EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Document 52017DC0497

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Annual report to the Discharge Authority on internal audits carried out in 2016 (Article 99(5) of the Financial Regulation)

COM/2017/0497 final

Brussels, 15.9.2017

COM(2017) 497 final

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

Annual report to the Discharge Authority on internal audits carried out in 2016
(Article 99(5) of the Financial Regulation)

{SWD(2017) 306 final}


1.     Introduction    

2.     The IAS Mission: Independence, objectivity and accountability Objectives and scope of the Report    

3.     Overview of audit work    

3.1.     Implementation of the 2016 audit plan    

3.2.     Statistical data on IAS recommendations    

4.     Summary of the audit work    

4.1.     Conclusions on performance audits    

4.1.1. Performance of Commission DGs, Services and Executive Agencies: horizontal processes 8

4.1.2.Performance in implementing budget operational and administrative appropriations 12

4.2.     IAS limited conclusions    

4.3.     Overall opinion on the Commission's financial management    

5.     Consultation with the Commission's Financial Irregularities Panel    

6.     Conclusions    

7.     List of acronyms    

1.Introduction

This report is to inform the European Parliament and Council of the work carried out by the Commission’s Internal Audit Service (IAS), as required by Article 99(5) of the Financial Regulation. It is based on the report drawn up by the Commission’s Internal Auditor under Article 99(3) of the Regulation, regarding IAS audit and consulting reports completed in 2016 1 on Commission Directorates-General, Services and Executive Agencies 2 . In line with its legal base it contains a summary of the number and type of internal audits carried out, the recommendations and the action taken on those recommendations.

2.The IAS Mission: Independence, objectivity and accountability Objectives and scope of the Report

The mission of the Internal Audit Service is to provide to the Commission independent, objective assurance and consulting services designed to add value and improve the operations of the Commission. The IAS helps the Commission accomplish its objectives by bringing a systematic, disciplined approach in order to evaluate and make recommendations for improving the effectiveness of risk management, control and governance processes. Its tasks include assessing and making appropriate recommendations for improving the governance process in its accomplishment of the following objectives: promoting appropriate ethics and values within the organisation, ensuring effective organisational performance management and accountability and effectively communicating risk and control information to appropriate areas of the organisation. Thereby it promotes a culture of efficient and effective management within the Commission and its departments.The IAS's independence is enshrined in the Financial Regulation 3 and its Mission Charter 4 as adopted by the Commission. The IAS reports on all of its audits to the Audit Progress Committee (APC). The Audit Progress Committee assists the College of Commissioners by ensuring that the work of the IAS and of the European Court of Auditors (ECA) is properly taken into account by the Commission services and receives appropriate follow-up.

The IAS performs its work in accordance with the Financial Regulation and the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics of the Institute of Internal Auditors.

The IAS does not audit Member States’ systems of control over the Commission’s funds. Such audits, which reach down to the level of individual beneficiaries, are carried out by Member States’ internal auditors, national Audit Authorities, other individual Commission DGs and the ECA. The IAS does, however, audit measures taken by the Commission services to supervise and audit bodies in Member States, and other bodies which are responsible for disbursing EU funds, such as the United Nations. As provided for in the Financial Regulation, the IAS can carry out these duties on the spot, including in the Member States.

3.Overview of audit work 

3.1.Implementation of the 2016 audit plan

By the cut-off date of 31 January 2017, the implementation of the updated 2016 audit plan reached its target of 100% of planned engagements for audits in the Commission's Directorates-General, Services and Executive Agencies 5 .

