This document is an excerpt from the EUR-Lex website
Document 52006SC0725
Commission staff working document – Annex to the Communication from the Commission to the Council and the European Parliament - Annual Report to the Discharge Authority on Internal Audits Carried out in 2005 (Article 86.4 of the Financial Regulation) {COM(2006) 279 final}
Commission staff working document – Annex to the Communication from the Commission to the Council and the European Parliament - Annual Report to the Discharge Authority on Internal Audits Carried out in 2005 (Article 86.4 of the Financial Regulation) {COM(2006) 279 final}
Commission staff working document – Annex to the Communication from the Commission to the Council and the European Parliament - Annual Report to the Discharge Authority on Internal Audits Carried out in 2005 (Article 86.4 of the Financial Regulation) {COM(2006) 279 final}
/* SEC/2006/0725 */
52006SC0725
Commission staff working document – Annex to the Communication from the Commission to the Council and the European Parliament - Annual Report to the Discharge Authority on Internal Audits Carried out in 2005 (Article 86.4 of the Financial Regulation) {COM(2006) 279 final} /* SEC/2006/0725 */
[pic] | COMMISSION OF THE EUROPEAN COMMUNITIES | Brussels, 7.6.2006 SEC(2006) 725 COMMISSION STAFF WORKING DOCUMENT Annex to the COMMUNICATION FROM THE COMMISSION TO THE COUNCIL AND THE EUROPEAN PARLIAMENT Annual Report to the Discharge Authority on Internal Audits Carried out in 2005 (Article 86.4 of the Financial Regulation) {COM(2006) 279 final} Overview of Audits carried out by the Internal Audit Service in 2005 TABLE OF CONTENTS Introduction 4 1. Cross-cutting, Administrative and other Support Systems 5 1.1. OIB – Transaction Testing 5 1.2. SG et al. – Monitoring the Implementation of EU Legislation 6 1.3. SG/BUDG – Review of Effectiveness & Efficiency of SPP/ABM cycle 7 1.4. DIGIT et al. – Consolidated Report on Local IT Management Processes 8 1.5. DIGIT et al. – IT Governance - Follow up 11 1.6. BUDG – Follow up 13 1.6.1. Treasury Audit 13 1.6.2. Sincom2 Audit 15 2. Internal Policies 16 2.1. ECFIN – Local IT control 16 2.2. TREN – Local IT control 18 2.3. TREN – Financial Management and Financial Circuits 21 2.4. ESTAT – Financial Management / Follow-up Audit 23 2.5. RTD – Financial Management and Financial Circuits 25 2.6. SANCO – Financial Management and Financial Circuits 27 2.7. MARKT – Financial Management and Financial Circuits 28 2.8. ESTAT – Follow-up Taskforce 30 2.9. INFSO – Follow-up In-depth Audit 30 2.10. PRESS – Follow-up In-depth Audit 32 2.11. EAC – Follow-up In-depth Audit 34 3. Structural Measures and Common Agricultural Policy 35 3.1. FISH - In-depth Audit 35 3.2. EMPL - Structural Funds – European Social Fund (ESF) 38 3.3. FISH - Structural Funds - Financial instrument for Fisheries Guidance (FIFG) 40 3.4. AGRI - Structural Funds- EAGGF-Guidance 42 3.5. AGRI - Follow-up In-depth Audit 44 4. External Policies including Pre-Accession Aid 46 4.1. RELEX - Handling of classified information and communication among the Delegations and DG RELEX 46 4.2. AIDCO - External Aid- Non-Governmental Organisations in AIDCO 48 4.3. ECHO - External Aid- Non-Governmental Organisations in ECHO 50 4.4. ELARG - Follow-up In-depth Audit 52 INTRODUCTION This document contains summary information for audit engagements finalised by the IAS in 2005, including limited reviews. Statistics on implementation reflect the status as of early 2006, except for follow-up audits for which the date is indicated below. The individual engagements are sorted by broad policy area. Service | Engagement | Issued | Cross-cutting, Administrative and other Support Systems | OIB | Transactions | 25 Feb 2005 | BUDG | Follow-up | 25 July 2005 | SG | EU Law Implementation Review | 28 July 2005 | BUDG/SG | ABM/SPP Cycle Review | 24 Oct 2005 | DIGIT, ADMIN, BUDG, SG, TREN, COMP, ECFIN | ITC consolidated | 16 Nov 2005 | DIGIT | Follow-up | 18 Nov 2005 | Internal Policies | ESTAT | Follow-up Taskforce | 15 Mar 2005 | ECFIN | Local IT control (joint IAS/IAC audit) | 29 Apr 2005 | TREN | Local IT control | 17 May 2005 | TREN | Financial Management | 22 July 2005 | ESTAT | Financial Management / Follow-up | 7 Oct 2005 | RTD | Financial Management | 18 Oct 2005 | SANCO | Financial Management | 29 Nov 2005 | INFSO | Follow-up | 20 Dec 2005 | MARKT | Financial Management | 21 Dec 2005 | PRESS | Follow-up | 23 Dec 2005 | EAC | Follow-up | 23 Dec 2005 | Structural Measures and Common Agricultural Policy | AGRI | Follow-up | 7 March 2005 | FISH | In-depth | 30 June 2005 | EMPL | Structural Funds (ex-post controls) | 25 Oct 2005 | FISH | Structural Funds (ex-post controls) | 11 Nov 2005 | AGRI | Structural Funds (ex-post controls) | 7 Dec 2005 | External Policies including Pre-Accession Aid | ELARG | Follow-up | 21 Jan 2005 | RELEX | Information & communication | 4 July 2005 | AIDCO | External aid - NGOs | 8 July 2005 | ECHO | External aid - NGOs | 7 Oct 2005 | CROSS-CUTTING, ADMINISTRATIVE AND OTHER SUPPORT SYSTEMS OIB – Transaction Testing Objectives and Scope En complément de l'exercice de "Risk Assessment" de l'Office d'Infrastructure de Bruxelles (OIB) réalisé dans le cadre de la finalisation de l'action 87 du Livre Blanc sur la Réforme et en accord avec l'APC, différents tests de transactions ont été réalisés. L'objectif de ces tests de transactions limités était d'émettre une opinion quant à l'adéquation et à la qualité du système de contrôle interne lié à la gestion des procédures de marché et à la conformité de ces procédures avec les règles en vigueur, suite à l'introduction du Nouveau Règlement Financier (NRF) et à la création de l'Office, par scission de la DG ADMIN. Acceptance of Recommendations by the Auditee: Transaction testing OIB | IAS-2004-OIB-001-Transcation testing | Accepted | Rejected | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 14 | 2 | 16 | 43,2% | Important | 13 | 2 | 15 | 40,5% | Desirable | 6 | 0 | 6 | 16,2% | Total | 33 | 4 | 37 | 100,0% | % | 89,2% | 10,8% | 100,0% | [pic] Implementation Progress for Recommendations: Implementation of recommendations (Auditee assessment) | 4 rejected recommendations not counted in the implementation statistics | In progress | Completed | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 0 | 14 | 14 | 42,4% | Important | 1 | 12 | 13 | 39,4% | Desirable | 2 | 4 | 6 | 18,2% | Total | 3 | 30 | 33 | 100,0% | % | 9,1% | 90,9% | 100,0% | [pic] SG et al. – Monitoring the Implementation of EU Legislation Objectives and Scope The President delivered a strong message emphasising the crucial importance of ensuring a proper application of EU laws in his "Europe 2010" Communication on the strategic objectives for the 2005-2009 period. Underlining the relevance of monitoring the application of EU law is not something new. Much work has already been carried out including the publication of the White Paper on European Governance in 