This document is an excerpt from the EUR-Lex website
Document 52006DC0279
Communication from the Commission to the Council and the European Parliament - Annual Report to the Discharge Authority on Internal Audits Carried out in 2005 (Article 86.4 of the Financial Regulation) {SEC(2006) 725}
/* COM/2006/0279 final */
COMMISSION OF THE EUROPEAN COMMUNITIES

Brussels, 7.6.2006
COM(2006) 279 final

COMMUNICATION FROM THE COMMISSION TO THE COUNCIL AND THE EUROPEAN PARLIAMENT

Annual Report to the Discharge Authority on Internal Audits Carried out in 2005 (Article 86.4 of the Financial Regulation) {SEC(2006) 725}

TABLE OF CONTENTS

1. Introduction
2. IAS Working Environment and Work Programme
2.1. Working Environment
2.2. Internal Audit Developments
2.3. Implementation of IAS work programme
2.4. Acceptance of Internal Audit Work
3. Findings
3.1. The External Environment
3.2. Planning, Processes and Systems
3.3. People and the Organisation
3.4. Legality and Regularity
4. Conclusions

1. INTRODUCTION

Internal audit is a professional, objective and independent assurance and consulting service within an organisation. Its objective is to help the organisation to better achieve its objectives, by continually improving the way it operates.

This report informs the Discharge Authority about the work carried out by the Commission's Internal Audit Service (IAS) in 2005, in accordance with Article 86.4 of the Financial Regulation (FR). It is based on the report of the Internal Audit Service (IAS) according to Article 86(3) FR on key audit findings and, in accordance with professional standards, on "significant risk exposures and control issues, corporate governance issues ..."[1].

The present report is based on IAS audit work and consulting activities in 2005. It also draws on the work of the DGs' Internal Audit Capabilities (IACs), via the IAS' twice yearly reports on IAC work. The report does not cover the IAS audit work for the Community Agencies[2].

The Commission's reactions to the findings and conclusions of the Internal Auditor are covered in the synthesis report on Director's-General annual activity reports.
In this synthesis report, adopted at the same time, the Commission takes a position on the cross-cutting issues raised by the Internal Auditor, the European Court of Auditors, the Discharge Authority, or identified by the Audit Progress Committee and by the Director-General for Budget in his overview report. This means that certain views or opinions in the present report are not necessarily fully shared by the Commission. This difference of views reflects the normal process of dialogue between the institution and its internal auditor.

2. IAS WORKING ENVIRONMENT AND WORK PROGRAMME

Internal audit work in the Commission takes place in a rapidly evolving environment; developments in the Commission’s management and control system in 2005 also reflected some of the Internal Auditor's conclusions in its 2004 report.

2.1. Working Environment

Implementing the new accounting system is a major step forward for the Commission, its services and control bodies[3]. The envisaged sign-off of the accounts by the Accounting Officer closes one important accountability gap. He needs clear empowerment to execute this responsibility, in particular to carry out plausibility checks (without putting into question the primary responsibility of Authorising Officers for transactions).

The Commission is setting up the first executive agencies to take over programme implementation tasks. This aims at reducing costs and control risks existing in earlier externalisation approaches, and at increasing specialisation. For the IAS, particular attention should be paid to complex delegation and reporting lines and management difficulties such as administrative obligations, recruitment, training etc. The split budget authorising responsibility renders the role of Internal Audit particularly complex.

Risk Management is set to become firmly embedded into the Commission's planning, reporting and resource allocation cycle[4].
Implementation will need to progress from the DG level, to assessing and managing risks across families of services as foreseen, and, in the view of the IAS, ultimately for the entire Commission. The IAS takes the view that a full involvement of Commissioners to evaluate political risks would allow better overall management of risks and thus improve planning, resource allocation and policy delivery.

The inter-institutional debate on the roadmap towards an integrated internal control framework focuses on the central question of accountability and assurance. For the Commission it is important to protect its political responsibility by assurance(s) coming from its own services and from its partners in implementing the budget, notably the Member States. Internally, the individual assurance declarations from Directors-General already in place proved highly valuable, but questions concerning Commission-wide processes and consistency between DGs need to be further addressed, according to the Internal Auditor.

