COMMISSION OF THE EUROPEAN COMMUNITIES COMMUNICATION TO THE COMMISSION


COMMISSION OF THE EUROPEAN COMMUNITIES

Brussels, SEC(2003) 59 final

COMMUNICATION TO THE COMMISSION

Clarification of the responsibilities of the key actors in the domain of internal audit and internal control in the Commission

(presented by Mrs. Schreyer and Mr. Kinnock in agreement with the President)

COMMUNICATION TO THE COMMISSION

Clarification of the responsibilities of the key actors in the domain of internal audit and internal control in the Commission

1. CONTEXT OF THE COMMUNICATION

Action 13 of the AAR 2001 synthesis report, adopted by the Commission on 24 July 2002, stated: the Commission will ensure that, before 1 December 2002, the responsibilities of the key actors in audit and control, including on the spot checks, are clarified in accordance with the stated principles of the Reform White Paper and the new Financial Regulation, best practice and internationally accepted principles of good governance.

The impetus for the White Paper on Administrative Reform in the domain of financial management was the decentralisation of internal control to the Directors-General and the Heads of Service, and the need for that decentralisation to be accompanied by the appropriate central normative and support mechanisms. In this context, Annex 1 outlines the Director General's prime responsibility for controls, as evidenced through the annual declarations (action 82), the role of the CFS (action 72 and 78), the role of the DG's control functions (action 81) and the Commission's internal audit as regards the role of the IAS (Chapter XXV). As the COSO[1]-framework[2] was one of the main inspirations for the proposals in the White Paper related to internal control, some extracts are also set out in Annex 1 to this Communication.

The new Financial Regulation constitutes the legal base for these decentralised accountability arrangements and defines the responsibilities of each financial actor. Definitions of the roles of the Authorising Officer (art. 60 1) and the Internal Auditor (art. 86 1) are also provided in Annex 1. Article 4.8 of the charter for the Authorising Officers by Subdelegation is also recalled in that annex.

The purpose of this Communication is to clarify the roles of the various key actors in internal control and internal audit, at both central and DG level, taking account of the basic orientations of the White Paper and the new Financial Regulation and therefore providing the Commission with a basis for reasonable assurance over its operations.

[1] Committee of Sponsoring Organizations of the Treadway Commission
[2] Internal Control-Integrated Framework, September 1992 (July 1994 edition)

2. CLARIFICATION ON THE ROLES AT DG AND SERVICE-LEVEL

2.1. Roles in managing internal control[3] in the DG

Role of Directors-General

Directors-General are responsible for the sound management of adequate and efficient control systems in their DG, and for reporting annually through the Annual Activity Reports and Declarations to the College on the state of these systems and the use made of the resources at their disposal. They retain overall responsibility. This responsibility is exercised through their supervision of the structures and processes which they establish within their DGs or Services in order to gain assurances that the systems under their control are operating properly.

In the domain of financial management, this means that the Director General or Head of Service is in charge of designating the Authorising Officers by Subdelegation (AOS) with their charter, responsibilities and reporting duties. In addition, the Director General or Head of Service will define the financial circuits and put in place the appropriate organisation for executing ex-ante, on-the-spot and ex-post controls. Depending on the financial circuit, these functions can be carried out under direct control of the AOS or at a more centralised level in the DG.

The adopted organisation will also respect the incompatibility between ex-ante and ex-post controls as set out in the Financial Regulation (art. 60 4) and the Director General or Head of Service will also define the most appropriate organisation for executing the ex-post controls in their environment.

Role of directorates and units

Directorates and units are responsible for the effectiveness of the control system in their environment. In the domain of financial management, the AOS takes overall responsibility for the sound execution of internal control as specified in his charter with his Director General or Head of Service. This means that they have to implement and supervise the effectiveness of the controls and establish the reporting to their Director-General or Head of Service as stated in art. 4.8 of their charter as AOS. According to the selected financial circuit, all ex-ante controls are executed in his directorate/unit or in a more centralised entity in the DG or Service. The Director-General or Head of Service designates, where relevant, the officials in charge of on-the-spot ex-post checks aiming to verify the functioning of the internal control system.

