Artikelen bij COM(2021)292 - Jaarverslag aan de kwijtingsautoriteit over de in 2020 uitgevoerde interne controles - Hoofdinhoud
Dit is een beperkte versie
U kijkt naar een beperkte versie van dit dossier in de EU Monitor.
| dossier | COM(2021)292 - Jaarverslag aan de kwijtingsautoriteit over de in 2020 uitgevoerde interne controles. |
|---|---|
| document | COM(2021)292  |
| datum | 8 juni 2021 |
Brussels, 8.6.2021
COM(2021) 292 final
REPORT FROM THE COMMISSION
TO THE EUROPEAN PARLIAMENT, THE COUNCIL AND THE COURT OF AUDITORS
Annual report to the Discharge Authority on internal audits carried out in 2020
{SWD(2021) 132 final}
Table of Contents
1. Objectives and scope of the report
2. The Internal Audit Service mission: accountability, independence and objectivity
3. Overview of audit work
3.1.Implementation of the 2020 audit plan
3.2.Statistical data on Internal Audit Service recommendations
4. Conclusions based on the audit work performed in 2020
4.1.Conclusion on performance audits
4.1.1.Data and information management
4.1.2.Data protection
4.1.3.Supervision strategies for the implementation of programmes by third parties
4.1.4.Control strategies for selected Directorates-General and services
4.1.5.Human resource management processes
4.1.6.Reviews assessing the implementation of the new internal control framework in the Commission
4.1.7.Other processes
4.2.Internal Audit Service limited conclusions
4.3.Overall opinion on the Commission’s financial management
5. Consultation with the Commission’s financial irregularities panel
6. Mitigating measures for potential conflicts of interest (international internal auditing standards) — Investigation of the European Ombudsman
1.Objectives and scope of the report
This report informs the European Parliament and Council, as part of the discharge procedure, about internal audits carried out in 2020 by the Internal Audit Service of the European Commission in the Commission Directorates-General, services and executive agencies 1 . It contains: (i) a summary of the number and type of internal audits carried out; (ii) a synthesis of the recommendations made; and (iii) the action taken on those recommendations. In accordance with Articles 118(8) and 247 of the Financial Regulation 2 , the Commission forwards the report to the European Parliament and to the Council. It is based on the report drawn up in accordance with Article 118(4) of the Financial Regulation by the Commission’s Internal Auditor on Internal Audit Service audits and consulting reports completed in 2020 3 .
2.The Internal Audit Service mission: accountability, independence and objectivity
The mission of the Internal Audit Service is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight. The Internal Audit Service helps the Commission accomplish its objectives by bringing a systematic, disciplined approach in order to evaluate and improve the effectiveness of risk management, control and governance processes. Its tasks include assessing and making appropriate recommendations to improve the risk management, control and governance processes to achieve the following three objectives: (i) promoting appropriate ethics and values within the organisation; (ii) ensuring effective organisational performance management and accountability; and (iii) effectively communicating risk and control information to appropriate areas of the organisation. In doing this, the Internal Audit Service aims to promote a culture of efficient and effective management within the Commission and its departments.
The independence of the work of the Internal Audit Service is enshrined in the Financial Regulation and its mission charter 4 as adopted by the Commission. This charter stipulates that, to ensure objectivity in their judgement and avoid conflict of interest, Internal Audit Service auditors must preserve their independence in relation to the activities and operations they review. If their objectivity is impaired in fact or in appearance, the details of the impairment should be disclosed. If the Internal Auditor considers it necessary, he/she may address himself/herself directly to the President of the Commission and/or the College.
The Internal Audit Service performs its work in accordance with the Financial Regulation, the International Standards for the Professional Practice of Internal Auditing, and the Code of Ethics of the Institute of Internal Auditors.
The Internal Audit Service reports — and is accountable functionally — to the Audit Progress Committee. The Internal Audit Service: (i) reports to the Audit Progress Committee significant issues arising from its audits and potential improvements to the audited processes; (ii) provides an annual overall opinion on the state of financial management in the Commission; and (iii) reports (at least annually) on its mission and performance, as set out in its annual audit plan. This reporting includes significant risk exposures, control issues, corporate governance issues and other matters.
