[toc-this]

Instructions

The ECA has determined as a matter of policy that audit risk (AR) is normally 5% for audits providing reasonable assurance. As a consequence the

[a-glossary term="degree%20of%20assurance"]degree of assurance[/a-glossary] 

is DA = 100 - AR = 95%. The ECA applies an assurance model indicating the level of confidence (to be) derived from the two principal sources of the

[a-glossary term="Statement%20of%20Assurance"]Statement of Assurance[/a-glossary] 

, supervisory and control systems and substantive testing. Furthermore, for audits of the legality and regularity of the underlying transactions, additional audit evidence may be available from two supporting sources:

• the Annual Activity Reports (AARs) and statements by the Directors-General, which constitute written management representations. Because of the importance of compliance in the EU context, the auditor analyses representations provided annually by Directors-General on the discharge of their responsibility for the legality and regularity of transactions, particularly in areas where direct evidence is not available to the auditor.
• the work of other auditors. This refers to the external audits carried out by other auditors, such as the Supreme Audit Institution of the relevant member state or the certifying bodies of the member states.

The starting point is the assessment of the inherent risk (high/not high) and the preliminary assessment of control risk (low, medium, high). The aim is to estimate the

[a-glossary term="degree%20of%20confidence"]degree of confidence[/a-glossary] 

that can be derived from the control systems. Depending on the results, the level of substantive testing needed to arrive to desired confidence level has to be determined. Given that 95% confidence is generally required of audit testing, the nature and extent of planned audit tests will vary, depending on the auditor's assessment of both inherent and control risk, known as the combined risk assessment. For our statement of assurance legality and regularity audits, we determine the overall sample size for the total EU expenditure population based on the categorisation of EU expenditure into low- and high-risk population (considering previous results of our work) and our assumptions regarding the estimated level of error and the standard deviation. We use the

[link title="Assurance%20model" link="%23Assurance-model" /] 

to determine the sample sizes per MFF heading, considering the size of respective accepted expenditure, its assessment as being high-risk or low-risk and the aim of providing a specific assessment (or not).

Values assigned to different risks

The following table shows the components of the audit risk model, and the resulting types of audit tests to be carried out. Values are assigned for the assessed inherent risk (not high = 0,6 and high = 1,0) and assessed control risk (low = 0,15; medium = 0,25 and high = 1,0. As ECA's audit risk is set at 5%, and the auditor estimates the inherent risk and control risk, detection risk is calculated using the audit risk equation DR = AR/(IR x CR).

Assurance model

Assessed inherent risk (IR)	Evaluation of internal control systems	Assessed control risk (CR)	Assurance obtained from combined risk assessment	Residual level of substantive testing to be carried out	Corresponding minimum degree of confidence to be derived from substantive tests (%)	Corresponding minimum sample size
Not high	Excellent	Low	High controls assurance	Minimum	45	30
	Good	Medium	Medium controls assurance	Standard	67	55
	Poor, or where controls not tested	High	Low controls assurance	Focused	92	125
High	Excellent	Low	High controls assurance	Standard	67	55
	Good	Medium	Medium controls assurance	Standard	80	80
	Poor, or where controls not tested	High	Low controls assurance	Focused	95	150

For example, for the best-case scenario (IR = 0,6 and CR = 0,15) with audit risk at 0,05, detection risk is 0,55 (0,05 / 0,6 x 0,15). By definition, the confidence level to be derived from substantive testing is 45% (1 - 0,55). (1) It is for the auditor to decide whether the work and the results obtained as part of the overall evaluation of supervisory and control systems and substantive testing are sufficient to provide the required confidence level in the context of the audit in question. This table should be used indicatively. Where there is difficulty carrying out all the necessary audit work and reaching the confidence level of 95%, either more audit evidence must be obtained by other means (e.g. using the results of systems evaluations and substantive tests by Commission departments, member states and/or other auditors), or the scope of the audit conclusion must be limited. (2) The table is based on the hypothesis that the samples have been randomly selected. When a two-stage sampling method is used, the sample size should be increased by 20% to compensate for the increased sampling risk (i.e. the risk that all transactions at second-stage sampling do not have the same probability to be drawn). (3) Sample sizes are rounded to the nearest multiple of 5.

Possible combinations of tests of controls and substantive testing

Minimum substantive testing: Tests of controls are performed, plus a limited amount of substantive tests. Some substantive tests should always be carried out due to (i) the risk of collusion, management override of controls, etc., and (ii) the fact that the ISAs/ISSAIs state that all material accounts should be tested. It is emphasised that, if intending to derive confidence from controls, those controls should be tested. Standard substantive testing: Tests of controls are performed, as well as a relatively large number of substantive tests, as most of the required confidence is derived from substantive testing. Focused substantive testing: The required confidence is largely derived from substantive tests. Note that some control tests may be carried out for the purpose of providing feedback to entity management about control weaknesses. [/toc-this] 

[toc fixed="true" selectors="h2%2Ch3" class="basic-toc" /]