COMMISSION DECISION

of 17 April 2019

on establishing new terms of reference for the pillar assessment methodology to be used under Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council

(2019/C 191/02)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (1), and in particular Article 154(3) and (4) thereof,

Whereas:

(1) Article 154(3) of Regulation (EU, Euratom) 2018/1046 (‘the Financial Regulation’) requires the Commission to carry out an assessment of the systems, rules and procedures of persons or entities implementing Union funds under indirect management, if it intends to rely on such systems, rules and procedures for the implementation of the action. The assessment is to ensure a level of protection of the financial interests of the Union equivalent to the one that is provided for when the Commission implements the budget under direct management.

(2) In addition, Article 154(4) of the Financial Regulation requires the Commission to assess that persons or entities implementing Union funds under indirect management have a number of specific systems, rules and procedures in place relating to, for example, internal controls, accounting and data management. The Commission can also assess other rules and procedures of the person or entity in question, if they so agree.

(3) The assessments to be carried out under Article 154(3) and (4) of the Financial Regulation are usually carried out by external auditors, on the basis of a set of terms of reference established by the Commission.

(4) Given the additional requirements stemming from the Financial Regulation, including the rules on budgetary guarantees, and given recent Union policies on tax avoidance, money laundering and terrorism financing, it is necessary to revise the existing terms of reference and their methodology to be used for carrying out the assessments.

(5) Having regard to Article 154(4) of the Financial Regulation, the terms of reference should cover nine different areas (or pillars) some of which are compulsory for all persons and entities (namely internal control, accounting, external audit) and some of which are determined according to the activities which the person or entity is going to be undertaking (namely, grants, procurement and financial instruments and within those, exclusion from access to funding, publication of information on recipients and protection of personal data). For all of the applicable pillars, the terms of reference should ensure that the Commission obtains evidence that the level of protection of the financial interests of the Union is equivalent to the one that is provided for when the Commission implements the funds in direct management, taking into account possible supervisory measures taken by the Commission in accordance with Article 154(5) of the Financial Regulation. Moreover, Article 154(6)(c) of the Financial Regulation states that the Commission may decide not to require an

ex ante

assessment as referred to in paragraphs (3) and (4), for those procedures specifically required by the Commission, including its own and those specified in basic acts.

(6) Taking into account the principle of proportionality, the terms of reference should not impose any requirement for a specific organisational structure or a certain number of specialist staff, as this would be disproportionate for small entities. However, for implementation of the principles set out in the terms of reference, it is not appropriate to create exceptions for new and/or small entities as it is important to ensure a high standard of management.

(7) Article 279(3) of the Financial Regulation provides that existing pillar assessments carried out under Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council (2) will continue to apply and must be reviewed as appropriate. Insofar as the terms of reference established by this Decision contain requirements that were not contained in the previous terms of reference, persons and entities assessed under the previous terms of reference will have to undergo a supplemental assessment with respect to those requirements,

HAS DECIDED AS FOLLOWS:

Sole Article

The terms of reference to be used for carrying out assessments under Article 154(3) and (4) of Regulation (EU, Euratom) 2018/1046 are set out in the Annex to this Decision.

Done at Brussels, 17 April 2019.

For the Commission

Günther OETTINGER

Member of the Commission

(1)

OJ L 193, 30.7.2018, p. 1

(2) Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council of 25 October 2012 on the financial rules applicable to the general budget of the Union and repealing Council Regulation (EC, Euratom) No 1605/2002 (

OJ L 298, 26.10.2012, p. 1

ANNEX

TERMS OF REFERENCE FOR A PILLAR ASSESSMENT OF AN ENTITY REQUESTING TO BE ENTRUSTED WITH IMPLEMENTATION OF THE EU BUDGET UNDER INDIRECT MANAGEMENT

[NAME OF THE ENTITY]

Entity requesting the assessment:	[Entity name and full address]
Country:	[Country where the entity is established]
Reference/date of request for services:	[Reference/date of the request for services or other equivalent document issued by the entity]
Period subject to assessment:	[The year (12-month period) ending on the day of the start of the field work (on-site procedures) for the assessment]
Start date of the assessment:	[Indicative start date. The estimated contractual date of the assessment (order form date)]
End date of the assessment:	[Indicative end date. The estimated date of receipt of the final report]

TABLE OF CONTENTS

Introduction

Objectives

Standards and guidance

Requirements for the auditor

Scope

Assessment procedures

Other matters

Annexes

INSTRUCTIONS FOR USING THESE ToR

All grey shaded text in <

Italic

> is guidance, which should be removed.

Text indicated in [text] must be completed by the entity

The prescribed text and wording of these terms of reference should be respected at all times and cannot be changed.

This instruction should be removed from the ToR

1. INTRODUCTION

Context

Article 154 of the Financial Regulation (1) (‘FR’) applicable to the general budget of the European Union (‘EU’) sets out the methods of implementing the budget, including ‘indirect management’. Under indirect management, the Commission can entrust the implementation of Union funds or budgetary guarantees to the countries, organisations and bodies (further referred to as ‘entities’) indicated in Article 62 of the FR. The following entities may be concerned:

— third countries or the bodies they have designated e.g. Ministry of Interior, Kingdom of Cambodia;

— international organisations and their agencies e.g. United Nations Development Programme (UNDP);

— public law bodies e.g. Kreditanstalt für Wiederaufbau (KfW);

— bodies governed by private law but with a public service mission, to the extent that they provide adequate financial guarantees e.g. Cassa Depositi e Prestiti (CDP).

When such entities manage EU funds, they are required to guarantee a level of protection of the EU's financial interests equivalent to that required under the FR. More specifically, they must meet requirements with regard to nine ‘pillars’. These pillars relate to:

the internal control system;

the accounting system;

an independent external audit;

as well as rules and procedures for:

providing financing from EU funds through grants;

procurement;

financial instruments (2);

and also:

exclusion from access to funding;

publication of information on recipients;

protection of personal data.

Entities wishing to work with EU funds under the indirect management mode must therefore undergo a comprehensive

pillar assessment

. Based on the results of the pillar assessment, the Commission will decide whether: (i) it can entrust budget implementation tasks to the entity; and (ii) it can conclude specific agreements (i.e. indirect management contribution agreements) with the entity. However, if required by the legal base, these conditions can be specified in the agreement with the Commission, or by reference to guidance documents (e.g. the Guide for National Agencies in the case of Erasmus) to ensure harmonised implementation and equal treatment of beneficiaries of an EU programme in all participating countries.

The following are the terms of reference (‘ToR’) on which [full name and address of the Contracting Authority] agrees to engage the auditor to perform a

pillar assessment

of [name of the entity] and to report on this assessment. These ToR are annexed to the entity's [request for services; or equivalent document].

In these ToR and in Annexes 1 to 4, which form an integral part of these ToR, the following terms apply:

— ‘Pillar assessment’

‘assessment’

‘engagement’

refers to this assurance engagement. In this context, the

pillars

are the broad areas covered by this assessment; these include internal control, accounting, independent external audit, exclusion from access to funding, publication of information on recipients and protection of personal data. The entity will always need to be assessed to check it can meet the requirements in these areas. In addition to the six mandatory pillars listed above, there are three optional pillars, covering procedures and rules for grants, procurement and financial instruments.

— ‘Auditor’

refers to the audit firm contracted to perform this engagement and submit a report on it to the Commission. ‘Auditor’ can refer to the person or persons conducting the assessment, usually the engagement partner or other members of the engagement team. The engagement partner is the partner or other person in the firm who: (i) is responsible for the engagement and its performance, and for the report issued on behalf of the firm; and (ii) has the appropriate authority from a professional, legal or regulatory body.

— ‘Entity’

, refers to the entity subject to the pillar assessment. The entity is generally (3) the contracting authority for this assessment.

— ‘Commission’

refers to the European Commission, which may be represented by the relevant service or unit in the relevant Commission Directorate-General or an EU Delegation, as appropriate.

2. OBJECTIVES

The auditor is engaged to assess the systems put into place and the controls, rules and procedures applied by the entity for each pillar against the criteria set by the Commission for each pillar. The

objective

of this pillar assessment is to: (i) enable the auditor to report on whether the entity fulfils the requirements set out in points (a) to (f) of Article 154(4) of the Financial Regulation applicable to the General Budget of the European Commission and in Article 29(1) of the Financial Regulation applicable to the European Development Fund for each relevant pillar; and (ii) express a conclusion as to whether the entity:

— has set up and ensures the functioning, in all material respects, of an effective, efficient and economical

internal control system

based on international best practices and in line with the criteria set by the European Commission;

— uses an

accounting system

that provides in all material respects accurate, complete and reliable information in a timely manner, based on international accounting standards and in line with the criteria set by the European Commission;

— is subject to

an independent external audit

, required to be performed in all material respects in accordance with internationally accepted auditing standards by an audit service functionally independent of the entity concerned and in accordance with the criteria set by the European Commission;

— applies appropriate rules and procedures in all material respects for providing financing from EU funds through

grants

and in line with the criteria set by the European Commission;

— applies appropriate rules and procedures in all material respects for providing financing from EU funds through

procurement

and in line with the criteria set by the European Commission;

— applies appropriate rules and procedures in all material respects for providing financing from EU funds/budgetary guarantees through

financial instruments/budgetary guarantees

and in line with the criteria set by the European Commission;

— applies appropriate rules and procedures for

excluding third parties from access to funding

through procurement, grants and/or financial instruments;

— makes public

information on the recipients of funds

in an appropriate and timely manner;

— ensures

protection of personal data

equivalent to that referred to in Article 5 of the FR.

In addition, if in agreement with the entity concerned, and without prejudice to the final scoring, the auditor may assess whether the entity fulfils standards equivalent to applicable EU legislation and agreed international and EU standards regarding controls related to tax avoidance and non-cooperative jurisdictions, anti-money laundering and countering terrorism financing. If the entity agrees to be assessed on this particular set of issues, the auditor will be engaged to report on this under pillar 6. In order to implement Union funds through financial instruments, be those backed by a budgetary guarantee or not, the entity will need to comply with the relevant requirements under the Financial Regulation covered in the additional sections 6B and 6C through appropriate contractual arrangements, even if opting not to undergo the pillar assessment of these sections.

3. STANDARDS AND GUIDANCE

The auditor who performs this pillar assessment must be governed by:

— The IFAC International Framework for Assurance Engagements and International Standard on Assurance Engagements (‘ISAE’) 3000 for Assurance Engagements other than Audits or Reviews of Historical Financial Information insofar as these can be applied in the specific context of this pillar assessment.

— The IFAC

Code of Ethics for Professional Accountants

, issued by IFAC's International Ethics Standards Board for Accountants (IESBA), which establishes fundamental ethical principles for auditors with regard to integrity, objectivity, independence, professional competence and due care, confidentiality, professional behaviour and technical standards;

— The IFAC

International Standards on Quality Control

(ISQCs), which establish standards and provide guidance on an auditor's system of quality control.

4. REQUIREMENTS FOR THE AUDITOR

4.1. General principles

The auditor must be an

independent external

auditor who is a registered member of a national accounting or auditing body or institution which in turn is a member of the International Federation of Accountants (IFAC) and who is certified to perform audits.

The auditor must be functionally independent of the entity concerned. Hence the internal auditor of an entity subject to assessment is not eligible to perform a pillar assessment.

By agreeing to these ToR the auditor confirms that s/he meets at least one of the following conditions:

— The auditor and/or the firm is a member of a national accounting or auditing body or institution, which in turn is member of the International Federation of Accountants (IFAC).

— The auditor and/or the firm is a member of a national accounting or auditing body or institution. Although this organisation is not member of the IFAC, the auditor gives a commitment to undertake this engagement in accordance with the IFAC standards and ethics set out in these ToR.

— The auditor and/or the firm is registered as a statutory auditor in the public register of a public oversight body in an EU Member State in accordance with the principles of public oversight set out in Directive 2006/43/EC of the European Parliament and of the Council (4). This applies to auditors and audit firms based in an EU Member State.

— The auditor and/or the firm is registered as a statutory auditor in the public register of a public oversight body in a third country and this register is subject to principles of public oversight as set out in the legislation of the country concerned (this applies to auditors and audit firms based in a third country).

Where permitted by the underlying legal base (e.g. Erasmus), the auditor may be the Independent Audit Body as designated in accordance with Article 155(1) of the Financial Regulation.

4.2. Qualifications, experience and team composition

(5)

Qualifications and experience

The auditor must employ sufficient staff with: (i) appropriate professional qualifications and suitable experience with IFAC standards, in particular the ISAE 3000 for Assurance Engagements other than Audits or Reviews of Historical Financial Information; and (ii) with experience in performing institutional or compliance assessments and/or performing systems audits or equivalent engagements of entities comparable in size and complexity to the entity in question.

In addition, the engagement team as a whole shall have:

— Experience with institutional or compliance assessments and/or systems audits or equivalent engagements of EU funded programmes and projects funded by national and/or international donors and institutions. It is desirable that the leader of the fieldwork team i.e. either the manager (category 2) or the senior auditor (category 3) has experience with systems audits of EU funded external aid actions and/or other EU funded actions, and/or institutional or compliance assessments of organisations in the development aid sector and/or economic sector.

— [Optional: fluency in [specify language(s)]]

Team composition

The team of auditors required for this pillar assessment shall be composed of a category 1 auditor who has the ultimate responsibility for the assessment, and an engagement team composed of an appropriate mix of category 2-4 auditors. It is the responsibility of the auditor to propose and use an engagement team composed of an appropriate mix of auditors for this engagement.

The Commission distinguishes four categories of auditors.

Category 1 — Audit partner

An audit partner shall be a highly qualified expert with a relevant professional qualification and assuming or having assumed senior and managerial responsibilities in public audit practice.

That person should be a member of a national accounting or auditing body or institution, and must have at least 12 years' professional experience as a professional auditor or accountant in public audit practice. Experience with working with the recipient countries of EU external aid will also be taken into account.

An audit partner, or another person in a position similar to that of a partner, is the person in the audit firm who is responsible for the audit and its performance, and for the report that is issued on behalf of the firm. The audit partner has the appropriate authority from a professional, legal or regulatory body and is authorised to certify accounts by the laws of the country in which the audit firm is registered.

Category 2 — Audit manager

Audit managers should be qualified experts with a relevant university degree or professional qualification. They should have at least 6 years' experience as a professional auditor or accountant in public audit practice including relevant managerial experience of leading audit teams.

Category 3 — Senior auditor

Senior auditors should be qualified experts with a relevant university degree or professional qualification and at least 3 years' professional experience in public audit practice.

Category 4 — Assistant auditor

Assistant auditors should have a relevant university degree and at least 6 months' professional experience in public audit practice.

Curricula vitae (CVs)

The auditor shall provide the contracting authority with CVs of the partner or other person in the audit firm who is responsible for the pillar assessment and for signing the report, and also provide the CVs of the managers, senior auditors and assistant auditors proposed as part of the engagement team. CVs will include appropriate details on the type of engagements carried out by the staff, indicating capability and capacity to undertake the assessment, and will also include details on relevant specific experience. The contracting authority will examine the CVs before it signs an order form or other applicable contractual document for this engagement and reserves the right to reject them if they are not considered suitable for the requirements of the engagement.

5. SCOPE

5.1. Location and period covered by the assessment

This pillar assessment will be performed at [

location(s)

It is essential to indicate the correct location(s) where the assessment is to be performed

. The auditor should confirm the location(s) of the assessment with the contracting authority

prior

to the start of the fieldwork and ensure that relevant supporting documents as well as key staff will be available during the assessment. The auditor should take into account that the entity normally requires meetings to prepare the assessment and to discuss the draft report and that this may involve additional travelling (see Section 7).

The

period to be covered by the assessment

should normally be the year (i.e. 12-month period) ending on the day of the start of the assessment field work, i.e. the day on which the auditor effectively starts on-site (i.e. at the location where the entity is established) assessment procedures and tests.

5.2. Engagement context

Use of Annex 1 Engagement context — Key information for a pillar assessment

The auditor shall obtain a preliminary understanding of the

engagement context

on the basis of

Annex 1

Engagement context

— Key information for a pillar assessment

. The understanding must be sufficient for the auditor to submit a meaningful offer to the contracting authority.

Use of Annex 2a Assessment questionnaire

The entity shall provide a completed

Annex 2a

to the auditor as soon as possible

after

the auditor has been contracted by the contracting authority but

prior to

the start of the auditor's assessment procedures.

In a second phase,

Annex 2a

will become a support tool to be used by the auditor when designing, planning and performing the assessment procedures and to take into account the criteria that the European Commission deems essential or important for the entity undergoing assessment to comply with.

The completed

Annex 2a

questionnaire is an essential source of assessment information and evidence for the auditor. However, it is by no means the only source to be used by the auditor to plan and perform assessment procedures and to draw conclusions. All information completed and provided by the entity is provisional, and is subject to the assessment procedures the auditor deems necessary. The auditor must not rely on information before having ensured through assessment procedures that information is sufficiently accurate and complete for the purpose of the assessment and for arriving at informed conclusions for key questions.

Hence the auditor can modify, complete and add information in the findings column as it sees fit. The auditor may also add additional questions if it considers this is necessary to arrive at an informed conclusion on key questions.

The auditor must take into account the specific engagement circumstances and apply professional judgement throughout the assessment process. The auditor remains fully responsible at all times for designing, planning and performing the assessment procedures it deems necessary in addition to the questions and procedures in the

Annex 2a

questionnaire.

The auditor will use the information in the

Annex 2a

questionnaire and the results of the assessment procedures to complete

Annex 2

Assessment questionnaire and criteria

(see Section 5.4 below) and to draw a conclusion for each pillar being assessed.

5.3. Nature, extent and timing of procedures and tests for each pillar

For each pillar, the auditor must assess the

design

of relevant systems, controls, rules and procedures. This means that the auditor should perform procedures and tests on the basis of which it should arrive at a conclusion whether the system, controls, rules and procedures are present i.e. existing.

Moreover, the auditor must assess the

operating effectiveness

of systems, controls, rules and procedures for all relevant pillars (see Section 2 — Objectives above) except for the ‘independent external audit’ pillar, for which the auditor only assesses the design of the procedures for external audit.

The design and operating effectiveness of relevant systems, rules and procedures must be assessed against the criteria defined by the Commission for each pillar (see Section 5.4 below). For this purpose, the auditor must use the questionnaires provided by the Commission.

The auditor determines the nature, extent and timing of all the procedures and tests it deems necessary to perform in order to arrive at a conclusion with regard to the design and operating effectiveness of systems, controls, rules and procedures.

5.4. Criteria and materiality

For each pillar there are three levels of criteria which have been defined by the European Commission through the formulation of (key) questions in

Annex 2

Assessment questionnaire and criteria

and in

Annex 2a

Assessment questionnaire.

To determine what is a material weakness or deficiency in systems, controls, rules and procedures, the auditor must take into account the criteria and the levels of importance (i.e. scoring thresholds) defined by the Commission as these factors might influence the Commission's decision to entrust budget implementation tasks under indirect management to the entity.

Level 1 (Financial Regulation)

For each pillar there is

one

overarching level 1 question (in

Annex 2

Assessment questionnaire and criteria

) set on the basis of the Financial Regulation. This question is fundamental. Only two types of conclusions are possible:

— The answer to the question at level 1 is ‘yes’. This means that the entity complies with the requirements for the pillar concerned. The conclusion of the auditor must be formulated in the positive form, which is equivalent to an ‘unqualified opinion’.

— The answer to the question at level 1 is ‘no’. This means that the entity does

not

comply with the requirements for the pillar concerned. In this case, the conclusion must be formulated in the adverse form, which is equivalent to what is called an ‘adverse opinion’ under international standards.

Level 2 (Pillar key components)

Key questions at level 2 relate to criteria which the Commission considers essential. For this purpose, key questions and criteria are set for the key components of each pillar. Components are essentially ‘sub-pillars’, which in turn are composed of blocks of questions in

Annex 2a

Assessment questionnaire.

The auditor must apply professional judgement to

attribute a score on a scale of 0 to 10

each level 2 component

Annex 2

Assessment questionnaire and criteria

based on the information and evidence obtained from applying

Annex 2a

Level 3 (Assessment questionnaire with blocks of questions)

Annex 2a

Assessment questionnaire

includes blocks of questions that relate to the pillar key components at level 2. These blocks of detailed questions are non-exhaustive. This means that the auditor should use at least these (blocks of) questions to determine a score for each component at level 2.

The auditor can formulate additional questions and perform additional tests and procedures, as it deems necessary or appropriate. The auditor fully applies professional judgement for all questions in

Annex 2a

in order to attribute scores to the pillar key components at level 2.

5.5. Limitations in the scope

The auditor will inform the contracting authority of any

limitations in the scope

of work identified before or during the assessment, and discus with the contracting authority what action may be required and whether or how the assessment can be continued.

6. ASSESSMENT PROCEDURES

The auditor should perform the assessment in accordance with

Annex 3

Assessment procedures

, which cover documentation and evidence, planning, fieldwork and reporting. Annex 3 includes assessment procedures that the auditor should apply and procedures that the auditor may opt to use. The auditor's attention is drawn to the specific aspects set out in Sections 6.1 to 6.3 below. The auditor should exercise due professional care and judgement and determine the nature, timing and extent of assessment procedures to fit the objectives, scope and context of the assessment.

6.1. Documentation and evidence

The auditor should, in accordance with ISAE 3000, prepare documentation and obtain sufficient appropriate evidence to support assessment findings and to draw reasonable conclusions on which to base the conclusion of the assessment for each pillar. The auditor uses professional judgement to determine whether evidence is sufficient and appropriate (see Annex 3.1).

6.2. Planning and fieldwork

Start of the assessment

The assessment's official starting date is the date of signature of the contracting authority's order form or other applicable contractual document for the assessment. The auditor must then agree as soon as possible a date to start the fieldwork with the entity.

Preparatory meeting with the entity

The entity shall schedule a preparatory meeting with the auditor (see Annex 3.2.1), which will be held at [name and address of the entity]. The entity inform the Commission about this meeting, which may be attended by Commission representatives.

Procedures for assessment planning and fieldwork

The auditor's procedures should include obtaining an understanding of the engagement context, which is sufficient to design and perform further assessment procedures. This includes:

— obtaining evidence regarding the design of systems, controls, rules and procedures (Annex 3.3.1);

— performing tests of the operational effectiveness of systems, controls, rules and procedures (Annex 3.3.2);

— sampling and other means of selecting items for testing where appropriate (Annex 3.3.3);

— using the work of internal auditors where applicable (Annex 3.3.4).

6.3. Reporting

Use of the pillar assessment model report in Annex 4

The use of the model report for a pillar assessment in Annex 4 is compulsory.

Language

The report should be presented in [language]. [An executive summary of the assessment report in [English/French] should be provided along with the report] (See Annex). <

Remove if not applicable

Findings

There are two types of findings:

— Main findings

are findings that relate to material weaknesses or deficiencies in systems, controls, rules and procedures. ‘Material’ means that the auditor considers that these factors are so important for the Commission that they might influence its decision to entrust budget implementation tasks under indirect management to the entity. Hence, where material findings are found for a pillar this must lead the auditor to express an adverse conclusion for that pillar.

Main findings also include cases where several findings which taken individually do not relate to a material weakness or deficiency but when taken in the aggregate involve a finding of material weakness or deficiency. The combined impact of such findings is so significant (i.e. material) that this must lead the auditor to the conclusion that the entity does not meet the requirements for the pillar concerned (i.e. the conclusion is ‘No’).

— Other findings

are all non-material findings which the auditor believes should be brought to the attention of the entity. These findings relate to weaknesses and deficiencies in systems, controls, rules or procedures, which, individually or in the aggregate, involve a less immediate level of risk that objectives for the pillar concerned are not achieved.

Findings must be reported in accordance with the (table) formats specified in the model report for a pillar assessment in Annex 4. Main findings as well as other findings by the Auditor may be the basis for supervisory measures to be taken by the Commission in accordance with Article 154(5) of the Financial Regulation.

Recommendations

There are two types of recommendations:

— Critical recommendations

relate to material weaknesses and deficiencies in systems, controls, rules or procedures and to cases where the Commission's criteria and/or internationally accepted standards for pillars are not complied with (on a regular basis).

— Other recommendations

relate to all other findings that are not of a material nature. In these cases, the weaknesses and deficiencies in systems, controls, rules or procedures have no major and immediate impact on the objectives of these systems, controls, rules or procedures. Nevertheless, it is relevant for the entity to implement the suggested measures, as this would give it an opportunity to improve its systems, controls, rules or procedures and to achieve greater effectiveness and/or efficiency.

Recommendations must be reported in accordance with the (table) formats specified in the model report for a pillar assessment in Annex 4.

Conclusions

The assessment report should include a conclusion for each pillar. There are two types of conclusions. Conclusions must either be formulated in the positive form (i.e. ‘has set up’, ‘uses’, ‘is subject to’ or ‘applies’) or by using an adverse formulation (i.e. ‘has not set up’, ‘does not use’, ‘is not subject to’ or ‘does not apply’).

The use of a conclusion of the qualified type (i.e. using the ‘except for’ formulation) is not possible in a pillar assessment.

Date of the assessment report

The date of draft and pre-final reports should be the date when these reports are sent for consultation. The date of the

final

assessment report should be the date when the

final

independent auditor's report is signed (Annex 3.4.2).

Procedures and timetable for submitting draft and final assessment reports

The auditor should comply with the procedures and timetable for the consultation and submission of the draft and final assessment report, as set out in Annex 3.4.3 and 3.4.4.

The auditor's attention is specifically drawn to the following:

— The auditor should submit a

draft report

to the entity within [

21;

to be determined by the contracting authority]

calendar days after the day of the closing meeting

(i.e. the end of field work).

— The period between the

assessment closing meeting

and the submission to the entity of the

final assessment report

should

not exceed

[

105;

to be determined by the contracting authority]

calendar days

or [15] weeks. The auditor should explain and document any reporting delays in the working papers.

7. OTHER MATTERS

7.1. Information on practices for calculation and reporting of costs

Any information provided by an entity for the purposes of this assessment on the methodology used for the calculation and reporting of costs shall not be considered as approved by the Commission with regards to the budget of any specific action. Such approval is only possible where the specific procedures established in the Commission decision on the

ex ante

assessment of unit costs and flat rates (also known as ‘Simplified Cost Options’) have been followed. In the absence of an

ex ante

assessment of Simplified Cost Options, the eligibility of costs for any specific action shall be determined exclusively by reference to the provisions of the relevant Agreement(s) with the entity.

7.2. Follow-up

The contracting authority may request that the auditor provide further assistance as part of the follow-up on the final assessment report. The contracting authority may also request that the auditor re-assess one or more pillars if the final assessment report concluded that the entity did not comply with the requirements for the pillar(s) concerned.

These ToR do not cover any further assistance provided by the auditor in connection with the contracting authority's follow-up on the final assessment report; if such assistance is required the contracting authority will need to issue an addendum to the order form or to the other applicable contractual document for such an engagement.

7.3. Various matters

Annexes

Annex 1

Engagement context — Key information for a pillar assessment

Annex 2

Assessment questionnaire and criteria

Annex 2a

Assessment questionnaire

Annex 3

Assessment procedures

Annex 4

Pillar assessment report

IMPORTANT

: Annexes 1 to 4 form an integral part of the present terms of reference.

(1) Regulation (EU, Euratom) 2018/1046.

(2) A reference to ‘financial instruments’ is deemed to also include budgetary guarantees.

(3) The Commission may be the contracting authority in duly justified cases.

(4) Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EC EEC (

OJ L 157, 9.6.2006, p. 87

), as amended by Directive 2014/56/EU of the European Parliament and of the Council of 16 April 2014 (

OJ L 158, 27.5.2014, p. 196

(5) Where the audit body is not from the private sector, equivalent levels of seniority, qualifications and experience should be applied.

Annex 1

Engagement context — Key information for a pillar assessment

ENTITY SUBJECT TO ASSESSMENT

PILLAR

PILLAR SUBJECT TO ASSESSMENT(1)

1.	INTERNAL CONTROL

YES

2.	ACCOUNTING

YES

3.	EXTERNAL AUDIT

YES

GRANTS

YES/NO

5.	PROCUREMENT

YES/NO

6.	FINANCIAL INSTRUMENTS (2)

YES/NO

7.	EXCLUSION FROM ACCESS TO FUNDING

YES

8.	PUBLICATION OF INFORMATION ON RECIPIENTS

YES

9.	PROTECTION OF PERSONAL DATA

YES

Pillars 1, 2, 3, 7, 8 and 9 are always subject to assessment (3).

