Annexes to COM(2005)257 - Annual Report to the Discharge Authority on Internal Audits Carried out in 2004


annex to the report provides supporting information taken from the in-depth audit work and follow-up audit work carried out in 2004, together with summary follow-up information on the basis of auditee self-assessments, where available.

2. OVERVIEW OF IAS AUDIT WORK IN 2004

In order to perform its mission, the IAS acts in accordance with the Financial Regulation and the IAS Charter, as well as generally recognised principles and international standards governing internal control and internal audit, i.e. the COSO controls framework[2] and the Institute of Internal Auditors' (IIA) professional standards and practice advisories[3]. The IAS audit work focuses on four main categories, as defined by the IIA: reliability and integrity of financial and operational information, effectiveness and efficiency of operations, safeguarding of assets and compliance with laws and regulations and contracts. It also includes a focus on the strategic or high-level goals of the Commission and the extent to which these are aligned with and support its overall mission[4].

The audit work of the IAS is based on a three-year rolling strategic plan, adopted in early 2004 and updated annually to reflect necessary changes. Audit work in 2004 focussed on the finalisation of audits, risk assessments and desk reviews necessary under the Action 87 programme (see table below), and the presentation of the major findings in a summary report to the Audit Progress Committee (APC) in September 2004 and January 2005[5]. 2004 also saw an intensification of the IAS audit follow-up programme, given that sufficient audit coverage since the start of audit work was now available. In this context the follow-up of IAS Eurostat audit work is particularly important and this will be extended into 2005.

The IAS also presented in December 2004 its first twice yearly summary report on the work done by the DGs' IACs, bringing to the attention of the Commission a number of key risk areas. As noted by the APC, future reports should profit from harmonised reporting criteria in the Commission's internal audit community.

Overview of Audit Engagements conducted in 2004 (and their appearance in Annexes):

| Audit | Audit Planning Memorandum | Final Report |
|---|---|---|
| Cross-cutting, Administrative and other Support Systems | | |
| OPOCE | 2 March 2004 | 15 October 2004 |
| IT Local Control COMP | 17 July 2003 | 20 July 2004 |
| IT Local Control SG | 17 July 2003 | 31 July 2004 |
| Risk Assessments and Desk Reviews: SG, SJ, OLAF, ADMIN, ADMIN/DS, EPSO, OIB, PMO, DIGIT, SCIC, OIL, DGT, GOPA, 36 ITC Risk Assessments | | |
| Internal Policies including Research | | |
| EAC | 15 March 2004 | 21 September 2004 |
| ENV | 29 March 2004 | 17 September 2004 |
| ESTAT II | 17 November 2003 | 19 March 2004 |
| INFSO | 30 April 2004 | 20 October 2004 |
| JRC | 26 March 2004 | 21 October 2004 |
| Risk Assessments and Desk Reviews: ECFIN, ENTR, COMP, SANCO, TREN, JAI, MARKT, TAXUD | | |
| Structural Measures and Common Agricultural Policy | | |
| EMPL | 22 May 2003 | 22 July 2004 |
| AGRI Follow-up | 20 October 2004 | 25 February 2005 |
| REGIO Follow-up | 24 September 2004 | 23 December 2004 |
| Risk Assessments and Desk Reviews: FISH | | |
| External Policies including Pre-accession Aid | | |
| AIDCO | 31 July 2003 | 29 April 2004 |
| ELARG Follow-up | 20 September 2004 | 21 January 2005 |
| Risk Assessments and Desk Reviews: TRADE | | |

The acceptance by audited services of IAS audit findings and recommendations is high with 84% of all recommendations issued being accepted and another 10% accepted with comments. This is an indication that audit advice is considered helpful to bringing about improvements but also that management is taking its responsibility in deciding whether or not, and how, it wants to follow recommendations. In one case a critical recommendation was rejected by the auditee as it was felt that follow-up action was not manageable at the DG level.

