EUROPEAN COMMISSION
Brussels, 21.9.2018
COM(2018) 661 final
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL
Annual report to the Discharge Authority on internal audits carried out in 2017
{SWD(2018) 429 final}
EUR-Lex Access to European Union law
This document is an excerpt from the EUR-Lex website
Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Need more search options? Use the
Advanced search
You are here
Document 52018DC0661
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Annual report to the Discharge Authority on internal audits carried out in 2017
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Annual report to the Discharge Authority on internal audits carried out in 2017
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Annual report to the Discharge Authority on internal audits carried out in 2017
COM/2018/661 final
Language
HTML
DOC
PDF
Contents
1. Introduction
2. The Internal Audit Service Mission: Independence, objectivity and accountability Objectives and scope of the Report
3. Overview of audit work
3.1. Implementation of the 2017 audit plan
3.2. Statistical data on Internal Audit Service recommendations
4. Conclusions based on the audit work performed in 2017
4.1. Conclusions on performance audits
4.1.1. Performance of Commission Directorates-General, Services and Executive Agencies: horizontal processes
4.1.2. Performance in implementing budget operational and administrative appropriations
4.2. Internal Audit Service limited conclusions
4.3. Overall opinion on the Commission's financial management
5. Consultation with the Commission's Financial Irregularities Panel
6. Mitigating measures as regards potential conflict of interests (international standards) – Investigation of the European Ombudsman
7. Conclusions
1.Introduction
This report is to inform the European Parliament and Council of the work carried out by the Commission’s Internal Audit Service (IAS), as required by the Financial Regulation. It is based on the report drawn up by the Commission’s Internal Auditor, regarding Internal Audit Service audit and consulting reports completed in 2017 1 on Commission Directorates-General, Services and Executive Agencies 2 . In line with its legal base it contains a summary of the number and type of internal audits carried out, the recommendations and the action taken on those recommendations.
2.The Internal Audit Service Mission: Independence, objectivity and accountability Objectives and scope of the Report
The mission of the Internal Audit Service is to provide to the Commission independent, objective assurance and consulting services designed to add value and improve the operations of the Commission. The Internal Audit Service helps the Commission accomplish its objectives by bringing a systematic, disciplined approach in order to evaluate and make recommendations for improving the effectiveness of risk management, control and governance processes. Its tasks include assessing and making appropriate recommendations for improving the governance process in its accomplishment of the following objectives: promoting appropriate ethics and values within the organisation, ensuring effective organisational performance management and accountability and effectively communicating risk and control information to appropriate areas of the organisation. Thereby it promotes a culture of efficient and effective management within the Commission and its departments. The Internal Audit Service’s independence is enshrined in the Financial Regulation 3 and its Mission Charter 4 as adopted by the Commission. The Internal Audit Service reports on all of its audits to the Audit Progress Committee. The Audit Progress Committee assists the College of Commissioners by ensuring that the work of the Internal Audit Service and of the European Court of Auditors is properly taken into account by the Commission services and receives appropriate follow-up.
The Internal Audit Service performs its work in accordance with the Financial Regulation and the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics of the Institute of Internal Auditors.
The Internal Audit Service does not audit Member States’ systems of control over the EU funds. Such audits, which reach down to the level of individual beneficiaries, are carried out by Member States’ internal auditors, national Audit Authorities, other individual Commission Directorates-General and the European Court of Auditors. The Internal Audit Service does, however, audit measures taken by the Commission services to supervise and audit bodies in Member States, and other bodies which are responsible for disbursing EU funds, such as the United Nations. As provided for in the Financial Regulation, the Internal Audit Service can carry out these duties on the spot, including in the Member States.
3.Overview of audit work
3.1.Implementation of the 2017 audit plan 5
By the cut-off date of 31 January 2018, the implementation of the updated 2017 audit plan reached 98% 6 of planned engagements for audits in the Commission, Services and Executive Agencies 7 .
148 engagements (including audits, follow-ups, reviews and consulting assignments) were finalised, broken down as follows:
|
2017 |
2016 |
2015 |
||||
|
|
Engagements |
Reports |
Engagements |
Reports |
Engagements |
Reports |
|
Audit |
54 |
58 |
52 |
60 |
38 |
52 8 |
|
Follow-up |
90 |
- |
95 |
- |
96 |
- |
|
(Limited) Review |
2 |
2 |
6 |
6 |
2 |
2 |
|
Management Letter |
0 |
0 |
0 |
1 |
1 |
1 |
|
JSIS Risk Assessment |
0 |
0 |
0 |
0 |
1 |
1 |
|
Consulting |
2 |
2 |
1 |
1 |
1 |
1 |
|
Total |
148 |
62 |
154 |
68 |
139 |
57 |
The 2017 initial plan 9 contained 66 audit engagements (including audits, reviews and consulting engagements but excluding follow-ups) which were planned to be finalised by the cut-off date of 31 January 2018. Furthermore, the plan contained 38 engagements which were planned to start before this cut-off date and to be finalised in 2018. The 2017 plan was updated 10 at mid-year. Both the initial and updated plans were considered by the Audit Progress Committee.
