Explanatory Memorandum to COM(2025)314 - Annual report to the Discharge Authority on internal audits carried out in 2024 - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2025)314 - Annual report to the Discharge Authority on internal audits carried out in 2024. |
|---|---|
| source | COM(2025)314  |
| date | 17-06-2025 |
Contents
- Brussels, 17.6.2025
- Table of contents
- 1. Objectives and scope of the report
- 2. Mission of the Internal Audit Service: accountability, independence and objectivity
- 3. Overview of audit work
- 3.1.Implementation of the 2024 audit plan
- 3.2.Statistical data on Internal Audit Service recommendations
- 4. Results based on the audit work performed in 2024
- 4.1.Overall results on performance audits
- 4.1.1.Financial processes
- 4.1.2.Operational processes
- 4.1.3.Support processes
- 4.2.Internal Audit Service limited conclusions
- d.the Commission's objectives are achieved effectively and efficiently; and
- Engagements by type
- Source: European Commission
- Recommendations by rating
- Source: European Commission, Internal Audit Service
- Delay of overdue recommendations by rating
- 4.1.1.Financial processes
- 4.1.2.Operational processes
- 4.1.3.Support processes
- IT management
- Other support processes
COM(2025) 314 final
REPORT FROM THE COMMISSION
TO THE EUROPEAN PARLIAMENT, THE COUNCIL AND THE COURT OF AUDITORS
Annual report to the Discharge Authority on internal audits carried out in 2024
{SWD(2025) 159 final}
4.3.Overall conclusion on the Commission’s financial management
5. Consultation with the Commission’s financial irregularities panel
1.Objectives and scope of the report
This report informs the European Parliament and the Council about internal audits carried out in 2024 by the European Commission’s Internal Audit Service (IAS) in its Directorates-General, services and executive agencies ( 1 ). It is part of the discharge procedure. It contains: (i) a summary of the number and type of internal audits carried out; (ii) a synthesis of the principal recommendations made; and (iii) the action taken on those recommendations. In accordance with Articles 118(8) and 253 of the Financial Regulation ( 2 ), the Commission forwards the report to the European Parliament and to the Council. It is based on the report drawn up in accordance with Article 118(4) of the Financial Regulation by the Commission’s Internal Auditor on Internal Audit Service audits and other engagement reports completed in 2024 ( 3 ).
Furthermore, as required by Article 118(5) of the Financial Regulation, the report focuses on the overall compliance with the principles of sound financial management and performance by providing the overall results on performance and an overall conclusion on financial management (Section 4) ( 4 ).
2.Mission of the Internal Audit Service: accountability, independence and objectivity
The mission of the Internal Audit Service is to enhance and protect organisational value by providing the Commission with risk-based and objective assurance, advice, insight and foresight. To this end, the Internal Audit Service, as part of its audit plan:
• performs an independent assessment of the effectiveness of governance, risk management, and control processes for operations, activities and financial transactions (‘assurance services’); and
• provides advice, insight and foresight (‘non-assurance services’).
The assurance services are performed to confirm or verify that:
a.risks are appropriately and continuously identified, assessed and managed;
b.significant financial, managerial and operating information is accurate, reliable and timely;
c.the Commission’s policies, procedures and applicable laws and regulations are complied with;
e.the development and maintenance of high-quality control processes are promoted throughout the Commission.
The independence of the Internal Audit Service’s work is enshrined in the Financial Regulation and its mission charter ( 5 ) as adopted by the Commission. This charter stipulates that, to ensure objectivity in their judgement and avoid conflicts of interest, its management and auditors must preserve their independence in relation to the activities and operations they review. If their objectivity is impaired in fact or in appearance, the details of the impairment should be disclosed. If the Internal Auditor considers it necessary, she may address the President of the Commission and/or the College of Commissioners directly.
The Internal Audit Service performs its work in accordance with the Financial Regulation, the International Standards for the Professional Practice of Internal Auditing ( 6 ), and the Code of Ethics of the Institute of Internal Auditors.