The Audit Progress Committee assists the College of Commissioners in fulfilling its obligations under the Treaties, the Financial Regulation and other statutory instruments. It does this by: (i) ensuring the independence of the Internal Audit Service; (ii) monitoring the quality of internal audit work; (iii) ensuring that internal and external audit recommendations are properly taken into account by the Commission services; and (iv) ensuring that these recommendations receive appropriate follow-up. In this way, the Audit Progress Committee helps improve the Commission’s effectiveness and efficiency in achieving its goals. The Audit Progress Committee also facilitates the College’s oversight of the Commission’s governance, risk management, and internal control practices 5 .
The Internal Audit Service does not audit Member States’ systems of control over the EU funds. Such audits reach down to the level of individual beneficiaries, and are carried out by Member States’ internal auditors, national audit authorities, other Commission Directorates-General and the European Court of Auditors. However, the Internal Audit Service does audit measures taken by the Commission to supervise and audit: (i) bodies in Member States; and (ii) other bodies which are responsible for disbursing EU funds, such as the United Nations. As provided for in the Financial Regulation, the Internal Audit Service can carry out these duties on the spot, including in the Member States.
3.Overview of audit work
3.1.Implementation of the 2020 audit plan
The Internal Audit Service implemented the 2020 audit plan in the context of the COVID-19 pandemic, with business continuity arrangements in place as of mid-March 2020, in line with the Commission arrangements at corporate level. Despite the challenges brought by the exceptional 2020 circumstances, the Internal Audit Service completed 137 ‘engagements’ (audits, consulting, follow-ups and reviews), as well as one risk assessment 6 , and issued 140 reports (including follow-up notes and one management letter). This was achieved by using the digitalisation opportunities available in the Commission, with tools supporting efficient and effective remote auditing processes.
A breakdown of the types of engagements and reports completed is contained in the charts below. By the cut-off date of 31 January 2021, 95% of the updated 2020 audit plan had been implemented (i.e. 100% of the assurance type engagements planned to be completed in 2020, while the finalisation of 2 consulting engagements was reprioritised and postponed to 2021). This audit plan included audits in the Commission and executive agencies 7 .
The initial 2020 plan contained 43 audit engagements (audits, reviews and consulting engagements, but excluding follow-ups) planned to be completed by the cut-off date of 31 January 2021. The plan contained 37 additional engagements planned to start before 31 January 2021 and to be completed after that date. The 2020 plan was updated mid-year. The Audit Progress Committee took both the initial and updated plans into consideration. In 2020, the Internal Audit Service also carried out in-depth risk assessments in the various Directorates-General and services. Based on the results of these assessments, the 2021-2023 strategic audit plan as regards the Commission was adopted by the internal auditor.
The Internal Audit Service plans its work on the basis of a risk assessment and a capacity analysis. This is required by its charter and international standards and helps to ensure efficient and effective implementation of the audit plan. Its implementation is regularly monitored and adjusted as necessary.
Source: European Commission, Internal Audit Service
3.2.Statistical data on Internal Audit Service recommendations 8
The figure below shows the number of recommendations the Internal Audit Service issued in 2020.
Source: European Commission, Internal Audit Service
In 2020, the auditees accepted all of the Internal Audit Service’s 185 recommendations. In all cases, the auditees drafted action plans, which they then submitted to the Internal Audit Service, who in turn assessed the plans as being satisfactory.
Over the period 2016-2020, 725 (72%) out of a total of 1 010 (partially) accepted recommendations 9 made by the Internal Audit Service were assessed by the auditees as implemented on the cut-off date of 31 January 2021 10 . This leaves a total of 285 recommendations (28%) that are still open.
Source: European Commission, Internal Audit Service
Of these 285 open recommendations, 5 are rated ‘critical’, 83 ‘very important’, and 76 are overdue (i.e. not implemented by the originally agreed implementation date). These overdue recommendations represent 7.5% of the total of 1 010 (partially) accepted recommendations. Of these 76 overdue recommendations, 6 very important ones are classified as long overdue (a recommendation is long overdue when it is still open more than 6 months after the original implementation date). These very important long overdue recommendations represent 0.6% of the total number of critical and very important accepted recommendations in the period 2016-2020 (compared to 0.3% in the previous reporting period).
Source: European Commission, Internal Audit Service
Overall, the Internal Audit Service considers the implementation of its recommendations to be satisfactory and comparable to previous reporting periods. This state of play indicates that the Commission services are diligent in implementing the critical and very important recommendations, thereby mitigating the risks identified by the Internal Audit Service. Nevertheless, attention should be paid to the individual recommendations rated very important which are long overdue.
Part 3 of the annex to this report summarises these very important and long overdue recommendations. A report specifically on the implementation of internal audit recommendations has been drawn up and sent to the Audit Progress Committee.
