DIRECTORATE-GENERAL HUMANITARIAN AID AND CIVIL PROTECTION - ECHO
ECHO.C - Resources, Partnerships and Operational Support
C/2 - Budget, External Audit, Informatics
DG ECHO C/2
AUDIT INFORMATION TO THE FPA PARTNERS
DG ECHO C/2 EXTERNAL AUDIT SECTOR (EAS)
Version February 2012
1. Preface 3
2. General information 3
3. Background - Why Do we conduct audits? 4
4. Legal basis 4
5. What is an ECHO Audit? 5
6. Who are the auditors? 6
7. What are the auditors’ objectives? 6
8. What should the NGO expect from the auditors? 7
9. What do the auditors expect from the Partner? 7
10. Audit Strategy and Audit plan 8
11. Areas of audit 10
12. Methodology 12
13. Audit follow-up 13
14. Relationship with European Court of Auditors and OLAF 14
15. Working practice 14
Annex 1 19
Annex 2 21
In the framework of transparency, the purpose of this document is to inform and explain to the Partners the procedures governing audits undertaken by the External Audit Sector of DG ECHO C/2.
The document starts with a description of the background to the audits. Further, it explains the types of audit, the respective methodologies, and what DG ECHO expects from its Partners when preparing for an audit.
In Annex 1 is a flowchart indicating the time needed and in Annex 2 a Question and Answer section based on questions received from our Partners.
It should be understood that this document is a description of the situation as of February 2012 and the reality might have been changed in some minor points to reflect the continuing development of the audit process. Any suggestions for improvement will be warmly received by the DG ECHO C/2 Audit Sector via its functional mailbox (ECHO-C2-AUDIT@ec.europa.eu).
This paper describes the working methodology in regard to Final HQ and Interim Field audits of DG ECHO FPA signatories, which the External Audit Sector of DG ECHO C/2 initiates. The audit methodology is being continuously developed in order to ensure more efficient, productive and effective audits.
Within the confines of business confidentiality, all audits should be carried out with openness and transparency with the involvement of the Partners at each stage of the process. The audits are facilitated by exchanges of information not only from the Partners to DG ECHO, but also from DG ECHO to the Partners. The large majority of DG ECHO’s audit reports are completed with agreement between DG ECHO and the Partner. The results of the audits should be discussed at the draft stage, by the auditors with the senior management of the Partner concerned, including the actions that they intend to take, in response to recommendations in the audit report.
In line with the principles of internal control, DG ECHO’s management safeguards the sector’s operational independence by ensuring the segregation of operational and decisional authority from the discharge of audit activities. The responsibility of the auditors is to conduct their work in accordance with the agreed methodology and report their findings. Thereafter any operational decisions that arise for the findings are the responsibility of other Units within DG ECHO.
3.Background - Why Do we conduct audits?
The DG ECHO audit function was set up in 1995. In 2000, the audit function was reorganised as part of the restructuring of DG ECHO. Its mandate has been separated from the other tasks relating to Budget and Financial Management within DG ECHO. The separation is intended to promote the operational independence and effectiveness of the audit sector.
DG ECHO is responsible for around € 1 billion of humanitarian aid each year, which it delivers through its Partners under the Framework Partnership Agreement and its equivalent for International Organisations (ICRC, IFRC and IOM) or through the FAFA (Financial and Administrative Framework Agreement) for UN organisations. DG ECHO, through the European Commission, is accountable for the use of these funds to the Discharge Authority (European Council and the European Parliament). Its activities are also subject to scrutiny by the Court of Auditors, the Council of Ministers, the European Parliament and ultimately the European Taxpayer.
To discharge this responsibility, DG ECHO must be able to confirm each year that funds have been spent as intended and in compliance with the appropriate Council Regulations and Financial Regulations. The audit process is a part of the overall control process by which DG ECHO receives information that enables it to give that confirmation.
The audits also provide DG ECHO with information about its Partners and so serve to build the confidence that is needed in the organisations that are essential to DG ECHO's mission.
Finally, insofar as the audits provide assurance, and are a confidence building measure, the audits can be said in the very broadest sense to help maintain support for humanitarian aid as funded by the Commission, because it is based on the positive results of these audits that the budget is allocated the following year. Therefore, the audits can be considered as an essential part of securing the continuing availability of humanitarian aid funds.
The necessity for audits is prescribed in Council Regulation (EC) No 1257/96 of 20 June 1996 concerning humanitarian aid (Official Journal L 163, 02/07/1996) in article 12. Here it is stated that: “All financing contracts concluded under this Regulation shall provide in particular that the Commission and the Court of Auditors may conduct checks on the spot and at the headquarters of humanitarian partners according to the usual procedures established by the Commission under the rules in force, and in particular those of the Financial Regulation applicable to the general budget of the European Communities.”
