
The Company has developed an Internal Control System that aims to ensure full confidence in achieving the following goals:

  • supporting the efficiency and productivity of the Company’s activities and the safeguarding of its assets;
  • complying with the requirements of all applicable legislation and in-house policies and procedures, including when engaging in business operations and maintaining accounting records;
  • ensuring the reliability and timeliness of financial and other reporting.

The Company’s Internal Control System consists of a set of internal control processes that function based on the existing organizational structure, in-house policies and regulations as well as the internal control and risk management procedures and methods which the Company applies at all levels of management and within all functional areas.

The Audit Commission and the Internal Audit Department monitor the Company’s financial and economic activities.

The internal control and risk management system is integrated into the respective levels of management, taking into account the role of the appropriate stages in the process of developing, approving, applying, and evaluating the internal control and risk management system:

  • Strategic level – the Company’s Board of Directors and Audit Committee of the Board of Directors.

The strategic level approves the strategic framework for the establishment and operation of the internal control and risk management system and its goals at the Company and supports the integration of this system into all the Company’s organizational processes, including the drafting of policies, and the process of managing changes. The Company’s Board of Directors and the Audit Committee of the Board of Directors determine the perception of the internal control and risk management system by employees;

  • Operational level – the Company’s executive bodies.

This level ensures the effective organization of the operation and continuous monitoring of the effectiveness of the internal control and risk management system;

  • Control level – the Company’s Audit Commission and Internal Audit Department as well as the department heads and employees responsible for the operation of the internal control and risk management system.

This level ensures the implementation of control procedures and risk management measures and monitors their productivity. The Company’s Internal Audit Department conducts a systematic independent assessment of the adequacy, reliability, and effectiveness of the internal control and risk management system and corporate governance.

All the subjects of the internal control and risk management system are responsible within their own purview for compliance with risk management approaches and standards and also for the proper implementation of control procedures in their areas of activity.

Structure of the Company’s internal control bodies:

The internal control system is based on the principles of the COSO concept recommended by the Corporate Governance Code (recommended for use by Letter No. 06-243 of the Bank of Russia dated April 10, 2014 “On the Corporate Governance Code”).

In accordance with the COSO model, the Company has established a control environment, employs a risk assessment system, systematically introduces control procedures and evaluates the effectiveness of their implementation, and monitors changes in its organizational structure and business processes.

The Company’s information systems serve as the basis for communication between the agents involved in the internal control and risk management system and decision-making on matters concerning internal control and risk management. The relevant information is determined, recorded, and transmitted in such form and within a timeframe that enable employees to perform their functional duties while not violating the principle of separation of powers. This principle is part of the division of functions between the Company’s independent structural units in order to ensure operational efficiency and avoid any compromise in risk assessment by these units.

The internal control and risk management system is adapted to the Company’s current goals, factors in the external and internal environments, and standard business practice. The risk management process is carried out on an ongoing basis and is cyclical due to the continuous nature of decision-making concerning risk management.