This document is an excerpt from the EUR-Lex website
Document 52007DC0280
Annual Report to the Discharge Authority on Internal Audits Carried out in 2006
Annual Report to the Discharge Authority on Internal Audits Carried out in 2006 {SEC(2007) 708}
/* COM/2007/0280 final */
COMMISSION OF THE EUROPEAN COMMUNITIES
Brussels, 30.5.2007
COM(2007) 280 final
ANNUAL REPORT TO THE DISCHARGE AUTHORITY ON INTERNAL AUDITS CARRIED OUT IN 2006
(presented by the Commission)
{SEC(2007) 708}
TABLE OF CONTENTS
1. Introduction
2. Working environment and audit plan
2.1. Working environment
2.2. Developments in the Internal Audit Process
2.3. Implementation of the IAS audit plan
2.4. Acceptance of recommendations and views of auditees and stakeholders
3. Findings
3.1. Quality review of all IACs
3.2. Governance, planning and organisation
3.3. Management of EU funds
3.4. Human resources management
3.5. ABAC
3.6. Follow-up
4. Conclusions
1. INTRODUCTION
This report informs the Discharge Authority about the work carried out by the Commission's Internal Audit Service (IAS) in 2006, in accordance with Article 86(4) of the Financial Regulation (FR). It is based on the report of the IAS according to Article 86(3) of the FR on key audit findings and, in accordance with professional standards, on significant risk exposures and control issues and corporate governance issues.
The present report is based on IAS audit work and consulting activities in 2006. It also draws on the work of the DGs' Internal Audit Capabilities (IACs), via the IAS's twice-yearly reports on IAC work. It does not cover the IAS audit work for the Community agencies, apart from the figures on implementation of the work programme[1].
The Commission's reactions to the findings and conclusions of the Internal Auditor are covered in the synthesis report on the annual activity reports of the Directors-General. In this synthesis report, adopted at the same time, the Commission takes a position on the cross-cutting issues raised by the Internal Auditor, the European Court of Auditors, and the Discharge Authority, or identified by the Audit Progress Committee and by the Director-General for Budget in his overview report.
This means that certain views or opinions in this report are not necessarily fully shared by the Commission. This difference of views reflects the normal process of dialogue between the institution and its Internal Auditor.
2. WORKING ENVIRONMENT AND AUDIT PLAN
2.1. Working environment
An action plan for the roadmap towards an integrated internal control framework was presented in January 2006 with a series of 16 specific proposals. The Commission improved accountability, for instance by the individual assurance declarations and reservations issued by Directors-General, and on this basis the Commission drew for the first time also on the synthesis report in order to explicitly assume its political responsibility for management.
The Commission's Accounting Officer presented to the European Court of Auditors (ECA) the financial statements for 2005, the first to be prepared on a full accrual basis in accordance with internationally accepted accounting standards. The Court noted that important progress has been achieved. Attaining complete compliance with all accounting standards throughout the Commission is a process which will take time to complete. Migration of ABAC assets to SAP and the inclusion of ABAC contracts in ABAC workflow are still at the preliminary studies stage. The major tasks in progress are the progressive implementation of the new accounting system also for the European Development Fund, as well as in the agencies, in the European Economic and Social Committee and the Committee of the Regions and in the Commission delegations.
The sign-off of the accounts by the Accounting Officer has been embedded in the amended Financial Regulation[2], which entered into force on 1 May 2007, including the possibility to check the information received.
Establishment of executive agencies, including, in some cases, their internal audit functions, has continued, and the readiness of one to take over programme implementation tasks from its parent DG was audited by the IAC. Particular attention should be paid to a clear and organised handover of tasks from DGs to their executive agencies.
The Commission strengthened its business continuity management and issued a Framework Communication on preparations for any major disruptions affecting its activities, staff, buildings, information and other assets in order to ensure that the Commission is able to continue operating as far as possible.
The Commission held its first ethics day in the form of a one-day training session, divided into four workshops which produced lively discussions and good participation by staff. The objective was to raise awareness of the personnel about ethical issues and to initiate discussions on ethics and integrity issues inside the different DGs and services.
While these achievements are certainly encouraging, the Commission still shares implementation of about 80% of the EU budget with the Member States. Therefore, the overall success of the efforts to create an integrated control framework largely depends on the determination and capability of Member States to implement effective and efficient control systems that reduce the risk to an acceptable level and to provide declarations of assurance on these systems.
