of 134
7/27/2019 20061212 Guidelines Financial Audit2
1/134
Guidelines for financial auditing
March 2006
7/27/2019 20061212 Guidelines Financial Audit2
2/134
Foreword
The guidelines for financial auditing are based on theAuditing Standards for the Office of the Auditor
General. The guidelines shall be used as the foundation for the Office of the Auditor Generals
financial auditing from 1 July 2005.
Guidelines for financial auditing Page iii
7/27/2019 20061212 Guidelines Financial Audit2
3/134
Contents
==============
1 Structure of the guidelines.......................................... 1
1.1 Guidance for the reader .........................................................1
1.2 Sources ..................................................................................1
2 Financial auditing in the OAG ................................... 2
2.1 Purpose..................................................................................2
2.2 The content of the audit.........................................................32.2.1 Audit of the accounting.........................................................................................4
2.2.2 Compliance of the dispositions.............................................................................4
2.2.3 Advising the audited entity ...................................................................................6
2.2.4 Contributing to the prevention and detection of irregularities.............................. 7
3 The audit process for financial auditing..................... 10
3.1 Financial auditing summary ...............................................103.1.1 Objectives and tasks..............................................................................................10
3.1.2 Framework conditions .......................................................................................... 11
3.1.3 Basic auditing terms..............................................................................................11
3.1.4 The audit process ..................................................................................................13
3.1.5 Strategic analysis ..................................................................................................14
3.1.6 Process analysis ....................................................................................................16
3.1.7 Analysis of residual risk........................................................................................18
3.1.8 Conclusions........................................................................................................... 20
3.1.9 Reporting............................................................................................................... 21
3.2 Key documents......................................................................22
3.2.1 Documents produced internally ............................................................................223.2.2 Some key documents from the Storting and government administration.............23
3.3 The audit process from start to finish.................................24
4 Basic auditing terms ................................................... 26
4.1 Assertions..............................................................................264.1.1 Assertions for an audit of the accounting .............................................................27
4.1.2 Assertions for compliance.....................................................................................28
4.1.3 Connection between the financial auditing assertions and criteria for information forIT auditing............................................................................................................. 32
Guidelines for financial auditing Page v
7/27/2019 20061212 Guidelines Financial Audit2
4/134
4.2 Materiality ............................................................................ 344.2.1 Qualitative materiality...........................................................................................35
4.2.2 Quantitative materiality.........................................................................................36
4.3 Audit risk.............................................................................. 37
4.4 Audit procedures .................................................................. 394.4.1 Procedures for risk assessment..............................................................................39
4.4.2 Tests of controls ....................................................................................................41
4.4.3 Substantive tests ....................................................................................................42
4.5 Audit evidence...................................................................... 45
5 Strategic analysis........................................................ 48
5.1 Purpose of the strategic analysis........................................... 49
5.2 Understanding the entity....................................................... 505.2.1 Identifying the entitys goals .................................................................................50
5.2.2 Identifying external factors ...................................................................................51
5.2.3 Identifying internal factors ....................................................................................54
5.2.4 Analysis of financial information..........................................................................57
5.2.5 Identifying processes.............................................................................................58
5.3 Assessing materiality............................................................ 59
5.4 Assessing risk....................................................................... 605.4.1 Identifying risk elements and the managements reaction ....................................60
5.4.2 Estimating risk.......................................................................................................61
5.4.3 Evaluating risk.......................................................................................................63
5.5 Planning further auditing...................................................... 63
5.6 Documenting the strategic analysis ...................................... 65
5.7 Quality assurance and approval............................................ 66
6 Process analysis.......................................................... 68
6.1 Purpose of the process analysis ............................................ 68
6.2 Understanding the process.................................................... 686.2.1 Process goals .........................................................................................................69
6.2.2 Process activities ...................................................................................................69
6.2.3 Information flow ...................................................................................................70
6.2.4 Accounting transactions ........................................................................................71
Page vi Guidelines for financial auditing
7/27/2019 20061212 Guidelines Financial Audit2
5/134
7/27/2019 20061212 Guidelines Financial Audit2
6/134
7/27/2019 20061212 Guidelines Financial Audit2
7/134
1 Structure of the guidelines
1.1 Guidance for the readerFramework conditions for
financial auditing:The guidelines are divided into two main parts.
The first part, Chapters 24, consists of introductory
chapters on the framework conditions for financial auditing
with the adaptations made in the Office of the Auditor
General (OAG). Chapter 3 contains a summary of the
auditing process and a description of some key documents.
Chapter 4 shows how the recognised and general auditing
terms have been adapted to the OAGs objectives and tasks.
Chap. 2 Financial auditing in
the OAG
Chap. 3 The audit process for
financial auditing
Chap. 4 Basic auditing
terminology
The second part, Chapters 510, constitutes a detailed
review of the methodology that is used as a basis for the
OAGs financial auditing.
Details of methodology:
Chap. 5 Strategic analysis
Chap. 6 Process analysis
Chap. 7 Analysis of residual
risk
Chap. 8 Conclusions1.2 Sources Chap. 9 Reporting
Chap. 10 DocumentationThe following sources have been used in the work of
formulating the guidelines:
Chap. 11 Quality assurance
W. Robert Knechel: Auditing Assurance and Risk William F. Messier, jr.: Auditing & Assurance Services
a systematic approach
The Norwegian Institute of Public Accountants:Descartes revisjonsmetodikk (Descartes audit
methodology)
B.P. Gulden: Revisjon teori og metode (Auditing theory and methods)
INTOSAIs auditing standards International Private Sector Accounting Standards
(IFAC) Risk management framework (COSO) Framework for information systems audit (CobIT)
Guidelines for financial auditing Page 1
7/27/2019 20061212 Guidelines Financial Audit2
8/134
2 Financial auditing in the OAG
2.1 PurposeThe Office of the Auditor Generals main purpose is
defined in Section 1 of the Auditor General Act:Section 1, Auditor General Act
The Office of the Auditor General shall ensure, through
auditing, monitoring and guidance, that the states revenues
are paid as intended, and that the states resources and
assets are used and administered in a sound financial
manner and in keeping with the decisions and intentions of
the Storting.
The purpose of financial audits is to obtain relevant
information about the central government accounts and the
transactions and decisions regarding allocations (referred to
in this document as dispositions) on which they are based
to enable auditors to form an opinion of reasonable
assurance about whether the accounts can be certified and
the dispositions accepted.
Purpose of financial audits
The objective of financial audits is defined in section 3 of
the Instructions concerning the activities of the Office of
the Auditor General the content of the auditing:Section 3, Instructions
concerning the activities of the
Office of the Auditor General By auditing accounts, the Office of the Auditor General
shall verify whether the financial statements give a correctpicture of the financial activity, including:
a) confirm that the financial statements are free of material
errors and omissions, and
b) verify whether the transactions in the financial
statements reflect the decisions and intentions of the
Storting and the current regulations and whether they
are acceptable in the light of the norms and standards
for financial management in the central government.
Objectives of financial audits On the basis of the above, financial audits in the OAG havetwo audit objectives:
Audit of the accounting The objective of financial audits is to enable auditors to
form an opinion of reasonable assurance about whether the
financial statements and other financial information are
complete, accurate and reliable.
