EUROPEAN COMMISSION DIRECTORATE-GENERAL FOR HEALTH AND FOOD SAFETY

Transcription

1 EUROPEAN COMMISSION DIRECTORATE-GENERAL FOR HEALTH AND FOOD SAFETY Directorate F - Food and Veterinary Office DG(SANTE) MR FINAL REPORT OF THE PILOT MISSION CARRIED OUT IN THE NETHERLANDS FROM 21 SEPTEMBER 2015 TO 25 SEPTEMBER 2015 IN ORDER TO EVALUATE THE SYSTEM PUT IN PLACE TO IMPLEMENT ARTICLE 4(6) OF REGULATION NO 882/2004 (NATIONAL AUDIT SYSTEM) In response to information provided by the Competent Authority, any factual error noted in the draft report has been corrected; any clarification appears in the form of a footnote.

2 Executive Summary This report describes the outcome of a pilot mission carried out by the Food and Veterinary Office (FVO) in The Netherlands from 21 to 25 September The objective of the mission was to prepare for the planned series of FVO audits intended to evaluate the system(s) put in place to implement Article 4(6), on audits of competent authorities, of Regulation (EC) No 882/2004 of the European Parliament and of the Council, on official controls performed to ensure the verification of compliance with feed and food law, animal health and animal welfare rules. Overall the report concludes that there is a functioning NAS that generally meets the objectives of Article 4(6). Nevertheless there are a number of areas where arrangements need further development to bring them fully into line with the relevant requirements, as described below. Procedures put in place in The Netherlands by NVWA to implement Article 4(6) of Regulation (EC) No 882/2004 ensure that audits are independent and can effectively determine whether activities and related results comply with planned arrangements, and that appropriate measures are taken in the light of their results. However, the audits do not generally include the objective to determine whether planned arrangements are implemented effectively and/or whether these arrangements are suitable to achieve objectives. NVWA has put effective arrangements for independent scrutiny in place for a part of the internal audit activity, but this arrangement does not cover a significant proportion of the audit activity falling within the scope of Article 4(6). Most parts of the audit process are carried out in a systematic and transparent manner. However, NVWA could not demonstrate that the process of developing an audit programme is risk-based and ensures adequate coverage of the full scope of Regulation (EC) No 882/2004. Issues such as ensuring that the audit programme is genuinely risk-based and assessing effective implementation and/or suitability of arrangements to meet the objectives of Regulation (EC) No 882/2004 were identified as particular challenges by the CCA. These difficulties are most likely not limited to The Netherlands, as feedback from the NAS Network indicates that most Member States find these aspects challenging to implement in their audit systems. This remains to be verified during future audits in other Member States. As this was a pilot mission, no recommendations were made. I

3 Table of Contents 1 Introduction Objectives, Scope and Audit Criteria Legal Basis Background Previous FVO audits Context: Article 4(6) of Regulation (EC) No 882/ Methodology Findings and Conclusions Competent Authorities Legal requirements Findings Responsibility for official controls Responsibility for internal audits of official controls Responsibility for external audits of official controls Independent scrutiny Legal requirements Findings Auditor competence Legal requirements Findings Development of the programme of audits Legal requirements Findings Planning and audit programme development in IAD Planning and audit programme development in the Divisions Implementation of the audit process Legal requirements Findings Documented Procedures Compliance with planned arrangements Verification of the effective implementation of planned arrangements and their suitability to achieve objectives...17 II

4 Audit reporting Review of audit conclusions and dissemination of best practice Monitoring and review of the audit process Follow-up of audit recommendations Legal requirements Findings Transparency Legal requirements Findings Challenges reported by the Competent Authority Overall Conclusions Closing Meeting Recommendations...24 III

5 ABBREVIATIONS AND DEFINITIONS USED IN THIS REPORT Abbreviation CA CCA DG SANTE EU EZ FVO IAD NAS Network NVWA VWS ZBO Explanation Competent Authority Central Competent Authority Directorate General for Health and Food Safety European Union Ministry for Economic Affairs (Ministerie van Ekonomische Zaken) Food and Veterinary Office Internal Audit Department (Interne Auditdienst) The network of member states national experts on National Audit Systems, hosted by the FVO Netherlands Food and Consumer Product Safety Authority (Nederlandse Voedsel- en Warenautoriteit) Ministry of Health, Welfare and Sports (Ministerie van Volksgezondheid, Welzijn en Sport) Semi-autonomous public bodies (Zelfstandige Bestuurs Organen) IV

