This document is an excerpt from the EUR-Lex website

Document 52010DC0447

    REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Annual Report to the Discharge Authority on internal audits carried out in 2009 (Article 86(4) of the Financial Regulation)

    /* COM/2010/0447 final */


    EUROPEAN COMMISSION

    Brussels, 31.8.2010

    COM(2010) 447 final

    REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

    Annual Report to the Discharge Authority on internal audits carried out in 2009 (Article 86(4) of the Financial Regulation)

    SEC(2010) 994

    TABLE OF CONTENTS

    1. Introduction

    1.1. The IAS Mission: Independence, objectivity and accountability

    2. Working environment and audit plan

    2.1. The internal audit process

    2.2. Implementation of the strategic IAS audit plan

    2.3. Acceptance of recommendations and perception of IAS work

    3. Main IAS findings and recommendations

    4. Conclusions

    INTRODUCTION

    This report informs the Discharge Authority about the work carried out by the Commission's Internal Audit Service (IAS), in accordance with Article 86(4) of the Financial Regulation (FR). It is based on the report of the IAS drawn up in accordance with Article 86(3) of the FR on key audit findings and, in accordance with professional standards, on significant risk exposures and control and corporate governance issues.

    This report is based on IAS audit and consulting reports completed in 2009[1] in Commission departments and executive agencies. It does not cover the results of audit work in other agencies or bodies audited by the IAS, for which separate annual reports are drawn up.

    The Commission's reactions to the findings and conclusions of the Internal Auditor were covered in the synthesis report[2], in which the Commission takes a position on the cross-cutting issues raised by IAS, the European Court of Auditors (ECA) and the Discharge Authority, and those identified by the Audit Progress Committee, and by the proposals for the triennial revision of the Financial Regulation.

    The IAS Mission: Independence, objectivity and accountability

    The mission of the IAS is to contribute to sound management in the European Commission through the auditing of internal management and control systems within the Commission and the Regulatory and Executive Agencies in order to assess their effectiveness with a view to accomplishing continuous improvement.

    The IAS is under the authority of the Member of the Commission responsible for Audit and is accountable to the Audit Progress Committee (APC).

    The IAS performs its work in accordance with the International Professional Practices Framework of the Institute of Internal Auditors (IIA), and the internal auditor has declared his organisational independence to the Audit Progress Committee.

    No systemic problems were indicated in 2009 by the Financial Irregularities Panel (FIP) under Article 112 of the rules implementing the Financial Regulation.

    WORKING ENVIRONMENT AND AUDIT PLAN

    The internal audit process

    The IAS cooperated with the ECA and with the Internal Audit Capabilities (IACs) in the coordination of audit planning, regular provision of audit reports and exchange of methodology and shared training opportunities.

    The IAS and the IACs share a common definition of the audit universe and methodology for risk assessment. The network of IACs chaired by the IAS (Auditnet) continued to provide an effective platform for harmonising the internal audit approach throughout the Commission.

    The development of a vocational training programme for internal auditors in the Commission was completed, including a training course on fraud prevention, developed by OLAF.

    Implementation of the strategic IAS audit plan

    The IAS Strategic Audit Plan for 2007-2009 was updated in 2009 to take into account the results of management’s annual risk assessment and other changes in external and internal environments (e.g. changes to the organisation’s business, operations, programmes, systems and controls).

    By the end of the 2007-2009 planning cycle the Commission’s internal control systems, which covered 56 % of the financial audit universe (66 % of the 2009 budget commitments), should have been audited by either the IAS or the IACs. The final coverage achieved will be calculated once all IACs submit the updated figures. The IAS also conducted a number of audits in the non-financial area (e.g. Business Continuity, risk management).

    In 2009, the IAS completed 87 % of its work programme, representing 100 % of C1 engagements[3] and 66 % of C2 engagements[4]. In total, 67 reports were issued (34 audits, 32 follow-ups and 1 consultancy). A complete list is annexed.

    Acceptance of recommendations and perception of IAS work

    In 2009 the acceptance rate of audit recommendations by auditees was 98.8 %.

    *All recommendations except two ‘very important’ and one ‘important’ were accepted.

