
Internal control standards

As a public body, EU-OSHA strives for excellence and has to be transparent and accountable.

EU-OSHA uses a well-established system of internal control standards in line with the Commission’s standards. The standards set clear criteria for the Agency’s management and are assessed regularly. Following each assessment, EU-OSHA develops an action plan and takes steps to address any shortcomings that have been identified. 

The internal control standards aim to make sure that:

  • Operational activities are effective and efficient
  • Legal and regulatory requirements are met
  • Financial and other management reporting is reliable
  • Assets and information are safeguarded

There are 16 standards, grouped into six blocks, as outlined below:

Mission and values

1. Mission

The Agency’s raison d’être is clearly defined in an up-to-date and concise mission statement developed from the perspective of the Agency’s users.

2. Ethical and organisational values

Management and staff are aware of and share appropriate ethical and organisational values and uphold these through their own behaviour and decision-making.

Human resources

3. Staff allocation and mobility

The allocation and recruitment of staff is based on the Agency’s objectives and priorities. Management promote and plan staff mobility to strike the right balance between continuity and renewal.

4. Staff evaluation and development

Staff performance is evaluated against individual annual objectives, which fit with the Agency's overall objectives. Adequate measures are taken to develop the skills necessary to achieve the objectives.

Planning and risk management process

5. Objectives and performance indicators

The Agency’s objectives are clearly defined and updated when necessary. These are formulated in a way that makes it possible to monitor their achievement. Key performance indicators are established to help management evaluate and report on the progress made in relation to their objectives.

6. Risk management process

A risk management process that is in line with applicable provisions and guidelines is integrated into the annual activity planning.

Operations and control activities

7. Operational structure

The Agency's operational structure supports effective decision-making by suitable delegation of powers. Risks associated with the Agency's sensitive functions are managed through mitigating controls and ultimately staff mobility. Adequate IT governance structures are in place.

8. Processes and procedures

The Agency’s processes and procedures used for the implementation and control of its activities are effective and efficient, adequately documented and compliant with applicable provisions. They include arrangements to ensure segregation of duties and to track and give prior approval to control overrides or deviations from policies and procedures.

9. Management supervision

Management supervision is performed to ensure that the implementation of activities is running efficiently and effectively while complying with applicable provisions.

10. Business continuity

Adequate measures are in place to ensure continuity of service in case of 'business-as-usual' interruption. Business continuity plans are in place to ensure that the Agency is able to continue operating to the extent possible whatever the nature of a major disruption.

11. Document management

Appropriate processes and procedures are in place to ensure that the Agency's document management is secure, is efficient (in particular as regards retrieving appropriate information) and complies with applicable legislation.

Information and financial reporting

12. Information and communication

Internal communication enables management and staff to fulfil their responsibilities effectively and efficiently, including in the domain of internal control. Where appropriate, the Agency has an external communication strategy to ensure that its external communication is effective, coherent and in line with the Agency's key messages. IT systems used and/or managed by the Agency (where the Agency is the system owner) are adequately protected against threats to their confidentiality and integrity.

13. Accounting and financial reporting

Adequate procedures and controls are in place to ensure that accounting data and related information used for preparing the organisation's annual accounts and financial reports are accurate, complete and timely.

Evaluation and audit

14. Evaluation of activities

Evaluations of expenditure programmes and non-spending activities are performed to assess the results, impacts and needs that these activities aim to achieve and satisfy.

15. Assessment of internal control systems

Management assess the effectiveness of the Agency's key internal control systems, including the processes carried out by implementing bodies, at least once a year.

16. Internal audit function

The internal audit function at EU-OSHA is performed by the European Commission’s Internal Auditor. The Internal Auditor shall advise EU-OSHA on dealing with risks by issuing opinions on the quality of management and control systems and by issuing recommendations for improving the conditions of implementation of operations and promoting sound financial management.

Find out more about how EU-OSHA is governed.