Acceptance of IAS audit recommendations made in 2004:

| | Accepted | Accepted with Comments | Partly Rejected | Rejected | Total | % |
|---|---|---|---|---|---|---|
| Critical | 39 | 1 | 0 | 1 | 41 | 10% |
| Very important | 119 | 21 | 0 | 5 | 145 | 38% |
| Important | 151 | 22 | 7 | 5 | 185 | 48% |
| Desirable | 12 | 0 | 1 | 1 | 14 | 4% |
| Total | 321 | 44 | 8 | 12 | 385 | 100% |
| % | 84% | 11% | 2% | 3% | 100% | |

3. SUMMARY OF MAIN FINDINGS AND RECOMMENDATIONS

This chapter highlights both issues/control weaknesses and related recommendations that were brought to the attention of the College, either because they are of sufficient importance (materiality), because they provide insight into the state of the Commission internal controls or because they cannot easily be resolved at the DG level.

3.1. From Compliance to Effective Implementation – Internal Control Standards

A theme of this report is that it is necessary to move beyond compliance towards a more substantive implementation of the Internal Control Standards (ICS) resulting in a more efficient and effective internal control system. The continuing development of the Internal Control Assessment Tool (iCAT) offered by the Central Financial Service (CFS) to assist services to move from indicating compliance with baseline requirements to assessing the effectiveness of their internal control system is a very welcome initiative in this context.

A key will be making sure that managers realise that, if properly implemented, internal controls will assist them in the realisation of their objectives – controls need not be an "added burden with no return on investment". The main findings expressed below, and the recommendations that accompany them, have this purpose in mind.

3.2. Improving Co-ordination and Coherence – Strategy and Planning

3.2.1. Performance Improvement and Monitoring

Performance monitoring is still underdeveloped which makes it difficult to measure progress and therefore difficult to take remedial action if necessary. Key challenges include establishing meaningful performance indicators, both financial and operational, and thus ensuring that the reporting system provides a meaningful and comprehensive view of the progress in achieving DG objectives[6].

Currently performance monitoring tends to focus on financial ratios and input/output indicators and little progress has been made with developing indicators to assess policy impact. There is a need for more expert guidance for developing indicators on such issues. The risk is that proxy quantitative indicators are used and that these are misleading, e.g. the number of documents sent to partners is sometimes used as an indicator of the effectiveness of the relationship. Reliance on such weak indicators undermines effective management including policy development and decision-making. There is also insufficient feedback from the analysis of experience into policy-making and programming, possibly leading to insufficient attention to value for money aspects, inadequate targeting and relative under-performance. A critical factor for effective feedback is that the results of evaluations of programmes are made available in time for use in the new programming exercises. Despite the setting-up of multi-annual evaluation plans, long-term aspects are not yet completely embedded in the evaluation process. The problem is further compounded by difficulties faced by certain DGs when compiling relevant statistics or data from Member States, in terms of timeliness, reliability and consistency.

Recommendation 1:

DGs should make every effort to upgrade the quality of their indicators and develop an integrated approach to measure and evaluate performance. In this regard use of the Common Assessment Framework, which is specifically designed to support the implementation of quality management in public sector organisations, should be considered. Key performance indicators, both financial and operational, should be defined and reported in a "tableau de bord" submitted to management on a regular basis to support tracking and monitoring of performance in key areas. The use of Total Quality Management tools/techniques such as benchmarking and satisfaction surveys should be selectively applied as part of the feedback needed from grant beneficiaries and other stakeholders.

3.3. Taking Informed Decisions – Risk Management and Management Information Systems

3.3.1. Risk Management

When effectively utilised, risk management serves as a proactive management tool for identifying obstacles to achieving policy and operational objectives and assisting in taking political decisions, including in prioritisation and allocation of resources. Ongoing positive developments, led by BUDG, include a draft risk management framework and risk management pilot exercises which were conducted in numerous DGs. In addition, BUDG recently set up and is chairing the Risk Management Steering Group which has as its goal the further development and customisation of a risk management policy, and implementation manual and tools. It is important that these efforts also result in a consolidated risk overview at the Commission level (allowing for a complete top down view of key risks).