The role of the Audit Progress Committee established under Article 123 of the Financial Regulation is to ensure the independence of the IAS, monitor the quality of the internal audit work and ensure that recommendations are taken into account and followed by services of the Commission, its executive agencies and other bodies. The Internal Audit Service: (i) reports significant issues arising from its audits and potential improvements to the audited processes; (ii) provides an annual overall conclusion on the state of financial management in the Commission; and (iii) reports (at least annually) on its mission and performance, as set out in its annual audit plan. This reporting includes significant risk exposures, control issues, corporate governance issues and other matters.
The Audit Progress Committee assists the College in fulfilling its obligations under the Treaties, the Financial Regulation and other statutory instruments. It does this by: (i) ensuring the independence of the Internal Audit Service; (ii) monitoring the quality of internal audit work; (iii) ensuring that internal and external audit recommendations are properly taken into account by Commission services; and (iv) ensuring that these recommendations receive appropriate follow-up. In this way, the Audit Progress Committee helps the Commission to improve its effectiveness and efficiency in achieving its goals. It also facilitates the College’s oversight of the Commission’s governance, risk management, and internal control practices ( 7 ).
The Internal Audit Service does not audit Member States’ systems of control over EU funds. Such audits reach down to the level of individual beneficiaries, and are carried out by Member States’ internal auditors, national audit authorities, other Commission Directorates-General and the European Court of Auditors. However, the Internal Audit Service does audit measures taken by the Commission to supervise and audit: (i) bodies in Member States; and (ii) other bodies that are responsible for disbursing EU funds. In accordance with Article 118(2) of the Financial Regulation, the Internal Audit Service enjoys full and unlimited access to all information required to perform its duties including, if necessary, also on-the-spot access in Member States and non-EU countries.
3.Overview of audit work
3.1.Implementation of the 2024 audit plan
The Internal Audit Service implemented the 2024 audit plan against the backdrop of mounting pressure on resources in some of the Commission Directorates-Generals and broader challenges related to Russia’s war of aggression against Ukraine and other emerging geopolitical crises. By the cut-off date of 31 January 2025, the Internal Audit Service had completed ( 8 ) a total of 26 engagements (audits, limited reviews and other) in the Commission’s Directorates-General and services ( 9 ). This represents a 93% completion rate of the updated 2024 audit plan. Furthermore, one audit report was finalised in March 2025 and is exceptionally included in the annual internal audit report for 2024 ( 10 ).
In accordance with its charter and with international auditing standards, the Internal Audit Service plans its audit work on the basis of a risk assessment and a capacity analysis. The aim is to draw up an audit plan that covers the highest risk areas, thereby maximising its added value, and that helps to ensure the best use of resources and the efficient and effective implementation of the audit plan. The Internal Audit Service regularly monitors the implementation of the audit plan and adjusts it as necessary.
The Internal Audit Service followed up on 56 previous audit engagements to review the implementation of recommendations and issued 75 ( 11 ) follow-up notes to the respective Directorates-General and services. As a result, 21 engagements were closed ( 12 ). The Internal Audit Service concluded that all recommendations were effectively implemented, while 35 remained open with ongoing implementation by the cut-off date.
The overall number and breakdown by engagement types completed by the cut-off date of 31 January 2025 is shown in the charts below.
Total
27
In 2024, the Internal Audit Service issued 43 reports (final audit reports and insight notes). The number of reports is higher than the number of engagements because, for some engagements involving multiple auditees ( 13 ), the Internal Audit Service delivered several reports for the different auditees within the scope of the audit. In 2024, it conducted seven multi-Directorates-General or multi-entity audits (and issued 21 final reports linked to these audits).
3.2.Statistical data on Internal Audit Service recommendations
Recommendations issued in 2024 ( 14 )
The Internal Audit Service issued 176 recommendations stemming from its 2024 audit work. As illustrated below, 58% of these recommendations were rated important and 42% very important, with no critical recommendations. For all (partially) accepted recommendations, the auditees drafted action plans.
Source: European Commission, Internal Audit Service
In 2024, the auditees accepted 174 recommendations and partially accepted two recommendations. For all (partially accepted) recommendations, the auditees drafted action plans. These were submitted to the Internal Audit Service, which then assessed them as being satisfactory or requested a revised action plan.
