Internal Control Standards
In accordance with Commission guidelines, it is our policy to apply internal controls to ensure that:
- Operational activities are effective and efficient
- Legal and regulatory requirements are met
- Financial and other management reporting is reliable
- Assets and information are safeguarded
Internal control is the responsibility of all officials. Eurofound aims to ensure that internal control systems are integrated with operating activities so that prompt reaction to changing situations is possible and the quality of decision-making and delegation can be improved.
There are 16 internal control standards which provide generic management principles and set out the minimum requirements for Eurofound internal control activities:
- Ethical and organisational values
- Staff allocation and mobility
- Staff evaluation and development
- Objective and performance indicators
- Risk management process
- Operational structure
- Processes and procedures
- Management supervisions
- Business continuity
- Document management
- Information and communication
- Accounting and financial reporting
- Evaluation activities
- Assessment of internal control systems
- Internal audit capability
The 'raison d’être' of Eurofound is clearly defined in an up-to-date and concise mission statement developed from the perspective of Eurofound’s founding regulation and the expectations of its stakeholders.
Requirements: Eurofound’s mission statement is communicated to staff and is readily accessible. The purpose of each unit is linked to this mission statement.
Management and staff are aware of and share appropriate ethical and organisational values and uphold these through their own behaviour and decision-making.
Requirements: Ethical and organisational values have to be experienced by every member of Eurofound. Where appropriate, written rules and procedures are clearly communicated and accessible to all. This would in particular avoid conflicts of interest and irregularities.
The allocation and recruitment of staff is based on Eurofound objectives and priorities. Management promote and plan staff mobility so as to strike the right balance between continuity and renewal.
Requirements: Whenever necessary, management aligns the organisational structures and staff allocations with priorities and workload; Staff job descriptions are consistent with relevant mission statements; Eurofound has a policy to promote, implement and monitor mobility (e.g. publication of vacant posts, list of specialist posts) in order to ensure that the right person is in the right job at the right time and, where feasible, to create career opportunities; Necessary support is defined and delivered to new staff to facilitate their integration in the team.
Staff performance is evaluated against individual annual objectives,
which fit with Eurofound goals and objectives. Adequate measures
are taken to develop the skills necessary to achieve the objectives.
Requirements: In the context of the Human Resources Development Programme (HRDP) process, discussions and feedback sessions are held individually with all staff to establish and review their annual objectives, which fit with Eurofound and unit's objectives; Staff performance is evaluated according to the objectives and targets set down in the HRDP and with the requirements of the job specification. This is also taken into account in the assessment for promotion.
Eurofound goals and objectives are clearly defined and updated when necessary. These are formulated in a way that makes it possible to monitor their achievement. Key performance indicators are established to help management evaluate and report on progress made in relation to their objectives.
Requirements: Eurofound Annual Work Programme (WP) and units’ Annual Management Plans (AMPs) are developed in accordance with applicable guidance and on the basis of a dialogue between managers, middle managers and staff in order to ensure they are understood and owned; the WP and AMPs clearly set out how the planned activities at each management level will contribute to the achievement of objectives set, taking into account the allocated resources and the risk identified.
A risk management process that is in line with applicable provisions and guidelines is integrated into the annual activity planning.
Requirements: Although the organisation as a whole is generally dealing with low risks, every year a risk assessment will be part of the annual programming cycle. The Management Committee (MAC) will establish a risk register and action plan. The risk management action plan is realistic and takes into account cost/benefit aspects in order to avoid disproportionate control measures. Processes are in place to ensure that actions are implemented according to plan and continue to be relevant. Risks considered 'critical' from an overall Eurofound perspective are indicated in Eurofound Work Programme and followed-up in the Annual Activity Report.
Eurofound operational structure supports effective decision-making by suitable delegation of powers. Risks associated with sensitive functions are managed through mitigating controls and ultimately staff mobility. Adequate IT governance structures are in place.
Requirements: Delegation of authority is clearly defined, assigned and communicated in writing, conforms to Regulations requirements and is appropriate to the importance of decisions to be taken and risks involved; All delegated and sub-delegated Authorising Officers have received and acknowledged the rules and specific delegation instruments; As regards financial transactions, delegation of powers (including both 'passed for payment' and 'certified correct') is defined, assigned and communicated in writing. The office notice on sensitive functions is reviewed on an annual basis.
Eurofound processes and procedures used for the implementation and control of its activities are effective and efficient, adequately documented and compliant with applicable provisions. They include arrangements to ensure segregation of duties, and to track and give prior approval to control overrides or deviations from policies and procedures.
Requirements: Eurofound main operational and financial processes and procedures and IT systems are adequately documented and centrally accessible. Eurofound processes and procedures ensure appropriate segregation of duties; Eurofound processes and procedures comply with applicable provisions, in particular the Financial Regulation (e.g. ex-ante and ex-post verifications) and the Eurofound Implementing Rules.