6 1 INTRODUCTION This pilot mission took place in The Netherlands from 21 to 25 September The mission team comprised four Food and Veterinary Office (FVO) auditors. The mission team was accompanied throughout the audit by representative(s) from the Netherlands Food and Consumer Product Safety Authority (NVWA), the Central Competent Authority (CCA) responsible for the activities falling within the scope of the mission. The opening meeting was held on 21 September 2015 with the NVWA in Utrecht. At this meeting the mission team confirmed the objectives of, and itinerary for the mission, and additional information required for the satisfactory completion of the mission was requested. 2 OBJECTIVES, SCOPE AND AUDIT CRITERIA The objective of the mission was to prepare for the planned series of FVO audits intended to evaluate the system(s) put in place to implement Article 4(6), on audits of competent authorities, of Regulation (EC) No 882/2004 of the European Parliament and of the Council, on official controls performed to ensure the verification of compliance with feed and food law, animal health and animal welfare rules 1 (hereafter: Regulation (EC) No 882/2004). The scope of the mission was limited to the procedures put in place by the NVWA, the CCA responsible for the majority of official controls falling under Regulation (EC) No 882/2004 to implement Article 4(6). As regards the conduct of the audits carried out under Article 4(6), the mission team evaluated the activities undertaken in the conduct of relevant internal audits and gathered information with regard to certain external audits carried out by NVWA (see section ). The criteria used for the evaluation are set out in Article 4(6) of Regulation (EC) No 882/2004: Competent authorities shall carry out internal audits or may have external audits carried out, and shall take appropriate measures in the light of their results, to ensure that they are achieving the objectives of this Regulation. These audits shall be subject to independent scrutiny and shall be carried out in a transparent manner. In addition, where applicable, the mission team took into account Commission Decision 2006/677/EC setting out the guidelines laying down criteria for the conduct of audits under Regulation (EC) No 882/2004 of the European Parliament and of the Council on official controls to verify compliance with feed and food law, animal health and animal welfare rules 2 1 Regulation (EC) No 882/2004 of the European Parliament and of the Council of 29 April 2004 on official controls performed to ensure the verification of compliance with feed and food law, animal health and animal welfare rules, Official Journal L 165, , pages 1 to 141, corrected and re-published in OJ L 191, , pages 1 to /677/EC: Commission Decision of 29 September 2006 setting out the guidelines laying down criteria for the conduct of audits under Regulation (EC) No 882/2004 of the European Parliament and of the Council on official controls to verify compliance with feed and food law, animal health and animal welfare rules. Official 1

7 (hereafter: Commission Decision 2006/677/EC). Where relevant, reference was made to Network Reference Documents produced by the Network of Member States National Experts on National Audit Systems (hereafter: the NAS Network), while recognising that they do not constitute an audit standard and are not legally binding. 3 LEGAL BASIS The planned audit series will be carried out under the general provisions of EU legislation and, in particular Article 45 of Regulation (EC) No 882/2004. This pilot mission was carried out in agreement with the NVWA. Full EU legal references are provided in Annex 1. Legal acts quoted in this report refer, where applicable, to the latest amended version. 4 BACKGROUND 4.1 PREVIOUS FVO AUDITS Detailed information on the structure and organisation of the Dutch competent authorities can be found in the Country Profile for The Netherlands at: The Food and Veterinary Office has carried out numerous inspections and audits in The Netherlands, the reports of which can be found at: While the topic of the current pilot mission has not been the specific objective of any previous audit, the subject has been considered within the scope of numerous sectoral audits carried out since 2006 as well as the general audit carried out in 2007 (reference number DG(SANCO)/ ). At the time of writing, there were no open recommendations to The Netherlands in relation to the application of Article 4(6). 4.2 CONTEXT: ARTICLE 4(6) OF REGULATION (EC) NO 882/2004 The requirements laid down in Article 4(6) of regulation (EC) No 882/2004, that: Competent authorities shall carry out internal audits or may have external audits carried out, and shall take appropriate measures in the light of their results, to ensure that they are achieving the objectives of this Regulation. These audits shall be subject to independent scrutiny and shall be carried out in a transparent manner should be read together with the definition of Article 2(6) laid down in the same Regulation: Journal L 278, , pp15 to 23. 2

