This document is an excerpt from the EUR-Lex website
Document 52014DC0615
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Annual report to the Discharge Authority on internal audits carried out in 2013 (Article 99(5) of the Financial Regulation)
/* COM/2014/0615 final */
1. Introduction
2. The IAS Mission: Independence, objectivity and accountability Objectives and scope of the Report
3. Overview of audit production
3.1. Implementation of the 2013 audit plan
3.2. Statistical data on IAS recommendations
4. Principal findings and recommendations
4.1. Horizontal engagements
4.1.1. Management letter on the delegation of new tasks to Executive Agencies (multi-DG)
4.1.2. Performance Audit on the Effectiveness of HR management to support the financial crisis in DG ECFIN, DG COMP, DG MARKT (multi-DG)
4.2. Agriculture, Natural Resources and Health
4.2.1. Limited review of residual error rate calculations (pillar 1 and 2) (DG AGRI)
4.2.2. Audit on Control Strategy - Implementation in DG AGRI (DG AGRI)
4.3. Cohesion
4.3.1. Performance Audit of DG REGIO Performance Measurement Systems (DG REGIO)
4.3.2. Performance Audit of DG EMPL Performance Measurement Systems (DG EMPL)
4.4. Research, energy and transport
4.4.1. Limited Review of the calculation and the underlying methodology of DG RTD's residual error rate for the 2012 reporting year (DG RTD)
4.4.2. Joint IAS-IAC Audit on Grant Management in TEN-T EA (Call for proposals-Project Management) (TEN-T EA)
4.4.3. Audit on Control Strategy in EACI (EACI)
4.4.4. Implementation of FP7 Control Systems in REA (REA)
4.5. External Aid, development and enlargement
4.5.1. Limited Review of the methodology and calculation of the residual error rate (DG DEVCO)
4.5.2. DG DEVCO's state of preparedness for the revised ECA DAS Methodology (DG DEVCO) (Performance Audit)
4.5.3. Procurement - decentralised (DG DEVCO)
4.6. Education and citizenship
4.6.1. Performance audit of National Agencies (EAC)
4.7. Economic and financial affairs
4.7.1. Performance Audit of GMES/Copernicus Programme (DG ENTR)
4.8. General services and HR
4.8.1. DG ESTAT's preparedness to fulfil its role in the Economic Governance Framework (DG ESTAT) (Performance Audit)
4.9. IT audits
4.9.1. Performance Audit on the management of the security of EU ETS IT (EU ETS) (DG CLIMA, DG DIGIT and DG HR Security Directorate)
4.9.2. SYGMA - Phase 1 – Performance audit on development process (DG CNECT, DG RTD)
5. Consultation with the Commission's Financial Irregularities Panel
6. Conclusions
1. Introduction
This report is
to inform the Discharge Authority of the work carried out by the Commission’s
Internal Audit Service (IAS), as required by Article 99(5) of the Financial
Regulation. It is based on the report drawn up by the Commission’s Internal
Auditor under Article 99(3) of the Regulation, regarding IAS audit- and
consulting reports completed in 2013[1]
on Commission Directorates-General (DGs), Services and Executive Agencies[2]. In line with its legal base it contains
a summary of the number and type of internal audits carried out, the
recommendations and the action taken on those recommendations[3].
2. The IAS Mission: Independence, objectivity and accountability Objectives and scope of the Report
The IAS's
mission is to contribute to sound management in the European Commission by
auditing internal management and control systems to assess their effectiveness
with a view to achieving on-going improvements. The IAS's independence is enshrined in the Financial Regulation[4] and its Mission Charter as adopted by the Commission. The IAS
reports on all of its audits to the Audit Progress Committee (APC)[5]. The IAS performs
its work in accordance with the Financial Regulation and the International
Standards for the Professional Practice of Internal Auditing and the Code of
Ethics of the Institute of Internal Auditors. The IAS does not audit Member States’ systems
of control over the Commission’s funds. Such audits, which reach down to the
level of individual beneficiaries, are carried out by Member States’ internal auditors,
national Audit Authorities, other individual Commission DGs and the European
Court of Auditors (ECA). The IAS does, however, audit measures taken by the Commission
services to supervise and audit bodies in Member States, and other bodies
which are responsible for disbursing EU funds, such as the United Nations. As
provided for in the Financial Regulation, the IAS can carry out these duties on
the spot, including in the Member States.
