
This document is an excerpt from the EUR-Lex website

Document 52020SC0117

    COMMISSION STAFF WORKING DOCUMENT […] Accompanying the document REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL AND THE COURT OF AUDITORS Annual report to the Discharge Authority on internal audits carried out in 2019

    SWD/2020/117 final

    Brussels, 24.6.2020

    SWD(2020) 117 final

    COMMISSION STAFF WORKING DOCUMENT

    Annual report to the Discharge Authority on internal audits carried out in 2019

    Accompanying the document

    REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL AND THE COURT OF AUDITORS

    Annual report to the Discharge Authority on internal audits carried out in 2019

    {COM(2020) 268 final}


    Table of Contents

    Content of this STAFF WORKING DOCUMENT    

    PART 1: Final reports    

    Horizontal audits    

    1.Audit on evaluations and studies in DGs CLIMA and ENV

    2.Audit on monitoring the implementation and performance of 2014-2020 operational programmes by DGs REGIO, EMPL and MARE

    3.Audit on management of recovery orders for competition fines (including guarantees for competition fines) and for recovery orders in the context of the Commission’s 'corrective capacity' – phase 2 (DGs BUDG and COMP)

    4.Consulting engagement on the governance and supervision of executive agencies addressed to SG and DGs BUDG and HR

    Agriculture, natural resources and health    

    1.Audit on the management of the fruit and vegetables regime in DG AGRI

    2.Audit on international activities in DG ENV

    3.Audit on the efficiency and effectiveness of the Health and Food Audits and Analysis Directorate of DG SANTE

    4.Audit on the management of food and feed programmes, including emergency measures in DG SANTE

    Cohesion    

    1.Audit on management of the employment and social innovation programme, with special emphasis on the PROGRESS axis in DG EMPL

    Research, energy and transport    

    1.Audit on implementation of the better regulation principles in the preparation of digital single market policy proposals in DG CONNECT

    2.Audit on the implementation of DG ENER’s control strategy for delegated bodies implementing the nuclear decommissioning assistance programme

    3.Audit on the governance structure in ERCEA

    4.Audit on site management infrastructure support services in the JRC

    5.Audit on European Union Finance for Innovators (InnovFin) in DG RTD

    6.Consulting engagement on policy feedback from research and innovation projects delegated to executive agencies and joint undertakings in DG RTD

    7.Audit on supervision of autonomous EU entities by DG MOVE

    External actions    

    1.Audit on annual audit and verification plans in DG DEVCO

    2.Audit on the control strategy for humanitarian aid actions in DG ECHO

    3.Audit on common foreign and security policy in FPI

    4.Audit on annual audit plans in DG NEAR

    5.Audit on ex ante control on payments under the European neighbourhood instrument and the European neighbourhood and partnership instrument in DG NEAR

    Education and citizenship    

    1.Audit on DG HOME’s audit activity and clearance of accounts

    2.Audit on impact assessment in DG JUST

    Economic and financial affairs    

    1.Audit on EASME’s project management (project monitoring, payments and amendments) under the programme for the environment and climate action covering the period from 1 January 2014 to 31 December 2020 (the LIFE programme)

    2.Audit on effectiveness and efficiency of DG ECFIN's performance-management system

    3.Audit on monitoring of EU law implementation in DG TAXUD

    4.Audit on human resources management in DG TAXUD

    5.Audit on human resources management in DG TRADE

    General services    

    1.Limited review on the effective implementation of the internal control framework in DG COMM

    2.Limited review on the implementation of the new internal control framework in DGT

    3.Limited review on the implementation of the new internal control framework in EPSO

    4.Limited review on the implementation of the new internal control framework in OIB

    5.Limited review on the implementation of the new internal control framework in OIL

    6.Limited review on the implementation of the new internal control framework in DG SCIC

    7.Audit on DG ESTAT’s quality management of statistical processes

    8.Audit on OLAF’s human resources strategy

    Information-technology audits    

    1.Audit on information-technology project management practices in OLAF

    2.Audit on information-technology project management practices for multi-Directorate-General projects in DG DIGIT

    3.Audit on information-technology governance and project management in OP

    4.Audit on information-technology governance and project management in DG EAC

    PART 2: Follow-up engagements (summarised)

    1.Follow-up audit on DG AGRI’s control strategy for the 2014-2020 common agricultural policy

    2.Follow-up audit in DG AGRI on the process for managing and sharing data on agri-environmental climate issues in DG AGRI, DG CLIMA and DG ENV

    3.Follow-up audit in DG CLIMA on the process for managing and sharing data on agri-environmental climate issues in DG AGRI, DG CLIMA and DG ENV

    4.Follow-up audit in DG ENV on the process for managing and sharing data on agri-environmental climate issues in DG AGRI, DG CLIMA and DG ENV

    5.Follow-up audit on early implementation of the ESIF control strategy 2014-2020 in DG MARE (based on two follow-up audits performed in 2019)

    6.Follow-up audit on early implementation of the ESIF control strategy 2014-2020 in DG EMPL (based on two follow-up audits performed in 2019)

    7.Follow-up audit on early implementation of the ESIF control strategy 2014-2020 in DG REGIO (based on two follow-up audits performed in 2019)

    8.Follow-up audit on major projects in DG REGIO

    9.Follow-up audit on the management of recovery orders for competition fines and recovery orders in the context of the Commission’s corrective capacity – Phase 1 in DG CONNECT (based on two follow-up audits performed in 2019)

    10.Follow-up audit on the production process and the quality of statistics not produced by Eurostat in DG ENER (based on two follow-up audits performed in 2019)

    11.Follow-up audit on legacy programmes in DG ENER

    12.Follow-up audit on activities in the JRC to support intellectual-property rights

    13.Follow-up audit on human-resources management in the JRC

    14.Follow-up audit on past audits in DG RTD

    15.Follow-up audit on direct management of grants in DG DEVCO

    16.Follow-up audit on the assurance-building process in DG DEVCO’s Headquarters

    17.Follow-up audit on the management of investment facilities (financial instruments) in DG DEVCO

    18.Follow-up audit on the performance-management system in DG DEVCO

    19.Follow-up audit on the instrument contributing to stability and peace in FPI

    20.Follow-up audit on Erasmus+ and Creative Europe – grant-management phase 2 (from project monitoring to payment) in EACEA

    21.Follow-up audit on monitoring the implementation and performance of 2014-2020 national programmes by DG HOME

    22.Follow-up audit on activities in DG DEFIS to support intellectual-property rights

    23.Follow-up audit on evaluation in DG ECFIN

    24.Follow-up audit on the effectiveness and efficiency of the performance-management system in DG FISMA

    25.Follow-up audit on the production process and the quality of statistics not produced by Eurostat in DG FISMA

    26.Follow-up audit on the production process and the quality of statistics not produced by Eurostat in DG GROW

    27.Follow-up audit on the supervision of outsourced information-technology operations in DG TAXUD

    28.Follow-up audit on past audits in DG TRADE

    29.Follow-up audit on the effectiveness and efficiency of the new early-detection and exclusion system in protecting the EU’s financial interests – DG BUDG

    30.Follow-up audit on the procurement process in DG DIGIT

    31.Follow-up audit on the statistical production process and the quality of statistics not produced by Eurostat in DG ESTAT

    32.Follow-up audit on management of intra-muros contractors in DG HR

    33.Follow-up audit on ethics in OLAF

    34.Follow-up audit on the charge-back process in PMO

    35.Follow-up audit on former Internal Audit Capability (IAC) audits in PMO

    36.Follow-up audit on information-technology governance in DG DEVCO

    37.Follow-up audit on the security of information-technology applications supporting nuclear accountancy and nuclear-inspection processes in DG ENER

    38.Follow-up audit on information-technology governance and portfolio management in DG GROW

    39.Follow-up audit on information-technology security in the information-and-communications-technology (ICT) systems of the JRC

    40.Follow-up audit on supervision of outsourced information-technology operations in DG TAXUD

    List of follow-up audits performed in 2019 for which all recommendations have been closed after the follow-up

    Part 3: summary of long-outstanding recommendations – state of play as at 31 January 2020



    List of abbreviations

    SG: Secretariat-General

    SJ: Legal Service

    DG COMM: Directorate-General for Communication

    DG ECFIN: Directorate-General for Economic and Financial Affairs

    DG GROW: Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs

    DG COMP: Directorate-General for Competition

    DG DEFIS: Directorate-General for Defence Industry and Space

    DG EMPL: Directorate-General for Employment, Social Affairs and Inclusion

    DG AGRI: Directorate-General for Agriculture and Rural Development

    DG ENER: Directorate-General for Energy

    DG MOVE: Directorate-General for Mobility and Transport

    DG CLIMA: Directorate-General for Climate Action

    DG ENV: Directorate-General for Environment

    DG RTD: Directorate-General for Research and Innovation

    JRC: Joint Research Centre

    DG CNECT: Directorate-General for Communications Networks, Content and Technology

    DG MARE: Directorate-General for Maritime Affairs and Fisheries

    DG FISMA: Directorate-General for Financial Stability, Financial Services and Capital Markets Union

    DG REGIO: Directorate-General for Regional and Urban Policy

    DG REFORM/SRSS: Directorate-General for Reform (former SRSS - Structural Reform Support Service)

    DG TAXUD: Directorate-General for Taxation and Customs Union

    DG EAC: Directorate-General for Education, Youth, Sport and Culture

    DG SANTE: Directorate-General for Health and Food Safety

    DG HOME: Directorate-General for Migration and Home Affairs

    DG JUST: Directorate-General for Justice and Consumers

    FPI: Service for Foreign Policy Instruments

    DG TRADE: Directorate-General for Trade

    DG NEAR: Directorate-General for Neighbourhood and Enlargement Negotiations

    DG DEVCO: Directorate-General for International Cooperation and Development

    DG ECHO: Directorate-General for European Civil Protection and Humanitarian Aid Operations

    DG ESTAT: Eurostat

    DG HR: Directorate-General for Human Resources and Security

    DG DIGIT: Directorate-General for Informatics

    DG BUDG: Directorate-General for Budget

    IAS: Internal Audit Service

    OLAF: European Anti-Fraud Office

    DG SCIC: Directorate-General for Interpretation

    DGT: Directorate-General for Translation

    OP: Publications Office of the European Union

    OIB: Office for Infrastructure and Logistics in Brussels

    PMO: Office for the Administration and Payment of Individual Entitlements

    OIL: Office for Infrastructure and Logistics in Luxembourg

    EPSO: European Personnel Selection Office

    EASME: Executive Agency for Small and Medium-sized Enterprises

    EACEA: Education, Audiovisual and Culture Executive Agency

    CHAFEA: Consumers, Health, Agriculture and Food Executive Agency

    INEA: Innovation and Networks Executive Agency

    ERCEA: European Research Council Executive Agency

    REA: Research Executive Agency

    Content of this STAFF WORKING DOCUMENT

    Part 1 of this document contains:

    ·a summary of the internal audit engagements performed as part of the 2019 Internal Audit Service (IAS) audit plan (reports issued between 1 February 2019 and 31 January 2020); and

    ·the principal recommendations (critical and very important) ( 1 ) made.

    The information contained in this document reflects the state of play when the audit engagements were finalised. Each audit followed the applicable standard professional validation and contradictory procedures between auditor and auditee at the time of the finalisation of the engagement. The enclosed summary of each engagement aims to provide an overview of the audits and their main results. Additional, up-to-date information is provided in specific sections by the auditees on measures drawn up and already implemented after the internal audit engagements were finalised.

    Part 2 of this document contains a summary of the results of the Internal Audit Service’s follow-up engagements performed between 1 February 2019 and 31 January 2020 ( 2 ).

    Part 3 provides a summarised overview of the six long-overdue very important recommendations as at 31 January 2020.

    PART 1: Final reports

    Horizontal audits

    1.Audit on evaluations and studies in DGs CLIMA and ENV

    The objective of the audit was to assess whether studies in the Directorate-General for Climate Action (DG CLIMA) and the Directorate-General for Environment (DG ENV) are managed effectively, efficiently and in accordance with the applicable legislation and corporate guidance.

    No reservations were made in the 2018 annual activity reports for the two Directorates-General that relate to the area audited. The fieldwork was finalised on 30 September 2019. All recommendations relate to the situation as of that date.

    The Internal Audit Service recognised the commitment and expertise of key staff in the financial and operational units of both the Directorate-General for Climate Action and the Directorate-General for Environment.

    The Internal Audit Service identified one issue concerning procurement in the Directorate-General for Environment and formulated the following very important recommendation:

    The Directorate-General for Environment should ensure that non-compliance events are properly recorded, in line with the applicable corporate guidance. Written guidance should be applied on a more consistent basis. It should also strengthen its monitoring of the implementation of the external contractors’ work, in particular by performing technical evaluations of all reports/deliverables linked to payments. In addition, it should streamline its document management system and access to procurement files and finally it should improve the supervision and quality review of procurement documents.

    Additional information provided by DGs CLIMA and ENV on the measures drawn up and/or implemented following the Internal Audit Service audit

    The audit of the Directorate-General for Climate Action did not identify any critical or very important issues, but there is room for improvement in the planning and design of evaluations and studies and on some specific procurement procedures. The Directorate-General provided an action plan to mitigate the risks identified.

    In the Directorate-General for Environment, the auditors found a number of individual weaknesses in the internal control system underpinning the procurement process. While some of these shortcomings have been addressed immediately, further measures will be taken to ensure that the recommendations from this audit are fully addressed in 2020.

    To mitigate the risks identified by the Internal Audit Service in this recommendation, the Directorate-General for Environment envisaged the following actions:

    It strengthened monitoring of the implementation of external contractors’ work by performing technical evaluations for all reports/deliverables linked to payment. This was achieved by including additional checks for all payments (interims and final), including intellectual-property-rights checks and monitoring of planned publication of studies, if applicable.

    The public procurement management tool (PPMT) is used by the Directorate-General for Environment for all procedures above EUR 15 000 except specific contracts under the framework contract agreements. The tool: (i) ensures consistent application of all procurement procedures; (ii) streamlines document management; (iii) allows for access arrangements for the Directorate-General’s advisory committee members; and (iv) makes it impossible to omit procedural steps. Guidelines on how to apply PPMT are available on the Directorate-General’s intranet. Revisions of other procurement guidance and associated templates following the Directorate-General for Budget’s instructions are updated on the intranet of the Directorate-General for Environment on a regular basis.

    To improve supervision throughout the internal management plan and quality review of procurement documents, the financial fiche templates have been modified; they will be used for the next management plan (2021). In addition, a studies-tracking system, from management-plan request to publication by the Publications Office of the European Union, has been established and will be introduced in the next management plan.

    The Directorate-General for Environment envisaged the following further actions in the course of the year: (i) reminders about the importance of reporting non-compliance events, through training for financial officers in all units of the Directorate-General; (ii) awareness raising for all Authorising Officers by Sub-delegation in the Directorate-General; (iii) specific internal training on filing of procurement files in the ARES IT tool; and (iv) guidance on intellectual-property rights.

    2.Audit on monitoring the implementation and performance of 2014-2020 operational programmes by DGs REGIO, EMPL and MARE

    The objective of the audit was to assess whether the Directorates-General for Regional and Urban Policy, for Employment, Social Affairs and Inclusion and for Maritime Affairs and Fisheries effectively monitor the implementation and performance of their 2014-2020 operational programmes and whether they were well prepared for the 2019 performance review.

    No reservations were made in the 2018 annual activity report concerning the implementation and performance of the programmes. However, reservations were made by both the Directorate-General for Regional and Urban Policy and the Directorate-General for Employment, Social Affairs and Inclusion for deficiencies in the management and control systems of a number of programmes ( 3 ), which affect the legality and regularity of the payments concerned. The fieldwork was finalised on 30 September 2019. All recommendations relate to the situation as of that date.

    The Directorate-General for Regional and Urban Policy and the Directorate-General for Employment, Social Affairs and Inclusion each adopted a strategy for performance-based culture ( 4 ). These strategies provide a comprehensive overview of the objectives of monitoring activities. The Directorates-General’s strategies are translated into clear procedures, which results in staff focusing on performance of programmes in their monitoring activities. There are detailed operational guidelines in all three Directorates-General and comprehensive manuals on monitoring activities at the Directorates-General for Regional and Urban Policy and for Maritime Affairs and Fisheries.

    Furthermore, the Internal Audit Service found a number of good practices that the Directorates-General apply in their monitoring activities. Some examples of these practices are set out below.

    ·The ‘Stock-taking Group’ and its regular meetings provide an effective platform for coordinating procedures and sharing knowledge among the Directorates-General responsible for the European Structural and Investment Fund.

    ·The management of the Directorate-General for Regional and Urban Policy regularly monitors the implementation of the programmes using a number of internal reporting tools (in particular the implementation reports). This includes close monitoring of programmes ‘in difficulty’, which are identified based on a risk assessment.

    ·The use of information-technology tools (such as monitoring scorecards) to support desk officers’ plausibility and consistency checks of the data reported in the annual implementation reports.

    ·Following its assessment of the audit authorities’ work reported in the 2019 annual control reports, the Directorate-General for Employment, Social Affairs and Inclusion plans to perform additional audit work to close assurance gaps related to performance data reliability.

    The Internal Audit Service identified two issues, one concerning assessing programme performance, identifying and following up on implementation weaknesses and one on performance data reliability, and formulated the following very important recommendations:

    Assessing programme performance, identifying and following up on implementation weaknesses

    The Directorate-General for Regional and Urban Policy, the Directorate-General for Employment, Social Affairs and Inclusion and the Directorate-General for Maritime Affairs and Fisheries should improve the review process of the annual implementation reports by clarifying the scope of the assessment of implementation issues and providing guidance on how to formulate a clear overall assessment on the performance of programmes. Their Article 50(8) letters should communicate clearly on all serious implementation issues identified following their own assessment of operational programme implementation and their expectations about the elements that the managing authorities should include in their replies to facilitate follow-up. Finally, apart from enhanced monitoring by the Directorate-General for Regional and Urban Policy of the implementation of ‘programmes in difficulty’, the Directorates-General should strengthen their follow-up on issues that significantly affect programme implementation. They should therefore critically review the corrective actions communicated by Member States, and follow-up on and keep track of the effective implementation of these corrective actions in a more structured manner through the various monitoring activities.

    Performance data reliability

    The Directorate-General for Regional and Urban Policy and the Directorate-General for Employment, Social Affairs and Inclusion should align their strategies for a performance-based culture to ensure a consistent approach on how to build up assurance on the reliability of performance data. They should conclude on the level of assurance that can be drawn from the work of the audit authorities on performance data reliability during the review of the assurance packages. If the level of assurance is not sufficient, they should apply mitigating measures for closing assurance gaps. Finally, the Directorates-General should give additional clear instructions to the audit authorities on reporting and concluding on their work on performance data in the annual control reports in the years prior to closure and in the annual control report of the last accounting year.

