Draft Guidance Audit Strategy-Rev Aftertwg

21/05/2014

EGESIF_14-0011

DRAFT

European Structural and Investment Funds

Guidance for Member States and Programme Authorities

Audit Strategy

(under Article 127 (4) of Regulation (EU) No 1303/2013)

Provisional Disclaimer: This is a draft document based on the new cohesion policy Regulations published in OJ 347 of 20 December 2013, the Commission Delegated Regulation (EU) No 480/2014, and on the relevant Commission proposals for Implementing Regulations under preparation and to be discussed with the co-legislators. Further review will be made to reflect the final provisions of these draft legal acts once they are adopted.

DISCLAIMER: "This is a working document prepared by the Commission services. On the basis of the applicable EU law, it provides technical guidance to the attention of public authorities, practitioners, beneficiaries or potential beneficiaries, and other bodies involved in the monitoring, control or implementation of the Cohesion policy on how to interpret and apply the EU rules in this area. The aim of this document is to provide Commission services' explanations and interpretations of the said rules in order to facilitate the implementation of operational programmes and to encourage good practice(s). However this guidance is without prejudice to the interpretation of the Court of Justice and the General Court or decisions of the Commission."

CONTENTS

List of acronyms and abbreviations

I.Preamble

II.Content of the Audit Strategy

1. Introduction

2. Legal Basis and Scope

3. Risk Assessment

4. Methodology

4.1 Brief description of the audit cycle

4.2 For system audits

4.3 For audits of operations

4.4 For audits of the accounts

4.5 Procedures related to verifications of management declaration

5. Audit Work Planned

6. Resources

III.Example of a Template for a risk assessment table (to be adapted by the AA)...

IV.Assurance Model

V.Audit work indicative timelines

List of acronyms and abbreviations

AA – Audit Authority

Audit Body – Body carrying out audits under AA's remit

AO – Audit Opinion

CA – Certifying Authority

CCI – Code Commun d'Identification (reference number of each programme, attributed by the Commission)

CR – Control Report

CDR - Commission Delegated Regulation (EU) No 480/2014) of 3.3.2014 supplementing Regulation (EU) No 1303/2013 of the European Parliament and of the Council laying down common provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund, the European Agricultural Fund for Rural Development and the European Maritime and Fisheries Fund and laying down general provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund and the European Maritime and Fisheries Fund

CPR – Common Provisions Regulation (Regulation (EU) No 1303/2013 of the European Parliament and of the Council of 17 December 2013, laying down common provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund, the European Agricultural Fund for Rural Development and the European Maritime and Fisheries Fund and laying down general provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund and the European Maritime and Fisheries Fund and repealing Council Regulation (EC) No 1083/2006)[1]

ETC – European Territorial Cooperation

IB – Intermediate Body

IR – Commission Implementing Regulation (EU) No xx/2014) of xx.xx.2014 [under approval]

MA – Managing Authority

MCS – Management and control system

Funds – Structural Funds and Cohesion Fund

EMFF - European Maritime and Fisheries Fund

Page 1 of 21

21/05/2014

I. Preamble

The objective of this document is to provide guidance to the Audit Authority (AA) responsible for the preparation of the audit strategy (hereafter "the strategy") under Article 127(4) of the Common Provisions Regulation (EU) No 1303/2013 (CPR), applicable to the Structural Funds and Cohesion Fund (hereafter "the Funds") and the European Maritime and Fisheries Fund (EMFF).

This guidance does not establish new requirements but sets out the Commission's recommendations for the various sections of the strategy. These are drawn not only from the above-mentioned provisions but also from the Commission's experience with audit strategies of the previous programming period, existing internationally accepted audit standards and best practice.

The strategy is a means of establishing the AA’s purpose and determining the nature of the contribution it intends to make while predefining choices that will shape decisions and actions[2]. The strategy is a building block in the assurance model for the Funds and EMFF, as it is a planning document that sets out, in accordance with Article 127(4) of the CPR, the audit methodology, the sampling method for audits on operations and the planning of audits in relation to the current accounting year (for the first year, this means the period from the start date for eligibility of expenditure until 30 June 2015) and the two subsequent accounting years.

The reference period for expenditure to be audited corresponds to the accounting year. In the programming period 2014-2020, this reference period starts from July of year N-1 and end in June of year N, for an audit opinion and annual control report on this accounting year to be delivered by 15 February of year N+1. As no audit period is explicitly foreseen in the CPR, the AA needs to agree in advance with the MA and CA the timeframe for the preparation of the accounts in connection with the audit process, having in mind the need to ensure a timely submission of a high quality control report and opinion, in accordance with Article 127(5) of the CPR.

