5.12.2008   

EN

Official Journal of the European Union

C 311/13


REPORT

on the annual accounts of the European Network and Information Security Agency for the financial year 2007 together with the Agency's replies

(2008/C 311/03)

CONTENTS

INTRODUCTION (paragraphs 1-2)
STATEMENT OF ASSURANCE (paragraphs 3-6)
OBSERVATIONS (paragraphs 7-11)
Tables 1 to 4
The Agency's replies

INTRODUCTION

1. The European Network and Information Security Agency (hereinafter the Agency) was created by Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 (1). The Agency's main task is to enhance the Community's capability to prevent and respond to network and information security problems by building on national and Community efforts.

2. Table 1 summarises the Agency's competences and activities. Key data taken from the financial statements drawn up by the Agency for the financial year 2007 are presented in Tables 2, 3 and 4 for information purposes.

STATEMENT OF ASSURANCE

3. This Statement is addressed to the European Parliament and the Council in accordance with Article 185(2) of Council Regulation (EC, Euratom) No 1605/2002 of 25 June 2002 (2); it was drawn up following an examination of the Agency's accounts, as required by Article 248 of the Treaty establishing the European Community.

4. The Agency's accounts for the financial year ended 31 December 2007 (3) were drawn up by its Executive Director, pursuant to Article 17 of Regulation (EC) No 460/2004, and sent to the Court, which is required to give a Statement of Assurance on their reliability and on the legality and regularity of the underlying transactions.

5. The Court conducted its audit in accordance with the IFAC and ISSAI (4) International Auditing Standards and Codes of Ethics, insofar as these are applicable in the European Community context. The audit was planned and performed to obtain reasonable assurance that the accounts are reliable and that the underlying transactions are legal and regular.

6. The Court has thus obtained a reasonable basis for the Statement set out below:

Reliability of the accounts

The Agency's accounts for the financial year ended 31 December 2007 are, in all material respects, reliable.

Legality and regularity of the underlying transactions

The transactions underlying the Agency's annual accounts, taken as a whole, are legal and regular.

The observations which follow do not call the Court's Statement into question.

OBSERVATIONS

7. The Agency's 2007 budget amounted to 8,3 million euro compared to 7,0 million euro the previous year. The implementation of operational activities (Title III) was concentrated in the last quarter of 2007. About 40 % of the commitments and more than 50 % of the payments under Title III were executed in November and December 2007 due to the late release of funds. For small Agencies with limited resources, releasing funds at the end of the year jeopardises the implementation of operational activities.

8. The appropriations carried over did not always correspond to legal commitments in four cases (5). Moreover, more accurate financial information needs to be prepared by the operational departments (6) to minimise the risks of errors in the accounts.

9. The inventory of fixed assets was managed using a spreadsheet, which did not guarantee the integrity of the data, and no exhaustive physical inventory was made.

10. Recurrent weaknesses were noted in the procurement procedures: the pre-selections of bids were not justified, the evaluation documents were not signed by the evaluation committee, and the files were not structured and were incomplete. In one case relevant information could not be found. This situation was at odds with the principle of transparency.

11. According to article 27 of the founding regulation, the Agency's mandate expires on 13 March 2009. Given the financial and organisational impact on the Agency's activities, a decision should be taken.

This report was adopted by the Court of Auditors in Luxembourg at its meeting of 18 September 2008.

For the Court of Auditors

Vítor Manuel da SILVA CALDEIRA

President


(1)  OJ L 77, 13.3.2004, p. 1.

(2)  OJ L 248, 16.9.2002, p. 1.

(3)  These accounts were drawn up on 25 June 2008 and received by the Court on 4 July 2008.

(4)  International Federation of Accountants (IFAC) and International Standards of Supreme Audit Institutions (ISSAI).

(5)  Total value of 121 500 euro.

(6)  Errors of about 105 000 euro of accrued liabilities were identified and corrected during the audit.