A systematic Commission-wide analysis of the risks that represent obstacles to the realisation of key Commission objectives is not available to the highest levels of management. Such an integrated view would facilitate integrated solutions and the realisation of synergies across traditional organisation boundaries. If operational DG-level risk assessments are consolidated into a global Commission level risk document (including a top down view of key risks), the Commission's decision-making process will be strengthened.

Recommendation 2:

At the DG level, risk management should be embedded in the regular management processes and conducted along with the strategic planning process, and then incorporated into ongoing management reporting and decision-making. Critical risks and management responses should be reported in the Annual Management Plan and the Annual Activity Report.

DG families should explore the efficacy of a family-wide risk management concept for their major objectives. This would result in increased coordination and the identification of synergies.

A Commission-wide risk overview at the Commission level (allowing for a complete top down view of key risks) should be prepared and used to support risk management and decision making.

3.3.2. Management Information Systems

The findings emerging from the 2004 audit work that focused specifically on local IT systems were largely in line with those of the 2003 IT Governance Review at the corporate level, and the recommendations emerging from the latter already cover most of the problem areas identified in the former. Significant progress has been made in terms of addressing risk identified in the IT Governance review[7] and this should have a positive effect at the local IT level. The findings emerging from other in-depth audits also echoed those emerging from the local IT systems work and the IT governance review.

Specific findings emerging from the local IT systems work included that there is a need for a more systematic mid- and long-term planning process; an urgent need for improved risk management (including systematic risk analysis, and use of common and valid methodology and tools); that there is still insufficient supervision by central services of corporate procedures and guidelines, in particular in terms of information systems security; and that there is a need for quality-management guidelines. It was observed that corporate guidelines do not always exist in some specific areas, and that in cases where they do exist there is sometimes insufficient knowledge of these procedures (e.g. in the areas of security of data and continuity of operations), leading to high risk of non-compliance.

Improving control over the risks in local information systems is important for the Commission because some of these information systems were identified as being critical for the efficient and effective performance of the Commission's operational activities.

Recommendation 3:

Although some DGs have taken steps to comply with security policies/guidelines, management now needs to ensure that disaster recovery and contingency plans are developed and tested. It is also important that for all major information systems precautions are taken to ensure security of information and continuity of operations.

Core administrative processes (such as contract and grant management) should be supported by more integrated management information systems as this would improve management's ability to monitor project implementation[8].

3.4. Better Alignment of Risks and Controls – Simplification and Proportionality

A significant number of DGs expressed the view that the level of bureaucratisation was too heavy, emphasising the need for simplification and proportionality in procedures and controls. Although this view was mainly expressed in the context of risk assessments and desk reviews it was also substantiated by audits where the Financial Regulation and Implementing Rules were seen to need fine tuning. There are opportunities for a better balance between intended impact of the controls and the associated costs. It should be noted that a working group set up by the RUF to identify the difficulties encountered following the implementation of the Financial Regulation has made a number of recommendations in this regard and that this issue will be addressed in the context of the envisaged revision of the Financial Regulation. Progress in this area will not only result in efficiency and effectiveness gains but will help build a more positive image for controls.

Other areas where simplification and streamlining are possible include support processes such as human resources and general administration where a move from an administration focus to a management focus would be welcome. Recognising the overall shortage in staffing levels, it is felt that improvements in planning, priority setting, resource allocation, simplification and efficiency would help mitigate this problem.

3.4.1. Review and Simplification of Financial Rules

Although considerable progress has been made in defining necessary financial rules these are sometimes seen as being too heavy for the risks they are designed to mitigate.

Recommendation 4:

In revising the Financial Regulation and the Implementing Rules special attention should be paid to simplification and proportionality in order to achieve a better balance between the risks at stake and the cost of control. This also applies, for instance, to grant management, where the control cost, both for the Commission and beneficiaries, could be significantly reduced by harmonising and simplifying delivery and/or funding methods.

Beyond the review of the Financial Regulation, the same attention should be paid to relevant sectoral legislation and the design of financial instruments and programmes.

The common practice of concentrating the validation of all commitments at Director level and other practices such as long "validation chains" may result in practice in both bottlenecks and a dilution of control. Financial circuits and delegation levels should be established and regularly reviewed, based on an appropriate risk assessment, allowing for lower risk transactions to be processed under simplified procedures and higher risk transactions to be authorised at a higher management level (or requiring additional ex-ante validation, etc). This should make it possible to keep the cost of controls at a level proportionate to the control risk identified.

