20061212 guidelines financial audit2

7/27/2019 20061212 Guidelines Financial Audit2

1/134

Guidelines for financial auditing

March 2006


2/134

Foreword

The guidelines for financial auditing are based on theAuditing Standards for the Office of the Auditor

General. The guidelines shall be used as the foundation for the Office of the Auditor Generals

financial auditing from 1 July 2005.

Guidelines for financial auditing Page iii


3/134

Contents

==============

1 Structure of the guidelines.......................................... 1

1.1 Guidance for the reader .........................................................1

1.2 Sources ..................................................................................1

2 Financial auditing in the OAG ................................... 2

2.1 Purpose..................................................................................2

2.2 The content of the audit.........................................................32.2.1 Audit of the accounting.........................................................................................4

2.2.2 Compliance of the dispositions.............................................................................4

2.2.3 Advising the audited entity ...................................................................................6

2.2.4 Contributing to the prevention and detection of irregularities.............................. 7

3 The audit process for financial auditing..................... 10

3.1 Financial auditing summary ...............................................103.1.1 Objectives and tasks..............................................................................................10

3.1.2 Framework conditions .......................................................................................... 11

3.1.3 Basic auditing terms..............................................................................................11

3.1.4 The audit process ..................................................................................................13

3.1.5 Strategic analysis ..................................................................................................14

3.1.6 Process analysis ....................................................................................................16

3.1.7 Analysis of residual risk........................................................................................18

3.1.8 Conclusions........................................................................................................... 20

3.1.9 Reporting............................................................................................................... 21

3.2 Key documents......................................................................22

3.2.1 Documents produced internally ............................................................................223.2.2 Some key documents from the Storting and government administration.............23

3.3 The audit process from start to finish.................................24

4 Basic auditing terms ................................................... 26

4.1 Assertions..............................................................................264.1.1 Assertions for an audit of the accounting .............................................................27

4.1.2 Assertions for compliance.....................................................................................28

4.1.3 Connection between the financial auditing assertions and criteria for information forIT auditing............................................................................................................. 32

Guidelines for financial auditing Page v


4/134

4.2 Materiality ............................................................................ 344.2.1 Qualitative materiality...........................................................................................35

4.2.2 Quantitative materiality.........................................................................................36

4.3 Audit risk.............................................................................. 37

4.4 Audit procedures .................................................................. 394.4.1 Procedures for risk assessment..............................................................................39

4.4.2 Tests of controls ....................................................................................................41

4.4.3 Substantive tests ....................................................................................................42

4.5 Audit evidence...................................................................... 45

5 Strategic analysis........................................................ 48

5.1 Purpose of the strategic analysis........................................... 49

5.2 Understanding the entity....................................................... 505.2.1 Identifying the entitys goals .................................................................................50

5.2.2 Identifying external factors ...................................................................................51

5.2.3 Identifying internal factors ....................................................................................54

5.2.4 Analysis of financial information..........................................................................57

5.2.5 Identifying processes.............................................................................................58

5.3 Assessing materiality............................................................ 59

5.4 Assessing risk....................................................................... 605.4.1 Identifying risk elements and the managements reaction ....................................60

5.4.2 Estimating risk.......................................................................................................61

5.4.3 Evaluating risk.......................................................................................................63

5.5 Planning further auditing...................................................... 63

5.6 Documenting the strategic analysis ...................................... 65

5.7 Quality assurance and approval............................................ 66

6 Process analysis.......................................................... 68

6.1 Purpose of the process analysis ............................................ 68

6.2 Understanding the process.................................................... 686.2.1 Process goals .........................................................................................................69

6.2.2 Process activities ...................................................................................................69

6.2.3 Information flow ...................................................................................................70

6.2.4 Accounting transactions ........................................................................................71

Page vi Guidelines for financial auditing


5/134


6/134


7/134

1 Structure of the guidelines

1.1 Guidance for the readerFramework conditions for

financial auditing:The guidelines are divided into two main parts.

The first part, Chapters 24, consists of introductory

chapters on the framework conditions for financial auditing

with the adaptations made in the Office of the Auditor

General (OAG). Chapter 3 contains a summary of the

auditing process and a description of some key documents.

Chapter 4 shows how the recognised and general auditing

terms have been adapted to the OAGs objectives and tasks.

Chap. 2 Financial auditing in

the OAG

Chap. 3 The audit process for

financial auditing

Chap. 4 Basic auditing

terminology

The second part, Chapters 510, constitutes a detailed

review of the methodology that is used as a basis for the

OAGs financial auditing.

Details of methodology:

Chap. 5 Strategic analysis

Chap. 6 Process analysis

Chap. 7 Analysis of residual

risk

Chap. 8 Conclusions1.2 Sources Chap. 9 Reporting

Chap. 10 DocumentationThe following sources have been used in the work of

formulating the guidelines:

Chap. 11 Quality assurance

W. Robert Knechel: Auditing Assurance and Risk William F. Messier, jr.: Auditing & Assurance Services

a systematic approach

The Norwegian Institute of Public Accountants:Descartes revisjonsmetodikk (Descartes audit

methodology)

B.P. Gulden: Revisjon teori og metode (Auditing theory and methods)

INTOSAIs auditing standards International Private Sector Accounting Standards

(IFAC) Risk management framework (COSO) Framework for information systems audit (CobIT)

Guidelines for financial auditing Page 1


8/134

2 Financial auditing in the OAG

2.1 PurposeThe Office of the Auditor Generals main purpose is

defined in Section 1 of the Auditor General Act:Section 1, Auditor General Act

The Office of the Auditor General shall ensure, through

auditing, monitoring and guidance, that the states revenues

are paid as intended, and that the states resources and

assets are used and administered in a sound financial

manner and in keeping with the decisions and intentions of

the Storting.

The purpose of financial audits is to obtain relevant

information about the central government accounts and the

transactions and decisions regarding allocations (referred to

in this document as dispositions) on which they are based

to enable auditors to form an opinion of reasonable

assurance about whether the accounts can be certified and

the dispositions accepted.

Purpose of financial audits

The objective of financial audits is defined in section 3 of

the Instructions concerning the activities of the Office of

the Auditor General the content of the auditing:Section 3, Instructions

concerning the activities of the

Office of the Auditor General By auditing accounts, the Office of the Auditor General

shall verify whether the financial statements give a correctpicture of the financial activity, including:

a) confirm that the financial statements are free of material

errors and omissions, and

b) verify whether the transactions in the financial

statements reflect the decisions and intentions of the

Storting and the current regulations and whether they

are acceptable in the light of the norms and standards

for financial management in the central government.

Objectives of financial audits On the basis of the above, financial audits in the OAG havetwo audit objectives:

Audit of the accounting The objective of financial audits is to enable auditors to

form an opinion of reasonable assurance about whether the

financial statements and other financial information are

complete, accurate and reliable.

