Internal control applies to all activities, irrespective of whether they are financial or nonfinancial. It is a process that helps an organisation to achieve its objectives and sustain operational and financial performance, respecting rules and regulations. It supports sound decision making, taking into account risks to the achievement of objectives and reducing them to acceptable levels through cost-effective controls.
The Internal Control Framework of EU-OSHA is in line with the revised Internal Control Framework of the European Commission (C(2017) 2373 final dated 19 April 2017). The Internal Control Framework consists of five internal control components and 17 principles. Based on a yearly risk assessment, EU-OSHA develops an action plan and takes steps to mitigate risks as far as possible.
The five internal control components and 17 principles are the following:
Control environment
1. EU-OSHA demonstrates commitment to integrity and ethical values.
2. The Governing Board (GB) shows independence from management and monitors the development and performance of internal control.
3. The Director establishes structures, reporting lines and appropriate authorities and responsibilities in the pursuit of objectives.
4. EU-OSHA demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.
5. EU-OSHA holds individuals accountable for their internal control responsibilities in pursuit of objectives.
Risk assessment
6. EU-OSHA specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. EU-OSHA identifies risks to the achievement of its objectives across the organization and analyses risks as a basis for determining how the risks should be managed.
8. EU-OSHA considers the potential for fraud in assessing risks to the achievement of its objectives.
9. EU-OSHA identifies and assesses changes that could significantly impact the internal control system.
Control activities
10. EU-OSHA selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. EU-OSHA selects and develops general control activities over technology to support the achievement of objectives.
12. EU-OSHA deploys control activities through corporate policies that establish what is expected and in procedures that put policies into action.
Information and communication
13. EU-OSHA obtains or generates and uses relevant quality information to support the functioning on internal control.
14. EU-OSHA internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. EU-OSHA communicates with external parties about matters affecting the functioning of internal control.
Monitoring activities
16. EU-OSHA selects, develops and performs ongoing and/or separate assessments to ascertain whether the components of internal control are present and functioning.
17. EU-OSHA identifies and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, as appropriate.