Explanatory Memorandum to COM(2019)350 - Annual report to the Discharge Authority on internal audits carried out in 2018 - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2019)350 - Annual report to the Discharge Authority on internal audits carried out in 2018. |
|---|---|
| source | COM(2019)350  |
| date | 25-06-2019 |
Contents
- Brussels, 25.6.2019 COM(2019) 350 final
- 3.1. Implementation of the 2018 audit plan ................................................................................................................................... 3
- 3.2. Statistical data on Internal Audit Service recommendations ...................................................................................... 4
- 4.1. Conclusions on performance audits ............................................................................................................................................ 6
- 4.2. Internal Audit Service limited conclusions .......................................................................................................................... 12
- 5 2
- Audit Consulting Follow-up Limited review Management Letter
- Audit Consulting Follow-up Limited review
- 50 100 150
- Critical Very Important Important Total
- 1572
- Critical Very important Important
- 60 50 40 30 20 10
- Critical Very important Important
- 4.1.1.1. Synergies and efficiencies review
- 4.1.1.2. Governance processes
- 4.1.1.3. HR management processes
- 4.1.1.4. Other processes
- 4.1.2.1. Direct management
- 4.1.2.2. Indirect management
- 4.1.2.3. Shared management
REPORT FROM THE COMMISSION
TO THE EUROPEAN PARLIAMENT, THE COUNCIL AND THE COURT OF
AUDITORS
Annual report to the Discharge Authority on internal audits carried out in 2018
{SWD(2019) 300 final}
Table of Contents
1. INTRODUCTION ............................................................................................................................................... 2
2. THE INTERNAL AUDIT SERVICE MISSION: INDEPENDENCE, OBJECTIVITY, ACCOUNTABILITY .......................................................................................................................................... 2
3. OVERVIEW OF AUDIT WORK ...................................................................................................................... 3
3.1. Implementation of the 2018 audit plan ................................................................................................................................... 3
3.2. Statistical data on Internal Audit Service recommendations ...................................................................................... 4
4. CONCLUSIONS BASED ON THE AUDIT WORK PERFORMED IN 2018 ........................................... 6
4.1. Conclusions on performance audits ............................................................................................................................................ 6
4.1.1. Performance of Commission DGs, services and executive agencies: horizontal processes ..................................................................................................................................................................................... 7
4.1.2. Performance in implementing budget operational and administrative appropriations ....................................................................................................................................................................... 10
4.2. Internal Audit Service limited conclusions .......................................................................................................................... 12
4.3. Overall opinion on the Commission’s financial management ................................................................................ 13
5. CONSULTATION WITH THE COMMISSION’S FINANCIAL IRREGULARITIES PANEL .................. 14
6. MITIGATING MEASURES AS REGARDS POTENTIAL CONFLICTS OF INTEREST (INTERNATIONAL STANDARDS) — INVESTIGATION OF THE EUROPEAN OMBUDSMAN ................................................................................................................................................ 14
7. FURTHER MONITORING AND FOLLOW-UP ON AUDIT RECOMMENDATIONS ............................ 15
1. Introduction
This report informs the European Parliament and Council, as part of the discharge procedure and in accordance with Articles 118 and 247 of the Financial Regulation, about internal audits carried out in the Commission in 2018. It is based on the report drawn up by the Commission’s Internal Auditor on Internal Audit Service audits and consulting reports completed in 2018 (1). It covers
audits conducted in the Commission directorates-general, services and executive agencies (2), and contains (i) a summary of the number and type of internal audits carried out; (ii) a synthesis of the recommendations made; and (iii) the action taken on those recommendations.
2. The Internal Audit Service Mission: Independence, Objectivity, Accountability
The mission of the Internal Audit Service is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight. The Internal Audit Service helps the Commission accomplish its objectives by bringing a systematic, disciplined approach in order to evaluate and improve the effectiveness of risk management, control and governance processes. Its tasks include assessing and making appropriate recommendations to improve the risk management, control and governance process to achieve the following three objectives: (i) promoting appropriate ethics and values within the organisation; (ii) ensuring effective organisational performance management and accountability; and (iii) effectively communicating risk and control information to appropriate areas of the organisation. In doing this, the Internal Audit Service aims to promote a culture of efficient and effective management within the Commission and its departments.
The independence of the Internal Audit Service is enshrined in the Financial Regulation (3) and its mission charter (4) as adopted by the Commission. This charter stipulates that, to ensure objectivity in their judgement and avoid conflict of interest, Internal Audit Service auditors must preserve their independence in relation to the activities and operations they review. If their objectivity is impaired in fact or in appearance, the details of the impairment should be disclosed. If the Internal Auditor considers it necessary, he/she may address himself/herself directly to the President of the Commission and/or the College.
The Internal Audit Service performs its work in accordance with the Financial Regulation, the International Standards for the Professional Practice of Internal Auditing, and the Code of Ethics of the Institute of Internal Auditors.
