Annexes to COM(2007)280 - Annual Report to the Discharge Authority on Internal Audits Carried out in 2006 - Main contents
dossier | COM(2007)280 - Annual Report to the Discharge Authority on Internal Audits Carried out in 2006. |
---|---|
document | COM(2007)280 |
date | May 30, 2007 |
List of finalised Commission audits and reviews:
DG/Service | Engagement | Issued |
Reviews, administrative and other support systems |
32 IACs | 32 IAC quality reviews and one overview report | 12 October |
ADMIN | Human resources management I | 7 April |
ADMIN | Human resources management II | 27 October |
COMM | Follow-up of 2003 in-depth audit | 24 October |
DIGIT | Data centre-operations and security | 8 December |
EPSO | Selection process as managed by EPSO | 7 April |
OPOCE | Follow-up of 2004 in-depth audit | 18 December |
PMO | Regularity of financial management, implementation of financial circuits | 8 December |
SCIC | Financial management and procurement | 22 September |
Internal policies |
ADMIN, SG, BUDG, SANCO, TREN, COMP | SPP/ABM cycle in the Commission | 27 November |
COMP | Effectiveness and efficiency of the SPP/ABM cycle | 20 July |
SANCO | Effectiveness and efficiency of the SPP/ABM cycle | 7 April |
TREN | Effectiveness and efficiency of the SPP/ABM cycle – resource allocation | 10 April |
SG, MARKT, ENTR, ENV, TREN | Overview report: Monitoring the implementation of EC law | 22 December |
ENTR | Monitoring the implementation of EC law | 5 December |
MARKT | Monitoring the implementation of EC law | 7 November |
TREN | Review of monitoring the implementation of EC law | 14 December |
JLS | Large IT project management | 8 June |
MARKT | Local IT | 10 November |
SANCO | IT management | 8 December |
TAXUD | Large IT systems | 24 January |
COMM | Contract management | 11 October |
EAC | Implementation of ABAC | 30 June |
ENTR* | Financial management of the IRC network | 6 April |
ENV | Follow-up of in-depth audit | 9 February |
INFSO | Follow-up of 2004 in-depth audit | 7 December |
JRC | Interim follow-up audit report | 9 February |
RTD | Ex-post controls | 21 December |
Structural Measures and Common Agricultural Policy |
AGRI, EMPL, FISH, REGIO | Overview report Structural Funds (Article 38) | 8 March |
REGIO | ERDF | 21 February |
FISH | Follow-up of 2004 in-depth audit | 18 December |
REGIO | Financial corrections in Cohesion Fund | 22 November |
External Policies |
AIDCO | Interim follow-up audit report | 22 February |
AIDCO, ECHO | Implementation of framework agreement with UN agencies, combined with ECHO monitoring and management reporting system – overflow 2005 audit | 28 July |
ELARG | Ex-post control activities | 20 December |
RELEX** | Ex-post control activities | 22 December |
RELEX | Follow-up note | 31 October |
*Joint audit with DG ENTR, ** Joint audit with DG RELEX
2.4. Acceptance of recommendations and views of auditees and stakeholders
In 2006 the rate of acceptance of audit recommendations by auditees was 89.4%, with 7.9% rejected and 2.7% pending[3].
Commission audits (excluding IAC quality review) |
Recommendations | Accepted | Rejected | Pending* | % | Total |
Critical | 11 | 1 | 0 | 2.9 | 12 |
Very important | 182 | 6 | 8 | 48.3 | 196 |
Important | 162 | 25 | 3 | 46.8 | 190 |
Desirable | 8 | 0 | 0 | 2.0 | 8 |
% | 89.4 | 7.9 | 2.7 | | |
Total | 363 | 32 | 11 | | 406 |
* Being considered in the context of a Commission decision
As concerns the IAC quality review, 241 recommendations were issued, of which 228 were accepted and 13 were rejected.
Auditees' feedback on the audit scope and the conduct of the audit yielded an average result of 1.95 (previous year: 1.82) on a scale from 1 (highest) to 4 (lowest). In a fresh stakeholders' survey at the end of 2006, 75% thought that the IAS had a clear audit strategy (compared with the previous result of 79%), 86% that audits were performed with honesty, objectivity and fairness (down from 93%) and 61% (previously 63%) that the IAS recommendations are readily useful. In all, 80% (up from 71%) considered that the mission of the IAS is well understood.
