This document is an excerpt from the EUR-Lex website
Document 52008DC0499
Communication from the Commission to the European Parliament and Council - Annual report to the discharge authority on internal audits carried out in 2007 {SEC(2008) 2361 final}
/* COM/2008/0499 final */
COMMISSION OF THE EUROPEAN COMMUNITIES

Brussels, 30.7.2008

COM(2008) 499 final

Communication from the Commission to the European Parliament and Council

ANNUAL REPORT TO THE DISCHARGE AUTHORITY ON INTERNAL AUDITS CARRIED OUT IN 2007

{SEC(2008) 2361 final}

TABLE OF CONTENTS

1. Introduction
2. Working environment and audit plan
2.1. Working environment
2.2. Developments in the Internal Audit Process
2.3. Implementation of the IAS audit plan
2.4. Acceptance of recommendations and views of auditees and stakeholders
3. Main Findings and Recommendations
4. Conclusions

ANNUAL REPORT TO THE DISCHARGE AUTHORITY ON INTERNAL AUDITS CARRIED OUT IN 2007

INTRODUCTION

This report informs the Discharge Authority about the work carried out by the Commission's Internal Audit Service (IAS), in accordance with Article 86(4) of the Financial Regulation (FR). It is based on the report of the IAS according to Article 86(3) of the FR on key audit findings and, in accordance with professional standards, on significant risk exposures and control issues and corporate governance issues.

This report is based on IAS audit and consulting reports finalised in 2007. This report concerns audit and consulting work related to Commission DGs and Services and executive agencies only. It does not cover the IAS work on other agencies or bodies.

The Commission's reactions to the findings and conclusions of the Internal Auditor are covered in the synthesis report on the annual activity reports of the Directors-General. In this synthesis report, adopted at the same time, the Commission takes a position on the cross-cutting issues raised by the Internal Auditor, the European Court of Auditors and the Discharge Authority, or identified by the Audit Progress Committee and by the Director-General for Budget in his overview report. This means that certain views or opinions in this report are not necessarily fully shared by the Commission.
The difference of views reflects the normal process of dialogue between the institution and its Internal Auditor.

WORKING ENVIRONMENT AND AUDIT PLAN

Working environment

As part of the Commission's reform, 24 Internal Control Standards and related "baseline requirements" had been introduced in 2000. These Standards were revised in 2007 with a view to moving from compliance to effectiveness, simplifying the language and making all staff aware of the Standards and also of non-financial issues. The revised Standards came into effect on 1 January 2008, and DGs/Services are now asked to select, based on a risk assessment process, which standards they wish to prioritise in order to demonstrate effectiveness.

The second report on the progress of the Commission Action Plan towards an Integrated Internal Control Framework concluded that progress has been made in terms of the assessment of management and control systems in the structural funds, the definition and assignment of control responsibilities in shared management and the presentation of assurance in DGs' Annual Activity Reports.

2007 is the first year of operation of the 2007-2013 financial framework, with a new control approach in the area of research and a new programming process for structural funds based on common standards for financial management, control and evaluation (e.g. Member States to provide summaries of available audits and declarations).

In 2007, the accounts were signed off for the first time by the Commission's Accounting Officer pursuant to the amended FR.[1] Significant progress was achieved in developing the ABAC IT system. The delegations' imprest accounts were fully integrated into ABAC in January 2007, an updated project plan for the migration of the European Development Fund accounts to ABAC was prepared and the Commission was working towards "going live".

The Commission further implemented its business continuity provisions. All Commission DGs submitted validated business continuity plans.
Some DGs have already started testing their individual plans. A corporate business continuity communication exercise and testing of the overall business continuity plan were carried out in 2007. Efforts are now focused on awareness raising, training and further exercises to share the lessons learned.

A new, dynamic approach to fraud proofing was introduced.[2] The previous upstream consultation process on draft legislation introduced in 2001 will remain available, but in addition more input will be provided to the Commission by OLAF, resulting from its investigative activities. OLAF will make a structured and multidisciplinary analysis of its investigative activities, but it will also base the new fraud proofing activity on a large information pool, including audit findings by the IAS and by Internal Audit Capabilities (IACs).

The IAS continued to have the full support of VP Kallas and the APC, which enabled it to remain independent and objective in pursuit of its functions. In June 2007, a revised charter of the APC was adopted. Following a recommendation made in the 2006 Report of the Internal Auditor the Commission issued a governance statement in 22 languages.

