Summary and Committee's conclusions

6.1 The Court of Auditors audits the accounts of all EU revenue and expenditure to verify their reliability and the legality and regularity of the underlying transactions. It may also publish Special Reports addressing specific questions concerning EU expenditure. In this, the Court's third Special Report issued in 2014, it examines the Commission's management and development of the second generation Schengen Information System —SIS II.

6.2 The Schengen Information System dates back to 1995 and is regarded as a vital complement to the creation of the Schengen free movement area. It is used by border guards, police, customs, visa and judicial authorities across most parts of the EU and contains information ("alerts") on individuals who may have some involvement with serious crime or who may not have the right to enter or stay in the EU, as well as information on missing persons and on lost or stolen property, such as vehicles, firearms, identity papers and banknotes. The decision to create a second generation Schengen Information System was taken as far back as 1996, in the expectation that further enlargement of the EU would necessitate a substantial upgrade. The Commission was given responsibility for managing the SIS II project in 2001 and outsourced development work for the Central SIS II System to a private contractor. The project has been beset by repeated delays and cost overruns and the Commission was unable to meet its original deadline of end 2006 for delivering SIS II. Meanwhile, to accommodate more member countries following the accession of ten new Member States to the EU in 2004, adaptations to the existing Schengen Information System were made ("SISone4all") which took effect at the end of 2007.

6.3 Although the UK does not participate in the Schengen free movement area, it has an active interest in the development of SIS II and planning has been underway for many years to connect to those parts of SIS II dealing with police and criminal judicial cooperation. SIS II became fully operational for other participating countries in May 2013 and the UK plans to connect to the Central SIS II system in the final quarter of 2014. SIS II has the capacity to hold much more information, including fingerprints and photographs, and has improved functionalities to make it easier to link different types of alert.

6.4 SIS II became fully operational in May 2013 — six years late and eight times over its initial budget estimate. The UK plans to connect it by the end of this year. The Court of Auditors Special Report provides a valuable source of information on the delays and cost overruns that have beset the development of SIS II. Given the Government's customary insistence on demonstrating value for money for all EU expenditure, it is disappointing that the Minister provides no assessment of the Court's findings and recommendations or the Commission's response, particularly as the latter implicates the Council's "constantly evolving" system requirements as a cause of the delay and increase in costs.[16] We ask the Minister whether she agrees with the Court's findings and whether she accepts, as the Commission suggests, that Member States have been reluctant to acknowledge and address weaknesses in the business case for SIS II. We also ask her to explain whether, and how, the Government considers that the expected benefits of SIS II justify the very substantial costs incurred in its development.

6.5 We note that UK participation in SIS II is dependent on the outcome of negotiations on the UK's block opt-out of pre-Lisbon police and criminal justice measures and its request to opt back into a 2007 Council Decision establishing the operational legal base for those elements of SIS II dealing with police and judicial cooperation in criminal matters. We ask the Minister to assess the risk that these ongoing negotiations will set back the timetable for the UK to connect to SIS II in the final quarter of 2014. Meanwhile, the Court of Auditors report remains under scrutiny.

Full details of the documents: Special Report of the European Court of Auditors: Lessons from the European Commission's development of the second generation Schengen Information System (SIS II), Third Special Report for 2014: (36055), -.

Background

6.6 The Schengen Information System is based on a network of national systems which are linked to a Central System. The Government has provided periodic updates to Parliament on the progress made by the UK in developing its own national system to connect to the Central SIS II System. In February 2011, the Government told us that the UK's SIS II programme had been the subject of a Major Project Review conducted by HM Treasury and the Office for Government Commerce which concluded that the programme was "in a good position to deliver its objectives".[17]

6.7 In December 2012, the Government provided further information on the costs of the UK's SIS II programme and the projected benefits. It estimated that total programme spend to the end of the financial year 2014-15 would amount to £106.28 million,[18] and the cash costs during the first ten years of live operation to £168 million, but set this against projected net benefits to the UK of around £624 million over the same ten-year period. The Government identified three categories of monetary benefit:

·  increased detections of individuals subject to European Arrest Warrants at the UK's primary checkpoints;

·  barrier effects (an expected deterrent effect on entry to the UK); and

·  recovery of lost and stolen UK passports.

