CM(2009)85 18 May 2009 [Note 1]
1063 Meeting, 8 July 2009
11 Administration and Logistics
11.1 Annual Report 2008 of the Directorate of Internal Audit
Item to be considered by the GR-PBA at its meeting on 2 July 2009
1. The mission of Internal Audit is to provide oversight, objective assurance and consulting services designed to add value and improve the Organisation’s operations.
2. Internal auditing includes making appropriate recommendations to improve the governance process, promote appropriate ethics and values within the Organisation, ensure effective organisational performance management and accountability, and to enhance the effective communication of risk and control information within the Organisation.
3. Internal Audit has helped to strengthen the climate of accountability and sound management in the Organisation through a variety of activities, including through its many recommendations arising from audits. Internal Audit initiated the creation of an Audit Committee which was approved by the Committee of Ministers in January 2008. Work on the Fraud Awareness Raising and Prevention Policy and the Organisation-wide Risk Assessment continued during the year. Internal Audit provided training to staff members on financial management and internal control. It participated in various committees as an observer, gave ad-hoc advice on various issues and assisted the External Auditor, as appropriate.
4. In 2008, Internal Audit continued to maintain its international relations, notably with the Internal Oversight Services of other International Organisations and with International Investigators. In January, the OECD invited the Director of Internal Audit as an expert to give his opinion on various options for the reform of their external audit arrangements.
Audits and their results
5. The annual work programme is based on an analysis of inherent risks and discussed with the External Auditor. It takes into consideration contributions from senior management and discussions of the Ministers’ Deputies. The work plan is approved by the Secretary General. In the course of the year it may be revised as needs change.
6. In 2008 we issued 11 audit reports on the following subjects:
- Reimbursement of business calls
- European Roma and Travellers Forum
- Separation of duties in the Directorate of Finance
- Home leave
- Cash payments
- Expenditure transactions related to Joint Programmes
- Staff activity ratios for certain activities
- Fixed assets
- Year end purchases
- Financial Management support functions of DGIV in comparison with those of DGHL
- Monitoring mechanisms
7. Internal Audit also prepared 4 follow-up reports on the implementation of audit recommendations.
8. Internal Audit generated 3 reports during the year (March, June, and year-end) on the activities of the Tenders Board and the opening of tenders. This reporting was to monitor a major administrative activity and to inform the members of the Tenders Board and the Buyers Coordination Group on a regular basis of the quantitative and qualitative aspects of this specific purchasing process. Based on an analysis of data, actions were suggested and accepted, thus improving the effectiveness of procedures in place.
9. During the year some general issues were identified. They need to be addressed in 2009 and subsequent years:
· The efficiency of financial processes depends partly on the quality of staff in charge of, and carrying out, financial tasks within the operational entities. Staff entrusted with financial tasks should have a financial background and possess a comprehensive knowledge of financial principles and procedures, and of the use of financial systems. This is not always the case.
· For some months there was a problem with payments being made late. This led to suppliers and experts discontinuing their cooperation with the Organisation. Consultant’s advice was sought on how to solve the problem and measures were taken. One of our audits in 2009 will assess the extent to which the situation has improved and the robustness of measures taken to avoid a recurrence.
· In some cases, departments’ answers to our audit recommendations are late, and promises to take action within certain deadlines are not respected. This indicates a low commitment to the implementation of audit recommendations.
· During holiday periods there seems to be a lack of concern about business continuity. In many cases of (long) absences, replacements are not properly organised, which makes the authorisation of transactions difficult.
· The effectiveness of the Council very much depends on the success of its Programmes. There is a risk of the non-achievement of some Programmes where management structures are based on functional, rather than Programme, lines. This risk is increased if there is insufficient co-ordination of Programme activities between organisational units, or insufficient management at the overall Programme level.
10. The main audit findings, recommendations and results of the individual reports are shown in Appendix 1.
11. Internal Audit is required by its mandate to facilitate the promulgation of best practices. The aim is to increase the efficiency and effectiveness of working methods. In 2008 we identified best practices with regard to, for example, monitoring mechanisms and financial management. They were published on the Intranet.
