Annex 2.pdf

Ref. Ares(2014)1132238 - 10/04/2014

The FP7

Audit Process

Handbook

Version December 2010

(Last update 21 December 2010)

European Commission

Issued by the working group on

Coordination of external Audit in Research (CAR)

1

1  Introduction
1.1  Purpose of the Audit Process Handbook

The Audit Process Handbook (APH) constitutes the procedural manual how to perform ex-
post controls (external audits) on the use of the research budget by beneficiaries of the EC,
which  are  directly  carried  out  by  staff  of  the  EC  External  Audit  Services  (“own-resource-
audits”). In other words the APH navigates the auditor of the EC External Audit Services on
how  to  carry  out  an  audit  engagement  from  the  audit  assignment  &  planning  phase  to  the
closure and communication of the audit results while respecting the principles and standards
set for the external audit of EC research expenditure.

The  APH  determines  the  procedural  aspects  of  the  audit.  It  is  valid  for  all  external  audit
engagements  under  all  relevant  contractual  provisions  (i.e.  different  Research  FP,  Euratom,
Coal  &  Steel).  Therefore  the  APH  is  based  on  a  modular  concept;  the  different  contractual
provisions  relevant  for  an  individual  audit  engagement  are  included  in  individual  modules
related to the respective contractual basis (e.g. the “Standard Audit Program for FP7”).

Please note that the Audit Process Handbook does not replace or substitute existing guidelines
i.e. the FP7 Audit  Manual.  These manuals  represent  mainly interpretational and explanatory
guidance  on  the  specific  contractual  regulations  as  such  and  should    be  consulted  and  used
during  a  respective  audit  engagement  to  familiarise  with  the  contractual  requirements  and
typical errors detected in external audits of these requirements. The Audit Process Handbook
provides  the  procedural  framework  for  the  audit  process  complemented  by  links  to  existing
documents related to specific contractual framework programs such as e.g. Audit Program for
FP7 or reporting templates.

1.2  Use of the Audit Process Handbook

The APH assists or navigates the auditor to  follow the (standard) audit process designed for
external  audits  in  EC  research.  This  process  is  characterised  by  several  phases  related  to
activities  to  be  performed  by  the  auditor(s).  In  all  phases  specific  procedures  are  foreseen
which  are  laid  down  in  related  documents  or  guidelines  that  are  either  mandatory,
recommended  or  optional  to  be  followed  (within  the  sections  on  the  various  phases  it  is
indicated which documents/guidelines are considered mandatory respectively recommended).
Further documents are provided to assist the auditor in following best practices identified.

Section  2  of  the  APH  includes  a  description  of  the  Audit  Process  to  be  performed.  This
description  is  linked  to  a  checklist  ('Audit  Process  Checklist')  which  lists  the  required  steps
and  procedures  to  be  performed  during  the  audit  engagement  by  the  assigned  (principal)
auditor.  The  completion  of  this  recommended  checklist  will  guide  the  auditor  through  the
entire  audit  process  and  shall  guarantee  that  the  work  performed  respects  the  relevant
standards and policies of the External Audit Service.

The sections 3 to 7 of the APH provide detailed explanation to the steps and procedures to be
performed  from  the  assignment  to  the  closure  of  the  audit.  However,  as  the  APH  follows  a
modular concept, certain sections require the assigned auditor to customise the audit process
relevant  to  the audit engagement.  In other words:  (s)he needs to  select  the relevant  modules
for the individual audit engagement (s)he intends to perform (e.g. for an assignment to audit

4

the  cost  claims  under  FP7,  the  auditor  amongst  others  has  to  select  the  “Standard  Audit
Program for FP7”, the “Standard Reporting Template for FP7 Audits” and the relevant Letter
Templates for FP7).
The respective sections of the APH include the information on which procedures (documents/
guidelines) are valid for all audit engagements and which procedures have to be customised.

Standardised procedures and documents can not exist for all (individual) audit engagements.
E.g.  an  audit  engagement  requires  a  specific  Audit  Programme  which  is  not  provided  as  a
standard document. Nevertheless, for such audit engagements also the forms and procedures
obtainable  for  'standard'  audit  engagements  might  be  taken  as  a  reference  for  a  customised
procedure.
1.3  Constraints of and deviations from the Standard Audit Process

The  standardised  audit  process  and  standard  working  procedures  aim  to  ensure  the
performance  of  high  quality  audits  which  also  guarantee  accordance  with  the  relevant
principles and auditing standards of the External Audit Services.

However,  standardised  processes  and  procedures  may  not  in  all  cases  guarantee  the  optimal
performance of the audit (e.g. specific audit engagements may require specific considerations;
cost-benefit  considerations  for  limited  audit  scopes).  The  APH  does  not  replace  the
responsibility of the individual auditor to carefully plan and perform the audit engagement in
accordance with the generally accepted audit standards.

Therefore,  in  individual  cases,  deviations  from  the  standard  audit  process  described  in  the
APH  might  be  appropriate.  Nevertheless,  significant  deviations  should  be  well  considered,
justified and documented and, where relevant, agreed in advance with the senior management
of the External Audit Service.

Consequently the APH defines three categories of procedures and documents:

  Mandatory  procedures/  documents:  These  procedures/  documents  must  be  followed
without changes or modifications to the content. They have to be completed and must
not  include  blanks  (where  necessary  they  can  include  a  mentioning  'N/A'  or  'Not
relevant'). (Examples are: APM, ACM, DASS )

  Recommended  procedures/  documents:  These  procedures/  documents  shall  be
followed  but  may  be  changed  or  adapted.  The  auditor(s)  can  however  decide  to
deviate from these standardised procedures/ documents in accordance with the overall
principle  stated  above.  (Examples  are  the  Audit  Process  Checklist,  'Standard  Audit
Program' and 'Standard Reporting Template').

In  these  cases  the  auditor  has  to  provide  the  justification  for  deviation  and  to  ensure
that the alternative procedure/ document used is

o  in accordance with the general principles and relevant standards,
o  appropriate to replace the recommended procedure/ document provided and
o  sufficiently documented following the principles of documentation.

  Guidance (optional) documents: These procedures/ documents are obtainable to assist
the  auditor(s)  in  the  audit  process  but  are  neither  binding  nor  require  additional

5

justification  or  documentation  in  case  they  are  not  used.  (Examples  are  the  'Exit
Meeting Checklist' and 'Audit Input File Checklist')

1.4  Outsourced Audit Engagements

By  decision  of  the  Head  of  the  External  Audit  Service,  Audit  Engagements  can  be  out-
sourced to an external audit company.

The Commission therefore has concluded a framework contract which allows the Commission
to procure audits on RTD beneficiaries under two forms, batch and individual assignments. In
essence, batch assignments aim for a high number of audits to be performed, while individual
assignments enable the procurement of ‘tailor made’ audit services.
The  Audit  Process  Handbook  is  in  principle  designed  for  audit  engagements,  which  are
directly  carried  out  by  staff  of  the  EC  External  Audit  Services  (“own-resource-audits”).
Specific  procedures  exist  for  the  management  and  supervision  of  the  outsourced  audit
engagements.  Nevertheless,  elements  of  the  Standard  Audit  Process  Handbook  (e.g.  the
planning  and  closure  procedures)  may  be  useful  and  could  be  considered  for  these  audit
assignments.

6

2  The Audit Process for external Auditing in EC Research
2.1  Overview of the Audit Process
In  the  context  of  research  frameworks-program  projects,  on-the-spot  financial  audits  aim  at
verifying  the  beneficiary's  compliance  with  the  financial  contractual  provisions,  in  view  of
assessing  the  legality  and  regularity  of  the  transaction  underlying  the  implementation  of  the
Union budget. The legal basis for the financial audit is usually included in one of the annexes
to the grant agreement signed between the European Commission and the Beneficiary.1

The audit may also include the review of the system of internal controls of the beneficiary in
order  to  assess  whether  it  is  adequate  and  sufficient  to  ensure  that  costs  incurred  by  the
beneficiary  on  EC-research  funded  projects  are  correctly  allocated  to  those  specific  projects
and recorded as such in the accounting records.

The Audit Process is composed of the following phases:
Audit Initiation
Audit Planning
Audit Examination
Audit Reporting
Audit Closure
Implementation of Audit Result

FLOWCHART AUDIT PROCESS

The  overall  Audit  Process  covers  all  stages  following  the  decision  to  perform  a  certain,
individual  audit  engagement  taken  by  the  management  of  the  external  audit  service  (Audit
Decision)  until  the  (formal)  closure  of  the  audit  including  several  inherent  quality  controls
(see section 2.3).


1 E.g. in Annex II to the contract under FP7

7

Questions  related  to  the  overall  selection  of  audit  assignments  in  the  context  of  the  audit
strategy and the implementation/ follow-up of audit results are not part of the Audit Process as
defined for this Handbook.

The overall audit process is further detailed in the following section. Individual phases of the
audit process are outlined in the sections 4-7 of the APH.

2.2  The Audit Process Checklist
The audit process requires a number of procedures and actions to be performed in the various
phases.  To ensure the completeness  of the Audit  Process  and the audit work performed  it is
recommended that the auditor follows the 'Audit Process Checklist' as below:

o  <Audit Process Checklist>

This checklist includes specific procedures/ actions to be performed and provides references
to  the  specific  sections  in  the  APH  which  contain  detailed  information  and  guidance  on  the
respective procedure/ action.

The use and completion of the 'Audit Process Checklist' is  recommended. With the VISA to
this  checklist  the  assigned  (principal)  auditor  states  that  (s)he  has  carried  out  the  audit
engagement within the requirements, principles and standards defined for the External Audit
Service of the DG/agency.

The Audit-Process-Checklist is the central procedural document to be followed
and to be signed by the assigned (principle) auditor to guide the auditors
through and ensure the completeness of the entire Audit Process.

2.3  Process workflow and responsibilities of the parties involved
2.3.1  Involved parties within the External Audit Service (‘internal parties’)

In  most  audits  during  the  core  work  of  the  audit  (examination  (2)  and  reporting  (3))  the
auditor  (respectively  the  audit  team)  will  be  the  sole  party  involved.  Occasional  needs  for
support  by  other  parties  such  as  colleagues  or  administrative  support  (secretariat  or  back-
office)  may  arise  but  will  be  limited  to  individual  cases.  (Such  a  situation  may  for  example
occur when special procedures, e.g. for sensitive cases, have to be followed).

On the contrary high interaction with other parties is necessary in the planning phase (1) and
the  closure  phase  (4)  of  the  audit.  During  these  phases  activities  related  to  the  quality
management  and  supervision  of  the  audit  as  well  as  technical  and  administrative  elements
require  the  active  involvement  of  the  management  of  the  external  audit  service,  the  audit
back-office and the secretariat.

More  detailed  information  on  the  involvement  of  other  ‘internal  parties’  during  the  audit
process including an indication of the relevant procedural-documents to be used in the various
phase is provided in the respective sections of this Handbook.

8

2.3.2  Involvement and responsibilities of the operational services

The  services  responsible  for  and  concerned  with  the  scientific  and  financial  management  of
the research project (operational services) represent the operational interface between the EC
and  the  audited  organisation.  Thus  these  services  may  be  involved  in  the  Audit  Process  at
various levels.

  The operational services can actively request an audit assignment. Although this is not
considered part of the Audit Process as such, this situation usually requires increased
cooperation  and  communication  with  the  operational  services  to  ensure  an  efficient
and  effective  audit  process  (i.e.  precise  scope  and  terms  of  engagement  –  see  also
section 3).

  The  operational  service  has  ownership  and  direct  access  to  all  documents  obtained
from the audited organisation related to the projects under audit. Thus it is the primary
source  of  information  and  documentation  on  the  audited  organisation  prior  to  the
audit.  Although  standardised  lists  exist  to  request  relevant  information  from  the
operational  services,  the  auditor  is  advised  to  always  seek  direct  contact  with  the
responsible operational service to clarify and assess information obtained as well as to
include potential ‘non-documented’ information.

  The operational service is responsible to provide the auditor with all relevant and up-
to-date  information  and  documentation  on  the  audited  organisation  to  the  extent
available.  However,  the  auditor  also  needs  to  precisely  determine  what  information
(s)he needs to properly plan and prepare the audit. Guidance exists to assist the auditor
in this task (e.g. Audit Input File checklist).

  During the audit work and the reporting, questions may arise which require feedback
and  decisions  from  the  operational  services.  The  auditor  is  encouraged  to  actively
interact with the operational services at an early stage (e.g. during the audit field work)
to  avoid  potential  misunderstandings  and  be  able  to  perform  relevant  procedures  in
due  time.  Therefore  it  is  recommended  that  the  auditor  and  the  operational  services
convene  on  relevant  practical  arrangements  during  the  audit  (i.e.  communication
arrangements during the audit field work).

