Annexes to COM(2008)499 - Council - Annual report to the discharge authority on internal audits carried out in 2007


annexed.

DG/Service | Engagement | Issue date |

Administrative and other support systems |

SG/BUDG/REGIO/ EMPL/RTD/ ADMIN/DIGIT/INFSO/ JLS/AIDCO | AAR Assurance Process | 21 January 2008[3] |

ADMIN | Follow-up human resources management phase I | 13 December |

BUDG | ABAC - implementation of accrual based accounting | 3 May |

BUDG | Comparative Analysis of the Accruals-Based Accounting Systems and Financial Reporting as Implemented by the European Commission and some Member States | 26 April |

COMM | Examination of the purchase of office buildings in Cyprus | 14 September |

COMM | Special report on tendering procedures for transmission services in DG COMM | 14 December |

DGT | Management of translation demand | 13 June |

DGT | Follow-up of IAS validation of self-assessment of the IAC of DGT | 14 December |

DIGIT | IT procurement and service delivery in DG DIGIT | 5 December |

EPSO | Follow-up on limited review of the selection process as managed by EPSO | 18 December |

ESTAT | Second follow-up audit of the in-depth audit of Eurostat | 9 March |

ESTAT | IT procurement and service delivery | 20 November |

OIB | Management of procurement contracts in OIB | 3 April |

OIB | Management of buildings procurement contracts by OIB | 3 April |

OIB | Follow-up on buildings infrastructure managed by the European Commission | 8 February |

OIB | Follow-up on transaction testing | 20 April |

OIB | Evaluation of targeted ICS | 4 October |

OIL | Management of procurement contracts | 3 April |

PMO | Controls over payment of pensions | 7 September |

SCIC | Follow-up of validation of self-assessment of the SCIC IAC | 29 November |

Internal policies |

COMP | Follow-up report on the audit of IT controls | 16 May |

EAC | ABAC - implementation of accrual-based accounting in DG EAC/2006 closing | 18 July |

EAC | Follow-up report on the implementation of ABAC | 18 July |

EACEA | Implementation of the financial circuits for operational budget of the EAC executive agency | 19 March |

ENTR | Management letter ex-post controls | 20 April |

ENTR | Follow-up report on the financial management of the innovation relay centre (IRC) network | 23 October |

ENTR | Follow-up of validation of self-assessment of the DG ENTR IAC | 18 December |

ENV | Monitoring the implementation of EC law | 22 January |

ENV | Second follow-up audit of DG ENV's 2004 in-depth audit | 29 March |

ENV | Grant management of non-life programmes | 18 September |

INFSO | Ex-post controls | 20 February |

JRC | Second follow-up of in-depth audit of the JRC of 2004 | 21 September |

MARKT | Follow-up report on DG MARKT financial management and financial circuits | 18 January |

RTD | Follow-up report on the in-depth audit of DG RTD (2003) and the audit on financial circuits & financial management in DG RTD (2005) | 16 March |

RTD | IT procurement and service delivery | 30 November |

TAXUD | IT procurement and service delivery | 18 October |

TREN | Follow-up report on the audit of financial management and financial circuits in DG TREN | 20 March |

TREN | Follow-up report of "Audit of local IT management process" | 7 September |

TREN-IEEA | TREN executive agency | 30 January |

TREN | Follow-up of validation of self-assessment of DG TREN IAC | 20 December |

Structural Measures and Common Agricultural Policy |

AGRI | Local IT systems of DG AGRI feeding into ABAC | 25 May |

AGRI | Interventions in agricultural markets | 23 November |

AGRI | Follow-up report on structural funds - EAGGF GUIDANCE | 22 November |

EMPL | Prevention and detection of fraud in the structural funds | 19 December |

EMPL | Implementation of programmes in the new Member States | 12 December |

FISH | Follow-up audit report on structural fund - financial instrument for fisheries guidance | 20 July |

REGIO | Implementation of programmes in the new Member States | 13 November |

REGIO | Follow-up on the ERDF - audit of the implementation of Article 38 of Council Regulation 1260/1999 | 14 December |

REGIO | Prevention and detection of fraud in the structural funds | 19 December |

