Study Visit Hungary 2010

Study Visit on Internal Audit
Vienna
March 17th to 18th, 2010
Exchange of professional experiences

between
the Hungarian Ministry of Finance
and
the Austrian Ministry of Finance
Presentations of the Austrian MoF

Vienna, March 2010 2
Programme
• General report of the working field of the Internal Audit

Department of the Austrian Ministry of Finance
• Training and methological system regarding public finances and

control
• Internal control system – audit standards and evaluation for EU-

Funds

Participants
• AUSTRIA
- Mr. Hannes Schuh

- Mr. Johann Rieser
- Mr. Andreas Berger

1. The Ministry of Finance
Overview

Organizational Chart
MINISTRY OF FINANCE OFFICES
MINISTER
State Secretary State Secretary
Advisor for Capital Secretary

Markets 1 tax Investigation
General
office
DG Corporate
Operations & Services
40 Tax offices
DG Budget & Public
Finances
5 Regional
DG Economic Policy & Management for Tax & 1 Audit Unit
Financial Markets Customs Large Enterprises
Administration
DG Customs,
international tax
issues & organization 9 Customs offices
DG IT Infrastructure
Management
1 Court of Appeal
(independent)
DG Tax Policy & Tax
Law
Annexes :
e.g. Law Firm of the
Republic

Staff (FTE – status 8/2008)
• Ministry of Finance
- Ministry (6 directorates general) 735
- Law Firm of the Republic 89
- regional managements of tax & customs admin. 646
- court of appeal 260
- academy 64
• offices
- tax offices, customs offices, audit unit large enterprises
9.151
- tax investigation office 136
- Total 11.080

Revenues
revenues 2008 Mio. €

Value Added Tax 21.700
Stamp Duties and Fees 850
Tobacco Tax 1.350
consumption taxes 311
24.211 trade and services
Wage Tax (PAYE) 20.000
Corporation Tax 5.900
Assessed Income Tax 2.850
Capital Yields Tax 2.550
31.300 income
Mineral Oil Tax 3.800
taxes concernig vehicles 2.040
Energy Taxes (electricity, coal, ..) 750
6.590 energy
Customs Duties 270
others 3.509
Total 65.880
2. The Internal Audit of the MoF
2.1 Overview

Position of Internal Audit Service
• The Internal Audit Unit is a directorate of the Secretary

General ,
• but it is organizationally independent,
- meaning that the chief audit executive receives its orders
directly from the minister and he reports directly to him,
- the independency is fixed by a regulation (Audit Charter)
and by a legally binding order on the competencies of the
staff
• Clear separation in competencies between Internal Audit

Directorate and the Commissioner against Corruption.

Cooperation with
Commissioner against Corruption (BIA)
• IA uses the general information of the BIA (risk map) for

the creation of the audit plan and also for single audit
areas of the audit engagements.
• Exchange of relevant cases in both directions
- IA to BIA : detected risk scenarios (processes, persons)
- BIA to IA : single cases the might be of interest for an
audit to be started
• quarterly exchange of information and experiences
• common training of audit professionals

Working Area of Internal Audit
Ministry of Finance :
• nearly 12.000 employees
• more than 65 bn € revenue
The Directorates General

I :corporate operations and services
II : budget and public finances
III: economic policy and financial markets
IV : administration of the taxes, excises and customs
including the tax offices and customs offices
V :T infrastructure management
VI : tax policy and tax law
and the so called “annexes”, such as the advocacy of the
federal republic
Measures of Internal Audit Directorate
Internal Audit Directorate
AUDIT
SUPPORT
audits procurement
audits
audits
anticorruption
certifications (EU) consulting
joint audits (EU)

Philosophy of Internal Audit Directorate
Add value by
- insight (giving clear analyses about SWOT of the

administrations)
- oversight (looking at co-operations between DG, directorates
and tax administration and customs administration)
- foresight (keeping in mind the national and international
public management reform and other important impacts of
the near future)

2.2 Organization

Staff
1 Chief Audit Executive

6 Teams : 2 – 3 persons each, 15 total
1-2 auditors for the EU-certification of a paying agency
2 secretary
20 persons
Our bureaus are in Vienna, Linz and Salzburg.
Each team has to finish an audit in ~3 months.

A new audit case causes a new team composition.
-> pool organisation

Pool-organization
chief audit
executive change change of change of change of
of teams teams teams teams
1. audit 2. audit 3. audit 4. audit

office
period period period period
audit audit audit audit

TL
1a 2a 3a 4a
Wa
A B E L F G H F
audit audit audit audit

TL
1b 2b 3b 4b
Wb
C D B K E H I G
port folio TL audit audit audit audit

group Wc 1c 2c 3c 4c
E F C A A I J E
TL audit audit audit

Wd 1d 3d 4d
G H B C A D
TL audit audit audit

Sbg 1e 3e 4e
I J J L L B
audit audit audit audit 4f

TL
1f 2f 3f
pool of Linz
experts K L F D D K C K
permanent organization temporary organization
remark : TL = team leader, A, B, ...;L = auditors

MbO-Process of IA Directorate
audit plan strategy framework
goals of
Secretary General
goals of department goals of department

staff infrastructre, budget
goals of IA - etc. etc.

reporting to SG directorate
(Half a year)
goals of employees
bonus awarded by
SG

MbO - goals
• directorate level
- number of audits to be carried out in time (80 – 90%)
- additional goals concerning personal development, quality (20-
10%)
• employee level
- team goals : audits to be carried out in the scheduled time +
one quality element to be reached (eg : concise audit
questions /2007 or high quality and good documentation of
the preparation work / 2008)
- individual goals : eg. producing / renewing audit modules,
searching in expert areas and communicating it, improvement
of skills

