Management of Deutsche Bank and its consolidated subsidiaries is responsible for establishing and maintaining adequate internal control over financial reporting (ICOFR). Our internal control over financial reporting is a process designed under the supervision of our chairman and our Chief Financial Officer to provide reasonable assurance regarding the reliability of financial reporting and the preparation of the firm’s consolidated financial statements for external reporting purposes in accordance with International Financial Reporting Standards (IFRS). ICOFR includes our disclosure controls and procedures designed to prevent misstatements.
Risks in Financial Reporting
The main risks in financial reporting are that either financial statements do not present a true and fair view due to inadvertent or intentional errors (fraud) or the publication of financial statements is not done on a timely basis. These risks may reduce investor confidence or cause reputational damage and may have legal consequences including banking regulatory interventions. A lack of fair presentation arises when one or more financial statement amounts or disclosures contain misstatements (or omissions) that are material. Misstatements are deemed material if they could, individually or collectively, influence economic decisions that users make on the basis of the financial statements.
To confine those risks of financial reporting, management of the Group has established ICOFR with the aim of providing reasonable but not absolute assurance against material misstatements and conducted an assessment of the effectiveness of the Group’s internal control over financial reporting based on the framework established in Internal Control Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO recommends the establishment of specific objectives to facilitate the design and evaluate adequacy of a control system. As a result in establishing ICOFR, management has adopted the following financial statement objectives:
- Existence - assets and liabilities exist and transactions have occurred.
- Completeness - all transactions are recorded, account balances are included in the financial statements.
- Valuation - assets, liabilities and transactions are recorded in the financial reports at the appropriate amounts.
- Rights and Obligations and ownership - rights and obligations are appropriately recorded as assets and liabilities.
- Presentation and disclosures - classification, disclosure and presentation of financial reporting is appropriate.
- Safeguarding of assets - unauthorized acquisition, use or disposition of assets is prevented or detected in a timely manner.
However, any internal control system, including ICOFR, no matter how well conceived and operated, can provide only reasonable, but not absolute assurance that the objectives of that control system are met. As such, disclosure controls and procedures or systems for ICOFR may not prevent all errors and fraud. Further, the design of a control system must reflect the fact that there are resource constraints, and the benefits of controls must be considered relative to their costs.
Organization of the Internal Control System
Functions Involved in the System of Internal Control over Financial Reporting
Controls within the system of ICOFR are performed by all business functions and infrastructure functions with an involvement in reviewing the reliability of the books and records that underlie the financial statements. As a result, the operation of ICOFR involves staff based mainly in the following functions: Finance, Chief Operating Office and Risk.
Finance is responsible for the periodic preparation of the financial statements and operates independently from the Group’s businesses. Within Finance, different departments have control responsibilities which contribute to the overall preparation process:
- Group Finance is responsible for Group-wide activities which include the preparation of Group financial and management information and risk reporting. Group Finance sets the reporting timetables, performs the consolidation and aggregation processes, effects the elimination entries for inter and intra group activities, controls the period end and adjustment processes, compiles the Group financial statements, and considers and incorporates comments as to content and presentation made by senior and external advisors.
- Transactions, Policy and Advisory is responsible for developing the Group’s interpretation of International Financial Reporting Standards and Regulatory Standards and their consistent application within the Group. It provides accounting and regulatory advice and consulting services to Finance and the wider business, and is responsible for the timely resolution of corporate and transaction-specific accounting and regulatory issues.
- Global Valuation Group and business aligned valuation specialists are responsible for developing policies and minimum standards for valuation, providing related implementation guidance when undertaking valuation control work, and challenging and validating valuation control results. They act as the single point of contact on valuation topics for external parties (such as regulators and external auditors).
- Finance specialists for businesses or entities are responsible for reviewing the quality of financial data by performing validation and control. They are in close contact with business, infrastructure and legal entity management and employ their specific knowledge to address financial reporting issues arising on products and transactions, as well as validating reserving and other adjustments based on judgment.
- Group Tax is responsible for producing income tax related financial data in conjunction with Finance, covering the assessment and planning of current and deferred income taxes and the collection of tax related information. Group Tax monitors the income tax position and controls the provisioning for tax risks.
- Group Planning & Performance Management is responsible for the Group-wide forecasting and planning activities.
The operation of ICOFR is also importantly supported by the Chief Operating Office and Risk. Although these functions are not directly involved in the financial preparation process, they contribute significantly to the production of financial information:
- Chief Operating Office (COO) is responsible for confirming transactions with counterparties, and performing reconciliations both internally and externally of financial information between systems, depots and exchanges. COO also undertakes all transaction settlement activity on behalf of the Group and performs reconciliations of nostro account balances.