External Policies |

AIDCO | Eligibility of costs under the financial and administrative framework agreement with the United Nations by DG AIDCO | 19 June |

AIDCO | Ex-post control activities | 18 July |

AIDCO | Follow-up audit on NGOs funding | 31 July |

AIDCO | Financial Management of Main Programmes in Directorate D | 20 December |

ECHO | Follow-up audit on NGOs funding | 6 June |

ECHO | Monitoring and supervision tools | 23 November |

ECHO, ADMIN | Management letter on security issues in DG ECHO | 29 November |

ELARG | Follow-up audit report on the in-depth audit of DG ELARG | 15 March |

RELEX | Follow-up audit of the audit on handling of classified information and communication among the delegations and DG RELEX | 4 July |

TRADE | Implementation of selected internal control standards | 13 June |

Acceptance of recommendations and views of auditees and stakeholders

In 2007, the rate of acceptance of audit recommendations by auditees was 99%, with 1% rejected.

Commission and executive agency audits |

Recommendations | Accepted | Rejected | % | Total |

Critical | 5 | 1 | 2 | 6 |

Very important | 111 | 0 | 41 | 111 |

Important | 129 | 3 | 49 | 132 |

Desirable | 20 | 0 | 8 | 20 |

% | 99 | 1 | | |

Total | 265 | 4 | | 269 |

Auditees' feedback on the scope and conduct of the audit yielded an average result of 1.86 (previous years: 1.95 for 2006 and 1.82 for 2005) on a scale of 1 (highest) to 4 (lowest). In a new stakeholder survey, 80.5% thought that the IAS had a clear audit strategy (compared with the previous result of 75%), 82.9% that audits were performed with honesty, objectivity and fairness (85.7% in 2006) and 48.8% that the IAS recommendations are useful (previously 60.7%). Overall, however, 80.5% (previously 55.4%) considered that the IAS work contributes to the quality of management and control systems in the Commission.

MAIN FINDINGS AND RECOMMENDATIONS

AAR assurance process

The engagements assessed the effectiveness of the Annual Activity Report (AAR) assurance process, which is a key component of the Commission's governance architecture and represents best practice worldwide. They covered six operational DGs plus four horizontal services. The AAR process is being continuously improved (e.g. peer reviews and revised standing instructions). As a result of the audit the standing instructions issued by the Secretariat General have already been revised along the lines of the IAS proposals: more explicit guidance on how the different components feed the assurance, including an explanation of how the IAC opinion has contributed to the assurance; a precise definition of the control strategy; systematic and mandatory use of key indicators on the functioning of control systems; reconciliation with findings by the European Court of Auditors (ECA) and explanations of delays in the implementation of critical and very important internal audit recommendations. A more extensive peer review is planned, aiming at a more complete and consistent synthesis report. While DGs can report major non-financial deficiencies in their AAR, the IAS drew attention to the limitations of the management declarations of assurance, given that they cover neither non-financial nor systemic responsibilities.

Handling of sensitive/classified data and physical security

The data security risks need more attention. The IAS issued recommendations on a formalised security clearance policy and the need to reinforce database security controls in order to avoid any leaks of sensitive information or access by unauthorised persons. On occasions, internal instructions do not encourage the use of the Commission's classification rules and their enforcement is not always proportionate to the specific security risks. Departments accepted that DG-specific rules for dealing with sensitive information (unauthorised disclosure of which would cause harm to the EU) or other security issues should be coordinated with central security services so as to ensure a coherent approach to security. In terms of physical security this concerns in particular staff who by the nature of their work are exposed to a high risk in the area of external aid. As regards the handling of classified information in delegations, three critical recommendations from an earlier audit were being implemented to enable delegations to exchange classified information electronically and to be fully compliant with security rules.

Monitoring the implementation of EC law

The Commission communication on monitoring EC law,[4] which describes what action the Commission will take to improve the application of Community law, takes into account most of the main recommendations issued by the IAS in its consolidated report of December 2006.

The last of this series of audits concerned environmental legislation. Weaknesses were detected in the pro-active monitoring of EC law. In particular, no assurance could be obtained that all directives are being transposed correctly and on time in all Member States. The most important IAS recommendations have been taken into account in a draft Commission Communication on the implementation of EC environmental law and the DG-specific action plan provided for implementation of all recommendations by December 2007 except for two recommendations, the last of which is to be implemented by December 2009.

