Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
Public Internal Control Systems in the European Union
Good practice within Member States to
optimise Internal Control arrangements for
the management of EU funds
Discussion Paper No. 10
Ref. 2017-3
The information and views set out in this paper are those of the informally-organised PIC
Working Group and do not necessarily reflect the official opinion of the European Union.
Neither the European Union institutions and bodies nor any person acting on their behalf
may be held responsible for the use which may be made of the information contained
therein.
Good practice within Member States to optimise Internal Control arrangements for the management of EU funds
It is ultimately the responsibility of the European Commission to ensure that EU finances
are properly spent. However around 80% of the budget is executed directly by EU
Member States under shared management arrangements.
For the year 2015, the European Court of Auditors reported an estimated level of error of
3.8% for this expenditure. Although this rate has been steadily reducing over the years, it
remains above the Courts materiality threshold of 2%.
As well as its own experts in the management of EU funds, each Member State also has
its own experts in Internal Control – no doubt both in terms of policy setting and in terms
of evaluation. This Discussion Paper argues that there could usefully be structured
cooperation between national Internal Control experts and national EU fund actors to
ensure that the underlying Internal Control arrangements for EU funds function
optimally.
TABLE OF CONTENTS
1. INTRODUCTION ....................................................................................................... 1
2. EU FUNDS AND PUBLIC INTERNAL CONTROL ................................................ 2
3. POTENTIAL INTERNAL CONTROL CHALLENGES REGARDING THE
MANAGEMENT OF EU FUNDS .............................................................................. 3
3.1. The silo effect .................................................................................................... 3
3.2. Management not feeling able to intervene effectively ...................................... 3
3.3. Findings supplied by external sources do not equate with management
findings/views.................................................................................................... 3
3.4. Annuality - error rates are defined on an annual basis, whereas
solutions may require long term intervention .................................................... 4
3.5. The legal framework for European Structural and Investment funds
does not foresee an Internal Audit role .............................................................. 4
4. POTENTIAL GOOD PRACTICES TO OPTIMISE INTERNAL
CONTROL STRUCTURES........................................................................................ 4
4.1. A clear and comprehensive mapping of the role and scope of the
involvement of the national Internal Control contact point ............................... 4
4.2. Transversal overview......................................................................................... 5
4.3. International support .......................................................................................... 6
4.4. Increased role of Internal Audit in the management of European
Structural and Investment funds ........................................................................ 6
5. CONCLUSION ........................................................................................................... 6
6. TOPICS FOR DISCUSSION ...................................................................................... 7
ANNEX 1 ............................................................................................................................ 8
ANNEX 2 .......................................................................................................................... 11
1
1. INTRODUCTION
The European Commission is ultimately responsible for the implementation of the EU
budget. However around 80% of expenditure is executed directly by EU Member States
under shared management arrangements. This Discussion Paper is concerned with
Internal Control related elements underpinning the management of EU funds at Member
State level.
As EU funds are provided by an 'outside' donor, their management at national level is
subject to specific constraints or requirements concerning areas such as control, audit and
accountability. This can give rise to possible challenges to ensuring effective Internal
Control arrangements which mesh with those used elsewhere in the national
administration.
Over recent years, arrangements for the management of EU funds have become more
aligned with each other and have been developed to resemble systems using COSO/
INTOSAI-type language, structures and controls. This is perhaps most clearly
highlighted in the Annual Control Report prepared by the Audit Authority/Certification
Bodies accompanying the Annual Opinion that each Member State makes to the
Commission on the control activity it has undertaken including its own calculation of the
error rate involved1. The Commission combines these reports with other sources of
information, including any data from its own inspections, and calculates its best estimate
of validated error rates.
The European Court of Auditors (ECA) audits Member State activity regarding the
management of EU funds. It too calculates error rates at European level, each year, using
its own audit findings. The level of error rates found affects the audit opinion of the
Commission's performance in implementing the EU budget. In recent years, the ECA's
estimated level of error, which measures the level of irregularity, has been persistently
above the materiality threshold of 2%.