RECOMMENDATIONS ISSUED BETWEEN 2020 AND 2024 ( 15 )
The Internal Audit Service produced a comprehensive overview of the follow-up to recommendations that were overdue by more than six months. This overview was addressed to the Audit Progress Committee.
As illustrated below, at the cut-off date of 31 January 2025, out of a total of 831 (partially) accepted recommendations ( 16 ) made by the Internal Audit Service in 2020-2024, 544 (65%) were assessed by the auditees as implemented ( 17 ). This leaves a total of 287 recommendations (35%) that remain open.
Of the 287 recommendations that remained open at the cut-off date, none were rated critical, 99 (34%) were rated very important, and 188 (66%) were rated important.
Of the open recommendations, 71 were overdue (not implemented by the originally agreed date). These overdue recommendations represent 8.5% of the (partially) accepted recommendations. Of the overdue recommendations, six very important recommendations are classified as long overdue (i.e. open more than six months after the original implementation date). This is higher than the three recommendations in the previous year, but still attests to the Internal Audit Service’s strict follow-up policy in assessing the implementation of its recommendations. These very important long overdue recommendations represent 0.7% of the total number of (partially) accepted recommendations in 2020-2024 (compared to 0.4% in the previous reporting period). There are no very important long overdue recommendations issued before 2020.
(Issued in 2020-2024)
Source: European Commission, Internal Audit Service
Overall, the Internal Audit Service considers the implementation of its recommendations to be satisfactory and comparable to previous reporting periods. This state of play shows that Commission services are diligent in implementing the critical and very important recommendations, thus mitigating the risks highlighted by the Internal Audit Service.
Part 3 of the Staff Working Document to this report summarises these very important and long overdue recommendations.
4.Results based on the audit work performed in 2024
4.1.Overall results on performance audits
To support the Commission’s performance-based culture and emphasis on value for money, the Internal Audit Service finalised 23 engagements focused on performance. For approximately 80% of these engagements, the Internal Audit Service identified high residual risks in the areas or processes audited giving rise to very important recommendations. Various strengths and good practices were also noted (for more details see Section 1 of the Staff Working Document).
In line with its methodology and good practices, the Internal Audit Service audits performance in an indirect way. It assesses the performance of the Commission’s departments in implementing policies, programmes, and actions, by reference to the risks associated with them. With this approach, it aims to ensure that Directorates-General and services have developed robust performance frameworks, adequate performance measurement tools, and comprehensive monitoring systems.
The sections below present the conclusions of the Internal Audit Service on the various performance aspects assessed in its 2024 audits ( 18 ).
Most Internal Audit Service audits consisted in providing reassurance to the College, as well as to the Directorates-General and services, on the efficient and effective implementation of internal controls on financial management (see also the overall conclusion on financial management in Section 4.3).
Four audits did not reveal critical or very important weaknesses in the control systems, namely: (1) the audit on anti-fraud strategies in the external action family; (2) the audit on Horizon 2020 grant management phase IV in the European Research Council Executive Agency; (3) the audit on the performance of the management of experts for proposal evaluation in the Education and Culture Executive Agency; and (4) the audit on procurement in the Directorate-General for Interpretation.
The other nine audits revealed a need for improvements and led to the issuance of a number of very important recommendations ( 19 ).
The Directorate-General for Agriculture and Rural Development had made progress in its preparedness to design the assurance building model under the new Common Agricultural Policy strategic plans. However, there remained a number of elements that still needed to be developed to ensure that the control framework put in place is sufficiently robust to provide assurance that the Common Agricultural Policy expenditure under the new delivery model is implemented in line with the Common Agricultural Policy legal framework.
The Directorates-Generals for Regional and Urban Policy, for Employment, Social Affairs and Inclusion and for Maritime Affairs and Fisheries have overall designed adequate assurance building processes for the funds implemented under shared management to mitigate the key risks and address the main new elements introduced by the 2021-2027 programming period legislation. Nevertheless, the Directorates-General’ single audit strategy will need to be updated as certain elements were not sufficiently clear or have not been sufficiently developed at this stage of the programming period. The Directorate-General for Regional and Urban Policy also implements the EU Solidarity Fund under shared and indirect management. The department has put in place control processes for managing the Fund but there is a need for further improvement concerning its design and effective management.
