Documents
Resources
Learning Center
Upload
Plans & pricing Sign in
Sign Out

Strategisk analyse

VIEWS: 4 PAGES: 134

									Guidelines for financial auditing

March 2006
Foreword

The guidelines for financial auditing are based on the Auditing Standards for the Office of the Auditor
General. The guidelines shall be used as the foundation for the Office of the Auditor General’s
financial auditing from 1 July 2005.




                                  Guidelines for financial auditing                              Page iii
Contents
==============
1       Structure of the guidelines.......................................... 1
1.1     Guidance for the reader .........................................................1
1.2     Sources ..................................................................................1

2       Financial auditing in the OAG ................................... 2
2.1     Purpose..................................................................................2
2.2     The content of the audit.........................................................3
2.2.1   Audit of the accounting......................................................................................... 4
2.2.2   Compliance of the dispositions............................................................................. 4
2.2.3   Advising the audited entity ................................................................................... 6
2.2.4   Contributing to the prevention and detection of irregularities.............................. 7

3       The audit process for financial auditing..................... 10
3.1     Financial auditing – summary ...............................................10
3.1.1   Objectives and tasks.............................................................................................. 10
3.1.2   Framework conditions .......................................................................................... 11
3.1.3   Basic auditing terms.............................................................................................. 11
3.1.4   The audit process .................................................................................................. 13
3.1.5   Strategic analysis .................................................................................................. 14
3.1.6   Process analysis .................................................................................................... 16
3.1.7   Analysis of residual risk........................................................................................ 18
3.1.8   Conclusions........................................................................................................... 20
3.1.9   Reporting............................................................................................................... 21

3.2     Key documents......................................................................22
3.2.1   Documents produced internally ............................................................................ 22
3.2.2   Some key documents from the Storting and government administration............. 23

3.3     The audit process – from start to finish .................................24

4       Basic auditing terms ................................................... 26
4.1     Assertions ..............................................................................26
4.1.1   Assertions for an audit of the accounting ............................................................. 27
4.1.2   Assertions for compliance..................................................................................... 28
4.1.3   Connection between the financial auditing assertions and criteria for information for
        IT auditing............................................................................................................. 32



                                         Guidelines for financial auditing                                                     Page v
4.2       Materiality ............................................................................ 34
4.2.1     Qualitative materiality...........................................................................................35
4.2.2     Quantitative materiality.........................................................................................36

4.3       Audit risk.............................................................................. 37
4.4       Audit procedures .................................................................. 39
4.4.1     Procedures for risk assessment..............................................................................39
4.4.2     Tests of controls ....................................................................................................41
4.4.3     Substantive tests ....................................................................................................42

4.5       Audit evidence...................................................................... 45

5         Strategic analysis........................................................ 48
5.1       Purpose of the strategic analysis........................................... 49
5.2       Understanding the entity....................................................... 50
5.2.1     Identifying the entity’s goals .................................................................................50
5.2.2     Identifying external factors ...................................................................................51
5.2.3     Identifying internal factors ....................................................................................54
5.2.4     Analysis of financial information..........................................................................57
5.2.5     Identifying processes.............................................................................................58

5.3       Assessing materiality............................................................ 59
5.4       Assessing risk ....................................................................... 60
5.4.1     Identifying risk elements and the management’s reaction ....................................60
5.4.2     Estimating risk.......................................................................................................61
5.4.3     Evaluating risk.......................................................................................................63

5.5       Planning further auditing...................................................... 63
5.6       Documenting the strategic analysis ...................................... 65
5.7       Quality assurance and approval............................................ 66

6         Process analysis.......................................................... 68
6.1       Purpose of the process analysis ............................................ 68
6.2       Understanding the process.................................................... 68
6.2.1     Process goals .........................................................................................................69
6.2.2     Process activities ...................................................................................................69
6.2.3     Information flow ...................................................................................................70
6.2.4     Accounting transactions ........................................................................................71




Page vi                          Guidelines for financial auditing
6.3     Assessing materiality.............................................................72
6.4     Assessing risk........................................................................72
6.4.1   Identifying risk...................................................................................................... 73
6.4.2   Estimating risk ...................................................................................................... 80
6.4.3   Evaluating risk – identifying residual risk ............................................................ 83

6.5     Documentation of the process analysis .................................84

7       Analysis of residual risk............................................. 86
7.1     Purpose of the analysis of residual risk .................................88
7.2     Setting audit objectives for the assertions .............................88
7.3     Identifying remaining audit procedures ................................90
7.3.1   Identifying audit procedures ................................................................................. 90
7.3.2   Requirements for audit procedures ....................................................................... 92
7.3.3   Relating audit procedures to audit objectives ....................................................... 93
7.3.4   Audit programmes ................................................................................................ 93

7.4     Plan for the remaining auditing work....................................93
7.5     Implementing audit procedures .............................................94
7.5.1   Recording audit findings....................................................................................... 94
7.5.2   Assessing audit findings ....................................................................................... 95
7.5.3   Communicating audit findings during the audit ................................................... 96

7.6     Documentation of the analysis of residual risk .....................96

8       Conclusions ................................................................ 98
8.1     Purpose of conclusions..........................................................98
8.2     Basis of the conclusions ........................................................99
8.3     Conclusions for audit objectives ...........................................99
8.4     Conclusions for assertions.....................................................100
8.5     Conclusion for the entity .......................................................100
8.6     Documentation ......................................................................101
8.7     Updating basic data ...............................................................101

9       Reporting.................................................................... 102


                                         Guidelines for financial auditing                                                 Page vii
9.1         Reporting to the entity and the supervisory ministry............ 102
9.2         Reporting to the Storting ...................................................... 102
9.3         Documentation ..................................................................... 103

10          Documentation ........................................................... 104
10.1 Documentation ..................................................................... 104
10.2 Glossary of terms.................................................................. 105
10.3 Scope and content................................................................. 105
10.4 Organisation and filing ......................................................... 106

11          Quality assurance ....................................................... 108
11.1 Responsibility for quality ..................................................... 108
11.2 Quality assurance of the audit process ................................. 109
11.3 Organisation of the quality assurance................................... 110




Page viii                   Guidelines for financial auditing
1 Structure of the guidelines


1.1 Guidance for the reader
                                                               Framework conditions for
The guidelines are divided into two main parts.
                                                               financial auditing:
The first part, Chapters 2–4, consists of introductory         Chap. 2 Financial auditing in
chapters on the framework conditions for financial auditing            the OAG
with the adaptations made in the Office of the Auditor         Chap. 3 The audit process for
General (OAG). Chapter 3 contains a summary of the                     financial auditing
auditing process and a description of some key documents.      Chap. 4 Basic auditing
Chapter 4 shows how the recognised and general auditing                terminology
terms have been adapted to the OAG’s objectives and tasks.

The second part, Chapters 5–10, constitutes a detailed
review of the methodology that is used as a basis for the
OAG’s financial auditing.
                                                               Details of methodology:
                                                               Chap. 5 Strategic analysis
                                                               Chap. 6 Process analysis
                                                               Chap. 7 Analysis of residual
                                                                        risk
                                                               Chap. 8 Conclusions
1.2 Sources                                                    Chap. 9 Reporting
                                                               Chap. 10 Documentation
The following sources have been used in the work of            Chap. 11 Quality assurance
formulating the guidelines:
• W. Robert Knechel: “Auditing Assurance and Risk”
• William F. Messier, jr.: “Auditing & Assurance Services
  – a systematic approach”
• The Norwegian Institute of Public Accountants:
  “Descartes revisjonsmetodikk” (Descartes’ audit
  methodology)
• B.P. Gulden: “Revisjon – teori og metode” (Auditing –
  theory and methods)
• INTOSAI’s auditing standards
• International Private Sector Accounting Standards
  (IFAC)
• Risk management framework (COSO)
• Framework for information systems audit (CobIT)




                           Guidelines for financial auditing                              Page 1
                                    2 Financial auditing in the OAG
                                    2.1 Purpose
                                    The Office of the Auditor General’s main purpose is
 Section 1, Auditor General Act     defined in Section 1 of the Auditor General Act:

                                    ”The Office of the Auditor General shall ensure, through
                                    auditing, monitoring and guidance, that the state’s revenues
                                    are paid as intended, and that the state’s resources and
                                    assets are used and administered in a sound financial
                                    manner and in keeping with the decisions and intentions of
                                    the Storting.”

                                    The purpose of financial audits is to obtain relevant
 Purpose of financial audits        information about the central government accounts and the
                                    transactions and decisions regarding allocations (referred to
                                    in this document as “dispositions”) on which they are based
                                    to enable auditors to form an opinion of reasonable
                                    assurance about whether the accounts can be certified and
                                    the dispositions accepted.



                                    The objective of financial audits is defined in section 3 of
                                    the Instructions concerning the activities of the Office of
 Section 3, Instructions            the Auditor General – the content of the auditing:
 concerning the activities of the
 Office of the Auditor General      “By auditing accounts, the Office of the Auditor General
                                    shall verify whether the financial statements give a correct
                                    picture of the financial activity, including:

                                    a) confirm that the financial statements are free of material
                                       errors and omissions, and

                                    b) verify whether the transactions in the financial
                                       statements reflect the decisions and intentions of the
                                       Storting and the current regulations and whether they
                                       are acceptable in the light of the norms and standards
                                       for financial management in the central government.”
 Objectives of financial audits     On the basis of the above, financial audits in the OAG have
                                    two audit objectives:

 Audit of the accounting            The objective of financial audits is to enable auditors to
                                    form an opinion of reasonable assurance about whether the
                                    financial statements and other financial information are
                                    complete, accurate and reliable.

 Compliance of the dispositions     The objective of compliance is to enable auditors to form
                                    an opinion of reasonable assurance about whether the
                                    ministry’s or the entity’s dispositions on which the accounts
                                    are based:




Page 2                              Guidelines for financial auditing
                               Financial auditing in the OAG


• comply with the Storting’s budget resolutions and
  intentions
• are in accordance with current regulations
• are acceptable in the light of the norms and standards
  for financial management in the central government



2.2 The content of the audit
Section 9 of the Auditor General Act defines the main tasks       Section 9, Auditor General Act
involved in financial auditing as follows:

”The Office of the Auditor General shall audit the Central
Government Financial Statements and all financial
statements that are rendered by central government
agencies or other authorities that are accountable to the
central government, including government corporations,
government agencies with special powers, government
funds and other agencies or entities where it is so
stipulated in a special act […].”

”The Office of the Auditor General shall through auditing
contribute to the prevention and detection of irregularities
and errors.”

”The Office of the Auditor General can advise the
government administration to prevent future errors and
omissions.”

The OAG therefore audits the central government financial
statements and all accounts submitted by government
agencies/entities. The central government financial
statements represent a compilation of all the entities’            Auditing central government
accounts, and the OAG conducts its own audit procedures            financial statements
on these accounts. Auditing the entity’s accounts includes
ensuring the compliance of the dispositions and conducting
a financial audit of the financial statements of each
individual entity.

The comments to the Act state that the definition of
accounts in this context may change over time depending
on how the central government administration is organised
and how the central government accounting scheme is
arranged.

In these guidelines the term “entity” is used to describe the     The term “entity”
entity that is being audited, irrespective of whether this is a
ministry, a government entity or an entity that has a
different form of organisation. The term is also used in
cases where the audit assignment has been made mandatory
                                                                   Audit tasks
in another way – for example by law or agreement.
                                                                   •   financial auditing
The OAG’s mandate gives financial auditing a wider                 •   compliance
content than private sector auditing since it also includes        •   contributing to preventing
compliance. As the auditing and monitoring body for the                and detecting irregularities
                                                                   •   advising

                            Guidelines for financial auditing                                    Page 3
         Financial auditing in the OAG


         Storting, the Storting expects the OAG to express an
         opinion on budget allocations in addition to its statement on
         the accounts.

         Through auditing the OAG is also intended to contribute to
         the prevention and detection of irregularities and errors,
         and to advise the government administration in order to
         prevent the occurrence of future errors and omissions. In
         their role as advisor, auditors must exercise caution and
         must conduct themselves in a manner that does not
         jeopardise the audit’s independence and objectivity.



         2.2.1   Audit of the accounting

         Pursuant to section 3 of the Instructions, the OAG shall:

         ”confirm that the financial statements are free of material
         errors and omissions.”

         An audit of the accounting is defined as the procedures that
         are required to confirm that the accounts are complete,
         accurate and reliable. This entails ensuring that expenses
         and revenues, stock and assets of any kind have been
         recorded in the accounts in keeping with the applicable
         rules.

         As the auditing and monitoring body for the Storting, the
         OAG is an external auditor and conducts financial auditing
         in line with audits that are performed by other auditing
         bodies – both private and public.

         The OAG has an independent position, and there is no
         financial commitment between the auditor and the audited
         entity. Furthermore, financial auditing has an extended
         content since the accounts that the OAG audits are of
         interest to a more complex group of users. Here the OAG
         has a social responsibility with regard to monitoring the
         administration’s use of the nation’s resources.

         At the same time as it presents its financial statements, an
         entity also submits assertions that the information in the
         accounts meets certain qualitative requirements. Through
         its work, the audit must verify with reasonable assurance
         that the assertions submitted are accurate and reliable. The
         assertions that are used for financial auditing are based on
         international auditing standards.



         2.2.2   Compliance of the dispositions

         The term “compliance” is given in the objective for
         financial audits and is described in section 3 (b) of the




Page 4   Guidelines for financial auditing
                              Financial auditing in the OAG


Instructions, referred to here as “verifying…..transactions”
(cf. 2.1).

Compliance involves examining the extent to which the
ministry and the entity have attained the performance
targets and objectives that are given in the budget
resolution for the accounting year in question. Compared
with performance auditing, the financial audit is restricted
to matters concerning the accounts for the individual year.

Three assertions have been derived for compliance. These
are based on the division of the definition into three parts
and on the objective of the financial audit:
• The dispositions comply with parliamentary decisions
• The dispositions comply with laws and regulations
• The dispositions are acceptable on the basis of the
  norms and standards for financial management in the
  central government
The tasks of the financial audit do not include assessing
whether the budget proposition’s goals and performance
requirements are relevant. The degree of detail in the
description of goals and performance requirements varies
from ministry to ministry and may partly depend on the
management signals that have been given priority in each
individual case. In addition, a main element in the financial
management regulations is that the management and
supervision of the entities must be adapted to their
individual distinctive features – for example based on an
assessment of risk and materiality.

In some cases it may be difficult to identify clear goals and
result requirements in the budget documents, and this may
make it problematic to identify the intentions on which the
Storting has based the budget resolution.

Provisions concerning financial management in the central
government impose upon the ministries the duty to follow
up the budget resolutions and to ensure that the central
government budget is implemented through annual letters
of allocation to subordinate bodies. The letter of allocation
forms part of the ministry’s management of subordinate
agencies. It must contain management parameters that
allow an assessment of goal achievement and results to be
made that remain as stable as possible over time.

If the Storting amends the allocation proposal or the
intentions, it will be the task of the ministry – through an
letter of allocation or if appropriate a supplementary letter
of allocation – to adapt the management of its subordinate
agencies to new frameworks or intentions. Auditors must
constantly use the entire budget deliberations as a basis for
their work of identifying intentions. If the budget proposal
does not contain a precise indication of what is to be
achieved, it is not impossible that during the proceedings



                            Guidelines for financial auditing   Page 5
         Financial auditing in the OAG


         the committee will attach more detailed intentions to the
         allocation by a statement in the budget recommendation.

         The OAG’s compliance process is limited to the
         transactions that have financial importance or are of
         significance for achieved results compared with intended
         targets. It must also be possible to make any deficient
         implementation of an allocation decision on the part of the
         ministry the object of auditing.

         The point of departure for financial auditing is the annual
         budget and financial statements. However, compliance will
         not always only be restricted to data concerning the
         accounting period in question since several years may pass
         from the allocation to implementation and reporting. If
         errors or weaknesses have their origin in previous
         accounting periods, it will be appropriate for auditors to
         express an opinion on this material. However, it will not be
         relevant to audit previous years’ accounts or routines.



         2.2.3   Advising the audited entity

         The following is stated in the OAG’s standards concerning
         advice:

         8
         In conjunction with the audit work, auditors can advise the
         audited entity in areas in which the auditors have the
         required competence.


         9
         When advising an audited entity, auditors shall conduct
         themselves in a manner that prevents any doubt arising as
         to the independence and objectivity of the Office of the
         Auditor General.


         10
         Auditors shall take care to act in a way that prevents the
         audited entity from perceiving their advice as a directive.

         The advisory task is incorporated into the object clause for
         the OAG. The task is of key significance in enabling the
         OAG’s financial audit to cover the administration’s need
         for auditing and advice. The administration will always
         retain independent responsibility for its choices –
         regardless of the OAG’s advice. Advice must neither
         formally nor actually exert any undue influence on
         subsequent audit and monitoring assessments.




Page 6   Guidelines for financial auditing
                                Financial auditing in the OAG


In Recommendation no. 54 to the Odelsting (2003–2004),
page 13, the Standing Committee on Scrutiny and
Constitutional Affairs states the following 1 :

”Through its work, the Office of the Auditor General has
accrued substantial insight that can be converted into
constructive advice for the administration. In connection
with the Office of the Auditor General’s advisory function
towards the administration, the Committee wishes to
emphasise that the advice should be imparted with care and
in a manner that does not jeopardise the independence and
objectivity of the control activities. The administration has
independent responsibility for its own choices, irrespective
of the Office of the Auditor General’s advice. Nonetheless
there is a risk of the advice actually being perceived as
control, or of it influencing the Office of the Auditor
General’s assessments in subsequent monitoring. This may
put the Office of the Auditor General’s independence and
objectivity at risk. The Committee therefore expresses its
doubt as to whether the Office of the Auditor General
should have a more proactive role, and requires the
Government to ensure that systems that meet the need for
quality control are in place at all times.”

The OAG’s advisory role must be seen in the light of the
factors the Committee expresses in its comments.



2.2.4   Contributing to the prevention and detection of
        irregularities

Pursuant to section 9 (4) of the Auditor General Act, the
OAG shall through auditing contribute to the prevention
and detection of irregularities and errors.

In Recommendation no. 54 to the Odelsting (2003–2004),
page 13, the Standing Committee on Scrutiny and
Constitutional Affairs has the following comments on the
OAG’s role 2 :

”The Committee emphasises that the Office of the Auditor
General also plays an important role in the fight against
irregularities and corruption, including through its
opportunity to report its findings and suspicions to the
police or other supervisory authorities.”




1
 All translations of quotations from the Appropriations
Regulations in this document are unofficial.




                              Guidelines for financial auditing   Page 7
         Financial auditing in the OAG


         The OAG has compiled the following standards concerning
         irregularities:

         5
         Through auditing, the Office of the Auditor General shall
         contribute to preventing and identifying irregularities.


         6
         When planning and performing audit procedures and
         assessing and reporting the results of these, auditors shall
         assess the risk that there may be irregularities.


         7
         Auditors shall consider gathering information in the audited
         entity about detected cases of irregularities and about the
         consequences these may have entailed.

         This is an important task for both exercising the role of
         external auditor and for acting as the auditing and
         monitoring body for the Storting. Auditors’ assessments of
         the risk of irregularities must be related to both the
         financial dispositions and to the correctness of the financial
         statements.

         An extended assessment of the risk of irregularities entails
         auditors being fully aware of the audit question during the
         planning and performance of the audit. This applies to
         collecting information, risk analyses and audit procedures.

         Audits of irregularities form an integral part of financial
         auditing. The cause of irregularities can often be linked to
         pressure or attitudes as well as to existing opportunities.
         Through discussions in the audit team, auditors must assess
         where the entity that is exposed to irregularities is to be
         found. The audit team should also specify more closely the
         types of irregularity that may occur – such as corruption,
         misappropriation, theft etc. In addition, auditors must
         engage in a dialogue with the management to inform them
         that irregularities have been detected.

         If, through their monitoring activities or as a result of a tip-
         off or similar, auditors should detect signs that irregularities
         have occurred, they must behave cautiously and correctly
         and must not draw hasty conclusions. In such cases it is
         important for auditors to follow the administrative
         procedures that apply at all times for this area.

         Auditors must document the assessments of the aspect of
         irregularity that have been made for the entity.




Page 8   Guidelines for financial auditing
  Financial auditing in the OAG




Guidelines for financial auditing   Page 9
                                  3 The audit process for financial
                                    auditing
                                  3.1 Financial auditing – summary
                                  The purpose of this chapter is to give a complete picture of
                                  the process for financial auditing. This includes the
                                  methodology and time frame – from strategic analysis to
                                  the concluding audit letter and reporting to the Storting.

                                  The audit process has been defined in the context of both
                                  the OAG’s objectives and tasks and the particular
                                  framework conditions that apply for financial auditing. The
                                  connection between the audit process and key documents is
                                  also described.



                                  3.1.1   Objectives and tasks

 The tasks of financial           The OAG’s objectives and tasks are stipulated in the Act
 auditing are:                    and Instructions concerning the Office of the Auditor
                                  General.
 • to conduct an audit of the
   accounting                     The objective of a financial audit is to verify that the
 • to ensure compliance           financial statements do not contain material errors and
 • to advise                      omissions, and that the dispositions on which the accounts
 • to contribute to preventing    are based comply with parliamentary decisions.
   and detecting irregularities
                                  An audit of the accounting is performed to enable auditors
                                  to confirm that the financial statements do not contain
                                  material errors and omissions.

                                  Auditors must also express an opinion as to whether the
                                  dispositions on which the accounts are based comply with
                                  parliamentary decisions and with applicable laws and
                                  regulations. To facilitate this, auditors conduct a
                                  compliance process.

                                  In addition the OAG must advise the entities in order to
                                  prevent future errors and omissions, and through auditing
                                  must contribute to preventing and detecting irregularities.

                                  In their advisory role, auditors must act with caution and
                                  advise in a manner that does not jeopardise the
                                  independence and objectivity of the audit.

                                  In order to prevent and detect irregularities, auditors must
                                  be fully aware of the audit question when both planning
                                  and performing the audit.




page 10                           Guidelines for financial auditing
                                            The audit process


3.1.2   Framework conditions

The OAG has its own framework conditions for the
auditing work. These govern the performance of the
financial audit.

The framework conditions consist first and foremost of the
Act relating to the Office of the Auditor General and the
accompanying Instructions. The content is specified more
closely in auditing standards and guidelines.

The auditing standards and guidelines are based on
INTOSAI’s standards for public sector auditing. Standards
that apply for auditing the private sector are also used as a
basis for the OAG’s standards and guidelines.



3.1.3   Basic auditing terms

Financial auditing in the OAG draws on recognised
auditing principles. Well-known terms such as assertion,
materiality, audit risk, audit procedures and audit evidence
are also fundamental to the OAG’s auditing work. To the
extent it has proved necessary, the content of the terms has
been adapted to the auditing of government agencies.




                            Guidelines for financial auditing   Page 11
          The audit process




          Figure 1 The audit process




Page 12   Guidelines for financial auditing
                                            The audit process


3.1.4   The audit process

The figure on the opposite page is intended to give an
overview of the audit process. The entity is presented as a
grey background. It can have wider objectives than those
included in the audit objectives for financial auditing,          The entity
which are shown in blue. This symbolises that not all the
entity’s goals are necessarily relevant for financial auditing.

In the figure the audit objectives have been drawn to reach
farther down than the entity. The OAG reports to the              Audit objectives
Storting, and the reporting in the audit process reduces
communication with the entity.

Risk is here defined as the possibility of the entity not
achieving its goals, and in the figure it is represented by the
dark-red area. The fact that the red area becomes narrower
symbolises that auditors eliminate risk through risk
analyses and audit procedures.                                    Risk analysis

The risk analyses are conducted using a top-bottom
approach. They start at strategic level and gradually
become more detailed. The purpose is to direct the auditing
work towards risk that is identified at a general level. Risk
at this level usually has the greatest consequence for the
entity and is therefore of most interest to auditors and users.

The assessment of risk is made in three phases: strategic
analysis, process analysis and analysis of residual risk.

In the strategic analysis auditors assess the entity’s external
factors and internal factors that are of a general nature that
can influence the extent to which the entity achieves it
goals. On the basis of this, auditors assess risk elements at a   Audit procedures
general level.

In the process analysis auditors identify risk elements in the
processes and assess whether the established control
measures have a risk-reducing effect. After the process
analysis, auditors are left with residual risk.

To determine the scope of the procedures that are to be
implemented to achieve an acceptable level of audit risk, in
their analysis of residual risk auditors must assess and
compare residual risk with audit risk.

The figure shows that we conduct audit procedures and
collect audit evidence at all levels throughout the audit
                                                                  Audit evidence
process. The character of the audit procedures and the
strength of the audit evidence gradually changes as auditors
proceed more deeply into the audit or downwards in the
audit process shown in figure 1. To ensure that the
conclusions are based on correct information, auditors must
verify that evidence that is collected during the year is still
valid at 31 December. In the figure this is symbolised by a



                             Guidelines for financial auditing                       Page 13
                             The audit process


                             narrow strip of audit objectives and audit procedures that
                             extend to the edge of the audit evidence field.



                             3.1.5   Strategic analysis

                             The purpose of conducting a strategic analysis is to acquire
                             knowledge about the entity, identify critical processes and
 PROSIT’s navigation tree:   provide auditors with an overview of the risk that threatens
                             the entity’s goal achievement. A strategic analysis will also
                             form the basis for planning the assignment and will give
                             input to a joint overall risk analysis/ministry level.

                             A strategic analysis is to be conducted for all the entities
                             the OAG audits, including the ministries.

                             A strategic analysis consists of four steps:
                             •   understanding the entity
                             •   assessing materiality
                             •   assessing risk
                             •   planning further auditing
                             In order to understand the entity, auditors carry out a
                             systematic collection of information about the entity’s goals
                             and external and internal factors, as well as analysing
                             financial information. On the basis of the information
                             collected, auditors identify the processes in the entity that
                             are relevant for goal achievement and for financial auditing
                             objectives.



