9.12.2015   

EN

Official Journal of the European Union

C 409/275


REPORT

on the annual accounts of the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) for the financial year 2014, together with the Agency’s reply

(2015/C 409/31)

INTRODUCTION

1.

The European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA), hereinafter ‘the Agency’, which is located in Tallinn, Strasbourg and St. Johann im Pongau, was established by Regulation (EU) No 1077/2011 of the European Parliament and of the Council (1). The core mission of this Agency is to fulfil the operational management tasks for the Second Generation Schengen Information System (SIS II), the Visa Information System (VIS) and Eurodac (2).

INFORMATION IN SUPPORT OF THE STATEMENT OF ASSURANCE

2.

The audit approach taken by the Court comprises analytical audit procedures, direct testing of transactions and an assessment of key controls of the Agency’s supervisory and control systems. This is supplemented by evidence provided by the work of other auditors and an analysis of management representations.

STATEMENT OF ASSURANCE

3.

Pursuant to the provisions of Article 287 of the Treaty on the Functioning of the European Union (TFEU), the Court has audited:

(a)

the annual accounts of the Agency, which comprise the financial statements (3) and the reports on the implementation of the budget (4) for the financial year ended 31 December 2014; and

(b)

the legality and regularity of the transactions underlying those accounts.

The management’s responsibility

4.

The management is responsible for the preparation and fair presentation of the annual accounts of the Agency and the legality and regularity of the underlying transactions (5).

(a)

The management’s responsibilities in respect of the Agency's annual accounts include designing, implementing and maintaining an internal control system relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; selecting and applying appropriate accounting policies on the basis of the accounting rules adopted by the Commission’s accounting officer (6); making accounting estimates that are reasonable in the circumstances. The Executive Director approves the annual accounts of the Agency after its accounting officer has prepared them on the basis of all available information and established a note to accompany the accounts in which he declares, inter alia, that he has reasonable assurance that they present a true and fair view of the financial position of the Agency in all material respects.

(b)

The management’s responsibilities in respect of the legality and regularity of the underlying transactions and compliance with the principle of sound financial management consist of designing, implementing and maintaining an effective and efficient internal control system comprising adequate supervision and appropriate measures to prevent irregularities and fraud and, if necessary, legal proceedings to recover funds wrongly paid or used.

The auditor’s responsibility

5.

The Court’s responsibility is, on the basis of its audit, to provide the European Parliament and the Council (7) with a statement of assurance as to the reliability of the annual accounts and the legality and regularity of the underlying transactions. The Court conducts its audit in accordance with the IFAC International Standards on Auditing and Codes of Ethics and the INTOSAI International Standards of Supreme Audit Institutions. These standards require the Court to plan and perform the audit to obtain reasonable assurance as to whether the annual accounts of the Agency are free from material misstatement and the transactions underlying them are legal and regular.

6.

The audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the accounts and the legality and regularity of the underlying transactions. The procedures selected depend on the auditor’s judgement, which is based on an assessment of the risks of material misstatement of the accounts and material non-compliance by the underlying transactions with the requirements in the legal framework of the European Union, whether due to fraud or error. In assessing these risks, the auditor considers any internal controls relevant to the preparation and fair presentation of the accounts, as well as the supervisory and control systems that are implemented to ensure the legality and regularity of underlying transactions, and designs audit procedures that are appropriate in the circumstances. The audit also entails evaluating the appropriateness of accounting policies, the reasonableness of accounting estimates and the overall presentation of the accounts. In preparing this report and statement of assurance, the Court considered the audit work of the independent external auditor performed on the Agency’s accounts as stipulated in Article 208(4) of the EU Financial Regulation (8).

7.

The Court considers that the audit evidence obtained is sufficient and appropriate to provide a basis for its statement of assurance.

Opinion on the reliability of the accounts

8.

In the Court’s opinion, the annual accounts of the Agency present fairly, in all material respects, its financial position as at 31 December 2014 and the results of its operations and its cash flows for the year then ended, in accordance with the provisions of its Financial Regulation and the accounting rules adopted by the Commission’s accounting officer.

Opinion on the legality and regularity of the transactions underlying the accounts

9.