The Internal Audit Service reports — and is accountable functionally — to the Audit Progress Committee. The Audit Progress Committee assists the College of Commissioners in fulfilling its obligations under the Treaties, the Financial Regulation and under other statutory instruments. It does this by (i) ensuring the independence of the Internal Audit Service; (ii) monitoring the quality of internal audit work; (iii) ensuring that internal and external audit recommendations are properly taken into account by the Commission services; and (iv) ensuring that these recommendations receive appropriate follow-up. In this way, the Audit Progress Committee helps improve the Commission’s effectiveness and efficiency in achieving its goals. The committee also facilitates the College’s oversight of the Commission’s governance, risk management, and internal control practices. In January 2018, the Internal Auditor issued an audit report on governance in the Commission. This report identified the need for proportionate improvements concerning, inter alia, risk management, financial reporting and the mandates of
1 The audit reports finalised in the period 1 February 2018 - 31 January 2019 are included in the report.
2 The report does not cover the decentralised European agencies, the European External Action Service, or other bodies audited by the Internal Audit Service, which receive separate annual reports.
3 OJ L 193, 30.7.2018, p. 1.
4 Ref. C(2017)4435 final of 30 June 2017, Communication to the Commission, Mission Charter of the Internal Audit Service of the European Commission.
the corporate (oversight) bodies. The charter of the Audit Progress Committee was updated in November 2018 as part of the Commission’s follow-up to this audit.
The Internal Audit Service does not audit Member States’ systems of control over the EU funds. Such audits reach down to the level of individual beneficiaries, and are carried out by Member States’ internal auditors, national audit authorities, other individual Commission directorates-general and the European Court of Auditors. However, the Internal Audit Service does audit measures taken by the Commission services to supervise and audit (i) bodies in Member States; and (ii) other bodies, which are responsible for disbursing EU funds, such as the United Nations. As provided for in the Financial Regulation, the Internal Audit Service can carry out these duties on the spot, including in the Member States.
3. Overview of audit work
3.1. Implementation of the 2018 audit plan
By the cut-off date of 31 January 2019, 100% of the updated 2018 audit plan had been implemented (5). This audit plan included audits in the Commission services and executive agencies (6).
166 ‘engagements’ (consisting of audits, consulting, follow-ups and reviews) were completed and 181 reports (including follow-up notes and management letters)7 were issued. A breakdown of the types of engagements and reports completed is contained in the charts below.
Number of 2018 reports by type
114
58
5 See also Internal Audit Service’s 2018 annual activity report.
6 The accompanying staff working document provides an overview of all completed audit and follow-up audit engagements.
7 The difference between the number of reports and the number of engagements derives from the fact that an audit engagement may result in several reports being issued (e.g. in addition to the final audit report, a management letter can be sent to the auditees or to other departments, depending on the results of the audit work).
2
Number of 2018 engagements by type
114
48
The 2018 initial plan (which included 52 audit engagements, (consisting of audits, reviews and consulting engagements, but excluding follow-ups) was updated at mid-year. Both the initial and updated plans were considered by the Audit Progress Committee.
The Internal Audit Service plans its audit work on the basis of a risk assessment and a capacity analysis. This is required by its charter and the international standards, and also helps to ensure efficient and effective implementation of the audit plan. The implementation of the audit plan is then regularly monitored and adjustments are made as necessary. In 2018, the Internal Audit Service performed an in-depth risk assessment resulting in a strategic multiannual audit plan for the period 2019-2021 as well as an annual audit plan for the year 2019.
3.2. Statistical data on Internal Audit Service recommendations
The number of recommendations issued by the Internal Audit Service in 2018 can be seen in the figure below.
Number of 2018 recommendations by rating
200
250
| 1______________ | 145 | |||
| 87 | ||||
233
100% of recommendations issued were accepted. For all recommendations, the auditees drafted action plans, which were submitted to — and assessed as satisfactory by — the Internal Audit Service.
1 572 (81%) of the total number of accepted recommendations (1 938 were accepted in total)
2
2
0
the auditees at the cut-off date of 31 January 2019 (8). This leaves a total of 366 recommendations (19%) that were still open on that date.
Number of recommendations issued in the period 2014-2018 by status (based on the auditees assessment)
366
Implemented Open
Of these 366 open recommendations (9), 1 is rated critical(10) and 135 are rated very important and 103 are overdue (i.e. not implemented by the originally agreed implementation date). These overdue recommendations represent 5.3% of the total of 1 938 accepted recommendations. Of these 103 overdue recommendations, 18 very important recommendations are long overdue (long overdue is when the recommendation is still open more than 6 months after the original implementation date). These represent only 2.9% of the total number of critical and very important accepted recommendations in the period 2014-2018 (compared to 2.0% in the previous reporting period). The number of very important audit recommendations that are overdue by more than 6 months has fallen considerably over recent years (from an average of 28 in the period from June 2015 to October 2016 to an average of 15 since January 2017). Work is in progress on the implementation of these recommendations and will continue to be monitored closely by the Audit Progress Committee.