 Understanding the entity    Pursuant to the rules for financial management in the
                             central government and their accompanying provisions, all
                             entities must establish internal control procedures that are
                             adapted to risk and materiality. According to the OAG’s
                             standards for assessing internal control, auditors must make
                             a preliminary assessment of the entity’s risk management
                             measures that are relevant for the audit. To understand the
                             entity, auditors make this preliminary assessment by
                             identifying internal factors and by identifying and assessing
                             risk elements at strategic level, including the reaction of the
                             management.

                             Auditors are to begin the strategic analysis by identifying
                             the entity’s goals by examining its tasks. The primary tasks
                             of the entity are expressed to some extent in parliamentary
                             decisions. To enable it to carry out its primary tasks, the
                             entity has secondary tasks in the form of support functions
                             which, for example, secure staffing levels, operations or the
                             reporting of the accounts. In addition, tasks of a temporary
                             nature can be imposed on the entity – for instance
                             relocation, downsizing or reorganising.




Page 14                      Guidelines for financial auditing
                                             The audit process


To gain an overview of the conditions that have an
influence on the entity’s goal achievement, auditors must
obtain information about external and internal factors that
affect the entity. External factors can be the users,
competitors, political decisions and technology. Internal
factors are, for example, organisation, the entity’s
management and risk management, information and
communication. Auditors must also analyse relevant
financial information.

Through the audit, auditors must also contribute to the
prevention and detection of irregularities. In the strategic
analysis the audit team must therefore assess and in
particular document the risk of the entity being exposed to
irregularities.

The final step for the auditor is identifying the entity’s
processes. A process is a series of activities that the entity
has initiated to achieve its goals. The purpose of a process
is to promote goal achievement and reduce risk. Processes
can be designed for primary, secondary and temporary
tasks.

Auditors assess qualitative and quantitative materiality at
strategic level. The assessment is intended to help them to       Assessing materiality
determine the factors that the users – particularly the
Storting – regard as important.

Risk assessment at strategic level is divided into three parts.   Assessing risk
Auditors must first identify risk at strategic level and
consider the management’s reaction. Auditors use
information from understanding the entity and assessing
materiality when they assess the risk elements that threaten
the entity’s goal achievement.

Auditors then estimate the probability and consequence of
risk elements being realised, basing this on combinations of
high and low. We have chosen to use high and low rather
than a continuous scale. The use of a scale entails
considerable professional judgement and may give an
impression of objective precision. The use of the categories
high and low is a simplification of the scale, but will
provide auditors with a level of precision that is adequate to
enable them to decide which risk elements must be
followed up in their further work. Auditors’ assessment of
probability and consequence must be supported by audit
evidence – irrespective of the scale that is used.

In the risk evaluation, auditors decide the risk elements that
are to be followed up in the subsequent audit work. Risk
elements characterised as high-high must always be
followed up, high-low must be assessed in relation to
materiality, and low-low can be ignored by auditors in their
subsequent audit. Auditors link all risk elements to audit



                             Guidelines for financial auditing                            Page 15
                               The audit process


                               objectives and process, but only risk elements that are of
                               significance for the audit are included in the further
                               implementation of the audit process.
 Meeting with the management   In connection with the assessment of risk and materiality
                               that is conducted in the strategic analysis, auditors hold a
                               meeting with the management where analyses, strategies
                               and plans are addressed. At the meeting auditors must
                               match their risk picture with that of the entity in order to
                               establish a shared communication platform and ensure
                               contact with the management.

                               Auditors draw up a proposal for a plan for the audit of the
 Plan for auditing the         entity on the basis of the information collected, the meeting
 assignment                    with the entity’s management, the joint overall risk analysis
                               for the ministry, and the assessments that have been made
                               in the strategic analysis. The plan must contain the
                               prioritised risk elements, the organisation of the audit, the
                               need for resources and the schedule for performing the
                               audit.



                               3.1.6   Process analysis
 PROSIT’s navigation tree:     The purpose of process analysis is to conduct a more
                               detailed risk assessment of the processes to which the
                               prioritised risk elements are linked in the strategic analysis.
                               Process analysis will enable auditors to find the residual
                               risk that must be verified further in the analysis of residual
                               risk.

                               The process analysis consists of three steps:
                               •   understanding the process
                               •   assessing materiality
                               •   assessing risk
                               The risk assessment is made for both inherent risk (auditors
                               assess independently of established internal control
                               measures) and control risk (auditors assess whether
                               established control activities function).



 Understanding the process     In order to understand the process, auditors must conduct a
                               systematic collection of information. Based on this
                               material, auditors then compile a process description that
                               covers:




Page 16                        Guidelines for financial auditing
                                             The audit process


•   process goals
•   process activities
•   information flow in the process
•   accounting transactions that influence the process
Auditors must ensure that the collection of information
provides a sufficiently good basis for both an audit of the
accounting and for compliance.

Based on the information collected from the strategic
analysis, auditors identify the goal or goals that the entity’s
management has set for the process. Process goals describe
what the process is intended to attain and must be
connected to the entity’s principal goals and strategies.
Most processes will have several goals.

Auditors must then identify and describe the various
activities that the process consists of. Process activities are
the work operations the entity carries out to achieve the
process goals.

Information flow consists of data that goes in, through and
out of the process. Auditors must acquire an overview of
the information flow and assess it.

As the final step in understanding the process, auditors
must acquire an overview of any accounting transactions
that are influenced by the activities in the process.



Assessments of materiality at process level represent an in-      Assessing materiality
depth study of relevant factors derived from the assessment
of materiality in the strategic analysis. It is mainly
qualitative materiality factors that are included in the
assessment, but it is also possible for auditors to assign
quantitative materiality down to process level if this is
deemed appropriate.



Risk assessment in the process analysis is divided into three     Assessing risk
parts.

On the basis of the information collected by the auditors,
through “understanding the process” and “assessing
materiality”, auditors identify the risk elements of the
process and connect these to the relevant assertions. For
each element of risk auditors must identify the control
activities in the process and if relevant how these are
supervised by the management. The control activities can
be identified simultaneously with the process activities.

Auditors must estimate the probability and consequence of
each element of risk, irrespective of the established control
activities (inherent risk). Auditors must also test whether



                             Guidelines for financial auditing                            Page 17
                                  The audit process


                                  established control activities function. If auditors assess the
                                  control activities as having a risk-reducing effect, they can
                                  choose to build on them in the audit and reduce the scope
                                  of substantive testing. In this event, auditors must obtain
                                  evidence with tests of controls to substantiate the
                                  functioning of the control activities. Finally, auditors assess
                                  the probability and consequence of each element of risk on
                                  the prerequisite that the established control activities are
                                  functioning (control risk).

                                  As the final step in the process analysis, auditors evaluate
                                  the estimated risk to identify any residual risk that must be
                                  followed up by further review procedures. The estimates
                                  can have four possible outcomes based on the combinations
                                  of high and low for probability and consequence.

                                  Risk elements that are assessed as having low probability
                                  and low consequence can be given low priority in the
                                  subsequent audit. Risk elements that are assessed as having
                                  high probability and high consequence must always be the
                                  object of further auditing. For risk elements that are
                                  assessed as having other outcomes, auditors must assess in
                                  each individual case whether the element of risk is to be
                                  addressed further.

                                  The process analysis is to be documented. For the risk
                                  elements that are not to be followed up by further
                                  monitoring, the assessment must be supported by audit
                                  evidence.

                                  If residual risk is identified in the process analysis, auditors
                                  must take the risk elements further for an analysis of
                                  residual risk through substantive tests.



                                  3.1.7    Analysis of residual risk

 PROSIT’s navigation tree:        The purpose of analysing residual risk is to test the
                                  management’s assertions relating to the submission of the
                                  financial statements and their accompanying dispositions.
                                  Auditors must plan and implement audit procedures in
                                  order to collect audit evidence that can with reasonable
                                  assurance substantiate their opinion as to whether the
                                  management’s assertions have been fulfilled. To determine
                                  the scope of the audit procedures that are required, auditors
                                  use the audit risk model.

                                  Analysis of residual risk consists of four steps:
                                  •   defining audit objectives for the assertions
                                  •   identifying remaining audit procedures
                                  •   planning the remaining auditing work
                                  •   implementing the audit procedures
   Setting audit objectives for
   the assertions


Page 18                           Guidelines for financial auditing
                                             The audit process


The purpose of defining audit objectives is to enable
auditors to work in a goal-oriented, efficient and effective
manner in order to decide whether the management’s
assertions have been fulfilled, and thus to draw a
conclusion for the entity.

All the assertions are broken down to form one or more
audit objectives. The audit objectives describe the quality
the financial statements are to have at reporting date.
Through strategic analysis and process analysis auditors
have acquired knowledge about the entity and its processes.
This knowledge is critical to enable them to set good audit
objectives.

The audit objectives give auditors a better basis for
collecting necessary and sufficient evidence for important
and material matters connected to the accounts and their
accompanying dispositions before they assess whether the
assertions have been met. Auditors must limit the number
of audit objectives to those that are necessary to conduct an
appropriate and adequate audit.



Auditors must identify audit procedures that ensure that
residual risk is followed up, as well as audit procedures that
verify that previously procured evidence can be carried           Identifying remaining audit
forward to 31 December. They must also ensure that                procedures
compulsory procedures are implemented.


The audit procedures must contain information about how
they are to be carried out, their scope, and the date for their
implementation. They must also be seen in the light of the
audit objectives. In this context auditors must check
whether audit evidence procured previously in the audit is
included to support the audit objectives adequately so that
further procedures are unnecessary.

For some entities, the scope of the remaining audit
procedures can be so extensive that it is difficult to handle
them collectively. In such cases it will be appropriate to
organise them into several audit programmes.

Once auditors have identified the remaining audit
procedures, they have acquired a foundation for updating
the plan that was drawn up according to the strategic             Plan for the remaining
analysis. The plan is to include the remaining work to be         auditing work
done on the assignment and is to help the audit to be
managed and conducted in an appropriate, efficient and
effective manner.

The plan is to contain information about organisation, an
estimate of resources required, and the time schedule for
carrying out the remaining work. The plan for the



                             Guidelines for financial auditing                             Page 19
                              The audit process


                              remaining auditing work must go through a quality
                              assurance process.

                              When auditors implement the audit procedures they must
                              record the outcome of each procedure – the
                              findings – irrespective of whether errors have
                              been detected or not. If the procedure reveals
                              errors, it must be made clear whether or not the
                              error is in the accounting, and also the extent to which it
                              may be significant for subsequent conclusions. Auditors
                              assess the findings of each procedure.

                              In the course of the audit, auditors must consider
                              the way in which they are to communicate the
                              findings to the entity. The purpose of
                              communicating audit findings is to contribute to
                              preventing future errors and omissions and to clarify any
                              misunderstandings and misinterpretations. It is therefore
                              important for auditors to communicate with the entity
                              during the audit before conclusions are drawn.



                              3.1.8   Conclusions
  PROSIT’s navigation tree:
                              The purpose of the conclusions is to summarise the results
                              of the auditing work. Auditors must base their conclusions
                              on the procured audit evidence and audit findings from all
                              the audit procedures that have been conducted throughout
                              the audit process. The conclusions will draw on the
                              auditors’ professional judgement and the deliberations they
                              have made on materiality for the entity in question. Before
                              the conclusions can be drawn, auditors must verify that
                              required and sufficient audit evidence is available to form a
                              basis for reaching a conclusion of reasonable assurance, i.e.
                              with acceptable audit risk.

                              To assist auditors in drawing the various strands together,
                              the conclusions are reached on three levels:
                                  •   conclusion for each audit objective
                                  •   conclusion for each assertion
                                  •   conclusion for the entity



                              Auditors must draw conclusions for all the audit objectives.
 Conclusion for each audit    These are made on the basis of the procured evidence and
 objective                    the findings that are available for the audit procedures
                              under each audit objective. Auditors must take into account
                              any corrections that the entity may have made as a result of
                              the findings.

 Conclusion for each          Auditors must draw conclusions for all the assertions.
 assertion                    These are made on the basis of the conclusions for the audit
                              objectives that cover the assertion in question. In this



Page 20                       Guidelines for financial auditing
                                            The audit process


context auditors must also take into account any audit
evidence that has been acquired and must document “non-
prioritised elements of risk” that can be linked to the
assertion.

Finally, in keeping with the dual audit objective, auditors
reach a total conclusion for the entity. In this total          Conclusion for the entity
conclusion auditors must decide whether or not there are
material errors and omissions in the financial statements
submitted and whether the dispositions on which the
accounts are based comply with parliamentary decisions.

The conclusion for the entity is made on the basis of the
conclusions for all the assertions. In this context auditors
must also take into account any audit evidence that has
been acquired and must document “non-prioritised
elements of risk” from the strategic analysis that can be
linked to the dual audit objective.

Auditors must document and substantiate their conclusions
with reasons and audit evidence.



3.1.9   Reporting

The purpose of reporting is to inform the entities and the
Storting about the result of the performed audit.

The OAG reports annually to the entities through the            Concluding audit letter to the
concluding audit letter. The audit letter states whether or     agencies
not material comments have been made on the entity’s
submitted accounts with their accompanying dispositions.
No concluding audit letter is sent for the ministries’
financial statements.

Each year the OAG gives the Storting all the information        Document no. 1 to the Storting
about the result of the annual audit in Document no. 1,
which is compiled for each ministry. The document reports
on the audit in general and gives specific details about the
audit of the financial statements, management and goal
achievement as well as about performance reporting to the
Storting on the annual budget, management of subordinate
bodies, grant administration etc. Factors that the OAG has
noted in connection with the performed audit and the
ministries’ reply to items that have been addressed in the
concluding audit letter must also be described in Document
no. 1.

Special guidelines and guidance have been drawn up for
the written reporting to both the entities and the Storting.




                            Guidelines for financial auditing                               Page 21
          The audit process


          3.2 Key documents
          3.2.1   Documents produced internally

          The OAG compiles a general risk assessment for each
          ministry, cf. template for joint overall risk analysis for
          ministry X. The risk assessment is common for all types of
          audit, it is conducted at the same time, and it forms the
          basis for collaboration and exchange of experience. Much
          of the information that the general risk assessment draws
          on is also used by auditors in the strategic analysis of the
          ministries and entities.

          In order to provide information and assessment, parts of the
          strategic analysis should be conducted during the first three
          months of the year. The work on the strategic analysis can
          begin once the appropriations decision has been taken and
          letters of allocation have been formulated. This applies to
          both the ministry and to the principal subordinate agencies
          since these may be of importance for the overall assessment
          of the ministerial area.



          In accordance with the OAG’s standards, an audit plan
          must be drawn up for each audit assignment. The plan is to
          contain priorities, organisation, an estimate of resources
          required, and a work schedule. The plan is normally
          approved by the head of division.

          The Secretary General sets the deadline for the completion
          of the audit plans. The audit plan should be finalised before
          the process analyses begin.

          If auditors subsequently find new information or become
          aware of changes made to the allocations or to the
          prerequisites assigned to them, adjustments to the audit
          plan may be required.



          According to the guidelines for written audit
          communication, all the entities – with the exception of the
          ministries – must receive a concluding audit letter from the
          OAG, cf. guidelines and templates for the concluding audit
          letter. Since the OAG maintains its dialogue with the
          ministries until Document no. 1 has been drawn up, no
          concluding audit letter is prepared for the ministries.



          The OAG reports the auditing work annually in Document
          no. 1 to the Storting, cf. template and internal routines for
          reporting to the Storting about the Office of the Auditor
          General’s audit and monitoring activities (Document no. 1).




Page 22   Guidelines for financial auditing
                                             The audit process


The department that is responsible for auditing the Ministry
of Finance prepares a joint statement concerning the central
government accounts in collaboration with the other
financial auditing departments.



3.2.2   Some key documents from the Storting and
        government administration

The Government submits a budget proposition (Proposition
no. 1 to the Storting) within six days of the opening of
parliament in the autumn. In accordance with the Storting’s
rules of procedure, the budget recommendations from the
committees involved must be deliberated by 15 December
at the latest.

The Storting undertakes two main budget revisions. An
aggregate budget proposition must be submitted by 15 May
(the revised national budget). The Storting approves the
changes during June. The second main revision is
conducted in December (the new final budget).

In addition the Storting approves appropriations for
individual cases.



The Ministry must send letters of allocation to subordinate
bodies as soon as the Storting has taken the appropriations
decision. If the Storting changes the allocations, the
ministry must send out supplementary letters of allocation.

The letters of allocation often contain precise information
about the intentions of the Storting’s allocation as well as
more specific requirements regarding results.



The entities submit the financial statements and the annual
report to the supervisory ministry. The deadline for
reporting is usually included in the letter of allocation.
Requirements regarding reporting to the ministries are also
stated in the regulations for financial management in
central government and the accompanying provisions.

There must be agreement between the reporting
requirements in the letter of allocation and those in the
annual report, and ensuring that this is the case is part of
the financial audit.



At the beginning of March the ministries send “Notes to the
central government accounts” to the OAG. These give an
explanation of any non-compliance between budget figures



                             Guidelines for financial auditing   Page 23
          The audit process


          and accounting figures for the appropriations accounts. The
          explanations are given at item level, i.e. the same
          specification as that used by the Storting in its
          appropriations decision.

          Around the end of April or the beginning of May the
          Ministry of Finance presents the central government
          accounts in Report no. 3 to the Storting. The central
          government accounts consist of two main parts: the
          appropriations accounts and the capital accounts. In
          addition to the accounting statements, the report also
          contains comments on the results with regard to the
          different programme categories.



          Pursuant to the Appropriations Regulations, the results
          must be reported in the budget proposition after the fiscal
          year.

          Auditors must ensure that the ministry’s report to the
          Storting is in keeping with the budget.



          3.3 The audit process – from start to finish
          Figure 2 gives a graphic presentation of the main activities
          of the financial audit and the key documents that are
          described above.




          Figure 2 The audit process and selected key documents

Page 24   Guidelines for financial auditing
                                            The audit process




The lightly shaded documents directly under the time line
are those that are compiled by the Storting and government
administration. The darker documents below these are
prepared in the OAG. The length of the various phases in
the figure does not express the amount of work involved at
each individual phase.

Auditors work on two audit years in parallel, but on
different steps in the audit process. Auditors conclude one
audit at the same time as they start on the next.




Explanation of the colours in the figure:




                            Guidelines for financial auditing   Page 25
                                   4 Basic auditing terms
 Basic auditing terms:             Financial auditing in the OAG draws on recognised
                                   auditing principles. Well-known terms such as assertion,
 •   assertions                    materiality, audit risk, audit procedures and audit evidence
 •   materiality                   are also fundamental to our auditing work.
 •   audit risk
 •   audit procedures              To the extent it has proved necessary, the content of the
 •   audit evidence                terms has been adapted to the auditing of government
                                   agencies.



                                   4.1 Assertions
                                   The audit objectives are broken down into assertions.
                                   Contrary to private sector auditing, where assertions
                                   concern the correctness of the accounts, the OAG has two
                                   sets of assertions related to its dual monitoring task.

                                   The entities submit financial statements annually that must
                                   contain “correct” information about the entity’s activities
                                   during the period in question. The accounts must give a
                                   correct picture of how the budget has actually been
                                   employed. For the accounting information to be correct, it
                                   must have certain qualitative features. When the
                                   management submits the financial statements, they “assert”
                                   that the information has these features. Using an audit of
                                   the accounting, the task of financial auditing is to verify the
                                   quality of the accounts and thus show that the assertions are
                                   valid.

                                   However, for government agencies it is not sufficient
                                   merely to submit correct financial statements. It is also the
                                   duty of the entities to follow certain requirements and
                                   instructions – for example those resulting from the annual
                                   budget resolutions in the Storting as well as other specific
                                   framework conditions that apply to government
                                   administration. When government agencies submit their
                                   financial statements, in addition to claiming that the
                                   accounts are correct they therefore assert that the
                                   dispositions carried out comply with the specific
                                   framework conditions. Financial auditing confirms these
                                   assertions through the compliance process.

                                   To enable auditors to make a statement as to whether the
 Assertions and audit objectives
                                   financial statements and the dispositions on which the
                                   accounts are based comply with parliamentary decisions,
                                   they must collect sufficient and appropriate audit evidence.
                                   The correctness of the financial statements and the budget
                                   appropriations depend on the assertions being free of
                                   material errors. When auditors make the risk analysis, it is
                                   important to link the risk elements to the assertions that are
                                   threatened.




page 26                            Guidelines for financial auditing
                                         Basic auditing terms


When auditors are to draw their conclusion, the conclusion
represents a statement of the extent to which the assertions
are free of material errors.

Our dual monitoring task can complicate the conclusions                  Conclusion vis-à-vis assertions
somewhat, depending on which assertions auditors regard
as encumbered with material errors.

When auditors are of the opinion that one or more of the
assertions in the financial statements are encumbered by
material errors, one or more of the assertions concerning
the dispositions will often also contain errors. Cases may
also arise where the material errors are only related to one
set of assertions. An example of this is when auditors do
not find material errors in the actual accounts, but reveal
that the budget has not been appropriated in compliance
with parliamentary decisions. It may be that large parts of
the budget have still not been used or have been employed
for purposes other than those stated in the decision.

The overview below shows the two sets of assertions used
for an audit of the accounts and for the compliance of
dispositions.

               Audit of the accounts

Result         Validity                  Correct
                                         measurement
                                                               Completeness     Correct
Balance        Existence   Ownership Valuation                                  classification and
                                                                                presentation




               Compliance of dispositions

Appropr-       Parliamentary decisions      Laws and regulations       Norms and standards for
iation of                                                              financial management in the
funds                                                                  central government



4.1.1 Assertions for an audit of the accounting

Assertions that are related to an audit of the accounting
draw on general auditing theory and international auditing
standards.

The assertions are somewhat differently defined for balance
sheet items and profit and loss items since balance sheet
items relate to the situation on balance sheet day, while
profit and loss entries describe the flows during the period.




                            Guidelines for financial auditing                                    Page 27
                                   Basic auditing terms


                                   Existence
 Assertions: balance sheet items   A balance sheet item (asset or liability) represents an actual
                                   figure on the closing date.

                                   Ownership
                                   A balance sheet item represents a right or a liability for the
                                   entity on the closing date.

                                   Correct valuation
                                   Assets and liabilities are assessed in accordance with
                                   accepted valuation rules.



 Assertions: profit & loss items   Validity
                                   Transactions that are recorded in the accounts are related to
                                   the entity and to the period during which they have been
                                   recorded.

                                   Correct measurement
                                   All revenue and expense flows during the period are
                                   recorded correctly.


 Assertions: the entire accounts
                                   Two of the assertions apply for all the information in the
                                   accounts.

                                   Completeness
                                   All the relevant information has been included in the
                                   accounts.

                                   Correct presentation and classification
                                   All the entries in the accounts are correctly classified and
                                   correctly described.



                                   4.1.2 Assertions for compliance

                                   Three assertions have been derived for compliance. These
                                   are based on a three-part division of the definition and
                                   objective of financial auditing:
                                   • The dispositions comply with parliamentary decisions
                                   • The dispositions comply with laws and regulations
                                   • The dispositions are acceptable on the basis of norms
                                     and standards for financial management in the central
                                     government




Page 28                            Guidelines for financial auditing
                                         Basic auditing terms


4.1.2.1   The dispositions comply with parliamentary
          decisions

This assertion is related to the entity’s primary tasks in the
individual accounting year. Parliamentary decisions can
also cover secondary tasks through decisions about
downsizing, rationalising operations and the like. When
such decisions are taken, they will often entail a need for
the entity to follow them up separately as primary goals for
the period in question.

Government agencies are established to carry out certain
tasks. Their framework conditions are set by the Storting –
for example through the annual budget resolutions. At the
same time, the entities are given allocations from the
Storting to enable them to perform their tasks. The
decisions and intentions that result from the budget
proceedings govern the operations and the performance of
tasks in the entities.

It is not always easy to interpret the parliamentary
intentions behind a decision. The decision itself will often
be worded very briefly, which means that supplementary
information may be required to clarify the intentions on
which the Sorting has based the decision. Such information
is primarily found in the documents that are fundamental
for taking the decision, i.e. recommendations and
propositions.



The Storting’s budget resolutions can be linked to specific      Budget decisions
performance targets, purposes or measures that it is
assumed the entity will accomplish by using the allocation.
These targets will be given in documents such as the budget
propositions and accompanying recommendations and
decisions. The requirement stating that the ministry is to
describe performance targets is stipulated in the
Appropriations Regulations. Section 2 states that the results
the entity is intended to achieve must be described in the
draft budget. Section 13 of the regulations sets the
following requirement for the ministry’s performance
reporting:

”Details of results achieved for the last accounting year
shall be given in the relevant budget proposition along with
other accounting information that is of importance for
assessing the draft budget for the coming year.”

The intentions may relate to particular parliamentary
                                                                 Intentions
decisions in which, through parliamentary documents, it
has been decided to set up an entity to perform the defined
tasks. The intentions can also be connected to the Storting’s
budget deliberations and to the relevant committees’




                            Guidelines for financial auditing                       Page 29
                           Basic auditing terms


                           definition of goals or requirements in the recommendations
                           to the propositions.

                           4.1.2.2   The dispositions comply with laws and
                                     regulations
                           We can divide the various regulations affecting this
                           assertion into two main groups depending on whether they
                           are linked to the entity’s primary or secondary tasks. The
                           regulations that are linked to the primary tasks are called
                           pertaining regulations, while those linked to the secondary
                           tasks are called general regulations.

                           The OAG is expected to report documented violations of
                           the law and other instances of non-compliance with laws
                           and regulations to the entity, and any material non-
                           compliance to the Storting. In general low tolerance is
                           shown for any breach of regulations in a government entity
                           since the administration must serve as an example with
                           regard to following laws and regulations.



                           The manner in which an entity’s primary tasks are to be
  Pertaining regulations   carried out and the defined performance targets that have
                           been set for resolving these tasks can be regulated by
                           legislation, parliamentary decisions, regulations, guidelines,
                           individual decisions etc., as well as through the policy
                           dialogue between the supervisory ministry and each
                           individual entity. Such overriding framework conditions
                           govern the entities’ performance of their tasks and are
                           termed pertaining regulations. The pertaining regulations
                           are normally ascribed to the individual ministry’s area of
                           work.



