Financial statements control system

Internal control system

PZU has an internal control system (ICS) in place, adjusted to the scale of its operations and its organizational structure. Its purpose is to ensure the effectiveness and efficiency of operations within the organization, reliability of financial reporting and compliance of the Company’s operations with the applicable laws and internal regulations.

The ICS comprises supervision, overall administrative and accounting procedures, organizational structures, reporting systems, solutions implemented in IT systems, the compliance function and other control mechanisms contributing to the security and stability of the Company’s operations by ensuring:

• efficiency and effectiveness of the operating activity;
• reliability of information communicated inside and outside the Company and assurance of availability and reliability of such information, in particular pertaining to financial statements;
• adequacy and effectiveness of risk controls (control operations should be commensurate with the level of risk involved in the operations and processes under control);
• responsible and transparent management of the Company;
• compliance of the Company’s activity with internal regulations and the standards of conduct adopted by the Company.

The following elements are distinguished within the ICS:

• control function aiming at ensuring compliance with control mechanisms concerning, in particular, risk management in the Company;
• independent compliance cell (Compliance Department – BCM) whose purpose is to execute the compliance function and to ensure systemic solutions with regard to efficiency and effectiveness of the ICS;
• independent internal audit cell (Internal Audit Department – BAW) whose purpose is to carry out independent and objective assessment and evaluation of adequacy and effectiveness of the internal control system and other elements of the system of governance.

The ICS is built on the basis of the said elements and is based on a model of three independent and complementary levels, i.e. three lines of defense, where:

• the first line of defense is comprised of activities of business processes owners, encompassing the operational management of risk associated with the Company’s operations and processes carried out as part of those operations;
• the second line of defense is comprised of activities of the Compliance Department and risk management by other specialized business units specified in internal regulations on risk management and dealing with risk identification, measurement, monitoring and reporting and controlling the limits;
• the third line of defense is provided by activities of the Internal Audit Department.

Supervision over the internal control system within the Company is exercised by:

• oversight exercised by the Supervisory Board;
• activities of the Management Board, including the establishment of an adequate and effective internal control system and periodic assessment of the functioning of the ICS;
• oversight exercised by the managers of functional divisions, specialist units and organizational cells in their subordinated organizational units/cells;
• oversight exercised by the Compliance Department in the area of system solutions aimed at ensuring adequacy and effectiveness of risk control in the business processes covered by the ICS.

The head of the respective organizational division/unit/cell is responsible for the deployment of an effective Internal Control System in the supervised area of the Companies’ activity, in particular for designing and ensuring efficient operation of control actions as integral components of operating processes.

An element of the ICS adopted by PZU is the compliance function supervised by the Director of the Compliance Department. The appointment and dismissal of the Director of the Compliance Department must be consulted with the Audit Committee. The Director of the Compliance Department has direct access to the Company’s Management Board Members and Supervisory Board Members, and representatives of the Compliance Department participate in meetings of selected committees established within the Company’s structure.

The PZU Group’s internal control system has been developed at the leading entity (i.e. PZU) level and is applicable to all members of the PZU Group, in consideration of their distinct nature, proportionality and adequacy. With regard to regulated entities existing within banking groups, the internal control system has been designed at the level of each of these groups, taking into account the applicable sectoral regulations.

As part of its cooperation with PZU Group entities, PZU analyzes information that it receives regularly from these entities concerning the organization of the internal control system, internal control conducted and evaluation of the internal control system, in order to improve unified standards for the operation of an effective internal control system.

Control mechanisms applied during the preparation of the financial statements

Financial statements are prepared in the Finance Division and central units operating based on the applicable regulations. The Finance Division is supervised by a Management Board Member, and the financial statements require approval by the Management Board.

The process is conducted in compliance with:

• accounting principles (accounting policy) adopted by the Management Board;
• chart of accounts with a commentary;
• other detailed internal regulations approved by the PZU Management Board specifying key rules for recording business events in PZU, the valuation of assets and liabilities and the calculation of the financial result;
• method of keeping the accounting ledgers;
• dedicated reporting systems.

Data are prepared in the source systems using formal operating and acceptance procedures which specify the powers of specific persons.

The reporting process is carried out by qualified, skilled and experienced staff.

PZU monitors changes in external regulations concerning, without limitation, the accounting policy and reporting requirements applicable to insurers and carries out appropriate adaptation processes in these areas. The accounting records are closed and financial statements are prepared in accordance with schedules, including the key activities and control points with assigned liability for timely and correct completion.

The key controls during preparation of the financial statements include:

• controls and permanent monitoring of the quality of input data, supported by financial systems with defined rules of data correctness, in accordance with PZU’s internal regulations governing the control of accuracy of accounting data;
• data mapping from the source systems to financial statements supporting the proper presentation of data;
• analytical review of financial statements by specialists to compare them with the business knowledge and business transactions;
• formal review of the financial statements to confirm compliance with the applicable legal regulations and market practice in terms of required disclosures.

Activities within the consolidated financial reporting processes are coordinated through a shared organizational structure of the Finance Division in the PZU and PZU Życie Head Offices, which is organized based on a personal union. PZU controls all its consolidated subsidiaries through these companies’ management boards and supervisory boards.

