52012DC0563

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

Annual Report to the Discharge Authority on internal audits carried out in 2011 (Article 86(4) of the Financial Regulation)

TABLE OF CONTENTS

1........... Introduction.................................................................................................................... 4

2........... The IAS’s Mission.......................................................................................................... 4

3........... Implementation of the IAS coordinated audit plan............................................................ 5

3.1........ Audit statistics................................................................................................................ 5

3.2........ Main findings and recommendations, their impact and subsequent management action....... 6

3.2.1..... Governance.................................................................................................................... 7

3.2.2..... Performance audits......................................................................................................... 8

3.2.3..... Control strategies............................................................................................................ 9

3.2.4..... The Global Navigation Satellite Systems (GNSS) programmes...................................... 10

3.2.5..... Financial management processes................................................................................... 11

3.2.6..... Information Technologies.............................................................................................. 11

4........... Consultation with the Commission’s Financial Irregularities Panel................................... 12

5........... Conclusions.................................................................................................................. 12

5.1........ Performance audits....................................................................................................... 12

5.2........ Commission departments’ control strategies.................................................................. 12

5.3........ Commission’s management of major industrial programmes........................................... 13

5.4........ Commission’s financial management processes.............................................................. 13

5.5........ Commission’s IT governance........................................................................................ 13

1.           Introduction

This report is to the Discharge Authority on the work carried out by the Commission’s Internal Audit Service (IAS), in accordance with Article 86(4) of the Financial Regulation (FR). It is based on the IAS report under Article 86(3) of the FR on key audit findings and on significant risk exposure and control and corporate governance issues.

It is based on the audit and consulting work done by the IAS in 2011[1] in Commission Directorates-General and executive agencies. It does not report on audit work in decentralised European Agencies, the European External Action Service, or other agencies or bodies audited by the IAS, for which separate annual reports are drawn up.

The Commission’s reactions to the findings and conclusions of the Internal Auditor were covered in the synthesis report[2], in which the Commission states its views on the cross-cutting issues raised by the IAS, the European Court of Auditors (ECA) and the Discharge Authority, and those identified by the Audit Progress Committee (APC).

In 2011 the IAS celebrated its tenth anniversary. The annual conference was an occasion to recall the achievements of the Commission’s administrative reform efforts, of which the creation of the IAS and of the departmental IACs was a determining component. One of its conclusions was that the Commission’s internal audit community[3] is not only one of the largest public internal audit functions, but has also acquired one of the highest degrees of maturity.

According to the IAS stakeholder survey results, 87 % of participants are confident that the service delivers and communicates a strong vision in terms of governance and internal control; 87 % are also convinced that the recommendations issued by the IAS lead to better risk control in the Commission and the Executive Agencies.

2.           The IAS’s Mission

The IAS audits management and control systems within the Commission and the EU agencies and provides independent and objective assurance on their adequacy and effectiveness. At the request of management, it can also take on consulting work.

The IAS is under the authority of the Member of the Commission responsible for Audit and is accountable to the APC. Its independence is guaranteed in its Mission Charter, adopted by the Commission.

The mission charter stipulates that the IAS carries out its duties in accordance with the Financial Regulation and the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics of the Institute of Internal Auditors (IIA).

Overall opinion on the Commission’s financial management

As required by its charter, the IAS issued, in 2011, an overall opinion on the state of financial management in the Commission in the previous year. It is a positive assurance statement. It is based on the work carried out by the IAS and IACs during the previous three-year period and provides reassurance to the Commission (the ‘College’) that the statements of assurance issued by the Directors-General are, seen as a whole, soundly based, and that there are no significant weaknesses other than those mentioned in the report made by the IAS under Article 86(3) of the FR.

IAS contribution to a more positive Statement of Assurance (‘DAS’)

The DAS represents the opinion of the European Court of Auditors (ECA) on the reliability of the EU accounts and on the legality and regularity of the underlying transactions. Although the accounts were found to be reliable in recent years, the ECA has issued an adverse opinion for some fields of activity. Most errors occur outside the Commission and are found in particular in the structural funds, which have shared management, and in rural development (shared management), research (direct management) and external aid (decentralised management). Serious breaches of EU and national procurement rules accounted for much of the error found in the ‘Cohesion’ area.

