EUROPEAN COMMISSION
DIRECTORATE-GENERAL INFORMATICS Director General
European Commission DIGIT – Annual Activity Report 2007
Date: 31/03/2008 Version: FINAL
Commission européenne, L-2920 Luxembourg. Telephone: (352) 43 01-1. Office: C3/105. Telephone: direct line (352) 43 01-34561. Fax: (352) 43 01-34444. Commission européenne, B-1049 Bruxelles / Europese Commissie, B-1049 Brussel - Belgium. Telephone: (32-2) 299 11 11. Office: IMCO 5/20. E-mail: Francisco.Garcia-Moran@ec.europa.eu
TABLE OF CONTENTS
1. PART 1 – POLICY RESULTS
1.1. Level of the Policy Area / Service
1.1.1. Impact indicators
1.2. Level of the ABB Activities (operational activities)
1.2.1. Main policy and core-business results at ABB activity level
1.2.2. Activity 03 - ICT infrastructure services provisions
1.2.3. Activity 04 - Corporate ICT infrastructure solutions
1.2.4. Activity 05 - Corporate Information systems governance; IT consulting; Information systems development and support
1.2.5. Activity 06 - Interoperable Delivery of European eGovernment Services to public Administrations, Business and Citizens (IDABC)
1.2.6. Activity 02 - Administrative support to other Services and Directorate General, Institutions and executive agencies
2. PART 2 – MANAGEMENT AND INTERNAL CONTROL SYSTEMS
2.1. Inherent nature and characteristics of the DGs risk and control environment
2.1.1. General overview
2.1.2. Cross-delegations and handovers
2.1.3. Working arrangements between the Commissioner and the department
2.1.4. Systemic processes
2.1.4.1. IT governance processes
2.1.4.2. Other systemic processes
2.2. Management and control systems
2.2.1. Budget execution
2.2.1.1. Administrative credits
2.2.1.2. Operational credits (IDABC)
2.2.2. Non-financial risks
2.3. Follow up of audit work and previous year's reservations
2.3.1. Follow up of previous year's reservation
2.3.2. ECA recommendations
2.3.3. Follow-up of other identified system weaknesses
2.4. Key indicators supporting reasonable assurance
2.4.1. Internal control design
2.4.2. Internal control effectiveness
2.4.2.1. Ex-ante controls
2.4.2.2. Ex-post controls
2.4.2.3. Multi-annual programmes
2.4.2.4. ICS baseline requirements
2.4.2.5. ICC contribution
2.4.2.6. AOS reporting
2.4.2.7. Complaints
2.4.3. Control overrides
2.4.4. Assurance from independent monitoring
2.4.4.1. Internal audit findings (IAC/IAS)
AAR 2007 DIGIT - Final
2.4.4.2. External audit findings (ECA)
2.4.4.3. Internal Audit Capability (IAC) opinion
2.5. Conclusion on the effectiveness of the internal control system
3. PART 3 – RESERVATIONS AND THEIR IMPACT ON THE DECLARATION
3.1. Materiality criteria used
3.1.1. Qualitative criteria
3.1.2. Quantitative criteria
3.1.3. Conclusions on the materiality of the deficiencies
3.2. Reservations
3.3. Overall conclusions on the combined impact of the reservations on the declaration as a whole
4. PART 4 – DECLARATION OF ASSURANCE
1. PART 1 – POLICY RESULTS
1.1. Level of the Policy Area / Service
As with any public sector organisation worldwide and more particularly in the EU, the challenge for the European Commission is to cope with the continuous need for evolution, for greater transparency, for more efficient working methods and for the creation of added-value in the services it offers as well as the need to always merit the trust of citizens and business who are better informed than ever before.
This trust is the basis for democracy, and it has been the engine of European integration from the Rome Treaties to the recent Berlin Declaration. This was particularly relevant in 2007 when the EU celebrated the 50th anniversary of the Treaty of Rome and with the signature of the Lisbon Treaty on the 12th of December.
To tackle this ambitious challenge, the way forward for the Commission is twofold.
Firstly, at a political level, the Lisbon strategy, which aims at making the European Union a leader in a knowledge based economy, and in particular the "i2010 – A European Information Society for growth and employment" initiative compose the framework within which, as an integral part of the developments of the information society, the application of ICT to improve public services continues to be supported. This is often referred to as the e-government initiative.
Secondly, at an operational level, the Commission needs to tackle two challenges: on the one hand, modernising its own "internal" administration, applying internally what it preaches externally, and, on the other hand, operating professional and high quality trans-European ICT services.
Concerning the modernisation of its administration, the Commission will pursue its efforts in implementing an e-administration, i.e. to achieve an "integrated" Commission functioning as a coherent whole vis-à-vis internal and external stakeholders.
The e-Commission initiative, which aims at delivering better quality and more transparent services for the Commission's staff and external stakeholders by 2010, continued in 2007 to be the framework for DIGIT's activities, actions, projects and services. As has been stated repeatedly, this initiative is not purely technical. Its real goal is to enable more efficiency, simplification and transparency of the organisation 1. This initiative is about the overall transformation of the organisation with the help of technology.
It is about trust and quality and not only about computers and networks. The main objective of becoming an "integrated" Commission requires actions both of an organisational and technical nature. According to its roadmap, the eCommission has an external dimension (concerning the services supplied by the Commission to citizens, business and partner administrations to support its policies) and an internal dimension (to achieve a best-practice e-administration offering improved services to support the Commission's own processes).
1 and not only of its ICT components, even though they represent an important part of it, since this initiative is about using ICT to enable the Commission to concentrate more of its resources on operational activities
Within this overall framework, specific attention is paid to trans-European e-services that support the implementation of EU legislation, from internal market regulations to consumer and health policies, by facilitating the exchange of information between public administrations across Europe and by supporting the creation of on-line services for the benefit of businesses and citizens, through, for instance, the IDABC programme. The development and sustainability of investments in trans-European e-services is also directly related to interoperability as defined by the European Interoperability Framework developed under the IDABC umbrella. This framework is currently also under revision. The issue of interoperability of systems across Europe is clearly a governance question at European level that the Commission should help tackle in the near future. Information systems interoperability should not become a barrier that slows down the Single Market and European integration. This is why the Commission has been engaged for years in promoting and implementing such approaches and it will continue to push for their deployment across European public administrations.
As a consequence, to ensure focus and alignment with the challenges mentioned above, in 2007 DIGIT refined its vision. DIGIT's new vision statement now states:
"DIGIT will be a proactive leader in information and communication technologies, identify opportunities and offer, in partnership with stakeholders, innovative tools, solutions and e-services to enable the Commission to accomplish its goals more effectively and efficiently manage and deliver European policies for the benefit of EU public administrations, citizens and business".
Moving forward along the lines set out above requires strong and continuous sponsorship at political level. Again in 2007, DIGIT enjoyed full support from Vice-President Kallas and his cabinet to be able to deliver on its priorities and on its Annual Management Plan. Despite the number of vacant posts, due to recurring difficulties in recruiting EUR10 staff (lack of competition lists), and the very high workload, DIGIT has succeeded in delivering a very good percentage of the objectives foreseen in its Annual Management Plan for 2007. The following chapters contain details of the outputs and results obtained in all areas in 2007. However, some of them deserve, by their very impact, to be highlighted.
• The IT infrastructure consolidation pilot project (known as ITIC).
As far as solutions and support services are concerned, the main achievement of 2007 was the successful launch of the pilot project for Infrastructure Consolidation. Following the Communication to the Commission on IT Governance SEC(2004) 1267, adopted by the Commission on 20 October 2004, a study on the consolidation of the IT infrastructure and related support services was performed during 2006 by an external consultant and with the participation of 6 DGs. It led to the conclusion that major savings, through economies of scale, could be reached by consolidating infrastructure and support services and could lead to staff redeployment to other priorities while maintaining or increasing the quality of the service and support offered to the users. In 2007, in order to take advantage of the potential economies of scale, improve the existing service levels and implement disaster recovery in a cost efficient manner, DIGIT formed a corporate service delivery organisation to deliver the full range of managed desktop services and their support for the whole of the Commission.
A pilot phase in a reduced number of candidate DGs, with the objective of proving the concept and what it means in terms of organisation, was launched with great success. DG REGIO and IAS were the first services to be taken on board successfully and some other DGs will follow in 2008. This will enable some conclusions to be drawn at the end of the first semester 2008 and put the Commission in a position to decide whether to proceed with the consolidation of all DG infrastructure in a phased approach.
• Preparation of follow-on programme for IDABC
In 2007 there were important developments relating to the IDABC programme, covering both the on-going implementation of actions included in the IDABC rolling work programme and strategic decisions on the future developments after the end of the current legal framework (end 2009) as well as progress in IDABC's further incorporation into DIGIT.
• Elaboration phase and tool selection for the Corporate Portal
In 2007, the elaboration phase of the corporate portal project was finalised. During this phase, the necessary tools were selected following extensive proofs of concept. The project will enter into the development phase and delivery is expected after summer 2008.
• DIGIT also realised major achievements in the field of information systems in 2007.
2007 saw DIGIT's responsibilities extended to deliver information systems supporting specific policy areas, thereby contributing to the e-Commission's external dimension. The IMI (Internal Market Information) system was developed for DG MARKT. It has the potential to be reused by several DGs and will evolve during 2008 to support the Services Directive. DIGIT's partnership with the Research DGs to deploy information systems to support FP7 also progressed. DIGIT produced an overall architecture and plan based on which the Research DGs chose to concentrate initially on common "front-office" systems. In this context DIGIT delivered a first version of PDM/URF which will be extended in 2008 to provide unique registration facilities for all participants in FP7 research programmes.
DIGIT's delivery for the e-Commission's internal dimension was strictly aligned with the ABM's IT priorities, developing corporate systems to support:
– document management;
– the institution's decision-making processes;
– human resource management;
– integrated information management;
– financial management.
These systems contribute to improving the efficiency of the Institution and support VP Kallas's simplification and transparency initiatives (Ares, e-Greffe, Sysper2, Flexitime, CDR update…).
• Moves to HiTEC and Machelen data centre premises
The inadequacy of the building infrastructures to house Data Centre type infrastructure, which was subject to a reservation issued by DIGIT AOD in its 2005 and 2006 AARs, led again to a series of incidents in 2007. Thankfully, their final impact on operations and end-users was limited due to proper disaster recovery infrastructure, to business continuity processes in place, and to the efficient recovery work done by the data centre teams. A mild summer in 2007 also helped avoid a real crisis due to relatively low external temperatures.
Already in 2006, DIGIT, OIB and OIL together defined a multi-annual strategy to 2010 to improve the housing conditions of the Data and Telecom Centres of the Commission both in Brussels and in Luxembourg. The strategy was endorsed by the Cabinet of Vice President Kallas and should lead to the move of the most critical ICT equipment into professional data centre type rooms in a phased approach and to the refurbishing of the air conditioning and electrical infrastructure in the JMO Data Centre room (end of work had been planned for second half of 2007).
So far contracts for the rent of two new data centre type rooms in Brussels (600 m²) and in Luxembourg (280 m²) have been signed. For the one in Brussels, the move out of IMCO to the Machelen premises was finalised on the 20th February 2007; and for the one in Luxembourg the move to the HITEC building was finalised end-March 2007. The planned delivery of the first phase of a second room in Luxembourg mid-2007 has endured considerable delays and current planning only foresees the handover by OIL to DIGIT at the end of July 2008, following which DIGIT will start migrating services. The refurbishment of the air conditioning in the JMO Data Centre has furthermore suffered supplementary delays and finalisation of the work is now planned by OIL for Q2-2008. In December 2007, the planned second and third phase capacity increases for the second room in Luxembourg (2nd phase originally to be delivered to DIGIT in July-2008) were postponed and conditioned by a new Communication to the Commission to be prepared by DIGIT (update of Communication 2964 from 2004). The situation of corporate ICT infrastructure housing is consequently likely to remain critical throughout 2008 and led the AOD to maintain his 2005-2006 reservation in the 2007 AAR.
Finally, it has to be mentioned that a great part of DIGIT's resources are devoted to service management. All the essential services, from training to support, from hosting to server/storage management, from telecommunications to e-mail, from product management to reference configurations, etc., worked very well in 2007.
In conclusion, all in all, 2007 has been a very demanding year and delivery has only been possible because of the commitment, common efforts and teamwork of DIGIT's management and staff. They all deserve to be praised for it.
1.1.1. Impact indicators
This report is based on the indicators defined in the 2007 AMP. For the 2008 AMP, DIGIT has reviewed and improved some indicators to better measure impact on EU society and on multi-annual initiatives.
Policy area :Administration and Information and communication Technologies Impact indicators General objective 1 Deliver better quality services Indicator Target (long term) Satisfaction of internal and external users Commission users satisfaction survey - Overall average - The Commission versus the ideal world Survey on eCommission progress Maintain at least the same level N/A (first exercise was conducted in 2007 Milestone (if any) Situation (at year end)
7,1 / 10 6,8 / 10
N.A (first exercise is planned for 2007). NB: for the 2007 e-Commission progress report, we estimated that the e-government maturity level of the Commission is 2.4 (was at 2 in 2006 and target is 3 in 2010).
Satisfaction survey with the IRM's - Overall average 2 Online sophistication Increase the overall maturity of services for related to internal Increase of 4 % every year with 95 % in 2010 (i.e. :
2006: 2,6 / 4 (fair to good) 01/01/2007: 77%
2
3,2 / 4 (good to very good) Not available (the next review of
2 2005 benchmark (73%) + 1 year of annual growth rate (4%)
Policy area :Administration and Information and communication Technologies Impact indicators General objective staff and external stakeholders Indicator administration Target (long term) Majority of TwoWay Interaction systems) Increase of 4 % every year with more than 80 % in 2010 (i.e. : Majority of TwoWay Interaction systems) Increase of 4 % every year 01/01/2007: 66%
3
Milestone (if any)
Situation (at year end) progress made is foreseen for 2008) Not available (the next review of progress made is foreseen for 2008)
Online sophistication related to external administration
Percentage of IS 4 implementing ECAS
01/07/2007: Rough estimate of 200 systems in total
330 systems use ECAS Average number of logins per month: 264.350 (99% increase compared to 2006)
Percentage of e-signatures Satisfaction of customers with infrastructure services (flexible web and managed services) Commission users satisfaction survey - Average
5
N/A (Not planned to go into production during 2007) Maintain at least the same level
N/A (first exercise was conducted in 2007 2006: 2,5 / 4 (fair to good) 100% No outstanding recommendations 100%
7,3 / 10
Satisfaction survey with the IRM's - Average
6
3,2 / 4 (good to very good) 100% 2 outstanding very important and 3 outstanding important recommendations
Percentage of DGs using DIGIT framework contracts 3 Increase security of infrastructure Implementation of recommendations of the IAS related to access rights management, ORACLE Database management, Log analysis and Data Centre security plan Percentage of IS notified (including advanced drafts)
4
Ensure compliance with the Data Protection Regulation
01/07:2007: Level 1: 100% Level 2: 100% Level 3: 100% Level 4: 100% Level 1: 100% Level 2: N/A Level 3: 25% Level 4: 25% Level 1: 100% Level 2: 100% Level 3: 71% Level 4: 66%
5
Increase interoperability of information systems
Percentage of DGs using basic online services through the Corporate Portal Percentage of DGs using the common interoperability services Percentage of DGs
N/A (System is planned to go into production in 2008)
N/A (Systems are planned to go into production in 2008 2009) 2008-2009: 66% 01/01/2007: 59% (24 / 41)
7
3 2004 benchmark (58%) + 2 years of annual growth rate (4%)
4 European Commission Authentication Service (Single Sign on)
5 Average opinion for equipment, word processing, spreadsheet, E-mail and remote access
6 Average opinion for document management systems, reference configuration, IS hosting, E-mail, terminal services, network services, telephony services, proximity services, video-/audio-conference. Scale from 1 to 4 (1=needs improvement, 2=fair, 3=good, 4=very good)
Policy area :Administration and Information and communication Technologies Impact indicators General objective Indicator implementing the RUP@EC methodology Percentage of DGs using the framework of the Commission Enterprise Architecture (CEAF) IDABC: Percentage of planned new actions for projects of common interest that have been launched in the year (as from the IDABC WP) IDABC: Percentage of planned new actions for horizontal measures launched that have been launched in the year (according to the IDABC WP) 6 Support previous objectives by a costeffective, resilient and highly performing ICT infrastructure Satisfaction of user/customers or their representatives with infrastructure services 2008: 24-29% (10 to 12 / 41) Target (long term) Milestone (if any) 39% (16 / 41) 01/01/2007: 15% (6 / 41) 27% (11 / 41)
8
Situation (at year end)
100%
83% (12 planned and 10 started)
100%
88% (25 planned and 22 started)
Improvements in customer satisfaction with the 3 systems identified for improvement
Top-3 of areas with room for improvement in 2006: E-mail (22x), document management systems (21x), central helpdesk (9x)
Current scores for these areas with room for improvement:: E-mail (5x), document management systems (24x), central helpdesk (7x) Top-3 of areas with room for improvement in 2007: Document management systems (24x), financial management systems (10x), processing logistics requests (9x)
Percentage of DGs using shared IT-services
All
01/01/2007: 12% (5 / 41 : ADMIN, OIB, OIL, EPSO, PMO)
17% (7 / 41 : ADMIN, OIB, OIL, EPSO, PMO, REGIO, IAS) Yes
7
Reasonable assurance Implement and that resources assigned to maintain an effective internal control system the activities are used according with the principles of sound financial management and that the control procedures put in place give the necessary guarantees concerning the legality and regularity of the underlying transactions
Yes
Yes in AAR 2006
7 Throughout 2007, DIGIT provided support and advice to 24 DGs on implementing the RUP@EC methodology and/or toolset. The e-Commission mid-term review survey, foreseen for 2008, will provide more accurate statistics.
8 Throughout 2007, DIGIT provided assistance and support regarding CEAF. The e-Commission mid-term review survey, foreseen for 2008, will provide more accurate statistics.
1.2. Level of the ABB Activities (operational activities)
1.2.1. Main policy and core-business results at ABB activity level
Activity | Number of actions | Not yet delivered: number of actions | Not yet delivered: % of actions | Partly delivered: number of actions | Partly delivered: % of actions | Delivered (footnote 9): number of actions | Delivered (footnote 9): % of actions
03 ICT infrastructure services provisions | 15 | 1 | 7% | 4 | 27% | 10 | 67%
04 Corporate ICT infrastructure solutions | 6 | - | - | - | - | 6 | 100%
05 Information systems governance; IT consulting; Information systems development and support | 12 | - | - | 2 | 17% | 10 | 83%
06 Interoperable Delivery of European eGovernment Services to public Administrations, Business and Citizens (IDABC) | 3 (footnote 10) | - | - | 1 | 33% | 2 | 67%
02 Administrative support to other Services and Directorate General, Institutions and executive agencies | 6 | - | - | 1 | 17% | 5 | 83%
Total | 42 | 1 | 2% | 8 | 19% | 33 | 79%
[Chart: number of actions per ABB activity (03, 04, 05, 06, 02) by status: Delivered, Partly delivered, Not yet delivered]
Note: The delivery status for partly delivered actions varies between 30% and 80% with an arithmetic average around 55%. Because of the different magnitude of the actions, it is very difficult to give a more accurate general figure.
9 Including multi-annual actions for which all planned deliverables were delivered in 2007 and including continuous actions
10 The AMP mentioned 4 activities, but 1 activity (Projects of common interest) is not under control of DIGIT and is only supplied for information purposes
1.2.2. Activity 03 - ICT infrastructure services provisions
Computer room facilities: In order to cope with the lack of Data Centre space in Brussels and Luxembourg, contracts for the rental of one room in Brussels (600 m2 – Machelen) and one room in Luxembourg (300 m2 – HiTEC) have been signed. In Brussels, this enabled the move out from the IMCO building in February. In Luxembourg, the HiTEC room has been in use since March. The original multi-annual strategy to improve the housing conditions of the Commission's Data and Telecom Centres foresaw for Luxemburg a new room of 600 m2 in 2007 and an extension of 300 m2 in 2008. The actual situation, however, presents considerable delays. This will continue to negatively impact a series of DG projects and to delay the delivery of corporate services and the implementation of the security measures requested in the IAS audit on the Data centre (See the reservation in part 3).
E-mail: The implementation of the new e-mail infrastructure has been finalised and the old infrastructure has been decommissioned. The positive results were acknowledged by our users (increase in the overall user satisfaction to very good) and were demonstrated by a significant decrease in the number of incidents, while the usage of the service continued its steady growth. The improved reporting and monitoring means put in place during 2007 will also contribute to an improved service. The move to a new organisation of the service provision has been completed with the implementation of a managed service contract. Improvements in the quality of the service will become visible in the course of 2008. DIGIT has also addressed good (efficient) usage of e-mail via a questionnaire and interactive workshops with DIGIT internal users. The results were used as input to the e-mail policy working group, chaired by the Secretariat-General, in which DIGIT participates actively. The technical impacts of the proposed new policy have been evaluated and will be tuned once the final version is adopted by the Commission.
Network infrastructure: As part of a multi-annual action to support new requirements, the backbone of the Commission's network was subject to a major upgrade on 1st August 2007. The capacity of the communication lines between Brussels and Luxembourg was increased from 1 GB/sec to 10 GB/sec.
Business continuity plans (BCP): Regarding the IS hosting BCP, most of the systems identified as "critical" and "essential" are now fully fail-over capable. A workplan is being set up to deal with the very few justifiable exceptions. The BCPs for the mobile phone, the internal and external voice services, Infotel and the network infrastructure are now completed. The reinforcements of the infrastructure and services necessary in order to conform to the Commission decision in this matter will be evaluated after a gap analysis that will be undertaken in 2008.
Services management: In order to provide a more efficient management of the services offered, a multi-annual action aiming at the provision of services under service mode contracts has been launched. For the Information Systems Hosting Service (ISHS), a call for tenders "Managed Services Provision" (MSP) was published in 2007. It will be concluded in 2008 and deployment will start in 2008. For the Systems and Infrastructure Services, an orientation document for a call for tenders called OASIS has been prepared and approved. The OASIS call for tenders will be launched in 2008.
Teleworking: Improvements in the telephone facilities offered to teleworkers were agreed with DG ADMIN at the end of 2007 after a thorough evaluation of the associated costs incurred by the pilot exercise. It is now possible for the teleworkers to forward Commission calls to their private mobile phones and, in Luxembourg, to fixed phones in the neighbouring countries.
AAR 2007 DIGIT - Final
Page 11/59
Activity 03 - ICT infrastructure services provisions: Result Indicators

