COMMISSION OF THE EUROPEAN COMMUNITIES

Brussels, 16 October 2007
SEC(2007)1341

COMMUNICATION TO THE COMMISSION

Revision of the Internal Control Standards and Underlying Framework
- Strengthening Control Effectiveness -
TABLE OF CONTENTS

1. Background
2. The goals of the proposed changes
3. The revised Internal Control Framework
3.1. The revised Internal Control Standards for effective management
3.2. The Requirements
3.3. Internal Control Effectiveness
3.3.1. Flexibility of approach
3.3.2. Optional Internal Control Effectiveness Guidance
3.4. Reporting obligations
4. Support for increasing understanding and ownership
5. Conclusion
1. BACKGROUND

As part of the Financial Reform, launched in the year 2000, the Commission decided to revise its internal control structures to make Authorising Officers by Delegation fully responsible for internal control over their activities. Governance arrangements were put in place, via the Annual Activity Reports, to provide assurance to the Commission on the management of activities.

The Reform White Paper of 2000 [1] defines internal control as covering "the globality of the policies and procedures conceived and put in place by an organisation's management to ensure the economic, efficient and effective achievement of its objectives; the adherence to external rules and to management policies and regulations; the safeguarding of assets and information; the prevention and detection of fraud and error, and the quality of accounting records and the timely production of reliable financial and management information".

The foundation of the internal control framework was provided by the 24 Internal Control Standards, developed specifically for the Commission environment and based on international good practice [2]. To permit progressive implementation and allow measurement of the maturity of internal control systems, each Standard was complemented, from 2001, by a set of "baseline requirements" defining the specific practical actions which should underlie the internal control system of each service.

Since 2002, services have been required to formally assess, on an annual basis, their level of compliance with the baseline requirements. Results of the annual assessment indicate that internal control structures have, on the whole, been successfully implemented: notably in the achievement of a high level of compliance with the baseline requirements (95% in 2005 and 2006).

In 2005, the Commission adopted a common risk management methodology [3], the principles of which are fully taken into account in this proposal for revision of the Internal Control Standards.

[1] Reforming the Commission, A White Paper Part 1, COM(2000)200
[2] The internationally recognised COSO framework - http://www.coso.org/
[3] Towards an effective and coherent risk management in the Commission services, SEC(2005)1327

2. THE GOALS OF THE PROPOSED CHANGES

Like any modern administration, the Commission needs to show its internal control systems provide sufficient assurance on the execution of its activities. Management at all levels must therefore be able to demonstrate not only that they have put controls in place but also that these controls take account of the risks involved and that they work as intended. This involves a change of emphasis in the internal control framework, as well as rationalisation of the current Standards in the light of seven years' experience, to ensure they are readily understandable and applicable by all staff.

Meeting this requirement is not simply a question of making small drafting changes to the existing Standards, nor of making minor alterations to the baseline requirements. While the current Standards are well understood in some quarters, feedback from services suggests that the internal control framework could be clearer and that a more flexible approach would help focus controls on key areas and encourage risk-based control measures. The role of all staff and in particular all managers in ensuring sound internal control over their activities should also be reinforced to address the perception which persists in some places that it is only a limited number of "financial" staff who are concerned. In this context, the notion of segregation of duties has been extended to cover not solely financial responsibilities, in line with international practice.

Within the spirit of the ongoing debureaucratisation and simplification initiatives, the revised Standards are written in simpler language, without specialist jargon, to underline the message that internal control is the business of all staff, from top management downwards. The proposal removes the overlaps present in the existing Standards but does not change the methodological basis for the Standards or introduce change where it is not necessary.

Accordingly, the modifications to the internal control framework and Standards aim at:

- Clarifying/Simplifying the approach: making it easier for all staff to understand and streamlining the obligatory annual reporting on compliance with baseline requirements.
- Increasing ownership: renaming the Standards as "Internal Control Standards for effective management" to make them more appealing to a broader group of staff and enhance the quality of the internal control environment.
- Strengthening Internal Control Effectiveness: a flexible approach and optional Effectiveness Guidance will enable services to prioritise effectiveness action on certain Standards in line with the nature of their activities and risks. This will increase assurance on the effectiveness of the Commission's internal control systems and allow more effective use of control resources.