 

Table 1

European Network and Information Security Agency (Heraklion)

Areas of Community competence

The representatives of the Member State governments have, by common agreement, adopted a statement on the creation of a European Network and Information Security Agency. The Agency should operate as a point of reference and establish confidence by virtue of its independence, the quality of the advice it delivers and the information it disseminates, the transparency of its procedures and methods of operating, and its diligence in performing the tasks assigned to it.

(Council Decision of 19 February 2004, taken on the basis of Article 251 of the Treaty).

Competences of the Agency (Regulation (EC) No 460/2004 of the European Parliament and of the Council)

Objectives

The Agency enhances the capability of the Community, the Member States and the business community to prevent, address and respond to network and information security problems.

The Agency provides assistance and delivers advice to the Commission and the Member States on issues related to network and information security falling within its competencies.

The Agency develops a high level of expertise and uses this expertise to stimulate broad cooperation between actors from the public and private sectors.

The Agency assists the Commission, when called upon, in developing Community legislation in the field of network and information security.

Tasks

The Agency:

(a) collects information on current and emerging risks that could have an impact on electronic communications networks;

(b) provides the European Parliament, the Commission and European bodies or competent national bodies with advice and assistance;

(c) enhances cooperation between actors in its field;

(d) facilitates cooperation on common methodologies to address network and information security issues;

(e) contributes to awareness raising on network and information security issues for all users;

(f) assists the Commission and the Member States in relations with industry;

(g) tracks standards;

(h) advises the Commission on research in the area of network and information;

(i) promotes risk assessment activities, on prevention solutions;

(j) contributes to cooperation with third countries.

Governance

1.   Management Board

1. It is composed of one representative of each Member State, three representatives appointed by the Commission, and three representatives, without the right to vote, each of whom represents one of the following groups:

(a) information and communication technologies industry;

(b) consumer groups;

(c) academic experts.

2. Board members may be replaced by alternates.

2.   Executive Director

1. The Agency is managed by its Executive Director, who is independent in the performance of his duties.

2. The Executive Director is appointed for a term of office of up to five years.

3.   External audit

Court of Auditors.

4.   Internal audit

The Commission's Internal Auditor.

5.   Discharge authority

Parliament acting on recommendation from the Council.

Resources made available to the Agency (Data for 2006)

Final budget: 8,3 (6,9) million euro (100 % Community subsidy)

Staff figures on 31 December 2007:

44 posts according to the establishment plan. Posts occupied 42;

Other posts: 11 Contract Agents, 2 SNEs, 2 Trainees.

Total staff: 56

operational: 31 (35)

administrative and policy: 25 (26)

Products and services supplied

The Agency produced 22 reports on various NIS topics including:

Security awareness initiatives and measurement of effectiveness Security policies;

Certification and accreditation schemes;

Security measures implemented by service providers;

Internal market of eCommunications;

Inventory of risk management methods;

Business continuity methods;

Governance;

Emerging risks;

Technological developments;

Applications and technologies;

Good practice;

Contacts directory;

Authentication levels;

CSIRT cooperation.

The Agency organised 8 Workshops on various NIS topics including Awareness Raising, technological developments, authentication, CSIRT.

The Agency updated its web site.

The Agency issued a newsletter on a quarterly basis.

The Agency delivered over 40 presentations in various NIS events and conferences.

The Agency dealt with seven requests for advice and assistance: five by Member States (two from Austria, two from Greece and one from Bulgaria) and two requests from the Commission.

The Agency developed contacts with specialised organs of OECD and International Telecommunication Union in order to identify possible synergies and to report on their activities to the Agency's stakeholders.

Source: Information supplied by the Agency.


