52016SC0322

As there has been no greening related expenditure yet, the 2014 Annual Activity Report (AAR) of DG AGRI does not include any reservations related to greening. However, it includes a reservation on direct payments with regard to 15 Paying Agencies covering six MS. In addition, in Annex 10 of its 2014 AAR 5 , DG AGRI identified additional risks for the implementation of the reformed system of direct payments including risks related to greening.

The IAS finalised the fieldwork on 08 June 2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following three very important issues:

Assessment of the notifications for equivalent practices (Report finding N° 2)

MS can choose certain equivalent practices 6 , substituting all or some of the greening requirements. These equivalent practices shall yield equivalent or greater benefit for the environment and are listed in Annex IX to the Direct Payment Regulation 7 . The Commission has to assess within seven months of being initially notified whether these practices are indeed covered by Annex IX. If not, then the Commission rejects them through implementing acts.

Five MS notified equivalent practices which were all deemed to be covered by Annex IX to the Regulation and therefore accepted through a Commission decision, even though DG AGRI's assessment had showed that further modifications were still required for some of them to be fully compliant. Indeed the implementing act 8 did not grant DG AGRI the possibility to use a "stop the clock" procedure where MS did not address all the issues raised by the Commission in a satisfactory manner and within the statutory deadlines.

Following the Commission decision, DG AGRI sent letters to MS requesting the outstanding changes, but has not yet defined a procedure on how to follow-up whether these issues have been satisfactorily dealt with in practice at the end of the assessment process.

Risk of double funding between greening measures and rural development programmes with regard to agroforestry and afforested areas (Report finding N° 4)

According to the legislation governing greening payments 9 , the list of possible Ecological Focus Areas which can be funded under greening includes agroforestry land as well as afforested areas, which also receive support under the European Agricultural Fund for Rural Development (EAFRD). However, expenditure funded under the EAFRD shall not be the subject of any other financing under the Union's budget 10 . Furthermore, contrary to other EAFRD measures 11 which could also be possibly subject to double funding with the greening requirements, for measures regarding agroforestry and afforested areas, the rural development legislation 12 does not include any provisions for reducing payments in order to avoid double funding occurring in practice. In addition, the IAS noted that there is a lack of detailed guidance to MS on how to exclude double funding between EAFRD measures for agroforestry and afforested areas and the greening payment, especially regarding agroforestry systems.

Improving/clarifying the greening requirements (Report finding N° 6)

The greening payment is based on very complex eligibility criteria, which entails a risk of high error in the underlying transactions as well as considerable administrative burden for the MS. Furthermore, in the IAS's view, a clear added value for the environment may not always be demonstrated.

The IAS has identified a number of specific complex/ambiguous issues which could easily lead to errors and which could be simplified/clarified through modifications to the Delegated Regulations and Implementing Regulations. In particular, these concern the need to clarify the eligibility criteria and options open to MS regarding greening, overlaps between the rules concerning cross-compliance 13 and greening and the extent to which certain EFAs can be controlled in practice.

The IAS noted that as part of the Regulatory Fitness and Performance Programme (REFIT) a simplification process on the CAP legislation, including greening, is currently ongoing: the Commissioner for Agriculture and Rural Development has announced that the rules for greening would be reviewed in early 2016 after one year of implementation.

Recommendations

To address this issue, the IAS formulated the following recommendations:

Assessment of the notifications of the equivalent practices

DG AGRI should finalise the procedure for assessing equivalent practices and ensure the necessary follow-up of issues outstanding at the end of the assessment process. In order to better manage future MS notifications for equivalent practices, it should also consider the possibility to introduce a "stop the clock" procedure in the implementing act.

Double funding between greening measures and rural development programmes with regard to agroforestry and afforested areas

DG AGRI should prepare detailed guidelines for the MS on how to ensure the exclusion of double-funding between support for afforested areas and agroforestry systems measures under the EAFRD and the greening payment.

Improving/clarifying the greening requirements

DG AGRI should work together with the MSs and other stakeholders to further identify areas where it might be feasible to make clarifications/simplifications in the short term. It should then monitor closely how greening requirements are being implemented in practice by MS and examine the scope for further simplification/clarification, particularly in the framework of the review of the rules for greening planned after one year of implementation.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendations.

2.2.Audit on DG AGRI's management of the approval process of the 2014-2020 Rural Development Programmes (RDPs)

Audit objectives and scope

The overall objective of the audit was to assess whether DG AGRI's management of the approval process of the RDPs is effective and efficient in ensuring the timely adoption of quality RDPs.

The audit covered the processes put in place by DG AGRI in order to assess and approve the draft RDPs. Horizontal aspects such as guidance, supervision, monitoring and reporting; supporting IT systems as well as the overall efficiency of the process (e.g. delays, workload) were also covered. The audit took particular account of the new results-based focus, which is a main feature of the new 2014-2020 period. The audit also considered political expectations regarding further simplification and reduction of red tape.

The 2014 Annual Activity Report (AAR) of DG AGRI does not include any reservations in the AAR related to the RDP approval process. However, DG AGRI 2014 AAR contains a reservation 14 concerning 2014 Rural Development expenditure (ABB04), i.e. relating to the 2007-2013 programming period. This reservation covers 28 paying agencies, 16 Member States (MS) and corresponds to an actual amount at risk of EUR 532.5 million.

The fieldwork was finalised on 12/06/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following three very important issues:

Efficiency of AGRI's organisation for the assessment and approval of RDPs (Report finding N°1)

In most cases, the Commission's observations letters on the draft RDPs were adopted only after the 3-month deadline set in the regulation. The IAS recognises that this situation was in part a consequence of resource constraints and in part a consequence of the late adoption of the applicable regulations. This resulted in certain draft RDPs being of low quality and needing to be further improved. Nonetheless, the IAS considers that DG AGRI could better optimise the use of its resources and further improve its planning and monitoring processes. In particular and in view of the likely scale of the RDP amendments which it will inevitably have to deal with in the coming months, it will be essential to have in place strong planning and monitoring processes, which build on the lessons learnt during the approval phase.

Ex-ante conditionalities and performance (Report finding N° 3)

A key feature of the 2014-2020 programming period is the move towards a greater focus on performance through, on the one hand, the assessment of Ex-ante Conditionalities (ExAC) and on the other, the set-up of a performance framework with the use of appropriate indicators. The IAS noted some weaknesses in the assessment of certain ExAC as well as the need for enhanced coordination between the European Structural and Investment Funds (ESIF) DGs for the follow-up of the resulting MS action plans. Certain weaknesses were also noted as regards indicators, particularly when specific definitions of rural areas are used.

The need for better regulation (Report finding N° 5)

The sheer complexity of the regulatory framework means there is an inherent risk of errors in the underlying transactions as well as considerable administrative burden for the MS. The administrative complexity is compounded in cases where there are similar funding instruments in 1st pillar and 2nd pillar. This includes, for example, the payment for agricultural practices beneficial for the climate and the environment and the agri-environment and climate measures, which often require sophisticated management measures and controls to avoid double funding. In addition, the IAS noted that the parts of the regulations covering the performance focus have been formulated in such a way which leaves them open to considerable interpretation that could in turn dilute rather than strengthen their intended impact.

Recommendations

To address these issues, the IAS formulated the following recommendations:

Inadequate RDP amendments procedure

DG AGRI should approve the new procedure for dealing with amendments, reinforce the overall scheduling, ensure there is real-time monitoring and reporting at central level and make sure the necessary resources are redeployed based on a workload assessment to reduce as far as possible any delay.

Adequate assessment and monitoring of ex-ante conditionalities

DG AGRI should ensure that all applicable ExACs are adequately assessed by, for example, developing a practical template to be used internally. Additionally, DG AGRI should liaise with the other ESIF DGs to finalise and adopt a procedure for monitoring the Action Plans to fulfil ExACs, with a clear allocation of roles and responsibilities between the various ESIF DGs.

Complexity of regulation

In the short term, DG AGRI should continue its efforts to encourage MS to choose straightforward options (e.g. use of simplified cost options, clear eligibility rules for projects, etc.) as well as to collect information on the costs of control in the MS. It should also closely monitor the implementation of the programmes to help address in advance potential cases of double funding, including carry-over of agri-environmental contracts concluded before 2012. In the longer term (i.e. for future programming periods), it should ensure that any future transitional arrangements are proportionate and do not overly impact on the new programming period. There is also a need to review whether it remains appropriate to have similar funding instruments under both pillars of the Common Agricultural Policy (and hence tackle more fundamentally the risk of double funding).

The audited service has established an action plan which the IAS considers satisfactory to address the recommendations.

2.3.Audit on payment suspensions and interruptions in the 2014-2020 Common Agricultural Policy framework

Audit objectives and scope

The overall objective of the audit was to assess whether DG AGRI has effectively managed the processes for interrupting, suspending and/or reducing payments in accordance with the 2014-2020 Common Agricultural Policy legal bases.

The audit covered DG AGRI's management of interruptions, suspensions and reductions, which are applied in case of deficiencies in Member States' (MS) management and control systems and/or risk of irregular expenditure, in accordance with the following legal provisions:

For interruptions of interim payments of the European Agricultural Fund for Rural Development (EAFRD), in accordance with Art. 36.7 of R1306/2013 15 ("Horizontal Regulation" or "HZ"), which refers to Art. 83 of the Common provisions regulation (CPR 16 ) and Art. 22.4 of the implementing regulation R908/2014 17 ;

For suspensions and reductions of interim payments (EAFRD) or monthly payments (EAGF), in accordance with Art. 41 HZ.

The IAS audit took place at an early stage of DG AGRI's application of this new regulatory framework. Hence, the number of interruptions, suspensions and reductions applied so far has been relatively limited. The focus of the IAS’ work was therefore in practice largely on the systems and procedures put in place by DG AGRI, with a view to identifying possible improvements.

There are no observations/reservations in the DG's 2014 Annual Activity Report (AAR), which relate to the area/process audited.

The fieldwork was finalised on 9/11/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following three very important issues:

Legal basis (Report finding N° 1)

There is a lack of consistency in the wording and scope of Art. 22.4 R908/2014 with the provisions of Art. 83 CPR, and, as a result, in how payment interruptions are implemented in practice, for example with respect to the period of the interruptions and the level at which they have been approved.

Concerning suspensions/reductions, there is also a lack of consistency in the interpretation and application of Art. 41.1 HZ and 41.2 HZ.

Internal guidance and procedures (Report finding N° 2)

DG AGRI's internal guidance and procedures do not sufficiently clarify how to interpret the provisions for interrupting, suspending and/or reducing payments in a consistent manner. In addition, further criteria were not developed to guide decision-making, notably in relation to the assessment of the seriousness/gravity of the deficiencies identified and when requesting action plans in the context of suspensions/reduction procedures.

Application of guidance and procedures (Report finding N°3)

For the EAFRD, compliance with the 45-day payment deadline has not been achieved in certain cases when payments were interrupted for short periods only and then followed by a reduction/suspension procedure. Furthermore, different practices exist for recording the end of the period of interruption ("stop-the-clock procedure") and procedures are not always applied in the most efficient manner.

With respect to suspensions/reductions under Art. 41.2, used in case action plans are not sufficiently implemented, there is a lack of consistency in the approach followed for the two pillars in requesting action plans from the MS. Furthermore, the overall time it takes between the various steps to request an action plan under Art. 41.2 and to take a final decision on reduction/suspension has been rather long.

Recommendations

To address these issues, the IAS formulated the following recommendations:

Legal basis

DG AGRI should clarify the scope of application of Art. 22.4 R908/2014 in relation to Art. 83 CPR and consider whether the drafting of Art. 22.4 should be reviewed. The DG should also consult the Legal Service in order to: i) confirm DG AGRI's interpretation on the application of Art.41.1 for the first pillar, and, ii) clarify when to apply Art. 41.1 and 41.2 for the second pillar.

Internal guidance and procedures

DG AGRI should update its internal guidance and procedures and clarify the interpretation of the applicable regulatory framework for each pillar as well as outline criteria for proposing interruptions and suspensions/reductions (including a de-minimis approach). Furthermore, for pillar 2, DG AGRI should explain in a clearer way when to request action plans in the context of Art. 41.2 and, in particular, how these relate to the corrective action plans resulting from AAR reservations.

Application of guidance and procedures

In the case of significant deficiencies or irregularities, DG AGRI should use Art. 83 CPR as a legal basis in view of the longer maximum period for interrupting so as to allow finalising the suspension/reduction procedure within the 45-day payment deadline. In this respect, the registration of the time of the interruption (“stop the clock” process) should be fully consistent between the different units. Finally, the procedures should be applied in the most efficient manner.

With respect to the application of Art. 41.2 for reductions/suspensions, DG AGRI should ensure more consistency when requesting action plans, notably by referring to the possible use of Art.41.2 (b) at all stages of the process. It should also try to reduce the time taken between the various steps leading to a reduction/suspension decision, where this relates to a failure to implement adequately an action plan.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendations.

2.4.Gap analysis on new legislation/design of 2014-2020 programming period of European structural and investment funds Phase 2 in DG MARE

Audit objectives and scope

Phase 2 of the gap analysis aimed at a more in depth examination of the design and preparations for the management of the Multi-annual Financial Framework 2014-2020 programming period by DG MARE, and to the extent possible, its implementation in practice. In conducting phase II, the IAS clearly recognises that the development of the control architecture is very much an on-going process.

The audit focused on the DGs' processes for:

The negotiation, assessment and adoption of the Operational Programmes (OPs);

Guiding and supervising the set-up of the Member States' (MS) management and control systems.

Particular emphasis was given to new elements of management and control systems as compared to the 2007-2013 programming period as well as aspects related to the results orientation of the 2014-2020 programming period.

There are no observations/reservations in the 2013 Annual Activity Report (AAR) that relate to the area/process audited.

The fieldwork was finalised on 30/01/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following four very important issues:

Supervising MS' management and control systems (Report finding N° 1)

Certain gaps need still to be addressed as regards the audit approach, both in terms of the European Structural and Investment Funds (ESIF) DGs' single audit strategy and DG MARE's own audit strategy for 2014-2015. Despite common areas, currently the approach as regards using other auditors' work for building-up assurance and/or conducting joint missions is not yet sufficiently developed and there is no inter-service agreement on cooperation between the audit services of the ESIF DGs for a single audit strategy for the programming period 2014-2020. There is little explanation as to how DG MARE will be able to rely on the work of the Audit Authority (AA) to obtain assurance. In addition, it is not clear how DG MARE's own specificities will be taken into account. Although the OP approval process has yielded key information on the MS' management and control systems, this has not yet been taken into account in the audit risk assessment for the DG's review of the designation package. Neither has the audit plan been updated to reflect the impact of delays in the late submission of the OPs. Also, due to inefficiencies in the underlying processes, the IAS found that DG MARE is not optimising its audit work at the OP approval stage to identify potential weaknesses in the MS' management and control systems.

OP negotiation and adoption process (Report finding N° 2)

There are delays in the OP adoption process, partly due to changes in the new Commission working methods, which have lengthened the consultation process. The respective roles and responsibilities of the various units involved in the process are not clearly defined. Guidance on how to prepare observations was only made available to staff once the IAS fieldwork was completed, with the result that observations sent to the MS were often not specific enough, inconsistent and in some cases even redundant. Furthermore, where observations have been provided to MS, the revised OPs often do not clearly demonstrate how those observations have been addressed, which can in turn hinder the DG's ability to effectively follow them up.

Results orientation and performance framework (Report finding N° 3)

A key feature of the 2014-2020 programming period is the shift to a performance framework and an essential part of any performance framework is the use of appropriate performance indicators. In line with the underlying legislation, the main focus was on getting the MS to use common indicators to assess progress in achieving policy objectives. However, in practice these are often poorly defined and whilst they can be useful for reporting in overall aggregate terms, they are not always relevant for certain specific measures and/or are by default not applicable in certain situations. The MS can include potentially more useful specific result indicators in the OP, but generally, the DG has not actively encouraged this. In addition, the information provided by the MS on the basis used to estimate the value of milestones/targets and the calculation method is of a very general nature only and there is currently no practical guidance available to desk officers on how to assess and negotiate with the MS on performance related issues in the draft OPs. The IAS found that in certain cases, weaknesses related to indicators and target setting in the draft OPs were not clearly reflected in the observations sent to the MS.

Assessment of fulfilment of Ex- ante conditionalities (Report finding N° 4)

The fulfilment of Ex-ante conditionalities (ExAC) constitutes a key part of the DG's assessment process as to whether an OP is fit for purpose and can deliver against policy objectives. However, the practices vary among the Units involved in the assessment and DG MARE has yet to further define the respective roles and responsibilities of the horizontal units as well as the approach for timely assessing whether certain conditionalities are met. The grids used to document the assessment are not sufficiently detailed and do not capture all the steps involved in the process. Furthermore, DG MARE currently does not have an overview of the overall state of play as regards unfulfilled ExAC across the OPs and the related MS' action plans.

Recommendations

To address these issues, the IAS formulated the following recommendations:

Supervising MS' management and control systems

DG MARE should further develop and clarify its audit strategy with respect to how it will obtain assurance on the reliability of the AAs and to what extent DG MARE could carry out joint audit missions and/or use other ESIF DGs' auditors' work for building-up assurance. Concerning the designation package review it should update the risk assessment and adapt its plan accordingly to take account of the latest information available as a result of the OP approval process. It should ensure that any weaknesses identified in the OPs as regards MS' management and control systems descriptions are properly reflected in the observations sent to MS.

OP negotiation and adoption process

DG MARE should establish more stringent target delays for the main steps of the process and carefully monitor the final phases before the OP's adoption, including the follow-up given to the Commission's observations. The DG should also clarify the respective roles and responsibilities of the units involved in the assessment process and ensure that any observations made are sufficiently clear and specific enough to form the basis for subsequent negotiations/discussions with MS.

Results orientation and performance framework

DG MARE should develop guidance on the definitions for common indicators and on the checks to be performed by desk officers when assessing the plausibility of milestones/targets. It should also prepare guidance for MS on the use of specific indicators and look to ensure the quality of related information provided by the MS as regards target setting and/or the nature of projects, especially where baseline values are not included.

Assessment of fulfilment of Ex- ante conditionalities

DG MARE should clarify the respective roles and responsibilities of those involved in the assessment process, ensuring a common understanding of the approach to be taken and improve the template used, together with the underlying documentation. It should ensure the timely assessment of ExAC, update and communicate regularly to all the actors involved the latest state of play on unfulfilled conditionalities and related action plans and ensure an effective follow-up.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendations.

2.5.Audit on the management of grants under 2014-2020 Consumer and health programmes in CHAFEA

Audit objectives and scope

The overall objective of this audit was to assess the adequacy and effective application of the Internal Control System (ICS) related to managing grants under the new programming period (2014-2020) by CHAFEA. In particular, the audit assessed whether or not the ICS provide reasonable assurance regarding compliance with the relevant legislation and ensured sound operational management of the grant process.

The audit focused on grant management under the Health and Consumer programmes by CHAFEA and covered the following sub-processes:

Calls for proposals – preparation, approval and publication/dispatch;

Evaluation – selection of experts, evaluation of proposals, adjustment of proposals, awarding decision and ex-post publication of the list of awarded grants;

Contracting – transformation of the proposal into a grant agreement, respect of the deadlines;

Payment – budgetary commitments and pre-financing;

Ccommunication - provision of information to applicants and cooperation with and reporting to the parent DGs regarding grant management.

CHAFEA's 2014 AAR contains no observations/reservations that relate to the processes audited.

The fieldwork was finalised on 25/11/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following very important issue:

Internal grant management procedures (Report finding N°1)

Significant weaknesses exist concerning CHAFEA's documentation of internal grant management procedures, which is either incomplete, located across a range of documents or not up to date. The documentation of procedures does not yet cover certain key parts of the grant management cycle, such as monitoring the grant implementation and grants closure, or contain only limited instructions on specific issues, such as the prevention of double funding. This lack of comprehensive written procedures, compounded by factors outside CHAFEA's direct control and stemming from the respective work programmes, has resulted in a number of weaknesses concerning planning and documenting the evaluation process, addressing the risk of double-funding, and documenting key decisions when preparing grant agreements, including the non-retroactive award of grants, pre-financing rates and the reasons for waiving financial viability checks.

Recommendation

To address this issue, the IAS formulated a recommendation which can be summarised as follows:

Internal grant management procedures

The Agency should update, finalise and consolidate the existing grant management procedures taking into consideration the requirements of the Financial Regulation and the functionalities of the Horizon 2020 ICT tools.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendation.

2.6.Audit on DG's CLIMA and ENV's externalisation to EASME of the life programme 2014-2020

Audit objectives and scope

The overall objective of the current audit was to assess whether DG ENV's and DG CLIMA's externalisation arrangements with EASME are effective and efficient to support the achievement of the objectives of the LIFE 2014-2020 programme whilst ensuring sound financial management.

The audit covered the externalisation of the LIFE programme 2014-2020 to EASME, in particular (1) the governance framework, the cooperation and coordination between the parent DGs and EASME and (2) the design and early implementation of the supervision framework.

The 2014 Annual Activity Reports (AAR) of DG ENV and DG CLIMA do not include any reservations related to the externalisation process of the LIFE programme 2014-2020 to EASME.

The IAS finalised the fieldwork on 11/09/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS did not identify any material risks that would give rise to critical or very important recommendations.

3.Cohesion

3.1.Audit on the monitoring of the action plans for unfulfilled Ex-ante Conditionalities in DG REGIO and DG EMPL

Audit objectives and scope

The overall objective of the audit was to assess, taking into account the 2014-2020 regulatory framework, whether DG REGIO and DG EMPL were adequately prepared to effectively and efficiently monitor and assess the implementation by the Member States (MS) of the action plans for partially fulfilled and unfulfilled ex-ante conditionalities (ExAC).

The audit focused on the early stage of the monitoring process and the preparedness of DG EMPL and DG REGIO to deal with the wave of action plans which are expected to be implemented at the end of 2015 and in 2016.

The audit scope included an assessment of the following four areas:

The efficiency and the effectiveness of the coordination and monitoring at DG level and between DG EMPL and DG REGIO;

The efficiency and the effectiveness of the coordination and monitoring at unit level and between horizontal and geographical units as well as with line DGs;

The adequacy of the management by the relevant units of the interaction with the MS, in order to support a timely and effective implementation of the action plans related to partially fulfilled and unfulfilled ExAC, while considering reducing unnecessary regulatory burden;

The robustness of the decision making process of the ExAC Suspension Committee, i.e. the suspension of payments at Operational Programme (OP) adoption in case of significant prejudice triggered by the non-fulfilment of the ExAC by the MS.