The PIC Network cannot be expected to provide expertise on the specific technical
requirements of EU funds. However, this Discussion Paper outlines possible actions that
members of the PIC Network might take if:
the performance of their Member State in managing EU funds does not meet the
expectations that that state would set for national funds; or
that state appeared to breach the 2% error rate threshold regularly.
Concern about error rates is such that within the framework of the 2014 discharge
procedure, the European Parliament and the Council called on the European Commission
to present a report on 'persistently high levels of error and their root causes'. This report2
was published on 28 February 2017.
1 The annual error rate is calculated and included in the Annual Control Report prepared by the Audit
Authority/ Certification Bodies
2 https://ec.europa.eu/transparency/regdoc/rep/1/2017/EN/COM-2017-124-F1-EN-MAIN-PART-1.PDF
2
2. EU FUNDS AND PUBLIC INTERNAL CONTROL
The "Principles of PIC" paper3 that was endorsed by the PIC Network in 2015, sets out
that 'effective Public Internal Control is at the heart of sound financial and non-financial
management of both domestic and EU funds.' Further, it notes that "Sound PIC is a
matter and responsibility for the Member States. It serves both national and collective
interests."
That paper went on to develop eight principles which characterise PIC, despite the
enormous variety of Internal Control systems in use in Member States. Common themes
which clearly emerge are that creating a fully serviceable Internal Control system
requires ongoing vigilance by management, an ability to react to external stimuli and a
commitment to striving to deliver improvements. Of the eight PIC principles, the
following four (those numbered 1, 3, 7 and 8) are particularly relevant to the sort of
activity that this paper on EU funds management deals with.
Principle number 1: Good public governance in the public interest is the context,
the purpose and the driver of PIC.
With the overall aim of PIC being to deliver systems which achieve good governance – it
seems reasonable to conclude that a well-controlled system will deliver lower levels of
error.
Principle number 3: PIC is based on COSO and INTOSAI.
This offers a guide as to how any improvement process should be structured, its content
and the key performance measures to use. The organisation should have information
about performance which can be used by management to evaluate how well it is
functioning; the evaluation process should also gain from external sources of information
(the results from ECA and Commission audits for example). This data should be used
and if it discloses less than satisfactory performance then the reasons for the deficiencies
need to be analysed, solutions devised and implemented and the resulting performance
again measured.
Principle number 7: PIC is harmonised at an appropriate level.
This principle underlines the expectation that the system provides read across from one
system to another. Organisations should avoid running lots of independent silos. The
policies concerning the Internal Control system and the techniques proper to its
improvement should apply similarly regardless of the particular area concerned.
However, ensuring that this does so, will require either structures which permit
comparisons or, services with the proper competence to evaluate performance across the
board.
Principle number 8: PIC adopts a continuous improvement perspective.
This underlines the need to continue efforts to eliminate errors in the handling of EU
funds.
3 http://ec.europa.eu/budget/pic/lib/docs/2015/CD02PrinciplesofPIC-PositionPaper.pdf
3
3. POTENTIAL INTERNAL CONTROL CHALLENGES REGARDING THE MANAGEMENT OF
EU FUNDS
3.1. The silo effect
This is where knowledge and information are concentrated in individual vertical
commands rather than shared throughout the organisation. Depending upon the particular
funds under which revenue is spent, the precise control requirements may vary. In
addition, depending upon the administrative organisation within a Member State, there
may be a variety of entities playing a part in the control or management arrangements.
The allocation of responsibilities to the various entitles may be functional or regional or
some mix of the two. The more organisations involved and the greater the variety of
control requirements, the greater the risk of management by a series of independent silos.
There is also a danger that with a multiplicity of organisations, an imbalance in
knowledge and power may develop. One or more organisations may have the knowledge
about particular performance issues but do not have the power to make the changes
necessary to resolve them; while those organisations or parts of the organisation that
would have the power to make changes may have insufficient knowledge of the
particular issues to make them take action, or insufficient knowledge for them to identify
the correct/complete action necessary.
3.2. Management not feeling able to intervene effectively
It could be that management of fund spending units do not feel able to intervene
effectively when it becomes aware of sub-standard performance. This may be because
the system is seen as prescribed and/or considered unworkable. As such, management
may view some of the remedies that would be pursued with an indigenous system as
unavailable: such as changing or simplifying the requirements of the systems; varying the
delivery objectives temporarily; ensuring the performance required bears relationship to
the performance that may reasonably be delivered. Also the system may be viewed as too
prescriptive, too complex, or too different from indigenous systems.