12. According to the Internal Audit Charter, the Director of Internal Audit reports to the Secretary General on the performance of the Internal Audit function against agreed key performance indicators. The indicators and respective achievements are as follows:
· Indicator: At least 10 audits conducted and 10 reports issued.
Achievement: 11 audit reports, 3 reports on tendering processes and 4 follow-up reports were issued.
· Indicator: Contribute to improvements of the Organisation’s operations, with two thirds of recommendations accepted.
Achievement: We made 293 recommendations, of which 140 were implemented by the end of January 2009. Implementation of a further 68 recommendations is under way and 30 recommendations will be addressed at a later stage. That means that 81% were accepted. Some recommendations are still under consideration.
· Indicator: Provide reasonable assurance that internal controls are applied to financial transactions by checking compliance of financial operations (at least 600 checked).
Achievement: 720 transactions were checked.
· Indicator: Contribute to ensuring the proper identification of factors that could threaten the achievement of the Organisation’s objectives by providing managers with a risk assessment tool.
Achievement: A risk mapping and analysis tool has been developed and was presented to the Executive Board.
· Indicator: Increase the in-house awareness and capacity on Internal Control by providing a relevant training course to 30 staff members.
Achievement: 34 staff members trained. 80% of participants who evaluated the training rated the training as being relevant for their work.
Outlook for future activities of Internal Audit
13. For 2009 we have identified priorities for our work plan. The audit subjects include:
- Human Resources Management
- External Office in Kiev
- Production of Publications
- Financial management Audits
- Sale of the old EDQM building
Main Audit Findings and Results
Reimbursement of business calls
1. There are currently about 330 mobile ‘phones provided by the Organisation to staff members so that they can be contacted (or can make contact) at any time, when on Mission or in Strasbourg.
2. Some ‘phones are allocated permanently to an individual (“Pro Perso” long-loan ‘phones) with the Organisation paying up to a set amount (threshold) to reflect a reasonable amount for business call costs. Any amount above the threshold is paid for by the staff member (as this is deemed to be for private calls) unless the staff member can demonstrate that he/she paid for business calls, in which case the actual cost of the business calls is reimbursed.
3. Other ‘phones are used on a “pool” basis. A staff member takes a pool ‘phone when needed e.g. when going on Mission, and returns it afterwards. The Council pays all costs. Our opinion is that all services should recover the cost of any personal calls made with these ‘phones.
4. We found there was no overall policy or guidelines and thus arrangements in different services varied considerably. In some entities ‘phones were provided to individuals and all subsequent costs without any limit were met by the entity.
5. It was effectively impossible to obtain a comprehensive overview of costs across the organisation.
6. We made a number of recommendations based on the principles that business call costs are met by the Council, the individual does not derive personal benefit from the ‘phone, and the administrative workload is kept to a minimum. The recommendations included the creation of guidelines to ensure these principles are respected, and the recording of costs consistently and transparently.
European Roma and Travellers Forum
7. The European Roma and Travellers Forum (ERTF) is an international non-governmental organisation based in Strasbourg, which was set up to oversee the effective exercise by Roma and Travellers of all human rights and fundamental freedoms as protected by the legal instruments of the Council of Europe, and to facilitate their integration and participation in public life.
8. It has a Partnership Agreement with the Council of Europe through which it receives support, including financial support. For the years 2005 and 2006 this amounted to €193,600 per year.
9. We found that there were some areas of weakness in internal controls, but we did not consider the weaknesses to be sufficiently severe to call into question the basic financial administration of the ERTF. The situation in 2006 was an improvement on 2005.
10. As a result of our findings the main recommendation was that the ERTF strengthen its controls in order to give better assurance that the Council of Europe’s contribution is being used to achieve the ends for which it is given. More specifically we recommended that the ERTF:
· Adopt written procedures for important actions and expenditures, in particular for the authorisation of payments and the treatment of the expenses of participants at its meetings
· Keep complete records, especially regarding invoices for goods and services, and claims for expenses for travel and subsistence
· Clarify the employment status of secondees and consultants and if necessary regularise the situation.
