Explanatory Memorandum to SEC(2011)1189 - Implementation of recommendations and audit executive summaries - accompanying document to the Report from the Commission to the European Parliament and the Council - Annual report to the Discharge Authority on internal audits carried out in 2010 (Article 86(4) of the Financial Regulation)

52011SC1189

COMMISSION STAFF WORKING PAPER Implementation of recommendations and audit executive summaries /* SEC/2011/1189 final */


Accompanying the document

REPORT FROM THE COMMISSION TO THE COUNCIL AND THE EUROPEAN PARLIAMENT

Annual Report to the Discharge Authority on Internal Audits Carried out in 2010 (Article 86 (4) of the Financial Regulation)

TABLE OF CONTENTS

1. Level of implementation of recommendations

2. Executive summaries

2.1. Governance

2.1.1. Fraud

2.1.1.1. OLAF Fraud Prevention and Detection

2.1.1.2. Former JLS (split into DG HOME and DG JUST) Fraud Prevention and Detection

2.1.1.3. REGIO: Follow-up on Fraud Prevention and Detection in Structural Funds

2.1.1.4. ENV: LIFE + Grant Management

2.1.1.5. EAHC: Operational budget

2.1.2. Split of the DGs

2.1.2.1. Management letter on Re-organisation of former DG TREN, DG ENV and DG JLS and creation of Shared Services

2.1.3. Executive Agencies

2.1.3.1. SG, BUDG, HR, DIGIT, EACI, TEN-T EA, REA, EACEA, EACI, EAHC: Overview Report on Executive Agencies of the Commission

2.1.3.2. REA: Set up of Internal Controls and Financial Management Systems - Design

2.1.3.3. ERCEA: Set up of Internal Controls and Financial Management Systems - Design

2.1.3.4. TREN/EACI/TEN-T EA: Local IT Systems supporting Financial Management

2.1.3.5. TEN-T EA: Follow-up on Administrative Budget

2.1.3.6. EACEA: Follow-up on Ex-post control activities and implementation of Financial Circuits

2.2. IT Issues

2.2.1. Management letters

2.2.1.1. SG, DIGIT: Management Letter on Setup of IT Projects in the Commission

2.2.1.2. SG, BUDG, HR.DS: Consulting engagement on 3602 (Carry-over) – Management Letter on the Commission's IT security policy

2.2.2. Local IT in DG EAC

2.2.2.1. EAC: Management of Local IT

2.2.3. Business Continuity in DG DIGIT

2.2.3.1. DIGIT: Business Continuity Management

2.2.4. Other audits

2.2.4.1. PMO, DIGIT: HR IT Corporate Application – NAP

2.3. Control strategies

2.3.1. Structural funds – DG REGIO and DG EMPL

2.3.1.1. REGIO: Control Strategy - Audit and Financial Correction Processes

2.3.1.2. EMPL: Control Strategy - Audit and Financial Correction Processes

2.3.2. Audit strategy – DG EAC

2.3.2.1. EAC: Supervision and monitoring of National Agencies - Lifelong Learning Programme

2.3.3. Development aid – DG AIDCO and DG ELARG

2.3.3.1. AIDCO: Management of Thematic Budget lines

2.3.3.2. AIDCO: Financial management of Programme Estimates funded by the EDF and EU Budget

2.3.3.3. ELARG: Public procurement under IPA

2.3.3.4. ELARG: Financial management of IPA grants

2.3.3.5. Joint Sickness Insurance Scheme (JSIS) as managed by the PMO

2.4. Compliance with payment deadlines

2.4.1. BUDG: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)

2.4.2. ENER: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)

2.4.3. MOVE: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)

2.4.4. AIDCO: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)

2.4.5. ECHO: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)

2.5. Other audits

2.5.1. Legal Service: Handling of sensitive information

2.5.2. Publications Office: Official Journal Production Process as managed by the Publication Office (OP)

2.5.3. Publications Office, Secretariat General: Management letter to SG - Transmission to PO of sensitive information for publication

2.5.4. AGRI: Interventions in Agricultural Markets (focused on Milk and Milk products)

2.5.5. OIB: Activities of OIB.OS3 Social Infrastructure ISPRA

2.5.6. PMO: Activities of PMO/6 ISPRA

2.5.7. JRC: Management letter on JRC Grant holders

3. Follow-up audits (if not in the above categories)

3.1. PMO: Follow-up on Controls over Payment of Pensions

3.2. BUDG: Second Follow-up on ABAC – Implementation of accrual based accounting

3.3. COMP: Follow-up on Recoveries of fines

3.4. ELARG: Follow-up on Readiness Assessment/Phasing in of Delegations in Balkans

3.5. OIL: Follow-up on the Management of the Procurement Contracts

3.6. PMO: Second Follow-up on Regularity of financial management and Implementation of financial circuits

3.7. JLS: Follow-up on Grants under Shared management of the European Refugee Fund

3.8. HR: Second follow-up on Review of DG ADMIN Human Resource Management Phase 1

3.9. OP: Follow-up on Procurement in the Publication Office

3.10. AIDCO: Follow-up on ex post control activities

3.11. HR: Follow-up on Review of DG ADMIN Human Resource Management - Phase II

3.12. HR: Second Follow-up on Validation of Self-assessment of IAC of DG ADMIN

3.13. OIB: Second Follow-up audit on Evaluation of targeted Internal Control Standards

3.14. REGIO: Follow-up audit on internal control system for managing the new Structural Funds programming period – Phase I

3.15. EMPL: Follow-up audit on internal control system for managing the new Structural Funds programming period – Phase I

3.16. ESTAT: Follow-up audit on IAS and IAC Joint Audit on ESTAT Grant Awarding process 2008-2009

3.17. TRADE: Second Follow-up audit on selected ICS

3.18. JLS: Follow-up audit on IT Procurement

3.19. ENTR: Follow-up audit on Monitoring the implementation of EU law

3.20. SG: Follow-up audit on SG consolidated report - Monitoring the implementation of EU law

3.21. ENV: Follow-up audit on Monitoring the implementation of EU law

3.22. SANCO: Follow-up audit on Grant Management in the Food safety, Animal Health and welfare and Plant Health Activity

3.23. AIDCO: Follow-up on Eligibility of Costs under the Financial and Administrative Framework Agreement with the United Nations

3.24. AIDCO: Second Follow-up audit on NGOs Funding

3.25. DIGIT: Follow-ups on the IT Governance of the Commission and on Management Processes of Local IT

3.26. SANCO: Follow-up audit on Large-scale Information Systems

3.27. OIL: Follow-up audit on Internal Control Standards

3.28. REGIO: Follow-up audit of the Review of financial corrections and recoveries in the Structural Funds area

3.29. REGIO: Follow-up audit on the Implementation of Programmes in the New Member States

3.30. OP: Final Follow-up audit on In-depth Audit of OPOCE

3.31. ESTAT: Second Follow-up audit of IT Risk Analysis audit

3.32. COMM: Follow-up audits on Audit on Contract management in the area of communication and Audit on Building Management

3.32.1. Audit on Contract management in the area of communication

3.32.2. Audit on Building Management

3.33. ENV: Second Follow-up audit on Grant Management of non-LIFE programmes

3.34. AGRI: Follow-up audit on Interventions in Agricultural Markets

3.35. PMO: Follow up audit on Missions as managed by PMO

3.36. EMPL: Follow up audit of the Review of financial corrections and recoveries in the Structural Funds area

3.37. INFSO: Follow up audit on AAR Assurance Process

3.38. RTD: Follow up audit on AAR Assurance Process

3.39. EMPL: Follow up audit on AAR Assurance Process

3.40. REGIO: Follow up audit on AAR Assurance Process

3.41. JLS: Follow up audit on AAR Assurance Process

3.42. AIDCO: Follow up audit on AAR Assurance Process

3.43. COMP: Second Follow-Up of the Audit on local IT

3.44. RTD: Further Follow up audit on Ex-Post Controls


1. Level of implementation of recommendations [1]

Table 1 sums up the level of implementation of accepted recommendations, based on the auditees’ assessment, for IAS recommendations made during the period 2006-2010.

The recommendations not yet implemented are broken down by period overdue on the right-hand side of the table.

Table 1: Level of implementation of recommendations based on auditees’ assessment

Year| Priority| Total| Implemented| In progress (by number of months overdue)|

|||| No| %| No| %| No delay| 0-| 3-| 6-| 9-| 12+

Critical||||||||

Very important|||||||| 4

Important|||||||| 2

Desirable||||||||

|| 98%| 2%|||||| 6

Critical||||||||

Very important|||||||| 8

Important|||||||| 12

Desirable|||||||| 1

|| 72%| 28%|||||| 21

Critical||||||||

Very important|||| 8

Important|||| 13

Desirable|||||||| 2

|| 88%| 12%| 23

Critical||||||||

Very important|||| 1

Important||| 1

Desirable||||||||

|| 73%| 27%| 2

Critical||||||||

Very important||||||

Important|||||

Desirable|||||||

|| 33%| 67%|||

|||||||||||||

TOTAL 2006-| 1 1 86%| 14%| 53

Overall, 1 209 or 86 % of the total number of recommendations made over the period 2006-2010 are considered by the auditee as implemented to date.

97[2] very important recommendations are outstanding, of which 26 are more than 6 months overdue.

2. Executive summaries


This part contains the original executive summaries (reflecting the state of play at the time when the audits were finalised) of audit engagements finalised by the IAS in 2010[3]. Each summary underwent the applicable standard professional validation and contradictory procedures between auditor and auditee at the time of finalisation. It also contains statistical information for the acceptance and implementation status.

Service| Engagement| Finalisation date

|| GOVERNANCE Fraud|

OLAF| Fraud Prevention and Detection| 27 January 2011

JLS| Fraud Prevention and Detection in (former) DG JLS| 22 November

REGIO| Follow-up on Fraud Prevention and Detection in Structural Funds| 26 April

ENV| LIFE + Grant Management| 26 May

EAHC| Operational budget| 28 January

|| Split of DGs|

TREN, ENV, JLS| Management letter on Re-organisation of former DG TREN, DG ENV and DG JLS and creation of Shared Services| 18 March 2011

|| Executive Agencies|

SG, BUDG, HR, DIGIT, EACI, TEN-T EA, REA, EACEA, EACI, EAHC| Overview Review Report on Executive Agencies of the Commission| 06 September

REA| Set up of Internal Controls and Financial Management Systems- Design| 27 July

ERCEA| Set up of Internal Controls and Financial Management System- Design| 15 July

TREN/ EACI/ TEN-T EA| Local IT Systems supporting Financial Management| 26 January

TEN-T EA| Follow-up on Administrative Budget| 11 February

EACEA| Follow-up on Ex-post control activities and implementation of Financial Circuits| 17 March

|| IT ISSUES Management letters|

SG, DIGIT| Management Letter on Setup of IT Projects in the Commission| 1 February 2011

SG, BUDG, DIGIT, HR.DS| Management Letter on the Commission's IT security policy| 24 February

|| Local IT in DG EAC|

EAC| Management of Local IT| 28 April

|| Business Continuity in DG DIGIT|

DIGIT| Business Continuity Management| 22 October

|| Other audits|

PMO, DIGIT| HR IT Corporate Application - NAP| 27 October

|| CONTROL STRATEGIES Structural funds – DG REGIO and DG EMPL|

REGIO| Control Strategy - Audit and Financial Correction Processes| 1 February 2011

EMPL| Control Strategy - Audit and Financial Correction Processes| 1 February 2011

|| Audit strategy – DG EAC|

EAC| Supervision and monitoring of National Agencies - Lifelong Learning Programme| 12 November

|| Development aid – DG AIDCO and DG ELARG|

AIDCO| Management of Thematic Budget lines| 13 July

AIDCO| Financial management of Programme Estimates funded by the EDF and EU Budget| 25 January 2011

