Since mid-2006, the position of Head of the Internal Auditing Office, reporting to the Board of Directors, has been held by the manager Ruggero Miceli. The mission assigned to this office by the relevant regulations approved by the Board of Directors also includes verification that the Internal Control and Risk Management System is always complete, adequate, fully operational and working properly.
Mr. Miceli’s appointment took place at the Board meeting held on 4 August 2006, on the proposal of the Director in charge of overseeing the functionality of the Internal Control and Risk Management System. On the basis of supervisory provisions and corporate governance rules in force at the time, no other opinions were acquired in explicit form.
At the time of hiring, the remuneration of Mr. Miceli was approved by a Committee within the Board having duties back then similar to the current Remuneration Committee. Remuneration policies for the Members, employees and outside staff members of the Banca IFIS Banking group approved by the Shareholders’ Meeting subsequently decreed his exclusion from stock option plans, as with other managers of control functions, as established by supervisory requirements concerning banks’ organization and corporate governance. The mechanism for the possible acknowledgement of variable salary portions is governed within the scope of ‘policies’ approved by the Shareholders’ Meeting, and requires the opinion of the Remuneration Committee and the competence of the Board of Directors. The Office/Department is equipped, from time to time, with resources suited to the fulfilment of its duties.
The Internal Auditing Office is not responsible for any operating area. The position of the Internal Auditing Office in the organization chart as a staff department of the Board of Directors, in addition to assuring its independence - consistently with the Bank of Italy’s guidance and with sector best practice - facilitates the appropriate exchange of information with the Internal Risk Management and Internal Control Committee, with the Board of Statutory Auditors and, in general, with corporate bodies and Officers.
The Regulations for Group Internal Auditing require the Parent company’s Internal Auditing Office to define a plan of activities that, basing itself on a structured process of analysis and prioritization of the main risks, takes into account the different levels of risk involved in the various activities and structures of the Parent company and its subsidiaries.
The Programmatic plan of audit activities lists the control activities planned for the three-year period (multi-year plan) and contains a separate and detailed presentation of the activities planned for the first 12 months (annual plan). A specific section of this plan is dedicated to the revision activities made in the IT area (ICT auditing).
In the Programmatic plan of audit activities, the Internal Auditing Office, with the aim of providing a summary framework linked to the Programmatic plan of audit activities for the previous financial period, reports on:
- The level of adaptation to the observations made within the context of the audits carried out;
- The completeness, adequacy, functionality and reliability of the Internal Control System.
The Programmatic plan of audit activities is forwarded simultaneously to the Board of Statutory Auditors, to the Risk Management and Internal Control Committee, to the Chairman of the Board of Directors, to the Director in charge of the Internal Control and Risk Management System as well as to Top Management for subsequent review by the Board of Directors. The Programmatic plan is updated any time it is deemed necessary, upon request from corporate bodies and/or proposed by the Head of the Internal Auditing Office.
During 2014, the Head of the Internal Auditing Office:
- Had direct access to all information useful for the performance of his office;
- Constantly interacted with the Risk Management and Internal Control Committee, with the Board of Statutory Auditors and with the Supervisory Body as per Legislative Decree no. 231/2001 (of which he is a Member), also reporting on his work;
- Forwarded the outcome of all activities to the Risk Management and Internal Control Committee, to the Board of Statutory Auditors, to the Chairman of the Board of Directors and to the Director in charge of the Internal Control and Risk Management System, as well as to the Chief Executive Officer and the General Manager;
- Reported on its doings to the Board of Directors providing, in reference to the audited processes and/or areas, adequate information on the activity carried out, as well as evaluations on the Internal Control System and on the residual risk, including through instructions on compliance of the plans defined for the purpose of mitigating risks. The quarterly reports (tableau de bord), the Annual report and any other reports and documents on specific and important topics fall within this scope.
- Carried out specific activities concerning the reliability of information systems and accounting systems.
During approval of the 2014-2016 Audit Plan, the Board of Directors also confirmed the decision-making autonomy of the Internal Auditing Officer concerning training of the Office’s staff, purchase of publications and payment of association dues, as well as assignment of further economic resources of 100,000 Euro, that can be drawn upon independently by the Head of the Internal Auditing Office for external consultancy.
The main activities carried out by the Head of the Internal Auditing Office during the course of 2014, on the basis of the aforementioned Programmatic plan, concerned, with varying depth according to the risk level, both the Parent company (Banca IFIS S.p.A.) and the subsidiary (IFIS Finance Sp. z o.o.).
The main sectors of operation refer to the following areas: business loans, non-performing loans, online collection and management of company liquidity, the latter including transactions in government bonds. Activities were also implemented concerning line offices lending support to business operations, second-level corporate control functions and the IT system, as well as certain additional company processes not directly ascribable to a particular office or department.
Besides the quarterly reports (Tableau de Bord) and the Annual report on the work done, in compliance with the requirements of Supervisory Bodies, the Head of the Internal Auditing Office also prepared specific reports concerning:
- Assessments of the subsidiary;
- Remuneration policies;
- The ICAAP process;
- Government and management of the liquidity risk.
The Internal Auditing Officer also interacted with Level 2 control units with reference to the areas of risk covered by such units.
The Internal Auditing Office availed itself of the collaboration of BDO Sp. z o.o. for the performance of audit activities within the Polish subsidiary.