3. Overview of audit production
3.1. Implementation of the 2013 audit plan
By the cut-off date
of 31 January 2014, the IAS had implemented[6] 100% of its planned engagements (target 100%). The IAS completed 87
reports (compared with 89 in 2012 and 77 in 2011) including 23 audits, 59 follow-ups,
4 limited reviews and one management letter. A table with comparative data on
engagements and reports established for the years 2011 - 2013 is provided in
the attached Staff Working Document.
3.2. Statistical data on IAS recommendations
In 2013, the IAS
issued 134 new recommendations (of which 2 critical, 59 very important, 67
important and 6 desirable). Action plans for these
recommendations were assessed as satisfactory by the IAS. Auditees reported
that 79% of accepted recommendations issued between 2009 and 2013 were implemented
by the start of 2014. Out of all recommendations rated 'very important' or
'critical' and issued in the period 2009-2013, 10 very important
recommendations (2.3%) were overdue by more than six months. Three additional
overdue very important recommendations were issued before 2009[7]. No critical recommendation is outstanding. The APC was regularly
informed of critical or very important recommendations overdue by more than six
months and reminded services of their responsibility to implement, where
necessary. The total number of accepted recommendations issued during 2009-2013
for which the IAS had conducted follow-up audits by the end of 2013, amounts to
686. The IAS follow-up work confirmed that recommendations were being
implemented satisfactorily, contributing to the improvement of control systems
in the audited services. The IAS closed 96% of the recommendations followed up
during this period. The accompanying
Staff Working Document provides more detailed information on acceptance rates
for new recommendations and the implementation of recommendations relating to
the period 2009-2013.
4. Principal findings and recommendations
4.1. Horizontal engagements
4.1.1. Management letter on the delegation of new tasks to Executive Agencies (multi-DG)
This management letter addressed
the main issues of a horizontal nature raised in the 2010 IAS overview report
on executive agencies and subsequent audits conducted in this field. It aimed
to support management in delegating tasks to executive agencies and mitigate
the attendant risks. It was not intended to provide an assessment of the state
of play or to provide an opinion. A first issue raised was that the cost-benefit
analysis used to assess the various options should be based on a well-defined
and consistent methodology, including the use of appropriate tools and
methodologies to support the staff allocation process. In addition, the
selected option should be regularly confirmed throughout the life of the
project. As executive agencies grow in staff numbers and reach
a critical mass of programmes to be managed, consideration should be given to
alternative scenarios to achieve further cost savings and efficiency gains by
pooling together various agencies’ horizontal services such as IT, HR or
communication. Furthermore, greater focus should be placed
on improving their performance to meet the rising expectations of stakeholders. The IAS also noted that, given the scale of the
delegation of programme management, appropriate steps should be taken to ensure
the continuous availability of sufficient staff with the required profile in
the long run together with a policy on the retention of agency staff. For more details,
see section 2.1 of the annex.
4.1.2. Performance Audit on the Effectiveness of HR management to support the financial crisis in DG ECFIN, DG COMP, DG MARKT (multi-DG)
In order to be able to
deal with the new challenging responsibilities resulting from the financial
crisis, the Commission provided DG ECFIN, DG COMP and DG MARKT with a
substantial increase in human resources. The audit's objective was
to assess whether the Human Resources Management (hereafter referred to as HRM)
of the respective DGs has been effective in responding to HR challenges
resulting from the policy responses to the financial crisis. The IAS considered that the three DGs demonstrated a
very strong commitment to respond to the HR-related challenges, which enabled them
to pursue their political and operational objectives, including those arising
from the crisis itself. However, the DGs, to varying degrees, still need to
further enhance their HR management tools to make the decision-making process
more efficient. With respect to the HRM Strategy, the DGs should further develop their multi-annual HR strategy. In
particular they have to perform a qualitative and quantitative analysis of
staff needs and address the gap between needs and current situation. The
implementation of the HR strategy should be supported by tools to measure,
monitor and report on its effectiveness. As for HR planning,
they should implement tools to regularly assess staff workload and
prioritise tasks. Staff allocations should be made on this basis. The
DGs should enhance their monitoring and reporting process on the HRM related
activities by developing a comprehensive HR report that covers the different
aspects of HRM, including the related Key Performance Indicators (KPIs). This
would enable the DGs to measure their HR management’s performance and
facilitate management decisions on HR. All three DGs
established action plans which the IAS considered adequate to address the
identified issues. For more details on
the findings related to the DGs concerned, see section 2.3 of the annex.
