Pursuant to the Articles of Association of PKO Bank Polski S.A. and the Regulations of the Audit Committee of the Supervisory Board of PKO Bank Polski S.A., the entity conducting the audit of the Bank's financial statements is selected by the Supervisory Board of the Bank based on the recommendation of the Audit Committee.
On 26 January 2017 the Supervisory Board of PKO Bank Polski S.A. appointed KPMG Audyt Spółka z ograniczoną odpowiedzialnością spółka komandytowa as the audit firm for the audit and review of the financial statements of PKO Bank Polski S.A. and the consolidated financial statements of the PKO Bank Polski S.A. Group for the years 2017-2019. The same entity audited the financial statements of the Bank and the Bank’s Group for the years 2015-2016.
In accordance with the Resolutions of the Supervisory Board on the policy for selecting an audit firm to audit the financial statements of PKO Bank Polski S.A. and the PKO Bank Polski S.A. Group, the Bank applies the following policy:
- The key statutory auditor cannot perform a statutory audit of the financial statements for a period of more than five audited financial years.
- An audit contract will be concluded for an audited period of no less than two financial years, and no more than three financial years, with the option to extend it for a subsequent audited period which may last no less than two financial years.
- The maximum uninterrupted period over which a statutory audit engagement may be performed by the same audit firm or by an audit firm related to that audit firm, or by any member of the said audit firms’ network operating within the European Union, is five audited financial years. The maximum time of the uninterrupted engagement referred to in the previous paragraph may be extended by two years, to a maximum of seven audited financial years, based on the consent of the Polish Financial Supervision Authority, in the event that more than one audit firm is engaged, in accordance with the joint audit formula, on condition that a joint audit report will be the deliverable resulting from the joint statutory audit.
- An audit firm may again perform the function of a statutory auditor after no less than four years from the end of its previous audit of the Bank’s and the Bank Group’s financial statements.
- The key statutory auditor may again perform a statutory audit after no less than three years from the end of the previous statutory audit of the Bank’s and the Bank Group’s financial statements.
PKO Bank Polski S.A. has an internal control system functioning as part of the Bank’s management system. Designing, implementing and ensuring the functioning of the adequate and effective internal control system is the responsibility of the Bank’s Management Board. The Supervisory Board supervises the implementation and the functioning of the internal control system, and evaluates its adequacy and effectiveness, including the adequacy and effectiveness of the control functions, compliance unit, and the internal audit unit. The internal control system is evaluated based on agreed assessment criteria and taking into account information provided by the Bank’s Management Board, Supervisory Board Audit Committee, compliance unit and the internal control unit, findings of the statutory auditor and findings resulting from supervisory activities of responsible institutions, as well as other information and documents material from the point of view of adequacy and effectiveness of the internal control system. In this respect, the Supervisory Board is supported by the Supervisory Board Audit Committee that is responsible, in particular, for monitoring the effectiveness of the internal control system.
The objectives of the internal control system are as follows:
- ensuring the efficiency and effectiveness of the Bank’s operations;
- reliability of the financial reporting;
- compliance with risk management principles in the Bank;
- compliance of the Bank’s activities with the generally binding legal regulations, internal regulations of the Bank, supervisory recommendations and market standards adopted in the Bank.
The internal control system is arranged at the Bank on three independent levels (lines):
- the first level (line) consists of organizational structures of the Bank that carry out operational activities, in particular: sales of products and Customer service, as well as other organizational structures of the Bank that perform risk-generating operational tasks and operate under separate internal regulations of the Bank;
- the second level (line) is composed of activities of the compliance unit, as well as identification, measurement, control, monitoring and reporting of risks, and threats and irregularities – tasks are performed by specialized organizational structures operating under applicable policies, methodologies and procedures; the purpose of these structures is to ensure that the activities implemented at the first level are properly designed and effectively reduce the risk, support risk measurement and analysis and business effectiveness;
- the third level (line) is internal audit, which carries out independent audits of elements of the Bank’s management system, including the risk management system and the internal control system. The internal audit operates separately from the first and second level.
The internal control system in the Bank comprises:
- control function;
- compliance unit;
- independent internal audit unit.
The control function ensures compliance with controls relating, in particular, to risk management at the Bank; this function covers all of the Bank’s units, and the organizational positions in these units responsible for the performance of tasks allocated to this function. The control function consists of:
- independent monitoring of controls;
PKO Bank Polski S.A. identifies, and the Bank’s Management Board approves a list of material processes which have a significant impact on the performance of the internal control system objectives and the Bank’s business goals, and ensures periodical reviews of the processes functioning at the Bank with regard to their materiality.
Controls are embedded in the processes in place at PKO Bank Polski S.A. and IT applications. These controls are tailored to the objectives of the internal control system and the specific nature of the operations conducted by the Bank. These controls are subject to independent monitoring including a periodical evaluation of their adequacy and effectiveness.