Developments in the Internal Audit Process

The Commission updated the mission charter of the IAS and introduced a model charter for the IACs. The main points include accountability, independence, objectivity and responsibilities. This ties in with a conclusion in the 2006 annual report of the Internal Auditor that the efficiency and robustness of the internal audit architecture should be improved. The IAS will also give an annual overall opinion on the internal controls in the Commission starting with 2009, the final year of the current audit planning.

Following the IAS report on the quality review of all IACs, 2007 was the first year of the 2007-2009 strategic audit planning cycle, with common IACs/IAS planning and risk assessment in favour of a single audit approach.
This firmly consolidates the audit universe, strengthens IACs' independence and further fosters cooperation between IACs and the IAS. This cooperation has been further strengthened through the Auditnet (IAC model charter, audit opinions and annual IAC opinion).

The second external quality assessment of the IAS was launched. This will be finalised in 2008 with an independent opinion on the compliance of the IAS with the internationally recognised standards of the Institute of Internal Auditors (IIA). The result of a pre-assessment was that the IAS generally complies with the IIA standards, with the exception of Resource management (high turnover of staff, audit v. non-audit functions) and Quality of communications (time lag between the end of field work and the final report; discussion of findings with the auditee), where the IAS partially complies.

The Internal Auditor and IAS staff played an active part in cooperation between the EC and the UN in the field of administration and financial management. They also contributed to meetings of the profession at international level: the IIA world conference, the Representatives of Internal Audit Services of the United Nations Organisations and Multilateral Financial Institutions conference and the second specialised conference for Internal Auditors in Central Europe. The IAS was also represented at the meeting of "coordinated organisations".

The annual IAS conference provided more food for thought in relation to the overall audit opinion. The IAS has now included a blueprint in its 2008 annual management plan with a view to issuing its first overall opinion at the end of implementation of the strategic audit plan covering 2007-2009.

Implementation of the IAS audit plan

The strategic 2007-2009 IAS audit plan, drawn up in close cooperation with IACs, was endorsed by the APC on 2 February 2007.
The 2007 work programme was implemented to 95%: 68 reports (41 audit reports, 25 follow-up reports, and 2 management letters) were finalised in 2007. Executive summaries of these reports are annexed.

DG/Service | Engagement | Issue date

Administrative and other support systems
SG/BUDG/REGIO/EMPL/RTD/ADMIN/DIGIT/INFSO/JLS/AIDCO | AAR Assurance Process | 21 January 2008[3]
ADMIN | Follow-up human resources management phase I | 13 December
BUDG | ABAC - implementation of accrual based accounting | 3 May
BUDG | Comparative Analysis of the Accruals-Based Accounting Systems and Financial Reporting as Implemented by the European Commission and some Member States | 26 April
COMM | Examination of the purchase of office buildings in Cyprus | 14 September
COMM | Special report on tendering procedures for transmission services in DG COMM | 14 December
DGT | Management of translation demand | 13 June
DGT | Follow-up of IAS validation of self-assessment of the IAC of DGT | 14 December
DIGIT | IT procurement and service delivery in DG DIGIT | 5 December
EPSO | Follow-up on limited review of the selection process as managed by EPSO | 18 December
ESTAT | Second follow-up audit of the in-depth audit of Eurostat | 9 March
ESTAT | IT procurement and service delivery | 20 November
OIB | Management of procurement contracts in OIB | 3 April
OIB | Management of buildings procurement contracts by OIB | 3 April
OIB | Follow-up on buildings infrastructure managed by the European Commission | 8 February
OIB | Follow-up on transaction testing | 20 April
OIB | Evaluation of targeted ICS | 4 October
OIL | Management of procurement contracts | 3 April
PMO | Controls over payment of pensions | 7 September
SCIC | Follow-up of validation of self-assessment of the SCIC IAC | 29 November

Internal policies
COMP | Follow-up report on the audit of IT controls | 16 May
EAC | ABAC - implementation of accrual-based accounting in DG EAC/2006 closing | 18 July
EAC | Follow-up report on the implementation of ABAC | 18 July
EACEA | Implementation of the financial circuits for operational budget of the EAC executive agency | 19 March
ENTR | Management letter ex-post controls | 20 April
ENTR | Follow-up report on the financial management of the innovation relay centre (IRC) network | 23 October
ENTR | Follow-up of validation of self-assessment of the DG ENTR IAC | 18 December
ENV | Monitoring the implementation of EC law | 22 January
ENV | Second follow-up audit of DG ENV's 2004 in-depth audit | 29 March
ENV | Grant management of non-life programmes | 18 September
INFSO | Ex-post controls | 20 February
JRC | Second follow-up of in-depth audit of the JRC of 2004 | 21 September
MARKT | Follow-up report on DG MARKT financial management and financial circuits | 18 January
RTD | Follow-up report on the in-depth audit of DG RTD (2003) and the audit on financial circuits & financial management in DG RTD (2005) | 16 March
RTD | IT procurement and service delivery | 30 November
TAXUD | IT procurement and service delivery | 18 October
TREN | Follow-up report on the audit of financial management and financial circuits in DG TREN | 20 March
TREN | Follow-up report of "Audit of local IT management process" | 7 September
TREN-IEEA | TREN executive agency | 30 January
TREN | Follow-up of validation of self-assessment of DG TREN IAC | 20 December