Recommendation 5:

Financial procedures and sub-delegation levels should be established and regularly reviewed based on an appropriate risk assessment in order to align risk level and controls. Low risk transactions should be processed under simplified procedures and, conversely, higher risk level transactions should require authorisation by senior management or an additional ex ante visa.

3.4.2. Management Supervision and Ex-Post Controls

Supervision is a key management responsibility whose purpose is to ensure that internal controls are effectively and continuously operating in practice as intended and that objectives are met. Therefore, management must ensure that proper supervision is in place. Management supervisory controls still need to improve considerably and be better evidenced.

Recommendation 6:

Management supervision of the effective application of the internal procedures, including, among others, segregation of duties, sub-delegation and deputising arrangements, and their compliance with the Financial Regulation (FR), Implementing Rules (IR) and other relevant regulations, should be strengthened and conducted on a regular basis.

Ex-post controls should be strengthened in order to ensure effective and continuous operation of the internal controls as intended. In this regard, the DG's annual declaration should specifically address both the adequacy of the internal controls in place (design) and its effective operation over the period covered by the statement[9].

Whether the ex-post controls are conducted in practice by either the operational Directorates/Units or supported by the Finance Units should be decided based on the circumstances of each DG. However, in all cases, the Finance Unit (possibly in coordination and with input from the IAC, based on the results of the audit work conducted) should play a key role in terms of defining the methodology to be used.

Financial audits conducted in order to check beneficiary compliance should be strengthened in terms of the methodology used, including risk assessment, the timeliness (significantly hampered by lengthy, cumbersome contradictory procedures), coverage, results, overview and follow up. Despite the significant investment made in conducting ex-post controls and financial audits (the latter often outsourced), it has proved difficult if not impossible to get from all of the DGs concerned an overview summarising the population (i.e.: number and value of contracts), coverage achieved, financial corrections proposed by the auditors and resulting "error rate" and recovery orders actually issued as a result.

Recommendation 7:

The methodology, including risk assessment, used in order to conduct financial audits should be improved. An overview of the results should be provided on an annual basis, reported in the AAR and consolidated in the synthesis report by DG. Recurring or systemic issues should be identified along with the actions taken by management to prevent them from re-occurring.

Several audits also emphasised that, even though BUDG has expended effort to remedy the situation, there are still difficulties with timely follow up of projects which has resulted in an increase in RAL[10] levels for certain DGs. Furthermore, reducing the "legacy" backlog of abnormal RALs, particularly in certain DGs dealing with a high number of commitments, is proving to be difficult and very demanding in terms of resources. More generally, despite the standard reporting made available by BUDG concerning RAL and Recovery Orders (ROs), these are not yet effectively used in practice by the operational DGs to support timely follow up.

3.4.3. Closure Audits

In terms of closure audits[11], DGs concerned are still experiencing difficulties and this contributes to IAS' concerns about the weaknesses in the internal control system.

Recommendation 8:

A clear audit strategy for closure audits must be developed and actions must be planned well in advance and included in the general audit plan. Key elements include: a clear and documented procedure and a defined risk-assessment model for systems audits and for the selection of the closure audits. The roles and responsibilities need to be clear and specified (including procedures for the reports approval and the follow-up process), and adequate resources need to be devoted to the task. To avoid delays, the workflow should be streamlined and indicative deadlines to be respected at each stage of the process should be established. The methodology of closure audits should be defined in an audit manual.

Appropriate reporting tools must be adopted to ensure proper monitoring of the closure audit process and of the recovery procedures launched as a result of the audits.

Necessary corrective measures must be taken, at Headquarters and European Commission Delegations, to address the detected problems, in particular as regards deficiencies and failures in the Commission's own management and control systems, and to start the recovery process, in accordance with the Financial Regulation and the Implementing Rules.