ELARG| Public procurement under IPA| 25 June

ELARG| Financial management of IPA grants| 20 December

|| Joint Sickness Insurance Scheme (JSIS) - PMO|

PMO| Joint Sickness Insurance Scheme as managed by PMO| 16 December

|| COMPLIANCE WITH PAYMENT DEADLINES|

BUDG| Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)| 08 December

ENER| Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)| 08 December

MOVE| Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)| 08 December

AIDCO| Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)| 08 December

ECHO| Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)| 08 December

|| OTHER AUDITS|

LS| Handling of sensitive information and conflicts of interest| 08 December

OP| The Official Journal Production Process as managed by the Publication Office (OP)| 29 November

OP, SG| Management letter to SG - Transmission to OP of sensitive information for publication| 08 December

AGRI| Interventions in Agricultural Markets (focused on Milk and Milk products)| 19 July

OIB| Activities of OIB.OS3 Social Infrastructure ISPRA| 16 July

PMO| Activities of PMO/6 ISPRA| 04 June

JRC| Management letter on JRC Grant holders| 24 November

|| FOLLOW-UP AUDITS (if not in the above categories)|

PMO| Follow-up on Controls over Payment of Pensions| 25 January 2011

BUDG| Second Follow-up on ABAC – Implementation of accrual based accounting| 24 January 2011

COMP| Follow-up on Recoveries of fines| 21 January 2011

ELARG| Follow-up on Readiness Assessment/ Phasing-in of Delegations in Balkans| 17 January 2011

OIL| Follow-up on the Management of the Procurement Contracts| 20 January 2011

PMO| Second Follow-up on Regularity of Financial Management and Implementation of Financial Circuits| 18 January 2011

JLS| Follow-up on Grants under Shared Management of the European Refugee Fund| 11 January 2011

HR| Second Follow-up on Review of DG ADMIN Human Resource Management Phase 1| 21 December

OP| Follow-up on Procurement in the Publication Office| 22 December

AIDCO| Follow-up on Ex-Post Control activities in DG AIDCO| 22 December

HR| Follow-up on Limited Review DG ADMIN Human Resource Management - Phase II| 22 December

HR| Follow-up on IAS Validation of Self-Assessment of IAC of DG ADMIN| 21 December

OIB| Follow-up on Evaluation of Targeted Internal Control Standards| 21 December

REGIO| Follow-up on the Internal Control System for managing the new Structural Funds programming period – Phase I| 17 December

EMPL| Follow-up on the Internal Control System for managing the new Structural Funds programming period – Phase I| 17 December

ESTAT| Follow-up on IAS and IAC Joint Audit on Grant Awarding Process 2008-2009| 17 December

TRADE| Follow-up on Implementation of selected Internal Control Standards| 07 December

JLS| IT Procurement| 10 November

ENTR| Follow-up on Monitoring the Implementation of EU Law| 14 December

SG| Follow-up on SG consolidated Report - Monitoring the Implementation of EU Law| 06 September

ENV| Follow-up on Monitoring the Implementation of EU Law| 25 June

SANCO| Follow-up on Grant Management in the Food Safety, Animal Health and Welfare and Plant Health Activity| 11 June

AIDCO| Follow-up on Eligibility of Costs under the Financial and Administrative Framework Agreement with the United Nations| 31 May

AIDCO| Second Follow-up on NGOs Funding| 28 May

DIGIT| Follow-up on IT Governance at the European Commission| 26 May

DIGIT| Follow-up on Management Processes of Local IT| 26 May

SANCO| Follow-up on Large-scale Information Systems| 10 May

OIL| Follow-up on Internal Control Standards| 30 April

REGIO| Follow-up on the Review of financial corrections and recoveries in the Structural Funds area| 15 April

REGIO| Follow-up on Implementation of Programmes in the New Member States| 16 April

OP| Follow-up on In-depth Audit of OPOCE| 07 November

ESTAT| Second Follow-up on IT Risk Analysis| 26 March

COMM| Follow-up on Building management| 08 April

COMM| Follow-up on Contract management in the area of Communication| 08 April

ENV| Follow-up on Grant Management of Non-LIFE Programmes| 03 March

AGRI| Follow-up on Interventions in Agricultural Markets| 26 February

PMO| Follow-up on Audit on missions| 16 February

EMPL| Follow-up on the Review of financial corrections and recoveries in the Structural Funds area| 25 February

INFSO| Follow-up on AAR Process - Operational DGs - INFSO| 17 February

RTD| Follow-up on AAR Process - Operational DGs - RTD| 17 February

EMPL| Follow-up on AAR Process - Operational DGs - EMPL| 18 February

REGIO| Follow-up on AAR Process - Operational DGs - REGIO| 01 March

JLS| Follow-up on AAR Process - Operational DGs - JLS| 10 March

AIDCO| Follow-up on AAR Process - Operational DGs - AIDCO| 05 March

COMP| Second Follow-up on Local IT| 04 February

RTD| Follow-up on 2006 Audit of Ex-Post Controls| 25 January

2.1. Governance

2.1.1. Fraud

2.1.1.1. OLAF Fraud Prevention and Detection


· Objectives and Scope

As a result of the joint IAS-IAC audit risk assessment, the coordinated 2010-2012 Strategic Audit Plan, which was endorsed by the Audit Progress Committee on 28 April 2010, includes several audit engagements on Fraud Prevention and Detection. The IAS 2010 audit work programme notably includes an audit of the specific DG aspects in the former DG JLS (final report issued on 23 November 2010) and the current audit of OLAF and horizontal aspects of fraud prevention and detection. Similar audits are also planned to be conducted in 2011.

The objective of this audit engagement was to assess the adequacy and effective application of the governance, risk management and internal control processes for fraud prevention and detection by OLAF.

The scope of the current report comprises Commission-wide aspects of the control environment, risk assessment, control activities, information and communication and the monitoring process designed and set up for fraud prevention and detection purposes. The fieldwork was finalised on 30 September 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes (Partially)| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0

2.1.1.2. Former JLS (split into DG HOME and DG JUST) Fraud Prevention and Detection


· Objectives and Scope

As a result of the joint IAS-IAC audit risk assessment, the coordinated 2010-2012 Strategic Audit Plan, which was endorsed by the Audit Progress Committee on 28 April 2010, included several audit engagements on Fraud Prevention and Detection. The IAS 2010 audit work programme notably included an audit of the specific DG aspects in the former DG JLS and an audit of OLAF, which addresses horizontal aspects of fraud prevention and detection.

The objective of this audit engagement was to assess the adequacy and effective application of the governance, risk management and internal control processes for fraud prevention and detection in (former) DG JLS.

The scope of the current report comprises former DG JLS's specific aspects of the control environment, risk assessment, control activities, information and communication process and the monitoring process designed and set up for fraud prevention and detection purposes.

DG JLS's 2009 Annual Activity Report mentions that all Member States have submitted their 2009 annual summaries and information on the financial execution of SOLID funds. The analysis of these annual summaries shows that, although several weaknesses were reported in the annual summaries, none of them is considered critical for the overall functioning of the funds, including their control systems. No fraud or suspicion of fraud was reported.

The fieldwork was finalised on 9 September 2010. All observations and recommendations relate to the situation as of that date.

Further to the split of former DG JLS and the creation of DGs JUSTICE and HOME, the recommendations made in this report indicate whether they are addressed to both DGs or to one of them.

The Executive Summary provides a synthesis of information on the audit, including critical and very important findings, risks and recommendations as well as the audit opinion. Its emphasis is on providing a quick understanding of the audit and its main results. The body of the report contains the detailed validated audit information and as such is the authoritative text.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0

2.1.1.3. REGIO: Follow-up on Fraud Prevention and Detection in Structural Funds


· Objectives and Scope

The objective of the follow-up engagement was to assess progress made in implementing the accepted recommendations that resulted from the audit 'Prevention and detection of fraud in the Structural Funds' carried out in DG REGIO in 2007 (final report dated 19 December 2007).

This follow-up audit does not result in an assessment of the adequacy of controls as a whole, but focuses on the specific recommendations in the original audit.

· Audit Methodology

This follow-up engagement was carried out in accordance with the annual work plan of the Internal Audit Service (IAS) for 2010 and IAS methodological guidelines.

In assessing the status of the original audit recommendations, this follow-up audit focused on all recommendations that were included in the audit report, four 'very important' and one 'important' (no 'critical' issues were raised in the original audit). The actions taken by DG REGIO to implement these recommendations have been assessed through the examination of the documentary evidence obtained during the follow-up audit and through discussions with key staff.

When making our assessment on the implementation of recommendations, we took into consideration their implementation status as reported by the auditee through AMS-Issue Track.

This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing.

2.1.1.4. ENV: LIFE + Grant Management

· Objectives and Scope

The objective of the audit is to assess the adequacy and effective application of the internal control system (ICS), risk management and governance processes related to the Grant management of the LIFE+ programme, managed under direct management by DG ENV from October 2007. During the audit, two successive reorganisations of DG ENV (October 2009 and February 2010) took place. These have been taken into account in our assessment. In particular, the audit aimed to assess:

· compliance with the relevant legal base, rules and procedures;

· effectiveness and efficiency of the processes regarding grants under direct management;

· reliability of financial information.

The scope of this audit engagement focused on grant management under the LIFE+ programme, since grant funding represents more than 86% of the programme's annual appropriations. Only sub-processes that have already been implemented were considered: publication of calls; reception of proposals; evaluation; selection and awarding phases; payments of pre-financing. Procurement has been excluded from the scope of the audit since it represents no more than 13% of the LIFE+ programme.

In the 2008 Annual Activity Report (the latest available at the end of the fieldwork), there are no observations/reservations that relate to the areas/processes audited. DG ENV has issued a reservation in the 2009 Annual Activity Report regarding the eligibility of expenditure declared by beneficiaries of grants. Although the reservation concerns all programmes managed by DG ENV under direct management, there were as yet too few final payments for the LIFE+ programme (and only for the NGOs funding) to conclude whether the reservation specifically applies to LIFE+.

The fieldwork was finalised on 28 February 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0

2.1.1.5. EAHC: Operational budget


· Objectives and Scope

The objective of this audit was to assess the adequacy and effective application of the internal control system (ICS), risk management and governance processes related to grants managed by the EAHC. In particular, the audit assessed whether the ICS provided reasonable assurance regarding compliance with the relevant legislation, effectiveness and efficiency of the processes and the reliability of financial information.

The scope of this audit focused on the following sub-processes managed by the EAHC: establishment of the Agency's work programme, call for proposals, evaluation of proposals, awarding decision, payments, recovery, outstanding commitments (RAL) and de-commitments, ex-post publicity and ex-post controls (external audit). DG SANCO was only audited to the extent that it is involved in these sub-processes (e.g. clear assignment of responsibilities, communication, reporting).

There were no observations/reservations made in the 2008 AAR of DG SANCO and the EAHC concerning the processes under the scope of this audit.

During the audit, no scope limitations were identified.

The fieldwork was finalised on 4 December 2009. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0

2.1.2. Split of the DGs

2.1.2.1. Management letter on Re-organisation of former DG TREN, DG ENV and DG JLS and creation of Shared Services


· Objectives and scope

The aim of this management letter is to report on the lessons learnt from the re-organisation of three major Directorates-General of the Commission (namely former DGs TREN, ENV and JLS) and from the creation of Shared Resource Directorates (SRDs) and Shared Internal Audit Capabilities (SIACs).

The IAS invites the central and operational Directorates-General concerned to take stock of both existing challenges and best practices concerning areas such as the budgetary procedure, the appraisal and promotion exercise, the Annual Activity Report (AAR) and the Management Plan (MP) exercises. In that perspective, issues for consideration have been identified.

This engagement was performed in accordance with the IAS Guidelines and the Mutual Expectations Paper, which describes the responsibilities of the IAS and the contact persons. It was also conducted in conformity with the International Standards for the Professional Practice of Internal Auditing.

As originally planned, the IAS organised a desk review and a number of interviews with the relevant key staff of DG ENV, DG CLIMA, DG ENER, DG MOVE and their Shared Services. Because DG JLS's reorganisation was decided later than those of DG TREN and DG ENV, the IAS confirmed the findings in the latter Directorates General with a limited number of staff in DGs HOME and JUST.


