Control and reporting

Internal control and risk management system

The internal control system consists of the set of internal control bodies and areas that ensure compliance with the procedure for implementing and attaining the goals established by the legislation of the Russian Federation, the foundation documents and internal regulations of Sberbank.

The Supervisory Board is responsible for determining the principles of and approaches to the organization of the internal control and risk management systems at the Bank. The establishment and maintenance of the effective functioning of the internal control and risk management systems at the Bank are performed by the executive bodies, which are also responsible for the implementation of the decisions of the Supervisory Board in these areas.

The internal control and risk management systems are built using the “Three Lines of Defense” model.

Three Lines of Defense Model
The first line of defense
Acceptance of risks
Business units:
  • identify and conduct primary risk assessment;
  • carry out primary control of the compliance of the risk with the established limits;
  • develop and implement measures necessary to comply with the established limits.
The second line of defense
Risk management
Units responsible for risk management:
  • identify and assess risk significance;
  • develop risk management and assessment methodology and system of risk level limits;
  • assess and forecast the level of risks;
  • control compliance with established limits;
  • carry out stress testing;
  • prepare risk reporting.
The third line of defense
Audit of the risk management system
Internal audit:
  • assess the efficiency;
  • In accordance with international approaches, all three systems are appraised: internal control, risk management, and corporate governance. This requirement is enshrined in the Regulations on the Internal Audit Service of the Bank;
  • notify the Supervisory Board and the executive bodies of the bank of identified shortcomings and the actions taken to eliminate them.

The regulator and external audit of Sberbank ensure additional external control over the functioning of the internal control and risk management system.

Internal control at Sberbank is performed by the following bodies, services and officials:

  • Management bodies;
  • Internal Audit Commission;
  • Internal Audit Service;
  • Internal Control Service;
  • Chief Accountant of the Bank (deputy chief accountants);
  • The heads (their deputies) and chief accountants (their deputy chief accountants) of the branches of the Bank;
  • Structural unit (designated employee) responsible for countering the laundering of the proceeds of crime and the financing of terrorism;
  • Controller of the professional participant of the securities market;
  • Other units and employees exercising internal control in accordance with the authorities determined by the internal regulations of the Bank.

Organization of the risk management process

The risk management system applied by Sberbank meets the requirements of global best practice and is based on the standards and tools recommended by the Basel Committee on banking supervision. The main objectives of the integrated risk management system as a component of the Sberbank management process are:

  • identification and assessment of the materiality of risks;
  • evaluation, aggregation, forecasting of the level of risks;
  • establishment of limits and risk restrictions;
  • monitoring and control of the level of risks, implementation of measures to reduce the accepted risk in order to maintain it within the established external and internal limits;
  • compliance with the mandatory standards and restrictions set by the Bank of Russia;
  • assessment of capital adequacy to cover risks, development of preventive and corrective actions to maintain capital adequacy;
  • ensuring a common understanding of the risks at the Group level;
  • development of a risk culture and risk management competencies in the Group taking into account the best world practices.

To ensure effective planning and control of the assumed risks, the risk management functions are distributed among the Supervisory Board,the CEO of Sberbank, the Chairman of the Executive Board, the Executive Board, the head of the Risk Block (Head of the Risk Management Service of Sberbank), specialized committees of the Executive Board, the units of the Risk Block and other units of Sberbank and the memebers of the Group.

Internal Audit Service

The Internal Audit Service is intended to support the management bodies of the Bank in the attainment of set goals and ensure the effectiveness and performance of the Bank, and operates in compliance with the principles of constant activity, independence, impartiality, honesty, objectiveness and professional competence. The Internal Audit Service is an independent structural unit, which performs inspections on the entire internal control functioning system, is accountable to the Supervisory Board and is subordinate administratively to the CEO, Chairman of the Executive Board. The Head of the Internal Audit Services is appointed and removed from office by the Supervisory Board.

In August 2016 PricewaterhouseCoopers Consulting LLC (PwC) conducted an external assessment of the Internal Audit Service of Sberbank from the perspective of compliance with professional standards on internal auditing. The main conclusions of the external assessment: “The results of our analysis of the performance of the internal audit function make it possible to state that the activity of Sberbank’s Internal Audit Service is constantly improving. The strengths of the Bank’s Internal Audit Service are the level of qualifications of its employees and the quality of the reports based on the results of audits.”

Sberbank takes the necessary measures to ensure the independence and impartiality of the Internal Audit Service, creates the conditions for the impartial and effective exercise by the Internal Audit Service of its functions.

The Internal Audit Service conducts audits in all areas of Sberbank’s activities and monitors the effectiveness of the measures adopted by departments/units and management bodies based on the results of the audits, thereby reducing the level of identified risks.