  In special cases, it can contribute to the effectiveness and efficiency of the audit for
the operational service to actively participate in the audit work. Usually the necessity
to perform such ‘joint audits’ is already included in the phase of the Audit Decision.
However,  it  is  in  the  responsibility  of  the  auditor  to  eventually  suggest  such  a  ‘joint
audit’ to the management of the External Audit Service when considered justified. In
such  cases  a  separate  agreement  with  the  operational  service  as  well  as  increased
cooperation already in the planning phase of the audit will be necessary.

  The operational service may be consulted on the audit results before finalisation and
closure  of  the  audit.  The  feedback  of  the  operational  service  could  be  requested  to
verify  accuracy  of  the  information  used  and  avoid  misunderstandings.  The
consultation also contributes to the quality management of the audit and shall ensure
that  audit  results  are  understood  and  sufficiently  documented  for  implementation  of
the audit results.

  The  operational  service  is  responsible  for  the  implementation  and  follow-up  of  the
audit  results.  All  financial  implications  (such  as  recovery  orders  …)  fall  under  the

9

responsibility  of  the  authorising  officer  in  the  operational  service.  Feedback  and
interaction  with  the  audit/  auditor  may  occur  where  specific  follow-up  actions  are
suggested and have to be performed (e.g. extrapolation of audit results). However, on
the  level  of  the  Audit  Process,  such  interactions  are  considered  to  follow  the  Audit
closure and thus to be outside the Audit Process. Following this, from the procedural
perspective  a  follow-up  audit  is  considered  a  new  audit  eventually  with  a  limited
scope.

2.3.3  Involvement of the audited organisation

The audited organisation is requested to cooperate in the audit by the grant agreement signed
with the EC (different articles depending on research programme). Formally, the audit will be
announced  to  the  audited  organisation  by  registered  letter  of  the  EC  External  Audit  Service
(‘letter  of  announcement’).  During  the  audit  the  audited  organisation  has  to  provide  all
information relevant to the audit of the project(s) selected.

Besides  the  abovementioned  requirements,  the  auditor  is  advised  to  ensure  informal
cooperation  of  the  audited  organisation.  In  various  phases  of  the  audit  process,  additional
involvement  of  the  audited  organisation  is  either  requested  (mandatory)  or  suggested  in  the
APH  (e.g.  in  the  planning  phase  it  is  suggested  that  the  auditor  agrees  with  the  audited
organisation on the date and the practical arrangements of the audit field work before sending
the  letter  of  announcement;  in  the  reporting  phase  it  is  mandatory  to  consult  the  audited
organisation on the audit results).

2.4  Quality Management and Supervision in the Audit Process

Quality management and supervision constitute substantial elements of professional auditing.
The  APH  foresees  various  inherent  quality  controls  at  different  phases  and  shall  ensure
appropriate supervision on the audit process by senior management.

Effective quality controls and supervision to a large extent depend on and require appropriate
and sufficient documentation of the audit work performed. Consequently, the documentation
of  the  audit  work  has  to  follow  basic  standards  and  principles  which  ensure  these
requirements.  By  following  the  APH  and  the  related  procedures/  documents  the  necessary
minimum  requirements  are  considered  to  be  provided.  Nevertheless,  it  remains  the
responsibility of the  auditor to  ensure that the supervising  authority  disposes  of the relevant
information when performing quality controls.

Inherent supervision and quality controls in the APH include amongst others the review and
approval of the audit planning and the audit closure by senior management,  the consultation
of  the  audit  results  with  the  operational  services  and  the  audited  organisation  and  the
standardisation of the audit work/ audit process itself.

Additional  quality  controls  and  supervision  activities  (such  as  peer-reviews  of  the  working
papers) may be foreseen by the External Audit Service on a case-by-case and/or on a random
basis.  However,  as  these  controls  are  not  directly  linked  to  the  audit  process  they  are  not
covered by the APH.

10

2.5  Documentation of the Audit Process
It  is  essential  that  every  auditor  is  aware  of  the  importance  of  the  audit  documentation  and
considers the documentation as an integral part of the audit procedure.

All  information  collected during the  audit should be documented. All  supporting documents
received during the audit should be filed.

The documentation of the audit is  one  of the most  important  parts of the audit process.  The
purpose of the documentation is to provide (i) a sufficient and appropriate record of the basis
for the auditor's report and (ii) evidence that the audit was performed in accordance with the
standards  and  policies  of  the  external  audit  service  of  the  European  Commission.  The  audit
documentation should normally include:

  All mandatory documents and documents related to mandatory procedures that form
part of the audit process according to this Audit Process Handbook

  Copies  of  letters,  notes  and  meeting  minutes  concerning  audit  matters
communicated to, or discussed with, the beneficiary

  All relevant working papers and documents that support the audit conclusions, e.g.

o   excerpts of the beneficiary's policies and procedures;
o  documentation describing the accounting and internal control systems;
o  documents on individual transactions (invoices, …);
o  other evidence supporting the auditor’s analysis and conclusions

Working papers are defined as

“the  records  kept  by  the  auditor  of  the  procedures  applied,  the  tests  performed,  the
information obtained, and the pertinent conclusions reached in the engagement.” 2

According  to  this  definition,  the  working  papers  should  not  only  include  the  obtained  and
prepared  audit  evidence,  but  also  document  the  audit  activities  and  answer  the  following
questions:

Why was it done?
What was done?

How was it done?

When was it done?

Who did it?

What is the conclusion?

Working papers should be properly identified. In relation to every question investigated, the
auditor  should  prepare  the  relevant  facts,  sufficiently  complete  and  detailed,  to  provide  an
understanding of the audit activities performed and the result thereof. Regarding the extent of
the working papers, the  International  Federation  of Accountants (IFAC)  gives the following
guidance:

The  extent  of  working  papers  is  a  matter  of  professional  judgement  since  it  is  neither
necessary  nor  practical  to  document  every  matter  the  auditor  considers.  In  assessing  the
extent  of  working  papers  to  be  prepared  and  retained,  it  may  be  useful  for  the  auditor  to

2  American Institute of Certified Public Accountants (AICPA), Statement on Auditing Standards nr 41

11

link to page 51 consider what would be necessary to provide another auditor who has no previous experience
with  the  audit  with  an  understanding  of  the  work  performed  and  the  basis  of  the  principle
decisions taken but not the detailed aspects of the audit. That other auditor may only be able
to  obtain  an  understanding  of  detailed  aspects  of  the  audit  by  discussing  them  with  the
auditors who prepared the working papers. 3

Working  papers  should  be  kept  to  such  an  extent,  that  another  auditor,  with  no  previous
experience of the audit, could take over the audit in case of need.

To  sum  up,  the  documentation  should  be  logically  structured,  clear  and  concentrate  on
essential  topics.  In  addition,  it  should  be  kept  in  a  way  that  enables  evaluation  of  the  audit
proceedings. For the filing and documentation of the Audit File refer to the section 7.2.2.
3  Audit Initiation and Audit Decision

As already indicated, audit initiation and decision are not considered part of the audit process
in the sense of the APH. However, given the potential impact of these on the audit planning
and examination phases (see also  section 2.3.2) the principle elements  of the audit  initiation
and decision procedures are outlined in the following.

In  total  the  following  flow-chart  summarises  the  Audit  Initiation  and  Decision  procedure
graphically:

Initiation by
Initiation by third parties/ other services
the External
Audit Service
‘Standard’
Other
Audit Request
Audit Request
‘Standard’ Audit
Individual
Request Form
Audit Request
Audit
Decision
YES
NO
Decision
Notification
Audit Planning Phase
Rejection of the
Audit Request


3  IFAC, International Standards on Auditing and Related Services no. 9

12

FLOWCHART AUDIT INITIATION AND AUDIT DECISION

The following forms are available for the Audit Initiation and Audit Decision:

  Link   <Audit Request and Decision Notification Form >

External  audits  performed  by  the  Research  DGs/agencies  have  their  origin  in  two  different
procedures: audits initiated by the External Audit Service and audits initiated by third parties
or other services.

3.1  Audits initiated by the External Audit Service

Audits  initiated  by  the  External  Audit  Service  represent  the  majority  of  audits  and  core
business  of  the  External  Audit  Service.  The  initiation  of  these  audits  usually  follows  an
overall internal selection process. Selection criteria will usually be determined in accordance
with a (multi-) annual audit strategy and/or periodical audit plan. In addition, individual audits
may be initiated on a case-by-case basis by the External Audit Service for specific purposes.

The following is characteristic to audits selected by the (management of the)  External Audit
Service:

  Normally no additional decision by the management of the External Audit Service to
perform the audit (Audit Decision) is necessary as both the selection and decision are
originated by the same authority;

  Typically  a  large  number  of  audit  engagements  will  result  from  a  selection  by  the
External  Audit  Service  which  usually  implies  similar  audit  scope  and  organisational
settings.

3.2  Audits initiated by third parties / other services

Audits initiated by third parties can originate from requests by the operational services, other
audit organisations (i.e. ECA), the organisation to be audited itself or other parties involved.
Such audits – hereinafter named ‘requested audits’ – will usually constitute a minor part of the
audits to be performed.

The following is characteristic to audits initiated by third parties/ other services:

  An additional decision by the management of the External Audit Service to perform
the audit (Audit Decision) is necessary as the request of an audit needs to be analysed
and  evaluated  to  determine  the  effectiveness  and  efficiency  of  a  potential  audit
engagement;

  The audit scope and organisational settings depend on the individual audit case  and
need to be determined in accordance with the party initiating the audit.

13

For ‘requested audits’, a specific procedure exists. Third parties need to address the external
audit service by providing a (written) audit request. The external audit service will assess the
audit request (under consultation of the requesting party) and communicate its audit decision
to  the  requesting  party  in  writing.  In  case  of  a  positive  decision  (which  says  that  the  audit
service will take action), this  answer to  the requesting party also  includes the (agreed) audit
scope and/or the terms of engagement for the respective audit engagement.

For  'standard  audit  requests'  (such  as  most  of  the  requests  introduced  by  the  operational
services) and the communication of the related Audit Decision a specific Audit Request and
Decision Notification Form should be used.

3.3  Specific procedure for audits requests by operational services

As  outlined  above,  the  various  operational  services  within  the  Research  DGs/agencies  can
request the performance of an audit on a specific beneficiary. These requests can be made at
any time during the year. Audit requests should be made in writing and addressed to the Head
of Unit of the External Audit Service.

Requests  from  the  operational  services  shall  be  signed  and  submitted  by  the  respective
Authorising Officer or delegated person (e.g. Audit Liaison Officer). The Authorising Officer
or  delegated  person  is  the  point  of  contact  between  the  operational  service  and  the  Audit
Service of the DG/agency and forwards/initiates requests for audits.

A standard Audit  Request  Form  is  available here  <Audit  Request  and Decision Notification
Form >

This  request,  along  with  supporting  documentation,  will  be  assessed  by  the  Head  of  the
External Audit Service and/ or a Audit Evaluation Committee chaired by the Management of
the External Audit Service or delegated person within the External Audit Service.  The Head
of the External Audit Service/ Audit Evaluation Committee, in concert with the representative
of  the  operational  service,  will  assess  the  information  that  has  been  provided.  A
recommendation  on  the  necessity  and  objective  of  the  audit  assignment  should  be  taken  as
soon as possible, not later than 3 months from the date of the request. As the case may be, the
Management of the External Audit Service or delegated person will assign the audit to one of
the  auditors    .  The  Head  of  the  External  Audit  Service/  Audit  Evaluation  Committee  will
communicate the Audit Decision to the operational service concerned.

A standard Audit Decision Notification is included in the Audit Request Form (see above)

14

4  Process Phase 1: Audit Planning
4.1  Overview of the planning phase

Auditors should plan the audit work so as to perform the audit in an effective manner.
An audit plan is the formulation of the general strategy for the audit, which sets the direction
for the audit, describes the expected scope and conduct of the audit and provides guidance for
the development of the audit program.

For  the  purpose  of  this  Handbook,  Audit  Planning  is  understood  being  the  procedural  steps
following  the  Audit  Decision  and  preceding  the  Audit  Preparation  under  the  Audit
Examination  Phase.    Compared  to  the  Audit  Preparation  the  Audit  Planning  phase  is  more
focussed on the formal assignment, the resources and a preliminary assessment/ determination
of the requirements of the audit engagement. However, overlaps e.g. as to the assessment of
the Audit Risk and the information collection can exist and procedures under the preparation
phase may also be considered for planning purposes.

4.2  The procedural steps during the Planning Phase
4.2.1  The Audit Planning Memorandum

The audit planning on the level of the individual audit engagement is mandatory for all audit
engagements. It is reflected by the Audit Planning Memorandum Document (APM) which is
mandatory for all audits:

The  Audit  Planning  is  the  preliminary  assessment  on  the  specific  requirements  of  the  audit
engagement

The  Audit  Planning  is  issued  by  the  assigned  (principal)  auditor  (eventually  in  cooperation
with the members of the audit team). It includes i.e. a general assessment of the Audit Risk,
the potential impact of the audit, the Audit Plan and the Audit Program foreseen, the resources
needed a declaration as to ethical considerations, and a summary of the audit's objective and
scope.