    Feedback on auditee satisfaction with individual audits yielded an average result of 1.71 on a scale from 1 (highest) to 4 (lowest) compared with 1.74 in 2008 and 1.86 in 2007. A survey at the beginning of 2010 found that 78.8 % of stakeholders deem that the IAS delivers and communicates a strong vision in the area of governance and internal control, 90.0 % that its audits are performed with honesty, objectivity and fairness and 76.3 % that the IAS recommendations are readily useful to the auditee (compared with 61.5 % in 2008 and 48.8 % in 2007). Overall, 90.0 % considered that the IAS’s work contributes to the quality of management and control systems in the Commission and its executive agencies.

    MAIN IAS FINDINGS AND RECOMMENDATIONS

    Business continuity

    The adequacy and effectiveness of Business Continuity Management (BCM) was assessed in four services. It was acknowledged that BCM is an evolving process which is not yet mature, and that significant efforts have been deployed since 2006 to develop, implement and improve it. Nevertheless, the IAS considered that there was a need for a better corporate overview and enhanced overall guidance. The IAS recommended that responsibility for addressing these recommendations be attributed to an appropriate oversight body or steering function. The horizontal service in charge of BCM should provide more guidance on how to perform a business impact analysis on the basis of a risk assessment, enhance coordination of cross cutting issues and interdependencies and improve business continuity planning. There must be an overview at institutional level of the services' business continuity planning. To ensure this overview, a complete list of critical activities must be established. The plans should be regularly tested in practice, and a corporate BCM exercise programme should be drawn up with mandatory periodic simulation exercises.

    Risk management

    The current risk management framework was introduced in 2005, together with an action plan to be implemented during the years 2005 to 2007. The audit engagement carried out in 2009 in two horizontal and two operational services assessed both the adequacy of the risk management framework and its effective implementation.

    The audit confirmed that the Commission's risk management framework is consistent with the internationally accepted benchmark, i.e. the COSO-Enterprise Risk Management model, and that it provides a sound basis for risk management.

    The IAS recommended that the role of central services be significantly strengthened, so as to obtain an effective overview of the implementation of risk management in the Commission and to ensure that cross-cutting risks were fully addressed and that risks to the institution as a whole were properly identified. It recommended that the central services promote best practice in risk management, analyse critical risks reported by the DGs as well as the associated management responses, and send a consolidated version of their analysis to the College.

    Clarification of key concepts (e.g. assessment of critical risks both at inherent and residual level) and further guidelines (e.g. application of the concept of risk tolerance and consideration of risks arising from dependency on external partners) are necessary to improve management and risk reporting.

    Operational DGs need to strengthen the current management of risks as well as to establish risk management as an effective tool embedded in their management process.

    Procurement and grant management

    Three new audits and five follow-ups were performed on procurement and grant management processes in internal policies.

    As regards procurement procedures in DG JRC, there are inherent risks associated with its decentralised structure and the specialised nature of its activities. There is a particular risk exposure stemming from the treatment of nuclear material and the operation of nuclear research installations. The IAS has recommended improvements to the procurement planning process, the documentation of procurement files, ex-post controls, guidance and monitoring of exceptions.

    For grants awarded by DG ESTAT, it was proposed to reinforce the ex-ante evaluation of large projects, to enhance evaluation during the preparation of the awarding process and to simplify the basis on which costs are charged to the Commission.

    As regards the management of grants under the Schengen facility, it was proposed to improve reporting in the JLS annual activity reports by including a summary of the key controls in place for programmes which are implemented under decentralised management, and by presenting key performance indicators supporting the legality and regularity of the underlying transactions. Checks on the Schengen facility were found to suffer from a lack of clarity in their legal basis. The low implementation rate of the ‘Schengen facility 2’ in Bulgaria and Romania implies that key activities intended to improve effective controls at the EU’s external borders have not yet been carried out or were delayed at the time of the audit. There was also a risk that Bulgaria might not fully implement the ‘Schengen Facility 2’ budget. DG JLS should strengthen the monitoring of this country’s progress by drawing up an action plan in agreement with the Member State's authorities and consider developing a plan to limit the loss of appropriations if the actions were not to be implemented.

