Corporate Governance in Financial Institutions

Corporate Governance in Financial Institutions 

Deloitte Slovenia for CEF SEE, 28. April 2021

Agenda 

Topic 

Duration 

Basic elements of Corporate Governance 

20 min 

Suitability of the management body and key function holders 


Communicating/cooperating with Internal Audit and External Audit 


Case Study: Report on independent review of the Supervisory Board 


Q&A 


2 © 2021 Deloitte Slovenija

Today’s speaker: Katarina Kadunc, Audit Partner at Deloitte Slovenia 

Katarina Kadunc 

Audit Partner, Deloitte revizija d.o.o. 

Ljubljana, Slovenia 

+386 31 335 452 

kkadunc@deloitte.com 

The challenge and opportunities at Deloitte are 

exciting. I work with a group of people 

dedicated to making our professional services 

delivery cutting edge. 

Introduction 

Relevant Experience 

Background and 

Interests/Professional 

Affiliations 

Katarina is a certified auditor and partner in the 

Slovenian Deloitte office in Ljubljana. She joined 

Deloitte in 2003. 

Katarina is in charge of audit teams for our clients 

from the financial sector. She is an active lecturer 

in accounting standards and corporate 

governance topics within Deloitte Academy. 

Katarina is in charge of conducting audits of 

financial statements at banks and also other 

industries. She leads audits of Groups and PIE 

companies. 

She is also leading internal audit engagements, 

internal audit quality assessments and 

engagement related to corporate governance. 

Katarina graduated from the Faculty of 

Economics in Ljubljana . She hold Slovenian 

title Certified Auditor and has obtained also 

Croatian statutory auditors licence. 

ACCA licence from 2009 and she holds title of 

Certified Internal Auditor of the Slovenian 

Institute of Auditors from 2014. 


4 © 2021 Deloitte Slovenija 

Basic elements of 

Corporate Governance

Aims of Corporate Governance 

Incorporate values and ethics 

into the corporate culture 

Perform/encourage communication 

and two-sided mechanisms between 

employees and management 

Update the approach and 

procedures of corporate 

governance and effectiveness 

of communication 

Update the structure of 

corporate governance 

Improvement of vertical and 

horizontal communication 

between the Board of 

Directors, Management, 

shareholder, employees and 

the public. 

Improvement and 

communication of the 

mission, vision and ethical 

values of the organization 

Ethics / Integrity 

Management Structure 

Human Resources 

Communication 

CORPORATE 

GOVERNANCE 

Internal Audit 

Explain roles and responsibilities of 

management 

Regular updates to the 

education/knowledge of the Board, 

Supervisory Board and the Audit 

Committee 

Consolidation of compensation 

systems and motivation of employees 

with the strategy and ethical values of 

the organization 

Consolidation of the performing of 

Internal Audit with the business goals 

and the goals of the risk management 

system 

Improvement of uncovering 

and evaluating risks 

Improve monitoring and management 

of compliance with the law 

Improvement of risk 

management 

Improvement to understanding of the 

legal requirements and laws 

Improvement of planning and 

approach to risk management, 

and their supervision. 

Improvement of risk 

management tracking 

Risk Management 

Internal Controls 

Legal compliance 

Consolidation of processes of tax 

planning and tax reporting with legal 

requirements 

Emphasize importance of internal controls 


Introduction/improvement of the system of 

internal controls

Communication and Tone at the Top! 

10 ways of evaluation, does “Tone at the Top!” work? 

1) Identification of the scope and nature of wrong-doing (“zero tolerance” vs. We allow minor mistakes and risk having bigger fraud): 

2) Level of anonymity of wrong doings (the higher the level – there is a presence of fear that previous reports were not handled 

accordingly); 

3) Following of media and communication online (reputation evaluation); 

4) Employee surveys (we evaluate responsiveness, compare the results with other companies); 

5) Evaluation of the way information is communication from management (tone of communication); 

6) Interview with members of the Audit Commission, compliance leader, risk management leader; 

7) Level of understanding of all companies in the group (existence of non-formal communication from the supervisors); 

8) Interview with former employees that left the company; 

9) Responsiveness level of employees when engaging on the topic; 

10) Customer or stakeholders' complaints. 