The objective of compliance is to enable auditors to form
an opinion of reasonable assurance about whether the
ministrys or the entitys dispositions on which the accounts
are based:
Compliance of the dispositions
Page 2 Guidelines for financial auditing
7/27/2019 20061212 Guidelines Financial Audit2
9/134
Financial auditing in the OAG
comply with the Stortings budget resolutions andintentions
are in accordance with current regulations are acceptable in the light of the norms and standards
for financial management in the central government
2.2 The content of the auditSection 9 of the Auditor General Act defines the main tasks
involved in financial auditing as follows:
Section 9, Auditor General Act
The Office of the Auditor General shall audit the Central
Government Financial Statements and all financial
statements that are rendered by central government
agencies or other authorities that are accountable to the
central government, including government corporations,
government agencies with special powers, governmentfunds and other agencies or entities where it is so
stipulated in a special act [].
The Office of the Auditor General shall through auditing
contribute to the prevention and detection of irregularities
and errors.
The Office of the Auditor General can advise the
government administration to prevent future errors and
omissions.
The OAG therefore audits the central government financialstatements and all accounts submitted by government
agencies/entities. The central government financial
statements represent a compilation of all the entities
accounts, and the OAG conducts its own audit procedures
on these accounts. Auditing the entitys accounts includes
ensuring the compliance of the dispositions and conducting
a financial audit of the financial statements of each
individual entity.
Auditing central government
financial statements
The comments to the Act state that the definition of
accounts in this context may change over time depending
on how the central government administration is organised
and how the central government accounting scheme is
arranged.
In these guidelines the term entity is used to describe the
entity that is being audited, irrespective of whether this is a
ministry, a government entity or an entity that has a
different form of organisation. The term is also used in
cases where the audit assignment has been made mandatory
in another way for example by law or agreement.
The term entity
Guidelines for financial auditing Page 3
Audit tasks
financial auditing
The OAGs mandate gives financial auditing a widercontent than private sector auditing since it also includes
compliance. As the auditing and monitoring body for the
compliance contributing to preventing
and detecting irregularities
advising
7/27/2019 20061212 Guidelines Financial Audit2
10/134
Financial auditing in the OAG
Page 4 Guidelines for financial auditing
Storting, the Storting expects the OAG to express an
opinion on budget allocations in addition to its statement on
the accounts.
Through auditing the OAG is also intended to contribute to
the prevention and detection of irregularities and errors,
and to advise the government administration in order toprevent the occurrence of future errors and omissions. In
their role as advisor, auditors must exercise caution and
must conduct themselves in a manner that does not
jeopardise the audits independence and objectivity.
2.2.1 Audit of the accounting
Pursuant to section 3 of the Instructions, the OAG shall:
confirm that the financial statements are free of materialerrors and omissions.
An audit of the accounting is defined as the procedures that
are required to confirm that the accounts are complete,
accurate and reliable. This entails ensuring that expenses
and revenues, stock and assets of any kind have been
recorded in the accounts in keeping with the applicable
rules.
As the auditing and monitoring body for the Storting, the
OAG is an external auditor and conducts financial auditing
in line with audits that are performed by other auditing
bodies both private and public.
The OAG has an independent position, and there is no
financial commitment between the auditor and the audited
entity. Furthermore, financial auditing has an extended
content since the accounts that the OAG audits are of
interest to a more complex group of users. Here the OAG
has a social responsibility with regard to monitoring the
administrations use of the nations resources.
At the same time as it presents its financial statements, anentity also submits assertions that the information in the
accounts meets certain qualitative requirements. Through
its work, the audit must verify with reasonable assurance
that the assertions submitted are accurate and reliable. The
assertions that are used for financial auditing are based on
international auditing standards.
2.2.2 Compliance of the dispositions
The term compliance is given in the objective forfinancial audits and is described in section 3 (b) of the
7/27/2019 20061212 Guidelines Financial Audit2
11/134
Financial auditing in the OAG
Guidelines for financial auditing Page 5
Instructions, referred to here as verifying..transactions
(cf. 2.1).
Compliance involves examining the extent to which the
ministry and the entity have attained the performance
targets and objectives that are given in the budget
resolution for the accounting year in question. Comparedwith performance auditing, the financial audit is restricted
to matters concerning the accounts for the individual year.
Three assertions have been derived for compliance. These
are based on the division of the definition into three parts
and on the objective of the financial audit:
The dispositions comply with parliamentary decisions The dispositions comply with laws and regulations The dispositions are acceptable on the basis of the
norms and standards for financial management in the
central governmentThe tasks of the financial audit do not include assessing
whether the budget propositions goals and performance
requirements are relevant. The degree of detail in the
description of goals and performance requirements varies
from ministry to ministry and may partly depend on the
management signals that have been given priority in each
individual case. In addition, a main element in the financial
management regulations is that the management and
supervision of the entities must be adapted to their
individual distinctive features for example based on an
assessment of risk and materiality.
In some cases it may be difficult to identify clear goals and
result requirements in the budget documents, and this may
make it problematic to identify the intentions on which the
Storting has based the budget resolution.
Provisions concerning financial management in the central
government impose upon the ministries the duty to follow
up the budget resolutions and to ensure that the central
government budget is implemented through annual letters
of allocation to subordinate bodies. The letter of allocation
forms part of the ministrys management of subordinateagencies. It must contain management parameters that
allow an assessment of goal achievement and results to be
made that remain as stable as possible over time.
If the Storting amends the allocation proposal or the
intentions, it will be the task of the ministry through an
letter of allocation or if appropriate a supplementary letter
of allocation to adapt the management of its subordinate
agencies to new frameworks or intentions. Auditors must
constantly use the entire budget deliberations as a basis for
their work of identifying intentions. If the budget proposaldoes not contain a precise indication of what is to be
achieved, it is not impossible that during the proceedings
7/27/2019 20061212 Guidelines Financial Audit2
12/134
Financial auditing in the OAG
Page 6 Guidelines for financial auditing
the committee will attach more detailed intentions to the
allocation by a statement in the budget recommendation.
The OAGs compliance process is limited to the
transactions that have financial importance or are of
significance for achieved results compared with intended
targets. It must also be possible to make any deficientimplementation of an allocation decision on the part of the
ministry the object of auditing.
The point of departure for financial auditing is the annual
budget and financial statements. However, compliance will
not always only be restricted to data concerning the
accounting period in question since several years may pass
from the allocation to implementation and reporting. If
errors or weaknesses have their origin in previous
accounting periods, it will be appropriate for auditors to
express an opinion on this material. However, it will not be
relevant to audit previous years accounts or routines.
2.2.3 Advising the audited entity
The following is stated in the OAGs standards concerning
advice:
8
In conjunction with the audit work, auditors can advise the
audited entity in areas in which the auditors have the
required competence.
9
When advising an audited entity, auditors shall conduct
themselves in a manner that prevents any doubt arising as
to the independence and objectivity of the Office of the
Auditor General.
10
Auditors shall take care to act in a way that prevents the
audited entity from perceiving their advice as a directive.
The advisory task is incorporated into the object clause for
the OAG. The task is of key significance in enabling the
OAGs financial audit to cover the administrations need
for auditing and advice. The administration will always
retain independent responsibility for its choices
regardless of the OAGs advice. Advice must neither
formally nor actually exert any undue influence on
subsequent audit and monitoring assessments.
7/27/2019 20061212 Guidelines Financial Audit2
13/134
Financial auditing in the OAG
Guidelines for financial auditing Page 7
In Recommendation no. 54 to the Odelsting (20032004),
page 13, the Standing Committee on Scrutiny and
Constitutional Affairs states the following1:
Through its work, the Office of the Auditor General has
accrued substantial insight that can be converted into
constructive advice for the administration. In connectionwith the Office of the Auditor Generals advisory function
towards the administration, the Committee wishes to
emphasise that the advice should be imparted with care and
in a manner that does not jeopardise the independence and
objectivity of the control activities. The administration has
independent responsibility for its own choices, irrespective
of the Office of the Auditor Generals advice. Nonetheless
there is a risk of the advice actually being perceived as
control, or of it influencing the Office of the Auditor
Generals assessments in subsequent monitoring. This may
put the Office of the Auditor Generals independence and
objectivity at risk. The Committee therefore expresses itsdoubt as to whether the Office of the Auditor General
should have a more proactive role, and requires the
Government to ensure that systems that meet the need for
quality control are in place at all times.