The objective of compliance is to enable auditors to form

an opinion of reasonable assurance about whether the

ministrys or the entitys dispositions on which the accounts

are based:

Compliance of the dispositions

Page 2 Guidelines for financial auditing


9/134

Financial auditing in the OAG

comply with the Stortings budget resolutions andintentions

are in accordance with current regulations are acceptable in the light of the norms and standards

for financial management in the central government

2.2 The content of the auditSection 9 of the Auditor General Act defines the main tasks

involved in financial auditing as follows:

Section 9, Auditor General Act

The Office of the Auditor General shall audit the Central

Government Financial Statements and all financial

statements that are rendered by central government

agencies or other authorities that are accountable to the

central government, including government corporations,

government agencies with special powers, governmentfunds and other agencies or entities where it is so

stipulated in a special act [].

The Office of the Auditor General shall through auditing

contribute to the prevention and detection of irregularities

and errors.

The Office of the Auditor General can advise the

government administration to prevent future errors and

omissions.

The OAG therefore audits the central government financialstatements and all accounts submitted by government

agencies/entities. The central government financial

statements represent a compilation of all the entities

accounts, and the OAG conducts its own audit procedures

on these accounts. Auditing the entitys accounts includes

ensuring the compliance of the dispositions and conducting

a financial audit of the financial statements of each

individual entity.

Auditing central government

financial statements

The comments to the Act state that the definition of

accounts in this context may change over time depending

on how the central government administration is organised

and how the central government accounting scheme is

arranged.

In these guidelines the term entity is used to describe the

entity that is being audited, irrespective of whether this is a

ministry, a government entity or an entity that has a

different form of organisation. The term is also used in

cases where the audit assignment has been made mandatory

in another way for example by law or agreement.

The term entity


Audit tasks

financial auditing

The OAGs mandate gives financial auditing a widercontent than private sector auditing since it also includes

compliance. As the auditing and monitoring body for the

compliance contributing to preventing

and detecting irregularities

advising


10/134



Storting, the Storting expects the OAG to express an

opinion on budget allocations in addition to its statement on

the accounts.

Through auditing the OAG is also intended to contribute to

the prevention and detection of irregularities and errors,

and to advise the government administration in order toprevent the occurrence of future errors and omissions. In

their role as advisor, auditors must exercise caution and

must conduct themselves in a manner that does not

jeopardise the audits independence and objectivity.

2.2.1 Audit of the accounting

Pursuant to section 3 of the Instructions, the OAG shall:

confirm that the financial statements are free of materialerrors and omissions.

An audit of the accounting is defined as the procedures that

are required to confirm that the accounts are complete,

accurate and reliable. This entails ensuring that expenses

and revenues, stock and assets of any kind have been

recorded in the accounts in keeping with the applicable

rules.

As the auditing and monitoring body for the Storting, the

OAG is an external auditor and conducts financial auditing

in line with audits that are performed by other auditing

bodies both private and public.

The OAG has an independent position, and there is no

financial commitment between the auditor and the audited

entity. Furthermore, financial auditing has an extended

content since the accounts that the OAG audits are of

interest to a more complex group of users. Here the OAG

has a social responsibility with regard to monitoring the

administrations use of the nations resources.

At the same time as it presents its financial statements, anentity also submits assertions that the information in the

accounts meets certain qualitative requirements. Through

its work, the audit must verify with reasonable assurance

that the assertions submitted are accurate and reliable. The

assertions that are used for financial auditing are based on

international auditing standards.

2.2.2 Compliance of the dispositions

The term compliance is given in the objective forfinancial audits and is described in section 3 (b) of the


11/134



Instructions, referred to here as verifying..transactions

(cf. 2.1).

Compliance involves examining the extent to which the

ministry and the entity have attained the performance

targets and objectives that are given in the budget

resolution for the accounting year in question. Comparedwith performance auditing, the financial audit is restricted

to matters concerning the accounts for the individual year.

Three assertions have been derived for compliance. These

are based on the division of the definition into three parts

and on the objective of the financial audit:

The dispositions comply with parliamentary decisions The dispositions comply with laws and regulations The dispositions are acceptable on the basis of the

norms and standards for financial management in the

central governmentThe tasks of the financial audit do not include assessing

whether the budget propositions goals and performance

requirements are relevant. The degree of detail in the

description of goals and performance requirements varies

from ministry to ministry and may partly depend on the

management signals that have been given priority in each

individual case. In addition, a main element in the financial

management regulations is that the management and

supervision of the entities must be adapted to their

individual distinctive features for example based on an

assessment of risk and materiality.

In some cases it may be difficult to identify clear goals and

result requirements in the budget documents, and this may

make it problematic to identify the intentions on which the

Storting has based the budget resolution.

Provisions concerning financial management in the central

government impose upon the ministries the duty to follow

up the budget resolutions and to ensure that the central

government budget is implemented through annual letters

of allocation to subordinate bodies. The letter of allocation

forms part of the ministrys management of subordinateagencies. It must contain management parameters that

allow an assessment of goal achievement and results to be

made that remain as stable as possible over time.

If the Storting amends the allocation proposal or the

intentions, it will be the task of the ministry through an

letter of allocation or if appropriate a supplementary letter

of allocation to adapt the management of its subordinate

agencies to new frameworks or intentions. Auditors must

constantly use the entire budget deliberations as a basis for

their work of identifying intentions. If the budget proposaldoes not contain a precise indication of what is to be

achieved, it is not impossible that during the proceedings


12/134



the committee will attach more detailed intentions to the

allocation by a statement in the budget recommendation.

The OAGs compliance process is limited to the

transactions that have financial importance or are of

significance for achieved results compared with intended

targets. It must also be possible to make any deficientimplementation of an allocation decision on the part of the

ministry the object of auditing.

The point of departure for financial auditing is the annual

budget and financial statements. However, compliance will

not always only be restricted to data concerning the

accounting period in question since several years may pass

from the allocation to implementation and reporting. If

errors or weaknesses have their origin in previous

accounting periods, it will be appropriate for auditors to

express an opinion on this material. However, it will not be

relevant to audit previous years accounts or routines.

2.2.3 Advising the audited entity

The following is stated in the OAGs standards concerning

advice:

8

In conjunction with the audit work, auditors can advise the

audited entity in areas in which the auditors have the

required competence.

9

When advising an audited entity, auditors shall conduct

themselves in a manner that prevents any doubt arising as

to the independence and objectivity of the Office of the

Auditor General.

10

Auditors shall take care to act in a way that prevents the

audited entity from perceiving their advice as a directive.

The advisory task is incorporated into the object clause for

the OAG. The task is of key significance in enabling the

OAGs financial audit to cover the administrations need

for auditing and advice. The administration will always

retain independent responsibility for its choices

regardless of the OAGs advice. Advice must neither

formally nor actually exert any undue influence on

subsequent audit and monitoring assessments.