Process of Risk Management 

Strategy, rules, labels 

Consolidated workflows of 

The risk management processes 

Define 

expectations 

Recognizing risks 

and current management 

Recognize 

risks 

Rules of 

Evaluate 

success 

Track risks and 

controls 

Cycle of risk 

management 

Evaluate/ 

measuring of 

risk 

Evaluate 

control 

measurement 


Tools, systems 

Decrease/ 

control 

risk 

Risk Management 

department 


Potential Risk areas 

Shareholder 

Ethics 

Competitor 

Procurement 

Business partner 

Strategic planning 

Market dynamics 

Support processes 

Client 

Resource allocation 

State 

Manufacturing & logistics 

Laws & regulations 

Government 

Process management 

Economy 

Marketing and sales 

Other assets 

Employee development 

Contracts 

Supplier 

Reputation 

Business 

R&D, services 

PPE 

Employee potentials 

Other obligations 

Corporate 

Partners Market structure 

Process 

Material Assets 

Employees and work culture Legal department 

Governance 

Strategy 

Potential risks areas 

Processes 

Finance 

Knowledge 

Market 

Liquidity and loans 

Accounting 

Capital allocation 

Systems 

Data management 

Intellectual property 

Raw material prices 

Back payment 

Tax department 

Capital 

Hardware 

Planning and development 

Intangible assists 

Interest rate 

Cash flows 


Liabilities 

Software 

Work processes 

Knowledge management 

Exchange rate 

Risk preventions 

Financing 

Standards and compliance 

Web/Bases 

Organization and 

monitoring 

Information 


Overall Risk Management system 

Companies that have a well-defined Risk Management system benefit from a balanced 

perspective of managing risks based on the basic principles. 

Common definition of risks 

Common framework for managing risks 

Risk managing 

Duties and responsibilities 

Transparency of management/board 

Common system for managing risks 

Responsibilities of executive management 

Objective valuation and monitoring of risks 

Frameworks and systems 

for managing risks 

Common system for 

managing risks 

Employees Processes Technology 

Responsibilities of business units 

Support from supporting functions 

Risk „ownership“ 


Relationship between risks and internal controls 

RISKS 

Possibility of a damaging event that can negatively impact the capabilities of an organization in achieving its goals 

RISK MANAGEMENT 

The process with which we try to reestablish trust in the capabilities of an organization to 

foresee, rank by priority, and successfully overcome the barriers in achieving its goals. 

INTERNAL CONTROLS 

Processes that have the aim to help realize the organization‘s goals – which can 

be managed/affected by the board, management and employees. 


Ethics 

The basic system of values that the organization wants to enact through Code of Ethics of an organization 

represents its employees: 

• By expressing goals and accompanying values; 

• By establishing unique ethical guidelines for employees. 

Content of the Code of Ethics 

• Establishes the need to follow laws, legal requirements and internal statutes of the organization; 

• Encourages basic ethical behavior while performing business: professionalism, fairness, transparency and 

independence; 

• Prevents situations conflicts of interests (i.e. accepting gifts from supplies or clients, misuse of internal information 

for personal gain, financial interests at external organizations that conduct business with the organization; 

• Concrete examples of ethical and unethical behavior; 

• Concrete examples of sanctions for not following the Code of Ethics. 


Ethics 

The effectiveness of the Code of Ethics can increase through: 

• Executive management thoroughly following the Code of Ethics; 

• A written statement of each employee on agreeing to perform in accordance with the prescribed Code of Ethics; 

• A creation of an educational program providing employees to pose questions they might have in regard to the Code 

of Ethics; 

• Continuous informing of employees about ethical questions or situations; 

• Expanded responsibilities of the person in charge of ethics or the Ethics Board – that serves as an advising body to 

the organization; 

• Establishing a well functioning system that enables employees to report on unethical behavior without fear or 

consequences (whistleblowing); 

• … 



Suitability of the 

management body and 

key function holders

Guidelines on suitability of the management body and key function holders 

ESMA and EBA issued final guidelines (GL-2017-12) on the assessment of the suitability of 

members of the management body to help financial institutions determine 

Summary 

These Guidelines aim to harmonise and improve 

suitability assessments within EU financial sectors, and 

to ensure sound governance arrangements in financial 

institutions in line with the Capital Requirements 

Directive (CRD IV) and the Markets in Financial 

Instruments Directive (MiFID II). The Guidelines offer 

clarifications of a number of concepts and will 

undoubtedly provide credit institutions and investment 

firms with important practical guidance for assessing 

the suitability of the individual members, as well as the 

overall composition of their management bodies. 

Monitoring and Re-assessment 

Institutions are obliged to monitor the individual and 

collective suitability of the management body. 

Significant Institutions should perform a periodic suitability 

reassessment at least annually or if triggered by a specific 

event. 