2001 as well as the successive Commission Communications on "Better Lawmaking" and on "Better monitoring of the application of Community Law" in 2002. In 2004, EU enlargement extended the application of Community law to ten new Member States requiring the implementation of 50 years of pre-accession acquis in nine new languages. Major changes such as enlargement present the Commission with opportunities to make fundamental improvements in key processes such as the monitoring of EU legalisation. Indeed, the SG is currently carrying out a follow-up of the 2002 Communication as part of its continuing function of managing the Commission's monitoring role. The IAS identified, in the context of the 3rd phase of Action 87 - which required the IAS to produce an overall assessment on internal control - the major risks and concerns of several Commission Services. One of the major risks identified was that it is difficult to check that Directives have been correctly transposed and effectively applied in practice. As a result, the IAS included a review of the monitoring of the implementation of EU legislation in its 2005 work programme, to be followed by an audit of 6 pilot DGs in this area in 2006. The audits will focus on DGs' management approach, human resources and efficiency and effectiveness of their monitoring role. It will also enable the IAS to examine in more detail the roles of the Legal Service and the SG in this area. The objectives of this engagement were to review and analyse the existing Commission practices regarding the monitoring of the application of EU legislation with a view to: (a) improve the effectiveness of monitoring the application of EU legislation, (b) properly manage the Commission's risks of "blockage" or overflow caused by a potential increase in the number of complaints, and (c) develop an audit methodology addressing the major risks and key controls identified. The scope of the review includes the roles of the Secretariat-General (Unit SG B01), the Legal Service and primarily six pilot DGs (DG MARKT, DG ENV, DG ENTR, DG TREN, DG TAXUD and DG SANCO) in monitoring the application of EU legislation. These Commission services manage more than two-thirds of infringement cases with SG and the LS having a major coordination role. This review aims at providing independent, objective and professional assessment and views. The IAS recognises that, given the impact of enlargement and other considerations, the key actors in the field of monitoring of EU legislation have an opportunity to make introduce some major improvements. The IAS has therefore submitted "issues for consideration" instead of formal recommendations as an input to the current work of the SG, LS and other Commission services in developing an optimal Commission approach on the monitoring of the application of EU laws. These are to be considered by the appropriate experts within the Commission on their legal and operational feasibility in the context of SG's follow-up of the 2002 Communication on better monitoring of Community law. This process should then lead to a discussion in the College to decide on the political and management priorities in this area. Once the audit of the 6 pilot DGs has been completed, the IAS will issue an overview report including any systemic issues identified, best practices and recommendations. No recommendations were made at this stage. SG/BUDG – Review of Effectiveness & Efficiency of SPP/ABM cycle Contexte Dans le contexte de sa planification stratégique 2005/2006 basée sur une analyse des risques émanant de l'Action 87 du Livre blanc sur la Réforme de la Commission, le Service d'Audit Interne de la Commission a programmé l'audit du cycle SPP/ABM, plus particulièrement sous l'angle de l'efficacité et l'efficience de son fonctionnement. L'audit du cycle SPP /ABM sera réalisé en trois étapes successives. Le présent rapport – qui n’est pas un rapport d’audit per se mais plutôt une revue limitée – conclut la première phase qui a pour objectif une analyse préliminaire de l'efficience et de l'efficacité du cycle SPP / ABM au niveau des services centraux (SG & BUDG) et l'obtention des informations nécessaires à la préparation des audits que l'IAS va réaliser dans un échantillon de DG opérationnelles au début de l’année 2006. Ces audits constitueront la deuxième étape de cette approche. A l'issue de ces audits et sur base de l'ensemble des informations obtenues, l'IAS établira un rapport d'audit "consolidé" présentant les observations, risques et recommandations systémiques globales dépassant le cadre d'une Direction Générale ou d’un service particulier et portant sur l’ensemble du cycle. Objectifs et étendue de la mission L’objectif de cette revue est d’examiner, par sa mise en œuvre au sein du Secrétariat Général et de la DG Budget, l’accomplissement par le cycle SPP/ABM des objectifs principaux initialement assignés. Cet examen portera particulièrement, sous les angles de l’efficacité et de l’efficience, sur les processus et aspects du cycle permettant : - L’identification et la gestion des priorités de la Commission , en ce y compris la manière dont elles se voient reflétées dans la Gestion par Activités; - L’intégration des décisions sur les priorités et sur l’allocation des ressources , en ce y compris vis-à-vis de l’adéquation du niveau des ressources allouées aux activités prioritaires et non prioritaires; - La gestion de la performance , en ce y compris les véhicules d’examen et de prise en compte des résultats. Le champ de cette revue porte sur le déroulement du cycle SPP/ABM au niveau des deux DG coordinatrices SG et BUDG, en partant du débat d’orientation et de la stratégie politique annuelle (APS) jusqu’à la production du programme de travail de la Commission (WP). Etaient exclus du champ l’établissement des plans de gestion (AMP) et rapports d’activités annuels (AAR) au niveau des directions générales ainsi que la mise en œuvre de la fonction d’évaluation, la préparation de l’avant-projet de budget (APB), ainsi que la procédure budgétaire. Cependant, il faut noter que le rôle de l’AMP et de l’AAR, ainsi que la prise en compte des résultats d’évaluations par les autres processus, ont bien été examinés au sein du cycle. No recommendations were made at this stage. Consolidated Report on Local IT Management Processes Les objectifs de cette Mission d'Audit Interne peuvent être définis comme suit : a. Donner à la Commission une assurance raisonnable quant à la maîtrise des risques liés à la gestion par les unités informatiques décentralisées et les Directions Générales respectives des macro-processus suivants : Planification et organisation, Gestion de projet, Gestion de la sécurité informatique. b. Introduire le concept de modèle de maturité (CMM= Capacity Maturity Model) dans l'IT à la Commission, via un exercice d'auto-évaluation des services, reposant sur le standard international CobiT (Control Objectives for Information and related