[3] Internal control covers the globality of the policies and procedures conceived and put in place by an entity's management to ensure the economic, efficient and effective achievement of the entity's objectives; the adherence to external rules and to management policies and regulations; the safeguarding of assets and information; the prevention and detection of fraud and error, and the quality of accounting records and the timely production of reliable financial and management information. In case of shared management, internal control also covers the controls by the DG or Service on the management and control systems in the Member States.

Role of Resource Directors[4]

In addition to their role under , Resource Directors oversee the implementation of internal control systems within their DG based on the overview of information received from all directorates responsible for implementing those systems. Being the recipient of all relevant information on the results of ex-ante and ex-post controls, of audits, and of management supervision controls given by operational directorates, he monitors the follow-up of action plans in this respect.

The Resource Directors[5] should also co-ordinate the preparation of the DG's annual activity report. In this context, Resource Directors will report to the Director-General or Head of Service their advice and recommendations on the overall state of internal control in their DG. This will apply fully in 2003; it will be applied to the 2002 exercise within limits which individual DGs may wish to explain.

Due to the specificity of each DG or Service, the Director-General or Head of Service can decide to appoint another person in the DG for the above-described tasks. He can also request the Resource Director (or his equivalent) to give guidance, promote best practice inside the DG or Service and to recommend improvements to the DG's or Service's internal control system and/or give additional tasks in the framework of supervision of internal control in the DG or Service, in line with standard 17 of the internal control standards.

Role of IACs

The IAC does not have responsibility for installing or managing control systems. Specific tasks can be undertaken in order to advise senior management on the implementation of the internal controls. On the basis of the work program adopted by the Director General or Head of Service, they will also test certain parts of the internal control system on their effectiveness and adequacy and, if necessary, make recommendations for enhancing these systems.

Roles related to internal audit in the DG

The primary objective of the Internal Audit Capabilities will be to add value to their DG or Service in relation to the effectiveness of internal controls over the activities of the DG. They are responsible for audits within the DG or Service. In line with individual arrangements decided by the Director-General or Head of Service and in accordance with the nature and the scope of their work during the year in question, they should express an opinion on the state of control as a contribution to the preparation of the AAR. Together with the Director-General or Head of Service, a workplan should be established on the basis of a risk assessment.

[4] As there is no standard definition of the function of Resource Director across the Commission, the term resource director will in this communication refer to the person of the management board in charge of resource management at DG-level including programming, human resources and financial resources management. If this function doesn't exist as such the Director General can designate the most appropriate person in this respect.
[5] Taking account of the specificities of the DG or Service, the Director General or Head of Service may designate another person as co-ordinator of the preparation of the AAR.
[6] Each DG shall establish appropriate supervision arrangements including, where appropriate, ex post control of a sample of transactions to ensure that the procedures set up by management are carried out effectively.

IACs do not form part of the management control functions and are at the service of their Director-General, while retaining independence vis-à-vis the auditees. Because they already report to their Director General, IACs cannot be considered as hierarchically dependent on IAS, but they should co-operate constructively and coordinate their workplans. Auditnet remains the main forum for exchanges of methodology and best practice, and for such co-ordinating of workplans.

Roles in the context of the Annual Activity Report (AAR)

The Director General or Head of Service should have appropriate mechanisms to ensure that procedures are followed, and that all applicable statutes and regulations are complied with and that best practice is taken into account when setting up and implementing the relevant processes. To deliver this assurance the following key actors may assist in the process leading up to the preparation of the AAR:

- the operational directorates and units, who have basic responsibility for ensuring the compliance and effectiveness of the internal controls in their domains, deliver regular management reporting;
- the Authorising Officers by Subdelegation (AOS) report as specified in the charter they signed with the Director General or Head of Service;
- evaluation units regularly provide reports in the framework of their work program;
- the financial units for providing the service's annual accounts for which a draft is provided by the Accountant;
- the members of senior management (Deputy Director-General, Directors, etc.) and all relevant staff designated by the Director-General or Head of Service deliver specific reports at his request and participate in the self-assessment processes aimed at gauging the extent to which the Internal Control Standards have been implemented, and identifying and managing risks;
- the Resource Director co-ordinates the preparation[7] of the AAR and will report to the Director-General or Head of Service his advice and recommendations on the overall state of internal control in his DG, on the basis of information provided by the directorates, AOS, IAC and other relevant partners. This will apply fully in 2003; it will be applied to the 2002 exercise within limits which individual DGs may wish to explain;
- the Internal Audit Capability (IAC) which gives advice regarding the AAR process and in accordance with the nature and the scope of their work during the year in question, they should express an opinion on the state of control as a contribution to the preparation of the AAR.