The compliance unit is an organizationally independent unit that plays a key role in ensuring compliance and managing non-compliance risk, understood as the risk of legal sanctions, financial losses, or loss of reputation, if the Bank, the Bank’s staff or entities acting on behalf of the Bank fail to comply with the universally applicable provisions of law, internal regulations, or market standards adopted by the Bank. The objective of the compliance unit is to develop solutions aimed at ensuring compliance and managing non-compliance risk, as well as identifying, assessing, controlling, monitoring and reporting this risk at the Bank.
The internal audit carries out independent and objective assurance and advisory activities in order to:
- assess the adequacy and effectiveness of the risk management system and the internal control system at the first and the second level of the internal control system, taking into account adequacy and efficiency of risk controls and controls selected for the audit (assurance activities);
- create value and identify potential improvements of processes at the Bank (advisory activities).
The Bank has mechanisms ensuring independence of the compliance unit and the internal audit unit, which include, in particular:
- approval, by the Management Board and the Supervisory Board, of the Audit Chart and principles of ensuring compliance and managing the risk of non-compliance;
- subordination of the compliance unit directly to the President of the Management Board responsible for managing the risk of non-compliance;
- functional subordination of the internal audit unit to the Audit Committee of the Supervisory Board and administrative subordination to the President of the Management Board;
- excluding the internal audit unit, as the third level, from independent monitoring on the part of the Bank’s organisational units located as part of the second level;
- providing the directors of the above-mentioned units with direct contact with the members of the Management Board and the Supervisory Board;
- participation of directors of the above-mentioned units in sessions of the Management Board;
- participation of directors of the above-mentioned units in sessions of the Supervisory Board and the relevant Committee, where the subject matter of their session includes issues related to the internal control system or risk management;
- appointment, dismissal and approval for the amount of remuneration of directors of the above-mentioned units upon the approval of the Audit Committee of the Supervisory Board or the Supervisory Board;
- informing the Polish Financial Supervision Authority about changes in the position of directors of the above-mentioned units, along with an indication of the cause of the change;
- providing the employees of the above-mentioned units with access to all the necessary information (including confidential and sensitive), premises and IT systems (without the possibility of interfering in system resources), as well as communication with the Bank’s employees within a range that is deemed necessary for performance of tasks;
- no participation of the above-mentioned units in performance of current business tasks;
- ensuring remuneration that guarantees independence and objectivity of performance of tasks and allows for hiring people with relevant qualifications, experience and skills;
- protection of employees of the above-mentioned units from unjustified termination of employment relationship;
- ensuring funds necessary for efficient performance of tasks and systematic increase of skills and qualifications by employees of the above-mentioned units.
The assessment of individual areas of the Bank’s operations is carried out in a systematic and organized manner. Suggestions and recommendations issued under the audit are aimed at eliminating identified gaps and increasing the quality and effectiveness of the functioning of the Bank. Information on irregularities, assessment results and other material issues identified by individual elements of the internal control system is presented in periodic reports for the Management Board of PKO Bank Polski S.A., the Supervisory Board Audit Committee of PKO Bank Polski S.A., or the Supervisory Board of PKO Bank Polski S.A.
Other entities of the Bank’s Group have internal control systems adapted to the specific nature of the entities’ operations. These entities develop and implement internal regulations defining, in particular, control tasks performed within the framework of the internal control system, and the allocation of responsibility for these tasks. The manner of functioning of internal control systems depends on the size and scope of the business of entities making up the Bank’s Group. The majority of the entities have separated organizational units or positions that report directly to the Management Board or the Supervisory Board of the particular entity. If this is justified by the operating profile of the company and its organizational structure (small entities with a limited scope of business) the internal control functions are performed by the management staff, without structurally separating this function or internal control unit.
In order to ensure the reliability and correctness of the process of preparing the financial statements, the Bank designed and implemented a number of controls that are embedded in the functions of reporting systems and internal regulations concerning this process. These controls involve, among other things, the use of continuous verification and reconciliation of reporting data to the accounting records, sub-ledger accounts and other documents providing the basis for financial statements, and with binding accounting and reporting standards.
The process of preparing financial statements is subjected to regular multi-level verification, in particular with regard to the correctness of the account reconciliation, substantive analysis and reliability of the information. In accordance with the internal regulations, the financial statements are approved by the Management Board of PKO Bank Polski SA and the Audit Committee of the Supervisory Board appointed by the Supervisory Board of PKO Bank Polski SA in 2006.
The tasks of the Audit Committee of the Supervisory Board include, among other things, monitoring the financial reporting process including the review of separate and consolidated interim and annual financial statements, with particular emphasis on:
- information on substantial changes in the accounting and reporting policy and in the method of making significant management estimates and judgements for the purposes of financial reporting, as well as compliance of the financial reporting process with the applicable law;
- significant adjustments resulting from the audit and the auditor’s opinion on the audit of the financial statements, discussion of any issues, qualifications and doubts resulting from the audit of financial statements and analysis of the independent auditor’s recommendations addressed to the Management Board, and responses of the Management Board in this regard.
The description of cooperation between the Audit Committee and the external auditor and its assessment is included in the report on activities of the Audit Committee drawn up on an annual basis and attached to the report on activities of the Supervisory Board.