2.3 Risk Map and Audit Plan

Classic Selection versus Modern Selection
Classical Approach Risk orientated Approach
has its origin in audit has its origin the goals of the
environment (eg processes) organization
result : ranking of audit objects result : classification of sourced

(rotation) risks
advantage : simple method, advantage : broad scope,

defined audit objects "makes managent move"
disadvantage : restricted view on
organization, no covering of risk disadvantage : complex method,
management no defined audit goals
Risk Map and Audit Plan
• risk map
- mid term or long term audit concept
• audit plan
- annual audit concept deriving from the risk map

Risk Map
risk-orientated structure from which the annual audit plan derives
• financial risk
- administrative costs
- revenues
- assets of the republic.
The clusters extracted have to cover at least 85% of the
finance volume.
• complexity
- relation of the amount of leading units to
subordinated units or
- difficulty of subject to be handled.
Risk Map
financial
complexity
risk
cluster 1 cluster 2 cluster n
risk evaluation among the clusters
audit
turnus
Pe
rs
Au on
al
fw au
en sg
du ab
ng en
e n Zo
50.000
0
100.000
150.000
200.000
250.000
300.000
350.000
400.000
450.000
Zo
ll-
ll-
Fi 500.000
Fi na
na nz
Vienna, March 2010

nz
in IT
kl. -B
G er
es ei
et c h
z l.
Ve
Au rp
f li
fw ch
en tg
du Pe
ng rs
e n on
BM al BI
F au G
in sga
kl. be
G n
es BM
et
zl F
.V
er
pf
lic
ht
g.
So
ns UF
Zwt S
ec
ka
Fö uf
rd wa
er nd
un
Fö g
rd Ö
er KB
un -A
gs G
m
Financial Risks : Administrative Costs
aß
Bu na
nd hm
es en
pe
ns
io
ns
Fi am
En
na t
Ve nz
rw ts pr
al ch ok
tu äd ur
ng ig at
eh u ng ur
em sz
.D ah
t. lu
Ve ng
en
rm
ög
Ei en
nh sw
eb er
un te
gs
ve
rg
üt
un
g
29
Financial Risks : Revenues
18.000.000
16.000.000
14.000.000
12.000.000
10.000.000
8.000.000
6.000.000
4.000.000
2.000.000
0
r t t . . l ) r
er er St ue Es e s Z.. er er rag be bg er ein ge be ben po er be en be ern en rag b e be er er üh gen
teu teu Kö ste te +K KF ste u ste u ei t bg a lt.a steu w gän ga ga no ste u bga nd ga teu rie b eit bga bga teu teu eb un
s s öl g n + k s sb a a b um i n ab ab o a u b s t b a s s lg d
hn atz al nla se b) ba ng g ie rw er a te s r lm ngs en eb ea hr Be gs it sa rt rbe rbe rol en
Lo ms ner ra Zin kge Ta eru run erg sve erw Sch es si on fuh pie ku nk ckg erb rke +F run rh e nwe we we ont uw
i e e n R s s n a e W ve L de e e e Z
U M V auf ec ch rd E Bde und ho l+ e, zes .Au ück he i elb zw l r h de G sg gsk on
t Zw r si ufö , r o ch on -u Gl Sc p g ( ita .von tf ö Sic Bo de un V
S ( e n G lk rü K in . S ra p s n er g.
Ke Z - V ba re -u Ka Ab Kun
g
hn üh
A p
r+ n s
E
fts ei
t Bu nzi Ab
F e le, a b
+ K
W
o
ge
b
eu n
a
Zö
l h en Pu
VA ts rst ebe bsc st
h e N r tla
+N
O ec Bi E Al
r , R
e l
eu pe
s st tem
g S
un
her
ic
rs
Ve
o g.
z
be
tor
o
M

Au
sf
Un uh
be rfö
w rd
eg er
lic un
he gs
s ge
200.000
400.000
600.000
800.000
1.000.000
1.200.000
1.400.000
1.600.000
1.800.000
0
Bu se
so n de
tz
ns sv ÖN
t. In er B
m
Vienna, March 2010

Za te
hl rn ög
un a W en
gs s t. o
ve on Fin hn ÖIA
rp sti a un G
fli g n
ch e F zin gsb
tu s a
n g inan itut u
en zh io n
u. a ft en
Au Am
fw ts F u
Do ö rd ng e
en sit na er n
d u z-K uk un
ng on ra ge
e n fe f n
Be (B ren E-W twe
st z r
an era ze irts ke
ds tun ntr ch
w g u a
irk ,W m W ft
so am rk s e ie
ns e leis n
tig Ei tu
e n n
Ei nah g )
nz m
Financial Risks : Expenses
ie e
hu n
ng
Fl e
ug Au n
h a sla
In fe nd
du n
st W
rie ie
un Ver n
d ke
so G
ew hr
Er
lö ns E RP erb
se t.D pr i
ar v at son -F e
au
s le e s on
Li Ha hen De t.Ve ds
q u ft s n
id un em st le rk eh
Au at g e p
i i
fw on n fän st un r
en g
un eg e g e g
du d r- n
ng K a enü Zin
en p. b e se
he r D n
(g ra
Er s e e bs ritte
fo tz et n
zu
Ve lg l. V
rä sw e S n
uß irk r p tr a g
er sa flic ße
u n öf m ht
f n
e u
ve gse ent Ei ng
rs rlö l. D nn e n
ta )
a t s e ien ah m
lic (e s
ht rf o tlei e n
e s
U lgsw tun
nt
er ir k g
ne sa
hm m
un )
ge
G n
m
bH
31
The Risk Map
volume turnus
risk coverage risk cluster (*1.000 €) complexity year 1 year 2 year 3 year 4
administrative 90,20% staff 494.200 73 1
costs administration 121.358 72 1
(chapter 50) IT 107.476 72 1
buildings 45.916 68 1
financial risk
revenues 88,70% enterprises 25.510.000 72 15 14 15 14