Further, in the Framework Partnership Agreement 2008 (FPA 2008) the possibility to undertake audits is laid down in article 23 of Annex III 'General Conditions applicable to the Grant Agreement'. Each Grant Agreement between DG ECHO and its Partners/grant agreement signatories to implement the actions states in Article 23.2: “The Commission or any other organisation mandated by the Commission, may audit the Humanitarian Organisation's use made of the Community contribution. Such audits may be initiated during the implementation of the Grant Agreement until four years after Final payment of the Grant Agreement. Audit findings may entail recovery decisions by the Commission. The Humanitarian Organisation assures full assistance to the Commission or any other organisation mandated by the Commission in the course of field and headquarter audits.”
5.What is an ECHO Audit?
Throughout their duration, the activities financed by the Commission can be subjected to audits as well as evaluations and monitoring. One should not confuse the objectives of an audit with those of an evaluation or monitoring. The aim of an audit is to make it possible for auditors in the light of their examination of the financial data, of the organisation and of other items to express a considered opinion. The objective of a financial audit (HQ audit) is to enable the auditor to express an opinion as to whether:
The funds have been used in accordance with the applicable legislation and the terms and conditions of grant agreements;
The funds have been used for their intended purpose
Compliance is the ability to reasonably ensure conformity and adherence to the applicable legislation and rules. It generally covers one or more of the following aspects:
Compliance with contractual basis (FPA, grant agreement…);
Compliance with financial and accounting terms and conditions of contracts (in order to verify the legality and regularity of the expenses);
Compliance with procedural terms and conditions (e.g. procurement procedures);
Compliance with systems requirements for internal and management control systems (Council Regulation (EC) No 1257/96, especially Art 7).
The possible audits carried out during a project's life are: systems, financial, performance and forensic fraud. Additionally, a systems audit can be combined with a financial, technical and/or forensic audit. This depends not only on the project's specific aspects and features but also on the circumstances. DG ECHO may want to verify that:
The organisation set up meets the agreed terms and conditions;
The scheduled procedures exist, are applied and abided by;
The system introduced for accounting and reporting purposes is reliable and relevant;
The project's technical facilities have been set up and work according to the agreement.
6.Who are the auditors?
DG ECHO C/2 External Audit Sector (DG ECHO EAS) is supported by the Audit Contractor; a consortium of independent audit firms operating in the countries of the Union who are members of an international accounting and auditing association, which is responsible for the audits. The Audit Contractor is appointed by means of a framework contract following an open call for tenders.
The consortium is led and managed by a central management team (CMT) comprising senior and experienced auditors based close to the DG ECHO offices in Brussels.
DG ECHO EAS works in very close cooperation with the CMT, both in terms of developing and agreeing the audit methodology, participating in the training that the CMT provides to its audit teams and in general discussion of issues and technical matters that arise from time to time. Formal meetings are held with the CMT each month or more frequently if there is a need. Besides the monthly meeting with the responsible Audit Contractor an annual training session is undertaken with all of the auditors involved to discuss problems encountered, share information (e.g. on best practice) and discuss eventual changes in the templates to be used.
DG ECHO EAS carries out quality assurance reviews of the work of the contractors, which involves a detailed scrutiny of the audit files. DG ECHO EAS is also subject to periodic reviews, as are the audit contractors, by the European Court of Auditors.
DG ECHO, being part of the European Commission, upholds the highest ethical standards and does not want to be seen to have any conflict of interest be it real, hypothetical or perceived. Therefore, the audit contractors owe a duty of care to DG ECHO and must remain independent and free from conflicts of interests at all times. They cannot provide any professional services to or otherwise advise Partners throughout the duration of the framework contract. This conflict of interest cannot be solved by using another company / partner of the audit contractor and / or its network.
7.What are the auditors’ objectives?
At both Headquarters and Field levels, the auditors’ primary task is to verify the expenditure of funds donated by DG ECHO to ensure that expenditure is supported by appropriate documentary evidence that is in compliance with Council Regulation (EC) No 1257/96, the prevailing Financial Regulations, the FPA or FAFA and the individual grant or contribution agreement with DG ECHO. The auditors will seek evidence on a sample basis and in accordance with the principles of legality and regularity.
In performing their work, the auditors will also ascertain and assess the respective Partner’s systems and procedures, to the extent that they are relevant, in order to form a view of the adequacy or otherwise of these controls and to establish the minimum number of transactions selected for substantive testing during the audit of the Partner.
Although not their primary function, the auditors will also make recommendations for improvements to the Partner's systems and procedures, which should be expected to be relevant to the specific circumstances. These recommendations are made in the spirit of Partnership between DG ECHO and its Partners to assist their development through external independent review of the organisation without extra cost and to share best practices within the Partner community. It is important to understand that auditors’ recommendations are not mandatory – they are intended to be helpful and constructive in assisting Partners meet their obligations to DG ECHO. The decision to follow a recommendation lies with the Partner although DG ECHO would expect there to be a good reason if a recommendation is rejected entirely.
Where expenditure is not supported by sufficient documentary evidence, or where it is not properly incurred, the Audit Contractors have no discretion; they must report the matter and the amounts as a proposed disallowance. The subsequent decision as to whether to issue a recovery order is one made by DG ECHO after taking into account all known facts/mitigating circumstances leading to the provisional disallowance as reported by the contract auditors. The auditors play no part in the decision to issue a recovery order or not.
