Ibercaja Banco has established mechanisms to control and monitor information at different levels and they are prepared and supported using three lines of defence.
- A first line of control at the Business, Management and Support Units.Under the general principle that the primary party responsible for control must be a person responsible for each business area, they must have effective risk management processes (identification, measurement or evaluation, surveillance, mitigation and communication of risks).
- A second centralised and independent control line. In order to supervise the exercising of the primary controls, and to exercise specialised financial operating and management controls, the Entity has systems that guarantee: effective and efficient operations, adequate risk control, prudent business conduct, the reliability of financial and non-financial information that is reported or disclosed (internally and externally), as well as compliance with laws, regulations, supervisory requirements and the Entity's internal policies and procedures. These systems cover the entire organisation, including the activities of all business, support and control units.
- An Internal Audit Unit. This “third line of defence” is responsible for performing an independent review of the first two “lines of defence”.
These lines include the participation of the governing bodies and Senior Management.
Ibercaja carries out various control activities intended to mitigate the risk of error, omission or fraud that could affect the reliability of the financial information, which were identified in accordance with the previously explained process.
Specifically, and with respect to processes where material risks have been detected, including error and fraud, Ibercaja has developed a uniform documentation, consisting of:
- A description of the activities related to the process from the start, indicating the particularities that may apply to a certain product or operation.
- The risk and control matrix, which contains the relevant risks with a material impact on the Entity's financial statements and their association with the mitigating controls, as well as all the evidence regarding their application. These controls include those that are considered to be key to the process and which, in any event, ensure the adequate recognition, measurement, presentation and disclosure of transactions in the financial information.
The documents allow for a quick and clear visualisation of those parts of the processes that include identified risks and key controls. Each of the risk matrices help to identify the risk that affects each of the objectives of the financial information, the controls mitigating that risk, as well as their characteristics, the persons responsible for the control mechanism, the frequency with which it must be applied and the associated evidence.
In general terms, the Management Control Unit is responsible for establishing the accounting policies that are applicable to new transactions in accordance with the criteria established in current legislation. As regards the critical judgments related to the application of accounting policies and relevant estimates, this Unit establishes the criteria to be applied within the legislative framework. The application of these criteria may be carried out directly by the Units (with supervision) or the Bodies in which Senior Management is present (Committees).