Technology). Grâce à ce modèle, les services informatiques de la Commission seront à même de comparer leurs pratiques de gestion avec les pratiques généralement acceptées (best practices), mais aussi de se situer les uns par rapport aux autres. c. Proposer des recommandations tant locales que structurelles et identifier quelques unes des meilleures pratiques ayant cours à la Commission pour aider chaque service à évoluer positivement. d. Permettre à l'IAS d'acquérir une connaissance approfondie des pratiques de gestion des unités informatiques décentralisées et de dresser une carte des risques liés à la gestion des macro-processus ci-dessus. Le périmètre de l'audit comprend l'organisation et les structures informatiques locales ou décentralisées dans l'ensemble des DG & Services de la Commission pour l'analyse des risques préliminaire, ainsi que les DG TREN, COMP et le SG pour les audits en profondeurs. Les Agences n'y sont par contre pas incluses. Des rapports individuels d'analyse préliminaire des risques IT ont été envoyés et validés à chacune des DG de la Commission et les audits en profondeur on fait l'objet de rapports d'audit séparés. Acceptance of Recommendations by the Auditees: ITC Consolidated | IAS-2004-DIGIT-002-ITC Consolidated | Accepted | Rejected | Total | % | Critical | 3 | 0 | 3 | 12,5% | Very imp | 17 | 0 | 17 | 70,8% | Important | 4 | 0 | 4 | 16,7% | Desirable | 0 | 0 | 0 | 0,0% | Total | 24 | 0 | 24 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: (Auditee assessment) | In progress | Completed | Total | % | Critical | 3 | 0 | 3 | 12,5% | Very imp | 16 | 1 | 17 | 70,8% | Important | 4 | 0 | 4 | 16,7% | Desirable | 0 | 0 | 0 | 0,0% | Total | 23 | 1 | 24 | 100,0% | % | 95,8% | 4,2% | 100,0% | [pic] DIGIT et al. – IT Governance - Follow up Acceptance of Recommendations by the Auditees: IT Governance | IAS-2004-DIGIT-001 DIGIT Follow-up | Accepted | Rejected | Total | % | Critical | 20 | 1 | 21 | 23,3% | Very imp | 44 | 1 | 45 | 50,0% | Important | 15 | 5 | 20 | 22,2% | Desirable | 3 | 1 | 4 | 4,4% | Total | 82 | 8 | 90 | 100,0% | % | 91,1% | 8,9% | 100,0% | [pic] Implementation Progress for Recommendations: (IAS follow-up) | 8 rejected recommendations not counted in the implementation statsistics | Not Started | In progress | Completed | Total | % | Critical | 0 | 9 | 11 | 20 | 24,4% | Very imp | 1 | 27 | 16 | 44 | 53,7% | Important | 0 | 10 | 5 | 15 | 18,3% | Desirable | 0 | 1 | 2 | 3 | 3,7% | Total | 1 | 47 | 34 | 82 | 100,0% | % | 1,2% | 57,3% | 41,5% | 98,8% | [pic] BUDG – Follow up Treasury Audit Acceptance of Recommendations by the Auditees: Treasury | IAS-2002-BUDG-001 | Accepted | Rejected | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 5 | 0 | 5 | 62,5% | Important | 2 | 1 | 3 | 37,5% | Desirable | 0 | 0 | 0 | 0,0% | Total | 7 | 1 | 8 | 100,0% | % | 87,5% | 12,5% | 100,0% | [pic] Implementation Progress for Recommendations: (IAS follow-up) | 1 rejected recommendation not counted in the implementation statistics | Actions reported | Completed | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 0 | 5 | 5 | 71,4% | Important | 0 | 2 | 2 | 28,6% | Desirable | 0 | 0 | 0 | 0,0% | Total | 0 | 7 | 7 | 100,0% | % | 0,0% | 100,0% | 100,0% | [pic] Sincom2 Audit Acceptance of Recommendations by the Auditees: SINCOM2 | IAS-2001-BUDG-001 Audit of SINCOM2 | Accepted | Rejected | Total | % | Critical | 18 | 0 | 18 | 27,3% | Very imp | 32 | 0 | 32 | 48,5% | Important | 12 | 0 | 12 | 18,2% | Desirable | 4 | 0 | 4 | 6,1% | Total | 66 | 0 | 66 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: (IAS follow-up) | In progress | Completed | Total | % | Critical | 0 | 18 | 18 | 27,3% | Very imp | 1 | 31 | 32 | 48,5% | Important | 0 | 12 | 12 | 18,2% | Desirable | 0 | 4 | 4 | 6,1% | Total | 1 | 65 | 66 | 100,0% | % | 1,5% | 98,5% | 100,0% | [pic] INTERNAL POLICIES ECFIN – Local IT control Objectifs et périmètre de l’audit L’objectif principal de cet audit est de revoir les contrôles liés à la stratégie des Technologies de l’Information (TI), à l’organisation et à la gestion des TI et à la gestion de la sécurité des systèmes d’information. Le périmètre de l’audit recouvre les trois macro processus suivants : - Organisation et planification - Gestion de projets - Sécurité des systèmes d’information Les travaux d'audit porteront aussi bien sur les sites de Bruxelles que de Luxembourg de la DG ECFIN. Cet audit a été réalisé en collaboration avec le Service d’Audit Interne (IAS) sur la base d’un Memorandum of Understanding signé en date du 9 novembre 2004. Conformément à ce document, les travaux d’audit sont conduits en commun mais les responsabilités de chacune des deux parties sont clairement assignées. Ainsi, - L’audit interne de la DG ECFIN est responsable des macro processus « Organisation et planification » et « Gestion de projets » ; - Le Service d’Audit Interne est responsable du macro processus « Sécurité des systèmes d’informations ». Plus spécifiquement, l'objectif de cette partie est de s'assurer que le management de la DG ECFIN a identifié les risques liés à la gestion de la sécurité de ses systèmes informations, qu'il a mis en place un système de contrôle efficace et efficient, lui permettant de garantir cette sécurité des informations sensibles quand cela s'avère nécessaire, et de vérifier que ces mesures suivent bien les prescriptions de la Commission en la matière (compliance). L’approche retenue par les deux services est commune et la méthodologie d’audit fournie par l’IAS est principalement basée sur COBIT[1]. Les résultats des travaux d’audit ont conduit à la préparation d’un rapport d’audit unique réalisé par l’IAC de la DG ECFIN qui intègre in extenso les conclusions des travaux d’audit de l’IAS sur le macro processus « Sécurité des systèmes d’information ». Conformément à l’accord rappelé ci-dessus, l’IAS adresse parallèlement les conclusions de ses travaux directement à l’Audit Progress Committee (APC). Acceptance of Recommendations by the Auditees: IT - Local control (ECFIN) joint IAS/IAC report | IAS-2004-ECFIN-002 | (IAS recommendations only) | Accepted | Rejected | Total | % | Critical | 2 | 0 | 2 | 11,1% | Very imp | 13 | 0 | 13 | 72,2% | Important | 3 | 0 | 3 | 16,7% | Desirable | 0 | 0 | 0 | 0,0% | Total | 18 | 0 | 18 | 100,0% | % | 100,0% | 0,0% | 100,0% | (3 very important recommendations partially accepted) | Implementation Progress for Recommendations: Follow-up of this audit is assured by the IAC of EFCIN. The report is, therefore, not included in the IAS follow-up overview report to the APC of March 2006. TREN – Local IT control Objectives and Scope Les objectifs de la Mission d'Audit Interne globale sont définis comme suit : a. Donner à la Commission une assurance raisonnable quant à la maîtrise des risques liés à la gestion par les unités informatiques décentralisées (IRU = Information Resources Units) et les Directions Générales respectives des macro-processus suivants : Planification et