2.1.3. Executive Agencies

2.1.3.1. SG, BUDG, HR, DIGIT, EACI, TEN-T EA, REA, EACEA, EACI, EAHC: Overview Report on Executive Agencies of the Commission


· Objectives and Scope

The objective of this overview report is to report on the systemic issues identified in the various audit engagements performed between 2006 and 2009 by the Internal Audit Service (IAS) in the Executive Agencies (EAs) of the European Commission.

The objective of the underlying audit engagements in the EAs was to assess the adequacy and effective application of their internal control system (ICS), risk management and governance processes for the management of both the administrative budget and the operational budget. In particular, the audits assessed whether the ICS provided reasonable assurance regarding compliance with the applicable legislation, the effectiveness and efficiency of the processes and the reliability of financial and non-financial information.

Regarding the audit engagements on the administrative budget, the focus was on:

1) The overall organisation of the Agency (including governance issues).

2) The accounting system, including the regularity of financial management and the implementation of financial circuits, the accounting organisation, the accounting for fixed assets, salaries, and purchases, and the year-end closing procedures.

3) The treasury cycle including the management of bank accounts.

4) The external relations of the Agency with other Commission services (i.e. the service level agreements and memoranda of understanding with the parent DG(s)).

The operational budget in the EAs is mostly spent via grants. Therefore, for these audits, the scope focused on the following sub-processes managed by the EA:

1) The establishment of the Agency's work programme.

2) The calls for proposals, the evaluation of proposals and the awarding decision.

3) Payments, recovery, outstanding commitments (RAL) and de-commitments.

4) Ex-post publicity and ex-post controls (external audit).

The parent DGs were only audited to the extent that they were involved in these sub-processes (e.g. clear assignment of responsibilities, communication, reporting).

No scope limitations were identified during the audits of the underlying engagements.

The fieldwork for the overview report was finalised on 10 June 2010. This overview report does not contain any new findings or recommendations but only those of a systemic nature that arose from the underlying audit reports mentioned.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0


2.1.3.2. REA: Set up of Internal Controls and Financial Management Systems-Design


· Objectives and Scope

The objective of this audit, conducted from March 2010 to July 2010, was to assess the design and set up of the Research Executive Agency's (REA/the Agency) internal control systems which underpin the financial grant management process under the Seventh Framework Programme (FP7). In view of its recent operational autonomy (June 2009), this audit also covered the assessment of the Agency's general internal framework, including the IT internal control environment.

For this first 'design' phase, the audit covered REA's implementation of the Internal Control Standards and organisational arrangements with other Commission services and its parent DGs. It also covered the control strategy put in place for the Agency's grant management process, in particular the award process (evaluation and ranking of proposals), the grant agreements (from the negotiation up to the signature of the grants), the implementation of grant agreements and related audit activities.

At a later stage (2011), the IAS plans to examine the effectiveness of REA's internal controls in practice, i.e. to determine whether these have been adequately implemented and are working as intended.

There are no observations/reservations in the first REA AAR for 2009 that relate to the area/process audited. The fieldwork was finalised on 14 May 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0


2.1.3.3. ERCEA: Set up of Internal Controls and Financial Management Systems - Design


· Objectives and Scope

The objective of this audit was to assess the set up and design of the European Research Council Executive Agency's (ERCEA) internal control systems which underpin the financial grant management process of the IDEAS Programme under FP7. In addition and in view of the fact that ERCEA has only been operating autonomously since July 2009, the audit also reviewed its general internal control framework. At a later date, currently foreseen for 2011, the IAS plans to examine the effectiveness of these internal controls in practice, i.e. to determine whether these controls have actually been implemented and are working as intended.

For this first 'design' phase, the audit covered ERCEA's implementation of the Internal Control Standards and organisational arrangements with other Commission services, the parent DG and more specifically the role it plays in supporting the work of the Scientific Council (SC), which is the arm of the European Research Council ultimately responsible for approving research proposals and determining overall strategy. It also covered the control strategy in place for the Agency's grant management process, including ex-post activities. In this regard, it should be noted that the IAS considered it too early to undertake any meaningful coverage of the evaluation and monitoring process for assessing the results of the specific program IDEAS. In addition, although the audit did not include a detailed examination of IT systems (as the Agency has its own qualified IT internal auditor), it did cover high level IT organisation and governance issues.

There are no observations/reservations in the AAR that relate to the area/process audited, due to the early stage of FP7 implementation. The fieldwork was finalised on 4 May 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0


2.1.3.4. TREN/EACI/TEN-T EA: Local IT Systems supporting Financial Management


· Objectives and Scope

The Directorate-General for Energy and Transport (DG TREN) is responsible for developing and implementing European policies in the energy and transport field for the benefit of all sectors of the society, businesses, cities, rural areas and above all of citizens. DG TREN carries out these tasks using legislative proposals and programme management, including the financing of projects.

In order to fulfil this mission, the DG manages a large quantity of contracts in very different areas, such as grants, research and procurement contracts. The business processes related to the management of these contracts are currently supported by two IT applications, called PMS (Project Management System) and ePMS. The latter is the evolution of the PMS system which will be phased out in parallel with the closing of the fifth Research Framework Programme (FP5) contracts.

The Trans-European Transport Network Executive Agency (TEN-T EA) assures the technical and financial implementation and management of the Trans-European Transport Network (TEN-T) programme, which supports key transport infrastructure projects. Its parent DG, DG TREN, remains responsible for the overall policy, programming and evaluation of the TEN-T programme.

The TENtec System has been designed for the management of the TEN-T Programmes from the call for proposal until the grant agreements. The TENtec system is under the full supervision and responsibility of Directorate B of DG TREN. In the future, TENtec shall also provide an external portal to implement the Open Method of Coordination between the Commission, the Member States, and later on, also with other Institutions (e.g. the European Investment Bank, see in this respect the TEN Loan Guarantee Instrument).

The Executive Agency for Competitiveness and Innovation (EACI) assures the technical and financial implementation and management of Community actions in the fields of energy, transport, entrepreneurship and innovation. The overall policy, programming and evaluation remains in its parent DGs, i.e.

· DG TREN for the Intelligent Energy Europe and Marco Polo programmes.

· DG ENTR for Enterprise Europe Network, Eco-innovation (in conjunction with DG ENV) and Intellectual Property Rights Awareness and Enforcement programmes.

The EACI uses EPSS/RIVET and NEF IT systems developed by DG RTD but also PMS and ePMS for the management of the contracts related to its missions.

The objective of the audit is to assess the adequacy and effective application of the internal control systems (ICS), IT governance and risk management related to the Local IT Systems Supporting Financial Management in DG TREN, EACI and TEN-T EA.

The scope of this audit was limited to the TENtec and PMS/ePMS systems and related IT processes and procedures. IT processes and procedures not directly linked to these systems have not been assessed. However, some local IT infrastructure storing end-user computing files that have a material impact on financial processes have been evaluated.

The nature and extent of the current audit did not enable the inclusion of EPSS/RIVET and NEF in the audit scope. As these systems are managed by DG RTD, they could be reviewed in future IAS audits.

During the audit, no scope limitations were identified.

There are no observations/reservations in the Annual Activity Report 2008 that relate to the area/process audited.

The fieldwork was finalised on 1st December 2009. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0


2.1.3.5. TEN-T EA: Follow-up on Administrative Budget


Based on the results of our follow-up audit, we assess that all the recommendations addressed to the TEN-T EA that resulted from the Audit of the Administrative Budget of the Trans-European Transport Network Executive Agency have been adequately and effectively implemented.


2.1.3.6. EACEA: Follow-up on Ex-post control activities and implementation of Financial Circuits


Based on the results of our follow-up audit, it is assessed that all the recommendations addressed to EACEA that resulted from the audit 'Ex-post control activities and implementation of Financial Circuits' have been adequately and effectively implemented, except for two recommendations.


2.2. IT Issues

2.2.1. Management letters

2.2.1.1. SG, DIGIT: Management Letter on Setup of IT Projects in the Commission


· Objectives

The review of the Management of the Setup of IT Projects in the Commission was included in the IAS 2010 Audit Work Programme following the audit risk assessment carried out in 2009 as part of the IAS's coordinated Strategic Audit Plan for 2010-2012.

The objective of the review was to assess the adequacy and effective application of the internal control systems (ICS) and IT governance related to the Management of the Setup of IT Projects in the Commission. It aimed at identifying the root causes of the problems most often encountered and at proposing issues for consideration at Commission level. Previous IAS audits in this area have concluded that the set-up phase is crucial for the successful outcome of IT projects.

This Management Letter complements previous audits on IT corporate governance carried out by the IAS. The recommendations contained in these reports have been taken into account in the report of the IT Task Force issued on 30 June 2010 and the subsequent Communication 'Getting the best from IT in the Commission' (SEC(2010)1182). This review focuses on operational aspects of IT project management and could provide a source of inspiration for the actions initiated by the new governance bodies set up. The IAS analysed and evaluated the design and effectiveness of controls put in place by the management of the selected DGs to mitigate the major risks associated with the setup phase.

· Scope

The scope of this Management Letter was limited to the Project Initiating and the Project Management Planning phase of the PM methodology. IT processes and procedures not directly linked to these phases have not been assessed. The IAS sampled 12 IT projects recently implemented in various DGs. The issues for consideration also take into account recent audit reports and management letters issued by the Internal Audit Service in this area.

This engagement was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing.

The fieldwork took place between February and August 2010. The main issues identified were subsequently discussed in a management workshop held on 18 October, to which IT and business project managers responsible for the implementation of the 12 IT projects sampled were invited. All lessons learnt and issues for consideration relate to the situation as of that date. As mentioned below, important changes have taken place during the completion of this engagement in the area of IT governance, in particular after the communication on 'Getting the best from IT in the Commission' (SEC(2010)1182).


2.2.1.2. SG, BUDG, DIGIT, HR.DS: Management Letter on the Commission's IT security policy


· Objectives and scope

The objective of this Management Letter is to summarise the main issues related to the implementation of IT security governance in the Commission and other related policies as identified in the IT audit engagements performed by the IAS in several DGs over the last four years. The aim is to contribute to the improvement of the information security framework in terms of its adequacy and effectiveness in supporting the goals of the organisation.


2.2.2. Local IT in DG EAC

2.2.2.1. EAC: Management of Local IT


· Objectives and Scope

The objective of the engagement was to analyse and evaluate the internal control system put in place by DG EAC to ensure an adequate and effective management of its local IT.

The scope of the audit included the following processes:

· Plan & Organise: IT architecture definition, organisation definition, risk management and IT project management activities.

· Acquire & Implement: application software development, change and release management.

· Deliver & Support: logical and physical security, incident management, problem management, operations management and data management.

· Monitor & Evaluate: quality, performance management, monitoring of internal control, regulatory compliance and governance.

The audit focused in particular on the activities performed by unit EAC.R.5 (Informatics Resources). Other services (EAC.R.6 - Document Management and Local Security) and representatives of IT system users (Education, Audiovisual and Culture Executive Agency (EACEA)) were also consulted regarding their respective responsibilities, in particular for the management of IT projects.

There are no observations/reservations in the AAR that relate to the processes audited.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0


2.2.3. Business Continuity in DG DIGIT

2.2.3.1. DIGIT: Business Continuity Management


· Objectives and Scope

The overall objective of this audit was to assess the adequacy and effectiveness of Business Continuity Management (BCM) in DG DIGIT.

The scope of the audit covered the management structures and procedures of Business Continuity in DG DIGIT (cf. BCM life-cycle at DG-level), including coordination with other DGs/Services and external service providers.

There are no observations/reservations in the 2009 AAR of the audited DG that relate to the area/process audited.

The fieldwork was finalised in June 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0

2.2.4. Other audits

2.2.4.1. PMO, DIGIT: HR IT Corporate Application – NAP

· Objectives and Scope

The mission of PMO is to ensure the determination and payment of individual rights of active and post-active staff as well as the reimbursement of experts' expenses, with a significant proportion of these tasks dedicated to other Institutions and almost all the Regulatory and Executive Agencies.

