ANNEX I
Accreditation criteria for paying agencies referred to in Article 1(2)
1. INTERNAL ENVIRONMENT
(A) Organisational structure
The paying agency’s organisational structure shall allow it to execute the following main functions in respect of EAGF and EAFRD expenditure:
(i)
authorisation and control of payments to establish that the amount to be paid to a beneficiary is in conformity with Union rules, which shall include, in particular, administrative and on-the-spot controls;
(ii)
execution of payments of the authorised amount to beneficiaries (or their assignees) or, in the case of rural development, the Union co-financing part;
(iii)
accounting to record all payments in the paying agency’s separate accounts for EAGF and EAFRD expenditure, in the form of an information system, and the preparation of periodic summaries of expenditure, including the monthly (for the EAGF), quarterly (for the EAFRD) and annual declarations to the Commission. The paying agency’s accounts shall also record the assets financed by the EAGF and the EAFRD, in particular concerning intervention stocks, uncleared advances, securities and debtors;
(iv)
as regards types of intervention referred to in Regulation (EU) 2021/2115, the paying agency’s organisational structure shall also ensure the execution of the performance reporting on output indicators for the purposes of the annual performance clearance referred to in Article 54 of Regulation (EU) 2021/2116 and the performance reporting on result indicators for the multiannual performance monitoring referred to in Article 134 of Regulation (EU) 2021/2115, demonstrating that Article 37 of Regulation (EU) 2021/2116 is complied with.
The paying agency’s organisational structure shall provide for clear assignment of authority and responsibility at all operational levels and for separation of the functions referred to in the first paragraph, points (i), (ii) and (iii), the responsibilities of which shall be defined in an organisational chart that includes the reporting lines. It shall include the technical services and the internal audit service referred to in point 4.
(B) Human-resource standard
The paying agency shall demonstrate a commitment to integrity and ethical values. All management levels shall respect integrity and ethical values in their instructions, actions and behaviour. The integrity and ethical values shall be set out in standards of conduct and understood at all levels of the organisation, as well as by outsourced service providers and beneficiaries. Processes shall be in place to assess whether individuals and entities are aligned with the standards of conduct and to address deviations in a timely manner. The paying agency shall also demonstrate a commitment to attract, develop, and retain competent individuals in alignment with its objectives.
In particular, the agency shall ensure that:
(i)
appropriate human resources are allocated to carry out operations and existence of appropriate technical skills as required at different operational levels;
(ii)
the division of duties is such that no official has responsibility for more than one of the responsibilities for authorising, paying or accounting of sums charged to the EAGF or to the EAFRD, and no official performs any of those tasks without supervision;
(iii)
the responsibilities of each official are defined in a written job description, including the setting of financial limits to his/her authority. The latter may be defined in the system;
(iv)
staff training is appropriate at all operational levels, including fraud awareness, and there is a policy for rotating staff in sensitive positions, or alternatively for increased supervision;
(v)
appropriate measures are taken to avoid and detect a possible risk of conflict of interests within the meaning of Article 61 of Regulation (EU, Euratom) 2018/1046 as regards implementing paying agency’s functions vis-a-vis people with influence and sensitive positions inside and outside the paying agency. Where there is a risk of a conflict of interests, measures shall be in place to ensure that that Article is applied.
(C) Risk assessment
The paying agency shall ensure:
(i)
the identification of objectives of the paying agency to enable the identification and assessment of risks relating to those objectives;
(ii)
the identification of the risks, including potential irregularities or fraud, to the achievement of its objectives and the analysis of those risks as a basis for determining how the risk should be managed;
(iii)
as regards the risk of potential fraud, an anti-fraud strategy, which shall include measures to counter fraud and any illegal activities affecting the financial interests of the Union. These measures shall include the prevention and detection of, and conditions for investigating fraud; and reparation and deterrence measures, with proportionate and dissuasive sanctions;
(iv)
the implementation of measures to prevent and mitigate the risks;
(v)
the identification and assessment of changes that could significantly impact the internal control system;
(vi)
the regular review of the risk assessment and of the measures put in place to prevent or mitigate the identified risks.