8.What should the NGO expect from the auditors?
The aim is to make the audit process transparent. The NGO should expect to participate in a planning meeting attended by senior audit personnel some time in advance of the audit visit itself. The purpose of this meeting is to plan the audit with the NGO, to advise the NGO of the documentation that will need to be provided to the auditors and to finalise the dates of the visit and reporting timetable.
The NGO should also expect to be invited to attend an exit meeting at the end of fieldwork to discuss the audit findings that at a later stage will be set out in the draft report circulated in advance for comment. These comments will be included in the report together with any additional comments from the auditors. The auditors may not agree with these comments but the NGO should certainly expect them to correct any real errors of fact that are found in the draft report. The NGO should also expect the auditors to consult with the CMT or with DG ECHO audit sector on technical and contentious issues so that these can be resolved at the earliest opportunity.
Finally, of course, the NGO should expect the audits to be conducted efficiently, professionally and with courtesy at all times.
9.What do the auditors expect from the Partner?
Both DG ECHO EAS and the contract auditors expect the NGO's full cooperation throughout the audit. It is very rare that Partners do not provide this but the contract auditors are instructed to tell DG ECHO of any difficulties that they are experiencing as soon as they arise. DG ECHO will then assess the difficulties and decide whether or not to intervene.
In detailed terms, the contract auditors expect the NGO to provide a reconciliation of transaction lists to the final financial reports submitted to DG ECHO and the supporting documentary evidence for the sample of transactions selected for testing by the start of the audit visit. It is not the contract auditor's job to undertake the reconciliations or search for documentation and failure to provide these is likely to mean a disallowance. They also expect the NGO to respond to and comment on the draft audit report on a timely basis, usually within a month of receipt.
If the NGO experiences difficulty in retrieving documentation from the field, the auditors will give a reasonable time for this to be done but they also have contractual deadlines to meet when delivering their report and cannot give excessive time. The NGO should however keep in mind the contractual obligations as stated in the General Conditions to the FPA where the ability of the Partner to provide documentation on a timely basis is a contractual obligation (i.e. within 30 calendar days from the initial request by DG ECHO or by the contract auditors).
Non-adherence to the retrieval of documents / access to documentation might be inferred as breach of contract with all possible consequences. Access to documentation does not only mean the handing over of the documents but also accessibility concerning language. The members of the contracting consortium are based throughout Europe and cover the European languages. This means that Partners should have a summary translation of key documents available in a European language that the auditors can understand. It is not the responsibility of the auditors to translate documents in a local language and if a translation is not available from the Partner it implies that the Partner is not exercising proper control. In these circumstances DG ECHO audit sector has given instructions to disallow these costs and to make recommendations concerning a lack of internal control and weak financial systems in place which might be used later during the Partner's annual assessments.
In certain cases, there may be restrictions to export original documentation outside the country of operation. In these cases DG ECHO EAS accepts copies of originals provided that these are supported by a cover letter stating that the attached documents are true and fair copies of the originals. The copies need to be listed and explicit referenced. The cover letter and list should be signed at the appropriate level (e.g. Head of Mission or Head of Finance of the Country Office).
10.Audit Strategy and Audit plan
The results of the audit work, underpin, inter alia the Director General's Annual Declaration that the funds at his or her disposal have been used regularly and legally for the purposes intended. The results also input into DG ECHO's annual assessment of Partners and Control Mechanism applied.
In order to fulfil the objectives on a regular and systematic basis, and in light of the staff and financial resources available, DG ECHO implements a risk based audit strategy. In the first case, Partners are audited at the headquarters on a cyclical basis. In the early years, the audit cycle covered a two year period and following two completed cycles, DG ECHO is implementing normally a three year cycle for all Partners with a tendency under the FPA 2008 towards a four year cycle. This cycle has been chosen to ensure that records covering a five year period are available especially as the maximum project implementation time is 18 months. At each audit visit, the actions taken as a result of the recommendations made from previous audits are also subject to audit review.
Secondly, the FPA 2008 specifies two different control mechanisms; the so-called "A and P" Control Mechanism. For audit purposes the main difference lies in the extent and frequency which DG ECHO will initiate audits. For an “A” Control Mechanisms all projects funded by DG ECHO will be subject to an audit. For “P” Control Mechanisms it will normally be the case that only a sample will be subject to audit and there will normally be a longer gap between audit visits.
For both “A” and “P” Control Mechanisms the auditors will continue to set a level of substantive testing of transactions based on their assessment of audit risk (i.e. the risk of ineligible costs being claimed). They will also review and assess systems and procedures put in place to ensure compliance with Financial Regulation. As regards procurement procedures where there is a P Control Mechanism in place Partners are required to follow their own systems and procedures which are presumed to be equivalent or better than those required by Council Decision 1257/96 and Annex IV to the FPA. Where there is an “A” Control Mechanism in place Partners are required to follow the Annex IV requirements and the auditors will be looking to see that they have done so.