e-Commission roadmap dimension 3: Technical enablers – infrastructure
Specific Objective: 6 - Support e-Commission objectives by a cost-effective, resilient and highly performing ICT infrastructure

Result indicator: ITP - e-mail: New service approach fully defined; service definition document; New anti-spam strategy document; Recommendation for an efficient use of the email service
Situation at year n's end: The new contractor is fully operational on a Service-Level basis; the project for the definition of a new anti-spam strategy has been started; a draft email policy has been presented by the Secretariat-General to the Resources Directors.
Target (mid-term): Predictable growth of email service use at the Commission (for better planning and financial management). Efficient use of the email system by users as a means of improving productivity and decreasing email stress.

Result indicator: ITP - e-mail: User satisfaction (on performance and user-friendliness), Level of operational efficiency of this business-critical service (Up-Time)
Situation at year n's end: Overall user satisfaction with email: 7,6 / 10. Number of email interventions (including but not exclusively incidents) in 2007: 7340. A decrease of 12.25% compared to 2006. This figure must also be viewed in the light of the increase of the messages volume (of 73,3% for outgoing messages).
Target (mid-term): Upgrade the capacity and enhance the e-mail service toward a more automated operation.

Result indicator: J04 - Proper housing of computer room facilities: Finalisation of move from IMCO to Machelen (Brussels), finalisation of move to HITEC premises (Luxembourg), Preparation of new facilities in Luxembourg
Situation at year n's end: Move from IMCO to Machelen (Brussels) and move to HITEC premises (Luxembourg) finished. The contract for 800 m² in Luxembourg has been signed and the first moves will take place in September 2008.
Target (mid-term): Multi-annual action aiming at the improvement of Computer room facilities.

Result indicator: J04 – Evolution of network infrastructure: Evolution of backbone's infrastructure, Integration of Data Centres and Telecom Centres, Phased implementation
Situation at year n's end: The backbone of the Commission's network, and particularly the international lines supporting communications between Luxembourg and Brussels, were the subject of a major upgrade on 1st August 2007, passing from a capacity of 1 Gigabit/second to a capacity 10 times greater.
Target (mid-term): Multi-annual action aiming at the upgrade of the network infrastructure to support new requirements.

e-Commission roadmap dimension 4: Organizational enablers - Foundations for Operational Excellence
Specific Objective: 1 - Deliver better quality services - optimise, integrate, document and control the delivery process of corporate IT services so that they are smoothly delivered to our customers. Increase reliability of the delivery by proactive monitoring and preventive measures

Result indicator: G08 - Number of implemented teleworkers in relation to the requests received
Situation at year n's end: On 31/12/2007, a total of 3547 tokens were distributed, out of which 632 for teleworkers. On average there were 100 requests pending for teleworking, DGs and external companies.
Target (mid-term): Starting production for the number of implemented teleworkers in relation to the requests received.

Result indicator: G04 - Business Continuity Plans for fixed and mobile voice services and for the data network services
Situation at year n's end: BCPs are completed and available for Mobile phone, Internal voice, External voice, INFOTEL and for the network.
Target (mid-term): Availability of Business Continuity Plans for the critical operational infrastructure services identified in the Commission decision SEC(2006)899.

Result indicator: G04 - Update of risk analysis, Workplan for setting up HW and SW infrastructure for critical IS, Study on BCP/Disaster Recovery Plan (DRP) for this Information System Hosting (ISH) service, First draft of Business continuity plan for ISH service
Situation at year n's end: Pre-study is finished, full study is ongoing, deadline set around end 2008.
Target (mid-term): Multi-annual action aiming at the availability of a BCP for critical IS.

Specific Objective: 2 - Increase transparency of services for staff and external stakeholders – put in place the appropriate sourcing mechanisms and logistics so that services are delivered according to best practices and with proven cost/benefit ratio

Result indicator: Launch of the call for tender "Managed Service" for ISH services as well as Systems and Infrastructure Service management and availability of the contract
Situation at year n's end: Tendering specifications are under elaboration.
Target (mid-term): Multi-annual action aiming at the Availability of Service contract implementation.
Activity 03 - ICT infrastructure services provisions: Main policy outputs (delivered in year n)

Output: Anti spam strategy revisited
Started: A specific contract has been launched in order to perform the first step towards the definition of the new strategy.

Output: Improve monitoring and reporting means
Delivered: Projects around these activities are over. Now in "regime" situation, that is, the evolution is performed in the context of the normal operation of the service.

Output: Network Users Proximity Service (NUPS) email implementation
Delivered: The Phase-in of the new contract is ongoing. The first major phase (migration part) is now ended. The Phase-out of the former contract is over. The new contractor is now fully operational on a Service-Level basis.

Output: New e-mail policy
Delivered: DIGIT is still participating in SG's initiative. Draft policy presented by SG to the Resources Directors. Technical impacts for the email service have been identified. No specific activity under DIGIT's responsibility at this stage.

Output: Upgrade of e-mail environment (E2K3) to cover an additional 20,000 users with the same quality of service
Partly delivered (50%): Slightly delayed due to infrastructure and space limitations (for more details see the reservation in part 3). All equipment was installed and under integration within the Data Centre.

Output: Ensure proper housing of computer room facilities
Partly delivered (40%): Inter Service Consultation approved. The contract is signed for the first 800 m². The first moves will take place in September 2008 as soon as the specific installations are finished. The JMO new air-conditioning has not been started yet (for more details see the reservation in part 3).

Output: Evolution towards 10Gb international links
Delivered: The backbone of the Commission's network, and particularly the international lines supporting communications between Luxembourg and Brussels, were the subject of a major upgrade on 1st August, passing from a capacity of 1 Gigabit/second to a capacity 10 times greater. These links are the basis upon which the Commission's telephony and data services between Brussels and Luxembourg are built. The upgrade required several months of preparation, with intensive testing, which put both the provider and the Commission team responsible for these services under quite some stress. The operation required new installations in four Commission buildings, JMO and BECH in Luxembourg and BREY and L130 in Brussels. The network setup uses different technologies (Nortel in Brussels, Alcatel in Luxembourg and Lucent for the international path) which had to be synchronised. Following DIGIT's policy of redundancy and minimum risk for such an essential service, each one of two lines consists of an optical worker path and an optical protection path to guarantee maximum availability. In addition to these measures, the "old" 1 Gigabit lines will be kept as backup for several months. The migration was done without any visible impact on the end-users. No service interruptions occurred at all.

Output: Implement managed service contract for Systems and Infrastructure service management (OASIS)
Partly delivered (30%): Orientation document was finalized and approved. Tendering specifications are still under elaboration.

Output: Define and implement a Commission-wide teleworking deployment strategy
Delivered: The pilot exercise took place with great success. 238 tokens (out of the 800 foreseen for 2006 and 2007) could be distributed without delay, for the expected rush for tokens did finally not occur. The access infrastructure is monitored and no capacity problems were detected so far. The stock of tokens is sufficient for the short term. The service was initially announced without full support. Nevertheless, support functions in the DGs and of SNET helped teleworkers with their teething problems.

Output: Mobile phone business continuity plan
Delivered: Business continuity plan document is completed and available.

Output: Internal voice Business Continuity Plan
Delivered: Business continuity plan document is completed and available.

Output: External voice Business Continuity Plan
Delivered: Business continuity plan document is completed and available.

Output: INFOTEL Business Continuity Plan
Delivered: Business continuity plan document is completed and available.

Output: Business continuity plan for the network
Delivered: Business continuity plan document is completed and available.

Output: Implement business continuity and disaster recovery plan guidelines
Partly delivered: On going with BCP project, pre-study is finished, full study is ongoing, deadline around end 2008.
1.2.3. Activity 04 - Corporate ICT infrastructure solutions
DIGIT Training Services: Major achievements were realised with the production of new training materials both for classroom training and for e-learning. The selection of a Virtual Learning Environment (VLE) is in a final stage. The ITECC - Office certification programme entered the second year of service while new certifications were added for Project Management and ITIL. 2007 was the year of renewal of several calls for tenders providing the contractual framework for the provision of IT training services in the next years (both for technical staff and end-users).
IT Infrastructure Consolidation (ITIC) Pilot: This pilot initiative prepares the IT Infrastructure Consolidation (ITIC) in order to achieve the efficiency gains and service improvements in IT infrastructure as outlined in the communication on IT governance (SEC 2004-1267). The initial design, procurement and deployment of the infrastructure have been completed, and DGs IAS and REGIO have already been enrolled into ITIC service provision, based on Service Level Agreements (SLA) and Key Performance Indicators (KPI)-based reporting. In December it was decided to extend the scope of the pilot to include DG EAC and DGT, thereby totalling 4 DGs and roughly 4.000 users, and to change the timeline by targeting pilot completion by the end of Q2 2008. The Commission will then be in a position to decide on the full consolidation of the IT infrastructure and related services. Negotiations with EAC resulted in the signature of the "protocol d'accord" in January 2008. Negotiations with DGT are still in progress, to provide DGT with a service offer including the takeover of all their servers. Preparatory work has been started with SG, FISH, ADMIN and the other DGs already served by the DIGIT IRM team. These activities will be continued throughout 2008.
Open source CIRCABC and IPM: The CIRCABC (document collaboration) and IPM (Interactive Policy Making) services improve collaboration between committees and working groups involved in projects of European Union Institutions and Member State administrations at a pan-European level. These services will also improve interactivity between administrations, businesses and citizens. An Open Source platform has been chosen for the development of CIRCABC. Multilingual aspects, web accessibility and security features have been added and experience gained with development via a community for public administrations. The major output of this activity is the delivery of a first open source version under the European Public license (EUPL).
Identity and access management and electronic signatures: This initiative plays an important role, as technical enabler, in the e-Commission roadmap. The electronic signature problem statement, vision and project definition documents have all been drafted and approved. A series of one-day workshops has started, aiming at increasing IT security awareness. Work is ongoing on the detailed specifications for the external implementation of the Public Key Infrastructure (PKI) and for the middle layer linking this PKI platform into the office automation environment and the information systems at the EC. In 2007, the European Commission Authentication System (ECAS) proved itself capable of coping with peak workloads in an efficient and reliable way (e.g. the new Flexi-time application). ECAS will continue to provide cornerstone identity and access management functionality while progress is made towards the future security solution (e.g. ECAS signature already provides an implementation of a simple electronic signature).
A Commission Service Oriented Architecture: The IPCIS project (Interoperability Platform for Corporate Information Systems) provides a common technical platform and associated service to facilitate the development of information systems within a Service Oriented Architecture (SOA). The upgrade of the application server has been completed and the Weblogic Server (release 10) is now the recommended product choice. The recommendations for web services take into account the latest available specifications concerning security and reliability. The updated web service platform will be delivered during 2008. An initial production deployment platform is ready for Message Oriented Middleware (MOM) and Enterprise Service Bus (ESB) use. Several workshops took place. A proof of concept using the Enterprise Service Bus solution was successfully delivered and presented to the e-FP7 project. The orchestration workflow engine is also available for users and the platform has been upgraded to the latest Weblogic Integration release (9.2). Major efforts have been invested in portal technology, which led to a strategic corporate portal decision based upon a combined product choice consisting of Microsoft's Office Sharepoint Services (MOSS) (for collaboration and information dissemination purposes) and BEA's Portal Server (release 10) (for application integration purposes). BEA's registry product has been evaluated to implement the central registry at the European Commission. A demonstration playground is available to explain the concepts and refine the requirements with the DGs. Work has started on the implementation of a central interoperability service in the Data Centre.
A flexible platform for Internet Services: The main objective of the Flexible Platform project is to provide both a technical platform that is easy to set up and maintain and also an evolving set of multilingual web tools which will help the European Commission to improve its communication and collaboration by implementing the most successful Web 2.0 practices (blogs, forums, e-voting polls, wikis, etc). This initiative responds to the Commission's recently adopted strategy to communicate better with the public via the internet. The action adopts a practical and tactical approach by quickly providing easy-to-set-up, out-of-the-box solutions, without making a great investment, with a view to closely following the evolution and trends of the Internet.
The EUROPA Flexible Platform project is managed in close collaboration with DG COMM, which has financed this project since September 2006. In September 2007, DIGIT started the Intranet Flexible Platform and also made these new services available on the intranets at the Commission. While the infrastructure for the Intranet Flexible Platform is still being rolled out, requests are growing exponentially. Several presentations took place and training courses are in preparation.
Activity 04 - Corporate ICT infrastructure solutions: Result Indicators

e-Commission roadmap dimension 1: External Dimension
Specific Objective: 2 - Increase transparency of services for staff and external stakeholders

Result indicator: B05 - Success rate of the new collaborative I.T. service (number of projects joining, number of web-site hits, survey in community)
Situation at year n's end: The target of delivering a new IT service based on open source software has been achieved with the flexible platform. This platform offers for the Europa website (for the public) blogs, forums, e-voting polls and greeting card services. Blogs have been used within Commissioner websites and by Commission Representations in 23 languages. e-Voting is present on the Europa home page. The same services are available on the intranet.
Target (mid-term): Release a new I.T. service based on Open Source software.

e-Commission roadmap dimension 3: Technical enablers
Specific Objective: 2 - Increase transparency of services for staff and external stakeholders

Result indicator: CLWP - Satisfaction of EC staff with the new internet services and external use of the flexible web platform
Situation at year n's end: The flexible platform offers an increase in the interoperability between different information system development teams. The greeting card service on IntraComm sent more than 13.000 e-cards in December 2007 (close to 50% of the officials). The first wikis delivered are mostly serving IT teams, but the same technology has been demonstrated to non-IT teams during Europa's Forum, within the ICN network and during several meetings with DGs.
Target (mid-term): An increased interaction between policy makers at the European Commission and the European businesses and citizens, based on new IT services released within a flexible Internet environment.

