BULGARIA: IT Audit of the Information System of the European Structural and Investment Funds
Bulgarian National Audit Office has conducted its first IT audit - of the Information System for Management and Monitoring (ISMM) of the funds from the European Structural and Investment Funds (ESIF) for the period 2014-2020 and its management.
The ISMM 2020 system helps to reduce the administrative burden for beneficiaries through electronic management of various processes, such as:
- conducting electronic administrative proceedings to the Managing Authorities (MA) of the operational programs for the provision of non-grant financial assistance (GFA), verification of incurred expenses, determination of financial corrections;
- introducing and maintaining an electronic audit trail;
- significant reduction of paper turnover at all stages of a project - application, evaluation of the submitted project proposals, reporting, implementation, control, communication and verification;
- limiting the cases of requesting and providing the same information several times in the form of different documents through the electronic management of the processes.
The maintenance of the information system is assigned to the Directorate "Central Coordination Unit" at the Ministry of Finance, and its main information center is located in the State Hybrid Private Cloud.
ISMM 2020 consists of two main modules: public and internal. The public module (https://eumis2020.government.bg/) provides summary information on the financial implementation of the programmes (agreed and paid funds), in total amount and at different levels - programme, priority axis, sub-priority, procedure. The beneficiaries submit their electronic applications through the public module.
The internal module (https://umis2020.government.bg/ ) is intended for the work of the programme management and monitoring units, auditing and certification bodies, and through it new procedures are opened, project proposals are evaluated, contracts are concluded, reports are made and results are monitored.
For the period 2016-2021, more than 5,100 users are registered in the ISMM 2020 internal module. In total, over 171,500 user profiles and over 59,800 applicants are registered in the electronic application and reporting modules. Over 16,400 requests have been processed by the system's Help Desk.
The audit focused in two main areas:
1. IT management of ISMM 2020 related to:
- strategic and short-term planning of the development of ISMM 2020;
- identification and approval of the requirements for the IT system;
- monitoring and reporting of the implementation of the activities of introduction, maintenance and development of the system;
- positioning the IT unit in the structure of the organization and the defining its functions;
- implemented policies for the preparation and storage of the system documentation and for the assignment of subcontractors;
- risk management; and
- the implemented compliance mechanisms.
2. Effectiveness of the activities for maintenance and development of ISMM 2020, including:
- introduced procedures/policies for management of continuity, incidents and change of ISMM 2020 and their implementation;
- provision of reliable information for monitoring the implementation of the programs; and
- satisfaction of ISMM 2020 users with the functioning of the system.
The audit scope did not comprise the analysis and assessment of:
a) the information security policy, due to the fact that it is subject to an annual assessment by the audit bodies of the Executive Agency "Audit of European Union Funds" and Executive Agency "Certification Audit of European Agricultural Funds";
b) the formulation, awarding procedure and delivery of the service for the development and implementation of ISММ 2020, due to the fact that the service was implemented outside the 2016-2021 period;
c) given the limited human and time resources for conducting the audit, its scope did not include the analysis and assessment of:
- human resource management policies related to hiring, training and termination of employment and/or employment relationships;
- capacity management, which should ensure that system capacity and performance meet current and future needs of the activity;
- the controls introduced at the application level, aimed at evaluating the effectiveness and efficiency of the form and operation of internal controls and operational procedures related to the automation of processes and the identification of problems related to the operation of information system applications.
The audit covered a six -year period from 2016 to 2021.
The conclusion of the audit
The information system for management and monitoring - ISMM 2020, has a serious potential to provide the management of funds from external sources with the necessary data and information due to:
- the created organizational structure for managing the system;
- the introduced framework for: monitoring of the activity for the IT provision of the funds management; reviewing whether the requirements of information security documents are observed; creating backups and archiving, as well as documenting the changes;
- the provided resources (financial and expert) for maintaining, optimizing and developing the system;
- the availability of critical systems ensuring continuity of work;
- the constant expansion and improvement of the functional capabilities of the system and the high satisfaction of users from its maintenance.
Nevertheless, the effectiveness of ISMM 2020 in providing information and data on the management of funds is limited due to:
- the lack of strategic planning of system management activities and procedures for outsourcing its maintenance and development;
- the limited capabilities of the system to generate data in different level of details and levels of summarization;
- the established incorrect data from the outputs of the system due to problems in extracting summarized information from it;
- the need to update internal rules and procedures for the management of ISMM 2020.
The Bulgarian National Audit Office (BNAO) has given 24 recommendations to the Minister of Finance to improve the management of the system.
The BNAO audit team, conducted the audit has received the institution's annual award "Team of the Year 2023" which is given for the highest professional achievements.