Letter

Mr. Aivo Orav

Ambassador, Permanent Representative

Permanent Representation of Estonia to the

EU

Rue Guimard 11/13, 1040, Brussels

Mr. Mart Võrklaev

Minister of Finance

Ministry of Finance

Suur-Ameerika 1, 10122 Tallinn

Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË - Tel. +32 22991111

EUROPEAN COMMISSION DIRECTORATE-GENERAL ECONOMIC AND FINANCIAL AFFAIRS

Resources and performance management

The Director

Brussels, ECFIN.R.4/AUD/ GG/(2024)4036367

Subject: EPM Audit of Milestones and Targets

Estonian Recovery and Resilience Plan

Ref.: EE-Q2-2024-M/T Audit on M/T and Compliance (to be used in all

correspondence)

Your Excellency,

I am writing to inform you that the Control and evaluation Unit of the Directorate General for

Economic and Financial Affairs (DG ECFIN) will carry out a combined audit on milestones

and targets with a compliance part on the Audit Authority in the context of the Recovery and

Resilience Facility (RRF).

The possibility of such audit is foreseen in Article 12 of the Financing Agreement of the

Recovery Resilience Plan between the European Commission and the Estonia in accordance

with Article 22(2)(e) of the RRF Regulation1.

1. OBJECTIVE OF THE AUDIT

The objective of the audit is to obtain reasonable assurance on the satisfactory fulfilment

of the milestones and targets as declared in the request(s) for payment n° 1 submitted by

Estonia to the European Commission on 30/06/2023 and n° 2 submitted by Estonia to the

European Commission on 18/12/2023.

1 Regulation (EU) 2021/241 of the European Parliament and of the Council of 12 February 2021 establishing the Recovery

and Resilience Facility

2

The specific objective of the audit is to verify the reliability of reported data on achieved

milestones and targets as declared in the requests for payment to the European

Commission, as well as their aggregation.

2. SCOPE OF THE AUDIT

SEQUENTIAL

NUMBER (AS

IN CID)

NAME OF MEASURE MILESTONE

/ TARGET

INDICATORS

(QUANTITATIVE / QUALITATIVE)

BODY(IES) RESPONSIBLE

FOR REPORTING AND

IMPLEMENTATION / FOR

AUDITING

49 Development of

event services and

digital gateway for

entrepreneurs

target Number of IT development projects

contributing to the implementation of

the business event services and

gateway that have successfully

deployed new developments online.

These development projects shall be

either directly related to the

development of the digital gateway for

entrepreneurs or to the development of

business-event services, which

additionally include the development

of various related systems for

interfacing with the digital gateway.

As a result of each development

project, at least a minimally functional

IT solution shall be completed (i.e.,

the IT solution shall be operational at

least in the basic parts for the end

users (entrepreneurs) and shall be able

to provide feedback for further

development needs during the reform

implementation period or afterwards).

Compliance Audit:

Audit Authority

(Financial Control

Department -

Ministry of Finance of

Estonia)

78 Pilot Energy

Storage

Programme

milestone An open call for proposals shall be

published by the Environmental

Investment Centre to support energy

storage projects.

The call shall be based on project

selection criteria and award conditions

that ensure that the selected projects

comply with the ‘Do no significant

harm’ Technical Guidance

(2021/C58/01) through the use of an

exclusion list and the requirement of

compliance with the relevant EU and

national environmental legislation.

The selection/eligibility criteria shall

specify that the supported activities

and/or enterprises contribute to

climate-neutral economy, climate

resilience and climate change

adaptation, including circular

economy objectives.

Fulfilment of M/T

Audit:

Ministry of Climate

Environmental

Investment Centre

7 Development of

digital waybills

services

target Number of projects developing an

eFTI platform which have received a

positive grant decision.

Fulfilment of M/T

Audit:

3

The scope of the audit is limited to:

- A verification of the achievements of milestones and targets declared in the request for

payment n°1 submitted on 30/06/2023 and n°2 submitted on 18/12/2023 to the European

Commission; (Fulfilment of M/T Audit)

- Public Procurement and State Aide procedures and “Do no significant harm” (DNSH),

where applicable

- A verification of an adequate and independent audit of systems and cases of support to

investments and reforms -KR5; (Compliance Audit part on the Audit Authority)

- The review of the audit body’s methodology and procedures in relation to the above-

mentioned key requirement; (Compliance Audit)

- The review of the audit body’s working papers from audits carried out on the selected

milestones or targets declared to the Commission in the payment n°1 submitted on

30/06/2023 and n°2 submitted on 18/12/2023; (Compliance Audit)

- The re-performance of the selected audits of M/T; (Compliance Audit)

The audit work will trace and verify (recount) data for selected milestones and targets,

where possible.

3. ORGANISATION OF THE AUDIT WORK

The audit will consist of several phases carried out in the Commission (preparation,

reporting and follow-up) and at the premises of the Coordinating Body, Bodies

implementing reforms and investments, Audit Authority and if applicable, final recipients:

▪ Preparation (analysis of key documents such as manuals, checklists, procedures,

verification reports, methodology, etc.)

▪ Fieldwork (review of the data management and reporting systems and of the data

reported for the selected milestones and targets, including data verification for a

sample of final recipients / operations)

▪ Reporting and contradictory (observations) procedure

▪ Follow-up

Ministry of Economic

Affairs and

Communications

Estonian Business and

Innovation Agency

4

4. DATES

The audit field work will be carried out during the week of 10-14 June 2024. As indicated

in chapter 6 of this letter, the lead auditor will be in contact with the Estonian authorities

and will send a detailed agenda once the requested documentation has been received. The

audit will take place at the premises of the Coordinating body and of the Bodies

implementing reforms and investments. In addition, further to the analysis of the

information requested in point 6, the audit may also take place, if appropriate, at the

premises of the final recipients of the selected operation(s)/project(s).

For this particular audit, the bodies implementing reforms and investments concerned are

indicated in point 2, as responsible for the implementation and reporting. In case there are

other bodies responsible for implementing and reporting on the selected milestones and

targets, I would be grateful if Estonian authorities could inform us.

The audit body is invited to participate in the audit as an observer.

5. AUDIT TEAM

The lead auditor responsible for the conduct of the audit is Ms GALLI Giulia, +32 2 29

88200, [email protected], the associated auditors will be Judith SCHRENK

and Peter NIKLAS.

I would be grateful if the Estonian authorities concerned could indicate the name,

telephone number and e-mail address of the contact person(s) in the Coordinating body of

the Recovery and Resilience Plan responsible for this audit, in order to make further

practical arrangements ensuring the smooth operational running of this task, in particular

the exchange of documents and information as well as the clearing and adversarial

procedures.

6. DOCUMENTS AND INFORMATION REQUIRED

In order to facilitate the preparation of the audit, I would be grateful if the services

concerned would provide the information set out in annexes II, III, IV, and V by 30 May

2024. In addition to the documentation required, these annexes (information sheets) allow

the Bodies being audited to identify the tasks to be performed by the audit team and the

key persons whose presence is needed during the fieldwork.

Further details, including the detailed agenda and the list of the operations/final recipients

selected for this audit will be communicated later following the analysis of the information

requested. For the selected operations/final recipients, a comprehensive file (including all

the relevant working papers on the milestone and target data processing and evaluation

reports on selected projects) should be made available to the auditors.

