Part III – Assessment of the effectiveness of the internal control systems
Effectiveness of internal control systems
Methodology applied for the assessment of the effectiveness of the internal control system
EBA assesses the effectiveness of the internal control system by assessing the implementation of the Internal Control Framework, including the implementation of the defined indicators, and by evaluating the main shortcomings identified by the EBA itself or reported by others, including the Internal Audit Services and the European Court of Auditors.
Internal control framework
The EBA’s Internal Control Standards (ICS) are based on the Commission’s ICS. They are approved by the Management Board and implemented within the organisation through the adoption of detailed implementing rules and related procedures.
In January 2019, the Management Board adopted the revised Internal Control Framework, which is in line with the model of the European Commission and the Committee of Sponsoring Organisations (COSO). The revised framework entered into force on the day following its adoption.
The framework consists of five internal control components and 17 principles, which are further developed in 49 characteristics. The EBA has assessed the presence and proper functioning of each principle (17 principles) and aggregated all the results at the component level (five components) and, ultimately, at the level of the Internal Control Framework as a whole.
The monitoring cycle of the EBA’s internal control system is based on ongoing activities and specific periodic assessments. The deficiencies identified in the course of the monitoring activities are important elements that are taken into account in the annual assessment of the presence and functioning of the internal control system. Moreover, the methodology on the basis of which the annual assessment is conducted also includes an in-depth analysis of a set of indicators, measured individually or via staff surveys and audit results. The indicators and related monitoring data are discussed and approved on an annual basis by the EBA’s Executive Director.
The assessment of the ICF for 2024 was performed and the main conclusions were as follows:
- The IAS concluded that, overall, the internal control system put in place by the EBA to manage its human resources and its ethics framework are adequately designed and effectively and efficiently implemented to support the achievement of its operational goals. There were no very important recommendations issued, and the action plan proposed by the EBA has been assessed as adequate.
- The self-assessment performed in relation to the implementation of the Internal Control Framework showed that the internal system is present and functioning well, with only minor improvements needed.
- At the component level, all of them are present and functioning well, with only minor improvements needed.
- At the principles level, all of them are present and functioning well, with only six principles requiring minor improvements.
- The analysis of the internal control monitoring criteria showed that out of 67 indicators, 63 reached the established target, while four indicators did not, compared with eight in 2023, thus showing a significant improvement over a 12-month period.
Risk Management
Regarding the COSO Enterprise Risk Management (ERM) Framework, work started in 2021 with Deloitte to enhance the compatibility of the EBA’s risk management with the COSO ERM Framework. The following main pillars for managing the ERM have been developed:
- An ERM policy, defining the overall ERM practices, as well as a risk appetite/risk tolerance statement, summarising the EBA’s appetite for risk across its whole range of activities;
- An ERM lifecycle document explaining in detail the different steps/phases to be considered over the course of one year, including detailed indications of the different stakeholders and lines of defence involved in each step. The ERM lifecycle exists to generate and maintain a stream of data and information, recorded in the EBA’s risk register, on the basis of which the EBA’s management can make risk-informed decisions;
- The strategic risk register;
- The identification of specific risks requiring additional mitigation measures.
The register initially contained 15 strategic risks; following interviews with Directors and Heads of Units, two strategic risks were added for 2024, taking the overall number to 17. Six of those risks were identified as needing extra mitigation measures, which were followed up on throughout the year, with progress on individual measures being reported on a regular basis to the Management Board. In addition, in 2024 ERM developments were also added as a regular topic for discussion in senior management and directors’ meetings.
Ethics guidelines and conflicts of interest policy
The EBA has in place ethics guidelines and policies on conflicts of interest setting out rules and expected behaviours to ensure that its staff act with independence, impartiality, objectivity and loyalty, and in a transparent way.
EBA staff and members of the EBA’s governing bodies must submit annually a declaration of interests disclosing any interests that may conflict with the EBA’s legitimate interests. The declarations of members of the governing bodies are published on the EBA’s website, and so are those of the EBA’s Chairperson, Executive Director and Directors. Alongside this regular obligation, all such actors are also reminded of their obligation to declare interests at any time in between the submission of annual declarations.
