Auditing the legality and regularity of the NGEU- a strategic challenge for the ECA in the years to come
Setting out strategic objectives is an important step to achieve clarity on the what an organisation has to do. However, an organisation also needs to be clear about how it wants to do it. Clearly both aspects coincided with the adoption of the Next Generation EU (NGEU) instrument. The what increased considerably while the how of auditing the new instrument contains a significant number of new and innovative elements. Mariusz Pomienski, Director, Judit Oroszki, Principal Manager, and Paul Sime, Assistant to the Director, are directly concerned with providing assurance on the EU’s finances, which now also include NGEU expenditure. They explain, as far as possible with the information to hand at this stage, what kind of strategic challenge and substantial task the ECA will face when it comes to auditing the NGEU instrument and providing assurance on it.
By Mariusz Pomienski, Judit Oroszki and Paul Sime, Financing and administering the Union Directorate
NGEU — over 40% budget increase to be audited
On 21 January 2021, the ECA College adopted the ECA 2021–2025 Strategy (the Strategy), shortly after the historic European Council agreement on EU finances in December 2020. Mid-February 2021, with the adoption of the Recovery and Resilience Facility (RRF), the Council finalised the process of setting up the €750 billion European Union Recovery Instrument, better known as the Next Generation EU — NGEU. The time proximity is not the only element linking the two documents. The new ECA Strategy has been significantly affected by the planned rollout of the NGEU. Its size and delivery model makes it a challenge for us as the EU’s external auditors with the job of providing a Statement of Assurance (SoA) on NGEU expenditure and, of course, on the traditional EU budget, amounting for the current multiannual financial framework (MFF) to €1 074.3 billion for a seven year period.
Which features of the NGEU matter for the Statement of Assurance?
The Recovery and Resilience Facility will be the main implementing tool for the NGEU, with commitments totalling up to €672.5 billion over 2021–2023. It will provide up to €312.5 billion in grants and up to €360 billion in loans to support reforms and investments undertaken by Member States. To benefit from the RRF, Member States have to prepare national recovery and resilience plans (RRPs) with a coherent package of public investments and reforms. These reforms and investments are to be implemented by 2026. The plans should set out how the Member States intend to address effectively the challenges identified in the European Semester, particularly the 2019 and 2020 country-specific recommendations adopted by the Council.
Member States will have to include in their plans:
- a description of the proposed reforms and investments;
- the estimated cost of the proposed reforms and investments backed up by appropriate justification;
- the envisaged milestones, targets, and an indicative timetable for the implementation of the reforms and of investments to be completed by the end of August 2026 at the latest; and
- an explanation of the system to prevent, detect and correct corruption, fraud and conflicts of interest, including arrangements aimed at avoiding double funding from other Union programmes.
The European Commission will assess whether the justification provided by the Member State on the amount of the estimated total costs of the RRP submitted is reasonable and plausible. The Commission will also make sure that it is in line with the principle of cost-efficiency and is commensurate with the expected national economic and social impact. The Commission will assess whether the arrangements proposed by the Member State concerned can be expected to prevent, detect and correct corruption, fraud and conflicts of interest.
After the RRPs are approved by the Council, the Commission will sign the grant and (potential) loan agreements with the Member State. In parallel — or after the signature of the grant and potential loan agreement — the Commission will also agree with the Member State on the operational arrangements. These arrangements will provide details of the payment schedules, details in respect of timelines, indicators for the milestones and targets, and access to underlying data and evidence to substantiate the disbursement claim. The arrangements will be an important element in our work. Unfortunately, at the moment of writing, we have no clarity about what they will look like in practice.
A Member State may request a disbursement on a bi-annual basis, following a ‘satisfactory’ completion of a group of milestones and targets, reflecting progress with several of the plan’s reforms and investments. As we understand it now, the size of a specific instalment will not correspond to the estimated costs of the measures. The precise details of the payment schedules will be laid down in the operational arrangement signed with each Member State.
The Commission will have to assess the payment requests within two months. The key condition for the Commission’s payment will be the achievement of the milestones and targets laid down in the RRPs. The Commission will therefore have to make a judgement on whether — based on the documents submitted by the Member State or any other document the Commission deems relevant — the milestones and targets have been fulfilled ‘satisfactorily’.
We do not know yet how the Commission will carry out its checks or what evidence it will ask for from Member States to prove the fulfilment of milestones and targets. Details on the milestones and targets will only be laid down in the operational arrangements and financing and loan agreements, signed after the approval of the RRPs. It is worth underlining, however, that the Commission will not check the actual cost incurred — understandably, as there is no link between the payments from the EU budget and the costs incurred by the beneficiaries, the Member States.