It should be noted that the IAS does not provide an annual opinion on the individual AAR of the DGs.

In preparing their Annual Activity Reports, the Director-General or Head of Service will also draw upon their own direct knowledge of the activities in the DG or Service and upon the relevant audit reports produced by the Court of Auditors, IAS and IACs, and the extent to which recommendations and action plans have been implemented.

[7] Taking account of the specificities of the DG or Service, the Director General or Head of Service may designate another person as co-ordinator of the preparation of the AAR.

3. CLARIFICATION ON THE ROLES AT COMMISSION-LEVEL

3.1. Roles in managing internal control at Commission level

Role of the Commission

Internal control and internal audit are cornerstones in the governance construct to protect adequately the Commission in the discharge of its duties as spelled out in the Treaty. Therefore, clear accountability in the role and definitions proposed for the different actors in the control and audit Community is key.

In the past, the control function in the Commission was centralised. Such a function exists in other organisations. However, in line with the Reform and its determination to clearly assign responsibility for control to those who have the actual power to implement internal control on a day-to-day basis, the Commission has chosen a different model: while the responsibility for the implementation of internal control is decentralised to Directors General and Heads of Service, the definition of minimum control standards and oversight of their implementation is the task of a central service, the CFS.

Role of DG Budget

The responsibility of the Accountant in internal control is to ensure the integrity of the accounting system. Each DG is responsible for the data entered into the system and for ensuring the reliability and accuracy of the information entered. In this context, the Accountant is responsible for the subsequent processing and output of the information entered in the accounting system, including through local information systems which he has validated.
The role of the Central Financial Service is to provide guidance, promote best practice, and recommend improvements to the Commission's overall internal control system and to the standards which underpin the basic control framework. In this context, as internal control embraces more than financial management and control, the CFS liaises with SG and DG Admin for issues of their respective field of competence, i.e. programming and human resources management.

The CFS is not responsible for verifying the reliability or adequacy of the overall system or for providing a positive assurance that it is functioning as intended. It will, however, review the state of internal control in the Commission on the basis of the contents of the individual annual activity reports, audits of Court of Auditors, IAS and executive summaries together with their action plan of completed audits and reviews by IACs. Transmission of these reports does not, however, involve any transfer of responsibility. On this basis, the CFS will provide an overview in the framework of the synthesis adopted by the Commission.

The CFS will also co-ordinate internal control issues to promote a common understanding and implementation of methods, tools and techniques and to create a common reporting framework. In this respect, special attention will be given to the specific needs of smaller DGs and Services.

Role of the Secretariat General

The SG prepares, in collaboration with the CFS, the synthesis of annual activity reports which will also bring to the attention of the College the key issues on which action is needed. They also prepare the common methodology for the annual activity reports. The synthesis of the annual activity reports constitutes a privileged moment for the College, because the synthesis report allows it to take note of the overall activities and state of controls of the Institution, and to decide on remedial action, where considered necessary, in line with the specific provisions of this Communication.

The Secretariat General has a key role in the co-ordination of the aspects of internal control related to the setting of policy priorities through the APS-cycle and the Commission's Work Program. In this context, they also promote a common understanding and implementation of methods, tools and techniques by the DGs and Services.

Role of the Internal Audit Service

The IAS is not itself responsible for the implementation and management of controls. In the framework of the Financial Regulation, it will assess the suitability and quality of the Commission's internal control systems and report yearly about its work in the annual internal audit report. In addition, on the basis of the work programme, it can undertake specific tasks to advise on an effective implementation of internal controls.