Pillars 4 to 6 may be subject to assessment, depending on the nature of the budget implementation tasks to be entrusted.

CONTACT DETAILS
Entity: [full name of the entity subject to assessment]
Address	Country
Phone	Fax
Website
Key contact
Name	Function	<indicate executive function e.g. Director, General Manager, Head of Finance and Accounting>
Email	Phone/Fax
Delegation of the European Union in [Country] <delete this table if not applicable>
Address	Country
Phone	Fax
Key contact
Name	Function
Email	Phone/Fax
European Commission service responsible for the relevant EU funding programme <delete if not applicable>
Key contact
Name	Function/unit
Email	Phone/Fax

PILLAR 1 — INTERNAL CONTROL

Please provide a description (maximum 5 pages) of the

internal control system

addressing:

— The control environment

— integrity and ethical values

— organisational structure and assignment of authority

— governance oversight structure

— Risk assessment

— Control activities including:

— segregation of duties (including measures for avoiding conflicts of interest)

— information processing and computerised information systems (including general IT controls, application controls, data integrity and audit trails)

— prevention, detection and correction of errors, fraud and irregularities

— bank/cash management

— payroll and time management

— Information and communication

— internal reporting

— external reporting: financial statements; reporting to donors

— Monitoring

— monitoring of (the components of) the internal control system

— internal audit function.

PILLAR 2 — ACCOUNTING

Please provide a description (maximum 5 pages) of the

accounting system

— Accounting system and policies

— Budgeting

— Accounting and budgeting for projects, activities, (trust) funds and financial instruments.

PILLAR 3 — INDEPENDENT EXTERNAL AUDIT

Please provide a description (maximum 5 pages) of the

external audit function

, addressing:

— The regulatory framework for external audit

— The external auditor of the entity and audit standards.

PILLAR 4 — GRANTS

Please provide a description (maximum 5 pages) of the entity’s

grants system

, addressing:

— The legal and regulatory framework

— Grants principles, covering in particular measures to avoid conflicts of interest throughout the grants award process

— Types of grants used

— Organisation (tasks and responsibilities)

— Documentation and filing of the grants process

— Grants procedures, including:

— publication of call for proposals

— submission of proposals

— security and confidentiality of proposals

— receipt, registration and opening of proposals

— selection and evaluation procedures

— awarding of grants

— notification and publication

— grant agreements and contracts.

PILLAR 5 — PROCUREMENT

Please provide a description (maximum 5 pages) of the entity’s

procurement system

addressing:

— The legal and regulatory framework

— Procurement principles, particularly:

— transparency measures such as

ex ante

publication of calls for tenders and

ex post

publication of contractors

— measures to avoid conflicts of interest throughout the procurement process

— Types of procurement used (works, services, supplies)

— Types of competitive procurement procedures used

— Organisation (tasks and responsibilities)

— Documentation and filing of the procurement process

— Procurement procedures:

— invitation to tender

— selection and evaluation procedures and award of contracts

— complaints system.

PILLAR 6 — FINANCIAL INSTRUMENTS

(4)

Please provide a description (maximum 5 pages) of

financial instruments

, addressing:

— The legal and regulatory framework. Aspects to be covered:

— descriptions of the instruments, including investment strategies or policies, the type of support provided, the criteria for eligibility for financial intermediaries and final recipients, and additional operational requirements transposing the policy objectives of the instrument;

— the requirements for a target range of values for the leverage effect (the EU contribution to a financial instrument shall aim to mobilise a total investment exceeding the size of the EU contribution according to the indicators defined in advance);

— a definition of non-eligible activities;

— provisions ensuring alignment of interests and addressing possible conflicts of interest;

— provisions for selecting financial intermediaries (financial intermediaries must be selected on the basis of open, transparent, proportionate and non-discriminatory procedures, avoiding conflicts of interest) and for setting up dedicated investment vehicles, if applicable;

— provisions on the liability of the entrusted entity and of other entities involved in implementing the financial instruments;

— provisions on the settlement of disputes;

— provisions on the governance of the instruments;

— provisions regarding the use and re-use of the EU contribution where applicable (Article 209 of the FR);

— provisions for managing contributions from the EU and for managing fiduciary accounts, including counterparty risks, acceptable treasury operations, responsibilities of parties concerned, remedial actions in the event of excessive balances on fiduciary accounts, record keeping and reporting;

— rules for accounting and financial reporting (separate financial reporting for each financial instrument);

— provisions on the duration, the possibility of extension, and the termination of the instrument, including the conditions for early termination and, where appropriate, exit strategies;

— provisions on the monitoring of the implementation of support to financial intermediaries and final recipients, including reporting by the financial intermediaries;

— Basic principles: financial instruments shall be used in accordance with the principles of sound financial management, transparency, proportionality, non-discrimination, equal treatment and subsidiarity and in accordance with their objectives;

— Guidelines and operating rules for the use of financial instruments;

— Organisation (tasks and responsibilities);

— Credit risk management system and internal risk rating system — if applicable (only for entities that plan to request a budgetary guarantee from the EU);

— Rules and procedures for controls related to tax avoidance and non-cooperative jurisdictions;

— Rules and procedures for controls related to money laundering or terrorist financing.

PILLAR 7 — EXCLUSION FROM ACCESS TO FUNDING

Please provide a description (maximum 5 pages) of the entity’s

exclusion system

, addressing:

— The legal and regulatory framework

— Exclusion criteria.

— Procedures. State in particular if the aspects listed above are covered in the procedures and how they are applied.

PILLAR 8 — PUBLICATION OF INFORMATION ON RECIPIENTS

Please provide a description (maximum 5 pages) of the entity’s system for

publishing information on recipients

of funds, addressing:

— The legal and regulatory framework;

— Requirements for publication. State in particular if the following aspects are covered in the procedures and how they are applied:

— name, locality, nature and purpose, amount;

— timing;

— means of publication.

PILLAR 9 — PROTECTION OF PERSONAL DATA

Please provide a description (maximum 5 pages) of the entity’s system of

protection of personal data

, addressing:

— The legal and regulatory framework

— Requirements for the protection of personal data. State in particular if these requirements are covered in the procedures and how they are applied.

(1) The entity should state here YES or NO to indicate whether the pillar is subject to assessment.

(2) The reference to ‘financial instruments’ is deemed to also include budgetary guarantees.

(3) In the exceptional case that neither the rules and procedures for grants, nor for procurement nor for financial instruments are assessed (i.e. none of the pillars 4 to 6), there is no need to assess the rules and procedures for exclusion and publication (i.e. pillars 7 and 8).

(4) ‘Financial instruments’ also includes budgetary guarantees.

Annex 2

ASSESSMENT QUESTIONNAIRE AND CRITERIA

PILLAR 1 — INTERNAL CONTROL

Level 1 (Financial Regulation). Has the entity set up and ensured the functioning in all material respects of an effective, efficient and economical internal control system based on international best practices and in line with the criteria set by the European Commission?

YES/NO

Level 2 criteria/questions (5 components for internal control)

SCORE

(0 – 10)

1.	Control environment Does the entity’s control environment provide an adequate basis for carrying out internal control across the organisation?

../10

2.	Risk assessment Does the entity identify risks to the achievement of its objectives across the entity, including assessing the potential for fraud, and are risks analysed as a basis for determining how they should be managed?

../10

3.	Control activities Does the entity deploy effective and efficient control activities, including preventing, detecting and correcting irregularities and fraud?

../10

4.	Information and communication Does the entity have controls and procedures in place which ensure reliable reporting — both internal and external (inbound and outbound) — in line with applicable requirements and standards?

../10

5.	Monitoring Does the entity monitor internal controls regularly and effectively?

../10

Total score

../50

SCORE

Answer to level 1 question is YES if the total score for all 5 components is at least 70 % and the score for each individual component is at least 2/10 or 20 %.

Answer to level 1 question is NO if the total score is less than 70 % or the score for one individual component is lower than 2/10 or 20 %.

PILLAR 2 — ACCOUNTING

Level 1 (Financial Regulation). Does the entity use an accounting system that provides in all material respects accurate, complete and reliable information in a timely manner, based on international accounting standards and in line with the criteria set by the European Commission?

YES/NO

Level 2 criteria/questions (3 components for accounting)

SCORE

(0 – 10)

1.	Accounting system and policies Does the entity use an adequate accounting system, and does it have clear and written accounting policies?

../10

2.	Budgeting Does the entity have a budget system and procedures which result in transparent and reliable budgets for its operations and activities?

../10

Accounting and budgeting for specific projects, activities, (trust) funds and financial instruments (1), where relevant

Does the entity have: (i) accounting and budgeting procedures which enable adequate and timely reporting to donors/fund providers (including the European Commission) on the use of funds provided by them for projects, activities, (trust) funds and financial instruments; and (ii) the capacity and processes in place to produce financial statements (2)?

../10

Total score

../30

SCORE

Answer to level 1 question is YES if the total score for all 3 components is at least 70 % and the score for each individual component is at least 2/10 or 20 %.

Answer to level 1 question is NO if the total score is less than 70 % or the score for one individual component is lower than 2/10 or 20 %.

PILLAR 3 — INDEPENDENT EXTERNAL AUDIT

Level 1 (Financial Regulation). Is the entity subject to an independent external audit, required to be performed in all material respects in accordance with internationally accepted auditing standards by an audit service that is functionally independent of the entity, and in accordance with the criteria set by the European Commission?

YES/NO

Level 2 criteria/questions (3 components for independent external audit)

SCORE

(0 – 10)

1.	Legal and regulatory framework Does the entity have a clear regulatory framework for external audit?

../10

Principles

Three possible situations can be distinguished depending on the applicable regulatory framework and the standards on auditing.

Key question (level 2) — Applies if the external audit is performed by an independent professional external audit firm (private sector) in accordance with standards equivalent to international standards on auditing. Is the entity subject to an external audit which is:

—	performed by a professional external audit firm which is independent from the entity and which complies with the fundamental principles of professional ethics, which include: integrity, objectivity, professional competence and due care, confidentiality and professional behaviour?

—	performed in accordance with auditing standards equivalent to the international standards on auditing (‘ISAs’) issued by the International Auditing and Assurance Standards Board (IAASB)?

Key question (level 2) — Applies if the external audit is performed by a national audit institution (public sector) in accordance with standards equivalent to international standards on auditing. Is the entity subject to an external audit which is:

—

performed by a national audit institution or a supreme audit institution (e.g. a national court of auditors or equivalent body) which is independent from the entity and which complies with the fundamental principles of professional ethics, which include: integrity, objectivity, professional competence and due care, confidentiality and professional behaviour?

—	performed in accordance with auditing standards equivalent to principles, standards and guidance issued by the International Organisation of Supreme Audit Institutions (INTOSAI)?

Key question (level 2) — Applies if the external audit is performed by an external audit or oversight body which operates under a specific regulatory or institutionalised framework (e.g. external auditor of the UN) and which is independent from the entity in accordance with standards equivalent to international standards on auditing. Is the entity subject to an external audit which is:

—	performed by an external audit or oversight body which is independent from the entity and which complies with the fundamental principles of professional ethics, which include: integrity, objectivity, professional competence and due care, confidentiality and professional behaviour?

—	performed in accordance with auditing standards equivalent to the international standards on auditing (‘ISAs’) or INTOSAI standards?

../10

3.	External audit procedures Is the entity subject to appropriate external audit procedures?

../10

Total score

../30

SCORE

Answer to level 1 question is YES if the total score for all 3 components is at least 70 % and the score for each individual component is at least 2/10 or 20 %.

Answer to level 1 question is NO if the total score is less than 70 % or the score for one individual component is lower than 2/10 or 20 %.

PILLAR 4 — GRANTS

Level 1 (Financial Regulation). Does the entity apply appropriate rules and procedures for providing financing from EU funds through grants and in accordance with the criteria set by the European Commission?

YES/NO

Level 2 criteria/questions (3 components for grants)

SCORE

(0 – 10)

1.	Legal and regulatory framework Does the entity have a clear legal and regulatory framework for providing grants?

../10

Principles

Are the following principles integrated in the procedures, rules and criteria of the entity’s grant award system: transparency, equal treatment, eligibility criteria, avoiding double funding, conflicts of interest?

These principles must be integrated in the procedures, rules and criteria of the entity’s grant award system in accordance with the overarching principle of proportionality. Principles are not absolute and a limited number of exceptions can be allowed provided that such exceptions are clearly stated, reasonable and justified.

../10

3.	Grants procedures Does the entity apply appropriate rules and procedures for providing financing from EU funds through grants and in accordance with the criteria set by the European Commission?

../10

Total score

../30

SCORE

Answer to level 1 question is YES if the total score for all 3 components is at least 70 % and the score for each individual component is at least 2/10 or 20 %.

Answer to level 1 question is NO if the total score is less than 70 % or the score for one individual component is lower than 2/10 or 20 %.

PILLAR 5 — PROCUREMENT

Level 1 (Financial Regulation). Does the entity apply appropriate rules and procedures in all material respects for providing financing from EU funds through procurement and in accordance with the criteria set by the European Commission?

YES/NO

Level 2 criteria/questions (3 components for procurement)

SCORE

(0 – 10)

1.	Legal and regulatory framework Does the entity have a clear legal and regulatory framework for procurement?

../10

Principles

Are the following principles integrated in the procedures, rules and criteria of the entity’s procurement system: transparency, equal treatment, public access to procurement information, conflicts of interest and use of competitive tendering procedures and best value for money?

These principles must be integrated in the procedures, rules and criteria of the entity’s procurement system in accordance with the overarching principle of proportionality. Principles are not absolute and a limited number of exceptions can be allowed provided that such exceptions are clearly stated, reasonable and justified.

../10

3.	Procurement procedures Does the entity apply appropriate rules and procedures for procurement?

../10

Total score

../30

SCORE

Answer to level 1 question is YES if the total score for all 3 components is at least 70 % and the score for each individual component is at least 2/10 or 20 %.

Answer to level 1 question is NO if the total score is less than 70 % or the score for one individual component is lower than 2/10 or 20 %.

PILLAR 6 — FINANCIAL INSTRUMENTS (3)

Level 1 (Financial Regulation). Does the entity apply appropriate rules and procedures in all material respects for providing financing from EU funds/budgetary guarantees through financial instruments/budgetary guarantees, and in accordance with the criteria set by the European Commission?

YES/NO

Level 2 criteria/questions (3 components for financial instruments)

SCORE

(0 – 10)

1.	Legal and regulatory framework Does the entity have a clear legal and regulatory framework for the use and implementation of financial instruments/budgetary guarantees?

../10

Principles

Are the following principles and conditions integrated in the procedures, rules and criteria of the entity’s financial instruments/budgetary guarantees?

Basic principles (Article 209(1) FR). Sound financial management, transparency, proportionality, non-discrimination, equal treatment and subsidiarity.

Selection of financial intermediaries (Article 216(3) FR). Financial intermediaries must be selected on the basis of open, transparent, proportionate and non-discriminatory procedures, avoiding conflicts of interest.

Conditions for financial instruments and budgetary guarantees (Article 209(2) FR). Financial instruments and budgetary guarantees must comply with the following basic conditions: address market failures or sub-optimal investment situations, additionality, leverage effect and alignment of interest, as well as, where applicable, non-distortion of competition in the internal market and consistency with State aid rules.

../10

3.	Financial instruments/budgetary guarantees procedures Does the entity apply appropriate rules and procedures for the use of financial instruments/budgetary guarantees?

../10

Total score

../30

SCORE

Answer to level 1 question is YES if the total score for all 3 components is at least 70 % and the score for each individual component is at least 2/10 or 20 %.

Answer to level 1 question is NO if the total score is less than 70 % or the score for one individual component is lower than 2/10 or 20 %.

PILLAR 6 — FINANCIAL INSTRUMENTS — additional Section 6A (additional questions for budgetary guarantees (4) )

Level 2 criteria/questions (four additional components for budgetary guarantees) Does the entity have a credit risk management system and utilise an internal risk rating system appropriate to the nature, size and complexity of its activities?

YES/NO

1.	Risk policy/strategic framework Does the entity have a sound policy and strategy in place to identify, manage, measure and control risk (focus on credit risk)?

../10

2.	Risk governance Does the entity have an appropriate organisational framework to enable effective credit risk management, measurement and control, with sufficient qualitative and quantitative human and technical resources to carry out the required tasks?

../10

3.	Credit risk identification, analysis and monitoring system Does the entity have a well-functioning system of credit risk identification, analysis and monitoring?

../10

4.	Internal risk rating system (IRRS) Does the entity utilise an internal risk rating system (IRRS) appropriate to the nature, size and complexity of its activities?

../10

Total score

../40

SCORE

Answer to level 2 question is YES if the total score for all 4 components is at least 70 % and the scores for each component are at least 2/10 or 20 %.

Answer to level 2 question is NO if the total score is less than 70 % or the score for one component is lower than 2/10 or 20 %

PILLAR 6 – FINANCIAL INSTRUMENTS — additional sections 6B and 6C (optional (5) )

Level 1. Does the Entity implement in the selection/implementation of financial instruments/budgetary guarantees supported by Union funds, standards equivalent to applicable Union legislation and agreed international and Union standards, and therefore: a) does not support actions that contribute to tax avoidance and b) does not enter into operations with entities incorporated or established in non-cooperative jurisdictions for tax purposes?

YES/NO

Level 2 criteria/questions (2 components for controls related to tax avoidance and non-cooperative jurisdictions)

SCORE

(0 – 10)

Controls related to Tax avoidance and Non-Cooperative Jurisdictions (NCJs)

Does the Entity implement in the selection/implementation of financial instruments/budgetary guarantees supported by Union funds, standards equivalent to applicable Union legislation and agreed international and Union standards(6) and therefore:

1)	does not support actions that contribute to tax avoidance and

2)	does not enter into operations with entities incorporated or established in non-cooperative jurisdictions for tax purposes,

../10

Level 1. Does the Entity implement in the selection/implementation of financial instruments/budgetary guarantees, standards equivalent to applicable Union legislation and agreed international and Union standards, and therefore: c) does not support actions contributing to money laundering and terrorism financing and d) does not enter into new or renewed operations with entities incorporated or established in jurisdictions identified as high risk third countries?

YES/NO

Level 2 criteria/questions (2 components for controls related to anti-money laundering and countering terrorism financing)

SCORE

(0 – 10)

Anti-Money Laundering (AML) and Countering Terrorism Financing (CTF)

Does the Entity implement in the selection/implementation of Financial Instruments/Budgetary Guarantees, standards equivalent to applicable Union legislation and agreed international and Union standards that provide reasonably effective safeguards and therefore:

1)	does not support actions contributing to money laundering and terrorism financing and

2)	does not enter into new or renewed operations with entities incorporated or established in jurisdictions identified as high risk third countries(7)

../10

Answer to level 1 question is YES if the total score for the relevant section is at least 70 %.

Answer to level 1 question is NO if the total score for the relevant section is less than 70 %.

PILLAR 7 — EXCLUSION FROM ACCESS TO FUNDING

Level 1 (Financial Regulation). Does the entity apply appropriate rules and procedures for excluding third parties from access to funding through procurement, grants and/or financial instruments (8) ?

YES/NO

Level 2 criteria/questions (3 components for exclusion from access to funding)

SCORE

(0 – 10)

1.	Legal and regulatory framework Does the entity have a clear legal and regulatory framework regarding exclusion from funding?

../10

2.	Exclusion criteria Are exclusion criteria integrated in the procedures and rules for the award of procurement contracts, grants and/or financial instruments?

../10

3.	Exclusion procedures Does the entity effectively apply rules and procedures for exclusion referred to under 2?

../10

Total score

../30

SCORE

Answer to level 1 question is YES if the total score for all 3 components is at least 70 % and the score for individual components 1 or 3 is at least 2/10 or 20 % or the score for individual component 2 is at least 5/10 or 50 %.

Answer to level 1 question is NO if the total score is less than 70 % or the score for individual components 1 or 3 is lower than 2/10 or 20 % or the score for individual component 2 is lower than 5/10 or 50 %.

PILLAR 8 — PUBLICATION OF INFORMATION ON RECIPIENTS AND OTHER INFORMATION

Level 1 (Financial Regulation) Does the entity make public information on the recipients of funds in an appropriate and timely manner (9) ?

YES/NO

Level 2 criteria/questions (3 components for publication of recipients)

SCORE

(0 – 10)

Legal and regulatory framework

Does the entity have a clear legal and regulatory framework on publication of recipients, covering (1) the publication of appropriate information on fund beneficiaries; (2) a reference to a common international standard ensuring protection of fundamental rights and of commercial interests; and (3) regular publication updates?

../10

2.	Requirements If the regulatory framework is implemented by an additional set of procedures for publication, do the latter integrate its requirements?

../10

3.	Publication procedures Does the entity effectively apply rules and procedures for publication based on the requirements mentioned under 2?

../10

Total score

../30

SCORE

Answer to level 1 question is YES if the total score for all 3 components is at least 70 % and the score for each individual component is at least 2/10 or 20 %.

Answer to level 1 question is NO if the total score is less than 70 % or the score for one individual component is lower than 2/10 or 20 %.

PILLAR 9 — PROTECTION OF PERSONAL DATA

Level 1 (Financial Regulation) Does the entity ensure protection of personal data equivalent to that referred to in Article 5 of the FR (10) ?

YES/NO

Level 2 criteria/questions (3 components for protection of personal data)

SCORE

(0 – 10)

1.	Legal and regulatory framework Does the entity have a clear legal and regulatory framework regarding protection of personal data?

../10

2.	Requirements Are requirements integrated in the procedures and rules for the protection of personal data?

../10

3.	Procedures Does the entity effectively apply rules and procedures (e.g. appropriate technical and organisational measures) for protection of personal data (in the provision of grants/procurement/financial instruments, as appropriate) based on the requirements mentioned under 2?

../10

Total score

../30

SCORE

Answer to level 1 question is YES if the total score for all 3 components is at least 70 % and the score for each individual component is at least 2/10 or 20 %.

Answer to level 1 question is NO if the total score is less than 70 % or the score for one individual component is lower than 2/10 or 20 %.

(1) Reference to ‘financial instruments’ is deemed to also include budgetary guarantees.

(2) Cf. Article 209(4) of the 2018 EU Financial Regulation (FR).

(3) Reference to ‘financial instruments’ and ‘EU funds’ is deemed to also include budgetary guarantees.

(4) Only applicable if the entity plans to request a budgetary guarantee from the EU.

(5) In order to implement Union funds through financial instruments, the entity will need to comply with the relevant requirements under the Financial Regulation covered in the additional sections 6B and 6C through appropriate contractual arrangements, even if opting not to undergo the pillar assessment of these sections.

(6) The EU tax policy and regulatory framework includes, in particular and subject to further developments: Code of Conduct for business taxation, 1.12.1997 (

OJ C 2, 6.1.1998

); Council Directive 2011/96/EU of 30 November 2011 on the common system of taxation applicable in the case of parent companies and subsidiaries of different Member States (

OJ L 345, 29.12.2011, p. 8

); Council Directive 2003/49/EC of 3 June 2003 on a common system of taxation applicable to interest on royalty payments made between associated companies of different Member States (

OJ L 157, 26.6.2003, p. 49

); Commission Recommendation 2012/772/EU of 6 December 2012 on aggressive tax planning (

OJ L 338, 12.12.2012, p. 41

); Council Directive 2011/16/EU of 15 February 2011 on administrative cooperation in the field of taxation and repealing Directive 77/799/EEC (

OJ L 64, 11.3.2011, p. 1

); Commission Anti-Tax Avoidance Package: Next steps towards delivering effective taxation and greater tax transparency in the EU (COM/2016/23), Commission Recommendation (EU) 2016/136 of 28 January 2016 on the implementation of measures against tax treaty abuse (

OJ L 25, 2.2.2016, p. 67

); Council Directive (EU) 2016/1164 of 12 July 2016 laying down rules against tax avoidance practices that directly affect the functioning of the internal market (

OJ L 193, 19.7.2016, p. 1

); ECOFIN Council conclusions of 12 February, 8 March, 25 May, 17 June, 8 November and 5 December 2016, 5 December 2017, 23 January and 13 March 2018.

(7) Taking into account Directive (EU) 2015/849.

(8) The exclusion of third parties must be assessed for grants, procurement and/or financial instruments when the respective pillar (grants, procurement and financial instruments) has been assessed. Reference to ‘financial instruments’ and ‘EU funds’ is deemed to also include budgetary guarantees.

(9) The publication of information on recipients must be assessed for grants, procurement and/or financial instruments once the corresponding pillar (grants, procurement and financial instruments) has been assessed.

(10) In line with Regulations (EU) 2018/1725 and (EU) 2016/679.

Annex 2A

ASSESSMENT QUESTIONNAIRE

PILLAR

PILLAR SUBJECT TO ASSESSMENT (1)

1.	INTERNAL CONTROL

YES

2.	ACCOUNTING

YES

3.	EXTERNAL AUDIT

YES

GRANTS

YES/NO

5.	PROCUREMENT

YES/NO

6.	FINANCIAL INSTRUMENTS (2)

YES/NO

7.	EXCLUSION FROM ACCESS TO FUNDING

YES

8.	PUBLICATION OF INFORMATION ON RECIPIENTS

YES

9.	PROTECTION OF PERSONAL DATA

YES

Pillars 1, 2, 3, 7, 8 and 9 are always subject to assessment.

Pillars 4 to 6 may be subject to the assessment, depending on the nature of the implementation tasks to be entrusted.

PURPOSE AND USE OF THIS DOCUMENT

In a first phase, the entity will be requested to complete relevant questions in Annex 2a and to submit a completed Annex 2a to the contracting authority (if different to the entity itself) and the auditor.

Attention: the entity is requested to complete questions indicated with ‘to be completed by entity’, ‘TBCBE’ in the column with the heading ‘Entity comments’. Key questions must only be completed by the auditor based on its professional judgement and the assessment procedures and tests performed.

The contracting authority will provide a completed Annex 2a questionnaire to the auditor as soon as possible after the auditor has been contracted but prior to the start of the auditor's assessment procedures.

In a second phase, Annex 2a will become a support tool used by the auditor to design, plan and perform the assessment procedures and to take into account the criteria which the European Commission deems essential or important for the entity subject to assessment to comply with.

The completed questionnaire is an essential source of assessment information and evidence for the auditor. However, it is by no means the only source to be used by the auditor to plan and perform assessment procedures and to draw conclusions. All information completed and provided by the entity is subject to the assessment procedures the auditor deems necessary. The auditor must not rely on information until it has ensured through assessment procedures that the information is sufficiently accurate and complete for the purpose of the assessment and to arrive at informed conclusions for key questions.

Hence the auditor may modify, complete and add information in the ‘Auditor comments’ column as it sees fit. The auditor may also add additional questions if it considers that this is necessary to arrive at an informed conclusion for key questions.

Use of the column ‘Auditor comments’ — It is highly recommended that the auditor uses as much as possible comments and narratives in summary form to avoid entering lengthy texts in the ‘Auditor comments’ column. The auditor may adapt the width and/or length of this column to enter information and comments. Alternatively, the auditor may use attachments (e.g. long narratives and/or documents obtained from the entity) which can be referred to.

The auditor remains fully responsible at all times for designing, planning and performing the assessment procedures it deems necessary to arrive at a conclusion for each pillar covered by the assessment. The auditor must take into account the specific engagement circumstances and apply professional judgement throughout the assessment process.

PILLAR 1 — INTERNAL CONTROL
KEY QUESTION (level 1)	Auditor comments
Has the entity set up and ensured the functioning in all material respects of an effective, efficient and economical internal control system and in accordance with the criteria set by the European Commission?
Guidance Article 154 of the Financial Regulation The Commission may accept that the accounting systems and the internal control systems used by entities and persons entrusted with the implementation of Union funds or budgetary guarantees are providing equivalent levels of protection of the financial interests of the Union and of reasonable assurance of achieving the management objectives.

PILLAR 1 — INTERNAL CONTROL

1.	CONTROL ENVIRONMENT — questions/criteria

Entity comments

Auditor comments

Key question (level 2): Does the control environment of the entity provide an adequate basis for carrying out internal control across the organisation?

Note: The control environment includes the governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity's internal control and its importance in the entity.

1.1.	Integrity and ethical values. Does management demonstrate a commitment to communicate and enforce integrity and ethical values?

1.1.1

Is there a written code of conduct that is communicated to all staff or a staff manual containing provisions promoting ethical behaviour and values?