    Additional information provided by DGs REGIO, EMPL and MARE on the measures drawn up and/or implemented following the Internal Audit Service audit

    The Directorate-General for Regional and Urban Policy’s action plan was agreed with the Internal Audit Service and sent in February 2020. The Directorate-General has plans in place to implement three (out of three) recommendations concerning assessment of programme performance, performance data reliability and reporting on implementation. Most of these are expected to be implemented by mid-2020.

    As regards the Directorate-General for Employment, Social Affairs and Inclusion, the action plan was agreed with the Internal Audit Service and sent on 14 February 2020, and the Directorate-General plans to implement all three recommendations in the first half of 2020.

    The Directorate-General for Maritime Affairs and Fisheries is affected by two out of three recommendations relating to assessing programme performance and following up on implementation weaknesses (very important). The Directorate-General has drafted its related consolidated action plan and communicated it to the Internal Audit Service on time; the actions will be implemented jointly with the Directorates-General for Regional and Urban Policy and for Employment, Social Affairs and Inclusion.

    3.Audit on management of recovery orders for competition fines (including guarantees for competition fines) and for recovery orders in the context of the Commission’s 'corrective capacity' – phase 2 (DGs BUDG and COMP)

    The audit was conducted in a phased approach. This involved first assessing the management of the recovery orders at operational level in a number of selected Directorates-General (focus in phase 1) and then doing the same at central level (focus in phase 2).

    The audit’s overall objective (phase 1 and phase 2) was to assess whether the Commission has put in place an effective and efficient control system to manage: (i) recovery orders for competition fines (including guarantees for competition fines), and (ii) recovery orders in the context of the Commission's 'corrective capacity', both at central and operational level.

    Phase 1 of the audit, which was finalised in September 2017, assessed the efficiency and effectiveness of the system put in place to manage recovery orders in a sample of three services: the Directorate-General for Communications Networks, Content and Technology, the Directorate-General for Energy and the Education, Audiovisual and Culture Executive Agency. It also assessed the timeliness and efficiency of the enforced recovery process performed by the Legal Service, as well as the support and guidance offered by that service to Authorising Officers by Delegation. The Internal Audit Service issued a separate audit report to each of the auditees, as well as a management letter to the Directorate-General for Budget.

    The objective of phase 2 of this audit was to assess whether:

    ·at central level, the Directorate-General for Budget has put in place an effective and efficient control system to: (i) manage recovery orders for competition fines (including guarantees for competition fines); and (ii) manage recovery orders in the context of the Commission's 'corrective capacity';

    ·at operational level, the Directorate-General for Competition has put in place efficient and effective control systems to manage recovery orders for competition fines.

    There were no reservations in the 2018 annual activity reports of the Directorate-General for Budget or the Directorate-General for Competition that relate to the area/process audited. The fieldwork was finalised in June 2019. All recommendations relate to the situation as of that date.

    The auditors recognised the Directorate-General for Budget’s ongoing efforts to develop and improve the recovery process. In particular, the auditors identified the following strengths:

    ·the clarity of the roles and responsibilities between the actors involved in the recovery process (i.e. the Directorate-General for Budget, Authorising Officers by Delegation and the Legal Service);

    ·the good quality of the instructions and guidance provided by the Directorate-General for Budget to the Directorates-General and Agencies, enabling them to take informed decisions on recoveries;

    ·the quarterly information provided by the Accounting Officer to the relevant Resources Directors on any outstanding issues observed at Authorising Officers by Delegation level in order to speed up the recovery process and ensure that it is effective;

    ·the new requirement for the Resources Directors to sign a note on the quality of the financial data; this formalises the Authorising Officers’ responsibility to guarantee the reliability of the information (including on recoveries) used to produce the annual accounts of the Commission.

    The Internal Audit Service identified two issues, one on dealing with insolvencies and bankruptcies and one concerning the offsetting process by the Accounting Officer, and formulated the following very important recommendations:

    Dealing with insolvencies and bankruptcies

    The Directorate-General for Budget should instruct the Authorising Officers by Delegation to ensure that the information on insolvent and bankrupt legal entities is reported accurately and in a timely manner in the relevant databases. It should also put in place preventive and detective risk-based controls to review regularly the financial and legal situation of economic operators with pending recovery orders. Finally, the Directorate-General for Budget should invite the Commission’s Corporate Management Board to decide on the set-up of a comprehensive and reliable set of tools at Commission level, enabling the Authorising Officers and ultimately the Accounting Officer to be informed and alerted in a timely manner about the financial and legal situation of contractors and beneficiaries and take remedial action when necessary.

    The offsetting process by the Accounting Officer

    The Directorate-General for Budget should clarify with the Legal Service whether its approach/criteria for not offsetting payments complies with the legal basis and take the necessary actions following the Legal Service’s advice. Furthermore, it should improve the information flows between units, maintain and update the ELC ( 5 ) database in a more efficient way and consider in the long term integrating the ELC database into SUMMA ( 6 ).

    Additional information provided by DG BUDG on the measures drawn up and/or implemented following the Internal Audit Service audit

    The Directorate-General for Budget accepted the recommendations and submitted to the Internal Audit Service an action plan on 10 January 2020.

    According to this action plan the two very important recommendations will be implemented as follows:

    Concerning the recommendation on dealing with insolvencies and bankruptcies, actions will be implemented between Q1 2020 and Q2 2021. As for the recommendation on the offsetting process by the Accounting Officer, the action to ‘Provide the staff member(s) responsible to update the ELC database with access to the Orbis database to obtain reliable information on the legal entities’ structure’ had already been implemented when the action plan was submitted to the Internal Audit Service. The action on the interpretation of Article 102 of the Financial Regulation is under development.

    The rest of the actions will be implemented by end-2020.

    4.Consulting engagement on the governance and supervision of executive agencies addressed to SG and DGs BUDG and HR

    As set out in the terms of reference agreed between the Internal Audit Service and the central services (the Secretariat-General, Directorates-General for Budget and for Human Resources and Security), the objectives of this engagement were to:

    ·define the scope of the supervision;

    ·examine the roles and responsibilities in order to identify possible overlaps;

    ·assess if the existing legal base is fit for purpose;

    ·identify good practices to replicate across the Commission.

    As this was a consulting engagement, no audit recommendations were formulated.

    Agriculture, natural resources and health

    1.Audit on the management of the fruit and vegetables regime in DG AGRI

    The objective of the audit was to assess whether the Directorate-General for Agriculture and Rural Development has put in place adequately designed, efficient and effective internal control processes to manage and supervise the fruit and vegetables regime, thus ensuring that its policy objectives are achieved.

    The 2017 annual activity report included a reservation related to expenditure on market measures for fruit and vegetables operational programmes for producer organisations in Spain and Italy, as well as a general reservation on expenditure on market measures managed by the French paying agency Agrimer ( 7 ). The 2018 annual activity report included a similar reservation for Spain, the United Kingdom, Italy and Portugal, and a general reservation on expenditure managed by the French paying agency Agrimer ( 8 ). The fieldwork was finalised on 24 June 2019. All recommendations relate to the situation as of that date.

    The auditors recognised the in-depth knowledge, expertise and commitment of staff managing the fruit and vegetables regime.

    The Internal Audit Service identified two issues, one concerning the instructions provided to Member States for implementing (and controlling) the fruit and vegetables regime and one on the monitoring and evaluation of the fruit and vegetables regime, and formulated the following very important recommendations:

    Instructions to Member States

    The Directorate-General for Agriculture and Rural Development should analyse the root causes of detected weaknesses and develop appropriate targeted actions with Member States to address these issues.

    Monitoring and evaluation of the fruit and vegetables regime

    The Directorate-General for Agriculture and Rural Development should develop guidance for Member States on the expected content of the quality assessment section of the annual reports. In addition, the roles and duties of each official, as laid out in the job descriptions, should be summarised in a procedure manual or workflow.

    Additional information provided by DG AGRI on the measures drawn up and/or implemented following the Internal Audit Service audit

    The Directorate-General for Agriculture and Rural Development has properly addressed this issue in the corresponding action plan and has been implementing all planned measures according to the agreed timeline.

    In relation to improving guidance to Member States for implementing (and controlling) the fruit and vegetables regime, the Directorate-General for Agriculture and Rural Development has resolved the backlog of legal interpretations. As of 2020, the Directorate-General uploads letters of interest of all Member States to CIRCABC (an IT secure platform for sharing information with Member State administrations) when the letters are sent out. It has also updated the Europa website concerning the current fruit and vegetables regime. As regards the analysis of the root causes of the main weaknesses identified regarding the fruit and vegetables regime emanating from audits, the exercise of clarification to Member States was finalised in April 2020 with a note on ‘technical issues following audit findings’ to the delegates of the fruits and vegetables management committee. The Directorate-General for Agriculture and Rural Development will soon finalise internal working tools and instructions to review the draft amended National Framework for Environmental actions to ensure that the reviews are consistent and complete. As regards monitoring and evaluation of the fruit and vegetables regime, the Directorate-General finalised a guidance note enabling Member States to evaluate in 2020 progress towards the overall objectives of their national strategies. The note was finalised after discussion with the Member States in the September and November 2019 Agricultural Management Committee meetings (i.e. of the Committee for common organisation of agricultural markets). Dashboards on fruit and vegetables are published on the Agri-food data portal. Staff were also briefed on how to make better use of the data and information provided by Member States as part of the monitoring and evaluation of the common agricultural policy.

    2.Audit on international activities in DG ENV

    The objective of the audit was to assess the extent to which the Directorate-General for Environment effectively and efficiently manages its international activities (strategy, internal organisation and operational processes, priority setting and spending).

    There were no reservations in the Directorate-General’s 2018 annual activity report that relate to the area/process audited. The fieldwork was finalised on 19 June 2019. All recommendations relate to the situation as of that date.

    The Internal Audit Service identified one issue concerning coordination with the Directorate-General for International Cooperation and Development as regards voluntary partnership agreements and formulated the following very important recommendation:

    The Directorate-General for Environment should establish in writing the responsibility for various voluntary partnership agreements with the Directorate-General for International Cooperation and Development. It should also prepare and agree with the Directorate-General for International Cooperation and Development working arrangements regarding voluntary partnership agreements, including coordination and reporting mechanisms. These arrangements should be regularly reviewed.

    Additional information provided by DG ENV on the measures drawn up and/or implemented following the Internal Audit Service audit

    To mitigate the risks identified by the Internal Audit Service in this recommendation, the Directorate-General for Environment has envisaged: (i) establishing in writing the responsibility for the various voluntary partnership agreements between itself and the Directorate-General for International Cooperation and Development; and (ii) preparing and agreeing with the Directorate-General for International Cooperation and Development working arrangements for the voluntary partnership agreements, including coordination and reporting mechanisms. These arrangements should be regularly reviewed.

    The implementation of these actions is under way.

    3.Audit on the efficiency and effectiveness of the Health and Food Audits and Analysis Directorate of DG SANTE

    The objective of the audit was to assess whether the Directorate-General for Health and Food Safety has put in place controls and processes that enable its Audits and Analysis Directorate to contribute effectively and efficiently to the correct implementation of EU legislation on food and health.

    There were no reservations in the Directorate-General’s 2018 annual activity report that relate to the area audited. The fieldwork was finalised on 17 September 2019. All recommendations relate to the situation as of that date.

    The auditors recognise the ongoing efforts made by the Audits and Analysis Directorate to implement its audit and analysis work programme, in particular:

    ·the high technical expertise of the auditors of the Audits and Analysis Directorate, as recognised by a large number of colleagues who responded to the IAS online survey ( 9 );

    ·the excellent cooperation with staff of the Directorate-General for Health and Food Safety based in Brussels, with the Directorate-General for Agriculture and Rural Development and with the Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs, as evidenced by the IAS online survey ( 10 ).

    The Internal Audit Service identified two issues, one concerning the staffing of activities and one on time reporting and performance monitoring, and formulated the following very important recommendations:

    Staffing of activities

    The Directorate-General for Health and Food Safety should firstly carry out a comprehensive analysis of the impact of its remote location, but also of the recruitment needs per area on a medium to long-term basis. This should serve as a basis for developing a human-resources strategy, covering in particular recruitment and training. It should also assess the scope for discontinuing part or all policy-based activities of the Audits and Analysis Directorate in order to free up resources for core audit activities. Finally, for audit work performed on behalf of other Directorates-General, the Directorate-General for Health and Food Safety should, in cooperation with those services, re-assess the audit and resource needs in the medium-to-long term on the basis of an assessment of the risks and legal obligations. Where relevant, the Directorate-General for Health and Food Safety should propose amendments to the existing working arrangements.

    Time reporting and performance monitoring

    The Directorate-General for Health and Food Safety should assess the scope for introducing a time recording system in the Audits and Analysis Directorate and take the first steps (e.g. test it in a pilot phase) towards its deployment. It should also systematically collect and analyse performance information relating to the Audits and Analysis Directorate’s activities in order to improve monitoring. Lastly, it should finalise the development of the coverage of its audit universe by establishing risk-based audit frequencies per audit area and re-assess these on a regular basis.

    Additional information provided by DG SANTE on the measures drawn up and/or implemented following the Internal Audit Service audit

    The Directorate-General for Health and Food Safety accepted the recommendations and produced an action plan in November 2019. Most of the actions are ongoing and expected to be fully implemented by June 2020, although some will have to be delayed, as normal audits have not taken place since mid-March 2020 due to the COVID-19 pandemic.

    Concerning the recommendation on the staffing of activities, the Directorate-General for Health and Food Safety has already taken actions and will continue its analysis during the exercise to draft the 2020 management plan. A process has been set up with the Directorate-General for Agriculture and Rural Development to re-assess the audit and resources needed, based on an assessment of risks and legal obligations. Under the new Commission, the policy responsibility for medical devices has been transferred from the Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs to the Directorate-General for Health and Food Safety. Therefore, the assessment of legal obligations and risks will be carried out in-house.

    In cooperation with the Directorate-General for Human Resources and Security, the Directorate-General for Health and Food Safety will assess the impact of the Audits and Analysis Directorate’s location on recruitment and develop a human resources strategy for the medium and long term.


    With regard to the recommendation on time reporting and performance monitoring, the Directorate-General for Health and Food Safety has taken the first steps to introduce a pilot time recording system in early 2020. However, as this coincided with the COVID-19 crisis, the data collected will not be representative; the exercise will have to be relaunched when stability returns. This will feed into a guidance document for the Directorate-General’s management to enhance its performance monitoring of audit work. The documentation of the audit universe and risk-based frequencies is being developed further during the preparations for the 2021 audit work programme.

    4.Audit on the management of food and feed programmes, including emergency measures in DG SANTE

    The objective of the audit was to assess the effectiveness and efficiency of the Directorate-General for Health and Food Safety’s management of food and feed programmes.

    There were no reservations in the 2018 annual activity report that relate to the area/process audited. The fieldwork was finalised on 22 October 2019. All recommendations relate to the situation as of that date.

    The auditors identified the following strengths:

    ·commitment and technical expertise of staff involved in the management of veterinary and plant programmes and emergency measures.

    ·regular comitology meetings with Member States’ representatives within the Standing Committee on Plant, Animal, Food and Feed, with agendas, meeting minutes and presentations publicly available on the Europa.eu website.

    The Internal Audit Service identified one issue concerning the unit costs methodology used by Member States to finance veterinary and plant health programmes and emergency measures and formulated the following very important recommendation:

    The Directorate-General for Health and Food Safety should involve all relevant actors within the Directorate-General and consult, as appropriate, other Commission services and use their expertise on the basis of clearly defined working modalities. It should also inform Member States well in advance of the financial impact of any change in the methodology and of the resulting actual amounts of unit costs, lump sums and/or ceilings.

    Additional information provided by DG SANTE on the measures drawn up and/or implemented following the Internal Audit Service audit

    The Directorate-General for Health and Food Safety accepted the recommendation and produced an action plan in late February 2020. Its actions are already under way. Most importantly, in February 2020, the Directorate-General for Health and Food Safety and the Joint Research Centre signed an administrative arrangement which includes the objective to improve the unit cost methodology and inform Member States well in advance of the financial impact of any change in the methodology. The whole project runs for 3 years until February 2023.

    Work is well advanced and first results are expected in June 2020: a new methodology for reimbursement of activities related to animal health programmes and emergency measures is ready to be tested, as is a proposed methodology for Member States’ sampling activities related to plant health.


    Cohesion

    1.Audit on management of the employment and social innovation programme, with special emphasis on the PROGRESS axis in DG EMPL

    The objective of the audit was to assess: (i) the adequacy of the programming process (for all three axes of the employment and social innovation programme); and (ii) the adequacy of the design and the effectiveness of controls in the Directorate-General for Employment, Social Affairs and Inclusion for the operational management of grants under the PROGRESS axis.

    There were no reservations in the Directorate-General’s 2016, 2017 and 2018 annual activity reports relating to the employment and social innovation programme. The fieldwork was finalised on 30 May 2019. All recommendations relate to the situation as of that date.

    The auditors recognised the ongoing efforts by the Directorate-General to improve its control systems for the employment and social innovation programme and the PROGRESS axis. The following strengths were identified in the audited processes and controls:

    Concerning the employment and social innovation programme:

    ·timely collection of contributions from policy units and comments/suggestions from the Employment and Social Innovation Committee in view of the preparation of the employment and social innovation programme’s annual work programmes;

    ·the annual work programmes include sufficient information about the priorities for the year, the objectives to be achieved and the target outcomes with the appropriations authorised for the financial year;

    ·the chosen funding areas are in line with the Directorate-General’s needs and priorities, contributing to Juncker’s political priorities, the Europe 2020 strategy and the European pillar of social rights.

    Concerning the PROGRESS axis:

    ·internal guidance provided by horizontal Units F3 and F4 and the operational units, which includes workflows for calls for proposals, presentations and training of staff members dealing with calls for proposals and implementation of grant agreements;

    ·the exclusion and award criteria, weightings and technical specifications are properly defined in the calls for proposals, in conformance with the applicable regulatory framework;

    ·regular meetings are held between the operational initiating agents and the call owners on the progress of ongoing calls and to address any questions on the implementation of ongoing projects;

    ·sufficient and timely information is transferred to the members of the Employment and Social Innovation Committee (composed of representatives of the Member States and chaired by a representative of the Commission) on the planned actions to be funded by the employment and social innovation programme and on the PROGRESS calls for proposals included in the annual work programmes.

    The Internal Audit Service did not formulate any critical or very important recommendations.