2.2. Internal Audit Developments

Early 2005 the IAS reviewed its quality assurance arrangements and set up a dedicated quality cell that is systematically reviewing the quality of audit work, from audit engagement planning through to the final audit report. Common standards for reporting, in particular on the rating of audit recommendations, were agreed with the Internal Audit Capabilities (IACs), making findings more readily comparable.

The quality review of the IACs, launched with self-assessments in 2005 will be finalised with a validation of assessments by the IAS in 2006. This exercise, in line with professional standards, not only has the objective of guaranteeing the availability of quality internal audit services for the Directorates-General but also to establish an objective basis to rely on internal audit work done at other levels. In general, the co-operation between IAS and IACs has developed positively throughout 2005 (e.g. joint audits).
Co-ordination of audit plans for the accounting system and joint training efforts illustrate the effective working relationship with the European Court of Auditors (ECA).

2.3. Implementation of IAS work programme

The 2005 work programme of the IAS, based on its strategic plan for 2004–2006, was fine-tuned following 2004 audit work and in extensive consultation of stakeholders (APC, horizontal services, Directors General, IACs and Internal Control Co-ordinators), including an exchange of views with the ECA. It was endorsed by the APC end 2004.

Implementation of the work programme was satisfactory, with a 90% completion rate: 36 audit reports (18 audit and 8 follow-up reports on Commission audits and 10 reports on Agencies audits) were finalised in 2005, the remaining audits in early 2006. Details for the Commission audits are available in annex.

Delays were encountered mainly because of difficulties in the finalisation phase. Consequently, the IAS sees a clear need to reduce the time needed to conclude audits. The IAS itself will even more shorten audit reports and aim at clearer language.

IAS engagements finalised in 2005:

Service | Engagement | Issued

Cross-cutting, Administrative and other Support Systems
OIB | Transactions | Feb 2005
BUDG | Follow-up | July 2005
SG et al. | EU Law Implementation Review | July 2005
BUDG/SG | ABM/SPP Cycle Review | Oct 2005
DIGIT, ADMIN, BUDG, SG, TREN, COMP, ECFIN | ITC consolidated | Nov 2005
DIGIT | Follow-up | Nov 2005

Internal Policies
ESTAT | Follow-up Taskforce | Mar 2005
ECFIN | Local IT control (joint IAS/IAC) | Apr 2005
TREN | Local IT control | May 2005
TREN | Financial Management | July 2005
ESTAT | Financial Management / Follow-up | Oct 2005
RTD | Financial Management | Oct 2005
SANCO | Financial Management | Nov 2005
INFSO | Follow-up | Dec 2005
MARKT | Financial Management | Dec 2005
PRESS | Follow-up | Dec 2005
EAC | Follow-up | Dec 2005

Structural Measures and Common Agricultural Policy
AGRI | Follow-up | March 2005
FISH | In-depth | June 2005
EMPL | Structural Funds (ex-post controls) | Oct 2005
FISH | Structural Funds (ex-post controls) | Nov 2005
AGRI | Structural Funds (ex-post controls) | Dec 2005

External Policies
ELARG | Follow-up | Jan 2005
RELEX | Information & communication | July 2005
AIDCO | NGOs | July 2005
ECHO | NGOs | Oct 2005

Follow-up

The Audit Management Software used by internal auditors in the Commission now includes a follow-up mechanism fed by auditees that allows management, auditors and APC alike to directly monitor the progress in implementation of audit recommendations. The IAS is regularly reviewing timeliness and extent of implementation of recommendations by auditees, in order to be able to appropriately inform the APC and its own risk analysis. In March 2006 the IAS issued its first overview report to the APC on follow-up of IAS recommendations.