To accomplish its mission, PMO relies on the NAP (Nouvelle Application Paie) software, an off-the-shelf product heavily customised and adapted over time to the needs of PMO (and of the different bodies they serve).

The administration, calculation and payment of financial entitlements of staff of EC and other Institutions/bodies carry inherent financial and reputational risks. In addition, operational risks related to the high dependency of PMO on the NAP Environment (NAP, FIXPEN, InfoCentre) and compliance risks related to the correct implementation of the Staff Regulations and Personal Data protection Regulation exist.

The objective of the engagement was to analyse and evaluate the internal control systems put in place by PMO to provide:

· proper governance set up and project management for the NAP project;

· adequate physical and logical security arrangements for the NAP Environment.

Regarding security, the engagement focused on confidentiality, integrity and availability of the information processed in the NAP environment and in particular on:

· Authentication, authorisation and accountability of NAP Environment users,

· Business Continuity arrangements,

· Data integrity and validation controls implemented in the NAP environment,

· Management of changes.

The scope of the audit included the following processes:

· Plan & Organise: IT project management and management of quality of the project.

· Acquire & Implement: changes and configuration management.

· Deliver & Support: management of information system security, continuity of service, data and IT operations.

· Application Controls: source data collection, entry, preparation and authorization.

The audit focused primarily on the activities performed by the team in charge of NAP (called NAP Cell). The role and responsibilities of DIGIT as service and system provider (DIGIT.B3 - NAP System Supplier, and DIGIT.C2 - NAP Infrastructure Service Provision) and of PMO's main users (Units 01, 04, 05 and 08) were also analysed during the audit.

There are no reservations in the 2009 AAR that relate to the processes audited.

The fieldwork was finalised on 10 September 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0

2.3. Control strategies

2.3.1. Structural funds – DG REGIO and DG EMPL

2.3.1.1. REGIO: Control Strategy - Audit and Financial Correction Processes

· Objectives and Scope

The SFs DGs spend around one third of the total EC budget annually under shared management. Although the Member States (MSs) have primary responsibility for implementing effective internal control systems to prevent or detect and correct irregular and illegal expenditure, the Commission performs a supervisory role over national systems and assumes final responsibility for the implementation of the budget. Therefore, the SFs DGs should have a credible control strategy for demonstrating that they are seeking reasonable assurance on the effective functioning of the management and control systems (MCS) in MSs and beneficiary countries.

This audit covered:

· DG REGIO’s own audit strategy and risk-based strategic audit planning for the 2000-2006 and 2007-2013 programming periods (PP) and all funds;

· the Audit Directorate's quality improvement programme / system for quality control;

· the disclosure of key information (i.e. the key assurance building blocks) supporting the reasonable assurance provided in the declaration of assurance of the 2009 AAR;

· the measures to build up MS capacity for installing sound and effective management and control systems.

The objective was to assess:

· whether the audit strategy designed to obtain assurance on the adequate set-up and effective functioning of the management and control systems in the Member States and beneficiary countries is adequate, effectively implemented, regularly monitored and adequately reported on, and is ensuring that corrective measures are taken promptly and proportionately;

· whether the Audit Directorate has established a sound quality assurance programme or system for quality control, and/or has taken adequate measures to ensure the continuous quality improvement of the audit function;

· whether the DG has adequately disclosed the level of assurance obtained for shared management in its 2009 AAR,

· whether the DG's measures to build up MS capacity for installing sound and effective management and control systems at managing, certifying and audit authorities are adequate and effective.

DG REGIO has included the following reservations in its 2009 AAR concerning specifically the processes under the scope of this audit:

· "For ERDF and Cohesion Fund there are significant deficiencies prejudicing the effective functioning of the MCS of certain programmes 2007-2013 in Bulgaria, Italy, Germany, Spain and together with 15 European Territorial Cooperation programmes;

· For ERDF and Cohesion Fund there are significant deficiencies prejudicing the effective functioning of the MCS of certain programmes 2000-2006 in Bulgaria, Italy, Germany, The United Kingdom and together with 15 INTERREG programmes

· For 38 out of the 79 programmes concerned the DG does not have reasonable assurance on the legality and regularity of the underlying transactions in relation to reimbursements in 2009 of expenditure declared. For the 41 remaining programmes, significant deficiencies have been identified at an early stage before any reimbursement in 2009 of expenditure declared, which limits the risk for the financial interests of the Union."

The fieldwork was finalised in mid October 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0


2.3.1.2. EMPL: Control Strategy - Audit and Financial Correction Processes


· Objectives and Scope

The Structural Funds (SF) DGs spend around one third of the total EC budget annually under shared management. Although the Member States (MSs) have primary responsibility for implementing effective internal control systems to prevent or detect and correct irregular and illegal expenditure, the Commission performs a supervisory role over national systems and assumes final responsibility for the implementation of the budget. Therefore, the SFs DGs should have a credible control strategy for demonstrating that they are seeking reasonable assurance on the effective functioning of the management and control systems (MCS) in MSs and beneficiary countries.

This audit covered:

· DG EMPL’s own ESF audit strategy and risk-based strategic audit planning for the 2000-2006 and 2007-2013 programming periods;

· the audit units’ quality improvement programme / system for quality control;

· the disclosure of key information (i.e. the key assurance building blocks) supporting the reasonable assurance provided in the declaration of assurance of the 2009 AAR;

· the measures to build up MSs' capacity for installing sound and effective management and control systems.

The objective was to assess:

· whether the audit strategy designed to obtain assurance on the adequate set-up and effective functioning of the management and control systems in the MSs and beneficiary countries is adequate, effectively implemented, regularly monitored and adequately reported on, and is ensuring that corrective measures are taken promptly and proportionately;

· whether the audit units have established a sound quality assurance programme or system for quality control, and/or have taken adequate measures to ensure the continuous quality improvement of the audit function;

· whether the DG has adequately disclosed the level of assurance obtained for shared management in its 2009 AAR,

· whether the DG's measures to build up MS capacity for installing sound and effective management and control systems at managing, certifying and audit authorities are adequate and effective.

In its 2009 AAR, DG EMPL made reservations in relation to deficiencies in the MCS for ESF Operational Programmes (OP) in a number of MSs for both the 2000-06 and 2007-13 programming periods (PP) and which have not been subject to sufficient control and corrective measures by the national authorities.

The fieldwork was finalised in mid October 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0

2.3.2. Audit strategy – DG EAC

2.3.2.1. EAC: Supervision and monitoring of National Agencies - Lifelong Learning Programme

· Objectives and Scope

The objective of this audit was to assess the adequacy, effectiveness and efficiency of the internal control system put in place by DG EAC, including primary controls performed by National Agencies (NAs) and secondary controls by National Authorities (NAUs).

DG EAC implements 72% of its budget through the Centralised Indirect Management mode (through NAs), 20% through its Executive Agency (EACEA) and 8% through the Centralised Management mode. The main programmes during the period 2007-2013 are Lifelong Learning Programme (LLP), (851 Mio EUR commitments in 2010) and Youth in Action (YiA) (106 Mio EUR commitments in 2010).

Annual financing agreements are signed with each of the 66 NAs, of which 38 are managing LLP (9 also managing the Youth programme). These agreements cover both the operating grant (paid as a lump sum) and decentralized grants (subject to the transfer of Community funds into NAs accounts).

Based on a risk analysis, the audit focused mainly on the LLP, which covers Directorate R of DG EAC and the operational units involved (Dir B, C). The auditors reviewed the implementation, monitoring/supervision and support processes at both DG EAC and NAU/NA levels.

The IAS visited three NAUs and NAs in Turkey, Hungary and Finland, due to the materiality of their budget and the supervisory and audit work carried out by DG EAC and the European Court of Auditors in NAUs/NAs. In addition, 7 NAs and NAUs were also surveyed to assess the systematic nature of the audit findings, of which 5 replied on time.

The areas excluded from the scope of this audit are detailed in section 2.1.1 of the report.

No reservation/observation was made regarding the management of the programmes by the NAs in DG EAC's 2009 AAR. However, the 2009 AAR referred to:

· A partial assurance on the following NAs and NAUs: Ireland (LLP and YiA), Greece (YiA), Spain (LLP and YiA), Hungary (YiA), The Netherlands (LLP), Portugal (LLP), Sweden (LLP, YiA), Norway (YiA), (applying an error rate of 5%).

· The lack of assurance for NA and NAUs of Bulgaria (LLP), Malta (LLP, YiA) and Cyprus (YiA) (applying an error rate of 20%). The programme for Cyprus has been suspended as from 6/02/2009 (LLP, YiA).

This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing.

The audit fieldwork was finalised in mid-September 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0

2.3.3. Development aid – DG AIDCO and DG ELARG

2.3.3.1. AIDCO: Management of Thematic Budget lines

· Objectives and Scope

The objective of this audit was to assess (i) the adequacy, effectiveness and efficiency of the internal control system put in place by DG AIDCO for the management of the Thematic Budget Lines, and (ii) compliance with the Commission rules and DG AIDCO internal procedures.

Based on a risk analysis and taking into account audit coverage achieved in the past, this audit focused mainly on the thematic operations in place since 2007, and related to the EIDHR (European Initiative for Democracy and Human Rights) instrument and the food security programme managed by DG AIDCO Directorate F and the geographical units concerned (Asia, Latin America and ACP). In this context, the auditors reviewed all the processes related to the management of both global (managed by HQ) and local (managed by EU Delegations) Calls for Proposals (CfP), and the implementation and monitoring/supervision of the thematic operations. Horizontal and support processes like programming activities and human resources were also part of the scope. The audit was complemented by the second follow-up audit on 'NGOs funding by DG AIDCO' which is the subject of a separate report (final report issued on 28 May 2010).

The IAS visited three EU Delegations, Thailand and its regionalised Delegations, Sierra Leone, and Nicaragua and its regionalised Delegations, chosen on the basis of the materiality of their budget and thematic operations and other risk factors. In addition, 19 Delegations were surveyed through a questionnaire to corroborate the audit findings, of which 17 Delegations replied.

Areas excluded from the scope of this audit are detailed in section 2.1.1 of the report.

The audit fieldwork was finalised at the end of April 2010. All observations and recommendations relate to the situation as of that date.

There are no observations/reservations in the 2009 AAR that relate to the area/process audited.

This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0


2.3.3.2. AIDCO: Financial management of Programme Estimates funded by the EDF and EU Budget


· Objectives and Scope

Programme Estimates (PE) is the instrument applied by DG AIDCO to implement programmes under decentralised management mode. The scope of the audit included PE contracts signed after 1 January 2007 following the publication of the PE guide issued by DG AIDCO.

Based on CRIS data covering contracts signed from January 2007 to June 2010, PE imprest commitments totalled € 1.465 Mio, of which € 1.134 Mio were financed by the EDF and € 331 Mio by the EU Budget.

The objective of this audit was to assess the compliance, effectiveness and efficiency of DG AIDCO's procedures and controls over Programme Estimates (PE) in order to ensure that they are in the context of a control strategy that is able to provide assurance to the Director General when signing off the Annual Activity Report (AAR).

The audit fieldwork was conducted in DG AIDCO's HQ and the EU Delegations to the Democratic Republic of Congo (DRC) and Malawi. In addition, 9 other EU Delegations (EUDs) were surveyed through a questionnaire prepared by the audit team for this particular engagement. The audit methodology is further described in Annex 1. The areas excluded from the scope of this audit are detailed in section 2.1.1 of this report.

No reservation/observation was made regarding the management of programmes through the PE instrument in DG AIDCO's 2009 AAR.

The audit fieldwork was finalised on 12 November 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0


2.3.3.3. ELARG: Public procurement under IPA


· Objectives and Scope

The objective of the audit was to assess the internal control system related to the procurement procedures under IPA. In particular, the audit assessed whether the internal control system provides reasonable assurance regarding compliance with applicable rules and regulations, and the effectiveness and efficiency of the procurement process under centralised deconcentrated and decentralised management modes.

The scope of this audit included the following sub-processes:

· Appropriateness of and compliance with Financial Circuits.