TBCBE

1.1.2

Does management stress and communicate the importance of integrity and ethical values to staff (‘tone from the top’)?

TBCBE

1.1.3

Are there procedures (e.g. disciplinary sanctions, financial and personal liability) for staff who do not comply with integrity rules and ethical values?

TBCBE

1.1.4

Are there procedures in place to deal with possible conflicts of interest at management level?

TBCBE

1.2.	Organisational structure and assignment of authority and responsibility. Does the entity have a clear and adequate organisational structure and are key responsibilities clearly defined?

1.2.1

Does the entity have a clear organisational structure (i.e. the framework within which an entity's activities for achieving its objectives are planned, executed, controlled and reviewed) which supports good management and governance?

TBCBE

1.2.2

What is the decision-making structure and who is the highest decision-making authority?

TBCBE

1.2.3

Are reporting lines and responsibilities clearly defined? For example: are responsibilities, authorities and reporting lines clearly stipulated in employment contracts and/or operating manuals?

TBCBE

1.2.4

Are job descriptions available?

TBCBE

1.2.5

How are the authority and responsibility for operating activities assigned and how are reporting relationships and authorisation hierarchies established?

TBCBE

1.2.6

What are the policies and practices that relate to, for example, recruitment, orientation, training, evaluation, counselling, promotion, compensation and remedial actions?

TBCBE

1.3.	Governance oversight structure. Does the entity have an adequate governance oversight structure?

1.3.1

Is there a governance oversight body (e.g. oversight authorities, audit committee, regulators, governing board, executive body) which is independent of the management of the entity?

TBCBE

1.3.2

Are there rules for the appointment, remuneration and resignation of members of the governance oversight body?

TBCBE

1.3.3.

If there is no governance oversight body, has the entity's management taken measures to carry out its governance oversight responsibilities?

TBCBE

1.3.4

Does the entity have an internal audit function? If yes, refer to Section 5.2.

TBCBE

1.3.5

If no, how (i.e. by what other measures) does management exercise oversight of the development and performance of internal control?

TBCBE

1.4.	Process for attracting, developing and retaining competent individuals. Does the entity demonstrate a commitment to attract, develop and retain competent individuals in alignment with objectives?

1.4.1

Does the entity have formal written human resources policies and practices?

TBCBE

1.4.2

Does the entity have recruitment and remuneration policies?

TBCBE

1.4.3

Does the entity have a staff development (covering development and training needs) and appraisal system?

TBCBE

PILLAR 1 — INTERNAL CONTROL

2.	RISK ASSESSMENT — questions/criteria

Entity comments

Auditor comments

Key question (level 2): Does the entity identify risks to the achievement of its objectives across the entity and are risks analysed as a basis for determining how they should be managed?

2.1

Does the entity specify its objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives?

2.2

Does the entity have risk assessment procedures in place which enable management to identify, assess and address existing or potential issues that may hamper the achievement of the entity's objectives?

TBCBE

2.3

Are risks assessed on a project basis or across the entity as a whole?

TBCBE

2.4

Are risk assessment procedures documented?

TBCBE

2.5

Does the entity have a risk register?

TBCBE

2.6

Does the entity have risk assessment procedures which:

—	Identify events and risks affecting the achievement of the objectives, including the potential for fraud?

—	Analyse the significance of risks and the likelihood of their occurrence?

—	Determine the actions and follow-up mechanisms needed in response to the risks?

—	Implement and modify controls to respond to changes in identified risks?

TBCBE

PILLAR 1 — INTERNAL CONTROL

3.	CONTROL ACTIVITIES — questions/criteria

Entity comments

Auditor comments

Key question (level 2): does the entity deploy effective and efficient control activities?

3.1.	General Does the entity have formal and written policies and procedures for control activities?

3.1.1

Does the entity deploy control activities

—	through formal, written policies and procedures?

—	that contribute to mitigating risks to the achievement of objectives to acceptable levels?

—	that are relevant i.e. based on an assessment of risks and of controls required to manage these risks?

TBCBE

3.1.2

Are the following key aspects addressed by the control activities deployed by the entity?

—	reliability of accounting and reporting (see Section 4 — Information and Communication);

—	safeguarding of assets and information;

—	compliance with rules in procurement and other expenditure processes;

—	prevention, detection and correction of errors, fraud and irregularities.

TBCBE

3.2.

Segregation of duties — general

Is there effective segregation of duties for following key functions:

—	authorising officer (i.e. mandate to authorise transactions for operational and/or financial issues) and accounting officer (i.e. authority to execute payments);

—	authorisation, processing, recording and reviewing of transactions;

—	operational and financial supervision.

3.2.1

Is segregation of duties formally stipulated, for example in an operating or procedures manual?

TBCBE

3.3.	Safeguarding of information — documentation, fling and record keeping Does the entity have adequate and effective procedures for documenting, filing and record keeping, and controls over the completeness and accuracy of information?

3.3.1

What are the main features of the entity's filing systems (electronic, paper, operating instructions, use of databases and electronic archiving systems)?

TBCBE

3.3.2

Identify and document key features of the filing system/procedures.

TBCBE

3.3.3

Does the entity have a specific policy or procedures for documentation and filing relating to the processes for grants, procurement and financial instruments?

Note: specific requirements may apply, such as transparency and confidentiality.

TBCBE

3.4.	Information processing and computerised information systems. Does the entity have effective procedures and controls over IT systems which maintain the integrity of information and the security of data these systems process?

3.4.1

Does the entity have formal and written procedures and controls with regard to its IT systems?

TBCBE

3.4.2

Does the entity have adequate and effective procedures for initiation, approval, recording, processing and reporting of transactions?

3.4.3

Does the entity apply an appropriate mix of manual and automated elements in internal control, taking into account the nature and complexity of the entity's use of IT and computerised information systems?

3.4.4

Do the controls over the entity's IT systems include effective general IT controls and application controls?

Guidance relating to computerised information systems

The entity's business/activity processes result in transactions that are initiated, recorded, processed and reported by the information system, which is either manually or computer operated or through a mix of manual and computer-operated procedures.

Is there an appropriate segregation of duties for key accounting functions i.e. for the initiation, approval, recording, processing (i.e. transfer to the general ledger) and reporting in the financial statements?

The use of IT affects the way that control activities are implemented. Controls over IT systems are effective when they maintain the integrity of information and the security of the data such systems process, and include effective general IT controls and application controls.

General IT controls are policies and procedures that relate to many applications and support the effective functioning of application controls. They apply to mainframe, miniframe and end-user environments. General IT controls that maintain the integrity of information and security of data commonly include controls over the following:

—	data centre and network operations;

—	system software acquisition, change and maintenance;

—	program change;

—	access security;

—	application system acquisition, development and maintenance.

Application controls are manual or automated procedures that typically operate at a business process level and apply to the processing of transactions by individual applications. Application controls can be preventative or detective in nature and are designed to ensure the integrity of the accounting records. Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data. These controls help ensure that transactions occurred, are authorised and are completely and accurately recorded and processed. Examples include edit checks of input data, and numerical sequence checks with manual follow-up of exception reports or correction at the point of data entry.

The use of manual or automated elements in internal control also affects the manner in which transactions are initiated, recorded, processed and reported:

—

Controls in a manual system may include such procedures as approvals and reviews of transactions, and reconciliations and follow-up of reconciling items. Alternatively, an entity may use automated procedures to initiate, record, process and report transactions, in which case records in electronic format replace paper documents.

—

Controls in IT systems consist of a combination of automated controls (for example, controls embedded in computer programs) and manual controls. Manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions. When IT is used to initiate, record, process or report transactions, or other financial data for inclusion in financial statements, the systems and programs may include controls related to the corresponding assertions for material accounts or may be critical to the effective functioning of manual controls that depend on IT.

An entity's mix of manual and automated elements in internal control varies with the nature and complexity of the entity's use of IT.

3.5.	Prevention, detection and correction of errors, fraud and irregularities Does the entity have adequate and effective procedures for the prevention, detection and correction of errors, fraud and irregularities?

3.5.1

Does the entity consider the potential for errors, fraud and irregularities in assessing risks to the achievement of objectives?

TBCBE

3.5.2

Does the entity identify (sensitive) posts with risk of collusion (e.g. bank and cash management, procurement and purchase functions) and are there supervisory measures (e.g. rotation of functions, additional controls)?

TBCBE

3.5.3

Are there procedures for the reporting and follow-up of errors, fraud and irregularities?

TBCBE

3.6.

Safeguarding of fixed assets

Does the entity have an adequate and effective fixed and intangible assets management system in place which ensures the safeguarding of fixed and intangible assets and tracks fixed assets for the purposes of financial accounting, preventive maintenance and theft deterrence?

3.6.1

Does the entity have a description of or procedures manual for its asset management system?

TBCBE

3.6.2

Obtain a sufficient understanding of the entity's asset management system i.e. practices and procedures for the acquisition and management of land and buildings, machinery, vehicles, equipment and intangible assets (e.g. intellectual property rights, licences).

Note: specific attention should be paid to procurement rules which are applicable for the acquisition of fixed and intangible assets (refer to pillar 5 — procurement).

Guidance

Document the above procedure with descriptions and references to relevant source material (e.g. systems, flowcharts, manuals etc.) and identify any shortcomings in the entity's asset management system.

Relevant issues include: roles and responsibilities (segregation of duties) for management of assets acquisition and purchase procedures, asset registration (use of asset registers, vehicle logbooks), controls and procedures for access, control and monitoring procedures, safeguard and access procedures, asset disposition and transfer of assets.

3.7.

Safeguarding of inventories and accounts receivable and debts

Does the entity have an adequate and effective inventory (supplies, goods and materials) management system in place which ensures the safeguarding of inventories and which tracks inventories for the purposes of financial accounting, preventive maintenance and theft deterrence?

Does the entity have an adequate and effective management system in place which ensures the reconciliation of payments with accounts receivable and debts?

3.7.1

Does the entity have a description of or procedures manual for its inventory management system?

TBCBE

3.7.2

Obtain a sufficient understanding of the entity's inventory management system (practices and procedures for the acquisition, purchase and management of supplies such as materials, tools, spare parts and office supplies).

Note: specific attention should be paid to procurement rules which are applicable for the acquisition of supplies, goods and materials (refer to pillar 5 — procurement).

Guidance

Relevant issues include: (i) roles and responsibilities for the management of inventories, acquisition and purchase procedures, and inventory records; (ii) safeguards, access and use; (iii) control and monitoring procedures, stock taking and reconciliations; (iv) use and disposal of stocks

3.8.	Bank management and safeguarding of cash in the bank Does the entity have an adequate and effective bank management system in place which ensures the safeguarding of bank accounts and which allows for the proper accounting of cash collected and used?

3.8.1

Does the entity have a description of or procedures manual for its bank management system?

TBCBE

3.8.2

Does the entity perform regular (at least on a monthly basis) reconciliations of accounting data held in the entity's accounts (general ledger account, cash book) with bank account data, and in such a way that no material differences are left unexplained?

3.8.3

Obtain a sufficient understanding of the entity's bank management system (practices and procedures for the management of bank accounts).

Guidance

Relevant issues include: roles and responsibilities (segregation of duties, access rights, use of a separate treasury function) for management of bank accounts, type of accounts (e.g. interest bearing, currencies used), use of dual signature procedures, regular bank reconciliations, supervision and control, use of dedicated/specific bank accounts for projects; treasury policies.

3.9.	Cash management and safeguarding of cash on hand Does the entity have an adequate and effective cash management system in place which ensures the safeguarding of (petty) cash and which allows for the proper accounting of cash collected and used?

3.9.1

Does the entity have a description of or procedures manual for its cash management system?

TBCBE

3.9.2

Does the entity perform regular (at least on a monthly basis) reconciliations of accounting data held in its accounts (general ledger account, cash book) with bank account data, and in such a way that no material differences are left unexplained?

3.9.3

Are there appropriate procedures for holding cash and cash counts?

3.9.5

Does the entity clear and reconcile suspense accounts and advances i.e. of cash payments made, from which no expenditures have yet been recorded, at least monthly within 30 days of the end of each month? Such advances may include travel advances and operational imprest(3) note accounts. This may also include transfers to other entities, which are classified as expenditures when they are made, even if reporting on any earmarked portion of the transfers is expected periodically.

3.9.6

Obtain a sufficient understanding of the entity's cash management system (practices and procedures for cash management).

Guidance

Relevant issues include: roles and responsibilities (segregation of duties, access rights, use of a separate treasury function) for cash management; procedures for cash handling and limits of cash to be held; regular petty cash counts and reconciliations; management of cash advances (use, authorisation, limits, monitoring and clearance).

3.10.

Recruitment.

Does the entity have adequate and effective procedures for the recruitment of staff (both permanent and temporary)?

3.10.1

Does the entity have a description of or procedures manual for its recruitment system?

TBCBE

3.10.2

Obtain a sufficient understanding of the entity's recruitment system (practices and procedures for the management of expatriate, local and other staff).

3.10.3

Perform a walkthrough of the recruitment process from the approval of the selection procedure to the signing of the employment contract.

Guidance

Document the above procedures with descriptions and references to relevant source material (e.g. systems, flowcharts, manuals etc.) and identify any shortcomings in the entity's recruitment procedures

Relevant issues include: roles and responsibilities for the management of staff; selection and approval procedures; determination and approval of salaries, allowances and other conditions of employment; use of employment contracts; job descriptions.

3.11.

Payroll and time management.

Does the entity have an adequate and effective payroll and time management system?

3.11.1

Does the entity have a description of or procedures manual for its payroll and time management system?

TBCBE

3.11.2

Obtain a sufficient understanding of the entity's payroll and time management system i.e. practices and procedures for payroll and time management.

3.11.3

Are the personnel database(4) and payroll directly linked to ensure data consistency? Are reconciliations performed on a regular basis (in principle monthly)?

3.11.4

Are payroll and time management systems linked to ensure correct calculation of salaries and wages where applicable?

3.11.5

Is authority to change records and payroll restricted and are audit trails available?

3.11.6

Are there appropriate (approval) procedures for changes to the personnel records?

3.11.7

Are there procedures for identifying control weaknesses and/or ghost workers? For example: are (annual) payroll audits performed by an internal audit capability?

3.11.8

Does the entity have a system to allocate staff, salaries and related costs to projects?

3.11.9

What principles (i.e. plausibility of basic assumptions used and allocation keys) does the entity use to allocate salaries and salary-related costs to projects? How is time spent by staff for specific projects approved and recorded?

Guidance

Relevant issues include: roles and responsibilities for the payroll and time management; recording, calculation and approval of salaries and salary components (fixed/variable; overtime; social security). Special attention should be paid to the entity's time management system: timekeeping procedures and records (use of timesheets), supervision control and approval procedures.

3.12.

Controls for other salary-related expenditure and allowances.

Does the entity have adequate and effective controls for other salary-related expenditure and allowances?

Key question (level 3):

3.12.1

Does the entity have a description of or procedures manual for its controls of other salary-related expenditure and allowances?

TBCBE

3.12.2

What procedures and controls are in place to determine and pay allowances for travelling and accommodation (i.e. per diems)?

3.12.3

What procedures and controls are in place to determine and pay expenditure for training and personnel development?

3.13.

Acquisition of services and costs of services.

Does the entity have adequate and effective controls for the acquisition of services and for the accounting of costs for services?

3.13.1

What procedures does the entity have in place for the contracting of services with external service provides (e.g. studies and research; advertising, promotion, publication and visibility actions; evaluations; audit, accounting and legal services; technical assistance; translation and interpretation; organisation of conferences and seminars; visibility actions)?

Note: specific attention should be paid to procurement rules which are applicable for the acquisition of services (refer to pillar 5 — procurement).

TBCBE

3.14.

Expenditure controls for other (non-salary) expenditure.

Does the entity have adequate and effective controls for other (non-salary) expenditure?

Note: this includes all costs other than salaries, salary-related expenditure and allowances and costs of services. Examples include: office costs such as rent, consumables and office supplies, utility costs (electricity, water, gas, fuel), taxes and levies (e.g. sewer and solid waste charges), cleaning and maintenance; communication (telephone, fax, internet); insurance, administration and accounting, printing.

3.14.1

Does the entity have a description of or procedures manual for its controls of other (non-salary) expenditure?

TBCBE

3.14.2

Obtain a sufficient understanding of the entity's system for expenditure control (practices and procedures for expenditure control).

Guidance

Relevant issues include: roles and responsibilities for expenditure control; management procedures which ensure that expenditure control is in line with the entity's procedures; authorisation and approval of expenditure; performance of regular budget–actual comparisons of expenditure.

3.15.

Monitoring of operating performance.

Does the entity have adequate and effective controls for operating performance?

3.15.1

Does the entity have a description or manual of its procedures for monitoring operating performance?

TBCBE

3.15.2

What measures does the entity have in place to review operating performance i.e. the progress made on the implementation of activities and projects?

TBCBE

3.15.3

Has the entity adopted quality standards (e.g. ISO)?

TBCBE

3.15.4

If external standards are not, used are there internal standards?

TBCBE

3.15.5

Does the entity have procedures for the evaluation of operating performance (prior, during implementation and after implementation)?

TBCBE

3.15.6

By whom (internal or external) are these evaluations performed and how are results reported and followed up on?

TBCBE

3.16.

Compliance with regulations and rules for using funds.

Does the entity have adequate and effective controls for ensuring compliance with EU regulations and rules for the funding of the entity's activities and projects?

3.16.1

Does the entity have a description or manual of its procedures to ensure compliance with regulations and rules for using funds?

TBCBE

3.16.2

Does the entity have procedures in place which ensure that actual expenditure incurred and revenue received for activities and projects are in conformity with applicable rules i.e. conditions set out in contracts and agreements?

3.16.3

Does the entity have procedures in place which ensure that specific rules and conditions are well-known and respected? Such rules and conditions can relate to e.g.: the eligibility of expenditure, procurement rules (see pillar 5), origin rules, rules for visibility of EU-funded actions, and rules for the transfer of assets at the end of a project.

PILLAR 1 — INTERNAL CONTROL

4.	INFORMATION AND COMMUNICATION — questions/criteria

Guidance

Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. The entity's management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control.

Internal reporting (internal information and communication)

This concerns internal reporting, which covers financial reporting and reporting to the entity's management on the qualitative aspects of the implementation of activities and projects within the entity.

External reporting (external information and communication)

Two flows of external information and communication can be distinguished:

—

External reporting outbound: financial reporting and reporting to external stakeholders on the qualitative and quantitative aspects of the entity's implementation of activities and projects.

This concerns essentially the entity's annual financial statements and its accountability towards its (external) stakeholders.

—	External reporting inbound: financial reporting and reporting to the entity on the qualitative and quantitative aspects of the implementation of activities and projects by grant beneficiaries.

This concerns the reporting flows from grant beneficiaries to the entity and their accountability towards the entity. Reporting is based on specific rules and conditions set by the entity in order to comply with the requirements (including reporting requirements) for funding provided by the EU and other donors. These reporting flows constitute a vital element of internal control.

The above two types of external reporting are dealt with under pillar 2 — accounting.

PILLAR 1 — INTERNAL CONTROL

4.	INFORMATION AND COMMUNICATION (cont'd) — questions/criteria

Entity comments

Auditor comments

Key question (level 2): Does the entity have controls and procedures in place which ensure reliable reporting — both internal and external (inbound and outbound) — in line with applicable requirements and standards?

4.1.	Internal reporting Does the entity have adequate and effective controls for ensuring that internal reporting provides relevant and quality information to management?

4.1.1

Does the entity obtain or generate and use relevant, quality information (internal and/or external sources) to compile management reports?

TBCBE

4.1.2

Does the entity's management receive regular (monthly, quarterly) reports on progress made on objectives, activities, projects?

TBCBE

4.1.3

Does the information cover qualitative aspects of implementation such as use of performance indicators, implementation status and delays, key problems and issues?

TBCBE

4.1.4

Does the information cover financial aspects such as budget–actual comparisons and analyses of expenditure incurred by activity/project?

TBCBE

4.1.5

Does the entity internally communicate information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control?

TBCBE

4.2.	External reporting (outbound) — financial statements Does the entity prepare and present annual financial statements which are reliable and in line with applicable international standards?

4.2.1

Does the entity prepare and present annual financial statements which are reliable?

‘Reliable’ means that the financial statements:

—	represent faithfully the entity's financial position, financial performance and cash flows;

—	reflect the economic substance of transactions, other events and conditions, and not merely the legal form;

—	are neutral, i.e. free from bias;

—	are prudent; and

—	are complete in all material respects.

Guidance

Year-end financial statements are a critical condition for transparency. The ability to prepare year-end financial statements in a timely fashion is a key indicator of how well the accounting system is operating, and of the quality of records maintained.

In order to be useful and to contribute to transparency, financial statements must be understandable to the reader and deal with transactions, assets and liabilities in a transparent and consistent manner. This is the purpose of financial reporting standards. Some countries have their own public sector financial reporting standards, set by government or another authorised body. To be generally acceptable, such national standards are usually aligned with international standards such as the International Public Sector Accounting Standards (IPSAS), of which some are relevant for countries that adopt accrual-based accounting, while others are relevant for cash-based systems.

4.2.2

Does the financial information presented in the financial statements meet the following qualities which make it useful for the users?

—	Relevance Financial information should be relevant to the decision-making needs of users.

—	Materiality There should be a focus on financial information which is expected to affect users' decisions.

—	Faithful representation Financial information should be true and fair and free from misstatement.

—	Comparability Financial information should be comparable across periods and across organisations.

—	Verifiability Information should communicate the underlying economics of the entity's activities.

—	Timeliness Disclosure of financial information should not be excessively delayed.

—	Understandability The financial information must be understandable by users with reasonable knowledge of the entity's activities.

4.2.3

Does the entity prepare and present annual financial statements which are in line with applicable international standards? What is the applicable financial reporting framework? What basic regulations and rules does the entity need to comply with when preparing and presenting its annual financial statements?

TBCBE

4.2.4

Other good practice disclosures

Do the financial statements of the entity disclose:

—	the entity's address and legal form and the jurisdiction under which it operates?

—	the nature of the entity's operations and its principal activities?

—	a reference to the legal and regulatory framework governing the entity's operations?

—	the name and identity of the controlling entity (where applicable)?

—	budget–actual comparisons of appropriations/commitments and disbursement?

—	details of sources of funding (amounts received/receivable and identity of fund providers)?

—	statements of financial position and of financial performance by type of activity, programme, project, (trust) funds and financial instruments for the period covered by the financial statements?

4.2.5

Does the entity comply with national accounting (including financial reporting) standards which apply in the country in which it is established? For example: the World Bank i.e. the International Bank for Reconstruction and Development (IBRD) and the International Development Association (IDA) comply with US Generally Accepted Accounting Principles (US GAAP).

4.2.6

Does the entity comply with international accounting standards (including financial reporting) or accounting policies and rules prescribed by specific regulations or conventions?

—	International Public Sector Accounting Standards (IPSAS)

—	International Financial Reporting Standards (IFRSs)

—	Other specific conventions and rules such as for example the United Nations System accounting Standards (UNSAS)

TBCBE

4.2.7

What is the accounting basis for preparing and presenting the financial statements of the entity:

—	Accrual basis

—	Cash basis

—	Modified cash or modified accrual basis (i.e. mixed).

Footnote: ‘Accrual basis’ means a basis of accounting under which transactions and other events are recognised when they occur (and not only when cash or its equivalent is received or paid). Therefore the transactions and events are recorded in the accounting records and recognised in the financial statements of the periods to which they relate. The elements recognised under accrual accounting are assets, liabilities, net assets/equity, revenue and expenses.

TBCBE

4.2.8

What period of time does the entity use as its financial year?

TBCBE

4.2.9

Do the entity's financial statements include the following components:

—	statement of changes in net assets/equity statement of financial position (also referred to as balance sheet or statement of assets and liabilities);

—	statement of financial performance (also referred to as statement of revenues and expenses, income statement, operating statement, or profit and loss statement);

—	statement of changes in net assets/equity;

—	cash flow statement; and

—	accounting policies and notes to the financial statements.

TBCBE

4.2.10

Are the entity's financial statements submitted for external audit within 6 months of the end of the financial year?

TBCBE

4.3.

External reporting (outbound) — specific reporting to donors/fund providers

Does the entity have reporting procedures which allow adequate and timely reporting to donors/fund providers (including the European Commission) on the use of funds for projects, (trust) funds and financial instruments provided by them?

4.3.1

Does the entity have specific and dedicated reporting procedures for activities, projects or (trust) funds and financial instruments financed by the EU or other donors?

TBCBE

4.4.	External reporting (inbound) — reporting by sub-delegatees and grant beneficiaries Does the entity take appropriate measures which ensure, to a reasonable extent, that grant beneficiaries provide reliable and timely reports on the use of funds provided to them by the entity?

4.4.1

Does the entity have specific and dedicated reporting procedures for activities, projects, (trust) funds and financial instruments financed by the EU or other donors?

TBCBE

4.4.2

Does the entity provide conditions for reporting by grant beneficiaries on the financial and qualitative aspects of the implementation of activities, projects, (trust) funds and financial instruments?

TBCBE

4.4.3

Are conditions for reporting clearly and properly communicated (e.g. use of terms of reference, use of (web-based) guidelines, instructions, brochures)?

—	What are the main reporting conditions?

—	Are these conditions binding? For example: are conditions set out in (annexes) to agreements or contracts concluded by the entity with grant beneficiaries?

—	Are consequences of non-compliance with conditions (e.g. rules for eligibility of expenditure) explained?

TBCBE

4.4.4

Does the entity monitor/verify whether reporting conditions are respected?

TBCBE

4.4.5

Does the entity obtain and review progress reports made by the grant beneficiaries on a regular basis?

TBCBE

4.4.6

Does the entity respond in an effective and timely manner to issues resulting from the review of these reports? Such issues may include: significant differences in budget–actual comparisons of expenditure, unusual expenditure items, (possible) ineligible expenditure, delays in project implementation, project activities not implemented as planned.

TBCBE

PILLAR 1 — INTERNAL CONTROL

5.	MONITORING — questions/criteria

Entity comments

Auditor comments

Key question (level 2): Does the entity monitor (the components of) its internal control system regularly and effectively?

5.1.	Monitoring of (the components of) the internal control system (if the entity has no internal audit function) If the entity has no internal audit function, does it have adequate and effective measures to monitor internal control?

5.1.1

What are the main activities that the entity uses to monitor (the components of) its internal control system?

TBCBE

5.1.2

How does the entity initiate remedial actions to deficiencies in (the components of) its internal control system?

TBCBE

5.2.	Internal audit function. Does the entity have an effective internal audit function?

5.2.1

Standards and internal audit charter

Does the internal audit function comply with the international professional standards and the Code of Ethics issued by the Institute of Internal Auditors (www.theiia.org)?

TBCBE

Guidance

Regular and adequate feedback to management is required on the performance of the internal control systems, through an internal audit function or equivalent systems monitoring function. In some countries, internal audit functions are concerned only with the pre-audit of transactions, which is then considered part of the internal control activities.

5.2.2

Standards and internal audit charter (cont'd)

Has the internal audit function adopted an internal audit charter which is consistent with the Definition of Internal Auditing, the Code of Ethics and the standards issued by the Institute of Internal Auditors?

Footnote: An internal audit charter is a formal document that sets out the internal audit activity's purpose, authority and responsibility. The internal audit charter: (i) establishes the internal audit activity's position within the organisation, including the nature of the chief audit executive's functional reporting relationship with the board; (ii) authorises access to records, personnel and physical properties relevant to the performance of engagements; and (iii) determines the scope of internal audit activities. Final approval of the internal audit charter resides with the senior management of the entity or an oversight body (audit committee) where appropriate.

TBCBE

5.2.3

Independence

How does the internal audit function fit into the entity's organisational structure?

TBCBE

5.2.4

Independence

Is the internal audit function independent i.e. does it have freedom from conditions that threaten its ability to carry out internal audit responsibilities in an unbiased manner?

TBCBE

5.2.5

Independence (cont'd)

Does the chief audit executive/head of the internal audit function have direct and unrestricted access to senior management and the oversight body as appropriate?

TBCBE

5.2.6

Objectives and scope of work

What is the nature of the internal audit function's responsibilities?

TBCBE

5.2.7

Objectives and scope of work (cont'd)

What are the activities performed, or to be performed, by the internal audit function?

TBCBE

5.2.8

Objectives and scope of work

Does the internal audit charter define the nature of the (assurance) services provided to the entity?