Further, managers responsible for EU funds operations may feel isolated or that no one
else within their organisation is obliged to confront the same problems or deliver
solutions within the same constraints.
3.3. Findings supplied by external sources do not equate with management
findings/views
Management may not accept the interpretation of the transaction that leads to a finding of
error; or recognise or accept that the errors disclosed are actually errors or, with its
greater knowledge of its own procedures may not consider that a group or cluster of
errors can be properly designated systematic. If any of these differences of view remain
unreconciled then it is very unlikely that any successful remedial action can be instigated
or other resolution reached.
4
3.4. Annuality - error rates are defined on an annual basis, whereas
solutions may require long term intervention
The fixing and calculating of error rates is made on an annual basis using only the
information available by a fixed date (a brief description of how error rates for the
European Structural and Investment Funds4 are calculated is at annex 2). The ECA
reports its error rate calculation in its Annual Report, which is then used by the European
Parliament in deciding whether to grant the Commission a discharge for a particular
year's spending. The focus on one specific year, inherent in this process, carries a clear
risk of distortions; with short term resolution of specific known errors being prioritised
rather than dealing with underlying issues.
Because of the timetable enforced by the ECA annual reporting system, a country may be
required to provide its response with incomplete information, i.e. before it is clear
precisely what the full facts of any individual case actually are.
Further, results from each audit are likely to be dealt with in isolation. This may result in
interest from senior management relating only to resolving the individual problem 'cases'.
Thus, senior management may ignore, downplay or not resource the more complex long-
term analysis needed to identify the underlying issues and then devise remedial measures.
3.5. The legal framework for European Structural and Investment funds5
does not foresee an Internal Audit role
Internationally recognised Internal Control frameworks all include a monitoring
component, which, as well as including ongoing and specific monitoring by
management, includes also independent evaluations by internal audit. However the
Regulations for the management of ESIF funds do not specifically require an internal
audit function.
The regulations do define managerial requirements and an Audit Authority function
(external). However, this audit body acts mainly by looking back at transactions, often
with a substantial time delay. Thus any error rates found by the Audit Authority are a lag
indicator. Management could usefully benefit from a proactive Internal Audit function to
provide lead information on the effectiveness Internal Control systems and on
recommendations for system improvements.
4. POTENTIAL GOOD PRACTICES TO OPTIMISE INTERNAL CONTROL STRUCTURES
4.1. A clear and comprehensive mapping of the role and scope of the
involvement of the national Internal Control contact point
A clear and comprehensive mapping of the role and scope of competence of all of the
actors involved would be a useful tool. It can:
4 Not applicable to EAFRD. In this context, relevant provisions are included in Parts Three and Four of
Regulation (EU) No 1303/2013 of the European Parliament and of the Council of 17 December, which
apply to ERDF, ESF, CF and EMFF.
5 Idem
5
identify clearly all the actors involved and their area(s) of responsibility;
identify whether sufficient connections exist between the actors, including those
necessary to resolve knowledge/power imbalances, as well as identifying where
potentially useful connections have not yet been forged;
identify what is expected from each connection, whether vertical or transversal, or
what is required to make each connection effective;
consider whether this also clearly identifies all the actors involved in the response
process to the ECA, as well as their area(s) of responsibility, to ensure that all the
stages of the response process are covered and that the most recent information or
views is fed in at the various stages.
Hungary has carried out such an exercise and the results are given in annex 1.
4.2. Transversal overview
Given the differing delivery mechanisms for each EU fund, it could be useful to have a
structure that can take an informed transversal overview of the various solutions to
ensure quality, and to identify good practices that could be used to prevent or minimise
other system failings. This would be of particular importance where there are many
entities involved in control delivery, verification and audit. Who or what organisation
should be responsible for taking such an overview would vary from country to country. It
may be thought most appropriate to an internal audit body or it might be a role for the
national contact point for Internal Control, as in many Member States this contact point
is in a dedicated Internal Control policy unit, commonly known as the Central
Harmonisation Unit.