In addition, in the light of the recent Commission Decision on Better Regulation 18 issued on 19 May 2015, the audit took account of the regulatory burden arising for MS in terms of fulfilling those plans and the Commission DGs in terms of monitoring their effective implementation.

The fieldwork was finalised on 30 June 2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS identified the following two very important issues:

Monitoring and reporting of unfulfilled Ex-ante Conditionalities (Report finding N° 1)

The current monitoring and reporting arrangements are not sufficiently accurate as to how many actions/action plans have to be completed and by when and are therefore not considered as a reliable source of information for the different stakeholders in the organisation, in particular senior management.

Better regulation principles and cooperation across the Commission services (Report finding N° 2)

In addition, given the importance of the "better regulation" agenda, the IAS considers that the recently launched study on the use of new simplification provisions in the early implementation phase of the ESI funds provides an ideal opportunity for the DGs to assess the implications for MS authorities and beneficiaries of the potential burden imposed by the regulatory changes of the 2014 – 2020 programming period. However, the next steps (notably the implications of the potential costs and administrative burden deriving from the EU regulatory framework for MS and beneficiaries) have yet to be defined. Also, in view of the newly created "Structural Reform Support Service" in the Secretariat General, it is essential that there is effective cooperation across the Commission services in the future.

Recommendations

To address these issues, the IAS formulated recommendations which can be summarised as follows:

Reporting and monitoring of Ex-ante conditionalities

DG REGIO and DG EMPL should further improve their monitoring and reporting arrangements by, on the one hand, better and more streamlined reporting to senior management and, on the other, more focused and prioritised monitoring at the operational level. In particular, the quality of the reports to senior management should be improved, notably the criticality of the state of play of the action plans and, where relevant, the potential impact that delays may have on the actual implementation of the funds/OPs.

Better regulation and simplification principles

DG REGIO and DG EMPL should assess the implications for MS authorities and, if applicable, for beneficiaries of EU funds of the potential burden imposed by regulatory changes and make sure these are fed through to the 2014-2020 MFF mid-term review, together with preparations for the new programming. In addition, and depending on the precise role of the newly established Structural Reform Support Service, to avoid any potential inefficiencies or overlaps, the DGs should inform this new body as regards the monitoring and assessment of the implementation of ExAC action plans by the MS.

The audited services have established a joint action plan which the IAS considers satisfactory to address the recommendations.

3.2.Limited Review of the calculation and the underlying methodology of the residual error rates for the 2014 reporting year in DG EMPL

Audit objectives and scope

The objective of this engagement was to review the calculation and underlying methodology of the error rates and Cumulative Residual Risk (CRR) reported by DG EMPL in its (draft) 2014 Annual Activity Report (AAR), and in doing so, contribute to help mitigate the discharge risk enabling DG EMPL to take appropriate actions, if any, before their disclosure in the final AAR and in the Commission's Synthesis report.

The limited review covered the following aspects related to the European Social Fund (ESF) 2007-2013 19 :

The methodology for the calculation of the error rates and CRRs for the 118 Operational Programmes (OP) and the 2014 annual error rate (DG level) under the ESF 2007-201;

The calculated CRR (at OP and DG level);

The presentation of the error rates and CRRs in the draft 2014 AAR (including compliance with the Standing Instructions for the 2014 AAR).

The IAS reviewed the revised draft 2014 AAR transmitted by DG EMPL to the Central Services on 3 March 2015 and the error rates and CRR calculations up to that date. As DG EMPL's CRR calculation tables were updated on an on-going basis until the draft AAR was issued, all data reported in the draft AAR and reviewed by the IAS were still provisional as at 3 March 2015.

The IAS fieldwork was finalised on 6 March 2015. All observations and recommendations relate to the situation as of that date.

However, the IAS also reviewed DG EMPL's final AAR (issued on 31 March 2015, subsequent to the IAS' draft report being sent on 26 March 2015) to assess whether IAS recommendations related to the 2014 reporting year have been taken into account in the final AAR.

Major audit findings

Given the nature of this engagement, no audit opinion was formulated. However, the review made three very important findings related to:

The error rate and CRR calculation process (Report finding N° 1)

The IAS acknowledges the inherent risks, some deriving from limitations due to the regulatory framework, impacting on the accuracy and reliability of the information reported by Member States (MS) authorities. Notably, error rates related to the previous year are used to estimate the errors relating to the current year. While this may be valid in most cases, the IAS notes that the error rate and amount at risk may be potentially misstated in cases where significant changes to the management and control systems have been made.

The way in which financial corrections are assessed and taken into account for the calculation of the CRR (Report finding N° 2)

The figures reported by MS on withdrawals, recoveries and financial corrections vary considerably in terms of reliability, due in part to the limitations of the way in which they are reported to the Commission, but also because the Audit Authorities only perform limited checks on them.

The way in which DG EMPL presents key information in its (draft) AAR on financial corrections (Report finding N° 3)

The IAS reviewed DG EMPL's draft 2014 AAR and identified specific issues related to the disclosure of the financial corrections taken into account in the calculation of the CRR and the presentation of the upper limit. The IAS subsequently reviewed the final AAR (issued on 31 March 2015) and noted that the text was largely improved.

Recommendations

To address these issues, the IAS formulated recommendations which can be summarised as follows:

Calculation of error rates and of the cumulative residual risk

The IAS recommends that, for the next AAR exercise (2015 reporting year), DG EMPL should analyse for each OP whether it is valid to use the error rate relating to the previous year's expenditure as a best estimate for the reporting year when calculating the CRR and amount at risk. It should apply alternative approaches (e.g. flat rate estimates) if this is not the case.

Concerning the CRR, the IAS notes that this is one of the key factors behind the decision to make a reservation. DG EMPL should therefore issue specific guidance as regards the documentation of the (currently) fully manual CRR calculation process, including: (i) the set-up of an adequate audit trail, and (ii) the performance of additional checks on the data included in the calculation. In addition, retroactive modifications of previous annual error rates per OP should be systematically explained and documented.

Corrective capacity (withdrawals and recoveries and financial corrections)

DG EMPL should fully ensure the audit trail of financial corrections and consistency of information used at both OP and DG levels and, inter alia, document its assessment on withdrawals and recoveries (and, where applicable, other financial corrections) reported by MS authorities.

In addition, the IAS recommended to DG REGIO that negative CRR figures for individual OPs should not be carried forward into subsequent years' calculations. Given that both DGs essentially share the same methodology and this issue could pose a risk to the inherent reliability of the underlying calculation, the IAS recommends that DG EMPL coordinates with DG REGIO to ensure a coherent approach to assessing the potential impact and to find an appropriate solution.

Presentation and Reservations in the (draft) AAR

The IAS recommended that for the 2014 AAR DG EMPL already:

Discloses the actual figures of financial corrections taken into account for the calculation of the CRR with an explanation of the main changes compared to the figures declared by MS;

Clarifies the text of the AAR stating that the "upper limit" is an estimation based on error rates derived from flat rates, statistically validated error rates and non-statistical information.

The IAS reviewed DG EMPL's final AAR (issued on 31 March 2015) and noted that the text was improved as regards the explanations on financial corrections and CRR, but the "upper limit" concept has not been clarified as recommended by the IAS. The IAS therefore invited DG EMPL to address this issue in its 2015 AAR.

In addition, taking note of the European Parliament's draft 2013 Discharge report (issued on 12 February 2015) as regards the AAR reporting requirements, and subject to confirmation of the final discharge resolution, the IAS recommended DG EMPL to coordinate with DG REGIO to ensure a consistent presentation of information as from the 2015 AAR as regards:

The reasons for making/not making reservations in cases where there are exceptions to applicable Commission guidance or approved audit strategies;

The timing, origin and the amount of corrective measures, including information aimed at reconciling the year in which the payment is made, the year in which the related error is detected and the year in which recoveries or financial corrections are disclosed in the notes to the accounts.

The audited service has the DG has, to the extent possible, already implemented the recommendations for its 2014 AAR and established an action plan which the IAS considers satisfactory to address the remaining recommendations.

4.Research, energy and transport

4.1.Audit on H2020 grant management in DG CONNECT: from the preparation of the work programme to the signature of the grant agreements

Audit objectives and scope

The overall objective of the audit was to assess the effectiveness and efficiency of the internal control system for grant management in DG CONNECT and in particular if the calls for proposals effectively support the achievement of the Horizon 2020 (H2020) objectives and if the best research projects are selected and translated into grant agreements in compliance with the applicable rules.

This audit focused on the first implementation phases of H2020 from the preparation of the work programme to the signature of the grant agreements.

There are no observations/reservations in the DG's 2014 Annual Activity Report that relate to the area/process audited.

The fieldwork was finalised on 19/06/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS did not identify any material risks that would give rise to critical or very important recommendations.

4.2.Audit on the participant guarantee fund for FP7 and H2020 in DG RTD, DG ECFIN and ERCEA

Audit objectives and scope

The overall objective of the audit was to assess whether the participant guarantee fund is efficiently and effectively used to manage the risk of non-recovery of sums due by defaulting beneficiaries.

The audit focused on:

Strategy, high-level coordination, policies and procedures;

Monitoring and supervision;

Operational processes for contributions, interventions and returns to beneficiaries;

Asset management.

The audit covered the activities of DG RTD as designated service, the activities of DG ECFIN in terms of asset investment and the operational activities performed by DG RTD and ERCEA.

There are no observations or reservations in the Annual Activity Report that relate to the audited areas.

The fieldwork was finalised on 5 November 2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS did not identify any material risks that would give rise to critical or very important recommendations.

4.3.Audit on the governance and supervision of the nuclear decommissioning assistance programmes in DG ENER

Audit objectives and scope

The overall objective of this audit was to assess whether the governance and supervision of the programmes by DG ENER is adequate and effective. Specifically, the audit assessed DG ENER’s supervision of the implementing bodies and national implementation structures, as well as the monitoring of the operational and financial execution. The audit also followed up one "Important" recommendation outstanding after the 2012 audit 20 performed by DG ENER's IAC.

The audit covered the decommissioning programmes for the 2014-2020 period and DG ENER’s role in the governance and supervision of the implementation.

There are no observations/reservations in the DG's 2014 Annual Activity Report that relate to the area/process audited.

The fieldwork was finalised on 23/06/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following critical issue and very important issue:

Assessment of the ex-ante conditionalities – critical (Report finding N° 1)

The nuclear decommissioning regulations require the Member States to fulfil ‘ex-ante conditionalities’ in order to provide assurance, in the form of a financing plan, that the safe completion of the decommissioning can be achieved after termination of Union financial assistance. Furthermore, Member States have to provide the Commission with a detailed decommissioning plan, including a schedule and corresponding cost structure. The regulations allowed the Commission to suspend payments in case these ‘ex-ante conditionalities’ were not fulfilled in a satisfactory manner. These ex-ante conditionalities were introduced to address 21 the criticism made by the European Court of Auditors (ECA) in its Special Report 16/2011 and echoed by the European Parliament 22 in its decision on the 2011 discharge for the European Commission.

The audit found that DG ENER did not assess, as required by the regulations, whether the assurance provided by the financing plans established by Member States was satisfactory.

Control Strategy of DG ENER - very important (Report finding N° 2)

DG ENER has not yet defined an overall control strategy specifying how it will obtain reasonable assurance on the legality/regularity of the underlying transactions of the assistance programmes and the performance of the programmes based on the assurance provided by the implementing bodies and on its own monitoring missions.

Recommendations

To address this issue, the IAS formulated the following recommendations:

Assessment of the ex-ante conditionalities

As a matter of urgency, DG ENER should perform and document an in-depth review/assessment of the robustness of the financing plans considering the economic-financial-budgetary situation in each Member State and of the relevance and feasibility of the detailed decommissioning plans based on clear internal guidance developed beforehand and, in parallel, consult with the Legal Service and DG BUDG to establish which legal possibilities the Commission still has vis-à-vis the Member State concerned to provide further assurance and address the identified weakness (e.g. suspension of payments).

Control Strategy of DG ENER

DG ENER should, as part of its overall supervision of the Nuclear Decommissioning Assistance Programmes, define a comprehensive control strategy aimed at providing reasonable assurance with regard to (i) the legality and regularity of the underlying transactions and (ii) the performance of the programmes.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendations.

4.4.Audit on the supervision on the implementation of CEF in DG ENER

Audit objectives and scope

The overall objective of the audit was to assess whether the arrangements for supervising and monitoring the implementation of the Connecting Europe Facility (CEF) 2014-2020 programme were effective to support the achievement of the CEF objectives.

The audit focussed on the implementation of the new CEF programme in the transport and energy sector, in particular:

The design and early implementation of the supervision framework;

The cooperation, coordination and communication between the parent DGs and the Agency and with other stakeholders;

The implementation of the governance framework.

Due to the complex scheme underlying the implementation of CEF and the close link with the implementation of the Trans European Network-E policy, the audit also covered the supervision of the implementation of the Projects of Common Interest (PCIs) as the latter ensure the achievement of the policy objectives.

There are no observations/reservations in the DG's 2014 Annual Activity Report that relate to the area/process audited.

The fieldwork was finalised on 11 November 2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following very important issue:

DG ENER's supervision strategy on PCIs development (Report finding N° 1)

Although different mechanisms for the supervision of PCIs implementation exist (and more are planned for the near future), DG ENER has not yet established a formalised consolidated strategic document defining what it aims to achieve with its supervision activities over the full duration of the implementation of the CEF, and how it will be able to assess their effectiveness.

In addition, DG ENER does not have a formalised strategic document setting out how the different reports on the PCIs implementation received from various stakeholders will be used and followed up whilst, at the same time, avoiding duplication or gaps in the reported information.

The IAS also noted that DG ENER does not yet have an operational comprehensive monitoring tool to collect data for the whole list of PCIs in order to enable the follow-up of their implementation and to store the related information provided by the various mechanisms and sources.

Recommendation

To address this issue, the IAS formulated the following recommendation:

DG ENER's Supervision strategy on PCIs development

Building on the existing supervision elements, DG ENER should further develop and formalise an overarching supervision strategy on the PCIs development for the entire implementation period. This strategy should include achievable objectives and key performance indicators and should demonstrate the early detection of possible issues and to which extent the measures envisaged will collectively enable the progress of the PCIs to be monitored.

DG ENER should also formalise and implement a strategy for the exploitation of the reporting on PCIs implementation to ensure an efficient use of the existing reports provided by different stakeholders. In addition, DG ENER should rapidly finalise the development of a reliable and comprehensive tool for monitoring the implementation of the PCIs development.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendation.

4.5.Audit on strategic planning and programming / activity based management in JRC

Audit objectives and scope

The objective of the engagement was to assess the effectiveness of the JRC's process for setting objectives, performance indicators and targets, for aligning JRC's activities (Activity Based Management), and for monitoring and reporting on their achievement in the context of the strategic planning and programming cycle.

The audit focussed on:

Setting of objectives, indicators and targets in the management plan;

Preparation of the work plan for the JRC work programme;

Monitoring of the objectives, performance indicators and related targets in the management plan;

Periodic reporting and the annual activity report process.

There were no observations/reservations in the DG's 2014 Annual Activity Report that relate to the area or process audited.

The fieldwork was finalised on 30/06/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following very important issue:

Objectives, indicators and targets (Report finding N° 4)

Although SMART objectives have been defined in some cases, these are not always accompanied by RACER indicators 23 to enable the measurement of the extent to which the objectives have been achieved. This is exemplified by one of the two indicators established in the Horizon 2020 (H2020) legal base ('number of peer-reviewed publications in high impact journals'), which is not adequately measured and reported in the JRC management plan. This is an important deficiency as it results in unreliable reporting on the performance of JRC's activities. The calculation of the same indicator by peer DGs in the H2020 Research Family (for indirect research) follows different and more structured criteria.

Furthermore, weaknesses were noted in the definition of objectives and indicators to measure the economy and efficiency of the DG's operations and the mix of the different types of indicators is not always balanced. Finally, the information describing the targets (in the management plan and annual activity report) is not always sufficient to explain how the targets were set and if the targets are sufficiently ambitious to ensure an efficient performance of JRC. Further improvements are also possible in the internal controls to ensure the quality of the performance measurement system.

Recommendation

To address this issue, the IAS formulated the following recommendation:

Objectives, indicators and targets

JRC should improve the quality control on the strategic planning and programming cycle in particular with reference to the consistency of the indicators, the application of 'RACER criteria', and the definition and description of the targets. Within this framework, and in order to ensure full compliance with the H2020 legal base and to align JRC with the Research Family DGs, DG JRC should seek to establish a common approach with the Research family DGs for the calculation of the H2020 indicators.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendation.

4.6.Audit on the supervision on the implementation of CEF in DG MOVE

Audit objective and scope

The audit focussed on the implementation of the new CEF programme in the transport and energy sector, in particular:

The design and early implementation of the supervision framework;

The cooperation, coordination and communication between the parent DGs and the Agency, and with other stakeholders;

The implementation of the governance framework.

Due to the complex scheme underlying the implementation of CEF and the close link with the implementation of the Trans European Network-Transport policy, the audit also covered the supervision of the corridors development, as the latter ensure the achievement of the CEF programmes' policy objectives.

There are no observations/reservations in the DG's 2014 Annual Activity Report that relate to the area/process audited.

The fieldwork was finalised on 12 November 2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following very important issue:

DG MOVE's supervision strategy on corridors development (Report finding N° 1)

Although a strategy for the implementation of the core network corridors and some mechanisms for supervision of the corridors' development exist, DG MOVE has not yet established a formalised consolidated strategic document defining, on the basis of a robust assessment of supervision needs and possibilities, what it aims to achieve with its supervision activities, how it will supervise (monitor and steer) the corridor development until the end of the implementation of the programme and how it will be able to assess the effectiveness of its supervision activity.

Recommendation

To address this issue, the IAS formulated the following recommendation:

DG MOVE's supervision strategy on corridors development

Building on the existing elements, DG MOVE should further develop and formalise, based on a robust assessment of needs and possibilities, a comprehensive overall strategy for the supervision of the corridor development, setting out the supervision needs, the tools to be used and the degree of assurance to be provided. The strategy should define objectives and indicators allowing to measure the performance of the supervision activities and determining how detected issues will be addressed.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendation.

4.7.Audit on the set-up of the Common Support Centre for H2020 in DG RTD

Audit objective and scope

The overall objective of the audit was to assess the adequacy of the set-up of the Common Support Center (CSC) to fulfil its mandate, which is to provide high quality services, achieve efficiency gains and rationalisation of processes.

The scope covered the adequacy and effective application of the governance, internal control system and risk management process related to the management of the CSC. The audit covered the five CSC Units.

There were no reservations for the area under review in the 2013 Annual Activity Report of DG RTD.

The fieldwork was finalised on 19/06/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following very important issue:

Governance and decision making process (Report finding N° 1)

According to the current CSC governance, the Steering Board is the sole decision-making body and its decisions, binding for all the implementing bodies, can only be implemented once officially approved. This occurs during the Steering Board meetings (twice a year) or, as alternative, by written procedure (used only once so far). Consequently, the frequency of the decision-making does not allow an immediate implementation of key decisions even in those cases where agreement is reached at the level of the Executive Committee (which is in charge of preparing the meeting of the Steering Board).

Recommendation

To address this issue, the IAS formulated the following recommendation:

The CSC should take initiatives to ensure a more efficient decision-making process. In this respect, the CSC may consider revising its operating rules and distinguish the operational decisions that could be taken by the Executive Committee if a consensus is reached from those of strategic/political nature that can only be taken at the level of the Steering Board. As an alternative strategy, the frequency of the meetings of the Steering Board should be increased as well as the use of written procedures.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendation.

4.8.Audit on H2020 grant management in DG RTD: from the preparation of the work programme to the signature of the grant agreements

Audit objective and scope

The overall objective of the audit was to assess the effectiveness of the grant management process.

The audit focused on:

Whether the calls for proposals effectively support the achievement of the Horizon 2020 (H2020) objectives;

Whether the processes in place ensure that the most promising research projects are selected and translated into grant agreements, in compliance with the applicable rules;

DG RTD's role and responsibilities in the design of the business processes/procedures (as defined by the Common Support Centre for the entities implementing H2020 funds) and their implementation by DG RTD;

The work programme preparation and the management of the calls (proposal submission, selection and monitoring of experts, evaluation of proposals, grant award and contracting) under its direct remit;

The reporting mechanism to obtain information on the implementation of the work programme for delegated calls (i.e. feedback loop for policymaking).

There are no observations/reservations in the 2014 Annual Activity Report of DG RTD that relate to the area/process audited.

The fieldwork was finalised on 11/12/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS did not identify any material risks that would give rise to critical or very important recommendations.

4.9.Audit on the management and control systems for the implementation of LIFE 2014-2020 in EASME

Audit objective and scope

The overall objective of the audit was to evaluate the effectiveness and efficiency of EASME's management and control systems for the implementation of the LIFE 2014-2020 Programme.

The audit focussed on:

The control environment, including the control strategy, roles and responsibilities, decision making, and risk assessment processes and reporting arrangements;

The adequacy of the internal control system put in place by EASME for managing the awarding of grants, ex-ante controls including pre-payments;

The adequacy of the internal control system put in place by EASME to supervise the evaluation of proposals for LIFE action and operating grants and the project monitoring by external contractors.

There are no observations/reservations in the 2014 Annual Activity Report of EASME that relate to the area/process audited.

The fieldwork was finalised on 21 August 2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following three very important issues:

Control strategy (Report finding N° 1)

EASME's control strategy for the LIFE 2014-2020 programme to support the annual declaration of assurance of its Authorising Officer by (Sub) Delegation is not complete as measurable control objectives and key performance indicators on the achievement of those objectives are not yet defined and the risk based approach is not sufficiently detailed. Furthermore, the control strategy does not describe all controls, which are currently performed (for example in relation to the external contractor).

Internal procedures for the LIFE programme implementation (Report finding N° 2)

The EASME Manual of Procedures does not currently include procedures for the implementation of the LIFE 2014-2020 programme. EASME staff applies operational procedures that were adopted by DG ENV and which are not yet adapted to EASME's specific needs and workflow. Consequently, they require some re–designing to adapt them to the new LIFE 2014-2020 programme. The informal internal notes and instructions and the Grants Manual (only partly updated) do not cover the main procedures for the management of LIFE, notably those in the key areas of expert selection and management, evaluation of proposals, contract preparation and project monitoring.

Grants management (Report finding N° 3)

There is no formalised procedure in EASME for the approval of experts to be added to the initial pool provided by the contractor in charge of the evaluation of proposals.

In addition, the IAS detected shortcomings in the management of declarations of absences of conflict of interest and noted that the current guidelines are too vague for cases where existing situations of conflict of interest have not been declared.