· Appropriateness of and compliance with the procurement and contracts checklists.

· Adequate procurement portfolio and individual contract monitoring.

· Reporting from Delegations to HQ and supervision and supporting actions taken by HQ with regard to Delegations.

· The legality and regularity of the procurement procedure under deconcentrated centralised management (AOsD to 'sign') or under decentralised management mode (AOsD to 'endorse') and its compliance with the Commission Decision on conferral of management of powers (ex-ante verification by the Delegation of the procurement procedure applied by the beneficiary country).

The audit covered the procurement activities carried out by the seven EU Delegations and one Office in candidate and potential candidate countries. These EU Delegations and Office were responsible for contracting and/or endorsing 67% of the commitments (procurement and grants) executed by DG ELARG in 2009.

The IAS visited the European Delegation Liaison Office to Kosovo during the preliminary survey and two EU Delegations during the fieldwork (fYROM and Croatia), and reviewed 21 procurement files and their corresponding contracts. See section 2.1.3 of the full report for details of the selection criteria adopted.

Section 2.1.2 of the full report lists the areas excluded from the scope of the audit.

The fieldwork was finalised on 7 May 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0


2.3.3.4. ELARG: Financial management of IPA grants


· Objectives and Scope

The objective of the audit was to assess the compliance, effectiveness and efficiency of DG ELARG's procedures and controls over grants financed by IPA and managed under centralised (CD) and joint (JO) management modes. The audit focused on the use of checklists, respect of financial circuits and rules for monitoring, reporting, and supervision, with particular attention to the initial phases of the project cycle, i.e. programming, selection and award procedures of grants.

The scope of this audit included the following sub-processes:

· Review of programming activities for centrally managed projects;

· Review of the selection and award procedures applied by DG ELARG: Decisions on award procedures to be applied, analysis of Call for Proposals (CfP) managed at HQ level, appropriateness of and compliance with Financial Circuits, appropriateness of and compliance with checklists;

· Adequate monitoring and supervision activities performed at HQ on IPA grants: Proper portfolio monitoring and reporting procedures on grant contracts;

· Compliance with applicable rules and regulations;

· Quality of data provided by DG ELARG, e.g. through adequate encoding of information in CRIS.

The reference period covered by the audit included contracts concluded as from 2007, managed centrally at HQ level. The main focus of the audit was on the review of contracts implemented through CD and JO management modes related to regional and horizontal programmes (Multi-Beneficiary Programmes (MBP)).

Section 2.1.2 of the full report lists the areas excluded from the scope of the audit.

No observation/reservation was included in the 2009 Annual Activity Report (AAR) that specifically relates to the processes audited.

The fieldwork was finalised on 8 October 2010. All observations and recommendations relate to the situation as of that date.

This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0


2.3.4. Joint Sickness Insurance Scheme (JSIS) as managed by the PMO


· Objectives and Scope

The objective of the audit was to assess the effectiveness and efficiency of the internal control system put in place by PMO regarding the management of the Joint Sickness Insurance Scheme (JSIS).

The audit focused on:

· the efficiency and effectiveness of the internal organisation and the internal control environment of PMO's management of the JSIS;

· the existence and effectiveness of PMO's control strategy of the JSIS, including the strategy to prevent and detect fraud.

The audit also included a review of PMO's:

· strategic approach of the JSIS in order to ensure that it provides sickness insurance to its members in the most economical, efficient and effective manner while taking into account the challenges presented by the current environment;

· approach taken to ensure the financial health of the JSIS.

There are no observations/reservations in the 2009 AAR that relate to the area/process audited.

The fieldwork was finalised on 22 October 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Critical| 0

Very Important| 0

Important| 0

Total| 0

2.4. Compliance with payment deadlines

2.4.1. BUDG: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)

· Objectives and Scope

Commission Services are required to comply with the time limits established in the Financial Regulation or in the specific contract or agreement for processing payments. Non-compliance with legal payment deadlines results in beneficiaries being entitled to late payment interest.

Commission Communication SEC(2009)477 on 'Streamlining financial rules and accelerating budget implementation' requires DGs to accelerate the payment process and to comply with shorter report approval and payment deadlines (known as 'Target deadlines') as one of the measures to improve budget implementation and help the economic recovery. Subsequent to the adoption of this Communication, and due to the particular attention being paid by the Ombudsman and the European Parliament to the Commission’s late payments, DGs have been requested to strengthen the payment process in order to comply with both legal and target deadlines.

The overall objective of this audit was to assess compliance with the rules and regulations, and guidance and instructions related to the payment deadlines process and the adequacy and effectiveness of the process in place in the Commission to comply with the time limit to pay. In particular, the audit assessed the support provided by DG BUDG to operational DGs, the internal control system implemented in Operational DGs to process payments within the set deadlines, and the monitoring and reporting systems in place at both central and DG level.

The scope of the audit, conducted in DG BUDG (in its central role) and in a sample of operational DGs (DG ECHO, DG MOVE, DG ENER and DG AIDCO), covered the processing of payment transactions (pre-financing, interim and final) under centralised management as well as the monitoring and reporting activities implemented both in Operational and horizontal DGs. The use of central and local IT systems was also covered by the audit.

This overview report takes into account the results of the validation of RTD's local system undertaken by DG BUDG between December 2009 and April 2010 in order to enable the Accounting Officer of the Commission to discharge his responsibilities as defined in Article 61 of the Financial Regulation. The IAS notes that a number of issues raised in the final report on compliance with payments deadlines, such as the suspension of payment deadlines, the time required to record cost claims and make payments, and the quality of the information recorded in ABAC (invoice dates, EC reception dates) are similar to those identified in the operational DGs audited by the IAS.

The fieldwork was finalised in September 2010. All observations and recommendations relate to the situation as of that date.


Recommendations issued in the consolidated report (including lessons learned)


Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Desirable| 0

Total| 0

Recommendations addressed to DG BUDG (from consolidated report and DG BUDG’s annex)

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Desirable| 0

Total| 0

2.4.2. ENER: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)

See point 2.6.1.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 25

Total| 11

2.4.3. MOVE: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)

See point 2.6.1

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 25

Total| 11

2.4.4. AIDCO: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)

See point 2.6.1

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0

2.4.5. ECHO: Payment deadlines (BUDG, TREN, AIDCO, ECHO + IT Part)

See point 2.6.1

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0


2.5. Other audits

2.5.1. Legal Service: Handling of sensitive information


· Objectives and Scope

The mission of the Legal Service (LS) is 'to assist the Commission in its tasks, in particular to ensure that the provisions of the Treaties and other measures taken by the institutions are interpreted and applied in accordance with the law. For this purpose, it will give legal advice, defend the interests of the Commission and of the Union before the courts, the national or international tribunals and other dispute settlement bodies, and strive to assure the highest quality, coherence and development of Union legislation'.

In performing their tasks, staff in the LS handle on a daily basis sensitive information provided by individuals, business undertakings (business secrets and market sensitive information), International Organisations, Member States and Third Countries, Courts and Tribunals, other Commission services or produced internally. Some information can also be classified pursuant to the Commission's rules on security, often at the level RESTRICTED EU. In this respect, activities of the LS entail potentially high legal, financial and reputational risks related to possible breaches of confidentiality.

The objective of the present audit was to assess the adequacy and the effectiveness of the internal control system of LS in ensuring the confidentiality of sensitive information.

The scope of the audit covered litigation and legal advice activities (therefore excluding infringements and quality of legislation), as well as administrative support and selected aspects of legal coordination.

The audit focused on horizontal, service-wide processes as well as on the implementation of internal controls in a sample of Legal Teams.

The following processes were excluded:

· Public access to Commission documents as defined by Regulation (EC) 1049/2001;

· IT systems, with the exception of the management of access rights.

There are no observations/reservations in the 2009 AAR that relate to the area/process audited.

The fieldwork was finalised on 30 July 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0


2.5.2. Publications Office: Official Journal Production Process as managed by the Publication Office (OP)


· Objectives and Scope

The objective of the audit was to assess the effectiveness and efficiency of OP's internal control system relating to the OJ production process.

The audit focused on the operational arrangements put in place to ensure the business continuity of the production process of the OJ L and C series and TED, and the compliance of the design and implementation of the financial circuits relating to the OJ production process with the rules and regulations in force; it also included a review of performance aspects such as the control of and reporting on the quality of the production process.

The audit did not cover the proofreading part of the OJ as this will be covered by an audit conducted by the IAC of OP at the end of 2010.

There are no observations/reservations in OP's 2009 Annual Activity Report (AAR) that relate to the area/process audited.

The fieldwork was finalised on 30 September 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0


2.5.3. Publications Office, Secretariat General: Management letter to SG - Transmission to PO of sensitive information for publication


· The context

The Author Services transmit all documents for publication electronically, e.g. via the internal network for the transmission from the Commission's Secretariat-General, or via FTP through the TESTA II network for the transmission from the Council's Secretariat-General.

According to the Office, approximately 1% of the 500 to 1000 documents (in all languages) that OP receives each month from all Institutions contains sensitive information that must not be disclosed before the publication date, e.g. documents on state aid, antidumping documents from DG TRADE, merger-related information from DG COMP, and decisions on duties from DG TAXUD. However, no specific measures, such as encryption, are in place to protect the confidentiality of these documents. At the Commission, documents containing information that must not be disclosed before publication are transmitted to OP by the Secretariat-General by email using eGreffe. Nevertheless, the existing tools for the secure transmission of sensitive documents (e.g. SECEM - SECure Email Commission internal) are not used for this purpose.


2.5.4. AGRI: Interventions in Agricultural Markets (focused on Milk and Milk products)


· Objectives and Scope

The objective of the audit was to assess the effectiveness and efficiency of the internal control systems put in place by DG AGRI regarding the management and audit of market measures for milk and milk products.


The audit focused on


· the effective organisation of DG AGRI's management of market measures

· compliance by DG AGRI with regulations and procedures in the Milk sector

· the effectiveness of the management of the crisis in the dairy market

· the audit by DG AGRI of market measures.

There are no observations/reservations in the 2009 AAR that relate to the area/process audited.

The fieldwork was finalised on 3 June 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Desirable| 0

Total| 0


2.5.5. OIB: Activities of OIB.OS3 Social Infrastructure ISPRA


· Objectives and Scope

The objective of the audit was to assess the effectiveness and efficiency of the internal control system put in place for the activities managed by the Social Infrastructures Unit in ISPRA (OIB.OS3) following its transfer from the JRC to OIB on 1st March 2009.

The audit focused on the implementation of the financial circuits, the financial management of revenue, procurement procedures managed by the Unit, financial reporting and ex-post controls. It also addressed the adequacy of the coordination within the Unit, with JRC and with OIB headquarters in Brussels as well as human resources aspects, mainly job descriptions, sensitive functions and training.

There are no observations and/or reservations in the 2009 AAR, which relate to the process audited.

The fieldwork was finalised on 27 May 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0


2.5.6. PMO: Activities of PMO/6 ISPRA


· Objectives and Scope

The objective of the audit was to assess the effectiveness and efficiency of the monitoring and control systems put in place by PMO/6-ISPRA for the remuneration process (establishment of rights and payments).

The audit focused on the design and the implementation of the financial circuits and procedures related to the determination and payment of individual rights of active staff managed by PMO/6-ISPRA and, in particular, newly recruited or transferred staff.

The Joint Sickness Insurance Scheme (Settlements Office in Ispra), although managed by PMO/6-ISPRA, was excluded from the scope of the audit as the monitoring and supervision is performed by PMO/3, the central office in Brussels. The IAC of DG HR carried out an audit on a selection of procedures of the Joint Sickness Insurance Scheme in 2007. The IAS has planned an audit of the Joint Sickness Insurance Scheme for 2010.

The IAS is currently conducting an IT audit on the NAP application, addressing IT security, project management and the governance set-up.

There are no observations/reservations in PMO's 2009 Annual Activity Report (AAR), which relate to the area/process audited.

The fieldwork was finalised on 23 April 2010. All observations and recommendations relate to the situation as of that date.