3. THE REVISED INTERNAL CONTROL FRAMEWORK

It is proposed that the new Standards enter into force on 1 January 2008. The revised internal control framework will consist of three closely interlinked components:

- the Internal Control Standards for effective management themselves;
- the "Requirements" based on the former baseline requirements, reorganised and rationalised in line with the new Standards;
- Internal Control Effectiveness assessment whereby services judge the effectiveness of their internal control systems in practice. Optional guidance to help them in this respect is provided.

These aspects are illustrated in Figure 1 and discussed in sections 3.1 to 3.3 below.
Figure 1 - Overview of the Internal Control framework:

- Effective, risk-based control arrangements (Effectiveness Guidance): The Effectiveness Guidance (which is optional) can help management determine whether the internal control arrangements are sufficiently adapted to the service's activities and risks and whether they work as intended in practice.
- The ICS and Requirements: The Internal Control Standards for effective management (ICS) and Requirements constitute the foundation of the internal control framework. They provide basic principles and minimum requirements.

In addition to the above and taking account of the overall obligation to comply with the Requirements, the framework will allow services flexibility in determining the standards on which further emphasis on effectiveness is necessary.

3.1. The revised Internal Control Standards for effective management

The guiding principles of internal control in the Commission are laid down in the new Internal Control Standards for effective management (Appendix 1). The Standards are structured around six building blocks [4]:

1. Mission and Values,
2. Human Resources,
3. Planning and Risk Management Processes,
4. Operations and Control Activities,
5. Information and Financial Reporting, and
6. Evaluation and Audit.

Risk management is strengthened in the new framework. Basic risk management principles (adapting controls to risks identified) apply to all Internal Control Standards for effective management, and the flexible approach and guidance outlined below (see section 3.3) can help services to focus on standards representing higher risks. Moreover, the new Standard 6 (risk management process) refers specifically to the process in place for identifying risks in the annual planning phase, in conformity with the principles laid down in the common risk management methodology [5].
Following the removal of overlaps, which were sometimes a source of confusion for practitioners, Standards have been rationalised and their number reduced from 24 to 16. It is important to note that this does not represent a reduction in control: all domains covered by the former Internal Control Standards are regrouped according to the new Standards. The Standards are accompanied by two assessment tools, the "Requirements" and "Effectiveness Guidance", which are detailed in the following sections.

[4] Inspired by the internationally recognised COSO framework - http://www.coso.org/
[5] Refer to footnote 2

3.2. The Requirements

The Requirements (Appendix 2) specify the minimum features of a service's internal control systems and processes. These reflect the former baseline requirements, which have been rationalised. Moreover, requirements for sensitive functions (new Standard 7, Operational Structure) have been modified in response to the needs expressed by the services for clearer rules, streamlined procedure for reporting derogations, and need to ensure continuity of services when confronted with mandatory mobility. Further guidance on sensitive functions will be provided before the end of 2007.

The Requirements are intended to remain relatively stable and be revised only when necessary to take account of Commission Decisions or other events impacting on the internal control framework. Services should regard full compliance with all of these requirements as the target, taking account of the fact that this is difficult to achieve at any given moment due to staff mobility, new requirements, etc.

For EU Delegations, as in the past, the External Relations Directorate General and the EuropeAid Co-operation Office will jointly transpose those requirements into specific actions adapted to their working environment, with the assistance of DG Budget.

3.3. Internal Control Effectiveness

The reinforced element in the revised framework relates to effectiveness [6].

3.3.1. Flexibility of approach

Services must put in place monitoring measures to show their internal control systems are effective. An effective and efficient internal control system requires management to take a view on risk and to focus control resources on those areas where risk is the greatest, while ensuring adequate control over all activities.
Hence, the revised approach recognises that certain Standards may be more important for certain activities and that their importance may change over time. Services have therefore the possibility to prioritise certain Standards to ensure they take measures to improve effectiveness in particular areas and strengthen the basis of the annual declaration of assurance of the Directors-General.

