Europaudvalget 2023
KOM (2023) 0323
Public
EUROPEAN COMMISSION
Brussels, 20.6.2023
SWD(2023) 214 final
COMMISSION STAFF WORKING DOCUMENT
Accompanying the document
REPORT FROM THE COMMISSION
TO THE EUROPEAN PARLIAMENT, THE COUNCIL AND THE COURT OF AUDITORS
Annual report to the Discharge Authority on internal audits carried out in 2022
{COM(2023) 323 final}
kom (2023) 0323 - No title
Contents
Context of this annex
PART 1 FINAL REPORTS
Multi-entity and horizontal audits
1.1. Audit on the cooperation and coordination mechanisms between the ETF and the EC services (DG EAC, DG EMPL, DG INTPA, DG NEAR, ETF)
1.2. Audit on implementation of bilateral trade agreements (DG AGRI, DG ENV, DG TRADE)
1.3. Audit on European Commission actions against food fraud (DG AGRI, DG SANTE, OLAF)
1.4. Audit on the Commission’s control system in relation to the reliability of performance information on EU financial programmes (DG BUDG, SG)
1.5. Audit on performance framework for research (CINEA, DG CLIMA, DG ENER, DG MOVE, DG RTD, JRC)
1.6. Limited review on the reporting of the Commission’s preventive and corrective measures (‘corrective capacity’) (DG AGRI, DG BUDG, DG EMPL, DG INTPA, DG REGIO, DG RTD, REA)
1.7. Audit on physical security of persons and assets in the Commission (DG COMM, DG DIGIT, DG HR, OIB, OIL)
1.8. Audit on the protection of personal data under the responsibility of EACEA, EISMEA, CINEA, REA, ERCEA and the CIC (CINEA, DG RTD, EACEA, EISMEA, ERCEA, REA)
1.9. Audit on programme implementation – phase 1 (from work programme to call evaluation and grant preparation) of the Connecting Europe Facility (CINEA, DG ENER, DG MOVE)
1.10. Audit on the design and early implementation of European Innovation Council (DG CNECT, DG RTD, EISMEA)
1.11. Limited review of the Recovery and Resilience Facility control and audit strategies in DG ECFIN
1.12. Audit on the effectiveness and efficiency of Eurostat’s performance management system
1.13. Audit on studies used for policy making in DG MOVE
1.14. Limited review on the implementation of the action plans for the reduction of the Horizon 2020 error rate and for simplifications to reduce the Horizon Europe error rate in DG RTD
1.15. Audit on performance management in DG TAXUD
1.16. Limited review of the internal control framework in DG TAXUD
Cohesion, Resilience and Values
1.17. Audit on the preparedness of DG EAC’s management and control systems for the implementation of the 2021-2027 Erasmus+ programme
Natural Resources and Environment
1.18. Audit on DG AGRI’s management of the wine market
1.19. Gap analysis review of the new Common Agricultural Policy 2023-2027 in DG AGRI
1.20. Audit on the cooperation between EFCA and DG MARE on activities related to Article 30 of the Common Fisheries Policy (DG MARE, EFCA)
Security and Defence
1.21. Preparedness of DG DEFIS for the management of the European Defence Fund
Neighbourhood and the World
1.22. Audit on control strategy for grant management under the Union Civil Protection Mechanism in DG ECHO
1.23. Audit on contractual expenditure verifications (FPI, DG INTPA, DG NEAR)
1.24. Audit on External Investment Plan – European Fund for Sustainable Development Guarantee (DG INTPA, DG NEAR)
European Public Administration
1.25. Audit on public procurement in DG DIGIT
1.26. Audit on human resources management in DG ECFIN
Information technology audits
1.27. Audit on progress in the implementation of the European Commission digital strategy in DG DIGIT
1.28. Audit on IT governance and management (DG HOME, DG JUST)
1.29. Audit on information technology governance and project management (including software development) in the SG
1.30. Audit on information technology application project management in DG TAXUD
PART 2 FOLLOW-UP ENGAGEMENTS
2.1. Follow-up audit in DG BUDG on the management of recovery orders for competition fines (including guarantees for competition fines) and for recovery orders in the context of the Commission's 'corrective capacity' – Phase II (based on two follow-up audits performed in 2022)
2.2. Follow-up audit in DG DEFIS on the supervision of the implementation of the 2014-2020 programme for the European Geostationary Navigation Overlay Service (EGNOS)
2.3. Follow-up audit in DG DIGIT on the management of public cloud services (multi-DG)
2.4. Follow-up audit in DG DIGIT on intellectual property rights supporting activities
2.5. Follow-up audit in DG EAC on information technology governance and project management
2.6. Follow-up audit in DG EAC on the effectiveness of the protection of personal data of beneficiaries of and participants in the Erasmus+ and European Solidarity Corps programmes (based on two follow-up audits performed in 2022)
2.7. Follow-up of outstanding recommendations from past audits in DG ECHO
2.8. Follow-up of outstanding recommendations from past audits in the FPI
2.9. Follow-up of outstanding recommendations from past audits in DG HOME (based on two follow-up audits performed in 2022)
2.10. Follow-up audit in DG INTPA on pillar assessment
2.11. Follow-up audit in the JRC on information technology governance and project management
2.12. Follow-up audit in DG NEAR on annual audit plans
2.13. Follow-up audit in DG NEAR on the Neighbourhood Investment Facility and the Western Balkans Investment Framework
2.14. Follow-up audit in the OIB on the procurement process
2.15. Follow-up audit in OLAF on the human resources strategy
2.16. Follow-up audit in OLAF on performance management
2.17. Follow-up audit in DG REFORM on the processes put in place for the delivery of technical support to Member States
2.18. Follow-up audit in DG RTD on IT project management and software development
2.19. Follow-up audit in the SG on the Commission’s strategy for data, information and knowledge management (based on three follow-up audits performed in 2022)
2.20. Follow-up audit in the SG on crisis communication in DG COMM, the SG, DG SANTE and DG ECHO
2.21. Follow-up audit in DG TAXUD on human resource management
2.22. Follow-up audit in DG TAXUD on the effectiveness of Directorate General for Taxation and Customs Union’s cooperation with external stakeholders
List of audits for which all recommendations were closed in 2022
PART 3 - SUMMARY OF LONG OVERDUE RECOMMENDATIONS
List of abbreviations
CIC: Common Implementation Centre
CINEA: European Climate, Infrastructure and Environment Executive Agency
DG AGRI: Directorate-General for Agriculture and Rural Development
DG BUDG: Directorate-General for Budget
DG CLIMA: Directorate-General for Climate Action
DG CNECT: Directorate-General for Communications Networks, Content and Technology
DG COMM: Directorate-General for Communication
DG COMP: Directorate-General for Competition
DG DEFIS: Directorate-General for Defence Industry and Space
DG DIGIT: Directorate-General for Informatics
DG EAC: Directorate-General for Education, Youth, Sport and Culture
DG ECFIN: Directorate-General for Economic and Financial Affairs
DG ECHO: Directorate-General for European Civil Protection and Humanitarian Aid Operations
DG EMPL: Directorate-General for Employment, Social Affairs and Inclusion
DG ENER: Directorate-General for Energy
DG ENV: Directorate-General for Environment
DG ESTAT: Eurostat
DG FISMA: Directorate-General for Financial Stability, Financial Services and Capital Markets Union
DG HOME: Directorate-General for Migration and Home Affairs
DG HR: Directorate-General for Human Resources and Security
DG INTPA: Directorate-General for International Partnerships
DG JUST: Directorate-General for Justice and Consumers
DG MARE: Directorate-General for Maritime Affairs and Fisheries
DG MOVE: Directorate-General for Mobility and Transport
DG NEAR: Directorate-General for Neighbourhood and Enlargement Negotiations
DG REFORM: Directorate-General for Structural Reform Support
DG REGIO: Directorate-General for Regional and Urban Policy
DG RTD: Directorate-General for Research and Innovation
DG SANTE: Directorate-General for Health and Food Safety
DG TAXUD: Directorate-General for Taxation and Customs Union
DG TRADE: Directorate-General for Trade
EACEA: Education and Culture Executive Agency
EISMEA: European Innovation Council and Small and Medium-sized Enterprises Executive Agency
EFCA: European Fisheries Control Agency
ERCEA: European Research Council Executive Agency
ETF: European Training Foundation
FPI: Service for Foreign Policy Instruments
IAS: Internal Audit Service
INEA: Innovation and Networks Executive Agency (1)
IT: Information technology
JRC: Joint Research Centre
LS: Legal Service
OIB: Office for Infrastructure and Logistics in Brussels
OIL: Office for Infrastructure and Logistics in Luxembourg
OLAF: European Anti-Fraud Office
OP: Publications Office of the European Union
PMO: Office for the Administration and Payment of Individual Entitlements
REA: Research Executive Agency
SG: Secretariat-General
(1) By Commission Implementing Decision (EU) 2021/173, the Innovation and Networks Executive Agency (INEA) was replaced by the new European Climate, Infrastructure and Environment Executive Agency (CINEA) on 12 February 2021.
Context of this annex
Part 1 of this annex contains:
- a summary of the 30 finalised internal audit engagements performed as part of the 2022 Internal Audit Service (IAS) audit plan (audits whose reports were issued between 1 February 2022 and 31 January 2023),
- the main recommendations (critical and very important (2)) stemming from these engagements,
- information provided by the Directorates-General/services on the actions defined and/or implemented to address the IAS audit recommendations.
Each audit followed the applicable standard professional validation and contradictory procedures between
auditor and auditee at the time of the finalisation of the engagement. The summary of each engagement aims
at providing an overview of the audits and their main results.
Part 2 of this annex includes a summary of the results of the IAS follow-up engagements performed between
1 February 2022 and 31 January 2023 (3), including a list of audit engagements for which all recommendations
were assessed as implemented following a follow-up audit by the IAS.
Part 3 provides an overview of the three long overdue very important recommendations as at 31 January 2023.
(2) Important recommendations are not listed in this annex.
(3) Each summary reflects the IAS’s assessment of the implementation status of audit recommendations at the end of the follow-up engagement. It does not take into account any further action, with possible impact on the status of the recommendations, that the auditee may have undertaken and reported to the IAS since the release of the IAS follow-up note.
Part 1
Final reports
Multi-entity and horizontal audits
1.1. Audit on the cooperation and coordination mechanisms between the ETF and the EC services (DG EAC, DG EMPL, DG INTPA, DG NEAR, ETF)
The objective of the audit was to assess the adequacy of the design and the effectiveness of the management
and control systems put in place by the ETF and the European Commission services to ensure a successful
cooperation and coordination between them.
There were no reservations in the 2021 Annual Activity Reports of DGs EMPL, NEAR, INTPA and EAC that relate
to the audited area.
The fieldwork was finalised on 19 September 2021. All observations and recommendations relate to the
situation as of that date.
The IAS recognised the ongoing efforts made by the ETF and the EC services to coordinate. The IAS identified
the following strength and good practice in this area: to ensure better coordination for the preparation of
Governing Board (GB) meetings, the ETF together with the European Commission services set up a bi-annual
Structured Dialogue.
The IAS identified one very important issue concerning the ETF’s mandate and formulated one very important
recommendation.
ETF’s mandate (addressed to DG EMPL)
DG EMPL, assisted by the ETF and in coordination with DG NEAR and DG INTPA, should clarify the ETF mandate,
with respect to the countries that are eligible under Article 1b following the entry into force of the
Neighbourhood, Development, and International Cooperation – Global Europe instrument. It should also regularly
monitor any changes to the instruments referred to in the ETF mandate and clarify the implications for its
activities. Finally, it should clarify the ETF mandate, with respect to the countries that fall under the remit of
Article 1c and designate these countries through a formal decision of the Governing Board in compliance with
the requirements of this Article.
Additional information provided by DG EMPL on the measures defined and/or implemented following the Internal Audit Service audit
The required action is in progress regarding the recommendation on the ETF’s mandate, for
implementation by December 2023.
1.2. Audit on implementation of bilateral trade agreements (DG AGRI, DG ENV, DG TRADE)
The overall objective of the audit was to assess whether DG TRADE, DG AGRI and DG ENV have established
adequate processes and tools for an efficient and effective implementation of EU bilateral trade agreements
in line with their policy objectives.
There were no reservations in the 2021 annual activity reports of the audited Directorates-General that relate
to the audited area.
The fieldwork was finalised on 12 December 2022. All observations and recommendations relate to the
situation as of that date.
The IAS did not formulate any critical or very important recommendations for DG AGRI and DG ENV.
The IAS recognised a number of strengths in DG TRADE, as it:
- created the position of the Chief Trade Enforcement Officer,
- established a single-entry point for complaints,
- put at the stakeholders’ disposal useful IT tools (Access2Markets, ROSA) facilitating access to information about trading with third countries and organised outreach events to promote the use of these tools,
- coordinates its work on trade barriers with the EU Member States at headquarters- and EU delegation-level via the three Market Access Partnership platforms (Market Access Advisory Committee, Market Access Working Groups, Market Access Teams),
- improved the coordination on implementation of agreements with other Commission services and within DG TRADE via the interservice working group and internal coordination meetings at various levels,
- made efforts to improve the implementation and enforcement of trade and sustainable development chapters of the bilateral trade agreements. To this end, DG TRADE launched a trade and sustainable development review, the results of which are reflected in the Commission Communication ‘The power of trade partnerships: together for green and just economic growth’ of June 2022 (4).
The IAS identified two very important issues in DG TRADE concerning: (1) the use of ex post evaluations and supporting studies to improve the implementation of bilateral trade agreements, (2) monitoring of the state of play of existing trade barriers, and formulated two very important recommendations.
Use of ex post evaluations and supporting studies to improve the implementation of bilateral trade agreements
DG TRADE should define more specific criteria for selecting trade agreements for ex post evaluation and
formalise the roles of DG TRADE staff and other Directorates-General in the selection process. In addition, DG
TRADE should provide guidance on the drafting and implementation of action plans to address the results of
the recommendations stemming from external studies and establish a procedure for monitoring the
implementation of these action plans. Finally, DG TRADE should adequately disseminate the revised instructions
to staff and ensure their systematic implementation.
(4) The practical implementation of the results of the review has recently started and could not be assessed during the IAS audit.
Trade barriers
DG TRADE should establish a systemic solution to ensure that identified trade barriers are systematically
followed up in view of their removal, and that related information is kept up to date for internal use and for
providing correct information to stakeholders.
Additional information provided by DG TRADE on the measures defined and/or implemented following the Internal Audit Service audit
DG TRADE accepted the recommendations and agreed with the IAS on the action plan to be implemented
in 2023 to mitigate the identified risks. These actions are part of on-going and continuous efforts by
DG TRADE to seek further improvement and efficiency in the way it operates.
1.3. Audit on European Commission actions against food fraud (DG AGRI, DG SANTE, OLAF)
The objective of the audit was to assess the adequacy of the design, and the efficiency and effectiveness of
the processes put in place by the audited services to prevent and detect food fraud and coordinate actions
against food fraud.
There were no reservations in the 2021 annual activity reports of Directorates-General that relate to the audited
area.
The fieldwork was finalised on 22 November 2022. All observations and recommendations relate to the
situation as of that date.
In line with the administrative arrangements between the Commission and OLAF, the scope of the audit did not
cover issues which fall under the OLAF Director-General’s independence of its duties with respect to
investigations. The audit work regarding OLAF therefore consisted of a review of documents on a general level,
without going into the investigative activities, and of interviews with relevant staff, and resulted in no finding or
recommendation. Given the outcome of the audit, no final report for OLAF was issued.
The IAS recognised the technical expertise of DG AGRI and DG SANTE staff involved in the management of EC
actions against food fraud and their strong commitment and dedication to the objectives, despite the high
workload and resource constraints.
The IAS identified three very important issues concerning the: (1) allocation of tasks between DG AGRI and DG
SANTE as regards organic food products, (2) screening of notifications and monitoring of detected potential
issues in Member States control systems, (3) functionalities of the current IT systems, and formulated seven
very important recommendations.
Allocation of tasks between DG AGRI and DG SANTE as regards organic food products (one very important recommendation addressed to DG AGRI)
DG AGRI, in collaboration with DG SANTE, should:
- taking into account the respective roles and responsibilities of DG AGRI and DG SANTE, lay down in writing the agreed allocation of tasks as regards audits on the control systems in organics to ensure sufficient coverage of the risks identified both in Member States and third countries,
- establish a procedure or automated solution for coordinating the screening of notifications and ensuring that notifications are made in both IT systems.
Screening of notifications and monitoring of detected potential issues in Member States control systems (two very important recommendations addressed to DG AGRI and DG SANTE)
DG AGRI should regularly screen both the intra-EU and third country notifications and systematically document
the identification and follow-up of potential organic food fraud cases on a risk basis, based on documented risk
criteria. DG AGRI should also establish internal guidelines on how to communicate with Member States in cases
of persisting non-compliance with the ‘organics regulation’ (2018/848).
DG SANTE should assess how the current IT tools can be improved or establish controls over the manual
overview based on the existing table to ensure its completeness.
Functionalities of the current IT systems (four very important recommendations addressed to DG AGRI and DG SANTE)
DG AGRI should improve the functionalities in the Organic Farming Information System (OFIS) to reduce the
need for manual intervention and improve data quality.
DG SANTE should:
- improve the functionalities in the integrated Rapid Alert System for Food and Feed (iRASFF) by implementing links between the different iRASFF networks,
- implement corrective measures to ensure appropriate user access rights in iRASFF, which should include periodical user access review.
DG AGRI and DG SANTE should:
- explore the possibility to introduce links between OFIS and iRASFF,
- jointly assess the possibility of using artificial intelligence and data mining tools, including required data quality improvements, in the current IT systems.
Additional information provided by DG AGRI and DG SANTE on the measures defined and/or implemented following the Internal Audit Service audit
DGs SANTE and AGRI accepted all audit recommendations and drafted an action plan (i) to lay down in
writing certain aspects of the allocation of tasks between DG AGRI and DG SANTE as regards organic
food products; (ii) to enhance the screening of notifications and monitoring of detected potential issues
in Member States control systems; (iii) to improve the functionalities of the current IT systems. The IAS
assessed the action plan as satisfactory.
1.4. Audit on the Commission’s control system in relation to the reliability of performance information on EU financial programmes (DG BUDG, SG)
The objective of the audit was to assess whether there was an adequate control system in place to support the
Commission in building assurance on the reliability of performance information on its financial programmes.
There were no reservations in the 2021 Annual Activity Reports of the SG and DG BUDG that relate to the
audited area.
The fieldwork was finalised on 16 September 2022. All observations and recommendations relate to the
situation as of that date.
The IAS recognised several strengths:
- The performance framework of the EU budget builds on solid foundations, as acknowledged by the Organisation for Economic Co-operation and Development (OECD) which concluded that ‘The EU system of budgeting for performance and results is advanced and highly specified, scoring more highly than any OECD country in the standard index of performance budgeting frameworks’. Under the 2021-2027 multi-annual financial framework, the Commission is committed to further develop this framework and to meet new needs in a changing world.
- The importance of reliability of reporting (as a cornerstone in the culture of transparency and accountability for public spending) has been emphasised by the Commission in various internal and external communications. In this context, while the IAS has identified a need to further develop certain aspects of its performance reporting, it noted that the Commission is already taking steps to further increase the quality of its key performance report (Annual Management and Performance Report and its annexes). In addition, the IAS welcomes the multiannual financial framework data quality control framework which has been recently developed, as well as recent or ongoing developments in IT systems which aim to improve storing and sharing performance information both within the Commission and with external stakeholders.
The IAS identified one very important issue concerning control activities and formulated two very important recommendations.
Control activities (two very important recommendations, addressed to the SG and DG BUDG):
The Secretariat-General and DG BUDG, as corporate services, should:
- further strengthen existing corporate guidance in relation to reliability controls by clarifying (for example in the instructions for the annual activity reports and/or in other forms of guidance) the operational services’ responsibility to report on their reliability controls which support the Statement of the Director(s) in charge of risk management and internal control (RMIC),
- verify, through central quality controls, that the above guidance is adequately implemented by the operational services,
- examine the results of the IAS survey in relation to IT systems and functionalities used for the information management process and assess, in the context of their further development, the improvement needs raised by operational services,
- steer the operational services in order to strengthen (and ensure it is based on common principles) the Commission’s control approach on the reliability of performance information on EU financial programmes. The control approach should adjust the intensity of controls to risks (considering, amongst other factors, the source of performance information). It could consider a system-based approach and a more extensive use of ‘assurance mapping’ (already in place in some DGs), which will allow a structured identification and assessment of sources of assurance and will help further substantiating the statements made by the Directors in charge of RMIC.
Additional information provided by DG BUDG and the SG on the measures defined and/or implemented following the Internal Audit Service audit
SG and DG BUDG prepared a joint action plan to implement the recommendations made by the IAS. The
IAS assessed this action plan as satisfactory in March 2023. The departments will work together to
implement the action plan. Some of the actions will be delivered in the course of 2023 (criteria for a
strengthened common control approach, revised instructions for Commission services), with the
complete plan to be implemented by mid-2024 (strengthen the Commission’s reporting process in its
key accountability reports such as the AARs and the AMPR).
Audit results were presented on the subsequent steps to the network of EU budget performance
correspondents from the different DGs in March 2023.
1.5. Audit on performance framework for research (CINEA, DG CLIMA,
DG ENER, DG MOVE, DG RTD, JRC (5))
The objective of the audit was to assess: (1) the effective implementation of the monitoring and reporting
system for the Horizon 2020 performance framework, and (2) the adequacy of the design of the new
performance framework for Horizon Europe.
There were no reservations in the 2021 annual activity reports of the audited services that relate to the audited
area.
The fieldwork was finalised on 5 December 2022. All observations and recommendations relate to the situation
as of that date.
The IAS acknowledged the efforts made by the audited services to ensure an effective implementation of the
monitoring and reporting system of Horizon 2020 and an adequate design of the performance framework for
Horizon Europe. In particular, the IAS highlighted the following strengths:
- The main monitoring tool (the Horizon dashboard) in place for Horizon 2020 and Horizon Europe allows
for an effective monitoring of the activities conducted by the services to achieve their objectives. The
Horizon dashboard is an interactive, user-friendly reporting platform that allows the visualisation and
filtering of Horizon data. It is an innovative monitoring and reporting tool and constitutes a best practice
at Commission level.
- The objective-setting process at cluster 5 (‘Climate, Energy & Mobility’ under Horizon Europe pillar II)
level was based on the co-creation of the strategic plan, led by DG RTD but involving various
Directorates-General early in the planning phase. Moreover, the objectives at cluster 5 level are aligned
with the programme objectives.
- In the context of Horizon Europe, DG RTD has put in place adequate processes to plan and acquire the
external data and skills needed for the operationalisation of the key impact pathways, which represents
significant challenges.
(5) In addition to the Commission Directorates-General and services, the audit also covered the Clean Aviation Joint Undertaking, which
is an EU autonomous body and therefore falls outside the scope of this report.
The IAS identified one very important issue concerning the reporting on Horizon programmes and formulated
one very important recommendation addressed to DG RTD.
Reporting on Horizon programmes
DG RTD should review the process for verifying the data that feed into the programme performance overviews
and programme statements and apply the four-eyes principle. In addition, it should maintain an adequate audit
trail for the figures disclosed in the Annual Management and Performance Report and the programme
statements to enable reperformance of the calculation if needed.
Additional information provided by DG RTD on the measures defined and/or implemented
following the Internal Audit Service audit
The action plan foresees that, based on verified data, a draft Programme Performance Statement will
be prepared by the services in cooperation with the Performance Framework Network. This will be
submitted to the Horizon Europe Executive Committee for endorsement. The fiche of the indicators for
the IT tool that contains the meta data will be updated based on the information to be received on the
origin of the data. The steps followed for the computation of the indicators will be detailed in a
supporting document.
1.6. Limited review on the reporting of the Commission’s preventive
and corrective measures (‘corrective capacity’) (DG AGRI, DG
BUDG, DG EMPL, DG INTPA, DG REGIO, DG RTD, REA)
The objective of the limited review was to assess whether: (1) the corporate instructions for the reporting on
the preventive and corrective measures to protect the EU budget were well designed and effectively
implemented by the sampled operational Directorates-General/services, and (2) the internal controls in place at
corporate and at Directorate-General/service level ensured that simple, clear and reliable information was
reported by the sampled operational Directorates-General/services in their annual activity reports (AARs), and
by DG BUDG in the Commission’s Annual Management and Performance Report (AMPR).
There were no reservations in the 2021 AARs of the Directorates-General/services reviewed that relate to the
area/process reviewed.
The fieldwork was finalised on 15 June 2022. All observations and recommendations relate to the situation as
of that date.
The IAS recognised the ongoing efforts of DG BUDG to improve the quality and clarity of the reporting on the
preventive and corrective measures in the AMPR for 2021. In particular:
- The AMPR provides a consolidated overview table of the preventive and corrective measures
implemented by both the Commission and the Member States (which were presented separately in the
previous AMPRs). The presentation of the table is simplified as it reports the implemented amounts
only (instead of amounts implemented and confirmed as in previous AMPRs) and presents the
information according to the multiannual financial framework headings, which facilitates the
comparison with figures presented in other tables of the AMPR that are structured in the same way
(for example reporting on the error rates). This consolidated (Member States and Commission) overview
is also presented, for the first time, on a multiannual basis (covering the period 2017-2021), providing
the reader with a simple and clear evolution of the overall corrective capacity over time.
- DG BUDG set up in 2020 a data quality process to promote the quality checks of the recovery context
information to be carried out by the Directorates-General/services. These checks contribute to
improving the accuracy, consistency, and efficiency of the Commission’s reporting on the preventive
and corrective measures. The vast majority of the quality checks were integrated in a ‘data quality
dashboard’ as of November 2021.
Furthermore, while improvements are still necessary in this regard, the IAS also acknowledged the ongoing
efforts of DG BUDG, together with DG REGIO and DG EMPL, to strengthen (in the AARs and AMPR) the
reporting on the corrections implemented by the Member States for the cohesion area. In particular, DG BUDG
requested the Directorates-General/services to provide a split of the corrections implemented by the Member
States: (1) according to their timing, preventive and corrective; and (2) by author, corrections resulting from
controls in EU bodies (Commission, European Court of Auditors and OLAF) and from controls in Member States.
To date, Directorates-General/services estimated (and reported in their 2021 AARs) the split of corrections by
author and committed to provide this information on a multiannual basis (since the beginning of the
programming period) in future AARs.
The IAS identified two very important issues concerning: (1) the availability of quantitative data and qualitative
information to substantiate the corrective capacity, (2) reporting on corrections in the AARs and AMPR and
formulated seven very important recommendations.
Availability of quantitative data and qualitative information to substantiate the corrective capacity
(three very important recommendations addressed to DG BUDG, DG EMPL and DG REGIO):
DG REGIO and DG EMPL should provide information in the AARs on:
- the preventive and corrective measures implemented by Member States (split ‘by time’),
- the preventive or corrective measures accepted and/or implemented by Member States on a
multiannual basis, since the beginning of the programming period(s), split ‘by author’ (preventive and
corrective measures as a result of: (1) Commission audits; (2) audits of the European Court of Auditors;
(3) OLAF investigations; (4) additional corrections requested by the Commission to ensure a risk at
closure below 2%; and (5) Member States controls/audits).
DG BUDG should:
- instruct the Directorates-General to compare, or briefly explain in their AARs, the relationship between
the ‘estimated future corrections’ and the ‘corrections implemented’,
- strengthen the reporting in the AMPR of the Commission’s overall corrective capacity by complementing
the existing data with additional information, to be provided by the DGs, on: (1) the split ‘by author’
and ‘by timing’ of the corrections accepted and/or implemented by Member States (as per
recommendations above addressed to DG REGIO and DG EMPL), and (2) the relationship between
estimated future corrections and corrections implemented (as per bullet above).
Reporting on corrections in the AARs and AMPR
(four very important recommendations addressed to DG AGRI, DG BUDG, DG EMPL and DG REGIO).
DG REGIO and DG EMPL should:
- explain clearly in their AARs the purpose and content of the table on ‘multi-annual corrective capacity’,
including any possible correlation/link with the estimated future corrections and the risk at closure,
- present in their AARs the financial corrections related to the EU share of public funding.
DG AGRI should:
- agree with DG BUDG on a way to align the reporting of the corrections implemented in both DG AGRI’s
AAR and the AMPR. The approach chosen should enable the comparison between the corrections
implemented and the method used by DG AGRI for the calculation of estimated future corrections.
Significant differences (if any) between DG AGRI’s AAR and AMPR on reported amounts should be
briefly explained,
- report in its AAR on the European Agriculture Fund for Rural Development recoveries not reimbursed
to the Commission but reused by the Member States to ensure consistency with the AMPR,
- align the terminology used in its AAR for the ‘corrective capacity’ with the terminology used in the AAR
instructions, to ensure consistency across DGs AARs and with the AMPR.
DG BUDG should:
- clarify the consolidated overview table of the AMPR on preventive and corrective measures by: (1)
specifying the criteria for the split of corrections between ‘implemented by Member States’ and
‘implemented by the Commission’, (2) further clarifying (particularly for the cohesion area) to which
programming period(s) the corrective measures implemented are linked, and (3) revising the
format/presentation of this table (consider following the sequencing of controls) and discontinue the
comparison (in percentage) between the total amounts corrected (including preventive) and the
relevant expenditure,
- ensure that the information needed in the AMPR is requested in the AAR instructions and thus reported
in the AARs of the DGs to ensure consistency between the individual AARs and the AMPR. In particular,
DG BUDG should agree with DG AGRI on a consistent reporting of the corrections implemented in both
DG AGRI’s AAR and the AMPR,
- in the context of the peer review of the AARs, remind the Directorates-General/services
concerned of the need to briefly explain the root-causes of important variations in the financial
corrections and recoveries implemented compared with the previous years. Based on this information
at Directorate-General level, DG BUDG should provide the relevant explanation in the AMPR where there
are significant variations at the level of the Commission as a whole,
- reintroduce the glossary of terms in the AMPR, with clear and consistent definitions on corrective
capacity matters,
- clarify and revise the content of the financial table ‘Recovery of payments’ to ensure it is correctly
interpreted and used by the Directorates-General.
Additional information provided by DG AGRI, DG BUDG, DG EMPL and DG REGIO on the
measures defined and/or implemented following the Internal Audit Service audit
The deadline for the two very important recommendations is June 2023 and both are already partially
implemented.
DG AGRI accepted all recommendations from the IAS (important and very important) and submitted the
respective action plans that were assessed as satisfactory to mitigate the risks identified by the IAS.
The recommendation on the consistency of the reporting on corrections in the annual activity
reports and Annual Management and Performance Report, stemming from the limited review on the
reporting of the Commission’s preventive and corrective measures (‘corrective capacity’), has been
implemented by DG AGRI within the deadline and is currently under review by the IAS.
DGs REGIO and EMPL accepted the IAS recommendations to provide in their AARs the data on preventive
and corrective measures implemented by the Member States (including split ‘by author’) and to clearly
explain the purpose and content of the table on ‘multi-annual corrective capacity’ and present the
financial corrections related to the EU share of public funding. Following these recommendations, both
the REGIO and EMPL AARs report on the preventive and corrective measures implemented by Member States
(including split ‘by author’, notably in Annex 7H) and present a multi-annual overview of the financial
corrections accepted and/or implemented by Member States (see part 2.1.1., section 1, ‘Conclusion on
the protection of the EU budget in 2022’ and Annex 7H). Additionally, this annex further explains the
purpose and content of the ‘multi-annual corrective capacity’ table and presents the financial corrections.
Finally, the amounts of corrections accepted by the Member States (on request from the Commission)
present the part related to the EU share of public funding. DG BUDG accepted all recommendations
from the IAS (2 very important and 1 important), and the submitted action plans were assessed as
satisfactory by the IAS. DG BUDG considers all actions with deadline of December 2022 and April 2023
as implemented, pending the corresponding IAS assessment.
1.7. Audit on physical security of persons and assets in the
Commission (DG COMM, DG DIGIT, DG HR, OIB, OIL)
The objective of the audit was to assess if the Commission established an adequate governance, risk
management and internal control framework for physical security to protect its employees and safeguard its
assets.
There were no reservations in the 2021 annual activity reports of the DGs covered by the audit (DG HR, DG
COMM, DG DIGIT, OIB and OIL) that relate to the audited process.
The fieldwork was finalised on 30 June 2022. All observations and recommendations relate to the situation as
of that date.
The IAS acknowledged the good coordination and support provided by DG HR’s Security Directorate to the Local
Security Officers (LSOs). This was confirmed by the LSOs in their responses to an IAS survey aimed at better
understanding how the role of the LSOs is implemented in practice across the Commission and its
Representations and to collect feedback on DG HR’s activities and support related to physical security. According
to the results of the survey, the vast majority of LSOs consider that the support provided by DG HR’s Security
Directorate is adequate. The survey also confirms that the headquarters of the relevant DGs provide good
coordination and support to the LSOs in the Commission Representations.
The IAS noted that a number of security measures implemented in the last few years, such as the establishment
of the Berlaymont Welcome Centre, the overhaul of physical security systems at the Stevin car park entrance
of the Berlaymont and the installation of hostile vehicle mitigation systems on rue de la Loi, have mitigated the
security risk for Commission staff.
Furthermore, the IAS noted that, when implemented, projects and initiatives such as the EU PAX project for an
integrated IT system for managing buildings’ access or the projects to enhance protection against hostile
vehicles for Charlemagne and Berlaymont buildings, are expected to bring improvements to security aspects.
The IAS identified three very important issues concerning:
Governance framework and organisational arrangements for physical security at the
Commission
One very important recommendation addressed to DG HR on comprehensiveness of the security strategy,
organisational structure, arrangements with other Commission services and quality of security policies,
procedures and guidance.
One very important recommendation addressed to DG COMM on Commission and European Parliament office
security rules.
Risk management framework for physical security at the Commission
Two very important recommendations addressed to DG HR and DG COMM on the assessment of security risks.
Internal control measures for physical security
One very important recommendation addressed to DG HR regarding incident management, internal crisis
management, supervision of guarding service, and security inspections.
Additional information provided by DG HR and DG COMM on the measures defined and/or
implemented following the Internal Audit Service audit
DG HR and DG COMM submitted a joint action plan, which was duly approved by the Internal Audit
Service. Its full implementation is due by 31 December 2023 and is in progress.
1.8. Audit on the protection of personal data under the responsibility
of EACEA, EISMEA, CINEA, REA, ERCEA and the CIC (CINEA, DG RTD,
EACEA, EISMEA, ERCEA, REA)
The objective of the audit was to assess whether the Executive Agencies, supported by the CIC, put in place an
effective and efficient internal control system for the protection of personal data, in compliance with the key
provisions of the EU Data Protection Regulation, Regulation 2018/1725 (EUDPR).
There were no reservations in the 2019 to 2021 annual activity reports of the Executive Agencies and DG RTD
that related to the audited processes.
The fieldwork was finalised on 28 March 2022, except for the finding on controllership of the funding and
tenders’ portal, which was finalised on 1 June 2022. The respective observations and recommendations relate
to the situation as of those dates.
The IAS recognised that the CIC has set up a solid governance structure aimed at helping to address common
questions on the management of personal data. It has taken early actions to clarify joint controllership issues,
for example by requesting, together with the Data Protection Officers of certain agencies and joint undertakings,
advice from the European Data Protection Supervisor.
The auditors recognise the efforts made by CINEA, EACEA, EISMEA, ERCEA and REA to achieve compliance with
the EUDPR, particularly when faced with a changing landscape, which included a reshuffling of portfolios, a new
multiannual financial framework, the transfer of programmes under the eGrants infrastructure and continuing
uncertainty on the issue of the transfer of personal data to third countries following the Schrems II judgement.
The respective Data Protection Officers actively cooperate with the Data Protection Officers of the other
Executive Agencies and the Data Protection Controller of DG RTD to help find collective solutions for common
issues faced by the Agencies, for example the controllership of processes involving corporate systems.
The IAS identified two very important issues concerning the: (1) controllership of the funding and tenders’ portal,
and (2) transfer of personal data to third countries, and formulated two very important recommendations.
Controllership of the funding and tenders’ portal
(one very important recommendation addressed to DG RTD)
The CIC, as the Chair of the GPSB, should take necessary steps to ensure the urgent:
- finalisation of a JCA and JC record that cover all parties and all processes for the 2021-2027
multiannual financial framework,
- update of the privacy notice to reflect the new record and JCA.
Transfer of personal data to third countries
(one very important recommendation addressed to DG RTD)
DG RTD should ensure that automatic transfers of personal data to third countries are avoided altogether or
take place exclusively using a proper transfer tool as per the EUDPR.
Additional information provided by DG RTD on the measures defined and/or implemented
following the Internal Audit Service audit
Recommendation on the Joint Controllership Agreement (JCA) and Joint Controllership (JC) record for
Funding and Tenders Portal, rated 'very important', with original due date on 31/03/2023.
The implementation of the action plan depended on the approval of the joint-controllership record and
privacy statement covering all jointly processed personal data operations via the Single Electronic Data
Interchange Area. The joint controllership record and Privacy Statement are not yet approved. Progress
has been made and the final comments of the Commission’s Data Protection Officer are under the
scrutiny of the Chair of the Data Protection Corporate Working Group. Moreover, following the successful
roll-out of the eProcurement pre-contracting solution, the eProcurement programme is now preparing
to start the corporate roll-out of its contract management solution. In this respect, the eProcurement
jointly processed personal data operations will be included in the text of the Joint-Controllership
Arrangement.
Recommendation on ‘Correct legal context for transfers of personal data to third countries’, rated 'very
important', with due date on 31/03/2023. This has been implemented. The transfers of personal data
through the Portal to third countries take place exclusively using a proper transfer tool as per the EU
Data Protection Regulation 2018/1725. The international transfers that were audited no longer take
place: no data of representatives of applicants/beneficiaries will be sent by the Commission/Executive
Agencies to the funding agencies in third countries. They are invited to contact their own
national institutions themselves, in line with the guidance on complementary funding mechanism in third countries.
1.9. Audit on programme implementation – phase 1 (from work
programme to call evaluation and grant preparation) of the
Connecting Europe Facility (CINEA, DG ENER, DG MOVE)
The objective of the audit was to assess the adequacy of the design and the effectiveness and efficiency of
CINEA's management and internal control system for the first phase (from call to grant agreement) of the grant
management process for the implementation of the Connecting Europe Facility (CEF) 2021-2027 Transport and
Energy sectors of the 2021-2027 CEF, in compliance with the applicable rules and regulations. In particular, the
audit assessed whether: (1) the controls in place provide reasonable assurance regarding compliance with the
relevant legislation; (2) the calls for proposals effectively support the achievement of the programmes'
objectives; (3) the processes in place ensure that the highest quality projects are selected and translated into
grant agreements, in compliance with the applicable rules; and (4) the supervision of CINEA by its parent DGs
is adequate.
In the 2021 annual activity report, the declaration of assurance was qualified by a reservation concerning the
CEF Energy error rate with a residual error rate of 2.52%. This reservation was not relevant for this audit as it
referred to the previous CEF programme (CEF 1, 2014-2020).
The fieldwork was finalised on 9 August 2022. All observations and recommendations relate to the situation as
of that date.
The IAS identified the following strengths:
- The experience accumulated over several programming periods by the Innovation and Networks
Executive Agency (6), DG MOVE and DG ENER staff has ensured a good knowledge of the grant
preparation process, as well as a forward-thinking approach to implementing effective solutions based
on identified good practices.
- The close cooperation and the good working relations between CINEA and its parent Directorates-
General for the CEF Energy and Transport sectors ensure smooth information flows and alignment of
objectives. This cooperation has also allowed the Directorates-General and CINEA to work on the CEF
Energy and Transport multiannual work programmes in parallel to the finalisation of the legislative
procedure of the CEF regulation, avoiding excessive delays in the launch of the new CEF.
The IAS did not formulate any critical or very important recommendations.
1.10. Audit on the design and early implementation of European
Innovation Council (DG CNECT, DG RTD, EISMEA)
The objective of the audit was to assess the adequacy of the design of governance and internal control systems
in place and the effective implementation of the initial stages of the European Innovation Council (EIC) pillar
under Horizon Europe by EISMEA, DG RTD and DG CNECT.
There were no reservations in the 2021 Annual Activity Reports of the DG RTD, DG CNECT and EISMEA that
relate to the audited processes.
The fieldwork was finalised on 9 December 2022. All observations and recommendations relate to the situation
as of that date.
The IAS identified two critical and four very important issues concerning the: (1) governance framework of the
EIC programme; (2) design of the EISMEA’s internal control environment in relation to the EIC; (3) roadmap for
the transition to the long-term solution for the EIC Fund; (4) evaluation process for the EIC calls; (5) EIC Fund –
assurance building blocks (reporting process and monitoring of the administrative budget); and the (6) EIC
Accelerator IT services and tools, and external IT service providers. The IAS formulated two critical and five very
important recommendations.
Governance framework of the EIC programme
(one critical recommendation addressed to DG RTD)
DG RTD should finalise the memorandum of understanding for Horizon Europe, together with EISMEA and DG
CNECT, ensuring that it reflects all the key activities performed by EISMEA, including those related to the EIC
Fund. Moreover, DG RTD, with the support of EISMEA and in consultation with the responsible central services,
should prepare a proposal to revise the delegation instrument (Commission Decision C (2021) 949) in view of
the revised governance of the EIC Fund, and clearly define the roles and responsibility of DG RTD and EISMEA
towards the management of the EIC Fund. It should also define clear rules on the conflict of interests. Finally,
it should analyse the staffing needs related to the capacity of DG RTD to supervise and monitor the EIC
programme and EIC Fund and align the staffing to needs identified.
Design of EISMEA’s internal control environment in relation to the EIC
(one critical recommendation addressed to EISMEA)
(6) By Commission Implementing Decision (EU) 2021/173, the Innovation and Networks Executive Agency (INEA) was replaced by the
new European Climate, Infrastructure and Environment Executive Agency (CINEA) on 12 February 2021.
EISMEA, under the supervision of the parent Directorates-General and with the support of DG RTD and following
the established validation workflows, should update its control and anti-fraud strategies to reflect specificities of
the EIC programme and, in collaboration with DG RTD’s CIC, complete its internal guidance/manual of procedures
for the evaluation process to cover adequately for all strands of the EIC programme.
Roadmap for the transition to the long-term solution for the EIC Fund
(one very important recommendation addressed to DG RTD)
DG RTD, with the support of EISMEA, and of the responsible central services, should carry out a comprehensive
assessment of the implications of the new EIC Fund management arrangements, in terms of supervision
strategy, control environment, staffing, and relations with the key stakeholders. The assessment should also
include an evaluation of the resources necessary for DG RTD to be able to exercise its supervisory role on
EISMEA. Furthermore, based on this assessment, DG RTD, with the support of EISMEA, should develop a roadmap
or an action plan set-up (and, where necessary, for the transition period), in which the key actions, resources,
milestones and corresponding responsible entities are identified.
Evaluation process for the EIC calls
(one very important recommendation addressed to EISMEA)
EISMEA, in cooperation with DG RTD (CIC), should analyse the effectiveness of the various tools/solutions
currently used by the units and define the approach for the Agency as regards conflict of interest checks. It
should also appoint observers in the EIC Accelerator calls as stipulated in Horizon Europe guidance.
EIC Fund assurance building blocks - reporting process and monitoring of the administrative budget
(two very important recommendations addressed to EISMEA and DG RTD)
For the fiscal year of 2022, EISMEA should, under the supervision of DG RTD, ensure that all reporting obligations
of the EIC Fund stipulated in the statutory and governing documents of the Fund are performed in a timely
manner. EISMEA should report on key elements related to the management of the EIC Fund in its 2022 annual
activity report, and monitor and report on the administrative budget of the EIC Fund.
For the fiscal year of 2023, depending on the final arrangements decided for the EIC Fund as regards the
management mode, DG RTD (with the support of EISMEA, the Alternative Investment Fund Manager/Fund
manager under direct management, and/or the European Investment Bank under indirect management) should
ensure that the tasks and responsibilities related to the monitoring and reporting obligations (including the
administrative budget) of the EIC Fund are clearly specified in the key governance documents.
EIC Accelerator IT services and tools, and external IT service providers
(one very important recommendation addressed to EISMEA)
EISMEA, in cooperation with DG RTD (CIC), should finalise the IT security plan and perform the vulnerability testing
for the various components of the EIC IT tools for the EIC Accelerator. It should also inform the Information
Technology and Cybersecurity Board of the latest developments by providing updated and completed project
charters of all EIC IT tools and update the relevant information in the corporate tool for management of
information systems (GovIS2). Furthermore, the Agency should assess the current contract and agreement and
conclude on the relevance of the service provided for the user needs and, on this basis, as well as on the lessons
learnt from the EIC pilot, define an EIC IT strategy covering the specific IT tools to support the implementation of
the three EIC strands (in particular the EIC Accelerator). In addition, EISMEA should submit the IT strategy to the
relevant services/bodies for endorsement, following consultation of DG RTD (CIC).
Additional information provided by DG RTD, EISMEA and DG CNECT on the measures defined
and/or implemented following the Internal Audit Service audit
The action plan for the audit on the design and early implementation of the EIC was sent for validation
to the IAS.
Recommendation on governance framework of the EIC programme, rated ‘critical’; the joint (DG RTD,
DG CNECT and EISMEA) Action Plan has been finalised and is being implemented.
DG RTD (and the other auditees) accepted the recommendation and, according to the adopted joint
Action Plan, committed to sign a Memorandum of Understanding between EISMEA, DG RTD and DG
CNECT, reflecting the roles, responsibilities and cooperation modalities, in particular, those related to
the management of the EIC Fund, implementing the interim solution, as well as to revise it after the
finalisation of the negotiations for the adoption of the long-term solution (indirect management). DG
RTD will also prepare a proposal of Commission Decision to revise the delegation instrument, with a
clear definition of the tasks delegated to EISMEA.
DG RTD, with the support of EISMEA, will also finalise the relevant documents (including the contribution
agreement with the EIB, the delegation instrument, Conflict of Interest provisions in the Rules of
Procedures of the EIC Board, and the quadripartite MoU between the Commission, AIFM, EIB and EISMEA)
to address the conflict of interest, including clear definition and attribution of roles and responsibilities
of the different actors participating in the EIC Fund governance and precise instructions on conflict of
interest/incompatibility.
Finally, DG RTD, with the support of EISMEA, will carry out a documented analysis of the workload and
related staffing needs, based on the responsibilities of DG RTD (including supervising and monitoring
the implementation of the EIC programme and preparing the EIC Work Programme). DG CNECT will be
associated for the EIC Work Programme activities and its supervision and monitoring role. This is meant
to result in the adoption of an options paper/roadmap to align the level of staffing to the needs
identified.
Recommendation on the roadmap for the transition to the long-term solution for the EIC Fund, rated
‘very important’.
DG RTD committed to carry out a documented assessment of the implications (for DG RTD and EISMEA)
of the new set up (indirect management) in terms of supervision strategy, control environment, staffing
and relations with key stakeholders, including the resources necessary for DG RTD to exercise its
supervisory role. Furthermore, and on the basis of the guidance of the Commissioners’ project group,
DG RTD will adopt a roadmap for the long-term set up, including the key actions, resources, milestones
and responsible entities, including, as necessary, a further amendment of the MoU and the Delegation
Act.
Recommendation on the EIC Fund assurance building blocks (reporting process and monitoring of the
administrative budget), rated ‘very important’
DG RTD committed to clarify the tasks and responsibilities for (EIC Fund) reporting under both the interim
solution in 2023 and the long-term solution in the Delegation instrument and in the MoU. These
reporting requirements will be part of the four-party agreement between COM, EISMEA, EIB, AIFM
including provisions on the coordination by EISMEA between the grant and investment component.
The joint action plan to address the 14 recommendations deriving from the ten findings has been agreed
between DG RTD, DG CNECT and EISMEA and submitted to the IAS on 22 February 2022.
The audit was closed in January 2023. Although the final report is considered critical, CNECT is only
involved as associated DG in one sub-recommendation which is related to the governance framework
of the EIC programme.
1.11. Limited review of the Recovery and Resilience Facility control and
audit strategies in DG ECFIN
The objective of the limited review was to assess whether DG ECFIN designed adequate control and audit
strategies for the Recovery and Resilience Facility (RRF) enabling it to obtain reasonable assurance on: (1) the
legality and regularity of the use of payments, and (2) the effectiveness of Member States’ control systems to
protect the financial interests of the Union.
There were no reservations in the 2021 AAR of DG ECFIN that relate to the area/process audited.
The fieldwork was finalised on 15 March 2022. All observations and recommendations relate to the situation
as of that date.
The IAS acknowledged progress already made by DG ECFIN in setting up the RRF control and audit strategies.
This has been a challenging task due to the complexity of both the operational environment and the instrument’s
legal framework, coupled with extreme time pressure to approve the national Recovery and Resilience Plans
(RRP) and the first regular payment requests. Key milestones achieved include:
A new organisational structure in DG ECFIN to fulfil the new Commission’s responsibilities in the
implementation of the RRF. This includes the creation of a dedicated centralised unit for controls and
audits, which provides needed guidance and support to the implementation of the RRF both within the
DG and, more widely, in the Commission.
The setting up of a coordination mechanism with other Commission services, which enables, among
others, an effective review of the RRPs and the assessment of milestones and targets before
proceeding with the regular payments to Member States.
The completion of the design of the control architecture to ensure compliance with the legality and
regularity aspects of the programme. This includes processes for the assessment of RRPs and the
payment requests against agreed milestones and targets as well as multi-level audits to be performed
throughout the lifecycle of the instrument.
The IAS identified two very important issues concerning the: (1) measures for prevention, detection and
follow-up of serious irregularities, double funding and serious breaches of the Financing Agreement, and
(2) suspension of payments and reduction of support due to not satisfactorily fulfilled milestones and
targets. The IAS formulated two very important recommendations.
Measures for prevention, detection and follow up of serious irregularities, double
funding and serious breaches of the Financing Agreement and the Suspension of
payments
DG ECFIN should finalise the criteria for assessing the compliance of the Member States’ control systems with
the key requirements, and complete the audit methodology for the system audits on the protection of the
financial interests of the European Union by identifying the risk assessment process to be applied when defining
the scope of the work. In addition, DG ECFIN should elaborate the framework and the set of activities to be
implemented to avoid double funding of the same cost by the RRF and other Union programmes, and improve
the process to prepare, approve and distribute the guidance to the Member States.
Suspension of payments and reduction of support due to not satisfactorily fulfilled
milestones and targets
DG ECFIN should adopt a methodology for the suspension of payments and reduction of support in case
milestones and targets for a particular payment request have not been partially or fully met, and a methodology
on the application of corrections in cases where the ex post substantive test results indicate material errors in
the assessment of the achieved milestones and targets.
Additional information provided by DG ECFIN on the measures defined and/or implemented
following the Internal Audit Service audit
DG ECFIN finalised its action plan aiming to address the five recommendations in the report (including
2 very important ones) and to be implemented in 2023. As set out in the 2022 Annual Activity Report
of the Directorate-General for Economic and Financial Affairs, most of these weaknesses have already
been addressed, including through a Commission Communication [7] issued on 21 February 2023. One
sub-recommendation has been rejected by DG ECFIN. It concerns the development by DG ECFIN of
internal guiding principles for the consultation of other Commission services prior to the inter-service
consultation (during the preliminary assessment).
1.12. Audit on the effectiveness and efficiency of Eurostat’s
performance management system
The objective of the audit was to assess the adequacy of the design and the efficiency and effectiveness of the
performance management system put in place by DG ESTAT to plan, monitor and report on the achievement of
its key objectives.
There were no reservations in the 2021 Annual Activity Report of DG ESTAT that relate to the audited process.
The fieldwork was finalised on 21 October 2022. All observations and recommendations relate to the situation
as of that date.
The IAS recognised the ongoing efforts made by DG ESTAT to design and implement an effective performance
management process and observed the following strengths in relation to the audited process.
DG ESTAT aligned objective and performance indicators of the strategic planning and programming
(SPP) cycle with the performance management framework for the Single Market Programme, through
which the Directorate-General finances its activities.
DG ESTAT communicated to staff the SPP objectives by making the objectives and output indicators
available in the planning, monitoring and reporting tool in addition to the usual publication of strategic
and management plans on its intranet.
DG ESTAT implemented a robust and well documented process to monitor and report on performance
management.
The monitoring and reporting on objectives and indicators are performed twice per year.
The IAS did not formulate any critical or very important recommendations.
[7] COM (2023) 99 final specifies in its annex the methodology to determine partial suspension and partial
payments in the context of the RRF
1.13. Audit on studies used for policy making in DG MOVE
The objective of the audit was to assess whether DG MOVE had put in place an adequate internal control system
to ensure that all the stages of the studies’ lifecycle are effectively and efficiently managed, and in accordance
with the applicable legislation and corporate guidance.
There were no reservations in the 2021 Annual Activity Report of DG MOVE that relate to the audited area.
The fieldwork was finalised on 28 March 2022. All observations and recommendations relate to the situation
as of that date.
The IAS recognised the ongoing efforts made by DG MOVE to strengthen the internal controls in the procurement
process and improve the quality of tender documents through the active support of the Legal Sector in Unit
SRD.1. The use of the Vigie system, supported by annual training courses, contributes to coordinating the studies
requests and optimising the use of budget resources.
The IAS did not formulate any critical or very important recommendations.
1.14. Limited review on the implementation of the action plans for the
reduction of the Horizon 2020 error rate and for simplifications
to reduce the Horizon Europe error rate in DG RTD
The objective of the limited review was to assess the extent to which the action plans to reduce the error rate
for Horizon 2020 and to bring simplifications for Horizon Europe had been implemented by DG RTD (through
the Common Implementation Centre) and are likely to effectively contribute to the above-mentioned objectives.
There were no reservations in the 2020 Annual Activity Report of DG RTD (hosting the Common Implementation
Centre, Directorate RTD.H) concerning the scope of this limited review.
The fieldwork was finalised on 1 February 2022. All observations and recommendations relate to the situation
as of that date.
The IAS recognised the significant and ongoing efforts made by DG RTD to implement the action plans, while
being confronted with important challenges marked by the transition from the 2014-2020 programming period
to the 2021-2027 EU Multiannual Financial Framework and the COVID-19 pandemic. Moreover, the progress of
a number of actions was closely linked to exchanges and coordination with internal (Commission) or external
(EU institutions) partners.
In this context, the priorities and the focus of the activities of the Common Implementation Centre were on the
finalisation of the 2021 audit campaign for Horizon 2020 and on horizontal tasks related to the set-up of the
new programming period: the finalisation of the preparation and the adoption of the Horizon Europe regulation
and implementing decisions, the reorganisation of DG RTD and the preparation and implementation of new
mandates of the implementing bodies in the research family (executive agencies and joint undertakings).
As regards the two action plans for the reduction of the error rate for Horizon 2020 and the simplification under
Horizon Europe, the IAS noted that DG RTD, through the CIC:
Promoted the launch of the Research and Innovation Network for Ex Ante Controls (‘RINEC’), whose aim
is to enhance the efficiency and effectiveness of ex ante controls, by discussing, disseminating and
exploiting best practices.
Put in place new solutions to raise the awareness of a high number of beneficiaries and providers of
certificates of financial statements regarding reporting on specific costs under Horizon 2020.
The IAS identified one very important issue concerning the effective implementation of the action plans and
formulated one very important recommendation.
Re-assessment of the action plans
On the basis of the lessons learnt from the first year of implementation of the action plans, DG RTD, in
coordination with DG BUDG, should:
- re-assess the action plans (including the analysis of the contribution of the actions already
  implemented to address the root causes of the error rate) and revise them where necessary to ensure
  that they prioritise those measures which are most likely to effectively address the root causes of
  errors and hence further contribute to the reduction of the error rate,
- at the level of the individual actions, define the next steps to fully implement them in line with the
  prioritisation established.
This recommendation was partially accepted by the auditee.
Additional information provided by DG RTD on the measures defined and/or implemented
following the Internal Audit Service audit
DG RTD has partially rejected the ‘very important’ recommendation and accepted the related residual
risks based on the following: DG RTD considers the establishment of a clear cause-effect relation
between individual actions of the plans and related reductions of the error rate as not feasible.
Moreover, the measurement of the error rate reduction by ex-post audits comes with a significant delay
after the implementation of the actions, since they affect cost statements that are submitted by
beneficiaries after these actions and are audited yet much later.
However, following this IAS audit, and based on the original action plans agreed with central services,
DG RTD has prepared a reprioritized Action Plan to both reduce the error rate on Horizon 2020 and
prevent a high error rate in Horizon Europe. The highest priority has been set on communication, both
external and internal. Dedicated webinars and trainings addressed to beneficiaries, in particular most
error prone beneficiaries, have been organized all along the year for both Horizon 2020 and Horizon
Europe. Enhanced trainings on reporting and payments and audit implementation addressed to internal
staff have also been organized as part of this communication plan and the Horizon Europe Ex ante
controls guidance has been approved and published. Regarding the increased use of simplified cost
options, the European Court of Auditors recently provided feedback following their assessment of 10
lump sum grants. The Commission will discuss the results with the Court in April 2023 and update the
lump sum methodology if and as needed, including the audit methodology. Since the start of Horizon
Europe, DG RTD has massively improved the support and guidance for lump sums. All relevant
information is available online in one place for internal and external users, respectively. This includes
all internal and external events of the information campaign. Tools and guidance are continuously
improved following the feedback received, for example the detailed budget table and FAQs. In line with
the action plan, we launched the first significant wave of lump sum topics in Horizon Europe work
programme 2023-2024, with lump sums accounting for up to 23% of the call budget in 2024. On this
basis, DG RTD is proceeding with the roll-out of lump sums in Horizon Europe in the years to come.
There is an agreement that the ERC will use lump sums for Advanced Grants awarded following the
2024 calls. DG RTD and EISMEA have started to explore the use of lump sums for European Innovation
Council (EIC) grants. Further increases of lump sums in Pillar 2 will be explored in time for the 2025
work programme. In addition, the preparations for a unit personnel cost scheme are ongoing in view of
adopting the necessary Commission decision and adapting IT tools and guidance. Besides, a
questionnaire on costs reporting on Horizon 2020 has been relaunched and the answers provided by
beneficiaries have been analysed and will feed future trainings and webinars. Also, a personnel costs
wizard for Horizon Europe which will help beneficiaries declare their personnel costs is currently under
development and should be finalized in 2023. Finally, DG RTD is participating in a longer-term corporate
project led by DG BUDG on the use of artificial intelligence and data analysis to prevent errors.
1.15. Audit on performance management in DG TAXUD
The objective of the audit was to assess the adequacy of the design and the efficiency and effectiveness of the
performance management system put in place by DG TAXUD to plan, monitor and report on the achievement
of its key policy objectives.
There were no reservations in the 2020 Annual Activity Report of DG TAXUD that relate to the audited area.
The fieldwork was finalised on 18 November 2022. All observations and recommendations relate to the
situation as of that date.
The IAS acknowledged several strengths.
Effective coordination
Unit TAXUD.E.2 (‘Inter-institutional relations, coordination, communication and strategic planning’)
coordinates effectively the strategic planning and programming (SPP) exercise and supports the
operational units in the process of the preparation of the SPP documents.
Monitoring of the customs and tax action plans
For the purpose of monitoring the customs and tax action plans, DG TAXUD has set up a ‘traffic light
system’, which provides user-friendly information for senior management about the progress of
activities and actions.
Several of DG TAXUD’s operational units prepare ‘concept notes’ to keep the Director-General informed
on the activities undertaken on customs and tax action plan initiatives.
The IAS did not formulate any critical or very important recommendations.
1.16. Limited review of the internal control framework in DG TAXUD
The objective of the limited review was to assess if the Authorising Officer by Delegation (AOD) of DG TAXUD
performed an adequate assessment of the presence and functioning of all internal control principles and
components as laid down in the Commission communication on the revision of the internal control framework
(ICF), adapted to its own circumstances.
There were no reservations in the 2020 Annual Activity Report of DG TAXUD that relate to the audited area.
The fieldwork was finalised on 18 November 2022. All observations relate to the situation as of that date.
The IAS identified the following strengths:
Clear allocation of roles and responsibilities within the DG in ICF matters.
Balance between the effective monitoring of the ICF by the coordinating unit E1 and the contribution
from operational units (for example assessment at the level of the internal control monitoring criteria).
Comprehensive set of indicators to assess the presence and functioning of internal control principles,
targeted to the Directorate-General’s needs and specific context.
Effective use of DG BUDG’s tools and templates to support: (1) the assessment of the internal control
monitoring criteria, and (2) the assessment at internal control principle, component and standard levels.
The use of a comprehensive data source for evaluating each internal control monitoring criterion.
The IAS did not formulate any critical or very important recommendations.
Cohesion, Resilience and Values
1.17. Audit on the preparedness of DG EAC’s management and control
systems for the implementation of the 2021-2027 Erasmus+
programme
The objective of the audit was to assess if DG EAC designed and put in place efficient and effective processes
to ensure the preparedness of the management and control systems for the implementation of the 2021-2027
Erasmus+ programme.
There are no reservations in the 2021 Annual Activity Report of DG EAC related to the 2014-2020 and 2021-
2027 Erasmus+ programmes.
The fieldwork was finalised on 14 October 2022. All observations relate to the situation as of that date.
The IAS identified the following strengths:
Clear allocation of roles and responsibilities for the implementation of the 2021-2027 Erasmus+
programme within DG EAC.
Comprehensive set of guidance documents for the preparation, programming, implementation, and
review of the 2021-2027 Erasmus+ programme, including aspects related to horizontal priorities and
anti-fraud measures.
Comprehensive set of internal procedures for the assessment of the deliverables of the national
authorities, national agencies, and independent audit bodies.
Extensive involvement of the national agencies in the preparation and programming of the 2021-2027
Erasmus+ programme (co-creation).
Expertise of DG EAC’s staff involved in the preparation, programming, implementation and review of
the 2021-2027 Erasmus+ programme.
The IAS did not formulate any critical or very important recommendations.
Natural Resources and Environment
1.18. Audit on DG AGRI’s management of the wine market
The objective of the audit was to assess whether DG AGRI put in place an adequate internal control system for
the effective and efficient implementation of the National Support Programmes in the wine sector by the
Member States.
The following reservations were made in the 2021 Annual Activity Report concerning specifically the
area/process under the scope of this audit engagement:
In the wine sector, DG AGRI audits found deficiencies (Spain, Hungary) and the Member State (Hungary)
reported an error rate above materiality. The Certification Body also identified deficiencies in Spain.
Under the wine crisis distillation measure, DG AGRI identified deficiencies in the checks setting up of
price for wine distillation, possible creation of artificial conditions to receive the aid, and the price paid
to distillers in Romania.
The fieldwork was finalised on 27 September 2022. All observations and recommendations relate to the
situation as of that date.
The IAS recognised the technical expertise of DG AGRI staff involved in the management of the National Support
Programmes in the wine sector and their strong commitment, in spite of the high workload stemming from DG
AGRI’s transition towards the new Common Agricultural Policy and the challenges resulting from the current
geopolitical and climatic situation.
The IAS identified one very important issue concerning the monitoring of performance and formulated one very
important recommendation.
Monitoring of performance
DG AGRI should:
- develop guidance to the Member States on the applicable requirements as regards the data to be
  reported on interventions in the wine sector under the Common Agricultural Policy Strategic Plans (by
  means of Annex V to Implementing Regulation (EU) 2022/1475),
- ensure that Member States’ Annex III notifications under the current five-year programme of the
  National Support Programmes are systematically analysed and documented in a consistent manner so
  that they can be used in the monitoring of the wine sector.
Additional information provided by DG AGRI on the measures defined and/or implemented
following the Internal Audit Service audit
DG AGRI accepted all recommendations from the IAS (important and very important) and submitted the
respective action plans that were assessed as satisfactory to mitigate the risks identified by the IAS.
1.19. Gap analysis review of the new Common Agricultural Policy
2023-2027 in DG AGRI
Pursuing similar objectives as the ones set for the review of the gap assessment performed in 2014 on the
Common Agricultural Policy (CAP) for the period 2014-2020, this gap analysis review identified the main
differences (‘gaps’) between the initial Commission proposals for the 2023-2027 CAP and the final regulations
adopted. It has assessed the resulting main management challenges and associated risks with a view to
enabling the Commission (in particular, DG AGRI) to manage those risks adequately.
The analysis was finalised on 7 April 2022. All conclusions relate to the situation as of that date.
The IAS acknowledged the efforts deployed by the Commission's services during the negotiation phase to
defend the New Delivery Model, to promote a new intervention logic centred on the performance of the new
CAP around a set of ambitious objectives, notably in relation to the contribution of the CAP to the European
Green Deal. However, the IAS noted that the adopted legislation has resulted in important amendments bringing
significant additional challenges and risks, which will need to be addressed when designing and implementing
suitable controls for the new 2023-2027 CAP. The IAS did not formulate any critical or very important
recommendations but brought a number of issues for consideration to the attention of the Directorate-General.
1.20. Audit on the cooperation between EFCA and DG MARE on activities
related to Article 30 of the Common Fisheries Policy (DG MARE,
EFCA)
The objective of this audit was to assess the adequacy of the design of the existing underlying processes, and
the efficiency and effectiveness of the cooperation between EFCA and DG MARE on activities related to
compliance with international provisions under Article 30 of the Common Fisheries Policy (CFP).
There were no reservations in the 2021 Annual Activity Report of DG MARE that relate to the audited area.
The fieldwork was finalised on 10 May 2022. All observations and recommendations relate to the situation as
of that date.
The IAS acknowledged a number of strengths:
While setting clear boundaries for EFCA’s international activities, the Working Arrangements adopted
in 2020 leave some flexibility to adapt to future needs and EFCA’s resources in stating that ‘the
implementation of the specific actions shall be discussed and agreed, if necessary, between EFCA and
DG MARE on a case-by-case basis, by taking into consideration EFCA's workload, availability of
resources and other priorities.’
The interaction and cooperation between EFCA and DG MARE are spread across the two organisations
and the intensity of the activities varies across units. The tasks EFCA and DG MARE cooperate on are
very diverse in nature, size and complexity. DG MARE and EFCA cooperate in an efficient way: the
knowledge of the respective teams of the various regulations and the tasks stemming therefrom have
reached a high level of maturity. Both entities have dedicated teams who work closely together.
Communication between them is fluid and both teams are proactive and responsive. Based on a sample
of exchanges of emails and deliverables, the IAS has assessed the reactivity of the teams, against
quantitative (time to react) and qualitative criteria (relevance of staff in copy, level of exchanges).
The IAS did not formulate any critical or very important recommendations.
Security and Defence
1.21. Preparedness of DG DEFIS for the management of the European
Defence Fund
The objective of the audit was to assess the adequacy of the design and effective implementation (where
already applicable) of the control strategy of the European Defence Fund (EDF) programme by DG DEFIS.
There were no reservations in the 2021 Annual Activity Report of DG DEFIS that related to the audited area.
The fieldwork was finalised on 17 September 2022. All observations and recommendations relate to the
situation as of that date.
The IAS recognised the ongoing efforts made by DG DEFIS regarding the management of the EDF programme
and identified the following strengths.
As regards the organisation, DG DEFIS staff responsible for the management of the EDF programme
is knowledgeable, motivated and has extensive valuable experience in the defence field.
There is good cooperation within the Directorate-General (between the operational units and the
financial units), as well as with other key stakeholders (Member States, national experts, etc.), in the
annual work programme preparation and the harmonisation of the calls for proposals process.
The process for the definition and harmonisation of topics for the calls for proposals is well established
and effectively implemented in terms of ensuring quality and timeliness. In this regard, a lessons learnt
exercise is regularly performed and has enabled further improvement of the work programme
preparation for 2022, with a revision of the roles and responsibilities between DG DEFIS and Member
States.
The call evaluation report is well designed to effectively address the different provisions of the
Financial and EDF Regulations. The report provides a comprehensive view on the call for proposals and
evaluation process, including eligibility and admissibility checks, timelines, scores of award criteria,
tracking of changes performed by the evaluation committee to the consensus reports, budgetary
considerations, ethics.
The IAS identified one very important issue concerning the validation of small and medium-sized enterprises
(SME) and mid-cap status and formulated one very important recommendation.
Validation of SME and mid-cap status
DG DEFIS should:
- develop an approach for in-depth checks of the SME and mid-cap status of risky candidates which REA
  is unable to check due to its annual capacity limitations,
- ensure that the control approach is re-assessed at regular intervals in the light of the results of controls
  (notably in-depth ex ante checks) and adapted, if necessary,
- define guidance on the risk assessment for selecting the entities to be submitted for in-depth ex ante
  checks to REA (full status validation),
- define in its control strategy the actions to be taken in case of negative outcome of the ex-ante
  in-depth check, including the possibility or need to use the call reserve list to replace the excluded
  consortium.
Additional information provided by DG DEFIS on the measures defined and/or implemented
following the Internal Audit Service audit
DG DEFIS Management accepted all the recommendations and submitted specific action plans for their
implementation. The IAS has considered all these action plans as adequate to address the residual risks
identified by the auditors. The IAS closely monitors their implementation through follow-up reports and
audit.
Neighbourhood and the World
1.22. Audit on control strategy for grant management under the Union
Civil Protection Mechanism in DG ECHO
The objective of the audit was to assess the adequacy of the design and the effective implementation of the
control strategy of the Union Civil Protection Mechanism (UCPM) for the management of grants.
There were no reservations in the 2021 Annual Activity Report of DG ECHO that relate to the audited area.
The fieldwork was finalised on 14 October 2022. All observations and recommendations relate to the situation
as of that date.
The IAS recognised several strengths.
- The control strategy of DG ECHO covering both the humanitarian aid and the UCPM includes several
positive elements: it provides a good overview of the UCPM actions, a list of the relevant ECHO
procedures, together with the control stages and the responsible Units and staff positions.
- The IAS acknowledged as a good practice the audit information paper addressed to the Civil Protection
Grant beneficiaries issued in August 2022. It includes, among other elements, a section on ‘most
frequent errors resulting in disallowances’ and the reasons for the latter, thus providing useful guidance
to beneficiaries.
The IAS identified one very important issue concerning the direct award of grants, and it formulated one very
important recommendation.
Grant award procedure – use of exceptions
DG ECHO should include in the UCPM work programme the criteria for selecting beneficiaries for the exceptions
covered by Article 195 (a), (b), (c) and (f) of the financial regulation, based on annex 3 of the internal rules for
the implementation of the EU budget. In addition, DG ECHO should include a justification for the use of direct
awards in all award decisions when an exception to the call of proposals is used, based on Article 195 (c) and
(f) of the financial regulation.
Additional information provided by DG ECHO on the measures defined and/or implemented
following the Internal Audit Service audit
DG ECHO has accepted the recommendations and established an action plan to ensure their timely
implementation. The actions include establishing the criteria for selecting beneficiaries for the
exceptions covered by Article 195 (a), (b), (c) and (f) of the FR in the UCPM work programme which is
set to be implemented with its adoption in 2024. Moreover, the use of these exceptions, in particular
Articles 195 (c) and (f), will be clarified in the related guidance document by the end of June 2023.
1.23. Audit on contractual expenditure verifications (FPI, DG INTPA, DG
NEAR)
The objective of the audit was to assess whether the contractual expenditure verifications process in DG INTPA,
DG NEAR and FPI was adequately designed and efficiently and effectively implemented to serve as a reliable
source of assurance on the legality and regularity of payments.
The fieldwork was finalised on 9 December 2022. All observations and recommendations relate to the situation
as of that date.
The IAS recognised the ongoing efforts made by DG INTPA to maintain and continuously update the guidance,
templates (contractual documents, terms of reference for contractual expenditure verifications) and related
procedures, which are used by the entire external action family. This helps to implement a consistent approach
across DG INTPA, DG NEAR and FPI and all their EU delegations, and the knowledge transfer when staff rotates
among the Directorates-General. The IAS also recognised high professionalism of the members of contracts
and finance sections and units in dealing with the contractual expenditure verifications.
The IAS has identified two very important issues concerning: (1) the objective and design of contractual
expenditure verifications as a control, and (2) monitoring and feedback on the contractual expenditure
verifications and formulated four very important recommendations.
Objective and design of contractual expenditure verifications as a control
(one very important recommendation addressed to DG INTPA)
DG INTPA, together with DG NEAR and FPI, should clarify the objective of the contractual expenditure
verifications as a control and revise the template terms of reference for contractual expenditure verifications
(including a detailed description of verification procedures and of the risk assessment and sampling
methodology), to ensure that they achieve the stated objective. They should also share guidance, interpretative
materials, or frequently asked questions on EU expenditure eligibility rules, expenditure verification procedures,
risk assessment and sampling methodologies with the external auditors.
Monitoring and feedback on the contractual expenditure verifications
(three very important recommendations addressed to DG INTPA, DG NEAR, FPI)
DG INTPA, DG NEAR and FPI, should implement periodic assessments of the sound functioning and cost-benefit
of contractual expenditure verifications.
Additional information provided by DG INTPA, DG NEAR and FPI on the measures defined
and/or implemented following the Internal Audit Service audit
DG INTPA, DG NEAR and FPI are working to address the recommendations in line with the agreed action
plans, except for one rejected 'very important' recommendation from the audit on contractual
expenditure verifications.
DG INTPA, DG NEAR and FPI rejected their respective recommendations related to finding No 5 on the
‘monitoring and feedback on the contractual expenditure verifications process’. The DGs are committed
to improving their procedures and controls but consider that the recommendations would not be cost
effective, and the workload involved would be disproportionate to the possible benefits in terms of
improvement of the CEV control. Moreover, the DGs’ assurance building is not only based on CEV but
also on a number of other pillars such as the residual error rate (RER) study and the statement of
assurance audits by the European Court of Auditors. Moreover, DG INTPA is currently reviewing control
tools such as the Terms of Reference of Expenditure Verifications and feedback mechanisms to the
auditors, which, once implemented, will also contribute to improving the functioning of CEV. In relation
to this recommendation, FPI also highlighted that it is not feasible for them to implement another pillar
of audit and control as the service does not have sufficient staff to carry out the very significant
workload that the actions would entail. The assurance builds on other pillars such as MRER, early and
targeted ex-post controls and DAS audits.
The audited services have not agreed with the level of importance of the finding No 3. The services
considered that the issues identified by the IAS do not expose them to a high risk because there is a
CEV process in place, even if it requires some improvements (such as clarifying guidance). Moreover,
the weaknesses identified are mitigated by checks carried out by the EU delegations before payment
and the results of the multi-annual residual error rate show error rates below 2%. However, they
recognised it as an area to be improved and they will a) clarify the objective of the CEV; b) revise the
template risk assessment, the sampling methodology for the external auditors and the terms of
reference for CEV; c) add the reference in the terms of reference to the guidance on EU expenditure
eligibility rules, expenditure verification procedures, risk assessment and sampling.
1.24. Audit on External Investment Plan – European Fund for
Sustainable Development Guarantee (DG INTPA, DG NEAR)
The objective of the audit was to assess the adequacy and effectiveness of the European Fund for Sustainable
Development (EFSD) Guarantee scheme.
There were no reservations in the 2021 annual activity reports of DG INTPA and DG NEAR that relate to the
audited area.
The fieldwork was finalised on 22 July 2022. All observations and recommendations relate to the situation as
of that date.
The IAS acknowledged the following strengths:
The auditors recognise the ongoing efforts made by DG INTPA and DG NEAR to establish an adequate
governance structure and ensure active involvement of the EU Member States and the other main
stakeholders in the decision-making process.
The EFSD Guarantee is a new and unique instrument and DG INTPA, with the support of DG NEAR,
managed to sign agreements for the whole amount of the instrument by the final deadline established
by the EFSD Regulation – 31 December 2020. This was achieved despite the significant challenges
related to the establishment of the new implementation modality, the need to negotiate a number of
horizontal clauses (for example EU restrictive measures) and the reorientation to address the
challenges of the COVID-19 crisis. There are already a number of operations covered by the EFSD
Guarantee under half of the signed guarantee agreements.
A new relevant control system ‘VI – Indirect management – Financial Instruments and Budgetary
Guarantees (EFSD, EFSD+)’ was included in the annexes of the 2021 Annual Activity Report of DG
INTPA. It provides a comprehensive overview of the control activities for the budgetary guarantees as
well as the main risks and cost-effectiveness indicators per stage. In addition, the 2021 Annual Activity
Report presents, for the first time, relevant overall financial figures in the section on control results
and more information on the achievements of the EFSD Guarantee programme in the part on policy
highlight.
The IAS identified four very important issues concerning: (1) governance, (2) assurance building, (3) the
guarantee agreement clauses, and (4) performance monitoring and reporting. It formulated four very important
recommendations addressed to DG INTPA.
Governance
DG INTPA, in cooperation with DG NEAR, should define who does what as regards the risk monitoring on the
basis of the guidance of the risk compendium developed under the auspices of the steering committee on
contingent liabilities.
In addition, DG INTPA, in cooperation with DG NEAR should define the overall investment goals and their scope
and ensure that the agenda of the EFSD+ strategic board includes regular discussions and exchange of
information on the complementarity and coherence between the EFSD+ and the other EU external programmes
and financial instruments. The EFSD+ strategic board should adopt guidelines covering all objectives and
eligibility criteria for the External Action Guarantee under the EFSD+ in line with the Neighbourhood
Development and International Cooperation Instrument (NDICI) regulation.
Lastly, DG INTPA, in cooperation with DG NEAR, should ensure that the EFSD+ rules of procedures translate the
mandate for the operational board in the NDICI regulation into specific tasks and the expected outputs.
Assurance building
DG INTPA, in cooperation with DG NEAR should invite the international development financial institutions (IFIs)
to launch the pillar reassessment if not already done and enhance the monitoring of the risk information
reported and the financial statements provided by the relevant IFIs.
DG INTPA should describe the submission process of the management declarations and audit opinions in its
relevant control system for budgetary guarantees in the annex of the annual activity report. In addition, DG
INTPA, in cooperation with DG NEAR, should revise the management declaration template and develop internal
guidance and review procedures as well as model guarantee agreement clauses regarding the unaudited and
audited financial statements.
Guarantee agreement clauses
DG INTPA should check if other guarantee agreements, in addition to the reviewed four, allow refinancing of
existing loans and that in all such cases, it is ensured that the mobilised global investment exceeds the amount
of the guarantee.
DG INTPA, in cooperation with DG NEAR, should adopt an internal procedure for reviewing the claims, where it
should be defined what constitutes ‘default’.
Lastly, DG INTPA should adopt specific guidance and standard agreement clauses related to the recoveries, and,
if necessary, propose to the IFIs to amend the signed guarantee agreements.
Performance monitoring and reporting
DG INTPA, in cooperation with DG NEAR, should establish a target for the instrument and should start reporting
on the share of investment in least developed countries and fragile countries and should reassess the overall
leverage target. Internal guidelines for calculation and reporting on the EFSD objectives should be adopted.
DG INTPA should establish a methodology to support reporting on additionality and all EFSD Guarantee
objectives to be adopted, as well as a mapping of the core and cross-sector indicators of the signed guarantee
agreements and the EFSD Guarantee objectives to be carried out.
Finally, DG INTPA, in cooperation with DG NEAR, should clarify which methodologies have to be used for data
collection and calculation of the cross-sector indicators regarding greenhouse gas emissions and indirect
employment, and should reassess the methodologies for the indicators of number of beneficiaries.
Additional information provided by DG INTPA and DG NEAR on the measures defined and/or
implemented following the Internal Audit Service audit
Sustained efforts have been made to improve the management of the EFSD guarantees throughout the
year 2022. The major deficiencies identified by the open “very important” audit recommendations are
being or will be addressed according to the relevant Action Plans. Their current state of implementation
does not lead to any significant assurance-related concern.
The action plan was adopted by DG INTPA in March 2023 to address the findings and recommendations
raised by the IAS. As associated service, DG NEAR will contribute to the implementation of some actions.
European Public Administration
1.25. Audit on public procurement in DG DIGIT
The objective of the audit was to assess if the governance, risk management and internal control framework
set-up by DG DIGIT for its procurement activities were adequately designed, efficient and effective and provide
reasonable assurance that key internal control objectives are achieved.
There were no reservations in the 2021 Annual Activity Report of DG DIGIT that relate to the process audited.
The fieldwork was finalised on 14 June 2022. All observations and recommendations relate to the situation as
of that date.
The IAS acknowledged the progress made by DG DIGIT in the last years to modernise its procurement activities.
In particular, the IAS welcomed the following initiatives.
Since 2019, DG DIGIT adopted a Dynamic Purchase System (DPS) to procure cloud services. This system
encourages competition and increases the number and quality of offers received. The IT system used
under DPS (Negometrix) is also considered by DG DIGIT staff as an efficient tool to facilitate the
tendering process, especially the communication with the tenderers and the evaluation of the offers.
DG DIGIT is increasing the use of framework contracts with reopening of competition which, by
definition, encourages competition for specific contracts compared to the framework contracts with
cascade which were more favoured in the past.
The IAS identified one very important issue concerning the steering of information and communication
technology (ICT) procurements and formulated one very important recommendation.
Steering of ICT procurements
DG DIGIT should:
(a) steer further the ICT procurement towards more efficient procurement methods that encourage
competition. In particular:
- the DPS, currently used for cloud services, should be extended, and favoured for high value ICT
procurements, whenever this is possible and cost-effective given the nature of the purchase,
- open procedures should be used preferably with the reopening of competition and the use of the
cascading system should be progressively reduced for framework contracts above certain
thresholds, except for the cases where security of supply is endangered,
- framework contracts should be signed with a higher number of contractors, whenever appropriate,
in order to encourage more competition for the specific contracts and to obtain better specific
offers while reducing in parallel the administrative burden through improved IT tools and a more
efficient organisation of the procurement process.
(b) set up a comprehensive set of procurement tools enabling result-oriented alternatives to the use of
‘Time and Means’ contracts for ICT development and service delivery. The use of ‘Time and Means’
contracts should be progressively reduced, whenever possible. Since DG DIGIT contracts are used by a
wide range of customers, DG DIGIT should seek the support of the Information Technology and
Cybersecurity Board (ITCB) as part of a move towards alternative contractual models, together with
the development of a roadmap for the progressive reduction of ‘Time and Means’ contracts,
(c) seek the support of the ITCB in obtaining an overview across the Commission of all ICT high value
procurements and contracts, to avoid potential overlaps, resource waste and inefficiencies,
(d) establish an overview/centralised planning and supervision arrangements for its own low and very low
value procurements, with a view to grouping them, where possible, into higher value procurements. The
aim being to generate more competition and make procedures more efficient,
(e) further develop the tender specifications to be more in line with the increased expectations as regards
the environment. This could include requirements on the way the services are delivered (for example
to reduce the energy consumption) and/or the supplies are produced and replaced (for example by
using recycled and/or sustainable materials or renewable energy).
Additional information provided by DG DIGIT on the measures defined and/or implemented
following the Internal Audit Service audit
DIGIT prepared and submitted an action plan, which was accepted by IAS. DIGIT is currently
implementing the action plan according to the agreed target dates (end 2023 for the ‘very important’
recommendation), therefore mitigating the related risks.
As from September 2022, the use of the Public Procurement Management (PPMT) and eSubmission
tools has been made obligatory for the procedures with low and middle value. A set of new guidelines
has also been developed to assist DIGIT staff members responsible for conducting those procurement
procedures. In addition to this, the DIGIT Procurement Board (DPB) endorsed in November 2022, an
updated proposal on DIGIT’s procurement delivery model.
1.26. Audit on human resources management in DG ECFIN
The objective of the audit was to assess whether DG ECFIN had put in place an effective human resources
management strategy and processes to ensure the availability of sufficient and adequately skilled resources to
support the achievement of its operational objectives.
There were no reservations in the 2021 Annual Activity Report of DG ECFIN that relate to the audited area.
The fieldwork was finalised on 13 July 2022. All observations and recommendations relate to the situation as
of that date.
The IAS acknowledged the following strengths:
DG ECFIN has set up several bodies at different levels of hierarchy and launched initiatives to exchange
views and enhance dialogue on human resources matters. This includes the Human Resources Board,
the Sounding Board and the Group on Equality Mainstreaming, the 'Coffee with Maarten' initiative, the
Midday Info Sessions and the Middle Management club.
All levels of the organisation highly appreciate the contribution and support of the Resources Director
and the Human Resources Business Correspondent (HRBC). The 2021 HRBC Assessment Exercise
carried out by DG HR highlighted that ‘the HRBC team makes contributions to the discussions on [human
resources] matters in a pro-active and transparent way’.
DG ECFIN’s Learning and Development offer is substantial, and regularly updated and improved based
on the assessment of staff needs and the Directorate-General’s priorities. It includes, among others,
the ECFIN Summer School, which is highly valued by the staff and the ECFIN specific female talent
management programme.
The IAS did not formulate any critical or very important recommendations.
Information technology audits
1.27. Audit on progress in the implementation of the European
Commission digital strategy in DG DIGIT
The objective of the audit was to assess whether the Commission designed and deployed an effective and
efficient control system to oversee, manage and monitor the implementation of the European Commission
Digital Strategy.
There were no reservations in the 2021 Annual Activity Report of DG DIGIT that relate to the audited area. The
Commission departments involved did not disclose any reservation in their respective annual activity reports
regarding the implementation of the European Commission digital strategy (ECDS).
The fieldwork was finalised on 26 April 2022. All findings and recommendations relate to the situation as of
that date.
The IAS observed several notable developments in the Commission’s general IT working environment, in
particular since the beginning of the implementation of the ECDS. These help to constitute strong foundations
for the digital transformation of underlying processes. In particular, the following elements were developed and
are being implemented by the Commission departments:
New user-centric digital workplace.
IT infrastructure for remote access supporting teleworking.
Re-usable solution platform to develop and operate digital solutions.
Construction of a data ecosystem for the sharing and re-use of data.
Hybrid cloud services offering.
IT security risk management framework.
The IAS identified one very important issue concerning the digitalisation and formulated one very important
recommendation.
Digitalisation
In its role to coordinate the implementation of the ECDS, DG DIGIT should strengthen its guidance and support
to Commission departments in preparing and monitoring the progress in implementing: (1) process
digitalisation, (2) the digital solutions modernisation plan (DSMP) related actions, and (3) the digital delivery
model.
Additional information provided by DG DIGIT on the measures defined and/or implemented
following the Internal Audit Service audit
DG DIGIT prepared and submitted an action plan, which was accepted by the IAS. DG DIGIT is currently
implementing the action plan according to the agreed target dates (Q1 2024 for the ‘very important’
recommendation), therefore mitigating the related risks; and the actions are being put in place as a
result of the new Digital Strategy (adopted in June 2022) and the resolution to conduct annual report
on the State of the Digital Commission.
In 2022, DIGIT has launched a pilot with some DGs to support the draft of their digital transformation
roadmap. DIGIT will set up an advisory service, which will support Commission’s departments in the
planning and implementation of their digital transformation initiatives.
1.28. Audit on IT governance and management (DG HOME, DG JUST)
The objective of the audit was to assess the adequacy of the design and the effectiveness and efficiency of the
implementation of the IT governance and management arrangements in DG HOME and DG JUST for the
information and communication systems (CIS) owned by each Directorate-General and managed under their
responsibility.
There were no reservations in the 2021 Annual Activity Reports of DG HOME and DG JUST that relate to the
audited area.
The fieldwork was finalised on 18 November 2022. All observations and recommendations relate to the
situation as of that date.
The IAS identified the following good practices regarding IT governance, project management and software
management in DG JUST and DG HOME:
An established IT governance structure, allowing both IT and business stakeholders to regularly
evaluate, monitor and decide upon IT budget, priorities, key activities and issues.
A defined annual IT work plan (portfolio) with key deliverables for the upcoming year.
IT systems delivered in line with political expectations.
The involvement of stakeholders through project organisation structures and regular communication
between the system/project owner and solution provider to identify, continuously validate and, if
needed, update business requirements and expectations throughout the duration of the project.
The IAS did not formulate any critical or very important recommendations.
1.29. Audit on information technology governance and project
management (including software development) in the SG
The objective of the audit was to assess the effectiveness and efficiency of the IT governance, project
management, and software development practices in the SG for IT systems developed and owned by the SG
and for those owned by the SG, but which are developed by DIGIT or through outsourcing contracts.
There were no reservations in the 2021 Annual Activity Report of the Secretariat-General that relate to the
audited area.
The fieldwork was finalised on 20 July 2022. All observations and recommendations relate to the situation as
of that date.
The IAS noted several strengths regarding IT governance, project management and software development
practices, in particular the SG:
Established IT governance and project management structures, which help to create a platform for the
discussion of IT budget related issues, priorities, and key activities.
Defined annual IT work plans which clearly identify the key deliverables for the coming year.
Comprehensively involves stakeholders through project organisation structures and regular
communication between the system/project owner (and its representatives) and solution provider (and
its representatives). This helps to ensure that business requirements and expectations are identified,
continuously validated and, if needed, updated throughout the duration of the project.
The IAS did not formulate any critical or very important recommendations.
1.30. Audit on information technology application project management
in DG TAXUD
The objective of the audit was to assess the adequacy of the design as well as the effective and efficient
implementation of the management and control systems that DG TAXUD put in place to manage its IT
application projects.
There were no reservations in the 2021 Annual Activity Report of DG TAXUD that relate to the audited area.
The audit was finalised at the end of the preliminary survey, on 16 November 2022. All observations relate to
the situation as of that date.
The IAS identified the following strengths:
DG TAXUD’s IT steering committee (ITSC) takes decisions on IT strategy, projects and services, and
oversees the implementation of the DGs’ IT work plan.
DG TAXUD’s IT risk management and internal control practices are in line with the Commission
methodologies.
DG TAXUD has a comprehensive IT project management methodology in place.
As DG TAXUD does not develop IT in-house, it has put in place monitoring, reporting and quality controls
for all its outsourced development activities.
DG TAXUD estimates, approves and monitors its IT budget.
DG TAXUD has created an IT security strategy with a corresponding roadmap and regularly monitors
its implementation.
The IAS did not formulate any critical or very important recommendations.
Part 2 Follow-up engagements
2.1. Follow-up audit in DG BUDG on the management of recovery
orders for competition fines (including guarantees for
competition fines) and for recovery orders in the context of the
Commission's 'corrective capacity' – Phase II (based on two
follow-up audits performed in 2022)
Based on the results of the follow-up audit, the IAS concluded that the following recommendations were
adequately and effectively implemented:
Recommendation No 3 (important): monitoring and reporting on fraud cases.
Recommendation No 5 (important): DG BUDG’s automatic validation and calculation of due dates.
2.2. Follow-up audit in DG DEFIS on the supervision of the
implementation of the 2014-2020 programme for the European
Geostationary Navigation Overlay Service (EGNOS)
Based on the results of the follow-up audit, the IAS concluded that the following recommendations were
adequately and effectively implemented:
Recommendation No 1 (important): EGNOS extension to non-EU countries.
Recommendation No 6 (important): monitoring and reporting of the EGNOS 2014-2020 programme.
The following recommendations were assessed as not fully and/or adequately implemented:
Recommendation No 2 (important): GSA’s annual reporting package
The 2021 annual reporting package was submitted by European Union Agency for the Space
Programme (e) with one week delay from the agreed deadline. The independent audit body opinion,
due on 15 March, has not yet been received and it is not expected before the end of July. This delay
will again prevent DG DEFIS from using the information in the ongoing internal audits.
Recommendation No 5 (important): monitoring access to EGNOS services
In November 2021, DG DEFIS sent a formal letter to the European Union Aviation Safety Agency (EASA)
requesting a periodic verification by EASA of non-EU countries’ continuous compliance with the relevant
provisions of the Single European Sky regulation related to the EGNOS Safety of Life service.
EASA replied to the request - requesting further instructions from DG DEFIS regarding the content,
timing and characteristics of the reporting.
Although the process for establishing a monitoring mechanism by DG DEFIS has been initiated, it has
not been completed and therefore not yet effectively implemented.
2.3. Follow-up audit in DG DIGIT on the management of public cloud
services (multi-DG)
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
Recommendation No 1 (very important): governance of cloud service.
2.4. Follow-up audit in DG DIGIT on intellectual property rights
supporting activities
Based on the results of the follow-up audit, the IAS concluded that the following recommendations were not
fully and/or adequately implemented:
Recommendation No 1 (very important): efficiency and effectiveness of intellectual property rights
(IPR) management in DIGIT
The JRC, in its role as the Commission’s central intellectual property (IP) service, established EURECA,
a database for the declaration and management of IP assets, including information technology (IT)
software.
DG DIGIT provided guidance and technical support to other DGs which have IP assets to declare and
started encoding its own IP assets in the EURECA database.
However, not all of DG DIGIT’s assets with high ‘asset relevance’ have been encoded in EURECA and
the use of the database is not yet systematic within DG DIGIT. For this reason, there is no systematic
identification of the IP assets with high ‘asset relevance’ (assets that are likely to be distributed outside
the Commission), and no assessment of the related risks.
DG DIGIT should work towards a realistic completion date for populating the database and harmonising
its use.
DG DIGIT is currently developing a scanning tool intended to automatically identify assets encoded in
EURECA which may not be suitable for distribution outside the Commission, due to incompatibility of
software licences. This will assist in the risk assessment specific to the management of IT software IP
assets. However, the tool is not yet in production (expected by the end of 2022) – as an interim solution
prior to full implementation of the action, a data catalogue has been established to record the
necessary information.
Recommendation No 4 (very important): software and IT solutions
While DG DIGIT planned to revise the General Terms and Conditions for Information Technology
Contracts (GTCs), it finally set up a working group with DG BUDG, DG INTPA, the Legal Service and the
JRC to provide a Commission-wide model framework contract that can be adapted by all users
according to their specific needs, including IT procurement. Once in place, this model will replace the
three currently used by DG BUDG, DG DIGIT and DG INTPA, making obsolete the current DG DIGIT GTCs.
However, the template has not yet been agreed and the process is expected to be finalised before the
end of 2022, following an inter-service consultation.
DG DIGIT, jointly with the JRC, created a software policy for the Commission to regulate the
dissemination of software owned by the Commission. The resulting Commission decision C(2021)8759
on the open-source licensing and reuse of Commission software was adopted on 8 December 2021.
This part of the recommendation is considered by the IAS as implemented.
Considering the actions taken to mitigate the risks identified by the IAS in the audit report, both
recommendations were downgraded from very important to important.
2.5. Follow-up audit in DG EAC on information technology governance
and project management
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
Recommendation No 3 (important): software development practices.
2.6. Follow-up audit in DG EAC on the effectiveness of the protection
of personal data of beneficiaries of and participants in the
Erasmus+ and European Solidarity Corps programmes (based on
two follow-up audits performed in 2022)
Based on the results of the follow-up audits, the IAS concluded that the following recommendations were
adequately and effectively implemented:
Recommendation No 2 (important): handling of data subjects’ request.
Recommendation No 3 (very important): supervision of processors’ compliance with the EU data
protection regulation.
Recommendation No 4 (very important): storage limitation principle.
Recommendation No 6 (important): handling of personal data breaches.
The following recommendation was assessed as not fully and/or adequately implemented and was downgraded
from very important to important:
Recommendation No 1 (very important): Information to Erasmus+ participants during personal data
collection
DG EAC informed all Erasmus+ participants for whom there is already data in its databases about their
rights as data subjects, either via a link in the message to the participants’ survey or in a separate
message, fully in line with the obligations of the data controller towards the data subjects.
For the future storage of personal data, DG EAC has designed a process which is compliant with the
EU data protection regulation setting out the role of National Agencies, beneficiaries or Commission
systems in conveying this information. DG EAC accordingly updated all relevant records, privacy
statements, and templates of agreements between the parties to reflect the new setup.
According to the new approach, the data controller should inform the data subjects about the data
processing and their rights during the data collection. This process was put in operation for the IT
system (MobilityTool+) which supported the Erasmus+ programme during the previous multiannual
financial framework. However, for the new multiannual financial framework, DG EAC changed the IT
system managing personal data processing, but has yet to develop and implement the same process
for informing participants. Consequently, there is a backlog of Erasmus+ participants (data subjects)
of more than one year, who have not yet been informed about their rights. DG EAC should activate the
same process as in the MobilityTool+ in the new IT system and clear the backlog using a method as
applied previously (for example a separate message).
Based on the review of the information and supporting documents provided, the IAS considered that
DG EAC partially mitigated the risks related to the observation through the actions taken. Therefore
the IAS downgraded it from very important to important and re-opened it in its recommendations
tracking system.
2.7. Follow-up of outstanding recommendations from past audits in
DG ECHO
Based on the results of the follow-up audit, the IAS concluded that the following recommendations were
adequately and effectively implemented:
Audit on the control strategy for humanitarian aid actions
Recommendation No 2 (important): (Re-)assessment of non-governmental organisations.
Recommendation No 5 (very important): ex post headquarters audit and verifications.
2.8. Follow-up of outstanding recommendations from past audits in
the FPI
Based on the results of the follow-up audit, the IAS concluded that the following recommendations were
adequately and effectively implemented:
Audit on Performance Management in the FPI
Recommendation No 3 (important): performance monitoring and reporting.
2.9. Follow-up of outstanding recommendations from past audits in
DG HOME (based on two follow-up audits performed in 2022)
Based on the results of the follow-up audits, the IAS concluded that the following recommendations were
adequately and effectively implemented:
Audit on DG HOME’s audit activity and clearance of accounts
Recommendation No 1 (very important): Set-up and planning of DG HOME’s audit activity.
Recommendation No 2 (very important): execution of the audit plan.
Recommendation No 4 (important): quality assurance.
Audit on the preparation for the 2021-2027 programming period of DG HOME funds
Recommendation No 1 (very important): delays in the work programmes of the thematic facility.
Recommendation No 2 (very important): monitoring of progress in the programming of 2021-2027
period and reporting to senior management.
2.10. Follow-up audit in DG INTPA on pillar assessment
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was not fully
and/or adequately implemented:
Recommendation No 27 (important): follow-up of verification mission recommendations related to
findings that may affect pillar compliance
To implement the audit recommendation, DG INTPA has:
- Revised the terms of reference and the template for the expenditure verification report to
  enable the reporting of systemic findings. In accordance with the template, the report shall
  include the systemic findings identified, their nature and the reasons they are considered
  systemic. However, neither the terms of reference nor the instructions included in the
  template for the expenditure verification report: (1) specify that the auditors should report
  non-financial systemic findings (related to for example internal control, compliance), and (2)
  require that the auditors assess if the finding may negatively affect pillar-compliance.
- Designed a procedure to identify and analyse systemic findings on an annual basis and
  inform DG BUDG and the lead service for pillar assessment about the outcome of its
  analysis. DG INTPA has decided that, in its first year of application, the procedure will be
  limited to ‘globally operating international organisations whose audit task management is
  centralised’ but has not yet decided if and when it will be extended to other pillar-assessed
  entities.
The system put in place by DG INTPA will be used for the first time for the preparation of the 2023
annual audit and verification plan.
2.11. Follow-up audit in the JRC on information technology governance
and project management
Based on the results of the follow-up audits, the IAS concluded that the following recommendations were
adequately and effectively implemented:
Recommendation No 3 (important): software development practices.
Recommendation No 4 (important): IT risk management.
2.12. Follow-up audit in DG NEAR on annual audit plans
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
Recommendation No 3 (very important): key performance indicators and reporting.
The following recommendation was assessed as not fully and/or adequately implemented and was downgraded
to important:
Recommendation No 2 (very important): Follow-up of audit results.
DG NEAR adopted a ‘Procedure to report on findings stemming from verification missions to international
organisations’ in January 2022. The design of the procedure is adequate, but its practical implementation
will only be assessed once it is completed for the first time (first half of 2023).
DG NEAR has not yet revised the guidance on the follow-up of financial findings. For this reason, the
recommendation cannot be considered as fully implemented. However, based on the progress made by
DG NEAR, the IAS downgraded the recommendation from very important to important.
2.13. Follow-up audit in DG NEAR on the Neighbourhood Investment
Facility and the Western Balkans Investment Framework
Based on the results of the follow-up audit, the IAS concluded that the following recommendations were
adequately and effectively implemented:
Recommendation No 6 (important): Western Balkans Investment Framework (WBIF) – Project reporting.
Recommendation No 7 (very important): Western Balkans Investment Framework (WBIF) - Monitoring
at the facility level.
2.14. Follow-up audit in the OIB on the procurement process
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was not fully
and/or adequately implemented and downgraded the recommendation from very important to important:
Recommendation No 1 (very important): procurement procedures
Regarding the second part of the action plan on a revised ‘Kallas procedure’, the OIB made some
progress, as follows:
- The OIB and DG HR set up a working group in 2018 to prepare the revision of the ‘Kallas
  procedure’ in accordance with the Financial Regulation.
- The OIB prepared a working document including a proposal for a substantially revised ‘Kallas
  procedure’ and submitted it to the members of the working group at the end of September
  2018. The working group submitted its comments on the revised methodology to the OIB in
  September 2020, which was subsequently discussed with DG BUDG and the Legal Service.
- The drafting of the ‘new methodology’ (the revised ‘Kallas procedure’) is being finalised. The
  Legal Service provided their legal analysis in 2022, which DG HR has now taken into
  consideration for the revised version. Another round of informal consultation with DG BUDG,
  the Legal Service and the SG was initiated. Once finalised, the inter-service consultation is
  expected to be launched in the second quarter of 2022.
The IAS recognised that:
- The ‘Kallas procedure’ plays an advisory role to the Real Estate Committee, while
  supplementing the Financial Regulation.
- Until the revision of the procedure is finalised, Annex 20 of the Commission Decision C(2018)
  5120 on the Internal rules for the implementation of the general budget of the EU
  constitutes the formalised rules for the management of real estate transactions and they
  are aligned with the provisions of the Financial Regulation.
However, until the new methodology to replace the ‘Kallas procedure’ is approved, the IAS considers that
this part of the recommendation is not fully implemented as the aspects related to clarifying market
prospects and the negotiation processes are not yet sufficiently addressed. The ‘new real estate
methodology’ is expected to be more flexible, to focus on the strict application of the Financial Regulation
and to improve the prospecting and negotiating process in order to address certain weaknesses of the
previous methodology and to bring the real estate methodology closer to the evolving building needs of
the Commission.
However, the actions taken by the OIB (together with those on-going), reduce the risk initially identified
regarding weaknesses in the needs analysis which was that tender specifications may not fully respond
to the real requirements of the organisation and that procured goods or services may not be fit for the
intended purposes. Consequently, the recommendation was downgraded from very important to important.
2.15. Follow-up audit in OLAF on the human resources strategy
Based on the results of the follow-up audit, the IAS concluded that the following recommendations were
adequately and effectively implemented:
Recommendation No 2 (very important): task and skills mapping.
Recommendation No 3 (very important): workload assessment and staff allocation.
Recommendation No 4 (important): recruitment (selection of temporary agents).
Recommendation No 5 (important): staff development.
Recommendation No 6 (important): staff satisfaction with working methods and environment.
2.16. Follow-up audit in OLAF on performance management
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
Recommendation No 1 (important): roles and responsibilities for performance management activities.
2.17. Follow-up audit in DG REFORM on the processes put in place for
the delivery of technical support to Member States
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
Recommendation No 2 (important): defining project output indicators and reporting on project
implementation.
2.18. Follow-up audit in DG RTD on IT project management and
software development
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
Recommendation No 2 (important): IT project governance.
2.19. Follow-up audit in the SG on the Commission’s strategy for data,
information and knowledge management (based on three follow-up
audits performed in 2022)
Based on the results of the follow-up audits, the IAS concluded that the following recommendations were
adequately and effectively implemented:
Recommendation No 1 (very important): design of the Data Information and Knowledge Management
(DIKM) strategy.
Recommendation No 2 (very important): strategic layer – the IMSB.
Recommendation No 3 (important): cooperation between IMSB and ITCB.
Recommendation No 4 (very important): role and responsibilities of the Information Management
Team.
Recommendation No 5 (very important): data, information and knowledge management governance -
Sharing of information on progress and deliverables of actions.
Recommendation No 6 (important): Data, information and knowledge management work programme
and data strategy action plan.
Recommendation No 7 (important): data quality.
2.20. Follow-up audit in the SG on crisis communication in DG COMM,
the SG, DG SANTE and DG ECHO
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately implemented:
Recommendation No 2 (important): capacity building.
2.21. Follow-up audit in DG TAXUD on human resource management
Based on the results of the follow-up audit, the IAS concluded that the following recommendations were not
fully and/or adequately implemented and were downgraded from very important to important:
Recommendation No 3 (very important): human resources management - task and skills mapping.
DG TAXUD:
- Moved to the use of ATLAS in full mode and implemented a process to update the system
  regularly.
- Finalised the mapping of tasks across the Directorate-General.
- Designed the skills mapping tool, and adopted the skills assessment process based on a
  staff survey and meetings between the human resources correspondent and the Directors.
- Defined the gap analysis process which is to be based on the results of the skills assessment.
However, the implementation of the skills assessment process is still ongoing. DG TAXUD will perform
the gap analysis once the skills assessment process is finalised.
Recommendation No 4 (very important): workload assessment, staff allocation and project teams.
DG TAXUD:
- Designed the workload assessment framework, which includes the workload assessment
  process, workload indicators covering the activities of the Directorate-General and a
  monitoring dashboard.
- Established staff allocation criteria and planned their regular revision.
- Designed the staff allocation process.
- Put in place tools to manage and monitor staff allocation (the vacancy dashboard, a flexible
  secretary post to manage staff needs and the procedure for staff reinforcement).
- Analysed the reasons for the non-recoverable overtime and management’s response to
  requests for overtime recuperation in 2019 and 2020.
- Defined its approach to flexitime working arrangements in line with Commission Decision
  C(2022) 1788.
- Designed and communicated to staff guidelines on the establishment and management of
  project teams.
However, the assessment of staff allocation is still ongoing. Once finalised, DG TAXUD will re-allocate staff
and balance workload, if considered necessary based on the results of the allocation assessment.
Considering the elements already implemented, the recommendations were downgraded from very
important to important as the residual risk level is now considered medium.
2.22. Follow-up audit in DG TAXUD on the effectiveness of Directorate
General for Taxation and Customs Union’s cooperation with
external stakeholders
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was not fully
and/or adequately implemented:
Recommendation No 4 (important): management and monitoring of expert groups/project groups
In January 2022, DG TAXUD adopted new guidelines aligned with the Commission’s corporate rules
on creating and managing expert groups (EG). When communicating the guidelines to staff, DG TAXUD
emphasised the following main principles:
- Units managing the EGs are responsible for ensuring the overall compliance with the existing
  guidance.
- Senior management carries out quarterly reviews on the list of expert groups and related
  activities.
Moreover, Unit E2, Inter-institutional relations, coordination, communication and strategic planning,
was appointed to liaise with other units, provide guidance and monitor compliance by screening a
sample of EGs.
However, the guidelines have not yet been fully implemented. In particular, the IAS found that:
- The ‘Register of Commission Expert Groups and Other Similar Entities’ is not fully up to date.
  For example, some meeting agendas and/or minutes are not uploaded, and the status
  (open, on hold or closed) of some EGs is not recorded in a timely manner in the Commission’s register.
- The DG’s internal overview file of EGs is not fully updated and aligned with the Commission’s
  register.
- The two quarterly screenings made on a sample of EGs (5 out of 50) were not fully effective.
  The first screening did not spot missed encoding of meetings. For the second screening,
  conducted in the second quarter of 2022, DG TAXUD selected one EG which had been closed
  in January 2022 and should therefore not have been sampled.
List of audits for which all recommendations were closed in 2022
Based on the results of the follow-up engagements performed in 2022, the IAS assessed that the audits listed
below could be closed as all the recommendations were assessed as implemented. The audit titles are presented
per policy area, and within each area they are ordered alphabetically (per European Commission DG/Service).
Audits on several Commission Directorates-General and/or services (multi-entity audits) and horizontal audits,
and audits in the area of information technology are presented separately.
HORIZONTAL AUDITS
2.23. Audit on WiFi4EU in DG CNECT, DG DIGIT and INEA
2.24. Audit on data protection in DIGIT, DG HR, JRC, LS, and SG (based on two follow-up audits performed in
2022)
2.25. Audit on the effectiveness of the management of absenteeism in the OIB, OIL and PMO
SINGLE MARKET, INNOVATION AND DIGITAL
2.26. Follow-up of outstanding recommendations from past audits in DG CNECT
- Audit on Connecting Europe Facility (CEF) Telecom governance
- Audit on implementation of the better regulation principles in the preparation of digital single market
  policy proposals
- Audit on implementation of anti-fraud actions in the research area
- Audit on management of experts in Horizon 2020 grants
2.27. Audit on preparedness of the Competition programme in DG COMP
2.28. Limited review of the Internal Control Framework (ICF) in DG COMP
2.29. Audit on human resources management in Eurostat (based on three follow-up audits performed in
2022)
2.30. Audit on the effectiveness and efficiency of DG FISMA performance management system
2.31. Follow-up of outstanding recommendations from past audits in the JRC
- Audit on site management infrastructure support services
- Audit on human resources management – recruitment of temporary scientific staff
- Audit on accounting of assets
- Audit on scientific project management
2.32. Audit on Intellectual Property Rights (IPR) supporting activities in the JRC
2.33. Audit on the Commission's strategy for data, information and knowledge management in the JRC
2.34. Audit on support, monitoring and enforcement of transport ‘acquis’ in DG MOVE
COHESION, RESILIENCE AND VALUES
2.35. Audit on the management of the Employment and Social Innovation programme (EaSI) with special
emphasis on the PROGRESS axis in DG EMPL
2.36. Audit on grant management of 2014-2020 Justice and Rights Equality and Citizens programmes in DG
JUST
2.37. Audit on human resources management and staff allocation in DG JUST
2.38. Audit on Connecting Europe Facility (CEF) Telecom governance in DG JUST
2.39. Audit on the processes for coordinating technical support to the Member States in DG REFORM (including
the contribution of DG EMPL and DG REGIO) (based on two follow-up audits performed in 2022)
2.40. Audit on implementation of financial instruments under European Regional Development Fund/Cohesion
Fund 2014-2020 in DG REGIO
NATURAL RESOURCES AND ENVIRONMENT
2.41. Follow-up of outstanding recommendations from past audits in DG AGRI
- Audit on DG AGRI's support, monitoring and checks of the work of Certification Bodies (CB)
- Audit on DG AGRI's monitoring and supervision arrangements regarding Land Parcel Identification
  System (LPIS) in Member States
2.42. Audit on LIFE financial instruments: effectiveness and efficiency of the current framework in DG CLIMA
and DG ENV
MIGRATION AND BORDER MANAGEMENT
p.m. Follow-up of outstanding recommendations from past audits in DG HOME
- Audit on monitoring the implementation and performance of 2014-20 national programmes
- Audit on human resources management and staff allocation
SECURITY AND DEFENCE
2.43. Audit on payments and accounting for tangible assets under the Galileo and Copernicus 2014-2020
programmes in DG DEFIS
2.44. Audit on intellectual property rights (IPR) supporting activities in DG DEFIS
NEIGHBOURHOOD AND THE WORLD
p.m. Audit on contribution agreements with international organisations in DG ECHO
2.45. Audit on the Instrument contributing to Stability and Peace (IcSP) in the FPI
p.m. Audit on the partnership Instrument in the FPI
EUROPEAN PUBLIC ADMINISTRATION
2.46. Audit on control strategy for the Joint Sickness Insurance Scheme and accidents insurance in the PMO
(based on two follow-up audits performed in 2022)
INFORMATION TECHNOLOGY
2.47. Audit on IT project management practices for multi-DGs projects in DG DIGIT (based on two follow-up
audits performed in 2022)
2.48. Audit on IT governance and project management in the OP
Part 3 - Summary of long overdue recommendations
At the end of the reporting period, 31 January 2023, there were 3 very important long overdue
recommendations, overdue by more than six months compared to the original expected completion dates set
in the auditees’ initial action plans.
No. | Entity | Audit title | Recommendation title | Final report date | Original agreed completion date | Revised expected completion date | Expected delay
I | DG BUDG | Recovery orders and bank guarantees for fines | Dealing with insolvencies and bankruptcies | 20.11.2019 | 30.6.2021 | 30.6.2023 | 2 years
DG BUDG reported that a substantial part of the recommendation (three out of the four sub-recommendations)
is implemented, and consequently, in their opinion, the residual risk is significantly reduced.
However, the set-up of a comprehensive and reliable set of tools at Commission level to monitor the financial
and legal situation of contractors and beneficiaries is on-going. This action has been included into the proposal
for a corporate strategy for the management of the accounts receivable prepared by DG BUDG. The
Communication to the Commission - An enhanced corporate strategy for the management of the Commission’s
debtors, planned to be launched in interservice consultation during the first quarter of 2022, was postponed.
DG BUDG revised the expected completion date to 30 June 2023 as the re-launch of the adoption process is
expected in early 2023 (after the recently amended Internal Rules).
In the meantime, intermediate measures were taken (awareness notes were sent to the eight most affected
DGs requesting them to take a decision on the pending recovery orders and waivers, which, according to DG
BUDG, they have done).
No. | Entity | Audit title | Recommendation title | Final report date | Original agreed completion date | Revised expected completion date | Expected delay
II | DG EAC | Effectiveness of the protection of personal data of beneficiaries of and participants in the Erasmus+ and European Solidarity Corps programmes managed by DG EAC | Transfer of personal data to third countries | 28.1.2021 | 15.12.2021 | 30.6.2023 | 1 year and 6 months
The IAS recommended that DG EAC should analyse, with the support of the data protection officer (DPO), how compliance
of its programmes with the internal data protection regulation (IDPR) concerning international transfers of data can be
ensured in the context of the order (8) and the announced guidance of the European Data Protection Supervisor (EDPS).
The Director General reported that it analysed with DG JUST, the Legal Service and the DPO different possibilities to
ensure compliance of the transfers to third countries with the IDPR. A suitable transfer tool (adequate and robust
safeguard measures that protect the rights and freedoms of the data subjects) has been identified and the EDPS will be
consulted formally on this solution - as requested by the IDPR.
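No. | Entity | Audit title | Recommendation title | Final report date | Original agreed completion date | Revised expected completion date | Expected delay
III | FPI | Performance management in FPI | Performance management framework | 1.10.2020 | 31.12.2021 | 30.9.2023 | 1 year and 9 months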
FPI announced that they fully implemented two of the three sub-recommendations. These two sub-recommendations
originally triggered the overall risk high rating. The remaining sub-recommendation (stemming from medium risks at the
time of the audit) is pending, awaiting the full implementation of a new IT system, which is under the steer of DG INTPA
and DG DIGIT.
(8) On 14 October 2020, the EDPS gave all European institutions a formal order to: (a) perform a mapping exercise to provide information
concerning processing operations that involve international transfers of data, and (b) report to it any identified risks and gaps, in
accordance with the order. The EDPS also asked the European institutions to perform, in a second phase, a case-by-case ‘transfer
impact assessment’ to identify the level of protection provided by the third country of destination of the data. To facilitate this
assessment, the EDPS will provide in due time specific guidance.