In relation to the financial reporting process, the Risk Management and Internal Audit Systems are components of the same overall ‘System’, which is designed, among other things, to ensure the trustworthiness, accuracy, reliability and timeliness of financial reporting.
Together with the central body of administration & accounting procedures, the provisions in the Articles of Incorporation concerning the ‘Corporate Financial Reporting Officer’ (hereinafter also ‘Financial Reporting Officer’), the appointment of the present Financial Reporting Officer, and the ‘Regulation of the Corporate Financial Reporting Officer’, approved by the Board, form the overall set of measures applied by the Bank to cover the risk of erroneous financial reporting.
As regards this, the approaches, via which the appropriateness and effective application of the said administration & accounting procedures are ensured, are based on our internally developed methodology. The latter is based on assessment of the risk of erroneous financial reporting, meaning an intentional or unintentional action potentially capable of producing errors in financial statements. This methodology, as described at the beginning of the present paragraph, is consistent with the requirements established by Supervisory Regulations concerning risk assessment and the Internal Control System.
Description of key characteristics of present risk management and internal audit systems in relation to the financial reporting process (the ‘System’)
The System is described in the following documentation approved by the Board of Directors, also bearing in mind its supervisory tasks pursuant to Article 154-bis of the CFA (Consolidated Finance Act):
- Group Accounting Manual, which describes the guidelines underlying preparation of the individual and consolidated financial statements in accordance with the requirements of current regulations;
- Financial Reporting Process, which governs the activity of production and approval of the individual financial statements, of the interim report and of quarterly reports, as well as of the consolidated financial statements and related annexes;
- Regulation of the Corporate Financial Reporting Officer, which includes the methodological document describing the process for managing the risks of erroneous financial reporting. Specifically, this latter document establishes the approach followed by the Financial Reporting Officer to assess the individual administration & accounting processes, examining their:
- Efficacy and effective application.
Phases of the process for managing risks of erroneous financial reporting
The process is illustrated below in chart form.
Identification of administration & accounting processes
An ‘administration & accounting process’ is a corporate process comprising operations/transactions capable of positively or negatively affecting the correctness of data and therefore the preparation of financial statements and further corporate acts and notifications.
Assessment of inherent risk
Administration & accounting processes can generate events featuring the risk of erroneous financial reporting, i.e. events able to violate one or more financial statement assertions.
Each risk event identified has a given level of inherent riskiness, which depends on the following criteria:
- Risk associated with a significant accounting item;
- Risk generated by an operation/transaction featuring high frequency;
- Risk generated by an operation/transaction subject to a specific valuation (e.g. securities, impairment).
In the face of the inherent risk within an activity, specific criteria are established as the basis to assess efficacy, as described in the subsequent point addressing this topic.
Assessment of the appropriateness of administration & accounting procedures
Assessment of the appropriateness of administration & accounting procedures is performed by analysis of the documentary set-up of these procedures examined and of the line controls existing and consequently documented.
Documentary analysis of the administration & accounting procedure
Documentary analysis concerns the combination of internal regulations and operating practices. In view of the risk-based approach applied, the analysis is carried out with reference to risks, to the operations/transactions generating them and to the line controls established to mitigate such risks.
For each risk the analysis assesses:
- The level of formalization of procedures, consisting of various parameters, such as, by way of non-exhaustive example, formalization, updating and circulation;
- The level of responsibility, consisting of the existence and attribution of roles and responsibilities in the execution of the operation/transaction generating the risk.
In addition, for each line control the analysis assesses the:
- Level of formalization;
- Attribution of roles and responsibilities;
- Level of traceability and verifiability of the controls themselves.
Combination of assessments of appropriateness
Adequacy is assessed by combining the assessments of appropriateness of the:
- Documentary analysis of procedures;
- Analysis of line controls.
Ex ante assessment of residual risk
For each risk event, ex ante assessment of the residual risk is performed by combining the level of ‘inherent risk’ with the related assessment of appropriateness.
Assessment of efficacy
Based on the assessment of inherent risk at the level of activity (see point 2.1.2), efficacy is then assessed.
The aim of the assessment of efficacy is to check that conducts and corporate operations (which, for the purposes of this analysis, translate into processes and activities) are able to ensure achievement of the Bank’s established objectives, while covering the risks identified.
The tools used to make this assessment are:
- Testing of controls: these are checks designed to verify that line controls have been executed or, in the latter’s absence, to check the proper functioning of the process by means of testing transactions;
- Compliance with the International Accounting Standards: these are checks designed to ascertain that accounting entries are recorded in compliance with the requirements of current relevant regulations and the International Accounting Standards;
- Operating environment factors: these are analyses designed to detect the presence of organizational or regulatory changes that may affect achievement of process objectives.
Ex post assessment of residual risk
Ex post assessment of residual risk is performed by comparing the level of residual risk ex ante, found for each individual risk, with the related assessment of efficacy.
Specifically, for each risk a comparison is performed – as regards the administration & accounting procedures and controls in place – between the assessment of the set-up and the assessment of the operation of these organizational approaches.
Assessment of appropriateness and effective application of administration & accounting procedures
To assess appropriateness and effective application of administration & accounting procedures, the ex post assessments of residual risk at the level of activity are grouped.
Further grouping of the assessments obtained at activity level leads to attribution of a rating of appropriateness and effective application of administration & accounting procedures at process level.
Lastly, the overall evaluation of the appropriateness and effective application of administration & accounting procedures in terms of the Bank as a whole, is based on the qualitative evaluation of the Financial Reporting Officer, developed on the basis of his professional judgement stemming from the evidence obtained on the individual processes.
The Financial Reporting Officer uses the evaluation of the appropriateness and effective application of administration & accounting procedures to provide the certification required pursuant to Article 154-bis, paragraph 5, of Legislative Decree no. 58/1998. The Financial Reporting Officer reports back to the C.E.O. on occasion of this certification.
Roles and functions involved
In the light of the important responsibilities entrusted to him, the Financial Reporting Officer is attributed appropriate powers and resources for performance of his functions, as detailed in the last paragraph of this Section. Specifically, the Accounting Reporting Officer, who retains responsibility for, and coordination of, the activity, draws on the support of both internal personnel and of an auditing firm other than the one appointed to audit accounts, which has been given the task of assisting the Financial Reporting Officer in the assessment activity described earlier.
As regards relations with the Bank’s units/Bodies, besides the necessary information flows envisaged by regulations with the various control functions and vis-à-vis the Management & Control Bodies, the Financial Reporting Officer receives from all Organizational Units the utmost collaboration needed to carry out the activities for which he is responsible, with assurance of free access to all premises, information, accounting records and documentation and timely, complete, accurate and reliable supply of all data requested. If any of the activities managed by the Organizational Unit in question have been outsourced to third parties, the Head of the Organizational Unit ensures that the Financial Reporting Officer is also able to access the information at such parties’ disposal. The Financial Reporting Officer agrees the procedures for the implementation of appropriate information flows with each Organizational Unit.
In addition, as regards coordination of Group companies for the preparation of consolidated financial reports, specific information flows are established for provision to the Parent company. Specifically, Group companies identify the delegated parties to be empowered to interact with the Financial Reporting Officer, in order to enable the latter to fulfil his responsibilities.
In particular, the delegated parties provide the Financial Reporting Officer with the information and with any certifications deemed necessary to enable the latter to comply with the requirements established pursuant to Articles 123-bis and 154-bis, paragraph 5, of the CFA, as well as with those established by Circulars 272 and 115 issued by the Bank of Italy concerning the matrix for accounts and production of supervisory reports on a consolidated basis.