This document is an excerpt from the EUR-Lex website
Document 52011SC1189
COMMISSION STAFF WORKING PAPER Implementation of recommendations and audit executive summaries
/* SEC/2011/1189 final */
COMMISSION STAFF WORKING PAPER
Implementation of recommendations and audit executive summaries
Accompanying the document
REPORT FROM THE COMMISSION TO THE COUNCIL AND THE EUROPEAN PARLIAMENT
Annual Report to the Discharge Authority on Internal Audits Carried out in 2010
(Article 86 (4) of the Financial Regulation)
TABLE OF CONTENTS
1. Level of implementation of recommendations
2. Executive summaries
2.1. Governance
2.1.1. Fraud
2.1.1.1. OLAF Fraud Prevention and Detection
2.1.1.2. Former JLS (split into DG HOME and DG JUST) Fraud Prevention and Detection
2.1.1.3. REGIO: Follow-up on Fraud Prevention and Detection in Structural Funds
2.1.1.4. ENV: LIFE + Grant Management
2.1.1.5. EAHC: Operational budget
2.1.2. Split of the DGs
2.1.2.1. Management letter on Re-organisation of former DG TREN, DG ENV and DG JLS and creation of Shared Services
2.1.3. Executive Agencies
2.1.3.1. SG, BUDG, HR, DIGIT, EACI, TEN-T EA, REA, EACEA, EACI, EAHC: Overview Report on Executive Agencies of the Commission
2.1.3.2. REA: Set up of Internal Controls and Financial Management Systems - Design
2.1.3.3. ERCEA: Set up of Internal Controls and Financial Management Systems - Design
2.1.3.4. TREN/EACI/TEN TEA: Local IT Systems supporting Financial Management
2.1.3.5. TEN T EA: Follow-up on Administrative Budget
2.1.3.6. EACEA: Follow-up on Ex-post control activities and implementation of Financial Circuits
2.2. IT Issues
2.2.1. Management letters
2.2.1.1. SG, DIGIT: Management Letter on Setup of IT Projects in the Commission
2.2.1.2. SG, BUDG, HR.DS: Consulting engagement on 3602 (Carry-over) – Management Letter on the Commission's IT security policy
2.2.2. Local IT in DG EAC
2.2.2.1. EAC: Management of Local IT
2.2.3. Business Continuity in DG DIGIT
2.2.3.1. DIGIT: Business Continuity Management
2.2.4. Other audits
2.2.4.1. PMO, DIGIT: HR IT Corporate Application – NAP
2.3. Control strategies
2.3.1. Structural funds – DG REGIO and DG EMPL
2.3.1.1. REGIO: Control Strategy - Audit and Financial Correction Processes
2.3.1.2. EMPL: Control Strategy - Audit and Financial Correction Processes
2.3.2. Audit strategy – DG EAC
2.3.2.1. EAC: Supervision and monitoring of National Agencies - Lifelong Learning Programme
2.3.3. Development aid – DG AIDCO and DG ELARG
2.3.3.1. AIDCO: Management of Thematic Budget lines
2.3.3.2. AIDCO: Financial management of Programme Estimates funded by the EDF and EU Budget
2.3.3.3. ELARG: Public procurement under IPA
2.3.3.4. ELARG: Financial management of IPA grants
2.3.3.5. Joint Sickness Insurance Scheme (JSIS) as managed by the PMO
2.4. Compliance with payment deadlines
2.4.1. BUDG: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)
2.4.2. ENER: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)
2.4.3. MOVE: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)
2.4.4. AIDCO: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)
2.4.5. ECHO: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)
2.5. Other audits
2.5.1. Legal Service: Handling of sensitive information
2.5.2. Publications Office: Official Journal Production Process as managed by the Publication Office (OP)
2.5.3. Publications Office, Secretariat General: Management letter to SG - Transmission to PO of sensitive information for publication
2.5.4. AGRI: Interventions in Agricultural Markets (focused on Milk and Milk products)
2.5.5. OIB: Activities of OIB.OS3 Social Infrastructure ISPRA
2.5.6. PMO: Activities of PMO/6 ISPRA
2.5.7. JRC: Management letter on JRC Grant holders
3. Follow-up audits (if not in the above categories)
3.1. PMO: Follow-up on Controls over Payment of Pensions
3.2. BUDG Second Follow-up on ABAC – Implementation of accrual based accounting
3.3. COMP: Follow-up on Recoveries of fines
3.4. ELARG: Follow-up on Readiness Assessment/Phasing in of Delegations in Balkans
3.5. OIL: Follow-up on the Management of the Procurement Contracts
3.6. PMO: Second Follow-up on Regularity of financial management and Implementation of financial circuits
3.7. JLS: Follow-up on Grants under Shared management of the European Refugee Fund
3.8. HR: Second follow-up on Review of DG ADMIN Human Resource Management Phase 1
3.9. OP: Follow-up on Procurement in the Publication Office
3.10. AIDCO: Follow-up on ex post control activities
3.11. HR: Follow-up on Review of DG ADMIN Human Resource Management - Phase II
3.12. HR: Second Follow-up on Validation of Self-assessment of IAC of DG ADMIN
3.13. OIB: Second Follow-up audit on Evaluation of targeted Internal Control Standards
3.14. REGIO: Follow-up audit on internal control system for managing the new Structural Funds programming period – Phase I
3.15. EMPL: Follow-up audit on internal control system for managing the new Structural Funds programming period – Phase I
3.16. ESTAT: Follow-up audit on IAS and IAC Joint Audit on ESTAT Grant Awarding process 2008-2009
3.17. TRADE: Second Follow-up audit on selected ICS
3.18. JLS: Follow-up audit on IT Procurement
3.19. ENTR: Follow-up audit on Monitoring the implementation of EU law
3.20. SG: Follow-up audit on SG consolidated report - Monitoring the implementation of EU law
3.21. ENV: Follow-up audit on Monitoring the implementation of EU law
3.22. SANCO: Follow-up audit on Grant Management in the Food safety, Animal Health and welfare and Plant Health Activity
3.23. AIDCO: Follow-up on Eligibility of Costs under the Financial and Administrative Framework Agreement with the United Nations
3.24. AIDCO: Second Follow-up audit on NGOs Funding
3.25. DIGIT: Follow-ups on the IT Governance of the Commission and on Management Processes of Local IT
3.26. SANCO: Follow-up audit on Large-scale Information Systems
3.27. OIL: Follow-up audit on Internal Control Standards
3.28. REGIO: Follow-up audit of the Review of financial corrections and recoveries in the Structural Funds area
3.29. REGIO: Follow-up audit on the Implementation of Programmes in the New Member States
3.30. OP: Final Follow-up audit on In-depth Audit of OPOCE
3.31. ESTAT: Second Follow-up audit of IT Risk Analysis audit
3.32. COMM: Follow-up audits on Audit on Contract management in the area of communication and Audit on Building Management
3.32.1. Audit on Contract management in the area of communication
3.32.2. Audit on Building Management
3.33. ENV: Second Follow-up audit on Grant Management of non-LIFE programmes
3.34. AGRI: Follow-up audit on Interventions in Agricultural Markets
3.35. PMO: Follow up audit on Missions as managed by PMO
3.36. EMPL: Follow up audit of the Review of financial corrections and recoveries in the Structural Funds area
3.37. INFSO: Follow up audit on AAR Assurance Process
3.38. RTD: Follow up audit on AAR Assurance Process
3.39. EMPL: Follow up audit on AAR Assurance Process
3.40. REGIO: Follow up audit on AAR Assurance Process
3.41. JLS: Follow up audit on AAR Assurance Process
3.42. AIDCO: Follow up audit on AAR Assurance Process
3.43. COMP: Second Follow-Up of the Audit on local IT
3.44. RTD: Further Follow up audit on Ex-Post Controls
1. Level of implementation of recommendations [1]
Table 1 sums up the level of implementation of accepted recommendations, based on the auditees’ assessment, for IAS recommendations made during the period 2006-2010. The recommendations not yet implemented are broken down by period overdue on the right-hand side of the table.
Table 1: Level of implementation of recommendations based on auditees’ assessment
Year || Priority || Total || Implemented (No) || Implemented (%) || In progress (No) || In progress (%) || No delay || 0-3 || 3-6 || 6-9 || 9-12 || 12+
2006 || Critical || 10 || 10 || || 0 || || || || || || ||
|| Very important || 175 || 171 || || 4 || || || || || || || 4
|| Important || 192 || 190 || || 2 || || || || || || || 2
|| Desirable || 6 || 6 || || 0 || || || || || || ||
|| || 383 || 377 || 98% || 6 || 2% || || || || || || 6
2007 || Critical || 4 || 4 || || 0 || || || || || || ||
|| Very important || 123 || 115 || || 8 || || || || || || || 8
|| Important || 161 || 149 || || 12 || || || || || || || 12
|| Desirable || 33 || 32 || || 1 || || || || || || || 1
|| || 321 || 300 || 72% || 21 || 28% || || || || || || 21
2008 || Critical || 0 || 0 || || 0 || || || || || || ||
|| Very important || 153 || 134 || || 19 || || 2 || 5 || 1 || 3 || || 8
|| Important || 176 || 157 || || 19 || || 2 || 2 || 1 || || 1 || 13
|| Desirable || 14 || 12 || || 2 || || || || || || || 2
|| || 343 || 303 || 88% || 40 || 12% || 4 || 7 || 2 || 3 || 1 || 23
2009 || Critical || 2 || 2 || || 0 || || || || || || ||
|| Very important || 134 || 95 || || 39 || || 11 || 17 || 8 || 2 || || 1
|| Important || 136 || 100 || || 36 || || 9 || 12 || 6 || 5 || 3 || 1
|| Desirable || 4 || 4 || || 0 || || || || || || ||
|| || 276 || 201 || 73% || 75 || 27% || 20 || 29 || 14 || 7 || 3 || 2
2010 || Critical || 0 || 0 || || 0 || || || || || || ||
|| Very important || 38 || 11 || || 27 || || 23 || 4 || || || ||
|| Important || 45 || 16 || || 29 || || 16 || 8 || || 5 || ||
|| Desirable || 3 || 1 || || 2 || || 2 || || || || ||
|| || 86 || 28 || 33% || 58 || 67% || 41 || 12 || || 5 || ||
TOTAL 2006-2010 || || 1 409 || 1 209 || 86% || 200 || 14% || 65 || 48 || 16 || 15 || 4 || 53
Overall, 1 209 or 86 % of the total number of recommendations made over the period 2006-2010 are considered by the auditee as implemented to date. 97[2] very important recommendations are outstanding, of which 26 are more than 6 months overdue.
2. Executive summaries
This part contains the original executive summaries (reflecting the state of play at the time when the audits were finalised) of audit engagements finalised by the IAS in 2010[3]. Each summary underwent the applicable standard professional validation and contradictory procedures between auditor and auditee at the time of finalisation. It also contains statistical information for the acceptance and implementation status.