3. FINDINGS
3.1. Quality review of all IACs
This quality review of IACs took the form of validation reports by the IAS on 32 individual IAC self-assessments and the resulting overview report. The objective was to assess the IACs' conformity with the Institute of Internal Auditors' (IIA) Standards for the Professional Practice for Internal Auditing and the Code of Ethics. Eleven of the 32 IACs were found to be generally compliant with both attribute and performance standards, 17 were partially compliant and 30 were found to be compliant with the Code of Ethics. This clearly shows that the effort to increase professionalism and compliance with audit standards has to be maintained.
This review triggered discussions and reflections on the role and organisation of internal audit within the Commission. Considering that some 120 auditors work in the IACs and around 60 for the IAS, there is a clear need for a common definition of the audit universe, risk assessment and coordinated audit planning. Without prejudging any further Commission decision, some IAS proposals related to the independence of the IAC and the possibility for a head of IAC to address a party outside the DG are currently being examined with the IACs. The APC will review implementation of the IAS proposals in July 2007.
3.2. Governance, planning and organisation
Monitoring the implementation of EC law
The timely and correct implementation of EC legislation is primarily the responsibility of the Member States, but as “guardian of the Treaty” the Commission has a monitoring task. In order to improve monitoring of implementation of EC law, the IAS proposed a risk-based plan on transposition of EC directives, a more systematic approach to verification of implementing measures at the level of Member States, prioritisation criteria for complaints and infringement cases and maximum throughput times for the most important cases. A Commission Communication on monitoring EC law is currently being prepared and is expected to be adopted by the end of 2007.
Implementation of SPP/ABM process
While the DGs audited were found to be formally in compliance with the Commission rules on SPP/ABM and the corresponding Commission Internal Control Standards, the IAS considers that further progress is needed on the effectiveness and efficiency of the SPP/ABM cycle so that DGs can move from formal compliance to real ownership and to leverage the benefits for internal management. Some IAS recommendations have already been implemented, such as the need for multi-annual strategic planning and to take into account core business instead of focusing exclusively on new initiatives in the APS. The IAS also recommended screening. In response to the European Parliament's request, the Commission has prepared an assessment of its mid-term staff needs and a detailed report on the staffing of support and coordination functions. Progress has also been made on integrating risk management into the policy-making process. Other recommendations, such as developing a strategy to support the SPP/ABM cycle with IT and full monitoring of human resources allocations have not been taken on board.
IT management/systems
The IAS audited the Commission's data centre and IT management in four operational DGs and the risk analysis was confirmed by five (out of a total of twelve) resulting critical recommendations.
Two critical recommendations related to physical security in the JMO and BECH buildings in Luxembourg. Another very important one was to set up a comprehensive disaster recovery plan covering all critical information systems hosted in the Data Centre. This is linked to the fact that DGs might not be sufficiently prepared to ensure the continuity of their operations, as reliable information on their critical systems was not available.
The Schengen Information System (SIS II) was found to have suffered from inadequate project management, in particular insufficient monitoring of contractors' performance due to insufficient specialised staff and non-optimised use of staff, leading the Commission to rely heavily on the quality and reliability of the contractor.
Measures should also be taken to ensure that all DGs fully comply with Regulation (EC) No 45/2001 on the protection of personal data and that the local information security officer performs sufficient controls and acts independently.
IT-related audits were also carried out by three IACs. Issues identified at local level included the need for a thorough planning process for IT applications, definition of the role of project owners and the need to have a complete local IT inventory.
3.3. Management of EU funds
Structural Funds
The objective was to determine whether the Commission has put in place a system to verify if the control systems presented by Member States meet the required standards, to assess the controls put in place at DG level, including assessment of cooperation with Member States, and to evaluate ex-post controls carried out by the structural funds DGs. The IAS recommended that reporting requirements for authorising officers by sub-delegation should be defined more precisely. Structural Funds DGs should establish a common audit strategy, based on the coordination work already undertaken. Greater coordination with Member States, including through "contracts of confidence", improved compliance with minimum auditing standards and a clear and precise audit opinion or disclaimer would improve the assurance process. The main audit results should be clearly disclosed in DGs' annual activity reports in order to obtain a fuller picture of the level and type of assurance given on the management and control systems put in place by the Member States.