The IAS audit plan has therefore prioritised audits to ensure that a consistent control strategy is being applied for every significant area of expenditure, including the Structural Funds DGs, as such control strategies aim at addressing the risk of error in the underlying transactions.

3.           Implementation of the IAS coordinated audit plan

3.1.        Audit statistics

In 2011, the IAS implemented 88 % of its priority engagements (C1 engagements being those due to be completed in the year). Other engagements were well advanced, to the tune of 69 % of non-priority audit engagements (C2 engagements being those that may be completed in the following year due to scheduling considerations). 29 C1 and 36 C2 engagements (including audits, follow-ups and consultancy) were finalised, resulting in 77 reports as follows:

Type || || Total 2011 || Total 2010 || Total 2009

AUDIT || No of engagements || 20 || 24 || 26

No of reports || 23 || 28 || 31

PRELIMINARY REVIEWS || No of engagements || 3 || 0 || 0

No of reports || 3 || 0 || 0

CONSULTING || No of engagements || 1 || 6 || 5

No of reports[4] || 1 || 6 || 5

FOLLOW-UP || No of engagements || 41 || 44 || 31

No of reports || 50 || 50 || 34

Total No of engagements || 65 || 74 || 62

Total No of reports || || 77 || 84 || 70

The IAS issued the following number of recommendations:

|| Acceptance status || Yes || No

Priority || No || No || % || No || %

Critical || 0 || 0 || 100 % || 0 || 0 %

Very important || 57 || 56 || 98 % || 1 || 2 %

Important || 102 || 101 || 99 % || 1 || 1 %

Desirable || 1 || 1 || 100 % || 0 || 0 %

Total || 160 || 158 || 99 % || 2 || 1 %

A complete list of the audit reports is in the attached Commission Working Document, together with the summaries, the rates of acceptance of the recommendations per report, the state of implementation of recommendations issued for 2007-2011 and the summaries of final conclusions of follow-up engagements.

For all accepted recommendations, audited services drafted action plans, which were submitted to and agreed with the IAS. Audited services reported that 80 % of all recommendations accepted in 2007-2011 had been implemented by the beginning of 2012. Only 25[5] recommendations were more than six months overdue.

The total number of recommendations accepted by the audited services in 2007-2011, for which the IAS had conducted follow-up audits by the end of 2011, is 1 097. The IAS agreed that the recommendations had been implemented and closed 98 % of the recommendations followed-up during this period.

The IAS follow-up work confirmed that recommendations are being implemented satisfactorily. The APC was informed of any critical or very important recommendations which were significantly overrunning.

3.2.        Main findings and recommendations, their impact and subsequent management action

A summary of the objectives and scope of the audit engagements referred to below is in the attached Commission Staff Working Document, together with the number of recommendations issued and accepted.

3.2.1.     Governance

In 2011, the IAS undertook a number of audits and follow-up action on governance within the European Commission (EC).

· Fraud

The IAS maintained its commitment to fraud prevention and detection and in 2011 carried out an audit in DG AGRI. Fraud prevention and detection was part of the scope[6] of two other audits on control strategies in DG INFSO and in DG RTD. In addition, one follow-up audit was carried out in 2011 on anti-fraud information systems in DG OLAF.

The audit in DG AGRI focused on assessing the adequacy and effective application of the governance, risk management and internal control process for prevention, detection and follow-up of fraud cases.

The IAS recommended clearly assigning anti-fraud roles and responsibilities, raising fraud risk awareness in vulnerable areas, developing an anti-fraud strategy, strengthening anti-fraud controls at Member State level for shared management, improving the follow-up of and reporting on identified fraud cases and working towards better cooperation with OLAF. According to the action plan, AGRI will, during 2012, appoint a full-time anti-fraud correspondent, approve its anti-fraud strategy in line with the Commission’s and establish working arrangements with OLAF.