Thirdly, the strategy differentiates between the HQ audits, which focus on completed projects or actions, and the interim Field audit of ongoing projects in the field. The interim Field audits, combined with monitoring activities by DG ECHO experts, fulfil an accountability function and also provide advice to Partners and early warning to DG ECHO of potential difficulties or problems. The results of interim field audits are carried forward to and linked to the eventual HQ audits.
Also, the information obtained from previous HQ audits is used in the field to test compliance with the established procedures as described in the HQ audit report.
These elements of the audit strategy are combined to form the annual audit plan. The audit plan for the next year is prepared each year in the autumn by the DG ECHO C/2 EAS and approved by DG ECHO Management. It includes not only the Partners pre-selected to be audited at HQ and/or Field level but also the foreseen countries for the Field audits as well as an overview of resources needed.
The annual audit plan bases itself on the Partners’ level of risk as determined by the adequacy of Internal Control (as identified in previous audits) and the number of grant agreements signed. Selection of Partners for audit can be more frequent depending on the requests from inter alia geographical and finance units. The grant agreements to each Partner are audited every three to four years at HQ and it is also foreseen to audit all the Partners of DG ECHO in the project locations based on a similar risk analysis.
With the FPA 2008, it is foreseen, in principle, to audit all projects governed by an "A Control Mechanism" as a matter of fact at HQ level and a sample of these will be selected for a field audit as well. The annual focus and the main themes of the audits are detailed in the annual audit plan itself.
The audits of projects governed by a 'P' Control Mechanism will be undertaken (both at HQ and at Field) to confirm to DG ECHO that the procedures of the Partner as described to DG ECHO in previous audit reports and / or in the web based tool 'Appel'; which all Partners are using to apply for FPA Partnership are still valid. The 'Appel' tool is used to assess all applicants with the same methodology and questions. The applicant has to do this self-assessment which then will be verified by DG ECHO C/3 before acceptance or not as an FPA Partner.
The 'P' Control Mechanism is based on the assumption that the Partner's procedures are of a similar level as those required by the Financial Regulation of the European Union for International Organisations in relation to audit, internal control, accounting and procurement (Article 53d of Council Regulation (EC, EURATOM) No 1995/2006 also known as '4-Pillars'). If this is the case the Partner has to apply its own procedures when implementing DG ECHO funded actions.
At the end of the year, an annual report is prepared which summarises the activities and results of the annual audit plan.
11.Areas of audit
11.1.DG ECHO Partners – HQ audits
As the headquarters of an organisation plays a key role in defining procedures to be applied both at field and HQ levels and generally comprises a finance department in charge of controlling financial returns submitted to donors, it is inevitable that the majority of auditing effort of the DG ECHO is focussed on the control systems and supporting documents at the Partners’ headquarters. In reality many of the project expenses incurred are contracted at HQ level and as such full documentation should be available at HQ level (e.g. international staff and international procurement).
A DG ECHO HQ Audit is a detailed review of procedures and validation of expenditure claimed from DG ECHO and is undertaken by audit staff who have specific in-depth knowledge of DG ECHO’s procedures, practices and outlook.
The audits performed by DG ECHO are required to give the level of assurance in order to arrive at an opinion that funds made available have been used for the purposes intended in compliance with the rules and regulation in force.
All costs and documentation are drawn together at Partners’ headquarters and the majority of auditing is therefore carried out at the Partners’ headquarters.
The DG ECHO audit sector supervises the process and takes delivery of the audit results, which are then actioned, as appropriate, by DG ECHO staff. The audit process is presented by means of a flow chart in Annex I.
The specific steps to identify the Partners to be audited are:
To check on the results of past audits with the internal control risk identified;
When the last audit took place;
The number of grant agreements signed.
The selection of projects should be sufficient to enable DG ECHO to take reasonable assurance that the Partner adheres to the principles of the FPA. Therefore there is a need to base the selection of signed grant agreements on a range of certain criteria.
The selection of Partners/grant agreements subjected to HQ audits is established on the basis of the following criteria:
Amount and number of agreements signed;
Grant agreements selected should cover the decision years between the last HQ audit and the date of preparation of the new HQ audit to have a coverage of the period;
Risk identified during previous audits;
Results previous field and/or HQ audits;
Special requests (e.g. concerns raised by desks/experts);
Coverage of Countries of operation;
on-going operations/follow-up projects (On-going projects for the same area/objectives year in/year out should be selected within the sample);
Last field audit by the EAS; and
11.2.DG ECHO Partners – Interim Field audits
The Partner implements the activities that are the subject of grants from DG ECHO by means of field projects or actions. This is therefore an essential area of audit as this is where the real work is carried out by the Partner. Audits cover financial, administrative and operational aspects of the projects with visits and testing at on-going projects and local and regional Partner offices and various project locations (e.g. refugee camps, health structures and distribution points).
The projects to be audited are subjected to a multi criterion analysis combined with a perception of attached risks. In general, these audits have been outsourced to the external Audit Contractor. However, in case of specific needs or requests these audits may also be undertaken by DG ECHO audit staff. These Field audits may also involve direct discussions with Partner's staff and beneficiaries.
The audit report is based on facts presented to the auditor. The results of the grant agreement are compared with the reality on the ground to establish progress and conformity with the agreement.
