Pursuant to the Articles of Association of PKO Bank Polski and the Regulations of the Audit Committee of the Supervisory Board of PKO Bank Polski, the entity conducting the audit of the Bank's financial statements is selected by the Bank's Supervisory Board based on the recommendation of the Audit Committee.
On 15 December 2022, pursuant to § 15 clause 1 point 2 of the Bank’s Articles of Association, the Bank’s Supervisory Board selected KPMG Audyt Spółka z ograniczoną odpowiedzialnością sp.k. (KPMG) as the audit firm to audit and review the financial statements of the Bank and of the Bank’s Group for the years 2024-2026. KPMG Audyt Spółka z ograniczoną odpowiedzialnością sp.k. with its registered office in Warsaw, Inflancka Street 4A, is entered in the list of audit firms maintained by the National Board of Registered Auditors under the number 3546. On 14 February 2024, the Bank concluded an agreement with KPMG for the audit and review of the financial statements of the Bank and the Bank’s Group for the years 2024-2026.
In accordance with the Resolutions of the Supervisory Board of PKO Bank Polski on the policy for selecting an audit firm to audit the financial statements of PKO Bank Polski and the Capital Group, the Bank applies the following policy:
1) The maximum uninterrupted duration of statutory audit engagements carried out by the same audit firm or by an audit firm associated with that audit firm or by any member of the same audit network operating in the European Union is 10 audited financial years. Such maximum uninterrupted duration of engagements may be extended by two years up to a maximum of 12 audited financial years, upon the consent of the Polish Financial Supervision Authority in case of a simultaneous engagement of more than one audit firm in a joint audit, and on the condition that a joint audit report will be delivered as a result of the joint audit.
2) An audit contract is concluded for an audit period of no less than 2 financial years and no more than 3 financial years, with the possibility of extension for the subsequent audit period of at least two financial years.
3) Following the end of the maximum uninterrupted duration of statutory audit engagements, referred to in point 1, the audit firm may again conduct the statutory audit of the financial statements, provided that at least 4 years have lapsed since the completion of the previous audit of the financial statements of the Bank and its Group.
4) The key statutory auditor cannot perform the statutory audit of the financial statements for a period of more than 5 audited financial years.
5) The key statutory auditor may perform the statutory audit again provided that at least 3 years have lapsed since the completion of the last statutory audit of the Bank’s and the Group's financial statements.
The Bank has an internal audit system in place, which forms part of the Bank’s management system. The Bank’s Management Board is responsible for the design, implementation and functioning of an adequate and effective internal audit system. The Supervisory Board supervises the implementation and functioning of an adequate and effective internal audit system and evaluates its adequacy and effectiveness, including the adequacy and effectiveness of the control function, the compliance unit, and the internal audit unit. The internal audit system is evaluated on the basis of specific criteria, taking into account the information provided by the Bank’s Management Board, the Audit Committee of the Supervisory Board, the compliance unit, and the internal audit unit, findings of the registered auditor and those resulting from the supervisory activities of the competent institutions, as well as other information and documents which are relevant to the adequacy and effectiveness of the internal audit system. In this respect, the Supervisory Board is supported by the Supervisory Board Audit Committee which is responsible, in particular, for monitoring the effectiveness of the internal audit system.
The purpose of the internal control system is to ensure:
- efficiency and effectiveness of the Bank’s operations,
- reliability of the financial reporting,
- compliance with the risk management principles at the Bank,
- compliance of the Bank’s activities with the generally binding legal regulations, internal regulations of the Bank, supervisory recommendations and market standards adopted by the Bank.
The internal control system is arranged at the Bank on three independent levels:
1) the first level consists of the Bank’s organisational structures conducting operating activities, including in particular the sales of products and customer service, and the Bank’s other organisational structures carrying out risk-generating operating tasks and functioning on the basis of the Bank’s separate internal regulations,
2) the second level comprises the activities of:
- the compliance unit,
- the specialised organisational structures of the Bank responsible for identification, measurement, control, monitoring and reporting of risks, threats and irregularities in order to ensure that the activities implemented at the first level are properly designed and the second level structures effectively manage the risks and support the effectiveness of the Bank’s operations,
3) the third level comprises the activities of the internal audit unit, which performs independent audits of elements of the Bank’s management system, including the risk management system and the internal audit system.
The said levels are independent, which means that:
- the second level is independent of the first level as regards the creation of system solutions,
- the third level is independent of the first and second level.
The internal audit system at the Bank comprises:
- the control function,
- the compliance unit – the Compliance Department,
- the internal audit unit – the Internal Audit Department.
The control function ensures compliance with controls relating, in particular, to risk management at the Bank. This function covers all of the Bank’s units and the organisational positions in these units responsible for the performance of tasks allocated to the specific function.