The Directorate-General for Economic and Financial Affairs adequately designed and efficiently and effectively implemented governance processes for the preparation phase of Marco Financial Assistance operations. However, further improvement is needed in the design and efficient and effective implementation of the risk management and control processes as well as in marking and protecting of sensitive non classified information.
In indirect management, the audit on controls over the financial management of the civilian Common Security and Defence Policy missions, implemented by the Service for Foreign Policy Instruments, found that while the Service has designed and implemented a control framework tailored to the specificities of the missions, further improvement is needed regarding its design which affect its effective implementation.
Although the Directorate-General for International Partnerships has put in place a control system encompassing guidance, templates, checklists and training to support the implementation of the grant and procurement award processes under indirect management with partner countries, and the performance of the related ex ante controls by the EU Delegations, their design needs to be further improved to ensure compliance with the rules and their effective and efficient implementation.
Although the Directorate-General for Research and Innovation has made huge investments to design an adequate and innovative Horizon Europe control strategy to ensure the legal and regular implementation, as well as the sound financial management of the programme, further improvement is needed to key components of the control strategy to fully achieve the long term objective of having a level of error below the materiality threshold of 2% for Horizon Europe.
The Climate, Infrastructure and Environment Executive Agency is one of the five executive agencies implementing Horizon Europe. While the Agency has designed and put in place adequate controls for the Horizon Europe grant management processes, there is a need for further improvement related to the management of conflicts of interest and of the evaluation processes which may impair the effectiveness and efficiency of implementation.
Finally, the audit on assurance building for expenditure under direct management in the Directorate-General for Maritime Affairs and Fisheries found that although the department has adequately designed and implemented its assurance building processes as regards expenditure under direct management, there is a need for further improvement in the design and financial implementation of the sustainable fisheries partnership agreements.
The Internal Audit Service performed three audits focusing on specific programmes or instruments. The audit on the Single Market Programme yielded positive results, without any critical or very important weaknesses being identified.
The audit on the implementation and monitoring of the EU emission trading system and the audit on the new nuclear decommissioning and waste management programme in the Joint Research Centre resulted in 10 and four very important recommendations respectively. In the audit on the EU emission trading system, the processes for the management of the EU emission trading system auctions are functioning well, but there is a need for further improvement in the design and effective implementation of the Directorate-General for Climate Action other processes for the implementation and monitoring of the EU emission trading system. For the nuclear decommissioning and waste management programme, there is a need for further improvement in the governance, management and control systems to ensure the sustainable, efficient and effective implementation of the programme across all the nuclear sites of the Joint Research Centre.
Human resource management
The Commission is requested to deliver more without being able to increase the size of its overall workforce, as it is subject to stable staffing. Consequently, a growing number of Commission departments do not receive the staff reinforcements they request, resulting in high pressure on resources which has been reported by the Commission as a cross-cutting critical risk. In this context, the Internal Audit Service performed three audits to assess various aspects of human resource management in the Commission.
The audit on the assessment of human resources needs in the Commission at corporate level concluded that the existing processes for assessing human resource needs in the legislative and budgetary contexts have made progress but requires key improvements. Two key issues have been identified on: (1) the support from the central services for the assessment of human resource needs at local department level; and (2) the quality checks on human resource needs by the central services. Addressing these issues is crucial to ensure the best use of the Commission’s limited resources and serve its key priorities and obligations.
The multi-entity audit on human resource allocation in EU Delegations concluded that the Commission's process for allocating human resources in EU Delegations complied with the rules, but there is a need to improve its design and effective and efficient implementation to achieve the objective of providing a global view of EU Delegation’s workload.
At the level of an individual department, an audit on human resource management in the Directorate-General for Financial Stability, Financial Services and Capital Markets Union concluded that although the department has put in place an adequate internal system to manage its human resources, there is a need for further improvement as regards the design of the department’s human resource strategic framework that may affect its effective and efficient implementation.