    Research, energy and transport

    1.Audit on implementation of the better regulation principles in the preparation of digital single market policy proposals in DG CONNECT 

    The objective of the audit was to assess whether the Directorate-General for Communications Networks, Content and Technology has put in place an internal control system for the preparation of digital single market policy proposals - within the remit of this Directorate-General - that is adequately designed and effectively implemented, in line with the better regulation principles.

    There were no reservations in the Directorate-General’s 2018 annual activity report that relate to the area/process audited. The fieldwork was finalised on 19 June 2019. All recommendations relate to the situation as of that date.

    The Internal Audit Service acknowledged the Directorate-General’s ongoing efforts to ensure effective implementation of the better regulation principles in the preparation of digital single market policy proposals. In particular, the Internal Audit Service highlighted the following strengths:

    ·the Directorate-General has set up a dedicated better regulation sector in its Unit D2 that assists the operational units in the key steps of the policy-making process; this has brought significant improvements to working procedures and workflows;

    ·the Directorate-General has set up clear procedural guidance, complementing the corporate guidance, for the application of the better regulation requirements;

    ·the Directorate-General has developed and applied innovative and good practices for the implementation of the better regulation requirements, namely:

    ·development of an information-technology tool (DORIS) for reporting on the results of stakeholders’ consultations;

    ·systematic use of SharePoint as working spaces for each major policy proposal, in particular when different units inside the Directorate-General or different Commission departments are involved in their preparation;

    ·upstream preparation of meetings with the Regulatory Scrutiny Board, including mock-up meetings organised by Unit D2.

    The Internal Audit Service did not formulate any critical or very important recommendations.

    2.Audit on the implementation of DG ENER’s control strategy for delegated bodies implementing the nuclear decommissioning assistance programme 

    The objective of the audit was to assess the effective implementation of the Directorate-General for Energy’s control strategy for the activities of the delegated bodies implementing the nuclear decommissioning assistance programme and the level of assurance the Directorate-General derives from it.

    There were no reservations in the Directorate-General’s 2018 annual activity report related to the area/process audited. The fieldwork was finalised on 3 October 2019. All recommendations relate to the situation as of that date.

    The auditors recognised the Directorate-General’s ongoing efforts to implement its control strategy for the delegated bodies implementing the nuclear decommissioning assistance programme, in particular:

    ·the systematic and well-documented risk review process set out in the risk-management plan for the programmes, with identified key risks recorded in a programme-specific risk register;

    ·the expertise and skills of the programme officers in charge of the three decommissioning programmes, which are appropriate for monitoring effectively the programmes’ implementation and performing the necessary checks;

    ·close involvement of the Authorising Officer by Sub-delegation in the monitoring of the programmes.

    The Internal Audit Service identified one issue concerning clearing of pre-financed amounts and formulated the following very important recommendation:

    The Directorate-General for Energy should use the result of the work of independent audit bodies on the disbursed amounts reported by the delegated bodies, in addition to the payment requests, to clear pre‑financed amounts. In addition, it should request that the opinion of the independent audit body for the Central Project Management Agency contain references that enable the Directorate-General to reconcile the disbursed amounts with those reported in the Agency’s summary report.

    Additional information provided by DG ENER on the measures drawn up and/or implemented following the Internal Audit Service audit

    The Directorate-General for Energy accepted the recommendation and implemented actions to mitigate the identified risks:

    ·In April 2020 the procedure for clearing of pre-financed amounts was updated to include: (i) the certified (audited) financial statements as soon as they are reported by the delegated bodies; and (ii) a coherence check with certified financial statements when non-certified figures are used. The Directorate-General for Energy accounting manual was updated accordingly on 17 April 2020 and duly notified to users involved in these processes.

    ·In February 2020, the Directorate-General for Energy obtained from the Central Project Management Agency the opinion of the independent audit body on an agreed template that facilitates reconciliation of the disbursed amounts with those reported in the summary report. This agency therefore fulfilled obligations on reporting according to the Delegation Agreement.

    3.Audit on the governance structure in ERCEA 

    The objective of the audit was to assess the governance structure specific to the European Research Council Executive Agency (ERCEA), with a focus on roles and responsibilities of the different stakeholders, i.e. the Scientific Council, the European Research Council Board, the Steering Committee and the Directorate-General for Research and Innovation, and the communication between them.

    The elements gathered by the Internal Audit Service during the preliminary survey, complemented by the results of the previous audits on the grant-management process in ERCEA ( 11 ), enabled the IAS to consider the Agency’s governance framework as adequately designed and to assess the inherent risks related to its implementation as medium to low. Given the positive outcome of the preliminary survey, the audit was stopped at that stage and no formal audit report was issued.

    4.Audit on site management infrastructure support services in the JRC 

    The objective of the audit was to assess whether the Joint Research Centre has set up efficient and effective management and control systems to ensure the proper delivery of site management and infrastructure support services.

    There were no reservations in the Joint Research Centre’s 2018 annual activity report that relate to the area/process audited. The fieldwork was finalised on 17 December 2019. All recommendations relate to the situation as of that date.

    The Internal Audit Service identified the following strengths:

    ·Communication between the sites of the Joint Research Centre has improved thanks to the creation of the site management network and the centralisation of all site support units (with the exception of Karlsruhe) in Directorate R, following the Directorate-General’s 2016 reorganisation.

    ·The identification and sharing of best practices to address cases of ineffective procurement planning.

    ·The completion of the site development implementation plans by the Joint Research Centre (which translate the long-term vision up to 2030 into concrete plans/projects for the next 3 years) will boost harmonisation and ease the integration of small and medium investments into the plans.

    ·The high level of professionalism and dedication of site support staff and the demonstrated ability to cope with high workload and to protect the financial interests of the Commission. In this respect, the Internal Audit Service highlights the following two examples:

    ·In procurement, JRC Geel provides information on the content of calls for tender before launching them. This gives potential candidates a better idea of the site management and infrastructure services / construction works to be performed. It also increases the number of applicants (reducing the number of calls for tender that fail due to a lack of suitable applicants).

    ·As part of the measures to increase the number of competitions and broaden the reach of potential candidates, notifications are addressed to various chambers of commerce in the area of JRC Karlsruhe (IHK-Rhein-Neckar, Karlsruhe, Rheinland-Pfalz) and information is exchanged with KIT (the German research institute in the premises of which JRC Karlsruhe is located).

    ·Asset management:

    ·the Joint Research Centre recently finalised the procedure for the 'management of old IT inventoried items under corporate network' and the 'workflow of old IT inventoried items under corporate network' initiatives;

    ·Geel has included in the maintenance contract the obligation for contractors to store technical parts so that space is available in the site for other purposes than storage;

    ·the Management Centre in Ispra recently updated its work instructions on downgrading assets and for the inventory;

    ·Karlsruhe has outsourced its stock-taking exercise in order to cope with the shortage of staff.

    The IAS identified two issues, one concerning site management and infrastructure process in respect of governance and organisation and one on HR management, and formulated the following very important recommendations:

    Site management and infrastructure process: governance and organisation

    The Joint Research Centre should assess and review the current governance and management structure of its site management and infrastructure services. It should also clarify the mandates, roles and responsibilities of those involved in the site management process, as well as those of process owners, and facilitate exchanges across sites and ensure that governing bodies’ mandates are effectively carried out.

    HR management

    The Joint Research Centre should ensure that the services performing site management and infrastructure related activities are adequately staffed. Staff should have the relevant expertise and operational staff managing site management and infrastructure procurement procedures and contracts should be able to receive adequate support from specialists.

    Additional information provided by JRC on the measures drawn up and/or implemented following the Internal Audit Service audit

    The Joint Research Centre accepted all recommendations and the corresponding action was approved by the Internal Audit Service.

    5.Audit on European Union Finance for Innovators (InnovFin) in DG RTD 

    The objective of the audit was to assess the adequacy and effectiveness of internal controls put in place by the Directorate-General for Research and Innovation to supervise and monitor the implementation and performance of InnovFin.

    There were no reservations in the Directorate-General’s 2018 annual activity report relating to the area/process audited. The fieldwork was finalised on 9 December 2019. All recommendations relate to the situation as of that date.

    The Internal Audit Service identified one issue concerning the performance framework and formulated the following very important recommendation:

    The Directorate-General for Research and Innovation should: (i) ensure that the targets for the key performance indicators are well justified and consistent between different documents; (ii) formalise a methodology to calculate the key performance indicators; and (iii) ensure traceability of their calculation. In addition, it should ensure consistency between the key performance indicators presented in the different reports and if there are unavoidable differences they should be explained in the reports. Finally, the Directorate-General should improve the information on InnovFin performance presented in the different reports so that the reports demonstrate the contribution of InnovFin to Horizon 2020 policy objectives. The indicators included in the Horizon 2020 legal basis should be included in the Directorate-General’s management plan and reported in the annual activity report.

    Additional information provided by DG RTD on the measures drawn up and/or implemented following the Internal Audit Service audit

    The action plan was sent on 27 March 2020 (the final audit report was issued on 28 January 2020).

    The text and figures in the final annual activity report 2019 of the Directorate-General for Research and Innovation concerning InnovFin were carefully prepared and discussed and are representative of the activities in 2019, as requested by the Internal Audit Service. However, the detailed requirements of the recommendation as stated above are still under preparation by the responsible unit, Task Force 3, which will have developed and finalised the methodologies before the end of summer 2020.

    As for ensuring that targets for the key performance indicators are well justified and consistent between different documents, Working Document 10 is now being coordinated and prepared by the Directorate-General for Budget and the Directorate-General for Economic and Financial Affairs and will be adopted as an annex to the 2021 draft budget.

    6.Consulting engagement on policy feedback from research and innovation projects delegated to executive agencies and joint undertakings in DG RTD

    The objective of the engagement was to review the existing research and innovation policy feedback process and to advise the Common Implementation Centre, based in the Directorate-General for Research and Innovation, on improvements required, if any, for achieving structured input for policy-making at research and innovation family level.

    As this was a consulting engagement, no audit recommendations were formulated.

    7.Audit on supervision of autonomous EU entities by DG MOVE

    The objective of the audit was to assess if the Directorate-General for Mobility and Transport’s strategy for supervising autonomous entities is adequately designed and effectively implemented to ensure that the autonomous entities:

    ·guarantee a level of protection of the EU’s financial interests equivalent to what is expected of the Directorates-General; and

    ·carry out activities in compliance with the mandate of their founding act in a way that is aligned with the Commission's political priorities.

    There were no reservations in the Directorate-General’s 2018 annual activity report that relate to the area/process audited. The fieldwork was finalised on 13 September 2019. All recommendations relate to the situation as of that date.

    The auditors recognised the Directorate-General’s efforts to supervise the decentralised agencies and joint undertakings. In particular:

    ·The supervision of autonomous entities is carried out at the highest management level. The supervision strategy and the discussion on autonomous entities’ risks is a standing point in the agenda of the Control Board ( 12 ) meetings and regular meetings are held between the Director-General and the Directors of the autonomous entities.

    ·There is a supervision strategy for the autonomous entities. This includes a separate fiche for each of them, provides a division of tasks between responsible units and a timeline for the main annual supervision activities (thus going beyond the guidance template provided by the Secretariat-General of the Commission).

    ·Staff involved in supervision are experienced, knowledgeable and committed.

    The Internal Audit Service did not formulate any critical or very important recommendations.

    External actions

    1.Audit on annual audit and verification plans in DG DEVCO

    The objective of the audit was to assess: (i) the effectiveness and efficiency of the design, preparation and implementation of the annual audit and verification plans in EU Delegations; and (ii) the monitoring and follow-up of the related audit results.

    There were no reservations in the Directorate-General’s 2018 annual activity report that relate to the area/process audited. The fieldwork was finalised on 30 September 2019. All recommendations relate to the situation as of that date.

    The auditors identified the following strengths:

    ·The monitoring carried out by the Directorate-General for International Cooperation and Development Headquarters through specific key performance indicators helped speed up audit contracting and reporting over time.

    ·The templates provided for the terms of reference for audit work and for audit reports contribute to the overall consistency/comparability of audit reports and to their quality.

    ·The documentation of the tasks performed at the Directorate-General Headquarters (in particular, by Unit DEVCO.R.2) to create and publish the annual planning file is generally comprehensive and clear.

    ·The ‘Audit Module’ ( 13 ) used by the Directorate-General is an efficient and effective tool for storing data and information on audits, for extracting data and statistics, and for follow-up on the status and result of audits.

    The Internal Audit Service identified one issue concerning monitoring the audit implementation and formulated the following very important recommendation:

    The Directorate-General for International Cooperation and Development should complement the current set of key performance indicators in order to cover the key steps of the audit life cycle and the completion of the annual audit and verification plans. It should also revise the targets of the existing audit-related key performance indicators to ensure that: (i) they remain relevant; (ii) continue to drive for improvements in the audit process; and (iii) are not misleading/prone to misinterpretation. Moreover, the Directorate-General should introduce central monitoring arrangements to follow up the EU Delegations’ implementation of the annual audit plans.

    Additional information provided by DG DEVCO on the measures drawn up and/or implemented following the Internal Audit Service audit

    The recommendations have already been completed by the Directorate-General for International Cooperation and Development. The Internal Audit Service will assess their effective implementation through a follow-up audit to be performed in the second quarter of 2020.

    2.Audit on the control strategy for humanitarian aid actions in DG ECHO

    The objective of the audit was to assess the adequacy of the design and the effectiveness of the implementation of the control strategy for humanitarian aid actions in the Directorate-General for European Civil Protection and Humanitarian Aid Operations in order to ensure the legality and regularity of the transactions and sound financial management.

    There were no reservations in the Directorate-General’s 2018 annual activity report that relate to the area audited. The fieldwork was finalised on 24 September 2019. All recommendations relate to the situation as of that date.

    Since the humanitarian aid actions funded by the Directorate-General for European Civil Protection and Humanitarian Aid Operations are implemented mainly by its partner organisations (humanitarian non-governmental organisations, international organisations and UN agencies), the availability of clear and comprehensive guidelines and instructions describing the working modalities is an important element of the control strategy. For this reason, the Directorate-General has developed a ‘Partners website’ ( 14 ), which provides complete and well-organised information on the legal and contractual framework, a detailed description of the action lifecycle and guidelines for using the IT systems. The ‘Partners website’ is also a useful educational tool and provides a valuable overview of the business processes and control activities from the point of view of the implementing partners. The Internal Audit Service considers this a good practice that supports the efficiency and effectiveness of relations between the Directorate-General and its partners in delivering humanitarian aid.

    The IAS identified two issues, one concerning ex ante controls on final reports and final payments and one on ex post headquarters audits and verifications, and formulated two very important recommendations:

    Ex ante controls on final reports and final payments

    The Internal Audit Service recommended that the Directorate-General for European Civil Protection and Humanitarian Aid Operations: (i) document the results of the checks by the financial initiator and verifier; and (ii) amend the formulation of the ‘certified correct’ in its internal procedures and IT tool.

    The Directorate-General for European Civil Protection and Humanitarian Aid Operations should also: (i) require that its partners state explicitly in the final reports the total amount of non-recoverable value added tax; (ii) strengthen the related checks; and (iii) consider the value added tax exemption status when selecting projects to undergo headquarters audits and verifications.

    Ex post headquarters audits and verifications

    The Directorate-General for European Civil Protection and Humanitarian Aid Operations should revise the audit methodology, also taking into account: (i) the outcome of the reassessment of the policy for the minimum sample size per action; and (ii) the audit contractors’ sampling methodology for headquarters audits of NGOs and international organisations. In addition, the Directorate-General should ensure that the level of testing is well justified in the audit and verification reports. It should also: (i) provide guidance to the audit contractors on how to formulate the recommendations; and (ii) revise the follow-up approach to ensure timely review of the implementation of all significant recommendations.

    Additional information provided by DG ECHO on the measures drawn up and/or implemented following the Internal Audit Service audit

    To ensure that the effectiveness of the control strategy over time and the overall assurance are not affected, the Directorate-General for European Civil Protection and Humanitarian Aid Operations is taking action to address the recommendations. Most notably, the current control strategy has been better reflected and described in the control architecture of the 2019 annual activity report. As per the action plan, most of the actions will be completed by the end of 2020. The action plan was drawn up by the Directorate-General for European Civil Protection and Humanitarian Aid Operations and agreed with the Internal Audit Service.

    3.Audit on common foreign and security policy in FPI 

    The objective of the audit was to assess the effectiveness of the control processes put in place by the Service for Foreign Policy Instruments to implement the common foreign and security policy budget managed directly or indirectly via the common security and defence policy missions.

    There were no reservations in the Service for Foreign Policy Instruments’ 2018 annual activity report that relate to the area/process audited. The fieldwork was finalised on 4 July 2019. All recommendations relate to the situation as of that date.

    The Internal Audit Service identified two issues, one concerning the closure of mandates for common security and defence policy missions and one on mitigating measures applied for European Union capacity building in Somalia, and formulated the following very important recommendations:

    Closure of mandates for common foreign and security policy missions

    The Service for Foreign Policy Instruments should close mandates in a timely manner and take appropriate measures to address the most common causes of late closure. In addition, it should ensure earlier clearing of pre-financing.

    Mitigating measures applied for EU capacity building in Somalia

    The Service for Foreign Policy Instruments should adopt adequate measures to mitigate risks that have a financial impact in the missions. These measures relate to: (i) administrative regularity of payments; and (ii) keeping supporting documents on the recruitment of international staff. Moreover, the Service for Foreign Policy Instruments should invite the European External Action Service to better coordinate with it to provide complete and clear guidance to missions on grading of local staff and to approve the main standard operating procedures with financial implications in force in EU capacity building in Somalia. Mitigating measures against the risk of missing documents in common foreign and security policy missions should also be implemented.

    Additional information provided by FPI on the measures drawn up and/or implemented following the Internal Audit Service audit

    The Service for Foreign Policy Instruments accepted all recommendations and established an action plan to address them. It is expected that the recommendations will be fully implemented during 2020. Some actions have already been implemented, as described below:

    Concerning the closure of mandates for common foreign and security policy missions, in order to address issues resulting in late closure of mandates the Service for Foreign Policy Instruments has, in consultation with the Directorate-General for Budget, updated the Vade-Mecum on financial and accounting procedures for CSDP missions. The updated Vade-Mecum was sent to all CSDP missions on 16 December 2019.

    An internal guidance note to guide project managers through the closure of mandates was issued on 12 May 2020.

    Concerning the mitigating measures applied for EU capacity building in Somalia, in order to mitigate risks that have a financial impact, the Mission Support Platform at the Service for Foreign Policy Instruments’ Headquarters provides continuous/daily support to EU capacity building in Somalia on finance and procurement issues. In addition, EU capacity building in Somalia’s standard operating procedures in finance and procurement have been updated following the Service’s assessment and recommendations.

