2008 DISCHARGE – COMMISSION : ANNUAL REPORT IN INTERNAL AUDITS
PURPOSE: to inform the Discharge Authority about the work carried out by the Commission's Internal Audit Service (IAS) in 2008. It is based on the report of the IAS and concentrates in particular on significant risk exposures and control issues and corporate governance issues within the Commission.
CONTENT: this report is based on IAS audit and consulting reports finalised in 2008 (and some finalised at the beginning of 2009). It concerns audit and consulting work related to Commission DGs and Services and executive agencies only. It does not cover the IAS work on other agencies or bodies.
The Commission's reactions to the findings and conclusions of the Internal Auditor are covered in the synthesis report on the annual activity reports of the Directors-General (see SEC(2009)1102).
Main conclusions: on the basis of the Commission audits and reviews finalised in 2008 and other related work the following conclusions can be drawn:
Conclusion 1: Further progress made, but more improvements needed: in thecourse of its audits, reviews and consultancy work, the IAS saw further improvements in the Commission’s internal control systems. Six critical recommendations had been issued in 2007, but none in 2008. The number of unsatisfactory or partly unsatisfactory opinions in new audit reports dropped from six in 2007 to four in 2008. However, further improvements are still needed.
For instance several aspects of financial management can still be improved:
- significant progress was made concerning the completeness and consistency of the Commission's recovery/financial corrections statistics. For example, DG REGIO and DG EMPL, in collaboration with DG BUDG, have undertaken to produce an overall table on financial corrections (already made or in the process of being made): this will enhance considerably the audit trail of multi-annual controls in shared management. However, in areas of centralised management a backlog of recovery orders is to be noted. Hence, internal recovery procedures need be simplified and shortened;
- whether it is appropriate to apply the 2% materiality limit of error across the board to both standard financial transactions and certain particularly complex or highly sensitive projects needs to be reassessed. The proposed concept of "tolerable risk of error" – if and when endorsed by Council and Parliament – would be more appropriate and should improve in the future the achievable level of reasonable assurance of financial management in certain areas;
- attention was drawn to the need for solid monitoring of procurement procedures, especially if major parts of outsourced activities are attributed to a limited number of bidders, exposing the Commission to risks of market concentration.
With regard to security, considerable progress has been made and follow-up audits confirmed that the difficulties encountered in ensuring that relevant Commission delegations were properly equipped for handling EU classified information have now been resolved. The findings of the audits have also helped the general review of the Commission's security policy, which took place in 2008.
Ethics standards require continuous attention, and throughout the year initiatives at DG and central level have been launched to further strengthen the Commission ethics framework and raise staff awareness. The IAS has not yet provided an audit opinion on the Commission's Ethics framework, but will follow a schedule of actions until the end of 2010. Timely implementation by the Commission services of critical and very important recommendations is an ongoing challenge. The Audit Progress Committee, assisted by the IAS, holds DGs to account in implementing their own Action Plans. It issues reminders, addressed to portfolio Commissioners, which are generally effective, improving follow-up and facilitating the reassessment of residual risks.
Conclusion 2: IT: the extensive audit work on IT issues showed that an effective and efficient IT environment is important for the successful implementation of the Commission’s policies. Greater efforts to follow up past recommendations, an integrated systems approach with a view to gaining an overview of all IT developments at all times and the need for comprehensive security arrangements to guarantee, inter alia, business continuity seem more and more important. Better management of projects and service providers are also key success factors.
Conclusion 3: Strong Embedded Audit Culture: the second external quality review of the IAS demonstrated that the service fully complies with the "International Standards for the Professional Practice of Internal Auditing". The IAS is an integrated and accepted driver of positive change in the Commission, covering jointly with the Internal Audit Capabilities all identified risks with the strategic audit plan 2007-2009. While the IAS audit plan focuses to a large extent on financial management, it also covers areas such as governance (e.g. ethics), IT, security and operations (e.g. implementation of EC law).
As reported here, the IAS’s audit work helps to draw attention to risks and areas for improving control of risks: it is therefore important that control of non-financial risks should continue to receive attention throughout the Commission.