Internal control system

The Internal Control System (ICS) consists of a set of rules, procedures and organizational structures which aim to:


  • ensure that corporate strategy is implemented
  • achieve effective and efficient corporate processes
  • safeguard the value of corporate assets
  • ensure the reliability and integrity of accounting and management data
  • ensure that operations comply with all existing rules and regulations.

Role of governing bodies

The Chairman and Deputy Chairman: are ex officio members of the Internal Control and Risk Committee (ICRC). Subject to an opinion of the ICRC, the Chairman shall propose the appointment and replacement of the Head of the Internal Audit function to the Board of Directors.

The Board of Directors of UniCredit: draws up group internal control guidelines and policy in accordance with the Italian regulators' directives and applicable law. The Board of Directors, having consulted the Board of Statutory Auditors, approves risk management policy. The Internal Audit Department reports to the Board.

The CEO: identifies the main corporate risks, presents them to the Board of Directors, and carries out the Board's instructions by having the ICS designed, managed and monitored.
The CEO has the duty of ensuring effective risk management by drawing up adequate policies and procedures and making sure that they are complied with within the bank.
In respect of third-level controls performed by the audit function that reports directly to the Board of Directors, the CEO examines the audit guidelines, proposes additions to the annual audit plan, and gives a non-binding opinion on proposed organisational and staff changes within the Internal Audit Department.

The Board of Statutory Auditors: The Chairman of the Board of Statutory Auditors is an ex officio member of the Internal Control and Risk Committee and may delegate another Statutory Auditor to attend meetings of the Committee. Statutory Auditors may at any time undertake inspections or verification, jointly or singly.

The Internal Controls and Risk Committee: comprises non-executive directors (a majority being independent directors). It assists the Board of Directors in drawing up the rules for the ICS and at least once a year assesses its adequacy, ensuring that the main corporate risks are correctly identified, measured, managed and monitored.
The ICRC may, through its Chairman, access all corporate information and functions as necessary for the proper performance of its duties, and avail itself of corporate and group departments and where necessary external advisors.
The ICRC assists the Board in determining the group's risk appetite, evaluates the annual audit plan drawn up by the Head of the Audit Department, examines the accounts quarterly and assists the Board in drawing up risk management policy. The ICRC reports at least half-yearly to the Board on its activity and on the adequacy of the ICS.

Role of the corporate functions

UniCredit monitors, measures and controls market, credit, operational, reputational and compliance risk as follows:

  • First-level or line controls are designed to ensure that transactions are carried out correctly. Controls are performed by the production unit, incorporated in procedures or carried out by a back office.
  • Second-level or risk management controls are the duty of a unit which is distinct from the production unit. The departments responsible for these controls are the following.

The Compliance Function oversees the correct application of, and compliance with, the regulatory framework and its consistent interpretation at group level, as well as the identification, evaluation, prevention and monitoring of the overall compliance risks of the group or respective Legal Entities.

The Group Risk Management (GRM) function controls and steers Group risks by defining policies and methods aimed at measuring and controlling those risks, and optimizes the cost of risk through the definition of guidelines, policies and non-binding credit opinions on significant credit exposures, in compliance with internal and external rules and regulations.

  • Third-level controls are performed by internal audit, which assesses and regularly checks the completeness, functionality and adequacy of the ICS. Internal audit is independent of both production and second-level control units. In some cases an entity may outsource internal auditing to UniCredit SpA.

UniCredit Group has an Internal Audit Department. The "Person in Charge of Internal Control System" prescribed by the Italian Corporate Governance Code is the Head of Internal Audit.


The function of UniCredit Group Risk Management (GRM) is to control and steer Group risks by:

  • managing and optimizing Group-wide asset quality and the cost of risk;

  • determining (in concert with the CFO function) and monitoring the Group's risk appetite, and evaluating its capital adequacy;

  • defining - in compliance with regulatory requirements - the Group rules, methodologies, risk limit types, policies and strategies for risk management;

  • defining and applying the valuation, management, measuring, monitoring and reporting criteria of risks to ensure Group-wide consistency and transparency;

  • verifying the adequacy of the risk measurement systems adopted throughout the Group;

  • quantifying the impact of changes in the economic cycle or stress events on the Group's financial structure;

  • creating a Group-wide risk culture.


Through a well-established risk governance process, GRM actively manages the Group's risk exposure in the following areas:

  • Credit Risk

  • Market Risk

  • Liquidity Risk

  • Operational and Reputational Risk

The Compliance function is embedded in the second-level internal control system, pursuing the objective of preventing and managing the risk of regulatory non-compliance and conflict of interest, with a view to preserving the Bank's reputation and its customers' confidence and to contributing to Group sustainability (corporate value creation/consolidation), through:


  • strategic guidance (policies and opinions)
  • support and monitoring (compliance risk mapping, preventive evaluation)

on all Group Compliance activities.

What we do

The Compliance function has responsibility for areas which most impact external clients and have a high risk of reputational damage.

Its perimeter covers the typical regulations related to:


  • Banking Services (e.g. Anti Money Laundering, Transparency, Privacy)
  • Financial Services (e.g. Market Abuse, Financial instruments and products issued by Banks)

In particular, the Compliance function:


  • interprets laws and issues Groupwide policies and guidelines
  • gives input for the definition or update of processes
  • evaluates preventively the Compliance of processes, products, structures, agreements
  • provides support and assistance, through opinion preparation
  • provides support for training activities
  • manages Conflicts of Interest
  • checks continuously that processes on Investment Services are effective and adequate
  • identifies the Compliance areas with greater Compliance risk, to support the yearly planning of Compliance actions
  • reports to the Bank Governing Bodies and/or to Supervisory Bodies on all matters that fall within Compliance area of competence.

The goal of Internal Audit in UniCredit is to contribute to the protection of assets and corporate stability and provide a "reasonable guarantee" that the organization is able to achieve its goals efficiently through:


  • controls ensuring that operations are appropriate and carried out in compliance with laws and regulations
  • assessment of the effectiveness and efficiency of operating processes
  • support provided to Group divisions and companies to obtain a clear view of risk exposure/assessment at division level and of the implementation of guidelines on internal controls at individual entity level
  • assessment of the proper operation of the overall Internal Control System (line or operational controls, and controls on risk management)


UniCredit Internal Audit Department verifies the conformity of group companies' conduct with the Parent Company's guidelines and the effectiveness of internal control systems, establishes guidelines, and coordinates and oversees the internal audit activities carried out by internal audit departments in the group. In this sense, the Internal Audit Department performs the function of third- and fourth-level controls.


Every entity in the Group has established an Internal Audit unit responsible for third-level controls.


UniCredit Internal Audit Department and the local Internal Audit structures, including in those instances where the legal entities operate as sub-holding companies, form part of the Internal Audit competence line. The responsibility of the competence line coincides with the responsibility of the Internal Audit Department.

Group Audit Charter

The Group Audit Charter defines Internal Audit's mission, accountability, independence, responsibility and authority within UniCredit Group.

Updated on 27 November 2015.