(chapter 52) employees 16.800.000 60 1 1 1 1
vehicles 5.168.000 61 1 1
customs 200.000 27 3 3 3 3
family allowances -1.104.085 58 1 1 1 1
expenditures 93,20% export garanties 1.640.721 3 1
(chapter 56) others 1.758.473 9 1
management control, governance 75 1

risk management 79 1
quality management 82 1
administrative development 70 1
complexity
communication communikation 68 1
others accounting 68 1
budget 13
economic policy 3
internat. economic affairs 5
finance markets
# 23 23 23 23
others 1 1 1 1
total 24 24 24 24

The Audit Plan 2007
• regularity audits
- handling of seized goods ( customs administration, tax
administration)
- procurement
• risk management audits

- control risks and payment risks regarding low sums (one
audit on the procedure, one audit on paying off)
- risk management for wages tax (1 tax office)
- risk management for enterprises (1 tax office)
- risk management for very small enterprises (1 tax office)
• IT-audits
- realization of the approvement regulation by IT

The Audit Plan 2007
• performance audits
- grants of exports in third countries
- loan workers in tax offices
- information exchange in connection with intraeuropean
findings
- IT-audit goups
- valuation of real estates by tax offices
- special /unique competences of a certain tax office
- administration of waste tax

- administration of mineral oil tax

The Audit Plan 2007
• Governance audits
• efficiency of the organizational management of the tax
administration
• efficiency of the personal management of the tax
administration
• efficiency of the educational development of the staff
• „ research“ audits
• e-commerce

The Audit Plan 2008
• audits of tax controls run on the premises of tax payers

- efficiency of visits of new enterprises (1 tax office)
- efficiency of the control of illegal employees (1 tax office)
- quality of tax inspections (1 tax office)
- quality of VAT tax controls (1 tax office)
• special financial audits

- financial aspects of paid overtimes (2 tax offices, 2 customs
offices)
- debt management (1 tax office)
- cost effectiveness of paying expenses by cash (all offices)

The Audit Plan 2008
• IT audits
- „E-Customs“ : internal control system and risk management (2
audits)
- IT budget (transparency, accountability, project orientation,
etc. – MoF)
- „E-Office“ : audit of the project (1 project)
• management audits
- efficiency of the organizational support of the head of an tax
office (1 tax office)
- management of service teams (1 customs office)
- workload of team leaders (1 tax office)
- centre of risk information and analysis (1 office)
- laboratory for the examination of excise goods (1 office)

2.4 Knowledge Management

Audit skills (Volkswagen model)
management
3,0
team orientation knowledge of the enterprise
2,5
2,0
flexibility 1,5 process knowledge
1,0
0,5
ethics 0,0 audit competence
IT knowledge internal control, risk management
techncological knowledges audit experience
financial knowledges
assistant auditor senior aud. teamleader CAE

Audit experts skills (Volkswagen model)
management
3,0
team orientation knowledge of the enterprise
2,5
2,0
flexibility 1,5 process knowledge
1,0
0,5
ethics 0,0 audit competence
IT knowledge internal control, risk management
techncological knowledges audit experience
financial knowledges
financial exp. technology exp. special investigation IT special agendas

MoF : Recruiting
Main principle :
• The internal audit activity collectively should possess or obtain the
knowledge, skills, and other competencies needed to perform its
responsibilities. (IIA-Standard 1210)
• Recruiting = selection of experts who meet the IA-unit needs for

special proficiencies

MoF : Proficiency when Starting
• When joining IA : candidate has 15 years of experience within our

administration on average
• He/she has passed the general official examinations needed to

serve in our administration and
• He/she has passed the official examinations as a tax or customs
auditor or
• He/she has worked as a manager or expert (IT, procurement,
budgeting, ..)
Very important : team orientation and capacity to work as generalist

MoF : Personal Development
Differentiation between
• trainings for all auditors

• trainings for experts
• trainings in preparation for (special) audits
(external training days per auditor : ~ 10 p.a.)
• high level studies

• certifications
• management trainings
• exchange of experiencies
Trainings for all auditors
• IIA-Basic training, Level I • IIA-Basic training, Level II

- introduction to IA - audit of business processes
- basics (audit process) - conflict management
- audit techniques - risk management
- negotiation techniques - internal control system
- reporting - balance sheet analysis, cost
accounting
- introduction to IT-Audit - statistics
- fraud audit
- management skills
• project management
• teambuilding seminars (1 p.a.)
• ethics seminar
• IT applications (MS excel, word, mind map, visio etc. if necessary )
Trainings for experts
• IT audit
• internal IT applications for the tax/ customs adminstration
• budgeting
• public management
• staff management
• etc.

Trainings in Preparation of certain Audits
• depends on the content of the annual audit plan
• eg :
- special audit techniques (in depth)
- procurement, procurement by tender
- program management
- grants of exports in third countries
- etc.

