Annexes to COM(2006)279 - Annual Report to the Discharge Authority on Internal Audits Carried out in 2005 (Article 86.4 of the Financial Regulation) - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
dossier | COM(2006)279 - Annual Report to the Discharge Authority on Internal Audits Carried out in 2005 (Article 86.4 of the Financial Regulation). |
---|---|
document | COM(2006)279 |
date | June 7, 2006 |
Delays were encountered mainly because of difficulties in the finalisation phase. Consequently, the IAS sees a clear need to reduce the time needed to conclude audits. The IAS itself will even more shorten audit reports and aim at clearer language.
IAS engagements finalised in 2005:
Service | Engagement | Issued |
Cross-cutting, Administrative and other Support Systems |
OIB | Transactions | Feb 2005 |
BUDG | Follow-up | July 2005 |
SG et al. | EU Law Implementation Review | July 2005 |
BUDG/SG | ABM/SPP Cycle Review | Oct 2005 |
DIGIT, ADMIN, BUDG, SG, TREN, COMP, ECFIN | ITC consolidated | Nov 2005 |
DIGIT | Follow-up | Nov 2005 |
Internal Policies |
ESTAT | Follow-up Taskforce | Mar 2005 |
ECFIN | Local IT control (joint IAS/IAC) | Apr 2005 |
TREN | Local IT control | May 2005 |
TREN | Financial Management | July 2005 |
ESTAT | Financial Management / Follow-up | Oct 2005 |
RTD | Financial Management | Oct 2005 |
SANCO | Financial Management | Nov 2005 |
INFSO | Follow-up | Dec 2005 |
MARKT | Financial Management | Dec 2005 |
PRESS | Follow-up | Dec 2005 |
EAC | Follow-up | Dec 2005 |
Structural Measures and Common Agricultural Policy |
AGRI | Follow-up | March 2005 |
FISH | In-depth | June 2005 |
EMPL | Structural Funds (ex-post controls) | Oct 2005 |
FISH | Structural Funds (ex-post controls) | Nov 2005 |
AGRI | Structural Funds (ex-post controls) | Dec 2005 |
External Policies |
ELARG | Follow-up | Jan 2005 |
RELEX | Information & communication | July 2005 |
AIDCO | NGOs | July 2005 |
ECHO | NGOs | Oct 2005 |
Follow-up
The Audit Management Software used by internal auditors in the Commission now includes a follow-up mechanism fed by auditees that allows management, auditors and APC alike to directly monitor the progress in implementation of audit recommendations. The IAS is regularly reviewing timeliness and extent of implementation of recommendations by auditees, in order to be able to appropriately inform the APC and its own risk analysis. In March 2006 the IAS issued its first overview report to the APC on follow-up of IAS recommendations.
While acceptance of recommendations by DGs is very good, the implementation of action plans can show considerable delays, which need particular management attention. More than half of outstanding critical recommendations and about 17% of outstanding very important recommendations are over 12 months beyond the original target date, according to auditee assessments.
This may indicate that there is a general weakness in implementation of action plans[5]. Reasons given by DGs relate to re-organisations, resource problems, difficulties with external service suppliers, lack of mandate and difficulties in co-operating with other DGs. By producing more concise and better focused audit reports, the IAS contributes to facilitating the implementation tasks of auditees.
2.4. Acceptance of Internal Audit Work
In 2005 the rate of acceptance of audit recommendations by auditees was very high with over 97% accepted[6].
recommendations | accepted | rejected | total | % |
critical | 12 | 0 | 12 | 4,2 |
very important | 122 | 2 | 124 | 43,5 |
important | 129 | 4 | 133 | 46,7 |
desirable | 16 | 0 | 16 | 5,6 |
total | 279 | 6 | 285 |
% | 97,9 | 2,1 | 100 |
The IAS regularly asks for the auditee's opinion after finalisation of an audit, including on audit scope and on conduct of the audit. The average result of these surveys reaches 1,82 on a scale from 1 (highest) to 4 (lowest).
A wider consultation in 2005 of stakeholders (DGs, Resource Directors, IACs and APC preparatory group) positively noted a clear audit strategy (79 %), that audits were performed with honesty, objectivity and fairness (93 %) and using appropriate audit techniques (75 %) but also called on the IAS to develop more synergies with IACs, to improve its understanding of auditee activities and communication during the audit and to issue fewer and more focused recommendations; the IAS was not perceived as conveying a clear vision on governance and internal control.
