Good practices for risk assessment and control activities
Costanza Schivi – 10 April 2019
“Internal Audit Service: Improving the Commission’s Performance”

Our role as defined by the International Standards for the Professional Practice of Internal Auditing:

“The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:
- Achievement of the organization’s strategic objectives.
- Reliability and integrity of financial and operational information (main focus of ECA).
- Effectiveness and efficiency of operations and programs.
- Safeguarding of assets.
- Compliance with laws, regulations, policies, procedures, and contracts.”
The Internal Audit Service of the European Commission
- sets up strategic planning based on its own risk analysis, coordinated with the European Court of Auditors
- brings a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes
- reports to the Audit Progress Committee and to the Commission on the results of its work (Internal Audit Report)
- has full and unlimited access to information
Powers and duties of the internal auditor (art. 118 Financial Regulation)

“The internal auditor shall advise his or her Union institution on dealing with risks, by issuing independent opinions on the quality of management and control systems and by issuing recommendations for improving the conditions of implementation of operations and promoting sound financial management.”

The internal auditor shall in particular be responsible for:
- assessing the suitability and effectiveness of internal management systems and the performance of departments in implementing policies, programmes and actions by reference to the risks associated with them
- assessing the efficiency and effectiveness of the internal control and audit systems applicable to each budget implementation operation
A risk-based methodology for the Strategic Plan
- define the audit universe
- assess the risks of the underlying components (using the Commission’s risk management framework)
- consider issues (i) not covered for some time, on a cyclical basis, and (ii) inherently material
- the financial management of each audited entity is covered at least every three years irrespective of the level of risk => annual opinion on the state of internal control (limited assurance)
- requests and/or concerns from IAS, Commission and Executive Agencies senior management and/or the APC (top-down steer)
Which risks to assess?

AUDITORS ASSESS INHERENT RISK: the risk is assessed by making abstraction of the controls in place. There is no time to assess controls during the risk assessment; controls are assessed during the preliminary survey of audits. If, during the risk assessment, auditors obtain information which indicates that key controls are missing or display very significant weaknesses, this information is likely to influence the likelihood aspect of the identified risk.

MANAGERS ASSESS RESIDUAL RISK.

If the IAS identifies high inherent risks and management judges the residual risk to be lower => the IAS may decide to carry out an audit in order to reassure management of the appropriateness and well-functioning of the mitigating controls.
[Figure: Audit Universe of the IAS. Financial processes and non-financial processes, including grants, procurement, ethics, communication, IT, accountability (including management disclosure), financial statements, HR, payroll, monitoring EU law and pre-financing; 233 auditable entities and 406 auditable entities. The IAS Strategic Audit Plan draws on the risk assessment, risk factors, audit results, reporting and performance indicators.]

Audit types:
- 3% Financial/Compliance
- 31% Performance (incl. IT)
- 59% Comprehensive (financial/compliance + performance)
- 7% Other (consultancy, limited reviews)
Non-financial processes
- do not belong to the financial management audit universe
- may generate significant risks for the Commission’s reputation, e.g. handling of crises

Examples:
- IT systems supporting policies
- information security
- ethics
- citizen or staff safety (e.g. handling of pandemics, natural disasters, etc.)
- sound financial and resource management
Non-financial processes (cont.)
They also include significant policy areas with some budgetary impact, such as:
- competition policy, with resulting fines
- controls over trade policy (anti-dumping measures)
- controls over the respect of EU law (infringement procedures)
Commission’s standard risk typology
Controls
The internal audit work focuses on auditing those controls that are deemed by management to be effective (i.e. strong controls identified by management).

In practice, at the end of the preliminary survey:
- FINANCIAL/COMPLIANCE AUDITS: Risk Control Matrix, which identifies, per process or activity, the main risks/control objectives and the existing controls.
- PERFORMANCE AUDITS: Performance Audit Matrix, which starts from a question tree and, for each (sub)question to be answered, states the criteria against which the auditors will assess the answers, the testing procedures to be used, and the potential findings and recommendations that the audit may conclude.
A few key controls in the EC control architecture
- Ex-ante system assessment on implementing bodies
- Ex-ante control of transactions (financial circuits, “four-eyes principle”)
- Beneficiaries’ audit reports
- Ex-post control of transactions/systems (audit- or transaction-based)
- Monitoring missions on project management (Results Oriented Missions)
- Verification missions or on-the-spot controls
Examples of objectives of an audit of control strategies:
- efficiency of the control coordination
- adequacy of the design and effectiveness of the control strategies in force
- effectiveness of the controls underpinning the assurance-building process (system audits, ex-ante and ex-post checks, monitoring, reporting)
- timeliness and adequacy of corrective measures
- effectiveness of anti-fraud controls
Challenges
- Understand the business!
- Complementarity with management assessment (IAS: high risks; management: critical risks)
- Determine subjects and scope of work
- Be informed at an early stage of new systems and changes substantially affecting the Commission’s internal control system
Questions?
Contact the Internal Audit Service: ias-europa@ec.europa.eu