Service || Engagement || Finalisation date
GOVERNANCE
Fraud
OLAF || Fraud Prevention and Detection || 27 January 2011
JLS || Fraud Prevention and Detection in (former) DG JLS || 22 November
REGIO || Follow-up on Fraud Prevention and Detection in Structural Funds || 26 April
ENV || LIFE + Grant Management || 26 May
EAHC || Operational budget || 28 January
Split of DGs
TREN, ENV, JLS || Management letter on Re-organisation of former DG TREN, DG ENV and DG JLS and creation of Shared Services || 18 March 2011
Executive Agencies
SG, BUDG, HR, DIGIT, EACI, TEN-T EA, REA, EACEA, EACI, EAHC || Overview Review Report on Executive Agencies of the Commission || 06 September
REA || Set up of Internal Controls and Financial Management Systems - Design || 27 July
ERCEA || Set up of Internal Controls and Financial Management System - Design || 15 July
TREN/EACI/TEN-T EA || Local IT Systems supporting Financial Management || 26 January
TEN-T EA || Follow-up on Administrative Budget || 11 February
EACEA || Follow-up on Ex-post control activities and implementation of Financial Circuits || 17 March
IT ISSUES
Management letters
SG, DIGIT || Management Letter on Setup of IT Projects in the Commission || 1 February 2011
SG, BUDG, DIGIT, HR.DS || Management Letter on the Commission's IT security policy || 24 February
Local IT in DG EAC
EAC || Management of Local IT || 28 April
Business Continuity in DG DIGIT
DIGIT || Business Continuity Management || 22 October
Other audits
PMO, DIGIT || HR IT Corporate Application - NAP || 27 October
CONTROL STRATEGIES
Structural funds – DG REGIO and DG EMPL
REGIO || Control Strategy - Audit and Financial Correction Processes || 1 February 2011
EMPL || Control Strategy - Audit and Financial Correction Processes || 1 February 2011
Audit strategy – DG EAC
EAC || Supervision and monitoring of National Agencies - Lifelong Learning Programme || 12 November
Development aid – DG AIDCO and DG ELARG
AIDCO || Management of Thematic Budget lines || 13 July
AIDCO || Financial management of Programme Estimates funded by the EDF and EU Budget || 25 January 2011
ELARG || Public procurement under IPA || 25 June
ELARG || Financial management of IPA grants || 20 December
Joint Insurance Sickness Scheme (JSIS) - PMO
PMO || Joint Sickness Insurance Scheme as managed by PMO || 16 December
COMPLIANCE WITH PAYMENT DEADLINES
BUDG || Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part) || 08 December
ENER || Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part) || 08 December
MOVE || Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part) || 08 December
AIDCO || Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part) || 08 December
ECHO || Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part) || 08 December
OTHER AUDITS
LS || Handling of sensitive information and conflicts of interest || 08 December
OP || The Official Journal Production Process as managed by the Publication Office (OP) || 29 November
OP, SG || Management letter to SG - Transmission to OP of sensitive information for publication || 08 December
AGRI || Interventions in Agricultural Markets (focused on Milk and Milk products) || 19 July
OIB || Activities of OIB.OS3 Social Infrastructure ISPRA || 16 July
PMO || Activities of PMO/6 ISPRA || 04 June
JRC || Management letter on JRC Grant holders || 24 November
FOLLOW-UP AUDITS (if not in the above categories)
PMO || Follow-up on Controls over Payment of Pensions || 25 January 2011
BUDG || Second Follow-up on ABAC – Implementation of accrual based accounting || 24 January 2011
COMP || Follow-up on Recoveries of fines || 21 January 2011
ELARG || Follow-up on Readiness Assessment/Phasing-in of Delegations in Balkans || 17 January 2011
OIL || Follow-up on the Management of the Procurement Contracts || 20 January 2011
PMO || Second Follow-up on Regularity of Financial Management and Implementation of Financial Circuits || 18 January 2011
JLS || Follow-up on Grants under Shared Management of the European Refugee Fund || 11 January 2011
HR || Second Follow-up on Review of DG ADMIN Human Resource Management Phase 1 || 21 December
OP || Follow-up on Procurement in the Publication Office || 22 December
AIDCO || Follow-up on Ex-Post Control activities in DG AIDCO || 22 December
HR || Follow-up on Limited Review DG ADMIN Human Resource Management - Phase II || 22 December
HR || Follow-up on IAS Validation of Self-Assessment of IAC of DG ADMIN || 21 December
OIB || Follow-up on Evaluation of Targeted Internal Control Standards || 21 December
REGIO || Follow-up on the Internal Control System for managing the new Structural Funds programming period – Phase I || 17 December
EMPL || Follow-up on the Internal Control System for managing the new Structural Funds programming period – Phase I || 17 December
ESTAT || Follow-up on IAS and IAC Joint Audit on Grant Awarding Process 2008 - 2009 || 17 December
TRADE || Follow-up on Implementation of selected Internal Control Standards || 07 December
JLS || IT Procurement || 10 November
ENTR || Follow-up on Monitoring the Implementation of EU Law || 14 December
SG || Follow-up on SG consolidated Report - Monitoring the Implementation of EU Law || 06 September
ENV || Follow-up on Monitoring the Implementation of EU Law || 25 June
SANCO || Follow-up on Grant Management in the Food Safety, Animal Health and Welfare and Plant Health Activity || 11 June
AIDCO || Follow-up on Eligibility of Costs under the Financial and Administrative Framework Agreement with the United Nations || 31 May
AIDCO || Second Follow-up on NGOs Funding || 28 May
DIGIT || Follow-up on IT Governance at the European Commission || 26 May
DIGIT || Follow-up on Management Processes of Local IT || 26 May
SANCO || Follow-up on Large-scale Information Systems || 10 May
OIL || Follow-up on Internal Control Standards || 30 April
REGIO || Follow-up on the Review of financial corrections and recoveries in the Structural Funds area || 15 April
REGIO || Follow-up on Implementation of Programmes in the New Member States || 16 April
OP || Follow-up on In-depth Audit of OPOCE || 07 November
ESTAT || Second Follow-up on IT Risk Analysis || 26 March
COMM || Follow-up on Building management || 08 April
COMM || Follow-up on Contract management in the area of Communication || 08 April
ENV || Follow-up on Grant Management of Non-LIFE Programmes || 03 March
AGRI || Follow-up on Interventions in Agricultural Markets || 26 February
PMO || Follow-up on Audit on missions || 16 February
EMPL || Follow-up on the Review of financial corrections and recoveries in the Structural Funds area || 25 February
INFSO || Follow-up on AAR Process - Operational DGs - INFSO || 17 February
RTD || Follow-up on AAR Process - Operational DGs - RTD || 17 February
EMPL || Follow-up on AAR Process - Operational DGs - EMPL || 18 February
REGIO || Follow-up on AAR Process - Operational DGs - REGIO || 01 March
JLS || Follow-up on AAR Process - Operational DGs - JLS || 10 March
AIDCO || Follow-up on AAR Process - Operational DGs - AIDCO || 05 March
COMP || Second Follow-up on Local IT || 04 February
RTD || Follow-up on 2006 Audit of Ex-Post Controls || 25 January
2.1. Governance
2.1.1. Fraud
2.1.1.1. OLAF Fraud Prevention and Detection
· Objectives and Scope
As a result of the joint IAS-IAC audit risk assessment, the coordinated 2010-2012 Strategic Audit Plan, which was endorsed by the Audit Progress Committee on 28 April 2010, includes several audit engagements on Fraud Prevention and Detection. The IAS 2010 audit work programme notably includes an audit of the specific DG aspects in the former DG JLS (final report issued on 23 November 2010) and the current audit of OLAF and horizontal aspects of fraud prevention and detection. Similar audits are also planned to be conducted in 2011.
The objective of this audit engagement was to assess the adequacy and effective application of the governance, risk management and internal control processes for fraud prevention and detection by OLAF.
The scope of the current report comprises Commission-wide aspects of the control environment, risk assessment, control activities, information and communication and the monitoring process designed and set up for fraud prevention and detection purposes.
The fieldwork was finalised on 30 September 2010. All observations and recommendations relate to the situation as of that date.
Acceptance Status
Priority || # || Yes (Partially): # || Yes (Partially): % Total || No: # || No: % Total
Very Important || 6 || 6 || 100 || 0 || 0
Important || 5 || 5 || 100 || 0 || 0
Total || 11 || 11 || 100 || 0 || 0
2.1.1.2. Former JLS (split into DG HOME and DG JUST) Fraud Prevention and Detection
· Objectives and Scope
As a result of the joint IAS-IAC audit risk assessment, the coordinated 2010-2012 Strategic Audit Plan, which was endorsed by the Audit Progress Committee on 28 April 2010, included several audit engagements on Fraud Prevention and Detection. The IAS 2010 audit work programme notably included an audit of the specific DG aspects in the former DG JLS and an audit of OLAF, which addresses horizontal aspects of fraud prevention and detection.
The objective of this audit engagement was to assess the adequacy and effective application of the governance, risk management and internal control processes for fraud prevention and detection in (former) DG JLS.
The scope of the current report comprises former DG JLS's specific aspects of the control environment, risk assessment, control activities, information and communication process and the monitoring process designed and set up for fraud prevention and detection purposes.
DG JLS's 2009 Annual Activity Report mentions that all Member States have submitted their 2009 annual summaries and information on the financial execution of SOLID funds. The analysis of these annual summaries shows that, although several weaknesses were reported in the annual summaries, none of them is considered critical for the overall functioning of the funds, including their control systems. No fraud or suspicion of fraud was reported.
The fieldwork was finalised on 9 September 2010. All observations and recommendations relate to the situation as of that date.
Further to the split of former DG JLS and the creation of DGs JUSTICE and HOME, the recommendations made in this report indicate whether they are addressed to both DGs or to one of them.
The Executive Summary provides a synthesis of information on the audit including critical and very important findings, risks and recommendations as well as the audit opinion - its emphasis is on providing a quick understanding of the audit and its main results. The body of the report contains the detailed validated audit information and as such is the authoritative text.
Acceptance Status
Priority || # || Yes: # || Yes: % Total || No: # || No: % Total
Very Important || 2 || 2 || 100 || 0 || 0
Important || 6 || 6 || 100 || 0 || 0
Total || 8 || 8 || 100 || 0 || 0
2.1.1.3. REGIO: Follow-up on Fraud Prevention and Detection in Structural Funds
· Objectives and Scope
The objective of the follow-up engagement was to assess progress made in implementing the accepted recommendations that resulted from the audit "Prevention and detection of fraud in the Structural Funds" carried out in DG REGIO in 2007 (final report dated 19 December 2007).
This follow-up audit does not result in an assessment of the adequacy of controls as a whole, but focuses on the specific recommendations in the original audit.
· Audit Methodology
This follow-up engagement was carried out in accordance with the annual work plan of the Internal Audit Service (IAS) for 2010 and IAS methodological guidelines.
In assessing the status of the original audit recommendations, this follow-up audit focused on all recommendations that were included in the audit report, four "very important" and one "important" (no "critical" issues were raised in the original audit). The actions taken by DG REGIO to implement these recommendations have been assessed through the examination of the documentary evidence obtained during the follow-up audit and through discussions with key staff.
When making our assessment on the implementation of recommendations, we took into consideration their implementation status as reported by the auditee through AMS-Issue Track.
This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing.
2.1.1.4. ENV: LIFE + Grant Management
· Objectives and Scope
The objective of the audit is to assess the adequacy and effective application of the internal control system (ICS), risk management and governance processes related to the Grant management of the LIFE+ programme, managed under direct management by DG ENV from October 2007. During the audit, two successive reorganisations of DG ENV (October 2009 and February 2010) took place. These have been taken into account in our assessment. In particular, the audit aimed to assess:
· compliance with the relevant legal base, rules and procedures;
· effectiveness and efficiency of the processes regarding grants under direct management;
· reliability of financial information.
The scope of this audit engagement focused on grant management under the LIFE+ program, since grants funding represents more than 86% of the program's annual appropriations. Only sub-processes that have already been implemented were considered: publication of calls; reception of proposals; evaluation; selection and awarding phases; payments of pre-financing. Procurement has been excluded from the scope of the audit since it represents not more than 13% of the LIFE+ program.
In the 2008 Annual Activity Report (the latest currently available at the end of the fieldwork), there are no observations/reservations that relate to the areas/processes audited. DG ENV has issued a reservation in the 2009 Annual Activity Report regarding the eligibility of expenditure declared by beneficiaries of grants. Although the reservation concerns all programs managed by DG ENV under direct management, there were as yet too few final payments for the LIFE+ program (and only for the NGOs funding) to conclude whether the reservation specifically applies to LIFE+.
The fieldwork was finalised on 28 February 2010. All observations and recommendations relate to the situation as of that date.
Acceptance Status
Priority || # || Yes: # || Yes: % Total || No: # || No: % Total
Very Important || 3 || 3 || 100 || 0 || 0
Important || 9 || 9 || 100 || 0 || 0
Total || 12 || 12 || 100 || 0 || 0
2.1.1.5.
EAHC: Operational budget
·
Objectives and Scope The objective of this audit was to assess
the adequacy and effective application of the internal control system (ICS),
risk management and governance processes related to grants managed by the EAHC.
In particular, the audit assessed whether the ICS provided reasonable assurance regarding compliance
with the relevant legislation, effectiveness and efficiency of the processes and the reliability of
financial information. The scope of
this audit focused on the following sub-processes managed by the EAHC: establishment of the Agency's work programme, call for proposals,
evaluation of proposals, awarding decision, payments, recovery, outstanding
commitments (RAL) and de-commitments,
ex-post publicity and ex-post controls (external audit). DG SANCO was only
audited to the extent that it is involved in these sub-processes (e.g. clear
assignment of responsibilities, communication, reporting). There were
no observations/reservations made in the 2008 AAR of DG SANCO and the EAHC concerning the processes under the scope of this audit. During the
audit, no scope limitations were identified. The fieldwork was
finalised on 4 December 2009. All observations and recommendations relate to the situation as of that date.
Acceptance Status
Priority || # || Yes: # || Yes: % Total || No: # || No: % Total
Very Important || 3 || 3 || 100 || 0 || 0
Important || 12 || 12 || 100 || 0 || 0
Total || 15 || 15 || 100 || 0 || 0
2.1.2. Split of the DGs
2.1.2.1. Management letter on Re-organisation of former DG TREN, DG ENV and DG JLS and creation of Shared Services
· Objectives and scope
The aim of this management letter is to
report on the lessons learnt from the re-organisation of three major
Directorates-General of the Commission (namely former DGs TREN, ENV and
JLS) and from the creation of Shared Resource Directorates (SRDs) and Shared
Internal Audit Capabilities (SIACs). The IAS invites the central and operational
Directorates-General concerned to take stock of both existing challenges and
best practices concerning areas such as the budgetary procedure, the appraisal
and promotion exercise, the Annual Activity Report (AAR) and the Management
Plan (MP) exercises. In that perspective, issues for consideration have been
identified. This engagement was performed in accordance
with the IAS Guidelines and the Mutual Expectations Paper, which describes the
responsibilities of the IAS and the contact persons. It was also conducted in
conformity with the International Standards for the Professional Practice of
Internal Auditing. As originally planned, the IAS organised a
desk review and a number of interviews with the relevant key staff of
DG ENV, DG CLIMA, DG ENER, DG MOVE and their Shared
Services. Because DG JLS's reorganisation was decided later than those of
DG TREN and DG ENV, the IAS confirmed the findings in the latter
Directorates General with a limited number of staff in DGs HOME and JUST.
