Internal control system
The internal control system is an integral part of the corporate governance system and one of the most vital elements in the bank’s effective performance. The internal control system provides for protection of the interests of the bank’s investors and customers by ensuring that the bank’s employees act in compliance with Russian laws, regulations and professional standards. It ensures a level of reliability appropriate to the nature of the bank’s operations and minimises banking risks.
The system of internal control is based on a clear allocation of authorities and responsibilities between the bank’s executive bodies, subdivisions and employees. The main requirements for the organisation of internal control as well as the allocation of authority and areas of responsibility are enshrined in the bylaws of the bank. The Audit and Risk Committee, which reports to the Supervisory Board, supports the efficient functioning of the internal control system at the bank and secures the effective participation of the Supervisory Board in exercising control over the bank’s financial and commercial activities.
Internal control within the bank is undertaken by:
- The General Shareholders’ Meeting
- The Supervisory Board
- The Management Board
- The Chairman of the Management Board and his deputies
- The Chief Accountant and his/her deputies
- The Audit Panel
- The Audit and Risk Committee of the Supervisory Board
- The bank’s subdivisions and officers responsible for internal control as authorised by its corporate documents:
  - The Internal Audit Department
  - The Compliance Department, which includes the Compliance Section (Internal Control Section) and Financial Monitoring Division headed by a designated AML/CFT compliance officer
  - The Stock Market Professional Participant Controller
  - Other subdivisions as may be required by the nature and the scale of the bank’s business.
Internal Audit Department
The role of the Internal Audit Department (IAD) is to conduct internal audits, monitor and provide direct assistance to the bank’s management bodies in ensuring its efficient operation, through independent and objective recommendations, to enhance the effectiveness of the systems of internal control, risk management and corporate governance.
The IAD monitors the compliance of the rules, procedures and practices of the bank’s operations with applicable laws and provisions, the bank’s Charter and the resolutions of the bank’s authorised bodies; monitors the effectiveness of the functioning of the decision-making system and allocation of authority, the risk management system, the system for combating money laundering and the financing of terrorism and other systems for protecting the bank’s activities; and conducts internal audits of the activities of the bank’s subdivisions. The IAD is independent in its activities. Its independence is established by the bank’s bylaws, and is based on the principles that the IAD:
- Acts under direct control of the Supervisory Board;
- Does not undertake any audited activities;
- On its own initiative, reports to the Supervisory Board on, and also informs the Chairman of the Management Board and the Management Board of, any matters coming to its attention when exercising its functions, and on proposals regarding their resolution;
- Is to be independently audited by external auditors or the Supervisory Board.
The Supervisory Board regularly engages external experts for independent appraisal of the IAD’s performance from the viewpoint of CBR’s requirements (Regulation 242-P), the International Professional Practices Framework of the Institute of Internal Auditors (the “Standards”), stakeholders’ expectations and best practices of internal audit. Such appraisal was performed in 2019 by PWC, who confirmed that the IAD worked in compliance with CBR’s requirements and the Standards, and noted significant improvements compared to the preceding appraisal made in 2017.
- Prepared the Strategic Internal Audit Plan for 2020-2022 and had it approved by the Supervisory Board;
- Prepared the Certified Internal Auditor Training Plan and began training and examination of employees;
- Prepared the Quality Assurance and Enhancement Programme, setting out approaches to internal and external appraisals of the IAD; made an annual self-appraisal, and requested feedback from Management Board members on how well it met their expectations;
- Updated its Work Manual, setting out the basic auditing rules of, requirements for, and practical recommendations on, the organisation and execution of audits, including approaches to documenting audit work;
- Introduced a data analysis tool and formulated key audit indicators for every business line of the bank, allowing the IAD to promptly identify risk events or suspicious operations requiring further investigation, and generate dashboards visualising the analysed data;
- Updated the format of its quarterly activity report for the Audit and Risk Committee.
The organisational structure of the IAD includes subdivisions responsible for the audit of corporate, retail business and information technology.
In planning its activities and in auditing, the IAD exchanges information with internal parties (Compliance Department, Security Department, Information Security Department, Stock Market Professional Participant Comptroller, Quality Control Group) and external parties (the Bank of Russia and external auditors), who audit the bank and provide consulting services in respect of risk management and internal control.
The Compliance Section (CS) performs internal control in order to identify risks of losses resulting from any non-compliance by the bank with federal laws and other statutes of the Russian Federation, the bank’s bylaws, or from the imposition of any sanctions and/or other actions by supervising authorities.