Management supervision is performed to ensure that the implementation of activities is running efficiently and effectively while complying with applicable provisions.
Requirements: Management at all levels supervises the activities they are responsible for and keep track of main issues identified which are reported through the MAC. Management supervision covers both legality and regularity aspects, operational performance and organisational development (i.e. achievement of AMP objectives); Management monitors the implementation of accepted audit recommendations and related action plans on the basis of a transparent allocation of roles and responsibilities; At any time deemed appropriate, the Director informs the Commission of any potentially significant issues related to internal control and audit and OLAF (European Anti-Fraud Office) investigations, as well as material budgetary and financial issues that might have an impact on the sound management of appropriations or which could hamper the attainment of the objectives set.
Adequate measures are in place to ensure continuity of service in case of 'business-as-usual' interruption. Continuity plans are in place to ensure that Eurofound is able to continue operating to the extent possible whatever the nature of a major disruption.
Requirements: Adequate measures - including handover files and deputising arrangements for relevant operational activities and financial transactions - are in place, and accessible centrally, to ensure the continuity of all service during 'business-as-usual' interruptions (such as absence, staff change, migration to new IT systems, incidents, etc.); Business Continuity Plans identify the functions, services and infrastructure which need to be restored within certain time-limits and the resources necessary for this purpose (key staff, buildings, IT, documents and other).
Appropriate processes and procedures are in place to ensure that the Eurofound document management is secure, efficient (in particular as regards retrieving appropriate information) and complies with applicable legislation.
Requirements: Document management systems and related procedures comply with relevant compulsory security measures, provisions on document management and rules on protection of personal data.
Internal communication enables management and staff to fulfil their responsibilities effectively and efficiently, including in the domain of internal control. Eurofound has an external communication strategy to ensure that its external communication is effective, coherent and in line with the Commission's key political messages. IT systems used are adequately protected against threats to their confidentiality and integrity.
Requirements: Internal and external communications comply with relevant copyright provisions; Eurofound Balanced Scorecard (BSC) is developed for the main goals of Eurofound and, where appropriate, at the level of units. The BSC includes concise management information necessary to oversee the entity's activities and evolution, for example: performance indicators, financial information or other relevant management information; Arrangements are in place to ensure that management and staff are appropriately informed of decisions, projects or initiatives - including those in other units - that concern their work assignments and environment; All personnel are encouraged to communicate potential internal control weaknesses, if judged significant or systemic, to the appropriate management level. Contact persons are assigned to facilitate and coordinate such reporting; Eurofound has a documented strategy for external communication, including clearly defined target audiences, messages and action plans.
Eurofound has adopted and implements an IT Security Plan based on an inventory of the security requirements and a risk analysis of the IT systems under their responsibility, and apply the relevant control measures as documented in the security plan and disaster recovery plan; The IT systems support adequate data management, including database administration and data quality assurance. Data management systems and related procedures comply with relevant compulsory security measures and rules on protection of personal data.
Adequate procedures and controls are in place to ensure that accounting
data and related information used for preparing the organisation's
annual accounts and financial reports are accurate, complete and timely.
Requirements: Each Authorising Officer has responsibility through PROJEX and ABAC for ensuring the reliability and completeness of the accounting information under his/her control necessary to the Accounting Officer for the production of accounts which give a true image of Eurofound’s assets and of budgetary implementation; The Accounting Officer is the coordinator and acts as helpdesk within Eurofound with a view to ensuring the quality of accounting data and information supplied to the Commission central accounting system.
Evaluations of expenditure programmes and other non-spending activities are performed to assess the results, impacts and needs that these activities aim to achieve and satisfy.
Requirements: Evaluations are performed in accordance with an annual evaluation plan outlining the appropriate type (retrospective evaluations, interim, final and ex-post, and prospective evaluations, ex-ante and impact assessments) and the scope of each evaluation. Evaluations are performed in accordance with professional standards.
Management assesses the effectiveness of the internal control systems, including the processes carried out by implementing bodies, at least once a year.
Requirements: Management assesses the effectiveness of the internal control systems, including the processes carried out by implementing bodies at least annually. Such self-assessments can, for example, be based on staff surveys or interviews combined with management reviews of supervisory reports, results of evaluation and ex-ante/ex-post verifications, audit recommendations and other sources that provide relevant information about the internal control effectiveness.
Eurofound relies on an internal audit capability, provided by IAS (Internal Audit Service of the European Commission). IAS provides independent, objective assurance and consulting services designed to add value and improve the operations of Eurofound.
The annual audit work plan is risk-based, forms part of a multi-annual
strategic plan coordinated with the IAS and is approved by the
The Director ensures that the IAS has sufficient and adequate resources
to perform the audit work plan.