13. INTERNAL CONTROL FUNCTION IN THE SANTANDER GROUP
13.1. Description of the internal control function
Description of the Santander Group’s internal control model, which includes the set of processes and procedures performed by senior management and the rest of the Group’s employees to provide reasonable assurance that the goals set by the Group, including the goals regarding control over corporate strategy, effectiveness and efficiency of operations, reliability of financial information and compliance with applicable laws and regulations, are being met.
The Santander Group’s internal control model (“ICM”) comprises the set of processes and procedures performed by senior management and the rest of the Group’s employees to provide reasonable assurance that the goals set by the Group, including the goals regarding control over corporate strategy, effectiveness and efficiency of operations, reliability of financial information and compliance with applicable laws and regulations, are being met. The Santander Group’s ICM complies with all legal and regulatory requirements and is in accordance with the guidelines set by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and the Framework for Internal Control Systems in Banking Organisations issued by the Bank for International Settlements (BIS) in Basel.
The principles on which the Group’s internal control model is based are as follows:
1. Culture of senior management control and oversight. This culture is manifested in the following aspects:
• The board of directors bears ultimate responsibility for ensuring that an adequate and effective internal control system is in place and is kept up to date.
• Senior management is responsible for establishing an appropriate internal control policy and ensuring that this policy is put into effect and is monitored.
• The board of directors and senior management are responsible for making all levels of the organisation aware of the importance of internal control. All employees of the organisation who are involved in internal control processes must have clearly defined responsibilities.
2. Risk identification and assessment. The Group’s internal control system ensures that all the risks that could adversely affect achievement of the organisation’s goals are properly identified and assessed and that new risks are assessed continuously.
3. Establishment of adequate controls and separation of functions. A clear structure of control and allocation of responsibilities has been established and the control functions are an intrinsic part of the organisation’s business and support activities, ensuring sufficient separation of functions to avoid any conflict of responsibilities.
4. Reporting and disclosure. The Group’s procedures and systems ensure accurate and comprehensible reporting and disclosure in the areas of financial, operational and compliance reporting.
5. Monitoring of the control system. Besides the continuous review of business and operations, control activities are subject to regular assessments, the conclusions of which are reported to senior management and the board of directors, along with any matters subject to special monitoring.
Proper documentation of the Group’s ICM is vital to achieving these objectives. Accordingly, a common, homogeneous methodology is used to describe internal control processes, identify risks, controls and authorities within the organisational structure, and ensure that relevant controls are included to minimise the impact of the risks associated with the Group’s activity. Potential risks that must be covered by the ICM are identified based on senior management’s knowledge and understanding of the business and operational processes, taking into account both quantitative criteria, including probability of occurrence, and qualitative criteria associated with the nature, complexity or structure of the business.
Documentation and updating
The following are some of the main features of the Santander Group’s ICM documentation:
• The ICM is a corporate model that involves every member of the organisation with control responsibilities, through a framework of direct, individually assigned responsibilities.
• Internal control is managed in a decentralised manner in the Group’s units. In addition, there is a corporate internal control area, which coordinates and monitors all the Group’s units and provides general criteria and guidelines to ensure that procedures, assessment tests, classification criteria and adaptations of regulations are uniform and standardised.
• The documented model is broad and so includes not only the activities linked to the generation of consolidated financial information, which is its main objective, but also any other procedures performed in the business and support areas of each entity which, while having no direct impact on the accounts, could nevertheless give rise to losses or risks in the event of incidents, errors, infringements of regulations or fraud.
• The ICM is a forward-looking model and evolves by adapting to the reality of the Group’s business and support activities at any given time, clearly identifying any risks that might prevent the achievement of goals and the controls that mitigate such risks.
• It includes detailed descriptions of transactions, criteria for assessing the performance of the controls and the conclusions of the performance assessment.