8 The chart shows the rating of the recommendations at the cut-off date. This may differ from the rating in the original report if actions subsequently taken by the auditee are deemed sufficient by the Internal Audit Service to partly mitigate the risks identified and therefore lead to a downgrading of the recommendation.
9 In addition, one important recommendation issued prior to 2013 is still open (PMO — Audit on New Pay Application).
10 The Internal Audit Service has since noted that the underlying risks have been partially mitigated and downgraded the rating of this recommendation to very important.
Number of open recommendations by rating
230
135
Age of delayed recommendations by rating
I I
| 0 | 0 < 6 months | 6 - 12 months > 12 months | |
| Critical | 0 | 0 | 0 |
| Very important | 14 | 12 | 6 |
| Important | 35 | 13 | 23 |
| ■ Total 49 25 29 |
Total
Overall, the Internal Audit Service considers the implementation of the audit recommendations to be satisfactory and comparable to previous reporting periods. This state of play indicates that the
Commission services are diligent in implementing the very important
recommendations, and that they therefore mitigate the risks identified by the Internal Audit Service. Nevertheless, attention should be paid to the individual recommendations rated ‘very important’ which are long overdue (i.e. more than 6 months overdue).
A summary of these very important and long overdue recommendations is provided in the staff working document (Section 3) annexed to this report.
4. Conclusions based on the audit work performed in 2018
4.1. Conclusions on performance audits
To contribute to the Commission’s performance-based culture and its greater focus on value for money, the Internal Audit Service carried out two types of audits in 2018: performance audits (11)
11 In total, the Internal Audit Service carried out 42 performance and comprehensive audits. For more details see the staff working document.
1
and audits which include important performance elements (comprehensive audits). Carrying out both of these audit types was part of the Internal Audit Service’s 2016-2018 strategic audit plan.
In line with its methodology and best practice, the Internal Audit Service approached performance in an indirect way. It does this by examining whether and how management has set up control systems to assess and provide assurance on the performance (efficiency and effectiveness) of its activities. Through this approach, the Internal Audit Service aims to ensure that directorates-general and services have set up adequate performance frameworks and performance measurement tools, key indicators and monitoring systems. This results in part from the fact that a large number of legal bases set out objectives that are of a wider scope than the Commission can achieve on its own. This means that SMART (12) objectives and benchmarks must first be decided upon at Commission level. The goal of these objectives and benchmarks is to separate as much as possible the Commission’s specific contribution from those of other key players who contribute to the implementation and achievement of EU objectives (Member States, regions, countries outside the EU, international organisations, etc.).
The following sections set out the conclusions of the Internal Audit Service on the various performance aspects of its audits carried out in 2018.
4.1.1. Performance of Commission DGs, services and executive agencies: horizontal processes
A major part of the 2018 internal audits focused on the efficient and effective use of resources in the various directorates-general and services of the Commission.
A key Commission initiative in this area is the synergies and efficiencies review launched in 2016 (13). This far-reaching initiative aimed to change ways of working in the Commission, achieve efficiency gains in support functions and free up resources for redeployment towards areas of greatest political importance. The Internal Audit Service audit acknowledged that the synergies and efficiencies review initiative is a major challenge for the Commission. The initiative has introduced novel and innovative ways of thinking and finding solutions to problems. The crosscutting effect of the ‘domain leader’ approach, in particular, is helping to break down silos and encourage a more joined-up way of thinking. The initiative underwent a very challenging period following its launch, which was to be expected given its ambitious nature. Since those early days, the Internal Audit Service notes the progress made and the collective efforts to address the gaps in the underlying framework. These aim at putting in place more robust processes and bringing a fresh momentum to an initiative where the expectations remain very high going forward, particularly in view of the end of the current Commission’s mandate and the start of a new Commission in 2019. Many of the initial challenges such as (i) the lack of a central steer on key issues; (ii) ensuring the robustness and feasibility of savings; (iii) budgetary issues; (iv) a lack of effective monitoring; and (v) an insufficiently common, joined-up approach are being tackled. However, there remains considerable work ahead to realise sustainable and genuine synergies and efficiencies and to achieve the objectives set in the 2016 Synergies and Efficiencies Review Communication on time. More needs to be done to capitalise on the progress made already and to ensure that the synergies and efficiencies review is embedded in the culture of the Commission.
The audit also found that at the corporate level, the central services should define clear criteria for determining savings and monitor closely the progress made towards achieving the target, and ‘domain leaders’ should set up appropriate quality mechanisms to demonstrate the level of quality of their services to the client directorates-general and take remedial actions when necessary. The Internal Audit Service’s recommendations in this regard need to be seen as
12 SMART: specific, measurable, achievable, realistic and timely.
13 Communication of the Commission SEC(2016)170 final.
proportionate improvements aimed at helping to ensure that the synergies and efficiencies review initiative is ultimately successful in delivering on its objectives. Following the Internal Audit Service audit, the Commission issued in April 2019 a new Communication on the Synergies and Efficiencies Initiative (14).