Non-significant credit institutions should perform a periodic 

suitability reassessment at least every two years or in case 

triggered by a specific event such as: 

• a new appointment, a change of role or a renewal; 

• new facts or any other issue; 

• a licensing or qualifying holding procedure. 

2020 Update 

In 2020 EBA and ESMA launched a public consultation on 

its revised joint Guidelines on the assessment of the 

suitability of members of the MB and KFH. This review 

reflects the amendments introduced by the fifth Capital 

Requirements Directive (CRD V) and the Investment Firms 

Directive (IFD) in relation to the assessment of the 

suitability of members of the management body 

Practical Guidance 

The guidelines also include Annexes with: 

• a template matrix to assess the collective suitability of 

the members of the management body 

• a list of skills and a list of documents that must be 

available at the time of the first appointment. 



Addressees and scope of application 

Management body 

• Management function (executive). 

• Supervisory function (non-executive). 

• Partially or fully delegated executive functions the to a 

person or an internal executive body should be 

understood as constituting the management function. 

Key function holders 

(CRD-institutions* only) 

• Persons who have significant influence over the 

direction of the institution, but who are neither 

members of the management body and are not the 

CEO. 

• The heads of internal control functions and the Chief 

Financial Officer, when they are not members of the 

management body, should be always considered as key 

function holders, and therefore, subject to the 

institutions' assessment. 

* CRD-institutions: legally defined as “an undertaking whose business is to receive deposits or 

other repayable funds from the public and to grant credits for its own account”, 

https://www.eba.europa.eu/risk-analysis-and-data/credit-institutions-register 



Key Assessment Criteria: sufficient time commitment 

Quantitative assessment of time commitment 

• CRD IV sets a limit on the number of “directorships” which may be held by a 

member of the management body in an institution that is “significant” (Article 

91(3) of the CRD IV). 

• The number of directorships which may be held by a member of the 

management body of an SI under the CRD IV is limited to: 

a) one executive directorship with 

two non-executive directorships; 

b) or four non-executive directorships. 

However, there are two exceptions to this rule: 

1. Directorships in organisations which do not pursue predominantly commercial 

objectives do not count. 

2. Certain multiple directorships count as a single directorship (“privileged 

counting”): 

a) directorships held within the same group; 

b) directorships held within institutions which are members of the same 

institutional protection scheme; 

c) directorships held within entities in which the institution holds a 

qualifying holding (Articles 91(4) and (5) of the CRD IV). 

The members of the 

management body should 

have sufficient time to 

cover all the necessary 

subjects in depth. 



Key Assessment Criteria: knowledge, skills and experience 

The management body, 

individually and collectively, 

should possess adequate 

knowledge, skills, and 

experience to understand the 

institution's activities. 

Stage 1 – Assessment against thresholds 

Presumption of adequate experience for its management function: 

a) Executive CEO: 

Ten years of practical experience in banking or financial services 

within the last twelve years of which a significant proportion should 

include senior level managerial positions; 

b) Executive director: 

Five years of recent practical experience in banking or financial 

services in senior level managerial positions. 

Presumption of adequate experience for its supervisory function: 

a) Non-executive chair: 

Ten years of recent relevant practical experience of which a significant 

proportion should include senior level managerial positions and 

significant theoretical experience in banking or a similar relevant field; 

b) Non-executive director: 

Three years of recent relevant practical experience at high level 

managerial positions (including theoretical experience in banking). 

Practical experience gained in the public or academic sector could also 

be relevant depending on the position held. 

Stage 2 – Complementary assessment 

If the thresholds at which sufficient experience is presumed are not met conduct a 

complementary assessment of the appointee’s experience. 

• Examples of other relevant factors to include: sufficient diversity, broad range of 

experiences and, where relevant, national requirements to have staff 

representatives in the management body 



Key Assessment Criteria: reputation, conflicts of interest and independence of mind 

Reputation 

• Members of the management body shall at all times be of sufficiently good; 

• Since a person can either have a good or a bad reputation, the principle of 

proportionality cannot apply to the reputation requirement 

Legal proceedings 

• Competent authorities must always be informed of legal proceedings 

(pending or concluded) 

• Based on all the relevant information available, the supervisor will assess the 

materiality of the facts and their impact on the reputation of the appointee 

Conflicts of interest and independence of mind 

• Members of management bodies should be able to make their own sound, 

objective and independent decisions and judgments (i.e. act with 

independence of mind) 

• Notify of all actual, potential or perceived conflicts of interest and assess 

the materiality of the risk posed by the conflict of interest. 