High Level Studies
MBA public auditing

• cooperation between University of Business Administration and
Economics Vienna and the Austrian Court of Auditors – 3 students
come from the IA of the MoF
- CBOK : general management (leadership & organization, data
analysis, process management, accounting, corporate finance,
marketing)
- CBOK advanced : managerial economics, competition analysis
and strategy, ethics and leadership skills
- specialist area : business financing and audit of accounting,
economy of the public sector, public law, audit processes
+ master thesis

Certifications
• done
- accreditation in quality assessment (IIA)
- certification in corporate risk management (6 month course)
- MBA public auditing
• in progress
- certification in corporate risk management (6 month course)
- MBA public auditing
• planned
- certifications in project management (IPMA)
- CGAP (IIA)
- CIA (IIA)
- CISA (ISACA)

Management Trainings
• single courses
eg.
- conflict management
- self organisation, time management
- presentation,
• courses of studies
- management training for high potentials (1,5 years)
- summer academy for junior managers

Exchange of Experiences
• national and international co-operation / networking :

eg.
- TWINNING Hungary, (Slovakia), Bulgaria, Romania, ...
- Study visits : Croatia, Slovenia, Azerbaidchan, ..
- consultations with other IA of the public sector in Austria
- IAS (EU) : annual meeting
- IIA – Austria
- IIA
- court of auditors,
- etc.

2. 5 Quality Assessment

IIA-Standards 1300 ff
• The chief audit executive should develop and maintain a quality

assurance and improvement program that covers all aspects of
the internal audit activity and continuously monitors its
effectiveness.
• This program includes

- periodic internal and external quality assessments and
- ongoing internal monitoring.
Each part of the program should be designed to help the internal
auditing activity add value and improve the organization’s
operations and to provide assurance that the internal audit activity
is in conformity with the Standards and the Code of Ethics

Ongoing Internal Monitoring (I)
Involvement of the CAE

• during the audit process
- work is similar to a project :
- approbation of the audit mandate
- approbation of the audit concept
- milestone talks
- documentation (comprehensible and tracable)
- final internal consultation before
- leading of the closing discussion with the auditees
- approbation of the draft of the audit report
- approbation of the audit report

Ongoing Internal Monitoring (II)
• after the audit process

- feedback questionnaires Frage Wert (1-4)
 Wurden die Prüfungsziele klarund zeitgerecht kommuniziert? 1,19
 Wurde die Prüfung in einer angemessenen Zeit durchg eführt? 1,33
 Wurden die Tagesaktivitäten durch die Prüfung mö glichst wenig beeinträchtigt? 1,42
 Wurden die Geschäftsinhalte und–strategien in der Prüfung angemessen
berücksichtigt? 1,44
 War die Information über den Stand und die Ergebni sse während der Prüfung
sichergestellt? 1,44
 Zeigten die Mitarbeiter der Revision auf den geprü ften Gebieten Professionalität? 1,44
 Haben die Mitarbeiter der Internen Revision gen ügend praktische Erfahrung? 1,91
 Waren die Schlussfolgerungen logisch und gut dokume ntiert? 1,72
- informal contact with the audited units and the line executives  Wurden die Ergebnisse sorgfältig berichtet? 1,47
 War der Bericht klar und logisch abgefasst? 1,58
- approbation of audit modules  Sind die vorgeschlagenen Maßnahmen der Mitarbe iter der Internen Revision konstruktiv
und umsetzbar? 1,89
 Haben die Mitarbeiter der Internen Rev ision die Schlussbesprechung gut und zügig
vorbereitet sowie professionell durchgeführt? 1,38
 Haben sich die Mitarbeiter der Internen Revision um gute Zusammena rbeit bemüht? 1,13
 Hat die Prüfung ganz generell einen Mehrwert für die rOganisation gebracht? 1,97
 War das Start-Up-Gespräch informativ für das Prüfung sverständnis und den
Prüfungsablauf? 1,31
 Waren am Ende der Prüfung vor Ort (informelles e Gspräch) alle Sachverhaltsfragen
geklärt? 1,81
 Wurden Sie vor Beginn der Schlussb esprechung rechtzeitig und ausre ichend über die
Besprechungsthemen informiert ? 1,36
 Wurde die Schlussbesprechung effizient abgeha lten? 1,31
 War die Zeit für Änderungsvorschläge zum Rohberichtusreichend?
a 1,11
 DURCHSCHNITTSWERT 1,48

Ongoing Internal Monitoring (III – feed back)
co-operation report content staff

good co-operation 1,15
comprehensible report 1,18
realistic recommondations 1,3
efficient closing discussion 1,35
audit run in a reasonable time 1,35
enough time for amendments to the draft report 1,35
affect of the audit on working time 1,35
report of findings to the local executive 1,38
proficiency of auditors 1,43
sufficient information at the start up event 1,43
sufficient in-time information before closing discussion 1,43
communcation of audit targets 1,48
closing discussion run efficiently 1,53
clear and concise conclusions 1,6
professional experience of the auditors 1,6
added value for the organization 1,63
suffizient information during the audit 1,65
all questions about findings cleared during audit 1,75
strategies taken in account sufficiently 1,98
Durchschnitt 1,43 1,39 1,56 1,52

Periodic Assessments
• internal periodic assessment is established by

- appraisal interview with each employee
- appraisal interview with the whole staff
- information to each employee about bonus award or „non-
award“
- quarterly reports to the minister and state secretary
- yearly audit report
- strategic plan for trainings, seminars etc.
• external periodic assessment has to be done every 4 years (more
rigorous than IIA-standard where every 5 years)
- 2003/2004 (at the end of the conception phase)
- 2007 (after the consolidation, done by Ernst & Young)

2.6. Standards of the Internal Audit

The Legal Basis of Internal Audit
authority adressee private enterprises administration
constitutional law parliament public
law parliament public commercial law federal ministry law
regulations MoF public

decree on controls
audit charter
decree MoF administration anitcorruption decree
Federal Ministry Law : if there is an IA-unit it could be organised

as any other unit of the Ministry

Regulation on Internal Control System
SYSTEM OF CONTROLS
Management Internal Control