2.1.3. Executive Agencies
2.1.3.1. SG, BUDG, HR, DIGIT, EACI, TEN-T EA, REA, EACEA, EACI, EAHC: Overview Report on Executive Agencies of the Commission
· Objectives and Scope
The objective of this overview report is to
report on the systemic issues identified in the various audit engagements
performed between 2006 and 2009 by the Internal Audit Service (IAS) in the
Executive Agencies (EAs) of the European Commission. The objective
of the underlying audit engagements in the EAs was to assess the adequacy and effective application of their internal
control system (ICS), risk management and governance processes for the
management of both the administrative budget and the operational budget. In particular, the audits assessed whether the
ICS provided reasonable assurance regarding compliance with the
applicable legislation, the effectiveness and efficiency of the
processes and the reliability of financial and non-financial
information. Regarding the audit engagements on the administrative
budget, the focus was on:
1) The overall organisation of the Agency (including governance issues).
2) The accounting system, including the regularity of financial management and the implementation of financial circuits, the accounting organisation, the accounting for fixed assets, salaries, and purchases, and the year-end closing procedures.
3) The treasury cycle including the management of bank accounts.
4) The external relations of the Agency with other Commission services (i.e. the service level agreements and memoranda of understanding with the parent DG(s)).
The operational budget in the EAs is mostly spent via grants. Therefore, for these audits, the scope focused on the
following sub-processes managed by the EA:
1) The establishment of the Agency's work programme.
2) The calls for proposals, the evaluation of proposals and the awarding decision.
3) Payments, recovery, outstanding commitments (RAL) and de-commitments.
4) Ex-post publicity and ex-post controls (external audit).
The parent DGs were only audited to the extent
that they were involved in these sub-processes (e.g. clear assignment of
responsibilities, communication, reporting). No scope limitations were identified during the
audits of the underlying engagements. The fieldwork for the overview report was
finalised on 10 June 2010. This overview report does not contain any new
findings or recommendations but only those of a systemic nature that arose from
the underlying audit reports mentioned.
Acceptance Status
Priority || # || Yes: # || Yes: % Total || No: # || No: % Total
Very Important || 7 || 7 || 100 || 0 || 0
Important || 7 || 7 || 100 || 0 || 0
Total || 14 || 14 || 100 || 0 || 0
2.1.3.2. REA: Set up of Internal Controls and Financial Management Systems-Design
· Objectives and Scope
The objective of this
audit, conducted from March 2010 to July 2010, was to assess the design and set
up of the Research Executive Agency's (REA/the Agency) internal control systems which underpin the financial grant
management process under the Seventh Framework Programme (FP7). In view of its
recent operational autonomy (June 2009), this audit also covered the assessment
of the Agency's general internal framework, including the IT internal control
environment. For this first "design" phase, the
audit covered REA's implementation of the Internal Control Standards and
organisational arrangements with other Commission services and its parent DGs.
It also covered the control strategy put in place for the Agency's grant
management process, in particular the award process (evaluation and ranking of
proposals), the grant agreements (from the negotiation up to the signature of
the grants), the implementation of grant agreements and related audit
activities. At a later stage (2011), the IAS plans to
examine the effectiveness of REA's internal controls in practice, i.e. to
determine whether these have been adequately implemented and are working as
intended. There are no observations/reservations in
the first REA AAR for 2009 that relate to the area/process
audited. The fieldwork was finalised on 14 May 2010. All observations and recommendations
relate to the situation as of that date.
Acceptance Status
Priority || # || Yes: # || Yes: % Total || No: # || No: % Total
Very Important || 5 || 5 || 100 || 0 || 0
Important || 4 || 4 || 100 || 0 || 0
Total || 9 || 9 || 100 || 0 || 0
2.1.3.3. ERCEA: Set up of Internal Controls and Financial Management Systems - Design
· Objectives and Scope
The objective of this audit was to assess the
set up and design of the European Research Council Executive Agency's (ERCEA)
internal control systems which underpin the financial
grant management process of the IDEAS Programme under FP7. In addition and in
view of the fact that ERCEA has only been operating autonomously since July 2009,
the audit also reviewed its general internal control framework. At a later
date, currently foreseen for 2011, the IAS plans to examine the effectiveness
of these internal controls in practice, i.e. to determine whether these
controls have actually been implemented and are working as intended. For this first "design" phase, the
audit covered ERCEA's implementation of the Internal Control Standards and
organisational arrangements with other Commission services, the parent DG and
more specifically the role it plays in supporting the work of the Scientific
Council (SC), which is the arm of the European Research Council ultimately
responsible for approving research proposals and determining overall strategy.
It also covered the control strategy in place for the Agency's grant management
process, including ex-post activities. In this regard, it should be noted that
the IAS considered it too early to undertake any meaningful coverage of the
evaluation and monitoring process for assessing the results of the specific
program IDEAS. In addition, although the audit did not include a detailed
examination of IT systems (as the Agency has its own qualified IT internal
auditor), it did cover high level IT organisation and governance issues. There are no observations/reservations in the
AAR that relate to the area/process audited, due to the early stage of FP7 implementation.
The fieldwork was finalised on 4 May 2010. All observations and recommendations
relate to the situation as of that date.
Acceptance Status
Priority || # || Yes: # || Yes: % Total || No: # || No: % Total
Very Important || 4 || 4 || 100 || 0 || 0
Important || 4 || 4 || 100 || 0 || 0
Total || 8 || 8 || 100 || 0 || 0
2.1.3.4. TREN/EACI/TEN-T EA: Local IT Systems supporting Financial Management
· Objectives and Scope
The Directorate-General for Energy
and Transport (DG TREN) is responsible for developing and implementing European
policies in the energy and transport field for the benefit of all sectors of the society, businesses, cities, rural areas
and above all of citizens. DG TREN carries out these tasks using
legislative proposals and programme management, including the financing of
projects. In order to fulfil this mission, the DG manages
a large quantity of contracts in very different areas, such as grants, research
and procurement contracts. The business processes related to the management of
these contracts are currently supported by two IT applications, called PMS
(Project Management System) and ePMS. The latter is the evolution of the PMS
system which will be phased out in parallel with the closing of the fifth
Research Framework Programme (FP5) contracts. The Trans-European Transport
Network Executive Agency (TEN-T EA) assures the technical and financial implementation and management of the
Trans-European Transport Network (TEN-T) programme, which supports
key transport infrastructure projects. Its parent DG, DG TREN, remains
responsible for the overall policy, programming and evaluation of the
TEN-T programme. The TENtec System has been designed for the
management of the TEN-T Programmes from
the call for proposal until the grant agreements. The TENtec system is under
the full supervision and responsibility of Directorate B of DG
TREN. In the future, TENtec shall also provide an external portal to implement
the Open Method of Coordination between the Commission, the Member States, and
later on, also with other Institutions (e.g. the European Investment Bank, see
in this respect the TEN Loan Guarantee Instrument). The Executive Agency for
Competitiveness and Innovation (EACI) assures the technical and financial
implementation and management of Community actions in the fields of energy,
transport, entrepreneurship and innovation. The overall policy, programming and
evaluation remains in its parent DGs, i.e.
· DG TREN for the Intelligent Energy Europe and Marco Polo programmes.
· DG ENTR for Enterprise Europe Network, Eco-innovation (in conjunction with DG ENV) and Intellectual Property Rights Awareness and Enforcement programmes.
The EACI uses EPSS/RIVET and NEF IT systems
developed by DG RTD but also PMS and ePMS for the management of the contracts
related to its missions. The objective of the audit is to assess the
adequacy and effective application of the internal control systems (ICS), IT
governance and risk management related to the Local IT Systems Supporting
Financial Management in DG TREN, EACI and TEN-T EA. The scope of this
audit was limited to the TENtec and PMS/ePMS systems and related IT processes and procedures. IT processes and
procedures not directly linked to these systems have not been assessed.
However, some local IT infrastructure storing end-user computing files that
have a material impact on financial processes have been evaluated. The nature and extent of the current audit did
not enable the inclusion of EPSS/RIVET and NEF in the audit scope. As these
systems are managed by DG RTD, they could be reviewed in future IAS audits. During the audit, no scope limitations were identified. There are no
observations/reservations in the Annual Activity Report 2008 that relate to the
area/process audited. The fieldwork was finalised on 1st
December 2009. All observations and recommendations relate to the situation as
of that date.
Acceptance Status
Priority || # || Yes: # || Yes: % Total || No: # || No: % Total
Very Important || 4 || 4 || 100 || 0 || 0
Important || 5 || 5 || 100 || 0 || 0
Total || 9 || 9 || 100 || 0 || 0
2.1.3.5. TEN-T EA: Follow-up on Administrative Budget
Based on the results of our follow-up
audit, we assess that all the recommendations addressed to the TEN-T EA
that resulted from the Audit of the Administrative Budget of the Trans-European
Transport Network Executive Agency have been adequately and effectively
implemented.
2.1.3.6. EACEA: Follow-up on Ex-post control activities and implementation of Financial Circuits
Based on the results of our follow-up
audit, it is assessed that all the recommendations addressed to EACEA that
resulted from the audit "Ex-post control activities and implementation of
Financial Circuits" have been adequately and effectively implemented,
except for two recommendations.
2.2. IT Issues
2.2.1. Management letters
2.2.1.1. SG, DIGIT: Management Letter on Setup of IT Projects in the Commission
· Objectives
The review of the Management of the Setup
of IT Projects in the Commission was included in the IAS 2010 Audit Work
Programme following the audit risk assessment carried out in 2009 as part of
the IAS's coordinated Strategic Audit Plan for 2010-2012. The objective of the review was to assess
the adequacy and effective application of the internal control systems (ICS)
and IT governance related to the Management of the Setup of IT Projects in the
Commission. It aimed at identifying the root causes of the problems most often
encountered and at proposing issues for consideration at Commission level.
Previous IAS audits in this area have concluded that the set-up phase is
crucial for the successful outcome of IT projects. This Management Letter complements previous
audits on IT corporate governance carried out by the IAS. The recommendations
contained in these reports have been taken into account in the report of the IT
Task Force issued on 30 June 2010 and the subsequent Communication
"Getting the best from IT in the Commission" (SEC(2010)1182). This
review focuses on operational aspects of IT project management and could
provide a source of inspiration for the actions initiated by the new governance
bodies set up. The IAS analysed and evaluated the design and effectiveness of
controls put in place by the management of the selected DGs to mitigate the
major risks associated with the setup phase.
· Scope
The scope of this Management Letter was
limited to the Project Initiating and the Project Management Planning phase of
the PM methodology. IT processes and procedures not directly
linked to these phases have not been assessed. The IAS sampled 12 IT projects
recently implemented in various DGs. The issues for consideration also take
into account recent audit reports and management letters issued by the Internal
Audit Service in this area. This engagement was conducted in
conformance with the International Standards for the Professional Practice
of Internal Auditing. The fieldwork took place between February
and August 2010. The main issues identified were subsequently discussed in a
management workshop held on 18 October, to which IT and business project
managers responsible for the implementation of the 12 IT projects sampled were
invited. All lessons learnt and issues for consideration relate to the
situation as of that date. As mentioned below, important changes have taken
place during the completion of this engagement in the area of IT governance, in
particular after the communication on "Getting the best from IT in the Commission"
(SEC(2010)1182).
2.2.1.2. SG, BUDG, DIGIT, HR.DS: Management Letter on the Commission's IT security policy
· Objectives and scope
The objective of this Management Letter is to summarise the main
issues related to the implementation of IT security governance in the
Commission and other related policies as identified in the IT audit engagements
performed by the IAS in several DGs over the last four years. The aim is to
contribute to the improvement of the information security framework in terms of
its adequacy and effectiveness in supporting the goals of the organisation.
2.2.2. Local IT in DG EAC
2.2.2.1. EAC: Management of Local IT
· Objectives and Scope
The objective of
the engagement was to analyse and evaluate the internal control system put in
place by DG EAC to ensure an adequate and effective management of its local IT. The scope of
the audit included the following processes:
· Plan & Organise: IT architecture definition, organisation definition, risk management and IT project management activities.
· Acquire & Implement: application software development, change and release management.
· Deliver & Support: logical and physical security, incident management, problem management, operations management and data management.
· Monitor & Evaluate: quality, performance management, monitoring of internal control, regulatory compliance and governance.
The audit focused
in particular on the activities performed by unit EAC.R.5 (Informatics
Resources). Other services (EAC.R.6 - Document Management and Local Security)
and representatives of IT system users (Education, Audiovisual and Culture
Executive Agency (EACEA)) were also consulted regarding their respective
responsibilities, in particular for the management of IT projects. There are no observations/reservations in
the AAR that relate to the processes audited.
Acceptance Status
Priority || # || Yes: # || Yes: % Total || No: # || No: % Total
Very Important || 7 || 7 || 100 || 0 || 0
Important || 7 || 7 || 100 || 0 || 0
Total || 14 || 14 || 100 || 0 || 0
2.2.3. Business Continuity in DG DIGIT
2.2.3.1. DIGIT: Business Continuity Management
· Objectives and Scope
The overall
objective of this audit was to assess the adequacy and effectiveness of
Business Continuity Management (BCM) in DG DIGIT. The scope of the
audit covered the management structures and procedures of Business Continuity
in DG DIGIT (cf. BCM life-cycle at DG-level), including coordination with other
DGs/Services and external service providers. There are no
observations/reservations in the 2009 AAR of the audited DG that relate to the
area/process audited. The fieldwork was finalised in June 2010.