Specific Objective: 5 - Increase interoperability of information systems

Result indicator: IO1 - Number of applications using the interoperability platform
Situation at year n's end: Due to budget scarcity only 2 applications went into production. The first application concerns a bridge between the DIGIT helpdesk and the development tools and the second application concerns the e-FP7 project for the family of research DGs. Depending on the availability of resources, 3 additional applications are ready to use the interoperability platform.
Target (mid-term): Improved interoperability between information systems, starting with an operational service of message transfer among information systems.

Result indicator: I02/I03/I04/J06 - Number of information systems using the common IT security solution, Availability of electronic signatures, Compliance with legal reporting and audit requirements, Quality and trust of I.T. security services
Situation at year n's end: 330 information systems already use ECAS, the common IT security solution at the EC. This is a 60% increase compared to the previous year. In the domain of electronic signatures, a vision document has been approved by DIGIT management and discussed with Commission stakeholders. The preparation of detailed specifications for a Public Key Infrastructure (PKI) service has started. The first pilot applications should use this Electronic Signature Supporting Infrastructure (ESSI) platform by year-end 2008. The gradual delivery of modules for Identity and Access Management has started with the delivery of a vision document. ECAS is now supporting external users and provides a first implementation of a simple electronic signature.
Target (mid-term): Improve I.T. security for office and information systems through the gradual delivery of modules for Identity and Access Management service (authentication, administration, authorisation, reporting, etc.). A trusted framework for doing business with our external partners, supported by the appropriate electronic signature technology.

Result indicator: ITP - IT Infrastructure Consolidation: Improvement of service levels, Successful migration to a consolidated infrastructure and service, Scalability of the technical solution, Availability and disaster recovery capability
Situation at year n's end: DGs IAS and REGIO have already been integrated into ITIC service delivery organisation. The different services included in ITIC are offered to these DGs through an SLA with a KPI-based reporting. The IT infrastructure on top of which ITIC services work is hosted in the Data Centre, and disaster recovery capable and scalable in order to meet Business Continuity Plans requirements and accommodate the future growth of the user base.
Target (mid-term): Technical Solutions design of a new consolidated infrastructure. Implementation of the consolidation with a representative group of pilot DGs.

e-Commission roadmap dimension 4: Organizational enablers
Specific Objective: 6 – Support previous objectives by a cost-effective, resilient and highly performing ICT infrastructure

Result indicator: H03/H04 - The successful introduction of an effective e-learning service, The timely launch of tenders for IT training including the e-learning approach and method, A satisfactory usage and acceptance level of e-Learning services, A steady increase in the number of IT certifications
Situation at year n's end: In the e-learning initiative, the technical and functional tests were completed for the selection of a VLE (Virtual Learning Environment system) for the Commission and the beta-version for the IT starter Kit for newcomers has entered its final stage. Also 650 users have been registered for the ITECC (European Commission IT certification e-learning program) and 220 out of them have been certified. The new ITECC action for 2007-2008 has been launched. The call for tenders T-STD2 (Microsoft Technical Trainings) and T-TECH (Technical Non MS IT training) were completed and contracts were reviewed. Also a call for tender BIBLIO (IT magazines and books) was published. The Orientation Document for TRAINUSER has been approved and specifications are to be finished by end of Feb 2008. These actions will allow the continuation of the availability of traditional classroom trainings.
Target (mid-term): To complement traditional classroom training with new forms of learning such as eLearning, virtual classrooms, etc. Provide the staff with targeted, qualitative, cost-effective and accessible learning to develop the skills they need.

Activity 04 - Corporate ICT infrastructure solutions: Main policy outputs (delivered in year n)

Output: Develop and deploy CIRCABC on an Open Source Software platform
Delivered: The first production release 1.0 was rolled out at the end of 2007. Currently both IPM's and CIRCA's source code are available for download under the EUPL license from the IDABC site and on Circa. Several workshops were held in 2007 to present the new releases and migration procedures.

Output: A flexible platform for Internet Services
Delivered: DG COMM has decided to continue the external Europa flexible platform project and renew the Protocol d'accord. The objective is to support the existing production services (blogs, forums, and e-voting polls) and implement new services, easy to put in place. The first identified services for the Intranets Flexible Platform (Blogs, Forums, e-voting polls, wikis, Image Galleries and Greeting Cards) have been delivered between July and November 2007. DIGIT will continue its efforts in the Flexible Platform domain with new web 2.0 technologies in order to enhance the Communication within the Commission.

Output: Establish a Commission Service Oriented Architecture (SOA) of information systems
Delivered:
- Enterprise service bus: done, production ready at Data Centre
- Workflow tools: done, production ready at Data Centre
- Portal tools: evaluation done, busy packaging.
Summary of progress by work package:
- Interoperability Technical Platform (ITP): done in 2007
- Interoperability Deployment Infrastructure (IDI): preparatory actions done in 2007 and initial platforms ready at Data Centre, remaining actions foreseen in 2008 (provided budget is made available)
- Common Service Registry (CSR): evaluation completed in 2007, remaining actions foreseen in 2008.
- Interoperability service definition (ISD): on going, most actions are foreseen in 2008

Output: Define a global Identity and Access Management strategy, including analysis, definition & deployment of electronic ID management
Delivered:
e-Signature:
1. The scheduled problem statement, project vision and project definition documents were approved by DIGIT management. These documents have also been discussed with the Commission stakeholders. A series of one-day workshops has started, aiming at increasing IT security awareness.
2. The project started (a) the preparation of detailed specifications for externalised implementation of the public key infrastructure (PKI) subproject and (b) the preparation of the implementation of the ESSI platform (Electronic Signature Service Infrastructure) bridging the PKI platform with the requiring information systems and office automation at the European Commission.
3. A report is available on the use of ECAS as a tool for simple e-signatures.
4. First pilot applications should be using the ESSI platform for advanced e-signatures by year-end 2008, but the tasks related to the management and delivery of certificates (PKI track) must be performed under the responsibility of the Security Directorate (DG ADMIN).
Identity and Access Management (IAM):
1. Evolutive maintenance of ECAS has been assured in 2007. ECAS migrated successfully to a more performant infrastructure in Q2 2007 in order to support the Flexi-time application requirements.
2. The ECAS external access functionality has been developed and successfully presented in July 2007. This implementation contains a web application (called AIDA) allowing application managers to manage named external user accounts via delegation. DG AIDCO started production use of this service (via the web-service interface module) in Q4 2007. The project is now ready to support additional applications.
3. All IAM activities have been re-grouped under a single management structure with a formal split between the development project and the operational service. A steering committee, a technical committee and a service coordination group are operational and decide upon functionality included in the upcoming (ECAS) releases in 2008.
4. The IAM vision document has gone through a first review cycle but a modification is outstanding in order to integrate additional service management considerations.
5. The current ECAS solution (with small enhancements) proved to cover satisfactorily short term needs (e.g. a first implementation of a simple electronic signature is available). The future road map and architecture document will be finalized by Q4 2008 and are dependent upon a security products market, still in full evolution.

Output: Study and potentially implement infrastructure consolidation (feasibility study and potential implementation)
Delivered: The initial design, procurement and deployment of the infrastructure are completed, as well as the migration of 2 DGs to ITIC services. An extension of the infrastructure to support the growing user base will be ordered and deployed in 2008. It was decided to extend the scope of the pilot to include DG EAC and DGT, thereby totalling 4 DGs and roughly 4.000 users, and to change the timeline by targeting pilot completion by end of Q2 2008 (except deployment of desktops for DGT). The rollout of IAS and REGIO is completed, except for the reinstallation of their desktops, which is scheduled in Q1 2008. Negotiations with EAC resulted in signature of the "protocol d'accord" on 18 January (2008). Migration activities for DG EAC are scheduled to start in Q2 2008, starting with the takeover of first level support service, followed by office automation service migrations, and rollout of desktops. Negotiations with DGT are still in progress. In December 2007, DIGIT submitted a second version of its ITIC proposal to DGT. A third version will have to be prepared, following a request by DGT for obtaining an all-inclusive offering, catering for all their servers. Preparatory work was started with SG, FISH, ADMIN and the other DGs already served by the DIGIT IRM team. These activities will be continued throughout 2008. The ITIC SLA (v0.3) and service catalogue documents are publicly available. KPI reporting was partly implemented, and will be further developed in 2008. The project's Web presence on Intracomm went live on 30.11.2007. An ITIC change management process was put in place to deal with incoming RFC (requests for change).

Output: Develop and deliver training to raise awareness of all internal stakeholders of ICT disciplines and evolutions in the Commission. Develop and deploy e-learning capacities
Delivered: Major achievements have been completed with the production of new training materials both for classical classroom training and for e-learning. The selection of a Virtual Learning Environment (VLE) is completed. The ITECC - Office certification program has entered the second year of service while new certifications are added for Project Management and ITIL Version 3. 2007 has been the year of renewal of several calls for tenders providing the contractual framework for the provision of IT training services in the next years (both for technical staff and end-users).
Classroom training:
- New ITIL Version 3 courses have been scheduled for the first Q 2008. One day course ITIL bridge version 2 to version 3, and a new ITIL foundation course version 3
- New CAPM (Project Management Certification) courses have been organised for the first Q 2008. These types of courses are gradually moved over to ADMIN A3 as general project management courses.
E-Learning modules published:
- The SECEM/PKI (=Secure Email) module has been published in EN-FR
E-Learning modules in development:
- The "Starter Kit for newcomers" is now available.
- "EAS efficient storage" has been delivered
- "Fighting Spam" has been delivered
- "Optimail" has been delivered
- "SYSLOG DG": under development – to be completed in 2008
ITECC 2007 (IT Office Certification e-learning):
- Has been launched
- Certification will last until 30/06/2008
1.2.4. Activity 05 - Corporate Information systems governance; IT consulting; Information systems development and support
Significant progress was made by DIGIT in executing its mission concerning information systems: coordination of the e-Commission; delivery of corporate information systems; and implementation of the Commission's IT governance. The annual report on the e-Commission confirms that the Institution is currently on track to meet its objective of becoming an integrated administration by 2010. Increased awareness of the role of IT in the Institution has been achieved through the IT priorities exercise and the elaboration of the roles and responsibilities of the central services as regards IT. This positive evolution has prepared the ground for the 2008 mid-term review of the e-Commission. This review will be an opportunity for DIGIT to complement the activities of the IDABC programme, thereby consolidating its role in formulating and implementing pan-European interoperability policy and services in addition to its contributions to the simplification, transparency and effectiveness of the Commission's internal operations.
2007 saw DIGIT's responsibilities extended to delivering information systems supporting specific policy areas, thereby contributing to the e-Commission's external dimension. The IMI (Internal Market Information) system was developed for DG MARKT. It has the potential to be reused by other DGs and will evolve during 2008 to support the Services Directive. DIGIT's partnership with the Research DGs to deploy information systems to support FP7 also progressed. DIGIT produced an overall architecture and plan, on the basis of which the Research DGs chose to concentrate initially on common "front-office" systems. In this context DIGIT delivered a first version of PDM/URF which will be extended in 2008 to provide unique registration facilities for all participants in FP7 research programmes.
DIGIT's delivery for the e-Commission's internal dimension was strictly aligned with the ABM's IT priorities, developing corporate systems to support: document management; the institution's decision-making processes; human resource management; integrated information management; and financial management. These systems contribute to improving the efficiency of the Institution and support VP Kallas's simplification and transparency initiatives.

The first release of the systems (ARES/HERMES/NOMCOM) for e-DOMEC for the SG was completed based on feedback from the Document Management Officers (DMO) and the dedicated infrastructure installed in the Data Centre. The system has been put into production in DIGIT (February 2008), which will allow the progressive deployment of the system from 2008, resulting in a unique repository for all official documents accessible by authorised persons across all DGs. Moreover, development of the new system e-Greffe owned by the SG started with the delivery of a first version for feedback from the end-users. This will allow the rollout of the first release in April 2008. Finally, Argus, the system to support crisis management, was completed with facilities for managing staff availability and extended with portal functions integrating information from JRC.

The Sysper2 HR system for DG ADMIN was extended, mainly with modules for Time Management (leave absences and part-time) and for managing Flexitime. It was adapted to manage all aspects of careers so as to allow the phase-out of SYSPER. Preparatory work was also done for the new CDR and promotion procedures, which will be completed during 2008.

The Corporate Portal elaboration phase, including a proof of concept and architecture definition, was completed. DIGIT will develop and deploy the system owned by DG ADMIN during 2008. It will provide users personalised access to Commission information; tools for collaborative work; and integrated services supplied by information systems.
The deployment of ABAC Assets was completed in the delegations and permanent representations. Preliminary work was undertaken to prepare the modernisation of the systems to support DIGIT's financial and contractual processes.

Essential elements of the organisational and technical enablers for the e-Commission are the actions to ensure business continuity. This has been identified as one of the ABM's priorities and during 2007 the first version of DIGIT's global Business Continuity Plan was completed. Detailed plans for 6 of the 8 core services provided by DIGIT were completed by the service owners and the remaining 2 are on track to be completed in 2008.
The European Commission's IT Governance matured during 2007 with a clearer understanding by all actors of their roles and responsibilities. The DIGIT budget allocation proposal for the common information systems budget line, based on the DGs' schema directors and on the preparatory work done by the MAP, was accepted as a basis for the budgetary hearings by DG BUDG. There has been an increased uptake of the RUP methodology, confirming that DGs appreciate the need for a rigorous approach when building information systems.

In summary, the progress made on the e-Commission during 2007 and the systems delivered were in line with the planning for the year and will underpin the work to be done in 2008 leading to an integrated Commission enabled by innovative IT.

Activity 05 - Information systems governance; ICT consulting; Information systems development and support

Table columns: Result Indicators; Situation at year n's end; Target (mid-term)
e-Commission roadmap dimension 1: External Dimension

Specific Objective: 1 - Deliver better quality services by improving the support to the Internal Market policy

- Result indicator: A05 - Release a first version of the Internal Market Information (IMI) system to the satisfaction of the project owner and users
  Situation at year n's end: First version of the IMI system implementing the minimal features to support the information exchange required to support the Professional Qualifications directive for a restricted number of professions (accountants, doctors, pharmacists and physiotherapists).
  Target (mid-term): Have the IMI system acting as the sole communication platform providing the necessary information to allow proper implementation of a range of Internal Market Directives with cooperation/mutual assistance provisions
Specific Objective: 2 – Increase transparency of services for external stakeholders by providing a set of efficient IT tools to facilitate their relationships with the EC in the framework of the Research policy

- Result indicator: A04 - The participant database and Version 1 of URF in production, to the satisfaction of the project owner and users
  Situation at year n's end: The FP7 Quick Start project has successfully concluded and DIGIT helped whenever necessary. DIGIT released the "eFP7 interim report" offering a complete proposal for the evolution of the FP7 IT systems but the Research DGs opted for a less ambitious target and DIGIT has not been confirmed as the unique supplier of integrated systems.
  Target (mid-term): Move and operate eFP7 towards a common architecture and engineering methodologies. (The current eFP7 is an integrated information system supporting the business processes of the Framework Program 7, that interoperates with specific local systems developed within the Research DGs)
e-Commission roadmap dimension 2: Internal Dimension

Specific Objective: 1 - Deliver better quality services by improving the support to Decision Making and Crisis Management processes in the Commission

- Result indicator: C02 - First version of the e-Greffe system developed on the chosen target architecture
  Situation at year n's end: The needs of the Greffe have been defined during 10 meetings ("salons") with the users. Production is foreseen for the second quarter of 2008 and this version will include an interface with Poetry (translation requests and translations).
  Target (mid-term): Ensure compliance between users' needs and features of the system. Availability of "translation procedures" related features (long-term objective)

- Result indicator: C05 - New releases of ARGUS accepted by the system owner
  Situation at year n's end: The Argus Portal has been delivered. This publishes information for a given crisis, coming from ARGUS and several sources, such as the JRC. Member States and other institutions can be given access to selected information.
  Target (mid-term): A tool that allows the integration of Rapid Alert Systems, based on import/export features

Specific Objective: 4 - Streamline processes by delivering high-quality corporate information systems in the document management, human resources and financial domains

- Result indicator: D03 - Number of DGs where Ares/Hermes is in production
  Situation at year n's end: Rollout in DIGIT took place on 20 February 2008 and rollout in DG MARKT is planned for April 2008
  Target (mid-term): The objective is to rollout Ares/Hermes to 10 DGs during 2007 and complete the rest of the DGs during 2008 and 2009.