The  Audit  Planning  also  includes  a  summary  of  the  mission  plan.  The  specifications  of  the
mission plan and its formal approval are defined by the relevant Mission Order (MIPS). This
should be forwarded to the administrative support function of the External Audit Service. The
plan should include all relevant information for the encoding of the mission into the relevant
IT systems and the issuing of the formal mission order.

For the Audit Planning the following mandatory document has to be used:

o  <Audit Planning Memorandum>

4.2.2  Other procedures and documents in the planning phase

Further to the Audit Planning Memorandum the following procedures and documents should
be followed.

15

4.2.2.1 Audit Reference Number

With the (positive) Audit Decision or internal selection a future Audit Engagement receives a
unique Audit Reference Number which will be used for all documentation related to the Audit
Engagement.  This  number  follows  internal  needs  and  should  be  provided  to  the  Auditor  by
the Management of the External Audit Service or delegated person (based on the information
by the Administrative Support Function of the respective External Audit Service).

4.2.2.2 Relevant Information for the planning of the Audit Engagement
4.2.2.2.1  General Information Requirements

The audit planning (and eventually the Audit Decision) usually  requires the parties involved
to  give  an  assessment/  estimation  based  on  the  information  about  the  individual  audit
engagement. It can be assumed that the more information is obtained the better the accuracy
of  the  planning  will  be.  However,  for  reasons  of  effectiveness  and  efficiency  the  detailed
collection and assessment of information is subject to the preparation and examination phase.

For  the  planning  stage  it  is  therefore  recommended  to  focus  on  such  information  which  is
essential and required for the planning. This usually includes the following:

  General information on the project(s) to be audited (grant agreement, amounts, …);
  General information on the organisation to be audited (legal form, contact details, …);
  Information  on  eventual  previous  audits  on  the  organisation  to  be  audited  by  the
(External) Audit Services of the EC.

4.2.2.2.2  Audit Input File

An Audit File is required to be created for every audit assignment. This file consists of copies
of  documents  held  by  the  operational  service  for  each  of  the  projects  to  be  reviewed  within
the scope of the audit assignment.

While  some  of  the  documents  could  be  compiled  by  the  External  Audit  Service  with  the
assistance of the administrative support function of the External  Audit  Service  centrally, for
other  documentation  the  auditor  is  advised  to  directly  approach  the  operational  service
concerned. The detailed procedures for obtaining information may differ for individual audit
engagements.

The  nature  of  the  Audit  Assignment  determines  who  should  request  the  compilation  of  the
Audit Input File by the operational services. For internal selections a centralised request may
be chosen whereas for Audits on Requests a decentralised request by the assigned auditor may
be  considered.  For  each  case,  the  assigned  (principal)  auditor  needs  to  assess  what
information  and  documentation  has  already  been  requested  centrally  and  which  (additional)
information/  documentation  (s)he  needs  or  wants  to  obtain  directly  from  the  operational
services.

16

The audit input file related to the projects shall include hardcopies or electronic copies. The
following  checklist(s)  is  suggested  for  use  (to  be  customised  for  individual  service  and
individual audit):

  <  Audit  Input  File  -  List  of  possible  information  and  documentation  to  be
requested from the operational services under FP7 >

If no specific checklist for the audit engagement exists, the auditor is recommended to obtain
a  detailed  understanding  of  the  grant  agreement  management  by  the  DG/agency  and
determine  the  relevant  documentation  available.  This  may  be  facilitated  by  a  direct  contact
(meeting) with the operational service involved. (See also section 5.2.2.6)

4.2.2.2.3  Information on previous audits

If an audit has previously been performed on the beneficiary, useful information for the audit
work may be found in the audit documentation.

Following  an  internal  selection  or  a  (positive)  Audit  Decision  the  Management  of  the
External Audit Service or delegated person should request the respective information from the
administrative  support  function  of  the  External  Audit  Service  and  forward  this  information
with the Audit Assignment. However, the assigned (principle) auditor also has to check that
respective  information  (or  indication  that  no  prior  audit  has  been  noted)  has  been  provided
and needs to obtain the specific information on the audits carried out previously as considered
relevant (Audit Report, DASS, access to Working Papers).

Further guidance on relevant information to be obtained is to be found under section 5.2.2.2

4.2.2.3 Informal contact with the beneficiary (timing of the field work)

The  auditor  may  consider  to  informally  agreeing  with  the  audited  organisation  on  the
arrangements of the audit prior to the sending of the 'Letter of announcement'.

In  the  Grant  Agreement  Preparation  Forms  or  in  similar  forms  for  other  framework
programmes, it is stated who is responsible for preparing the Financial Statements (Form C).
Normally this is the person to contact to set up a tentative appointment.

The contact with the beneficiary may be made by phone or email. The Auditor may agree on a
preliminary date and location for the initial meeting and the audit on site. Further (s)he should
inform the beneficiary about the scope and the necessary preparation and make clear that the
presence of the project manager and of the financial officer who is familiar with the financial
management of the EU project(s), is desirable during the audit.

Where  such  informal  telephone/  email  arrangements  have  been  undertaken  they  shall  be
confirmed  by  the  letter  of  announcement,  after  the  formal  approval  for  the  audit  has  been
received.

17

link to page 27 4.2.2.4 General Audit Risk Assessment

Audit risk is defined as the risk that the auditor gives an inappropriate audit opinion when the
financial statements are materially misstated.4

Audit risk is a function of the risk of a material misstatement and the risk that the auditor will
not  detect  such  misstatement  ("detection  risk").  The  risk  of  material  misstatement  has  two
components: inherent risk and control risk. Inherent risk is the susceptibility of an assertion to
a material misstatement assuming there were no internal controls. Control risk is the risk that
a material misstatement will not be prevented, detected and corrected on a timely basis by the
entity's internal control.

Within the framework of audits performed by the External Audit Service, the auditor will be
requested  to  estimate  the  inherent  risk  and  the  control  risk.  The  assessment  of  risks  is
expressed in terms of low, medium or high. Medium risk represents the normal situation.

The detailed Audit Risk Assessment has to be performed during the audit examination phase
and is therefore also foreseen in the (Standard) Audit Program. For the planning phase 'only' a
general  assessment based on the information  available at  that stage needs to  be given in  the
Audit Planning Memorandum.

Unless  other  information  is  obtainable  in  the  planning  phase  (this  includes  e.g.  situations
where the auditor already possesses information on the audited organisation from prior audits
or by third parties (e.g. audit requests)) the audit risk should be classified 'Medium'.

For more information and explanation on the Audit Risk Assessment see section 5.2.4.

4.2.2.5 Audit Plan and Audit Program

The Audit Plan is the formulation of the general strategy for the audit, which sets the direction
for the audit, describes the expected scope and conduct of the audit and provides guidance for
the development of the Audit Program.

An Audit Program is a set of instructions to the audit team that sets out the audit procedures
the  auditors  intend  to  adopt  and  may  include  references  to  other  matters  such  as  the  audit
objectives, timing, sample size and basis for selection of each audited area. It also serves as a
mean to control and record the proper execution of the work.

It  is  important  to  know  how  the  Audit  Plan  is  translated  in  detail  in  the  form  of  the  Audit
Program. The Audit Program is the result of the planned Audit Plan (see below). Indeed, the
outcome  of  the  preliminary  analysis  of  the  Audit  Engagement,  i.e.  indications  of  where  the
auditing  resources  should  be  concentrated,  is  to  be  reflected  in  the  further  audit  process.
Moreover, during the course of the audit process, the Audit Plan may again be the subject of
modification.  After  the  Audit  Preparation  phase,  the  preliminary  Audit  Plan  should  be
reconsidered  and  possibly  modified.  During  the  substantive  tests,  the  auditor  may  find
evidence that differs significantly from that on which the Audit Plan was originally based. In
such a case, the planned procedures foreseen in the Audit Program may again be altered.


4 IFAC International Standards on Auditing and Related Services no. 6

18

link to page 29 The  preliminary  Audit  Plan  includes  a  brief  description  of  the  field  work  (mission)  i.e.  the
timing/ resources, the site and the agenda for the audit field work. Information on this part of
the Audit Plan is part of the Audit Planning Memorandum.

The  Audit  Program  is  designed  to  assist  the  auditor(s)  in  the  implementation  of  the  audit
examination  procedures  and  can  also  be  used  for  the  documentation  of  the  audit.  It  outlines
the specific audit procedures to be carried out for an audit in accordance with the respective
requirements  of  the  assignment  (i.e.  the  scope).  The  program  includes  the  audit  approach
(implicitly),  the  audit  risk  assessment  and  the  testing  procedures  during  the  examination
(usually in form of checklists).

Within  the  Planning  phase  (in  the  Audit  Planning  Memorandum)  the  auditor  has  to  give  an
indication  on  the  planned  Audit  Program  to  be  executed.  Where  standard  audit  program
exists,  the  assigned  (principal)  auditor  is  recommended  to  follow  this  standard  program.
Where  no  standard  audit  program  is  provided,  the  assigned  (principal)  auditor  has  to
formulate a customised preliminary audit program for the audit assignment as an annex to the
Audit Planning Memorandum.

For more information and explanation on the Audit Program see section 5.2.5

4.2.2.6 Potential Impact of the Audit

With  the  Audit  Assignment  the  Management  of  the  External  Audit  Service  (or  delegated
person)  should  already  try  to  assess  the  impact  of  the  results  of  an  audit by  anticipating  the
population  of  a  potential  extrapolation  of  the  audit  results.  The  information  on  the  potential
impact supports assessments and decisions on the Audit Risk Assessment, the resources to be
allocated and the Audit Plan.

The Management of the External Audit Service or a delegated person should therefore obtain
and  provide  a  list  of  all  research-grant  agreements  under  the  same  regulatory  research
framework with the organisation to be audited. A respective list can (also) be requested from
the administrative support function of the External Audit Service.

4.2.2.7 Ethical considerations

The assigned (principal) auditor and the members of the audit team must formally declare for
their  assignment  the  respect  with  the  following  ethical  considerations  to  avoid  conflict  of
interests.

  <Document Ethical Considerations>

The declaration is to be given in part B of the Audit Planning Memorandum.

Further reference to ethical considerations for all EC personnel is to be found under:

http://myintracomm.ec.europa.eu/hr_admin/en/ethics

19

4.2.2.8 Letter of Announcement

The audit and the arrangements of the audit are to be formally communicated and confirmed
(announced) to the beneficiary in writing.

A  draft  of  the  letter  is  to  be  attached  to  the  Audit  Planning  Memorandum  by  the  assigned
(principal) auditor. After the Approval of the Audit Plan, the draft letter is transferred into a
final  letter  by  the  back-office  and  the  administrative  support  of  the  External  Audit  Service
(provision of a (final) Audit Reference Number, registration and formal aspects) to be signed
by the Head of the external Audit Service and sent to the beneficiary by email and registered
post.

A standard letter ("Letter of Announcement") can be obtained from:

  <Letter of Announcement>

In  the  standard  template,  references  are  made  to  articles  in  the  underlying  grant  agreement.
The  assigned  (principal)  auditor  needs  to  ensure  that  the  relevant  articles  are  mentioned
depending on under which (Framework) Program the grant agreement is signed.

Annex to the Letter of Announcement:

The auditor is suggested to annex to the letter a specification of documentation that should be
made  available  prior  to  and  during  the  audit.  This  annex  shall  ensure  that  the  relevant
information and documentation is provided timely and in an appropriate form.

When used, the list/ annex should be customised according to the specific requirements of the
audit engagement. A comprehensive list of possible information and documentation required
– both, prior and during the audit field work – is provided below:
    <List  of  possible  information  and  documentation  to  be  requested  from  the
beneficiary>

20

4.3  Summary: Mandatory procedures and documents

The use of the following procedures and related documents are mandatory for the planning
phase:

Mandatory Procedure/
Related Document (link)
Action

Audit Planning
<Audit Planning Memorandum>
Memorandum

Letter of Announcement
<Letter of Announcement>

Ethical Considerations
<Document Ethical Considerations>
(declaration) for the
statement included in the
Audit Planning
Memorandum)

4.4  Summary: Further guidance on procedures and documents

The following documents and guidance on suggested procedures are available:

Suggested Procedure/
Related Document (link)
Guidance

Audit Input File
<  Audit  Input  File  -  List  of  possible  information  and
documentation  to  be  requested  from  the  operational  services
under FP7 >

Annex to Letter of
<List  of  possible  information  and  documentation  to  be
Announcement
requested from the beneficiary>
(to be customised)

21

5  Process Phase 2: Audit Examination
5.1  Overview of the examination phase

The Audit Examination Phase includes three sub-phases:

  The Audit Preparation Phase:

In  the  Audit  Preparation  Phase  the  auditor  collects  and  assesses  detailed  information  on
the  organisation  and  projects  to  be  audited,  amends  the  Audit  Program  and  performs
analytical audit procedures to prepare the substantive testing.