In particular, such a transversal overview could look at: is activity underway to repair any
weaknesses identified in Internal Control performance; has a particular remedial action
been successful?
This process may be particularly important where an action plan to ameliorate the
situation is being prepared for agreement with, or has been agreed by the Commission,
with a view to ensuring that the plan is in line with similar or previous examples,
international standards and/or national good practices. And also to ensure that it is
complete, practicable, timely and that suitable arrangements have been made to oversee
its implementation.
Systemic issues
Experience tends to show that problems are looked at on an individual basis by
management. And whilst this may allow for the resolution of that individual problem, it
does not necessarily highlight, much less resolve, any underlying systemic issues.
Further, by taking a horizontal overview, common trends can be identified, including
analysis of external information such as ECA and European Commission audit results,
allowing proactive action to avoid future errors.
6
4.3. International support
If managers do feel isolated within their own administration, the national PIC contact
point/the PIC Network could offer an alternative route to put managers in touch with
their counterparts in different areas of the national administration or even facilitate
contacts with managers in other Member States for informal suggestions and advice.
4.4. Increased role of Internal Audit in the management of European
Structural and Investment funds6
Internal Audit is recognised as playing a key role in providing assurance to management
on the effectiveness of Internal Control systems and in making suggestions for system
improvements.
An Internal Audit function could be best placed to have a full knowledge of system
weaknesses and/or deficiencies and provide upfront recommendations to management to
improve the control system and reduce the level of error.
Further, by Internal Audit undertaking this proactive role, this could lead to a higher level
of confidence in the control system, therefore potentially allowing for a lower sample
selection of transactions, and thus reduced costs.
5. CONCLUSION
The level of error in the management of EU funds remains continually above the 2%
materiality threshold. Whilst the management requirements of EU funds provide for
specific governing structures, the overarching principles of Public Internal Control apply
in general terms too.
As well as its own experts in the management of EU funds, each Member State also has
its own experts in Internal Control – no doubt both in terms of policy setting and in terms
of evaluation.
The PIC Network cannot provide expertise on the specific technical requirements
concerning EU funds and the same is true concerning specific responses to individual
findings. However, PIC Network members are well placed to help their administration
consider whether the structure and organisation of the Internal Control arrangements that
it applies meet international standards and/or national good practice and whether its
arrangements to respond to external audit reports are organised/used in the best possible
way to reflect fully the administration's view of the accuracy of the findings and whether
and what remedial action may be required is properly represented.
This Discussion Paper advocates that there could usefully be structured cooperation
between national Internal Control experts and national EU fund actors allowing for a
transversal overview of underlying Internal Control arrangements; and outlines an
informal supporting role of the PIC Network. Further, the paper emphasises the possible
contribution of an Internal Audit function in relation to more effective and efficient
Internal Control arrangements for ESIF funds7.
6 See footnote 4
7 See footnote 4
7
6. TOPICS FOR DISCUSSION
(1) To what extent is there a role for the national Internal Control contact point
to help to ensure that proper action is taken to remedy any ongoing high
error rates, within their national administration?
(a) Should any such role be formalised or remain informal?
(2) What could be the role of the national Internal Control contact point in the
response process to ECA and/or European Commission reports?
(3) Could the national Internal Control contact point usefully get involved in
harmonisation between Audit Authorities/Certification Bodies, if there were
more than one such body within a Member State? What other structures
could exist to ensure coordination between them?
8
ANNEX 1
Overview of the Internal Control Actors involved in the management of
EU funds in Hungary
General
There is a Government Decision on participation in EU decision making and
coordination within government. This Government Decision has established a working
group (named: European Coordination Inter-ministerial Committee, ECIC) with the
following tasks:
Mandate preparation for decision making forums (like EC or COREPER or working
parties or other committees);
Coordination between ministries and institutions (e.g. in the case of EU funds, it
includes all actors, such as managing authorities, intermediate bodies, certifying
authority, audit authority, AFCOS, and state aid control);
Weekly meetings and weekly report to government on activities of EU decision
making forums – seeking approval from government;
The leader of ECIC is the State Secretary of the Prime Minister’s Office. Members are
Prime Minister’s Office, line ministries and invited institutions (e.g. National Tax Office,
Hungarian Treasury, Hungarian National Bank);
ECIC has 52 expert groups (e.g. covering subjects such as Regional Policy and Structural
Funds, Financial Control, Budget, and Europe 2020).