The control function comprises:
- control mechanisms,
- independent monitoring of compliance with control mechanisms,
- reporting as part of the control function.
The Bank determines and the Management Board approves the list of material processes which have a material impact on the achievement of the internal audit system objectives and business objectives of the Bank and ensures periodical reviews of the processes in place at the Bank from the perspective of their materiality.
Controls are embedded in the processes taking place at the Bank and in the systems or applications which support these processes. These controls are tailored to the objectives of the internal audit system, which are related to the processes in place at the Bank and their complexity, the risk of irregularities and the specific nature of the Bank’s operations, and take into account the resources available to the Bank. These controls are subject to independent monitoring at all levels of the internal audit system. Such independent monitoring of compliance with controls is performed:
- horizontally – by a unit of the Bank within that unit or within another unit at the same level,
- vertically – by the Bank’s units at the second level as regards the first level units.
The Bank’s units are responsible for performing specific activities associated with horizontal or vertical monitoring within the scope of their tasks and powers. Independent monitoring includes current verification or testing of the controls.
The compliance unit is an organisationally separate, independent unit which plays the key role in ensuring compliance and managing compliance risk understood as the risk of suffering legal sanctions, financial losses or reputation loss as a result of non-compliance on the part of the Bank, the Bank’s employees or the entities acting on its behalf with the generally applicable laws, the Bank’s internal regulations and the market standards adopted by the Bank.
The compliance unit is responsible for developing solutions aimed at ensuring compliance and compliance risk management, as well as identification, assessment, control, monitoring and reporting of this risk at the Bank.
Internal audit is an independent and objective assurance and advisory function which performs systematic and organised assessments of the individual areas of the Bank’s activity and suggests steps to be taken to increase the quality and effectiveness of the Bank’s operations.
The objective of the audit unit is:
1) as part of its assurance activities – to evaluate the adequacy and effectiveness of the risk management system and the internal audit system at the first and second levels of the internal audit system, taking into account the adequacy and effectiveness of the risk controls and control mechanisms selected for auditing,
2) as part of its advisory activities – to add value to and improve the processes in the Bank.
The Bank operates the following mechanisms to ensure independence of the compliance unit and the internal audit unit:
1) approval of the Audit Charter and the rules for ensuring compliance and managing compliance risk by the Management Board of the Supervisory Board,
2) subordination of the compliance unit to the President of the Management Board,
3) functional subordination of the internal audit unit to the Audit Committee of the Supervisory Board and its administrative subordination to the President of the Management Board,
4) the internal audit unit, as a third level unit, not being subject to independent monitoring by the Bank’s organisational units situated at the second level of the internal audit system,
5) ensuring direct access to members of the Management Board and the Supervisory Board for directors of the said units,
6) participation of the directors of the said units in the meetings of the Management Board,
7) participation of the directors of the said units in the meetings of the Supervisory Board and the relevant Committees when their agenda includes issues relating to the internal audit system or risk management,
8) appointment and dismissal of the internal audit unit director and the compliance unit director requiring prior approval of the Supervisory Board,
9) approval of the amount of remuneration of the internal audit unit director by the Supervisory Board or its competent committee, respectively,
10) approval of the amount of remuneration (including bonuses) of the compliance unit director by the Audit Committee of the Supervisory Board, taking into account the principle that the said remuneration may not differ from the remuneration of other persons performing key functions at the Bank and that it should not be directly dependent on the Bank’s financial results,
11) notifying the PFSA of any changes of directors of the said units, including the reasons for those changes,
12) providing the employees of the aforementioned units with access to all necessary information (including confidential and sensitive information), rooms and IT systems (without the possibility of interference with the system’s resources), as well as communication with the Bank’s employees, to the extent they deem necessary to perform their tasks,
13) non-participation of the employees of the said units in the execution of day-to-day business tasks,
14) providing solutions for controlling the remuneration of the employees of the aforementioned units which guarantee their independence and objectivity in the performance of their tasks and which enable employing people with appropriate qualifications, experience and skills,
15) protecting employees of the said units from unjustified termination of their employment,
16) organisational separation of the aforementioned units and preventing the employees of these units from performing any duties other than those assigned to them,
17) ensuring financial resources necessary for the effective performance of duties and continuous improvement of the skills and qualifications of the employees of the said units.
Information on irregularities, results of assessments and other material issues identified by the individual components of the internal audit system is presented in periodical reports addressed to the Management Board, the Supervisory Board Audit Committee, the Supervisory Board Risk Committee, or the Supervisory Board.