8 Audit means a systematic and independent examination to determine whether activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives. Further guidance on certain aspects of the requirement and definition is provided in Commission Decision 2006/677/EC. In particular the guidelines in the Annex to this Decision provide information on aspects to be considered when ensuring that the audit process is systematic, transparent, independent and subject to independent scrutiny. In addition, guiding principles in relation to compliance with planned arrangements, effective implementation of arrangements and their suitability to achieve objectives are provided. Guidance is also provided in relation to audit reporting, follow-up of the audit outcome, audit review and dissemination of best practice, resources and auditor competence. As reflected in the recitals of the Decision: The guidelines are not binding but serve to provide useful guidance to the Member States in the implementation of Regulation (EC) No 882/2004. The NAS Network is a network of officials (auditors) from national competent authorities, responsible for the performance of audits of official control systems as provided for by Article 4(6) of Regulation (EC) No 882/2004. The Network meets regularly, under the chairmanship of, and facilitated by, the FVO to exchange experiences in implementing national audit systems on official control activities. During the course of these exchanges; discussions, workshops etc. good principles and practices are identified and agreed by the network. To enable dissemination of information the Network, working in plenary session and through sub-groups, facilitated by the FVO, consolidate agreed principles and good practices on specific topics into Network Reference Documents. In relation to NAS, at the time of this mission the NAS Network had produced the following Network Reference Documents: Risk Based Planning for Audits of Official Control Systems - February Version 1 Independence and Independent Scrutiny - Feb 2014 Version 1 Auditing Effectiveness of Official Control Systems - February Version 1 These documents may be used as reference documents, however, they do not constitute an audit standard and are not legally binding. 4.3 METHODOLOGY The evaluation process consisted of: an initial desk study phase in which the relevant information already available in FVO was collated and analysed. This included the Dutch Multi-Annual National 3

9 Control Plan and associated Annual Reports, the Country Profile of The Netherlands and FVO sectoral audit reports; a pre-mission questionnaire and the analysis of the response from the NVWA; and a visit to the NVWA to meet those bodies responsible for carrying out audits under Article 4(6). During the visit the FVO mission team evaluated arrangements in place and verified their application through examination of a variety of evidence, including documentation of the programme development and of the life cycle of a number of audits. Observing the performance of individual auditors was not included in the scope of this mission as the mission team considered that the effectiveness of an individual audit can be better judged by the FVO sectoral Units auditors in the context of relevant sectoral audits. The evaluation focussed particularly on those elements which the mission team considered essential to ensure the audit bodies can produce reliable audit results, with adequate coverage of official controls, to give assurance that the objectives of 882/2004 are being met: Responsibilities for the implementation of Article 4(6); Status and reporting lines of auditing bodies/units; Arrangements for independent scrutiny; Procedures for the selection of auditors and management of auditor competence; Procedures for the development of audit programmes, with particular attention on how an adequate coverage of the audit/risk universe is ensured; Planning, conduct and reporting of audits, including the approach to auditing the suitability of arrangements in place for official controls to achieve the objectives of the Regulation; Follow-up of audit recommendations including the system in place for corrective action in cases where problems are identified during the audit activities; and How and to what extent transparency is ensured In addition, the mission team gathered information on particular challenges faced by the CCA when implementing Article 4(6). 4

10 5 FINDINGS AND CONCLUSIONS 5.1 COMPETENT AUTHORITIES 5.1.1Legal requirements Article 4(6) of Regulation (EC) No 882/2004 states, that Competent authorities shall carry out internal audits or may have external audits carried out Article 2(6) of the same Regulation defines audit as a systematic and independent examination to determine whether activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives. In section 5.3 of the Annex of Decision 2006/677/EC further guidance is provided to Member States on the Independence : Audit bodies should be free from any commercial, financial, hierarchical, political or other pressures that might affect their judgment or the outcome of the audit process. The audit system, audit body and auditors should be independent of the activity being audited and free from bias and conflicts of interest. Auditors should not audit areas or activities for which they have direct responsibility. All relevant competent authorities should introduce safeguards to ensure that responsibility and accountability for audit and control activities, such as the management and supervision of official control systems, are kept sufficiently distinct. Where the audit team makes recommendations for corrective and preventive action, the auditee should choose the methods to be applied for such action. Active audit team involvement in follow-up should be limited to assessing the suitability of the action plan and the effectiveness of the corrective and preventive action. Auditees should not be in a position to impede the audit programme, findings or conclusions. They should be consulted on the draft report and their comments should be considered by the audit body. Where appropriate, those comments should be taken into account in a transparent manner. The following points may help ensure that the audit process safeguards the independence of both the audit body and the audit team: a clear, documented mandate affording adequate power to conduct the audits should be provided, neither the audit body nor the audit team should be involved in managing or supervising the control systems being audited, for external audits, the audit body and audit team should be external to, and independent of, the organisational hierarchy of the auditee, 5