Acceptance Status|| Yes| No

Priority| #| #| % Total| #| % Total

Very Important| 0

Important| 0

Total| 0


2.5.7. JRC: Management letter on JRC Grant holders


· The context

There are three main types of non-statutory staff financed by the JRC:

· research fellows (known as grantholders) employed under national law employment contracts;

· seconded national experts or SNEs; and

· trainees.

According to the JRC, in the past staff were recruited under national law employment contracts as research fellows or 'grantholders'. This practice was abandoned in all JRC sites in 2006 except in ITU (Karlsruhe) and IPTS (Seville). The reason was primarily linked to the disparate treatment of grantholders across the JRC sites due to differences in national legislation relating to, for example, salaries, social security contributions and individual rights. Treating grantholders with the same obligations and work environment differently, depending on their nationality and the site on which they are employed, created discontent and uncertainty among the grantholder population.

According to JRC, the introduction of the Contract Agent system did not provide an immediate solution to the needs of the JRC in delivering its Work Programme objectives and satisfying the obligations imposed by Article 4 of the Euratom Treaty (training element), in terms of quick access to the job market, talent spread, and a simple and competitive selection and recruitment procedure. According to JRC, ensuring diversity in terms of nationality was also critical, in particular for those countries contributing to the overall budget of the Seventh Framework Programme (Switzerland, Israel, Norway, Iceland, Liechtenstein, Turkey, Croatia, the Former Yugoslav Republic of Macedonia, Serbia, Albania, Montenegro and Bosnia & Herzegovina).

In October 2007, in view of the urgent need to use such scientific expertise, the Director-General of the JRC decided, after a verbal consultation with the Director-General of Personnel and Administration, to re-instate the use of grantholder contracts on the basis of national law in Ispra, Geel and Petten (where this practice had been abandoned). The grantholder scheme was officially reintroduced by Mr. Schenkel in a note to JRC Directors on 21 February 2008.


3. Follow-up audits (if not in the above categories)


In addition to carrying out follow-up audits, the IAS also regularly reports to the APC on the state of play regarding implementation of IAS audit recommendations (see Table 1):


3.1. PMO: Follow-up on Controls over Payment of Pensions


Based on the results of the follow-up audit all the recommendations resulting from the original audit have been adequately implemented and risks mitigated. However, there is still room for further improvement and the IAS specifically invited PMO to consider one point for attention.

The IAS notes the progress made by PMO in the area of controls, following the results of its own audits.

3.2. BUDG: Second Follow-up on ABAC – Implementation of accrual based accounting

Based on a desk review of supporting documents provided by DG BUDG the IAS assessed that all the remaining open recommendations have been adequately implemented and risks mitigated. As a result, the IAS has closed them. No recommendation resulting from the original audit remains open.


3.3. COMP: Follow-up on Recoveries of fines


Based on a desk review of supporting documents provided by DG COMP the IAS assessed that all the remaining open recommendations have been adequately implemented and risks mitigated. As a result, the IAS has closed them. No recommendation resulting from the original audit remains open.


3.4. ELARG: Follow-up on Readiness Assessment/Phasing in of Delegations in Balkans


Based on the results of the follow-up audit, the IAS assessed that all the recommendations addressed to DG ELARG that resulted from the audit 'Readiness assessment/Phasing-in of Delegations in Balkans' have been adequately and effectively implemented, except for one recommendation.

However, as the actions to be taken to implement this recommendation are also included in the IAS audit report on 'Closure process of pre-IPA instruments' under Recommendation n° 4, the IAS proposed to close this recommendation in this audit engagement and ensure its follow up in the context of the above mentioned audit.


3.5. OIL: Follow-up on the Management of the Procurement Contracts


Based on the results of the follow-up audit, the IAS assessed that all the recommendations addressed to OIL that resulted from the audit 'Management of the Procurement Contract' have been adequately and effectively implemented, except for four recommendations.


3.6. PMO: Second Follow-up on Regularity of financial management and Implementation of financial circuits


Based on the results of the follow-up audit, the IAS assessed that globally the recommendations resulting from the original audit have been adequately implemented and risks mitigated, although in some cases there is still room for improvement. The IAS would specifically like to invite PMO to consider five points for attention.

Accordingly, the IAS will close all recommendations.

The IAS notes the progress made by PMO in the area of controls, following its own and ECA's audit recommendations. The IAS also notes the positive development of the complex IT system for rights at the corporate level (replacing IRIS), which was based on the professional cooperation between PMO and DIGIT.


3.7. JLS: Follow-up on Grants under Shared management of the European Refugee Fund


In October and November 2010, the IAS conducted a first follow-up audit assessing how the DG implemented the recommendations.

12 recommendations were assessed as having been adequately implemented and have been closed. Two recommendations have been assessed as partially implemented.

One recommendation has not been implemented. Following a reflection, DG JLS (now HOME) considered that its risks of conflict of interest were limited and decided to retain these activities in one section for efficiency reasons. Consequently, the recommendation will not be implemented.

One recommendation was still 'open' at the time of the follow-up and was therefore not reviewed (expected completion date 31/12/2010). It was sent for review on 14/12/2010, after the end of the fieldwork (09/12/2010), and will be included in the 2nd follow-up.


3.8. HR: Second follow-up on Review of DG ADMIN Human Resource Management Phase 1


Based on the results of the follow-up audit, all the recommendations addressed to DG ADMIN that resulted from the Review of DG ADMIN Human Resource Management Phase 1 have been adequately and effectively implemented.


3.9. OP: Follow-up on Procurement in the Publication Office


Based on the results of the follow-up audit, the IAS assessed that all the recommendations addressed to the Publication Office that resulted from the audit 'Procurement in the Publication Office' have been adequately and effectively implemented. However, as regards the implementation of the procedure "Comité d'évaluation", the evidence provided was not fully satisfactory, as the individual evaluation sheets were neither formalised nor signed by each member. Therefore, the IAS invited OP to supervise the implementation of this procedure more closely.


3.10. AIDCO: Follow-up on ex post control activities


Based on the results of the follow-up audit, the IAS assessed that all the recommendations addressed to DG AIDCO that resulted from the audit on ex post control activities have been adequately and effectively implemented, except for one recommendation, where the IAS considered that the assessment of the results of the key control layers and their impact on the coverage/contribution to the consolidated assurance should be completed.


3.11. HR: Follow-up on Review of DG ADMIN Human Resource Management- Phase II


The assessment of the state of implementation was based on a desk review of evidence provided in Issue Track, interviews and additional information provided by DG HR during the follow-up audit. Based on the results of the follow-up audit, the IAS assessed that all the recommendations addressed to DG HR that resulted from the Limited Review DG ADMIN Human Resource Management - Phase II have been adequately and effectively implemented, except for one recommendation, which will be reassessed when the strategy on absenteeism has been adopted.


3.12. HR: Second Follow-up on Validation of Self-assessment of IAC of DG ADMIN


In line with the IAS 2010 audit plan, a second follow-up of the IAS Validation of Self-Assessment of IAC of DG ADMIN (IAS-2006-ADMIN-001) has been performed in DG HR.

The objective of this engagement was to assess the progress made in implementing the remaining accepted recommendations addressed to DG HR (formerly DG ADMIN) following the first follow-up of the validation finalised in May 2008 (IAS-2008-ADMIN-001).

This follow-up does not result in a re-assessment of the adequacy of controls as a whole but focuses on the specific recommendations in the original engagement. It was carried out in accordance with the IAS methodological guidelines.

The assessment of the state of implementation was based on a desk review of evidence provided in Issue Track. Based on the results of the follow-up, the IAS assessed that all the recommendations addressed to DG HR that resulted from the IAS Validation of Self-Assessment of the IAC of DG ADMIN could be closed.


3.13. OIB: Second Follow-up audit on Evaluation of targeted Internal Control Standards


The assessment of the state of implementation was based on a desk review of evidence provided in 'IssueTrack' and additional information requested by the auditors. Based on the results of this desk review, the IAS assessed that the two recommendations which remained outstanding after the first IAS follow-up audit can be closed. The implementation of the recommendation relating to the former ICS 17 – Supervision (Very Important) will be examined and tested in the context of the follow-up of the OIB procurement audit, scheduled for 2011, and in particular its recommendation n° 5 'Ex post controls'. The recommendation on the former ICS 15 – Documentation of procedures (Important) is assessed as implemented in view of the progress made to date.

3.14. REGIO: Follow-up audit on internal control system for managing the new Structural Funds programming period – Phase I

The objective of the follow-up engagement, which has been undertaken on a desk review basis only, was to assess the progress made in implementing the accepted 2 issues for consideration and 2 very important recommendations that resulted from the audit carried out in 2008.

The assessment, which has been undertaken in line with IAS methodological guidelines, takes into account the state of implementation as reported by the DG in the Issue Track reporting tool and other documentary evidence obtained.

Based on the results of the desk review of the progress made as regards the two recommendations, the IAS considers they can be closed. However, given the ongoing nature of the actions to be taken to address the concerns raised in the two issues for consideration (in relation to the next programming period), the IAS considers they remain open for the moment, but should be implemented in due course and reported accordingly in Issue Track. However, issues for consideration are not included as part of the IAS's twice yearly reporting to APC on the state of play of implementation of audit recommendations.

3.15. EMPL: Follow-up audit on internal control system for managing the new Structural Funds programming period – Phase I

The objective of the follow-up engagement, which has been undertaken on a desk review basis only, was to assess the progress made in implementing the accepted 2 issues for consideration and 2 very important recommendations that resulted from the audit carried out in 2008.

The assessment, which has been undertaken in line with IAS methodological guidelines, took into account the state of implementation as reported by the DG in the Issue Track reporting tool and other documentary evidence obtained.

Based on the results of the desk review of the progress made as regards the two recommendations, the IAS considers they can be closed. However, given the ongoing nature of the actions to be taken to address the concerns raised in the two issues for consideration (in relation to the next programming period), the IAS considers they remain open for the moment, but should be implemented in due course and reported accordingly in Issue Track. However, issues for consideration are not included as part of the IAS's twice yearly reporting to APC on the state of play of implementation of audit recommendations.


3.16. ESTAT: Follow-up audit on IAS and IAC Joint Audit on ESTAT Grant Awarding process 2008-2009


Based on the results of the follow-up audit, the IAS assessed that all the recommendations addressed to DG ESTAT that resulted from the above-mentioned audit have been adequately and effectively implemented, except for one recommendation.

However, the IAS agreed to close this recommendation since the residual risk involved is considered as low.


3.17. TRADE: Second Follow-up audit on selected ICS


Based on the results of the second follow-up audit, all the recommendations addressed to DG TRADE that resulted from the 2007 Audit on Implementation of selected Internal Control Standards have been adequately and effectively implemented.


3.18. JLS: Follow-up audit on IT Procurement


Based on the results of the follow-up audit, the IAS assessed that all the recommendations addressed to DG HOME and DG JUSTICE that resulted from the above mentioned audit have been adequately and effectively implemented.

However, the IAS noted that a negotiated procedure was applied for three procurement contracts concluded in 2010, each with an individual value of more than 1 Mio€ (amounting to more than 7 Mio€ in total), with the same supplier.

In the light of IAS' previous audits in this area, DG HOME was invited to carefully manage the risks of potential concentration of outsourced activities and technical captivity.


3.19. ENTR: Follow-up audit on Monitoring the implementation of EU law


· Objectives and Scope

The objective of the follow-up engagement was to assess progress made in implementing the accepted recommendations that resulted from the audit on monitoring the implementation of EU law carried out between June and November 2006 (Final Report dated 5 December 2006).

This follow-up audit did not result in an assessment of the adequacy of controls as a whole but focused on the specific recommendations in the original audit.

· Audit Methodology

This follow-up engagement was carried out in accordance with the annual work plan of the IAS for 2009 and IAS methodological guidelines. In assessing the status of the original audit recommendations, this follow-up audit focused on those recommendations that were rated 'Very important' (there were no critical recommendations made in the original report). The audit procedures consisted of:

· reviewing the uploaded evidence in 'IssueTrack';

· interviewing the responsible officers for the implementation of the recommendations, and

· reviewing the additional evidence received.