The CS acts in line with principles of independence, fairness and impartiality. The CS forms part of the Compliance Department which, in its turn, reports to the Supervisory Board, the Chairman of the Management Board and the Management Board. The Compliance Section submits reports on its performance to the bank’s executive bodies and the Supervisory Board on a quarterly basis.
The CS carries out the following functions:
- developing the methodological framework of the internal control system;
- reviewing bylaws developed by the bank’s internal subdivisions from the viewpoint of their compliance with banking laws and the Bank of Russia’s regulations;
- monitoring Russian laws for the purpose of updating corporate documents in due time;
- making proposals to improve banking service technologies so as to comply with banking laws, shorten service time and increase service quality;
- developing bylaws intended to identify conflicts of interest and prevent internal misconduct;
- developing bylaws intended to enforce rules of corporate conduct and standards of professional ethics;
- providing methodological support to the bank’s staff regarding evaluation of regulatory risks and identification of such risks in internal technologies or rules of specific banking operations;
- analysing the results of internal and external audits of banking operations so as to adjust existing corporate documents regulating the internal control system and regulatory risk management;
- registering regulatory risk events and maintaining an analytical database of the bank’s losses;
- evaluating the extent of any deviations identified in transactions, finding their causes, any systemic errors, abuse or organised schemes, and initiating investigations;
- assessing the need for any regulatory risk mitigation measures and preparing appropriate decisions within its competence;
- controlling subdivisions’ compliance with approved procedures, limits, processes and technologies;
- liaising with the Bank of Russia and external auditors regarding any methodological issues related to internal control and regulatory risk management;
- analysing customer grievance indicators and the bank’s observance of customers’ rights;
- analysing the suitability of any outsourcing arrangements of the bank.
Audit and Risk Committee
The Audit and Risk Committee acts in the interests of the bank’s shareholders, the bank itself and its investors, promotes the establishment of an effective system of control over the financial and commercial activity of the bank, and ensures the actual involvement of the Supervisory Board in exercising control over the financial and commercial performance of the bank.
The Audit and Risk Committee acts within powers conferred on it by the Supervisory Board under the relevant regulation.
In its activities, the Audit and Risk Committee is fully accountable to the Supervisory Board and acts under Russian laws, the bank’s Charter, the Regulation on the Supervisory Board, the Regulation on the Audit and Risk Committee and other bylaws of the bank as approved by its General Shareholders’ Meetings and the Supervisory Board, and also resolutions of the Committee itself.
The Audit and Risk Committee co-operates with other Supervisory Board Committees, the bank’s Audit Panel, auditors of the bank, the Management Board, the Internal Audit Department, the Compliance Section and other management and control bodies of the bank.
The bank’s Audit Panel is a standing, elective body forming part of the bank’s internal control system. The Audit Panel acts in the interests of the bank and its shareholders for the purposes of mitigating the risks of the bank’s business activities.
The Audit Panel is subject to the legislation of the Russian Federation, the regulations of the Bank of Russia, the bank’s Charter, the Regulation on the Audit Panel and the resolutions of the General Shareholders’ Meeting.
Within its competence, the Audit Panel shall inspect the bank’s compliance with applicable laws and regulations, the organisation of the bank’s internal control, the legality of operations made by the bank (by full or selective verification) and the state of the bank’s cash and property.
According to the bank’s Charter, the Audit Panel consists of three members elected by the General Shareholders’ Meeting for a term ending at the next annual General Shareholders’ Meeting.
The bank’s external auditors in 2019 were Joint-Stock Company KPMG (in respect of the International Financial Reporting Standards) and Joint-Stock Company Audit-Consulting Group Business Systems Development (RBS) (in respect of the Russian Accounting Standards).
External auditors are appointed by the General Shareholders’ Meeting upon the Supervisory Board’s recommendation. In its turn, the Supervisory Board relies on recommendations as to the choice of the bank’s auditor given by its Audit and Risk Committee which, following discussions in 2018–2019 and meetings with auditors, recommended that it keep the current auditors, whose independence and impartiality were acknowledged by the members of that Committee.
KPMG’s fees for the audit of 2019 IFRS statements and the interim reviews for 3, 6 and 9 months of 2019 stood at RUB 24,450,000, excluding VAT.
RBS’s fees for the audit of 2019 RAS statements and the interim review for 9 months of 2019 stood at RUB 2,700,000, including VAT.