3.4.4. Grant Management and Contract Management

3.4.4.1. Grant Management

Centralised direct grants: the main issues identified relate to the lack of definition and consistency in the calculation of eligible costs, costs charged in excess or outside the eligibility period, substantial staff costs funded through lump sums in certain programmes, expert selection, potential conflict of interest, audit trail, insufficient project follow up and lack of effective ex-post controls.

Regarding double funding, the Financial Regulation stipulates that "one action may give rise to the award of only one grant from the budget to any one beneficiary". In practice, little is done to ensure that this is the case. Therefore, controls to prevent this risk should be strengthened, namely by addressing the issue systematically during the ex-post controls.

Recommendation 9:

Double funding: A more effective utilisation by the DGs of existing instruments, e.g. the "declarations sur l'honneur", with the possibility of applying legal sanctions in case of false declarations, the accounting requirements applicable to grant beneficiaries and the systematic or selective consultation of other DGs should be promoted and reinforced[12]. Additional mitigating controls to limit the inherent risk of double funding should be enabled and supported by Commission-wide tools. In this regard, the creation of the ABAC Contracts database and the Central Legal Entities File in the last quarter of 2004 will be a positive step but it cannot guarantee complete prevention. Ideally, the system could be enhanced to flag cases where the same contractor/grantee is receiving EU funding from various DGs for the same activity.

Expert selection – potential conflict of interest: Improvements must be made concerning experts involved in project selection. These relate to the need for independent experts to be recruited through appropriate tendering procedures. Selected experts should be requested to sign a conflict of interest statement (as is already the case in certain DGs)[13].

Centralised indirect grants: key issues relate to the need to complete the mandatory validation of internal control systems at the National Agencies, the need to obtain management assurance statements from those and improve the effective follow-up of the issues raised in the certification reports produced by the independent auditors.

Recommendation 10:

Validation of Internal Controls: steps must be taken to complete mandatory validation of internal control systems at the National Agencies before the new programming cycle. Management assurance statements need to be obtained from MS. Follow-up of the issues raised in the certification reports produced by the independent auditors should be improved.

Budget implementation: In order to have a more complete view of the programme execution, statistics should be established taking into account both payments made by the portfolio DG and by the relevant National Agencies. The services concerned should also organise a closer follow-up of advance payments and interest earned[14].

Ex-post controls conducted by National Agencies: Clear guidelines should be set up on minimum requirements and minimum coverage to be provided by National Agencies through ex-post controls conducted by the latter. For example, financial risks and responsibilities relating to financial losses due to insolvency of beneficiaries are not identified in a reliable manner.

3.4.4.2. Outsourcing of Core Activities, Mitigating the Risks of Collusion, Conflict of Interest, Dependence on External Providers and Insider Trading

Several in-depth audits identified concerns about the risks of collusion, conflicts of interest, dependence on external providers and insider trading.

Recommendation 11:

In order to strengthen the existing controls to mitigate the risks of collusion, conflict of interest and insider trading, an analysis should be conducted to identify any contractors or grantees presenting a significant concentration of the budget of the concerned DG. Careful attention in this regard should be paid both to private and NGO organisations being regularly funded by the Commission's services either through contracts or grants.

In some DGs significant core activities have been outsourced to a single contractor (in certain cases over extended periods of time).

Recommendation 12:

DGs where there is significant outsourcing of core activities to a single contractor over an extended period of time should carefully evaluate the risks arising from such dependence, and submit this for formal approval by senior management.

3.4.4.3. NGO Compliance with the Financial Regulation

Compliance of NGOs' funding with the requirements of the Financial Regulation[15] and Implementing Rules concerning the progressive decrease in funds for running costs grants should be ensured. In practice, progress made in this regard, including proper communication to the NGOs and planning on how the progressive decrease will be implemented (starting in 2005, according to Article 181 of the FR), is still limited. Furthermore, potential discrepancies resulting from the NGO funding decision and the above mentioned requirements have been raised by some DGs. Additionally, controls in place in order to ensure compliance with the requirements of Article 109 of the FR and Article 165 of the IR that EU funding may not have the purpose or the effect of producing a profit for the beneficiary should be strengthened.