2.2. Developments in the internal audit process
In 2006 a quality review of all 32 Commission IACs was carried out by the IAS for the first time. It paved the way for a coordinated strategic audit planning (in which most IACs participate) and for revised audit charters (on which work has started). Cooperation between the IAS and IACs further improved throughout 2006, inter alia through new joint audits.
Coordination of audit plans, joint training efforts and cooperation on ABAC audits are examples of the working relationship with the ECA.
New templates for audit and follow-up reports were designed and implemented to allow auditors to produce more focused audit reports. Preparatory work was carried out for introduction of a new, more user-friendly web-based version of the Audit Management System (AMS), scheduled for the first quarter of 2007. With a view to simplification proposals, efforts to identify relevant issues will be stepped up in 2007.
2.3. Implementation of the IAS audit plan
The 2006 audit plan of the IAS was endorsed by the Commission's Audit Progress Committee (APC) on 5 December 2005 and fine-tuned throughout the year. In an effort to avoid duplication with audits carried out by the ECA, most IAS ABAC audits in the operational DGs and the audit on rural development were cancelled and replaced by mainly new follow-up engagements, work on the 2007-2009 strategic audit plan and increased resources for the IAC quality reviews.
The work programme was implemented at 88%: 69 Commission reports (23 audit reports, 8 follow-up reports, and 38 review reports) and 8 audits of agencies were finalised in 2006. Executive summaries of the Commission audits and reviews are annexed.
List of finalised Commission audits and reviews:
DG/Service | Engagement | Issued
Reviews, administrative and other support systems
32 IACs | 32 IAC quality reviews and one overview report | 12 October
ADMIN | Human resources management I | 7 April
ADMIN | Human resources management II | 27 October
COMM | Follow-up of 2003 in-depth audit | 24 October
DIGIT | Data centre-operations and security | 8 December
EPSO | Selection process as managed by EPSO | 7 April
OPOCE | Follow-up of 2004 in-depth audit | 18 December
PMO | Regularity of financial management, implementation of financial circuits | 8 December
SCIC | Financial management and procurement | 22 September
Internal policies
ADMIN, SG, BUDG, SANCO, TREN, COMP | SPP/ABM cycle in the Commission | 27 November
COMP | Effectiveness and efficiency of the SPP/ABM cycle | 20 July
SANCO | Effectiveness and efficiency of the SPP/ABM cycle | 7 April
TREN | Effectiveness and efficiency of the SPP/ABM cycle – resource allocation | 10 April
SG, MARKT, ENTR, ENV, TREN | Overview report: Monitoring the implementation of EC law | 22 December
ENTR | Monitoring the implementation of EC law | 5 December
MARKT | Monitoring the implementation of EC law | 7 November
TREN | Review of monitoring the implementation of EC law | 14 December
JLS | Large IT project management | 8 June
MARKT | Local IT | 10 November
SANCO | IT management | 8 December
TAXUD | Large IT systems | 24 January
COMM | Contract management | 11 October
EAC | Implementation of ABAC | 30 June
ENTR* | Financial management of the IRC network | 6 April
ENV | Follow-up of in-depth audit | 9 February
INFSO | Follow-up of 2004 in-depth audit | 7 December
JRC | Interim follow-up audit report | 9 February
RTD | Ex-post controls | 21 December
Structural Measures and Common Agricultural Policy
AGRI, EMPL, FISH, REGIO | Overview report Structural Funds (Article 38) | 8 March
REGIO | ERDF | 21 February
FISH | Follow-up of 2004 in-depth audit | 18 December
REGIO | Financial corrections in Cohesion Fund | 22 November
External Policies
AIDCO | Interim follow-up audit report | 22 February
AIDCO, ECHO | Implementation of framework agreement with UN agencies, combined with ECHO monitoring and management reporting system – overflow 2005 audit | 28 July
ELARG | Ex-post control activities | 20 December
RELEX** | Ex-post control activities | 22 December
RELEX | Follow-up note | 31 October
*Joint audit with DG ENTR, ** Joint audit with DG RELEX
2.4. Acceptance of recommendations and views of auditees and stakeholders
In 2006 the rate of acceptance of audit recommendations by auditees was 89.4%, with 7.9% rejected and 2.7% pending[3].
Commission audits (excluding IAC quality review)
Recommendations | Accepted | Rejected | Pending* | % | Total
Critical | 11 | 1 | 0 | 2.9 | 12
Very important | 182 | 6 | 8 | 48.3 | 196
Important | 162 | 25 | 3 | 46.8 | 190
Desirable | 8 | 0 | 0 | 2.0 | 8
% | 89.4 | 7.9 | 2.7 | |
Total | 363 | 32 | 11 | | 406
* Being considered in the context of a Commission decision
As concerns the IAC quality review, 241 recommendations were issued, of which 228 were accepted and 13 were rejected.