                           One of the primary tasks of government administration is to
  Examples of pertaining   determine and collect taxes and other dues. This task is
  regulations              carried out by several entities and is regulated in different
                           legislation such as the Tax Act, the VAT Act etc. with
                           accompanying regulations and annual decisions.

                           National insurance and benefits payments represent another
                           major government task. The framework conditions for
                           these payments can be found in the National Insurance Act
                           and its accompanying provisions, as well as in other
                           documents.

                           Similar pertaining regulations will govern the primary tasks
                           of most government agencies.

                           The scope of such pertaining regulations need not be
                           limited to covering only government agencies; they can
                           contain provisions that apply to both the private and public



Page 30                    Guidelines for financial auditing
                                       Basic auditing terms


sectors. In some cases the primary task of a government
entity may be to monitor that the regulations are followed.


                                                               General regulations
Certain regulations have provisions that all government
agencies must follow and are therefore classified as general
regulations. General regulations are established to ensure a
uniform, open and documented budget and accounting
process and uniform government personnel administration.
For most entities this will be related to secondary tasks or
to support functions for the performance of their tasks.



The Appropriations Regulations, the Public Procurement
                                                               Examples of general
Act and various laws and statutory provisions that apply for
                                                               regulations
government personnel administration are examples of
general regulations.

The Appropriations Regulations have been adopted by the
Storting and represent the overriding regulations for the
administration of government resources that apply to all the
entities.

The Public Procurement Act with accompanying
regulations is applicable for most government
procurements.

The Worker Protection and Working Environment Act, the
Civil Service Act, the Freedom of Information Act and the
Public Administration Act are examples of general
regulations for personnel administration in the public
sector. The Civil Service Handbook contains an overview
and an interpretation of key Acts and statutory provisions
etc. that are applicable for government personnel
administration. The handbook also contains decisions on
principles and guidelines that have been drawn up through
experience. The manner in which the handbook is
structured means that only parts of the provisions are
included in general regulations, while the other parts will
normally be incorporated into Assertion 3 concerning the
dispositions being acceptable on the basis of norms and
standards for financial management in the central
government.




4.1.2.3   The dispositions are acceptable on the basis of
          norms and standards for financial management in
          the central government

Norms and standards for financial management in the
central government are provisions that can be both
guidelines and instructions for the entities. These



                           Guidelines for financial auditing                         Page 31
          Basic auditing terms


          provisions often give the entities room for individual
          adaptation within the defined limits, but are frequently
          more detailed and have a more operative angle than the
          regulations described in Assertion 2.

          These norms and standards are largely governed by both
          the regulations and the provisions for financial
          management in the central government. In addition, more
          precise and detailed stipulations resulting from the Ministry
          of Finance’s circulars will set norms for government
          financial management.

          According to the regulations, entities must compile more
          detailed instructions and guidelines to ensure good internal
          financial management and risk management. Such
          instructions and guidelines will also represent norms and
          standards for financial management.

          Other provisions must be drawn up for entities that are
          exempt from general provisions, but such provisions must
          be compiled within the authorisations that will set norms.



          4.1.3 Connection between the financial auditing
                assertions and criteria for information for IT
                auditing

          The purpose of this section is to show the connection
          between financial auditing assertions and criteria for
          information for IT auditing with the aim of strengthening
          the integration of IT auditing as part of financial auditing
          and creating a shared understanding of the various terms.
          IT auditing constitutes an essential tool for supporting
          financial auditing, particularly in entities that largely carry
          out their tasks and reporting by using large and complex IT
          systems.

          ISACA and IIA have drawn up some common criteria for
          how information in IT environments arises, is presented
          and is applied. These are criteria towards which the
          conclusions of the internal audit are directed and which IT
          auditors have found appropriate to use in their work.




Page 32   Guidelines for financial auditing
                                         Basic auditing terms



Goal orientation        Information must be relevant to the
                        entity’s needs, updated, and delivered in
                        a form that is
                        •   punctual
                        •   correct
                        •   consistent
                        •   applicable
Efficiency and          Information must be procured and made
effectiveness           available through the optimal use of
                        resources (in terms of both productivity
                        and economy).

Confidentiality         Classified information must be protected
                        from unauthorised access or
                        presentation.

Integrity               Information must be precise, complete
                        and valid, and in accordance with
                        commercial values and expectations.

Availability            Information must be available when
                        required for the business process – both
                        now and in the future. This also applies
                        to protecting necessary resources.

Compliance              Information must satisfy the legislation,
                        regulatory measures, regulations and
                        contractual agreements to which the
                        business process is subject – for
                        example externally imposed
                        requirements regarding information.

Reliability             Information must be expedient and
                        appropriate
                        • for the management in their
                          governance of the entity
                        • for the management’s performance
                          of financial and (statutory) imposed
                          reporting tasks



The assertions towards which the conclusions of the
financial auditing are directed and the criteria that form the
basis for IT auditing assessments have different content. It
is therefore necessary to recognise the connections to
enable auditors to identify where an IT audit is appropriate
so that the financial audit will be targeted, efficient and
effective in relation to identified risk.

In many cases IT environments support entity processes
and provide important information that the OAG draws on
in its auditing. The information includes descriptions,



                            Guidelines for financial auditing       Page 33
                                 Basic auditing terms


                                 assessments, figures, decisions and transactions that are
                                 processed and stored. Accounting figures or other reports
                                 are aggregated on the basis of information in the entity. In
                                 some cases the figures are founded on information and
                                 professional judgements in pre-systems. Auditors are then
                                 dependent on assessing the information in the pre-systems
                                 – for example the administrative procedure systems
                                 INFOTRYGD (the National Insurance Administration) or
                                 ARENA (the Norwegian Public Employment Service).



                                 When IT systems are to be assessed, auditors who have
                                 adequate IT expertise must contribute to the assessment of
                                 the information that forms the basis of the auditing work.
                                 These assessments will determine how the audit should be
                                 conducted and the extent to which auditors can utilise tests
                                 of controls in their work.

                                 In financial auditing findings are assessed by comparing
                                 them with the assertions. It is therefore necessary to see the
                                 connection between the above information criteria and the
                                 financial auditing assertions.

                                 Appendix 1 gives a table that shows this connection
                                 between the financial auditing assertions and the IT audit
                                 criteria.



                                 4.2 Materiality
                                 The OAG’s standard for materiality states:

                                 18
                                 Auditors shall make assessment of materiality to enable
                                 them to perform an economic, efficient and effective audit.

Definition of materiality        Auditors shall regard errors and omissions as material in
                                 cases where the users would probably have made other
                                 assessments and taken other decisions if they had been
                                 aware of the errors.

Quantitative materiality limit   Materiality in financial auditing is seen in relation to the
                                 fact that the information can contain errors or omissions or
                                 can be based on professional judgement. The costs of
                                 avoiding all errors and omissions can be so great that they
                                 exceed the benefit of such high precision. Errors of a
                                 certain size must therefore be accepted (materiality limit)
                                 provided that this is not of significance for the entity’s
                                 ability to implement the Storting’s budget resolutions and
                                 intentions or is not of critical importance for the users of
                                 the information.




Page 34                          Guidelines for financial auditing
                                          Basic auditing terms


The assessment of materiality is based on both quantitative
and qualitative considerations and is one of the factors that
governs what is to be audited and the scope of the audit that
is to be conducted. Errors that are due to random or
unintentional actions are normally assessed as less serious
than those that may result from deliberate actions.

For the OAG, the assessment of errors will depend on more        Qualitative materiality
than the size of the amount involved since smaller errors
can also have considerable fundamental importance for the
users.

There are many who use an entity’s financial statements,         Definition of users
and they may have different reasons for using the financial
information. The most important users of government
administration accounts are:
•   the Storting
•   the ministries and the Government
•   other government authorities and bodies
•   competing enterprises, customers and suppliers
•   the general public



4.2.1 Qualitative materiality

Auditors must always conduct a qualitative assessment of
materiality. Based on their total acquired knowledge of the
entity, they make an assessment of any violations of budget
resolutions, regulations and/or norms and standards that can
affect the users of the financial statements.

Examples of qualitative factors are:
• the entity’s goal achievement and its use of allocations
• factors in which the Storting has expressed particularly
  great interest and which it is appropriate for the OAG to
  monitor
• any suspicion of irregularity
• any suspicion that allocations have been misused despite
  the entity’s accounts appearing to be free of material
  errors
• any violation of regulations
• information that is to be used as a basis for allocations
  or decisions
• any change of special significance for the entity’s
  activities – for example changes in operations, tasks and
  organisation
Auditors must consider materiality throughout the audit
process. Qualitative material errors can be viewed in
correlation with fundamental errors – a combination that
represents two sides of the same coin.

Fundamental errors can constitute findings that do not
relate to figures, e.g. a breach of the law, regulations or



                             Guidelines for financial auditing                             Page 35
                              Basic auditing terms


                              instructions, the fact that action has been taken that is
                              contrary to parliamentary decisions, or that administrative
                              regulations – including norms and standards for financial
                              management in the central government – have not been
                              followed. An error that does not relate to figures cannot
                              automatically be defined as a fundamental error. The error
                              must be of a certain scope and/or a certain importance to be
                              termed fundamental. It is in the reporting phase, when the
                              conclusions are to be drawn, that auditors assess the type of
                              error that has been found and decide whether this error can
                              be regarded as material in its own right or together with
                              other findings. Auditors must exercise professional
                              judgement when assessing which errors are of such a nature
                              or scope that they must be considered as qualitatively
                              material.



                              4.2.2 Quantitative materiality

                              A quantitative determination of materiality is achieved by
Setting a materiality limit   setting a numerical value for how large an accounting error
                              must be for it to be accepted without auditors regarding the
                              accounts as containing material errors. Setting a materiality
                              limit has a dual purpose – the limit expresses the auditors’
                              specification of the users’ requirements for precision in the
                              financial statements, and the distribution of the limit is
                              intended to contribute to producing a more efficient and
                              effective audit.

                              Efficiency and effectiveness in the audit increases when a
                              larger proportion of the materiality limit is ascribed to
                              entries that demand considerable work for their
                              confirmation and a smaller proportion to those that are
                              easier to verify. It is particularly appropriate to use this
                              technique in combination with statistical methods.
                              However, it is also utilised to set limits for acceptable non-
                              compliance with analytical audit procedures and to assess
                              transactions that have been made according to professional
                              judgement.

                              Auditors’ professional judgement is used as a basis for
                              determining the materiality limit. Auditors can
                              discretionally distribute materiality among entries in the
                              accounts or among transactions or transaction groups if this
                              is deemed appropriate.

                              Auditors must document the grounds for the materiality
                              limit that is set.




Page 36                       Guidelines for financial auditing
                                         Basic auditing terms


4.3 Audit risk
In practice it is impossible to conduct an audit with 100 per
cent assurance of detecting all material errors in the
employment of the budget and in the accounts. Attempts to
procure absolute evidence would be demanding and in
some cases impossible. Auditors do their utmost to ensure
that their assessments have high, although not absolute,
assurance.

The OAG’s auditing standards 19 and 22 state the
following about risk assessment and audit risk:

19
Auditors shall make risk assessments for all audit work
undertaken by the Office of the Auditor General, and the
assessments shall form part of the process that is
implemented to ensure that the audit is economical,
efficient and effective.


22
Auditors shall use professional judgement in their
assessment of the audit risk, and shall implement the audit
procedures that are necessary to reduce this risk to an
acceptable level.

The audit risk model is a model that helps auditors to
determine how comprehensive the audit work must be to
attain the desired assurance for the conclusions. The model
consists of four elements: audit risk, inherent risk, control
risk and detection risk.



Inherent risk is the probability that in the financial            Inherent risk
information or in the entity in general there are dispositions
that cannot be accepted, or errors and omissions that are
material – either in their own right or when aggregated –
when any possible internal control measures are ignored.

The next three risk factors are conditional on there being
material errors or omissions etc.

Control risk is the probability that a material error or
omission will not be prevented or detected and corrected
within reasonable time by the accounting or internal control     Control risk
systems.



Detection risk is the probability that the auditors’             Detection risk
substantive tests will not detect the errors that the
accounting or internal control systems do not discover.




                            Guidelines for financial auditing                     Page 37
             Basic auditing terms




Audit risk   Audit risk is the overall probability that on completion of
             the audit there will be material errors or omissions that
             have not been detected.

             Audit risk is the product of the risk factors described above.




               Revisj-              Iboen          Kontr -          Oppdag-
                risi       =         risi    *      risi      *      risi



             Figure 3 Connection between the risk elements in auditing



             Inherent risk and control risk must be estimated by the
             auditors, while audit risk can be calculated. Setting audit
             risk also determines detection risk. Detection risk
             determines the number of substantive tests the auditors
             must conduct.



             Detection risk will then be:



                                                       Revisjons-
                                                         risiko

               Oppdagelses-
                  risiko          =
                                             Iboende             Kontroll-
                                              risiko      *       risiko


             Figure 4 Detection risk



             Detection risk expresses the extent of the audit evidence
             that must be procured through substantive tests. Tests of
             controls are carried out to confirm the assurance auditors
             ascribe to the internal control. If the internal control does
             not function as intended, detection risk must be increased
             and the possible number of substantive tests raised.



             Auditors base their determination of the levels of inherent
             risk and control risk on the results of the strategic analysis
             and the process analysis.



Page 38      Guidelines for financial auditing
                                         Basic auditing terms


Auditors can define inherent risk and control risk together
or separately. To define these two components in the model,
auditors should assess both the entity’s risk and the risk that
the accounting information contains material errors that are
due to intentional or unintentional actions.

Ultimately it is the auditors’ professional judgement that
decides how inherent risk and control risk are to be
determined. In general, detection risk is also set by
professional judgement. The model must therefore be used
with caution.



4.4 Audit procedures
The purpose of implementing audit procedures is to acquire
adequate and appropriate audit evidence to substantiate
auditors’ assessments and conclusions of the defined audit
objectives. Audit procedures can be implemented as
• procedures for risk assessment
• tests of controls
• substantive tests



4.4.1 Procedures for risk assessment

Auditors carry out procedures for risk assessment in the          Procedures for risk assessment:
strategic analysis and process analysis to gain an                • enquiries to the
understanding of the entity and its risk management. This            management and others
provides the basis for making risk assessments.                   • analytical procedures
                                                                  • observation and inspection
Auditing standard 16 concerning internal control states:

16
Auditors shall make a preliminary assessment of the risk
management procedures of the entity that are relevant for
the audit.

The preliminary assessment is referred to as procedures for
risk assessment since some of the information that is
obtained through such procedures can be used as audit
evidence to substantiate risk assessments. In some cases the
procedure can procure audit evidence on the
appropriateness of risk management measures or the
correctness of the assertions.

Auditors can plan and conduct tests of controls or
substantive tests simultaneously with the procedures for
risk assessment. Procedures for risk assessment must
always be carried out to ensure a satisfactory basis for
strategic analysis and process analysis. Such procedures are
not sufficient in themselves to allow statements about the
dispositions and the accounts to be made, but must be



                            Guidelines for financial auditing                              Page 39
                              Basic auditing terms


                              supplemented with substantive tests and possibly also with
                              tests of controls.

                              To assess the entity’s risk management, the control
                              measures must be evaluated in the process analysis. Among
                              other factors, this entails determining that the measures are
                              in place and that the entity uses them.

                              Procedures for risk assessment must be carried out in order
                              to gain an understanding of the entity, including its risk
                              management.




Enquiries to the management   In this context, management and others includes those who
and others                    are responsible for defining goals for the entity, those
                              responsible for reporting the accounts and the internal
                              auditing, and financial and operative staff. As a rule,
                              enquiries must be directed towards several individuals. The
                              decision as to whom the enquiries are to be directed and
                              how searching they should be is based on whether the
                              expected information will help to identify risk elements.
Analytical procedures:        Analytical review procedures can be useful for identifying
• trends analysis             unusual transactions or incidents and also amounts, ratios
• ratio analysis              and trends that can indicate factors that have consequence
• analysis of business        for the annual accounts and auditing. When conducting
  expectations                analytical review procedures such as the procedure for risk
                              assessment, auditors develop expectations about possible
                              correlations that can reasonably be expected to exist. A
                              distinction is made between analytical procedures such as
                              procedures for risk assessment, and analytical procedures
                              such as substantive tests.

                              Trends analyses are analyses of changes that have occurred
                              since previous periods. There are a number of analysis
                              techniques – for example comparing periods that are
                              appropriate in the planning phase.

                              Ratio analyses are methods that show correlations between
                              various financial information. They are particularly useful
                              in cases where ratios can be calculated for a sufficient
                              number of years to enable the development in the financial
                              information to be viewed and evaluated.

                              Analyses of business expectations involve utilising
                              calculations or a series of calculations to forecast
                              expectations regarding future financial information on the
                              basis of current financial data.



 Observation and inspection   Observations and inspections can be used to support
                              enquiries to the management and others, but can also
                              provide information about the entity. The term covers the



Page 40                       Guidelines for financial auditing
                                           Basic auditing terms


observation of activities in the entity: inspecting documents
(plans and strategies), records and the risk management
handbook, and examining management reports, budget,
accounts and policy dialogues. It also covers visits to the
entity and its operational premises as well as following
transactions through information systems.

It is not necessary to use all three procedures for each of the
sources information that is described in the strategic
analysis and the process analysis, but all the procedures
should be used in the analysis.



4.4.2 Tests of controls

Auditing standard 17 concerning internal control states:

17
Should auditors choose to base the audit on appropriate
internal control activities, these activities shall be tested for
compliance.

Tests of controls are procedures that are conducted to test
                                                                    Tests of controls: used in
control activities that the entity’s management has
established to manage risk. Testing of controls such as audit       • the process analysis
procedures can have two purposes.                                   • analyses of residual risk

In the process analysis the purpose of tests of controls will
be to assess internal control by testing whether the
measures the management have initiated are satisfactorily
followed up. The result of this testing of controls
contributes to determining the scope and the angle of
approach for the substantive tests that must be performed to
procure sufficient audit evidence.

In the analysis of residual risk, auditors can use tests of
controls to procure evidence to show that the established
internal control measures and control activities function
when substantive tests alone do not provide adequate and
appropriate audit evidence.

Audits must perform tests of controls when the risk
assessment in the process analysis contains an expectation
that the risk management measures implemented by the
entity function as intended in the audited accounting
period. Since entities largely use information systems to
carry out both primary and secondary tasks, many risk
management measures are integrated into the IT
environment. If auditors are to use control activities in
information systems as a basis for their work, it is
important that both general controls and application
controls are tested.




                              Guidelines for financial auditing                                  Page 41
          Basic auditing terms


          Tests of controls should provide auditors with adequate
          evidence that risk management measures function as
          intended, i.e. that the measures have been implemented and
          that their quality is satisfactory. Different types of tests can
          be used to achieve this. Enquiries alone are not adequate
          evidence: other procedures should also be carried out –
          such as inspecting routine descriptions, observing the
          implementation of measures or verifying control activities.
          Enquiries, inspection and observation are discussed under
          procedures for risk assessment.

          Verification entails auditors carrying out procedures to
          investigate whether the measure has been correctly
          implemented by the entity. When verifying, auditors can in
          each case select a number of transactions to be tested
          against the measures that govern them. The selection must
          be made from all the transactions that have been subject to
          the measures in question.

          If risk management is assessed as satisfactory, auditors can
          procure appropriate evidence from the tests of controls,
          thus reducing the extent of the substantive tests required for
          the accounts to be certified, and can address the
          dispositions on which the accounts are based.



          4.4.3 Substantive tests

          Substantive tests are tests that are conducted to obtain audit
          evidence to prove that the financial statements and the
          dispositions on which they are based do not contain
          materially incorrect information when compared with the
          submitted assertions.

          Auditing standard 24 concerning audit evidence states:

          24
          When certifying accounts, auditors shall always carry out
          substantive tests.

          Substantive tests are direct tests of transactions and
          accounting items. They are intended to verify that the
          accounting information complies with the Storting’s budget
          decisions and intentions, as well as with legislation,
          regulations and relevant rules. Substantive tests are
          particularly necessary in cases where auditors cannot base
          their work on the entity’s risk management measures
          (internal control).

          The extent of substantive tests will depend on whether the
          entity has established internal control measures and on
          whether such measures function appropriately. The less the
          entity’s control measures appear to function, the higher the




Page 42   Guidelines for financial auditing
                                         Basic auditing terms


number of substantive tests that must be carried out by
auditors to achieve the same assurance in their assessments.

Auditors must attain the desired level of assurance in their
conclusions in the most efficient and effective manner, and
must therefore try to conduct the substantive tests that are
most appropriate in terms of both audit risk and time
consumption.



There are two types of substantive tests: detailed audit         Substantive tests:
procedures and analytical review procedures. When                • detailed audit procedures
auditors conduct detailed audit procedures, they check the       • analytical review procedures
information directly by examining certain transactions,
documents or assets. When they conduct analytical review
procedures, auditors assess variance and reasonableness in
the information after comparing it with historical data or
estimated expectations.



We distinguish between four types of detailed audit
                                                                 Detailed audit procedures:
procedures: inspection, observation, control calculations        • inspection
and enquiries/confirmations.
                                                                 • observation
                                                                 • control calculations
Inspections involve the auditors themselves checking the
                                                                 • enquiries/confirmations
financial information, transactions and documents (voucher
tests) or assets (physical tests) to ensure that the
information is correct when compared with the submitted
assertions about the accounts and the dispositions on which
they are based.

Observations are made when auditors consider the
activities that are carried out in the entity – for example
observation of inventory- and stock-taking.

Control calculations involve auditors checking the
calculations in documents – for example verifying that the
rates used for calculating dues are correct. For entities that
follow the Accounting Act, checking the writing-off of
assets can be a relevant audit procedure for auditors to
conduct.

By enquiries/confirmation we understand that auditors
gather information from persons within or outside the entity
– for example in the form of bank statements and
confirmations of balances.



Analytical review procedures are procedures that assess          Analytical review procedures:
variance and reasonableness in the available accounting          • Analytical substantive tests
information by comparisons, the use of ratios and other
similar techniques. Analytical review procedures provide




                             Guidelines for financial auditing                            Page 43
          Basic auditing terms


          auditors with indications of whether there are material
          errors in the information. An example of this can be large
          variances in the figures from one year to the next.

          When auditing critical accounting items that have a high
          audit risk, analytical review procedures alone are not
          sufficient but they must be combined with detailed audit
          procedures.

          Auditors must bear in mind that the figures in the accounts
          that are included in the analysis may be incorrect from the
          outset, and the analysis will thus give an invalid picture of
          reality. Any indications of errors must be followed up by
          other types of tests.

          One model for analytical substantive tests is:
          • predicting an expected result
          • setting the marginal value and identifying variances
            larger than the marginal value
          • identifying, checking and quantifying explanations of
            the variance
          An expected result is an estimate for an entry or parts of an
          entry. The marginal value is the difference between the
          expected result and the actual figure that can be accepted
          without further explanation. It does not represent actual
          errors but is a measure of acceptable uncertainty
          concerning possible errors. Auditors must set the marginal
          value beforehand, using either their professional judgement
          or statistical methods. The marginal value must be
          considered in conjunction with the materiality level that has
          been set for this or for the accounting items in question. A
          low materiality level indicates that only a small
          differentiation between expected result and actual figures
          can be accepted.

          If auditors find material variance between the expected
          value and the book value (i.e. variance that exceeds the
          marginal value that they have set in advance), more
          detailed investigations must be made to ascertain the extent
          to which the variance is the result of actual errors in the
          accounts or whether it is due to other factors. The causes of
          variance in the figures must always be considered and
          documented and, whenever possible, quantified. In cases
          where variance in the figures cannot be quantified, auditors
          cannot regard the audit evidence as satisfactory. Audit
          evidence must be of the same quality as the evidence for
          the detailed audit procedures, and fair conclusions must be
          drawn regarding the degree of assurance attained.




Page 44   Guidelines for financial auditing
                                          Basic auditing terms


4.5 Audit evidence
Audit evidence is the information auditors have acquired
and documented to substantiate their assessments and
conclusions.

The OAG’s auditing standard no. 23 sets requirements for
audit evidence:

23
Auditors shall procure audit evidence that is appropriate,
sufficient and necessary and that enables them to draw
conclusions on the objective or the issue involved.

The OAG’s right to demand information and access is
defined in Section 12 of the Auditor General Act, and in           Legal authority for the
accordance with Section 14 of the Act, audited entities must       acquisition of information,
make the preparations deemed appropriate for the audit.            Section 12 of the Auditor
                                                                   General Act
Audit evidence is gathered in all phases of the audit
process. It is possible from the very start of the audit to use
knowledge that has been acquired about the entity as
independent audit evidence. Should it prove relevant to use
information from previous years’ audits, auditors should
investigate whether changes have taken place that can
affect the validity of such evidence. New knowledge that is
acquired must update and supplement existing information.
The information collected forms a major part of the
auditors’ documentation.

Audit evidence is gathered through audit procedures.

To document the sufficiency and appropriateness of audit
evidence, auditors must make known:
• the audit evidence on which the assessments and
  conclusions are based (scope)
• from what or who the information has been derived
  (source)
• how the audit evidence has been procured (audit
  procedures)
• the period the evidence applies for, and the date it was
  acquired



Sufficiency is a measure of the scope of audit evidence.
Auditors must collect enough evidence to enable them to
substantiate their conclusions in relation to the audit            Sufficient
objectives. It may be difficult to express in absolute terms
how comprehensive the amount of evidence must be for it
to be considered sufficient, but the need increases
proportionally with the risk. If there is great probability that
a risk element will arise and that the consequence of this
will be of considerable significance, the auditors’




                             Guidelines for financial auditing                                   Page 45
                        Basic auditing terms


                        conclusions must be based on more extensive evidence than
                        in cases where the risk is less probable and less material.