In accordance with its Charter and the International Standards and in order to ensure an efficient and effective implementation of the audit plan, the Internal Audit Service plans its audit work on the basis of a risk assessment and a capacity analysis. The implementation is then regularly monitored and adjustments are made as necessary.
3.2.Statistical data on Internal Audit Service recommendations 11
The number of recommendations issued by the Internal Audit Service (including their acceptance rate) in 2017 was as follows:
|
|
New recommendations |
Fully Accepted |
Partially accepted 12 |
Non-accepted |
|||
|
Priority |
N° |
N° |
% |
N° |
% |
N° |
% |
|
Critical |
1 |
1 |
100 |
0 |
0 |
0 |
0 |
|
Very Important |
71 |
71 |
100 |
0 |
0 |
0 |
0 |
|
Important |
126 |
124 |
98 |
2 |
2 |
0 |
0 |
|
Desirable |
1 |
1 |
100 |
0 |
0 |
0 |
0 |
|
Total |
199 |
197 |
99 |
2 |
1 |
0 |
0 |
For all accepted or partially accepted recommendations, the auditees drafted action plans, which were submitted to and assessed as satisfactory by the Internal Audit Service
In its Annual Internal Audit Report for 2017 communicated to the Commission in May 2018, the Internal Auditor reported that, at the time (based on a cut-off date of 31 January 2018), two action plans were still outstanding 13 . Since the issuance of that report, both action plans have been submitted to and assessed as satisfactory by the Internal Audit Service and eight recommendations (all related to the audit on Commission's governance/oversight arrangements concerning risk management, financial reporting and the ex-post verification/audit function) have been fully accepted by the auditees.
The implementation of the accepted recommendations made during the period 2013-2017, as assessed by auditees 14 , as at 31 January 2018 was as follows:
|
Implemented |
In progress (by number of months overdue compared to the cut-off date of 31 January 2018) |
|||||||||
|
Year |
Priority |
Total |
No. |
% |
No. |
% |
No delay |
0 - 6 |
6 - 12 |
12+ |
|
2013 |
Critical |
0 |
0 |
0% |
0 |
0% |
0 |
0 |
0 |
0 |
|
Very Important |
45 |
44 |
98% |
1 |
2% |
0 |
0 |
0 |
1 |
|
|
Important |
75 |
72 |
96% |
3 |
4% |
0 |
0 |
0 |
3 |
|
|
Desirable |
7 |
7 |
100% |
0 |
0% |
0 |
0 |
0 |
0 |
|
|
2013 Total |
127 |
123 |
97% |
4 |
3% |
0 |
0 |
0 |
4 |
|
|
2014 |
Critical |
0 |
0 |
0% |
0 |
0% |
0 |
0 |
0 |
0 |
|
Very Important |
36 |
36 |
100% |
0 |
0% |
0 |
0 |
0 |
0 |
|
|
Important |
78 |
70 |
90% |
8 |
10% |
1 |
0 |
0 |
7 |
|
|
Desirable |
11 |
11 |
100% |
0 |
0% |
0 |
0 |
0 |
0 |
|
|
2014 Total |
125 |
117 |
94% |
8 |
6% |
1 |
0 |
0 |
7 |
|
|
IACs recs taken over |
Critical |
0 |
0 |
0% |
0 |
0% |
0 |
0 |
0 |
0 |
|
Very Important |
253 |
252 |
100% |
1 |
0% |
0 |
0 |
0 |
1 |
|
|
Important |
591 |
578 |
98% |
13 |
2% |
0 |
0 |
0 |
13 |
|
|
Desirable |
63 |
63 |
100% |
0 |
0% |
0 |
0 |
0 |
0 |
|
|
IACs Total |
907 |
893 |
98% |
14 |
2% |
0 |
0 |
0 |
14 |
|
|
2015 |
Critical |
1 |
1 |
100% |
0 |
0% |
0 |
0 |
0 |
0 |
|
Very Important |
65 |
54 |
83% |
11 |
17% |
3 |
2 |
3 |
3 |
|
|
Important |
131 |
116 |
89% |
15 |
11% |
2 |
0 |
2 |
11 |
|
|
Desirable |
20 |
20 |
100% |
0 |
0% |
0 |
0 |
0 |
0 |
|
|
2015 Total |
217 |
191 |
88% |
26 |
12% |
5 |
2 |
5 |
14 |
|
|
2016 |
Critical |
0 |
0 |
0% |
0 |
0% |
0 |
0 |
0 |
0 |
|
Very Important |
115 |
65 |
57% |
50 |
43% |
32 |
15 |
3 |
0 |
|
|
Important |
142 |
76 |
54% |
66 |
46% |
21 |
25 |
16 |
4 |
|
|
Desirable |
3 |
3 |
100% |
0 |
0% |
0 |
0 |
0 |
0 |
|
|
2016 Total |
260 |
144 |
55% |
116 |
45% |
53 |
40 |
19 |
4 |
|
|
2017 |
Critical |
1 |
0 |
0% |
1 |
100% |
1 |
0 |
0 |
0 |
|
Very Important |
71 |
1 |
1% |
70 |
99% |
63 |
6 |
1 |
0 |
|
|
Important |
126 |
7 |
6% |
119 |
94% |
114 |
5 |
0 |
0 |
|
|
Desirable |
1 |
0 |
0% |
1 |
100% |
1 |
0 |
0 |
0 |
|
|
2017 Total |
199 |
8 |
4% |
191 |
96% |
179 |
11 |
1 |
0 |
|
|
TOTAL 2013-2017 |
1835 |
1476 |
80% |
359 |
20% |
238 |
53 |
25 |
43 |
|
|
Thereof Critical or Very Important |
587 |
453 |
77% |
134 |
23% |
99 |
23 |
7 |
5 |
|
Overall, 1 476 or 80% of the total number of accepted recommendations made over the period 2013-2017 were considered by the auditees as implemented, leaving a total of 359 recommendations (or 20%) still in progress. Of these 359 recommendations in progress, one was rated critical 15 , and 133 recommendations were rated very important (23% of the total number of accepted critical and very important recommendations).