Note: ‘Assurance services’ involve the internal auditor's objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system or other subject matter. The nature and scope of the assurance engagement are determined by the International Standards for the Professional Practice of Internal Auditing.

TBCBE

5.2.9

Objectives and scope of work

Does the internal audit function prepare a risk assessment of the activities and/or organisational functions (e.g. departments, units)?

Note: Evidence of an effective internal audit (or systems monitoring) function would also include a focus on high-risk areas.

TBCBE

5.2.10

Objectives and scope of work

Does the internal audit function draw up a multi-annual (usually three-year) audit plan as well as annual operational plans? How and by whom are audit subjects selected and approved?

TBCBE

5.2.11

Objectives and scope of work (cont'd)

Do these plans incorporate an appropriate range of audit types including compliance, financial audits, payroll audits, system including information technology audits, forensic and performance audits?

TBCBE

5.2.12

Objectives and scope of work

Is the internal audit operational for all activities managed by the entity?

TBCBE

5.2.13

Reporting

Are internal audit reports completed and issued to a fixed schedule and are they distributed to senior management and an oversight body or audit committee as appropriate?

TBCBE

5.2.14

Reporting (cont'd)

Does the internal audit function present regular (i.e. monthly, quarterly) progress reports to the management of the entity and an oversight body/audit committee as appropriate?

TBCBE

5.2.15

Follow-up on internal audit findings and recommendations

Are findings and recommendations resulting from internal audit duly addressed (to the entity's senior management and an oversight body/audit committee as appropriate) and resolved?

TBCBE

5.2.16

Follow-up on internal audit findings and recommendations

Does the entity's management respond promptly to internal audit findings?

TBCBE

5.2.17

Follow-up on internal audit findings and recommendations

Are internal audit recommendations implemented fully and timely?

Note: Evidence of an effective internal audit (or systems monitoring) function would also include action by management on internal audit findings. This is of critical importance since lack of action on findings completely undermines the rationale for the internal audit function.

TBCBE

5.3.	Management's assertion regarding the effectiveness of the internal control system Does the entity's management make an assertion regarding the effectiveness of the internal control system?

5.3.1

Does management include a report regarding the effectiveness of its internal control system (i.e. an internal control report) in the entity's annual financial statements/annual report?

If yes, review the entity's internal control reports of the last 3 years and the independent auditor's report on management's assertion regarding the effectiveness of the internal control system.

If yes, which type of opinion (unqualified, qualified) did the external auditors express on management's assertion regarding the effectiveness of its internal control system?

TBCBE

PILLAR 2 — ACCOUNTING

KEY QUESTION (level 1)

Auditor comments

Does the entity use an accounting system that provides in all material respects accurate, complete and reliable information in a timely manner, based on national and/or international accounting standards and in line with the criteria set by the European Commission?

Guidance

Accounting policies are the specific principles, bases, conventions, rules and practices applied by the entity in preparing and presenting financial statements. A reliable basis means that the entity applies accounting policies which are relevant to the decision-making needs of users, and reliable in that the financial statements:

—	represent faithfully the entity's financial position, financial performance and cash flows;

—	reflect the economic substance of transactions, other events and conditions, and not merely the legal form;

—	are neutral, i.e. free from bias;

—	are prudent; and

—	are complete in all material respects.

Article 154 of the Financial Regulation

The Commission may accept that the accounting systems and the internal control systems used by entities and persons to be entrusted with budget implementation tasks on behalf of the Commission are providing equivalent levels of protection of the financial interests of the Union and of reasonable assurance of achieving the management objectives.

PILLAR 2 — ACCOUNTING

1.	ACCOUNTING SYSTEM AND POLICIES — questions/criteria

Entity comments

Auditor comments

1.	Accounting system and policies

Key question (level 2): Does the entity use an adequate accounting system and does it have clear and written accounting policies?

1.1

Does the entity apply accounting policies which:

—	are relevant to the decision-making needs of users and which provide a reliable basis for preparing the entity's financial statements?

—	comply with the applicable national and/or international accounting standards or accounting policies and rules prescribed by specific regulations or conventions?

1.2

Does the entity have a manual of accounting policies and procedures, including detailed descriptions of accounting procedures for the various types of financial and accounting transactions?

TBCBE

1.3

Does the entity operate a double-entry bookkeeping/accounting system?

Note: A ‘double-entry’ accounting system is a set of rules for recording financial information in a financial accounting system in which every transaction or event changes at least two different nominal ledger accounts.

TBCBE

1.4

Does the entity have a chart of accounts which properly reflects its operations and activities?

TBCBE

1.5

Does the entity perform regular bank reconciliations and cash book reconciliations (where applicable)?

TBCBE

1.6

Does the entity perform regular reconciliations and clearings of suspense accounts and advances? Are separate (general ledger) accounts kept for the accounting of advance and final payments for different projects?

Note: reliable reporting of financial information requires constant checking and verification of recording practices. This is an important part of internal control and a foundation for good quality information for management and for external reports. Timely and frequent reconciliation of data from different sources is fundamental for data reliability.

TBCBE

1.7

Does the accounting system allow the processing and reporting of accounting and financial information relating to specific projects, activities, (trust) funds and financial instruments, no matter whether these are financed by the entity itself and/or external sources (such as the European Commission)?

TBCBE

1.8

Can the entity ensure an accounting trail for transactions (income and expenditure) relating to specific projects, activities, (trust) funds and financial instruments, no matter whether these are financed by the entity itself and/or external sources (such as the EC)?

TBCBE

1.9

How are advance payments made to the entity by external organisations (e.g. the EC) for funding of specific projects, activities, (trust) funds and financial instruments accounted for in the entity's accounting records?

TBCBE

1.10

Does the entity have procedures for ‘clearing’ advances paid by it to grant beneficiaries (e.g. are advances cleared on the basis of audit reports on the use of funds submitted by grant beneficiaries)?

PILLAR 2 — ACCOUNTING

2.	BUDGETING — questions/criteria

Entity comments

Auditor comments

Budgeting

Key question (level 2): does the entity have a budget system and procedures which result in transparent and reliable budgets for its operations and activities?

2.1

Are budget procedures formalised (e.g. through a budget manual or circulars)?

TBCBE

2.2

At which intervals are budgets prepared (annual, half-yearly, quarterly)?

TBCBE

2.3

Who are the key actors involved with the budget process?

TBCBE

2.4

Which accounting and other data sources are used?

TBCBE

2.5

Does the entity have an appropriate budget classification system (classification criteria could, for example, include: operational and capital expenditure, activity-based budgets or functional, analytical classification, classification by project/sub-project).

TBCBE

2.6

Do budgets provide a coherent and clear presentation of projected/estimated costs in line with the entity's activities, operations and projects?

TBCBE

2.7

Are budgets transparent and comprehensive and do they properly reflect the operations of the entity?

2.8

Are assumptions used to prepare the budgets and to compute projected and estimated expenditure plausible? Are cost allocation keys, which are applied to compute budget cost data, based on logical, consistent and plausible assumption and principles?

2.9

Are budget data relevant and reliable so that they are of real use to the management and/or other users?

TBCBE

2.10

How and by whom are budgets approved?

TBCBE

2.11

Can the accounting system produce comprehensive reports for actual expenditure incurred in comparison to the initial budget?

TBCBE

2.12

Are reports stating actual total expenditure compared to the originally budgeted total expenditure prepared on a regular basis (quarterly, half yearly) and are they issued within a reasonable amount of time (1 month) after end of period?

TBCBE

2.13

Are differences between actual expenditure and the originally budgeted expenditure examined and properly explained?

TBCBE

2.14

In cases where the composition of expenditure varies significantly from the original budget, are such variances properly approved?

TBCBE

2.15

Do reports on budget execution also account for expenditure made from transfers to parts (e.g. offices in other locations) of the entity which operate in an autonomous/independent way from the entity's headquarters?

TBCBE

PILLAR 2 — ACCOUNTING

3.	ACCOUNTING AND BUDGETING FOR SPECIFIC PROJECTS, ACTIVITIES, (TRUST) FUNDS, FINANCIAL INSTRUMENTS AND BUDGETARY GUARANTEES — questions/criteria

Entity comments

Auditor comments

The purpose of the questions in this section is to assess whether the entity's accounting system can produce reliable and timely reports on the use made by the entity — and/or by grant beneficiaries — of funds for specific activities, projects, (trust) funds and financial instruments(5). The users of these reports are the entity's management and/or external parties which have provided funding (such as the European Commission).

3.	Accounting and budgeting for projects, activities, (trust) funds and financial instruments

Key question (level 2): does the entity have accounting and budgeting procedures which allow adequate and timely reporting to donors/fund providers (including the European C) on the use of funds provided by them for projects, activities, (trust) funds and financial instruments and capacity and processes in place to produce financial statements (6)?

3.1

Does the entity have an accounting system and procedures which allow the generation of relevant and reliable information for preparing reports (with financial and qualitative information) and financial statements on activities, projects, (trust) funds and financial instruments financed by the EU or other donors?

TBCBE

3.2

Does the entity's accounting system allow the generation of financial reports for specific activities, projects, (trust) funds and financial instruments, or the generation of aggregate accounting data, which can be directly used to compile financial reports and financial statements?

TBCBE

Guidance

An entity's information system typically includes the use of standard journal entries that are required on a recurring basis to record transactions. Examples might be journal entries to record salary costs in the general ledger.

An entity's financial reporting process also includes the use of non-standard journal entries to record non-recurring, unusual transactions or adjustments. These may be necessary to account for cost items (including allocation of costs) relating to a specific project which are not covered by standard accounting procedures and journal entries. In manual general ledger systems, non-standard journal entries may be identified through inspection of ledgers, journals and supporting documentation.

3.3

To what extent does the entity need to make additional journal entries, adjust entries and/or carry out other manual processing and manipulation of financial and cost data to prepare complete and reliable reports?

TBCBE

3.4

To what extent does the entity use intermediate and/or (cost) allocation tables tracking the financial information presented in project-specific information to the entity's general ledger accounts and/or costing accounts?

TBCBE

3.5

To what extent does the entity make use of additional software (e.g. spreadsheet applications like MS Excel) outside its regular accounting software to produce financial reports?

TBCBE

3.6

Obtain a sufficient understanding of how financial information (i.e. expenditure) for projects is accounted for in the entity's accounting system (i.e. key assumptions, allocation principles) and how this information has been extracted and included (automatically/manual adjustments) in the financial reports.

TBCBE

3.7

Does the entity have a budgeting system and procedures which allow generation of relevant and reliable information for preparing budgets on activities, projects, (trust) funds and financial instruments?

Note: in principle the same questions apply as for the entity's general budget process.

TBCBE

PILLAR 3 — INDEPENDENT EXTERNAL AUDIT
KEY QUESTION (level 1)	Auditor comments
Is the entity subject to an independent external audit, to be performed in all material respects in accordance with internationally accepted auditing standards by an audit service functionally independent of the entity and in accordance with the criteria set by the European Commission?
Guidance A high-quality external audit is an essential requirement for creating transparency in the entity's use of resources, including funds provided by donors. Key elements of the quality of external audit are: the objectives and scope of the audit, and adherence to appropriate auditing standards including independence of the external auditor i.e. the audit institution.

PILLAR 3 — INDEPENDENT EXTERNAL AUDIT

1.	REGULATORY FRAMEWORK — questions/criteria

Entity comments

Auditor comments

Key question (level 2): does the entity have a clear regulatory framework for external audit?

1.1

Is the entity subject to an external audit performed by an independent professional external audit firm (private sector) in accordance with standards equivalent to international standards on auditing?

If yes, complete questions at 2.1 (Principles) and 3 (External audit procedures).

TBCBE

1.2

Is the entity subject to an external audit performed by a national audit institution (public sector) in accordance with standards equivalent to international standards on auditing? If yes, complete the questions in Section 3 below.

If yes, complete questions at 2.2 (Principles) and 3 (External audit procedures).

TBCBE

1.3

Is the entity subject to an external audit performed by an external audit or oversight body which operates under a specific regulatory or institutionalised framework (e.g. external auditor of the UN) in accordance with standards equivalent to international standards on auditing? If yes, complete the questions in Section 4 below.

If yes, complete questions at 2.3 (Principles) and 3 (External audit procedures).

TBCBE

PILLAR 3 — INDEPENDENT EXTERNAL AUDIT

2.	PRINCIPLES — questions/criteria

Entity comments

Auditor comments

2.1.

The external audit is performed by an independent professional external audit firm (private sector) in accordance with standards equivalent to international standards on auditing.

Key question (level 2): Is the entity subject to an external audit which is:

—	performed by a professional external audit firm which is independent from the entity and which complies with the fundamental principles of professional ethics, which include: integrity, objectivity, professional competence and due care, confidentiality and professional behaviour?

—	performed in accordance with auditing standards equivalent to International Standards on Auditing (‘ISAs’) issued by the International Auditing and Assurance Standards Board (IAASB)?

2.1.1

Is the audit performed by a professional external audit firm which is a member of an established national accounting or auditing body?

Is the national accounting or auditing body a member of IFAC?

2.1.2

Is the audit performed in accordance with the applicable national standards on auditing and are these standards in compliance with International Standards on Auditing (‘ISAs’) issued by the International Auditing and Assurance Standards Board (IAASB)?

2.1.3

Is the auditor who performs the audit governed by a code of ethics which establishes the fundamental ethical principles for auditors with regard to integrity, objectivity, independence, professional competence and due care, confidentiality, professional behaviour and technical standards?

Is this code of ethics compliant with the IFAC Code of Ethics for Professional Accountants issued by IFAC's International Ethics Standards Board for Accountants (IESBA)?

2.1.4

Is the fundamental principle of independence fully respected?

2.2.

The external audit is performed by a national audit institution (public sector) in accordance with standards equivalent to international standards on auditing.

Key question (level 2): Is the entity subject to an external audit which is:

—

—	performed in accordance with auditing standards equivalent to principles, standards and guidance issued by the International Organisation of Supreme Audit Institutions (INTOSAI)?

2.2.1

Is the audit performed by a national audit institution which is a member of INTOSAI?

2.2.2

Is the audit performed in accordance with the applicable national standards on auditing and are these standards in compliance with INTOSAI Standards?

2.2.3

Is the auditor who performs the audit governed by a Code of Ethics which establishes the fundamental ethical principles for auditors with regard to integrity, objectivity, independence, professional competence and due care, confidentiality, professional behaviour and technical standards?

Is this Code of Ethics compliant with the INTOSAI Code of Ethics (ISSAI 30) or equivalent?

2.2.4

Is the fundamental principle of independence fully respected?

2.3.

The external audit is performed by an external audit or oversight body which operates under a specific regulatory or institutionalised framework (e.g. external auditor of the UN) and which is independent from the entity in accordance with standards equivalent to international standards on auditing.

Key question (level 2): Is the entity subject to an external audit which is:

—	performed by an external audit or oversight body which is independent from the entity and which complies with the fundamental principles of professional ethics, which include: integrity, objectivity, professional competence and due care, confidentiality and professional behaviour?

—	performed in accordance with auditing standards equivalent to International Standards on Auditing (‘ISAs’) or INTOSAI standards?

2.3.1

Is the audit performed by an external audit or oversight body which operates under a specific regulatory or institutionalised framework? Obtain a brief description of this framework.

2.3.2

Is the audit performed in accordance with standards equivalent to the International Standards on Auditing (‘ISAs’) or INTOSAI standards?

2.3.3

Is this Code of Ethics compliant with the principles of the IFAC Code of Ethics for Professional Accountants issued by IFAC's International Ethics Standards Board for Accountants (IESBA), the INTOSAI Code of Ethics (ISSAI 30) or an equivalent code of ethics?

2.3.4

Is the fundamental principle of independence fully respected?

PILLAR 3 — INDEPENDENT EXTERNAL AUDIT

3.	EXTERNAL AUDIT PROCEDURES — questions/criteria

Entity comments

Auditor comments

Key question (level 2): is the entity subject to appropriate external audit procedures?

2.1

What type(s) of external audit apply to the entity (e.g. annual audits of the entity's financial statements, compliance audits and other audits)?

What are the objectives and scope of these audits? Do audits also cover aspects of legality and regularity related to funding provided by the European Commission and/or other fund providers?

With what frequency are the audits performed?

To whom does the auditor issue its report?

TBCBE

2.2

By which auditor(s) are these audit performed (see 1 — regulatory framework)?

TBCBE

2.3

Within how many months of the end of the entity's financial year is an audit report on its financial statements issued?

Which type of audit opinion was issued on the financial statements in the last 3 years?

TBCBE

2.4

Are findings and recommendations resulting from external audits duly addressed (to the entity's senior management and an oversight body/audit committee as appropriate) and resolved?

TBCBE

2.5

Does the entity's management respond promptly to external audit findings?

TBCBE

2.6

Are external audit recommendations implemented fully and in a timely manner?

TBCBE

PILLAR 4 — GRANTS

KEY QUESTION (level 1)

Auditor comments

Does the entity apply appropriate rules and procedures for providing financing from EU funds through grants and in accordance with the criteria set by the European Commission?

Guidance

The entity may conclude grant contracts directly with grant beneficiaries (7). A grant is a financial contribution by way of donation given to a specific beneficiary to finance activities carried out by the beneficiary or to finance the operation (i.e. the operating costs) of the beneficiary.

The entity should have procedures in place which ensure, to a reasonable extent, that these grant beneficiaries meet requirements for internal control, accounting and external audit. The principles of a grant system must be stated in a well-defined and transparent legal and regulatory framework that clearly establishes appropriate policies, procedures, accountability and controls. While the grant system operates within its own framework, it benefits from the overall control environment, including public access to information, internal controls operated by the entity, the entity's accounting system and external audit.

The Commission may accept that grant rules and procedures are appropriate if the following conditions are met:

(a)	they comply with the principles of proportionality, sound financial management, equal treatment and non-discrimination;

(b)	they ensure transparency, with adequate publication of calls for proposals, direct award procedures being limited to reasonable amounts or being duly justified;

(c)	they prevent conflicts of interest throughout the entire grant award procedure.

PILLAR 4 — GRANTS

1.	LEGAL AND REGULATORY FRAMEWORK — questions/criteria

Entity comments

Auditor comments

Key question (level 2): Does the entity have a clear legal and regulatory framework for providing grants?

1.1

What types of grants does the entity provide? Does the framework properly define the term ‘grants’ and the forms of grants (e.g. maximum amount, percentage of total (eligible) cost of the action, use of lump sum financing etc.)?

TBCBE

1.2

For grants awarded following calls for proposals, are there guidelines for grant applicants and do these guidelines clearly describe procedures and rules from the application to the award of grants?

—	Are these guidelines published and easy accessible?

—	Do the guidelines clearly describe key principles (see below) and key issues such as eligibility rules, supporting documents required and provide a description of the activities/action?

—	Do the guidelines include documents such as grant application forms and action budget templates?

—	Are means of redress available, easily accessible, transparent, non-discriminatory, efficient and effective? Are beneficiaries/applicants informed about their rights throughout the process?

TBCBE

1.3

Does the entity use standard templates for grant contracts?

Do the contract templates allow for actions/activities to be clearly defined?

Are all beneficiaries identified in contracts?

Do contracts specify at least the subject, the beneficiary/ies, the duration, the maximum amount of funding, a budget for the action or work programme and the responsibilities of the beneficiary/ies?

TBCBE

1.4

Do contracts clearly set out the conditions, rules and criteria that must be respected?

If a grant is awarded to several entities, do the grant contracts clearly set out the obligations and responsibilities of the coordinator, if any, and of the other beneficiaries, and the conditions for adding or removing a beneficiary?

Amendments to grant contracts must not involve any changes that would influence the grant award decision or the equal treatment of applicants, where relevant. Are these criteria respected?

Are there basic rules for eligible costs (e.g. actual costs incurred by the grant beneficiary)?

TBCBE

PILLAR 4 — GRANTS

2.	PRINCIPLES — questions/criteria

Entity comments

Auditor comments

Key question (level 2): are the following principles integrated in the procedures, rules and criteria of the entity's grant award system: transparency, equal treatment, eligibility criteria and avoiding conflicts of interest?

These principles must be integrated in the procedures, rules and criteria of the entity's grant award system in accordance with the overarching principle of proportionality. Principles are not absolute and a limited number of exceptions can be laid down provided that they are clearly stated, reasonable and justified.

2.1

Transparency Are calls for proposals published widely and in an easily accessible way? Do grant applicants have sufficient time to submit proposals?

2.2

Equal treatment Are calls for proposals evaluated by an evaluation committee which is impartial and which uses clear and published criteria? Are selections and awards performed on the sole basis of the application? Is communication with grant applicants allowed in these phases?

2.3.1

Eligibility criteria Does the grant award system provide eligibility criteria which are transparent and non-discriminatory? Are eligibility criteria published and easy accessible?

2.3.2

Eligibility criteria Are there eligibility criteria for grant applicants (e.g. legal and administrative status and rules on nationality)?

2.3.3

Eligibility criteria Are there eligibility criteria for the actions to be financed by the grants (e.g. types of activities, sectors or themes and geographical areas covered by the grant)?

2.5

Avoiding double funding Does the grant award system include basic rules which make it clear that the same costs cannot be financed twice for the same action?

2.6

Avoiding conflicts of interest Does the grant award system include procedures and rules to prevent conflicts of interest throughout the grant award process?

PILLAR 4 — GRANTS

3.	GRANTS PROCEDURES — questions/criteria

Entity comments

Auditor comments

Key question (level 2): does the entity apply appropriate rules and procedures for providing grants?

3.1.	Publication of call for proposals — Does the entity apply appropriate rules and procedures for the publication of calls for proposals?

3.1.1

Are calls for proposals published in national/international media (e.g. press, internet)?

TBCBE

3.1.2

Are relevant documents available and easy accessible (e.g. on websites) for grant applicants? Relevant documents may include: guidelines for applicants including important criteria such as eligibility rules for applicants, actions and expenditure, grant application forms, grant agreement or contract templates and annexes.

TBCBE

3.1.3

Does the grant award system provide the possibility to award grants without a call for proposals (i.e. direct award)? Are conditions for a direct award procedure strictly defined and limited to exceptional and duly justified situations e.g. grants to beneficiary countries, crisis situations, monopoly situations or similar cases?

TBCBE

3.1.4

Does the grant award system provide a support and information function (e.g. are information sessions with potential applicants organised, is there a contact point/helpdesk function, is there a FAQ mechanism, handbooks)?

—	Is it possible for grant applicants to submit questions after publication of the call for proposals and before the deadline for submitting proposals?

—	Are answers to questions of an applicant shared with other applicants?

TBCBE

3.2.	Submission of proposals — Does the entity apply appropriate rules and procedures for the submission of proposals?

3.2.1

Does the entity have procedures in place for the receipt, registration and keeping of proposals made by grant applicants?

Does the entity use electronic/IT systems to register and process grant applications? Are there measures and controls in place which ensure integrity, availability and, where appropriate, confidentiality of documents and the protection of personal data?

TBCBE

3.2.2

Are deadlines for the submission of proposals communicated to grant applicants?

TBCBE

3.3.	Security and confidentiality of proposals — Does the entity apply rules and procedures which guarantee the security and confidentiality of proposals?

3.3.1

Does the grant award system include rules which ensure security and confidentiality of proposals submitted, in particular by:

—	ensuring that measures are in place for the security and storage of proposals (e.g. keeping a document register, numbering all documents or having a central storage area for all documents), as well as for limiting access to documents; and

—	considering electronic security issues and having documented processes for electronic storage and communication (e.g. proposals submitted electronically are safeguarded from access before the closing time; the system has the capacity to reject late proposals automatically).

TBCBE

3.4.	Receipt, registration and opening of the proposals — Does the entity apply appropriate rules and procedures for the receipt, registration and opening of the proposals?

3.4.1

Does the grant award system lay down procedures for the opening of the proposals, in particular by:

—	having an evaluation committee open and authenticate proposals as soon as possible after the designated time;

—	specifying criteria for the nomination of the members of the committee;

—	performing the opening of proposals in a context where basic information on the proposals is disclosed and recorded in official minutes;

—	specifying clear policy-defining circumstances under which proposals would be invalidated (e.g. proposals received after the closing time are invalidated unless this was due to an error by the grant awarding entity; criteria for the eligibility of tenderers);

—	ensuring that any clarification of submitted proposals does not result in substantive alterations after the deadline for submission; and

—	ensuring that a clear and formal report of all the proposals received is produced before passing them to the officers responsible for their evaluation.

TBCBE

3.5.	Selection and evaluation procedures — Does the entity apply appropriate rules and procedures for the selection and evaluation of grant proposals?

3.5.1

Evaluation officers/committee (for evaluation committee guidance see procurement)

—	Are selection and evaluation procedures performed by more than one evaluating official or preferably a committee?

—	Are criteria for the nomination of the evaluation committee specified? Depending on the value of the proposals and the level of risk, the committee could include not only officials from different departments with no hierarchical links but also possibly external experts.

—	Are the role, function, composition and operating rules of the evaluation committees described? Are the responsibilities of the non-voting chairperson and the voting members of the committee clearly described?

—	Are there procedures for the keeping of and access to (confidential) proposal documents?

—

Are officials in charge of the evaluation not in a conflict of interest situation (e.g. through mandatory disclosure) and are they bound by confidentiality requirements? In the case of an evaluation committee, integrity and professional considerations must be taken into account when selecting members.

—	Are all relevant aspects of the evaluation included in a written report signed by the evaluation officers/committee?

TBCBE

3.5.2

Administrative and formal checks

Are proposals made subject to administrative and formal checks by the evaluation committee or by other staff, in which case the results of their work need to be reviewed by the committee?

Do these checks focus on a full and correct completion of the grant application form and the submission of all required supporting documents?

Can these checks result in the rejection of an application, which means that a proposal is not considered for further evaluation?

Is it possible for applicants to provide, within a set deadline, missing information or supporting documents or to provide clarification?

TBCBE

3.5.3

Eligibility

Are proposals made subject to eligibility checks by the evaluation committee or by other staff, in which case the results of their work need to be reviewed by the committee?

Are these checks performed on the basis of a checklist with eligibility criteria?

Note: these criteria may include eligibility criteria for grant applicants (e.g. legal and administrative status, rules on nationality and grounds for exclusion) and eligibility criteria for the actions to be financed by the grants (e.g. types of activities, sectors or themes and geographical areas covered by the grant).

Do these checks involve a review of required supporting documents?

Can these checks result in the rejection of an application, which means that a proposal is not considered for further evaluation?

TBCBE

3.5.4

Financial and operational capacity

Are proposals made subject to checks of financial and operational capacity by the evaluation committee or by other staff, in which case the results of their work need to be reviewed by the committee?

Are these checks performed on the basis of a checklist with criteria?

Does the grant award system provide clear, objective and non-discriminatory criteria for assessing that applicants have sufficient financial and operational capacity?

Are these criteria specified and notified in the call for proposals?

Note: ‘Financial capacity’ refers to the availability of stable and sufficient sources of financing to ensure operating performance throughout the action period. ‘Operational capacity’ refers to available professional competence, skills, qualifications and experience to complete the proposed action. Assessments can be made on the basis of the supporting documents to the proposal, such as financial statements and audit reports, and proof of actions completed by the applicant.

Can these checks result in the rejection of an application, which means that a proposal is not considered for further evaluation?

TBCBE

3.5.5

Design and content of the action

Does the grant award system provide clear procedures, rules and criteria for the evaluation of proposals against set objectives? Key issues may include: design of the action, priorities, type of activities, quality aspects, expected impact, sustainability, efficiency and effectiveness, visibility.

Is use being made of an evaluation grid which sets out all relevant evaluation criteria? Do evaluation grids include a scoring of the key aspects of the evaluation?

TBCBE

3.5.6

Conclusions of the evaluation committee

Does the evaluation committee draw up and sign an evaluation report of all proposals ranked by scores attributed to the proposals? Are completed evaluation grids attached to this report?

Do these reports provide clear conclusions as to successful and unsuccessful applicants?

TBCBE

3.6.	Awarding of grants — Does the entity apply appropriate rules and procedures for the award of grants?

3.6.1

Is the decision to award a grant taken at an appropriate level (e.g. proposal made by the evaluation committee and formal decision taken by the entity's senior management)?

TBCBE

3.6.2

Do grant decisions have an appropriate form (are decision templates available)?

Do grant decisions specify: the total amount of funding; details of the grant beneficiary; the title/description of the action/activity; where relevant, the reasons for the award, particularly if these are not in line with the opinion of the evaluation committee; the names of rejected applicants and the reasons for rejection.