3. FINDINGS
The findings reported below are based on audits carried out by the IAS in 2005, on other internal audit activities undertaken (including IAS reports on IAC work) and on the professional judgement of the auditor. These findings are selective as they reflect the chosen focus for the year, according to the risk based audit plan 2004–2006, and avoiding overlap with the work of the ECA in a "single audit" perspective. Key areas of IAS Commission audits in 2005 were:
- financial management in internal policies;
- management of the structural funds;
- local IT management, building on earlier IT audit work;
- security of information;
- control of funds awarded to non-governmental organisations (NGOs);
- key components of the SPP cycle, to be continued in 2006; and
- Commission monitoring of compliance with EU law, basis for extended audit work 2006.
The overview of findings is organised according to the risk typology adopted by the Commission in October 2005[7]. As there are close inter-relations between risk areas, audit findings frequently touch on more than only one risk type.
3.1. The External Environment
The Commission has a major delegation risk for policies in shared management: the Treaty gives it full responsibility for implementing the budget[8] but more than three quarters of the budget are in fact allocated to final beneficiaries by Member States bodies.
To be able to assume this responsibility, i.e. to be able to give reasonable assurance, the Commission needs to obtain reasonable assurance for the funds in shared management, on the regularity and legality of transactions managed by Member States.
Obtain reasonable assurance
Preparing for the structural funds[9] programming period 2007-2013, it is essential, in the opinion of the IAS, that the services involved intensify their efforts and build on good practices to obtain sufficient evidence underpinning their annual assurance declaration:
- Welcoming the common audit strategy agreed in 2005 by the structural funds DGs as a good starting point, the IAS recommended developing a strategy for gaining more assurance on sound financial management from audit and evaluation work and that audit work should lead to clear and precise opinions to be used to support the DG assurance. Services should strengthen the quality of the underlying audit process and harmonise and better define internal reporting and assurance requirements (audit coverage, error rates, systemic findings).
- Introducing more "single audit" elements, i.e. reliance on the work of other controllers and systematic use of management reporting from Member State bodies, subject to appropriate review, permits more effective use of control resources, reduces the risk of double controls and allows for a more complete overview over the chain of controls. This requires increased efforts to align audit strategies, planning and risk assessment with Member States bodies and setting up a methodology for reviewing their audit work. For the IAS, convincing Member States to conclude "contracts of confidence" would provide additional comfort[10]. The IAS recommends that the Commission communicate more pro-actively with Member States and in particular promote good practices identified at all levels of the control chain.
- Taking up earlier concerns regarding the late availability of audit information for the 2000-2006 period, the IAS recommends a more pro-active and preventive approach for the coming period. Major weaknesses identified in the current period should be addressed when establishing the control systems for the new programmes.
Adequate disclosure of assurance
The Internal Auditor considers that the degree and scope (limitations) of assurance provided should be adequately disclosed by DGs in the annual activity reports (AAR). The AAR should make clear the cumulative amounts covered by the audits and the amounts at risk, together with the criteria used to determine the level of assurance obtained.
3.2. Planning, Processes and Systems
The 2005 IAS work programme had a strong focus on auditing financial management and on security and IT systems. Important further areas were planning and programming and the monitoring of EU law implementation.
The Internal Auditor considers that, despite significant improvements, the Commission remains exposed to risks in these areas, limiting the effectiveness of operations and the assurance available for transactions. The quality and scope of supervision and control activities need to be improved.
Supervision and effectiveness of controls
Assurance building in the area of shared management is complex and audits of financial management show that supervision remains a problem area also within some DGs and across DGs. IAS and IAC audits noted weaknesses in adhering to Internal Control Standards (ICS) and the Financial Regulation. This concerns the design and setup of control systems: insufficient ex-ante evaluations, risk analyses and separation of functions, including of auditors and management. It also concerns the accuracy and completeness of transaction controls, of project and control data, of documentation of procedures. The Internal Auditor considers that providing assurance on the legality and regularity of transactions is exposed to considerable risks in such circumstances. IAS and IACs made detailed recommendations to services in areas such as payment flows, procurement, grant and contract management and recoveries, but also in security and IT issues.
Follow-up audits noted positive developments in areas previously audited, but also point to important delays with the related operational, financial and reputational risks. As to Eurostat, the follow-up audits concluded that, after considerable work, the risk level was now comparable to that of other services. One outstanding point raised in this context concerns bank accounts held in the name of the Commission but not opened by the Accounting Officer, which in the meantime has been addressed by DG Budget.
A specific area audited by the IAS in 2005 was the control of funds granted to NGOs in development and humanitarian aid. The management systems concerned are complex and vary between programmes and managing services. Irregularities involving NGOs led to increased attention and to a number of investigations, including on procurement practices. The IAS noted a number of good practices, such as efforts at more regular and more focused communication with the NGO community and at simplifying application procedures, in particular in the context of calls for proposals. Recommendations made concern the need to build up Commission-wide knowledge on NGOs, including a common NGO typology, exchange of best practices and of risk analyses, and strengthened co-operation with Member States and other donors. Recommendations also cover increased monitoring and ongoing assessment of NGOs, more attention to NGO compliance with procurement rules and strengthening the capacity building of partners to improve the quality of projects. Broad acceptance by auditees resulted in EuropeAid's intention to partly revise the approach in managing the relations with NGOs.