4.Conclusions based on the audit work performed in 2020
4.1.Conclusion on performance audits
To contribute to the Commission’s performance-based culture and its greater focus on value for money, the Internal Audit Service carried out two types of audits in 2020: performance audits and comprehensive audits 11 covering important aspects of performance. They were included in the Internal Audit Service’s 2019-2021 strategic audit plan.
In line with its methodology and best practices, the Internal Audit Service approached performance in an indirect way. It does so by examining whether and how management has set up control systems to assess and provide assurance on the performance (efficiency and effectiveness) of its activities. With this approach, it aims to ensure that Directorates-General and services have developed appropriate performance frameworks, performance measurement tools, key indicators and monitoring systems.
The following sections set out the Internal Audit Service’s conclusions on the various aspects of performance it focused on in the audits it carried out in 2020.
4.1.1.Data and information management
Data are a strategic asset for a public sector organisation. EU policies and the implementation of EU programmes are increasingly data-driven. Policymakers use quantified evidence to make informed decisions. Data are also used to demonstrate the EU budget’s performance and the progress made towards achieving the objectives of its spending programmes. Across the Commission services, data should be widely available and shared where appropriate, to improve cost-effectiveness. At the same time, the Commission must ensure full compliance with legal and other confidentiality requirements and guarantee a high level of security for sensitive information. The need to preserve high privacy, security, safety and ethical standards without impinging on the flow and wide use of data is an integral part of the political guidelines and underlined in the working methods of the von der Leyen Commission.
In this challenging context, the Internal Audit Service carried out a series of audits covering different aspects of data management. The results of these audits clearly indicate that significant improvements are necessary in this area going forward, with a number 12 of very important recommendations issued in 2020 being related to data management.
The data, information and knowledge management audit assessed the effectiveness of the Commission’s data, information and knowledge management strategy. It concluded that the Commission should set up a dedicated strategy and structure with the aim of: (1) improving the way data, information and knowledge are gathered, managed, shared and preserved; and (2) developing new opportunities for collaborative working. The Internal Audit Service acknowledged that within the boundaries of the current strategy and governance set-up, important steps had been taken to set priorities, coordinate and manage the activities in the data, information and knowledge management area. However, there is a need for proportionate improvements in key areas that would enable the Commission to have a data, information and knowledge management strategy fully aligned with its political objectives and priorities, to enhance the oversight role of the governing body (the Information Management Steering Board) and to ensure effective data, information and knowledge management. The proposed improvements aim at complementing the existing framework, to better reply to the challenges and changes that the implementation of a fully data-driven Commission brings along.
A related issue of alignment with Commission-wide priorities and objectives was identified in the audit on the Joint Research Centre’s work in support of EU policy and knowledge management. The Joint Research Centre is the European Commission’s science and knowledge service. Considering that one of its main objectives is to support EU policies with the highest quality of independent scientific evidence throughout the whole policy cycle in a variety of areas, adequate data, information and knowledge management is critical success factor for the Centre. Although policy support and knowledge management processes are efficiently implemented to enable the Centre to mobilise the available expertise to provide timely high quality deliverables, which satisfy the client’s policy support needs, there is a significant (very important) weakness in the design of the processes affecting their effective implementation. The Commission-wide identification of policy support needs at corporate and Directorate-General level should be significantly strengthened to enable more effective prioritisation of the Centre’s activities, in line with the Commission’s priorities.
Another key aspect of data management is the safeguarding of information and the preservation of the confidentiality of the data managed. This is all the more important for classified information, as the unauthorised disclosure of such information may significantly harm the interests of the EU or one or more of its Member States. In the audit on Horizon 2020 grant management in the Research Executive Agency, the auditors found that although the ex ante controls on Horizon 2020 payments and the processes for the closure of Horizon 2020 projects were effective, weaknesses existed in the management of projects involving EU-restricted information, ultimately resulting in security breaches.
The Commission’s digital strategy is complementary to its data, information and knowledge management strategy. The digital strategy sets out a vision for a digitally transformed, user-centred and data-driven administration. One of the enablers of this transformation is cloud computing. Public cloud computing aims to bring benefits such as business agility, ease of use, data availability, cost savings and sustainability. However, adequate data protection should also be a key consideration when adopting information technology solutions in the cloud. In the audit on the management of public cloud services, the Internal Audit Service recognised the efforts made in recent years to develop a vision of cloud-based information technology infrastructure solutions. While acknowledging the steps already taken by the Commission to put in place appropriate arrangements for the use of public ‘infrastructure as a service’ and ‘platform as a service’ cloud services, the Internal Audit Service concluded that the governance and security of these cloud security services needed to be significantly enhanced to ensure that they achieve their objectives while reducing risk exposure.