TBCBE

3.6.3

Are specific decisions taken with regard to unsuccessful applications?

TBCBE

3.7.	Notification and post-award publication — Does the entity apply appropriate rules and procedures for the notification and publication of the grant awards?

3.7.1

Notification of grant award to applicants

Are successful applicants notified in writing about the grant award and relevant details (e.g. at least the amount of funding) soon after the award decision has been taken?

Are unsuccessful applicants notified in writing about the grant award soon after the award decision has been taken and are the reasons for rejecting their application provided?

TBCBE

3.8.	Grant contracts — Does the entity apply appropriate rules and procedures for concluding grant contracts?

3.8.1

Does the entity conclude grant contracts with applicants/beneficiaries soon after the award decision has been taken?

TBCBE

3.8.2

Do grant contracts include conditions and rules for the payment of grants such as supporting documents, suspension/termination/reduction of grants in case of poor/partial/late implementation? Do beneficiaries have the opportunity to make observations on these matters?

TBCBE

3.8.3

Does the entity have procedures in place to verify that costs declared by beneficiaries in their payment requests (e.g. a declaration in the form of a financial report) are real, accurate, properly recorded and eligible in accordance with the conditions of the grant contract?

TBCBE

3.8.4

Does the entity have in place:

—	procedures to suspend/terminate the implementation of a grant or grant payments, or the participation of a beneficiary in the event that irregularities or fraud or breach of contractual conditions have occurred?

—	appropriate rules and procedures to recover funds unduly paid, including where appropriate by bringing legal proceedings and by endeavouring to assign claims against its grant beneficiaries to the contracting authority or the European Commission?

TBCBE

3.8.5

Do grant contracts set out requirements for internal control, accounting (including financial reporting) and external audit?

TBCBE

3.8.6

Does the entity have procedures in place which ensure, to a reasonable extent, that grant beneficiaries meet the (contractual) requirements for internal control, accounting and external audit?

PILLAR 5 — PROCUREMENT

KEY QUESTION (level 1)

Auditor comments

Does the entity apply appropriate rules and procedures in all material respects for providing financing from EU funds through procurement and in accordance with the criteria set by the European Commission?

Guidance

The principles of a procurement system need to be stated in a well-defined and transparent legal and regulatory framework that clearly establishes appropriate policies, procedures, accountability and controls. One of the key principles established by this legal framework is the use of transparency and competition as a means to obtain fair and reasonable prices and overall value for money. While the procurement system operates within its own framework, it benefits from the overall control environment, including public access to information, internal controls operated by the entity, the entity's accounting system and external audit.

Principles in Article 154 of the Financial Regulation

The Commission may accept that procurement rules and procedures are appropriate if the following conditions are met:

(a)	they comply with the principle of broad competition of tenderers to obtain the best value for money and negotiated procedures are limited to reasonable amounts or are duly justified;

(b)	they ensure transparency with adequate ex ante publication, in particular of calls for tenders, and adequate ex post publication of contractors;

(c)	they ensure equal treatment, proportionality and non-discrimination;

(d)	they prevent conflicts of interest throughout the entire procurement procedure;

(e)	they apply appropriate review procedures, rules for recovering funds unduly paid and rules for excluding from access to funding (grounds for exclusion to be assessed under the exclusion pillar).

The national law of Member States or third countries transposing Directive 2014/24/EU (repealing Directive 2004/18/EC) should be considered equivalent to the rules applied by the institutions in accordance with the Financial Regulation.

PILLAR 5 — PROCUREMENT

1.	LEGAL AND REGULATORY FRAMEWORK — questions/criteria

Entity comments

Auditor comments

Key question (level 2): Does the entity have a clear legal and regulatory framework for procurement?

1.1

Is the legal and regulatory framework organised hierarchically and is precedence clearly established?

TBCBE

1.2

Is it freely and easily accessible to the public through appropriate means?

TBCBE

1.3

Does it apply to all procurement undertaken?

TBCBE

1.4

What types of procurement (e.g. works, services and supplies) are regulated by this framework?

TBCBE

PILLAR 5 — PROCUREMENT

2.	PRINCIPLES — questions/criteria

Entity comments

Auditor comments

Key question (level 2): are the following principles integrated in the procedures, rules and criteria of the entity's procurement system: transparency, equal treatment, public access to procurement information, avoiding conflicts of interest and using competitive tendering procedures and best value for money?

These principles must be integrated in the procedures, rules and criteria of the entity's procurement system in accordance with the overarching principle of proportionality. Principles are not absolute and a limited number of exceptions could be allowed provided that such exceptions are clearly stated, reasonable and justified.

2.1

Transparency. Does the procurement system provide an adequate degree of transparency in the entire procurement cycle (i.e. invitation to tender, evaluation, award and dispute resolution) in order to promote fair and equitable treatment for bidders, i.e. potential suppliers and contractors?

2.2.1

Equal treatment. Does the procurement system stipulate procedures which ensure that all eligible bidders have equal opportunity to compete and which ensure non-discrimination?

TBCBE

2.2.2

Equal treatment. Does the procurement system contain provisions for equal access for all potential candidates? This includes for example: absence of restriction to certain candidates, publication and advertising measures which ensure the broadest possible participation, provisions which ensure that tender specifications do not contain unjustified obstacles to access for candidates (technically, administratively (e.g. selection, exclusion and award criteria) and with respect to timing and deadlines).

TBCBE

2.2.3

Equal treatment. Does the procurement system stipulate avoiding unnecessary restrictions on the size, composition or nature of bidders?

TBCBE

2.2.4

Equal treatment. Does it contain rules for keeping bidding costs low (for example by: not changing bid forms unnecessarily, not requiring information that is of little use, allowing adequate time for bids to be prepared and using electronic bidding systems, if possible).

TBCBE

2.2.5

Equal treatment. Are there measures to design tenders in a way which avoids bid rigging? For example: for keeping the identity of bidders undisclosed by using numbers, rather than names, to identify them and for encouraging participation by many bidders.

Guidance: bid rigging occurs when bidders agree among themselves to eliminate competition in the procurement process, thereby denying the public a fair price.

TBCBE

2.3

Publication of procurement information. Does the procurement system provide for public access to all relevant procurement information, e.g. procurement plans, bidding opportunities, contract awards and information on resolution of procurement complaints?

Guidance

Public dissemination of information through appropriate means (e.g. government or agency level websites, procurement journals, national or regional newspapers or on demand from procurement bodies) on procurement processes and its outcomes are key elements of transparency. To generate timely and reliable data, a good information system will capture data on procurement transactions and be secure.

TBCBE

2.4

Avoiding conflicts of interest. Does the procurement system include procedures and rules to prevent conflicts of interest throughout the procurement procedures?

2.5.1

Use of competitive tendering procedures and best value for money. Does the procurement system provide for competitive tendering procedures which allow the desired quality of services, supplies or works to be obtained at the best possible price?

TBCBE

2.5.2

Use of competitive tendering procedures and best value for money. Does the procurement system clearly define the different procurement procedures which can be used and how this is to be justified? Elements to consider:

—	the nature of the procurement: services (e.g. technical assistance and studies), supplies (e.g. equipment and materials) and works (e.g. infrastructure and other engineering works);

—	the type of the procurement procedure: open and restricted, restricted, competitive negotiated procedure, etc.;

—	the value of the procurement and thresholds for different contracts, e.g. services, supplies and works.

2.5.3

Use of competitive tendering procedures and best value for money. Which of the following types of procurement procedures are provided for by the procurement system: open (international or local), restricted procedure, framework contracts, dynamic purchasing system, competitive dialogue, negotiated procedure (the use of the negotiated procedure should be limited to reasonable amounts or be duly justified) and single tender procedure, etc.?

TBCBE

2.5.4

Use of competitive tendering procedures and best value for money. Are these procedures designed in a way that allows fair and transparent competition?

PILLAR 5 — PROCUREMENT

Guidance on the types of procurement procedures

Open procedure

In ‘open’ calls for tender (international or local), all businesses and other types of economic operator may submit a tender. The contract is given maximum publicity by publishing a notice in national or international newspapers and in any other appropriate media. Any natural or legal person wishing to tender may ask to receive the tender dossier (which may have to be paid for), in accordance with the procedures specified in the contract notice. The tenders are examined. The eligibility and the financial, economic, technical and professional capacity of the tenderers are checked to arrive at a selection. The tenders are compared and the contract is awarded. No negotiation is allowed.

Restricted procedure

In ‘restricted’ calls for tender, all businesses and other types of economic operator may ask to submit a tender but only those who satisfy the selection criteria may be invited to do so. The selection criteria and the tasks to be undertaken are described in the published contract notice. A ‘long list’ of all the candidates replying to the notice is cut down to a shortlist of the best qualified, on the basis of their replies. The contract is given maximum publicity by publishing a notice in national or international newspapers and in any other appropriate media. Tender dossiers are sent to the shortlisted candidates. Once tenders have been analysed, they are compared and the successful tenderer is chosen. No negotiation is allowed.

Framework contracts

A framework contract is an agreement between one or more contracting authorities and one or more economic operators. It aims to establish the terms governing specific contracts which may be awarded during a given period, particularly the duration, subject, price, maximum value, implementation rules and the quantities envisaged. Framework contracts with several economic operators are called ‘multiple’ framework contracts. These take the form of separate contracts but they are all concluded in identical terms. The specifications must state both the minimum and the maximum number of operators with which the contracting authority intends to conclude contracts. The duration of such contracts may not exceed a certain number of years (e.g. 4), save for in exceptional cases justified in particular by the subject of the framework contract. Contracting authorities may not make undue use of framework contracts or use them in such a way that the purpose or effect is to prevent, restrict or distort competition. Specific contracts based on framework contracts are awarded under the terms of the framework contract and must obey the principles of transparency, proportionality, equal treatment, non-discrimination and fair competition.

Dynamic purchasing system

A dynamic purchasing system is a completely electronic process for making common purchases for a limited period. It is open to any business or other economic operator who meets the selection criteria and has submitted a technically compliant indicative tender. No specific threshold applies. For each individual contract, the contracting authority publishes a contract notice and invites all contractors admitted to the system to bid. The contract is awarded to the most economically advantageous tender (i.e. the sole award criterion is the best value for money).

Competitive dialogue

In the case of particularly complex contracts, where the contracting authority considers that neither direct use of the open procedure nor the arrangements governing the restricted procedure will result in the best value for money, it may use the competitive dialogue. A contract may be considered as ‘particularly complex’ if the contracting authority is objectively unable either to specify the technical means of satisfying its needs or objectives or to specify the legal or financial makeup of the project. No specific threshold applies. Contracting authorities must publish a contract notice setting out or attaching their needs and requirements. They must open a dialogue with the candidates, satisfying the selection criteria in the contract notice. The dialogue may cover all aspects of the tender. However, it is conducted separately with each candidate on the basis of their proposed solutions and ideas. The contracting authority must ensure equal treatment of tenderers and keep the tenders confidential. It is therefore not allowed to pick the best solutions from different tenderers. The minimum number of candidates invited to tender is three. If fewer than three candidates meet the selection criteria, the contracting authority may continue the procedure with the one or two who do meet the criteria. The contracting authority may not make up the number with other economic operators who did not take part in the procedure or candidates who do not meet the selection criteria. During the dialogue, contracting authorities must treat all tenderers equally and ensure that the solutions proposed or other information received in the dialogue is kept confidential unless the candidate agrees to disclosure. The contracting authority must prepare a report justifying the manner in which dialogue was conducted.

After informing the participants that the dialogue has been concluded, contracting authorities must ask them to submit their final tenders on the basis of the solutions presented and specified during the dialogue. The tenders must contain all the information required and necessary for the performance of the project. At the request of the contracting authority, these tenders may be clarified, specified and fine-tuned, provided that this does not have the effect of changing basic aspects of the tender or of the invitation to tender, as variations could distort competition or have a discriminatory effect. At the request of the contracting authority, the tenderer offering best value for money may be asked to clarify aspects of the tender or confirm commitments contained in the tender provided this does not have the effect of amending substantial aspects of the tender or of the call for tenders and does not risk distorting competition or causing discrimination.

The contracting authorities may specify prices or payments to the participants in the dialogue. The contract is awarded to the technically compliant tender which is the most economically advantageous (i.e. the sole criterion is the best value for money). The standard templates must be adapted as required.

Negotiated procedure/single tender procedure

A contract may be awarded directly (using the ‘single tender procedure’ or ‘negotiated procedure’) in defined circumstances (e.g. in cases where the contract to be concluded does not exceed a certain value or where exceptional circumstances justify a direct award). In the case of a negotiated procedure, an evaluation committee must be nominated to proceed with the negotiation. In all cases, the contracting authority must draft a report explaining how participant(s) in the negotiations were selected and the price set, and the grounds for the award decision. The contracting authority should ensure that basic principles relating to procurement procedures such as checking compliance with eligibility rules (nationality rules), selection and exclusion criteria are duly applied.

Note: in accordance with Annex I, Section 2, 11-12 of the Financial Regulation the use of the negotiated procedure should be limited to reasonable amounts or be duly justified.

PILLAR 5 — PROCUREMENT

3.	PROCUREMENT PROCEDURES — questions/criteria

Entity comments

Auditor comments

Key question (level 2): does the entity apply appropriate rules and procedures for procurement?

3.1.	Invitation to tender. Are there appropriate rules and procedures for the invitation to tender and for each type of procurement (e.g. open, restricted and negotiated procedures)?

3.1.1

Does the procurement system ensure a sufficient level of transparency in the procurement opportunity?

—	For open tendering, is the information on the procurement made publicly available, including related evaluation criteria; and

—	for restricted/selective and negotiated/limited methods is information published on how to qualify in a readily available medium within a timeframe and in a manner that would reasonably allow eligible suppliers to apply?

3.1.2

Does the procurement system set out rules for the publication of a tender notice which include:

—	information on the nature of the product or service to be procured, specifications, quantity, timeframe for delivery, realistic closing dates and times, where to obtain documentation and where to submit tenders;

—	a clear and complete description of selection and award criteria that is non-discriminatory and cannot be altered afterwards;

—	details on the management of the contract and the plan and method for payment and possibly the guarantees when required; and

—	details of the contact point for enquiries?

TBCBE

3.1.3

Does the procurement system provide rules to communicate to potential suppliers in the same timeframe and in the same manner, in particular by:

—	encouraging information exchange on a formal basis (e.g. contact points for enquiries, information sessions, online module to observe clarification meetings, online posting of questions and answers);

—	ensuring that questions for clarification are promptly responded to and that this information is transmitted to all interested parties;

—	communicating changes immediately, preferably via the same channel originally used; and

—	publishing information, preferably online, to allow for external monitoring and public scrutiny?

TBCBE

3.2.

Selection and evaluation procedures and award of contracts.

Does the entity apply appropriate rules and procedures for evaluation and award?

Are there rules which ensure that the evaluation process is performed properly and confidentially and is not biased?

Does the entity apply appropriate criteria for evaluation?

Are there clear criteria for selecting the tender that is the best value for money, e.g. lowest price, price/quality ratio or other?

3.2.1.

Security and confidentiality of information

3.2.1.1

Does the procurement system include rules which ensure the security and confidentiality of information submitted, in particular by:

—	ensuring that measures are in place for the security and storage of tendering documents (e.g. keeping a document register, numbering all documents or having a central storage area for all documents), as well as for limiting access to documents; and

—	considering electronic security issues and having documented processes for electronic storage and communication (e.g. tenders submitted electronically are safeguarded from access before the closing time and the system has the capacity to reject late tenders automatically)?

TBCBE

3.2.2.

Procedures for the opening of the tender

3.2.2.1

Does the procurement system define a clear procedure for the opening of the tender, in particular by:

—	having a team (or evaluation committee) open, authenticate and duplicate sealed tenders as soon as possible after the designated time, immediately followed by public opening, if possible;

—	specifying criteria for the nomination of the members of this team;

—	performing the opening of tenders, preferably before a public audience where basic information on the tenders is disclosed and recorded in official minutes;

—	specifying policy-defining circumstances under which tenders would be invalidated (e.g. tenders received after the closing time are invalidated unless it is due to a procuring agency error) and eligibility criteria for tenderers;

—	ensuring that any clarification of submitted tenders does not result in substantive alterations after the deadline for submission; and

—	ensuring that a clear and formal report of all the tenders received is produced (including their date and time of arrival, as well as the comments received from tenderers) before passing them to the officers responsible for their evaluation?

TBCBE

3.2.3.

Selection and shortlisting criteria

3.2.3.1

Does the procurement system provide clear, objective and non-discriminatory criteria for:

—	assessing that tenderers have sufficient financial, economic, technical and professional capacity; and

—	selecting and shortlisting candidates and tenderers who meet these criteria?

TBCBE

3.2.3.2

Are these selection criteria specified and notified in the contract notices?

TBCBE

3.2.3.3

Does the procurement system provide clear and objective criteria for assessing the economic and financial capacity of tenderers?

Examples of criteria: balance sheet data for the last 3 years, turnover/revenue/operating income data for the last 3 years, staff employed for the last 3 years.

TBCBE

3.2.3.4

Does the procurement system provide clear and objective criteria for assessing the technical and professional capacity of tenderers?

Examples of criteria: services provided, supplies delivered and works carried out in the past 3 years, samples, descriptions, photos, specifications of products and/or equipment delivered.

TBCBE

3.2.4.

Evaluation and award criteria

3.2.4.1

Does the procurement system provide clear, objective and non-discriminatory criteria for a detailed evaluation of the technical and financial aspects of the tenders?

TBCBE

3.2.4.2

Are there clear and objective criteria and rules for determining the results of the evaluation (e.g. quoting of key criteria for each candidate or tenderer)?

TBCBE

3.2.4.3

Are contracts awarded on the basis of clear and notified award criteria? Are contracts awarded to the tender which quotes the lowest price or under the best-value-for-money procedure (i.e. the most economically advantageous tender)?

TBCBE

3.2.5.

Evaluation officers/committee

3.2.5.1

Are evaluations undertaken with more than one evaluating official or preferably by a committee?

TBCBE

3.2.5.2

Are criteria for the nomination of the evaluation committee specified? Depending on the value of the procurement and the level of risk, the committee could include not only officials from different departments but also possibly external experts.

TBCBE

3.2.5.3

Are the role, function, composition and operating rules of the evaluation committees described? Are the responsibilities of the non-voting chairperson and the voting members of the committee clearly described? Is there a secretary to the committee responsible for carrying out all administrative tasks connected with the evaluation procedure?

TBCBE

3.2.5.4

Are there appropriate procedures for the keeping of and access to (confidential!) tender and proposal documents?

TBCBE

3.2.5.5

TBCBE

3.2.5.6

Are all relevant aspects of the evaluation included in a written report signed by the evaluation officers/committee?

TBCBE

PILLAR 5 — PROCUREMENT

Guidance relating to evaluation committees

Appointment and composition

Tenders should be opened and evaluated by evaluation officers or an evaluation committee formally appointed by the contracting authority comprising a non-voting chairperson, a non-voting secretary and an odd number of voting members. The evaluators must be provided with detailed information on the planned timetable and the workload involved for an evaluator. Evaluators must be available during the scheduled evaluation period. Replacement evaluators should be appointed for each procedure to prevent delays in cases of unavailability. Voting members must have a reasonable command of the language in which the tenders are submitted. Voting members must have the technical and administrative ability to give an informed opinion on the tenders. The identity of the evaluators should be kept confidential.

Impartiality and confidentiality

Members of the evaluation committee must sign a declaration of impartiality and confidentiality. Any member who has or might have an actual or potential conflict of interest with any tenderer or applicant must declare it and immediately withdraw from the evaluation committee.

During the procurement procedure, all contacts between the contracting authority and candidates, applicants or tenderers must be under conditions ensuring transparency and equal treatment. No information about the examination, clarification, or evaluation of tenders, or proposals, or decisions about the award of a contract, may be disclosed before the approval of the evaluation report by the contracting authority. Any attempt by a tenderer, candidate or applicant to influence the process in any way (whether by making contact with members of the evaluation committee or otherwise) may result in the immediate exclusion of its tender or proposal from further consideration.

Apart from the tender opening session, the proceedings of the evaluation committee are confidential. To keep the proceedings confidential, attendance at evaluation committee meetings is strictly limited to the members of the committee appointed.

Apart from the copies given to the evaluators, the tenders or proposals must not leave the room/building in which the committee meetings take place before the conclusion of the work of the evaluation committee. They must be kept in a safe place when not in use.

Responsibilities of evaluation committee members

The chairperson is responsible for coordinating the evaluation process and for ensuring its impartiality and transparency. The voting members of the evaluation committee have collective responsibility for decisions taken by the committee.

The secretary to the committee is responsible for carrying out all administrative tasks connected with the evaluation procedure. These include, among others, keeping minutes of evaluation committee meetings, keeping relevant records and documents and drawing up evaluation reports. Any request for clarification requiring communication with the tenderers or applicants during the evaluation process must be conducted in writing.

Timetable

The evaluation committee must be formed early enough to ensure that members are available to prepare and conduct the evaluation process. The tenders must be evaluated in time to allow the procedure to be completed within the validity period of the tenders. It is very important that all tenderers, whether successful or unsuccessful, receive information without delay.

Once the evaluation has been completed, the contracting authority should promptly take the award decision by approving the evaluation reports.

Period of validity

Tenderers are bound by their tenders for the period specified in the letter of invitation to tender and/or in the tender dossier. This period must be sufficient to allow the contracting authority to examine tenders, approve the contract award proposal, notify the successful and unsuccessful tenderers and conclude the contract. The period of validity of tenders should be fixed at an appropriate number of calendar days (e.g. 90 days) from the deadline for the submission of tenders.

PILLAR 5 — PROCUREMENT

3.	PROCUREMENT PROCEDURES (cont'd) — questions/criteria

Entity comments

Auditor comments

3.2.6.

Award of contracts

3.2.6.1

Does the procurement system provide rules for informing tenderers as well as the wider public on the outcome of the tendering process by:

—	notifying successful and unsuccessful tenderers of the outcome of their tenders, as well as when and where the contract award information is published

—	considering the possibility of publishing the grounds for the award, including the consideration given to qualitative tender elements. Do not disclose commercially-sensitive information about the winning tender or about other tenders, which could favour collusion in future procurements; and

—	allowing the mandatory standstill period, where one exists, before the beginning of the contract?

TBCBE

3.2.6.2

Does the procurement system provide rules which give the possibility of debriefing to suppliers on request by:

—	withholding confidential information (e.g. trade secrets or pricing);

—	highlighting the strengths and weaknesses of the unsuccessful tender;

—	for debriefings in writing, ensuring that the written report is approved beforehand by a senior procurement official; and

—	organising oral debriefings, provided that discussions are carried out in a structured manner so that they do not disclose confidential information, and that they are properly recorded?

TBCBE

3.3.

Complaints system

Does the procurement system provide for an independent, transparent, non-discriminatory, efficient and effective administrative procurement review process for handling procurement complaints by participants not only before but also after the award and prior to contract signature?

The prompt resolution of complaints is necessary to enable contract awards to be reversed if necessary and limit remedies tied to profit loss and costs associated with bid or proposal preparation after contract signatures. A good process also includes the ability to refer the resolution of the complaints to an independent higher authority for appeals.

3.3.1

Does the procurement system provide information on how to lodge a complaint related to the procurement process? Are complaints reviewed by a function or body which:

—	is comprised of experienced professionals, familiar with the legal framework for procurement, and includes members from the private sector, civil society and government;

—	is not involved in any capacity in procurement transactions or in the process leading to contract award decisions;

—	does not charge fees that prohibit access by concerned parties;

—	follows processes for submission and resolution of complaints that are clearly defined and publicly available;

—	exercises the authority to suspend the procurement process;

—	issues decisions within the timeframe specified in the rules/regulations; and

—	issues decisions that are binding on all parties (without precluding subsequent access to an external higher authority)?

TBCBE

PILLAR 6 — FINANCIAL INSTRUMENTS (8)

KEY QUESTION (level 1)

Entity comments

Auditor comments

Does the entity apply appropriate rules and procedures in all material respects for providing financing from EU funds/budgetary guarantees through financial instruments and in accordance with the criteria set by the European Union?

Guidance

A financial instrument may take the form of equity or quasi-equity investments, loans or guarantees or other risk-sharing instruments and it may be combined with other forms of financial support.

Financial Regulation applicable to the general budget of the European Union.

The Commission may implement financial instruments (‘FIs’) under indirect management by entrusting tasks to entities and their financial intermediaries. Title X of the Financial Regulation applicable to the general budget of the European Union sets out principles and conditions for the implementation of financial instruments, as follows:

—	financial instruments under direct and indirect management (Article 208 FR);

—	selection of the entities entrusted with the implementation of financial instruments in indirect management (Article 208.4 FR);

—	principles and conditions applicable to financial instruments and budgetary guarantees (Article 209 FR);

—	content of the contribution agreement with entities entrusted with the implementation of financial instruments in indirect management (Article 155.6 FR; Article 208 FR);

—	monitoring of financial instruments (Articles 155 and 209 FR); and

—	rules and implementation (Article 215 FR).

International accounting standards for private sector entities

According to IAS (International Accounting Standard) 32 and 39, a financial instrument is defined as ‘any contract that gives rise to a financial asset of one entity and a financial liability or equity instrument of another entity’.

IAS 32 (Financial Instruments) outlines the accounting requirements for the presentation of FIs, particularly as to the classification of such instruments into financial assets, financial liabilities and equity instruments. The standard also provides guidance on the classification of related interest, dividends and gains/losses, and when financial assets and financial liabilities can be offset. IAS 39 was reissued in December 2003, applies to annual periods beginning on or after 1 January 2005, and is superseded by IFRS 9 Financial Instruments for annual periods beginning on or after 1 January 2015. IFRS 9 Financial Instruments sets out the recognition and measurement requirements for FIs and some contracts to buy or sell non-financial items. The International Accounting Standards Board (IASB)is adding to the standard as it completes the various phases of its comprehensive project on FIs, and so it will eventually form a complete replacement for IAS 39 Financial Instruments: Recognition and Measurement.

International accounting standards for public sector entities

For public sector entities IPSAS (International Public Sector Accounting Standards) 28-30 apply. The definitions of a financial instrument and of financial assets, financial liabilities and equity instruments are essentially the same as in IAS 32. IFRS 9 has no equivalent in IPSAS and thus do not apply in IPSAS. Financial instruments can be categorised on the basis of their valuation method:

—	financial instruments valued at current value (usually market price): cash instruments, securities, derivatives, bonds, equity instruments traded on active markets;

—	financial instruments valued at amortised cost: loans, receivables, borrowings, equity instruments without active market.

PILLAR 6 — FINANCIAL INSTRUMENTS

1.	LEGAL AND REGULATORY FRAMEWORK — questions/criteria

Entity comments

Auditor comments

Key question (level 2): Does the entity have a clear legal and regulatory framework for the use and implementation of FIs?

The principles of using financial instruments (‘FIs’) need to be stated in a well-defined and transparent legal and regulatory framework that clearly establishes appropriate policies, procedures, accountability and controls. While financial instruments operate within their own framework, they benefit from the overall control environment, internal controls operated by the entity, the entity's accounting system and external audit.

1.1

Does the entity have a legal and regulatory framework for FIs which contains:

—	descriptions of the FIs, including investment strategies or policies, the type of support provided, the criteria for eligibility for financial intermediaries and final recipients as well as additional operational requirements transposing the policy objectives of the FI;

—	systems, rules and procedures to achieve and measure a target range of values for the leverage and the multiplier effects (the EU contribution to a FI should aim at mobilising a global investment exceeding the size of the EU contribution according to the indicators defined in advance);

—

provisions for the management of contributions from third parties including the possibility to open fiduciary accounts on behalf of a third party, counterparty risks, acceptable treasury operations, responsibilities of parties concerned, remedial actions in the event of excessive balances on fiduciary accounts, record keeping and reporting(9) equivalent to EU requirements;

—	rules for accounting, financial reporting (separate financial reporting for each FI) and external audit;

—	systems, rules and procedures to regulate duration, possibility of extension, and termination of the FI, including the conditions for early termination and, where appropriate, exit strategies as well as on repayments paid/to be paid back to the third party or to fiduciary accounts;

—	systems, rules and procedures to monitor the implementation of support to financial intermediaries and final recipients including reporting by the financial intermediaries?