13/134



In Recommendation no. 54 to the Odelsting (20032004),

page 13, the Standing Committee on Scrutiny and

Constitutional Affairs states the following1:

Through its work, the Office of the Auditor General has

accrued substantial insight that can be converted into

constructive advice for the administration. In connectionwith the Office of the Auditor Generals advisory function

towards the administration, the Committee wishes to

emphasise that the advice should be imparted with care and

in a manner that does not jeopardise the independence and

objectivity of the control activities. The administration has

independent responsibility for its own choices, irrespective

of the Office of the Auditor Generals advice. Nonetheless

there is a risk of the advice actually being perceived as

control, or of it influencing the Office of the Auditor

Generals assessments in subsequent monitoring. This may

put the Office of the Auditor Generals independence and

objectivity at risk. The Committee therefore expresses itsdoubt as to whether the Office of the Auditor General

should have a more proactive role, and requires the

Government to ensure that systems that meet the need for

quality control are in place at all times.

The OAGs advisory role must be seen in the light of the

factors the Committee expresses in its comments.

2.2.4 Contributing to the prevention and detection ofirregularities

Pursuant to section 9 (4) of the Auditor General Act, the

OAG shall through auditing contribute to the prevention

and detection of irregularities and errors.

In Recommendation no. 54 to the Odelsting (20032004),

page 13, the Standing Committee on Scrutiny and

Constitutional Affairs has the following comments on the

OAGs role2:

The Committee emphasises that the Office of the AuditorGeneral also plays an important role in the fight against

irregularities and corruption, including through its

opportunity to report its findings and suspicions to the

police or other supervisory authorities.

1All translations of quotations from the Appropriations

Regulations in this document are unofficial.


14/134



The OAG has compiled the following standards concerning

irregularities:

5

Through auditing, the Office of the Auditor General shall

contribute to preventing and identifying irregularities.

6

When planning and performing audit procedures and

assessing and reporting the results of these, auditors shall

assess the risk that there may be irregularities.

7

Auditors shall consider gathering information in the audited

entity about detected cases of irregularities and about the

consequences these may have entailed.

This is an important task for both exercising the role of

external auditor and for acting as the auditing and

monitoring body for the Storting. Auditors assessments of

the risk of irregularities must be related to both the

financial dispositions and to the correctness of the financial

statements.

An extended assessment of the risk of irregularities entails

auditors being fully aware of the audit question during the

planning and performance of the audit. This applies to

collecting information, risk analyses and audit procedures.

Audits of irregularities form an integral part of financial

auditing. The cause of irregularities can often be linked to

pressure or attitudes as well as to existing opportunities.

Through discussions in the audit team, auditors must assess

where the entity that is exposed to irregularities is to be

found. The audit team should also specify more closely the

types of irregularity that may occur such as corruption,

misappropriation, theft etc. In addition, auditors must

engage in a dialogue with the management to inform them

that irregularities have been detected.

If, through their monitoring activities or as a result of a tip-

off or similar, auditors should detect signs that irregularities

have occurred, they must behave cautiously and correctly

and must not draw hasty conclusions. In such cases it is

important for auditors to follow the administrative

procedures that apply at all times for this area.

Auditors must document the assessments of the aspect of

irregularity that have been made for the entity.


15/134




16/134

3 The audit process for financialauditing

3.1 Financial auditing summaryThe purpose of this chapter is to give a complete picture of

the process for financial auditing. This includes themethodology and time frame from strategic analysis to

the concluding audit letter and reporting to the Storting.

The audit process has been defined in the context of both

the OAGs objectives and tasks and the particular

framework conditions that apply for financial auditing. The

connection between the audit process and key documents is

also described.

3.1.1 Objectives and tasks

The OAGs objectives and tasks are stipulated in the Act

and Instructions concerning the Office of the Auditor

General.

The tasks of financial

auditing are:

to conduct an audit of theaccounting The objective of a financial audit is to verify that the

financial statements do not contain material errors and

omissions, and that the dispositions on which the accounts

are based comply with parliamentary decisions.

to ensure compliance to advise to contribute to preventing

and detectin irre ularities

An audit of the accounting is performed to enable auditorsto confirm that the financial statements do not contain

material errors and omissions.

Auditors must also express an opinion as to whether the

dispositions on which the accounts are based comply with

parliamentary decisions and with applicable laws and

regulations. To facilitate this, auditors conduct a

compliance process.

In addition the OAG must advise the entities in order to

prevent future errors and omissions, and through auditing

must contribute to preventing and detecting irregularities.

In their advisory role, auditors must act with caution and

advise in a manner that does not jeopardise the

independence and objectivity of the audit.

In order to prevent and detect irregularities, auditors must

be fully aware of the audit question when both planning

and performing the audit.

page 10 Guidelines for financial auditing


17/134

The audit process

3.1.2 Framework conditions

The OAG has its own framework conditions for the

auditing work. These govern the performance of the

financial audit.

The framework conditions consist first and foremost of theAct relating to the Office of the Auditor General and the

accompanying Instructions. The content is specified more

closely in auditing standards and guidelines.

The auditing standards and guidelines are based on

INTOSAIs standards for public sector auditing. Standards

that apply for auditing the private sector are also used as a

basis for the OAGs standards and guidelines.

3.1.3 Basic auditing terms

Financial auditing in the OAG draws on recognised

auditing principles. Well-known terms such as assertion,

materiality, audit risk, audit procedures and audit evidence

are also fundamental to the OAGs auditing work. To the

extent it has proved necessary, the content of the terms has

been adapted to the auditing of government agencies.



18/134

The audit process

Figure 1 The audit process



19/134


20/134

The audit process

narrow strip of audit objectives and audit procedures that

extend to the edge of the audit evidence field.

3.1.5 Strategic analysis

PROSITs navigation tree:

The purpose of conducting a strategic analysis is to acquire

knowledge about the entity, identify critical processes and

provide auditors with an overview of the risk that threatens

the entitys goal achievement. A strategic analysis will also

form the basis for planning the assignment and will give

input to a joint overall risk analysis/ministry level.

A strategic analysis is to be conducted for all the entities

the OAG audits, including the ministries.

A strategic analysis consists of four steps:

understanding the entity assessing materiality assessing risk planning further auditing

In order to understand the entity, auditors carry out a

systematic collection of information about the entitys goals

and external and internal factors, as well as analysing

financial information. On the basis of the information

collected, auditors identify the processes in the entity that

are relevant for goal achievement and for financial auditing

objectives.

Understanding the entity Pursuant to the rules for financial management in the

central government and their accompanying provisions, all

entities must establish internal control procedures that are

adapted to risk and materiality. According to the OAGs

standards for assessing internal control, auditors must make

a preliminary assessment of the entitys risk management

measures that are relevant for the audit. To understand the

entity, auditors make this preliminary assessment by

identifying internal factors and by identifying and assessingrisk elements at strategic level, including the reaction of the

management.