Planning - co-ordination and coherence
The Reform process since 2000 has put emphasis on the responsibility and managerial independence of the Commission DGs; nevertheless, the Commission remains a single body under a single political authority and co-ordination and coherence are key success factors for the Commission as it strives to meet its policy objectives.
Findings of a review of horizontal aspects of the strategic planning and programming cycle (SPP) suggest a need for more comprehensive translation of political priorities and legal commitments into co-ordinated planning and resource allocation processes. Audits of operational processes (such as monitoring law implementation, IT) confirm that there is insufficient co-ordination and strategic planning.
The SG, together with other horizontal services and the networks involved, is already engaged in reviewing the effectiveness of the SPP cycle. The IAS will further perform a series of audits in operational DGs throughout 2006. They also have some bearing on an issue repeatedly addressed in past annual audit reports: the need of better balancing central and local responsibilities and for stronger horizontal functions in the Commission to ensure coherence and adequate oversight (internal control, risk management, accounting, HR, IT).
IT controls and governance
An efficient IT environment is essential for the Commission given its importance in providing policy and operations support; the human, financial and physical resources involved are considerable, as are possible external dependencies. The IAS recommends clarifying further the roles and responsibilities of horizontal and operational services in the IT area, for example for security, business continuity, planning, development and management of IT information systems. It sees a clear need for central reporting on the state of IT controls and risks and for a greater role of horizontal services in strategic orientations and methodological support.
According to the IAS, IT aspects should be fully reflected in the ICS and in risk management (e.g. disaster recovery plans) at DG and at Commission level. Concerning IT infrastructure, while recognizing important recent improvements in IT governance, the IAS recommends exploiting the potential for economies of scale; this may involve further re-defining roles of central and local IT. In order to ensure optimal use of administrative and operational appropriations, the IAS recommends that resource allocation should follow the evolution of IT architecture. This could include billing for central IT services. A working group (BUDG/DIGIT) on the financing of central IT is in preparation.
3.3. People and the Organisation
The IAS sees a need for more and more focused training. Clarification of security rules and practice and greater attention to business continuity arrangements is essential for the Commission to prevent and / or contain possible systems or operations exposures.
Training and awareness
The Commission’s ICS attach particular importance to the control environment. Well developed and monitored, it translates into empowerment and a capacity for pro-activeness, permitting staff to develop flexible solutions and working practices adapted to the political and management environment, while ensuring there is the necessary control.
Audits recommended the need to communicate better and to make necessary information more easily available within DGs, by using databases, regular exchange channels and frequent updates. Training is key for responding effectively to frequent changes and new and often complex rules call for even more training efforts. Audits in almost all areas recommended increased and more focused training, principally in financial procedures, procurement and audit.
Security and business continuity
A number of IAS and IAC audits noted insufficient respect of Commission rules on security of offices, documentation and of IT installations or an inadequate treatment of access to sensitive information and of supervision of access to files. Co-ordination of security aspects can be difficult because of complex procedures, involving a high number of actors and possibly several services.
The IAS recommends improving security assessments and a better link with risk assessments in order to be able to develop coherent security strategies. Attributing clear responsibilities in departments for security aspects, and improving internal expert advice and awareness-raising should simplify and increase the security environment. Questions of business continuity and contingency planning play an important, but still underestimated role, in that context. The IAS notes that the Commission is reinforcing its crisis management and co-ordination capacity (ex. Argus) and the SG's initiative on Business Continuity Planning.
3.4. Legality and Regularity
Compliance with internal and external rules is a key issue to limit the exposure to financial, legal and reputational risks. Instances of non-compliance call for a swift management response, including better training and planning; simplifying the regulatory environment, to the extent possible, reduces the administrative burden and facilitates compliance.
Respect of rules
IAS and IAC audits identified shortcomings in various areas (operations, procurement, security) regarding financial, operational or contractual rules. Reasons may be insufficient internal communication and documentation of procedures, lack of training or lack of resources in certain areas or during certain periods of the programme cycle. Staff may be confronted with too many and too complicated rules.
According to the IAS, the potential impact can be considerable: financial through a possible loss of funds or mis-management; political if the objectives set are not or only insufficiently achieved; legal if challenged in courts; reputational through damage to the Commission's image in the public, especially in the eyes of its partners. Besides increased and improved training, the IAS recommends a review of staff allocation and planning (implying an extended use of risk analysis) and simplification and streamlining of rules and legislation.