The Annual Management Plan will be the vehicle whereby the services determine which Standards are most relevant as regards further emphasis on effectiveness for the coming year, based on their specific activities and risks. The choice of Standards to be prioritised will be decided by management in line with their own assessment of risk.

To allow for a smooth transition, services should set these priorities in their 2008 Annual Management Plan on the basis of their knowledge and experience of implementing the existing 24 Internal Control Standards (a mapping table between former and new Standards is provided in Appendix 4). The selection of Standards is a logical conclusion of the risk management exercise [7].

[6] The icat Internal Control Assessment Tool was a first step towards strengthening control effectiveness

3.3.2. Optional Internal Control Effectiveness Guidance

The effectiveness of the internal control system as a whole can be measured through pertinent indicators. However, because the Standards are interdependent, it is hardly possible to quantify the effective implementation of each individual Standard through generic indicators. Nonetheless, the latter can be judged on a variety of bases (for example, process reviews, management supervision and ad-hoc verification, surveys and interviews, management self-assessments, audit reports, stakeholder feedback). The optional guidance developed by DG Budget may be used to support this judgement.

For each Standard, the Effectiveness Guidance in the Annex consists of two elements:

(1) "tips for assessing control effectiveness" (Appendix 2), a series of questions which can help management determine whether their internal control arrangements work as intended in practice and are adapted to the risks involved; and
(2) an assessment table (Appendix 3), which can help management identify the standards that are most relevant to them, considering the specific activities and risks of the service.

This guidance is not intended to represent a supplementary set of requirements or a checklist which must be met by all services or used as a benchmark to assess the performance of a service. It is illustrative, not exhaustive and not compulsory. Services will be free to adapt the guidance using specific elements or defining new ones according to their individual needs.
To ensure the continuing relevance of the guidance, and in view of its optional nature, it will be updated as appropriate by the Director-General of DG Budget, in agreement with the Secretary General and the Director-General of Personnel and Administration and in consultation with other services concerned. DG Budget will provide advice on the assessment of effectiveness.

[7] Refer to footnote 2

3.4. Reporting obligations

Directors-General will continue to provide assurance in their Annual Activity Reports on the operation of their internal control systems (in particular via the Internal Control Templates incorporated in Part 2). To cater for the revised internal control framework, the following reporting principles for the Annual Activity Report are proposed:

- Reporting on Compliance with requirements: Reporting on compliance with the Requirements will be simplified. As of the 2007 Annual Activity Reports, full reporting on compliance with the baseline requirements will no longer be obligatory. Instead, reporting on compliance in the Annual Activity Reports will be exception-based. It will indicate on the one hand the requirements on which conclusive results were achieved and on the other hand the requirements with which a service does not comply (if any), the reasons for this and the planned actions to address the situation. It will include summary information on derogations to the mandatory staff mobility in relation to sensitive functions (as from the 2008 Annual Activity Report). Consequently the present practice of informing in writing the appropriate horizontal services when derogations are granted will be removed. The current tool ("ICMT") and support from DG Budget will remain available on request for services wishing to fully report on compliance with the baseline requirements.
- Reporting on Effectiveness of internal control systems: To support the argumentation leading to assurance, the Annual Activity Reports should clearly describe the information available on the effectiveness of internal control systems, typically obtained by analysing and consolidating management self-assessments (the optional Effectiveness Guidance can be useful here), audit reports, results of ex-post controls and other relevant sources. The Reports (as from the 2008 Annual Activity Report) should also present the results of the action taken on priority Standards identified in the Annual Management Plan.

The use of exception reporting for compliance and the increased flexibility allowing services to concentrate on certain Standards as regards ensuring effectiveness is expected to involve no more work than the current compulsory reporting system while also offering the opportunity to address high-priority internal control issues.

The Annual Activity Report instructions will be updated accordingly. 2007 Annual Activity Reports will be based on the existing framework of 24 Standards.