Auditors are to begin the strategic analysis by identifying

the entitys goals by examining its tasks. The primary tasks

of the entity are expressed to some extent in parliamentary

decisions. To enable it to carry out its primary tasks, the

entity has secondary tasks in the form of support functions

which, for example, secure staffing levels, operations or the

reporting of the accounts. In addition, tasks of a temporary

nature can be imposed on the entity for instance

relocation, downsizing or reorganising.



21/134

The audit process

To gain an overview of the conditions that have an

influence on the entitys goal achievement, auditors must

obtain information about external and internal factors that

affect the entity. External factors can be the users,

competitors, political decisions and technology. Internal

factors are, for example, organisation, the entitys

management and risk management, information andcommunication. Auditors must also analyse relevant

financial information.

Through the audit, auditors must also contribute to the

prevention and detection of irregularities. In the strategic

analysis the audit team must therefore assess and in

particular document the risk of the entity being exposed to

irregularities.

The final step for the auditor is identifying the entitys

processes. A process is a series of activities that the entity

has initiated to achieve its goals. The purpose of a processis to promote goal achievement and reduce risk. Processes

can be designed for primary, secondary and temporary

tasks.

Auditors assess qualitative and quantitative materiality at

strategic level. The assessment is intended to help them to

determine the factors that the users particularly the

Storting regard as important.

Assessing materiality

Risk assessment at strategic level is divided into three parts. Assessing risk

Auditors must first identify risk at strategic level and

consider the managements reaction. Auditors use

information from understanding the entity andassessing

materiality when they assess the risk elements that threaten

the entitys goal achievement.

Auditors then estimate the probability and consequence of

risk elements being realised, basing this on combinations of

high and low. We have chosen to use high and low rather

than a continuous scale. The use of a scale entails

considerable professional judgement and may give an

impression of objective precision. The use of the categorieshigh and low is a simplification of the scale, but will

provide auditors with a level of precision that is adequate to

enable them to decide which risk elements must be

followed up in their further work. Auditors assessment of

probability and consequence must be supported by audit

evidence irrespective of the scale that is used.

In the risk evaluation, auditors decide the risk elements that

are to be followed up in the subsequent audit work. Risk

elements characterised as high-high must always be

followed up, high-low must be assessed in relation to

materiality, and low-low can be ignored by auditors in their

subsequent audit. Auditors link all risk elements to audit



22/134

The audit process

objectives and process, but only risk elements that are of

significance for the audit are included in the further

implementation of the audit process.

Meeting with the management In connection with the assessment of risk and materiality

that is conducted in the strategic analysis, auditors hold a

meeting with the management where analyses, strategiesand plans are addressed. At the meeting auditors must

match their risk picture with that of the entity in order to

establish a shared communication platform and ensure

contact with the management.

Auditors draw up a proposal for a plan for the audit of the

entity on the basis of the information collected, the meeting

with the entitys management, the joint overall risk analysis

for the ministry, and the assessments that have been made

in the strategic analysis. The plan must contain the

prioritised risk elements, the organisation of the audit, the

need for resources and the schedule for performing theaudit.

Plan for auditing the

assignment

3.1.6 Process analysis

PROSITs navigation tree: The purpose of process analysis is to conduct a more

detailed risk assessment of the processes to which the

prioritised risk elements are linked in the strategic analysis.

Process analysis will enable auditors to find the residual

risk that must be verified further in the analysis of residual

risk.

The process analysis consists of three steps:

understanding the process assessing materiality assessing risk

The risk assessment is made for both inherent risk (auditors

assess independently of established internal control

measures) and control risk (auditors assess whether

established control activities function).

Understanding the process In order to understand the process, auditors must conduct a

systematic collection of information. Based on this

material, auditors then compile a process description that

covers:



23/134


24/134


25/134


26/134

The audit process

remaining auditing work must go through a quality

assurance process.

When auditors implement the audit procedures they must

record the outcome of each procedure the

findings irrespective of whether errors have

been detected or not. If the procedure revealserrors, it must be made clear whether or not the

error is in the accounting, and also the extent to which it

may be significant for subsequent conclusions. Auditors

assess the findings of each procedure.

In the course of the audit, auditors must consider

the way in which they are to communicate the

findings to the entity. The purpose of

communicating audit findings is to contribute to

preventing future errors and omissions and to clarify any

misunderstandings and misinterpretations. It is therefore

important for auditors to communicate with the entityduring the audit before conclusions are drawn.

3.1.8 Conclusions

PROSITs navigation tree:The purpose of the conclusions is to summarise the results

of the auditing work. Auditors must base their conclusions

on the procured audit evidence and audit findings from all

the audit procedures that have been conducted throughout

the audit process. The conclusions will draw on the

auditors professional judgement and the deliberations they

have made on materiality for the entity in question. Before

the conclusions can be drawn, auditors must verify that

required and sufficient audit evidence is available to form a

basis for reaching a conclusion of reasonable assurance, i.e.

with acceptable audit risk.

To assist auditors in drawing the various strands together,

the conclusions are reached on three levels:

conclusion for each audit objective conclusion for each assertion conclusion for the entity

Auditors must draw conclusions for all the audit objectives.

These are made on the basis of the procured evidence and

the findings that are available for the audit procedures

under each audit objective. Auditors must take into account

any corrections that the entity may have made as a result of

the findings.

Conclusion for each audit

objective

Conclusion for each

assertion

Auditors must draw conclusions for all the assertions.

These are made on the basis of the conclusions for the audit

objectives that cover the assertion in question. In this



27/134


28/134

The audit process

3.2 Key documents3.2.1 Documents produced internally

The OAG compiles a general risk assessment for each

ministry, cf. template for joint overall risk analysis for

ministry X. The risk assessment is common for all types ofaudit, it is conducted at the same time, and it forms the

basis for collaboration and exchange of experience. Much

of the information that the general risk assessment draws

on is also used by auditors in the strategic analysis of the

ministries and entities.

In order to provide information and assessment, parts of the

strategic analysis should be conducted during the first three

months of the year. The work on the strategic analysis can

begin once the appropriations decision has been taken and

letters of allocation have been formulated. This applies to

both the ministry and to the principal subordinate agenciessince these may be of importance for the overall assessment

of the ministerial area.

In accordance with the OAGs standards, an audit plan

must be drawn up for each audit assignment. The plan is to

contain priorities, organisation, an estimate of resources

required, and a work schedule. The plan is normally

approved by the head of division.

The Secretary General sets the deadline for the completion

of the audit plans. The audit plan should be finalised before

the process analyses begin.

If auditors subsequently find new information or become

aware of changes made to the allocations or to the

prerequisites assigned to them, adjustments to the audit

plan may be required.

According to the guidelines for written auditcommunication, all the entities with the exception of the

ministries must receive a concluding audit letter from the

OAG, cf. guidelines and templates for the concluding audit

letter. Since the OAG maintains its dialogue with the

ministries until Document no. 1 has been drawn up, no

concluding audit letter is prepared for the ministries.