The OAGs advisory role must be seen in the light of the
factors the Committee expresses in its comments.
2.2.4 Contributing to the prevention and detection ofirregularities
Pursuant to section 9 (4) of the Auditor General Act, the
OAG shall through auditing contribute to the prevention
and detection of irregularities and errors.
In Recommendation no. 54 to the Odelsting (20032004),
page 13, the Standing Committee on Scrutiny and
Constitutional Affairs has the following comments on the
OAGs role2:
The Committee emphasises that the Office of the AuditorGeneral also plays an important role in the fight against
irregularities and corruption, including through its
opportunity to report its findings and suspicions to the
police or other supervisory authorities.
1All translations of quotations from the Appropriations
Regulations in this document are unofficial.
7/27/2019 20061212 Guidelines Financial Audit2
14/134
Financial auditing in the OAG
Page 8 Guidelines for financial auditing
The OAG has compiled the following standards concerning
irregularities:
5
Through auditing, the Office of the Auditor General shall
contribute to preventing and identifying irregularities.
6
When planning and performing audit procedures and
assessing and reporting the results of these, auditors shall
assess the risk that there may be irregularities.
7
Auditors shall consider gathering information in the audited
entity about detected cases of irregularities and about the
consequences these may have entailed.
This is an important task for both exercising the role of
external auditor and for acting as the auditing and
monitoring body for the Storting. Auditors assessments of
the risk of irregularities must be related to both the
financial dispositions and to the correctness of the financial
statements.
An extended assessment of the risk of irregularities entails
auditors being fully aware of the audit question during the
planning and performance of the audit. This applies to
collecting information, risk analyses and audit procedures.
Audits of irregularities form an integral part of financial
auditing. The cause of irregularities can often be linked to
pressure or attitudes as well as to existing opportunities.
Through discussions in the audit team, auditors must assess
where the entity that is exposed to irregularities is to be
found. The audit team should also specify more closely the
types of irregularity that may occur such as corruption,
misappropriation, theft etc. In addition, auditors must
engage in a dialogue with the management to inform them
that irregularities have been detected.
If, through their monitoring activities or as a result of a tip-
off or similar, auditors should detect signs that irregularities
have occurred, they must behave cautiously and correctly
and must not draw hasty conclusions. In such cases it is
important for auditors to follow the administrative
procedures that apply at all times for this area.
Auditors must document the assessments of the aspect of
irregularity that have been made for the entity.
7/27/2019 20061212 Guidelines Financial Audit2
15/134
Financial auditing in the OAG
Guidelines for financial auditing Page 9
7/27/2019 20061212 Guidelines Financial Audit2
16/134
3 The audit process for financialauditing
3.1 Financial auditing summaryThe purpose of this chapter is to give a complete picture of
the process for financial auditing. This includes themethodology and time frame from strategic analysis to
the concluding audit letter and reporting to the Storting.
The audit process has been defined in the context of both
the OAGs objectives and tasks and the particular
framework conditions that apply for financial auditing. The
connection between the audit process and key documents is
also described.
3.1.1 Objectives and tasks
The OAGs objectives and tasks are stipulated in the Act
and Instructions concerning the Office of the Auditor
General.
The tasks of financial
auditing are:
to conduct an audit of theaccounting The objective of a financial audit is to verify that the
financial statements do not contain material errors and
omissions, and that the dispositions on which the accounts
are based comply with parliamentary decisions.
to ensure compliance to advise to contribute to preventing
and detectin irre ularities
An audit of the accounting is performed to enable auditorsto confirm that the financial statements do not contain
material errors and omissions.
Auditors must also express an opinion as to whether the
dispositions on which the accounts are based comply with
parliamentary decisions and with applicable laws and
regulations. To facilitate this, auditors conduct a
compliance process.
In addition the OAG must advise the entities in order to
prevent future errors and omissions, and through auditing
must contribute to preventing and detecting irregularities.
In their advisory role, auditors must act with caution and
advise in a manner that does not jeopardise the
independence and objectivity of the audit.
In order to prevent and detect irregularities, auditors must
be fully aware of the audit question when both planning
and performing the audit.
page 10 Guidelines for financial auditing
7/27/2019 20061212 Guidelines Financial Audit2
17/134
The audit process
3.1.2 Framework conditions
The OAG has its own framework conditions for the
auditing work. These govern the performance of the
financial audit.
The framework conditions consist first and foremost of theAct relating to the Office of the Auditor General and the
accompanying Instructions. The content is specified more
closely in auditing standards and guidelines.
The auditing standards and guidelines are based on
INTOSAIs standards for public sector auditing. Standards
that apply for auditing the private sector are also used as a
basis for the OAGs standards and guidelines.
3.1.3 Basic auditing terms
Financial auditing in the OAG draws on recognised
auditing principles. Well-known terms such as assertion,
materiality, audit risk, audit procedures and audit evidence
are also fundamental to the OAGs auditing work. To the
extent it has proved necessary, the content of the terms has
been adapted to the auditing of government agencies.
Guidelines for financial auditing Page 11
7/27/2019 20061212 Guidelines Financial Audit2
18/134
The audit process
Figure 1 The audit process
Page 12 Guidelines for financial auditing
7/27/2019 20061212 Guidelines Financial Audit2
19/134
7/27/2019 20061212 Guidelines Financial Audit2
20/134
The audit process
narrow strip of audit objectives and audit procedures that
extend to the edge of the audit evidence field.
3.1.5 Strategic analysis
PROSITs navigation tree:
The purpose of conducting a strategic analysis is to acquire
knowledge about the entity, identify critical processes and
provide auditors with an overview of the risk that threatens
the entitys goal achievement. A strategic analysis will also
form the basis for planning the assignment and will give
input to a joint overall risk analysis/ministry level.
A strategic analysis is to be conducted for all the entities
the OAG audits, including the ministries.
A strategic analysis consists of four steps:
understanding the entity assessing materiality assessing risk planning further auditing
In order to understand the entity, auditors carry out a
systematic collection of information about the entitys goals
and external and internal factors, as well as analysing
financial information. On the basis of the information
collected, auditors identify the processes in the entity that
are relevant for goal achievement and for financial auditing
objectives.
Understanding the entity Pursuant to the rules for financial management in the
central government and their accompanying provisions, all
entities must establish internal control procedures that are
adapted to risk and materiality. According to the OAGs
standards for assessing internal control, auditors must make
a preliminary assessment of the entitys risk management
measures that are relevant for the audit. To understand the
entity, auditors make this preliminary assessment by
identifying internal factors and by identifying and assessingrisk elements at strategic level, including the reaction of the
management.
Auditors are to begin the strategic analysis by identifying
the entitys goals by examining its tasks. The primary tasks
of the entity are expressed to some extent in parliamentary
decisions. To enable it to carry out its primary tasks, the
entity has secondary tasks in the form of support functions
which, for example, secure staffing levels, operations or the
reporting of the accounts. In addition, tasks of a temporary
nature can be imposed on the entity for instance
relocation, downsizing or reorganising.