9
Mapping of the Hungarian national PIC contact point (NCP) involvement in
EU fund management and control system
Possible areas
of involvement Hungary Benefit
Regulation of
management and
control system of
MA, CA and AA8
The NCP is a member of all relevant
expert groups of the ECIC
The Minister for National Economy
holds general responsibility for the
development, harmonisation and
coordination of the national public
Internal Control system, including
development of the legislation which
regulates EU fund management and
control system.
All guidelines published by NCP has
consider the obligations for MA, CA
and AA – in Hungary all institution
responsible for EU fund
management are public budgetary
organisation therefore all national
regulation of Public Internal Control
applies for them.
NCP is aware of new legislation
or modifications and can give
opinion during the drafting
process and react if any
modification is needed to other
national legislation.
During elaboration of new
guidelines for Internal Audit or
Internal Control the EU
legislation and guidelines are
taken into account.
Coordination
between MA, CA
and AA
The NCP leads a national Internal
Control Working Group which has a
EU fund subgroup – through this
subgroup NCP is coordinating of
audit plans of AA and internal
auditors of MAs and CA.
NCP provides platform for
coordination which allows them
to help internal auditors to
perform more focused tasks in the
field of EU fund management.
Responding to
audit reports
The NCP provides input to
responses to audit reports of EU
Funds.
NCP has an overview on on-
going audits and findings which
could be used to define areas that
could benefit from further
development.
8 MA – Managing Authority; CA – Certifying Authority; AA – Audit Authority.
10
Improvement of
management and
control system of
MA, CA and AA
In case of Hungary the Audit
Authority is placed under the
Ministry for National Economy. The
Minister for National Economy
should ensure that Audit Authority
has all sources, capacity, access,
independency to fulfil it tasks. This
means that the NCP is responsible
for the codification of the
regulations for Audit Authority.
Whilst the NCP acts as a contact
point for Minister, it must be
stressed that the Audit Authority
retains full independence.
The NCP has the right to exercise
quality assessment of the Internal
Control arrangements underpinning
the management of all EU fund
activities in Hungary.
NCP has an overview on the
performance of the AA.
NCP could notify top
management if any change is
needed in the EU fund
management and control system.
Training The NCP is operating a Methodical
and Training Centre which has a
course also for “Control of EU
funds”
Internal auditors could gain
knowledge on EU fund
management and control system.
Other The NCP elaborates an Annual
Report for Government on the
controls performed by the Managing
Authority, Certifying Authority and
Audit Authority - it is a summary of
performed 1st level controls,
certifications and annual
control reports and opinions of
Audit Authority.
NCP provides an overview to the
Government about the results and
status of control system (first
level controls and controls
performed by CA and AA on EU
fund management) of EU funds.
11
ANNEX 2
Managing and control systems that Member States are enjoined to use9
The managing authority/intermediate body carries out verifications until the
submission of the programme accounts. It verifies that the co-financed products have
been delivered, that the expenditure declared by the beneficiaries has been paid and that
it complies with the applicable law, the operational programme and the conditions for
support of the operation.
The verifications shall include:
Administrative verifications in respect of each application for reimbursement from
beneficiaries;
On the spot verifications of operations on a sample basis.
Before submitting interim payment applications, the certifying authority certifies that
they result from reliable accounting systems, are based on verifiable supporting
documents and have been subject to verifications by the managing authority. The last
interim payment claim is submitted by the certifying authority to the Commission by 31
July following the end of the accounting year.
The audit authority carries out audits on the management and control systems (system
audits), the accounts, and of a sample of operations on the basis of the declared
expenditure to the Commission during the accounting year. It has to organise its system
audits and audits of operations in order to deliver the audit opinion by 15 February
following the end of the accounting year. The assurance documents are to be provided by
the various Member State authorities to the Commission. The managing authority
finalises the verifications to ensure that the expenditure to be certified in the accounts is
legal and regular. It takes account of findings of the audit authority and makes necessary
financial corrections including flat rates corrections. It draws up the management
declaration and annual summary.
