Financial and ESG Report

Internal control system and external auditor

The Bank’s internal control system is organised in the framework of the so-called three independent lines of defence, which comprise: 

  • 1st line – the Bank’s operating units not belonging to the 2nd and 3rd line of defence, 
  • 2nd line – Compliance Department and other units managing particular risks, 
  • 3rd line – Internal Audit Department. 

The internal control system covers all organisational units of the Bank and subsidiaries belonging to the capital group. 

The main objectives of the internal control system are to ensure: 

  • effectiveness and efficiency of the Bank’s operations, 
  • credibility of financial information (including: completeness, correctness and comprehensiveness of administrative and accounting procedures and fair and true internal and external reporting), 
  • observance of risk management principles at the Bank, 
  • compliance of the Bank’s activity with laws, internal regulations and market standards. 

 Based on the developed selection criteria the Bank identified material processes, and then linked them to the general and specific objectives of the internal control system. For material processes the Bank selected controls (control mechanisms) functioning within such processes and selected out of them certain controls of key importance for achieving the objectives of the internal control system assigned to a given process. Key controls have been covered by the monitoring of their observance, such monitoring performed independently by organisational units belonging to the 1st and the 2nd line of defence in the internal control system.  

The linking of the general objectives of internal control and specific objectives isolated as part of them with material processes functioning at the Bank and key controls and principles of independent monitoring of their observance is documented in the form of the Control Function Matrix. The Bank in the Matrix also specified the responsibility of particular organizational units for employing control mechanisms, as well as their independent monitoring. 

The Bank has a formalized path of reporting about the results of monitoring controls, ascertained irregularities and status of implementing remedial and disciplining measures. From time to time this information is also transferred to the Internal Audit Department, the Bank’s Management Board and Audit Committee of the Supervisory Board. 

The Bank’s Management Board is responsible for the implementation and functioning of an adequate, effective and efficient internal control system. 

The Bank’s Supervisory Board exercises supervision and performs the annual evaluation of the implementation and ensuring that the internal control system is adequate and effective, as a whole and in its parts (including the control function, Compliance Department, Internal Audit Department). 

The Internal Audit Department is within the internal control system a specialized unit of the 3rd line of defence which carries out an independent review of processes and internal control in the Bank and the capital group, verifying the implementation of tasks assigned to the 1st and 2nd line of defence.  

The aim of the activities is providing the Bank’s management with an assessment of the effectiveness and adequacy of the risk management system and the internal control system, as well as adding value and streamlining processes in the Bank and the capital group. When implementing its mission Internal Audit takes into account the strategic objectives and tasks of the organization, as laid down by the Management Board and Supervisory Board of the Bank. The audit process is performed according to the Audit Charter and Internal Audit Methodology, fostering international standards of internal audit and good banking practices.  

The Internal Audit Department is an independent unit, directly reporting to the Chairman of the Management Board of the Bank and the results of its activities are reported to the Management Board, Audit Committee of the Supervisory Board and the Supervisory Board of the Bank.  

The activity of Internal Audit is a planned and continuous activity, resulting from the implementation of the mission and objectives, as well as the adopted Department Strategy and based on an annual audit plan. The basis of the planning process is the assessment of the risk of particular areas and processes of the Bank in order to identify increased risk and support the specification of priorities and resources for the implementation of tasks. The planning process takes into account consultations with senior management and owners of key processes. The annual audit plan is approved by the Bank’s Supervisory Board and implemented on a quarterly basis by experienced and highly qualified professionals. 

Internal Audit performs independent and objective assurance and consulting activities. Assurance activity is carried out as part of process audits, independent review function, branch audits, preventive audits and investigations. Assurance activity includes assessment of the adequacy and effectiveness of the risk management system and internal control system in all areas of banking activity. Advisory services are aimed at supporting the organization in achieving its goals and are provided, as far as their nature does not put under threat the independence, effectiveness and objectivity of Internal Audit’s assurance activity, nor is related to the designing of control mechanisms and risk management system.  

In 2021 Internal Audit Department performed audit tasks in the Bank, its subsidiaries, external entities to which the Bank, to the extent permitted by regulations, outsourced banking and bank-related operations, as well as within the BCP Capital Group. The planned activity of the Department covered among others audits of key business and support processes and also financial audits, branch audits and those of compliance with external regulatory requirements. The tasks performed by the Internal Audit Department also included investigations and prevention audits.  

The results of the review of the functioning of the entire internal control system as well as its selected components, carried out by the Internal Audit Department in cooperation with the External Auditor of the BCP Group, are presented cyclically and are subject to evaluation by the Audit Committee of the Bank’s Supervisory Board and once a year to the Bank’s Supervisory Board.

Implemented solutions regarding the internal control system protect to a significant extent the Bank from financial reporting errors and provide the Bank’s Management with information which helps evaluate the correctness, efficiency and security of the functioning of the process of preparing financial reports, also in order to ensure the highest possible effectiveness in managing identified types of risks accompanying the process.  

The internal control system, introduced by the Management Board of the Bank and incorporating the financial report preparation process, has been designed to facilitate the control of process risk while maintaining appropriate supervision over the correctness of gathering, processing and presentation of data necessary for the preparation of financial reports in keeping with effective laws.  

