The guidelines emerging from the Board’s documentation assign the Internal Audit System (IAS) the objective of ensuring proper information and appropriate coverage of control for all activities and, in particular, in the areas of greater corporate risk. As part of the last report on ICAAP (Internal Capital Adequacy Assessment Process) (which banks have to send to the Bank of Italy by the end of April each year), the most significant risks were deemed to be credit risk, operating risks, liquidity risk and reputational risk. In addition, rate and market risks and, more generally, all the main regulatory and economic risks are stably covered.

Banca IFIS’s IAS consists of rules, procedures and organization units aiming to ensure observance of corporate strategies and achievement of the following goals:

  • Effectiveness and efficiency of corporate processes (administration, production, distribution, etc.);

  • Safeguarding of assets’ value and protection from losses;

  • Reliability and integrity of accounting and operating information;

  • Compliance of transactions with legislation, supervisory regulations and also with house policies, plans, regulations and procedures, and with Codes (Code of Ethics, Corporate Governance Code, etc.) adopted for internal application by the Bank.

Controls involve, with different roles, the Board of Directors, the Board of Statutory Auditors, General Managers, and all personnel. Some types of controls are highlighted below:

  • Line controls which aim to ensure that operations are carried out correctly. These controls are carried out by the operational structures themselves or are incorporated in procedures or in back office activities;

  • Risk management controls which aim to define methods for measuring risks, verify if limits assigned to the various operational areas are being respected and check if operations within all areas are consistent with the risk / reward objectives assigned. These controls are entrusted to various structures, different from the operational one;

  • Internal auditing activities which aim to identify anomalous trends and violations of procedures and regulations, as well as to appraise the overall efficiency and effectiveness of the Internal Audit System. These activities are carried out on a continual basis, both periodically and by exception, by various different structures that are independent from operational structures, also via on-the-spot audits.

Corporate Bodies foster a corporate culture that sets value on the control function. All personnel in the organization must be aware of the role assigned to them in the internal audit system and be fully involved.

The Board of Directors has the task of (a) approving strategic guidelines and risk management policies, (b) approving the Bank’s organizational structure, (c) establishing the guidelines of the internal audit system of the Bank and its subsidiaries, and also of (d) checking that the internal audit set-up is consistent with elected risk propensity.

In addition, the Board of Directors ensures that a correct, complete and timely information system is established and that the functionality, efficiency and effectiveness of the IAS is assured, based on regular assessments and, when necessary, taking appropriate remedial actions.

The roles of the other main players in the IAS (Internal Audit Committee, Executive Director in Charge of Internal Audit System, Supervisory Committee pursuant to Legislative Decree 231/2001, Internal Auditing Department and Corporate Accounting Reporting Officer) are described in the parts of this Report specifically dedicated to such figures and/or their respective activities.

The overall framework of the figures involved in the IAS is completed by further risk-management control functions, mainly entrusted to the:

  • Risk Management Department, with the aim of establishing the methodologies, tools and procedures to identify, measure, monitor and control the various types of risk as well as to:

      • Monitor observance of the risk policies established by the Board of Directors through detection of any critical and risk thresholds identified for the various types of risk;

      • Cover some types (like liquidity risk and operating risk) also through the production of reports for corporate bodies;

  • Compliance Department, with the aim of identifying the risk of regulatory non-compliance, assessing its impacts and recommending mitigation actions by means of prior analysis and monitoring of the regulations included in the relevant boundary and their knock-on effect on corporate units and processes.

Key characteristics of present risk management and internal audit systems in relation to the financial reporting process

1. Foreword

In relation to the financial reporting process, the risk management and internal audit systems are components of the same overall “System”, which is designed, among other things, to assure the trustworthiness, accuracy, reliability and timeliness of financial reporting.

Together with the central body of administration & accounting procedures, the provisions in the Articles of Association concerning the “Corporate Accounting Reporting Officer” (hereinafter also “Financial Accounting Officer”), the appointment of the present Financial Reporting Officer, and the “Regulation of the Corporate Accounting Reporting Officer”, approved by the BoD, form the overall set of measures applied by the Bank to cover the risk of erroneous financial reporting.