6.8 Other benefits included "greater identity assurance at the border primary checkpoints, improved public and law enforcement officer protection, improved judicial cooperation and improved police cooperation". The Government added that all of these benefits had been "agreed and quality assured by Home Office economists and financial modellers to ensure the Programme is in line with the HM Treasury Green Book".[19]

6.9 A number of instruments concerning the Schengen Information System are within the scope of the UK's block opt-out of pre-Lisbon police and criminal justice measures and will cease to apply to the UK with effect from 1 December 2014. The Government has indicated that it wishes to opt back into one of these measures — a 2007 Council Decision on the establishment, operation and use of SIS II — which it says "constitutes the operational legal basis for SIS II for the purposes of police and judicial cooperation in criminal matters".[20] The UK's request to join this, and 34 other pre-Lisbon police and criminal justice measures, is currently the subject of negotiation with the Commission and Council.

The Court of Auditors Special Report

6.10 The Court of Auditors report examines whether the Commission managed the development of SIS II well and addresses four questions: whether SIS II was delivered on time; whether it was in line with initial cost estimates; whether there was a sufficiently robust business case; and whether the Commission learned and applied lessons throughout its management of the project. The following paragraphs summarise the Court's observations and its main conclusions and recommendations.

Did the Commission deliver SIS II on time and on budget?

6.11 Although the Commission delivered the Central SIS II System in time for its revised launch date in April 2013, it did so six years later than initially planned and at eight times the original budget estimate.[21] The Court attributes the delay and overspend to the "challenging governance context which limited the Commission's ability to address operational issues", but also highlights weaknesses in the Commission's management of the early stage of the project. Its findings include:

·  an unrealistic initial project deadline (end 2006) and cost estimate;

·  delays in producing a revised project budget for the development of SIS II;

·  changes to the system requirements, including a significant increase in the capacity of SIS II (from an initial estimate of 15 million alerts to up to 100 million), which only stabilised towards the end of the final project phase from 2010;

·  lack of expertise within the Commission, and too few staff, to manage outsourced contracts effectively and to supervise the main development contractor in the early stages;

·  poor working relations with some Member States (alleviated by the creation of a Global Project Management Board in 2009);

·  an unclear governance framework; and

·  large increases in the value of the main development contract (from €20 million in 2004 to €82 million in 2012).

Was there a sufficiently robust business case?

6.12 The Court observes that the full cost of delivering SIS II amounts to around €500 million, comprising €189 million for the Central System and an estimated €330 million for the development of national systems.[22] Whilst costs have spiralled, the Court suggests that the expected benefits have reduced. This is because the Schengen Information System was successfully extended to new member countries (those acceding to the EU in 2004) in 2007, through the SISone4all project, thereby diminishing a major element of the business case for SIS II. Despite major changes to the expected costs and benefits of the SIS II project, the Commission did not thoroughly re-assess its original business case in order to demonstrate that SIS II remained an organisational priority offering a higher return on investment than other opportunities.

Did the Commission learn lessons?

6.13 The Court considers that the Commission did learn lessons from its experience during the early stage of the project which were reflected in a change of approach during the final phase from 2010 to April 2013. It introduced a more realistic deadline for completion of the SIS II project, allocated more resources and appropriate expertise, established a Global Project Management Board to strengthen relations with Member States and end-users, and worked to more stable system requirements. Although the Commission has not carried out a formal evaluation, it has applied lessons learned from SIS II in preparing other large-scale IT projects. In particular, the Commission recognises the need for system requirements to be set out in legislation before development work starts and for an effective governance structure. Responsibility for the development of future large-scale IT systems, and the management of those such as SIS II which are now operational, has been entrusted to a new Agency ("eu-LISA") which has the necessary expertise to oversee large-scale IT projects.

