6.7 Internal control and risk management system in relation to the financial reporting process
Foreword
The internal control and risk management system and the financial reporting process of Snam and its Controlled Companies are part of the same “System” (Corporate Reporting Internal Control System), aiming to ensure that the financial reports are sound [28], accurate, reliable and of a timely nature, and that the process for drafting financial statements is able to produce financial information in accordance with accounting principles.
Snam has adopted a body of rules that define the standards, methodologies, roles and responsibilities for designing, implementing and maintaining over time the system of internal controls on the financial reporting of Snam and its Controlled Companies, and for evaluating its effectiveness over time.
In addition to Snam, the control model is applied to Controlled Companies based on their relevance for the purposes of preparing financial reports. The Controlled Companies adopt the defined control model as a reference to design and implement their own system of internal controls for financial reporting, tailoring it to their size and the complexity of the activities they undertake.
Snam’s internal control and risk management model for financial reporting was defined in accordance with the provisions of Article 154-bis of the TUF and is based on the “COSO Framework”.
In 2013, work got under way to revise and update this model in order to ensure it remains reliable and suitable, due partly to Eni’s ceasing to fulfil this role as of 2012, partly to the growing complexity of the structure and organisation of Snam and its Controlled Companies, and also to the need to implement the changes made in the updated version of the aforementioned COSO Framework.
Existing phases of the internal control and risk management system in relation to the financial reporting process
The design, implementation and maintenance of the system of internal controls for financial reporting are guaranteed by the scoping, identification and evaluation of risks and controls (at company and process levels, through risk assessment and monitoring activities) and by the related information flows (reporting).
Identification and evaluation of risks for financial reporting
The scoping and risk assessment activities for the relevant processes, which are conducted using a top-down, risk-based approach, are aimed at identifying the organisational entities, items, accounts, significant financial statement information, processes and specific activities that may pose a risk of unintentional error or of fraud that could have a significant impact on the financial statements.
In particular, identifying the organisational entities which fall within the scope of the internal control and risk management system for financial reporting relies on the contribution of the different entities to specific amounts on the consolidated financial statements (total assets, total financial debt, net revenues, earnings before tax), and considers their relevance for specific procedures and risks. Within the companies that are relevant to the internal control and risk management system for financial reporting, significant procedures are then identified based on an analysis of quantitative factors (procedures which help determine financial statement items in amounts in excess of a specific percentage of pre-tax profit and shareholders’ equity) and qualitative factors (e.g. significant estimates made in determining the amount, complexity of the accounting treatment).
For relevant procedures and activities, risks of unintentional error and of fraud are identified, i.e. potential events which may compromise the achievement of the control objectives for financial reporting (e.g. financial statement declarations). The risks thus identified are assessed in terms of potential impact and likelihood of occurrence, assuming the absence of controls (so-called inherent-risk assessment).
Identification of controls for identified risks
For companies, processes and related risks considered significant, a control system has been defined based on two fundamental principles: disseminating controls to all levels of the organisational structure, in line with the operational responsibilities assigned, and sustaining the controls over time, so that they are integrated and compatible with operating requirements.
The control system structure provides for entity-level controls, which apply across the entire entity in question (group/individual company), and process-level controls. The entity-level controls are organised on the basis of the model adopted in the “COSO Framework”, broken down into five components (control environment, risk assessment, control activities, information systems and communication flows, monitoring activities).
Of particular importance are: control activities designed to determine the timing for the preparation and disclosure of economic and financial results (“half-yearly and financial statement circular” and the respective calendars); the existence of organisational structures and of a body of regulations appropriate for the achievement of financial reporting objectives; and training activities concerning accounting standards and the system of internal controls for financial reporting.
Process-level controls are broken down into:
- specific controls, understood as all manual or automated activities intended to prevent, identify and correct errors or irregularities which occur in carrying out operating activities;
- pervasive controls, understood as structural elements of the control system aimed at defining a general context which encourages proper execution and control of operational activities (such as the segregation of incompatible tasks and general controls on information systems).
Specific controls are identified in special procedures which define both the performance of corporate processes and the controls whose absence or lack of implementation entails a significant risk of error/fraud on the financial statements which has no chance of being intercepted by other controls.
Evaluation of controls for identified risks
Both entity-level and process-level controls are subject to regular evaluation (monitoring) in order to verify over time the adequacy of their design and their operational effectiveness. To this end, ongoing evaluation has been entrusted to the management responsible for significant processes/activities, and separate evaluation has been entrusted to the Internal Auditor, who operates in accordance with a plan agreed with the Executive Responsible for preparing corporate accounting documents that aims to define the scope and objectives of his/her actions via agreed audit procedures.
Monitoring activities identify any deficiencies in the system of internal controls for financial reporting, which are classified according to their significance and to the identification of actions to be taken to overcome them. The evaluation of the deficiencies considers them both individually and combined with financial statement items or significant information.
The results of the monitoring activities are subject to periodic reporting on the status of the control system, which is carried out using IT tools aimed at ensuring the traceability of information on the adequacy of the design and the functionality of the controls. Based on this reporting, the Executive Responsible for preparing corporate accounting documents prepares a half-yearly report on the adequacy and effective application of the system of internal controls for financial reporting which is shared with the Chief Executive Officer and submitted to the Board of Directors, following a report to the Control and Risk Committee and Board of Statutory Auditors, upon approval of the consolidated financial statements, the draft separate financial statements and the half-yearly financial report, so that the supervisory activities of the Board of Directors can be carried out, as well as his/her own evaluations on the system of internal controls for financial reporting, based partly on the external assessment of the adequacy of the control system in relation to the preparation of the separate and consolidated financial statements.
Positions and departments involved
The Executive Responsible for preparing corporate accounting documents is supported within Snam and its Controlled Companies by various parties, whose duties and responsibilities are defined by the aforementioned rules on the financial reporting control system. In particular, control activities involve all levels of the organisational structure of Snam and its relevant Controlled Companies, such as business operating managers and departmental managers, up to administrative managers and CEOs. In this organisational context, the risk owner assumes particular importance as the person who, through on-going monitoring, evaluates the design and operation of specific and pervasive controls and supplies information for reports on monitoring activities, as well as on any deficiencies found, in order to identify appropriate corrective actions in a timely manner.
[28] Soundness (of the information): information is sound when it is correct, complies with generally accepted accounting standards and fulfils the requirements of the applicable laws and regulations.