The multi-Directorates-General audit on IT security risk management covering both the corporate and local levels, found that although the Commission has designed an adequate IT security risk management framework and processes, in compliance with the Commission’s IT security framework, there is a need to further improve the effective and efficient implementation of processes in the following areas: (1) the IT security risk management methodology and related tools; (2) the risk acceptance criteria; (3) the monitoring and reporting of the risk assessment results; and (4) the completeness and accuracy of IT security information. Areas for improvements were identified both at the level of the Commission and at the decentralised level.
A limited review of SUMMA ( 20 ), in preparation of ‘going-live’ focused on the controls put in place by the Directorate-General for Budget to mitigate the main risks regarding the transition of the Commission’s central accounting, budget and treasury system. Very important areas for further improvement remained at the time of the limited review. Furthermore, additional areas for improvement, potentially having an impact on the subsequent efficient and effective use of the system in practice, were identified.
The audit on the IT financing framework concluded that the Directorate-General for Digital Services has made efforts to design and implement an adequate control framework for the management of the baseline IT services and of the charge-back processes. However, despite the fact that the current IT financing framework has brought some positive elements, there is a need for further improvement in its design regarding the concept of baseline IT services and the adequacy of the current IT financing framework to deliver sustainable corporate IT services going forward.
The Internal Audit Service audit on the protection of personal data in the Pay Masters Office concluded that the control system put in place by the Office for the key business processes handling personal data is not adequately designed and effectively implemented to ensure compliance with the relevant legal base. While the Internal Audit Service takes note of important steps taken by the Office in 2024 (after the end of the audit fieldwork) to address key shortcomings, significant progress still needs to be made in (1) accountability, roles and responsibilities; (2) arrangements in case of joint processing, international transfers of personal data and service level agreements, (3) compliance with data protection principles and (4) IT controls to ensure the integrity, confidentiality and availability of personal data.
4.2.Internal Audit Service limited conclusions
The Internal Audit Service issued limited conclusions on the state of internal control to all Commission’s Directorates-General and services in February 2025 ( 21 ). These limited conclusions fed into the 2024 annual activity reports of the Directorates-General and services concerned. Drawing on the audit work carried out in the last five years, they cover all open recommendations issued. The Internal Audit Service’s conclusion on the state of internal control is limited to the management and control systems that were audited. It does not cover systems not audited by the Internal Audit Service in the past five years.
4.3.Overall conclusion on the Commission’s financial management
As required by its mission charter, the Internal Audit Service issues an annual overall conclusion on the Commission’s financial management. This is based on the audit work in the area of financial management in the Commission carried out by the Internal Audit Service in the past three years (2022 to 2024). It also takes into account information from other sources, namely the reports of the European Court of Auditors. The overall conclusion is issued at the same time as this report and covers the same year.
Based on this audit information, the internal auditor considered that, in 2024, the Commission had put in place governance, risk management and internal control procedures which, taken as a whole, are adequate to give reasonable assurance over the achievement of its financial objectives, with the exception of those areas of financial management over which authorising officers by delegation have expressed reservations in their declaration of assurance.
Without further qualifying the overall conclusion for 2024, the Internal Audit Service drew the attention of the Commission to the need to respond to the high cross-cutting risks for the institution and the EU budget by building on the lessons learned from managing its financial resources in a challenging context.
This is linked in particular to the complexity of (innovative) funding mechanisms and related challenges for their implementation. The Commission, being ultimately responsible for ensuring the legality and regularity of expenditure and sound financial management, will therefore need to continue taking actions to mitigate the new high risks identified.
As the Commission is embarking on an ambitious reshape of the EU budget, aimed at making it simpler, more focused and more impactful, the traditional governance, control and assurance framework needs to be adapted to remain relevant for innovative, complex funding and new delivery models, including performance-based approaches.
To remain effective, the assurance and control framework in the next multi-annual financial framework must be proportional to the associated risks. The level and intensity of controls should be adjusted to the delivery model of the future instrument(s), to avoid duplication of controls and audits, and to reduce the administrative burden.
The assurance and control strategy should be embedded from the onset, developed in parallel with policy design and implementation planning, thus ensuring both the effective and efficient delivery of programmes, as well as supporting broader financial management and governance objectives.