11 for internal audits, the following general principles should apply to ensure the process is independent and transparent: the audit body and audit team should be appointed by top management, the audit body and/or the audit team should report to top management, a check should be carried out to ensure no conflict of interest exists for either the audit body or the audit team. Independent audit bodies should be external to or separate from the management of audited activities. Internal audit bodies should report to the most senior management within the organisational structure. Where technical expertise required for the audit is available only within a competent authority, measures should be taken to ensure the audit team remains independent. Where control activities are organised on a regional basis, technical specialists could be exchanged in order to ensure they are independent Findings Responsibility for official controls 1. The Dutch Ministries with competence for food and feed safety, animal health and welfare and plant health are structured in a centralised manner and direct their policies through a number of agencies and bodies with mostly regional implementation. 2. The main ministries involved are: the Ministry of Economic Affairs (EZ) and the Ministry of Health, Welfare and Sports (VWS). 3. The main implementing agencies and bodies delivering the policies are: the Netherlands Food and Consumer Products Safety Authority (NVWA) and various semi-autonomous public bodies (ZBO). Dutch legislation provides for the establishment of autonomous management agencies/bodies to implement specific tasks in the public interest. They are under external control of the Ministry concerned but are competent for making independent and sector specific decisions. 4. For full details of the division of all relevant competences between all involved Competent Authorities, see the country profile for The Netherlands at: Responsibility for internal audits of official controls 5. The NVWA has a functionally separate Internal Audit Department (IAD) that directly reports to the Inspector General and the Audit Committee. IAD has 11 auditors to perform its tasks. 6

12 6. The Audit Charter of the NVWA, which was signed by the Inspector General on 9 March 2015, lays down, inter alia, role, responsibilities and reporting lines of the IAD. According to the Audit Charter, IAD has the following main tasks: Give assurance to the board of directors; Help improve internal control; Make the organisation more accountable; Support the audit department of the ministries. 7. The Charter further specifies that these objectives are achieved by, inter alia: carrying out of audits and the preparation of reports; advising on the basis of audits carried out; guaranteeing quality of audits of external parties (second-line supervision); supporting Divisions in the performance of audits; monitoring the implementation of audit programmes by Divisions 8. The position of IAD as a department nominally attached to the Directorate of Staff but with a direct reporting line to the top management (Inspector General) means that IAD has no direct responsibility for the areas and activities they audit. IAD neither drafts procedures followed by other Divisions or Departments, nor undertakes supervision tasks. 9. IAD carries out a range of different audit types including operational audits, financial audits, IT-audits, integrated audits and audits of horizontal issues. Thus, IAD s role covers a range of NVWA activities far broader than official controls falling within the scope of Regulation (EC) No 882/2004. In practice most NVWA audits covered by Article 4(6) take place at Divisional level. 10. Three Divisions of NVWA have responsibility for the controls falling within the scope of Regulation (EC) No 882/2004 (as well as for other tasks): Agriculture & Nature, Consumer & Safety and Veterinary & Imports. Each Division or Board has 1-3 quality employees. Within each Division they carry out internal quality audits taking into account both Regulation (EC) No 882/2004 requirements and relevant ISO standards. Corrective measures identified in response to previous audit reports are also taken into account. 7

13 11. The diagram below presents the distribution of audit staff within the organisation: 12. In Divisions the quality employees responsible for internal audits are not placed in the Departments responsible for official controls but instead report directly to the Chief Inspector of the Division. They therefore have no direct responsibility for the areas and activities they audit. The quality employees, in the context of their quality assurance activities may have a limited role in developing procedures for official controls but this role deals with ensuring procedures comply with the quality management system while technical content is the responsibility of the relevant Department. Thus the risk of selfreview during audit is mitigated. In addition, IAD considers that since the Divisions carry out conformity audits, the risk of self-review is less relevant than for audits aimed at evaluating the suitability of planned arrangements. In the opinion of the IAD there might be a risk of undesirable mixing functions, in the case that the Division auditors have a more extensive/prominent role in the programming and selection process of audits to be carried out. 13. Auditors in both IAD and the Divisions are all employees of NVWA. 14. While there is no formal written procedure to manage risks of bias or conflict of interest, all NVWA auditing staff met by the mission team demonstrated strong awareness of potential risks to independence, including risks of self-review. 15. Where technical expertise is needed to support audit activities, technical experts, whether sourced from within NVWA (the usual practice) or from outside, do not participate in formulating audit conclusions. They therefore are not required to demonstrate the same degree of independence. 16. In relation to recommendations and the role of auditors in follow-up, see section

14 Responsibility for external audits of official controls 17. The NVWA carries out annual audits of the ZBOs carrying out official controls falling within the scope of Regulation (EC) No 882/ These audits of ZBOs are viewed by NVWA as external audits and therefore arrangements had not been made to include them under the scope of this mission. As a result, the mission team could not meet with the relevant auditors, but IAD provided some information regarding the procedures for the conduct of these audits. 19. These audits are carried out by specific personnel dedicated to this task in the Divisions responsible for the sectors concerned. These auditors are distinct from the quality employees who carry out internal audit. 20. The performance of the ZBOs is audited against the agreements these bodies have in place with NVWA for the conduct of controls. In two out of three Divisions, IAD audit procedures are used by the ZBO auditors and IAD reviews draft reports before they are finalised. The FVO mission team received no information on procedures used in the third Division. Conclusions 21. NVWA has allocated responsibility for auditing all activities carried out under the scope of Regulation (EC) No 882/ The placement within the organisation and reporting lines for both IAD and the Divisional audits are appropriate for ensuring that the audit function can operate with an appropriate level of independence, foreseen by the definition of audit set out in Article 2(6) of Regulation (EC) No 882/2004. This contributes to ensuring the reliability of the auditing activity. The existence of an Audit Charter covering IAD activities provides additional support for the audit activity. 5.2 INDEPENDENT SCRUTINY 5.2.1Legal requirements Article 4(6) of Regulation (EC) No 882/2004 requires that the audits shall be subject to independent scrutiny. In section 5.4 of the Annex of Decision 2006/677/EC further guidance is provided to Member States on the Independent Scrutiny of the Audit Process : In order to check whether it is achieving its objectives, the audit process should be subject to scrutiny by an independent person or body. Such independent person or body should have sufficient authority, expertise and resources to carry out this task effectively. The approaches to independent scrutiny may vary, depending on the activity or the competent authority. 9