As regards this, the approaches via which the appropriateness and effective application of the said administration & accounting procedures is ensured are based on our internally developed methodology. The latter is based on assessment of the risk of erroneous financial reporting, meaning an intentional or unintentional action potentially capable of producing errors in financial statements. This methodology, as described at the beginning of the present paragraph, is consistent with the requirements established by supervisory regulations concerning risk assessment and the internal audit system.

2. Description of key characteristics of present risk management and internal audit systems in relation to the financial reporting process (the “System”)

The System is described in the following documentation approved by the Board of Directors, also bearing in mind its supervisory tasks pursuant to Article 154-bis of the CFA (Consolidated Finance Act):

  • Group Accounting Manual, which describes the guidelines underlying preparation of the individual and consolidated financial statements in accordance with the requirements of current regulations;

  • Financial Reporting Process, which governs the activity of production and approval of the individual annual financial statements, of the half-yearly report and of quarterly reports, as well as of the consolidated annual financial statements and related annexes;

  • Regulation of the Corporate Accounting Reporting Officer, which includes the methodological document describing the process for managing the risks of erroneous financial reporting. Specifically, this latter document establishes the approach followed by the Accounting Reporting Officer to assess the individual administration & accounting processes, examining their:

      • Riskiness;

      • Appropriateness;

      • Efficacy and effective application.

2.1 Phases of the process for managing risks of erroneous financial reporting

The process is illustrated below in chart form.

2.1.1 Identification of administration & accounting processes

An “administration & accounting process” is that corporate process comprising operations/transactions capable of positively or negatively affecting the correctness of data and therefore preparation of financial statements and further corporate acts and notifications.

2.1.2 Assessment of inherent risk

Administration & accounting processes can generate events featuring the risk of erroneous financial reporting, i.e. events able to violate one or more financial-statement assertions.

Each risk event identified has a given level of inherent riskiness, which depends on the following criteria:

  • Risk associated with a significant accounting item;

  • Risk generated by an operation/transaction featuring high frequency;

  • Risk generated by an operation/transaction subject to a specific valuation (e.g. securities, impairment).

In the face of the inherent risk found at the level of activity, specific criteria are established as the basis to assess efficacy, as described in the subsequent point addressing this topic.

2.1.3 Assessment of the appropriateness of administration & accounting procedures

Assessment of the appropriateness of administration & accounting procedures is performed by analysis of the documentary set-up of the administration & accounting procedure examined and of line controls existing and consequently documented.

Documentary analysis of the administration & accounting procedure

Documentary analysis concerns the combination of house regulations and operating practices. In view of the risk-based approach applied, the analysis is carried out with reference to risks, to the operations/transactions generating them and to the line controls established to mitigate such risks.

For each risk the analysis assesses:

  • The level of formalization of procedures, consisting of various parameters, such as, by way of non-exhaustive example, formalization, updating and circulation;

  • The level of responsibility, consisting of the existence and attribution of roles and responsibilities in the execution of the operation/transaction generating the risk.

In addition, for each line control the analysis assesses the:

  • Level of formalization;

  • Attribution of roles and responsibilities;

  • Level of traceability and verifiability of the controls themselves.

Combination of appropriateness assessments

Appropriateness is assessed by combining the assessments of appropriateness of the:

  • Documentary analysis of procedures and

  • Analysis of line controls.

2.1.4 Assessment of residual risk ex ante

For each risk event, assessment of the residual risk ex ante is performed by combining the level of “inherent risk” with the related assessment of appropriateness.

2.1.5 Assessment of efficacy

Based on the assessment of inherent risk at the level of activity (see point 2.1.2), efficacy is then assessed.

The aim of the assessment of efficacy is to check that conduct and corporate operations (which, for the purposes of this analysis, translate into processes and activities) are able to assure achievement of the Bank’s established objectives, while covering the risks identified.

The tools used to make this assessment are:

  • Testing of controls: these are checks designed to verify that line controls have been executed or, in the latter’s absence, that the process functions properly, by means of tests of transactions;

  • Compliance with international accounting standards: these are checks designed to ascertain that accounting entries are performed in compliance with the requirements of current relevant regulations and international accounting standards;

  • Operating environment factors: these are analyses designed to detect the presence of organizational or regulatory changes that may affect achievement of process objectives.