The entities belonging to the Bank’s Group have internal audit systems adapted to the specific nature of their operations. These entities develop and implement internal regulations defining, in particular, tasks relating to the control activities carried out within the internal audit system and the division of responsibility for these tasks. The operation of the internal audit systems in the companies depends on the size and scope of operations of the entities belonging to the Bank’s Group. In most entities, there are separate organisational units or positions performing these functions, reporting directly to the Management Board of the given company or to the Supervisory Board. In the cases justified by an entity’s operating profile and its organisational structure (small entities with a limited range of activities), control activities are performed by their managers, without a structurally separated internal audit function or unit. The Bank takes into account the role of the Bank’s Group entities in identifying the material processes with regard to their contribution to ensuring the achievement of the objectives of the Bank’s internal audit system.
The internal control system at PKO Bank Polski S.A. covers, among other things, the process of preparing financial statements to ensure effective and reliable operations, reliability of disclosures presented and compliance with laws, internal regulations and best market practices and standards. At all levels of the internal control system, the Bank's employees apply controls built into the processes and systems and IT applications that support the implementation of these processes. These controls are subject to independent monitoring on all internal control system levels, which includes testing and ongoing review of controls.
In the process of preparing financial statements, which is an essential process for achieving the objectives of the Bank's internal control system and business objectives, the Bank has established controls, and compliance with these controls is monitored independently at a frequency and to the extent specified in the control function matrix for this process.
The basis for the preparation of the consolidated financial statements of the PKO Bank Polski S.A. Group are the financial statements of the parent company, PKO Bank Polski S.A., and the financial information of consolidated companies and investment funds (so-called consolidation packages) supplemented by additional data and disclosures necessary in the consolidation process, provided by these companies and funds and the Bank's units participating in the process of preparing the consolidated financial statements.
The financial statements of PKO Bank Polski S.A. are based on the Bank's accounting records. Source data from the data warehouse is also used. The process of preparing financial data for reporting purposes is automated, and data preparation is subject to operational and acceptance procedures. The controls in place in the process of preparing the financial statements involve verifying and reconciling the reporting data with the accounting records and other documents underlying the preparation of the financial statements, as well as with the applicable regulations on accounting policies and the preparation of financial statements.
The process of preparing financial statements is subject to regular multi-stage verification (in particular with regard to the correctness of accounting reconciliations, substantive analysis and reliability of information), and the financial statements are subject to multi-stage approval. The Bank has embedded controls in the processing of financial data for reporting purposes, which include verification of the accuracy and reliability of the data presented. Manual corrections, including those resulting from management decisions, are subject to special verification.
The Bank’s employees monitor changes in external reporting regulations on an ongoing basis, analyse market standards and apply best practices, and, if necessary, update internal regulations and implement changes in systems supporting the reporting process.
The financial reporting process uses reporting applications both for the preparation of the Bank's financial statements and for the consolidation process, as well as for the preparation of consolidated financial statements. IT systems used for reporting meet cyber security requirements.
To ensure the completeness of the disclosures required by International Financial Reporting Standards in the annual financial statements, the Accounting and Reporting Department prepares a checklist based on the applicable standards. In addition, on 21 December 2021, a resolution of the Bank's Management Board introduced the Policy on Disclosure of Financial Instruments in the financial statements of PKO Bank Polski S.A., thus meeting the requirements of Recommendation R regarding the rules for classifying credit exposures, estimating and recognizing expected credit losses and credit risk management. Pursuant to section 36.6 of the Recommendation, the Bank's Management Board annually reviews the applied policies for disclosure of information on financial instruments. The Policy is reviewed in order to ensure its compliance with the Bank's risk profile, current market conditions, accounting standards and supervisory requirements. The last review for the period from 31 December 2022 to 31 December 2023 was adopted by the Management Board on 13 February 2024.
Annual and semi-annual financial statements and quarterly interim reports (comprising the Management Board's commentary and the consolidated financial statements of the PKO Bank Polski S.A. Group, together with the condensed financial statements of PKO Bank Polski S.A.):
- are subject to review by the Audit Committee of the Supervisory Board and the Supervisory Board (whereby, in the case of the annual financial statements of the Bank and of the Group, the opinion of the Supervisory Board is expressed in the form of a resolution);
- are submitted to the Management Board of PKO Bank Polski S.A., which, after preliminary approval, forwards them to the Audit Committee of the Supervisory Board and the Supervisory Board;
- are finally authorised for publication by the Bank's Management Board.
The statements bear a qualified electronic signature by all members of the Management Board.
Annual and semi-annual financial statements, in accordance with generally applicable legislation, are additionally subject to audit and review by an independent audit firm, as appropriate.
The Supervisory Board performs annual assessments of the compliance of the annual consolidated financial statements of the Bank’s Group, the annual financial statements of the Bank and the Directors’ Report on the operations of the Bank’s Group and of the Bank with the books, documents and facts, pursuant to Article 382 (3) of the Commercial Companies Code.