15 Where a body or a committee has been established with a view to independent scrutiny of the audit process, one or more independent persons should be members of such body or committee. Such independent persons should have access to the audit process and be empowered to contribute fully to it. Action should be taken to remedy any shortcomings identified in the audit process by the independent person or body Findings 23. On 23 April 2012, the NVWA set up an Audit Committee to act as an advisory body to the Inspector General. Its role was further defined in a Constituent Act signed by the Inspector General on 9 March According to this Act, the roles and responsibilities of the Audit Committee are: Advising the NVWA in relation to control and audit policy with specific focus on risk management and NVWA-wide operations; Advising on the annual audit programme of the NVWA; Regularly reflecting on the functioning of the IAD; The discussion of major findings and trends; Monitoring of the implementation of recommendations; Advising on the Audit Charter; To be an ambassador for audit to relevant parties; The matters relating to the functioning of the Audit Committee. 24. The Act specifies the composition of the Committee. It consists of three external members (including the chair), the Inspector General and Deputy Inspector General, the Director of Staff, the Director of Business Administration and the Head of IAD. The Act requires that the Committee meets at least four times a year. 25. The Constituent Act empowers the Audit Committee to make statements addressed to senior management in relation to the functioning of NVWA. The external members are specifically empowered to communicate independently with officials of the NVWA, including employees, management and the IAD. 26. The Constituent Act also foresees an agenda of planned resignations of external members in order to ensure both continuity and renewal. 27. The IAD provided the FVO mission team with extracts from Audit Committee meeting minutes, illustrating that feedback is received on the audit programme and process. 28. The Audit Committee s scrutiny role does not cover the auditing activity carried out at Divisional level by quality employees or by those auditors responsible for auditing ZBO. 10

16 Conclusions 29. Sufficient arrangements have been put in place for independent scrutiny of IAD s audit process, as required by Article 4(6) of the Regulation. However, for audits carried out at Divisional level and on external bodies (ZBO) no equivalent arrangements have been put in place. 5.3 AUDITOR COMPETENCE 5.3.1Legal requirements Articles 2(6) and 4(6) of Regulation (EC) No 882/2004 do not lay down specific requirements regarding the competence of auditors. Article 6 of the same Regulation requires that staff performing official controls receive, for their area of competence, appropriate training enabling them to undertake their duties competently and keep up-to-date in their area of competence and receive regular additional training as necessary Section 6.6 of the Annex of Commission Decision 2006/677 provides guidance on auditor competence: Auditor competence and selection criteria should be defined under the following headings: generic knowledge and skills audit principles, procedures and techniques; management/organisational skills, specific technical knowledge and skills, personal attributes, education, work experience, auditor training and experience. It is essential to put a mechanism in place to ensure auditors are consistent and their competencies are maintained. Competencies required by audit teams will vary depending on the area they are auditing within the control or supervision systems. As regards the technical knowledge and skills required by auditors, the training requirements for staff performing official controls (Chapter 1 of Annex II to Regulation (EC) No 882/2004) should also be considered Findings 30. IAD staff includes auditors specialised and qualified in the fields of financial audit and IT audits, as well as those experienced in the areas falling within the scope of Regulation (EC) No 882/2004. IAD has identified the multi-disciplinary nature of its staff as one of 11

