European Structural and Investment Funds: Management and Control System

Information system

4.1. Description of the information systems including a flowchart (central or common network system or decentralised system with links between the systems)

A bespoke, fully integrated web-based IT system has been developed to enable the MA to manage the 2014 to 2020 programmes. The system is called EUMIS. It supports all phases of the process, including applications, claims, progress towards targets, payments and recoveries, and compliance and verification checks. The system has a flexible reporting tool allowing users to meet all reporting requirements. The relationships between the steps in the delivery of the programme and where information is held can be viewed in an image in the PDF version of this document hosted on EUMIS, available by request.

There is no direct link between EUMIS and the Commission’s SFC database for the automated electronic exchange of information. The EUMIS reporting tools generate the necessary management information reports that can be manually uploaded in the SFC. Reports produced in this way will be time and date stamped and where necessary electronically signed before being loaded onto SFC.

EUMIS is available to Lead Partners through a web interface for the entry of operation applications, milestones and claims for payments. This online service shares the same common database as the internal systems allowing checking and authorisation of the various stages by the MA. EUMIS is hosted on the Scottish Government servers and is maintained by ISIS (the internal SG information management systems specialists). EUMIS is designed and built to meet the principle of segregation of duties in all processes. It is protected by the same systems as the remainder of the Government electronic systems.

4.1.1. Collecting, recording and storing, in a computerised form data on each operation, including where appropriate data on individual participants and a breakdown of data on indicators by gender when required, necessary for monitoring, evaluation, financial management, verification and audit, as required by Article 125(2)(d) of Regulation (EU) No 1303/2013 and by Article 24 of Commission Delegated Regulation 480/2014

The single database within EUMIS holds detailed financial data on all operations, including forecast spend, activity due and dates due allowing the MA to track and monitor progress. Where required by the individual operation it will record units met, costs incurred and all claim data required for reporting to the Commission. Information on each operation is collected and entered at each stage of the lifecycle of the operation according to the detail on the individual screens within EUMIS.

Entering detail in this manner means EUMIS holds targets and progress made towards indicator outputs and results by gender where required. It holds data on individuals receiving support, breaking this down by all the required EU reporting characteristics. The data on individuals supported, and activity undertaken will be uploaded by the Lead Partners and then checked and verified by the MA through the claim and verification processes. 

4.1.2. Ensuring that the data referred to in the previous point is collected, entered and stored in the system, and that data on indicators is broken down by gender where required by Annexes I and II to Regulation (EU) No 1304/2013, as required by Article 125(2)(e) of Regulation (EU) No 1303/2013

The EUMIS system has been developed so that data relating to indicators has to be entered into the system for an indicator to count as achieved. The data required for reporting is mandatory on the system. Therefore the DA must upload data relating to indicators for them to be included towards targets. The system has reports allowing the MA to check all data uploaded.

The data regarding recipients (individual participants, organisations or other activity) being supported through an operation can be updated directly by the DA onto EUMIS or through a web service interface. Transmission via an interface established between the EUMIS system and the beneficiary's system which will identify common fields and transfer the appropriate information. 

Data will not be accepted by EUMIS unless all mandatory fields required for reporting purposes have been completed. Data will be checked at claim stage.

Lead Partners will confirm that all outputs and results have been updated when submitting a claim and progress towards outputs and results will be monitored at claim stage

4.1.3. Ensuring that there is a system which records and stores, in computerised form, accounting records for each operation, and which supports all the data required for drawing up payment applications and accounts, including records of amounts to be recovered, amounts recovered, amounts irrecoverable and amounts withdrawn following cancellation of all or part of the contribution for an operation or operational programme, as set out in Article 126(d) and 137(b) of Regulation (EU) No 1303/2013

EUMIS holds detailed records of all units and costs within each claim and the operation(s) these relate to. 

Each operation is badged by the relevant reporting fields required by the Commission. If costs or units are deemed ineligible post payment, they will be recorded as irregularities and the MA will designate the status withdrawn, recovered, pending recovery, de-minimis, irrecoverable or non-reportable, as appropriate. The amounts will be repaid to the budget of the Commission by deduction from the expenditure declared and notified to the Commission via the submission of the next statement of expenditure. 

EUMIS holds the necessary data as to the amount and status of the irregularity, amounts to be recovered, recovered or irrecoverable. EUMIS can identify all operations which have been withdrawn and all payments relating to them can be reported as such. This information will be drawn by the MA in order for the CA to complete the Commission returns.

