2009 discharge: EU general budget, Section III, Commission

2010/2142(DEC)

DISCHARGE 2009 – COMMISSION: ANNUAL REPORT ON INTERNAL AUDITS

PURPOSE: this report informs the Discharge Authority about the work carried out by the Commission's Internal Audit Service (IAS) in 2009, and focuses on significant risk exposures and control and corporate governance issues in the Commission.

CONTENT: The report is based on IAS audit and consulting reports completed in 2009. It concerns solely the auditing of internal management and control systems within the Commission DGs and services and the regulatory and executive Agencies. It does not cover the results of audit work in other agencies or bodies audited by the IAS.

The Commission's reactions to the findings and conclusions of the Internal Auditor were covered in the synthesis report on the annual reports on the DGs' activities (see SEC(2010)0994).

Main conclusions: on the basis of the audits and related work, finalised in 2009, a series of conclusions and recommendations were made, with comments from the Commission. The conclusions are as follows: 

Conclusion 1: further progress has been made, but more improvements are needed: the IAS saw continuous improvements in the Commission’s internal control environment, linked to the efforts towards an unqualified DAS (declaration of assurance). However, the IAS noted that further improvements are needed on several aspects of financial management:

Shared management:

  • concerning the management of grants under the Schengen Facility II, and despite the contract extension granted and changes decided on the repartition of funds between the Schengen part and the cash-flow, the risk profiles will have to be better defined;
  • improvements should be made on the general co-ordination of audit strategies by the Commission services responsible for the management of structural funds policies, thereby improving the coverage of common audit authorities. The results of the enquiry launched in 2009 to review the audit authorities' work will allow the Commission to rely on the opinions provided and, consequently, reduce its own on-the-spot audits.

Direct management:

  • regarding the inventory process, despite the strengths of its Public Procurement Advisory Group, the procurement process in the Joint Research Council needs to be substantially improved, particularly regarding the documentation of exceptions, planning, the quality of ex post controls and the justifications provided for market captivity;
  • in the research area attention was drawn to the need for a strategy for fraud detection and prevention and for improving guidance on the implementation of financial viability checks. Nevertheless, a number of improvements have already been made in the internal control systems for the management of the 7th Framework programme (e.g., the balance between ex ante and ex post controls and the completion of a procedure for the management of the Guarantee Funds). 

Indirect centralised management - implementation of CFSP actions: progress was made on the requirements to be met by CSDP missions in relation to indirect centralised management, on the set-up, support and monitoring of CSDP missions, and on the closure procedure for CSDP contracts. Further actions still need to be implemented by DG RELEX in order to fully comply with indirect centralised management requirements. Moreover, guidance and methodology for assessments of civilian crisis management missions and on the setting up of financial management systems for missions will have to be developed, and ex post controls on missions will need to be strengthened.

It is the IAS's opinion that an overview is necessary at the level of the institution if common processes, such as risk analysis and business continuity management, are to be effective in protecting the institution as a whole. The IAS recommends that appropriate bodies be made responsible for gaining this overview, and for making appropriate recommendations. The Commission considers that corporate oversight is already in place or planned for certain processes. It further considers that any allocation of this type of responsibility to central services would dilute the responsibility of each Director-General and Head of Service.

Conclusion 2: risk management: the IAS noted the progress made since the Commission’s adoption of a risk management framework in 2005, but considered that its implementation needs to be better embedded in the management processes of each service. This should be combined with an enhanced overview of cross-cutting risks and improved guidance at central level. 

The Commission could not accept this recommendation in its entirety, as it considered parts of it to be inconsistent with the Commission's governance framework. The Commission considers that within the current governance structure the central services already provide an overview of cross-cutting risks and guidance on the risk management framework and implementation.

Conclusion 3: corporate business continuity: the IAS audit showed that the Commission needs to keep up the momentum in its efforts to ensure business continuity in the event of serious disruptions, in particular through enhanced steering, coordination and testing of the recovery of critical activities. The Commission shares this point of view.

Conclusion 4: corporate IT approach: the IAS has demonstrated the need to strengthen IT strategic decision-making and IT project management processes, in order to ensure that IT projects are properly aligned with the Commission’s objectives, provide value for money and are implemented in a timely manner. The Commission shares this analysis.

Lastly, the Internal Audit Service submitted its Strategic Audit Plan for the period 2010–2012, the aim of which is to cover the main risks identified and to achieve the necessary coverage to support the Internal Auditor’s overall opinion on financial management.