Page 14 Guidelines for financial auditing
7/27/2019 20061212 Guidelines Financial Audit2
21/134
The audit process
To gain an overview of the conditions that have an
influence on the entitys goal achievement, auditors must
obtain information about external and internal factors that
affect the entity. External factors can be the users,
competitors, political decisions and technology. Internal
factors are, for example, organisation, the entitys
management and risk management, information andcommunication. Auditors must also analyse relevant
financial information.
Through the audit, auditors must also contribute to the
prevention and detection of irregularities. In the strategic
analysis the audit team must therefore assess and in
particular document the risk of the entity being exposed to
irregularities.
The final step for the auditor is identifying the entitys
processes. A process is a series of activities that the entity
has initiated to achieve its goals. The purpose of a processis to promote goal achievement and reduce risk. Processes
can be designed for primary, secondary and temporary
tasks.
Auditors assess qualitative and quantitative materiality at
strategic level. The assessment is intended to help them to
determine the factors that the users particularly the
Storting regard as important.
Assessing materiality
Risk assessment at strategic level is divided into three parts. Assessing risk
Auditors must first identify risk at strategic level and
consider the managements reaction. Auditors use
information from understanding the entity andassessing
materiality when they assess the risk elements that threaten
the entitys goal achievement.
Auditors then estimate the probability and consequence of
risk elements being realised, basing this on combinations of
high and low. We have chosen to use high and low rather
than a continuous scale. The use of a scale entails
considerable professional judgement and may give an
impression of objective precision. The use of the categorieshigh and low is a simplification of the scale, but will
provide auditors with a level of precision that is adequate to
enable them to decide which risk elements must be
followed up in their further work. Auditors assessment of
probability and consequence must be supported by audit
evidence irrespective of the scale that is used.
In the risk evaluation, auditors decide the risk elements that
are to be followed up in the subsequent audit work. Risk
elements characterised as high-high must always be
followed up, high-low must be assessed in relation to
materiality, and low-low can be ignored by auditors in their
subsequent audit. Auditors link all risk elements to audit
Guidelines for financial auditing Page 15
7/27/2019 20061212 Guidelines Financial Audit2
22/134
The audit process
objectives and process, but only risk elements that are of
significance for the audit are included in the further
implementation of the audit process.
Meeting with the management In connection with the assessment of risk and materiality
that is conducted in the strategic analysis, auditors hold a
meeting with the management where analyses, strategiesand plans are addressed. At the meeting auditors must
match their risk picture with that of the entity in order to
establish a shared communication platform and ensure
contact with the management.
Auditors draw up a proposal for a plan for the audit of the
entity on the basis of the information collected, the meeting
with the entitys management, the joint overall risk analysis
for the ministry, and the assessments that have been made
in the strategic analysis. The plan must contain the
prioritised risk elements, the organisation of the audit, the
need for resources and the schedule for performing theaudit.
Plan for auditing the
assignment
3.1.6 Process analysis
PROSITs navigation tree: The purpose of process analysis is to conduct a more
detailed risk assessment of the processes to which the
prioritised risk elements are linked in the strategic analysis.
Process analysis will enable auditors to find the residual
risk that must be verified further in the analysis of residual
risk.
The process analysis consists of three steps:
understanding the process assessing materiality assessing risk
The risk assessment is made for both inherent risk (auditors
assess independently of established internal control
measures) and control risk (auditors assess whether
established control activities function).
Understanding the process In order to understand the process, auditors must conduct a
systematic collection of information. Based on this
material, auditors then compile a process description that
covers:
Page 16 Guidelines for financial auditing
7/27/2019 20061212 Guidelines Financial Audit2
23/134
7/27/2019 20061212 Guidelines Financial Audit2
24/134
7/27/2019 20061212 Guidelines Financial Audit2
25/134
7/27/2019 20061212 Guidelines Financial Audit2
26/134
The audit process
remaining auditing work must go through a quality
assurance process.
When auditors implement the audit procedures they must
record the outcome of each procedure the
findings irrespective of whether errors have
been detected or not. If the procedure revealserrors, it must be made clear whether or not the
error is in the accounting, and also the extent to which it
may be significant for subsequent conclusions. Auditors
assess the findings of each procedure.
In the course of the audit, auditors must consider
the way in which they are to communicate the
findings to the entity. The purpose of
communicating audit findings is to contribute to
preventing future errors and omissions and to clarify any
misunderstandings and misinterpretations. It is therefore
important for auditors to communicate with the entityduring the audit before conclusions are drawn.
3.1.8 Conclusions
PROSITs navigation tree:The purpose of the conclusions is to summarise the results
of the auditing work. Auditors must base their conclusions
on the procured audit evidence and audit findings from all
the audit procedures that have been conducted throughout
the audit process. The conclusions will draw on the
auditors professional judgement and the deliberations they
have made on materiality for the entity in question. Before
the conclusions can be drawn, auditors must verify that
required and sufficient audit evidence is available to form a
basis for reaching a conclusion of reasonable assurance, i.e.
with acceptable audit risk.
To assist auditors in drawing the various strands together,
the conclusions are reached on three levels:
conclusion for each audit objective conclusion for each assertion conclusion for the entity
Auditors must draw conclusions for all the audit objectives.
These are made on the basis of the procured evidence and
the findings that are available for the audit procedures
under each audit objective. Auditors must take into account
any corrections that the entity may have made as a result of
the findings.
Conclusion for each audit
objective
Conclusion for each
assertion
Auditors must draw conclusions for all the assertions.
These are made on the basis of the conclusions for the audit
objectives that cover the assertion in question. In this
Page 20 Guidelines for financial auditing
7/27/2019 20061212 Guidelines Financial Audit2
27/134
7/27/2019 20061212 Guidelines Financial Audit2
28/134
The audit process
3.2 Key documents3.2.1 Documents produced internally
The OAG compiles a general risk assessment for each
ministry, cf. template for joint overall risk analysis for
ministry X. The risk assessment is common for all types ofaudit, it is conducted at the same time, and it forms the
basis for collaboration and exchange of experience. Much
of the information that the general risk assessment draws
on is also used by auditors in the strategic analysis of the
ministries and entities.
In order to provide information and assessment, parts of the
strategic analysis should be conducted during the first three
months of the year. The work on the strategic analysis can
begin once the appropriations decision has been taken and
letters of allocation have been formulated. This applies to
both the ministry and to the principal subordinate agenciessince these may be of importance for the overall assessment
of the ministerial area.
In accordance with the OAGs standards, an audit plan
must be drawn up for each audit assignment. The plan is to
contain priorities, organisation, an estimate of resources
required, and a work schedule. The plan is normally
approved by the head of division.
The Secretary General sets the deadline for the completion
of the audit plans. The audit plan should be finalised before
the process analyses begin.
If auditors subsequently find new information or become
aware of changes made to the allocations or to the
prerequisites assigned to them, adjustments to the audit
plan may be required.
According to the guidelines for written auditcommunication, all the entities with the exception of the
ministries must receive a concluding audit letter from the
OAG, cf. guidelines and templates for the concluding audit
letter. Since the OAG maintains its dialogue with the
ministries until Document no. 1 has been drawn up, no
concluding audit letter is prepared for the ministries.
The OAG reports the auditing work annually in Document
no. 1 to the Storting, cf. template and internal routines for
reporting to the Storting about the Office of the AuditorGenerals audit and monitoring activities (Document no. 1).
Page 22 Guidelines for financial auditing
7/27/2019 20061212 Guidelines Financial Audit2
29/134
The audit process
The department that is responsible for auditing the Ministry
of Finance prepares a joint statement concerning the central
government accounts in collaboration with the other
financial auditing departments.