System System
Supervision of Conduct Control Measures Independant

in Line Control Measures
Supervision of Profession
Preventive Controls (ex ante,

Measures ex post, INTERNAL AUDIT external
simultaneus) controls
"4-eyes-principle" "Quality Audits" national SAI

separation of
internal regulations controls of collection EU - SAI
IT-roles regularity controls -budget
IT-procedures others, by persons
accounting system by IT
etc.
Anticorruption

Internal Control System - Hierarchy
• The Internal Audit Directorate is on the top of the control

hierarchy.
• According to the Single Audit Principle the Internal Audit

Directorate does not repeat controls of other units but
- it states whether these units function effectively and efficiently
- and /or it uses their results for the own audit

Audit Charter - Stakeholders
Community
IIA
SAI EU (IAS) Co-ordination
AUDITEES
State Secretary Proposal

national IAs
Minister Order + Report

Directors General
IA Internal Audit Directorate
Secretary General
Ministry of Finance
Control units in line Regional Managements
internat. IAs Academy
Appellation Court
Tax Ofiices
Vienna, March 2010 Customs Offices 63
Annexes
Audit Charter
• signed by Minister of Finance on Dec. 13, 2005
• legally binding for all employees of the MoF, the subordinated

offices and the annexes
• the concept on the Audit Charter is based on the IIA-standards

Audit Charter – the content
• Preamble : MoF is a modern administration, charter has to fit to

that form of organization
• Definition : exactly the same as IIA – definition
• Competencies : auditing, consulting, control of procurement
procedures, support in combating fraud
• attribute standards : independence, objectivity, proficiency, due
professional care, quality assurance, general right on information
• planning and reporting : risk map, annual audit plan, reporting
• audit : right on information when auditing, teamwork, technical
support, audit planning, performing the audit, communicating
results, monitoring progress, documentation
• consulting activities
• control of procurement procedures
• co-operation with the Commissioner for Anticorruption
3. Audit Processes
Overview

The Audit Process
preparation fact finding and evaluation and reporting

critical recommendation
interpretation
 Selection of the • Analysis of data • Evaluation of  Draft report about
main audit issues and documents results facts, results
 Generate the • Making interviews  Benchmark of of analysis,
audit concept • Other fact finding indicators evaluation,
 Introduction of measures and  Show fields of
the audit concept analysis improvements recommendations
to the auditee • First critical  Sharpen up and
• Check the time interpretation recommendations agreements
table and the  Record of the  Design the  Mailing the draft to
audit concept results in detail concept of the the auditee
with the auditee  Information of closing discussion  Final report after
 Check list what is the head of the  Closing the statements to
needed for daily audited unit discussion the draft
work about the facts  (agreements  Mailing the final
 Look at first found included) report to the
documents minister
 Improve the
audit concept in
detail
The Internal Audit – Customer Orientation
customer orientation
1. organization : to add value (by risk orientation,
2. auditees :
- first information about planned audit
- start up meeting
- (feed back during the visit when making interviews)
- information of the head of the audited unit at the end of the
visit
- information in written before closing discussion
- closing discussion
- draft report
- report
Follow Ups
focus :
• agreement at the closing discussion (who has to do what within
the next 12 months)
• monitoring of the fulfilment of the agreements (implementation
reports by the person in duty)
• quarterly report of the (non-) realization to the minister
• monitoring the implementation at other audits

Reporting Lines - Audits
partizipants
draft of closing
report discussion
state-
ments
Internal Audit
Directorate
final
report
bureau of
minister
Internal Audit
Directorate
secretary director responsible audited units

general general managers
DG I

Reporting Lines – „periodicals“
• Quarterly Report :
- Minister
- State Secretary
- Secretary General
• Annual Report :
- see Quarterly Report, plus :
- all directors general
- all heads of department
- all directors involved in that year
- Commissioner against Corruption
- Supreme Audit Court
4. Internal control system – audit
standards and evaluation for EU-
Funds
Vienna, March 2010

Johann RIESER 74
Internal Control System - audit standards and
evaluation for EU-funds
Audit Strategy
Rieser Johann
Certifying Body
Ministry of Finance
Internal Audit Service
AIM OF THIS SESSION
• Outline the role of the Certifying Body
• Outline key considerations for undertaking the Certifying Body

audit for the European Agricultural Guarantee Fund (EAGF)
• based on Guideline No 3-EUROPEAN COMMISSION - DIRECTORATE-

GENERAL FOR AGRICULTURE AND RURAL DEVELOPMENT

Purpose
• This Guideline is intended to assist Certifying Bodies in the

establishment of their audit strategy.
• It has been drawn up to guide the CBs in their tasks of gathering

sufficient, appropriate audit evidence to conclude on whether the
annual accounts of the accredited Paying Agencies (PAs) are in all
material respects true, complete, and accurate and that internal
control procedures have operated satisfactorily.

