Shareholders and Investors: Corporate Governance and Remuneration Policy

Mechanisms of Internal Control

The Ibercaja Banco Group has a strong organizational structure that ensures effective risk management and control. The governance structure provides the appropriate communication channels to transmit information and decisions to all levels of the organization.

A more detailed description of the Governing Bodies and their functions can be found here.

The Executive Committees directly linked to risk management and control are: 
 
  • Global Risk Committee: executive body responsible for defining and monitoring the Group's risk strategies and policies, reporting periodically to the Major Risks and Solvency Committee on the degree of compliance with the metrics established in the Risk Appetite Statement, proposing, where appropriate, the necessary action plans to remedy any excesses or non-compliances and ensuring that the Group has the appropriate procedures and means for the identification, measurement, follow-up and monitoring of the risk profile.
 
  • Audit Committee: its functions include being informed of the annual Operating Plan of the Internal Audit function submitted to the Audit and Compliance Committee, being periodically informed of the results of the internal audit reports, and promoting the implementation of the recommendations for improvement proposed to mitigate the weaknesses observed.
Thus, the organizational structure provides the Bank with a global risk governance and management structure, proportional to the complexity of the Ibercaja Banco Group's business, with three lines of defense:
 
  • First line of defense: made up of the Group's business and support units, which are the risk takers. Under the general principle that the first person responsible for control must be the head of each business area, they must have effective risk management processes (identification, measurement or evaluation, monitoring, mitigation and communication of risks).
 
  • Second line of defense: organizationally located in the Control Area Management (CRO), which is responsible for carrying out the internal control functions in risk management, both financial and non-financial, acting independently from the business and support units. For the development of its functions it is configured through the Risk Control Department, which monitors and reports on risks, as well as reviewing the application of management policies and control procedures by the first line; the Regulatory Compliance Department, in charge of reviewing the adequacy of the policies, procedures and daily activity of the Entity with current legislation, regulations and applicable internal policies, expressly including the prevention of money laundering and the financing of terrorism, as well as the supervision of the rules of conduct and transparency; and the Customer Service Unit. 
The areas of supervision and control actions to be carried out by the risk control and regulatory compliance functions are set out in their respective Annual Operating Plans (AOP), which are periodically monitored by Senior Management and the governing bodies (Major Risks and Solvency Committee and Audit and Compliance Committee, respectively).
 
  • Third line of defense: located in the Internal Audit Department of Ibercaja Banco, which reports hierarchically and functionally to the Board of Directors, through the Audit and Compliance Committee.
The Internal Audit Department provides assurance to the Governing Bodies, Senior Management and other stakeholders by permanently, independently and objectively assessing the adequacy and effectiveness of the internal control, risk management (financial and non-financial) and corporate governance systems and processes; compliance with applicable legislation and the internal policies and regulations of the Ibercaja Group's activities; the reliability and integrity of financial and non-financial, accounting and management information; and the integrity and security of the Internal Model processes, the reliability of methods, techniques, assumptions and sources of information. 

In order to perform its functions, the Internal Audit Department has specialized Units. 

The audits to be carried out annually by each specialized Internal Audit Unit are included in the Annual Internal Audit Operating Plan, which is submitted to the Audit and Compliance Committee of the Board of Directors and is monitored periodically. 
 
The Bank's Board of Directors and Senior Management are aware of the importance of assuring investors of the reliability of the financial information published to the market. For this reason, the Board of Directors is responsible for the establishment and supervision of the information and risk control systems, as formally set forth in its Regulations, including this responsibility in the Internal Control over Financial Reporting System (ICFR).

Ibercaja has different control activities aimed at mitigating the risks of errors, omissions or fraud that may affect the reliability of the financial information and which have been identified in accordance with the aforementioned process.

Specifically, with respect to the areas and processes in which material risk has been detected, including risks of error and fraud, Ibercaja has developed homogeneous documentation for them, consisting of:
 
  • Policy for the identification of relevant processes-areas and risks, as well as a documented procedure for the management of risks identified through this policy.
 
  • The description of the activities related to the process from the beginning, indicating the particularities that a certain product or operation may contain. 
 
  • The matrix of risks and controls, which includes the relevant risks with a material impact on the Entity's financial statements and their association with the controls that mitigate them, as well as the set of evidence in which their application materializes. 
Among the controls, those considered key to the process can be identified; in any case, these ensure the proper recording, valuation, presentation and breakdown of transactions in the financial information.

The documents make it possible to quickly and clearly visualize in which part of the processes the key risks and controls have been located. The risk matrices help to detect the risks that affect each of the objectives of the financial information, the mitigating controls thereof, as well as their characteristics, the persons responsible for the control, the frequency and the associated evidence. 

Additionally, the Entity has an ICFR risk management tool that facilitates the control and monitoring of the system and covers the management of the map of processes, risks and defined controls, as well as the procedure for the upward certification of controls.

In general terms, the Financial Area is in charge of establishing the accounting policies applicable to new transactions in accordance with the criteria established in current regulations. Regarding critical judgments in relation to the application of accounting policies and relevant estimates, this Department establishes the criteria to be applied within the regulatory framework. The application of these criteria may be carried out directly by the Units (with supervision) or by Collegiate Bodies in which Senior Management is present (Committees).

The Internal Audit Function carries out scheduled reviews of the systems in place for the control of all risks, internal operating procedures and compliance with applicable internal and external regulations. Among the current functions assigned to the Internal Audit Department and included in the Entity's internal regulations is the permanent evaluation of the adequacy and proper functioning of the governance framework and of the internal control and risk management information systems inherent to the activities of the Entity or its Group, proposing, with a preventive approach, recommendations for improvement.

In order to achieve its objectives and carry out the functions assigned to it, the Internal Audit Department has a multi-year Strategic Plan, within the framework of the Entity's Strategic Plans, which sets out the strategic objectives to be achieved during the period, the functions, tools and projects to be developed and the timetable for their attainment. Within the action plans, the work of reviewing the ICFR is a fundamental pillar, establishing annual reviews of the Entity's critical procedures.