Of the 359 recommendations in progress, 121 were overdue, representing 6.6% of the total number of accepted recommendations, of which 12 very important recommendations were long overdue (for more than 6 months compared to the original due date). These represented only 0.7% of the total number of accepted recommendations in the period 2013-2017.
The total number of recommendations issued during the period 2013-2017 for which a follow-up audit had been conducted amounts to 1 361 compared to 1 476 reported as 'ready for review' by the auditees.
Of the total number of recommendations followed up during that period, 1 296 (95%) had been closed by the Internal Audit Service. This means that on average, the Internal Audit Service assessed that 5% of recommendations could not be considered as effectively implemented, and therefore not closed following the completion of the follow-up audit.
Overall, the Internal Audit Service considers that the state of play regarding the implementation of audit recommendations is satisfactory and comparable to previous reporting periods. It indicates that the Commission services are diligent in implementing the very important recommendations, hence mitigating the risks identified. Nevertheless, attention has to be paid to the individual recommendations rated very important which are long overdue, i.e. more than six months. A dedicated report was established and sent to the Audit Progress Committee 16 , a summary of which is provided in the Staff Working Document to this report.
4.Conclusions based on the audit work performed in 2017
4.1.Conclusions on performance audits
In response to the Commission’s move towards a performance-based culture and greater focus on value for money, the Internal Audit Service continued to carry out performance audits 17 and audits which include important performance elements (comprehensive audits) in 2017 as part of its 2016-2018 strategic audit plan.
In line with its methodology and best practice, the Internal Audit Service approached performance in an indirect way, i.e. whether and how management have set up control systems intended to assess and provide assurance on the performance (efficiency and effectiveness) of its activities. Through this approach, the Internal Audit Service aims at ensuring that, in the first instance, Directorates-General and Services have established adequate performance frameworks and performance measurement tools, key indicators and monitoring systems. This results in part from the fact that a large number of legal bases set out objectives that are of a wider scope than what the Commission can achieve on its own. This means that SMART (Specific, Measurable, Achievable, Relevant, Time-Bound) objectives and benchmarks have first to be established at Commission level, in order to dissociate, to the extent possible, the Commission's specific contribution from those of other major key players who contribute to the implementation and achievement of EU funds' objectives (Member States, Regions, Third Countries, International Organisations, etc.).
The following sections set out the conclusions of the Internal Audit Service on the various performance aspects of its audits carried out in 2017.
4.1.1.Performance of Commission Directorates-General, Services and Executive Agencies: horizontal processes
4.1.1.1. Governance processes
In October 2016, the European Court of Auditors issued its special report N°27/2016 on 'Governance at the European Commission – best practice?'. The Court recommended, inter alia, that the Commission invite the Internal Auditor to carry out more audit work on high level governance issues 18 . In response, the College adopted on 11 January 2017 a decision (ref. C(2017) 4 Final) requesting the Internal Auditor to undertake an audit on the Commission’s governance arrangements concerning risk management, financial reporting, and the ex-post verification/audit function. The Internal Audit Service performed this audit in 2017 in addition to several audits already planned on (high level) governance processes in other areas in the Commission. The results of these audits demonstrate that very important weaknesses exist in various governance arrangements at both corporate and operational levels. Given the current challenging nature of the EU context, including the need to improve the trust and confidence of the citizens in EU policies and Institutions, the Internal Audit Service concluded that the Commission should seize the opportunity to further improve its governance arrangements and consequently its ability to achieve its objectives.