Background
• This Guideline addresses the requirements of Article 5

("Certification") of Commission Regulation (EC) No 885/2006.
• This Regulation lays down detailed rules for the application of

Council Regulation (EC) No 1290/2005 as regards the
accreditation of PAs and other bodies, and the clearance of the
accounts of the European Agricultural Guarantee Fund (EAGF)

Certifying Body (CB)
• Independent from the PA (and the co-ordinating body)
• Capacity to carry out audits in accordance with Internationally

accepted Audit Standards
• Competent to carry out the work

Certification (audit report)
• The Certifying Body (CB) is a body designated by the member

state in order to audit the accounts of the Paying Agency (PA) and
issue the relevant certificate
• - Choice of the CB
• - private firm
• - national audit body
• - audit service from the Ministry of Finance

Certification (audit report)
• guidelines issued by the Commission to define the certification

work
• Guidelines cover e.g.:
• – Audit strategy
• – Sampling method used for testing and error evaluation
• – Model report
• – IT security issues
• – Accreditation criteria
• – Opinion on the Statement of Assurance
• – The form, scope and contents of the certificate

Certification
• For the sake of clarity, the certificate should specify the

Certifying Body, the Paying Agency, the financial year, the
opening and closing dates of the audit examination, the
date of issue and the name and position of the signatory
of the audit certificate.
• It should also confirm that the audit examination was
undertaken in accordance with the provisions of Article
5.2 of Commission Regulation (EC) No. 885/2006 as
regards the nature and quantity of work required to
obtain reasonable assurance.

Certification
• The Certifying Body shall draw up one certificate stating

whether it has gained reasonable assurance that the accounts to
be transmitted to the Commission are true, complete and
accurate and that the internal control procedures have operated
satisfactorily.
• The certificate shall be based on an examination of procedures
and a sample of transactions.

Certification
• The audit was undertaken in accordance with internationally

accepted auditing standards and entailed consideration of the
following matters:
- Whether the Paying Agency complies with the accreditation
criteria;
- Whether the Paying Agency's procedures are such as to give
reasonable assurance that the expenditure charged to the
EAGF was effected in compliance with Community rules and
which recommendations for improvements, if any, have been
made and followed-up;

Certification
• Whether the annual accounts referred to in Article 6(1) of the

Regulation 885/2006 are in accordance with the books and
records of the Paying Agency;
• Whether the statements of expenditure and of intervention
operations are a materially true, complete and accurate record
of the operations charged to the EAGF;
• Whether the financial interests of the Community are properly
protected as regards advances paid, guarantees obtained,
intervention stocks and amounts to be collected

Certification
• Our report is accompanied by:

- information on the number and qualifications of the staff
undertaking the audit;
- on the work done;
- on the number of transactions examined;
- on the level of materiality and confidence obtained;
- on the control weaknesses found and recommendations
made for improvement;
- and on the operations of both the Certifying Body and other
audit bodies, internal and external to the Paying Agency,
from which all or part of the Certifying Body's assurance on
the matters reported was gained;
- an opinion on the statement of assurance

Certification
• The format of the report is also in accordance with Commission

Guidelines, and on a functional basis, deals with:
- the Paying Agency's compliance with the accreditation

criteria;
- the key internal controls in place;
- the procedures for ensuring compliance with Community
rules
- and the procedures for the protection of the financial
interests of the Community, as well as outlining the relevant
recommendations arising.

Control framework – procedural level
• For all PAs, the systems in place and the control framework
feature five main procedures:
- authorisation of payments
- execution of payments
- accounting
- debt management
- advances and securities

Control framework – overview level
• Ongoing higher level monitoring should be built into the normal,

recurring operating activities of the PA;
• at all levels the daily operations and control activities of the PA

should be monitored on an ongoing basis to ensure a sufficiently
detailed audit trail.

• The internal audit function, being a monitoring control, shall be

separately assessed.
• It should verify that procedures adopted by the PA are adequate

to ensure that compliance with Community rules is verified, and
that the accounts are accurate, complete and timely.

• The CB may rely on the work of internal audit.
• The CB should be fully guided by International Standard on

Auditing (ISA) 610 “Considering the work of internal audit” in
determining whether the nature and extent of internal audit's
work is adequate for certification purposes.

Initial Risk Assessment
• The CB's initial risk assessment shall be made based on existing

knowledge of the PA, its control systems and the schemes it
operates.
• When determining the nature, timing and scope of the work, the
CB should assess the risk of significant monetary errors.
• It shall examine controls and procedures to assess whether these

are sufficiently reliable for a proportion of its audit assurance.

Assess PA´s risk management
• ISA 315: "Understanding the entity and its environment and

assessing the risks of material misstatement" requires that the
CB:
- assesses the design and implementation of controls,

regardless of whether a controls-based audit approach is
planned; and
- looks at an organisation's ability to identify risk and assess the
impact which this may have on the accounts

Assess PA´s risk management
• Hence the CB must obtain assurance in three areas:
- The PA's ability to meet accreditation criteria and to recognise

and evaluate operational risks;
- The PA's commitment to prepare quality annual accounts
consistent with EU guidelines and other EU requirements;
- The PA's infrastructure and oversight activities to ensure
reliable financial reporting to the Commission

Audit Approach
Audit assurance
- The total level of assurance required from audit testing has

been set at 95%. This overall degree of audit assurance is
obtained from
- 1) assessing the control environment including compliance

testing and
- 2) substantive testing of files.

Audit Approach
- Assessment of the control environment
- will have to be confirmed by some compliance

testing. This is normally the only way to obtain the
control assurance necessary to reduce the
substantive test sample sizes.
- At least 10 items per population for each PA should

be tested. In practice, this means that 10 items
could be selected to simultaneously cover the
three main controls - authorisation, payments and
accounting.

