Internal controls and risk management system as regards the financial reporting process

The system of internal controls over financial reporting is the process meant to provide reasonable certainty as to the reliability36 of the financial reporting itself and as to the capacity of the process of preparing the financial statements to produce financial reporting in accordance with generally accepted accounting standards.

Snam Rete Gas S.p.A. has a regulations body, “Internal Controls Over Financial Reporting”, which defines the rules, methods, roles and responsibilities for designing, implementing and maintaining, over time, the system of internal controls over the corporate reporting of the Snam Rete Gas S.p.A. group as well as for evaluating its effectiveness.

The body of procedural rules for the corporate reporting control system was defined in compliance with the provisions of article 154-bis of the “Testo Unico della Finanza” and takes into account the requirements provided for in the Sarbanes-Oxley Act of 2002 (SOA), to which the ultimate parent Eni Sp.A. is subject as an issuer listed on the New York Stock Exchange (NYSE) and which reflect upon Snam Rete Gas S.p.A. as relevant subsidiary. The model for corporate reporting internal control adopted by Snam Rete Gas S.p.A is based on the COSO Report (“Internal Control – Integrated Framework” published by the Committee of Sponsoring Organizations of the Treadway Commission).

In addition to Snam Rete Gas S.p.A., the defined control model has been applied, since obtaining control, at the companies directly and indirectly controlled by it according to international accounting standards in view of their significance for the purposes of preparing financial reporting. The companies controlled by Snam Rete Gas S.p.A. are adopting the defined control model as reference for designing and implementing their own control systems so as to adapt it to their dimensions and to the complexity of the activities carried out.

Main features of the internal controls and risk management system as regards the financial reporting process

The control system was defined by following two essential principles, that is, the dissemination of controls to all levels of the organisational structure consistent with the operational responsibilities conferred and the sustainability of the controls over time so that their execution would prove to be integrated and compatible with operational demands.

The design, implementation and maintenance of the control system are provided using: a process of risk assessment, identification of controls, evaluation of controls and information flows (reporting).

The risk assessment process, conducted using the top down approach, has the aim of identifying the organisational entities, the processes and the specific activities capable of generating risks of unintentional errors or of fraud which could have significant effects on the financial statements.

In particular, identification of the organisational entities which are involved within the scope of the control system (relevant companies) is done on the basis of the contribution by the various entities to given values in the consolidated financial statements (total assets, total financial debt, net revenues, pre-tax income) both in relation to considerations concerning significance per specific risk and process. Within the scope of relevant companies for the control system, identification is then made of the significant processes based on an analysis of quantitative factors (processes which contribute to making up the items in the financial statements by amounts greater than a given percentage of the pre-tax profits) as well as qualitative factors (for example: complexity of the accounting treatment of the account; novelty or significant changes in business conditions).

In view of the relevant activities and processes, risks are identified, that is, potential events that, if occurring, could compromise achievement of the control objectives inherent to financial reporting (for example, financial statement assertions). The risks thus identified are assessed in terms of potential impact and probability of occurrence based on quantitative and qualitative parameters and assuming an absence of controls (so-called inherent assessment). Particularly with reference to risks of fraud37, Snam Rete Gas S.p.A conducts a dedicated risk assessment based on a specific method in relation to “Antifraud Programmes and Controls.”

The appropriate control activities are defined in view of the companies, processes and relative risks deemed relevant. The structure of the control system provides controls at the entity level, operating interdepartmentally in relation to the entity in reference (group/single company) as well as controls at the process level.

Controls at the entity level are organised into a defined checklist based on the model adopted in the COSO Report according to five components: control environment, risk assessment, control activities, information systems and communication flows and monitoring activities. In particular, among the controls of the “control environment” component, there are activities involving definition of the timing for preparing and disseminating economic and financial results; among the controls of the “control activities” component there is the presence of organisational structures and a body of rules adapted to achieve the objectives involved in financial reporting (for example, such controls provide for review activities and updating, performed by specialised company department posts, on the rules relating to financial statements and accounting); among the controls of the “information systems and communication flows” component are activities relating to the information system for handling the consolidation process.

Controls at the process level are subdivided as follows: specific controls, signifying the entirety of the manual or automated activities aimed at preventing, identifying and correcting errors or irregularities occurring in the course of operational activities; pervasive controls, signifying structural elements of the control system meant to define a general context to promote proper execution and control of operational activities (for example, the segregation of incompatible duties and general controls over their information systems).

The specific controls are identified in appropriate procedures that define both the execution of business processes as well as the so-called “key controls” that, if absent or lacking operability, generate a risk of error or fraud of significance to the financial statements that cannot be intercepted by other controls.

The controls both at the entity and process levels are subject to evaluation (monitoring) to check, over time, the soundness of the design and actual operability; for this purpose, ongoing monitoring activities have been provided for, conferred to the management in charge of the relevant processes or activities, along with independent monitoring activities (separate evaluations) conferred to Internal Audit, which operates according to a pre-established plan announced by the manager in charge of the preparation of the corporate accounting documents (Manager in Charge of Financial Reporting) for the purpose of defining the scope and objectives of his involvement by using agreed audit procedures.

The monitoring activities enable identification of eventual deficiencies in the control system, which are subject to evaluation in terms of probability and impact on the financial reporting and, based on their significance, are characterised in ascending order of importance as “deficiencies”, “significant points of weakness” and “material deficiencies”.

The results of the activities of monitoring are subjected to periodic flows of information (reporting) as to the status of the control system, provided in part by the use of information technology tools aimed at ensuring that the information on the adequacy of the design and the operability of the controls can be tracked. Based on this reporting, the Manager in Charge of Financial Reporting drafts a half-yearly report on the effectiveness of the control system, which, shared with the CEO, is submitted to the board of directors, upon prior report to the Internal Control Committee and to the Board of Statutory Auditors, on the occasion of approval of the draft annual report and half-yearly financial report so as to enable the mentioned supervisory functions to be carried out, along with evaluations of the internal control system performed within its own scope of responsibility.

The activities of the Manager in Charge of Financial Reporting are supported within the Snam Rete Gas group by various individuals whose duties and responsibilities are defined in the framework rules referred to earlier. In particular, the control activities involve all levels of the organisational structure of Snam Rete Gas and the relevant subsidiaries, such as those in charge of business operations and department managers, up to administrative managers and CEOs. In this organisational context, for the purposes of the internal control system, the figure of the risk owner, who performs the ongoing monitoring which assesses the design and operability of the specific and pervasive controls while feeding the information flow of reporting on the monitoring activity, assumes particular significance.

(36) Reliability (of information): Information which has the characteristics of accuracy and conformity with the generally accepted accounting standards, and meets the requirements of the applicable laws and regulations.
(37) Fraud: Within the scope of the Control System, any intentional act or omission which results in a misleading statement in the reporting.