15.12.2009, EN, Official Journal of the European Union, C 304/16


REPORT

on the annual accounts of the European Network and Information Security Agency for the financial year 2008, together with the Agency’s replies

2009/C 304/04

CONTENTS

INTRODUCTION: paragraphs 1-2

STATEMENT OF ASSURANCE: paragraphs 3-12

COMMENTS ON THE BUDGETARY AND FINANCIAL MANAGEMENT: paragraphs 13-14

Table

The Agency’s replies

INTRODUCTION

1. The European Network and Information Security Agency (hereinafter ‘the Agency’), located in Heraklion, was created by Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 (1). The Agency’s main task is to enhance the Community’s capability to prevent and respond to network and information security problems by building on national and Community efforts (2).

2. The Agency’s 2008 budget amounted to 8,4 million euro compared with 8,3 million euro the previous year. The number of staff employed by the Agency at the end of the year was 58 as compared with 56 the previous year.

STATEMENT OF ASSURANCE

3. Pursuant to the provisions of Article 248 of the Treaty the Court has audited the annual accounts (3) of the Agency, which comprise the ‘financial statements’ (4) and the ‘reports on implementation of the budget’ (5) for the financial year ended 31 December 2008 and the legality and regularity of the transactions underlying those accounts.

4. This Statement of Assurance is addressed to the European Parliament and the Council in accordance with Article 185(2) of Council Regulation (EC, Euratom) No 1605/2002 (6).

The Director’s responsibility

5. As authorising officer, the Director implements the revenue and expenditure of the budget in accordance with the financial rules of the Agency under his own responsibility and within the limits of authorised appropriations (7). The Director is responsible for putting in place (8) the organisational structure and the internal management and control systems and procedures relevant for drawing up final accounts (9) that are free from material misstatement, whether due to fraud or error, and for ensuring that the transactions underlying those accounts are legal and regular.

The Court’s responsibility

6. The Court’s responsibility is to provide, on the basis of its audit, a statement of assurance as to the reliability of the annual accounts of the Agency and the legality and regularity of the transactions underlying them.

7. The Court conducted its audit in accordance with the IFAC and ISSAI (10) International Auditing Standards and Codes of Ethics. Those standards require that the Court complies with ethical requirements and plans and performs the audit to obtain reasonable assurance about whether the accounts are free from material misstatement and whether the underlying transactions are legal and regular.

8. The Court’s audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the accounts and about the legality and regularity of the transactions underlying them. The procedures selected depend on its audit judgement, including the assessment of the risks of material misstatement of the accounts or of illegal or irregular transactions, whether due to fraud or error. In making those risk assessments, internal control relevant to the entity’s preparation and presentation of accounts is considered in order to design audit procedures that are appropriate in the circumstances. The Court’s audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of accounting estimates made by management, as well as evaluating the overall presentation of the accounts.

9. The Court believes that the audit evidence obtained is sufficient and appropriate to provide a basis for the opinions set out below.

Opinion on the reliability of the accounts

10. In the Court’s opinion, the Agency’s Annual Accounts (11) present fairly, in all material respects, its financial position as of 31 December 2008 and the results of its operations and its cash flows for the year then ended, in accordance with the provisions of its Financial Regulation.

Opinion on the legality and the regularity of the transactions underlying the accounts

11. In the Court’s opinion, the transactions underlying the annual accounts of the Agency for the financial year ended 31 December 2008 are, in all material respects, legal and regular.

12. The comments which follow do not call the Court’s opinions into question.

COMMENTS ON THE BUDGETARY AND FINANCIAL MANAGEMENT

13. For the 2005-2007 period, VAT paid by the Agency and still to be recovered from the hosting Member State amounted to approximately 45 000 euro. Despite the considerable efforts made by the Agency since 2005, no solution had yet been found for the reimbursement of this amount by the national tax authorities.

14. In one procurement procedure (12), for a three-year framework service contract, needs were underestimated and the available budget for this expenditure for the entire year was consumed within six months. Underestimating procurement budgets constitutes an obstacle to fair competition as firms are less prone to present offers for limited amounts.

This report was adopted by the Court of Auditors in Luxembourg at its meeting of 8 October 2009.

For the Court of Auditors

Vítor Manuel da SILVA CALDEIRA

President

Table

European Network and Information Security Agency (Heraklion)

Areas of Community competence

The representatives of the Member State governments have, by common agreement, adopted a statement on the creation of a European Network and Information Security Agency. The Agency should operate as a point of reference and establish confidence by virtue of its independence, the quality of the advice it delivers and the information it disseminates, the transparency of its procedures and methods of operating, and its diligence in performing the tasks assigned to it.

(Council Decision of 19 February 2004, taken on the basis of Article 251 of the Treaty).

Competences of the Agency (Regulation (EC) No 460/2004 of the European Parliament and of the Council)

Objectives

The Agency enhances the capability of the Community, the Member States and the business community to prevent, address and to respond to network and information security problems.

The Agency provides assistance and delivers advice to the Commission and the Member States on issues related to network and information security falling within its competencies.

The Agency develops a high level of expertise and uses this expertise to stimulate broad cooperation between actors from the public and private sectors.