154 engagements (including audits, follow-ups, reviews and one consulting assignment) were finalised, broken down as follows:

2016

2015

2014

 

Engagements

Reports

Engagements

Reports

Engagements

Reports

Audit

52

60

38

52 6

25 7

31

Follow-up

95

- 8

96

-

53

-

(Limited) Review

6

6

2

2

5

5

Management Letter

0

1

1

1

1

1

IT Risk Assessment

0

0

0

0

1

1

JSIS Risk Assessment

0

0

1

1

0

0

Consulting

1

1

1

1

0

0

Total

154

68

139

57

85

38

The 2016 initial plan contained 67 audit engagements and limited reviews which were planned to be finalised by the cut-off date of 31 January 2017 and 34 audits which were planned to start before this cut-off date and to be finalised in 2017. The plan was updated at mid-year. Both the initial and updated plans were considered by the Audit Progress Committee.

In accordance with its Charter and the International Standards and in order to ensure an efficient and effective implementation of the audit plan, the IAS plans its audit work on the basis of a risk assessment and a capacity analysis. The implementation is then regularly monitored and adjustments are made as necessary.

3.2.Statistical data on IAS recommendations

The number of recommendations issued by the IAS (including their acceptance rate) in 2016 was as follows:

 

New recommendations

Accepted recommendations 9

Non-accepted recommendations

Priority

 

 

%

 

%

Critical

0

0

100%

0

N.A.

Very Important

119

119

100%

0 10

0%

Important

138

138

100%

0

N.A.

Desirable

1

1

100%.

0

N.A.

Total

258

258

100%

0

N.A

For all accepted recommendations, the auditees drafted action plans, which were submitted to and assessed as satisfactory by the IAS.

The implementation of the accepted recommendations made during the period 2012-2016, as assessed by auditees 11 , as at 31 January 2017 is presented in the following table. Recommendations implemented after the cut-off date of 31 January 2017 are not considered.

Implemented

In progress (by number of months overdue)

Year 

Priority

Total 

#

%

#

%

No delay

0 - 6

6 - 12

12+

2012

Critical

0

0

0%

0

0%

0

0

0

0

Very Important

68

68

100%

0

0%

0

0

0

0

Important

123

118

96%

5

4%

0

1

0

4

Desirable

0

0

0%

0

0%

0

0

0

0

2012 Total

191

186

97%

5

3%

0

1

0

4

2013

Critical

0

0

0%

0

0%

0

0

0

0

Very Important

45

42

93%

3

7%

1

1

0

1

Important

75

64

85%

11

15%

1

0

1

9

Desirable

7

7

100%

0

0%

0

0

0

0

2013 Total

127

113

89%

14

11%

2

1

1

10

2014

Critical

0

0

0%

0

0%

0

0

0

0

Very Important

40

38

95%

2

5%

0

0

0

2

Important

78

65

83%

13

17%

1

2

1

9

Desirable

7

7

100%

0

0%

0

0

0

0

2014 Total

125

110

88%

15

12%

1

2

1

11

IACs recs taken over

Critical

0

0

0%

0

0%

0

0

0

0

Very Important

252

239

95%

13

5%

0

1

3

9

Important

593

551

93%

42

7%

1

1

1

39

Desirable

63

63

100%

0

0%

0

0

0

0

IACs Total

908

853

94%

55

6%

1

2

4

48

2015

Critical

1

1

100%

0

0%

0

0

0

0

Very Important

69

32

46%

37

54%

15

19

2

1

Important

129

78

60%

51

40%

20

17

12

2

Desirable

18

17

94%

1

6%

1

0

0

0

2015 Total

217

128

59%

89

41%

36

36

14

3

2016

Critical

0

0

0%

0

0%

0

0

0

0

Very Important

118

3

3%

115

97%

108

7

0

0

Important

138

19

14%

119

86%

109

9

1

0

Desirable

1

0

0%

1

100%

1

0

0

0

2016 Total

257

22

9%

235

91%

218

16

1

0

TOTAL 2012-2016

1825

1412

77%

413

23%

258

58

21

76

Thereof Critical or Very Important 

593

423

71%

170

29%

124

28

5

13

Overall, 1 412 or 77% of the total number of accepted recommendations made over the period 2012-2016 are considered by the auditees as implemented, leaving a total of 413 recommendations (or 23%) still in progress. Of these 413 recommendations in progress, none is rated critical, and 170 recommendations (or 29% of the total number of accepted critical and very important recommendations) are rated very important.