TBCBE

1.2

What types of FIs does the entity use or intend to use? Obtain a detailed description of:

—

Types of FIs used, including explanations of (technical) terms and abbreviations. FIs may include loans with commercial (market price) interest rates, loans with favourable interest rates and repayment terms, loans with performance-dependent repayment terms, micro-loans, non-refundable grants, guarantees, frameworks for cooperation with the third parties, such as investment facilities and blending facilities, etc.

—

The risks associated with each FI, how these risks are managed and what remedial measures are in place. Typical risks may include, but are not limited to, exchange rate risks (loans issued and repayable in local currencies and financed through internationally convertible currencies) and credit risks (credit worthiness of borrowers).

TBCBE

1.3

How are FIs provided to beneficiaries (borrowers)? How are they secured and by which type of liabilities and/or guarantees?

Please reply to the following with reference to:

—	Support through financial intermediaries (intermediate financing)

—	Direct support to final recipients (non-intermediated financing)

TBCBE

1.4

Does the entity have guidelines or operating rules and manuals for the FIs used?

TBCBE

1.5

Does the entity make use of standard templates for providing FIs, such as model contracts?

Please reply to the following with reference to:

—	Financial intermediaries

—	Final recipients (in case of non-intermediate financing)

TBCBE

1.6

Do these contracts clearly set out relevant terms and conditions?

TBCBE

PILLAR 6 — FINANCIAL INSTRUMENTS

2.	PRINCIPLES — questions/criteria

Entity comments

Auditor comments

Key question (level 2): are the following principles and conditions integrated in the procedures, rules and criteria of the entity's financial instruments?

Basic principles (Article 209(1) FR).

Financial instruments shall be used in accordance with the principles of sound financial management, transparency, proportionality, non-discrimination, equal treatment and subsidiarity and in accordance with their objectives and, where applicable, the duration established in the basic act for the FIs.

Selection of financial intermediaries (Article 208 FR)

Financial intermediaries shall be selected on the basis of open, transparent, proportionate and non-discriminatory procedures, avoiding conflicts of interest. Financial intermediaries or final recipients of the financial instruments shall be selected with due account of the nature of the financial instrument to be implemented, the experience and the operational and financial capacity of the entities concerned, and/or the economic viability of projects of final recipients. The choice shall be transparent, justified on objective grounds and shall not give rise to a conflict of interest.

Conditions for financial instruments and budgetary guarantees (Article 209 FR)

Financial instruments/budgetary guarantees shall comply with the following basic conditions: address market failures or sub-optimal investment situations, additionality, non-distortion of competition in the internal market and consistency with State aid rules, leverage effect and alignment of interest and providing remuneration consistent with the sharing of risk.

Guidance

The above principles must be integrated in the procedures, rules and criteria of the entity's financial instruments in accordance with the overarching principle of proportionality. Principles are not absolute and a limited number of exceptions can be allowed provided that they are clearly stated, reasonable and justified.

2.1.1

Basic principles. Are the following basic principles integrated in the procedures, rules and criteria for the use and implementation of the entity's financial instruments/budgetary guarantees?

—	sound financial management;

—	transparency;

—	proportionality;

—	non-discrimination; and

—	equal treatment?

TBCBE

2.2.1

Selection of financial intermediaries. What is the entity's procedure for selecting financial intermediaries(10)?

TBCBE

2.2.2

Selection of financial intermediaries. Are financial intermediaries selected on the basis of open, transparent, proportionate and non-discriminatory procedures, avoiding conflicts of interests?

2.2.3

Selection of financial intermediaries. Are financial intermediaries or final recipients of the FIs selected with due account of the nature of the FI to be implemented, the experience and the operational and financial capacity of the entities concerned, and/or the economic viability of projects of final recipients?

Is the selection transparent, justified on objective grounds and does it not give rise to a conflict of interest?

2.3.1

Conditions for FIs. Do the entity's systems, rules and procedures allow the entity to implement FIs that address market failures or sub-optimal investment situations, which are deemed to be economically viable according to internationally accepted standards but do not give rise to sufficient funding from market sources?

TBCBE

2.3.2

Conditions for FIs. Do the entity's systems, rules and procedures allow it to implement FIs that comply with the principle of additionality (FIs should not aim to replace those of a Member State, private funding or another EU financial intervention)?

TBCBE

2.3.3

Conditions for FIs. Do the systems, rules and procedures in place within the entity allow it to comply with the condition of aligning interest by provisions such as co-investment, risk-sharing requirements or financial incentives, while preventing a conflict of interest with other activities of the entrusted entity)?

TBCBE

2.3.4

Conditions for FIs. Do the entity's systems, rules and procedures allow it to achieve and measure a leverage and a multiplier effect including, where appropriate, the maximisation of private investment?

TBCBE

PILLAR 6 — FINANCIAL INSTRUMENTS

3.	FINANCIAL INSTRUMENT PROCEDURES — questions/criteria

Entity comments

Auditor comments

Key question (level 2): does the entity effectively apply rules and procedures for the use and implementation of its financial instruments?

3.1.	Monitoring. Does the entity effectively apply appropriate rules and procedures for the monitoring of financial instruments?

3.1.1

Does the entity have procedures in place for monitoring the use of FIs which build on the reporting and accounts provided by financial intermediaries and on the audits available and controls carried out by the financial intermediary?

TBCBE

3.1.2

Where no financial intermediary exists, does the entity have procedures in place to directly monitor the use of FIs based on the reporting and accounts provided by final recipients?

TBCBE

Guidance: Monitoring of financial instruments

To ensure the harmonised monitoring of financial instruments referred to in Article 215(3) of the Financial Regulation, a monitoring system should be put in place by the authorising officer responsible for helping provide a reasonable assurance that EU funds are used in accordance with Article 36(2) of the Financial Regulation.

The monitoring system should be used to: (i) assess the progress of the implementation of financial instruments in achieving the policy objectives reflected in the relevant output and result indicators established by the ex ante evaluation; (ii) analyse to what extent the implementation complies with the defined requirements in accordance with Article 209(2) of the Financial Regulation; and (iii) provide the basis for the Commission's reporting required under Articles 41(4) and 140(8) of the Financial Regulation.

3.2.	Loans. Does the entity apply appropriate rules and procedures for the contracting of loans?

3.2.1

What are the recording and reporting systems and procedures for loans?

TBCBE

3.2.2

Are these systems and procedures adequate?

3.2.3

Are loan contracts approved against adequate and transparent criteria?

3.2.4

Is the contract (general ledger) account reconciled on a regular basis (at least every month) to the contract recording system?

TBCBE

3.3.	Guarantees. Does the entity apply appropriate rules and procedures for the issuing of guarantees?

3.3.1

What are the recording and reporting systems and procedures for guarantees?

TBCBE

3.3.2

Are these systems and procedures adequate?

3.3.3

Are guarantees approved against adequate and transparent criteria?

3.3.4

Is the contract (general ledger) account reconciled on a regular basis (at least every month) to the contract recording system?

TBCBE

3.3.5

Regarding budgetary guarantees, is the entity capable of adequately reporting on their implementation, including — where the contribution reimburses expenditure — on accounts drawn up for the expenditure incurred and a management declaration confirming that: (i) the information is properly presented, complete and accurate; (ii) the contribution was used for its intended purpose; (iii) the control systems put in place give the necessary guarantees on the legality and regularity of the underlying transactions; and (iv) a summary of the final audit reports and of controls carried out, including an analysis of the nature and extent of errors and weaknesses identified in systems and corrective action, has been taken or is planned?

3.4.	Interest rate rebates/subsidies. Does the entity have a proper recording and reporting system for providing interest rate rebates/subsidies?

3.4.1

What are the recording and reporting systems and procedures for interest rate rebates?

TBCBE

3.4.2

Are these systems and procedures adequate?

3.4.3

Are interest rate rebates approved against adequate and transparent criteria?

3.5.	Equity. Does the entity apply appropriate rules and procedures for conducting equity operations?

3.5.1

Does the entity have an equity strategy or guidelines for equity investments and a due diligence process, approved by the board or other appropriate governance body?

TBCBE

3.5.2

Does the entity systematically perform a valuation of its equity operations(s), at the time of approval and periodically over the life of the investment? Describe the information and the method(s) used for valuation.

3.5.3

Does the entity have an established process to manage the exits of its equity investments? Does the equity strategy set out any requirements for a timely exit plan?

3.5.4

Is the entity actively managing its equity portfolio? Does it have board members mandated in its investee companies (for direct equity investments), or similar means to monitor closely the performance of its investee companies? In case of investments in funds, does the entity have members nominated in the bodies representing investors in the funds?

TBCBE

PILLAR 6 — FINANCIAL INSTRUMENTS — ADDITIONAL QUESTIONS FOR BUDGETARY GUARANTEES (optional) (11)

6a.	BUDGETARY GUARANTEES — questions/criteria

Entity comments

Auditor comments

Key question (level 2): Does the entity have a credit risk management system and use an internal risk rating system (IRRS) appropriate to the nature, size and complexity of the entity's activities?

Guidance

Most entities implementing budgetary guarantees are credit institutions or investment firms that are subject to regulation and oversight, including rules on credit risk, on risk rating and on the IT systems and procedures to operate them.

The purpose of this sub-section is to assess the reliability of the risk management function of the entity, including its governance and internal credit risk rating system, which is material for a future assessment of the risk-sharing arrangements between the EU and the entity, as well as for the EU remuneration stemming from the risk taken by the EU (Article 209(2)(f) FR).

The EU exposure to counterparts under budgetary guarantees includes a contingent liability, which represents the EU financial liability that it is not fully covered by provisions (Article 211 FR). In order to assess the risk of counterparts claiming EU payments for guarantee calls above the available provisioning, the Commission has to monitor at least once a year the EU exposure arising from each budgetary guarantee. To this end, counterparts are requested to provide the Commission every year with information on the outstanding financial obligations arising for the EU from the budgetary guarantees, including a risk assessment, grading information and expected defaults concerning the operations covered by the budgetary guarantee (Article 219(6) FR). The Commission relies on this information to carry out the assessment of the sustainability of contingent liabilities (Article 210(3) FR) and to review regularly the provisioning rate of each budgetary guarantee (Article 211(1) FR).

Standards on the regulation, supervision and risk management of banks are described in:

—	at international level: ‘Basel III’, an internationally agreed set of measures developed by the Basel Committee on Banking Supervision, including ‘Core principles for effective supervision’, in particular principles 15 (risk management process) and 17 (credit risk);

—

at EU level: Directive 2013/36/EU on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms; Regulation (EU) No 575/2013 on prudential requirements for credit institutions and investment firms; Directive 2014/65/EU on markets in financial instruments.

6a.1

Risk policy/strategic framework. Does the entity have a sound policy and strategy in place to identify, manage, measure and control risk (with a focus on credit risk)?

6a.1.1

Does the entity have a risk policy that:

—	clearly defines and allocates responsibilities within the organisation;

—	takes into consideration soundness, rationality, and feasibility; and

—	remains available and understandable throughout the entire organisation?

TBCBE

6a.1.2

Does the entity have a risk strategy or guidelines, approved by the senior management, which regularly:

—	defines the boundaries and business considerations in accordance with which the entity is expected to operate when pursuing its business strategy;

—	establishes individual and aggregate level risks and different types of risk (risk capacity, including limits) that the entity is willing and able to accept in order to pursue its business activities;

—	communicates the board's risk appetite effectively throughout the entity, linking it to daily operational decision-making and establishing the means to raise risk awareness across the entity;

—	provides continuity by taking into account the cyclical aspects of the economy where the entity operates and the resulting shifts in the composition and quality of the overall portfolio; and

—	includes both quantitative and qualitative considerations?

TBCBE

6a.2

Risk governance. Does the entity have an appropriate organisational framework to enable effective credit risk management, measurement and control, with sufficient qualitative and quantitative human and technical resources to carry out the required tasks?

6a.2.1

Is the allocation of responsibilities within the entity clearly defined so that:

—	the board or other governing body approves the policies for managing and controlling risk and reviews them regularly, and takes an active role in defining the risk appetite and ensuring its alignment with the entity's strategic, capital and financial plans, and compensation practices;

—	the senior management is responsible for drawing up and implementing the rules and procedures for managing, measuring and controlling risk;

—	there are clear lines of responsibility for taking on, measuring, monitoring, managing and reporting risk;

—

the senior management ensures that the staff involved in all phases of the risk management process is qualified, competent and have the necessary training, willingness and experience to exercise prudent judgement in assessing, managing and/or controlling risk, and a solid understanding of the entity's strategic direction, policies, procedures, risk tolerance and limits;

—	the risk management function is involved in any revenue generation activities; and

—	the chief risk officer (CRO) reports to and has direct access to the board or its risk committee without impediment?

TBCBE

6a.2.2

Is the separation of duties implemented so that:

—

the credit risk management function is fully independent from the business function and comprises ‘three lines of defence’ clearly recognisable, as follows:

1)	the business line (i.e. first line of defence) has ‘ownership’ of risk, whereby it acknowledges and manages the risk that it incurs in conducting its activities;

2)	the risk management function (i.e. second line of defence) is responsible for further identifying, measuring, monitoring and reporting risk on an entity-wide basis as part of the second line of defence, independently from the first line of defence(12);

3)	there is an internal audit/compliance function (third line of defence), which periodically reviews risk and in particular credit risk aspects?

TBCBE

6a.2.3

Are activities of the risk management function sufficiently comprehensive in scope so as to include as much as possible the following aspects:

—	identifying material individual, aggregate and emerging risks;

—	assessing these risks and measuring the entity's exposure to them?

TBCBE

6a.2.4

Do the entity's policies clearly outline the levels of delegation of approvals to management(13) and are approvals made in accordance with the entity's written policies and guidelines and granted by the appropriate level of management?

TBCBE

6a.3

Does the entity have a well-functioning system of credit risk identification, analysis and monitoring?

6a.3.1

Does the entity's risk identification system encompass the following:

—	all material risks to the entity, on- and off-balance sheet and on group-wide, portfolio-wide, business-line and transaction levels; and

—	an ongoing analysis of existing risks as well as identification of new or emerging risks?

TBCBE

6a.3.2

Does the risk management function perform an unbiased assessment of the quality of individual credits/investments and the aggregate portfolio, including appropriateness of credit risk rating and of the estimate of losses? Is this second opinion given at approval stage and then regularly reviewed over the life of the operations?

TBCBE

6a.3.3

Does the measurement of credit risk take into account as much as possible the following aspects:

—	the specific nature of the credit/investment and its contractual and financial conditions;

—	the exposure profile until maturity in relation to potential market movements and the economic cycle;

—	the existence of collateral or guarantees;

—	the default potential based on the internal risk rating;

—	quantitative assessment (e.g. financial modelling) as well as qualitative assessment; and

—	systematic due diligence and risk analysis of all transactions, where due diligence findings have an impact on the management approval and/or structuring of the operation?

TBCBE

6a.3.4

Does the (credit risk) management information system of the entity include the following characteristics:

—	provides adequate information (quality, detail, timeliness) on the composition of the credit/investment portfolio;

—	is sufficiently reliable and comprehensive so that the entity relies on accurate, robust and reliable internal and external data to be able to identify, assess and mitigate risks; and

—	includes periodically reviewed stress tests and scenario analyses to be used by the entity to better understand potential risk exposures under a variety of adverse circumstances?

TBCBE

6a.4

Does the entity use an internal risk rating system (IRRS) appropriate to the nature, size and complexity of its activities?

6a.4.1

Is the entity able to document the rationale for its choice of rating criteria and to provide data and analyses demonstrating that the rating criteria and procedures are likely to result in ratings that meaningfully differentiate risk?

TBCBE

6a.4.2

Does the risk rating system of the entity include as much as possible the following characteristics:

—	all credit exposures are risk-rated;

—	it encompasses an adequate number of ratings, which are reasonable, timely and dynamic;

—	there is a process to map the IRRS to regulatory classification and/or credit rating agencies scales;

—	the rating criteria reflect an appropriate combination of qualitative and quantitative factors and the criteria to assign each rating are clearly defined;

—	there is a time horizon for the risk rating;

—	the ratings reflect both the borrower's expected performance and the transaction's structure;

—	when the entity uses an external database to supplement its data and/or an external rating model, it demonstrate the adequacy of the external data and that the entity understands the rating philosophy underlying the model; and

—	the rating assigned to an operation is well supported and documented?

TBCBE

6a.4.3

Does the entity retain data on the realised default rates associated with rating grades and ratings migration?

TBCBE

6a.4.4

Does the entity have comprehensive policies and procedures on effective validation of the rating system(14) and regularly independent review the adequacy of the IRRS?

TBCBE

PILLAR 6 — FINANCIAL INSTRUMENTS – ADDITIONAL QUESTIONS (optional) (15)

6b.	TAX AVOIDANCE AND NON-COOPERATIVE JURISDICTIONS — questions/criteria

Entity comments

Auditor comments

Key question (level 2): Does the entity implement in the selection/implementation of financial instruments/budgetary guarantees supported by EU funds, standards equivalent to applicable EU legislation and agreed international and EU standards and therefore: a) does not support actions that contribute to tax avoidance and b) does not enter into operations with entities incorporated or established in non-cooperative jurisdictions for tax purposes?

Guidance

Tax avoidance standards aim broadly at ensuring that tax rules for effective taxation are in place and not circumvented:

—	At OECD level they include notably the principles of transparency and exchange of information, and the work on base erosion and profit shifting (BEPS)

—

More specifically at EU level they include the EU tax policy and regulatory framework on tax avoidance(16), such as: the policy commitments against tax avoidance (including the EU policy on non-cooperative jurisdictions for tax purposes), the Code of conduct for business taxation (harmful tax competition), the anti-abuse measures provided in various directives, the comprehensive Anti-Tax Avoidance package adopted in 2016 and translating BEPS rules in the EU legal framework, the EU rules on administrative cooperation and transparency provided in the corresponding directives.

Building on these tax avoidance standards, EU-funded projects should not involve aggressive tax planning and should have established sound business reasons (other than tax reasons) for a given structure, not taking advantage of the technicalities of a tax system or of mismatches between two or more tax systems to reduce tax liability. The list of ‘hallmarks’ in Directive 2018/822/EU of 25 May 2018 (‘DAC6’) facilitates the identification of transactions that may include features of tax avoidance or abuse and could be used as a reference by the assessors.

When assessing if the entity's ex ante due diligence assessment procedures and rules are sufficiently comprehensive to allow it to meet the requirements of this pillar, the following elements should also be taken into account:

Whether the scope of tax due diligence covers the relevant entities in the project structure. For example in addition to the ultimate beneficial owners, relevant entities should include entities with which, in relation to a given project, the Entity has a contract or an indirect relationship based on this contract(17).

b)	The relevant financial flows of the project structure (and their respective tax treatment), including for example whether relevant financial flows would be effectively taxed(18), and whether the project has not been artificially structured(19).

The assessment and mitigation of the tax avoidance risks in specific operations arising from the presence of tax related deficiencies in relation to (i) transparency criteria; (ii) fair taxation criteria; and (iii) BEPS criteria for jurisdictions committed to addressing such deficiencies identified by the EU(20)

The entity's procedures for entering into new or renewed operations with entities incorporated or established in jurisdictions listed under the relevant EU policy on non-cooperative jurisdictions, including for example whether such prohibitions are applied; which project related entities they cover; how the entity defines ‘new or renewed’ operations; whether such prohibitions apply to contracts for new or renewed operations from the moment the jurisdiction is added to the EU list and what derogations are allowed from these prohibitions(21).

In undertaking their assessment the assessors should take into account relevant guidance published by the Commission, such as Commission Communication on new requirements against tax avoidance in EU legislation governing in particular financing and investment operations (C(2018) 1756 final) and subsequent updates.

6b.1

Do the rules of the organisation under which financial instruments supported by EU funds are selected/implemented contain an explicit reference to the assessment of tax avoidance risks and to prohibitions in relation to non-cooperative jurisdictions (NCJs) for tax purposes, capturing the following standards:

a)	OECD principles of tax transparency and exchange of information and work on base erosion and profit shifting (BEPS); and

b)	the EU tax policy and regulatory framework on tax avoidance (as detailed in the guidance notes above), or equivalent?

TBCBE

6b.2

With regard to controls related to tax avoidance, what rules and procedures does the entity have in place so that financial instruments supported by EU funds do not support actions that contribute to tax avoidance?

TBCBE

6b.2.1

Are the entity's ex ante due diligence assessment procedures and rules sufficiently comprehensive in scope to cover the relevant entities involved in the financial flows of the project?

6b.2.2

Does the entity's ex ante tax due diligence assessment allow it to assess if need be up to the ultimate beneficial owner whether:

a)	the relevant financial flows would be effectively taxed; and

b)	the project has not been artificially structured to aim at avoiding tax?

6b.2.3

Does the entity's ex ante tax due diligence assessment consider the presence of jurisdictions committed to addressing deficiencies identified by the EU in the relevant entities(22) as a possible tax avoidance risk, e.g. in relation to (i) transparency; (ii) fair taxation; and (iii) base erosion and profit shifting (BEPS), taking into account the Council conclusions establishing the criteria for the EU list of non-cooperative jurisdictions for tax purposes?

In the affirmative, does the entity's tax due diligence assessment identify possible supervisory measures to address such deficiencies?

6b.3

With regard to NCJs, do the entity's rules and procedures ensure that when implementing financial instruments supported by EU funds, the entity:

a)	identifies, in the project and in the project's relevant entities, the presence of jurisdictions listed under Annex I of the EU Council conclusions;

b)	applies enhanced customer due diligence measures for operations involving entities incorporated or established in non-cooperative jurisdictions for tax purposes;

c)	does not enter into new or renewed operations with entities incorporated or established in jurisdictions listed under Annex I of the EU Council conclusions; and

d)	derogates from c) only if the action is physically implemented in the same jurisdiction, and does not present any indication that the relevant operation contributes to money laundering, terrorism financing, tax avoidance, tax fraud or tax evasion?

TBCBE

PILLAR 6 — FINANCIAL INSTRUMENTS – ADDITIONAL QUESTIONS (optional) (23)

6c.	ANTI-MONEY LAUNDERING and COUNTERING TERRORISM FINANCING — questions/criteria

Entity comments

Auditor comments

Key question (level 2): Does the entity implement in the selection/implementation of financial instruments/budgetary guarantees, standards equivalent to applicable EU legislation and agreed international and EU standards? Does it therefore: a) not support actions contributing to money laundering and terrorism financing; and b) not enter into new or renewed operations with entities incorporated or established in jurisdictions identified by the EU as high-risk third countries?

Guidance on anti-money laundering and countering terrorist financing (AML/CTF)

Standards on AML/CTF aim broadly at preventing the misuse of the financial system for the purpose of money laundering and terrorist financing by applying preventative measures.

—	At international level, it includes the work of the Financial Action Task Force (FATF).

—	More specifically at EU level, it includes EU Directive (EU) 2015/849.

An examination of the entity's rules and procedures would look at:

whether the entity's rules and procedures plan for a risk assessment on money laundering and terrorist financing and for prohibitions in relation to ‘high-risk third countries’, and in the affirmative to what extent the risk assessment may lead to the adoption of supervisory measures to address the risks;

b)	whether the entity has appropriate policies, controls and procedures in place, including internal control measures, an audit policy, training measures and rules for protecting staff/employees that report suspicious transactions or breaches according to AML/CFT obligations from retaliation;

c)	whether the entity has an ex ante due diligence process for checking that appropriate information on payers and payees accompanies funds transfers and the scope of such process(24);

whether the entity's rules and procedures include customer due diligence requirements (CDD), record keeping and monitoring of transactions, and in the affirmative, to what extent they include reasonable measures to verify the identity of the beneficial owner(s) of customers (i.e. legal persons and legal arrangements) and understand the ownership and control of the customer and the measures that are applicable if the entity detects a suspicious transaction.

e)	whether the entity applies enhanced due diligence requirements, taking into account Directive (EU) 2015/849, when dealing with ‘high-risk third countries’; and

f)	whether the entity applies certain prohibitions for projects involving jurisdictions identified as high-risk countries(25).

6c.1

With regard to anti-money laundering (AML) and countering-terrorism financing (CFT), does the entity have appropriate policies, controls and procedures in place to ensure that EU-funded actions do not contribute to money laundering or terrorist financing?

6c.1.1

Does the entity have appropriate policies, controls and procedures in place to identify and assess the risks of money laundering and terrorist financing, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or delivery channels?

6c.1.2

When providing EU funds to third parties, does the entity apply customer due diligence measures comprising:

(a)	identifying the third party and verifying the third party's identity on the basis of documents, data or information obtained from a reliable and independent source;

(b)

identifying the beneficial owner and taking reasonable measures to verify that person's identity so that the entity is satisfied that it knows who the beneficial owner is, including, as regards legal persons, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the third party;

(c)	assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;

(d)

continuously monitoring the business relationship, including by scrutinising transactions carried out throughout the course of that relationship to ensure that they are consistent with the entity's mandatory knowledge of the customer, the business and risk profile - including where necessary the source of funds, and by ensuring that the documents, data or information held are kept up to date(26)?

When applying those Customer Due Diligence measures, does the entity apply enhanced customer due diligence requirements, in particular when dealing with:

—	high-risk third countries identified, taking into account Directive (EU) 2015/849;

—	a cross-border banking relationship with a third country respondent institution; or

—	when dealing with transactions or business relationship involving politically exposed persons and other higher risk cases identified by the entity?

6c.2

For jurisdictions identified as high-risk third countries, taking into account Directive (EU) 2015/849, does the entity — when implementing an EU-financed project:

a)	identify, in the project and in the project's relevant entities, the presence of jurisdictions identified as ‘high-risk third countries’;

b)	apply enhanced customer due diligence measures for operations involving ‘high-risk third countries’;

c)	not enter into new or renewed operations with entities incorporated or established in jurisdictions identified as high-risk third countries, taking into account Directive (EU) 2015/849;

d)	derogate from c) only if the action is physically implemented in the same jurisdiction, and does not present any indication that the relevant operation contributes to money laundering, terrorism financing, tax avoidance, tax fraud or tax evasion?

PILLAR 7 — EXCLUSION FROM ACCESS TO FUNDING
KEY QUESTION (level 1)	Auditor comments
Does the entity apply appropriate rules and procedures for excluding third parties from access to funding through procurement, grants and/or financial instruments (27) ?

PILLAR 7 — EXCLUSION FROM ACCESS TO FUNDING

1.	LEGAL AND REGULATORY FRAMEWORK

Entity comments

Auditor comments

Key question (level 2): Does the entity have a clear legal and regulatory framework for exclusion from funding?

TBCBE

PILLAR 7 — EXCLUSION FROM ACCESS TO FUNDING

2.	EXCLUSION CRITERIA

Entity comments

Auditor comments

Key question (level 2): Are the following exclusion criteria integrated in the procedures and rules for the award of procurement contracts, grants and/or financial instruments(28)?

TBCBE

2.1

Are third parties excluded from funding if they or a person having powers of representation, decision-making or control over them or a member of their administrative, management or supervisory body have been the subject of a final judgment or of a final administrative decision for one of the following reasons(29)

a)	bankruptcy, insolvency or winding-up procedures;

b)	breach of obligations relating to the payment of taxes or social security contributions;

c)	grave professional misconduct, including mis-representation

fraud;

e)	corruption;

f)	conduct related to a criminal organisation;

g)	money laundering or terrorist financing;

h)	terrorist offences or offences linked to terrorist activities;

i)	child labour and other trafficking in human beings;

j)	irregularity(30)

k)	creating a shell company;

l)	being a shell company.

Are there any derogations to the above based on justified grounds, such as:

—	overriding reasons of public interest such as public health or environmental protection?

2.2

Is proportionality taken into account when deciding on exclusion from funding?

2.3

Is the right of defence taken into account when deciding on exclusion from funding?

2.4

Is the assessment of remedial measures, put in place by the entity to demonstrate its reliability, taken into account when deciding on exclusion from funding?

PILLAR 7 — EXCLUSION FROM ACCESS TO FUNDING

3.	PROCEDURES

Entity comments

Auditor comments

Key question (level 2): Does the entity effectively apply rules and procedures for exclusion (in the provision of grants/procurement/financial instruments, as appropriate) based on the requirements mentioned under 2?

TBCBE

3.1

Does the entity effectively apply rules and procedures for exclusion in the provision of grants?

3.2

Does the entity effectively apply rules and procedures for exclusion in the procurement process?

3.3

Does the entity effectively apply rules and procedures for exclusion under financial instruments?

PILLAR 8 — PUBLICATION OF INFORMATION ON RECIPIENTS OF FUNDS AND OTHER INFORMATION
KEY QUESTION (level 1)	Auditor comments
Does the entity make public the information on fund recipients in an appropriate and timely manner?