• If a conflict of interest is considered to be material: 

• perform a detailed assessment of the particular situation; 

• decide which preventive/mitigating measures will be implemented; 

• prepare a “Conflict of interest statement”. 

2020 Update - Independence of mind 

Being a member of affiliated companies 

does not in itself represent an obstacle for 

a member of the MB to act with 

independence of mind. 

Potential material conflicts of interest 

Current 

Personal 

Close personal relationship with a 

member of a management body, is a 

party in legal proceedings, conducts 

significant business 

Financial 

Has a substantial financial interest in 

or financial obligation to the 

supervised entity 

Possible preventive/mitigating measures include: 

• prohibition to participate in any meeting or decision-making concerning a 

particular disclosed interest; 

• resignation of a certain position; 

• specific monitoring by the supervised entity; 

• specific reporting to the competent authority on a particular situation; 

• cooling-off period for the appointee; 

• obligation on the supervised entity to publish the conflict of interest; 

• any application of the “at arm’s length” principle; 

Current or over the past two years 

Political 

Holds a position of high political 

influence 

Professional 

Holds management or senior staff 

position or significant commercial 

relationship 

• specific approvals by the whole management body for a certain situation to 

continue. 



Key Assessment Criteria: collective suitability, human and financial resources for training of members of the management 

body and other 2020 updates 

Collective suitability 

• Identifying gaps in the collective suitability through the self-assessment of its 

management body, for example based on a suitability matrix. 

2020 Update - ESG factors 

Inclusion of the ESG factors within the responsibilities 

of the management body 

Human and financial resources for training of members of the management 

body 

• Adequate human and financial resources for induction and training of members 

of the management body to understand an institution's business model, 

structure and risk profile, and keep qualifications up-to-date; 

2020 Update - Collective suitability 

Institutions should respect the principle of equal 

opportunities for any gender and take measures to 

improve a more gender-balanced composition of staff 

in management positions. 

2020 Update - Recovery and Resolution 

The draft joint Guidelines takes into account the 

recovery and resolution framework introduced by the 

Bank Recovery and Resolution Directive (BRRD) and 

provide further guidance in this regard. As part of 

early intervention measures and during resolution, 

the suitability of newly appointed members of the 

management body and of the management body 

collectively is relevant and requires an assessment. 

2020 Update - AML and CTF 

The Guidelines address the fit and proper assessment 

of members of the management body as they 

contribute to identifying, managing and mitigating 

money laundering and financing of terrorism risks. 



Standard procedure for new appointments 

Standard process flow 

• Notification of the national competent authority (NCA) by the supervised entity 

of the (proposed) appointment of a new member of the management body. To 

do this, the supervised entity uses the forms and templates provided by the 

NCA. 

• The NCA notifies the ECB and informs it of the time limit, if any, within which a 

decision has to be taken in accordance with the national law. 

• The NCA and the ECB collect all the necessary documentation and carry out a 

joint assessment, while ensuring: 

• that the assessment is carried out in accordance with the substantive 

criteria provided in national law; 

• compliance with the requirements under Union law; and 

• consistency with the outcomes of other fit and proper assessments. 

• The ECB prepares a decision, with the assistance of the NCA. 

Types of decisions: 

• Negative decision 

• Positive decision 

• Positive decision with recommendation 

Where all the fit and proper requirements have been met, but an issue has been 

identified and needs to be addressed, the ECB may include recommendations or 

set out expectations. 

• Positive decision with obligation 

The ECB decision can also include an obligation to provide specific types of 

information for the purposes of the ongoing fit and proper assessment or to take 

a specific action relating to fitness and propriety. 

• Positive decision with condition 

The ECB may also impose conditions. A condition is a requirement imposed on 

the supervised entity (while it may also have direct implications on the 

appointee) in place of what would otherwise be a negative decision. 

A proportionate approach is applied to most of the smaller entities falling under the 

direct supervision of the ECB. However, the assessment of whether all the fit and 

proper criteria are fulfilled remains the same. 

Where a conditional decision is issued, the supervised entity must report to the 

ECB, in a timely manner, on the fulfilment of the condition. 

Unlike non-compliance with an obligation or recommendation, non-compliance 

with a condition will automatically affect the fitness and propriety of the 

appointee, as failure to comply with a condition means that the appointee 

does not satisfy the applicable fit and proper assessment criteria 



Communicating/cooperating 

with Internal Audit


An important part of corporate governance 

Corporate Governance 

is the structure of rules, practices, and processes used to direct and manage a company. A 

company's board of directors is the primary force influencing corporate governance. Bad 

corporate governance can cast doubt on a company's operations and its ultimate profitability. 