4.1.4. Maintaining accounting records in a computerised form of expenditure declared to the Commission and the corresponding public contribution paid to beneficiaries, as set out in Article 126(g) of Regulation (EU) No 1303/2013

EUMIS reports the details of the total expenditure, public match funding and grant paid and date paid to beneficiaries. This information will be used by the MA and CA in the preparation of declarations of expenditure to the Commission as described in Section 3.2.2. Copies of the individual declarations are stored in eRDM.

This information is maintained in both Sterling and Euros. 

4.1.5. Keeping an account of amounts recoverable and of amounts withdrawn following cancellation of all or part of the contribution for an operation, as set out in Article 126(h) of Regulation (EU) No 1303/2013

The MA will record all amounts to be recovered and all amounts withdrawn following cancellation of all or part of the contribution for an operation. These amounts will be entered into EUMIS, from where, the CA will use this information to maintain as required by Council Regulation (EU) No 1303/2013 Article 126, a list of the amounts recovered, withdrawn and pending recovery following the cancellation of all or part of the contribution for an Operation. This list is available via a report from the EUMIS system.

The MA will record irregularities recorded against each claim for each operation and as per the correct irregularity classification types. For operations which are still live, the grant due will automatically be recovered from the next claim for the relevant operation. Where an operation is no longer live, this will be recovered through issuing an invoice to the beneficiary.

4.1.6. Keeping records of amounts related to operations suspended by a legal proceeding or by an administrative appeal having suspensory effects

Where operations are suspended by a legal proceeding or by an administrative appeal having suspensory effect identified out-with the verifications process and notified to the MA, no further claims will be paid and an irregularity entered onto EUMIS as a post payment irregularity. These sums would then be removed from the next declaration and until such time as the suspension is resolved.

4.1.7. Indication as to whether the systems are operational and can reliably record the data mentioned above

The system is fully operational and can reliably record all data required by the regulations.

4.2. Description of procedures to verify that the IT systems security is ensured

EUMIS is hosted on Scottish Government servers and is covered by the SG IT Security Policy. This Policy addresses four fundamental security principles: authority, accountability, assurance and awareness. Its objectives are to ensure that:

• all IT systems used in the Scottish Government are properly assessed to ensure that corporate procedures, responsibilities and IT security objectives, in particular the legal requirements, are met
• appropriate levels of security are in place to maintain the confidentiality, integrity and availability of information and information systems
• all employees are aware of the limits of their authority and their accountability for their actions

Descriptions of the systems in place meet this policy are set out on the IT pages of the SG intranet, Saltire. Data held on SG servers is backed up according to the IT Security Policy to ensure business continuity.

The independent penetration test undertaken before the system was deployed found that there were no security vulnerabilities within the application or with its interface to the internet.

EUMIS itself is protected by several layers of security, the first of which is the requirement to only be available to registered users. A list of all registered users is maintained by the EUMIS administrator. A password is required to gain access to the system, and EUMIS automatically requires a new user to change the password provided to allow them after they first log on. Thereafter, passwords are required to be changed every three months. This is set within the detailed administrator screens of EUMIS. Any user who incorrectly enters a password three times is locked out, and can only be reset by the system administrator.

When a person no longer requires access to EUMIS, they are noted as inactive by the system administrator. This allows an audit of their work to be carried out and is more robust that removing them from the user list. Lead Partners each have a Strategic Intervention Manager who is able to add further logins for staff working on that SI. These details are added automatically to the use list maintained by the system administrator. 

Permissions as to the fields which can be changed and the screens visible to an individual role are set by the system administrator, and include the commonly used roles in the programmes, portfolio compliance officer, portfolio compliance manager etc. Each person on the user list is given a role title that links with this permissions table. A copy of the permissions table is held in eRDM.

EUMIS automatically creates and stores an Audit trail logging all changes to the database by SI or operation as appropriate, describing the user logged in, the SI or operation being amended, the date and time of the changes and a journal of all changes made including the data being entered into the database.

The web interface used by Lead Partners will use Basic Authentication over SSL to ensure that only users known to EUMIS are able to make changes. Basic authentication stores a username/password combination in the request header unencrypted. To ensure the username/password combination is not readable by anyone potentially intercepting the request, the request must be sent via SSL. EUMIS is already currently configured to use SSL. Basic Authentication is known to be susceptible to Cross-Site-Request Forgery (CSRF) attacks. This will be mitigated in the implementation of the service. Only specific user accounts to interact with the interface.

4.3. Description of the current situation as regards implementation of the requirements of Article 122(3) of Regulation (EU) No 1303/2013

The system is fully operational and can reliably record all data required by the regulations.