| How good are management control structures | Very good | Good | Poor | Very poor | 4 | 12 |
| How experienced are the project managers | Very experienced | Experienced | Little experience | No experience | 3 | 6 |
| Has the project been sampled before | In last year | 2-3 years ago | 4-5 years ago | No | 3 | 12 |
| How complex is the project in terms of its funding streams, legislation, and organisation | Not at all complex | Not complex | Complex | Highly complex | 2 | 4 |
| What is the level of staff turnover in the project manager's organisation | Very low turnover | Low turnover | High turnover | Very high turnover | 2 | 4 |
| Total Score | | | | | 22 | 62 |

| Risk Category | Low | Medium | High |
|---|---|---|---|
| Score | 22 to 40 | 41 to 50 | 51 to 88 |

The numbers in the figure are provided for illustrative purposes; the values for the size of projects have yet to be determined and the weights and risk category values could also be altered.

Sample selection procedure

The objective is to ensure that the requirements set out in the Regulations are met. In order to meet the requirements of this regulation the auditor should ensure that:

- the checks carried out before the winding-up of each project shall cover at least 15 % of the total eligible expenditure;
- Beneficiary Countries shall seek to spread the implementation of the checks evenly over the period concerned; and
- there is an appropriate separation of tasks as between such checks and implementation or payment procedures concerning operations.

The risk assessment should be conducted for all the projects.
This will provide the auditor with a list of projects divided into high, medium and low risk categories. The sample shall be selected using these risk categories as the basis for stratification. The overall sample size required for projects is calculated using stratified sampling theory (Annex 1). This sample size is allocated between categories in proportion to the amount of total expenditure within each stratum for the period being tested. Where this value is greater than the number of projects, it is reduced to the number of projects in the stratum, and where it is less than one project, it is rounded up to one project (Figure 4).

Figure 4: Example of stratified sample size calculation

Project sampling information

| Projects | Number | Expenditure | Proportion | Sample size | Sample expenditure |
|---|---|---|---|---|---|
| High | 6 | SIT 40,000,000 | 77.5% | 6 | SIT 40,000,000 |
| Medium | 14 | SIT 11,084,167 | 21.5% | 2 | SIT 1,958,333 |
| Low | 10 | SIT 540,833 | 1.0% | 1 | SIT 12,500 |
| Total | 30 | SIT 51,625,000 | 100.0% | 10 | SIT 41,970,833 |

The formula used to calculate the overall sample size is shown at Annex 1.

The projects should be selected randomly from within the risk categories. This will ensure that the sample is representative of all types of projects and is targeted to the areas of greatest risk.

The requirement is to check a minimum of 15 per cent of the expenditure. If the auditor were to test all of the expenditure on the selected projects, this would exceed the 15 per cent, due to the targeting of high expenditure, high risk projects. The sample should therefore be treated as a multistage audit, and the expenditure within the sampled projects should also be sampled so that a minimum of 15 per cent of annual expenditure is tested each year.
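The following Python code is an added example, not part of the manual. It reproduces the weighted risk score of Figure 3, the overall project sample size using the Annex 1 formula read as n = X·Σ(N_i²·σ_i²/X_i) / ((M/z)² + Σ N_i·σ_i²), and the allocation across risk strata with the cap and round-up-to-one rules described above. The function names, dictionary keys, rounding n up and rounding in-between allocations to the nearest whole project are assumptions of this example; the input figures are the manual's illustrative ones.

```python
"""Weighted risk score and stratified project sample, using the manual's illustrative figures."""
import math

# Weights per criterion as in Figure 3; the key names are labels chosen for this example.
WEIGHTS = {
    "budget_size": 4, "project_risk": 4, "control_structures": 4,
    "manager_experience": 3, "sampled_before": 3,
    "complexity": 2, "staff_turnover": 2,
}
# Risk category bands from Figure 3 (inclusive bounds on the total weighted score).
BANDS = (("Low", 22, 40), ("Medium", 41, 50), ("High", 51, 88))

# Scores (1-4) implied by Figure 3's Rating column (rating divided by weight).
FIGURE3_SCORES = {
    "budget_size": 4, "project_risk": 2, "control_structures": 3,
    "manager_experience": 2, "sampled_before": 4,
    "complexity": 2, "staff_turnover": 2,
}

# Projects, expenditure in period and standard deviation (SIT) per stratum, from Figure 6.
FIGURE6_STRATA = {
    "High": {"projects": 6, "expenditure": 40_000_000, "std_dev": 3_800_585},
    "Medium": {"projects": 14, "expenditure": 11_084_167, "std_dev": 437_391},
    "Low": {"projects": 10, "expenditure": 540_833, "std_dev": 46_885},
}


def risk_score(scores):
    """Total of score x weight over the seven criteria."""
    if set(scores) != set(WEIGHTS):
        raise ValueError("exactly one score per criterion is required")
    for name, score in scores.items():
        if score not in (1, 2, 3, 4):
            raise ValueError(f"{name}: score must be 1, 2, 3 or 4")
    return sum(scores[name] * weight for name, weight in WEIGHTS.items())


def risk_category(total):
    """Place a total weighted score in the Low, Medium or High band."""
    for label, low, high in BANDS:
        if low <= total <= high:
            return label
    raise ValueError(f"score {total} is outside the 22-88 range")


def _check(strata):
    """Reject strata that would make the proportions or the formula undefined."""
    for name, s in strata.items():
        if s["projects"] < 1 or s["expenditure"] <= 0:
            raise ValueError(f"{name}: stratum needs projects and expenditure")


def overall_sample_size(strata, materiality_rate=0.05, z=1.96):
    """Unrounded n = X * sum(N^2 * var / X_i) / ((M/z)^2 + sum(N * var))."""
    _check(strata)
    total = sum(s["expenditure"] for s in strata.values())
    materiality = materiality_rate * total
    numerator = total * sum(
        s["projects"] ** 2 * s["std_dev"] ** 2 / s["expenditure"]
        for s in strata.values()
    )
    denominator = (materiality / z) ** 2 + sum(
        s["projects"] * s["std_dev"] ** 2 for s in strata.values()
    )
    return numerator / denominator


def allocate(n, strata):
    """Split n across strata in proportion to expenditure, then apply the two limits."""
    _check(strata)
    total = sum(s["expenditure"] for s in strata.values())
    sizes = {}
    for name, s in strata.items():
        share = n * s["expenditure"] / total
        if share > s["projects"]:
            sizes[name] = s["projects"]            # cannot sample more than exist
        elif share < 1:
            sizes[name] = 1                        # at least one project per stratum
        else:
            sizes[name] = math.floor(share + 0.5)  # assumption: nearest whole project
    return sizes


def plan_project_sample(strata):
    """Overall sample size (rounded up, an assumption) and its allocation."""
    n = math.ceil(overall_sample_size(strata))
    return n, allocate(n, strata)


if __name__ == "__main__":
    total = risk_score(FIGURE3_SCORES)
    print("risk score:", total, risk_category(total))
    print("project sample:", plan_project_sample(FIGURE6_STRATA))
```

With the Figure 6 data the unrounded sample size is about 9.5, which gives the overall sample of 10 and the 6 / 2 / 1 split shown in Figure 4.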
Figure 5: Calculation of payment sample to ensure 15 per cent of expenditure

Payment sampling information

| Risk category | Payments | Expenditure | Average | Proportion | Of target | Payments (sample) |
|---|---|---|---|---|---|---|
| High | 689 | SIT 40,000,000 | SIT 58,055 | 89.7% | SIT 2,315,731 | 40 |
| Medium | 75 | SIT 1,958,333 | SIT 26,111 | 9.8% | SIT 252,075 | 10 |
| Low | 4 | SIT 12,500 | SIT 3,125 | 0.5% | SIT 13,444 | 4 |
| Total | 768 | SIT 41,970,833 | SIT 87,291 | 100.0% | SIT 2,581,250 | 54 |

The number of payments to test is calculated in order to be proportional to the number of payments and to ensure that the 15 per cent target is achieved. Figure 5 shows how this can be achieved. Using the expenditure and number of payments in each risk stratum, an average value for each category can be calculated. The proportion of payments can also be calculated and applied to the target value of 15 per cent of expenditure in the period. By dividing this proportion of the target figure by the average for the risk category, a number of payments under each category can be assigned. This assignment should be done, where possible, on an equal basis (Figure 6).

Figure 6: Stratified multistage sampling approach

| Fund | Risk assessment | Budgeted expenditure (SIT) | Expenditure in period (SIT) | Sampled projects (SIT) | Payments in period | Sampled payments | Sampled expenditure (SIT) |
|---|---|---|---|---|---|---|---|
| Project 1 | High | 150,000,000 | 5,000,000 | 5,000,000 | 4 | 4 | 5,000,000 |
| Project 2 | High | 75,000,000 | 12,500,000 | 12,500,000 | 300 | 8 | 333,333 |
| Project 3 | High | 15,000,000 | 2,500,000 | 2,500,000 | 50 | 7 | 350,000 |
| Project 4 | High | 25,000,000 | 4,166,667 | 4,166,667 | 10 | 7 | 2,916,667 |
| Project 5 | High | 60,000,000 | 10,000,000 | 10,000,000 | 250 | 7 | 280,000 |
| Project 6 | High | 35,000,000 | 5,833,333 | 5,833,333 | 75 | 7 | 544,444 |
| Total (High) | | 360,000,000 | 40,000,000 | 40,000,000 | 689 | 40 | 9,424,444 |
| Mean (High) | | | 6,666,667 | 6,666,667 | | | |
| Standard deviation (High) | | | 3,800,585 | 3,800,585 | | | |
| Project 7 | Medium | 1,000,000 | 166,667 | | | | |
| Project 8 | Medium | 6,000,000 | 1,000,000 | | | | |
| Project 9 | Medium | 2,500,000 | 416,667 | | | | |
| Project 10 | Medium | 3,750,000 | 625,000 | 625,000 | 45 | 5 | 69,444 |
| Project 11 | Medium | 4,650,000 | 775,000 | | | | |
| Project 12 | Medium | 1,750,000 | 291,667 | | | | |
| Project 13 | Medium | 7,350,000 | 1,225,000 | | | | |
| Project 14 | Medium | 8,000,000 | 1,333,333 | 1,333,333 | 30 | 5 | 222,222 |
| Project 15 | Medium | 9,150,000 | 1,525,000 | | | | |
| Project 16 | Medium | 1,950,000 | 325,000 | | | | |
| Project 17 | Medium | 4,050,000 | 675,000 | | | | |
| Project 18 | Medium | 2,600,000 | 433,333 | | | | |
| Project 19 | Medium | 6,605,000 | 1,100,833 | | | | |
| Project 20 | Medium | 7,150,000 | 1,191,667 | | | | |
| Total (Medium) | | 66,505,000 | 11,084,167 | 1,958,333 | 75 | 10 | 291,667 |
| Mean (Medium) | | | 791,726 | 979,167 | | | |
| Standard deviation (Medium) | | | 437,391 | 500,867 | | | |
| Project 21 | Low | 25,000 | 4,167 | | | | |
| Project 22 | Low | 320,000 | 53,333 | | | | |
| Project 23 | Low | 750,000 | 125,000 | | | | |
| Project 24 | Low | 115,000 | 19,167 | | | | |
| Project 25 | Low | 75,000 | 12,500 | 12,500 | 4 | 4 | 12,500 |
| Project 26 | Low | 250,000 | 41,667 | | | | |
| Project 27 | Low | 315,000 | 52,500 | | | | |
| Project 28 | Low | 825,000 | 137,500 | | | | |
| Project 29 | Low | 90,000 | 15,000 | | | | |
| Project 30 | Low | 480,000 | 80,000 | | | | |
| Total (Low) | | 3,245,000 | 540,833 | 12,500 | 4 | 4 | 12,500 |
| Mean (Low) | | | 54,083 | 12,500 | | | |
| Standard deviation (Low) | | | 46,885 | 0 | | | |
| Total | | 429,750,000 | 51,625,000 | 41,970,833 | 768 | 54 | 9,728,611 |
| Mean | | | 1,720,833 | | | | |
| 5 Per cent | | 21,487,500 | 2,581,250 | | | | |

The above dataset is for illustrative purposes only to demonstrate how the techniques should be applied.

Substantive procedures

In accordance with the Regulations the Beneficiary Country shall organise checks on measures on an appropriate sampling basis, designed in particular to:
- verify the effectiveness of the management and control systems in place; and
- verify selectively, on the basis of risk analysis, expenditure declarations made at the various levels concerned.

The checks can be completed using the following audit programme.

Audit programme

Inspection officer:
Project:
Inspection date: / /
Project Ref:
Risk rating: High / Medium / Low
Total approved expenditure: SIT
Expenditure during period: SIT
Total value checked during inspection: SIT
Value of ineligible expenditure: SIT

Are the issues laid down in Annex III. 4 addressed?
Satisfactory (S) / Unsatisfactory (U) / No response possible (N)

- Practical application and effectiveness of the management and control systems
- Correspondence of accounting records with supporting documents held by intermediate bodies, final beneficiaries and the bodies carrying out the operations
- Sufficient audit trail
- Eligibility of expenditure
- Consistency between the use of the project and the use described in the original application to the EC
- Sufficient national co-financing
- EC contributions are within the limits laid down in the Financing Memorandum
- EC grants are paid to final beneficiaries without any reduction or delay
- Compatibility with other EU policies and actions, including rules on competition, on the award of public contracts (tenders) and on environmental protection

Comments on findings

Reporting results

Individual programmes

To report the results a report can be written for each project detailing the sample results for payments tested within that project, combined with findings from work on the management and control over the project.

Annual reports

The work across all projects can be combined to give a report for the period drawing out similar themes of weaknesses and strengths in management and controls as well as informing on any ineligible monetary payments.

Annex 1

Step by step guide to drawing a 15 per cent sample

1 Using the risk matrix divide the projects or programmes into risk categories; if there are no differences in risk then put all the projects or programmes into one category.

2 Using the formula below calculate the sample size required for the number of projects.
$N_h$ = population size for high strata, $n_h$ = sample size for high strata
$N_m$ = population size for medium strata, $n_m$ = sample size for medium strata
$N_l$ = population size for low strata, $n_l$ = sample size for low strata
$X_h$ = population expenditure for high strata
$X_m$ = population expenditure for medium strata
$X_l$ = population expenditure for low strata
$M$ = materiality, set at 5% of total value, $X = (X_h + X_m + X_l)$
$\sigma_x^2$ = variance = (standard deviation)$^2$
$z$ = z score for confidence required = 1.96 for 95 per cent

Sample size:

$$n = \frac{X \sum_i \left( N_i^2 \, \sigma_{x_i}^2 / X_i \right)}{(M/z)^2 + \sum_i N_i \, \sigma_{x_i}^2}, \qquad i \in \{h, m, l\}$$

Stratified sample sizes:

$$n_h = n \cdot (X_h / X), \qquad n_m = n \cdot (X_m / X), \qquad n_l = n \cdot (X_l / X)$$

3 To calculate the stratified sample size in each risk category divide the overall sample size from step 2 in proportion to the total expenditure in the period in each risk category (see formula for stratified sample sizes above). Select the projects or programmes randomly from within the risk category. If any of the stratified sample sizes are larger than the population of projects or programmes in that strata, simply test the whole population.

| | Expenditure in the period | Proportion | Project sample size |
|---|---|---|---|
| 6 High risk projects | SIT 40.000.000 | 77,5% | 6 (should be 7 but already sampling all high risk projects) |
| 14 Medium risk projects | SIT 11.084.167 | 21,5% | 2 |
| 10 Low risk projects | SIT 540.833 | 1,0% | 1 |
| 30 projects in total | SIT 51.625.000 | 100,0% | 10 |

4 To calculate the sample size for payments at those projects or programmes calculate an average expenditure per payment for each risk category.

| | Expenditure in the period | Average |
|---|---|---|
| 689 payments over 6 projects | SIT 40.000.000 | SIT 58.055 |
| 75 payments over 2 projects | SIT 1.958.333 | SIT 26.111 |
| 4 payments over 1 project | SIT 12.500 | SIT 3.125 |
| 768 payments in total | SIT 41.970.833 | SIT 87.291 |

5 Calculate 15 per cent of the overall expenditure in the period over all projects or programmes. Allocate this amount to each risk category in proportion to the number of payments in each risk category for the selected projects or programmes. Divide this expenditure by the average payment to get the sample size for each risk category. Divide the sample size on an equal basis between the projects or programmes, and then select random payments from within those projects or programmes.

| | Average | Proportion | 15% of total expenditure in period, split by proportion | Payment sample size |
|---|---|---|---|---|
| 689 payments over 6 projects | SIT 58.055 | 89,7% | SIT 6.946.144 | 120 |
| 75 payments over 2 projects | SIT 26.111 | 9,8% | SIT 758.887 | 29 |
| 4 payments over 1 project | SIT 3.125 | 0,5% | SIT 38.719 | 12 |
| 768 payments in total | SIT 87.291 | 100,0% | SIT 7.743.750 | 161 |

6 This approach ensures that higher risks are targeted, that the sample is selected in a statistically robust manner and that 15 per cent coverage of expenditure in the period is achieved.

7 If, at any stage, there is insufficient information increase the sample size to cover the additional bias which may be included from the non-statistical element.

APPENDIX 4: OBJECTIVES OF SUBSTANTIVE TESTS

This Appendix sets out guidance on the broad criteria to be used in designing substantive tests in relation to Cohesion Fund actions. The objective of substantive testing is to determine the conformity of individual transactions or activities with the relevant rules or regulations. In the context of a Cohesion Fund audit, these tests are used in particular to carry out further investigation where systems weaknesses have been identified.

Because substantive tests are used to investigate particular types of transaction, audit programmes will need to be developed to meet each eventuality using the criteria set out below. Each substantive test audit programme should be designed to check that the following criteria are met.
Each criterion is illustrated by a possible substantive test. Note that the examples are not intended to be definitive or complete.

| Criterion | Nature and example of a substantive test |
|---|---|
| Legality and regularity of the activity | A check that the activity actually carried out conforms to the relevant legal base. For example, the tests could examine whether a particular activity undertaken under the Cohesion Fund conforms to the detailed requirements of the regulations in respect of the amount or percentage rate of financing. |
| Completeness of financial and other records | A check that financial and other information systems record all relevant details. For example, a substantive test could check whether all incoming invoices were allocated a sequential number and were all accounted for, and held centrally by the project manager / final beneficiary, and whether all receipts or works done resulted in an invoice. Analytical procedures may be used in connection with these tests – especially ratios and predictive tests. |
| Reality of the operation | A check that operations recorded within financial and other systems actually took place. For example, a substantive test could check that payments to subcontractors recorded in financial systems actually took place through tracing booked payments to bank statements. Likewise, stock records could be examined to test whether goods were actually delivered. |
| Measurement of the activity | A check that amounts of transactions are calculated on the correct basis. For example, a substantive test may check that the correct exchange rate was used in converting a claim from national currency into EURO. |
| Valuation | A check that assets and other items are recorded at the correct value in financial records. For example, a substantive test may check that the sale or purchase of an asset purchased with Cohesion Fund support is recorded at the correct value in the accounting system by checking the original invoice or sale note. |
| Existence | A check that assets and other items actually exist. For example, a substantive test may check that an asset recorded in the financial records actually exists. These substantive tests involve the physical verification of existence – confirmation by custodian of the assets, or actually seeing the asset. |
| Ownership | A check that assets recorded are actually owned or properly used by the audited body. For example, a substantive test may involve checking that the audited body has a valid lease, or is the legal owner, of premises used for and financially supported by Cohesion Fund activity. |
| Quality of inputs | A check that inputs and outputs are of an appropriate quality. For example, for inputs we could check that the accounting system has input and outputs controls built in, to ensure a completeness and integrity control of data. For outputs, we could check that the system ensures through process controls that reporting is complete and correct. |

APPENDIX 5: SUGGESTED LIST OF KEY QUESTIONS TO EXAMINE THE MANAGEMENT CONTROL SYSTEMS

This appendix sets out the audit objectives and gives examples of the detailed questions to be asked. The appendix provides a structure for the audits, including the criteria which should be used to assess compliance with regulations and other requirements.

Note that where a question asks whether there are procedures to ensure a particular action or activity, the answers to these questions will be provided both through documentation of systems and through tests of controls and/or substantive tests to determine whether the system actually operates effectively in practice.
The checklists have been prepared in a modular format, whereby all of the questions covered by the Appendix may be used during an audit, or specific objectives may be selected for use.

Audit objective | Activity / Process | Objective

1. Systems descriptions: Whether there are adequate procedures to ensure that systems descriptions are reviewed and updated and changes notified to the Commission as required. (Art. 5 and Art. 12 of Commission Regulation 1386/02)
2. Approval: Whether there are adequate procedures to ensure that applications for aid and the decisions reached on those applications comply with the relevant rules, are in accordance with the needs of the area in question, and that decisions by the authority are fully documented. (Art 10 of Council Regulation 1164/94)
3. Monitoring: Whether there are adequate procedures for the effective monitoring of both the physical and financial progress of Cohesion Fund projects throughout their lifetime.
4. Guidance: Whether there are adequate procedures in place to ensure that adequate guidance is given to the bodies responsible for the implementation of Cohesion Fund projects. (Art. 2 of Commission Regulation 1386/02)
5. Irregularity reporting: Whether there are adequate procedures to ensure that irregularity reports are prepared, submitted, followed-up and recoveries made where appropriate. (Art. 7 of Commission Regulation 1386/02)
6. Audit: Whether there are adequate procedures and arrangements in place for the audit of Member States’ management and control systems for the Cohesion Fund (Art. 9, 10, 11, 12 of Commission Regulation 1386/02) and for the drawing up of the winding-up declaration (Art 12.1(f) of Council Regulation 1164/94 and Art. 13, 14 and 15 of Commission Regulation 1386/02)
7. Operational Checks: Whether the relevant authorities have adequate financial and checking procedures to ensure the regularity, legality and eligibility of expenditure. (Art. 4 and 8 of Commission Regulation 1386/02)
8. Publicity: Whether there are adequate arrangements in place to ensure compliance with the publicity requirements set out both in the Commission Decision for the particular project and in Commission Decision 96/455.
9. Accounting information: Whether the Member State has adequate procedures for maintaining adequate accounting records on projects which are available to the Commission on request. (Art. 16 of Commission Regulation 1386/02)
10. Audit trail: Whether there are adequate procedures in place to ensure that the management and control systems provide a sufficient audit trail. (Art. 6 of Commission Regulation 1386/02)

Checklist for the audit of Management and Control Systems for the Cohesion Fund

Prepared by: ______________________________ Date: ________________
Follow up by: _____________________________ Date: ________________
Revised by: _______________________________ Date: ________________

Systems description

Objective: Whether there are adequate procedures to ensure that systems descriptions are reviewed and updated and changes notified to the Commission as required. (Art. 5 and Art. 12 of Commission Regulation 1386/02)

Question | Yes/No/N/A | File ref | Comments

- Has the Member State submitted the system description in accordance with the Regulations, as required by Article 5 of Regulation 1386/02 and by the due date?
  - If yes, indicate record date of receipt
  - If not received by due date 7 Nov., ask when expected
- Has the Member State designated an appropriate person with responsibility for monitoring changes to the system?
  - If yes, indicate the person responsible and procedure
  - If not, indicate when expected to have such a procedure
- Is there a formal procedure to ensure that changes to the system are notified to the responsible person?
  - If yes, obtain a copy of the document
  - If not, is there a uniform/standard procedure?
  - If yes, describe the procedure
- Overall conclusion regarding the systems descriptions

Application and approval process

Objective: Whether there are adequate procedures to ensure that applications for aid and the decisions reached on those applications comply with the relevant rules, are in accordance with the needs of the area in question, and that decisions by the authority are fully documented. (Art 10 of Council Regulation 1164/94)

Question | Yes/No/N/A | File ref | Comments

- Does the systems description adequately describe the application and approval process?
- Has the national authority carried out an in-depth study of the region’s needs as regards CF assistance?
  - If yes: Is this study recent and up to date?
- Is there a clear link between the projects selected and the assessed needs?
- Are there controls to ensure an even split of environmental and transport projects?
- Is there a procedures manual that covers the application and approval process?
- Is there a designated person who has the authority and responsibility to approve applications?
- Are there adequate procedures to ensure that approved projects are in conformity with EU Regulation, in terms of:
  - Environmental impact assessment?
  - Transport strategy?
- Are there adequate procedures to ensure that the same project does not receive other EU funding?
- Are there procedures to establish the VAT status of the final beneficiary at the outset, to ensure that:
  - the financial plan is accurately costed?
  - the eligibility of expenditure to be declared on the project is correctly stated (net or gross)?
- Overall conclusion regarding the adequacy of the Application and Approval process

Project Monitoring process

Objective: Whether there are adequate procedures for the effective monitoring of both the physical and financial progress of Cohesion Fund projects throughout their lifetime.

Question | Yes/No/N/A | File ref | Comments

- Does the systems description adequately describe the project monitoring process?
- Is there a procedures manual that covers the project monitoring process?
- Do the written procedures set out:
  - how actions are to be monitored?
  - checks to be carried out on progress reports received?
  - action to be taken where progress is unsatisfactory?
- Are there procedures to ensure that the operation of projects is monitored throughout its lifetime as regards:
  - the relevant conditions contained in the Commission Decision approving the project?
  - EU and National rules on: Publicity? Public procurement? Eligibility of expenditure?
- Do progress reports cover both financial and physical progress?
  - Indicate who prepares these reports
- Are reports received in accordance with an agreed timetable?
- Monitoring Committee
  - Does it consist of suitably qualified people?
- Are progress reports on projects sufficiently detailed (financial and physical data) to give a true view of project progress?
- Are there procedures to ensure that action is taken as regards areas of weakness/problems identified by the Monitoring Committee?
  - Indicate who is responsible for follow up action
- Overall conclusion regarding the adequacy of the Project Monitoring process

Guidance

Objective: Whether there are adequate procedures in place to ensure that adequate guidance is given to the bodies responsible for the implementation of Cohesion Fund projects. (Art. 2 of Commission Regulation 1386/02)

Question | Yes/No/N/A | File ref | Comments

- Has the responsibility for issuing relevant guidance been assigned to a particular person / unit? (at each level, Paying / Managing and Intermediate levels)
- Has guidance been issued covering all of the authorities and bodies responsible for the general management, co-ordination and implementation of CF projects?
- Is the guidance issued sufficient to assist those authorities to establish the systems necessary to provide adequate assurance:
  - of the correctness, regularity and eligibility of expenditure?
  - that projects are carried out in accordance with the terms of the relevant decision?
- Overall conclusion regarding the adequacy of the arrangements in place for the issuing of guidance

Irregularity reporting / Recoveries

Objective: Whether there are adequate procedures to ensure that irregularity reports are prepared, submitted, followed-up and recoveries made where appropriate. (Art. 7 of Commission Regulation 1386/02)

Question | Yes/No/N/A | File ref | Comments

- Does the systems description adequately describe the irregularity reporting process?
- Has the responsibility for preparation, submission and follow up of irregularities been assigned to a particular person / unit? (at each level, Paying / Managing and Intermediate levels)
- Indicate:
  - How often are irregularity reports prepared
  - How are cases of identified irregularities followed-up
  - If a distinction between systemic and non systemic irregularities is made
- Article 7 of Regulation 1386/02
- Has the responsibility for accounting for and making recoveries of Cohesion Fund aid been assigned to a particular individual / unit?
- Is there a ‘debtors ledger’ system used to record the status of recoveries?
  - Indicate who maintains this record
- Are there procedures in place to ensure that recoveries are made without unjustified delays?
- Are there procedures in place to ensure that the Paying Authority sends the Commission once a year, a statement of the amounts awaiting recovery at that date, classified by the year of initiation of the recovery proceedings?
  - Indicate who is responsible for this
- Overall conclusion regarding the adequacy of the Irregularity Reporting process

Audit arrangements

Objective: To ensure that there are adequate arrangements in place for the audit of Member States management and control system for the Cohesion Fund (Article 9 of Reg. 1386/02)

NOTE: This work to be carried out by the BSO, but the guidance and methodology is temporarily included for information.

Question | Yes/No/N/A | File ref | Comments

- Does the systems description adequately describe the audit arrangements in place?
- Has the responsibility for the systems audits required by Art 9 of Reg. 1386/02 been assigned to a specific body?
  - If yes, indicate which is the body responsible
  - If not, ask when and to whom it is expected to designate this responsibility
- Are these bodies functionally independent from the operational bodies (Paying / Managing / Implementing etc)?
  - Indicate who they report to
- Have operational bodies any influence over which projects are selected for audit?
- Are these bodies (i.e. bodies responsible for Article 9 audits) adequately staffed with suitably experienced / qualified personnel? (Get details)
- Do these bodies use risk analysis in the selection of projects / transactions to be audited?
  - Obtain details/examples of the application of risk analysis
  - Indicate how an even spread of checks over the entire period is ensured (2000-06)
  - Indicate how an appropriate mix of types and sizes of projects to be examined (i.e. balance between environment and transport) and coverage of all implementing bodies is ensured
- Have these bodies drawn up annual audit plans for the Cohesion Fund for the current year? (Obtain copy of plan and program and assess same)
- Do these bodies use a standard report format (similar to the example report in the CF Manual)? (Obtain example)
- Are there procedures in place within these bodies to follow up the findings and recommendations made in their reports?
  - If yes, indicate procedure
- Have these units developed audit checklists specific to the audit of Cohesion Fund projects?
- Is there evidence indicating that the manager has a separate register for each project?
- Is there evidence indicating that the supporting documents allow the physical verification of the project?
- Is there evidence indicating that the delivery of goods and services can be related to the supporting documents?
- Do these checklists cover issues such as publicity, public procurement and eligibility?
  - Obtain copies of the checklist and evaluate the quality of same
- Have auditing responsibilities been delegated to bodies in other Departments?
  - If yes, obtain evidence that formal arrangements have been put in place for this work e.g. copies of agreements / protocols
- Have auditing responsibilities been contracted out to private companies?
  - If yes, obtain evidence of:
    - Terms of reference for the work
    - Guidance issued to these companies regarding EU eligibility, procurement and publicity rules
    - How their work is controlled
    - Designation of a person to review and monitor the work being carried out by these private companies
- Is a schedule maintained on an ongoing basis of the progress to date as regards both the minimum 15% transaction testing and the systems testing?
- Do these bodies or private firms carry out on the spot visits to projects as part of their audits?
- Has the responsibility for drawing up the statement required under Art 12.1(f) of Regulation 1164/94 as amended by Reg 1264/99 been assigned to a specific body?
  - If yes, is this person or service functionally independent?
  - Name:
  - Contact details:
- Overall conclusion regarding the adequacy of the Audit / Control arrangements

Operational Checks

Objective: Whether the relevant authorities have adequate financial and checking procedures to ensure the regularity, legality and eligibility of expenditure. (Art. 4 and 8 of Commission Regulation 1386/02)

Question | Yes/No/N/A | File ref | Comments

- Does the systems description adequately describe the claims / drawdown / expenditure return / checking process?
- Are there written procedures covering the checking of payment requests / expenditure returns / compilation?
- Are there procedures to ensure the eligibility of expenditure returned – e.g. checklists which refer to the principles of eligibility of expenditure for CF projects?
- Are there checks to ensure that the expenditure:
  - has been incurred and paid within the eligible period?
  - is actual and not notional (trace payments to bank statements)?
  - does not include advances?
  - has been paid by the final beneficiary named in the Decision?
  - is supported by original invoices which have been properly approved and authorised for payment?
  - has not previously been claimed?
  - has been checked for arithmetical accuracy?
  - relates to actions specifically approved by the Commission Decision for the project?
  - is incurred in accordance with the relevant Community and National rules on, in particular, protection of the environment, trans-European networks, competition and public procurement?
- Is there adequate separation of duties between those responsible for checking claims and those responsible for payment of claims?
- Is there adequate separation of duties between those responsible for certifying expenditure and those responsible for authorising payment of claims?
- Are checks adequately evidenced?
- Are there procedures to ensure that payments are made to final beneficiaries in a timely manner and without undue delays?
- Have all intermediate bodies and final beneficiaries been informed of the exchange rates to be used? Obtain evidence.
- Are there controls in place to ensure that the average monthly exchange rate is used for declared expenditure (i.e. that the expenditure returns are checked in this respect)? Check a sample of returns to ensure compliance.
- Overall conclusion regarding the adequacy of the arrangements in place for the claims / drawdown expenditure compilation process

Publicity requirements

Objective: Whether there are adequate arrangements in place to ensure compliance with the publicity requirements set out both in the Commission Decision for the particular project and in Commission Decision 96/455.
Question | Yes/No/N/A | File ref | Comments

Are there arrangements to ensure that all intermediate bodies and final beneficiaries have been informed of the publicity requirements?
Has a ‘publicity’ officer been appointed to monitor the compliance of projects with CF publicity requirements?
Are on the spot checks carried out to projects to ensure that publicity requirements are being observed?
Is evidence of publicity measures taken obtained from final beneficiaries for all projects (e.g. audio-visual material, brochures, press releases, photographs of signage)?
Is a checklist used to ensure that the publicity measures taken are appropriate to the size/budget of the project?
Obtain evidence of the publicity measures taken

Overall conclusion regarding the adequacy of the arrangements in place regarding observance of publicity requirements

Accounting information to be held and communicated to the Commission

Objective: Whether the Member State has adequate procedures for maintaining adequate accounting records on projects which are available to the Commission on request. (Art. 16 of Commission Regulation 1386/02)

Question | Yes/No/N/A | File ref | Comments

Is a computerised accounting system used to record all relevant data on Cohesion Fund projects?
If yes:
Is it adequate to ensure the provision of timely, relevant and accurate information on CF projects?
Is information on all fields specified in Annex IV of Regulation 1386/02 recorded in the system?
Does the format of data to be supplied to the Commission conform to the preferred technical specifications for the transfer of computer files as set out in Annex V of Regulation 1386/02?
Is the data input to the system updated on a regular basis to ensure that it provides timely information on projects?
Indicate how often
Are there procedures to ensure that the information can be provided to the Commission (on request) within 10 working days of the receipt of the request? Indicate name and contact details of person responsible
Is there a formal definition of access levels?
Establish who has access to the system
- to update data
- to view data
Existence of individual passwords
Are there security / access controls to ensure the integrity of the data?
If a computerised system has not been developed, are there plans for same?
In the absence of a computerised accounting system, indicate what system is being used and if it complies with the provisions referred to in the previous questions

Overall conclusion regarding the adequacy of the arrangements in place regarding accounting records

Audit trail

Objective: Whether there are adequate procedures in place to ensure that the management and control systems provide a sufficient audit trail. (Art. 6 of Commission Regulation 1386/02)

Question | Yes/No/N/A | File ref | Comments

Is there a description of the audit trail covering the following areas:
- Location of accounting records (including technical specifications, financial plan, progress reports, tender documentation, reports of inspections of the execution of the project) at each level?
- A list of all bodies involved?
- The basis for the allocation of costs/expenditure where costs relate only partly to a project?
- Process of compiling expenditure returns at each level?
- Computerised transfer of accounting data from each level?
For each of the above processes is there:
- A written description of the process together with details of each of the bodies involved?
- A flowchart showing the flow of information between the different bodies at each level?
Indicate who is responsible for ensuring that the description of the audit trail is kept up to date

Overall conclusion regarding the adequacy of the arrangements in place regarding an accurate documentation of the audit trail

APPENDIX 6: SUGGESTED LIST OF KEY QUESTIONS FOR ON THE SPOT CONTROL OF A COHESION FUND PROJECT

Cohesion Fund Project N:
Details:

Audit trail

Objective: To ensure that the authorities have financial and accounting systems which provide an adequate audit trail and that expenditure returned is capable of summary reconciliation at each level.

Test | Initial | File ref | Comments

Check that the expenditure recorded in the last drawdown claim made to the Commission is supported by documentation held at intermediate and final beneficiary level.
Is a separate ledger account used to record the receipts and payment details of the project? Obtain a copy of same
Agree or reconcile the ledger account to the summary amount returned for Cohesion Fund Aid.
Ensure that amounts in national currency have been translated at the rate prevailing at the date of payment by the final beneficiary.
Are spreadsheets available which analyse the expenditure between the various elements of the project i.e. main contracts placed, land acquisition, consultancy fees etc.

Overall conclusion regarding the adequacy of the audit trail

Eligibility of expenditure

Objective: To ensure that only expenditure which is eligible for Cohesion Fund assistance has been returned.
Test | Initial | File ref | Comments

Ensure that the expenditure returned has been incurred and paid in the eligible period as set out in Article 2 of the Commission Decision for the project
Select invoices at the start and end of the eligible period for a number of contracts (and other types of expenditure)
Ensure for a sample that the type of expenditure returned is eligible as regards the criteria set in the Principles of eligibility of expenditure document e.g. VAT, own land purchase, operating costs etc.
Check that advances made to contractors outside the terms of the contract have not been included in expenditure returns prior to the related work having been carried out.

Overall conclusion regarding the eligibility of expenditure returned

Public Procurement

Objective: To ensure, in respect of public authorities, that contracts for works, services or supplies co-funded by the Cohesion Fund have been procured on the basis of a proper call for tenders, that there are sound controls over the opening of tenders and that all tenders are fully evaluated before the award of the contract.

General: ORGANISATION (System audit related issues)

Test | Initial | File ref | Comments

Is a brief description of the system available re the procurement for Cohesion Fund projects (which bodies are responsible for procurement of infrastructure and environment)?
Has the project manager been informed of the rules governing the award of public contracts as established by the EU and the Member State’s authorities?
Have European Directives regarding procurement been incorporated into national legislation? Obtain copies of relevant documents.
Are flowcharts and/or organisation-charts available that show the flow of documents and decision process?
Are procurement procedures written down in a manual?
How is it ensured that any discriminatory elements are eliminated?
- Are the selection criteria specified in the invitation to tender?

Overall conclusion regarding Public Procurement

Public Procurement (continued)

Contract examined:

Preliminary work

Test | Initial | File ref | Comments

Before taking any initiative for tendering, does a Financing Memorandum for the project exist? Obtain copy of budget.
Was a Project Manager appointed for the implementation of the contract?

Publication

Is the procurement notice published in advance in the OJ, the official gazette and other national newspapers and branch magazines and of the recipient State?
Was a correct deadline applied for submission of tenders (in general at least 90 days from the date of publication of the notice)?
Is co-financing noted in the public contract notices placed in the Official Journal in accordance with Article 1 of Annex II of Council Regulation (EC) N° 1164/94?
Was any additional information requested by contractors and if provided, also given to all other candidate tenderers?

Tender / selection procedure

Note the selection procedure used
- Open
- Restricted
- Negotiated
Was any additional information requested by contractors and if provided, also given to all other candidate-tenderers?

Tender opening procedures

Test | Initial | File ref | Comments

Have all tenders been opened at the date specified in the notice, with two or more people present and have all tenders been recorded?
Review the Tender opening Report at least on the following topics:
- Number of tenderers;
- Withdrawals;
- Non-compliance and reasoning
- Tender prices of those tenders, accepted for further evaluation

Award procedure

How are tenders shortlisted for evaluation or are all tenders submitted evaluated?
Is there an awarding committee?
What is the make up of this Committee (Obtain names and role)
What criteria are used in the award of contracts (List together with point / scoring system used)
Check the appropriateness of these criteria
Is the basis for awarding points to each tenderer under each criterion recorded / justified?
Is a tender assessment / evaluation report prepared?
Who prepares this report?
Check additions / tots of scores awarded under various categories
Is a technical report / evaluation of tenderers report prepared by an engineer as part of the evaluation of tenders?
Review this document and check award of scores
Obtain a copy of report on tenders and review same
Does the tender dossier include:
- selection and award criteria;
- grid to be used to evaluate;
- whether variants are allowed;
- sub-contracting is permitted;
- currency of tender;
How have scores been awarded in the evaluation of tenders?
Confirm that the evaluation took place according to the grid published in the tender dossier and that no changes afterwards have been made in the grid.
Technical compliance of tenders: Yes or no
Is a check on arithmetic correctness of the offers carried out and in case of errors have corrections of the offer(s) taken place?
Have alternatives from a compliant offer from the bidder with the lowest price been evaluated?
Is the most economically advantageous tender chosen for each lot?
Is the price within the available budget?
Have tenderers been requested to explain abnormally low offers and is approval or rejection of these offers well-motivated by the evaluators?
Has the entire procedure (formal compliance and the technical and financial evaluation and choice of the successful tenderer) been fully documented?
Were the evaluation criteria set in advance of the receipt of tenders?
Were all of the evaluation criteria listed in the Conditions of Tendering used in the assessment of tenders?
Were criteria other than those listed in the Conditions of Tendering used in the assessment of tenders?

Awarding of contracts

Test | Initial | File ref | Comments

Contracts signed by the contracting authority?
Publication of the results in OJ, Internet and other media
Check/ask whether any contractor submitted an appeal to the CA, review the content and the reply of the CA.

Overall conclusion regarding the procurement procedure for this project

Reality of the project:

Objective: To ensure that the project has been carried out as planned and as approved in the Commission Decision.

Test | Initial | File ref | Comments

Carry out a site visit to verify the physical existence of the project.
Note the main elements of the project and check these against the description of approved works contained in the Commission Decision / Application for grant assistance.
Obtain engineering drawings where required.
Obtain details of any cost overruns and obtain explanations for these.
Obtain copies of any modifications / variations and ensure that these are
- properly approved
- covered by the scope of the approved works
For more technically complex projects, evaluate the need to make use of a technical expert to examine particular aspects of the project (e.g. cost overruns / unforeseen works, value for money aspects, physical progress versus financial outlays)
- Hold a meeting with the technical expert to determine the nature and scope of the work to be carried out.
- Agree the scope and terms of reference of the work formally and confirm same in writing.
- Review the report of the technical expert and arrange a meeting to discuss the conclusions drawn.
Evaluate the findings and conclusions made in the expert’s report.
Determine whether any follow up action is required as a result of the evaluation of the expert’s report.

Conclusions

Publicity Measures

Objective: To ensure that the publicity requirements detailed in the Annex V of the Decision and Decision 96/455/CE have been complied with.

Test | Initial | File ref | Comments

Do the MS’ Authorities make the general public aware of the role played by the Community in relation to the projects?
Have the on-the-spot information and publicity measures been taken?
Has the content of the projects been published in the most appropriate form throughout the territory of the MS using the local and regional media?

In the case of investments with a cost exceeding ECU 1 million:
Have the MS’ Authorities held regular news conferences on a local level to inform about all facts concerning the project?
Do the MS’ Authorities erect billboards on the sites of the project, for not less than two years after completion of the work, reserving for the EU at least a section of 50% of the total area, indicating the total estimated cost and the Cohesion Fund contribution, and showing the European emblem?
Do the MS’ Authorities place permanent commemorative plaques for infrastructures accessible to the general public, showing the European emblem and the Union’s part financing together with an indication of the Cohesion Fund?
In the case of investments with a cost exceeding ECU 10 million:
Do the MS’ Authorities produce regularly a brochure of general interest and professional audio-visual material which should be delivered to national, regional television and radio stations, to the Commission and, on demand, to interested firms and the public?
Do the MS’ Authorities place a commemorative plaque?

In the case of investments with a cost exceeding ECU 20 million, in addition to the measures for €1m and €10m cost:
Do the MS’ Authorities hold regular news conferences on a nation-wide level concerning the projects, including the presentation of the audio-visual material?

Award of Public Contracts
Article I of Annex II of Council Regulation (EC) N° 1164/94 requires that notices sent for publication in the OJEC shall specify those projects for which Community assistance has been applied for or granted. Check a sample of notices for compliance

Overall conclusion regarding the publicity measures taken for this project

APPENDIX 7: PREPARATORY WORK / GATHERING OF AUDIT INFORMATION

Sound preparation is vital to the efficient and effective conduct of an audit. To ensure that preparation is adequate, the auditor should carry out the following tasks and record the results in the audit file:

Applications for support:
For projects selected to be reviewed, obtain a copy of the Application for Cohesion Fund assistance. Review this document and determine if the project or group of projects clearly conform to the objectives of the Cohesion Fund.
In order to ensure that proper applications were made, ask for list of applicants and review and assess how funded projects were selected.
Decisions:
Obtain a copy of the original Commission Decision approving the project and review same as regards eligibility dates, national and private financing, percentage aid rate and expected revenues. Also note the scope of the project and the particular works to be carried out.
Obtain copies of any modifications to the original Decision noting any changes in the scope of the project and any other changes whether financial or non-financial.

Monitoring:
Ask for last progress report for the project and evidence of the status of completion. Review and identify items you will pursue on site.
Obtain details of procedures, which set out the action to be taken where progress is unsatisfactory.
Review if there are rules relating to refunds.
Review the annual report and relevant control statements to identify any issues which should be addressed during the audit;
Review the minutes of the co-ordination Meetings, the minutes of the monitoring committee and the evaluation reports ‘mid-term’.
Examine the systems description together with any updates received under Article 5 of Regulation (EC) N° 1386/2002.

Safeguarding Community Funds:
For the particular project under review, request that all supporting documents are made available upon your arrival.
Obtain a listing of all the principal works, services and supply contracts involved in the project. Request that the following documents are made available in respect of these contracts.
- Administrative clauses
- Publication of tender notices
- Tender opening sheet recording opening of tenders
- Tender evaluation and award document
- Technical evaluation of tenders
- Contract
- Details of modifications made to the original contract
Obtain schedules of expenditure on the project which support the most recent expenditure return which has been made by the Paying authority to the Commission in respect of the project being examined. This should preferably be in spreadsheet format and analysed between the main works involved in the project and by contract.
Obtain a copy of the systems description and in particular examine the descriptions in relation to the organisations involved in the implementation of the project being audited. Check the description of the audit trail, the description of internal controls for the accounting / payment system, organisation chart – duties. This will be a good source for risk assessment exercise.
Review procedures as regards ensuring eligibility of expenses.
Review VAT legislation regarding project sponsors / final beneficiaries to determine their status as regards eligible expenditure returned.
For the selected projects, the auditor should request details of all payment claims made to date.
Examine procedures in relation to errors, fraud and irregularities. Obtain their list of errors, fraud and irregularities. Evaluate for impact on risk assessment done, and decide if further review is necessary on site. Also verify with OLAF if they have any file on this subject.
Assess the risk of cross funding of projects (i.e. Projects receiving ERDF and Cohesion Fund assistance). Obtain details of any ERDF funded Operational Programmes in the Environment and Transport sectors.

Audits:
Obtain copies of all audit reports carried out on the project being examined.
Examine findings and request details of any follow up action which has been taken in respect of recommendations made.
Review previous audits carried out by the Commission or the European Court of Auditors (ECA) regarding this project.
Check the audit plans discussed at the co-ordination meetings between the Member State and the Commission to take account of any changes made. Where visits are planned or have taken place to the same authority or action, care should be taken not to duplicate recent control effort, while ensuring proper follow-up of reports.
Use SYSAUDIT (when available to Member States) to obtain an overview of all audits done on sampled project. Update your records for findings and follow up issues. Ensure that audits done by the ECA are added to the list.

Financial and Accounting Systems:
Confirm the description of the financial and accounting system of the final beneficiary and evaluate the internal control environment of final beneficiary.
Obtain a copy of the audit trail and any previous audit reports which have commented on the audit trail and review them to identify any possible weaknesses which should be addressed during the audit;
Where IT systems are involved, auditors should ensure that they obtain appropriate documentation to enable the audit to take account of these systems;

General:
Review available information from ex-ante controls and other sources on the selected authorities and project managers/ final beneficiaries to determine whether there are any particular issues which should be addressed during the audit;

As a result of the above work, the auditor should produce an adjusted risk profile of the bodies to be audited and a list of the particular risks to which special attention should be given during the audit. The aims and objectives of the audit, together with the specific work programmes and questionnaires to be used, should be included as part of the audit plan.
The initial risk assessment should be documented in the work papers.

In terms of more detailed information, the auditor should consider the following issues:

For Receipts
The auditor should determine:
- all receipts relating to the Project in-year;
- to which Instalment the receipts related;
- that each receipt was claimed in accordance with EC Regulations;
- that each claim for receipt of Cohesion Fund was dealt with by the appropriate authority (NF)

Payments
The auditor should determine:
- all payments made relating to the Project in-year;
- that all claims for payment were dealt with by the appropriate bodies in accordance with the Regulations;
- that all claims for payment are supported by the necessary documentation;
- that there is evidence of monitoring of the progress of the project by designated authorities, to support the claims made

Bank Accounts
The auditor should determine
- that the NF has opened bank accounts in accordance with the national guidance for each Sector (Transport and Environment) and for each project;
- the current balance;
- the opening and closing balances for the year of examination.

APPENDIX 8: PROCUREMENT DIRECTIVES

General
Cohesion Fund projects are aimed at the transport and environment sectors and generally involve, inter alia, construction of roads, railways, water and wastewater treatment plants. Invariably, these types of project involve both works and services type contracts (and sometimes supplies). Accordingly, the auditor of such projects should be aware of the relevant EU procurement Directives to ensure that the contracting authorities have complied with the requirements of these Directives in the award of public contracts.
EU Public Procurement Directives
EU Directives set legal obligations on Contracting Authorities regarding Public procurement. Violations can give rise to serious legal/financial sanctions. Three different types of contract are identified in EU Directives:
- Works contracts - buildings and civil engineering works
- Supplies contracts - purchasing goods and supplies
- Services contracts - advertising, property management services, architectural / engineering / surveying, management consultancy services and so on.
Any contract placed by a Public Contracting Authority, if it is over the relevant financial threshold in the Directive, must be processed and awarded in accordance with the procedures of the Directive, unless it is covered by a clearly defined exception.
The EU Public Procurement Directives must be followed where a project is wholly or partly financed by EU institutions. This also applies whether or not the body concerned would normally be subject to the Directives.

Thresholds
If the estimated value of a contract exceeds specified thresholds, the contract must be open to competition across the EU, by means of advertisement in the Supplement to the Official Journal of the European Communities (OJEC). These thresholds are subject to revision.

Directives
i) The Works Directive in force is 93/37/EEC (OJ L 199/54 of 9.7.1993) consolidating Directives 71/305/EEC and 89/440/EEC.
ii) The Supplies Directive in force is 93/36/EEC (OJ L 199/1 of 9.7.1993) consolidating Directives 88/295/EEC, 80/767/EEC and 77/62/EEC.
iii) The Services Directive in force is 92/50/EEC (OJ L 209/1 of 24.7.1992).

Tendering Procedures
The EU Directives recognise three tendering procedures:
Open - all interested parties may submit tenders.
Restricted - only those parties invited by the Contracting Authority may submit tenders.
Negotiated - Contracting Authorities consult parties of their choice and negotiate the terms of the contract with one or more of them (this procedure may, however, be used only in the very limited special circumstances set out in the Directives).
The Commission has a strong preference for open procedures to ensure the greatest possible transparency and objectivity.

Advertising
OJEC Notices should be drawn up in accordance with the relevant Directives. Advertisements in the OJEC are usually supplemented by advertisements in the national media to ensure the widest possible competition for the contract. When advertising in the OJEC, the provisions of the Directives, including the format in the Model Notices, must be strictly followed in all cases. These Notices are set out in Annexes to the Directives.

Criteria for awarding contracts
Contracting Authorities, in deciding which bid to accept, may do so on the basis of either
- the lowest price only, or
- the most economically advantageous tender (using various criteria such as price, period for completion, running costs, profitability, technical merit).

Written Report on Contracts Awarded
For all contracts awarded the Contracting Authority must prepare a written report. The Commission may at any time request that this report be sent to them.

Utilities Directives
A separate set of Directives cover the Utilities, that is the Contracting Authorities operating in the four sectors, water, energy, transport and telecommunications. EU Directives 90/531/EEC (OJ L 297 of 29.10.1990) and 92/13/EEC cover Works and Supply contracts and Remedies in these areas. Provisions are similar to those of the main Directives but allow, in a number of instances, more flexible procedures to take due account of the commercial nature of the bodies in question. Directive 93/38/EEC for the Utilities consolidated these previous Directives and incorporated Services contracts.
Thresholds in the Utilities Directive
Separate thresholds, which are subject to revision, apply for works and supply contracts in this area. The thresholds for Services Contracts, which are covered by Directive 93/38/EEC are the same as the Supply contracts.

APPENDIX 9: PUBLICITY REQUIREMENTS

European Commission Decision 455/1996 sets out the specific information and publicity requirements which must be complied with in respect of projects assisted by the Cohesion Fund. As a general approach, the assistance of the Fund should be fairly reflected in all information and publicity measures taken in respect of projects co-financed by the Cohesion Fund.
The specific publicity measures to be undertaken in respect of Cohesion Fund projects are set out in Commission Decision 455/96 and are closely linked to the cost of the project. These are briefly set out below.

For projects with a total cost which exceeds €1m
- Regular news conferences should be held at local level to provide information of public interest concerning the project.
- Billboards should be erected on site and permanent commemorative plaques should be placed where the project involves infrastructure which is accessible to the general public.
In practice, most Cohesion Fund projects will exceed this threshold and accordingly there are further requirements which must be complied with which are in addition to those already mentioned.

For projects with a total cost which exceeds €10m
- A brochure of general interest concerning the project should be produced.
- Audio and visual material such as a short video should be produced. These should be provided to regional TV and radio stations and should give adequate acknowledgement to the participation of the Cohesion Fund.

For projects with a total cost which exceeds €20m
- Regular news conferences should be held at national level to create awareness of the project including the presentation of the audio-visual material already mentioned.

Other requirements
Billboards should be erected for all Cohesion Fund projects exceeding €1m. The billboards should reserve at least 50% of the area of the billboard for acknowledging the Cohesion Fund assistance and should make reference to the Cohesion Fund, the rate of assistance and the overall cost of the project.
Commemorative plaques should be installed on all projects which are accessible to the general public.
It should be noted that the costs associated with publicity measures are eligible for Cohesion Fund assistance.

APPENDIX 10: MODEL REPORT PURSUANT TO ARTICLE 12 OF REGULATION 1386/2002

Preliminary note
Article 12 of Regulation (EC) 1386/2002 (“the Regulation”) provides that Member States shall inform the Commission by 30 June each year of their application of Articles 9, 10 and 11 of the Regulation which relate to sample checks on operations in the previous calendar year and in addition provide any necessary completion or updating of the description of their management and control systems communicated under Article 5 of the Regulation.
In addition, for the purposes of the contract of confidence, the report will be specifically the source of assurance for the Commission that the audit activity is being carried out in accordance with the established audit strategy and that no material deficiencies in the effective functioning of the management and control systems have been found.
The report should therefore concern an identified system for the management and control of the Cohesion Fund (e.g.
national/regional/municipal level, by types of bodies, by project), and should be compiled by, or in collaboration with, the person or department designated to issue declarations on winding up of the assistance under Article 13 (“independent body”). The report should be signed or countersigned by the independent body.
The first report presented in compliance with this model following the establishment of a “Contract of confidence” should provide a summary of audit activity carried out in previous years and should cover in the conclusions all preceding years.
In all cases a copy of the report should be sent to the Director General of the Regional Policy DG, and the deadline of 30 June should be respected.

MODEL REPORT

INTRODUCTION
- Identify the management and control systems covered by the report with reference to the projects and managing and paying authorities;
- Indicate the bodies which have been responsible for the preparation of the report;
- Describe the steps taken for the preparation of the report;
- Indicate the expenditure declared to the Commission for the year concerned for the projects covered by the report.

COMPLETION AND UPDATING OF DESCRIPTION OF MANAGEMENT AND CONTROL SYSTEM UNDER ARTICLE 5
- Indicate any completion or updating of the description previously provided giving the dates from which the changes are applicable.
- Describe where appropriate any changes that are proposed or are likely to be introduced in the current year.

CHANGES TO THE AUDIT STRATEGY
- Indicate any changes to the audit strategy which have been effected or are proposed, with explanation and justification for the changes.
- Draw up a comparative table between works carried out and the initially foreseen working programme, with explanation of the reasons why changes occurred.

SYSTEMS AUDITS
- Indicate the bodies which have carried out audits;
- Attach a summary list of the audits carried out and indicate the date of transmission of the audit report to the Commission;
- Describe the basis for selection of the audits in the context of the audit strategy;
- Describe the principal findings and the conclusions drawn from the audit work for the management and control systems, including the sufficiency of the audit trail and compliance with Community requirements and policies;
- Indicate any potential financial consequences;
- Provide information on the follow up of the audit findings, in particular any corrective and preventive measures applied.

SAMPLE CHECKS ON EXPENDITURE
- Indicate the bodies which have carried out the checks;
- Attach a summary list indicating the number of checks carried out and the amount of expenditure checked broken down by sector/project, including an indication of the percentage of expenditure checked in relation to total eligible expenditure declared to the Commission (both for the year in question and cumulatively);
- Describe the basis for selection of the operations subject to control;
- Describe the principal results of the checks, indicating in particular for each project the number of irregularities identified and the amount of irregular expenditure;
- Indicate the conclusions drawn from the results of the checks with regard to the effectiveness of the management and control system;
- Provide information on the follow up of the irregularities;
- Indicate whether any problems identified were considered to be of a systemic character, and the measures taken, including a quantification of any financial corrections.

FOLLOW UP OF PREVIOUS YEARS’ AUDIT ACTIVITY
- Provide information where appropriate on the follow up of outstanding audit findings or results of expenditure checks from earlier years.

CONCLUSION
In the conclusion it should be confirmed that
- The audit activity for the year concerned was in conformity with the audit strategy presented to the Commission. Where there are any reservations or limitations these should be indicated and explained;
- It should be stated that the results of the audit activity do not show any material deficiency in the effective functioning of the management and control system applicable to the expenditure declared to the Commission for the year concerned. Where there are any reservations or limitations these should be indicated and explained;
- It should be confirmed that specific cases of irregularity have been treated satisfactorily, in particular by making the necessary financial corrections.

APPENDIX 11: GUIDELINES ON THE PRINCIPLES, CRITERIA AND INDICATIVE SCALES TO BE APPLIED BY COMMISSION DEPARTMENTS IN DETERMINING FINANCIAL CORRECTIONS UNDER ARTICLE H(2) OF ANNEX II TO REGULATION (EC) NO 1164/94 ESTABLISHING A COHESION FUND

1. Principles
The purpose of financial corrections is to restore a situation where 100% of the expenditure declared for co-financing from the Cohesion Fund is in line with the applicable national and EU rules and regulations. This allows the establishment of a number of key principles for the Commission services to apply in determining financial corrections:
(a) Irregularity is defined in Article 1(2) of Regulation 2988/95. Irregularities can be one-off or systemic.
(b) A systemic irregularity is a recurrent error due to serious failings in management and control systems designed to ensure correct accounting and compliance with rules and regulations.
If the applicable rules and regulations are respected, and all reasonable measures are taken to prevent, detect and correct fraud and irregularity, no financial corrections will be required.
If the applicable rules and regulations are respected, but the management and control systems need to be improved, there should be pertinent recommendations, but no financial corrections need be envisaged.
If there are serious failings in the management or control systems which could lead to systemic irregularities, in particular failures to respect the applicable rules and regulations, financial corrections should always be made.
(c) The amount of the financial correction for individual or systemic irregularities is to be assessed wherever possible and practicable on the basis of individual files and to be equal to the amount of expenditure found to have been wrongly charged to the Fund in the cases investigated, having regard to the principle of proportionality.
(d) There are situations where it is not possible or practicable to quantify the amount of irregular expenditure precisely, but it would be disproportionate to cancel the entire expenditure in question. In such cases, the Commission may determine corrections on the basis of extrapolation or at flat rates.
(e) Extrapolation can be used where an examination of individual files reveals quantifiable irregularities of the same type and there is a high probability that the irregularity has occurred in a great number of similar cases, i.e., is systemic, but it is not practicable or cost-effective to investigate all the cases individually. Extrapolation requires that a homogeneous population of cases with the same characteristics can be clearly identified. The results of a thorough examination of a representative sample of transactions selected at random from the homogeneous population can then be extrapolated to all the files making up the population, in accordance with generally accepted auditing standards.
A homogeneous population is defined as being within or among activities (projects or groups of projects) under the responsibility of the same managing authority, managed by the same implementing body in the same sector over the same time period, whether under a single Commission decision or different decisions.
(f) Flat rate corrections may be applied in the case of individual breaches or systemic irregularities whose financial impact is not precisely quantifiable – being subject to too many variables or too diffuse in its effects – but where it would be disproportionate to refuse all the assistance concerned except in the most extreme cases. Such irregularities typically result from a failure to undertake checks effectively to prevent or detect breaches of Community rules or conditions of the decision. Where an irregularity appears to be systemic, a flat rate correction may be applied only to the cases investigated, or, in situations like those described in para. (e) above, it may be applied to a homogeneous population of cases with the same characteristics.
(g) When proposing a flat rate correction, the Commission must assess the importance of the infringement of the rules and the extent and financial implications of any shortcomings in the management and control system that have led to the irregularity established. A list of what the Commission considers to be key and ancillary elements of systems for the purpose of assessing the seriousness of deficiencies is given in section 2.2. and an indicative scale of flat rates for corrections in section 2.3. The same expenditure will not normally be subject to more than one correction.
(h) In areas where there is a margin for discretion in evaluating the gravity of the infringement, as in cases of disregard of environmental conditions, corrections shall be subject to the following conditions: a significant failure to respect the rules and a clearly identifiable link with the action receiving EU co-finance.
(i) Unlike the case with corrections made by the Member State under Article 39(1) of Regulation (EC) No 1260/1999, financial corrections decided by the Commission, whether under Article 39(3) of Regulation (EC) No 1260/1999 or Article H(2) of Annex II to Regulation (EC) No 1164/94, always involve a net reduction to the EU funding committed to the project or assistance.
(j) Irrespective of the kind of corrections proposed by the Commission, the Member State is always given the opportunity to demonstrate that the real loss or risk to the Fund and the extent or gravity of the irregularity was less than that assessed by the Commission services. The Court of Justice has held that the burden of such proof is on the Member State.[1] The procedure and time limits are set out in Article 18 of Regulation (EC) No XX/2002.
(k) Where the Commission bases its position on facts established and fully documented by auditors other than those of its own services, it shall draw its own conclusions regarding their financial consequences, after examining the measures taken by the Member State concerned under Article 12(1) and (2) of Regulation (EC) No 1164/94 and Article G(1) of Annex II thereto, the reports supplied under Article 12 of Regulation (EC) No XX/2002 and Regulation (EC) No 1831/94, and any replies from the Member State.
(l) In all cases of corrections by extrapolation or on a flat-rate basis, the proposed correction is submitted to an ad hoc advisory panel, which will consider the arguments presented by the Commission auditor for applying the correction and assess whether the level is appropriate.
[1] See judgment of ECJ of 21.1.1999 in Case C-54/95, Germany v. Commission, para. 35, referring also to Netherlands v. Commission, Case C-48/93.

2. Criteria and scales for flat-rate corrections

2.1 Criteria
As noted in para. 1(f) above, flat-rate corrections may be envisaged when the information resulting from the enquiry does not permit the financial impact of an individual case or several cases of irregularities to be evaluated precisely by statistical means, or by reference to other verifiable data, but does lead to the conclusion that the Member State has failed to carry out adequate verification of the eligibility of claims paid.
Flat-rate corrections should be considered when the Commission finds a failure to adequately effect any control which is explicitly required by a regulation, or implicitly required in order to respect an explicit rule, and whose absence could lead to systemic irregularity. They should also be considered where the Commission finds serious deficiencies in management and control systems resulting in breaches of applicable rules and regulations on a wide scale or detects individual breaches.
In determining whether a flat-rate financial correction should result and, if so, at what rate, the general consideration shall be the assessment of the degree of risk of loss to which Community funds were exposed as a consequence of the control deficiency. Thus the correction should be in compliance with the principle of proportionality. The specific elements to be taken into account should include the following:
(1) whether the irregularity is related to an individual case, multiple cases or all cases;
(2) whether the deficiency relates to the effectiveness of the management and control system generally, to the effectiveness of a particular element of the system, i.e.
the operation of particular functions necessary to ensure the legality, regularity and eligibility of expenditure declared for cofinancing from the Fund under the applicable national and EU rules (see section 2.2. below);
(3) the importance of the deficiency within the totality of the administrative, physical and other controls foreseen;
(4) the vulnerability to fraud of the measures, having regard particularly to the economic incentive.

2.2. Classification of elements of management and control systems for the purpose of applying flat rates of financial corrections for system deficiencies or individual breaches
Management and control systems for the Cohesion Fund consist of various elements or functions of greater or lesser importance for ensuring the legality, regularity and eligibility of expenditure declared for cofinancing. For the purpose of assessing flat rate corrections for deficiencies in such systems or individual cases of irregularity, it is useful to classify the functions of management and control systems into key and ancillary elements. Key elements are those designed and essential to ensure the legality and regularity and indeed the substance of operations supported by the Fund, ancillary elements those that contribute to the quality of a management and control system and help ensure that the system keeps performing well in relation to its key functions.
The list below contains the majority of elements of good management and control systems and good audit practice. The seriousness of deficiencies and individual breaches varies considerably, and cases will therefore be assessed by the advisory panel having regard, in particular, to section 2.4 below.

2.2.1 Key elements for ensuring eligibility for cofinancing

1. Provision and application of procedures for ensuring:
a) at the planning and design stage
   - compliance, where applicable, with national and EU rules on publicity, public procurement and environmental protection, and with the general Treaty rules and principles of transparency, equality of treatment and non-discrimination where EC public procurement directives are not applicable;
   - adequacy of preliminary and technical studies
b) in the pre-selection of projects for funding, especially within groups of projects:
   - projects selected correspond to the objectives and published criteria;
   - observance of eligibility rules;
c) selection of contractors/suppliers in accordance with public procurement rules.

2. Adequate verification of delivery of products and services and of eligibility of expenditure
- on the part of the implementing body:
   (a) verifying the reality of “deliverables” (services, works, supplies, etc.) against plans, invoices, acceptance documents, experts’ reports, etc., and, where appropriate, on the spot;
   (b) verification of observance of conditions of grant approval and of the procedures for changing those conditions;
   (c) verification of eligibility of amounts claimed;
   (d) adequate follow-up of all outstanding questions before acceptance of claim;
   (e) maintenance of an adequate and reliable accounting system;
   (f) maintenance of the audit trail at all levels from the implementing body or body or firm carrying out operation up through the system.
- on the part of the paying authority
   Taking reasonable measures to obtain assurance that the declarations of expenditure it certifies to the Commission are correct, and that:
   (a) expenditure was effected within the eligibility period laid down in the decision of the Commission;
   (b) the cofinanced activities have actually been carried out.

3. Sufficient quantity and quality of sample checks on projects and adequate follow-up
a) carrying out sample checks on at least 15% of total eligible expenditure in accordance with Article 9 of Regulation 1386/2002, supported by a report on the work done by the auditor;
b) the sample is representative and the risk analysis adequate;
c) adequate separation of functions vis-à-vis bodies involved in the implementation of projects to ensure independence;
d) follow-up to checks, ensuring (a) appropriate assessment of results and notification of irregularities under Regulation (EC) 1831/94, (b) action at a general level to correct systemic irregularities;
e) adequate examination underlying declaration on closure under Article 13 of Regulation (EC) 1386/2002.

2.2.2 Ancillary elements
a) satisfactory administrative controls in the form of standard checklists or equivalent means and proper documentation of results, to ensure for instance:
   - that claims have not been paid before and transactions (contracts, receipts, invoices, payments) are separately identifiable;
   - reconciliation within the accounting system of declarations and expenditure recorded;
b) proper supervision of payment processing and authorisation procedures;
c) satisfactory procedures to ensure proper dissemination of information about EU rules;
d) ensuring timely payment of Community funding to beneficiaries.

2.3 Indicative scales of flat-rate corrections

100% correction
The rate of correction may be fixed at 100% when the deficiencies in the management and control system are, or an individual breach is, so serious as to constitute a complete failure to comply with Community rules, so rendering all the payments irregular.

25% correction
When the management and control system is gravely deficient and there is evidence of widespread irregularity and negligence in countering irregular or fraudulent practices, a correction of 25% is justified, as it can then reasonably be assumed that the freedom to submit irregular claims with impunity will occasion exceptionally high losses to the Fund. A correction at this rate is also appropriate for irregularities in an individual case which are serious but do not invalidate the whole project.

10% correction
When one or more key elements of the system do not function in the cases concerned or function so poorly or so infrequently that they are completely ineffective in determining the eligibility of the claim or preventing irregularity, a correction of 10% is justified, as it can reasonably be concluded that there was a high risk of widespread loss to the Fund. This rate of correction is also appropriate for individual irregularities of moderate seriousness in relation to key elements of the system.

5% correction
When all the key elements of the system function in the cases concerned, but not with the consistency, frequency, or depth required by the regulations, then a correction of 5% is justified, as it can reasonably be concluded that they do not provide a sufficient level of assurance of the regularity of claims, and that the risk to the Fund was significant. A 5% correction can also be appropriate for less serious irregularities in individual transactions in relation to key elements.
The fact that the way in which a system operates is perfectible is not in itself sufficient grounds for a financial correction. There must be a serious deficiency of compliance with explicit Community rules or standards of good practice and the deficiency must expose the Cohesion Fund to a real risk of loss or irregularity.

2% correction
When performance in the cases concerned is adequate in relation to the key elements of the system, but there is a complete failure to operate one or more ancillary elements, a correction of 2% is justified in view of the lower risk of loss to the Fund and the lesser seriousness of the infringement.
A 2% correction will be increased to 5% if the same deficiency is established in relation to expenditure after the date of the first correction imposed and the Member State has failed to take adequate corrective measures for the part of the system at fault after the first correction.
A correction of 2% is also justified where the Commission has informed the Member State, without imposing any correction, of the need to make improvements to ancillary elements of the system that are in place but do not operate satisfactorily, but the Member State has not taken the necessary action.
Corrections are only imposed for deficiencies in ancillary elements of management and control systems where no deficiencies have been identified in key elements. If there are deficiencies in relation to ancillary elements as well as in key elements, corrections are only made at the rate applicable to the key elements.

2.4 Borderline cases
Where the correction resulting from a strict application of these guidelines would be clearly disproportionate, a lower rate of correction may be proposed. The advisory panel referred to in para. 1(l) will give careful consideration to the proportionality of corrections.
For example, where the deficiencies arose from difficulties in the interpretation of Community rules or requirements (except in cases where it should reasonably be expected that the Member State raise such difficulties with the Commission), and the national authorities took effective steps to remedy the deficiencies as soon as they were brought to light, this mitigating factor may be taken into account and a lower rate or no correction may be proposed.
Similarly, due regard should be paid to claims of legal security when the deficiencies were not reported following earlier audits by the Commission’s services.
In general, the fact that deficient management or control systems were improved immediately after the deficiencies were reported to the Member State is not considered as a mitigating factor when assessing the financial impact of the systemic irregularities before the improvement was made.

2.5 Basis of assessment
Whenever similar cases have arisen in other Member States, there should be a comparison between them to ensure equal treatment in the assessment of the rates of correction. This is a prime objective of the advisory panel.
The rate of correction should be applied to that part of the expenditure placed at risk. When the deficiency results from a failure by the authorities concerned to adopt an appropriate control system, then the correction should be applied to the entire expenditure for which that control system was required.
The correction should normally concern the expenditure over the period being examined, for example one financial year. However, when the irregularity results from systemic deficiencies, which are evidently long-standing and affecting several years’ expenditure, then the correction should concern all the expenditure declared by the Member State while the system deficiency obtained until the month in which it was remedied.
When several deficiencies are found in the same system, the flat rates of correction are not cumulated, the most serious deficiency being taken as an indication of the risks presented by the control system as a whole.[2] They are applied to the expenditure remaining after deduction of the amounts refused for individual files.
In the case of the Member State’s non-application of sanctions prescribed by national law, the financial correction should be the amount of the sanctions not applied, together with 2% of the remaining claims, as the non-application of sanctions increases the risk that irregular claims will be submitted.

[2] See also section 2.3 (2% correction).

APPENDIX 12: GUIDANCE ON 15% SAMPLE CHECKS BY MEMBER STATES

General
The Commission has issued the following guidance on carrying out sample checks across all AC funded Programmes.
The Commission has encouraged Member States for the 2000-2006 period to develop an audit strategy which will initially focus on systems audits, and will then proceed to verify the functioning of the systems through sample checks of expenditure. Accordingly, consideration should be given to setting up a single central co-ordinating body to establish standard methodologies for the audit work; for disseminating good practice; and to plan and monitor the work (see Article 2 of CR 1386/2002).

Independence of auditors
CR 1386/2002 also stipulates that, to avoid potential conflicts of interest, the controls should be carried out by a body or person independent of the managing and implementing body or the body responsible for the implementation of payments procedures.

Even spread over the period
For the Cohesion Fund, the period over which expenditure can be declared and over which therefore audit work has to be spread can last until 2010 or even beyond (at least for those Member States remaining eligible for funding until 2006), and therefore requires longer-term planning. It is recommended that Member States plan their work in such a way as to cover 15% or more of expenditure declared in each year of the period.
In formulating annual audit plans it will be advisable, in order to ensure the efficient use of audit resources, to obtain expenditure profiles for each project from each implementing authority annually showing the expenditure declared to date and the anticipated expenditure profile for each subsequent year. Plans should be updated annually to take account of changes in actual and anticipated expenditure.

Coverage
In the Cohesion Fund, it is necessary to ensure coverage of each of the main types of projects, i.e., roads, railways, ports, waste water, water supply, etc. and the main implementing bodies (national, regional and local administrations responsible for the projects).
Given the smaller number of mainly large projects, to ensure that the sample within the limits of the overall 15% coverage is representative, sample checks should not focus only on a few projects which will be subject to 100% tests of transactions but should check smaller tranches of expenditure from a larger number of projects. The latter approach would better respect the requirements set out in the regulation. Projects can be audited more than once, thus ensuring both adequate coverage over the lifetime of the project and where problems are detected at an early stage allowing timely corrective action to be taken.

Subject, content and conduct of audit
Expenditure declared from the operation must be audited on the spot on the basis of original documentation or records held on commonly accepted data carriers.[3] This normally means at final recipient level.
The work done in sample checks of expenditure follows a different approach from that done in system audits supplemented by substantive testing.[4] They involve a thorough financial audit aimed at establishing whether selected expenditure is eligible and regular and thus determining the reliability of expenditure declarations from the operations concerned and the effectiveness of controls by the managing authority. They must thus cover the execution of the operation (the actual delivery of goods and services paid for), reconciliation between the expenditure claimed and the supporting documents, the eligibility of the expenditure both under the terms of the programme concerned and the general eligibility rules, the provision of national co-financing, compliance with relevant EU and national legislation including public procurement, state aid and the environment, and avoidance of common errors.[5]
The audit should be performed using a checklist, which should be suited to the type of operation. Supporting documents should as a rule be checked 100%. Where there are large numbers of similar and repetitive supporting documents such as invoices or proofs of payment, however, it is accepted audit practice to check a random sample of adequate size rather than 100%. The sampling methodology should be recorded in the audit report or working papers in such cases. However, if the check reveals errors the sample should be widened to establish how widespread these are.[6]
For the Cohesion Fund, the above principles hold true but in addition extremely close attention should be paid to compliance with the conditions of the decision on the project and achievement of its objectives (see in particular, Article 10(b) of Regulation 1386/2002 in conjunction with Article 2(1), second subparagraph, and Article 4(1), first subparagraph) and to compliance with public procurement and environmental legislation.
It is advisable to review procurement procedures in respect of the award of the main contracts on the first occasion a given project is audited, especially where the project shows a significantly higher expenditure profile in later years and little expenditure in earlier years. Both the principal construction contracts and the principal supply of services contracts (e.g., supply of raw materials and equipment for projects and services such as engineers and other consultants) should be covered.
Apparent systemic problems within a given implementing body or region or throughout the Member State must be investigated in depth.[7]

[3] Article 7(2a) of Regulation (EC) No 438/2001, as amended by Regulation (EC) No 2355/2002.
[4] ECA report points 66-69. In its replies to the ECA report the Commission explicitly agreed with the Court of Auditors’ description of good practice in points 37-41 of its report.
[5] See ECA report, point 38. See also the financial corrections guidelines, section 2.2, where the key elements of systems to be checked on the spot are set out.
[6] If the problems appear to be systemic within a whole organisation (intermediate body or final beneficiary), a further sample of projects managed by the organisation should be audited. (Article 12 of Regulation 438/2001).
[7] Article 11 of Regulation 1386/2002.

Reports and working papers
Reports and working papers kept in the audit file should together provide detailed information about the work done, the methodology, and if a sampling method is applied they should describe it. They should include, where practicable, a list of the documents checked and also show the value of the expenditure audited and that of the expenditure in which errors or irregularities have been found.[8] Reports can be short, detailing only findings, conclusions and recommendations.
The report may be part of the same document as the checklist or a separate document to which the checklist is attached. Reports should be delivered promptly and be clear in their findings, conclusions and recommendations.

- Only expenditure declared up to the date of the audit can potentially be counted, not later expenditure for the same project.
- Audits by the Commission or the European Court of Auditors cannot be counted.[9]
- Expenditure checked but found to be irregular during the audit can still be counted towards the 15% requirement, but if the level of the irregular expenditure is significant, the percentage of expenditure checked should normally be increased.
- Double counting must be avoided (for example, counting twice the earlier expenditure on an operation which has been audited at an interim stage and on completion).[10]
- Expenditure audited in substantive testing for a systems audit can be counted under certain conditions. These are that all the criteria required for transaction testing are respected, in particular an examination of the individual payments and supporting documents down to the level of the final recipient.
- Progress towards the required coverage should be properly monitored. This would generally be the job of the co-ordinating audit unit for the programme or Fund (see point 3.2 above).

Follow-up of findings

The findings of audits should be systematically followed up and concluded with errors corrected and unclear issues resolved. For the follow-up of findings, reports should be passed on to the managing units for prompt action. Though the allocation of responsibilities may vary, some body should be in charge of monitoring follow-up and signing off the file once the necessary action has been taken at the instigation of the managing unit. In some systems it is the audit body that is responsible for this monitoring. Remedial measures must be taken to correct systemic deficiencies.
Article 11 of Regulation 1386/2002 provides: “The checks shall establish whether any problems encountered are of a systemic character, entailing a risk for other or all projects carried out by the same implementing body or in the Member State concerned. They shall also identify the causes of such situations, any further examination which may be required and the necessary corrective and preventive action.” Irregularities must be reported pursuant to Regulation 1831/94 for the Cohesion Fund.

Footnotes:
8 ECA report, points 40-41 and 72.
9 ECA report, point 74.
10 ECA report, point 72.

APPENDIX 13: LIST OF ABBREVIATIONS

AFCOS: Anti-Fraud coordinating service
BSC: Budgetary Spending Centre
BSO: Budget Supervision Office
CAATs: Computer-assisted audit techniques
CR: Commission Regulation
EC: European Commission
ECA: European Court of Audit
EEC: European Economic Community
GOSP: Government Office for Structural Policies and Regional Development
IB: Implementing Body
IS: Information systems
ISPA: Instrument for Structural Policies for Pre-Accession
IT: Information technology
MA: Managing Authority
MESP: Ministry of Environment, Spatial Planning and Energy
MoT: Ministry of Transport
NF: National Fund
OJ: Official Journal (EU)
OLAF: European Anti-Fraud Office
PA: Paying Authority
PIFC: Public Internal Financial Control (system)
Q.A.: Quality Assurance
SAI: Supreme Audit Institution
TPS: Third party statements