Ex-post controls (EPC)

The series of audits of EPC in the research family was completed with an audit in DG INFSO. As a follow-up to the recommendations made, the DGs of the research family decided to implement detailed action plans which are regularly monitored by the APC.

Further EPC audits were carried out in two DGs to assess the compliance, efficiency and effectiveness of EPC, which are instrumental for a positive declaration of assurance. Recommendations to increase the ex-post audit coverage, the integration of EPC into control chains and the increased use of key performance indicators (KPIs) were accepted and are being implemented.

Fraud prevention in Structural Funds

Following audits on the European Social Fund and the European Regional Development Fund, a specific joint fraud prevention strategy for Structural Funds will be set up with the co-operation of OLAF and will subsequently be reviewed on an annual basis. The quality and accuracy of information on fraud cases and the assessment and monitoring of controls exercised by Member States in relation to fraud will also be improved, for instance by setting up a hotline in the Member States. All recommendations were accepted with completion dates up to the end of 2008.

Procurement

As part of the wider audit work on IT procurement and service delivery in the Commission, four DGs were audited for compliance with Commission rules and effectiveness and efficiency. Limited residual risks were identified in three DGs, these relating to an insufficiently precise description of services to be provided, time reporting by external providers, the late start of the procedure to renew contracts and insufficient recording of exceptions.

Following the IAS audit, a new buildings procurement procedure was developed which, among other things, will improve the documentation of the decision-making process, ensure that key information is circulated at an appropriate stage, introduce a risk management system for all building procurement projects and incorporate long-term strategic management with clearly separated, but interacting, policy definition and implementation processes. For procurement contracts other than for buildings the DG concerned decided to develop a module to ensure the effective follow-up of steps in the procurement procedure, to create a register containing all correspondence related to complaints and to produce, for important tenders, a strategy document which will include cost-benefit analyses and will also cover needs.

Controls over payments of pensions

This audit assessed the adequacy and effective application of the internal control system and risk management in relation to the determination and payment of pensions to retired staff. An outdated computer system makes manual controls necessary. While there are sound ex-ante controls in place, targeted, risk-based ex-post controls will be carried out in future, thereby reducing the risks of, for instance, incorrect payments, loss of paper files and incorrect manual adjustments.

Implementation of ABAC

As the introduction phase of ABAC, closely accompanied by European Court of Auditors (ECA) audits, is being completed, the IAS is reducing its audit activity in this area. Following an adverse opinion on the closing of accounts for 2005 in DG EAC, a closing accounts audit of DG EAC and its executive agency for 2006 (in cooperation with the ECA) was carried out and a qualified reasonable assurance was given, although there was a finding of limited reconciliation between local and central accounting systems and incomplete documentation. The implementation of ABAC was also the subject of IAC audits.

Executive agencies

The IAS audited two executive agencies; reasonable assurances regarding the business objectives were given in both cases.

Some of the issues highlighted related to compliance with the Commission Decision on the Security of Information Systems and with the Personal Data Protection Regulations, procedures regarding year-end transactions, harmonisation and simplification of checklists and workflows and a comprehensive approach to ex-post controls.

Other newly created executive agencies (European Research Council Executive Agency and Research Executive Agency) may benefit from the experience gained by existing agencies on how best to implement all the necessary steps in the start-up phase.

FAFA (Financial and Administrative Framework Agreement with the UN)

Following last year's audit on compliance with the FAFA and the capacity to obtain assurance regarding the use made of EU funds, the APC invited the IAS to assess the materiality of the residual risks with regard to indirect costs in particular, and in association with the overall controls on EC/UN funding within the FAFA and the UN financial control system. The additional audit work confirmed that the design of FAFA is appropriate, but also that the control mechanisms still need to be effectively and further implemented. The DGs concerned have accepted all the recommendations and have already undertaken several initiatives to increase the use of FAFA control tools on direct and indirect costs.

Financial and grant management

Financial audits were carried out in the areas of Asian delegations and for environmental programmes.

