Information pursuant to Section 243a(2) of the Austrian Commercial Code
The internal control and risk management system at UNIQA Insurance Group AG comprises transparent systems that encompass all company activities and include a systematic and permanent approach, based on a defined risk strategy, with the following elements: identification, analysis, measurement, management, documentation and communication of risks, as well as the monitoring of these activities. The scope and orientation of the systems put in place were designed on the basis of company-specific requirements. Despite the creation of appropriate frameworks, there is always a certain residual risk because even appropriate and functional systems cannot guarantee absolute security with regard to the identification and management of risks.
Objectives:
- Identification and measurement of risks that could obstruct the goal of producing (consolidated) financial statements that comply with regulations
- Limiting recognised risks, for example by consulting with external specialists
- Review of external risks with regard to their influence on the consolidated financial statements and the corresponding reporting of these risks
The aim of the internal control system in the accounting process is to guarantee sufficient security by implementing controls so that, despite identified risks, proper financial statements are prepared. Along with the risks described in the Risk Report, the risk management system also analyses additional risks within internal business processes, compliance, internal reporting, etc.
Organisational structure and control environment
The company’s accounting process is incorporated into the UNIQA Group accounting process. In addition to the SAP S/4HANA accounting system, a harmonised insurance-specific IT system is also used for the company’s purposes. Compliance guidelines and manuals for company organisation, accounting and consolidation exist for the purpose of guaranteeing secure processes.
Identification and control of risks
An inventory was conducted and appropriate control measures were carried out to identify existing risks. The type of controls was defined in the guidelines and instructions and coordinated with the existing authorisation concept.
The controls include both manual coordination and comparison routines, as well as the approval of system configurations for connected IT systems. New risks and control weaknesses in the accounting process are quickly reported to management so that it can undertake corrective measures. The procedure for the identification and control of risks is evaluated on a regular basis by an external independent auditor.
Information and communication
Deviations from expected results and evaluations are monitored by means of monthly reports and key figures, and they form the foundation of information provided to management on an ongoing basis. The management review that is based on this information, and the approval of the processed data, form the foundation of further treatment in the company’s financial statements.
Measures to ensure effectiveness
Rather than being made up of static systems, the internal control and risk management system is adjusted on an ongoing basis to changing requirements and general conditions. In order to identify necessary changes, the effectiveness of all systems must be constantly monitored. The foundations for this are:
- Regular self-evaluations by the persons tasked with controls
- Evaluations of key data to validate transaction results in relation to indications that suggest control deficiencies
- Random tests of effectiveness by the Internal Audit department and comprehensive efficacy tests by the Internal Audit department and/or special teams
Reporting to the Supervisory Board/Audit Committee
In the context of compliance and internal control and risk management systems, the Management Board reports regularly to the Supervisory Board and the Audit Committee by means of Internal Audit department reports and the separate engagement of external auditors.