The IAS considers that the financial correction procedure for the cohesion fund should be significantly improved to reduce its overall length. In order to avoid the risk of non-compliance with the Financial Regulation and other rules, the interpretation of the "net reduction" principle and the application of the "flat rate" correction criterion should be clarified. The financial reporting should be reinforced as well, in particular with regard to the forecasting of revenue.
FAFA (Financial and Administrative Framework Agreement with the UN)
The objective of the audit was to evaluate compliance with the FAFA and the capacity to obtain assurance about the use made of EU funds. The IAS identified a risk that the EU funds might not have been used for intended purposes, especially as the reporting of indirect costs lacked transparency. The audit demonstrated the usefulness of the FAFA, which provided a much needed reference framework for cooperation between very diverse partners on both sides of the EC/UN partnership. The APC invited the IAS to assess the materiality of the residual risks with regard to indirect costs in particular, associated with the overall controls on EC/UN funding in the framework of the FAFA and the UN financial control system.
Ex-post controls on research activities
These audits were carried out to assess the compliance, efficiency and effectiveness of ex-post controls on research activities, which are instrumental for a positive declaration of assurance. In line with the ECA's last annual report, the IAS found that ex-post control activities were unsatisfactory and that coordinated and risk-based planning of ex-post controls is needed. The IAS recommended that objectives of ex-post controls and the underlying strategy should be defined more clearly and the results should be better documented in the DGs' annual activity reports. Sufficient coverage of the auditable programmes and beneficiaries should be guaranteed. The requirements of the Financial Regulation should be met in terms of forecasts of revenue from cost claims following ex-post controls. The coverage by ex-post controls is clearly insufficient compared with the control objectives, which led to a reservation entered in the annual activity report.
3.4. Human resources management
These reviews covered planning, recruitment, mobility, underperformance, absenteeism and the system of internal controls in the selection process for permanent staff. The IAS pointed to the need for DG ADMIN to play a greater coordinating and monitoring role, with the aim of ensuring the consistent application of human resources management policies across the Commission. The IAS also proposed making human resources management an integral part of the Commission's strategic planning/management process in order to improve the match between the needs of the DGs and the availability of human resources and to develop a long-term vision for effective human resources management.
IAS proposals included developing workload indicators, setting targets for vacancy rates and the lead time to recruit, achieving better management of compulsory mobility, reconsidering the ratio between permanent and temporary staff and ensuring better management of underperformance by improving the human resources skills of managers. Introducing a series of control and monitoring activities in the recruitment process could make it easier to organise the appropriate number of competitions in the right areas and to increase the number of successful applicants finally recruited.
The IAS also found a lack of a long-term human resources strategy or the need for improved planning of human resources allocation in the audits relating to the SPP/ABM process.
Human resources management was also the subject of audits by two IACs in 2006, in which strategic planning and efficient resource allocation featured prominently in the recommendations. Very important recommendations in a number of other IACs' audit reports also related to human resources issues.
3.5. ABAC
The implementation of the new accrual-based accounting system (ABAC) is a major challenge for the Commission. In 2006 both the IAS and ECA included ABAC audits in various DGs in their audit plan. Considering that one of the principal obligations of the ECA as external auditor is to give its opinion on the consolidated financial statements, the IAS decided to cancel planned ABAC audits in a number of DGs covered by the ECA and, in close cooperation with the ECA, to perform an audit on implementation of accrual-based accounting in DG EAC which covered the transition process to accrual based accounting as well as the 2005 year-end closing of the accounts in DG EAC.
Based on the results of the IAS audit the accounting control systems of DG EAC appeared inadequate to ensure the completeness, accuracy and reliability of the accounting data. Therefore, the year-end accounting entries reported by DG EAC did not give a true and fair view of the financial position and performance of DG EAC. IAS opinion was based mainly on the lack of adequate documentation of the year-end closing procedures, the absence of full reconciliation between the local systems and the central accounting systems plus significant accounting errors in the accrual calculations with a material impact on the account balances.
3.6. Follow-up
As production of audits has continued, follow-up has become an increasingly important issue and is now subject to a systematic approach and separate reports. The IAS's 2006 year-end report, issued in February 2007, concluded that while the number of outstanding recommendations is falling, significant delays still exist: 50% of outstanding critical and very important recommendations are overdue by more than six months. Therefore there are still significant weaknesses in management's implementation of action plans.
