The Internal Control System (ICS) consists of a set of rules, procedures and organizational structures which aim to:
- ensure that corporate strategy is implemented
- achieve effective and efficient corporate processes
- safeguard the value of corporate assets
- ensure the reliability and integrity of accounting and management data
- ensure that operations comply with all existing rules and regulations
Role of governing bodies
THE BOARD OF DIRECTORS OF UNICREDIT
establishes guidelines for the internal controls system consistently with the strategic guidelines and risk appetite established, in accordance with the instructions issued by the Supervisory Authorities and with applicable laws. On a yearly basis, the Board of Directors defines the Group Risk Appetite Framework consistently with the budget process timeline and with the definition of the financial plan and establishes policies to govern the risks to which the Group may be exposed, as well as risk targets and tolerance thresholds, reviewing them periodically in order to ensure that they remain effective over time.
identifies the Company's risks, submitting them to the Board of Directors, and implements the Board's guidelines by planning, managing and monitoring the internal controls and risks management system. The CEO is responsible for taking all necessary steps to ensure that the organisation and internal controls system comply with the principles and requirements envisaged under legal provisions.
THE BOARD OF STATUTORY AUDITORS
is responsible for overseeing the completeness, adequacy, functionality and reliability of the internal controls system and the Risk Appetite Framework, as well as the risks management and control process. As to the variety of corporate functions and structures that have control roles and responsibilities within the Company, the Board of Statutory Auditors is called to check the efficacy of all structures and functions involved in the controls system, the proper performance of duties and their proper coordination, promoting any corrective actions aimed at remedy any shortcoming or irregularities detected.
THE INTERNAL CONTROLS & RISKS COMMITTEE
The Committee supports the Board of Directors on risk management and internal control system-related issues and, in particular, in verifying that risk strategies, management policies and the Risk Appetite Framework have been correctly implemented and in defining policies and processes for evaluating corporate activities.
The Committee reports to the Board of Directors on the status of the Group's internal controls system.
Role of the corporate functions
UniCredit monitors, measures and controls market, credit, operational, reputational and compliance risk as follows:
Layers of the Internal Control System
First layer: Organisation/Operations Business Lines
Second layer: Risk Management & Compliance
Third layer: Internal Audit
First-level or line controls are designed to ensure that transactions are carried out correctly.
Controls are performed by the production unit, incorporated in procedures or carried out by a back office.
Second-level or risk management controls are the duty of a unit which is distinct from the production unit. The departments responsible for these controls are the following:
- The Compliance Function looks after the correct application of/and compliance with the regulatory framework, its consistent interpretation at group level, as well as the identification, evaluation, prevention and monitoring of the overall compliance risks of the group or respective Legal Entities.
- The Group Risk Management (GRM) controls and steers Group risks by the definition of policies and methods aimed at measuring and controlling those risks, and optimizing the cost of risk through the definition of guidelines, policies and credit non-binding opinions on significant credit exposures, in compliance with internal and external rules and regulations.
As independent function, Internal Audit plays an integral part in the internal controls system, carrying out assurance and consulting to evaluate, add value to and improve the internal controls system of UniCredit and its Group.
Internal Audit adheres to the International Professional Practices Framework (Definition of Internal Audit, Core Principles for the Professional Practice of Internal Auditing, and Code of Ethics and International Standards).
Please click on the accordion below to learn more on the corporate functions responsibile for intenal controls
UniCredit Group Risk Management (GRM) function is to control and steer Group risks by:
- managing and optimizing Group-wide asset quality and the cost of risk;
- determining (in concert with the CFO function) and monitoring the Group's risk appetite, and evaluating its capital adequacy;
- defining - in compliance with regulatory requirements - the Group rules, methodologies, risk limit types, policies and strategies for risk management;
- defining and applying the valuation, management, measuring, monitoring and reporting criteria of risks to ensure Group-wide consistency and transparency;
- verifying the adequacy of the risk measurement systems adopted throughout the Group;
- quantifying the impact of changes in the economic cycle or stress events on the Group's financial structure;
- creating a Group-wide risk culture.