 Necessary              It is important for auditors to be critical of the scope and
                        content of the information that is gathered. The standard
                        also contains a requirement that the information must be
                        necessary – in other words only information that is
                        necessary should be collected.

                        The quality of the audit evidence is significant for the scope
                        of the evidence that must be gathered. Auditors can base
                        their conclusions on a smaller scope if the evidence is of
                        high quality.

                        Auditors normally make use of audit evidence that is of a
                        more substantiating than absolute nature, and they will
                        often obtain audit evidence from different sources or of
                        different types. Auditors must assess the relationship
                        between the use of resources for collecting audit evidence
                        and the sufficiency and appropriateness of the information
                        that is obtained. However, the fact that it is difficult and
                        resource-consuming to collect audit evidence does not in
                        itself provide grounds for neglecting the process.



                        Appropriateness is a measure of the quality of the audit
 Appropriate            evidence, i.e. its relevance and reliability.

                        For evidence to be relevant, it must be valuable as
                        documentation for auditors’ conclusions in the light of the
                        individual audit objective or assertions. In this sense it is
                        important to be aware of what is to be proved when the
                        audit procedures are compiled and the collection of
                        evidence is undertaken. That the evidence is relevant also
                        entails that it is timely and that it applies to the audited
                        accounting period. It is particularly important to be aware
                        of the evidence’s timeliness in cases where it has been
                        procured at an early point in the audit process and may thus
                        represent only parts of the audited accounting period. The
                        total evidence must be representative for the entire audited
                        accounting period.



                        Evidence is reliable if it fulfils the necessary requirements
 Criticism of sources   set for credibility. The reliability of audit evidence is
                        affected by the source, internal or external, and by whether
                        it is visual, written or verbal.

                        Auditors must be critical of information that is gathered
                        from different sources. For example, consideration must be
                        given to whom the information has been produced by and
                        for, to the consequence this may have for the content, and
                        also to whether the content meets the auditors’ need. This



Page 46                 Guidelines for financial auditing
                                        Basic auditing terms


critical review of the sources and content contributes to
making auditors’ assessments of the most important risk
factors in the entity as accurate as possible. Auditors must
assess whether the sources satisfy the requirements for
audit evidence.

The following are used as a basis for the assessments:
• External audit evidence (e.g. confirmation received
  from a third party) is more reliable than audit evidence
  that has been generated internally.
• Audit evidence that has been produced internally is
  more reliable if the entity has effective accounting and
  internal control procedures.
• External evidence is more reliable if it has been
  procured directly by auditors than if it has been obtained
  by the entity.
• Audit evidence in the form of documents (on paper,
  electronically or via other media) and written statements
  is more reliable than verbal statements.
• Audit evidence in the form of original documents is
  more reliable than copies or faxes.



Assurance will be greater when there is a correlation
between audit evidence procured from different sources or
between different types of evidence. If information from
one sources does not correspond with that from another,
auditors must decide on the additional procedures that are
necessary to allow the information to be used as audit
evidence.




                            Guidelines for financial auditing   Page 47
                            5 Strategic analysis
Prosit’s navigation tree:   This chapter is intended to give auditors an understanding
                            of how they should conduct a strategic analysis, the
                            information they must gather and assess, and how they are
                            to document the assessments.

                            A strategic analysis must be conducted for all the entities
                            audited by the OAG, and also for the ministries. To carry
                            out the best possible general risk assessment per ministry
                            and to ensure an appropriate foundation for overall
                            reporting of the audit, the risk analysis for the assignments
                            that belong to the same ministerial area must be
                            coordinated and synchronised. One of the primary tasks in
                            ministerial assignments will be the management of
                            subordinate bodies.

                            The strategic analysis provides a general framework for the
                            auditing work. It is therefore important that those who
                            conduct the analysis have an adequate understanding of the
                            audit assignment plus good auditing expertise. Normally it
                            is the auditor who is responsible for the assignment who
                            conducts the analysis in cooperation with the division
                            manager and possibly others in the audit team.

                            According to the financial regulations, all entities must
                            establish an internal control system. The entity’s
                            management is responsible for ensuring that this system is
                            adapted to risk and materiality, that it functions
                            satisfactorily, and that it can be documented. Internal
                            control shall primarily be incorporated into the entity’s
                            internal governance. The provisions in the financial
                            regulations for central government stipulate that financial
                            management shall ensure that:
                            • defined objectives and performance requirements are
                              followed up
                            • the use of resources is efficient and effective
                            • the entity is run in compliance with laws and regulations
                            The ministries must ensure that the entities’ internal control
                            measures are satisfactory in relation to the above.

                            Pursuant to the OAG’s standards for assessing internal
                            control, auditors must make a preliminary assessment of
                            the entity’s risk management measures that are relevant for
                            the audit. To understand the entity, auditors conduct the
                            following:
                            • a preliminary assessment of the entity’s risk
                              management measures
                            • an identification and assessment of risk elements and
                              the management’s reaction
                            • an identification of internal factors




page 48                     Guidelines for financial auditing
                                            Strategic analysis


Auditors elaborate on their assessment of internal control in
the process analysis. If they choose to base their audit on
relevant control activities, these must undergo tests of
controls in the process analysis.

An important part of the strategic analysis is holding a
meeting/meetings with the entity’s top management where
subjects addressed include the entity’s risk management
and risk assessment. The auditor must adapt the
arrangements for such meetings to the entity under audit.

Expectations of the role of auditors in the prevention and
detection of irregularities have become higher. This means
that auditors must be fully alert to the presence of
irregularities in all parts of the audit. The audit team must
therefore separately assess the risk of the entity being
exposed to irregularities, and these assessments must be
documented. At this stage of the audit process, the main
challenge for the auditors is to keep the assessments at a
general rather than detailed level.

The strategic analysis consists of the following steps:


             Understanding the entity




               Assessing materiality




                   Assessing risk




            Planning further auditing


Figure 6 Steps in the strategic analysis

5.1 Purpose of the strategic analysis
• To plan a risk-based, efficient and effective financial
  audit: an audit of the accounts and to carry out a
  compliance process
• To provide a basis for discussion with the Board and
  management on objectives, risk and risk management
• To provide input to the general risk assessment
• To identify processes




                            Guidelines for financial auditing    Page 49
          Strategic analysis


          5.2 Understanding the entity
          Auditors must acquire an understanding of the entity that
          provides a satisfactory foundation for conducting an
          adequate and appropriate audit.

          Firstly, auditors must give priority to obtaining an overview
          of the entity’s primary tasks, i.e. the tasks that the Storting
          assumes the entity will perform and that form the basis for
          the establishment of the entity. Auditors must also be
          acquainted with the goals and performance requirements
          associated with the implementation of the year’s budget
          and with parliamentary decisions related to these.
          Knowledge of the entity’s framework conditions, any
          affiliation with the ministry in question, and the entity’s
          internal control system will also be of importance to
          auditors. In addition, updated basic data from the previous
          year’s audit provides them with a source that helps them to
          identify factors that are significant for understanding the
          entity and for subsequently identifying material risk
          elements for the entity.

          Auditors’ understanding of the entity can be divided
          systematically as follows:
          •   identifying the entity’s goals
          •   identifying external factors
          •   identifying internal factors
          •   analysing financial information and identifying
              processes



          5.2.1 Identifying the entity’s goals

          Government agencies shall be run within the framework of
          parliamentary decisions, and shall comply with current
          laws and regulations for administrating public resources.
          The entity’s goals stem from these framework conditions.

          Identifying the entity’s goals involves ascertaining the tasks
          it has been assigned. The entity’s tasks can be divided into
          three categories: primary, secondary and temporary tasks.
          Primary tasks are connected to the social tasks for which
          the entity has been assigned responsibility by the Storting.
          Secondary tasks are established to secure the operations of
          the entity, to ensure that the activities are run according to
          laws and regulations, and to enable the entity to submit
          accounts and to report the results attained. Temporary tasks
          are linked to assignments of a short-term nature and of
          limited duration.

          The entity’s goals are divided into primary goals (linked to
          its primary tasks) and secondary goals (linked to its
          secondary tasks).




Page 50   Guidelines for financial auditing
                                           Strategic analysis




The primary tasks of most entities are laid down in             Primary tasks
Proposition no. 1 to the Storting. More details may be given
in letters of allocation. Acts of law can govern the primary
tasks of some entities – for example the Taxation Act plays
a key role for the Inland Revenue Service. The ministries
are responsible for implementing and following up
parliamentary decisions. The management of subordinate
bodies will always represent a primary task for the
ministries.



The majority of entities have secondary tasks such as           Secondary tasks
staffing and payroll duties, purchasing and storage,
management and supervision, the annual submission of
accounts and reporting. Regulations for these tasks include
those relating to public procurement, the regulations for
financial management in the central government, and the
Civil Service Handbook.



Some of the entities’ primary and secondary tasks can be of     Temporary tasks
a temporary nature – for example reorganisation, relocation
and the introduction of finance systems. There will often be
a need for auditors to consider temporary tasks and to
assess their risk, particularly since such tasks normally
involve greater uncertainty with regard to goal
achievement. In addition, several users may have a
particular interest in temporary tasks and may therefore
also influence auditors’ materiality assessments of the
assignment.



Auditors must identify and document the entity’s primary
and secondary goals.



5.2.2 Identifying external factors

The next step in the process of understanding the entity is
to gather information about external factors.

Auditors must gather information about external factors
that are relevant for the audit, and must structure this
appropriately. The information is intended to help auditors
in their identification of risk elements and their
consideration of the management’s reaction to risk
elements later in the audit process.




                            Guidelines for financial auditing                     Page 51
                         Strategic analysis




                         Figure 7 External factors that can affect the entity


                         The eight factors described in the figure above can affect
                         the entity in ways that prevent it from performing its tasks
                         and reaching its goals.

                         The entities’ external environments will vary, and not all
                         the factors are of equal relevance for all entities.
Political decisions      With its legislative and budgetary powers, the Storting
                         exerts great influence on the entities’ framework
                         conditions. The Storting sets the framework for the
                         employment of the budget and adopts general laws that
                         apply to society at large, and specific laws that can apply to
                         the entity. In addition the Storting lay down the form of
                         affiliation – including financing – for government agencies.
                         Political decisions can be:
                         • new tasks
                         • a new form of affiliation resulting in new accounting
                            principles
                         • changed framework conditions resulting in changes for
                            the administration (for example large reorganisation or
                            the relocation of entire entities)



Socio-economic factors   General socio-economic factors can affect the entity’s
                         possibility of achieving its goals. Unemployment often
                         rises in periods of recession, leading to a greater demand
                         for public services – for example from the Public
                         Employment Service and the National Insurance Service.



Social factors           Society’s attitudes and expectations of the welfare state and
                         its willingness to pay taxes and dues are examples of social
                         factors that can be of importance for the possibility of some
                         entities achieving their defined goals. Changes in level of
                         education and settlement patterns are other examples of
                         social factors that may exert influence.




Page 52                  Guidelines for financial auditing
                                            Strategic analysis


In certain periods it may be difficult to recruit and retain
well-qualified employees in the public sector. Government
agencies are to a large extent dependent on human
resources to produce their services. Employees are often
expected to have acquired special skills to carry out these
services, and entities are thus extremely vulnerable with
regard to losing this special competence.



Through their specific ministries, cabinet ministers are         Supervisory authority
responsible for ensuring that parliamentary decisions are
fulfilled. The follow-up takes place through the policy
dialogue with the entity – for example in letters of
allocation. The contents of such letters are intended to
include purposes and goals as well as framework conditions
defining how the entity is to perform its mandatory tasks.
The ministry is ascribed the management, follow-up and
monitoring of the entity’s operations.

The entity’s letter of allocation must be in line with
parliamentary decisions.



Technological development is another factor that may have        Technology
an impact on the entities’ ability to reach their goals,
particularly entities that use and are dependent on
information technology or other technology to produce or
deliver their services. These entities are particularly
vulnerable if technology ceases to function. Technological
development in this context includes changes in large
systems, in the development of software and hardware, and
in infrastructure and information systems.

One example of the consequences of the entity not giving
appropriate consideration to technological development is
that it retains old systems that are not able to meet internal
and external requirements. It may also lead to the entity
becoming unable to perform its tasks due to factors such as
impractical systems, capacity problems and the like.

Many entities are dependent on collaboration with private        Cooperative partners
or public enterprises. These can be enterprises with closely
related tasks or tasks that form part of a chain – for
example the police collaborating with the prosecuting
authorities, courts of law and the probation services. Private
cooperative partners can be suppliers of goods and services
or other operators outside the entity.

If the entity’s goal achievement is dependent on a particular
or complex item or service that can only be obtained from
one or few suppliers, this may pose a risk for the entity’s
goal achievement.




                            Guidelines for financial auditing                            Page 53
Competitors
              Strategic analysis


              Many government agencies have a monopoly on their
              production of goods or services. They therefore have little
              experience of competitors with alternative goods and
              services posing a threat or risk to their goal achievement. In
              many cases a lack of competition can increase the danger of
              inefficiency, and this in turn can threaten the entity’s goal
              achievement.

              Development has generated an ever-increasing outsourcing
              of public services. This sets stricter demands to
              restructuring and re-thinking in the administration. Entities
              that are exposed to competition must keep informed about
              the market and their competitors. Ways they can handle this
              type of risk include active planning of strategies that take
              the competitive situation into account.



Users         One goal of government agencies is to have satisfied
              customers. Users’ requirements and attitudes can constitute
              a risk for the entity’s possibilities of attaining its goals.
              Strong user groups may affect the entity’s activities – for
              example through attempts to influence political decisions.
              The entity should have identified its users and the extent to
              which these users can affect the prioritisation of tasks and
              their performance.

              Equal treatment and legal protection are two requirements
              that users set for government administration. It is therefore
              important that the entity’s management is familiar with the
              content of these and similar basic principles and that it
              draws up strategies that adapt administrative procedures
              and information flow to the needs of the users.

               Auditors must assess whether each of these factors is of
              significance for the entity’s goal achievement. After
              assessing the external factors that can influence this goal
              achievement, auditors summarise those that are relevant for
              the subsequent audit process.



              5.2.3 Identifying internal factors

              The next step in understanding the entity is to identify
              internal factors. It is important for auditors to keep to a
              general level in this context while they make more detailed
              investigations in the process analysis.

              The financial regulations set requirements for basic
              management principles in the entities, at the same time as
              the management, follow-up, supervision and administration
              must be adapted to the entity’s distinctive features and its
              risk and materiality.




Page 54       Guidelines for financial auditing
                                            Strategic analysis


The provisions set requirements for the entities’ internal        Overriding regulations laid
management of such areas as authority and responsibility,         down by the Ministry of
the management process and establishing internal control.         Finance, 12 December 2003:

Identifying internal factors provides auditors with grounds       • Regulations for financial
for deciding whether the entity is following the defined            management in central
framework conditions.                                               government
                                                                  • Provisions for financial
Auditors must obtain information about internal factors that        management in central govt.
are relevant for the audit, and must structure it suitably. The
information is intended to help them in their identification
of risk elements and when considering the management’s
reaction to risk elements later in the audit process.




Figure 8 Internal factors in the entity

Implementing procedures for risk assessment is one of the
ways auditors can become familiar with how the entity’s
management carries out mandatory tasks.

The management is responsible for supervising and                 The entity’s management
performing the entity’s tasks. Based on goals and
performance requirements set by the Storting, the
management draws up both one-year and multi-year plans,
as well as a risk and materiality assessment that forms the
basis for compiling strategies on how the management can
handle detected risks that threaten goal and result
achievement. The management is also responsible for
ensuring that the entity complies with the laws and
regulations that apply for its operations.




                            Guidelines for financial auditing                           Page 55
                                    Strategic analysis


                                    The management’s attitudes and values affect the way in
                                    which the entity is run. They also influence the types of risk
                                    and how much risk the management accepts.



                                    Auditors must examine:
The management’s system for
risk management                     • whether the entity conducts risk assessments
                                    • whether the entity has a methodological approach
                                    • how often the entity conducts risk assessments
                                    • who takes part in them
                                    • in which parts of the entity the assessments are
                                      conducted
                                    • which types of risk are included in the analysis



Organisation                        The organisation of the entity influences how the planning,
                                    performance and supervision of the tasks are carried out in
                                    order to meet the entity’s goals and performance
                                    requirements.

                                    The way in which the management chooses to organise the
                                    entity can be influenced by size, form of organisation,
                                    complexity, form of affiliation and geographical spread.
                                    The organisation can also be affected by whether there are
                                    plans for reorganisation, restructuring or deregulation, or
                                    whether these processes have been initiated.

                                    Auditors must acquire an overview of the entity’s size and
                                    complexity and of how it is organised and divided – for
                                    example into departments, divisions and operational units.
                                    This is important in order to decide the most appropriate
                                    way auditors can approach and organise the audit. In
                                    addition it is important that auditors see how the
                                    organisation has created the conditions for internal control
                                    activities through the assignment of responsibility and
                                    tasks.



Ethical values and irregularities   The entity’s ethical values are based on the management’s
                                    preferences, assessments and philosophy. These preferences
                                    and assessments are transferred to norms of conduct and
                                    reflect the management’s attitudes to ethical values. If the
                                    entity does not follow ethical values, this can lead to
                                    undesirable behaviour, which in turn may result in
                                    irregularities.

                                    Auditors must acquire information about the management’s
                                    attitudes to ethical values and whether irregularities have
                                    occurred in the entity.




Page 56                             Guidelines for financial auditing
                                             Strategic analysis


The entity may be vulnerable with regard to key
                                                                   Personnel policy
competencies, and must therefore be aware of the expertise
that is required in both the short and long term to enable it
to perform its primary and secondary tasks. The need for
competence affects recruitment, pay policy and training
programmes. In general, entities organise their various
tasks through job descriptions.

Auditors must collect information about the personnel
policy.



The entity has information and communication channels
                                                                   Information and
that it uses to disseminate and receive information. The
                                                                   communication
management is dependent on having the required
information available at the right time as a basis for making
its decisions.

Many entities are dependent on information technology in
their production process or for their delivery of services
and are therefore extremely vulnerable when errors or
deficiencies arise in the technical systems.

Auditors must gather information about the main
information and communication systems and must acquire
sufficient knowledge about how the IT environment
influences financial matters, operations and other functions
that are of crucial importance to the entity.



Auditors must find out whether the entity has established          Internal audits
an internal audit. It may be appropriate for auditors to
acquire information about the plans and reports of such
internal audits, and they must decide whether they can use
the information in their work, cf. the OAG’s auditing
standards.



After assessing how internal factors influence the entity’s
goal achievement, auditors summarise relevant information
for the subsequent audit process.



5.2.4 Analysis of financial information

An analysis of financial information increases auditors’           The budget, preliminary accounts
understanding of critical activities in the entity. In addition,   and accounts from the previous
an understanding of financial information is necessary for         year give important information.
the OAG to carry out its role of external auditor.




                             Guidelines for financial auditing                                 Page 57
                                   Strategic analysis


                                   An analysis of this type can include:
                                   • understanding the principles on which the accounts have
                                     been compiled, such as accounting principles, chart of
                                     accounts, use of codes, subaccounts etc.
                                   • identifying the accounts’ main accounting system,
                                     subsystems, interface and reconciliation systems, as
                                     well as the reports that are used for the management’s
                                     supervisory activities
                                   • conducting preliminary analytical review procedures
                                   The accounts always constitute a key source of
                                   information. The budgets and information about expected
                                   results are sources that provide auditors with an overview
                                   of the implementation of present and future plans and the
                                   financial consequences of such plans. A comparison of data
                                   from the budgets and the accounts gives auditors a general
                                   view of the operations in terms of the budgets and the goals
                                   defined for the entity’s activities.



 Analyses                          The use of analyses – for instance analyses of trends, ratio
                                   and business expectations – helps auditors to identify actual
                                   or expected changes in the financial information, and thus
                                   also actual or expected changes in the entity’s performance
                                   of its tasks. When auditors conduct a strategic analysis, the
                                   budget and previous years’ accounting data are available,
                                   but the accounting data for the current year is limited.



                                   5.2.5 Identifying processes

                                   Using the information they have gathered to enable them to
                                   understand the entity, auditors identify relevant processes in
 Definition of a process:
                                   the entity. Relevant processes are those that to the greatest
 A series of activities that the   extent support the entity’s goal achievement and reduce
 entity has initiated to achieve   risk. At the same time, auditors must identify the goals of
 its goals.                        the processes. In order to identify relevant processes and
                                   their associated process goals, auditors must gain a total
                                   picture of the entity’s organisation and how it performs its
                                   tasks.

                                   A process is a series of activities that the entity has initiated
                                   to achieve its goals. Processes are also intended to
                                   contribute to reducing the risk of a specific event having a
                                   negative impact on the entity.

                                   All entities must have established processes related to their
 Processes must cover primary      primary and secondary tasks – and to their temporary tasks
 and secondary tasks and           if appropriate. Processes for primary tasks can be collecting
 temporary tasks.                  taxes and dues, making national insurance payments,
                                   administrating grants, and managing subordinate bodies.
                                   Processes for secondary tasks can include staffing and




Page 58                            Guidelines for financial auditing
                                            Strategic analysis


payroll duties, purchasing and storage, submitting the
accounts and reporting.

When performing an audit of the accounts, the task of the        Identifying processes that cover
OAG always entails identifying the processes that cover the
submission of the accounts and the central government            • management
accounts.                                                        • goal achievement
                                                                 • reporting results
When ensuring compliance, the task of the OAG always
entails auditors inspecting key processes that cover
management by objectives and results, and processes that
cover the management of subordinate bodies in the
ministries. Ministries can be responsible for tasks that are
performed by subordinate bodies or other public
authorities. To enable auditors to perform an efficient and
effective audit, they must therefore identify how the
ministry has organised the monitoring of these tasks.

Large complex processes can be divided into subprocesses          Subprocessses
if this is deemed appropriate. Division into subprocesses
depends on how the audit is to be organised, the size of the
entity, and the complexity of the risk elements involved in
the process. When auditors are to decide whether the use of
subprocesses is appropriate, they must take the following
consequences for the audit into consideration:
•   increased use of resources
•   higher degree of detail
•   possibilities for eliminating risk
•   making the audit too complicated
Identifying processes represents a very important part of
the strategic analysis and forms the basis of an efficient,
effective and appropriate audit.



5.3 Assessing materiality
Auditors must use their understanding of the entity in their
assessment of the errors and omissions that can be
considered as material. Auditors regard errors and
omissions as material when users would probably have
made other evaluations and taken other decisions if they
had been aware of the errors.

A distinction is made between quantitative and qualitative
materiality factors. Quantitative factors are related to an
audit of the accounts, while qualitative factors concern
violations of the budget resolutions, regulations and/or
norms and standards that affect the users of the
information.

The materiality assessment is used when auditors are to
assess the importance of a risk element for the audit and are


                                                                 Qualitative materiality

                            Guidelines for financial auditing                               Page 59
                                Strategic analysis


                                to decide the processes to which they must assign priority
                                during the subsequent audit.

                                Users want to be sure that the entity is fulfilling the social
                                tasks for which it has been assigned responsibility through
                                the allocation decisions. For example, building roads is of
                                major importance to local communities and local
                                politicians.

                                The entity’s primary tasks are normally assigned the
                                greatest significance when auditors assess qualitative
                                materiality. However, laws and regulations that govern
                                secondary tasks can be of interest for users – for instance
                                violations of the regulations for public procurement or
                                budget overruns.



 Quantitative materiality       The size of the figures involved influences the materiality
                                assessment. Using professional judgement, auditors can set
                                a limit for the size of errors in the figures that can be
                                accepted in the accounts. For small accounts it may prove
                                expedient to set a proportionally higher materiality limit
                                than that set for more extensive accounts.

                                Chapter 4 gives more information on materiality.



                                5.4 Assessing risk

 Assessing risk consists of:    In understanding the entity and assessing materiality
                                auditors gathered information that provides input for the
 • identifying risk elements    risk assessment. On the basis of this information, auditors
   and the management’s         must identify the risk of the entity not achieving its goals.
   reaction                     In addition, they must estimate the degree of probability
 • estimating probability and   and the consequences of the risk elements if they are
   consequence                  activated. Finally, auditors evaluate the importance of the
 • evaluting risk               risk elements for the audit and decide whether or not to
                                include them in the subsequent audit process, as well as
                                determining the processes to which the risk elements are
                                linked.



                                5.4.1 Identifying risk elements and the
                                      management’s reaction

 Identifying risk elements      At strategic level the risk situation will normally not
                                change much from year to year, and the results of the
                                previous year’s audit represent a major source for
                                identifying risk elements. In addition to identifying any
                                new risk elements, auditors must place particular emphasis
                                on checking whether material changes have taken place in
                                the risk factors that were identified in previous years.




Page 60                         Guidelines for financial auditing
                                             Strategic analysis


Auditors base their identification of risk elements on:
• the information they have gathered about the entity’s
  goals and the internal and external factors
• the analysis of financial information
• the assessment of materiality
Through the risk identification procedure, auditors must
also define the management’s reaction to the risk elements.

At strategic level risk can constitute large-scale changes in
framework conditions or unclear formulations of goals for
the entity’s tasks. Changes in external factors – for instance
among users, suppliers or in technological development –
may also represent a threat to the entity’s goal achievement,
as will internal factors such as organisational changes or a
high turnover of managers. The user aspect is of key
importance when assessing materiality.



Auditors must investigate whether and how the                      The management’s reaction
management reacts for each identified risk element. The
most interesting point for auditors is whether the
management chooses to accept or to reduce risk.

Auditors must find out whether the entity’s management is
aware of the individual risk elements and has made a
decision about the level of risk that can be accepted.
Through procedures for risk assessment, auditors collect
documentation for the management’s assessment of the risk
elements. Adequate evidence must be obtained in cases
where auditors consider that the management’s handling of
risk is of such a nature that it results in a possible reduction
in the risk level in the subsequent assessment.