Audit Approach
- Assessment of the control environment
- The CB's work should begin with a review of the

general control environment. This includes inter alia:
- “walk through” tests to confirm its understanding

of the schemes and control procedures;
- a review of the “translation” process, whereby the

requirements set out in EC Regulations are
incorporated in the PA’s manual and computer
procedures and written instructions; and

Audit Approach
work to establish whether:
- written guidance on the receipt, processing and

authorisation of claims is comprehensive and up-to-
date and available to all staff;
- authorisation, payment and accounting duties are

appropriately segregated and subject to supervisory
control;

Audit Approach
work to establish whether:
- there is appropriate staff training and rotation;

- there are adequate procedures for senior
management checks, and
- appropriate action is being taken in response to
recommendations on improvement accepted by
agencies as necessary as part of the accreditation
process.

Audit Approach
• Authorisation controls
• The detailed elements of the authorisation procedures, i.e. the
administrative and on-the-spot checks, should be tested.
• In addition, a review of controls over the maintenance of
standing data, such as any claimant registration systems, should
be undertaken.
• This should include checks to establish whether changes
resulting from new Community legislation are implemented
promptly in the PA's systems.

Audit Approach
• Payment controls
• only approved claims are selected and passed for payment;
• payment is made only to the claimant or final beneficiary, to the
claimant’s bank account or assignee, and that no payments are
made in cash;
• “negative expenditure” is properly controlled and processed via
a debtor's ledger; and
• appropriate levels of security exist, including a record of the
identity of the signatory, where payments are approved
electronically

Audit Approach
• Accounting controls
• all payments have been accurately recorded in the PA's ledgers;

• a clear audit trail exists between the original claim and final
entry, including for amounts modulated;
• the maintenance of claimant records is satisfactorily controlled;
• reconciliations between the ledger and the payments and
operational systems are complete and up-to-date;
• any amounts held in suspense accounts would have altered the
Annual Declaration had they been cleared.

Audit Approach
• Debt management
• review the PA’s procedures for reconciling debtors' ledger

figures to operational systems records;
• review the procedures for the recovery and non-recovery of
debts;
• ensure that a mechanism for calculating debt interest exists in
the system and is operational.

Audit Approach
• Advances and securities
• the records contain all necessary details to allow for proper

identification, ageing and accounting;
• regular internal reconciliations are carried out with the bank
payments; with the authorised payment and with final
payments;
• regular internal analyses are made of the advance payment
accounts and securities records: this includes timely follow-up of
all abnormal or long outstanding cases, including initiation of
recovery procedures where conditions have not been respected;
the release of bank guarantees and redemption of securities.

Audit Approach
• Non-operational transactions
• These fall into three main categories:
• - irregularities;
• - other assigned revenues;
• - and advances and securities.

Audit Approach
• To substantively test the truth, completeness and accuracy of

irregularities the CB should:
- test completeness of the record of recoveries by reconciling

control reports with financial consequences to the data on
the debtors record;
- test a sample of recoveries, new cases, corrections and
amounts declared irrecoverable, to ensure that these are
properly recorded on the debtors' ledger;
- audit the reported debt as per Annex III and ensure that this
reconciles back to the debtors' ledger.

Audit Approach
• The CB should confirm that advances and securities are correct

as to account, amount and period, mainly via testing against
supporting documentation. It should also verify that:
- the securities exist, and are held in a safe place;
- only approved standard bank securities are accepted which
remain valid.

The audit strategy document
The CB should compile an audit strategy document, which should be

made available to the Commission upon request. As a minimum, it
should cover the following:
- the audit scope and objectives;

- key audit activities arising from the risk assessment;
- audit assurance and materiality;
- systems and controls;
- the audit approach;

The audit strategy document
• the nature and extent of the CB's reliance on the work of

Internal Audit;
• the CB's audit report, certificate, and opinion on the Statement
of Assurance
• an audit timetable, a description of audit resources and a
contact (liaison) point.

SAMPLING AND ERROR EVALUATION
• Certifying Bodies (CBs) cannot examine all Paying Agency (PA)

transactions in their audits. They must, therefore, choose a
sample of transactions and use the results of this testing to
draw conclusions about the PA's accounts as a whole.

• In planning the audit, the CB must reach a judgement as to the

level of overall errors or misstatements that is likely to influence
users of the accounts, i.e. what is material. Per International
Standard on Auditing (ISA) 320 ("Audit Materiality"), paragraph
7:
• "The auditor considers materiality at both the overall financial
statement level and in relation to classes of transactions,
account balances, and disclosures. Materiality may be influenced
by considerations such as legal and regulatory requirements and
considerations relating to classes of transactions, account
balances, and disclosures and their relationships."

• Therefore, for each PA, overall materiality should be set at 2%

of total declared expenditure for each Fund separately.
• The CB's evaluation should involve professional judgement and
take into account qualitative as well as quantitative
considerations. CBs must provide separate opinions on each
account as to whether they are free from material
misstatement.

- Population - stratification criteria
- The first task when preparing for sampling is to define the

populations involved. A population is a set of transactions for
which the control system can be said to be homogenous.
Any populations which have a different control system should
be treated separately, and a separate sample should be
taken.

Monetary Unit Sampling (MUS)
- The chief characteristic of MUS is that, although

each monetary unit within the population has an
equal chance of being selected, higher value items
have a higher probability of being selected, as they
contain more monetary units.
- A pre-condition for any statistical sampling is the
availability of a listing of all the transactions which
make up the population. As accounting records are
generally computerised, such a listing should be
easily available.

- Small populations
With a statistical sampling method, such as MUS, for any

given confidence level and materiality threshold, the sample
size will always be the same, irrespective of the population
size. A statistical sampling approach is therefore not efficient
in populations with a small number of transactions (less than
2 000).