  The Audit Testing Phase:

In  the  testing  phase  the  auditor  usually  verifies  the  information  received  and  collects
further  audit  evidence  by  performing  substantive  testing  on  the  site  of  the  audited
organisation.

  The Audit Conclusion Phase:

In  the  Audit  Conclusion  Phase  the  auditor  analyses  the  audit  evidence  and  draws
conclusions to determine the audit results to be reported

Typically,  preparation  can  already  be  performed  prior  to  the  audit  field  work,  whereas  the
testing and the conclusion phase will be respectively on site and/ or after the audit field work.

However,  this  distinction  between  actions  prior  to  the  field  work  and  on  site  shall  only  be
taken as indicative. Depending on the respective needs and planning of the engagement (e.g.
availability  of  information,  timing  and  resources,  …),  the  preparation  can  partially  be
performed on the site of the audited organisation and certain procedures related to the testing
phase  may  be  performed  after  the  audit  field  work  based  on  audit  evidence  collected  or
additional information received at the end or even after the audit field work.

Due  to  the  interference  of  the  phases,  the  following  section  does  not  strictly  differentiate
between  the  3  Phases  mentioned  above.  Moreover,  it  follows  a  division  between  the  usual
functional steps of the audit process during the examination:

  The information collection (prior to the testing phase)
  The analysis of the information collected
  The Assessment of the Audit Risk
  The Amendment of the Audit Program and Audit Work Plan
  The Audit Testing following the Audit Program (collection and analysis of Audit
Evidence)

The flowing figure summarises the Audit Examination Phase:

22

Audit Planning
Collection of Information

Audit Preparation
Audit Risk Assessment
(Detailed) Audit Work Program
Collection of Audit Evidence
Audit Testing
according to audit program
(on site)
Examination of the Accounting
System and Supporting Documents
Evaluation of Evidence &
Audit Conclusions
Information collected
Extrapolation Assessment
Audit Reporting

Figure AUDIT EXAMINATION PHASE

5.2  The procedural steps during the Examination Phase
5.2.1  Audit preparation

The  objective  of  the  audit  preparation  is  to  identify  and  assess  the  risks  of  material
misstatement,  whether  due  to  fraud  or  error,  within  the  financial  statement,  through
understanding  the  entity  and  its  environment,  including  the  entities  internal  control,  thereby
providing a basis for designing and implementing responses to the assessed risks of  material
misstatement.

The  auditor’s  responsibility  to  identify  the  risks  of  material  misstatements  in  the  financial
statements  is  governed  by  the  International  Standard  on  Auditing  (“ISA”)  315  “Identifying
and  assessing  the  risks  of  material  misstatement  through  understanding  the  entity  and  its
environment”.

The  auditor’s  responsibility  is  today  even  expanded  in  consideration  of  the  recent
development of ISA 240 dealing with the auditor’s responsibility relating to fraud in an audit
of financial statements.

23

5.2.2  Information to be collected prior to the audit fieldwork

In  order  to  identify  and  assess  the  risks  of  material  misstatement,  whether  due  to  fraud  or
error, within the financial statement, the auditor shall collect and analyse information prior to
the audit fieldwork.

The information to be collected and analysed is detailed here after.
5.2.2.1 Audit Input File

The  Audit  Input  File  consists  of  copies  of  documentation  related  to  the  projects  included  in
the audit scope.

This  documentation  shall  be  requested  by  the  External  Audit  Service  to  the  operational
services during the planning phase and include the following:
-  Signed grant agreement including amendment(s);
-  Annexes  to  the  grant  agreement  and  in  particular  the  Description  of  Work/Technical
Annex and the General Conditions;
-  Grant Agreement Preparation Forms;
-  Periodic Management Reports;
-  Periodic Review Reports;
-  Financial Statements;
-  Certificates on financial statements;
-  Certificates of methodology (CoM, CoMAv)
-  Conclusions  of  the  acceptance/disallowance  by  the  Operational  Services  of  the  costs
claimed so far by the audited beneficiary;
-  Report from the co-ordinator on the distribution of EC financial contribution.
-  In particular, specific attention should be dedicated to the Description of Work/Technical
Annex  which  usually  includes  a  presentation  of  the  beneficiary,  its  role  in  the  indirect
research  action  as  well  as  its  key  staff  deployed  on  the  implementation  of  the  indirect
research action.

This  list  is  only  indicative  and  may  be  completed  by  any  information  that  the  operational
services consider as valuable for the performance of the audit.

External Audit Services shall set up a checklist in order to agree upfront with the operational
services of the de minimum level of information to be supplied to the external audit service.

<Audit Input File checklist>
5.2.2.2 Previous Audits

If an audit has previously been carried at the Beneficiary, the auditor shall collect the related
Audit  Report  in  order  to  go  through  the  audit  conclusions  and  identify  any  associated  risks.
Where appropriate, additional audit documentation shall be consulted.

General information on previous audits (including the reports) should already be obtained and
considered in the planning stage.

Where  the  previous  audit(s)  identified  systematic  financial  errors  and/or  presented
recommendations to the systems improvement, the auditor must follow up these issues in the

24

course  of  the  normal  work  under  the  current  audit.  The  result  of  this  follow  up  shall  be
described in the audit report.

5.2.2.3 List of projects with the audited organisation

The auditor shall obtain, eventually with the help of the Back office of the external audit unit,
the list of all grant agreements in which the beneficiary has participated within the Research
DG/agency carrying out the audit and if possible with other (Research) DG's.

This will give an indication of
-  the dependence of the audited beneficiary on EC funding;
-  the presumed competence of the beneficiary in consideration of its (active) involvement in
research;
-  the level of operational capacity requested in order to properly participate to the  projects
included in the list.

5.2.2.4 Open source information related to the audited organisation

The auditor shall obtain information regarding the audited beneficiary in order to understand
the organization and its role in the audited indirect research action.

The main objectives are to
-  corroborate its financial viability;
-  identify any risk of dependency on EC funding;
-  understand the area of activity of the beneficiary and corroborate its compatibility with EC
research;
-  corroborate  the  description  of  the  beneficiary  as  disclosed  in  the  project  related
documentation (mainly the Description of Work/Technical Annex) in order to detect any
misrepresentation;
-  assess the operational capacity of the beneficiary and confirm that the beneficiary disposes
a priori of the required competences and resources to participate to EC research.

Information  may  be  gathered  from  the  Legal  Entities  File,  the  Legal  Financial  Viability
Checks  or  open  sources  such  as  the  organization’s  website,  company  registries,  Google,
company databases…

The following Guidance Note may be used in order to gather information from open-sources.

<Guidance Note on data gathering>

5.2.2.5 Open-source information related to the key staff

The  auditor  shall  obtain  information  regarding  the  key  staff  brought  forward  in  the  project
related  documentation  in  order  to  understand  their  competences  and  links  with  the  audited
beneficiary.

The main objectives are to:
-  confirm the existence of the key staff;
-  corroborate the direct link between the audited beneficiary and its presumed key staff;

25

-  identify  any  excessive  use  of  external  consultants  which  could  put  into  question  the
operational capacity of the audited beneficiary;
-  corroborate  the  expertise  of  the  key  staff  which  justifies  the  participation  of  the  audited
beneficiary in EC research;
-  detect any misrepresentation.

Information  may  be  gathered  from  open  sources  such  as  the  Linkedin,  PIPL,  123people,
Yasni  infobel,  ixquick,  wink,  xing,  facebook,  …  The  Guidance  Note  on  data  gathering
mentioned above may be used in order to gather information from open-sources.

5.2.2.6 Internal Contacts with the operational services

A  discussion  with  the  operational  services  may  be  recommended  in  consideration  of  the
information  collected  so  far.  Operation  services  can  provide  the  most  recent  information  as
well  as  informal  information  concerning  the  overall  impression  about  the  project,  the
participants,  the  scientific  result,  risk  factors  and  potential  problem  areas.  They  can  also
present copies of correspondence with the Beneficiary concerning for example amendments to
the costs claimed, etc.

At  this  stage  of  the  audit  process,  it  may  also  be  appropriate  to  discuss  the  need  for  the
presence of the Scientific Project Officer during the audit fieldwork.

5.2.2.7 Information  obtained  from  the  audited  organisation  prior  to  the
audit fieldwork

A list of information requested from the audited beneficiary is usually attached to the Letter of
Announcement.  This  list  may  include  documents  that  need  to  be  sent  to  the  external  audit
service in priority before the audit fieldwork takes place.

These  documents  may  contain  valuable  information  regarding  the  identification  of  risks  of
material misstatement prior to the audit fieldwork.

For  purposes  of  information  collection,  the  auditor  can  use  the  following  checklist  as  a
guidance to support the collection of needed information. However, this list is only indicative
and does not guarantee the exhaustiveness of the information necessary to complete the audit:

   <List  of  possible  information  and  documentation  to  be  requested  from  the
beneficiary>

In addition the following document may be very useful: Audit Manual FP7

5.2.3  Analysis of the information collected prior to the audit fieldwork

The  auditor  shall  carefully  analyse  the  information  collected  prior  to  the  audit  fieldwork  in
order to identify and assess the risks of material misstatement, whether due to fraud or error,
within the financial statement

Such analysis will include:
-  the identification of risk indicators arisen from internal information such as

26

link to page 17 link to page 18 o  significant disallowance of costs by operational services,
o  poor technical reviews,
o  unexplained changes in project consortium;
o  severe conclusions in previous audits …
-  the  overall  assessment  of  the  beneficiary’s  competence  and  resources  justifying  its
participation in the indirect research actions;
-  the identification of risk indicators arisen from external information such as
o  misrepresentation in the way the beneficiary presents itself,
o  high dependency on EC funding,
o  weak financial situation,
o  heavy reliance on subcontracts/external human resources…

In order to structure the analysis of the information gathered prior to the audit fieldwork, the
use of the following document is recommended.

<Data gathering>

The  identification  of  risks  of  material  misstatement  will  impact  the  audit  risk  assessment
covered in the next section of the APH, and in particular the inherent risk.

Appropriate responses should be designed and implemented by tailoring the audit program to
the specific risks identified.

5.2.4  Audit Risk Assessment

Audit risk is defined as the risk that the auditor gives an inappropriate audit opinion when the
financial statement is materially misstated.5 The Audit Risk needs to be considered when (re-
)designing the Audit Plan and the Audit Program (see also sections 4.2.2.4 and 4.2.2.5).

Audit Risk is made up of three components;

1.
INHERENT  RISK  -  the  risk  that  a  material  misstatement  occurs.  A  highly  complex
accounting system increases the inherent risk. The estimation of the level of the inherent risk
implies  that  the  auditor  should  attempt  to  predict  where  misstatements  are  most  and  least
likely in the financial records.

Factors that will affect the inherent risk are for example:

  The type of beneficiary
  The beneficiary’s type of activity
  The beneficiary’s financial situation
  Result of previous audits
  Non-routine transactions
  Related parties; transactions between grant agreement participants
  The beneficiary’s awareness of the risk
  The beneficiary’s motivation to minimise the risk


5 IFAC International Standards on Auditing and Related Services no. 6

27

2.
CONTROL  RISK  -  the  risk  that  a  misstatement  will  not  be  prevented  or  detected  and
corrected  by  the  internal  control  system.  To  be  able  to  estimate  the  control  risk,  the  auditor
must  obtain  an  understanding  of  the  internal  control  system  and  preferably  also  test  it,  to
prove its effectiveness.

3.
DETECTION RISK - the risk that the auditor will not detect a material misstatement. The
level of the detection risk depends on the amount of substantive testing the auditor carries out.

Within the framework of audits performed by the External Audit Service, the auditor will be
requested  to  estimate  the  inherent  risk  and  the  control  risk.  The  assessment  of  risks  is
expressed in terms of low, medium or high. Medium risk represents the normal situation.

Concerning  the  control  risk,  the  following  is  a  list  of  controls  that  the  auditor  will  find  in
many  organisations,  private  as  well  as  governmental.  Based  on  a  combination  of  these,  the
auditor may assess the degree of reliance of the internal control system.

Organisation

The  beneficiary  should  have  a  plan  of  its  organisation  that  shows  how  responsibilities  are
defined and allocated. Reporting procedures and delegation of authority should be specified.

Segregation of Duties

Duties, which may enable one person to record and process a complete transaction, should be
separated. Due to the risk of employee fraud, duties concerning the custody of assets should
be separated from the accounting of these assets. The separation of duties will reduce the risk
of intentional manipulation.

Authorisation of Transactions

Every  transaction  should  be  properly  authorised.  Authorisation  can  be  general  or  specific.
General authorisation is established by the management, and can cover a class of transactions,
or specific transactions.

