Internal control system and external auditor

The Bank’s internal control system is organised in the framework of the so-called three independent lines of defence, which comprise:

• 1^st line – the Bank’s operating units not belonging to the 2^nd and 3^rd line of defence,
• 2^nd line – Compliance Department and other units managing particular risks,
• 3^rd line – Internal Audit Department.

The internal control system covers all organisational units of the Bank and subsidiaries belonging to the capital group.

The main objectives of the internal control system are to ensure:

• effectiveness and efficiency of the Bank’s operations,
• credibility of financial information (including: completeness, correctness and comprehensiveness of administrative and accounting procedures and fair and true internal and external reporting),
• observance of risk management principles at the Bank,
• compliance of the Bank’s activity with laws, internal regulations and market standards.

Based on the developed selection criteria the Bank identified material processes, and then linked them to the general and specific objectives of the internal control system. For material processes the Bank selected controls (control mechanisms) functioning within such processes and selected out of them certain controls of key importance for achieving the objectives of the internal control system assigned to a given process. Key controls have been covered by the monitoring of their observance, such monitoring performed independently by organisational units belonging to the 1^st and the 2^nd line of defence in the internal control system.

The linking of the general objectives of internal control and specific objectives isolated as part of them with material processes functioning at the Bank and key controls and principles of independent monitoring of their observance is documented in the form of the Control Function Matrix. The Bank in the Matrix also specified the responsibility of particular organizational units for employing control mechanisms, as well as their independent monitoring.

The Bank has a formalized path of reporting about the results of monitoring controls, ascertained irregularities and status of implementing remedial and disciplining measures. From time to time this information is also transferred to the Internal Audit Department, the Bank’s Management Board and Audit Committee of the Supervisory Board.

The Bank’s Management Board is responsible for the implementation and functioning of an adequate, effective and efficient internal control system.

The Bank’s Supervisory Board exercises supervision and performs the annual evaluation of the implementation and ensuring that the internal control system is adequate, effective and efficient, as a whole and in its parts (including the control function, Compliance Department, Internal Audit Department).

The Internal Audit Department is within the internal control system a specialized unit of the 3rd line of defence which carries out an independent review of processes and internal control in the Bank and the capital group, verifying the implementation of tasks assigned to the 1st and 2nd line of defence.

The aim of the activities is providing the Bank’s management with an assessment of the effectiveness and adequacy of the risk management system and the internal control system, as well as adding value and streamlining processes in the Bank and the capital group. When implementing its mission Internal Audit takes into account the strategic objectives and tasks of the organization, as laid down by the Management Board and Supervisory Board of the Bank. The audit process is performed according to the Audit Charter and Internal Audit Methodology, fostering international standards of internal audit and good banking practices.

The Internal Audit Department is an independent unit, directly reporting to the Chairman of the Management Board of the Bank and the results of its activities are reported to the Management Board, Audit Committee of the Supervisory Board and the Supervisory Board of the Bank.

The activity of Internal Audit is a planned and continuous activity, resulting from the implementation of the mission and objectives, as well as the adopted Department Strategy and based on an annual audit plan. The basis of the planning process is the assessment of the risk of particular areas and processes of the Bank in order to identify increased risk and support the specification of priorities and resources for the implementation of tasks. The planning process takes into account consultations with senior management and owners of key processes. The annual audit plan is approved by the Bank’s Supervisory Board and implemented on a quarterly basis by experienced and highly qualified professionals.

Internal Audit performs independent and objective assurance and consulting activities. Assurance activity is carried out as part of process audits, independent review function, branch audits, preventive audits and investigations. Assurance activity includes assessment of the adequacy and effectiveness of the risk management system and internal control system in all areas of banking activity. Advisory services are aimed at supporting the organization in achieving its goals and are provided, as far as their nature does not put under threat the independence, effectiveness and objectivity of Internal Audit’s assurance activity, nor is related to the designing of control mechanisms and risk management system.

In 2019 Internal Audit Department performed audit tasks in the Bank, its subsidiaries, external entities to which the Bank, to the extent permitted by regulations, outsourced banking and bank-related operations, as well as within the BCP Capital Group. The planned activity of the Department covered among others audits of key business and support processes and also financial audits, branch audits and those of compliance with external regulatory requirements. The tasks performed by the Internal Audit Department also included investigations and prevention audits.

The results of the review of the functioning of the entire internal control system as well as its selected components, carried out by the Internal Audit Department in cooperation with the External Auditor of the BCP Group, are presented cyclically and are subject to evaluation by the Audit Committee of the Bank’s Supervisory Board and once a year to the Bank’s Supervisory Board.

Implemented solutions regarding the internal control system protect to a significant extent the Bank from financial reporting errors and provide the Bank’s Management with information which helps evaluate the correctness, efficiency and security of the functioning of the process of preparing financial reports, also in order to ensure the highest possible effectiveness in managing identified types of risks accompanying the process.

The internal control system, introduced by the Management Board of the Bank and incorporating the financial report preparation process, has been designed to facilitate the control of process risk while maintaining appropriate supervision over the correctness of gathering, processing and presentation of data necessary for the preparation of financial reports in keeping with effective laws.