In 2017, the Internal Audit Service reported on several weaknesses identified in governance processes in the Commission. Following the Internal Audit Service recommendations, the Commission issued a set of communications and decisions in November 2018 (the ‘governance package’) to address the issues identified by the Internal Audit Service and update the Commission’s corporate governance arrangements.
In 2018, several audits also focused on governance aspects in different policy areas.
The audit on Connecting Europe Facility telecom governance showed that since the telecom programme was launched in 2014, it has faced a considerable increase in the range of services offered and in complexity. The governance structure, as initially set up, is no longer adapted to the current complexity of the programme and to the future developments under the Digital Europe programme and this situation may also affect the effective implementation at programme level. Therefore, the Internal Audit Service recommended to the Directorate-General for Communications Networks, Content and Technology that it improve, in cooperation with the other directorates-general implementing the programme, the Connecting Europe Facility’s current performance framework. The Internal Audit Service also recommended that the Directorate-General for Communications Networks, Content and Technology duly monitor its progress and the results by setting of measurable objectives and indicators.
In information technology governance, the specific governance arrangements in the Directorate-General for International Cooperation and Development for the management of the OPSYS (Operational System (15)) programme and related sub-projects are overall efficient and effective. Nevertheless, the information system governance model in place is not sufficiently adapted to the future information technology landscape of the Directorate-General for International Cooperation and Development, once OPSYS is deployed in production. The Internal Audit Service recommended that the Directorate-General for International Cooperation and Development strengthen its data governance.
The Internal Audit Service also issued recommendations on the shortcomings identified in the information technology governance and information technology security of the TRAde Control and Expert System (TRACES 16).
In human resources, an audit on human resource management in the Joint Research Centre found that the management and control system for the recruitment of temporary scientific staff: (i) is adequately designed; (ii) ensures recruitments in a legal and regular manner; and (iii) is effective for responding to day-to-day needs. However, the management and control system is not effective in: (i) the identification of the competency needs of scientific staff in the long run; and (ii) monitoring the recruitment process. These shortcomings may affect the
14 C(2019)2329 final of 26 March 2019 (Synergies and Efficiencies Initiative: ‘stock-taking and way forward’).
15 The OPSYS2 programme aims to replace, by 2020, 90% of the information technology legacy systems of the external aid family of directorates-general with a series of reusable corporate information technology components and services as well as to reinforce corporate convergence with the eGrant/eProcurement programme for improving synergies and efficiencies in the Commission’s information and communication technology domain.
16 TRACES is the EU’s online management tool to manage certificates and documents in: (i) animals, animal health, animal products and plants in the Directorate-General for Health and Food Safety; (ii) timber licences in the Directorate-General for Environment; (iii) organic certificates in the Directorate-General for Agriculture and Rural Development; (iv) and catch certification schemes in the Directorate-General for Maritime Affairs and Fisheries.
achievement of the ambitious objectives set by the Joint Research Centre in its strategy 2030. The human resource management was also found to be an issue in the audit of the Joint Research Centre’s nuclear decommissioning and waste management programme. Here, there was a gap between the resources needed and the resources available to fulfil the Joint Research Centre’s responsibilities in decommissioning (both in terms of staff numbers and in specific profiles/expertise). In addition, the arrangements to ensure business continuity in the event of absences/staff shortages are not fully effective. This creates a rather fragile environment, which is not sustainable in the long run, especially considering the increase in — and the changes in the nature of — nuclear decommissioning and waste management related activities.
The issues identified in the Joint Research Centre are similar to those identified in other audits performed by the Internal Audit Service in 2016-2018 and reported in previous years. Therefore, in 2018, the Internal Audit Service sent a management letter to the Directorate-General for Human Resources and Security outlining the common issues identified in these audits. This letter, raised a number of issues for consideration to help the Commission respond effectively to the human resource challenges faced by the directorates-general and services. These issues are particularly important in a context of increased political pressure to: (i) deliver results; (ii) redeploy resources to areas of greatest political importance; (iii) reduce staff and (iv) restructure the human resource community and the new human resource service-delivery model as a result of the synergies and efficiencies review initiative. The key recurring issues identified by the Internal Audit Service are: (i) the lack of comprehensive and coherent multi-annual human resource strategies and plans; (ii) weaknesses in workload assessment, task mapping and skills mapping, all of which are key elements in order to come to robust human resource allocation decisions, and (iii) insufficient human resource data and reports adding value, made available by the corporate level.
Various audits concluded that further progress can also be made in improving the overall performance of other ‘horizontal’ processes (i.e. processes that affect a variety of different policy and administrative areas).