4.1.2.Data protection
Two audits assessed the efficiency and effectiveness of the internal control systems that enable the Commission Directorates-General concerned to demonstrate compliance with Regulation (EU) 2018/1725 on the protection of personal data. Both audits revealed significant weaknesses in the internal control systems in place. This exposes the Commission to reputational risks, which may affect the achievement of its general objective to become a ‘modern, high-performing and sustainable European Commission’, in particular because of its key role in the adoption of data protection regulations in Europe.
1.The first audit covered five Directorates-General and services at corporate and local level and gave rise to eight very important recommendations in total. The Internal Audit Service concluded that, although the Commission has made good progress in putting in place control systems enabling the Directorates-General and services to demonstrate compliance with the applicable legal base, there remains a number of significant improvements needed to reinforce the effectiveness and efficiency of these systems in the move towards achieving full compliance. These concern: (1) the general framework governing data protection aspects; (2) the role and actions of the data protection officer to support the data protection process across the Commission; and (3) the use of targeted measures to improve compliance with key provisions of Regulation (EU) 2018/1725. These improvements should be seen as complementary measures aimed at enhancing the existing governance structures and processes relating to data protection issues, while respecting the principles of the Commission’s current decentralised model, which remain valid.
2.The second audit was conducted in the Directorate-General for Education, Youth, Sport and Culture that is responsible for programmes such as Erasmus+ and the European Solidarity Corps, and gave rise to one critical and four very important recommendations. In the context of their participation in these programmes, a high number of persons provide some personal data to the Directorate-General. As delegated data controller, the Directorate-General processes these personal data and transmits them to National Agencies in EU Member States and third countries, which are in charge of implementing the projects at national level. Together with the National Agencies, which act as data processors, the Directorate-General for Education, Youth, Sport and Culture has to ensure that the data received from the participants to the programmes are adequately protected by all actors having access to these data. The Internal Audit Service found that: (1) the Directorate-General introduced certain elements related to personal data protection in the guiding documents and agreements that govern the programmes; and (2) personal data protection is explicitly mentioned in the National Agencies’ management declarations. These elements are building blocks of the control system for handling personal data, however they are not always adequately implemented and more specifically they do not constitute the safeguards, as required by Regulation (EU) 2018/1725, for international data transfers outside the EU/European Economic Area countries. The internal control system in place for the protection of the personal data of beneficiaries and participants in the Erasmus+ and European Solidarity Corps programmes was not found to be effective in ensuring compliance with the Regulation’s key provisions.
A crosscutting issue that emerged from these two audits concerns the transfer of personal data to third countries. The invalidation of the EU-US Privacy Shield (the ‘Schrems II judgement’) poses concrete challenges for the services transferring personal data to third countries or using the cloud. In response to an order of the European Data Protection Supervisor, the Commission took stock of more than 600 processing records that might concern problematic international transfers of personal data. The critical recommendation addressed by the Internal Audit Service to the Directorate-General for Education, Youth, Sport and Culture was related to the transfer of personal data to third countries. Following the action taken by the Directorate-General, the Internal Audit Service performed, after the cut-off date of this annual report, an assessment of some of the measures implemented by the auditee. The Internal Audit Service concluded that the Directorate-General for Education, Youth, Sport and Culture partially mitigated the risks and, as a result, downgraded the risk level for two recommendations (from ‘critical’ to ‘very important’ and from ‘very important’ to ‘important’).
Finally, in another audit related to the management of experts in Horizon 2020 grants, one issue was found on the processing of the experts’ personal data, giving rise to a very important recommendation.
4.1.3.Supervision strategies for the implementation of programmes by third parties
Authorising officers have to set up adequate and effective strategies and activities for supervising and monitoring the delegated entities' effective implementation of the programmes and protection of the EU budget, and for promptly addressing any identified potential difficulties. In previous years, the Internal Audit Service performed several audits of the supervision arrangements in place in Directorates-General and services for the implementation of programmes (and/or policies) by third parties. It frequently identified weaknesses in the effectiveness of the supervision strategies. In its overall opinion on financial management, the Internal Audit Service formulated an emphasis of matter for 6 years in a row (2015 to 2020) on the supervision strategies for third parties implementing policies. In 2020, three audits focused on EU contributions implemented via indirect management.