Through a well-established risk governance process, GRM actively manages the Group's risk exposure in the following areas:
- Credit Risk
- Market Risk
- Liquidity Risk
- Operational and Reputational Risk
The Compliance function is embedded in the second-level internal control system, pursuing the objective of preventing and managing the risk of regulatory non-compliance and conflict of interest, with a view to preserve the Bank's reputation, its customers' confidence and to contribute to Group sustainability (corporate value creation/consolidation), through:
- strategic guidance (policies and opinions)
- support and monitoring (compliance risk mapping, preventive evaluation) on all Group Compliance activities.
The Compliance function has responsibility for areas which most impact external clients and have a high risk of reputational damage.
Its perimeter covers the typical regulations related to:
- Banking Services (e.g. Anti Money Laundering, Transparency, Privacy)
- Financial Services (e.g. Market Abuse, Financial instruments and products issued by Banks)
In particular, the Compliance function:
- interprets laws and issues Groupwide policies and guidelines
- gives input for the definition or update of processes
- evaluates preventively the Compliance of processes, products, structures, agreements
- provides support and assistance, through opinion preparation
- provides support for training activities
- manages Conflicts of Interest
- checks continuously that processes on Investment Services are effective and adequate
- identifies the Compliance areas with greater Compliance risk, to support the yearly planning of Compliance actions
- reports to the Bank Governing Bodies and/or to Supervisory Bodies on all matters that fall within Compliance area of competence.
The UniCredit Internal Audit function, which reports to the Board of Directors, steers, coordinates and monitors the Group's internal audit activities, and performs third-level control activities as well as on-site inspections on the Parent Company and on the Group's Companies that have outsourced internal audit activities to UniCredit on an inservice company basis ("In service Companies").
In addition, as the Group's Internal Audit function it may conduct on-site controls on any Group Company.
The Internal Audit function acts in compliance with the Internal Audit Group Charter, which defines its mission, responsibility, organisational reporting, tasks and authority.
Group Audit Charter
The Group Audit Charter defines Internal Audit's mission, accountability, independence, responsibility and authority within UniCredit Group.
Role of the Supervisory Body
pursuant to Legislative Decree 231/2001
Italian Legislative Decree 231/01 prescribes the establishment of an internal Supervisory Body (hereinafter also SB) with independent powers of initiative and control whose duty is to supervise the functioning of and compliance with the Organization and Management Model and to ensure its updating.
Legislative Decree No. 231 of June 8, 2001 states the administrative liability of incorporated and non-incorporated bodies, companies and associations (entities). This liability is very similar to the criminal liability because it's not linked to the person committing the illegal conduct (entities are liable even if the person liable can't be prosecuted or has not been identified).
Entities can be liable as per L.D. 231/01 if:
a) senior managers, directors or people working under their guidance and supervision commit any of the crimes listed into the special part of the Decree;
b) the offence is committed for the benefit or in the interest of the entities themselves.
Entities may be exempted from liability if they prove that they have adopted and effectively implemented models of organization and management suitable to prevent the commission of the offences covered by the decree.
Decree 231/2001, the composition and role of the Supervisory Board and the internal disciplinary system.
The "Code of Ethics pursuant to Legislative Decree no. 231/2001" is an integral part of the Organization and Management Model, and contains rules intended to ensure that the conduct of the Addresses are always guided by principles of fairness, collaboration, loyalty, transparency and mutual respect, as well as to avoid conducts that could constitute the offences and crimes set forth in Italian Legislative Decree 231/01.
Role of the external auditing firm
External auditors of listed companies are required to be entered to a special Register kept by Ministry of Economy and Finance.
During the financial year they are required to verify that:
- the company's accounting records are properly maintained and that operations are correctly reflected in the accounting records; and
- the company's annual accounts and consolidated accounts are free from material misstatements which would alter the true and fair view of the financial position and results of operations of the Company and of the Group and are compliant with applicable accounting standards.
Additionally, based on Consob's recommendation, the external auditors shall also carry out a review of the individual and consolidated first-half report.
An auditing firm was appointed to perform the above tasks by UniCredit's Shareholders' Meeting on 9 April 2020 according to the Board of Statutory Auditors' proposal, for the financial statements 2022-2030 as for Legislative Decree 39/2010 that introduced a duration of nine years non-renewable.
The auditing firm currently appointed by UniCredit as its external auditors is KPMG S.p.A. whose address is as follows:
Via Vittor Pisani, 25
Tel. 02 83322111
The auditing firm's reports (Report of the External Auditors) are included in the Parent Company's and Consolidated Annual Report and Accounts, as well as in the Individual and Consolidated First-Half Report.