Recommendation 13:

Functioning grants to NGOs and compliance with Financial Regulation (FR) and Implementing Rules (IR): Compliance with the FR and IR should be ensured.

Progress should be made, including proper planning and communication to the NGOs concerned, to ensure compliance with the requirement set out in the Financial Regulation for progressive decrease in funding for running costs.

4. CONCLUSIONS

In 2004 several milestones were reached in terms of the Commission's ongoing effort to modernise and strengthen its management and control systems. The new staff regulation entered into force and Directorates-General continued their effort to improve the internal control systems put in place under the Commission Reform. The Internal Audit Service (IAS) completed the so-called Action 87 of the Reform White Paper by carrying out audit work (including desk reviews and risk assessments) in thirty-three Commission services.

Taking a more strategic perspective, audit work and recommendations have led the Internal Auditor to a series of conclusions where the Commission could make considerable gains in terms of improved governance and performance.

The Internal Control System

The DGs indicated in a self-assessment exercise[16] that they had reached a high level of compliance with the Internal Control Standards (ICS). Major progress is also confirmed by the IAS audits. However, these audits also revealed that there are still critical control weaknesses and that important improvements are still needed in key areas such as grant management and public tendering, management supervision and ex-post controls (both in terms of funds managed by the Commission and in shared management with Member States) and that the Commission is still exposed to potential control breakdowns. The present report (as do the individual audit reports) includes recommendations designed to strengthen related controls.

Conclusion 1:

Despite important progress in internal control, important weaknesses still exist in areas such as grant management and tendering, management supervision and ex-post controls. These weaknesses should be addressed with urgency.

But the challenge goes even further and is twofold: first, compliance with the Internal Control Standards is not an end in itself. What is important is that the internal control systems are effective in giving reasonable assurance that the Commission's objectives are being achieved, that laws and regulations are complied with and that the financial reporting from the Commission is reliable[17]. Second, the answer is not necessarily more controls, but better and more cost-effective controls. Newly established rules and regulations now need to go through the natural next step, i.e. they need to be refined on the basis of lessons learnt, taking into account simplification and proportionality in terms of costs and risks.

This applies also to shared management where, in order to be efficient, assurance has to come primarily from the Member States and not through more Commission on-the-spot controls. This is why the IAS proposed in its last Annual Report to introduce disclosure and assurance statements from Member States management[18].

Additional steps need to be taken to embed controls into standard management processes, in order to facilitate DG management and for DGs to obtain a return on their "investment". For example, planning and objective setting have not yet been sufficiently incorporated into regular management activities, which means there is limited impact and productivity gains at the DG level. A key will be making sure that managers realise that if properly implemented, internal controls will effectively assist them in the realisation of their objectives.

Conclusion 2:

Directorates-General have to strive for effectiveness of their control systems – beyond compliance. Cost-effectiveness and risks should be taken more into account in designing controls; for shared management this means that more assurance has to come from Member States.

Horizontal Functions

The College has collective political and budget responsibility for the Communities' budget (including funds under shared management). However, the Commission's financial management and control architecture is primarily focused on the individual Directorates-General and the accountability/assurance statements come from DGs. A predominantly DG-level perspective means there is an increased likelihood that important, notably "cross-cutting" control issues/risks, are not sufficiently covered or mitigated. Examples may include the uneven application of rules; uneven design and implementation of policies; and the difficulty of aggregating key accounting and information management data coming from DGs – the basis of the Commission's central accounting and management information reporting. Certain of these horizontal functions are well established, e.g. the establishing of the Commission's budget. The Commission also has made important improvements to strengthen policy coordination and coherence such as establishing high-level networks and the creation of DIGIT. But certain horizontal functions are not yet adequately covered.

The Financial Regulation as revised in 2002 does not explicitly provide for the Accounting Officer to certify the integrity, consistency and reliability ("true and fair view") of the accounts. However, such a step strengthens the control system. It ensures the consistency and reliability of the Commission's accounts and therefore provides adequate protection to the College.

