Internal control system
The Bank's Internal Control System comprises all internal regulations, procedures and organisational structures, which – acting together – aim to ensure:
- compliance of operations with the Bank's strategy,
- effectiveness and efficiency of procedures,
- protection of assets,
- prevention of losses, errors and damage to the Bank's reputation,
- security, stability and efficiency of operations,
- reliability and completeness of accounting records and management information,
- compliance of transactions with the generally applicable laws, supervisory regulations, internal policies, regulations and procedures,
- support of the decision-making process.
The Bank's Internal Control System is aligned with the Bank's organisational structure, the complexity of its business, scale and profile of the risk related to: credit risk (including counterparty risk, concentration risk, residual risk, country risk), financial risk (market risk including interest rate risk in the banking book; liquidity risk), operational risk, Pillar II risk (real estate risk, macroeconomic risk, business risk, including strategic risk; reputational risk, model risk), compliance risk and bancassurance risk.
Internal control is an ongoing process, carried out at all organisational levels of the Bank. The internal control system engages – in various roles – the statutory bodies of the Bank, individuals and organisational units of the Bank supervising and directing at all levels of management, and all employees.
The Supervisory Board supervises the internal control system and assesses its adequacy, effectiveness and efficiency. It is supported in the performance of these duties by the Audit Committee and Internal Audit.
The Management Board is responsible for the development and functioning of the internal control system and a regular review of its component policies, strategies and procedures as well as for overall effectiveness of the internal control system which is adapted to the size and profile of the risk associated with the Bank's operations. The President of the Bank's Management Board issues, in the form of a regulation, the Internal Control Regulations.
The Business Internal Control Committee was set up in 2012; its tasks include the provision of opinions and recommendations supporting the efficiency and effectiveness of the Bank's internal control system. The Committee supports the President of the Management Board by identifying remedial measures and priorities in their implementation, with a view to providing for the needs of the Bank's organisational units and of Customers, and to ensuring compliance of the Bank's operations with internal regulations of the Bank and the generally applicable law.
The Internal Control System covers three levels of control:
1) Operational management
Controls performed as part of the operational management function are divided into linear controls and functional controls.
a) Linear control is carried out on an ongoing basis by each employee (self-control) based on the existing procedures and as part of the supervision by managers of the Bank's organisational units (hierarchical controls). This control should ensure correctness of operations within the same operational structure in accordance with the applicable procedures.
b) Functional control is performed in the Bank's Units by Directors, by delegated employees or by the supervising unit on the basis of control plans prepared by Directors. The purpose of this control is to check the quality and correctness of performed activities, in particular in the scope of risk assessment and monitoring, compliance with competences assigned to the job positions and checking coherence between limits of rights in the different functionality areas of operations.
2) Risk management control
The risk management control function is exercised by the Bank's units not involved in business activity, in particular in the scope of security, financial controlling and accounting, risk management and compliance. The purpose of this control is to measure, monitor and strengthen the effectiveness of risk management undertaken by operational units to support risk owners in determining the level of risk exposure and distribution of information regarding the risks in the Bank.
3) Internal audit (institutional control)
This control covers audits performed by the Internal Audit Department (IAD), both on organisational units of the Bank and its subsidiaries. The task of the Internal Audit Department is to review and evaluate independently and objectively the adequacy, effectiveness and efficiency of the Internal Control System, the compliance function and the risk management system. IAD acts to detect and eliminate any non-compliance of Bank employees' activities with the applicable laws, including prudential regulations and other external standards, as well as the Bank's internal regulations.
Institutional control is exercised through audits performed in accordance with an officially accepted audit plan, unplanned ad-hoc audits and remote controls. The Internal Audit Department reports directly to the President of the Management Board. The IAD also presents reports to the Audit Committee and Supervisory Board.
An independent quality assessment review of the Internal Audit function of the Bank was performed at the end of 2013 by PwC. According to PwC, the results of the review were very positive. The review confirmed that the Internal Audit Department generally conforms with the International Standards for the Professional Practice of Internal Auditing.
The Bank exercises the control functions at its subsidiary companies by having representatives in supervisory boards of each subsidiary. The Pekao Group companies apply uniform standards and internal rules of the Internal Audit operation.