The Court's recommendations

6.14 The Court makes eight recommendations for managing and developing large-scale IT systems:

·  base the project timetable on a technical analysis of the tasks to be performed;

·  integrate all projects into corporate IT governance arrangements and make full use of in-house expertise to manage the work of contractors effectively;

·  ensure that business needs and the views of end-users are sufficiently taken into account in decision-making;

·  ensure the approval of the business case before progressing from project initiation to project planning and review it in the event of major changes to project costs, expected benefits, risks or alternatives;

·  document key project decisions so that they are easily traceable;

·  ensure that there is effective global coordination when a project requires the development of different but dependent systems by different stakeholders;

·  develop large-scale IT systems using interoperable building blocks which can be easily re-used to prevent being locked into a single contractor; and

·  pass on lessons learned from the Court's audit to all EU institutions and agencies and complete an evaluation of the extent to which SIS II has achieved the expected benefits.

The Commission's reply

6.15 In its reply to the Court's findings, the Commission notes that the decision to develop SIS II was taken by the Council on its own initiative (without a Commission proposal) and attributes the delays and cost over-runs to "substantially changing system requirements" which "had a huge impact" on the management of the outsourced contract for developing SIS II. It highlights "the large difference between the nature of the system initially planned and the one that was delivered", as well as the complex governance structure and difficult relationship with some Member States, stemming from "policy considerations related to the overall approach of some member countries towards the enlargement of the Schengen area".[23]

6.16 The Commission adds that it had no formal role in assessing the initial business case for SIS II, and that it systematically reassessed cost estimates at key milestones of the project, but says that the Council made clear, throughout the project, that "the entry into operation of SIS II was an absolute priority".[24] It confirms that it will share the lessons learned from the Court's audit of SIS II project management and that the impact of SIS II will be assessed in 2016 (three years after it entered into operation). However, it also questions how readily transferable some of the lessons learned from the development and implementation of SIS II will be, given that it has been "a very specific undertaking" which will be difficult to replicate in other IT systems.

6.17 The Commission accepts all of the Court's recommendations, most of which it says form part of the IT governance arrangements it put in place in 2010. Its concluding assessment of SIS II is that it "is performing adequately and fulfils the needs of the users" and that it has "significant additional functions" which give end-users "immediate visible practical advantages over SIS I".[25]

The Minister's Explanatory Memorandum of 11 June 2014

6.18 The Minister for Modern Slavery and Organised Crime (Karen Bradley) describes the content of the Court of Auditors report, says that it has no direct policy implications for the UK, and confirms that the UK is on track to connect to SIS II In the final quarter of 2014. She adds:

"The Central SIS II system is currently operating in a stable environment: there have been no incidents to report. For the last seven months, Member States have consistently reported that they are not experiencing any issues."[26]

Previous Committee Reports

None.

17   See letter of 7 February 2011 from the then Parliamentary Under-Secretary for Crime Prevention (James Brokenshire) to the Chair of the European Scrutiny Committee. Back

18   A slightly higher figure of £111 million is given in Command Paper 8671, published in July 2013. Back

19   See letter of 13 December 2012 from the Security Minister (James Brokenshire) to the Chair of the European Scrutiny Committee. Back

20   See Command Paper 8671, July 2013. Back

21   The Commission's initial cost estimate of €23 million in 2001 was updated in 2003 to €35.3 million and revised again in 2010 to €145 million. The actual cost to April 2013 is estimated as €188.6 million. Back

22   The cost of developing national systems has largely been met from national budgets, but includes some €95 million from the EU's External Borders Fund for 2007-13. Back

23   See pp.44-45 of the Court of Auditors Special Report. Back

24   See p.56 of the Court of Auditors Special Report. Back

25   See pp.44 and 53 of the Court of Auditors Special Report. Back

26   See para 17 of the Minister's Explanatory Memorandum. Back