The RRF will be implemented under direct management with Member States, which are the beneficiaries of EU funds. They are required to put in place an effective management and control system to make sure that the information on the achievement of targets and milestones, provided to the Commission with the payment request, is complete, accurate and reliable, and that the RRF only supports measures which comply with all applicable EU and national law.
The Commission will report in a number of ways on the implementation of the RRF:
- through a scoreboard displaying progress with the implementation of the RRPs in each of the six pillars. This scoreboard will be the main performance reporting system of the RRF;
- in an annual report to the European Parliament and the Council, with information on the status of implementation of milestones and targets, and the status of disbursements and suspensions;
- in a review report on the implementation of the RRF, presented by 31 July 2022. This report will assess, in particular, the way the RRPs contribute to the scope and general objectives of the RRF; and
- finally, after three years of implementation, the Commission will provide an independent evaluation report and an ex post evaluation report by end 2028.
The Commission will also report on the performance and regularity of the RRF spending (including the calculated risk at payment) in the Annual Activity Report of its Directorate-General for Economic and Financial Affairs (ECFIN) and in its Annual Management and Performance Report.
How to design the compliance audit of the RRF — a methodological challenge spelled out in the Strategy
The nature of our assurance engagement is defined by Article 287 of the Treaty on the Functioning of the EU (TFEU): we provide the SoA on the legality and regularity of the expenditure underlying the annual accounts (and, indeed, the RRF expenditure will be recorded in these accounts). The subject matter of our assurance audit will be, then, identical with our ‘normal’ SoA work: it will consist of the expenditure transactions of the given year.
Our new ECA Strategy recognises the challenge of providing assurance on a large instrument whose disbursement rules differ from the ‘traditional’ budget:
The next multiannual financial framework (MFF) 2021–2027 and the ’Next Generation EU’ (NGEU) initiative will involve important changes and related challenges for us. This concerns in particular our assurance reports, namely the Statement of Assurance and our Annual Reports. To this end, we will continue to develop our audit approach and use available data and information, which will allow us to continue providing strong assurance, based on our Treaty mandate and in full accordance with international public-sector audit standard.
What kind of assurance should we give for the NGEU — a key question
According to the auditing standards, we can choose from two types of assurance: reasonable or limited. Our opinion on the legality and regularity of ‘traditional’ expenditure provides reasonable assurance on the spending of the EU budget. It would not come as a surprise, then, if we are expected to do the same for the RRF. However, regardless of our wishes and stakeholders’ expectations, a lot will depend on what is feasible. The feasibility of providing the same type of assurance on the RRF as on the MFF will depend on the availability of information and the technical possibilities with regard to estimating the financial impact of non-achievement of targets/milestones. And also on the resources that the ECA will have available to audit this more than 40% increase in EU funds for which it will have to give audit assurance.
We usually draw assurance from a combination of two sources: control systems and substantive testing. At the time of writing this article, the Commission had not yet defined its control strategy and we have not seen the descriptions of the Member States’ management and control arrangements in the RRPs. A further challenge for our assessment of the control systems will be that the RRF provides for Member State-specific plans and there are no harmonised system requirements. So we can expect the statement of assurance on RRF expenditure will have to be based on the substantive testing.
Applying audit criteria — achievement being the new compliance element
To give our Statement of Assurance we must first form an independent assessment of whether a given subject matter is in compliance with applicable laws and regulations. The general audit objective for an audit of the legality and regularity of underlying transactions is to determine whether they are legal and regular in all material respects. In the case of the RRF, providing a clean opinion would mean stating that less than 2% of RRF expenditure had been made on the basis of ‘unsatisfactory’ achievement of milestones and targets. Both the qualitative (satisfactory/unsatisfactory) and the quantitative (2%) elements of this statement will most likely pose practical problems.
Talking about the achievement (or not) of the milestones/targets, the major risk for the feasibility of our assurance audit is the quality of the milestones and targets themselves. If they are only vaguely defined, we could face a situation where they are not fully auditable. If we are sure that they are auditable, we will have to decide whether the information available at the Commission is sufficient for us to conclude on the legality and regularity. The Commission’s check will be based on justification provided by the Member State, which may not always allow us to confirm that the targets/milestones had been reached in reality. This could be the case — particularly — for investments, for which targets will probably be linked to certain tangible deliverables, i.e. number of kilometres of rail built, number of square meters of renovated building, number of beneficiaries of a particular investment scheme, etc..
