
This document is an excerpt from the EUR-Lex website.

Document 52011DC0643

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Annual Report to the Discharge Authority on internal audits carried out in 2010 (Article 86(4) of the Financial Regulation)

/* COM/2011/0643 final */



TABLE OF CONTENTS

1. Introduction

2. The IAS Mission: Independence, objectivity and accountability

3. Working environment and audit plan

3.1. The internal audit process

3.2. Implementation of the IAS coordinated audit plan

3.3. Level of acceptance and follow-up of IAS recommendations

3.4. Perception of IAS work

3.5. Consultation with the Financial Irregularities Panel (FIP) of the Commission

4. Main IAS findings and recommendations

4.1. Governance

4.2. IT issues

4.3. Control strategies

4.4. Audit on Compliance with Payment Deadlines (DGs BUDG, ECHO, MOVE, ENER, AIDCO)

5. Conclusions

5.1. Control procedures

5.2. Fraud

Introduction

This report informs the Discharge Authority about the work carried out by the Commission's Internal Audit Service (IAS), in accordance with Article 86(4) of the Financial Regulation (FR). It is based on the report drawn up by the IAS under Article 86(3) of the FR, on key audit findings and on significant risk exposures, control and corporate governance issues.

It is based on IAS audit and consulting reports completed in 2010[1] relating to Commission departments and executive agencies. It does not cover the results of audit work in other agencies or bodies audited by the IAS, for which separate annual reports are drawn up.

The Commission has already reacted to some recommendations of the Internal Auditor in the synthesis report[2], in which it takes a position on the cross-cutting issues raised by the IAS, the European Court of Auditors (ECA) and the Discharge Authority, and on those identified by the Audit Progress Committee (APC).

The IAS Mission: Independence, objectivity and accountability

The IAS mission is to contribute to sound management in the European Commission by auditing internal management and control systems in order to assess their effectiveness with a view to accomplishing continuous improvement.

The IAS is under the authority of the Member of the Commission responsible for Audit and is accountable to the APC. The independence of the IAS is enshrined in its Mission Charter adopted by the Commission.

The IAS performs its work in accordance with the Financial Regulation and the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics of the Institute of Internal Auditors.

Working environment and audit plan

The internal audit process

The IAS cooperated with the ECA and with the Internal Audit Capabilities (IACs) in the coordination of audit planning, regular provision of audit reports, exchange of methodology and shared training.

For the first time, the IAS delivered to the Commission an overall opinion, focused on financial management and based on internal audits carried out by the IAS and by the IACs during the period 2008-2010.

Implementation of the IAS coordinated audit plan

The Strategic Audit Plan for 2008-2010 was regularly updated to take account of specific needs (the first overall opinion, the results of management’s annual risk assessment and other changes in the external and internal environments).

In 2010, the IAS completed 88 % (87% in 2009) of its work programme, representing 100 % of C1 engagements[3] (100% in 2009) and 68 % of C2 engagements[4] (66% in 2009). 85 reports were issued (30 audits, 49 follow-ups, 1 consultancy, 4 management letters and 1 report on the overall opinion).

Level of acceptance and follow-up of IAS recommendations

In 2010 the acceptance rate of critical and very important audit recommendations by the auditees was 100 % (98,8% in 2009).

For the period 2006 – 2010, 86 % of all recommendations had been implemented by the end of 2010.

The IAS concluded that 33% of the recommendations issued in 2010 have already been implemented. Any critical or very important recommendation which is significantly overdue is followed up by the APC.

Perception of the IAS's work

The overall result of the 2010 survey is positive, with 92.7% (90% in 2009) of respondents confident that the IAS’s work contributes to the quality of management and control systems and 94.5% (90% in 2009) agreeing that the IAS’s work is performed with honesty, objectivity and fairness. 86.2% of respondents were satisfied with the quality of the IAS reports (76.3% in 2009, 61.5% in 2008 and 48.8% in 2007).

Consultation with the Financial Irregularities Panel (FIP) of the Commission

No systemic problems were indicated in 2010 by the Financial Irregularities Panel (FIP) under Article 66(4) of the Financial Regulation.

Main IAS findings and recommendations

Governance

The IAS identified lessons to be learned from the division and restructuring of three major Directorates-General, as well as possible synergies and governance advice that might be considered for future reorganisations. The IAS performed a number of audits of the governance structure within the Commission, on fraud prevention and detection, and in the executive agencies.

- Fraud

To build on its anti-fraud-related audit work carried out since 2007, the IAS conducted two audits (OLAF and JLS) and a follow-up on fraud detection and prevention. Fraud prevention and detection were also part of the scope of four other audits.