As regards INFSO and RTD, the IAS found that DG INFSO in particular had developed ground-breaking anti-fraud initiatives and that these should be built upon to help develop a common fraud strategy for the research area as a whole. For RTD, the IAS found that certain areas still needed to be addressed, including awareness raising, identifying ‘red-flags’, making sure that anti-fraud checks are embedded in control systems, working with other DGs on specific risks such as plagiarism and double funding, ensuring proper data capture and making use of advanced data search tools. The RTD anti-fraud strategy has meanwhile been revised to ensure common elements are properly dealt with; training courses in fraud awareness have been organised; the regular risk assessment includes a consideration of fraud risks (essentially double financing); and the IT tool developed by INFSO to detect cases of plagiarism will be considered once the field tests have been completed.

· Business Continuity Management

In 2011, the IAS conducted an in-depth follow-up audit of its 2009 audit on Business Continuity Management (BCM) in the Secretariat General (in its coordination role) and in the operational DGs JLS[7], TAXUD and HR It was unable to give an opinion after its 2009 audit. During this follow-up exercise the IAS not only evaluated the progress made by each of the audited services in implementing their respective action plans, but also re-assessed the adequacy of controls as a whole. As a result, a qualified audit opinion was expressed, giving reasonable assurance regarding the achievement of the business objectives, except for one issue relating to BCM supervision. The Commission is evaluating the most appropriate and effective measures of resolving that issue.

3.2.2.     Performance audits

In its resolution of 10 May 2011 on the discharge for 2009, the European Parliament invited ‘the Internal Audit Service to allocate part of its resources to an examination of whether the spending by the main DGs is efficient, economical and effective and thereby completing the current financial and compliance audits’(§59).

Consequently, the IAS included a number of performance audits in its 2010-2012 strategic audit plan. In 2011 it delivered its first performance audits on the Entrepreneurship and Innovation Programme (EIP) in DG ENTR and on the operational activities of DG ECHO.

The EIP audit highlighted the need for DG ENTR to develop a reduced set of meaningful and stable indicators for similar action under the EIP successor programme, to improve performance measurement in evaluations and to improve its guidance on performance aspects to the Executive Agency for Competitiveness and Innovation, to which more projects could be outsourced. The Commission’s proposal for the Programme for Competitiveness of Enterprises and SMES (COSME) under the next Multi-annual Financial Framework 2014-2020 pays due heed to the audit results.

The audit on ECHO’s operational activities concluded that while the DG reacts quickly to an event, weaknesses were noted in moving from relief efforts to development assistance and in the mainstreaming of Disaster Risk Reduction and disaster preparedness in projects. According to the action plan, a final methodology and an appropriate set of tools for mainstreaming DRR into its emergency response procedure will be available by the end of 2012.

The IAS also recommended that DGs ECHO and DEVCO prepare a common strategy on LRRD (Link between Relief Rehabilitation and Development) and that the LRRD issue be properly addressed in the update of the legal instruments, in particular the European Development Fund and Development Cooperation Instrument. The interinstitutional discussions on the Commission proposals for the new legal instruments under the new MFF are taking place, and the ECHO/DEVCO/EEAS common strategy on LRRD is being formulated, aimed at improving the aid effectiveness of both humanitarian and development aid by means of better coordination, avoiding duplication and enhancing synergies. The common methodology is expected to be adopted by the end of 2012.

In 2011 the IAS carried out an audit on the effectiveness and efficiency of the monitoring by DG MARKT of the application of public procurement rules in the Member States. The audit concluded that the DG should take a more proactive, preventive approach, in partnership with the Member States. In particular, the collection, analysis and reporting of information should be enhanced and enforcement action better prioritised and targeted, based on ECA, OLAF and ex-post control work. DG MARKT should take the lead in exchanging information, experiences and best practices, and benchmarking the national procurement systems.

The Commission took the IAS audit recommendations into consideration in its proposals for revised public procurement legislation, in particular regarding the requirements for Member States to submit annual reports and to establish specialised bodies at national level, responsible for general coordination and supervision.

3.2.3.     Control strategies

Following its audits on the structural funds in 2010, the IAS examined control strategies in 2011 in the research field (DGs RTD and INFSO), in external aid (DG DEVCO), in pre-accession programmes (IPARD) and in the TEN-T programme.