During the programming period 2014-2020, the AA is not obliged to transmit the strategy for Commission's assessment and prior approval. However, Article 127(4) of the CPR requires the AA to submit the audit strategy to the Commission upon request. The strategy will be a key element on the agenda for the annual coordination meetings held under the Article 128(3) of the CPR. In the context of its on-the-spot audits, the Commission may also assess the quality of the information contained in the strategy; including the relevant documentation and explanations of the professional judgement used by the AA when drawing up the strategy.

This guidance sets out, at the beginning of each section, the requirements established in the model for the strategy, followed by explanations where relevant, including the aspects relating to the European Territorial Cooperation (ETC) programmes.

II. Content of the Audit Strategy

1. Introduction

1.1. Identification of the operational programmes (CCI number and title) and Funds covered by the audit strategy.

1.2. Identification of the audit authority responsible for drawing up, monitoring and updating the audit strategy and of any other bodies that have contributed. The status of the audit authority (national, regional or local public body) and the body in which it is located.

1.3. Explanation of the procedure followed for drawing up, monitoring and updating the audit strategy.

The explanation of the procedure defined by the AA for drawing up the strategy should include, where audits are carried out by a body other than the AA (hereafter "audit body"), the process of coordination with that audit body, covering not only the instructions transmitted by the AA (top-down approach), but also the information provided from the audit body to the AA (bottom-up approach).

In section 1.3 of the strategy the AA should describe also the process of approval of the strategy and how the implementation of the strategy will be monitored by the AA to ensure that the objectives are met, in particular when audits are carried out by an audit body.

Changes to the audit strategy should be disclosed in section 3 of the control report ("Changes to the Audit Strategy") - see Annex IX of the IR. Factors to be taken into account for reviewing the strategy include changes in the management and control systems, for example, changes related with remedial actions required under Article 124(5) of the CPR related with the designation procedure, reallocation of the functions of the AA, MA, CA to other national authorities, organizational structures changes such as splitting a ministry, major changes in staff, new IT systems. In line with Article 127(4) of the CPR the planning of audits should be updated annually from 2016 until and including 2024. Within the AA, the documentation relating to drawing up, monitoring and updating the strategy should be kept for reference.

1.4. Specification of the overall objectives of the audit strategy and the steps taken to ensure the alignment of the objectives with all the audit bodies.

When audit bodies have contributed to the strategy, the AA must ensure that their objectives are aligned with those of the strategy, as the AA takes responsibility for the final coordination and the quality of work. This section should describe the way the AA will ensure this alignment. This process may include written instructions, regular meetings or other means considered useful. This is of particular relevance for the ETC programmes, where the audit work will be carried out in several Member States.

1.5. Explanation of all the functions and responsibilities of the audit authority and other bodies carrying out audits under its responsibility, with reference to the mission statement, audit charter or national legislation, where applicable.

This section should describe the functions and responsibilities of the AA and of the audit bodies, including the functions not related with the ones described under Article 127 of the CPR.

The AA should have a clear mandate to perform the audit function in accordance with Article 127 of the CPR. This mandate is ordinarily documented in an audit charter that should be formally accepted by the AA, when the mandate is not already set out in national legislation. Where an audit charter exists for the audit function as a whole, the AA mandate should be incorporated. A strong audit charter contributes to increase the independence of the AA.

For ETC programmes, the specificities of the functions and responsibilities of each of the audit actors (AA, group of auditors and other audit bodies) should be described in the rules of procedure. The strategy should refer to the rules of procedure. In case the AA is authorised to carry out directly its functions in the whole of the territory covered by the programme, it should be indicated for each Member State or third country participating in the programme if a national auditor will join the AA. In case each Member State or third country is responsible of carrying out the functions under Article 127 of the CPR, it should be clearly described for each Member State or third country participating in the programme by whom and how the results of the audits on its territory will be transmitted to the audit authority in order for the audit authority to perform its assessment.

1.6. Indication of the independence of the audit authority from the managing authority and certifying authority.

1.7. Confirmation by the audit authority that the bodies carrying out audits pursuant to Article 127(2) of Regulation (EU) No 1303/2013 have the requisite functional independence (and organisational independence, where applicable under Article 123(5) of Regulation (EU) No 1303/2013).

Independence is the freedom from conditions that threaten the ability of the AA to carry out its responsibilities under Article 127 of the CPR in an unbiased manner. To achieve the degree of independence necessary to effectively carry out its responsibilities, the AA must have direct and unrestricted access to senior management at all levels, including the MA and the CA. During all stages of the audit cycle, the AA should ensure that its work (and the work done by the audit body) is performed in an independent[3] and objective manner, free of conflict of interests with the audited entity, including the beneficiary as defined under Article 2(10) of the CPR.