    As regards the design of the controls over the 7th Framework Programme (FP7) by DG Research, the IAS recommended improvements to the control strategies. Whilst recognising that the legislative framework places emphasis on simplifying and reducing ex-ante controls over beneficiaries, the audits highlighted the need to strike an effective balance between preventive measures and ex-post controls. The IAS recommended using more selective, risk-based checks where necessary, and developing clear fraud prevention and detection strategies. The sanction mechanisms provided for in the regulations should also be applied in practice, to ensure that there is a deterrent effect.

    Executive agencies

    Two audits were conducted on the operational budget delegated to executive agencies, and two follow-up audits were carried out in executive agencies. Particular attention should be paid to ensuring a clear and organised handover of tasks from DGs to newly created executive agencies and a clear division of tasks between them. The IAS recommended a memorandum of understanding between each parent DG and executive agency, and a clear and formalised strategy in the parent DG for monitoring the executive agency’s discharge of its responsibilities concerning operational expenditure.

    After both audits it was recommended that a comprehensive integrated management information system be set up, in order to improve the basis for monitoring and reporting on the programmes managed by the executive agencies.

    The IAS recommended that the EACI should test its business continuity plan in order to ensure effective implementation. In addition, it noted that limiting access to Commission’s IT systems and security services may have an adverse impact on the continuity of executive agencies' operations due to their high level of dependence on some of these systems.

    Information technology (IT) issues

    At the request of the APC, two management letters were issued summarising the salient points identified in audits undertaken in recent years on large IT systems and on corporate IT systems[5].

    For large IT projects, the following issues were noted for consideration: strengthening the IT risk management procedures by regular and detailed assessment of risks; developing and applying a formalised project management methodology for all large IT developments; closer monitoring of the performance and quality of IT contractors; and implementing a complete and formalised process for managing changes to IT systems. Particular attention was drawn to the importance of a proper IT procurement planning and sourcing strategy to avoid technical captivity and interruption of service in the event of changes in service providers. Oversight should be strengthened at corporate level in order to monitor major IT developments.

    Both large and corporate IT systems bear the following risks: non-compliance with applicable corporate IT governance rules; failure to provide expected deliverables on time and within budget; user dissatisfaction; inefficient use of resources; and reputational damage.

    For corporate IT systems, additional risk factors have been identified, mainly related to the need for adequate governance at central and local level: inadequate corporate guidance and supervision with respect to information systems development; unclear governance arrangements; inadequate involvement of stakeholders in the decision-making process; and inappropriate allocation of costs incurred for the execution of IT projects. If these risks materialise, they could jeopardise the implementation of a coherent and effective Commission IT strategy and impair the achievement of the project’s objectives. There is a risk that the Commission may fail to make efficient use of significant human and budgetary resources.

    The IAS recommended that a suitable body be made responsible for defining the Commission’s mid- to long-term IT strategy and priorities, and that these should be endorsed by the ABM Steering Group, which would monitor their effective implementation. These IT priorities, to be set for systems financed by both operational and administrative appropriations, should form the basis for the individual DGs' IT strategies (‘Schémas Directeurs’) and for the processes of budgetary allocation and release. The responsibilities for the management of corporate IT systems should be better defined and the related decision-making process should be strengthened by regulating the proper participation of the key actors involved. The current governance structure should be strengthened at project, domain and corporate level, and should include the setting up of specific procedures to escalate disagreements between services to the ABM Steering Group. The budgetary process and the monitoring of costs should also be strengthened.

    Shared management

    The IAS audits focused on the DGs’ supervisory responsibilities in the key policy areas of Agriculture, Fisheries and Cohesion. These included audits of the start-up phases of the multi-annual control strategies of the respective DGs for the programming period 2007-2013.

    In the area of Agriculture, an audit focused on repayments of direct aids to Member States and the monitoring of the implementation of the Integrated Administration and Control System (IACS) in specific Member States where serious weaknesses had been identified, as well as in one candidate country. The IAS concluded that the initiation, verification and authorisation of payments to Member States is functioning satisfactorily and that, in recent years, the Commission had intensively monitored the implementation of IACS in the countries examined. For rural development, the IAS found that the internal control system in place provides reasonable assurance regarding the achievement of the business objectives set up for the EAFRD 2007-2013 programming period. However, internal coordination could be improved in order to ensure that all relevant information concerning audit results is systematically made available to the geographical rural development units, and that this information is regularly consulted.