Signing off the accounts is also a natural complement to the Accounting Officer's authority to set accounting standards: being able to sign off means for instance having undertaken plausibility and coherence checks in order to minimise differences in application or mis-application of rules. Lessons learnt from these checks may in turn be used by the Accounting Officer for improving and adapting rules and procedures where necessary. This does not mean re-introducing an ex-ante visa of individual transactions and is not limiting the evident responsibility of the actor "on the ground" for correctly applying rules like in any other area of Commission activity.

This is why the IAS recommends a sign-off on the accounts by the Accounting Officer. This systemic responsibility in no way reduces the responsibility of Authorising Officers to guarantee the reliability of information made available to the Accounting Officer. It is now timely to introduce this central oversight, as the new accruals accounting system increases the level of accounting expertise required throughout the Commission.

Conclusion 3:

In order to ensure the integrity, consistency and reliability of the accounts, the Accounting Officer should sign off the Commission's accounts certifying that they present a true and fair view.

The Accounting Officer should be adequately empowered in order to be able to exercise this responsibility without modifying the responsibility of Directors-General for the underlying transactions and the reliability of the information made available to the Accountant.

Another area of concern is risk management. When effectively utilised, risk management serves as a proactive management tool for identifying obstacles to achieving policy and operational objectives and assisting in taking political decisions, including in prioritisation and allocation of resources.

As set out in this report, risk management in the Commission is still in a rather embryonic state. DGs focus largely on risk analysis, and risk management is not embedded in regular management processes. This situation persists despite the fact that BUDG has recently launched very welcome initiatives in this field (these are detailed in the body of this report). A Commission-wide approach to risk management, including methodology and tools, has yet to be implemented and should result in a consolidated risk overview at the Commission level (allowing for a complete top down view of key risks). This seems to be essential for managing risks related to multiple DGs and for better informing the Commission's decisions on resource allocation in the framework of the Strategic Planning and Programming cycle and is in line with best practice.

Conclusion 4:

A Commission-wide risk overview process should be implemented (allowing for a complete top down view of key risks). This would facilitate pro-active risk management related to the key objectives of the Commission and more informed resource allocation decisions.

[1] Action 87 of the Reform White Paper required the IAS to review the improvements and reinforcing of the DGs' internal control systems and carry out a complete cycle of audits of management and control systems in all DGs.

[2] See www.coso.org; including the Enterprise Risk Management – Integrated Framework, September 2004.

[3] See www.theiia.org.

[4] As defined in the COSO Enterprise Risk Management – Integrated Framework.

[5] The APC was informed of the preliminary findings on 20 September 2004 and discussed the final overview on 14 January 2005.

[6] The Synthesis report of 2003 Annual Activity Reports clearly asks for simplifying and improving objective setting and indicators - COM(2004) 418, pt. 3.

[7] As is evident in recent Communications - SEC(2004) 1265 & 1267 - and with the creation of DG DIGIT. Ongoing efforts to implement the actions specified in these Communications should nevertheless continue.

[8] It is understood that further development of ABAC in the course of 2005 will address some of these concerns but process owners should ensure that this is the case.

[9] It is noted that progress is being made in this respect; the Circular for the 2004 Annual Activity Reports of 3 December 2004 - SEC(2004) 1562 - puts much more emphasis on the need to describe the internal control system put in place and to what extent it is considered to be effective in addressing key risks (parts 3 and 4 of the AAR in particular).

[10] "Reste à Liquider".

[11] Closure audits relate to the closure of a multi-year programme. Normally at the end of the programming period the payment authority presents the Commission with a certified declaration of expenditure. The purpose of the closure audit is to verify the accuracy of the declaration.

[12] See Title V: Procurement of Financial Regulation, particularly Article 133 of the implementing Rules.

[13] It is noted that for some DGs the existing legal framework may provide different rules.

[14] Developments of ABAC are supposed to address these issues.

[15] Article 113.

[16] Update of the Self-Assessment of Readiness of Services to be compliant with the Internal Control Baselines by 31 December 2004 - SEC(2004) 250, 3.3.2004.

[17] As also stressed by the Synthesis of Annual Activity Reports 2003 of DGs and Services - COM(2004) 418, 9.6.2004.

[18] Including for National Agencies in the context of centralised indirect management.