In 2024, the Risk and Compliance Team, which supports the Ethics Officer’s work on ethics, processed an increased number of EBA staff ethics requests (495 requests) and continued refining the Ethics workflow, which is the system put into place for streamlining the handling of ethics requests of EBA staff. Furthermore, work has started, together with the other ESAs, for the adaptation of the conflicts of interest policy for non-staff to the new powers conferred to the EBA under DORA and MiCA.
The EBA continues to publish on its website detailed information on occupational activities that staff undertake after leaving the EBA, as recommended by the European Ombudsman in its decision in case SI/2/2017/NF.7.
Anti-fraud strategy
The EBA’s anti-fraud strategy was adopted on 22 January 2020, covers a period of five years and is implemented primarily through annual anti-fraud risk assessments (AFRA). The objective of performing an AFRA is to identify potential fraud risks in all areas of activity of the EBA and to prevent their occurrence by ensuring that appropriate controls are in place. It sets out fraud risk scenarios and assesses their severity and likelihood, identifying and taking into account existing controls and assessing their adequacy.
The last AFRA, which was finalised in Q2 2024, assessed five main areas: misappropriation and theft of EU funds and resources, lack of adequate declarations of interests by staff members, abuse of position in return for promise of favour, the leaking of sensitive information and IT breaches. The Risk and Compliance Team started developing, on the basis of the results of this AFRA, a 2025–2027 Anti-Fraud Strategy which follows the European Commission’s methodology and guidance for the Anti-fraud Strategies of EU Decentralised Agencies and Joint Undertakings, and which should be adopted by the Management Board in Q1 of 2025.
The Risk and Compliance team continued its prevention and detection work through mandatory ethics training for new joiners and all staff, in which a part is dedicated to anti-fraud. This training ensures that staff are aware of what fraud is, what can give rise to it, and what whistleblowing routes and protections are available to them to report fraud without fear of retaliation. There has been no detected fraud or EBA/OLAF investigation in 2024.
Conclusions of the assessment of internal control systems
Following the 2024 in-depth analysis of the results obtained during the annual assessment (including the results obtained from ongoing monitoring), it was found that there are no critical risks that could affect the EBA’s achievement of its objectives. All the components and principles are present and functioning as intended, but several principles were noted that would benefit from adjustments and improvements that would enhance the efficiency and effectiveness of the principle and its elements.
Five Internal Control Components:
- Control Environment: Category 1 (Fully Effective). The component is present and functioning well, only minor improvements needed.
- Risk Assessment: Category 1 (Fully Effective). The component is present and functioning well, only minor improvements needed.
- Control Activities: Category 1 (Fully Effective). The component is present and functioning well, only minor improvements needed.
- Information and Communication: Category 1 (Fully Effective). The component is present and functioning well, only minor improvements needed.
- Monitoring Activities: Category 1 (Fully Effective). The component is present and functioning well, only minor improvements needed.
With a view to upholding and enhancing the internal controls as a whole, and to strengthening the approach to compliance and performance by further embedding compliance in day-to-day work, the EBA will strengthen the development and monitoring of risk mitigation plans for relevant strategic risks, commence implementation of a new anti-fraud policy and strategy, update ethics requirements to take into account the new tasks of the EBA, and establish enhanced oversight of the management of sensitive data.
Statement of the manager in charge of risk management and internal controls
I the undersigned, in my capacity as Internal Control Coordinator, declare that in accordance with the EBA’s Internal Control Framework I have reported my advice and recommendations on the overall state of internal control at the Authority to the Executive Director.
I hereby certify that the information provided in this Annual Report and in its annexes is, to the best of my knowledge, accurate, reliable and complete.
Paris, 13 June 2025
Peter Mihalik
Internal Control Coordinator
I the undersigned declare that I have reported my recommendations on the state of risk management in the European Banking Authority to the Executive Director and to the Management Board.
I hereby certify that the management reporting on the state of risk management is, to the best of my knowledge, accurate and complete.
Paris, 13 June 2025
Jonathan Overett Somnier
Risk Manager