Roles relating to internal audit at Commission level

The mission of the IAS remains to assist management in controlling risks, monitoring compliance, to provide an opinion on the quality of management and control systems and to improve efficiency and effectiveness of operations. The IAS assists management through the audits of Commission activities, and by examining the adequacy and effectiveness of systems and operations and, more widely, the quality of performance of Commission services in carrying out policies, programmes and actions. IAS will assess the suitability and quality of internal control and audit systems as stated in Article 86 1 (b) of the new Financial Regulation.

Action 87 of the Reform White Paper foresees that the IAS will carry out a complete cycle of in-depth audits of management and control systems in all DGs some 18 months after the first round of DG's annual reports, i.e. by the end of The IAS annual work programme is established on the basis of a risk analysis, which implicitly expresses a professional judgement on the capacity of the Commission's services to achieve their objectives and the effectiveness of their related controls.

The IAS will also assure methodological co-ordination of internal audit activities with the IACs through Auditnet. The objective should be to establish a common internal audit methodology, tools and related guidelines in this perspective and to promote a coherent planning of internal audits.

The role of the Audit Progress Committee is to ensure that the work of the IAS is properly taken into account by Commission services and receives appropriate follow-up. In its Annual Report 2001, the Court of Auditors recommended that the Commission revisit the composition and the functional responsibility of the members of the Audit Progress Committee to ensure that audit work receives appropriate response and follow-up. While this issue may justifiably be revisited, it is considered that after less than 2 years in operation the present arrangements could be improved through procedural measures rather than changes to composition and functional responsibility.

Roles in the context of the synthesis of the Annual Activity Report

In adopting the synthesis of Annual Activity Reports, the College takes note of the achievements and performance of Commission departments and their reservations for the overall soundness of the system, and responds to any issues which arise. To that effect, the College will examine a synthesis report prepared in the form of a communication by the President in agreement with the members of the Commission responsible for Administration and Budget.

Regarding internal control elements, the following actors intervene:

- the Director General or Head of Service, who is responsible for the effectiveness of internal control in his DG or Service and reports each year in his annual activity report on the status of the systems under his charge and on the use that he has made of the resources at his disposal;
- the Internal Audit Service, which establishes its yearly IAS internal audit report in accordance with Article 86 3 of the Financial Regulation and comments in the context of the inter-service consultation to prepare the synthesis report;
- the Central Financial Service, which provides an overview of the overall state of internal control on the basis of the individual annual activity reports, audits of Court of Auditors, IAS and executive summaries together with their action plan of completed audits and reviews by IACs. This overview will be integrated as a distinctive part in the synthesis report.

4. CONCLUSION

In order to clarify the roles of the different actors in internal audit and internal control, the Commission is invited:

- to adopt the proposed clarification for internal control and internal audit as set out in this Communication;
- to invite the Directors-General and Heads of Service to verify, by the end of March 2003, their organisational structure for internal control and the preparation of the AAR. Specifically, they will communicate to the CFS who in their DG or Service ("contact officer") will undertake the co-ordination tasks with regard to internal control systems, which in this communication are expected to be undertaken by the Resource Director or equivalent;

- to charge the Directors-General and Heads of Service to verify that the charter of their own IACs is in line with the responsibilities described above;
- to confirm the role of CFS, which will require it to deliver advice to the Commission on the overall state of internal control systems in the Commission services, to recommend improvements and distribute best practices on the internal control framework of the Commission. This advice will be based on the analysis of reports from DGs, and reports from the IAS and the Court of Auditors. The Directors General and Heads of Service provide all relevant information via the contact officer in due time to the CFS, including executive summaries and their related action plans of completed IAC-audits and reviews. The CFS advice and recommendations will, for the first time, be integrated as a distinctive part into the synthesis of the Annual Activity Reports related to The DGs and Services will be expected to ensure the integrity of the information provided as the CFS will not have the task of validating such information;
- to charge the CFS to continue strengthening the necessary support on internal control from mid 2003 onwards by developing appropriate methods, tools and techniques on internal control, including the provision of appropriate training;
- to confirm the necessity to implement action 87 by the end of 2003;
- to decide that, in addition to its annual internal audit report as required by the Financial Regulation, the IAS should give its view on the synthesis of annual activity reports through the inter-service consultation, prior to its endorsement by the College;
- to confirm the composition and the functional responsibility of the members of the Audit Progress Committee as it is currently implemented for the moment and to revisit this issue in due time;
- to confirm the IAS mandate to support IACs through Auditnet, and more precisely to promote common methods, tools and techniques concerning audit in the Commission and to ensure a coherent planning of internal audit in the Commission.