The IAS issued an unsatisfactory opinion, on grounds of the lack of an updated anti-fraud strategy for the Commission. According to the IAS, the strategy should include developments in IT tools to help prevent and detect fraud, should stimulate cooperation between OLAF and its stakeholders, and foresee awareness-raising and training.

The Commission adopted a Communication on the ‘Commission Anti-Fraud Strategy’[5], in line with the recommendations of the IAS, aiming at improving the Commission services' anti-fraud strategies, at reinforcing the EU policies and contributing to increased protection of the EU financial interests. The Commission believes that the measures proposed in the action plan will resolve the potential weaknesses identified and improve the efficiency and effectiveness of the management and control systems.

On governance, the IAS also recommended that both DG JUST and DG HOME should improve their risk-assessment process by giving due consideration to the risks of fraud and, on this basis, develop and formalise an anti-fraud strategy.

On fraud prevention, the IAS recommended DG HOME to ensure that the regulatory framework of the Solidarity Funds complies with the Financial Regulation and Central Exclusion Database provisions. On fraud detection, the IAS recommended DG HOME to design, organise and put in place procedures and systems for recording, monitoring and following up irregularities reported by Member States.

Awareness raising actions have already been taken with the SOLID[6] committee. During 2011, specific anti-fraud strategies will be developed by the two Directorates-General with the support of OLAF. The provisions of the Commission regulation on the Central Exclusion Database will be taken into consideration in the specific legislation supporting the next multi-annual financial framework (post-2013).

- Splitting of DGs

The IAS examined the splitting of DG TREN, ENV and JLS, which took place in 2010 and resulted in the creation of Shared Resource Directorates and Shared Internal Audit Capabilities. The organisational changes were made as part of the Commission’s commitment to meet all staffing requirements up to 2013 under constant resources and to reduce the share of administrative support.

A Management Letter[7] addresses a number of issues for consideration, including strengthened and structured monitoring of the process of reorganisation, and makes several suggestions for prior guidance, provision of expertise and better preparation by the central services.

The Commission took note of the issues raised in the management letter but considers it is too early to draw definitive conclusions on the benefits/drawbacks of shared directorates. It will take stock later on when the services concerned have gained more experience with the new organisational structure.

- Executive Agencies

An Overview Report on the executive agencies looked at systemic issues identified in audit engagements performed between 2006 and 2009. The IAS expressed a “satisfactory except for” opinion and recommended to update their resource strategies, to clarify certain aspects of the roles and responsibilities of the agencies and their parent DG(s), and to adapt the security policy regarding the use of Commission software. Remedial actions, mainly in the form of guidelines, are recommended to the Central Services to prevent systemic issues from recurring.

As foreseen in the report of the Task Force on IT, the ABM + IT Steering Group will address the issue of IT governance, architecture and systems development in the executive agencies. The Commission considers that some of the changes required in guidance (e.g. roles and responsibilities, configuration of assets accounting) can only be operated after the adoption of the triennial revision of the financial regulation. The Commission is currently preparing new security rules and will take this opportunity to ensure that executive agencies seeking access to the Commission's IT systems comply with the Commission's IT security policy, implementing provisions, standards and guidelines.

Concerning the Research Executive Agency (REA) and the European Research Council Executive Agency (ERCEA), the IAS concluded that their internal controls provide "reasonable assurance" regarding the design and set up of the overall control environment and the grant management processes for managing the delegated programmes. However, the IAS highlighted some very important issues to address, namely, the need for agencies' own anti-fraud strategies, improvements in audit strategies and procedures, risk management, assurance building processes and the project selection process.

Improvements have already been made at the level of the audit plan (planning process, risk assessment, audit universe and scope) and its implementation within the general audit strategy for the seventh Framework Programme (guidance, monitoring and follow-up). Following the adoption of the Commission's Anti-Fraud Strategy, both agencies will develop their own fraud prevention strategies in cooperation with their parent DG and with the support of OLAF. The action plans are expected to be fully implemented during 2011.

IT issues

- Management Letters

A Management Letter on the Commission's IT Security Policy summarised the main issues surrounding the implementation of the Commission's IT security governance and the related policies as identified in the IT audit engagements performed by the IAS over the last four years.