- Result indicator: D01 – SYSPER2 Time management & Flexitime management: Timeliness of the deployment and synchronisation with the administrative decisions of DG ADMIN
  Situation at year n's end: Delivered on time (2nd quarter)
  Target (mid-term): Quick-phasing out of the +/65 SIC Congé and replacement by the 'time management' module of Sysper 2, in conformance with the new rules and guidelines to be published by DG ADMIN.

- Result indicator: D01 - Timely deployment of the first versions of the Career management modules allowing to phase out the obsolete BS 2000 mainframe infrastructure, for DG ADMIN
  Situation at year n's end: Modules have been delivered and are under validation by DG ADMIN
  Target (mid-term): Quick replacement of current obsolete Sysper information system by new Sysper 2 modules in order to allow the phasing out (by DG ADMIN) of the obsolete and costly BS2000 mainframe infrastructure on which SYSPER is still running
Specific Objective: 5 – Increase interoperability of information systems by integrating through the Corporate Portal a large number of heterogeneous IT applications.

- Result indicator: D05 – Corporate Portal: Timely deployment of Corporate module
  Situation at year n's end: The elaboration phase has been finalised
  Target (mid-term): A commission-wide corporate portal fully deployed
e-Commission roadmap dimension 4: Organizational enablers

Specific Objective: 1 – Deliver better quality services by providing guidance on business continuity.

- Result indicator: GO3 - Approval of DIGIT Business Continuity Plan and percentage of key actors being trained
  Situation at year n's end: Overall BCP and six out of 8 specific BCPs set-up. Crisis management/business continuity arrangements presented to the key staff.
  Target (mid-term): BCP set-up and implemented and 100% of key actors being trained
e-Commission roadmap dimension 5: Roadmap management

Specific Objective: 1 – Deliver better quality services by coordinating analyses of gaps in specific e-government domains impacting the e-Commission with a view to keep the e-Commission roadmap up to date and in synchronisation with policy developments.

- Result indicator: K01 - Implementation of the eCommission Roadmap by the services: Number of yearly releases of the roadmap, Timeliness of the delivery of annual progress report, Timeliness of the identification of the domains (maximum 3) to be analysed, Timeliness of delivery of the gap analyses
  Situation at year n's end: A report has been prepared and sent to the cabinet. The next step is the mid-term review (with a communication planned for adoption in Q4-2008) which will review the overall framework and propose, if necessary, an update to the e-Commission roadmap.
  Target (mid-term): Lead and implement an e-commission roadmap planning, monitoring and reporting cycle.
Activity 05 - Information systems governance; ICT consulting; Information systems development and support

Main policy outputs (delivered in year n)

Develop and deploy the Internal Market Information System (IMI)

Delivered: The first version of the IMI system implementing the minimal features to support the information exchange required to support the Professional Qualifications directive for a restricted number of professions (accountants, doctors, pharmacists and physiotherapists) was delivered on 12/11/2007. These features are the following:
- Competent Authorities Management (registration of new CAs and management of existing CAs)
- Information Request Management (creation and management of information requests) and Workflow definition
- Multilingualism (system available in all official languages)
- Translation features (module available to translators for the translation of anything displayed on screen, online translation or upload of translation files)
- Users and access administration

These features will be completed in 2008. Some optimisations are still ongoing in order to limit the usage of computing resources and improve the performance of the system. A dedicated hosting environment is being considered in the longer term.

Develop and deploy an information system to support FP7

Delivered:

FP7 Quick Start: The project has been successfully concluded by the Research DGs. DIGIT helped whenever necessary.

eFP7 Project: Following a 9 month preparatory study, on 15 June 2007, DIGIT released the "eFP7 interim report" offering a complete proposal for the evolution of the FP7 IT systems based on standard market practices. Following the assessment of the business process landscape and the organisational maturity, taking into account similar initiatives for grant management from other DGs, the report suggests a five year plan leading to a single set of IT systems serving FP7 and other programmes like CIP.
Following a meeting of the IT Supervisory Board of Directors General (the high level governance instrument for eFP7) in July 2007, the Research DGs opted for a less ambitious target of gradual evolution of the current systems, clearly favouring the "front-office" over the "back-office" systems. As a result, DIGIT has not been confirmed as the unique supplier of integrated systems for grant management in Research DGs but remains in the project as one supplier of some front-office and back-office systems and the interoperability of the Research DGs' information systems.

Develop and deploy e-Greffe

Delivered: During Q1 2007, the project owner ran a series of sessions with the concerned staff in order to come up with the set of features for the tool. Following this analysis the Vision Document for the project was completed and the priority features for the first phase of the project identified as well as the candidates for the second phase. According to the project plan, the roll out of the first version of the tool is planned for Q2 2008. The first two development iterations completed in 2007 concerned the following features:
- Complete processing of "autonomous acts"
- "Electronic agreements" from cabinets
- New and more ergonomic "information form"
- Bi-lingual contextual help
- "basculements" of procedures (PEF)
- Better integration of DTS linked with acts to which they refer, following the increase in the number of cases resulting from better regulation (impact assessments etc.);
- Functional improvements resulting from evolving needs and the internal workshops with staff referred to above, together with a refinement of the analysis of requirements;
- interoperability with CIS-Net (including the Fast-Track)
- New follow-in form to support the different workflows in the Greffe action 2 (interface with DGT's Poetry for the request and send back of translations)
Develop and deploy Argus
Delivered: Main achievements for 2007 are:
- The new module called EC Permanence, which allows the DGs and the Cabinets to manage the high ranked officials' permanences during summer and winter holiday periods. Before, the permanence scheduling information was collected manually and compiled in a document which was then circulated via e-mails. Now, the information will be updatable online when needed and immediately available to all the concerned persons and to all Commission staff in a reduced version (i.e. without personal data)
- The Argus Portal, which publishes information for a given crisis, coming from ARGUS and several sources, such as the JRC. Member States and other institutions can be given access to selected information.

Other achievements:
- Performance improvements, minor enhancements (February)
- Accessibility from PDA, extended user tracking, message arrival alert, user-friendly scheduling interface, minor bug fixes and improvements (April)
- EC Permanence (June)
- Switch to FT SMS platform, ARGUS Portal with links to JRC services (news, maps, automated analysis) (September)
- Migration to BEA WL 9.2 platform and JDK 5, some bugfixes (November)
- Extended PDA functionality (support of triggering phase 2), enhancements to the core ARGUS (merging roles, menu reorganisation, better integration with Google maps), automatic component refresh, multitab interface for Portal, direct communication (messaging), multiple RSS components, many small improvements (December).
Develop and deploy Ares and Hermes projects
Partly delivered (60%): Two versions (in July and November) were submitted for testing to SG and the DMO-IRM community, leading to the identification of improvements to the tool. The last specs for the system were completed, in particular those concerning the security model (Sept 2007). These specs have been implemented in the version to be deployed in DIGIT and DG MARKT during Q1 2008.

The development of the framework Hermes Repository Services (HRS) that will allow the integration of other applications and information systems with the Hermes Repository started during Q4 2007. The work concentrated on the definition of a global architecture and the development of a proof of concept of some basic services.

EMC² has carried out a code review of the system as well as a review of the physical architecture for deployment together with the deliverables of the project.

The IT infrastructure for the first 10 DGs has been available since the end of 2007. Performance testing is planned for the beginning of 2008.

In 2007, two test versions of NOMCOM II were made available for testing to SG and the DMO-IRM community. Deployment is now planned for February 2008. Maintenance and user support have been carried out as planned.

However, it has to be highlighted that the budget for 2007 has not been enough to meet the planned deadlines for delivery. In fact, the budget planned in 2006 did not take into account the need to review the architecture of the application (User interface and the scope of features). These necessary changes have resulted in additional resources and The system has finally been rolled out in DIGIT in February 2008 and is planned to be rolled out in MRKT in April 2008.

Deployment of the Sysper2 Time management module

Delivered: Sysper2 (module allowing to manage, in an integrated manner, leaves, absences and various work patterns) has been deployed on 1/1/2007 as foreseen. After the deployment, the support and maintenance (corrective and evaluative) actions required a lot of effort but this module is now complete apart from some small interfaces with other information systems, e.g. the mission management system. These developments have been postponed due to other major priorities for the Sysper2 project.
The Time management module has allowed the SIC Congé to be phased out Commission-wide and could be used as the foundation for the flexitime module required for 1/4/2007. This new module is closely interoperable with all other HR information systems and is improving the quality of service (integrated tool based on common data, streamlined rules...).

Deployment of the Sysper2 Flexitime module

Delivered: The flexitime module has been deployed on 1/4/2007 as requested and has been widely used (more than 12 000 officials adopted the flexitime) in all services of the Commission with no problem. Much additional development will be made to further improve the flexitime, and more generally time management, tools (link with badge readers...). This deployment allowed the phasing out of the SIC Congé and offered a cost-effective and interoperable set of tools allowing better quality of services (modern optimised tools), implementing streamlined processes. In particular, the flexitime module required a resilient architecture to be put in place.

Deployment of the Sysper2 Career management module (version 1)

Delivered: Delivered but not yet deployed. The development is finished and these modules have been delivered and are under validation. This validation and tests are indeed crucial since the new modules will be directly linked to the payroll system. In-depth end-to-end tests are being performed by DG ADMIN (for Sysper2) and PMO (for IRIS) in order to allow the deployment of these new modules and all the related interfaces.

Deployment of the Sysper2 Career management module (version 2)

Partly delivered (50%): The staff mobility management module has been already fully delivered. Other extensions have been postponed due to other priorities (attestation, certification, CDR…) decided by ADMIN's HRMIS Steering Committee.

Develop and deploy the Corporate Portal

Delivered: The elaboration phase of the corporate portal project has been finalised. During this phase, the necessary tools have been selected following extensive proofs of concept. A number of project documents have been completed and handed over to the system owner, ADMIN. Among these are a revised vision document, a business case document, a budget plan, and a condensed master plan. Moreover, a lot of operational tasks have been performed with ADMIN to prepare for the existing sites migration, the identification of the services to implement in the portal and the identification of the roles of staff based on their job description. Other work has been outsourced to IBM, which produced a number of deliverables that complement those delivered to ADMIN and allow the operational project to be prepared. A particular input is the identification of a tool allowing the existing sites migration to the portal.

NOTIS has been installed in the operational environment at the data centre only at the end of the last quarter due to a number of technical difficulties (first SOA service to enter operation). Following staff departures the effective pilot use in DIGIT was re-scheduled to February 2008 in order to guarantee full support.

Define business continuity and disaster recovery plan guidelines

Delivered: The first version of the global DIGIT Business Continuity Plan (BCP) was sent to the Secretary General on 30 March 2007. It covered the organisational aspects of crisis management and identified the eight DIGIT core services for which detailed BCPs are required. During 2007 six of these specific BCPs were produced and work is ongoing on developing the remaining two. The overall DIGIT BCP is now being revised and updated.

Monitor and report to the cabinet of VP Kallas on the implementation of the eCommission Roadmap by the services

Delivered: A report has been prepared and sent to the cabinet. In line with the provisions of the e-Commission Communication, which foresees the elaboration of a yearly report to present the e-Commission roadmap progress, DIGIT has consulted all concerned DGs on the 2007 achievements. This reporting exercise focuses on the initiatives that are indeed part of the e-Commission roadmap and not on the entire set of IT activities and projects carried out across the Commission. Based on the feedback from all concerned DGs, including their appreciation of progress, the overall picture is encouraging and most actions are on track. Progress can be observed for all objectives set by the e-Commission communication back in 2005. The Commission thus seems to be on the right track to climb the e-government maturity ladder with an estimated e-government maturity of 2.4, on track towards the objective of becoming an integrated administration by 2010 (level 3 of e-government maturity). The next step for the implementation of the e-Commission is the mid-term review (with a communication planned for adoption in Q4-2008) which will review the overall framework and propose, if necessary, an update to the e-Commission roadmap to include the new e-government initiatives launched by the Commission until 2010.
1.2.5. Activity 06 - Interoperable Delivery of European eGovernment Services to public Administrations, Business and Citizens (IDABC)
In 2007 there were important developments in this area, covering both the on-going implementation of actions included in the IDABC rolling work programme and strategic decisions on the future developments after the end of the current legal framework (end 2009).

Concerning the implementation of the IDABC programme's actions, there were several outcomes in both sectoral projects and horizontal measures. For the projects of common interest, five new systems were put into production and started being actively used in 2007 in the areas of Agriculture, Enterprise, Health and Consumer Protection. In particular it is worth mentioning the newly established network of enforcement authorities on Consumer Protection cases, through which, during 2007, 161 information requests were handled, as well as 95 enforcement requests and 71 alert cases. In addition the development of 2 other systems was finalised in 2007, leading the way to the launch of new services in 2008:
• in the area of Education and Training;
• for the Internal Market and Services area, the Internal Market Information System – IMI. The availability of the IMI system is essential as it is a key measure to facilitate the implementation of the Services Directive.
For the horizontal measures, important milestones were reached in 2007:
• the operational launch of the new S-TESTA network (the secured private network connecting EU and national public administrations), replacing the outdated TESTA II network,
• the joint launch with DG INFSO of the epractice.eu portal (which is today the reference in Europe for the exchange of best practices in eGovernment),
• the finalisation of the new contractual framework for the Your Europe action, which closed the early deployment phase of the portal (that has now been handed over to DG ENTR and DG MARKT),
• the launch of the development phases for the Semantic Interoperability Clearing-house and for the Open Source Observatory and Repository (following the endorsement of the respective Global Implementation Plans by the IDABC management committee).

Furthermore, IDABC has contributed with key deliverables to the i2010 eGovernment Action Plan by providing Common Specifications for the CIP pilot on electronic Identity and with the IDABC study on interoperability of eSignatures. These results will be used as input for the preparation of an action plan in the context of the latest Single Market Review, as announced by the Commission. Finally, under the leadership of IDABC, the Commission has adopted a new type of licence based on the Open Source Software model, the European Union Public Licence (EUPL). This licence is now available in all EU official languages and is becoming a reference licence for European public administrations.

Aside from the implementation of the IDABC work programme, the preparatory work on the follow-on of the programme has started. At the beginning of the year the IDABC management committee endorsed the Commission proposal for the sustainability of the operational infrastructure services developed under IDABC. The aim is to continue support and funding of these services under Commission/DIGIT direct management.
Following this outcome and in agreement with DG BUDG, DIGIT has started the preparation of the follow-on programme. A strategic approach has already been presented to the IDABC management committee which agreed with the approach. Political support from the Member States for IDABC continues to be strong. IDABC work has also been referred to as an essential contribution to European eGovernment in the Lisbon ministerial declaration of September 2008.
Activity 06 - Interoperable Delivery of European eGovernment Services to public Administrations, Business and Citizens (IDABC)

Table columns: Result Indicators; Situation at year n's end; Target (mid-term)

e-Commission roadmap dimension 1: External Dimension

Specific Objective: 5 - Increase interoperability of information systems

- Result indicator: B04 - Define and implement a sustainable strategy for IDABC operational services (notably sTESTA, and PKI)
  Situation at year n's end: Endorsement by the IDABC management committee of the Commission proposal for the sustainability of the operational infrastructure services. The aim is to continue support and funding of these services under the Commission/DIGIT direct management. DIGIT has started the preparation of the follow-on programme. A strategic approach has already been presented to the IDABC management committee that agreed with the approach.
  Target (mid-term): A sustainable strategy is implemented by the end of 2008

- Result indicator: B04 - Prepare the adoption of an updated work programme and related financing decision
  Situation at year n's end: The work programme and Financing decision of the 4th revision of the work programme were adopted in July 2007
  Target (mid-term): Revision of the work programme and financing decision adopted by July 2007

- Result indicator: B04 - Percentage of planned new actions for projects of common interest that have been launched in 2007 (as from the IDABC WP)
  Situation at year n's end: For information: 83% (12 planned and 10 started). These are projects undertaken by other DGs in the context of the IDABC programme. They are mentioned here only for the sake of transparency, since DIGIT has no control over the execution of these projects.
  Target (mid-term): N/A

- Result indicator: B04 - Percentage of planned new actions for horizontal measures that have been launched in 2007 (as from the IDABC WP).
  Situation at year n's end: 88% (25 planned and 22 started)
  Target (mid-term): 100%
Activity 06 - Interoperable Delivery of European eGovernment Services to public Administrations, Business and Citizens (IDABC)

Main policy outputs (delivered in year n)

IDABC Policy development

Delivered: Preparation of IDABC follow-on programme:
- Endorsement from PEGSCO of the proposed approach to the long-term sustainability of IDABC infrastructure services.
- Draft final Consultation paper prepared, comprising both main objectives and description of instruments for a new programme.
- Planning and approach presented to Cabinet.