Concerning the performance of the evaluation of grant proposals by an external contractor, the IAS noted that in one case the quality of the evaluation reports produced by the contractor was not "fully satisfactory", and the Agency had to re-perform tasks that were actually contracted out. However, for this particular contract, it did not take measures to reduce the amount to be paid to the contractor or to impose payment of liquidated damages. In another case, the Agency extensively reviewed the work performed by the contractor but could not produce a robust assessment showing that the extent and scope of the review were cost-effective.

Recommendations

To address these issues, the IAS formulated the following recommendations:

Control strategy

EASME should complete its control strategy applicable to the new programme, by including control objectives to be attained at the end of the programme's lifecycle and setting target values to measure the effectiveness and efficiency of the key controls applicable to the different stages of the implementation of LIFE (i.e. award, contracting, monitoring) and further develop the different elements of its risk-based control approach (including notably also the monitoring of the activities of the external contractors) and how the elements of the control strategy provide the building blocks of assurance regarding the legality and regularity of the use of resources.

Internal procedures for the LIFE programme implementation

EASME should develop and implement operational procedures specific to the implementation of LIFE by EASME, train its staff on how to apply them and ensure that they are uploaded on the EASME intranet.

Grants management

EASME, should formalise the procedure for the approval of experts in order to ensure the consistent use of clear criteria, adequate documentation and clear assignment of responsibilities. It should also provide more detailed guidance on how to deal with evaluation procedures where external experts are found not to have declared an existing case of conflict of interest.

The Agency should systematically perform checks to prevent double funding in relation to operating grants.

Finally, the Agency should ensure that future decisions to internalise evaluation work or to revise the work of the contractors are supported by a robust cost-effectiveness analysis and that a clear procedure for the application of liquidated damages to underperforming contractors is defined and implemented in order to detect and sanction failures to comply with contractual agreements.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendations.

4.10.Audit on the preparedness of the management and control systems for the SME instrument in EASME

Audit objective and scope

The overall objective of the audit was to assess EASME's preparedness to adequately manage the implementation of the dedicated Small and Medium sized Enterprises (SME) instrument under Horizon 2020 (H2020), notably if EASME has adequate internal controls to provide its Authorising Officer by Delegation (AOD) with reasonable assurance regarding the sound financial management of the SME instrument and the legality and regularity of the underlying transactions and if it has adequate internal controls to effectively monitor and evaluate the implementation of the SME instrument.

There were no reservations in EASME’s 2013 and 2014 Annual Activity Reports.

The fieldwork was finalised on 18/06/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following three very important issues:

Control framework (Report finding N° 1)

EASME's control strategy for the SME Instrument to support the annual declaration of assurance of its AO(Sub)D is not complete as measurable control objectives and key performance indicators on the achievement of those objectives are not yet defined and the risk based approach is not sufficiently detailed. In this context, it should be noted that the common ex-post control strategy for H2020 is not yet fully established and the assurance provided by this building block cannot yet be evaluated. Furthermore, the Agency has not yet developed or finalised its internal control methodology and tools, including checks to be performed in case of potential fraud (in particular double funding).

Guidance to evaluators and quality of evaluations (Report finding N° 2)

Based on the projects funded in 2014, it is expected that approximately 25% of the funding of a certain type of projects (innovation projects) will co-finance subcontracting costs. The stage of evaluation of proposals is a key moment at which the eligibility of subcontracting foreseen in a proposal and whether it provides good value-for-money is checked. This is of particular importance as this element is not subject to subsequent ex-post verifications. However, the audit identified weaknesses in the guidance given to the evaluators in this respect. Issues were also identified with the quality of the evaluations performed and with the internal methodology for following-up on the work of the evaluators as in two out of four cases tested the assessment of subcontracting costs and the value for money principle was not justified.

Workload analysis (Report finding N° 3)

The Agency has not yet performed a workload assessment of all the sectors implementing the SME Instrument. The performance monitoring tools currently in place are not sufficient to establish adequately the level of staff needed, as e.g. they do not allow measuring the average time spent on different tasks in order to be able to plan better use of resources in the future.

Recommendations

To address these issues, the IAS formulated the following recommendations:

Control framework

EASME should complete its control strategy applicable to the new programmes (in line with the applicable DG BUDG guidance and once developed, the common Research family control provisions), by including control objectives to be attained at the end of the programmes' lifecycle and setting target values to measure the effectiveness and efficiency of the key controls applicable to the different stages of the implementation of the SME Instrument (i.e. award, contracting, monitoring). In the meanwhile, EASME should measure the effectiveness of existing controls for the purpose of supporting the AOSD annual declaration of assurance and it should further develop how the different elements its risk-based control approach shall be implemented.

Guidance to evaluators and quality of evaluations

EASME should improve the relevant methodology and guidance for the evaluation of phase 2 proposals both for the EASME staff and for the evaluators to ensure that the evaluation results provide reliable assurance about the eligibility of sub-contracting costs.

Workload analysis

EASME should perform a workload assessment in all sectors implementing the SME instrument using consistently the existing workload indicators in order to identify the resources needed to accomplish the tasks.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendations.

4.11.Audit on H2020 grant management in ERCEA: from the preparation of the work programme to the signature of the grant agreements

Audit objective and scope

The overall objective of the audit was to assess the effectiveness of the internal control system for Horizon 2020 (H2020) grant management in ERCEA.

The audit focussed on:

Whether or not the calls for proposals effectively supported the achievement of the H2020 objectives as represented in the ERC 2014 and 2015 work programmes;

Whether or not the research proposals, which support the achievement of the H2020 objectives, were selected and translated into grant agreements in compliance with the applicable rules;

The first implementation phases of H2020 from the planning of the evaluation of proposals to the signature of the Grant Agreements by ERCEA in 2014 and in 2015. This included the support provided to the Scientific Council for the evaluation and selection of proposals.

There were no observations/reservations in the Annual Activity Report that relate to the area/process audited.

The fieldwork was finalised on 17/11/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS did not identify any material risks that would give rise to critical or very important recommendations.

4.12.Audit on the preparedness of the management and control system for CEF and H2020 in INEA

Audit objective and scope

The overall objective of the audit was to assess INEA's preparedness to adequately manage the implementation of the new Connecting Europe Facility (CEF) programmes (CEF-Transport, CEF-Energy and CEF-ICT) and the two societal challenges "Smart, Green and Integrated Transport" and "Secure, Clean and Efficient Energy" under Horizon 2020 (H2020).

The audit focused on:

The risk management and controls in place in the award and contracting stages of the grant management;

The assurance that the Agency can obtain from these controls;

The quality of the related reporting for both CEF and H2020.

There are no observations/reservations in the 2014 Annual Activity Report (AAR) of INEA that relate to the area/process audited.

The fieldwork was finalised on the 30 September 2015. All observations and recommendations relate to the situation on that date.

Major audit findings

The IAS has identified the following very important issue:

Control strategy and assurance building process (Report finding N° 1)

INEA has not incorporated the existing controls into a comprehensive, formalised control strategy encompassing all the controls to be implemented during the different stages of the grant management process and describing how they collectively contribute to building assurance on the legality and regularity of the underlying transactions and the sound management of resources. Additionally, the control objectives and key performance indicators to measure the effectiveness and efficiency of the controls are not sufficiently developed and the ex-ante and ex-post controls on interim and final payments have not yet been fully established.

Recommendation

To address this issue, the IAS formulated the following recommendation:

Control strategy and assurance building process

Based on the existing control elements, INEA should further develop an overarching control strategy for the implementation of CEF and H2020, in line with the corporate guidance. This strategy should include sufficiently developed control objectives and key performance indicators and should ensure that the controls envisaged collectively provide a reasonable level of assurance to the Authorising Officer by Delegation (AOD), with no gaps or duplications. Pending the finalisation and implementation of the control strategy, INEA should ensure that the AOD has sufficient elements to support his/her annual declaration of assurance in the AAR.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendation.

4.13.Audit on the implementation of the Anti-Fraud strategy in REA

Audit objective and scope

The objective of the audit was to assess the effectiveness of the Agency's Anti-Fraud Strategy for FP7 programmes in ensuring adequate and effective implementation of the governance, risk management and control processes for the prevention, detection and follow-up of fraud.

The audit focused on:

Internal organisation, operational processes and planning;

Communication and information;

Human resources and knowledge management;

Security and integrity of the information.

The Agency did not make any reservations that are directly related to the scope of the audit in its 2014 Annual Activity Report.

The fieldwork was finalised on 15/06/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following very important issue:

Potential overlaps for the researchers participating in the COFUND actions (Report finding N° 1)

REA has developed a series of reports to detect overlaps in EU funding, whereby fellows recruited under COFUND projects would also be receiving funds from other Marie Curie actions. However, there are no such checks performed to detect overlapping fellowships to researchers recruited in two or more different COFUND projects running simultaneously, who could thus be double-funded for the same period.

Recommendation

To address this issue, the IAS formulated the following recommendation:

Potential overlaps for the researchers participating in the COFUND actions

The Agency should run and analyse on a regular basis reports from the existing IT systems and databases in order to identify and prevent any potential overlaps and possible double funding from happening and recover ineligible expenditure for confirmed cases of overlapping fellowships.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendation.

5.External actions

5.1.Audit on the design and implementation of EU trust funds

Audit objectives and scope

The overall objective of this audit was to assess the adequacy of the design and implementation of the EU Trust Funds' (TF) governance processes, their compliance with the legal provisions, and the efficiency and effectiveness of their internal control systems, including financial management and accounting aspects.

The audit focused on:

The design of the existing regulatory framework for TFs (Commission decisions, Constitutive Agreement, Guidelines on EU TFs);

The implementation of two TFs: TF "Bêkou", established in July 2014 and managed by DG DEVCO and TF "Madad" 24 , established in December 2014 and managed by DG NEAR.

There are no observations and reservations in the 2014 AAR of DG DEVCO, DG NEAR and DG BUDG that relate to the EU TFs.

The fieldwork was finalised on 9 October 2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following two very important issues:

Governance processes (Report finding N° 1)

The established governance and decision making process requires that a number of key strategic decisions, including how the funds will be used, the approval of the TF's annual report and annual accounts and extension of the duration of the TF, are taken by the Operation Committee of the TFs which is established below the Trust Fund Board (Art. 259 of the Rules of Application to the Financial Regulation). Since only donors contributing above a certain threshold are represented in this Committee, the established structure does not fully correspond to the provision of the FR which states that strategic decisions are to be taken by the Trust Fund Board in which all donors and non-donor MS should be represented.

In addition, the TF Manager is empowered to decide on exceptions and non-compliance events without informing the chair of the Operational Committee (i.e. the line Director) on a timely basis. This is neither in line with the ordinary procedure in place in DG DEVCO and DG NEAR nor is it justified by the need to ensure better efficiency.

Performance management (Report finding N° 5)

At present, there are no specific objectives, indicators and targets to measure the operational performance of the TF. None of the TFs prepared an annual work plan for 2015 and the Guidelines on EU TFs do neither provide either a template nor baseline requirements for it. The Action Documents, which are supposed to set out how progress of the actions will be monitored, do not include a description of the performance monitoring arrangements relating to planned actions in a majority of cases.

Recommendations

To address these issues, the IAS formulated recommendations which can be summarised as follows:

Governance processes

DG DEVCO should ensure that strategic decisions on future TFs are taken at the level of the TF Board and not by the Operational Committee. This should be achieved by revising the template of the Constitutive Agreement and by means of specific instructions in the Guidelines on EU TFs.

For existing TFs, the DGs should ensure that non-donors and not represented (small) donors are duly informed on the decisions taken by the Operational Committee.

Performance management

DG DEVCO and DG NEAR should enhance their performance framework and develop a set of indicators for measuring the operational efficiency and effectiveness of the TFs. DG DEVCO should revise the Guidelines on EU TFs and provide instructions and a template for the annual work plan as well amend the Action Document template. Both DGs should ensure that the approved Action Documents include adequate performance monitoring information.

The recommendation on the governance process was initially rejected by DG DEVCO and partially accepted by DG NEAR. Subsequently, the recommendation has been accepted by DG DEVCO (when submitting the action plan) and by DG NEAR (after the discussion at the 84th APC meeting) and the audited services have established action plans which the IAS considers satisfactory to address the recommendations.

5.2.Audit on preparedness for the Instrument for Pre-Accession Assistance (IPA II) in DG NEAR

Audit objectives and scope

The overall objective of the audit was to assess DG NEAR's preparedness for the implementation of the IPA II instrument.

The specific objectives included an assessment of the following:

Effective and timely implementation of the strategic planning set in the 2014 Management Plan of DG NEAR, also taking into account the legal requirements (i.e. Regulation (EU) No 231/2014 establishing an Instrument for Pre-accession Assistance – IPA II) 25 ;

Effectiveness and consistency of the guidance on Budget Support as new implementation modality (guidelines, training, templates, etc.) provided at both Headquarters and EU Delegation level;

Effective integration by DG NEAR of the IPA tasks previously managed by DG REGIO and DG EMPL;

Appropriateness of the performance-driven and results-oriented programming: objective setting, regular performance reviews based on RACER indicators.

There are no observations/reservations in the AAR 2013 that relate to the area/process audited.

The fieldwork was finalised on 20 March 2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following two very important issues:

Preparedness for the assessment of performance (Report finding N° 1)

The internal planning to ensure the successful completion of performance assessment has been unrealistic without clear milestones and deliverables. Weaknesses have been identified in the target setting for indicators. Indicators currently available are not RACER and a weighted method for performance assessment to provide comparability among countries which are different in terms of sectors of focus, stages of maturity in implementing IPA II and quality of data provided has not yet been developed.

HR planning for EUDs implementing IPA II (Report finding N° 2)

The shift to IPA II was not underpinned by an updated workload assessment. Staff to be potentially freed for other activities (due to the decrease of ex-ante controls and of the gradual introduction of Budget Support as implementation modality) has not been estimated. In addition, the uncoordinated process for the rotation of key staff in the Delegation to Turkey, the EU Delegation managing the biggest financial envelope attributed to a third country, led to disruption of activities, heavy reliance placed on local staff and strong support and guidance needed from Headquarters.

Recommendations

To address these issues, the IAS formulated recommendations which can be summarised as follows:

Performance assessment

DG NEAR should define a realistic planning for the timely completion of the performance assessment framework for IPA II, including a clear and stable roadmap, the development of RACER indicators and a weighted method to ensure comparability among countries.

HR planning for EU Delegations implementing IPA II

DG NEAR should carry out an updated workload assessment covering the whole programming period for IPA II and improve the planning for the rotation exercise for DG NEAR staff in close cooperation with the EEAS.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendations.

5.3.Audit on DG NEAR's control strategy

Audit objectives and scope

The overall objective of the audit was to assess whether DG NEAR's control strategy is adequate, effectively implemented, systematically monitored and adequately reported on, and whether it ensures that corrective measures are taken promptly and proportionately in order to obtain reasonable assurance on the legality and regularity of transactions.

The audit focused on the assessment of:

The efficiency of the control coordination following the merger of the former DG ELARG and DEVCO Dir. F;

The adequacy of the design and the effectiveness of the control strategies in force in DG NEAR;

The effectiveness of the controls underpinning the assurance building process of DG NEAR (in particular system audits, ex-ante 26 and ex-post checks, monitoring, reporting by EU Delegations to Headquarters);

The timeliness and adequacy of corrective measures taken by DG NEAR.

Regarding the processes under the scope of this audit, the following reservations were included in the AAR 2014:

a)DG DEVCO: global reservation due to the error rate above 2%, impacting all ABB activities (the reservation was based on a global Residual Error Rate study that did not allow an estimation of a representative error rate by ABB activity or other sub-categories of expenditure)

b)DG NEAR presented two reservations:

The residual Error Rate for Indirect Management by Beneficiary Countries (due to the increased weight of Turkey in the audit population and in the audited sample with errors and irregularities mostly related to procurement) 27 ;

The adverse effect on the Commission's reputation with regard to the recording of costs reported under indirect management by entrusted entities due to weaknesses in the procedures for recognising interim costs.

The fieldwork was finalised on 8 December 2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following very important issue:

Assurance building process for entrustment (IPA) (Report finding N° 1)

Audits of the management and control systems of IPA beneficiary countries are key in providing assurance to the DG that these countries can be entrusted with budget implementation tasks. The different assurance activities carried out by the systems audit team are an important building block to provide reasonable assurance to the relevant Authorising Officer by Sub-Delegation on the design and reliability of beneficiaries' management and control systems. Although the systems audit team's work has so far allowed to identify systemic deficiencies, which were not or insufficiently reported under IPA I, significant weaknesses were identified in this process. There was no realistic planning of systems audits for 2015, the guidance provided to the auditors is out-of-date and needs revision and the audit work needs to be improved in terms of documentation, reporting of results and use of external experts.

Recommendation

To address this issue, the IAS formulated a recommendation which can be summarised as follows:

Assurance building process for entrustment (IPA)

DG NEAR should review the design and implementation of the systems audits for IPA in order to improve their effective contribution to the assurance of the Authorising Officer by Sub-Delegation. This should include defining the recommended audit approaches and improving the working methods of the systems audit function. The audited service has established an action plan which the IAS considers satisfactory to address the recommendation.

5.4.Audit on the management of the African Peace Facility

Audit objectives and scope

The objective of the audit was to assess the adequacy and effectiveness of the management and internal control systems set up by DG DEVCO as regards the financial management and operational monitoring of the African Peace Facility (APF), in order to ensure that the African Union Commission (AUC) and other organisations implement the APF according to legality, regularity and sound financial management principles.

The audit focussed on:

The adequate implementation by DG DEVCO of the measures inserted in the agreements with the AUC/other organisations to mitigate weaknesses detected in the various assessments (pillar assessments, external audits, evaluations, etc.);

The overall financial and operational monitoring by DG DEVCO services of the implementation of the APF by the AUC and other implementing organisations – Regional Economic Communities (RECs) 28 .

The audit fieldwork was finalised on 27 November 2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following four very important issues:

Institutional assessment and monitoring by DG DEVCO of the partnership with the AUC (Report finding N° 1)

The various pillar assessments and other evaluations have shown that the AUC has never fully complied with the Financial Regulation requirements for signing agreements under indirect management. No subsequent sufficiently structured and comprehensive action plans have been designed to reduce the identified weaknesses. Furthermore, neither have these weaknesses been systematically followed up nor was there a continued, formalised and structured monitoring that has enabled DG DEVCO to collect key information on the financial management of the AUC, despite its difficult financial situation and high dependency on EU funding.

Design and effectiveness of the remedial/mitigating measures at contract level (Report finding N° 2)

The special conditions in the agreements signed with the AUC under indirect management since 2012 contain specific remedial measures to mitigate the financial risks related to the weaknesses identified in the pillar assessments. Since 2014, these mitigating measures have been neither adequately designed nor effectively implemented in order to mitigate effectively the institutional weaknesses identified. In particular, there has been no long-term expertise (technical assistance) on financial management to the AUC since October 2014. In addition, there is no sufficient information on the frequency, content, reliability and results of the management controls or internal audits undertaken by the AUC on the APF-funded operations. Furthermore, the delays in the audit process (including time to launch and execute the audits) have already led to DG DEVCO having to waive recovery of amounts unduly paid to APF operations. The IAS observed that 57% of the APF payments have not yet been covered by audits (of which half relate to on-going contracts and the other half to contracts for which the implementation period expired at the end of 2014 but the final reports from the AUC are not available or audits have not yet been launched or finalised).

Governance and coordination between DG DEVCO – EU Delegations – EEAS (Report finding N° 3)

The various EU actors (DG DEVCO headquarters, the EU Delegation to the AU and the EEAS) have neither established detailed working arrangements nor clearly defined their respective roles and responsibilities for the monitoring of the APF projects. This prevents them from having a complete and accurate view on the implementation of the actions funded by the APF.

Reporting on the APF and management representations (Report finding N° 4)

The current reporting arrangements (in particular the APF Annual Report) do not provide sufficient information to the stakeholders on the current state of play and on the implementation of the projects funded by the APF.

Recommendations

To address these issues, the IAS formulated the following recommendations:

Institutional assessment and monitoring by DG DEVCO of the partnership with the AUC

DG DEVCO should negotiate and conclude a new action plan/aide-mémoire with the AUC which should take into account the results of the latest pillar assessment, in particular regarding the accounting, procurement and sub-delegation processes assessed as non-compliant with the Financial Regulation. The new aide-mémoire should include provisions on reinforced and result-oriented Technical Assistance and elements to increase DG DEVCO's visibility of the AUC's internal controls. In addition, DG DEVCO should implement, together with the AUC, a structured monitoring system of the APF.

Design and effectiveness of the remedial/mitigating measures at contract

DG DEVCO should amend the existing APF (and non-APF) contracts with the AUC by including specific remedial measures for the non-compliant pillars and for cross-cutting issues, in order to take into account the results of the latest pillar assessment.

Furthermore, DG DEVCO should re-design the content of the technical assistance in the corresponding new contract (APF Expert Pool), taking a result-oriented approach and fully coordinated with the AUC, in order to effectively address the institutional weaknesses identified in the pillar assessment and the internal control weaknesses identified in the external audit reports.

Governance and coordination between DG DEVCO – EU Delegations – EEAS

DG DEVCO should improve the monitoring of the APF-funded agreements by strengthening and structuring the coordination between DG DEVCO headquarters, the EU Delegation to the AU, the other EU Delegations to the RECs and the EEAS. Following a resource needs assessment, DG DEVCO should consider rebalancing resources within the DG or setting up a specific task force (for a predefined period) in order to allocate the appropriate resources to the management of the APF.

Reporting on the APF and management representations

DG DEVCO should define appropriate reporting arrangements to its senior management and stakeholders that should include the main operational and financial highlights for each APF action (notably those identified by DG DEVCO or the external contractors and/or communicated by the AUC).

The audited service has established an action plan which the IAS considers satisfactory to address the recommendations.

5.5.Audit on the adequacy and effective implementation of DG ECHO's Anti-Fraud strategy

Audit objectives and scope

The objective of the audit was to assess the effectiveness of the DG's Anti-Fraud Strategy in ensuring adequate and effective implementation of the governance, risk management and control processes for the prevention, detection and follow-up of fraud.

The audit assessed the following main areas:

Internal organisation: DG ECHO's processes and procedures necessary for the implementation of the Commission's Anti-Fraud Strategy and for putting in place a robust Anti-Fraud Strategy and action plan tailored to the DG specific environment; activities and risks to timely and effectively prevent and detect fraudulent activities;

Communication and information: i) communication to management, staff and implementing partners on fraud risk management, ethics and integrity in order to ensure that they are aware of fraud risk management activities, of their roles and responsibilities; ii) monitoring and reporting on alleged fraud, sanctions and recovery (in coordination with OLAF and central services); iii) DG ECHO's review of the outcome and impact of its fraud prevention and detection controls;

Stakeholder management: monitoring controls regarding the legal and regular use of EU funds entrusted to the implementing partners; DG ECHO's controls for ensuring that the implementing partners have been properly advised on their responsibilities regarding Anti-Fraud measures for safeguarding EU funds.