When auditors have identified the entity’s risk elements and
the management’s reaction, they must match these against
the entity’s risk assessment. Assessing risk is one of the
items that must be discussed at the meeting between
auditors and the management of the entity in question.



5.4.2 Estimating risk

Auditors must estimate the probability and the consequence
of risk, basing their assessments on the results of the audit
procedures that have been conducted.

Auditors must assess how probable it is for risk elements to       Estimating probability
be realised and – if this is the case – the time frame in
which this may happen. The greater the probability of a risk
element being activated in the accounting period in
question, the higher the risk will be.




                             Guidelines for financial auditing                                 Page 61
                           Strategic analysis


                           Auditors must assume an advisory role to prevent future
                           errors and omissions. They must therefore also assess risk
                           elements that may be activated in the future. Auditors
                           estimate probability as high or low and give reasons for
                           their estimate.


  Estimating consequence
                           When estimating consequence, auditors must assess the
                           impact of a risk element if it is realised. The considerations
                           of materiality already made by auditors are used when
                           assessing the consequence. The overall consequence of
                           several events within a certain period must be used as a
                           basis. Systematic errors are given a higher degree of
                           consequence than individual errors.

                           Efficient and effective emergency plans, back-up plans, the
                           opportunity to relocate production and insurances can
                           reduce the consequences of an event. In this context
                           auditors must assess materiality in relation to both the
                           transaction and decisions made – the dispositions – and the
                           impact on the accounts.

                           Auditors estimate the consequence as high or low and give
                           reasons for their estimate.

                           Auditors’ assessment of risk must be substantiated with
                           audit evidence. It may be sufficient to follow up a risk
                           element with an updating of the audit evidence if the
                           assessment is based on the results of the previous year’s
                           audit. It may also be relevant to give a risk element low
                           priority if the entity’s plans or measures indicate that the
                           event will not occur or the budgets indicate that the
                           consequences are of minor significance for the accounting
                           period being audited.

                           Estimating risk can be illustrated by the following diagram:




                           Figure 9 Combinations of probability and consequence




Page 62                    Guidelines for financial auditing
                                            Strategic analysis


5.4.3 Evaluating risk

The result of the risk evaluation provides a basis for
making priorities between the risk elements auditors are to
follow up in the process analysis and in subsequent
auditing. Auditors must first assess the extent to which each
risk element is relevant for the audit of the accounts, and
must relate the relevant elements to the audit objectives that
are threatened. The audit objectives encompass the
compliance process and performing an audit of the
accounts.

Risk elements that are estimated to have high probability        High probability and
and high consequence must always be the object of further        consequence
auditing.
                                                                 Combination high/low

Risk elements that are assessed as having high probability
and low consequence, or low probability and high
consequence, must be assessed individually by auditors to
decide whether they should be monitored further. Auditors
must take materiality into consideration in the assessment.



In the subsequent audit process auditors can give low
                                                                 Low probability and
priority to risk elements that have been assessed at low
                                                                 consequence
probability and low consequence. Their assessment and the
grounds on which it is based must be documented by audit
evidence.



Finally auditors must relate the risk elements to relevant
processes – the processes that they have identified earlier in   Relating risk elements to
the strategic analysis. Auditors must only conduct process       processes
analyses for processes that have risk elements attached to
them, and they must ensure that the risk assessment is
completely and satisfactorily documented.

In some case auditors may choose not to conduct a process
analysis but to handle risk elements directly in the analysis
of residual risk. This is appropriate when the process
analysis is not effective and suitable, or when the risk
element is not attached to any process.



5.5 Planning further auditing
After conducting the strategic analysis auditors should have     The audit plan must contain:
acquired an understanding of the entity and have assessed        •   prioritised processes
materiality and risk at a general level. Auditors must now       •   organisation
draw up a plan for further auditing that is to be submitted to   •   estimate of resources
the division manager for approval. There may be a need to        •   time schedule


                            Guidelines for financial auditing                                Page 63
                                  Strategic analysis


                                  adjust or supplement the preliminary plan as and when
                                  auditors gain new and extended knowledge of the entity.

                                  The plan must contain information about prioritised
                                  processes, organisation, an estimate of resources required
                                  and a time schedule for subsequent auditing.



  Prioritised processes           It must be clear which processes or parts of processes are to
                                  be reviewed in the process analyses. Auditors must make a
                                  list of priorities or must indicate the sequence of the work
                                  to be performed.

                                  On the background of the knowledge auditors have
                                  acquired through understanding the entity, assessing
                                  materiality and assessing risk, they may find it most
                                  appropriate to transfer all or parts of the risk that is left
                                  directly to the analysis of residual risk. This could, for
                                  example, be the case for small entities where it is hardly
                                  fitting to base the audit on internal control measures, or
                                  when a process analysis is somewhat unfeasible.



                                  In cases where the audit assignment concerns a ministry
 Organisation                     where some of the tasks are administered by entities that
                                  are managed by another ministry, auditors must plan the
                                  subsequent auditing separately. They must assess how the
                                  residual risk for this assignment is to be handled to enable
                                  them to draw conclusions.

                                  If other assignments are to handle part of the residual risk,
                                  this information must be conveyed early enough for it to be
                                  considered in the planning of the assignments in question.
                                  This is one reason for planning the audit of a ministry at an
                                  early stage. In addition, the planning of the audit for a
                                  ministry provides input to the joint overall risk
                                  analysis/ministry level.

                                  Auditors prepare proposals for how the audit should be
                                  organised and for which auditors can be included in the
                                  audit team. It may, for instance, be relevant to collaborate
                                  with other divisions or departments. If there is a need to
                                  bring any special expertise to the audit team – such as the
                                  use of IT auditors – this must also be stated.



 Estimate of resources required   Auditors must estimate the anticipated need for resources in
                                  the form of man-days and travel expenses. The estimate of
                                  resources must be kept within realistic limits.




Page 64                           Guidelines for financial auditing
                                           Strategic analysis


Auditors should also draft a time schedule for completing
the audit. In their planning, auditors must distribute the      Time schedule
auditing work appropriately throughout the year.



5.6 Documenting the strategic analysis
Auditors must document the information on which the
strategic analysis is based and which is of importance for
the assessments that have been conducted. As a minimum
auditors must document the following:
• their understanding of the entity, which includes:
             o identifying the entity’s goals
             o identifying external factors
             o identifying internal factors
             o analysing financial information
• the assessment of materiality, which includes:
             o qualitative materiality
             o quantitative materiality, possibly also
                setting a materiality limit
• identifying risk elements and the management’s
   reaction, which includes:
             o a list of the risk elements auditors feel may
                threaten the entity’s goal achievement at
                strategic level
             o the reaction it is assumed the management
                will have regarding whether it accepts or
                wants to reduce the risk – for each of the
                risk elements
• estimating and evaluating strategic risk, which includes:
             o auditors’ assessment of the probability and
                consequences of each risk element being
                activated
             o auditors’ assessment of whether the risk
                estimate for each element of risk is so high
                that it must be followed up with further
                tests, or whether the estimate is so low that
                the risk element does not need to be
                followed up by further tests
• discussions in the audit team about irregularities, which
   include:
             o assessing where the entity that is exposed
                to irregularity is presumed to be, and
                specifying the type of irregularity
                concerned
             o the result after enquiries that have been
                made to the management about whether
                irregularities have been detected




                            Guidelines for financial auditing                   Page 65
          Strategic analysis


          • meeting with the entity to address risk, which includes:
                     o written minutes of the meeting with any
                         attachments that have been verified by the
                         entity
          • proposal for a plan for the subsequent auditing work,
            which includes:
                     o prioritised processes for the process
                         analysis
                     o organisation
                     o estimate of resources
                     o time schedule
          Documentation must be compiled continuously, stored
          systematically and appropriately, and be readily available to
          those participating in the audit.



          5.7 Quality assurance and approval
          Auditors must submit the strategic analysis and the auditing
          plan for the assignment to the division manager or to
          another person to whom quality assurance and approval has
          been delegated. The objective of quality assurance and
          approval at this level is to ensure that the strategic analysis
          is of a professionally satisfactory quality and is adequately
          documented. Those who give their approval must also
          consider auditors’ proposed plan for further auditing to
          ensure that the audit will be conducted in a professional
          manner that is also satisfactory, efficient and effective.

          The requirements for quality assurance are described in
          more detail in Chapter 11.




Page 66   Guidelines for financial auditing
               Strategic analysis




Guidelines for financial auditing   Page 67
                                       6 Process analysis
   PROSIT’s navigation tree:           This chapter is intended to give auditors an understanding
                                       of how they should conduct a process analysis, the
                                       information they must gather and assess, and how they are
                                       to document the assessments.

                                       In the process analysis auditors conduct a more detailed
                                       risk assessment of the processes to which risk elements are
                                       attached in the strategic analysis. Auditors must only
                                       conduct the analysis for processes that contain risk
                                       elements that are to be followed up.

                                       The process analysis consists of the following steps:


                                                     Understanding the process




                                                        Assessing materiality




                                                             Assessing risk


                                       Figure 10 Steps in the process analysis



                                       6.1 Purpose of the process analysis
                                       • To conduct a risk-based, efficient and effective audit
                                       • To gather appropriate and adequate audit evidence in
                                         order to assess whether the audit can be based on the
                                         entity’s internal control system
                                       • To assess whether the process goals support those of the
                                         entity
                                       • To identify residual risk that is of significance for both
                                         the audit of the accounts and the compliance of the
                                         dispositions



                                       6.2 Understanding the process
                                       Auditors identified the entity’s processes in the strategic
 A process is a series of activities   analysis and will now gather more information about the
 that the entity has initiated to      processes that contain risk elements that must be followed
 achieve its goals.                    up.

                                       A process is a series of activities that the entity has initiated
                                       to achieve its goals. Processes are also intended to



Page 68                                Guidelines for financial auditing
                                              Process analysis


contribute to reducing the risk of specific events having a
negative impact on the entity.

Much of the information about a process can be of interest
to auditors, and they must therefore make a systematic
collection of information. The information is to be used for
a process description that will support auditors in their
identification, estimation and evaluation of process risk
later in the process analysis.

Auditors must collect information about:
•   process goals
•   process activities
•   information flow
•   accounting transactions



6.2.1 Process goals

The goals of the process must give a clear description of
what the entity should achieve with the process. Most
processes have several goals, and for government agencies
the goals will often be connected to quality requirements
and/or to performing tasks efficiently and effectively. The
process goals must be in agreement with the entity’s prime
objectives and strategies.

Auditors must identify the goal or goals that the
management has defined for the process. Auditors can have
identified the process goals in the strategic analysis.



6.2.2 Process activities

The process has a starting point and a finishing point, with
a series of activities in between.

A process consists of several types of activities. These may
be:
• collecting information (e.g. assessing procurement
  needs)
• processing information (e.g. compiling requirement
  specifications and assessing bids)
• taking decisions (e.g. choosing suppliers)
• effectuating decisions (e.g. entering into contracts and
  paying invoices)
Auditors must identify and describe the various process
activities. The description can also cover control activities.
It is a challenge for auditors to determine the required level
of detail for the description of the activities. However, the
description must contain sufficient details to enable risk
elements that threaten the process goals to be identified




                              Guidelines for financial auditing   Page 69
                        Process analysis


                        later in the audit process. Most processes consist of a large
                        number of activities. If auditors’ descriptions of process
                        activities are too detailed, the material will soon become
                        extremely comprehensive and will in time be difficult to
                        handle.



                        6.2.3 Information flow

                        All processes use, produce and process information. In a
                        well-functioning process, relevant and necessary
                        information is available to those who need it. Auditors must
                        therefore gain an overview of the information that flows in,
                        through and out of the process to enable them to assess the
                        materiality and reliability of the information.

                        Some of the information may have a direct effect on the
                        accounts – for example by the process using information
                        from a register of current rates to calculate amounts in an
                        accounting transaction. Other information can be used as a
                        basis to substantiate an assessment – for instance an entity
                        may use information from external registers to obtain credit
                        details to assess a customer’s credit-worthiness.

                        At all levels in the process, a lack of reliable and correct
                        information can lead to the entity taking decisions on an
                        inaccurate or incomplete basis. If the basic information and
                        its handling are not reliable, the risk of errors in the
                        accounts and the dispositions will increase. Knowledge of
                        the information flow in the process enhances auditors’
                        assurance when assessing the quality of the information.

                        The information flow can follow both manual and
                        electronic systems.



                        Auditors must find out which information systems are used
  Information systems
                        in the process and must check the completeness, accuracy
                        and validity of these systems. Those that are directly linked
                        to a financial system and primary tasks in the entity will be
                        important, while others that do not have such associations
                        can often be considered as less important. More detailed
                        requirements regarding functionality in the financial system
                        – including documentation and security – are given in the
                        provisions relating to financial management in the central
                        government.

                        If the entity uses electronic information systems that have
                        many automatic and mechanical operations, it may often be
                        difficult to assess whether the system secures a complete,
                        accurate, reliable and valid information flow. In many cases
                        these assessments should therefore be made by an IT
                        auditor.



Page 70                 Guidelines for financial auditing
                                             Process analysis


6.2.4 Accounting transactions

Auditors must also gain an overview of the accounting
transactions and the entries that may be affected by the
activities in the process.

To acquire a picture of the entity’s or the process’
transactions, auditors can use computer tools to classify the
accounting data electronically.

We can basically define three categories of transactions in a
process:
• routine transactions
• non-routine transactions
• accounting estimates


                                                                 Routine transactions
Routine transactions are transactions that follow a fixed
system and that occur regularly over a period of time (main
salary transactions, rental payments, calculations and
automatic payments of demands for dues or taxes,
reminders etc.). These are transactions the entity is familiar
with, and they are often handled according to fixed and
reliable procedures. A single error that may occur among
such transactions will seldom in its own right lead to
material errors. On the other hand, if the error is due to
incorrect handling or inaccurate calculations (for example
wrong rates), this may well lead to material errors in the
accounts.



Non-routine transactions are related to more unsystematic        Non-routine transactions
or irregular events. Such transactions will often also require
involving management personnel – particularly when
decisions or approvals of the validity of the transaction are
required. Among these transactions are non-recurring
payments connected to large procurements.

Non-routine transactions pose a greater risk of errors than
routine transactions since there may not be reliable routines
for handling them. Auditors should therefore be aware of
whether non-routine transactions are included in the
process, and should investigate whether the entity has
special follow-up and monitoring for such transactions that
can contribute to reducing the risk involved.



Accounting estimates are transactions that are based on          Accounting estimates
subjective assessment and that therefore have a high risk of
containing errors, e.g. transactions that involve write-
downs, provisions or estimates of value. So far, central
government accounts contain relatively few such



                            Guidelines for financial auditing                               Page 71
          Process analysis


          transactions, but the situation may change. If accounting
          estimates of a certain amount are made, auditors must make
          themselves familiar with the methods and assessment
          principles on which the entity has based the calculation,
          and must ensure that these comply with applicable laws and
          regulations.



          6.3 Assessing materiality
          Assessing materiality at process level represents a more in-
          depth evaluation of relevant factors from the materiality
          assessment in the strategic analysis. Auditors must regard
          errors and omissions as material when users would
          probably have made other evaluations and taken other
          decisions if they had been aware of the error.

          It is mainly qualitative materiality factors that are included
          in the assessment of materiality, but auditors also have the
          opportunity to distribute quantitative materiality (the
          materiality limit) down to process level if they view it as
          appropriate.

          More details of materiality are given in Chapters 4 and 5.



          6.4 Assessing risk
          Through the risk assessment at process level, auditors
          elaborate on their assessment of the risk elements from the
          strategic analysis that cannot be ignored in the subsequent
          audit. Some of the risk elements are a direct consequence
          of strategic risk elements, while others are specifically
          related to the individual process. For instance, a difficult
          labour market situation represents a strategic risk that may
          also have an impact on the process risk if there is a shortage
          of qualified personnel who can conduct the process
          activities.

          The results from auditors’ risk assessments give a picture of
          the entity’s risk. They will also provide auditors with useful
          input for their assessment of the inherent risk and control
          risk in the audit risk model.

          Auditors must base their assessment of risk on their
          understanding of the process and associated materiality
          assessments. Risk assessment in the process analysis can be
          divided into three stages:
          • identifying risk
          • estimating the probability and consequence
          • evaluating risk




Page 72   Guidelines for financial auditing
                                              Process analysis


6.4.1 Identifying risk

Auditors must first identify risk elements that impair the
quality of the performance of the process and impede its
goal achievement. They then identify established control
activities in the process, and define how the management
monitors them. If auditors wish to use the established
control activities as a basis for the audit, they must procure
evidence in the form of tests of controls.

6.4.1.1   Identifying risk elements and relating them to
          assertions
At this stage auditors must identify the risk elements that
affect both the process and goal achievement. Below is a          Identifying risk:
list of risk factors that may help auditors to identify process   • risk elements
risk. Only some of the factors may be relevant for the            • control activities
process in question. The eight factors are:                       • management’s monitoring
•   management                                                      of control activities
•   ethics and integrity
•   laws and regulations
•   technology
•   planning and budgeting
•   human resources
•   operational risk
•   information and communication



The management supervises the processes and lays downs            Management
authorisations, lines of responsibility and reporting
routines, including risk assessment and change
management.

Auditors must be familiar with the management principles
in the processes, how they have been established and
whether they are followed in the entity. The management’s
own assessment of risk and how risk is taken into account
in the management of the entity provides auditors with
crucial information.

Lack of leadership increases the risk of unclear process
goals and of inefficient and indeterminate use of resources.
It also increases the risk of budget overruns and of the
allocations not being employed as intended by the Storting.



The management sets ethical values for the entity.                Ethics and integrity
Documents that incorporate the values include the entity’s
visions and strategic plans. In addition there are often ideal
values and attitudes that are not stipulated in writing.
Auditors should be familiar with such attitudes and values
and should investigate whether they are in compliance and
agreement with the values of the employees.



                             Guidelines for financial auditing                           Page 73
                         Process analysis


                         If those who are involved in the process lack adequate
                         integrity or display unethical conduct, this will entail a risk
                         for process goal achievement.

                         Auditors should investigate whether there are any
                         indications of lack of integrity, and should consider
                         whether cases have arisen or may arise that cause normally
                         honest individuals to act in a way that generates doubt – for
                         example by committing irregularities.



                         Most of the entities are subject to a wide range of laws and
  Laws and regulations   regulations. Some of these apply to all government
                         agencies while others are only relevant for one or a few
                         entities.

                         The consequences of any entity’s non-compliance with
                         laws and regulations can be claims for compensation – for
                         example from suppliers – injunctions and fines. Such lack
                         of compliance can also lead to individual and other
                         decisions being erroneous, which in turn can have serious
                         consequences for the rights and obligations of private
                         persons and enterprises and possibly also for the services
                         these offer. If an entity does not follow the appropriations
                         regulations, this may result in direct errors in the entity’s
                         accounts.

                         Auditors must identify the laws and regulations that affect
                         the process and the manner in which the entity ensures
                         compliance with them.



                         The processes are designed on the basis of the
   Technology            technological solutions the entity chooses. Some entities
                         decide to use several different IT systems to cope with
                         individual tasks, while others choose solutions that
                         coordinate several processes.

                         The development of Internet solutions can also affect the
                         entity’s performance of its tasks – for example by the users
                         themselves carrying out parts of the work for which the
                         entity was previously responsible, such as correcting basic
                         data in income tax returns.

                         In most cases the use of technology increases the quality of
                         managing transactions. New technology also increases
                         opportunities and reduces the costs of monitoring
                         processes. However, information systems may contain
                         deficiencies or may be too complicated. Systems with
                         manual data input and data controls are normally less
                         reliable than automated solutions.




Page 74                  Guidelines for financial auditing
                                              Process analysis


Using old IT systems may lead to the entity not fulfilling
the formal requirements laid down in the financial
management regulations for central government. Old IT
and accounting systems can also constitute deficient
management tools and can cause the management to base
decisions on incorrect material.

Auditors must be aware of how the entity uses technology
in the processes, and must assess how appropriately the
technology is used. This includes evaluating whether the
entity invests sufficient time and resources in the
technological solutions to ensure goal achievement. If
necessary auditors must request assistance from a specialist
(an IT auditor) to assess risk related to the IT systems in the
process.



The process is dependent on being given adequate                  Planning and budgeting
resources to perform the activities. Insufficient planning
and budgeting may lead to an imbalance between the
distribution of resources and the needs of the process,
which in turn may result in the process not being carried
out satisfactorily. Quality problems will presumably also
arise.

The allocation of resources in letters of allocation along
with the objectives of the entity’s plans provide auditors
with information about the goals the management is to
achieve with the planned input of resources.

Auditors must also become familiar with the internal
resources that have been set aside for the process, and must
investigate whether changes have taken place during the
accounting period.



A well-functioning process is also dependent on the human
resources that are associated with its activities and the          Human resources
competence of these employees.

The attitudes and motivation of the employees affect
quality and productivity in the process. The employees’
level of competence must be adapted to the work tasks
involved in the process. The entity must provide employees
with sufficient training to enable them to perform their
assignments successfully.

The labour market situation has a critical impact on
whether the entity can recruit staff with satisfactory
competence. Auditors must assess whether – and if relevant
how – fluctuations in the labour market affect the human
resources available for the process.




                            Guidelines for financial auditing                              Page 75
                               Process analysis


                               Turnover of personnel, particularly key staff, may lead to a
                               higher risk of errors in the process activities. Lack of
                               personnel or competence can result in some activities in the
                               process not being carried out or being performed
                               deficiently, or to control activities not being initiated as
                               intended. It may also lead to a total cessation of the process
                               and to the management not receiving the necessary
                               information in time.



                               This risk factor includes an assessment of risk related to the
                               performance of the activities in the process, i.e. risk that
 Operational risk
                               covers aspects such as quality, “customer satisfaction”,
                               time taken to perform the activities, capacity, limitations,
                               operational stoppage and interface with other processes.
                               For instance, lack of goods or spare parts in stock may
                               result in a stoppage.

                               The operational risk is influenced by management, ethics,
                               laws and regulations, technology, planning and budgeting,
                               and human resources – in other words all the categories
                               mentioned above.



                               Well-functioning communication and a good flow of
 Information & communication
                               information in the entity form the basis of all the strategies
                               and processes within the entity.

                               A shortage of accurate and reliable information will make it
                               difficult to continuously follow up the results within the
                               process and to take remedial measures. There is therefore a
                               risk of decisions being taken on the wrong basis and of the
                               process’ goals not being attained. Erroneous information
                               can result in direct errors in the accounts – for example if
                               all the basic data from a payroll system is not correctly
                               transferred to the accounting system.

                               Auditors must be aware of the systems and routines that are
                               used in the process to convey information – a particularly
                               important aspect being the reliable management of
                               transactions in the process.



 Connecting risk elements to   It is important for auditors to identify the risk elements that
 assertions                    threaten the process’s goal achievement and that are
                               relevant for the audit. Auditors must link all identified risk
                               elements to assertions. Some risk elements are obvious,
                               while others are difficult to foresee. Auditors must
                               determine the appropriate level of detail for the risk
                               elements in order to conduct an efficient, effective and
                               goal-oriented audit.




Page 76                        Guidelines for financial auditing
                                              Process analysis


6.4.1.2   Identifying control activities
In this context auditors identify the control activities the     Identifying risk:
entity has established to reduce the risk in the process.        • risk elements
Auditors may already have carried out this work when             • control activities
identifying the risk elements in the process.                    • management’s monitoring
                                                                   of control activities
When the management chooses to reduce the risk, it must
find control activities that provide satisfactory risk
management. These include action plans and routines that
safeguard the performance of the process activities and that
are established as a result of the risk assessments
conducted. Control activities can be found at all levels in
the entity – within both management and operations.

Many of the control activities in strategic processes actively
involve the management through various supervisory tasks
and through the monitoring of external and internal factors.
Many of the control activities in operational processes will
be associated with the documentation, archiving, approval
and safeguarding of assets.

Auditors must identify the control activities that are
relevant to the audit. Control activities will in general be
aimed at one risk element but may also contribute to
reducing the risk involved in several elements. In some
cases a number of control activities may be aimed at the
same risk element, and in such cases it is seldom necessary
to gain an understanding of all the control activities.

There are several types of control activities that an
organisation can use to minimise process risk. These
include:
•   reviews of performance and efforts
•   controls integrated into the course of the process
•   physical safeguarding
•   segregation of duties and functions



The management must make reviews of performance and              Review of performance and
efforts in order to ensure that the work in the process is       efforts
actually carried out and is of the right quality.

An IT environment will often contribute to this task by
producing different types of reports and logs that assist the
management.



Controls that deal with aspects such as authorisations and       Controls integrated into the
reconciliations are normally incorporated into a process.        course of the process
These controls are intended to ensure that the process
functions in an overall perspective – for example that
descriptions of routines have been compiled or that the
necessary activities have been carried out. In a procurement



                             Guidelines for financial auditing                              Page 77
                                      Process analysis


                                      process in which goods are received, relevant control
                                      activities can be checking goods received against the order
                                      (type of goods, price and number/amount) and checking the
                                      invoice against the goods received.

                                      The current use of information systems often involves
                                      automated or IT-dependent controls rather than manual
                                      controls. These are divided into two groups: general
                                      controls and application controls.

                                      General controls apply to all information systems. They are
                                      intended to secure data integrity and data safety and
                                      thereby functioning application controls. General controls
                                      include monitoring IT management, infrastructure and
                                      procurements as well as the maintenance of software,
                                      access controls and emergency plans.

                                      Application controls can be programmed or IT-dependent
                                      controls that occur generally in processes. Application
                                      controls are intended to ensure that information is correct
                                      and is processed at the right time, and that transactions are
                                      only handled once. Examples of application controls are
                                      validity controls that ensure that figures are within given
                                      limits, or automated reconciliations on erroneous reporting.



                                      The entity must safeguard assets and sensitive information
  Physical safeguarding               in a satisfactory way. In the case of information, this
                                      applies to both manual documents and IT systems.

                                      Closed doors and locked documentation can often be
                                      circumvented by inadequate logical controls in IT
                                      environments. Logical access restrictions are therefore
                                      equally as important as physical restrictions.