Following the administrative reform of 2000, the Commission made significant advances in strengthening its accountability, responsibility and assurance-building processes. The decentralised model of financial management is well understood and embedded in the culture of the organisation, and clear accountability instruments are in place together with a robust assurance building process. Furthermore, in October 2017 the Commission adopted a Communication on governance in the European Commission. Nevertheless, at corporate level, the Internal Audit Service identified the need for proportionate improvements of the current governance and oversight arrangements, in particular as regards risk management and more general aspects of the governance set-up.
Furthermore, in the area of corporate IT governance, significant progress has been made since 2015 when new IT governance structures were put in place. Nevertheless, despite these developments, significant weaknesses which require a proportionate but necessary response to reinforce and further strengthen governance in this area were identified. The recommended improvements aim to complement and reinforce existing Commission structures by further empowering the IT Board, defining a clear overall corporate IT strategy and improving the corporate oversight of the IT investments portfolio across the Commission.
The Directorate-General for Human Resources and Security, the Paymaster Office (PMO) and the European Personnel Selection Office (EPSO) own a range of corporate information systems which are vital for the daily functioning of the Commission as well as some other European Institutions, EU Executive and Decentralised Agencies and other EU bodies. In this area, significant weaknesses were identified in the governance and project management arrangements in place for these systems. Key improvements are needed to ensure the strategic alignment both within the Human Resources family and with the Directorate-General for Informatics, as the primary IT system and service provider, and thereby optimise the value obtained from IT investments.
Governance deficiencies are also a root cause for significant weaknesses identified in the production process and the quality of statistics not produced by Eurostat. The Internal Audit Service acknowledges that within the limits of the current framework and of the respective responsibilities of the actors involved, some steps have already been taken both at corporate (Eurostat) and at operational (Directorate-General/Service) level to coordinate and manage the production process of statistics by Directorates-General/Services, in order to improve their quality. Moreover, the operational Directorates-General have in place, with various degrees of formalisation and complexity, processes and activities to ensure that their statistical needs are met either by external providers or by processing internally data already available. However, the framework currently in place within the Commission is not robust enough to ensure that the quality of the statistics not produced by Eurostat is of a satisfactory standard level overall and that the various processes currently used are sustainable in the longer term.
4.1.1.2. Human Resources management processes
In the Human Resources area, the Internal Audit Service assessed for several Directorates-General and Executive Agencies if they have designed and implemented adequate Human Resources strategies to deal with challenges resulting from new priorities, changes in staffing levels and reorganisations. In general, the audits concluded that the Directorates-General and Executive Agencies have taken adequate measures to manage the human resources challenges to which they are confronted. Nevertheless, weaknesses were identified in strategic Human Resources management in the Directorate-General for Migration and Home Affairs and the Education, Audiovisual and Culture Executive Agency, in the allocation of human resources in the Directorate-General for Migration and Home Affairs and the Directorate-General for Justice and Consumers and in the organisational structure and the selection process of contractual agents in the Education, Audiovisual and Culture Executive Agency.
4.1.1.3. IT management processes
Several IT audits concluded that there is room for improving the effectiveness of IT security in the Commission. Cybersecurity, or IT Security, is critical to ensure that within an organisation information is protected against disclosure to unauthorised users (confidentiality), improper modification (integrity) and non-access when required (availability).
In the audit on IT security in the Directorate-General for Informatics, the Internal Audit Service concluded that although the preventive controls are adequately designed and effective, the level of maturity varies between the different technologies analysed. In addition, there are significant weaknesses as regards integrity controls, which are less systematic and effective in practice.
At operational level, the Directorate-General for Energy manages several IT systems supporting nuclear accountancy and inspection processes that handle classified information under the European Atomic Energy Community (EURATOM) safeguards and for which significant issues need to be addressed. In particular, the current security arrangements derive mainly from an assessment made some sixteen years ago, which has not been updated. In addition, organisational weaknesses were noted in the IT security governance arrangements, IT security plans and controls over the secure network.
The European Anti-Fraud Office (OLAF) handles a large amount of sensitive information in its IT systems, with particular requirements regarding confidentiality and integrity. The Internal Audit Service acknowledges that the European Anti-Fraud Office applies a number of good practices to reduce the inherent security risks to which it is exposed. However, the Internal Audit Service identified a number of weaknesses which led it to conclude that the controls in place do not provide sufficient assurance that IT security risks are adequately mitigated. In particular, the Content Management system, which is the key system used by the European Anti-Fraud Office for its day-to-day case handling and more generally the IT security governance structure, needs to be significantly improved.