Of the 413 recommendations in progress, 155 are overdue, representing 8.5% of the total number of accepted recommendations, of which 18 very important recommendations are long overdue (for more than 6 months compared to the original due date). Overall, these represent only 0.99% of the total number of accepted recommendations in the period 2012-2016.

The total number of recommendations issued during the period 2012-2016 for which a follow-up audit has been conducted amounts to 1 314 compared to 1 412 reported as 'ready for review' by the auditees.

Of the total number of recommendations followed up during that period, 1 246 (95%) have been closed by the IAS. This means that on average, the IAS assessed that 5% of recommendations could not be considered as effectively implemented yet, and therefore not closed following the completion of the follow-up audit.

Overall, the IAS considers that the state of play regarding the implementation of audit recommendations is satisfactory and comparable to previous reporting periods. It indicates that the Commission services are diligent in implementing the very important recommendations, hence mitigating the risks identified. Nevertheless, and even though there is no recurrent outstanding issue or a specific service concerned, attention has to be paid to the individual recommendations rated very important which are long overdue, i.e. more than six months. A dedicated report was established and sent to the Audit Progress Committee, a summary of which is provided in the SWD accompanying this report.

4.Summary of the audit work

4.1.Conclusions on performance audits 

In response to the Commission's move towards a performance-based culture and greater focus on value for money, the IAS continued to carry out performance audits 12 and audits which include important performance elements (comprehensive audits) in 2016 as part of its 2016-2018 strategic audit plan.

In line with its methodology and best practice, the IAS approached performance in an indirect way, i.e. whether and how management have set up control systems intended to assess and provide assurance on the performance (efficiency and effectiveness) of its activities. Through this approach, the IAS aims at ensuring that, in the first instance, DGs and Services have established adequate performance frameworks and performance measurement tools, key indicators and monitoring systems. This results in part from the fact that a large number of legal bases set out objectives that are of a wider scope than the Commission can achieve on its own. This means that SMART objectives and benchmarks have first to be established at Commission level, in order to dissociate, to the extent possible, the Commission's specific contribution from those of other major key players who contribute to the implementation and achievement of EU funds' objectives (Member States, Regions, Third Countries, International Organisations etc.).

The following sections set out the conclusions of the IAS on the various performance aspects of its audits carried out in 2016.

4.1.1.Performance of Commission DGs, Services and Executive Agencies: horizontal processes

4.1.1.1. Performance management

DGs and Services are faced with a growing pressure on financial and human resources while at the same time they need to demonstrate that they can deliver on their objectives and achieve value for money. In a political context of strong focus on performance, it is essential for DGs to adequately define, manage, monitor and report on the specific objectives which are under their control and can be achieved through their outputs and actions. Several IAS audits focused on performance management and measurement and revealed that significant improvements are still necessary to enhance the maturity of the DGs performance management and measurement mechanisms. This confirms last year's conclusion which emphasised the need to take further steps at both corporate and DG level to improve the quality of objectives and indicators. In 2016, the European Court of Auditors also highlighted deficiencies in performance management and measurement in its annual report and in its special reports 13 . For many years, the IAS has been formulating recommendations in this area. Important progress has been achieved over the years with, for instance, a number of new initiatives at corporate level. However, the IAS continues to identify significant weaknesses and high risks which illustrates that despite the efforts made, it takes time to develop an effective performance culture and mind-set and to implement efficient and effective performance management throughout the organisation.

The 'Common Monitoring and Evaluation Framework' is one of the key elements of DG AGRI's performance measurement for the common agricultural policy. Significant weaknesses were identified in the setting of objectives, in the set of indicators used and in the collection of data which may impair DG AGRI's ability to monitor, evaluate and report on the performance of the 2014-2020 common agricultural policy.