The Head of the Internal Audit Service provides the Supervisory Board with the reports of the Service on the implementation of the Annual Audit Plan approved by the Supervisory Board and on the results of audits for corresponding reporting periods.

In its work, the Internal Audit Service uses internal audit best practices, including international fundamental principles of internal audit professional practice.

In 2017 the Internal Audit Service conducted 9.9 thousand audits, of which 5 thousand were scheduled and 4.9 thousand were unscheduled. Management of Sberbank, the units of the central administration and branches were notified of the results of all the audits pursuant to the established procedure. Based on the results of the audits, management issued 1.3 thousand orders to resolve systemic problems. During the year 22.3 thousand measures were taken to eliminate the violations (82% were completed, 18% were in progress), and 8 thousand disciplinary measures were taken against the employees of Sberbank.

The Internal Audit Services of Sberbank and Group companies conducted 184 audits of subsidiary banks and 63 audits of subsidiaries. Based on the results of the groups of Group companies, more than 2.1 thousand recommendations were issued.

In accordance with the requirements of Instruction No. 3624-U dated 15 April 2015, within the framework of the audit of internal capital adequacy assessment proceduresIn accordance with Instruction No. 3624-U of the Bank of Russia dated April 15, 2015 “On the Requirements on the Risk and Capital Management System of the Credit Institution and the Bank Group”., 19 significant risks were audited in 2017 (15 significant risks in 2016). Based on the results of the audit for 2016–2017, 413 orders were issued, of which 45% have already been performed.

As a whole the internal control and risk management systems comply with the nature and scale of the operations being performed, the level and combination of the assumed risks.

Oleg Chistyakov

Head of the Internal Audit Service of Sberbank, Senior Managing Director – Director of the Internal Audit Division

Date of birth: 22.10.1964

Work experience: from 2004 to 2009 – Deputy Director, Division for Internal Control, Internal Audits and Audit, Sberbank of Russia. From 2009 to 2014 – Acting Director, Director of the Division for Internal Control, Internal Audits and Audit, Sberbank of Russia. From January 2015 – Senior Managing Director – Director of the Internal Audit, Sberbank.

Education: 1986 – Ordzhonikidze Moscow Management Institute (now State University of Management), engineer-economist.

Awards: Medal of the Order of Second Degree “For Services to the Homeland”.

Internal Control Service

An Internal Control Service was created at Sberbank to implement internal controls, assist the management bodies of Sberbank in ensuring that Sberbank’s activity complies with legislation, regulations and best practice, and also to create and apply effective methods and mechanisms for managing the risks of the emergence of losses at Sberbank owing to non-compliance with the legislation of the Russian Federation and the internal regulations of Sberbank, the standards of the self-regulatory organization and/or the application of sanctions and/or other enforcement actions by the supervisory authorities. The Service represents the totality of the structural units and employees of the Bank operating in accordance with the Regulations on the Internal Control Service.

The Internal Control Service operates on the principles of independence, continuity, objectivity, impartiality and professional competence.

The Internal Control Service is accountable to the Supervisory Board, the CEO, Chairman of the Executive Board, and the Executive Board of the Bank. The Internal Control Service submit reports at least once a year on its work to the bodies of the Bank, and in the established instances – to the Supervisory Board.

Larisa Zalomikhina

Head of the Internal Control Service of Sberbank, Senior Managing Director – Director of the Compliance Division

Date of birth: 04.01.1973

Work experience: from 2004 to 2012 – held different positions at Financial Brokerage Troika Dialog. From 2012 to 2014 – Director of the Compliance Division, Sberbank of Russia. From December 2014 – Senior Managing Director – Director of the Compliance Division, Sberbank.

Education: 1996 – Moscow Institute of Physics and Technology, specializing in Applied Mathematics and Physics.

Risk Unit

For risk management purposes at the Bank, the Risk Unit develops supports and improves risk management system. The Unit also determines risk management principles, develops a methodology for assessment and management of risks and also develops a system of risk level limits. To avoid any conflicts of interest, the Bank ensures that the Risk Unit is independent from other divisions concluding operations/transactions exposed to risks.

Alexander Vedyakhin

Senior Vice President, (Chief Risk Officer, Sberbank Group)

Date of birth: 20.02.1977

Work experience: from 2008 to 2012 – First Deputy Chairman of the Executive Board, Sberbank PJSC (Ukraine). From 2012 to 2015 – Executive Director of the Risk Department, Managing Director, Risk Unit Administration, Sberbank, member of the Board of Directors, Chief Risk Officer, DenizBank (Turkey). From July 2015 – Senior Vice President, Chief Risk Officer, Sberbank Group. He is a member of the Board of Directors and Supervisory Boards of subsidiary banks and subsidiaries of Sberbank.