All observations and recommendations relate to the situation as of that date.
Acceptance Status
Priority || # || Yes: # || Yes: % Total || No: # || No: % Total
Very Important || 4 || 4 || 100 || 0 || 0
Important || 8 || 8 || 100 || 0 || 0
Total || 12 || 12 || 100 || 0 || 0
2.2.4. Other audits
2.2.4.1. PMO, DIGIT: HR IT Corporate Application – NAP
· Objectives and Scope
The mission of
PMO is to ensure the determination and payment of individual rights of active
and post-active staff as well as the reimbursement of experts' expenses, with a
significant proportion of these tasks dedicated to other Institutions and
almost all the Regulatory and Executive Agencies. To accomplish its
mission, PMO relies on the NAP (Nouvelle Application Paie) software, an
off-the-shelf product heavily customised and adapted over time to the needs of
PMO (and of the different bodies they serve). The
administration, calculation and payment of financial entitlements of staff of
EC and other Institutions/bodies carry inherent financial and reputational
risks. In addition, operational risks related to the high dependency of PMO on
the NAP Environment (NAP, FIXPEN, InfoCentre) and compliance risks related to
the correct implementation of the Staff Regulations and Personal Data
protection Regulation exist. The objective of
the engagement was to analyse and evaluate the internal control systems put in
place by PMO to provide:
· proper governance set up and project management for the NAP project;
· adequate physical and logical security arrangements for the NAP Environment.
Regarding
security, the engagement focused on confidentiality, integrity and availability
of the information processed in the NAP environment and in particular on:
· Authentication, authorisation and accountability of NAP Environment users,
· Business Continuity arrangements,
· Data integrity and validation controls implemented in the NAP environment,
· Management of changes.
The scope of the audit included the
following processes:
· Plan & Organise: IT project management and management of quality of the project.
· Acquire & Implement: changes and configuration management.
· Deliver & Support: management of information system security, continuity of service, data and IT operations.
· Application Controls: source data collection, entry, preparation and authorization.
The audit focused
primarily on the activities performed by the team in charge of NAP (called NAP
Cell). The role and responsibilities of DIGIT as service and system provider
(DIGIT.B3 - NAP System Supplier, and DIGIT.C2 - NAP Infrastructure Service
Provision) and of PMO's main users (Units 01, 04, 05 and 08) were also analysed
during the audit. There are no reservations in the
2009 AAR that relate to the processes audited. The fieldwork was finalised on 10 September
2010. All observations and recommendations relate to the situation as of that
date.
Acceptance Status
Priority || # || Yes: # || Yes: % Total || No: # || No: % Total
Very Important || 7 || 7 || 100 || 0 || 0
Important || 7 || 7 || 100 || 0 || 0
Total || 14 || 14 || 100 || 0 || 0
2.3. Control strategies
2.3.1. Structural funds – DG REGIO and DG EMPL
2.3.1.1. REGIO: Control Strategy - Audit and Financial Correction Processes
· Objectives and Scope
The SFs DGs spend around one third of the
total EC budget annually under shared management. Although the Member States
(MSs) have primary responsibility for implementing effective internal control
systems to prevent or detect and correct irregular and illegal expenditure, the
Commission performs a supervisory role over national systems and assumes final
responsibility for the implementation of the budget. Therefore, the SFs DGs
should have a credible control strategy for demonstrating that they are seeking
reasonable assurance on the effective functioning of the management and control
systems (MCS) in MSs and beneficiary countries. This audit covered:
· DG REGIO’s own audit strategy and risk-based strategic audit planning for the 2000-2006 and 2007-2013 programming periods (PP) and all funds;
· the Audit Directorate's quality improvement programme / system for quality control;
· the disclosure of key information (i.e. the key assurance building blocks) supporting the reasonable assurance provided in the declaration of assurance of the 2009 AAR;
· the measures to build up MS capacity for installing sound and effective management and control systems.
The objective was to assess:
· whether the audit strategy designed to obtain assurance on the adequate set-up and effective functioning of the management and control systems in the Member States and beneficiary countries is adequate, effectively implemented, regularly monitored and adequately reported on, and is ensuring that corrective measures are taken promptly and proportionately;
· whether the Audit Directorate has established a sound quality assurance programme or system for quality control, and/or has taken adequate measures to ensure the continuous quality improvement of the audit function;
· whether the DG has adequately disclosed the level of assurance obtained for shared management in its 2009 AAR,
· whether the DG's measures to build up MS capacity for installing sound and effective management and control systems at managing, certifying and audit authorities are adequate and effective.
DG REGIO has included the following reservations in its
2009 AAR concerning specifically the processes under the scope of this audit:
· "For ERDF and Cohesion Fund there are significant deficiencies prejudicing the effective functioning of the MCS of certain programmes 2007-2013 in Bulgaria, Italy, Germany, Spain and together with 15 European Territorial Cooperation programmes;
· For ERDF and Cohesion Fund there are significant deficiencies prejudicing the effective functioning of the MCS of certain programmes 2000-2006 in Bulgaria, Italy, Germany, The United Kingdom and together with 15 INTERREG programmes
· For 38 out of the 79 programmes concerned the DG does not have reasonable assurance on the legality and regularity of the underlying transactions in relation to reimbursements in 2009 of expenditure declared. For the 41 remaining programmes, significant deficiencies have been identified at an early stage before any reimbursement in 2009 of expenditure declared, which limits the risk for the financial interests of the Union."
The fieldwork was finalised in mid October
2010. All observations and recommendations relate to the situation as of that
date.
Acceptance Status
Priority || # || Yes: # || Yes: % Total || No: # || No: % Total
Very Important || 3 || 3 || 100 || 0 || 0
Important || 5 || 5 || 100 || 0 || 0
Total || 8 || 8 || 100 || 0 || 0
2.3.1.2. EMPL: Control Strategy - Audit and Financial Correction Processes
· Objectives and Scope
The Structural Funds (SF) DGs spend around
one third of the total EC budget annually under shared management. Although the
Member States (MSs) have primary responsibility for implementing effective
internal control systems to prevent or detect and correct irregular and illegal
expenditure, the Commission performs a supervisory role over national systems
and assumes final responsibility for the implementation of the budget.
Therefore, the SFs DGs should have a credible control strategy for
demonstrating that they are seeking reasonable assurance on the effective
functioning of the management and control systems (MCS) in MSs and beneficiary
countries. This audit covered:
· DG EMPL’s own ESF audit strategy and risk-based strategic audit planning for the 2000-2006 and 2007-2013 programming periods;
· the audit units’ quality improvement programme / system for quality control;
· the disclosure of key information (i.e. the key assurance building blocks) supporting the reasonable assurance provided in the declaration of assurance of the 2009 AAR;
· the measures to build up MSs' capacity for installing sound and effective management and control systems.
The objective was to assess:
· whether the audit strategy designed to obtain assurance on the adequate set-up and effective functioning of the management and control systems in the MSs and beneficiary countries is adequate, effectively implemented, regularly monitored and adequately reported on, and is ensuring that corrective measures are taken promptly and proportionately;
· whether the audit units have established a sound quality assurance programme or system for quality control, and/or have taken adequate measures to ensure the continuous quality improvement of the audit function;
· whether the DG has adequately disclosed the level of assurance obtained for shared management in its 2009 AAR,
· whether the DG's measures to build up MS capacity for installing sound and effective management and control systems at managing, certifying and audit authorities are adequate and effective.
In its 2009 AAR, DG EMPL made reservations
in relation to deficiencies in the MCS for ESF Operational Programmes (OP) in a
number of MSs for both the 2000-06 and 2007-13 programming periods (PP) and
which have not been subject to sufficient control and corrective measures by
the national authorities. The fieldwork was finalised in mid October
2010. All observations and recommendations relate to the situation as of that
date.
Acceptance Status
Priority || # || Yes: # || Yes: % Total || No: # || No: % Total
Very Important || 3 || 3 || 100 || 0 || 0
Important || 5 || 5 || 100 || 0 || 0
Total || 8 || 8 || 100 || 0 || 0
2.3.2. Audit strategy – DG EAC
2.3.2.1. EAC: Supervision and monitoring of National Agencies - Lifelong Learning Programme
· Objectives and Scope
The objective of this audit was to assess
the adequacy, effectiveness and efficiency of the internal control system put in place by DG EAC, including primary
controls performed by National Agencies (NAs) and secondary controls by
National Authorities (NAUs). DG EAC implements 72% of its budget through the
Centralised Indirect Management mode (through NAs), 20% through its Executive
Agency (EACEA) and 8% through the Centralised Management mode. The main
programmes during the period 2007-2013 are Lifelong Learning Programme (LLP),
(851 Mio EUR commitments in 2010) and Youth in Action (YiA) (106 Mio EUR
commitments in 2010). Annual financing agreements are signed with each
of the 66 NAs, of which 38 are managing LLP (9 also managing the Youth
programme). These agreements cover both the operating grant (paid as a lump
sum) and decentralized grants (subject to the transfer of Community funds into
NAs accounts). Based on a risk analysis, the audit focused
mainly on the LLP, which covers Directorate R of DG EAC and the operational
units involved (Dir B, C). The auditors reviewed the implementation,
monitoring/supervision and support processes at both DG EAC and NAU/NA levels. The IAS visited three NAUs and NAs in
Turkey, Hungary and Finland, due to the materiality of their budget and the
supervisory and audit work carried out by DG EAC and the European Court of
Auditors in NAUs/NAs. In addition, 7 NAs and NAUs were also surveyed to assess
the systematic nature of the audit findings, of which 5 replied on time. The areas excluded
from the scope of this audit are detailed in section 2.1.1 of the report. No reservation/observation was made
regarding the management of the programmes by the NAs in DG EAC's 2009 AAR.
However, the 2009 AAR referred to:
· A partial assurance on the following NAs and NAUs: Ireland (LLP and YiA), Greece (YiA), Spain (LLP and YiA), Hungary (YiA), The Netherlands (LLP), Portugal (LLP), Sweden (LLP, YiA), Norway (YiA), (applying an error rate of 5%).
· The lack of assurance for NA and NAUs of Bulgaria (LLP), Malta (LLP, YiA) and Cyprus (YiA) (applying an error rate of 20%). The programme for Cyprus has been suspended as from 6/02/2009 (LLP, YiA).
This audit was conducted in conformance with the
International Standards for the Professional Practice of Internal Auditing. The audit fieldwork was finalised in
mid-September 2010. All observations and recommendations relate to the
situation as of that date.
Acceptance Status
Priority || # || Yes: # || Yes: % Total || No: # || No: % Total
Very Important || 2 || 2 || 100 || 0 || 0
Important || 3 || 3 || 100 || 0 || 0
Total || 5 || 5 || 100 || 0 || 0
2.3.3. Development aid – DG AIDCO and DG ELARG
2.3.3.1. AIDCO: Management of Thematic Budget lines
· Objectives and Scope
The objective of this audit was to assess (i)
the adequacy, effectiveness and efficiency of the internal control system put
in place by DG AIDCO for the management of the Thematic Budget Lines, and (ii) compliance with the Commission rules
and DG AIDCO internal procedures. Based on a risk analysis
and taking into account audit coverage achieved in the past, this audit focused mainly on the thematic operations
in place since 2007, and related to the EIDHR
(European Initiative for Democracy and Human Rights) instrument and the food security
programme managed by DG AIDCO Directorate F and the geographical units
concerned (Asia, Latin America and ACP). In this context, the auditors reviewed
all the processes related to the management of both global (managed by HQ) and
local (managed by EU Delegations) Calls for Proposals (CfP), and the implementation
and monitoring/supervision of the thematic
operations. Horizontal and support processes like programming activities
and human resources were also part of the scope. The audit was complemented by
the second follow-up audit on "NGOs funding by DG AIDCO" which
is the subject of a separate report (final report issued on 28 May 2010). The IAS visited three EU Delegations, Thailand
and its regionalised Delegations, Sierra Leone, and Nicaragua and its
regionalised Delegations, chosen on the basis of the materiality of their
budget and thematic operations and other risk factors. In addition, 19
Delegations were surveyed through a questionnaire to corroborate the audit
findings, of which 17 Delegations replied. Areas
excluded from the scope of this audit are detailed in section 2.1.1 of
the report. The audit fieldwork was finalised at the end of
April 2010. All observations and recommendations relate to the situation as of
that date. There are no observations/reservations in the
2009 AAR that relate to the area/process audited. This audit was conducted in conformance with the
International Standards for the Professional Practice of Internal Auditing.
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Very Important || 6 || 6 || 100 || 0 || 0
Important || 5 || 5 || 100 || 0 || 0
Total || 11 || 11 || 100 || 0 || 0
2.3.3.2. AIDCO: Financial management of Programme Estimates funded by the EDF and EU Budget
· Objectives and Scope
Programme Estimates (PE) is the instrument
applied by DG AIDCO to implement programmes under decentralised management
mode. The scope of the audit included PE contracts signed after 1 January 2007
following the publication of the PE guide issued by DG AIDCO. Based on CRIS data covering contracts
signed from January 2007 to June 2010, PE imprest commitments totalled € 1.465
Mio, of which € 1.134 Mio were financed by the EDF and € 331 Mio by the EU
Budget. The objective of this audit was to assess
the compliance, effectiveness and efficiency of DG AIDCO's procedures and
controls over Programme Estimates (PE) in order to ensure that they are in the
context of a control strategy that is able to provide assurance to the Director
General when signing off the Annual Activity Report (AAR). The audit fieldwork was conducted in DG
AIDCO's HQ and the EU Delegations to Democratic Republic of Congo (DRC) and
Malawi. In addition, 9 other EU Delegations (EUDs) were surveyed through a
questionnaire prepared by the audit team for this particular engagement. The
audit methodology is further described in Annex 1. The areas excluded from the
scope of this audit are detailed in section 2.1.1 of this report. No reservation/observation was made
regarding the management of programmes through the PE instrument in DG AIDCO's
2009 AAR. The audit fieldwork was finalised on 12
November 2010. All observations and recommendations relate to the situation as
of that date.