PILLAR 8 — PUBLICATION OF INFORMATION ON RECIPIENTS OF FUNDS AND OTHER INFORMATION

1.	LEGAL AND REGULATORY FRAMEWORK — questions/criteria

Entity comments

Auditor comments

Key question (level 2): Does the entity have a clear legal and regulatory framework for publication of recipients, covering: (i) adequate publication elements of beneficiaries; (ii) a reference to a common international standard ensuring protection of fundamental rights and commercial interests; and (iii) regular publication updates?

TBCBE

PILLAR 8 — PUBLICATION OF INFORMATION ON RECIPIENTS OF FUNDS AND OTHER INFORMATION

2.	REQUIREMENTS — questions/criteria

Entity comments

Auditor comments

Key question (level 2) Are the following requirements integrated in the procedures and rules for publication?

TBCBE

2.1

As a general rule, does the entity publish information on the recipients of funds containing at least the following elements: name, locality, nature and purpose and amount?

Without prejudice to the rules and procedures on data protection addressed under the data protection pillar, are there any exemptions for justified grounds such as:

—	the entity may waive publication for reasons of confidentiality and security, for example if publication would threaten the rights and freedom of individuals or harm the recipient's commercial interest; or

—	the entity may waive publication where the contracts are for low amounts?

2.2

Does the entity publish the information regularly (for example: at least once a year)?

2.3

Does the entity publish the information adequately based on common international standards? Which ones (for example: IATI, OECD)?

PILLAR 8 — PUBLICATION OF INFORMATION ON RECIPIENTS OF FUNDS AND OTHER INFORMATION

3.	PUBLICATION PROCEDURES — questions/criteria

Entity comments

Auditor comments

Key question (level 2): Does the entity effectively apply rules and procedures for publication (in the provision of grants/procurement/financial instruments, as appropriate) based on the requirements mentioned under 2?

TBCBE

3.1

Does the entity effectively apply rules and procedures for publication in the provision of grants?

3.2

Does the entity effectively apply rules and procedures for publication in the procurement process?

3.3

Does the entity effectively apply rules and procedures for publication under financial instruments?

PILLAR 9 — PROTECTION OF PERSONAL DATA
KEY QUESTION (level 1)	Auditor comments
Does the entity ensure protection of personal data equivalent to that referred to in Article 5 of the Financial Regulation (31)?

PILLAR 9 — PROTECTION OF PERSONAL DATA

1.	LEGAL AND REGULATORY FRAMEWORK

Entity comments

Auditor comments

Key question (level 2): Does the entity have a clear legal and regulatory framework for the protection of personal data?

TBCBE

PILLAR 9 — PROTECTION OF PERSONAL DATA

2.	REQUIREMENTS

Entity comments

Auditor comments

Key question (level 2): Are the following requirements integrated in procedures and rules for the protection of personal data?

2.1

As a general rule, are personal data:

—	processed lawfully, fairly and transparently for the individual in question;

—	collected for specified, explicit and legitimate purposes and not further processed in a manner not compatible with those purposes;

—	adequate, relevant and limited to what is necessary for the purposes for which they are processed;

—	accurate and, where necessary, kept up to date;

—	kept in a form which permits identification of the individuals for no longer than is necessary for the purposes for which the personal data are processed;

—	processed in a manner that ensures appropriate security of the personal data?

2.2

Do procedures and rules encompass the following principles:

—	right to information;

—	right to access and rectify or erase personal data;

—	right to data portability;

—	right to confidentiality of electronic communications?

PILLAR 9 — PROTECTION OF PERSONAL DATA

3.	PROCEDURES

Entity comments

Auditor comments

Key question (level 2): Does the entity effectively apply rules and procedures (e.g. appropriate technical and organisational measures) for the protection of personal data (in the provision of grants/procurement/financial instruments, as appropriate) based on the requirements mentioned under 2?

3.1

Does the entity effectively apply rules and procedures for the protection of personal data in the provision of grants?

TBCBE

3.2

Does the entity effectively apply rules and procedures for the protection of personal data in the procurement process?

TBCBE

3.3

Does the entity effectively apply rules and procedures for the protection of personal data under financial instruments?

TBCBE

(1) The entity/auditor should state here YES or NO to indicate whether the pillar is subject to assessment.

(2) The reference to ‘financial instruments’ is deemed to also include budgetary guarantees.

(3) The imprest system is a form of financial accounting system. The most common imprest system is the petty cash system. The basic characteristic of an imprest system is that a fixed amount is reserved, and subsequently replenished after a certain period of time or when circumstances require, because money was spent. This replenishment will come from another account source e.g. petty cash will be replenished by cashing a cheque drawn on a bank account.

(4) Effective payroll management should be underpinned by a personnel database (in some cases called the ‘nominal roll’ and not necessarily computerised), which provides a list of all staff, who should be paid every month and which can be verified against an approved list of staff and the individual personnel records (or staff files). The link between the personnel database and the payroll is a key control. Any amendments required to the personnel database should be processed in a timely manner through a change report, and should result in an audit trail. Payroll audits should be undertaken regularly to identify ghost workers, fill data gaps and identify control weaknesses.

(5) A reference to ‘financial instruments’ is deemed to also include budgetary guarantees.

(6) In accordance with Article 209(4) of the FR.

(7) The notion of ‘grant beneficiaries’ is to be understood in a broad sense, i.e. it may also include partner/beneficiary countries and the entity's implementing partners.

(8) Reference to financial instruments and EU funds is deemed to also include budgetary guarantees.

(9) For those organisations that do not apply International Public Sector Accounting Standards (IPSAS) yet, it was agreed that financial reporting can be according to International Financial Reporting Standards (IFRS).

(10) Sometimes, IFIs also work through bodies from the partner country (national funds), which are assimilated to financial intermediaries.

(11) Only applicable in case the entity plans to apply for a budgetary guarantee from the European Union.

(12) The compliance function is also deemed part of the second line of defence.

(13) i.e. when to utilise an individual signature authority, dual or joint authorities or a credit/investment committee depending upon the size and nature of the transaction.

(14) e.g. review of the evidence supporting the model design, back-testing, benchmarking, assessment of the discriminatory power of the ratings.

(15) The entity may still pass this pillar even if the scoring for this section does not meet the threshold, but subject to the supervisory measures that will be applied at contractual level as appropriate.

(16) The EU tax policy and regulatory framework includes, in particular and subject to further developments: Code of Conduct for business taxation, 1.12.1997 (

OJ C 2, 6.1.1998, p. 2

); Council Directive 2011/96/EU of 30 November 2011 on the common system of taxation applicable in the case of parent companies and subsidiaries of different Member States (

OJ L 345, 29.12.2011, p. 8

); Council Directive 2003/49/EC of 3 June 2003 on a common system of taxation applicable to interest on royalty payments made between associated companies of different Member States (

OJ L 157, 26.6.2003, p. 49

); Commission Recommendation 2012/772/EU of 6 December 2012 on aggressive tax planning (

OJ L 338, 12.12.2012, p. 41

); Council Directive 2011/16/EU of 15 February 2011 on administrative cooperation in the field of taxation and repealing Directive 77/799/EEC (

OJ L 64, 11.3.2011, p. 1

); Commission Anti-Tax Avoidance Package: Next steps towards delivering effective taxation and greater tax transparency in the EU (COM/2016/23); Commission Recommendation (EU) 2016/136 28 January 2016 on the implementation of measures against tax treaty abuse (

OJ L 25, 2.2.2016, p. 67

); Council Directive (EU) 2016/1164 of 12 July 2016 laying down rules against tax avoidance practices that directly affect the functioning of the internal market (

OJ L 193, 19.7.2016, p. 1

); ECOFIN Council conclusions of 12 February, 8 March, 25 May, 17 June, 8 November and 5 December 2016, 5 December 2017, 23 January and 13 March 2018.

This information can be consulted at: EU policy on non-cooperative jurisdictions for tax purposes (https://ec.europa.eu/taxation_customs/tax-common-eu-list_en); the anti-tax avoidance package (Commission website: https://ec.europa.eu/taxation_customs/business/company-tax/anti-tax-avoidance-package_en; Council website: http://www.consilium.europa.eu/en/policies/anti-tax-avoidance-package/); the EU policy against harmful tax competition (https://ec.europa.eu/taxation_customs/business/company-tax/harmful-tax-competition_en) including the work of the Code of conduct Group on business taxation (Council website: http://www.consilium.europa.eu/en/council-eu/preparatory-bodies/code-conduct-group/); the EU work on administrative cooperation in the field of direct taxation (https://ec.europa.eu/taxation_customs/business/tax-cooperation-control/administrative-cooperation/enhanced-administrative-cooperation-field-direct-taxation_en); on transparency for intermediaries (https://ec.europa.eu/taxation_customs/business/company-tax/transparency-intermediaries_en); and the EU regulatory framework on taxation (http://eur-lex.europa.eu/browse/directories/consleg.html?root_default=CC_1_CODED%3D09&displayProfile=lastConsDocProfile&classification=in-force#arrow_09).

(17) See, in particular, Section IV (1) 1.2 of Commission Communication (C(2018)1756, 21.3.2018).

(18) This would mean for example looking at whether the profits realised are taxed under the applicable standard rules (if not, go to the next entity level), and whether the profits channelled are taxed under the applicable standard rules (if not, go to the next entity level, up to the ultimate beneficial owners if need be). However, once effective taxation is established for a given financial flow, no further evidence on the taxation of this flow is needed.

(19) This could include for example providing evidence of the economic rationale of a structure, the effective substance of the various entities (see for instance p. 125 sq http://data.consilium.europa.eu/doc/document/ST-10421-2018-INIT/en/pdf, and http://data.consilium.europa.eu/doc/document/ST-5814-2018-REV-3/en/pdf) and the tax impact of the structuring.

(20) The presence of jurisdictions included in Annex II of the EU Council conclusions in the structure of an operation should trigger a case-by-case examination and require specific attention to ensure that the concerns, which these jurisdictions have committed to address in order to comply with tax good governance criteria, are not exploited in projects financed by EU funds. These concerns may relate to any of the criteria mentioned in Annex V to the Council conclusions of 5 December 2017, i.e.: (i) transparency and exchange of information; (ii) fair taxation (including criterion 2.2); and (iii) BEPS standards. For example, financial flows of projects financed by EU funds should not benefit from harmful tax regimes that a jurisdiction has committed to abolish. Similarly, where a jurisdiction does not yet meet transparency criteria because of insufficient exchange of information mechanisms with EU Member States, it should be checked whether the non-reportable tax information in the financial flows of the project may prevent the effective taxation of this financial flow.

(21) The only derogation allowed under the EU Financial Regulation is the derogation for physical implementation. In applying this derogation the entity should assess the physical location of the project (e.g. via an appropriate economic substance test) and whether there is an indication that the relevant project contributes to tax avoidance.

(22) i.e. Jurisdictions included in Annex II of EU Council Conclusions.

(23) The entity may still pass this pillar even if the scoring for this section does not meet the threshold subject to supervisory measures that will be applied at contractual level as appropriate.

(24) In line with Regulation (EU) 2015/847 and Directive (EU) 2015/849.

(25) Taking into account Directive (EU) 2015/849.

(26) Taking into account Directive (EU) 2015/849.

(27) Reference to financial instruments and EU funds is deemed to include budgetary guarantees.

(28) If the entity applies Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (Article 57) or national law transposing this Directive, the protection of the EU financial interests shall be considered as equivalent to the Union rules, policies and procedures.

(29) Directive 2014/24/EU (repealing Directive 2004/18/EC) shall be considered equivalent to the Financial Regulation of the EU. This section may therefore be checked against systems, rules and procedures applying the above-mentioned Directive or national law transposing the above-mentioned Directive.

(30) Not applicable for financial instruments.

(31) Without prejudice to Regulations (EU) 2018/1725 and (EU) 2016/679.

Annex 3

ASSESSMENT PROCEDURES

3.1. Assessment documentation and evidence

1)

Assessment documentation (working papers)

The auditor should in accordance with ISAE 3000, prepare documentation that provides:

— a sufficient and appropriate record of the basis for the auditor’s report; and

— evidence that the assessment was planned and performed in accordance with ISAE 3000 and applicable legal and regulatory requirements.

‘Documentation’ or ‘working papers’ mean the record of assessment procedures performed, relevant evidence obtained and conclusions the auditor reached. An ‘assessment file’ refers to one or more folders or other storage media, in physical or electronic form, containing the records that comprise the assessment documentation or working papers for a specific engagement.

2)

Evidence

The auditor should, in accordance with ISAE 3000, ensure that evidence is gathered to support the auditor’s conclusion and evidence that the assessment was carried out in accordance with the IFAC

International Framework for Assurance Engagements

and

International Standard on Assurance Engagements (‘ISAE’) 3000

for

Assurance Engagements other than Audits or Reviews of Historical Financial Information.

The auditor should obtain sufficient appropriate evidence to support assessment findings and to draw reasonable conclusions on which to base the assessment conclusions. The auditor uses their professional judgement to determine whether evidence is sufficient and appropriate.

3)

Retention of assessment documentation (working papers)

The auditor should retain documentation for the engagement (including evidence for fees and expenses such as invoices for hotel accommodation, air plane boarding cards, ticket stubs, time sheets, etc.) for inspection by the contracting authority for 5 years from the date of payment by the contracting authority of the auditor’s final invoice for this engagement. The contracting authority should, on request and in accordance with the legislation in the country where the office having responsibility for the assessment is based, have access to the assessment documentation within this five-year period.

4)

Access to the entity’s records and documents

The auditor should have full and unrestricted access at any time to all records and documents (including accounting records, contracts, minutes of meetings, bank records, invoices, etc.), to the entity’s employees and locations insofar as this is possible and relevant to the assessment. The auditor may ask the entity for access to its banks (e.g. to request a bank confirmation), consultants and others, or to firms the entity has engaged.

3.2. Planning

1)

Preparatory meeting with the entity

The entity normally plans for a preparatory meeting with the auditor. This meeting will take place at the entity’s headquarters or another location, depending on which is most appropriate and convenient for both parties. The purpose of this meeting is to discuss the assessment planning, fieldwork and reporting and to clarify outstanding issues. The entity and the auditor may agree on alternative methods to prepare the assessment (e.g. conference calls). During the preparatory meeting, the auditor may request additional information and documents that it considers necessary or useful for the assessment planning and fieldwork.

The entity should inform the Commission about this meeting which may be attended by Commission representatives.

2)

Planning activities, assessment plan and assessment work programmes

The auditor should plan the assessment so that it is carried out effectively and efficiently. Adequate planning involves devoting appropriate attention to important assessment areas, identifying and resolving potential problems promptly, and properly organising and managing the assessment so that it is effective and efficient.

The auditor should have an assessment plan (or a similar planning document such as an assessment work plan or a planning memorandum) setting out the assessment approach and key principles of planning, fieldwork and reporting. The auditor should have assessment work programmes that detail and document the assessment tests and procedures.

3.3. Fieldwork

1)

Obtaining evidence on the design of systems, controls, procedures and rules

The scope of work should include an assessment of the

design

of relevant systems, controls, procedures and rules that are relevant for the pillar concerned.

Procedures to obtain evidence on the design of systems, controls, procedures and rules may include:

— talking to members of the entity’s staff who may have relevant information;

— evaluating whether descriptions, if available, fairly present the systems, controls, procedures and rules that have been designed and implemented by the entity;

— inspecting legal and regulatory documents (e.g. laws, regulations, contracts and agreements), internal instructions and guidance papers (e.g. operating rules, internal control manuals, etc.) and any other document the auditor may consider relevant;

— observing operations and inspecting documents, reports, printed and electronic records of transaction processing, accounting procedures (e.g. bank reconciliation) and other key approval and internal control procedures (e.g. periodical expenditure reports, budget–actual comparisons, review and approval of timesheets, etc.), documents relating for example to: (i) the entity’s regulatory framework for external audit; (ii) grant and procurement procedures; and (iii) financial instruments and financial instrument transactions; and

— repeating controls and procedures.

The auditor may wish to use flowcharts or questionnaires to help assess the design of the controls, procedures and rules.

2)

Tests of systems, controls and procedures

The scope of work should include an assessment of whether relevant systems, controls, procedures and rules are

operating effectively

A system, control, procedure or rule is operating effectively if, individually or in combination with other systems, controls, procedures or rules, it provides reasonable assurance that:

— the entity’s objectives (e.g. objectives of the internal control system or of a grant or procurement process) are achieved and, in particular, that risks to the achievement of the objectives are properly managed and controlled;

— the risks of error, irregularities and fraud are prevented, detected and properly and promptly corrected.

When designing and carrying out tests of the controls, the auditor should:

— carry out other procedures in addition to inquiries to obtain evidence about:

— how a system operated or how a control, procedure or rule was applied;

— the consistency with which the system worked or a control, procedure or control was applied; and

— by whom or by what means controls, procedures or rules were applied;

— determine means of selecting items for testing that are effective in meeting the procedure’s objectives.

When determining the extent of tests of the controls, procedures or rules, the auditor must consider factors such as the characteristics of the population to be tested, the nature of the controls, procedures and rules, the frequency of their application (for example, monthly, daily, a number of times per day), and the expected rate of deviation.

Tests of controls, procedures and rules may include but are not limited to inspection (of records, documents and assets), observation, interviewing the management and others within the entity, confirmation, recalculation and repeating certain procedures.

3)

Sampling and other means of selecting items for testing

When designing and performing tests of systems, controls, procedures and rules, the auditor may use sampling or other ways of selecting items for testing. Sampling involves applying the procedures to less than 100 % of items of relevance to the assessment (e.g. a selection of transactions or account balances) such that all sampling units have a chance of being selected. This will provide the auditor with a reasonable basis on which to draw conclusions about the entire population.

Sampling can take either a statistical or non-statistical approach. The auditor may make a well-judged selection of specific items from a population (e.g. high value or key items, all items over a certain amount, items to obtain information or items to test control activities or procedures or rules). Selective examination does not constitute sampling.

While selective examination of specific items will often be an efficient means of obtaining evidence, it does not constitute sampling. The results of procedures applied to items selected in this way cannot be projected or extrapolated to the entire population. Accordingly, selective examination of specific items does not provide evidence on the rest of the population. Sampling, on the other hand, is designed to enable conclusions to be drawn about an entire population on the basis of testing a sample drawn from it.

4)

Using the work of internal auditors

When the auditor determines that an internal audit function is likely to be relevant for the assessment they: (a) determine whether and to what extent specific work of the internal auditors can be used; and (b) if using the specific work of the internal auditors, whether that work is adequate for the purposes of the audit. The auditor should comply with

ISA 610 ‘Using the Work of Internal Auditors’

insofar as this ISA is relevant to the assessment.

5)

Written representations

In assurance engagements other than audits or reviews of historical financial information (ISAE 3000) the auditor should obtain representations from the management. A written representation is a statement by the management provided to the auditor to confirm certain matters or to support other assessment evidence.

The auditor may request a letter of representation signed by the member(s) of the entity’s management who have the primary responsibility for the entity’s systems, controls, procedures and rules.

6)

Debriefing memorandum (‘aide mémoire’)

The auditor will prepare a debriefing memo for discussion at the closing meeting. The memo should outline the main assessment findings that have resulted from the fieldwork and recommendations. A copy of the memo should be sent to the contracting authority’s audit task manager.

7)

Closing meeting

The auditor should organise a closing meeting with the entity. The entity should inform the Commission about this meeting which may be attended by Commission representatives.

The purpose of this meeting is to discuss the debriefing memo and to obtain the entity’s confirmation and initial comments on the auditor’s findings and recommendations. The auditor and the entity can agree on the outstanding information to be provided by the entity and, where applicable, a deadline for submission. The auditor can inform the entity about the reporting procedures. The auditor should document any comments (verbal and written) made by the entity and by Commission representatives and take them into account for the assessment report.

3.4. Reporting

1)

Basic reporting requirements and language

The auditor should report the assessment’s results in accordance with the IFAC International Framework for Assurance Engagements and ISAE 3000, the practices of his/her audit firm and the requirements of these terms of reference (ToR).

The report should be objective, clear, concise, timely and constructive.

The report should be presented in the language as indicated in Section 6.4 of the ToR. If the language of the report is other than English or French the auditor should also provide an executive summary of the report in English or French.

2)

Date of the assessment report

The date of draft and pre-final reports should be the date when these reports are sent for consultation. The date on the cover page of the

final

assessment report should be the date when the

final

assessment report is signed.

Facts and events that have come to the auditor’s attention

before

the

final

report is signed and which have an impact on the findings in that report must be taken into account. However, the auditor is under no obligation to enquire of the entity’s management and/or to carry out further procedures

after

the closing meeting and before the signature of the final report.

3)

Procedure for the consultation and submission of the draft report

<

The contracting authority can adapt this part as it sees fit as the proposed text is based on Commission procedures.

Attention

: parts where the Commission is consulted/informed must be maintained

>

The auditor should submit a

draft

report to the contracting authority within <21> calendar days after the day of the closing meeting (i.e. the end of the field work). The

draft

report should include the entity’s comments insofar as these have already been obtained during the assessment fieldwork and the closing meeting.

A paper and an electronic version of the

draft

report along with a cover letter should be submitted. The word ‘draft’ should be clearly indicated on all versions.

The entity may send a copy of the

draft

pillar assessment report to the European Commission to seek the Commission’s view on specific elements of the draft report (1).

The contracting authority should provide comments to the auditor within 21 calendar days from receipt of the

draft

report.

The auditor should submit to the contracting authority a revised

draft

report which takes into account any comments received within <7> calendar days from receipt of the comments.

The contracting authority should submit comments to the auditor within <21> calendar days from receipt of the

draft

report.

4)

Procedure for the consultation and submission of the final report

<

The contracting authority can adapt this part as it sees fit as the proposed text is based on Commission procedures.

Attention

: parts where the Commission is consulted/informed must be maintained

>

If no additional fieldwork is required, the auditor should submit a

pre-final

report to the contracting authority within <7> calendar days from the receipt of comments on the

draft

report. The word ‘pre-final’ should be indicated on the cover page of the

pre-final

report. The contracting authority should inform the auditor in writing whether it accepts the

pre-final

report within <14> calendar days from receipt of the

pre-final

report.

The auditor should submit a final report within <7> calendar days from receipt of the comments on the

pre-final

report.

The auditor should then submit an original paper version and one electronic version of the

final

report along with a cover note to the entity.

The reports should be provided on the auditor’s original letterhead. The word ‘final’ should be clearly indicated on all versions. The auditor should also send an electronic version of the final report (i.e. a

scanned

copy (in PDF format) of the

signed

and

dated final report

with the auditor’s

letterhead

) to the entity.

The period between the closing meeting and the submission to the contracting authority of the final report should not exceed <105> calendar days or <15> weeks.

The auditor should send an electronic and a paper copy of the

final

pillar assessment report to the European Commission:

European Commission

Directorate-General for […]

Audit and Control Unit

1040 Bruxelles/Brussel

BELGIQUE/BELGIË

(1) Without prejudice to the supervisory measures that the Commission shall take, in accordance with Article 154(5) of the Financial Regulation.

Annex 4

PILLAR ASSESSMENT REPORT

[DRAFT, PRE-FINAL OR FINAL] REPORT

[date]

<

for the final report this is the date on which the final independent auditor's report is signed; for a draft or pre-final report this is the date on which these reports are sent for consultation

>

PILLAR ASSESSMENT

OF [NAME OF THE ENTITY]

Entity subject to assessment:	[Entity name]
Country:	[Country where the entity is established]
Auditor:	[Audit firm and office responsible for the assessment]
Period subject to assessment:	[date] to [date] [this should normally be the year (12-month period) ending on the day of the start of the field work (on-site procedures) of the assessment]
Dates of assessment fieldwork:	[date] to [date]

TABLE OF CONTENTS

Independent Assurance Report

112

Executive Summary

117

Engagement Context

126

Internal Control System

127

Accounting System

129

Independent External Audit

129

Grants

129

Procurement

130

Financial Instruments

130

Exclusion from Access to Funding

131

10.

Publication of Information on Recipients

131

11.

Protection of Personal Data

131

Annexes

133

INSTRUCTIONS FOR USING THIS MODEL REPORT

This model report for a

pillar assessment

provides a report format and structure for the auditor and includes guidance for the content of the report sections.

— All grey shaded text in <

Italic

> is guidance which should be removed.

— All text which is

not

grey shaded can be used by the auditor for drawing up the report. The auditor can modify text as it sees fit

except for the prescribed text of the independent auditor's report.

The prescribed text and wording of the independent auditor's assurance report should be respected at all times and not be changed.

This instruction page should be removed from the report

INDEPENDENT ASSURANCE REPORT

Pillar assessment

[full name and address of the entity]

We have carried out a pillar assessment (‘assessment’) of [name]; the ‘entity’. The objective of the assessment is to provide reasonable assurance to the European Commission as to whether the entity fulfils the requirements set out in points (a) to (f) of Article 154(4) of the Financial Regulation applicable to the General Budget of the European Commission and Article 29.1 of the Financial Regulation applicable to the European Development Fund with regard to the following pillars:

Internal control system

Accounting system

Independent external audit

Grants <

remove if not applicable

Procurement <

remove if not applicable

Financial instruments (1) <

remove if not applicable

Exclusion from access to funding

Publication of information on recipients

Protection of personal data

The scope of our work and our conclusions for each of the respective pillars are set out below.

Respective responsibilities of the entity's management and the auditor

The entity's management are responsible for ensuring that the systems, controls, rules and procedures connected with the pillars comply with internationally accepted standards and with the criteria set by the European Commission for each pillar. The entity's management is also responsible for providing information, documents and access to systems and entity staff to the auditor insofar as this is necessary and relevant for the purpose of this assessment.

Our responsibility is to assess the systems put into place and the controls, rules and procedures applied by the entity for each pillar against the criteria for each pillar and to report our findings in accordance with the terms of reference for this assessment.

These terms of reference specify that we must carry out our work in accordance with the

International Standard for Assurance Engagements 3000

(issued by the International Federation of Accountants) on

Assurance Engagements other than Audits or Reviews of Historical Financial Information

insofar as this standard can be applied in the specific context of this pillar assessment. This standard requires us to observe applicable ethical standards in the conduct of our work.

Scope of work for all pillars

The scope of our engagement includes an assessment of each pillar and of the systems put in place and controls, rules and procedures applied by the entity.

Depending on the requirements for the pillar concerned our assessment has covered the design or the design and operational effectiveness of the relevant systems, controls, procedures and rules.

Our assessment involved comparing factual information and data relating to systems, controls, rules and procedures against the Commission's criteria. These criteria and the levels of importance (materiality) are set out in Chapter 2.3 of our detailed report.

To determine what is a material weakness or deficiency in systems, controls, rules and procedures we have taken into account the criteria and the levels of importance defined by the Commission as these factors might influence the Commission's decision to entrust budget implementation tasks under indirect management to the entity.

This assessment has primarily looked into the systems, controls, rules and procedures which are in place for the entity's regular operations. The conclusions of this assessment do not relate to specific actions, projects, contracts or agreements, neither present nor future.

Because of its inherent limitations, internal control and other systems, rules and procedures may not necessarily prevent or detect errors. Also, projections of this historic assessment of the design and effectiveness of systems, controls, rules and procedures to future periods are subject to the risk that these systems, controls, rules and procedures may become inadequate because of changes in conditions, or that the degree of compliance with rules and procedures may deteriorate.

We have taken into account all the available evidence presented to us during our fieldwork which we finalised on [date of closing meeting], including the subsequent comments and information of the entity and of the European Commission up to the date of this report.

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our conclusions.

PILLAR 1 — INTERNAL CONTROL SYSTEM

The scope of our engagement includes an assessment of whether the entity has set up and ensured the functioning of an effective, efficient and economical internal control system. Consequently the procedures undertaken by us covered the design and the operational effectiveness of the internal control system.

Our work concentrated on the internal control components and controls which the Commission considers important and which are detailed in the assessment questionnaires.

Conclusion

wording to be used for a positive conclusion; remove this part if not applicable

Overall, in our opinion, based on the work we have performed, the entity has set up and ensured the functioning in all material respects of an effective, efficient and economical internal control system that is in accordance with the criteria set by the European Commission.

wording to be used for an adverse conclusion; remove this part if not applicable

We refer to our findings as set out in Section 1.3: Summary of Findings of our detailed report which sets out the material weaknesses and deficiencies in the internal control system.

