Internal Control

EASO uses a well-established system of internal control principles in line with the Commission’s standards, which are based on international best practices. The principles set clear criteria for the Agency’s management and are assessed through ex-post controls. Following each assessment, EASO develops an action plan and takes steps to address any shortcomings that have been identified.

The internal control standards aim to make sure that:

  • Operational activities are effective and efficient
  • Legal and regulatory requirements are met
  • Financial and other management reporting is reliable
  • Assets and information are safeguarded

EASO applies an Internal Control Framework that is based on 5 components, which are divided into a total of 17 principles, each having its own set of characteristics. EASO’s Internal Control Framework comprises the following:

Control Environment

The control environment is the set of standards of conduct, processes and structures that provide the basis for carrying out internal control across an organisation. The Management Board and Senior Management set the tone at the top for the importance of internal control, including expected standards of conduct.

  • Principle 1: The Agency demonstrates a commitment to integrity and ethical values.
  • Principle 2: The Management Board demonstrates independence from management and exercises oversight of the development and performance of internal control.
  • Principle 3: The Management establishes, with political oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  • Principle 4: The Agency demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  • Principle 5: The Agency holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

Risk assessment is a dynamic and iterative process for identifying and assessing risks which could affect the achievement of objectives, and for determining how such risks should be managed.

  • Principle 6: The Agency specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  • Principle 7: The Agency identifies risks to the achievement of its objectives across the organisation and analyses risks as a basis for determining how the risks should be managed.
  • Principle 8: The Agency considers the potential for fraud in assessing risks to the achievement of objectives.
  • Principle 9: The Agency identifies and assesses changes that could significantly impact the internal control system.

Control Activities

Control activities ensure the mitigation of risks related to the achievement of policy, operational and internal control objectives. They are performed at all levels of the organisation, at various stages of business processes, and across the technology environment. They may be preventive or detective and encompass a range of manual and automated activities as well as segregation of duties.

  • Principle 10: The Agency selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  • Principle 11: The Agency selects and develops general control activities over technology to support the achievement of objectives.
  • Principle 12: The Agency deploys control activities through corporate policies that establish what is expected and in procedures that put policies into action.

Information and Communication

Information is necessary for the organisation to carry out internal control and support the achievement of objectives. External communication provides the public and stakeholders with information on the Agency's policy objectives and actions. Internal communication provides staff with the information it needs to achieve its objectives and to carry out day-to-day controls.

  • Principle 13: The Agency obtains or generates and uses relevant quality information to support the functioning of internal control.
  • Principle 14: The Agency internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  • Principle 15: The Agency communicates with external parties about matters affecting the functioning of internal control.

Monitoring Activities

Continuous and specific assessments are used to ascertain whether each of the five components of internal control is present and functioning. Continuous assessments, built into business processes at different levels of the organisation, provide timely information on any deficiencies. Findings are assessed and deficiencies are communicated and corrected in a timely manner, with serious matters reported as appropriate.

  • Principle 16: The Agency selects, develops, and performs ongoing and/or separate assessments to ascertain whether the components of internal control are present and functioning.
  • Principle 17: The Agency assesses and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including the Management Board and senior management, as appropriate.


2020 Register of Deficiencies and Corrective Action Plan [EN]
2020 Anti Fraud Control Activities [EN]
2020 IC Monitoring Criteria [EN]
2018 Management Board Decision no. 42 on the Internal Control Framework of EASO [EN]
2020 EASO Anti-Fraud Strategy [EN]
  • Q3 2020 updated version of the Anti-Fraud Strategy [EN]
  • Q4 2020 updated version of the Anti-Fraud Strategy [EN]
  • Q1 2021 updated version of the Anti-Fraud Strategy [EN]