The consolidated financial reporting process is governed by a number of internal acts defining the principles of accounting policy adopted by the PZU Group and accounting standards. Moreover, it is subject to detailed schedules including the key activities and control points with assigned liability for timely and correct completion.

Consolidation packages forwarded by subsidiaries are subjected to:

• verification procedures by a statutory auditor scrutinizing the PZU Group’s consolidated financial statements;
• analytical reviews by specialists.

Consolidation packages forwarded by banks are also reconciled with their published stock exchange disclosures.

The organization and the process of preparing the financial statements are regularly reviewed by the internal audit function.

Internal audit

The internal audit function is run in a manner ensuring its unbiased nature and independence from operational functions, and its purpose is to add value and enhance the PZU Group’s operational performance. The activity of the audit function involves a regular and orderly assessment of the adequacy and effectiveness of the internal control system and other components of the management system. The internal audit function supports the PZU Group in the pursuit of its objectives by providing – also through consulting – certainty as to the effectiveness of these processes.

The duties of the internal audit function comprise in particular:

• establishment, implementation and maintenance of an audit plan, which defines the scope of audit work to be undertaken in subsequent years, with regard to all types of activity and the Company’s overall system of management;
• making recommendations on the basis of the findings collected in the course of work according to the audit plan;
• checks of execution of the corrective measures following from the recommendations made.

The audit plan is prepared on the basis of an annual risk identification and assessment conducted across all areas of PZU’s business. A draft plan is presented for evaluation by the Audit Committee and then approval by the Management Board.

The timely implementation of audit recommendations by the business units is overseen by the responsible member of the Management Board or PZU Group Director. The Internal Audit Department monitors the progress of implementing the recommendations based on information obtained from the respective business units. After an analysis, it decides whether to consider them completed.

The following adopted principles guarantee the independence and impartiality of internal audit:

• The Managing Director on Audit, who heads the Internal Audit Department, reports functionally to the Audit Committee and organizationally directly to the Management Board President;
• the appointment and dismissal of the Managing Director for Audit must be consulted with the Audit Committee.
• The Managing Director on Audit participates in meetings of the Audit Committee and meetings of the Management Board, and representatives of the Internal Audit Department take part in meetings of selected committees operating within PZU’s structure;
• PZU’s internal auditors demonstrate outstanding professional and ethical qualifications and possess the proper knowledge and skills, including the knowledge of issues necessary to conduct audits. They have access to the necessary information, explanations, documents and data, allowing for the timely and correct performance of their tasks;
• the scope of audit activities performed during each audit and the resulting evaluations are autonomous decisions of internal audit. The tasks are allocated in such a manner so as to prevent potential and actual conflicts of interest. Each employee is required to notify their superior if a such a conflict occurs. Information on potential conflicts of interests is also collected and, where necessary, tasks assigned to members of the internal audit team are reallocated. Furthermore, no auditor is permitted to audit any activities they have themselves performed or managed, and no auditor may accept responsibility for any operating activity subject to assessment by internal audit.

PZU has implemented the Internal Auditor’s Code of Ethics, based on guidelines issued by the Institute of Internal Auditors (IIA). The purpose of the Code is to promote best practices and models for ethical behavior, and to motivate the need for continuous professional improvement and development of the proper image of internal auditors.

The Internal Audit Department provides the Company’s Management Board and Audit Committee with periodic management information from its subordinate area, including, in particular:

• information on the progress in implementing the audit plan;
• information on the findings of internal audits;
• information on recommendation monitoring results.

In order to ensure the proper quality and continuous improvement of the internal audit function, internal (on an annual basis) and external (not less than once every five years) assessments of the Company’s internal audit activities are conducted. A third-party assessment of the internal audit function at PZU conducted by PwC Advisory and an analysis of coordination of the Group’s internal audit run by the Internal Audit Department demonstrated general compliance with the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics developed by the IIA.

Audit Committee

The appointment of the Audit Committee has served the purpose of increasing the effectiveness of supervisory activities performed by the Supervisory Board with regard to the monitoring of financial reporting processes.

The Committee’s tasks associated with monitoring the financial reporting process and the provision of advisory and evaluation services include, in particular:

• tentative evaluation of the Management Board’s report on the activity of the Company and the Company’s annual financial statements;
• tentative evaluation of the Management Board’s report on the activity of the Company’s group and the annual consolidated financial statements of the Company’s group;
• tentative evaluation of all financial documents submitted to the Supervisory Board, in particular an annual financial plan prepared by the Management Board and a report on its implementation;
• issuing opinions on the core principles of the financial reporting and accounting system in place in the Company (including the criteria for consolidation of results of individual entities from the Company’s group);
• providing the Supervisory Board with conclusions and recommendations concerning the rationale for any modification of the financial reporting system in place in the Company and the Company group and informing the Supervisory Board about significant irregularities in such system or risks associated with its organization and operation, known to the Committee.

The Audit Committee presents recommendations regarding the selection of an audit firm to perform the audit and review of the financial statements to the Supervisory Board.

A statutory auditor appointed by the PZU Supervisory Board upon a recommendation of the Audit Committee, reviews interim standalone and consolidated financial statements, audits annual standalone and consolidated financial statements and annual solvency and financial condition reports required by the Solvency II Directive (for PZU and the PZU Group).