Adequate Documents and Records

These  include  items  such  as  system  manuals,  chart  of  accounts,  subsidiary  ledgers,  project
accounts, invoices, employee time records, purchase orders, and payment orders.

System  Manuals  (also  called  Accounting  System  Handbooks)  describe  the  record  keeping
procedures  and  facilitate  consistent  application.  Universities  and  larger  companies,  with
computerised accounting systems, will normally have appropriate instruction manuals.

The chart of accounts classifies accounts into individual balance sheet and income statement
account,  whilst  the  detailed  ledger  exhibits  the  posting  of  the  transaction  in  the  accounting
records of the beneficiary.  From the Audit Service point of view, the chart of accounts and its
detailed ledger can provide useful information about how e.g. a purchase has been recognised
(equipment /consumables) and subsequently measured in the general ledger.

Records  and  supporting  documents  perform  the  function  of  transmitting  information.  They
must  therefore  be  adequate  to  provide  reasonable  assurance  that  all  assets  are  properly
controlled and all transactions are properly recorded.

28

link to page 17 link to page 29 link to page 18 Records and supporting documents should be:

  Pre-numbered sequentially to facilitate control over missing documents
  Prepared at the time a transaction takes place, or as soon as possible thereafter. The
longer the interval, the less credible is the record.
  Constructed in a manner that encourages correct preparation (e.g. time-records).
  Properly managed. From the Audit Service point of view, time records should be kept
and verified in accordance with the contractual obligations.

The  Control  risk  is  considered  low  when  the  beneficiary  is  using  control  functions  that  go
beyond the normal. The auditor should give a general description of the control functions used
and justify  his/ her assessment  of the control  risk. Factors that  will increase the  control risk
are for example:

  Inadequate separation of duties;
  Insufficient authorisation procedures;
  Management override of controls;
  Use of internal documents as verifications;
  Incomplete evidence, e.g. lack of time records

Besides the preliminary  Audit  Risk Assessment  in the planning phases  (see section  4.2.2.4),
an Audit Risk Assessment should be performed during the audit preparation phase and shall
be  finalised  by  the  end  of  the  examination  phase.  A  recommended  assessment  form  is
therefore also foreseen in the Standard Audit Program(s) (see section 5.2.5).

5.2.5  Audit Program
5.2.5.1 Definition and Characteristics

The  Audit  Program  is  designed  to  assist  the  auditor(s)  in  the  preparation  and  in  the
implementation  of  the  audit  examination  procedures  and  can  also  be  used  for  the
documentation of the audit. It outlines the specific audit procedures to be carried out during
an  audit  in  accordance  with  the  respective  requirements  of  the  assignment  (i.e.  the  scope,
objectives and audit plan). The program i.e. includes the audit approach (implicitly), the audit
risk  assessment  and  the  testing  procedures  during  the  examination.  The  audit  program  is
usually designed in form of checklists. (For further definition see also section 4.2.2.5)

The  use  and  design  of  an  Audit  Program  constitutes  an  essential  and  mandatory  part  of  the
audit  process  to  be  performed.  For  certain  audit  engagements,  standard  audit  programs  are
pre-designed and are recommended for use.  However, it remains  in  the responsibility of the
individual  assigned  (principal)  auditor  to  customise  and  design  the  most  appropriate  audit
program  in  accordance  with  the  requirements  of  the  assignments  and  the  policies  of  the
External Audit Service.

The following Standard Audit Program(s) are recommended and available for use:

  <Standard Audit Program for FP7>

29

For  such  audit  engagements  where  no  standard  programs  exist,  the  forms  and  procedures
obtainable  for  'standard'  audit  engagements  might  be  taken  as  a  reference  for  customised
program.

5.2.5.2 Relevance and use of an Audit Program

The use of the Standard Audit Program may facilitate the audit in several ways:

- From the preparation point of view, it will facilitate the preparation for the meeting with
the beneficiary and the execution of the audit, as the main part of the questions is applicable
to each audit.

- From a completeness point of view, the method ensures that no important questions or audit
areas are overlooked.

-  From  a  standardisation  point  of  view,  the  method  gives  a  possibility  to  consider  certain
questions as  standard  and therefore, to  some extent, to  streamline the information  collecting
procedure and the auditing methodology.

-  From  a  documentation  point  of  view,  the  audit  documentation  will  be  systematically
organised,  uniform  and  sufficiently  detailed  to  provide  evidence  to  support  the  audit
conclusion.

-  From  an  evaluation  point  of  view,  systematic  documentation  is  a  pre-condition  for
evaluation.  An  independent  evaluation  of  the  audit  result,  to  conclude  whether  the  audit
resulted in the correct and relevant conclusions, can be done either by redoing the audit, or by
evaluating if sufficient corroborating evidence was accumulated to justify the conclusions.

- From a quality assurance point of view, it is possible to vary these questions and influence
the  depth  of  the  investigation,  to  ensure  that  a  pre-decided  minimum  level  of  quality
concerning the information collecting procedure is achieved, independent of the experience of
the auditor. However, the quality of the evaluation of the information collected, and hence the
audit  as  a  whole,  is  still  very  much  dependent  on  the  individual  auditor's  knowledge,
experience and good judgement.

An  Audit  Program  properly  designed  and  customised  to  a  particular  audit  and  objective,
focuses  the  auditor  throughout  the  audit  process.  It  provides  a  logical  and  documented
progression through the phases of the audit. It is furthermore an instrument to harmonise the
individual  auditors’  auditing  methodology,  and  hence  the  overall  quality  of  the  audits
performed by the External Audit Service.

5.2.6  Planning materiality

When  making  an  audit  risk  analysis  and  performing  audit  sampling  procedures,  one  factor
that has to be considered is materiality. IFAC defines materiality as follows:

"Information is material if its omission or misstatement could influence the economic decisions of
users taken on the basis of the financial statement. Materiality depends on the size of the item or
error  judged  in  the  particular  circumstances  of  its  omission  or  misstatement.  Thus,  materiality

30

provides a threshold or cut-off point rather than being a primary qualitative characteristic which
information must have if it is to be useful".6

Transferred  to  the  operational  environment  of  the  External  Audit  Service,  the  auditor’s
responsibility is to determine whether the cost claims (the Financial Statements submitted to
the  European  Commission)  are  materially  misstated.  Considering  the  analysis  result,  the
auditor  may  identify  –  during  the  audit  preparation  –  the  areas  of  potential  audit  risk.  The
auditor  should  target  his  resources  in  areas  with  the  most  risk.  With  this  understanding  the
auditor can identify the controls that are relevant, in relation to the objectives of the audit.

In principle the setting of the planning materiality threshold is within the responsibility of the
auditor. However, unless otherwise defined and confirmed by the Audit Approval, the auditor
is recommended to use a planning materiality threshold of 5% of the total net costs claimed.
Any  deviations  from  this  figure  should  be  consulted  with  the  Management  of  the  External
Audit Service.

The  above  explanation  relates  to  the  role  of  materiality  in  the  planning  only.  However,  the
materiality threshold is not applicable for reporting purposes. The auditor shall include in the
audit report all financial errors, regardless their value.

5.2.7  Audit Testing on site

5.2.7.1 Initial Meeting with the beneficiary on site

The  initial  meeting  with  the  beneficiary  at  the  beginning  of  the  audit  field  work  is  an
important  opportunity  to  compile  information  and  audit  evidence  concerning  all  relevant
aspects of the beneficiary’s relation with the Commission, that is, information concerning the
accounting system, internal control, project financial management, different categories of cost
etc.

The presence of staff, such as  the scientific project  manager, financial  manager  and internal
auditor of the beneficiary, who can be expected to possess valuable information, is therefore
essential.

It is necessary that the auditor prepares the meeting and, based on previous analyses, tries to
foresee possible problems.

5.2.7.2 Collection of Audit Evidence
5.2.7.2.1  Types of Audit Evidence

Audit evidence is the information obtained by the auditor based on which (s)he will be able to
draw  his/her  conclusions.  Audit  evidence  will  comprise  source  documents  and  accounting
records  underlying  the  financial  statement  (cost  claims,  in  audits  performed  by  the  External
Audit Service) and corroborating information from other sources.7

6 International Federation of Accountants (IFAC), Glossary of Terms, June 1994
7  IFAC, International Standards on Auditing and Related Services no. 8

31

Auditors obtain evidence by one or more of the following procedures:

INQUIRIES  -  Seeking  information  from  client  staff  or  external  sources.  These  can  be  in
writing or oral and may involve the beneficiary’s personnel as well as external sources such as
officers within the Commission. The reliability of evidence from inquiries depends on,  inter
alia, the informant’s competence, experience, independence and integrity.

INSPECTION OF DOCUMENTATION – Confirmation to documentation of items recorded
in accounting records confirms that an asset exists or a transaction occurred. Inspection also
provides  evidence  of  valuation/measurement,  rights  and  obligations  and  the  nature  of  the
items (presentation). It can also be used to confirm authorisation. In this sense, documentation
means the auditor’s examination of the Beneficiary’s documents and records. Each transaction
in the accounts should be supported by at least one document.

PHYSICAL EXAMINATION - is an inspection or count of a tangible asset that is recorded in
the accounting records. This type of evidence can be used to verify the existence of equipment
charged to the project.

OBSERVATIONS – Involves watching a procedure being performed. Compared to physical
examination, an observation test does not require detailed physical inspection or examination
of documentation, and hence a person other than the auditor may perform the observation test.
However,  this  doesn’t  mean  that  the  auditor  should  not  make  observations.  Au  contraire,
observations are a natural element in any audit.

INSPECTION  -  is  a  review,  without  or  with  a  very  brief  analysis.  E.g.  an  inspection  of  the
internal  control  system  would  result  in  a  description,  but  without  an  analysis  of  its  proper
operation or effectiveness. An inspection of a supporting document would be a control of its
existence, but without an analysis of its reliability in terms of the existence of the underlying
action, completeness, occurrence etc.

CONFIRMATION  –  Seeking  information  from  another  source  of  details  in  Beneficiary's
accounting records for example, confirmation from bank of bank balances.

COMPUTATIONS  –  Checking  arithmetic  of  beneficiary's  records  for  example  adding  up
detailed ledger accounts and confirming them with the general ledger.

ANALYTICAL PROCEDURES - are evaluations of the relationship (ratio) between financial
data,  or  financial  versus  non-financial  data,  to  identify  areas  requiring  additional  audit
attention.  The  reasons  for  using  analytical  procedures  are  generally  to  understand  the
Beneficiary’s  business,  his  ability  to  finance  his  part  of  the  project,  and  to  identify  possible
misstatements in the financial data.

Apart  from  the  sources  described  above,  there  are  others,  such  as  re-performance.  As  these
sources are considered less relevant in relation to the External Audit Service audits, they are
not dealt with here.

A Field Audit by the External Audit Service should preferably use all of

the sources described above.

32

5.2.7.2.2  Reliability of Audit Evidence

The  reliability  of  the  audit  evidence  is  influenced  by  its  source.  Physical  examination  is
generally regarded as the most reliable way of compiling audit evidence. However, in the case
of  the  External  Audit  Service  audits,  where  for  example  the  equipment  often  is  technically
complex,  the  auditor  may  not  have  the  competence  to  judge  whether  the  examined  asset  is
actually  the  same  as  the  one  charged.  (If  physical  examination  is  planned  to  be  used  as  a
source of evidence, the presence of the EC Scientific Officer should have be considered in the
planning stage already).

Documents can be classified as internal and external, whereby the Beneficiary creates internal
documents. An example of internal documentation is time records. As internal documents are
considered  less  reliable  than  external  and  therefore  never  enough,  the  auditor  needs  to
question whether the documentation was produced with sufficient internal controls in place.

The  reliability  of  the  evidence  depends  on  the  specific  circumstances  of  each  case,  but  the
following generalisations can be of assistance:8

  Audit evidence from external sources is more reliable than that generated internally.
  Audit evidence generated internally is more reliable when the related accounting and
internal control system are effective.
  Audit  evidence  obtained  directly  by  the  auditor  at  the  spot,  is  more  reliable  than
evidence provided by the Beneficiary.
  Audit evidence in the form of documents and written representations is more reliable
than oral representations.
  Audit evidence based on the auditor’s observations is ordinarily considered as more
reliable  than  written  internal  information  and  auditee's  representation.  Hence,  the
auditor  should  try  to  verify,  e.g.  received  written  information  about  internal  control
procedures,  by  making  inquiries  of  appropriate  personnel  and  making  substantive
tests.
  Original documents are stronger evidence than photocopies, or facsimiles

5.2.7.3 Examination of the Accounting System and Supporting Documents

This  part  of  the  audit  procedure  consists  of  the  execution  of  the  Audit  Plan  and  the  Audit
Program. However, it is important to stress that the Audit Plan and the Audit Program are not
a once and for all fixed strategy. The auditor must always be flexible and ready to modify the
plan in accordance with new circumstances.