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Very Important || 6 || 6 || 100 || 0 || 0
Important || 7 || 7 || 100 || 0 || 0
Total || 13 || 13 || 100 || 0 || 0
2.3.3.3. ELARG: Public procurement under IPA
· Objectives and Scope
The objective of the audit was to assess
the internal control system related to the procurement procedures under IPA. In
particular, the audit assessed whether the internal control system provides reasonable assurance regarding compliance
with applicable rules and regulations, and the effectiveness and
efficiency of the procurement process under centralised deconcentrated and decentralised management modes. The scope of this audit
included the following sub-processes:
· Appropriateness of and compliance with Financial Circuits.
· Appropriateness of and compliance with the procurement and contracts checklists.
· Adequate procurement portfolio and individual contract monitoring.
· Reporting from Delegations to HQ and supervision and supporting actions taken by HQ with regard to Delegations.
· The legality and regularity of the procurement procedure under deconcentrated centralised management (AOsD to "sign") or under decentralised management mode (AOsD to "endorse") and its compliance with the Commission Decision on conferral of management of powers (ex-ante verification by the Delegation of the procurement procedure applied by the beneficiary country).
The audit covered the procurement activities
carried out by the seven EU Delegations and one Office in candidate [4]
and potential candidate countries. These EU Delegations and Office were
responsible for contracting and/or endorsing 67% of the commitments
(procurement and grants) executed by DG ELARG in 2009. The IAS visited the European Delegation Liaison
Office to Kosovo during the preliminary survey and two EU Delegations during
the fieldwork (fYROM and Croatia), and
reviewed 21 procurement files and their corresponding contracts. See section
2.1.3 of the full report for details of the selection criteria adopted. Section 2.1.2 of the full report lists the areas excluded
from the scope of the audit. The fieldwork was finalised on 7 May
2010. All observations and recommendations relate to the situation as of that
date.
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Very Important || 1 || 1 || 100 || 0 || 0
Important || 6 || 6 || 100 || 0 || 0
Total || 7 || 7 || 100 || 0 || 0
2.3.3.4. ELARG: Financial management of IPA grants
· Objectives and Scope
The objective of the audit was to assess
the compliance, effectiveness and efficiency of DG ELARG's procedures and
controls over grants financed by IPA and managed under centralised (CD) and
joint (JO) management modes. The audit focused on the use of checklists,
respect of financial circuits and rules for monitoring, reporting, and supervision,
with particular attention to the initial phases of the project cycle, i.e.
programming, selection and award procedures of grants. The scope of this audit
included the following sub-processes:
· Review of programming activities for centrally managed projects;
· Review of the selection and award procedures applied by DG ELARG: Decisions on award procedures to be applied, analysis of Call for Proposals (CfP) managed at HQ level, appropriateness of and compliance with Financial Circuits, appropriateness of and compliance with checklists;
· Adequate monitoring and supervision activities performed at HQ on IPA grants: Proper portfolio monitoring and reporting procedures on grant contracts;
· Compliance with applicable rules and regulations;
· Quality of data provided by DG ELARG, e.g. through adequate encoding of information in CRIS.
The reference period covered by the audit
included contracts concluded as from 2007, managed centrally at HQ level. The
main focus of the audit was on the review of contracts implemented through CD
and JO management modes related to regional and horizontal programmes
(Multi-Beneficiary Programmes (MBP)). Section 2.1.2 of the full report lists the areas excluded
from the scope of the audit. No observation/reservation was included in the
2009 Annual Activity Report (AAR) that specifically relates to the processes
audited. The fieldwork was finalised on 8
October 2010. All observations and recommendations relate to the situation as
of that date. This audit was conducted in conformance with the
International Standards for the Professional Practice of Internal Auditing.
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Very Important || 2 || 2 || 100 || 0 || 0
Important || 6 || 6 || 100 || 0 || 0
Total || 8 || 8 || 100 || 0 || 0
2.3.4. Joint Sickness Insurance Scheme (JSIS) as managed by the PMO
· Objectives and Scope
The objective of the audit was to assess the
effectiveness and efficiency of the internal control system put in place by PMO
regarding the management of the Joint Sickness Insurance Scheme (JSIS). The audit focused on:
· the efficiency and effectiveness of the internal organisation and the internal control environment of PMO's management of the JSIS;
· the existence and effectiveness of PMO's control strategy of the JSIS, including the strategy to prevent and detect fraud.
The audit also included a review of PMO's:
· strategic approach of the JSIS in order to ensure that it provides sickness insurance to its members in the most economical, efficient and effective manner while taking into account the challenges presented by the current environment;
· approach taken to ensure the financial health of the JSIS.
There are no
observations/reservations in the 2009 AAR that relate to the area/process
audited. The fieldwork was finalised on 22 October 2010.
All observations and recommendations relate to the situation as of that date.
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Critical || 2 || 2 || 100 || 0 || 0
Very Important || 5 || 5 || 100 || 0 || 0
Important || 2 || 2 || 100 || 0 || 0
Total || 9 || 9 || 100 || 0 || 0
2.4. Compliance with payment deadlines
2.4.1. BUDG: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)
· Objectives and Scope
Commission
Services are required to comply with the time limits established in the
Financial Regulation or in the specific contract or agreement for processing
payments. Non-compliance with legal payment deadlines results in beneficiaries
being entitled to late payment interest. Commission
Communication SEC(2009)477 on "Streamlining financial rules and
accelerating budget implementation" requires DGs to accelerate the
payment process and to comply with shorter report approval and payment
deadlines (known as "Target deadlines") as one of the measures to
improve budget implementation and help the economic recovery. Subsequent to the
adoption of this Communication, and due to the particular attention being paid
by the Ombudsman and the European Parliament to the Commission’s late payments, DGs have been requested to strengthen the
payment process in order to comply with both legal and target deadlines. The overall
objective of this audit was to assess compliance with the rules and
regulations, and guidance and instructions related to the payment deadlines
process and the adequacy and effectiveness of the process in place in the
Commission to comply with the time limit to pay. In particular, the audit
assessed the support provided by DG BUDG to operational DGs, the internal
control system implemented in Operational DGs to process payments within the
set deadlines, and the monitoring and reporting systems in place at both
central and DG level. The scope of
the audit, conducted in DG BUDG (in its central role) and in a sample of
operational DGs (DG ECHO, DG MOVE, DG ENER and DG AIDCO), covered the
processing of payment transactions (pre-financing, interim and final) under
centralised management as well as the monitoring and reporting activities
implemented both in Operational and
horizontal DGs. The use of central and local IT systems was also covered by
the audit. This overview report takes into account the results of the validation
of RTD's local system undertaken by
DG BUDG between December 2009 and April 2010 in order to enable the Accounting
Officer of the Commission to discharge his responsibilities as defined in Article 61 of the Financial Regulation. The IAS
notes that a number of issues raised in the final report on compliance
with payments deadlines, such as the suspension of payment deadlines, the time
required to record cost claims and make payments, and the quality of the information recorded in ABAC (invoice dates,
EC reception dates) are similar to those identified in the operational
DGs audited by the IAS. The fieldwork was
finalised in September 2010. All observations and recommendations relate to the
situation as of that date.
Recommendations issued in the consolidated report (including lessons learned)
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Very Important || 7 || 7 || 100 || 0 || 0
Important || 5 || 5 || 100 || 0 || 0
Desirable || 0 || 0 || 100 || 0 || 0
Total || 12 || 12 || 100 || 0 || 0
Recommendations addressed to DG BUDG (from consolidated report and DG BUDG’s annex)
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Very Important || 5 || 5 || 100 || 0 || 0
Important || 8 || 8 || 100 || 0 || 0
Desirable || 1 || 1 || 100 || 0 || 0
Total || 14 || 14 || 100 || 0 || 0
2.4.2. ENER: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)
See point 2.6.1.
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Very Important || 5 || 5 || 100 || 0 || 0
Important || 4 || 3 || 75 || 1 || 25
Total || 9 || 8 || 89 || 1 || 11
2.4.3. MOVE: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)
See point 2.6.1
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Very Important || 5 || 5 || 100 || 0 || 0
Important || 4 || 3 || 75 || 1 || 25
Total || 9 || 8 || 89 || 1 || 11
2.4.4. AIDCO: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)
See point 2.6.1
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Very Important || 7 || 7 || 100 || 0 || 0
Important || 4 || 4 || 100 || 0 || 0
Total || 11 || 11 || 100 || 0 || 0
2.4.5. ECHO: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)
See point 2.6.1
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Very Important || 2 || 2 || 100 || 0 || 0
Important || 5 || 5 || 100 || 0 || 0
Total || 7 || 7 || 100 || 0 || 0
2.5. Other audits
2.5.1. Legal Service: Handling of sensitive information
· Objectives and Scope
The mission of
the Legal Service (LS) is "to assist the Commission in its tasks, in
particular to ensure that the provisions of the Treaties and other measures
taken by the institutions are interpreted and applied in accordance with the
law. For this purpose, it will give legal
advice, defend the interests of the Commission and of the Union before the courts,
the national or international tribunals and other dispute settlement bodies,
and strive to assure the highest quality, coherence and development of Union
legislation". In performing
their tasks, staff in the LS handle on a daily basis sensitive information
provided by individuals, business undertakings (business secrets and market
sensitive information), International Organisations, Member States and Third
Countries, Courts and Tribunals, other Commission services or produced
internally. Some information can also be classified
pursuant to the Commission's rules on security, often at the level RESTRICTED
EU. In this respect, activities of the LS entail potentially high legal,
financial and reputational risks related to possible breaches of
confidentiality. The objective
of the present audit was to assess the adequacy and the effectiveness of the
internal control system of LS in ensuring the confidentiality of sensitive
information. The scope of
the audit covered litigation and legal advice activities (therefore excluding
infringements and quality of legislation), as well as administrative support
and selected aspects of legal coordination. The audit focused
on horizontal, service-wide processes as well as on the implementation of
internal controls in a sample of Legal Teams. The following
processes were excluded:
· Public access to Commission documents as defined by Regulation (EC) 1049/2001;
· IT systems, with the exception of the management of access rights.
There are no
observations/reservations in the 2009 AAR that relate to the area/process
audited. The fieldwork was finalised on 30 July
2010. All observations and recommendations relate to the situation as of that
date.
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Very Important || 7 || 7 || 100 || 0 || 0
Important || 6 || 6 || 100 || 0 || 0
Total || 13 || 13 || 100 || 0 || 0
2.5.2. Publications Office: Official Journal Production Process as managed by the Publication Office (OP)
· Objectives and Scope
The objective of the audit was to assess the
effectiveness and efficiency of OP's internal control system relating to the OJ
production process. The audit focused on the operational
arrangements put in place to ensure the business continuity of the production
process of the OJ L and C series and TED, and the compliance of the design and
implementation of the financial circuits relating to the OJ production process
with the rules and regulations in force; it also included a review of
performance aspects such as the control of and reporting on the quality of the
production process. The audit did not cover the
proofreading part of the OJ as this will be covered by an audit conducted by the IAC of OP at the end of 2010. There are no
observations/reservations in OP's 2009 Annual Activity Report (AAR) that relate to the area/process audited. The fieldwork was finalised on 30 September
2010. All observations and recommendations relate to the situation as of that
date.
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Very Important || 4 || 4 || 100 || 0 || 0
Important || 1 || 1 || 100 || 0 || 0
Total || 5 || 5 || 100 || 0 || 0
2.5.3. Publications Office, Secretariat General: Management letter to SG - Transmission to PO of sensitive information for publication
· The context
The Author Services transmit all documents for
publication electronically, e.g. via the internal network for the transmission
from the Commission's Secretariat-General, or via FTP through the
TESTA II network for the transmission from the Council's Secretariat-General. According to the Office, approximately 1% of the
500 to 1000 documents (in all languages) that OP receives each month from all
Institutions contains sensitive information that must not be disclosed before
the publication date, e.g. documents on state aid, antidumping documents from
DG TRADE, merger-related information from DG COMP, and decisions on duties from
DG TAXUD. However, no specific measures, such as encryption, are in place to
protect the confidentiality of these documents. At the Commission, documents
containing information that must not be disclosed before publication are
transmitted to OP by the Secretariat-General by email using eGreffe.
Nevertheless, the existing tools for the secure transmission of sensitive documents
(e.g. SECEM - SECure Email Commission internal) are not used for this purpose.
2.5.4. AGRI: Interventions in Agricultural Markets (focused on Milk and Milk products)
· Objectives and Scope
The objective of the audit was to assess the
effectiveness and efficiency of the internal control
systems put in place by DG AGRI regarding the management and audit of market measures
for milk and milk products. The audit focused on:
· the effective organisation of DG AGRI's management of market measures
· compliance by DG AGRI with regulations and procedures in the Milk sector
· the effectiveness of the management of the crisis in the dairy market
· the audit by DG AGRI of market measures.