Regarding the audits in DGs RTD and INFSO, one of the major achievements was the introduction, as of 2012, of a Common Representative Audit Sample (CRAS) across the whole research policy domain. This will address inefficiencies and reduce the audit burden and coordination problems of having the same beneficiaries tested by up to eight different Research Commission Services (RCS). To preserve accountability and assurance needs, each service’s share of the single sample may be increased as necessary, and they should continue to draw their own specific risk-based samples.

In the area of external aid, the IAS recommended that DG DEVCO strengthen its supervision and controls over both decentralised and centralised calls for proposals, and more specifically put in place or strengthen its monitoring mechanisms and controls, in order to obtain assurance on the effectiveness and transparency of the grant award process, and its compliance with the established rules. Other IAS recommendations covered staff training needs, enhanced data inputting controls in CRIS through improved training, and a more rigorous data review process covering both DEVCO HQ and EU Delegations. DG DEVCO strengthened its supervision and controls over calls for proposals by strengthening the PRAG (Practical Guide to Contract procedures for EU External Actions) instructions, revising current guidelines and making a steady effort on the training front. A study on data quality is being launched with a view to classifying the various errors, identifying the main reasons for erroneous encoding and proposing corrective and preventive measures. A comprehensive action plan to improve data quality in CRIS will be established as part of the specific audit on CRIS conducted by the ECA.

The audit on the Instrument for Pre-Accession Assistance for Rural Development (IPARD), managed by DG AGRI, highlighted the delays in implementing the IPARD programmes, resulting in poor financial execution and a possible budget loss under the n+3 de-commitment rule. The IAS recommended that DG AGRI do more to establish the steps and timeline of the pre-accreditation process up to the conferral decision, and give better guidance and communication to candidate countries and their pre-accreditation bodies. DG AGRI was of the view that conferring the management of the IPARD programme to Croatia was the best way to prepare Croatia for running the Rural Development Funds (which was corroborated by the ECA), but will improve guidance, revise the conferral process, and provide regular evaluation of bottlenecks up to the end of 2012.

The Trans-European Transport Network Executive Agency was created in 2006 to manage the technical and financial implementation of the TEN-T programme (EUR 1.2 billion committed in 2011). The audit on control strategy in TEN-T EA concluded with a satisfactory audit opinion, confirming that executive agencies can constitute a workable and effective management model for further development in the next multi-annual financial framework.

3.2.4.     The Global Navigation Satellite Systems (GNSS) programmes

The Commission is increasingly becoming involved in the management and delivery of major industrial programmes like ITER, Galileo or EU-wide IT systems which pose particular challenges and risks.

To support Commission management activities in this area, the IAS completed a series of three audits in 2011 of the Global Navigation Satellite System (GNSS) programmes EGNOS and Galileo. In the wake of significant delays, additional costs and the withdrawal of private investors, these programmes were reorganised in 2007-2008 with a revised plan, a new funding scheme and a new governance model involving, notably, the Commission as Programme Manager, the European Space Agency (ESA) as Project Manager and the Member States represented through different bodies. The Commission proposed to earmark EUR 7 billion to guarantee the completion of the EU satellite navigation infrastructure and to run the systems until 2020.

The first IAS engagement on Governance, Risk Management and Project Management concluded with an adverse audit opinion, recommending more stability in these space programmes and in their governance structure. Other recommendations were that: leadership of the Commission Programme Manager be strengthened; the Commission and the ESA focus more on their respective roles; the role of the GNSS Agency be clarified and stabilised; and the human resources strategy be improved in relation to temporary staff to ensure continuity of personnel.

The second IAS engagement on Actions, Grants and Procurement Management resulted in a qualified opinion. The IAS recommended that a new review of the ESA’s internal control system be organised in line with the Financial Regulation requirements for indirect centralised management. The conditions for allowing open competitive tenders should also be strengthened, and the use of negotiated procedures should be limited to exceptional cases. Finally, the IAS recommended tightening up ESA’s reporting requirements to create a better link between payments and deliverables, with a view to better planning, supervision and monitoring of ESA. DG ENTR undertook to re-perform (outsource) the six-pillar assessment of ESA’s systems and procedures.