4.2. Agriculture, Natural Resources and Health
(AGRI, ENV, CLIMA, MARE, EAHC, SANCO)
4.2.1. Limited review of residual error rate calculations (pillar 1 and 2) (DG AGRI)
For the first time, the IAS carried out limited reviews
on the calculations of residual error rates (RERs) as reported by DG AGRI
(current section), DG RTD (see section 4.4.1) and DG DEVCO (see section 4.5) in
their draft annual activity reports (AARs) for the 2012 reporting year. In calculating its RERs, DG AGRI depends very heavily
on control statistics reported by MS, which are deemed unreliable by the
European Court of Auditors. Consequently, there is a risk that DG AGRI's RERs
will be incorrect.
Looking beyond the 2012 AAR, the reliability of the MS
statistics should be improved.[8] In addition, DG AGRI should ensure that the RERs are
calculated on the basis of correct and representative data. It should address
the inconsistencies noted and ensure that cross-compliance errors are included
in the calculation. If excluded, the impact should be explained. Furthermore, DG AGRI
should consider adapting the procedure for making reservations where supported
by reliable MS control statistics. This would be more in line with the
materiality criteria used by other shared management DGs. DG AGRI agreed with and
accepted all findings and recommendations of the limited review. It recognised
the urgency of the recommendations and committed itself to implementing them. DG AGRI established an
action plan which the IAS considered adequate to address the identified issues.
This was followed up in the context of the AAR for the 2013 reporting year, which
revealed that considerable progress had already been made for the 2012 AAR and,
in particular, for the 2013 AAR. For more details, see section 3.1 of the annex.
4.2.2. Audit on Control Strategy - Implementation in DG AGRI (DG AGRI)
These audits were a
continuation of the IAS's audit in 2012 on the design of the control strategy in
place in DG AGRI's Audit Directorate. The objective was to assess the execution
of the audit and control strategy, in particular the effective implementation
of audit engagements, their supervision and corrective measures to address
weaknesses in MS management and control systems. The auditors
recognised the on-going efforts made by DG AGRI to reduce error rates and
protect the budget through a range of detective and corrective measures. Nevertheless, there
is scope for improving the audit process which is essential to provide a solid
basis for the assurance process on the legality and regularity of the
underlying transactions: preparatory documents should be obtained in a timely manner and,
where necessary, translated and analysed; coordination with operational units
should be optimised in order to build on their knowledge and expertise and to
identify and address key issues properly; re-performance checks of controls
should be made on-the-spot; and a proper documentary trail of the key stages
should be ensured. It is also essential
that DG AGRI can rely on a system to monitor real and sustainable improvements
of Member States' control systems. DG AGRI should finalise – including data
validation checks – and use its existing IT system, to better track and follow
up its audit recommendations. In addition, DG AGRI should use this system to
monitor its own audit progress, audit coverage and objective achievements. DG AGRI established an
action plan which the IAS considered adequate to address the issues identified. For more details,
see section 3.2 of the annex.
4.3. Cohesion
(REGIO, EMPL)
4.3.1. Performance Audit of DG REGIO Performance Measurement Systems (DG REGIO)
The audit's main objective was to assess the extent to
which DG REGIO has adequate performance measurement systems in place for
monitoring, reporting and evaluating the performance of activities both in
terms of its operational and administrative activities (internal) and the
delivery of policy objectives (external). DG REGIO should better integrate its priorities into
the management plan (MP), and explain how they contribute to the specific
objectives. Furthermore, targets should be well defined, accompanied by
appropriate milestones and indicators that are RACER[9]. For policy
implementation in 2014-20, indicators should be developed based on an
assessment of the overall performance of each operational programme (OP). It
should ensure that the evaluation strategy for 2014-20 draws upon the lessons
learnt from the current period, in particular on how to obtain evaluation
evidence over time and how this can contribute to the AAR and Article 318
report. Additionally, DG REGIO should, together with DG EMPL
(see below), develop a strategy to improve the reliability of performance information
reported by the MS while considering a multi-disciplinary approach. DG REGIO
should also continue to improve further the quality of data reported for the
2007-13 programming period. Moreover, DG REGIO should strengthen
the role of the geographical units in monitoring the performance of the OPs and
ensure that results are properly reflected in the Authorising Officer by
Sub-delegation (AOSD) management opinion. It should develop a clear approach
for building up assurance on the performance of Cohesion policy and how this
assurance can be delivered, including through monitoring, evaluation and audit. DG REGIO established an
action plan which the IAS considers adequate to address the issues identified. For more details,
see section 4.2 of the annex.