The multi-entity audit on pillar assessments revealed significant weaknesses in the internal control system for delegating funds under indirect management, at corporate and local level in a number of Directorates-General of the external action family. Even though the Commission has undertaken serious efforts to put in place an effective system for pillar assessments and is continuing to invest in further developing a corporate approach to increase a coherent implementation and reduce the high inherent risks, the system needs significant strengthening. This is necessary to ensure a level of protection of the EU budget that is equivalent to when the budget is implemented directly. The significant weaknesses identified concern (1) agreements signed with the United Nations Secretariat and related entities without prior positive pillar assessment and without taking appropriate supervisory measures (this observation led to critical recommendations being formulated by the Internal Audit Service to the auditees); (2) incorrect information on the status of pillar assessments which led the Directorates-General and services to sign agreements with entities without prior positive pillar assessment and without taking appropriate supervisory measures; (3) inadequate corporate oversight; (4) inadequate monitoring of substantive system changes of pillar-assessed entities; and (5) insufficient involvement by the Directorates-General and services in the pillar assessments performed by third parties. Based on these observations, the Internal Audit Service issued overall 4 critical and 15 very important recommendations in total to the five Directorates-General concerned. Details of them are in the annex to this report.
At the same time, the other two audits of (1) indirect management with entrusted entities in the Directorate-General for International Partnerships and the Directorate-General for Neighbourhood and Enlargement Negotiations and (2) the supervision of the implementation of the 2014-2020 programme for the European geostationary navigation overlay service in the Directorate-General for Defence Industry and Space painted a generally positive picture of the audited processes. These audits did not identify any critical or very important issues.
4.1.4.Control strategies for selected Directorates-General and services
Directorates-General and services must ensure the legality, regularity and sound financial management of programmes and projects financed using the EU budget. Authorising officers by delegation design a control strategy. This strategy encompasses ex ante and ex post controls that are the key building blocks supporting the annual declaration of assurance. In 2020, the Internal Audit Service performed various audits in this area. They included:
(1) an audit on the design and implementation of the control strategy in the Consumers, Health; Agriculture and Food Executive Agency; (2) an audit on the effectiveness of the design and implementation of the ex post control strategy for the Connecting Europe Facility in the Innovation and Networks Executive Agency; (3) an audit on the Horizon 2020 ex post audit strategy in the Directorate-General for Research and Innovation; and (4) an audit on ex post controls in the Education, Audiovisual and Culture Executive Agency. The 2020 audits paint a generally positive picture, even though two of the four audits revealed the following weaknesses.
The Common Implementation Centre is administratively part of the Directorate-General for Research and Innovation and provides audit services for the various Horizon 2020 implementing bodies by way of financial (ex post) audits, carried out either by its own auditors or by external audit firms, to verify the eligibility of costs declared by beneficiaries. The Internal Audit Service identified a weakness in the design of the ex post audit strategy for Horizon 2020 and issued two very important recommendations.
Although in the Innovation and Networks Executive Agency, the ex post control strategy was found to be overall adequately designed and effectively implemented, one weakness concerned the assessment of amendments of procurement contracts during ex post audits and the documentation of work performed by the on-the spot auditors.
4.1.5.Human resource management processes
In recent years, the Internal Audit Service has carried out various audits of human resource management processes in several Commission Directorates-General and services. Issues identified in previous years were also identified this year in a human resources audit of Eurostat. The Internal Audit Service identified weaknesses in human resources strategic management, human resources planning and human resources monitoring and reporting. It recommended Eurostat take targeted action in these areas.
4.1.6.Reviews assessing the implementation of the new internal control framework in the Commission
In 2019, the Internal Audit Service launched a series of limited reviews in six Directorates-General and services to assess the implementation of the Commission’s new internal control framework. In 2020, this initiative was continued with three additional limited reviews on the same topic, focusing on the assessment process, not the internal control system itself. The generally satisfactory results observed in 2019 were confirmed in 2020, with only one very important recommendation issued. These confirm that the Commission’s assessment processes of the internal control systems are not a high risk area.
4.1.7.Other processes
Several audits assessed performance aspects of other processes implemented by various Directorates-Generals and services. Most of them did not identify any significant performance issues. Only in a few cases did they identify a significant issue.
External experts are key players in the Horizon 2020 grant management process during the evaluation of proposals and project implementation. The Internal Audit Service found that although the Directorates-General and Executive Agencies have in general set up and implemented adequate and effective internal control systems for the expert management process, weaknesses remain in the effectiveness of monitoring expert participation patterns and adherence to rotation rules.