In two cases the IAS concluded that the level of implementation of the pending recommendations was not sufficient to carry out a full follow-up audit. Recommendations from past IAS annual reports by the internal auditor should also be followed up. Examples of recommendations that were not sufficiently followed up in 2006 include the proposals on IT governance and the consolidation of IT infrastructure.
4. CONCLUSIONS
On the basis of his 2006 Commission audits and reviews and related work, the Internal Auditor of the Commission draws the following conclusions (the Commission's position is contained in the synthesis report on the annual activity reports of the Directors-General).
IAS Conclusion 1: Continue improvement efforts
The IAS audit work found clear improvements in the internal control systems in many areas. Big steps have been taken by the Commission to improve the control environment, for instance the Communication on business continuity, the ethics day and the focus provided by the high-level group looking at EC law. However, there are also still major weaknesses and further efforts are needed, as illustrated by the number of critical IAS recommendations (twelve) and the number of audits with adverse IAS opinions (nine). Areas for improvement include ex-post controls, IT (buildings, data security, adequate staffing and planning processes for IT projects and continuity of services), implementation of new accounting rules and contract management[4] (oversight of use of framework contracts, monitoring of subcontracting and multiple roles of a single service provider).
IAS Conclusion 2: Follow-up, a recurring issue
The overview reports on follow-up show that the culture of follow-up proposed in the 2005 report has not yet been fully established. Further efforts must be made in the Commission in order to ensure proper, systematic and swift follow-up of audit recommendations. Implementation of internal and external audit recommendations is vital to achieving the Commission’s strategic objective of a positive DAS.
IAS Conclusion 3: Integrated Human Resources strategy
Not only the reviews of the human resources management, but also the audits of the SPP/ABM process, of monitoring of implementation of EC law and of IT management showed that a long-term strategy for human resources management is an important factor in success and that inadequate allocation of human resources can have a substantial negative impact on the operations and reputation of the Commission. DG ADMIN, as the central service in charge of human resources management, together with the decentralised human resources units in DGs and services, should develop a strategy fully aligned on the strategic planning process.
IAS Conclusion 4: Improve the efficiency and robustness of internal audit architecture
The Commission has a two-tier system of internal audit: the IACs and the IAS, which closely reflects the Commission’s governance architecture. The quality review concluded that the vast majority of IACs partly or generally complied with the standards. However, the efforts to increase professionalism should continue and the recently introduced coordinated planning process should be solidly embedded in order further to improve the overall efficiency of internal audit work in the Commission. Without prejudging any further Commission decision, some issues, such as further strengthening the independence of IACs by giving them the possibility to escalate issues at a corporate level in the Commission, were openly discussed and are still pending; they will be revisited by the APC in 2007.
IAS Conclusion 5: Annual governance statement
A number of governance-related issues were addressed in the audits finalised in 2006 (SPP/ABM, monitoring of EC law, etc.) and in the IAC quality review; governance issues were also focused on at the 2006 IAS conference. The Commission has laid a solid foundation for its governance. In order to achieve full maturity and to make its governance architecture and its latest developments known to stakeholders, the Commission should describe its governance policy and practice, preferably in the synthesis report summarising the DGs' annual activity reports, make it available on its website and provide for its regular updating[5]. Such a description could include explanations of the Commission's risk management system, strategic planning, the code of ethics, the role of the Accountant, the internal control systems, internal audit and the APC. In this way, the Commission could increase credibility and trust on the part of its stakeholders and EU citizens.
[1] In some cases, however, agency audits resulted in recommendations concerning the Commission and are taken into account in the statistics in Section 2.4.
[2] Council Regulation (EC, Euratom) No 1995/2006 of 13 December 2006 amending Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities (OJ L 390, 30.12.2006, p. 1).
[3] Commission audits only, excluding the IAC quality review.
[4] A number of IAC audit reports also related to efficient contract management in public procurement.
[5] Directive 2006/46/EC (OJ L 224, 16.8.2006, p. 1) placed an obligation on companies whose securities are admitted to trading on a regulated market and which have their registered office in the Community to disclose an annual corporate governance statement as a specific and clearly identifiable section of their annual report.