This document is an excerpt from the EUR-Lex website

Document 52024SC0145

COMMISSION STAFF WORKING DOCUMENT Accompanying the document REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL AND THE COURT OF AUDITORS Annual report to the Discharge Authority on internal audits carried out in 2023

SWD/2024/145 final

Brussels, 19.6.2024

SWD(2024) 145 final

{COM(2024) 249 final}


Contents

Part 1 Final reports

Multi–DG and multi–entity audits

1.1. Audit on the management of large-scale building projects involving works (OIB, OIL)

1.2. Audit on design and set-up of the Digital Europe Programme (DG CNECT, HaDEA)

1.3. Audit on Horizon Europe governance arrangements, preparation of the work programmes and of budget planning, allocation and monitoring (DG AGRI, DG CLIMA, DG CNECT, DG DEFIS, DG EAC, DG EMPL, DG ENER, DG ENV, DG GROW, DG HOME, DG MOVE, DG RTD, DG SANTE, SG, CINEA, EISMEA, ERCEA, HaDEA, REA)

1.4. Audit on preparedness of the management and control systems regarding the implementation of the Citizens, Equality, Rights and Values (CERV) and Justice programmes (DG JUST, EACEA)

1.5. Audit on preparedness for closing the 2014-2020 programming period of the European Structural and Investment Funds (DG EMPL, DG MARE, DG REGIO)

1.6. Audit on LIFE implementation (DG CLIMA, DG ENER, DG ENV, CINEA)

1.7. Audit on coordination and working arrangements with EU decentralised agencies (other than FRONTEX) in DG HOME

1.8. Audit on preparedness of the management and control systems of EACEA for the implementation of the Erasmus+, Creative Europe and European Solidarity Corps programmes and their supervision by DG EAC

1.9. Limited review on the adequacy of the cooperation and coordination mechanisms aimed to prevent, detect and respond to serious cross-border threats to health (DG SANTE, HERA, ECDC, EMA)

1.10. Audit on the implementation of the Innovation Fund (DG CLIMA, CINEA)

1.11. Limited review on data protection (DG ECHO, DG INTPA, DG NEAR, DG TAXUD, DG TRADE, FPI)

1.12. Audit on the early implementation of grants in the EU4Health Programme (DG SANTE, HaDEA, HERA)

1.13. Audit on intervention-level evaluations (DG INTPA, DG NEAR, FPI)

1.14. Audit on protection of confidentiality of information at corporate level (DIGIT, HR, SG)

1.15. Audit on Joint Audit Directorate for Cohesion (DAC) (DG EMPL, DG REGIO)

1.16. Limited review on the Commission’s risk at payment (DG AGRI, DG BUDG, DG EMPL, DG INTPA, DG NEAR, DG REGIO, DG RTD, EISMEA, ERCEA, REA)

1.17. Audit on Horizon Europe - Grant management phase 1 (from publication of the calls until signature of the grant agreements) (ERCEA, HaDEA)

Single Market, Innovation and Digital

1.18. Audit on human resources management (DG COMP)

1.19. Audit on the preparedness of the management and control systems for the 2021-2027 Space Programme implementation (DG DEFIS)

1.20. Audit on ex ante controls of the Recovery and Resilience Facility payment requests (DG ECFIN)

1.21. Monitoring assignment on the design and implementation of the Recovery and Resilience Facility (DG ECFIN)

1.22. Audit on Eurostat’s role in the European Statistical System (DG ESTAT)

1.23. Audit on European Anti-Fraud Office’s effectiveness in the area of fraud prevention activities (OLAF)

1.24. Consulting on the construction and completion of Wing M in Karlsruhe (JRC)

1.25. Audit on Horizon Europe - Grant management phase 1 (from publication of the calls until signature of the grant agreements) (REA)

Cohesion, Resilience and Values

1.26. Audit on corporate communication (DG COMM)

1.27. Audit on measuring and reporting on the performance of technical support projects (DG REFORM)

1.28. Limited review on HERA’s assessment of its internal control framework for the 2022 annual activity report

Natural Resources and Environment

1.29. Audit on the financial clearance of accounts (DG AGRI)

Migration and border management

1.30. Audit on the preparedness for closing actions and programmes funded under the Internal Security Fund and the Asylum, Migration and Integration Fund through direct and shared management (DG HOME)

Neighbourhood and the world

1.31. Audit on financial management of humanitarian aid under indirect management (DG ECHO)

Information technology

1.32. Limited review on the security plan and associated security measures of the EU emissions trading system (ETS) information system managed by the Directorate-General for Climate Action (DG CLIMA)

1.33. Audit on the CASE@EC project (DG COMP)

1.34. Audit on the management of information technology security (DG EAC)

Part 2 Follow-up engagements

Audits for which some recommendations remain open

2.1. Audit on IT security management in the human resources family (DIGIT, DG HR, PMO, EPSO)

2.2. Audit on monitoring the implementation and performance of 2014-2020 operational programmes in DG REGIO, DG EMPL and DG MARE

2.3. Audit on the preparation for the 2021-2027 programming period by DG REGIO, DG EMPL and DG MARE

2.4. Audit on interruptions, suspensions and financial corrections for the European Structural and Investment Funds 2014-2020 by DG REGIO, DG EMPL and DG MARE

2.5. Audit on the implementation of anti-fraud actions in the research area in DG CNECT, DG RTD, CINEA, EISMEA, ERCEA, REA

2.6. Audit on the management of experts in Horizon 2020 grants in DG CNECT, DG RTD, EASME, CINEA and REA

2.7. Audit on the protection of personal data under the responsibility of REA, EACEA, EISMEA, CINEA, ERCEA, DG RTD/CIC

2.8. Audit on EC-EEAS coordination in DG INTPA, DG NEAR and EEAS

2.9. Audit on intellectual property rights supporting activities in DIGIT, DG COMM, DG GROW, JRC, OP

2.10. Audit on pillar assessment in DG BUDG and DG INTPA

2.11. Audit on the preparedness of DG DEFIS for the management of the European Defence Fund

2.12. Audit on the management and monitoring of compliance with the Commission’s information technology (IT) security framework in DIGIT

2.13. Audit on public procurement in DIGIT

2.14. Audit on human resources management in DG ECFIN

2.15. Limited review on the Recovery and Resilience Facility control and audit strategies in DG ECFIN

2.16. Audit on the control strategy for humanitarian aid actions in DG ECHO

2.17. Audit on the JRC’s support to European Union policy and knowledge management (selection of and delivery on Commission requests)

2.18. Audit on TRAde Control and Expert System (TRACES) in DG SANTE

List of audits for which all recommendations were closed in 2023

Part 3 - Summary of long overdue recommendations



List of abbreviations

CIC: Common Implementation Centre

CINEA: European Climate, Infrastructure and Environment Executive Agency

DG AGRI: Directorate-General for Agriculture and Rural Development

DG BUDG: Directorate-General for Budget

DG CLIMA: Directorate-General for Climate Action

DG CNECT: Directorate-General for Communications Networks, Content and Technology

DG COMM: Directorate-General for Communication

DG COMP: Directorate-General for Competition

DG DEFIS: Directorate-General for Defence Industry and Space

DG DIGIT: Directorate-General for Digital Services

DG EAC: Directorate-General for Education, Youth, Sport and Culture

DG ECFIN: Directorate-General for Economic and Financial Affairs

DG ECHO: Directorate-General for European Civil Protection and Humanitarian Aid Operations

DG EMPL: Directorate-General for Employment, Social Affairs and Inclusion

DG ENER: Directorate-General for Energy

DG ENV: Directorate-General for Environment

DG ESTAT: Eurostat

DG FISMA: Directorate-General for Financial Stability, Financial Services and Capital Markets Union

DG HOME: Directorate-General for Migration and Home Affairs

DG HR: Directorate-General for Human Resources and Security

DG INTPA: Directorate-General for International Partnerships

DG JUST: Directorate-General for Justice and Consumers

DG MARE: Directorate-General for Maritime Affairs and Fisheries

DG MOVE: Directorate-General for Mobility and Transport

DG NEAR: Directorate-General for Neighbourhood and Enlargement Negotiations

DG REFORM: Directorate-General for Structural Reform Support

DG REGIO: Directorate-General for Regional and Urban Policy

DG RTD: Directorate-General for Research and Innovation

DG SANTE: Directorate-General for Health and Food Safety

DG TAXUD: Directorate-General for Taxation and Customs Union

DG TRADE: Directorate-General for Trade

EACEA: Education and Culture Executive Agency

EISMEA: European Innovation Council and Small and Medium-sized Enterprises Executive Agency

EFCA: European Fisheries Control Agency

ERCEA: European Research Council Executive Agency

ETF: European Training Foundation

FPI: Service for Foreign Policy Instruments

IAS: Internal Audit Service

IT: Information technology

JRC: Joint Research Centre

LS: Legal Service

OIB: Office for Infrastructure and Logistics in Brussels

OIL: Office for Infrastructure and Logistics in Luxembourg

OLAF: European Anti-Fraud Office

OP: Publications Office of the European Union

PMO: Office for the Administration and Payment of Individual Entitlements

REA: Research Executive Agency

SG: Secretariat-General

Context of this Annex

Part 1 of this Annex contains:

-a summary of the 34 finalised internal audit engagements performed as part of the 2023 Internal Audit Service (IAS) audit plan (audits whose reports were issued between 1 February 2023 and 31 January 2024),

-the main recommendations (critical and very important) ( 1 ) stemming from these engagements,

-information provided by the Directorates-General/services on the actions defined and/or implemented to address the IAS audit recommendations.

Each audit engagement followed the applicable standard professional validation and contradictory procedures between auditor and auditee at the time of the finalisation of the engagement. The summary of each engagement aims at providing an overview of the audits and their main results.

Part 2 of this Annex includes a summary of the results of the IAS follow-up engagements performed between 1 February 2023 and 31 January 2024 ( 2 ), including a list of audit engagements for which all recommendations were assessed as implemented following a follow-up audit by the IAS.

Part 3 provides an overview of the three long overdue very important recommendations as of 31 January 2024.



Part 1
Final reports

Multi–DG and multi–entity audits

1.1. Audit on the management of large-scale building projects involving works (OIB, OIL)

The objective of the audit was to assess if the governance, risk management and internal control framework set up by OIB and OIL for the management and implementation (using procurement procedures) of large-scale building projects involving works is adequately designed, efficient and effective and provides reasonable assurance that the key internal control objectives are achieved.

There were no observations/reservations in the 2022 annual activity reports of OIB and OIL that relate to the area or process audited.

The fieldwork was finalised on 8 June 2023. All observations and recommendations relate to the situation as of that date but take into account additional information provided by the Offices after this date to support their comments on the IAS findings document preceding the audit report.

The IAS acknowledged the significant efforts and progress made by OIB and OIL in recent years to adapt the buildings (located in Brussels and Luxembourg) to the new ways of working (by fitting the existing buildings with dynamic collaborative space settings for example) as well as to progressively align the buildings with the greening objectives of the Commission in order to decrease their energy consumption and CO2 emission (by reducing the number of m² or moving to more energy efficient buildings for example).

The IAS identified one very important issue concerning the management of large-scale projects and formulated two very important recommendations.

On the approach, OIB and OIL should:

-define in their internal procedures the concept of ‘structural renovation’ to ensure a consistent implementation between projects and compliance with the Financial Regulation (Article 266); 

-define in their internal procedures which works have to be managed as a stand-alone project in compliance with the adopted PM2 methodology (including budget planning, procurement, monitoring and reporting) and in which situations a simplified methodology (to be defined) can be applied by exception (for example, for projects under a certain value). Using the previous experience of OIL with the JMO2 project, OIB should define the workflow, responsibilities and deadlines for the management of large-scale projects (including those for the related loans), before the large-scale project starts its implementation (particularly for the CC2.0 project);

-establish a proportionate mechanism which identifies and takes into consideration all clients’ specific needs, as soon as possible in the early stages of the project (i.e. before the criteria/conditions for the (new) building are established) and at key moments during implementation (particularly in case key changes occur) to ensure that those needs are (when feasible) addressed and that the project is adapted in a timely manner to those changes/evolving needs. Such early consultation should aim at identifying the main specifications for the new/renovated buildings, involve key representatives and be done in a way that does not unnecessarily prolong the consultation process, with a view to ensuring timely relocation of staff in the (new) building. If the clients for the new/renovated building are not known when a project is initiated, OIB and OIL should consider the needs of the most probable clients (identified according to the latest indicative planning at the level of the Office, for example, in the ‘Feuille blanche’);

-adequately document the monitoring of large-scale projects and the reporting to (senior) management on the status of those projects to ensure any potential issues are addressed systematically and in a timely manner.

On procurement activities, OIB and OIL should:

-further examine the scope for increasing competition for building and works contracts, while taking due account of the constraints not under the full control of the Offices (potential limitations on the targeted area, guidance from DG BUDG, the overall economic context and any strategic requirements such as the building policy for example). This should include:

·for building and works contracts, enhance the use of the exclusion, selection and award criteria along with other essential elements and requirements of the procurement process (such as delivery deadlines, etc.) to increase the level of competition when possible;

·for building contracts, negotiate the financial and technical conditions with several tenderers when possible, and consider the option of publishing a building prospection notice for specific needs/contracts ( 3 ) as a preferred option for increased transparency;

·for works contracts, where appropriate and cost effective for the type of works concerned ( 4 ), the Offices should foresee the option of reopening competitions under the framework contracts, use Dynamic Purchasing Systems ( 5 ) and, within those procedures, aim for an increased number of contractors when the timing of the project and the budgetary and legal framework allows.

-(for OIB only) systematically document the negotiation sessions and the negotiation limits (mandate) to ensure transparency of the procedure for building contracts while taking appropriate confidentiality safeguards, as necessary.

Additional information provided by OIB and OIL on the measures defined and/or implemented following the Internal Audit Service audit

OIB and OIL jointly developed an action plan, which was approved by the IAS. The estimated implementation date for the actions is 31 December 2024. OIB and OIL are closely following up on the recommendations and several actions are already implemented.

As regards the deficiencies related to the reporting on progress on large-scale building projects, OIL started implementing the agreed mitigation action by sending monthly notes to the senior management informing it about the progress of OIL’s large-scale building project, the JMO2. This action complements the communication flows already in place and reinforces the relevant reporting line.

Regarding the deficiencies related to early identification of clients’ needs, the improvement envisaged is that OIL will continue to use its current consultation mechanism for all future projects and will re-assess the needs at key moments during their implementation considering the changes in the internal and external environment and operational priorities.

OIB has made progress in the implementation of the actions regarding the reporting on large-scale building projects and is already working in conformity with the recommendation proposed by the IAS on the requested approval of the relevant strategic documents. Moreover, on the organisational structure for the management of large-scale projects, OIB has already taken some steps to address the weakness identified by the IAS by adjusting workflows and enforcing the supervision of the operational sector responsible for market prospection in line with IAS’s recommendation.

Regarding procurement procedures, for works contracts OIB’s orientation document template has been adapted by including the Dynamic Purchasing System (DPS/SAD) in the list of potential procurement procedures to reflect on the most suitable type of procedure before launching it, in line with the IAS recommendation.

1.2. Audit on design and set-up of the Digital Europe Programme (DG CNECT, HaDEA)

The objective of the audit was to assess the adequacy of the design and the effectiveness of the internal control processes put in place by DG CNECT and HaDEA for the early phases of implementation of the 2021-2027 Digital Europe Programme (for the part implemented under direct management), including the supervisory and coordination arrangements between the executive agency and the parent Directorate-General, ensuring the achievement of the programme’s objectives in compliance with the applicable rules and the principles of sound financial management.

There were no reservations in DG CNECT’s and HaDEA’s 2022 annual activity reports.

The fieldwork was finalised on 21 September 2023. All observations and recommendations relate to the situation as of that date.

The IAS acknowledged the following strengths:

·Despite the delayed adoption of the Digital Europe Programme legal base and the recent establishment of HaDEA as a new executive agency (April 2021), the staff and management of DG CNECT and HaDEA have demonstrated a high level of commitment and dedication and quickly implemented the actions necessary for the set-up and launch of this new programme;

·After the first year of implementation, DG CNECT, in cooperation with the Digital Europe Programme Committee and implementing bodies (including HaDEA and the joint undertakings), conducted a thorough lessons learnt exercise. It resulted in a note identifying improvements, amongst other things, in the areas of the planning, launch and early implementation of the work programmes and calls for proposals. The note was addressed to the Information and Communications Technology Director and presented at the Programme Committee.

The IAS identified one very important issue concerning conflict of interests and ethics and formulated one very important recommendation.

DG CNECT should:

-establish a policy and define a set of cost-effective measures to manage potential conflicts of interest of experts who are part of policy related expert groups and may be involved in the design of work programmes or calls for proposals to ensure equal treatment and fair competition in the award procedure;

-based on the existing good practices and taking into account HaDEA’s experience, adopt clear guidance on:

·a set of additional conflicts of interest checks of external experts, where necessary, including who should perform these checks and how;

·how these checks should be documented; and

·how to address potential conflicts of interest for external evaluators and internal staff.

-obtain from the internal staff participating in an evaluation committee a signed declaration on the absence of conflicts of interest for each specific evaluation where they participate;

-based on the experience gained so far with the implementation of the Digital Europe Programme, provide a contribution to central services on how to manage (potential) conflicts of interest risks linked to national affinity, in particular for experts coming from countries outside the EU, in the evaluation of Digital Europe Programme calls for proposals, as input for updating existing corporate guidance.

Additional information provided by DG CNECT and HaDEA on the measures defined and/or implemented following the Internal Audit Service audit

At the end of 2023, DG CNECT had five open recommendations stemming from the IAS’ report on the design and set-up of the Digital Europe Programme (one ‘very important’ and four ‘important’ recommendations). An action plan was established in agreement with the IAS. Two of the recommendations (one ‘very important’ and one ‘important’) have been implemented. The remaining recommendations are being implemented according to the action plan.

1.3. Audit on Horizon Europe governance arrangements, preparation of the work programmes and of budget planning, allocation and monitoring (DG AGRI, DG CLIMA, DG CNECT, DG DEFIS, DG EAC, DG EMPL, DG ENER, DG ENV, DG GROW, DG HOME, DG MOVE, DG RTD, DG SANTE, SG, CINEA, EISMEA, ERCEA, HaDEA, REA)

The objective of the audit was to assess the adequacy of the design and the effectiveness of the (early) implementation of the Horizon Europe governance, with the focus on: (1) the governance arrangements, (2) the process to prepare the work programmes (up to the launching of the calls) and (3) the process to prepare and support the budget planning, allocation and monitoring at programme level.

There were no observations/reservations in the 2022 annual activity reports of the Directorates-General and executive agencies covered by this audit that relate to the areas/processes audited.

The fieldwork was finalised on 12 July 2023. All observations and recommendations relate to the situation as of that date.

The IAS acknowledged the efforts made by the audited services to ensure an adequate implementation of the Horizon Europe governance arrangements, in particular through an effective co-creation process, since the establishment of these arrangements in June 2021.

In particular, the IAS highlighted the following strengths:

·The results of the survey conducted by the IAS in the context of this audit showed a high satisfaction rate of 13 Directorates-General and five executive agencies (out of the 22 respondents) with the new governance arrangements in place.

·Based on the analysis of the feedback of the different Directorates-General, the budgetary allocation process ensures, overall, an adequate coverage of the political priorities.

·The ‘Handbook for Horizon Europe work programme preparation’, published by the Common Policy Centre (CPC), is comprehensive, regularly updated and communicated in a timely manner to the co-creating services, providing for an effective facilitation of the co-creation process.

The IAS identified one very important issue concerning EU missions and formulated one very important recommendation.

DG RTD, in cooperation with and/or supported by the Directorates-General and services involved in Horizon Europe and in the Missions, as appropriate, should:

-contribute to improve the effectiveness and overall coherence of the governance arrangements for EU missions by:

·providing support (through guidance, templates, coordination for example) in the definition of the memoranda of understanding between the Mission managers and Deputy Mission managers;

·providing support to the Mission managers, deputy manager and secretariats in defining working arrangements for the Mission secretariats and by clarifying the responsibilities of the Mission secretariats and of the executive agencies implementing the Missions. For the secretariats that are shared between different Directorates-General, the working arrangements should set out how to coordinate and communicate with the strategic configuration of the Horizon Europe Programme Committee (especially working groups on Missions);

·reviewing the necessary level of resources in the Common Missions and Partnerships Service in DG RTD and the Missions secretariats to ensure achievement of business objectives.

-improve the budgetary processes for EU missions by:

·providing budgetary guidelines for the allocation of the 10% top-up to reinforce the ‘back office’;

·streamlining the budget management for the monitoring of the Missions budget and its reallocation;

·clarifying the role of the Missions Owners’ Group in the context of decisions with budgetary impact.

-assess the different services’ needs for enhanced support from the Common Policy Centre to the Missions and, based on this assessment, develop the relevant support activities;

-analyse the effectiveness of the various tools/solutions currently used by the services to detect conflicts of interest and, based on the result of this analysis, specify the approach to be taken by all services.

Additional information provided by DG AGRI, DG CLIMA, DG CNECT, DG DEFIS, DG EAC, DG EMPL, DG ENER, DG ENV, DG GROW, DG HOME, DG MOVE, DG RTD, DG SANTE, SG, CINEA, EISMEA, ERCEA, HaDEA, REA on the measures defined and/or implemented following the Internal Audit Service audit

DG RTD / Common Policy Centre (CPC) has put in place measures to improve the effectiveness and overall coherence of the governance arrangements for EU missions, namely by improving the budgetary processes, assessing the needs from the different services for enhanced support from the CPC, and analysing the effectiveness of the various tools/solutions currently used to detect conflicts of interest and specifying the approach to take. The recommendation is on schedule to complete its implementation by 30 September 2024.

1.4. Audit on preparedness of the management and control systems regarding the implementation of the Citizens, Equality, Rights and Values (CERV) and Justice programmes (DG JUST, EACEA)

The objective of the audit was to assess the adequacy of the design and the effectiveness of the governance, controls and processes put in place by DG JUST and EACEA for the implementation of the 2021-2027 CERV and Justice programmes to ensure the achievement of the programme’s objectives, in compliance with the applicable rules as well as with principles of sound financial management.

There were no observations/reservations in the 2022 annual activity report of DG JUST and EACEA that relate to the area/process audited (i.e. grants relating to the CERV and Justice programmes 2021-2027).

The fieldwork was finalised on 2 June 2023. All observations and recommendations relate to the situation as of that date.

The IAS recognised the expertise of staff of DG JUST and EACEA involved in the different phases of the grant management process and their strong and continuous commitment, despite the high workload.

The auditors identified the following strengths related to the audited processes:

·To mitigate the impact of the late adoption of the basic regulation for the 2021-2027 multiannual financial framework programmes, DG JUST had started the preparation of multiannual work programmes for 2021-2022 at an early stage, which allowed it and EACEA to launch the calls for proposals in time.

·The cooperation between DG JUST and EACEA at the stage of the evaluation of the calls for proposals, grant award and grant implementation works effectively.

·EACEA implemented measures to develop the national contact points network, by launching two calls for proposals in this respect. EACEA and DG JUST jointly steer and monitor the activity of the national contact points network, which promotes and disseminates the CERV programme and its results at national level.

The IAS did not formulate any critical or very important recommendations.

1.5. Audit on preparedness for closing the 2014-2020 programming period of the European Structural and Investment Funds (DG EMPL, DG MARE, DG REGIO)

The objective of the audit was to assess whether DG REGIO, DG EMPL and DG MARE put in place an adequate internal control system to effectively and efficiently support the preparation for the closure of the 2014-2020 programming period.

There were no reservations in the 2022 annual activity reports of the Directorates-General that relate to the processes audited.

The fieldwork was finalised on 27 February 2023. All observations and recommendations relate to the situation as of that date.

The IAS recognised the ongoing efforts made by DG REGIO, DG EMPL and DG MARE to prepare for the 2014-2020 closure exercise. The IAS identified the following strengths and good practices in this area:

·DG REGIO’s support to Member States: In the process of preparing the closure guidelines, DG REGIO collected around 600 questions from the Member States, coordinated the replies internally and with the Legal Service, and prepared a comprehensive set of replies distributed via the Expert Group on European Structural and Investment Funds. This input was also taken into account when updating the closure guidelines in late 2022. In addition, individual workshops with Member States were organised on the preparation of the closure exercise. During these workshops, key information and milestones were communicated to the Member States and questions raised by the Member States were addressed.

·DG REGIO’s matrix structure: The matrix organisation allows staff members in the competence centres, policy units and the geographical units to work together on the preparation of closure and it facilitates the horizontal flow of information, knowledge and skills.

·DG MARE’s monitoring of the error rates of high-risk operational programmes: The audit unit in DG MARE regularly reviewed the pre-annual control report error rate (prior to submission of closure documents) for operational programmes identified as having a higher risk. This approach makes it easier to address problems in due time, for a selected number of high-risk operational programmes.

·Audit plan of the Joint Audit Directorate for Cohesion: The Joint Audit Directorate for Cohesion of DG REGIO and DG EMPL is planning thematic audits in Member States on the preparation for the closure exercise.

The IAS identified two very important issues concerning planning of the closure exercise and financial settlement at closure, and formulated seven very important recommendations.

Four very important recommendations addressed to DG EMPL, DG MARE and DG REGIO on planning of the closure exercise

DG REGIO, DG EMPL and DG MARE should:

-define clearly the objectives, roles and responsibilities concerning the coordination of the preparation of the closure process between the three Directorates-General and internally in each Directorate-General;

-develop a common roadmap for the preparation of the closure process (including steps, tasks, related deliverables, milestones, roles and responsibilities) and monitor its implementation;

-allocate sufficient resources and prioritise the work on developing and putting in place internal processes and procedures for the closure exercise, adapting the IT tools and training staff.

DG REGIO should ( 6 ):

-increase the frequency of the closure matrix meetings for the preparation of the 2014-2020 closure exercise ( 7 ) and involve representatives of DG EMPL and DG MARE in the development and finalisation of the internal procedures, checklists and IT systems for managing the closure process.

Three very important recommendations addressed to DG EMPL, DG MARE and DG REGIO on financial settlement at closure

DG REGIO, DG EMPL and DG MARE should:

-define clearly what closure involves in terms of the assurance to be provided on the legality and regularity (i.e. when will the programmes be closed, what assurance will be provided about the legality and regularity of the expenditure at the moment of closure and how this assurance will be obtained), adopt this definition/approach by senior management. Put in place adequate procedures to ensure that financial corrections agreed with the Member States in relation to previous accounting years were actually implemented, that irregular amounts are removed from the final payment and interruptions, suspensions and financial corrections are applied at closure to avoid paying for irregular expenditure;

-communicate in a clear and transparent manner in their annual activity reports and the annual management and performance report on the concept of ‘amount at closure’, whether it will provide assurance that the residual risk will be below 2% before closing programmes or only after closure, and report on the implemented financial corrections at closure for each accounting year;

-manage and communicate clearly in internal procedures, in communications to the Member States and in accountability reports such as the annual activity report and the annual management and performance report.

Additional information provided by DG EMPL, DG MARE, DG REGIO on the measures defined and/or implemented following the Internal Audit Service audit

DG REGIO has already implemented part of the IAS recommendations and continues the work on the remaining ones, in line with the agreed roadmap and deadlines.

DG EMPL confirmed that the implementation of these recommendations is in progress with deadlines beyond the finalisation date of the present AAR.

DG MARE noted that the IAS recommendations are being addressed according to the agreed action plan.

0.5.Audit on LIFE implementation (DG CLIMA, DG ENER, DG ENV, CINEA)

The objective of the audit was to assess the adequacy of the design and the effectiveness of the governance, controls and processes put in place by CINEA and its parent Directorates-General for carrying out the LIFE programme 2021-2027 (design and implementation up to the signature of the grant agreements) to ensure the achievement of the programme’s objectives, in compliance with applicable rules as well as with the principles of sound financial management.

There were no reservations in the 2021 and 2022 annual activity reports of DG ENV, DG CLIMA, DG ENER and CINEA that relate to the process audited.

The fieldwork was finalised on 24 April 2022. All observations and recommendations relate to the situation as of that date.

The IAS recognised the expertise of the staff of CINEA and its parent Directorates-General involved in the management of the LIFE programme and their strong and continuous commitment, in spite of the high workload, in particular in the early phase of the implementation of the LIFE programme.

The IAS identified one very important issue concerning the management of conflicts of interest in the evaluation process and formulated one very important recommendation.

CINEA should:

-align and update the template for the declaration of absence of conflicts of interest for evaluation committee members between the different subprogrammes;

-ensure that each evaluation committee member completes and signs the declaration before the start of the evaluation;

-ensure adequate documentation of the decisions taken by the responsible authorising officer on any cases of declared potential conflicts of interest and the mitigating measures;

-put in place written instructions/guidance on conflicts of interest checks to be performed in addition to the self-declarations made by the contracted experts to ensure the reliability of the declarations provided by the experts. This guidance should define and illustrate ‘soft’ and ‘hard’ cases of conflicts of interest and the approach to take. The result of the analysis should be documented together with the additional checks performed in a central repository;

-ensure that the contractor updates the template for the declaration of absence of conflicts of interest and that external experts (contracted through the service provider framework contract) sign:

·a declaration of conflicts of interest for each call to which they are allocated; and

·a code of conduct mirroring the provisions in the European Commission code of conduct annexed to the model contract for experts.

-request an update of the non-conflicts of interest manual to include further checks to be made and documented by the service provider on potential conflicts of interests of subcontracted experts.

Additional information provided by DG CLIMA, DG ENER, DG ENV and CINEA on the measures defined and/or implemented following the Internal Audit Service audit

DG ENV, DG ENER, DG CLIMA and CINEA developed an action plan and the recommendation was implemented as planned, without any significant difficulties nor delay.

A future IAS follow-up audit will assess if the Agency has successfully addressed the recommendation.

0.6.Audit on coordination and working arrangements with EU decentralised agencies (other than FRONTEX 8 ) in DG HOME

The objective of the audit was to assess the adequacy of the design and the effective and efficient implementation of the coordination arrangements between DG HOME and the audited decentralised agencies, namely CEPOL, eu-LISA, EMCDDA, EUAA and EUROPOL, to support the achievement of their respective objectives in line with relevant regulations and the Common Approach.

There were no observations/reservations in the 2021 annual activity report of DG HOME that relate to the area/process audited.

The fieldwork was finalised on 16 November 2022. All observations and recommendations relate to the situation as of that date.

The IAS recognised the ongoing efforts of DG HOME to improve its oversight controls in the agencies and the commitment of the staff involved in coordination activities with the agencies, which has especially contributed to strengthening the monitoring of the annual financial implementation of the agencies’ work programme.

The IAS did not formulate any critical or very important recommendations.

0.7.Audit on preparedness of the management and control systems of EACEA for the implementation of the Erasmus+, Creative Europe and European Solidarity Corps programmes and their supervision by DG EAC

The objective of the audit was to assess if EACEA, with the support of DG EAC, was ready for the implementation of the 2021-2027 Erasmus+, Creative Europe and European Solidarity Corps programmes and if EACEA put in place adequately designed, efficient and effective governance, risk management and internal control processes for these programmes.

There were no observations/reservations in the 2022 annual activity reports of EACEA and DG EAC that relate to the area/process audited.

The fieldwork was finalised on 21 November 2023. All observations and recommendations relate to the situation as of that date.

The auditors recognised the expertise of EACEA and DG EAC staff members involved in the preparation and launch of calls for proposals, evaluation of submitted proposals and preparation of grant agreements, as well as their strong and continuous commitment in the face of a high workload.

The auditors identified the following strengths related to the audited processes:

·clear allocation of roles and responsibilities for the implementation of the 2021-2027 Erasmus+, Creative Europe and European Solidarity Corps programmes within EACEA;

·strong cooperation between EACEA and DG EAC during the grant preparation process as evidenced by regular bilateral meetings at unit, middle and senior management level;

·effective external communication with potential grant applicants, as well as systematic support of proposals selected for funding during the grant agreement preparation process;

·well-managed onboarding process to the corporate eGrants IT suite.

The IAS did not formulate any critical or very important recommendations.

0.8.Limited review on the adequacy of the cooperation and coordination mechanisms aimed to prevent, detect and respond to serious cross-border threats to health (DG SANTE, HERA, ECDC, EMA)

The objective of the limited review was to assess whether mechanisms in HERA, SANTE, EMA and ECDC are in place and are adequately designed to support the effective and efficient coordination and cooperation in the prevention, preparedness, and response as regards serious cross-border threats to health.

There were no observations/reservations in the 2022 annual activity reports of DG SANTE and HERA that relate to the area/process audited.

The fieldwork was finalised on 30 October 2023. All observations and recommendations relate to the situation as of that date.

The IAS did not formulate any critical or very important recommendations.

0.9.Audit on the implementation of the Innovation Fund (DG CLIMA, CINEA)

The objective of the audit was to assess the design, efficiency and effectiveness of the governance and control processes set up by DG CLIMA and CINEA for the implementation of the Innovation Fund, up to the grant agreement signature, to ensure the achievement of the Innovation Fund’s objectives, in compliance with applicable rules and in accordance with the principles of sound financial management.

There were no reservations in the 2022 annual activity reports of DG CLIMA and CINEA that relate to the area/process audited.

The fieldwork was finalised on 20 June 2023. All observations and recommendations relate to the situation as of that date.

The IAS recognised the expertise of the staff of CINEA and DG CLIMA involved in the management of the Innovation Fund, as well as their strong and continuous commitment, despite the high workload, in particular in light of the challenging circumstances under which they had to implement the Innovation Fund (COVID-19 pandemic, and political imperatives resulting from the Russian war of aggression against Ukraine for example).

The IAS identified three very important issues concerning: (1) the establishment of the evaluation committee and evaluation by external experts, (2) the management of conflicts of interest in the evaluation process, (3) other elements pertaining to the evaluation process, and formulated four very important recommendations.

Establishment of the evaluation committee and evaluation by external experts (two very important recommendations addressed to DG CLIMA and CINEA)

DG CLIMA and CINEA should, in coordination with each other:

-seek guidance from DG BUDG on how to report on the lack of evaluation committee for the 2020 and 2021 calls in their annual activity report. The agreed approach should then be implemented;

-based on the Amending Delegated Regulation, revise the specific memorandum of understanding for the Innovation Fund to provide for the formal establishment of an evaluation committee, which may be partially or fully composed of external experts, for the ongoing and future calls.

Management of conflicts of interest in the evaluation process (one very important recommendation addressed to CINEA):

CINEA should:

-include, in its manual of procedures for the Innovation Fund, detailed provisions on how to perform and document checks on conflicts of interest for external experts and staff participating in evaluations, as well as guidance, complementary to the central guidance, on how to assess the existence of conflicts of interest and decide on follow-up actions;

-implement and document the checks on conflicts of interest that are performed (i.e. the documents used in the checks, the name of the person performing the checks, and the dates when the checks took place) as well as the decisions taken in case of potential conflicts of interest, in line with the established procedures and guidance;

-when creating the pools of pre-selected experts, assess, in coordination with DG CLIMA, the risks linked to the use of non-EU experts (expert who is neither an EU national nor a third-country national residing in the EU) and decide on how to address these risks.

Other elements pertaining to the evaluation process (one very important recommendation addressed to CINEA):

CINEA should:

-in cooperation with DG CLIMA, clarify further in future two-stage call texts which changes may be allowed to proposals in the second stage without changing the outcome of the first stage selection;

-clarify in the manual of procedures for the Innovation Fund how to perform and document checks for assessing if changes in proposals during the second stage evaluation would have called into question the result of the first stage evaluation;

-clarify the procedure for taking decisions on ineligibility and inadmissibility throughout the evaluation process, including as regards the role of the Admissibility and Eligibility Committee;

-properly document all the admissibility and eligibility checks performed and final decisions made;

-detail the procedure to perform and document checks of applicants against the whole EU sanctions list prior to the award procedure, including a clear allocation of roles and responsibilities between CINEA and REA.

Additional information provided by DG CLIMA and CINEA on the measures defined and/or implemented following the Internal Audit Service audit

DG CLIMA and CINEA developed an action plan which was finalised and accepted by the IAS on 23 February 2024. By then, some mitigating measures had already been implemented such as the formal appointment of an Evaluation Committee for the most recent calls for proposals. The remaining measures will be implemented throughout 2024 in line with the action plan.

0.10.Limited review on data protection (DG ECHO, DG INTPA, DG NEAR, DG TAXUD, DG TRADE, FPI)

The objective of this limited review was to assess the state of compliance of the audited services with the key provisions of Regulation (EU) 2018/1725 and associated Commission Decision 2020/969 (implementing rules), with particular consideration to the transfer of data to third countries.

There were no observations/reservations in the 2022 annual activity reports of the Directorates-General covered by the audit that relate to the area/process audited.

The fieldwork of this limited review was finalised on 20 November 2023. All observations and recommendations relate to the situation as of that date.

The IAS recognised the following strengths:

·The Commission Directorates-General/service covered by the audit, with the support of the Data Protection Officer of the Commission, have made good progress in establishing and implementing the necessary framework to achieve compliance with the key provisions of the European Union Data Protection Regulation. This framework encompasses guidance, templates, an IT tool, and a clear governance operating model.

·The IAS acknowledged in particular the correct and effective use of the Data Protection Management System to: (1) create comprehensive and detailed records of processing operations, and (2) manage and report data breaches.

The IAS did not formulate any critical or very important recommendations.

0.11.Audit on the early implementation of grants in the EU4Health Programme (DG SANTE, HaDEA, HERA)

The objective of the audit was to assess the adequacy of the design and the effective implementation of the governance and internal control processes for EU4Health in DG SANTE, HERA and HaDEA concerning the programming, planning and early implementation phases of grants.

There were no observations/reservations in the 2022 annual activity reports of DG SANTE, HERA and HaDEA that relate to the area/process audited.

The fieldwork was finalised on 5 December 2023. All observations and recommendations relate to the situation as of that date.

The auditors recognised the ongoing efforts made by DG SANTE, HERA and HaDEA to continuously improve their internal controls and working procedures concerning the programming, planning and early implementation phases of grants. In particular, the auditors recognised the following strengths:

·Robust controls in DG SANTE and HERA on the preparation and adoption of the annual work programme, with effective coordination with HaDEA for the drafting and publication of calls for proposals.

·Strong evaluation process in HaDEA, with an evaluation committee which reviews and reaches a consensus on the proposals recommended for funding and their ranking, both in the external evaluation processes (applied to open calls for proposals) as well as for internal evaluations (for direct grants). All necessary supporting documentation for each step of the selection process is available in the corporate systems, which provides a complete audit trail of the evaluation process.

·Effective grant agreement preparation process in HaDEA; Time to Grant in compliance with corporate standards (estimated average Time to Grant 199 days ( 9 ) in September vs corporate target of 275 days). Exceptions are correctly documented in the corporate systems.

·The operational controls in HaDEA for the monitoring of the implementation of projects are being performed systematically.

·The ex-ante financial controls are adequately designed, with a detailed checklist which includes analytical checks of the costs and sampling of transactions for some of the cost categories.

The IAS did not formulate any critical or very important recommendations.

0.12.Audit on intervention-level evaluations (DG INTPA, DG NEAR, FPI)

The objective of the audit was to assess whether the process to evaluate interventions is adequately designed, and effectively and efficiently implemented so that the main evaluation objectives (i.e. assessing the performance of an intervention, identifying opportunities to improve current and future interventions, and reporting on the outcome to stakeholders and the wider public) are achieved.

There were no observations/reservations in the 2022 annual activity reports of DG INTPA and FPI that relate to the area/process audited. As regards DG NEAR, the reservation ‘Difficulties in monitoring adequately all projects in Libya, Syria and Ukraine’ is based on the fact that ‘the Delegations cannot implement standard monitoring and evaluation activities due to the virtual impossibility to conduct in-country project site visits by its staff or other verifications in the vast majority of locations due to the security and political constraints’.

The fieldwork was finalised on 20 October 2023. All observations and recommendations relate to the situation as of that date.

The IAS welcomed the initiatives taken by the audited services to improve the quality and efficiency of the evaluation process:

·The signature by DG INTPA and DG NEAR of one common contract for the provision of evaluation support services to both Directorates-General. The addendum to the contract currently being concluded provides that FPI will be associated and will benefit from the same evaluation support services.

·DG INTPA’s pilot project started in September 2021 aiming at establishing a structured and comprehensive quality assurance system to improve the quality of evaluation reports.

·The ongoing integration of the EVAL IT tool into the Operational System OPSYS to improve the evaluation management and repository system.

The IAS identified three very important issues concerning: (1) evaluation guidance, templates, and the IT tool, (2) implementation of the evaluation process, (3) monitoring, overview, and reporting at headquarters’ level, and formulated eight very important recommendations.

·Evaluation guidance, templates, and the IT tool (one very important recommendation addressed to DG INTPA)

DG INTPA in close collaboration with DG NEAR and FPI should put in place a coherent common (policy and guidance) framework covering the entire process of intervention-level evaluations, and in particular, planning, execution, and exploitation of their results.

·Implementation of the evaluation process (three very important recommendations addressed to DG INTPA, DG NEAR and FPI)

DG INTPA, DG NEAR and FPI should ensure that the weaknesses in the execution of evaluations are addressed in ongoing and future evaluations to ascertain that evaluations are of a good quality and that their results may be used for accountability purposes and/or to improve the management of ongoing and future interventions. In particular, the Directorate-General/service should ensure that:

-evaluations are only performed if needed and considered to be useful, and launched timely in view of using their results for the intended purpose (improving the ongoing intervention and/or designing a new intervention/the next phase of the evaluated intervention for example);

-the evaluation manager and the Reference Group ensure adequate quality (check) of the key evaluation documents and deliverables (the terms of reference should clearly define the objectives of the evaluation, and the final report should adequately reply to the terms of reference/information needs/evaluations questions asked for example);

-evaluation results are disseminated in line with the terms of reference for the evaluation;

-the ‘Response of the services’ clearly specifies for each recommendation: the acceptance, actions to be taken, the deadline for implementation, and the entity in charge;

-the implementation of recommendations is tracked to completion, and a stock-taking is performed one year after the approval of the final evaluation report by the delegation/unit in charge of the evaluation.

·Monitoring, overview, and reporting at headquarters’ level (four very important recommendations addressed to DG INTPA, DG NEAR and FPI)

DG INTPA in close collaboration with DG NEAR and FPI should ensure that the design of the evaluation process (including guidance documents and templates) is subject to periodic review so that it remains relevant and fit-for-purpose, and that its benefits outweigh its costs.

DG INTPA, DG NEAR and FPI should:

-put in place a mechanism to monitor the implementation of the evaluation process to ensure that the guidance is correctly applied, and that the IT tool is used as intended across the Directorate-General/service;

-ensure that the outcome of the evaluation activities is properly reported;

-put in place and oversee the implementation of a system ensuring that the evaluation objectives of learning lessons and accountability are systematically monitored and achieved. To this end, it should ensure that:

·lessons learnt are analysed and disseminated, and that evaluation results are used for programming;

·as a general rule and unless an exception is duly justified, evaluation results are systematically published to ensure accountability and transparency.

Additional information provided by DG INTPA, DG NEAR, FPI on the measures defined and/or implemented following the Internal Audit Service audit

DG INTPA accepted the recommendations from this IAS audit and approved the action plan. The implementation of the actions is in progress. As associated service, DG NEAR will contribute to the implementation.

DG NEAR accepted the recommendations and an action plan was adopted in order to (1) improve the planning, execution, follow-up and dissemination of evaluations and (2) perform quality control, supervision and reporting at headquarter level, including the analysis and dissemination of lessons learnt and publication of evaluation results.

FPI accepted the recommendations and proposed an action plan, which was accepted by IAS. The implementation of the actions is ongoing.

0.13.Audit on protection of confidentiality of information at corporate level (DG DIGIT, DG HR, SG)

The objective of the audit was to assess if DG HR, DG DIGIT and SG have established an adequately designed corporate framework, risk management process and adequate and effective corporate controls for protecting the confidentiality of information in the Commission.

There were no observations/reservations in the 2022 annual activity reports of the Directorates-General covered by the audit (i.e. DG HR, DG DIGIT and SG) that relate to the area/process audited.

The fieldwork was finalised on 19 June 2023. All observations and recommendations relate to the situation as of that date.

The IAS acknowledged the strong support provided by the Security Directorate of DG HR, DG DIGIT and SG respectively to the local security officers, the local informatics security officers ( 10 ) and the document management officers, as confirmed by these actors in their answers to the IAS survey.

Furthermore, the IAS noted the progress made in the following projects which, when fully implemented, are expected to improve the way in which information security is managed in the Commission:

·Deployment of the SUE – SUE is the Commission IT system for handling EU classified information up to the level SECRET UE/EU SECRET and has been in a pilot phase. When ready, it will allow users to handle and exchange EU classified information at the levels of CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET. The system includes a Document Management System (SUE-DMS) that will allow the creation, consultation, handling, and exchange of documents in compliance with the need-to-know principle and the relevant legislation on the handling of EU classified information.

·Deployment of iTOP (IT Operations Portal) – iTOP is an open source and web-based IT service management platform including: a customisable customers management database (CMDB), a helpdesk system and a document management tool. With this portal, HR.DS intends to improve the manageability, security and consistency of documentation for all their IT-security related processes ( 11 ).

·In addition, the IAS welcomed the Commission’s proposal for a Regulation on information security ( 12 ) which proposes common information security rules for all Union institutions and agencies and therefore is expected to strengthen the information security framework overall.

The IAS identified three very important issues concerning: (1) the provisions for external service providers to ensure confidentiality of information, (2) IT controls to ensure protection of sensitive non classified (SNC) information and (3) the process for managing information security incidents and formulated five very important recommendations.

·Provision for external service providers to ensure confidentiality of information 

One very important recommendation was addressed to DG HR concerning the screening and guidance documents on external service providers.

·IT controls to ensure protection of SNC information

Three very important recommendations were addressed to DG DIGIT, DG HR and SG to improve the protection of SNC information in transit or at rest, through several measures, including on guidance and training and on the practical application of the current technologies to increase process efficiency.

·Process for managing information security incidents

One very important recommendation was addressed to DG HR concerning several aspects of the process to manage information security incidents, including on staff awareness, the roles and responsibilities at corporate and local level, analysing impacts and drawing lessons learnt, the investigation process and the reporting to the corporate governance bodies on those incidents.

Additional information provided by DG DIGIT, DG HR and SG on the measures defined and/or implemented following the Internal Audit Service audit

DG HR, DG DIGIT and the SG provided a consolidated action plan, which was accepted by the IAS.

In particular:

DG DIGIT is going to implement the action plan according to the agreed target dates (implementation in the second quarter of 2025 for the very important recommendation) and mitigate the related risks.

DG DIGIT, jointly with DG HR and SG, will improve the protection of SNC information in transit or at rest by providing Commission users with common guidance and training, where applicable, and by improving the practical application of the current technologies to increase process efficiency.

DG HR’s actions will be implemented by 30 June 2025. DG HR will improve the monitoring of the security screening of externals with the automation of the tool to distinguish the non-screened from the screened external service providers. It will adjust the training and awareness material related to the handling of SNC information in accordance with the new IT tools and processes approved for use. DG HR will put in place a workflow tool to follow up on incidents.

0.14.Audit on Joint Audit Directorate for Cohesion (DAC) (DG EMPL, DG REGIO)

The objective of the audit was to assess the adequacy of the design of the management and control systems put in place by the DAC to enable it to implement its mandate efficiently and effectively.

There were no observations/reservations in the 2022 annual activity report of the Directorates-General covered by the audit (i.e. DG EMPL and DG REGIO) that relate to the area/process audited.

The audit covered the period from July 2021 to November 2023. All observations and recommendations relate to the situation as of that date.

The IAS recognised the ongoing efforts made by DG REGIO and DG EMPL to support the DAC functioning with a view to implement its mandate and identified the following strengths and good practices:

·The DAC builds further on the two well-established and mature former audit directorates of DG REGIO and DG EMPL, which were already supported by experienced staff, a set of procedures and dedicated IT tools for their core operations. The senior management of the two Directorates-General provided their full support to the reorganisation.

·The DAC redesigned, in a short period of time, the main audit processes to align the previous practices of the former audit directorates. This work was done through a participative process involving DAC staff in working groups and consultation of key stakeholders in both Directorates-General. The survey conducted by the IAS reported that on average 75% of the DAC audit staff respondents consider that after the creation of the DAC the two Directorates-General’s processes and workflows were harmonised and aligned with the DAC’s needs and practices. Also, some 70% of the DAC’s stakeholders are satisfied with the quality and timing of services provided by the DAC.

·The IAS survey reported that some 84% of DAC staff have a sense of belonging to the DAC as an entity. Moreover, 87% of respondents agree that the DAC management has taken actions in the sense of team belongingness and cohesiveness in units and across DAC.

·The DAC is responsible for auditing more than 440 operational programmes of Cohesion policy funds, which follow the same rules (Common Provisions Regulation), and often have the same Member State authorities responsible for the programmes of the different funds. The DAC audit teams audit all funds in a given Member State (which was previously done by separate teams from the respective audit directorates prior to the creation of the DAC).

·Since the establishment of the Learning and Development Council in the DAC, the trainings have been better adapted to the needs of the staff and target specific profiles. Special emphasis was given to newcomers in order to help DAC staff become autonomous and operational as soon as possible. This was confirmed by the IAS survey which reported that the integration of newcomers was appreciated by DAC staff, in particular the welcome pack received by new colleagues and access to IT systems, information repositories (Wiki for example) and internal guidelines. In addition, DAC staff was satisfied with the quality of the training courses needed to perform core tasks.

The IAS identified two very important issues concerning organisational structure and IT tools, monitoring and reporting, and formulated five very important recommendations.

·Organisational structure (two very important recommendations addressed to DG EMPL and DG REGIO):

DG REGIO and DG EMPL should:

-further revise and align the internal procedures of both Directorates-General, for which the DAC is either client or provider;

-also seek support from central services (especially DG HR) in handling the current constraints of managing HR procedures related to DAC staff from two Directorates-General. This also entails support for working around limitations of the current functionalities in the corporate HR IT systems, including access rights, monitoring and reporting, to facilitate efficient HR management;

-evaluate the synergies and the efficiency gains achieved by the creation of the DAC;

-in view of the challenges highlighted by this audit and taking into account the experience acquired so far in the DAC and of other organisational models, assess in due course, the functioning of the current organisational structure. This analysis, aiming at ensuring effective and efficient cooperation between Commission services, should also consider possible future developments in the structure of the shared management funds under the post 2027 multiannual financial framework.

·IT tools, monitoring and reporting (three very important recommendations addressed to DG EMPL and DG REGIO)

DG REGIO and DG EMPL should:

-continue the integration of the existing IT audit tools/systems under MyWorkplace for the 2021-2027 programming period. Furthermore, Directorates-General need to ensure that the existing roadmap for the integration of IT tools is sufficiently detailed and adequately monitored;

-for the development of MAPAR Compass Corporate for the 2021-2027 programming period, embed all audit processes for shared management and make optimal use of the enhanced reporting functionalities of this IT system;

-consider embedding metrics for monitoring the performance of the business processes workflows of the DAC and related key performance indicators. An assessment needs to be made regarding the feasibility and necessity of onboarding direct management audit processes to Compass Corporate or any other IT system;

-DG EMPL, in charge of the development of MAPAR Compass Corporate, should ensure appropriate monitoring of and reporting on the progress of the project. In particular, there should be adequate communication to the steering committee of the project supporting the decision-making process.

Additional information provided by DAC, DG EMPL and DG REGIO, on the measures defined and/or implemented following the Internal Audit Service audit

In accordance with the agreed action plan, DG EMPL and DG REGIO will align procedures, discuss the possibilities to further improve HR processes and aim to jointly develop IT tools to increase efficiency.

0.15.Limited review on the Commission’s risk at payment (DG AGRI, DG BUDG, DG EMPL, DG INTPA, DG NEAR, DG REGIO, DG RTD, EISMEA, ERCEA, REA)

The objective of this limited review was to assess: (1) the adequacy of the design of the corporate instructions by DG BUDG for the reporting on the risk at payment and on the risk categorisation and the effective implementation of these instructions by the sampled operational Directorates-General/executive agencies; and (2) the effectiveness of the internal control processes in place in DG BUDG and at Directorate-General/executive agency level to ensure simple, clear and reliable reporting on the risk at payment in the Commission’s annual management and performance report (including the risk categorisation) and in the annual activity reports of the sampled operational Directorates-General/executive agencies.

There were no observations/reservations in the 2022 annual activity reports of the Directorates-General/executive agencies in the scope concerning the risk at payment as such. However, DG REGIO, DG EMPL and DG AGRI issued reservations on a number of operational programmes/paying agencies/measures for which a residual error rate higher than the 2% threshold was estimated.

The fieldwork was finalised on 14 July 2023. All observations and recommendations relate to the situation as of that date. However, the IAS report took note of two events (and related information) which took place after the end of the fieldwork, namely: the error rate reported by the European Court of Auditors (ECA) in its annual report for the financial year 2022, published in October 2023, as well as the underlying documented analysis carried out by the Cohesion Directorates-General on the 2022 ECA findings with which they disagreed.

The IAS recognised the following:

·While some aspects need to be strengthened, the auditors recognised the efforts made by DG BUDG to provide corporate guidance to all Commission DGs/services for the calculation and reporting, in the AARs, of their risks at payment as well as to put in place adequate controls at central level to provide a reliable consolidated reporting on these amounts at Commission level in the annual management and performance report. Furthermore, the IAS welcomed DG BUDG’s decision to align the thresholds of the Commission’s risk categories in its 2022 annual management and performance report with those used by the ECA to facilitate the comparison between Commission and ECA results in this regard ( 13 ).

·The auditors also recognised the efforts made by the sampled DGs/services to complement the above corporate instructions, which set up the main principles, with the necessary ‘local’ instructions to address the specificities of the DGs/services. These ‘local’ instructions are centralised (in the case of Research through the Common Audit Service in DG RTD and in the case of Cohesion through the Joint Audit Directorate for Cohesion), ensuring a consistent calculation method and AAR reporting by the DGs/services involved.

The IAS identified one very important issue concerning the analysis and (internal) reporting of the root causes of errors in relation with ECA’s findings and formulated nine very important recommendations.

·Analysis and (internal) reporting of the root causes of errors in relation with ECA’s findings

DG INTPA, DG NEAR, DG RTD, REA, ERCEA and EISMEA should:

-perform and document a structured analysis of the ECA findings. The results of this analysis should help to facilitate the identification of the appropriate actions to mitigate recurrent ECA errors (for accepted findings) and allow for the documentation of categories and reasons for disagreements (for rejected findings);

-report on the analysis above in line with the guidance to be defined by DG BUDG.

DG EMPL and DG REGIO should:

-strengthen the existing documented analysis (as per 2022 ECA statement of assurance findings) to identify the causes for all ECA findings (not only those contested). The results of this analysis should help to facilitate the identification of the appropriate actions to mitigate recurrent ECA errors (in the case of accepted findings) and will complement the existing documentation of categories and reasons for disagreements (in case of rejected findings);

-report on the analysis above in line with the guidance to be defined by DG BUDG.

DG BUDG should:

-prepare the relevant guidance and gather structured information on the Directorates-General’s analysis of ECA findings including:

·for accepted findings, the root causes of errors (including whether they are similar to or different from the Commission’s findings) and the mitigating actions taken; and

·for findings not accepted, the reasons for not accepting them.

This process should allow for the aggregation of this information to provide an analysis at Commission level.

-report internally on this aggregated information with a view to strengthening the Commission’s narrative for the discharge;

-taking into account the timing constraints and the limitations in explaining the difference between Commission and ECA error rates, consider whether the AAR instructions need to be adapted concerning the reporting requirements in this regard ( 14 );

-to further increase transparency, seek (jointly with the Secretariat General) a strategic discussion with ECA at Commission level with a view to having a common understanding on the treatment and quantification of errors, reducing the number (and impact) of disagreements ( 15 ) and ultimately to help reduce the ECA and Commission error rates and potentially the difference between them.

This is particularly important given the number and potential impact on ECA’s overall error rate of the findings which are not, or only partially accepted by the Directorates-General/services. It should aim to help clarify key concepts such as types of errors (i.e. with and without financial impact) and could form part of the Commission’s response to the Parliament’s decision on the discharge for the financial year 2021 ( 16 ), in which it was invited to rethink its methodology and cooperate with ECA to increase harmonisation and provide more comparable figures.

Additional information provided by DG AGRI, DG BUDG, DG EMPL, DG INTPA, DG NEAR, DG REGIO, DG RTD, EISMEA, ERCEA and REA on the measures defined and/or implemented following the Internal Audit Service audit

DG BUDG provided on 20 February 2024 a consolidated action plan for all the Commission services concerned (i.e. DG BUDG, DG EMPL, DG INTPA, DG NEAR, DG REGIO, DG RTD, EISMEA, ERCEA and REA), which the IAS accepted on 23 February 2024.

In particular:

DG EMPL is affected by the very important recommendation regarding the strengthening of the structured analysis of ECA findings and its root causes. The follow-up work has already started.

DG NEAR will improve its existing analysis of ECA findings and will align it as much as possible to the guidance to be issued by DG BUDG.

DG REGIO will strengthen the existing analysis to identify the causes for all ECA findings.

DG RTD’s consolidated Action Plan to address the very important recommendation was agreed between DG RTD, REA, ERCEA and EISMEA as well as DG BUDG. The implementation of the related actions is in progress.

The recommendation addressed to DG INTPA was accepted and the implementation of the agreed action plan is in progress.

0.16.Audit on Horizon Europe - Grant management phase 1 (from publication of the calls until signature of the grant agreements) (ERCEA, HaDEA)

The objective of the audit was to assess the adequacy of the design and the effective and efficient implementation of the internal control system for the Horizon Europe grant management processes (from the preparation of the call for proposals to the signature of the grant agreements) in ERCEA and in HaDEA, with a particular focus on:

·whether the grant agreements effectively support the achievement of the Horizon Europe objectives; and

·whether the processes in place ensure that the best research projects are selected and translated into grant agreements in compliance with the applicable rules.

There were no observations/reservations in the 2022 annual activity reports of ERCEA and HaDEA that relate to the area and processes audited. The fieldwork was finalised on 6 December 2023 in ERCEA and on 8 December 2023 in HaDEA. All observations and recommendations relate to the situation as of that date. The IAS recognised the ongoing efforts made by ERCEA to ensure the effective implementation of grant management processes from the publication of the calls until signature of the grant agreements. ERCEA applied the following good practices:

·Ethics review process: ERCEA carries out the pre-screening of the ethics review with its own staff, making use of external experts for serious ethics issues. This allows flexibility to adapt the planning and cope with the workload, as the ethics review is not dependent on the availability of external ethics experts.

·ERCEA prepared very detailed ethics summary reports that describe in a clear and comprehensive manner all issues identified, including the ethics experts’ in-depth analysis of the ethical dimension of the projects.

·ERCEA developed a ‘quality control checklist’ which is used during the evaluation process to ensure compliance with the procedures and quality of the final results (i.e. the retained and reserve proposals).

The IAS acknowledged the ongoing efforts made by HaDEA to ensure the effective implementation of the internal control system for the initial phases of the Horizon Europe grant management processes in the context of an increasing workload and time pressure.

In particular, the IAS highlighted the following good practices:

·Before and during the evaluation process, the call coordinators regularly meet the project officers working on the evaluation to provide guidance and assistance and to discuss any issues, questions or clarifications that may arise.

·Some units have developed checklists for the evaluation and the grant agreement preparation process to support the work of the project officers and external experts. The checklists provide details for the different aspects of the process.

The IAS did not formulate any critical or very important recommendations.



Single Market, Innovation and Digital

0.17.Audit on human resources management (DG COMP)

The objective of the audit was to assess the adequacy of the design and the effectiveness and efficiency of the internal control system put in place by DG COMP to manage its human resources that support the achievement of its operational objectives.

There were no observations/reservations in the 2022 annual activity report of DG COMP that relate to the areas/processes audited.

The fieldwork was finalised on 15 May 2023. All observations and recommendations relate to the situation as of that date.

The IAS recognised several strengths:

On workload assessment and HR allocation, DG COMP has:

·developed a Directorate-General-wide workload assessment framework based on IT tools (PETRA and case management systems) and workload indicators covering all activities of the Directorate-General (all instruments, cases, policy work, horizontal and administrative tasks). In addition, each instrument network (antitrust, merger control and state aid control) has designed and implements its own more granular workload assessment/monitoring tool(s) at instrument level, adapted to the specific requirement of the instrument in terms of deadlines, case sensitivity and network size;

·established clear criteria for staff allocation to cases/projects based on the results of the workload assessment, as well as other qualitative considerations such as skills, complexity and/or political significance of the case;

·introduced a process by which the appropriateness of the allocation of staff to units, directorates and instrument networks is assessed on an ongoing basis. Based on the outcome, the Directorate-General re-allocates staff (temporarily or permanently) to other cases, projects or task forces to balance the workload across the organisation and to meet the Directorate-General’s priorities.

On organisational flexibility, DG COMP:

·has implemented a matrix organisational structure which makes it possible to create teams with staff from different units, either from within or outside an instrument network.

·DG COMP actively promotes and implements flexible staff redeployment (structural or ad-hoc ‘décloisonnement’) to address specific needs or peaks of work, through pooling of resources, project teams and task forces. The level of ‘décloisonnement’ is monitored by DG COMP’s Senior Management and the HR Correspondent.

·The HR Strategy provides guiding principles to management to:

-organise the ‘décloisonnement’ by establishing how the decisions should be formalised and how staff contributions to projects and task forces should be recognised;

-enhance the use of project teams as a way of providing possibilities for greater staff autonomy/responsibility.



On tone at the top, DG COMP:

·In 2018, DG COMP adopted a charter for people management, also known as the ‘10 DOs for people management’, through which managers committed to abide by the DG’s core values of responsibility, integrity, respect, trust and duty of care.

The IAS did not formulate any critical or very important recommendations.

0.18.Audit on the preparedness of the management and control systems for the 2021-2027 Space Programme implementation (DG DEFIS)

The objective of the audit was to assess if DG DEFIS’s management and control systems for the implementation of the 2021-2027 European Space Programme are adequately designed.

There were no observations/reservations in the 2022 annual activity report of DG DEFIS that relate to the area/process audited.

The fieldwork was finalised on 18 April 2023. All observations and recommendations relate to the situation as of that date.

The IAS identified the following strengths in DG DEFIS’s design of management and control systems for the 2021-2027 Space Programme implementation:

·Strong experience of DG DEFIS and entrusted entities with regard to the Space Programme’s components, but also to the programming phase of the programmes. The same teams that negotiated the contribution agreements and the financial framework partnership agreement were responsible for the implementation of the programmes in the previous and the new multiannual financial framework.

·The Procurement Board, which was previously only used in Copernicus, now scrutinises the procurement process of entrusted entities for all components of the Space Programme and monitors the contract implementation. Thus, the controls over the procurement processes were significantly strengthened.

·There is a very complete performance reporting process, with quarterly implementation reports submitted by the entrusted entities. The quarterly implementation reports not only cover financial reporting but also operational implementation, key performance indicators, risks and threats, etc. The content and structure of these reports is described in detail in the financial framework partnership agreement.

·Extensive ex ante controls following a complete checklist are carried out for each of the implementation reports submitted by entrusted entities. Once the controls are performed, entrusted entities receive feedback from DG DEFIS on the results of the controls performed and any lessons to be drawn.

·The fact that knowledge related to ex post controls has been transferred to the European Space Agency for the Space Programme (EUSPA), with the aim that the responsibility will also be transferred to EUSPA in the future. The ex post controls are being performed jointly by DG DEFIS-EUSPA with the purpose of teaching EUSPA how to perform the ex post controls.

·DG DEFIS has documented in writing a complete guideline for accounting of fixed assets. The yearly closing process includes an assessment of the accounting quality for the year, as well as an action plan for the following year.

The IAS identified one very important issue concerning security management plans for Galileo (global navigation satellite system), EGNOS (European Geostationary Navigation Overlay Service) and Copernicus (earth observation component of the EU’s space programme) and formulated one very important recommendation.

·Security management plans for Galileo, EGNOS and Copernicus

DG DEFIS should follow up and work with the relevant parties to ensure the formal approval of the outstanding security management plans as required by the new financial framework partnership agreements.

Additional information provided by DG DEFIS on the measures defined and/or implemented following the Internal Audit Service audit

DG DEFIS set up a detailed action plan, entailing: (i) the preparation of the security management plan for Copernicus; (ii) the completion of the individual security management plans for Copernicus, Galileo and EGNOS, to be adopted by each of the entities involved. Corrective measure (i) was completed in January 2024. The implementation of corrective measure (ii) is ongoing, with completion foreseen for June 2024.

0.19.Audit on ex ante controls of the Recovery and Resilience Facility payment requests (DG ECFIN)

The objective of the audit was to assess the adequacy of the design and the effective implementation of DG ECFIN’s ex ante controls for the assessment of the Recovery and Resilience Facility payment requests including the ‘Recovery and Resilience Facility control framework’ for the assessment of milestones and targets, and payment suspensions.

There were no reservations in the 2022 annual activity report of DG ECFIN that relate to the area/process audited.

The fieldwork was finalised on 10 November 2023. All observations and recommendations relate to the situation as of that date.

The IAS recognised the progress already made by DG ECFIN in setting up and implementing the ex ante controls for the preliminary assessment of the payment requests submitted by the Member States. Key elements include:

·Establishment of a comprehensive process calendar aimed at framing, planning and directing the process for the preparation of the preliminary assessment.

·Strong involvement of DG ECFIN legal unit in the payment requests assessment process for ensuring consistency of the preliminary assessments.

·Set up and implementation of methodologies for the assessment of milestones and targets and for suspension of payments.

·Definition and implementation of sampling approach for the performance of the ex ante controls on evidence underpinning the achievement of the milestones/targets provided by the Member States.

The IAS identified two very important issues concerning assessment of the audit and control milestones and protection of sensitive non-classified information, and formulated two very important recommendations.

·Assessment of the audit and control milestones

DG ECFIN, in cooperation with the Recovery and Resilience Task Force, should:

-further develop and formalise the existing guidance for the cases where DG ECFIN requests Member States to make additional commitments concerning actions stemming from milestones on audit and control. In particular, the guidance should:

·establish in which format DG ECFIN should receive the formal confirmation on the Member State’s commitment, if this is not included in the documentation supporting the payment request;

·define how DG ECFIN should follow up the fulfilment of such commitments; and

·define the criteria for determining the deadlines for the Member States to fulfil the commitments.

-clarify the relations between the ‘commitment framework’, the ‘framework for assessing milestones and targets under the Recovery and Resilience Facility Regulation’ (Annex 1 to COM(2023)99), and the ‘Reversal of Milestones and Targets under the Recovery and Resilience Facility’ (Annex II to COM(2023)545);

-ensure that the guidance on additional commitments is shared with relevant staff and decide whether the relevant information from the note should be shared with the Member States.

·Protection of sensitive non-classified information

DG ECFIN, in cooperation with the Recovery and Resilience Task Force, should:

-assess and define which Recovery and Resilience Facility related documents are sensitive non-classified in the framework of the Commission Decision on Security, and handle and store them according to the instructions;

-provide guidance and training to the relevant staff members on the identification, storage and handling of sensitive information related to the implementation of the RRF.

Additional information provided by DG ECFIN on the measures defined and/or implemented following the Internal Audit Service audit

DG ECFIN accepted all recommendations and submitted an action plan approved by the IAS, with actions to be implemented by the end of November 2024, addressing all recommendations. In particular, actions have been and will be taken with regard to the two very important findings related to the assessment of the audit and control milestones and the protection of sensitive non-classified information. DG ECFIN and SG RECOVER have started to prepare the specific RRF guidance notes and training material for staff as recommended by the IAS. The audit report was adopted on 29 January 2024 and the action plan agreed on 27 March 2024. This implies that DG ECFIN and SG RECOVER are in the early phases of implementation.

0.20.Monitoring assignment on the design and implementation of the Recovery and Resilience Facility (DG ECFIN)

The objective of the assignment was for the IAS: (1) to analyse the work of the European Court of Auditors and DG ECFIN on the adequacy of the design and the effective implementation of the control strategy for the Recovery and Resilience Facility, (2) to draw its own conclusions and (3) to use such information in the context of the preparation of its 2022 overall opinion.

Due to the nature of the engagement, there were no recommendations addressed to DG ECFIN as the service responsible for the implementation of the Recovery and Resilience Facility.

0.21.Audit on Eurostat’s role in the European Statistical System (DG ESTAT)

The objective of the audit was to assess whether Eurostat has in place an appropriate management and control system to effectively exercise its steering and supporting roles within the European Statistical System.

There were no observations/reservations in the 2022 annual activity report of Eurostat that relate to the area/process audited.

The fieldwork was finalised on 31 October 2023. All observations and recommendations relate to the situation as of that date.

The IAS acknowledged that Eurostat:

·guides and steers in an effective manner the work of the European Statistical System governance bodies at strategic (the European Statistical System Committee, expert groups on the national statistical institutes, the partnership group, ‘Directeurs Généraux des Instituts Nationaux Statistiques’), management (Director’s groups) and technical (expert groups and task forces) levels;

·has set up and maintains numerous expert groups and fora to facilitate the exchange of expertise among the European Statistical System partners;

·provides effective administrative/organisational support to the different European Statistical System bodies;

·supports the follow-up of recommendations made by the advisory bodies (the European Statistical Governance Advisory Board and the European Statistical Advisory Committee).

The IAS did not formulate any critical or very important recommendations.

0.22.Audit on European Anti-Fraud Office’s effectiveness in the area of fraud prevention activities (OLAF)

The objectives of the audit were to assess the design, effectiveness and efficiency of OLAF anti-fraud activities within the European Commission and assess the adequacy of the controls put in place by OLAF to ensure the legality and regularity of OLAF’s operations in implementing grants in relation to the EU anti-fraud programme.

There were no observations/reservations in the 2023 annual activity report of OLAF that relate to the area/process audited.

The fieldwork was finalised on 30 June 2023. All observations and recommendations relate to the situation as of that date.

The IAS acknowledged the continuous efforts by OLAF to support the Commission services in the design and implementation of their anti-fraud activities. Overall feedback received from the interviewed Directorates-General as part of the fieldwork of the audit was positive with respect to OLAF’s overall support on the anti-fraud training and activities as well as regarding the coordination role in the design of the Commission Anti-Fraud Strategy and its action plans. The availability and proactivity of OLAF was also highlighted by the interviewed Directorates-General in charge of implementing financial programmes.

The IAS did not formulate any critical or very important recommendations.

0.23.Consulting on the construction and completion of Wing M in Karlsruhe (JRC)

The terms of reference for the advisory engagement of the IAS on the construction and completion of Wing M in Karlsruhe divided the work into three phases. The note presenting the results of the IAS work on phase 3 ( 17 ) closed the last phase of the engagement, which focused on the functioning of the project team and all supporting services to bring the execution of the contracts to a successful end.

As this was a consulting engagement, the resulting report does not contain an audit opinion or conclusion and there are no formal recommendations. The report contains issues for consideration which will not be formally followed up by the IAS.

0.24.Audit on Horizon Europe - Grant management phase 1 (from publication of the calls until signature of the grant agreements) (REA)

The objective of the audit was to assess the adequacy of the design and the effective and efficient implementation of the internal control system for the Horizon Europe grant management processes (from the preparation of the call for proposals to the signature of the grant agreements) in REA, with a particular focus on:

·whether the grant agreements effectively support the achievement of the Horizon Europe objectives; and

·whether the processes in place ensure that the best research proposals are selected and translated into grant agreements in compliance with the applicable rules.

There are no reservations in the 2022 annual activity report of REA that relate to the area and processes audited.

The fieldwork was finalised on 8 December 2023. All observations and recommendations relate to the situation as of that date.

The IAS acknowledged the ongoing efforts made by REA to ensure the effective implementation of the internal control system for the Horizon Europe grant management processes (from the preparation of the call for proposals to the signature of the grant agreements) in the context of an increasing workload and time pressure. In particular, the IAS highlighted the following strengths:

·The main recommendations from the observers’ reports and their state of implementation, for each call, are included every six months in the Annex to the report of the Authorising Officers by Sub-Delegation for monitoring purposes.

·The network of call coordinators has regular meetings to provide assistance to call coordinators in implementing call evaluations and to follow up on the recommendations from the independent observer reports.

The IAS did not formulate any critical or very important recommendations.

Cohesion, Resilience and Values

0.25.Audit on corporate communication (DG COMM)

The objective of the audit was to assess whether the Commission’s governance framework for corporate communication, the monitoring of external communication actions across the Commission, and the internal control system for corporate communication campaigns managed by DG COMM are adequately designed and effectively implemented to support the political priorities of the College.

DG COMM’s 2022 annual activity report did not include any observations/reservations relating to the areas or processes audited.

The fieldwork was finalised on 4 July 2023. All observations and recommendations relate to the situation as of that date.

The IAS acknowledged the following good initiatives:

·In the current geopolitical environment marked by significant unforeseen events and a prolonged state of crisis, DG COMM demonstrated agility in adapting the design and implementation of two major corporate communication campaigns, namely NextGeneration EU and You are EU, which were still ongoing at the date of this report. Furthermore, using large-scale paid advertising for the first time, DG COMM has achieved good results by reaching very large audiences with these corporate campaigns. According to DG COMM estimates, the campaign for NextGeneration EU reached approximately 220 million citizens, with an estimated 100 million citizens being able to recall at least one campaign ad, while the You are EU campaign reached approximately 325 million people after the first ad wave. The next challenge for DG COMM will be to transform this output into real impact, such as an increased positive attitude of Europeans towards the Union and an increased level of support for the Union’s values and policies.

·DG COMM also adapted its corporate procurement solutions to support more efficiently the outsourcing activities of the corporate communication campaigns:

-In 2021, DG COMM concluded a dedicated framework contract to procure media planning and buying services, thus aligning with the prevailing market trend of engaging separate agencies for creative services and media planning and buying, thereby ensuring specialised support from a dedicated supplier. The contract made use of a new procurement tool, namely the Dynamic Purchasing System, currently in pilot phase in DG COMM, that allows increased supplier competitiveness, more flexibility and improved speed of delivery.

·Since 2021, DG COMM has also strengthened the terms of the service level agreements in the framework contracts with the suppliers of communication services, including quality indicators, targets, and negative consequences (liquidated damages for example) in case of non-compliance issues. The improved terms aim at ensuring that DG COMM is better equipped to monitor the performance of the communication agencies and react promptly in case of poor performance.

·Furthermore, in October 2022, DG COMM’s management approved an amended right of consent procedure aimed at monitoring the major communication actions of the Commission’s departments throughout their lifetime. This procedure, when implemented fully and effectively, is expected to strengthen DG COMM’s leadership in the external communication domain by emphasising its role in: (1) aligning major communication actions with political priorities and (2) providing Directorates-General and services with timely political and operational feedback.

The IAS did not formulate any critical or very important recommendations.

0.26.Audit on measuring and reporting on the performance of technical support projects (DG REFORM)

The analysis was finalised on 7 April 2022. All conclusions relate to the situation as of that date.

The objective of the audit was to assess the adequacy of the design and the effective implementation of DG REFORM’s processes and controls on performance measurement and the reporting of project outcomes and results.

There were no observations/reservations in the 2022 annual activity report of DG REFORM that relate to the area/process audited.

The fieldwork was finalised on 25 November 2022. All observations and recommendations relate to the situation as at that date.

The IAS recognised the ongoing efforts made by DG REFORM, particularly in the light of its resourcing challenges, to improve the controls over performance measurement and reporting. The IAS identified the following strengths and good practices in these areas:

·The establishment of the Evaluation Project Team in September 2019 led to a number of good practices put in place by the Directorate-General in the area, such as the updating of the Request for Support template completed by Member State’s Beneficiary Authorities, to include logical framework approach ( 18 ) components, the sharing of best practices with operational units and the planning of ‘knowledge hours’ where Policy Officers will be briefed about evaluation practices.

·As of 2021, the Directorate-General has been providing other Directorates-General and Member State’s Coordinating Authorities access to key project information, such as implementation dates, funding amounts and state of play (via a ‘monitoring dashboard’).

·The Directorate-General has provided training sessions to Policy Officers informing them about the differences between output, outcome and impact indicators and the need to distinguish between these metrics from the outset of the technical support projects (i.e. at the design stage). In addition, the Directorate-General has supported the Policy Officers in designing the logical framework approach by acquiring specialised consulting services in the area.

·DG REFORM has developed a process to gather stakeholders’ views on the Structural Reform Support Programme/the technical support instrument projects through sending out questionnaires to these stakeholders at the project completion stage (satisfaction questionnaires) and 6, 12, or 18 months following the completion of technical support projects (outcome questionnaires).

The IAS identified one very important issue concerning performance measurement methodology and formulated one very important recommendation.

·Performance measurement methodology

DG REFORM should:

-strengthen its current monitoring system to ensure that it collects objective and reliable data allowing it to monitor the result/outcome indicators set at project level (during the design stage) in order to be able to monitor the achievement of project objectives and report on the result (outcome) indicator at aggregated (programme) level, as required by the technical support instrument regulation;

-ensure that it collects objective and reliable data that will allow it to monitor the achievement of the objectives set in the Country Support Plans and report on the impact indicator at aggregated (programme) level, as required by the technical support instrument regulation;

-to strengthen the reliability of the outcome questionnaires, involve external (independent) parties in the assessment of the responses that are provided by beneficiary authorities to outcome questionnaires.

Additional information provided by DG REFORM on the measures defined and/or implemented following the Internal Audit Service audit

DG REFORM presented an action plan in June 2023, which was accepted by the IAS. The implementation of both recommendations has already started. Some areas for improvement identified during the audit were already addressed before completion of the audit by the IAS; the work on the others is ongoing. However, since both recommendations impact an important process of the department (assessment of the reliability of performance information) and implementation is scheduled by end 2024, the declaration of the Director in charge of risk management and internal control duly reflects this issue.

0.27.Limited review on HERA’s assessment of its internal control framework for the 2022 annual activity report

The objective of the limited review was to assess if the Authorising Officer by Delegation has performed an adequate overall assessment of the presence and functioning of all internal control principles and components as laid down in the Communication on the revision of the internal control framework.

The fieldwork was finalised on 15 March 2023. All observations and recommendations relate to the situation as of that date.

The IAS recognised the ongoing efforts made by HERA to set up and implement its internal control framework, as well as the achievement made in performing its first assessment, despite the operational challenges it initially faced as a newly created entity. In this context, the IAS noted the following:

·HERA has actively sought and followed the advice and guidance from the central services for the definition of its internal control monitoring criteria and the assessment of the implementation of the internal control principles.

·HERA prepared a note on the 2022 annual assessment to describe and formalise the elements to be taken into account during the assessment.

·HERA swiftly addressed the issues identified by the IAS during this review.

·HERA has prepared an action plan with specific deadlines and units responsible to develop and put in place procedures to address shortcomings of its internal control framework.

The IAS did not formulate any critical or very important recommendations.

Natural Resources and Environment

0.28.Audit on the financial clearance of accounts (DG AGRI)

The objective of the audit was to assess the adequacy of the controls put in place by DG AGRI for carrying out the annual financial clearance of the European Agricultural Guarantee Fund and the European Agricultural Fund for Rural Development (EAFRD) accounts and their effective implementation to ensure that the expenditure reimbursed from the EU budget is eligible, regular and correctly recorded in the EU accounts. The annual financial clearance of accounts is one of the building blocks of the control system put in place by DG AGRI for the Director-General to be able to provide a reasonable assurance that the Common Agricultural Policy expenditure is eligible, regular and correctly recorded in the EU accounts.

In the 2022 annual activity report of DG AGRI ( 19 ), the Director General raised reservations on the European Agricultural Guarantee Fund market measures, the European Agricultural Guarantee Fund Direct Payments and EAFRD Rural development measures in relation to 47 paying agencies for a potential financial impact of 47,179 and 329 million euro respectively.

The fieldwork was finalised on 20 September 2023. All observations and recommendations relate to the situation as of that date.

The IAS recognised that DG AGRI has designed and implements a robust and comprehensive control framework to carry out the annual financial clearance exercise. Templates and instruction notes cover all legal requirements. The information supplied by the Member States is thoroughly scrutinised, and where problems are identified, these are adequately resolved or followed up via a conformity procedure.

Furthermore, DG AGRI staff ensured the timely completion of the clearance exercise despite the heavy workload and the tight deadlines.

The IAS did not formulate any critical or very important recommendations.

Migration and border management

0.29.Audit on the preparedness for closing actions and programmes funded under the Internal Security Fund and the Asylum, Migration and Integration Fund through direct and shared management (DG HOME)

The objective of the audit was to assess the effective implementation of the controls put in place by DG HOME for: (1) closing the Union actions and Emergency Assistance grants under direct management; and (2) the annual clearances for the national programmes funded through the Asylum, Migration and Integration Fund and the Internal Security Fund for the 2014-2020 programming period under shared management, as a proxy for their final closure and the adequacy of DG HOME’s preparatory steps for the final closure of such national programmes.

There were two observations/reservations in the 2022 annual activity report of DG HOME that relate to the area/process audited.

The fieldwork was finalised on 12 July 2023. All observations and recommendations relate to the situation as of that date.

The IAS recognised the following strengths:

·For both direct and shared management, DG HOME operates processes and controls that have been utilised and fine-tuned over a long period of time and can be considered as mature. Many of the checks performed on the actions are reliably and continuously supported by IT tools used for the Asylum, Migration and Integration Fund and the Internal Security Fund programmes, which capture the required information, helping to provide a proper audit trail. The checks established cover most risks associated with the implementation of grants and/or national programmes and are in general executed and documented in a consistent manner.

·DG HOME has established solid guidance in the form of manuals that cover all the processes operated and describe the procedure of checks to be done in good detail. The manuals are also suited to support the onboarding of new staff.

·Staff commitment is visible in many artifacts: checklists are often filled in with great detail and there is documentation of cases in which the different actors discussed diverging opinions with solid arguments. Finally, our interviewed colleagues showed great dedication and knowledge of many specifics as well as of the macro processes.

The IAS did not formulate any critical or very important recommendations.

Neighbourhood and the world

0.30.Audit on financial management of humanitarian aid under indirect management (DG ECHO)

The objective of the audit was to assess the adequacy and effectiveness of selected control activities in DG ECHO to ensure the legality and regularity of the humanitarian aid spending under indirect management.

There were no observations and reservations in the 2022 annual activity report of DG ECHO that relate to the area and processes audited.

The fieldwork was finalised on 23 October 2023. All observations and recommendations relate to the situation as of that date.

The IAS acknowledged a number of strengths:

·The ongoing efforts made by DG ECHO to support humanitarian aid actions in third countries, often in extremely difficult circumstances, and the high level of dedication, professionalism and knowledge of DG ECHO staff working in all the units implementing humanitarian aid actions from an operational and financial point of view.

·DG ECHO field experts and desk officers make clear and extensive comments and conclusions on their operational assessment of the proposals, amendments and final report despite the high workload and the urgency to address a number of crises that unfolded in 2022 and 2023.

The IAS did not formulate any critical or very important recommendations.

Information technology

0.31.Limited review on the security plan and associated security measures of the EU emissions trading system (ETS) information system managed by the Directorate-General for Climate Action (DG CLIMA)

The objective of the limited review was to assess whether DG CLIMA has designed adequate security measures in the IT security plan ( 20 ) for the EU ETS information system and established an effective framework for their implementation.

Since 2010, DG CLIMA has continuously issued in its annual activity reports a reservation on reputational, legal, and financial grounds related to security weaknesses identified in the Union Registry of the EU ETS. In its 2021 and 2022 annual activity reports, DG CLIMA reported that the unmitigated residual risks remained too high to be acceptable by the Director General.

The fieldwork was finalised on 21 February 2023. All observations and recommendations relate to the situation as of that date.

The IAS acknowledged a number of strengths:

·DG CLIMA’s IT unit in charge of the EU ETS information system, CLIMA E.3 ‘Climate information system’, is strongly committed to providing high quality services and to meeting the challenges posed by the information security needs. Over the years, the unit has built a strong competence in the field of security, in close cooperation with the Security Directorate of the Directorate-General Human Resources and Security (DG HR), and it has continuously improved its coordination and partnership with DG DIGIT.

·DG CLIMA carried out a risk analysis for the EU ETS information system in 2022 with the same methodology (MAGERIT) and the same risk assessment tool (PILAR) as for the previous exercise in 2018, while remaining aligned with the IT security risk management proposed by the Commission (ITSRM). This has ensured that the current IT security plan is consistent with the previous one and that there is coherence and continuity in the security measures derived from it.

The IAS identified two very important issues concerning the IT security plan and the implementation of the IT security plan, and formulated two very important recommendations.

·IT security plan

DG CLIMA should:

-assess the IT security risks and review the security plan on a yearly basis. It should also define the role of stakeholders (experts from the IT and business side) in the annual review process;

-document the discussions and decisions taken on future risk assessments for the EU ETS information system, in particular, changes in the tools supporting threat analysis and risk assessment. Furthermore, the participation of key stakeholders, notably DG DIGIT, should be sought to share and validate the deliverables of the risk assessment using existing governance bodies such as the IT security working group;

-correct the IT security plan’s erroneous statement regarding the acceptance of residual risks and ensure that any accepted risks regarding the security of the ETS information system are consistently communicated and documented in its security plans and the annual activity report.

·Implementation of the IT security plan

DG CLIMA should:

-in the short term, submit a request to DG DIGIT and report to the Information Technology and Cybersecurity Board on data encryption solutions for the Union Registry database;

-improve the monitoring of the requirements and success criteria of each security measure defined in the IT security plan. Any significant delay and deviations must be explained in writing and validated in the EU Registry Steering Committee that may then decide to revise the IT security plan;

-discuss with DG DIGIT what information needs to be provided in order to monitor the effectiveness of the security controls for the EU ETS information system security with the view to agreeing an updated Memorandum of Understanding and a Service Level Agreement accordingly.

Additional information provided by DG CLIMA on the measures defined and/or implemented following the Internal Audit Service audit

DG CLIMA has developed an action plan, of which most actions were already taken by the end of 2023 with respect to the implementation of the two very important recommendations. Namely, DG CLIMA (i) conducted a formal review of the IT Security Plan annually and followed up on the status of implementation of the security measures, (ii) reviewed and updated the roles of the stakeholders in the risk assessment, and (iii) documented the decisions taken throughout the risk assessment and review process. These actions will be continued and become a common practice. DG CLIMA is on track to complete the implementation of all recommendations by the end of 2024 as foreseen.

0.32.Audit on the CASE@EC project (DG COMP)

The objective of the audit was to assess if the governance and internal control processes for the CASE@EC project are adequately designed and effectively and efficiently implemented to: (1) ensure security and corporate reusability of the case management platform and (2) support DG COMP’s core business processes (including the registration).

There were no observations/reservations in the 2022 annual activity report of DG COMP that relate to the area/process audited.

The fieldwork was finalised on 26 June 2023 and was followed by a thorough validation process from July to September 2023. During this period, DG COMP provided the IAS with additional information about the control measures already in place, or those being implemented to address the issues identified in this audit. However, the IAS could not test the adequacy of these new controls. Therefore, all observations and recommendations relate to the situation as of 26 June 2023, complemented where appropriate, with the additional information provided by DG COMP after that date.

The IAS noted the following strengths regarding CASE@EC project delivery:

·The development of the project continues to progress in a way which helps to deliver new case management functionalities for DG COMP and for other Commission departments.

·The comprehensive involvement of stakeholders from different Directorates-General helps the project to deliver a reusable case management platform for Commission services.

·The project management process has included the regular communication between the business managers and IT management, which has created a platform for integrating the business needs and requirements into the system development.

·The project has integrated all DG COMP’s registration processes (relating to different instruments and horizontal projects) into a single tool, which has allowed DG COMP to exploit the benefits of business process standardisation and centralisation.

·The rolling out of the different modules of the system allows DG COMP to phase out its legacy systems which are no longer supported by the vendors.

·The initial challenges involved in the first rollout in September 2021 were successfully managed in order to provide reliable functionalities for the implemented business processes (such as registration, State Aid instruments, horizontal tasks).

·The project successfully managed to address, at very short notice, unplanned milestones such as the Digital Markets Act ( 21 ), Digital Services Act ( 22 ) and Foreign Subsidies Regulation ( 23 ) instruments.

The IAS identified two very important issues concerning IT security arrangements, and administrative and technical controls, and formulated two very important recommendations.

·IT security arrangements

DG COMP should:

-strengthen its organisational security functions, complete the update of specific design documents and reperform the vulnerability assessment on the next version of the IT system.

·Administrative and technical controls

DG COMP should:

-perform a revision of the access management processes and improve the monitoring of sensitive activities and evaluation of related security risks.

Additional information provided by DG COMP on the measures defined and/or implemented following the Internal Audit Service audit

DG COMP accepted the recommendations, and an agreed action plan is being implemented.

0.33.Audit on the management of information technology security (DG EAC)

The objective of the audit was to assess the adequacy of the design and the effective and efficient implementation of control processes put in place by DG EAC for managing the security of the IT systems under its responsibility.

There were no observations/reservations in the 2022 annual activity report of DG EAC that relate to the area/process audited.

The fieldwork was finalised on 19 October 2023. All observations and recommendations relate to the situation as of that date.

The IAS recognised the overall maturity of the IT arrangements and associated competencies and expertise in DG EAC, which have been developed over a number of years. This can be seen more specifically in the area of IT security management through a number of good practices the IAS identified. These include:

·strong IT governance arrangements at DG level;

·DG EAC IT landscape implementing Erasmus+ and European Solidarity Corps programmes follows the principles of the European Commission Digital Strategy and makes use of corporate services ( 24 ), as well as tightly integrates reusable components ( 25 );

·all IT systems are hosted in the corporate data centre under the responsibility of the Directorate-General for Digital Services, with the exception of the European Youth Portal front-end, which is hosted in Amazon Web Services, allowing DG EAC’s direct IT resources to focus on IT business applications’ life cycle;

·clear organisation and well defined roles and responsibilities within unit EAC.R.4, following a recent reorganisation in two main sectors (IT support & operations, IT programme management) with horizontal IT portfolio and a management support team.

The IAS identified one very important issue concerning data classification and formulated one very important recommendation.

DG EAC should:

-update the IT Security Plans for the Indirect Grant Management, in line with ITSRM2 practices and specifically:

·distinguish between primary and secondary data sets per (sub) modules of the Indirect Grant Management;

·ensure alignment between the business impact assessment results per data set and confidentiality, integrity and availability levels in the IT security plan;

·define controls for each data set which are proportionate to the risk exposure and ensure they are formally accepted by the system (module) owner;

·define and document the quantitative mitigation factors which support the calculation of residual risk levels and ensure these are accepted by senior management. 

Additional information provided by DG EAC on the measures defined and/or implemented following the Internal Audit Service audit

An action plan was agreed with the IAS. The actions aim to enhance security incident management procedures by updating reporting and resolution processes. They also emphasize security in existing change management, configuration management, and software testing processes. Additionally, they prioritise exploring corporate solutions for improved logging and monitoring.


Part 2
Follow-up engagements
 

1.Audits for which some recommendations remain open

1.0.Audit on IT security management in the human resources family (DG DIGIT, DG HR, PMO, EPSO)

Follow-up performed in DG HR:

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 2 (very important): logical system-related controls

·Recommendation No 3 (very important): IT service provider management

The following recommendation was not fully and/or adequately implemented:

·Recommendation No 1 (very important): IT security governance

DG HR has partially implemented the mitigating measures for this recommendation. The information systems inventory GovIS2 is regularly updated, and IT security compliance is monitored and periodically reported to the IT Steering Committee. Additionally, IT security roles and responsibilities were reviewed and agreed between DG HR and DG DIGIT. Moreover, DG HR documented the IT security plans for its key information systems.

However, DG HR was unable to provide the IAS with any documentary evidence to confirm that the security measures (including those with high and medium criticality) listed in DG HR newly drafted IT security plans were implemented and monitored in practice.

In addition, DG HR has yet to appoint System Security Officers for 15 information systems (amounting to 75% of the total).

Follow-up performed in DG DIGIT:

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 1 (very important): logical system-related controls.

·Recommendation No 2 (very important): IT service provider management.

All recommendations from this audit addressed to DG DIGIT have been closed.

Follow-up performed in EPSO:

Based on the results of the follow-up audit, the IAS concluded that the following recommendation was adequately and effectively implemented:

·Recommendation No 1 (very important): IT security governance

The following recommendations were assessed as not fully and/or adequately implemented:

·Recommendation No 2 (important): logical system-related controls.

EPSO has established a user access management procedure together with DG DIGIT. The procedure is valid for the production and the maintenance ( 26 ) environments. DG DIGIT has programmed a script to regularly review and ensure that the accounts for EPSO users who left or changed jobs are deactivated. DG DIGIT has confirmed that they have not created test accounts in the production of any EPSO IT systems. The user access review is applied to two of the EPSO IT systems, but EPSO still has to implement the process for the three remaining IT systems. EPSO also improved the logging and monitoring processes, to reduce the risk of a data breach. However, the logging and monitoring processes that have been implemented are only partially documented.

EPSO has started using the application security testing service ( 27 ) offered by DG DIGIT S.1 Cybersecurity policy implementation in the fourth quarter of 2022. DG DIGIT has finalised the application security testing for three EPSO IT systems, with two IT systems remaining to have the tests planned. EPSO plans to launch the application security testing exercise annually for the IT systems that have gone through significant changes potentially impacting information security. The findings raised during the application security testing exercises are logged, prioritised and monitored by EPSO and DG DIGIT.

EPSO reviewed the IT security incident management process to detect, report and assess IT security incidents collaborating with DG DIGIT.

EPSO reviewed the template for the change management requests and added a new subsection ‘security and data protection’ to include information on IT security impact for every change request. EPSO and DG DIGIT monitor the progress of the changes approved. However, periodic meetings involving the business representatives and the c-LISO to follow up on the agreed change requests still have to be put in place. The IAS invited EPSO to reinforce the communication in this respect and explain the existence of the new subsection to the people in charge of filling in the change request template. The minutes of the meetings where the change requests are discussed with the Local Information Security Officer and business representatives should also be documented. The IAS acknowledged the progress made by EPSO on this activity and invited it to implement the missing actions.

Although EPSO has improved the logging and monitoring of IT security related events, the following are still missing: (a) a policy and structured approach; (b) the involvement of EPSO management in the approval of any policy; (c) sufficient evidence that the use of logged events facilitates the incident response on an automatic basis.

In addition, EPSO has not finalised the activities launched to strengthen the security on data in motion ( 28 ). EPSO has identified three actions to secure personal data, out of which one has been implemented. As these activities have not been approved by EPSO management, the activities have not been planned and prioritised yet.

·Recommendation No 3 (important): IT service provider management.

EPSO and DG DIGIT have collaborated on drafting the Service Level Agreement. The document has been signed.

EPSO assessed whether the secure hosting service would provide a feasible and more secure solution for the EPSO systems. DG DIGIT prepared a comparative assessment of the hosting solution which evaluates the existing gaps between the current basic hosting service and the requested secure hosting service. EPSO has taken into consideration the outcome of the DG DIGIT assessment, together with the fact that several systems will be replaced within one year by new tools, the constrained budgetary resources, and an estimation for the implementation time. Based on these factors, EPSO concluded that the implementation of the secure hosting service is not worth the investment and effort. EPSO Senior Management accepted the proposal to stay with the basic hosting service and accepted the residual risk. However, the replacement of several systems by new tools depends on a separate IT programme which could be subject to delays and changes. This means that the current IT systems could stay longer in production. Additionally, EPSO has not indicated if the new IT systems would fully mitigate the IT security risks or if other mitigating measures are planned to satisfy essential IT security requirements. The new HR transformation programme impacts the agreed action plan and puts on hold the identified measures. Based on these changes, the IAS would need evidence that the new measures address the risk identified.

Follow-up performed in PMO:

Based on the results of the follow-up audit, the IAS concluded that the following recommendations have been adequately and effectively implemented:

·Recommendation No 1 (very important): IT security governance and risk management

·Recommendation No 2 (important): logical system-related controls

·Recommendation No 3 (important): IT service provider management

All recommendations from this audit addressed to PMO have been closed.

1.1.Audit on monitoring the implementation and performance of 2014-2020 operational programmes in DG REGIO, DG EMPL and DG MARE

Follow-up performed in DG EMPL:

Based on the results of the follow-up audit, the IAS concluded that the following recommendation was not fully and/or adequately implemented:

·Recommendation No 2 (very important): performance data reliability.

DG EMPL together with DG REGIO and the Joint Audit Directorate undertook a number of specific actions with regard to performance data reliability.

However, the IAS noted that DG EMPL did not update its strategy for a performance-based culture for the 2014-2020 period to ensure a consistent approach on assurance on the reliability of performance data.

Taking into consideration the actions on performance data reliability already implemented by DG EMPL together with DG REGIO and the Joint Audit Directorate, the IAS considered that the risk of unreliable performance data has been partially reduced. Therefore, the recommendation was downgraded from very important to important.

Follow-up performed in DG REGIO:

Based on the results of the follow-up audit, the IAS concluded that the following recommendation has been adequately and effectively implemented:

·Recommendation No 2 (very important): performance data reliability.

All recommendations from this audit addressed to DG REGIO have been closed.

1.2.Audit on the preparation for the 2021-2027 programming period by DG REGIO, DG EMPL and DG MARE

Follow-up performed in DG EMPL:

Based on the results of the follow-up audit, the IAS concluded that the following recommendation was adequately and effectively implemented:

·Recommendation No 2 (important): support to Member States in the preparation of the 2021-2027 programming period.

1.3.Audit on interruptions, suspensions and financial corrections for the European Structural and Investment Funds 2014-2020 by DG REGIO, DG EMPL and DG MARE

Follow-up performed in DG EMPL:

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 2 (very important): key criteria for preventing measure.

·Recommendation No 4 (very important): warning letters.

·Recommendation No 5 (very important): warning letters as additional preventive measures.

·Recommendation No 7 (very important): financial corrections.

·Recommendation No 10 (important): implementation of preventive and corrective measures.

·Recommendation No 11 (important): implementation of preventive and corrective measures.

·Recommendation No 15 (important): Monitoring and reporting on ISFC process.

Follow-up performed in DG MARE:

Based on the results of the follow-up audit, the IAS concluded that the following recommendation was adequately and effectively implemented:

·Recommendation No 8 (very important): financial corrections.

Follow-up performed in DG REGIO:

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 1 (very important): key criteria for preventing measures.

·Recommendation No 3 (very important): warning letters.

·Recommendation No 6 (very important): financial corrections.

·Recommendation No 9 (important): Implementation of preventive and corrective measures.

1.4.Audit on the implementation of anti-fraud actions in the research area in DG CNECT, DG RTD, CINEA, EISMEA, ERCEA, REA

Follow-up performed in DG RTD:

Based on the results of two follow-up audits, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 1 addressed to the Common Implementation Centre (important): fraud prevention (guidance, trainings, tools).

·Recommendation No 2 addressed to the Common Implementation Centre (important): notifications of potential fraud or irregularities to OLAF.

·Recommendation No 3 addressed to the Common Implementation Centre (important): handling of projects under OLAF investigation.

·Recommendation No 4 addressed to the Common Implementation Centre (important): monitoring of the anti-fraud activities.

·Recommendation No 5 addressed to the Common Implementation Centre (important): other findings.

·Recommendation No 1 addressed to DG RTD (important): fraud prevention (training).

·Recommendation No 2 addressed to DG RTD (important): handling of projects under OLAF investigation.

All recommendations from this audit addressed to DG RTD have been closed.

Follow-up performed in CINEA:

Based on the results of the follow-up audit, the IAS concluded that the following recommendation was adequately and effectively implemented:

·Recommendation No 1 (important): findings at the level of INEA ( 29 ).

All recommendations from this audit addressed to CINEA have been closed.

Follow-up performed in EISMEA:

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 1 (important): notifications of potential fraud or irregularities to OLAF.

·Recommendation No 2 (important): handling projects under OLAF investigation.

All recommendations from this audit addressed to EISMEA have been closed.

Follow-up performed in ERCEA:

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 2 (important): notifications of potential fraud or irregularities to OLAF.

·Recommendation No 3 (important): handling of projects under OLAF investigation.

The following recommendation was not fully and/or adequately implemented:

·Recommendation No 1 (important): fraud prevention (training).

ERCEA made attendance at the anti-fraud trainings compulsory for new staff recruited in 2021-2022. However, ERCEA did not adequately monitor the effective attendance of newcomers, as only 39% and 27% of newcomers attended anti-fraud trainings in 2021 and 2022 respectively ( 30 ).

Follow-up performed in REA:

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 1 (important): notifications of potential fraud or irregularities to OLAF.

·Recommendation No 2 (important): handling of projects under OLAF investigation.

All recommendations from this audit addressed to REA have been closed.

1.5.Audit on the management of experts in Horizon 2020 grants in DG CNECT, DG RTD, EASME, CINEA and REA

Follow-up performed in CINEA:

Based on the results of two follow-up audits, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 12 (important): terminations of experts’ contracts and related payments.

·Recommendation No 16 (important): data protection – training and raising awareness of the staff.

All recommendations from this audit addressed to CINEA have been closed.

Follow-up performed in DG RTD:

Based on the results of two follow-up audits, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 1 (important): planning and reporting on the activities of the Expert Management Business Process (the Common Implementation Centre).

·Recommendation No 2 (important): planning and reporting on the activities of the Expert Management Business Process.

·Recommendation No 3 (very important): monitoring of participation pattern of independent experts and respect of rotation rules.

·Recommendation No 4 (important): respect of the public procurement rules.

·Recommendation No 6 (important): guidance on expert management.

·Recommendation No 7 (important): management of ethics experts.

·Recommendation No 9 (important): terminations of experts’ contracts and related payments.

·Recommendation No 14 (important): availability of complete and reliable data on experts.

·Recommendation No 17 (important): data protection – training and raising awareness of the staff.

The following recommendation was not fully and/or adequately implemented and was downgraded from very important to important:

·Recommendation No 5 (very important): processing of experts’ personal data.

DG RTD/CIC:

-updated in 2022 the guidance note ‘Selection of evaluators in Horizon Europe’ including practical recommendations and best practices on the checks to be done, the use of social media/internet and the processing of personal data of experts retrieved from external sources;

-added in the EU Experts Call for Expression of interest, Funding & Tenders Portal Expert Database 2021-2027 ( 31 ) a reference to the processing of personal data of experts retrieved from external sources;

-completed the work of the Task Force on Elimination and Retention Safeguards leading to the elimination of over 5 million obsolete structured personal data records from DG RTD’s IT systems;

-reminded in January 2023 the operational controllers (i.e. Directors and/or Heads of Unit) in DG RTD about their obligations to ensure the timely closure of relevant files and the implementation of the retention actions indicated in the retention list. The note provided guidance for the operational controllers to take all appropriate measures to erase the personal data that have passed their retention period;

-reminded the operational controllers (the Heads of Unit) to delete all obsolete personal data from personal/shared drives and to eliminate all structured personal data on paper by the end of September 2023;

-organised a specific training on Data protection aspects in experts’ management in November 2022;

-published on the Funding & Tenders Portal the experts’ data for Horizon Europe for 2021 and 2022. The lists contained the names of the experts and their fields of expertise, as per Article 49 (3) of Horizon Europe Regulation.

The privacy statement for experts on the Funding & Tenders Portal has not yet been updated and the revision of the related privacy record has not been completed. Considering the actions already taken, i.e. that DG RTD has partially mitigated the risks as regards the processing of personal data of experts retrieved from external sources, the IAS downgraded the recommendation from very important to important.

Follow-up performed in EISMEA:

Based on the results of the follow-up audit, the IAS concluded that the following recommendation was adequately and effectively implemented:

·Recommendation No 13 (important): termination of experts’ contracts and related payments.

All recommendations from this audit addressed to EISMEA have been closed.

Follow-up performed in REA:

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 8 (important): terminations of experts’ contracts and related payments.

·Recommendation No 11 (important): terminations of experts’ contracts and related payments.

All recommendations from this audit addressed to REA have been closed.

1.6.Audit on the protection of personal data under the responsibility of REA, EACEA, EISMEA, CINEA, ERCEA, DG RTD/CIC

Follow-up performed in REA:

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 2 (important): record management.

·Recommendation No 3 (important): controllership for processes using corporate systems.

·Recommendation No 4 (important): data subjects’ rights.

·Recommendation No 5 (important): controllership record REA-2019-09.

·Recommendation No 6 (important): handling of data breaches.

Follow-up performed in EACEA:

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 2 (important): record management.

·Recommendation No 3 (important): controllership for processes using corporate systems.

·Recommendation No 4 (important): data subjects’ rights.

·Recommendation No 5 (important): controllership records EACEA-2019-06 and EACEA-002-2020.

Follow-up performed in EISMEA:

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 3 (important): controllership for processes using corporate systems.

·Recommendation No 4 (important): data subjects’ rights.

·Recommendation No 5 (important): retention of digital and paper files.

·Recommendation No 6 (important): handling of personal data breaches.

The following recommendation was not fully and/or adequately implemented:

·Recommendation No 2 (important): record management.

With regard to the publication of the records of all established processing operations, EISMEA has updated the list of processes and published all records, but ten out of 44 records remain to be finalised (i.e. they were published as draft).

Follow-up performed in ERCEA:

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 3 (important): controllership for processes using corporate systems.

·Recommendation No 4 (important): data subjects’ rights.

·Recommendation No 5 (important): transfer of personal data to third countries.

·Recommendation No 6 (important): retention of digital files.

Follow-up performed in CINEA:

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 2 (important): record management.

·Recommendation No 3 (important): controllership for processes using corporate systems.

·Recommendation No 4 (important): retention of digital files.

1.7.Audit on EC-EEAS coordination in DG INTPA, DG NEAR and EEAS

Follow-up performed in DG INTPA:

Based on the results of two follow-up audits, the IAS concluded that the following recommendation was adequately and effectively implemented:

·Recommendation No 3.1 (important): multiannual programming.

The recommendations listed below were not fully and/or adequately implemented:

·Recommendation No 2.1 (important): working arrangements.

The IAS acknowledged that DG INTPA has made progress in implementing this recommendation. It participated in the negotiations at Head of Unit level with DG NEAR, FPI and EEAS and submitted a draft version of the working arrangements to SG.

However, these working arrangements have not yet been finalised and adopted. The SG has been collecting feedback from the Directorates-General involved to ensure that all aspects related to coordination between the Commission and the EEAS are included in the draft version of the working arrangements. Once this phase is completed, the working arrangements will be subject to an informal inter service meeting and subsequently the formal inter service consultation will be launched. Neither of these two phases had been scheduled at the time of the follow-up.

·Recommendation No 2.5 (important): official procedures in GoPro.

According to the IAS recommendation, DG INTPA should ensure that the updated working arrangements are uploaded in GoPro, where the official procedures are maintained. This action will only be completed once the working arrangements are adopted.

Follow-up performed in DG NEAR:

Based on the results of the follow-up audit, the IAS concluded that the following recommendation was adequately and effectively implemented:

·Recommendation No 3.2 (important): multiannual programming.

The following recommendation was not fully and/or adequately implemented:

·Recommendation No 2.2 (important): working arrangements.

The IAS acknowledged that DG NEAR has made progress in implementing this recommendation. It participated in the negotiations at Head of Unit level with DG INTPA, FPI and EEAS. DG INTPA submitted a draft version of the working arrangements to SG.

However, these working arrangements have not yet been finalised and adopted. The SG has been collecting feedback from the DGs involved to ensure that all aspects related to coordination between the Commission and the EEAS are included in the draft version of the working arrangements. Once this phase is completed, the working arrangements will be subject to an informal inter service meeting and subsequently the formal inter service consultation will be launched. Neither of these two phases had been scheduled by the time of the follow-up.

1.8.Audit on intellectual property rights supporting activities in DG DIGIT, DG COMM, DG GROW, JRC, OP

Follow-up performed in DG DIGIT:

Based on the results of the follow-up audit, the IAS concluded that the following recommendations have been adequately and effectively implemented:

·Recommendation No 1 (important): efficiency and effectiveness of intellectual property rights management in DG DIGIT.

·Recommendation No 4 (important): software and IT solutions.

All recommendations from this audit addressed to DG DIGIT have been closed.

1.9.Audit on pillar assessment in DG BUDG and DG INTPA

Follow-up performed in DG BUDG:

Based on the results of the follow-up audit, the IAS concluded that the following recommendation was adequately and effectively implemented:

·Recommendation No 1 (very important): corporate oversight role.

The following recommendation was assessed as not fully and/or adequately implemented:

·Recommendation No 12 (very important): substantive changes.

DG BUDG:

-included in the template for the management declaration a part requiring the pillar assessed entities to confirm that no substantial changes, which have not yet been communicated to the European Commission, affect the entity’s rules and procedures ( 32 );

-established the corporate procedure that the lead services should follow when a pillar-assessed entity notifies that it has made changes to its systems, rules or procedures;

-specified the measures that the lead service should take when its analysis (which may be supported by the work of an independent auditor) confirms the substantive nature of the changes notified;

-provided room for including information related to substantive changes in the current central repository ( 33 ).

Moreover, DG BUDG has been working on the establishment of the Pillar Assessment Automated Workflow tool, which will enable the Commission services to process all stages of the pillar assessment, including the processing of the information on changes notified (submission of the information by the pillar-assessed entities, and their analysis by the lead services). However, as the tool was supposed to be operational at the earliest by the end of 2023, the lead services could not directly update the information on substantive changes in the Pillar Assessment Automated Workflow tool by the time of the follow-up.

Given that DG BUDG has addressed the high risks identified by the audit, the recommendation was downgraded from very important to important.

Follow-up performed in DG INTPA:

Based on the results of the follow-up audit, the IAS concluded that the following recommendation was adequately and effectively implemented:

·Recommendation No 27 (important): Follow-up of verification mission recommendations related to findings that may affect pillar compliance.

All recommendations from this audit addressed to DG INTPA have been closed.

1.10.Audit on the preparedness of DG DEFIS for the management of the European Defence Fund

Based on the results of the follow-up audit, the IAS concluded that the following recommendation was adequately and effectively implemented:

·Recommendation No 1 (very important): validation of small and medium-sized enterprises and mid-cap status ( 34 ).

1.11.Audit on the management and monitoring of compliance with the Commission’s information technology (IT) security framework in DG DIGIT

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 1 (very important): IT security compliance management and reporting practices.

·Recommendation No 3 (important): IT tools for monitoring IT security compliance.

The following recommendation was assessed as not fully and/or adequately implemented:

·Recommendation No 2 (very important): IT security compliance management process.

DG DIGIT created and made available a set of guidance materials clarifying the IT security compliance management process, roles and responsibilities and detailing the priority controls as well as elaborating on potential supporting evidence for the defined controls. DG DIGIT also made progress in integrating the IT security risk management and compliance processes through building a new set of risk management assessment functionalities in the GRC ( 35 ) tool. The finalisation of the integrated risk and compliance assessment was planned for mid-year 2023, with onboarding planned for the second half of 2023. As the parts of the recommendation related to the compliance assessment had been implemented and the remaining part is related to improving performance of the IT security processes, the IAS considered that the risks have been reduced and lowered the risk rating from very important to important.

1.12.Audit on public procurement in DG DIGIT

Based on the results of the follow-up audit, the IAS concluded that the following recommendation was adequately and effectively implemented:

·Recommendation No 6 (important): ex post controls.

1.13.Audit on human resources management in DG ECFIN

Based on the results of the follow-up audit, the IAS concluded that the following recommendation was adequately and effectively implemented:

·Recommendation No 9 (important): flexitime and recuperation rules.

1.14.Limited review on the Recovery and Resilience Facility control and audit strategies in the DG ECFIN

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 2 (important): design of processes and procedures for the assessment of the fulfilment of milestones and targets.

·Recommendation No 3 (very important): measures for prevention, detection and follow up of any serious irregularities, double funding and serious breaches of the financing agreement.

The recommendations listed below were not fully and/or adequately implemented:

·Recommendation No 4 (very important): suspension of payments and reduction of support due to not satisfactorily fulfilled milestones and targets.

In line with the action plan, DG ECFIN adopted a methodology for the suspension of payment and reduction of support in case milestones/targets have not been partially or fully met. The methodology defines the basis for the calculation of the suspended amount (unit value) and indicates the approach for adjusting this amount considering the importance of the reform/investment in the Recovery and Resilience Plan. This methodology will be used in case the Commission becomes aware that the information and justification underlying a payment request is incorrect in the context of ex post controls.

Nevertheless, the procedure and the necessary templates to be used by the staff when applying the above-mentioned methodology are only available as draft documents but have not been finalised yet. DG ECFIN intends to fine tune and finalise these documents once a first case for their use arises.

In view of the above elements, the IAS downgraded this recommendation from very important to important.

·Recommendation No 5 (important): residual responsibility of the Commission.

To ensure that the link to report on potential fraud, corruption, irregularities, misconduct or conflicts of interest related to the implementation of the Recovery and Resilience Facility is easily accessible to the public, DG ECFIN made available the link to European Anti-Fraud Office website via the Recovery and Resilience Facility website.

DG ECFIN prepared a draft guidance document for staff and related templates which defines the procedures to be followed for the reduction, recovery and early repayment in case of fraud, corruption or conflicts of interest that have not been corrected by the Member States.

At the time of the follow-up, the procedure and related templates were still at the draft stage and needed further fine-tuning, including consultation with other Commission central services, and internal approval.

1.15.Audit on the control strategy for humanitarian aid actions in DG ECHO

The following recommendation was not fully and/or adequately implemented:

·Recommendation No 3 (important): ex ante controls on final reports and final payments.

Since the previous follow up at the end of 2021, DG ECHO has made further progress in the implementation of the outstanding actions. In particular:

-DG ECHO included in its financial manual instructions on financial initiations, in particular which staff member should be indicated in ABAC as the one providing ‘certified correct’. In addition, it included a specific check on this in the financial checklists used when reviewing the final reports for the agreements under direct and indirect management modes.

-DG ECHO included in the checklist for the operational verification of the final reports from the United Nations/international organisations a specific check as regards the completeness of the reporting by the entrusted entities on their implementing partners and contractors.

However, some actions have not been fully implemented. In particular, DG ECHO should document the results of the checks done by the financial initiator and verifier properly, including whether or not certain preconditions applied:

-DG ECHO revised the financial manual and included an instruction for the financial initiators and verifier to reflect the most relevant results of the checks in Fichop ( 36 ). This action was assessed by the IAS in November 2021 as insufficient to address the recommendation since the action plan was referring to the results of all checks and especially those that are conditional ( 37 ). No additional modifications to the financial manual or the instructions have been done since then.

-DG ECHO planned to adopt the corporate system eGrants for humanitarian aid grants under direct management as from 2023. The corporate solution is supposed to replace the existing process of review of final reports and final payments as it includes automatic controls, electronic workflow, new checklists and keeps track of all internal communication among the reviewers.

-For humanitarian aid agreements under indirect management, DG ECHO did not undertake actions to fully implement the action plan after the previous IAS follow up in November 2021. DG ECHO continues to use Fichop ( 38 ) for documenting the most relevant results of the checks done on the final reports, and ARES (Commission’s documentation system) where the financial initiator and financial verifier simply declare that all checks are done according to the checklist. However, this checklist has not been used according to DG ECHO procedure; it is used as an aide-memoire instead.

1.16.Audit on the JRC’s support to European Union policy and knowledge management (selection of and delivery on Commission requests)

Based on the results of the follow-up audit, the IAS concluded that the following recommendations were adequately and effectively implemented:

·Recommendation No 1 (very important): policy support - definition of priorities, identification of needs and assessment of the requests.

·Recommendation No 3 (important): monitoring of the JRC’s policy support work.

·Recommendation No 4 (important): organisation of knowledge management units, knowledge centres and competence centres.

1.17.Audit on TRAde Control and Expert System (TRACES) in DG SANTE

Based on the results of the follow-up audit, the IAS concluded that the following recommendation was adequately implemented:

·Recommendation No 2 (important): capacity building.



List of audits for which all recommendations were closed in 2023

Based on the results of the follow-up engagements performed in 2023, the IAS concluded that the audits listed below could be closed as all the recommendations were assessed as implemented.

HORIZONTAL AUDITS

2.19. Audit on programme implementation phase 1 (from work programme to call evaluation and grant preparation) of the Connecting Europe Facility in CINEA, DG ENER and DG MOVE

2.20. Audit on relations with decentralised agencies (EEA and ECHA) in DG ENV and DG CLIMA

2.21. Limited review on the reporting of the Commission’s preventive and corrective measures (‘corrective capacity’) in DG AGRI, DG BUDG, DG EMPL, DG INTPA, DG REGIO, DG RTD and REA

2.22. Audit on the implementation of audit results in Horizon 2020 in DG CNECT, RTD/CIC, CINEA, EISMEA, ERCEA and REA

SINGLE MARKET, INNOVATION AND DIGITAL

2.23. Audit on the management of the European Fund for Strategic Investments Guarantee Fund in DG BUDG and DG ECFIN

2.24. Audit on the processes put in place by DG REFORM for the delivery of technical support to Member States

2.25. Audit on the Horizon 2020 ex post audit strategy in DG RTD

2.26. Limited review on the implementation of the action plans for the reduction of the Horizon 2020 error rate and for simplifications to reduce the Horizon Europe error rate in DG RTD

2.27. Limited review on the Horizon 2020 error rate calculation by the Common Audit Service

2.28. Audit on information technology project management and software development in DG RTD

2.29. Audit on the effectiveness of DG TAXUD cooperation with external stakeholders

2.30. Audit on Horizon 2020 grant management phase III (including scientific management for longer duration projects) in ERCEA

2.31. Audit on Horizon 2020 grant management phase III in REA

2.32. Audit on Single Electronic Data Interchange Area implementation in REA

NATURAL RESOURCES AND ENVIRONMENT

2.33. Audit on the cooperation between EFCA and DG MARE on activities related to Article 30 of the Common Fisheries Policy

2.34. Audit on DG ENER support, monitoring and enforcement of the existing energy ‘acquis’

2.35. Audit on nuclear decommissioning and waste management programme implementation in the JRC

2.36. Audit on efficiency and effectiveness of the Health and Food Audits and Analysis Directorate of DG SANTE

2.37. Audit on the management of food and feed programmes, including emergency measures in DG SANTE

MIGRATION AND BORDER MANAGEMENT

2.38. Audit on governance, stakeholder management and external communication in Frontex comprising where relevant DG HOME

2.39. Audit on DG HOME’s audit activity and clearance of accounts

2.40. Audit on the preparation for the 2021-2027 programming period of DG HOME funds

SECURITY AND DEFENCE

2.41. Audit on the supervision of the implementation of the 2014-2020 programme for the European Geostationary Navigation Overlay Service (EGNOS) in DG DEFIS

2.42. Audit on Common Foreign and Security Policy in FPI

NEIGHBOURHOOD AND THE WORLD

2.43. Audit on the management of investment facilities (financial instruments) in DG INTPA

2.44. Limited review on indirect management with beneficiary countries in DG INTPA

2.45. Audit on the Neighbourhood Investment Facility and the Western Balkans investment framework in DG NEAR

2.46. Audit on the Instrument for Pre-accession Assistance II grants in direct management in DG NEAR

2.47. Audit on the closure process of previous programmes – the Instrument for Pre-accession Assistance I and the European Neighbourhood and Partnership Instrument – in DG NEAR

2.48. Audit on evaluation activities in DG TRADE

EUROPEAN PUBLIC ADMINISTRATION

2.49. Audit on Eurostat’s quality management of statistical processes

2.50. Audit on studies used for policy making in DG MOVE

2.51. Audit on the human resources strategy in OLAF

2.52. Audit on performance management in OLAF

2.53. Audit on the preparedness of OLAF to implement the European Public Prosecutor’s Office Regulation

2.54. Audit on the establishment of statutory rights and calculation of individual entitlements in the PMO

2.55. Audit on human resources management in DG TAXUD

2.56. Audit on human resources management in DG TRADE

INFORMATION TECHNOLOGY

2.57. Audit on the Commission’s strategy for data, information and knowledge management in DG BUDG, DG DIGIT, DG ESTAT, DG HR, JRC and SG

2.58. Audit on information technology governance and project management in DG EAC

2.59. Audit on information technology governance and project management in the JRC

Part 3 - Summary of long overdue recommendations

At the end of the reporting period, 31 January 2023, there were 3 very important long overdue recommendations, overdue by more than six months compared to the original expected completion dates set in the auditees’ initial action plans. In the meantime, one of those has been downgraded from very important to important.

| No. | Entity | Audit title | Recommendation title | Final report date | Original agreed completion date | Revised expected completion date | Expected delay |
| --- | --- | --- | --- | --- | --- | --- | --- |
| I | DG BUDG | Recovery orders and bank guarantees for fines | Dealing with insolvencies and bankruptcies | 20.11.2019 | 30.6.2021 | 6.2.2024 (39) | 2 years and 7 months |

At the cut-off date (31 January 2024), DG BUDG reported that a substantial part of the recommendation (three out of the four sub-recommendations) was already implemented, and consequently, in their opinion, the residual risk was significantly reduced.

However, at the cut-off date, the set-up of a comprehensive and reliable set of tools at Commission level to monitor the financial and legal situation of contractors and beneficiaries had been included in the proposal for a corporate strategy for the management of the accounts receivable prepared by DG BUDG. The ‘Communication to the Commission - An enhanced corporate strategy for the management of the Commission’s debtors’, which was planned to be launched in interservice consultation (ISC) during the first quarter of 2022, had been postponed. The strategy was adopted on 6 February 2024 (C(2024) 588), along with the ‘[amended] Commission Decision on the internal procedure provisions for the recovery of amounts receivable arising from direct management and the recovery of fines, lump sums and penalty payments under the Treaties’ (C(2024) 587 of 6 February 2024).

Consequently, sub-action 2.4 (which is a broader version of 2.3, i.e. covering all contractors and beneficiaries, beyond the overdue debtors already covered) is considered as implemented.

In the meantime, and before the formal adoption of the strategy, intermediate measures were taken (i.e. awareness notes were sent to the eight most affected DGs requesting them to take a decision on the pending recovery orders and waivers, which, according to DG BUDG, they have done).

| No. | Entity | Audit title | Recommendation title | Final report date | Original agreed completion date | Revised expected completion date | Expected delay |
| --- | --- | --- | --- | --- | --- | --- | --- |
| II | DG EAC | Effectiveness of the protection of personal data of beneficiaries of and participants in the Erasmus+ and European Solidarity Corps programmes managed by DG EAC | Transfer of personal data to third countries | 28.1.2021 | 15.12.2021 | 31.3.2024 | 2 years and 3 months |

The IAS recommended that DG EAC should analyse, with the support of the data protection officer (DPO), how compliance of its programmes with the internal data protection regulation (IDPR) concerning international transfers of data can be ensured in the context of the order (40) and the announced guidance of the European Data Protection Supervisor (EDPS). The Director General reported that it analysed with DG JUST, the Legal Service and the DPO different possibilities to ensure compliance of the transfers to third countries with the IDPR. A suitable transfer tool (i.e. adequate and robust safeguard measures that protect the rights and freedoms of the data subjects) has been identified and the EDPS has been consulted formally on this solution. Following a meeting on 8 March 2024 between DG EAC and the EDPS, DG EAC submitted on 11 April 2024 a draft impact assessment to the EDPS. On 8 June 2023, DG EAC officially sent the contractual clauses to the EDPS for its authorisation as mentioned in Article 48(3)(a) (Serbia, North Macedonia and Turkey). The reply of the EDPS was received on 19 January 2024, requesting clarifications on certain aspects of the transfers and data collection, and in particular requesting an update of the transfer impact assessments to include an assessment (and conclusions) on national laws and practices in the third countries in question concerning access to data by public authorities. On 25 March 2024, DG EAC provided clarificatory answers and an updated impact assessment including, for each country, information on the national laws that regulate access of public authorities to personal data. EDPS analysis of this latest contribution is now pending.

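| No. | Entity | Audit title | Recommendation title | Final report date | Original agreed completion date | Revised expected completion date | Expected delay |
| --- | --- | --- | --- | --- | --- | --- | --- |
| III | DG FPI | Performance management in FPI | Performance management framework | 1.10.2020 | 31.12.2021 | 30.6.2024 | 2 years and 6 months |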

DG FPI announced that they fully implemented two of the three sub-recommendations. These two sub-recommendations originally triggered the overall risk high rating. The remaining sub-recommendation (stemming from medium risks at the time of the audit) is pending, awaiting the full implementation of a new IT system, which is under the steer of DG INTPA and DG DIGIT.

(1) Important recommendations are not listed in this Annex.
(2) Each summary reflects the IAS’s assessment of the implementation status of audit recommendations at the end of the follow-up engagement. It does not take into account any further action, with possible impact on the status of the recommendations, that the auditee may have undertaken and reported to the IAS since the release of the IAS follow-up note.
(3) See Kallas methodology sections 3.3.2.2 and 3.3.3.
(4) Repetitive or standard works.
(5) The Dynamic System is a variation of the restricted procedure (new tenderers can be added and participate during its entire period).
(6) IAS recommended to implement this recommendation in close cooperation with DG EMPL and DG MARE.
(7) Post-fieldwork event: The frequency of the Closure Matrix meetings, which are devoted entirely to 2014-2020 closure has already been increased (from 2 to 3 meetings in 2023).
(8) FRONTEX is the European Border and Coast Guard Agency.
(9) Data available on 27 September 2023.
(10) Including the c-Liso function provided by DIGIT.
(11) In particular for RUE-X, SUE, Rtop (digital workplace for remote access to IT systems handling EU classified information), Security Clearance and Authorisation service.
(12) EUR-Lex - 52022PC0119 - EN - EUR-Lex (europa.eu).
(13) ECA presents two categories of risk in its annual report (low and high, using 2% of error rate as threshold) vs. three risk categories (low, medium and high) used by the Commission as reported in its annual management and performance report (AMPR). For the AMPR 2022, the thresholds used by the Commission in previous AMPRs were changed from 1.899% to 1.999% for the low-risk segment and from 1.9% to 2.5% for the medium risk segment. The threshold for the high-risk segment remained unchanged at 2.5%. With the revised thresholds the Commission divides the expenditure into lower- (below 2%), medium- (between 2% and 2.5%) and higher-risk (above 2.5%) segments. This alignment of thresholds to those used by ECA makes it possible to compare Commission and ECA’s segments (i.e. the sum of the medium and high risk segments of the Commission in the AMPR can be compared with the high risk segment of the ECA in its annual report).
(14) Currently, according to the 2022 annual activity report instructions, a separate paragraph should be included to justify and explain the department’s (counter) arguments if there is a major divergence with ECA.
(15) The IAS acknowledged the efforts made in some Directorates-General to reduce disagreements. However, given the still very important impact of those cases on ECA’s overall error rates, a strategic discussion between both EU institutions is needed.
(16) European Parliament decision of 10 May 2023 on discharge in respect of the implementation of the general budget of the European Union for the financial year 2021, Section III – Commission (2022/2081(DEC)), point 62.
(17) Phase 3 deliverables: establishment of an adequate project management team/framework for the implementation of the new contracts.
(18) The logical framework approach or ‘logframe’ summarises the intervention/project logic and sets out how each intervention/project will be monitored (by defining a set of indicators included in a matrix).
(19) 2022 annual activity report of DG AGRI, section 2.1.4.2.
(20) The IT security plan captures information about the information system and the security risk management approach, summarises the results of the risk assessment, and presents the high-level cost and schedule plan for the implementation of the chosen security measures.
(21) Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828.
(22) Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC.
(23) Regulation (EU) 2022/2560 of the European Parliament and of the Council of 14 December 2022 on foreign subsidies distorting the internal market.
(24) For instance, EU-Access for authorisations, EU-Login for identification and authentication, Vault for password storage, HERMES/Ares/NomCom for storage of documents, corporate notification services and multilingualism services to simplify the translation process for application forms.
(25) Such as Compass Corporate.
(26) Maintenance environment. It typically refers to a platform used by testers, engineers and administrators for testing and validating updates, patches or changes before deploying them to the live production system. It should closely resemble the production environment and in some cases it contains a copy of the production data.
(27) Application security testing service: This capability provides vulnerability assessment of web and mobile applications, prior to their deployment in production. The objective is to perform appropriate testing to ensure a reasonable level of security.
(28) Data in motion: Data actively transported between systems over network or communication channel. It is data in route between source and destination.
(29) The IAS audit was performed in 2020 in the former INEA (Innovation and Networks Executive Agency) for which CINEA (European Climate, Infrastructure and Environment Executive Agency) is the legal successor as of 1 April 2021.
(30) 17 out of 44 newcomers in 2021 and 11 out of 41 newcomers in 2022.
(31) v.1.2, 15 January 2023.
(32) Management declaration – May 2022.
(33) One of the columns of the current repository makes it possible to include, amongst others, the information on substantive changes reported by the pillar assessed entities.
(34) In accordance with the European Defence Fund Regulation, ‘small and medium-sized enterprises’ or ‘SMEs’ means small and medium-sized enterprises as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC; ‘middle capitalisation company’ or ‘mid-cap’ means an enterprise that is not a SME and that employs a maximum of 3 000 persons, where the headcount of staff is calculated in accordance with Articles 3 to 6 of the Annex to Recommendation 2003/361/EC.
(35) IT Security Governance, Risk and Compliance.
(36) FichOp (‘fiche opérationnelle’) is a tool for monitoring and management of Humanitarian Aid actions which serves multiple purposes. It captures the main aspects of the operational analysis and follow-up made by Field Experts, Desk Officers, Desk Assistants and Financial Officers on the humanitarian actions all along the action's cycle.
(37) Conditional checks in the checklist for the final payment are those that are performed only if a certain condition is met. For example, ‘if no VAT exemption […]’, ‘if depreciation is claimed […]’. In these cases, the current system for documenting the results of the checks does not provide an audit trail to clearly show whether a particular check was done and no issues were detected, or whether it was considered not applicable and consequently not performed.
(38) The eGrants and eProcurement Steering Board (GPSB) discussed at its meeting in February 2023 the possible solutions for onboarding of the contribution agreements to eGrants for the RELEX family that could be progressively put in place as from 2023 (pilot testing was launched).
(39) ‘Ready for review’.
(40) On 14 October 2020, the EDPS gave all European institutions a formal order to: (a) perform a mapping exercise to provide information concerning processing operations that involve international transfers of data, and (b) report to it any identified risks and gaps, in accordance with the order. The EDPS also asked the European institutions to perform, in a second phase, a case-by-case ‘transfer impact assessment’ to identify the level of protection provided by the third country of destination of the data. To facilitate this assessment, the EDPS will provide in due time specific guidance.