The IAS suggested that an appropriate body be made responsible for overseeing the Commission’s security strategy, ensuring it is aligned with corporate objectives and monitoring its implementation. It also suggested that a high-level committee be set up to oversee implementation of security policies and recommendations from the Security Directorate (DG HR.DS). Such a committee could also play the role of an escalation body competent to resolve disagreements within project steering committees. Other issues for consideration set out in the Management Letter were the clarification of roles and responsibilities of the key actors, the participation of DG HR.DS in the security aspects of the development of corporate or large IT systems and the strengthening of the position of the Local Informatics Security Officer at DG level.

The IAS also issued a Management Letter on the set-up of IT projects in the Commission aiming at identifying the root causes of the most frequently encountered problems.

The IAS considers that corporate IT experts should be more involved at the inception of information system development projects and that some DGs should systematically communicate their IT master plan and project definitions to the corporate level. The IAS also considers that IT projects should comply with a set of minimum requirements on methodology and enterprise architecture aspects.

The Commission believes that the new IT governance structure responds to needs flagged in the two management letters. In line with the roadmap contained in the IT Task Force's report, it will also lead to an overall reduction of the IT systems in the Commission.

IT Security policy falls within the remit of the High Level Committee on IT, whereas operational IT security matters fall under the remit of the Commission's Security Board. The Commission considers that there is no need for any additional structure dedicated solely to IT security matters.

With respect to IT project management, an Information System Project Management Board was set up under the new IT governance provision of the Commission's communication "Getting the Best from IT in the Commission"[8]. Part of its mandate is to ensure that projects are aligned with standard methodologies, end redundancies and ensure synergies between projects that pass muster.

The High Level Committee on IT is steering the rationalisation work and has already identified eight business domains in which simplification exercises are being conducted. For each business domain, recommendations were made on IT systems that could be discontinued or whose functions should be taken over by a common/corporate IT tool.

The Commission considers that the changes operated in IT governance have addressed the IAS's observations and represent a major improvement in the way IT Strategy is formulated and implemented.

- Audit on Local IT in DG EAC

On IT project management the audit recommended that DG EAC should introduce a formal IT project risk assessment framework and a more specific Project Risk Register for every major IT project to be implemented. The IAS also concluded that DG EAC should complete the Vision document for LLPLink[9].

The formal IT project risk management, the Project Risk Register and the Vision document have been finalised during 2010.

On Information Security, the IAS found potential security problems regarding one information system. A new password policy has been implemented improving the authentication mechanisms, and the complete action plan addressing all the comments is expected to be fully implemented during 2011.

- Audit on Business Continuity Management (BCM) in DG DIGIT

This audit assignment is part of the assessment of BCM in the Commission, which started in 2009. The IAS issued recommendations designed to improve business continuity programme management, including full integration of the incident management procedures in the business continuity framework and testing under crisis simulation conditions. A steering function for supervising the implementation of BCM in DG DIGIT was also recommended as well as improvements in overall planning and coordination activities, including identification and coordination of (inter)dependencies.

The IAS will issue an audit opinion after a follow-up engagement, once the recommendations made in this report are implemented.

Control strategies

- Structural Funds – DG REGIO and DG EMPL

The IAS carried out two control strategy audits in DG REGIO and DG EMPL. The Member States (MS) have primary responsibility for implementing effective internal control systems and the Commission exercises a supervisory role over national systems and assumes final responsibility for budget implementation.

The audit identified various strengths in both DGs (which now have mature audit services), but there are still some gaps in strategic planning processes, in particular in the balance between on-the-spot controls and desk reviews. The IAS recommended extending audit plans beyond one year to match the audit strategy, strengthening the risk assessment process, better coordinating activities in common areas, better linking audit coverage to planned assurances, and developing a more comprehensive quality assurance. These provisions should provide a clear statement of the auditing standards to be complied with, plus periodic internal and external quality assessments.

Both DGs have submitted action plans that were considered satisfactory, and have started implementing a quality assurance programme in collaboration with the audit departments of the other Structural Funds DGs (including a full set of key performance indicators and the international audit standards to be followed).

The audit strategy for Structural Funds is now based on regular co-ordination and monitoring of the audit strategy through structural funds' coordination meetings (audit approach, planning, risk assessment, methodologies and modalities of the audit of the representative sample) and on multi-annual audit plans allowing for a better re-allocation of resources. A new risk assessment model has been implemented, including a consolidation of past audit results and specific criteria related to fraud prevention and detection. All actions included in the action plans are expected to be implemented during 2011.

- Audit strategy – DG EAC

DG EAC's audit strategy for the centralised indirect management mode was assessed by the audit on Supervision and Monitoring of National Agencies Managing the Lifelong Learning Programme, including the supervision of primary and secondary controls by National Agencies (NAs) and National Authorities (NAUs) respectively. While significant efforts were being made by DG EAC, further improvements are needed in clearing past years’ pre-financing and in the DG's supervisory mechanisms in order to benefit from the effective contribution from various control layers.