The certifying authority collates all interim claims in the accounts and excludes the
irregular amounts (and those under ongoing assessment) detected in relation to
expenditure included in interim payment claims. It takes account of findings of the audit
authority and satisfies itself that necessary financial corrections including flat rates
corrections have been made. It provides in the accounts explanations for the difference
between the sum of interim payment claims and the accounts. It draws up the accounts
certifying their completeness, accuracy and veracity and that the expenditure entered in
the accounts complies with applicable law.
The audit authority finalises the system audits and audit of operations. It informs the
managing authority/certifying authority of the final audit results for their follow-up and
corrective measures. It prepares the annual control opinion and annual audit opinion and
calculates a projected error rate and residual risk of error in the accounts, taking into
account the financial corrections implemented by the managing authority/certifying
authority as a result of audits. In addition, it carries out final audit work on the accounts
and assesses the consistency of the management declaration.
9 See footnote 4
12
The Commission carries out an examination of the assurance documents by 31 May year
N+1 to determine whether the accounts are complete, accurate and true and if the
accounts can be accepted. Within 30 days of the acceptance of accounts, the Commission
will pay/recover the balance due. In justified cases, the Commission will not accept the
accounts triggering a contradictory procedure with the Member State. By 30 June year
N+1 for the major part of operational programmes, a payment/recovery of the balance is
made.
Subsequently, the Commission will carry out conformity audits on the legality and
regularity of the expenditure which will trigger net financial corrections in case of
detection of irregularities demonstrating serious deficiency in the effective functioning of
the management and control system not previously identified by the national authorities
and subject to appropriate corrective measures.
Commission calculation of error rates the European Investment and
Structural Funds10
All programmes are assessed against audit opinions at national and Commission level
based on audits carried out on systems and representative samples of operations. In
addition, operational line managers and authorising officers by sub-delegation also assess
the level of assurance. The assessment is based on three elements as follows:
(1) The first element is the assessment of the functioning of management and
control systems carried out by the audit directorate. This assessment may take
into account results of corrective actions implemented by the Member State in the
reporting year. This assessment is complemented at the Commission level taking
into account elements received by the operational managers and the regular
contacts with regional and national programme authorities.
(2) The second element is the projected error rate reported by programme audit
authorities in the Annual Control Reports (ACR), based on expenditure for the
year preceding the reporting year. The Commission assesses the reliability of the
projected error rates for each programme, on the basis of all available information
and audit results, including on-the-spot missions, and uses this information as the
best estimate of the possible risk for expenditure in the reporting year. In case the
projected error rates are not available, not accurate or found not to be reliable, the
audit directorate either recalculates them when it has sufficient information to do
so or, alternatively, replaces them by flat rates in line with the results of the
assessment of the functioning of management and control systems. This results in
an error rate validated by management for each programme for the reporting
year. This is the best estimate expressed as a percentage of the value of the
interim payments made in the reporting year of expenditure which is not in full
conformity with contractual or regulatory provisions.
(3) The third element is the consideration of the multi-annual impact of the validated
error rates calculated since the beginning of the programming period, on the
corresponding interim payments made during that same period, after deduction of
the recoveries and withdrawals reported for each year, as well as, pending
recoveries at the end of the reporting year and withdrawals accepted by certifying
authorities and recorded in their accounts prior to the date of signature of the
AAR.
10
See footnote 4
13
The application of this third element results in a cumulative residual risk/error rate for
each programme or where appropriate group of programmes covered by a common
management and control system, expressed as a percentage of the value of the
cumulative interim payments made for the programming period. This is the
Commission's best estimate of expenditure which is not in full conformity with
contractual or regulatory provisions and which has not been corrected at the date the
report is signed.
The assessment of the relevant reports, data and other information available requires the
application of professional judgement, namely when weighting contradictory information
or considering abnormal statistical results. When taking into account reported
corrections, the authorising officer by delegation also assesses that they effectively
mitigate the risks identified and that they result in a reduction in the level of the error that
remains uncorrected in the population.