This  is  the  stage  in  which  the  main  part  of  the  audit  evidence  is  normally  collected  and
analysed. The focus is on the quality of the evidence, to determine the cause and quantify the
effect  of  the  conditions  identified.  The  audit  work  should  be  focused  on  collecting  and
analysing data needed to support the findings, conclusions and recommendations.

5.2.7.4 The Control of the Accounting System

The  objective  of  the  control  of  the  Accounting  System  is  to  verify  the  formal  status  of  the
accounting  system,  including  the  existence  and  effectiveness  of  an  internal  control  system.

8 IFAC, International Standards on Auditing and Related Services no. 8

33

The  control  is  limited  to  an  extent,  which  is  relevant  in  view  of  an  External  Audit  Service
audit.

The  internal  control  system  is  defined  as  all  the  policies  and  procedures  adopted  by  the
management,  to  assist  in  achieving  management’s  objectives  of  ensuring  the  orderly  and
efficient  conduct  of  its  business,  including  adherence  to  management  policies,  the
safeguarding  of  assets,  the  prevention  and  detection  of  fraud  and  error,  the  accuracy  and
completeness  of  the  accounting  records,  and  the  timely  preparation  of  reliable  financial
information.9

This definition given to the Internal Control System includes not only those matters which are
directly  related  to  the  accounting  system,  but  also  the  control  environment,  being  the
management’s  awareness  and  concern  about  the  control  system,  and  the  actual  control
procedures in place.


        THE ACCOUNTING SYSTEM

THE INTERNAL CONTROL SYSTEM



  Control

  Procedures

The Control

Environment

Figure X: The Internal Control System

The audit of the accounting system will provide the auditor with evidence to assess whether it
is  suitably  designed  to  prevent  material  misstatements.  The  audit  of  the  control  system  is
aiming at assessing the system’s effectiveness, in terms of its capacity to  detect and correct
misstatements.

The  auditor’s  understanding  of  these  aspects  will  enable  the  design  of  appropriate  audit
controls.  However,  the  extent  of  the  procedures  performed  by  the  auditor  to  obtain  this
understanding will vary depending on a number of conditions such as:

  the cost basis used by the Beneficiary;
  the type of organisation;
  the size and complexity of the Beneficiary and its organisation;
  the type of internal controls involved;
  the auditor’s considerations concerning materiality and inherent risk


9 IFAC, International Standards on Auditing and Related Services no. 6

34

5.2.7.5 Up-dating of the Audit Risk Assessment and the Audit Program

After the initial meeting with the Beneficiary and the assessment (and testing) of the control
system,  but  before  the  testing  of  transactions  and  their  supporting  documents,  it  has  to  be
evaluated if the preliminary Audit Risk Assessment and Audit Program can be maintained or
need  to  be  amended.  E.g.  the  results  of  the  assessment  of  the  internal  control  system  may
determine  areas  to  be  audited  more  thoroughly  or  other  areas  where  less  testing  procedures
are necessary.

Significant  changes  of  the Audit  Plan and the Audit Program  with  substantial  impact  on the
Audit  Process  as approved in  the  Audit  Planning phase  (APM-C) should  be reported to  and
discussed with the Management of the External Audit Service.

5.2.7.6 Audit Sampling

The  level  of  the  detection  risk,  the  risk  that  the  auditor  will  not  detect  a  misstatement,  is
directly  related  to  the  extent  of  the  substantive  tests.  However,  even  if  the  auditor  would
examine  100  %  of  the  costs  charged  to  a  specific  cost  category,  there  would  still  exist  a
detection risk as audit evidence is persuasive rather than conclusive.

For  some  cost  categories,  such  as  consumables  and  computing,  100%  audit  coverage  of  the
costs charged is normally not an efficient way of using scarce audit resources.

Sampling is a method to reach a conclusion about a population by selecting part of the items
within  the  population.  In  the  audits  performed  by  the  External  Audit  Service,  a  population
would ordinarily consist of the records/transactions within an account or a cost category.

Audit  sampling  methods  can  be  divided  in  two  categories:  statistical  and  non-statistical.
Statistical  sampling  is  based  on  the  assumption  that  a  randomly  selected  sample  will  reflect
the same characteristics that occur in the population. The advantage of the statistical sampling
method is that it enables quantification of the sampling risk10. In non-statistical sampling, the
auditor will select those items he thinks will provide the most useful information in relation to
the audit objective.

In the case of the External Audit Service audits, statistical sampling may be used as a method
to  evaluate  and  draw  general  conclusions  about  the  accounting  system  and  its  control
environment, while it is recommended to use non-statistical sampling, such as the selection of
large  items,  to  identify  specific  material  misstatements  among  the  costs.  In  any  case,  when
using  sampling  as  an  audit  approach,  the  method  used  to  select  a  sample  must  be  properly
supported and documented.

Following  and  in  accordance  with  the  above,  the  auditor  can  determine  the  sampling
coordinates  (s)he  considers  appropriate  in  a  given  audit  engagement.  However,  an  effective
identification  and  determination  of  the  sampling  coordinates  (i.e.  the  sample  size)  requires
extended knowledge and time resources by the auditor. Thus, for simplification and guidance
to the auditor the following recommendation for determination of the sample coordinates

10 Sampling risk arises from the possibility that the auditor’s conclusion, based on a sample, may be different from the
conclusion that would be reached if the entire population were subjected to the same audit procedure.

35

is given and should be followed unless the auditor clearly justifies and documents the use of
an individual methodology:

  <Recommendation on Determination of Sampling Coordinates>

5.2.8  Audit Conclusions

After  the  completing  the  preparation  and  the  testing  on  site  the  auditor  has  to  analyse  the
information and evidence obtained and draw the audit conclusions for the reporting.

5.2.8.1 Extrapolation Assessment

After  the  auditor  has  analysed  the  audit  evidence  and  concluded  on  the  findings  as  to  the
audited  projects,  an  additional  assessment  on  the  overall  or  partial  participation  of  the
beneficiary  in  EC  funded  research  projects  may  be  required  by  the  individual  audit
assignment (scope and objectives of the audit).

The auditor needs to assess to what extent individual findings of the audit can be extrapolated
on other projects by indicating whether these findings are of a systematic nature. Systematic
errors are repetitive and recurring; the implication of this type of error is that the beneficiary
is  not  complying  with  his  contractual  obligation  in  a  systematic  way.  In  this  context  it  is
essential that the audit finding is extrapolated to non-audited areas.

The use of the specific guidance on the assessment of extrapolation (i.e. as to the assessment
of errors being systematic) is recommended and to be found under the following:

  < Extrapolation Assessment and systematic errors>

An  extrapolation  assessment  is  further  supported  by  information  on  related  EC  research
funded  projects  under  the  same  contractual  framework  with  the  audited  organisation.  The
Audit  Assignment  (Audit  Planning  Memorandum  –  Form  A)  already  requires  a  list  of  all
ongoing research-grant agreements with the organisation to be audited. The list may be used
for  extrapolation-assessment  purposes  during  the  examination  and  closure  phase.
Nevertheless, depending on the duration of the individual audit process the list may require to
be updated during the audit process.

The respective list can be requested from the administrative support function of the External
Audit Service.

The  conduction  of  the  extrapolation-assessment  needs  to  be  confirmed  in  the  Audit  Process
Checklist and the results have to be expressed in the DASS and the ACM (see the respective
sections under 7.). In case of a positive assessment (extrapolation is considered necessary) a
respective  Letter  of  Conclusion  template  is  foreseen  and  additional  documentation  may  be
required.

Note that a statement as to the qualification of an error as systematic is also required if
the  list  of  projects  does  not  show  any  other  projects  with  the  audited  organisation,  as
extrapolation may affect projects of other Research DGs/agencies or projects not listed.

36

5.2.8.2 Exit Meeting

After  the  audit  work  on  the  spot  is  concluded,  a  meeting  is  generally  held  with  the
Beneficiary’s representatives. At this stage it is normally not possible to indicate or quantify
precisely  the  final  outcome  of  the  audit.    Hence,  the  intention  is  to  give  a  summary  of  the
observations made and to agree these with the beneficiary as far as possible.

The following guidance is obtainable for the exit meeting:

  <Guidance-Checklist on Exit Meeting >

The auditor(s) should document the contents and the important comments of the beneficiary
in the Audit Work Papers.

37

5.3  Summary: Mandatory procedures and documents

The use of the following procedures and related documents are considered mandatory for the
examination phase:

Mandatory Procedure/
Related Document (link)
Action

5.4  Summary: Recommended procedures and documents

The following documents and guidance on recommended procedures are available:

Recommended Procedure/
Related Document (link)
Action

Audit Work Program
<Standard Audit Program for FP7>

(to be customised/ amended
for the respective audit engagement)

Extrapolation Assessment
<  Extrapolation  Assessment  and  systematic
(if applicable)
errors>

Audit Sampling
<Recommendation
on
Determination
of
Sampling Coordinates>

5.5  Summary: Further guidance on procedures and documents

The following documents and guidance on suggested procedures are available:

Suggested Procedure/
Related Document (link)
Guidance

Information collection/
<List  of  possible  information  and  documentation  to  be
Annex to the Letter of
requested from the beneficiary>
Announcement

Interpretation on specific
FP7 Audit Manual
Framework Programs



Exit Meeting
<Guidance-Checklist on Exit Meeting >

38

6  Process Phase 3: Audit Reporting
6.1  Overview of the reporting phase

Within the Audit Process, the Audit Reporting includes two sub-phases:

  The Drafting of the Audit Report. This includes i.e. the assessment and formulation
of the Audit Findings.

  The Finalisation of the Audit Report: This includes i.e. the consultation of the draft
report with the relevant parties, the audit conclusion and where necessary the
application of specific procedures

The flowing figure summarises the Audit Reporting Phase:

Audit Examination

Audit Findings
Draft
Audit Report
Editing of Draft Report
(based on template)
Special Procedures
Letter of Representation

Final
Consultation internal/ external
Audit Report

Audit Conclusion / Qualifications
Finalisation of Report
Audit Closure

Figure AUDIT REPORTING PHASE

39

6.2  The procedural steps during the Reporting Phase
6.2.1  Draft Audit Report

In a first step the Auditor should prepare a draft report presenting the audit findings obtained.

6.2.1.1 Standard Reporting Template

For certain audit assignments, a recommended standard template of an Audit Report is
available:

  < Standard Audit Reporting Template for FP7 Audits >

6.2.1.2 Presentation of the Audit Findings

The structure of the presentation of the audit findings should organise the audit result into a
logical and coherent document. To obtain a formalised structure in the presentation of the
audit findings, it is desirable that each section follows the finding's attributes.

FIVE ATTRIBUTES OF
AN AUDIT FINDING





5. CONCLUSIONS/
1. CONDITION


RECOMMENDATIONS
" what is”
2. CRITERIA
        3. CAUSE
4. EFFECT                “to correct cause and effect”


“what should be”       “why it happened”
"difference between


condition and criteria”






Figure: Audit Finding Attributes

The attributes guide the auditor in organising and analysing relevant evidence and help ensure
that  all  necessary  information  for  a  finding  is  identified,  developed  and  adequately
documented. In audits where the attributes are unclear, the result can be a collection of facts
that provides little or no direction for writing, reviewing and reading the audit report. On the
other hand, if the integrity of the audit attributes is maintained, the reader of the audit report
can be led through the evidence, clearly establishing the credibility of the auditor's position.

The CONDITION is a factual statement describing what was found during the audit, or what the
auditee did or is doing.

The CRITERIA are the standards against which the auditor measures the activity or performance
of the auditee. In audits performed by the external Audit Service, the standards are, apart from

40

link to page 54 the  pertinent  grant  agreement,  the  generally  accepted  accounting  principles  and  normal
accounting conventions in the state where the beneficiary is established.

The  CAUSE  is  a  description  of  why  and  how  a  condition  occurred.  Knowing  the  cause  is
essential  to  developing  meaningful  recommendations.  The  auditor  needs  to  have  a  clear
understanding  of  the  cause  to  be  able  to  develop  recommendations  that  will  correct  the
problem and will be accepted by the Beneficiary.

The  EFFECT  is  the  identified  difference  between  conditions  and  criteria.  The  auditor  needs  to
determine the impact on the audited project and on other EC research-programmes, as well as
whether the impact is ongoing or represents a one-time occurrence. Such considerations will
enable  the  reader  of  the  audit  report  to  grasp  the  relevance  of  the  incorrect  action  and
understand the need for implementing the recommendations.

A  CONCLUSION/RECOMMENDATION  is  a  statement  of  the  action  that  must  be  taken  to  correct  the
findings  identified  by  the  audit.  Recommendations  should  ideally  address  the  underlying
cause and be specific, feasible and cost effective.