The Early Detection and Exclusion System (EDES) is an alert tool, containing restricted information about third parties likely to represent a threat to the EU’s financial interests and reputation. The goal of the system is to counter fraud and protect the financial interests of the EU, and thus enable the authorising officers to take informed decisions. The audit on the Early Detection and Exclusion System found that the control system itself is overall effectively and efficiently designed, in line with applicable legal provisions. However, the audit identified two issues: (i) guidelines and awareness raising; and (ii) the practical implementation of the Early Detection and Exclusion System. The Internal Audit Service therefore recommended that significant efforts, both at the corporate and local level, be deployed to bring the awareness and implementation of the Early Detection and Exclusion System to a mature state to ensure that it is also operationally effective.
Every day, the European Commission creates, procures, acquires and disseminates intangible assets. Often, intellectual property rights such as copyright, trademarks and patents protect these assets. At the same time, Commission staff may have to use intellectual property assets owned by third parties. It is therefore necessary to efficiently and effectively manage intellectual property in the European Commission. Although the Commission has designed adequate governance, risk management and control processes for its intellectual property related activities, weaknesses were identified in their implementation of these processes at corporate level. In particular, weaknesses were found in the identification and classification of intellectual property assets, and in intellectual property clauses attached to software contracts. In addition to the recommendations made to address these issues, the Internal Audit Service recommended to the Directorate-General for Informatics and the Joint Research Centre that they jointly develop a corporate software policy for the development and distribution of software owned by the Commission.
Risk management is about identifying and carefully assessing potential problems that could
robust and mature risk management process, which forms an integral part of management processes, can add value to an organisation by increasing the likelihood of it achieving its objectives, in particular if these organisations are impacted by significant change. For the Directorates-General for Migration and Home Affairs and for Justice and Consumers, the audits found that the risk management process is not yet fully integrated into the culture and systems of the directorates-general. In response to the issues identified, the Internal Audit Service recommended to both directorates-general that they strengthen their guidance and methodology for identifying and assessing risks to include the consideration of lost opportunities, external dimensions and crosscutting risks and the possibility of using different risk identification methodologies which are better matched to their specific circumstances.
If the Commission was to experience a major breakdown of one or more of its critical systems it could have a significant reputational impact. It follows that the business continuity requirements of the Directorate-General for Communication are very demanding. Although, the Directorate-General for Communication has put numerous controls in place aimed at reducing the risks, the Internal Audit Service identified a weakness in the key step on which business continuity management is built: its business impact analysis process.
Adequate coordination of activities and cooperation with stakeholders are essential to ensure consistent and effective action between different policy areas.
In external action, coordination activities exist between the Commission (the Directorate-General for International Cooperation and Development, the Directorate-General for Neighbourhood and Enlargement Negotiations and the Service for Foreign Policy Instruments) and the European External Action Service, in the management of the EU delegations and in programming and implementing external instruments. These coordination activities take place both at headquarters and at EU delegation level. The coordination activities were found to be effective and efficient overall, even though a weakness was identified in country-level coordination. The Internal Audit Service notably recommended to the Directorate-General for International Cooperation and Development and the Directorate-General for Neighbourhood and Enlargement Negotiations that they further develop the operational tool (the aid-implementation dashboard) to set up a consolidated portfolio of EU-funded projects.
Eurostat closely cooperates with other EU bodies and international organisations to improve statistical methodology and exchange of data. This cooperation with external stakeholders has a significant impact on the implementation of the European statistical programme. Eurostat has set up effective cooperation arrangements with a number of external stakeholders, but the management and control systems in place lack a clear overall policy at directorate-general level. In addition, the coordination of activities and the exchange of the relevant information within the directorate-general also need to be improved.
Several aspects of the better regulation initiative were audited in various audits. This involved audits on the evaluation process in the Directorates-General for Agriculture and Rural Development, for Employment, Social Affairs and Inclusion, and for Regional and Urban Policy; an audit on the preparation of legislative initiatives in the Directorate-General for Taxation and Customs Union; and an audit on monitoring and enforcement of EU health law in the Directorate-General for Health and Food Safety. No significant performance issues were identified in these areas.
4.1.2. Performance in implementing budget operational and administrative appropriations
In the area of directly managed funds, several audits assessed the management of grants by executive agencies (Education, Audiovisual and Culture Executive Agency, Executive Agency for Small and Medium-sized Enterprises, European Research Council Executive Agency, Innovation and Networks Executive Agency, Research Executive Agency). No significant performance
Executive Agency. In this agency, although no significant issues in terms of project management and payment processing in the sample of projects tested were detected, serious shortcomings affecting the effectiveness of the overall internal control system were identified. Since the audit, the agency has taken action to address these shortcomings. The Internal Audit Service has noted that the underlying risks have been partially mitigated and downgraded the rating of the critical recommendation to very important.