17 the strengths of the Department, as it allows them to carry out a broad range of audits using a variety of audit techniques and learn from each other. 31. IAD staff met had many years of audit experience and continued to attend additional training in audit techniques. 32. In the Divisions, a number of auditors met were very experienced in ISO/conformity auditing. Due to recent and up-coming retirements there were a number of recent recruits too, not all of which had previous audit experience. When asked about recruiting new quality employees, the managers met by the mission team explained that, while previous experience was taken into account, particular emphasis was placed on the personal attributes of the recruits that were likely to enable them to be a successful auditor. 33. Introduction training, adapted to individual needs, had been put in place for the newcomers and in most cases the new recruits were in post for a period of time before the colleagues they were to replace actually retired, allowing for a smooth handover of duties. 34. NVWA auditors participate regularly in the European Commission s Better Training for Safer Food audit courses, both as trainers and trainees. 35. Where specific technical knowledge was necessary for the successful completion of an audit, both IAD and the Divisions could make use of technical experts, mainly from within NVWA. It was explained that while such experts were expected to provide necessary technical advice, they did not formulate audit conclusions and were therefore not subject to the same criteria used for auditor selection. Conclusions 36. Adequate procedures have been put in place to ensure that auditors have sufficient competence to perform their duties and that they can maintain and further develop their auditing competence. Relevant technical expertise is available when needed. 5.4 DEVELOPMENT OF THE PROGRAMME OF AUDITS 5.4.1Legal requirements Article 3(1) of Regulation (EC) No 882/2004 requires that: Member States shall ensure that official controls are carried out regularly, on a risk basis and with an appropriate frequency, so as to achieve the objectives of this Regulation The definition laid down in Article 2(6) specifies, inter alia, that audits should be systematic. 12

18 In section 5.1 of the Annex of Decision 2006/677/EC further guidance is provided to Member States on the Systematic Approach, including: A systematic approach should be applied to the planning, conduct, follow-up and management of audits. To that end, the audit process should: be the result of a transparent planning process identifying risk-based priorities in line with the competent authority s responsibilities under Regulation (EC) No 882/2004, form part of an audit programme that ensures adequate coverage of all relevant areas of activity and all relevant competent authorities within the sectors covered by Regulation (EC) No 882/2004 at an appropriate risk-based frequency over a period not exceeding five years, be supported by documented audit procedures and records to ensure consistency between auditors and to demonstrate that a systematic approach is followed In addition: Where more than one audit programme is envisaged within a Member State, steps should be taken to ensure that such programmes are effectively coordinated, so as to ensure a seamless audit process across the relevant competent authorities. The audit programme(s) should also cover all relevant levels of the competent authority s hierarchy Findings Planning and audit programme development in IAD 37. The NVWA has a multi-annual internal audit programme, the IAD works with an annual programme, both aim to be risk-based. More detailed annual plans include audits performed by IAD and quality employees. 38. IAD has developed an audit universe of 23 domains covering all the sectors where controls are carried out. This audit universe' is used by both IAD and the Divisions to ensure adequate audit coverage of all relevant areas. The domains are defined only in broad terms (e.g. animal health, animal welfare, food of animal origin, etc.) and not in terms of the control activities carried out in the sector. For some of these domains, such as industrial production, there may be a number of different types of activities of varying risk levels, but the audit universe does not currently take this into account (but see also below, paragraphs 45 and 47). 39. IAD has a documented procedure which describes in general terms the process for development and approval of the annual audit programme. The Head of IAD is responsible for preparing an 'indicative list' of audits taking into account auditing activity required by national and international obligations, information from the results of the multi-annual control plan, results of and planning for external audits, RASFF (the European Commission s Rapid Alert System for Food and Feed) notifications, input from all Directors and Chief Inspectors and the audit universe. 13

19 40. Audits are selected from the indicative list onto a shortlist, taking into account factors such as legal obligations, risks (including political, financial and reputational), programme coverage and audit capacity. 41. The table used to develop the 'shortlist' for the 2015 programme was demonstrated to the FVO mission team showing the criteria and associated weightings used. These criteria and weightings are not explicitly defined in the documented procedure. 42. The Inspector General of the NVWA is responsible for the final approval of the programme. 43. The Head of IAD monitors progress with implementation of the annual audit programme. Where it is necessary to add new audits during the year this leads to a reprioritisation. This can result in some audits being rescheduled to the following year or dropped from the programme. Amendments to the programme must be presented for approval to the Inspector General Planning and audit programme development in the Divisions 44. The annual audit programmes of the Divisions are developed taking into account audit obligations in relation to maintaining ISO accreditation (all laboratories and certain official control activities), obligations under European legislation and trying to maintain an adequate coverage of all activities. In addition, Heads of Department and the Chief Inspectors provide input on the areas of activity which they wish to have audited. 45. In two of the three Divisions met, the relevant part of the audit universe developed by IAD was used as a basis for identifying activities to be audited. As a result, the aim to achieve adequate coverage of all activities was considered to have been addressed if an audit takes place in all domains for which the Division was responsible during the 5 year period. 46. Regarding risk based selection of audits, the quality employees of these same two Divisions explained that they relied on the input of the relevant Departments regarding the relevant risks for their areas. 47. In one Division the quality employee had further developed the audit universe for the relevant domains by expanding each domain to consider the different control activities related to the domain. He then applied a weighting system for various risk factors to each of the identified control activities, with a view to make a risk-based selection of audit subjects. This work had not however as yet resulted in an audit programme for the Division as: The quality employee found it difficult to ensure that all relevant risks were reflected appropriately in the weighting system; and In practice, the number of audits that actually could be carried out was limited to audits necessary to maintain existing accreditations. This was due to the combination of: 14