Structural Measures and Common Agricultural Policy
AGRI | Local IT systems of DG AGRI feeding into ABAC | 25 May
AGRI | Interventions in agricultural markets | 23 November
AGRI | Follow-up report on structural funds - EAGGF GUIDANCE | 22 November
EMPL | Prevention and detection of fraud in the structural funds | 19 December
EMPL | Implementation of programmes in the new Member States | 12 December
FISH | Follow-up audit report on structural fund - financial instrument for fisheries guidance | 20 July
REGIO | Implementation of programmes in the new Member States | 13 November
REGIO | Follow-up on the ERDF - audit of the implementation of Article 38 of Council Regulation 1260/1999 | 14 December
REGIO | Prevention and detection of fraud in the structural funds | 19 December

External Policies
AIDCO | Eligibility of costs under the financial and administrative framework agreement with the United Nations by DG AIDCO | 19 June
AIDCO | Ex-post control activities | 18 July
AIDCO | Follow-up audit on NGOs funding | 31 July
AIDCO | Financial Management of Main Programmes in Directorate D | 20 December
ECHO | Follow-up audit on NGOs funding | 6 June
ECHO | Monitoring and supervision tools | 23 November
ECHO, ADMIN | Management letter on security Issues in DG ECHO | 29 November
ELARG | Follow-up audit report on the in-depth audit of DG ELARG | 15 March
RELEX | Follow-up audit of the audit on handling of classified information and communication among the delegations and DG RELEX | 4 July
TRADE | Implementation of selected internal control standards | 13 June

Acceptance of recommendations and views of auditees and stakeholders

In 2007, the rate of acceptance of audit recommendations by auditees was 99%, with 1% rejected.

Commission and executive agency audits
Recommendations | Accepted | Rejected | % | Total
Critical | 5 | 1 | 2 | 6
Very important | 111 | 0 | 41 | 111
Important | 129 | 3 | 49 | 132
Desirable | 20 | 0 | 8 | 20
% | 99 | 1 | |
Total | 265 | 4 | | 269

Auditees' feedback on the scope and conduct of the audit yielded an average result of 1.86 (previous years: 1.95 for 2006 and 1.82 for 2005) on a scale of 1 (highest) to 4 (lowest).

In a new stakeholder survey, 80.5% thought that the IAS had a clear audit strategy (compared with the previous result of 75%), 82.9% that audits were performed with honesty, objectivity and fairness (85.7% in 2006) and 48.8% that the IAS recommendations are useful (previously 60.7%).
Overall, however, 80.5% (previously 55.4%) considered that the IAS work contributes to the quality of management and control systems in the Commission.

MAIN FINDINGS AND RECOMMENDATIONS

AAR assurance process

The engagements assessed the effectiveness of the Annual Activity Report (AAR) assurance process, which is a key component of the Commission's governance architecture and represents best practice worldwide. They covered six operational DGs plus four horizontal services.

The AAR process is being continuously improved (e.g. peer reviews and revised standing instructions). As a result of the audit the standing instructions issued by the Secretariat General have already been revised along the lines of the IAS proposals: more explicit guidance on how the different components feed the assurance, including an explanation of how the IAC opinion has contributed to the assurance; a precise definition of the control strategy; systematic and mandatory use of key indicators on the functioning of control systems; reconciliation with findings by the European Court of Auditors (ECA) and explanations of delays in the implementation of critical and very important internal audit recommendations. A more extensive peer review is planned, aiming at a more complete and consistent synthesis report.

While DGs can report major non-financial deficiencies in their AAR, the IAS drew attention to the limitations of the management declarations of assurance, given that they cover neither non-financial nor systemic responsibilities.

Handling of sensitive/classified data and physical security

The data security risks need more attention. The IAS issued recommendations on a formalised security clearance policy and the need to reinforce database security controls in order to avoid any leaks of sensitive information or access by unauthorised persons.
On occasions, internal instructions do not encourage the use of the Commission's classification rules and their enforcement is not always proportionate to the specific security risks. Departments accepted that DG-specific rules for dealing with sensitive information (unauthorised disclosure of which would cause harm to the EU) or other security issues should be coordinated with central security services so as to ensure a coherent approach to security. In terms of physical security this concerns in particular staff who by the nature of their work are exposed to a high risk in the area of external aid.