The audit of the management of the main financial programmes in Asian delegations identified a number of areas for improvement that management intends to implement by the end of 2008: lines of responsibility between Delegations and line DGs to be more clearly defined; headquarters to play a greater support and guidance role for delegations to ensure coherent and efficient operation across delegations; improved project and portfolio monitoring and an enhanced training strategy.

An assessment of the functioning of the process of grant management for environmental projects revealed the need to improve documentation for controls of beneficiaries' actual costs; to refine the ex-post control strategy to cover smaller beneficiaries; to ensure timeliness of approval of technical reports; and to issue specific guidelines for ex-post controls that are subcontracted to external audit firms.

A considerable number of grant or financial management audits were also carried out by IACs.

Follow-up

The timely follow-up of audit recommendations is crucial for the effectiveness of internal audit and for the continuous improvement of internal control. Some progress has been made, leading to a decrease in the total number of outstanding recommendations made before 2006. In the IAS's view more than 80% of the recommendations have been implemented. However, there are still significant delays in the implementation of critical and very important recommendations, revealing weaknesses in DGs' implementation of action plans, particularly in relation to older recommendations. More than 25% of outstanding critical and very important recommendations are overdue by more than six months (although this is a considerable improvement compared to more than 50% a year ago). In an effort to remedy this situation, the IAS proposed that the DGs/Services which did not take steps to implement overdue critical and very important recommendations be reminded of the importance of doing so and also, where appropriate, to give the reasons for delays in the Annual Activity Reports. The APC pays particular attention to the follow-up of recommendations and fostered implementation by deciding that letters will be sent by the APC Chair to the Commissioners concerned, to draw their attention to critical and very important recommendations that are more than six months overdue.

Conclusions

On the basis of the Commission audits and reviews finalised in 2007, and other related work, the Internal Auditor of the Commission drew the following conclusions (the Commission's position is contained in the synthesis report on the annual activity reports of the Directors-General).

IAS conclusion 1: Overall progress made, but more improvements needed

In the course of its audit work, the IAS noted further improvements in the Commission's internal control systems. The number of critical IAS recommendations issued decreased from twelve in 2006 to six in 2007 and the number of audits with adverse IAS opinions dropped from nine in 2006 to six in 2007. However, further improvements are still needed, for instance in the areas of grant management, ex-post controls, procurement and implementation of data protection provisions.

IAS conclusion 2: Information Security

Ensuring that sensitive information held in the Commission (both at Headquarters and in the Delegations) is protected against unauthorised disclosure and access is of paramount importance for the Commission's effectiveness and reputation. All DGs and services concerned should pay particular attention to information security and should coordinate with and seek validation of all their security measures by the corporate security service.

IAS conclusion 3: Policy Directorates-General have front-line responsibility for fraud prevention

The Commission has recently adopted a new approach to fraud proofing. OLAF plays a key role in fraud investigations and contributes to developing methods of fighting fraud on the basis of its experience. However, in the Commission, Directors-General - as Authorising Officers by Delegation - have front-line responsibility for the prevention of fraud in their area of responsibility (in which they will be supported by OLAF) and for the follow-up to OLAF investigations (recoveries etc.).

IAS conclusion 4: AAR assurance process steadily being improved

The ultimate aim of both the AAR assurance process and the synthesis report is to support the political responsibility of the Commissioners to manage the Commission. The foundation of the assurances given will be improved by a better definition of the underlying control strategies, backed by indicators for key controls and by better "reconciliation" of the assurances with the results of the ECA's work.

IAS conclusion 5: Some progress in follow-up, but also some areas lagging behind

Follow-up of audit recommendations has improved recently, but still takes too long in some areas. Also some issues raised in previous annual reports still require continued attention, e.g. a human resources strategy that is fully aligned on the strategic planning process and the development of shared services and improvements in IT governance.

[1] Council Regulation (EC, EURATOM) No 1995/2006 of 13 December 2006 amending Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities, OJ L 390, 30.12.2006, p. 1.

[2] See COM(2007)806 of 17 December 2007.

[3] One report per DG. Although these reports were only finalised in January 2008, the majority of the audit work was carried out in 2007 and the IAS considers their results important enough already to be reported in the 2007 Annual Report.

[4] COM(2007)502 of 5 September 2007