  Segregation of duties & functions   The entity must segregate duties adequately. Among other
                                      things this will prevent irregularities. Ensuring that several
                                      persons have the same area of work may also have a risk-
                                      reducing effect. It is not normally desirable to have the
                                      same person performing all the tasks in a process. For
                                      instance the same person should not order goods, endorse
                                      invoices, register invoices and authorise payment files.
                                      Requirements for satisfactory segregation of duties apply to
                                      both the processes that largely consist of manual routines
                                      and those that are IT-based.



                                      Control activities can be of a preventive, detective or
                                      corrective nature.




Page 78                               Guidelines for financial auditing
                                              Process analysis


Preventive controls are intended to prevent the occurrence
of errors or undesired events. These can be controls that are
integrated into a mechanical system or manual controls –
for example the segregation of duties and functions.

Detective controls are designed to give the management
notification of errors or problems as they arise or
immediately afterwards. Detective controls can be
integrated mechanical controls, physical controls, or
manual controls in the form of manual reconciliations.

Corrective controls are used together with detective
controls and neutralise the consequences of undesired
events. Corrective controls can be mechanical controls or
manual actions such as correcting errors.

Control activities will in general be aimed at one risk
element but may also contribute to reducing the risk
involved in several risk elements. In some cases a number
of control activities can be aimed at the same risk element.

Auditors must identify the control activities the entity has
established to reduce the probability of the risk elements
being activated. The control activities can also reduce the
consequence if the risk elements are actually realised.

Reconciliations and continuous performance reporting can
result in an error being corrected before it has large-scale
consequences. Continuous comparisons of the budget with
the accounts provides the opportunity of avoiding large
budget overruns.

6.4.1.3   Management’s monitoring of control activities

The management must ensure that the risk management              Identifying risk:
functions as intended. The monitoring can take place             • risk elements
continuously or as retrospective supervision, and can take       • control activities
the form of:                                                     • management’s monitoring
• monitoring ongoing activities                                    of control activities
• periodic reviews and evaluations of the performance of
  the activities
• assessment of the internal audit
For instance, the management may discover non-
compliance with expected results and may attempt to find
the cause of the variance. If required it can intervene in the
process, take remedial measures and inform the top
management or the supervisory ministry.

Documentation of procedures such as cash audits and
stock-taking or bank reconciliations can give the
management information as to whether the control
activities have been carried out as intended.




                            Guidelines for financial auditing                        Page 79
                           Process analysis


                           The management can initiate evaluations – for example of
                           large investments. Such evaluation can be made by
                           employees within the entity or by external consultants.

                           The internal audit can investigate the use of external
                           consultants in the entity or the development of salary
                           expenses over time. It can assess the causes and can
                           propose measures.

                           Auditors must identify any measures relevant to the audit
                           that have been initiated by the management to monitor the
                           control activities. The monitoring must be based on reliable
                           and relevant information, must be carried out
                           systematically and regularly, and must be satisfactorily
                           documented. The management’s follow-up must also
                           include an evaluation of variances that result in the
                           initiation of remedial measures when required.



                           6.4.2 Estimating risk

                           To establish the residual risk that is to be followed up by
                           further audit procedures, auditors must at this stage
                           estimate the risk level for the risk elements that have
                           emerged in the process analysis. By estimating the
                           probability and consequence for each risk element, auditors
                           discover which of the risk elements are left that have high
                           residual risk, and which are under appropriate control and
                           do not therefore represent an immediate threat to the entity.

                           Estimates are made on the basis of probability and
                           consequence in the same way as those made in the strategic
                           analysis.

                           Estimating process risk can be divided into three phases:
                           • estimating the risk level for the individual risk element
                             independently of established control activities
                           • testing whether the established control activities
                             function
                           • estimating the risk level for each risk element with the
                             impact of the established control activities


                           6.4.2.1   Estimating the risk level for the individual risk
                                     element independently of established control
                                     activities (inherent risk)

                           In this first phase auditors must estimate the probability of
                           the risk being realised and the effect of the risk element on
  Estimating probability
                           goal achievement (consequence). Auditors should only
                           estimate the risk level of the risk elements that are
                           independent of established control activities.




Page 80                    Guidelines for financial auditing
                                                     Process analysis


Auditors must estimate the probability of the risk element
being realised and, in that event, the time perspective
involved. The higher the probability of the risk element
being activated immediately or within the accounting
period in question, the higher the probability assessment of
the risk element must be set.



When estimating consequence auditors must assess the
significance of the risk element being realised. They must               Estimating consequence
assess the consequence in relation to the materiality
considerations that were made earlier in the audit process.
For example an error in a single salary payment has low
consequence, but an error in the salary calculations can lead
to higher consequence.

The risk evaluation gives four possible combinations of
low and high. Estimating the risk elements’ probability and
consequence can be illustrated by this figure:


       Høy                             Rm5

                                                      Rm4

                                             Rm1
 Konsekvens




                                                      Rm3

                               Rm2




              Lav                                                Høy
                                     Sannsynlighet

               Forklaringer:

     Rx        Risikomoment

Figure 11 Risk level for identified risk elements without
         established control measures (inherent risk)

The figure shows an example of estimating risk with four
risk elements. One of the risk elements – Re 2 – has been
set at low probability and low consequence. Another of the
risk elements – Re 3 – has been set at high probability and
low consequence, and another – Re 5 – has been set at low
probability and high consequence. The two final risk
elements – Re 1 and Re 4 – have been set at high
probability and high consequence.




                                     Guidelines for financial auditing                            Page 81
                                  Process analysis


                                  6.4.2.2   Testing whether the established control activities
                                            function

                                  Auditors must assess whether the established control
                                  activities in the process contribute to reducing the risk
                                  element’s probability and/or consequence.

                                  This includes assessing the efficiency and effectiveness of
                                  the internal control system with regard to preventing risk
                                  (preventive controls) and detecting risk (detective controls).
                                  Auditors must consider the general assessment of internal
                                  control conducted in the strategic analysis. The control
                                  activities at process level can be aimed towards special risk
                                  elements in the process or may be of a more general nature.

                                  If auditors consider that a control activity reduces one or
                                  more risk elements, they can choose to base their work on
                                  this, thus reducing the scope of audit procedures later in the
                                  audit process. In such cases auditors must procure evidence
                                  to substantiate that the control activities are functioning.
                                  Procedures conducted for risk assessment will normally not
                                  provide sufficient evidence alone, and auditors must
                                  therefore carry out relevant tests of controls.

                                  Auditors must procure evidence to show that the control
                                  activities function as intended.



  Transferring risk elements to   In cases where auditors assess the impact of established
  residual risk                   internal controls to be so low that it is inappropriate to use
                                  them as a basis for subsequent auditing, they must transfer
                                  the risk elements directly to the analysis of residual risk.
                                  There may also be risk elements of such a nature that the
                                  consequence of errors will always be high. In this event it is
                                  not appropriate to conduct tests on the internal control
                                  system since auditors must in any case carry out
                                  substantive tests. This may for instance occur in relation to
                                  the submission of the accounts and the reporting.




                                  6.4.2.3   Estimating the risk level for the individual risk
                                            element with the impact of established control
                                            activities (control risk)
                                  Auditors must assess whether the established control
                                  activities in the process contribute to reducing the risk
                                  element’s probability and/or consequence. Auditors must
                                  therefore estimate the probability and consequence when
                                  they consider the impact of the control activities.




Page 82                           Guidelines for financial auditing
                                                                 Process analysis

      Høy                                       Rm5

                                                                     Rm4

                                                      Rm1
                   Rm5



      Konsekvens
                                    Rm1


                                                                     Rm3
                           Rm2            Rm3




         Lav                              Sannsynlighet                           Høy


      Forklaringer:

Rmx   Risikomoment       Rmx
                         Rx    Risikonivå når           Effekten av           Gjenværende risiko
                               kontrollaktiviteter      kontrollaktiviteter
                               er tatt hensyn til




Figure 12 Effect of established control activities (control
risk)

The figure above shows the impact of risk-reducing
measures that are considered to be functioning.

The figure shows that in our example the control activities
that are linked to the risk elements Re 1, Re 3 and Re 5 are
assessed as having a risk-reducing effect that is marked
with arrows. For risk elements Re 1 and Re 3, both
probability and consequence are set at low as a result of the
effect of risk-reducing measures. Risk element Re 4 has
been assessed as not having risk-reducing measures, and is
left with high probability and high consequence.

The risk evaluation gives four possible combinations, as in
6.4.2.1 on page 80.

Auditors must document their assessment of probability
and consequence for each individual risk element with the
impact of established control measures.



6.4.3 Evaluating risk – identifying residual risk

Before auditors complete the evaluation, they must ensure
that all risk elements are linked to assertions.



The final step in the process analysis consists of auditors                                        Low probability and
assessing the extent to which there are still risk elements                                        consequence
with residual risk that must be followed up by further audit
procedures. Risk elements that have been assessed as
having low probability and low consequence are eliminated
and can be ignored in the subsequent audit process. Audit
evidence must be provided for this risk assessment.



                                           Guidelines for financial auditing                                             Page 83
                        Process analysis




 High probability and   Risk elements that have been assessed as having high
 consequence            probability and high consequence cannot be eliminated and
                        must always be the object of further auditing.



                        Auditors must perform a concluding and summarising
                        evaluation for risk elements that fall into the group high
                        probability and low consequence or low probability and
 Combination high/low
                        high consequence to determine whether the risk elements
                        can be eliminated or whether they must be followed up by
                        further audit procedures. Auditors must give reasons for
                        their decision, and if the outcome is low/low, this must be
                        documented with audit evidence.

                        If internal control cannot be regarded as significant and the
                        risk is high, auditors must procure comprehensive audit
                        evidence in the form of substantive tests.



                        6.5 Documentation of the process analysis
                        Auditors must document in working papers any
                        information that is of significance for the assessments and
                        the conducting of the process analysis. As a minimum the
                        documentation from the process analysis includes:
                        • a description of the auditor’s understanding of the
                          process
                        • the auditor’s assessment of materiality
                        • identified risk elements, control activities and the
                          management’s monitoring
                        • an estimate and evaluation of risk elements
                        • audit evidence that substantiates the assessments of risk-
                          reducing measures, including documentation of tests of
                          controls
                        Documentation must be compiled continuously, stored
                        systematically and appropriately, and be readily available to
                        those participating in the audit.




Page 84                 Guidelines for financial auditing
                Process analysis




Guidelines for financial auditing   Page 85
                               7 Analysis of residual risk
 PROSIT’s navigation tree:     This chapter is intended to give auditors an understanding
                               of how they should conduct the analysis of residual risk.

                               In the strategic analysis and process analyses auditors have
                               gathered information about the entity and the processes it
                               has established to reach its goals. They have also identified
                               risk elements that can threaten the entity’s goal
                               achievement. In the process analyses auditors identified the
                               control activities established by the management to handle
                               risk. If auditors wish to base their activities on the entity’s
                               internal control system, they have conducted tests of
                               controls as part of process analysis to ensure that this
                               system functions.

                               In the analysis of residual risk, auditors plan and conduct
 The management’s assertions   audit procedures to test whether the management’s
                               assertions about the submitted accounts and their
                               accompanying dispositions are correct. The audit
                               procedures aim to secure the collection of appropriate,
                               necessary and sufficient audit evidence to support auditors’
                               opinion on whether the management’s assertions are
                               correct. Details of the assertions are given in Chapter 4.

                               Auditors must break down the assertions into one or more
 Audit objectives              appropriate audit objectives. The audit objectives represent
                               a closer specification of the assertions and should help to
                               ensure that the auditors’ subsequent work is goal-oriented.
                               Auditors must collect necessary and sufficient evidence for
                               major and material aspects related to the accounts and their
                               accompanying dispositions before they assess whether the
                               management’s assertions have been met.
 Audit procedures
                               The assessments auditors conduct during the audit process
                               determine which remaining audit procedures must be
                               carried out to ensure that sufficient evidence has been
                               acquired to allow conclusions about the assertions to be
                               drawn. Auditors must form procedures:
                               • that cover residual risk elements in accordance with the
                                 process analysis
                               • that cover risk elements directly from the strategic
                                 analysis in cases where it was assessed as inappropriate
                                 to conduct a process analysis
                               • that must be conducted at 31 December to enable them
                                 to apply previously gathered audit evidence to the end
                                 of the accounting period
                               • of the type “obligatory procedures” that relate to the
                                 submission of the accounts and their accompanying
                                 dispositions and that must be conducted at 31 December
                                 to ensure an adequate audit
                               The audit procedures that are to be conducted must be
                               linked to audit objectives. In this context auditors must
                               check whether audit evidence previously acquired in the



Page 86                        Guidelines for financial auditing
                                    Analysis of residual risk


audit provides adequate support to the audit objectives so
that further procedures are unnecessary.

The audit risk model is used for auditors’ analysis of
residual risk. More details of the model are given in
Chapter 4.

There is a certain risk of auditors drawing incorrect
conclusions. Risk can arise either when auditors conclude       Audit risk model:
that the accounts or dispositions do contain material errors
when in fact they do not, or when auditors conclude that the    AR = IR * CR * DR
accounts or the dispositions do not contain material errors
when they actually do. The risk of auditors drawing
incorrect conclusions is termed audit risk.

Through the strategic analysis and process analyses
auditors have gathered and assessed relevant information to
enable them to assess the risk factors in the entity. In the
model these factors are inherent risk and control risk.

Detective risk is the auditors’ management variable, i.e.       Detective risk
auditors must adapt method and scope to make audit risk
acceptable. There is always a certain detective risk, and the
more thoroughly the accounts and the dispositions are
investigated, the smaller is the risk of auditors drawing the
wrong conclusion. However, auditors must conduct a cost-
benefit analysis as a basis for planning the audit.

Analysis of residual risk consists of the following steps:


   Defining audit objectives for the assertions




     Identifying remaining audit procedures




        Compiling a plan for the remaining
                 auditing work



   Conducting the remaining audit procedures



Figure 13 Steps in the analysis of residual risk




                            Guidelines for financial auditing                       Page 87
                                  Analysis of residual risk


                                  7.1 Purpose of the analysis of residual risk
                                  • To conduct a risk-based, efficient and effective audit
                                  • To plan and perform further audit procedures in order to
                                    test the management’s assertions
                                  • To procure appropriate, necessary and sufficient audit
                                    evidence to enable conclusions to be reached regarding
                                    the management’s assertions and the audit objectives



                                  7.2 Setting audit objectives for the assertions
   Requirements for assertions:   The purpose of defining audit objectives is to enable
   • Validity                     auditors to conclude whether the assertions have been met
   • Existence                    and to ensure a goal-oriented, efficient and effective audit.
   • Ownership
                                  As auditors gradually acquire knowledge about the audit
   • Valuation
                                  assignment through strategic analysis and process analysis,
   • Correct measurement
                                  they will be able to set appropriate audit objectives for their
   • Completeness
                                  work. The analysis of residual risk requires all the audit
   • Correct classification and
                                  objectives to be set before the planning of the remaining
     presentation
                                  auditing work involved in the assignment is started.
   • Parliamentary decisions
   • Laws and regulations
                                  Financial audits verify the quality of the financial
   • Norms and standards
                                  statements and determine whether the entity has conducted
                                  the dispositions in compliance with the framework
                                  conditions. The assertions describe the quality that the
                                  accounts and reporting the entity submits must possess.
                                  Auditors must therefore modify the assertions to enable
                                  them to reach a conclusion on whether they have been met.
                                  These modifications are termed audit objectives.

                                  The audit objectives describe the quality the accounts and
                                  their accompanying dispositions must have at the time of
                                  reporting rather than the tasks (controls) auditors must
                                  carry out to reach conclusions about the assertions.

                                  Auditors break each assertion down into one or more audit
                                  objectives. The audit objectives represent a closer
                                  specification of each individual assertion and should help to
                                  ensure that the auditors’ work is goal-oriented. The audit
                                  objectives are intended to provide auditors with a better
                                  basis for collecting necessary and sufficient evidence for
                                  major and material aspects related to the accounts and their
                                  accompanying dispositions before they assess whether the
                                  assertions are correct. Auditors must limit the number of
                                  audit objectives to those necessary for an appropriate and
                                  adequate audit.

                                  Through strategic analysis and process analysis, auditors
                                  have acquired knowledge about the entity and the
                                  processes. This knowledge is crucial to enable them to set
                                  good audit objectives.




Page 88                           Guidelines for financial auditing
                                     Analysis of residual risk


Several aspects play a role when determining what are
appropriate and suitable audit objectives for an assertion.
To formulate audit objectives, auditors must take various
factors into account – e.g. the entity’s size and complexity,
the tasks assigned to the entity and how the entity is
organised.

For minor assignments it may often be sufficient to set few
and more general audit objectives for the assertions, while
for large-scale assignments more specific audit objectives
should be defined. Auditors must identify the factors that
are of importance for determining whether the various
assertions are met. They must also decide which audit
objectives are appropriate for ensuring a balanced basis for
drawing conclusions.

Examples of audit objectives:

Assertion: “Dispositions in accordance with laws and
regulations” (REG)

                                               Example 1:

                                               1 All determinations of duty and special
                                                 dues comply with the Customs Act and
                  Reg 2                          accompanying regulations.

    Reg 1            Reg 3
                                               2 All national insurance payments comply
                                                 with the National Insurance Act and
                                                 accompanying regulations.

          Reg 4                                3 All purchasing is made in compliance
                                                 with the procurement regulations.

                                               4 All overtime payments are in line with
Figure 14 Examples of audit objectives
                                                 the Working Environment Act.



Assertion: “Completeness” (COM)


                                 Example 2:

                Com2             1   All tax revenues are completely defined.

 Com1                            2 All tax revenues are completely recorded.
                    Com 3
                                 3 All charges are completely defined,
                                   recovered and recorded.
          Com4
                                 4 All annual vehicle duties have been
                                   collected.
Figure 15 Examples of
audit objectives




                            Guidelines for financial auditing                             Page 89
                                    Analysis of residual risk


                                    7.3 Identifying remaining audit procedures
                                    The remaining audit procedures are the outcome of the
                                    auditors’ risk analysis, the need to convey previously
                                    procured evidence to the end of the accounting period, and
                                    obligatory procedures relating to the submission of the
                                    accounts and their accompanying dispositions – including
                                    reporting to the central government accounts.



  Handling residual risk elements   To ensure that the audit is conducted efficiently and
  collectively                      effectively, all residual risk should initially be handled
                                    collectively for the assignment, irrespective of how the risk
                                    element emerges. Risk elements identified at different
                                    points in the audit process can be concurrent and can
                                    perhaps be covered by the same audit procedure. A
                                    collective assessment and handling of residual risk provides
                                    the opportunity for a flexible structuring of the remaining
                                    work and will help auditors to plan more efficiently.

                                    In practice this means that all the process analyses should
                                    be completed before auditors identify remaining audit
                                    procedures in the analysis of residual risk and decide how
                                    the subsequent auditing work is to be conducted.

                                    Residual risk can be of varying importance for auditors’
                                    conclusions. Risk elements that are concurrent for several
                                    processes will often have greater importance than a single
                                    risk element. Risk elements that indicate a system error
                                    normally have greater importance than those that indicate
                                    single errors. Auditors must take into consideration the
                                    presumed importance the risk elements have for the
                                    conclusions, thus ensuring that sufficient evidence is
                                    procured for risk that is of great significance for the
                                    conclusions. Previous assessments of qualitative and
                                    quantitative materiality are important for the assessment.



                                    7.3.1 Identifying audit procedures

  Handling residual risk elements   The majority of remaining audit procedures will normally
  from strategic analysis           be derived from risk transferred from the process analyses.
                                    Residual risk from process analysis consists of risk
                                    elements that still have an unacceptably high control risk,
                                    i.e. where no appropriate control activities have been
                                    established, or where the control activities established by
                                    the management have not contributed sufficiently to
                                    reducing risk, or where auditors have chosen not to test the
                                    control activities.




Page 90                             Guidelines for financial auditing
                                     Analysis of residual risk


As previously mentioned, auditors can choose to transfer          Handling residual risk elements
risk elements directly from the strategic analysis to the         from process analysis
analysis of residual risk without first handling the risk
element in a process analysis.

This will most often be relevant for small entities where it
may be difficult for auditors to base their audit on any
assurance from internal control. In these entities, tests of
controls can have limited value – for example because there
is no satisfactory segregation of duties and functions, or
because few control activities have been established. In
such cases it can be more expedient, efficient and effective
to obtain evidence directly through substantive tests.



If auditors conduct tests of controls or substantive tests that    Audit procedures for applying
do not cover the entire accounting period or the final date,       previously procured evidence
they must decide which other audit procedures must be
implemented on the submitted accounts to enable them to
apply previously procured evidence from the date of the
test to the end of the accounting period.

Auditors must specifically consider whether they can base
the auditing on previously procured audit evidence from
strategic analysis and process analysis, or whether other
factors have arisen that change the perception of risk and
preclude applying the evidence to the submitted accounts.



Irrespective of the assessed risk, auditors must compile and      Obligatory procedures
conduct tests to ensure that the entity’s financial statements
and its reporting to the central government accounts are in
accordance with the subsidiary accounting material. In this
context auditors have the opportunity to ensure that their
auditing covers the entity’s management, goal achievement
and reporting, cf. the OAG’s template and internal routines
for compiling Document no. 1.

Furthermore, auditors must monitor the posting of main
entries and any adjustments that have been made during the
compilation of the annual accounts. These audit procedures
are termed obligatory procedures and are essential tests that
must be conducted satisfactorily irrespective of risk.



Auditors must assign priority to residual risk that is related
to irregularities, and must follow up risk elements with           Risk of irregularities
suitable audit procedures in order to obtain reliable
evidence.




                             Guidelines for financial auditing                               Page 91
                Analysis of residual risk


                7.3.2 Requirements for audit procedures

                Audit procedures must contain information about how they
                are to be conducted, their scope, and the stated date on
                which they are to be carried out.

                Auditors decide for each audit procedure how
                audit evidence should be procured. There are        How to procure audit evidence
                several ways of obtaining evidence. More
                details of this are given in Chapter 4.

                Auditors must decide on the scope of the audit for each
  Scope         audit procedure. The decision about the scope – for
                example the size of the sample or the number of
                observations – is based on the level of detective risk that is
                required to fulfil the stated audit risk: the lower the
                detective risk, the greater the scope of the audit.

                When developing audit procedures, auditors must decide on
                the sampling method. The various methods for sample-
                based auditing include:
                •   sampling of all units (100 per cent testing)
                •   sampling of selected units
                •   representative testing
                •   multi-stage sampling
                Sampling of all units (100 per cent testing) is appropriate in
                cases where there are few transactions and where checking
                all the transactions constitutes the most effective procedure.

                Auditors often determine the scope of audit procedures for
                sampling particular units by using professional judgement
                according to an assessment of materiality, the evaluated
                risk and the degree of assurance they plan to achieve.

                Representative testing presupposes a normal use of
                statistical methods, but by selecting larger samples auditors
                can also attain the same assurance without statistical
                methods. Program packages such as IDEA can be used to
                calculate the scope and the level of assurance, to select
                samples or to evaluate findings.

                Multi-stage sampling is used when the total samples are
                selected in various stages – for example auditors may first
                select an operational unit and then select the sample.

                The choice of method and the determination of the sizes of
                the sampling is a comprehensive matter that is widely
                discussed in theoretical material and textbooks. We refer to
                such literature for a more thorough explanation.



                The stated time refers to the period or to the date for which
  Stated time
                the audit evidence applies.




Page 92         Guidelines for financial auditing
                                     Analysis of residual risk


7.3.3 Relating audit procedures to audit objectives

Auditors must relate each of the remaining audit procedures
to audit objectives.

It should be possible to attach a procedure to one audit
objective. If a procedure is related to several audit
objectives, auditors must then assess audit findings
separately to determine which audit objective each part of
the findings affects. In most cases it will therefore be more
appropriate and preferable to divide the audit procedure so
that it can be attached to only one audit objective.



Auditors must group the procedures according to the audit
objectives to ensure that all the audit objectives are
                                                                 Assessing whether the audit
adequately covered by procedures. If it transpires that there
                                                                 objectives are adequately
are neither procedures nor sufficient previously procured
audit evidence to cover relevant audit objectives, auditors
must formulate procedures that ensure the acquisition of
supplementary evidence.



7.3.4 Audit programmes

For some entities the scope of remaining audit procedures
may be so extensive that it is difficult to handle them
collectively. In such cases it will be appropriate to organise
the audit procedures into several audit programmes. These
programmes contribute to ensuring the quality and
efficiency of subsequent audit procedures.

The audit programme must be flexible. If new information
becomes available that indicates that the risk assessments
or other prerequisites for the programme are inaccurate, the
audit programme must be amended to allow auditors to
take new facts into account. The programme must give a
detailed description of all the procedures that are to be
conducted, cf. 7.3.2 Requirements for audit procedures.



7.4 Plan for the remaining auditing work
Auditors have now obtained a basis for updating the plan
that was drawn up in line with the strategic analysis. The
plan must cover the remaining auditing work and must help
to ensure that the audit is performed in an appropriate,
efficient and effective manner.

The plan must contain information about organisation,
estimated resources required, and a time schedule for
performing the remaining work in the audit assignment.




                            Guidelines for financial auditing                              Page 93
                                Analysis of residual risk




                                The plan must describe how the remaining auditing is to be
  Organisation
                                organised and which auditors are to be included in the audit
                                team. If it proves necessary to collaborate with other
                                divisions and departments or to use special skills in the
                                audit team, this must be stated.



 Estimated resources required   Auditors must estimate the need for resources in the form
                                of man-days and travel expenses. The estimate is based on
                                the limits approved by the division manager, cf. 5.5
                                Planning further auditing.