The third engagement on Accounting for Fixed Assets, Financial Circuits and Financial Management concluded with an adverse audit opinion on the completeness and valuation of fixed assets. The IAS recommended that DG ENTR strengthen its supervision of fixed assets management and develop an appropriate accounting strategy. DG ENTR should work with DG BUDG and the Accounting Officer to determine an appropriate valuation and accounting methodologies for the different fixed asset streams. In addition to this new assessment of the ESA’s internal control system, DG ENTR’s ex post audits should take all available information into account, notably the qualifications expressed by the ESA’s Board of Auditors on the Agency’s annual accounts.

The Commission immediately took action to address the above issues. A new Deputy Director-General was assigned to oversee the whole programme. Measures were adopted to improve the administrative processes. External consultants have been recruited to assist in the valuation and accounting. In October 2011, the first two operational satellites were successfully launched. The Commission adopted, in November, a proposal for a new Regulation on the implementation and exploitation of European Satellite Navigation Systems.

3.2.5.     Financial management processes

In 2011 the IAS concentrated mainly on two processes at Commission level (management of guarantees and recoveries) and on the management of procurements in three operational services (OIB, DG HR and JRC). In addition, the series of GNSS programme audits also covered some financial activities, notably grants and procurement management, financial circuits and financial management (see para 3.2.4 for more details). The multi-DG audit performed in 2011 identified areas for improvement in the management of financial guarantees.

The follow-up on recovery procedures showed adequate implementation of the recommendations, contributing to more stringent processes in the audited DGs. The 2011 follow-up audits on procurement procedures showed that the systems and procedures in the audited services had been significantly improved.

Overall, the IAS conclusions on financial management processes in the Commission are positive.

3.2.6.     Information Technologies

Information technologies (IT) are having more and more of an impact on the Commission’s operations, and more money and staff are being devoted to IT activities (EUR 500 million spent each year and 3 800 staff working in IT).

Following IAS recommendations, the Commission launched various initiatives in 2010 to ensure that it is getting the most of its investments in IT in terms of expenditure and service efficiency, including the setting up of an IT steering committee.

The Commission’s attention is now focused on devising a comprehensive IT strategy and a more strategic approach to IT investments, by monitoring more closely its IT expenditures to ensure they are aligned with core business operations, and to identify efficiency-boosting synergies.

The audits conducted in 2011[8] focused on IT governance, IT project management and IT security. Particular attention was given to the management of sub-contracted activities, where outsourced services might exacerbate the inherent risks of failure to meet business needs, budget overrun and breaches in the security of the systems.

The results demonstrated the need to strengthen governance and IT risk management in administrative departments and for IT projects. In particular, the role of senior management in overseeing IT investments should be enhanced. Other areas for improvement relate to IT security.

4.           Consultation with the Commission’s Financial Irregularities Panel

No systemic problems were reported in 2011 by the Financial Irregularities Panel under Article 66(4) of the Financial Regulation applicable to the general budget of the European Communities.

5.           Conclusions

The Commission expresses its appreciation both to the Internal Auditor and to the audited DGs and Services for their positive cooperation and for their action plans in response to the IAS’s recommendations. By implementing the action plans for this year and for previous years, the Commission is steadily building up its internal control framework.

On the basis of the work carried out in 2011, the following conclusions can be drawn:

5.1.        Performance audits

The IAS’s first two performance audits sought to make processes more effective and efficient rather than to test their compliance with procedures and rules. This type of audit is particularly relevant at this present time: there are mature internal control systems to address the compliance issue, but the Commission must strive to do more with fewer resources, and to demonstrate increased efficiency, given the current economic climate. The IAS also made major efforts to define the performance audit framework and to develop an in-house training programme for auditors.

These first performance audits produced positive results, but highlighted the need for

· better links between the activities of DGs,

· more relevant performance indicators for certain programmes,

· better performance measurement in evaluations.