There are no observations/reservations in the 2014 AAR that relate to the area/process audited.

The fieldwork was finalised on 8 May 2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS did not identify any material risks that would give rise to critical or very important recommendations.

6.Education and citizenship

6.1.Audit on DG HOME's preparedness for 2014-2020 legislation under shared management

Audit objectives and scope

The overall objective of the audit was to assess DG HOME's preparedness for the implementation of the new legislation under shared management.

In conducting this audit, the IAS clearly recognises that the development of DG HOME's procedures for the implementation phase of the new ISF/AMIF funds, including its control architecture, is very much an on-going process. This is reflected in the audit results, as far as they present a snapshot at a particular point in time. Indeed, the early nature of this audit was designed precisely with the aim of helping the DG to identify any possible weaknesses in DG HOME's preparedness giving the opportunity for an early improvement of the process, if needed.

The scope of the audit focussed on the following four areas:

The Overall Planning of Activities (e.g. roadmap) established by DG HOME for the setting up and implementation of the new legislation;

The process of assessment and approval of National Programmes (NPs) in order to approve policy and results-driven programmes, which are able to respond to changing needs and which contribute to achieving key EU Home affairs objectives;

DG HOME's review of the Designation of Responsible Authorities (RAs) by Member States (MS), which is one of the novelties of the new legislative framework and a key building block of control and assurance;

DG HOME's Control architecture to build assurance on the effective management of the new funds under shared management.

There are no observations/reservations in the AAR that relate to the area/process audited.

The fieldwork was finalised on 05/06/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following three very important issues:

Assessment and Approval of NPs (Report finding N° 2)

Delays were noted in the adoption of NPs 29 and the analysis of NPs performance elements does not include an assessment of the reliability of MSs performance data.

Designation of Responsible Authorities by MS (Report finding N° 3)

Delays were noted in the designation of RAs by MS 30 . DG HOME was drafting its procedure for reviewing the MS 'Designation process' and some gaps were identified regarding the review of the controls to be performed by the Competent Authorities in the MS.

DG HOME's control architecture (Report finding N° 4)

DG HOME is currently developing several control procedures for the new funds under shared management, but these are not yet brought together to form an overall control strategy. Two main control documents are being drafted by DG HOME: (1) the procedure for the 'Annual Clearance of accounts' and (2) the 'Audit Strategy 2014-2020 - shared management'. The IAS identified several control gaps and/or aspects requiring clarification.

Recommendations

To address these issues, the IAS formulated recommendations which can be summarised as follows:

Assessment and Approval of NPs

DG HOME should ensure that MS are clear on the limited scope of its review when approving the NPs and on the more detailed reviews of MCS planned by the DG during the designation process. The DG should continue to build up a performance culture in its funds through active monitoring during the implementation of NPs, particularly by assessing the reliability of performance data reported by MS and challenging the adequacy of target values, when relevant 31 . Finally, DG HOME should continue its efforts to ensure swift adoption of the outstanding NPs through continued monitoring and regular communication with MS. Particular attention should be focussed on the MS which are less responsive and the steps taken recently aimed at shortening the process for the formal adoption of NPs (e.g. shorter ISC and translation deadlines), need to be continued in order to ensure that all MS NPs are approved by year-end.

Designation of Responsible Authorities by MS

DG HOME should finalise its draft procedure for reviewing the Designations as soon as possible. Furthermore, the gaps on the DG's analysis of the Designating Authority, RA and Audit Authorities (AA) should be addressed. Depending on the information gathered during the 'Designation meetings' on the robustness of RAs and AAs procedures, DG HOME should assess the need for further guidance, particularly on sampling (mainly for RAs) and types of audit opinions (for AAs). DG HOME should also monitor closely and report on pending Designations in order to accelerate the process of designations and have all RAs of approved NPs designated by year-end.

DG HOME's control architecture

DG HOME should establish an overall 'Control Strategy' comprising all control layers and procedures (i.e. ex-ante and ex-post; financial and operational) which clearly explains the links and information flows between them (i.e. how information obtained in one control stage is gathered and fed back to next control stages). The DG should monitor closely the negotiations on the three Implementing and Delegated Acts not yet adopted and, once adopted, should work with the MS to develop practical methods and tools for Monitoring and Evaluation. It should finalise the procedure for the 'Annual clearance of accounts', clarify in particular the impact on the clearance decision where cases of ineligible projects have been detected and set out how to address issues detected concerning the quality of the AA work on previous and future controls 32 .

The DG should also finalise the 'Audit Strategy 2014-2020 – Shared Management' and clarify the Audit Plan for 2015 and 2016, including the implications in terms of audit resources and how to address the possible resources shortages and their impact on the DG's annual assurance 33 . It should also be explained how assurance will be obtained on the reliability of the AA to ensure that the 'single audit concept' can be applied in practice, and the rationale for the sampling approach chosen (representative vs. risk-based) and for confirming the legality and regularity of expenditure on an annual basis 34 should be clarified. In addition, DG HOME should set out the approach for dealing with the risk of fraud and unreliable performance data'. This should include the need for audits (as a second layer of control) if the regular monitoring mechanisms do not yield the necessary assurance 35 . Finally, DG HOME should better exploit the 'capacity building' actions (e.g. guidance and training) to the national authorities developed by the ESIF (European Structural and Investment Funds) DGs 36 and, in case of common MS authorities, relevant information (e.g. on the reliability of those authorities) should be systematically shared.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendations.

6.2.Audit on the effectiveness and efficiency of the Erasmus+ control strategy in the Education, Audio-visual and Culture Executive Agency and in National Agencies (DG EAC)

Audit objectives and scope

The overall objective of the audit was to assess if the control strategy for the Erasmus+ programme is adequately designed and is effectively and efficiently implemented.

The scope of the audit in DG EAC focused on supervisory and control activities in relation to the direct management by EACEA, the indirect management by NAs and the roles and responsibilities of DG EAC and EIF in Student Loan Guarantee Facility.

There are no observations/reservations in DG EAC's 2014 AAR that relate to the area/ process audited.

The fieldwork was finalised in DG EAC on 16 October 2015. All observations and recommendations relate to the situation as of these dates.

Major audit findings

The IAS did not identify any material risks that would give rise to critical or very important recommendations.

6.3.Audit on the effectiveness and efficiency of the Erasmus+ control strategy in the Education, Audio-visual and Culture Executive Agency and in National Agencies (DG EACEA)

Audit objectives and scope

The overall objective of the audit was to assess if the control strategy for the Erasmus+ programme is adequately designed and is effectively and efficiently implemented.

In respect to EACEA, the scope of the audit focused primarily on the ex-ante controls performed on the Erasmus+ projects after the signature of the grant agreement/ decision. In addition, the IAS performed a high-level review of the ex-post controls currently in place. The high-level review consisted of an analysis of the design of the ex-post control strategy for Erasmus+ (e.g. roles and responsibilities, procedures, methodology, calculation of error rate and reporting arrangements). It did not include any substantive tests on the effective implementation of the strategy, due to the early stage of the Erasmus+ programme life-cycle, which means projects are not yet included in the ex-post controls performed during the period covered by the scope of the audit 37 .

There are no observations/reservations in DG EACEA's 2014 AAR that relate to the area/ process audited.

The fieldwork was finalised in EACEA on 6 October 2015. All observations and recommendations relate to the situation as of these dates.

Major audit findings

The IAS did not identify any material risks that would give rise to critical or very important recommendations.

6.4.Limited review of the calculation and the underlying methodology of the residual error rates for the 2014 reporting year in DG EAC

Audit objectives and scope

The objective of the engagement was to review the calculation and underlying methodology of the multi-annual residual error rate (RER) reported by DG EAC in its (draft) 2014 Annual Activity Report (AAR) 38 , and in doing so, help DG EAC mitigate the discharge risk by enabling it to take appropriate actions, if any, before their disclosure in the final AAR and Synthesis report.

The review covered the following aspects:

The process and methodology for the calculation of the RERs for the different management modes of DG EAC, including the controls performed by DG EAC on the data reported by the National Agencies (NAs);

The calculated RERs;

The presentation of the RERs in the draft AAR;

Compliance with the Standing Instructions for the 2014 AAR.

The IAS reviewed the draft AAR transmitted to the central services (SG/BUDG) on 27/02/2015 and the preliminary RER calculations up to that date.

The audit fieldwork was finalised on 18/03/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS did not identify any material risks that would give rise to critical or very important recommendations.

7.Economic and financial affairs

7.1.Audit on the performance of DG GROWTH's supervision of ESA's implementation of GALILEO

Audit objectives and scope

The overall objective of the audit was to assess the efficiency and effectiveness of DG GROWTH's strategy for the supervision of the deployment phase of the Galileo Programme entrusted to ESA.

The audit focused in particular on:

The supervision framework including the division of roles, responsibilities and delegated tasks between DG GROWTH and ESA for the management of the Galileo Programme;

The adequacy of the management tools put in place by DG GROWTH to supervise the Galileo deployment phase activities entrusted to ESA;

The co-operation and co-ordination between DG GROWTH and ESA.

There are no observations/reservations in the DG’s 2014 AAR that relate to the area/process audited.

The fieldwork was finalised on 15 July 2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following three very important issues:

Implementation of the procurement activities (Report finding N° 1)

The type of checks performed by the different units currently involved in the review of the acquisition plans have not yet been clearly documented in order to ensure that there are no gaps or overlaps. In addition, DG GROWTH's internal deadlines for the contributions of the different units to the approval process of the acquisition plan are often not respected and there are no documented clear criteria for the approval of ESA's procurement proposals. Other weaknesses identified included the non-availability of a consolidated and updated acquisition plan and weaknesses in the communication with ESA on approval decisions.

Cooperation between DG GROWTH and ESA (Report finding N° 2)

The revised baseline of the deployment activity (what has to be achieved) to replace the current out-of-date one has not yet been fully agreed with ESA. In addition, there is no formalised mandate for the different Programme Governance Boards and the decisions taken at senior management level are not always clearly recorded.

DG GROWTH's Supervision Strategy (Report finding N° 3)

Currently there is no documented supervision strategy defining what the DG wants to achieve with its supervision activities, how it will be able to assess them, which of ESA's activities should be monitored, as well as what assurance DG GROWTH needs from Directorate J. In the absence of a documented supervision strategy resources cannot be allocated according to priorities to ensure that they are used in the most cost-effective way.

Recommendations

To address these issues, the IAS formulated recommendations which can be summarised as follows:

Implementation of the procurement activities

DG GROWTH should clarify the roles of Units J2, R1 and 02 to prevent any potential gaps or overlaps in the review of the legality and regularity aspects of procurement proposals from ESA, set clear internal deadlines for the contributions of the different units to the procurement process, monitor the respect of the deadlines and document clear approval criteria.

DG GROWTH should furthermore ensure that a consolidated and up-to-date acquisition plan is available and that the communication with ESA about procurement proposals cannot lead to misunderstandings.

Cooperation between DG GROWTH and ESA

DG GROWTH should urgently reach an agreement with ESA on the necessary update of the baseline and ensure that all deployment phase activities can continue in accordance with the plan. It should also formalise mandates for Programme Governance Boards and ensure that the decision making process is adequately documented and action plans followed-up accordingly.

DG GROWTH's Supervision Strategy

DG GROWTH should formalise its Galileo supervision strategy, defining the level of assurance it wants to achieve with its supervision activities, what is expected in terms of output and what resources are required based on the specific delegation agreement tasks, thus ensuring that the current supervision activities correspond to the DG's needs and management priorities (with no gaps or overlaps) and that performance can be assessed.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendations.

7.2.Audit on financial and procurement management in DG TRADE

Audit objectives and scope

The objective of this audit was to assess the adequacy of the design and the effective implementation of DG TRADE's internal control system, risk management and governance processes related to financial and procurement management.

This engagement covered operational and administrative budget lines directly and entirely managed by DG TRADE as Authorising Officer by Delegation (AOD). The audit mainly focused on transactions and procurement procedures related to the financial year 2014.

There are no observations/reservations in DG TRADE's 2014 AAR that relate to the area/process audited.

The fieldwork within DG TRADE was finalised on 30/05/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following very important issue:

Compliance issues in the procurement process (Report finding N° 1)

The audit revealed a number of non-compliance issues, either with the current Financial Regulation and its Rules of Applications, with DG BUDG's Vademecum on Public procurement or with DG TRADEs internal procedures regarding key steps of the procurement process. More specifically, non-systemic weaknesses were found as regards the equal treatment of tenderers. In one case, the type of contract was changed from a Framework contract to a single service contract with a maximum ceiling. This change amended the conditions of the contract and directly impacted the contractual and price provisions specified in the tender documents. This modification does not comply with the principle of equal treatment. Further weaknesses were identified by the IAS concerning the definition and the assessment of evaluation criteria and their disclosure in the evaluation report, the respect of formal time limits concerning the replies to questions, and divergences between the recommendation of the evaluation committee and the award decision.

Recommendation

To address this issue, the IAS formulated a recommendation which can be summarised as follows:

Compliance issues in the procurement process

In order to ensure compliance with the FR, the RAP, the Vademecum on public procurement and with its internal procedures, DG TRADE should reinforce targeted supporting measures regarding the drafting and content of the tender specifications, the evaluation process and the consistency between of the decisions taken and their formal justifications. Furthermore DG TRADE should adapt its templates and procedures to ensure completeness, relevance and proper justification of the information disclosed in the evaluation report.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendation.

7.3.Audit on European trade defence instruments in DG TRADE

Audit objectives and scope

The overall objective of the audit was to assess the performance of DG TRADE in managing the inherent risks related to the European trade defence instruments.

The audit covered for the three instruments governance and organisation, planning and monitoring, processes and procedures, and communication, information and stakeholder management.

There are no observations or reservations in the DG's 2014 AAR that relate to the audited area.

The fieldwork was finalised on 19/10/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS did not identify any material risks that would give rise to critical or very important recommendations.

7.4.Audit on knowledge management in DG COMP

Audit objectives and scope

The overall objective of the audit was to assess the efficiency and effectiveness of the knowledge management process put in place by DG COMP to address the risk of losing knowledge and expertise in competition case handling.

The scope of the audit focussed on the management of technical knowledge on case handling and policy matters for the three enforcement instruments in DG COMP (Mergers, Antitrust & Cartels and State Aid).

There are no observations/reservations in the DG's 2014 AAR that relate to the process audited.

The fieldwork was finalised on 30/09/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS did not identify any material risks that would give rise to critical or very important recommendations.

7.5.Consulting engagement on objective and indicator setting in the context of DG FISMA's management plan

Audit objectives and scope

The consulting engagement was performed at the request of DG FISMA's management made in the context of the IAS' Stakeholder Survey 2014.

The overall objective of the engagement was to review the processes put in place by DG FISMA 39 for setting objectives and performance indicators when preparing its Management Plan (MP) and to advise on potential improvements.

The scope did not involve the IAS reformulating objectives, developing new indicators, setting concrete targets, developing concrete templates or examining the link between activities and resources.

Major audit findings

The consulting engagement resulted in a number of recommendations and suggestions for improvement which aim to provide DG FISMA with a more solid platform for the preparation of the Strategic Plan 2016-2019 and the Annual Management Plan 2016 and more generally in the move towards a more performance based culture. They are designed to be of practical assistance and the IAS expects the DG to reflect carefully on how they can be applied in practice. However, as this is a consulting engagement and not an audit, the IAS did not require DG FISMA to prepare an action plan and will not follow up the recommendations in the way it would do for an audit.

8.General services

8.1.Audit on the support by EUROSTAT to the Europe 2020 strategy and the new Commission priorities

Audit objectives and scope

The overall objective of the audit engagement was to assess whether EUROSTAT has put in place an efficient and effective process to provide up-to-date statistical data in the areas covered by the Europe 2020 strategy and the new Commission priorities to help to monitor progress towards the related targets.

The audit examined the core process of producing European statistics in EUROSTAT, (including quality review and validation), with a particular focus on the following indicators:

The Europe 2020 headline indicators;

The resource efficiency scoreboard;

The key employment and social indicators scoreboard in the Joint Employment Report (JER) under the European Semester.

The audit also covered EUROSTAT's provision of methodological support and advice to the DGs for the production of other statistics 40 .

There are no observations, or reservations, in EUROSTAT's 2014 AAR that relate to the area audited.

The fieldwork was finalised on 30/09/2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following very important issue:

Use of other statistics and EUROSTAT’s role (Report finding N° 1)

There is no evidence that other statistics used by the DGs to demonstrate progress made in achieving Europe 2020 targets are subject to a quality assurance review (performed by the DGs themselves or by an independent body), equivalent to the process implemented by EUROSTAT for European Statistics. EUROSTAT has to perform a planning and coordination exercise for the DGs with which it has signed Memoranda of Understanding. In this context, it compiles an inventory of other statistics and a Statistical Master Plan 41 . According to its mandate, EUROSTAT also has to provide methodological support, guidance, training and advice to the DGs but not a quality assurance review of other statistics.

However, the IAS noted that so far EUROSTAT has signed Memoranda of Understanding with only eleven DGs/Services out of 20 producing other statistics (hence not covering all the possible other statistics produced in the Commission). In addition, while an inventory of other statistics was compiled for these DGs/Services, the statistical master plan was not developed and it is not clear how it will be used in the context of EUROSTAT's operational planning cycle.

Recommendation

To address this issue, the IAS formulated a recommendation which can be summarised as follows:

Use of other statistics and EUROSTAT’s role

EUROSTAT should improve its support to the policy DGs (within the limits of its mandate). In this respect, it should initiate the process for signing the remaining Memoranda of Understandings with the DGs producing and disseminating other statistics and should provide advice and expertise to all DGs, including on possible measures to be implemented to address the risks associated with the quality of other statistics. It should prepare the Statistical Master Plan and integrate it into its planning processes for the Multi-annual Financial Framework 2014-2020.

In addition, in order to address the risks associated with the quality of other statistics which fall outside its mandate, EUROSTAT should raise the issue of possible measures to mitigate this risk with the DGs concerned together with the SG.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendation.

8.2.Risk assessment of the Joint Sickness and Insurance Scheme

Audit objectives and scope

During the period September –November 2015 the IAS performed a comprehensive audit risk assessment as part of the preparation of its Strategic Audit Plan 2016-2018 aimed at identifying individual risks for each DG/Service and as a result, proposed audits for areas that have a high risk exposure.

While PMO was part of the risk assessment carried out across all Commission DGs/Services, its services only partially cover the activities of the Joint Sickness Insurance Scheme (JSIS). In addition to PMO, other bodies (e.g. JSIS Management Committee, which is an inter-institutional joint committee) and Commission DGs (i.e. ECFIN, ESTAT) have various roles in the organisation and functioning of the JSIS.

Therefore, the IAS carried out a specific risk assessment of the JSIS to identify the risks to which the JSIS as a whole is exposed and may need to take actions to mitigate them.

Based on the results of this risk assessment, the IAS will communicate separately to PMO any planned audits during the period 2016-2018.

Overall conclusion of the risk assessment

Overall, the risks related to the assessed processes appear to be largely mitigated. However, three processes, (Governance, Management of JSIS financial balance and IT Project Management) have a high residual risk which means that further actions may be needed to adequately mitigate the related risks.

The IAS established an indicative list of audit topics which forms the basis for an audit rolling plan and which will be the subject of an annual light re-assessment of the risks involved. At that time, the IAS will also re-assess the resources at its disposal and may plan an audit.

9.IT audits

9.1.Audit on the management of local IT in DG COMP

Audit objectives and scope

The overall objective of the audit was to analyse and evaluate DG COMP's current internal control systems to ensure an adequate and effective management of its local IT activities.

The scope of the audit included the following areas:

IT Governance, with a focus on IT strategy and the organisation set-up;

Physical and logical security arrangements;

IT projects / systems, with a focus on quality and change management.

The audit has mainly focused on activities performed by unit R3, responsible for IT in DG COMP. The IAS has also looked at the activities of business counterparts of key projects / IS (mostly units R1, Document Management, and A4, European Competition Network) and at other security-related actors (unit R2, Resources, Ethics and Security, in charge of the LSO function, and Directorate H, State aid: Cohesion, R&D&I and enforcement, in charge of the LISO function).

As regards the security aspects, the auditors have used the results of the security gap analysis 42 (performed by unit R3 in 2014), to provide the DG with reassurance on the adequacy of the main controls in place and check the state of play for the missing controls.

The scope of this audit did not include the processes related to DG COMP Forensic IT (FIT) 43 function, which is a highly specialised activity managed by unit G2 under the Directorate Cartels.

There are no observations/reservations in the 2014 AAR that relate to the area/process audited.

The fieldwork was finalised in April 2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following five very important issues:

IT financing sources (Report finding N° 1)

DG COMP's business strategy increasingly demands new and more reliable IT tools to improve the effectiveness and efficiency of its business processes. However, it does not have an operational budget or a dedicated budgetary line to ensure this, which means that it has been forced to find financing sources outside of the administrative budget of DG COMP since 2011, which are only approved and freed on an annual basis. This does not allow a stable, low-risk and sustainable IT strategy in the medium and long term.

Currently, it uses the ISA programme 44 as a significant source of funding for its IT needs (37% of DG COMP's total budget in 2014 and 29% in 2015). Although initially foreseen as a short-term solution only, the ISA option has become a de facto long-term solution which, however, adds to the complexity and costs as the ISA rules require IT tools to be re-usable and generic.

Furthermore, the audit showed some weaknesses in the control procedures applied to ISA funds. Monthly time-sheets of IT contractors do not identify the project the person is working on. Instead, this information is recorded separately. Furthermore, some inconsistencies in the annual reporting to the Chair of the ISA Programme (DG DIGIT) were noted.

Alignment of Business and IT strategy (Report finding N° 2)

DG COMP produces yearly a short-medium term IT strategy in the context of the IT Master Plan (ITMP), defining the project portfolio and the key strategic projects for the two years to come. However, the required IT capabilities (internal resources, rational growing, structural and programme management needs 45 ), which are necessary to cope with the changing business context and increased demands of IT services, have not been appropriately assessed and defined to ensure proper alignment with the business strategy. In addition, the planning and prioritisation processes are not fully effective.

Project management (Report finding N° 5)

Despite the number, complexity and strategic importance of the IT projects in the DG, the project management support function does not adequately support the business and IT staff involved in the projects. The DG COMP development team is organised in a vertical, project-based structure and is not supported by key horizontal activities such as quality management, methodology support, architecture definition and validation, security expertise, documentation and knowledge management. Quality controls are insufficient and the change management process is impacted by the lack of a clear testing framework and related resources.