In the Court’s opinion, the transactions underlying the annual accounts for the year ended 31 December 2014 are legal and regular in all material respects.

Emphasis of matter in relation to the reliability of the accounts

10.

Without calling into question the opinion expressed in paragraph 8, the Court draws attention to the valuation of the Schengen Information System (SIS II), the Visa Information System (VIS) and Eurodac (systems) in the Agency’s accounts. The operational management of these systems is the Agency’s core task. In the absence of reliable and complete information in respect of their total development cost, they are recorded in the Agency’s accounts at their net book values as per the Commission’s books and updated at year end (approximately 6,6 million euro at date of transfer and 2,1 million euro at 31 December 2014). These values relate mainly to hardware and off-the-shelf software components and do not include software development costs (see note 6.3.1 to the annual accounts of the Agency).

11.

The comments which follow do not call the Court’s opinion on the reliability of the accounts and its opinion on the legality and regularity of the transactions underlying the accounts into question.

COMMENTS ON BUDGETARY MANAGEMENT

12.

Out of the 6,6 million euro committed appropriations for titles I (staff expenditure) and II (administrative expenditure) which were carried over from 2013 to 2014, 1,7 million euro (26 %) were cancelled in 2014, showing that budgetary needs were overestimated at the end of 2013.

13.

Committed appropriations carried over to 2015 were very high for title II (administrative expenditure) at 15 million euro, i.e. 87 % (2013: 6 million euro or 79 %). These carry-overs mainly resulted from delayed procurements for the extension and refurbishment of the Agency’s site in Strasbourg. Carry-overs of committed appropriations were also high for title III (operational expenditure) at 24,5 million euro (85 %) (2013: no comparative figures available), mainly in relation to multi-annual contracts for the maintenance of the IT systems. The high levels of cancelled carry-overs from 2013 and the extent of carry-overs made from 2014 to 2015 are at odds with the budgetary principle of annuality. Reliable procedures for budget planning, execution and monitoring need to be put in place.

FOLLOW-UP OF PREVIOUS YEAR’S COMMENTS

14.

An overview of the corrective actions taken in response to the Court's comments from the previous year is provided in Annex I.

This Report was adopted by Chamber IV, headed by Mr Milan Martin CVIKL, Member of the Court of Auditors, in Luxembourg at its meeting of 15 September 2015.

For the Court of Auditors

Vítor Manuel da SILVA CALDEIRA

President


(1)  OJ L 286, 1.11.2011, p. 1.

(2)  Annex II summarises the Agency’s competences and activities. It is presented for information purposes.

(3)  These include the balance sheet and the statement of financial performance, the cash flow table, the statement of changes in net assets and a summary of the significant accounting policies and other explanatory notes.

(4)  These comprise the budgetary outturn account and the annex to the budgetary outturn account.

(5)  Articles 39 and 50 of Commission Delegated Regulation (EU) No 1271/2013 (OJ L 328, 7.12.2013, p. 42).

(6)  The accounting rules adopted by the Commission’s accounting officer are derived from the International Public Sector Accounting Standards (IPSAS) issued by the International Federation of Accountants or, where relevant, the International Accounting Standards (IAS)/International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board.

(7)  Article 107 of Regulation (EU) No 1271/2013.

(8)  Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council (OJ L 298, 26.10.2012, p. 1).