For any queries or clarifications, in particular with regard to the requested information

and documents in preparation of this audit, please do not hesitate to contact the lead

auditor for this audit is Ms GALLI Giulia, +32 2 29 88200, [email protected].

5

7. PROTECTION OF PERSONAL DATA

The Commission services would like to draw your attention to the fact that data collected

during the audit may include information relating to an identified or identifiable natural

person (‘data subject’). Such information could be stored on the servers of the

Commission. Regulation (EC) No 2018/1725 (OJ L 295, 21.11.2018, p.39) of the

European Parliament and of the Council, applicable to Union institutions, and Regulation

(EU) 2016/679 (OJ L 119, 4.5.2016, p.1), applicable to Member States, protect the right

to privacy of natural persons with respect to the processing of personal data. In order to

inform the data subjects of their rights, you are kindly asked to deliver the enclosed

Information note on Protection of Personal Data collected by DG Economic and Financial

Affairs’ Control and Evaluation Unit (Annex I) to the Bodies or Organisations to be

audited in the context of this audit.

Yours faithfully,

Bernadette Frederick

Enclosure: Annex I - Information note on Protection of Personal Data collected by the

Control and evaluation Unit of DG ECFIN

Annex II - Information Sheet for the Coordinating body selected for the Audit

on milestones and targets.

Annex III - Information Sheet for the Intermediary body level selected for the

Audit on milestones and targets.

Annex IV - Information sheet for the Final recipients selected for the Audit on

milestones and targets.

c.c.:

Anu Alber, Head of Financial Control Department, Ministry of Finance

of the Republic of Estonia, the RRF audit body

Mart Pechter, Advisor of the Financial Control Department, Ministry of

Finance of the Republic of Estonia, the RRF audit body

Triin Tomingas, Head of Foreign Financing Unit, State Budget

Department, Ministry of Finance of the Republic of Estonia

Siret Soosein, Expert, State Shared Service Centre, RRP coordinator

Katri Targama, Head of the Grants Management Unit, State Shared

Services Centre

e-signed

6

Directorate-General for Economic and Financial Affairs

Mark Schelfhout, Head of Unit, ECFIN R.4

Jakob Wegener Friis, Director ECFIN E

Joern Griesse, Head of Unit, ECFIN E.2

Recovery and Resilience Task Force

Maria Teresa Fabregas Fernandez, Director, SG.RECOVER.B

Luca Rossi, Head of Unit, SG.RECOVER.B2

Ave Schank-Lukas, SG.RECOVER.B2 – Tallinn

Joint audit service for Cohesion (DAC)

Franck Sebert, Director, REGIO.EMPL.DAC

European Anti-fraud Office (OLAF):

James Sweeney, Director, OLAF.C – Anti-Fraud Knowledge Centre

Charlotte Arwidi, Head of Unit OLAF.C.1 - Anti-Corruption, Anti-

Fraud Strategy and Analysis

European Court of Auditors

[email protected]

7

Annex I - Information note on Protection of Personal Data collected by Directorate-

General for Economic and Financial Affairs’ Control and evaluation unit at the

European Commission

1. Introduction

The European Commission (hereafter ‘the Commission’) is committed to protect your

personal data and to respect your privacy. The Commission collects and further processes

personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the

Council of 23 October 2018 on the protection of natural persons with regard to the processing

of personal data by the Union institutions, bodies, offices and agencies and on the free

movement of such data, is applicable (repealing Regulation (EC) 45/2001).

This privacy statement explains the reason for the processing of your personal data, the way

we collect, handle and ensure protection of all personal data provided, how that information

is used and what rights you have in relation to your personal data. It also specifies the contact

details of the responsible Data Controller with whom you may exercise your rights, the Data

Protection Officer and the European Data Protection Supervisor.

This privacy statement concerns the processing operation ‘External audits and controls’,

undertaken by the Commission (DG ECFIN, unit R.4) as presented below.

2. Why and how do we collect your personal data?

Purpose of the processing operation: The Commission collects and uses your personal data to

do any kind of financial control including ex-ante controls, desk checks, financial

verifications and audits of grant agreements or contracts to verify beneficiaries’ or

contractors’, subcontractors’ or third parties’ compliance with all contractual provisions

(including financial provisions), in view of checking that the provisions of the grant

agreements or the contracts are being properly implemented and in view of assessing the

legality and regularity of the transaction underlying the implementation of the general budget

of the Union.

Your personal data will not be used for an automated decision-making including profiling.

3. On what legal ground(s) do we process your personal data?

The possibility for the Commission to carry out checks and financial controls is foreseen in

the model grant agreement and contract signed between the Commission and the

beneficiary/contractor, as required by the Financial Regulation (‘FR’) applicable to the

General Budget of the European Communities2.

We process your personal data because:

2 Articles 117-123 FR on internal audits, article 127 on cross-reliance audits, articles 183 and 203 FR on

audits covering grant agreements and articles 254 – 259 FR on external audits by the Court of Auditors.

8

The processing operations on personal data carried out in the context of audit and control

activities3 are necessary and lawful under the following articles of the Regulation (EU)

1725/2018:

a) processing is necessary for the performance of a task carried out in the public interest or

in the exercise of official authority vested in the Union institution or body4;

b) processing is necessary for compliance with a legal obligation to which the controller is

subject5.

4. Which personal data do we collect and further process?

In order to carry out any kind of financial controls, ex-ante and ex-post, the Data Controller

could collect the following categories of personal data:

Mandatory:

• Mandatory contact data: name, company, e-mail address, telephone number;

• Mandatory data for access to finance and contractual obligations. Such data can be:

bank account reference (IBAN and BIC codes), VAT number, passport or ID number;

timesheets, salary slips, accounts, details of the costs, missions, reports, information

coming from local IT system used to declare costs as eligible, supporting documents

linked to travel costs, minutes from mission and other similar data depending of the

nature of the grant/contract, etc.;

• Mandatory information for the evaluation of selection criteria or eligibility criteria:

expertise, technical skills and languages, educational background, professional

experience, including details on current and past employment;

Voluntary:

• Voluntary data: other contact details (mobile telephone number, fax number,

professional postal address, function and department, country of residence);

• Voluntary data that may be collected by the website if there is consent to its cookies:

IP address, language preference, etc.

3 The audit and control activities are varied across the Commission departments as they can be conducted at

any time during the performance of the programme or project and can concern beneficiaries, projects,

system, transactions, etc. depending on the needs of the contracting authority. The audit and control

activities may be carried out on documents and/or on the spot, and may be carried out either before or after

the final payment to the beneficiary. Audits and controls of documents may be carried out in any place

where the funds in question are managed or used; the geographical scope is therefore worldwide.

The specific contract should specify what the audit and control is to cover (subject and location).

4 Article 5 (1) (a) of Regulation (EU) 2018/1725 and, in particular, Articles 317, 319 TFEU and Article 106

(a) of the Euratom Treaty.

5 In particular Articles 117, 183, 203.4 and 5, and 262 of the FR.

9

5. How long do we keep your data?

The Data Controller only keeps your personal data for the time necessary to fulfil the purpose

of collection or further processing, namely for 10 years after the audit is closed on condition

that no contentious issues occurred; in this case, data will be kept until the end of the last

possible legal procedure.

6. How do we protect and safeguard your personal data?

All personal data in electronic format (e-mails, documents, databases, uploaded batches of

data, etc.) are stored either on the servers of the European Commission or of its contractors

(processors), if contractors are engaged to assist the controller. All processing operations are

carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017

on the security of communication and information systems in the Commission.