It is general practice that each of the field audited grant agreements is automatically selected for a final audit at HQ level within the standard HQ cycles.
The selection of Partners subjected to field visits is established on the basis of the following criteria:
Value of total DG ECHO funds awarded (e.g. Per annum);
Value of individual grant agreements;
Results HQ audits;
Country of operation;
Last field audit by DG ECHO C/2 EAS or the Audit Contractor;
Perceived risks (e.g. concerns raised by desks/experts).
The sample chosen will also include:
DG ECHO’s top 40 Partners every 12 - 24 months with more frequent audits for Partners showing problems;
Another 20 Partners every year on the basis of perceived risks (based on input from desks / experts).
The coverage of the main countries of operation on a regular basis.
Based on these criteria and the audits undertaken in the previous year a provisional plan is prepared as part of the annual audit plan. This plan might change over the year for example where a selected Partner is not working anymore in the selected country of operation and has therefore to be substituted, the funding for a selected country diminishes, or the security risk is sufficiently high as to prevent access.
Each audit is conducted in line with internationally accepted auditing standards to the degree applicable and such other practices and procedures as deemed necessary and agreed upon, based on the framework audit contractual terms with the appointed audit contractor. For each type of audit, different programmes addressing each of the specific types of audit have been developed to guide the audit; files are drawn up with supporting documentation leading to conclusions and a report is issued for each audit. The detailed audit working papers are constantly reviewed and updated by the Contractors working in close collaboration with DG ECHO audit unit.
Concerning HQ and Field audits there is a special need to link the findings of each type of audit in the respective reports to e.g. compare procedures established at HQ and their application on the ground.
The auditors should not be in a position of Conflict of Interest regarding the audit work to be done. A statement is therefore given at the signing of each Specific Agreement between DG ECHO and the Audit Contractor that no conflict of interest exists.
The audit approach for all audits charged to the Audit Contractor is determined by DG ECHO and is reported to DG ECHO on the adherence by the Partner to the prevailing conditions of the governing FPA.
The Audit Contractor is not mandated to decide whether any mitigating circumstances arose during the implementation of the projects subject to audit. The audit report is solely on the basis of regularity and legality – whether the conditions of the respective FPA and the grant agreements have been adhered to and on the existence of incurred costs supported by documents and included in the Partners' accounting system.
Any mitigating circumstances of which the Audit Contractor became aware are to be reported to DG ECHO who then will make the final decision on the eligibility of the costs subject to such circumstances.
DG ECHO aims to respond sympathetically to such circumstances but the auditors have no discretion and must report lost documents as a potential disallowance. Discretion, if exercised, and any subsequent decisions concerning eligibility of expenditure, lies with DG ECHO except when there is clear evidence that DG ECHO has already approved these circumstances and accepted these during liquidation. In this case the report should nevertheless reflect the facts of non-conformity in its conclusion but without a proposed financial consequence.
The follow-up on audit reports is carried out in various ways; the annual overview of audit activities report of DG ECHO C/2 EAS includes sections on the work done and the results achieved; recommendations made by the auditors and the actions taken as a result of these recommendations will be subject to audit review at the next audit visit as part of the three to four-year cycle of audits.
The follow-up within DG ECHO is done by the respective Units involved. The work undertaken has been realised by dividing it in two parts:
The first part is to establish the final amount to be recovered by analysing the audit report and consulting the sub-delegated Authorising Officers, normally of the geographic Units and the Partners. The amount to be recovered is established by DG ECHO C/2 in close consultation with the responsible sub-delegated Authorising Officer to take into account the specific project circumstances to establish any acceptable reason for the non-adherence leading to the potential recovery as reported by the auditors in their report. After approval by the Authorising Officer the recovery request is sent to Unit C/3. DG ECHO C/3 will undertake the administrative aspects of the recovery procedure and the introduction of the amounts recoverable in the Commission accounts.
Secondly, DG ECHO C/3 will follow up on the findings of the audit in the frame of the annual Partner assessment concerning the adherence to the principles of the FPA.
Wherever possible the procedure to issue the recovery order is only initiated once both the Commission and the Partner have agreed on the amount recoverable.
Does DG ECHO want to make recovery orders?
No, that is not what DG ECHO wants to happen. DG ECHO's objective is for the money to be spent for its intended purpose and a recovery order indicates a failure to achieve that objective. DG ECHO is, however, bound by terms and conditions set out in the Commission’s own internal Financial Regulation and its Implementing Rules; as well as those set out in Council Regulation 1257/96.
It is, therefore, essential that the NGOs’ systems and procedures ensure that the money is spent in compliance with the grant or contribution agreement between DG ECHO and the Partner and that the NGO keeps good supporting documentary evidence and accounting records. DG ECHO recognises that this is sometimes difficult in the field and "force majeure" can sometimes mean records are lost. DG ECHO will normally look sympathetically at such cases but will not do so where the Partner has not made every reasonable effort to place records in a secure location as soon as possible after completion of the project.