3.2.2 Some key documents from the Storting andgovernment administration
The Government submits a budget proposition (Proposition
no. 1 to the Storting) within six days of the opening of
parliament in the autumn. In accordance with the Stortings
rules of procedure, the budget recommendations from the
committees involved must be deliberated by 15 December
at the latest.
The Storting undertakes two main budget revisions. An
aggregate budget proposition must be submitted by 15 May(the revised national budget). The Storting approves the
changes during June. The second main revision is
conducted in December (the new final budget).
In addition the Storting approves appropriations for
individual cases.
The Ministry must send letters of allocation to subordinate
bodies as soon as the Storting has taken the appropriations
decision. If the Storting changes the allocations, the
ministry must send out supplementary letters of allocation.
The letters of allocation often contain precise information
about the intentions of the Stortings allocation as well as
more specific requirements regarding results.
The entities submit the financial statements and the annual
report to the supervisory ministry. The deadline for
reporting is usually included in the letter of allocation.Requirements regarding reporting to the ministries are also
stated in the regulations for financial management in
central government and the accompanying provisions.
There must be agreement between the reporting
requirements in the letter of allocation and those in the
annual report, and ensuring that this is the case is part of
the financial audit.
At the beginning of March the ministries send Notes to thecentral government accounts to the OAG. These give an
explanation of any non-compliance between budget figures
Guidelines for financial auditing Page 23
7/27/2019 20061212 Guidelines Financial Audit2
30/134
7/27/2019 20061212 Guidelines Financial Audit2
31/134
7/27/2019 20061212 Guidelines Financial Audit2
32/134
4 Basic auditing terms
Financial auditing in the OAG draws on recognised
auditing principles. Well-known terms such as assertion,
materiality, audit risk, audit procedures and audit evidence
are also fundamental to our auditing work.
Basic auditing terms:
assertions materiality
audit risk audit procedures To the extent it has proved necessary, the content of the
terms has been adapted to the auditing of government
agencies.
audit evidence
4.1 AssertionsThe audit objectives are broken down into assertions.
Contrary to private sector auditing, where assertions
concern the correctness of the accounts, the OAG has two
sets of assertions related to its dual monitoring task.
The entities submit financial statements annually that must
contain correct information about the entitys activities
during the period in question. The accounts must give a
correct picture of how the budget has actually been
employed. For the accounting information to be correct, it
must have certain qualitative features. When the
management submits the financial statements, they assert
that the information has these features. Using an audit of
the accounting, the task of financial auditing is to verify the
quality of the accounts and thus show that the assertions arevalid.
However, for government agencies it is not sufficient
merely to submit correct financial statements. It is also the
duty of the entities to follow certain requirements and
instructions for example those resulting from the annual
budget resolutions in the Storting as well as other specific
framework conditions that apply to government
administration. When government agencies submit their
financial statements, in addition to claiming that the
accounts are correct they therefore assert that the
dispositions carried out comply with the specific
framework conditions. Financial auditing confirms these
assertions through the compliance process.
To enable auditors to make a statement as to whether the
financial statements and the dispositions on which the
accounts are based comply with parliamentary decisions,
they must collect sufficient and appropriate audit evidence.
The correctness of the financial statements and the budget
appropriations depend on the assertions being free of
material errors. When auditors make the risk analysis, it is
important to link the risk elements to the assertions that arethreatened.
Assertions and audit objectives
page 26 Guidelines for financial auditing
7/27/2019 20061212 Guidelines Financial Audit2
33/134
7/27/2019 20061212 Guidelines Financial Audit2
34/134
7/27/2019 20061212 Guidelines Financial Audit2
35/134
Basic auditing terms
4.1.2.1 The dispositions comply with parliamentarydecisions
This assertion is related to the entitys primary tasks in the
individual accounting year. Parliamentary decisions can
also cover secondary tasks through decisions about
downsizing, rationalising operations and the like. When
such decisions are taken, they will often entail a need for
the entity to follow them up separately as primary goals for
the period in question.
Government agencies are established to carry out certain
tasks. Their framework conditions are set by the Storting
for example through the annual budget resolutions. At the
same time, the entities are given allocations from the
Storting to enable them to perform their tasks. The
decisions and intentions that result from the budget
proceedings govern the operations and the performance of
tasks in the entities.
It is not always easy to interpret the parliamentary
intentions behind a decision. The decision itself will often
be worded very briefly, which means that supplementary
information may be required to clarify the intentions on
which the Sorting has based the decision. Such information
is primarily found in the documents that are fundamental
for taking the decision, i.e. recommendations and
propositions.
Budget decisionsThe Stortings budget resolutions can be linked to specific
performance targets, purposes or measures that it is
assumed the entity will accomplish by using the allocation.
These targets will be given in documents such as the budget
propositions and accompanying recommendations and
decisions. The requirement stating that the ministry is to
describe performance targets is stipulated in the
Appropriations Regulations. Section 2 states that the results
the entity is intended to achieve must be described in the
draft budget. Section 13 of the regulations sets the
following requirement for the ministrys performancereporting:
Details of results achieved for the last accounting year
shall be given in the relevant budget proposition along with
other accounting information that is of importance for
assessing the draft budget for the coming year.
The intentions may relate to particular parliamentary
decisions in which, through parliamentary documents, it
has been decided to set up an entity to perform the defined
tasks. The intentions can also be connected to the Stortings
budget deliberations and to the relevant committees
Intentions
Guidelines for financial auditing Page 29
7/27/2019 20061212 Guidelines Financial Audit2
36/134
7/27/2019 20061212 Guidelines Financial Audit2
37/134
Basic auditing terms
sectors. In some cases the primary task of a government
entity may be to monitor that the regulations are followed.
General regulationsCertain regulations have provisions that all government
agencies must follow and are therefore classified as generalregulations. General regulations are established to ensure a
uniform, open and documented budget and accounting
process and uniform government personnel administration.
For most entities this will be related to secondary tasks or
to support functions for the performance of their tasks.
The Appropriations Regulations, the Public Procurement
Act and various laws and statutory provisions that apply for
government personnel administration are examples of
general regulations.
Examples of general
regulations
The Appropriations Regulations have been adopted by the
Storting and represent the overriding regulations for the
administration of government resources that apply to all the
entities.
The Public Procurement Act with accompanying
regulations is applicable for most government
procurements.
The Worker Protection and Working Environment Act, the
Civil Service Act, the Freedom of Information Act and the
Public Administration Act are examples of general
regulations for personnel administration in the public
sector. The Civil Service Handbook contains an overview
and an interpretation of key Acts and statutory provisions
etc. that are applicable for government personnel
administration. The handbook also contains decisions on
principles and guidelines that have been drawn up through
experience. The manner in which the handbook is
structured means that only parts of the provisions are
included in general regulations, while the other parts will
normally be incorporated into Assertion 3 concerning thedispositions being acceptable on the basis of norms and
standards for financial management in the central
government.
4.1.2.3 The dispositions are acceptable on the basis ofnorms and standards for financial management in
the central government
Norms and standards for financial management in the
central government are provisions that can be both
guidelines and instructions for the entities. These
Guidelines for financial auditing Page 31
7/27/2019 20061212 Guidelines Financial Audit2
38/134
Basic auditing terms
Page 32 Guidelines for financial auditing
provisions often give the entities room for individual
adaptation within the defined limits, but are frequently
more detailed and have a more operative angle than the
regulations described in Assertion 2.
These norms and standards are largely governed by both
the regulations and the provisions for financialmanagement in the central government. In addition, more
precise and detailed stipulations resulting from the Ministry
of Finances circulars will set norms for government
financial management.
