PKO Bank Polski S.A. has an internal control system functioning as part of the Bank’s management system. Designing, implementing and ensuring the functioning of an adequate and effective internal control system is the responsibility of the Management Board. The Supervisory Board supervises the implementation and the functioning of the internal control system and assesses its adequacy and effectiveness, including the adequacy and effectiveness of the control functions, the compliance unit, and the internal audit unit. The assessment of the internal control system is based on specific criteria and takes into account:
- information provided by the Bank’s Management Board, Audit Committee of the Bank’s Supervisory Board, compliance unit and internal audit unit;
- findings made by the statutory auditor and resulting from the supervisory activities of authorized institutions;
- other information and documents relevant to the adequacy and effectiveness of the internal control system.
In this respect, the Supervisory Board is supported by the Supervisory Board Audit Committee that is responsible, in particular, for the monitoring of the effectiveness of the internal control system on an ongoing basis.
The objectives of the internal control system are to ensure:
- efficiency and effectiveness of the Bank’s operations;
- reliability of the financial reporting;
- compliance with risk management principles at the Bank;
- compliance of the Bank’s activities with the generally binding legal regulations, internal regulations of the Bank, supervisory recommendations and market standards adopted at the Bank.
The internal control system is arranged at the Bank on three independent levels:
- the first level consists of organizational structures of the Bank that carry out operational activities, in particular: sales of products and customer service, as well as other organizational structures of the Bank which perform risk-generating operational tasks and operate under separate internal regulations of the Bank;
- the second level comprises the activities of:
  - the compliance unit;
  - the specialized organizational structures of the Bank responsible for identification, measurement, control, monitoring and reporting of risks, threats and irregularities in order to ensure that the activities implemented at the first level are properly designed and the second level structures effectively manage the risks and support the effectiveness of the Bank’s operations;
- the third level comprises the activities of the internal audit unit, which performs independent audits of elements of the Bank’s management system, including the risk management system and the internal control system.
The levels are independent, i.e.:
- the second level is separate from the first level in creating systemic solutions;
- the third level is separate from the first and the second level.
The internal control system at the Bank comprises:
- the control function;
- the compliance unit;
- the independent internal audit unit.
The control function ensures compliance with controls relating, in particular, to risk management at the Bank; this function covers all of the Bank’s units, and the organizational positions in these units responsible for the performance of tasks allocated to a particular function.
The control function comprises:
- controls;
- independent monitoring of compliance with controls;
- reporting within the control function.
PKO Bank Polski S.A. identifies material processes which have a significant impact on the performance of the internal control system objectives and the Bank’s business goals, and ensures periodical reviews of the processes with regard to their materiality.
Controls are embedded in the processes, systems and IT applications in place at PKO Bank Polski S.A. These controls are tailored to the objectives of the internal control system and the specific nature of the Bank’s operations. These controls are subject to independent monitoring on all internal control system levels, which includes testing and ongoing review of controls.
The compliance unit is an organizationally independent unit. It plays a key role in ensuring compliance and management of compliance risk. Compliance risk is understood as the risk of facing legal penalties, incurring financial losses or a reputation loss as a result of non-compliance by the Bank, the Bank’s employees or entities operating on the Bank’s behalf with the generally applicable laws, internal regulations of the Bank and the market standards adopted by the Bank. The compliance unit is responsible for developing solutions aimed at ensuring compliance and compliance risk management, as well as identification, assessment, control, monitoring and reporting of this risk at the Bank.
The internal audit carries out independent and objective assurance and advisory activities in order to:
- assess the adequacy and effectiveness of the risk management system and the internal control system at the first and the second level of the internal control system, taking into account the adequacy and effectiveness of risk controls and controls selected for the audit (assurance activities);
- create value through identifying potential improvements of processes at the Bank (advisory activities).
The assessment of individual areas of the Bank’s operations is carried out regularly and in an organized manner. Suggestions and recommendations issued as part of the audit are aimed at eliminating identified gaps and increasing the quality and effectiveness of the functioning of the Bank and the other entities of the Bank’s Group.
Information on irregularities, results of assessments and other material issues identified by individual components of the internal control system are presented in periodical reports addressed to the Management Board, the Supervisory Board Audit Committee, the Supervisory Board Risk Committee or the Supervisory Board.
Other entities of the Bank’s Group have internal control systems adapted to the specific nature of their activities. These entities develop and implement internal regulations defining, in particular, control tasks performed within the framework of the internal control system and the allocation of responsibility for these tasks. The manner of functioning of internal control systems depends on the business entity’s size and scope of its operations. The audit units in the Bank’s Group operate on the basis of a long-term cooperation model aimed at ensuring common internal audit standards.
The majority of the entities have separate organizational units or positions that report directly to the Management Board or the Supervisory Board of the particular entity. If this is justified by the operating profile of the company and its organizational structure (small entities with a limited scope of business), the internal control functions are performed by the management staff, without structurally separating the internal control function or unit.