organisation, Gestion de projet, Gestion de la sécurité des systèmes d'information. b. Introduire le concept de modèle de maturité (CMM= Capacity Maturity Model) dans l'IT à la Commission, via un exercice d'auto-évaluation des services, reposant sur CobIT. Grâce à ce modèle, les services informatiques de la Commission seront à même de comparer leurs pratiques de gestion avec celles généralement acceptées (best practices), mais aussi de se situer par rapport aux autres services de la Commission. Un des avantages de ce type de modèle est qu'il permet aux services informatiques de se fixer des objectifs précis pour améliorer leurs performances et de faire remonter de l'information au management pour monitorer leur activité, d'une façon homogène et comparable, basée sur un standard reconnu internationalement. c . Proposer des recommandations tant locales que structurelles et dresser un inventaire des meilleures pratiques ayant cours à la Commission pour aider chaque service à évoluer positivement. d . Permettre à l'IAS d'acquérir une connaissance approfondie des pratiques de gestion des unités informatiques décentralisées et de dresser une carte des risques liés à la gestion des macro-processus ci-dessus. Au niveau de cette action particulière, l'objectif était principalement de revoir l'adéquation et la qualité du système de contrôle visant à une bonne maîtrise par la DG TREN des risques liés à la gestion des macro-processus suivants : Planification et organisation, Gestion de projet, Gestion de la sécurité des systèmes d'information. Le périmètre de l'audit comprend, au niveau structurel, l'organisation et les structures informatiques locales ou décentralisées dans l'ensemble des DG/Services de la Commission et pour cette action particulière, la DG TREN dans son ensemble. Les Agences créées par la DG TREN n'y sont pas incluses. Au niveau géographique, le périmètre d'audit comprend la DG TREN, aussi bien à Luxembourg qu'à Bruxelles, avec une concentration particulière sur l'unité A2 et son secteur Informatique. Compte tenu du temps limité qu'il nous a été donné de passer à Luxembourg et compte tenu de la complexité des systèmes rencontrés dans les directions H et I, et enfin compte tenu qu'une évaluation informatique y avait déjà été réalisée en 2003 par ADMIN/DI , nous nous sommes contentés d'une revue limitée des activités du site luxembourgeois. Le rapport porte sur la situation existante fin avril 2004 lorsque les travaux de terrain ont pris fin à la DG TREN. Un certain nombre de projets, d'actions ou décisions sont intervenus dans le domaine sous revue suite à ces travaux, et ne sont donc que partiellement reflétés dans le rapport. En effet, suite aux entretiens que nous avons eu avec le senior management de la DG, celui-ci a agi avec promptitude dans un certain nombre de domaines pour améliorer les contrôles en place et s'assurer que les risques identifiés étaient bien sous contrôle. Par ailleurs, nos efforts d'audit ont principalement été focalisés sur la gestion de la sécurité des systèmes d'information et dans une moindre mesure sur la planification et l'organisation et/ou sur la gestion des projets de développement. En effet, lors de nos travaux une série de mesure de réorganisation était en cours d'implémentation, notamment à Luxembourg. Il était donc difficile d'en évaluer l'impact. Enfin, les aspects de sécurité logique à Luxembourg n'ont pas pu être totalement testés en détail comme ils l'ont été à Bruxelles. En effet, bien que les extractions demandées ne comportaient que des risques limités pour la sécurité des opérations (copie de logs de connections aux systèmes, copie des profils utilisateurs, etc.…) et ne concernaient nullement des données en production, la DG TREN a préféré ne pas nous transmettre les informations demandées pour des raisons de confidentialité Acceptance of Recommendations by the Auditee: IT local control TREN | IAS-2004-TREN-002 | Accepted | Rejected | Total | % | Critical | 2 | 0 | 2 | 4,2% | Very imp | 19 | 0 | 19 | 39,6% | Important | 22 | 2 | 24 | 50,0% | Desirable | 3 | 0 | 3 | 6,3% | Total | 46 | 2 | 48 | 100,0% | % | 95,8% | 4,2% | 100,0% | [pic] Implementation Progress for Recommendations: (Auditee assessment) | 2 rejected recommendations not counted in the implementation statistics | In progress | Completed | Total | % | Critical | 2 | 0 | 2 | 4,3% | Very imp | 16 | 3 | 19 | 41,3% | Important | 19 | 3 | 22 | 47,8% | Desirable | 2 | 1 | 3 | 6,5% | Total | 39 | 7 | 46 | 100,0% | % | 84,8% | 15,2% | 100,0% | [pic] TREN – Financial Management and Financial Circuits Objectives and Scope The objective of the audit – in line with the IAS Strategic Plan – was to focus on the Financial Management and Financial Circuits in DG TREN. In this context, the audit assessed the adequacy of the design and effective application of the internal control system and risk management. In particular this audit assessed whether the internal control system (ICS) provides reasonable assurance regarding: - the compliance (legality and regularity) with the Financial Regulation (FR) and its Implementing Rules (IR), including the effective implementation of the financial circuits; - the safeguarding of assets and information; - the reliability of financial information; - the effectiveness and efficiency of financial management (i.e. "sound financial management" as stated in Article 27 of the FR), including the extent to which internal controls have been effectively implemented to mitigate risks. As a result of the desk review in the preliminary survey the scope of this audit engagement focussed on the following processes regarding the financial management and the implementation of the financial circuits within DG TREN: the financial management roles, the handover and deputising, the subdelegations, the ex-post controls and the design and implementation of the financial circuits in the DG. More specifically, in reviewing these processes, the audit focussed on the overall organisation of the internal controls in the DG and on the regularity of the financial management and the implementation of the financial circuits. Acceptance of Recommendations by the Auditee: Financial Management and Circuits (TREN) | IAS-2005-TREN-001 | Accepted | Rejected | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 0 | 0 | 0 | 0,0% | Important | 15 | 0 | 15 | 78,9% | Desirable | 4 | 0 | 4 | 21,1% | Total | 19 | 0 | 19 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: (Auditee assessment) | In progress | Completed | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 0 | 0 | 0 | 0,0% | Important | 10 | 5 | 15 | 78,9% | Desirable | 3 | 1 | 4 | 21,1% | Total | 13 | 6 | 19 | 100,0% | % | 68,4% | 31,6% | 100,0% | [pic] ESTAT – Financial Management / Follow-up Audit Objectives and Scope The objective of the follow-up is to assess the progress made in implementing the recommendations that resulted from the in-depth audit of ESTAT finalised on 19 March 2004. This