Planning the sample sizes
Materiality level and expected error rates

- Auditors should estimate the error that they are likely to find in
their testing. This will normally be a relatively small proportion
of the materiality; 10% may be assumed if previous error rates
have been low. Use of a higher rate (for example 15%) would
entail a larger sample size, but it reduces the risk that an extra
sample will be needed (when preliminary results indicate that
material error is present)

Level of assurance/confidence level
The total level of assurance required from audit

testing has been set at 95% in the Commission’s
guidelines. The CB's assessment of the internal control
system and compliance of the PA's operational
procedures with the accreditation criteria will provide
the key basis for sample selection

Error evaluation – Operational Transactions
In determining whether the error in a given

population is material, it is necessary to ascertain the
nature of each error. Specifically, the auditor must
determine whether the identified error is systematic or
random.

Systematic errors are those which normally occur in

closely defined circumstances, and which affect normally
a small proportion of transactions. For example, it might
be possible to establish that a certain type of error is
associated with manually processed transactions, or that
the error only occurred during a certain time period.

Random errors are those that could have occurred in

any of those transactions which were not sampled for
testing.
It is necessary to assume that the same type of error
could, in principle, have affected any of the non-sampled
transactions. The CB must, therefore, extrapolate all
random errors over the entire population, in order to
estimate their total effect.

Austrian Partners of the Workshop
Brief Introduction

Andreas BERGER
Education :
• Magister phil. (MA) - Political Science / University of Vienna
• Doctor phil. (PhD) - Political Science / University of Vienna
• Master of Business Administration on public auditing (MBA) / Vienna
University of Economics and Business Administration
• Austrian State Examination for Tax and Customs
• Austrian State Examination for Customs Auditing
Present Position :
• Ministry of Finance, Internal Audit, Teamleader
Teaching :
• Lecturer at the Institute for Internal Research – Risk Management, Process
Auditing, Project Auditing
• Key Expert in some Twinning projects (Hungary, Romania)
Johann RIESER
Education :
• Austrian State Examination for Customs – graduated Customs
Officer (1978)
• Internal Auditor
Present position :
• Internal auditor in the Ministry of Finance
• Head of Certifying Body
• Auditor for Traditional Own Recources
• Key expert for European Twinnings
• Member of international Working Groups
Hannes SCHUH
Education :
• Magister Iuris (LL M) and Doctor Iuris (LL D) / University of Vienna
• Master of Business Administration on public auditing (MBA) / Vienna
University of Economics and Business Administration
• Austrian State Examination for Tax and Customs
• Austrian State Examination for Tax Auditing
• Accreditation in Quality Assessment (IIA-Standard)
• Certificate in Management (3 Semesters)
• etc.
Present position :
• Chief Audit Executive of the Ministry of Finance
• Chairman of Examination Boards at the Federal Academy of the Tax and
Customs Administration (Taxes, Customs, Public Administration)
• Member of Managing Board of the Austrian Institute of Internal Auditors,
responsible for the public sector
• Commissioner of the Austrian Financial Market Authority at two Austrian
banks
Hannes SCHUH
Publications, Lecturing, etc.

• Lecturer at the Federal Academy of the Tax and Customs Administration
• Lecturer at the Federal Academy of Business Administration
• Lecturer at the Academy of Internal Auditing Austria
• Co-editor and Author of the “Österreichische Steuerzeitung” (Austrian Tax

Journal)
• Co-editor and Author of the "Handbuch der Österreichischen
Betriebsprüfung" (Handbook of the Austrian Tax Audit)
• Author about accounting and management
• Short Term Expert in some Twinning projects (Hungary, Slovakia)

THANK YOU !


Study Visit Hungary 2010

Uploaded by

Copyright:

Available Formats

Study Visit Hungary 2010

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Study Visit Hungary 2010

Uploaded by

Copyright:

Available Formats

Study Visit on Internal Audit

Exchange of professional experiences

Presentations of the Austrian MoF

• General report of the working field of the Internal Audit

• Training and methological system regarding public finances and

• Internal control system – audit standards and evaluation for EU-

Vienna, March 2010 3

- Mr. Hannes Schuh

Vienna, March 2010 4

Vienna, March 2010 6

State Secretary State Secretary

Advisor for Capital Secretary

Vienna, March 2010 7

Vienna, March 2010 8

revenues 2008 Mio. €

Vienna, March 2010 11

• The Internal Audit Unit is a directorate of the Secretary

• Clear separation in competencies between Internal Audit

Vienna, March 2010 12

• IA uses the general information of the BIA (risk map) for

• common training of audit professionals

Vienna, March 2010 13

The Directorates General

Internal Audit Directorate

certifications (EU) consulting

joint audits (EU)

Vienna, March 2010 15

- insight (giving clear analyses about SWOT of the

Vienna, March 2010 16

Vienna, March 2010 18

1 Chief Audit Executive

Our bureaus are in Vienna, Linz and Salzburg.

Each team has to finish an audit in ~3 months.

Vienna, March 2010 19

1. audit 2. audit 3. audit 4. audit

audit audit audit audit

audit audit audit audit

port folio TL audit audit audit audit

TL audit audit audit

TL audit audit audit

audit audit audit audit 4f

permanent organization temporary organization

remark : TL = team leader, A, B, ...;L = auditors

audit plan strategy framework

goals of department goals of department

goals of IA - etc. etc.

Vienna, March 2010 21

Vienna, March 2010 22

2.3 Risk Map and Audit Plan

Vienna, March 2010 24

Classical Approach Risk orientated Approach

result : ranking of audit objects result : classification of sourced

advantage : simple method, advantage : broad scope,

Vienna, March 2010 26

risk-orientated structure from which the annual audit plan derives

cluster 1 cluster 2 cluster n

risk evaluation among the clusters

Vienna, March 2010

Vienna, March 2010 30