According to the regulations, entities must compile more
detailed instructions and guidelines to ensure good internal
financial management and risk management. Such
instructions and guidelines will also represent norms and
standards for financial management.
Other provisions must be drawn up for entities that areexempt from general provisions, but such provisions must
be compiled within the authorisations that will set norms.
4.1.3 Connection between the financial auditingassertions and criteria for information for ITauditing
The purpose of this section is to show the connection
between financial auditing assertions and criteria for
information for IT auditing with the aim of strengthening
the integration of IT auditing as part of financial auditing
and creating a shared understanding of the various terms.
IT auditing constitutes an essential tool for supporting
financial auditing, particularly in entities that largely carry
out their tasks and reporting by using large and complex IT
systems.
ISACA and IIA have drawn up some common criteria for
how information in IT environments arises, is presented
and is applied. These are criteria towards which the
conclusions of the internal audit are directed and which ITauditors have found appropriate to use in their work.
7/27/2019 20061212 Guidelines Financial Audit2
39/134
Basic auditing terms
Goal orientation Information must be relevant to the
entitys needs, updated, and delivered in
a form that is
punctual correct consistent applicable
Efficiency and
effectiveness
Information must be procured and made
available through the optimal use of
resources (in terms of both productivity
and economy).
Confidentiality Classified information must be protected
from unauthorised access or
presentation.
Integrity Information must be precise, complete
and valid, and in accordance with
commercial values and expectations.
Availability Information must be available when
required for the business process both
now and in the future. This also applies
to protecting necessary resources.
Compliance Information must satisfy the legislation,
regulatory measures, regulations and
contractual agreements to which thebusiness process is subject for
example externally imposed
requirements regarding information.
Reliability Information must be expedient and
appropriate
for the management in theirgovernance of the entity
for the managements performanceof financial and (statutory) imposed
reporting tasks
The assertions towards which the conclusions of the
financial auditing are directed and the criteria that form the
basis for IT auditing assessments have different content. It
is therefore necessary to recognise the connections to
enable auditors to identify where an IT audit is appropriate
so that the financial audit will be targeted, efficient and
effective in relation to identified risk.
In many cases IT environments support entity processesand provide important information that the OAG draws on
in its auditing. The information includes descriptions,
Guidelines for financial auditing Page 33
7/27/2019 20061212 Guidelines Financial Audit2
40/134
Basic auditing terms
assessments, figures, decisions and transactions that are
processed and stored. Accounting figures or other reports
are aggregated on the basis of information in the entity. In
some cases the figures are founded on information and
professional judgements in pre-systems. Auditors are then
dependent on assessing the information in the pre-systems
for example the administrative procedure systemsINFOTRYGD (the National Insurance Administration) or
ARENA (the Norwegian Public Employment Service).
When IT systems are to be assessed, auditors who have
adequate IT expertise must contribute to the assessment of
the information that forms the basis of the auditing work.
These assessments will determine how the audit should be
conducted and the extent to which auditors can utilise tests
of controls in their work.
In financial auditing findings are assessed by comparing
them with the assertions. It is therefore necessary to see the
connection between the above information criteria and the
financial auditing assertions.
Appendix 1 gives a table that shows this connection
between the financial auditing assertions and the IT audit
criteria.
4.2 MaterialityThe OAGs standard for materiality states:
18
Auditors shall make assessment of materiality to enable
them to perform an economic, efficient and effective audit.
Auditors shall regard errors and omissions as material in
cases where the users would probably have made other
assessments and taken other decisions if they had been
aware of the errors.
Definition of materiality
Materiality in financial auditing is seen in relation to the
fact that the information can contain errors or omissions or
can be based on professional judgement. The costs of
avoiding all errors and omissions can be so great that they
exceed the benefit of such high precision. Errors of a
certain size must therefore be accepted (materiality limit)
provided that this is not of significance for the entitys
ability to implement the Stortings budget resolutions and
intentions or is not of critical importance for the users of
the information.
Quantitative materiality limit
Page 34 Guidelines for financial auditing
7/27/2019 20061212 Guidelines Financial Audit2
41/134
Basic auditing terms
The assessment of materiality is based on both quantitative
and qualitative considerations and is one of the factors that
governs what is to be audited and the scope of the audit that
is to be conducted. Errors that are due to random or
unintentional actions are normally assessed as less serious
than those that may result from deliberate actions.
Qualitative materialityFor the OAG, the assessment of errors will depend on more
than the size of the amount involved since smaller errors
can also have considerable fundamental importance for the
users.
There are many who use an entitys financial statements,
and they may have different reasons for using the financial
information. The most important users of government
administration accounts are:
Definition of users
the Storting
the ministries and the Government other government authorities and bodies competing enterprises, customers and suppliers the general public
4.2.1 Qualitative materiality
Auditors must always conduct a qualitative assessment of
materiality. Based on their total acquired knowledge of the
entity, they make an assessment of any violations of budget
resolutions, regulations and/or norms and standards that can
affect the users of the financial statements.
Examples of qualitative factors are:
the entitys goal achievement and its use of allocations factors in which the Storting has expressed particularly
great interest and which it is appropriate for the OAG to
monitor
any suspicion of irregularity any suspicion that allocations have been misused despite
the entitys accounts appearing to be free of material
errors
any violation of regulations information that is to be used as a basis for allocations
or decisions
any change of special significance for the entitysactivities for example changes in operations, tasks and
organisation
Auditors must consider materiality throughout the audit
process. Qualitative material errors can be viewed in
correlation with fundamental errors a combination that
represents two sides of the same coin.
Fundamental errors can constitute findings that do not
relate to figures, e.g. a breach of the law, regulations or
Guidelines for financial auditing Page 35
7/27/2019 20061212 Guidelines Financial Audit2
42/134
Basic auditing terms
instructions, the fact that action has been taken that is
contrary to parliamentary decisions, or that administrative
regulations including norms and standards for financial
management in the central government have not been
followed. An error that does not relate to figures cannot
automatically be defined as a fundamental error. The error
must be of a certain scope and/or a certain importance to betermed fundamental. It is in the reporting phase, when the
conclusions are to be drawn, that auditors assess the type of
error that has been found and decide whether this error can
be regarded as material in its own right or together with
other findings. Auditors must exercise professional
judgement when assessing which errors are of such a nature
or scope that they must be considered as qualitatively
material.
4.2.2 Quantitative materiality
A quantitative determination of materiality is achieved by
setting a numerical value for how large an accounting error
must be for it to be accepted without auditors regarding the
accounts as containing material errors. Setting a materiality
limit has a dual purpose the limit expresses the auditors
specification of the users requirements for precision in the
financial statements, and the distribution of the limit is
intended to contribute to producing a more efficient and
effective audit.
Setting a materiality limit
Efficiency and effectiveness in the audit increases when a
larger proportion of the materiality limit is ascribed to
entries that demand considerable work for their
confirmation and a smaller proportion to those that are
easier to verify. It is particularly appropriate to use this
technique in combination with statistical methods.
However, it is also utilised to set limits for acceptable non-
compliance with analytical audit procedures and to assess
transactions that have been made according to professional
judgement.
Auditors professional judgement is used as a basis fordetermining the materiality limit. Auditors can
discretionally distribute materiality among entries in the
accounts or among transactions or transaction groups if this
is deemed appropriate.
Auditors must document the grounds for the materiality
limit that is set.