In order to protect your personal data, the Commission has put in place a number of technical

and organisational measures in place. Technical measures include appropriate actions to

address online security, risk of data loss, alteration of data or unauthorised access, taking into

consideration the risk presented by the processing and the nature of the personal data being

processed. Organisational measures include restricting access to the personal data solely to

authorised persons with a legitimate need to know for the purposes of this processing

operation.

If the controller uses (a) contractor(s) (processor(s)) to assist the controller, this will be

indicated in the specific privacy statement and the following paragraph will be provided:

The Commission’s contractors are bound by a specific contractual clause for any processing

operations of your data on behalf of the Commission, and by the confidentiality obligations

deriving from the transposition of the General Data Protection Regulation in the EU Member

States (‘GDPR’ Regulation (EU) 2016/679).

7. Who has access to your data and to whom is it disclosed?

Access to your personal data may be provided on a ‘need to know’ basis to Commission

services and staff dealing with the external audit or control (including those

supervising/approving), inclusive of OLAF.

In addition, staff from the Council, European Parliament, European Court of Auditors may

have access to your personal data. Finally, your data may be shared with national managing,

certifying and Audit Authorities in shared management, beneficiaries/final recipients and

external contractors.

The information we collect will not be given to any third party, except to the extent and for

the purpose we may be required to do so by Union law, including the possible transmission

of personal data to EU bodies or institutions in charge of audit or inspection in accordance

with the EU Treaties.

8. What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation

(EU) 2018/1725, in particular the right to access, rectify or erase your personal data and the

right to restrict the processing of your personal data. Where applicable, you also have the right

to object to the processing or the right to data portability.

10

You have the right to object to the processing of your personal data, which is lawfully carried

out pursuant to Article 5(1)(a) on grounds relating to your particular situation.

You can exercise your rights by contacting the Data Controller, or in case of conflict the Data

Protection Officer. If necessary, you can also address the European Data Protection

Supervisor. Their contact information is given under Heading 9 below.

Where you wish to exercise your rights in the context of one or several specific processing

operations, please provide their description (i.e. their Record reference(s) as specified under

Heading 10 below) in your request.

9. Contact information

- The Data Controller

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have

comments, questions or concerns, or if you would like to submit a complaint regarding the

collection and use of your personal data, please feel free to contact the Data Controller.

European Commission, DG ECFIN, Unit R.4 at [email protected].

- The Data Protection Officer of the European Commission

You may contact the Data Protection Officer ([email protected]) with

regard to issues related to the processing of your personal data under Regulation (EU)

2018/1725.

- The European Data Protection Supervisor (EDPS)

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data

Protection Supervisor, https://edps.europa.eu:data-protection/our-role-

supervisor/complaints_en or [email protected], if you consider that your rights under

Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal

data by the Data Controller.

10. Where to find more detailed information?

The Commission Data Protection Officer (DPO) publishes the register of all processing

operations on personal data by the Commission, which have been documented and notified to

him. You may access the register via the following link: http://ec.europa.eu/dpo-register.

This specific processing operation has been included in the DPO’s public register with the

following Record reference: 04466.1

11

Annex II - Information Sheet for the Coordinating body selected for the Audit on milestones and

targets.

1. Objective of the audit

The objectives of the audit are to :

• Verify that appropriate data management and reporting systems are in place; and

• Assess the reliability of the reported data for the selected milestones and targets.

2. Milestones and Targets and related indicators included in the audit

SEQUENTIAL

NUMBER (AS

IN CID)

NAME OF MEASURE MILESTONE

/ TARGET

INDICATORS

(QUANTITATIVE / QUALITATIVE)

BODY(IES)

RESPONSIBLE FOR

REPORTING AND

IMPLEMENTATION / FOR

AUDITING

78 Pilot Energy Storage

Programme

milestone An open call for proposals

shall be published by the

Environmental Investment

Centre to support energy

storage projects.

The call shall be based on

project selection criteria and

award conditions that ensure

that the selected projects

comply with the ‘Do no

significant harm’ Technical

Guidance (2021/C58/01)

through the use of an

exclusion list and the

requirement of compliance

with the relevant EU and

national environmental

legislation. The

selection/eligibility criteria

shall specify that the

supported activities and/or

enterprises contribute to

climate-neutral economy,

climate resilience and climate

change adaptation, including

circular economy objectives.

Fulfilment of M/T

Audit:

Ministry of Climate

Environmental

Investment Centre

7 Development of digital

waybills services

target Number of projects

developing an eFTI platform

which have received a positive

grant decision.

Fulfilment of M/T

Audit:

Ministry of Economic

Affairs and

Communications

Estonian Business

and Innovation

Agency

12

3. Tasks performed by the audit team at the Coordinating body

• Interview Manager and staff involved in monitoring and reporting and data-management;

• Review of the systems and procedures relating to the collection, storage, verification

and reporting of data on the achievement of milestones and targets;

• Review availability, completeness, and timeliness of reports received from the lower levels (e.g.

bodies implementing reforms and investments and final recipients);

• Review of the reports/data received from the lower levels (e.g. bodies implementing reforms and

investments and final recipients);

• Re-count numbers from received reports/data and compare result to the information reported to

the Commission in Fenix.

• Review of the DNSH guidelines/check lists used

4. Staff to be available at the Coordinating body during the audit

• RRP Manager.

• Data-management official.

• Staff involved in reviewing and compiling reports received from lower levels.

• IT staff involved in database management, if applicable.

5. Documentation to prepare in advance of arrival of the audit team

All documents related to point 3 should be submitted in one of these formats: .pdf, .doc, .docx, .xls, .xlsx,

.xml, .msg, .csv, .ods, . txt, .jpg, .png, .ppt, .pptx, .eml, .zip. Impossibility to convert files into these formats

will be discussed case by case.

During the visit, for the operations/final recipients selected for the audit, a comprehensive file (including

all the relevant working papers on the milestone/target and related indicators data processing) should be

made available to the audit team.

6. Expected time of audit team at the Coordinating body

A more detailed planning of the audit mission will be communicated at a later stage.

WARNING: In no circumstances should reports be fabricated for the purpose of the audit.

13

Annex III – Information Sheet for the Intermediate body level

selected for the Audit on milestones and targets.

1. Objective of the audit

The objectives of the Audit are to:

• Assess that appropriate data management and reporting systems are in place; and

• Verify the reliability of the reported data for the selected milestones and targets.

2. Milestones and Targets and related indicators included in the audit

SEQUENTIAL

NUMBER (AS

IN CID)

NAME OF MEASURE MILESTONE

/ TARGET

INDICATORS

(QUANTITATIVE / QUALITATIVE)

BODY(IES)

RESPONSIBLE FOR

REPORTING AND

IMPLEMENTATION / FOR

AUDITING

78 Pilot Energy Storage

Programme

milestone An open call for proposals

shall be published by the

Environmental Investment

Centre to support energy

storage projects.

The call shall be based on

project selection criteria and

award conditions that ensure

that the selected projects

comply with the ‘Do no

significant harm’ Technical

Guidance (2021/C58/01)

through the use of an

exclusion list and the

requirement of compliance

with the relevant EU and

national environmental

legislation. The

selection/eligibility criteria

shall specify that the

supported activities and/or

enterprises contribute to

climate-neutral economy,

climate resilience and climate

change adaptation, including

circular economy objectives.