                                Auditors must consider on which date or in which time
 Time schedule                  period it would be most efficient to perform the audit. This
                                can depend on factors such as the information that is
                                available on various dates – for example with regard to the
                                submission of accounts or the reporting routines in the
                                administrative procedures. Auditors should provide an
                                outline of when the audit programmes are to be conducted.
                                When planning the schedule they must arrange a suitable
                                distribution of the auditing work throughout the year so that
                                it can be concluded in good time for the reporting. Auditors
                                must also take into consideration that the result of the audit
                                will be communicated to both the entity and the
                                supervisory ministry before the work is concluded.



Quality assurance of the plan   The plan for the remaining auditing must be quality
                                assured. If the plan contains any significant non-
                                compliance compared with the previously approved plan,
                                this must be clarified with the division manager.



                                7.5 Implementing audit procedures
                                The audit programmes govern the implementation of the
                                audit procedures and give the framework for them.


                                7.5.1 Recording audit findings

                                Auditors record the outcome of each audit procedure – the
                                findings – irrespective of whether errors have been detected
                                or not.

                                If the procedure reveals errors, it must be indicated whether
                                or not the error is in the accounting, and also the extent to
                                which it may be significant for subsequent conclusions.




Page 94                         Guidelines for financial auditing
                                    Analysis of residual risk


Auditors record the findings in working papers. These
papers must be adequate but should not be so
comprehensive and detailed as to obscure important
information. Extensive auditing with substantial
documentation requires auditors to organise their working
papers well. The documentation must also allow
subsequent quality assurance and approval.

Auditors must compile working papers that along with the
procured evidence document the outcome of the audit
procedures that have been conducted. The working papers
should also indicate who has performed the audit and when
it was carried out, as well as whether all the planned audit
procedures were implemented according to the programme.
Auditors must give grounds for any non-compliance with
the programme and must indicate the consequence this may
have for audit risk.



7.5.2 Assessing audit findings

Auditors record findings for each procedure.                     Four types of audit findings:
                                                                 •   Completed without errors
“Completed without errors” is used when auditors do not          •   Completed with errors
find any non-compliance from the purpose of the                  •   Assigned low priority
procedure.                                                       •   Not appropriate
“Completed with errors” is used when auditors find non-
compliance from the purpose of the procedure. All
variances that are revealed must be recorded as “completed
with errors”. Completed with errors can result in auditors
being obliged to conduct further audit procedures to reveal
the scope and consequence of the error.
“Assigned low priority” is used when auditors have
deliberately chosen not to conduct the procedure. Auditors
must state the reasons for this, and the low priority should
be clarified with the person who approved the plan for the
remaining auditing work.

“Not appropriate” is used when auditors assess an audit
procedure as no longer relevant. Auditors must state
reasons for this.



Auditors cannot simply presume that indications of
                                                                Indications of irregularity
irregularity, errors or omissions are non-recurring. They
must decide whether and possibly how these affect the risk
and materiality assessments on which the audit is based.
In the event of indications of irregularity, auditors must
consider whether such irregularity can be of significance
for the assessment of other internal control activities. They
must also assess whether the indication of irregularity
concerns persons who are involved in other internal control



                            Guidelines for financial auditing                                 Page 95
          Analysis of residual risk


          activities. If this is the case and auditors have acquired
          assurances from these, they must consider whether such
          assurances can still be utilised.
          Indications of irregularity, errors or omissions can result in
          auditors being obliged to implement more audit procedures.



          7.5.3 Communicating audit findings during the audit

          The purpose of communicating audit findings is to
          contribute to preventing future errors and omissions and to
          clarify any misunderstandings and misinterpretations. It is
          therefore important for auditors to communicate findings to
          the entity during the audit before conclusions are drawn.

          Auditors must assess which findings are to be
          communicated to the entity while the work is in progress,
          and whether the communication is to be made verbally at
          the summarising meeting or in the form of a letter.

          An open and constructive dialogue with the entity about
          any weaknesses that were revealed can also contribute to
          clarifying any misunderstandings. Communicating audit
          findings constitutes part of the auditors’ advisory role.

          Separate and more detailed guidelines for communicating
          audit findings have been compiled in the OAG.



          7.6 Documentation of the analysis of residual
              risk
          Auditors must document in working papers the information
          that is of importance for assessing and conducting the
          analysis of residual risk.

          As a minimum the documentation from the analysis of
          residual risk must include:
          • an overview of defined audit objectives that specify the
            assertions more closely
          • an overview of the remaining audit procedures that have
            been identified, structured into several audit
            programmes if appropriate
          • a quality-assured plan for conducting the remaining
            audit procedures
          • working papers and audit evidence that document the
            findings
          • communication about the audit
          Documentation must be compiled continuously, stored
          systematically and appropriately, and be readily available to
          those participating in the audit.




Page 96   Guidelines for financial auditing
                             8 Conclusions
                             This chapter is intended to give auditors an understanding
 PROSIT’s navigation tree:   of how they are to conclude the performed audit.

                             Once all the audit procedures have been conducted and the
                             evidence has been organised and the work documented,
                             auditors draw their conclusions. Conclusions must be
                             drawn for audit objectives, then assertions and finally for
                             the total assignment.

                             The conclusions are based on the audit evidence from
                             strategic analysis, process analysis and analysis of residual
                             risk. To reach a conclusion, auditors assess all relevant
                             audit evidence, irrespective of whether this confirms or
                             contradicts the assertions related to the accounts or the
                             dispositions.

                             The conclusion phase consists of the following steps:

                                            Basis of the conclusions




                                       Conclusion for audit objectives




                                          Conclusion for assertions




                                           Conclusion for the entity


                             Figure 16 Steps in the conclusion phase



                             8.1 Purpose of conclusions
                             • To decide whether the assertions about the accounts and
                               the dispositions have been met
                             • To decide whether there are material errors or omissions
                               in the accounts and their accompanying dispositions
                             • To provide a basis for reporting the auditing work to the
                               entities, the ministries and the Storting




Page 98                      Guidelines for financial auditing
                                                Conclusions




8.2 Basis of the conclusions
Auditors must make sure that they have an adequate basis
to enable them to reach conclusions by verifying that
sufficient and appropriate audit evidence has been
procured. This will ensure that the risk of material errors
existing in the accounts and/or the dispositions has been
reduced to an acceptable level (assessing audit risk). The
conclusions must be substantiated by documentation of the
work performed.

Findings from all types of audit procedures that were
conducted in strategic analysis (procedures for risk
assessment), in process analysis (tests of controls), and in
the analysis of residual risk (substantive tests and tests of
controls) must be included in the material on which the
conclusions are based.

If auditors have not procured sufficient and appropriate
audit evidence to enable them to reach a conclusion, they
must attempt to acquire further evidence. If it proves
impossible to obtain sufficient and appropriate audit
evidence, auditors must express their reservations in the
conclusions.



8.3 Conclusions for audit objectives
Auditors must draw conclusions for all the audit objectives.
All audit findings and any corrections made by the entity
must be included in the assessment. The conclusions for the
audit objectives are based on the result of the procedures,
i.e. the findings that are related to the audit objective.

When drawing the conclusion, auditors must compare the
findings with the materiality defined in strategic analysis
and process analysis, and must use their professional
judgement in the assessment.

It is important that auditors provide good grounds to
substantiate whether or not the audit objective has been met
since this forms the basis for the conclusions for the
assertions.




Guidelines for financial auditing                               Page 99
                                   Conclusions




                                   8.4 Conclusions for assertions
                                   Auditors must draw conclusions for all the assertions. The
Requirements for assertions:       conclusion for each individual assertion includes those for
• Validity                         all the audit objectives that belong to the assertion. Auditors
• Existence                        must also include the audit evidence from the risk elements
• Ownership                        assigned low priority from the process analysis related to
• Valuation                        each assertion. These are incorporated into the material to
• Correct measurement              enable an overall conclusion to be drawn.
• Completeness
• Correct classification and       When drawing the conclusion, auditors must compare the
  presentation                     findings with the considerations of materiality that were
• Parliamentary decisions          made in strategic analysis and process analysis, and must
• Laws and regulations             use their professional judgement in the assessment. It is
• Norms and standards              important that auditors provide good grounds to
                                   substantiate whether or not the assertion has been met since
                                   this forms the basis for the conclusions for the entity as a
                                   whole.



                                   8.5 Conclusion for the entity
                                   Finally auditors draw an overall conclusion for the audit
                                   assignment. Auditors must indicate whether the financial
                                   statements contain material errors or omissions, whether
                                   the dispositions on which the accounts are based comply
                                   with parliamentary decisions and with laws and regulations,
                                   and whether the dispositions are acceptable in the light of
                                   norms and standards for financial management in the
                                   central government.

                                   In this part of the work, auditors draw on the conclusions
                                   for the assertions. In addition they must bring in any
                                   relevant audit evidence from strategic analysis to enable
                                   them to reach an overall conclusion.

                                   Auditors compare the findings with the materiality for the
                                   assignment and use their professional judgement in the
                                   assessment to draw the conclusion.

                                   In particular auditors must describe how the risk of
                                   irregularities has been assessed throughout the audit, and if
                                   relevant the findings that have been made and how these
                                   have been handled.

                                   Auditors must consider whether the audit has been
Assessing audit risk critically!   performed with acceptable audit risk. This entails auditors
                                   having adequate assurance about the conclusion according
                                   to good auditing practice. Auditors can base their
                                   assessment of the acceptability of the audit risk on an
                                   overall assessment of the errors that have been found,
                                   indications of errors, and the result of previous audits.



Page 100                           Guidelines for financial auditing
                                              Conclusions


8.6 Documentation
Auditors must document the information that is of
significance for the conclusions.

As a minimum, documentation from conclusions must
include:
• conclusion for audit objectives with reasons
• conclusion for assertions with reasons
• conclusion for the entity with reasons



Documentation must be compiled continuously, be stored
systematically and appropriately, and be readily available to
those participating in the audit.



8.7 Updating basic data
During the auditing work auditors may reveal facts that
change the risk assessments and supply new knowledge and
information that is of significance for the current or later
years’ audits. Such factors must be included in the auditors’
working papers.

Auditors must update the basic data to ensure that new and
relevant information is documented. This should be done
continuously during the year, and is finalised after the
conclusions for the year have been drawn.

Throughout the audit process auditors must constantly
assess the need for updating the basis data, for example:
• the strategic analysis
• process analyses
• budget and accounting figures
For the strategic analysis and the process analyses it may be
relevant to update the basic data for understanding the
entity and the process, assessing materiality and identifying
and estimating risk.

Throughout the year auditors often base their work on
preliminary budget and accounting figures, the final figures
not being available before the end of the accounting year.
Auditors must be aware that an updating of the budget and
the accounting figures may affect items such as the
materiality limit.

When updating basic data, the date of any amendments
must be given as well as notice of what has been changed
and the grounds for making the change. When inserting
new information, auditors must ensure that all previous
information used as a basis for assessments is not deleted.




Guidelines for financial auditing                               Page 101
                            9 Reporting
                            This chapter is intended to give auditors an understanding
                            of how the OAG reports the result of performed audits to
                            the entities, the ministries and the Storting.



                            9.1 Reporting to the entity and the
                                supervisory ministry
                            When the audit for the accounting year in question has been
  Concluding audit letter   completed and auditors have drawn their conclusions, the
                            OAG sends a concluding audit letter to the audited entity.
                            The concluding audit letter consists of information about
                            the audit, the OAG’s conclusion on the auditing of the
                            accounts, and a short description of relevant performance
                            audits. The audit letter also states whether or not material
                            comments have been made on the entity’s submission of
                            accounts and their accompanying dispositions. Auditors’
                            conclusions on audit objectives, assertions and the entity as
                            a whole are internal working documents and will not be
                            presented directly in the reporting to the entity.



                            Concluding audit letters are not sent for the ministries’
                            financial statements. Those to the entities must be sent by 1
                            July with a copy to the supervisory ministry. If the letter
                            cannot be sent by the deadline, the entity must be notified
                            by 1 July that the concluding audit letter will arrive later,
                            and at the latest by the end of August. An overview of the
                            written communication that has taken place between the
                            OAG and the entity during the audit year must be attached
                            to the letter.



                            More detailed information on compiling this letter is given
                            in the OAG’s guidelines and template for the concluding
                            audit letter.



                            9.2 Reporting to the Storting
                            Each year in Document no. 1 the OAG provides the
                            Storting with collective information about the annual
                            auditing and monitoring activities that have been conducted
                            through financial auditing and corporate control. The report
                            is organised per ministry and is intended to provide a
                            general overview of the result of the auditing.




Page 102                    Guidelines for financial auditing
                                                    Reporting


The report must also incorporate any special comments on
the budget and accounts such as deficient information in
the budget documents, errors and omissions in the central         Budget and accounts
government accounts submitted, errors and omissions in
the explanations, and whether the consumption of resources
in the budget implementation process has been exceeded or
kept to the ascribed limit.



If the audit has detected any material deficiency in the
ministry’s management, goal achievement and performance           Management, achievement of
reporting, this must be stated in the report. This can include    goals and results
an assessment of the ministry’s management and
supervision of subordinate bodies – e.g. the ministerial
responsibility for ensuring that all entities have satisfactory
internal control so that defined goals and performance
requirements can be attained, and whether the use of
resources is efficient and effective and the entity is run in
compliance with current laws and regulations.



An account must also be given for entities that have              Entities that have received
received a concluding audit letter that contains comments –       comments
either as a separate matter or as part of the information on
the individual ministry.



The OAG’s document containing templates and describing
internal routines for reporting to the Storting about the
OAG’s annual audits and monitoring activities (Document
no. 1) gives more details of the information that is included
in the OAG’s reporting to the Storting.



9.3 Documentation
The OAG must document the reporting in the form of:
• a concluding audit letter to the entity with (if
  appropriate) accompanying audit communication
• reporting to the Storting with accompanying audit
  communication

Documentation must be compiled continuously, be stored
systematically and appropriately, and be readily available to
those participating in the audit.

When storing and filing documentation connected to the
reporting to the Storting, the OAG’s administrative rules
must be followed.




                            Guidelines for financial auditing                                   Page 103
           10 Documentation
           10.1 Documentation
           The OAG’s standards relating to documentation state:

           25
           Auditors shall document matters that serve to support the
           Office of the Auditor General’s internal and external
           reports. Documentation also constitutes evidence that the
           audit has been carried out in accordance with best auditing
           practices in the Office of the Auditor General.


           26
           The scope and content of the documentation shall be
           sufficiently adequate and detailed to allow full
           comprehension of completed audits and the conclusions
           drawn on the basis of procured audit evidence. All audits
           shall be documented in accordance with applicable
           guidelines.


           27
           Routines shall be implemented to ensure that the
           documentation is appropriately handled and stored and is
           filed for a period that is both sufficient to meet the needs of
           the Office of the Auditor General and is in accordance with
           regulations and statutory requirements. All audit
           documentation is the property of the Office of the Auditor
           General.



           Auditors must document the material content of the audit.

           INTOSAI’s standard relating to audit evidence states that
           the documentation must:
           • confirm and support the auditor’s opinions and reports
             (comments)
           • increase the efficiency and effectiveness of the audit
           • serve as a source of information for preparing reports or
             answering any enquiries from the audited entity or from
             any other party
           • serve as evidence of the auditor’s compliance with
             Auditing Standards
           • facilitate planning and supervision
           • help the auditor’s professional development
           • help to ensure that delegated work has been
             satisfactorily performed
           • provide evidence of work done for future reference




Page 104   Guidelines for financial auditing
                                             Documentation


10.2 Glossary of terms
Definitions of the terms used are derived from explanations
and definitions in the standard.

The documentation of the audit consists of two parts:            Documentation:
working papers and source material. The documentation            • working papers
can be compiled and stored on paper, film, and electronic        • source material
or other media.

Working papers constitute material compiled by auditors or
the OAG. These papers show what the auditor’s planning of
the auditing has been based on, the date of the performance
of the audit, the scope of the audit procedures conducted,
the results of the audit, the grounds for auditors’
assessments and professional judgement, and the
conclusions that have been drawn.

Source material is documentation that has been prepared by
others and that auditors have considered relevant for the
audit. Material that does not contain facts that are relevant
should only be included in the source material to the extent
auditors regard it as a deficiency if such facts are not
described.



10.3 Scope and content
Auditors must document their work, and the documentation
must also include any communication – both written and
verbal – they have had with the entity. Factors indicating
that there may be irregularities or errors must be
documented separately stating what steps auditors have
taken in the matter.

The scope of the documentation may vary and depends
partly on the size and complexity of the entity. Auditors
should limit the amount of information that is to be filed to
that which is directly relevant to the auditing work. The
documentation must be of a scope that allows another
auditor who has no knowledge of the assignment to gain an
understanding of the work that has been carried out and of
the basis on which the assessments and conclusions have
been made.

The working papers must be adequate and sufficiently
detailed to provide a full understanding of the audit. The      Requirements: working papers
OAG sets the following requirements to the content of
working papers:




                            Guidelines for financial auditing                            Page 105
             Documentation


             • Auditors’ working papers must give information about
               the assessments of risk and materiality, the planning of
               the auditing work – with a description of the audit
               procedures that are to be conducted, and the scope of
               these procedures.
             • The working papers must document performed audit
               procedures with a description of the scope of the
               control, selection criteria, date of their performance and
               the findings that have been made.
             • In their working papers auditors must summarise in an
               appropriate manner the findings and results that have
               emerged during the audit process and must draw the
               necessary conclusions.
             • The working papers must contain all the material
               aspects that require auditors to use their professional
               judgement, as well as auditors’ conclusions concerning
               these aspects.
             • Auditors must date and sign their working papers and
               must ensure that they are stored systematically. Working
               papers are normally input as attachments in PROSIT
               and stored electronically.
             The working papers must be dated and signed by the
             auditor who is conducting the audit. The signature will then
             testify who has carried out the audit, made the assessments
             and drawn the conclusions. The dating must indicate when
             such actions were carried out since the date may have
             significance for subsequent assessments and conclusions –
             particularly if substantial changes are made after the work
             was performed but before the accounts were submitted. In
             such situations auditors cannot base their conclusions on
             previously performed auditing activities without first
             verifying that they are still valid.



             10.4 Organisation and filing
             The main purposes of documentation are to support the
             audit objectives and conclusions as well as the reporting
             made to both the Storting and the entity (the concluding
             audit letter), and to form a basis for subsequent years’
             audits. The scope and structure of the documentation must
             therefore primarily be adapted to these purposes.

             Documentation must be put into an appropriate system and
             must follow the requirements for formulation, recording
             and filing that are set by the OAG at any given time.



             All documentation must be indexed. The index system
  Indexing   must be logical and as self-explanatory as possible, and
             must give each individual document a unique identificator.
             The system must also be flexible so that it is easy to insert
             new documents. Indexing must be structured in a manner



Page 106     Guidelines for financial auditing
                                              Documentation


that enables the assignment, entity, or accounting year to be
identified, and must if appropriate refer to the relevant
procedure or process. In addition, cross-references must be
made between the information in the various working
papers. These cross-references are intended to ensure a
continuous two-way audit trail between the planning, the
performance and the summary or conclusion of the work.

When the audit or parts of the audit are concluded, the
documentation is “sealed” by a table of contents that is
dated and signed. The table of contents must also show
whether working papers or source material have been
extracted, supplemented or changed afterwards. The
“sealed” table of contents must not be changed. However, if
any new information is added, any changes must be clearly
indicated. The table of contents is stored electronically in
PROSIT.

It is not necessary – and often not appropriate – to store all
the source material as part of the documentation. For
material whose storage is the responsibility of others than
auditors – either within or outside the OAG – it is sufficient
to indicate in the table of contents where such material can
be found.




                            Guidelines for financial auditing    Page 107
           11 Quality assurance
           The OAG’s standard relating to quality assurance states:

           28
           Divisions and departments shall carry out quality assurance
           work that usefully serves the individual audit tasks and
           their performance.



           The main goal of quality assurance is to ensure that the
           work performed is of the necessary and adequate quality.
           The audit must be conducted in compliance with principles
           for best auditing practice in the OAG, cf. page 1 of the
           Auditing Standards for the Office of the Auditor General.
           The term “quality assurance” is understood to cover any
           action that has the purpose of ensuring that the audit
           assignment is performed in compliance with best auditing
           practice.

           The guidelines for financial auditing will represent a major
           component of the quality assurance. The audit must be a
           planned, systematic and documented review of the audited
           entity to ensure compliance with specified requirements,
           instructions and rules. The audit must be professionally
           satisfactory, efficient and effective. Requirements must
           therefore be set for planning, performance, reporting and
           documentation. Auditors’ working papers must be fair,
           precise, constructive and relevant.

           The quality of the working papers and the audit
           communication is of prime importance. Due care and
           attention must therefore be ascribed to the audit process.
           This applies not only to the written material, but also to the
           guidelines auditors give when supplying direct competence
           through discussions, their participation in improvements
           etc.

           The quality assurance will assign priority to making quality
           an inherent part of each stage in the audit. The point of
           departure is that quality is primarily created through the
           audit process.



           11.1 Responsibility for quality
           Each individual auditor has an independent responsibility
           for the quality of his or her part of the audit process and for
           ensuring that the auditing performed complies with the
           standards and guidelines for auditing work. The
           responsibility for the quality assurance and quality control
           of the audit process is ascribed to the division manager. In
           divisions and departments, ensuring that due care and



Page 108   Guidelines for financial auditing
                                            Quality assurance


attention is given to the audit process – and to the reports
and the matters that are addressed – is a managerial
responsibility. There must be a continuous collaboration
between auditors and management, which in turn requires
managers to have knowledge of the audit process and also
to participate actively in the planning of the auditing tasks.

The departments are responsible for coordinating and
quality assuring departmental matters vis-à-vis the Board of
Auditors General, and for checking that applicable
methodology is followed.

The division manager is responsible for organising, quality
assuring and approving the work in compliance with
relevant standards and guidelines. This is indicated in
PROSIT by the division manager being termed “approver”.

The division manager can utilise an expert coordinator for
quality assurance throughout the audit process. This does
not alter the responsibility ascribed to the division manager
for the quality assurance of the audit process. To attain
defined goals it is necessary to develop and implement
routines for quality assurance.



11.2 Quality assurance of the audit process
Assurance of achieved quality is obtained through auditors
assuming independent responsibility for the quality of their
work during the entire audit process, and through division
managers reviewing available documentation to assess the
extent to which stipulated methodology is being followed.
The division manager, or a person to whom a division
manager may delegate the task, must assure the quality by
ensuring that:
• the stipulated methodology has been followed, and that
  it complies with best auditing practice in the OAG
• risk and materiality assessments in the strategic analysis
  and process analyses are adequately substantiated
• audit plans are firmly based on the risk and materiality
  assessments
• the work has been performed in compliance with
  approved audit plans
• the work performed and the result of the work are
  adequately documented
• all factors that are of importance for the audit have been
  addressed or taken into account in the conclusions
• the audit objectives have been achieved
• the expressed conclusions are in agreement with the
  result of the auditing work performed
• there is a clear connection between plan, performance
  and conclusions




                            Guidelines for financial auditing    Page 109
           Quality assurance


           11.3 Organisation of the quality assurance
           Division managers must ensure that the quality assurance
           of audit assignments is both adequate and in line with
           standards and guidelines in the OAG. They must also
           decide which quality assurance tasks are to be carried out,
           and how this work is to be organised. The way in which the
           quality assurance is organised is documented by
           establishing quality assurance points in PROSIT. Each of
           these points indicates whether the approver or the expert
           coordinator is to carry out the quality assurance. Division
           managers can allow the auditor responsible for the
           assignment to specify the quality assurance points.

           The expert coordinator can be used for all the quality
           assurance tasks at different levels in the audit process.
           However, it is the division manager who is ultimately
           responsible for the quality assurance.

           Depending on the nature, size and complexity of the
           assignment, the expert coordinator can be used in various
           ways – for example:
           • across several assignments within one area of
             competence
           • continuously throughout the audit process for one
             assignment
           • in one special area in one audit assignment
           The expert coordinator must have the required competence
           to be able to quality assure the auditing work. It is up to the
           division manager to assess whether the person concerned
           possesses such necessary competence.

           The expert coordinator and the approver carry out quality
           assurance on the relevant points and document and file
           their work in line with standards and guidelines in the
           OAG.




Page 110   Guidelines for financial auditing
              Quality assurance




Guidelines for financial auditing   Page 111
Page 112
                                    Integrity


                                    Reliability
                                    Efficiency/



                                    Availability
                                    Compliance
                                    Effectiveness
                                    Confidentiality
                                    Goal orientation
                                                                                                                                        Appendix I




                                    Information criteria
                                                      Existence

                                                      Ownership

                                                      Correct valuation

                                                      Validity

                                                      Correct measurement
                                                                                           Assertions for the accounts




                                                      Completeness

                                                      Correct presentation and




Guidelines for financial auditing
                                                      classification
                                                                                                                         financial auditing and IT-audits




                                                      Dispositions comply with the
                                                                                                                         Connection between assertions for




                                                      parliamentary decisions
                                                      Dispositions comply with laws and
                                                      regulations
                                                      Dispositions are acceptable in the
                                                      light of norms and standards for
                                                      financial management in the
                                                                                           Assertions for compliance




                                                      central government
Guidelines for financial auditing   Page 113
              13        Appendix II             Glossary of terms


Term                   Explanation

Activities             Activities – including control activities – are procedures an entity has
                       initiated to enable it to perform its tasks successfully.

Analysis of residual   Planning and conducting audit procedures to test whether the
risk                   management’s assertions relating to the submission of the accounts and
                       their accompanying dispositions are correct.

                       The purpose of residual risk is:
                       • to conduct a risk-based, efficient and effective audit
                       • to plan and implement further audit procedures in order to test the
                         management’s assertions
                       • to procure appropriate and sufficient audit evidence to enable
                         conclusions to be reached regarding the management’s assertions
                         and the audit objectives.
Analytical review      Analytical review procedures such as procedures for risk assessment
procedures             develop expectations about possible correlations that can reasonably be
– risk assessment      expected to exist.

Analytical review      Analytical review procedures such as substantive tests are review
procedures –           procedures that assess variance and reasonableness in the available
substantive tests      information by comparisons, the use of ratios etc.