These weaknesses are compounded by the fact that the DG is dealing with an increased portfolio and IT budget, bigger and more complex projects and programmes, coupled with the additional challenges arising from use of ISA funding and rationalisation principles.

Implementation of the recommendations of the Security Gap Analysis (SGA) (Report finding N° 6)

Although it is very well aware of the sensitive nature of the information treated by its information systems and the need to apply appropriate security measures, DG COMP has neither performed an exhaustive IT Risk Assessment, nor prepared Security Plans for its operational SPECIFIC ISs 46 . In addition, DG COMP does not have any service level agreement (SLA) with DG DIGIT on the specific security controls required for hosting its SPECIFIC ISs in the EC Datacentre.

The plan prepared by DG COMP to address the recommendations of the SGA 47 conducted in September 2014 is limited to the implementation of the two high priority recommendations (to perform the risk assessment and prepare the security plans) and covers only new projects. This decision was not adequately supported by a solid risk assessment.

The role of Local Information Security Officer (LISO) in DG COMP (Report finding N° 7)

The LISO has a central role for information security in every DG and should actively contribute to its effective management. The role of the LISO in DG COMP is not aligned with the existing EC framework for IT security and he is not sufficiently involved in supervising IT security matters.

Currently, only 20% of the total working time of one official is actually devoted to LISO duties. In addition, neither the LISO nor his deputy have sufficient expertise in IT security in order to supervise the implementation of security controls effectively. Consequently, their actual involvement in IT security aspects of IT projects is very limited in practice.

Recommendations

To address these issues, the IAS formulated recommendations which can be summarised as follows:

IT financing sources

DG COMP should explore again the possibility of finding alternative/complementary and stable funding in order to sustainably plan and adequately fund its IT activities.

For the time being, the budgetary problems faced by DG COMP may mean that the ISA programme will effectively remain a significant source of funding. Recording the projects the IT contractors are working on directly in the time-sheets which are verified by the internal control actors provides the most effective and efficient assurance to management that funds are used in accordance with the applicable ISA rules. The time-sheets should therefore be consistently filled in to this end. Also, the inconsistencies in the annual reporting to DIGIT should be avoided by cross-checking with the available data in ABAC.

Alignment of Business and IT strategy

DG COMP should strengthen the process leading to the definition of the Business and IT strategies to ensure that they are fully aligned and that the related investment and organisational structures are adequately defined. This strategic analysis should consider the global impact of the changing business and IT environments and include a comprehensive assessment of the required IT organisation (including the outsourcing strategy). This should take particular account of relevant legal or regulatory changes, based on proper impact assessments on the IT function, made well in advance. There needs to be adequate prioritisation and provision of internal resources to key IT activities and projects.

Project management

DG COMP should strengthen the project management support function and the quality framework to support Business managers, Project managers and portfolio managers.

Implementation of the recommendations of the Security Gap Analysis (SGA)

DG COMP should implement the two most critical actions proposed by the SGA, namely to undertake a risk assessment (in line with the EC security framework) and to prepare security plans for its SPECIFIC information systems. In addition, an SLA with DG DIGIT for those systems hosted in the EC Datacentre should be established to agree on the specific security requirements.

As regards the legacy ISs, which will not be replaced by CMR, DG COMP should review these for any potential major weaknesses, and identify and implement appropriate solutions. DG COMP should assess the need to perform the same review for those ISs which will be replaced by CMR, for which the replacement date is not yet certain and/or is likely to be after 2016.

The role of LISO in DG COMP

DG COMP should align the status and tasks of its LISO to the provisions of Commission Decision C(2006)3602 and ensure that the respective roles and responsibilities are clearly understood. It should ensure that the LISO is sufficiently available, has sufficient expertise in IT security and performs the necessary tasks in practice.

The audited service has established an action plan which the IAS considers satisfactory to address the recommendations.

9.2.Audit on IT security governance in the Commission (DG HR, DG DIGIT, SG)

Audit objectives and scope

The objective of this engagement was to assess the adequacy of the information security governance arrangements in the Commission, with the aim of providing recommendations to improve the existing setup. It focused in particular on the following main areas:

Whether governance arrangements allow for information-related risks to be effectively managed in practice;

The extent to which there is effective oversight of information security issues;

Whether there are clear roles and responsibilities in place.

The audit focused on responsibilities exercised and activities performed by the three main actors at the corporate level, as follows:

The Secretariat-General (SG), in its role of chairing the ABM Steering Group and the Group of Resource Directors;

DG DIGIT, as provider of corporate information security technologies and services, and;

The Security Directorate of DG Human Resources (DG HR), as the service currently in charge of the overall security of the Commission and owner of its existing information systems security policy, Implementing Rules and subsequent standards.

The audit also took into account the on-going reflections on the Commission's corporate IT and information security governance structure, together with the current revision of the regulatory framework concerning the security of its information systems.

There are no reservations in the relevant 2014 AARs, which specifically concern the area audited. The fieldwork was finalised in June 2015. All observations and recommendations relate to the situation as of that date.

Major audit findings

The IAS has identified the following four very important issues:

Information security governance structure (Report finding N° 1)

Neither the existing nor the proposed information security governance structures, currently under discussion, are aligned with what is recommended by recognised best practices. In particular, there is no specific governance body with responsibility for steering information security developments in this regard. In addition, the role, responsibilities and position in the organisation of the Chief Information Security Officer (CISO) need to be carefully reconsidered to ensure that the wider issue of information security as a whole is properly addressed (not only IT security) and also to ensure that there is a proper segregation between information security policy and the delivery of IT security measures/solutions.

Information security risk treatment (Report finding N° 2)

A clear and robust approach to the treatment of risk is key to strong information security governance. Currently, there is no process at corporate level for consolidating the information security-related risks identified by the DGs and services. Consequently, there is no overall view on the information risk appetite and no structured Commission-wide information security risk treatment programme. In addition, there is no mechanism in place for systematically measuring the cost-effectiveness of information security activities.

Reference framework for information security (Report finding N° 3)

Strong governance also requires a clear information security reference framework to be in place and regularly reviewed, which clearly sets out the overall strategy, policies, decision-making structures and accountability arrangements. Currently, this is not sufficiently well developed. In particular, the Commission has yet to define key information security principles which should provide guidance on the way information security should support the achievements of business objectives. There is no corporate information security strategy document, defining the desired state of information security in a medium to long-term perspective. DGs and Services are not currently implementing the Commission policy on the security of information adequately. In addition, there is no effective mechanism for controlling the adequacy of data classification, which is an essential part of any information security process.

Information security programme (Report finding N° 4)

Also key to an effective governance structure is having an information security programme in place, under the supervision of the governance body and aimed at implementing the information security strategy in a structured and efficient way, including an information security awareness programme. Currently, there is no such programme in the Commission.

Recommendations

To address these issues, the IAS formulated recommendations which can be summarised as follows:

Information security governance structure

Information security governance should be clearly distinguished from its management. At the top level, a Commission governance body should be established to direct, approve key decisions, coordinate and to provide oversight on information security-related activities and initiatives.

A high-level working group should be created as a second layer and be responsible for regularly reviewing the effectiveness and efficiency of the reference framework and for promoting continuous improvement throughout the organisation, notably by ensuring that information security is addressed in the business planning processes and embedded in the information systems and services.

The Chief Information Security Officer (CISO) should be independent from IT management responsibilities and report to the high-level working group, and be responsible for establishing the overall approach to information security applicable to all Commission information (whatever its forms and security levels). He/she should adopt a business-focused approach to information security while establishing, maintaining and monitoring the information security management system. He/she should run a programme for the implementation of the information security strategy.

The DGs concerned (HR, DIGIT and SG) replied that "the CISO function should be fulfilled by an Information Security Steering Board (ISSB)", highlighting the need to avoid extra administrative layers but ensuring appropriate segregation. While this means that the audited DGs intend to apply the general principles of the recommendation (segregation of duties and checks and balances), it does not follow the recommendation to the very end in that the function of CISO is assigned to a Working Group. Therefore, the IAS considers that the DGs have partially accepted the recommendation and underlines that success will very much depend on the effective and efficient functioning of the ISSB. This has repercussions also for the other recommendations, as the ISSB will be key in ensuring that risks highlighted are properly mitigated.

Information security risk treatment

The Commission governance body should set out a structured process to determine the Commission's information security-related risk appetite, which incorporates a business impact, threat and vulnerabilities assessment. Based on this, it should define a cost-effective information security risk treatment programme to be implemented across the board at the level of the DGs. This risk treatment programme should reflect the organisation’s information security-related risk appetite and take into account the inter-dependencies between operational processes and information systems.

Reference framework for information security

The Commission governance body should endorse a formal reference framework for security of information under all its forms. This framework should include processes or arrangements that allow the governance body to evaluate, direct, monitor and communicate corporate information security principles supportive of business objectives and a corporate information security strategy aligned with the business strategy. It should also comply with the overall regulatory framework, provide effective and efficient response to business objectives and requirements and address the consequences of non-compliance.

Information security programme

In line with the overall governance structure adopted, the Commission governance body should endorse a corporate information security programme, which encompasses all elements necessary to effectively implement the information security strategy, together with the necessary investment of resources. It should be managed under a sound methodology with the necessary collaboration and support from all stakeholders, including the business side.

One very important recommendation addressed to DG DIGIT, DG HR and SG on information security governance was partially rejected. The audited services have established an action plan which the IAS considers satisfactory to address the (partially) accepted recommendations.

10.Management letter

10.1.Common issues arising from IAS audits related to IT security matters

Introduction

Over the period 2009-2015, the IAS performed a series of audits targeting IT security in individual DGs and Services of the Commission, either under specific topics or under the broader scope of local IT management. During the course of these audits the IAS observed several systemic issues which may lead to insufficient security measures being implemented and IT security breaches exploited.

Audit objectives and scope

The purpose of this Management Letter is to provide the corporate services in charge of IT security in the Commission with a summary of the main issues reoccurring across DGs, so that they can take stock of them with a view to identifying possible actions to define and implement centrally, in line with the key orientations in the ICT security domain resulting from the "Summer Review", to thus reduce exposure to risks potentially impacting the Commission. The issues have been grouped into eight categories, together with the high-level issues for consideration.

Major audit findings and issues for consideration

IT governance

In a majority of the DGs audited, the mission, composition and main roles of IT Steering Committees are not clearly defined, resulting in a number of associated tasks not being adequately performed. Furthermore, IT security is not usually a regular item on the agenda of IT governance bodies and business representatives (system and data users) are rarely involved in discussions concerning the security of their IT systems.

An appropriate IT governance set-up should thus be fully functioning in each DG and Service, notably by ensuring that Steering Committee's roles are clearly defined and that they receive adequate information to effectively exercise their decision-making, monitoring and supervision responsibilities in the field of IT security.

IT risk assessment and treatment

Not all DGs have implemented an effective IT risk management framework, and thus an accurate register of IT related risks and countermeasures. Moreover, there is currently no process in place at corporate level for consolidating the information on IT security-related risks identified locally, making it impossible for the corporate governance bodies to obtain an overall view on a Commission-wide risk exposure and to assess the effectiveness and efficiency of current security arrangements.

DGs and Services should implement an effective IT risk management framework, provide an overview of information security-related risk exposure at governance level and evidence at information system management level the security requirements and controls and countermeasures deployed.

IT security plans

In most DGs, the management of IT security plans receives a low priority. Plans either do not exist or are not comprehensive enough in the assessment of risks, threats and vulnerabilities and in listing mitigating controls. There are also significant gaps and delays between the drafting of plans and their implementation.

DGs and Services should define and implement "generic" security plans covering standard IT systems and further define "tailor made" plans for specific IT systems.

Roles and responsibilities

Specific roles and related responsibilities in IT security are not assigned and properly performed in all DGs and Services, in particular for system or data owners and Local Informatics Security Officers (LISOs). In addition, not all contractors are informed of the Commission regulatory framework for IT security and are monitored on their adherence to it.

DGs and Services should identify the roles of their main information security stakeholders and ensure that they all fulfil their responsibilities in line with the regulatory framework and local requirements. The IAS considers this to be especially important in the light of the discussion triggered by the "Summer Review" through the working group on ICT Domain Leadership. In particular, this needs to be seen in the context of the working group's conclusions on ICT security and the intention to propose a more effective and efficient organisation of LISOs.

IT security in IT projects

DGs do not properly document their security requirements and specifications in IT project artefacts and do not treat IT security as a permanent item in the project agenda. In a majority of cases, there is a limited or even no contribution from the LISO or other IT security experts during the different phases of projects. Moreover, not all DGs perform a review of codes developed by contractors including security aspects, before the software is utilised.

DGs and Services should ensure that IT security is better embedded at the different stages of projects' lifecycle, from business requirements expressed during the inception phase to the testing before going live. Input from business owners and security experts should be duly sought.

Identity access management

Formal procedures for granting and revoking access to information systems and services are not formalised in all DGs. When DGs manage their own IT infrastructure, it is common that developers are granted privileges on production environments on a permanent basis. In addition, generic accounts or individual privileged accounts managed by DGs locally do not always comply with the EC password policy.

DGs and Services should implement a structured process of user registration and privileges management for all their systems, based on the "need-to-know" and "least privileges" 48 key principles.

IT security services

IT systems managed locally by the DGs are not always running the latest version of service packs, patches or hot fixes published by DG DIGIT, they do not have an automated anti-virus tool installed, they do not check that removable media received from suppliers are "safe", and there is generally no compensating control that the configuration and conditions of use of contractor machines respect the Commission information security policy framework. Generally, DGs do not conclude service level agreements with, nor monitor the performance of their IT service suppliers on the provision of security services.

DGs and Services should implement IT security services under a managed process, covering internal and external service providers in full respect of the Commission's regulatory framework whenever applicable.

Protection of data

Often production data are copied to other environments, for testing or other purposes, without adequate sanitisation of sensitive data. Furthermore, where repairs are carried out on hard discs and magnetic tapes, assurance that no external party will access the data contained on the media after a repair is not guaranteed.

Each DG / Service processing or storing sensitive or classified data should define and follow appropriate processes to ensure adequate protection of such data from unauthorised disclosure in case of dismissal of media and when using production data for testing.

PART 2: Follow-up engagements (summarised)

1. Follow-up audit on management of the security of EU ETS IT system in DG CLIMA and DG DIGIT – Multi DG

The IAS assessed that 5 out of a total of 9 recommendations included in the original report have been adequately and effectively implemented. These recommendations have been closed.

Concerning the remaining recommendations (one very important recommendation and three important recommendations), while observing good progress in the implementation of the action plan, the IAS considers that the related risks are not yet fully mitigated and consequently the recommendations cannot be closed.

Concerning recommendation 1 on Implementation of the ETS's Security Controls (very important), so far, the DG CLIMA and DG DIGIT have performed an in-depth risk analysis which confirmed the very sensitive nature of the data handled by the EU ETS system and the high exposure to cyber-attacks (mainly in the areas of hosting infrastructure, user authentication management and communication over networks). These risks and sensitivities are similar to those faced in the banking sector/stock exchange. Moreover, both services have identified the key security controls that should be implemented for the ETS and compared them with the existing security measures. As a result, a significant number of missing key security controls has been flagged.

In this respect, IAS notes that DG CLIMA and DG DIGIT have not yet fully agreed on the implementation of the missing controls and have not yet approved the related implementation roadmap, which was foreseen in the original action plan to be implemented by January 2015. In addition, DG DIGIT plans to create a new standard service for secure hosting that should address the security requirements and which is currently in the design phase.

The IAS acknowledges the progress made in identifying the risks and prioritising the missing security controls. However, without their full implementation, the EU ETS system is still vulnerable to the high risks identified at the time of the audit. The results of this follow-up audit corroborate with the decision of DG CLIMA to keep the above mentioned reservation in its 2014 AAR.

Given the delays already encountered, the IAS invites DG CLIMA and DG DIGIT to make an additional effort to agree on an implementation plan and work together on its execution so to quickly reduce the high security risk currently faced by the Commission.

Furthermore, DG CLIMA should re-assess the significance of the security controls that would still be missing at the end of 2015 (because of cost effectiveness issues, other technical constraints or because their implementation would need to be postponed to 2016) together with the associated services (DG DIGIT and DG HR.DS), in order to decide whether it can lift the EU ETS related reservation in its 2015 AAR.

2. Follow-up audit on the charge-back process in the Commission – Multi-DG

DG BUDGET

Based on the results of the follow-up audit, the IAS assessed that the two remaining recommendations addressed to DG Budget that resulted from the audit on charge-back Process in the Commission have not been adequately and effectively implemented.

Recommendation 1 on "governance of the charge-back process" focused on the implementation of a governance framework for the charge-back process. It recommended the assignment of the ownership of the process and of the responsibility to endorse the framework for the charge-back process in the Commission (actors, their responsibilities, applicable rules, reporting arrangements) to the ABM Steering Group.

While the ownership of the charge-back process was assigned to the ABM Steering Group and the guidance for the charge-back process within the Commission was endorsed by it in March 2014, this is not yet the case for the charge-back process in relation to other EU Institutions, Agencies and Bodies.

Pending this, the IAS considers recommendation 1 not to be fully implemented yet and will therefore be re-opened.

Recommendation 2 on "central guidance and instructions" required DG Budget to develop a clear and transparent framework for the charge-back process in the Commission including roles and responsibilities and central guidance.

As explained above, the guidance on the charge-back process for services delivered to other EU Institutions, Agencies and Bodies has not been published yet.

Therefore, the IAS assesses the recommendation as not fully implemented at this stage and will be re-opened.

DG DIGIT

The very important recommendation 1 on "identification of IT services to be charged-back" required DG DIGIT to (a) provide to the potential client DGs/Services easily accessible information on the "baseline" services available and (b) clearly define the criterion or criteria to identify which IT systems hosting costs are charged-back. The criteria defined to charge-back services, as well as the list of services covered by its own appropriation, should be discussed with DG BUDG.

The IAS acknowledges the significant measures taken by DIGIT to enhance the transparency of the charge-back services, notably the communication to the IRMs on the criteria to charge-back the information systems hosting costs and the launch of DIGIT service catalogue, covering all the services provided by DG DIGIT. In addition, the IAS takes note of several on-going actions, such as the validation with the DGs/Services of the inventory of the information systems hosted in DG DIGIT, the setting up of a consolidated cost model encompassing all the services provided by DG DIGIT (Directorates A, B and C) and the update of the service catalogue with baseline services and associated costs.

Consequently, in view of the progress made and the on-going actions, the IAS considers that the recommendation can be downgraded from very important to important.

Recommendation 3, important, on "communication on costs" required DG DIGIT to (a) produce and distribute clear and simple documentation on the types of costs charged-back to the DGs (split of the cost base) and unit costs used in the cost model, and, more generally, on the method used to estimate costs charged-back for any service provided by DG DIGIT; (b) ensure that the documents sustaining the provision of service (proposals, Memorandum of Understanding, Service Level Agreement) and subsequent reporting provide clear information on the services that will be/have been provided and on the KPI to measure them allowing the client to take informed decision and to monitor the provision of the services.

As the consolidated cost model and the Memorandum of Understanding have not yet been released, this recommendation is considered not fully implemented and will remain open.

3. Follow-up audit on the performance audit on the efficiency and effectiveness of the planning stage of the selection process - Multi-DG

DG HR

As regards the documentation for the Workforce Simulator (recommendation 4), the IAS notes that the advanced draft version still contains a few sections that need to be finalised. In this respect, the IAS advises DG HR to finalise the outstanding part of the technical documentation of the Workforce Simulator.

EPSO

As regards recommendation 1 on the "EPSO Planning exercise" (very important), the IAS acknowledges the progress made to date. However, the IAS notes that EPSO has not issued written guidelines aimed at ensuring the consistent reporting of needs for laureates across all the EU Institutions. Also, only limited information has been made available to the Management Board to support the discussions on the strategic planning (i.e. a consolidated table with the needs of the Institutions). Therefore, the IAS concludes that this recommendation has not yet been fully implemented. However, in view of the progress made, this recommendation is downgraded from very important to important.

4. Follow-up audit on control strategy implementation in DG AGRI

The IAS assessed that the outstanding action 1.4 has been effectively implemented given that the updated guidance on key and ancillary controls (KAC), consolidated by the Common Agricultural Policy (CAP) measure, is about to be completed. The majority of the documents have been drafted and presented to the Member States in the Agricultural Funds Committee (AFC) and those remaining (3 out of 23, concerning KAC for payment entitlements, Art. 68, and debt management) are due to be presented in the context of the next AFC meeting (April 2015).

For sub-actions 1.9.2 and 3.2 related to the need to align the audit manual to the legislative framework for the CAP 2014-2020, especially for the conformity clearance procedure, we have noted the progress made, including deploying a new version of the COMBO application and providing additional guidance to DG AGRI staff on the modified process. However, the audit manual still remains to be aligned with the new CAP requirements.

Regarding sub-action 1.8.2, progress has been made, notably by finalising the guidelines on the clearance of accounts for financial year 2015 and the mid-term review of the multiannual work programme of Directorate J for the period 2014-2017 which foresees a number of "dedicated" audit missions in 2015 solely targeting the Certifying Bodies' (CB) work. However, since the CBs will only start providing their "reinforced" opinion pursuant to Article 9 of Regulation (EC) 1306/2013 as from 2016 (based on financial year 2015), we acknowledge that only then DG AGRI will be in a position to assess the overall quality of the CBs' contributions in the assurance building process.

Considering that the above mentioned actions remain in progress, the IAS concludes that both recommendations 1 and 3 should remain open until full implementation of all outstanding sub-actions.

5. Follow-up audit on the Limited Review of DG AGRI's Residual Error Rate

Recommendation 1 on "reliability of Member States control statistics", originally rated critical, had been previously down-graded to very important. We now find that further progress has been made with regard to the project to automate the transmission of control statistics. Progress has been made as well concerning the work to prepare for the Certification Bodies' (CB) enhanced role, although this is substantively still in an early phase. This issue will be further followed-up in the context of the follow-up of the IAC audit on DG AGRI's readiness for the implementation of the enhanced role of CB in the new assurance model.

The only remaining outstanding issues are therefore the following two longer term actions:

- Firstly, to carry out a comprehensive review of the impact of the reinforced work of the CB on the reliability of the control statistics after two years of its application (i.e. 2017).

- Secondly, although some improvements were included in Implementing Regulation 809/2014, the action to develop guidance to Paying Agencies (PA) to ensure representative random control samples has not yet been addressed. As in previous periods, minimum control rates are defined for random samples, but this does not necessarily ensure their statistical representativeness. This is all the more important as according to Guideline N°2 for the certification audit of the EAGF/EAFRD accounts, CB will now have to base their legality and regularity work on representative PA's control samples.

