controller. If that doesn’t happen, the internal auditor becomes
a repetitive advisory voice without empowerment.
The EC and the EU are difficult for Americans in particular to
understand, because, as the Union itself says, it’s a unique
organization, not really a federal union or simply a voluntary
association. Do you think that the very structure and nature of
the EC are such that controls are more difficult to implement?
In a multilateral organization, there are different cultures and
different languages, particularly in Europe. Cultural sensitivity
is a major career-progression precondition. Now, that is very
important and very good, but at some point, the law of diminishing returns sets in, and what I call the “politeness conspiracy”
takes over, and no one tells the truth any more. If that becomes
part of the culture, you miss out on a lot of social controls you
would have in a monoculture.
A second element is that the commissioners, by treaty, have
collective responsibility. That climate of collective responsibility was introduced at a time when the EC was predominantly a
policy setter — on competition, the environment, and so forth.
The commission only became a robust money manager — and
that’s its Achilles heel — from the 1980s onward. Ultimately,
that led to annual spending of about 100 billion Euros. The
money-management role of the commission has never been properly recognized, and thus you never had a control culture, because
control wasn’t a valued function. After 10 or 20 years, something
had to give. So, in 1999, it was a relatively small incident, involving a billing of 6,000 Euros that triggered the commission’s resignation. The Dutch expression is that it was the last drop that
made the bucket spill over.
The EC has an enormous challenge in catching up on those
20 years, on its control construct. So, one should not be too critical. But at the same time one should also be critical enough,
and say that if you do come out with a proper white paper, you
have to make sure that you “walk the talk.” Commission President Romano Prodi has told the European Parliament that it
will have to study the governance construct and commissioners’
responsibilities more closely, so we are making some headway.
We have been hammering on that issue, as the IAS, for a long,
Normally, in a corporation or an institution, you have an
accountant, a finance director, or a controller who actually helps
underpin collective responsibility by vouching for the integrity
of the numbers and the adequacy of the controls. We’re not
that far yet. The structure has to be strengthened horizontally.
We’ve been arguing for that. That is no different than other
organizations, and it is also fixable if we get our governance
Eighty percent of the commission’s expenditures are made
through the member states themselves. Yet, the commission,
by treaty, keeps budget responsibility. That arrangement is married with another assumption, called the “‘subsidiarity assumption,” which means that you rely as much as possible on the
existing control framework of the member states.
The control frameworks of the member states are very
diverse, very culturally determined. It’s practically impossible to assume full-fledged budget responsibilities for the
expenditure that goes down to the member states unless you
have a very effective mechanism that ensures up front that
member states take responsibility. At this moment, that is
mainly done by ex post facto audit arrangements, except
for a few most-interesting avant-garde programs. We are
arguing for the equivalent of an assurance statement or a letter of representation from these countries before we start
sending the money. We want them to vouch for the systemic
adequacy of their controls, properly signed by the finance
minister of that country and countersigned by the national
audit officer or audit court with legal jeopardy. So far, there
are few takers.
So, yes, the commission has a few characteristics that are peculiar to it, but none that are not fixable.
You’ve worked in both the public and the private spheres.
Could you elaborate on the similarities and differences
between the two?
The private sector has it somewhat easier because the drivers are
more concrete. You have either products or services, and you have
a bottom line. The performance indicators are relatively clear. An
organization like the EU goes into territories that by definition,
are high risk and, by definition, have a redistribution-of-wealth
aspect, so the controls are very difficult to design with finesse. The
performance indicators are very different, and they’re sometimes
elusive. All multilaterals, and also many individual countries, struggle with that. You tread in territory that is heavily politicized, with
soft products, and sometimes not even products, but simply political decisions for the distribution of wealth. At the same time, the
politicians want to be able to tell the taxpayer, “We’ve got excellent controls.”
We’re in a high-risk business. For example, we send about
10 billion Euros in grant money to developing countries annually. Developing countries, by their very nature, have a leakage percentage that is extremely high, probably are between
15 percent and 35 percent. This is not all fraud; it is also inefficiency and lack of effectiveness. To get that accepted at all levels in a political institution is extremely difficult. If you start out
by saying to your taxpayer, “Yes, we’re adding another billion
to a risk profile with 30 percent leakage,” that is not going to
go down well.
The single greatest difference is the politicization. I know that
in the corporate sector you also have politics, but in the public sec-
INTERNAL AUDITOR FEBRUARY 2004