Internal Audit is a 

key tool for Supervisory 

Boards in tracking the 

daily operations and 

success of businesses. 

The Institute of internal Auditors further classifies corporate governance 

into 4 main pillars: 

1. Executive board / management; 

2. Internal audit; 

3. External audit; 

4. Supervisory Board / Auditing Committee. 

Integration and cooperation between these 4 pillars are crucial for a successful corporate 

governance. 


Standards of Internal Audit 

International standards of professional practice 

of Internal auditing 

Standard 1110 – Organizational Independence. 

Responsible body (= Supervisory board or Audit Committee): 

• Approving the internal audit charter; 

• Approving the risk-based internal audit plan; 

• Approving the internal audit budget and resource plan; 

• Receiving communications from the Chief Audit Executive on the internal audit activity’s 

performance relative to its plan and other matters; 

Standard 1111: 

Direct Interaction 

with the Board 

The Chief Audit 

Executive must 

communicate and 

interact directly with 

the board. 

• Approving decisions regarding the appointment and removal of the Chief Audit Executive; 

• Approving the remuneration of the Chief Audit Executive; 

• Making appropriate inquiries of management and the Chief Audit Executive to determine 

whether there are inappropriate scope or resource limitations. 


Independence of Internal Audit 

Predisposition for a quality Internal Audit 

Theory: 

• Functional reporting to Supervisory Board / Audit Committee; 

• Administrative reporting to the Board of Directors. 

Board of 

Directors/ 

Supervisory 

Board 

Audit 

Committee 

CEO/Direc 

tor 

Internal 

Audit 


Added value of Internal Audit 

• In the past the Internal Audit function used to be a routine and repetitive task - with 

smaller emphasize on quality controls and a strong focus on compliance with legal 

requirements and procedures; 

• Today, Internal Audit is considered crucial in advising the Board of Directors and the 

Supervisory Board – it is a dynamic tool, focused on understanding and 

identifying/uncovering various risks and opportunities for improvements; 

• Areas of Internal Audit analysis and outcomes include strategic guidance and decision 

making, risk management, optimization, etc.; 

• Practical experience with doing business. 


Internal Audit and Audit Committee 

Direct, open, honest and clear communication 

In accordance with best world practice from Internal Audit departments, the following methods for establishing and managing good relationships 

between the Internal Audit and Audit Committee are important: 

• The existence of a direct, open, honest and clear communication to avoid unexpected situations; 

• Internal Audit needs to inform the Audit Committee on new laws, trends and other important information that is needed to execute the 

activities of both sides; 

• The review of periodical reports, informing the Audit Committee with potential recommendations and their implementation; 

• Internal Audit must focus also on executing prevention measures, instead of only focusing on identifying existing issues; 

• The program of corporate governance needs to include mechanisms for improvement of business processes, introduction of ethical standards, 

education, reporting standards and systems, and confirmation of compliance with current legal and internal acts/processes; 

• Presentation of findings of Internal Audit must be in majority focused on reviewing the supervisory questions from which the findings and their 

content derives from – instead of only on the discovered issues; 

• Besides regular meetings of the Audit Committee, the Chief Audit Executive must also be in frequent contact with the members of the Audit 

Committee on wider topics and matters that are important for the company/organisation; 

• The Audit Committee create recommendations for the extraordinary investigations or special audits (when deemed needed). 


The quality of Internal Audit 

Human Resource requirements for Internal 

Auditors are important 

Competences of the Internal Auditors are crucial for formulating and maintaining the 

quality of Internal Audit. 

Every Internal Auditor must: 

• Understand and have knowledge of the functioning and business of the company; 

• Understand and have knowledge of the standards of Internal Audit; 

• Have the capabilities to perform and constantly improve financial and operational 

processes; 

• Be able to foster effective communication and educate other employees; 

• Have a professional certificate. 

How can Internal Audit‘s performance be evaluated? 

How can you compensate a very high performing Internal Auditor? 


Usefulness of Internal Audit 

How to achieve a more important advisory 

role of Internal Audit? 

• Presence on board meetings 

• Chief Audit Officer needs to voluntarily decide which meetings in the company he or she 

will attend; 

• Besides Internal Audit experience, useful history of other experience from practice is 

beneficial; 

• Specialization of the team – not to small, not to strong, obligatory rotation of roles and 

work in teams; 

• Understandings of the management‘s expectations, the Audit Committee and auditees; 

• Short and insightful reporting. Emphasizing the importance of measures that prevent risks. 