While acceptance of recommendations by DGs is very good, the implementation of action plans can show considerable delays, which need particular management attention.
More than half of outstanding critical recommendations and about 17% of outstanding very important recommendations are over 12 months beyond the original target date, according to auditee assessments. This may indicate that there is a general weakness in implementation of action plans[5]. Reasons given by DGs relate to re-organisations, resource problems, difficulties with external service suppliers, lack of mandate and difficulties in co-operating with other DGs. By producing more concise and better focused audit reports, the IAS contributes to facilitating the implementation tasks of auditees.

2.4. Acceptance of Internal Audit Work

In 2005 the rate of acceptance of audit recommendations by auditees was very high with over 97% accepted[6].

recommendations | accepted | rejected | total | %
critical | 12 | 0 | 12 | 4,2
very important | 122 | 2 | 124 | 43,5
important | 129 | 4 | 133 | 46,7
desirable | 16 | 0 | 16 | 5,6
total | 279 | 6 | 285 |
% | 97,9 | 2,1 | 100 |

The IAS regularly asks for the auditee's opinion after finalisation of an audit, including on audit scope and on conduct of the audit. The average result of these surveys reaches 1,82 on a scale from 1 (highest) to 4 (lowest).

A wider consultation in 2005 of stakeholders (DGs, Resource Directors, IACs and APC preparatory group) positively noted a clear audit strategy (79 %), that audits were performed with honesty, objectivity and fairness (93 %) and using appropriate audit techniques (75 %) but also called on the IAS to develop more synergies with IACs, to improve its understanding of auditee activities and communication during the audit and to issue fewer and more focused recommendations; the IAS was not perceived as conveying a clear vision on governance and internal control.

3. FINDINGS

The findings reported below are based on audits carried out by the IAS in 2005, on other internal audit activities undertaken (including IAS reports on IAC work) and on the professional judgement of the auditor. These findings are selective as they reflect the chosen focus for the year, according to the risk based audit plan 2004–2006, and avoiding overlap with the work of the ECA in a "single audit" perspective.

Key areas of IAS Commission audits in 2005 were:

- financial management in internal policies;
- management of the structural funds;
- local IT management, building on earlier IT audit work;
- security of information;
- control of funds awarded to non-governmental organisations (NGOs);
- key components of the SPP cycle, to be continued in 2006; and
- Commission monitoring of compliance with EU law, basis for extended audit work 2006.

The overview of findings is organised according to the risk typology adopted by the Commission in October 2005[7]. As there are close inter-relations between risk areas, audit findings frequently touch on more than only one risk type.

3.1. The External Environment

The Commission has a major delegation risk for policies in shared management: the Treaty gives it full responsibility for implementing the budget[8] but more than three quarters of the budget are in fact allocated to final beneficiaries by Member States bodies. To be able to assume this responsibility, i.e. to be able to give reasonable assurance, the Commission needs to obtain reasonable assurance for the funds in shared management, on the regularity and legality of transactions managed by Member States.
Obtain reasonable assurance

Preparing for the structural funds[9] programming period 2007-2013, it is essential, in the opinion of the IAS, that the services involved intensify their efforts and build on good practices to obtain sufficient evidence underpinning their annual assurance declaration:

- Welcoming the common audit strategy agreed in 2005 by the structural funds DGs as a good starting point, the IAS recommended developing a strategy for gaining more assurance on sound financial management from audit and evaluation work and that audit work should lead to clear and precise opinions to be used to support the DG assurance. Services should strengthen the quality of the underlying audit process and harmonise and better define internal reporting and assurance requirements (audit coverage, error rates, systemic findings).
- Introducing more "single audit" elements, i.e. reliance on the work of other controllers and systematic use of management reporting from Member State bodies, subject to appropriate review, permits more effective use of control resources, reduces the risk of double controls and allows for a more complete overview over the chain of controls. This requires increased efforts to align audit strategies, planning and risk assessment with Member States bodies and setting up a methodology for reviewing their audit work. For the IAS, convincing Member States to conclude "contracts of confidence" would provide additional comfort[10]. The IAS recommends that the Commission communicate more pro-actively with Member States and in particular promote good practices identified at all levels of the control chain.
- Taking up earlier concerns regarding the late availability of audit information for the 2000-2006 period, the IAS recommends a more pro-active and preventive approach for the coming period. Major weaknesses identified in the current period should be addressed when establishing the control systems for the new programmes.
Adequate disclosure of assurance

The Internal Auditor considers that the degree and scope (limitations) of assurance provided should be adequately disclosed by DGs in the annual activity reports (AAR). The AAR should make clear the cumulative amounts covered by the audits and the amounts at risk, together with the criteria used to determine the level of assurance obtained.

