19.12.2007   

EN

Official Journal of the European Union

C 309/1


REPORT

on the annual accounts of the European Network and Information Security Agency for the financial year 2006 together with the Agency's replies

(2007/C 309/01)

CONTENTS

1-2   INTRODUCTION
3-6   STATEMENT OF ASSURANCE
7-9   OBSERVATIONS
Tables 1 to 4
The Agency's replies

INTRODUCTION

1. The European Network and Information Security Agency (hereinafter ‘the Agency’) was created by Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 (1). The Agency's main task is to enhance the capability of the Community to prevent and respond to network and information security problems by building on national and Community efforts.

2. Table 1 summarises the Agency's competences and activities. Key data summarised from the financial statements drawn up by the Agency for the financial year 2006 is presented in Tables 2, 3 and 4 for information purposes.

STATEMENT OF ASSURANCE

3. This Statement is addressed to the European Parliament and the Council in accordance with Article 185(2) of Council Regulation (EC, Euratom) No 1605/2002 of 25 June 2002 (2); it was drawn up following an examination of the Agency's accounts, as required by Article 248 of the Treaty establishing the European Community.

4. The Agency's accounts for the financial year ended 31 December 2006 (3) were drawn up by its Executive Director, pursuant to Article 17 of Regulation (EC) No 460/2004, and sent to the Court, which is required to give a statement of assurance on their reliability and on the legality and regularity of the underlying transactions.

5. The Court conducted its audit in accordance with the IFAC and INTOSAI International Auditing Standards and Codes of Ethics, insofar as these are applicable in the European Community context. The audit was planned and performed to obtain reasonable assurance that the accounts are reliable and that the underlying transactions are legal and regular.

6. The Court has thus obtained a reasonable basis for the Statement set out below:

Reliability of the accounts

The Agency's accounts for the financial year ended 31 December 2006 are, in all material respects, reliable.

Legality and regularity of the underlying transactions

The transactions underlying the Agency's annual accounts, taken as a whole, are legal and regular.

The observations which follow do not call the Court's Statement into question.

OBSERVATIONS

7. The implementation of the Agency's budget for the financial year 2006 shows a utilisation rate of 90 % of commitment appropriations and 76 % of payment appropriations. There was a concentration of transactions in the last quarter of the year. Furthermore, the weaknesses of the procedures for establishing the budget led to a high number of transfers (4). Thus, the budgetary principles of annuality and specification were not strictly observed.

8. The general accounting software used by the Agency makes it possible to amend entries without leaving an audit trail. Furthermore, a system for recording invoices that ensures the accuracy of the financial information in the final accounts has not been established.

9. The internal control procedures required by the Financial Regulation to ensure transparency and sound financial management have not yet all been documented. The Management Board did not formally adopt standards for internal control and the code of professional ethics. Written instructions for archiving supporting documentation of transactions were missing. A financial irregularities panel was not established.

This report was adopted by the Court of Auditors in Luxembourg at its meeting of 27 September 2007.

For the Court of Auditors

Hubert WEBER

President


(1)  OJ L 77, 13.3.2004, p. 1.

(2)  OJ L 248, 16.9.2002, p. 1.

(3)  These accounts were drawn up on 1st July 2007 and received by the Court on 5th July 2007.

(4)  During 2006, more than 45 transfers were made.


 

Table 1

European Network and Information Security Agency (Heraklion)

Areas of Community competence

The representatives of the Member State governments have, by common agreement, adopted a statement on the creation of a European Network and Information Security Agency. The Agency should operate as a point of reference and establish confidence by virtue of its independence, the quality of the advice it delivers and the information it disseminates, the transparency of its procedures and methods of operating, and its diligence in performing the tasks assigned to it.

(Council Decision of 19 February 2004, taken on the basis of Article 251 of the Treaty).

Competences of the Agency (Council Regulation (EC) No 460/2004 of 10 March 2004)

Objectives

1. The Agency enhances the capability of the Community, the Member States and the business community to prevent, address and respond to network and information security problems.

2. The Agency provides assistance and delivers advice to the Commission and the Member States on issues related to network and information security falling within its competencies.

3. The Agency develops a high level of expertise and uses this expertise to stimulate broad cooperation between actors from the public and private sectors.

4. The Agency assists the Commission, when called upon, in developing Community legislation in the field of network and information security.

Tasks

The Agency:

(a) collects information on current and emerging risks that could produce an impact on electronic communications networks;

(b) provides the European Parliament, the Commission and European bodies or competent national bodies with advice and assistance;

(c) enhances cooperation between actors in its field;

(d) facilitates cooperation on common methodologies to address network and information security issues;

(e) contributes to awareness raising on network and information security issues for all users;

(f) assists the Commission and the Member States in relations with industry;

(g) tracks standards;

(h) advises the Commission on research in the area of network and information;

(i) promotes risk assessment activities, on prevention solutions;

(j) contributes to cooperation with third countries.

Governance

1.   Management Board

1. It is composed of one representative of each Member State, three representatives appointed by the Commission, and three representatives, without the right to vote, each of whom represents one of the following groups:

(a) information and communication technologies industry;

(b) consumer groups;

(c) academic experts.

2. Board members may be replaced by alternates.

2.   Executive Director

1. The Agency is managed by its Executive Director, who is independent in the performance of his duties.

2. The Executive Director is appointed for a term of office of up to five years.

3.   External audit

Court of Auditors.

4.   Internal audit

The Commission's Internal Auditor.

5.   Discharge authority

Parliament on a recommendation from the Council.