Auditees' feedback on the audit scope and the conduct of the audit yielded an average result of 1.95 (previous year: 1.82) on a scale from 1 (highest) to 4 (lowest).
In a fresh stakeholders' survey at the end of 2006, 75% thought that the IAS had a clear audit strategy (compared with the previous result of 79%), 86% that audits were performed with honesty, objectivity and fairness (down from 93%) and 61% (previously 63%) that the IAS recommendations are readily useful. In all, 80% (up from 71%) considered that the mission of the IAS is well understood.
3. FINDINGS
3.1. Quality review of all IACs
This quality review of IACs took the form of validation reports by the IAS on 32 individual IAC self-assessments and the resulting overview report.
The objective was to assess the IACs' conformity with the Institute of Internal Auditors' (IIA) Standards for the Professional Practice for Internal Auditing and the Code of Ethics. Eleven of the 32 IACs were found to be generally compliant with both attribute and performance standards, 17 were partially compliant and 30 were found to be compliant with the Code of Ethics. This clearly shows that the effort to increase professionalism and compliance with audit standards has to be maintained.
This review triggered discussions and reflections on the role and organisation of internal audit within the Commission. Considering that some 120 auditors work in the IACs and around 60 for the IAS, there is a clear need for a common definition of the audit universe, risk assessment and coordinated audit planning. Without prejudging any further Commission decision, some IAS proposals related to the independence of the IAC and the possibility for a head of IAC to address a party outside the DG are currently being examined with the IACs. The APC will review implementation of the IAS proposals in July 2007.
3.2. Governance, planning and organisation
Monitoring the implementation of EC law
The timely and correct implementation of EC legislation is primarily the responsibility of the Member States, but as “guardian of the Treaty” the Commission has a monitoring task. In order to improve monitoring of implementation of EC law, the IAS proposed a risk-based plan on transposition of EC directives, a more systematic approach to verification of implementing measures at the level of Member States, prioritisation criteria for complaints and infringement cases and maximum throughput times for the most important cases. A Commission Communication on monitoring EC law is currently being prepared and is expected to be adopted by the end of 2007.
Implementation of SPP/ABM process
While the DGs audited were found to be formally in compliance with the Commission rules on SPP/ABM and the corresponding Commission Internal Control Standards, the IAS considers that further progress is needed on the effectiveness and efficiency of the SPP/ABM cycle so that DGs can move from formal compliance to real ownership and to leverage the benefits for internal management.
Some IAS recommendations have already been implemented, such as the need for multi-annual strategic planning and to take into account core business instead of focusing exclusively on new initiatives in the APS. The IAS also recommended screening. In response to the European Parliament's request, the Commission has prepared an assessment of its mid-term staff needs and a detailed report on the staffing of support and coordination functions. Progress has also been made on integrating risk management into the policy-making process. Other recommendations, such as developing a strategy to support the SPP/ABM cycle with IT and full monitoring of human resources allocations have not been taken on board.
IT management/systems
The IAS audited the Commission's data centre and IT management in four operational DGs and the risk analysis was confirmed by five (out of a total of twelve) resulting critical recommendations. Two critical recommendations related to physical security in the JMO and BECH buildings in Luxembourg. Another very important one was to set up a comprehensive disaster recovery plan covering all critical information systems hosted in the Data Centre. This is linked to the fact that DGs might not be sufficiently prepared to ensure the continuity of their operations, as reliable information on their critical systems was not available.
The Schengen Information System (SIS II) was found to have suffered from inadequate project management, in particular insufficient monitoring of contractors' performance due to insufficient specialised staff and non-optimised use of staff, leading the Commission to rely heavily on the quality and reliability of the contractor. Measures should also be taken to ensure that all DGs fully comply with Regulation (EC) No 45/2001 on the protection of personal data and that the local information security officer performs sufficient controls and acts independently.
IT-related audits were also carried out by three IACs. Issues identified at local level included the need for a thorough planning process for IT applications, definition of the role of project owners and the need to have a complete local IT inventory.
3.3. Management of EU funds
Structural Funds
The objective was to determine whether the Commission has put in place a system to verify if the control systems presented by Member States meet the required standards, to assess the controls put in place at DG level, including assessment of cooperation with Member States, and to evaluate ex-post controls carried out by the structural funds DGs.