As regards the handling of classified information in delegations, three critical recommendations from an earlier audit were being implemented to enable delegations to exchange classified information electronically and to be fully compliant with security rules.

Monitoring the implementation of EC law

The Commission communication on monitoring EC law,[4] which describes what action the Commission will take to improve the application of Community law, takes into account most of the main recommendations issued by the IAS in its consolidated report of December 2006.

The last of this series of audits concerned environmental legislation. Weaknesses were detected in the pro-active monitoring of EC law. In particular, no assurance could be obtained that all directives are being transposed correctly and on time in all Member States. The most important IAS recommendations have been taken into account in a draft Commission Communication on the implementation of EC environmental law and the DG-specific action plan provided for implementation of all recommendations by December 2007 except for two recommendations, the last of which is to be implemented by December 2009.

Ex-post controls (EPC)

The series of audits of EPC in the research family was completed with an audit in DG INFSO.
As a follow-up to the recommendations made, the DGs of the research family decided to implement detailed action plans which are regularly monitored by the APC.

Further EPC audits were carried out in two DGs to assess the compliance, efficiency and effectiveness of EPC, which are instrumental for a positive declaration of assurance. Recommendations to increase the ex-post audit coverage, the integration of EPC into control chains and the increased use of key performance indicators (KPIs) were accepted and are being implemented.

Fraud prevention in Structural Funds

Following audits on the European Social Fund and the European Regional Development Fund, a specific joint fraud prevention strategy for Structural Funds will be set up with the co-operation of OLAF and will subsequently be reviewed on an annual basis. The quality and accuracy of information on fraud cases and the assessment and monitoring of controls exercised by Member States in relation to fraud will also be improved, for instance by setting up a hotline in the Member States. All recommendations were accepted with completion dates up to the end of 2008.

Procurement

As part of the wider audit work on IT procurement and service delivery in the Commission, four DGs were audited for compliance with Commission rules and effectiveness and efficiency. Limited residual risks were identified in three DGs, these relating to an insufficiently precise description of services to be provided, time reporting by external providers, the late start of the procedure to renew contracts and insufficient recording of exceptions.
Following the IAS audit, a new buildings procurement procedure was developed which, among other things, will improve the documentation of the decision-making process, ensure that key information is circulated at an appropriate stage, introduce a risk management system for all building procurement projects and incorporate long-term strategic management with clearly separated, but interacting, policy definition and implementation processes.

For procurement contracts other than for buildings the DG concerned decided to develop a module to ensure the effective follow-up of steps in the procurement procedure, to create a register containing all correspondence related to complaints and to produce, for important tenders, a strategy document which will include cost-benefit analyses and will also cover needs.

Controls over payments of pensions

This audit assessed the adequacy and effective application of the internal control system and risk management in relation to the determination and payment of pensions to retired staff. An outdated computer system makes manual controls necessary. While there are sound ex-ante controls in place, targeted, risk-based ex-post controls will be carried out in future, thereby reducing the risks of, for instance, incorrect payments, loss of paper files and incorrect manual adjustments.

Implementation of ABAC

As the introduction phase of ABAC, closely accompanied by European Court of Auditors (ECA) audits, is being completed, the IAS is reducing its audit activity in this area. Following an adverse opinion on the closing of accounts for 2005 in DG EAC, a closing accounts audit of DG EAC and its executive agency for 2006 (in cooperation with the ECA) was carried out and a qualified reasonable assurance was given, although there was a finding of limited reconciliation between local and central accounting systems and incomplete documentation. The implementation of ABAC was also the subject of IAC audits.
Executive agencies

The IAS audited two executive agencies with reasonable assurances regarding the business objectives being given in both cases. Some of the issues highlighted related to compliance with the Commission Decision on the Security of Information Systems and with the Personal Data Protection Regulations, procedures regarding year-end transactions, harmonisation and simplification of checklists and workflows and a comprehensive approach to ex-post controls. Other newly created executive agencies (European Research Council Executive Agency and Research Executive Agency) may benefit from the experience gained by existing agencies on how best to implement all the necessary steps in the start-up phase.

FAFA (Financial and Administrative Framework Agreement with the UN)

Following last year's audit on compliance with the FAFA and the capacity to obtain assurance regarding the use made of EU funds, the APC invited the IAS to assess the materiality of the residual risks with regard to indirect costs in particular, and in association with the overall controls on EC/UN funding within the FAFA and the UN financial control system. The additional audit work confirmed that the design of FAFA is appropriate, but also that the control mechanisms still need to be effectively and further implemented. The DGs concerned have accepted all the recommendations and have already undertaken several initiatives to increase the use of FAFA control tools on direct and indirect costs.