This communication recalls the main thrusts concerning the roles of the various key actors in the domain of audit and control. During the implementation and development of these key principles, several detailed decisions will have to be taken at DG-level. Should further questions arise, then the IAS, in co-operation with Auditnet, will provide support to the DGs in the domain of internal audit, while the CFS, in co-operation with the network of Resource Directors, will provide support to the DGs in the domain of internal control.

ANNEX

Relevant extracts of the White Paper and the recast Financial Regulation

Some basic orientations in the White Paper relative to audit and control are recalled hereafter:

Action 82 recalls the DG's responsibility for controls through the declarations as follows: each Director-General is accountable for sound and efficient resource management both in decision making and through the follow up of decisions taken, i.e. internal control. This responsibility should be expressed in a declaration by each Director-General in her/his Annual Activity Report, that adequate internal controls have been put in place and that, on the basis of the analysis made in the report, resources have been used for the intended purposes. The DG's annual accounts shall be included in the Annual Activity Report. The Heads of Unit and Directors should take responsibility for their contributions to this report. By signing the annual report, the Director-General takes responsibility for the accuracy and completeness of the information presented, confirms that the resources were used as intended and that the internal control procedures in place give adequate assurance as to the legality and regularity of the underlying transactions.

Action 72 creates the Central Financial Service as follows: A Central Financial Service (within DG Budget) will define the regulatory framework including sectoral financial rules for using Community finances and the minimum standards for internal control, provide advice on their application to those who manage financial appropriations and who take care of their recovery, develop and manage common financial management information systems and define together with DG Administration and operational DGs training courses on financial matters.

Action 78 of the White Paper states that the Central Financial Service will define common minimum standards for internal control within DGs and will provide advice on their implementation. Each authorizing service must take ultimate responsibility for reviewing its own internal control systems, and it will be for Directors General to ensure the adequacy of internal controls in their services. These documents, the user networks and the audit reports from DGs and from the Internal Audit Service will provide the Central Financial Service with the necessary information to oversee the implementation of the minimum standards across the Commission.

Action 81 of the White Paper, Strengthening the role of the DGs' control function, states that an Audit Capability will be created in each DG, the primary objective of which is to provide assurance to the Director-General as to the functioning of internal controls over the activities of the DG, including financial activities. This function should also be involved in the evaluation and improvement of internal control mechanisms, internal rules and procedures and risk assessment. It will report directly to the Director-General, to ensure its necessary independence and authority within the DG. This function will undertake an independent review of the use made of the budget by the DG, and undertake systems, program and performance reviews, and ex-post checks on activities in the field.

In the section on objectives for the creation of an Internal Audit Service (chapter XXV) it is stated that an appropriate structure for the Commission's audit activities would be for systematic ex-post checks and systems reviews of activities in the field to be carried out by specialist staff in Control Units within operational DGs (see Action 81). This structure would be complemented by a central Internal Audit Service (IAS) whose main task would be to review the internal control functions and systems within the Commission. The mission of the new service will be to assist management within the Commission in (1) controlling risks, (2) monitoring compliance and by (3) providing an independent opinion on the quality of management and control systems and (4) making recommendations in order to improve the efficiency and the effectiveness of operations and to ensure economy in the use of Commission resources (security for money and value for money). The overall objective of the IAS is to provide reasonable assurance by way of audits of all Commission activities, notably the independent appraisal of the adequacy and quality of the Commission's internal control systems over all its operations as well as the examination of the adequacy and effectiveness of systems and operations and, more widely, the quality of performance of Commission services in carrying out policies, programs and actions.