DG GROW has implemented different performance management tools to monitor its main areas of intervention and to steer operational performance but the performance management framework has to be further improved to demonstrate how the DG's short-term actions effectively contribute to the achievement of its strategic objectives and consequently to the high-level Commission priorities. In particular, the description of the overarching strategic vision is missing and sufficient performance information is not always available or consistently presented in different strategic planning and programming documents.

In DG MOVE, similar weaknesses have been observed in the DG's performance management framework. The DG has no overarching strategic vision describing how the DG organises its interventions and how short-term outputs will lead to medium and long-term results and impacts and contribute to the achievement of its strategic objectives. Furthermore, there is no centralised approach to monitoring and reporting on longer-term policy achievements and DG MOVE’s specific objectives are not sufficiently specific and relevant. No formal process was in place to prepare the CEF programme statements and internal guidance was missing to define the tasks to be performed, the responsibilities and roles of each unit, the timing and workflow, the definition of the indicators with the source of information, the methodology to calculate the indicators and the unit in charge.

DG DEVCO has developed a number of performance management tools enabling it to steer operational performance both in headquarters and in the EU delegations. However, DG DEVCO's performance management system to plan, monitor and report on the achievement of its objectives needs to be significantly enhanced to strengthen its effectiveness. There is no systematic monitoring of progress made towards the achievement of objectives and targets set in the management plan and most of the EU delegations sampled do not monitor the achievement of the objectives set in their management plans. In addition, there is no central guidance on monitoring on the objectives and targets set in the action documents 14 and the results of the projects belonging to the same action document are not consolidated to provide information on the achievement of the overall objectives. In terms of reporting, the type of information on DG DEVCO's performance provided by the different strategic planning and programming-related reports is limited and does not give an actual assessment of whether objectives have been achieved or not. At the level of programmes, there is no annual reporting on the progress made towards the achievement of the objectives set in the programming documents, which consolidate the results measured at the level of the projects. The Internal Auditor recognised the efforts made by the DG to further complement its performance management tools with result oriented reporting initiatives.

An audit in DG EAC resulted in a positive conclusion and showed that it is possible to implement an effective performance management framework despite the fact that the DG is confronted with a diversity of policy activities and spending programmes.

4.1.1.2. Risk management

Risk management is a continuous activity. In general, management performs annually a risk assessment in the context of the strategic planning and programming activities. An audit in DG NEAR on risk management identified significant deficiencies in the design and implementation of this process, affecting its overall effectiveness. In response to these findings, DG NEAR put into place an action plan to address the significant weaknesses.

4.1.1.3. HR management

In the HR area, the IAS assessed for several DGs and Executive Agencies if they have designed and implemented effective HR strategies to deal with challenges resulting from new priorities, changes in staffing levels and reorganisations. In general, the audits concluded that the DGs and Executive Agencies have taken adequate measures to manage the HR challenges to which they are confronted. Nevertheless, in DG ENV improvements are possible as this DG is currently not able to effectively monitor and compare workload within the DG. In REA, the audit revealed significant weaknesses in the selection process for contractual agents, i.e. in the checks over the eligibility and the application of the selection criteria, and the completeness of the selection files and in the guidance provided to selection panel members and observers.

4.1.1.4. IT management

In the IT area, several IT audits confirmed that there is room for improving the effectiveness of various aspects of IT operations.

DG GROW needs to address significant weaknesses related to the DG's IT governance and portfolio management to ensure that it can make a successful organisational transformation and that business and IT are fully aligned. Weaknesses have been observed in the IT strategy and in linking objectives to key performance indicators, in IT risk management, in the communication of key IT developments, in assessing the cost-benefit of IT and in IT portfolio and programme management in general.

In DG JRC, despite some existing good practices, the IAS identified significant weaknesses in IT security which led it to conclude that the controls in place do not provide sufficient assurance that IT security risk is adequately mitigated. There is insufficient management oversight of IT security, JRC does not define security requirements into the design of IT systems, IT security reviews are not performed for all systems and the inventory of IT systems as regards security is incomplete.