All the ICM documentation of each Group company is stored in a corporate computer application. This application allows processes, risks and controls to be consulted and updated by users in real-time and reviewed by external auditors or supervisory bodies. It also serves as a support tool for the internal control model assessment process, automatically ensuring the model’s integrity. The chart below shows the framework of documentation and responsibilities of the Group’s internal control model:
GROUP’S INTERNAL CONTROL MODEL SCHEME
Chart sections: Global sphere, Regular review, Documentation, Responsibilities.
• More than 170 companies of the Group (coverage above 97% equity components).
• More than 39,000 controls (documented and assessed every six months) and 16,000 processes.
• More than 6,000 indicators.
• Define a methodology for documenting processes, risks and controls.
• Define a homogeneous command table of indicators that assess objectively the main processes of the Group’s divisions/areas.
• More than 5,000 professionals are involved in assessing and certifying the ICM.
• Upward certification from control executives to the Group’s CEO.
• Evaluation of the design and effectiveness of controls twice a year.
• Subjected to auditing.
Keeping the descriptions of processes, risks and controls and the identity of the persons responsible for them up to date is a key aspect of the Group’s ICM.
In 2013 the Group’s ICM documentation evolved to meet the new regulatory requirements affecting banks’ procedures and to reflect the changes in the organisation, both the changes in the businesses and operational processes and the changes that have taken place in the Group’s organisational and corporate structure.
Documenting and updating the ICM is not only done in the business units; it is also a crucial part of identifying, documenting and assessing the risks and controls associated with operational processes outsourced to Group companies.
Ultimately, the ICM is examined by the Group’s statutory auditor, who reports to the Audit and Compliance Committee and issues an opinion on the effectiveness of the internal controls applied to the generation of the financial information contained in the consolidated financial statements of the Santander Group at 31 December 2013.
The corporate scope of the Santander Group’s ICM also imposes an obligation to constantly ensure that the people involved in the ICM at all levels of the organisation are kept up to date, coordinated and trained as appropriate. For that purpose, in addition to the continuous updating of the information contained in the corporate internal control portal, which serves as a channel of communication between the various ICM users, in 2013 further online and on-site training courses were given and various corporate internal control conventions were held. More than 100 corporate executives and managers from different Group entities took part in these conventions, aimed at promoting the sharing of best practices and building awareness of the corporate methodology.
Assessment and integration in management
The Group has an assessment and certification process for reviewing the performance of the ICM and the effectiveness of the established controls, processes and activities. This process starts with an assessment of the control activities by the persons responsible for them. Based on the conclusions of this first assessment, the various subprocesses, processes and activities related to the generation of financial information are certified. Once all these certifications have been analysed, the CEO, CFO and Controller certify the effectiveness of the ICM as a whole.
Two assessment processes were carried out in the Group during 2013: in the first half, an assessment of control effectiveness aimed at anticipating incidents, so as to improve the controls before the end of the year; and the annual assessment of the effectiveness of controls (approximately 39,000 in the Group overall) and processes (approximately 2,500).
Besides the assessment process, the Group has defined a set of more than 500 control indicators at corporate level, with the aim of systematising the assessment and monitoring of control performance. These indicators are measured monthly in the various Group entities.
Also, with a view to reinforcing the integration of internal control in management, in 2013 a monthly executive internal control report was established to allow closer monitoring and oversight of internal control-related matters by senior management. This report brings together relevant internal control-related information from the monthly control indicator measurements and the half-yearly assessments, the appraisal of the reports and recommendations of Internal Audit, the reports and rating of the supervisors, and the reports and assessments of the corporate areas with responsibility for control over the relevant areas of the Group’s various units.
The Santander Group’s internal control model ensures that, while having a broad international structure and being present in many different markets and geographies, the Group has homogeneous mechanisms for controlling uniform processes and procedures with unique degrees of accountability, which allow it to achieve its strategic objectives in an effective and operationally efficient way, ensuring the reliability of the financial information that is generated and compliance with applicable laws and regulations.