Effective risk management is supported by the Internal Control System (ICS) implemented in PZU, which is organized around three lines of defense:
- 1st line of defense – includes risk management by business process owners in the course of operations;
- 2nd line of defense – includes risk management by specialized units responsible for risk identification, measurement, monitoring and reporting, and for limit control;
- 3rd line of defense – includes internal audit which conducts independent audits of the individual elements of the risk management system, as well as of control procedures.
PZU’s internal control system is adapted to the Company’s scale of operations and organizational structure. It aims to provide:
- effectiveness and efficiency of the operating activity;
- reliability of reporting, especially financial reporting;
- compliance of the activity with the law, internal regulations and standards of conduct;
- compliance with risk management rules.
The system includes supervision, administrative and accounting procedures, organizational structures, reporting systems, IT solutions, a compliance function, and other controls to ensure the stability and security of operations. The following elements are distinguished within the ICS:
- control function – including controls in processes, independent monitoring of compliance and reporting;
- compliance function, carried out by the Compliance Office;
- internal control unit, i.e., the Internal Control Department, tasked with implementing and supervising system solutions for the ICS;
- internal audit, carried out by the Internal Audit Department, which independently and objectively evaluates the adequacy and effectiveness of the internal control and management system.
Supervision over the internal control system includes:
- supervision and periodic evaluation of the ICS by the Supervisory Board;
- activities of the Management Board, including the establishment of an adequate and effective internal control system;
- supervision by the PZU Group Directors and Managing Directors over the control function in the areas reporting to them;
- supervision by the head of the Internal Control Department over systemic solutions that strengthen the efficiency and effectiveness of the ICS;
- supervision by the supervisor of the internal audit function;
- supervision by PZU units in relation to their subordinate units or areas in the introduction and maintenance of effective and efficient controls.
Heads of PZU organizational units are responsible for organizing and implementing the control function in the area of PZU operations they supervise. In particular, they are responsible for designing, implementing and ensuring the effective functioning of control mechanisms in the processes they run, for ensuring an appropriate response to the risks that arise, and for organizing the monitoring of compliance with the implemented control mechanisms, in proportion to the level of risk associated with the Company’s operations and the processes subject to control.
The PZU Group’s internal control system has been developed at the level of PZU as the leading entity and is applicable to the Group companies, in consideration of their formal distinction, proportionality and adequacy. In banking groups, the system is designed at the level of these groups, in accordance with sector regulations.
As part of cooperation with the PZU Group entities, the Company periodically analyzes information on the ICS operation, internal audits as completed and system evaluations. The goal is to enhance unified standards of operation of internal control systems throughout the Group.
The elements of the internal control system are described in more detail in Chapter 7.4.1 “The risk management system and the internal control system”.
Compliance
The purpose of the compliance function is to ensure that PZU complies with laws, external regulations, industry standards and internal regulations. It is supervised by the Managing Director of Regulatory Affairs, reporting to the President of the PZU Management Board (or a delegated person). The appointment and dismissal of a person heading the compliance function requires the opinion of the Audit Committee of the PZU Supervisory Board.
Internal control
Internal control supports the Company’s management process. It is designed to independently assess the adequacy and effectiveness of controls, as well as the quality and regularity of process implementation. At PZU, institutional control is carried out by the Internal Control Department, an independent, separate organizational unit.
Internal audit
The purpose of internal audit is to support the PZU Group in improving its operations and delivering value through independent and objective evaluation of processes. The audit is carried out independently of operational functions and involves a systematic check whether the internal control system and other elements of the management system are adequate and effective.
PZU has implemented the Internal Auditor’s Code of Ethics, based on guidelines issued by the Institute of Internal Auditors (IIA). The purpose of the Code is to promote best practices and models of ethical behavior, and to encourage continuous professional improvement and the development of a proper image of internal auditors.
Audit tasks are carried out taking into account the Internal Audit Strategy for 2025–2027. The status of the strategy’s implementation is monitored by, among other things, performance indicators for the internal audit function.
The Internal Audit Department provides the Management Board and the Audit Committee with periodic management information regarding, in particular:
- the progress in implementing the audit plan;
- the results of internal audits;
- the results of monitoring the implementation of recommendations.
In order to ensure high quality and continuous improvement of the internal audit function, internal (on an annual basis) and external (not less than once every five years) assessments of the Company’s internal audit activities are conducted.
A third-party assessment of the internal audit function at PZU conducted in 2025 by KPMG and an analysis of coordination of the Group’s internal audit run by the Internal Audit Department demonstrated that the activities of the Internal Audit Department were “generally compliant” with the Global Internal Audit Standards issued by the Institute of Internal Auditors (IIA).