Dissemination and exploitation activities are of paramount importance to maximise the impact of Horizon 2020. They work by ensuring the effective use and dissemination of the results of the research activities funded by the EU. The role of the Commission is to support Horizon 2020 beneficiaries with specific initiatives and dedicated tools and to ensure the beneficiaries comply with the contractual obligations. The Common Support Centre has designed an adequate dissemination and exploitation process supported by an information technology workflow that contains the mandatory checks that the project officers have to perform when assessing the implementation of the dissemination and exploitation plan agreed in the grant agreement. However, there are weaknesses in the practical application of the current process. Therefore, the Internal Audit Service made recommendations to ensure that: (i) compliance with the dissemination and exploitation contractual obligations and reporting requirements are monitored properly; and (ii) there is an appropriate level of follow-up of the dissemination and exploitation activities after projects are implemented.
The Directorate-General for Neighbourhood and Enlargement Negotiations manages grant- and procurement-award procedures under the European Neighbourhood Instrument in direct management. Supervision missions to the EU delegations are an important tool to provide reasonable assurance to the authorising officer by sub-delegation about the effectiveness and efficiency of the management and control systems in place in the EU delegations for the implementation of the European Neighbourhood Instrument. The Internal Audit Service identified one issue concerning supervision missions. The Internal Audit Service recommended to the Directorate-General for Neighbourhood and Enlargement Negotiations that it revise its procedures in order to improve the effectiveness of the supervision missions, in particular by (i) introducing risk-based planning of supervision missions; (ii) revising missions frequency; (iii) adapting the length of the on-the-spot visits to the requirements of the instructions on the finalisation phase of the missions; and (iv) setting up a procedure to disseminate the best practices to other EU delegations.
An audit on the Partnership Instrument in the Service for Foreign Policy Instruments identified weaknesses in the design and implementation of supervision missions by headquarters. In addition, the Internal Audit Service recommended to the Service for Foreign Policy Instruments that it strengthen the control environment in the EU delegation to the United States of America. In view of the weaknesses identified in the allocation of responsibilities for the management of the Partnership Instrument in this EU delegation. These weaknesses may affect the effectiveness and efficiency of operations and may lead to fraudulent activities not being detected on time.
The Office for the Administration and Payment of Individual Entitlements is responsible for the management of the Joint Sickness Insurance Scheme, accident insurance and occupational diseases. An audit on the Office for the Administration and Payment of Individual Entitlements control strategy concluded that the office has adequately designed and implemented efficient and effective internal controls for the Joint Sickness Insurance Scheme and accident insurance, except for two weaknesses. The audit therefore made recommendations on: (i) the review and documentation of the Joint Sickness Insurance Scheme control strategy; and (ii) the effectiveness and efficiency of ex ante and ex post controls.
In the area of indirectly managed funds, several audits focused on the supervision
the directorates-general and services No significant performance weaknesses were identified in two of these audits (17).
However, in two other audits in specific areas, weaknesses were identified in the management inancial instruments (18). Because the root cause of some of the issues identified is at central level, a management letter providing suggestions for improvements was also issued to the Directorates-General for Budget and for Economic and Financial Affairs.
• In the audit of LIFE financial instruments i
Environment, the Internal Audit Service concluded that although overall both directorates-general have put in place adequate supervisory processes to monitor the implementation of the financial instruments, there remains a weakness in the visibility and promotion of the EU contribution. To remedy this weakness, the directorates-general should regularly verify and effectively monitor that the requirements of the delegation agreements are respected in practice.
• Following the finalisation of an audit on the management of investment facilities
in the Directorate-General for International Cooperation and Development in 2017, the Internal Audit Service performed a similar audit on the Neighbourhood Investment Facility and the Western Balkans Investment Framework in the Directorate-General for Neighbourhood and Enlargement Negotiations in 2018. The audit found that while the overall design of both investment facilities is adequate, there are several weaknesses in their implementation that need to be addressed in order to improve the monitoring activities and the financial management.
Finally, an audit on the assurance-building process in headquarters, in the headquarters of the
identified a weakness in the monitoring process for the annual management declarations. These annual management declarations are provided by the international financial institutions and/or national agencies implementing projects under indirect management. The Internal Audit Service recommended to the Directorate-General for International Cooperation and Development that it should: (i) set up specific guidance on the monitoring process (controls, timing and follow-up); and (ii) provide information in the annual activity report on the status of management declarations and on their contribution to the assurance-building process.
In the area of shared management, six performance/comprehensive audits assessed programme management and payment processes. No significant performance weaknesses were identified in this area.
4.2. Internal Audit Service limited conclusions
The Internal Audit Service issued limited conclusions on the state of internal control to every directorate-general and service in February 2019. These limited conclusions contributed to the 2018 annual activity reports of the directorates-general and services
17 Audit on supervision of project management and payment for GALILEO in the Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs; Audit on the supervision of the implementation of the Copernicus programme in the Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs – phase II.