In DG BUDG, significant weaknesses were observed in the effectiveness of measures taken to handle manual interventions in ABAC. The IAS observed an extensive use of manual interventions in the production environment, combined with a relatively high number of privileged users assigned to internal staff and external consultants with unlimited access and rights to perform changes in the production environment as well as weaknesses in controls over privileged user accounts and in preventive controls, which are not sufficiently compensated by adequate detective controls.

OP is highly dependent on IT for its core business processes and hence has put a number of controls in place to ensure business continuity in this area. Nevertheless, the IAS identified shortcomings in the physical security of the alternate data centre, recovery time objectives not met for key business processes and a business impact analysis delivering an incomplete picture and misleading results.

The audit of the electronic exchange of social security information project in DG EMPL highlighted a number of risks associated to the effective implementation of an IT project. The IAS concluded that the controls in place do not provide sufficient assurance that the remaining high risks associated with such a sensitive and complex project have been fully mitigated. In particular, the first main deliverable (production ready release), required urgent and stricter controls on project objectives, milestones and ownership of tasks. A clear overview of tasks and ownership to address weaknesses identified during the early life of the system is required. DG EMPL had already initiated action plans to address some of the weaknesses identified, but the IAS stressed the urgency and the need to ensure that these actions are implemented as soon as possible.

4.1.1.5. Other

Other IAS audits in the areas of Anti-Fraud activities for traditional own resources, managing and sharing data on agro-environmental-climate issues, better regulation and ex-post audits by the common audit service showed that further steps are necessary to increase the overall performance of these processes.

The IAS identified significant weaknesses related to the planning, management and coordination of fraud prevention and detection activities in the traditional own resource area, which may lead to ineffective prevention and detection of fraud.

Data management is an essential component of evidence-based policymaking. One of the key areas requiring the effective sharing of data is on agri-environmental-climate issues as these cut across a number of DGs and policy areas. The IAS concluded that although a number of rules and procedures on data management are in place, there are significant weaknesses to ensure an effective and efficient process for managing and sharing agri-environmental-climate data. This is due to the absence of a Commission-wide framework for managing and sharing data and to deficiencies in the way in which agri-environmental-climate data is currently shared and managed between the DGs.

In terms of better regulation the IAS found that the Commission has taken significant steps to implement the new better regulation agenda. However, despite these achievements, significant efforts, primarily at the corporate level, are still necessary to bring the better regulation agenda to a fully mature state.

The Common Audit Service (CAS) in the Common Support Centre (CSC) needs to make significant efforts to increase the maturity of its internal processes, thus ensuring that it will achieve the objectives of the FP7 ex-post audit strategy, and that it will be prepared for the challenges brought by the H2020 ex-post audit strategy. In particular, the CAS should reduce the average time to close audits and improve the internal processes for ex-post audit planning, monitoring, and reporting. It should also establish SMART objectives, and develop an approach and guidance for fraud detection.

Certain weaknesses were identified in the supervision by DG MOVE of aviation and maritime security. This is an area were security events may, ultimately, result in serious reputational consequences for the institution. The IAS concluded that there are significant weaknesses in DG MOVE's current monitoring system due to the lack of a formalised comprehensive monitoring strategy which sets out firstly the degree of assurance DG MOVE should obtain on Member States' compliance with the EU legislation on aviation and maritime security through its monitoring mechanisms, and secondly the scope and coverage of its inspection activities.

4.1.2.Performance in implementing budget operational and administrative appropriations

4.1.2.1. Direct management

In the area of directly managed funds, several audits (in DGs HOME, JUST, RTD and in REA) assessed the grant management processes and in each of these audits the IAS identified some issues which can improve the efficiency and effectiveness of these processes. Furthermore, one audit assessed if the Commission uses external contractors working intra-muros in an effective and efficient way and concluded that in the absence of a corporate framework to provide steer and guidance to DGs, the Commission is exposed to significant risks in ensuring an efficient and effective use of intra-muros contractors. At the DG level, more can be done to proactively manage the issue, through for example building in safeguards into the contracts aimed at ensuring value for money.