11. The implementation of these recommendations is the subject of a follow-up report to the Committee of Ministers.
Separation of duties in the Directorate of Finance
12. In order to limit the risk of improper transactions an adequate separation of duties must exist. The External Auditor in his audit of the 2006 accounts found the separation of duties in the Finance system (FIMS) inadequate as regards staff in the Finance Directorate. Internal Audit followed up on this issue.
13. An adequate separation of duties was taken to be a User not having processing or configuration access into adjacent modules in the system, and not having too wide an access into any single module.
14. We found five cases where Users had accesses into different modules which were sufficiently wide to constitute no (two cases) or very little (three cases) separation of duties.
15. Our main recommendations were:
16. The audit examined compliance with the regulations regarding the payment to staff of Home Leave travel expenses. We also considered if the procedures could be made more efficient. In 2007 the cost of Home Leave amounted to approximately € 263,000. The regulations provide for staff and their dependants to have the costs of their travel to their home country paid for by the Council.
17. We did not find any general major control weaknesses, although there was a problem (since rectified) with the raising of commitments, and in one case non-compliance had led to an excess cost of about € 3,000.
18. We recommended consideration of the integration of the currently paper-based request form into the Multi Services Assistant.
19. Credit transfer is the usual method of payment used within the Organisation. However, in certain cases, cash payments are considered to be more appropriate. These cash payments amounted to €299,350 in 2007.
20. The audit examined a sample of cash payments made in Strasbourg related to the reimbursement of participants’ expenses at the European Youth Centre, and advances paid to temporary staff hired during Parliamentary Assembly sessions.
21. A greater than usual level of internal control is required from the entities concerned, because cash payments carry greater risk of a lack of security and of irregularities. They are also more costly to administer, so the use of them must show a discernible benefit. In our opinion, the use of cash as a payment method was justified.
22. We found no evidence of major weaknesses in internal control, but we did find two main points where a real improvement was required: the authorisation of payments and documented procedures. These issues are being addressed.
Expenditure transactions related to Joint Programmes
23. Internal Audit performed random checks on payments for the year 2007, which related to 3 Joint Programmes. We found some significant weaknesses in internal control regarding a number of payment requests which had not been approved or which had been approved by an unauthorised signatory.
24. There are a number of points for improvement regarding the recording of financial transactions, the creation of commitments (Purchase Orders) and the controls over supporting documentation.
25. In addition we found four cases where individuals had been engaged as consultants although their conditions of employment were more consistent with those of employees. This constitutes a legal and financial risk.
26. Our recommendations included:
· Setting up monitoring controls to ensure that expenditure is correctly recorded and that commitments are raised before orders are placed and contracts signed;
· Ensuring that contracts, receipts and payment requests are authorised in a systematic way and only by approved signatories;
· Ensuring that only complete and comprehensive files are accepted for payment.
27. Major administrative entities reported that all these recommendations have been implemented. We will carry out spot checks for verification.
Selected Findings of the PWC Staff Activity Ratios Study
28. Following the results of a study on Staff Activity Ratios conducted by a consultant in 2007, Internal Audit was requested to provide a complementary analysis on selected findings of that study. This audit considered firstly, an explanation of Staff Activity Ratios out of the range recommended by the consultant for two selected Programmes; secondly, the elaboration of an alternative method to produce more robust results for Staff Activity Ratios; and lastly, the analysis of the business process of “Organising a conference”, with a view to possible efficiency and effectiveness gains.
29. Regarding the selected Staff Activity Ratios calculated by the consultant which were out of range, we found that these extreme results were the consequence of data having been mixed up either by the Council or by the consultant.
30. Given the limited sample of conferences analysed in the study we found no statistical validity in calculating and comparing Programme specific Staff Activity Ratios.
31. With regard to the activity “Organising a Conference”, we considered 21 conferences in three Programmes in order to calculate Staff Activity Ratios at task level and analyse the business process involved.
32. Our first finding related to the quality of CEAD data, as we found that users had great difficulties in classifying activities correctly. This can mainly be attributed to the fact that they were not provided with any definitions or criteria. Secondly, we found that good practices in “Organising a Conference” were neither exchanged nor documented.