One weakness was identified in the design and effectiveness of the Joint Research Centre’s information technology project management practices.
A weaknesses was also identified in the performance management framework of the Service for Foreign Policy Instruments.
The Directorate-General for Trade’s control system for planning and monitoring the evaluation process was not found to be fully adequate or effective (including the use of resources).
4.2.Internal Audit Service limited conclusions
The Internal Audit Service issued limited conclusions on the state of internal control to every 13 Directorate-General and service in February 2021. These limited conclusions contributed to the 2020 annual activity reports of the Directorates-General and services concerned. Drawing on the audit work carried out in the last 3 years, they cover all open recommendations issued by the Internal Audit Service and former Internal Audit Capabilities (insofar as the Internal Audit Service has taken over these recommendations). The Internal Audit Service’s conclusion on the state of internal control is limited to the management and control systems that were audited. It does not cover systems not audited by the Internal Audit Service in the past 3 years.
4.3.Overall opinion on the Commission’s financial management
As required by its mission charter, the Internal Audit Service issues an annual overall opinion on the Commission’s financial management. This is based on the audit work in the area of financial management in the Commission carried out by the Internal Audit Service during the past 3 years (2018 to 2020). It also takes into account information from other sources, namely the reports of the European Court of Auditors. The overall opinion is issued at the same time as this report and covers the same year.
As in the previous editions, the 2020 overall opinion is qualified with regard to the reservations made in the declarations of assurance by authorising officers by delegation. In arriving at its overall opinion, the Internal Audit Service considered the combined impact of: (1) the amounts estimated to be at risk as disclosed in the annual activity reports; (2) the corrective capacity, as evidenced by financial corrections and recoveries of the past; and (3) estimates of future corrections and amounts at risk at closure. Given the magnitude of financial corrections and recoveries of the past and assuming that corrections in future years will be made at a comparable level, the EU budget is adequately protected as a whole (not necessarily individual policy areas) and over time (sometimes several years later).
Without further qualifying the overall opinion, the Internal Audit Service emphasised the following matters:
1.Implementation of the EU budget in the context of the current crisis related to the COVID-19 pandemic: need for a continuous monitoring and assessment of (new/emerging) risks and for the definition and implementation of corresponding mitigating measures
The health, social, economic and financial situation created by the COVID-19 pandemic entails potentially high, cross-cutting risks for the institution as regards the implementation of the EU budget and the delivery of its policy priorities.
This includes the operations conducted prior to the crisis (as part of the 2014-2020 multiannual financial framework), for which adequate controls (ex-post in particular) still need to be performed, and forthcoming operations under the 2021-2027 multiannual financial framework and the recovery package under Next Generation EU, on assurance, compliance and performance aspects.
As the crisis has continued since early 2020, this context poses challenges, in particular as regards:
·the implementation of the budget in compliance with the applicable legal framework, due to changing rules and evolving regulations, urgent procedures, use of exceptional measures, difficult conditions and/or limited availability of financial and human resources;
·the extent to which the necessary controls and verifications, whether at the level of the Commission, Member States, third countries, implementing partners and/or beneficiaries, can be performed as intended due to logistical constraints such as full and timely access to information and documentation, problems in undertaking missions/on-the-spot checks and ability of implementing partners and beneficiaries to continue their normal activities;
·the potential impact on the Commission’s current and future corrective capacity, due to the very challenging economic situation faced at EU and national levels, including the possible bankruptcies of final beneficiaries, which could make it difficult to recover undue amounts.
The assurances provided on the financial management of the EU budget are multi-annual in nature and depend on the robustness of the corresponding control strategies at different levels. These are based on risk assessments of the specific programmes and related budget operations, ex ante and ex post controls on expenditure, supervision strategies regarding third parties implementing policies and programmes, together with the implementation of the corrective capacity to protect the EU budget. The IAS acknowledges that even before the summer of 2020 the Commission services (started to) assess(ed) the risks deriving from the COVID-19 pandemic and related to the implementation of the EU budget, both in terms of compliance and performance, and adopted mitigating measures.
To ensure the budget is duly protected over time in the face of these unprecedented challenges, the Internal Audit Service stresses that the Commission’s Directorates-General and services should continue to (i) duly assess the risks caused by the COVID-19 pandemic related to financial management in terms of assurance, compliance with the legal framework, and the corrective capacity of the multi-annual systems, as well as performance; and (ii) define and implement adequate mitigating measures, such as adjusting or redefining their control strategies. Furthermore, the Commission’s Directorates-General should design and implement appropriate financial management, audit and control strategies for operations to support the recovery under NextGenerationEU, in particular as concerns the Recovery and Resilience Facility.