    As regards the European Fisheries Fund, the IAS recommended that DG MARE should strengthen the existing process for monitoring implementation in the Member States and provide better documentation. DG MARE should adopt a detailed audit plan and set up documented working arrangements with DG REGIO and DG EMPL when dealing with the same national audit authorities. The IAS further recommended that it include fraud prevention and detection procedures in its audit strategy.

    In the Cohesion area, the IAS examined controls by DG REGIO and DG EMPL over the management and control systems which the Member States had announced for the 2007-13 programming period. The IAS found that, although the checks were performed as intended, the process suffered from delays incurred by the Member States’ services. The IAS raised concerns about the quality of the information provided at Member State level and recommended that the DGs follow these up in the next stage of the assurance building process. The IAS shares the ECA's view that it is too early in the programming period to conclude that the changes to the rules and supervisory systems have succeeded in reducing the number of errors in payments at final beneficiary level. The audits highlighted the need for DGs to define their own audit strategies more explicitly, in particular the extent to which they take account of the results of Member State audit work. There is scope for a more coordinated audit approach between the Commission and Member States, or even for joint audits, particularly when different audits concern the same national audit authorities.

    Asset management

    An audit of the inventory process as managed by OIB (excluding the management centre for IT equipment) found that the legal basis was obsolete and that there was a lack of evidence to show that the required periodic inventory checks had always been carried out. The IAS stressed the importance of the clarification of roles and responsibilities, the documentation of procedures and coordination, as prerequisites for an effective process.

    The main results of the audit conducted on the Supply and Assets Management (SAM) project are summarised in the section on IT issues.

    External policies

    The audit on the Common Foreign and Security Policy (CFSP) budget found that, due to the shared responsibilities with the Council, the Commission has only a limited influence on the operational implementation and capacity of CFSP actions. The IAS could not obtain reasonable assurance regarding the management of the CFSP budget. It recommended that the Commission ensure full compliance with the legal requirements relating to ex-ante assessments. The delays observed in the start-up and implementation of CFSP actions could be remedied, in cooperation with the Council, by means of better guidance (procedural manuals), standardised procedures, and through the provision of toolkits. The IAS identified a risk of significant underspending in civilian CSDP crisis management missions, and a need for an on-the-spot mission strategy, harmonised reporting and timely closing procedures.

    An audit of the financial management of the food assistance scheme provided reasonable assurance regarding the achievement of the objectives set. Audits of the Neighbourhood policy and of the closure of CARD and PHARE gave rise to recommendations for improving controls, and underlined the risks arising from the high staff turnover.

    Follow-up of the recommendations of earlier audits

    Audited services draw up action plans to address the IAS recommendations. The implementation of these plans is followed up through ‘Issue-track’, and tested by follow-up audits.

    Of the 34 follow-up audits finalised in 2009, 24 concluded that all the recommendations issued in the initial audit reports had been implemented and another six concluded that only one recommendation had not yet been fully implemented.

    There was some further improvement in the overall rate of implementation of internal audit recommendations. The latest statistics (as at 29 January 2010) show that 26 % of the outstanding ‘very important’ recommendations (41 out of 159) were overdue by more than six months, down from 29 % reported the year before.

    CONCLUSIONS

    On the basis of the audits and related work, finalised in 2009, the following conclusions can be drawn:

    Conclusion 1: Further progress has been made, but more improvements are needed

    The IAS saw continuous improvements in the Commission’s internal control environment, linked to the efforts towards an unqualified DAS (declaration of assurance). However, the IAS noted that further improvements are needed on several aspects of financial management:

    - Shared management:

    - Concerning the management of grants under the Schengen Facility II, and despite the contract extension granted and changes decided on the repartition of funds between the Schengen part and the cash-flow, the risk profiles will have to be better defined, closure audits will have to be adapted accordingly and JLS will have to closely monitor the budgetary execution;

    - Improvements should be made on the general co-ordination of audit strategies by the Commission services responsible for the management of structural funds policies, thereby improving the coverage of common audit authorities. The results of the enquiry launched in 2009 to review the audit authorities' work will allow the Commission to rely on the opinions provided and, consequently, reduce its own on the spot audits.