Fulfilment of M/T

Audit:

Ministry of Climate

Environmental

Investment Centre

7 Development of digital

waybills services

target Number of projects

developing an eFTI platform

which have received a positive

grant decision.

Fulfilment of M/T

Audit:

Ministry of Economic

Affairs and

Communications

Estonian Business

and Innovation

Agency

14

3. Tasks performed by the audit team at the Intermediate body level

• Interview body implementing reforms and investments manager and staff involved in

monitoring, reporting and data-management.

• Review of the systems and procedures relating to the collection, storage, verification and

reporting of data on the achievement of milestones and targets;

• Review availability, completeness, and timeliness of reports received from the lower levels (e.g.

final recipients);

• Review of the reports/data received from the lower levels (e.g. final recipients);

• Re-count numbers from received reports and compare result to the numbers reported to the next

level.

• Review of the DNSH guidelines/check lists used

4. Staff to be available at the Intermediate body level during the audit

• Manager of the body implementing reforms and investments,

• Staff involved in reviewing and compiling reports received from reporting Final recipients.

• IT staff involved in database management, if applicable.

5. Documentation to prepare in advance of arrival of the audit team, if different than the

documentation provided by the coordinating body

All documents related to point 3 should be submitted in one of these formats: .pdf, .doc, .docx, .xls, .xlsx,

.xml, .msg, .csv, .ods, . txt, .jpg, .png, .ppt, .pptx, .eml, .zip. Impossibility to convert files into these formats

will be discussed case by case.

During the visit, for the operations/final recipients selected for the audit, a comprehensive file (including

all the relevant working papers on the milestone/target and related indicators data processing), should be

made available to the audit team.

6. Expected time of audit team at the Intermediate body level site

Between one-half and two days at each Intermediate level site – a more detailed planning of the audit

mission will be communicated at a later stage. Depending on the complexity of the verification

mechanism and number of milestones and targets associated to the same body, this timing could be

prolonged.

WARNING: In no circumstances should reports be fabricated for the purpose of the audit.

15

Annex IV - Information sheet for all Final recipients selected for the Audit on milestones and

targets.

1. Objective of the audit

The objectives of the audit are to:

• Assess that appropriate data management and reporting systems are in place; and

• Verify the reliability of the reported data for the selected milestones and targets.

2. Milestones and Targets and related indicators included in the audit

SEQUENTIAL

NUMBER (AS

IN CID)

NAME OF

MEASURE

MILESTONE

/ TARGET

INDICATORS

(QUANTITATIVE / QUALITATIVE)

BODY(IES)

RESPONSIBLE FOR

REPORTING AND

IMPLEMENTATION /

FOR AUDITING

7 Development of

digital waybills

services

target Number of projects

developing an eFTI platform

which have received a positive

grant decision.

Fulfilment of M/T

Audit:

Ministry of

Economic Affairs

and

Communications

Estonian Business

and Innovation

Agency

3. Tasks performed by the audit team at the Final recipient

• Understand how and when source documents are completed in relation to the

activities/services/outputs/results.

• Review availability and completeness of all source documents for the selected request for

payment.

• Recount the recorded numbers from available source documents and compare result to the

numbers reported by the final recipients.

• Compare reported numbers with other data sources

• Verify the actual delivery of the services/outputs/results (if feasible).

• Review of the DNSH guidelines/check lists used

4. Staff to be available at the Final recipient during the audit (not needed for the selected measures)

• Final recipient Manager.

• Staff responsible for completing the source documents.

• Staff responsible for entering data in registers or IT systems (as appropriate).

• Staff responsible for compiling the periodic reports (e.g., monthly, quarterly, etc.).

16

5. Documentation to prepare in advance of arrival of the audit team, if different than the

documentation provided by the coordinating body

All documents related to point 3 should be submitted in one of these formats: .pdf, .doc, .docx, .xls, .xlsx,

.xml, .msg, .csv, .ods, . txt, .jpg, .png, .ppt, .pptx, .eml, .zip. Impossibility to convert files into these formats

will be discussed case by case.

During the visit, for the operations/final recipient selected for the audit, a comprehensive file (including

all the relevant working papers on the milestone/target and related indicators data processing) should be

made available to the audit team.

6. Expected time of audit team at the Final recipient site

Between one-half and two days at each final recipient site – a more detailed planning of the audit mission

will be communicated at a later stage. Depending on the complexity of the verification mechanism, the

size of the final recipient and the data reported by final recipient, this timing could be prolonged.

WARNING: In no circumstances should source documents or reports be fabricated for the purpose of

the audit.

17

Annex V - Information sheet for all measures selected for the Compliance Audit.

1. Objective of the audit

The objectives of the audit are to:

• The re-performance of the selected audit (T49) of M/T

2. Milestones and Targets and related indicators included in the audit

SEQUENTIAL

NUMBER (AS

IN CID)

NAME OF MEASURE MILESTONE

/ TARGET

INDICATORS

(QUANTITATIVE / QUALITATIVE)

BODY(IES) RESPONSIBLE FOR

REPORTING AND IMPLEMENTATION /

FOR AUDITING

49 Development of event services

and digital gateway for

entrepreneurs

target Number of IT development

projects contributing to the

implementation of the

business event services and

gateway that have successfully

deployed new developments

online.

These development projects

shall be either directly related

to the development of the

digital gateway for

entrepreneurs or to the

development of business-

event services, which

additionally include the

development of various

related systems for interfacing

with the digital gateway. As a

result of each development

project, at least a minimally

functional IT solution shall be

completed (i.e., the IT solution

shall be operational at least in

the basic parts for the end

users (entrepreneurs) and shall

be able to provide feedback

for further development needs

during the reform

implementation period or

afterwards).

Compliance Audit:

Audit Authority

(Financial Control Department -

Ministry of Finance of Estonia)

3. Tasks performed by the audit team at the Audit Authority

• Interview Audit Authority and staff involved in auditing the RRF measures.

• Understand how and when source documents are completed in relation to the

activities/services/outputs/results.

• Review availability and completeness of all source documents for the selected request for

payment.

18

• Compare reported numbers with other data sources.

• Verify the actual delivery of the services/outputs/results (if feasible).

• Review of the DNSH guidelines/check lists used

4. Staff to be available at the Audit Authority during the audit

• Member State Audit Team.

• Staff responsible for completing the audit report related to the measure selected.

5. Documentation to prepare in advance of arrival of the audit team, if different than the

documentation provided by the coordinating body

• Audit body's updated audit strategy of the RRP;

• Audit body's methodology and procedures for carrying out the audit work, i.e. the audit manual

together with templates of checklists and other working documents;

• Audit reports from the selected audit on T 49;

• Documentation of relevant state aid and public procurement procedures checks (checklists

used).

All documents submitted should be in one of these formats: .pdf, .doc, .docx, .xls, .xlsx, .xml, .msg, .csv,

.ods, . txt, .jpg, .png, .ppt, .pptx, .eml, .zip. Impossibility to convert files into these formats will be

discussed case by case.

During the visit, for the operations/final recipient selected for the audit, a comprehensive file (including

all the relevant working papers on the milestone/target and related indicators data processing) should be

made available to the audit team.

6. Expected time of audit team at the Audit Authority site

About one day at Audit Authority’s site – a more detailed planning of the audit mission will be

communicated at a later stage.

WARNING: In no circumstances should source documents or reports be fabricated for the purpose of

the audit.