Education: 1999 – Volgograd State Technical University, Faculty of the Economy (cum laude); 2010 – Russian Presidential Academy of the National Economy and Public Administration, MBA “Banks, Business Management”; 2012 – training in the joint skills upgrade program of Sberbank and London Business school. Candidate of Economic Sciences.

Awards: 2016 – Medal, order “For Merit to the Fatherland”, II Class

External Auditor

Sberbank engages an independent audit firm to audit and confirm the reliability of the financial statements prepared both under Russian and international standards.

Sberbank holds a public tender each year to select the audit firm to provide audit services. The public tender documentation is approved by the tender commission and published on the official website of Sberbank. The audit firm selected by public tender is approved by the Executive Board, the Audit Committee of the Supervisory Board, and the Supervisory Board, and is appointed by the annual General Shareholders’ Meeting of Sberbank.

On May 26, 2017 the annual General Shareholders’ Meeting of Sberbank appointed PricewaterhouseCoopers Audit as the auditor of Sberbank for 2017 and the first quarter of 2018. In accordance with the audit engagement contract, PricewaterhouseCoopers Audit performed the following types of work:

  • audit of the annual financial statements of Sberbank for 2017 prepared in accordance with the requirements of the legislation of the Russian Federation;
  • audit of the consolidated financial statements of Sberbank 2017 prepared in accordance with IFRS;
  • reviews of the interim condensed consolidated financial statements of Sberbank for the first six and nine months of 2017, and also for the first three months of 2018 prepared in accordance with IFRS;
  • audit of the interim financial statements of Sberbank for the first six months of 2017 prepared in accordance with the requirements of the legislation of the Russian Federation.
Payments of Sberbank Group companies to the group companies of the auditor of Sberbank
Payments, RUB million without VAT
2016 2017
Audit of the financial statements (including audit of the statutory financial statements, IFRS financial statements) 13.2 48.3
Interim audits and reviews 13.5 19.6
Tax consultancy services 30.2 23.9
Other non-tax consultancy services 172.9 173.9
Internal Audit Commission

The Internal Audit Commission is elected by the annual General Shareholders’ Meeting to monitor the financial and business activities of Sberbank. In accordance with the Articles of Association of Sberbank, the Internal Audit Commission has seven members. The members of the Audit Commission may not at the same time be members of the Supervisory Board or hold other positions in Sberbank’s management bodies.

On May 26, 2017 the Annual General Meeting of Shareholders of the Bank elected three external representatives and four representatives of Sberbank to the Internal Audit Commission.

The Internal Audit Commission in 2017
Chairwoman of the Audit Commission Natalya Borodina Deputy Director of the Internal Audit Department of the Central Bank of the Russian Federation
Member of the Audit Commission Maria Voloshina Deputy Chief Accountant of the Bank of Russia – Deputy Director of the Accounting and Reporting Department
Member of the Audit Commission Tatyana Domanskaya Executive Director, Head of the Department for Interaction with External Controlling Bodies of the Internal Audit Division of Sberbank
Member of the Audit Commission Yuliya Isakhanova Senior Managing Director – Head of the Financial Control Directorate of the Finance Department of Sberbank
Member of the Audit Commission Irina Litvinova Deputy Director of the Internal Audit Department of the Central Bank of the Russian Federation
Member of the Audit Commission Alexey Minenko Managing Director, Deputy Chief Accountant – Deputy Director, Accounting and Reporting Directorate/Division of Sberbank
Member of the Audit Commission Natalya Revina Senior Managing Director – Director of the Integrated Risk Management Department of SberbankHeld the position of Senior Managing Director – Director of the Integrated Risk Management Department of Sberbank until September 14, 2017.

The Internal Audit Commission audits Sberbank’s financial and economic activities based on annual results and also at any other time on the initiative of the bodies and persons indicated in Federal Law No. 208-FZ dated December 26, 1995 “On Joint Stock Companies”, the Articles of Association of Sberbank, and the Regulations on the Audit Commission of Sberbank.

The Audit Commission assesses the accuracy of the data included in the annual report and contained in the annual financial statements of Sberbank, is entitled to convene an extraordinary General Shareholders’ Meeting or meetings of the Supervisory Board of Sberbank in instances when the violations identified by the internal audit in Sberbank’s financial and economic activities, or a real threat to the interests of the Bank (its depositors) require the adoption of decisions on matters that fall within the competencies of these bodies of Sberbank.