In addition, an audit on the effectiveness of the management of the COSME programme in EASME revealed deficiencies in the cooperation between EASME and its parent DG. The Agency has had most of the time no robust basis for preparing the COSME related part of its annual work programme and for planning its work due to the late contribution by the parent DG and the significant changes in the COSME work programme during the mid-term review. EASME has not sufficiently assessed the impact of this on the efficient implementation of the delegated actions and has not established an up-to-date planning document that takes into account all the changes to the delegated actions during the year.

4.1.2.2. Indirect management

In the area of indirectly managed funds, several audits focused on the supervision arrangements in place in the DGs and Services and several significant weaknesses were identified which may endanger the achievement of the policy objectives.

An audit on the coordination and working arrangements with EU regulatory Agencies and Bodies in DGs HOME and SANTE noted the challenges faced by the Commission partner DGs when dealing with EU decentralised Agencies, including the non-legally binding nature of the 'Common Approach' on EU decentralised Agencies (agreed in July 2012 by the European Parliament, the Council and the Commission) aimed at making the Agencies more coherent, effective and accountable. The audit also noted that the level of supervision that partner DGs can exercise in practice depends on: (1) the limited (in terms of number of votes) decision 'power' of the Commission in the Agencies' Management Boards; (2) the resources available to the partner DG to supervise the Agencies; (3) the willingness of the Agencies to cooperate with the DG as real partners, given that this type of Agencies are autonomous Union Bodies subject to a separate discharge by the European Parliament and (4) the need for these Agencies to preserve their independence in relation to the Commission, particularly when delivering scientific opinions. Nevertheless, any significant issues arising in the Agencies could have major reputational implications for the Commission. In terms of performance, significant weaknesses were identified in three key parts of the partner DGs' overall strategy towards those Agencies, namely (1) the contribution of the partner DG to the Agencies' programming and the link between the Agencies' programming and the DG's own programming activities; (2) the monitoring by the partner DG of the Agencies' activities and (3) the control strategy of the partner DG to build assurance and report (in the AAR) on the tasks 'entrusted' to its Agencies (such as 'budget implementation tasks' entrusted through 'Delegation Agreements').

An audit on DG ENER's supervision of the ITER project also revealed significant weaknesses affecting the effective supervision of the implementation of the ITER project, as it was not clearly established what the DG 15 and Euratom aim to achieve with their supervision activities and how they will assess the effectiveness of these supervision activities. Furthermore, the Commission does not receive all the information that is essential to effectively monitor F4E and use this knowledge in the discussions in the relevant governance bodies of this Agency.

4.1.2.3. Shared management

In the area of shared management, the audit on voluntary coupled support in DG AGRI confirmed that the area is very complex and that the legislation provides for a wide range of options for Member States which in turn, results in considerable pressure on the Commission's resources to ensure that voluntary coupled support is properly managed. Significant weaknesses were identified in the management and control systems put in place by DG AGRI for voluntary coupled support, in particular in relation to the monitoring of voluntary coupled support performance with a risk of not meeting the scheme objectives and potentially distorting other agricultural markets.

An audit on the effectiveness of simplification measures under 2014-2020 European structural and investment funds revealed that DGs will need to address certain high risks to ensure a continued focus on results which is a key expectation of the current programming period. In particular, the risks associated to simplified cost options need to be mitigated and the uptake and impact of simplification measures by Member States is lower than expected.

4.2.IAS limited conclusions on the state of internal control of each DG

The IAS issued limited conclusions on the state of internal control to every DG and Service in February 2017. These conclusions contribute to the 2016 annual activity reports of the DGs and Services concerned. They draw on the audit work carried out in the last three years and cover all open recommendations issued by the IAS and former Internal Audit Capabilities (insofar as the IAS has taken them over). In addition, the conclusions draw particular attention to all open recommendations rated critical or the combined effect of a number of recommendations rated very important as they may require the issuance of a reservation in the annual activity report of the DG/Service concerned. The IAS conclusion on the state of internal control is limited to the management and control systems which were subject to an audit and does not cover those which had not been audited by the IAS or the IAC in the past three years.