14.Relationship with European Court of Auditors and OLAF
DG ECHO C/2 EAS co-operates with both the European Court of Auditors (ECA) and with the European Anti-Fraud Office (OLAF).
In the past, joint field audits have been undertaken with ECA and DG ECHO C/2 EAS As part of its normal actions the ECA undertakes Quality Assessments of the Audit Contractor.
Under the terms of the Framework Contract, the Audit Contractor is obliged to inform DG ECHO immediately where cases of fraud and potential irregularities are identified. Where sufficient grounds exist, DG ECHO will then provide this information to OLAF who should decide on the next steps.
15.1.Description of standard documents
Opening letter: The purpose of the opening letter from DG ECHO is to inform the Partner that an audit will be carried out. In case of sub-contracted audits the Partner will be informed of this and that they will be contacted soon by the Audit Contractor for precise arrangements.
Opening Letter from Audit Contractor: This document sets out in more detail specific for each Partner the information needed, the audit process cycle and the planning scheme of the contracted auditor. It normally has as an annex the ICQ (see below) needed for the specific type of audit as well as a request for a preliminary planning meeting and for different types of documents to be received. This letter is also the start of the 30 day period to provide for the necessary documents as stated in the General Conditions to the FPA. The auditors have received the instructions to finalise the audit after this period with the costs for which the documentation is still not provided being disallowed. Further, they will note in their opinion that the Partner is in breach of the clauses of the FPA.
ICQ: The purpose of the Internal Control Questionnaire (ICQ) for HQ audits is primarily to establish the level of internal control systems of the Partner. The responses given to the ICQ, together with the supporting evidence received from the Partner, will be reviewed and evaluated, primarily to establish the level of sampling. The audit review cannot be relied upon to have detected all deficiencies and weaknesses that a full investigative audit might reveal. However, as a result of its completion and evaluation, recommendations for systems improvements can generally be identified.
The recommendations stemming from the answers given to the ICQ and from the audit tests undertaken should be considered as assistance to the Partner for ways to improve the management of their organisation. They should not be seen as orders although if a Partner does not accept the recommendation a reasonable explanation is expected. Partners should also note that since the recommendations are intended to deliver improvements to internal control systems and procedures, where they are not implemented without good reason, the auditors are likely to continue to assess the audit risk (as defined) as high with a continuing corresponding high level of transaction testing.
For each type of audit there is a specific adapted ICQ available. It is built around certain chapters with each chapter containing a number of questions and pre-defined options as answers. The ICQ is always completed on the basis of current systems and controls in place at the organisation, which may not have existed at the time the grant agreements subject to substantive testing were running.
In conducting the substantive testing of the selected projects, the risk level established by the ICQ indicates the volume and amount of testing required. This means that for all budget lines a number of transactions can be tested throughout the process. The substantive testing is intended to verify the validity of transactions by inter alia reference to original supporting documentation (e.g. invoices), accounting entries in the records maintained by the Partner and the procedural requirements of the grant agreement (e.g. in respect of procurement procedures). It also includes verification of cash and bank accounts to verify payment of the transactions claimed.
Another result of the audit process DG ECHO C/2 EAS is able to identify and disseminate best practices and benchmarks amongst all of its Partners.
Report template: For each type of audit a specific Report Template has been created. The Report Template contains two main parts; first a description of the control systems in place and second the substantive testing. The substantive testing part of the HQ report will show all the non-adherence to the obligations stemming from the FPA as potential disallowance or potential recovery. The template also includes a specific space for the Partner’s comments.
Working Papers: Standard sets of working papers have been prepared to assist the auditors in undertaking the audits. These will be used during the audit to prepare before the on-site visit as well as to be completed during the on-site visit. It is also used for Quality Review by the audit partner to sign off that he or she is content with the work done.
Representation letter: A letter of representation has been created to ask the Partner for their agreement/disagreement with the audit results. It asks specifically for information on the recommendations made as well as on the proposed recoveries. The letter needs to be signed by the Partner and will be attached to the report. Where the Partner accepts the recoveries proposed these can immediately be acted upon by DG ECHO C/3 after the agreement of the responsible Head of Geographical Unit.
Closure letter to Partner: closure letters are prepared to send to the Partner informing the Partner that the audit is finalised, explaining the follow-up and to state to the Partner the position of DG ECHO C/2 EAS on eventual disagreements between auditor and Partner.
Cover note to Management: At finalisation of the audit the report will be submitted to DG ECHO Management for information. The cover note will highlight any major findings Management should be aware of, any areas of disagreement between Partner and auditor and any mitigating circumstances on which the responsible Authorising Officer should give their opinion. The note includes the distribution of disallowance tables to be returned by the authorising officer who makes the decision regarding the actual recovery.
The total time for the completion of an HQ batch of audits is normally nine months from the start date of the contract signed with the auditor. In this period the audit needs to be finalised and DG ECHO should have received the final reports.
The standard DG ECHO procedure is that after signature of the Specific Agreement DG ECHO sends an information notice or opening letter to its Partners selected for audit. After this, other than for exceptional reasons or in case of clarifications, all direct contacts will be taken over by the auditors. The auditors will then arrange a time schedule to undertake the audit. Nevertheless, in case of persistent or recurring difficulties the Partner is encouraged to contact and resolve them with DG ECHO EAS, as is the auditor.