Application controls Application controls can be programmed or IT-dependent controls that
                     occur generally in processes. Application controls are intended to ensure
                     that information is correct and is processed at the right time, and that the
                     transactions are only handled once – for example validity controls that
                     ensure that figures are within given limits, or automated reconciliations
                     on erroneous reporting.

Working papers         Working papers are material compiled by auditors or the OAG, and
                       along with source material they constitute the auditors’ documentation.

                       Working papers indicate what the auditors’ planning of the auditing has
                       been based on, the date of the performance of the audit, the scope of the
                       audit procedures conducted, the results of the audit, the grounds for
                       auditors’ assessments and their professional judgement, and the
                       conclusions that have been drawn. Working papers can be compiled on
                       paper or on electronic media.

Concluding audit       See reporting to the entity.
letter

Audit objectives       Audit objectives represent a closer specification of the assertions and
                       should help to ensure that auditors’ subsequent work is goal-oriented.
                       Auditors must break down the assertions into one or more appropriate
                       audit objectives that are to describe the quality that the accounts and
                       their accompanying dispositions are to have at the time of reporting.


         Page 114                                 Guidelines for financial auditing
Term                     Explanation

Subprocess               Large complex processes can be divided into subprocesses if this is
                         deemed appropriate. Division into subprocesses depends on how the
                         audit is to be organised, the size and complexity of the entity and the
                         risk elements involved in the process.

Detailed audit           Detailed audit procedures are a type of substantive test. Auditors check
procedures               the accounts information directly by examining certain transactions,
                         documents or assets.

                         There are four types of detailed audit procedures:
                         •   inspection
                         •   observation
                         •   control calculations
                         •   enquiries/confirmations
Documentation            Documentation of the audit consists of two parts: working papers and
                         source material. The documentation can be compiled and stored on
                         paper, film, and electronic or other media.

                         The main purposes of documentation are to support the audit objectives
                         and conclusions as well as the reporting made to both the Storting and
                         the entity (the concluding audit letter), and to form the basis for
                         subsequent years’ audits.

External factors         These are factors outside the entity that can affect the entity’s ability to
                         achieve its goals. External factors include users, competitors, political
                         decisions and technology.

Ethical values in the The entity’s ethical values are based on the management’s preferences,
entity                value assessments and philosophy. These preferences and value
                      assessments are transferred to norms of conduct and reflect the
                      management’s attitudes to ethical values.

Pertaining               Regulations (found in legislation, parliamentary decisions, guidelines,
regulations              individual decisions etc. and in policy dialogues with the supervisory
                         ministry and each individual entity) that identify how the entity’s
                         primary tasks are to be carried out and that define the performance
                         requirements that have been set to resolve the tasks – e.g. the Taxation
                         Act, the VAT Act etc. with accompanying regulations and annual
                         resolutions, the National Insurance Act with accompanying provisions.

Errors                   Errors are distinguished from irregularities by the fact that the
                         underlying action has been carried out unintentionally.

Enquiries /              Monitoring activities involving auditors procuring information from
confirmations            persons within or outside the entity. This is done in writing or verbally.
                         If it is done verbally, auditors must document this information by noting
                         down in a working paper what has emerged from the conversation – for
                         example bank statements and confirmations of balances.




                 Guidelines for financial auditing                                                      Page 115
                      13      Appendix II             Glossary of terms

      Term                    Explanation

      Ratio analyses          Methods that show correlations between various financial information
                              and that are particularly useful in cases where ratios can be calculated
                              for a sufficient number of years to enable the development in the
                              financial information to be viewed and evaluated.

      Analyses of business Analyses that involve utilising calculations or a series of calculations
      expectations         for forecasting expectations regarding future financial information on
                           the basis of current financial data.

      General (IT)            Controls that apply for all information systems. They are intended to
      controls                secure data integrity, data safety and thereby functioning application
                              controls. The controls include monitoring IT management, infrastructure
                              and procurements as well as the maintenance of software, access
                              controls and emergency plans.

      General regulations     Regulations that contain provisions that all government agencies must
                              follow. General regulations are established to ensure a uniform, open
                              and documented budget and accounting process and uniform
                              government personnel administration. For most entities this will be
                              related to secondary tasks or support functions for the performance of
                              their tasks.

      Remaining audit         The remaining audit procedures are the outcome of the auditors’ risk
      procedures              analysis, the need to convey previously procured evidence to the end of
                              the accounting period, and obligatory procedures related to the
                              submission of the accounts and their accompanying dispositions –
                              including reporting to the central government accounts.

      Residual risk           Residual risk is the risk which on completion of strategic analysis and
                              process analysis is still assessed as being so probable and/or to have
                              such high consequence that it must be followed up by audit procedures
                              in the subsequent audit process.

      Overall reporting       See reporting to the Storting.

      Inherent risk           Inherent risk is the probability that in the financial information and in
                              the entity in general there are dispositions that cannot be accepted, or
                              errors and omissions that are material – either in their own right or when
                              aggregated – when any possible internal control measures are ignored.

      Non-routine             Transactions that are related to more unsystematic or irregular events.
      transactions            Such transactions will often also require involving management
                              personnel – particularly when decisions or approvals of the validity of
                              the transaction are required.

      Information flow in     Information that flows in, through and out of the process.
      the process

      Information             A continuous process intended to help auditors to identify and
      gathering               understand both events that affect the entity at strategic level and the
                              entity’s internal processes.



Page 116              Guidelines for financial auditing
Term                     Explanation

Information system       An information system constitutes routines that handle the information
                         that flows in, through and out of processes in the entity. Information
                         systems can be manual or electronic, and they can include financial
                         systems or administrative systems. More detailed functionality
                         requirements for financial systems – including documentation and
                         security – are given in the regulations concerning financial management
                         in central government.

Inspection               Inspections involve the auditors themselves checking the financial
                         information, transactions and documents (voucher tests) or assets
                         (physical tests) to ensure that the information is correct when compared
                         with the submitted assertions about the accounts and the dispositions on
                         which they are based.

Internal control         Internal control constitutes measures that have been initiated and
                         implemented by the entity’s Board, management and employees and
                         that have been designed to provide reasonable assurance of goal
                         achievement. Goal achievement can therefore be found within the
                         following areas:
                         •   strategic goals that support the entity’s purpose
                         •   goal-oriented and cost-efficient operations
                         •   reliable external reporting of the accounts
                         •   compliance with applicable laws and regulations
Internal factors         Factors or conditions within the entity that can affect the entity’s ability
                         to achieve its goals.

                         Internal factors include organisation, the entity’s management and risk
                         management, information and communication.

Internal audit           An internal audit is an independent, objective confirmation and advisory
                         function. Its purpose is to supply added value and to improve the
                         organisation’s operations. The tasks of an internal audit include
                         reviewing, assessing and monitoring that the accounting and internal
                         control systems are efficient, effective and adequate.

IT environment           An IT environment is present when one or more computers of any type
                         or capacity are used in the entity for the purpose of processing
                         information that is of major importance for the audit. Such computers
                         can be operated by the enterprise itself or by an external person or body.

Source material          Source material is documentation that has been prepared by others and
                         that auditors have considered relevant for the audit. Together with
                         working papers, this constitutes auditors’ documentation. Material that
                         does not contain facts that are relevant should only be included in the
                         source material to the extent auditors regard it as a deficiency if such
                         facts are not described.




                 Guidelines for financial auditing                                                      Page 117
                    13      Appendix II             Glossary of terms

      Term                  Explanation

      Conclusions           Conclusions represent auditors’ assessment of the extent to which audit
                            objectives, assertions and audit objectives have been met. The
                            assessment is based on audit evidence from strategic analysis, process
                            analysis and analysis of residual risk.

                            The purpose of conclusions is:
                            • to decide whether the assertions about the accounts and the
                              dispositions have been met
                            • to decide whether there are material errors or omissions in the
                              accounts and their accompanying dispositions
                            • to provide a basis for reporting the auditing work to the entities, the
                              ministries and the Storting.

      Compliance            Compliance constitutes the OAG’s monitoring of the ministry’s or the
                            entity’s dispositions that form the basis for the accounts. The disposition
                            must be:
                            • in compliance with the Storting’s budget resolutions and intentions
                            • in accordance with laws and regulations
                            • acceptable in the light of norms and standards for financial
                              management in central government
                            Compliance involves examining the extent to which the ministry and
                            the entity have attained the performance targets and objectives that are
                            given in the budget resolution for the accounting year in question.
                            Compared with performance auditing, the financial audit is restricted to
                            matters concerning the accounts for the individual year.

                            The OAG’s compliance process for dispositions is limited to the
                            transactions that have financial importance or are of significance for
                            achieved results compared with intended targets.

      Control activities    Control activities are action plans and routines that safeguard the
                            performance of the process activities. Control activities can be found at
                            all levels in the entity – within both management and operations.

                            There are several types of control activities that an organisation can use
                            to minimise process risk. These include:
                            •   reviews of performance and efforts
                            •   controls integrated into the course of the process
                            •   physical safeguarding
                            •   segregation of duties and functions
      Control calculations Control calculations involve auditors checking documents – for
                           example verifying that the rates used for calculating dues are correct. In
                           this context documents include invoices, entries into the accounts and
                           the writing-off of assets. For entities that base their accounting on the
                           accrual principle, checking the writing-off of assets can be a relevant
                           audit procedure for auditors to conduct.




Page 118            Guidelines for financial auditing
Term                   Explanation

Control risk           Control risk is the probability that a material error or omission will not
                       be prevented or detected and corrected within reasonable time by the
                       accounting or internal control systems. Auditors use their professional
                       judgement to estimate control risk on the basis of the results from
                       strategic analysis and process analysis.

Qualitative            Errors and omissions are regarded as material in cases where the users
materiality            would probably have made other assessments and taken other decisions
                       if they had been aware of the errors.

                       Qualitative materiality is geared towards violations of budget
                       resolutions and/or norms and standards that will affect the users of the
                       information.

                       The materiality assessment is used when auditors are to assess the
                       importance of a risk element for the audit and are to decide the
                       processes to which they are to assign priority during the subsequent
                       audit. The entity’s primary tasks are normally assigned the greatest
                       significance when auditors assess qualitative materiality. However, laws
                       and regulations that govern secondary tasks can be of interest for users.

Quality control        Quality control is an annual systematic review of the division’s auditing
                       work and organisation. It includes all the tasks that auditors are required
                       to perform pursuant to the Act and Instructions concerning the Office of
                       the Auditor General.

                       The quality control is conducted by a working group that has been
                       appointed internally in the OAG and that reports to the Secretary
                       General.

Quality assurance      Quality assurance constitutes a review of the performed auditing work
(in the division)      in order to ensure that it is of good quality. It is carried out by the
                       division manager, the expert coordinator and the auditor responsible for
                       the assignment or an auditor who has not performed the auditing work.

Quantitative           A quantitative determination of materiality is achieved by setting a
materiality            numerical value for how large an accounting error must be for it to be
                       accepted in the accounts without auditors regarding the accounts as
                       containing material errors.

                       Setting a materiality limits has a dual purpose: the limit expresses the
                       auditors’ specification of the users’ requirements for precision in the
                       financial statements, and the distribution of the materiality limit is
                       intended to contribute to producing a more efficient and effective audit.

Management’s           The management must ensure that the measures function as intended.
monitoring             The monitoring can take place continuously or as retrospective
                       supervision, and can take the form of:
                       • monitoring ongoing activities
                       • periodic reviews and evaluations of the performance of the activities
                       • assessment of the internal audit



               Guidelines for financial auditing                                                     Page 119
                       13      Appendix II              Glossary of terms

      Term                     Explanation

      Temporary tasks          Primary or secondary tasks that are of a short-term nature and of limited
                               duration. Some of the entity’s primary or secondary tasks can be of a
                               temporary nature – for instance reorganisation, relocation and the
                               introduction of new financial systems.

      Irregularities           Intentional actions performed by one or more persons in an entity that
                               involve dishonesty and that are carried out to achieve an unlawful or
                               illegal advantage. Irregularities are distinguished from errors by whether
                               the underlying action has been taken deliberately or unintentionally.

      Objective                An expression of a desired result of the entity’s activities, defined by the
                               entity or the supervisory authority.

      Observation              Monitoring that entails auditors considering the activities that are
                               carried out in the entity – for example observation of inventory- and
                               stock-taking.

      Operational risk         Risk related to the performance of the activities in the process. The
                               operational risk is influenced by management, ethics, laws and
                               regulations, technology, planning and budgeting, and human resources.

      Detection risk           Detection risk is the probability that auditors’ substantive tests will not
                               detect the errors that the accounting or internal control systems do not
                               discover.

      Assignment               In the context of auditing, an assignment is synonymous with the
                               audited entity.

      Obligatory               Procedures that must be conducted when the consequence is assessed as
      procedures               high, even though the probability is regarded as low. Obligatory
                               procedures will often be related to the submission of the accounts –
                               including reporting to the central government accounts.

      Planning                 Planning involves structuring, organising and assigning priorities to the
                               auditing work. Planning must be carried out and documented in
                               accordance with applicable guidelines.

      Primary tasks            The tasks that the Storting assumes the entity will perform and that form
                               the basis for the establishment of the entity. Primary tasks are connected
                               to the social tasks for which the entity has been assigned responsibility
                               by the Storting.

                               The primary tasks of most entities are laid down in Proposition no. 1 to
                               the Storting. More details may be given in letters of allocation. Acts of
                               law can govern the primary tasks of some entities – for example the
                               Taxation Act plays a key role for the Inland Revenue Services.

                               The ministries are responsible for implementing and following up
                               parliamentary decisions. The management of subordinate bodies will
                               always represent a primary task for the ministries.




Page 120               Guidelines for financial auditing
Term                  Explanation

Fundamental errors    Errors in the entity’s accounting information or dispositions that the
                      users of the information regard as material but that individually are not
                      necessarily of a considerable sum or extent.

                      Fundamental errors can constitute findings that do not relate to figures,
                      e.g. a breach of the law, regulations or instructions, the fact that action
                      has been taken that is contrary to parliamentary decisions, or that
                      administrative regulations – including norms and standards for financial
                      management in the central government – have not been followed.

Procedures for risk   Procedures for risk assessment are audit procedures that auditors
assessment            conduct in the strategic analysis and process analysis to gain an
                      understanding of the entity and its risk management and to enable them
                      to make a preliminary assessment of the entity’s internal control.

                      The preliminary assessment of internal control is referred to as
                      procedures for risk assessment since some of the information that is
                      obtained through such procedures can be used as audit evidence to
                      substantiate risk assessments. In some cases the procedure can procure
                      audit evidence on the appropriateness of risk management measures or
                      the correctness of the assertions. Procedures for risk assessment are:
                      • enquiries to the management and others
                      • analytical procedures
                      • observation and inspection
Process               A process is a series of activities that the entity has initiated to achieve
                      its goals. It reflects how the entity performs its tasks.

                      Processes are intended to help the entity to achieve its goals and to
                      contribute to minimising the risk of specific threats having a negative
                      impact on the entity. The process has a starting point and a finishing
                      point, with a series of activities in between.

Process analysis      Process analysis is a detailed risk assessment of the processes to which
                      the risk elements are linked in the strategic analysis.

                      The purpose of process analysis is:
                      • to conduct a risk-based, efficient and effective audit
                      • to gather appropriate and adequate audit evidence in order to assess
                        whether the audit can be based on the entity’s internal control system
                      • to assess whether the process goals support those of the entity
                      • to identify residual risk that is of significance for both the audit of
                        the accounts and ensuring the compliance of the dispositions




              Guidelines for financial auditing                                                      Page 121
                      13      Appendix II              Glossary of terms

      Term                    Explanation

      Process activities      Process activities are the work operations the entity carries out to
                              achieve the process goals.

                              A process consists of several types of activities such as:
                              • collecting information (e.g. assessing procurement needs)
                              • processing information (e.g. compiling requirement specifications
                                and assessing bids)
                              • taking decisions (e.g. choosing suppliers)
                              • effectuating decisions (e.g. entering into contracts and paying
                                invoices)

      Process goals           The process goals give a clear description of what the entity should
                              achieve with the process. They must support the entity’s goals.

      Assertions              When the management submits the accounts, they “assert” that the
                              financial statements are correct and that they have made the dispositions
                              within the indicated authorisations. To enable auditors to state that the
                              assertions are correct, they must procure adequate and appropriate audit
                              evidence. The OAG has established two sets of assertions – one for the
                              audit of the accounts and one for the compliance of the dispositions.

      Framework               The goals and limitations laid down by the supervisory authority that
      conditions              governs the entity’s activities. Government agencies are established to
                              carry out certain tasks, and their framework conditions are laid down by
                              the Storting – for example through the annual budget resolutions. The
                              Storting also makes appropriations to the entities to enable them to
                              perform their tasks. The operations and the performance of tasks in the
                              entities are governed by the decisions and intentions resulting from the
                              budget deliberations.

      Reporting to the        When the audit has been completed, the OAG sends a concluding audit
      entity                  letter to the entity. The concluding audit letter consists of the conclusion
                              of the annual audit (financial auditing) and a short description of the
                              performance audit’s projects. The form the letter takes depends on
                              whether or not material comments have been made on the entity’s
                              submission of the accounts and their accompanying dispositions.

      Reporting to the        Each year the OAG reports to the Storting in Document no. 1.
      Storting                Document no. 1 is organised per ministry and contains overall
                              information on the annual audit and the monitoring activities that have
                              been conducted through financial auditing and corporate control.

      Accounting              Accounting estimates are transactions that are based on subjective
      estimates               assessments and that therefore have a high risk. They can be
                              transactions that involve write-downs, provisions or estimates of value.

      Assertions about the See assertions.
      accounts

      Audit of the            An audit of the accounts constitutes the procedures that are necessary to
      accounts                confirm that the accounts are complete, accurate and reliable.


Page 122              Guidelines for financial auditing
Term                    Explanation

Audit evidence          The information auditors have acquired and documented to substantiate
                        their assessments and conclusions.

                        Audit evidence is gathered through audit procedures in all phases of the
                        audit process.

Audit findings          The result of the performed audit procedures.

Audit procedures        Procedures that auditors conduct to procure appropriate audit evidence
                        to substantiate assessments and conclusions concerning defined audit
                        objectives. Audit procedures can be carried out as procedures for risk
                        assessment, tests of controls or substantive tests.

Audit                   Information that is given verbally to the audited entity and if appropriate
communication –         to the supervisory authority, including verbal advice – for example
verbal                  summarising meetings.

Audit                   Continuous communication of findings and the concluding audit letter
communication –         to the entities, as well as the reporting of results to the Storting in
written                 Document no. 1.

                        When the expression “reporting” is used, it means the external reporting
                        about the audit to the entities and the Storting.

Audit process           Systematic methodology the audit must follow from strategic analysis to
                        reporting.

Audit objectives        The objective of a financial audit is to confirm that the accounts do not
                        contain material errors or omissions and that the dispositions on which
                        the accounts are based are in accordance with parliamentary decisions.
                        The OAG’s objectives are laid down in the Act and Instructions
                        concerning the Office of the Auditor General.

Audit plan              A management tool for performing the individual audit assignment. The
                        plan must contain priorities, organisation, the estimated resources
                        required and the time schedule. It is normally approved by the division
                        manager. Any updates to the plan must be quality assured.

Audit programme         An audit programme is a detailed plan of the audit procedures that are to
                        be conducted. The audit programme contains relevant assertions about
                        the accounts and audit objectives along with the audit procedures that
                        are related to these. Audit programmes indicate the framework of the
                        audit procedures and govern the performance of these procedures.

Audit risk              Audit risk is the overall probability that on completion of the audit there
                        will be material errors or omissions in the accounts and their
                        accompanying dispositions that have not been detected. Audit risk is the
                        product of inherent risk, control risk and detection risk.




                Guidelines for financial auditing                                                     Page 123
                      13      Appendix II             Glossary of terms

      Term                    Explanation

      Audit risk model        The audit risk model is a model that helps auditors to determine how
                              comprehensive the audit work must be to attain the desired assurance
                              for the conclusions. The model consists of four elements: audit risk,
                              inherent risk, control risk and detection risk.

      Auditor                 An auditor is any person who carries out auditing work for the Office of
                              the Auditor General.

      Risk                    Any event that can occur and have a negative impact on goal
                              achievement.

      Risk analysis           A systematic assessment of the factors that affect the entity and that can
                              lead to its goals not being achieved. Risk analyses are conducted using a
                              top-bottom approach. They start at strategic level and gradually become
                              more detailed. The purpose is to direct the auditing work towards risk
                              that is identified at a general level.

      Risk evaluation         An evaluation of the importance that risk elements have for the audit
                              and whether they are to be included in the subsequent audit process.
                              Risk evaluations provide a basis for making priorities between the risk
                              elements auditors are to follow up in the subsequent auditing.

      Risk estimate           Estimating the correlation between the degree of probability that an
                              event will occur and the consequence such an occurrence will have.
                              Risk estimates are conducted at both strategic level and process level.
                              Auditors estimate the consequence and probability as high or low and
                              give reasons for their estimate.

      Risk element            An event with an unknown outcome that may lead to the entity not
                              achieving its goals.

      Risk level              The scope of probability and consequence for each risk element and for
                              overall risk at strategic level and process level.

      Routine transactions Routine transactions are transactions that follow a fixed system and that
                           occur regularly over a period of time. These are transactions the entity is
                           familiar with, and they are often handled according to fixed and reliable
                           procedures. They can be main salary transactions, rental payments,
                           calculations, automatic payments of demands for dues and taxes, and
                           reminders.

      Secondary tasks         Tasks intended to secure the operations of the entity and to ensure that
                              the activities are run according to laws and regulation, and to enable the
                              entity to submit accounts and to report the results attained.

                              The majority of entities have secondary tasks such as staffing and
                              payroll duties, purchasing and storage, management and supervision,
                              the annual submission of accounts and reporting. Regulations for these
                              tasks include those relating to public procurement, the regulations for
                              financial management in the central government and the Civil Service
                              Handbook.



Page 124              Guidelines for financial auditing
Term                   Explanation

Strategy               The overriding and long-term choices the entity has made to ensure goal
                       achievement.

Strategic analysis     An assessment of the entity’s external and internal factors that are of a
                       general nature that can influence the extent to which the entity achieves
                       its goals.

                       The purpose of the strategic analysis is:
                       • to plan a risk-based, efficient and effective financial audit: an audit
                         of the accounts and the compliance of the dispositions
                       • to provide a basis for discussion with the Board and management on
                         objectives, risk and risk management
                       • to provide input to the general risk assessment
                       • to identify processes

Substantive tests      Substantive tests are tests that are conducted to obtain audit evidence to
                       prove that the financial statements and the dispositions on which they
                       are based do not contain materially incorrect information when
                       compared with the submitted assertions.

Tests of controls      Tests of controls are procedures that are conducted to test control
                       activities that the entity’s management has established to manage risk.
                       Tests of controls as audit procedures can have two purposes.

                       In the process analysis the purpose of tests of controls will be to assess
                       internal control by testing whether the measures the management have
                       initiated are satisfactorily followed up. The result of this testing of
                       controls contributes to determining the scope and the angle of approach
                       for the substantive tests that must be performed to procure sufficient
                       audit evidence.

                       In the analysis of residual risk, auditors can use tests of controls to
                       procure evidence to show that the established internal control measures
                       and control activities function when substantive tests alone do not
                       provide adequate and appropriate audit evidence.

Letter of allocation   The ministries make appropriations available to subordinate bodies
                       through letters of allocation. The content of such letters includes prime
                       goals, management parameters, the amount allocated, reporting
                       requirements and the authority that has been delegated to the entity in
                       accordance with the appropriations regulations.

Trends analysis        Trends analyses are analyses that have occurred since previous periods.
                       There are a number of analysis techniques – for example comparing
                       periods that are appropriate in the planning phase.




              Guidelines for financial auditing                                                     Page 125
                    13      Appendix II              Glossary of terms

      Term                  Explanation

      Sampling method       A method for selecting the units and transactions to be examined. When
                            developing audit procedures, auditors must decide on the sampling
                            method.

                            The various methods for sample-based auditing include:
                            •   sampling of all units (100 per cent testing)
                            •   sampling of selected units
                            •   representative testing
                            •   multi-stage sampling
      Advice                Advice and recommendations for the entity that are based on
                            professional expertise, knowledge of the entity and other relevant
                            competence.

      Materiality           Auditors must regard errors and omissions as material in cases where
                            the users would probably have made other assessments and taken other
                            decisions if they had been aware of the errors. The assessment of
                            materiality is based on both quantitative and qualitative considerations
                            and is one of the factors that govern what is to be audited and the scope
                            of the audit that is to be conducted.

      Entity                In these guidelines the term “entity” is used to describe the entity that is
                            being audited, irrespective of whether this is a ministry, a government
                            entity or an entity that has a different form of organisation. The term is
                            also used in cases where the audit assignment has been made mandatory
                            in another way – for example by law or agreement.

      Financial crime       Financial crime is a collective term for a number of different types of
                            crime and in general describes the crime that is linked to business and
                            industry and other organised enterprises in the private and public
                            sectors. It constitutes actions that involve violations of laws and
                            regulations and that are performed to achieve personal gains. It also
                            covers irregularities and corruption.

      Review of             This is the management’s review of performance and efforts in the
      performance and       process in order to ensure that the work in the process is actually carried
      efforts               out and is of the right quality. An IT environment will often contribute
                            to this task by producing different types of reports and logs that assist
                            the management.




Page 126            Guidelines for financial auditing
           Appendix 3 Literary references


           Knechel, W. Robert     Auditing assurance and risk
                                  ISBN 0-324-02212-1

           Lillestøl, Jostein     Statistiske metoder i revisjon
                                  (Statistical methods in auditing)
                                  ISBN 82-456-0114-4

           NRRF/NRSR              Descartes revisjonsmetodikk
                                  (Descartes’ audit methodology)
                                  ISBN 7082065-2

           IIA                    GTAG – Information Technology
                                  Controls, 2005




Page 128          Guidelines for financial auditing

								
To top