    Furthermore, the updated Vade-Mecum included specific provisions on electronic archiving of supporting documents.

    Finally, the Service for Foreign Policy Instruments is contributing to the local staff policy document under development by the European External Action Service’s Civilian Planning and Conduct Capability, in particular on the need for clearer guidance on grading of local staff.

    4.Audit on annual audit plans in DG NEAR

    The objective of the audit was to assess the design and the implementation of the annual audit plans (including the monitoring and follow-up arrangements) to check whether they effectively contribute to the Authorising Officer by Delegation’s assurance on the legality and regularity of transactions.

    The following reservations made in the 2018 annual activity report underline the importance of the area and processes within the scope of this audit engagement:

    Reservation 1: Difficulties in monitoring all projects in Libya and Syria adequately

    Reservation 2: Error rate above 2% in direct management grants.

    The fieldwork was finalised on 27 September 2019. All recommendations relate to the situation as of that date.

    The auditors identified the following strengths:

    ·the Internal Audit Service acknowledges the improvement in the timing of the risk assessment exercise (compared to the previous years), which enabled the timely approval of the 2019 control plan;

    ·the risk assessment takes into account different types of risks that are assessed from the perspectives of both impact and likelihood;

    ·the templates provided for the terms of reference for audit work and for the audit reports contribute to the overall consistency of audit reports and to their generally satisfactory quality;

    ·the Directorate-General for Neighbourhood and Enlargement Negotiations uses the Audit Module ( 15 ) tool, which enables it to store various audit-related information and easily extract and process data for monitoring and reporting purposes.

    The Internal Audit Service identified two issues, one concerning follow-up of audit results and one on key performance indicators and reporting, and formulated the following two very important recommendations:

    Follow-up of audit results

    The Directorate-General for Neighbourhood and Enlargement Negotiations should: (i) improve its strategy on the follow-up of financial findings by introducing actions that go beyond recovering ineligible expenditure; and (ii) issue corresponding guidance. It should also make full use of findings stemming from verification missions to international organisations, either via regular in-house analysis by headquarters or by concluding a formal agreement to this end with the Directorate-General for International Cooperation and Development.

    Key performance indicators and reporting

    The Directorate-General for Neighbourhood and Enlargement Negotiations should revise the current key performance indicators and targets in cooperation with the Directorate-General for International Cooperation and Development to ensure that they are relevant, appropriate, unambiguous, and understood by staff. Finally, the Directorate-General should correctly report on the achievement of the key performance indicators in its annual activity report.

    Additional information provided by NEAR on the measures drawn up and/or implemented following the Internal Audit Service audit

    The Directorate-General for Neighbourhood and Enlargement Negotiations accepted the recommendations and produced an action plan, which was approved in March 2020. The actions are being implemented according to the plan, and their completion is expected by January 2021.

    5.Audit on ex ante control on payments under the European neighbourhood instrument and the European neighbourhood and partnership instrument in DG NEAR 

    The objective of the audit was to assess whether or not the ex ante control on interim and final payments under the European neighbourhood instrument and the European neighbourhood and partnership instrument is effective and efficient.

    There were no reservations in the Directorate-General’s 2018 annual activity report that relate to the area/process audited. The fieldwork was finalised on 16 December 2019. All recommendations relate to the situation as of that date.

    The auditors identified the following strengths:

    ·the guidance for the ex ante control on payment available in the manual of procedures is generally comprehensive and clear;

    ·the manual of procedures and the support provided by the helpdesk at Headquarters contribute to the consistent application of the Directorate-General’s rules and procedures throughout the delegations;

    ·the reporting of financial information to senior management is done via the ‘Portfolio Management Dashboard’, which automatically extracts, computes and aggregates the information from the ABAC accounting system. This information is used, among other things, to feed the key performance indicators, which are then used to monitor implementation of the programme.

    The Internal Audit Service did not formulate any critical or very important recommendations.

    Education and citizenship

    1.Audit on DG HOME’s audit activity and clearance of accounts

    The objective of the audit was to assess whether the Directorate-General for Migration and Home Affairs has put in place effective processes for auditing the asylum migration and integration fund and the internal security fund, for providing audit services to the Directorate-General for Justice and Consumers and for managing the clearance of accounts.

    The reservations below were made in the Directorate-General for Migration and Home Affairs’ 2018 annual activity report. They concern specifically the area/process under the scope of this audit engagement:

    ·shared management: reservation concerning the asylum migration and integration fund and the 2014-2020 internal security fund in several Member States because of serious deficiencies in the management and control system and especially in the audit work of the audit authority;

    ·centralised direct management: non-research grants. The reservation was issued because the residual error rate (3.29%) was above the materiality threshold of 2% for grants directly managed (except research) by the Directorate-General for Migration and Home Affairs.

    The fieldwork was finalised on 19 July 2019. All recommendations relate to the situation as of that date.

    The auditors identified the following strengths in the practices followed by the Directorate-General for Migration and Home Affairs:

    ·the recent reorganisation of the Directorate-General strengthened the position and independence of the ex post audit function by separating it from the Fund Management Directorate;

    ·as from the financial year 2018, audit authorities are required to submit an annual control report supporting their audit opinion. This significantly strengthens the Directorate-General’s assurance over the audit authorities’ work;

    ·the audit sector has developed a comprehensive checklist to support auditors in their checks during the clearance of accounts process;

    ·the checklist used by desk officers for the clearance of accounts is embedded in the workflow system ( 16 ), which enhances the traceability and transparency of the review process;

    ·shared management weekly meetings (until the reorganisation of June 2019 within its Directorate E) involved financial units and the unit in charge of audits. These constituted a solid platform for discussing implementation of funds, including audit-related topics.

    The Internal Audit Service identified three issues, one concerning set-up and planning of the audit activity, one on execution of the audit plan and one on the clearance of accounts, and formulated the following very important recommendations:

    Set-up and planning of the audit activity

    The Directorate-General for Migration and Home Affairs should define the mission statement and mandate of the audit activity. Roles and responsibilities for the clearance of accounts process should be adjusted to the new organisational structure. The audit strategies for both shared and direct management should be revised (including for providing the audit function to the Directorate-General for Justice and Consumers). Furthermore, the Directorate-General for Migration and Home Affairs should analyse the resource needs for the audit activity. For the 2020 audit work programme, the Directorate-General should align the annual audit plan with the available capacity and explain the impact of any shortfall. In addition, for the 2021-2027 period, it should analyse the resources required under the new programming period and examine the options/scope for making use of available expertise and capacity in the audit directorates of other Commission departments.

    Execution of the audit plan

    The Directorate-General for Migration and Home Affairs should launch direct management audits as early as possible after adoption of the audit work programme so that the audits can be completed before the end of the reporting period (i.e. 31 March N+1), as required by the audit strategy. In addition, final audit reports should be sent to the beneficiaries without delay. This process should be regularly monitored by senior management. As regards shared management, the Directorate-General should launch system audits as early as possible after finalising the review of the annual control reports and audit opinions. Draft and final audit reports should be sent on time.

    Clearance of accounts

    The Directorate-General for Migration and Home Affairs should review and update its internal procedures to ensure that the clearance decisions are made on time. Furthermore, it should clarify the procedure and timing for reviewing accounts that were submitted early (i.e. before year-end) in the context of the decommitment procedure. The processes for managing the clearance of accounts should be adapted to the new organisational structure, and the communication between the financial units and the audit sector should be improved.

    Additional information provided by HOME on the measures drawn up and/or implemented following the Internal Audit Service audit

    The Directorate-General for Migration and Home Affairs accepted the recommendations and produced an action plan which was approved by the Internal Audit Service in March 2020. The actions are being implemented according to the plan, and some of them have already been implemented. Regarding the recommendation on the setting up and planning of the audit activity, the Directorate-General performed an analysis of available capacity and resources for its 2020 audit work programme, which can be updated during the year if necessary. The Directorate-General also implemented actions in response to the recommendation on clearance of accounts. These actions included the revision of the internal procedures and the Manual for the Clearance of Accounts to ensure the timely revision of accounts submitted before the year’s end and that accounts are cleared only exceptionally after the regulatory deadline of 31 May N+1.

    2.Audit on impact assessment in DG JUST

    The objective of the audit was to assess whether the Directorate-General for Justice and Consumers has put in place effective controls for conducting impact assessments that comply with the better regulation guidance and principles.

    There were no reservations in the Directorate-General’s 2018 annual activity report that relate to the area/process audited. The fieldwork was finalised on 18 July 2019. All recommendations relate to the situation as of that date.

    The auditors recognised the Directorate-General’s ongoing efforts to improve the impact assessment process and identified in particular the following strengths:

    ·The Directorate-General has set up a dedicated and experienced Unit 03 ‘Economic Analysis and Evaluation’. The unit has a dual role in the impact assessment process, which consists in: (i) providing comments and support to the operational units on the key steps of the impact assessment process; and (ii) playing an important role in decisions affecting the impact assessment process e.g. the quality scrutiny of a draft impact assessment report before submission to the Regulatory Scrutiny Board. Overall, the involvement and assistance provided by Unit 03 to policy officers on drafting impact assessments is perceived by the operational units to be very positive. The policy officers appreciate the regular contacts and availability of Unit 03’s staff, together with their valuable support on technical and methodological aspects of impact assessment.

    ·Since 2018, the Directorate-General has made use of upstream meetings offered to Directorates-General by the Regulatory Scrutiny Board ( 17 ) for the preparation of impact assessments.

    The Internal Audit Service did not formulate any critical or very important recommendations.

    Economic and financial affairs

    1.Audit on EASME’s project management (project monitoring, payments and amendments) under the programme for the environment and climate action covering the period from 1 January 2014 to 31 December 2020 (the LIFE programme) 

    The objective of the audit was to assess whether the Executive Agency for Small and Medium-sized Enterprises has adequately designed and effectively implemented a project management system (project monitoring, payments and amendments and anti-fraud strategy and checks) that provides reasonable assurance to the Authorising Officer by Delegation regarding: (i) the effective contribution of the projects to the achievement of objectives of the programme for the environment and climate action and (ii) the legality and regularity of the underlying transactions.

    There were no reservations in the Agency’s 2018 annual activity report that relate to the area/process audited. The fieldwork was finalised on 3 July 2019. All recommendations relate to the situation as of that date.

    The auditors recognised the Executive Agency for Small and Medium-sized Enterprises’ ongoing efforts to manage and monitor the programme for the environment and climate action so as to ensure that: (i) the programme objectives are met; and (ii) the residual error rate remains far below the materiality threshold of 2% ( 18 ). In particular, the Internal Audit Service acknowledged the following good practices:

    ·staff of the Agency implementing the control strategy are knowledgeable and motivated, and have valuable experience in supervising the programme implementation;

    ·there is good cooperation between the operational unit and the financial sector as well as with the external contractor performing the ongoing monitoring activities;

    ·the team managing the programme drives continuous improvement of the internal procedures, workflows, templates and checklists to be used for each project management task and phase of monitoring;

    ·there is an adequate document management system in place that makes all the project information and in-depth data easily accessible to the Agency staff involved.

    The Internal Audit Service identified one issue concerning use of risk-related information to define the level of control and cost effectiveness of controls and formulated the following very important recommendation:

    The Executive Agency for Small and Medium-sized Enterprises should establish an effective link between risks identified and control activities to tailor the extent and depth of checks to be performed (both by the external contractor and by its own staff). Moreover, the reporting templates and relevant checklists should be amended to reflect the differences in checks to be performed. The risk assessment tool should also be regularly updated. Additionally, the Agency should assess the cost effectiveness of controls for the environment and climate action programme.

    Additional information provided by EASME on the measures drawn up and/or implemented following the Internal Audit Service audit

    The action plan of the Executive Agency for Small and Medium-sized Enterprises was accepted by the Internal Audit Service and aims to address its recommendation by June 2020.

    In the meantime, several sub-actions have been implemented. These include: (i) a revised risk-based assessment methodology to better tailor the extent and depth of controls; (ii) the update of the reporting templates and checklists to reflect the different types of checks to carry out depending on the risk; (iii) the update of the risk assessment tool when new information becomes available; and (iv) training of the project advisers and financial officers on the new methodology and checklists.

    Further, assessment of the cost effectiveness of controls for the LIFE programme (programme for the environment and climate action) will begin soon and will be implemented with the support of the Directorate-General for Environment.

    2.Audit on effectiveness and efficiency of DG ECFIN's performance-management system

    The objective of the audit was to assess the adequacy of the performance-management system of the Directorate-General for Economic and Financial Affairs to plan, monitor and report on the achievement of its key policy objectives.

    There were no reservations in the Directorate-General’s 2018 annual activity report that relate to the area/process audited. The fieldwork was finalised on 20 May 2019. All recommendations relate to the situation as of that date.

    The Directorate-General for Economic and Financial Affairs implements a wide range of activities. In addition, its operations are affected largely by the political environment. The auditors recognised its ongoing efforts to continuously improve its performance-management system within this challenging environment and highlighted the following good practices:

    ·the management of the strategic planning and programming cycle is well organised: a clear link has been established between the Directorate-General’s general objectives, specific objectives and activities, supported by the work-stream mapping table;

    ·a number of good management tools have been implemented both at directorate and unit levels, namely:

    ·the directorates’ work programmes, which complement the Directorate-General’s management plan; these provide a good narrative of each directorate’s priorities and explain how the directorates contribute to the Directorate-General’s general and specific objectives;

    ·Directorate C’s dedicated monitoring tool (the fortnightly report), which is used at directorate and unit levels, enables effective monitoring of ongoing activities for the forthcoming 2 months. Directorate C uses the table to structure discussions in the bi-weekly directorate meetings;

    ·different units have developed specific tools, e.g. a calendar of international events (Unit D.3), tables of communication activities and events (Unit A.4), a ‘dashboard used for the weekly Investment Committee’ (Unit L.2), and the ‘échéancier’ (Unit G.3) used to monitor closely ongoing activities.

    ·In terms of performance reporting:

    ·Unit 01 has developed an inventory of the unit’s tasks performed in 2018;

    ·Unit D.3 presented a mid-year report on ‘progress on 2018 work programme on economic analysis and policy advice’, which gives a complete report to senior management on the unit’s activities.

    The Internal Audit Service did not formulate any critical or very important recommendations.

    3.Audit on monitoring of EU law implementation in DG TAXUD

    The objective of the audit was to assess the effectiveness and efficiency of the management and control systems of the Directorate-General for Taxation and Customs Union regarding the monitoring of EU law implementation as well as the compliance with the applicable Commission guidelines.

    There were no observations/reservations in the Directorate-General’s 2018 annual activity report that relate to the area/process audited. The fieldwork was finalised on 20 June 2019. All recommendations relate to the situation as of that date.

    The auditors recognised the Directorate-General’s ongoing efforts to continuously improve the process of monitoring EU law implementation and application and highlighted the following good practices. In particular:

    ·The Directorate-General has established effective cooperation with its Commissioner’s Cabinet, which is systematically consulted on any key decision with regard to new pre-infringement cases, cases of opportunity closures ( 19 ) and for the final approval of proposals for infringement cases to be submitted for a decision in the College’s infringement cycle. There is an agreement between the Directorate-General and its Commissioner’s Cabinet to go ahead in the absence of a reply from the latter within 5 working days.

    ·A very good system of internal coordination exists between the units involved in EU law monitoring and the policy units. An infringement coordinator (Unit C3 Indirect taxation) effectively coordinates all activities at Directorate-General level related to EU law implementation monitoring. This coordinator is backed up by the infringement coordinators in the other units.

    ·The Directorate-General’s infringement coordinator in Unit C3 has put in place a ‘pop-up’ monitoring tool (called NIF) embedded in the Infringement and Directives IT application, which enables effective and efficient monitoring of all ongoing infringement cases in the Unit. The Internal Audit Service considers that this tool could also be used by the other infringement units.

    ·The Head of Unit of Unit D3 has developed a system to monitor compliance with the Commission guidelines and benchmarks for the transposition of all new directives in the area of direct taxation. It consists of a table for each directive and an overview table for all directives and Member States with the corresponding milestones. The overview table provides the Head of Unit with a good summary of the status of the transposition of directives for which Unit D3 is responsible. The Internal Audit Service considers that this tool could also be implemented by the Infringement Unit in the area of indirect taxation.

    The Internal Audit Service did not formulate any critical or very important recommendations.

    4.Audit on human resources management in DG TAXUD

    The objective of the audit was to assess whether the Directorate-General for Taxation and Customs Union has put in place an adequate system for managing its human resources that effectively supports the achievement of its operational objectives.

    The Directorate-General’s 2018 annual activity report did not include any reservations that relate to the area/process audited. The fieldwork was finalised on 10 December 2019. All recommendations relate to the situation as of that date.

    The Internal Audit Service has identified the following strengths:

    ·the Directorate-General regularly organises staff fora to improve communication between the Director-General and staff;

    ·a collaborative space known as ‘TAXUD in Action’ is available for all staff in the Directorate-General to promote dialogue and provide information, in particular in the areas of:

        ·learning and development;

        ·knowledge management and collaboration;

        ·well-being and work-life balance;

        ·green TAXUD;

        ·improved procedures and briefings;

        ·smooth running of information-technology projects;

        ·efficient meeting and email management.

    ·the Human Resources Business Correspondent team is actively involved in a wide range of human-resources activities including recruitment, training needs development and reporting.

    The Internal Audit Service identified three issues, one concerning human-resources strategic management, one on the management of task and skills mapping and workload assessment and one on staff allocation and project teams. The IAS formulated three very important recommendations:

    Human-resources strategic management

    The Directorate-General for Taxation and Customs Union should develop an overarching human-resources strategy, defining specific objectives and expected results, in line with its business strategy. The Directorate-General should link the actions set out in the knowledge management action plan to specific end dates and adopt measures that effectively address the main issues raised in the staff survey.

    Human resources management: task and skills mapping

    The Directorate-General for Taxation and Customs Union should implement processes to map tasks and skills covering all the activities of the service.

    Workload assessment, staff allocation and project teams

    The Directorate-General for Taxation and Customs Union should develop a workload assessment framework based on robust workload indicators and assess if the current allocation of staff is appropriate taking into consideration the tasks to be accomplished and the workload across the Directorate-General. If needed, the Directorate-General should implement measures to re-balance workload and monitor the effectiveness of these measures.

    The Directorate-General should set its expectations and the conditions for applying flexitime recuperation and analyse the reasons for non-recoverable overtime.

    The Directorate-General should further promote project teams and put in place relevant guidelines.