Clarity and consistency - simplification
A parallel issue is consistency in applying rules; consistent application of rules both within a DG and across DGs. Although there is a legitimate demand for flexibility, from administrative and beneficiary perspective, this should not put at risk the necessary operational stability and guarantee of equal treatment.
The insufficient documentation of procedures observed in a number of IAS and IAC audits is closely linked to these questions. Better documenting procedures and making documentation more easily available should not be a bureaucratic burden but a useful tool in analysing procedures (and re-designing or re-engineering, where necessary), for managing risks and facilitating mobility.
While audits identify a need in the Commission to better respect and to apply more coherently existing rules, simplification remains an important and parallel challenge. For 2006 the IAS will pay particular attention to simplification, as a specific audit objective in all relevant engagements.
4. CONCLUSIONS
On the basis of its 2005 work, the Internal Auditor draws attention to four overall conclusions. The Commission's reactions to the findings and conclusions of the Internal Auditor are covered in the synthesis report on Director's-General annual activity reports
Conclusion 1
IAS conclusion: Audit work in 2005 shows that the Commission services have made considerable progress in internal control. However, these audits also identified major remaining weaknesses in the design and set up of control systems, and in the effective implementation of standards and controls. Examples include the proper set up of financial circuits, segregation of functions, risk analysis, supervision and the respect of control and documentation requirements in contract and grant management, information security and business continuity and IT management and planning.
Services should continue their efforts to move from formal compliance with procedures to making effective use of new tools and controls, which will lead to reduced (administrative) cost and increased management efficiency.
Commission reply: The Commission will develop indicators for control objectives, covering in particular the way internal control systems tackle the risk associated with the legality and regularity of operations. Reporting on internal control effectiveness will be further strengthened in annual activity reports where necessary. The Commission also invites the European Parliament and the Council to support efforts to adapt the legal framework to ensure effective application of the principles of proportionality and cost-effectiveness of controls.
Conclusion 2
IAS conclusion: Directors-General should ensure that control processes effectively underpin the reasonable assurance given in the AARs. This process and the scope and level of assurance available should be adequately disclosed in the AAR. This could include:
- improving and harmonizing control/audit methodologies for "families" of DGs;
- integrating different levels of assurance (e.g. Member States, Commission) into a coherent framework and have integrated reporting with clear indicators for the level of assurance.
Commission reply: The Commission will ensure that its delegated authorising officers will continue their efforts to guarantee that reasonable assurance in the declarations accompanying the annual reports is effectively underpinned by appropriate internal control systems. Regarding shared management, the Commission will continue to work towards reinforcing assurance from the national authorities managing EU funds. The Commission is committed to establishing an integrated internal control framework.
Conclusion 3
IAS conclusion: Under the leadership of the Secretary General, Directors-General should explore the potential for using "shared services" with the objective to increase management efficiency and effectiveness as well as using resources more economically. This could include:
- reviewing the distribution of certain tasks and use of resources at horizontal and operational level;
- testing, and if successful, introducing Commission wide instruments such as service level agreements and / or funding arrangements between operational and horizontal services.
Potential examples include: IT, communication and financial / HR management for small services.
Commission reply: The Commission recognises the potential added value of inter-service arrangements for small departments, provided such arrangements are based on a cost-benefit analysis and made in accordance with the applicable rules, while preserving the responsibility of each delegated authorising officer.
Conclusion 4
IAS conclusion: Commission services should develop an effective "culture of follow-up". Follow-up actions to control and audit reports should be fully integrated into normal management planning and practice, and timely implementation should be monitored regularly at senior management level.
Regular and full attention to management and control weaknesses brings about a learning organisation that can over time considerably reduce burdensome and potentially disruptive control activities.
Commission reply: The Commission will ensure that its Directorates-General draw up precise action plans, taking into account priorities assigned and resource constraints, and on this basis follow up audit recommendations in good time.
[1] Performance Standard 2060 of the Institute of Internal Auditors (www.theIIA.org).
[2] Article 185(3) FR.
[3] Comprehensive IAS audit work on ABAC is planned for 2006.
[4] SEC(2005) 1327.
[5] Internal Control Standard 21, follow-up of audit recommendations.
[6] Commission audits only, listed above.
[7] SEC(2005) 1327.
[8] Article 274 EC Treaty.
[9] As from 1 January 2007, the EAGGF-Guidance will be replaced by the European Fund for Rural Development (EFRD). The rules regarding the financial management and the controls of this fund will be aligned as far as possible with the rules governing the EAGGF-Guarantee (Council Regulations (EC) No 1290/2005 and (EC) No 1698/2005).
[10] In line with the Roadmap Action Plan - COM(2006) 9.