Internal control standards
EU-OSHA uses a well-established system of internal control standards in line with the Commission’s standards. The standards set clear criteria for the Agency’s management and are assessed regularly. Following each assessment, EU-OSHA develops an action plan and takes steps to address any shortcomings that have been identified.
The internal control standards aim to make sure that:
- Operational activities are effective and efficient
- Legal and regulatory requirements are met
- Financial and other management reporting is reliable
- Assets and information are safeguarded
There are 16 standards, grouped into six blocks, as outlined below:
Mission and values
The Agency’s raison d’être is clearly defined in an up-to-date and concise mission statement developed from the perspective of the Agency’s users.
2. Ethical and organisational values
Management and staff are aware of and share appropriate ethical and organisational values and uphold these through their own behaviour and decision-making.
3. Staff allocation and mobility
The allocation and recruitment of staff is based on the Agency’s objectives and priorities. Management promote and plan staff mobility to strike the right balance between continuity and renewal.
4. Staff evaluation and development
Staff performance is evaluated against individual annual objectives, which fit with the Agency's overall objectives. Adequate measures are taken to develop the skills necessary to achieve the objectives.
Planning and risk management process
5. Objectives and performance indicators
The Agency’s objectives are clearly defined and updated when necessary. These are formulated in a way that makes it possible to monitor their achievement. Key performance indicators are established to help management evaluate and report on the progress made in relation to their objectives.
6. Risk management process
A risk management process that is in line with applicable provisions and guidelines is integrated into the annual activity planning.
Operations and control activities
7. Operational structure
The Agency's operational structure supports effective decision-making by suitable delegation of powers. Risks associated with the Agency's sensitive functions are managed through mitigating controls and ultimately staff mobility. Adequate IT governance structures are in place.
8. Processes and procedures
The Agency’s processes and procedures used for the implementation and control of its activities are effective and efficient, adequately documented and compliant with applicable provisions. They include arrangements to ensure segregation of duties and to track and give prior approval to control overrides or deviations from policies and procedures.
9. Management supervision
Management supervision is performed to ensure that the implementation of activities is running efficiently and effectively while complying with applicable provisions.
10. Business continuity
Adequate measures are in place to ensure continuity of service in case of 'business-as-usual' interruption. Business continuity plans are in place to ensure that the Agency is able to continue operating to the extent possible whatever the nature of a major disruption.
11. Document management
Appropriate processes and procedures are in place to ensure that the Agency's document management is secure, is efficient (in particular as regards retrieving appropriate information) and complies with applicable legislation.
Information and financial reporting
12. Information and communication
Internal communication enables management and staff to fulfil their responsibilities effectively and efficiently, including in the domain of internal control. Where appropriate, the Agency has an external communication strategy to ensure that its external communication is effective, coherent and in line with the Agency's key messages. IT systems used and/or managed by the Agency (where the Agency is the system owner) are adequately protected against threats to their confidentiality and integrity.
13. Accounting and financial reporting
Adequate procedures and controls are in place to ensure that accounting data and related information used for preparing the organisation's annual accounts and financial reports are accurate, complete and timely.
Evaluation and audit
14. Evaluation of activities
Evaluations of expenditure programmes and non-spending activities are performed to assess the results, impacts and needs that these activities aim to achieve and satisfy.
15. Assessment of internal control systems
Management assess the effectiveness of the Agency's key internal control systems, including the processes carried out by implementing bodies, at least once a year.
16. Internal audit function
The internal audit function at EU-OSHA is performed by the European Commission’s Internal Auditor. The Internal Auditor shall advise EU-OSHA on dealing with risks by issuing opinions on the quality of management and control systems and by issuing recommendations for improving the conditions of implementation of operations and promoting sound financial management.
Find out more about how EU-OSHA is governed.