33. It was not possible to establish useful Staff Activity Ratios, either at activity or at task level. One reason for this was that the data available on the sample of conferences were only estimations, often even very rough ones. Moreover, the data we got strongly indicated that there is no such thing as a typical conference and that there are many factors influencing the time spent on organising them. Therefore, a formula to forecast the number of staff needed would be very complex and of little practical application.
34. Finally, we identified some risks of not achieving the objectives of the Programmes for which these conferences were held. These related to limited use of project management techniques in combination with the fact that Programmes ran across organisational boundaries.
35. Our main recommendations were:
· The Directorate of Strategic Planning revising the CEAD working methods in close cooperation with services and providing users with criteria for correct classification,
· Services making use of a process model and a check list, both developed in the course of the audit,
· Services that organise conferences doing a preliminary analysis on which type to choose, and in order to economise on resources, opting to contribute to conferences organised by a third party if the project objectives can be reached by this option,
· Services ensuring that for major projects and at Programme level, proper project management techniques are used and that staff are trained in them, and
· Services aligning organisational and Programme structures whenever possible.
36. The Council of Europe reported in the annual accounts more than € 264M of fixed assets as at 31 December 2007.
37. Its managers have two main responsibilities regarding those assets. Firstly as custodians they are required to manage the physical assets, ensuring they are identified and recorded when acquired or disposed of, and ensuring the assets are verified on a regular basis as existing and in working order. Secondly since the introduction of fixed asset accounting in January 2006 managers must ensure that the Directorate of Finance is supplied with the information from which the required accounting entries can be produced.
38. The audit examined the maintenance of fixed asset records and withdrawal from use reports and involved the physical verification of a sample of assets to ensure information held was correct. We also carried out a number of tests and reconciliations on the accounting numbers in order to provide the External Auditor with additional assurance.
39. We did not discover any major weaknesses, but we did find that MAEs were not always aware of what to capitalise, which led to some problems in identifying fixed assets and how transactions should be treated.
40. The Directorate of Finance carried out lengthy follow-up checks to ensure that fixed assets were identified and accounted for correctly.
41. Our recommendations included:
· Enlarging the instructions produced by the Directorate of Finance to Major Administrative Entities to clarify definitions and information requirements.
· Information sessions/meetings to ensure these requirements are fully understood.
· The introduction of regular reconciliations of the records of Major Administrative Entities with those of the Directorate of Finance in order to smooth out the workload.
· Numerous points of compliance which Major Administrative Entities need to respect in order that assets can be managed and correct accounting numbers generated with less administrative workload.
42. The vast majority of our recommendations have been implemented.
Year end purchases
43. The financial year-end imposes on managers an additional responsibility to ensure that budgetary control procedures and the economical use of funds are maintained whilst operating within the time constraints imposed by the year-end.
44. There is also a requirement to meet year-end accounting requirements as required by the Financial Regulations. Broadly this entails ensuring that commitments and expenditure are charged to the year in which they are incurred.
45. We conducted a series of tests to verify that funds were committed, expended, and accounted for as required by the Financial Regulations, and we gave some consideration to the economical use of available budget at that time of year.
46. Our main findings were that:
· The majority of items tested were correct.
· At least nearly € 0.5M of commitments were raised either too late or not at all. This is poor budgetary control, and it understated the budgetary commitment figures used in financial management information.
· Our samples showed over € 100,000 of expenditure charged to the wrong financial year. The External Auditor asked that the 2007 accounts be adjusted accordingly. The reasons were either that 2007 budget was used to pre-pay 2008 expenses, or that historically accruals and pre-payments had not been accounted for in accordance with generally accepted accounting principles.
47. We recommended that the Directorate of Finance provide Major Administrative Entities with more detailed year-end information and instructions to underline and reinforce year-end budgetary control and financial reporting requirements. The Directorate of Finance implemented these recommendations.
Organisation of Financial Management support functions
48. This audit was one of our major ambitious studies. It evaluated the effectiveness and efficiency of the Financial Management support functions of two Major Administrative Entities, one of which was more centralised than the other. We also aimed at identifying potential areas for improvement in both MAEs.