2.Supervision strategies regarding third parties implementing policies and programmes.
Although the Commission remains fully responsible for ensuring the legality and regularity of expenditure and sound financial management (and also for the achievement of policy objectives), it has increasingly relied on third parties to implement its programmes. This is mostly done by delegating the implementation of the EU’s operational budget or certain tasks to countries outside the EU, international organisations or international financial institutions, national authorities and national agencies in Member States, joint undertakings, non-EU bodies and EU decentralised agencies. Moreover, in certain policy areas, alternative funding mechanisms such as financial instruments are increasingly used and entail specific challenges and risks for the Commission, as also highlighted by the European Court of Auditors.
To fulfil their overall responsibilities, the Directorates-General have to oversee the implementation of the programmes and policies and provide guidance and assistance where needed. Therefore, they have to define and implement adequate, effective and efficient supervision/monitoring/reporting activities to ensure that the delegated entities and other partners effectively implement the programmes, adequately protect the financial interests of the EU, comply with the delegation agreements, when applicable, and that any potential issues which are identified are addressed as soon as possible.
The Internal Audit Service continued to recommend in a number of audits in 2020 that the control strategies and supervisory arrangements of the relevant Directorates-General should set out more clearly the priorities and the need to obtain assurance on sound financial management in those EU and non-EU bodies. Although actions have been taken in recent years both at the level of the central services and at that of the relevant Directorates-General to mitigate the risks identified as a result of audit work, further improvements are still needed in some areas and in particular as regards pillar assessment in indirect management.
In this context, the Commission Directorates-General should continue their efforts to identify and assess the risks involved in delegating tasks to third parties and pursue effective and efficient supervisory activities by further developing the relevant control strategies. Particular attention should be given to the fulfilment of the pre-conditions to entrust third parties with the management of EU funds. This is relevant not only in relation with the activities delegated under the 2014-2020 multiannual financial framework, but more so in view of the increase in the use of equity, guarantee and risk-sharing instruments in the 2021-2027 multiannual financial framework.
The Internal Audit Service will monitor the developments regarding the impact of the COVID-19 crisis and the reliance on third parties for the implementation of programmes, on the 2014-2020 and the 2021-2027 multi-annual financial frameworks, the political priorities and the Commission’s financial management. This will be done as part of the Internal Audit Service’s updates of the periodic (strategic) risk assessments and resulting audit plans.
5.Consultation with the Commission’s financial irregularities panel 14
No systemic problems were reported in 2020 by the panel set up pursuant to Article 143 of the Financial Regulation, where it gives the opinion referred to in Article 93 of the Financial Regulation.
6.Mitigating measures for potential conflicts of interest (international internal auditing standards) — Investigation of the European Ombudsman
The current Director-General of the Internal Audit Service, Internal Auditor of the Commission, Mr Manfred Kraff, took office on 1 March 2017. Mr Kraff was previously Deputy Director-General and Accounting Officer of the Commission in the Directorate-General for Budget.
In line with international audit standards 15 , on 7 March 2017, following his appointment as Director-General and Internal Auditor, Mr Kraff issued instructions on the arrangements to be put in place to mitigate and/or avoid any potential or perceived conflict of interest in Internal Audit Service audit work in relation to his former responsibilities. These arrangements were prolonged in 2018 (until 1 March 2019), in 2019 (until 1 March 2020), in 2020 (until 1 March 2021) and in 2021 (until 1 March 2022), through instruction notes to all Internal Audit Service staff issued by Mr Kraff on 1 March 2018, 1 March 2019, 2 March 2020 and 23 February 2021. According to the arrangements, Mr Kraff would not be involved in the supervision of audit work relating to operations for which he was responsible before joining the Internal Audit Service. The supervision of the audit work in such cases ultimately fell/will fall under the responsibility of Mr Jeff Mason, former Internal Audit Service Acting Director-General (from September 2016 to February 2017) and current Director in the Internal Audit Service (Directorate B, Audit in Commission, Executive Agencies, EU Agencies and other autonomous bodies II). The arrangements also stated that the Audit Progress Committee would be informed of these instructions and of their implementation and that Mr Mason would refer to the Audit Progress Committee for the assessment of any situation that may be interpreted as impairing Mr Kraff's independence or objectivity. In those cases, Mr Kraff would refrain from any supervision of the audit in question.