The OAG reports the auditing work annually in Document

no. 1 to the Storting, cf. template and internal routines for

reporting to the Storting about the Office of the AuditorGenerals audit and monitoring activities (Document no. 1).



29/134

The audit process

The department that is responsible for auditing the Ministry

of Finance prepares a joint statement concerning the central

government accounts in collaboration with the other

financial auditing departments.

3.2.2 Some key documents from the Storting andgovernment administration

The Government submits a budget proposition (Proposition

no. 1 to the Storting) within six days of the opening of

parliament in the autumn. In accordance with the Stortings

rules of procedure, the budget recommendations from the

committees involved must be deliberated by 15 December

at the latest.

The Storting undertakes two main budget revisions. An

aggregate budget proposition must be submitted by 15 May(the revised national budget). The Storting approves the

changes during June. The second main revision is

conducted in December (the new final budget).

In addition the Storting approves appropriations for

individual cases.

The Ministry must send letters of allocation to subordinate

bodies as soon as the Storting has taken the appropriations

decision. If the Storting changes the allocations, the

ministry must send out supplementary letters of allocation.

The letters of allocation often contain precise information

about the intentions of the Stortings allocation as well as

more specific requirements regarding results.

The entities submit the financial statements and the annual

report to the supervisory ministry. The deadline for

reporting is usually included in the letter of allocation.Requirements regarding reporting to the ministries are also

stated in the regulations for financial management in

central government and the accompanying provisions.

There must be agreement between the reporting

requirements in the letter of allocation and those in the

annual report, and ensuring that this is the case is part of

the financial audit.

At the beginning of March the ministries send Notes to thecentral government accounts to the OAG. These give an

explanation of any non-compliance between budget figures



30/134


31/134


32/134

4 Basic auditing terms

Financial auditing in the OAG draws on recognised

auditing principles. Well-known terms such as assertion,

materiality, audit risk, audit procedures and audit evidence

are also fundamental to our auditing work.

Basic auditing terms:

assertions materiality

audit risk audit procedures To the extent it has proved necessary, the content of the

terms has been adapted to the auditing of government

agencies.

audit evidence

4.1 AssertionsThe audit objectives are broken down into assertions.

Contrary to private sector auditing, where assertions

concern the correctness of the accounts, the OAG has two

sets of assertions related to its dual monitoring task.

The entities submit financial statements annually that must

contain correct information about the entitys activities

during the period in question. The accounts must give a

correct picture of how the budget has actually been

employed. For the accounting information to be correct, it

must have certain qualitative features. When the

management submits the financial statements, they assert

that the information has these features. Using an audit of

the accounting, the task of financial auditing is to verify the

quality of the accounts and thus show that the assertions arevalid.

However, for government agencies it is not sufficient

merely to submit correct financial statements. It is also the

duty of the entities to follow certain requirements and

instructions for example those resulting from the annual

budget resolutions in the Storting as well as other specific

framework conditions that apply to government

administration. When government agencies submit their

financial statements, in addition to claiming that the

accounts are correct they therefore assert that the

dispositions carried out comply with the specific

framework conditions. Financial auditing confirms these

assertions through the compliance process.

To enable auditors to make a statement as to whether the

financial statements and the dispositions on which the

accounts are based comply with parliamentary decisions,

they must collect sufficient and appropriate audit evidence.

The correctness of the financial statements and the budget

appropriations depend on the assertions being free of

material errors. When auditors make the risk analysis, it is

important to link the risk elements to the assertions that arethreatened.

Assertions and audit objectives



33/134


34/134


35/134

Basic auditing terms

4.1.2.1 The dispositions comply with parliamentarydecisions

This assertion is related to the entitys primary tasks in the

individual accounting year. Parliamentary decisions can

also cover secondary tasks through decisions about

downsizing, rationalising operations and the like. When

such decisions are taken, they will often entail a need for

the entity to follow them up separately as primary goals for

the period in question.

Government agencies are established to carry out certain

tasks. Their framework conditions are set by the Storting

for example through the annual budget resolutions. At the

same time, the entities are given allocations from the

Storting to enable them to perform their tasks. The

decisions and intentions that result from the budget

proceedings govern the operations and the performance of

tasks in the entities.

It is not always easy to interpret the parliamentary

intentions behind a decision. The decision itself will often

be worded very briefly, which means that supplementary

information may be required to clarify the intentions on

which the Sorting has based the decision. Such information

is primarily found in the documents that are fundamental

for taking the decision, i.e. recommendations and

propositions.

Budget decisionsThe Stortings budget resolutions can be linked to specific

performance targets, purposes or measures that it is

assumed the entity will accomplish by using the allocation.

These targets will be given in documents such as the budget

propositions and accompanying recommendations and

decisions. The requirement stating that the ministry is to

describe performance targets is stipulated in the

Appropriations Regulations. Section 2 states that the results

the entity is intended to achieve must be described in the

draft budget. Section 13 of the regulations sets the

following requirement for the ministrys performancereporting:

Details of results achieved for the last accounting year

shall be given in the relevant budget proposition along with

other accounting information that is of importance for

assessing the draft budget for the coming year.

The intentions may relate to particular parliamentary

decisions in which, through parliamentary documents, it

has been decided to set up an entity to perform the defined

tasks. The intentions can also be connected to the Stortings

budget deliberations and to the relevant committees

Intentions



36/134


37/134


sectors. In some cases the primary task of a government

entity may be to monitor that the regulations are followed.

General regulationsCertain regulations have provisions that all government

agencies must follow and are therefore classified as generalregulations. General regulations are established to ensure a

uniform, open and documented budget and accounting

process and uniform government personnel administration.

For most entities this will be related to secondary tasks or

to support functions for the performance of their tasks.

The Appropriations Regulations, the Public Procurement

Act and various laws and statutory provisions that apply for

government personnel administration are examples of

general regulations.

Examples of general

regulations

The Appropriations Regulations have been adopted by the

Storting and represent the overriding regulations for the

administration of government resources that apply to all the

entities.

The Public Procurement Act with accompanying

regulations is applicable for most government

procurements.

The Worker Protection and Working Environment Act, the

Civil Service Act, the Freedom of Information Act and the

Public Administration Act are examples of general

regulations for personnel administration in the public

sector. The Civil Service Handbook contains an overview

and an interpretation of key Acts and statutory provisions

etc. that are applicable for government personnel

administration. The handbook also contains decisions on

principles and guidelines that have been drawn up through

experience. The manner in which the handbook is

structured means that only parts of the provisions are

included in general regulations, while the other parts will

normally be incorporated into Assertion 3 concerning thedispositions being acceptable on the basis of norms and

standards for financial management in the central

government.