Page 36 Guidelines for financial auditing
7/27/2019 20061212 Guidelines Financial Audit2
43/134
Basic auditing terms
4.3 Audit riskIn practice it is impossible to conduct an audit with 100 per
cent assurance of detecting all material errors in the
employment of the budget and in the accounts. Attempts to
procure absolute evidence would be demanding and in
some cases impossible. Auditors do their utmost to ensurethat their assessments have high, although not absolute,
assurance.
The OAGs auditing standards 19 and 22 state the
following about risk assessment and audit risk:
19
Auditors shall make risk assessments for all audit work
undertaken by the Office of the Auditor General, and the
assessments shall form part of the process that is
implemented to ensure that the audit is economical,
efficient and effective.
22
Auditors shall use professional judgement in their
assessment of the audit risk, and shall implement the audit
procedures that are necessary to reduce this risk to an
acceptable level.
The audit risk model is a model that helps auditors to
determine how comprehensive the audit work must be to
attain the desired assurance for the conclusions. The modelconsists of four elements: audit risk, inherent risk, control
risk and detection risk.
Inherent risk is the probability that in the financial
information or in the entity in general there are dispositions
that cannot be accepted, or errors and omissions that are
material either in their own right or when aggregated
when any possible internal control measures are ignored.
Inherent risk
The next three risk factors are conditional on there being
material errors or omissions etc.
Control risk is the probability that a material error or
omission will not be prevented or detected and corrected
within reasonable time by the accounting or internal control
systems.
Control risk
Detection risk is the probability that the auditors
substantive tests will not detect the errors that theaccounting or internal control systems do not discover.
Detection risk
Guidelines for financial auditing Page 37
7/27/2019 20061212 Guidelines Financial Audit2
44/134
7/27/2019 20061212 Guidelines Financial Audit2
45/134
7/27/2019 20061212 Guidelines Financial Audit2
46/134
7/27/2019 20061212 Guidelines Financial Audit2
47/134
7/27/2019 20061212 Guidelines Financial Audit2
48/134
7/27/2019 20061212 Guidelines Financial Audit2
49/134
7/27/2019 20061212 Guidelines Financial Audit2
50/134
Basic auditing terms
Page 44 Guidelines for financial auditing
auditors with indications of whether there are material
errors in the information. An example of this can be large
variances in the figures from one year to the next.
When auditing critical accounting items that have a high
audit risk, analytical review procedures alone are not
sufficient but they must be combined with detailed auditprocedures.
Auditors must bear in mind that the figures in the accounts
that are included in the analysis may be incorrect from the
outset, and the analysis will thus give an invalid picture of
reality. Any indications of errors must be followed up by
other types of tests.
One model for analytical substantive tests is:
predicting an expected result
setting the marginal value and identifying varianceslarger than the marginal value identifying, checking and quantifying explanations of
the variance
An expected result is an estimate for an entry or parts of an
entry. The marginal value is the difference between the
expected result and the actual figure that can be accepted
without further explanation. It does not represent actual
errors but is a measure of acceptable uncertainty
concerning possible errors. Auditors must set the marginal
value beforehand, using either their professional judgement
or statistical methods. The marginal value must beconsidered in conjunction with the materiality level that has
been set for this or for the accounting items in question. A
low materiality level indicates that only a small
differentiation between expected result and actual figures
can be accepted.
If auditors find material variance between the expected
value and the book value (i.e. variance that exceeds the
marginal value that they have set in advance), more
detailed investigations must be made to ascertain the extent
to which the variance is the result of actual errors in the
accounts or whether it is due to other factors. The causes ofvariance in the figures must always be considered and
documented and, whenever possible, quantified. In cases
where variance in the figures cannot be quantified, auditors
cannot regard the audit evidence as satisfactory. Audit
evidence must be of the same quality as the evidence for
the detailed audit procedures, and fair conclusions must be
drawn regarding the degree of assurance attained.
7/27/2019 20061212 Guidelines Financial Audit2
51/134
7/27/2019 20061212 Guidelines Financial Audit2
52/134
Basic auditing terms
conclusions must be based on more extensive evidence than
in cases where the risk is less probable and less material.
It is important for auditors to be critical of the scope and
content of the information that is gathered. The standard
also contains a requirement that the information must be
necessary in other words only information that isnecessary should be collected.
Necessary
The quality of the audit evidence is significant for the scope
of the evidence that must be gathered. Auditors can base
their conclusions on a smaller scope if the evidence is of
high quality.
Auditors normally make use of audit evidence that is of a
more substantiating than absolute nature, and they will
often obtain audit evidence from different sources or of
different types. Auditors must assess the relationship
between the use of resources for collecting audit evidenceand the sufficiency and appropriateness of the information
that is obtained. However, the fact that it is difficult and
resource-consuming to collect audit evidence does not in
itself provide grounds for neglecting the process.
Appropriateness is a measure of the quality of the audit
evidence, i.e. its relevance and reliability.Appropriate
For evidence to be relevant, it must be valuable as
documentation for auditors conclusions in the light of the
individual audit objective or assertions. In this sense it is
important to be aware of what is to be proved when the
audit procedures are compiled and the collection of
evidence is undertaken. That the evidence is relevant also
entails that it is timely and that it applies to the audited
accounting period. It is particularly important to be aware
of the evidences timeliness in cases where it has been
procured at an early point in the audit process and may thus
represent only parts of the audited accounting period. The
total evidence must be representative for the entire audited
accounting period.
Evidence is reliable if it fulfils the necessary requirements
set for credibility. The reliability of audit evidence is
affected by the source, internal or external, and by whether
it is visual, written or verbal.
Criticism of sources
Auditors must be critical of information that is gathered
from different sources. For example, consideration must be
given to whom the information has been produced by and
for, to the consequence this may have for the content, and
also to whether the content meets the auditors need. This
Page 46 Guidelines for financial auditing
7/27/2019 20061212 Guidelines Financial Audit2
53/134
Basic auditing terms
Guidelines for financial auditing Page 47
critical review of the sources and content contributes to
making auditors assessments of the most important risk
factors in the entity as accurate as possible. Auditors must
assess whether the sources satisfy the requirements for
audit evidence.
The following are used as a basis for the assessments: External audit evidence (e.g. confirmation received
from a third party) is more reliable than audit evidence
that has been generated internally.
Audit evidence that has been produced internally ismore reliable if the entity has effective accounting and
internal control procedures.
External evidence is more reliable if it has beenprocured directly by auditors than if it has been obtained
by the entity.
Audit evidence in the form of documents (on paper,
electronically or via other media) and written statementsis more reliable than verbal statements.
Audit evidence in the form of original documents ismore reliable than copies or faxes.
Assurance will be greater when there is a correlation
between audit evidence procured from different sources or
between different types of evidence. If information from
one sources does not correspond with that from another,
auditors must decide on the additional procedures that are
necessary to allow the information to be used as auditevidence.
7/27/2019 20061212 Guidelines Financial Audit2
54/134
5 Strategic analysis
Prosits navigation tree: This chapter is intended to give auditors an understanding
of how they should conduct a strategic analysis, the
information they must gather and assess, and how they are
to document the assessments.
A strategic analysis must be conducted for all the entities
audited by the OAG, and also for the ministries. To carry
out the best possible general risk assessment per ministry
and to ensure an appropriate foundation for overall
reporting of the audit, the risk analysis for the assignments
that belong to the same ministerial area must be
coordinated and synchronised. One of the primary tasks in
ministerial assignments will be the management of
subordinate bodies.
The strategic analysis provides a general framework for theauditing work. It is therefore important that those who
conduct the analysis have an adequate understanding of the
audit assignment plus good auditing expertise. Normally it
is the auditor who is responsible for the assignment who
conducts the analysis in cooperation with the division
manager and possibly others in the audit team.