Management of the IDABC Work Programme

Delivered: The work programme and Financing decision of the 4th revision of the work programme were adopted in July 2007
Main expenditure-related outputs (delivered in year n)

Projects of Common Interest

For information: within the 20 projects included in the WP, 12 actions were planned to be launched in 2007. Of those, 10 actions have started, 1 has been cancelled and 1 is to be moved to 2008. The overall budget consumption has been 86% (3.4 M EUR). These are projects undertaken by other DGs in the context of the IDABC programme. They are mentioned here only for the sake of transparency, since DIGIT has no control over the execution of these projects.

Horizontal measures

Partly delivered: Out of the 25 actions planned to be launched in 2007, 21 have started in 2007, 4 are moved to 2008 or cancelled. Furthermore, one additional measure has been launched this year (so the total is now 22 actions, of which 13 from DIGIT/01). The overall budget consumption has been 130% (26.1 M EUR), including the front-loading of 8M EUR from the 2008 budget of sTESTA.
1.2.6. Activity 02 - Administrative support to other Services and Directorate General, Institutions and executive agencies
Procurement and contractual services: Over the last years the number of EU bodies has significantly increased, in particular Executive Agencies. This situation has resulted in a higher workload for DIGIT in terms of coordination – ex ante in the preparation phase of the call for tenders and ex post in the daily management of the contracts (inclusion of Institutions and the other EU bodies in the course of the contract). This year was characterised by a relatively high level of market procedures (25, of which 10 negotiated procedures, 12 Open Calls for Tenders and 3 other procedures), covering complex issues. The total market volume amount is 303.977.237,28 €. The acquisitions covered by these procedures are hardware, software and services (among others servers, desktop PCs, telephone information services, Internet access, telecommunication equipment, statistical software, desktop software, service centre or audit management software). DIGIT systematically included the requirements of the Eco-Management and Audit Scheme (EMAS) in its calls for tenders for hardware wherever this was possible. For instance, multifunctional devices, servers and PCs were assessed from a technical and financial point of view for the ecological criteria.