4.1.2.3 The dispositions are acceptable on the basis ofnorms and standards for financial management in

the central government

Norms and standards for financial management in the

central government are provisions that can be both

guidelines and instructions for the entities. These



38/134



provisions often give the entities room for individual

adaptation within the defined limits, but are frequently

more detailed and have a more operative angle than the

regulations described in Assertion 2.

These norms and standards are largely governed by both

the regulations and the provisions for financialmanagement in the central government. In addition, more

precise and detailed stipulations resulting from the Ministry

of Finances circulars will set norms for government

financial management.

According to the regulations, entities must compile more

detailed instructions and guidelines to ensure good internal

financial management and risk management. Such

instructions and guidelines will also represent norms and

standards for financial management.

Other provisions must be drawn up for entities that areexempt from general provisions, but such provisions must

be compiled within the authorisations that will set norms.

4.1.3 Connection between the financial auditingassertions and criteria for information for ITauditing

The purpose of this section is to show the connection

between financial auditing assertions and criteria for

information for IT auditing with the aim of strengthening

the integration of IT auditing as part of financial auditing

and creating a shared understanding of the various terms.

IT auditing constitutes an essential tool for supporting

financial auditing, particularly in entities that largely carry

out their tasks and reporting by using large and complex IT

systems.

ISACA and IIA have drawn up some common criteria for

how information in IT environments arises, is presented

and is applied. These are criteria towards which the

conclusions of the internal audit are directed and which ITauditors have found appropriate to use in their work.


39/134


Goal orientation Information must be relevant to the

entitys needs, updated, and delivered in

a form that is

punctual correct consistent applicable

Efficiency and

effectiveness

Information must be procured and made

available through the optimal use of

resources (in terms of both productivity

and economy).

Confidentiality Classified information must be protected

from unauthorised access or

presentation.

Integrity Information must be precise, complete

and valid, and in accordance with

commercial values and expectations.

Availability Information must be available when

required for the business process both

now and in the future. This also applies

to protecting necessary resources.

Compliance Information must satisfy the legislation,

regulatory measures, regulations and

contractual agreements to which thebusiness process is subject for

example externally imposed

requirements regarding information.

Reliability Information must be expedient and

appropriate

for the management in theirgovernance of the entity

for the managements performanceof financial and (statutory) imposed

reporting tasks

The assertions towards which the conclusions of the

financial auditing are directed and the criteria that form the

basis for IT auditing assessments have different content. It

is therefore necessary to recognise the connections to

enable auditors to identify where an IT audit is appropriate

so that the financial audit will be targeted, efficient and

effective in relation to identified risk.

In many cases IT environments support entity processesand provide important information that the OAG draws on

in its auditing. The information includes descriptions,



40/134


assessments, figures, decisions and transactions that are

processed and stored. Accounting figures or other reports

are aggregated on the basis of information in the entity. In

some cases the figures are founded on information and

professional judgements in pre-systems. Auditors are then

dependent on assessing the information in the pre-systems

for example the administrative procedure systemsINFOTRYGD (the National Insurance Administration) or

ARENA (the Norwegian Public Employment Service).

When IT systems are to be assessed, auditors who have

adequate IT expertise must contribute to the assessment of

the information that forms the basis of the auditing work.

These assessments will determine how the audit should be

conducted and the extent to which auditors can utilise tests

of controls in their work.

In financial auditing findings are assessed by comparing

them with the assertions. It is therefore necessary to see the

connection between the above information criteria and the

financial auditing assertions.

Appendix 1 gives a table that shows this connection

between the financial auditing assertions and the IT audit

criteria.

4.2 MaterialityThe OAGs standard for materiality states:

18

Auditors shall make assessment of materiality to enable

them to perform an economic, efficient and effective audit.

Auditors shall regard errors and omissions as material in

cases where the users would probably have made other

assessments and taken other decisions if they had been

aware of the errors.

Definition of materiality

Materiality in financial auditing is seen in relation to the

fact that the information can contain errors or omissions or

can be based on professional judgement. The costs of

avoiding all errors and omissions can be so great that they

exceed the benefit of such high precision. Errors of a

certain size must therefore be accepted (materiality limit)

provided that this is not of significance for the entitys

ability to implement the Stortings budget resolutions and

intentions or is not of critical importance for the users of

the information.

Quantitative materiality limit



41/134


The assessment of materiality is based on both quantitative

and qualitative considerations and is one of the factors that

governs what is to be audited and the scope of the audit that

is to be conducted. Errors that are due to random or

unintentional actions are normally assessed as less serious

than those that may result from deliberate actions.

Qualitative materialityFor the OAG, the assessment of errors will depend on more

than the size of the amount involved since smaller errors

can also have considerable fundamental importance for the

users.

There are many who use an entitys financial statements,

and they may have different reasons for using the financial

information. The most important users of government

administration accounts are:

Definition of users

the Storting

the ministries and the Government other government authorities and bodies competing enterprises, customers and suppliers the general public

4.2.1 Qualitative materiality

Auditors must always conduct a qualitative assessment of

materiality. Based on their total acquired knowledge of the

entity, they make an assessment of any violations of budget

resolutions, regulations and/or norms and standards that can

affect the users of the financial statements.

Examples of qualitative factors are:

the entitys goal achievement and its use of allocations factors in which the Storting has expressed particularly

great interest and which it is appropriate for the OAG to

monitor

any suspicion of irregularity any suspicion that allocations have been misused despite

the entitys accounts appearing to be free of material

errors

any violation of regulations information that is to be used as a basis for allocations

or decisions

any change of special significance for the entitysactivities for example changes in operations, tasks and

organisation

Auditors must consider materiality throughout the audit

process. Qualitative material errors can be viewed in

correlation with fundamental errors a combination that

represents two sides of the same coin.

Fundamental errors can constitute findings that do not

relate to figures, e.g. a breach of the law, regulations or



42/134


instructions, the fact that action has been taken that is

contrary to parliamentary decisions, or that administrative

regulations including norms and standards for financial

management in the central government have not been

followed. An error that does not relate to figures cannot

automatically be defined as a fundamental error. The error

must be of a certain scope and/or a certain importance to betermed fundamental. It is in the reporting phase, when the

conclusions are to be drawn, that auditors assess the type of

error that has been found and decide whether this error can

be regarded as material in its own right or together with

other findings. Auditors must exercise professional

judgement when assessing which errors are of such a nature

or scope that they must be considered as qualitatively

material.

4.2.2 Quantitative materiality

A quantitative determination of materiality is achieved by

setting a numerical value for how large an accounting error

must be for it to be accepted without auditors regarding the

accounts as containing material errors. Setting a materiality

limit has a dual purpose the limit expresses the auditors

specification of the users requirements for precision in the

financial statements, and the distribution of the limit is

intended to contribute to producing a more efficient and

effective audit.

Setting a materiality limit

Efficiency and effectiveness in the audit increases when a

larger proportion of the materiality limit is ascribed to

entries that demand considerable work for their

confirmation and a smaller proportion to those that are

easier to verify. It is particularly appropriate to use this

technique in combination with statistical methods.