Particular attention, which led to reservations in the annual activity report of the DG concerned, was drawn in the limited conclusions to:

- DG CLIMA with regard to the delay observed in the implementation of one very important IT security related recommendation (on the management of the security of the EU ETS IT system), which exposes the DG to the risk of security breaches;

- DG DEVCO with regard to the combined effect of three open very important recommendations issued in the context of the audit on the management of the African Peace Facility.

4.3.Overall opinion on the Commission's financial management

As required by its Mission Charter, the IAS issues an annual Overall Opinion on the Commission's financial management. It is based on the audit work in the area of financial management in the Commission carried out by both the IAS and the former Internal Audit Capabilities during the previous three years (2014-2016). It also takes into account information from other sources, namely the reports from the European Court of Auditors. The Overall Opinion is issued in parallel to this report and covers the same financial year.

As in the previous editions, the 2016 Overall Opinion is qualified with regard to the reservations made in the Authorising Officers' by Delegation Declarations of Assurance. In arriving at this opinion, the IAS considered the combined impact of amounts estimated to be at risk as disclosed in the annual activity reports and in the light of the corrective capacity as evidenced by financial corrections and recoveries of the past as well as by estimates of future corrections and amounts at risk at closure. Given the magnitude of financial corrections and recoveries of the past and assuming that corrections in future years will be made at a comparable level, the EU Budget is adequately protected as a whole (not necessarily individual policy areas) and over time (sometimes several years later).

Without further qualifying the opinion, the internal auditor added one "emphasis of matter" which relates to the:

- supervision strategies regarding third parties implementing policies and programmes

Although it remains fully responsible for ensuring the legality and regularity of expenditure and sound financial management (and also the achievement of policy objectives), the Commission is increasingly relying on third parties to implement its programmes. This is mostly done by delegating the implementation of the EC operational budget (under indirect management mode) or certain tasks to third countries or international organisations, to National Agencies, Joint Undertakings, non-EU bodies and EU Decentralised Agencies. Moreover, in some policy areas, greater use is made of financial instruments under the 2014-2020 MFF or third parties/non-EU bodies (e.g. national authorities or private investors) funds. Such instruments and alternative funding mechanisms entail specific challenges and risks for the Commission, as highlighted by the ECA.

To fulfil their overall responsibilities, the operational DGs have to oversee the implementation of the programmes and policies and provide guidance and assistance where needed. The DGs therefore have to define and implement adequate, effective and efficient supervision/monitoring/reporting activities to ensure that the delegated entities and other partners effectively implement the programmes, adequately protect the financial interests of the EU, comply with the delegation agreement, when applicable, and that any potential issues are addressed as soon as possible.

The IAS recommended in a number of audits that certain DGs' control and supervisory strategies should set out more clearly their priorities and needs as regards obtaining assurance on sound financial management in those EU and non-EU bodies. In particular, the control strategies did not sufficiently take into account the different risks involved in entrusting tasks to the delegated entities and independent sources were not effectively used to build up the assurance. These DGs should undertake more effective and efficient supervisory activities.

Furthermore, the objectives of the supervisory/monitoring/reporting activities and how to assess their effectiveness were not sufficiently clear and the supervisory controls were limited in practice.

The IAS notes the recent initiative undertaken by the central services to develop specific guidance to the partner DGs on relations with their decentralised agencies, which covers, among other things, monitoring programming, performance and budgetary issues.

5.Consultation with the Commission's Financial Irregularities Panel

No systemic problems were reported in 2016 by the financial irregularities panel under Article 73(6) 16 of the FR.

6.Conclusions 

The implementation of action plans drawn up in response to IAS audits this year and in the past contributes to the steady improvement of the Commission’s internal control framework.