According to the financial regulations, all entities must
establish an internal control system. The entitys
management is responsible for ensuring that this system is
adapted to risk and materiality, that it functions
satisfactorily, and that it can be documented. Internalcontrol shall primarily be incorporated into the entitys
internal governance. The provisions in the financial
regulations for central government stipulate that financial
management shall ensure that:
defined objectives and performance requirements arefollowed up
the use of resources is efficient and effective the entity is run in compliance with laws and regulations
The ministries must ensure that the entities internal control
measures are satisfactory in relation to the above.
Pursuant to the OAGs standards for assessing internal
control, auditors must make a preliminary assessment of
the entitys risk management measures that are relevant for
the audit. To understand the entity, auditors conduct the
following:
a preliminary assessment of the entitys riskmanagement measures
an identification and assessment of risk elements andthe managements reaction
an identification of internal factors
page 48 Guidelines for financial auditing
7/27/2019 20061212 Guidelines Financial Audit2
55/134
Strategic analysis
Auditors elaborate on their assessment of internal control in
the process analysis. If they choose to base their audit on
relevant control activities, these must undergo tests of
controls in the process analysis.
An important part of the strategic analysis is holding a
meeting/meetings with the entitys top management wheresubjects addressed include the entitys risk management
and risk assessment. The auditor must adapt the
arrangements for such meetings to the entity under audit.
Expectations of the role of auditors in the prevention and
detection of irregularities have become higher. This means
that auditors must be fully alert to the presence of
irregularities in all parts of the audit. The audit team must
therefore separately assess the risk of the entity being
exposed to irregularities, and these assessments must be
documented. At this stage of the audit process, the main
challenge for the auditors is to keep the assessments at ageneral rather than detailed level.
The strategic analysis consists of the following steps:
Understanding the entity
Assessing materiality
Assessing risk
Planning further auditing
Figure 6 Steps in the strategic analysis
5.1 Purpose of the strategic analysis To plan a risk-based, efficient and effective financial
audit: an audit of the accounts and to carry out a
compliance process
To provide a basis for discussion with the Board andmanagement on objectives, risk and risk management
To provide input to the general risk assessment To identify processes
Guidelines for financial auditing Page 49
7/27/2019 20061212 Guidelines Financial Audit2
56/134
7/27/2019 20061212 Guidelines Financial Audit2
57/134
7/27/2019 20061212 Guidelines Financial Audit2
58/134
7/27/2019 20061212 Guidelines Financial Audit2
59/134
7/27/2019 20061212 Guidelines Financial Audit2
60/134
7/27/2019 20061212 Guidelines Financial Audit2
61/134
7/27/2019 20061212 Guidelines Financial Audit2
62/134
7/27/2019 20061212 Guidelines Financial Audit2
63/134
7/27/2019 20061212 Guidelines Financial Audit2
64/134
7/27/2019 20061212 Guidelines Financial Audit2
65/134
7/27/2019 20061212 Guidelines Financial Audit2
66/134
Strategic analysis
to decide the processes to which they must assign priority
during the subsequent audit.
Users want to be sure that the entity is fulfilling the social
tasks for which it has been assigned responsibility through
the allocation decisions. For example, building roads is of
major importance to local communities and localpoliticians.
The entitys primary tasks are normally assigned the
greatest significance when auditors assess qualitative
materiality. However, laws and regulations that govern
secondary tasks can be of interest for users for instance
violations of the regulations for public procurement or
budget overruns.
Quantitative materiality The size of the figures involved influences the materialityassessment. Using professional judgement, auditors can set
a limit for the size of errors in the figures that can be
accepted in the accounts. For small accounts it may prove
expedient to set a proportionally higher materiality limit
than that set for more extensive accounts.
Chapter 4 gives more information on materiality.
5.4 Assessing riskIn understanding the entity andassessing materiality
auditors gathered information that provides input for the
risk assessment. On the basis of this information, auditors
must identify the risk of the entity not achieving its goals.
In addition, they must estimate the degree of probability
and the consequences of the risk elements if they are
activated. Finally, auditors evaluate the importance of the
risk elements for the audit and decide whether or not to
include them in the subsequent audit process, as well as
determining the processes to which the risk elements are
linked.
Assessing risk consists of:
identifying risk elementsand the managements
reaction
estimating probability andconsequence
evaluting risk
5.4.1 Identifying risk elements and themanagements reaction
At strategic level the risk situation will normally not
change much from year to year, and the results of the
previous years audit represent a major source for
identifying risk elements. In addition to identifying any
new risk elements, auditors must place particular emphasis
on checking whether material changes have taken place inthe risk factors that were identified in previous years.
Identifying risk elements
Page 60 Guidelines for financial auditing
7/27/2019 20061212 Guidelines Financial Audit2
67/134
Strategic analysis
Auditors base their identification of risk elements on:
the information they have gathered about the entitysgoals and the internal and external factors
the analysis of financial information the assessment of materiality
Through the risk identification procedure, auditors mustalso define the managements reaction to the risk elements.
At strategic level risk can constitute large-scale changes in
framework conditions or unclear formulations of goals for
the entitys tasks. Changes in external factors for instance
among users, suppliers or in technological development
may also represent a threat to the entitys goal achievement,
as will internal factors such as organisational changes or a
high turnover of managers. The user aspect is of key
importance when assessing materiality.
Auditors must investigate whether and how the
management reacts for each identified risk element. The
most interesting point for auditors is whether the
management chooses to accept or to reduce risk.
The managements reaction
Auditors must find out whether the entitys management is
aware of the individual risk elements and has made a
decision about the level of risk that can be accepted.
Through procedures for risk assessment, auditors collect
documentation for the managements assessment of the risk
elements. Adequate evidence must be obtained in cases
where auditors consider that the managements handling of
risk is of such a nature that it results in a possible reduction
in the risk level in the subsequent assessment.
When auditors have identified the entitys risk elements and
the managements reaction, they must match these against
the entitys risk assessment. Assessing risk is one of the
items that must be discussed at the meeting between
auditors and the management of the entity in question.
5.4.2 Estimating risk
Auditors must estimate the probability and the consequence
of risk, basing their assessments on the results of the audit
procedures that have been conducted.
Estimating probabilityAuditors must assess how probable it is for risk elements to
be realised and if this is the case the time frame in
which this may happen. The greater the probability of a risk
element being activated in the accounting period in
question, the higher the risk will be.
Guidelines for financial auditing Page 61
7/27/2019 20061212 Guidelines Financial Audit2
68/134
Strategic analysis
Auditors must assume an advisory role to prevent future
errors and omissions. They must therefore also assess risk
elements that may be activated in the future. Auditors
estimate probability as high or low and give reasons for
their estimate.
Estimating consequenceWhen estimating consequence, auditors must assess the
impact of a risk element if it is realised. The considerations
of materiality already made by auditors are used when
assessing the consequence. The overall consequence of
several events within a certain period must be used as a
basis. Systematic errors are given a higher degree of
consequence than individual errors.
Efficient and effective emergency plans, back-up plans, the
opportunity to relocate production and insurances can
reduce the consequences of an event. In this contextauditors must assess materiality in relation to both the
transaction and decisions made the dispositions and the
impact on the accounts.
Auditors estimate the consequence as high or low and give
reasons for their estimate.
Auditors assessment of risk must be substantiated with
audit evidence. It may be sufficient to follow up a risk
element with an updating of the audit evidence if the
assessment is based on the results of the previous years
audit. It may also be relevant to give a risk element low
priority if the entitys plans or measures indicate