The arrangements in place were discussed with the Audit Progress Committee at its meeting of March 2018. The committee considered that the measures drawn up by the Internal Audit Service adequately address the risk of conflict of interest in line with the international standards and best practice. The committee also noted with satisfaction that arrangements to ensure organisational independence had been implemented in practice in the relevant audits. The Audit Progress Committee also took stock of the implementation in 2018 of these arrangements at its meetings of January 2019 (preparatory group), March 2019, March 2020 and January 2021 (preparatory group). The Audit Progress Committee again noted with satisfaction that these arrangements had been implemented in practice in a number of audits and considered that this was leading practice in the internal audit profession.
In the period 2018-2020, during the hearings as part of the reporting year discharge, Mr Kraff presented the arrangements in place to the European Parliament’s Budgetary Control Committee (CONT). These arrangements were also made public in the Internal Audit Service’s 2017, 2018 and 2019 annual activity reports and the Commission’s annual reports on internal audits of September 2018, June 2019 and June 2020.
On 4 December 2017, the European Ombudsman sent a letter to the European Commission informing it that, following a complaint from a member of the public, an inquiry would be opened to assess the appropriateness of the measures taken by the Commission to prevent any conflict of interest (or a perception thereof) in the appointment of the new Director-General of the Internal Audit Service. The Internal Audit Service and the Commission's central services replied to the questions the Ombudsman asked, providing all relevant supporting documents and information requested.
The Ombudsman closed the inquiry on 23 July 2019 16 , concluding that: (i) the Commission had put in place appropriate measures to avoid potential conflicts of interest and safeguard the objectiveness of the Internal Auditor’s function; and (ii) there was no maladministration by the Commission in how it appointed the Director-General of its Internal Audit Service.
(1) The report does not cover the decentralised European agencies, the European External Action Service or other bodies audited by the Internal Audit Service, which receive separate annual reports.
(2) Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012OJ L 193, 30.7.2018.
(3) The audit reports finalised in the period 1 February 2020 to 31 January 2021 are included in this report.
(4) Communication to the Commission, Mission Charter of the Internal Audit Service of the European Commission, C(2020)1760 final of 25 March 2020.
(5) For details, see Communication to the Commission, Charter of the Audit Progress Committee of the European Commission, C(2020) 1165 final of 27 February 2020. The Charter of the Audit Progress Committee was updated in 2020 to take account of the 2019—2024 Commission entering into office on 1 December 2019 and changes in the Committee’s membership.
(6) One ‘other engagement’, consists of an in-depth risk assessment of the Innovation Fund. Originally, the Internal Audit Service intended to perform an audit in this area. However, the processes relating to the set-up were not sufficiently mature to perform an audit. Furthermore, subsequent to the start of the engagement, the Commission decided to reallocate the responsibility for implementing the fund to an executive agency.
(7) The annex accompanying this report provides an overview of all completed audit and follow-up audit engagements.
(8) A comprehensive overview of the Internal Audit Service recommendations is provided in the report addressed to the Audit Progress Committee on 31 March 2021.
(9) Out of 1 010 recommendations made in 2016-2020, 1 008 recommendations were fully accepted and 2 partially accepted.
(10) The chart shows the rating of the recommendations at the cut-off date. This may differ from the rating in the original report if actions subsequently taken by the auditee are deemed sufficient by the Internal Audit Service to partly mitigate the risks identified and therefore lead to a downgrading of the rating of the recommendation.
(11) In total, the Internal Audit Service carried out 24 performance and comprehensive audits. For more details see the annex.
(12) 15 of the 53 (28%) very important recommendations issued in 2020.
(13) Except for the Task Force for Relations with the United Kingdom and the advisory service Inspire, Debate, Engage and Accelerate Action (IDEA).
(14) Since the entry into application of the new Financial Regulation the functions of all institutions’ financial irregularities panel have been transferred to the Early Detection and Exclusion System Panel referred to in Article 143 of the FR.
(15) The international audit standards, to which the FR expressly refers in Article 98 ("Appointment of the Internal Auditor"), state that: ‘If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment." (IIA-IPPF standard 1130). Moreover, the standards state that: "internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year’ (IIA-IPPF standard 1130.A1).
(16) Decision of 23 July 2019 and amending Decision of 30 October 2019, in case 1324/2017/LM on how the European Commission appointed the Director General of its Internal Audit Service.