6.2.1.3 Nature of Audit Findings

The  nature  of  the  audit  findings  is  a  classification  that  has  to  be  reported  on  the  final  audit
assessment  and  may  impact  further  (specific)  procedures.  There  are  three  categories:
Irregularities, Error and Qualitative. The words have been given the following definitions 11:

Irregularities   -  refers  to  intentional  distortions  by  an  individual  of  the  Beneficiary’s
management, employees, or third parties, which results in a misrepresentation in the Financial
Statement.  Irregularities  may  involve  inter  alia  manipulation  or  falsification  of  documents,
recording of transactions without substance and misappropriation of assets.

Error   - This  term  refers to  unintentional mistakes or oversights  in  the  Financial  Statement,
such as mathematical or clerical mistakes in the underlying records, misinterpretation of facts
or  misapplication  of  accounting  policies.  This  is  the  situation  when,  for  example,
misstatements  are  due  to  the  Beneficiary’s  lack  of  awareness  or  understanding  of  the
contractual obligations.

Qualitative
-  Audit  findings  that  are  not  giving  reasons  for  a  financial  adjustment,  are
categorised  as  qualitative.  An  audit  to  verify  the  correct  cost  basis  would  normally  be
classified as qualitative.

Considering its relative importance, a classification of the findings as “Irregularities”, needs
the  consent  of  the  Audit  Steering  Committee  and  eventually  the  application  of  the  specific
procedures on "Sensitive Cases" and/or "Early Warning System" (see section 8.4 to 8.6).

6.2.1.4 Seriousness of Audit Findings

The  nature  of  the  audit  finding  has  to  be  distinguished  from  the  seriousness  of  the  audit
finding.  The  seriousness  of  the  audit  findings  is  an  additional  classification  that  has  to  be
reported on the final audit assessment and may also impact further (specific) procedures.


11 Reference is made to IFAC International Standards on Auditing and Related Services no. 11, “Fraud and Error”

41

link to page 54 link to page 54 There are four categories: None, Small, Medium, High. The following definitions apply:

None  - no financial adjustments and no recommendations are made.

Small  -  financial  adjustment  less  than  or  equal  to  2  %  and/  or  recommendations  to  issues
other than internal control weaknesses.

Medium  -  financial  adjustment  are  above  2  %  but  not  fulfil  the  criteria  of  'high'    and/  or
recommendations related to  internal control weaknesses which do not substantially affect the
audit findings (e.g. absence of time recording if alternative evidence was obtained).

High  One of the following conditions is fulfilled:

  Adjustment are above EUR 100.000 and represent more than 5 % of the cost claimed
  Adjustment are above EUR 30.000 and represent 30 % or more of the cost claimed
  Recommendations concerning serious internal control weaknesses.

Note that a 'High' finding also requires the involvement of an Audit Steering Committee (see
section 8.4).

6.2.1.5 Audit findings in the absence of a financial adjustment

Not  all  audits  result in  financial  adjustments.  Nevertheless,  the  problems  encountered  might
have been serious, e.g. the audit is not completed due to serious irregularities, or when only a
qualitative audit report is written due to limited or denied access to the accounts.

In  these  cases,  the  auditor  is  expected  to  give  explanatory  comments  in  the  Audit  Closing
Phase  and/or  to  inform  the  management  of  the  External  Audit  Service  (Audit  Coordinator;
Head  of  Unit/  Service).  Furthermore,  these  circumstances  may  have  to  be  presented  to  the
Audit Steering Committee in the procedure of the overall appraise of the level of seriousness
of the audit findings (see section 8.4).

6.2.1.6 Currency of adjustments to cost in the report

The  adjustment  of  costs is  to  be  expressed  in  national  currency  and  EURO.  The  conversion
rate  to  be  used  depends  on  the  Framework  Programme  under  which  the  grant  agreement  is
agreed.
Usually relevant information to determine the exchange rate to be used should be included in
the Audit Work Program (to also verify the exchange rate used by the beneficiary).

6.2.1.7 Detection  of  weaknesses  and  errors  in  the  grant  agreement
management

Findings  related  to  weaknesses  or  errors  in  the  grant  agreement  management  by  the  EC
operational services are for example:

  non-signature of grant agreements
  missing declarations and forms

42

link to page 54   errors in payments
  incomplete consortium agreements

Such findings should be reported to the operational service responsible for the management of
a  grant  agreement  in  a  note  separate  to  the  audit  report.  The  appropriate  reporting  on
respective findings should be agreed with the management of the external Audit Service.

6.2.2  Finalisation of the Audit Report
6.2.2.1 Special Procedures before finalisation of the Audit Report

Special procedures may apply to the audit findings before finalisation of the audit report. The
auditors need to check if such procedures have to be followed and assess whether the report
can be finalised.

I.e. the following situations  and  related special  procedures may  affect  the finalisation of the
audit report:

  The nature of audit findings is classified as irregularities;
  The seriousness of audit findings is considered 'high';
  The audit findings are of systemic character and require extrapolation

Both examples would require to call in an Audit Steering Committee and to eventually follow
further  specific  procedures.  More  information  on  specific  procedures  is  to  be  found  under
section 8.

6.2.2.2 Consultation of the draft audit report

When the draft report is completed the related parties may be consulted on the audit findings
and conclusions by transmission of the draft report and request for comments.

Where  possible,  the  auditor(s)  should  seek  for  an  agreement  of  the  audit  report  and  the
reported findings.  It  is  however important  to  ensure  that the consultation  does not  affect  the
independence and objectivity of the auditor(s). Aim of the consultation is to avoid and clarify
eventual misunderstandings or similar problems before finalisation of the audit report.

The consultation should not lead to a significant delay in the closure of the audit engagement.

The following consultation procedures are foreseen and are recommended for use:

6.2.2.2.1  Consultation of internal parties (i.e. operational service)

The internal parties may be asked for comments on the draft report in writing. The following
form can be used for standard consultations by e-mail or letter:

< Standard Consultation Form – internal parties >

43

link to page 50 Unless otherwise specified or for duly justified reasons, the internal parties should be given a
fixed  deadline  for  comments  of  5  working  days.  If  no  comments  are  received  within  the
deadline a tacit agreement of the internal party is assumed.

6.2.2.2.2  Consultation of the Quality Control officer

Before  sending  the  draft  audit  report  to  the  auditee,  the  auditor  should  consult  the  Quality
Control  officer.  The  latter  should  complete  the  first  part  of  the  Quality  Control  checklist
(ACM-B):

< ACM – Part B: Review >

The  Quality  Control  checklist  (ACM-B)  needs  further  completion  before  sending  the  final
audit report. (see also 7.2.1.2)
6.2.2.2.3  Consultation of the audited organisation (beneficiary)

The  audit  organisation  should  be  asked  for  comments  on  the  draft  report  in  writing.  The
following form can be used for standard consultations by e-mail or letter:

  < Standard Consultation Form – audited organisation >

The audited organisation should be given a fixed deadline for comments within the judgement
of the auditor(s).

6.2.2.2.4  Re-Consultation of internal parties (i.e. operational service)

Generally the consultation of the internal parties should be carried out before the consultation
of  the  beneficiary  to  avoid  substantial  modifications  to  the  draft  report  due  to  internal
differences after consultation of the beneficiary.

In case substantial changes result from the consultation of the beneficiary, the internal parties
may be re-consulted for comments on the revised draft report in writing.

6.2.2.3 Letter of Representation

With the finalisation of the collection of audit evidence (usually at the end of the audit field-
work and testing) the auditor has to obtain a letter of representation from the representatives
of the beneficiary responsible for the financial and scientific management of the EC grant.

The mandatory template to be used can be found under the following:

  <Letter of Representation for FP7 >

  <Letter of Representation for Fusion Audits >

The Letter of Representation is considered audit evidence. If a beneficiary refuses to provide a
Letter of Representation, this constitutes a scope limitation and the auditor should qualify his
opinion or add a disclaimer to his opinion.

44

6.2.2.4 Adaptation of the draft audit report

After analysis and eventual incorporation of the comments received during the consultation
phase the auditor(s) will complete and finalise the draft audit report. Special attention shall be
applied to ensure that all notions to the draft status of the report are removed.

45

6.3  Summary: Mandatory procedures and documents

The use of the  following  procedures  and related  documents is  considered mandatory for the
reporting phase:

Mandatory Procedure/
Related Document (link)
Action







Letter of Representation
<Letter of Representation for FP7>

<Letter of Representation for Fusion Audits >

6.4  Summary: Documents on recommended procedures

The following documents and guidance on recommended procedures are available:

Recommended
Related Document (link)
Procedure/
Action

Audit Reporting Template
< Standard Audit Reporting Template for FP7 Audits >
(to be customised)

Consultation of internal
< Standard Consultation Form – internal parties >
parties (i.e. operational

services)

Consultation of the audited
< Standard Consultation Form – audited organisation >
organisation

46

7  Process Phase 4: Audit Closure
7.1  Overview of the closing phase

Within the Audit Process, the Audit Closure Phase includes the following sub-phases:

  The  Communication  of  the  Audit  Results  for  the  further  implementation  of  the
Audit  Results  including  i.e.  the  Final  Audit  Report,  the  Detailed  Audit  Summary
Sheet, the Letter of Conclusion and the Audit Closure Memorandum

  The Completion of the Audit File to be archived including all documentation related
to the audit engagement  i.e. of the mandatory procedures and evidence related to the
audit findings and conclusions

  The Archiving of the Audit File by the administrative support (secretariat)

Audit Reporting
Communication
Audit Closing Memorandum
Including all annexes
Of Audit
Results
Letter of Conclusion
Detailed Audit Summary Sheet
Completion of the
Audit File
Check Completion of File
Electronic Filing in ARES
Archiving
Final Check completeness of file
of Audit
Electronic/ paper Archiving of audit
Implementation of Audit Results
(not part of this Handbook)

Figure AUDIT CLOSURE PHASE

47

7.2  The procedural steps during the Closure Phase
7.2.1  Communication of the Audit Results and the Audit Closure
Memorandum

As shown in the figure below, four different documents (accompanied by annexes) are used to
communicate the results of the audit: the (Final) Audit Report, the Letter of Conclusion, the
Detailed  Audit  Summary  Sheet  and  the  Audit  Closure  Memorandum.  Some  services  within
the  Research  DGs/agencies  will  receive  all  four  documents,  while  the  Beneficiary  usually
only receives the Letter of Conclusion and the Audit Report.

Audit Closure Memorandum (ACM)

Letter of
Final
Any
Audit
Conclusion
annexes and
Audit

Summary
Supporting
Report
+
Sheet

Documents

Figure: The Documents for the Communication of the Audit Results

The Audit Closure Memorandum constitutes the framework document for the Audit Closure
and  the  communication  of  the  Audit  Results  in  particular.  Analogue  to  the  Audit  Planning
Memorandum  the  Audit  Closure  Memorandum  includes  three  major  procedural  steps  which
are mandatory for all audit engagements and are reflected by the document:

7.2.1.1 Audit Closure Memorandum - Part A: Completion of Audit Work

The Audit Closure Memorandum (ACM) part A has to be issued by the assigned (principal)
auditor. The document requires the auditor to fill in certain information on the execution and
the  results  of  the  audit  useful  to  the  management  of  the  External  Audit  Service  for  the
supervision/ review and the sign off of the audit assignment.

The mandatory closure form to be used (ACM – part A) is obtainable here:

  < Audit Closing Memorandum – Part A: Completion of Audit Work >

The  closure  of  the  Audit  related  to  the  communication  of  the  audit  results  requires  the
following annexes to be provided together with the ACM-part A:

7.2.1.1.1  Letter of Conclusion (LoC)
The Letter of Conclusion is the document in which the audit results are communicated to the
Beneficiary, and it contains remarks, conclusions and recommendations concerning the audit
findings.

48

link to page 51 link to page 43 link to page 44
The standard form of the Letter of Conclusion is available and mandatory to use. It needs to
be fine-tuned to the results of the audit (extrapolation or no-extrapolation):

  < Letter of Conclusion >

The  Letter  of  Conclusion  prepared  by  the  assigned  (principal)  Auditor  is  considered  a  draft
version. The letter is finalised by signature of the authorised representative of the External Audit
Service  (Head  of  the  external  Audit  Service  or  Director  of  the  Directorate  under  which  the
service operates).

7.2.1.1.2   Detailed Audit Summary Sheet (DASS)

The Detailed Audit Summary Sheet (DASS) is a summary of the audit results, communicated
to  relevant  officials  within  the  Research  DGs/agencies  and  the  Court  of  Auditors.  It  is  also
used for statistical reports concerning the audits performed and it forms part of the statistical
information that is used in the audit selection process. The use of a Detailed Audit Summary
Sheet  is  mandatory.  A  list  of  minimal  information  to  be  contained  in  a  summary  sheet  is
binding for all RDGs/agencies. This list is presented in the following document:

  < DASS - Audit Summary Sheet >

Each  RDG/agency  should  implement  this  document  in  a  form  that  suits  its  management
requirements and IT constraints.