Electronically signed on 17/05/2024 12:10 (UTC+02) in accordance with Article 11 of Commission Decision (EU) 2021/2121

Mr. Aivo Orav

Ambassador, Permanent Representative

Permanent Representation of Estonia to the

EU

Rue Guimard 11/13, 1040, Brussels

Mr. Mart Võrklaev

Minister of Finance

Ministry of Finance

Suur-Ameerika 1, 10122 Tallinn

Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË - Tel. +32 22991111

EUROPEAN COMMISSION DIRECTORATE-GENERAL ECONOMIC AND FINANCIAL AFFAIRS

Resources and performance management

The Director

Brussels, ECFIN.R.4/AUD/ GG/(2024)4036367

Subject: EPM Audit of Milestones and Targets

Estonian Recovery and Resilience Plan

Ref.: EE-Q2-2024-M/T Audit on M/T and Compliance (to be used in all

correspondence)

Your Excellency,

I am writing to inform you that the Control and evaluation Unit of the Directorate General for

Economic and Financial Affairs (DG ECFIN) will carry out a combined audit on milestones

and targets with a compliance part on the Audit Authority in the context of the Recovery and

Resilience Facility (RRF).

The possibility of such audit is foreseen in Article 12 of the Financing Agreement of the

Recovery Resilience Plan between the European Commission and the Estonia in accordance

with Article 22(2)(e) of the RRF Regulation1.

1. OBJECTIVE OF THE AUDIT

The objective of the audit is to obtain reasonable assurance on the satisfactory fulfilment

of the milestones and targets as declared in the request(s) for payment n° 1 submitted by

Estonia to the European Commission on 30/06/2023 and n° 2 submitted by Estonia to the

European Commission on 18/12/2023.

1 Regulation (EU) 2021/241 of the European Parliament and of the Council of 12 February 2021 establishing the Recovery

and Resilience Facility

2

The specific objective of the audit is to verify the reliability of reported data on achieved

milestones and targets as declared in the requests for payment to the European

Commission, as well as their aggregation.

2. SCOPE OF THE AUDIT

SEQUENTIAL

NUMBER (AS

IN CID)

NAME OF MEASURE MILESTONE

/ TARGET

INDICATORS

(QUANTITATIVE / QUALITATIVE)

BODY(IES) RESPONSIBLE

FOR REPORTING AND

IMPLEMENTATION / FOR

AUDITING

49 Development of

event services and

digital gateway for

entrepreneurs

target Number of IT development projects

contributing to the implementation of

the business event services and

gateway that have successfully

deployed new developments online.

These development projects shall be

either directly related to the

development of the digital gateway for

entrepreneurs or to the development of

business-event services, which

additionally include the development

of various related systems for

interfacing with the digital gateway.

As a result of each development

project, at least a minimally functional

IT solution shall be completed (i.e.,

the IT solution shall be operational at

least in the basic parts for the end

users (entrepreneurs) and shall be able

to provide feedback for further

development needs during the reform

implementation period or afterwards).

Compliance Audit:

Audit Authority

(Financial Control

Department -

Ministry of Finance of

Estonia)

78 Pilot Energy

Storage

Programme

milestone An open call for proposals shall be

published by the Environmental

Investment Centre to support energy

storage projects.

The call shall be based on project

selection criteria and award conditions

that ensure that the selected projects

comply with the ‘Do no significant

harm’ Technical Guidance

(2021/C58/01) through the use of an

exclusion list and the requirement of

compliance with the relevant EU and

national environmental legislation.

The selection/eligibility criteria shall

specify that the supported activities

and/or enterprises contribute to

climate-neutral economy, climate

resilience and climate change

adaptation, including circular

economy objectives.

Fulfilment of M/T

Audit:

Ministry of Climate

Environmental

Investment Centre

7 Development of

digital waybills

services

target Number of projects developing an

eFTI platform which have received a

positive grant decision.

Fulfilment of M/T

Audit:

3

The scope of the audit is limited to:

- A verification of the achievements of milestones and targets declared in the request for

payment n°1 submitted on 30/06/2023 and n°2 submitted on 18/12/2023 to the European

Commission; (Fulfilment of M/T Audit)

- Public Procurement and State Aide procedures and “Do no significant harm” (DNSH),

where applicable

- A verification of an adequate and independent audit of systems and cases of support to

investments and reforms -KR5; (Compliance Audit part on the Audit Authority)

- The review of the audit body’s methodology and procedures in relation to the above-

mentioned key requirement; (Compliance Audit)

- The review of the audit body’s working papers from audits carried out on the selected

milestones or targets declared to the Commission in the payment n°1 submitted on

30/06/2023 and n°2 submitted on 18/12/2023; (Compliance Audit)

- The re-performance of the selected audits of M/T; (Compliance Audit)

The audit work will trace and verify (recount) data for selected milestones and targets,

where possible.

3. ORGANISATION OF THE AUDIT WORK

The audit will consist of several phases carried out in the Commission (preparation,

reporting and follow-up) and at the premises of the Coordinating Body, Bodies

implementing reforms and investments, Audit Authority and if applicable, final recipients:

▪ Preparation (analysis of key documents such as manuals, checklists, procedures,

verification reports, methodology, etc.)

▪ Fieldwork (review of the data management and reporting systems and of the data

reported for the selected milestones and targets, including data verification for a

sample of final recipients / operations)

▪ Reporting and contradictory (observations) procedure

▪ Follow-up

Ministry of Economic

Affairs and

Communications

Estonian Business and

Innovation Agency

4

4. DATES

The audit field work will be carried out during the week of 10-14 June 2024. As indicated

in chapter 6 of this letter, the lead auditor will be in contact with the Estonian authorities

and will send a detailed agenda once the requested documentation has been received. The

audit will take place at the premises of the Coordinating body and of the Bodies

implementing reforms and investments. In addition, further to the analysis of the

information requested in point 6, the audit may also take place, if appropriate, at the

premises of the final recipients of the selected operation(s)/project(s).

For this particular audit, the bodies implementing reforms and investments concerned are

indicated in point 2, as responsible for the implementation and reporting. In case there are

other bodies responsible for implementing and reporting on the selected milestones and

targets, I would be grateful if Estonian authorities could inform us.

The audit body is invited to participate in the audit as an observer.

5. AUDIT TEAM

The lead auditor responsible for the conduct of the audit is Ms GALLI Giulia, +32 2 29

88200, [email protected], the associated auditors will be Judith SCHRENK

and Peter NIKLAS.

I would be grateful if the Estonian authorities concerned could indicate the name,

telephone number and e-mail address of the contact person(s) in the Coordinating body of

the Recovery and Resilience Plan responsible for this audit, in order to make further

practical arrangements ensuring the smooth operational running of this task, in particular

the exchange of documents and information as well as the clearing and adversarial

procedures.

6. DOCUMENTS AND INFORMATION REQUIRED

In order to facilitate the preparation of the audit, I would be grateful if the services

concerned would provide the information set out in annexes II, III, IV, and V by 30 May

2024. In addition to the documentation required, these annexes (information sheets) allow

the Bodies being audited to identify the tasks to be performed by the audit team and the

key persons whose presence is needed during the fieldwork.

Further details, including the detailed agenda and the list of the operations/final recipients

selected for this audit will be communicated later following the analysis of the information

requested. For the selected operations/final recipients, a comprehensive file (including all

the relevant working papers on the milestone and target data processing and evaluation

reports on selected projects) should be made available to the auditors.