However, it is also utilised to set limits for acceptable non-

compliance with analytical audit procedures and to assess

transactions that have been made according to professional

judgement.

Auditors professional judgement is used as a basis fordetermining the materiality limit. Auditors can

discretionally distribute materiality among entries in the

accounts or among transactions or transaction groups if this

is deemed appropriate.

Auditors must document the grounds for the materiality

limit that is set.



43/134


4.3 Audit riskIn practice it is impossible to conduct an audit with 100 per

cent assurance of detecting all material errors in the

employment of the budget and in the accounts. Attempts to

procure absolute evidence would be demanding and in

some cases impossible. Auditors do their utmost to ensurethat their assessments have high, although not absolute,

assurance.

The OAGs auditing standards 19 and 22 state the

following about risk assessment and audit risk:

19

Auditors shall make risk assessments for all audit work

undertaken by the Office of the Auditor General, and the

assessments shall form part of the process that is

implemented to ensure that the audit is economical,

efficient and effective.

22

Auditors shall use professional judgement in their

assessment of the audit risk, and shall implement the audit

procedures that are necessary to reduce this risk to an

acceptable level.

The audit risk model is a model that helps auditors to

determine how comprehensive the audit work must be to

attain the desired assurance for the conclusions. The modelconsists of four elements: audit risk, inherent risk, control

risk and detection risk.

Inherent risk is the probability that in the financial

information or in the entity in general there are dispositions

that cannot be accepted, or errors and omissions that are

material either in their own right or when aggregated

when any possible internal control measures are ignored.

Inherent risk

The next three risk factors are conditional on there being

material errors or omissions etc.

Control risk is the probability that a material error or

omission will not be prevented or detected and corrected

within reasonable time by the accounting or internal control

systems.

Control risk

Detection risk is the probability that the auditors

substantive tests will not detect the errors that theaccounting or internal control systems do not discover.

Detection risk



44/134


45/134


46/134


47/134


48/134


49/134


50/134



auditors with indications of whether there are material

errors in the information. An example of this can be large

variances in the figures from one year to the next.

When auditing critical accounting items that have a high

audit risk, analytical review procedures alone are not

sufficient but they must be combined with detailed auditprocedures.

Auditors must bear in mind that the figures in the accounts

that are included in the analysis may be incorrect from the

outset, and the analysis will thus give an invalid picture of

reality. Any indications of errors must be followed up by

other types of tests.

One model for analytical substantive tests is:

predicting an expected result

setting the marginal value and identifying varianceslarger than the marginal value identifying, checking and quantifying explanations of

the variance

An expected result is an estimate for an entry or parts of an

entry. The marginal value is the difference between the

expected result and the actual figure that can be accepted

without further explanation. It does not represent actual

errors but is a measure of acceptable uncertainty

concerning possible errors. Auditors must set the marginal

value beforehand, using either their professional judgement

or statistical methods. The marginal value must beconsidered in conjunction with the materiality level that has

been set for this or for the accounting items in question. A

low materiality level indicates that only a small

differentiation between expected result and actual figures

can be accepted.

If auditors find material variance between the expected

value and the book value (i.e. variance that exceeds the

marginal value that they have set in advance), more

detailed investigations must be made to ascertain the extent

to which the variance is the result of actual errors in the

accounts or whether it is due to other factors. The causes ofvariance in the figures must always be considered and

documented and, whenever possible, quantified. In cases

where variance in the figures cannot be quantified, auditors

cannot regard the audit evidence as satisfactory. Audit

evidence must be of the same quality as the evidence for

the detailed audit procedures, and fair conclusions must be

drawn regarding the degree of assurance attained.


51/134


52/134


conclusions must be based on more extensive evidence than

in cases where the risk is less probable and less material.

It is important for auditors to be critical of the scope and

content of the information that is gathered. The standard

also contains a requirement that the information must be

necessary in other words only information that isnecessary should be collected.

Necessary

The quality of the audit evidence is significant for the scope

of the evidence that must be gathered. Auditors can base

their conclusions on a smaller scope if the evidence is of

high quality.

Auditors normally make use of audit evidence that is of a

more substantiating than absolute nature, and they will

often obtain audit evidence from different sources or of

different types. Auditors must assess the relationship

between the use of resources for collecting audit evidenceand the sufficiency and appropriateness of the information

that is obtained. However, the fact that it is difficult and

resource-consuming to collect audit evidence does not in

itself provide grounds for neglecting the process.

Appropriateness is a measure of the quality of the audit

evidence, i.e. its relevance and reliability.Appropriate

For evidence to be relevant, it must be valuable as

documentation for auditors conclusions in the light of the

individual audit objective or assertions. In this sense it is

important to be aware of what is to be proved when the

audit procedures are compiled and the collection of

evidence is undertaken. That the evidence is relevant also

entails that it is timely and that it applies to the audited

accounting period. It is particularly important to be aware

of the evidences timeliness in cases where it has been

procured at an early point in the audit process and may thus

represent only parts of the audited accounting period. The

total evidence must be representative for the entire audited

accounting period.

Evidence is reliable if it fulfils the necessary requirements

set for credibility. The reliability of audit evidence is

affected by the source, internal or external, and by whether

it is visual, written or verbal.

Criticism of sources

Auditors must be critical of information that is gathered

from different sources. For example, consideration must be

given to whom the information has been produced by and

for, to the consequence this may have for the content, and

also to whether the content meets the auditors need. This



53/134



critical review of the sources and content contributes to

making auditors assessments of the most important risk

factors in the entity as accurate as possible. Auditors must

assess whether the sources satisfy the requirements for

audit evidence.

The following are used as a basis for the assessments: External audit evidence (e.g. confirmation received

from a third party) is more reliable than audit evidence

that has been generated internally.

Audit evidence that has been produced internally ismore reliable if the entity has effective accounting and

internal control procedures.

External evidence is more reliable if it has beenprocured directly by auditors than if it has been obtained

by the entity.

Audit evidence in the form of documents (on paper,

electronically or via other media) and written statementsis more reliable than verbal statements.

Audit evidence in the form of original documents ismore reliable than copies or faxes.

Assurance will be greater when there is a correlation

between audit evidence procured from different sources or

between different types of evidence. If information from

one sources does not correspond with that from another,

auditors must decide on the additional procedures that are

necessary to allow the information to be used as auditevidence.


54/134

5 Strategic analysis

Prosits navigation tree: This chapter is intended to give auditors an understanding

of how they should conduct a strategic analysis, the

information they must gather and assess, and how they are

to document the assessments.

A strategic analysis must be conducted for all the entities

audited by the OAG, and also for the ministries. To carry

out the best possible general risk assessment per ministry

and to ensure an appropriate foundation for overall

reporting of the audit, the risk analysis for the assignments

that belong to the same ministerial area must be

coordinated and synchronised. One of the primary tasks in

ministerial assignments will be the management of

subordinate bodies.