Financial services: 2007 has seen an increase of 5% with respect to contracts and order forms for the other Directorates-General. More than 2.300 transactions were submitted by the other Directorates-General for ex ante approval of IT files. What is even more significant is the increase in the number of services provided to operational DGs and services of the Commission and other Institutions and EU bodies, which resulted in an increased number of cross sub-delegated budget lines. This reflected the growing involvement of DIGIT in the development and in the hosting of information systems for the other Directorates-General, in particular the EU policies ones, which jumped from 25 to 37.
Such involvement is also seen in the 25% increase in recovery orders, which is another means used by DIGIT as a service provider to cover its costs, notably those borne for other Institutions.
Logistics: The number of purchase orders has remained steady compared with the previous year - thus about 1.400 purchase orders for hardware, software, maintenance, moves and other associated services were processed on behalf of the ICT community of the Commission. All requests issued by DGs and services were handled and could be converted into orders. For the fourth year in a row, the number of moves has beaten previous records and reached 40.000 ICT items (+ 40% compared to 2004). Despite this increased workload, the logistical services were delivered to the full satisfaction of the 13.000 users who moved in 2007. As the management centre for ICT items in Brussels and Luxembourg, DIGIT also manages ICT items purchased on operational budgets. Because of the importance of this issue for the sound management of the Commission ICT assets, the team dedicated to this task was strengthened in 2007 and all requests for entry into the inventory issued by DGs were processed and accurately booked in the accounts. However, since the entries into the inventory are triggered by the requests from DGs, some non material purchases may still not be recorded in the inventory and the accounts in the year of their delivery.
Information and Communication: The work of maintaining, updating and improving the three DIGIT websites (Europa, DIGIT IntraComm and DIGIT Intranet) continued. In addition, a constant flow of news articles in various fora (Bulletin Informatique, the DIGIT Newsroom and Intranet News plus contributions to Commission en Directe and Management Matters) was produced. The IT User Satisfaction Survey was designed and executed and training and support were provided to correspondents in the DIGIT units.
AAR 2007 DIGIT - Final
Page 33/59
Budget planning and execution: DIGIT is responsible for the budget planning and programming exercise for the IT-credits on the XX lines (1313 and 1314). Part of the credits is allocated to DGs for their local use. This allocation is generally done on a per capita basis, taking into account min/max thresholds. Nevertheless, DIGIT remains AOSD for all expenses under its responsibility. Allocation and follow-up of DG budget is handled with a specific SYSLOG module. DIGIT regularly monitors budget planning issues internally. A specific difficulty of the budget planning process is due to the fact that the structure of the budget lines does not fully reflect DIGIT's business areas; "Virements" are needed to make the necessary adjustments during the year.
Activity 02 - Administrative support to other Services and Directorate General, Institutions and executive agencies Result Indicators Situation at year n's end Target (mid-term)
e-Commission roadmap dimension 4: Organisational Enablers Specific Objective: 6 - Support previous objectives by a cost-effective, resilient and highly performing ICT infrastructure Number of Gama files, Number of new contracts signed, Number of amendments to existing contracts signed, Number of queries handled by Call Centre, Delivery of procurement plan for year n+1 Gama files Avis favorable Avis défavorables Avis mixtes Avis suspendus Dossiers retirés Fiches info Absence d'avis Contracts signed Out of which Interinstitutional11 Amendments signed Number of queries handled by Call Centre Delivery of procurement plan for year n+1 23 0 0 0 1 2 0 26 12 200 4221 Coverage of the whole cycle: definition of the needs, management of procurement procedure and signature of the contracts for the ICT community of other DGs, EU Institutions and Agencies
yes 7/12/07 e-CR Objective 7 - Implement and maintain an effective internal control system so that reasonable assurance can be given that resources assigned to the activities are used according with the principles of sound financial management and that the control procedures put in place give the necessary Content of the websites available, N° of news bulletins published, N° of BI published N° of news bulletins published N° of Bulletins Informatiques published Average percentage of vacant posts Average duration vacancies (months) Recruitments of 50 Have a high quality DIGIT communication contributing to the various objectives of the DG and 3 responding to the expectations of the various stakeholders 10,3% An effective and efficient management of human resources 8,3
Limited average vacancy rate of available posts and Availability of an overview and figures on how vacant posts are dealt with, better gender balance within DIGIT, of AD/AST grades and officials/external service providers
55
[11] All "ILA" contracts of MS are considered inter-institutional
Activity 02 - Administrative support to other Services and Directorate General, Institutions and executive agencies Result Indicators Situation at year n's end From other DGs External Female Male Gender balance 24 31 23 32 32% F, 68% M 0,4 0,73 64 Have an overall framework for the funding of the Commissions operational and administrative ICT services in place Target (mid-term)
Ratio AD/AST Ratio officials/externals G06 - Number of ICT services The number of contributing to the overall funding, Budget "protocoles d'accord" amount contributing to the ICT funding and SLA's illustrating the number of ICT services contributing to the overall funding Budget amount contributing to the ICT funding
11,8 million €
Activity 02 - Administrative support to other Services and Directorate General, Institutions and executive agencies Main policy outputs (delivered in year n) Provide high quality ICT procurement services for DIGIT and the ICT community of other DGs, EU Institutions and Agencies Availability of administrative procedures, operational procedures and DIGIT administrative information on DIGIT intranet Organisation of the annual e-Commission Symposium Fostering the external communication policy of DIGIT (Europa site, BI, coherence) Delivered: The calls for tenders, negotiated procedures, signature of contracts and amendments foreseen for 2007 were done following the planning established for 2007 Delivered: The action started in 2006. As of 4 July 2007 109 procedures feature in the DIGIT Procedures Catalogue on the DIGIT Intranet.
Delivered: The symposium took place on 2 October with 210 participants in the morning and 170 in the afternoon.
Delivered:
1. The three DIGIT websites were constantly maintained, updated and improved and support was provided for all contributors:
• DIGIT Europa (for the public)
• DIGIT IntraComm (for DIGIT's customers in the DGs)
• DIGIT Intranet (for DIGIT staff)
2. DIGIT Newsroom and weekly Newsroom Update: 37 editions of the Newsroom Update were produced with a circulation of over 1.500 Commission subscribers. A total of 220 pertinent DIGIT news items were thus brought to the direct attention of our customers. In addition 39 News items of DIGIT staff interest were published internally on the DIGIT Intranet Newsroom.
3. The new electronic Bulletin Informatique was launched for the
Commission's IT community. Three editions were published in 2007 containing 25 in-depth technical articles provided by 12 DGs (TRADE, INFSO, ESTAT, AIDCO, BUDG, AGRI, ENV, RELEX, SJ, COMM, PMO and DIGIT itself).
An effective and efficient management of human resources, making DIGIT an attractive place to work
Delivered: Screening of administrative and support functions: all job-descriptions have been analysed and sent to units. Validated data is being returned and re-analysed gradually but the foreseen gap analysis and reporting can only start when this is the case for all data. The project suffered some delay as other priorities had to be done first. 2 selections for AT2b agents level AD5 and AD8 could be finalised. Though some progress has been made, DIGIT has difficulty reaching the target fixed for EUR10 recruitments. This is partly due to the fact that the result of the 2 selections returned about 50% of EUR2 candidates and other candidates are already occupying a post or do not match the required job descriptions. In relation to the total number of posts, the percentage of AD posts is now 28.8% (compared to 24.4% on 1.1.2006). In absolute terms, the number of AD posts has increased from 96 to 124 posts over this period. On 31.12.2007, the average percentage of vacant posts (10.30%) is now below the value of 1/2007 (11.48%) and the average value for the semester (11.69 %), after a peak of 12.85% in 3/2007. This is due to the ongoing recruitments at the AST level. The ratio of vacant AD posts is 10.50 %, of AST posts 8.8%. Since 1.1.2007, the average duration of vacancy for empty posts has increased from 5.02 to 8.28. For AD posts, the indicator increased from 5 to 8.62, for AST from 3.84 to 9.06. This results specifically from the long duration of vacant AD and AST posts.
Though a reverse in the tendency could be observed during the year as EUR12 recruitments were ongoing, the indicators clearly illustrate the difficulties in recruiting staff matching DIGIT needs. 15 posts at AD level and 42 at AST level have been published. 56 candidatures could be registered (31 male, 25 female but 11 female candidates for one AST post). 24 people joined DIGIT from other DGs (15M; 9F), 31 external recruitments took place (17M, 14F). In total 32 men and 23 women joined DIGIT in 2007. The gender balance could be improved in 2007 with 2% to 32% women and 68% men.
Setting up a framework for the funding of ICT within the Commission
Partly delivered: The terms of reference for a contract for defining a cost model have been agreed between SG, BUDG and DIGIT. SG launched the contract and work started as soon as January 2008.
2. PART 2 – MANAGEMENT AND INTERNAL CONTROL SYSTEMS
2.1. Inherent nature and characteristics of the DGs risk and control environment
2.1.1. General overview
DIGIT was created as a Directorate-General following a Commission decision of April 2004. In 2006, DIGIT was reorganised with the creation of a new Directorate (Directorate C - Corporate ICT infrastructure provision). A second reorganisation took place on 1 January 2008 whereby one unit was transferred from Directorate B (Corporate ICT infrastructure solutions) to Directorate C and a new unit was created in Directorate B. This will improve efficiency of infrastructure services provision and will put the Directorate-General in a position so that it can cope with increasing demand and business complexity in the development of corporate information systems. Responsibility for the IDABC programme was handed over from DG Enterprise to DIGIT on 1/1/2007 and staff were transferred to the new unit DIGIT.01.
DIGIT wants to be a proactive leader in information and communication technologies, identify opportunities and offer, in partnership with stakeholders, innovative tools, solutions and e-services to enable the Commission to accomplish its goals more effectively and efficiently manage and deliver European policies for the benefit of EU public administrations, citizens and business.
The mission of the Directorate-General is to enable the Commission to make effective and efficient use of Information and Communication Technologies in order to achieve its organisational and political objectives.
With this goal in mind, the Directorate-General for Informatics, in partnership with all relevant stakeholders, has the responsibility to:
– Define the IT Strategy of the European Commission;
– Provide the EC and whenever appropriate other European Institutions and bodies with high quality and advanced:
  – IT infrastructure solutions and e-services;
  – Support services;
  – Telecommunications facilities;
– Deliver information systems required to support EC corporate business processes within the framework of the e-Commission strategy;
– Promote and facilitate, in full collaboration with European public administrations, the deployment of pan-European eGovernment services for citizens and enterprises.
The Directorate-General for Informatics has the lead responsibility for implementing the e-Commission initiative adopted by the Commission in June 2001 which was renewed in November 2005 for the next five years by setting as a strategic objective to increase its eGovernment maturity so as to implement an integrated Commission. This mission is carried out in line with best practices in IT governance and in partnership with all Commission's DGs and Services.
2.1.2. Cross-delegations and handovers
Cross sub-delegated lines are given by DGs to which DIGIT is mainly offering hosting services or for which DIGIT is system supplier for the development of some of their information systems. Underlying SLAs are signed between DIGIT and its clients. For each cross sub-delegated line received, DIGIT provides quarterly and annual reporting justifying the use of credits. DIGIT has also cross-delegated credits to 15 other services. These are, amongst others, used to finance actions within the IDABC programme and for the renting of Data Centre premises. Adequate reporting justifying the use of these credits has been received from the services concerned.
On 1 January 2007, the IDABC programme was handed over from DG Enterprise to DIGIT.
2.1.3. Working arrangements between the Commissioner and the department
The working arrangements between DIGIT and the cabinet of the Vice-President Siim Kallas were in 2006 aligned with the good practice at the Commission following an initiative of the President and the Secretariat-General. No changes were applied in 2007 to these arrangements.
2.1.4. Systemic processes
2.1.4.1. IT governance processes
The Communication on the improvement of information technology governance in the Commission of 2004 [12] assigned the following duties to DIGIT as regards the development of IT strategy and IT interservice coordination in the Commission:
"– DIGIT will be responsible for a coherent corporate Information Systems development strategy, on the basis of the strategy developed in each horizontal DG for its own specific business;
– DIGIT is responsible for the elaboration of the strategy concerning the development of IT and telecommunications infrastructure and IT support services;
– To communicate these strategies, and allow individual DGs to develop their IT strategies in light of them, DIGIT should publish an annual circular to all DGs outlining the calendar and requirements of the informatics budget and governance processes;
– DIGIT should be informed about all new information systems being planned by DGs and about all major revisions to existing systems, independently of budget source or other considerations. DIGIT will provide an opinion as regards the proposed development, potential synergies or overlaps with other developments etc. These opinions will also be presented to the Methodology Architecture Portfolio management subgroup (MAP) of the CTI-IS [13];
– The director general of DIGIT should become a member of the ABM steering group;
– DIGIT should present to SG and DG BUDG the budget allocation proposals for the development and maintenance of information systems financed with administrative appropriations [14] as input to the Annual Policy Strategy and Provisional Draft Budget. These proposals will be elaborated in consultation with the MAP;
– DIGIT will provide guidance, steer and animate the work of the CTI-infrastructure and CTI-IS;
– DIGIT will be responsible for the creation of a common knowledge base concerning all information systems of the Commission on the basis of information supplied by the DGs. It will identify and promote best practices and favour collaboration between all services;
– DIGIT will host the Corporate Project Office (CPO). Its duties concern the horizontal activities related to information systems coordination in the Commission, including the preparation and presidency of the MAP."
The structures foreseen (MAP, CTI-IS, CTI-infrastructure) were immediately implemented. The CTI entities met 11 times a year, the MAP met 11 times in 2005, 8 times in 2006 and 7 times in 2007. The Corporate Project Office has been created and is hosted in DIGIT/B. The Director General of DIGIT became a member of the ABM steering group. DIGIT published the annual IT governance circular in the last quarter of each calendar year between 2004 and 2007. DIGIT received and analysed, in collaboration with the MAP, the schema directeurs of DGs, as foreseen by the Commission decision. DIGIT has proposed to BUDG the funding levels for
[12] SEC(2004) 1267
[13] Comité Technique Informatique – Information Systems. This committee assures the interservice coordination for all matters related to information systems in the Commission
[14] e.g. the common budget envelope XX 01 02 11 05, previously “A7070”
information system development under the common administrative appropriations from 2005 onwards. These budget proposals took into account the IT priorities defined by the ABM Steering Group for the Institution for 2007-2008. It is expected that such a yearly IT priorities exercise be organised by the forthcoming ABM IT governance subgroup.
It is foreseen that all DGs request the opinion of DIGIT prior to initiating a new project for an information system, independently of the funding budget line. DIGIT has given its opinion on the project definitions (alias vision documents) submitted as of the beginning of 2005. The procedure foresees a response in less than 10 working days and has in general been respected in years 2005 to 2007. 11 vision documents in 2005, 76 in 2006 and 106 in 2007 were analysed. However it has to be regretted that not all new information systems benefit from such opinions. DGs tend to submit for opinion only systems funded from the common administrative appropriations. In order to further enforce the Commission decision, DIGIT controls the existence of such approved vision documents for any new system installed in DIGIT's data centre.
In order to develop a coherent information systems development strategy, DIGIT has elaborated the e-Commission communication 2006-2010 which records the high level objectives and action lines of this strategy. A roadmap has been elaborated and a yearly report on progress produced as foreseen in the communication.
A common knowledge base of all Commission information systems and of all activities related to them has been created and made accessible to all staff (GovIS).
The standards for the project management and development of information systems are being developed. This process started in 2005. They are the RUP@EC project management and development methodology, the Commission's IT enterprise architecture framework and DIGIT's hosting guidelines.
DIGIT has been systematically providing guidance, steering and animating the work of the CTI-infrastructure and CTI-IS in particular via monthly inter-service meetings.
2.1.4.2. Other systemic processes
At the end of 2006 DIGIT transmitted its Business Impact Analysis and Business Continuity Plan to the Secretariat General. This identified eight systemic critical functions for which DIGIT is responsible as the process owner:
– Central Help Desk (CHD) - Point of contact of DG DIGIT for the handling of ICT incidents coming from the local service desks of the DGs, dispatching and reporting incidents that are transmitted to the DIGIT third level support groups or to third parties;
– Corporate Information System Hosting (ISHS) - Management of critical, essential and necessary corporate and DG information systems hosted by DIGIT, as identified in the Communication to the Commission; assurance of availability and performance;
– Data Network Infrastructure (Snet) - The data network services supporting internal and external data communications, enabling the services of internet and intranet, electronic mail, video conferencing, information storage, applications and information systems;
– Systems and Infrastructure (SIS) - Management of infrastructure hardware and related software; assurance of operations of the Data Centre, Office Automation and Telecommunication;
– Telephone Information (INFOTEL) - The telephone answering services ("INFOTEL") of the European Commission in Brussels and Luxembourg;
– Telephone (FTSA/VCOL/NUPS-MCP) - Management and support of fixed and mobile telephony services in Brussels and Luxembourg;
– Corporate IT Infrastructure & E-mail (CITIS) - Electronic message handling services and the associated services; providing E-Mail, access management, virtual fax handling, anti-virus software, external access to Commission applications;
– Secure Network (sTesta) - Management of the telecommunications network for the secure information exchange between European public administrations.
Most of the corporate infrastructure services are now provided by companies on a service mode basis under DIGIT contractual oversight instead of being provided by teams composed of Commission officials and external people under time & means contracts. All contracts for the provision of services now include a Service Level Agreement which enables DIGIT to closely monitor the quality of the services provided, mainly through appropriate key performance indicators. For each of the eight critical services identified, a Business Continuity Plan has been or is being established. As part of this exercise, measures have already been taken and others will be taken in order to eliminate or mitigate the risk of discontinuity in the provision of those critical services.
2.2. Management and control systems
2.2.1. Budget execution
2.2.1.1. Administrative credits
1. Inherent nature and characteristics of the DGs policy environment and stakeholders
Summary: The Directorate General supplies Information System hosting, development and procurement services to other DGs, Institutions and Agencies and buys services and supplies in the area of Information and Communication Technology. Contractors are mainly large companies or consortia of large companies. There are approximately 25 procurement procedures a year for a total value of 303.977.237,28 EUR for 2007.
Key inherent risks insofar as they impact on reasonable assurance (including limit and extent of its responsibilities and those of other stakeholders):
• DIGIT reported in July 2007 a cross-cutting risk [15] of untimely and unpredictable ICT budget and complexity of its supporting processes to DG BUDG. A first version of a procedural framework based on Service Level Agreements (SLA) to allow for charge back DGs inter alia on their operational budget was set up. This approach needs further refinement of the methodology to calculate costs and terms of reference for a study were elaborated by the Secretariat-General (SG) with the help of DIGIT and BUDG. The study has been subcontracted by the SG and the results can be expected in 2008.
• Procurement is highly regulated. Detailed rules exist with even more in depth guidance based on experience and the jurisprudence of court judgements. In-depth knowledge is therefore necessary to manage procurement effectively. Such knowledge is provided via the use of standardised procedures and a wide range of up-to-date templates. Moreover, the whole procurement cycle relies on an Orientation Document, in which an analysis of the risks is performed. In particular, this analysis aims at taking into account all aspects of the market situation in order to prepare a call for tenders that will lead to a competitive and plural offer.
Transparency of the procedures is achieved by adequate information (see below), allowing any economic operator to be informed correctly.
Management mode/s: Direct centralised management
Key figures:
Procurement:
Year    Awarded market volume    Number of procedures
2007    304.497.237              27
2006    897.351.478              19
2005    172305458                22
2004    276315349                33
2003    129680138                37
Contracts have in general 1 contractor except in the case of "cascades"
Average median /value/ range of contracts: 12.15 MEUR (ranging from 60.000EUR to 81 MEUR)
The average duration of the contracts is 4.3 years
Split between services and supplies: 18 service (56.841.622€) and 9 supply
[15] A risk is cross-cutting if other DGs need to be involved in the management of the risk
(247.682.615€) Budget planning and execution:
Financial execution indicators
Orders processed: 3.267
Commitments made: 2.121
Payments made: 5.394
Recovery orders made: 127
Order files submitted by the DGs for DIGIT visa ("paraphe"): 2.288
Credits received: 145.306.062
Out of which cross-delegated credits: 20.408.595
Credits committed: 142.515.358
Out of which committed cross-delegated credits: 20.402.670
% of committed credits: 98,08
% of committed cross-delegated credits: 99,97
Number of sub-delegations received: 37
Appropriations
2. Management and control systems – the basis of the declaration of assurance
Planning and selection process of contractors, including preventive controls
In DG-DIGIT, there is a streamlined project cycle approach for the organisation of the public procurement, independent of the type of procedure. In the last quarter of every year, a planning exercise is carried out in order to assess the needs for the next two years in terms of contracts and to translate them into public procurement procedures. At any time during the year new needs may be included in the planning. The needs for supplies derive from the Product Management procedure in which the other DGs participate. This procedure provides the needs of DGs and DIGIT and the decisions result from a formal agreement with DGs. The planning exercise is prepared with the full involvement of all Operational Units and coordinated by the Contract and Finance Unit. The management at all levels is involved in its preparation and consolidation. Any procedure, whether an open call for tenders or a negotiated procedure based on any legal basis, has a strict project management approach.
The main steps related to the decision making process are the following:
1) Preparation of an Orientation Document for the file.
2) Presentation of the Orientation Document to the Management Meeting of DG-DIGIT and approval by the Director General