In the 2014-2020 Multiannual Financial Framework, the Commission proposed radical simplifications and included in all sectoral programmes general and specific objectives and key performance indicators with a view to improved performance reporting. Moreover, a standard clause on evaluation requires a final evaluation report on whether each programme’s objectives have been achieved.

5.2.        Commission departments’ control strategies

The IAS continued to work towards helping the Commission to achieve a more positive DAS by taking an effective but proportionate approach to the risk of error in the underlying transactions.

With a view to strengthening the controls on the way EU research policy is run, the 2011 IAS audit in two Commission research-related departments underlined the need for a common audit strategy in the Research Area, with no fewer than eight Commission departments. The interconnected nature of research means that there are bound to be common beneficiaries, requiring a more coordinated audit approach.

In the External Aid area the IAS recommended stronger supervision and controls in the EDF grant management process, both at Commission headquarters and in the EU Delegations. The action plans were designed to improve supervision of devolved expenditure, notably by improving the Delegations’ reporting, rationalising the control programmes and monitoring control activities. The measures were considered adequate but have yet to bear fruit. The separation of tasks between the Commission and the EEAS presents new risks, which are being addressed.

The IAS audited the control strategies of the Structural Funds DGs in 2010, concluding that they are on the right track. This work will be continued in 2012 in the Cohesion area, by way of audits covering the closure of the previous programming period for the ERDF, CF and ESF and the implementation of controls over the 2007-13 programming period, to seek reasonable assurance that DGs are effectively addressing the issue of the persistently high rate of error.

5.3.        Commission’s management of major industrial programmes

Following its audits on the Global Navigation Satellite Systems (GNSS) Programmes, the IAS concluded that the Commission should ensure it has the capacity to run such complex programmes, as they require large-project management skills which are not readily found internally. They also require management responsibility to be assigned at an appropriately high level and a stable governance structure.

The Commission took immediate action to address the above issues and adopted a proposal for a new Regulation on the implementation and exploitation of European Satellite Navigation Systems. This provides a new framework for the financing and governance of the EGNOS and Galileo programmes for 2014-2020.

5.4.        Commission’s financial management processes

The follow-up audits on financial management processes have shown much improvement over recent years, so the IAS’s conclusions in this area are positive. Work is still needed to ensure that the control framework remains robust despite pressure on resources.

5.5.        Commission’s IT governance

Following the IAS’s recommendations in the IT area, the Commission has taken a number of initiatives, such as establishing ABM and IT Steering Committees, the High Level Group on IT, the IS Project Management Board and the Special IT Working Group on office automation, all of which have improved IT governance. In 2010/2011, the IT rationalisation process was initiated[9]. To this end, many Commission IT systems were reviewed and assessed in 2011, with a view to limiting the number of local IT systems and IT staff and to streamlining existing systems. This work is ongoing. It is essential that any rationalisation decisions be based on a thorough and objective analysis of the costs and benefits of each option under consideration.

[1]               The audit and consulting reports finalised by 1 February 2011 and the management letter on the split of DGs finalised in March 2011 were included in the 2010 report and are therefore not reported on here. Reports issued in 2011 but finalised by 31 January 2012 are, by the same token, included in the 2011 report.

[2]               COM(2011) 0281 of 6 June 2012.

[3]               IAS and Internal Audit Capabilities (IACs).

[4]               Including Management Letters.

[5]               Of these 25 recommendations, one was issued in 2006 (see comments in the attached Commission Working Document).

[6]               More details in section 3.2.3.

[7]               In 2010 DG JLS was split into DG HOME and DG JUST.

[8]               Management of Local IT in DG EMPL, Security of IT environment in subcontracted projects in DG REGIO, Management of the telecommunication infrastructure and services sTESTA in DG DIGIT, IT tools of the Enterprise Europe Network in EACI.

[9]               The Communication from Commissioner M. Šefčovič to the Commission ‘Getting the best from IT in the Commission’ of 7.10.2010 established the ABM and IT Steering Committees. The Communication from Commissioner M. Šefčovič to the Commission ‘Follow up to the Communication ‘Getting the best from IT in the Commission’ of 30.11.2011 proposed the Commission’s IT rationalisation process.