The strategic analysis provides a general framework for theauditing work. It is therefore important that those who

conduct the analysis have an adequate understanding of the

audit assignment plus good auditing expertise. Normally it

is the auditor who is responsible for the assignment who

conducts the analysis in cooperation with the division

manager and possibly others in the audit team.

According to the financial regulations, all entities must

establish an internal control system. The entitys

management is responsible for ensuring that this system is

adapted to risk and materiality, that it functions

satisfactorily, and that it can be documented. Internalcontrol shall primarily be incorporated into the entitys

internal governance. The provisions in the financial

regulations for central government stipulate that financial

management shall ensure that:

defined objectives and performance requirements arefollowed up

the use of resources is efficient and effective the entity is run in compliance with laws and regulations

The ministries must ensure that the entities internal control

measures are satisfactory in relation to the above.

Pursuant to the OAGs standards for assessing internal

control, auditors must make a preliminary assessment of

the entitys risk management measures that are relevant for

the audit. To understand the entity, auditors conduct the

following:

a preliminary assessment of the entitys riskmanagement measures

an identification and assessment of risk elements andthe managements reaction

an identification of internal factors



55/134

Strategic analysis

Auditors elaborate on their assessment of internal control in

the process analysis. If they choose to base their audit on

relevant control activities, these must undergo tests of

controls in the process analysis.

An important part of the strategic analysis is holding a

meeting/meetings with the entitys top management wheresubjects addressed include the entitys risk management

and risk assessment. The auditor must adapt the

arrangements for such meetings to the entity under audit.

Expectations of the role of auditors in the prevention and

detection of irregularities have become higher. This means

that auditors must be fully alert to the presence of

irregularities in all parts of the audit. The audit team must

therefore separately assess the risk of the entity being

exposed to irregularities, and these assessments must be

documented. At this stage of the audit process, the main

challenge for the auditors is to keep the assessments at ageneral rather than detailed level.

The strategic analysis consists of the following steps:

Understanding the entity

Assessing materiality

Assessing risk

Planning further auditing

Figure 6 Steps in the strategic analysis

5.1 Purpose of the strategic analysis To plan a risk-based, efficient and effective financial

audit: an audit of the accounts and to carry out a

compliance process

To provide a basis for discussion with the Board andmanagement on objectives, risk and risk management

To provide input to the general risk assessment To identify processes



56/134


57/134


58/134


59/134


60/134


61/134


62/134


63/134


64/134


65/134


66/134

Strategic analysis

to decide the processes to which they must assign priority

during the subsequent audit.

Users want to be sure that the entity is fulfilling the social

tasks for which it has been assigned responsibility through

the allocation decisions. For example, building roads is of

major importance to local communities and localpoliticians.

The entitys primary tasks are normally assigned the

greatest significance when auditors assess qualitative

materiality. However, laws and regulations that govern

secondary tasks can be of interest for users for instance

violations of the regulations for public procurement or

budget overruns.

Quantitative materiality The size of the figures involved influences the materialityassessment. Using professional judgement, auditors can set

a limit for the size of errors in the figures that can be

accepted in the accounts. For small accounts it may prove

expedient to set a proportionally higher materiality limit

than that set for more extensive accounts.

Chapter 4 gives more information on materiality.

5.4 Assessing riskIn understanding the entity andassessing materiality

auditors gathered information that provides input for the

risk assessment. On the basis of this information, auditors

must identify the risk of the entity not achieving its goals.

In addition, they must estimate the degree of probability

and the consequences of the risk elements if they are

activated. Finally, auditors evaluate the importance of the

risk elements for the audit and decide whether or not to

include them in the subsequent audit process, as well as

determining the processes to which the risk elements are

linked.

Assessing risk consists of:

identifying risk elementsand the managements

reaction

estimating probability andconsequence

evaluting risk

5.4.1 Identifying risk elements and themanagements reaction

At strategic level the risk situation will normally not

change much from year to year, and the results of the

previous years audit represent a major source for

identifying risk elements. In addition to identifying any

new risk elements, auditors must place particular emphasis

on checking whether material changes have taken place inthe risk factors that were identified in previous years.

Identifying risk elements



67/134

Strategic analysis

Auditors base their identification of risk elements on:

the information they have gathered about the entitysgoals and the internal and external factors

the analysis of financial information the assessment of materiality

Through the risk identification procedure, auditors mustalso define the managements reaction to the risk elements.

At strategic level risk can constitute large-scale changes in

framework conditions or unclear formulations of goals for

the entitys tasks. Changes in external factors for instance

among users, suppliers or in technological development

may also represent a threat to the entitys goal achievement,

as will internal factors such as organisational changes or a

high turnover of managers. The user aspect is of key

importance when assessing materiality.

Auditors must investigate whether and how the

management reacts for each identified risk element. The

most interesting point for auditors is whether the

management chooses to accept or to reduce risk.

The managements reaction

Auditors must find out whether the entitys management is

aware of the individual risk elements and has made a

decision about the level of risk that can be accepted.

Through procedures for risk assessment, auditors collect

documentation for the managements assessment of the risk

elements. Adequate evidence must be obtained in cases

where auditors consider that the managements handling of

risk is of such a nature that it results in a possible reduction

in the risk level in the subsequent assessment.

When auditors have identified the entitys risk elements and

the managements reaction, they must match these against

the entitys risk assessment. Assessing risk is one of the

items that must be discussed at the meeting between

auditors and the management of the entity in question.

5.4.2 Estimating risk

Auditors must estimate the probability and the consequence

of risk, basing their assessments on the results of the audit

procedures that have been conducted.

Estimating probabilityAuditors must assess how probable it is for risk elements to

be realised and if this is the case the time frame in

which this may happen. The greater the probability of a risk

element being activated in the accounting period in

question, the higher the risk will be.



68/134

Strategic analysis

Auditors must assume an advisory role to prevent future

errors and omissions. They must therefore also assess risk

elements that may be activated in the future. Auditors

estimate probability as high or low and give reasons for

their estimate.

Estimating consequenceWhen estimating consequence, auditors must assess the

impact of a risk element if it is realised. The considerations

of materiality already made by auditors are used when

assessing the consequence. The overall consequence of

several events within a certain period must be used as a

basis. Systematic errors are given a higher degree of

consequence than individual errors.

Efficient and effective emergency plans, back-up plans, the

opportunity to relocate production and insurances can

reduce the consequences of an event. In this contextauditors must assess materiality in relation to both the

transaction and decisions made the dispositions and the

impact on the accounts.

Auditors estimate the consequence as high or low and give

reasons for their estimate.

Auditors assessment of risk must be substantiated with

audit evidence. It may be sufficient to follow up a risk

element with an updating of the audit evidence if the

assessment is based on the results of the previous years

audit. It may also be relevant to give a risk element low

priority if the entitys plans or measures indicate