3.2. Planning, Processes and Systems

The 2005 IAS work programme had a strong focus on auditing financial management and on security and IT systems. Important further areas were planning and programming and the monitoring of EU law implementation. The Internal Auditor considers that, despite significant improvements, the Commission remains exposed to risks in these areas, limiting the effectiveness of operations and the assurance available for transactions. The quality and scope of supervision and control activities need to be improved.

Supervision and effectiveness of controls

Assurance building in the area of shared management is complex and audits of financial management show that supervision remains a problem area also within some DGs and across DGs. IAS and IAC audits noted weaknesses in adhering to Internal Control Standards (ICS) and the Financial Regulation. This concerns the design and setup of control systems: insufficient ex-ante evaluations, risk analyses and separation of functions, including of auditors and management. It also concerns the accuracy and completeness of transaction controls, of project and control data, of documentation of procedures. The Internal Auditor considers that providing assurance on the legality and regularity of transactions is exposed to considerable risks in such circumstances.

IAS and IACs made detailed recommendations to services in areas such as payment flows, procurement, grant and contract management and recoveries, but also in security and IT issues.
Follow-up audits noted positive developments in areas previously audited, but also point to important delays with the related operational, financial and reputational risks. As to Eurostat, the follow-up audits concluded that, after considerable work, the risk level was now comparable to that of other services. One outstanding point raised in this context concerns bank accounts held in the name of the Commission but not opened by the Accounting Officer, which in the meantime has been addressed by DG Budget.

A specific area audited by the IAS in 2005 was the control of funds granted to NGOs in development and humanitarian aid. The management systems concerned are complex and vary between programmes and managing services. Irregularities involving NGOs led to increased attention and to a number of investigations, including on procurement practices. The IAS noted a number of good practices, such as efforts at more regular and more focused communication with the NGO community and at simplifying application procedures, in particular in the context of calls for proposals.

Recommendations made concern the need to build up Commission-wide knowledge on NGOs, including a common NGO typology, exchange of best practices and of risk analyses, and strengthened co-operation with Member States and other donors. Recommendations also cover increased monitoring and ongoing assessment of NGOs, more attention to NGO compliance with procurement rules and strengthening the capacity building of partners to improve the quality of projects. Broad acceptance by auditees resulted in EuropeAid's intention to partly revise the approach in managing the relations with NGOs.
Planning - co-ordination and coherence

The Reform process since 2000 has put emphasis on the responsibility and managerial independence of the Commission DGs; nevertheless, the Commission remains a single body under a single political authority and co-ordination and coherence are key success factors for the Commission as it strives to meet its policy objectives.

Findings of a review of horizontal aspects of the strategic planning and programming cycle (SPP) suggest a need for more comprehensive translation of political priorities and legal commitments into co-ordinated planning and resource allocation processes. Audits of operational processes (such as monitoring law implementation, IT) confirm that there is insufficient co-ordination and strategic planning.

The SG, together with other horizontal services and the networks involved, is already engaged in reviewing the effectiveness of the SPP cycle. The IAS will further perform a series of audits in operational DGs throughout 2006. They also have some bearing on an issue repeatedly addressed in past annual audit reports: the need of better balancing central and local responsibilities and for stronger horizontal functions in the Commission to ensure coherence and adequate oversight (internal control, risk management, accounting, HR, IT).

IT controls and governance

An efficient IT environment is essential for the Commission given its importance in providing policy and operations support; the human, financial and physical resources involved are considerable, as are possible external dependencies.