There are no
observations/reservations in the 2009 AAR that relate to the area/process
audited. The fieldwork was finalised on 3 June 2010.
All observations and recommendations relate to the situation as of that date.
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Very Important || 2 || 2 || 100 || 0 || 0
Important || 3 || 3 || 100 || 0 || 0
Desirable || 1 || 1 || 100 || 0 || 0
Total || 6 || 6 || 100 || 0 || 0
2.5.5. OIB: Activities of OIB.OS3 Social Infrastructure ISPRA
· Objectives and Scope
The objective of the audit was to
assess the effectiveness and efficiency of the internal control system put in
place for the activities managed by the Social Infrastructures Unit in ISPRA (OIB.OS3) following its transfer from the JRC to
OIB on 1st March 2009. The audit focused on the
implementation of the financial circuits, the financial management of revenue,
procurement procedures managed by the Unit, financial reporting and ex-post controls. It also addressed the adequacy of the
coordination within the Unit, with JRC and with OIB headquarters in
Brussels as well as human resources aspects, mainly job descriptions, sensitive
functions and training. There are no observations and/or
reservations in the 2009 AAR, which relate to the process audited. The fieldwork was finalised on 27
May 2010. All observations and recommendations relate to the situation as of that
date.
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Very Important || 3 || 3 || 100 || 0 || 0
Important || 4 || 4 || 100 || 0 || 0
Total || 7 || 7 || 100 || 0 || 0
2.5.6. PMO: Activities of PMO/6 ISPRA
· Objectives and Scope
The objective of the audit was to
assess the effectiveness and efficiency of the monitoring and control systems put
in place by PMO/6-ISPRA for the remuneration process (establishment of rights
and payments). The audit focused on the design and the
implementation of the financial circuits and procedures related to the
determination and payment of individual rights of active staff managed by PMO/6-ISPRA and, in particular, newly
recruited or transferred staff. The Joint Sickness
Insurance Scheme (Settlements Office in Ispra), although managed by PMO/6-ISPRA, was excluded from the scope of the
audit as the monitoring and supervision is performed by PMO/3, the central
office in Brussels. The IAC of DG HR carried
out an audit on a selection of procedures of the Joint Sickness Insurance
Scheme in 2007. The IAS has planned an audit of the Joint Sickness Insurance
Scheme for 2010. The IAS is currently conducting an IT audit on
the NAP application, addressing IT security, project management and the
governance set-up. There are no observations/reservations in PMO's
2009 Annual Activity Report (AAR), which relate to the area/process audited. The fieldwork was finalised on 23 April
2010. All observations and recommendations relate to the situation as of that
date.
Acceptance Status
Priority || # || Yes (#) || Yes (% Total) || No (#) || No (% Total)
Very Important || 2 || 2 || 100 || 0 || 0
Important || 1 || 1 || 100 || 0 || 0
Total || 3 || 3 || 100 || 0 || 0
2.5.7. JRC: Management letter on JRC Grant holders
· The context
There are three main types of non-statutory staff financed by the JRC:
· research fellows (known as grantholders) employed under national law employment contracts;
· seconded national experts or SNEs; and
· trainees.
According to the
JRC, in the past staff were recruited under national law employment contracts
as research fellows or "grantholders". This practice was abandoned in
all JRC sites in 2006 except in ITU (Karlsruhe) and IPTS (Seville). The reason
was primarily linked
to the disparate treatment of grantholders across the JRC sites due to
differences in national legislation
relating to, for example, salaries, social security contributions and individual rights. Treating grantholders with the
same obligations and work environment differently, depending on their
nationality and the site on which they are employed, created discontent and uncertainty among the grantholder population. According to JRC, the introduction
of the Contract Agent system did not provide an immediate solution to the needs of the JRC in delivering its Work
Programme objectives and satisfying the obligations imposed by Article 4
of the Euratom Treaty (training element), in terms of quick access to the job
market, talent spread, and a simple and competitive
selection and recruitment procedure. According to JRC, ensuring diversity in terms of nationality was also critical, in
particular for those countries contributing to the overall budget of the
Seventh Framework Programme (Switzerland, Israel, Norway, Iceland, Liechtenstein, Turkey, Croatia, the
Former Yugoslav Republic of Macedonia, Serbia, Albania, Montenegro and
Bosnia & Herzegovina). In October
2007, in view of the urgent need to use such scientific expertise, the Director-General of the JRC decided, after a verbal
consultation with the Director-General of Personnel and Administration, to
re-instate the use of grantholder contracts on the basis of national law in Ispra, Geel and Petten (where
this practice had been abandoned). The grantholder scheme was officially
reintroduced by Mr. Schenkel in a note to JRC Directors on 21 February 2008.
3. Follow-up audits (if not in the above categories)
In addition to the follow-up audits carried
out by the IAS, the latter also regularly reports to the APC on the state of
play regarding implementation of IAS audit recommendations (see Table 1):
3.1. PMO: Follow-up on Controls over Payment of Pensions
Based on the results of the follow-up audit
all the recommendations resulting from the original audit have been adequately
implemented and risks mitigated. However, there is still room for further
improvement and the IAS specifically invited PMO to consider one point for
attention. The IAS notes the progress made by PMO in
the area of controls, following the results of its own audits.
3.2. BUDG: Second Follow-up on ABAC – Implementation of accrual based accounting
Based on a desk review of supporting
documents provided by DG BUDG the IAS assessed that
all the remaining open recommendations have been adequately implemented and
risks mitigated. As a result, the IAS has closed them. No recommendation resulting from the original audit remains open.
3.3. COMP: Follow-up on Recoveries of fines
Based on a desk review of supporting
documents provided by DG COMP the IAS assessed that
all the remaining open recommendations have been adequately implemented and
risks mitigated. As a result, the IAS has closed them. No recommendation resulting from the original audit remains open.
3.4. ELARG: Follow-up on Readiness Assessment/Phasing in of Delegations in Balkans
Based on the results of the follow-up
audit, the IAS assessed that all the recommendations addressed to DG ELARG that
resulted from the audit "Readiness assessment/Phasing-in of Delegations in
Balkans" have been adequately and effectively implemented, except for one
recommendation. However, as the actions to be taken to
implement this recommendation are
also included in the IAS audit report on "Closure
process of pre-IPA instruments" under Recommendation n° 4, the IAS proposed to
close this recommendation in this audit engagement and ensure its follow up in
the context of the above mentioned audit.
3.5. OIL: Follow-up on the Management of the Procurement Contracts
Based on the results of the follow-up audit, the IAS
assessed that all the recommendations addressed to OIL that resulted from the
audit "Management of the Procurement Contract" have been adequately
and effectively implemented, except for four recommendations.
3.6. PMO: Second Follow-up on Regularity of financial management and Implementation of financial circuits
Based on the results of the follow-up
audit, the IAS assessed that globally the recommendations resulting from the
original audit have been adequately implemented and risks mitigated, although
in some cases there is still room for improvement. The IAS would specifically
like to invite PMO to consider five points for attention. Accordingly, the IAS will close all
recommendations. The IAS notes the progress made by PMO in
the area of controls, following its own and ECA's audit recommendations. The
IAS also notes the positive development of the complex IT system for rights at
the corporate level (replacing IRIS), which was based on the professional
cooperation between PMO and DIGIT.
3.7. JLS: Follow-up on Grants under Shared management of the European Refugee Fund
In October and November 2010, the IAS
conducted a first follow-up audit assessing how the DG implemented the
recommendations. 12 recommendations were assessed as having
been adequately implemented and have been closed. Two recommendations have been
assessed as partially implemented. One recommendation has not been
implemented. Following a reflection, DG JLS (now HOME) has considered that
their risks of conflict of interest were limited and it decided to retain these
activities in one section for efficiency reasons. Consequently, the
recommendation will not be implemented. One recommendation was still
"open" at the time of the follow-up and was therefore not reviewed
(expected completion date 31/12/2010). It was sent for review on
14/12/2010, after the end of the fieldwork (09/12/2010). It will
be included in the 2nd follow-up.
3.8. HR: Second follow-up on Review of DG ADMIN Human Resource Management Phase 1
Based on the results of the follow-up
audit, all the recommendations addressed to DG ADMIN that resulted from the
Review of DG ADMIN Human Resource Management Phase 1 have been adequately and
effectively implemented.
3.9. OP: Follow-up on Procurement in the Publication Office
Based on the results of the follow-up
audit, the IAS assessed that all the recommendations addressed to the
Publication Office that resulted from the audit Procurement in the Publication
Office have been adequately and effectively implemented. However, as regards
the implementation of the procedure "Comité d'évaluation", the
evidence provided was not fully satisfactory, as the individual evaluation
sheets were neither formalised nor signed by each member. Therefore, the IAS invited
OP to supervise the implementation of this procedure more closely.
3.10. AIDCO: Follow-up on ex post control activities
Based on the results of the follow-up
audit, the IAS assessed that all the recommendations addressed to DG AIDCO that
resulted from the audit on ex post control activities have been adequately and
effectively implemented, except for one recommendation, where the IAS considered
that the assessment of the results of the key control layers and their impact
on the coverage/contribution to the consolidated assurance should be completed.
3.11. HR: Follow-up on Review of DG ADMIN Human Resource Management - Phase II
The assessment of the state of
implementation was based on a desk review of evidence provided in Issue Track,
interviews and additional information provided by DG HR during the follow-up
audit. Based on the results of the follow-up audit, the IAS assessed that all
the recommendations addressed to DG HR that resulted from the Limited Review DG
ADMIN Human Resource Management - Phase II have been adequately and effectively
implemented, except for one recommendation, which will be reassessed when the
strategy on absenteeism has been adopted.
3.12. HR: Second Follow-up on Validation of Self-assessment of IAC of DG ADMIN
In line with the IAS 2010 audit plan, a
second follow-up of the IAS Validation of Self-Assessment of IAC of DG ADMIN
(IAS-2006-ADMIN-001) has been performed in DG HR. The objective of this engagement was to
assess the progress made in implementing the remaining accepted recommendations
addressed to DG HR (formerly DG ADMIN) following the first follow-up of the
validation finalised in May 2008 (IAS-2008-ADMIN-001). This follow-up does not result in a
re-assessment of the adequacy of controls as a whole but focuses on the
specific recommendations in the original engagement. It was carried out in
accordance with the IAS methodological guidelines. The assessment of the state of
implementation was based on a desk review of evidence provided in Issue Track.
Based on the results of the follow-up, the IAS assessed that all the
recommendations addressed to DG HR, that resulted from the IAS Validation of
Self-Assessment of the IAC of DG ADMIN, could be closed.
3.13. OIB: Second Follow-up audit on Evaluation of targeted Internal Control Standards
The assessment of the state of
implementation was based on a desk review of evidence provided in "IssueTrack"
and additional information requested by the auditors. Based on the results of
this desk review, the IAS assessed that the two recommendations which remained
outstanding after the first IAS follow-up audit can be closed. The
implementation of the recommendation relating to the former ICS 17 –
Supervision (Very Important) will be examined and tested in the context of the
follow-up of the OIB procurement audit, scheduled for 2011, and in particular
its recommendation n° 5 "Ex post controls". The recommendation on the
former ICS 15 – Documentation of procedures (Important) is assessed as
implemented in view of the progress made to date.
3.14. REGIO: Follow-up audit on internal control system for managing the new Structural Funds programming period – Phase I
The objective of the follow-up engagement,
which has been undertaken on a desk review basis only, was to assess the
progress made in implementing the accepted 2 issues for consideration and 2
very important recommendations that resulted from the audit carried out in
2008. The assessment, which has been undertaken
in line with IAS methodological guidelines, takes into account the state of
implementation as reported by your DG in the Issue Track reporting tool and
other documentary evidence obtained. Based on the results of the desk review of
the progress made as regards the two recommendations, the IAS considers they
can be closed. However, given the ongoing nature of the actions to be taken to
address the concerns raised in the two issues for consideration (in relation to
the next programming period), the IAS considers they remain open for the
moment, but should be implemented in due course and reported accordingly in
Issue Track. However, issues for consideration are not included as part of the
IAS's twice yearly reporting to APC on the state of play of implementation of
audit recommendations.
3.15.
EMPL: Follow-up audit on internal control system
for managing the new Structural Funds programming period – Phase I
The objective of the follow-up engagement,
which has been undertaken on a desk review basis only, was to assess the
progress made in implementing the accepted 2 issues for consideration and 2
very important recommendations that resulted from the audit carried out in
2008. The assessment, which has been undertaken
in line with IAS methodological guidelines, took into account the state of
implementation as reported by your DG in the Issue Track reporting tool and
other documentary evidence obtained. Based on the results of the desk review of
the progress made as regards the two recommendations, the IAS considers they
can be closed. However, given the ongoing nature of the actions to be taken to
address the concerns raised in the two issues for consideration (in relation to
the next programming period), the IAS considers they remain open for the
moment, but should be implemented in due course and reported accordingly in
Issue Track. However, issues for consideration are not included as part of the
IAS's twice yearly reporting to APC on the state of play of implementation of
audit recommendations.
3.16.