20 o o a management decision to increase the number of areas of official controls that were accredited, resulting in a prioritisation of quality assurance work; and the retirement of staff resulting in a need to direct resources to induction training of new recruits 48. Nevertheless the quality employee still hoped to be able to implement this system for risk-based selection of audits in the future. 49. Part of IAD s monitoring role includes assessment of the Divisional audit programmes, in particular to identify gaps and overlaps, and provision of feedback to the Chief Inspectors on this assessment. As Divisions are autonomous in developing their audit programmes, the Chief Inspector is not obliged to amend the audit programme on the basis of IAD advice. Conclusions 50. Defined procedures are in place for the development and approval of audit programmes. 51. Efforts have been made to identify the range of activities that must be covered by the audit programme and to prioritise audit activities on the basis of risk. Nevertheless, NVWA s ability to demonstrate that the audit programme is risk-based and ensures adequate coverage of official control activities is undermined by the broad terms in which the audit universe has been defined and the unsystematic approach to risk-based prioritisation, in particular in the development of the Divisional audit programmes. 52. The absence of an effective co-ordination of the audit programmes contributes to a risk of gaps and/or overlaps in auditing activity. 5.5 IMPLEMENTATION OF THE AUDIT PROCESS 5.5.1Legal requirements Article 2(6) of Regulation (EC) No 882/2004 states that Audit means a systematic and independent examination to determine whether activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives. In section 5.1 of the Annex of Decision 2006/677/EC further guidance is provided to Member States on the Systematic Approach, including: A systematic approach should be applied to the planning, conduct, follow-up and management of audits. To that end, the audit process should:. 15

21 be supported by documented audit procedures and records to ensure consistency between auditors and to demonstrate that a systematic approach is followed include procedures for generating audit findings, including the identification of evidence of compliance and noncompliance, as appropriate, and for preparing, approving and distributing audit reports, include procedures to review audit conclusions, in order to identify system-wide strengths and weaknesses in the control system, disseminate best practice and ensure the monitoring of corrective and preventive actions, be monitored and reviewed to ensure the audit programme's objectives have been met and to identify opportunities for improvement. Section 6.1 of the Annex of Commission Decision 2006/677 provides guidance on implementation of the Audit Process: To comply with the requirements of Article 4(6) of Regulation (EC) No 882/2004, the audit system should cover the following three points set out in Article 2(6): (a) Verification of compliance with planned arrangements in order to provide assurances that official controls are carried out as intended and that any instructions or guidelines given to staff carrying out the controls are followed. This may largely be addressed by document review, but will also require on-site verification. The audit team will require good generic audit knowledge and skills to address this audit objective. (b) Verification of the effective implementation of planned arrangements. In order to assess effectiveness, that is the extent to which planned results are achieved, on-site operational implementation must be included. This should include an assessment of the quality and consistency of the controls and should involve on-site audit activities. The audit team will require the relevant technical expertise in order to address this audit objective. (c) The audit system should also seek to assess whether the planned arrangements are suitable to achieve the objectives of Regulation (EC) No 882/2004, and in particular the single integrated multi-annual national control plan. This should include assessing the suitability of official controls, with regard, for example, to their frequency and the methods applied, having regard to the structure of the production chain(s) and to production practices and volume. The audit team should have substantial knowledge and understanding of system auditing, together with relevant technical input to address this audit objective. In order to determine whether the planned arrangements are suitable to achieve the objectives set out in (c) above, the following should be considered: Audit criteria should include strategic objectives stemming from Regulations (EC) No 178/2002 and (EC) No 882/2004 (including the single integrated multi-annual national control plan) and national legislation. The primary focus of audits should be the control arrangements relating to the critical points for control in the production chain(s). The emphasis should be on assessing whether planned arrangements are capable of delivering sufficient guarantees on (a) the 16