The IAS recommended that reporting requirements for authorising officers by sub-delegation should be defined more precisely. Structural Funds DGs should establish a common audit strategy, based on the coordination work already undertaken. Greater coordination with Member States, including through "contracts of confidence", improved compliance with minimum auditing standards and a clear and precise audit opinion or disclaimer would improve the assurance process. The main audit results should be clearly disclosed in DGs' annual activity reports in order to obtain a fuller picture of the level and type of assurance given on the management and control systems put in place by the Member States.
The IAS considers that the financial correction procedure for the cohesion fund should be significantly improved to reduce its overall length. In order to avoid the risk of non-compliance with the Financial Regulation and other rules, the interpretation of the "net reduction" principle and the application of the "flat rate" correction criterion should be clarified. The financial reporting should be reinforced as well, in particular with regard to the forecasting of revenue.
FAFA (Financial and Administrative Framework Agreement with the UN)
The objective of the audit was to evaluate compliance with the FAFA and the capacity to obtain assurance about the use made of EU funds. The IAS identified a risk that the EU funds might not have been used for intended purposes, especially as the reporting of indirect costs lacked transparency. The audit demonstrated the usefulness of the FAFA, which provided a much needed reference framework for cooperation between very diverse partners on both sides of the EC/UN partnership. The APC invited the IAS to assess the materiality of the residual risks with regard to indirect costs in particular, associated with the overall controls on EC/UN funding in the framework of the FAFA and the UN financial control system.
Ex-post controls on research activities
These audits were carried out to assess the compliance, efficiency and effectiveness of ex-post controls on research activities, which are instrumental for a positive declaration of assurance. In line with the ECA's last annual report, the IAS found that ex-post control activities were unsatisfactory and that coordinated and risk-based planning of ex-post controls is needed.
The IAS recommended that objectives of ex-post controls and the underlying strategy should be defined more clearly and the results should be better documented in the DGs' annual activity reports. Sufficient coverage of the auditable programmes and beneficiaries should be guaranteed.
The requirements of the Financial Regulation should be met in terms of forecasts of revenue from cost claims following ex-post controls. The coverage by ex-post controls is clearly insufficient compared with the control objectives, which led to a reservation entered in the annual activity report.
3.4. Human resources management
These reviews covered planning, recruitment, mobility, underperformance, absenteeism and the system of internal controls in the selection process for permanent staff. The IAS pointed to the need for DG ADMIN to play a greater coordinating and monitoring role, with the aim of ensuring the consistent application of human resources management policies across the Commission.
The IAS also proposed making human resources management an integral part of the Commission's strategic planning/management process in order to improve the match between the needs of the DGs and the availability of human resources and to develop a long-term vision for effective human resources management. IAS proposals included developing workload indicators, setting targets for vacancy rates and the lead time to recruit, achieving better management of compulsory mobility, reconsidering the ratio between permanent and temporary staff and ensuring better management of underperformance by improving the human resources skills of managers. Introducing a series of control and monitoring activities in the recruitment process could make it easier to organise the appropriate number of competitions in the right areas and to increase the number of successful applicants finally recruited.
The IAS also found a lack of a long-term human resources strategy or the need for improved planning of human resources allocation in the audits relating to the SPP/ABM process. Human resources management was also the subject of audits by two IACs in 2006, in which strategic planning and efficient resource allocation featured prominently in the recommendations.
Very important recommendations in a number of other IACs' audit reports also related to human resources issues.
3.5. ABAC
The implementation of the new accrual-based accounting system (ABAC) is a major challenge for the Commission. In 2006 both the IAS and ECA included ABAC audits in various DGs in their audit plan. Considering that one of the principal obligations of the ECA as external auditor is to give its opinion on the consolidated financial statements, the IAS decided to cancel planned ABAC audits in a number of DGs covered by the ECA and, in close cooperation with the ECA, to perform an audit on implementation of accrual-based accounting in DG EAC which covered the transition process to accrual-based accounting as well as the 2005 year-end closing of the accounts in DG EAC.
Based on the results of the IAS audit the accounting control systems of DG EAC appeared inadequate to ensure the completeness, accuracy and reliability of the accounting data. Therefore, the year-end accounting entries reported by DG EAC did not give a true and fair view of the financial position and performance of DG EAC. IAS opinion was based mainly on the lack of adequate documentation of the year-end closing procedures, the absence of full reconciliation between the local systems and the central accounting systems plus significant accounting errors in the accrual calculations with a material impact on the account balances.