As from 2011, DG EAC further develops its annual supervisory audit programme on a properly documented risk analysis of the quality and effectiveness of NAU's secondary controls and NA's primary controls. It will be updated on the basis of the analysis of the NAU's annual and multi-annual audit plan in order to ensure that the control strategy (single audit) is working as intended. Moreover, DG EAC will develop a list of indicators related to the secondary controls to substantiate the effectiveness of the assurance provided by the NAUs. All recommendations are expected to be fully implemented during 2011.

- Development Aid – DG AIDCO and DG ELARG

The audit to assess the adequacy and effectiveness of DG AIDCO’s control strategy for the Thematic Budget Lines (centralised management mode) highlighted the need to obtain adequate information from the Heads of Delegation in order to substantiate the assurance provided annually by the Authorising Officer by Delegation (AOD).

The IAS recommended analysing the sub-delegation and reporting chain for this instrument, plus defining and implementing more relevant controls with result indicators, assessing staffing levels and reducing errors in the evaluations of local calls for proposals.

The procedures for managing programmes under the partial decentralised management mode were assessed by an audit on the financial management of Programme Estimates (PE) funded by the European Development Fund and the EU budget. The IAS recommended that DG AIDCO should enhance guidance, promote use of standard checklists and strengthen supervision to ensure that the control layers provide the AOD with sufficient assurance.

Following the creation of the European External Action Service and the merging of DGs AIDCO and DEV, the sub-delegation and reporting chains were reviewed and adapted. New reporting requirements and indicators have been put in place in order to substantiate and quantify the effect and cost-effectiveness of controls better and allow stronger assurance to be drawn from reports. DG DEVCO introduced new indicators aiming at better assessing the adequacy of Human Resources. DG DEVCO is also improving the management and application processes for local calls for proposals (simplification, standard grant application) and expects full implementation of its action plan by the end of the current year.

In DG ELARG, the audit on IPA Procurement examined the controls in the centralised and decentralised management modes. The IAS recommended that the checklists should be based on a set of minimum control requirements to be complemented and/or adapted by each Authorising Officer by Sub-delegation (AOSD) to address specific risks.

In the audit on the Instrument for Pre Accession Grants (centralised and joint management modes), the IAS recommended developing practical ex-ante assessment procedures, and ensuring consistent encoding and reporting of data in management tools. Management supervision of Calls for Proposals should be strengthened and the current process optimised by enhancing evaluation procedures, improving IT tools and using multi-annual calls for expression of interest.

DG ELARG set up harmonised checklists to support the ex-ante verification of the procurement procedures and reinforced its supervision of calls for proposals for grants by means of better-targeted reporting and tighter consistency of the data encoded.

- Joint Sickness Insurance Scheme (JSIS) – PMO

The audit focused on the internal organisation and internal control environment of the PMO’s management of the JSIS and on its control strategy. The IAS issued an unsatisfactory audit opinion.

In the IAS’s view, the Central Office of the JSIS should play a stronger and more pro-active coordinating role in providing support to the Settlement Offices in other institutions and geographical locations and should develop an overall ex-ante and ex-post control strategy and ensure consistent application and documentation of the controls. Other recommendations were aimed at developing a fraud prevention and detection strategy.

A new organisational chart has been adopted by the Commission and the Council “antenna” of the JSIS has been absorbed. Regular meetings are now taking place between the several remote bodies and the Central Office. A control strategy has been designed, defining control processes, reporting layers and a control plan. Other actions have been implemented immediately in order to resolve some critical weaknesses identified in the audit (regular monitoring and reporting of financial deficits and reserves, medical confidentiality statements signed by staff, etc.). All critical audit recommendations will be implemented by the end of 2011.

Audit on Compliance with Payment Deadlines (DGs BUDG, ECHO, MOVE, ENER, AIDCO)

The audit engagement covered the processing of payment transactions under centralised management, the monitoring and reporting activities in both operational and horizontal DGs, and the use of central and local IT systems. The IAS considered that the internal control system in place in the Commission to comply with payment deadlines provides reasonable assurance regarding the achievement of the business objectives except for a number of very important issues.

The operational DGs audited (except DG ECHO) did not systematically monitor compliance with payment deadlines and the reports addressed to management did not always include all the information necessary to oversee compliance with payment deadlines.