An important element of the internal control system in the process of preparing financial reports is the cooperation of the Audit Committee of the Bank’s Supervisory Board with an audit firm providing financial audit services. The Bank prepared the policy of selecting an audit firm for carrying out an audit and policy for providing by an audit firm carrying out an audit, by entities connected with such audit firm and by a member of an audit firm network – permitted services not being an audit. The above-mentioned policies are captured in the document „Policy of Selecting and Cooperation with Audit Firms”, which was approved by the Audit Committee of the Supervisory Board on 26 October 2017 and it was last updated on 28 February 2021. The policy specifies: 

  • The principles of selecting the audit firm to conduct statutory audit and voluntary audit, 
  • Principles of providing permitted services not being a statutory or voluntary audit by Audit Firm, entities connected with Audit Firm or member of an Audit Firm network, 
  • Procedure of accepting performance by Other Audit Firms of services other than the statutory audit and the voluntary audit, 
  • Principles of the Bank’s cooperation with audit firms, entities connected with an audit firm or members of the audit firm network with respect to conducting statutory or voluntary audits and providing permitted services. 

The external auditor is selected by the Supervisory Board on the basis of a recommendation issued by the Audit Committee of the Supervisory Board. In addition, in the interest of the quality of financial data presented in the remaining published quarterly reports, the Bank, together with the external auditor, has implemented cooperation procedures ensuring – on an on-going basis – the consultation of important issues connected with the recognition of economic events in the books and financial reports. At meetings of the Audit Committee of the Supervisory Board the external auditor presents key findings relative to financial reporting, consults with the Audit Committee of the Supervisory Board draft reports and proposes an approach to the audit of the annual financial report. 

The Bank is covered by the consolidated financial report of the Millennium BCP capital group. In this connection, the annual review of the Bank’s internal control system supporting the process of preparing and disclosure of financial information is also subject to the terms and requirements of consolidated supervision, which is performed by the Bank of Portugal and the European Central Bank. The external auditor of the Millennium BCP capital group participated in 2021 in two reviews of the adequacy and effectiveness of the part of the Bank’s internal control system supporting the process of preparing and disclosure of financial information (financial reporting) and issued an appropriate opinion in this respect. 

On 22 February 2021 the Supervisory Board of the Bank approved the selection of Deloitte Audyt Sp. z o.o. sp. k. as an entity authorised to perform audits of financial reports of Bank Millennium S.A. and the Bank’s capital group for the years 2021, 2022 and 2023. The audit agreement was concluded on 6 May 2021. 

Remuneration received by the auditor on account of services provided to the Capital Group of Bank Millennium S.A. 

Remuneration received by the auditor on account of services provided to the Capital Group of Bank Millennium S.A.

Auditor’s Remuneration 2021 2020
(in PLN’000) Bank Subsidiaries Bank Subsidiaries
Statutory audit within the meaning of art. 2 point 1 of the Act on Statutory Auditors  1 142 517 928 464
Other assurance services  170 268 850 208
Tax advisory services
Other services

Services other than statutory audit: 

  • a review of the stand-alone and consolidated interim condensed financial reports of Bank Millennium S.A. drawn up as at June 30, 2021, 
  • review of the interim condensed financial reports of Millennium TFI SA investment funds prepared as at June 30, 2021, 
  • audit of the consolidation documentation and the reporting package of Bank Millennium S.A. capital group for the period of 6 months, ended on 30 June 2021, and for the period of 12 months, ended on 31 December 2021, prepared in accordance with instructions and group rules of BCP capital group, 
  • procedures for verification of consolidation documentation and the reporting package of the Bank Millennium S.A. capital group for the period of 3 months, ended on 31 March 2021, prepared in accordance with group principles, 
  • procedures for verification of consolidation documentation and the reporting package of the Bank Millennium S.A. capital group for the period of 9 months, ended 30 September 2021, prepared in accordance with group principles, 
  • assurance service concerning requirements for safekeeping of customers’ assets for 2021 for Bank Millennium S.A. and Millennium Dom Maklerski S.A., 
  • assurance service concerning evaluation of adequacy of the risk management system in 2021 in Millennium TFI S.A., 
  • assurance service in accordance with MSUA 3000, concerning verification of the internal control system of Bank Millennium S.A. and Millennium Leasing, in accordance with instructions of the group auditor for the period from 1 June 2020 to 31 January 2021 and for the period from 1 February 2021 to 30 November 2021, 
  • assurance service in accordance with MSUA 3000, concerning verification of the remuneration report for 2021 in Bank Millennium S.A., 
  • assurance service in accordance with MSUA 3000: Statement of the independent auditor issued on behalf of the entity authorized to audit financial statements on the conformity of methods and principles of valuation of the Fund’s assets described in the prospectus with the regulations on accounting of investment funds, as well as on the conformity and completeness of these principles with the investment policy adopted by the Fund, 
  • assurance service in accordance with MSUA 3000: independent verification of the non-financial data presented within CSR Report, 

Deloitte Audyt Sp. z o.o. sp. k. also provided attestation service according to ISAE 3000 concerning verification of internal control systems of Bank Millennium S.A. and Millennium Leasing S.A. , in accordance with the instructions of the group auditor for the period from 1 June 2020 to 31 January 2021. The net remuneration amounting to PLN 119 thousand this service was presented in the financial statements for the 12-month period ended 31 December 2021, as the period to which the service relates ended on 31 January 2021. 

Search results