2.1.6 Assessment of residual risk ex post

Assessment of residual risk ex post is performed by comparing the level of residual risk ex ante, found for each individual risk, with the related assessment of efficacy.

Specifically, for each risk a comparison is performed – as regards the administration & accounting procedures and controls in place – between the assessment of the set-up and the assessment of the operation of these organizational approaches.

2.1.7 Assessment of appropriateness and effective application of administration & accounting procedures

To make the assessment of appropriateness and effective application of administration & accounting procedures, the assessments of residual risk ex post at the level of activity are grouped.

Further grouping of the assessments obtained at activity level leads to attribution of a rating of appropriateness and effective application of administration & accounting procedures at process level.

Lastly, the overall evaluation of the appropriateness and effective application of administration & accounting procedures in terms of the Bank as a whole, is based on the qualitative evaluation of the Accounting Reporting Officer, developed on the basis of his professional judgement stemming from the evidence obtained on the individual processes.

The Accounting Reporting Officer uses the evaluation of the appropriateness and effective application of administration & accounting procedures to provide the certification required pursuant to Article 154-bis, paragraph 5, of Italian Legislative Decree no. 58/1998. The Accounting Reporting Officer reports back to the CEO on the occasion of this certification.

2.2 Roles and functions involved

In the light of the important responsibilities entrusted to him, the Accounting Reporting Officer is attributed appropriate powers and resources for performance of his functions, as detailed in the last paragraph of this Section. Specifically, the Accounting Reporting Officer, who retains responsibility for and coordination of the activity, draws on the support both of internal personnel and of an auditing firm other than the one appointed to audit accounts, which has been given the task of assisting the Accounting Reporting Officer in the assessment activity described earlier.

As regards relations with the Bank’s units/Bodies/Officers, besides the necessary information flows envisaged by regulations with the various control functions and vis-à-vis the Management & Control Bodies, the Accounting Reporting Officer receives from all Organizational Units the utmost collaboration needed to carry out the activities for which he is responsible, with assurance of free access to all premises, information, accounting records and documentation and timely, complete, accurate and reliable supply of all data requested. If any of the activities managed by the Organizational Unit in question have been outsourced to third parties, the Head of the Organizational Unit ensures that the Accounting Reporting Officer is also able to access the information at such parties’ disposal. The Accounting Reporting Officer agrees the procedures for implementation of appropriate information flows with each Organizational Unit.

In addition, as regards coordination of Group Companies for preparation of consolidated financial reports, specific information flows are established for provision to the Parent Company. Specifically, Group Companies identify the delegated parties to empower to interact with the Accounting Reporting Manager, in order to enable the latter to fulfil his responsibilities.

In particular, the delegated parties provide the Accounting Reporting Officer with the information and with any certifications deemed necessary to enable the latter to comply with the requirements established pursuant to Articles 123-bis and 154-bis, paragraph 5, of the CFA, as well as with those established by Circulars 272 and 115 issued by the Bank of Italy concerning the matrix for accounts and production of supervisory reports on a consolidated basis.

***

During 2010 the process of gradual reinforcement and ongoing structuring of the internal audit system continued. In this context the Board of Directors, also based on the reports received from the Internal Audit Committee, did not find any inadequacies in relation to the Bank’s size and operations.

11.1. EXECUTIVE DIRECTOR IN CHARGE OF INTERNAL AUDIT

The Board of Directors has identified the CEO as the executive director in charge of overseeing the functionality of the internal audit system. This responsibility also comes to him from the tasks that the supervisory directives enacted by the Bank of Italy attribute to delegated bodies/officers and/or to the body/officer performing the management function. In Banca IFIS the management function, save for matters that are the exclusive prerogative of the Board pursuant to the Articles of Association and/or powers not delegated by the Board – as also specified in the “Corporate governance project” approved by the Board – is performed by Top Management (consisting of the CEO and General Manager).

During 2010 the CEO promoted and followed the fine-tuning of the processes of identification of the main corporate risks (strategic, operating, financial and compliance) in relation to the Bank’s evolution in terms of size, the range of services marketed and operating organization, as well as in relation to trends in the legislative and regulatory framework.