Annual planning of Internal Audit 

Risk-based approach 

• The annual plan of Internal Audit is derived from the risk assessment 

• Based on the identification of risks – all potential segments of the company are identified 

that should be part of the Internal Audit or so called t.i.„Audit Universe“. In this scope 

the processes with high risks are further laid out; 

• The annual plan needs to be checked by the managing board and be approved by the 

Audit Committee; 

• The annual plan needs to be periodically analyzed in order to determine its relevance or 

requires updated (current trend – quarter review and correction) 


Recommended additional readings/literature 

Deloitte: Audit Committee Resource Guide 

https://www2.deloitte.com/content/dam/Deloitte/us/Documents/center-for-corporate-governance/us-aers-audit-committeeresource-guide-2018-041818.pdf 



Communicating/cooperating 

with External Audit

Responsibilities of the Audit Committee 

Helping you fulfil your responsibilities 

Why do we interact with 

the Audit Committee? 

To communicate 

audit scope 

To provide timely 

and relevant 

observations 

To provide 

additional 

information to help 

you fulfil your 

broader 

responsibilities 

We use this symbol to 

highlight areas of our 

audit where the Audit 

Committee needs to 

focus attention. 

As a result of regulatory change in recent years, the role of the Audit Committee has significantly expanded. We set out here 

a summary of the core areas of Audit Committee responsibility to provide a reference in respect of these broader responsibilities 

and highlight throughout the document where there is key information which helps the Audit Committee in fulfilling its remit. 

• At the start of each annual audit cycle, ensure 

that the scope of the external audit is appropriate. 

• Make recommendations as to the auditor 

appointment and implement a policy 

on the engagement of the external auditor to 

supply non-audit services. 

• Review the internal control and risk 

management systems (unless expressly 

addressed by separate board risk committee). 

• Explain what actions have been or are being 

taken to remedy any significant failings or 

weaknesses. 

Ensure that appropriate arrangements are in place 

for the proportionate and independent 

investigation of any concerns raised by staff in 

connection 

with improprieties. 

Oversight of 

external audit 

Integrity of 

reporting 

Internal controls 

and risks 

Oversight of 

internal audit 

Whistle-blowing 

and fraud 

• Impact assessment of key judgements and 

level of management challenge. 

• Review of external audit findings, key 

judgements, level of misstatements. 

• Assess the quality of the internal team, their 

incentives and the need for supplementary 

skillsets. 

• Assess the completeness of disclosures, 

including consistency with disclosures 

on business model and strategy and, where 

requested by the Board, provide advice 

in respect of the fair, balanced and 

understandable statement. 

• Consider annually whether there is a need for 

an internal audit function and make 

a recommendation accordingly to the Board. 

• Monitor and review the effectiveness 

of the internal audit activities. 


Auditor and the Audit Committee 

Basics of cooperation 

Cooperation and partnership relationship 

Frequency of meetings: 

• At least 3-4 times annually: 

o 

o 

o 

o 

Contract; 

Presentation of the Audit Plan; 

Reporting after interim audit; 

Reporting after completed audit. 

Optional communication between the Audit Committee and Auditors – without the 

presence of the management board 



Examples of topics that can be discussed 

Risk management 

•Regulation and legal requirements; 

•Market and competitive trends; 

•Financing and liquidity; 

•Exposure to financial risks; 

•Business continuity. 

Exchange of 

information between 

the Auditor and the 

Audit Committee is 

essential for both 

sides to perform 

their tasks. 

Auditing Team 

• Structure; 

• Experience of each member; 

• Experts, their experience and independence; 

• Review of the quality of the audit project, 

Independence 

•Is the auditor independent; review of other projects; 

•Potential discovered risks tied to independence; 

•Protection measures in the case of independence issues; 

•Rotation of the Auditing firm or/and the Audit Partner. 







valuation 

• Relevance of the process of accounting 

reporting; 

• Detected mistakes and their potential impact 

on accounting statements and disclosures; 

• Relevance of accounting approach. 

• Relevance of used methodology; 

• Bias/objectivity of the management; 

• Sensitivity towards the main assumptions; 

• Audit approach. 

IRS 260 – the 

auditor is required to 

report on key 

findings during the 

audit, including the 

implemented 

accounting 

procedures. 

Issues discovered 

during the audit 

• Review and understanding of corrected and 

non-corrected issues; 

• Reasons and potential impact on internal 

controls. 




Related 

parties 

Internal 

controls 

Fraud 

• Ensure complete and accurate related party 

transactions. 

• Discovered defects in internal controls during 

the audit; 

• Management of the control information 

system; 

• Cooperation with internal audit. 