- Chief Risk Office (CRO) is responsible for developing policies and standards for managing credit, market, legal, liquidity operational and vendor risks. CRO identifies and assesses the adequacy of credit, legal and operational provisions.
Controls to Minimize the Risk of Financial Reporting Misstatement
The system of ICOFR consists of a large number of internal controls and procedures aimed at minimizing the risk of misstatement of the financial statements. Such controls are integrated into the operating process and include those which:
- are ongoing or permanent in nature such as supervision within written policies and procedures or segregation of duties,
- operate on a periodic basis such as those which are performed as part of the annual financial statement preparation process,
- are preventative or detective in nature,
- have a direct or indirect impact on the financial statements themselves. Controls which have an indirect effect on the financial statements include IT general controls such as system access and deployment controls whereas a control with a direct impact could be, for example, a reconciliation which directly supports a balance sheet line item,
- feature automated and/or manual components. Automated controls are control functions embedded within system processes such as application enforced segregation of duty controls and interface checks over the completeness and accuracy of inputs. Manual internal controls are those operated by an individual or group of individuals such as authorization of transactions.
The combination of individual controls encompasses each of the following aspects of the system of ICOFR:
- Accounting policy design and implementation. Controls to promote the consistent recording and reporting of the Group’s business activities on a global basis in accordance with authorized accounting policies.
- Reference data. Controls over reference data in relation to the general ledger and on and off-balance sheet transactions including product reference data.
- New product and transaction approval, capture and confirmation. Controls are intended to ensure the completeness and accuracy of recorded transactions as well as appropriate authorization. Such controls include transaction confirmations which are sent to and received from counterparties to help ensure that trade details are corroborated.
- Reconciliation controls, both external and internal. Inter-system reconciliations are performed between relevant systems for all trades, transactions, positions or relevant parameters. External reconciliations include nostro account, depot and exchange reconciliations.
- Valuation including the independent price verification process (IPV). Finance performs IPV controls at least monthly in order to evaluate the reasonableness of the front office valuation. The results of the IPV processes are assessed on a monthly basis by the Valuation Control Oversight Committee.
- Business aligned valuation specialists focus on valuation approaches and methodologies for various asset classes and perform IPV for complex derivatives and structured products.
- Taxation. Controls are designed to ensure that tax calculations are performed properly and that tax balances are appropriately recorded in the financial statements.
- Reserving and adjustments based on judgment. Controls are designed to ensure reserving and other adjustments based on judgment are authorized and reported in accordance with the approved accounting policies.
- Balance Sheet substantiation. Controls relating to the substantiation of balance sheet accounts to promote the integrity of general ledger account balances based on supporting evidence.
- Consolidation and other period end reporting controls. At period end, all businesses and regions submit their financial data to the Group for consolidation. Controls over consolidation include the validation of accounting entries required to eliminate the effect of inter and intra company activities. Period end reporting controls include general ledger month end close processes and the review of late adjustments.
- Financial Statement disclosure and presentation. Controls over compilation of the financial statements themselves including preparation of disclosure checklists and compliance with the requirements thereof, and review and sign-off of the financial statements by senior Finance management. The financial statements are also subject to approval by the Management Board, and the Supervisory Board and its Audit Committee.
Measuring Effectiveness of Internal Control
Each year, management of the Group undertakes a formal evaluation of the adequacy and effectiveness of the system of ICOFR. This evaluation incorporates an assessment of the effectiveness of the control environment as well as individual controls which make up the system of ICOFR taking into account:
- The financial misstatement risk of the financial statement line items, considering such factors as materiality and the susceptibility of the particular financial statement item to misstatement.
- The susceptibility of identified controls to failure, considering such factors as the degree of automation, complexity, and risk of management override, competence of personnel and the level of judgment required.
These factors, in aggregate, determine the nature and extent of evidence that management requires in order to be able to assess whether or not the operation of the system of ICOFR is effective. The evidence itself is generated from procedures integrated within the daily responsibilities of staff or from procedures implemented specifically for purposes of the ICOFR evaluation. Information from other sources also form an important component of the evaluation since such evidence may either bring additional control issues to the attention of management or may corroborate findings. Such information sources include:
- Reports on audits carried out by or on behalf of regulatory authorities;
- External Auditor reports; and,
- Reports commissioned to evaluate the effectiveness of outsourced processes to third parties.
In addition, Group Audit evaluates the design and operating effectiveness of ICOFR by performing periodic and ad-hoc risk-based audits. Reports are produced summarizing the results from each audit performed which are distributed to the responsible managers for the activities concerned. These reports also provide evidence to support the annual evaluation by management of the overall operating effectiveness of the ICOFR.
As a result of the evaluation, management has concluded that ICOFR is appropriately designed and operating effectively as of December 31, 2017.