However, more detailed practical guidance to PAs on drawing representative random samples has not yet been developed.

Representative control samples of PA would indeed allow DG AGRI to demonstrate that its error rates are reliable. Furthermore, in the context of the on-going effort to simplify the Common Agricultural Policy, it is also important to note that representative control samples may lead to a reduction of the overall control burden and cost of control.

Therefore, building on the experience of other DGs, for example in the Structural Funds area, in introducing statistical sampling methods for Member States' controls, DG AGRI should consider introducing progressively a number of actions to allow both DG AGRI and the MS to gain experience with statistical sampling (see annex). In particular, DG AGRI should launch a comprehensive study on representative sampling covering the main schemes of Pillar I and Pillar II.

The IAS will follow up the actions taken at the same time as the comprehensive review of the impact of the reinforced work of the CB mentioned above.

For the very important recommendation 4 on "AAR presentation", DG AGRI has provided more information on the corrective capacity and the inherent limitations of comparing financial corrections data with amounts at risk. It is also reported in a transparent manner in the annual activity report that cross compliance related corrections are excluded from the corrective capacity. Also, DG AGRI is committed to developing further, together with the other shared management DGs and the central services, the materiality criteria for the 2014-20 period. The actual criteria developed will be subject to future audit work of the IAS. On this basis, we conclude that DG AGRI has implemented the recommendation overall. Nevertheless, it is important for DG AGRI to finalise the analysis of whether, in addition to cross-compliance corrections, also other (lower value) sanctions/penalties-type of corrections should possibly be excluded from the corrective capacity.

Since the Limited Review was carried out in 2013, DG AGRI has considerably improved the reporting of error rates, corrective capacity and reservations in its annual activity report. However, it is essential that sufficient importance is dedicated to the remaining actions to strengthen the reliability of the Member States' control statistics in the long run.

6. Follow-up audit on IAC audits in DG ENV (Anti-Fraud Strategy)

Based on the results of the follow-up audit of the accepted SIAC recommendations, the IAS assessed that:

Recommendations 3.3 on "sharing the "LIFE Red Flags" with EASME" (important), 3.5 on "further development of the fraud indicators for grants (Finance unit)" (important) and 5.2 on "the regular information of the Director-General about all fraud cases" (very important) have been adequately implemented and can therefore be closed.

Recommendations 3.4 on "including the consideration of fraud red flags in the mandatory procedures of the external contractors" and 6 on "fraud proofing of legislation" (both important) have become obsolete and can therefore be closed.

The following recommendations remain open:

Recommendations 1, 2.1, 7.2 (important) and 5.3 (very important), for which the initial implementation date has not yet expired and which all relate to the drafting and approval of an updated Anti-Fraud Strategy. Although these actions remain to be implemented, DG ENV has made important progress as a fraud risk assessment has been carried out during 2015 and a new Anti-Fraud strategy is being drafted and should be finalised and approved in early 2016.

Recommendation 4 on "the Early Warning System (EWS) and precautionary measures" (important), for which the implementation date has been postponed to reflect the fact that the EWS will be replaced by the EDES database as of 01/01/2016.

The following sub-recommendations have not yet been fully implemented:

Recommendation 2.2 on "easy access to procedures and tools on fraud prevention and identification" (important), which has been partially implemented as some information in the SRD.2 site dedicated to Anti-Fraud is missing or not up-to-date pending the adoption of the new Anti-Fraud Strategy;

Recommendations 3.1, 3.2, 3.6 and 3.7 on "fraud indicators ("red flags")" (important), which have been partially implemented, whilst progress has been made by developing the "red flags" lists and publishing them on the intranet. However, there has been no dedicated training or communication to staff regarding the importance of fraud awareness and zero tolerance to fraud in 2015. Besides, the instructions to reflect red flags in the DG ENV checklists should still be strengthened.

Recommendations 5.1, 5.4 and 5.5 on "follow-up of (potential) fraud cases" (very important), which have been partially implemented or for which no action has been completed yet (recommendation 5.4). Implementation has started and should be completed in good time for DG ENV to have a complete and up-to-date overview of all fraud cases to ensure their adequate and timely follow-up, including the application of penalties where appropriate.

Recommendation 7.1 on "the enhancement of the analysis and documentation during the risk assessment related to potentially sensitive functions" (important), which has been partially implemented, as some of the functions indicated in the audit report (e.g. IRM) have not yet been assessed and no explanation provided. Nevertheless, the IAS notes that significant progress was made in the review of sensitive functions in DG ENV and the shared resource Directorate in the beginning of 2015.

7. Follow-up audit on the ENV-CLIMA SIAC audits on Anti-Fraud Strategy in DG CLIMA

Based on the results of the follow-up audit of the accepted SIAC recommendations, the IAS assessed that:

Recommendation 3.1 on "further development of the fraud indicators for grants (Finance unit)" (important) has been adequately implemented and can therefore be closed;

Recommendation 5 on "fraud proofing of legislation" (important) has become obsolete and can therefore be closed.

The following recommendations remain open:

Recommendations 1 and 2.1 (important), for which the initial implementation date has not yet expired, and which relate to the drafting and approval of an updated Anti-Fraud Strategy for DG CLIMA. Although these actions remain to be completed, work is on-going in DG CLIMA as a common ENV-CLIMA fraud risk assessment has been carried out during 2015 and a new Anti-Fraud Strategy should be finalised and approved in early 2016.

Recommendation 6 on "sensitive functions" (important), for which the initial implementation date has not yet expired and which has not yet been implemented, as at the time of the follow-up DG CLIMA had not yet carried out a risk assessment on potentially sensitive functions.

The following recommendations which have not yet been fully implemented:

Recommendation 2.2 on "easy access to procedures and tools on fraud prevention and identification" (important), which has been partially implemented, as some information in the SRD.2 site dedicated to Anti-Fraud is still missing or not up-to-date pending the adoption of the new Anti-Fraud Strategy;

Recommendations 3.2 and 3.3 on "fraud indicators ("red flags")" (important), which have been partially implemented, whilst progress has been made by developing the "red flags" lists and publishing them on the intranet. However, there has been no dedicated training or communication to staff regarding the importance of fraud awareness and zero tolerance to fraud in 2015. Besides, the instructions to reflect red flags in the DG CLIMA checklists should still be strengthened.

8. Follow-up audit on IAC audits in DG SANTE

The following recommendations remain open:

Audit on the External Stakeholder Consultations in DG SANTE:

Recommendations 1.1, 2 and 5 (very important) and recommendations 3, 4.2, 7 and 8 (important) remain to be implemented pending the results of the recent IntraSANTE consultation on the draft standard operating procedures.

Audit on Business Continuity in DG SANTE

Recommendation 1 on "the update of the Business Continuity Plan" (very important) is assessed as partially implemented overall, as (although the sub-recommendation 1.1 on "the drafting of a new Business Impact Analysis" has been implemented) the actions related to the remaining sub-recommendations 1.2, 1.3 and 1.4 are yet to be completed.

Audit on the Internal Control Standards 5, 6, 7 and 8 in DG SANTE:

Recommendation 4 on "a re-assessment of the sensitive posts and functions" (very important) is yet to be fully addressed following the recent re-organisation in SANTE.

Audit on the Operations of Directorate F, the Food and Veterinary Office, in DG SANTE

Recommendation 6 on "the development of a long-term strategy" (very important) remains ongoing following the recent re-organisation in DG SANTE.

Audit on Costing Practices in Procurement in Selected Funding Areas in DG SANTE

Recommendation 1.1 on "the development of guidance on costing practices" (important): the DG is finalising the related actions.

9. Follow-up of the Limited Review of the calculation and the underlying methodology of DG REGIO's residual error rates for the 2013 reporting year

The IAS assesses that recommendations 1 on "reservations and presentation in the AAR" (important), 3 on "reliability of withdrawals and recoveries" (very important), and 4 on "calculation basis of the Cumulative Residual Risk (CRR)/Error Rate" (very important) addressed to DG REGIO have been adequately and effectively implemented.

Recommendation 2 on "reliability of validated error rates" (very important): the IAS notes that the updated version of the auditors' checklists for assessing Audit Authorities still needs to be formally validated. In the light of the progress made overall on this recommendation, we assess that it has been adequately and effectively implemented and can be closed.

Recommendation 5 on "business process" (important): while the IAS notes that two out of three sub-recommendations have been duly implemented, DG REGIO decided for cost-efficiency reasons, that it will not develop a specific IT tool for the calculation of the CRR for the 2007-2013 programming period. Given the progress made regarding the other actions of this recommendation, the IAS considers that it can be closed overall. However, in the absence of a fully automated tool, IAS emphasises that DG REGIO is assuming the risk that the calculation of the CRR may be prone to data entry or calculation errors that could be avoided through a dedicated IT tool. The IAS judges this risk to be 'medium'. As a mitigating measure, DG REGIO should be vigilant in monitoring any changes to the underlying data and ensure that there is a sound audit trail in place.

10. Follow-up audit 1st Phase of DG EMPL performance measurement systems (EaSI)

Based on the results of the follow-up audit, the IAS assessed that all recommendations addressed to DG EMPL have been adequately and effectively implemented, except for the following recommendation:

Recommendation 4 Performance measurement - Audits of Progress and EaSI, This recommendation concerns the need to reflect on performance audits in view of building up assurance on the performance of the Progress/ EaSI programmes. The IAS takes note that, the setting up of the working group foreseen by the action plan is delayed due the ongoing re-organisation which will affect the responsibilities for the Progress/EASI programme and the positioning of the evaluation unit in the organigram.

11. Follow-up audit of IAC audits in DG REGIO

Readiness Assessment - ERDF 2000-2006 closure process

Based on the results of the follow-up audit, the IAS assessed that four out of five recommendations (all except recommendation 1) have been adequately and effectively implemented.

Concerning, recommendation 1 on "audit follow-up procedures - irregularities in older programming periods" (important), the IAS notes the progress made in actions taken to close the cases from 1989 onwards and launch recovery orders and that management is adequately informed on the state of play. However, given the risks that old ineligible amounts become irrecoverable, the IAS stresses the need to continue close monitoring all the open cases going forward. Therefore, we consider that this recommendation should remain in progress for the time being and it will be followed-up separately by the IAS or as part of its future audits in DG REGIO.

Interruptions and suspensions of payments

Based on the results of the follow-up audit, the IAS concludes that the recommendation 11 on "implementation of the revised guidance note. Formalisation of the establishment of the Interruptions Committee" (important) should remain open until a complete process manual on interruptions and suspensions is drafted and published on the intranet.

Performance framework

Based on the results of the follow-up audit, the IAS concludes that recommendations 1, 3 and 4 have been adequately and effectively implemented and can be closed.

For recommendation 2, the IAS acknowledges the progress made in implementing parts 2.3 (new guidance on performance framework) and 2.4 (Trainings on performance framework) of the action plan. However, parts 2.1 and 2.2 of the action plan, which concern the reliability of systems for reporting performance data, have not been finalised yet. Therefore this recommendation remains open until all actions are completed. However, since the IAS considers that the partial implementation of the action plans has reduced the risk level from high to medium, this recommendation has been downgraded to important.

Recommendation 4.2 on "inadequate filing in WFS; Preparation of WAVE" (important) remains open.

12. Follow-Up audit on DG REGIO Implementation of the 2007-2013 Programming Period

The IAS notes the improvements made by DG REGIO as regards strengthening the corrective process by reducing the time to issue audit mission reports when serious deficiencies are identified, organising more regular meetings of the Interruptions, suspensions and financial corrections Committee and improved documentation of the reasons for decisions on interruptions and pre-suspensions in the Committee minutes. Therefore we assess that the recommendation 3 on "corrective measures to reduce the error rate" has been adequately and effectively implemented.

The implementation of recommendation 2 is still in progress.

13. 1st Follow-up audit of IAC audits in DG EMPL (Business Continuity Procedures)

Based on the results of the follow-up audit, the IAS assessed that recommendation 7 on "updating of NOAH" has been adequately and effectively implemented.

Recommendation 10 on "IT disaster recovery plan and security needs" (important), remains open.

14. Follow-up audit on the implementation of FP7 control systems (including supervision of external Bodies) in DG RTD

The IAS assesses that all the recommendations addressed to DG RTD that resulted from the audit on "the implementation of FP7 control systems (including supervision of external Bodies)" have been adequately and effectively implemented, except for the following recommendations:

Recommendation 1: "supervision of the Joint Undertakings" (very important). The recommendation implementation deadline is 31/12/2015. As a consequence, its implementation will be followed-up by the IAS after this date.

Recommendation 3: "Anti-fraud Strategy" (very important). Three out of four actions of the action plan are assessed as implemented. Only action 3 “develop guidelines for the application of financial and administrative penalties in Horizon 2020” has not yet been implemented and, therefore, the recommendation will be reopened and DG RTD is requested to provide a revised completion date. As a consequence, the implementation of the remaining action will be followed-up by the IAS after the new completion date. As the risks mentioned in the audit report are partially mitigated, the recommendation will be downgraded to important.

15. Follow-up audit on the implementation of FP7 control systems (including supervision of external Bodies) in DG CONNECT

The IAS assesses that all the recommendations (including supervision of external Bodies) have been adequately and effectively implemented.

Recommendation 1: "Anti-Fraud Strategy (deterrent measures, detection of plagiarism and double funding)" (very important) remains open.

16. Follow-up audit on implementation of FP7 control systems in ERCEA

This follow-up audit was carried out in the context of the IAS contribution to the preparation of ERCEA 2014 Annual Activity Report (AAR) and covered the first part of recommendation 1 "Building up the assurance" (very important) concerning ERCEA's alternative assessment pattern and disclosure of a representative error rate for the IDEAS programme. The IAS assessed that this part of recommendation 1 has been adequately and effectively implemented. However, it found that the presentation in the draft annual activity report of the conclusions drawn from the ex-post controls should be further clarified in order to avoid misinterpretations. In particular, the IAS suggested to ERCEA to emphasise in the executive summary of its AAR that the results of the alternative assessment pattern are still partial and therefore, no statistically valid conclusions can yet be drawn from it. We also suggested removing the word fully from the sentence “The completion of this specific ERCEA monetary unit sample is not yet fully statistically representative to draw the final conclusion” in order to align it with the pre-conditions to be met before drawing a conclusion on the results of the monetary unit sample as set out in annex III of the FP7 Ex-post Audit Strategy 2009-2016.

17. Follow-up audit on IAC audit of assets management in DG JRC

Based on the results of our follow-up audit, we assess that all recommendations addressed to JRC that resulted from the original audit have been adequately and effectively implemented, except for the following recommendation:

Recommendation 1: "the ISM Director, with the support of Director B, should: a) Prepare a proposal for centralisation of responsibilities and resources in Ispra to be submitted to the Director-General for decision. b) Implement the decision."

This recommendation is assessed as partially implemented. However, based on the actions already implemented, the residual risk has been re-assessed as medium and the recommendation has been downgraded from very important to important.

There are two remaining sub-actions related to the following recommendations:

Recommendation 2 "the function of Site Asset Manager should be formally defined in Geel, Petten and Karlsruhe (A possibility was discussed during the audit to integrate the Site Asset Manager function into the Site Management Units of the respective sites.)".

Recommendation 10 "the Ispra Site Directorate should improve the facilities for the physical management of the written-off items (Ideally, a common space should be allocated for this purpose, where items written-off should be stored per category and destination (i.e. donation, selling, scrapping, etc)."

Given the progress made and the low outstanding residual risks, these two recommendations will be closed.

18. Follow-up audit on IAC audits in INEA

Based on the results of our follow-up audit, we assess that all the recommendations followed-up, in both audit reports, have been adequately and effectively implemented and will therefore be closed. The remaining open recommendation is recommendation 3 on "ABAC Assets user access rights", of the audit on procurement.

19. Follow-up audit on IAC audits in DG CONNECT

Based on the results of our follow-up audit, the IAS assessed that all the recommendations have been adequately and effectively implemented (and can therefore be closed) except the recommendation no 5 on "granting, revising, withdrawing and revoking access rights" (important) from the audit on "Policy design and management of IT access rights", for which the following points have not been fully implemented, notably:

The audit recommended DG CONNECT to implement a procedure for the review of the access rights in compliance with Commission Decision C(2006)3602. DG CONNECT could not provide evidence of a regular review of user accounts and their respective privileges. This task is under the responsibility of the business process, application or data owner, depending on the type of user and application.

The audit recommended to better monitor and report on operations performed by DG CONNECT's privileged users (e.g. ARES document management officer, IAM Service Desk, MIPS missions' administrators, i-Flow developers) for some IT systems. Since the time of the original audit, the IT Service Desk of DG CONNECT was transferred to the Common Support Centre (CSC) (DG. RTD.J4). Though entitled to, DG CONNECT (as system owner) has not requested from the CSC to receive regular reporting on the Service Desk activities related to the interventions on access privileges.

The audit recommended DG CONNECT: i) to complete the business impact/risk assessment for the system CONNECTED/JIVE, ii) to ensure that sensitive information is protected from access by staff working in other DGs and to raise awareness of users publishing information on their responsibility to apply adequate protection against (unauthorised) disclosure through awareness/training sessions. The IAS noted that the DG did not perform a business impact/risk assessment for CONNECTED/JIVE application is not covered by the current IT security plans.

As a consequence, recommendation no. 5 will be reopened in IssueTrack.

20. Follow-up audit on FPI control strategy

Based on the results of our follow-up audit, we consider the recommendation as partially implemented and we downgrade this recommendation from very important to important, because of the lower residual risk.

During the second follow-up audit, additional tests will be performed in order to verify the impact of the actions implemented on the accuracy of the calculation of the error rate.

With regard to the three sub-recommendations, we concluded the following:

Recommendation 3 - first part concerns the implementation of a multi-annual approach for the calculation of the residual error rate. According to the information provided in the 2014 Annual Activity Report (AAR), FPI will apply a multi-annual approach for the residual error rate starting with 2014. This sub-recommendation is considered implemented.

Nevertheless, the effectiveness of this method can only be assessed in 2016, during the second phase of the follow-up audit on 'FPI - Control Strategy'. During this second follow-up, the cumulative impact of the first two years will be analysed.

Recommendation 3 - second part concerns the need for improvement of the calculation of the extrapolation of the error rate.The IAS acknowledges the improvements made by FPI on this issue. In particular, the calculation of the error rate is currently based on the payments actually audited (instead of the total population of selected payments, as in the previous AAR).

The sample method applied by FPI for the ex-post control is risk-based, complemented by stratification per instrument and per risk. This approach does not completely follow the 'hybrid method' described in the DG BUDG Instructions in case of risk-based stratified sample (stratification of the sample and extrapolation of the overall error rate based on the weight of the population). In addition, the documents received by the auditors did not clearly explain the criteria for the selection of the high-low-medium risk stratified population and the criteria for the extrapolation of the results.

Therefore, the extrapolation method to determine the error rate in the entire population should be better explained and/or corrective measures for the calculation of the overall error rate (weight of the population) should be introduced.

This sub-recommendation is considered 'partially implemented'.

Recommendation 3 - third part concerns the disclosure of the nature of errors with no potential financial reservation in the AAR. According to the information provided in the 2014 AAR, this sub-recommendation is considered implemented.

21. Follow-up audit on DG DEVCO: assurance building Process in EU Delegations

Part of recommendation 2 (point 2.3 - important) has a separate action plan with a planned target date for implementation set at 31 December 2015 and will be subject to a follow-up at the beginning of 2016.

22. Follow-up audit on DG ECHO: financial management of Humanitarian Aid

The following recommendation was assessed as partially implemented:

Recommendation 3: "Follow-up of audit recommendations addressed to partners". The new target date set by DG ECHO is 31 March 2016. Based on the measures implemented so far and considering the residual risks, the Auditors have decided to downgrade this recommendation to important.

The action plans for the following recommendations are open, and together with recommendation 3, will be reviewed during the second follow-up audit.

Recommendation 2 "roles and responsibilities for the management of the imprest account" (very important).

Recommendation 6.1: "residual error rate (implementation of ex-post audit results – contradictory and post-contradictory phase)". Based on the implemented actions under point 6.2 and considering the residual risks, recommendation 6 was downgraded to important.

23. Follow-up audit on DG ECHO: contribution agreements with UN Bodies and other International organisations

Of the five original recommendations, four recommendations (recommendations 1 on "project monitoring" (very important), 2 on "reporting" (very important), 3 on "verifications of UN Agencies and International organisations" (very important) and 5 on "project design and selection" (important) remain open.

Recommendation 4 on Pillar assessment (Important) has been adequately and effectively implemented.

24. Follow-up audit on DG DEVCO: contribution agreements with UN Bodies and other International organisations

The IAS assessed that all the recommendations covered by the present engagement have been adequately and effectively implemented.

Concerning sub-recommendation 2.1 on "audit plan and verification missions - reporting on the results of verification missions " (important), remains open.

25. Follow-up audit on the IAC Audits in DG JUST (Audit on Procurement)

Recommendation 3: "devise a future strategy for the Commission's responsibilities with regards to ECRIS" (important) is considered by DG JUST as in progress with a revised completion date set for the 31th of March 2017.

26. Follow-up audit on IAC Audits in DG EAC

Based on the results of the follow-up audit, the IAS consider that the reviewed three recommendations have been adequately and effectively implemented and will be closed.

The remaining open IAC recommendations relate to the audits on "Document management" (recommendation 1 (important)), on "Country analysis" (recommendations 1 and 3 (important)) and "HR function" (recommendations 1, 2, 3, 4, 5, 6 and 8 (very important) and recommendations 7 and 9 (important)).

27. Follow-up audit on Lifelong Learning Programme in EAC and EACEA

Based on the results of the follow-up audit, the IAS assessed that recommendation 3 addressed to DG EAC (EACEA being associated) has been adequately and effectively implemented. Recommendations 1 and 2 about the DG EAC supervisory arrangements, can however only be considered as partially implemented. A Memorandum of Understanding (MoU) has been established and signed by DG EAC and EACEA in March 2015. The MoU specifies the key modalities and procedures for interaction between the Executive Agency and its parent DG. This general MoU will be supplemented by several specific MoUs that will cover areas such as financial resources, IT, information and communication, procurement and designated bodies. DG EAC and EACEA are currently working on the specific MoUs which were expected to be signed by the end of 2015.

Given the improvements already made, the IAS downgraded the rating of both partially implemented recommendations from very important to important.

28. Follow-up audit on National Agencies – DG EAC

Based on the results of the follow-up audit, the IAS assessed that three recommendations have been adequately and effectively implemented and will be closed.