18 Financial instrument : a Union measure of financial support provided from the budget to address one or more specific policy objectives of the Union which may take the form of equity or quasi equity investments, loans or guarantees, or other risk sharing instruments, and which may, where appropriate, be combined with other forms of financial support or with funds under shared management or funds of the European Development Fund (EDF).
concerned. They draw on the audit work carried out in the last 3 years and cover all open recommendations issued by the Internal Audit Service and former Internal Audit Capabilities (insofar as the Internal Audit Service has taken these recommendations over). The Internal Audit Service’s conclusion on the state of internal control is limited to the management and control systems that were audited. The conclusion does not cover those systems that have not been audited by the Internal Audit Service in the past 3 years.
Particular attention, which led to reservations in the annual activity report of the service concerned, was drawn in the limited conclusion on the Education, Audiovisual and Culture Executive Agency with regard to one critical and two very important recommendations issued in the context of the audit on Erasmus+ and Creative Europe – grant management phase II.
4.3. Overall opinion on the Commission’s financial management
As required by its mission charter, the Internal Audit Service issues an annual overall opinion on the Commission’s financial management. This is based on the audit work in the area of financial management in the Commission carried out by the Internal Audit Service during the previous 3 years (2016-2018). It also takes into account information from other sources, namely the reports from the European Court of Auditors.
As in the previous editions, the 2018 overall opinion is qualified with regard to the reservations made in declarations of assurance by authorising officers by delegation. In arriving at its overall opinion, the Internal Audit Service considered the combined impact of: (i) the amounts estimated to be at risk as disclosed in the annual activity reports; (ii) the corrective capacity, as evidenced by financial corrections and recoveries of the past; and (iii) estimates of future corrections and amounts at risk at closure. Given the magnitude of financial corrections and recoveries of the past and assuming that corrections in future years will be made at a comparable level, the EU budget is adequately protected as a whole (not necessarily individual policy areas) and over time (sometimes several years later).
Without further qualifying the overall opinion, the Internal Audit Service emphasised the following matter:
Supervision strategies regarding third parties implementing policies and programmes
Although it remains fully responsible for ensuring the legality and regularity of expenditure and sound financial management (and also the achievement of policy objectives), the Commission increasingly relies on third parties to implement its programmes. This is mostly done by delegating the implementation of the operational budget or certain tasks to countries outside the EU, international organisations or international financial institutions, national authorities and agencies, joint undertakings, non-EU bodies and EU decentralised agencies. Moreover, in certain policy areas, greater use is being made of financial instruments under the current (2014-2020) multiannual financial framework . Such instruments and alternative funding mechanisms entail specific challenges and risks for the Commission, as also highlighted by the European Court of Auditors.
To fulfil their overall responsibilities, the Commission departments have to oversee the implementation of the programmes and policies and provide guidance and assistance where needed. Therefore, they have to define and implement adequate, effective and efficient supervision/monitoring/reporting activities to ensure that the delegated entities and other partners effectively implement the programmes, adequately protect the financial interests of the EU, comply with the delegation agreements, when applicable, and that any potential issues which are identified are addressed as soon as possible.
The Internal Audit Service recommended in a number of audits that the relevant Commission departments’ control strategies and supervisory arrangements should set out more clearly the priorities and the need to obtain assurance on sound financial management in those EU and non-EU bodies. Although actions have been taken in recent
_________________________________________
departments to mitigate the risks identified as a result of audit work, further improvements are still needed in some areas.
Moreover, the Internal Audit Service notes that, without prejudice to the result of the ongoing negotiations on the new multiannual financial framework (2021-2027), decentralised agencies and other implementing bodies will continue to be entrusted with operational responsibilities in certain areas. In this context, the Commission departments should continue their efforts to identify and assess the risks involved in delegating tasks to third parties and pursue effective and efficient supervisory activities by further developing the relevant control strategies.
Going forward, the Internal Audit Service will monitor the developments regarding the new multiannual financial framework as part of its update of the strategic risk assessment and audit plan in order to assess on a timely basis the related high risks and, where appropriate, assess the preparedness of the Commission departments to implement the new frameworks once they are adopted.
The issues addressed in the Internal Auditor’s emphasis of matter above are points of particular attention for the Commission.
Innovative financial instruments and alternative funding mechanisms play an increasingly important role in the implementation of the EU budget. The greater use made of financial instruments under the current multiannual financial framework has proven essential in order to catalyse private investment and maximise the impact of the EU budget. The Commission has proposed that this should continue under the next multiannual framework and is committed to ensuring that any related risks are appropriately mitigated.
The Commission is also paying close attention to proper supervision of agencies and other implementing bodies. For example, in 2018, central services and departments set up a working group to clarify and delineate the role of departments supervising executive agencies. As regards decentralised agencies, the new framework financial regulation has improved the governance arrangements and the decentralised agencies are strengthening their risk management. The Commission will continue to take action, where relevant, to continuously monitor, mitigate and address risks relating to delegation of tasks to third parties.