4.3.2. Performance Audit of DG EMPL Performance Measurement Systems (DG EMPL)
The main objective of the audit was to assess the
adequacy of the performance measurement systems in place. DG EMPL should better integrate into its MP the
objectives and planned outputs for the DG's operational activities which
contribute to the European Social Fund's (ESF) specific objectives and the
objectives for the main horizontal and administrative activities. It should further
improve its indicators to meet the RACER criteria and ensure that its targets are
well defined. For ESF policy implementation in 2014-20, indicators should be
developed based on EMPL's assessment of the overall performance of each OP.
Furthermore, it should improve reporting on the achievements of the ESF by including
more qualitative analysis and more information on the context. Furthermore, building on its work done so far, it
should further develop its approach to workload assessments to cover the full
range of activities to improve the allocation of resources. It should ensure
that it has up-to-date information to further develop its HR plan accordingly. DG EMPL should also, together with DG REGIO, develop a
strategy to improve the reliability of performance information. Although the focus
is on the next programming period, it should continue to improve data reported
for the 2007-13 period. Moreover, DG EMPL should strengthen
the role of the geographical units in monitoring the performance of the OPs and
ensure that results are properly reflected in the AOSD management opinion. It
should develop a clear approach for building up assurance on the performance of
the ESF, including the need for performance audits making use of
multi-disciplinary teams. DG EMPL established an
action plan which the IAS considers adequate to address the identified issues. For more details,
see section 4.3 of the annex.
4.4. Research, energy and transport
(EACI, ERCEA, CNECT, JRC, REA, RTD, TEN-T EA, MOVE, ENER)
4.4.1. Limited review of the calculation and the underlying methodology for DG RTD's residual error rate for the 2012 reporting year (DG RTD)
The objective was to review the calculation and
underlying methodology of the RERs reported in the draft AAR 2012. The accuracy
of the RER calculation is affected by the incomplete audits of the Common
Representative Audit Sample (CRaS) (84%). While some of the reasons for the
delays of the audits are outside the DG's control, DG RTD should nonetheless
further improve its planning of the audits of the CRaS in order to increase the
completion rate of the audit sample at the reporting date. In addition, DG RTD should take a
more conservative approach when extrapolating ex-post results to reflect the
possibility that some of the extrapolated systematic errors will not be
implemented. DG RTD accepted the recommendation and corrected it for the 2013 AAR. For more details,
see section 5.1 of the annex.
4.4.2. Joint IAS-IAC Audit on Grant Management in TEN-T EA (Call for proposals-Project Management) (TEN-T EA)
The audit's objective
was to assess the adequacy and effective application of the internal control
system related to the grants under direct management by the Trans-European
Transport Network Executive Agency (TEN-T EA). This joint engagement focused on the grant proposals evaluation process. No significant risks that may
adversely affect the achievement of the business objectives for the process
reviewed were identified. For more
details, see section 5.2 of the annex.
4.4.3. Audit on EACI's Control Strategy (EACI)
The audit covered the main building blocks to obtain assurance
for the managed funds, ex-ante and ex-post controls, and the disclosure of the
assurance within the AAR. The IAS recommended that the EACI
should comprehensively describe its Control Strategy and re-assess the internal
control system, including the link between key controls and their results and
the specific assurance objectives regarding legality and regularity. The Agency
should update its procedures for the reporting by the AOSDs by including
additional control related KPIs and should consider re-balancing the weight of
ex-ante and ex-post controls according to the assurance to be obtained. The EACI should also strengthen its ex-ante checks by
developing a risk-based approach, based on solid and consistent KPIs, reinforce
the verification of eligibility of costs and adopt formal decisions to empower
technically competent staff to provide the "passed for payment"
endorsements. As regards the ex-post audit strategy, the EACI should
better define and justify global and specific objectives, and improve its
risk-based selection process of projects; the Agency's ex-post control sector should
be reorganised. Finally, the EACI should develop an
anti-fraud strategy to ensure proper fraud awareness in its overall control
strategy. EACI established an
action plan which the IAS considered adequate to address the identified issues. For more details,
see section 5.4 of the annex.