Table 2

European Network and Information Security Agency (Heraklion) — Implementation of the budget for the financial year 2007

(1000 euro)

Revenue

| Source of revenue | Revenue entered in the final budget for the financial year | Revenue collected |
|---|---|---|
| Community subsidies | 8 000 | 7 900 |
| Other revenue | 417 | 417 (1) |
| Total | 8 417 | 8 317 |

Expenditure

| Allocation of expenditure | Final budget appropriations: entered | committed | paid | carried over | cancelled | Appropriations carried over from previous financial year(s): entered | committed | paid | cancelled |
|---|---|---|---|---|---|---|---|---|---|
| Title I: Staff | 4 190 | 4 082 | 3 953 | 129 | 108 | 253 | 253 | 243 | 11 |
| Title II: Administration | 1 135 | 1 103 | 883 | 220 | 32 | 126 | 126 | 121 | 5 |
| Title III: Operating activities | 3 092 | 3 043 | 1 351 | 1 692 | 49 | 538 | 538 | 496 | 42 |
| Total | 8 417 | 8 228 | 6 187 | 2 041 | 189 | 917 | 917 | 860 | 58 |

Source: Data supplied by the Agency — this table summarises the data provided by the Agency in its annual accounts. Revenue collected and payments are estimated on a cash basis.


Table 3

European Network and Information Security Agency (Heraklion) — Economic outturn account for the financial years 2007 and 2006

(1000 euro)

|  | 2007 | 2006 |
|---|---|---|
| Operating revenue |  |  |
| Community subsidies | 7 988 | 5 476 |
| Other revenues | 203 | 12 |
| Total (a) | 8 191 | 5 488 |
| Operating expenditure |  |  |
| Staff expenditure | 3 573 | 3 100 |
| Fixed asset related expenditure | 126 | 103 |
| Other administrative expenditure | 1 477 | 1 515 |
| Operational expenditure | 2 199 | 1 236 |
| Total (b) | 7 375 | 5 954 |
| Surplus /(deficit) from operating activities (c = a – b) | 816 | – 466 |
| Financial operations revenue (e) |  |  |
| Financial operations expenditure (f) | 3 | 2 |
| Surplus /(deficit) from non-operating activities (g = e – f) | –3 | –2 |
| Economic result for the year (h = c + g) | 813 | – 468 |

Source: Data supplied by the Agency — this table summarises the data provided by the Agency in its annual accounts: these accounts are drawn up on an accrual basis.


Table 4

European Network and Information Security Agency (Heraklion) — Balance sheet at 31 December 2007 and 2006

(1000 euro)

|  | 2007 | 2006 |
|---|---|---|
| Non-current assets |  |  |
| Intangible fixed assets | 36 | 33 |
| Tangible fixed assets | 337 | 312 |
| Current assets |  |  |
| Short-term receivables | 101 | 56 |
| Cash and cash equivalents | 2 379 | 2 519 |
| Total assets | 2 853 | 2 920 |
| Current liabilities |  |  |
| Provisions for risks and charges | 155 | 66 |
| Accounts payable | 1 255 | 2 224 |
| Total liabilities | 1 410 | 2 290 |
| Net assets | 1 443 | 630 |
| Reserve |  |  |
| Accumulated surplus/deficit | 630 | 1 098 |
| Economic result for the year | 813 | – 468 |
| Net capital | 1 443 | 630 |

Source: Data supplied by the Agency — this table summarises the data provided by the Agency in its annual accounts: these accounts are drawn up on an accrual basis.


(1)  The amount includes the re-use of 234 528 euro.



THE AGENCY'S REPLIES

7. Indeed external factors such as the late release of funds partially affected the implementation of operational activities. In the meantime the Agency has closely planned and follows up the execution of 2008 budget.

8. In certain cases with a significant number of variables, the appropriations carried over were calculated with some degree of approximation. The Agency is aware of this risk and strives to ensure to the highest degree possible the accuracy of appropriations carried over.

9. Fixed assets are managed in the accounting software of the Agency. The administrative inventory is managed in spreadsheets due to the limited number of items. The Agency intends to use ABAC Assets in 2009.

10. The Agency recognises some shortcomings in three procurement files. The Agency takes measures to eliminate these administrative shortcomings including the hiring of an experienced Procurement Officer.

11. The European Commission has proposed an extension of the mandate of the Agency and legislators have agreed on a three-year extension.