ESTAT: Follow-up audit on IAS and IAC Joint
Audit on ESTAT Grant Awarding process 2008-2009
Based on the results of the follow-up
audit, the IAS assessed that all the recommendations addressed to DG ESTAT that
resulted from the above-mentioned audit have been adequately and effectively
implemented, except for one recommendation. However, the IAS agreed to close this
recommendation since the residual risk involved is considered as low.
3.17.
TRADE: Second Follow-up audit on selected ICS
Based on the results of the second
follow-up audit, all the recommendations addressed to DG TRADE that resulted
from the 2007 Audit on Implementation of selected Internal Control Standards
have been adequately and effectively implemented.
3.18.
JLS: Follow-up audit on IT Procurement
Based on the results of the follow-up
audit, the IAS assessed that all the recommendations addressed to DG HOME and
DG JUSTICE that resulted from the above-mentioned audit have been adequately
and effectively implemented. However, the IAS noted that a negotiated
procedure was applied for three procurement contracts concluded in 2010, each
with an individual value of more than 1 Mio€ (amounting to more than 7 Mio€ in
total), with the same supplier. In the light of IAS' previous audits in
this area, DG HOME was invited to carefully manage the risks of potential
concentration of outsourced activities and technical captivity.
3.19.
ENTR: Follow-up audit on Monitoring the
implementation of EU law
· Objectives and Scope
The objective of the follow-up engagement
was to assess progress made in implementing the accepted recommendations that
resulted from the audit on monitoring the implementation of EU law carried
out between June and November 2006 (Final Report dated 5 December 2006).
This follow-up audit did not result in an
assessment of the adequacy of controls as a whole but focused on the specific
recommendations in the original audit.
· Audit Methodology
This follow-up engagement was carried out
in accordance with the annual work plan of the IAS for 2009 and IAS
methodological guidelines. In assessing the status of the original audit
recommendations, this follow-up audit focused on those recommendations that
were rated "Very important" (there were no critical recommendations
made in the original report). The audit procedures consisted of:
· reviewing the uploaded evidence in "IssueTrack";
· interviewing the responsible officers for the
implementation of the recommendations, and
· reviewing the additional evidence received.
Recommendations originally rated as being
"Important" have been assessed through desk reviews and interviews.
When making the assessment on the
implementation of recommendations, the IAS took into consideration their
implementation status as reported by the auditee through AMS-Issue Track.
3.20.
SG: Follow-up audit on SG consolidated report -
Monitoring the implementation of EU law
· Objectives and Scope
The objective of this follow-up engagement was
to assess progress made in implementing the accepted recommendations that
resulted from the audit on Monitoring the implementation of EU law (consolidated
report) carried out between September and December 2006 (Final Report dated 22
December 2006).
This follow-up audit did not result in an
assessment of the adequacy of controls as a whole but focused on the specific
recommendations in the original audit.
· Audit Methodology
This follow-up engagement was carried out
in accordance with the annual work plan of the IAS for 2010 and IAS
methodological guidelines. In assessing the status of the original
audit recommendations, this follow-up audit focused on those recommendations
that were rated "very important" (there were no critical
recommendations in the original report). The audit procedures consisted in:
· reviewing the uploaded evidence in "IssueTrack";
· interviewing the responsible officers for the
implementation of the recommendations, and
· reviewing the additional evidence received.
Recommendations originally rated as being
"Important" have been assessed through desk reviews and interviews.
When making the assessment on the
implementation of recommendations, the IAS took into consideration their
implementation status as reported by the auditee through "AMS-IssueTrack".
3.21.
ENV: Follow-up audit on Monitoring the
implementation of EU law
· Objectives and Scope
The objective of the follow-up engagement
was to assess progress made in implementing the accepted recommendations that
resulted from the audit on Monitoring the Implementation of EU law carried
out between September and December 2006 (Final Report dated 22 January 2007).
This follow-up audit did not result in a
re-assessment of the adequacy of controls as a whole but focused on the
specific recommendations in the original audit.
· Audit Methodology
This follow-up engagement was carried out
in accordance with the annual work plan of the IAS for 2010 and IAS
methodological guidelines. In assessing the status of the original
audit recommendations, this follow-up audit focused on those recommendations
that were rated "Critical" and "Very important". The audit
procedures consisted of:
· reviewing the uploaded evidence in Issue Track;
· testing the mitigating actions taken by DG ENV
for the Critical recommendations;
· interviewing the responsible officers for the
implementation of the Critical and Very Important recommendations, and
· reviewing the additional evidence received.
Recommendations originally rated as
"Important" or "Desirable" were assessed through desk
reviews and interviews.
When making the assessment on the implementation of recommendations,
the IAS took into consideration their implementation status as reported by the
auditee through AMS-Issue Track.
3.22.
SANCO: Follow-up audit on Grant Management in
the Food safety, Animal Health and welfare and Plant Health Activity
· Objectives and Scope
The objective of the follow-up engagement
was to assess progress made in implementing the accepted recommendations that
resulted from the audit on Grant Management in the Food Safety, Animal
Health and Welfare and Plant Health Activity carried out between September
and December 2008 (Final Report dated 30 January 2009).
This follow-up audit did not result in a
re-assessment of the adequacy of controls as a whole but focused on the
specific recommendations in the original audit.
· Audit Methodology
This follow-up engagement was carried out
in accordance with the annual work plan of the IAS for 2010 and IAS
methodological guidelines. In assessing the status of the original
audit recommendations, this follow-up audit focused on those recommendations
that were rated "Very important" (the original report did not contain
any critical recommendations). The audit procedures consisted in:
· reviewing the uploaded evidence in Issue Track;
· interviewing the responsible officers for the
implementation of the recommendations, and
· reviewing the additional evidence received.
Recommendations originally rated as
"Important" or "Desirable" have been assessed through desk
reviews and interviews.
When making the assessment on the implementation of
recommendations, the IAS took into consideration their implementation status as
reported by the auditee through AMS-Issue Track.
3.23.
AIDCO: Follow-up on Eligibility of Costs under
the Financial and Administrative Framework Agreement with the United Nations
The assessment of the state of implementation
is based on substantive testing of a sample of 12 contracts with UN
Organisations (including both devolved projects managed by EU Delegations and
centralised projects managed by AIDCO HQ), interviews with DG AIDCO and EU
Delegations’ staff, and review of relevant documentation. The IAS fieldwork was
conducted in DG AIDCO’s HQ and the EU Delegations to Thailand, Sierra Leone and
Nicaragua. Based on the results of the follow-up
audit, the IAS assessed that one out of the four recommendations addressed to
DG AIDCO has been adequately and effectively implemented. Further actions are required to ensure the
effective implementation of the other three recommendations:
3.24.
AIDCO: Second Follow-up audit on NGOs Funding
The objective of this engagement was to
re-assess the progress made in implementing the remaining accepted
recommendations addressed to DG AIDCO following the first follow-up of the
audit on "NGOs funding in DG AIDCO" carried out in 2007. This second follow-up audit did not result
in a re-assessment of the adequacy of controls as a whole but focused on the
specific recommendations in the original audit. It was carried out in
accordance with the IAS methodological guidelines. The implementation status was assessed
through interviews and reviews of evidence provided by you to support the
implementation of the recommendations. Based on the results of the follow-up
audit, the IAS assesses that all eight recommendations can be considered as
implemented, although some specific actions are still outstanding; these are
currently being addressed by the audit on "Management of thematic
budget lines in DG AIDCO".
3.25.
DIGIT: Follow-ups on the IT Governance of the
Commission and on Management Processes of Local IT
A follow up of the seven clusters in which
the thirty outstanding recommendations were grouped was conducted in 2009-2010
in accordance with the IAS methodological guidelines. When analysing the implementation of the
mitigating actions, the IAS took into consideration the implementation status
as reported through AMS-Issue Track, as well as any additional information
provided by the auditee during the engagement. The implementation status was
assessed through a desk review of supporting documents and meetings with key
staff of the DG concerned. The IAS has taken into account the recently created
IT task force, set up by Vice President Šefčovič "in order to
ensure the Commission can continue to exploit the huge potential that
Information Technology (IT) offers for delivering greater efficiency and
improved services". Based on the results of the current
follow-up engagement, the IAS considered that 15 out of the 30 recommendations
have been adequately and effectively implemented. They include all the
recommendations belonging to Cluster 6 - "Training and sensibilisation to
internal control", which has been closed. Concerning the other six
clusters, the implementation of several actions to fully mitigate the
underlying risks is still outstanding.
3.26.
SANCO: Follow-up audit on Large-scale
Information Systems
Based on the results of the follow-up
audit, the IAS considered that all the recommendations addressed to DG Health
and Consumers that resulted from the audit on "Large-scale Information
Systems at DG SANCO" have been adequately and effectively implemented.
3.27.
OIL: Follow-up audit on Internal Control
Standards
· Objectives and Scope
The objective of the follow-up engagement
was to assess progress made in implementing the accepted recommendations that
resulted from the Audit on Evaluation of Targeted Internal Control Standards
carried out in May 2008.
This follow-up audit does not result in an
assessment of the adequacy of controls as a whole but focuses on the specific
recommendations in the original audit.
· Audit Methodology
This follow-up engagement was carried out
in accordance with the annual work plan of the IAS for 2010 and IAS
methodological guidelines. In assessing the status of the original
audit recommendation, the IAS reviewed the implementation status of all the
recommendations made in the original report. Meetings were held with the
officials responsible for the implementation of the specific parts of the
action plan for each recommendation. In addition, a sample of transactions was
tested to verify the effective implementation of the actions taken by OIL for
the very important recommendations, where appropriate. Recommendations
originally rated as "Important" were assessed through desk reviews
and interviews.
When making the assessment on the
implementation of recommendations, the IAS took into consideration their
implementation status as reported by the auditee through AMS-Issue Track.
Based on the results of the follow-up audit
as described in the objectives and scope, the IAS assessed that all
recommendations have been adequately and effectively implemented, with the
exception of three recommendations.
3.28.
REGIO: Follow-up audit of the Review of
financial corrections and recoveries in the Structural Funds area
In line with the 2010 audit plan, the IAS
performed a follow-up of the IAS Review of DG REGIO financial corrections and
recoveries in the Structural Funds area, the report for which was issued on 14 November
2008 (ARES (2008) 46356). The objective of the follow-up engagement,
which has been undertaken on a desk review basis only, was to assess the
progress made in implementing the accepted issues for consideration that
resulted from the review carried out in 2008 (a similar review was carried out
in respect of DG EMPL). The assessment, which has been undertaken
in line with IAS methodological guidelines, takes into account the state of
implementation as reported by your DG in the "IssueTrack" reporting
tool and other documentary evidence obtained. The main focus of the original review was
the progress made at the time by DG REGIO on certain key actions contained in the
Commission's action plan to strengthen its supervisory controls of structural
actions under shared management. Given the ongoing nature of that plan, the IAS
did not provide an audit opinion at the time and it raised issues for
consideration rather than firm recommendations. Based on the results of the
desk review of the progress made as regards those issues, the IAS considers
that for practical purposes, they can be closed, including Issue for
Consideration n° 2 concerning the integrated single IT system and monitoring
arrangements. The monitoring aspects have been addressed, but the IAS recognised
that the timeline and associated business processes for the development of an
integrated system have yet to be developed and that this will not be done in the
immediate future. Therefore, to avoid keeping the complete issue open
indefinitely, the IAS proposed to close it in "IssueTrack", but
monitor developments to the extent relevant in its forthcoming audits.
3.29.
REGIO: Follow-up audit on the Implementation of
Programmes in the New Member States
Based on the results of the follow-up, the
IAS considered that the two recommendations addressed to DG REGIO that resulted
from the audit on the Implementation of Programmes in the New Member States
have been adequately implemented.
3.30.
OP: Final Follow-up audit on In-depth Audit of
OPOCE
The IAS has completed the follow-up of its
audit "In-Depth audit of OPOCE (IAS-2004-OPOCE-001)" in OP. The objective of this engagement was to
assess the progress made in implementing the remaining very important accepted
recommendation addressed to OP (formerly OPOCE) following the first and second
follow-ups of the audit carried out in December 2006 (IAS-2006-OPOCE-001) and
in January 2010 (IAS-2009-OP-001), respectively on "43. Clarification of
Article 3 of the basis OPOCE Regulation (2000/459/EC, ECSC, Euratom)". This follow-up audit did not result in a
re-assessment of the adequacy of controls as a whole but focused on the
specific recommendation in the original audit. It was carried out in accordance
with the IAS methodological guidelines. The assessment of the state of
implementation was based on a desk review of evidence provided by your services
in Issue Track. Based on the results of the follow-up audit, the IAS considered
that recommendation No 43 has been adequately and effectively implemented, as
the Service Level Agreement between OP and OIB was concluded on 29 March 2010.
3.31.
ESTAT: Second Follow-up audit of IT Risk
Analysis audit
Following the first follow up engagement, 6
out of 18 observations1 were considered as implemented. Based on the results of the current
follow-up engagement, the IAS assessed that six more issues, considered by DG
ESTAT as "Ready for review" have been adequately and effectively
implemented. The remaining six issues are assessed as not yet implemented, with
several actions still required to be implemented to fully mitigate the
underlying risks.
3.32.
COMM: Follow-up audits on Audit on Contract
management in the area of communication and Audit on Building Management
The results of the two follow up audits are
as follows:
3.32.1.