4.4.4. Implementation of the Seventh Framework Programme (FP7) Control Systems in REA (REA)
The audit assessed whether the REA's control strategy
in the context of the FP7 had produced the expected results. Ex-post audits
carried out in 2010-2012 detected that the SME schemes managed by the Agency
were affected by significant errors. The IAS recommended that the REA should
assess the risk of irregularity and potential fraud in these schemes and report
it in its AAR 2013, fully apply the corrective actions foreseen and launch a
specific intensified audit exercise. The REA, for the purpose of deciding on reservations
in its 2012 AAR, did not use the Common Representative Error Rate across all
FP7 operations as the Research DGs did. Instead, it opted for an alternative
approach. Furthermore, the REA substituted the error rate relating to legality
and regularity by an indicator of the financial budgetary impact of the errors.
The REA should therefore improve the disclosure of error rates and assurance in
its AAR. In addition, the REA should formalise a specific ex-post
control strategy, defining objectives, priorities, KPIs for monitoring the
performance and an improved risk assessment approach to increase the number of
risk-based controls. The risk-based approach should also be developed for
ex-ante controls. Finally, the REA should address the actions included
in its Anti-fraud Approach document, initiate a reflection in the Research
family on how to perform a proper risk assessment on double funding and
coordinate efforts with other Research services on anti-plagiarism. REA established an action plan which the IAS considered
adequate to address the identified issues. For more details, see section 5.5 of the annex.
4.5. External Aid, development and enlargement
(DEVCO, ECHO, ELARG, FPI)
4.5.1. Limited review of the methodology and calculation of the residual error rate (DG DEVCO)
The objective was to review the calculation and
underlying methodology of the RER in the draft 2012 AAR. In 2011, DG DEVCO launched a study
on the calculation of its RER which was an important step towards the
improvement of its assurance-building process. However, the IAS review revealed
weaknesses in the reliability of the calculation of the estimated part of the
error rate such as the absence of a methodology that is consistently applied
for estimating errors in the absence of underlying documentation and on the
incorporation of the RER and other building blocks of assurance in the draft
AAR. Furthermore, the IAS concluded that the draft 2012 AAR
did not contain sufficient information to enable an assessment of the
cost-efficiency of the overall controls in place (including the RER study) to
be made. Such an assessment may enable DG DEVCO to identify opportunities for
cost efficiency and/or areas where controls could be redesigned. The IAS recommended that for the next reporting year,
DG DEVCO should ensure that appropriate steps are taken to ensure the use of a
database of transactions extracted from the Common Relex Information system (CRIS)
where consistency checks have already been performed. DG DEVCO established an
action plan which the IAS considered adequate to address the identified issues.
Subsequently, the IAS noted that DG DEVCO took appropriate steps to improve the
narrative part of the final 2012 AAR on the residual error rate. For more details,
see section 6.1 of the annex.
4.5.2. DG DEVCO's state of preparedness for the revised ECA DAS Methodology (DG DEVCO) (Performance Audit)
The ECA's new approach to its
Statement of Assurance audit is likely to increase reported error rates due to
the exclusion of less error-prone pre-financing transactions from the sample
and the quantification of serious irregularities in public tendering at 100%
for all management modes. In view of this, the IAS carried out an audit on DG
DEVCO's state of preparedness for the revised ECA DAS methodology. The audit showed that DG DEVCO had
made adequate preparations in order to mitigate the discharge risk associated
with the revised ECA DAS Methodology. DG DEVCO has prepared a
comprehensive action plan to address potential issues related to the revised
DAS methodology and also other issues identified by its external auditors or in
audits carried out by the IAC of DG DEVCO or the IAS. For more
details, see section 6.2 of the annex.
4.5.3. Procurement - decentralised (DG DEVCO)
The audit's objective was to assess the adequacy and
effective application of the internal control system, risk management and
governance processes related to procurement award and contracting processes of
the European Development Fund (EDF) and the EU budget which are implemented
under the decentralised management mode. The audit highlighted two specific
cases related to the identification and implementation of the principles of
ethics and the prevention of conflicts of interest. Therefore, the IAS
recommended that DG DEVCO clarify these in its Practical Guide instructions. DG DEVCO established an action plan
which the IAS considered adequate to address the issues identified. For more details,
see section 6.4 of the annex.