follow-up audit does not result in an assessment of the adequacy of controls as a whole but focuses on the specific recommendations in the original audit. These objectives take into account the fact that ESTAT is undergoing fundamental changes, namely with the revision of the financial circuits and the grant management processes. Acceptance of Recommendations by the Auditee: ESTAT Grant management + procurement + FO audit | IAS-2003-ESTAT-001 | Accepted | Rejected | Total | % | Critical | 8 | 0 | 8 | 27,6% | Very imp | 12 | 0 | 12 | 41,4% | Important | 9 | 0 | 9 | 31,0% | Desirable | 0 | 0 | 0 | 0,0% | Total | 29 | 0 | 29 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: (IAS follow-up) | In progress | Completed | Total | % | Critical | 4 | 4 | 8 | 27,6% | Very imp | 4 | 8 | 12 | 41,4% | Important | 4 | 5 | 9 | 31,0% | Desirable | 0 | 0 | 0 | 0,0% | Total | 12 | 17 | 29 | 100,0% | % | 41,4% | 58,6% | 100,0% | [pic] RTD – Financial Management and Financial Circuits Objectives and Scope In accordance with the IAS Audit Plan 2005, the engagement focused on RTD's financial circuits and financial management in order to assess: - If the financial circuits as designed and implemented by DG RTD comply with the Regulations in force (Financial Regulation and its Implementing Rules, Commission wide and internal DG RTD), are proportional to activities and related risks and are being effectively and efficiently implemented - If financial management arrangements, including the decisions taken and the activities carried out in order to implement those decisions respect the principles of legality and sound financial management. The audit scope covered the following areas: - The Financial Circuits for transactions belonging to the core business of the DG , in particular the commitments and payments related to the 6th Framework Programme - The management and monitoring of the financial roles, the sub-delegation procedures, the deputising rules, and the management and monitoring of IT accesses - The management of the Reste à Liquider (RAL) arrangements and of the Recovery Orders (ROs). Two other areas were initially identified, namely the grant management process and the ex-post controls, but were excluded from the audit scope as these have either been already covered or are planned to be covered by the DG's Internal Audit Capability. The IAS received one of these reports (Management of FP6 Research Contract) on 24 June 2005. Acceptance of Recommendations by the Auditee: Audit Financial Management and Financial Circuits (RTD) | IAS-2005-RDT-001 | Accepted | Rejected | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 3 | 0 | 3 | 25,0% | Important | 7 | 0 | 7 | 58,3% | Desirable | 2 | 0 | 2 | 16,7% | Total | 12 | 0 | 12 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: (Auditee assessment) | In progress | Completed | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 2 | 1 | 3 | 25,0% | Important | 5 | 2 | 7 | 58,3% | Desirable | 2 | 0 | 2 | 16,7% | Total | 9 | 3 | 12 | 100,0% | % | 75,0% | 25,0% | 100,0% | [pic] SANCO – Financial Management and Financial Circuits The audit was not continued after the preliminary phase, partly in order to avoid overlaps with ongoing audit activities, partly because no significant issues for audit were identified for the remaining areas. A management letter informed the DG that no further IAS work would be conducted in the area of regularity of Financial Management and implementation of Financial Circuits and that no audit report would be issued. MARKT – Financial Management and Financial Circuits Objectives and Scope The IAS' audit plan for 2005 included an audit of the Financial Management and Financial Circuits of DG MARKT. The objective of the audit was to assess the adequacy and effective application of the internal control system and risk management with respect to the "Regularity of Financial Management and the Implementation of Financial Circuits". In particular, it has been assessed whether the internal control system provides for reasonable assurance in relation to; - the compliance (legality and regularity) with the Financial Regulation (FR) and its Implementing Rules (IR), including the effective implementation of the financial circuits; - the safeguarding of assets; - the reliability of financial information; - the efficiency and effectiveness of financial processes ("sound financial management", Art. 27 of the FR). DG MARKT's Internal Audit Capability (IAC) had already undertaken an examination of its financial circuits in 2004-5, on the basis of which the DG decided to revise its circuits by 20 July 2005. Initially it was planned to review the audit work done by the IAC in this area in order to determine the degree of reliance that could be placed on it and to help identify the scope and depth coverage of the IAS examination. However, this review identified weaknesses with regard to the audit trail supporting the work done and conclusions reached by the IAC. This meant that no such reliance could be placed on its work. Consequently, it was decided that as part of this audit the IAS would make a full evaluation of the financial circuits, taking into account, however, the observations and recommendations made by the IAC in its report. The scope of the audit focused on the design and the implementation of the financial circuits (i.e. commitments, payments and recovery orders for the year 2004). Grant and contract management procedures were excluded from the scope. Commitment appropriations made through the financial circuits examined in respect of administrative expenditure, grants and contracts amounted to € 15.7 Mio. The transactions related to the cross-delegations given (i.e. PMO, DG ENTR, DG COMP and DG SANCO) were not covered by the audit. The findings and recommendations took into consideration the revised financial circuit manual of procedures, but no examination was made of the revised circuits in practice (no tests of transactions were made) as they only entered into force as of 20 July 2005. The IAS also would like to recognise the efforts made by DG MARKT to correct the weaknesses reported as a result of its examination and to prepare an action plan. Acceptance of Recommendations by the Auditee: Financial Management and Circuits (MARKT) | IAS-2005-MARKT-001 | Accepted | Rejected | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 6 | 0 | 6 | 31,6% | Important | 13 | 0 | 13 | 68,4% | Desirable | 0 | 0 | 0 | 0,0% | Total | 19 | 0 | 19 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: (Auditee assessment) | In progress | Completed | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 6 | 0 | 6 | 31,6% | Important | 10 | 3 | 13 | 68,4% | Desirable | 0 | 0 | 0 | 0,0% | Total | 16 | 3 | 19 | 100,0% | % | 84,2% | 15,8% | 100,0% | [pic] ESTAT – Follow-up Taskforce Limited follow-up exercise of some specific aspects of the initial ESTAT examination (non sub-delegated contracts). INFSO – Follow-up