The IAS recommended stepping up monitoring at central and local levels and implementing effective management reporting systems. The audit also identified shortcomings in the guidelines and instructions/procedure, as well as areas for improvement in payment processing, in particular with reference to the quality of data entry, suspensions and the timely registration of invoices.

The Commission has improved in this area in recent years (as recognised by the results of the regular investigative work of the European Ombudsman), due to improvements in the ABAC system in the validation of local IT systems, improved guidelines and regular monitoring.

A review of the existing standard reports permitting operational DGs to monitor payment transactions and compliance with payment deadlines is carried out. A working group has been set up to examine existing guidance and propose improvements. Services are reminded of the need for accurate transfer of data on late payments to ABAC. Adaptation of ABAC functionalities supporting suspension of payments will be considered after adoption of the triennial revision of the financial regulations. The action plans will be fully implemented by the end of 2012.

Conclusions

The work of the IAS contributes to a culture of efficiency and effectiveness. Its audit work helps the Commission to identify synergies as well as risks, and consequently strengthens the Commission's management.

The Commission notes the positive co-operation between the IAS and the audited DGs and with their Internal Audit Capabilities. Implementation of the action plans drawn up this year and in previous years in response to audit recommendations contributes to steady improvement of the Commission's internal control framework.

Control procedures

The IAS highlighted the need for better information from the Heads of Delegation in DG AIDCO's assurance process, and a need for DG EAC to avoid unnecessary overlaps of controls conducted by its services and by National Agencies. DG ELARG should complement its initiative requiring Heads of Delegation to submit an Annual Assurance Strategy by developing checklists applicable to all delegations. The IAS recommended to DG REGIO and DG EMPL improvements deemed necessary in order to obtain adequate assurance for multi-annual programmes. At the level of control strategies the Commission has adopted an important number of measures to allow its services to set up adequate audit and control systems. Action plans have been drawn up and implemented in the domains where the risks are highest, allowing for better planning and monitoring of control activities, eliminating administrative burdens and overlaps and improving the effectiveness of the Commission's internal control systems.

Controls for checking compliance with legal time limits for payment were less effective in some DGs where the shorter time limits requested by the Commission were not always applied. Management needs to improve its monitoring over the proper implementation of control procedures for the processing of payments. The Commission has taken several measures to improve both payment performance and associated control mechanisms, namely at the levels of the IT system (ABAC), of the validation of local IT systems and of the guidelines and by means of regular and more effective monitoring.

The IAS’s work has raised issues for consideration with the aim of improving the efficiency and effectiveness of IT start-up projects in order to further enable the Commission to achieve its goals in a cost-effective, efficient and secure manner. Following the recommendations of the Task Force on IT, the Commission has reformed its IT governance: the ABM + IT Steering Committee was set up in 2010 followed by the Information Systems Project Management Board and High Level Committee on IT in 2011, which represent a major improvement in the way IT strategy is designed and implemented.

The IAS’s audit work on recently split-up DGs has identified lessons which should be learned ahead of any future divisions of DGs in order to soften the impact of change on DGs, central and horizontal services and staff. The Commission considers it is too early to draw definitive conclusions on the benefits/drawbacks of shared directorates and it will take stock, later on, when the services concerned have gained more experience with the new organisational structure.

Fraud

In this area, the IAS’s efforts have highlighted, in particular, the lack of clarity in organisational accountability for fraud prevention and detection and the need for an updated anti-fraud strategy at Commission level.

A new anti-fraud strategy, prepared by OLAF in cooperation with the central services and operational DGs, has been adopted by the Commission and fully addresses the issues raised by the IAS.

[1] Some reports finalised at the beginning of 2010 had been included in the 2009 report and are therefore not included again in the 2010 report. Likewise, some reports drafted in 2010, but finalised by 1 February 2011 are included in the 2010 report.

[2] COM(2011)0323, of 01 June 2011

[3] C1 engagements are those due to be completed within the year.

[4] C2 engagements are those that may be carried over to the following year, in particular when the implementation of action plans is insufficient to justify a follow-up audit, or when the subject of an audit experiences delays.

[5] COM(2011)0376 of 24 June 2011

[6] SOLID funds are EU funds managed under the "Solidarity and Management of the Migration Flows" framework programme.

[7] Management letters provide management with advice, usually derived from the findings of a series of audits or from a consultancy engagement, and do not lead to a formal follow up by auditors. They differ from reports on audit engagements (assurance work), in which auditors express an opinion and request an action plan to implement agreed recommendations, which will be the subject of a formal follow up procedure.

[8] SEC(2010)1182 of 07.10.2010.

[9] LLPLink is one of the main information systems.