He constantly reported back to the Board of Directors on all aspects of corporate management, including verification of the overall appropriateness, effectiveness and efficiency of the internal audit system.

In particular, during 2010 the CEO:

  • Interacted with the other parties in the internal audit system;

  • Constantly followed implementation of the Audit Plan and the results of the audits performed;

  • Submitted risk policies to the Board of Directors for approval, reporting to the Board quarterly on the trend of such risks.

Lastly, in 2006 the CEO had proposed to the Board appointment of the present Internal Auditing Officer who, based on corporate house regulations, performs the activities attributed by the Corporate Governance Code to the “Internal Audit Officer”. Appraisal of the latter’s performance, also in relation to the variable part of remuneration, is the prerogative of the Board of Directors as the Internal Auditing Function is established within the Board itself.

11.2. INTERNAL AUDIT OFFICER

Since mid-2006 the position of Head of the Internal Auditing Function as a staff department of the Board of Directors has been held by the manager Ruggero Miceli. The mission assigned to this Function by the relevant regulation approved by the Board of Directors also includes verification that the internal audit system is always appropriate, fully operational and working properly.

The appointment took place at the Board meeting held on 4 August 2006, on the proposal of the executive director in charge of overseeing the functionality of the internal audit system.

At the time of hiring, the remuneration of Mr. Miceli was approved by the Remuneration Committee. Remuneration policies for the members, employees and outside staff members of the Banca IFIS banking group approved by the Shareholders’ Meeting subsequently decreed his exclusion from stock option plans, together with the other managers of control functions, as established by supervisory requirements concerning banks’ organization and corporate governance.

The Internal Audit Officer and, more generally, the Internal Auditing Function, is not responsible for any operating area and does not report on a line basis to any manager of operating areas. The positioning of the Internal Auditing Function in the corporate organization chart as a staff department of the Board of Directors, as well as assuring its independence – consistently with the Bank of Italy’s guidance and with sector best practice – facilitates the appropriate exchange of information with the Internal Audit Committee, Board of Statutory Auditors and, in general, with corporate bodies and officers.

During 2010 the Internal Audit Officer:

  • Had direct access to all information useful for performance of his office;

  • Reported on his work on a 6-monthly basis to the Board of Directors;

  • Constantly interacted with the Internal Audit Committee, Board of Statutory Auditors and with the Supervisory Committee set up as per Italian Legislative Decree 231/2001 (of which he is a member), also reporting on his work;

  • Reported back continuously on his work also to the executive director in charge of overseeing the functionality of the internal audit system.

At the time of approval of the 2010 Audit Plan, the Board of Directors had also approved decision-making autonomy of the Internal Auditing Officer concerning training of the Function’s staff, purchase of publications and payment of association dues, as well as assignment of further economic resources of EUR 50,000, that can be drawn upon independently by the Internal Auditing Officer.

The main activities performed by the Internal Audit Officer during 2010, based on the said Audit Plan, concerned – with varying levels of depth depending on the level of risk – the following organizational components:

  • Subsidiary;

  • Italian and foreign branches;

  • Management areas/services.

The main areas concerned were:

  • Credit management;

  • Online funding;

  • Information technology;

  • Compliance.

Besides the 6-monthly Reports on the work done, in compliance with the requirements of Supervisory Bodies, the Internal Auditing Officer also prepared specific reports concerning:

  • Assessments of the subsidiary company;

  • Audits of the foreign branch;

  • Remuneration policies;

  • The ICAAP process.

He also interacted with Level 2 control units with reference to the areas of risk covered by such units.

11.3. ORGANIZATIONAL MODEL as per Italian Legislative Decree 231/2001

Banca IFIS, sensitive to the need to ensure conditions of transparency and fairness in conducting its business, in order to safeguard its institutional role and image, the expectations of shareholders and of those who work for and with the Bank, has deemed it consistent with its corporate policies to implement the Organizational & Management Model envisaged by Italian Legislative Decree 231/2001.

This initiative was taken also in the conviction that application of the Organizational Model is a sound means of increasing the sensitivity of those who work for the Bank, spurring them to apply, in performing and conducting their activities, fair and linear conduct, such as to prevent the risk of perpetration of the crimes contemplated in Legislative Decree 231/2001.