4.1.1.4. Other processes
Other Internal Audit Service audits in various areas showed that further actions are necessary to increase the overall performance of the audited processes.
Authorising Officers by Delegation (AODs) need to consider the cost effectiveness of controls when setting up the internal control systems in their Directorates-General and need to report on the cost-effectiveness of controls in their Annual Activity Reports while the Commission needs to estimate the costs and benefits of control systems when revising or presenting new spending proposals. The multi- Directorate-General audit on the Commission’s framework/arrangements for the estimation, assessment and reporting on the cost-effectiveness of controls revealed significant weaknesses in the current corporate framework, which considerably reduce the usefulness of the reported results on costs and benefits of controls for both Commission management and external stakeholders. There are key elements of the framework which need to be substantively improved in order to make the process more useful and relevant.
The management of agricultural markets, including market crises, is one of the core responsibilities of the Directorate-General for Agriculture and Rural Development, derived from the common agricultural policy objectives. The Directorate-General has put in place adequate processes, which have enabled it to react to market crisis situations in a timely manner. However, a significant weakness exists with regard to the extent to which the Directorate-General for Agriculture and Rural Development draws lessons from such situations in terms of risk management and the follow-up of the crisis measures.
In the area of food safety crisis preparedness, the Internal Audit Service found that the Directorate-General for Health and Food Safety had not updated the 'general plan’ for food crisis and the related procedures and arrangements on a regular basis, had not tested this plan with the majority of the main stakeholders responsible for crisis management at Member State and Commission level and had no concrete plans in place for exercising the plan. Furthermore, the audit revealed deficiencies in communication. This poses efficiency and effectiveness risks in terms of crisis preparedness.
European Union competition policy aims to ensure that competition in the free internal market is not distorted by preventing or correcting anti-competitive behaviours in the domains of antitrust, mergers and state aid. In a system where both the European Commission and the Member States have competences in the enforcement of EU antitrust policy, coordination between them is key for the overall effectiveness of the policy. Significant weaknesses exist in terms of cooperation with the national courts due to the limited flow of information coming from them. The Commission has not received complete information from some Member States on the content of the national judgments related to the enforcement of EU antitrust law, as required by Regulation 1/2003. This situation prevents the Commission from submitting observations where one of the parties lodges an appeal against the judgement and identifying and assessing weaknesses or divergences on the enforcement of EU competition law.
Amongst all the Commission services, the Directorate-General for the Environment manages one of the highest levels of complaints and infringements cases. Over the last ten years, the Directorate-General has made significant efforts aimed at improving the enforcement of very complex EU environmental law. However, despite the efforts to improve the treatment of the large number of complaints and infringements, it continues to experience considerable difficulties in meeting the Commission targets for dealing with them. Moreover, the current pressure on the staff of the Directorate-General involved in these processes, is likely to further intensify in the light of the new provisions detailed in the Commission’s communication “EU law: better results through better application”. As a result, although the Directorate-General for the Environment has put in place adequate processes to ensure the effective enforcement of environmental law, there remain a number of significant weaknesses that need to be addressed notably on the efficiency and effectiveness of complaints handling and the enforcement of EU environmental law.
Scientific projects belong to the core activities of the Joint Research Centre and are key for delivering quality scientific results to support EU policies with independent evidence throughout the whole policy cycle. Although the management and control systems put in place by the Joint Research Centre for its scientific project management activities are adequately designed, there is a significant weakness in its implementation regarding the monitoring of the execution of scientific projects and work packages.
In the audit on ethics in the European Anti-Fraud Office, the Internal Audit Service concluded that the European Anti-Fraud Office has set-up and implemented an ethics framework based on clear procedures adapted to the Directorates-General specific environment and nature of its work. Internal controls in place ensure that staff comply to a high extent with ethics rules and obligations, in particular in terms of independence, integrity, impartiality, discretion and objectivity. However, the European Anti-Fraud Office staff awareness on how to deal with social media and interest representatives needs to be significantly improved.
Furthermore, the Internal Audit Service assessed the charge-back process within Directorate-General for Human Resources and Security for the services provided to its clients and found that the Directorate-General has already taken a number of steps to adapt and improve this process to bring it in line with corporate guidelines. This primarily included the revision of its costing methodology and the harmonisation of the service level agreements concluded with the Decentralised Agencies, which represent the majority of its external clients. Nevertheless, a significant weakness in the draft costing model was still present at the time of the fieldwork, and key areas need to be strengthened in order to fully comply with corporate requirements and fundamental principles.
4.1.2.Performance in implementing budget operational and administrative appropriations
4.1.2.1. Direct management
In the area of directly managed funds, several audits assessed programme and project management processes and no significant performance weaknesses were identified in this area.