49. By measuring effectiveness using ten indicators for output quality, pass-through times and the meeting of deadlines, we found reasonable evidence that financial administration in both entities was equally effective.
50. We measured efficiency by comparing two output indicators with the total number of staff working on (comparable) financial tasks. These data showed that the more decentralised financial administration was, on average, 26 % less efficient than the more centralised one. The difference amounts, in staffing terms, to some 4 full time equivalents.
51. Regarding the organisational structure, we think that efficiency in the more centralised Directorate General is higher because CCM assistants are grouped in the Central Division, are responsible to the LFO only and specialise in the various budget types. This structure also better safeguards business continuity when staff are absent. In both DGs, every single transaction, regardless of the amount spent, is approved by every management level up to at least CCM.
52. Also in both DGs, only around 50 % of the staff assigned to financial tasks had a financial profile.
53. Regarding business processes, we found that written procedures need either updating and completing or to be produced. The existing ones show a large number of process steps for rather simple processes, the majority of which deal with checks and visas (44 %) or do not add any value at all (42 %). A detailed analysis of the Mission Forecasting and Approval processes showed that the minimum number of steps needed for a final approval varies between 15 and 25, about a third of which are checks and visas. In both DGs, we found Cost Centres with checks being performed after the approval, redundant filing, or redundant workflows (paper and e-mail workflows operating in parallel). Despite the high number of checks, about every other mission order did not meet the requirements of the Finance Directorate.
54. Our main recommendations were:
· transform one Major Administrative Entity’s organisational structure into a more centralised one, while at the same time maintaining personal links to the Cost Centres served.
· delegate in both DGs the approval of transactions below certain threshold values to management levels below CCM.
· in the medium term allocate in both DGs financial administration tasks only to staff with financial profiles.
· streamline financial administration processes in both DGs by reducing the number of steps, especially those with no added value.
· establish or complete written procedures for all regular financial administration processes.
55. Following the priorities set up during the 3rd Summit and the review of working methods of monitoring mechanisms carried out in the Council of Europe since July 2007, the Directorate of Internal Audit included an audit on monitoring activities in the 2008 Plan. The objective of the audit was to assess the efficiency of monitoring procedures, identify good practices, assess the need for a common database and analyse the workload for the monitoring of existing and new Conventions.
56. The scope included a sample of 6 monitoring mechanisms managed by the DGHL and the DG IV.
57. During the audit, we found a number of best practices related to monitoring procedures, regarding planning and administration, the use of IT, and the networking practices of the Secretariats of monitoring mechanisms. The main points were:
· the coordination of planning, close communication and regular exchanges of information and results between different mechanisms;
· the streamlining of monitoring procedures (detailed Rules of Procedure, evaluation guidelines, check-lists, standard documentation, register of recommendations), the streamlining of document production practices and extensive use of the Extranet;
· the use of planning tools and the projection of activities;
· the use of field offices for logistics and to obtain information.
58. These best practices make procedures more efficient, increase the quality and consistency of monitoring work and results, generate savings, and increase the visibility of mechanisms and of the Council of Europe.
59. During the audit, we found that there was a significant risk to the visibility, credibility and continuity of such monitoring mechanisms as the MONEYVAL, ECRML and the Anti-Doping Convention. The human resources of these mechanisms did not match the current and future workload. We also found that there was room for improvement in the coordination of monitoring and cooperation activities, which would reduce the risk of knowledge fragmentation and inconsistent actions.
60. We made the following recommendations:
· Enhance institutionalised cooperation between monitoring and assistance activities to ensure that cooperation activities are based on monitoring recommendations;
· Reduce the workload of the mechanisms experiencing a shortage in human resources and/or enhance their structures;
· Examine the feasibility of setting up a shared contact management system;
· The Directorate of Information Technology coordinate efforts of Major Administrative Entities in order to ensure maximum use of a single access point to individual databases, which will have an enormous impact on the visibility of the Council of Europe as it will provide a better and a more comprehensive picture on achieved results.
61. These recommendations are either accepted or under consideration by the relevant Major Administrative Entities. The last recommendation is being addressed.
Note 1 This document has been classified restricted until examination by the Committee of Ministers.