3.6. Follow-up
As production of audits has continued, follow-up has become an increasingly important issue and is now subject to a systematic approach and separate reports. The IAS's 2006 year-end report, issued in February 2007, concluded that while the number of outstanding recommendations is falling, significant delays still exist: 50% of outstanding critical and very important recommendations are overdue by more than six months. Therefore there are still significant weaknesses in management's implementation of action plans.
In two cases the IAS concluded that the level of implementation of the pending recommendations was not sufficient to carry out a full follow-up audit.
Recommendations from past IAS annual reports by the internal auditor should also be followed up. Examples of recommendations that were not sufficiently followed up in 2006 include the proposals on IT governance and the consolidation of IT infrastructure.
4. CONCLUSIONS
On the basis of his 2006 Commission audits and reviews and related work, the Internal Auditor of the Commission draws the following conclusions (the Commission's position is contained in the synthesis report on the annual activity reports of the Directors-General).
IAS Conclusion 1: Continue improvement efforts
The IAS audit work found clear improvements in the internal control systems in many areas. Big steps have been taken by the Commission to improve the control environment, for instance the Communication on business continuity, the ethics day and the focus provided by the high-level group looking at EC law. However, there are also still major weaknesses and further efforts are needed, as illustrated by the number of critical IAS recommendations (twelve) and the number of audits with adverse IAS opinions (nine). Areas for improvement include ex-post controls, IT (buildings, data security, adequate staffing and planning processes for IT projects and continuity of services), implementation of new accounting rules and contract management[4] (oversight of use of framework contracts, monitoring of subcontracting and multiple roles of a single service provider).
IAS Conclusion 2: Follow-up, a recurring issue
The overview reports on follow-up show that the culture of follow-up proposed in the 2005 report has not yet been fully established. Further efforts must be made in the Commission in order to ensure proper, systematic and swift follow-up of audit recommendations.
Implementation of internal and external audit recommendations is vital to achieving the Commission’s strategic objective of a positive DAS.
IAS Conclusion 3: Integrated Human Resources strategy
Not only the reviews of the human resources management, but also the audits of the SPP/ABM process, of monitoring of implementation of EC law and of IT management showed that a long-term strategy for human resources management is an important factor in success and that inadequate allocation of human resources can have a substantial negative impact on the operations and reputation of the Commission. DG ADMIN, as the central service in charge of human resources management, together with the decentralised human resources units in DGs and services, should develop a strategy fully aligned on the strategic planning process.
IAS Conclusion 4: Improve the efficiency and robustness of internal audit architecture
The Commission has a two-tier system of internal audit: the IACs and the IAS, which closely reflects the Commission’s governance architecture. The quality review concluded that the vast majority of IACs partly or generally complied with the standards. However, the efforts to increase professionalism should continue and the recently introduced coordinated planning process should be solidly embedded in order further to improve the overall efficiency of internal audit work in the Commission. Without prejudging any further Commission decision, some issues, such as further strengthening the independence of IACs by giving them the possibility to escalate issues at a corporate level in the Commission, were openly discussed and are still pending; they will be revisited by the APC in 2007.
IAS Conclusion 5: Annual governance statement
A number of governance-related issues were addressed in the audits finalised in 2006 (SPP/ABM, monitoring of EC law, etc.) and in the IAC quality review; governance issues were also focused on at the 2006 IAS conference.
The Commission has laid a solid foundation for its governance. In order to achieve full maturity and to make its governance architecture and its latest developments known to stakeholders, the Commission should describe its governance policy and practice, preferably in the synthesis report summarising the DGs' annual activity reports, make it available on its website and provide for its regular updating[5]. Such a description could include explanations of the Commission's risk management system, strategic planning, the code of ethics, the role of the Accountant, the internal control systems, internal audit and the APC. In this way, the Commission could increase credibility and trust on the part of its stakeholders and EU citizens.
[1] In some cases, however, agency audits resulted in recommendations concerning the Commission and are taken into account in the statistics in Section 2.4.
[2] Council Regulation (EC, Euratom) No 1995/2006 of 13 December 2006 amending Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities (OJ L 390, 30.12.2006, p. 1).
[3] Commission audits only, excluding the IAC quality review.
[4] A number of IAC audit reports also related to efficient contract management in public procurement.
[5] Directive 2006/46/EC (OJ L 224, 16.8.2006, p. 1) placed an obligation on companies whose securities are admitted to trading on a regulated market and which have their registered office in the Community to disclose an annual corporate governance statement as a specific and clearly identifiable section of their annual report.