ANNEX I

Follow-up of previous year’s comments

| Year | Court's comment | Status of corrective action (Completed/Ongoing/Outstanding/N/A) |
| --- | --- | --- |
| 2013 | Emphasis of matter in relation to the reliability of the accounts: 11. Without calling into question the opinion expressed in paragraph 9, the Court draws attention to the valuation of the Schengen Information System (SIS II), the Visa Information System (VIS) and Eurodac (systems) in the Agency’s accounts. The operational management of these systems was transferred to the Agency from the Commission in May 2013 by way of a non-exchange transaction and is the core task of the Agency. In the absence of reliable and complete information in respect of their total development cost, they are recorded in the Agency’s accounts at their net book values as per the Commission’s books and updated at year end. These values relate mainly to hardware and off-the-shelf software components and do not include software development costs (see note 6.3.1 to the annual accounts of the Agency). | N/A |
| 2013 | The development of the Agency’s Internal Control Standards was ongoing at the end of the year. They were approved by the Management Board in June 2014. | Completed |
| 2013 | There is no insurance coverage for fixed tangible assets, except for multi-risk fire for the premises in Tallinn. | Ongoing |
| 2013 | According to the Agency’s Founding Regulation, the Commission was responsible for the establishment and initial operation of the Agency until it was granted financial autonomy on 22 May 2013. The migration of data on commitment and payment appropriations from the Commission to the Agency was a complex process and a reconciliation of the figures between the Commission’s and the Agency’s accounting systems was finally completed in June 2014. This affected the Agency’s payment planning and the preparation of its provisional accounts. | N/A |
| 2013 | According to the Agency’s final accounts budget implementation rates were 96 % for commitment appropriations and 67 % for payment appropriations. Due to the fact that part of the Agency’s total annual budget was executed by the Commission and the differences between the Commission’s and the Agency’s budgetary structures, a more detailed analysis per budget title could not be carried out for 2013. | N/A |
| 2013 | According to the Agency’s Founding Regulation, countries associated with the implementation, application and development of the Schengen acquis and Eurodac-related measures must make a contribution to the Agency’s budget. Although Schengen associated countries were using the systems managed by the Agency in 2013 the Commission’s negotiations were still ongoing. | Ongoing |
| 2013 | Though the seat of the Agency is in Tallinn (with 46 occupied posts), operational activities are carried out in Strasbourg (with 79 occupied posts). It is likely that management effectiveness could be increased and administrative costs reduced if all staff were centralised in one location. | N/A (Not under the Agency’s control) |
| 2013 | A headquarters agreement that would clarify the conditions under which the Agency and its staff operate has not yet been signed with the host Member State, Estonia, and negotiations were still ongoing at the time of the audit. | Completed |


ANNEX II

EU Agency for the operational management of large scale IT systems in the area of freedom, security and justice (Tallinn)

Competences and activities

Areas of Union competence deriving from the Treaty

(Article 74, 77(2)(a) and (b), 78(2)(e), 79(2)(c), 82(1)(d), 85(1), 87(2)(a) and Article 88(2) of the Treaty on the Functioning of the European Union)

Contribute to the creation of an area of free circulation of people by increasing cooperation on cross-border issues, such as asylum, immigration, border control, as well as judicial and police cooperation in criminal matters.

Competences of the Agency

(Regulation (EU) No 1077/2011 of the European Parliament and of the Council)

With reference to its establishing Regulation (EU) No 1077/2011 of 25 October 2011, and without prejudice to the respective responsibilities of the Commission and of the Member States under the legislative instruments governing large-scale IT Systems, the Agency objectives are the following:

(a)

effective, secure and continuous operation of large-scale IT systems (at present the second generation Schengen Information System (SIS II), the Visa Information System (VIS) and a large-scale database for the comparison of fingerprints for the effective application of the Dublin Convention (Eurodac));

(b)

the efficient and financially accountable management of large-scale IT systems;

(c)

an adequately high quality of service for users of large-scale IT systems;

(d)

continuity and uninterrupted service;

(e)

a high level of data protection, in accordance with the applicable rules, including specific provisions for each large-scale IT system;

(f)

an appropriate level of data and physical security, in accordance with the applicable rules, including specific provisions for each large-scale IT system; and

(g)

the use of an adequate project management structure for efficiently developing large-scale IT systems.

Governance

1.

Management Board

The eu-LISA Management Board is composed of one member designated by each Member State, two representatives of the European Commission plus one member from each country associated with the implementation, application and development of the Schengen acquis and Eurodac-related measures. Its function is to ensure that the Agency carries out its tasks, including the appointment and if appropriate the dismissal of the Executive Director.

2.

Executive Director

The eu-LISA Executive Director is appointed by the Management Board on the basis of a list of eligible candidates identified in an open competition organised by the Commission. His/her function is to manage and represent the Agency. For this purpose he/she shall assume full responsibility for the tasks entrusted to the Agency and shall be subject to the procedure for annual discharge by the European Parliament for the implementation of the budget.

3.