Audit on Contract management in the area of
communication
Only one of the five recommendations
included in the original IAS audit was accepted. Based on the results of the
follow-up audit, the IAS assessed that the accepted recommendation addressed to
DG COMM that resulted from the audit carried out in 2006 has been adequately
and effectively implemented.
3.32.2.
Audit on Building Management
The audit on "Building
Management" summarised the results of the mission carried out by the
IAS in Cyprus as contribution to the Asset Management audit performed by DG
COMM's IAC in 2007. The findings and recommendations made by
the IAS were incorporated in the audit report prepared by DG COMM's IAC, who
retains ownership of the report's content. The follow up audit engagement is
planned to be performed in 2011. Taking into account the limited scope of
the IAS original engagement and the follow up engagement of the Asset
Management audit already planned by the IAC in 2011, the IAS carried out a desk
review of the actions taken by DG COMM (and reported in Issue Track) in order
to assess their adequacy. DG COMM's IAC will follow up the assessment of their
effectiveness as part of their 2011 follow-up engagement. Based on the results of the desk review,
the recommendations have been adequately implemented. They will therefore be
closed in Issue Track.
3.33.
ENV: Second Follow-up audit on Grant Management
of non-LIFE programmes
The objective of this engagement was to
assess the progress made in implementing the remaining accepted recommendation
addressed to DG ENV following the first follow-up carried out in early 2009. This follow-up audit did not result in an
assessment of the adequacy of controls as a whole but focused on the specific
recommendations in the original audit. It was carried out in accordance with
the IAS methodological guidelines. The assessment of the state of
implementation was based on a desk review of evidence provided by DG ENV in
Issue Track. Based on the results of the follow-up
audit, the IAS considered that all the recommendations addressed to DG ENV that
resulted from the audit on Grant Management of non-LIFE programmes have
been adequately and effectively implemented.
3.34.
AGRI: Follow-up audit on Interventions in
Agricultural Markets
· Objectives and Scope
The objective of the follow-up engagement
was to assess progress made in implementing the accepted recommendations that
resulted from the audit on Interventions in Agricultural Markets carried out in
2007.
This follow-up audit did not result in an
assessment of the adequacy of controls as a whole but focused on the specific
recommendations in the original audit.
· Audit Methodology
This follow-up engagement was carried out
in accordance with the annual work plan of the Internal Audit Service (IAS) for
2009 and IAS methodological guidelines. In assessing the status of the original
audit recommendations, this follow-up audit focused on the one recommendation
that was rated "Very important". The methodology for the assessment of the
implementation of this recommendation (No 1) consisted of a review of a sample
of recent proposal notes for the setting up of export refunds as well as the
related supporting documents and applicable guidelines. Recommendations
originally rated as "Important" were assessed through desk reviews and
interviews.
When making the assessment on the
implementation of recommendations, the IAS took into consideration their
implementation status as reported by the auditee through AMS-Issue Track.
Based on the results of the follow-up audit
as described in the objectives and scope, the IAS assessed that all
recommendations have been adequately and effectively implemented, with the
exception of one recommendation.
3.35.
PMO: Follow up audit on Missions as managed by
PMO
· Objectives and Scope
The objective of the follow-up engagement
was to assess progress made in implementing the accepted recommendations that
resulted from the "IAS Audit on Missions as managed by the PMO" carried
out in 2008 (final report dated 11 July 2008).
This follow-up audit did not result in an
assessment of the adequacy of controls as a whole but focused on the specific
recommendations in the original audit.
· Audit Methodology
This follow-up engagement was carried out
in accordance with the annual work plan of the IAS for 2009 and IAS
methodological guidelines.
In assessing the implementation status of
the original audit recommendations, this follow-up audit focussed on the two
recommendations that were rated "Very Important". The approach taken
consisted of examining and assessing the relevant documentation intended to
support the implementation of the Action Plan, conducting interviews to clarify
any outstanding issues, obtaining additional documentation/information needed
and conducting limited substantive testing where appropriate.
In addition, a sample of 24 missions was
randomly selected, with 12 missions "paid for by organisers" and 12
with "derogation for hotels". The selection was based on the types of
errors found during the original audit. The objective of the testing was to
review compliance with the rules of the "Guide to Missions", which
was adopted by Commission Decision C(2008)6215 dated 18 November 2008 and which
entered into force on 1 January 2009.
When making the assessment on the implementation
of the recommendations, the IAS took into consideration their implementation
status as reported by the auditee through the AMS "Issue Track"
follow-up tool. PMO had reported all eight recommendations as "ready for
review" as at the date of the follow-up audit.
3.36.
EMPL: Follow up audit of the Review of
financial corrections and recoveries in the Structural Funds area
In line with the 2010 audit plan, the IAS
has performed a follow-up of the IAS Review of DG EMPL financial corrections
and recoveries in the Structural Funds area, the final report for which was issued
on 14 November 2008 (ARES (2008) 46350). The objective of the follow-up engagement,
which has been undertaken on a desk review basis only, was to assess the
progress made in implementing the accepted issues for consideration that
resulted from the review carried out in 2008 (a similar review was carried out
in respect of DG REGIO and is also currently subject to IAS follow up). The assessment, which has been undertaken
in line with IAS methodological guidelines, took into account the state of
implementation as reported by your DG in the "IssueTrack" reporting
tool and other documentary evidence obtained. The main focus of the original review was
on the progress made at the time by DG EMPL on certain key actions contained in
the Commission's action plan to strengthen its supervisory controls under
shared management of structural actions. Given the ongoing nature of that plan,
the IAS did not provide an audit opinion at the time and raised issues for
consideration rather than firm recommendations. Based on the results of the
desk review of the progress made as regards those issues, the IAS considered
that for practical purposes, they can be closed, but that related matters will
be examined from an audit perspective in the context of the IAS planned
2010 audit of DG EMPL's control strategy, which proposes to cover the financial
correction processes.
3.37.
INFSO: Follow up audit on AAR Assurance Process
In January 2008 the IAS issued a final
audit report D(2008) 118 on the AAR Assurance Process. Whilst the very
important recommendations contained therein focused on DG BUDG and SG, the
report also made recommendations, classified as important or desirable, to a
number of operational DGs covered in a sample, which included DG INFSO. In
December 2009 the IAS made a specific follow up of the recommendations made to
DG BUDG and SG and followed up separately the recommendations made to the
operational DGs on a desk review basis only. This review, which has been undertaken in
line with IAS methodological guidelines, took into account the state of
implementation as reported by DG INFSO in the Issue Track reporting tool and
other documentary evidence obtained. Based on the results of the desk review, the
IAS assessed that all the recommendations addressed to DG INFSO that resulted
from the audit "AAR Assurance Process" have been implemented. The IAS recognises that the AAR Assurance
Process is a continuously evolving one and that whilst the implementation of
the agreed recommendations has already contributed to the improvement of the
DG's reporting, it will nevertheless be subject to further refinement and
revision as it matures in practice.
3.38.
RTD: Follow up audit on AAR Assurance Process
In January 2008 the IAS issued a final
audit report D(2008) 118 on the AAR Assurance Process. Whilst the very
important recommendations contained therein focused on DG BUDG and SG, the
report also made recommendations, classified as important or desirable, to a
number of operational DGs covered in a sample, which included DG RTD. In
December 2009 the IAS made a specific follow up of the recommendations made to
DG BUDG and SG and followed up separately the recommendations made to the
operational DGs on a desk review basis only. This review, which has been undertaken in
line with IAS methodological guidelines, took into account the state of
implementation as reported by your DG in the Issue Track reporting tool and
other documentary evidence obtained. Based on the results of the desk review, the
IAS assessed that all the recommendations addressed to DG RTD that resulted
from the audit "AAR Assurance Process" have been implemented. The IAS recognises that the AAR Assurance
Process is a continuously evolving one and that whilst the implementation of
the agreed recommendations has already contributed to the improvement of the
DG's reporting, it will nevertheless be subject to further refinement and
revision as it matures in practice.
3.39.
EMPL: Follow up audit on AAR Assurance Process
In January 2008 the IAS issued a final
audit report D(2008)118 on the AAR Assurance Process. Whilst the very important
recommendations contained therein focused on DG BUDG and SG, the report also
made recommendations, classified as important or desirable, to a number of
operational DGs covered in a sample, which included DG EMPL. In December 2009
the IAS made a specific follow up of the recommendations made to DG BUDG and SG
and followed up separately the recommendations made to the operational DGs on a
desk review basis only. This review, which has been undertaken in
line with IAS methodological guidelines, took into account the state of
implementation as reported by your DG in the "IssueTrack" reporting
tool and other documentary evidence obtained. Based on the results of the follow-up audit
as described in the objectives and scope, the IAS assessed that all
recommendations have been adequately and effectively implemented.
3.40.
REGIO: Follow up audit on AAR Assurance Process
In January 2008 the IAS issued a final
audit report (D(2008)118) on the AAR Assurance Process. Whilst the very
important recommendations contained therein focused on DG BUDG and SG, the
report also made recommendations, classified as important or desirable, to a
number of operational DGs covered in a sample, which included DG REGIO. In
December 2009 the IAS made a specific follow up of the recommendations made to
DG BUDG and SG and followed up separately the recommendations made to the
operational DGs on a desk review basis only. This review, which has been undertaken in
line with IAS methodological guidelines, took into account the state of
implementation as reported by your DG in the Issue Track reporting tool and
other documentary evidence obtained. Based on the results of the desk review, the
IAS assessed that the recommendation addressed to DG REGIO as a result of the
audit "AAR Assurance Process" has been implemented. The IAS recognises that the AAR Assurance
Process is a continuously evolving one and that whilst the implementation of
the agreed recommendations has already contributed to the improvement of the
DG's reporting, it will nevertheless be subject to further refinement and
revision as it matures in practice.
3.41.
JLS: Follow up audit on AAR Assurance Process
In January 2008 the IAS issued a final
audit report (D(2008)118) on the AAR Assurance Process. Whilst the very
important recommendations contained therein focused on DG BUDG and SG, the
report also made recommendations, classified as important or desirable, to a
number of operational DGs covered in a sample, which included DG JLS. In
December 2009 the IAS made a specific follow-up of the recommendations made to
DG BUDG and SG and followed up separately the recommendations made to the
operational DGs on a desk review basis only. This review, which has been undertaken in
line with IAS methodological guidelines, took into account the state of
implementation as reported by your DG in the Issue Track reporting tool and
other documentary evidence obtained. Based on the results of the follow-up audit
as described in the objectives and scope, the IAS assessed that all
recommendations have been adequately and effectively implemented.
3.42.
AIDCO: Follow up audit on AAR Assurance Process
In January 2008 the IAS issued a final
audit report (D(2008)118) on the AAR Assurance Process. Whilst the very
important recommendations contained therein focused on DG BUDG and SG, the
report also made recommendations, classified as important or desirable, to a
number of operational DGs covered in a sample, which included DG AIDCO. In
December 2009 the IAS made a specific follow-up of the recommendations made to
DG BUDG and SG and followed up separately the recommendations made to the
operational DGs on a desk review basis only. This review, which has been undertaken in
line with IAS methodological guidelines, took into account the state of
implementation as reported by DG AIDCO in the Issue Track reporting tool and
other documentary evidence obtained. Based on the results of the desk review, the
IAS assessed that all the recommendations addressed to DG AIDCO that resulted
from the audit "AAR Assurance Process" have been adequately
implemented. The IAS recognises that the AAR Assurance
Process is a continuously evolving one and that whilst the implementation of
the agreed recommendations has already contributed to the improvement of the
DG's reporting, it will nevertheless be subject to further refinement and
revision as it matures.
3.43.
COMP: Second Follow-Up of the Audit on local IT
In line with the IAS policy, a follow-up
engagement has to be performed for each audit in order to determine whether the
agreed actions have been adequately implemented. Following the first follow-up
audit carried out in 2007, 41 out of 45 recommendations were assessed as
implemented and 4 were assessed as being still in progress, out of which two
were rated as Very Important and two as Important. For the latter, the
IAS policy foresees a second follow-up to be performed when the level of
implementation reported by the DG is considered by the IAS to be satisfactory. Based on its analysis of the information
provided by DG COMP in Issue Track, the IAS has now closed the remaining open
recommendations.
3.44.
RTD: Further Follow up audit on Ex-Post Controls
In 2008 the IAS conducted a follow-up of
recommendations made in its 2006 audit of Ex-Post Controls in DG RTD. As a result of the follow-up audit, three
recommendations remained in progress at that time. Since the date of the follow-up, the IAS
has been tracking the gradual implementation of the remaining recommendations,
by way of desk review of evidence submitted through the use of the Issue Track
tool. The IAS has completed that desk review for
all the recommendations which remained outstanding and concluded that they have
been adequately and effectively implemented. This further follow up has not resulted in
an assessment of the adequacy of controls as a whole but has focussed on the
specific recommendations in the original audit.
[1] Data from 2010 Follow-up of IAS recommendations Final
Overview Report based on the information provided by the DGs through IssueTrack
as at 17 January 2011.
[2] One very important recommendation issued in 2005 is
still outstanding and past due for more than 6 months.
[3] Some reports finalised at the beginning of 2010 were
included in the 2009 report and are, therefore, not included in the 2010
report. Likewise, the reports/management letters drafted in 2010, but finalised
by 1 February 2011, with the exception of the ML on the split of the DGs
finalised in March, are included in the 2010 report.