The state of implementation of the two remaining open very important recommendations (1 on "internal performance" and 3 on "performance measures") will be assessed by a second follow-up audit.

29. Follow-up audit on IAC audits in EACEA

The results of the IAS follow up engagement are summarised below:

Monitoring missions in EACEA:

The IAS followed up six recommendations: two very important recommendations (recommendation 1 on "strategy and planning" and recommendation 7 on "data dissemination") and four important recommendations (recommendation 2 on "economies and optimal use of resources", recommendation 3 on "mission expenditure management", recommendation 5 on "improvement of procedure implementation" and recommendation 8 on "central reporting on AAR"). Based on the results of the follow-up, the IAS assessed that the six recommendations have been adequately and effectively implemented and can be closed.

Erasmus Mundus II Programme and the Intra-ACP academic mobility scheme:

The IAS followed up eight recommendations: four very important recommendations (recommendation 4 on "past performance - recurrent beneficiaries", recommendation 5 on "documentation of selection process", recommendation 6 on "students’ complaints" and recommendation 10 on "Doctorates’ Employment Contracts"), and four important recommendations (recommendation 7 on "programmes jointness and accreditation", recommendation 11 on "document management, filing and dissemination", recommendation 12 on "financial reporting" and recommendation 13 on "coordination with parent DGs and other DGs/Services"). They also followed up four very important open recommendations with an extended completion date of 31/12/2015 (recommendation 1 on "time lag and potential overspending", recommendation 2 on "global financial monitoring – decommitment rate", recommendation 8 on "payment of grants", recommendation 9 on "eligible activities and conditions ruling the geographical lots").

Based on the results of the follow up, all recommendations have been adequately and effectively implemented (and will be closed), except for the following two recommendations:

Recommendation 9 on "eligible activities and conditions ruling the geographical lots" (very important):

EACEA performed the analysis of the individual mobility flows implemented in 2011 and 2012 by the partnerships selected in the context of Erasmus Mundus. It identified and assessed the exceptional circumstances that these partnerships encountered and defined a procedure for the treatment of the cases of “force majeure”. However, this procedure has not been formally approved, consequently the "force majeure" clause cannot be implemented yet in order to assess the eligibility of an activity within the context of the Erasmus Mundus- Action 2 partnerships.
Recommendation 10 on "Doctorates employment contracts": EACEA completed the legal and operational analysis and senior management has already decided on the action to be taken. However, the Agency has not yet completed the estimation of the ineligible expenditure neither issued the recovery orders, if necessary. According to EACEA, this will most likely be done in the 1st quarter of 2016. For this reason, the IAS considers the recommendation as partially implemented, but, taking into consideration the progress done so far, downgrades it to important.

Recommendation 3 remains open.

30. Follow-up audit on HR management in response to the financial crisis in DG ECFIN

Concerning the remaining two recommendations, the IAS noted that the actions taken by DG ECFIN did not lead in all the cases to substantial improvement in the HR management system. As a result, the IAS considers that further actions are deemed necessary to adequately mitigate the underlying risks identified. Details and results of our review are as follows:

Recommendation 1 on HRM strategy (very important)

The IAS recommended to DG ECFIN that it should develop its multi-annual HRM strategy further to ensure that adequate human resources are available to meet its business objectives.

The IAS review is based on DG ECFIN's HRM strategy issued on 26/8/2015. This strategy document explains the context as well as past and on-going actions within the DG. It proposes new actions on organisational efficiency, recruitment and workforce planning, staff performance management, learning and development, career management and mobility and working conditions. For each of these aspects, indicators are included for 2015 and also the last 5 previous years.

IAS analysis of the document concluded that it mainly focuses on historical data, with limited forward planning at this stage due to the planned reorganisation of the DG As a result, there is not yet a clear link between DG ECFIN's political and operational priorities and its HR strategy.

As a consequence, the HRM strategy does not fully address the key aspects that were recommended in the original report, notably:

There is no qualitative and quantitative (multi-annual) analysis to address the actual staffing needs and the planned staff reduction over the next few years. This is a result of the uncertainties over the exact extent of the loss of resources but also on the dependency on the tools provided by DG HR. Within the existing limited options of DG ECFIN, a stop-gap solution to address this issue was implemented instead ;

For the proposed new actions, the indicators used to assess progress are not supplemented by milestones and key performance indicators to measure their level of implementation and effectiveness;

The monitoring mechanisms to assess key aspects of the HR strategy still need to be improved and streamlined.

In conclusion, the IAS considers that the actions implemented so far do not entirely address the original very important risk identified during the audit. However, given the improvements already made, the IAS consider that it has been partially mitigated and therefore the recommendation is downgraded from very important to important.

Recommendation 2 on "HR annual planning" (very important)

The IAS recommended that DG ECFIN improve its annual HR planning process by performing a task mapping exercise, assessing individual staff workload, and therefore being able to align staff allocation with tasks, priorities and workload identified as a consequence.

The IAS noted various recent actions taken by DG ECFIN as regards HR annual planning, notably:

The running of a pilot task mapping and workload assessment exercise using a tool (Petra) already in use in DG COMP, and adapted to ECFIN needs;

Using a tool provided by DG HR, a gap analysis to calculate job vacancies to be filled in the near future and how to quantify the gap in terms of number of posts resulting from retirement and both temporary and permanent exits.

Contacts with different DGs, including DG HR, DG BUDG and SG, concerning the definition of workload indicators;

The setup of a task force to redefine policy priorities which will lead to the readjustment of the HR envelope.

Nonetheless, these actions have not triggered concrete results contributing to an improved DG ECFIN annual resource planning process. The Petra task mapping tool is not yet fully adapted to the DG specific needs and as a result, it was decided not to implement it before the planned reorganisation. The gap analysis tool provided by DG HR was only partly used because it reflected the situation before the Commissions' reorganisation. The staff data used as input was out of date because it did not exclude staff that moved to the DG Financial Stability, Financial Services and Capital Markets Union (mostly from former Directorate E). Finally, DG ECFIN has not implemented workload indicators to date because, according to them, their contacts with DG HR, DG BUDG and SG, did not deliver a Commission-wide accepted definition for them.

For these reasons, DG ECFIN did not mitigate the original very important risks identified in the report. The missing tools prevent the DG from carrying out staff workload analysis and the corresponding alignment of staff allocation with tasks, priorities and workload in an efficient and effective way. Thus, it is also not possible to verify the suitability of the current staff allocation to each Directorate. This may result in an allocation of resources to Units and Directorates that are not in line with actual workload and priorities, and which in turn, may prevent it from achieving its objectives.

Recommendation 2 is, therefore, considered still open with the original rating of very important.

32. Follow-up audit on DG GROW IAC audits (1st batch: ex-MARKT audits)

Based on the results of the follow-up audit, the IAS assessed that: a) the recommendations in the audit reports on "the Internal Market Information (IMI) system project management" and "the process of managing complaints/infringements at DG MARKT" have been adequately and effectively implemented; b) the recommendations included in the audit of "the stakeholder consultation process" are obsolete - they proposed the redesign of stakeholder consultation procedures in the DG to ensure compliance with Commission principles and standards; however, new mandatory general principles and minimum standards for consultation have been established in the 'Guidelines for stakeholder consultation', part of the Better Regulation Guidelines adopted by the Commission in May 2015 (SWD(2015) final 111). The DG GROW intranet pages on stakeholder consultation procedures contain up-to-date information on the new guidelines.

33. Follow-up audit on DG MARKT's (FISMA's) cooperation with the three Supervisory Bodies on Financial Services

Based on the results of the follow-up audit, we assess that both recommendations addressed to DG FISMA were adequately and effectively implemented and will therefore be closed.

The IAS will perform a second follow-up in 2016 to assess the state of implementation of the remaining recommendation 1 on "working relationship and memorandum of understanding between DG FISMA and the ESAs" (important) which is currently open in Issue track.

34. Follow-up audit on HR management in response to the financial crisis in DG FISMA

The IAS followed up four recommendations out of the five recommendations issued in the original audit: recommendations 1 on "HRM strategy" (very important), 2 on "HR annual planning" (very important), 4 on "dissemination of good practices" (important) and 5 on "selection procedure" (desirable). Recommendation 3 on "monitoring and reporting on HRM" is currently open and has not been included in this follow-up engagement.

As a result of this follow-up audit, the IAS considers that recommendations 2, 4 and 5 have been adequately and effectively implemented and can be closed.

Concerning recommendation 1 on "HRM strategy", the IAS acknowledges the existence of DG FISMA's HRM strategy, issued on 20/10/2015, however this document only covers 2015 and 2016. For this reason it is more an HR annual planning than a strategic document with a medium to long-term perspective. In addition, this document does not include a quantitative analysis based on workload indicators, nor key performance indicators to identify the actual staffing needs and to address the planned staff reduction over the next years. It does not define either a mechanism to monitor the implementation of the HRM strategy.

In conclusion, the IAS considers that the actions implemented so far do not entirely address the original very important risk identified during the audit. However, given the improvements already made, the recommendation is downgraded from very important to important.

35. Follow-up audit on IAC audits – DG FISMA

Based on the results of the follow-up audit, we assess that three (recommendations 1 and 3 from the audit on "Staff learning and development" and recommendation 3 from the audit on "Management planning and use of results of studies") out of the four recommendations addressed to DG FISMA that resulted from the above mentioned IAC audits have been adequately and effectively implemented.

Concerning the important recommendation 5 on "learning and development budget", the IAS agrees with DG FISMA on the fact that the recommendation is obsolete. Due to the reorganisation of the DG, the original allocation of a learning and development budget per Directorate recommended to DG MARKT is no longer appropriate to the size of the current DG FISMA. In addition, DG HR has announced a change in the calculation of the learning and development budget to be allocated to each DG as from 2016 (from per capita to project-based allocation).

The four recommendations followed up in this engagement will therefore be closed. As a result, the audit on "Management, planning and use of results of studies" will also be closed. Concerning the IAC audit on "Staff development and learning", it includes additional three recommendations which are currently open in Issue track (recommendation 2 on "offer of learning and development activities" (important), recommendation 4 on "compliance with internal control standard No 4 and attendance of compulsory trainings" (important) and recommendation 6 on "promotion of learning and development activities" (important)).

36. Follow-up audit on IAC audit on document management in DG TRADE

Based on the results of the follow-up audit, the IAS assessed that all the eleven reviewed recommendations have been adequately and effectively implemented and will be closed.

Compared with the original audit, there is only one recommendation which remains open on "incompleteness of files in ARES" (recommendation 6 important).

37. Follow-up audit on enforcement in the context of multilateral and bilateral trade commitments

Based on the results of the follow-up audit, the IAS assessed the following;

Recommendation 5 on "timeliness of data in the MADB" (important).

The original recommendation requested DG TRADE to ensure that the Market Access DataBase (MADB) contains complete and up-to-date information on barriers, to be regularly checked. The IAS observed that DG TRADE has reminded the staff on the importance of the timely update of the trade barriers section in the MADB. In addition, the Marked Access Advisory Committee timely reviews and updates the lists of key barriers. However, the IAS noted that there are still delays in the subsequent update of the MADB, which consequently include obsolete/out-of-date information. Thus, we consider the recommendation as not yet fully implemented. According to DG TRADE, this issue will be addressed in 2016 by the further development of the Market Access Cases Workflow (MACW).

Recommendation 2 (very important) on "criteria used for prioritisation" good progress has been made towards its implementation and the original risk has been partially mitigated. Consequently the criticality can be downgraded to important.

Recommendation 1 (very important), the IAS noted that the strategic paper on the FTA implementation has been issued on 1st October 2015 including the description of the responsibilities of Unit G3, geographical desks and market units, but this strategy will be rolled out in 2016. In addition, the enhanced MACW does not cover all the steps of the workflow for enforcement activities. For these reasons, although DG TRADE has made progress towards implementation, the original risks have not been mitigated yet and the criticality remains unchanged.

Six recommendations (two very important recommendations (recommendation 1 "organisation of work in the context of enforcement activities" and recommendation 2 "criteria used for prioritisation"), and four important recommendations (recommendation 5 "timeliness of data in the MADB", recommendation 6 "documentation of enforcement activities", recommendation 8 "relations with business", recommendation 10 "preparation of the implementation phase of FTAs"), remain open.

38. Follow-up audit of the IAC Audit on management of the income process for the childcare activities in the OIB

One recommendation is not yet considered as implemented: 4. IT systems (important). It will be reviewed at a later stage by the IAS.

39. Follow-up audit on management of local IT in DG ESTAT

According to Issue Track, nine recommendations (of which one is very important) out of a total of thirteen are considered as implemented. Based on the results of our follow-up audit, we have assessed that all nine recommendations have been adequately and effectively implemented and can be closed.

40. Follow-up audit on the administrative processes supporting the European Semester

The IAS recognises that SG has completed some of the recommended actions, in particular the finalisation of the Vademecum for the European Semester and the related templates, the definition of the process for post mortem evaluations of the European Semester and of the roles and responsibilities for the collaborative space used by DG Country Teams. The IAS also appreciates the effort that the services are currently making to finalise in January 2016 the remaining actions, notably the finalisation of the action plan for the 2015 post mortem and the definition of access right policy and procedures for the collaborative space. However we assess that the two recommendations have not yet been adequately and effectively implemented and may need more time than currently foreseen to be fully implemented.

41. Follow-up audit of PMO IAC Audits

Based on the results of the follow-up audit, the IAS concludes that five recommendations have been adequately and effectively implemented and can be closed. These are:

IAC Audit on "Management of accidents' insurance in PMO.3", recommendations: recommendation 1 "financial opportunity for externalisation of accident insurance" (very important), recommendation 3 "management of accounts" (very important), recommendation 4 "guidelines for management of accident files" (important) and recommendation 8 "reliable tools for management of subrogation files" (important);

IAC Audit on "the effectiveness and efficiency of the mission management workflow in the PMO", the recommendation 1 "roles and responsibilities – control guidelines" (important)

For one recommendation (IAC Audit on "Management of accidents' insurance in PMO.3", recommendation 5 "reliable monitoring of accident files" (very important), the IAS has not received sufficient information to assess whether there has been sufficient progress to adequately mitigate the risk.

Six IAC recommendations considered by management as implemented have not been followed-up as these will be covered by planned IAS audits in the Strategic Audit Plan 2016-2018. Therefore, these recommendations remain open.

42. Follow-up audit on SCIC IAC Audits

With regard to the IAC audit on "the professional support provided to the interpreters", the IAS concludes that five recommendations have been adequately and effectively implemented and can be closed. These are;

Recommendation 1.2.2 "training module in the statistical tool and integration of relevant information related to the interpreters’ learning and development programme" (important), recommendation 3 "implementation of the training framework" (important), recommendation 4 "implementation of the training framework – arbitration process" (important), recommendation 5 "financial management and compliance" (important) and recommendation 6.1 "meeting preparation" (very important).

With regard to the IAC audit on "the technical support provided to meetings and conferences", the IAS have not been provided with sufficient information to assess the effective implementation of two recommendations (recommendation 1 "setting-up a technical governance/steering committee" (very important), recommendation 2 "establish a single list of rooms and communicate it to client" (important)). The recommendations will be re-opened. Two other recommendations of this audit also remain open (recommendation 4 "define the purposes of Coral within the technical support services" (important) and recommendation 5 "develop and implement a quality assurance and improvement programme for the provision of the technical services" (important)).

43. Follow-up audit of the IAC audit on "Risk Management in the Secretariat General"

Based on the results of the follow-up engagement, the IAS assessed that recommendation 1 on "Integration with the planning process" and recommendation 2 on "Awareness and support" have been adequately and effectively implemented and will be closed in Issue Track.

As regards the recommendation 3 "risk identification", the IAS notes that the risk assessment exercise performed in the first half of 2015 did not fully address the issues highlighted in the recommendation, as the units did not systematically identify risks as part of the set-up of the Unit Management Plan (i.e. only 13 out of 29 units indicated any kind of risks which could hinder them to achieve their objectives, while Directorate D - Policy Coordination did not report any risk). Furthermore, Senior Management was not involved in the validation of the final results.

However, the IAS notes the improvements made to the risk assessment exercise launched in November 2015, namely as regards the detailed guidance provided to all Directorates on how to identify, categorise and rate risks and the additional step of discussing the identified risks at senior management level.

As regards recommendation 4 "risk assessment and response", the IAS notes the improvements in the process. The risk management process is currently part of the Unit Management Plan set-up process, aiming to simplify the process and to improve the motivation of those who contribute. Detailed guidance was provided to the units on risk rating as part of the risk assessment exercise launched in November 2015 and senior management is foreseen to be involved in validating the results of the exercise.

According to the information received, the ongoing risk assessment exercise should be completed in early 2016. For this reason, the IAS considers that recommendation 3 "risk identification", and recommendation 4 "risk assessment and response", should remain open for the time being. However, as most of the agreed actions for recommendations 3 and 4 have been implemented, they will be downgraded from very important to important.

44. Follow-up audit on handling of sensitive information in the Legal Service

Based on the results of the follow-up engagement, the IAS concludes that the five recommendations have been adequately and effectively implemented and can be closed.

Although the IAS considers that the original risks have been adequately mitigated, there were a number of minor actions which were not implemented and where further improvements are possible:

the definition and recognition of the role of 'Documentalists' in the process of handling sensitive information is not clear (recommendation 1 on "roles and responsibilities at central and team level" (very important));

the current guidance/instructions on the 'Security incidents' may be strengthened by requesting the analysis of the causes of security breaches and the identification of the potential consequences or the type of response to be provided (recommendation 3 on "security incident reporting and management" (very important));

the current guidance/instructions does not include the monitoring activity to ensure the correct implementation of the procedure for the handling of EU restricted information (recommendation 6 on "handling EU restricted documents" (very important)).

All other recommendations remain open.

45. Follow-up audit on monitoring of security as managed by ADMIN-DS (HR Security) – new security rules

After the second follow-up, three recommendations (recommendations 1 on "roles and responsibilities – regulatory framework and bilateral agreements", and 2 on "roles and responsibilities – role and responsibility of the local security officer" and 6 on "security investigations (point b) on documentation of procedures") were assessed as not fully implemented. However, in view of the progress made at that time, they were downgraded from the original rating very important to important.

One of the pending actions, relating to recommendations 1 and 2, was the adoption of the new Commission security rules, which was expected to take place in the first part of 2015.

The Commission has now adopted the new set of rules on security, which includes the Commission Decisions 2015/443 on Security in the Commission, C(2015) 628 on setting up the Commission Security Expert group and C(2015) 444 on security rules for protecting EU classified information.

They address some of the points raised in our recommendations 1 and 2. Consequently recommendation 1 is considered now fully implemented and will be closed.

For recommendation 2 a last point on the training program for the Local Security Officers remains open.

46. Follow-up audit on management of local IT in PMO

Out of the four recommendations still open since the previous follow-ups two had been reported as implemented:

Recommendation 13 of the "Audit on HR IT Corporate Application – NAP" "trainings for NAP users" and,

Recommendation 11 of the "Audit on management of local IT in PMO" "accountability and Segregation of Duties in ASSMAL"

Based on the results of our follow-up audit, we have assessed that these two recommendations have been adequately and effectively implemented and can be closed.

47. Follow-up audit on the management and supervision of contracts for the outsourced IT Services (IT contract management)

DG SANTE

Based on the results of the follow-up engagement, the IAS assessed that one of the two recommendations ready for review (recommendation 3) has been adequately and effectively implemented and will be closed in Issue Track.

Recommendation 4 on Follow-up of memoranda of understanding between DG SANTE and DG DIGIT (I) requested DG SANTE to "be proactive and request DG DIGIT to have a formal annual joint evaluation of the services as provided for in the Memoranda of Understandings (MoU) and an overall assessment of the service, user's satisfaction, and recurrent problems encountered and areas for improvement should be discussed in these meetings."

DG SANTE sent a note (Ref. Ares(2015)4573565) to DG DIGIT on 26/10/2015, i.e. 5 days before the deadline of the action plan) to ask for a meeting in November 2015 in the context of a joint annual evaluation of the MoUs concerning the hosting of DG SANTE's information systems in the DIGIT Data Centre.

The meeting took place on 14 December 2015 based on information provided by DG DIGIT feeding the discussions. The recommendation was closed by the IAS.

Publication Office

Based on the results of our follow-up audit, the IAS concludes that both recommendations considered as implemented by management have been adequately and effectively implemented and can be closed in Issue Track.

The remaining two recommendations (recommendation 1 on "evaluation of OP's own call for tenders prior to publication" (very important) and recommendation 3 on "follow-up of MoUs between DG DIGIT and OP" (important)) will remain open.

48. Follow-up audit on Official Journal managed by Publications Office

No official note was issued on this section of the follow-up and the remaining recommendation on establishing a secure transmission of documents with the Council still remains a work in progress.

The criticality has been downgraded in 2015 from very important to important.

49. Follow-up audit on DG DEVCO: procurement under decentralised management mode

Based on the results of the follow-up audit, the IAS assessed that recommendations 1 (very important), 4 and 6 (important) and 7 (desirable) have been adequately and effectively implemented.

Concerning recommendation 3 on "the impact on the procurement process of weaknesses at contracting authorities' level", the IAS considers that some actions still need to be implemented to mitigate the related risks. In particular, the original action plan aimed at issuing a note giving instructions regarding the assessment of the capacity of the contracting authorities to implement EU financial rules and instructions. Further instructions on reinforced efforts on training, the organisation of kick-off meetings and the possibility to develop a roadmap for increasing the capacity of the contracting authorities should have been included in the same note. In this respect, the IAS observed that the role of the EU-Observers in guaranteeing compliance with the Commission's rules was clarified in the Companion. However, the IAS did not obtain evidence of any instruction note containing the implementation of the original action plan, as mentioned above.

Consequently, this recommendation is considered as only partially implemented and will be reopened.

50. Follow-up audit on IAC IT recommendations

Performance audit of the Anti-Fraud Information System (AFIS) (OLAF)

Based on the results of our follow-up audit, we have assessed that out of the original thirteen recommendations, five out of six recommendations implemented and one other which had not been reported as such (recommendation 11) have been adequately and effectively implemented and can be closed.

Recommendation 9 on "user account management" (important) requires further action. In particular, the audit recommended OLAF to develop and implement a stronger monitoring tool to ensure that deviations in the user account management are identified and addressed in a timely manner. The IAS considers that the AFIS User Registration Tool (URT) should be reinforced to identify and report inactive user accounts. Also, to enforce an annual review cycle and to lock accounts which have not been reviewed and confirmed by the responsible officer. The IAS note that a new tool called QUEST has been developed to achieve this goal, but it will not be in production until sometime in 2016. As a consequence, the IAS considers that this recommendation should remain open.