For any queries or clarifications, in particular with regard to the requested information

and documents in preparation of this audit, please do not hesitate to contact the lead

auditor for this audit is Ms GALLI Giulia, +32 2 29 88200, [email protected].

5

7. PROTECTION OF PERSONAL DATA

The Commission services would like to draw your attention to the fact that data collected

during the audit may include information relating to an identified or identifiable natural

person (‘data subject’). Such information could be stored on the servers of the

Commission. Regulation (EC) No 2018/1725 (OJ L 295, 21.11.2018, p.39) of the

European Parliament and of the Council, applicable to Union institutions, and Regulation

(EU) 2016/679 (OJ L 119, 4.5.2016, p.1), applicable to Member States, protect the right

to privacy of natural persons with respect to the processing of personal data. In order to

inform the data subjects of their rights, you are kindly asked to deliver the enclosed

Information note on Protection of Personal Data collected by DG Economic and Financial

Affairs’ Control and Evaluation Unit (Annex I) to the Bodies or Organisations to be

audited in the context of this audit.

Yours faithfully,

Bernadette Frederick

Enclosure: Annex I - Information note on Protection of Personal Data collected by the

Control and evaluation Unit of DG ECFIN

Annex II - Information Sheet for the Coordinating body selected for the Audit

on milestones and targets.

Annex III - Information Sheet for the Intermediary body level selected for the

Audit on milestones and targets.

Annex IV - Information sheet for the Final recipients selected for the Audit on

milestones and targets.

c.c.:

Anu Alber, Head of Financial Control Department, Ministry of Finance

of the Republic of Estonia, the RRF audit body

Mart Pechter, Advisor of the Financial Control Department, Ministry of

Finance of the Republic of Estonia, the RRF audit body

Triin Tomingas, Head of Foreign Financing Unit, State Budget

Department, Ministry of Finance of the Republic of Estonia

Siret Soosein, Expert, State Shared Service Centre, RRP coordinator

Katri Targama, Head of the Grants Management Unit, State Shared

Services Centre

e-signed

6

Directorate-General for Economic and Financial Affairs

Mark Schelfhout, Head of Unit, ECFIN R.4

Jakob Wegener Friis, Director ECFIN E

Joern Griesse, Head of Unit, ECFIN E.2

Recovery and Resilience Task Force

Maria Teresa Fabregas Fernandez, Director, SG.RECOVER.B

Luca Rossi, Head of Unit, SG.RECOVER.B2

Ave Schank-Lukas, SG.RECOVER.B2 – Tallinn

Joint audit service for Cohesion (DAC)

Franck Sebert, Director, REGIO.EMPL.DAC

European Anti-fraud Office (OLAF):

James Sweeney, Director, OLAF.C – Anti-Fraud Knowledge Centre

Charlotte Arwidi, Head of Unit OLAF.C.1 - Anti-Corruption, Anti-

Fraud Strategy and Analysis

European Court of Auditors

[email protected]

7

Annex I - Information note on Protection of Personal Data collected by Directorate-

General for Economic and Financial Affairs’ Control and evaluation unit at the

European Commission

1. Introduction

The European Commission (hereafter ‘the Commission’) is committed to protect your

personal data and to respect your privacy. The Commission collects and further processes

personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the

Council of 23 October 2018 on the protection of natural persons with regard to the processing

of personal data by the Union institutions, bodies, offices and agencies and on the free

movement of such data, is applicable (repealing Regulation (EC) 45/2001).

This privacy statement explains the reason for the processing of your personal data, the way

we collect, handle and ensure protection of all personal data provided, how that information

is used and what rights you have in relation to your personal data. It also specifies the contact

details of the responsible Data Controller with whom you may exercise your rights, the Data

Protection Officer and the European Data Protection Supervisor.

This privacy statement concerns the processing operation ‘External audits and controls’,

undertaken by the Commission (DG ECFIN, unit R.4) as presented below.

2. Why and how do we collect your personal data?

Purpose of the processing operation: The Commission collects and uses your personal data to

do any kind of financial control including ex-ante controls, desk checks, financial

verifications and audits of grant agreements or contracts to verify beneficiaries’ or

contractors’, subcontractors’ or third parties’ compliance with all contractual provisions

(including financial provisions), in view of checking that the provisions of the grant

agreements or the contracts are being properly implemented and in view of assessing the

legality and regularity of the transaction underlying the implementation of the general budget

of the Union.

Your personal data will not be used for an automated decision-making including profiling.

3. On what legal ground(s) do we process your personal data?

The possibility for the Commission to carry out checks and financial controls is foreseen in

the model grant agreement and contract signed between the Commission and the

beneficiary/contractor, as required by the Financial Regulation (‘FR’) applicable to the

General Budget of the European Communities2.

We process your personal data because:

2 Articles 117-123 FR on internal audits, article 127 on cross-reliance audits, articles 183 and 203 FR on

audits covering grant agreements and articles 254 – 259 FR on external audits by the Court of Auditors.

8

The processing operations on personal data carried out in the context of audit and control

activities3 are necessary and lawful under the following articles of the Regulation (EU)

1725/2018:

a) processing is necessary for the performance of a task carried out in the public interest or

in the exercise of official authority vested in the Union institution or body4;

b) processing is necessary for compliance with a legal obligation to which the controller is

subject5.

4. Which personal data do we collect and further process?

In order to carry out any kind of financial controls, ex-ante and ex-post, the Data Controller

could collect the following categories of personal data:

Mandatory:

• Mandatory contact data: name, company, e-mail address, telephone number;

• Mandatory data for access to finance and contractual obligations. Such data can be:

bank account reference (IBAN and BIC codes), VAT number, passport or ID number;

timesheets, salary slips, accounts, details of the costs, missions, reports, information

coming from local IT system used to declare costs as eligible, supporting documents

linked to travel costs, minutes from mission and other similar data depending of the

nature of the grant/contract, etc.;

• Mandatory information for the evaluation of selection criteria or eligibility criteria:

expertise, technical skills and languages, educational background, professional

experience, including details on current and past employment;

Voluntary:

• Voluntary data: other contact details (mobile telephone number, fax number,

professional postal address, function and department, country of residence);

• Voluntary data that may be collected by the website if there is consent to its cookies:

IP address, language preference, etc.

3 The audit and control activities are varied across the Commission departments as they can be conducted at

any time during the performance of the programme or project and can concern beneficiaries, projects,

system, transactions, etc. depending on the needs of the contracting authority. The audit and control

activities may be carried out on documents and/or on the spot, and may be carried out either before or after

the final payment to the beneficiary. Audits and controls of documents may be carried out in any place

where the funds in question are managed or used; the geographical scope is therefore worldwide.

The specific contract should specify what the audit and control is to cover (subject and location).

4 Article 5 (1) (a) of Regulation (EU) 2018/1725 and, in particular, Articles 317, 319 TFEU and Article 106

(a) of the Euratom Treaty.

5 In particular Articles 117, 183, 203.4 and 5, and 262 of the FR.

9

5. How long do we keep your data?

The Data Controller only keeps your personal data for the time necessary to fulfil the purpose

of collection or further processing, namely for 10 years after the audit is closed on condition

that no contentious issues occurred; in this case, data will be kept until the end of the last

possible legal procedure.

6. How do we protect and safeguard your personal data?

All personal data in electronic format (e-mails, documents, databases, uploaded batches of

data, etc.) are stored either on the servers of the European Commission or of its contractors

(processors), if contractors are engaged to assist the controller. All processing operations are

carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017

on the security of communication and information systems in the Commission.