    Additional information provided by TAXUD on the measures drawn up and/or implemented following the Internal Audit Service audit

    The 'very important' recommendations for the Directorate-General for Taxation and Customs Union also correspond to areas covered by the Directorate-General for Human Resources and Security strategy (due by end-2020), mapping of skills and tasks (due by end-June 2021), and workload assessment framework (due by end-June 2021). All three require (and will depend on) support from the Directorate-General for Human Resources and Security.

    The relevant action plan to implement recommendations was accepted by the Internal Audit Service as satisfactory on 25 February 2020. The Directorate-General for Taxation and Customs Union has started preparatory implementation work, including cooperation with the Directorate-General for Human Resources and Security. So far, it has begun drawing up its local human resources strategy in line with the guidance received from the Directorate-General for Human Resources and Security. The Directorate-General for Taxation and Customs Union has also begun to consider what methods are required for skills/tasks mapping and workload assessment. Given the imminence of some of the deadlines and the number of actions to be accomplished, the Directorate-General is endeavouring to progress on implementation, despite the adverse conditions created by the COVID-19 crisis. The whole action plan is planned to be implemented by end-June 2021. This audit by the Internal Audit Service shows that some improvements to internal control principle 4 could be achieved. The action plan, as confirmed by the Internal Audit Service, adequately tackles these improvements.

    5.Audit on human resources management in DG TRADE

    The objective of the audit was to assess whether the internal control system put in place by the Directorate-General for Trade for its human-resources management processes is adequately designed and effectively implemented to support the achievement of its operational objectives.

    The fieldwork was finalised on 16 December 2019. All recommendations relate to the situation as of that date.

    The Internal Audit Service recognised the Directorate-General’s ongoing efforts to continuously improve its human-resources management processes and in particular identified the following good practices:

    ·the Directorate-General uses its spring and autumn review exercises to collect and discuss human-resources needs at Directorate level. It presents the results to the Director-General for subsequent decisions on staff (re)allocation (redeployments, cuts, reinforcements) and on additional requests for staff to be introduced in the context of the budgetary procedure;

    ·the Directorate-General periodically organises internal surveys to collect information on staff and management learning needs and updates its annual learning & development policy document based on the results of the surveys.

    The Internal Audit Service did not formulate any critical or very important recommendations.

    General services

    1.Limited review on the effective implementation of the internal control framework in DG COMM 

    The objective of the limited review was to assess if the Authorising Officer by Delegation has performed an adequate overall assessment of the presence and functioning of all internal control principles and components as laid down in the Communication on the revision of the internal control framework.

    The fieldwork was finalised on 27 February 2019. All recommendations relate to the situation as of that date.

    The Internal Audit Service did not formulate any critical or very important recommendations.

    2.Limited review on the implementation of the new internal control framework in DGT

    The objective of the limited review was to assess if the Authorising Officer by Delegation has performed an adequate overall assessment of the presence and functioning of all internal control principles and components as laid down in the Communication on the revision of the internal control framework.

    The fieldwork was finalised on 27 February 2019. All recommendations relate to the situation as of that date.

    The Internal Audit Service did not formulate any critical or very important recommendations.

    3.Limited review on the implementation of the new internal control framework in EPSO

    The objective of the limited review was to assess if the Authorising Officer by Delegation has performed an adequate overall assessment of the presence and functioning of all internal control principles and components as laid down in the Communication on the revision of the internal control framework.

    The fieldwork was finalised on 26 March 2019. All recommendations relate to the situation as of that date.

    The Internal Audit Service did not formulate any critical or very important recommendations.

    4.Limited review on the implementation of the new internal control framework in OIB

    The objective of the limited review was to assess if the Authorising Officer by Delegation has performed an adequate overall assessment of the presence and functioning of all internal control principles and components as laid down in the Communication on the revision of the internal control framework.

    The fieldwork was finalised on 29 August 2019. All recommendations relate to the situation as of that date.

    The Internal Audit Service did not formulate any critical or very important recommendations.

    5.Limited review on the implementation of the new internal control framework in OIL

    The objective of the limited review was to assess if the Authorising Officer by Delegation has performed an adequate overall assessment of the presence and functioning of all internal control principles and components as laid down in the Communication on the revision of the internal control framework.

    The fieldwork was finalised on 23 September 2019. All recommendations relate to the situation as of that date.

    The Internal Audit Service did not formulate any critical or very important recommendations.

    6.Limited review on the implementation of the new internal control framework in DG SCIC

    The objective of the limited review was to assess if the Authorising Officer by Delegation has performed an adequate overall assessment of the presence and functioning of all internal control principles and components as laid down in the Communication on the revision of the internal control framework.

    The fieldwork was finalised on 1 October 2019. All recommendations relate to the situation as of that date.

    The Internal Audit Service did not formulate any critical or very important recommendations.

    7.Audit on DG ESTAT’s quality management of statistical processes 

    The objective of the audit was to assess the processes and procedures put in place by Eurostat to ensure the quality of the statistical process, in line with the quality principles applicable to European statistics.

    There were no reservations in Eurostat’s 2019 annual activity report that relate to the area/process audited. The fieldwork was finalised on 15 April 2019. All recommendations relate to the situation as of that date.

    The auditors recognised Eurostat’s ongoing efforts to ensure the quality of the statistical production. In particular:

    ·Eurostat has implemented quality management of statistical processes and uses an overall quality framework for European statistics. This includes the European statistics code of practice, the quality assurance framework of the European statistical system and other quality reporting and metadata standards.

    ·Eurostat has developed a list of good practices Member States can use when implementing the European statistics code of practice principles and indicators.

    ·Eurostat has introduced two-layer quality management of statistical processes that includes: (i) quality controls, validations and checks by statistical domain; and (ii) quality review at central level including quality reporting activities, error management and dedicated quality reviews of statistical processes.

    ·Production units have developed many internal guidelines and methodological instructions to improve the effectiveness of their automated validation procedures and Member State statistical inputs.

    The Internal Audit Service identified one issue concerning the design and implementation of quality reviews and formulated the following very important recommendation:

    Eurostat should: (i) ensure the effective functioning of the quality review process by implementing the ‘mixed approach’ of centralised and decentralised quality reviews that has already been agreed; (ii) ensure adequate support to staff involved in the quality review process; (iii) prepare a realistic quality review plan; and (iv) implement adequate monitoring and reporting arrangements which enable management to obtain re-assurance on the compliance of European statistics with the code of practice and quality assurance framework of the European statistical system.

    Additional information provided by ESTAT on the measures drawn up and/or implemented following the Internal Audit Service audit

    The new cycle of quality reviews based on a new methodology was launched in July 2019.

    Eurostat has drafted an overarching document describing the follow-up measures taken for quality reviews implemented in 2016-2019. The document presents a realistic schedule for implementing the 2019-2022 quality reviews and outlining resource planning, and presents the lessons learnt from previous rounds of quality reviews. The document will be presented for endorsement by senior management in May 2020.

    A checklist was prepared, describing in detail the steps taken for performing a quality review, the sources of information available, the items pre-filled by the quality review team, and the checks and controls performed on the checklists filled in by the reviewed units.

    The quality assurance framework of the European statistical system and the European Statistical System Handbook for Quality Reports were updated and published in 2019 and 2020 respectively on Eurostat’s ‘quality’ web pages.

    8.Audit on OLAF’s human resources strategy

    The objective of the audit was to assess whether the European Anti-Fraud Office has put in place an adequate human resources management strategy to enable it to effectively plan and manage its human resources to support the achievement of its operational objectives.

    The European Anti-Fraud Office’s 2018 annual activity report did not include any reservations that relate to the area/process audited. The fieldwork was finalised on 24 September 2019. All recommendations relate to the situation as of that date.

    The auditors recognised the European Anti-Fraud Office’s ongoing efforts to address its human resources management challenges in a context of staff reduction and uncertainty linked to the upcoming change in the Office’s role and responsibilities. In particular:

    ·in line with good practices, in January 2019 the European Anti-Fraud Office prepared a human resources strategic plan which describes the Office’s future human resources management challenges, provides an overview and forecast of the Office’s workforce structure and identifies priorities;

    ·recently the Director-General of the European Anti-Fraud Office invited staff to come up with ideas on how operations could be improved. The ideas submitted through this exercise were then prioritised by senior management following an all-staff strategic seminar on the future of the Office;

    ·the European Anti-Fraud Office organises many activities to foster good communication between management and staff and to enhance collaboration and sharing of information in-house. Staff can also take advantage of numerous well-being and social activities;

    ·the European Anti-Fraud Office’s human resources business correspondent team has developed a number of guides for managers and their staff (e.g. guides on welcoming newcomers, on team events, on absence management), as well as a guide for newcomers;

    ·the Business Correspondent team provides regular reports to the Office’s senior management on human-resources issues and attends the weekly directors’ meetings, at which human resources matters are discussed.

    The Internal Audit Service identified three issues, one concerning the human resources strategic plan and monitoring, one on the management of task and skills mapping, and one on the management of workload assessment and staff allocation. The IAS formulated three very important recommendations:

    Human resources strategic plan and monitoring

    The European Anti-Fraud Office should translate the objectives of its human resources strategic plan into an action plan, accompanied by milestones, targets and responsible actors, and followed up through an effective monitoring framework. The action plan should encompass all initiatives to improve human-resources management (including initiatives resulting from the follow-up of the 2018 Commission staff survey or from the reflection on the future of the Office). The action plan’s implementation should be monitored regularly.

    Human-resources management: task and skills mapping

    The European Anti-Fraud Office should implement processes to map tasks (including moving to ATLAS ( 20 ) full mode), skills and competencies exhaustively, covering all the activities of the Office.

    Human-resources management: workload assessment and staff allocation

    The European Anti-Fraud Office should develop a workload assessment framework, establish clear criteria for staff allocation and assess if the current allocation of staff to units and directorates is appropriate. Based on the outcome of the assessment, the Office should reallocate staff to meet its priorities and balance workload across the organisation. It should also promote the temporary reallocation of staff if necessary to meet any specific needs.

    Additional information provided by OLAF on the measures drawn up and/or implemented following the Internal Audit Service audit

    The European Anti-Fraud Office management has taken the necessary measures to start implementing the corresponding action plan. All actions are scheduled for implementation by the end of 2020, although most of them should be closed by the summer.

    Information-technology audits

    1.Audit on information-technology project management practices in OLAF

    The objective of the audit was to assess the adequacy of the design and the effective and efficient implementation of the governance, management and control systems the European Anti-Fraud Office has put in place to manage its information-technology projects.

    There were no reservations in the European Anti-Fraud Office’s 2017 annual activity report that relate to the area audited. The fieldwork was finalised on 17 December 2018. All recommendations relate to the situation as of that date.

    The Internal Audit Service recognised the European Anti-Fraud Office’s recent efforts in respect of its content management project to:

    ·improve the management of the Office’s content management project to ensure better involvement and communication between users and the solution provider;

    ·align with the information technology governance requirements at corporate level (IT Board) and keep GovIS2 ( 21 ) up to date.

    In the anti-fraud information system domain, the Internal Audit Service notes that OLAF has applied a robust governance approach. The IAS also considers the way the anti-fraud information system team applies the Agile ( 22 ) approach to managing its projects as good practice. Moreover, the fact that the anti-fraud information system team managed to avoid any significant staff turnover for a couple of years is an indication of a stable and solid environment.

    The Internal Audit Service identified five issues concerning the European Anti-Fraud Office’s content management project and formulated the following very important recommendations:

    European Anti-Fraud Office’s content management governance

    The European Anti-Fraud Office should make the new governance structure effective by properly documenting the decision workflow and implementing operational procedures. Moreover, the Office should ensure that organisational change management is properly set up and should strengthen coordination between the business and information-technology sides. Finally, it should define and communicate roles and responsibilities in its content management project more clearly and ensure that key staff have the correct authority.

    The European Anti-Fraud Office’s content management business requirements management

    The European Anti-Fraud Office should identify and prioritise the remaining requirements. The Project Steering Committee should prioritise the requirements and the project owner should arbitrate as necessary as to whether any may need to be de-prioritised/dropped. Moreover, the Office should ensure that the acceptance and implementation processes are signed off at the correct level. It should also improve the documentation of the business requirements and the corresponding work packages.

    Content management testing and performance in the European Anti-Fraud Office

    The European Anti-Fraud Office should formalise its user acceptance procedures by basing them on predefined acceptance criteria. The project owner should formally sign off the acceptance tests and the implemented requirements. To address the performance issues, the Office’s solution provider should assess in detail the impact linked to performance-tuning activities. Based on this assessment, the project owner should decide whether those activities should be applied or not. Moreover, the Office should implement an emergency procedure to supervise developers’ access to the production environment.

    Content management cost management in the European Anti-Fraud Office

    The European Anti-Fraud Office should make a detailed calculation of the total cost of ownership ( 23 ) in line with common practices applied in the Commission. Wherever possible, this data should also include costs stemming from business stakeholders participating in the project. The Office should then ensure these figures are reported in the follow-up of the discharge procedure.

    Moreover, the European Anti-Fraud Office should recalculate the budget needed to finish the content management based on more detailed business requirements and reliable cost estimates.

    Content management project planning, progress and performance in the European Anti-Fraud Office

    The European Anti-Fraud Office should break down the tasks into more detailed work packages. It should also assess and report the actual project performance against predefined success criteria and continue measuring content management user satisfaction within the Office.

    Additional information provided by OLAF on the measures drawn up and/or implemented following the Internal Audit Service audit

    All recommendations issued by the Internal Audit Service have been accepted. Hence, in order to implement these recommendations, the European Anti-Fraud Office’s management has adopted an action plan which the Internal Audit Service considers adequate to address the residual risks identified by the auditors.

    In February 2020, the Internal Audit Service confirmed to the European Anti-Fraud Office that based on the results of the follow-up audit, all recommendations had been adequately and effectively implemented and therefore closed.

    2.Audit on information-technology project management practices for multi-Directorate-General projects in DG DIGIT

    The objective of the audit was to assess the adequacy of the design and the effective and efficient implementation of the management and control systems that the Directorate-General for Informatics put in place to manage its multi-Directorate-General information-technology projects.

    There were no reservations in the Directorate-General’s 2018 annual activity report that relate to the area/process audited. The fieldwork was finalised on 9 July 2019. All recommendations relate to the situation as of that date.

    The audit highlighted the following strengths:

    The Directorate-General for Informatics has developed a project management methodology (PM2) inspired by best practices and complemented by a set of proven ‘agile’ practices. It offers a complete set of artefacts, tools and techniques, roles and responsibilities and activities to manage projects in an efficient and effective way. A training and certification programme is in place for all people involved in project management to acquire the necessary skills and demonstrate their expertise in the field.

    DG DIGIT’s Directorate B decided in January 2017 to establish a project management office and introduced a new delivery model in May 2017, aimed at better accommodating changes in demand or priorities and offering strong interaction between business representatives (process owners and business managers) and information-technology solutions providers and suppliers.

    The Internal Audit Service did not formulate any critical or very important recommendations.

    3.Audit on information-technology governance and project management in OP

    The objective of the audit was to assess the adequacy of the design and the effectiveness and efficiency of the information-technology governance and project management practices put in place by the Publications Office of the European Union.

    In particular, the Internal Audit Service assessed whether the Publications Office has put in place effective controls for its information technology governance and oversight, and management of its information-technology projects, to enable it to achieve its objectives while minimising information technology-related risks and optimising resources.

    There were no reservations in the Publications Office’s 2018 annual activity report that relate to the area/process audited. The fieldwork was finalised on 28 June 2019. All recommendations relate to the situation as of that date.

    The auditors recognised the Publications Office’s ongoing efforts to strengthen its governance and project management practices. The definition of the 10 strategic objectives for the period 2017-2025 linked to information-technology projects, systems and new developments is a very valuable tool in helping to develop a clear information-technology strategic view and to leverage the technology necessary to efficiently achieve its mission. The information technology governance model has been recently redefined to address these challenges, and a number of information-technology projects are now more explicitly linked to these objectives, which has in turn led to tangible improvements. For example, most of the projects covered as part of the audit sample are now accompanied by a project status report based on a common template used in the PM² methodology.

    In addition, the Publications Office has made good use of business process modelling practices for modelling and designing the business processes, although the auditors noted that an update is now required. Moreover, the Office uses the corporate business process modelling tool ARIS (architecture of integrated information systems) to model and support the different business workflows, as recommended by corporate best practices ( 24 ).

    The Internal Audit Service identified one issue concerning governance practices for monitoring of programmes and projects and formulated the following very important recommendation:

    The Publications Office of the European Union should improve project status reporting in order to make it more objective and fact-based. This should include the introduction and regular update of a multi-year information-technology programme roadmap, showing the dependencies of all the projects per strategic objective (programme). In parallel, the Office should update its governance framework to reflect the lessons learnt from the past and current operational practices. This should include defining the roles and responsibilities of the project / programme steering committees, together with accompanying working modalities. The Office should also update the modelling of core-business processes and supporting information systems and ensure that the information-technology architecture is adapted accordingly. It should also ensure that the project support office plays a full role in the information technology governance set-up, starting with a clear definition of its role and responsibilities.

    Additional information provided by OP on the measures drawn up and/or implemented following the Internal Audit Service audit

    The action plan submitted was accepted by the Internal Audit Service. Work on its implementation started in 2019 and is progressing as planned. Several action points related to these recommendations have already been implemented.

    4.Audit on information-technology governance and project management in DG EAC

    The objective of the audit was to assess the adequacy of the design and the efficiency and effectiveness of the management and control systems put in place by the Directorate-General for Education, Youth, Sport and Culture for its information technology governance and project management processes.

    There were no reservations in the Directorate-General’s 2018 annual activity report that relate to the areas/processes audited. The fieldwork was finalised on 11 November 2019. All recommendations relate to the situation as of that date.

    The Internal Audit Service noted a number of good practices within the Directorate-General regarding information technology governance and project management practices:

    ·Defined, formalised and implemented information-technology governance arrangements, consisting of both information-technology and business stakeholders who periodically discuss, monitor and decide upon information-technology activities and their objectives. This ensures that information-technology is seen by senior management as a key component in delivering on the Directorate-General’s policies. It also ensures business-focused and value-driven information-technology activities.

    ·An efficient risk-management process, which focuses on policy priorities and major impacts and integrates information-technology risks in the overall business context. This provides a better understanding and impact assessment for information-technology risks identified.

    ·Defined project management and software development methodology aligned with the Commission standards.

    ·Comprehensive involvement of stakeholders through formal project organisation structures. This ensures that business requirements and expectations are identified, continuously validated and, if needed, updated throughout the project.

    The Internal Audit Service did not formulate any critical or very important recommendations.