As far as the financial impact of irregularities is concerned, in the framework of our SoA audits we highlight which non-compliance with legal requirements — if known before the payment — would have had an impact on the Commission’s or other paying authorities’ decision to pay. We make a distinction between ‘conditions for payments’ (non-compliance with them has a direct financial impact) and ‘other compliance issues’ (these do not have a direct impact on the payment made but imply a financial risk and/or could lead to financial corrections).
For the RRF, the key condition for the Commission to make the disbursement is the achievement of the milestones and targets for the reforms and investments agreed in the RRPs. This ‘achievement’ seems to be the ‘condition for payment’ as understood by our methodology. Needless to say, Member States will have to make sure that spending from the RRF complies with all relevant EU and national rules. The payments or their amounts, however, will not depend on this criterion.
Similarly, there will be several other legal requirements included in the RRF regulation and potentially in the grant/loan agreements and operational arrangements. For example, RRF spending will need to comply with the application of horizontal financial rules for the RRF, the ‘do no significant harm’ principle, additionality and complementarity principles and provisions on sound economic governance, etc. However, these principles will not be ‘conditions for payment.’ As a result, we can expect that we would consider as ‘errors with financial impact’ only the amounts accepted and paid by the Commission for which we demonstrate that the corresponding milestones or targets had not, in reality, been fulfilled. Provided we are able to reach such conclusions on the basis of the available information, the next challenge will be how to estimate the amounts of money spent despite a ‘non achievement’ of targets/milestones, so non-compliance.
Due to the nature of the instrument, a quantification similar to the one used for the MFF might not be the most appropriate way to assess the seriousness of the non-compliance identified. This is because, for the MFF, we can clearly link the error to the amount paid — mostly on a cost reimbursement basis. However, for the RRF there will most likely be no direct link between the amounts disbursed and the cost estimates underlying the milestones and targets fulfilled. It is also doubtful, whether individual milestones/targets will be assessed, and paid for, by the Commission separately.
We could possibly use a quantification similar to the system proposed by the Commission. Due to the performance-based nature of the RRF, the Commission’s ex post controls will aim to verify that the payment conditions were met, most importantly the achievement of milestones and targets. If ex post controls by the Commission reveal that milestones or targets were in fact not met, the Commission may recover a proportionate amount. We do not know yet how robust and ‘useful’ the Commission methodology will be.
Providing audit assurance and addressing accountability arrangements — two tracks on the same path
The technical possibilities discussed above will have to be a part of the ECA’s decision-making for the best approach to designing the annual audit of the RRF. Key for this will be whether the ECA will be in a position to establish a robust and defendable method for linking the non or partial achievement of milestones/targets to expenditure, i.e. to estimate the financial impact of errors it detects. This crucial element will also influence the feasibility of providing reasonable assurance on RRF expenditure.
In the ‘minimum’ option we would be using the information available to the Commission and provided by the Member States. We would conclude overall on the Commission’s assessment of whether milestones and targets have been fulfilled and possibly on the Commission’s assessment of compliance with the eligibility period.
Another option is a combination of yearly and rotational audits of Member States, testing a sample of milestones and targets, with checks down to the level of the final recipient. This would require checks directly in Member States, going beyond what is available at the Commission.
The usefulness and cost/benefit ratio of all options will largely depend on the precision of the agreed milestones/targets and on the quality of the information demonstrating their achievement. After the Commission completes its preparatory work and Member States submit their plans, we will be able to assess which approach leads to the most efficient assurance engagement and how to strike the best balance between the SoA and other audits of the NGEU.
One thing remains obvious: our audits of the NGEU and the RRF will be at the centre of interest of the European Parliament and the Council, our institutional stakeholders, for the years to come. This inevitably makes them a key strategic challenge for the ECA. In this context, it is relevant to note that the introduction of the NGEU is not only relevant to the ECA’s strategic goal on providing strong audit assurance, in a challenging and changing environment. It also matters to both other strategic goals on improving accountability, transparency and audit arrangements across all types of EU action and on targeting our audits on the areas and topics where we can add most value.
EU citizens need to be able to trust their external auditor to provide insight into and transparency on what works well and what not, also when it concerns such a far-reaching and innovative instrument as the NGEU. As the EU’s independent external auditor, we will do our utmost to deliver what is feasible, and what is reasonable.