Recommendations originally rated as being 'Important' have been assessed through desk reviews and interviews.

When making the assessment on the implementation of recommendations, the IAS took into consideration their implementation status as reported by the auditee through AMS-Issue Track.


3.20. SG: Follow-up audit on SG consolidated report - Monitoring the implementation of EU law


· Objectives and Scope

The objective of this follow-up engagement was to assess progress made in implementing the accepted recommendations that resulted from the audit on Monitoring the implementation of EU law (consolidated report) carried out between September and December 2006 (Final Report dated 22 December 2006).

This follow-up audit did not result in an assessment of the adequacy of controls as a whole but focused on the specific recommendations in the original audit.

· Audit Methodology

This follow-up engagement was carried out in accordance with the annual work plan of the IAS for 2010 and IAS methodological guidelines.

In assessing the status of the original audit recommendations, this follow-up audit focused on those recommendations that were rated 'very important' (there were no critical recommendations in the original report).

The audit procedures consisted of:

· reviewing the uploaded evidence in 'IssueTrack';

· interviewing the responsible officers for the implementation of the recommendations, and

· reviewing the additional evidence received.

Recommendations originally rated as being 'Important' have been assessed through desk reviews and interviews.

When making the assessment on the implementation of recommendations, the IAS took into consideration their implementation status as reported by the auditee through 'AMS-IssueTrack'.


3.21. ENV: Follow-up audit on Monitoring the implementation of EU law


· Objectives and Scope

The objective of the follow-up engagement was to assess progress made in implementing the accepted recommendations that resulted from the audit on Monitoring the Implementation of EU law carried out between September and December 2006 (Final Report dated 22 January 2007).

This follow-up audit did not result in a re-assessment of the adequacy of controls as a whole but focused on the specific recommendations in the original audit.

· Audit Methodology

This follow-up engagement was carried out in accordance with the annual work plan of the IAS for 2010 and IAS methodological guidelines.

In assessing the status of the original audit recommendations, this follow-up audit focused on those recommendations that were rated 'Critical' and 'Very important'. The audit procedures consisted of:

· reviewing the uploaded evidence in Issue Track;

· testing the mitigating actions taken by DG ENV for the Critical recommendations;

· interviewing the responsible officers for the implementation of the Critical and Very Important recommendations, and

· reviewing the additional evidence received.

Recommendations originally rated as 'Important' or 'Desirable' were assessed through desk reviews and interviews. When making the assessment on the implementation of recommendations, the IAS took into consideration their implementation status as reported by the auditee through AMS-Issue Track.


3.22. SANCO: Follow-up audit on Grant Management in the Food safety, Animal Health and welfare and Plant Health Activity


· Objectives and Scope

The objective of the follow-up engagement was to assess progress made in implementing the accepted recommendations that resulted from the audit on Grant Management in the Food Safety, Animal Health and Welfare and Plant Health Activity carried out between September and December 2008 (Final Report dated 30 January 2009).

This follow-up audit did not result in a re-assessment of the adequacy of controls as a whole but focused on the specific recommendations in the original audit.

· Audit Methodology

This follow-up engagement was carried out in accordance with the annual work plan of the IAS for 2010 and IAS methodological guidelines.

In assessing the status of the original audit recommendations, this follow-up audit focused on those recommendations that were rated 'Very important' (the original report did not contain any critical recommendations). The audit procedures consisted of:

· reviewing the uploaded evidence in Issue Track;

· interviewing the responsible officers for the implementation of the recommendations, and

· reviewing the additional evidence received.

Recommendations originally rated as 'Important' or 'Desirable' have been assessed through desk reviews and interviews. When making the assessment on the implementation of recommendations, the IAS took into consideration their implementation status as reported by the auditee through AMS-Issue Track.


3.23. AIDCO: Follow-up on Eligibility of Costs under the Financial and Administrative Framework Agreement with the United Nations


The assessment of the state of implementation is based on substantive testing of a sample of 12 contracts with UN Organisations (including both devolved projects managed by EU Delegations and centralised projects managed by AIDCO HQ), interviews with DG AIDCO and EU Delegations’ staff, and review of relevant documentation. The IAS fieldwork was conducted in DG AIDCO’s HQ and the EU Delegations to Thailand, Sierra Leone and Nicaragua.

Based on the results of the follow-up audit, the IAS assessed that one out of the four recommendations addressed to DG AIDCO has been adequately and effectively implemented.

Further actions are required to ensure the effective implementation of the other three recommendations:


3.24. AIDCO: Second Follow-up audit on NGOs Funding


The objective of this engagement was to re-assess the progress made in implementing the remaining accepted recommendations addressed to DG AIDCO following the first follow-up of the audit on 'NGOs funding in DG AIDCO' carried out in 2007.

This second follow-up audit did not result in a re-assessment of the adequacy of controls as a whole but focused on the specific recommendations in the original audit. It was carried out in accordance with the IAS methodological guidelines.

The implementation status was assessed through interviews and reviews of evidence provided by you to support the implementation of the recommendations.

Based on the results of the follow-up audit, the IAS assessed that all eight recommendations can be considered as implemented, although some specific actions are still outstanding; these are currently being addressed by the audit on 'Management of thematic budget lines in DG AIDCO'.


3.25. DIGIT: Follow-ups on the IT Governance of the Commission and on Management Processes of Local IT


A follow up of the seven clusters in which the thirty outstanding recommendations were grouped was conducted in 2009-2010 in accordance with the IAS methodological guidelines.

When analysing the implementation of the mitigating actions, the IAS took into consideration the implementation status as reported through AMS-Issue Track, as well as any additional information provided by the auditee during the engagement. The implementation status was assessed through a desk review of supporting documents and meetings with key staff of the DG concerned. The IAS has taken into account the recently created IT task force, set up by Vice President Šefčovič 'in order to ensure the Commission can continue to exploit the huge potential that Information Technology (IT) offers for delivering greater efficiency and improved services'.

Based on the results of the current follow-up engagement, the IAS considered that 15 out of the 30 recommendations have been adequately and effectively implemented. They include all the recommendations belonging to Cluster 6 - 'Training and sensibilisation to internal control', which has been closed. Concerning the other six clusters, the implementation of several actions to fully mitigate the underlying risks is still outstanding.


3.26. SANCO: Follow-up audit on Large-scale Information Systems


Based on the results of the follow-up audit, the IAS considered that all the recommendations addressed to DG Health and Consumers that resulted from the audit on 'Large-scale Information Systems at DG SANCO' have been adequately and effectively implemented.


3.27. OIL: Follow-up audit on Internal Control Standards


· Objectives and Scope

The objective of the follow-up engagement was to assess progress made in implementing the accepted recommendations that resulted from the Audit on Evaluation of Targeted Internal Control Standards carried out in May 2008.

This follow-up audit does not result in an assessment of the adequacy of controls as a whole but focuses on the specific recommendations in the original audit.

· Audit Methodology

This follow-up engagement was carried out in accordance with the annual work plan of the IAS for 2010 and IAS methodological guidelines.

In assessing the status of the original audit recommendation, the IAS reviewed the implementation status of all the recommendations made in the original report. Meetings were held with the officials responsible for the implementation of the specific parts of the action plan for each recommendation. In addition, a sample of transactions was tested to verify the effective implementation of the actions taken by OIL for the very important recommendations, where appropriate. Recommendations originally rated as 'Important' were assessed through desk reviews and interviews.

When making the assessment on the implementation of recommendations, the IAS took into consideration their implementation status as reported by the auditee through AMS-Issue Track.

Based on the results of the follow-up audit as described in the objectives and scope, the IAS assessed that all recommendations have been adequately and effectively implemented, with the exception of three recommendations.


3.28. REGIO: Follow-up audit of the Review of financial corrections and recoveries in the Structural Funds area


In line with the 2010 audit plan, the IAS performed a follow-up of the IAS Review of DG REGIO financial corrections and recoveries in the Structural Funds area, which report was issued on 14 November 2008 (ARES (2008) 46356).

The objective of the follow-up engagement, which has been undertaken on a desk review basis only, was to assess the progress made in implementing the accepted issues for consideration that resulted from the review carried out in 2008 (a similar review was carried out in respect of DG EMPL).

The assessment, which has been undertaken in line with IAS methodological guidelines, takes into account the state of implementation as reported by your DG in the 'IssueTrack' reporting tool and other documentary evidence obtained.

The main focus of the original review was the progress made at the time by DG REGIO on certain key actions contained in the Commission's action plan to strengthen its supervisory controls of structural actions under shared management. Given the ongoing nature of that plan, the IAS did not provide an audit opinion at the time and it raised issues for consideration rather than firm recommendations. Based on the results of the desk review of the progress made as regards those issues, the IAS considers that for practical purposes, they can be closed, including Issue for Consideration n° 2 concerning the integrated single IT system and monitoring arrangements. The monitoring aspects have been addressed, but the IAS recognised that the timeline and associated business processes for the development of an integrated system have yet to be developed and will not be developed in the immediate future. Therefore, to avoid keeping the complete issue open indefinitely, the IAS proposed to close it in 'IssueTrack', but monitor developments to the extent relevant in its forthcoming audits.


3.29. REGIO: Follow-up audit on the Implementation of Programmes in the New Member States


Based on the results of the follow-up, the IAS considered that the two recommendations addressed to DG REGIO that resulted from the audit on the Implementation of Programmes in the New Member States have been adequately implemented.


3.30. OP: Final Follow-up audit on In-depth Audit of OPOCE


The IAS has completed the follow-up of its audit 'In-Depth audit of OPOCE (IAS-2004-OPOCE-001)' in OP.

The objective of this engagement was to assess the progress made in implementing the remaining very important accepted recommendation addressed to OP (formerly OPOCE) following the first and second follow-ups of the audit carried out in December 2006 (IAS-2006-OPOCE-001) and in January 2010 (IAS-2009-OP-001), respectively on '43. Clarification of Article 3 of the basis OPOCE Regulation (2000/459/EC, ECSC, Euratom)'.

This follow-up audit did not result in a re-assessment of the adequacy of controls as a whole but focused on the specific recommendation in the original audit. It was carried out in accordance with the IAS methodological guidelines.

The assessment of the state of implementation was based on a desk review of evidence provided by your services in Issue Track. Based on the results of the follow-up audit, the IAS considered that recommendation No 43 has been adequately and effectively implemented, as the Service Level Agreement between OP and OIB was concluded on 29 March 2010.


3.31. ESTAT: Second Follow-up audit of IT Risk Analysis audit


Following the first follow up engagement, 6 out of 18 observations were considered as implemented. Based on the results of the current follow-up engagement, the IAS assessed that six more issues, considered by DG ESTAT as 'Ready for review', have been adequately and effectively implemented. The remaining six issues are assessed as not yet implemented, with several actions still required to be implemented to fully mitigate the underlying risks.


3.32. COMM: Follow-up audits on Audit on Contract management in the area of communication and Audit on Building Management


The results of the two follow up audits are as follows:


3.32.1. Audit on Contract management in the area of communication


Only one of the five recommendations included in the original IAS audit was accepted. Based on the results of the follow-up audit, the IAS assessed that the accepted recommendation addressed to DG COMM that resulted from the audit carried out in 2006 has been adequately and effectively implemented.


3.32.2. Audit on Building Management


The audit on 'Building Management' summarised the results of the mission carried out by the IAS in Cyprus as contribution to the Asset Management audit performed by DG COMM's IAC in 2007.

The findings and recommendations made by the IAS were incorporated in the audit report prepared by DG COMM's IAC, who retains ownership of the report's content. The follow up audit engagement is planned to be performed in 2011.

Taking into account the limited scope of the IAS original engagement and the follow up engagement of the Asset Management audit already planned by the IAC in 2011, the IAS carried out a desk review of the actions taken by DG COMM (and reported in Issue Track) in order to assess their adequacy. DG COMM's IAC will follow up the assessment of their effectiveness as part of their 2011 follow-up engagement.