Overall, in our opinion, because of the material nature of the matters referred to in the preceding paragraph and based on the work we have performed, the entity has not set up and ensured the functioning in all material respects of an effective, efficient and economical internal control system that is in accordance with the criteria set by the European Commission.

PILLAR 2 — ACCOUNTING SYSTEM

The scope of our engagement includes an assessment of whether the entity uses an accounting system that provides accurate, complete, reliable and prompt information. The procedures performed by us covered the design and the operational effectiveness of the accounting system.

Our work concentrated on those aspects and components of the accounting system which the Commission considers important and which are detailed in the assessment questionnaires.

Conclusion

wording to be used for a positive conclusion; remove this part if not applicable

Overall, in our opinion, based on the work we have performed, the entity uses an accounting system that provides in all material respects accurate, complete, reliable and prompt information in accordance with the criteria set by the European Commission.

wording to be used for an adverse conclusion; remove this part if not applicable

We refer to our findings as set out in Section 1.3: Summary of Findings of our detailed report which sets out the material weaknesses and deficiencies in the accounting system.

Overall, in our opinion, because of the material nature of the matters referred to in the preceding paragraph and based on the work we have performed, the entity does not use an accounting system that provides in all material respects accurate, complete, reliable and prompt information in accordance with the criteria set by the European Commission.

PILLAR 3 — INDEPENDENT EXTERNAL AUDIT

The scope of our engagement includes an assessment of whether the entity is subject to an independent external audit, performed in accordance with internationally accepted auditing standards by an audit service functionally independent of the entity concerned. Consequently the procedures performed by us covered the design of the framework of external audit to which the entity is subject.

Our work concentrated on those aspects and components of the framework for an independent external audit which the Commission considers important and which are detailed in the assessment questionnaires.

Conclusion

wording to be used for a positive conclusion; remove this part if not applicable

Overall, in our opinion, based on the work we have performed, the entity is subject to an independent external audit, required to be performed in all material respects in accordance with internationally accepted auditing standards by an audit service functionally independent of the entity and in accordance with the criteria set by the European Commission.

wording to be used for an adverse conclusion; remove this part if not applicable

We refer to our findings as set out in Section 1.3: Summary of Findings of our detailed report which sets out the material weaknesses and deficiencies in the framework for an independent external audit.

Overall, in our opinion, because of the material nature of the matters referred to in the preceding paragraph and based on the work we have performed, the entity is not subject to an independent external audit, required to be performed in all material respects in accordance with internationally accepted auditing standards by an audit service functionally independent of the entity and in accordance with the criteria set by the European Commission.

PILLAR 4 — GRANTS

The scope of our engagement includes an assessment of whether the entity applies appropriate rules and procedures for providing financing from EU funds through grants. Consequently the procedures performed by us covered the design and the operational effectiveness of the grants system.

Our work concentrated on those aspects and components of the grants system which the Commission considers important and which are detailed in the assessment questionnaires.

Conclusion

wording to be used for a positive conclusion; remove this part if not applicable

Overall, in our opinion, based on the work we have performed, the entity applies appropriate rules and procedures in all material respects for providing financing from EU funds through grants and in accordance with the criteria set by the European Commission.

wording to be used for an adverse conclusion; remove this part if not applicable

We refer to our findings as set out in Section 1.3: Summary of Findings of our detailed report which sets out the material weaknesses and deficiencies in the grants system.

Overall, in our opinion, because of the material nature of the matters referred to in the preceding paragraph and based on the work we have performed, the entity does not apply appropriate rules and procedures in all material respects for providing financing from EU funds through grants and in accordance with the criteria set by the European Commission.

PILLAR 5 — PROCUREMENT

The scope of our engagement includes an assessment of whether the entity applies appropriate rules and procedures for providing financing from EU funds through procurement. Consequently the procedures performed by us covered the design and the operational effectiveness of the procurement system.

Our work concentrated on those aspects and components of the procurement system which the Commission considers important and which are detailed in the assessment questionnaires.

Conclusion

wording to be used for a positive conclusion; remove this part if not applicable

Overall, in our opinion, based on the work we have performed, the entity applies appropriate rules and procedures in all material respects for providing financing from EU funds through procurement and in accordance with the criteria set by the European Commission.

wording to be used for an adverse conclusion; remove this part if not applicable

We refer to our findings as set out in Section 1.3: Summary of Findings of our detailed report which sets out the material weaknesses and deficiencies in the procurement system.

Overall, in our opinion, because of the material nature of the matters referred to in the preceding paragraph and based on the work we have performed, the entity does not apply appropriate rules and procedures in all material respects for providing financing from EU funds through procurement and in accordance with the criteria set by the European Commission.

PILLAR 6 — FINANCIAL INSTRUMENTS

(2)

The scope of our engagement includes an assessment of whether the entity applies appropriate rules and procedures for providing financing from EU funds through financial instruments. Consequently the procedures performed by us covered the design and the operational effectiveness of the financial instruments used by the entity.

Our work concentrated on those aspects and components of the financial instruments used by the entity which the Commission considers important and which are detailed in the assessment questionnaires.

Conclusion

wording to be used for a positive conclusion; remove this part if not applicable

Overall, in our opinion, based on the work we have performed, the entity applies appropriate rules and procedures in all material respects, for providing financing from EU funds through financial instruments and in accordance with the criteria set by the European Commission.

wording to be used for an adverse conclusion; remove this part if not applicable

We refer to our findings as set out in Section 1.3: Summary of Findings of our detailed report which sets out the material weaknesses and deficiencies in the financial instruments used by the entity.

Overall, in our opinion, because of the material nature of the matters referred to in the preceding paragraph and based on the work we have performed, the entity does not apply appropriate rules and procedures in all material respects for providing financing from EU funds through financial instruments and in accordance with the criteria set by the European Commission.

PILLAR 7 — EXCLUSION FROM ACCESS TO FUNDING

The scope of our engagement includes an assessment of whether the entity applies appropriate rules and procedures for excluding third parties from access to funding.

Consequently the procedures performed by us covered the design and the operating effectiveness of the measures taken by the entity for this purpose.

Our work concentrated on those exclusion grounds and measures taken by the entity that the Commission considers important and which are detailed in the assessment questionnaires.

Conclusion

wording to be used for a positive conclusion; remove this part if not applicable

Overall, in our opinion, based on the work we have performed, the entity applies appropriate rules and procedures for excluding third parties from access to funding in accordance with the criteria set by the European Commission.

wording to be used for an adverse conclusion; remove this part if not applicable

We refer to our findings as set out in Section 1.3: Summary of Findings of our detailed report which sets out the material weaknesses and deficiencies in the entity's exclusion system.

Overall, in our opinion, because of the material nature of the matters referred to in the preceding paragraph and based on the work we have performed, the entity does not apply appropriate rules and procedures for excluding third parties from access to funding in accordance with the criteria set by the European Commission.

PILLAR 8 — PUBLICATION OF INFORMATION ON RECIPIENTS

The scope of our engagement includes an assessment of whether the entity makes public information on the recipients of funds in an appropriate and timely manner.

Consequently the procedures performed by us covered the design and the operational effectiveness of the measures taken by the entity for this purpose.

Our work concentrated on those requirements that the Commission considers important and which are detailed in the assessment questionnaires.

Conclusion

wording to be used for a positive conclusion; remove this part if not applicable

Overall, in our opinion, based on the work we have performed, the entity applies appropriate rules and procedures for making public information on the recipients of funds in an appropriate and timely manner in accordance with the criteria set by the European Commission.

wording to be used for an adverse conclusion; remove this part if not applicable

We refer to our findings as set out in Section 1.3: Summary of Findings of our detailed report which sets out the material weaknesses and deficiencies in the entity's system of publication of information on recipients.

Overall, in our opinion, because of the material nature of the matters referred to in the preceding paragraph and based on the work we have performed, the entity does not apply appropriate rules and procedures for making public information on the recipients of funds in an appropriate and timely manner in accordance with the criteria set by the European Commission.

PILLAR 9 — PROTECTION OF PERSONAL DATA

The scope of our engagement includes an assessment of whether the entity ensures protection of personal data equivalent to that referred to in Article 5 of the Financial Regulation.

Consequently the procedures performed by us covered the design and the operational effectiveness of the measures taken by the entity for this purpose.

Our work concentrated on those requirements and measures taken by the entity that the Commission considers important and which are detailed in the assessment questionnaires.

Conclusion

wording to be used for a positive conclusion; remove this part if not applicable

Overall, in our opinion, based on the work we have performed, the entity applies appropriate rules and procedures for ensuring protection of personal data in accordance with the criteria set by the European Commission.

wording to be used for an adverse conclusion; remove this part if not applicable

We refer to our findings as set out in Section 1.3: Summary of Findings of our detailed report which sets out the material weaknesses and deficiencies in the entity's exclusion system.

Overall, in our opinion, because of the material nature of the matters referred to in the preceding paragraph and based on the work we have performed, the entity does not apply appropriate rules and procedures for ensuring protection of personal data in accordance with the criteria set by the European Commission.

Distribution and use

The entity has requested this report and it is intended solely for the information and use of the entity and the European Commission.

Auditors' signature

Name of auditor signing

Auditor's address

Date of signature

final

report is signed.>

1. EXECUTIVE SUMMARY

1.1. Conclusions

A summary of our conclusions for each pillar is provided below.

PILLAR

CONCLUSION

1.	Internal control system

YES/NO

Has the entity set up and ensured the functioning in all material respects of an effective, efficient and economical internal control system and in accordance with the criteria set by the European Commission?

2.	Accounting system

YES/NO

Does the entity use an accounting system that provides in all material respects accurate, complete, reliable and prompt information that is in accordance with the criteria set by the European Commission?

3.	Independent external audit

YES/NO

Is the entity subject to an independent external audit, required to be performed in all material respects in accordance with internationally accepted auditing standards by an audit service functionally independent of the entity and in accordance with the criteria set by the European Commission?

Grants

YES/NO/NA

Does the entity apply appropriate rules and procedures for providing financing from EU funds through grants and in accordance with the criteria set by the European Commission?

5.	Procurement

YES/NO/NA

6.	Financial instruments

YES/NO/NA

Does the entity apply appropriate rules and procedures in all material respects for providing financing from EU funds through financial instruments and in accordance with the criteria set by the European Commission?

In particular, does the entity apply appropriate rules and procedures with reference to:

Credit risk management system and use of an internal risk rating system?

YES/NO/NA

Tax avoidance and non-cooperative jurisdictions?

YES/NO/NA

Anti-money laundering and countering terrorism financing?

YES/NO/NA

7.	Exclusion from access to funding

YES/NO/NA

Does the entity apply appropriate rules and procedures for excluding third parties from access to funding through procurement, grants and/or financial instruments?

YES/NO/NA

8.	Publication of information on recipients

YES/NO/NA

Does the entity make public information on the recipients of funds appropriately and within a reasonable timeframe?

YES/NO/NA

9.	Protection of personal data

YES/NO/NA

Does the entity ensure protection of personal data equivalent to that referred to in Article 5 of the Financial Regulation(3)?

YES/NO/NA

1.2. Roadmap

Suggested length of the roadmap: maximum 2 pages

We have concluded that the entity does not fully comply with the requirements of pillar(s) [specify pillar(s)].

We have found significant deficiencies and weaknesses in … <

briefly describe the main weaknesses and deficiencies for the pillar(s) concerned in accordance with the findings in Section 1.3

We have made a number of critical recommendations to remedy these key weaknesses <

briefly describe the critical recommendations for the pillar(s) concerned in accordance with the recommendations in Section 1.3

We suggest that the entity implements these recommendations for it to become eligible for being entrusted with budget implementation tasks under indirect management by the European Commission.

For this purpose we propose an action plan, i.e. a roadmap that includes a timetable to address and remedy the deficiencies and weaknesses. This roadmap and accompanying timetable for implementing our proposed measures has been discussed and agreed with the entity <

The roadmap should, to the extent possible, be agreed with the entity prior to the issuing of the auditor's final report. If this is not possible the reasons should be clearly explained

Roadmap

Describe here the roadmap by addressing the following key aspects for each pillar concerned:

— a brief

narrative

of the main findings, i.e. material weaknesses or deficiencies in systems, controls, procedures and rules;

— a brief

narrative

of the proposed action plan to remedy these weaknesses or deficiencies.

The action plan should clearly set out which proposed measures (i.e. critical recommendations) will be implemented and how they will be implemented and a clear and realistic timetable

1.3. Summary of findings and recommendations

See below a summary of our findings and recommendations for each pillar.

Findings

The main findings are the ones that relate to material weaknesses or deficiencies in systems, controls, rules and procedures. ‘Material’ means that we consider these factors to be so important for the Commission that they might influence the Commission's decision to entrust budget implementation tasks under indirect management to the entity. Therefore, where we have found material findings for a pillar it has led us to express a negative conclusion for it.

The main findings also include cases where several findings which taken individually do not relate to a material weakness or deficiency but which taken together involve a finding of material weakness or deficiency. The combined impact of such findings is considered so important (i.e. material) that it has led us to conclude that the entity does not meet the requirements for the pillar concerned (i.e. the conclusion is ‘no’).

The other findings are all non-material findings which we believe should be brought to the entity's attention. These findings relate to weaknesses and deficiencies in systems, controls, rules and procedures which, individually or together, carry a less immediate level of risk of the objectives for the pillar concerned not being achieved.

Recommendations

The critical recommendations relate to material weaknesses and deficiencies in systems, controls, rules or procedures and to cases where the European Commission's criteria and/or internationally accepted standards for pillars are not (regularly) complied with.

Our other recommendations relate to all other findings which are not of a material nature. In these cases the weaknesses and deficiencies in systems, controls, rules or procedures have no major and immediate impact on the objectives of these systems, controls, rules or procedures. Nevertheless, we believe that it is relevant for the entity to implement the suggested measures to have the opportunity to improve systems, controls, rules or procedures and to achieve greater effectiveness and/or efficiency.

Each of our recommendations is detailed in Chapters 3 to 8.

We suggest that the entity implements our critical recommendations as set out in the roadmap in Section 1.2 of this report.

PILLAR 1 — INTERNAL CONTROL SYSTEM
Main findings/critical recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Other findings/other recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Note: The number and description of the finding/recommendation must correspond with the detailed finding/recommendation in Section 3.3.1 respectively Section 3.3.2.

PILLAR 2 — ACCOUNTING SYSTEM
Main findings/critical recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Other findings/other recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Note: The number and description of the finding/recommendation must correspond with the detailed finding/recommendation in Section 4.3.1 respectively Section 4.3.2.

PILLAR 3 — INDEPENDENT EXTERNAL AUDIT
Main findings/critical recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Other findings/other recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Note: The number and description of the finding/recommendation must correspond with the detailed finding/recommendation in Section 5.3.1 respectively Section 5.3.2.

PILLAR 4 — GRANTS
Main findings/critical recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Other findings/other recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Note: The number and description of the finding/recommendation must correspond with the detailed finding/recommendation in Section 6.3.1 respectively Section 6.4.2.

PILLAR 5 — PROCUREMENT
Main findings/critical recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Other findings/other recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Note: The number and description of the finding/recommendation must correspond with the detailed finding/recommendation in Section 7.3.1 respectively Section 7.3.2.

PILLAR 6 — FINANCIAL INSTRUMENTS
Main findings/critical recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Other findings/other recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Note: The number and description of the finding/recommendation must correspond with the detailed finding/recommendation in Section 8.3.1 respectively Section 8.3.2.

PILLAR 7 — EXCLUSION FROM ACCESS TO FUNDING
Main findings/critical recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Other findings/other recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Note: The number and description of the finding/recommendation must correspond with the detailed finding/recommendation in Section 9.3.1 respectively Section 9.3.2.

PILLAR 8 — PUBLICATION OF INFORMATION ON RECIPIENTS
Main findings/critical recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Other findings/other recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Note: The number and description of the finding/recommendation must correspond with the detailed finding/recommendation in Section 10.3.1 respectively Section 10.3.2.

PILLAR 9 — PROTECTION OF PERSONAL DATA
Main findings/critical recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Other findings/other recommendations
No	Description of the finding/recommendation
1	Finding:
	Recommendation:
2

3

Etc.

Note: The number and description of the finding/recommendation must correspond with the detailed finding/recommendation in Section 11.3.1 respectively Section 11.3.2.

2. ENGAGEMENT CONTEXT

2.1. Context

Article 154 of the Financial Regulation (4) (‘FR’) applicable to the general budget of the European Union (‘EU’) sets out the methods of implementing the budget, including ‘indirect management’. Under indirect management, the Commission can entrust budget implementation tasks to the countries, organisations and bodies (further referred to as ‘entities’) indicated in Article 62 of the FR. The following entities may be concerned:

— third countries or the bodies they have designated e.g. Ministry of Interior, Kingdom of Cambodia;

— international organisations and their agencies e.g. United Nations Development Programme (UNDP);

— public law bodies e.g. Kreditanstalt für Wiederaufbau (KfW);

— bodies governed by private law but with a public service mission, to the extent that they provide adequate financial guarantees e.g. Cassa Depositi e Prestiti (CDP).

(1) the internal control system;

(2) the accounting system;

(3) an independent external audit;

as well as rules and procedures for:

(4) providing financing from EU funds through grants;

(5) procurement;

(6) financial instruments (5)

and also:

(7) exclusion from access to funding;

(8) publication of information on recipients;

(9) protection of personal data.

Entities wishing to work with EU funds under the indirect management mode must therefore undergo a comprehensive

pillar assessment

2.2. Description of the entity subject to the assessment

Provide a description of the entity. Suggested maximum: 2 pages.

Main features and characteristics of the entity, organisational structure, nature of activities and operations, etc

2.3. Criteria used for the assessment and materiality

For each pillar there are three levels of criteria that have been defined by the European Commission through the formulation of (key) questions in

Annex 2 and 2a

of the terms of reference (

Assessment questionnaire and criteria

and

Assessment questionnaire

). To determine what is a material weakness or deficiency in systems, controls, rules and procedures, we have taken into account the criteria and the levels of importance (i.e. the scoring thresholds) defined by the Commission, as these factors might influence the Commission's decision to entrust budget implementation tasks under indirect management to the entity.

Level 1 (Financial Regulation)

For each pillar there is

one

overarching level 1 question (in

Annex 2

Assessment questionnaire and criteria

) defined on the basis of the Financial Regulation. Only two answers are possible:

— The answer to the question at level 1 is ‘yes’. This means that the entity complies with the requirements for the pillar concerned. Our conclusion is positive, which is equivalent to an ‘unqualified opinion’.

— The answer to the question at level 1 is ‘no’. This means that the entity does not comply with the requirements of the pillar concerned. In this case our conclusion is negative, which is equivalent to an ‘adverse opinion’ under international standards.

Level 2 (Pillar key components)

Key questions at level 2 relate to criteria which the Commission considers essential. For this purpose, key questions and criteria are defined for the key components of each pillar. Components are essentially ‘sub-pillars’ which in turn are composed of blocks of questions in

Annex 2a

Assessment questionnaire.

We have applied professional judgement to attribute a score on a scale of 0 to 10 to each level 2 component in

Annex 2

Assessment questionnaire and criteria

based on the information and evidence we have obtained in

Annex 2a

Level 3 (Assessment questionnaire with blocks of questions)

Annex 2a

Assessment questionnaire

includes blocks of questions which relate to the pillars' key components at level 2. These blocks of detailed questions have guided us and are basically non-exhaustive examples. This means that we can — but do not necessarily have to — use (all) these (blocks of) questions to determine a score for each component at level 2.

We have formulated additional questions and performed additional procedures and tests as we deemed necessary or appropriate. We have fully applied our professional judgement for all questions in

Annex 2a

to attribute scores to the pillars' key components at level 2.

3. INTERNAL CONTROL SYSTEM

3.1. Description of the internal control system

Describe the main features of the entity's internal control system. Suggested maximum: 2 pages

3.2. Summary of work performed and criteria used for the assessment

Provide a summary description of the work, i.e. procedures and tests performed to assess the internal control system pillar. Briefly describe the criteria used to assess this pillar. The auditor may refer to Chapter 2.3 and to the completed Assessment questionnaire and criteria in Annexes 2 and 3

3.3. Findings and recommendations

Our detailed findings and recommendations are set out below.

The use of the table format below is compulsory and it must be respected at all times

3.3.1. Main findings and critical recommendations

Finding/Rec. No: [number]

Title: [short description of the finding and recommendation]

Description of the finding:

[describe the finding in detail, covering facts, criteria, cause and impact]

Description of the recommendation:

[describe the recommendation in detail]

Comments from the entity:

[state whether the entity agrees or disagrees with the finding/recommendation and describe the entity's comments]

Comments from the Commission:

[Describe the Commission comments]

Further comments of the auditor:

[complete only if the entity does not agree with the auditor's finding/recommendation despite the auditor still believing that the finding/recommendation is valid. In that case, the auditor should rebut the entity's comments here and justify why the finding is maintained]

3.3.2. Other findings and recommendations

Finding/Rec. No: [number]

Title: [short description of the finding and recommendation]

Description of the finding:

[describe the finding in detail, covering facts, criteria, cause and impact]

Description of the recommendation:

[describe the recommendation in detail]

Comments from the entity:

[state whether the entity agrees or disagrees with the finding/recommendation and describe the entity's comments]

Comments from the Commission:

[Describe the Commission's comments]

Further comments of the auditor:

4. ACCOUNTING SYSTEM

See Chapter 3: Internal Control System. The same structure and content should be used

4.1. Description of the accounting system

[…]

4.2. Summary of work performed and criteria used for the assessment

Provide a summary description of the work, i.e. procedures and tests performed to assess the accounting pillar. Briefly describe the criteria used to assess this Pillar. The auditor may refer to Chapter 2.3 and to the completed Assessment questionnaire and criteria in Annexes 2 and 3

4.3. Findings and recommendations

Our detailed findings and recommendations are set out below.

Main findings and critical recommendations

[…]

ii.

Other findings and recommendations

[…]

5. INDEPENDENT EXTERNAL AUDIT

See Chapter 3: Internal Control System. The same structure and content should be used

Description of the framework for independent external audit

[…]

Summary of work performed and criteria used for the assessment

Provide a summary description of the work, i.e. procedures and tests performed to assess the independent external audit pillar. Briefly describe the criteria used to assess this pillar. The auditor may refer to Chapter 2.3 and to the completed Assessment questionnaire and criteria in Annexes 2 and 3.

Findings and recommendations

Our detailed findings and recommendations are set out below.

Main findings and critical recommendations

[…]

ii.

Other findings and recommendations

[…]

6. GRANTS

See Chapter 3: Internal Control System. The same structure and content should be used

Description of the grants system

[…]

Summary of work performed and criteria used for the assessment

Provide a summary description of the work, i.e. procedures and tests performed to assess the grants pillar. Briefly describe the criteria used to assess this pillar. The auditor may refer to Chapter 2.3 and to the completed Assessment questionnaire and criteria in Annexes 2 and 3

Findings and recommendations

Our detailed findings and recommendations are set out below.

Main findings and critical recommendations

[…]

ii.

Other findings and recommendations

[…]

7. PROCUREMENT

See Chapter 3: Internal Control System. The same structure and content should be used

Description of the procurement system

[…]

Summary of work performed and criteria used for the assessment

Provide a summary description of the work, i.e. procedures and tests performed to assess the procurement pillar. Briefly describe the criteria used to assess this pillar. The auditor may refer to Chapter 2.3 and to the completed Assessment questionnaire and criteria in Annexes 2 and 3

Findings and recommendations

Our detailed findings and recommendations are set out below.

Main findings and critical recommendations

[…]

ii.

Other findings and recommendations

[…]

8. FINANCIAL INSTRUMENTS

(6)

See Chapter 3: Internal Control System. The same structure and content should be used

Description of the financial instruments

[…]

Summary of work performed and criteria used for the assessment

Provide a summary description of the work, i.e. procedures and tests performed to assess the financial instruments pillar. Briefly describe the criteria used to assess this pillar. The auditor may refer to Chapter 2.3 and to the completed Assessment questionnaire and criteria in Annexes 2 and 3

Findings and recommendations

Our detailed findings and recommendations are set out below.

Main findings and critical recommendations

[…]

ii.

Other findings and recommendations

[…]

9. EXCLUSION FROM ACCESS TO FUNDING

See Chapter 3: Internal Control System. The same structure and content should be used

Description of the system used for excluding recipients from access to funding

[…]

Summary of work performed and criteria used for the assessment

Provide a summary description of the work, i.e. procedures and tests performed to assess the pillar on exclusion from access to funding. Briefly describe the criteria used to assess this pillar. The auditor may refer to Chapter 2.3 and to the completed Assessment questionnaire and criteria in Annexes 2 and 3

Findings and recommendations

Our detailed findings and recommendations are set out below.

Main findings and critical recommendations

[…]

ii.

Other findings and recommendations

[…]

10. PUBLICATION OF INFORMATION ON RECIPIENTS

See Chapter 3: Internal Control System. The same structure and content should be used

Description of the system used for publishing information on recipients

[…]

Summary of work performed and criteria used for the assessment

Provide a summary description of the work, i.e. procedures and tests performed to assess the pillar on publication of information on recipients. Briefly describe the criteria used to assess this pillar. The auditor may refer to Chapter 2.3 and to the completed Assessment questionnaire and criteria in Annexes 2 and 3

Findings and recommendations

Our detailed findings and recommendations are set out below.

Main findings and critical recommendations

[…]

ii.

Other findings and recommendations

[…]

11. PROTECTION OF PERSONAL DATA

See Chapter 3: Internal Control System. The same structure and content should be used

Description of the system used for ensuring the protection of personal data

[…]

Summary of work performed and criteria used for the assessment

Provide a summary description of the work, i.e. procedures and tests performed to assess the pillar on the protection of personal data. Briefly describe the criteria used to assess this pillar. The auditor may refer to Chapter 2.3 and to the completed Assessment questionnaire and criteria in Annexes 2 and 3

Findings and recommendations

Our detailed findings and recommendations are set out below.

Main findings and critical recommendations

[…]

ii.

Other findings and recommendations

[…]

(1) Reference to financial instruments is deemed to include budgetary guarantees.

(2) This includes budgetary guarantees, taxation and AML/CTF requirements. Please provide conclusions for each sub-section (6a, 6b, 6c), in addition to general conclusions for the overall pillar.

(3) Without prejudice to Regulations (EU) 2018/1725 and (EU) 2016/679.

(4) Regulation (EU, Euratom) 2018/1046.

(5) A reference to ‘financial instruments’ is deemed to also include budgetary guarantees.

(6) Including budgetary guarantees.

Annex 1

People contacted or involved in the assessment

The auditor — [name of the audit firm]
[Name 1]	[indicate position/title of the person in the audit firm who is ultimately responsible for the engagement and its performance, and for the report that is issued on behalf of the firm, e.g. partner, director or equivalent]
[Name 2; optional]	[optional (if not in conflict with the practices and human resources policies of the audit firm). Indicate the position/title of the person in the audit firm who has been managing the audit, e.g. senior manager]

The entity subject to assessment — [name of the entity]
[Name 1]	[indicate position/title in the entity, e.g. director, finance manager, accountant, programme manager]
[Name 2]	[as 1]
[Name 3, etc.]	[as 1]

The following tables should only be completed if and when the Commission has been associated with the assessment and/or has been consulted on a draft version of the assessment report. If not these tables can be removed

Directorate-General for International Cooperation and Development/Other Directorate-General
[Name 1]	[indicate position/title and unit in the Commission, e.g. head of finance, contracts and audit]
[Name 2]	[as 1]
[Name 3, etc.]	[as 1]

Delegation of the European Union in [country]
[Name 1]	[indicate position in the EU Delegation, e.g. head of finance and contracts, programme officer, contracts officer, finance officer, etc.]
[Name 2]	[as 1]
[Name 3, etc.]	[as 1]

[

Indicate name of any other external organisation or person contacted or involved in the audit, such as the entity’s statutory auditors or technical assistants. Remove this table if not applicable

]

[Name 1]	[indicate position/title in the organisation]
[Name 2, etc.]	[as 1]

Annex 2

Assessment questionnaire and criteria

This Annex must include a copy of

Annex 2

of the terms of reference, i.e. the Assessment questionnaire and criteria

completed by the auditor

Annex 3

Assessment Questionnaire

This Annex must include a full copy of

Annex 2a

of the ToR the Assessment Questionnaire

completed by The Auditor

. The Auditor may provide this document as a separate attachment to this report