An important element of the internal control system in the process of preparing financial reports is the cooperation of the Audit Committee of the Bank’s Supervisory Board with an audit firm providing financial audit services. The Bank prepared the policy of selecting an audit firm for carrying out an audit and policy for providing by an audit firm carrying out an audit, by entities connected with such audit firm and by a member of an audit firm network – permitted services not being an audit. The above-mentioned policies are captured in the document „Policy of Selecting and Cooperation with Audit Firms”, which was approved by the Audit Committee of the Supervisory Board on 26 October 2017. The policy specifies:

1. the principles of selecting the audit firm to conduct:
   1. statutory audit, i.e. audit of the annual consolidated financial report of the Bank’s capital group or audit of the Bank’s annual financial report whose duty to conduct results from art. 64 of the Accounting Act of 29 September 1994, (hereinafter „the Accounting Act”), provisions of other acts or provisions of European Union law,
   2. voluntary audit, i.e. audit of the annual financial report which is conducted pursuant to the Bank’s decision, and not on the basis of art. 64 of the Accounting Act, provisions of other acts or provisions of European Union law, conducted in accordance with national or other audit standards, as well as auditing the annual consolidated financial report of the Bank’s capital group conducted in accordance with standards other than national audit standards;
2. principles of providing permitted services not being a statutory or voluntary audit by:
   1. audit firm conducting a statutory audit or voluntary audit at the Bank or at Millennium BCP,
   2. entities connected with the audit company conducting a statutory or voluntary audit at the Bank or at Millennium BCP, and
   3. member of an audit firm network conducting a statutory or voluntary audit at the Bank or at Millennium BCP.
3. principles of the Bank’s cooperation with audit firms, entities connected with an audit firm or members of an audit firm network with respect to conducting statutory or voluntary audits and providing permitted services.

The external auditor is selected by the Supervisory Board on the basis of a recommendation issued by the Audit Committee of the Supervisory Board. In addition, in the interest of the quality of financial data presented in the remaining published quarterly reports, the Bank, together with the external auditor, has implemented cooperation procedures ensuring – on an on-going basis – the consultation of important issues connected with the recognition of economic events in the books and financial reports. At meetings of the Audit Committee of the Supervisory Board the external auditor presents key findings relative to financial reporting, consults with the Audit Committee of the Supervisory Board draft reports and proposes an approach to the audit of the annual financial report.

Bearing in mind the mandatory rotation of audit firms resulting from legal regulations and the five-year period of cooperation with PricewaterhouseCoopers Sp. z o.o. (i.e. the entity which up to then audited the Bank’s financial reports), coming to an end, in 2018 the Bank conducted the process of selecting a new audit firm. The process was conducted in accordance with the „Policy of Selecting and Cooperation with Audit Firms” adopted by the Audit Committee of the Supervisory Board on 26 October 2017. At the meeting of 25 October 2018, the Audit Committee of the Supervisory Board familiarised itself with the report of the task force (dedicated to conducting the bidding procedure) on the procedure of selecting the audit company for conducting statutory audits for Bank Millennium S.A. and the Bank’s capital group containing the conclusions from the selection procedure and indicating the audit firm recommended for conducting statutory audits. Based on the recommendation of the Audit Committee of the Supervisory Board, the Management Board of the Bank recommended to the Supervisory Board the selection of Deloitte Sp. Z o.o. Sp. k. as an entity authorized to audit financial reports of Bank Millennium S.A. and the Bank Millennium capital group for the years 2019 and 2020. This recommendation was formulated on the basis of the selection procedure organised by the Bank meeting the binding criteria. The Supervisory Board on 26 October 2018 approved the selection of Deloitte Sp. Z o.o. Sp. k. in accordance with the presented proposal.

The Bank is covered by the consolidated financial report of the Millennium BCP capital group. In this connection, the annual review of the Bank’s internal control system supporting the process of preparing and disclosure of financial information is also subject to the terms and requirements of consolidated supervision, which is performed by the Bank of Portugal and the European Central Bank. The external auditor of the Millennium BCP capital group participated in 2019 in the review of adequacy and effectiveness of the part of the Bank’s internal control system supporting the process of preparing and disclosure of financial information (financial reporting) and issued an appropriate opinion in this respect.

On 26 October 2018 the Supervisory Board of the Bank approved the selection of Deloitte Sp. z o.o. Sp. k. as an entity authorised to perform audits of financial reports of Bank Millennium S.A. and the Bank’s capital group for the years 2019 and 2020. The audit agreement was concluded on 23 April 2019.

Remuneration received by the auditor on account of services provided to the Capital Group of Bank Millennium S.A.

Services other than statutory audit:

• a review of the stand-alone and consolidated interim condensed financial reports of Bank Millennium S.A. drawn up as at June 30, 2019,
• review of the interim condensed financial reports of Millennium TFI SA investment funds prepared as at June 30, 2019,
• audit of the consolidation documentation and the reporting package of Bank Millennium S.A. capital group for the period of 12 months, ended on 31 December 2019, prepared in accordance with instructions and group rules of BCP capital group,
• procedures for verification of consolidation documentation and the reporting package of the Bank Millennium S.A. capital group for the period of 3 months, ended on 31 March 2019, prepared in accordance with group principles,
• procedures for verification of consolidation documentation and the reporting package of the Bank Millennium S.A. capital group for the period of 9 months, ended 30 September 2019, prepared in accordance with group principles,
• assurance service concerning requirements for safekeeping of customers’ assets for 2019 for Bank Millennium S.A. and Millennium Dom Maklerski S.A.,
• assurance service concerning evaluation of adequacy of the risk management system in 2019 in Millennium TFI S.A.
• assurance service in accordance with MSUA 3000, concerning verification of the internal control system of Bank Millennium S.A. and Millennium Leasing, in accordance with instructions of the group auditor for the period from 1 June 2018 to 31 May 2019,
• assurance service in accordance with MSUA 3000: Statement of the independent auditor issued on behalf of the entity authorized to audit financial statements on the conformity of methods and principles of valuation of the Fund’s assets described in the prospectus with the regulations on accounting of investment funds, as well as on the conformity and completeness of these principles with the investment policy adopted by the Fund,
• assurance service in accordance with MSUA 3000: independent verification of the non-financial data presented within CSR Report.