Resources made available to the Agency

2006 final budget: 6,9 (6,3) million euro (100 % Community subsidy).

Staff figures on 31 December 2006:

- 44 (38) posts according to the establishment plan
- posts occupied: 38 (35)
- 8 (15) other staff
- Total staff: 46 (50)

assigned to the following duties:

- operational: 24 (22)
- administrative: 22 (28)

Products and services supplied

Working groups

Three Working Groups on (a) Risk management/Risk Assessment, (b) CERTS and (c) Regulatory Aspects of Network & Information Security (RANIS).

Publications

- Annual report
- ENISA Quarterly (four issues)
- Who's Who on NIS database
- 1 CD-ROM ‘ENISA inventory of CERT activities in Europe’
- 1 CD-ROM ‘Raising Awareness in Information Security, Insight and Guidance for Member States’
- Six Fact Sheets on ENISA and its activities
- 30 press releases
- The Permanent Stakeholders Group's (PSG) ‘Vision for ENISA’ document
- The Draft ENISA Strategy 2008-2011 processed by the PSG and Management Board
- A Guide on how to set up a CERT
- A report on CERT co-operation
- ‘A Users' Guide: How to Raise Information Security Awareness’
- Package ‘Information Security Awareness Programmes in the EU — Insight and Guidance for Member States’
- Collection of Best Practices — the ‘ENISA Knowledgebase’
- Study on security and anti-spam measures of providers

Cooperation with Member States and other institutions

- 15 joint events with Member States
- eight responses to requests by Member States and Institutions

Source: Information supplied by the Agency.

Source: Data supplied by the Agency — These tables summarise the data provided by the Agency in its annual accounts: these accounts are drawn up on an accrual basis.

Table 2

European Network and Information Security Agency (Heraklion) — Implementation of the budget for the financial year 2006

(1000 euro)

Revenue

| Source of revenue | Revenue entered in the final budget for the financial year | Revenue collected |
|---|---|---|
| Community subsidies | 6 940 | 6 600 |
| Other revenue | 12 | 12 |
| Total | 6 952 | 6 612 |

Expenditure

| Allocation of expenditure | Final budget appropriations: entered | committed | paid | carried over | cancelled | Appropriations carried over from previous financial year(s): entered | committed | paid | cancelled |
|---|---|---|---|---|---|---|---|---|---|
| Title I Staff | 4 249 | 3 989 | 3 728 | 253 | 268 | 257 | 257 | 178 | 79 |
| Title II Administration | 859 | 779 | 653 | 126 | 80 | 1 065 | 1 065 | 863 | 202 |
| Title III Operating activities | 1 844 | 1 542 | 989 | 538 | 317 | 790 | 790 | 271 | 519 |
| Total | 6 952 | 6 310 | 5 370 | 917 | 665 | 2 112 | 2 112 | 1 312 | 800 |

Source: Data supplied by the Agency — These tables summarise the data provided by the Agency in its annual accounts. Revenue collected and payments are estimated on a cash basis.


Table 3

European Network and Information Security Agency (Heraklion) — Economic outturn account for the financial years 2006 and 2005

(1000 euro)

| | 2006 | 2005 |
|---|---|---|
| Operating revenue | | |
| Community subsidies | 5 476 | 4 251 |
| Other revenues | 12 | |
| Total (a) | 5 488 | 4 251 |
| Operating expenditure | | |
| Staff expenditure | 3 100 | 1 040 |
| Fixed asset related expenditure | 103 | 31 |
| Other administrative expenditure | 1 515 | 1 563 |
| Operational expenditure | 1 236 | 518 |
| Total (b) | 5 954 | 3 152 |
| Surplus/(deficit) from operating activities (c = a – b) | – 466 | 1 099 |
| Financial operations revenue (e) | | |
| Financial operations expenditure (f) | –2 | –1 |
| Surplus/(deficit) from non-operating activities (g = e – f) | –2 | –1 |
| Economic result for the year (h = c + g) | – 468 | 1 098 |


Table 4

European Network and Information Security Agency (Heraklion) — Balance sheet at 31 December 2006 and 2005

(1000 euro)

| | 2006 | 2005 |
|---|---|---|
| Non-current assets | | |
| Intangible fixed assets | 33 | 12 |
| Tangible fixed assets | 312 | 332 |
| Current assets | | |
| Short-term receivables | 56 | 13 |
| Cash and cash equivalents | 2 519 | 2 510 |
| Total assets | 2 920 | 2 867 |
| Current liabilities | | |
| Provisions for risks and charges | 66 | 45 |
| Accounts payable | 2 224 | 1 724 |
| Total liabilities | 2 290 | 1 769 |
| Net assets | | |
| Accumulated surplus/deficit | 1 098 | |
| Economic result for the year | – 468 | 1 098 |
| Total net assets | 630 | 1 098 |
| Total liabilities and net assets | 2 920 | 2 867 |


THE AGENCY'S REPLIES

7. Being in its first full year of operation, the Agency intensified its activity in the second half of the year resulting in having many transactions in the last quarter. Also, in 2006, the position of budget officer remained vacant for more than five months which affected the ability of the Agency to optimise planning and minimize the transfers for the year.

8. ENISA has already applied for ABAC, the Commission's accounting software since 2005. Based on the schedule of the Commission the project will be launched early in 2008. The system for recording invoices was revised before the preparation of the final accounts and is being applied since.

9. ENISA will present to its Management Board for adoption standards for internal control as well as a code of ethics. The executive director will put in place the organisational structure and all the procedures and controls necessary to their implementation.