(D) Delegation
(D.1)
If the paying agency delegates any of its tasks to another body in accordance with Article 9(1) of Regulation (EU) 2021/2116 the following conditions shall be fulfilled:
(i)
a written agreement must be concluded between the paying agency and that body specifying, apart from the delegated tasks, the nature of the information and the supporting documents to be submitted to the paying agency and the time limit within which they must be submitted. The agreement must enable the paying agency to comply with the accreditation criteria;
(ii)
the paying agency shall in all cases remain responsible for the efficient management of the funds concerned. It remains fully responsible for the legality and regularity of the underlying transactions, including protecting the Union’s financial interest, as well as for declaring the corresponding expenditure to the Commission and for preparing the accounts accordingly;
(iii)
the responsibilities and obligations of the other body, notably concerning the control and verification of the compliance with Union rules, shall be clearly defined;
(iv)
the paying agency shall ensure that the other body has effective systems for ensuring that it fulfils its tasks in a satisfactory manner;
(v)
the other body shall explicitly confirm to the paying agency that it fulfils its tasks and shall describe the means employed;
(vi)
the paying agency shall regularly review the tasks delegated to confirm that the work performed is of satisfactory standard and that it is in compliance with Union rules.
(D.2)
The conditions set out in points (D.1)(i), (ii), (iii) and (v) shall apply mutatis mutandis in the cases where paying agency functions are performed by another body as part of its regular tasks on the basis of national legislation.
2. CONTROL ACTIVITIES
(A) Procedures for authorising claims
The paying agency shall adopt procedures to comply with the following rules:
(i)
the paying agency shall lay down detailed procedures for the receipt, recording and processing of claims, including a description of all documents and the information system to be used;
(ii)
each official responsible for authorisation shall have at his/her disposal a detailed checklist of the verifications to be carried out, and shall attest in the supporting documents of the claim that those checks have been carried out. That attestation may be made by electronic means. There shall be evidence of systematic, such as sample, system or plan based review of the work by a senior staff member;
(iii)
a claim shall be authorised for payment only after sufficient checks have been carried out to ensure compliance with Union rules.
(iv)
the checks shall include those required by the relevant regulation governing the specific measure under which aid is claimed, and those required pursuant to Article 59 of Regulation (EU) 2021/2116 to prevent and detect fraud and irregularity with particular regard to the risks incurred. For the EAFRD, there shall in addition be procedures for verifying that the conditions for the granting of aid, including contracting, have been respected and that all applicable Union rules, including those fixed in the CAP Strategic Plan, have been complied with;
(v)
the management of the paying agency shall, at an appropriate level, be informed on a regular and timely basis of the results of administrative and on-the-spot checks carried out, so that the sufficiency of those controls may always be taken into account before a claim is settled;
(vi)
the work performed shall be detailed in a report accompanying each claim, batch of claims or, if appropriate, in a report covering one marketing year. The report shall be accompanied by an attestation of the eligibility of the approved claims and of the nature, scope and limits of the work done. This may be made by electronic means. In addition, for the EAFRD there shall be an assurance that the criteria for the granting of aid, including contracting, have been respected and that all applicable Union rules, including those fixed in the CAP Strategic Plan, have been complied with. If any physical or administrative checks are not exhaustive, but performed on a sample of claims, the claims selected shall be identified, the sampling method described, the results of all inspections and the measures taken in respect of discrepancies and irregularities reported upon. The supporting documents (in paper or electronic form) shall be sufficient to provide assurance that all the required checks on the eligibility of the authorised claims have been performed;
(vii)
where documents (in paper or electronic form) relating to the claims authorised and controls made are retained by other bodies, both those bodies and the paying agency shall set up procedures to ensure that those documents or electronic data records are kept and available to the paying agency.
(B) Procedures for payment
The paying agency shall adopt the necessary procedures to ensure that payments are made only to bank accounts belonging either to beneficiaries or to their assignees. The payment shall be made by the paying agency’s bank, or, as appropriate, a governmental payments office, within 5 working days of the date of charge to the EAGF or to the EAFRD. Procedures shall be adopted to ensure that all payments for which transfers are not executed are not declared to the EAGF or to the EAFRD for reimbursement. If such payments have already been declared to the EAGF or to the EAFRD, these should be re-credited to those Funds via the next monthly/quarterly declarations or in the annual accounts at the latest. No payments shall be made in cash. The approval of the authorising official and/or his/her supervisor may be made by electronic means, provided an appropriate level of security over those means is ensured, and the identity of the signatory is entered into the electronic records.
(C) Procedures for accounting
The paying agency shall adopt the following procedures:
(i)
accounting procedures shall ensure that monthly (for the EAGF), quarterly (for the EAFRD) and annual declarations are complete, accurate and timely, and that any errors or omissions are detected and corrected, in particular through checks and reconciliations performed at regular intervals;
(ii)
the accounting for intervention storage shall ensure that the quantities and associated costs are correctly and promptly processed and recorded per identifiable lot and in the correct account at each stage from the acceptance of an offer to the physical disposal of the product, in compliance with the applicable regulations, and ensure that the quantity and nature of stocks at every location may be determined at any time.