4.6. Education and citizenship
(COMM, EAC, EACEA, HOME, JUST)
4.6.1. Performance audit of National Agencies (EAC)
National Agencies (NAs) have been
designated by the National Authorities of the participating countries to
implement the Lifelong Learning (LLP) and Youth in Action (YiA) programmes.
Externalisation, as a form of management, imposes additional risks in the
set-up of the supervisory system in a DG for the achievement of its policy
objectives. The audit's main objective was to
assess whether DG EAC has set up an effective performance measurement system to
monitor, report and evaluate the performance of NAs. The audit showed that, although a
number of actions are currently ongoing in defining a performance measurement
system in DG EAC for the period 2014-2020, DG EAC should strengthen its
effectiveness, notably with regard to indicators which explicitly measure the
efficient and cost-effective use of the operating grant provided to NAs. In
addition, a clear link between the objectives of NAs and those of the
Commission should be established. DG EAC established an
action plan which the IAS considered adequate to address the issues identified. For more details,
see section 7.1 of the annex.
4.7. Economic and financial affairs
(COMP, ECFIN, ENTR, MARKT, OLAF, TAXUD, TRADE)
4.7.1. Performance Audit of GMES/Copernicus Programme (DG ENTR)
The objective of the audit of the Global Monitoring
for Environment and Security (GMES) was to assess the effectiveness of the
governance arrangements, risk management and internal control systems to
support the management of GMES. The audit took place in the transition period
between the GMES Initial Operations (GIO), implemented in 2011-2013, and the
operational phase of the programme, renamed Copernicus, which will increase the
total contribution from the EU budget by more than 3 times. The IAS recommends improving the governance framework
for the Space component, enhancing monitoring systems and arrangements, and
carrying out thorough analyses in order to effectively support the transition
to the Copernicus operational phase. DG ENTR established an
action plan which the IAS considered adequate to address the issues identified. For more details,
see section 8.1 of the annex.
4.8. General services and HR
(HR, BUDG, DGT, DIGIT, EPSO, ESTAT, SJ, OIB, OIL, OP, PMO, SCIC, SG)
4.8.1. DG ESTAT's preparedness to fulfil its role in the Economic Governance Framework (DG ESTAT) (Performance Audit)
The economic and financial crisis revealed a number of
key structural weaknesses in the economic governance of the EU's economic and
monetary union. As part of the response, DG ESTAT's responsibilities have been
reinforced and extended. Besides ensuring high quality data on government debt
and deficit figures, DG ESTAT has responsibility for establishing the rules and
procedures for investigating the manipulation of statistics. This was the
subject of the audit which looked at the state of preparedness of the DG. The IAS recommended that DG ESTAT take immediate steps
to formalise its operational procedures and technical guidelines while
integrating the legal advice received. DG ESTAT should also evaluate its requirements in
terms of human resources and competence in order to fulfil its new
investigation tasks. Consequently, it should reflect these needs in its Management
Plan. In addition, DG ESTAT should ensure that its risk
model used for planning of its Upstream Dialogue Visits[10] is compliant with a
recognised Quality Management System (QMS). Moreover, it should ensure the
added value by disseminating its conclusions in a timely manner to the Economic and
Financial Committee (EFC). Furthermore, the IAS recommends that DG ESTAT prepare a
clear justification for each ad hoc visit[11] and submit a summary of
its ad hoc visits to key stakeholders. DG ESTAT established an
action plan which the IAS considers adequate to address the identified issues.
In a recent follow-up audit, the IAS noted the progress made. For more details,
see section 9.1 of the annex.
4.9. IT audits
4.9.1. Performance Audit on the management of the security of the EU ETS IT system (EU ETS) (DG CLIMA, DG DIGIT and DG HR Security Directorate)
As the body responsible for managing the
European Emission Trading System (EU ETS) IT system, the Commission needs to
ensure that IT security vulnerabilities of the system are not unlawfully
exploited, which could result in dysfunction and distortion of the carbon
market, with reputational and financial consequences for the institution. The audit's overall objective was
to assess whether the control system in place ensured
that adequate security measures were identified and effectively implemented for
the EU ETS system. The audit covered DG CLIMA, DG DIGIT and the Security Directorate of DG HR in
line with their respective roles and management responsibilities. The IAS audit showed that the
security measures identified by DG CLIMA are reasonable, given the complexity
and the challenges facing the system. However, the resulting security controls
were not implemented to the full extent. This is the result, among other things,
of the challenges faced by the existing governance structure of the ETS project[12] in taking binding
decisions and ensuring that they are implemented, and in settling participants'
conflicting positions and major disagreements, so as to facilitate the cooperation
between key actors and the flow of information needed to take appropriate
decisions on the security measures required for the ETS IT system. All three DGs
established action plans which the IAS considered adequate to address the
issues identified. For more
details, see section 10.3 of the annex.
