| Document register | Riigikogu |
| Reference | 1-2/26-420/1 |
| Registered | 22.06.2026 |
| Synchronised | 22.06.2026 |
| Type | EU document |
| Function | |
| Series | |
| File | Report - SWD(2026) 149, COM(2026) 279 |
| Access restriction | Public |
| Addressee | |
| Method of receipt/dispatch | |
| Responsible person | |
EUROPEAN COMMISSION
Brussels, 15.6.2026
SWD(2026) 149 final
COMMISSION STAFF WORKING DOCUMENT
Accompanying the document
REPORT FROM THE COMMISSION
TO THE EUROPEAN PARLIAMENT, THE COUNCIL AND THE COURT OF
AUDITORS
Annual report to the Discharge Authority on internal audits carried out in 2025
{COM(2026) 279 final}
Contents
PART 1 FINAL REPORTS
Financial Processes
1.1. Procurement (DGT)
1.2. Procurement (EISMEA)
1.3. Project management and payment process for the EU4Health Programme (HaDEA)
1.4. Project management and payment process of the European Defence Fund (DG DEFIS)
1.5. Early implementation of grants in the short-term defence instruments (DG DEFIS)
1.6. Simplification measures in cohesion funding in the 2021-2027 programming period (DG REGIO, DG EMPL)
1.7. Horizon Europe – European Innovation Council grant agreements preparation and award procedures (DG RTD, EISMEA)
1.8. Implementation of the Connecting Europe Facility – Transport (DG MOVE, CINEA)
1.9. Assurance building processes and audit strategy for the 2021-2027 programming period - design (DG HOME)
1.10. Amendments of the Common Agricultural Policy national strategic plans (DG AGRI)
1.11. Design of the performance monitoring and evaluation framework for the Common Agricultural Policy 2023-2027 (DG AGRI)
1.12. Non-Governmental Organisations (NGO) funding under the LIFE programme (DG ENV, DG CLIMA, DG ENER, CINEA)
1.13. Reliability of audit opinions on the legality and regularity of Erasmus+ expenditure declared by National Agencies (DG EAC)
1.14. InvestEU Fund – methodology for key performance indicators and key monitoring indicators, controls over indicators and internal steering and cooperation mechanism (DG GROW)
1.15. Control results provided by partners (management declarations) (DG INTPA)
1.16. Control results provided by partners – management declarations (DG ENEST)
1.17. Financial management – high value procurement and contract management (DG TAXUD)
1.18. Financial management – Grants (DG TAXUD)
1.19. Controls over aid to countries covered by a crisis declaration (DG MENA)
1.20. Recovery and Resilience Facility risk assessment methodology and ex post audits (DG ECFIN)
Operational Processes
1.21. Personnel selection process (EPSO)
1.22. Management of childcare services (OIB, OIL)
1.23. Coordination between DG FISMA and European Supervisory Authorities (DG FISMA)
1.24. Management of the control data of the Common Fisheries Policy (DG MARE)
1.25. Management of EURES and the EURES portal (DG EMPL)
1.26. Management of in-kind contributions under Horizon Europe (DG RTD)
Support Processes
1.27. Information technology (IT) governance and IT security management (DG DEFIS)
1.28. Arachne+ project (DG BUDG, DG EMPL/DG REGIO, DG DIGIT)
1.29. Human Resources Transformation programme (DG HR)
PART 2 FOLLOW-UP ENGAGEMENTS
Audits for which some recommendations remain open after IAS follow-up in 2025
2.1. Audit on the preparedness of DG AGRI in designing the assurance building model under the new Common Agricultural Policy Strategic Plans
2.2. Audit on CASE@EC project in DG COMP
2.3. Audit on IT security management in DG EAC
2.4. Audit on the New nuclear decommissioning and waste management programme (NDWMP) in JRC
2.5. Audit on the protection of personal data in the Office for Administration and Payment of Individual Entitlements in PMO
2.6. Audit on measuring and reporting on the performance of technical support projects in DG REFORM
2.7. Audit on protection of personal data under the responsibility of CINEA, EACEA, EISMEA, ERCEA, REA and the CIC
2.8. Audit on the preparedness for closing the 2014-2020 programming period of the European Structural and Investment Funds by DG EMPL and DG MARE and DG REGIO
2.9. Audit on the Joint Audit Directorate for Cohesion (DAC) in DG EMPL and DG REGIO
2.10. Audit on Physical security of persons and assets in the Commission, HR / DIGIT / COMM / OIB / OIL
2.11. Audit on the assessment of HR needs in the Commission at corporate level in DG BUDG, DG HR and SG
2.12. Audit on protection of confidentiality of information at corporate level in DG HR, DG DIGIT and SG
2.13. Audit on the management of large-scale building projects involving works in OIB and OIL
2.14. Review of the Commission’s risk at payment in DG BUDG, DG EMPL, DG INTPA, DG NEAR, DG REGIO, DG RTD, EISMEA, ERCEA and REA
2.15. Audit on the External Investment Plan – European Fund for Sustainable Development (EFSD) Guarantee in DG INTPA and DG NEAR
2.16. Audit on Intervention-level evaluations in FPI, former DG NEAR and DG INTPA
List of audits for which all recommendations were closed in 2025
PART 3 SUMMARY OF LONG OVERDUE RECOMMENDATIONS
List of abbreviations
CIC: Common Implementation Centre
CINEA: European Climate, Infrastructure and Environment Executive Agency
DG AGRI: Directorate-General for Agriculture and Rural Development
DG BUDG: Directorate-General for Budget
DG CLIMA: Directorate-General for Climate Action
DG COMM: Directorate-General for Communication
DG COMP: Directorate-General for Competition
DG DEFIS: Directorate-General for Defence Industry and Space
DG DIGIT: Directorate-General for Digital Services
DG EAC: Directorate-General for Education, Youth, Sport and Culture
DG ECFIN: Directorate-General for Economic and Financial Affairs
DG EMPL: Directorate-General for Employment, Social Affairs and Inclusion
DG ENER: Directorate-General for Energy
DG ENEST: Directorate-General for Enlargement and Eastern Neighbourhood
DG ENV: Directorate-General for Environment
DG ESTAT: Eurostat
DG FISMA: Directorate-General for Financial Stability, Financial Services and Capital Markets Union
DG HOME: Directorate-General for Migration and Home Affairs
DG HR: Directorate-General for Human Resources and Security
DG INTPA: Directorate-General for International Partnerships
DG JUST: Directorate-General for Justice and Consumers
DG MARE: Directorate-General for Maritime Affairs and Fisheries
DG MENA: Directorate-General for Middle East, North-Africa and Gulf
DG MOVE: Directorate-General for Mobility and Transport
DG NEAR: Directorate-General for Neighbourhood and Enlargement Negotiations
DG REFORM: Directorate-General for Structural Reform Support
DG REGIO: Directorate-General for Regional and Urban Policy
DG RTD: Directorate-General for Research and Innovation
DG SANTE: Directorate-General for Health and Food Safety
DG SCIC: Directorate-General for Interpretation
DG TAXUD: Directorate-General for Taxation and Customs Union
DGT: Directorate-General for Translation
EACEA: Education and Culture Executive Agency
EISMEA: European Innovation Council and Small and Medium-sized Enterprises Executive Agency
EPSO: European Personnel Selection Office
ERCEA: European Research Council Executive Agency
FPI: Service for Foreign Policy Instruments
IAS: Internal Audit Service
HaDEA: European Health and Digital Executive Agency
HERA: Health Emergency Preparedness and Response Authority
IT: Information technology
JRC: Joint Research Centre
OIB: Office for Infrastructure and Logistics in Brussels
OIL: Office for Infrastructure and Logistics in Luxembourg
PMO: Office for the Administration and Payment of Individual Entitlements
REA: Research Executive Agency
SG: Secretariat-General
Context of this Staff Working Document
Part 1 of this Staff Working Document contains:
• a summary of the 29 finalised assurance audit engagements (1) performed as part of the 2025 audit
plan of the Internal Audit Service (IAS) (i.e. audits for which the reports were issued between 1
February 2025 and 31 December 2025) (2);
• the main recommendations (critical and very important) (3) resulting from these audit engagements;
• information provided by the directorates-general/services on the actions drawn up and/or
implemented to address the IAS audit recommendations.
Each audit engagement followed the standard professional validation procedures and contradictory procedures
involving auditor and auditee that were applicable when the engagement was finalised. The summary of each
engagement aims to provide an overview of the audits and their main results.
Part 2 of this Staff Working Document includes a summary of the results of the IAS’s follow-up engagements
performed between 1 February 2025 and 31 December 2025 (4). These include a list of audit engagements for
which all the recommendations were assessed as having been implemented following a follow-up audit by the
IAS.
Part 3 provides an overview of the five long overdue very important recommendations on 31 December 2025.
(1) The IAS also finalised six non-assurance – advisory or insight – engagements. These are not covered in this Staff Working Document.
(2) Except for the audit on human resources management in DG FISMA. The final audit report was issued for this on 10 March 2025 and was, exceptionally, included in the annual internal audit report for 2024.
(3) Important recommendations are not listed in this Staff Working Document.
(4) Each summary reflects the IAS’s assessment of the implementation status of audit recommendations at the end of the follow-up engagement. They do not take into account any further action which the auditee may have undertaken and reported to the IAS since the release of the IAS’s follow-up note even if that action may have had an impact on the status of the recommendations.
Part 1
Final reports
Financial Processes
1.1. Procurement (DGT)
The objective of the audit was to assess if the governance, risk management and internal control framework
set up by DGT for its procurement activities was adequately designed, efficient and effective and to provide
reasonable assurance that the key internal control objectives have been achieved.
Audit results
Is the governance framework for procurement activities adequately designed and efficiently and effectively
implemented?
The governance framework established by DGT for procurement activities is adequately designed, efficiently
and effectively implemented. The organisational structure in DGT to deal with procurement activities is
adequate, the roles and responsibilities of the various actors involved are clearly defined, including the required
competencies and the ethical aspects to consider. The evaluation panels are appointed in accordance with the
Financial Regulation and the Vademecum.
Is the risk management framework for procurement activities adequately designed and effectively implemented?
The risk management framework for procurement activities is overall adequately designed. DGT identified the
risks related to the procurement processes and defined control activities to mitigate them. However, the
implementation of the risk management framework is only partially effective, as the IAS found some issues in
the internal control framework (see below) that the control activities defined by DGT did not fully
address.
Is the internal control framework for procurement activities adequately designed, efficiently and effectively
implemented?
The internal control framework for procurement activities is overall adequately designed. This covers the
budgetary and legal commitments, the identification of needs, the planning of the procurement procedures, the
tendering and evaluation phases and the preparation and adoption of the award decision. The procurement
process follows overall the requirements of the Financial Regulation and Vademecum. However, the IAS found
several issues regarding the effectiveness and efficiency of the internal control framework. In particular, the
auditors identified issues regarding: (a) DGT’s interpretation and implementation of the legal base/guidance
applicable to procurement for outsourced translation (e.g. the concept of ‘subject matter’ and the estimation of
the initial value for a framework contract); (b) the (documentation of) controls/procedures in the pre-tendering
and tendering phases (e.g. completeness of information in some award decisions); and (c) the monitoring and
reporting processes (e.g. no formalised monitoring of budget consumption for an inter-institutional framework
contract).
Audit conclusion
The IAS concluded that although DGT has, overall, designed an adequate governance, risk management and
internal control framework for its procurement activities, there remains a very important issue concerning its
effectiveness and efficiency, particularly as regards the procurement approach for outsourced translation.
Audit recommendations
Recommendation No 1, on the procurement approach for outsourced translation, DG DGT should:
• define a procurement approach for outsourced translation.
Additional information provided by DG DGT on the implemented measures
DG DGT established an action plan consisting of 12 sub-actions to address all audit findings, which was
considered as satisfactory by the IAS. Half of the sub-actions had a deadline for implementation by the
end of the first quarter 2026 and have been implemented. These included actions such as organising
meetings with DG BUDG on the correct interpretation of some legal and procurement concepts,
establishing a procedure for ensuring completeness of information in the award decision, and implementing
new rules in financial circuits. DG DGT is therefore fully on track to meet the planned implementation
dates.
1.2. Procurement (EISMEA)
The objective of the audit was to assess if the governance, risk management and internal control framework
set up by EISMEA for its procurement activities are adequately designed, efficient and effective and to provide
reasonable assurance that the key internal control objectives had been achieved.
Audit results
Is the governance framework for procurement activities adequately designed and efficiently and effectively
implemented?
The governance framework established by EISMEA for procurement activities is adequately designed, efficiently
and effectively implemented. The centralised positioning of the procurement sector is adequate for and adapted
to the needs of the Agency, the roles and responsibilities of the various actors in the procurement sector and
operational units within EISMEA are clearly defined. The evaluation panels are appointed in accordance with the
Financial Regulation and the Vademecum. However, the relation between the parent Directorates-General and
EISMEA is not sufficiently translated into practical arrangements as regards the split of roles and responsibilities
at operational level, which may create issues in the preparation phase of the procurement.
Is the risk management framework for procurement activities adequately designed and effectively implemented?
The risk management framework for procurement activities is overall adequately designed. The procurement
sector has developed a list of risks related to the procurement processes and implemented activities to mitigate
them. However, the implementation of the risk management framework is, in some cases, only partially
effective as the IAS found: (a) issues in the preliminary market analysis and identification of risks for the
particular procurement procedures; and (b) three middle value procedures processed in parallel and presenting
similarities, which may be perceived as a case of contract fragmentation.
Is the internal control framework for procurement activities adequately designed, efficiently and effectively
implemented?
The internal control framework for procurement activities is overall adequately designed and efficiently and
effectively implemented. This covers the budgetary and legal commitments, the identification of needs, the
planning of the procurement procedures, the tendering and evaluation phases and the preparation and adoption
of the award decision. The procurement process follows overall the requirements of the Financial Regulation
and corporate Vademecum on procurement. The e-tendering is the default solution, and the main IT system
(public procurement management tool - PPMT) for the procurement process is overall adequately used.
However, the IAS found that, in one sampled case, the Agency and the parent Directorates-General did not
adequately identify a conflict-of-interest situation, and the selection and award criteria were in some cases too
strict or not proportional. In addition, data related to procurement files, including sensitive documents, are not
always stored and handled in compliance with the Commission’s rules.
Audit conclusion
The IAS concluded that, overall, EISMEA has adequately designed and efficiently and effectively implemented
the governance, risk management and internal control framework for its procurement activities, which provides
reasonable assurance that the key internal control objectives are achieved, except for one very important issue
concerning the identification of the conflict of interest aspects, which EISMEA needs to reinforce, in cooperation
with its parent Directorates-General.
Audit recommendation
Recommendation No 3, on the checks on (potential) conflict of interest aspects, EISMEA should:
• reinforce the checks on (potential) conflict of interest aspects.
Additional information provided by EISMEA on the implemented measures
EISMEA accepted the recommendation and submitted an action plan to the IAS in early February 2026,
which the IAS assessed as satisfactory. The implementation of the recommendation is on track and EISMEA is
committed to duly implementing the agreed corrective actions in 2026.
1.3. Project management and payment process for the EU4Health Programme (HaDEA)
The objective of the audit was to assess the effectiveness of the governance, risk management and internal
control processes put in place by HaDEA for project management and payments of EU4Health grants (including
anti-fraud checks and corrective mechanisms) with the aim to achieve the programme’s objectives, in
compliance with the applicable rules.
Audit results
Are the governance, risk management and internal control processes related to the project management and
payment processes adequately implemented by competent HaDEA staff?
HaDEA implements its control strategy by providing training and guidance to its staff and by effective
management supervision. The business continuity procedures have been defined and effectively implemented.
In addition, HaDEA monitors the project execution through activities that are proportionate to the level of risk
and complexity of the projects.
Is the payment process effective and does it ensure compliance with the legal provisions?
The payment process is overall effective and ensures compliance with the legal provisions. The financial
workflows are efficient and ex ante controls are performed in line with the requirements of the Financial
Regulation. Financial corrections are properly calculated and applied when necessary, but the audit identified
some shortcomings in the documentation of the checks performed and the reporting about control results.
Is the grant amendment process effective and does it ensure compliance with the legal provisions?
The grant amendment process was effective and ensured compliance with the legal provisions. Existing controls
ensure that the amendments comply with the provisions of the grant agreements and the rules governing the
responsible actors and the timing of amendments are respected.
Audit conclusion
The IAS concluded that the internal control system that HaDEA has put in place for the project management
and payment process for the EU4Health Programme (grant management and payment) is adequately designed
and effectively implemented, in compliance with the applicable rules.
Audit recommendations
The IAS did not formulate any critical or very important recommendations.
1.4. Project management and payment process of the European Defence Fund (DG DEFIS)
The objective of the audit was to assess the adequacy of the design and effective and efficient implementation
of the governance, risk management and internal control systems put in place by DG DEFIS for the project
management of the European Defence Fund grants and the ex ante financial controls on their interim payments,
in compliance with the applicable rules.
Audit results
Are DG DEFIS governance, risk management and internal control systems for the project management and
payment process of the European Defence Fund adequately designed?
DG DEFIS has designed adequate governance, risk management and internal control systems for the project
management and payment process of the European Defence Fund that include:
• project management / monitoring activities that are proportionate to the European Defence Fund
projects’ complexity / risks and are in line with the requirements of the Financial Regulation;
• clear definition, assignment and communication of the roles and responsibilities for the European
Defence Fund project management and interim payments;
• provision of appropriate training and guidance to the staff involved in the audited process;
• adequate business continuity measures; and
• proper management supervision for the European Defence Fund project management and interim
payments.
Has the project management process for the European Defence Fund grants been effectively implemented?
The project management process for the European Defence Fund grants has been effectively implemented as
the European Defence Fund project management steps have been effective, the ex ante project management
controls for the ‘certified correct’ endorsement have been sufficient, and the documentation of the project
management activities in the system for grant management (SyGMa)/COMPASS is adequate.
Has the payment process for the European Defence Fund grants been effectively implemented and does it
ensure compliance with the legal provisions?
The payment process for the European Defence Fund grants has been effectively implemented and in
compliance with the legal provisions as: (a) the ex ante financial controls on the periodic financial reporting for
supporting the 'certified correct' endorsement have been sufficient; and (b) the approval workflow has been
effective and efficient, both of which ensure compliance with the legal provisions.
Audit conclusion
The IAS concluded that DG DEFIS has put in place adequate governance, risk management and internal control
systems to ensure effective and efficient project management of the European Defence Fund grants and ex
ante financial controls on their interim payments, in compliance with applicable rules.
Audit recommendations
The IAS did not formulate any recommendations.
1.5. Early implementation of grants in the short-term defence instruments (DG DEFIS)
The objective of the audit was to assess the adequacy of design and effective implementation of DG DEFIS
control system for the first phases of the management of the grants under the European defence industry
Reinforcement through common Procurement Act (EDIRPA) and the act in support of ammunition production
(ASAP) to effectively support the achievement of the objectives of the two instruments through the preparation
of the work programmes.
Audit results
Are the controls for the preparation and implementation of the annual work programme and for the drafting
and publication of calls for proposals for EDIRPA and ASAP adequately designed and effectively implemented?
The process for the preparation and implementation of the annual work programme and for the drafting and
publication of calls for proposals for EDIRPA and ASAP is overall effective and in accordance with the applicable
legal provisions. However, the audit identified some shortcomings as regards the demonstration by potential
EDIRPA beneficiaries of specifically how the Union contribution (notably if retroactive) is necessary to offset
obstacles in common procurement during the duration of the grant action.
Are the controls for the evaluation, ranking and selection of proposals for EDIRPA and ASAP adequately designed
and effectively implemented?
DG DEFIS has designed and implemented a control system for evaluating, ranking and selecting the proposals
that is adapted to the respective specificities of EDIRPA and ASAP and is in line with applicable rules. The control
system includes specific guidance, structures and templates/checklists that supported the evaluation, ranking
and selection of proposals process.
Are the controls for the preparation and approval of the grant agreements adequately designed and effectively
implemented?
The DG DEFIS process for the preparation and approval of the grant agreements adequately supports the
effective translation of retained proposals into grant agreements and controls in place ensure compliance with
the applicable legal provisions.
Audit conclusion
The IAS concluded that the control system that DG DEFIS has put in place for the early implementation of grants
in the short-term defence instruments for ASAP and EDIRPA was overall adequately designed and implemented
in accordance with the applicable rules.
Audit recommendations
The IAS did not formulate any critical or very important recommendations.
1.6. Simplification measures in cohesion funding in the 2021-2027 programming period (DG REGIO, DG EMPL)
The objective of the audit was to assess if DG REGIO and DG EMPL have designed and implemented adequate
and effective internal control processes for the capacity building, the ex ante assessment and the monitoring
of the simplified cost options and financing not linked to costs which serve the intended objective of enhancing
simplification in the implementation of the Cohesion Policy funds in the 2021-2027 programming period.
Audit results
Are the processes of capacity building, ex ante assessment and monitoring of simplified cost options
and financing not linked to costs in the programming period 2021-2027 adequately designed?
The Directorates-General, including the joint audit Directorate for Cohesion, have made significant efforts to
establish internal networks, communities of best practice and mechanisms to build and maintain staff capacity
to use simplified cost options and financing not linked to costs. However, the established networks lack a formal
mandate which limits their full potential to operate for achieving (strategic) objectives. The training on simplified
cost options and financing not linked to costs is not always tailored to the specific roles and needs, and it needs
to be complemented by practical examples and lessons learned. Finally, there is a concentration and dependence
on one contractor which provides expertise to the Directorates-General on simplification and results-based
approaches. Moreover, this contractor is also potentially in a situation of professional conflicting interests
considering its involvement in different contracts. Such situations have not been identified and further assessed
by the Directorates-General and they have not taken any specific mitigating measures to manage the related
risks.
In the area of ex ante assessment, overall, internal procedures, guidance and checklists were adequately
designed. However, some specific guidance was lacking on the process for the assessment of adjustment
methods of simplified cost options, on the documentation of the informal phase of programming and on the
roles and responsibilities for the assessment of financing not linked to costs.
The Shared Fund Management in the European Union period 2021-2027 (SFC2021) access controls, the related
Launchpad reports and other monitoring tools were not adequately designed to meet business needs for either
control or effective monitoring and reporting on simplified cost options and financing not linked to costs.
Are the processes of capacity building, ex ante assessment and monitoring of simplified cost options and
financing not linked to costs adequately, effectively and timely implemented?
The Directorates-General’s capacity building initiatives reflect a positive effort to encourage knowledge-sharing
and collaboration. However, the auditors could not verify how the members of the various simplification
enablers shared their acquired knowledge with the relevant staff in the Directorates-General for effective use.
As regards ex ante assessment, internal procedures were not always implemented consistently in practice.
These concern the documentation of the informal phase, the availability of the audit authority’s assessments
for simplified cost options and the final documents for simplified cost options and financing not linked to costs
to run internal and inter-service consultations, the assessment of simplified
cost options by desk officers and the assessment of simplified cost options and financing not linked to costs by
the auditors.
While some practical tools were put in place for monitoring and reporting on simplified cost options and
financing not linked to costs, they are not always reliable as they require manual interventions and lack a
system of version control of data.
Audit conclusion
The IAS concluded that DG REGIO and DG EMPL have designed and implemented adequate and effective internal
control processes for the capacity building, ex ante assessment and monitoring and reporting on simplified cost
options and financing not linked to costs to enhance simplification in the implementation of the cohesion policy
funds in the 2021-2027 programming period, except for three very important issues concerning: (a) the ex ante
assessment of simplified cost options and financing not linked to costs; (b) capacity building and procurement
of services around such simplification measures; and (c) the monitoring and reporting on simplified cost options
and financing not linked to costs.
Audit recommendations
Recommendations No 1 and 2, on the ex ante assessment of simplified cost options and financing not
linked to costs, DG REGIO and DG EMPL should:
• improve guidance, documentation and ex ante assessments of simplified cost options and financing
not linked to costs.
Recommendations No 3 and 4, on the capacity building and procurement of services for simplified cost
options and financing not linked to costs, DG REGIO and DG EMPL should:
• enhance training on simplified cost options and financing not linked to costs, and monitor risks of
concentration/dependency on external experts and their potential professional conflicting interests.
Recommendations No 5 and 6, on the monitoring and reporting on simplified cost options and financing
not linked to costs, DG REGIO and DG EMPL should:
• manage access rights and improve monitoring and reporting tools on simplified cost options and
financing not linked to costs.
Additional information provided by DG REGIO and DG EMPL on the implemented measures
DG REGIO and DG EMPL established an action plan to address all audit findings, which was considered
satisfactory by the IAS. The implementation of the recommendations is on track to meet the deadlines
set out in the action plan (all deadlines are in 2026).
1.7. Horizon Europe – European Innovation Council grant agreements preparation and award procedures (DG RTD, EISMEA)
The objective of the audit was to assess whether EISMEA and DG RTD designed and implemented adequate,
effective and efficient internal control processes for the grant agreements preparation and award procedures
under the European Innovation Council (EIC) programme, ensuring compliance with the applicable rules.
Audit results
Is the specific control environment of the grant agreements preparation and coordination between the grant and
investment component, including the award procedure, adequately designed within EISMEA and DG RTD to
address the specificities of the EIC in compliance with applicable rules?
EISMEA, with the support of DG RTD, has defined a specific control environment for the preparation of the EIC
grant agreements (including the award decisions) and for the coordination between the grant and investment
components built on corporate guidance, procedures and IT systems and complemented by a manual of
procedures, checklists and instructions specific to the EIC.
However, this control environment is not adequately designed and not complete, hence failing to effectively
integrate the specificities of the EIC programme and to provide a robust framework for ensuring compliance
with applicable rules. Among the missing elements, the IAS observed the lack of procedures framing the
implementation of the parallel preparation of the single award decisions and the grant agreement preparation
to avoid that award decisions are adopted without completing necessary checks. Additionally, there is no
harmonisation of the economic security measures between grant and investment components.
The existing guidance is also not complete as regards specific measures for mitigating risks associated with
beneficiaries who have weak financial capacity and criteria for assessing retroactive start date requests, funding
holding companies, monitoring the investment budget under the EIC Accelerator, and operational checklists for
amending award decisions.
Have the retained project proposals been effectively and efficiently translated into legally binding grant
agreements?
The retained project proposals have been effectively translated into legally binding grant agreements; however,
the IAS identified inefficiencies and lapses in the implementation of some controls and processes that need to
be implemented during the grant agreement preparation phase for both the EIC Acceleration and the EIC
Transition grants. Specifically, EISMEA did not conduct: (a) effective financial capacity assessment checks for
EIC Accelerator grants until June 2023 (and even then, the checks were not consistently effective); and (b)
systematic financial capacity checks for EIC Transition grants. EISMEA accepted and signed 55% of the EIC
Accelerator grant agreements with a retroactive start date even though corporate guidance states that such
instances should be exceptional. Moreover, no criteria were established to justify the use of a retroactive start
date. It also failed to verify sufficiently the applicants' specific legal statuses as small and medium-size
enterprises and middle-capitalisation enterprises. Lastly, the time-to-grant results for the EIC Accelerator were
inaccurately reported and misrepresented in the 2024 Annual Activity Report.
Are the processes and controls for the preparation and adoption of the award decision and single award decision
(including the amending decisions) effectively and efficiently implemented, in compliance with the regulatory
framework?
The controls for preparing and adopting award decisions, single award decisions and amending decisions were
not always effectively and efficiently implemented in compliance with the regulatory framework. Single award
decisions were adopted before completing grant agreement preparation checks and in a number of cases, they
related to projects that did not meet eligibility criteria. Additionally, one amending award decision in a holding
company was made without performing ex ante eligibility checks. Finally, award decisions with maximum
indicative investment amounts exceeding the available budget by EUR 1.31 billion (+58%) were also adopted.
In terms of efficiency, substantial delays were noted in the time-to-grant key performance indicator for the EIC
Accelerator scheme that exceeded the target despite performing grant agreement preparation and award
procedures simultaneously.
Audit conclusion
The IAS concluded that EISMEA and DG RTD did not adequately design and implement the internal control
processes for the grant agreements preparation and award procedures specific to the European Innovation
Council Accelerator scheme, resulting in cases of non-compliance with the applicable rules, while EISMEA
partially effectively and efficiently implemented the internal control process for the European Innovation Council
Transition and Pathfinder schemes.
Audit recommendations
Recommendation No 1, on the EIC grant agreement preparation phase, EISMEA should:
• reinforce the design and implementation of the controls related to the European Innovation Council
grant agreement preparation phase.
Recommendation No 2, on the time-to-grant: monitoring and reporting, EISMEA should:
• revise the reporting on the time-to-grant indicator in the Annual Activity Report and assess the key
root causes for delays.
Recommendation No 3, on the award decision process, DG RTD and EISMEA should:
• revise the award decision process – critical.
Recommendation No 4, on the amending award decision process, DG RTD and EISMEA should:
• revise the amending award decision process.
Recommendation No 5, on the budget monitoring and communication of the award decisions to the
European Investment Bank, DG RTD should:
• reinforce budget monitoring and ensure formal transmission of the award decisions to the European
Investment Bank.
Additional information provided by DG RTD and EISMEA on the implemented measures
DG RTD and EISMEA accepted all recommendations, with the exception of one sub-recommendation
(only partially accepted). They submitted a joint action plan to the IAS in mid-March 2026, which assessed
it as satisfactory. The implementation of all recommendations is on track. Both services are committed
to implementing corrective actions as swiftly as possible to ensure that any potential risks are appropriately
mitigated within a short timeframe (before the third quarter of 2026 for the critical recommendation, at the
latest by the end of 2026 for the rest).
1.8. Implementation of the Connecting Europe Facility – Transport (DG MOVE, CINEA)
The objective of the audit was to assess the effective and efficient implementation of the governance, risk
management and control processes established by CINEA and DG MOVE for the implementation of Connecting
Europe Facility (CEF) Transport (Phase II, i.e. after the award of the grant agreement), in line with the applicable
rules.
Audit results
Do DG MOVE and CINEA effectively and efficiently implement their working arrangements for the implementation
of the projects funded under CEF Transport?
The working arrangements between DG MOVE and CINEA are implemented effectively and efficiently, with roles
and responsibilities clearly defined in the Memorandum of Understanding of August 2021. DG MOVE provides
policy direction and strategic oversight, while CINEA ensures the operational management of CEF Transport
projects, including monitoring, reporting and payments. This division of tasks is consistently applied in practice
and supports clarity and accountability.
Coordination mechanisms are well established and function smoothly at both the strategic and the operational
level; regular meetings, management exchanges and operational contacts between project officers ensure
continuous alignment. The systematic exchange of information and reporting strengthens collaboration and
allows issues to be addressed in a timely manner.
The arrangements also demonstrate flexibility and adaptability. Adjustments to implementation, such as project
amendments or extensions, are applied consistently and discussed with DG MOVE when necessary. Both parties
consider the Memorandum of Understanding adequate, and no significant issues have been identified. Overall,
the cooperation framework enables effective programme delivery and efficient use of resources.
Has CINEA, in cooperation with its parent Directorate-General as appropriate, designed and implemented
adequate processes for monitoring the implementation of the projects funded under CEF Transport?
CINEA has designed processes to monitor the implementation of actions funded under the CEF2 Transport
programme. The roles and responsibilities are defined and understood, and monitoring mechanisms are consistently
applied.
Beneficiaries are well informed of their obligations through a combination of tools, templates and practical
guidance, supported by frequent communication with project officers, facilitating effective implementation.
Monitoring and reporting arrangements provide both regular oversight and assurance on the progress of actions.
However, certain elements of the monitoring framework are not fully proportionate to the potential risk levels
of some actions and therefore require improvement, namely:
• There is currently no documented methodology with defined criteria or red flags to support a
consistent, risk-based decision on when to perform additional on-site visits.
• There is limited guidance supporting project managers in their assessment of technical reports, in
particular as regards the elements that may be considered riskier or red flags and there was no
documented evidence that these external technical reports were adequately analysed.
• The CINEA procedures and guidelines lack details on the steps to be taken in case of recurrent delays
or quality issues linked to underperformance.
Has CINEA, in cooperation with its parent Directorate-General as appropriate, designed and implemented
adequate controls in relation to payments?
CINEA, in cooperation with its parent Directorate-General where appropriate, has put in place adequate and
effective controls in relation to payments. The financial circuits are clearly documented (electronic Manual of
Procedures - eMOP), and roles and responsibilities (Project Officers, Financial Officers and Heads of Sector) are
well defined and respected, ensuring that regulatory and contractual requirements are met before any payment
is authorised.
Staff are provided with clear guidance and targeted training to ensure the necessary expertise for carrying out
financial tasks. CINEA ensures that compliance checks are performed in accordance with the applicable rules
and properly documented. No indications of double funding were identified in the reviewed sample, with checks
performed on invoices (accounting number, date and amount) to verify that costs had not been previously
claimed.
For the projects examined, pre-financing, interim and final payments were subject to the required checks
(including the Certified Financial Statement where applicable), and in cases of project termination, recoveries
were successfully carried out. No recurrent errors or systemic weaknesses were identified, and mechanisms
exist to inform the parent Directorate-General when needed. Overall, the internal control framework for
payments is considered appropriate and effective.
Does CINEA effectively manage amendments, as appropriate in cooperation with DG MOVE?
CINEA effectively manages the amendments process, and its controls comply with the grant agreement
provisions. CINEA has prepared detailed process manuals and procedures to manage the workflow for
amendments. A sample review of projects with amendments did not identify any cases where these procedures
were not followed. The involvement of DG MOVE is limited to specific cases as described in the process manuals.
Are the working arrangements between CINEA and DG MOVE for reporting and communicating the results of the
projects funded under CEF Transport effectively and efficiently implemented?
The working arrangements between CINEA and DG MOVE for reporting and communicating project results are
effectively implemented, with feedback to policy aligned with expectations set out in the Memorandum of
Understanding. A series of correspondents have been established to facilitate working arrangements and
collaboration between CINEA and DG MOVE. DG MOVE’s contribution is further strengthened through the use of
sophisticated dashboards and data visualisation tools, enhancing transparency and supporting oversight.
Established key performance indicators and stakeholder feedback surveys provide insight into the performance
of both grant management and of project officers.
Audit conclusion
The IAS concluded that CINEA and DG MOVE have adequately designed and effectively and efficiently
implemented processes for the effective and efficient implementation of CEF Transport, in line with the
applicable legal framework.
Audit recommendations
The IAS did not formulate any critical or very important recommendations.
1.9. Assurance building processes and audit strategy for the 2021-2027 programming period - design (DG HOME)
The objective of the audit was to assess the adequacy of the design and set up of DG HOME’s ‘governance, risk
management and control processes’ for assurance building of funds implemented under shared management
in the 2021-2027 programming period.
Audit results
Has DG HOME provided relevant, clear and sufficient information to their staff on key changes and features
regarding DG HOME funds implemented under shared management in the 2021-2027 programming period?
Overall, DG HOME has identified key features and changes to the legislative framework, impacting the provision
of assurance for its funds delivered under the shared management mode. It has established a structured
approach towards the dissemination of information to staff and has provided training, guidance and tools to
support. In addition, there has been an active coordination between DG HOME, the Joint Audit Directorate for
Cohesion and other Directorates-General implementing funds under the Common Provision Regulation in setting
up common guidance and training materials for auditors regarding common features of the 2021-2027
programming period, which can be considered as a good practice.
Has DG HOME provided adequate support and tools to assist Member States in the design and set up of their
management and control systems for funds implemented under shared management in the 2021-2027
programming period?
Through established communication procedures, IT tools and regular meetings, DG HOME has set up a structured
dialogue with the national authorities and provides support to Member States regarding the design and
functioning of the management and control system, with specific attention to the newly established authorities
and new aspects introduced by the regulatory framework. In this context, it was noted that DG HOME closely
cooperates with the Joint Audit Directorate for Cohesion and other Directorates-General implementing funds
under the Common Provision Regulation, in providing information to Member States on topics relevant for all
funds under the Common Provision Regulation legal framework.
Are the single audit strategy and underpinning internal procedures adequately designed to address DG HOME
specific risks and new elements concerning its legality and regularity processes for the 2021-27 Funds under
shared management?
Overall, DG HOME has set up audit arrangements based on the single audit strategy commonly developed by
all Directorates-General covered by the Common Provision Regulation. However, for the specific aspects of the
audit approach for the 2021-2027 programming period and the internal processes regarding preventive and
corrective measures, by the end of the fieldwork, DG HOME had not fully established additional audit
arrangements related to the special handling of documents. Besides, a comprehensive risk assessment
approach and audit planning incorporating fund-specific and common risk factors was at that time still under
development. Finally, DG HOME still needs to validate internal procedures regarding the application of
preventive measures and establish a procedure describing the process on the application, monitoring and
reporting of financial corrections.
Audit conclusion
The IAS concluded that for the 2021-2027 programming period, DG HOME has, overall, adequately designed
and set up governance, risk management and control processes supporting assurance building for funds
delivered under the shared management mode, except for the HOME fund-specific audit arrangements,
including risk assessment and audit planning under the single audit strategy, and the internal processes for the
preventive and corrective measures that still need to be finalised to fully set up all required elements.
Audit recommendations
Recommendations No 1, 2 and 3, on audit strategy, risk assessment and audit planning, DG HOME should:
• develop additional DG HOME-specific audit arrangements for the single audit strategy.
• set up a risk assessment model for DG HOME funds.
• revise the methodology and approach for developing the audit plan.
Recommendation No 4, on interruptions, suspensions and financial corrections processes, DG HOME
should:
• establish and finalise procedures for application of preventive and corrective measures.
Additional information provided by DG HOME on the action plan
DG HOME established an action plan to address all recommendations, assessed as satisfactory by the
IAS. By the end of 2025, DG HOME reported as implemented the recommendation on the audit strategy
and the recommendation on the risk assessment. DG HOME considered the recommendation on
establishing and finalising the procedures for application of preventive and corrective measures to be
implemented in the first quarter of 2026.
The remaining actions related to the partially implemented recommendation on revising the
methodology and approach for developing the audit plan are ongoing. DG HOME continues monitoring
the execution of the audit plan (the audits for 2025 have already been performed). In order to fully
implement the recommendation, DG HOME will report any deviations in the revised audit work
programme and incorporate the results into future updates of the audit plan.
1.10. Amendments of the Common Agricultural Policy national strategic plans (DG AGRI)
The objective of the audit was to assess in DG AGRI the adequacy of the design and the effectiveness and
efficiency of the implementation of the internal control processes for reviewing and approving the amendments
to the Common Agricultural Policy national strategic plans, including the review and follow-up of notifications.
Audit results
Has DG AGRI adequately designed its processes for the review and approval of the Common Agricultural Policy
strategic plans amendments?
Overall, DG AGRI has designed adequate and detailed procedures for the review and approval of the Common
Agricultural Policy amendments and notifications, which are presented in its Vademecum, and which are
updated on a regular basis. It has also designed templates for communicating with Member States. Moreover,
DG AGRI has set up the New Consistency Board to address outstanding technical issues in the implementation
of the Common Agricultural Policy strategic plans (including when reviewing amendment requests), ensuring
consistent and coordinated responses. This is especially important given the complexity of the Common
Agricultural Policy legal framework.
However, the mandate and rules of functioning of the New Consistency Board were not fully clear as regards
New Consistency Board conclusions requiring formal endorsement. After the fieldwork ended, DG AGRI adopted
a revised mandate clarifying those elements.
In addition, there was a lack of clarity on the date of start of eligibility for approved changes in the European
Agricultural Fund for Rural Development interventions which were previously notified but found non-compliant
with the legal basis for notifications. For future notifications and amendments, this should be clarified, due to
an ongoing Common Agricultural Policy Omnibus Regulation which will modify the process for amendments and
is planned to enter into force in January 2026. In addition, DG AGRI had also not provided clear guidance to
Member States on how to indicate in the amendments which changes were notified and at which date.
Furthermore, there was a lack of clarity on what can be accepted in terms of deviations between the overall
target numerators of result indicators and related outputs (in case of direct link between the two). Finally, the
requirements to Member States for the presentation of planned outputs did not allow the identification of the planned
aggregated outputs for a group of unit amounts, in case the intervention also benefited from additional national
financing generating outputs.
Does DG AGRI effectively and efficiently implement its processes for the review and approval of the Common
Agricultural Policy strategic plan amendments?
Overall, DG AGRI has adequately implemented its procedures for the review and approval of the Common
Agricultural Policy amendments. In addition, DG AGRI effectively monitors the progress of the assessment and
approval of amendments including through regular monitoring of deadlines and sharing of information within
DG AGRI and with other Directorates-General involved. As a result, it has managed to approve the amendment
requests within the legal deadline, despite the significant number of amendment requests and the large volume
of changes included in each of them, which impose a continuous heavy workload on DG AGRI staff.
However, there were some misalignments between the procedures prescribed in the Vademecum and the
practices observed with regards to the pre-consultation with other Directorates-General and the consultation
within DG AGRI during the assessment of the amendment request. In addition, there was a misalignment
between the Vademecum and the practice as regards the use of the return for corrections.
Furthermore, based on sample testing, corrections of non-compliance in the Common Agricultural Policy
strategic plans identified after their approval were not always requested from the Member States.
Finally, there were some gaps as well as information not up to date in the documentation of the assessment
of some of the amendment requests reviewed. In addition, not all approved amendments and related ‘At a
glance’ documents were published on time on the Europa website, contrary to the instructions in the
Vademecum.
Audit conclusion
The IAS concluded that DG AGRI has adequately designed and effectively and efficiently implemented internal
control processes for reviewing and approving the amendments to the Common Agricultural Policy national
strategic plans, including the review and follow-up of notifications, except for two very important issues which
relate to the date of start of eligibility of European Agricultural Fund for Rural Development notified changes,
as well as to the clarification on the acceptable deviations between result indicators and outputs and correction
of detected non-compliances in the Common Agricultural Policy strategic plans.
Audit recommendations
Recommendation No 4, on the notifications and date of start of eligibility, DG AGRI should:
• ensure clarity on the date of eligibility for notified changes.
Recommendations No 6 and 7, on the errors and inconsistencies in the Common Agricultural Policy
strategic plans, DG AGRI should:
• request corrections on detected non-compliances in Common Agricultural Policy strategic plans.
• clarify acceptable deviations between outputs and result indicators and reinforce checks on outputs.
Additional information provided by DG AGRI on the implemented measures
DG AGRI accepted all recommendations and submitted an action plan, assessed as satisfactory by the
IAS, in April 2026, to mitigate the risks identified.
1.11. Design of the performance monitoring and evaluation framework for the Common Agricultural Policy 2023-2027 (DG AGRI)
The objective of the audit was to assess whether DG AGRI has adequately designed the Common Agricultural
Policy 2023-2027 performance monitoring and evaluation framework (PMEF) in order to monitor, evaluate and
report on the performance of the Common Agricultural Policy under the New Delivery Model.
Audit results
Intervention logic
Overall, the Common Agricultural Policy strategic plan interventions, designed at Member State level, respond
to the Common Agricultural Policy objectives and are sufficiently linked to the result and impact indicators. This
is to a large extent thanks to DG AGRI’s advice and consistent support to Member States.
Performance monitoring and evaluation framework indicators
DG AGRI has prepared fiches for the performance monitoring and evaluation framework indicators, which allow
for a uniform interpretation of how data must be collected and reported by Member States. Within DG AGRI,
the allocation of responsibilities regarding who is responsible for which Common Agricultural Policy indicators
is clear. Furthermore, to cope with the challenges related to data quality, DG AGRI has put in place instructions,
designed in-house controls and established structured communication with data providers such as Eurostat.
Support to Member States on the implementation of the Common Agricultural Policy strategic plans and for
monitoring their performance
Overall, DG AGRI has put in place adequate procedures for providing support to the Member States in the
implementation of the Common Agricultural Policy strategic plans and for monitoring their performance, apart
from the following very important weakness:
While the Common Agricultural Policy regulation allows Member States to request amendments on milestones
and targets for result indicators, it does not provide clear grounds under which such amendments may be
rejected. In the absence of clear provisions in the basic legislation and not to undermine the effectiveness of
the biennial performance review, DG AGRI has agreed on an approach to deal with such requests for
amendments, which has evolved over time as the implementation of the Common Agricultural Policy strategic
plans progressed. However, this approach remains difficult to implement in the absence of a clear legal basis
and needs further clarification and documentation.
Processes for evaluating and reporting on the Common Agricultural Policy 2023-2027
DG AGRI has put in place adequate processes to deliver the evaluations as required by the Common Agricultural
Policy strategic plan Regulation, through the preparation of a fit for purpose multiannual plan for studies.
In addition, DG AGRI disseminates available data on the performance monitoring and evaluation framework
indicators through the Agri-food Data Portal (AGRIDATA portal). Preparations are ongoing for reporting on the
performance of the new Common Agricultural Policy in the new 2024 Annual Activity Report of DG AGRI.
However, in terms of performance reporting, the performance programme statements accompanying the draft
budget for 2025 and annexed to the 2023 Annual Management and Performance Report for the EU budget did
not include data for the Common Agricultural Policy 2023-2027 core indicators, although some data were
already available for a number of indicators.
Audit conclusion
The IAS concluded that overall, DG AGRI has adequately designed the Common Agricultural Policy 2023-2027
performance monitoring and evaluation framework to monitor, evaluate and report on the performance of the
Common Agricultural Policy under the New Delivery Model, except for one very important issue relating to the
approach for approving changes to targets and milestones for result indicators.
Audit recommendations
Recommendation No 1, on the approval of changes to milestones and targets for result indicators, DG
AGRI should:
• update and clarify the approach for assessing requested changes to milestones and targets.
Additional information provided by DG AGRI on the implemented measures
DG AGRI accepted the recommendation from the IAS and submitted an action plan that was assessed
as satisfactory by the IAS, in June 2025, to mitigate the risks. Actions related to recommendation 1 are
ongoing. DG AGRI continues to monitor the execution of the audit plan.
This recommendation was due on 31 March 2026. DG AGRI planned to implement it in two steps, as
approved by the IAS in the action plan.
DG AGRI considers that the first action has been implemented (the outcome of the dedicated meeting
of the Expert Group on the implementation of the CAP Strategic Plans Regulation was used for the
discussions on the design of the new Performance Regulation for 2028-2034 and in particular for the
selection of the indicators).
The second step, on the clarification of the approach for assessing requested changes to milestones
and targets, has been discussed in the next New Consistency Board meeting on 5 June 2026. Once the
agreement is reached, the Vademecum will be updated accordingly. DG AGRI expects by consequence
to close the recommendation once the new version of the Vademecum has been validated.
1.12. Non-Governmental Organisations (NGO) funding under the LIFE
programme (DG ENV, DG CLIMA, DG ENER, CINEA)
The objective of this audit was to assess whether DG ENV, DG CLIMA, DG ENER and CINEA, responsible for the
Programme for the Environment and Climate Action (LIFE), have taken effective measures to implement the
‘Guidance on funding for activities related to the development, implementation, monitoring, and enforcement
of Union legislation and policy’ for the grants signed after its issuance, i.e. under the 2024 LIFE calls for
proposals and onwards. The objective of the audit did not include an evaluation of the applicable legal basis
and of the corporate guidance.
Audit results
Based on the work performed within the scope of the audit, the IAS assessed the measures taken to comply
with the corporate guidance as follows:
Have the Commission services concerned (parent Directorates-General) provided adequate guidance to CINEA,
in alignment with the EC corporate guidelines?
The LIFE programme parent Directorates-General took a series of measures, including providing orientation to
CINEA on how the corporate guidance should be applied in practice, responding to specific queries and advising
on individual cases for the proposals submitted under the LIFE 2024 calls for proposals. They also ensured a
proper follow-up on the matter at the CINEA Steering Committee and LIFE Working Group meetings.
For future LIFE calls, they clarified in the 2025–2027 LIFE Multi-Annual Work Programme that operating grant
agreements should not require beneficiaries to undertake specific, detailed activities directly targeting EU
institutions, their staff or members, or to take positions on specific policy issues.
Additionally, they informed the non-governmental organisations with whom they had an ongoing operating
grant, about the impact of the corporate guidance by holding meetings on 28 November 2024, 4 December
2024, and 3 June 2025.
Has CINEA implemented the corporate guidance effectively?
CINEA has carried out a series of measures to implement the corporate guidance, including providing targeted
training to external experts involved in the grant agreement preparation phase and incorporating in the text of
the 2025 LIFE calls for proposals, as part of the criteria for eligible activities, the requirement to ‘respect EU
values and European Commission policy regarding reputational matters’, including a reference to the corporate
guidance.
Furthermore, during the preparation of the action and operating grants awarded following the 2024 LIFE call,
successful beneficiaries were informed, as part of the guidance note for the grant preparation phase, about the
new compliance requirements related to the corporate guidance. In addition, beneficiaries of operating grants
signed under the 2024 LIFE calls were informed of the reporting requirements for the implementation of their
grant agreements, which include compliance with the corporate guidance.
To align its internal operations with the requirements stemming from the corporate guidance, CINEA has revised
its procedures for the evaluation and award of grants to non-governmental organisations and updated the
existing checklist accordingly. CINEA performed a review of all successful proposals under the 2024 LIFE call to
remove from the work packages to be included in the grant agreements, references to activities that they
consider are not in line with the corporate guidance, such as those framed as lobbying or targeting directly
(members of) EU institutions for specific policy outcomes. A register has also been established to track proposals
requiring adjustments during the grant agreement preparation phase. However, the experience gained by CINEA
staff and lessons learnt from the 2024 exercise have not yet been fully consolidated for use in future calls for
proposals.
CINEA also reported the results of the screening of pre-2024 ongoing LIFE grants to its parent Directorates-
General and to EC central services.
Overall, CINEA has put in place adequate measures for preventing, detecting and addressing potential conflict
of interests for experts involved in the evaluation of proposals, as well as for evaluation committee members.
However, based on sample testing, the auditors identified one case where the declaration of confidentiality and
absence of conflict of interests of one voting member of an evaluation committee was signed around four
months after the evaluation committee had taken place.
Audit conclusion
The IAS concluded that the Commission services responsible for the LIFE programme have taken adequate
measures to implement the ‘Guidance on funding for activities related to the development, implementation,
monitoring and enforcement of Union legislation and policy’ so that activities such as those framed as lobbying
or targeting directly (members of) EU institutions for specific policy content or outcome, are not mandated as
a requirement, or condition for Union financing.
Audit recommendations
The IAS did not formulate any critical or very important recommendations.
1.13. Reliability of audit opinions on the legality and regularity of
Erasmus+ expenditure declared by National Agencies (DG EAC)
The objective of the audit was to assess whether the measures taken by DG EAC to ensure the reliability of
audit opinions issued by the independent audit bodies (IABs) on the legality and regularity of expenditure
reported by the national agencies are adequately designed and effectively implemented to obtain the necessary
assurance on the use of Erasmus+ funds.
Audit results
Are the minimum requirements for the controls set by DG EAC for IAB and national agencies and the assessment
of the audit opinions on the legality and regularity of expenditures declared by the national agencies adequately
designed, in compliance with the applicable rules?
DG EAC has a well-established procedure for setting minimum requirements for the independent audit body’s
work (in the form of yearly guidelines) and for assessing the independent audit opinions, including clear roles
and responsibilities for DG EAC staff involved in the process. The yearly guidelines include a comprehensive set
of requirements with a recommended methodological approach, provisions on audit population reconciliation
and sampling, as well as indicative audit programmes and audit opinion templates which are timely
communicated to the national authorities and IAB. However, the requirements for the national agencies to check
the ‘top 15%’ of beneficiaries receiving 70-75% of the budget need clarification and the monitoring of primary
checks performed by national agencies is not fully effective.
Is the assessment that DG EAC performs on the independent audit opinions on the legality and regularity of
expenditure declared by the national agencies effective to ensure the necessary assurance is obtained?
Overall, DG EAC effectively assesses the independent audit opinions on the legality and regularity of Erasmus+
expenditure. However, the IAS audit identified inconsistencies in verifying the audit population for primary
checks and deviations from the recommended sampling parameters for financial transaction testing in some
of the sampled independent audit opinions.
Does DG EAC follow up on the observations arising from the independent audit opinion and the actions taken
by national agencies and national authorities in response to the observations?
DG EAC follows up the observations reported in the independent audit opinions and their implementation by the
national agencies on a regular basis. However, no formalised internal methodology exists for assessing the
observations and no action plans for the implementation are requested from the national agencies and
approved by DG EAC.
Audit conclusion
The IAS concluded that DG EAC has effectively implemented measures that are adequately designed to ensure
the reliability of audit opinions issued by the IABs on the legality and regularity of expenditure reported by the
national agencies to obtain the necessary assurance on the use of Erasmus+ funds, except for one very
important issue related to the management of observations.
Audit recommendations
Recommendation No 2, on the management of observations, DG EAC should:
• improve the follow-up of observations.
Additional information provided by DG EAC on the implemented measures
DG EAC submitted an action plan addressing all audit findings in January 2026, which was assessed as
satisfactory by the IAS. All planned measures related to this recommendation are ongoing and fully on
track. They are expected to be fully implemented within the agreed timeframe (end of December 2026).
1.14. InvestEU Fund – methodology for key performance indicators
and key monitoring indicators, controls over indicators and
internal steering and cooperation mechanism (DG GROW)
The objective of the audit was to assess the adequacy of the design and the effective implementation of: (a)
the internal steering and coordination mechanism put in place by DG GROW for the financing of the InvestEU
Fund operations; (b) the methodology developed on indicators (key performance indicators and key monitoring
indicators) to monitor the implementation of the InvestEU Fund; and (c) the controls put in place over the
operational reporting by Implementing Partners (IPs).
Audit results
Is there an adequate and effective internal steering and coordination mechanism in place, allowing DG GROW
to meet the InvestEU Fund’s objectives and to maximise its impact?
The Commission (DG ECFIN and since February 2025 DG GROW) has established an adequate and effective
internal mechanism that allows the participating Directorates-General to provide appropriate policy steer and
coordination. Commission Directorates-General have access to timely and adequate data on the implementation
of InvestEU operations. Moreover, there is a clear and comprehensive division of work, roles and responsibilities
between the Directorates-General involved in the implementation of the InvestEU Fund. This was confirmed by
the Directorates-General that participated in the survey launched by the IAS as part of this audit. 85% of the
survey participants agreed that the roles and responsibilities of DG GROW and their own DG as regards the
implementation of the InvestEU Fund are clearly defined and well understood.
Has DG GROW established a robust methodology on performance and monitoring indicators for the financing of
InvestEU Fund operations and is this effectively used to monitor the implementation of the Fund?
The performance management framework for the InvestEU Fund has been defined in the InvestEU Regulation,
which contains both key performance and key monitoring indicators. In June 2022, DG ECFIN developed the
methodology for the calculation of InvestEU key performance and key monitoring indicators which was then
revised in February 2024 to include additional indicators proposed by the InvestEU Steering Board (such as
indicators on climate mitigation, biodiversity and gender equality) and to clarify some of the calculation
methodologies.
When assessing the performance management framework put in place to track the progress of InvestEU
towards the achievement of the Union’s objectives and evaluate its performance the IAS found that the
objectives defined in the legal basis are not ‘specific’, the indicators have no baselines and are not always
accompanied by a target. Moreover, the approach to measure the long-term effect of the programme has not
yet been defined. Additionally, specific indicators for digitisation and climate are not fully aligned with best
practices set in these areas by the Commission or are not independently verified.
As part of their control activities, DG GROW officers perform checks on the aggregate data reported by the IPs
on a semi-annual basis and carry out monitoring visits to the IPs. However, the internal control strategy does
not: (a) define which specific checks should be performed during the monitoring visits to ensure the
completeness and accuracy of the data underlying the aggregate values of indicators provided by the
implementing partners; (b) formalise the target in terms of implementing partners to be visited each year, and
(c) define the approach for selecting implementing partners to be accompanied on their visits to financial
intermediaries/financial beneficiaries.
Article 8(8) of the InvestEU Regulation and the Commission Notice on the InvestEU Programme climate and
environmental tracking guidance stipulate that the Commission, together with the implementing partners, shall
seek to ensure a balanced distribution between the projects mainly contributing to climate mitigation priorities
and those contributing to environmental priorities under the ‘Sustainable Infrastructure Window’ of InvestEU.
The analysis carried out by the IAS of the available data indicated a 95%-5% split between climate and
environmental spending for the Sustainable Infrastructure Window (by the end of 2024), which is below the
expectations in the area.
Audit conclusion
The IAS concluded that overall, DG GROW has designed and implemented an adequate and effective internal
steering and coordination mechanism for the financing of InvestEU Fund operations and has put in place a
robust methodology on performance and monitoring indicators to monitor the implementation of InvestEU,
except for one very important issue related to the quality of objectives and key performance indicators and key
monitoring indicators set in the legal basis.
Audit recommendations
Recommendation No 1, on the performance management system, DG GROW should:
• improve the design of the performance management system.
Additional information provided by DG GROW on the implemented measures
DG GROW submitted a draft action plan, which is being assessed by the IAS. Nevertheless, DG GROW
already started the implementation of the actions it proposed in the action plan.
1.15. Control results provided by partners (management
declarations) (DG INTPA)
The objective of the limited review was to assess whether DG INTPA has designed and implements an adequate
system that ensures that the management declarations effectively contribute to the assurance on the effective
implementation of EU funds under indirect management with entrusted entities, as well as on the accuracy of
financial reporting and its compliance with the Financial Regulation.
Audit results
Has DG INTPA designed an adequate control framework to comply with the Financial Regulation requirements
on management declarations?
DG INTPA has put in place a control framework for the management declarations which encompasses guidance
and checklists for the staff and templates related to contribution agreements (including for financial
instruments) that the entrusted entities have to use for their management declarations. However, the IAS found
that guidance (instructions, templates and checklists) is not accurate, complete and/or sufficiently clear on some
important elements of the management declaration handling process which would enable more effective
controls on the compliance of the management declaration with the requirements of the Financial Regulation.
During the fieldwork, the IAS also found that there is no mechanism, either at local or at corporate level, to
collect and analyse information on issues encountered with global management declarations in view of
identifying and addressing systemic/repetitive issues.
Does DG INTPA implement its control system effectively, efficiently, and in line with the rules in place?
The IAS found that a management declaration was available for 38 out of 39 sampled files for which it was
required. However, the controls designed were not always implemented effectively, efficiently, and in line with
the applicable rules. The IAS identified two major issues concerning the handling of management declarations,
notably: (a) submission deadline and validity period for payments and clearings of global management
declarations was not aligned with the provisions of the Financial Regulation; (b) insufficient and/or inadequate
checks, resulting in accepting as valid for processing payments and clearings management declarations that
were either non-compliant with the agreements and/or templates or not accompanied by an audit opinion. The
IAS also found that DG INTPA’s approach to preparing the Annual Activity Report does not align with the principle
of sound financial management as the assurance relies on global management declarations from the preceding
year rather than those pertaining to the year covered by the Annual Activity Report.
Does DG INTPA’s reporting on management declarations in the Annual Activity Report comply with DG BUDG’s
instructions?
DG INTPA reporting on management declarations in the Annual Activity Reports is not fully in line with DG
BUDG’s instructions as the DG does not collect all the data necessary to properly fill in the tables on
management declarations.
Audit conclusion
The IAS concluded that the system designed and implemented by DG INTPA to ensure that the management
declarations contribute to the assurance on the effective implementation of EU funds under indirect
management with entrusted entities, the accuracy of financial reporting and its compliance with the Financial
Regulation is adequate except for two very important issues related to some aspects of the design of the control
framework for management declarations, and the effectiveness and efficiency of management declarations as
a control measure.
Audit recommendations
Recommendation No 1, on the design of the control framework for management declarations, DG INTPA
should:
• improve the control framework for management declarations.
Recommendation No 2, on the assurance provided from global management declarations, DG INTPA
should:
• increase the effectiveness of management declarations as a control tool.
Additional information provided by DG INTPA on the implemented measures
INTPA drafted an action plan that was accepted by IAS. DG INTPA has already implemented
Recommendation No 2, with follow-up pending by IAS. Implementation of Recommendation 1 is
underway.
1.16. Control results provided by partners – management
declarations (DG ENEST)
The objective of the limited review was to assess whether DG ENEST has designed and implements an adequate
system that ensures that the management declarations effectively contribute to the assurance on the effective
implementation of EU funds under indirect management with entrusted entities, as well as on the accuracy of
financial reporting and its compliance with the Financial Regulation.
Audit results
Has DG ENEST designed an adequate control framework to comply with the Financial Regulation requirements
on management declarations?
DG ENEST has put in place a control framework for the management declarations which encompasses guidance
and checklists for the staff and templates that the entrusted entities have to use for their management
declarations. However, the IAS found issues in these elements that need to be further developed to enable more
effective controls of management declarations.
Does DG ENEST implement its control system effectively, efficiently, and in line with the rules in place?
The IAS found that a management declaration was available for all 41 sampled payments and clearing files,
for which it was required. However, the controls designed were not always implemented effectively, efficiently,
and in line with the rules in place. Specifically, the IAS identified two major issues related to handling
management declarations, notably: (a) an erroneous interpretation and application of the rules related to global
management declarations (both as regards the submission deadline, and their validity period for payments and
clearings); (b) inadequate application of the guidance in place resulting in accepting as valid for processing
payments and clearings management declarations that were either non-compliant with the agreements and/or
templates or not accompanied by an audit opinion.
Does DG ENEST’s reporting on management declarations in the Annual Activity Report comply with DG BUDG’s
instructions?
DG ENEST reporting on management declarations in the Annual Activity Report is not fully in line with DG BUDG’s
instructions as the DG does not collect the data allowing it to fill in properly the tables on management
declarations.
Audit conclusion
The IAS concluded that the system designed and implemented by DG ENEST to ensure that the management
declarations contribute to the assurance on the effective implementation of EU funds under indirect
management with entrusted entities, the accuracy of financial reporting and its compliance with the Financial
Regulation is adequate except for two very important issues related to some aspects of the design of the control
framework for management declarations, and the effectiveness and efficiency of management declarations as
a control measure.
Audit recommendations
Recommendation No 1, on the design of the control framework for management declarations, DG
ENEST should:
• improve the control framework for management declarations.
Recommendation No 2, on the assurance provided from global management declarations, DG ENEST
should:
• increase the effectiveness of management declarations as a control tool.
Additional information provided by DG ENEST on the implemented measures
DG ENEST accepted all recommendations and sent the action plan to the IAS on 23 January 2026. The
IAS accepted the action plan on 9 February 2026. Both very important recommendations are being
implemented and will be finalised by 1 September 2026.
1.17. Financial management – high value procurement and contract
management (DG TAXUD)
The objective of the audit was to assess whether the internal control system set up by DG TAXUD for high value
procurement and contract management is adequately designed, and efficiently and effectively implemented.
Audit results
Has the internal control environment of public procurement in DG TAXUD been adequately designed and
effectively and efficiently implemented?
DG TAXUD has defined and implemented internal roles and responsibilities for all procurement related tasks.
DG TAXUD’s staff involved in the procurement process are made aware of their specific roles and the applicable
rules.
DG TAXUD has properly reported procurement risks, and associated mitigating actions, in its risk register. The
risks related to specific framework contracts are monitored and reported to the Public Procurement Committee.
However, there is no consolidated assessment of risk(s) identified in different steps or instances of the
procurement process, nor a structured approach to follow up on or monitor the formulated mitigating actions
relating to different procurement activities.
In addition, DG TAXUD has not consolidated the control activities specific to procurement into a comprehensive,
formalised control strategy covering the different steps of the procurement process and the related risks, as
identified in various risk assessment exercises.
Although DG TAXUD has designed actions to mitigate the ethics-related risk associated with public procurement,
it has not assessed the effectiveness of these measures in strengthening a fraud-proof procurement and
contract management system.
Is the procurement planning adequately designed and effectively and efficiently implemented?
DG TAXUD has designed and implemented a procurement planning process. However, the process shows very
important issues which may affect the effective and efficient achievement of the Directorate-General’s
objectives in the audited area. These weaknesses concern the design and implementation of specific steps in
the planning process, in particular:
a. the estimation of the total contract value, where DG TAXUD relied solely on historical prices
without conducting adequate market research,
b. the duration of the framework contracts, whereby the automatic renewal extended the
contracts beyond the standard four-year limit, without sufficient documented justification,
c. the preparation phase of procurement procedures. There is no evidence of a root cause analysis
of delays stemming from the past procurement procedures enabling the DG to assess the time
required for the planning steps. Moreover, the DG did not take specific measures to enhance
internal cooperation and communication between Directorates to ensure a smooth completion
of the procurement steps.
Is the tendering and award process implemented according to the internal controls and applicable rules?
The preparation and publication of procurement documents, and the communication with tenderers have been
implemented according to the applicable procurement rules.
However, the IAS identified very important issues as regards the selection and award criteria defined in the
tender dossier and the evaluation of tenders. The award criteria defined by DG TAXUD in the tender documents
were not sufficiently clear, detailed, or directly related to the technical specifications of the tender. In addition,
evaluation reports highlighted weaknesses identified during the evaluation process, but they did not specify
how the DG intended to address them in the final selection process, nor did they mention any specific corrective
measures that should be undertaken during the contract execution stage.
Is the contract management effectively and efficiently implemented?
DG TAXUD has established processes for contract monitoring.
The financial and operational aspects of the IT contract’s implementation were reported periodically and timely
to ensure the achievement of the entity’s objectives. Internal guidance was made available for the operational
units covering the operational aspects of contract management of IT contracts.
However, the IAS has identified very important issues in the documentation and/or implementation of DG
TAXUD’s ex ante key controls on commitments and payments. These concern mainly: (a) the design and
implementation of the payment checklist/workflow; (b) the documentation of ex ante operational key controls
for an informed payment validation by the Authorising Officer by sub-delegation; and (c) gaps in the
design and implementation of early detection and exclusion system checks. These issues may affect the
effective and efficient implementation of contract management by the responsible staff members.
DG TAXUD has a contract monitoring control process in place that allows issues related to the
procurement deliverables to be reported. Nevertheless, DG TAXUD did not make use of performance and retention money
guarantees provisions for the audited framework contracts nor the related specific contracts and did not justify
why it did not apply these safeguards.
The financial circuit for procurement is centralised and the financial team in the Directorate E plays a key role,
by providing an active support to the operational units throughout the procurement life cycle (from the
identification of needs up to the final payment of the relevant contract). However, the procedural framework
for financial circuit authorisations, budgetary and legal commitments and payments were not formally approved
or up to date.
DG TAXUD has ensured that contract amendments were concluded in accordance with established procedures.
However, DG TAXUD has systematically made specific contract extensions without documenting a justification
on the exceptional circumstances when accepting them. In addition, there is no evidence of any assessment of
past specific contracts to determine more reasonable durations for on-demand specific contracts, that would
provide sufficient margin to reduce the need for amendments.
DG TAXUD retains all financial and operational documents related to the implementation of specific contracts.
However, commitment and payment files were incomplete or inconsistent, making it difficult to retrieve
complete documentation.
Audit conclusion
The IAS concluded that the internal control system set up by DG TAXUD for high value procurement and contract
management needs to be significantly enhanced to strengthen its efficiency and effectiveness, notably with
regard to: (a) the procurement control strategy; (b) the award criteria and evaluation process; (c) the contract
value estimation and contract duration; (d) the early detection and exclusion system checks; and (e) ex ante
controls over payments.
Audit recommendations
Recommendation No 1, on control strategy, DG TAXUD should:
• improve the DG’s risk management and develop a control strategy.
Recommendation No 3, on award criteria and evaluation process, DG TAXUD should:
• enhance the award criteria and evaluation process.
Recommendation No 4, on contract value estimation and contract duration, DG TAXUD should:
• carry out market analysis when estimating contract value and justify automatic renewal of framework
contracts.
Recommendation No 6, on early detection and exclusion system, DG TAXUD should:
• consult the early detection and exclusion system database throughout the procurement and contract
management lifecycle.
Recommendation No 8, on ex ante controls on payments, DG TAXUD should:
• enhance ex ante controls on payments.
Additional information provided by DG TAXUD on the implemented measures
DG TAXUD submitted an action plan addressing all audit recommendations in January 2026, which was
assessed as satisfactory by the IAS. All actions are currently ongoing and progressing according to
schedule. Full implementation is expected within the agreed timeframe, with some measures due by the
end of June 2026 and the remainder by the end of December 2026.
1.18. Financial management – Grants (DG TAXUD)
The objective of the audit was to assess whether the internal control systems established by DG TAXUD for
managing grants under the Customs Control Equipment Instrument programme are adequately designed and
effectively implemented.
Audit results
Has DG TAXUD put in place an adequate control framework for the call preparation and for the management of
its grants?
DG TAXUD has defined clear organizational structures, roles and responsibilities for managing Customs Control
Equipment Instrument grants and has in place: (a) internal procedures / guidelines / tools; (b) a set of guidance
for beneficiaries; and (c) relevant training modules, on-the-spot training and information sessions for the staff
involved. However, DG TAXUD has not yet developed a control strategy targeted to the specific Customs Control
Equipment Instrument risks. Furthermore, the existing guidance (corporate and/or DG TAXUD specific) requires
enhancement and should be centralised for easier access.
Does DG TAXUD effectively manage the preparation, selection, and award of the Customs Control Equipment
Instrument calls?
DG TAXUD has: (a) prepared its calls, with improvement noted for the second call; (b) evaluated proposals timely,
in line with applicable deadlines; (c) implemented a lessons-learned approach as regards the call preparation
and the evaluation of proposals; and (d) prepared grant agreements in due time and in line with award decision.
However, the IAS did not find evidence, neither in the eGrants system nor in the grant preparation report, on
whether the shortcomings mentioned at evaluation summary report stage have been duly considered during
the grant agreement preparation phase.
Does DG TAXUD efficiently and effectively monitor the implementation of the Customs Control Equipment
Instrument grant agreements?
Overall, DG TAXUD has in place tools and procedures for monitoring Customs Control Equipment Instrument
grants, and effectively and efficiently implements ex ante checks on payments and on amendments. However,
DG TAXUD does not provide enough evidence in eGrants of the continuous monitoring of the projects financed
under the Customs Control Equipment Instrument and of the payment processing (in particular the checks
preceding the certified correct).
Audit conclusion
The IAS concluded that overall, DG TAXUD has adequately designed and effectively implemented the internal
control system for managing its grants activities under the Customs Control Equipment Instrument programme,
except for two very important issues related to the Customs Control Equipment Instrument’s control strategy,
and the evidence in eGrants of the continuous project monitoring and of the payment processing.
Audit recommendations
Recommendation No 1, on control strategy, DG TAXUD should:
• develop a control strategy for the Customs Control Equipment Instrument and establish the
methodology for the calculation of the Customs Control Equipment Instrument error rate.
Recommendation No 4, on evidence-based grant agreement monitoring, DG TAXUD should:
• clarify procedures for the certified correct and expected audit trail to document the checks performed
for grant agreement monitoring.
Additional information provided by DG TAXUD on the implemented measures
DG TAXUD submitted an action plan addressing all audit recommendations in January 2026, which was
assessed as satisfactory by the IAS. All actions are currently ongoing and progressing according to
schedule. Full implementation is expected within the agreed timeframe, with some measures due by the
end of June 2026 and the remainder by the end of December 2026.
1.19. Controls over aid to countries covered by a crisis declaration (DG MENA)
The objective of the audit was to assess the adequacy of the design, and the effective implementation of the
risk management and control systems put in place by DG MENA to ensure that the financial aid provided to the
sampled countries covered by a crisis declaration is delivered following the principle of sound operational and
financial management.
Audit results
Is the control system over financial aid to each of the sampled countries covered by a crisis declaration
adequately designed to ensure that such aid is delivered according to the principle of sound financial
management?
The design of key controls is overall adequate, but the guidance on controls for crisis contexts is scattered
across multiple documents and not consolidated, leading to inconsistent application and variable quality of
justifications. While EU Delegations adapt and strengthen controls in practice, the lack of a single,
comprehensive reference limits systematic risk mitigation, monitoring, and reporting. Good practices exist at
specific EU Delegations but are not consistently shared.
Is the control system over financial aid to each of the sampled countries covered by a crisis declaration
adequately implemented in practice?
Overall, the key controls for financial aid under crisis declarations are largely in place and functioning, with
measures to mitigate risks such as fraud, corruption, conflict of interest, and double funding. However, their
consistent application is affected by varying experience levels of staff responsible for applying the relevant
rules (due to staff turnover) and fragmented guidance across multiple documents. While many EU Delegations
demonstrate good practices, such as structured evaluation committees and thorough legal and financial checks,
some gaps persist, including incomplete verification of legal entities or eligibility criteria. Headquarters-level
oversight remains limited, with annual reporting and coding constraints reducing the ability to systematically
monitor flexible procedures. Consequently, although the framework is sound, its effectiveness depends heavily
on staff knowledge and manual processing.
Is there effective monitoring and reporting on the effectiveness/ adequacy of key controls to ensure that financial
aid is delivered effectively?
The monitoring, reporting, and follow-up mechanisms for financial aid under crisis declarations remain largely
manual, and not sufficiently structured. While a tagging system exists within the corporate IT system, it is not
tailored to capture crisis declaration cases effectively, limiting the ability to systematically identify and track
contracts for which flexible arrangements apply. Monitoring at Delegation level continues to rely heavily on staff
knowledge and ad hoc checks, and reporting through tools such as External Assistance Management Reports
and Annual Activity Reports provides limited and non-consistent insights on control effectiveness or risk
exposure.
Audit conclusion
The IAS concluded that the risk management and control systems put in place by DG MENA to ensure that the
financial aid provided to countries covered by a crisis declaration is delivered following the principle of sound
operational and financial management are adequately designed and effectively implemented except for the
monitoring and reporting mechanism related to contracts concluded under flexible procedures.
Audit recommendations
Recommendation No 1, on monitoring and reporting related to contracts concluded under flexible
procedures, DG MENA should:
• improve monitoring and reporting for flexible procedures.
Additional information provided by DG MENA on the implemented measures
The IAS issued the final audit report in December 2025. DG MENA set up an action plan, considered
satisfactory by the IAS in April 2026. DG MENA has already started working on the implementation of
the agreed actions, particularly as regards upgrading the features on the IT systems. No major
difficulties are expected for the action plan to be implemented within the planned timeframe.
1.20. Recovery and Resilience Facility risk assessment methodology and ex post audits (DG ECFIN)
The objective of the audit was to assess the risk management and control processes for the Recovery and
Resilience Facility ex post audits (i.e. audit on milestones and targets and combined system audits) and their
compliance with the Recovery and Resilience Facility Regulation.
Audit results
Has DG ECFIN designed an adequate risk assessment methodology and ex post audit process?
DG ECFIN's risk assessment methodology for selecting milestones and targets for ex post audits is clear and
adequate. However, the methodology has not been reviewed since it was developed to ensure that the key risk
factors remain valid, and that the risk scoring system enables clearer comparisons of risk levels of milestones
and targets. In addition, there are no clear instructions on how to document possible modification of risk levels
following the application of professional judgment.
The design of the ex post audit process is adequate and well detailed, but the instructions for drafting audit
objectives and scope, as well as some performance indicators, are not clear.
Is the risk assessment methodology and the ex post audits on the Recovery and Resilience Facility efficiently
and effectively implemented by DG ECFIN?
Overall, the risk assessment methodology and the audit process are implemented as designed. The risk
assessment files sampled were well documented, although practices vary across the teams and are not
harmonised. Ex post audits were executed, documented, and reported according to the internal procedures. Audit
deliverables tested, such as mission planning memoranda and audit reports are of good quality. However, there
is a long audit throughput time resulting in an extended duration of ex post audits. The main reasons for the
long duration of audits are their complex nature and broad audit scope (combining elements of different type
of engagements), the length of the review of supplementary documentation, quality assurance and internal
consultation, deadline extensions granted to Member States for providing additional documents, as well as time
required for official translation of draft and final audit reports.
Is DG ECFIN’s monitoring and reporting on Recovery and Resilience Facility ex post audits efficient and effective?
DG ECFIN has defined four core indicators to monitor the implementation of the audit strategy, two of which
are regularly followed up and reported in the Annual Activity Report but require further clarification.
DG ECFIN’s reporting on the ex post audits sampled was overall efficient and effective. However, the information
on ex post audits included in the Annual Activity Report does not provide details on their status (completed,
reporting stage, flash report) at the cut-off date for reporting.
Ex post audit reports and audit deliverables include the statement that audits are conducted in accordance with
International Standards on Auditing and in particular with the International Organization of Supreme Audit
Institutions (INTOSAI) standard International Standards of Supreme Audit Institutions (ISSAI) 4000; however, the
current formulation is misleading as it does not clarify the degree of compliance with the standard (partially or
in full).
Audit conclusion
The IAS concluded that, overall, DG ECFIN adequately designed and effectively implemented risk management
and control processes for the Recovery and Resilience Facility risk assessment methodology and ex post audits
on milestones and targets, in compliance with the Recovery and Resilience Facility Regulation, except for the
two very important issues related to the duration of audits and auditing standards and quality assurance
programme.
Audit recommendations
Recommendation No 3, on duration of audits and reporting, DG ECFIN should:
• reduce delays in the ex post audit process and ensure completeness of Annual Activity Reports.
Recommendation No 4, on auditing standard and quality assurance programme, DG ECFIN should:
• clarify the framework and standards guiding the ex post audits and enhance the quality assurance
programme.
Additional information provided by DG ECFIN on the implemented measures
DG ECFIN submitted an action plan, assessed as satisfactory by the IAS in December 2025. All planned
measures are expected to be fully completed within the agreed timeframe (end of June 2026).
The recommendation on reducing delays in the ex post audit process and ensuring completeness of
annual activity reports is being addressed and its implementation will be reflected in DG ECFIN’s annual
activity report. The recommendation on clarifying the framework and standards guiding the ex post
audits and enhancing the quality assurance programme is being addressed and some evidence has
already been submitted to the IAS ahead of the implementation deadline.
Operational Processes
1.21. Personnel selection process (EPSO)
The objective of the audit was to assess the adequacy of the governance, risk management and control
processes set up by EPSO for the design of the new competition model for permanent staff.
Audit results
Is the framework underlying the new competition model adequately designed to support EPSO’s mission as
selection office of the EU institutions and bodies?
EPSO provided evidence of a stakeholder engagement process when designing the new competition model.
However, weaknesses exist in the way EPSO identifies the needs and expectations of its clients, which includes
a lack of a formalised set of criteria for the prioritisation of their needs and of an effective feedback mechanism
to obtain input from all stakeholders. Also, the communication process between EPSO and its clients is ad hoc
and reactive, rather than structured and proactive.
Primarily explained by the fact that EPSO has been operating in continuous crisis mode since the suspension of
the competitions in 2023, more than two years after EPSO’s Management Board decision to deploy the new
competition model, EPSO has not yet adopted: (a) a roadmap, which should have been preceded by a risk
assessment to identify the risks and challenges linked with the deployment; and (b) a procedure supporting the
new selection process.
The new organisational structure and the roles and responsibilities of the actors involved support the overall
objective of the recent reorganisation of EPSO which consisted of adapting its structure to the new competition
model. However, this reorganisation needs to be completed by updating some job descriptions and carrying out,
in due course, an impact analysis of the new competition model on EPSO resources.
In the past few years, EPSO has faced significant challenges as indicated above and drew some lessons from
the issues experienced, particularly with the former service provider when launching the new call for tender.
However, there is no evidence of a structured and comprehensive process to learn lessons from past
experiences, covering other areas of EPSO's activities within the new competition model. Also, with a more
forward-looking perspective and to improve efficiency in its operations, EPSO needs to prepare well and timely
for the use of Artificial Intelligence.
Is the new competition model adequately designed to ensure compliance with the legal basis and achieve its
objectives?
The new competition model indicated above has been designed with a view to ensuring compliance with the
Staff Regulation and its implementation rules. The objectives of the main pillars of the new competition model
are to have ‘faster, leaner and more accessible’ competitions. However, EPSO has not yet defined adequate
indicators to measure the achievement of these objectives. As a consequence, EPSO’s monitoring of the progress
towards the achievement of these objectives, once the new model is fully implemented, is not adequate and
EPSO’s senior management and the members of EPSO’s Management Board do not receive reports to oversee
the achievement of the objectives and the progress of individual competitions.
Audit conclusion
The IAS concluded that the governance, risk management and control processes set up by EPSO for the new
competition model for permanent staff are not adequately designed.
Audit recommendations
Recommendation No 1, on the management of clients’ needs and communication aspects, EPSO should:
• manage clients’ needs and communication aspects.
Recommendation No 2, on the roadmap for the deployment of the new competition model and
procedure for the selection process, EPSO should:
• set up a roadmap and a procedure and carry out an impact analysis of the new competition model.
Recommendation No 3, on the objectives of the new competition model – indicators and monitoring,
EPSO should:
• define key performance indicators and monitor the achievement of objectives of the new competition
model.
Recommendation No 5, on lessons learnt, EPSO should:
• analyse lessons learnt.
Additional information provided by EPSO on the implemented measures
EPSO established an action plan to address all audit findings, considered as satisfactory by the IAS.
All planned measures are expected to be fully completed within the agreed timelines. Progress has been
achieved with key actions in their advanced stage or close to completion. Notably, the roadmap to
analyse and monitor the new competition model is well advanced.
1.22. Management of childcare services (OIB, OIL)
The objective of the audit was to assess the adequacy of the design of the framework and the adequacy of the
design and the effective implementation of the control system (including IT controls over eKidWeb) put in place
by OIB and OIL for the management of the childcare services.
Audit results
Have OIB and OIL designed an adequate framework for the provision of childcare services?
OIB and OIL have established a set of operational/working procedures to regulate certain aspects of their daily
operations and management of childcare services. However, the IAS noted that the legal basis for the provision
of the childcare services is outdated. Additionally, there is a misalignment between the legal basis on OIL’s
shared role and responsibilities with the European Parliament, and there is also no formal agreement with them
for managing childcare services.
Regarding OIB, the IAS also notes that the large size of the operational units of the childcare services may
hinder effective control. Additionally, while OIB has a good practice of cooperation with one of the organisations
specialised in the field of childcare from which it receives additional assurance on the quality of the services
provided by the external partners, a comprehensive comparative analysis of the potential benefits and
drawbacks of the delivery model with external partners as opposed to the services managed internally is lacking.
Furthermore, some oversight committees’ legal bases are outdated and there are no effective measures to
ensure rotation of members or prevention of conflicts of interests.
Finally, there are no agreements between OIB and the Parents Associations of the European Schools to clarify
their respective roles and responsibilities regarding children's safety and security and the Offices do not have
a complete set of Service Level Agreements with all their clients to define their respective rights and obligations
regarding the provision of childcare services.
Have OIB and OIL adequately designed and effectively implemented a control system for the management of
the childcare services?
The IAS found that both Offices have established strong educational and operational aspects of childcare
services, including pedagogical policies, performance metrics and adequate training of the pedagogical staff,
as well as an adequate system to monitor the quality and receive feedback from clients and staff on the
childcare services, resulting in high satisfaction rate.
However, the IAS identified issues in the financial aspects related to interinstitutional budgeting and the
cost allocation processes, an outdated and undocumented methodology for establishing and allocating costs
and undocumented justification of the different scales of the parental contributions for afterschool childcare in
Brussels and Luxembourg.
Has OIB designed adequate controls on the project management and IT security of the IT application (eKidWeb)
used by OIB and OIL to support the provision of childcare services?
The IAS acknowledges the efforts made by OIB and OIL to migrate and implement an IT application (eKidWeb)
to support the provision of the childcare services but notes several issues related to project management, and
the IT security controls of eKidWeb. The IAS found that the project management and change management
processes are not sufficiently detailed and are not fully aligned with established procedures. Additionally, OIB
does not comply with IT security standards (e.g. use of production data, access management process). The IAS
also identified weaknesses in logging and monitoring, management of sensitive information, and risk
management.
Audit conclusion
The IAS concluded that while the Offices have overall designed an adequate framework and control system for
the management of childcare services, there remain three very important issues in the implementation of the
control system concerning: (a) the roles and responsibilities of the oversight committees and external actors
involved; (b) the establishment of the interinstitutional budget and allocation of costs and calculation of parental
and institutional contributions; and (c) IT controls on project management and IT security of eKidWeb.
Audit recommendations
Recommendation No 5 and 6, on the roles and responsibilities of the external actors and oversight
committees involved in the provision/supervision of childcare services, OIB and OIL should:
• revise the legal basis of oversight committees, clarify the role of the Parents Associations of the
European Schools and ensure a comprehensive overview of all the agreements with clients.
Recommendation No 7 and 8, on the budget of the Childcare centre / Centre-polyvalent d’enfance and
cost allocation, including institutional and parental contributions, OIB and OIL should:
• improve the budget of the childcare centre / centre-polyvalent d’enfance and cost allocation processes,
including the calculation of the institutional and parental contributions.
Recommendation No 9 and 10, on the IT controls on the project management and IT security of the IT
application (eKidWeb) used for the provision of childcare services, OIB and OIL should:
• improve the IT controls on project management and IT security of eKidWeb.
Additional information provided by OIB and OIL on the implemented measures
OIB and OIL established an action plan addressing all audit findings, considered as satisfactory by the
IAS. The implementation of the recommendations has started with actions to be implemented between
2026 and 2028. The implementation is on track to meet the planned deadlines.
1.23. Coordination between DG FISMA and European Supervisory Authorities (DG FISMA)
The objective of the audit was to assess the adequacy of the design and the effective and efficient
implementation of the coordination mechanisms between DG FISMA and the European Supervisory Authorities
(ESAs) – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority
(EIOPA), and the European Securities and Markets Authority (ESMA), to support the achievement of the respective
key objectives.
Audit results
Have DG FISMA and the European Supervisory Authorities designed an adequate organisational set up for the
overall coordination?
DG FISMA has developed internal guidance, which formally defines roles and responsibilities of coordination
between DG FISMA and the European Supervisory Authorities on the Single Programming Document, resources
allocation and technical standards. Working arrangements between DG FISMA and ESAs are in place covering
cooperation in the areas of technical standards and technical advice, international matters and guidelines.
However, they no longer reflect the current modalities of cooperation between DG FISMA and the European
Supervisory Authorities and are not up to date regarding the description of the processes and procedures to be
followed.
The communication channels in the framework of the Standing Committees and the information exchange
mechanisms between DG FISMA and the European Supervisory Authorities are overall adequately designed.
Are the coordination mechanisms between DG FISMA and the European Supervisory Authorities in the horizontal
areas covered by the audit adequately designed and effectively and timely implemented?
The coordination process in place on the draft Single Programming Document is adequately designed and
effectively and timely implemented. However, the IAS observed recurrent comments in the Commission Opinion
on the Single Programming Document about administrative aspects which reveal that the European Supervisory
Authorities did not improve the Single Programming Document over time. Moreover, the absence of formal
feedback from the European Supervisory Authorities on DG FISMA’s comment was only recently addressed.
The coordination process between DG FISMA and the European Supervisory Authorities regarding the
preparation of new mandates and ad hoc tasks is overall adequate and timely implemented. However,
concerning the request of new services by non-partner Directorates-General, the IAS did not find evidence (for
the two cases sampled) that DG FISMA had analysed these proposals and their impact on the European
Supervisory Authorities’ resources before the agreement with the other Directorates-General was signed, as
required in the note issued by the Secretariat General.
In line with the European Supervisory Authorities funding regulation, DG FISMA performed reviews of their
operations; however, the internal planning document has not been complemented by other instructions to guide
the DG’s staff through the review exercise. The IAS also found that the European Supervisory Authorities’ review
process, as per the Funding Regulation, differs from the evaluation of the EU decentralised agencies both in
scope and methodology. So far DG FISMA has conducted one impact assessment to evaluate ‘the powers,
governance and funding framework’ in 2017, but no other assessments on the European Supervisory
Authorities’ performance have been carried out since.
The Commission’s proposal on the new market integration package regulation adopted in December 2025 aligns
the review clause with existing evaluation requirements for the decentralised agencies, enabling the
Commission to assess the relevant aspects of ESMA's performance.
Are the coordination mechanisms between DG FISMA and the European Supervisory Authorities in the policy
areas covered by the audit adequately designed and effectively and timely implemented?
The coordination of drafting, amending and adoption of the technical standards is well organised and timely
implemented. DG FISMA plans the work and leads or participates in the consultations of the various working
groups between Commission and the European Supervisory Authorities representatives efficiently and
effectively. DG FISMA effectively supports the work of these working groups.
Concerning the questions and answers process design, some elements have not been defined and mutually
agreed between DG FISMA and the European Supervisory Authorities. Moreover, the internal guidance
established by DG FISMA is not updated/comprehensive and the existing indicators do not make it possible to
measure the performance of the process.
In terms of the questions and answers process implementation, there is no proper monitoring of and reporting
on the state of play of the on-going questions and answers nor an analysis of the root causes of delays. The IT
tool used by DG FISMA does not contain reliable or consistent data to enable the DG’s senior management to
have an overview of the files. Finally, the IAS did not find evidence that DG FISMA has carried out a lessons
learnt exercise to further analyse the issues identified and to improve the process based on stakeholder
feedback.
Audit conclusion
The IAS concluded that DG FISMA has adequately designed and effectively and efficiently implemented the
coordination mechanisms with the European Supervisory Authorities, to support the achievement of the
respective key objectives except for the three very important issues related to the questions and answers
process and review and evaluation.
Audit recommendations
Recommendation No 1, on questions and answers: process design, DG FISMA should:
• enhance the questions and answers process design.
Recommendation No 2, on questions and answers: process implementation, DG FISMA should:
• enhance the implementation of the questions and answers process.
Recommendation No 3, on review and evaluation, DG FISMA should:
• improve review process design.
Additional information provided by DG FISMA on the implemented measures
Following the adoption by the IAS of the final audit report in December 2025, DG FISMA submitted an
action plan, which is being assessed by the IAS. Notwithstanding, DG FISMA has already launched the
implementation of some actions to ensure a timely completion of the action plan.
1.24. Management of the control data of the Common Fisheries Policy (DG MARE)
The objective of the audit was to assess whether DG MARE has adequately designed and effectively and
efficiently implemented processes for managing the control data of the Common Fisheries Policy, in line with
the applicable legal framework.
Audit results
Has DG MARE put in place an adequate data management framework covering the management of control
data?
DG MARE has put in place a data management framework in line with the Commission corporate guidance. This
framework includes a data management strategy covering the management of control data and a Digital
Steering Committee, overseen at DG level, responsible for setting up and monitoring data and digital strategies
with the support of the DG MARE data network working group and of the Integrated Fisheries Data Management
programme Committee.
In addition, internal coordination and dissemination of updated information on data related issues is ensured
through the activities of the local data correspondent as well as through regular meetings of the data network
working group and of the Integrated Fisheries Data Management Committee. Awareness events and topical
presentations are also organised by the data management unit.
However, in terms of implementation of the data management strategy, there are no concrete action plans or
indicators to steer and monitor its progress. Moreover, data owners and data stewards have not been officially
assigned, although it is required by the corporate guidance and there is a lack of back up arrangements in the
data management unit.
Has DG MARE put in place adequate processes to ensure that it receives data from the Member States/ third
countries as per the legal basis?
Overall, where there is a specific legal requirement for Member States to submit control data to the Commission,
DG MARE has put in place adequate processes for the reception of such data. Nevertheless, Member States did
not systematically send timely information on closures of fisheries, in line with Article 35 of the Control
Regulation. The auditors found that DG MARE had not put in place a process for improving Member States’
compliance with their reporting obligations on closures of fisheries.
DG MARE currently faces difficulties to access some control data (i.e. disaggregated catch data from fishing
logbooks) from certain Member States which consider that this is not required under the current legal basis. To
address this issue, the amended Control Regulation, mostly applicable from January 2026, clarifies the need
for flag Member States to ‘ensure direct electronic exchange of relevant information concerning vessels flying
its flag’ to the Commission (or the body designated by it), including fishing logbook information.
In addition, DG MARE is continuously improving its IT environment and the functionalities of its systems and
monitoring tools to facilitate the submission and exchanges of fisheries control data, based on a universal
standard, as well as to lessen duplication of data requirements wherever possible. DG MARE has also delivered
specific training events and exchanged extensively with Member States and third countries on the digitalisation
of the EU certification scheme, resulting in a high level of preparedness for the introduction of the CATCH IT
Tool in January 2026.
Has DG MARE put in place processes to ensure adequate quality of control data?
While Member States are primarily responsible for ensuring that all control data submitted or made available
to the Commission as per the relevant regulations are accurate and complete, based on a validation system set
up for that purpose, DG MARE has taken a number of steps to improve the quality of the control data.
Through expert groups, implementation documents and guidance, DG MARE has been working closely with
Member States to help them improve the quality of the control data submitted. Thanks to continuous
improvement of its IT environment, DG MARE is enhancing automated checks on the quality of the data. Based
on the review of the outcome of these automated checks, DG MARE follows up on the detected inconsistencies
that are considered most material, through bilateral exchanges with the Member States concerned, to ensure
adequate action is taken. In addition, DG MARE conducts verifications and audits, which may include data
validation systems in their scope, and follows up appropriately on the related Member State’s action plans.
However, while the Control Regulation requires Member States to send to DG MARE updates of national plans
on data validation systems, there is no procedure for their assessment and follow-up.
In order to further improve the exchange and quality of Member States’ control data, the revised Control
Regulation enables the Commission to include, in an implementing act, provisions on data quality and validation
of data. The revised implementing act accompanying the Control Regulation is currently being finalised. It will
include mandatory data validation rules for the Member States aiming at substantially improving the quality of
the data provided. The adoption is planned for autumn 2025, which will likely lead to delays in the IT
systems’ necessary updates and as a result in the implementation of the revised Control Regulation.
Has DG MARE put in place processes to ensure adequate use and dissemination of control data?
DG MARE has established a comprehensive list of reporting obligations towards the Regional Fisheries
Management Organisations and in the South-West Atlantic. This list is updated annually and sent to the Council.
In addition, DG MARE adequately disseminates control data as per the current legal limits and published
aggregated catch data for the first time in 2024. DG MARE has also taken steps to allow the reuse and wider
sharing of data through the amendment of the Control Regulation, applicable as from January 2026.
However, the following areas in the use and sharing of control data need improvement:
• monitoring of the consumption of fishing opportunities and of Member State closures of fisheries;
notification on the Commission’s website of such closures;
• use of information received on alleged illegal, unregulated and unreported fishing activities;
notification and dissemination of updated information relating to illegal, unregulated and unreported
fishing activities;
• checks on and transmission of Regional Fisheries Management Organisations lists of vessels with
fishing authorisations.
Audit conclusion
The IAS concluded that DG MARE has adequately designed and effectively and efficiently implemented
processes for managing the control data of the Common Fisheries Policy, in line with the legal framework
applicable at the time of the audit, except for one very important issue related to the reception, use and
publication of data related to fishing opportunities.
Audit recommendations
Recommendation No 2, on the reception, use and publication of data related to fishing opportunities
and closures of fisheries, DG MARE should:
• improve monitoring of data on fishing opportunities and closure of fisheries.
Additional information provided by DG MARE on the implemented measures
DG MARE and the IAS agreed on an action plan in December 2025. The implementation of the
recommendations is ongoing and expected to be completed as planned by the end of November 2026.
1.25. Management of EURES and the EURES portal (DG EMPL)
The objective of the audit was to assess the adequacy of the design and the effective implementation of the
governance arrangements for the management of the EURopean Employment Services (EURES) and the EURES
portal in DG EMPL.
Audit results
Are the governance arrangements for the management of EURES adequately designed?
DG EMPL and the European Labour Authority (ELA) put in place a number of arrangements to govern the
cooperation between themselves on the management of EURES. These include principles of cooperation,
referred to as the ‘operational agreement’, a handover note from DG EMPL, a Memorandum of Understanding,
and other cooperation arrangements on specific areas. However, these arrangements are not always sufficiently
detailed or up to date in a number of areas, including IT governance and the mandate of the IT Steering
Committee. In addition, there is no formal data processing agreement in place between ELA and DG EMPL. A
EURES portal strategy 2023-2030 is in place and an overall EURES strategy is being prepared, for which the
approval process, according to DG EMPL, needs to be aligned with the provisions set in the EURES regulation.
Are the governance arrangements for the management of EURES effectively implemented?
DG EMPL applies the PM2 methodology for project management; however, it is not clear how this is tailored or
customised to the EURES project to cover the artefacts and principles of this methodology. In addition, the
system owner’s responsibilities are not clearly defined in the handover documents and operational agreement,
particularly with regard to the regulations and standards that must be adhered to. A process is in place to
manage business requirements between ELA and EMPL, but there is no overview of a detailed and exhaustive
analysis of the business requirements, including functional, non-functional and security requirements. As a
result, ELA does not have sufficient visibility or information for the prioritisation and change management
processes. Furthermore, ELA does not have sufficient oversight over the technical controls provided by DG EMPL.
Finally, the ELA Cybersecurity Officer lacks direct access to crucial information and there is no formal agreement
in place that outlines how information about the EURES portal will be shared by DG EMPL with the Cybersecurity
Officer. There is no formal description of the management of the EURES budget and the related roles and
responsibilities of ELA and DG EMPL. Furthermore, ELA lacks sufficient visibility on the budget spent in
development and maintenance by DG EMPL as there is a lack of detailed information to analyse and optimise
the IT Budget and related costs, and report to ELA management.
Audit conclusion
The IAS concluded that DG EMPL (together with ELA) has designed and effectively implemented adequate
governance arrangements for the management of EURES and the EURES portal except for two very important
issues concerning governance arrangements and IT project management.
Audit recommendations
Recommendation No 1, on governance arrangements, DG EMPL should:
• strengthen governance arrangements.
Recommendation No 2, on IT project management, DG EMPL should:
• strengthen IT project management.
Additional information provided by DG EMPL on the implemented measures
DG EMPL established an action plan to address all audit findings, which was considered satisfactory by
the IAS. The implementation of the recommendations has started and is on track to meet the deadlines
set out in the action plan (deadlines are in 2026 and in 2027).
1.26. Management of in-kind contributions under Horizon Europe (DG RTD)
The objective of the audit was to assess whether the governance, risk management and controls for the process
of managing in-kind contributions under Horizon Europe in DG RTD are adequately designed, are effectively and
efficiently implemented and ensure compliance with the regulatory framework.
Audit results
Is the control environment for the process of management of in-kind contributions adequately designed?
DG RTD has defined clearly the roles and responsibilities in relation to the support provided to the joint
undertakings, in line with the Commission Decision on the coordinated implementation of Horizon Europe.
DG RTD has provided methodological support to the joint undertakings for the management of the in-kind
contribution process. It has regularly organised technical meetings with all joint undertakings (represented at
the level of Heads of Finance and Administration), during which the in-kind contributions were recurrent topics.
Moreover, DG RTD provided support to the joint undertakings when they developed their in-kind contributions
to the additional activities guidance to staff and the members and provided templates to the joint undertakings
for reporting on the in-kind contributions in their Annual Work Programmes and Consolidated Annual Activity
Reports.
DG RTD developed the in-kind contributions to the additional activities IT tool to allow joint undertakings and
partners to plan and report in-kind contributions to the additional activities inside the eGrants environment.
However, a number of relevant functionalities in the corporate IT tool are still not in place and under analysis
by the Common Implementation Centre. In addition, DG RTD did not develop centralised guidance documents to
address the joint undertakings’ needs, leading to different practices at joint undertakings’ level in both the
monitoring and the reporting on in-kind contributions.
Audit conclusion
The IAS concluded that overall, DG RTD has provided adequate support to the joint undertakings for their
management of the in-kind contributions-related processes, except for one very important issue concerning the
IT support and the functionalities available in the IT tool.
Audit recommendations
Recommendation No 2, on the IT support to the joint undertakings, DG RTD should:
• finalise the development of the IT tools and improve the quality of the reports.
Additional information provided by DG RTD on the implemented measures
DG RTD and the IAS agreed on an action plan. As regards in-kind contributions to the additional activities
(IKAA), the IT tool will include the automatic extraction of data. For in-kind contributions to operational
projects (IKOP), DG RTD has concluded the design discussions with all the Joint Undertakings (JUs) and
has planned the remaining IT improvements to simplify reporting phases by the end of 2026.
Support Processes
1.27. Information technology (IT) governance and IT security management (DG DEFIS)
The objective of the audit was to assess the adequacy of the design, and the efficiency and effectiveness of
the implementation of the governance, risk management and control systems put in place by DG DEFIS for IT
governance and IT security arrangements.
Audit results
Are DG DEFIS IT governance structures, principles, processes and practices adequately designed and
implemented?
DG DEFIS has made evident progress in formalising its strategic alignment by drafting, and obtaining DG
approval of, a first version of the IT and digital governance document in August 2025. This document outlines
the IT strategy and roles and responsibilities, demonstrating adherence to the Commission's digital strategy
and cybersecurity strategy. However, the implementation was not yet fully completed at the end of the
fieldwork. An IT and Digital Management Board had been designed but still needed formal launch and approval
of the governance document at its first meeting (expected in December 2025). Furthermore, there was no
implementation plan to translate the Commission's digital strategy into concrete, measurable objectives specific
to DG DEFIS.
Are IT (including security) risks defined, identified, communicated and managed appropriately to mitigate their
effects on the DG DEFIS strategic objectives?
DG DEFIS has performed regular risk assessments according to EC policies (IT Security Risk Management
Methodology - ITSRM2) and registered risks in the governance risk control tool. System owners are actively involved
in defining security plans, and residual risks are assessed and mitigated in line with defined risk level objectives.
Despite these managed processes, a few issues exist, notably regarding the reporting on security measures
(e.g., delayed mandatory penetration testing for DEFEND-S) which is not formally reported to the local
information security officer or management, insufficient assurance on security measures applied by third
parties or follow-up on exceptions.
Are there well-designed, effective and efficient processes in place to optimise the value contribution of IT
processes, services and systems?
The overall effectiveness and efficiency of IT processes are considered satisfactory, as the audit found no
significant issues in IT governance and security management. DG DEFIS actively pursues the reuse of solutions
in its digital investments. However, an area for improvement identified is the ability to monitor IT services
effectively to measure the return on investment. In particular, the absence of specific performance metrics
hinders the ability to assess the value derived from IT expenditure.
Is there an effective and efficient process in place for the IT portfolio management, to properly evaluate and
prioritise IT projects, systems and services?
DG DEFIS utilises the required centralised tool, Governance Information System (GovIS2), for IT portfolio
management of both projects and operational systems. The information is kept accurate and complete. The use
of the Commission’s project management methodology (PM²) for all IT projects, with the required deliverables,
is a key strength. DG DEFIS also benefits from having an IT portfolio manager function to ensure good
coordination and communication between the business and IT functions. However, issues have been identified
in the practical implementation of performance monitoring including a lack of defined metrics for operational
performance of IT systems, such as answer times, availability, or the time taken to implement change requests.
Are the available resources assessed and optimised?
The IT competencies and qualifications are appropriate and maintained. DG DEFIS has limited IT staff resources
but provides staff backup. The concentration of responsibilities and tasks among the same people in key
governance roles poses a risk and requires the reconsideration of role assignments. Having only two members
dedicated to the Information Resource Management presents a challenge to optimise resource management
and ensure operational continuity, particularly when key personnel are unavailable.
Has DG DEFIS designed and implemented a comprehensive IT security management framework?
DG DEFIS shows significant maturity in its security posture, achieving a ‘low risk, high maturity’ label in the
cybersecurity maturity yearly assessment done by DG DIGIT in both 2023 and 2024. The inventory and
ownership of IT assets are satisfactorily managed using GovIS2, and eight out of ten IT systems have up-to-date
security plans. Roles, responsibilities and processes are effectively implemented to control and monitor
the implementation and operation of information security within the DG. Despite these strengths, the
governance framework remains incomplete. There is a lack of a formal procedure for handling security incidents
specifically at the DG DEFIS level. At the time of the audit, there was no process in place for performing a
business impact assessment to determine system security classification, which is essential for defining security
needs. The audit found that IT security plans were not always updated upon major changes, that the maximum
tolerable period of disruption was misaligned with the availability levels of systems in the sample, and that mitigating
measures may not be implemented or may be delayed without residual risk being reported to management.
Audit conclusion
The IAS concluded that, overall, the governance, risk management and control system put in place by DG DEFIS
with regard to IT governance and IT security arrangements is adequately designed and efficiently and effectively
implemented except for one very important issue related to aligning business needs and recovery expectations,
maintaining IT security plans and formalising processes about incident and user access management.
Audit recommendations
Recommendation No 4, on the IT security management framework, DG DEFIS should:
• strengthen IT security management framework.
Additional information provided by DG DEFIS on the implemented measures
DG DEFIS and the IAS agreed on an action plan in January 2026. The implementation is ongoing with
tentative completion by September 2026. It entails: a) performing business impact assessments to
define business criticality and recovery objectives; b) a review of system availability classification, and
an update of the IT security plans to ensure alignment with business requirements; c) establishing a
process to review the security plans annually, and for ad-hoc updates following major system changes;
d) defining a DG system-specific incident management and escalation procedure; e) the implementation
of a systematic process for the regular review and revocation of user access rights for all DG DEFIS-owned
systems, with particular focus on critical systems.
1.28. Arachne+ project (DG BUDG, DG EMPL/DG REGIO, DG DIGIT)
The objective of the audit was to assess whether DG BUDG, DG EMPL/DG REGIO (Joint Audit Directorate DAC)
and DG DIGIT had put in place appropriate governance, risk management and control processes to:
• deliver the Arachne+ project - phase 2 effectively,
• achieve the strategic objectives and business expectations within the allocated time and resources,
and
• be in compliance with the Commission’s security and personal data protection framework.
Audit results
Were adequate governance and risk management processes and structures in place for the management of the
Arachne+ project, phase 2, including planning, managing resources, risks and changes, monitoring and reporting
of project performance?
Governance roles, responsibilities, key processes and high-level objectives had been established for Arachne+
through a project charter and other supporting documents. However, even though the Steering Committee had
regular meetings, the Supervisory Board had never met. The staffing of the project team was not aligned with
the project plan and no dedicated cross-cutting group to validate business requirements and to support the
project owner had been established.
Though project scope, objectives and success criteria were defined at a high level, and more detailed business
requirements had been defined for phase 2, these were not specific enough. This was primarily due to the
absence of an established baseline for phase 2, clear requirements, acceptance criteria and criteria for the IT
system ‘go-live’. Additionally, the ongoing process for collecting needs lacked appropriate prioritisation of the
work remaining to be performed, taking into account the impact on the business. There was also a lack of
appropriate involvement and approval of all relevant internal and external stakeholders. Although several
registers (requirements traceability documents) had been created to support the definition and monitoring of
the requirements for implementation, it was not possible for the auditors to trace and link all the requirements
through these registers.
Besides, whilst the risks were being regularly discussed in the Steering Committee meetings, a complete and
up-to-date log of risks, changes, issues and decisions had not been established. As a result, there was no formal
and documented discussion and decision for certain changes.
Finally, although the project progress (in terms of achievements and ongoing activities) was reported in every
governance or operational meeting, this reporting did not allow an assessment of the progress made compared to the
established baseline (planned vs remaining), which is necessary to be able to identify potential risks of delay.
Were adequate controls in place to support the effective IT project management and software development for
Arachne+ phase 2?
In general, IT project management and software development practices had been established. However, many
artefacts were either insufficiently documented or not created at all, and some defined processes were only
partially implemented or not implemented at all (e.g. the user acceptance testing process lacked test cases, and
quality management practices were not implemented as defined).
Regarding IT security, the Arachne+ team had performed the business impact assessment and the risk
assessment in line with the established Commission framework. However, the business impact assessment
results were not adequately supported by sufficient information to provide for a more fact-based assessment.
Audit conclusion
The IAS concluded that the governance, risk management and control processes put in place by DG BUDG, as
system owner, with the support of DG EMPL/DG REGIO (DAC) and DG DIGIT, were not appropriate to deliver the
Arachne+ project phase 2 effectively and to achieve the strategic objectives and business expectations for the
overall project within the allocated time and resources. IT security and personal data protection control
processes were compliant with the Commission’s process steps, though significant improvements are necessary
as regards the quality of IT security artefacts.
Audit recommendations
Recommendation No 1, 2 and 3, on project governance, monitoring and reporting:
• DG BUDG should strengthen project governance, monitoring and reporting.
• DG EMPL/DG REGIO should continue support to project owner to strengthen project governance,
monitoring and reporting throughout phase 2.
• DG DIGIT should support project owner from the solution provider’s perspective.
Recommendation No 4 and 5, on management of the project scope, requirements, acceptance and
success criteria, DG BUDG should:
• review the project scope, requirements, and go-live criteria;
• improve/advance the management of requirements, acceptance and success criteria.
Recommendation No 6 and 7, on IT security management,
• DG BUDG should improve the IT security risk management study.
• DG DIGIT should implement the defined IT security measures and ensure risk acceptance criteria have
been satisfied.
Additional information provided by DG BUDG, DG EMPL/DG REGIO and DIGIT on the implemented measures
DG BUDG considers it has strengthened governance, a formal escalation procedure has been developed,
and human resources have been reviewed and reinforced.
DG BUDG considers it has prioritised work based on business impact, ensured continuous stakeholder
involvement, and defined and met clear Service Activation criteria, covering IT security, onboarding, data
protection and testing validation. It also considers that it has updated the requirement traceability matrix
and strengthened data protection compliance.
DG BUDG has reported as fully implemented the update of business impact assessment, the IT security
risk assessment and the IT Security Plan.
DG EMPL/DG REGIO have been actively and continuously supporting DG BUDG throughout Phase 2 in
strengthening project governance, execution and follow up of User Acceptance Testing, monitoring and
reporting.
DG DIGIT has been supporting DG BUDG from the solution provider’s perspective and, together with DG
BUDG, is implementing enhanced reporting on the progress of the project towards its delivery.
DG DIGIT, with the support of DG BUDG, has reported that it has implemented and tested all defined IT
security measures before Arachne+ Service Activation.
The IAS has not yet confirmed the adequate implementation of the recommendations.
1.29. Human Resources Transformation programme (DG HR)
The objective of the audit was to assess whether DG HR has put in place appropriate governance, risk
management and control processes to execute the Human Resources Transformation programme effectively
so as to achieve the strategic objectives and business expectations within the allocated time and resources, and
in compliance with the Commission’s internal security standards.
Audit results
Are adequate governance and risk management processes and structures in place for the management of the
programme, including planning, managing resources, risks and changes, monitoring and reporting of project
performance?
While the Human Resources Transformation programme governance structure and processes are overall well
set up, certain elements need further definition or are missing. The programme management team and the
project management Board did not yet have a consolidated update about the progress of the projects and
working groups at programme level. The programme level relies on project team meetings, project steering
committee meetings and programme coordination meetings to identify issues and take remedial actions, but
quality checks in key areas were not performed.
Additionally, risk management activities are performed both at project and programme level, but the auditors
noted weaknesses in the formal mechanism and process.
Are adequate controls in place to support the effective achievement of the main business and security objectives
of the Human Resources Transformation programme?
The Human Resources Transformation programme Charter identified expected outcomes and benefits, along
with metrics to help identify if the benefits are achieved. However, for a number of those ‘identified benefits’
the auditors observed that they are not specific and measurable, certain metrics are not directly related to the
benefits and no baseline values were set.
No service level agreement had been established between DG DIGIT and the HR family defining the services
provided through the IT platform, including the functionalities, performance, maintenance and operational
arrangements, and security controls. The existing service level agreement between DG HR and other European
Institutions, bodies and agencies about the HR services has been extended with the new Human Resources
Transformation services, but the supplier-customer relationship is not adequately reflected in the agreement –
especially relating to the detailed definition of services and the provision of assurance on IT security.
Are adequate controls in place to support the effective execution of the selected projects and the security of the
respective systems (pre-selection, onboarding)?
Projects are established, their business requirement definitions are managed well, and the projects efficiently
apply the ‘minimum viable product’ approach. However, in the domain of IT security, the Human Resources
Transformation programme did not have sufficient expertise and resources both at programme and project
levels.
Moreover, the necessary security measures were not implemented fully and in a timely manner.
Audit conclusion
The IAS concluded that although Human Resources Transformation programme governance structure and
processes are overall well set up, a very important issue related to IT security management processes remains
which may affect the achievement of the Programme’s strategic objectives and compliance with the
Commission’s internal security standards.
Audit recommendations
Recommendation No 3, on the management of IT security, DG HR should improve the IT security
management processes.
Additional information provided by DG HR on the implemented measures
DG HR submitted an action plan, assessed as satisfactory by the IAS in June 2025. All planned measures
are expected to be fully completed within the agreed timeframe (September 2026), ensuring a robust,
systematic, and well-governed approach to IT security across the Human Resources Transformation
Programme. Significant progress has already been achieved, with key actions either completed or in
their final stages. Notably, the implementation of IT Security Plans is periodically monitored and formally
approved by the Steering Committee.
Part 2 Follow-up engagements
Audits for which some recommendations remain open after IAS follow-up in 2025 (5)
2.1. Audit on the preparedness of DG AGRI in designing the assurance building model under the new Common Agricultural Policy Strategic Plans
Follow-up performed in DG AGRI
Based on the results of the follow-up audit, the IAS concluded that the following recommendations were
adequately and effectively implemented:
• Recommendation No 1 (very important): design of the assurance framework under the New Delivery
Model.
• Recommendation No 4 (very important): decision on how to report on assurance for expenditure under
the Common Agricultural Policy Strategic Plan in the Annual Activity Report not yet in place.
2.2. Audit on CASE@EC project in DG COMP
Follow-up performed in DG COMP
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 2 (very important): IT security arrangements.
2.3. Audit on IT security management in DG EAC
Follow-up performed in DG EAC
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 1 (very important): data classification.
(5) This section only lists audit engagements where a follow-up was performed on critical and/or very important recommendations.
2.4. Audit on the New nuclear decommissioning and waste management programme (NDWMP) in JRC
Follow-up performed in JRC
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
partially implemented:
• Recommendation No 2 (downgraded from very important to important): JRC internal organisation of
NDWMP responsibilities.
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 5 (very important): NDWMP budget flexibility needs.
2.5. Audit on the protection of personal data in the Office for Administration and Payment of Individual Entitlements in PMO
Follow-up performed in PMO
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 1 (very important): accountability, roles and responsibilities.
2.6. Audit on measuring and reporting on the performance of technical support projects in DG REFORM
Follow-up performed in DG REFORM
Based on the results of the follow-up audit, the IAS concluded that the recommendation below was adequately
and effectively implemented:
• Recommendation No 1 (very important): performance measurement methodology.
2.7. Audit on protection of personal data under the responsibility of CINEA, EACEA, EISMEA, ERCEA, REA and the CIC
Follow-up performed in DG RTD (CIC)
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was partially
implemented:
• Recommendation No 3 (downgraded from very important to important): controllership of the Funding
and Tenders Portal.
2.8. Audit on the preparedness for closing the 2014-2020 programming period of the European Structural and Investment Funds by DG EMPL and DG MARE and DG REGIO
Follow-up performed in DG EMPL
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 2 (very important): planning of the closure exercise.
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was partially
implemented:
• Recommendation No 6 (downgraded from very important to important): financial settlement at closure
of programmes.
Follow-up performed in DG MARE
Based on the results of the follow-up audit, the IAS concluded that the following recommendations were
adequately and effectively implemented:
• Recommendation No 3 (very important): planning of the closure exercise.
• Recommendation No 7 (very important): financial settlement at closure of programmes.
Follow-up performed in DG REGIO
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 1 (very important): planning of the closure exercise.
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was partially
implemented:
• Recommendation No 5 (downgraded from very important to important): financial settlement at closure
of programmes.
2.9. Audit on the Joint Audit Directorate for Cohesion (DAC) in DG
EMPL and DG REGIO
Follow-up performed in DG EMPL
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 5 (very important): IT project management for the Management of (all) Audit
Processes, Activities and Resources system (MAPAR) and the Management of (all) Audit Processes,
Activities and Resources Compass Corporate system (MAPAR CC).
2.10. Audit on Physical security of persons and assets in the
Commission, HR / DIGIT / COMM / OIB / OIL
Follow-up performed in DG COMM
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 4 (important): risk management framework for physical security at the
Commission.
2.11. Audit on the assessment of HR needs in the Commission at
corporate level in DG BUDG, DG HR and SG
Follow-up performed in DG HR
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 1 (very important): support from the corporate services for the assessment of
HR needs at local level.
Follow-up performed in DG BUDG
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 2 (very important): support from the corporate services for the assessment of
HR needs at local level.
Follow-up performed in the SG
• Recommendation No 3 (very important): support from the corporate services for the assessment of
HR needs at local level.
2.12. Audit on protection of confidentiality of information at
corporate level in DG HR, DG DIGIT and SG
Follow-up performed in DG HR
Based on the results of the follow-up audit, the IAS concluded that the following recommendations were
adequately and effectively implemented:
• Recommendation No 7 (very important): IT controls to ensure protection of sensitive non-classified
information.
• Recommendation No 9 (very important): process for managing information security incidents.
Follow-up performed in DG DIGIT
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was partially
implemented:
• Recommendation No 6 (downgraded from very important to important): IT controls to ensure
protection of sensitive non-classified information.
Follow-up performed in the SG
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 8 (very important): IT controls to ensure protection of sensitive non-classified
information.
2.13. Audit on the management of large-scale building projects
involving works in OIB and OIL
Follow-up performed in OIB
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was not
adequately and effectively implemented and reopened:
• Recommendation No 8 (very important): management of large-scale projects – approach and
procurement activities.
Follow-up performed in OIL
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 9 (very important): management of large-scale projects – approach and
procurement activities.
2.14. Review of the Commission’s risk at payment in DG BUDG, DG
EMPL, DG INTPA, DG NEAR, DG REGIO, DG RTD, EISMEA, ERCEA
and REA
Follow-up performed in DG BUDG
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 9 (very important): analysis and (internal) reporting of the root causes of errors
in relation to the European Court of Auditors’ findings.
Follow-up performed in DG EMPL
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 7 (very important): analysis and (internal) reporting of the root causes of errors
in relation to European Court of Auditors’ findings.
Follow-up performed in DG ENEST
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 2 (very important): analysis and (internal) reporting of the root causes of errors
in relation with the European Court of Auditors’ findings.
Follow-up performed in DG INTPA
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 1 (very important): analysis and (internal) reporting of the root causes of errors
in relation with the European Court of Auditors’ findings.
Follow-up performed in DG REGIO
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 8 (very important): analysis and (internal) reporting of the root causes of errors
in relation with the European Court of Auditors’ findings.
2.15. Audit on the External Investment Plan – European Fund for
Sustainable Development (EFSD) Guarantee in DG INTPA and
DG NEAR
Follow-up performed in DG INTPA
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 2 (very important): assurance building.
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was not
adequately and effectively implemented and reopened:
• Recommendation No 4 (important): guarantee agreement clauses.
2.16. Audit on Intervention-level evaluations in FPI, former DG NEAR
and DG INTPA
Follow-up performed in ENEST
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was not
adequately and effectively implemented and reopened:
• Recommendation No 11 (very important): implementation of the evaluation process.
Follow-up performed in FPI
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was not
adequately and effectively implemented and reopened:
• Recommendation No 12 (very important): implementation of the evaluation process.
Follow-up performed in DG INTPA
Based on the results of the follow-up audit, the IAS concluded that the following recommendation was
adequately and effectively implemented:
• Recommendation No 13 (very important): periodic review of the evaluation process.
List of audits for which all recommendations
were closed in 2025
Based on the results of the follow-up engagements performed in 2025, the IAS concluded that the audits listed
below could be closed as all the recommendations were assessed as implemented.
AUDITS IN DGs
2.1. Audit in DG BUDG - Limited review of SUMMA in preparation for ‘going live’
2.2. Audit in DG CLIMA – Limited review of the security plan and associated security measures of the EU
emissions trading system information system managed by DG CLIMA
2.3. Audit in DG COMP – Human resources management
2.4. Audit in DG DEFIS - Preparedness for the management and control systems for the 2021-2027 Space
programme implementation
2.5. Audit in DG DIGIT - Public procurement
2.6. Audit in EACEA - Performance of the management of experts for proposal evaluation
2.7. Audit in DG ECFIN - Human resources management
2.8. Audit in DG ECFIN - Limited review of the Recovery and Resilience Facility control and audit strategies
2.9. Audit in DG ECFIN - Ex ante controls of the Recovery and Resilience Facility payment requests
2.10. Audit in DG ESTAT - Effectiveness and efficiency of Eurostat’s performance management system
2.11. Audit in DG GROW - Performance of the treatment of stakeholders’ complaints concerning the internal
market
2.12. Audit in DG HOME - Preparedness for closing actions and programmes funded under the Internal
Security Fund (ISF) and the Asylum, Migration and Integration Fund (AMIF) through direct and shared
management
2.13. Audit in DG SANTE - TRAde Control and Expert System (TRACES)
2.14. Audit in DG SANTE - Information technology (IT) security – findings on the medical device regulation’s
European database on medical devices (MDR EUDAMED) IT system
2.15. Audit in SCIC - Procurement
2.16. Audit in the SG - Information technology governance and project management, including software
development
MULTI – DGs AUDITS
2.17. Audit in DGs CLIMA and CINEA - Implementation of the Innovation Fund
2.18. Audit in DGs DIGIT, DG HR and the SG - Management of public cloud services
2.19. Audit in DG HOME - Coordination between DG HOME and the EU decentralised agencies
2.20. Audit in DGs JUST and EACEA - Preparedness of the management and control systems regarding the
implementation of Citizens, Equality, Rights and Values (CERV) and Justice programmes
2.21. Audit in DGs REGIO, DG EMPL and DG MARE - Interruptions, suspensions and financial corrections for
European Structural and Investment Funds 2014-2020
2.22. Audit in DGs SANTE, HERA and HaDEA - Early implementation of grants in the EU4Health Programme
Part 3
Summary of long overdue recommendations
At the end of the reporting period, 31 December 2025, there were five very important long overdue recommendations, overdue by more than six months compared to the
original expected completion dates set in the auditees’ initial action plans.
| No. | Entity | Audit title | Recommendation title | Final report date | Original agreed completion date | Revised expected completion date | Expected delay |
| --- | --- | --- | --- | --- | --- | --- | --- |
| I | FPI | IAS.C4-2022-Y ENT-001: Allocation of human resources in EU Delegations | Design and implementation of the workload assessment in EU Delegations (WLAD) | 4.11.2024 | 30.4.2025 | 30.6.2026 | 1 year and 2 months |
The issues identified in the design and implementation of the workload assessment in EU Delegations (WLAD) have a partial impact on their effectiveness. The IAS
recommended the agreement on a methodology that allows for comparisons of EU Delegations at global level, and to select the subset of key indicators that will contribute
to the workload assessment, to improve the efficiency of the data collection process. FPI accepted the recommendation but highlighted that they would retain the sub-set
of indicators from the audited WLAD exercise – staff/contract/million managed – for future exercises. Any change would not adequately reflect the FPI operating model
that is not based on a ‘country’ model but on a regional network of staff deployed in five Regional Teams worldwide.
FPI further postponed the target date from 31 December 2025 to 30 June 2026. DG INTPA is in the lead for the implementation of this action for the whole external action
family. DG INTPA has already taken steps to define the methodology and indicators, including workload, reflecting the specificities of international cooperation sections in
delegations (including cooperation & finance, contracts & audit), allowing for a more detailed analysis of differences in EU Delegations workloads. However, the methodology
must also take into account the roll-out of the modernisation of the EU Delegations’ network to be implemented in 2026.
| No. | Entity | Audit title | Recommendation title | Final report date | Original agreed completion date | Revised expected completion date | Expected delay |
| --- | --- | --- | --- | --- | --- | --- | --- |
| II | OIB | IAS.B4-2022-Y COMM-005: Management of large-scale building projects involving works in OIB and OIL | Management of large-scale projects - approach and procurement activities - OIB | 1.12.2023 | 31.12.2024 | 31.1.2026 | 1 year and 1 month |
According to OIB, significant progress has been made on the implementation of these three remaining points since the IAS first follow-up in August 2025. On 28 January
2026, OIB marked the three outstanding points as ‘ready for review’: (1) define the concept of ‘structural renovation’ to ensure a consistent implementation between
projects and compliance with the Financial Regulation; (2) establish a proportionate mechanism which identifies and takes into consideration all clients’ specific needs, as
soon as possible in the early stages of the project and at key moments during implementation; (3) define in its internal procedures which works have to be managed as a
stand-alone project in compliance with the adopted Project Management Methodology (PM2) and in which situations a simplified methodology can be applied by exception.
| No. | Entity | Audit title | Recommendation title | Final report date | Original agreed completion date | Revised expected completion date | Expected delay |
| --- | --- | --- | --- | --- | --- | --- | --- |
| III | DG EAC | IAS.C2-2019-EAC-001: Effectiveness of the protection of personal data of beneficiaries of and participants in the Erasmus+ and European Solidarity Corps programmes managed by DG EAC | Transfer of personal data to third countries | 28.1.2021 | 15.12.2021 | 31.3.2026 | 4 years and 3 months |
(6) On 14 October 2020, the EDPS gave all European institutions a formal order to a) perform a mapping exercise to provide information concerning processing operations that involve international transfers of data and b) report to it any identified risks and gaps, in accordance with the order. The EDPS also asked the European institutions to perform, in a second phase, a case-by-case ‘transfer impact assessment’ to identify the level of protection provided by the third country of destination of the data. To facilitate this assessment, the EDPS will provide in due time specific guidance.
The IAS recommended that DG EAC should analyse, with the support of the data protection officer (DPO), how compliance of its programmes with the internal data protection
regulation (IDPR) concerning international transfers of data can be ensured in the context of the order (6) and the announced guidance of the European Data Protection
Supervisor (EDPS). The DG reported that it analysed with DG JUST, the Legal Service and the DPO different possibilities to ensure compliance of the transfers to third
countries with the IDPR. A suitable transfer tool (i.e. adequate and robust safeguard measures that protect the rights and freedoms of the data subjects) has been identified
and the EDPS has been consulted formally on this solution - as requested by the IDPR. Agreement with the EDPS has been reached at working level but pending the
appointment of the new EDPS, the formal agreement is still outstanding.
| No. | Entity | Audit title | Recommendation title | Final report date | Original agreed completion date | Revised expected completion date | Expected delay |
| --- | --- | --- | --- | --- | --- | --- | --- |
| IV | DG HR | IAS. Physical security of persons and assets in the Commission | Risk management framework for physical security at the Commission | 4.10.2022 | 31.12.2023 | 31.3.2026 | 2 years and 3 months |
While the IAS acknowledged that significant progress has been made in the implementation of the action plan, the recommendation has not been fully implemented as
one point related to the implementation of a new IT platform for risk management remains outstanding. The delay was mainly due to data protection issues linked to the
platform initially chosen by the Secretariat-General.
| No. | Entity | Audit title | Recommendation title | Final report date | Original agreed completion date | Revised expected completion date | Expected delay |
| --- | --- | --- | --- | --- | --- | --- | --- |
| V | DG HR | IAS. B4-2021-Y COMM-002: Physical security of persons and assets in the Commission | Governance framework and organisational arrangements for physical security at the Commission | 4.10.2022 | 31.12.2023 | 30.6.2026 | 2 years and 6 months |
The formalisation and validation of a comprehensive security strategy was delayed, pending a decision at political level (beyond DG HR’s control) on the organisation of
internal/corporate security and on the scope of the internal security strategy, but it is now well on track for adoption in the first semester 2026. In addition, the
agreement clarifying the security governance and competences with regard to the JRC sites was delayed by the ongoing revision of JRC security governance, but it is near
finalisation.
EUROPEAN COMMISSION
Brussels, 15.6.2026
COM(2026) 279 final
REPORT FROM THE COMMISSION
TO THE EUROPEAN PARLIAMENT, THE COUNCIL AND THE COURT OF
AUDITORS
Annual report to the Discharge Authority on internal audits carried out in 2025
{SWD(2026) 149 final}
Table of contents
OBJECTIVE AND SCOPE OF THE REPORT
THE INTERNAL AUDIT SERVICE
OVERVIEW OF THE AUDIT WORK
OVERALL RESULTS BASED ON THE AUDIT WORK PERFORMED IN 2025
Overall results on performance
Overall conclusion on the Commission’s financial management
ACTIONS TAKEN BY AUDITEES
CONSULTATION WITH THE COMMISSION’S FINANCIAL IRREGULARITIES PANEL
Objective and scope of the report
This report informs the European Parliament and the Council about internal audits carried out in 2025 by the European Commission’s Internal Audit Service in 51 organisational entities: directorates-general, services, EU offices, and executive agencies (1). It is an input to the discharge procedure and contains: (a) a summary of the number and type of internal audits carried out; (b) a synthesis of the principal recommendations made; and (c) the actions taken on those recommendations.
In accordance with Articles 118(8) and 253 of the Financial Regulation (2), the Commission is forwarding the report to the European Parliament and to the Council. It is based on the report drawn up in accordance with Article 118(4) of the Financial Regulation by the Commission’s Internal Auditor on Internal Audit Service audits and other engagement reports completed in 2025 (3).
Furthermore, as required by Article 118(5) of the Financial Regulation, the report focuses on the overall compliance with the principles of sound financial management and performance by providing the overall results on performance and an overall conclusion on financial management (Section 4) (4) and highlights any systemic problems detected by the Commission’s financial irregularities panel (Section 5).
The Internal Audit Service
The Internal Audit Service is an independent service in the Commission and is led by the Commission’s Internal Auditor.
Under its mandate stemming from the Financial Regulation, the Internal Auditor advises the Commission on dealing with risks, by assessing:
• the suitability and effectiveness of internal management systems;
• the performance of departments in implementing policies, programmes and actions;
• the efficiency and effectiveness of the control and audit systems applicable to all budget implementation operations.
The mission of the Internal Audit Service is to strengthen the Commission's ability to create, protect, and
sustain public value – as a modern, accountable and performance-oriented institution – by providing independent, risk-based, and objective assurance, advice, insight, and foresight.
(1) The report does not cover the European External Action Service, the European Data Protection Supervisor, the European
Public Prosecutor’s Office, the European Peace Facility, decentralised EU agencies, EU joint undertakings or other autonomous bodies that are audited by the Internal Audit Service. They receive separate reports where relevant.
(2) Regulation (EU, Euratom) 2024/2509 of the European Parliament and of the Council of 23 September 2024 replacing Regulation (EU, Euratom) 2018/1046 (Article 247).
(3) The audit reports finalised between 1 February 2025 and 31 December 2025 are included in this report, except for the audit on human resources management in the Directorate-General for Financial Stability, Financial Services, and Capital Markets Union for which the final audit report was issued on 10 March 2025 and was exceptionally included in the Annual Internal Audit report for 2024.
(4) A summary of the assurance provided by the Internal Audit Service is published in parallel to this report in the Annual Management and Performance Report on the EU budget.
To this end, the Internal Audit Service provides:
• independent assessments of the effectiveness of the governance, risk management, and control processes for operations, activities and financial transactions (‘assurance services’); and
• advice, insight and foresight (‘non-assurance services’).
The main deliverables are internal audit reports that contain independent opinions on the quality of management and control systems as well as recommendations for improving operations and promoting sound financial management.
In 2025, the Commission adopted a recast mission charter (5), marking a significant update to the Internal
Audit Service's legal and operational framework. The Charter ensures full alignment with the 2024 recast Financial Regulation and the new Global Internal Audit Standards (6). By guaranteeing the Internal Auditor’s independence and granting full and unlimited access to the information and personnel required for their work, the Charter provides the necessary safeguards for the service to operate effectively. The 2021 external quality assessment, which is valid for five years, confirmed the Internal Audit Service’s conformance with the Standards and the Code of Ethics in force at that time.
The Internal Audit Service adopted its 2025-2029 Audit Strategy in 2025. This is aligned with the
Commission's new political mandate and aims to drive improved performance and accountability in the Commission and other EU entities, as well as to provide value-added services to stakeholders.
In conformance with Article 8(2) of the mission charter, the Internal Auditor fulfils a number of annual
reporting obligations to the Audit Progress Committee. The Audit Progress Committee assists the College
in fulfilling its obligations under the Treaties, the Financial Regulation and other statutory instruments. Its role, which is established under Article 123 of the Financial Regulation, is to ensure the independence of the Internal Audit Service, monitor the quality of the internal audit work and ensure that recommendations are taken into account and followed up by the Commission, its executive agencies and other bodies.
In her annual declaration to the Audit Progress Committee, the Internal Auditor confirmed that the Internal Audit Service preserved full organisational independence in 2025 and was free from interference or
limitations in the conduct of its audit work; and that there were no impairments to individual objectivity in fact or in appearance.
The Internal Auditor ensured that the resources available in 2025 were sufficient and were effectively deployed to optimise the achievement of the approved internal audit plan. The resources had an appropriate mix of knowledge, skills and other competences.
The Internal Audit Service does not audit Member States’ systems of control over EU funds. Such audits reach down to the level of individual beneficiaries, and are carried out by Member States’ internal auditors, national audit authorities, other Commission directorates-general and the European Court of Auditors. However, the Internal Audit Service does audit measures taken by the Commission to supervise and audit: (a) bodies in Member States; and (b) other bodies that are responsible for disbursing EU funds.
(5) Commission Decision (EU) 2025/2570 of 18 December 2025 establishing the mission charter for the Internal Audit Service of the Commission.
(6) The Global Internal Audit Standards, promulgated by the Institute of Internal Auditors (IIA) effective as from 9 January 2025, guide the worldwide professional practice of internal auditing and serve as a basis for evaluating and elevating the quality of the internal audit function. The Global Internal Audit Standards replace the 2017 International Professional Practices Framework of the Institute of Internal Auditors which was applicable in 2024.
Overview of the audit work
2025 was the first year of the implementation of the Internal Audit Service’s 2025-2029 Audit Strategy, which is aligned with the Commission's new political mandate, priorities and objectives. By the cut-off date of 31 December 2025 (7), the Internal Audit Service had completed a total of 35 engagements (29 assurance audits, and 6 non-assurance engagements) in the Commission’s directorates-general and services. The Internal Audit Service delivered 100% of the assurance reports planned in the 2025 audit plan for the Commission. One audit report was finalised in March 2025 and included in the annual internal audit report for 2024 (8).
In accordance with its charter and with global auditing standards, the Internal Audit Service plans its audit work on the basis of a risk assessment and a capacity analysis. The aim is to draw up an audit plan that covers the highest risk areas, thereby maximising its added value, as well as helping to ensure the best use of resources and the efficient and effective implementation of the audit plan. The Internal Audit Service regularly monitors the implementation of the audit plan and adjusts it as necessary.
In 2025, the Internal Audit Service issued 33 reports (final audit reports and insight notes) and two internal
reports.
The chart below shows the contribution of the assurance engagements to the achievement of the general
objectives included in the Commission’s 2025-2029 strategic plan.
Contribution to the Commission's general objectives
[Chart. Categories shown: A new plan for Europe’s sustainable prosperity and competitiveness; A modern, high-performing and sustainable European Commission; Delivering together and preparing our Union for the future; A global Europe – leveraging our power and partnerships; Sustaining our quality of life: food security, water and nature; A new era for European defence and security; Supporting people, and strengthening our societies and our social models.]
Source: European Commission, Internal Audit Service
(7) The 2025 audit plan is a transition year to the new cut-off date of 31 December 2025. Until 2024, the reference period for the audit plans was 1 February n to 31 January n+1.
(8) This audit report related to the audit on human resources management in the Directorate-General for Financial Stability, Financial Services, and Capital Markets Union. The final audit report for this audit was issued on 10 March 2025.
The Internal Audit Service issued 123 recommendations stemming from its 2025 audit work. As illustrated
below, 2% of these recommendations were rated as critical, 52% as very important and 46% as important.
Recommendations by rating
Source: European Commission, Internal Audit Service
In 2025, the auditees accepted 118 recommendations and partially accepted 5 recommendations. For all
(partially accepted) recommendations, the auditees drafted action plans. The Internal Audit Service then assessed them as being satisfactory or requested a revised action plan. For the recommendations that were partially not accepted, the auditees accepted the residual risk. All the assurance reports were submitted to the Commission’s Audit Progress Committee together with the action plans.
[Chart "Recommendations by rating": Critical 2 (2%); Very important 64 (52%); Important 57 (46%); total 123.]
Overall results based on the audit work performed in 2025
Overall results on performance
To support the Commission’s performance-based culture and emphasis on value for money, the Internal Audit Service finalised 29 audit engagements focused on performance aspects. For approximately 80% of these engagements, the Internal Audit Service identified high residual risks in the areas or processes audited that gave rise to very important recommendations. One audit report issued a critical recommendation to two entities, noting very high residual risks. Various strengths and good practices were also noted.
In line with its methodology and good practices, the Internal Audit Service audits performance in an indirect way. It assesses the performance of the Commission’s departments in implementing policies, programmes, and actions, by reference to the risks associated with them. With this approach, it aims to ensure that directorates-general and services have developed robust performance frameworks, adequate performance measurement tools, and comprehensive monitoring systems; and that they use them to manage performance and risks.
The Internal Audit Service’s 2025 engagements indicate that the Commission’s financial management, operational and support processes remain robust, though certain areas require attention to ensure compliance and long-term effectiveness.
While financial management systems are generally effective (see the Overall Conclusion), some vulnerabilities in procurement and grant management, notably assurance and audit strategies, need to be addressed. Audits of funding programmes revealed a need for greater consistency in performance measurement, where clearer indicators and streamlined processes could enhance transparency and impact, in particular in view of the move towards performance-based delivery models. Similarly, operational performance would benefit from a clearer definition of roles and responsibilities and from the sound management of risks related to the support systems, mainly IT. Finally, considering the reliance of the Commission on human and technological resources, the systems for selection and recruitment of staff, for IT project management and for cybersecurity management require strengthening as key building blocks for a modern public administration.
The following sections present the conclusions of the Internal Audit Service on the various performance aspects assessed in its 2025 audits.
Financial processes
The Internal Audit Service’s audits provided assurance to the College, as well as to the directorates-general and services, that internal controls on financial management were being efficiently and effectively implemented (see also the overall conclusion on financial management in Section 4.2).
Five audits carried out by the Internal Audit Service did not reveal any major weaknesses in the control
systems under examination. The other 13 audits revealed a need for improvements and led to the
issuance of critical and very important recommendations.
In the field of grant management, the Internal Audit Service identified two cases where the entities under
examination needed to improve the processes in place.
Five audits carried out by the Internal Audit Service on grant management ended in unqualified audit
conclusions: (a) non-governmental organisations (NGO) funding under the Programme for the Environment
and Climate Action (LIFE); (b) implementation of the Connecting Europe Facility; (c) project management and payment process for the EU4Health Programme; (d) project management and payment process of the European Defence Fund; and (e) early implementation of grants in the short-term defence instruments European Defence Industry Reinforcement through common Procurement Act (EDIRPA) and the Act in Support of Ammunition Production (ASAP).
An audit on the European Innovation Council’s grant agreements preparation and award procedures
resulted in a negative opinion and a critical recommendation concerning the need for the Directorate-General and the executive agency concerned to revise the award decision process specific to the European Innovation Council Accelerator scheme in line with the applicable rules. The audit also resulted in very important recommendations to both auditees for reinforcement of the controls related to the grant agreement preparation; revision of the reporting on the time-to-grant indicator in the Annual Activity Report and assessing the key root causes of delays; revision of the amending award decision process; and reinforcement of budget monitoring, and ensuring formal transmission of the award decisions to the European Investment Bank.
In another audit carried out on grants, the internal control system for managing grants under the Customs
Control Equipment Instrument programme was found to be adequately designed and effectively implemented, except for two issues related to the instrument’s control strategy, and for documenting of the project monitoring and payment processing in the eGrants tool.
The Internal Audit Service carried out two audits in the field of programme management for the current
programming period.
In the first of these two programme management audits, with a view to simplifying the implementation of the cohesion policy funds in the 2021-2027 programming period, adequate and effective internal control
processes had been designed and implemented for capacity building, ex ante assessment and monitoring and reporting on simplified cost options and financing not linked to costs. However, related guidance, documentation and ex ante assessments need to be improved. In addition, training needs to be enhanced and risks of dependency on external experts need to be monitored. Finally, the directorates-general need to improve monitoring and reporting.
In the second of these two programme management audits, the Internal Audit Service concluded that the internal control processes for reviewing and approving the amendments to the Common Agricultural Policy (CAP) national strategic plans had been adequately designed and implemented. However, there was a lack of clarity on the starting date of eligibility for approved changes in the European Agricultural Fund for Rural Development interventions which had been previously notified but found to be non-compliant with the legal basis for notifications. In addition, a very important weakness was identified regarding the clarification on the acceptable deviations between result indicators and outputs and correction of detected non-compliances in the CAP Strategic Plans.
In the thematic area of assurance building and audit strategy the Internal Audit Service identified cases
where the entities under examination needed to improve the processes in place.
In a programme covered by the Common Provisions Regulation for the 2021-2027 programming
period, the audited directorate-general had set up audit arrangements based on the Single Audit Strategy but
by the end of the audit fieldwork it had not fully established additional audit arrangements for the special handling of documents, a comprehensive risk assessment approach and audit planning incorporating fund-specific and common risk factors.
In another audit, risk management and control processes for the Recovery and Resilience Facility risk
assessment methodology and ex post audits on milestones and targets in compliance with the Recovery and Resilience Facility Regulation had been adequately designed and effectively implemented, except for two very important issues related to: (a) the duration of audits; and (b) the auditing standards and quality assurance programme.
As regards the reliability of audit opinions on the legality and regularity of Erasmus+ expenditure declared
by national agencies, the audited directorate-general had effectively implemented measures that were adequately designed to ensure the reliability of audit opinions issued by the independent audit bodies to obtain the necessary assurance, except for one issue related to the management of observations.
To ensure that financial aid provided to the countries covered by a crisis declaration is delivered in
accordance with the principle of sound operational and financial management, the risk management and control systems put in place were found to be adequately designed and effectively implemented, except for the monitoring and reporting mechanism related to contracts concluded under flexible procedures.
The Internal Audit Service also carried out limited reviews on control results provided by partners. These
reviews concluded that the systems designed and implemented by the responsible directorates-general in the area of external relations to ensure that the management declarations contribute to the assurance on the effective implementation of EU funds under indirect management with entrusted entities are adequate, except for issues related to some aspects of the design and to the effectiveness and efficiency of management declarations as a control measure.
As regards the performance monitoring and evaluation framework, the Internal Audit Service identified
cases where the entities under examination needed to improve the processes in place:
An audit on the InvestEU programme confirmed an adequate and effective internal steering and coordination
mechanism for the financing of InvestEU Fund operations and a robust methodology on performance and monitoring indicators to monitor the implementation has been put in place. However, it identified shortcomings in the objectives that are defined in the relevant legal basis and in the indicators used to monitor and evaluate the achievement of the programme’s objectives.
An audit on the design of the performance monitoring and evaluation framework for the 2023-2027 Common
Agricultural Policy, found that it was adequately designed to monitor, evaluate and report on the
performance of the CAP Strategic Plans. However, the approach for approving changes to targets and milestones for result indicators needed further clarifications in the absence of clear provisions in the basic legislation.
Concerning procurement and contract management the Internal Audit Service identified three instances
where the entities under examination needed to improve the processes in place.
One audit identified one very important issue regarding the effectiveness and efficiency of the procurement approach followed for outsourced translations. Another audit identified one very important issue concerning the identification of (potential) conflict-of-interest aspects, which the responsible executive agency needs to reinforce, in cooperation with its parent directorates-general.
In an audit on high value procurement and contract management, the internal control system set up needs to be significantly enhanced to strengthen its efficiency and effectiveness. The Internal Audit Service identified five very important issues concerning: (a) the risk management and control strategy; (b) award criteria and the evaluation process; (c) contract value estimation and contract duration; (d) the early detection and exclusion system; and (e) ex ante controls on payments.
Operational processes
The Internal Audit Service performed six audits that focused on specific activities or programmes.
An audit on the management of EURopean Employment Services (EURES) and the EURES portal found
that the responsible directorate-general and the affiliated decentralised agency had put in place a number of arrangements to govern their cooperation. However, these arrangements had not always been sufficiently detailed or kept up to date in a number of areas, including IT governance and the mandate of the IT Steering Committee.
An audit carried out on the coordination mechanisms related to financial supervision found that the
responsible directorate-general had adequately designed and effectively and efficiently implemented the coordination mechanisms with the three supervisory authorities except for issues related to the questions and answers process, and review and evaluation.
Another audit found that processes for managing the control data of the Common Fisheries Policy had
been adequately designed and effectively and efficiently implemented, in line with the legal framework applicable at the time of the audit, except for one issue related to the reception, use and publication of data related to fishing opportunities.
An audit on the selection process in the European Personnel Selection Office concluded that the
governance, risk management and control processes set up by the Office responsible for the new competition model for permanent staff were not adequately designed. The identified issues included the management of clients’ needs and related communication aspects; the roadmap for the deployment of the new competition model and procedure for the selection process; and the indicators and monitoring for assessing the achievement of the objectives of the new competition model.
An audit carried out on the management of childcare services found that the offices in charge had, overall,
designed an adequate framework and control system. However, issues were identified in the implementation concerning the roles and responsibilities of the oversight committees and external actors involved; the establishment of the interinstitutional budget and allocation of costs and calculation of parental and institutional contributions; and IT controls on project management and the IT security of the relevant IT tool.
An audit on the management of in-kind contributions under Horizon Europe concluded that overall, the
responsible directorate-general had provided adequate support to the joint undertakings, except for one very important issue concerning IT support and the functionalities available in the IT tool.
Support processes
Human resource management
An audit carried out on the Human Resources Transformation Programme concluded that although the
programme’s governance structure and processes had been well set up overall, a very important issue relating
to the IT security management processes remained that may affect the achievement of the programme’s
strategic objectives and compliance with the Commission’s internal security standards.
Information technology (IT) governance, IT project management and IT security management
The Internal Audit Service carried out two audits in this area.
An audit carried out on IT governance and IT security management in one directorate-general revealed that,
overall, the governance, risk management and control system put in place for IT governance and IT security
arrangements was adequately designed and efficiently and effectively implemented, except for one issue
related to aligning business needs and recovery expectations, maintaining IT security plans and formalising
processes about incident and user access management.
For the Arachne+ project, the governance, risk management and control processes put in place by a
directorate-general, as system owner, with the support of other directorates-general, were not appropriate to
deliver phase 2 of the project effectively and to achieve the strategic objectives and business expectations for
the overall project within the allocated time and resources. IT security and personal data protection control
processes were compliant with the Commission’s process steps, but significant improvements were necessary
as regards the quality of IT security artefacts.
Additionally, a number of other audits looked at the IT aspects of audited processes and identified in
different cases adequate controls or weaknesses.
Overall conclusion on the Commission’s financial management
As required by its mission charter, the Internal Audit Service issues an annual overall conclusion on the
Commission’s financial management. This is based on the audit work in the area of financial management in
the Commission carried out in the past three years (2023 to 2025). It also takes into account information from
other sources, namely the reports of the European Court of Auditors. The overall conclusion is issued at the
same time as this report and covers the same year.
Based on this audit information, the Internal Auditor considered that in 2025 the Commission put in place
governance, risk management and internal control procedures which, taken as a whole, are adequate to give
reasonable assurance over the achievement of its financial objectives, with the exception of those areas of
financial management over which authorising officers by delegation have expressed reservations in their
declaration of assurance.
Without further qualifying the overall conclusion for 2025, the Internal Auditor draws attention to the need
to ensure that the control and assurance framework remains robust, proportionate and effective
to manage risks to an acceptable level, especially in the context of concurrent priorities and continuous
pressure on resources. This is particularly pertinent in view of the need to accelerate implementation and ensure
a timely closure of the current programmes while preparing for the upcoming multiannual financial framework,
which will introduce further innovative instruments and delivery models.
The challenging socio-economic and political environment and need to respond to the various crises during the
past few years required rapid mobilisation of unprecedented amounts of resources and funding, and the
creation of novel performance-based instruments. Delays in finalising and implementing the control and
audit strategies for the current programming period, as a result of the necessary adaptations to the
revised delivery models, should be given due attention. At the same time, the Commission has to continue the
simplification efforts to ensure that EU funding remains accessible and delivers results while ensuring sound
financial management.
In the context of a major overhaul of funding and delivery models under the next multiannual financial
framework, the Commission should make use of the lessons learned from the current 7-year period and
ensure that the assurance model is defined from the outset, in order for control strategies for individual
instruments to be developed in good time before implementation starts.
The continued shift towards performance-based delivery models will require a revised approach to enable
the Commission to provide assurance on the legality and regularity of expenditure, including where
necessary support to the Member States, adjustments to the organisation of the audit function and revision of
traditional legality and regularity indicators, such as the error rate.
Continued attention needs to be paid to proportionate and effective controls for the oversight of budget
amounts implemented by the Member States and/or third parties, considering the increased reliance
the Commission places on them.
In addition, the expanding financial operations of the Union highlight the importance of a robust and well-
integrated risk management framework and strong oversight of loans, budgetary guarantees and
financing through the issuance of debt securities.
Finally, to ensure delivery of its objectives relating to accountability, sound financial management and protection
of the EU budget, the Commission should continue efforts and seize opportunities to optimise the use of
limited resources and to adjust its organisation, processes and operations. The design of new assurance
models and the individual control strategies should be accompanied by a definition of adequate human
resources, in numbers, skills and timing, and a strategy for effectively leveraging appropriate technological
means, while carefully managing the risks they introduce.
Actions taken by auditees
The impact of the internal audit work on improving the Commission’s performance and accountability depends on the implementation of its recommendations. To enable oversight by the governing bodies, the Internal Audit Service carries out follow-up audits when the audited entity has reported the recommendation as ready for review. The Internal Audit Service also provides regular information to the Audit Progress Committee on the status of implementation of its recommendations.
The Internal Audit Service followed up on 50 previous audit engagements to review the implementation
of recommendations and issued 82 (9) follow-up notes to the respective directorates-general and services. As a result, for 22 engagements, all recommendations were closed (10), while for the other 28 engagements, one or more recommendations remained open by the cut-off date (11).
As illustrated below, at the cut-off date of 31 December 2025, out of a total of 773 (partially) accepted recommendations (12) made by the Internal Audit Service in 2021-2025, 525 (68%) were assessed by the auditees as implemented (13). This leaves a total of 248 recommendations (32%) that remain open.
Figure: Number of accepted recommendations issued in 2021-2025 by status (based on the auditees’ assessment). Total 773: open 248 (32%), implemented 525 (68%).
Figure: Number of open recommendations by rating. Total 248: critical 2 (1%), very important 112 (45%), important 134 (54%).
Source: European Commission, Internal Audit Service
(9) Some audit engagements were followed up more than once and some follow-up notes covered more than one audit engagement.
(10) Section 2.2 of the Staff Working Document contains the list of audits that were closed after a follow-up was performed.
(11) Section 2.1 of the Staff Working Document contains a list of audits that remained open after a follow-up was performed on critical and/or very important recommendations.
(12) Out of 777 recommendations issued in 2021-2025, 763 recommendations were fully accepted, 10 were partially accepted and four were rejected.
(13) The chart shows the rating of the recommendations on the cut-off date. This may differ from the rating in the original audit report because, in a follow-up audit, the Internal Audit Service may assess that the actions taken by the auditee partly mitigated the risks that were initially identified and may therefore downgrade the rating of the recommendation.
Of the 248 recommendations that remained open on the cut-off date, two were rated as critical, 112
(45%) as very important, and 134 (54%) as important.
Of the open recommendations, 43 were overdue (i.e. not implemented by the originally agreed date). These
overdue recommendations represented 5.6% of the (partially) accepted recommendations.
Of the overdue recommendations, four very important recommendations issued in 2021-2025 were classified as long overdue (i.e. open for more than six months after the original implementation date), compared to six recommendations in the previous year. These long overdue very important recommendations represented 0.5% of the total number of (partially) accepted recommendations in 2021-2025 (in line with the previous reporting period). Additionally, there is one very important long overdue recommendation that was issued before the 2021 audit plan, increasing the total number at the cut-off date to five very important recommendations.
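Figure: Delay of overdue recommendations by rating (issued in 2021-2025), showing very important and important recommendations by length of delay (< 6 months, 6 - 12 months, > 12 months).
Source: European Commission, Internal Audit Service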
Overall, the Internal Audit Service considers the implementation of its recommendations to be satisfactory and comparable with previous reporting periods. This shows that Commission services have been diligent in implementing the critical and very important recommendations, thus mitigating the risks highlighted by the Internal Audit Service.
Part 3 of the Staff Working Document accompanying this report summarises these very important long overdue recommendations.
Consultation with the Commission’s financial irregularities panel
The panel set up under Article 145 of the Financial Regulation did not report any systemic problems in 2025, when it gave its opinion referred to in Article 93 of the Financial Regulation.