• Estimating the risk of fraud; 

• Suspected fraud or actual discovered fraud; 

• Established mechanisms for uncovering and 

discovering fraud; 

• Management avoidance of established controls 

for fraud. 

IRS 240 – auditor 

received insights into 

how the responsible 

personnel manages 

the procedures for 

evaulating and 

responding to risks 

of frauc in the 

organisation and 

above the inside 

controls that the 

management 

established in order 

to minimize risk of 

fraud. 


Fraud 

Two-way communication that takes place throughout the whole audit process 

Mutual reporting obligation of discovered and/or suspected fraud: 

• Frequent discussion of fraud risk and on the most risk exposed areas: 

− Impact of risk of fraud on the audit procedure; 

− Impact of suspected fraud and discovered fraud on audit procedure; 

− Potential impact on financial statements and audit report; 

− Fraud triangle – presence of factors (motivational factors, pressure, opportunity,…); 

− In the case of management fraud – impact on integrity and risk associated with the ongoing/approved business- 

Auditor 

Two-way 

Communication 

Supervisory Board 

Board of Directors/ 

Management 


EU Regulation 537/2014 

Regulation (EU) No 537/2014 of the European Parliament and of 

the Council of 16 April 2014 on specific requirements regarding 

statutory audit of public-interest entities and repealing Committee 

Decision 2005/909/EC Text with EEA relevance 

Areas relevant for auditors and Audit Committees: 

• Audit fees (costs); 

• Non-audit services; 

• Evaluation of the quality of conducted audit; 

• Audit report; 

• Additional report for the Audit Committee; 

• Appointment of auditors; 

• Duration of the audit project; 

• Supervision of auditors and audit firms. 


Additional reporting in relation to Article 11 of the Regulation 

Contents of the separate report: 

Independence statement. 

Statement of all key audit partners that participated in the audit project. 

Type, frequency and scope of contact with the Audit Committee, management 

and/or supervisory board; including the dates of meetings with these parties. 

Description of the scope and duration of the audit. 

Description of used methodology (sample testing/controls), changes to audit approach 

compared to previous year‘s audit. 




Materiality level (qualitative and quantitative factors). 

Circumstances in connection to risks of the audited company (disclosed warranties, 

comfort letters, supporting measures, on which the evaluation is based). 

Key defeciencies in the system reponsobile for financial control and accounting 

reporting. 

Actual/assumed non-compliance with statutes or laws – and if these are relevant 

for the Audit Committee. 

Evaluation of the accounting methods used in different accounts, including the potential 

impacts on changed approach. 




Scope of consolidation and criteria for exclusion from consolidation. 

Auditing projects, which were conducted by auditors not part of the obligatory 

mandated audit project and are not part of the same audit firm. 

Did the audit client hand over all relevant documents and requested explanations. 

… and all other 

matters that are 

relevant for 

supervision of 

the financial 


process… 

Issues present during the audit project. 

All important matters that are derived from the obligatory mandated audit, and were 

discussed or communicated with the management of the audit client. 



Case study: 

Report on independent review 

of the Supervisory Board

Independent external review was conducted with the following steps: 

1. Review of legal 

requirements, 

guidelines, code of 

conducts and good 

practice examples 

2. Preparation of 

a questionnaire 

for selfevaluation; 

analysis of 

answers from 

the Supervisory 

Board and other 

bodies 

3. Interviews 

with members of 

the Supervisory 

Board and 

selected other 

members of 

Higher 

Management 

4. Review of 

documentation 

5. Reporting on 

findings in relation 

to the evaluation of 

the work of the 


of the bank and its 

committees, and 

analysis of the 

knowledge and 

competences of 

Supervisory Board‘s 

members 


Evaluation of the work of the Supervisory Board 

Based on the analysis of the questionnaires. 

Structure 

Process 

Cooperation with 

other parties 

Activity 

Structure 

Culture & compliance 

Board 

Committees 

Appointment 

Meetings 

Supervision of 

planning and strategy 

Important transactions 

Independence 

Providing information 

Understanding of 

business and risks 

Performance 

Responsibilities 

Evaluation of the 


Very strong Strong Medium strong Weak Very weak N/A 

*areas were evaluated for the Supervisory Board as a whole based on the self-evaluation questionnaires, conducted interviews and reviewed documentation. 