Action 87 foresees in-depth audits in the following terms: The Internal Audit Service will review the improvement and reinforcing of the DG's internal control systems. Formal statements on the progress made by services will be provided (but no formal opinion on the quality of the services' internal control systems). These statements will be used for DG's Annual Activity Reports for The Internal Audit Service will advise the College through the Audit Progress Committee on the Annual Activity Reports from the operational and horizontal DGs for It is to be expected that from April 2001 to December 2002, the Internal Audit Service will carry out a complete cycle of in-depth audits of management and control systems in all DGs.

The recast Financial Regulation specifies the responsibilities as follows:

Article 60 1 describes the responsibilities of the Authorising Officer as the Authorising Officer shall be responsible in each institution for implementing revenue and expenditure in accordance with the principles of sound financial management and for ensuring that the requirements of legality and regularity are complied with.

Article 85 states that Each institution shall establish an internal auditing function which must be performed in compliance with the relevant international standards. The internal auditor appointed by the institution shall be answerable to the latter for verifying the proper operation of budgetary implementation systems and procedures. The internal auditor may not be either Authorising Officer or Accounting Officer.

Article 86 1 indicates for the internal auditor that the internal auditor shall advise his/her institution on dealing with risks, by issuing independent opinions on the quality of management and control systems and by issuing recommendations for improving the conditions of implementation of operations and promoting sound financial management. He/She shall be responsible in particular:

a) for assessing the suitability and effectiveness of internal management systems and the performance of departments in implementing policies, programs and actions by reference to the risks associated with them;
b) for assessing the suitability and quality of the internal control and audit systems applicable to every budgetary implementation operation.

The charter of Authorizing Officer by Subdelegation specifies the reporting responsibilities as follows: The Authorizing Officer by subdelegation shall report regularly to the Authorizing Officer by delegation on the implementation of programmes, operations or actions in respect of which powers have been subdelegated to him. These regular reports, which shall also be used in the preparation of the annual activity report of the Authorizing Officer by delegation, shall include:

- a description of the work programmes and the specific objectives for each of the programmes, operations or actions;
- a description of outputs and outcomes;
- a description of the use made of resources assigned by the Authorising Officer by delegation, accompanied by a comparison with the findings of the analysis of the resources judged necessary to implement the programmes, operations or actions in question which was conducted when the Authorizing Officer by delegation set the objectives;
- remarks on the action taken to follow up the observations made in earlier discharges or reports by the Court of Auditors in connection with the programmes, operations or actions in question;
- remarks on action taken on any qualifications made by the Authorizing Officer by delegation in earlier declarations, where such qualifications pointed to measures taken or to be taken to remedy malfunctioning in connection with the programmes, operations or actions in question;
- an accounting annex based on the model supplied by the Accounting Officer for the accounting annex to the annual report of the Authorizing Officer by delegation.

Related to the COSO-framework, COSO[8] defines the internal control as a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

Some extracts on management responsibilities as defined in COSO follow:

Every individual within an entity has some role in effecting internal control. Roles vary in responsibility and involvement. Management is directly responsible for all activities of an entity, including its internal control system. Naturally, management at different levels in an entity will have different internal control responsibilities.

[8] Internal Control-Integrated Framework, September 1992 (July 1994 edition)

In any organisation, the buck stops with the chief executive. He or she has ultimate ownership responsibility for the internal control system.

Senior managers in charge of organisational units have responsibility for internal control related to their units' objectives. They guide the development and implementation of internal control policies and procedures that address their units' objectives and ensure that they are consistent with the entity-wide objectives.

Senior managers usually assign responsibility for the establishment of more specific internal control procedures to personnel responsible for the unit's particular functions or departments. Accordingly, these subunit managers usually play a more hands-on role in devising and executing particular internal control procedures. They will also make recommendations on the controls, monitor their application and meet with upper level managers to report on the controls' functioning.

Of particular significance to monitoring are finance and controllership officers and their staffs, whose activities cut across, up and down the operating and other units of an enterprise. These financial executives often are involved in developing entity-wide budgets and plans. They track and analyse performance, often from operations and compliance perspectives, as well as a financial one. These activities are usually part of an entity's central or corporate organisation, but they commonly also have dotted line responsibility for monitoring division, subsidiary or other unit activities.