    - Direct management:

    - Regarding the inventory process, a revision was made of the legal basis, and the control requirements must be fully implemented by OIB;

    - Despite the strengths of its Public Procurement Advisory Group, the procurement process in JRC needs to be substantially improved, particularly regarding the documentation of exceptions, planning, the quality of ex post controls and the justifications provided for market captivity.

    - In the research area attention was drawn to the need for a strategy for fraud detection and prevention and for improving guidance on the implementation of financial viability checks. Nevertheless, a number of improvements have already been made in the internal control systems for the management of the 7th Framework programme (e.g., the balance between ex ante and ex post controls and the completion of a procedure for the management of the Guarantee Funds).

    - Indirect centralised management - implementation of CFSP actions; progress was made on the requirements to be met by CSDP missions in relation to indirect centralised management, on the set-up, support and monitoring of CSDP missions, and on the closure procedure for CSDP contracts. Further actions still need to be implemented by DG RELEX in order to fully comply with indirect centralised management requirements (“six-pillar” assessments under Article 56 of the Financial Regulation). Moreover, guidance and methodology for assessments of civilian crisis management missions and on the setting up of financial management systems for missions will have to be developed, and ex post controls on missions will need to be strengthened.

    It is the IAS opinion that an overview is necessary at the level of the institution if common processes, such as risk analysis and business continuity management, are to be effective in protecting the institution as a whole. An overview is also necessary in order to ensure sound financial management of investments in IT systems through economies of scale and by providing common solutions to common requirements.

    The IAS recommends that appropriate bodies be made responsible for gaining this overview, and for making appropriate recommendations, whilst taking care not to dilute responsibility for the implementation of each process.

    The Commission considers that corporate oversight is already in place or planned for certain processes, such as the Impact Assessment Board, the ABM Steering Group, the Internal Control Correspondents Network or the Peer Review of the Annual Activity Reports and a wide range of networks, workshops, and online assistance to services in these areas.

    It further considers that any allocation of this type of responsibilities to central services would dilute the responsibility of each Director-General and Head of Service.

    Conclusion 2: Risk management

    The IAS noted the progress made since the Commission's adoption of a risk management framework in 2005, but considered that its implementation needs to be better embedded in the management processes of each service. This should be combined with an enhanced overview of cross-cutting risks and improved guidance at central level.

    The central services could not accept this recommendation in its entirety, as they considered parts of it to be inconsistent with the Commission's governance framework. The Commission considers that within the current governance structure the central services already provide an overview of cross-cutting risks and guidance on the risk management framework and implementation.

    Conclusion 3: Corporate business continuity

    The IAS audit showed that the Commission needs to keep up the momentum in its efforts to ensure business continuity in the event of serious disruptions, in particular through enhanced steering, coordination and testing of the recovery of critical activities. The Commission shares this point of view.

    Conclusion 4: Corporate IT approach

    The IAS has demonstrated the need to further strengthen IT strategic decision-making and IT project management processes, in order to ensure that IT projects are properly aligned with the Commission’s objectives, provide value for money and are implemented in a timely manner. The Commission shares this analysis.

    Final remarks

    The Internal Audit Service submitted its Strategic Audit Plan for the period 2010–2012 in April 2010. Its aim is to cover the main risks identified, and to achieve the necessary coverage to support the Internal Auditor’s overall opinion on financial management.

    [1] Some reports finalised at the beginning of 2009 had been included in the 2008 report and are therefore not included again in the 2009 report. Likewise, some reports drafted in 2009, but finalised at the beginning of 2010 are included in the 2009 report.

    [2] COM(2010)0281, of 25 May 2010

    [3] C1 engagements are those due to be completed within the year.

    [4] C2 engagements are those that may be carried over to the following year, in particular when the implementation of action plans is insufficient to justify a follow-up audit, or when the subject of an audit experiences delays.

    [5] Systems used by a large number of users outside the owner DG.