(D) Procedures for the performance reporting
As regards types of intervention referred to in Regulation (EU) 2021/2115, the paying agency shall ensure that an information system is in place to collect, record and store in computerised form data on each claim and operation. In addition, the system shall provide a breakdown of data on all relevant output indicators per intervention to guarantee that the annual performance reporting shows that the expenditure was made in accordance with Article 37 of Regulation (EU) 2021/2116, as well as the data for the result indicators, including targets and milestones.
(E) Procedures for advances and securities
Procedures shall be adopted to ensure that:
(i)
payments of advances are separately identified in the accounting or subsidiary records;
(ii)
guarantees are obtained only from financial institutions which fulfil the conditions of Chapter IV of this Regulation and which are approved by the appropriate authorities and which remain valid until cleared or called upon, on the simple request of the paying agency;
(iii)
The advances are cleared within the stipulated time limits and those overdue for clearing are promptly identified and the guarantees promptly called upon.
(F) Procedures for debts
All the criteria provided for in sections (A) to (E) shall apply, mutatis mutandis , to levies, forfeited guarantees, reimbursed payments, assigned revenues etc. which the paying agency is required to collect on behalf of the EAGF and of the EAFRD.
The paying agency shall set up a system for the recognition of all amounts due and for the recording in a single debtor’s ledger of all such debts prior to their receipt. The debtor’s ledger shall be inspected at regular intervals and action shall be taken to collect debts that are overdue.
(G) Audit trail
The information regarding documentary evidence of the authorisation, accounting and payment of claims, performance reporting and handling of advances, securities and debts shall be available in the paying agency to ensure at all times a sufficiently detailed audit trail.
3. INFORMATION AND COMMUNICATION
(A) Communication
The paying agency shall adopt the necessary procedures to ensure that every change in the Union’s regulations, and in particular the rates of aid applicable, are recorded and the instructions, databases and checklists updated in good time.
(B) Information systems security
The information systems security shall be certified in accordance with International Standards Organisation 27001: Information Security management systems – Requirements (ISO).
Member States may certify, provided it is authorised by the Commission, the information systems security in accordance with other accepted standards if those standards guarantee a level of security at least equivalent to that provided by ISO 27001.
The first and second paragraphs shall not apply to paying agencies responsible for the management and control of a yearly expenditure not higher than EUR 400 million, if the Member State concerned has informed the Commission of its decision to apply one of the following standards instead:
—
International Standards Organisation 27002: Code of practice for Information Security controls (ISO);
—
Bundesamt für Sicherheit in der Informationstechnik: IT-Grundschutzhandbuch/IT Baseline Protection Manual (BSI);
—
Information Systems Audit and Control Association: Control objectives for Information and related Technology (COBIT).
4. MONITORING
(A) Ongoing monitoring via internal control activities
The internal control activities shall cover at least the following areas:
(i)
monitoring of the technical services and delegated bodies responsible for carrying out the controls and other functions to ensure a proper implementation of regulations, guidelines and procedures;
(ii)
initiating of system changes in order to improve control systems in general;
(iii)
reviewing claims and requests submitted to the paying agency as well as other information providing suspicion of irregularities;
(iv)
monitoring procedures to prevent and detect fraud and irregularity with particular regard to those areas of CAP expenditure under the paying agency’s competence which are exposed to a significant risk of fraud or other serious irregularities.
Ongoing monitoring shall be built into the normal, recurring operating activities of the paying agency. At all levels the daily operations and controls activities of the agency shall be monitored on an ongoing basis to ensure a sufficiently detailed audit trail.
(B) Separate evaluations via an internal audit service
The paying agency shall adopt procedures to comply with the following rules:
(i)
the internal audit service shall be independent of the paying agency’s other departments and shall report directly to the paying agency’s director;
(ii)
the internal audit service shall verify that procedures adopted by the agency are adequate to ensure that compliance with Union rules is verified and that the accounts are accurate, complete and timely. Verifications may be limited to selected measures and to samples of transactions provided that an audit plan ensures that all significant areas, including the departments responsible for authorisation, are covered over a period not exceeding 5 years;
(iii)
the internal audit service’s work shall be performed in accordance with internationally accepted standards, shall be recorded in working papers and shall result in reports and recommendations addressed to the agency’s top management.