Audit on procurement in DG JUST and policy design and management of IT access rights in DG CONNECT

The results of these audits are reported above in summaries 25 and 19 respectively as they were part of wider IAC follow-up audits.

IT audit follow-up in DG GROW, DG REGIO and DG RTD

The IAS assessed that the recommendations under review have been adequately and effectively implemented and can be closed.

51. Follow-up audit on DG MARE local IT

Four recommendations (of which two are very important) out of a total of eight have been adequately and effectively implemented and will be closed.

List of follow-up audits performed in 2015 for which all recommendations have been closed after the follow-up

Based on the results of the follow-up audits performed in 2015, the IAS assessed that all the recommendations that resulted from the audits listed below and that remained open before the follow-up could be closed.

Audit Title

52. IAC audit on HR management in DG AGRI

53. IAC audit on control activities in DG MARE

54. IAS audit on European Fisheries Fund Control Strategy in DG MARE

55. IAS audit on design and monitoring of Directorate J control strategy (Pillar 1-2) in DG AGRI

56. IAS audit on performance measurement systems in DG REGIO – phase 1

57. IAS audit on performance measurement systems in DG REGIO – phase 2

58. IAS audit on performance measurement systems in DG EMPL – phase 2

59. IAS audit on control strategy - Audit and Financial Corrections Processes in DG REGIO

60. IAS audit on implementation of FP7 Control Systems in REA

61. IAC audits in ERCEA

62. IAS audit on SYGMA Project management (development process) in DG CONNECT and DG RTD – phase 1

63. IAC audit of Websites managed by the JRC

64. IAS audit on the control strategy in DG ENER

65. IAS limited review of the calculation and the underlying methodology of the residual error rates for the 2013 reporting year in DG CONNECT

66. IAS audit on development of IT Systems to support the management of the Horizon 2020 Research Programme under the ownership of DG RTD (Part I: URF/PDM and SEP projects)

67. IAS audit on control strategy in EASME (EACI)

68. IAC audits in DG RTD

69. IAC audit of support of the cost certification of FP7 projects in DG JRC

70. IAC audit on ex-ante visa on procurement in decentralised management in DG NEAR

71. IAC audit on joint management in Headquarters and Delegations in DG NEAR

72. IAC audit on cross-border cooperation in DG NEAR

73. IAC audits in DG COMM (Audit on the 'Circuits financiers de la DG COMM (siège)')

74. IAS audit on monitoring of EU law implementation in DG JUST

75. IAS audit on management of the IT projects (E4ALink and EVE) in DG EAC

76. IAS audit on control strategy in DG HOME – 1st

77. IAS audit on control strategy in DG HOME – 2nd

78. IAS audit on GMES/Copernicus programme managed by DG GROW

79. IAC audit on the handling and reporting of information security incidents in DG COMP

80. IAC audit on ethics in DG TAXUD

81. IAC audit on the capitalisation of intangible fixed assets in DG TAXUD

IAS audit on effectiveness of HR management to support the financial crisis in DG COMP

82. IAC audits on management of the forecasting exercise, asset management of mandates and budgetary transactions in DG ECFIN

83. IAC audits in DG TRADE (Financial Circuits)

84. IAC audits on document management and on administrative budget in DG ESTAT

85. IAS audit on HR IT Corporate Application in PMO– NAP

86. IAS audit on management and monitoring of staff allocation in the Commission Services (Multi-DG)

87. IAS Commission-wide audit on strategy and coordination of statistical data production, development and dissemination in DG ESTAT

88. IAC audit on risk management in the Legal Service

89. IAS audit on the efficiency and effectiveness of the design and implementation of the financial circuits in OIB

90. IAC audits in OP

91. IAS audit on AAR process in the Commission (Multi-DG) - recommendations addressed to DG BUDG

92. IAS audit on ethics in DG HR

93. IAS audit on the Management of building procurement contracts by DG HR and OIB

94. IAC audit on ethics in BEPA

95. IAS audit on Human Resource Management (Phase II) in DG HR

96. IAS audit on Security of IT environment in subcontracted projects in DG REGIO

PART 3: Summary of long outstanding recommendations as at 31 January 2016

DG	Audit title	Recommendation	Comments	delay
AGRI	IAS Audit on the Management and monitoring of staff allocation	Workload assessment	The action plan is expected to be implemented by mid-March 2016. The IAS will perform a follow-up in the course of 2016.	Expected delay of 1 year.
BUDG	Charge-back process in the Commission (IAS multi-DG audit)	Central guidance and instructions	A first follow-up was done in 2015. It was re-opened as guidance on the charge-back process for services delivered to other EU institutions, agencies and bodies had not been published. A second follow-up will be done in the fourth quarter of 2016.	Expected delay of 3 years and 6 months.
DEVCO	IAC Audit on Communication flows between DEVCO HQ and EU Delegations	Quality of the information on the intranet	According to DG DEVCO, several actions have already been implemented with the remaining actions to be implemented by the end of March 2016.	Expected delay of 9 months.
DEVCO	IAS audit on Compliance with Payment Deadlines	Monitoring and reporting on the payment process	The IAS is currently performing a new audit on non-compliance with payment deadlines (audit started in January 2016).
DIGIT	Management of logical access to systems (ECAS/LDAP/windows) (IAS audit)	Vision and strategy for identity and access management	A first deliverable (the vision document) is due to be adopted by DG DIGIT in the second quarter of 2016. However, further preparations are necessary for the development of the recommended strategy.	Expected delay of 1 year and 1 month.
DIGIT	Management of logical access to systems (ECAS/LDAP/windows) (IAS audit)	Planning of the Exodus project	A roadmap for the project was adopted by the project Steering Committee and security requirements are considered in the larger context of DG DIGIT Secure Hosting Services. However, the solution is not yet developed and implemented. The IAS considers that actions achieved so far are not sufficient to mitigate the risk exposure.	Expected delay of 1 year.
EAC	IAS Performance audit of National Agencies	Internal performance	The DG has contracted an external supplier to conduct a study to implement the recommendation. The final report is expected to be delivered in March 2016.	Expected delay of 1 year and 6 months.
ECFIN	IAS Audit on the Effectiveness of HR management to support the financial crisis in DG ECFIN, DG COMP, DG MARKT	HR annual planning	A follow-up conducted in October 2015 revealed that although various actions had been taken, these had not yet produced concrete results contributing to an improved annual resource planning. The IAS will assess new actions taken by the DG after this follow-up in the third quarter of 2016.	Expected delay of 1 year and 6 months.
ECHO	Contribution agreements with international organisations - DG ECHO (IAS audit)	Project Monitoring	While actions have been taken to further develop the monitoring framework, steps to evaluate the ability of partners to monitor and report on the achievement of objectives and results have not been taken.	Expected delay of 1 year.
ECHO	Contribution agreements with international organisations - DG ECHO (IAS audit)	Verifications of UN Agencies and International Organisations	The audit and verification strategy, including the sampling methodology, has not yet been finalised. It is still under discussion prior to its formal approval.	Expected delay of 1 year.
EMPL	DG EMPL Closure of the 2000-2006 ESF programming period (IAS audit)	Preparation for closure (Planning, Methodology and Guidance)	The recommendation relates to the preparations of the closure of the 2007-2013 period which is, however, due to begin in 2017, only. Nevertheless, the IAS is planning a follow-up in the second half of 2016 to assess the state of play.	Expected delay of 1 year and 6 months.
EMPL	DG EMPL Closure of the 2000-2006 ESF programming period (IAS audit)	Checks on closure documents	The recommendation relates to the preparations of the closure of the 2007-2013 period which is, however, due to begin in 2017, only. Nevertheless, the IAS is planning a follow-up in the second half of 2016 to assess the state of play.	Expected delay of 1 year and 6 months.
FISMA	IAS Audit on the Effectiveness of HR management to support the financial crisis in DG ECFIN, DG COMP, DG MARKT	Monitoring and reporting on HRM	The DG has reported this recommendation as 'implemented' in the meantime. An IAS follow-up audit is going to be launched in due time.
JRC	Third party liability (IAC audit)	Comprehensive risk methodology	Around 40% of the action plan has been implemented, with the remaining 60% expected to be completed by August 2016.	Expected delay of 1 year and 7 months.
JRC	Business continuity (IAC audit)	Local deputising arrangements for crisis management	As some JRC Institutes have not yet implemented the actions included in the original plan, the JRC is still exposed to the high risks identified in the audit report.	Expected delay of 2 years and 1 month.
JRC	Business continuity (IAC audit)	Governance structure	The strategy is expected to be approved soon.	Expected delay of 2 years and 3 months.
OP	IAS Audit of management and supervision of outsourced IT services (contract management)	Evaluation of OP’s own call for tenders (prior to publication)	Based on progress made in the implementation of the recommendation, the IAS is downgrading this recommendation to 'important'.	Expected delay of 7 months.
PMO	IAC Audit on Effectiveness and efficiency the mission management workflow	Mission management workflow (MIPS as managerial tool)	The full implementation of the recommendation is dependent on the finalisation of a series of IT developments on MIPS under the responsibility of DG DIGIT. A follow-up audit will be performed in the course of the second quarter of 2016.	Expected delay of 9 months.
PMO	IAC Audit PMO Management of accidents' insurance	Reimbursement of accident costs	A follow-up performed at the end of 2015 concluded that there was not sufficient information to assess whether sufficient progress has been made to adequately mitigate the risk.	Expected delay of 3 years and 1 month.
PMO	IAC Audit on PMO Contracts related to the management of missions	CAF implementation	A first follow-up revealed that some actions have been implemented. However, the implementation of the remaining actions relates to an on-going Commission-wide IT development and for which PMO is dependent on DG DIGIT.	Expected delay of 1 year and 6 months.
PMO	IAC Audit on PMO Contracts related to the management of missions	Key performance indicators	PMO is dependent on DG DIGIT for the implementation of the remaining actions.	Expected delay of 1 year and 11 months.
REGIO	Closure of the 2000-2006 ERDF programming period (IAS audit)	Preparation for closure (Planning, Methodology and Guidance)	Both recommendations relate to the preparations of the closure of the 2007-2013 period which is, however, due to begin in 2017, only. Nevertheless, the IAS is planning a follow-up in the second half of 2016 to assess the state of play.	Expected delay of 1 year.
REGIO	Closure of the 2000-2006 ERDF programming period (IAS audit)	Checks on closure documents	Both recommendations relate to the preparations of the closure of the 2007-2013 period which is, however, due to begin in 2017, only. Nevertheless, the IAS is planning a follow-up in the second half of 2016 to assess the state of play.	Expected delay of 1 year.
REGIO	Preparation for use of Financial Instruments in DG REGIO (IAS audit)	Legal framework for financial instruments in 2014-2020	According to management, the majority of the actions have been implemented. The delays in implementing the remaining actions should not lead to any material residual risk. IAS follow-up to be done in second half of 2016.	Expected delay of 1 year and 1 month.
SANTE	Management of Funds in DG SANTE Veterinary Programmes (IAC audit)	Financial Architecture of the Programs	The methodology for the re-evaluation of cost ceilings is expected to be completed by March 2016.	Expected delay of 10 months.
SANTE	Internal Control Standards 5,6,7 and 8 in DG SANCO (IAC audit)	Re-assessment of the Sensitive posts and functions	The recommendation has been partially implemented. Due to organisational changes in the DG, the completion of the exercise was put on hold but is expected to be finalised by mid-2016.	Expected delay of 1 year to 6 months.
SCIC	Operational audit of the professional support provided to interpreters (IAC audit)	Objective setting and performance indicators	The DG has reported this recommendation as 'implemented' in the meantime. An IAS follow-up audit is going to be launched in due time.
SCIC	Technical support provided to meetings and conferences (IAC audit)	Corporate governance	A follow-up performed in December 2015 concluded that the recommendation was not fully implemented given the on-going discussions in the Commission on how to re-organise the governance of meeting and conference support. A new follow-up will be performed in 2016.	Expected delay of 2 years.
SCIC	Technical support provided to meetings and conferences (IAC audit)	Management tools	The implementation of the recommendation is now dependent on the completion of the “Synergies and efficiency review” requested by Vice-President Georgieva.	Expected delay of 2 years.
TAXUD	DG TAXUD’s external communication strategy (IAC audit)	Unclear definition of roles and responsibilities	The DG has reported this recommendation as 'implemented' in the meantime. An IAS follow-up audit is going to be launched in due time.
TAXUD	Performance Measurement System in DG TAXUD Customs Activities (IAS audit)	Performance measurement of DG TAXUD customs activities	Only one action remains to be implemented. A follow-up will take place in the second quarter of 2016.	Expected delay of 1 year.
TRADE	Enforcement of EU rights in the context of multilateral and bilateral trade commitments (IAC audit)	Organisation of work in the context of enforcement activities	Although DG TRADE has made progress towards the implementation of the recommendation, the original risks have not been sufficiently mitigated to downgrade it.	Expected delay of 1 year and 8 months.

(1)

The summary reflects the assessment of the IAS on the status of implementation of the audit recommendations at the end of the follow-up assignment. It does not take into account any further actions that may have been undertaken by the auditee and reported to the IAS since the release of the IAS follow-up note or report, possibly having an impact on the status of the recommendation.

(2)

In the context of the current audit, reference sickness absence rate is defined as the rate an organisation can effectively achieve, i.e. taking into account the impact of the absences for the organisation and the cost-effectiveness of the measures to reduce it. Any effort to go below the reference rate would be too costly for the organisation.

(3)

This analysis should cover different criteria like for instance the staff structure (age groups, the type of contracts, gender balance) and the nature of activities performed in the Commission by different categories of staff.

(4)

RACER stands for: Relevant (Does it measure the right thing), Accepted (discussed, agreed and endorsed), Credible (does it provide credible measured results), Easy (not be too costly and does not require disproportionate efforts to get the data) and Robust (does not lead non-experts to draw wrong conclusions and does not generate adverse effects) (Source: SG Methodological Guidance on Preparing Management Plans dated 07/10/2014).

(5)

See Annex 10 of DG AGRI's Annual Activity Report for 2014-Part 3.2, "Direct Payments-Control results and the DG AGRI assessment thereon", paragraph 3.2.7 "Root causes of the error rate in direct payments- what is DG AGRI doing about it".

(6)

According to article 43 of Regulation (EU) 1307/2013

(7)

Regulation (EU) 1307/2013

(8)

IR 641/2014

(9)

Article 46 of Regulation (EU) 1307/2013

(10)

Articles 30 of Regulation (EU) 1306/2013 and 65(11) of Regulation (EU) 1303/2013

(11)

Such as agri-environmental-climate measures

(12)

Articles 22 and 23 of Regulation (EU) 1305/2013

(13)

Cross-compliance rules consist of a number of statutory requirements under EU law as well as standards for Good Agricultural and Environmental Condition of land (GAEC) to be defined at national level, which aim at protecting the environment together with public, plant and animal health as well as animal welfare. Farmers receiving Direct Payments need to comply with these cross-compliance rules.

(14)

See Page 202 of DG AGRI 2014 AAR.

(15)

REGULATION (EU) No 1306/2013 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 17 December 2013 on the financing, management and monitoring of the common agricultural policy and repealing Council Regulations (EEC) No 352/78, (EC) No 165/94, (EC) No 2799/98, (EC) No 814/2000, (EC) No 1290/2005 and (EC) No 485/2008.

(16)

REGULATION (EU) No 1303/2013 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 17 December 2013 laying down common provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund, the European Agricultural Fund for Rural Development and the European Maritime and Fisheries Fund and laying down general provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund and the European maritime and Fisheries Fund and repealing Council Regulation (EC) No 1083/2006.

(17)

COMMISSION IMPLEMENTING REGULATION (EU) No 908/2014 of 6 August 2014 laying down rules for the application of Regulation (EU) No 1306/2013 of the European Parliament and of the Council with regard to paying agencies and other bodies, financial management, clearance of accounts, rules on checks, securities and transparency

(18)

COM(2015) 215 final, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Better regulation for better results - An EU agenda , SWD(2015) 110 final, SWD(2015) 111 final, 19 May 2015.

(19)

Interim payments made in 2014 under the ESF 2007-2013 represent 88% of the total payments made by DG EMPL in 2014. NB: The IAS did not review the calculation or the methodology related to the other ABBs in DG EMPL (under direct management mode, under indirect management mode, i.e. Instrument for Pre-Accession –IPA – Human Resources Development or under shared management mode, i.e. European Globalisation adjustment Fund, EGF).

(20)

DG ENER IAC Follow-up Audit on the Nuclear Decommissioning Assistance Programme (A 2014-6)

(21)

See point 2.1 last paragraph of the explanatory memorandum of Proposal for a COUNCIL REGULATION on Union support for the nuclear decommissioning assistance programmes in Bulgaria, Lithuania and Slovakia. {COM(2011)783 final}

(22)

See point 73 and 91 of the European Parliaments resolution of 17 April 2013 on the Court of Auditors' special reports in the context of the 2011 Commission discharge (2013/2015 (DEC))

(23)

SMART criteria stand for 'Specific, measurable, achievable, relevant and timed' objectives (Financial Regulation - Art. 30(3).

RACER criteria stand for 'Relevant, accepted, credible, easy and robust' indicators (SG Guide on 'Setting objectives and indicators').

(24)

According to the Establishment decision and the Constitutive agreement, the name of the TF is "EU Regional Trust Fund in Response to the Syrian Crisis, "the Madad Fund". For the purpose of this audit, the IAS uses 'TF Madad' for better readability of the text.

(25)

Article 14 of the Regulation (EU) No 231/2014 of the European Parliament and of the Council establishing an Instrument for Pre-accession Assistance (IPA II), 11 March 2014.

(26)

Including clearing of pre-financing.

(27)

The 2014 RER for Indirect Management by Beneficiary Countries (equal to 2,67%) results from errors found in the implementation of 2006 Programmes, which are not IPA-related.

(28)

RECs are sub-regional African international organisations: The Economic Community of Sahelo-Saharian States (CEN-SAD), Common Market for Eastern and Southern Africa (COMESA), the East African Community (EAC), the Economic Community of Central African States (ECCAS), the Economic Community Of West African States (ECOWAS), the Intergovernmental Authority on Development (IGAD) in Eastern Africa, the Southern African Development Community (SADC), the Arab Maghreb Union (UMA).

(29)

22 NPs, out of a total of 58 had been adopted at the end of the audit fieldwork date (05/06/2015), corresponding to a 38% completion rate. DG HOME communicated to the IAS on 27/08/2015 the following: "A further 23 NPs have been adopted in July/August… To date, 45,of the 58 NPs have already been adopted. The review process for the remaining 13 is well advanced ".

(30)

At the end of the audit fieldwork date (05/06/2015), 25 designations, or 43 %, have been communicated to DG HOME.

(31)

E.g. During the mid-terms review or when assessing the Annual Implementation Reports in case of new information or unforeseen events which may require the need to change the target values.

(32)

Previous controls (i.e. Accounts reviewed by the same AA and already cleared by the Commission), Future controls (i.e. future clearance decisions and the reliability of the AA and its impact on DG HOME's Audits

(33)

Two scenarios (or a mix of them) may need to be considered with different probabilities (based on experience from SOLID funds) and resources implications: Scenario 1 - Most of the AAs are reliable and the 'Single Audit Concept' can be applied in practice Scenario 2 - An important number of AAs are not reliable and the 'Single Audit Concept' will be applied to a limited extent.

(34)

In this context, alignment with ESIF (European Structural and Investment Funds) DGs on the methodology for issuing reservations should be explored (i.e. At ABB level vs. at NP level) in coordination with DG BUDG.

(35)

Whereas the IAS notes that the legislator has deliberately chosen not to include a 'Performance Reserve' in the new HOME funds (i.e. no financial penalties are envisaged in case of under-performance issues), the Commission's move towards a real 'performance culture' has to be given the necessary attention and the need for reliable performance data reported by MSs is key in this context.

(36)

Considering the commonalities on the control set-up, the experience of those DGs and the limited resources of DG HOME, the use of already available guidance (adapted to HOME context) may be a cost-efficient option.

(37)

Ex-post controls of the legacy have already been extensively revised both by the IAC and by the ECA with no significant outstanding issues.

(38)

The draft AAR used in this limited review is the version of 27/02/2015.

(39)

As DG FISMA was only created on 1/1/2015, the processes under examination are to a large extent the processes taken over from the former DG MARKT.

(40)

According to Commission Decision on EUROSTAT of 17 September 2012 (2012/504/EU) "other statistics" are statistics that are not European statistics developed, produced and disseminated by other Commission services and that are identified in the planning and coordination exercise steered by Eurostat. Subject to available resources, Eurostat should provide guidance and training and optimise the use of existing information that can be used for statistical purposes, in order to ensure quality and minimise burden for respondents.

(41)

The standard MoU between Eurostat and Operational DGs establishes in Art. 4 that Eurostat should "identify other statistics and administrative records with a view of compiling an inventory of statistics collected by Commission services and a statistical master plan […] for the Multiannual Financial Framework period (planned activities).

(42)

The security gap analysis was meant to determine the gaps between the Commission Security Standards (i.e. mandatory measures related to the Commission Decision on the security of information systems C(2006)3602) and the actual level of security of DG COMP information systems. According to this report, the compliance level is on average 60%, with certain areas fully implemented and other requiring several actions to comply.

(43)

FIT is applied at the premises of private companies to examine computers and digital storage media with the aim of identifying, preserving, recovering, analysing and presenting data that can be used as legal evidence in the context of cartel and antitrust investigations

(44)

ISA is the programme on Interoperability Solutions for European Public Administrations. It supports and facilitates efficient and effective cross-border electronic collaboration between European public administrations. The programme enables the delivery of electronic public services and ensures the availability, interoperability, reuse and sharing of common IT frameworks and software components. The ISA projects in DG COMP are SANI2 (GENIS), ECN2, eTrustEx, Recovery calculator, Transparency, SACollab (State Aid Collaborative space), SARI, and ReferenceData (REDDA).

(45)

The programme management needs involve both the business and the IT dimensions, notably in terms of organisation and governance.

(46)

Section 3.4.1 of the Implementing Rules of the Decision C(2006) 3602 states that the classification of information systems must be "based on their security needs". SPECIFIC systems are those information systems having additional security requirements and/or stronger security measures compared to those for STANDARD ones. These must be determined using either a full risk assessment or a limited risk assessment focusing on the area(s) of concern.

(47)

The aim of the SGA was to determine which gaps exist between the Commission Security Standards (i.e. the mandatory security measures related to Commission Decision C(2006)3602 and its implementing rules) and the level of security of DG COMP Information Systems.

(48)

According to this principle, a user account should operate and launch IT applications with as few privileges (in the sense of permission to perform an action) as possible, to limit access only to information and resources necessary for a legitimate purpose.

Choose the experimental features you want to try