Part III – Assessment of the effectiveness of the internal control systems


Effectiveness of internal control systems

Methodology applied for the assessment of the effectiveness of the internal control system

The EBA assesses the effectiveness of the internal control system by assessing the implementation of the internal control framework, including the implementation of the defined indicators, and by evaluating the main shortcomings identified by the EBA itself or reported by others, including the Internal Audit Services and the European Court of Auditors.

Internal control framework

The EBA’s Internal Control Standards (ICS) are based on the Commission’s ICS. They are approved by the Management Board and implemented within the organisation through the adoption of detailed implementing rules and related procedures.

In January 2019, the Management Board adopted the revised Internal Control Framework, which is in line with the model of the European Commission and the Committee of Sponsoring Organizations (COSO). The revised framework entered into force on the day following its adoption.

The framework consists of 5 internal control components and 17 principles, which are further developed in 49 characteristics. The EBA has assessed the presence and proper functioning of each principle (17 principles) and aggregated all the results at the component level (5 components) and ultimately at the level of the Internal Control Framework as a whole.

The monitoring cycle of the EBA’s internal control system is based on ongoing activities and specific periodic assessments. The deficiencies identified in the context of the monitoring activities are important elements that are taken into account in the annual assessment of the presence and functioning of the internal control system. Moreover, the methodology on the basis of which the annual assessment is conducted also includes the in-depth analysis of a set of indicators, measured individually or via staff surveys, and of the audit results. The indicators and related monitoring data are discussed and approved on an annual basis by the EBA’s Executive Director.

The assessment of the ICF for 2023 was performed and the main conclusions were as follows:

  • The IAS concluded that, overall, the design and implementation of the internal control framework set up by the EBA are effective and efficient in allowing the achievement of the Agency’s objectives, giving the EBA certainty for the assurance building process. Only one very important recommendation was issued in 2023; the action plan proposed by the EBA for it has been assessed as adequate and the implementation will be concluded in 2024.
  • The self-assessment performed in relation to the implementation of the internal control framework showed that the internal system is present and functioning well, with only minor improvements needed.
  • At the component level, all of them are present and functioning well, with only minor improvements needed.
  • At the principles level, all of them are present and functioning well, with only 7 principles requiring minor improvements.
  • The analysis of the internal control monitoring criteria showed that out of 66 indicators, 58 reached the established target, while 8 indicators did not, compared with 13 in 2022, thus showing a significant improvement over a 12-month period.

Ethics guidelines and conflicts of interest policy

The EBA has in place ethics guidelines and policies on conflicts of interest, setting out rules and expected behaviours to ensure that its staff act with independence, impartiality, objectivity and loyalty, and in a transparent way.

EBA staff and members of the EBA’s governing bodies must submit annually a declaration of interests disclosing any interests that may conflict with the EBA’s legitimate interests. The declarations of members of the governing bodies are published on the EBA’s website, and so are those of the EBA’s Chair, Executive Director and Directors. Alongside this regular obligation, all those actors are also reminded of their obligation to declare interests at any time in between the submission of annual declarations.

A specific risk and compliance team supports the Ethics Officer’s work on ethics.

In 2023 in the area of ethics, the workflow system implemented at the end of December 2022 has effectively streamlined the handling of ethics requests and refinements continue to be made to the system. A new system for the annual declaration of conflicts of interest for BoS, MB, ResCo and AMLSC members was implemented in 2023, which significantly reduced the workload for compiling and assessing declarations. The EBA also led an Inter-Agency Legal Network workstream on revolving doors issues, surveying EU agencies, compiling current practices and identifying good practices that may be of interest to other agencies.

The EBA continues to publish detailed information on leavers, as recommended by the European Ombudsman in its decision in case SI/2/2017/NF[1].