The IAS recommends clarifying further the roles and responsibilities of horizontal and operational services in the IT area, for example for security, business continuity, planning, development and management of IT information systems. It sees a clear need for central reporting on the state of IT controls and risks and for a greater role of horizontal services in strategic orientations and methodological support.
According to the IAS, IT aspects should be fully reflected in the ICS and in risk management (e.g. disaster recovery plans) at DG and at Commission level.

Concerning IT infrastructure, while recognizing important recent improvements in IT governance, the IAS recommends exploiting the potential for economies of scale; this may involve further re-defining roles of central and local IT. In order to ensure optimal use of administrative and operational appropriations, the IAS recommends that resource allocation should follow the evolution of IT architecture. This could include billing for central IT services. A working group (BUDG/DIGIT) on the financing of central IT is in preparation.

3.3. People and the Organisation

The IAS sees a need for more and more focused training. Clarification of security rules and practice and greater attention to business continuity arrangements is essential for the Commission to prevent and / or contain possible systems or operations exposures.

Training and awareness

The Commission’s ICS attach particular importance to the control environment. Well developed and monitored, it translates into empowerment and a capacity for pro-activeness, permitting staff to develop flexible solutions and working practices adapted to the political and management environment, while ensuring there is the necessary control.

Audits recommended the need to communicate better and to make necessary information more easily available within DGs, by using databases, regular exchange channels and frequent updates. Training is key for responding effectively to frequent changes and new and often complex rules call for even more training efforts. Audits in almost all areas recommended increased and more focused training, principally in financial procedures, procurement and audit.
Security and business continuity

A number of IAS and IAC audits noted insufficient respect of Commission rules on security of offices, documentation and of IT installations or an inadequate treatment of access to sensitive information and of supervision of access to files. Co-ordination of security aspects can be difficult because of complex procedures, involving a high number of actors and possibly several services.

The IAS recommends improving security assessments and a better link with risk assessments in order to be able to develop coherent security strategies. Attributing clear responsibilities in departments for security aspects, and improving internal expert advice and awareness-raising should simplify and increase the security environment.

Questions of business continuity and contingency planning play an important, but still underestimated role, in that context. The IAS notes that the Commission is reinforcing its crisis management and co-ordination capacity (ex. Argus) and the SG's initiative on Business Continuity Planning.

3.4. Legality and Regularity

Compliance with internal and external rules is a key issue to limit the exposure to financial, legal and reputational risks. Instances of non-compliance call for a swift management response, including better training and planning; simplifying the regulatory environment, to the extent possible, reduces the administrative burden and facilitates compliance.

Respect of rules

IAS and IAC audits identified shortcomings in various areas (operations, procurement, security) regarding financial, operational or contractual rules. Reasons may be insufficient internal communication and documentation of procedures, lack of training or lack of resources in certain areas or during certain periods of the programme cycle. Staff may be confronted with too many and too complicated rules.
According to the IAS, the potential impact can be considerable: financial through a possible loss of funds or mis-management; political if the objectives set are not or only insufficiently achieved; legal if challenged in courts; reputational through damage to the Commission's image in the public, especially in the eyes of its partners.

Besides increased and improved training, the IAS recommends a review of staff allocation and planning (implying an extended use of risk analysis) and simplification and streamlining of rules and legislation.

Clarity and consistency - simplification

A parallel issue is consistency in applying rules; consistent application of rules both within a DG and across DGs. Although there is a legitimate demand for flexibility, from administrative and beneficiary perspective, this should not put at risk the necessary operational stability and guarantee of equal treatment.

The insufficient documentation of procedures observed in a number of IAS and IAC audits is closely linked to these questions. Better documenting procedures and making documentation more easily available should not be a bureaucratic burden but a useful tool in analysing procedures (and re-designing or re-engineering, where necessary), for managing risks and facilitating mobility.

While audits identify a need in the Commission to better respect and to apply more coherently existing rules, simplification remains an important and parallel challenge. For 2006 the IAS will pay particular attention to simplification, as a specific audit objective in all relevant engagements.