4.1.2.2. Indirect management
In the area of indirectly managed funds, several audits focused on the supervision arrangements in place in the Directorates-General and Services.
An audit on the supervision of Shift2Rail (S2R) by the Internal Audit Service revealed a significant performance issue as the Directorate-General for Mobility and Transport has not established a formalised, consolidated, risk based supervision strategy for Shift2Rail which sets out the Directorates-General supervision objectives and how the different supervision tools contribute to building assurance on achievement of policy objectives. There is no formal allocation of tasks between the Directorate-General for Mobility and Transport operational and financial units in charge of the supervision of the Shift2Rail, with the exception of the preparation of the joint undertaking's Governing Board meetings. Moreover, the Directorate-General for Mobility and Transport has not carried out a formal mapping exercise of the Shift2Rail-related tasks and corresponding estimation of the resources needed.
In the audit on the management of investment facilities in the Directorate-General for International Cooperation and Development, the Internal Audit Service found that the Directorate does not systematically monitor the international financial institution’s (IFIs) operational performance and the key aspects of the blending operations it has to report on annually to the European Parliament and the Council. Moreover, the reports submitted by the IFIs at the level of the EU Delegations are of a varying quality. Hence, the EU Delegations do not always have relevant information to supervise appropriately the operational and financial aspects of the projects.
4.1.2.3. Shared management
In the area of shared management, several audits assessed programme and project management processes. They revealed several significant performance weaknesses some of which may endanger the achievement of the policy objectives.
The Operational Programme (OP) amendment process is a mechanism with which Member States can re-orient the delivery mechanisms for implementing Operational Programmes, and for which the responsible Directorates-General need to carry out a thorough analysis prior to the adoption of the amendment by Commission Decision. Although the audited process is overall working well and the Directorate-General for Regional and Urban Policy, the Directorate-General for Employment, Social Affairs and Inclusion, and the Directorate-General for Maritime Affairs and Fisheries have made considerable efforts to ensure a coordinated approach in each Directorate-General and across the Directorates-General, there is a significant weakness concerning the consistency, effectiveness and timeliness of the Operational Programmes amendments.
Various instruments are used for funding youth employment initiatives, which are managed by the Directorate-General for Employment, Social Affairs and Inclusion. Significant weaknesses were found in the mechanisms to ensure consistency between the preparation of new youth employment policy initiatives, the implementation of funding and the mechanism to reallocate funds to new or urgent policy priorities, where necessary.
The Fund for European Aid to the most Deprived (FEAD) is implemented through various Operational Programmes managed by the Directorate-General for Employment, Social Affairs and Inclusion. The key weakness identified relates to performance measurement and reporting. The Fund for European Aid to the most Deprived regulatory framework lacks elements of a performance measurement framework, such as milestones and targets for common indicators or specific objectives. Indicators and data reported for the Fund for European Aid to the most Deprived have inherent limitations which makes them less useful for reporting on the overall performance of the fund. Moreover, the legal basis lacks mechanisms to monitor the uptake of accompanying measures and information on implementation on the ground is not received on a regular basis to facilitate the effective monitoring of the programme.
Finally, the audit of major projects in Directorate-General for Regional and Urban Policy revealed significant weaknesses in the process for the approval and early monitoring of major projects supported by the European Regional Development Fund and the Cohesion Fund.
4.2.Internal Audit Service limited conclusions on the state of internal control of each DG
The Internal Audit Service issued limited conclusions on the state of internal control to every Directorate-General and Service in February 2018. These conclusions contribute to the 2017 Annual Activity Reports of the Directorates-General and Services concerned. They draw on the audit work carried out in the last three years and cover all open recommendations issued by the Internal Audit Service and former Internal Audit Capabilities (insofar as the Internal Audit Service has taken them over). The Internal Audit Service conclusion on the state of internal control is limited to the management and control systems which were subject to an audit and does not cover those systems which had not been audited by the Internal Audit Service in the past three years.
Particular attention, which led to reservations in the annual activity report of the Directorate-General concerned, was drawn in the limited conclusions of:
·The Directorate-General for Climate Action: with regard to the delay observed in the implementation of one very important IT security related recommendation (on the management of the security of the EU Emmissions Trading IT system), which exposes the Directorate-General to the risk of security breaches;
·The Directorate-General for International Cooperation and Development: with regard to the delay observed in the implementation of one very important recommendation issued in the context of the audit on the management of the African Peace Facility;
·The Education, Audiovisual and Culture Executive Agency: with regard to one critical and a number of very important recommendations issued in the context of the audit on Erasmus+ and Creative Europe – grant management phase 1.