Evaluation of the work of the Audit Committee 


Structure 

Process 


other parties 

Activity 

Structure 

Culture 

Relationship with 

the Board 

Understanding of 

business and risks 

Independence 


Supervision over 

financial reporting 


Supervision over the 

auditing procedure 


Ethics and 

compliance 

Self-evaluation 


*areas were evaluated based on the self-evaluation questionnaires, conducted interviews and reviewed documentation. 


Evaluation of the work of the Nomination and Remuneration Committee 



Structure Process Activity 

other parties 

Structure 

Culture 

Relationship with 

the Board 

Supervision over the 

appointment procedure 

Independence 


Evaluation of the Board 

and the Supervisory Board 


Self-evaluation 



*areas were evaluated based on the self-evaluation questionnaires, conducted interviews and reviewed documentation. 


Analysis of the experience and knowledge of the Supervisory Board (1/2) 

Work experience Board Member Member 1 Member 2 Member 3 Member 4 Member 5 Member 6* Member7* All 

Leadership experience/period YES/ 2006- YES/ 2002- YES YES/ 

1996- 

YES/ 1995- YES/1995 YES/2016 7 

Leadership experience from commercial banking/period 

YES/2004- 

2016 

YES/2007 NO NO NO YES/ 

1995/2007 

NO 3 

Work experience from commercial banking/period 

YES/2004- 

2016 

YES/2007 NO NO NO YES/1989- 

2016 

YES/2008 4 

Work experience from area of banking supervision/period NO NO NO YES/ 1996- 

2005 

YES/ 

1992-1995 

NO NO 2 

Work experience from area of law, legal/period NO NO NO NO NO NO YES/ 

2008- 

1 

Work experience from area of finance, accounting or 

tax/period 

YES/ 2004- 

2016 

YES/ 2011- 

2015 

YES/ 

1995- 

YES/ 1996 

YES/ 

1992- 

YES/1995 

YES/ 

2008- 

7 

Work experience from risk management in banks or other 

financial institutions/period 

YES/ 2004- 

2016 

NO NO NO NO YES/ 2007- 

2014 

NO 2 

Work experience from area of IT/period NO NO NO NO NO NO YES/ 2016 1 

Previous work experience from Supervisory Boards in 

commercial banks/period 

NO NO YES/ 2011- 

2015 

NO NO NO NO 1 

Previous work experience from Supervisory Boards in non 

financial institutions, organizations/period 

NO YES/ 2011- 

2013 

YES/ 

1996- 

YES/ 

2008- 

NO NO NO 3 

*Members are currently in the outgoing period from the board 


Analysis of the experience and knowledge of the Supervisory Board (2/2) 

Education/qualificaions Board Member Member 1 Member 2 Member 3 Member 4 Member 5 Member 6* Member7* All 

EDUATION 

Management X X X X 4 

Economics (banking, finance, accounting, audit) X X X X X X X 7 

Law X 1 

IT 0 

QUALIFICATIONS** 

IT X X X X X X X 7 

Corporate Governance X X X X X X 6 

Management X 1 

Strategy X X 2 

Law X 1 

Accounting X X X X X 5 

Compliance of business 0 

Internal Audit X X X X X 5 

External Audit X X X X X 5 

Risk Management X X X X X X X 7 

Banking Regulations X X X X X X X 7 

*Members are currently in the outgoing period from the board 

**Based on completed courses/workshops with members of the Supervisory Board in years 2016, 2017 and 2018 (until 25th Maz 2018) 


Katarina Kadunc 

Audit Partner 

Deloitte Revizija d.o.o. 

kkadunc@deloitte.com 

+386 (0)31 335 452 

Luka Hrobat 

Manager 

Deloitte Svetovanje d.o.o. 

lhrobat@deloittece.com 

+386 (0)41 224 596 

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). 

DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in 

respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to 

clients. Please see www.deloitte.com/about to learn more. 

Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our global network of member firms and related 

entities in more than 150 countries and territories (collectively, the “Deloitte organization”) serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately 

312,000 people make an impact that matters at www.deloitte.com 

Deloitte Central Europe is a regional organization of entities organized under the umbrella of Deloitte Central Europe Holdings Limited, the member firm in Central Europe of Deloitte 

Touche Tohmatsu Limited. Services are provided by the subsidiaries and affiliates of, and firms associated with Deloitte Central Europe Holdings Limited, which are separate and 

independent legal entities. The subsidiaries and affiliates of, and firms associated with Deloitte Central Europe Holdings Limited are among the region’s leading professional services 

firms, providing services through nearly 7,000 people in 44 offices in 18 countries. 

© 2021 Deloitte

Corporate Governance in Financial Institutions

Create successful ePaper yourself

Delete template?

Save as template?