Share this event on:
  • LinkedIn

Recomend this page

Thank you, we sent your recommendation to the desired recipient.

Sorry, this functionality is not available right now.
Please try with this link. Thank you.

Our control systems

1 / 3

The Internal Control System


The Internal Control System (ICS) consists of a set of rules, procedures and organizational structures which aim to:

  • ensure that corporate strategy is implemented
  • achieve effective and efficient corporate processes
  • safeguard the value of corporate assets
  • ensure the reliability and integrity of accounting and management data
  • ensure that operations comply with all existing rules and regulations.

Role of governing bodies

The Chairman and Deputy Chairman
are ex officio members of the Internal Control and Risk Committee (ICRC). Subject to an opinion of the ICRC, the Chairman shall propose the appointment and replacement of the Head of the Internal Audit function to the Board of Directors.


The Board of Directors of UniCredit
draws up group internal control guidelines and policy in accordance with the Italian regulators' directives and applicable law. The Board of Directors, having consulted the Board of Statutory Auditors, approves risk management policy. The Internal Audit Department reports to the Board.

identifies the main corporate risks, presents them to the Board of Directors, and carries out the Board's instructions by having the ICS designed, managed and monitored.
The CEO has the duty of ensuring effective risk management by drawing up adequate policies and procedures and making sure that they are complied with within the bank.
In respect of third-level controls performed by the audit function that reports directly to the Board of Directors, the CEO examines the audit guidelines, proposes additions to the annual audit plan, and gives a non-binding opinion on proposed organisational and staff changes within the Internal Audit Department.




The Chairman of the Board of Statutory Auditors is an ex officio member of the Internal Control and Risk Committee and may delegate another Statutory Auditor to attend meetings of the Committee. Statutory Auditors may at any time undertake inspections or verification, jointly or singly.



comprises non-executive directors (a majority being independent directors). It assists the Board of Directors in drawing up the rules for the ICS and at least once a year assesses its adequacy, ensuring that the main corporate risks are correctly identified, measured, managed and monitored.

The ICRC may, through its Chairman, access all corporate information and functions as necessary for the proper performance of its duties, and avail itself of corporate and group departments and where necessary external advisors.

The ICRC assists the Board in determining the group's risk appetite, evaluates the annual audit plan drawn up by the Head of the Audit Department, examines the accounts quarterly and assists the Board in drawing up risk management policy. The ICRC reports at least half-yearly to the Board on its activity and on the adequacy of the ICS.

Role of the corporate functions

UniCredit monitors, measures and controls market, credit, operational, reputational and compliance risk as follows:


First-level or line controls are designed to ensure that transactions are carried out correctly.

Controls are performed by the production unit, incorporated in procedures or carried out by a back office.

Second-level or risk management controls are the duty of a unit which is distinct from the production unit. The departments responsible for these controls are the following:

  • The Compliance Function looks after the correct application of/and compliance with the regulatory framework, its consistent interpretation at group level, as well as the identification, evaluation, prevention and monitoring of the overall compliance risks of the group or respective Legal Entities.
  • The Group Risk Management (GRM) controls and steers Group risks by the definition of policies and methods aimed at measuring and controlling those risks, and optimizing the cost of risk through the definition of guidelines, policies and credit non-binding opinions on significant credit exposures, in compliance with internal and external rules and regulations.

Third-level controls are performed by Internal Audit, which assesses and regularly checks the completeness, functionality and adequacy of the ICS. Internal audit is independent of both production and second-level control units. In some cases an entity may outsource internal auditing to UniCredit SpA.

UniCredit Group has an Internal Audit Department. The "Person in Charge of Internal Control System" prescribed by the Italian Corporate Governance Code is the Head of Internal Audit.


Please click on the accordion below to learn more on the corporate functions responsibile for intenal controls

Role of the Supervisory Body

pursuant to Legislative Decree 231/2001

Italian Legislative Decree 231/01 prescribes the establishment of an internal Supervisory Body (hereinafter also SB) with independent powers of initiative and control whose duty is to supervise the functioning of and compliance with the Organization and Management Model and to ensure its updating.

Legislative Decree No. 231 of June 8, 2001 states the administrative liability of incorporated and non-incorporated bodies, companies and associations (entities). This liability is very similar to the criminal liability because it's not linked to the person committing the illegal conduct (entities are liable even if the person liable can't be prosecuted or has not been identified).

Entities can be liable as per L.D. 231/01 if:

a) senior managers, directors or people working under their guidance and supervision commit any of the crimes listed into the special part of the Decree;

b) the offence is committed for the benefit or in the interest of the entities themselves.

Entities may be exempted from liability if they prove that they have adopted and effectively implemented models of organization and management suitable to prevent the commission of the offences covered by the decree.

In this context, UniCredit SpA has adopted an Organization and Management Model that describes the methodology used to manage the risks pursuant to Legislative Decree 231/2001, the composition and role of the Supervisory Board and the internal disciplinary system.

The "Code of Ethics pursuant to Legislative Decree no. 231/2001" is an integral part of the Organization and Management Model, and contains rules intended to ensure that the conduct of the Addresses are always guided by principles of fairness, collaboration, loyalty, transparency and mutual respect, as well as to avoid conducts that could constitute the offences and crimes set forth in Italian Legislative Decree 231/01.

Role of the external auditing firm




External auditors of listed companies are required to be entered to a special Register kept by Consob. During the financial year they are required to verify that:

  • the company's accounting records are properly maintained and that operations are correctly reflected in the accounting records; and
  • the company's annual accounts and consolidated accounts are free from material misstatements which would alter the true and fair view of the financial position and results of operations of the Company and of the Group and are compliant with applicable accounting standards.

Additionally, based on Consob's recommendation, the external auditors shall also carry out a review of the individual and consolidated first-half report.
An auditing firm was appointed to perform the above tasks by UniCredit's Shareholders' Meeting on 9 April 2020 according to the Board of Statutory Auditors' proposal, for the financial statements 2022-2030 as for Legislative Decree 39/2010 that introduced a duration of nine years non-renewab

The auditing firm currently appointed by UniCredit as its external auditors is KPMG S.p.A. whose address is as follows:

Via Vittor Pisani, 25
20124 Milano
Tel. 02 83322111


The auditing firm's reports (Report of the External Auditors) are included in the Parent Company's and Consolidated Annual Report and Accounts, as well as in the Individual and Consolidated First-Half Report.











Updated on 19 July 2022.