In addition, the Internal Audit Service drew particular attention to the Structural Reform Support Service to the public procurement issues identified in an audit on financial management in the Structural Reform Support Service and indicated that the service should duly assess if these require a reservation in the Annual Activity Report. On the basis of the existing corporate guidelines, the service concluded that there was no basis for a financial reservation and no need for a reservation in the Annual Activity Report on reputational grounds as the reputational risks identified did not materialise. The Internal Audit Service agrees with this assessment.
4.3.Overall opinion on the Commission's financial management
As required by its Mission Charter, the Internal Audit Service issues an annual Overall Opinion on the Commission's financial management. It is based on the audit work in the area of financial management in the Commission carried out by the Internal Audit Service during the previous three years (2015-2017). It also takes into account information from other sources, namely the reports from the European Court of Auditors. The Overall Opinion is issued in parallel to this report and covers the same financial year.
As in the previous editions, the 2017 Overall Opinion is qualified with regard to the reservations made in the Authorising Officers' by Delegation Declarations of Assurance. In arriving at this opinion, the Internal Audit Service considered the combined impact of the amounts estimated to be at risk as disclosed in the annual activity reports and the corrective capacity as evidenced by financial corrections and recoveries of the past as well as by estimates of future corrections and amounts at risk at closure. Given the magnitude of financial corrections and recoveries of the past and assuming that corrections in future years will be made at a comparable level, the EU Budget is adequately protected as a whole (not necessarily individual policy areas) and over time (sometimes several years later).
Without further qualifying the Overall Opinion, the Internal Audit Service emphasised the following matter:
Supervision strategies regarding third parties implementing policies and programmes
Although it remains fully responsible for ensuring the legality and regularity of expenditure and sound financial management (and also the achievement of policy objectives), the Commission is increasingly relying on third parties to implement its programmes. This is mostly done by delegating the implementation of the Commissions’ operational budget (under indirect management mode) or certain tasks to third countries, international organisations or international financial institutions, national authorities and agencies, Joint Undertakings, non-EU bodies and EU Decentralised Agencies. Moreover, in some policy areas, greater use is progressively made of financial instruments under the current 2014-2020 Multi-annual Financial Framework. Such instruments and alternative funding mechanisms entail specific challenges and risks for the Commission, as also highlighted by the European Court of Auditors.
To fulfil their overall responsibilities, the operational Directorates-General have to oversee the implementation of the programmes and policies and provide guidance and assistance where needed. The Directorates-General therefore have to define and implement adequate, effective and efficient supervision/monitoring/reporting activities to ensure that the delegated entities and other partners effectively implement the programmes, adequately protect the financial interests of the EU, comply with the delegation agreements, when applicable, and that any potential issue is addressed as soon as possible.
The Internal Audit Service recommended in a number of audits that certain Directorates-General control and supervisory strategies should set out more clearly their priorities and needs as regards obtaining assurance on sound financial management in those EU and non-EU bodies. In particular, the control strategies did not sufficiently take into account the different risks involved in entrusting tasks to the delegated entities and independent sources were not effectively used to build up the assurance. These Directorates-General should undertake more effective and efficient supervisory activities.
Furthermore, the objectives of the supervisory/monitoring/reporting activities and how to assess their effectiveness were not sufficiently clear and controls on these activities were limited in practice.
The Internal Audit Service notes the initiatives undertaken by the central services as well as the action plans developed following the Internal Audit Service recommendations by the partner Directorates-General to mitigate the risks related to the relations with their decentralised agencies and implementing bodies on among other things, monitoring programming, performance and budgetary issues.
5.Consultation with the Commission's Financial Irregularities Panel
No systemic problems were reported in 2017 by the financial irregularities panel under Article 73(6) 19 of the Financial Regulation.
6.Mitigating measures as regards potential conflict of interests (international standards) – Investigation of the European Ombudsman
The current Director-General of the Internal Audit Service, Internal Auditor of the Commission, Mr Manfred Kraff, took office on 1 March 2017. Mr Kraff was previously Deputy Director-General (DDG) and Accounting Officer of the Commission in the Commission’s Directorate-General Budget.
In line with Institute of Internal Auditors’ standards 20 , on 7 March 2017, following his appointment as Director-General and Internal Auditor, Mr Kraff issued instructions on the arrangements to be put in place in order to mitigate and/or avoid any potential or only perceived conflict of interest as regards Internal Audit Service audit work in relation to his former responsibilities. These arrangements foresaw that Mr Kraff would not be involved in the supervision of audit work relating to operations that he was responsible for before joining the Internal Audit Service. The supervision of the audit work related to such cases ultimately fell under the responsibility of Mr Jeff Mason, former Internal Audit Service Acting Director-General (September 2016-February 2017) and current Director in the Internal Audit Service (IAS.B, Audit in Commission and Executive Agencies I). The arrangements also provided that the Audit Progress Committee would be informed of these instructions and of their implementation and that Mr Mason would refer to the Audit Progress Committee as regards the assessment of any situation that may be interpreted as impairing Mr Kraff's independence or objectivity. In those cases, Mr Kraff would refrain from any supervision of the related audit work.