The IAS will conduct follow-up audits on the execution of action plans that will be examined by the Audit Progress Committee, which will inform the College as appropriate.

The IAS will continue to focus on financial, compliance, IT and performance audits.


7.List of acronyms

Acronym

Description

AAR

Annual Activity Report

ABAC

Accrual Based Accounting

APC

Audit Progress Committee

CAS

Common Audit Service

CEF

Connecting Europe Facility

COSME

Competitiveness of Enterprises and Small and Medium-sized Enterprises

CSC

Common Support Centre

DGs

Directorates-General

EASME

Executive Agency for Small and Medium-sized Enterprises

ECA

European Court of Auditors

F4E

Fusion for Energy

FP7

Seventh Framework Programme for Research and Technological Development

FR

Financial Regulation

IAC

Internal Audit Capability

IAS

Internal Audit Service

ITER

International Thermonuclear Experimental Reactor

SG

Secretariat-General

SMART

Specific, Measurable, Achievable, Relevant, Time-Bound

SWD

Staff Working Document

(1)  The audit reports finalised in the period 1 February 2016 - 31 January 2017 are included in this report.
(2)  The Report does not cover the decentralised European Agencies, the European External Action Service, or other bodies audited by the IAS, which receive separate annual reports.
(3)  Article 100 of the FR.
(4)  C(2015)2541 (20 April 2015), Communication to the Commission, Mission Charter of the Internal Audit Service of the European Commission. The Mission Charter was updated in 2017, ref. C(2017) 4435 final of 30 June 2017, to align it with the revisions brought to the international standards by the Institute of Internal Auditors (IIA).
(5)  The SWD provides an overview of all completed audit and follow-up audit engagements.
(6)  Some audits, in particular multi-DG audits, may give rise to more than one audit report.
(7)  The "Gap analysis of new legislation/design of 2014-20 programming period of European Structural and Investment Funds – Part 2" addressed to DG REGIO and DG EMPL is counted as two engagements.
(8)  For efficiency reasons, audit recommendations can be closed without systematically producing a formal report or closing note after every follow-up engagement. Therefore no figures on the number of reports are shown in the table.
(9)  Five recommendations were partially accepted in 2016:As a rule, the IAS proposes audits in which recommendations are (partially) rejected to the Audit Progress Committee for discussion. This may result in DGs re-considering their position.
(10)  Compared to the figures presented on page 6 (i.e. 118 very important recommendations accepted by the DGs in 2016), the figure of 119 very important recommendations differs slightly, as one recommendation on the quality of the objectives and indicators in the 2016 strategic and management plan, rated very important, and addressed to DG MOVE in the audit on the setting of objectives and measurement of performance was initially rejected by DG MOVE. Since the release of the final audit report, DG MOVE decided to fully accept all the recommendations included in the final audit report.
(11)

     This table shows the latest rating of the recommendations. This may differ from the rating in the original report if actions subsequently taken by the auditee are deemed sufficient by the IAS to partly mitigate the risks identified and therefore to a downgrading of the recommendation.

(12)  In total, the IAS carried out 43 performance and comprehensive audits. For more details see the SWD.
(13)  Examples: Annual report of the Court of Auditors on the implementation of the budget concerning the financial year 2015 – Chapter 3 "Getting results from the EU budget"; Special report N° 1/2016: Is the Commission's system for performance measurement in relation to farmers' income well designed and based on sound data?; Special report N° 16/2016: EU education objectives: programmes aligned but shortcomings in performance measurement.
(14)  Action documents specify the objectives to pursue, the fields of intervention and the description of the activities to be carried out, the expected results, the intervention logic (including 'logframe'), the indicators and their target values.
(15) The responsibility for supervising the ITER project, on behalf of Euratom, was attributed on 1 July 2015 to DG ENER following a transfer of the file from DG RTD.
(16) Article 73(6) of the Financial Regulation  Art. 117, RAP stipulates: "That annual report shall also mention any systemic problems detected by the specialised panel set up pursuant to .
Top