The DASS prepared by the assigned (principal) Auditor is considered a draft version. It has to be
noted that for signature and the archiving of the Audit File a print-out of the DASS from the
IT system might be necessary.

The  DASS  becomes  final  with  the  approval  by  the  authorised  representative  of  the  External
Audit Service (Head of the External Audit Service), i.e. the signed Letter of Conclusion.

7.2.1.1.3  The Final Audit Report

The finalised Audit Report should be re-checked by the auditor and signed by all members of
the audit team.

The final Audit Report becomes valid with the approval by the authorised representative of the
External Audit Service (Head of the external Audit Service), i.e. the signed Letter of Conclusion.

7.2.1.1.4  Any other annexes and supporting documents

With the Audit Closure Memorandum – Part A the completed Audit File has to be provided
by the Auditor. For further information see section 7.2.2.

Further annexes required mandatory are (so far applicable):

  Comments of the internal parties in the consultation phase (see section 6.2.2.2.1 and
6.2.2.2.4)

49

link to page 44 link to page 54 link to page 55 link to page 55 link to page 42   Comments of the external party in the consultation phase (see section 6.2.2.2.3)
  (Updated – if relevant) List of projects with the audited organisation under the same
regulatory research framework (see below)
  Minutes and Decisions of the Audit Steering Committee (if relevant) (see section 8.4)
  Specific documentation in case of 'Sensitive Cases' of 'EWS Cases' (if relevant)  (see
section 8.5 and section 8.6 )
  Draft note to the operational services in case of weaknesses or errors detected in the
grant agreement management (if relevant) (see section 6.2.1.7 )

List of grant agreements with the audited organisation

In case of systematic errors, an updated list of grant agreements with the audited organisation
under  the  same  regulatory  research  framework  needs  to  be  added  to  the  Audit  Closing
Memorandum  –  Part  A.  (see  also  section  4.2.2.6  and  5.2.2.3).  The  respective  list  can  be
requested from the back-office of the External Audit Service.

7.2.1.2 Audit Closure Memorandum - (ACM) Part B: Review

The  ACM  part  B  has  to  be  issued  by  the  Management  of  the  External  Audit  Service  (or
delegated  person).  The  Management  of  the  External  Audit  Service  (or  delegated  person)
conducts a limited supervision/ review of the work performed and the results communicated
to prepare the sign off of the audit assignment.

The mandatory closure form to be used (ACM – part B) is obtainable here:

  < Audit Closing Memorandum – Part B: Review >

7.2.1.3 The practical procedure for the communication of results

With the Audit Closing Memorandum – Part A, the auditor provides all documents related to
the  audit  engagement  to  the  administrative  support  of  the  External  Audit  Service  (here:
secretariat). The secretariat prepares a signataire of the following documents:

  Audit Closing Memorandum - Part A
  (Draft) Letter of Conclusion
  (Draft) Detailed Audit Summary Sheet (printout)
  Final Audit Report
  Other Annexes to the Audit Closing Memorandum Part A

  The  auditor  checks  the  documents  in  the  signataire.  (S)he  signs  the  Final  Report,  the
Detailed  Audit  Summary  Sheet  and  the  Audit  Closing  Memorandum  –  Part  A,  adds  the
completed  Audit  File  to  the  signataire    and  forwards  them  to  the  Management  of  the
External Audit Service (or delegated person) for providing the ACM-Part B.

50

link to page 11   After the return of the signataire to the secretariat the Letter of Conclusion and a copy of
the Audit Report are sent to the Beneficiary by registered letter.

  When the Letter of Conclusions has been communicated to the Beneficiary, and the final
audit  result  is  established,  the  final  Audit  Report,  Letter  of  Conclusions  and  Audit
Summary Sheet are distributed to the (Director of the) operational service concerned.

  The results of the audit (i.e. the DASS) are made available for use of the External Audit
Services of all Research DGs/agencies  electronically. Other DGs/agencies may request a
copy of the Letter of Conclusion and the Audit Summary Sheet via e-mail.

7.2.2  The Completion of the Audit File

The  Audit  File  is  the  complete  set  of  documentation  related  to  the  audit  engagement
performed. For the Audit File the principles of documentation as described in section 2.5 have
to  be  followed.  It  shall  include  all  relevant  documentation  i.e.  the  documentation  of
mandatory  procedures,  the  Audit  Working  Papers  and  all  other  evidence  necessary  to
sufficiently support the audit findings and conclusions.

The documentation in the audit file should be logically structured, clear and concentrated on
essential topics. In addition, it should be kept in a way that enables evaluation (review) of the
audit  proceedings.  For  the  filing  and  documentation  of  the  Audit  File  the  following
mandatory and standardised filing/reference plan exists:

  < Audit File Index >

The auditor is advised to already use this filing plan during the audit process.

Electronic Audit File

An audit file can be archived in a hardcopy and/ or electronic format.

The auditor has to ensure that at least one complete set of documentation (including relevant
e-mails)  is  accessible  and  available  for  use  after  the  archiving.  Typically  the  majority  of
supporting  documentation  in  the  Working  Papers  will  be  available  in  hardcopy  version
(paper-copies)  only.  An  electronic  compilation  (e.g.  by  scanning  all  documents)  in  the
majority  of  cases  may  not  be  efficient.  Thus  the  primary  Audit  File  will  usually  be  the
hardcopy version.

However, the auditor is encouraged to use electronic filing where efficient and/ or provide a
copy of the electronic files on a CD-ROM version in with the hardcopy version of the Audit
File for archiving. In such cases the auditor  also should use the mandatory Audit File Index
for the structure of the electronic filing. The auditor is advised to already use this filing plan
during the audit process.

  < Audit File Index  >

ARES in the audit lifecycle

The following guidance describes the internal process used in RTD.M1 in relation to ARES.
It can be used as a source of guidance for the RTD family:

51

<ARES in the audit lifecycle>

7.2.3  The Archiving of the Audit File

The administrative support function performs a (mandatory) final check of the completeness
of the Audit File by the following checklist

  < Checklist Completion of Audit File – Archiving >

The  principal  (assigned)  auditor  receives  a  notification  of  the  archiving  via  a  respective
signataire  for  confirmation  via  signature.  (S)he  confirms  the  checklist  by  the  administrative
support  function  by  Visa  and  approves  the  archiving.  The  administrative  support  function
archives the audit file following the relevant procedures in place.

52

7.3  Summary: Mandatory procedures and documents

The use of the  following  procedures  and related  documents is  considered mandatory for the
audit closure phase:

Mandatory Procedure/
Related Document (link)
Action

Audit Closing Memorandum
–  Part  A:  (Completion  of
Audit Work):
< ACM – Part A: Completion of Audit Work >

Including
all  applicable
Annexes (see 7.2.1.2.4)

Letter of Conclusion
< Letter of Conclusion >

Detailed  Audit  Summary  < DASS - Audit Summary Sheet >
Sheet

Audit Closing Memorandum
–  Part  B:  (Review  by  < ACM – Part B: Review >
Management of the External
Audit Service)

Audit File Index
< Audit File Index >

Checklist  Completion  of  < Checklist Completion of Audit File – Archiving >
Audit  File  –  Archiving  (by
administrative support)

7.4  Summary: Further guidance on procedures and documents

The following documents and guidance on suggested procedures are available:

Recommended
Related Document (link)
Procedure/
Action

ARES
<ARES in the audit lifecycle>

53

link to page 36 link to page 41
8  Special Procedures & Audit Follow-up Actions
8.1  Extrapolation of Audit Results

Within the individual Audit Engagement and Audit Process the responsibility of the assigned
Auditor  is  limited  to  provide  an  assessment  on  the  nature  of  the  error  (systematic/  non-
systematic) recommending a respective treatment of the audit results. (See section 5.2.8.1)

The results of the assessment are to be communicated in various documents (DASS, ACM-A,
and Letter of Conclusion). The further implementation of results is not considered part of the
Audit  Process  and  therefore  not  covered  by  this  Handbook.  However,  the  auditor  should  be
aware of the further procedures related to the implementation of the results which exist in his
DG/agency and obtain the relevant information.

8.2  New evidence after closure of the audit

If  the  beneficiary  provides  the  auditor  with  new  evidence  after  the  expiry  of  the  deadline
established  in  the  Letter  of  Conclusion  or  given  by  general  legal  or  administrative
requirements,  the  concerned officers of the directorate involved in  the  grant  agreement, will
have to consider the value of the new evidence and decide (preferably in consultation with the
auditor)  the  appropriate  action  to  be  taken.    If  however,  the  auditor  requires  further
examination, a follow-up audit may be considered.

8.3  Follow-up Audits

Follow-up Audits are considered to usually follow the standard audit approach as outlined in
the Audit Process Handbook.

However,  typically  for  these  types  of  audit  a  specific  (limited)  scope  applies  and  certain
procedures  need  to  be  amended  or  can  be  reduced.  Thus,  for  follow-up  audits  the  auditor
should  discuss  with  the  Management  of  the  External  Audit  Service  or  delegated  person  the
design of the audit process where appropriate to eventually reduce the procedural workload.

8.4  Audit Steering Committee (ASC)

The Audit Steering Committee (ASC) is formed by members of the Audit Service and headed
by  the  Audit  Co-ordinator  (or  delegated  person).  It  has  an  overall  role  to  ensure  that  the
quality of audits performed conforms to the highest professional standards.

The application of the ASC procedure can be mandatory or voluntary:

  The call of an ASC is mandatory and the Committee will have to give its consent in
case:

o  The audit findings are classified as “Irregularities” (see section 6. 2.1.3)

54

link to page 41 link to page 41 link to page 54 o  The seriousness of the audit findings is high (see section 6.2.1.4), however in
case seriousness of audit findings are high, but have been accepted in writing
by the auditee, no ASC is needed (as no controversy)

o  The  above  applies  whether  adjustments  related  to  the  finding  are  negative  or
positive.

  The call of an ASC is voluntary or subject to judgement of an auditor if (s)he wants to
obtain a formal (documented) advice and/or decision on how to proceed or conclude in
the audit engagement.

The  conclusions  and  decisions  of  the  ASC  are  to  be  documented  in  writing.  Further,  the
Committee will also  suggest  whether the transfer of the  file to  OLAF is  necessary (see  also
8.5).  All  conclusions  and  decisions  need  to  be  approved  by  the  Head  of  the  External  Audit
Service of the DG/agency.

The following information is also available:

<ASC procedure>

8.5  Sensitive Cases and Suspicion of Fraud

'Sensitive  Cases'  are  characterised  as  audit  cases  which  lead  to  indication  or  suspicion  of
fraudulent behaviour towards EC interests and assets.

Typically  such  cases  require  the  classification  as  “Irregularities”  (see  section  6.2.1.3)  and
have to be forwarded to the Audit Steering Committee (ASC) (see section 8.4). The ASC and
in  the  following  the  Director  or  Head  of  the  external  Audit  Service  will  decide  whether  the
transfer of the file to OLAF is necessary via the respective procedure of the DG/agency.

Further, procedures in case of suspicion of fraudulent behaviour are also addressed by the EC
statements on Ethics and i.e. Whistle blowing:

http://myintracomm.ec.europa.eu/hr_admin/en/ethics/Documents/guide_ethics_en.pdf
(EN)
8.6  Consideration of the Early Warning System

The  Early  Warning  System  (EWS)  is  a  inter-institution  information  system  and  aims  to
protect  EU  financial  interests  by  circulation  of  restricted  information  on  third  parties  who
could represent a threat to these Communities' financial interests.

The EWS distinguishes 5 categories:

W1: Suspicion related to a third party
W2: Findings by Union institutions, Commission services or other against a third party
W3: Legal proceedings pending against a third party
W4: Problem of recovery with a third party
W5: Regulatory obligations to exclude a third party

55

link to page 55 link to page 41 link to page 41 link to page 54 Note that the categories are not restricted to sensitive cases' (see section 8.5).

The responsibility of the auditor in the audit process is to indicate and communicate with the
results  of  the  audit  whether  in  a  given  situation  an  audited  organisation  should  be  'flagged'
(included)  in  the  EWS  based  on  the  results  of  the  audit.  The  procedure  to  execute  this
'flagging'  will  be  further  followed-up  by  the  Early  Warning  Officer  and  a  countersigning
authorised person determined by the respective DG/agency.

Typically  a  situation  that  requires  an  EWS-'flagging'  also  requires  a  classification  as  a  high
audit  finding  (see  section  6.2.1.4)  and/  or  a  audit  finding  of  critical  nature  (see  section
6.2.1.3).  Thus  the  assessment  of  the  auditor  should  also  be  supported  by  the  Audit  Steering
Committee (see section 8.4).

More detailed information on the EWS can be found under the following link:

http://www.cc.cec/budg/i/earlywarn/imp-110_earlywarn_en.html

56