3) Preparation of the tendering specifications or, in justified cases, start of the negotiated procedures
4) Evaluation of the offers according to the applicable rules
5) Briefing of the Management Meeting of DG DIGIT and approval of the Director General for the follow up of the procedure
6) Submission of the Evaluation Report to the GAMA
7) Based on the recommendations of the GAMA and the Evaluation Report, the Authorizing Officer awards the market.
8) In the case of a negotiated procedure without prior publication, a publication in the Official Journal is foreseen as well as a stand still period before signature of the resulting contract – or the resulting amendment to an existing contract.
9) Signature of the contract
During the whole process of a procurement file, the Operational Units work in close cooperation with a contract manager of the Finance and Contract Unit that ensures the compliance of the file during its life cycle starting from the Orientation Document. This ensures the operational and compliance (with the NFR) requirements are systematically met.
The importance of the Orientation Document should be stressed here. For any procurement procedure, all relevant elements of the file are presented in that document. In particular in case of a negotiated procedure, the legal basis for the procedure has to be detailed and justified. DG DIGIT management is informed about the circumstances that lead to a negotiated procedure.
From an operational point of view, the following issues are covered at DIGIT:
• The procedures defined in the VadeMeCum of DG BUDG are strictly followed, in particular concerning the constitution of the evaluation committee. In DG DIGIT at least one member of the evaluation committee belongs to another DG. The same is applied for the opening board. In addition to this, the technical evaluation and the financial evaluation are separated either because the sub groups for these tasks are different or by only starting the financial evaluation once the technical evaluation is completed.
• It should be stressed that in case of Inter institutional procedures, DIGIT invites representatives of the Institutions to participate in the evaluation committee.
• A declaration of absence of conflicts of interests is signed by all members of the evaluation committee and of the opening board.
• Before the contract is signed, the tenderers are asked to provide information demonstrating they are not in a situation of exclusion.
• In addition to this the consultation of the early warning system is done at the time of the evaluation of the exclusion criteria.
• An advisory board called the GAMA (Groupe d'Analyse des Marchés), consisting of representative of the DGs or Offices of the Admin family is systematically consulted for the procurement procedures, according to certain rules. For any market above 137.000 EUR or any negotiated procedure aiming at a change of the duration of a contract, not foreseen in the initial contract, or a modification of the scope of a contract, whatever the value implied by these 2 modifications has to be submitted to the GAMA.
• Measures are taken for the protection of the offers: they are stored in two locked rooms (1 room for the original, and 1 room for the copies).
DIGIT includes systematically in its market procedures a general benchmarking clause allowing the analysis of the price, or the quality of the services by a third independent party. In addition to this, in some contracts – such as hardware supply – the contractor has to organise a periodic benchmarking of its prices and demonstrate that the proposed prices follow the market trend.
Communication and information
DIGIT published the open call for tenders on its website, allowing any interested party to access it. Of course any economic operator requesting the specifications receives them within the applicable delay. Questions of general interest are replied to all registered economic operators and posted on the website with the tendering specifications. Links to the official journal are also posted on the website (prior information notice, contract notice and contract award notice).
• All unsuccessful tenderers may request explanation according to the regulation and they have also the possibility to ask for a debriefing.
• Contracts are registered on SYSLOG, the front end for ABAC
• Staff members attend training on procurement, financial regulation, or internal control when appropriate, i.e. for new staff members or in case of change in the regulation.
• Financial circuits: Every financial transaction requires at least two people to be involved (the "four eyes" principle). One person must initiate the transaction and a second person must verify it. Each person involved in the transaction has been nominated by the Authorising Officer to carry out the task and their names are recorded in the computerised financial system.
• Arrangements for monitoring the contractor's performance include systematic use of progress reports and formal acceptance of contractual deliverables.
Detective corrective controls:
and
Performance monitoring, and verification of payments and key milestones Preventive corrective controls audit: and and
Ex post and supervisory controls are in place
Desk reviews, on-the-spot audits
carried out either ex ante or ex post.
3. Feedback which enables control activities to be optimised
Verification that processes are working as designed
• Risk assessment process serves to highlight key issues to ensure that mitigating action is taken
• Self-assessment of the effectiveness of the internal control arrangements is performed on an annual basis
• Self-assessment of the compliance with internal control standards is performed on an annual basis
• Post mortem analysis
Not applicable
Monitoring of performance of independent bodies, 3rd party auditors, externally contracted auditors
IAC, IAS, ECA recommendations on the functioning of the system and their follow up
High level management reporting and its role in identifying problem issues
In 2007, the IAS conducted an IT procurement audit in DIGIT. A reasonable positive assurance was given and several best practices coming from DIGIT management systems in this area were given by the auditor. Several recommendations were made at the end of this exercise. The implementation of the recommendations started in January 2008. In addition to this, the Court of Auditors had several observations in 2007 for the DAS 2006. One of these remarks concerned a bank guarantee that did not extend to the foreseen maximum duration of the contract. The necessary measures have been taken in that regard.
Periodic reporting is done to the management via the reporting tool DIAM; for market procedures there is a systematic follow-up of the implementation of the annual plan, and for budgetary execution there is monthly reporting addressed to Management (tableau de bord).
2.2.1.2. Operational credits (IDABC)
1. Inherent nature and characteristics of the DGs policy environment and stakeholders
Summary: The Directorate General buys services in the area of information and communication technology. The contractors are companies located in Belgium, Luxembourg, Greece, Italy and Germany. Procurement is done via framework contracts that are established mainly at the beginning of the programme (in general for a duration of 2 years extensible to 4 maximum).
Key inherent risks insofar as they impact on reasonable assurance (including limit and extent of its responsibilities and those of other stakeholders):
• Procurement is highly regulated. Detailed rules exist with even more in-depth guidance based on experience and the jurisprudence of court judgements. In-depth knowledge is therefore necessary to manage procurement effectively. Such knowledge is provided via the presence of a legal adviser in the unit working with operational credits and via regular contacts with the financial and contracts unit and with the relevant services in DG BUDG.
• The risk of over-dependency on contractors is high due to the limited market offer for ICT consultancy services in Brussels.
• Lately, bidders are more ready to contest the results of tendering procedures before the CFI, so the follow-up of those procedures has become heavier, using resources normally dedicated to operational tasks.
Management mode/s: Direct centralised management
Key figures:
Procurement: Split between services and supply: Service: 8.900.000€, Supply: 0€
Volume of contracts by type of procedure per year: Open: 8 900 000 €, Restricted: 0€, Negotiated: 0€
Number of contractors: 5
Average median /value/ range of contracts: 988 889 €
Average/median contract period: 16,6 (framework contracts: 24, specific contracts: 10.6)
Contracted amounts/ contractors:
| REFERENCE OF CONTRACT | NUMBER OF CONTRACTORS | PERIOD IN MONTHS | AMOUNT | TYPE OF PROCEDURE |
|---|---|---|---|---|
| FWC ENTR/05/78 LOT 1 | 2 | 24 | 1.500.000,00 | OPEN |
| ENTR/05/78 LOT 1 SC 1 | 2 | 12 | 199.891,50 | OPEN |
| FWC ENTR/05/78 LOT 2 | 2 | 24 | 800.000,00 | OPEN |
| ENTR/05/78 LOT 2 SC 1 | 2 | 12 | 199.400,00 | OPEN |
| FWC ENTR/05/78 LOT 3 | 2 | 24 | 2.600.000,00 | OPEN |
| ENTR/05/78 LOT 3 SC 1 | 2 | 12 | 499.943,00 | OPEN |
| FWC ENTR/05/86 | 1 | 24 | 4.000.000,00 | OPEN |
| ENTR/05/86 SC 1 | 1 | 5 | 95.000,00 | OPEN |
| ENTR/05/86 SC 2 | 1 | 12 | 1.250.760,00 | OPEN |
| Total | | 149,00 | 11.144.994,50 | |
Budget planning and execution:
| Financial execution indicators | Appropriations |
|---|---|
| Commitments made | 26 |
| Payments made | 92 |
| Recovery orders made | 2 |
| Credits received | 23.906.300 |
| Credits committed | 23.547.801 |
| % of committed credits | 98,50 |
2. Management and control systems – the basis of the declaration of assurance
Planning and selection process of contractors, including preventive controls
• Procurement needs are clearly defined and justified from an economic or operational point of view and approved by the AOD.
• For each contract an evaluation committee is set up to prepare the selection of the contractors. Members of evaluation committees are asked to sign a document reminding them of their obligation to declare any potential conflict of interest.
• Declaration of lack of conflict of interest (member of committee).
• Before a contract is signed, contractors must show that they are not in one of the situations of exclusion specified in the Financial Regulation (e.g. bankruptcy, failure to pay tax or social security contributions, conviction for an offence concerning their professional conduct). Before each transaction is authorised, staff are automatically alerted by the computerised financial system if the Commission is aware of this or any similar problem.
• An advisory body (GAMA) is consulted with regard to procurement files on a mandatory basis.
• Physical protection of the offers submitted (locked cupboards).
• Transparency measures: calls for tender are published in the Official Journal and on the EUROPA/IDABC website. Updated information and FAQ are posted regularly on the website.
• Adequate communication to unsuccessful tenderers.
• A computerised accounting system is used to record the contracts and the transactions related to the contracts in ABAC.
• Technical training in procurement is given to all staff involved in the procurement process.
• All staff involved in financial management have the responsibility to alert their Director-General, the Secretary-General or OLAF if they suspect any irregular, illegal or criminal activity.
• Financial circuits: Every financial transaction requires at least two people to be involved (the "four eyes" principle). One person must initiate the transaction and a second person must verify it. Each person involved in the transaction has been nominated by the Authorising Officer to carry out the task and their names are recorded in the computerised financial system.
Communication and information
Detective and corrective controls: Performance monitoring, and verification of payments and key milestones
• Arrangements for monitoring the contractor's performance include systematic use of progress reports and formal acceptance of contractual deliverables.
Preventive and corrective controls and audit: Desk reviews, on-the-spot audits carried out either ex ante or ex post
• Ex post and supervisory controls are in place
3. Feedback which enables control activities to be optimised
Verification that processes are working as designed
• Risk assessment process serves to highlight key issues to ensure that mitigating action is taken
Monitoring of performance of independent bodies, 3rd party auditors, externally contracted auditors
IAC, IAS, ECA recommendations on the functioning of the system and their follow up
High level management reporting and its role in identifying problem issues
• The IDABC programme implements a system of continuous evaluation, which comprises an initial evaluation, a mid-term evaluation and a final evaluation of the programme (over 5 years). These evaluations are performed by external independent experts and reported on to the Council and European Parliament.
• For the main actions, specific CBA evaluations are made (GIP) and reviewed by the IDABC management committee (PEGSCO) or by the competent sectoral committee (in accordance with the provisions of the IDABC legal basis).
• Feedback is provided by the internal auditors (IAC, IAS), by the European Court of Auditors and by the European Parliament in the context of the discharge procedure. Recommendations made by these bodies are followed up systematically.
• A management scoreboard is reviewed by management on a periodic (quarterly) basis (DIAM).
• The results and progress as regards the management of procurement made during the year are reported in the Annual Activity Reports.
• Yearly reporting on the execution of the IDABC Work Programme is made to the IDABC management committee (PEGSCO).
2.2.2. Non-financial risks
DIGIT is subject to three significant non-financial cross-cutting risks [16]:
(1) Insufficient space in the Data Centre building infrastructure forces DIGIT to continue to use the computer rooms in BECH: This induces serious difficulties for the installation of equipment needed to cater for the inevitable growth of existing information systems and delays in the timely operation of a series of DG projects, the delivery of corporate services and the implementation of security measures requested by the Internal Audit Service. According to the plan agreed with the Cabinet, OIL / DIGIT have planned to rent in Luxembourg a new room of 600 m² in 2007, followed by an extension of 300 m² in 2008 and two more extensions of 300 m² each, in 2009 and 2011. The 600 m² room should have been available by July 2007. For technical reasons, the provider has only offered a space limited to 794 m². The Inter Service Consultation for the 2007-2011 renting plan by OIL was only completed in December 2007 and DG BUDG approved it later the same month. Compared with the original planning of 2006, the actual situation presents considerable delays and the current forecast for availability of the facilities is Q3 2008. These delays also force DIGIT to continue using the inadequate computer rooms in BECH until Q3 2008.
(2) Without careful planning and extra funding, it will not be possible for DIGIT to implement and test all business continuity requirements submitted by all services regarding their most critical information systems within an acceptable timeframe: DIGIT will provide a draft Business Continuity Plan (BCP) and DGs should align their calendar for the testing of their business continuity requirements accordingly.
(3) IT Infrastructure Consolidation (ITIC) project: Possible lack of top management sponsoring and support, difficulties with redeployment of staff, resistance to change and difficulties with management of budget allocation: The pilot project will result in a total go/no-go decision and this should eliminate these risks.
Furthermore, DIGIT encounters considerable difficulties in hiring ICT staff. This is clearly illustrated by the average duration of vacancy for empty posts, which has increased from 5,02 to 8,28 months in 2007.
[16] A risk is cross-cutting if other DGs need to be involved in the management of the risk (i.e. if DIGIT cannot manage the risk effectively on its own)
2.3. Follow up of audit work and previous year's reservations
2.3.1. Follow up of previous year's reservation
In 2005, DIGIT issued a reservation regarding the inadequacy of the building infrastructure both in Brussels and in Luxembourg to house Data Centre type infrastructure. This reservation was maintained in 2006. In order to cope with this issue, it was planned to rent new data centre rooms both in Brussels and in Luxembourg. Contracts for the rental of one room in Brussels (600 m² in Machelen) and one room in Luxembourg (300 m² HiTEC) were signed in 2006. In Brussels this enabled the move out from the IMCO building in February 2007. In Luxembourg the HiTEC room has been in use since March 2007, but due to the limited additional space this room offers, the two computer rooms in the BECH building have to be maintained. The refurbishment of the air conditioning in the JMO Data Centre has furthermore suffered supplementary delays and finalisation of the work is now re-scheduled for Q2-2008.
2.3.2. ECA recommendations
The European Court of Auditors stated in their annual report on the implementation of the budget concerning financial year 2006 [17] that DIGIT did not present legality and regularity indicators for all major spending services in their AAR 2006. In this year's report, DIGIT presents key indicators supporting reasonable assurance concerning the legality and regularity of underlying transactions for all major spending services. Details can be found in section 2.4.
2.3.3. Follow-up of other identified system weaknesses
Ten critical / very important recommendations, made by the Internal Audit Service (IAS) in the 2004 IT governance audit, are at present overdue. These delays are mainly caused by external factors not directly manageable by DIGIT. A first set of those overdue recommendations relates to the "IT Infrastructure Consolidation" project that entered its second step, i.e. a pilot phase involving a restricted number of DGs. Following this pilot phase a decision will have to be taken by the Commission on whether or not to proceed with the consolidation of IT infrastructure.
A second set of recommendations is related to the "Financing of Corporate IT" for which a Working Group called "IT Billing", chaired by SG, has been set up in order to analyse the issue and make proposals to the ABM Steering Group. The working group concurred that further refinement of the methodology to calculate costs and a tool to afterwards permit the billing of client DG/services was needed and subcontracted a study. The results will become available in 2008.
Regarding the IAS consolidated ICT audit of 2004, 3 critical / very important recommendations are overdue. The main reason for their delay is that their implementation also does not depend entirely on DIGIT but on decisions to be made by the ABM Steering Group and on proposals to be defined and accepted in close collaboration between DIGIT and other horizontal services (DG ADMIN/DS, SG and DG BUDG).
The Audit Progress Committee (APC) decided to regroup all outstanding recommendations (including the less important ones) for these 2 audits into 6 clusters [18], concluded that important progress and initiatives were still being implemented at all levels and confirmed that it would continue to follow these matters.
The IAS identified in the 2006 audit on the Data Centre 6 very important issues related to security and in the 2007 audit on IT procurement 1 very important issue related to the internal control procedure. Implementation of the related recommendations is underway.
[17] OJ C 273, 15.11.2007, section 2.18
2.4. Key indicators supporting reasonable assurance
The assurance provided by the Authorising Officer by Delegation (AOD) is built upon the following assurance building blocks:
– Internal control design;
– Internal control effectiveness;
– Control overrides;
– Assurance issued from independent monitoring actors.
These assurance building blocks are detailed in the following sections.
2.4.1. Internal control design
When DIGIT became an independent Directorate-General it entered de facto into what is called financial circuit model 4 (centralised unit): the central financial unit of DIGIT assumed the tasks of financial initiating agent (FIA) and financial verifying agent (FVA), and also played the role of authorising officer by sub-delegation (AOS) for amounts under the thresholds dealt with by the authorising officer by delegation (AOD). This situation, although acceptable for DGs with a small budget or a limited number of low-risk transactions, was not fully adequate for DIGIT. A first analysis showed that model 2 (partially decentralised) was suitable for future operations, with Directorates and operational units assuming the roles of operational initiating agent (OIA), operational verifying agent (OVA) and AOS, while the functions of FIA and FVA were to be ensured by a financial unit, part of the "Resources" Directorate. Model 2 allows responsibility to be shared among operational Directorates and units while making it possible to maintain the specialised resources at financial level within a centralised service. Every AOS is still accountable to the AOD, in particular by means of regular AOS reports.
Gradual transition from model 4 to model 2 took place in 2007, reinforcing the role of Directors. To summarise, most commitments are currently in model 2 and payments are still in model 4, except for IDABC which has kept its own financial model, i.e. model 1 (decentralised unit).
Besides the controls embedded in the financial models, DIGIT has put in place a procedure for exception handling (internal control standard n°8). Exceptions to the Financial Regulation as well as to internal procedures are recorded and have been subject to an in-depth analysis by the ICC team. Following this analysis, some procedures will be subject to a further analysis and to an implementation plan in order to determine how controls can be improved so as to minimise exceptions in the future.
[18] Consolidation of IT Infrastructure, IT Billing, IT Risk Analysis, Security, Definition of Roles and Responsibilities in IT Domain, Training and Sensibilisation to Internal Control
In 2007, 78 exceptions were recorded. Only one exception resulted in a budgetary left behind (RAL [19]) but this issue was not material.
The financial circuits are extended with ex-post controls. More details can be found in the section on internal control effectiveness. It should be noted that the current ex-post control procedure will be subject to a revision in 2008.
In the context of the AAR and on top of their quarterly reports, each AOS gives his/her own assurance to the AOD, i.e. to the Director-General. The declaration of the AOD is also based on the declaration of the Resources Director. In that context, DIGIT's basic approach was to start from the asset accounts of the balance sheet of 31.12.2006 and to verify the entries that make up the difference between it and the balance sheet of 31.12.2007. DIGIT has reconciled every single posting on the IT asset accounts during 2007. The overall number of postings was almost 50.000 and more than 80% of them were on computer hardware. As intended at the beginning of the year, DIGIT checked every single entry on the asset accounts on a regular basis. This regular control enabled the immediate identification of problematic entries during the fiscal year and avoided an excess of corrections after the cut-off.
Risk management is well embedded in DIGIT. Assessments are systematically reviewed at directorate level when establishing the AMP. Moreover, units report quarterly to senior management on the detailed risks for every single AMP action. This quarterly reporting is also presented to the Cabinet.
2.4.2. Internal control effectiveness
2.4.2.1. Ex-ante controls
Administrative budget: All commitments with a value higher than or equal to 50 000€ in the area of centrally managed IT expenditures as well as all other commitments are subject to a dedicated ex-ante verification by a FVA, who is a member of the financial unit in the Resources Directorate. For the other lower value commitments, this verification is performed by the AOS. These verifications resulted in 112 rejections of the controlled transactions. The vast majority of these transactions were further processed once inter alia the policy area, the posting criteria or other items had been corrected. For all other transactions (other commitments, payments and recovery orders) there is no dedicated FVA but the AOS performs the verification in the framework and as stated in the financial circuit model and related procedures adopted by the AOD for DIGIT. Regarding payments, the AOSs returned 18 transactions (0,3 % of all payments) for correction to the initiating agent and rejected 10 other transactions (0,2 % of all payments). A supplementary ex-ante verification function has not been implemented in DIGIT.
Operational budget: For this type of budget (IDABC lines), the financial circuits are implemented within the unit managing the programme, with the Director-General acting as AOD. All commitments, payments and recovery orders are subject to an ex-ante verification by a FVA, who is a member of the unit. The four-eyes principle is applied within the unit; to this end, different staff members play the OVA (Head of Unit level), OIA, FIA and FVA roles. The Head of Unit also has the role of AOS for payments and low-value commitments (below 50K EUR). The verifications are standardised by the use of check-lists. In 2007, 3 transactions were returned to the FIAs by the FVAs; no transactions were returned to the FIAs by the AOS and/or rejected by the AOS.
[19] Reste à liquider - outstanding commitments which remain to be paid
Paraphe procedure: This procedure was implemented to meet the following objectives:
– Be aware of all the 'goods and services' acquired by DGs in the IT and telecommunication fields and make sure that these acquisitions are compliant with Commission rules and policy in this matter;
– Ensure the coherence of IT goods and services;
– Verify the correct use of DIGIT framework contracts (purpose, etc…);
– Follow the ceiling consumption of DIGIT framework contracts;
– Register all assets in the inventory as DIGIT is the Management Center for that.
All Commission DGs and Services are asked to systematically use the 'paraphe' procedure whenever they buy IT or telecommunications goods or services and 2 182 order files were submitted in 2007. However, experience has shown that the procedure is not always used.
2.4.2.2. Ex-post controls
DIGIT applied Monetary Unit Sampling (MUS) on Commitments, Payments and Recovery Orders:

| Transaction type | Total value [20] | Total number | Controlled value | % | Controlled number | % |
|---|---|---|---|---|---|---|
| Commitments | 162 066 122 | 2 142 | 34 813 075 | 21,5 | 80 | 3,7 |
| Payments | 144 396 460 | 5 629 | 18 671 041 | 12,9 | 79 | 1,4 |
| Recovery orders | 7 140 473 | 131 | 5 118 253 | 71,7 | 19 | 14,5 |
The sampled transactions were controlled on the basis of checklists whereby transactions for Directorates A/B/C and authorised by the financial Unit R2 were controlled by the Directors of Directorates A/B/C and transactions authorised by Directorates A/B/C/R and Unit 01 were controlled by the ICC group. Moreover, the Director-General was asked to control an overall sample of transactions, the Resources Director was asked to control a sample of transactions authorised by one of his Heads of Unit and one Head of Unit was asked to control a sample of transactions authorised by his staff. The results of these controls have been consolidated by the ICC group on the basis of summary sheets and these will be input for a global action plan aiming at improving the internal control system.
Controls carried out show that there have been no material errors (low error rates) as regards legality and regularity and that the cumulative level of errors in favour of the beneficiaries is zero (no overpayments). However, DIGIT has, in several cases, been pre-financing operational services (i.a. hosting of information systems for operational DGs) from its administrative budget. That such a risk existed has already been mentioned in the AMPs for 2007 and 2008 and by the IAS in their audit report of the Data Centre.
2.4.2.3. Multi-annual programmes
The IDABC programme is exclusively implemented via public procurement (for service contracts). All contractual payments are systematically checked against contractual deliverables and cost statements included in the related progress reports. As a consequence the need for recovery orders is extremely rare and it is basically limited to applying penalties in case of non-execution of contractual obligations [21]. In 2007 this was the case for one of the specific contracts (s-TESTA), due to the technical unavailability of critical network services over a period of 2 days.
[20] Contrary to annex 4, these figures include transactions on credits sub-delegated to DIGIT but exclude transactions on credits sub-delegated to other services.
[21] On the other hand, recovery orders are used to gather the contributions to the IDABC programme from the Candidate Countries, following the establishment of the related Memorandum of Understanding.
Several transactions have been audited, both by the IAS and the Court of Auditors, without any specific problem being detected on the financial verifications. [22]
2.4.2.4. ICS baseline requirements
The effectiveness of the 24 internal control standards was assessed using a tool (iCAT) put at our disposal by DG BUDG. Three groups of people (a total of 56 persons) completed the survey: the management (i.e. the General Director, the Directors, the Heads of Unit, the Deputy Heads of Unit and the assistant to the General Director), the "heads of entity" and the staff. The results of the survey, which represent a self-assessment, including comments and proposals for internal control improvement, will be analysed in depth by the ICC team during workshops at group level. Based on the workshop results, the ICC will issue a report proposing recommendations to improve the internal control effectiveness. A first analysis already showed that some controls could be improved but that they are not detrimental to the operations, except for an issue with the business continuity plan which constitutes a significant risk but which was already known and reported upon. Finally, no material event reported to or known by the ICC has to be drawn to the attention of the AOD (i.e. the General Director).
2.4.2.5. ICC contribution
Regarding the 2008 AMP, the ICC team in coordination with the different DIGIT directorates updated the risk analysis carried out in 2006 at level of DIGIT's activities/processes and assessed in more depth the risks at the level of AMP actions. Some critical risks were identified and reported. In addition, in order to select internal control standards on which to put a particular emphasis during 2008, the ICC organised a workshop during the second management away day of November 2007. For the 2007 AAR, the ICC assessed the effectiveness of the 24 internal control standards using iCAT and the compliance towards the baseline requirements using ICMT. He organised workshops at directorate level and presented a consolidated report to the General Director. The ICC team also closely followed the audits performed by the IAS and DIGIT's IAC and participated in kick-off and exit meetings. The ICC was regularly informed on potential issues and coordinated DIGIT's answer to IAS and IAC's recommendations. When requested, the ICC participated in Audit Progress Committee (APC) preparatory meetings. In terms of internal control review, the ICC and Resources Director assessed the financial circuits in place at DIGIT and proposed to go a step further towards the model 2. The ICC team analysed the exceptions and will issue a report containing recommendations aiming at improving the internal control system. Concerning ethics and integrity, the ICC sent a comprehensive note to all staff reminding them of the rules and attitude to follow.
2.4.2.6. AOS reporting
DIGIT has sent an annual reporting justifying the use of credits sub-delegated from other services and has received such a reporting for credits sub-delegated to other services.
[22] DIGIT has not yet received the results of the audits done by the Court in the context of the DAS 2007; the only possible remark we are aware of at this stage concerns the formalisation of sub-delegations for the AOSD. The audit from IAS delivered some recommendations on general procedural aspects related to the management/verification of contractual files but no comments on the financial transactions themselves. The recommendations have been implemented.
Credits transferred from DIGIT to other services (columns: service, budget line, transferred budget in 2007, committed amount in 2007, reported matters of material impact by the other service):
AGRI COMP EAC EMPL ENTR ENV ESTAT FISH INFSO JRC MARKT OIL SANCO SG
02.020401 02.020401 02.020402 02.020401 02.020401 02.010405 02.020401 02.020402 02.010405 02.020401 02.020401 02.020402 02.020401 02.020401 02.010405 02.020401.01 02.020401.05 XX.010301.11.03 02.020401 02.020402 02.020401
500 000 495 589 0 -38 880 0 0 400 000 399 990 0 0 30 000 29 948 970 000 969 111 0 0 0 -6 246 875 000 774 991 0 0 0 0 0 0 0 0 0 0 0 0 301 513 301 375 3 100 000 3 100 000 Reporting not yet received 130 000
None None None None None None None None None None None None
129 274 [23] None
Credits transferred from other services to DIGIT (columns: service, budget line, transferred budget in 2007, committed amount in 2007, reported matters of material impact by DIGIT):
ADMIN BUDG EMPL ENTR ESTAT IAS INFSO MARKT OIB
26 010211 00 05 27 010211 00 05 02 010404 05 02 010404 05 02 010503 05 29 020100 05 28 010211 00 05 09 010211 00 05 09 010503 05 12 010401 05 12 020100 05 26 012201 010300 HSW 26 012201 010300 SUP 26.012201.010300 TEL 26 010901 020301 26 010901 010300 26 012100 010300 13.010401 13.010403 08 010503 05 25 010211 00 05 26 010211 00 05 14 040200 06 010503 05
3 480 000 950 000 5 488 20 000 29 610 380 000 150 000 19 441 247 124 50 000 50 000 953 145 734 000 1 014 000 873 380 138 751 625 400 122 511 52 505 809 235 3 700 000 60 000 328 000 37 500
3 478 893 949 806 5 292 19 440 29 372 380 000 149 863 19 441 247 124 49 763 49 919 953 145 734 000 1 014 000 872 274 138 676 625 259 122 483 52 377 809 217 3 699 780 59 920 327 999 37 260
None None None None None None None None None None
OPOCE PMO REGIO RTD SG SJ TAXUD TREN
None None None None None None None None
[23] Information provided by SG mentions only a committed amount of 59 568€
Sub-delegations for commitments and payments DIGIT received from the 4 Offices (EPSO, OIB, OIL and PMO) for infrastructure and IT services related to basic services (office automation, network connections, support, etc.) are integrated into the APB process. These sub-delegations are based on a fixed amount per capita and the amounts are confirmed in an exchange of notes between the Director-General of DIGIT and the Director of the Office. Regarding the AAR, no explicit reporting exists.
2.4.2.7. Complaints
During 2007, the following legal challenges were started:
– Two cases before the Court of First Instance, namely T-300/07 and T-377/07, related to the award of two IDABC calls for tender ("Your Europe Portal Management" and "Content Interoperability Technologies").
– Three complaints before the European Ombudsman, namely 438/2007/TN (on CIRCA), 1895/2007/BB (on the new videoconference service) and 2395/2007/VIK (on an enquiry about a possible infringement in the field of data protection).
– A complaint before the European Data Protection Supervisor, namely C2007-408 (on a possible issue about data protection).
It should be noted that the two cases before the Court of First Instance and two of the three complaints before the European Ombudsman were filed by the same company, which at the time of writing has filed a total of 23 cases before the Court of First Instance and 8 complaints before the European Ombudsman against the Commission and other EU Institutions. In addition, the complaint C2007-408 before the European Data Protection Supervisor is very closely linked to the complaint 2395/2007/VIK before the European Ombudsman, the latter having been filed by the above-mentioned company.
There is a complaint pending before the European Ombudsman since 2004, namely 3006/2004/BB (on the use of Documentum as ECM platform). The final decision is expected any time now.
All the above-mentioned challenges are under control.
2.4.3. Control overrides
The GAMA advisory body is consulted with regard to procurement files on a mandatory basis and all opinions of this committee have been taken into account (no "passé outre"). There were no cases where instructions have been confirmed in writing by the delegating authority, in the circumstances described in Article 66(2) of the Financial Regulation: "An authorizing officer by delegation or subdelegation who considers that a decision which it is his responsibility to take is irregular or contrary to the principles of sound financial management shall inform the delegating authority in writing. If the delegating authority then gives a reasoned instruction in writing to the authorizing officer by delegation or subdelegation to take the decision in question, the authorizing officer may not be held liable".
2.4.4. Assurance from independent monitoring
2.4.4.1. Internal audit findings (IAC/IAS)
The Internal Audit Capability has started an audit of the IT inventory management process but did not finalise audits of DIGIT during 2007. In 2007 the IAS performed an audit of IT procurement and service delivery at DIGIT, focusing on the following aspects of the internal control system, risk management and governance processes: contract preparation and management, and monitoring of these contracts with external contractors. Based on the results of the audit, the IAS believed that the internal control system in place provided reasonable assurance regarding the achievement of the business objectives set up for the processes audited except for one issue: no full compliance with the Commission Internal Control Standard (ICS) regarding exception reports so as to ensure the timely notification of these exceptions. The audit also outlined particular strengths in the tendering and preparation of contracts process and in the management and monitoring of the contracts with external suppliers.
DIGIT has submitted an action plan and will focus on timely notification by revising the ICS procedure accordingly. Moreover DIGIT will ensure further segregation of duties between the detection of deviations, their logging and the oversight of these deviations, and the accountability for these deviations.
2.4.4.2. External audit findings (ECA)
For the statement of assurance 2007 (DAS), the Court sampled and controlled 3 transactions (total value 531.862 €) as well as 6 payments on carried over appropriations (total value 876.747 €). The validation process has just been started and no final conclusions are currently known.
2.4.4.3. Internal Audit Capability (IAC) opinion
The IAC function expressed the following opinion: "On the basis of the results of our audits and taking into account their objectives and scope, this IAC considers that the internal control system in place provides reasonable assurance regarding the achievement of the business objectives set up for the processes audited [24]. In addition to the opinion given above, and taking into account the actual audit coverage of the activities/processes in the DG, the head of the IAC (f.f.) declares that he is not aware of any element not reported here which may constitute a major (material) weakness in the internal control system. In conclusion, the IAC has no elements for suggesting possible reservation in the AAR 2007".
2.5. Conclusion on the effectiveness of the internal control system
Based on all elements and assessments presented in this part of the report, DIGIT can give the reasonable assurance that the resources assigned to the activities described in this report have been used for their intended purposes and in accordance with the principles of sound financial management, and that the control procedures put in place give the necessary guarantees concerning the legality and regularity of the underlying transactions.
[24] Consultancy work regarding the cut-off methodology and audit on inventory management
3. PART 3 – RESERVATIONS AND THEIR IMPACT ON THE DECLARATION
DIGIT has disclosed its main systemic responsibilities in part 2 of this report and would make a reservation for any deficiency having an impact on legality and regularity.
3.1. Materiality criteria used
3.1.1. Qualitative criteria
The inadequacy of the building infrastructures to house Data Centre type infrastructure, which was subject to a reservation issued by DIGIT AOD in its 2005 and 2006 AARs, led again to a series of incidents in 2007. Thankfully, their final impact on operations and end-users was limited due to proper disaster recovery infrastructure, to business continuity processes in place, and to the efficient recovery work done by the data centre teams. A mild summer in 2007, with relatively low external temperatures, also averted a real crisis.
In 2006, DIGIT, OIB and OIL defined together a multi-annual strategy to improve the housing conditions of the Commission's Data and Telecom Centres (Data Centre), both in Brussels and in Luxembourg, and Vice President Kallas' cabinet endorsed this strategy. The main objective of the strategy is to move most critical ICT equipment into professional data centre rooms in a phased approach up until 2010 and to refurbish the electrical infrastructure and air conditioning in the JMO Data Centre room. Therefore, the renting of new data centre rooms was planned both in Brussels and in Luxembourg.
An IAS audit of the data centre also confirmed in 2006 the inadequacy of the IT rooms. The IAS issued two critical recommendations to the attention of OIL on the matter. The action plan to mitigate the risks highlighted by the IAS was presented jointly by OIL and DIGIT to the Audit Progress Committee on the 30/03/2007 and received strong support from the APC. Moreover, in 2007 the reinforcement of the Data Centre security and business continuity of IS and corporate operational infrastructure services was retained as a top IT priority by the ABM Steering Group [25].
So far, while the electrical works were completed according to the plans in 2006 for the JMO data room, the renewal of the cooling infrastructure, initially planned for completion in July 2007, has been delayed several times and the current forecast from OIL is Q2 2008.
Furthermore, contracts for the rental of one room in Brussels (600 m² in Machelen) and one room in Luxembourg (280 m² HiTEC) were signed in 2006. In Brussels, this enabled the move out of the IMCO building in February 2007. In Luxembourg, the HiTEC room has been in use since March 2007 and made it possible to begin emptying the BECH installations. But, due to the limited additional space this room offers, the two computer rooms in the BECH building had to be maintained in order to cope with ever-increasing hosting requirements from DGs and fast growing infrastructure (network, e-mail, etc.). Consequently, the failover sites in Luxembourg are now composed of two low quality computer rooms in the BECH building (as a reminder: data rooms in BECH were qualified as "inadequate" by the IAS) and one in HiTEC.
In addition, in 2007 and in conformity with the multi-annual strategy, OIL and DIGIT prepared an Interservice Consultation for the rental of a new room of 600 m² in Luxembourg with the objective of having the additional space available by July 2007. For the record, the strategy foresees that this would be followed by an extension of 300 m² in 2008 and two more extensions of 300 m² each, in 2009 and 2011.
[25] Notes D(2006)10217 of 25 October 2006 (minutes of the meeting of 10/10/2006) and D(2006)11405 of 30 November 2006 (minutes of the meeting of 30/11/2006)
The market procedure was initiated by OIL during Autumn 2006 allowing the final choice of room in March 2007. The ISC was finally launched by OIL at the beginning of July 2007 after long preparatory works. After lengthy and very detailed discussions with all parties involved (OIL, BUDG and DIGIT), the ISC was approved on December 21st, 2007 with the subsequent signature by OIL of a rental contract for 794 m² in Windhof.
However, contrary to the strategy previously endorsed by VP Kallas' Cabinet and presented on various occasions (APC, Machelen ISC…), DG BUDG considered the renting of the 794 m² room as a "one-off" initiative rather than as one stage of a multi-phase space increase. According to DG BUDG, further space increases could only be made if the Commission approves a new OIL/DIGIT plan for the years 2009-2013. Consequently, a new Communication to the Commission will need to be prepared by DIGIT and OIL early in 2008 as an update of Communication 2964 from 2004.
Moreover, contrary to the original plans set up in 2006, the Windhof data room (794 m²) will only be made available by OIL end-July 2008 and will consequently only enter into production in September 2008 at the earliest, once the preparatory works to have it connected to the network have taken place. Therefore, the final phasing-out of the BECH rooms is planned for end 2008 at the earliest.
Due to all the reasons mentioned above, DIGIT will face difficulties in accepting new Information system hosting requests from DGs. A prioritization system will have to be implemented. Despite such prioritization, delays will continue to negatively affect a series of DG projects and might delay the delivery of corporate services. As a conclusion, even with the ongoing actions undertaken by OIL in this area, risks are definitely high and problems will persist for some time while being beyond DIGIT's direct control.
As a result, the materiality of this issue derives from the high probability of the risk and from the potential impact of service disruption, loss of information, lack of on-time service delivery and lack of service extension. This is deemed critical for the proper day-to-day functioning of the Commission as a whole and may badly affect its reputation.
3.1.2. Quantitative criteria
1. A financial impact, or cumulative effect, higher than 2M € corresponds to 2% of the total budget managed by DIGIT. This can be converted to a time equivalent by using persons/year as the unit (2M € would correspond to 20 persons/year).
2. The occurrence of a major incident (at least one critical system not being available for more than one day, or the loss or partial loss or corruption of critical data).
3. The possibility of people sustaining injuries because of security or health problems in one of the data rooms.
4. Late availability of new DG information systems or new corporate services because of the unavailability of new data centre rooms.
5. The impossibility of extending existing DG information systems or corporate services because of the unavailability of new data centre rooms.
The consequences of a possible incident resulting from the inadequacy of the data centres premises were examined in the light of these criteria bearing in mind the following points:
• the impact on DIGIT’s own resources
• the impact on DIGIT clients’ services
• the impact on other key Commission stakeholders’ resources (including the Member States).
The approach adopted in order to quantify the financial impact was also based on:
• the cost of the manpower wasted to carry out remedial actions to rebuild operations
• and/or on the value of unavailable, lost or partially corrupted data.
One can quantify a possible incident resulting from the inadequacy of the data centres premises with some examples:
Equipment: The e-mail infrastructure alone is valued at more than 7M €. If an undetected fire, possibly provoked by the air cooling system, were to occur in the major data room (as has already happened) it could result in severe equipment damage including destruction of the back-up robot which costs in excess of 2M €. A fire in the main JMO room could result in equipment worth more than 40M € being damaged or destroyed.
Manpower: In the event of a major disaster staff in DIGIT, in the DGs and services and with external contractors would need to be redeployed to carry out remedial actions and would be taken away from their normal work. The installation of new equipment alone would necessitate considerably more than 20 person/years. A simple one day impact to the network infrastructure or e-mail system would seriously hamper the work of over 20,000 persons.
Quantitative impact of potential loss of data and/or unavailability of information systems: In 2007, the Data Centre hosted and assured operations for about 1.300 administrative and policy oriented information systems. Of this total, 24 are considered "critical", 28 "essential" and 12 "necessary". A disaster in the Data Centre would definitely result in more than one mission critical system being unavailable.
3.1.3. Conclusions on the materiality of the deficiencies
Based on the results of the qualitative and quantitative analysis, the risk identified is material enough for a reservation to be raised in the AOD declaration, which in DIGIT's opinion should normally have been raised by OIL.
3.2. Reservations
DG: DIGIT
Title of the reservation: Inadequacy of the Data Centre building infrastructure in Luxembourg.
Domain: Information and communication technologies
ABB activity: Activity 03 - ICT infrastructure services provisions
Reason for the reservation: Insufficient adequate building infrastructure premises forces DIGIT to continue to use the low quality computer rooms in BECH which were recognised as "inadequate" by the IAS in the audit of the Data Centre.
Materiality criterion/criteria: The materiality was checked in different domains considering the internal control standard on business continuity, major points raised in audits and reputational risks for the Commission:
- Extra financial costs (e.g. manpower wasted to rebuild operations and lost or partially corrupted data, damaged equipment) for DIGIT and its clients (other services but possibly also Member States) due to incidents in Luxembourg sites (power cuts, air conditioning problems …) in 2007;
- The use of resources on emergency moves and interventions, which would not have been necessary with an adequate housing of computer rooms and which could have been used inter alia for the replacement of aging equipment such as the telecommunications infrastructure;
- The move of the majority of the failover hardware from BECH to HITEC was funded through DIGIT's ICT budget. This operation ended in 2007 and DIGIT could not use the budget for the initial foreseen projects;
- Late availability or unavailability of mission critical systems and risk of corruption of data sets leading to complaints and impacting DIGIT’s and the Commission’s reputation.
Quantification: The magnitude can be assessed, taking into account the risk of non availability of information systems supporting the EC internal Administration and the European policies as well as the loss of working hours for Commission officials due to the resources needed to solve problems, to move equipment and to handle incidents due to inadequate building infrastructure. Consequently, based on the results of the qualitative and quantitative analysis, it appears that the risk identified and the financial impact is material enough (inter alia over 2% of DIGIT's budget of around 140 million €) for a reservation to be raised in the AOD declaration.
Impact on the assurance: The scope of the reservation covers Information Systems owned by other DGs and hosted by DIGIT (including those providing services required by EU legislation for the benefit of Member States) and corporate ICT infrastructure services offered by DIGIT. As such, this reservation can be considered as generic for all potentially affected DGs including Information Systems hosted and managed autonomously by DGs but requiring some corporate services (e.g. ECAS, proxies) to properly function. The reservation does not have any other impact on the AOD declaration of assurance than restricting its scope. Therefore, the AOD has estimated that this restriction does not prevent him from giving a reasonable but qualified assurance.
Responsibility for the weakness and its remedy: Even if important actions are ongoing with OIL in this area, the risk is definitely high and will remain so for quite some time while being beyond DIGIT’s direct control. The responsibility to mitigate the risks lies in particular with OIL.
Corrective action: In 2006, DIGIT, OIB and OIL defined together a multi-annual strategy until 2010 to improve the housing conditions of the Data and Telecom Centres of the Commission both in Brussels and in Luxembourg. The strategy was approved by the Cabinet of Vice President Kallas and should lead to necessary capacity increases and the move of most critical ICT equipment into professional data centre type rooms in a phased approach and to the refurbishing of air conditioning and electrical infrastructure in the JMO Data Centre room (end of work had been planned for second half of 2007). So far contracts for the rent of two new data centre type rooms in Brussels (600 m²) and in Luxembourg (280 m²) have been signed. For the one in Brussels, the move out of IMCO was finalised on the 20th February 2007; and for the one in Luxembourg the move was finalised end-March 2007. The planned delivery of the first phase of the new room in Luxembourg (Windhof) mid-2007 has suffered considerable delays and current planning only foresees handover by OIL to DIGIT end-July 2008, following which DIGIT will start equipping the room and start moving servers. End of work is now estimated for Q4 2008. The refurbishment of the air conditioning in the JMO Data Centre has furthermore suffered supplementary delays and finalisation of the work is now planned by OIL for Q2-2008. In December 2007, the planned second & third phase capacity increases for the new room in Luxembourg (2nd phase originally to be delivered to DIGIT in July 2008) were postponed and conditioned by a new Communication to the Commission to be prepared by DIGIT and OIL (update of Communication 2964 from 2004). The situation of corporate ICT infrastructure housing is consequently likely to remain critical throughout 2008.
3.3. Overall conclusions on the combined impact of the reservations on the declaration as a whole
Not applicable
4. PART 4 – DECLARATION OF ASSURANCE
I, the undersigned, Francisco Garcia Moran
Director-General of DIGIT
In my capacity as authorising officer by delegation
Declare that the information contained in this report gives a true and fair view [26].
State that I have reasonable assurance that the resources assigned to the activities described in this report have been used for their intended purpose and in accordance with the principles of sound financial management, and that the control procedures put in place give the necessary guarantees concerning the legality and regularity of the underlying transactions. This reasonable assurance is based on my own judgement and on the information at my disposal, such as the results of the self-assessment, ex post controls, the work of the internal audit capability, the observations of the Internal Audit Service and the lessons learnt from the reports of the Court of Auditors for years prior to the year of this declaration.
Confirm that I am not aware of anything not reported here which could harm the interests of the institution.
However the following reservation should be noted: Inadequacy of the Data Centre building infrastructure in Luxembourg
Luxembourg, 31/03/2008
(signed) Francisco GARCIA MORAN Director-General DIGIT
[26] True and fair in this context means a reliable, complete and correct view on the state of affairs in the service.