The organizational placement and status of the AA may pose a practical constraint or a limit on the scope of the AA work, in particular where the AA is located in the same public body as (some of) the audited entities. In general, the higher the reporting level, the greater the potential scope of engagements that can be undertaken by the AA while remaining independent of the audited entity. [4] At a minimum, the head of the AA needs to report to the hierarchy level within that public body that allows the AA to fulfill its responsibilities; the AA must be free from interference in determining the scope of its audit work, performing work, and communicating results.

As results from Article 123(4) of the CPR, the AA must be functionally independent from the MA and the CA. The term "functionally independent" means that the AA does not have any role in the functions pertaining to the MA, the CA or to IBs carrying out tasks of the managing or the CA under the responsibility of that authority. This concept is also reflected in the 1st paragraph of Article 123(5) of the CPR, which allows the AA to be part of the same public authority or body (e.g. a ministry) together with the MA and/or the CA, provided that the principle of separation of functions is respected and under the conditions set out in the last paragraph of the same provision.

The same approach applies to the audit bodies carrying out audits under the AA's remit. In case where audit bodies are internal audit units, special considerations should be taken into account: the AA should be aware of the organisational set up and reporting lines within the organisation in question, in order to estimate the position of the internal audit unit and the risk of impaired independence. For ETC programmes, confirmation of the independence of each member of the group of auditors should be obtained by the AA, where the members of the group of auditors carry out audit work themselves in their Member State or supervise/outsource the audit work. In cases where the audit work is outsourced, the contractor should be obliged by the contract to immediately inform the audit authority in case of possible conflict of interests so that the audit authority, assisted by the group of auditors, can take appropriate measures.

The AA should indicate how the mentioned functional independence is ensured, describing the relations between the AA and the MA, CA and where applicable the IBs, with reference to the relevant organisation chart and the reporting lines between the AA and these bodies and, where applicable the public authority or body to which the MA and/or the CA also report.

In the context of section 1.7 of the strategy, the term "organisational independence" refers to a situation where the AA cannot be part of the same public authority or body (e.g. a ministry) together with the MA and/or the CA. According to the 2nd paragraph of Article 123(5) CPR, this is the case where the total amount of support from the Funds to an operational programme exceeds EUR 250 000 000 or from the EMFF exceeds EUR 100 000 000. However, there are two exceptions to this requirement:

a) Either, pursuant to the applicable provisions for the previous programming period, the Commission has informed the Member State prior to the date of adoption of the operational programme concerned of its conclusion that it can rely principally on its audit opinion,

b) Or the Commission is satisfied on the basis of the experience of the previous programming period that the institutional organisation and accountability of the audit authority provide adequate guarantees of its functional independence and reliability.

Only in the two mentioned cases, exceptionally, where the total amount of support from the Funds to an operational programme exceeds EUR 250 000 000 or from the EMFF exceeds EUR 100 000 000, the AA may even be part of the same public authority or body together with the MA and/or the CA.

For the ETC programmes and in addition to the above-mentioned conditions, the AA should also be functionally independent from the joint secretariat (set up by the MA under Article 23(2) of the Regulation (EU) No 1299/2013, hereafter the "ETC Regulation") and from the 'controller(s)' foreseen under Article 23(4) of the ETC Regulation.

2. Legal Basis and Scope

2.1 Indication of any national regulatory framework that affects the audit authority and its functions.

The AA is expected to provide under this section an overview of the provisions in the national regulatory framework that affect the functions of the AA and of the audit bodies. The AA should also identify whether there are any discrepancies between such framework and the relevant EU regulations and, if discrepancies exist, how this affects the work of the AA and of the audit bodies. If this is the case, it should be indicated what action will be taken by the Member State to address the discrepancies. If there are no discrepancies, this should be specified in the strategy.

2.2 Confirmation that the strategy covers the current accounting year and the two subsequent accounting years.

2.3 In case of a common system, specification of the common key control elements justifying the common system.

Article 127(4) of the CPR foresees the possibility of elaboration of a single audit strategy where a common system applies to more than one operational programme. Considering that the identification of a common system is done for the purposes of determining the sampling approach, it is advisable that the existence of a common system is agreed by the AA. A common system can be considered to exist where the same management and control system supports the activities of several operational programmes. The criterion to take into account is the presence of the same key control elements, i.e. when the following elements are essentially the same for a set of operational programmes:

(i) description of the functions of each body involved in management and control, and the allocation of functions within each body;

(ii) procedures for ensuring the correctness and regularity of expenditure declared, including an adequate audit trail and supervision of IB, where applicable.

The existence of common risk levels (for example, similar IBs across several OPs with a common risk linked to the type of IB) may also be a factor to consider when determining the existence of a common system.

Due to their specificities, namely the involvement of at least two Member States, the ETC programmes should not be considered as pertaining to a common management and control system together with mainstream programmes. Hence, the strategy for an ETC programme should be drawn up separately, even if the bodies involved in their management and control system are the same as for mainstream programmes.