The arrangements in place were discussed with the Audit Progress Committee at its meetings of 6 April 2017 (preparatory group) and 3 May 2017. The Committee took stock of the actual implementation in 2017 of these arrangements at its meetings of 31 January 2018 (preparatory group) and 7 March 2018. The Audit Progress Committee concluded that it considered that the measures defined by the Internal Audit Service adequately address the risk of conflict of interest in line with the international standards and best practice and noted with satisfaction that arrangements to ensure organisational independence have been implemented in practice in the relevant audits.
The European Ombudsman sent a letter to the European Commission on 4 December 2017 informing that, following a complaint from a citizen, an inquiry would be opened in order to assess the appropriateness of the measures taken by the Commission to prevent any conflict of interest or a perception thereof as regards the appointment of the new Director-General of the Internal Audit Service (ref. 1324/2017/LM). Following the European Ombudsman’s request for a meeting, an inspection meeting between the Commission and European Ombudsman's services took place on 8 February 2018. On that occasion, the Internal Audit Service and the Commission's central services replied to the questions raised by and presented the relevant elements to the Ombudsman team, and provided the relevant supporting documents, as per the Ombudsman’s request. The Ombudsman informed the Commission on 26 April 2018 that a copy of the report of the inspection meeting of 8 February 2018 was sent to the complainant for possible comments and that after receiving the complainant’s comments, the Ombudsman would decide on the appropriate next steps in the inquiry.
7.Conclusions
The implementation of action plans drawn up in response to Internal Audit Service audits this year and in the past contributes to the steady improvement of the Commission’s internal control framework.
The Internal Audit Service will conduct follow-up audits on the execution of action plans that will be examined by the Audit Progress Committee, which will inform the College as appropriate.
The Internal Audit Service will continue to focus on financial, compliance, IT and performance audits.
- (1) The audit reports finalised in the period 1 February 2017 - 31 January 2018 are included in this report.
- (2) The Report does not cover the decentralised European Agencies, the European External Action Service, or other bodies audited by the Internal Audit Service, which receive separate annual reports.
- (3) Article 100 of the Financial Regulation.
- (4) ref. C(2017) 4435 final of 30 June 2017, Communication to the Commission, Mission Charter of the Internal Audit Service of the European Commission.
- (5) See also the Internal Audit Service’s 2017 Annual Activity Report.
- (6) All engagements (audits, consulting and follow-ups) were completed, except for one management letter. The issuance of the management letter summarising the results of various audits on Human Resources in the Commission was postponed to 2018.
- (7) The Staff Working Document (SWD) provides an overview of all completed audit and follow-up audit engagements.
- (8) Some audits, in particular multi-Directorate-General audits, may give rise to more than one audit report.
- (9) Issued on 16 February 2017.
- (10) Issued on 28 July 2017. It describes the changes to the plan, resulting from a decrease in capacity and a reassessment of the Directorates-General/Services risk exposure.
- (11) A comprehensive overview on the Internal Audit Service recommendations is provided in the report addressed to the Audit Progress Committee dated 27 March 2018.
- (12) Two recommendations were partially accepted in 2017:As a rule, the Internal Audit Service proposes audits in which recommendations are (partially) rejected to the Audit Progress Committee for discussion. This may result in Directorates-General re-considering their position.
- (13) The two action plans related to the audits on:
-
(14)
This table shows the rating of the recommendations at the cut-off date. This may differ from the rating in the original report if actions subsequently taken by the auditee are deemed sufficient by the Internal Audit Service to partly mitigate the risks identified and therefore to a downgrading of the recommendation.
- (15) Following an Internal Audit Service follow-up engagement performed in March 2018, the rating of this critical recommendation has been downgraded to ‘very important’.
- (16) A comprehensive overview on the Internal Audit Service recommendations is provided in the report addressed to the Audit Progress Committee dated 27 March 2018.
- (17) In total, the Internal Audit Service carried out 47 performance and comprehensive audits. For more details see the Staff Working Document.
- (18) Good governance is about having proper processes/structures in place to inform, manage and monitor the activities of the organisation towards the achievement of its objectives. Oversight is about ensuring that these processes/structures are effectively supervised independently from operational management.
- (19) Art. 117, RAP stipulates: "That annual report shall also mention any systemic problems detected by the specialised panel set up pursuant to Article 73(6) of the Financial Regulation .
- (20) The international audit standards, to which the Financial Regulation expressly refer to in Article 98 ("Appointment of the Internal Auditor"), state that: "If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment." (IIA-IPPF standard 1130). Moreover, the standards state that: "internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year" (IIA-IPPF standard 1130.A1).