Advisory Groups: SIS II Advisory Group, VIS Advisory Group and Eurodac Advisory Group

The Advisory Groups are composed of a representative of each Member State and the Commission plus one member from each country associated with the implementation, application and development of the Schengen acquis and Eurodac-related measures. Their function is to provide the Management Board with expertise relating to large-scale IT systems and, in particular, in the context of the preparation of the annual work program and the annual activity report.

4.

External audit

European Court of Auditors

5.

Internal audit

eu-LISA Internal Audit Capability (IAC)

European Commission’s Internal Audit Service (IAS)

6.

Discharge authority

European Parliament acting on a recommendation by the Council

Resources made available to the Agency in 2014 (2013)

Budget

59,38 (61,35) million euro (commitment appropriations)

64,91 (34,38) million euro (payment appropriations) of which 100 % (100 %) is a European Union subsidy.

Staff as at 31 December 2014

Authorised:

120 (120) temporary staff

8 (6) contract staff

6 (6) seconded national experts

Occupied:

119 (120) temporary staff

5 (5) contract staff

5 (3) seconded national experts

Products and services in 2014 (2013)

Products and services in 2014 included:

Operational management and evolution of SIS II, VIS and Eurodac,

Helpdesk: provide first level support services to users across all systems under the management of eu-LISA,

Monitoring and evolution of appropriate Service Level Agreements for such systems under the management of the Agency,

Provision of coordination, security and supervision of relations between the Member States and the network provider for the communication infrastructure for SIS II, Eurodac and VIS (sTESTA network),

Participation in preparatory processes to design, develop and implement new systems,

Statistics: timely and accurate provision of statistics and information on the performance of the systems as provided for in the relevant legal bases,

Reporting: fulfilment of all reporting obligations laid down in the establishing Regulation and legal bases for the IT systems under the Agency's management,

Monitoring of new technologies and solutions relevant for the operational management and evolution of SIS II, VIS, Eurodac and other large-scale IT systems,

Training: provision of bespoke system training plans for national authorities on IT systems managed by the Agency,

Establishment of an informal network of security experts with the Member States for the exchange of early warnings in cyber areas, best practices and security incident management.

Source: Annex supplied by the Agency.


THE AGENCY’S REPLY

10.

The Agency notes the matter highlighted by the Court. It is anticipated that the net book value of these migrated assets will be less than 200 000 euro at 31 December 2015.

12.

The Agency acknowledges the comment. Upon becoming financially independent in 2013, a number of commitments for administrative expenditure were migrated from DG HOME to the Agency. The business case supporting these commitments did not always prove relevant in the new organisational/logistical set up of the Agency. In addition to that, by the time the decision for carry-forward was made, the Agency had still not attained its full staff complement, so that budget management capacity was limited in some areas.

The Agency has meanwhile significantly improved its capacity to monitor and implement carry-forwards. It is expected that the volume and percentage of cancellations will decrease in 2015 compared to 2014.

13.

The Agency recognises the importance of accurate budget planning and has taken steps to improve its capacity to plan, monitor and implement available appropriations. Closer coordination between the operational and administrative functions, the further design of effective internal controls, as well as the progressive increase in the Agency’s experience and expertise after financial independence in 2013, are all expected to contribute to an improved control of the budget implementation cycle. In addition to that, specific organisational measures, including the formalisation of budget line ownership and responsibility at the level of operational verification, the establishment of a Budget Officer post, regular budget implementation reporting, are being implemented to support improved control over budget control and monitoring.

The Agency closely followed the Financial Regulation as regards carry-forwards, resulting in both automatic and non-automatic carry-overs as allowed by the applicable rules on annuality.

As regards non-automatic carry-overs for the Strasbourg site, these were approved by the Management Board based on a duly justified proposal by the Agency in compliance with applicable rules.

The differentiated nature of appropriations in title III should be highlighted when assessing the volume of commitments carried forward. Already in 2013, upon financial independence, C8 commitments amounting to 40 million euro were migrated from DG HOME to the Agency. At the same time, the 2014, 2015 and — based on preliminary indications — 2016 budgets will foresee an equalisation of commitment and payment appropriations in the Agency’s budget. This poses a challenge to the reduction of the volume of C8 commitments carried forward in title III over the next years.