    PART 2: Follow-up engagements (summarised)

    1.Follow-up audit on DG AGRI’s control strategy for the 2014-2020 common agricultural policy

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendations were adequately and effectively implemented and were closed:

    Recommendation No 1 (very important): financial corrections;

    Recommendation No 2 (important): follow-up of identified deficiencies;

    Recommendation No 3 (important): procedures for financial corrections based on errors detected by the certification bodies;

    Recommendation No 4 (important): audit strategy and audit plan;

    Recommendation No 6 (important): handling of Member State reporting requirements on their control systems.

    2.Follow-up audit in DG AGRI on the process for managing and sharing data on agri-environmental climate issues in DG AGRI, DG CLIMA and DG ENV

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendations were adequately and effectively implemented and were closed:

    Recommendation No 2 (very important): coordination of Member State reporting requirements and re-use of data;

    Recommendation No 3 (important): registration, storage, and sharing of agri-environmental data collected by the Directorate-General for Agriculture and Rural Development, the Directorate-General for Climate Action and the Directorate-General for Environment;

    Recommendation No 4 (important): dissemination of agri-environmental climate data.

    The following recommendation was assessed as not fully and/or adequately implemented:

    Recommendation No 1 (very important): mapping of information needs and available data related to agri-environmental climate issues.

    The Internal Audit Service noted the progress made in implementing the action plan. In particular, the Directorate-General for Agriculture and Rural Development attended the meetings of the Eurostat working groups on agri-environmental climate statistics and indicators. In addition, it participated in the meetings of the environmental-knowledge community and introduced relevant indicators into the indicator inventory created by the Directorate-General for Environment. It also provided the Directorate-General for Environment and the Directorate-General for Climate Action with access to some of its local databases (data/notifications received from the Member States, such as RDIS and ISAMM). However, certain sub-actions were not yet finalised. These non-finalised sub-actions were linked to: (i) the Eurostat inventory on ‘other statistics’; (ii) the post-2020 regulation on statistics on agricultural inputs and outputs; and (iii) the memorandum of understanding between the Directorate-General for Agriculture and Rural Development and Eurostat. Nonetheless, the Internal Audit Service considered that the progress made in implementing the recommendation is sufficient to downgrade this recommendation to important. Subsequently, the Directorate-General for Agriculture and Rural Development reported the recommendation as implemented and is awaiting the follow-up check by the Internal Audit Service.

    3.Follow-up audit in DG CLIMA on the process for managing and sharing data on agri-environmental climate issues in DG AGRI, DG CLIMA and DG ENV

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendations were adequately and effectively implemented and were closed:

    Recommendation No 2 (very important): coordination of Member State reporting requirements and re-use of data;

    Recommendation No 3 (important): registration, storage, and sharing of agri-environmental data collected by the Directorate-General for Agriculture and Rural Development, the Directorate-General for Climate Action and the Directorate-General for Environment;

    Recommendation No 4 (important): dissemination of agri-environmental climate data.

    The following recommendation was assessed as not fully and/or adequately implemented:

    Recommendation No 1 (very important): mapping of information needs and available data related to agri-environmental climate issues.

    The Internal Audit Service noted the progress made in implementing the action plan. In particular, the Directorate-General for Climate Action attended the meetings of the Eurostat working groups on agri-environmental climate statistics and indicators. In addition, it participated in the meetings of the environmental-knowledge community and received access to some of the Directorate-General for Agriculture and Rural Development’s local databases (data/notifications received from the Member States, such as RDIS and ISAMM). However, certain sub-actions were not yet finalised. These non-finalised sub-actions were linked to: (i) the Eurostat inventory on ‘other statistics’; and (ii) the memorandum of understanding between the Directorate-General for Climate Action and Eurostat. Nonetheless, the Internal Audit Service considered that the progress made in implementing the recommendation is sufficient to downgrade this recommendation to important.

    4.Follow-up audit in DG ENV on the process for managing and sharing data on agri-environmental climate issues in DG AGRI, DG CLIMA and DG ENV

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendations were adequately and effectively implemented and were closed:

    Recommendation No 2 (very important): coordination of Member State reporting requirements and re-use of data;

    Recommendation No 3 (important): registration, storage, and sharing of agri-environmental data collected by the Directorate-General for Agriculture and Rural Development, the Directorate-General for Climate Action and the Directorate-General for Environment;

    Recommendation No 5 (important): coordination and working arrangements with the European Environmental Agency for the management of agri-environmental climate data.

    The following recommendations were assessed as not fully and/or adequately implemented:

    Recommendation No 1 (very important): mapping of information needs and available data related to agri-environmental climate issues.

    The Internal Audit Service noted the progress made in implementing the action plan. In particular, the Directorate-General for Environment attended the meetings of the Eurostat working groups on agri-environmental climate statistics and indicators. It also participated in the meetings of the environmental-knowledge community and received access to some of the local databases of the Directorate-General for Agriculture and Rural Development (data/notifications received from the Member States, such as RDIS and ISAMM). However, certain sub-actions were not yet finalised. These non-finalised sub-actions were linked to: (i) the Eurostat inventory on ‘other statistics’; and (ii) an update of the memorandum of understanding between the Directorate-General for Environment and Eurostat. Nonetheless, the Internal Audit Service considered that the progress made in implementing the recommendation is sufficient to downgrade this recommendation to important.

    Recommendation No 4 (important): dissemination of agri-environmental climate data.

    The Directorate-General for Environment has yet to make data available through the open-data portal.

    5.Follow-up audit on early implementation of the ESIF control strategy 2014-2020 in DG MARE (based on two follow-up audits performed in 2019)

    Based on the results of the follow-up audits, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 10 (very important): audits on financial instruments.

    6.Follow-up audit on early implementation of the ESIF control strategy 2014-2020 in DG EMPL (based on two follow-up audits performed in 2019)

    Based on the results of the follow-up audits, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 10 (very important): audits on financial instruments.

    7.Follow-up audit on early implementation of the ESIF control strategy 2014-2020 in DG REGIO (based on two follow-up audits performed in 2019)

    Based on the results of the follow-up audits, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 10 (very important): audits on financial instruments.

    8.Follow-up audit on major projects in DG REGIO

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 3 (important): appraisal of major projects.

    9.Follow-up audit on the management of recovery orders for competition fines and recovery orders in the context of the Commission’s corrective capacity – Phase 1 in DG CONNECT (based on two follow-up audits performed in 2019)

    Based on the results of the follow-up audits, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 1 (important): encoding of the recovery context in ABAC.

    The following recommendation was assessed as not fully and/or adequately implemented:

    Recommendation No 2 (important): monitoring of – and reporting on – the uncashed recovery orders.

    In line with the action plan, the Internal Audit Service noted that the Directorate-General for Communications Networks, Content and Technology improved the monitoring of the uncashed recovery orders by:

    ·setting objectives and indicators, which are applicable for all recovery files as of the beginning of 2019 (these indicators are monitored on a daily basis by the unit in charge);

    ·reporting to management in March 2019 on the detailed state of play of 2018 activities;

    ·reinforcing the recovery team in Unit R.1 in order to clear the backlog of recovery orders existing at the time of the audit by the Internal Audit Service;

    ·merging the two existing Excel files used to track liquidated damages into one single file and monitoring the situation, in particular with the Legal Service.

    However, while acknowledging the actions taken, the Internal Audit Service considered that the risks related to the backlog of recovery files were not yet sufficiently mitigated. Since the finalisation of the original audit by the Internal Audit Service, a new backlog has built up. Although the ageing profile is lower than at the time of the audit, this situation will need to be monitored carefully over time to see whether the measures taken are yielding more effective results.

    10.Follow-up audit on the production process and the quality of statistics not produced by Eurostat in DG ENER (based on two follow-up audits performed in 2019)

    Based on the results of the follow-up audits, the Internal Audit Service concluded that the following recommendations were adequately and effectively implemented and were closed:

    Recommendation No 1 (important): completion of the statistical inventory and master plan;

    Recommendation No 2 (important): management of the statistical process by the Directorate-General for Energy.

    11.Follow-up audit on legacy programmes in DG ENER

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendations were adequately and effectively implemented and were closed:

    Recommendation No 1 (important): procedures for – and monitoring of – closure processes;

    Recommendation No 3 (important): management of major changes to the seventh framework programme grant agreements.

    12.Follow-up audit on activities in the JRC to support intellectual-property rights

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendations were adequately and effectively implemented and were closed:

    Recommendation No 3 (important): efficiency and effectiveness of the intellectual-property-rights network in the Commission;

    Recommendation No 4 (very important): software and information-technology solutions.

    13.Follow-up audit on human-resources management in the JRC

    The following recommendation was assessed as not fully and/or adequately implemented:

    Recommendation No 3 (important): documentation of the recruitment process.

    Two out of three sub-recommendations have been adequately and effectively implemented as set out in the two bullet points below.

    ·Sub-recommendation No 3.2

    During its recruitment exercises, the JRC started to employ not only the selection-evaluation template, but also in relevant cases the corporate template for the pre-selection phase. This ensures that the selection process is documented in compliance with the updated Guide for recruiting units on selection & recruitment of contract agents.

    ·Sub-recommendation No 3.3

    The questionnaire for staff members who attend or may be interested in attending interviews as part of the recruitment panel has been prepared. Based on the survey results, the JRC drew up the list of its employees with basic knowledge of human-resources management who can attend interviews as external members to ensure human-resources expertise in the panels.

    However, the Internal Audit Service did not consider that sub-recommendation No 3.1 was fully implemented. The updated Guide for recruiting units on selection & recruitment of contract agents and the available template for the pre-selection phase ensure consistent documentation of the process for the position published. However, when the position is not published and the potential candidates are pre-selected from the recruiter portal, the pre-selection grid is not completed and the pre-selection phase is not documented. Consequently, the procedure should be modified by extending the mandatory use of the pre-selection template to all recruitment procedures.

    14.Follow-up audit on past audits in DG RTD

    Audit on Horizon 2020 grant management

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 4(a) (important): evaluation procedures and lessons learnt.

    Audit on Horizon 2020 project management in the Directorate-General for Research and Innovation

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendations were adequately and effectively implemented and were closed:

    Recommendation No 2(a) (important): guidance, support and training;

    Recommendation No 3 (important): implementation of ethics requirements.

    15.Follow-up audit on direct management of grants in DG DEVCO

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 1 (important): design of the projects.

    16.Follow-up audit on the assurance-building process in DG DEVCO’s Headquarters

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 2 (very important): guidance, instructions and management declarations.

    17.Follow-up audit on the management of investment facilities (financial instruments) in DG DEVCO

    The following recommendations were assessed as not fully and/or adequately implemented:

    Recommendation No 1 (very important): blending project cycle; post-contract signature phase – monitoring project implementation.

    The Internal Audit Service acknowledged the actions taken by the Directorate-General for International Cooperation and Development to implement the recommendation (compulsory in-house training; improvements made to the Excel database of projects; the instruction note addressed to its directors and to EU Delegations). Nevertheless, a number of measures have not yet been implemented, notably: (i) the improvement of monitoring at the Directorate-General for International Cooperation and Development headquarters level via a results-oriented monitoring consolidated report and an annual report based on external-action management reports; (ii) the replacement of the current Excel database by a more automated solution; and (iii) the update of the Guidelines on EU blending operations. In the light of the above, the Internal Audit Service decided to maintain the rating.

    Recommendation No 2 (very important): pre-financing.

    The Internal Audit Service assessed that the three short-term measures implemented (an instruction note addressed to the directors of the Directorate-General for International Cooperation and Development and to EU Delegations; a presentation to the EU platform on blending in external cooperation on the reporting requirements to be met by the international financial institutions; and an information-technology report on pre-financing transactions to facilitate the proactive monitoring of pre-financing payments) contribute to the reduction of the risk identified by the audit conducted by the Internal Audit Service. Consequently, the rating of the recommendation was downgraded to important.

    18.Follow-up audit on the performance-management system in DG DEVCO

    The following recommendations were assessed as not fully and/or adequately implemented:

    Recommendation No 2 (important): monitoring of – and reporting on – the performance of the Directorate-General for International Cooperation and Development towards achieving its objectives.

    As stated by the Directorate-General for International Cooperation and Development, ‘OPSYS release 2.1 took a significant step towards monitoring and reporting of results of ongoing projects. However, it was not in time to carry out the 2019 results-reporting exercise’. Furthermore, certain requirements needed for monitoring and reporting are not yet available and will only be available with OPSYS releases 2.2 and 3.1. Full implementation of certain other sub-recommendations resulting from this audit (see below) also depends partly on the next OPSYS releases.

    Recommendation No 3 (important): definition of objectives and performance indicators in the strategic plan/management plan of the Directorate-General for International Cooperation and Development.

    ·Sub-recommendations No 3.3 and 3.4

    The Internal Audit Service considered these sub-recommendations to be adequately implemented for two reasons. Firstly, the Directorate-General for International Cooperation and Development improved the presentation of the key performance indicators in the internal management plan. Since the 2018 planning exercise, Annex 3 of the management plan outlines the link between the key performance indicators of the Directorate-General for International Cooperation and Development and the related organisational objectives. Secondly, the Directorate-General for International Cooperation and Development reviewed the existing internal/organisational indicators and assessed their relevance for the directorates and the delegations. The Directorate-General concluded that there was no need to modify the templates and instructions for the preparation of: (i) the management plan; (ii) the external assistance management reports; or (iii) the reports by the Authorising-Officer by Sub-delegation.

    However, the following two sub-recommendations were not fully implemented.

    ·Sub-recommendation No 3.1

    Although specific objectives and indicators of the 2016-2020 strategic plan were revised, and specific objectives reformulated, the definition of these objectives can be improved in accordance with the SMART criteria (primarily by making them more specific and measurable). In addition, the specific objectives for the next multi-annual financial framework have not yet been decided. Consequently, the Directorate-General for International Cooperation and Development should improve the formulation of its specific objectives during the next strategic planning exercise.

    ·Sub-recommendation No 3.2

    Although the Directorate-General for International Cooperation and Development updated indicators for the specific objectives of the 2016-2020 strategic plan, the definition of the milestones and targets was not reviewed. Furthermore, complete implementation of this recommendation depends on the next OPSYS releases. In addition, the indicators for the next multi-annual financial framework, as well as their milestones and targets, have not yet been decided.

    Recommendation No 4 (important): EU result framework (set-up).

    ·Sub-recommendations No 4.1 and No 4.4:

    The Internal Audit Service considered these sub-recommendations to be adequately implemented, for two main reasons. Firstly, the Directorate-General for International Cooperation and Development revised and updated the EU result framework by indicating ‘results statements’ for each of the sustainable development goals. All ‘level 1’ and ‘level 2’ indicators now have an associated results statement to demonstrate which results relate to which objectives. In addition, the revised 2016-2020 strategic plan maps the specific objectives of the Directorate-General against the result framework. Secondly, the Directorate-General for International Cooperation and Development revised the EU result framework to increase the sector coverage by including (where appropriate) missing indicators on migration and asylum; civil society organisations; and local authorities.

    However, this recommendation cannot be closed as the implementation of sub-recommendations No 4.2 and 4.3 depends on future OPSYS releases.

    Recommendation No 5 (important): the Directorate-General for International Cooperation and Development key performance indicators.

    ·Sub-recommendations No 5.2 and 5.3

    The Internal Audit Service considered these sub-recommendations to be adequately implemented for two main reasons. Firstly, the Directorate-General for International Cooperation and Development updated the formulation and methods to evaluate the results of some key performance indicators. Four secondary indicators on moderately problematic (‘orange’) projects were created and their results are presented in the annex of the annual activity report. In addition, two key performance indicators were renamed in line with what they actually measure. Moreover, the evaluation methods of two audit-related key performance indicators were changed to match them to their names. Secondly, the Directorate-General for International Cooperation and Development aligned the name of the groups of key performance indicators with their content (i.e. what they measure).

    The Internal Audit Service assessed the following sub-recommendations as not fully implemented:

    ·Sub-recommendation No 5.1(a)

    The Directorate-General for International Cooperation and Development did not introduce an indicator to measure and report on the ‘percentage of completed projects that achieved all (or most) of their objectives’. Furthermore, the implementation of the action plan partially depends on future OPSYS releases.

    ·Sub-recommendations No 5.1(b) and 5.1(e)

    The Internal Audit Service recommended that the Directorate-General for International Cooperation and Development introduce indicators to measure and report on important aspects of performance. The Directorate-General for International Cooperation and Development introduced ‘secondary indicators’ which do not have the same quality as the official key performance indicators. In particular, they do not have targets so they cannot be used to measure performance. In addition, the indicator ‘percentage of projects completed on time’ is measured through the percentage of completed ‘decisions’ and not completed ‘projects’.

    ·Sub-recommendation No 5.1(c)

    The Internal Audit Service acknowledged that, to implement the sub-recommendation, the Directorate-General for International Cooperation and Development introduced the new key performance indicator ‘percentage of payments paid within contractual deadline’. However, the Internal Audit Service observed that the associated target is lower than the results achieved in previous years, with no particular justification for this choice.

    ·Sub-recommendation No 5.1(d)

    The calculation of two key performance indicators measuring the timely completion of annual audit plans was changed to fit their names. Nevertheless, the key performance indicator for implementation of the annual audit plan in year N-1 continues to be measured based on the submission dates of the draft audit reports. In addition, the benchmarks for these indicators are set lower than the actual results of previous years with no explanation for these figures either.

    19.Follow-up audit on the instrument contributing to stability and peace in FPI

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 2 (important): project-level objectives and indicators.

    The following recommendations were assessed as not fully and/or adequately implemented:

    Recommendation No 1 (important): swiftness of launching crisis-response actions.

    ·Sub-recommendation No 1(a):

    The Internal Audit Service considered this sub-recommendation to be adequately implemented for four main reasons. Firstly, FPI defined in an internal note: (i) key milestones for the identification/formulation phase and the contracting phase; and (ii) the relevant time required for each phase. Secondly, FPI designed and implemented a template that allows for the monitoring of the time spent in each phase and can assist the team leaders in identifying cases of delays and taking appropriate actions. Thirdly, FPI adapted the financing-decision template to include the changes required by the new Financial Regulation and the new financing-decision template that is now part of the internal rules. Fourthly, FPI enhanced monitoring during the contracting phase by increasing the level of details provided on activities and targets in: (i) monitoring tools (contracting tables, and the pipeline of the instrument contributing to stability and peace); and (ii) the meetings between the Headquarters and regional teams.

    ·Sub-recommendation No 1(b):

    The actions to be implemented for the next programming period required FPI to analyse the relevance of the current mechanisms in the instrument contributing to stability and peace. The goal of this analysis was to adapt the instrument’s basic act to allow for faster crisis response. Proposals were made by FPI to the central services in this respect. However, these proposals need to be streamlined with the new common instrument for neighbourhood, development and international cooperation, the modalities of which have not yet been discussed. The recommendation cannot therefore be considered as implemented at this stage.