4. SUPPORT FOR INCREASING UNDERSTANDING AND OWNERSHIP

To increase understanding and ownership of the revised internal control framework by all staff, and move towards strengthening internal control effectiveness in services and supporting Directors-General's annual statement of assurance, the following accompanying actions are essential:

- Top management support: Top management decide the Standards to be prioritised for the strengthening of internal control effectiveness and define the internal responsibilities [8], taking into account their organisation and risk environment. Strong top management commitment to internal control, including the allocation of sufficient time and resources for raising awareness and developing internal control skills, will be vital to the further integration of the Standards in the working environment.
- Effective communication: Communication campaigns and presentations will be organised to inform and raise awareness of staff at all levels. Targeted presentations for different levels of the organisation emphasising the value of the internal control standards for effective management will be prepared by DG Budget as a communication package for the Internal Control Coordinators. Each service should promote the use of the Standards among its own staff, taking account of its own operational environment.
- High quality training: DG Budget will launch, with the support of DG Personnel and Administration, differentiated training programmes on internal control for managers and for staff, along with information sessions for people who have already been trained in internal control. Moreover, depending on needs and resources, workshops for managers and/or for Internal Control Coordinators on specific Standards will be developed. Services also have the option of developing customised internal control training programmes under an internal control framework contract with external consultants.
- Support from central services: DG Budget will facilitate the sharing of good practices and experience between services. Effectiveness Guidance and communication actions will be updated on the basis of experience and feedback reported by services. As in the past, assistance will be provided to the services through the different steps of the Strategic Planning and Programming cycle, notably the Annual Management Plans and the Annual Activity Reports.
- Measurement of acceptance and understanding of the Standards: A sample-based survey, via the Internal Control Coordinators, will be conducted before the end of 2008 to assess awareness and ownership and refocus, if needed, support and communication efforts involving DG Budget and the services.

[8] Clarification of the responsibilities of the key actors in the domain of internal audit and internal control in the Commission, SEC(2003)59

5. CONCLUSION

While the internal control structures created by the Financial Reform in 2000 have been successfully implemented, notably in terms of organisation of financial circuits and compliance with the baseline requirements related to the Internal Control Standards, more needs to be done to ensure controls are working effectively in practice. In particular, further efforts are needed to ensure that all staff are aware of their responsibilities as regards internal control. The revised presentation of the Internal Control Standards for effective management and their supporting guidance will facilitate this.
The flexibility incorporated into the new approach will also allow services to tailor the provisions to their own specific environments.

Accordingly, the Commission is invited to:

- adopt the revised Internal Control framework, including the Internal Control Standards for effective management and related Requirements for effective management set out in Appendices 1 and 2;
- instruct each service preparing a Commission Decision having a consequence on the Requirements to coordinate with the Secretariat General, DG Personnel and Administration and DG Budget and include in the text of the Decision the relevant modifications to the Requirements, and authorise DG Budget to keep the Requirements up-to-date accordingly;
- decide that the revised Standards and related Requirements will be applicable from 1 January 2008;
- decide that the 2006 baseline requirements should be applied as at 31 December 2007 (updated solely in terms of the dates and of Business Continuity Planning requirements applicable from 2007 [9]) for the assessment of compliance, on the basis of the existing 24 Internal Control Standards;
- require services to identify in their Annual Management Plans (for the first time for AMP 2008) the Standards they wish to prioritise for examination of control effectiveness. For AMP 2008, the identification of those standards will be based on knowledge and experience of the existing 24 Standards;
- charge the Secretariat General, DG Personnel and Administration and DG Budget to streamline the instructions for the reporting of services' compliance with the (Baseline) Requirements as from their 2007 Annual Activity Reports;
- charge DG Budget with the development of information sessions and the revision of the internal control training programme for delivery starting in the Autumn 2007;
- encourage services to prepare for the introduction and implementation of the revised Standards and to take appropriate action to strengthen awareness and understanding of control effectiveness by all staff, in particular through training, information and support activities;
- charge the Secretariat General, DG Personnel and Administration and DG Budget to develop revised guidance on sensitive functions before the end of 2007, applicable from 2008;
- empower the Director-General of DG Budget, in agreement with the Secretary General and the Director-General of Personnel and Administration and in consultation with other services concerned, to modify as appropriate in the future the optional Effectiveness Guidance.

[9] Commission staff working document on a framework for business continuity management in the Commission, SEC(2006)899.