Anti-fraud strategy

The EBA’s anti-fraud strategy was last updated in 2020 and is expected to be updated following the finalisation of new OLAF guidance on anti-fraud strategies. It is implemented primarily through an annual anti-fraud risk assessment (AFRA) coordinated by the Risk and Compliance team within the Legal and Compliance Unit. The 2023 exercise was launched in November 2023 and the conclusions were presented to the Management Board in May 2024.

The objective of performing an AFRA is to identify potential fraud risks in all areas of activity of the EBA and prevent their occurrence by ensuring appropriate controls are in place. The exercise focuses on the three primary areas of risk identified and handled in the strategy: misappropriation and theft of EU funds and resources; abuse of position in return for promise of favour; leaking of sensitive information. It sets out fraud risk scenarios and assesses their severity and likelihood, identifying and taking into account existing controls and assessing their adequacy. Based on the AFRA, where necessary, additional mitigating measures might be suggested and taken. The AFRA should also create awareness of fraud risks across the organisation, so that the EBA is better equipped to prevent, detect and report possible cases of fraud. The AFRA also contributes to the “Detect” objective of the strategy by identifying and assessing the effectiveness of controls in place to identify potential fraud and recommending further controls where appropriate. Prevention and detection work also relies on awareness activities, primarily delivered through new joiner and annual ethics training. This training ensures that staff are aware of what amounts to fraud, what can give rise to it and the channels for whistleblowing, and helps create a climate where informants feel able to approach line managers, Risk and Compliance, the Executive Director, the Management Board or OLAF. The strategy’s “recover, mitigate and respond” and “exploit” objectives have not been a focus of action in 2023 in the absence of detected frauds and EBA/OLAF investigations.

In 2024 the Risk and Compliance team will continue working to integrate the AFRA process into the EBA’s enterprise risk management (ERM) framework, and expects to update the anti-fraud strategy in the light of final OLAF guidance in this area.


Conclusions of the assessment of internal control systems

The 2023 in-depth analysis of the results obtained during the annual assessment (including the results obtained from ongoing monitoring) showed that there are no critical risks that could affect the EBA’s achievement of its objectives. All the components and principles are present and functioning as intended, but several principles were noted that would benefit from adjustments and improvements that would enhance the efficiency and effectiveness of each principle and its elements.

| Five Internal Control Components | Category |
| --- | --- |
| Control Environment | Category 1 (fully effective). The component is present and functioning well, only minor improvements needed. |
| Risk Assessment | Category 1 (fully effective). The component is present and functioning well, only minor improvements needed. |
| Control Activities | Category 1 (fully effective). The component is present and functioning well, only minor improvements needed. |
| Information and Communication | Category 1 (fully effective). The component is present and functioning well, only minor improvements needed. |
| Monitoring Activities | Category 1 (fully effective). The component is present and functioning well, only minor improvements needed. |

With a view to enhancing the internal controls as a whole and strengthening the approach to compliance and performance in terms of further embedding compliance in day-to-day work, the EBA has continued to focus on ensuring that the existing >96% attendance at its annual mandatory training on ethics, anti-fraud and other compliance areas becomes full attendance. Going forward, the EBA will further develop data protection training provision for staff and integrate local risk registers into the ERM.


Statement of the manager in charge of risk management and internal controls

I, the undersigned, in my capacity as Internal Control Coordinator, declare that in accordance with the EBA’s Internal Control Framework I have reported my advice and recommendations on the overall state of internal control at the Authority to the Executive Director.

I hereby certify that the information provided in this Annual Report and in its annexes is, to the best of my knowledge, accurate, reliable and complete.

Paris, 14 June 2024

Peter Mihalik

Internal Control Coordinator

 

I, the undersigned, declare that I have reported my recommendations on the state of risk management in the European Banking Authority to the Executive Director and to the Management Board.

I hereby certify that the management reporting on the state of risk management is, to the best of my knowledge, accurate and complete.

Paris, 14 June 2024

Jonathan Overett Somnier
Risk Manager