    Recommendation No 3 (important): guidance to – and supervision of – EU Delegations.

    FPI: (i) clarified the rules for contract extensions in the interim-response programme and monitored the application of these rules in exceptional-assistance measures and the interim-response programme; (ii) improved access to guidance for all old and new staff on the operational instrument contributing to stability and peace; (iii) improved reporting on projects from EU Delegations working on the instrument contributing to stability and peace; and (iv) reminded EU Delegations of the rules on negotiation reports.

    However, sub-recommendation No 3(c) related to the clarification of guidance on field visits specific to the instrument contributing to stability and peace (including guidance on the frequency of visits; documentation requirements; and the monitoring of compliance with the requirements) is considered to be not fully implemented. A workshop on the subject took place during the 2017 ‘FPI days’ meeting, but there is no written guidance resulting from the workshops or other sources. Nor is there any evidence of the information and guidance discussed in the workshops.

    20.Follow-up audit on Erasmus+ and Creative Europe – grant-management phase 2 (from project monitoring to payment) in EACEA 

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was not fully and/or adequately implemented:

    Recommendation No 3 (critical): assurance on the functioning of the internal control system.

    ·Information from the Authorising Officers by Sub-delegation

    The EACEA revised the template for the reporting by Authorising Officers by Sub-delegation to the Authorising Officer by Delegation, which was used as part of the preparation of the 2018 annual activity report. The Internal Audit Service tested a sample of three reports by Authorising Officers by Sub-delegation.

    The template for the reporting of the Authorising Officers by Sub-delegation includes one general question on the internal controls in the unit, i.e. ‘What is your assessment of the control activities in place within your unit (risks are adequately mitigated, procedures are available and adequate)?’. However, it does not explicitly require the Authorising Officer by Sub-delegation to provide more details on the controls in place and their effectiveness.

    The Internal Audit Service found that the reports contain general statements such as ‘internal control systems in the unit are well defined and function efficiently...’ but that there was no additional information on the controls implemented (type, coverage, frequency and depth) and their results. Consequently, it is not possible to assess on which basis the statement on the effectiveness of controls included in the annual activity report has been built.

    The Internal Audit Service concluded that this sub-recommendation is not yet implemented.

    ·Non-compliance and exception report

    Development of a central register

    The EACEA has developed a register which is available on its intranet and is regularly filled in (since 1 January 2019, four cases have been reported in the register). For each entry, the register summarises information on: the nature of the issue (exception or non-compliance); the description of the event; the financial impact of the issue; the cause of the deviation; and the corrective measures to mitigate the risks and prevent the risks from recurring. However, the template does not include information about the internal control(s) that failed. Thus the register does not make it possible to identify structural/cross-cutting issues in order to decide on the necessary measures to address them. This limits the extent and effectiveness of the monitoring at central level.

    In this respect, the Internal Audit Service observed that the last version of the template for the notification of non-compliance or for exceptions contains a specific reference to ‘controls not effective’. The Internal Audit Service considered that this reference could also be reported in the register. The Internal Audit Service also suggested including in the register the date of the document in order to clearly indicate when the last entry was made.

    Provision of support and advice to operational units

    The EACEA has revised the procedure for handling exceptions and non-compliance events. To ensure the reliability and robustness of the file, the EACEA has also introduced an obligation to consult: (i) the person in charge for risk management and internal control; (ii) the director’s team member; and (iii) the legal team's head of sector. The contribution of these three people must be formally recorded in the declaration of exceptions. The Internal Audit Service analysed the four cases declared so far in 2019 and found that the new procedure is adequately implemented. In particular: (i) the risk-management-and-internal-control team provided support and quality control; (ii) the exception requests included adequate assessment and justification for the case; and (iii) the information provided to the director was complete.

    On 23 January 2019, the acting director of the agency reminded the heads of unit of the need to draw the attention of their staff (and more particularly the Authorising Officers by Sub-delegation) to the importance of correctly handling exceptions.

    On 28 February 2019, the EACEA and the Directorate-General for Budget organised a two-hour training session for all Authorising Officers by Sub-delegation. The Directorate-General for Budget gave a general presentation about exceptions and non-compliance events and the EACEA made a detailed presentation about the new procedure (guidance) applicable to the initiating actors in the EACEA.

    Monitoring the effective implementation of mitigating actions

    The new guidelines (V. 1.0 of 23 January 2019) state that ‘the implementation of the proposed mitigating measures to avoid a recurrence of the action is to be centrally monitored, incorporated into the internal control-assessment progress, and be included into the agreed set of reporting requirements to senior management and Steering Committee of the EACEA.’

    The EACEA provided evidence of checks carried out on the implementation of the mitigating measure for individual exceptions by the risk-management-and-internal-control team. However, there is no evidence of structural monitoring at central level of the proposed mitigating measures defined for the exceptions/non-compliance events that occurred in 2018.

    Preparation of an overview of all exceptions and non-compliance events for the director

    The EACEA performed a ‘specific assessment of its register of exception requests and notification of non-compliance event as per 31/12/2018’. The note contains a summary of the exceptions and non-compliance events that were declared in 2018 (so using the previous template), complemented by: (i) an overall conclusion on the internal control principles mostly affected and specific actions to be taken; and (ii) the identification of the structural changes that need to be introduced in the management of the exceptions.

    However, the analysis needed to be improved as it did not contain a specific assessment of the internal controls that did not work effectively or that were lacking and it did not distinguish between exceptions and non-compliance. Moreover, the note included a very general statement on the mitigating measures, without providing elements supporting this conclusion.

    The Internal Audit Service concluded that the sub-recommendations related to the non-compliance and exception reports have been partially implemented as regards the design of the process and its practical implementation.

    Taking into account the progress already made, the Internal Audit Service considered that the EACEA has partially mitigated the underlying risks and therefore downgraded the rating of recommendation No 3 from critical to very important.

    Additional information provided by the EACEA on the measures defined and/or implemented following the Internal Audit Service audit

    The Internal Audit Service follow-up audit in early 2019 (March) was a limited review to assess the initial critical recommendation in view of the finalisation of the 2018 annual activity report, well before the deadlines agreed in the audit action plan. That review downgraded the critical recommendation to very important.

    Since the limited review, the EACEA has continued working on the agreed action plan, including by giving regular status updates to senior management, parent Directorates-General and the Steering Committee. In summary, the agency has flagged the four audit recommendations (three very important and one important) as fully implemented within the agreed timeframe and ready for review. The Internal Audit Service is currently performing the review process.

    21.Follow-up audit on monitoring the implementation and performance of 2014-2020 national programmes by DG HOME

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 1 (important): processes for monitoring and reporting on the implementation and performance of national programmes.

    22.Follow-up audit on activities in DG DEFIS to support intellectual-property rights

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was not fully and/or adequately implemented:

    Recommendation No 1 (important): intellectual-property-rights management in the Galileo and European geostationary navigation overlay service programmes.

    As the dynamic intellectual-property-inventory information system (EURECA) is not yet available, the Directorate-General for Defence Industry and Space is not yet in a position to implement the above-mentioned recommendation.

    23.Follow-up audit on evaluation in DG ECFIN

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 2 (important): organisation of the evaluation process.

    24.Follow-up audit on the effectiveness and efficiency of the performance-management system in DG FISMA

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 3 (important): traceability of the process to prepare the strategic plan/management plan.

    25.Follow-up audit on the production process and the quality of statistics not produced by Eurostat in DG FISMA

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 2 (important): management of the statistical process by the Directorate-General for Financial Stability, Financial Services and Capital Markets Union.

    26.Follow-up audit on the production process and the quality of statistics not produced by Eurostat in DG GROW

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 2 (very important): management of the statistical process by the Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs.

    27.Follow-up audit on the supervision of outsourced information-technology operations in DG TAXUD

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendations were adequately and effectively implemented and were closed:

    Recommendation No 1 (important): ensuring information-technology service continuity;

    Recommendation No 3 (important): audit arrangements.

    28.Follow-up audit on past audits in DG TRADE

    Audit on internal processes supporting trade-policy negotiations

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 5 (important): information-technology support to trade negotiations.

    29.Follow-up audit on the effectiveness and efficiency of the new early-detection and exclusion system in protecting the EU’s financial interests – DG BUDG

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 8 (important): monitoring deadlines of early-detection and exclusion system panel procedures.

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was not fully and/or adequately implemented:

    Recommendation No 1 (very important): guidelines and awareness raising.

    In line with the action plan, the Directorate-General for Budget published the corporate guide for the early-detection and exclusion system. The Directorate-General for Budget also launched a communication plan, endorsed by the Corporate Management Board in March 2019, to increase awareness about the early-detection and exclusion system within the Commission and to set the appropriate tone at the top.

    The Internal Audit Service acknowledged that progress was made in raising awareness and guiding external stakeholders in the use of the early-detection and exclusion system (e.g. via workshops targeting different management modes). However, further actions are still needed to raise awareness on the use of the early-detection and exclusion system at the level of Member State authorities. These actions should include: (i) nominating ‘national user administrators’ for the early-detection and exclusion system; and (ii) participating in the relevant working groups in the Council and in expert groups with Member State experts.

    The risks identified during the audit have not been adequately mitigated in the area of shared management as outlined above. Nevertheless, the Internal Audit Service considered that the actions implemented so far have increased the overall level of awareness of the early-detection and exclusion system and have therefore reduced the residual risk. Consequently, the recommendation was downgraded to important.

    30.Follow-up audit on the procurement process in DG DIGIT

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 2 (important): low-value procurement procedures.

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was not fully and/or adequately implemented:

    Recommendation No 3 (important): sensitive functions and ABAC access rights.

    The Internal Audit Service recommended to the Directorate-General for Informatics that it (i) finalise the assessment of potentially sensitive functions in the Directorate-General and follow-up on the results in line with the applicable guidance; and (ii) implement the existing action plan to address the findings of the ABAC access-rights review.

    On point (i), the Internal Audit Service acknowledged that the list of sensitive functions has been updated. However, the process for assessing sensitive functions is not adequately structured and documented. Point (i) is therefore only partially implemented. 

    The process for assessing sensitive functions should be documented with an analysis of the financial and reputational risks linked to a function that may be considered sensitive, as well as the internal controls (such as the segregation of duties, the four-eyes principle, strong supervisory mechanisms, and information-technology control mechanisms) which allow for the function not to be considered as sensitive. In addition, the roles and responsibilities of the person performing the coordination of the exercise should be clearly defined and the sensitive-functions list should be endorsed by the hierarchy.

    On point (ii), the Directorate-General for Informatics has addressed the issues identified in the action plan on the validation of ABAC access rights. In addition, adequate monitoring has been ensured. Two meetings were held in July 2018 and January 2019 to follow up on the progress of implementation. A state of play has been prepared, which includes future actions to take. Therefore, point (ii) can be considered as fully implemented.

    31.Follow-up audit on the statistical production process and the quality of statistics not produced by Eurostat in DG ESTAT

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 5 (very important): referencing and use of a disclaimer when publishing other statistics.

    32.Follow-up audit on management of intra-muros contractors in DG HR

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was not fully and/or adequately implemented and was re-opened:

    Recommendation No 1 (very important): corporate framework for the use of intra-muros contractors.

    The Internal Audit Service recommended that the Directorate-General for Human Resources and Security develop a corporate framework and guidelines for the use of intra-muros contractors. The guidelines have not yet been finalised by the Directorate-General for Human Resources and Security and have therefore not yet been endorsed by the Corporate Management Board. However, the Internal Audit Service acknowledged that progress has been made in implementing the recommendation. Firstly, the Directorate-General for Human Resources and Security identified the main structure and parts of the guidelines by consulting the Resource Directors of all the Directorates-General in cooperation with the Directorate-General for Budget and the Directorate-General for Informatics. Secondly, the Directorate-General for Human Resources and Security developed a draft of the corporate guidelines in April 2019, and requested comments from the Directorates-General/services concerned. The draft guidelines cover the appropriateness of the use of intra-muros contractors through a cost-benefit analysis as well as the daily management of those contractors. However, the Internal Audit Service noted that the draft guidelines did not cover the issues related to achieving value for money for ‘times and means’ contracts, where there is no incentive for the contractor to increase efficiency, as opposed to ‘result’ contracts.

    Consequently, the risks that were identified during the audit, regarding the ineffective or inefficient use of intra-muros contractors and inconsistent practices across the Commission, have not been adequately mitigated.

    Moreover, the Internal Audit Service noted that there have recently been several developments at the corporate level regarding intra-muros contractors. In particular, when discussing the topic in October 2019, the Corporate Management Board recommended freezing the number of intra-muros service providers at the current levels with immediate effect. It also invited all Directorates-General to reduce their reliance on service providers with office space in the Commission by at least 5% by mid-2020. The Internal Audit Service therefore stressed the importance for the Directorate-General for Human Resources and Security to consider all these aspects when finalising the guidelines.

    33.Follow-up audit on ethics in OLAF 

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was adequately and effectively implemented and was closed:

    Recommendation No 1 (very important): use of social media and contacts with interest groups.

    34.Follow-up audit on the charge-back process in PMO

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendations were adequately and effectively implemented and were closed:

    Recommendation No 2 (very important): cost methodology.

    Recommendation No 3 (important): efficiency of the invoicing system.

    The Internal Audit Service concluded that the following recommendation was not fully and/or adequately implemented and was re-opened:

    Recommendation No 1 (very important): service-level agreements.

    The Internal Audit Service acknowledged that the Office for the Administration and Payment of Individual Entitlements made significant progress in implementing the recommendation by putting in place a series of actions, namely:

    ·a catalogue of services with estimated unit costs was included in the annex to the service-level-agreement template;

    ·a charge-back methodology and service-level-agreement templates have been designed in compliance with the central guidance;

    ·provisions on reporting have been included in the service-level-agreement template ‘General Conditions’ Article 3 (which is in line with the 2018 central guidelines on the external charge-back process issued by the Directorate-General for Budget) and key performance indicators have been defined and are published monthly on the PMO website;

    ·the 2018 reporting to the Corporate Management Board of March 2019 follows the requirements set out in the corporate guidance on charge-back.

    However, the revision of all existing service-level agreements with external clients has not yet been fully completed. This is because the new service-level agreements have only been signed with agencies and joint undertakings, but not with other European institutions (except for the Council). This means that the Office for the Administration and Payment of Individual Entitlements is offering services at 2017 prices (which are lower than the current prices paid by other clients) to the European institutions that have not signed a new service-level agreement. Applying two pricing systems in parallel infringes the principle of equal treatment of clients, which was one of the key risks identified during the Internal Audit Service audit.

    The Internal Audit Service acknowledges that the Office for the Administration and Payment of Individual Entitlements informed the Directorate-General for Budget and the Legal Service about the refusal of the European Parliament and resistance of other institutions to sign the new agreements. The Office for the Administration and Payment of Individual Entitlements has also asked for the Corporate Management Board’s support in the negotiations for the agreements with all the European institutions in its report of March 2019. The Internal Audit Service encouraged the Office for the Administration and Payment of Individual Entitlements to engage in further actions, involving the Directorate-General for Budget if needed, to speed up the negotiation process and finalise the signature of the new service-level agreements with all its external clients before the next report to the Corporate Management Board.

    35.Follow-up audit on former Internal Audit Capability (IAC) audits in PMO

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendation was not fully and/or adequately implemented:

    IAC audit on management of accident’s insurance in PMO.3

    Recommendation No 5 (very important): reliable monitoring of accident files.

    The Internal Audit Capability recommended that the Office for the Administration and Payment of Individual Entitlements design, develop and implement an effective monitoring system for accident files. It recommended that this system include: (i) efficient management of delays (e.g. a warning system); (ii) tracing controls of accident costs submitted for reimbursement; and (iii) correct calculation of permanent partial-invalidity capitals.

    The recommendation has been addressed by the Office for the Administration and Payment of Individual Entitlements as part of developing the information-technology tool Assmal2 ('assurance maladie') in the ‘accidents’ module. The Internal Audit Service noted that Assmal2 includes pre-defined deadlines for the key steps in processing an accident file. These deadlines are in place only for the accident files encoded in Assmal2, notably those opened after the Assmal2 ‘accidents’ module was launched in May 2018. According to the Office for the Administration and Payment of Individual Entitlements, a limited number of older accident files, which are in the final phase of the administrative process, are not encoded in Assmal2 and are monitored separately.

    The Internal Audit Service noted that Assmal2 has features that can provide an overview of the accident files per case handler, including the related deadlines. This information is available on the screen or can be obtained in the form of a business-object report. However, no such report is extracted on a regular basis and monitored by staff or management.

    The Internal Audit Service also recommended that the Office for the Administration and Payment of Individual Entitlements implement a warning signal (which can be an email sent to the case handler) when a deadline in the process has lapsed. This warning signal would draw attention to the fact that action needs to be taken on a specific file. The Internal Audit Service found that this feature has yet to be implemented as part of Assmal2.

    Therefore, the Internal Audit Service considered that, overall, the Office for the Administration and Payment of Individual Entitlements has yet to put in place effective monitoring of the accident files, even though certain technical means are available (but not fully used) to facilitate this process.

    The reimbursement process for the accident files is currently integrated in the Assmal2 ‘accidents’ module. The ‘accidents’ module includes the key steps and the related controls for processing an accident file. It also includes template letters for communicating with the affiliates and the medical advisors. The Internal Audit Service noted that the calculation of the permanent partial-invalidity capitals is still performed manually using Excel files, outside Assmal2. However, the Internal Audit Service did not identify any issues in the calculation of the amounts. Therefore, the Internal Audit Service considered that the measures taken adequately address the risks identified for this part of the recommendation.

    Although the Internal Audit Service assessed that, overall, the recommendation has yet to be fully implemented, it nevertheless considered that the level of implementation was sufficient to reduce the level of residual risk from high to medium. Therefore, the rating of the recommendation was downgraded to important.

    36.Follow-up audit on information-technology governance in DG DEVCO

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendations were adequately and effectively implemented and were closed:

    Recommendation No 2 (very important): data governance.

    Recommendation No 3 (important): information-technology risk-management oversight.

    The following recommendation was assessed as not fully implemented:

    Recommendation No 4 (important): business process governance.

    The Directorate-General for International Cooperation and Development’s revised information-technology-governance framework includes a new governance body in the form of a Process Governance Board, mandated by the Information Technology Board to ensure that business processes are documented, harmonised, optimised and continuously improved. The Directorate-General for International Cooperation and Development appointed external experts to help with this new governance structure, based on a phased approach and encompassing five ‘work packages’. The proposed timeline is estimated at 12 working weeks, starting from mid-November 2019 and will involve the creation of a business case, the set-up of an ad-hoc governance board and communicating with the business-side, as part of a package of preliminary measures before the Process Governance Board can be launched.