In order to protect your personal data, the Commission has put in place a number of technical

and organisational measures in place. Technical measures include appropriate actions to

address online security, risk of data loss, alteration of data or unauthorised access, taking into

consideration the risk presented by the processing and the nature of the personal data being

processed. Organisational measures include restricting access to the personal data solely to

authorised persons with a legitimate need to know for the purposes of this processing

operation.

If the controller uses (a) contractor(s) (processor(s)) to assist the controller, this will be

indicated in the specific privacy statement and the following paragraph will be provided:

The Commission’s contractors are bound by a specific contractual clause for any processing

operations of your data on behalf of the Commission, and by the confidentiality obligations

deriving from the transposition of the General Data Protection Regulation in the EU Member

States (‘GDPR’ Regulation (EU) 2016/679).

7. Who has access to your data and to whom is it disclosed?

Access to your personal data may be provided on a ‘need to know’ basis to Commission

services and staff dealing with the external audit or control (including those

supervising/approving), inclusive of OLAF.

In addition, staff from the Council, European Parliament, European Court of Auditors may

have access to your personal data. Finally, your data may be shared with national managing,

certifying and Audit Authorities in shared management, beneficiaries/final recipients and

external contractors.

The information we collect will not be given to any third party, except to the extent and for

the purpose we may be required to do so by Union law, including the possible transmission

of personal data to EU bodies or institutions in charge of audit or inspection in accordance

with the EU Treaties.

8. What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation

(EU) 2018/1725, in particular the right to access, rectify or erase your personal data and the

right to restrict the processing of your personal data. Where applicable, you also have the right

to object to the processing or the right to data portability.

10

You have the right to object to the processing of your personal data, which is lawfully carried

out pursuant to Article 5(1)(a) on grounds relating to your particular situation.

You can exercise your rights by contacting the Data Controller, or in case of conflict the Data

Protection Officer. If necessary, you can also address the European Data Protection

Supervisor. Their contact information is given under Heading 9 below.

Where you wish to exercise your rights in the context of one or several specific processing

operations, please provide their description (i.e. their Record reference(s) as specified under

Heading 10 below) in your request.

9. Contact information

- The Data Controller

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have

comments, questions or concerns, or if you would like to submit a complaint regarding the

collection and use of your personal data, please feel free to contact the Data Controller.

European Commission, DG ECFIN, Unit R.4 at [email protected].

- The Data Protection Officer of the European Commission

You may contact the Data Protection Officer ([email protected]) with

regard to issues related to the processing of your personal data under Regulation (EU)

2018/1725.

- The European Data Protection Supervisor (EDPS)

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data

Protection Supervisor, https://edps.europa.eu:data-protection/our-role-

supervisor/complaints_en or [email protected], if you consider that your rights under

Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal

data by the Data Controller.

10. Where to find more detailed information?

The Commission Data Protection Officer (DPO) publishes the register of all processing

operations on personal data by the Commission, which have been documented and notified to

him. You may access the register via the following link: http://ec.europa.eu/dpo-register.

This specific processing operation has been included in the DPO’s public register with the

following Record reference: 04466.1

11

Annex II - Information Sheet for the Coordinating body selected for the Audit on milestones and

targets.

1. Objective of the audit

The objectives of the audit are to :

• Verify that appropriate data management and reporting systems are in place; and

• Assess the reliability of the reported data for the selected milestones and targets.

2. Milestones and Targets and related indicators included in the audit

SEQUENTIAL

NUMBER (AS

IN CID)

NAME OF MEASURE MILESTONE

/ TARGET

INDICATORS

(QUANTITATIVE / QUALITATIVE)

BODY(IES)

RESPONSIBLE FOR

REPORTING AND

IMPLEMENTATION / FOR

AUDITING

78 Pilot Energy Storage

Programme

milestone An open call for proposals

shall be published by the

Environmental Investment

Centre to support energy

storage projects.

The call shall be based on

project selection criteria and

award conditions that ensure

that the selected projects

comply with the ‘Do no

significant harm’ Technical

Guidance (2021/C58/01)

through the use of an

exclusion list and the

requirement of compliance

with the relevant EU and

national environmental

legislation. The

selection/eligibility criteria

shall specify that the

supported activities and/or

enterprises contribute to

climate-neutral economy,

climate resilience and climate

change adaptation, including

circular economy objectives.

Fulfilment of M/T

Audit:

Ministry of Climate

Environmental

Investment Centre

7 Development of digital

waybills services

target Number of projects

developing an eFTI platform

which have received a positive

grant decision.

Fulfilment of M/T

Audit:

Ministry of Economic

Affairs and

Communications

Estonian Business

and Innovation

Agency

12

3. Tasks performed by the audit team at the Coordinating body

• Interview Manager and staff involved in monitoring and reporting and data-management;

• Review of the systems and procedures relating to the collection, storage, verification

and reporting of data on the achievement of milestones and targets;

• Review availability, completeness, and timeliness of reports received from the lower levels (e.g.

bodies implementing reforms and investments and final recipients);

• Review of the reports/data received from the lower levels (e.g. bodies implementing reforms and

investments and final recipients);

• Re-count numbers from received reports/data and compare result to the information reported to

the Commission in Fenix.

• Review of the DNSH guidelines/check lists used

4. Staff to be available at the Coordinating body during the audit

• RRP Manager.

• Data-management official.

• Staff involved in reviewing and compiling reports received from lower levels.

• IT staff involved in database management, if applicable.

5. Documentation to prepare in advance of arrival of the audit team

All documents related to point 3 should be submitted in one of these formats: .pdf, .doc, .docx, .xls, .xlsx,

.xml, .msg, .csv, .ods, . txt, .jpg, .png, .ppt, .pptx, .eml, .zip. Impossibility to convert files into these formats

will be discussed case by case.

During the visit, for the operations/final recipients selected for the audit, a comprehensive file (including

all the relevant working papers on the milestone/target and related indicators data processing) should be

made available to the audit team.

6. Expected time of audit team at the Coordinating body

A more detailed planning of the audit mission will be communicated at a later stage.

WARNING: In no circumstances should reports be fabricated for the purpose of the audit.

13

Annex III – Information Sheet for the Intermediate body level

selected for the Audit on milestones and targets.

1. Objective of the audit

The objectives of the Audit are to:

• Assess that appropriate data management and reporting systems are in place; and

• Verify the reliability of the reported data for the selected milestones and targets.

2. Milestones and Targets and related indicators included in the audit

SEQUENTIAL

NUMBER (AS

IN CID)

NAME OF MEASURE MILESTONE

/ TARGET

INDICATORS

(QUANTITATIVE / QUALITATIVE)

BODY(IES)

RESPONSIBLE FOR

REPORTING AND

IMPLEMENTATION / FOR

AUDITING

78 Pilot Energy Storage

Programme

milestone An open call for proposals

shall be published by the

Environmental Investment

Centre to support energy

storage projects.

The call shall be based on

project selection criteria and

award conditions that ensure

that the selected projects

comply with the ‘Do no

significant harm’ Technical

Guidance (2021/C58/01)

through the use of an

exclusion list and the

requirement of compliance

with the relevant EU and

national environmental

legislation. The

selection/eligibility criteria

shall specify that the

supported activities and/or

enterprises contribute to

climate-neutral economy,

climate resilience and climate

change adaptation, including

circular economy objectives.

