Special report No 5/2012: The Common External Relations Information System (CRIS)

1.

Key data

Document date: 14-05-2012
Publication date: 16-05-2012
Reference: 9935/12
From: Mr Vítor CALDEIRA, President of the European Court of Auditors
To: Mr Nicolai WAMMEN, President of the Council of the European Union

2.

Text

COUNCIL OF THE EUROPEAN UNION

Brussels, 14 May 2012

9935/12

FIN 345 ACP 79 DEVGEN 137 RELEX 438

COVER NOTE

from: Mr Vítor CALDEIRA, President of the European Court of Auditors
date of receipt: 8 May 2012
to: Mr Nicolai WAMMEN, President of the Council of the European Union
Subject: Special report No 5/2012: The Common External Relations Information System (CRIS)

Sir,

I enclose a copy of Special report No 5/2012 "The Common External Relations Information System (CRIS)" together with the Commission's replies.

The Special report, which is shortly to be published, was adopted by the Court at its meeting on 6 March 2012 and is accompanied by the replies from the Commission, which was notified of the preliminary findings on 8 December 2011.

(Complimentary close).

(s.) Vítor CALDEIRA

________________________

Encl.: Special report No 5/2012: The Common External Relations Information System (CRIS) 1

1 In English only. The other languages of this report are available on the European Court of Auditors' website: http://eca.europa.eu/.

ЕВРОПЕЙСКА СМЕТНА ПАЛАТА EURÓPAI SZÁMVEVŐSZÉK TRIBUNAL DE CUENTAS EUROPEO IL-QORTI EWROPEA TAL-AWDITURI

EVROPSKÝ ÚČETNÍ DVŮR EUROPESE REKENKAMER DEN EUROPÆISKE REVISIONSRET EUROPEJSKI TRYBUNAŁ OBRACHUNKOWY EUROPÄISCHER RECHNUNGSHOF TRIBUNAL DE CONTAS EUROPEU

EUROOPA KONTROLLIKODA CURTEA DE CONTURI EUROPEANĂ ΕΥΡΩΠΑΪΚΟ ΕΛΕΓΚΤΙΚΟ ΣΥΝΕ∆ΡΙO EURÓPSKY DVOR AUDÍTOROV

EUROPEAN COURT OF AUDITORS CORTE DEI CONTI EUROPEA EVROPSKO RAČUNSKO SODIŠČE COUR DES COMPTES EUROPÉENNE EIROPAS REVĪZIJAS PALĀTA EUROOPAN TILINTARKASTUSTUOMIOISTUIN

CÚIRT INIÚCHÓIRÍ NA HEORPA EUROPOS AUDITO RŪMAI EUROPEISKA REVISIONSRÄTTEN

Special Report No 5/2012

(pursuant to Article 287(4), second subparagraph, TFEU)

The Common External Relations Information System (CRIS)

together with the Commission’s replies

12, rue Alcide De Gasperi   Telephone (+352) 43 98 – 1   E-mail: euraud@eca.europa.eu

TABLE OF CONTENTS

Paragraphs

Abbreviations and glossary

Executive summary I-IX

Introduction 1-16

Audit area 1-6

Description of CRIS 7-13

Regulatory framework 14-16

Audit scope and approach 17-23

Observations 24-74

Despite some weaknesses, CRIS is now being developed to respond to the Commission’s needs 24-44

System development projects now respond to well identified needs 24-29

Need for an up-to-date definition of CRIS’s role 30-35

Data coding weaknesses 36-41

Persisting problems with user friendliness 42-44

CRIS management is not yet sufficiently effective in ensuring data integrity 45-57

Missing data records 49-52

Invalid data records 53-56

Delayed recording 57

Insufficient security of the system and its data 58-74

Unclear definition of responsibilities for CRIS data security 58-62

Weaknesses undermining the system’s ability to maintain data confidentiality and integrity 63-67

Incomplete system documentation 68-72

Insufficient monitoring of personal data processing 73-74

Conclusions and recommendations 75-81

Commission's replies

ABBREVIATIONS AND GLOSSARY

ABAC Accrual Based Accounting system of the Commission, which replaced Sincom2, the previous cash-based accounting system.

ABAC Datawarehouse Commission information system providing consolidated financial and accounting data.

Availability (Data–) The capacity of an information system to perform a task under defined conditions as regards schedules, deadlines and performance.

Confidentiality (Data–) The reserved character of information or of all or part of an information system (such as algorithms, programmes and documentation) to which access is limited to authorised persons, bodies and procedures.

CRIS Common RELEX Information System

Codes (Data–) Data values that are used in a database to categorise other data.

Data controller (Personal–) The Community institution or body, the directorate general, the unit or any other organisational entity which alone or jointly with others determines the purposes and means of the processing of personal data.

DG Directorate-General

EDFs European Development Funds

EuropeAid European Commission’s Directorate General for Development and Cooperation-EuropeAid (previously EuropeAid Cooperation Office and Directorate General for Development)

ICS Internal control standard

Information system A set of equipment, methods and procedures and, where relevant, also persons, personnel, organised to perform information processing functions.

Information technology governance The leadership and organisational structures and processes that ensure that the organisation’s information technology sustains and extends the organisation’s strategies and objectives.

Integrity (Data–) Guarantee that the information system and processed information can be altered only by deliberate and legitimate action and that the system will produce the expected result accurately and in full.

IT Information technology

OECD Organisation for Economic Cooperation and Development

OLAS On-Line Accounting System. Information system used by the Commission until 2008 to support EDFs operations.

Personal data Any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Processing of personal data Any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

RELEX French acronym for “relations extérieures” or external relations

ROM Results-Oriented Monitoring

Security (Data–) Data security concerns the information system’s ability to maintain data confidentiality, integrity and availability.

EXECUTIVE SUMMARY

I. CRIS is the information system put in place by the Commission to support the management of external actions. This system's functions have been continually extended since it became operational in 2002. It has now become the main reference information system for management, reporting and documentation of external actions, financed both by the EU general budget and by the European Development Funds (EDFs).

II. CRIS enables all Commission staff involved in external action management, both at headquarters and in EU delegations, to work on a common database. It provides data concerning the different phases of management, from programming to preparation and monitoring, covering both operational and financial aspects of the actions concerned. It also feeds financial data into the Commission’s accounting system ABAC.

III. The overall audit question was whether CRIS was effective in responding to the Commission’s information needs. In particular, the Court assessed whether CRIS had been designed to respond effectively to the Commission’s needs and whether the information that it provided was reliable. The audit involved a review of the Commission’s documentation for the system as well as the performance of substantive tests on CRIS data.

IV. The Court concludes that CRIS is mostly effective in responding to the Commission's information needs in the field of external actions. However, after ten years of development, it is still subject to persisting shortcomings. These concern in particular the definition of CRIS's role with regard to the Commission's accounting system, weaknesses in data coding, insufficient effectiveness in ensuring data integrity and, more generally, insufficient security of the system and its data. Some of the observations raised corroborate other observations made in previous Court reports.

V. CRIS development now responds to well identified and documented information needs. However, despite recent improvements in its governance, an up-to-date definition of CRIS’s role is still missing. In particular, it was not clear why CRIS had to duplicate functions of the Commission’s accounting system.

VI. Several years of insufficiently formalised development, between 2005 and 2008, have left CRIS with poorly defined data codes. For this reason, the consolidation of data in CRIS is rendered particularly complex and prone to errors. In particular, CRIS cannot be relied upon to provide aggregated data concerning external aid by beneficiary country, financial instrument or policy.

VII. With regard to the integrity of CRIS data, the Court found data records that were either missing, not valid or not up-to-date. These undermined the system’s efficiency and effectiveness as a management tool.

VIII. The Commission had not yet sufficiently secured the system and its data. Although procedures existed for the administration of user access rights, responsibilities for CRIS data security were not clearly defined. Moreover, some system weaknesses undermined its efficiency and effectiveness in maintaining data confidentiality and integrity. The Court also found that the processing of personal data was insufficiently monitored.

IX. On the basis of its observations, the Court makes the following recommendations with a view to improving CRIS’s effectiveness in responding to the Commission’s information needs:

(a) The intended role of CRIS as an information system should be set out, notably with regard to the Commission’s ABAC accounting system. In particular, the Commission should aim to reduce the duplication of ABAC functions in CRIS.

(b) CRIS data code lists should be rationalised so that they are unique and their data values are mutually exclusive. Moreover, present data quality controls (checks, processes) should be revised and reinforced for effective safeguards ensuring reliable data. These measures should aim, in particular, to ensure that CRIS is effective and efficient in providing aggregated information by beneficiary country, policy area and financial instrument.

(c) Taking into account the large and diverse population of CRIS users, proper attention should be paid to improving the system’s user-friendliness in future CRIS developments.

(d) Responsibilities for the management of CRIS data security should be established. An overall IT risk assessment should be carried out. Due care should be given to the protection of personal and financial data.

INTRODUCTION

Audit area

  • 1. 
    External actions consist of the Commission’s interventions in countries outside the European Union, including enlargement of the European Union, development of African, Caribbean and Pacific states and external trade policy. External action management involves the Commission’s headquarters in Brussels as well as EU delegations in many countries around the world. In 2010, total commitments entered into by the Commission for external actions amounted to 11 107 million euro 2 .

  • 2. 
    During the past decade, the Commission has endeavoured to harmonise and simplify its procedures for the management of external actions. In particular, the Commission has taken steps to unify the departments in charge of their execution. In parallel, it has aimed to put in place a harmonised information system, the Common RELEX Information System (CRIS), by integrating formerly heterogeneous information systems. This system was supposed to be able “to provide instant financial information about projects and programmes” for external actions.
  • 3. 
    An information system is a set of equipment, methods and procedures and, where relevant, also persons, personnel, organised to perform information processing functions 3 . In an organisation, information systems are usually put in place to provide information to personnel and management so that they can assume their planning, monitoring, control and reporting responsibilities.

2 8 445 million euro from the EU general budget and 2 662 million euro from EDFs.

Source: Commission staff working paper ‘Annual report 2011 on the European Union's development and external assistance policies and their implementation in 2010’, SEC(2011) 880 final, accompanying the document ‘Annual report 2011 on the European Union's development and external assistance policies and their implementation in 2010’, COM(2011) 414 final.

3 Commission’s decision C(2006) 3602 of 16 August 2006 concerning the security of information systems used by the European Commission.

  • 4. 
    When CRIS became operational in 2002, its functions related to the financial execution of projects. Since then, it was continually extended to support an increasing range of financial and operational aspects of external action management. CRIS now covers the different phases of the actions concerned, from their programming stage to their preparation and monitoring.
  • 5. 
    CRIS is mostly used by the Commission’s Directorate General (DG) for Cooperation and Development (EuropeAid 4 ), DG Enlargement and the Service for Foreign Policy Instruments 5 . In particular, these departments use CRIS as the front-end interface for the entry of financial data concerning external actions into the Commission’s accounting system (ABAC). Financial transactions are initiated in CRIS, where the data is entered and verified before it is automatically transferred to ABAC, so that it does not have to be encoded twice. In addition, operational data on external action programmes and projects, such as the results of audit and monitoring activities, are also entered, processed and stored in CRIS. Such data are potentially helpful for management and decision making, as well as for the overall monitoring of external action implementation.

  • 6. 
    Due to its role in recording and reporting the results of internal controls, CRIS is now a key component of the Commission’s internal control system for the management of external actions.

4 On 1 of January 2011, the services of the ex-DG AIDCO and of the ex-DG DEV were merged into a new Directorate General for Development and Cooperation–EuropeAid (Development and Cooperation DG–EuropeAid); the public name under which the ex-DG AIDCO was better known – EuropeAid – is now used by the new Development and Cooperation DG–EuropeAid.

5 On 1 of January 2011, the ex-DG for External Relations ceased to exist and most of its activities were taken over by the European External Action Service (EEAS). Its financial activities were taken over by the Service for Foreign Policy Instruments (FPI).

Description of CRIS

  • 7. 
    CRIS is a computer-based information system: it relies heavily on computing and telecommunications equipment (hardware) and electronic procedures (software). Its software part essentially consists of a database, a web-based user interface for data entry and consultation and an interface or link with the Commission’s ABAC accounting system. By relying on a single central database, it enables all Commission and EU delegation users to work on the same data.
  • 8. 
    The user interface is organised in different modules, most of which correspond to different stages of project and annual management cycles, as shown in Figure 1. Other modules are used to administer the system.

Figure 1 – Coverage of project and annual management cycle by CRIS modules

Stages of the project/management cycle: Establishment of policy and country strategy; Action preparation; Execution and reporting.

Main CRIS modules involved, in the order listed in the figure: Programming; Financial forecasts; Decisions; Calls for tender/calls for proposal; Potential Applicants Database Online Registration (PADOR); Legal Entity File/Bank Account File; Framework contracts; Projects; Contracts; Financial guarantees; Invoices/payments; Revenue forecasts; Recovery orders; Audit; Results Oriented Monitoring (ROM); Evaluations.

Source: European Court of Auditors.

  • 9. 
    Among other functions, a typical CRIS module enables users:

• to create, modify and validate records;

• to search records;

• to consult records and their related data, some of which is automatically calculated by the system;

• to attach documents to records;

• to link records of different modules.

  • 10. 
    For example, the Contracts module would enable a user to search all contract records awarded to a given beneficiary. Any contract record so identified would typically contain, among other data, the contract number, a short description of the contract, its status and type, the name of the department and persons in charge, the geographical zone concerned, the contract’s signature and end dates and the contract’s amount and budget lines concerned. A scanned copy of the contract itself and its accompanying annexes would also be attached to it. Moreover, the contract record would likely be linked, for example, to several records in the Invoices module, corresponding to the invoices received from the beneficiary. From this record, the user would thus be able to navigate through all records related to the action concerned, as well as to directly consult an electronic version of the corresponding documents.
  • 11. 
    The CRIS user interface is complemented by two other tools:

• a reporting system, the CRIS Datawarehouse, which enables users to aggregate CRIS data, and

• a documentary system, the CRIS Knowledge Base, which enables users to access all CRIS user documentation.

  • 12. 
    The number of CRIS users has been growing over the years. In 2010, CRIS was used by 5 000 individual users, more than 3 000 of whom were in EU delegations, as shown in the Table. The average number of user sessions during a typical weekday was about 3 000.

Table - Number of users of CRIS in 2010

User allocation: users of CRIS in 2010 (share of users); number of sessions in 2010 (share of sessions)

EU delegations: 3 095 (62 %); 562 861 (70,5 %)
EuropeAid: 1 319 (26 %); 178 993 (22,5 %)
ex-DG RELEX: 164 (3 %); 7 404 (1 %)
Enlargement DG: 277 (6 %); 44 373 (5,5 %)
Humanitarian Aid and Civil Protection DG (ECHO): 45 (1 %); 1 222 (0 %)
other DGs or departments: 105 (2 %); 3 683 (0,5 %)
Total: 5 005 (100 %); 798 536 (100 %)

Source: Figures calculated by the Court on the basis of CRIS data.

  • 13. 
    The development and maintenance of CRIS are financed by appropriations from the EU general budget and from EDFs. The total budget requested for the development, maintenance and support of CRIS grew over the years to reach 13 million euro in 2011. This budget is administered by EuropeAid, which leads the development and maintenance of CRIS in collaboration with other directorates general using or supporting the system.

Regulatory framework

  • 14. 
    The Financial Regulation of the European Union 6 , accompanied by its implementing rules 7 , sets out the basic principles for the implementation of the budget. In particular, it states that authorising officers must set up adequate organisational structures and control procedures and report to their institutions on the performance of their duties. It also contains particular provisions regarding financial information systems.

6 Council Regulation (EC, Euratom) No 1605/2002 of 25 June 2002 on the Financial Regulation applicable to the general budget of the European Communities (OJ L 248, 16.9.2002, p. 1).

7 Commission Regulation (EC, Euratom) No 2342/2002 of 23 December 2002 laying down detailed rules for the implementation of Council Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities (OJ L 357, 31.12.2002, p. 1). In particular, Article 48 states that management, internal control systems and procedures must be designed, among other, to ensure reliable production of financial and management information.

with regard to the processing of personal data by the European Union’s institutions and bodies.

  • 16. 
    Commission decision C(2006) 3602 9 provides for security measures for the

protection of the Commission's information systems and the information processed therein against threats to their availability, integrity and confidentiality.

AUDIT SCOPE AND APPROACH

  • 17. 
    The overall audit question was whether CRIS is effective in responding to the Commission’s information needs in the field of external actions.
  • 18. 
    This overall question is addressed in three parts:

(a) Is CRIS designed to effectively respond to the Commission's needs? (see paragraphs 24 to 44)

(b) Is the information provided by CRIS reliable? (see paragraphs 45 to 57)

(c) Did the Commission sufficiently secure CRIS and its data? (see paragraphs 58 to 74)

8 Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).

9 See footnote 3.

  • 19. 
    The work specifically related to audit subquestions (a) and (c) relied mostly on analysing the relevant documentation together with explanations given by Commission staff during audit interviews. This work essentially concerned the development of CRIS since 2005. However, events that took place between 2000 and 2005 were also considered, as far as relevant documentation was available. This part of the audit concentrated on EuropeAid, which is the key player in the development of CRIS. The Court also carried out an electronic survey of CRIS users in EU delegations during May 2011.
  • 20. 
    The second part of the audit – subquestion (b) – consisted of verifying whether the information provided by CRIS was reliable. This was done by performing substantive tests on CRIS data sets. These tests were carried out on data directly imported from the CRIS database at the end of March 2011. They aimed to check whether CRIS data records were complete, valid, consistent and up-to-date.
  • 21. 
    The scope of the audit included the information concerning all appropriations whose management is supported by CRIS, both from the EU general budget and from the EDFs.
  • 22. 
    For efficiency purposes, the audit work focused on eight of CRIS’s 21 modules, selected to represent both financial and operational modules 10 . This enabled the Court to carry out more detailed tests of the selected modules while still having a general picture of the whole system.

  • 23. 
    The audit did not aim to assess CRIS’s more technical aspects, as would be done in an information technology audit. It did not aim either to assess the cost effectiveness of CRIS maintenance and development.

10 The modules selected for the audit were the Decisions, Contracts, Legal Entity Files, Invoices, Financial Forecasting, Audit, Evaluations and ROM modules.

OBSERVATIONS

Despite some weaknesses, CRIS is now being developed to respond to the Commission’s needs

System development projects now respond to well identified needs

  • 24. 
    Information technology governance concerns “the leadership and organisational structures and processes that ensure that the organisation’s information technology sustains and extends the organisation’s strategies and objectives” 11 .

  • 25. 
    According to the Commission’s internal control standards, adequate IT governance structures must be in place 12 . In particular:

• each directorate general must define the appropriate organisation for managing the information systems that it owns;

• an annual “schéma directeur” (IT master plan), covering all information system developments must be produced;

• each information system owned by a directorate general must possess a clearly identified business owner, to represent the users’ interest, and be overseen by a steering committee;

• all new information system projects must be approved on the basis of a vision document, describing the project;

• all new information systems should be developed using the standard Commission project management and development methods.

11 Definition of the IT Governance Institute®, as quoted in SEC(2004) 1267 of 20 October 2004 ‘Communication to the Commission on the improvement of information technology governance in the Commission’.

12 ICS No 7. See also SEC(2004) 1267.

  • 26. 
    These measures aim to ensure, in particular, that information system development projects respond to the organisation’s needs and are designed to effectively respond to these needs 13 .

  • 27. 
    The Court found that, between 2005 and 2008, the identification and prioritisation of information needs were neither systematic nor clearly documented. This contributed to system developments that did not adequately respond to the Commission’s needs, or even, in extreme cases, to useless developments (see Box 1). Similarly, the management of most IT projects was also kept relatively informal, with the exception of a major project for the takeover of OLAS, the information system previously used to support EDFs operations.

Box 1 - The Evaluations module has never been used

A Commission working paper from 2004 suggested that the Evaluations module of CRIS had been planned to provide a complete overview of mid-term and final evaluations managed by delegations and operational units. However, this module has never been used and it did not contain any record. The Commission had no documentation available to explain this situation.

13 SEC(2004) 1267 provides that: ‘All information systems development projects should produce a “business case/feasibility study” explaining why a system is built, what it does propose to do, how it does plan to do so, where it impacts the organisation and how much it will cost’.

  • 28. 
    Since 2008, the Commission has been putting into place a more comprehensive IT governance structure for CRIS. In particular, information needs are now systematically identified and analysed. All EuropeAid’s new information system development projects must now be approved on the basis of a vision document, describing the project’s objectives, risks and means. On this basis, EuropeAid produces an annual “schéma directeur” (IT master plan), listing all planned information system development projects. For each project, a business owner is designated to represent the users’ interest; major projects are overseen by a steering committee.
  • 29. 
    Moreover, a project management methodology is now in use at EuropeAid and new information system development projects are documented.

Need for an up-to-date definition of CRIS’s role

  • 30. 
    Good practice calls for all information system development projects to produce documents explaining why a system is built, what it proposes to do and how it plans to do so 14 . The Court checked whether such documents existed for the development of CRIS, as a whole.

  • 31. 
    The Court found documents showing that, when the Commission decided in 2000 to develop CRIS, its objective was to be able to “provide instant financial information about projects and programmes” for external actions and, “in particular, to provide a proper picture of the distribution of commitments and payments on countries and sectors in the various geographical regions”. CRIS intended to complement the Commission’s accounting system by providing functions and information more specific to the external action domain.
  • 32. 
    From 2002 to 2004, the first CRIS modules were thus mostly dedicated to some financial management aspects of external actions, such as decisions, contracts and invoices. However, since then, the system’s functions have been continually extended, especially by covering more operational aspects of external actions. New modules have been progressively added and existing ones have been adapted (see Figure 2). Other information systems have also been taken over, extending CRIS’s coverage of the external action domain 15 . Major changes were made in 2005 with the introduction in CRIS of accrual accounting functions. Another major change, in 2008, was the take-over of OLAS (see paragraph 27).

14 See footnote 13.

15 Since it began, CRIS has successively taken over the functions and data of the following information systems: Griot (the system of the ex-Directorate General DGIA, in 2002), Désirée (the system of the ex-Directorate General DGIB, in 2002-2003), MIS (the information system of the ex-Directorate General DGVIII, in 2003-2004) and OLAS (the information system of the ex-Directorate General DEV, in 2008).

Figure 2 – CRIS development history

[Figure: timeline from 1999 to 2010 showing, by year, the new CRIS modules and the developments in the interface between CRIS and ABAC.]

Source: European Court of Auditors.

  • 33. 
    Since 2002, there were also major developments in the Commission’s accounting system. In particular, since the introduction of accrual accounting in 2005 and the replacement of the previous accounting system Sincom2 by ABAC, it provides many new functions, such as contract registration.
  • 34. 
    Despite these major changes both in CRIS and in ABAC, the Court did not find any document providing an up-to-date statement of CRIS’s intended role in the Commission’s overall information system, its objectives or the precise scope of operations it supports.
  • 35. 
    In particular, CRIS’s role was not adequately defined with regard to ABAC, many functions of which were replicated in CRIS. The added value of continuing to encode financial transactions in CRIS instead of encoding them directly in ABAC was not clear (see Box 2). Nevertheless, because of this interdependence of CRIS and ABAC, about one third of EuropeAid’s IT human resources are being used to keep CRIS up to date with ABAC’s development and are diverted from supporting external action operations.

Box 2 - Inefficient data transfer between CRIS and ABAC

The interface between CRIS and ABAC does not facilitate data exchange. Indeed, ABAC automatically performs completeness and consistency checks on financial transaction data before recording them. Since checks performed by ABAC are not always the same as the ones performed by CRIS, financial transaction data are sometimes blocked when transferred from CRIS to ABAC, i.e. at a late stage in the validation procedure. Data then has to be corrected and validated again in CRIS and transferred a second time to ABAC.

Data coding weaknesses

  • 36. 
    The use of data codes in an information system enables the easy retrieval of data records with automatic search tools, as well as their consolidation for reporting purposes. The efficiency and effectiveness of a system in enabling the easy retrieval and consolidation of data records are thus strongly dependent on the quality and consistency of data codes.
  • 37. 
    The objectives set for CRIS in 2000 were to be able to provide instant and consolidated financial information about projects and programmes for external actions (see paragraph 31). The Court checked whether data codes in CRIS were so defined as to effectively contribute to this objective.
  • 38. 
    The Court found that, because of successive system developments that were not sufficiently formalised (see paragraph 27), several of the more than one hundred code lists were duplicated. Duplicated data code lists can diverge over time. They also make data consolidation and reconciliation more complex, time-consuming and prone to errors. A project had been launched a few years ago to rationalise the organisation of data codes in CRIS by storing them in a common table. However, the project was not completed and the system was left in a hybrid situation, with some data code lists still stored in separate or duplicate tables.
  • 39. 
    The Court also found several code lists containing values that were not mutually exclusive, which prevented the effective consolidation of data. For example, the Invoices module, like many other CRIS modules, referred to a list of codes representing geographical areas. Within this list, some codes indicated countries whilst others indicated groups of countries. For this reason, some payment records made in a country referred to the code of this country, while others referred to the code of a broader geographical region around the country. As a result of this situation, CRIS cannot be easily used to determine the list or total amount of payments made to beneficiaries in a given country. An example can be found in Box 3.

Box 3 - Equivocal geographical area codes in payment records

A payment record in CRIS might refer to Tanzania, while another one might refer to a geographical area called ‘South Sahara’. A list of payments referring to Tanzania would contain the first record but not the second one, although a part of the second payment might have been directed to Tanzania.

  • 40. 
    Similarly, CRIS cannot easily be used to compute the total amount spent on a given policy or financed from a given financial instrument. Indeed, the list of domains used to associate records from many CRIS modules to a given domain mixes geographical zones (Asia, for example), financial instruments (TACIS 16 , for example) and thematic policies (food security, for example).

  • 41. 
    As a result of this situation, the consolidation of data – notably financial data – contained in CRIS for reporting purposes is rendered particularly complex. This situation is detrimental to CRIS’s efficiency and effectiveness as a reporting and management tool 17 .

16 Technical Assistance to the Commonwealth of Independent States.

17 In its annual report on EDFs concerning the financial year 2005, the Court noted: “weaknesses in the computerised management information system (CRIS), notably its coding system, do not allow an efficient overall supervision of microproject programmes by the Commission central services. As an example, a reliable list of microproject programmes that have been implemented or are in the course of implementation is still difficult to produce. This is a more general problem not specific to microproject programmes (...)”.

In its annual report for the financial year 2006, the Court also noted: “The Common Relex Information System (CRIS) provides data for the day-to-day management of projects. Largely as a result of data definition limitations some desirable analyses of financial information are not available from the system.”

In its Special Report No 4/2009 about ‘The Commission’s Management of Non State Actors’ involvement in EC Development Cooperation’, the Court noted: “There is at present no readily available source of data in EuropeAid concerning NSA funding (...). The data in CRIS is incomplete and the identification of operators unreliable.”

Persisting problems with user friendliness

  • 42. 
    According to the ‘Communication to the Commission on the improvement of information technology governance in the Commission’ 18 , information systems must be user-driven and meet users’ needs. Users are thus well placed to give indications about the effectiveness of an information system in responding to their needs.

  • 43. 
    In May 2011, the Court performed a survey of CRIS users in the EU delegations, aiming to assess to what extent this population of CRIS users were affected by certain issues. 44 of the 92 delegations to whom questionnaires were sent replied. The main conclusions that can be drawn from the analysis of these replies were the following:

• CRIS users experience long and frequent system unavailability (14 delegations out of 44 report unavailability for longer than one week);

• in 2010, nearly all responding delegations (41 out of 44) encountered delays in encoding or validating transactions because of CRIS design shortcomings 19 ;

• 21 respondents out of 44 believed that, because of difficulties in their interpretation or translation, some data codes were sometimes encoded by guessing;

• six delegations out of 44 reported that delays due to CRIS cost the Commission; two of these delegations provided estimated penalties or losses concerned of 300 euro in one case and 3 000 euro in the other.

18 See footnote 13.

19 In its annual report concerning the financial year 2008, the Court noted: “the existence of technical constraints that the users of the system (CRIS) frequently face and that may affect the regularity of the transactions processed (it is common to find cases of payments made after the deadlines set because of the unavailability of the system)”.

  • 44. 
    The results of the Court’s survey are supported by those of two surveys carried out by the Commission in 2008 and 2010, which involved CRIS users both at the Commission’s headquarters and in EU delegations. These surveys showed that user opinions towards the system had improved but remained mixed, as shown in Figure 3.

Figure 3 – Progress of CRIS user opinion about several aspects of the system between 2008 and 2010 and on a scale from 1 (poor) to 5 (excellent)

Source: Commission working paper – Results of the Survey 2010 “The CRIS system – your opinion”, February 2011.

CRIS management is not yet sufficiently effective in ensuring data integrity

  • 45. 
    For an information system to be effective, it is not enough for it to provide data; it must also ensure data integrity. Data integrity concerns the capacity of an information system to produce the expected result accurately and in full, so that it can be relied upon 20 .

  • 46. 
    In terms of security, CRIS is considered by the Commission as a critical system or, in other words, a system the loss of whose integrity or availability might threaten the position of the Commission with regard to other institutions, Member States or other parties 21 .

  • 47. 
    The Commission has put in place several safeguards to contribute to CRIS data integrity:

• automated checks are embedded in CRIS software;

• each financial transaction encoded in CRIS has to be validated by several different officials;

• inside EuropeAid, a small group of officials, the Data Quality Team, performs data quality checks and coordinates the correction of large numbers of incorrect or missing data 22 ;

• internal and external audit reports regularly point out systemic data quality issues and formulate recommendations; and

• ex post controls performed on samples of financial transactions also reveal data quality issues.

20 Commission decision C(2006) 3602.

21 Commission decision C(2006) 3602 provides that critical information systems are “systems the loss of whose integrity or availability might threaten the position of the Commission with regard to other institutions, Member States or other parties; cases would include damage to the image of the Commission or of other Institutions in the eyes of the Member States or the public, a very serious prejudice to legal or natural persons, a budget overrun or a substantial financial loss with very serious adverse consequences for the Commission's finances”.

22 According to Commission management documents, in 2010, the Data Quality Team identified 80 000 data anomalies and coordinated the correction of more than 70 000 of them.

  • 48. 
    The Court performed substantive tests on sets of CRIS data records to verify whether the information system was effective in ensuring data integrity. More particularly, the Court checked whether the data records concerned were complete, valid and up-to-date:

• Complete: All transactions are recorded and all relevant data fields are filled-in.

• Valid: Data is consistent throughout the information system (records do not contradict each other) and data records reflect the situation as it could be observed on the spot.

• Up-to-date: The information is captured in due time.

Missing data records

  • 49. 
    The Court found invoice records that were directly encoded in ABAC rather than CRIS. For this reason, lump sum payment records sometimes had to be created in CRIS to balance total amounts in CRIS and ABAC. The Court found 118 such reconciliation records (31 records in 2009, with a total amount of 65 million euro, and 87 records in 2010, with a total amount of 175 million euro). These lump sum payment records failed to compensate for the lack of detailed record information in CRIS. In particular, they were not attributed to a particular geographical area (see paragraph 39). The direct encoding of invoice records in ABAC undermines CRIS’s ability to provide consolidated information.
  • 50. 
    The possibilities of attaching documents to data records were not yet systematically used. For example, one third of closed or ongoing decision records updated in 2010 had no attached document. Similarly, 14 % of closed or ongoing contract records with a signature date in 2009 or 2010 had no attached document. This limits the system’s efficiency and effectiveness in terms of project management and access to documents.
  • 51. 
    In addition, the Court found cases where the possibility offered by CRIS of linking together records from different modules and related to the same project, enabling users to navigate through all records related to a given action (see paragraph 10) was not used. For example, 9 000 out of 105 000 contract records (9 %) were not linked to any financing decision. Similarly, more than 300 out of 3 000 closed or ongoing audit records 23 (10 %) were not linked to any contract or decision record 24 . This undermines CRIS’s efficiency as a project management tool.

  • 52. 
    As a member of the OECD’s Development Assistance Committee (DAC), the Commission regularly reports to the OECD about its external assistance activities. This involves classifying the activities concerned according to a standard categorisation (DAC sector codes). In CRIS, contract and project records can be associated to a DAC sector code. While nearly all contract records were linked to such a code, only 30 % of project records actually were. This situation makes it impossible to use CRIS data for the production of reliable statistics according to the OECD’s DAC codification (see Box 4).

Box 4 - Projects cannot be listed by DAC sector code

As only 30 % of CRIS project records refer to a DAC sector code, a search for all project records related to ‘Water Resources Protection’, for example, would render a list of the projects concerned that would most likely be incomplete and could not be relied upon.

23 These concern audits of external operations that are generally carried out by external audit firms contracted by the Commission.

24 In its annual report concerning the financial year 2004, the Court had already noted: “information relating to all audits, even those contracted by implementing organisations, should be recorded in CRIS and linked to the corresponding project management information”. A similar recommendation was also made in the Court’s annual report concerning the financial year 2005.

Invalid data records

  • 53. 
    The Court did not find in CRIS any case of duplicate financial records, that is of transactions which would have been recorded more than once.
  • 54. 
    However, the Court found records which were not backed by an actual financial transaction or operational event. These records, commonly called “dummy” records by CRIS users, were sometimes created to cope with technical limitations of the system. In particular, 100 out of 15 000 contract records closed in CRIS in 2009 and 2010 turned out to be “dummy” contract records. The presence of such records can cause bias in consolidated data and is also likely to confuse users, causing errors and inefficiencies.
  • 55. 
    The Court found CRIS records containing inconsistent data values. For example:

• 2 % of 6 000 audit records had a provisional status although they showed a final report reception date in the past;

• 7 % of 2 300 closed contract records with a signature date in 2009 or 2010 had a signature date later than the implementation start date;

• 1 % of 5 000 decision records had an ongoing status although they showed a closing date that had already passed.

Such inconsistencies often indicate the presence of incorrect data records or administrative errors 25 .
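The three consistency checks listed in paragraph 55 can be expressed as cross-field rules. The following is an added example, not part of the Court's report or of CRIS: the record layout, field names and sample values are constructed assumptions, and a record that cannot be checked because a date is missing is reported rather than silently passed.

```python
from datetime import date

# Constructed sample records; field names are assumptions, not the CRIS schema.
SAMPLE = [
    {"kind": "audit", "id": "AUD-1", "status": "PROVISIONAL",
     "final_report_received": date(2010, 3, 1)},
    {"kind": "audit", "id": "AUD-2", "status": "FINAL",
     "final_report_received": date(2010, 5, 9)},
    {"kind": "audit", "id": "AUD-3", "status": "PROVISIONAL",
     "final_report_received": None},  # report not yet received: consistent
    {"kind": "contract", "id": "CTR-1", "status": "CLOSED",
     "signature_date": date(2009, 6, 15),
     "implementation_start": date(2009, 4, 1)},
    {"kind": "contract", "id": "CTR-2", "status": "CLOSED",
     "signature_date": date(2009, 2, 1),
     "implementation_start": date(2009, 3, 1)},
    {"kind": "contract", "id": "CTR-3", "status": "CLOSED",
     "signature_date": None,
     "implementation_start": date(2010, 1, 10)},
    {"kind": "decision", "id": "DEC-1", "status": "ONGOING",
     "closing_date": date(2010, 12, 31)},
    {"kind": "decision", "id": "DEC-2", "status": "ONGOING",
     "closing_date": date(2012, 6, 30)},
]


def audit_rule(rec, as_of):
    """Provisional audit whose final report was already received."""
    received = rec["final_report_received"]
    if rec["status"] == "PROVISIONAL" and received is not None and received < as_of:
        return "provisional status but final report already received"
    return None


def contract_rule(rec, as_of):
    """Contract signed after its implementation start date."""
    signed, start = rec["signature_date"], rec["implementation_start"]
    if signed is None or start is None:
        # A completeness problem hides a possible validity problem.
        return "cannot check: signature or start date missing"
    if signed > start:
        return "signed after implementation start"
    return None


def decision_rule(rec, as_of):
    """Ongoing decision whose closing date has already passed."""
    closing = rec["closing_date"]
    if rec["status"] == "ONGOING" and closing is not None and closing < as_of:
        return "ongoing status but closing date has passed"
    return None


RULES = {"audit": audit_rule, "contract": contract_rule, "decision": decision_rule}


def find_anomalies(records, as_of):
    """Return (record id, finding) for every record that fails its rule."""
    findings = []
    for rec in records:
        finding = RULES[rec["kind"]](rec, as_of)
        if finding:
            findings.append((rec["id"], finding))
    return findings


def anomaly_rates(records, as_of):
    """Share of flagged records per record kind, as used for reporting."""
    flagged = {rec_id for rec_id, _ in find_anomalies(records, as_of)}
    totals, bad = {}, {}
    for rec in records:
        kind = rec["kind"]
        totals[kind] = totals.get(kind, 0) + 1
        bad[kind] = bad.get(kind, 0) + (rec["id"] in flagged)
    return {kind: bad[kind] / totals[kind] for kind in totals}


if __name__ == "__main__":
    for rec_id, finding in find_anomalies(SAMPLE, date(2011, 1, 1)):
        print(rec_id, finding)
```

Passing the reference date explicitly keeps the result reproducible, so the same extract can be re-checked later and compared.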

25 In its annual report for the financial year 2008, the Court noted: “During the transaction testing it was noted that the information kept in CRIS is not always fully accurate. Errors of codification of both payment and commitment data were detected (for example, in the case of projects and / or contracts where the CRIS country code is wrongly entered). Other errors could affect the reliability of the Commission’s financial statements (for example, concerning bank guarantee expiry dates and project/contract management modes)”.

  • 56. 
    The Court found records that showed differences between CRIS and the ABAC Datawarehouse, a central system of the Commission used to provide consolidated financial and accounting information to management.

Delayed recording

  • 57. 
    With regard to the timeliness of data registration in CRIS, the Court found records for which delays had occurred between a business event and its registration in the system. For example, the Commission’s standard is to record invoices within five days of their reception. However, in 2010, only half of the invoices were recorded in CRIS within this delay, and 13 % of invoices were still not recorded one month after their reception. Similarly, in 2010, an average of six weeks passed between the reception of an audit report by the Commission and its attachment to the corresponding CRIS audit record.

Insufficient security of the system and its data

Unclear definition of responsibilities for data security

  • 58. 
    Commission decision C(2006) 3602 on the security of its information systems 26 states that each director-general must appoint at least one local information security officer, responsible for ensuring that IT service providers and system suppliers introduce adequate security measures. It also states that directorates general may delegate all or part of the implementation and management of their security plans to horizontal departments such as the Directorate General for Informatics. However, in such cases, the directorates general must ensure that the department in question applies the necessary security measures. In order to record the terms of the delegation, a service level agreement must be drawn up between the parties defining in particular measures for monitoring implementation.

  • 59. 
    Moreover, the Financial Regulation states that the institution’s accounting officer is responsible for validating information systems laid down to supply or justify accounting information 27 . The implementing rules of the Financial Regulation specify that the accounting officer must give his agreement before such systems are modified 28 .

  • 60. 
    The Court found that procedures and responsibilities for the allocation, maintenance and removal of CRIS user access rights were documented. However, at a more general level, responsibilities for the management of CRIS were not clearly established. In particular, CRIS fell outside the responsibilities of EuropeAid’s Local Information Security Officer.
  • 61. 
    There was no signed service level agreement between EuropeAid, the CRIS system owner, and the Directorate General for Informatics, to which EuropeAid delegated responsibilities, in particular for securing the servers hosting CRIS’s software and data. Without such a document, the respective responsibilities of the directors general concerned are not clear.

  • 62. 
    In July 2008, the Commission’s accounting officer validated CRIS as a local system for supplying and justifying accounting information in relation to operations financed by the EU general budget 29 . However, although significant modifications had been made to CRIS in 2010, CRIS did not appear in the list of changes notified to the Commission’s accounting officer for that year, contrary to what is provided by the implementing rules of the Financial Regulation (see paragraph 59).

26 See footnote 3.

27 The Financial Regulation states in Article 61: “Each institution shall appoint an accounting officer who shall be responsible in each institution for: (...) laying down and validating the accounting systems and where appropriate validating systems laid down by the authorising officer to supply or justify accounting information (...)”.

28 The Implementing Rules of the Financial Regulation state in Article 57 that “where financial management systems set up by the authorising officer provide data for the institution’s accounts or are used to substantiate data in those accounts, the accounting officer must give his agreement to the introduction or modification of such systems”.

29 At the time of the Court’s audit, CRIS had not yet been validated for accounting information related to operations financed by EDFs.

Weaknesses undermining the system’s ability to maintain data confidentiality and integrity

  • 63. 
    The Commission’s internal control standards require that information technology systems used by a directorate general must be protected against threats to their confidentiality and integrity 30 .

  • 64. 
    The Court found two issues that raise concern regarding CRIS’s ability to maintain data confidentiality (see paragraph 65) and integrity (see paragraph 67).
  • 65. 
    Data confidentiality concerns in particular the reserved character of data to which access is limited to authorised persons 31 . In the case of CRIS, access to the system is automatically granted to Commission statutory and external users in Development and Cooperation DG–EuropeAid, Enlargement DG, Humanitarian Aid and Civil Protection DG (ECHO), the Service for Foreign Policy Instruments, as well as to Commission staff in EU delegations. Access is also granted on request to temporary external users from these same departments, and to staff from other departments and from the European Court of Auditors. In some cases, users from outside the institutions are also allowed to access the system.

  • 66. 
    However, CRIS does not include a standard mechanism to limit users’ access rights to certain categories of data. In two specific cases, ad hoc technical mechanisms had to be developed so that sensitive documents were not accessible to all users 32 . Apart from these two exceptions, all CRIS users automatically have access to all CRIS data. This situation puts into question the confidentiality of CRIS data, particularly in the case of the few external users of the system.

30 ICS No 12.

31 See footnote 3.

  • 67. 
    To ensure data integrity, measures must be taken to guarantee that the information system and processed information can be altered only by deliberate and legitimate action 33 . Among other functions, CRIS includes mechanisms to enable financial agents to validate transactions in the system 34 . The Court found records of financial validations made by an authorised user that had been modified by another person.

Incomplete system documentation

  • 68. 
    System documentation is an important tool for IT developers and system users to ensure data security and, in particular, integrity. It enables them to understand how the system treats data and how data and codes should be interpreted. In particular, it makes it possible for developers to maintain consistency in the system when adapting it, and for users to enter the right data at the right place. The implementing rules of the Financial Regulation state that a full and up-to-date description must be available for computer systems used to process budget implementation operations 35 . Each such description must define the content of all data fields and describe how the system treats each individual operation. It must also show in detail how the system guarantees the existence of a complete audit trail for each operation.

32 Ad hoc user access restrictions were developed for the Call for Tenders module and for contract records marked as confidential.

33 See footnote 3.

34 The Financial Regulation states in Article 84 that “where revenue and expenditure operations are managed by means of computer systems, documents may be signed by a computerised electronic procedure”.

35 Article 107 of Regulation (EC, Euratom) No 2342/2002.

  • 69. 
    The Court found that documentation of data fields content – the data glossary – was lacking for two out of eight CRIS modules selected for the audit (see paragraph 22). For the other six modules, the data glossary was complete and up-to-date.
  • 70. 
    Functional analysis documentation, describing how the system processes individual operations, was available for all modules selected for the audit. However, at a more general level, the technical architecture of the system was poorly documented. For example, integrity relationships between the different data tables in CRIS were not documented 36 .

  • 71. 
    Apart from the Evaluations module, which was not in use (see Box 1), the Court also found that a user manual was available for each audited module. However, in three cases out of seven, the user manual was partly outdated or incomplete.
  • 72. 
    CRIS includes an audit trail system that, in principle, enables the reconstitution of data modification history, i.e. which actions were performed on a given record by which user and when. However, the audit trail data was not available to users through the CRIS user interface; it could only be accessed by IT personnel and its interpretation required great familiarity with the system’s IT architecture. This limits the audit trail’s potential usefulness to exceptional cases on special request.

36 An integrity relationship would be, for example, that a record in the Contracts module cannot be deleted from the system as long as it is referred to by a record in the Payments module; this particular relationship would ensure that a payment can always be linked back to a contract, i.e. that there are no “orphan” payments.
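The integrity relationship described in footnote 36 corresponds to a foreign-key constraint in a relational database. The following added example (not part of the Court's report, and not CRIS code) uses SQLite with a constructed two-table schema; the table names, column names and rows are assumptions. It shows the same schema with the relationship enforced and not enforced, and a query that finds "orphan" payments.

```python
import sqlite3

# Constructed schema: a payment must always point at an existing contract.
SCHEMA = """
CREATE TABLE contracts (
    contract_id TEXT PRIMARY KEY,
    title       TEXT NOT NULL
);
CREATE TABLE payments (
    payment_id  TEXT PRIMARY KEY,
    contract_id TEXT NOT NULL
        REFERENCES contracts(contract_id) ON DELETE RESTRICT,
    amount_eur  INTEGER NOT NULL
);
"""


def open_db(enforce):
    """Create an in-memory database with constructed sample rows.

    SQLite only applies foreign keys when the pragma is switched on for
    the connection; declaring them in the schema is not sufficient.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = " + ("ON" if enforce else "OFF"))
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO contracts VALUES (?, ?)",
        [("C-1", "Road works"), ("C-2", "Water supply")],
    )
    conn.executemany(
        "INSERT INTO payments VALUES (?, ?, ?)",
        [("P-1", "C-1", 50000), ("P-2", "C-1", 20000)],
    )
    conn.commit()
    return conn


def delete_contract(conn, contract_id):
    """Try to delete a contract; return True if the database allowed it."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                "DELETE FROM contracts WHERE contract_id = ?", (contract_id,)
            )
        return True
    except sqlite3.IntegrityError:
        return False


def add_payment(conn, payment_id, contract_id, amount_eur):
    """Try to record a payment; return True if the database allowed it."""
    try:
        with conn:
            conn.execute(
                "INSERT INTO payments VALUES (?, ?, ?)",
                (payment_id, contract_id, amount_eur),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def orphan_payments(conn):
    """List payments whose contract no longer exists (audit query)."""
    rows = conn.execute(
        """
        SELECT p.payment_id
        FROM payments AS p
        LEFT JOIN contracts AS c ON c.contract_id = p.contract_id
        WHERE c.contract_id IS NULL
        ORDER BY p.payment_id
        """
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    for enforce in (True, False):
        db = open_db(enforce)
        print("enforced" if enforce else "not enforced",
              "| delete C-1 allowed:", delete_contract(db, "C-1"),
              "| orphans:", orphan_payments(db))
```

The orphan query is also useful on data loaded before a constraint existed, since switching enforcement on does not repair references that are already broken.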

Insufficient monitoring of personal data processing

  • 73. 
    Regulation (EC) No 45/2001 provides rules for the processing of personal data. In particular, it provides that the data controller must give prior notice to the Commission’s Data Protection Officer 37 .

  • 74. 
    Four notifications were sent by data controllers to the Commission’s Data Protection Officer on the processing of personal data in CRIS. One concerned CRIS as a whole and the other three concerned specific modules. However, the Court identified documents containing personal data and that were attached to CRIS records without being covered by any of these notifications. These included more than 2 000 CVs attached to records in several CRIS modules and that could thus be accessed by all CRIS users (see paragraphs 65 and 66).

37 Regulation (EC) No 45/2001 states in Article 25: “the controller shall give prior notice to the Data Protection Officer of any processing operation or set of such operations intended to serve a single purpose or several related purposes.”

CONCLUSIONS AND RECOMMENDATIONS

  • 75. 
    The Court concludes that CRIS is mostly effective in responding to the Commission's information needs in the field of external actions. However, after ten years of development, it is still subject to persisting shortcomings. These concern in particular the definition of CRIS's role with regard to the Commission's accounting system, weaknesses in data coding, insufficient effectiveness in ensuring data integrity and, more generally, insufficient security of the system and its data. Some of the observations raised corroborate other observations made in previous Court reports.

  • 76. 
    When putting CRIS into operation in 2002, the Commission’s objective was to be able to provide instant and consolidated financial information about projects and programmes in the external action domain. Since then, CRIS was continually adapted to respond to new specific information needs, and these developments substantially modified the system. In particular, besides financial aspects of external actions, CRIS now covers many of their operational aspects. In the meantime, the accounting information system of the Commission also evolved to provide many new functions. However, despite these changes, a new definition of CRIS’s role and objectives was never stated. In particular, the role of CRIS is no longer adequately defined with regard to the role of the Commission’s accounting system, of which it duplicates many functions.

Recommendation 1

The intended role of CRIS as an information system should be set out, notably with regard to the Commission’s ABAC accounting system. In particular, the Commission should aim to reduce the duplication of ABAC functions in CRIS.

  • 77. 
    Since 2008, the Commission has taken measures to ensure that CRIS developments respond to well identified information needs. All CRIS development projects are now approved on the basis of a vision document, describing the project’s objectives, risks and means. Moreover, a project management methodology is now in use.
  • 78. 
    Successive and insufficiently formalised developments of CRIS, between 2005 and 2008, have left the system with poorly defined data codes. The Court found that several code lists were duplicated, while others contained codes that were not mutually exclusive. As a result, the consolidation of data is rendered particularly complex and prone to errors. In particular, CRIS cannot be easily used to provide aggregated data concerning external actions by beneficiary country, financial instrument or policy.

  • 79. 
    With regard to the integrity of CRIS data, the Court found records where information was either missing, not valid or not up-to-date. These undermined the system’s reliability and its efficiency and effectiveness as a management tool.

Recommendation 2

CRIS data code lists should be rationalised so that they are unique and their data values are mutually exclusive. Moreover, present data quality controls (checks, processes) should be revised and reinforced for effective safeguards ensuring reliable data. These measures should aim, in particular, to ensure that CRIS is effective and efficient in providing aggregated information by beneficiary country, policy area and financial instrument.

  • 80. 
    A survey of CRIS users in EU delegations performed by the Court revealed that they experience difficulties with the system. In particular, they reported long and frequent system unavailability, delays in recording transactions due to system design shortcomings and difficulties in the interpretation of data codes.

Recommendation 3

Taking into account the large and diverse population of CRIS users, proper attention should be paid to improving the system’s user-friendliness in future CRIS developments.

  • 81. 
    The Court found that the Commission had not yet sufficiently secured the system and its data. Although procedures existed for the administration of user access rights, responsibilities for CRIS data security were not clearly defined. Moreover, some system weaknesses undermine its efficiency and effectiveness in maintaining data confidentiality and integrity. The Court also found that the processing of personal data was insufficiently monitored.

Recommendation 4

Responsibilities for the management of CRIS data security should be established. An overall IT risk assessment should be carried out. Due care should be given, particularly to the protection of personal and financial data.

This Report was adopted by Chamber III, headed by Mr Karel PINXTEN, Member of the Court of Auditors, in Luxembourg at its meeting of 6 March 2012.

For the Court of Auditors

Vítor Manuel da SILVA CALDEIRA President

REPLIES OF THE COMMISSION TO THE SPECIAL REPORT OF THE EUROPEAN COURT OF AUDITORS

THE COMMON EXTERNAL RELATIONS INFORMATION SYSTEM (CRIS)

EXECUTIVE SUMMARY

IV. Please see the Commission reply to paragraph 75.

V. Regarding the role of CRIS, see also Commission replies to paragraph 76 and recommendation 1.

Regarding the duplicated functions, see Commission replies to paragraphs 35 and 76 and recommendation 1.

VI. Please see the Commission reply to paragraph 78.

VII. Please see the Commission reply to paragraph 79.

VIII. Please see the Commission reply to paragraph 81.

IX.

(a) CRIS is the management information system of the Commission's external relations' Directorates General 38 . It is an integrated system that includes a direct interface with the Commission's accounting system (ABAC), thereby streamlining the number of tools which external cooperation staff use for their everyday work. Its objectives were defined in the document "Stratégie des systèmes d'information de la DG EuropeAid jusque 2016" in December 2011.

In the rationalisation process of its IT landscape, the Commission is currently working on a better integration of all its systems. The objective of reducing the duplication of ABAC functions will be achieved by the direct use of ABAC functionalities from CRIS through ABAC web-services. EuropeAid is part of a pilot project initiated in this respect across the Commission.

(b) The Commission will continue the on-going efforts with data monitoring and improvement of data validation processes in CRIS. Different steps have already been taken in this area, as for instance the nomination of data owners as of beginning 2009 with the view of managing the data codes and defining the standards to be implemented.

(c) The complexity of the business environment and the diversity of user roles and responsibilities inevitably lead to a certain complexity in such an integrated system. Nevertheless, the Commission accepts this recommendation. The user-friendliness improvement is a major objective, inter alia, in the following projects:

  • the multi-commitment project in the contract and decision modules;
  • the invoice streamlining project; and
  • the redesign of the audit module.

38 Only partially as regards ECHO

(d) An overall IT risk assessment will start in the course of 2012 and the Commission will nominate a Local Information Security Officer for CRIS.

INTRODUCTION

  • 2. 
    Please see the Commission definition of CRIS in paragraph IXa.

Even from the beginning in 2002, CRIS was designed for operational management purposes as well as financial management. At that time, the operational management aspects (core business processes) were handled in the action/project and programming modules.

OBSERVATIONS

  • 27. 
    The situation described by the Court is the one that prevailed before 2009 when a new governance was set up and the IT unit was reorganised. All changes in the systems are now preceded by a complete documented process (identification, approbation, prioritisation, analysis, development, tests). The Commission also performed the modelling of its business processes, aiming at better aligning the functional specifications of the system with them.

Box 1 – The Evaluations module has never been used

The limited evaluation module that exists in CRIS was set up with the aim to constitute a very simple database of the evaluations, for reporting purpose. Following this, when it appeared that the needs had actually evolved and were more complex than initially envisaged, it was finally decided to develop a more ambitious project named "Project Cycle Management (PCM) Evaluation" capable of supporting the whole evaluation process in a complete new technical architecture. This project is planned to be operational in 2013 and will undoubtedly provide more added value to the whole evaluation process.

  • 31. 
    One of the main objectives of the CRIS set up and development was also the need for rationalising the three systems of former DG1A, DG1B and DG8 following the merge of these three services. The Commission didn't want to continue to maintain three different systems with different interfaces to ABAC.
  • 34. 
    As regards the definition of the role of CRIS, please refer to the reply to paragraph IXa.

Its objectives were defined in the document "Stratégie des systèmes d'information de la DG EuropeAid jusque 2016" of December 2011.

  • 35. 
    CRIS gives the users the opportunity to manage operational and financial data related to their projects through one integrated tool.

As regards the duplication of functions, at the time when CRIS was set up, a certain level of duplication of functions was unavoidable because it proved difficult to use the central system directly (SINCOM II then was not web-based) in the various EU delegations freshly appointed in the course of the devolution process. After the introduction of a new accounting system (ABAC Workflow) in 2005 and the major priorities of the following years (EDF integration, new modules), the Commission has started to work on the improvement of this situation in line with the rationalisation of its IT landscape. This process, launched in 2010, will clarify, when needed, the role of each Commission application and lead to the absorption or to the integration of systems so that duplication of functionalities will be significantly reduced.

The duplication of functions does not entail any duplication in the data encoding process.

As regards the interdependence of CRIS and ABAC, the impact in terms of resources was refined in December 2011 and resulted in a new estimation of one sixth of the IT resources.

Box 2 – Inefficient data transfer between CRIS and ABAC

The new ABAC architecture will make available to all local systems its validation services. Accordingly, before sending a transaction to ABAC for recording, CRIS will use these validation services either to inform end-users of encoding errors so that they can perform necessary corrections or, when the data is correct, to automatically call up ABAC recording services. In the current architecture, ABAC does not provide functionalities for evaluating transactions without storing them in the data base beforehand. As a consequence, CRIS invokes locally developed checks before sending them into ABAC via the interface. This explains why for the time being, the validation has to be performed in CRIS.

  • 38. 
    Two projects are currently ongoing for the management of codes in order to deal with the duplication of data code lists. A first one aims to centralise and consolidate reference data, and to offer replication services to IT systems. A second one is the continuation of the first one and aims at reorganising the way lists of codes are stored in CRIS.

Both projects started in 2010 and will be developed progressively until 2014. They will lead to significant improvements in this respect.

  • 39. 
    In the case mentioned by the Court the geographical zones may be, by themselves, not mutually exclusive: a given country is always part of one or more given geographical area(s). This may lead to some unavoidable overlapping.

The complexity of the consolidation as described by the Court rather stems from the high diversity of programmes and procedures dealt with by the Commission in the framework of External actions. As a result, it is not necessarily attributable to CRIS.

Box 3 – Equivocal geographical area codes in payment records

The situation the Court refers to is unavoidable given the diversity of the programmes managed in a given country. Indeed external aid can be imputable to a beneficiary region that extends over several countries. However, in many cases, this can be easily overcome thanks to a sound operational follow-up, and by combining various existing CRIS codes.

  • 40. 
    Other criteria available in CRIS may be used to refine the consolidation of the total amount spent on a given financial instrument. For instance, the related budget lines may be used to identify the amount spent on a given financial instrument. Similarly, the field 'zone benefiting from the action' may be used to identify the amount spent in a given country.

  • 41. 
    The complexity to consolidate financial data is directly correlated to the nature of the Commission actions in the framework of External Actions rather than to CRIS shortcomings.

43.

First bullet point:

A downtime of CRIS longer than one week occurred in January 2011 because of the EuropeAid and DG Development merger, and the setting up of the European External Action Service (EEAS) and the Foreign Policy Instruments service (FPI).

This was however an exceptional circumstance. Generally speaking, the downtimes are closely monitored by the Commission. In 2011, apart from the above situation, CRIS has been up and running for more than 99% of the time.

As it is a web based application, the availability of the system in delegations is also reliant on the availability of other technical layers (networks, local servers, …).

Second bullet point:

Significant efforts were made to address these design shortcomings in the beginning of 2011, and will be repeated. A reorganisation of support tasks has also increased the quality of service. As a consequence the number of incidents registered in 2011 has structurally decreased in comparison to 2010.

Third bullet point:

The codification complexity reflects the complexity and variety of the business procedures and regulations themselves.

Due to this complex business environment, CRIS accumulates specific coding to classification codes imposed by the central financial system. Where a review of business functionality is scheduled (e.g. new Financial Regulation / Implementing Rules) particular attention will be paid to ensure a harmonised cross section review of these "master data". Furthermore, the available information flows have significantly improved in the last years (Knowledge base, systematic release notes, CRIS Support Twitter account, USM networks, etc.).

  • 49. 
    The purpose of reconciliation invoices is to update the CRIS Decisions (Level 1 commitments) and Contracts (Level 2 commitments) consumptions whenever some transactions cannot be processed via CRIS because of functional limitations, or because the implementation is done by services which cannot make use of CRIS. Due to this technical constraint, these transactions have to be processed in ABAC directly or by using a different local system. As a result a reconciliation process is needed afterwards.

The reconciliation is not intended to replicate all statistical information which could already be obtained elsewhere, but simply to match CRIS and ABAC amounts consumed on the respective commitments over a specific period of time (usually the whole budgetary year).

Compared to the global number of transactions managed through CRIS, the number of cases where reconciliation is needed is very limited. Even in those cases, all statistics relating to decisions or contracts are always available by country code. However, for these cases, statistics on invoices/payments by beneficiary country have to be obtained directly from ABAC Data warehouse.

  • 50. 
    Attaching documents to data records for contracts and decisions is compulsory following an instruction note of 8 October 2009. This instruction note has been completed afterwards by several specific developments in CRIS, which have extended the possibility of blocking the validation of transactions in case the necessary documents are not duly attached to it. These new features were implemented in November 2010.
  • 51. 
    Since September 2011, the contract records identified by the Court are now automatically linked to a financing decision record. Concerning the audit records, most cases (96%) pre-date 2009, at a time when it was still possible for any user to close a CRIS Audit record without linking it to an audited contract. Since then, except in very specific cases, this is no longer allowed by the system. These very specific cases (the remaining 4% of cases reported by the Court) involve audits of STABEX (Stabilization of export earnings) funds or compliance assessments of international organisations, which by definition are not related to any audited contract.
  • 52. 
    Until 2009, CRIS was used as one of the sources of information for DAC reporting, although for data quality reasons the data had to be reworked and manual verifications were carried out before reporting to the OECD.

Since then, significant efforts to improve the encoding process of the DAC forms have been made and now, as a result, all the DAC forms are duly attached to all new project records. An ex-ante verification on DAC codes is done centrally on all projects (visa RESPCAD).

According to the last statistics available from CRIS, at least 84% of projects and 95% of contracts dated 2009 onwards have a DAC form associated to each of them, keeping in mind that not all DG's using CRIS use the DAC form.

Additionally, an exercise aiming to update historical data on transactions dating 2003 and later (and open projects before 2003), was launched in 2010 and will be implemented in 2012.

Box 4 – Projects cannot be listed by DAC sector code

Please see the Commission reply to paragraph 52.

  • 54. 
    The formal terminology of the Commission for “dummy” records is “technical commitments” records. In order to tackle this problem, a project named "multi-commitment project" started in 2010. It allows the linking of one single contract record to several budgetary commitments of different types. As soon as this project is fully implemented, no "technical commitment" record will have to be created anymore.

55.

First bullet point:

The Commission acknowledges the fact that the audit records reported by the Court should have already been closed at the time of the Court's audit. This is partly due to some "business rules" that prevent the final user from giving his/her final visa, and hence closing the record. Since then, more than half of these cases have been closed. In the next version of CRIS audit module, procedures regarding the closing of audit records will be simplified and adapted so as to allow the closure of the records without delay.

Second bullet point:

About one third of the cases identified by the Court relates to a normal situation (grant contracts concluded with a starting date of activities prior to the signature date, or budget support interventions or other technical commitments (pro forma registrations)) for which the signature date can be encoded but is not relevant or compulsory.

Third bullet point:

This situation is the consequence of a development oversight that has long been corrected (the most recent decision in the sample dates back to 2005). At that time, when re-opening a decision, the closing date was not deleted automatically.

The potential for making such an error is either no longer possible due to continuous improvements of CRIS over recent years or is currently being addressed in ongoing development projects.

  • 56. 
    Data inconsistencies between ABAC Data warehouse (source data: ABAC Workflow) and CRIS could sometimes occur following failures or exceptional operations done directly in ABAC, but they are monitored and followed by correction or reconciliation processes. The way financial data are processed in CRIS is regularly validated by the Accounting Officer of the Commission.
  • 57. 
    Concerning the recording of invoices, an IT project will be launched in 2012 to examine all possibilities to simplify the encoding process, notably the encoding of the gross amount which requires a complex calculation to be made by the data entry agent.

As regards the attachments for audit records, the Commission has recently significantly reduced the average delay between the reception of a final audit report and its attachment to an audit record in CRIS. However the speed with which the audit records are recorded in CRIS has no accounting implications and few management information implications provided that records are entered in time for required reporting purposes.

  • 60. 
    The issue of insufficiently defined responsibilities for the security management of CRIS at a global level will be addressed by the nomination of Local Information Security Officer specifically dedicated to CRIS.
  • 61. 
    Directorate–General for Informatics (DG DIGIT) has signed a Memorandum of Understanding (MoU) for each information system of EuropeAid. One is related to CRIS. CRIS has also been defined as "critical" and for that reason, DG DIGIT has put in place a backup system.
  • 62. 
    CRIS is regularly validated by Commission’s Accounting Officer as a local system, and the last validation took place in December 2011. In future, internal procedures regarding a timely communication of significant changes in CRIS to the Commission's Accounting Officer will be improved.
  • 65. 
    CRIS access procedure uses both ECAS authentication system and the "Commission Enterprise Directory" group membership based authorisation system.

All other access authorisations are given following clearly defined access authorisation procedures according to which appropriate approvals and visas are necessary.

  • 66. 
    The Commission will address the observation through its multiannual CRIS re-engineering work, and will review the security rules in 2014, in particular through the project for the security management for the external and internal users.
  • 67. 
    To guarantee data quality, a procedure must be in place to correct data where a formal notification has been made that erroneous data exists. Such modifications occur only in case when necessary data corrections are made by the IT unit, following a failure in CRIS or a post-processing. They are applied by either support or development or data quality teams. Procedures have been put in place to ensure that such actions are initiated via a request form, to be validated by the business manager of the concerned module. Modifications are firstly executed in a pre-production environment, then validated by the business manager, and finally put in production.
  • 69. 
    The two modules identified by the Court and for which the glossary was lacking:
  • the evaluation module will be replaced by the PCM evaluation module (see also reply to Box 1); and
  • the ROM module will be phased out in 2012.
  • 70. 
    The Commission will improve the documentation in the context of its on-going multiannual CRIS re-engineering work.
  • 71. 
    Out of the three cases where the manual was out of date, the situation has improved in the meantime:
  • the Audit manual was updated in September 2011;
  • the Financial Forecasting manual was updated in December 2011; and
  • the LEF manual will be updated in 2012.
  • 72. 
    The reconstitution of data modification history is possible in the system at two different levels:

• at the technical level, there is indeed an audit trail system which is only accessible to IT staff already familiarized with complex maintenance operations;

• at the functional level, all users can

  • consult how data have been changed by consulting the information provided in the riders to the concerned records and
  • visualise references to possible corrections processed by IT services on the concerned transactions as explained in the first bullet point. This, in turn, allows them to access the corresponding documentation on these corrections (i.e. cleansing report).
  • 74. 
    The CV and other personal data that appear in the documents attached to CRIS are annexes to the contracts and, as such, they are embedded implicitly in the notification DPO-752 for CRIS ("CRIS has also storage capabilities of supporting documents. Documents stored by CRIS are mainly contracts and invoices."). However, the presence of personal data in the said documents is not explicitly mentioned in the notification. It should be underlined that supporting documents are subject of a "passive" storage without any further processing by the application. As a consequence, they do not contain searchable data, i.e. it is not possible to operate a search in CRIS by the name of a given person appearing in an attachment.

CONCLUSIONS AND RECOMMENDATIONS

  • 75. 
    CRIS is one of the many local systems existing within the Commission and, as such, is supporting the specific business needs of the DGs using it. Additionally, since it also supports financial functionalities, it is interfaced with the central accounting system of the Commission.

Since the CRIS implementation in 2002, the Commission has significantly improved the system. As an example regarding the data coding, the Commission set up at a global level common classifications. These are not yet fully unified for the time being, given the complexity of the integration due to the pre-existence of the CRIS Contract database. Significant efforts in this area have however already been made in the previous years through, for instance, the set up of an interservice working group on CRIS/ABAC Contracts.

Concerning the data integrity, monitoring procedures have been put in place, followed by post-processings and implementation/improvements of business rules in the system. Additionally, responsibilities of data codes have been set up in CRIS, and technical improvements are on-going through the multiannual project that will be completed by the end of 2014.

  • 76. 
    The Commission has started a process of rationalising its IT landscape where the main objective is to prevent multiple systems from covering identical or similar processes, and to integrate DG-specific needs within corporate solutions.

As regards the financial and accounting aspects, this rationalisation process will lead to the direct use of ABAC functionalities from CRIS through ABAC web-services.

Recommendation 1

CRIS is the management information system of the Commission's external relations' Directorates General. It is an integrated system that includes a direct interface with the Commission's accounting system (ABAC), thereby streamlining the number of tools which external cooperation staff use for their everyday work. Its objectives were defined in the document "Stratégie des systèmes d'information de la DG EuropeAid jusque 2016" in December 2011.

In the rationalisation process of its IT landscape, the Commission is currently working on a better integration of all its systems. The objective of reducing the duplication of ABAC functions will be achieved by the direct use of ABAC functionalities from CRIS through ABAC web-services. EuropeAid is part of a pilot project initiated in this respect across the Commission.

  • 78. 
    The complexity of consolidation stems from the high diversity of programmes and procedures dealt with by the Commission in the framework of External actions and can not be automatically ascribable to CRIS. Indeed, regarding the example provided by the Court, external aid can be imputable globally to a beneficiary region that extends over several countries.

However, except these cases, the Commission is in a position to provide, through CRIS, reliable aggregated information by country, by financial instrument and by policy area.

  • 79. 
    There are some delays in the entering of some data, and certain documents that should have been attached into CRIS are missing, but no financial and/or other critical information is missing in CRIS. Efforts are underway to reduce the period of time in which information is reported to CRIS. Moreover, as regards data quality issues in general, significant progress has been made in the last three years:
  • Data owners have been nominated to be accountable as regards the related data.
  • A data quality team has been put in place that performs monitoring actions and implements corrective actions.
  • A data quality governance has been implemented.

Recommendation 2

The Commission will continue the on-going efforts with data monitoring and improvement of data validation processes in CRIS. Different steps have already been taken in this area, as for instance the nomination of data owners as of beginning 2009 with the view of managing the data codes and defining the standards to be implemented.

  • 80. 
    As it is a web based application, the availability of the system in delegation is firstly depending on the availability of other technical layers (networks, local servers …). Some of these do not fall under the Commission responsibility, this is the case for instance of the network managed by the EEAS institution. Regarding the application and data base servers, the Commission has recorded a high level of availability of the system. For instance, in 2011, except a downtime of CRIS of more than one week due to the merger of former EuropeAid and DG Development, and the set up of the EEAS and the FPI, CRIS has been up and running for more than 99% of the time.

Minimizing the system shortcomings both at general (system) and local (transaction) level is a constant concern for the Commission. Comprehensive governance is now in place that leads to early detection/correction of blocking shortcomings. Several measures to improve the quality of deliverables have also been taken, among which code review, technical and functional analysis before implementation, and tests.

Communication about data codes has been rationalised through the use of the CRIS knowledge database and has been improved by, inter alia, the systematic preparation of weekly release notes and regular updates of manuals.

Recommendation 3

The complexity of the business environment and the diversity of user roles and responsibilities inevitably lead to a certain complexity in such an integrated system. Nevertheless the Commission accepts this recommendation. The user-friendliness improvement is a major objective, inter alia, in the following projects:

  • the multi-commitment project in the contract and decision modules;
  • the invoice streamlining project; and
  • the redesign of the audit module.
  • 81. 
    The insufficiently secured system issue will be addressed by the nomination of a Local Information Security Officer for CRIS. To ensure confidentiality, the Commission clearly defined access authorisation procedures. Moreover, the access in CRIS to data classified as confidential is restricted. Improvement in the management of external user rights will be addressed in the following years through a specific project to be completed by 2014. Regarding the personal data in CRIS, the Commission applies the rules laid out in Regulation (EC) No 45/2001, and the procedures notified and validated by the Data Protection Officer (DPO) of the Commission.

Recommendation 4

An overall IT risk assessment will start in the course of 2012 and the Commission will nominate a Local Information Security Officer for CRIS.

 
 
 
 