    Although the process has clearly begun, the Internal Audit Service considered that the Directorate-General has yet to fully implement the underlying enterprise architecture and business-governance framework in practice, including mandate, roles and responsibilities, resources and workflow between process owners and information-technology system suppliers and service providers.

    37.Follow-up audit on the security of information-technology applications supporting nuclear accountancy and nuclear-inspection processes in DG ENER 

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendations were adequately and effectively implemented and were closed:

    Recommendation No 1 (very important): information-technology-security governance;

    Recommendation No 2 (very important): information-technology security-risk analysis and security arrangements.

    38.Follow-up audit on information-technology governance and portfolio management in DG GROW

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendations were adequately and effectively implemented and were closed:

    Recommendation No 2 (very important): information-technology portfolio and programme management;

    Recommendation No 3 (important): data, information and knowledge-assets strategy.

    39.Follow-up audit on information-technology security in the information-and-communications-technology (ICT) systems of the JRC

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendations were adequately and effectively implemented and were closed:

    Recommendation No 1 (very important): management oversight of information-technology security;

    Recommendation No 2 (very important): information-technology security in the design of new information-technology systems and during maintenance of existing systems.

    The following recommendations were assessed as not fully implemented:

    Recommendation No 3 (very important): deployment of security reference configurations and monitoring of new vulnerabilities.

    The deployment of security reference configurations has not been completed, but the monitoring of new vulnerabilities is already operational.

    In view of the progress made, the IAS downgraded the rating to important since the implementation of the three completed sub-actions results in a lower level of residual risk.

    Recommendation No 4 (very important): inventory of JRC information-technology systems and their security dependencies.

    Although the ICT executive committee endorsed the proposed approach for the development of an integrated inventory-management solution (sub-action 4.1.1), this has yet to be fully implemented. More specifically, there was no central inventory-management solution in place for: (i) the hardware assets in scientific domains that are not managed through an inventory-management tool; and (ii) the information systems not connected to the internet. There was no process in place for maintaining an up-to-date list of active systems. Furthermore, there remained further work to be done to improve coordination of the identified initiatives on network segregation.

    Consequently, although sub-action 4.1.1 was implemented, the IAS considered that in view of the other actions still to be implemented, the residual risk for the recommendation overall remains essentially the same. The IAS therefore maintained the rating.

    40.Follow-up audit on supervision of outsourced information-technology operations in DG TAXUD

    Based on the results of the follow-up audit, the Internal Audit Service concluded that the following recommendations were adequately and effectively implemented and were closed:

    Recommendation No 1 (important): ensuring information-technology service continuity;

    Recommendation No 3 (important): audit arrangements.

    List of follow-up audits performed in 2019 for which all recommendations have been closed after the follow-up

    Based on the results of the follow-up audits performed in 2019, the Internal Audit Service assessed that the audits listed below could be fully closed as all the recommendations had been adequately implemented (25).

    Audit Title

    41. Follow-up audit on the limited review of the adjustment of the reported error rate by DG AGRI and the calculation of the amounts at risk at payment

    42. Follow-up audit on the design of DG AGRI’s performance-measurement system for the 2014-2020 common agricultural policy

    43. Follow-up audit of DG AGRI’s management of the agricultural-market crisis

    44. Follow-up audit on the implementation of rural development programmes in DG AGRI

    45. Follow-up audit on payment suspensions and interruptions in the 2014-2020 common agricultural policy framework in DG AGRI

    46. Follow-up audit on the management of grants under the 2014-2020 consumer and health programmes in CHAFEA

    47. Follow-up audit on food-safety preparedness in DG SANTE

    48. Follow-up audit on staff allocation and process management in response to staff reduction in DG ENV

    49. Follow-up audit on the financial management of the SRSS (current REFORM)

    50. Follow-up audit on closure and accounting processes in DG EMPL

    51. Follow-up audit on policy and funding for youth employment in DG EMPL

    52. Follow-up audit on monitoring the implementation and performance of the fund for European aid to the most deprived operational programmes in DG EMPL

    53. Follow-up audit on preparations for the use of financial instruments in DG EMPL

    54. Follow-up of the limited review of the reporting on the corrective capacity in DG EMPL

    55. Follow-up audit on amendments to 2014-2020 operational programmes in DGs REGIO, EMPL and MARE - DG EMPL

    56. Follow-up audit on amendments to 2014-2020 operational programmes in DGs REGIO, EMPL and MARE - DG REGIO

    57. Follow-up audit on the evaluation process in DG REGIO

    58. Follow-up of the limited review of the reporting on the corrective capacity in DG REGIO

    59. Follow-up audit on human resources management in DG CNECT

    60. Follow-up audit on the management of recovery orders for competition fines and recovery orders in the context of the Commission’s corrective capacity – phase 1 in DG ENER

    61. Follow-up audit on the management and functioning of the nuclear-safeguards service in DG ENER

    62. Follow-up audit on the supervision of the international thermonuclear experimental reactor in DG ENER

    63. Follow-up audit on grant-management phase 2: project management and payments for CEF in INEA

    64. Follow-up audit on grant-management phase 2: project management and payments for H2020 in INEA

    65. Follow-up audit on human-resources management in INEA

    66. Follow-up audit on the management of intra-muros contractors in the JRC

    67. Follow-up audit on the effectiveness of the set-up and supervision of the Shift2Rail joint undertaking by DG MOVE

    68. Follow-up audit on past audits in REA: (1) H2020 grant management, (2) human resources management, (3) closure of FP7 projects

    69. Follow-up audit on H2020 grant management – Phase 2 (project monitoring and ex ante controls) in REA

    (p.m.) (26) Follow-up on past IAS audits in DG RTD: HR management

    70. Follow-up audit on the management of the African Peace Facility in DG DEVCO

    71. Follow-up audit on DG DEVCO’s payment deadlines

    72. Follow-up audit on DG ECHO’s grant management in response to the Syrian crisis in the Middle East (Headquarters and field offices)

    73. and 74. Follow-up audit on procurement under the instrument for pre-accession (direct management and indirect management with beneficiary countries) – Phase 1 in DG NEAR (two follow-up audits performed in 2019)

    75. Follow-up audit on procurement under instrument for pre-accession (direct management and indirect management with beneficiary countries) – Phase 2 in DG NEAR

    76. Follow-up audit on performance-management systems in DG EAC, including the contributions of executive agencies and national agencies to the achievement of policy objectives

    77. Follow-up audit on DG EAC’s: (i) ex post financial audits; (ii) independent audit bodies’ opinions; and (iii) controls on grant-proposal evaluation for Erasmus+ actions implemented by national agencies.

    78. Follow-up audit on human-resources management in EACEA

    79. and 80. Follow-up audit on Erasmus+ and Creative Europe grant-management phase 1 (from the call to the signature of contracts) in EACEA (two follow-up audits performed in 2019)

    81. Follow-up audit on the management of recovery orders for competition fines and for recovery orders in the context of the Commission's 'corrective capacity' – Phase 1 in EACEA

    82. Follow-up audit on risk management in DG HOME

    83. Follow-up audit on risk management in DG JUST

    84. and 85. Follow-up on management of human resources in EASME (two follow-up audits performed in 2019)

    86. Follow-up audit on the setting of objectives and measurement of performance in DG GROW

    87. and 88. Follow-up audit on the performance of the supervision by DG GROW of the European Space Agency’s implementation of Galileo (two follow-up audits performed)

    (p.m.) Follow-up audit on past audits in DG TRADE: audit on ethics

    89. Follow-up audit on the Commission’s framework/arrangements for the estimation, assessment and reporting of the cost effectiveness of controls - DG BUDG

    90. Follow-up audit on the Commission’s governance/oversight arrangements concerning risk management, financial reporting and the ex post verification/audit function – DG BUDG

    91. Follow-up audit on the management of intra-muros contractors in DG COMM

    92. Follow-up audit on the charge-back process in DG DIGIT

    93. Follow-up audit on financial management of grants in Eurostat

    94. Follow-up audit on former IAC audits in Eurostat: IAC audit on sensitive information and IAC audit on statistical process III – agriculture statistics

    95. Follow-up audit on charge-back services in DG HR

    96. Follow-up audit on the management of recovery orders for competition fines and recovery orders in the context of the Commission’s corrective capacity – Phase 1 in the Legal Service

    97. Follow-up audit on effectiveness of the management of absenteeism in OIB, OIL and PMO – OIB

    98. Follow-up audit on the procurement process in OIL

    99. Follow-up audit on performance and coordination of anti-fraud activities in the traditional own-resources area in OLAF

    100. Follow-up audit on former IAC audit in SCIC: technical support provided to meetings and conferences

    101. Follow-up audit on better regulation agenda in the Commission – SG

    102. Follow-up audit on financial management in SG

    103. Follow-up audit on the management of the security of the EU ETS information-technology system in DG CLIMA

    104. Follow-up audit on business continuity in DG COMM

    105. Follow-up audit on the management of local information technology in Eurostat

    106. Follow-up audit on information-technology logical security controls in OLAF

    107. Follow-up audit on business continuity in OP

    108. Follow-up audit on information-technology project management in DG REGIO

    109. Follow-up audit on the corporate information-technology governance framework and portfolio management in SG and DG DIGIT

    110. Follow-up audit on the information-technology programme and project management in the HR family (DG DIGIT, DG HR, EPSO, PMO)

    Part 3: summary of long-outstanding recommendations – state of play as at 31 January 2020

    No.: I

    DG: DG CLIMA

    Audit title: LIFE financial instruments: effectiveness and efficiency of the current framework (ENV+CLIMA)

    Recommendation: Visibility and promotion of the EU contribution

    Comments: DG CLIMA informed the IAS at the end of January 2020 and in mid-March 2020 that actions had been taken and that the recommendation was close to being fully implemented. The issue of visibility and promotion was being addressed in Steering-Committee meetings, and DG CLIMA has increased its monitoring.

    A follow-up by the IAS will take place in the second quarter of 2020: DG CLIMA reported the recommendation as ‘ready for review’ to the IAS on 26 March 2020.

    The expected delay between the originally agreed and revised expected completion date is 9 months.

    Final report date: 9.11.2018

    Original agreed completion date: 30.6.2019

    Revised expected completion date: 31.3.2020

    No.: II

    DG: DG HR

    Audit title: IAS audit on management of intra-muros contractors

    Recommendation: DG HR CORPORATE FRAMEWORK FOR THE USE OF INTRA-MUROS CONTRACTORS

    Comments: The IAS follow-up of January 2020 found that two tasks from the action plan still need to be completed, i.e. the approval of the guidelines by the Corporate Management Board and the subsequent publication of the guidelines to the main stakeholders. Consequently, the recommendation has been re-opened.

    A follow-up will take place during the fourth quarter of 2020.

    The expected delay between the originally agreed and revised expected completion date is 2 years and 1 month.

    Final report date: 12.7.2016

    Original agreed completion date: 31.7.2018

    Revised expected completion date: 1.9.2020

    No.: III

    DG: DG EMPL

    Audit title: Effectiveness of simplification measures under the 2014-2020 ESI funds in DG EMPL, REGIO and MARE

    Recommendation: UPTAKE AND IMPACT OF SIMPLIFICATION MEASURES AND THE DGS' PROCESSES TO PROMOTE AND MONITOR THESE MEASURES

    Comments: Implementation of this recommendation is delayed because the guidance on the simplified cost options is still under revision (latest version circulated in July 2019). The text is currently being finalised.

    In addition, the delay in preparing a guidance note on joint action plans has contributed to the delay in implementing this recommendation.

    A follow-up audit started in 2019 and is being finalised. Based on its results, the IAS concludes that the recommendation has been adequately and effectively implemented and will therefore be closed.

    The expected delay between the originally agreed and revised expected completion date is 1 year and 2 months.

    Final report date: 23.1.2017

    Original agreed completion date: 31.12.2018

    Revised expected completion date: 1.3.2020

    No.: IV

    DG: DG MARE

    Audit title: Effectiveness of simplification measures under the 2014-2020 ESI funds in DG EMPL, REGIO and MARE

    Recommendation: UPTAKE AND IMPACT OF SIMPLIFICATION MEASURES AND THE DGS' PROCESSES TO PROMOTE AND MONITOR THESE MEASURES

    Comments: DG EMPL is the lead service for implementing this recommendation. DG MARE has aligned its revised date of implementation with that of DG EMPL.

    A follow-up audit started in 2019 and is being finalised. Based on its results, the IAS concludes that the recommendation has been adequately and effectively implemented and will therefore be closed.

    The expected delay between the originally agreed and revised expected completion date is 1 year and 2 months.

    Final report date: 23.1.2017

    Original agreed completion date: 31.12.2018

    Revised expected completion date: 1.3.2020

    No.: V

    DG: OIB

    Audit title: Procurement process in OIB, OIL and DG BUDG

    Recommendation: PROCUREMENT PROCEDURES

    Comments: OIB prepared a working document including a proposal to revise substantially the current real estate procedure (‘Kallas procedure’) and submitted it at the end of September 2018 to the working group. The working group was set up to prepare the revision of the procedure to align it with the Financial Regulation. Technical meetings took place with DG HR on the proposal to replace the current Kallas methodology. The next steps are: (i) the validation of the new methodology by OIB and DG HR senior management; (ii) consulting the Legal Service; and (iii) launching the inter-service consultation. The further delay is due to the lengthy process of the technical meetings.

    A follow-up will take place as soon as OIB reports the recommendation as ‘ready for review’.

    The expected delay between the originally agreed and revised expected completion date is 2 years and 4 months.

    Final report date: 20.1.2017

    Original agreed completion date: 22.2.2017

    Revised expected completion date: 30.4.2020

    No.: VI

    DG: PMO

    Audit title: Charge-back in PMO

    Recommendation: SERVICE-LEVEL AGREEMENTS (SLAS)

    Comments: The IAS found in a first follow-up in September 2019 that, while PMO had made significant progress, it had not yet implemented important parts of the recommendation. In particular, it had not yet fully completed the revision of all existing SLAs with external clients. Discussions with the parties concerned are still ongoing.

    The IAS will perform a second follow-up in the second half of 2020, once PMO’s management reports this recommendation as ‘ready for review’.

    The expected delay between the originally agreed and revised expected completion date is 2 years.

    Final report date: 19.1.2017

    Original agreed completion date: 31.3.2018

    Revised expected completion date: 31.3.2020

    (1) Important recommendations are not reproduced in this document.
    (2) The summary reflects the IAS’s assessment of the audit recommendations’ implementation status at the end of the follow-up assignment. It does not take into account any further action with possible impact on the status of the recommendation that the auditee may have undertaken and reported to the IAS since the release of the IAS follow-up note or report.
    (3) DG REGIO reports a reservation on 30 programmes, DG EMPL on 25 programmes.
    (4) Cohesion Policy 2014-2020: A Strategy to Manage Change towards a more Performance-Based Culture; EMPL strategy for a performance-based culture for the ESF 2016-2023.
    (5) Entité légale de compensation (ELC).
    (6) SUMMA is a platform being developed by the Commission to replace ABAC (Accrual Based Accounting System). ABAC is the central accounting, budgetary and treasury system set up by the Commission to implement its budget and prepare its annual accounts.
    (7) DG AGRI 2017 Annual Activity Report.
    (8) DG AGRI 2018 Annual Activity Report.
    (9) The IAS collected information for this audit through an online survey sent to colleagues in DG SANTE, DG AGRI and DG GROW who are in contact with DG SANTE.F’s work. The purpose was to collect their views on the main reports produced by DG SANTE.F, as well as on the overall working relationship with DG SANTE.F, through a series of open or closed questions.
    (10) Almost 90% of the respondents rated cooperation with DG SANTE.F from good to excellent.
    (11) IAS audit on H2020 Grant Management in ERCEA: from the evaluation of proposals to the signature of the Grant Agreements (2016) and IAS Audit on H2020 Grant management (phase 2) in ERCEA (2018).
    (12) The Control Board is the forum for senior management to discuss and decide on issues related to budget, finance and internal control. The Control Board is chaired by the Director-General, with all the Directors attending, as well as the Director of the shared resource directorate and the Heads of Units of SRD.1 and SRD.3.
    (13) The Audit Module is a database that contains information on all audits and audit-related engagements carried out on contracts managed by DG DEVCO, DG NEAR and FPI (including those performed by the European Court of Auditors and other external entities).
    (14) http://dgecho-partners-helpdesk.eu/
    (15) The Audit Module tool is a database that contains information on all audits and audit-related engagements carried out on contracts managed by DG DEVCO, DG NEAR and FPI (including those performed by the European Court of Auditors and other external entities).
    (16) RDIS2 (Rural Development Information System).
    (17) According to the 2017 Regulatory Scrutiny Board report, the Board developed its advisory function in 2017. This included ‘upstream meetings’ with Commission departments.
    (18) Estimated 0.36% multi-annual residual error rate for the LIFE programme in the 2018 annual activity report.
    (19) E.g. cases with no practical effect or cases which go against a Commission policy.
    (20) ATLAS is the Commission’s corporate tool for mapping tasks and linking jobs to political priorities.
    (21) GovIS2 is the European Commission's corporate IT portfolio management tool that provides IT governance capabilities at local (DGs) and corporate (Commission) levels, by acting as a central repository for IT projects, operations, information systems and services.
    (22) An Agile framework is a set of principles and practices for managing projects, which promotes adaptive planning, evolutionary development, early delivery, continuous improvement and encourages rapid and flexible response to changes.
    (23) As laid down in the IT Board mandate from 30 April 2015, ‘the TCO [total cost of ownership] is calculated as the total of all IT investments and costs, internal or external, foreseen for the design, construction and operation phases (development, deployment, maintenance, support, training and infrastructure including hosting and licenses)’. The guidelines on financing of ICT (adopted by the ABM Steering Group on 16 June 2016 and updated by the Corporate Management Board on 14 December 2017) state that: ‘When planning a new system, DGs should not just focus on the short-term development costs, but properly forecast the total cost including maintenance, support and infrastructure costs across the entire lifespan of the system’.
    (24) BPM@EC
    (25) Except for four recommendations (from the audits on: (1) the design of DG AGRI’s performance measurement system for the 2014-2020 common agricultural policy; and (2) payment suspensions and interruptions in the 2014-2020 common agricultural policy framework), where DG AGRI accepted the related residual risk, which was lower than initially identified.
    (26) Pro memoria: Follow-up audit already mentioned before. During this audit, recommendations from several audits were followed up. In only some of these audits did this result in the closure of all recommendations.