Analysis of the Audit Report of the Court of Auditors on Internal Information Systems

Analysis of the Court's Audit Report

The entry into force of the Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption, has meant a significant change for local authorities in Spain. This regulation, which transposes the Directive (EU) 2019/1937 on the protection of whistleblowers (known as the Whistleblowing Directive), has introduced an obligation to implement Internal Information Systems (SII) in order to ensure a safe and confidential environment for those who report irregularities.

The recent Report of the Court of Auditors, approved on November 28, 2024, analyzes the measures adopted by local governments in municipalities with populations between 100,000 and 200,000 during the 2023 financial year to comply with this regulation. This article aims to break down the main findings, conclusions, and recommendations of the court's report, reflecting on the current state of SII (Information System) systems in local entities, the challenges they face, and the opportunities to improve their implementation.

Internal Information Systems: Pillar of Transparency and the Fight against Corruption

A Internal Information System (SII) It is the preferred channel for individuals with an employment or professional relationship with an entity to report violations of European Union law, as well as other actions or omissions that may constitute serious administrative or criminal offenses. These systems must guarantee:

1. Confidentiality and anonymity of the informant and the information provided.
2. Protection against retaliation, offering support measures to whistleblowers.
3. Proper management of communications, by designating those responsible and approving clear and efficient procedures.

The importance of these systems lies in their ability to promote transparency, prevent corruption, and enable the early detection of irregularities, contributing to strengthening citizen confidence in public institutions.

Findings of the Court Report: A Widespread Delay in the Implementation of SII

The Court of Auditors' report reveals a worrying picture regarding municipal compliance with Law 2/2023. The main findings are presented below:

1. Poor compliance with the legal deadline

Only 6 of the 35 municipalities inspected (Donostia/San Sebastián, Getafe, Girona, Lleida, Mataró and Santander) managed to implement an SII within the established deadline, which expired on June 13, 2023By the end of the first quarter of 2024, only the 40 % of the municipalities had a functioning SII, which reflects a widespread delay in adapting to regulations.

2. Structural deficiencies in the implemented systems

Even among the municipalities that complied with the obligation, they were detected deficiencies in the design and operation of the SII:

• Lack of advertising and disseminationMost city councils did not adequately report the existence of internal channels, making it difficult for both inside and outside the organization to understand them.
• Deficiencies in proceduresNearly half of the approved procedures omitted essential requirements, such as the minimum content required by law.
• Deficiencies in the designation of those responsibleIn many cases, the collegiate bodies did not delegate system management functions to a designated responsible person, as required by regulations.

3. Low utilization of internal channels

The use of SIIs was low in the few months they were operational. Only 4 municipalities They received communications through their internal channels, and only a small part of these corresponded to irregularities contemplated within the scope of Law 2/2023.

4. Absence of an Independent Whistleblower Protection Authority

The report highlights that, at the end of the audited year, neither the State nor more than half of the autonomous communities had established a Independent Whistleblower Protection AuthorityThis limits the external avenues for whistleblowers to file their complaints, reinforcing the importance of SIIs at the local level.

5. Low implementation in entities dependent on city councils

Only the 12 % of dependent entities Of the municipalities without SII had internal channels for receiving communications. In contrast, in the municipalities that had implemented an SII, this percentage rose to 52 %, which demonstrates the positive influence of municipal systems on their dependent entities.

Recommendations from the Court of Auditors to Improve the SII

The report includes a series of recommendations for local governments to strengthen their SIIs and ensure their effectiveness:

Promote implementation in dependent entities: Provide technical assistance or facilitate the accession of dependent entities to the municipal system, especially in cases permitted by regulations.

Expand communication channels: Enable more channels (in person, digital, telephone) to facilitate the presentation of communications.

Improve forms and procedures: Ensure that forms are clear, accessible, and comply with legal requirements.

Strengthen whistleblower protection: Establish concrete measures that generate confidence in the system, including guarantees of anonymity and support against retaliation.

Increase advertising: Widely disseminate the existence of internal channels, both within and outside the organization, and publicize external channels created by the autonomous communities or the State.

Evaluate the performance of systems: Create indicators to conduct periodic evaluations of the effectiveness and activity of the SII.

Find out more related posts in our DPO blog