After the agreement on timing the ICQ is sent by the Audit Contractor to the Partner for completion.
The ICQ covers 8 areas, namely:
Management’s Commitment to Quality;
Budgets, Financial Control and Reporting;
Fraud and Corruption Policies; and
After this, the on-site visit is undertaken by the auditors. The audit objectives and the working method are outlined in the opening meeting. At the on site exit meeting the Partner will be informed of the main findings and documentation that is still outstanding. A deadline will be agreed for the receipt of the documentation, after which the report will be drafted and no further documentation considered. At the closing meeting, which should also normally be attended by the audit partner, the main findings and recommendations in the draft report previously sent to the Partner for comment will be discussed.
Normally within 10 weeks following the end of work at Partner’s HQ DG ECHO C/2 EAS receive a Draft Report (electronic version). This Draft Report includes the comments of the Partner who has been given sufficient time to reply. When DG ECHO C/2 EAS agrees to the draft report being final, the Audit Contractor sends 3 signed paper copies and an electronic copy to DG ECHO as well as a paper copy direct to the Partner.
The linkage between HQ and Interim Field audits has been strengthened as with the start of the new Framework Audit Contract, the Auditor Contractor also undertakes Interim Field audits and carries the results through to the audits carried out at the Partner's HQ. Any project that has been audited in the field will automatically be subject to HQ audit and the procedures known from HQ audits will be verified during the field visit at the project location. This helps the Partners as it gives them a kind of internal audit for the specific project which identifies system weaknesses and/or errors and make recommendations for improvement.
There are two chapters in the audit report covering aspects which some Partners may not have in place. These are the sections on Fraud and Corruption and on Field Operational Practices. The main reason for these sections being added is to raise awareness by the Partners to start a process within their organisation to handle the specific risks in a more appropriate way.
15.3.Interim Field Audits
The normal duration of Field audit batches is 9 months. During this period of time, which starts normally at the signature of the Specific Agreement, the audits have to be finalised. In this time frame the auditors have to organise the audits and deliver the reports (one report per Partner audited). Normally Partners have one month to reply to the draft reports and DG ECHO also has a month for their review of the reports. Each Field Batch consists of, on average 5, on-going projects / Partners to be audited.
Due to the sometimes unstable locations of the DG ECHO projects there is a possibility foreseen in the contract concerning termination of the respective Specific Agreement in cases of ‘Force Majeure’. This safeguard clause can be used in those cases where a continuation of the Field Audit could cause security problems for the auditors or where the Beneficiary country creates unforeseen visa problems. In any case, a continuous dialogue between the Audit Contractor and DG ECHO C/2 EAS takes place to give guidance as well as to discuss eventual problems that may arise.
The standard procedure is that after signature of the Specific Agreement DG ECHO sends an information notice or opening letter to its Partners selected for audit. After this, all direct contacts are undertaken by the auditors.
Once a detailed programme is agreed this is forwarded to DG ECHO C/2 EAS, the DG ECHO Desk Officer, the DG ECHO Security Advisor and the DG ECHO Field Office for information. Soon after the first contacts are made the ICQ is sent to the Partners to be filled in and documentation is requested together with an opening letter from the audit contractor usually within two weeks, with a request for the ICQ to be returned completed within a further three weeks.
The ICQ for field audits contains the following sections:
Accounting Systems and IT;
Cash and Bank;
Fraud and Corruption Policies;
Field Operational Practices;
Upon arrival in the beneficiary country the audit contractors:
visit the DG ECHO Office (if one exists) for briefing by the DG ECHO expert;
hold an initial meeting at the outset of the mission with all Partners to be audited to enable the audit to be presented to the Partners (reason, objective, methodology, reporting etc.) and for the detailed programme (particularly logistics) for the fieldwork and security issues to be raised/discussed and agreed;
visit the Partner’s main in-country office. The exact organisational structure of each Partner will vary and should have been ascertained during the initial meeting with the Desk Officer. In general, Partners have an office that is often (but not always) based in the capital of the country and is generally the link between the Partner’s EU HQ and the in-country operations;
visit the location of the project. This is generally, but not always, located away from the main in-country office and will be supported by a dedicated field office;
hold end-of-fieldwork meetings with the Partner to review findings and recommendations. This is very important as sometimes the remaining period of the project comes to an end before the report can be finalised but there might be action needed beforehand.
After the field audit has taken place, a draft report should be submitted normally within four weeks to the Partner both at HQ and at Field level for their comments/ factual corrections. The normal reply deadline is set at 4 weeks after which the comments received are taken into account and added to the report as an annex. Eventual disagreements are to be explained in the report and then the final draft is submitted to DG ECHO for approval and finalisation. After DG ECHO approval, the final report is submitted to the Partner by the Audit Contractor.