Financial and grant management

Financial audits were carried out in the areas of Asian delegations and for environmental programmes.
The audit of the management of the main financial programmes in Asian delegations identified a number of areas for improvement that management intends to implement by the end of 2008: lines of responsibility between Delegations and line DGs to be more clearly defined; headquarters to play a greater support and guidance role for delegations to ensure coherent and efficient operation across delegations; improved project and portfolio monitoring and an enhanced training strategy.

An assessment of the functioning of the process of grant management for environmental projects revealed the need to improve documentation for controls of beneficiaries' actual costs; to refine the ex-post control strategy to cover smaller beneficiaries; to ensure timeliness of approval of technical reports; and to issue specific guidelines for ex-post controls that are subcontracted to external audit firms.

A considerable number of grant or financial management audits were also carried out by IACs.

Follow-up

The timely follow-up of audit recommendations is crucial for the effectiveness of internal audit and for the continuous improvement of internal control. Some progress has been made, leading to a decrease in the total number of outstanding recommendations made before 2006. In the IAS's view more than 80% of the recommendations have been implemented.

However, there are still significant delays in the implementation of critical and very important recommendations, revealing weaknesses in DGs' implementation of action plans, particularly in relation to older recommendations. More than 25% of outstanding critical and very important recommendations are overdue by more than six months (although this is a considerable improvement compared to more than 50% a year ago).
In an effort to remedy this situation, the IAS proposed that the DGs/Services which did not take steps to implement overdue critical and very important recommendations be reminded of the importance of doing so and also, where appropriate, to give the reasons for delays in the Annual Activity Reports. The APC pays particular attention to the follow-up of recommendations and fostered implementation by deciding that letters will be sent by the APC Chair to the Commissioners concerned, to draw their attention to critical and very important recommendations that are more than six months overdue.

CONCLUSIONS

On the basis of the Commission audits and reviews finalised in 2007, and other related work, the Internal Auditor of the Commission drew the following conclusions (the Commission's position is contained in the synthesis report on the annual activity reports of the Directors-General).

IAS conclusion 1: Overall progress made, but more improvements needed

In the course of its audit work, the IAS noted further improvements in the Commission's internal control systems. The number of critical IAS recommendations issued decreased from twelve in 2006 to six in 2007 and the number of audits with adverse IAS opinions dropped from nine in 2006 to six in 2007. However, further improvements are still needed, for instance in the areas of grant management, ex-post controls, procurement and implementation of data protection provisions.

IAS conclusion 2: Information Security

Ensuring that sensitive information held in the Commission (both at Headquarters and in the Delegations) is protected against unauthorised disclosure and access is of paramount importance for the Commission's effectiveness and reputation. All DGs and services concerned should pay particular attention to information security and should coordinate with and seek validation of all their security measures by the corporate security service.
IAS conclusion 3: Policy Directorates-General have front-line responsibility for fraud prevention

The Commission has recently adopted a new approach to fraud proofing. OLAF plays a key role in fraud investigations and contributes to developing methods of fighting fraud on the basis of its experience. However, in the Commission, Directors-General - as Authorising Officers by Delegation - have front-line responsibility for the prevention of fraud in their area of responsibility (in which they will be supported by OLAF) and for the follow-up to OLAF investigations (recoveries etc.).

IAS conclusion 4: AAR assurance process steadily being improved

The ultimate aim of both the AAR assurance process and the synthesis report is to support the political responsibility of the Commissioners to manage the Commission. The foundation of the assurances given will be improved by a better definition of the underlying control strategies, backed by indicators for key controls and by better "reconciliation" of the assurances with the results of the ECA's work.

IAS conclusion 5: Some progress in follow-up, but also some areas lagging behind

Follow-up of audit recommendations has improved recently, but still takes too long in some areas. Also some issues raised in previous annual reports still require continued attention, e.g. a human resources strategy that is fully aligned on the strategic planning process and the development of shared services and improvements in IT governance.

[1] Council Regulation (EC, EURATOM) No 1995/2006 of 13 December 2006 amending Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities, OJ L 390, 30.12.2006, p. 1.
[2] See COM(2007)806 of 17 December 2007.
[3] One report per DG. Although these reports were only finalised in January 2008, the majority of the audit work was carried out in 2007 and the IAS considers their results important enough already to be reported in the 2007 Annual Report.
[4] COM(2007)502 of 5 September 2007