22 safety of the end-product(s) and (b) compliance with other feed and food law requirements and with animal health and welfare rules. In order to achieve this, audit(s) should where possible extend beyond and across administrative boundaries Findings Documented Procedures 53. Both IAD and Division Quality Employees have their own documented procedures covering the audit process, including audit planning, execution and reporting. 54. These procedures cover the activities and processes necessary in order to prepare for, carry out and report on an audit. The mission team reviewed a number of audit reports demonstrating that these procedures are applied in practice. 55. In the case of the external audits performed on ZBO, according to the information provided by IAD, for 2 of the 3 Divisions, IAD procedures were used for these audits. For the remaining Division carrying out such audits, it was not clear to the mission team what procedures were followed Compliance with planned arrangements 56. All NVWA staff met during the mission confirmed that Divisional audits are designed and executed as conformity audits with the main objective of determining whether activities comply with planned arrangements. Audit reports assessed by the FVO mission team demonstrated that Divisional auditors could detect non-compliance. 57. While IAD carries out a broader range of audit types than the Divisional auditors, the audit reports seen by the FVO mission team also demonstrated that IAD auditors could determine whether activities complied with planned arrangements Verification of the effective implementation of planned arrangements and their suitability to achieve objectives 58. While Divisional audits are conformity audits (see ), the audit reports assessed by the FVO did contain some findings relating to effectiveness of implementation of planned arrangements and/or suitability of those arrangements. These findings, however, were made on an ad hoc basis: the audits themselves were not planned or designed with the objective of assessing effective implementation and/or suitability of arrangements. 59. IAD, with its broader internal audit role, carries out inter alia diagnostic audits with the objectives of identifying underlying causes of problems identified with controls. The example seen by the FVO mission team included findings and conclusions in relation to effectiveness of implementation, and suitability, of planned arrangements, based on deficiencies identified in specific areas/activities. 17

23 60. While IAD can carry out diagnostic audits when required, the determination of effectiveness of implementation, and suitability, of planned arrangements is not included systematically in the audit programme planning. The IAD representatives met expressed the view that more needs to be done to develop a more systematic approach to auditing effectiveness Audit reporting 61. Both IAD and the Divisions have clear procedures in place for reporting the findings, conclusions and recommendations of audits, including report templates and defined procedures for report drafting and approval, including provision for auditees to comment on draft reports. 62. The subsequent distribution of the reports is also defined. Division audit reports are available to any interested parties within NVWA. IAD audit reports are not necessarily made available to parties other than the auditee and the Management Board in cases with sensitive findings. The reports in such cases may not be distributed without the permission of the Inspector General Review of audit conclusions and dissemination of best practice 63. Current IAD and Division audit procedures do not provide for systematic review of audit conclusions to identify system-wide strengths and weaknesses in the control system or for dissemination of best practice. 64. IAD audit reports are discussed at Management Board meetings and Division audit reports may be discussed at quality management meetings. There is therefore a potential for identification of both system-wide weaknesses and best practice, but no mechanism has been put in place to ensure that this happens systematically Monitoring and review of the audit process 65. For IAD, monitoring of the audit programme development and implementation occurs in the context of reporting to the Board of Directors and meeting the Audit Committee. However, according to the IAD representatives met, the main focus in these exchanges is the basis for selection of audits to include in the programme and the outcome of individual audits. As yet no mechanism is in place to review the audit process to ensure audit programme s objectives have been met. 66. IAD s role includes monitoring of the Division audit programmes and meeting with the Chief Inspectors to advise them on any gaps, overlaps or failure to deliver programmed audits. 67. Within Divisions, the management reviews required as part of the quality management system cover all areas of activity, including internal audits. However, from the example of output of the review provided to the FVO mission team, the main focus of the review 18

24 (for audits) was the completion of the planned programme rather than the audit process itself. Conclusions 68. Procedures put in place by NVWA are sufficient to ensure that compliance with planned arrangements is audited effectively and in a transparent and systematic manner. 69. Auditing of effective implementation of planned arrangements and the suitability of arrangements to achieve objectives does not take place systematically. 70. Audit reporting procedures are satisfactory. 71. Certain elements identified in Commission Decision 2006/677/EC as forming part of the systematic approach to implementing the audit process, namely dissemination of audit findings and monitoring and review of the audit process, do not take place systematically in NVWA. 5.6 FOLLOW-UP OF AUDIT RECOMMENDATIONS 5.6.1Legal requirements Article 4(6) of Regulation (EC) No 882/2004 requires, inter alia, that Competent authorities shall carry out internal audits or may have external audits carried out, and shall take appropriate measures in the light of their results. In section 5.3 of the Annex of Decision 2006/677/EC further the guidance is provided to Member States on Independence in relation to follow-up of audit recommendations: Where the audit team makes recommendations for corrective and preventive action, the auditee should choose the methods to be applied for such action. Active audit team involvement in follow-up should be limited to assessing the suitability of the action plan and the effectiveness of the corrective and preventive action. Section 6.3 of the Annex of Commission Decision 2006/677 provides guidance on follow-up of the audit outcome: Where appropriate, an action plan should be drawn up and delivered by the auditee. It should propose time-bound corrective and preventive action to address any weakness identified by the audit or audit programme. The audit team should assess the suitability of the action plan and may be involved in verifying its subsequent implementation: an Action plan enables the audit team to assess whether the proposed corrective and preventive action is sufficient to address the recommendations of the audit report. Action plans should include risk-based prioritisation and time frames for completion of corrective and preventive action. A wide range of different action plans could be 19