DG ECHO C/2 External Audit Sector
Brussels, February 2012
Information to Partners concerning the quality of DG ECHO audits and the possible added value of these based on questions and remarks stemming from Partners
Certain NGOs have been active themselves or via groups, such as VOICE, and have registered concerns about DG ECHO audits. The NGOs' concerns, whether justified or not, provide an indicator of misunderstanding due to a lack of communication. The question here is not to determine up to what point these concerns are founded, nor to whom the responsibility has to be attributed, but to take note of the NGOs' feedback, in order to be able to propose appropriate solutions / better communication as there is a need for transparency in the Partnership relation between DG ECHO and its Partners.
DG ECHO has regrouped the opinions / questions / observations into categories of recurring feedback. They basically affect the definition of an audit, the objective, the scope and the methodology. Each of these points has been explained below.
There are too many audits, differing methods and inadequate coordination between donors
The humanitarian organisations receiving financing from various sources are subject to audits. These audits can become numerous, depending on the variety and the origin of financing received. In addition, these audits are carried out according to methodologies specific to each donor, resulting in a complex and drawn out control process.
The Partners work not only with DG ECHO but also receive funding from other donors as well as from the general public. Most of the donors have a need for specific reports and have a different audit methodology compared with DG ECHO.
DG ECHO has now undertaken three to four rounds of audits on its Partners and with the FPA 2008 being in force it has been decided by DG ECHO to reduce the audit cycle from a 2-year cycle towards a 3 to 4-year cycle to minimise the disturbance at HQ level. Due to this decrease of audits undertaken at HQ level, field audits will be more common (as it was in the past) thereby assuring the proper implementation of the actions.
DG ECHO will also try to discuss at the Humanitarian Aid Committee the Good Humanitarian Donorship initiative the audit methodology with the member states to reduce the audit impact on the Partners.
Some organisations see the auditors as a personal attack on their organisations and the way they are managed.
Hostile reaction may result where the audit process is perceived as an interference in the management of the organisation.
NGOs are proud of their independence, and can react in a hostile way to recommendations aimed at improving their operating mode. They sometimes judge that DG ECHO and/or auditors are too detailed in their audit work.
Most NGOs welcome the audits with measured enthusiasm, but some remain reticent at having organisations evaluated "as companies", due to their mandate differences. Others express reservations as to the objective of the audit procedures; that the audit focuses excessively on financial flows and insufficiently on the results obtained on the field, and are therefore an inadequate means with which to evaluate the organisations.
Being aware of the difficulties encountered by the organisations being audited and listening to their concerns promotes the creation of a climate of trust. This positive attitude makes it possible to defuse hostile reactions manifested by organisations being audited, and thus to improve cooperation, which is beneficial for the auditors and the organisations alike.
The DG ECHO External Audit Sector (EAS) and its Audit Contractor need to create and maintain goodwill amongst the NGOs and will make greater efforts to promote the benefits of the audits.
Special attention should be paid to the relations with Partners to explain the added value of the audits for their organisation. It is in this spirit of constant improvement that the recommendations made by the auditors should be understood. These are not orders but well meant advice, and DG ECHO expects its Partners to give proper response to the issues raised be they accepted or not by the Partner. Whilst some recommendations may seem a little onerous to the Partner, the main issue is that the Partner is aware of the identified problems and in the action that could be taken to minimise the inherent risk. The dialogue has then to continue between the auditors and those audited on the recommendations that have been made. Greater dialogue should promote greater acceptance and, in due course, implementation.
Steps taken by the auditors:
Regular training of the external auditors about NGOs' misconceptions and concerns;
An explanation at the opening meeting of the purposes and objectives of the audit and where it can add value.
Attendance on an ‘ad hoc’ basis by DG ECHO EAS officials at opening / closing meetings with Partners to help to convey the benefits of the audit.
The NGOs are conscious of their dependence on the funds provided by institutional and private donors, and aware that access to these funds depends on trust, and the organisations' legitimacy and effectiveness. Financial scandals, fraud, allegations of bad management and the lack of transparency and professionalism of certain associations, are liable to tarnish the image of the entire sector. Such failing can lead to criticism in the media and by the general public.
NGOs have responded to these events by developing greater transparency and accountability for the activities. Various steps have been developed, to improve their practices and to account for the funds used to report on and results obtained.
The practice of audits is widespread in the commercial sector: it is less so within the NGO sector in some countries, for historical, cultural and ideological reasons.
Audits fall within this accountability context, to give an account to their donors of the use of the funds received. At the same time, this control process is essential to ensure the "health" of the sector while making it possible to detect the most fragile Partners. To accept such controls should be to improve mutual trust which is the basis of the Partnership.
A good audit report is a positive outcome for the Partner that it can use to help promote its relationship with other donors when seeking additional financing. A critical audit report is less easy to perceive as positive but Partners should view such a report constructively. It is an indication to the Partner that improvements may be necessary; both to secure maximum future funding and to improve the way it conducts its activities for the maximum benefit of those in receipt of humanitarian aid.
Commission européenne/ Europese Commissie, B-1049 Bruxelles/Brussel - Belgium. Telephone: (32-2) 299 11 11.
Office: AN 88 01/51. Telephone: direct line (32-2) 296 59 61. Fax: (32-2) 295 74 83.