5. Consultation with the Commission’s financial irregularities panel
No systemic problems were reported in 2018 by the panel set up under Article 143 of the Financial Regulation, where it gives the opinion referred to in Article 93 of the Financial Regulation(19).
6. Mitigating measures as regards potential conflicts of interest (international standards) — Investigation of the European Ombudsman
The current Director-General of the Internal Audit Service, Internal Auditor of the Commission Mr Manfred Kraff, took office on 1 March 2017. Mr Kraff was previously Deputy Director-General and Accounting Officer of the Commission in the Commission’s Directorate-General for Budget.
In line with international audit standards (20), on 7 March 2017, following his appointment as Director-General and Internal Auditor, Mr Kraff issued instructions on the arrangements to be
19 It should be noted that since the entry into application of the new Financial Regulation (FR) the functions of all institutions’ financial irregularities panel have been transferred to the Early Detection and Exclusion System Panel referred to in Article 143 of the FR.
20 The international audit standards, to which the Financial Regulation expressly refer to in Article 98 (‘Appointment of the Internal Auditor’), state that: ‘If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.’ (Institute of Internal Auditors (IAA)-IPPF standard 1130). Moreover, the standards state that: ‘internal auditors must refrain from assessing
put in place in order to mitigate and/or avoid any potential or perceived conflict of interest as regards Internal Audit Service audit work in relation to his former responsibilities. These arrangements were prolonged in 2018 (for the period 1 March 2018 to 1 March 2019) and in 2019 through instruction notes to all Internal Audit Service staff issued by Mr Kraff on 1 March 2018 and 1 March 2019. According to the arrangements, which have now been prolonged until 1 March 2020, Mr Kraff would not be involved in the supervision of audit work on operations that he was responsible for before joining the Internal Audit Service. The supervision of the audit work related to such cases ultimately fell under the responsibility of Mr Jeff Mason, former Internal Audit Service Acting Director-General (September 2016-February 2017) and current Director in the Internal Audit Service (IAS.B, Audit in Commission and executive agencies I). The arrangements also provided that the Audit Progress Committee would be informed of these instructions and of their implementation, and that Mr Mason would refer to the Audit Progress Committee for the assessment of any situation that may be interpreted as impairing Mr Kraff’s independence or objectivity. In those cases, Mr Kraff would refrain from any supervision of the related audit work.
The arrangements in place were discussed with the Audit Progress Committee at its meeting of March 2018. The committee considered that the measures drawn up by the Internal Audit Service adequately address the risk of conflict of interest in line with the international standards and best practice. The committee also noted with satisfaction that arrangements to ensure organisational independence have been implemented in practice in the relevant audits. The Audit Progress Committee further took stock of the actual implementation in 2018 of these arrangements in its preparatory group meeting of 30 January 2019. The Audit Progress Committee noted with satisfaction that these arrangements had been implemented in practice in a number of audits and considered that this was leading practice in the internal audit profession.
On 4 December 2017, the European Ombudsman sent a letter to the European Commission informing it that, following a complaint from a member of the public, an inquiry would be opened in order to assess the appropriateness of the measures taken by the Commission to prevent any conflict of interest (or a perception thereof) as regards the appointment of the new Director-General of the Internal Audit Service. The Internal Audit Service and the Commission’s central services replied to the various questions raised by the Ombudsman, and provided all relevant supporting documents and information requested. The Internal Audit Service notes that, on 17 December 2018, the Ombudsman indicated in a letter sent to the Commission that she had assessed the measures taken by the Commission to avoid any actual or potential conflict of interest as ‘largely reassuring’. However, in this letter the Ombudsman also asked for further information about one specific issue relating to reporting lines for appraisals for 2017. The Commission sent the relevant information to the Ombudsman in April 2019.
On 27 September 2018 and 7 January 2019, during the hearings as part of the 2017 reporting year discharge, Mr Kraff presented to the European Parliament’s Budgetary Control Committee (CONT) the arrangements in place. These arrangements had been made public in the Internal Audit Service’s 2017 and 2018 annual activity reports (issued in March 2018 and 2019) and in the Commission’s annual report on internal audits (former Financial Regulation ‘Article 99(5)’ report, issued in September 2018).
7. Further monitoring and follow-up on audit recommendations
The implementation of action plans drawn up in response to Internal Audit Service audits this year and in the past contributes to the steady improvement of the Commission’s internal control framework. The staff working document accompanying this report summarises the follow-up measures currently being implemented by the Commission departments. The Internal Audit Service will conduct follow-up engagements on the implementation of action plans. These engagements will be considered by the Audit Progress Committee, which will inform the College as appropriate.
specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year’ (Institute of Internal Auditors (IAA)-IPPF standard 1130.A1).