4.9.2. SYGMA - Phase 1 – Performance audit on development process (DG CNECT, DG RTD)
DG CNECT (as System Owner) and DG RTD (as System Supplier) are the main actors involved in the development of SYGMA, an inter-DG project currently managed within the Research family which aims to provide an IT system supporting the grant management process for FP7/CIP, H2020 and other non-research grants operated by the Research family. SYGMA should become the corporate grant management system at the core of the Grant Management rationalisation exercise[13].
The objective of the audit was to assess the effectiveness and efficiency of the management of SYGMA with a specific focus on IT Project governance, Management and readiness of IT Operations.
Overall, the IT development part of the SYGMA project has so far been adequately managed, without any major deviations from the original plan. However, due to the pending approval of the sectorial legal base and the definition of harmonised business processes, the IT development has not been based on stable Business Processes and business requirements but rather on fair assumptions.
Both DGs established action plans for the accepted recommendations which the IAS considered adequate to address the identified issues. For more details, see section 10.4 of the annex.
5. Consultation with the Commission's Financial Irregularities Panel
No systemic problems were reported in 2013 by
the Financial Irregularities Panel under Article 73(6)[14] of the Financial Regulation applicable to the general budget of the
European Communities.
6. Conclusions
The implementation of action plans drawn up in response to IAS audits this year and in the past contributes to the steady improvement of the Commission’s internal control framework.
The IAS will conduct follow-up audits on the execution of action plans that will be examined by the Audit Progress Committee, which will inform the College as appropriate.
The IAS will continue to focus on financial, compliance and IT audits and will step up its activities in performance auditing.
[1] Audit and consulting reports finalised by 1 February 2014 are included in this report.
[2] The report does not cover the decentralised European Agencies, the European External Action Service, or other bodies audited by the IAS, which receive separate annual reports.
[3] Required by Performance Standard 2060 of the International Standards for the Professional Practice of Internal Auditing (Standards) promulgated by the Institute of Internal Auditors (IIA).
[4] Article 100 of the FR.
[5] The Audit Progress Committee assists the College of Commissioners by ensuring that the work of the IAS, Internal Audit Capabilities (IACs) and of the ECA is properly taken into account by the Commission services and receives appropriate follow-up.
[6] The attached SWD provides an overview of all completed audit and follow-up audit engagements.
[7] IAS - 2006 - DIGIT - 001 Data Center - Operations and Security, IAS - 2007 - DIGIT - 001 Corporate Data network infrastructures & services and IAS.B - 2008 - ADMIN - 004 Audit on Security.
[8] It is expected that the new legislation for the period 2014-2020 and its strengthened control framework will improve the situation in the future.
[9] RACER: Relevant, Accepted, Credible, Easy, Robust (Internal Control Standard N° 5).
[10] Upstream Dialogue Visits are designed to identify risks or potential problems arising from "upstream" data sources in an Excessive Deficit Procedures context.
[11] Ad hoc visits are conducted when a specific important issue raised with a Member State cannot be resolved by any means other than by a physical meeting in situ. Although these visits are not explicitly mentioned in the revised Regulation 479/2009, DG ESTAT considers it has the same rights of access as under the methodological visit.
[12] The governance structure comprises the ETS project steering Committee at Director-General level, its preparatory group at Director level and the Security Working Group (SWG) which represents the technical layer.
[13] The Grant Management Rationalisation exercise was launched in March 2011 following the Communication "Getting the Best from IT in the Commission" from Vice-President Šefčovič. The aim is to achieve an efficient use of the Commission's resources and investments and to ensure that efficient IT tools support the real business needs.
[14] Art. 117, Rules of Application (RAP) stipulates: "That annual report [i.e. 99(3) report] shall also mention any systemic problems detected by the specialised panel set up pursuant to Article 73(6) of the Financial Regulation."