It is essential to retain the appropriate level of controls throughout the programme lifecycle, especially if late implementation of funds creates pressure. To ensure the continuous and reliable implementation of the new control and assurance strategies, the necessary human resources should be defined and allocated from the onset until the closure, in both capacity and skills.
5.Consultation with the Commission’s financial irregularities panel
No systemic problems were reported in 2024 by the panel set up under Article 145 of the Financial Regulation, where it gives the opinion referred to in Article 93 of the Financial Regulation.
(1)
The report does not cover the European Peace Facility, decentralised European agencies, the European External Action Service or other autonomous bodies audited by the Internal Audit Service, which receive separate reports.
(2)
Regulation (EU, Euratom) 2024/2509 of the European Parliament and of the Council of 23 September 2024 replacing Regulation (EU, Euratom) 2018/1046 (Article 247)
(3)
The audit reports finalised from 1 February 2024 to 31 January 2025 are included in this report, except for the audit on Human Resources management in the Directorate-General for Financial Stability, Financial Services, and Capital Markets Union for which the final audit report was issued on 10 March 2025 and is exceptionally included in the Annual Internal Audit report for 2024.
(4) () A summary of the assurance provided by the Internal Audit Service is published in parallel to this report in the Annual Management and Performance Report on the EU budget.
(5)
Communication to the Commission, Mission Charter of the Internal Audit Service of the European Commission, C (2022)8450 final of 28 November 2022.
(6)
The Global Internal Audit Standards (GIASs) became effective on 9 January 2025. The GIASs replace the 2017 International Professional Practices Framework of the Institute of Internal Auditors which was applicable in 2024.
(7)
For details, see Communication to the Commission, Charter of the Audit Progress Committee of the European Commission, C (2020) 1165 final of 27 February 2020.
(8)
The multi-entity audit on anti-fraud strategies in the external action family is considered finalised even though for one of the four Commission Services included in the audit scope (the Directorate-General for International Partnerships), the final audit report was not issued by the cut-off date of 31 January 2025. This report is expected to be included in the Annual Internal Audit report for 2025.
(9) () The Internal Audit Service’s Commission audit universe covers 50 organisational entities (departments) in total. For some of these entities, more than one final audit or review report was issued in 2024. See the Staff Working Document to this report for a detailed overview of entities for which final audit and review reports were issued.
(10) () Audit on Human Resources management in the Directorate-General for Financial Stability, Financial Services, and Capital Markets Union for which the draft report was issued on 19 December 2024 and the final audit report was issued on 10 March 2025.
(11) () Some audit engagements were followed up on more than once and some follow-up notes covered more than one audit engagement.
(12) () The list of audits that were closed after a follow-up is included in Section 2.2 of the Staff Working Document.
(13) () This refers to audits that span multiple Commission Directorates-General and/or services (multi-Directorates-General audits) or audits conducted in Commission departments and in the decentralised agencies or other autonomous bodies (multi-entity audits).
(14) () Including four recommendations (one very important and three important) from the audit on Human Resources management in the Directorate-General for Financial Stability, Financial Services, and Capital Markets Union, which was finalised on 10 March 2025. This audit and its recommendations were however not included in the 2024 final Overview Report addressed to the Audit Progress Committee.
(15) () Excluding four recommendations issued after the cut-off date of 31 January 2025, as explained in the previous footnote.
(16) () Out of 831 recommendations issued in 2020-2024, 823 recommendations were fully accepted, four were partially accepted and four were rejected.
(17) () The chart shows the rating of the recommendations at the cut-off date. This may differ from the rating in the original audit report because, in a follow-up audit, the Internal Audit Service may assess that the actions taken by the auditee partly mitigated the risks initially identified and so may downgrade the rating of the recommendation.
(18) () In total, the Internal Audit Service carried out 23 audit engagements with a performance focus (20 performance and comprehensive audits) or engagements involving some performance aspects (2 IT audits and 1 IT limited review). For more details see the Staff Working Document.
(19) () 19 out of a total of 74 very important recommendations issued in 2024 (26%).
(20) () Tool for accrual based and budgetary accounting.
(21) () No audits were carried out in the advisory service Inspire, Debate, Engage and Accelerate Action in the 2020-2024 period, as no high risks were identified, and therefore no limited conclusion was provided.