Based on the results of the desk review, the recommendations have been adequately implemented. They will therefore be closed in Issue Track.


3.33. ENV: Second Follow-up audit on Grant Management of non-LIFE programmes


The objective of this engagement was to assess the progress made in implementing the remaining accepted recommendation addressed to DG ENV following the first follow-up carried out in early 2009.

This follow-up audit did not result in an assessment of the adequacy of controls as a whole but focused on the specific recommendations in the original audit. It was carried out in accordance with the IAS methodological guidelines. The assessment of the state of implementation was based on a desk review of evidence provided by DG ENV in Issue Track.

Based on the results of the follow-up audit, the IAS considered that all the recommendations addressed to DG ENV that resulted from the audit on Grant Management of non-LIFE programmes have been adequately and effectively implemented.


3.34. AGRI: Follow-up audit on Interventions in Agricultural Markets


· Objectives and Scope

The objective of the follow-up engagement was to assess progress made in implementing the accepted recommendations that resulted from the audit on Interventions in Agricultural Markets carried out in 2007.

This follow-up audit did not result in an assessment of the adequacy of controls as a whole but focused on the specific recommendations in the original audit.

· Audit Methodology

This follow-up engagement was carried out in accordance with the annual work plan of the Internal Audit Service (IAS) for 2009 and IAS methodological guidelines.

In assessing the status of the original audit recommendations, this follow-up audit focused on the one recommendation that was rated 'Very important'. The methodology for the assessment of the implementation of this recommendation (No 1) consisted of a review of a sample of recent proposal notes for the setting up of export refunds as well as the related supporting documents and applicable guidelines. Recommendations originally rated as 'Important' were assessed through desk reviews and interviews.

When making the assessment on the implementation of recommendations, the IAS took into consideration their implementation status as reported by the auditee through AMS-Issue Track.

Based on the results of the follow-up audit as described in the objectives and scope, the IAS assessed that all recommendations have been adequately and effectively implemented, with the exception of one recommendation.


3.35. PMO: Follow up audit on Missions as managed by PMO


· Objectives and Scope

The objective of the follow-up engagement was to assess progress made in implementing the accepted recommendations that resulted from the 'IAS Audit on Missions as managed by the PMO' carried out in 2008 (final report dated 11 July 2008).

This follow-up audit did not result in an assessment of the adequacy of controls as a whole but focused on the specific recommendations in the original audit.

· Audit Methodology

This follow-up engagement was carried out in accordance with the annual work plan of the IAS for 2009 and IAS methodological guidelines.

In assessing the implementation status of the original audit recommendations, this follow-up audit focussed on the two recommendations that were rated 'Very Important'. The approach taken consisted of examining and assessing the relevant documentation intended to support the implementation of the Action Plan, conducting interviews to clarify any outstanding issues, obtaining additional documentation/information needed and conducting limited substantive testing where appropriate.

In addition, a sample of 24 missions was randomly selected, with 12 missions 'paid for by organisers' and 12 with 'derogation for hotels'. The selection was based on the types of errors found during the original audit. The objective of the testing was to review compliance with the rules of the 'Guide to Missions', which was adopted by Commission Decision C(2008)6215 dated 18 November 2008 and which entered into force on 1 January 2009.

When making the assessment on the implementation of the recommendations, the IAS took into consideration their implementation status as reported by the auditee through the AMS 'Issue Track' follow-up tool. PMO had reported all eight recommendations as 'ready for review' as at the date of the follow-up audit.

3.36. EMPL: Follow up audit of the Review of financial corrections and recoveries in the Structural Funds area

In line with the 2010 audit plan, the IAS has performed a follow-up of the IAS Review of DG EMPL financial corrections and recoveries in the Structural Funds area, whose final report was issued on 14 November 2008 (ARES (2008) 46350).

The objective of the follow-up engagement, which has been undertaken on a desk review basis only, was to assess the progress made in implementing the accepted issues for consideration that resulted from the review carried out in 2008 (a similar review was carried out in respect of DG REGIO and is also currently subject to IAS follow up).

The assessment, which has been undertaken in line with IAS methodological guidelines, took into account the state of implementation as reported by your DG in the 'IssueTrack' reporting tool and other documentary evidence obtained.

The main focus of the original review was on the progress made at the time by DG EMPL on certain key actions contained in the Commission's action plan to strengthen its supervisory controls under shared management of structural actions. Given the ongoing nature of that plan, the IAS did not provide an audit opinion at the time and raised issues for consideration rather than firm recommendations. Based on the results of the desk review of the progress made as regards those issues, the IAS considered that for practical purposes, they can be closed, but that related matters will be examined from an audit perspective in the context of the IAS planned 2010 audit of DG EMPL's control strategy, which proposes to cover the financial correction processes.


3.37. INFSO: Follow up audit on AAR Assurance Process


In January 2008 the IAS issued a final audit report D(2008) 118 on the AAR Assurance Process. Whilst the very important recommendations contained therein focused on DG BUDG and SG, the report also made recommendations, classified as important or desirable, to a number of operational DGs covered in a sample, which included DG INFSO. In December 2009 the IAS made a specific follow up of the recommendations made to DG BUDG and SG and followed up separately the recommendations made to the operational DGs on a desk review basis only.

This review, which has been undertaken in line with IAS methodological guidelines, took into account the state of implementation as reported by DG INFSO in the Issue Track reporting tool and other documentary evidence obtained.

Based on the results of the desk review, the IAS assessed that all the recommendations addressed to DG INFSO that resulted from the audit 'AAR Assurance Process' have been implemented.

The IAS recognises that the AAR Assurance Process is a continuously evolving one and that whilst the implementation of the agreed recommendations has already contributed to the improvement of the DG's reporting, it will nevertheless be subject to further refinement and revision as it matures in practice.


3.38. RTD: Follow up audit on AAR Assurance Process


In January 2008 the IAS issued a final audit report D(2008) 118 on the AAR Assurance Process. Whilst the very important recommendations contained therein focused on DG BUDG and SG, the report also made recommendations, classified as important or desirable, to a number of operational DGs covered in a sample, which included DG RTD. In December 2009 the IAS made a specific follow up of the recommendations made to DG BUDG and SG and followed up separately the recommendations made to the operational DGs on a desk review basis only.

This review, which has been undertaken in line with IAS methodological guidelines, took into account the state of implementation as reported by your DG in the Issue Track reporting tool and other documentary evidence obtained.

Based on the results of the desk review, the IAS assessed that all the recommendations addressed to DG RTD that resulted from the audit 'AAR Assurance Process' have been implemented.

The IAS recognises that the AAR Assurance Process is a continuously evolving one and that whilst the implementation of the agreed recommendations has already contributed to the improvement of the DG's reporting, it will nevertheless be subject to further refinement and revision as it matures in practice.


3.39. EMPL: Follow up audit on AAR Assurance Process


In January 2008 the IAS issued a final audit report D(2008)118 on the AAR Assurance Process. Whilst the very important recommendations contained therein focused on DG BUDG and SG, the report also made recommendations, classified as important or desirable, to a number of operational DGs covered in a sample, which included DG EMPL. In December 2009 the IAS made a specific follow up of the recommendations made to DG BUDG and SG and followed up separately the recommendations made to the operational DGs on a desk review basis only.

This review, which has been undertaken in line with IAS methodological guidelines, took into account the state of implementation as reported by your DG in the 'IssueTrack' reporting tool and other documentary evidence obtained.

Based on the results of the follow-up audit as described in the objectives and scope, the IAS assessed that all recommendations have been adequately and effectively implemented.


3.40. REGIO: Follow up audit on AAR Assurance Process


In January 2008 the IAS issued a final audit report (D(2008)118) on the AAR Assurance Process. Whilst the very important recommendations contained therein focused on DG BUDG and SG, the report also made recommendations, classified as important or desirable, to a number of operational DGs covered in a sample, which included DG REGIO. In December 2009 the IAS made a specific follow up of the recommendations made to DG BUDG and SG and followed up separately the recommendations made to the operational DGs on a desk review basis only.

This review, which has been undertaken in line with IAS methodological guidelines, took into account the state of implementation as reported by your DG in the Issue Track reporting tool and other documentary evidence obtained.

Based on the results of the desk review, the IAS assessed that the recommendation addressed to DG REGIO as a result of the audit 'AAR Assurance Process' has been implemented.

The IAS recognises that the AAR Assurance Process is a continuously evolving one and that whilst the implementation of the agreed recommendations has already contributed to the improvement of the DG's reporting, it will nevertheless be subject to further refinement and revision as it matures in practice.


3.41. JLS: Follow up audit on AAR Assurance Process


In January 2008 the IAS issued a final audit report (D(2008)118) on the AAR Assurance Process. Whilst the very important recommendations contained therein focused on DG BUDG and SG, the report also made recommendations, classified as important or desirable, to a number of operational DGs covered in a sample, which included DG JLS. In December 2009 the IAS made a specific follow-up of the recommendations made to DG BUDG and SG and followed up separately the recommendations made to the operational DGs on a desk review basis only.

This review, which has been undertaken in line with IAS methodological guidelines, took into account the state of implementation as reported by your DG in the Issue Track reporting tool and other documentary evidence obtained.

Based on the results of the follow-up audit as described in the objectives and scope, the IAS assessed that all recommendations have been adequately and effectively implemented.


3.42. AIDCO: Follow up audit on AAR Assurance Process


In January 2008 the IAS issued a final audit report (D(2008)118) on the AAR Assurance Process. Whilst the very important recommendations contained therein focused on DG BUDG and SG, the report also made recommendations, classified as important or desirable, to a number of operational DGs covered in a sample, which included DG AIDCO. In December 2009 the IAS made a specific follow up of the recommendations made to DG BUDG and SG and followed up separately the recommendations made to the operational DGs on a desk review basis only.

This review, which has been undertaken in line with IAS methodological guidelines, took into account the state of implementation as reported by DG AIDCO in the Issue Track reporting tool and other documentary evidence obtained. Based on the results of the desk review, the IAS assessed that all the recommendations addressed to DG AIDCO that resulted from the audit 'AAR Assurance Process' have been adequately implemented.

The IAS recognises that the AAR Assurance Process is a continuously evolving one and that whilst the implementation of the agreed recommendations has already contributed to the improvement of the DG's reporting, it will nevertheless be subject to further refinement and revision as it matures.


3.43. COMP: Second Follow-Up of the Audit on local IT


In line with the IAS policy, a follow-up engagement has to be performed for each audit in order to determine whether the agreed actions have been adequately implemented. Following the first follow-up audit carried out in 2007, 41 out of 45 recommendations were assessed as implemented and 4 were assessed as being still in progress, out of which two were rated as Very Important and two as Important. For the latter, the IAS policy foresees a second follow-up to be performed when the level of implementation reported by the DG is considered by the IAS to be satisfactory.

Based on its analysis of the information provided by DG COMP in Issue Track, the IAS has now closed the remaining open recommendations.


3.44. RTD: Further Follow up audit on Ex-Post Controls


In 2008 the IAS conducted a follow-up of recommendations made in its 2006 audit of Ex-Post Controls in DG RTD.

As a result of the follow-up audit, three recommendations remained in progress at that time.

Since the date of the follow-up, the IAS has been tracking the gradual implementation of the remaining recommendations, by way of desk review of evidence submitted through the use of the Issue Track tool.

The IAS has completed that desk review for all the recommendations which remained outstanding and concluded that they have been adequately and effectively implemented.

This further follow up has not resulted in an assessment of the adequacy of controls as a whole but has focussed on the specific recommendations in the original audit.

[1] Data from 2010 Follow-up of IAS recommendations Final Overview Report based on the information provided by the DGs through IssueTrack as at 17 January 2011.

[2] One very important recommendation issued in 2005 is still outstanding and past due for more than 6 months.

[3] Some reports finalised at the beginning of 2010 were included in the 2009 report and are, therefore, not included in the 2010 report. Likewise, the reports/management letters drafted in 2010, but finalised by 1 February 2011, with the exception of the ML on the split of the DGs finalised in March, are included in the 2010 report.