In-depth Audit Acceptance of Recommendations by the Auditee: INFSO | IAS-2004-INFSO-001 | Accepted | Rejected | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 14 | 0 | 14 | 42,4% | Important | 19 | 0 | 19 | 57,6% | Desirable | 0 | 0 | 0 | 0,0% | Total | 33 | 0 | 33 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: Follow-up audit postponed after preliminary phase. Implementation of recommendations as reported by DG INFSO | In progress | Completed | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 7 | 7 | 14 | 42,4% | Important | 6 | 13 | 19 | 57,6% | Desirable | 0 | 0 | 0 | 0,0% | Total | 13 | 20 | 33 | 100,0% | % | 39,4% | 60,6% | 100,0% | [pic] PRESS – Follow-up In-depth Audit Acceptance of Recommendations by the Auditees: PRESS | IAS-2003-PRESS-002 In Depth Audit of DG PRESS | Accepted | Rejected | Total | % | Critical | 4 | 0 | 4 | 9,1% | Very imp | 9 | 0 | 9 | 20,5% | Important | 20 | 0 | 20 | 45,5% | Desirable | 11 | 0 | 11 | 25,0% | Total | 44 | 0 | 44 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: (IAS follow-up) | In progress | Completed | Total | % | Critical | 3 | 1 | 4 | 9,1% | Very imp | 4 | 5 | 9 | 20,5% | Important | 7 | 13 | 20 | 45,5% | Desirable | 4 | 7 | 11 | 25,0% | Total | 18 | 26 | 44 | 100,0% | % | 40,9% | 59,1% | 100,0% | [pic] EAC – Follow-up In-depth Audit Acceptance of Recommendations by the Auditees: EAC | Total (3 recommendations transferred to INFSO) | IAS-2004-EAC-001 In Depth Audit of DG EAC | Accepted | Rejected | Total | % | Critical | 7 | 0 | 7 | 16,3% | Very imp | 19 | 0 | 19 | 44,2% | Important | 15 | 0 | 15 | 34,9% | Desirable | 2 | 0 | 2 | 4,7% | Total | 43 | 0 | 43 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: (IAS follow-up) | In progress | Completed | Total | % | Critical | 5 | 2 | 7 | 16,3% | Very imp | 9 | 10 | 19 | 44,2% | Important | 9 | 6 | 15 | 34,9% | Desirable | 1 | 1 | 2 | 4,7% | Total | 24 | 19 | 43 | 100,0% | % | 55,8% | 44,2% | 100,0% | [pic] STRUCTURAL MEASURES AND COMMON AGRICULTURAL POLICY FISH - In-depth Audit Introduction The in-depth audit of DG FISHERIES is part of the IAS 2004 work programme and follows the desk review conducted earlier as a part of the implementation of Action 87 of the Commission’s White Paper on reforming the Commission. Following its latest reorganisation (October 2004), DG FISHERIES is now composed of five Directorates: Conservation policy; External policy and markets; Structural policy; Regulation and monitoring and Dialogue and resources. There are 309 members of staff (277 officials and 32 others) and the annual budget is approximately EUR 988 million, representing less than 1% of the general budget of the EU. "The mission of the Directorate-General for Fisheries is to manage the Common Fisheries Policy (CFP) in order to provide the basis for sustainable fisheries within and beyond Community waters, taking into account environmental, economic and social aspects and applying good governance principles." The Common Fisheries Policy (CFP) was established in 1983 as a framework for managing the fisheries industry. It consists of a set of rules on conservation, access to resources, fleet policy, market organisation and international fisheries agreements. Objectives and Scope The overall objective of the in-depth audit is to gain an overview of the risk and control profile of DG FISHERIES and more specifically to assess the adequacy of internal control in the selected areas for the audit mentioned hereunder. The scope of the in-depth audit will focus on: - as a first priority: "legality and regularity" (compliance), especially as regards financial audit; - as a second priority: "reliability of information"; - as a third priority: "sound financial management" (economy, efficiency and effectiveness). A preliminary risk analysis was carried out in July 2004 in the form of a desk review (the first phase of the in-depth audit), taking into account the IAC's risk assessment work and audits, the ECA's work and DG FISHERIES management self assessment. The desk review was finalised in September 2004. On the basis of this report and the discussions held with DG FISHERIES management, the following areas have been assessed as high risks and have consequently been selected for the in-depth audit (the second phase): - international fisheries agreements; - fisheries Inspections; - financial circuits; - assessment of Member States' management and control system within the framework of the Financial Instrument for Fisheries Guidance (FIFG); - general overview of the Internal Control Processes and the implementation of the Internal Control Standards. In addition to the above selected areas for the in-depth audit IAS decided to carry out a quality review of the internal audit capability (IAC), because the IAC has an important role in the process of risk management and controls. A separate report has been issued for that purpose. The scope of the audit on the Structural Fund (FIFG) has been limited by the IAS to the area of the assessment process of the management and control system in the Member States. However, the IAS will perform a specific audit on the whole family of Structural Funds in 2005. Acceptance of Recommendations by the Auditee: FISH Phase II | IAS-2004-FISH-001-In Depth Audit DG FISH | Includes 10 recommendations from the IAC quality review | Accepted | Rejected | Total | % | Critical | 1 | 0 | 1 | 2,7% | Very imp | 12 | 0 | 12 | 32,4% | Important | 23 | 0 | 23 | 62,2% | Desirable | 1 | 0 | 1 | 2,7% | Total | 37 | 0 | 37 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: (Auditee assessment) | In progress | Completed | Total | % | Critical | 1 | 0 | 1 | 2,7% | Very imp | 11 | 1 | 12 | 32,4% | Important | 13 | 10 | 23 | 62,2% | Desirable | 0 | 1 | 1 | 2,7% | Total | 25 | 12 | 37 | 100,0% | % | 67,6% | 32,4% | 100,0% | [pic] EMPL - Structural Funds – European Social Fund (ESF) Objectives and Scope In accordance with its Audit Plan 2005, the IAS will assess the suitability and the effectiveness of the internal management systems and the performance of the Commission departments (i.e. the four Structural Funds DGs) in charge of the Implementation of Article 38 of the Council Regulation (EC) No 1260/1999 laying down the general provisions on the Structural Funds in order: - to determine whether the Commission has put in place a control system in order to satisfy itself that the management and control systems presented by the MS meet the standards required, specifically Article 38 and its Implementing Rules as specified in Commission Regulation (EC) No 438/2001, - to assess the design, implementation, monitoring and effectiveness of the controls put in place at the DG level, including an assessment of the effectiveness of the cooperation with the MS, - to evaluate the overall efficiency and effectiveness of the ex-post controls carried out by the SF DGs, - to contribute to the Commission policy leading up to a positive Déclaration d'Assurance (DAS). - and to identify best practices in the four SF DG . This specific engagement focuses on the operations co-financed by the ESF for the programming period 2000-2006 and the results and conclusions will serve, together with the reports prepared for the 3 other SF DGs, as a basis for the consolidated report on the implementation of article 38 of the Council Regulation (EC) No 1260/1999 by the Structural Funds. This report will highlight the best practices identified across the SF DGs. Acceptance of Recommendations by the Auditee: EMPL Structural Funds (ex-post and compliance) | IAS -2005-EMPL-001 | Accepted | Rejected | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 5 | 0 | 5 | 50,0% | Important | 5 | 0 | 5 | 50,0% | Desirable | 0 | 0 | 0 | 0,0% | Total | 10 | 0 | 10 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: (Auditee assessment) | In progress | Completed | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 0 | 5 | 5 | 50,0% | Important | 0 | 5 | 5 | 50,0% | Desirable | 0 | 0 | 0 | 0,0% | Total | 0 | 10 | 10 | 100,0% | % | 0,0% | 100,0% | 100,0% | [pic] FISH - Structural Funds - Financial instrument for Fisheries Guidance (FIFG) Legal framework According to the Financial Regulation (Article 53(5) and its Implementing Rules (Article 35), as well as the Council Regulation (EC) No 1260/99 Article 38(1) and its implementation measures as stated in the Commission Regulations (EC) No 438/2001 and (EC) No 448/2001 the Member States are principally responsible for setting up management control arrangements and systems for assistance granted under the Structural funds . Objectives and scope The IAS' audit plan 2005 included an audit of all Structural funds (ERDF, ESF, EAGGF Guidance section and FIFG) the common objectives of which are: - To determine whether the Commission has put in place its own control arrangements and systems in order to satisfy itself that the management and control systems presented by the Member State meet the standards required by the Council Regulation (EC) No 1260/1999, specifically Articles 38 and 39 and the implementing rules as specified in Commission Regulation (EC) No 438/2001 (Article 6); - To assess the design, monitoring and effectiveness of the controls put in place at the DG level including an assessment of the effectiveness of the cooperation with the Member States [Article 38(2) and (3) of Regulation (EC) No 1260/99] and of the establishment of the protocols [Articles 5 and 6 of Regulation (EC) No 438/2001]; - To evaluate the overall efficiency and effectiveness of the ex-post controls carried out by the Structural Funds DGs (including the role played by the lead DG within the objectives and scope of this audit); - To contribute to the Commission policy leading up to a positive Déclaration d'Assurance (DAS); - To identify best practices in the four Structural Funds DGs. The audit mainly focused on the Financial Instrument for Fisheries Guidance (FIFG) for the programming period 2000-2006 and on Article 38(2) of the Council Regulation (EC) No 1260/1999 and its implementing rules Commission Regulation (EC) No 438/2001 (Management and Control Systems for assistance funded under the Structural Funds). Neither the financial circuits were examined nor the financial corrections of the past programming period. It should be noted that IAS took into account the findings and the recommendations of the previous in-depth audit report on DG FISHERIES (IAS-2004-FISH-001) which was conducted in 2004 as part of the completion of Action 87 of the White Paper. Acceptance of Recommendations by the Auditee: FISH Structural Funds | IAS-2005-FISH-001 | Accepted | Rejected | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 4 | 0 | 4 | 80,0% | Important | 1 | 0 | 1 | 20,0% | Desirable | 0 | 0 | 0 | 0,0% | Total | 5 | 0 | 5 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: (Auditee assessment) | In progress | Completed | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 4 | 0 | 4 | 80,0% | Important | 1 | 0 | 1 | 20,0% | Desirable | 0 | 0 | 0 | 0,0% | Total | 5 | 0 | 5 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] AGRI - Structural Funds- EAGGF-Guidance Objectives and Scope The IAS' audit plan 2005 included an audit of all Structural Funds (ERDF, ESF, EAGGF-Guidance section and FIFG). The commonly agreed objectives for the four audits (including Community initiatives as per Article 2 of Council Regulation (EC) No 1260/1999) were: - To determine whether the Commission has put in place a control system in order to satisfy itself that the management and control systems presented by the Member State meet the standards required by Council Regulation (EC) No 1260/1999, specifically Articles 38 and 39 and the Implementing rules as specified in Commission Regulation (EC) No 438/2001; - To assess the design, monitoring and effectiveness of the controls put in place at the DG level, including an assessment of the effectiveness of the cooperation with the Member States [Article 38(2) and (3) of Council Regulation (EC) No 1260/1999] and of the establishment of the protocols [Articles 5 and 6 of Commission Regulation (EC) No 438/2001]; - To evaluate the overall efficiency and effectiveness of the controls carried out by the Structural Funds DGs (including the role played by the Lead DG within the objectives and scope of this audit); - To contribute to the Commission policy leading up to a positive Déclaration d'Assurance (DAS); - To identify best practices in the four SF DGs. In the case of DG AGRI, the audit focused on the Guidance section of the European Agricultural Guidance and Guarantee Fund (EAGGF) for the period 2000-2006. The financial circuits and the financial corrections of the past programming period were not examined. No scope limitations were imposed on the audit . Acceptance of Recommendations by the Auditee: AGRI Structural Funds | IAS-2005-AGRI-001 | Some recommendations have been combined | Accepted | Rejected | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 4 | 0 | 4 | 36,4% | Important | 7 | 0 | 7 | 63,6% | Desirable | 0 | 0 | 0 | 0,0% | Total | 11 | 0 | 11 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: Implementation of recommendations (Auditee assessment) | In progress | Completed | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 4 | 0 | 4 | 36,4% | Important | 7 | 0 | 7 | 63,6% | Desirable | 0 | 0 | 0 | 0,0% | Total | 11 | 0 | 11 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] AGRI - Follow-up In-depth Audit Acceptance of Recommendations by the Auditees: AGRI | IAS-2002-AGRI-001 | Accepted | Rejected | Total | % | Critical | 3 | 0 | 3 | 4,3% | Very imp | 35 | 0 | 35 | 50,0% | Important | 27 | 0 | 27 | 38,6% | Desirable | 4 | 1 | 5 | 7,1% | Total | 69 | 1 | 70 | 100,0% | % | 98,6% | 1,4% | 100,0% | [pic] Implementation Progress for Recommendations: (IAS follow-up) | 1 rejected recommendation not counted in the implementation statsistics | In progress | Completed | Total | % | Critical | 0 | 3 | 3 | 4,3% | Very imp | 0 | 35 | 35 | 50,7% | Important | 0 | 27 | 27 | 39,1% | Desirable | 0 | 4 | 4 | 5,8% | Total | 0 | 69 | 69 | 100,0% | % | 0,0% | 100,0% | 100,0% | [pic] EXTERNAL POLICIES INCLUDING PRE-ACCESSION AID RELEX - Handling of classified information and communication among the Delegations and DG RELEX Objectives and Scope The audit objective is to provide an overall assessment of the effectiveness, efficiency and compliance of the internal control system as regards the Handling of Classified Information (HCI). The scope covers the Commission's Delegations including their relationships with DG RELEX Headquarters and third parties. In addition to RELEX K which was the main auditee at Headquarters, four Delegations (i.e. Sarajevo, Moscow, Washington and New York) were audited. In addition to the operational procedures for HCI, the audit has also addressed key related processes in so far they are a pre-condition and/or support the HCI, i.e. Infrastructure and Equipment (I&E) and Human Resources (HR). The audit focuses on organisational and operational issues and does not cover encryption technical characteristics of the communication systems. DG RELEX's IAC has conducted an audit in parallel addressing the same scope from a Headquarters' perspective, so that the two engagements together provide for a more complete coverage of the topic in DG RELEX. Acceptance of Recommendations by the Auditee: Handling of sensitive information (RELEX) | IAS-2005-RELEX-001 | Accepted | Rejected | Total | % | Critical | 3 | 0 | 3 | 20,0% | Very imp | 6 | 0 | 6 | 40,0% | Important | 6 | 0 | 6 | 40,0% | Desirable | 0 | 0 | 0 | 0,0% | Total | 15 | 0 | 15 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: Implementation of recommendations (Auditee assessment) | In progress | Completed | Total | % | Critical | 3 | 0 | 3 | 20,0% | Very imp | 4 | 2 | 6 | 40,0% | Important | 5 | 1 | 6 | 40,0% | Desirable | 0 | 0 | 0 | 0,0% | Total | 12 | 3 | 15 | 100,0% | % | 80,0% | 20,0% | 100,0% | [pic] AIDCO - External Aid- Non-Governmental Organisations in AIDCO Objectives and Scope The IAS audit of AIDCO in 2003/2004, the reports of both the European Court of Auditors and OLAF, and the 2003 Annual Activity Report of AIDCO all identified the funding of NGOs activities as a major risk area in the external aid environment. The present audit focused on the assessment of the control mechanisms of NGO funding in AIDCO, with an emphasis on compliance, efficiency and effectiveness aspects. In terms of the key processes identified in the management of funds granted to NGOs, this audit focused on the selection of beneficiaries, contract management, audit activities and management reporting and supervision. More specifically, the scope of this audit focused on NGO-funding under certain budget lines: "Co-financing NGOs" and "Health" (AIDCO.04/.05), Tacis (Dir. A) and Asia (Dir. D), as well as under the EDF (Directorate C). The funding of running costs ("core-funding") of NGOs' European Headquarters and the sub-contracting to NGOs by direct beneficiaries were excluded from the scope. Furthermore, the sub-contracting arrangements between the NGOs and third parties were not tested as part of this audit. Field-work was conducted at AIDCO's Headquarters and in the Delegations in Bangladesh and Mozambique. Acceptance of Recommendations by the Auditee: AIDCO | IAS-2004-AIDCO-002 Audit of NGOs in Aidco/Echo | Accepted | Rejected | Total | % | Critical | 1 | 0 | 1 | 5,3% | Very imp | 12 | 0 | 12 | 63,2% | Important | 6 | 0 | 6 | 31,6% | Desirable | 0 | 0 | 0 | 0,0% | Total | 19 | 0 | 19 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: (Auditee assessment) | In progress | Completed | Total | % | Critical | 0 | 1 | 1 | 5,3% | Very imp | 10 | 2 | 12 | 63,2% | Important | 3 | 3 | 6 | 31,6% | Desirable | 0 | 0 | 0 | 0,0% | Total | 13 | 6 | 19 | 100,0% | % | 68,4% | 31,6% | 100,0% | [pic] ECHO - External Aid- Non-Governmental Organisations in ECHO Objectives and Scope ECHO's 2004 Annual Activity Report, and the reports of both the European Court of Auditors and OLAF underlined the funding of NGOs activities in the external aid environment as a potential major risk area. The present audit focused on the assessment of ECHO's control mechanisms on NGOs funding, with an emphasis on compliance, efficiency and effectiveness aspects. In terms of the key processes identified in the management of funds granted to NGOs, this audit focused on selection of NGO-partners for the Framework Partnership Agreement (FPA), awarding of grants to implementing partners, contract management, audit activities and supervision and management reporting on NGOs. The scope of this audit focused on NGO-funding under the FPA and under the budget line for Humanitarian Aid and the EDF. Aspects linked to the involvement of NGOs as implementing partners by other direct ECHO beneficiaries such as UN Agencies were excluded from the scope. Furthermore, the potential implementing arrangements between the NGOs and third parties were not tested as part of this audit. The field-work was conducted at ECHO Headquarters, and it was complemented by visits to the European Headquarters of three NGO-partners. Due to certain investigations currently carried out by OLAF on a group of NGOs involved in ECHO's projects, the IAS decided to exclude the NGOs concerned from the scope of this audit in order not to interfere with OLAF. This audit can be seen as a continuation of the AIDCO audit finalised on 6 July 2005, which also focused on NGOs. Acceptance of Recommendations by the Auditee: Audit on NGOs in ECHO | IAS -2005-ECHO-001 | Accepted | Rejected | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 7 | 0 | 7 | 63,6% | Important | 4 | 0 | 4 | 36,4% | Desirable | 0 | 0 | 0 | 0,0% | Total | 11 | 0 | 11 | 100,0% | % | 100,0% | 0,0% | 100,0% | [pic] Implementation Progress for Recommendations: (Auditee assessment) | In progress | Completed | Total | % | Critical | 0 | 0 | 0 | 0,0% | Very imp | 6 | 1 | 7 | 63,6% | Important | 3 | 1 | 4 | 36,4% | Desirable | 0 | 0 | 0 | 0,0% | Total | 9 | 2 | 11 | 100,0% | % | 81,8% | 18,2% | 100,0% | [pic] ELARG - Follow-up In-depth Audit Acceptance of Recommendations by the Auditee: ELARG | IAS-2003-ELARG-001 In Depth Audit of DG ELARG | Accepted | Rejected | Total | % | Critical | 1 | 0 | 1 | 3,8% | Very imp | 8 | 3 | 11 | 42,3% | Important | 5 | 0 | 5 | 19,2% | Desirable | 7 | 2 | 9 | 34,6% | Total | 21 | 5 | 26 | 100,0% | % | 80,8% | 19,2% | 100,0% | [pic] Implementation Progress for Recommendations: (IAS follow-up) | 5 rejected recommendations not counted in the implementation statistics | In progress | Completed | Total | % | Critical | 1 | 0 | 1 | 4,8% | Very imp | 5 | 3 | 8 | 38,1% | Important | 5 | 0 | 5 | 23,8% | Desirable | 7 | 0 | 7 | 33,3% | Total | 18 | 3 | 21 | 100,0% | % | 85,7% | 14,3% | 100,0% | [pic] [1] Control Objectives for Information and related Technology.