4. CONCLUSIONS

On the basis of its 2005 work, the Internal Auditor draws attention to four overall conclusions. The Commission's reactions to the findings and conclusions of the Internal Auditor are covered in the synthesis report on Director's-General annual activity reports.

Conclusion 1

IAS conclusion: Audit work in 2005 shows that the Commission services have made considerable progress in internal control.
However, these audits also identified major remaining weaknesses in the design and set up of control systems, and in the effective implementation of standards and controls. Examples include the proper set up of financial circuits, segregation of functions, risk analysis, supervision and the respect of control and documentation requirements in contract and grant management, information security and business continuity and IT management and planning. Services should continue their efforts to move from formal compliance with procedures to making effective use of new tools and controls, which will lead to reduced (administrative) cost and increased management efficiency.

Commission reply: The Commission will develop indicators for control objectives, covering in particular the way internal control systems tackle the risk associated with the legality and regularity of operations. Reporting on internal control effectiveness will be further strengthened in annual activity reports where necessary. The Commission also invites the European Parliament and the Council to support efforts to adapt the legal framework to ensure effective application of the principles of proportionality and cost-effectiveness of controls.

Conclusion 2

IAS conclusion: Directors-General should ensure that control processes effectively underpin the reasonable assurance given in the AARs. This process and the scope and level of assurance available should be adequately disclosed in the AAR. This could include:

- improving and harmonizing control/audit methodologies for "families" of DGs;
- integrating different levels of assurance (e.g. Member States, Commission) into a coherent framework and have integrated reporting with clear indicators for the level of assurance.
Commission reply: The Commission will ensure that its delegated authorising officers will continue their efforts to guarantee that reasonable assurance in the declarations accompanying the annual reports is effectively underpinned by appropriate internal control systems. Regarding shared management, the Commission will continue to work towards reinforcing assurance from the national authorities managing EU funds. The Commission is committed to establishing an integrated internal control framework.

Conclusion 3

IAS conclusion: Under the leadership of the Secretary General, Directors-General should explore the potential for using "shared services" with the objective to increase management efficiency and effectiveness as well as using resources more economically. This could include:

- reviewing the distribution of certain tasks and use of resources at horizontal and operational level;
- testing, and if successful, introducing Commission wide instruments such as service level agreements and / or funding arrangements between operational and horizontal services.

Potential examples include: IT, communication and financial / HR management for small services.

Commission reply: The Commission recognises the potential added value of inter-service arrangements for small departments, provided such arrangements are based on a cost-benefit analysis and made in accordance with the applicable rules, while preserving the responsibility of each delegated authorising officer.

Conclusion 4

IAS conclusion: Commission services should develop an effective "culture of follow-up". Follow-up actions to control and audit reports should be fully integrated into normal management planning and practice, and timely implementation should be monitored regularly at senior management level. Regular and full attention to management and control weaknesses brings about a learning organisation that can over time considerably reduce burdensome and potentially disruptive control activities.
Commission reply: The Commission will ensure that its Directorates-General draw up precise action plans, taking into account priorities assigned and resource constraints, and on this basis follow up audit recommendations in good time.

[1] Performance Standard 2060 of the Institute of Internal Auditors (www.theIIA.org).
[2] Article 185(3) FR.
[3] Comprehensive IAS audit work on ABAC is planned for 2006.
[4] SEC(2005) 1327.
[5] Internal Control Standard 21, follow-up of audit recommendations.
[6] Commission audits only, listed above.
[7] SEC(2005) 1327.
[8] Article 274 EC Treaty.
[9] As from 1 January 2007, the EAGGF-Guidance will be replaced by the European Fund for Rural Development (EFRD). The rules regarding the financial management and the controls of this fund will be aligned as far as possible with the rules governing the EAGGF-Guarantee (Council Regulations (EC) No 1290/2005 and (EC) No 1698/2005).
[10] In line with the Roadmap Action Plan - COM(2006) 9.