The Bank condemns conduct contrary to current legislative requirements and to the ethical principles also stated in the Bank’s Code of Ethics. In this respect, application and effective implementation of the Model improves the Bank’s Corporate Governance, limiting the risk of crimes being committed.

In preparing its Organizational Model, Banca IFIS has based itself on the guidelines issued by the ABI (Italian Banking Association) for the adoption of organizational models in relation to banks’ administrative liability. These guidelines provide orientation for the interpretation and analysis of the legal and organizational implications stemming from introduction of Legislative Decree 231/2001.

Crimes pursuant to Legislative Decree no. 231/2001

As regards the crimes to which the set of rules in question is applicable, at present they consist of the following types:

  • Crimes in dealings with Public Administration;

  • Computer crimes and unlawful handling of data;

  • Organized crime;

  • Counterfeiting of coins, legal tenders, government stamps and identification instruments or signs;

  • Crimes against industry and trade;

  • Some types of corporate crimes;

  • Crimes with terrorist intent or aiming to subvert the democratic order;

  • Mutilation of female genitals;

  • Crimes against the person;

  • Market abuses;

  • Crimes (manslaughter and negligently causing serious or grievous bodily harm) committed with breach of occupational health and safety regulations;

  • Receiving, laundering and use of cash, assets or other benefits of unlawful provenance;

  • Copyright breaches;

  • Convincing people to be reticent or to make false statements to the court authorities.

For full observance and interpretation of the Organization Model, a Supervisory Committee has been set up. The Supervisory Committee is a collective body formed by members of the Board of Directors, chosen from among the non-executive Directors, and the Internal Auditing Officer. The Committee, as per the resolution of the Board of Directors appointed by the Shareholders’ Meeting on 29 April 2010, is currently chaired by the Director Andrea Martin and consists of two other permanent members, the Director Leopoldo Conti and Internal Auditing Officer Ruggero Miceli. Membership is the same as in the previous 3-year period.

The Committee holds office for three years and meets at least once a quarter. Meetings are regularly documented in minutes, which are recorded in the minutes register. The Committee reports on its work to the Board of Directors every six months. The Committee has autonomous powers of initiative and control, as established in Italian Legislative Decree 231/2001 “Rules for the administrative liability of legal entities, partnerships and associations, including those without legal personality”.

The Organizational Model adopted by the Bank also refers, to the extent that it is applicable, to the subsidiary, considering the current Group structure, particularly as regards:

  • Group regulations;

  • Code of Ethics;

  • Group Accounting Manual;

  • System of delegated powers;

  • Business procedures (where present).

The Regulation of the Supervisory Committee is available on the Bank’s website, in the section “Investor Relations – Corporate Governance – Supervisory Committee”.

11.4. AUDITING FIRM

The Company’s Shareholders’ Meeting of 30 April 2007 appointed KPMG S.p.A. to audit the Company’s financial statements and the Group’s consolidated financial statements, as well as Banca IFIS’s half-year report for the period 2008-2013; KPMG S.p.A. will hold office until approval of the financial statements at 31 December 2013.

11.5. CORPORATE ACCOUNTING REPORTING MANAGER

On 27 September 2007 the Board of Directors appointed Carlo Sirombo as Corporate Accounting Reporting Manager, effective from 1 October 2007.

Pursuant to Article 19 of the Articles of Association:

  • The Board of Directors, pursuant to Article 154-bis of the Italian Legislative Decree no. 58/1998, appoints, after having received the mandatory opinion of the Board of Statutory Auditors, a corporate accounting reporting officer;

  • The corporate accounting reporting officer must meet the requirements of integrity established for election as a statutory auditor by Article 2 of Ministry Decree no. 162 of 30 March 2000 and the requirements of professionalism established for election as a director of Banks that are joint-stock companies by Article 1, paragraph 1, of Ministry Decree no. 161 of 18 March 1998.

The Accounting Reporting Officer, who is also Manager of the Administration & Management Control Department, has spending power of € 50,000 for each spending item and can make use of the department’s facilities for constant adaptation of administration & accounting procedures for formation of the individual annual financial statements, consolidated annual financial statements and of any other financial communication, as well as for the other functions envisaged by law.