Fulfilment of M/T

Audit:

Ministry of Climate

Environmental

Investment Centre

7 Development of digital

waybills services

target Number of projects

developing an eFTI platform

which have received a positive

grant decision.

Fulfilment of M/T

Audit:

Ministry of Economic

Affairs and

Communications

Estonian Business

and Innovation

Agency

14

3. Tasks performed by the audit team at the Intermediate body level

• Interview body implementing reforms and investments manager and staff involved in

monitoring, reporting and data-management.

• Review of the systems and procedures relating to the collection, storage, verification and

reporting of data on the achievement of milestones and targets;

• Review availability, completeness, and timeliness of reports received from the lower levels (e.g.

final recipients);

• Review of the reports/data received from the lower levels (e.g. final recipients);

• Re-count numbers from received reports and compare result to the numbers reported to the next

level.

• Review of the DNSH guidelines/check lists used

4. Staff to be available at the Intermediate body level during the audit

• Manager of the body implementing reforms and investments,

• Staff involved in reviewing and compiling reports received from reporting Final recipients.

• IT staff involved in database management, if applicable.

5. Documentation to prepare in advance of arrival of the audit team, if different than the

documentation provided by the coordinating body

All documents related to point 3 should be submitted in one of these formats: .pdf, .doc, .docx, .xls, .xlsx,

.xml, .msg, .csv, .ods, . txt, .jpg, .png, .ppt, .pptx, .eml, .zip. Impossibility to convert files into these formats

will be discussed case by case.

During the visit, for the operations/final recipients selected for the audit, a comprehensive file (including

all the relevant working papers on the milestone/target and related indicators data processing), should be

made available to the audit team.

6. Expected time of audit team at the Intermediate body level site

Between one-half and two days at each Intermediate level site – a more detailed planning of the audit

mission will be communicated at a later stage. Depending on the complexity of the verification

mechanism and number of milestones and targets associated to the same body, this timing could be

prolonged.

WARNING: In no circumstances should reports be fabricated for the purpose of the audit.

15

Annex IV - Information sheet for all Final recipients selected for the Audit on milestones and

targets.

1. Objective of the audit

The objectives of the audit are to:

• Assess that appropriate data management and reporting systems are in place; and

• Verify the reliability of the reported data for the selected milestones and targets.

2. Milestones and Targets and related indicators included in the audit

SEQUENTIAL

NUMBER (AS

IN CID)

NAME OF

MEASURE

MILESTONE

/ TARGET

INDICATORS

(QUANTITATIVE / QUALITATIVE)

BODY(IES)

RESPONSIBLE FOR

REPORTING AND

IMPLEMENTATION /

FOR AUDITING

7 Development of

digital waybills

services

target Number of projects

developing an eFTI platform

which have received a positive

grant decision.

Fulfilment of M/T

Audit:

Ministry of

Economic Affairs

and

Communications

Estonian Business

and Innovation

Agency

3. Tasks performed by the audit team at the Final recipient

• Understand how and when source documents are completed in relation to the

activities/services/outputs/results.

• Review availability and completeness of all source documents for the selected request for

payment.

• Recount the recorded numbers from available source documents and compare result to the

numbers reported by the final recipients.

• Compare reported numbers with other data sources

• Verify the actual delivery of the services/outputs/results (if feasible).

• Review of the DNSH guidelines/check lists used

4. Staff to be available at the Final recipient during the audit (not needed for the selected measures)

• Final recipient Manager.

• Staff responsible for completing the source documents.

• Staff responsible for entering data in registers or IT systems (as appropriate).

• Staff responsible for compiling the periodic reports (e.g., monthly, quarterly, etc.).

16

5. Documentation to prepare in advance of arrival of the audit team, if different than the

documentation provided by the coordinating body

All documents related to point 3 should be submitted in one of these formats: .pdf, .doc, .docx, .xls, .xlsx,

.xml, .msg, .csv, .ods, . txt, .jpg, .png, .ppt, .pptx, .eml, .zip. Impossibility to convert files into these formats

will be discussed case by case.

During the visit, for the operations/final recipient selected for the audit, a comprehensive file (including

all the relevant working papers on the milestone/target and related indicators data processing) should be

made available to the audit team.

6. Expected time of audit team at the Final recipient site

Between one-half and two days at each final recipient site – a more detailed planning of the audit mission

will be communicated at a later stage. Depending on the complexity of the verification mechanism, the

size of the final recipient and the data reported by final recipient, this timing could be prolonged.

WARNING: In no circumstances should source documents or reports be fabricated for the purpose of

the audit.

17

Annex V - Information sheet for all measures selected for the Compliance Audit.

1. Objective of the audit

The objectives of the audit are to:

• The re-performance of the selected audit (T49) of M/T

2. Milestones and Targets and related indicators included in the audit

SEQUENTIAL

NUMBER (AS

IN CID)

NAME OF MEASURE MILESTONE

/ TARGET

INDICATORS

(QUANTITATIVE / QUALITATIVE)

BODY(IES) RESPONSIBLE FOR

REPORTING AND IMPLEMENTATION /

FOR AUDITING

49 Development of event services

and digital gateway for

entrepreneurs

target Number of IT development

projects contributing to the

implementation of the

business event services and

gateway that have successfully

deployed new developments

online.

These development projects

shall be either directly related

to the development of the

digital gateway for

entrepreneurs or to the

development of business-

event services, which

additionally include the

development of various

related systems for interfacing

with the digital gateway. As a

result of each development

project, at least a minimally

functional IT solution shall be

completed (i.e., the IT solution

shall be operational at least in

the basic parts for the end

users (entrepreneurs) and shall

be able to provide feedback

for further development needs

during the reform

implementation period or

afterwards).

Compliance Audit:

Audit Authority

(Financial Control Department -

Ministry of Finance of Estonia)

3. Tasks performed by the audit team at the Audit Authority

• Interview Audit Authority and staff involved in auditing the RRF measures.

• Understand how and when source documents are completed in relation to the

activities/services/outputs/results.

• Review availability and completeness of all source documents for the selected request for

payment.

18

• Compare reported numbers with other data sources.

• Verify the actual delivery of the services/outputs/results (if feasible).

• Review of the DNSH guidelines/check lists used

4. Staff to be available at the Audit Authority during the audit

• Member State Audit Team.

• Staff responsible for completing the audit report related to the measure selected.

5. Documentation to prepare in advance of arrival of the audit team, if different than the

documentation provided by the coordinating body

• Audit body's updated audit strategy of the RRP;

• Audit body's methodology and procedures for carrying out the audit work, i.e. the audit manual

together with templates of checklists and other working documents;

• Audit reports from the selected audit on T 49;

• Documentation of relevant state aid and public procurement procedures checks (checklists

used).

All documents submitted should be in one of these formats: .pdf, .doc, .docx, .xls, .xlsx, .xml, .msg, .csv,

.ods, . txt, .jpg, .png, .ppt, .pptx, .eml, .zip. Impossibility to convert files into these formats will be

discussed case by case.

During the visit, for the operations/final recipient selected for the audit, a comprehensive file (including

all the relevant working papers on the milestone/target and related indicators data processing) should be

made available to the audit team.

6. Expected time of audit team at the Audit Authority site

About one day at Audit Authority’s site – a more detailed planning of the audit mission will be

communicated at a later stage.

WARNING: In no circumstances should source documents or reports be fabricated for the purpose of

the audit.

Electronically signed on 17/05/2024 12:10 (UTC+02) in accordance with Article 11 of Commission Decision (EU) 2021/2121