The Agency assists the Commission, where called upon, in developing Community legislation in the field of network and information security.

Tasks

The Agency:

(a) collects information on current and emerging risks that could produce an impact on electronic communications networks;

(b) provides the European Parliament, the Commission, European bodies or competent national bodies with advice, and assistance;

(c) enhances cooperation between actors in its field;

(d) facilitates cooperation on common methodologies to address network and information security issues;

(e) contributes to awareness raising on network and information security issues for all users;

(f) assists the Commission and the Member States in relations with industry;

(g) tracks standards;

(h) advises the Commission on research in the area of network and information;

(i) promotes risk assessment activities, on prevention solutions;

(j) contributes to cooperation with third countries.

Governance

1 — Management Board

1. It is composed of one representative of each Member State, three representatives appointed by the Commission, and three representatives, without the right to vote, each of whom represents one of the following groups:

(a) information and communication technologies industry;

(b) consumer groups;

(c) academic experts.

2. Board members may be replaced by alternates.

2 — Executive Director

1. The Agency is managed by its Executive Director, who is independent in the performance of his duties.

2. The Executive Director is appointed for a term of office of up to five years.

3 — External audit

Court of Auditors.

4 — Internal audit

The Commission’s Internal Auditor.

5 — Discharge authority

Parliament acting on recommendation by the Council.

Resources made available to the Agency (Data for 2007)

Budget

8,4 (8,3) million euro

Staff at 31 December 2008

44 (44) posts according to the establishment plan. Posts occupied 39 (42);

Other posts: 12 (11) Contract Staff, 5 (2) SNEs, 2 (2) Trainees.

Total staff: 58 (56)

operational: 38 (31)

administrative and policy: 20 (25)

Products and services supplied in 2008

Improving resilience in European e-Communication networks

Stock taking of Member States’ policies and analysis of findings; good practice guidelines; stock taking of providers’ measures, technologies and standards that enhance the resilience of public communication; analysis of resilience features of public communication and deployment scenarios.

Developing and maintaining co-operation between Member States

Cooperation models through community building, conferences, etc.; a co-operation platform for the awareness raising community; good practice sharing for CERT communities; supporting the take up of interoperable eIDs; NIS brokerage.

Identifying emerging risks for creating trust and confidence

A framework to enable decision makers to better assess emerging risks arising from new technologies; a European capacity for the evaluation of emerging risks; multi-stakeholder dialogue with public and private sector decision makers; position papers on emerging risks arising from new technologies.

Building information confidence with micro enterprises

Analysing micro enterprises’ needs; piloting ENISA’s risk assessment on micro enterprises.

Requests for assistance

Responses to five requests for assistance (Austria, Bulgaria, Cyprus, Greece, European Parliament).

Source: Information supplied by the Agency.

THE AGENCY’S REPLIES

13. The Agency will continue to take all possible measures available to it in order to have this matter resolved.

14. The budget estimation for this particular project was made at a time when the turnover of the Agency’s staff was relatively low. This estimate was made with the assumption that when the staffing needs of the Agency were fully met, a very limited number of interim agents would be required, if any. This line of reasoning was not entirely correct due to the continual steep staff turnover. The Agency has been monitoring the actual consumption in this contract and as a result a new call for tenders was issued in the third quarter of 2009.


(1)  OJ L 77, 13.3.2004, p. 1.

(2)  The Table summarises the Agency's competences and activities. It is presented for information purposes.

(3)  These accounts are accompanied by a report on the budgetary and financial management during the year which gives inter alia an account of the rate of implementation of the appropriations with summary information on the transfers of appropriations among the various budget items.

(4)  The financial statements include the balance sheet and the economic outturn account, the cash-flow table, the statement of changes in capital and the annex to the financial statements which includes the description of the significant accounting policies and other explanatory information.

(5)  The budget implementation reports comprise the budget outturn account and its annex.

(6)  OJ L 248, 16.9.2002, p. 1.

(7)  Article 33 of Regulation (EC, Euratom) No 2343/2002 of 23 December 2002 (OJ L 357, 31.12.2002, p. 80).

(8)  Article 38 of Regulation (EC, Euratom) No 2343/2002.

(9)  The rules concerning the presentation of the accounts and accounting by the Agencies are laid down in chapter 1 of Title VII of Regulation (EC, Euratom) No 2343/2002 as last amended by Commission Regulation (EC, Euratom) No 652/2008 of 9 July 2008 (OJ L 181, 10.7.2008, p. 23) and are integrated as such in the Financial Regulation of the Agency.

(10)  International Federation of Accountants (IFAC) and International Standards of Supreme Audit Institutions (ISSAI).

(11)  The Final Annual Accounts were drawn up on 17 June 2009 and received by the Court on 6 July 2009. The Final Annual Accounts, consolidated with those of the Commission are published in the Official Journal of the European Union by 15 November of the following year. These can be found on the following website http://eca.europa.eu or http://www.enisa.europa.eu/about-enisa/accounting-finance

(12)  Framework service contract for the provision of temporary interim staff (175 000 euro over three years) while on the basis of the effective expenditure during the first six months, the total value of the contract over three years can be estimated at 1 050 000 euro.